53-1002581-01 9 May 2012 Brocade 6910 Ethernet Access Switch Configuration Guide Supporting R2.1.0.
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, MLX, NetIron, SAN Health, ServerIron, TurboIron, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
About This Document

In this chapter
• Supported hardware and software
• Summary of enhancements for Brocade R2.1.0.x
• Summary of enhancements for Brocade R2.0.2.10
• Summary of enhancements for Brocade R2.0.2.9
• Document conventions
Summary of enhancements for Brocade R2.1.0.x

The following table describes the features introduced in R2.1.0.x.

Enhancement: Supports SFTP file transfer
Description: Added information about using SFTP for file transfer. See “copy” on page 67 and “Copying Files via FTP/SFTP/TFTP or HTTP” on page 653.

Enhancement: Supports additional privacy encryption methods for SNMPv3
Description: Added AES128, AES192 and AES256 privacy encryption methods for SNMPv3.
Summary of enhancements for Brocade R2.0.2.9

The following table describes the features introduced in R2.0.2.9.

Enhancement: The loader can be upgraded
Description: The loader can be upgraded using the copy command. Refer to “copy” on page 67.

Enhancement: Supports VLAN Translation in Web interface
Description: Added configuration pages for VLAN Translation to the Web interface. Refer to “Configuring VLAN Translation” on page 747.
[]          Optional elements appear in brackets.
variable    Variables are printed in italics.
...         Repeat the previous element, for example “member[,member...]”
value       Fixed values following arguments are printed in plain font. For example, --show WWN
|           Boolean. Elements are exclusive. Example: --show -mode egress | ingress

Notes

The following notice statements are used in this manual.
Getting technical help

To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.

Document feedback

Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to: documentation@brocade.
Section I Getting Started

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface, and includes the following chapters:
• Introduction
• Initial Switch Configuration
Chapter 1 Introduction

In this chapter

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

This chapter includes the following topics:
• Key Features
Description of Software Features

TABLE 1 Key Features (Continued)

Feature: Description
Port Mirroring: 8 sessions, one or more source ports to one analysis port
Congestion Control: Rate Limiting; Throttling for broadcast, multicast, unknown unicast storms; Random Early Detection
Address Table: 16K MAC addresses in the forwarding table, 1K static MAC addresses, 1K L2 multicast groups
IP Version 4 and 6: Supports IPv4 and IPv6 addressing and management
IEEE 802.
Authentication

This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.
IP Address Filtering

Access to insecure ports can be controlled using DHCP Snooping which filters ingress traffic based on static IP addresses and addresses stored in the DHCP Snooping table. Traffic can also be restricted to specific source IP addresses or source IP/MAC address pairs based on static entries or entries stored in the DHCP Snooping table.

IEEE 802.1D Bridge

The switch supports IEEE 802.1D transparent bridging.
• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.

IEEE 802.
Ethernet Ring Protection Switching

ERPS can be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN). ERPS provides Layer 2 loop avoidance and fast reconvergence in Layer 2 ring topologies, supporting up to 255 nodes in the ring structure. It can also function with IEEE 802.1ag to support link monitoring when non-participating devices exist within the Ethernet ring.

IP Routing

The switch provides Layer 3 IP routing.
TABLE 2 System Defaults (Continued)

Function: Web Management
HTTP Server: Enabled
HTTP Port Number: 80
HTTP Secure Server: Enabled
HTTP Secure Server Port: 443

SNMP Agent: Enabled
Community Strings: “public” (read only), “private” (read/write)
Traps: Authentication traps: enabled; Link-up-down events: enabled
SNMP V3: View: defaultview; Group: public (read only); private (read/write)

Admin Status: Enabled
Auto-negotiation: Enabled
Flow Control: Disabled
Sta
TABLE 2 System Defaults (Continued)

Function: Traffic Prioritization
Ingress Port Priority: 0
Queue Mode: WRR
Queue Weight:
    Queue:  0 1 2 3 4 5 6 7
    Weight: 1 2 4 6 8 10 12 14
Class of Service: Enabled
IP Precedence Priority: Disabled
IP DSCP Priority: Disabled

Management. VLAN: VLAN 1
IP Address: DHCP assigned
Subnet Mask: 255.255.255.0
Default Gateway: 0.0.0.
Chapter 2 Initial Switch Configuration

In this chapter

This chapter includes information on connecting to the switch and basic configuration procedures. It includes the following topics:
• Connecting to the Switch
• Basic Configuration
• Managing System Files
Connecting to the Switch

• Configure the bandwidth of any port by limiting input or output rates
• Configure Spanning Tree parameters
• Control port access through IEEE 802.1X security or static address filtering
• Filter packets using Access Control Lists (ACLs)
• Configure up to 4093 IEEE 802.
Remote Connections

Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, or DHCP protocol. An IPv4 address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP, see “Setting an IP Address” on page 14.

NOTE
This switch supports four Telnet sessions or four SSH sessions.
Basic Configuration

Setting Passwords

If this is the first time you are logging in to the CLI program, define new passwords for both default user names using the “username” command, record them, and put them in a safe place. Passwords can consist of up to 32 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
2.
NOTE
The IPv4 address for this switch is obtained via DHCP by default.

Assigning an IPv4 Address

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Network mask for this network
• Default gateway for the network

To assign an IPv4 address to the switch, complete the following steps:

1.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter. Then press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:DB8:2222:7272::/64
Console(config-if)#exit
Console(config)#ipv6 default-gateway 2001:DB8:2222:7272::254
Console(config)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages. (DHCP for IPv6 will also be supported in future software releases.)

To dynamically generate an IPv6 host address for the switch, complete the following steps:

1.
• If the switch does not receive a DHCP response prior to completing the bootup process, it will continue to send a DHCP client request once a minute. These requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP.
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.100"; #Default Option 66
  option bootfile-name "bootfile"; #Default Option 67
}

class "Option66,67_1" { #DHCP Option 60 Vendor class one
  match if option vendor-class-identifier = "es020000.
2 Basic Configuration • private - with read/write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps: 1.
Managing System Files Console(config)#snmp-server Console(config)#snmp-server Console(config)#snmp-server Console(config)#snmp-server einstien Console(config)# 2 view mib-2 1.3.6.1.2.1 included view 802.1d 1.3.6.1.2.1.17 included group r&d v3 auth read mib-2 write 802.
2 Managing System Files New startup configuration files must have a name specified. File names on the switch are case-sensitive, can be from 1 to 31 characters, must not contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots.
Section II Command Line Interface

This section provides a detailed description of the Command Line Interface, along with examples for all of the commands, and includes the following chapters:
• Using the Command Line Interface
• General Commands
• System Management Commands
Chapter 3 Using the Command Line Interface

In this chapter
• Accessing the CLI
• Entering Commands
• CLI Command Groups
3 Entering Commands NOTE The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet. For example, Console(config)#interface vlan 1 Console(config-if)#ip address 10.1.0.254 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 10.1.0.
Entering Commands 3 You can enter commands as follows: • To enter a simple command, enter the command keyword. • To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter: Console>enable Console#show startup-config • To enter commands that require parameters, enter the required parameters after the command keyword.
3 Entering Commands garp gvrp history hosts interfaces ip ipv6 l2protocol-tunnel lacp line lldp log logging loop mac mac-address-table mac-vlan management memory mvr mvr6 network-access nlm policy-map port port-channel power-save process protocol-vlan public-key qos queue radius-server reload rmon rspan running-config sflow snmp sntp spanning-tree ssh startup-config subnet-vlan system tacacs-server tech-support time-range traffic-segmentation upgrade users version vlan vlan-translation voice web-auth Cons
Entering Commands 3 The command “show interfaces ?” will display the following information: Console#show interfaces ? brief Shows brief interface description counters Interface counters information history Historical sample of interface counters information protocol-vlan Protocol-VLAN information status Shows interface status subnet-vlan IP subnet-based VLAN information switchport Shows interface switchport information transceiver Interface of transceiver information Console# Show commands which display
3 Entering Commands Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Entering Commands 3 Console>enable Password: [privileged level password] Console# Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
3 Entering Commands To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
TABLE 7 Keystroke Commands (Continued)

Keystroke  Function
Ctrl-N     Enters the next command line in the history buffer.
Ctrl-P     Enters the last command.
Ctrl-R     Repeats current command line on a new line.
Ctrl-U     Deletes from the cursor to the beginning of the line.
Ctrl-W     Deletes the last word typed.
Esc-B      Moves the cursor back one word.
Esc-D      Deletes from the cursor to the end of the word.
Esc-F      Moves the cursor forward one word.
3 CLI Command Groups TABLE 8 36 Command Group Index (Continued) Command Group Description Page Simple Network Management Protocol Activates authentication failure traps; configures community access strings, and trap receivers 107 Remote Monitoring Supports statistics, history, alarm and event groups 127 Flow Sampling Samples traffic flows, and forwards data to designated collector 135 User Authentication Configures user names and passwords, logon access using local or remote authentication
CLI Command Groups TABLE 8 3 Command Group Index (Continued) Command Group Description Page OAM Configures Operations, Administration and Maintenance remote management tools required to monitor and maintain the links to subscriber CPEs 563 Domain Name Service Configures DNS services.
Chapter 4 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
4 General Commands Example Console(config)#prompt RD2 RD2(config)# reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
General Commands 4 • Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. • When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 67).
4 General Commands quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program. Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification Username: show history This command shows the contents of the command history buffer.
General Commands 4 The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config). Console#!2 Console#config Console(config)# configure This command activates Global Configuration mode.
4 General Commands Related Commands enable (41) reload (Privileged Exec) This command restarts the system. NOTE When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command. Default Setting None Command Mode Privileged Exec Command Usage This command resets the entire system.
General Commands 4 Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode: Console(config-if)#end Console# exit This command returns to the previous configuration mode or exits the configuration program.
Chapter 5 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
5 Banner Information Default Setting None Command Mode Global Configuration Example Console(config)#hostname RD#1 Console(config)# Banner Information These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as contact information for the network administrator and system manager.
Banner Information 5 banner configure This command is used to interactively specify administrative information for this device. Syntax banner configure Default Setting None Command Mode Global Configuration Command Usage The administrator can batch-input all details for the switch with one command. When the administrator finishes typing the company name and presses the enter key, the script prompts for the next piece of information, and so on, until all information has been entered.
5 Banner Information banner configure company This command is used to configure company information displayed in the banner. Use the no form to remove the company name from the banner display. Syntax banner configure company name no banner configure company name - The name of the company. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure company command interprets spaces as data input boundaries.
Banner Information 5 Command Usage Input strings cannot contain spaces. The banner configure dc-power-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure dc-power-info floor 3 row 15 rack 24 electrical-circuit 48v-id_3.15.24.
5 Banner Information row-id - The row number. rack-id - The rack number. sr-id - The shelf number in the rack. mfr-name - The name of the device manufacturer. Maximum length of each parameter: 32 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries.
Banner Information 5 Example Console(config)#banner configure equipment-location 710_Network_Path,_Indianapolis Console(config)# banner configure ip-lan This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure ip-lan ip-mask no banner configure ip-lan ip-mask - The IP address and subnet mask of the device.
5 Banner Information Command Usage Input strings cannot contain spaces. The banner configure lp-number command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure lp-number 12 Console(config)# banner configure manager-info This command is used to configure the manager contact information displayed in the banner.
Banner Information 5 banner configure mux This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure mux muxinfo no banner configure mux muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries.
5 System Status Command Usage Input strings cannot contain spaces. The banner configure note command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
5 System Status TABLE 13 System Status Commands (Continued) Command Function Mode show memory Shows memory utilization parameters NE, PE show process cpu Shows CPU utilization parameters NE, PE show running-config Displays the configuration data currently in use PE show startup-config Displays the contents of the configuration file (stored in flash memory) that is used to start up the system PE show system Displays system information NE, PE show tech-support Displays a detailed list o
Command Usage
• Alarms are signalled through the Alarm LEDs (Major Alarm and Minor Alarm) and the Alarm Input and Output port on the front panel. When an alarm occurs, the corresponding LEDs will not be extinguished until the alarm condition is resolved. The event that triggered the alarm can be viewed using this command. Alarms are also recorded in the system log, and can be viewed using the show log command.
System Status 5 Related Commands memory (125) show process cpu This command shows the CPU utilization parameters, alarm status, and alarm configuration.
5 System Status • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
System Status 5 ! end ! Console# Related Commands show startup-config (61) show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes.
5 System Status Command Usage For a description of the items shown by this command, refer to “Displaying System Information” on page 649, and “Displaying Hardware/Software Versions” on page 650. Example Console#show system System Description : BR6910 System OID String : 1.3.6.1.4.1.1991.1.16.1 System Information System Up Time : 0 days, 0 hours, 24 minutes, and 14.
MAC Address (Unit 1)    : 70-72-CF-32-DD-FD
Web Server              : Enabled
Web Server Port         : 80
Web Secure Server       : Enabled
Web Secure Server Port  : 443
Telnet Server           : Enabled
Telnet Server Port      : 23
Jumbo Frame             : Disabled

System Temperature:
 Unit 1
 Temperature 1: 29 degrees    Temperature 2: 27 degrees
 Temperature 3: 24 degrees
Main Power Status       : Down
Redundant Power Status  : Not present
. . .
5 Frame Size show version This command displays hardware and software version information for the system. Command Mode Normal Exec, Privileged Exec Command Usage See “Displaying Hardware/Software Versions” on page 650 for detailed information on the items displayed by this command.
5 File Management Command Usage • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames on Gigabit Ethernet ports or trunks up to 10240 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields. • To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature.
5 File Management TABLE 15 Flash/File Commands (Continued) Command Function Mode Automatic Code Upgrade Commands upgrade opcode auto Automatically upgrades the current image when a new version is detected on the indicated server GC upgrade opcode path Specifies an FTP/TFTP server and directory in which the new opcode is stored GC upgrade opcode reload Reloads the switch automatically after the opcode upgrade is completed GC show upgrade Shows the opcode upgrade configuration settings.
File Management 5 copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/SFTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/SFTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/SFTP/TFTP server and the quality of the network connection.
5 File Management • Secure Shell FTP (SFTP) provides a method of transferring files between two network devices over an SSH2-secured connection. SFTP functions similar to Secure Copy (SCP), using SSH for user authentication and data encryption. Although the underlying premises of SFTP are similar to SCP, it requires some additional steps to verify the protocol versions and perform security checks.
TFTP server ip address: 10.1.0.19
Source certificate file name: SS-certificate
Source private file name: SS-private
Private password: ********
Success.
Console#reload
System will be restarted, continue ? y

This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch.

Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type: 1.
5 File Management delete This command deletes a file or image. Syntax delete filename filename - Name of configuration file or code image. Default Setting None Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.
File Management 5 Command Usage • If you enter the command dir without any parameters, the system displays all files. File information is shown below: TABLE 16 File Directory Information Column Heading Description File Name The name of the file. File Type File types: Boot-Rom, Operation Code, and Config file. Startup Shows if this file is used when the system is started. Create Time The date and time the file was created. Size The length of the file in bytes.
5 File Management upgrade opcode auto This command automatically upgrades the current operational code when a new version is detected on the server indicated by the upgrade opcode path command. Use the no form of this command to restore the default setting. Syntax [no] upgrade opcode auto Default Setting Disabled Command Mode Global Configuration Command Usage • This command is used to enable or disable automatic upgrade of the operational code.
upgrade opcode path

This command specifies a TFTP server and directory in which the new opcode is stored. Use the no form of this command to clear the current setting.

Syntax
upgrade opcode path opcode-dir-url
no upgrade opcode path

opcode-dir-url - The location of the new code.
upgrade opcode reload

This command reloads the switch automatically after the opcode upgrade is completed. Use the no form to disable this feature.

Syntax
[no] upgrade opcode reload

Default Setting
Disabled

Command Mode
Global Configuration

Example
This shows how to reload the switch automatically after the opcode upgrade is completed.

Console(config)#upgrade opcode reload
Console(config)#

show upgrade

This command shows the opcode upgrade configuration settings.
5 Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
5 Line Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
Line 5 Related Commands parity (78) exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the timeout interval.
5 Line Command Mode Line Configuration Command Usage • There are three authentication modes provided by the switch itself at login: • login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. • login local selects authentication via the user name and password specified by the username command (i.e., default setting).
Line 5 Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password {0 | 7} - 0 means plain password, 7 means encrypted password password - Character string that specifies the line password. (Maximum length: 32 characters plain text or encrypted, case sensitive) Default Setting No password is specified.
5 Line password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold) Default Setting The default value is three attempts.
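The line-security settings set by the password, password-thresh and silent-time commands can be checked offline against a saved configuration. The following Python audit is an added example, not code from the guide or from Brocade; the "line console" / "line vty" group headers, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the guide). Mode groups are
# separated by "!" as the guide describes for show running-config; the
# "line console" / "line vty" group headers and the type 7 string are
# assumptions made for this example.
SAMPLE_CONFIG = """\
!
line console
 password 0 Winter2012
 password-thresh 0
!
line vty
 login local
 password 7 1b3231655cebb7a1f783eddf27d254ca
 password-thresh 5
 silent-time 60
!
"""

THRESH_DEFAULT = 3   # guide: "The default value is three attempts."
THRESH_MAX = 120     # guide: range 1-120, with 0 meaning no threshold


def parse_line_groups(config_text):
    """Return {group header: [commands]} for every 'line ...' mode group."""
    groups, current = {}, None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None                      # "!" closes a mode group
        elif not raw[0].isspace():
            # An unindented command opens a new mode group; keep line groups.
            current = stripped if stripped.startswith("line ") else None
            if current is not None:
                groups.setdefault(current, [])
        elif current is not None:
            groups[current].append(stripped)    # indented sub-command
    return groups


def audit_line_group(name, commands):
    """Return a list of findings for one line group."""
    findings = []
    thresh, silent = THRESH_DEFAULT, None
    for cmd in commands:
        m = re.fullmatch(r"password ([07]) (\S+)", cmd)
        if m and m.group(1) == "0":
            findings.append(f"{name}: password stored as type 0 (plain)")
        m = re.fullmatch(r"password-thresh (\d+)", cmd)
        if m:
            thresh = int(m.group(1))
        m = re.fullmatch(r"silent-time (\d+)", cmd)
        if m:
            silent = int(m.group(1))
    if thresh > THRESH_MAX:
        findings.append(
            f"{name}: password-thresh {thresh} is outside the documented "
            f"0-{THRESH_MAX} range")
    elif thresh == 0:
        findings.append(
            f"{name}: password-thresh 0 removes the failed-logon limit")
    if silent is None:
        findings.append(f"{name}: no silent-time configured")
    return findings


def audit_config(config_text):
    """Audit every line group found in a configuration text."""
    findings = []
    for name, commands in parse_line_groups(config_text).items():
        findings.extend(audit_line_group(name, commands))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```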
Line 5 Example To set the silent time to 60 seconds, enter this command: Console(config-line)#silent-time 60 Console(config-line)# Related Commands password-thresh (80) speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
5 Line Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
Line 5 disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8) Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
 Parity             : None
 Stop Bits          : 1
VTY Configuration:
 Password Threshold : 3 times
 Inactive Timeout   : 600 seconds
 Login Timeout      : 300 sec.
 Silent Time        : Disabled
Console#

Event Logging

This section describes commands used to configure event logging on the switch.
Event Logging 5 Command Usage The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database. Example Console(config)#logging facility 19 Console(config)# logging history This command limits syslog messages saved to switch memory based on severity.
5 Event Logging Example Console(config)#logging history ram 0 Console(config)# logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host-ip-address host-ip-address - The IP address of a syslog server. Default Setting None Command Mode Global Configuration Command Usage • Use this command more than once to build up a list of host IP addresses.
Event Logging 5 Example Console(config)#logging on Console(config)# Related Commands logging history (85) logging trap (87) clear log (87) logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
5 Event Logging Default Setting Flash and RAM Command Mode Privileged Exec Example Console#clear log Console# Related Commands show log (88) show log This command displays the log messages stored in local memory. Syntax show log {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Event Logging 5 show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} flash - Displays settings for storing event messages in flash memory (i.e., permanent memory). ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset). sendmail - Displays settings for the SMTP event handler (page 93).
5 SMTP Alerts TABLE 21 show logging trap - display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command. REMOTELOG status Shows if remote logging has been enabled via the logging trap command. REMOTELOG facility type The facility type for remote logging of syslog messages as specified in the logging facility command.
Example
Console(config)#logging sendmail
Console(config)#

logging sendmail host

This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.

Syntax
[no] logging sendmail host ip-address

ip-address - IPv4 or IPv6 address of an SMTP server that will be sent alert messages for event handling.

Default Setting
None

Command Mode
Global Configuration

Command Usage
• You can specify up to three SMTP servers for event handling.
5 SMTP Alerts Command Mode Global Configuration Command Usage The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.) Example This example will send email alerts for system errors from level 3 through 0.
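On the receiving side, the facility tag set by logging facility (RFC 3164) and the level threshold described above can both be checked against what actually arrives. The following Python check is an added example, not code from the guide: it decodes the PRI field (facility × 8 + severity) and applies the "level N through level 0" convention to syslog messages as an assumption; the sample messages, addresses and function names are constructed.

```python
import re

# RFC 3164 severity names, indexed by level 0-7.
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed messages (not switch output). 155 = 19*8 + 3, 158 = 19*8 + 6,
# 188 = 23*8 + 4; the last message has no PRI field at all.
SAMPLE_MESSAGES = [
    "<155>May  9 10:15:02 192.0.2.10 constructed: error-level event",
    "<158>May  9 10:15:07 192.0.2.10 constructed: informational event",
    "<188>May  9 10:16:30 192.0.2.10 constructed: wrong facility tag",
    "May  9 10:17:00 192.0.2.10 constructed: PRI missing",
]


def decode_pri(message):
    """Return (facility, severity) from the leading <PRI> of a message."""
    match = PRI_RE.match(message)
    if match is None:
        raise ValueError("no PRI field")
    pri = int(match.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def levels_reported(threshold):
    """Guide: a threshold of N reports events from level N to level 0."""
    if not 0 <= threshold <= 7:
        raise ValueError("level must be 0-7")
    return list(range(threshold, -1, -1))


def check_messages(messages, expected_facility, threshold):
    """Return [(index, reason)] for messages that contradict the config."""
    allowed = set(levels_reported(threshold))
    problems = []
    for index, message in enumerate(messages):
        try:
            facility, severity = decode_pri(message)
        except ValueError as exc:
            problems.append((index, str(exc)))
            continue
        if facility != expected_facility:
            problems.append(
                (index, f"facility {facility}, expected {expected_facility}"))
        elif severity not in allowed:
            problems.append(
                (index, f"severity {severity} ({SEVERITIES[severity]}) "
                        f"is below threshold {threshold}"))
    return problems


if __name__ == "__main__":
    # Facility 19 as in the guide's "logging facility 19" example, level 3.
    for index, reason in check_messages(SAMPLE_MESSAGES, 19, 3):
        print(index, reason)
```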
Default Setting
None

Command Mode
Global Configuration

Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.

Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

show logging sendmail

This command displays the settings for the SMTP event handler.
5 Time TABLE 23 Time Commands (Continued) Command Function Mode sntp server Specifies one or more time servers GC show sntp Shows current SNTP configuration settings NE, PE Manual Configuration Commands clock summer-time (date) Configures summer time* for the switch’s internal clock GC clock summer-time (predefined) Configures summer time* for the switch’s internal clock GC clock summer-time (recurring) Configures summer time* for the switch’s internal clock GC clock timezone Sets the
Time 5 Current Server: 137.92.140.80 Console# Related Commands sntp server (95) sntp poll (95) show sntp (96) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests.
5 Time Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command. Example Console(config)#sntp server 10.1.0.
Time 5 b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-year- The year summer time will begin. b-hour - The hour summer time will begin. (Range: 0-23 hours) b-minute - The minute summer time will begin. (Range: 0-59 minutes) e-day - The day summer time will end. (Options: 1-31) e-month - The month when summer time will end.
5 Time clock summer-time (predefined) This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions of the world. Use the no form to disable summer time. Syntax clock summer-time name predefined [australia | europe | new-zealand | usa] no clock summer-time name - Name of the timezone while summer time is in effect, usually an acronym.
Time 5 clock summer-time (recurring) This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time. Syntax clock summer-time name recurring b-week b-day b-month b-hour b-minute e-week e-day e-month e-hour e-minute [offset] no clock summer-time name - Name of the timezone while summer time is in effect, usually an acronym.
5 Time Example Console(config)#clock summer-time MESZ recurring 1 friday june 23 59 3 saturday september 2 55 60 Console(config)# Related Commands show sntp (96) clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} name - Name of timezone, usually an acronym. (Range: 1-30 characters) hours - Number of hours before/after UTC.
Time 5 calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} hour - Hour in 24-hour format. (Range: 0 - 23) min - Minute. (Range: 0 - 59) sec - Second. (Range: 0 - 59) day - Day of month.
Time Range

This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.

TABLE 25 Time Range Commands

Command          Function                                                                      Mode
time-range       Specifies the name of a time range, and enters time range configuration mode  GC
absolute         Sets the time range for the execution of a command                            TR
periodic         Sets the time range for the periodic execution of a command                   TR
show time-range  Shows configured time ranges.
Time Range 5 absolute This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) day - Day of month.
periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
show time-range
This command shows configured time ranges.
Syntax
show time-range [name]
name - Name of the time range.
Chapter 6 SNMP Commands
SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
TABLE 26 SNMP Commands (Continued)
Command | Function | Mode
snmp-server enable port-traps atc broadcast-alarm-clear | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered | IC (Port)
snmp-server enable port-traps atc broadcast-alarm-fire | Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control | IC (Port)
snmp-server enable port-traps atc broadcast-control-apply | Sends a trap when broadc
snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#

snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.
snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
show snmp
This command can be used to check the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
Syntax
[no] snmp-server enable traps [authentication | link-up-down | ethernet cfm]
authentication - Keyword to issue authentication failure notifications.
link-up-down - Keyword to issue link-up or link-down notifications.
ethernet cfm - Connectivity Fault Management traps.
snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}
no snmp-server host host-addr
host-addr - IPv4 or IPv6 address of the host (the targeted recipient).
• The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
• Some notification types cannot be controlled with the snmp-server enable traps command.
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.
remote - Specifies an SNMP engine on a remote device.
ip-address - The Internet address of the remote device.
engineid-string - String identifying the engine ID.
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Syntax
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
groupname - Name of an SNMP group. (Range: 1-32 characters)
v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Syntax
snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv {aes128 | aes192 | aes256 | des56} priv-password]]
no snmp-server user username {v1 | v2c | v3 | remote}
username - Name of user connecting to the SNMP agent.
• The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
• Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides.
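Why the engine ID has to be set before any user is created follows from the RFC 3414 key localization that SNMPv3 USM uses: the stored digest is a hash over the password-derived key and the engine ID together. The sketch below is an added example, not code from the switch or from this guide; the function names are hypothetical and the password and engine ID values are the RFC 3414 test inputs plus one constructed engine ID.

```python
import hashlib

# The guide's {md5 | sha} auth keywords mapped to hashlib constructors.
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
EXPANDED_LEN = 1048576  # RFC 3414 A.2: the password is stretched to 1 MiB


def password_to_key(password: str, algo: str) -> bytes:
    """Return Ku, the engine-independent key derived from the password."""
    raw = password.encode()
    if not raw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(raw))
    # Repeat the password until exactly EXPANDED_LEN octets have been hashed.
    return HASHES[algo](raw * reps + raw[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Return Kul = H(Ku || engineID || Ku), the key bound to one engine."""
    return HASHES[algo](ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, algo: str = "sha") -> bytes:
    """Digest an agent would store for this user under the given engine ID."""
    ku = password_to_key(password, algo)
    return localize(ku, bytes.fromhex(engine_id_hex), algo)


def survives_engine_id_change(password: str, old_engine_hex: str,
                              new_engine_hex: str, algo: str = "sha") -> bool:
    """True only if a digest stored under the old engine ID is still valid."""
    return (localized_key(password, old_engine_hex, algo)
            == localized_key(password, new_engine_hex, algo))


if __name__ == "__main__":
    rfc_engine = "00" * 11 + "02"          # engine ID from RFC 3414 A.3
    new_engine = "0123456789abcdef01"      # constructed replacement engine ID
    for algo in ("md5", "sha"):
        print(algo, localized_key("maplesyrup", rfc_engine, algo).hex())
    # Same password, different engine ID: the stored digest no longer matches,
    # so users created before an engine ID change must be re-entered.
    print("user still valid:",
          survives_engine_id_change("maplesyrup", rfc_engine, new_engine))
```
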
Examples
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.
Example
Console#show snmp group
Group Name: r&d
Security Model: v3
Read View: defaultview
Write View: daily
Notify View: none
Storage Type: permanent
Row Status: active

Group Name: public
Security Model: v1
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View
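The show snmp group output above lends itself to a quick access review: groups on the v1 or v2c security model rely on community strings only, so any of them holding a write view deserves attention. The parser below is an added example, not part of the guide or the switch software; the sample text is constructed in the format shown above (the write view of the private group is an assumed value, since the page's output is cut off), and the function names and severity labels are hypothetical.

```python
# Constructed sample in the format of the "show snmp group" output above.
SAMPLE_OUTPUT = """\
Console#show snmp group
Group Name: r&d
Security Model: v3
Read View: defaultview
Write View: daily
Notify View: none
Storage Type: permanent
Row Status: active

Group Name: public
Security Model: v1
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
"""

FIELDS = {"group_name", "security_model", "read_view", "write_view",
          "notify_view", "storage_type", "row_status"}


def parse_groups(text):
    """Turn 'Field: value' lines into one dict per 'Group Name' record."""
    groups, current = [], None
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = label.strip().lower().replace(" ", "_")
        if not sep or key not in FIELDS:
            continue  # prompts, blank lines and unknown fields are skipped
        if key == "group_name":
            current = {"group_name": value.strip()}
            groups.append(current)
        elif current is not None:
            current[key] = value.strip()
    return groups


def review_groups(groups):
    """Return (group, model, severity) for every community-based group."""
    findings = []
    for group in groups:
        model = group.get("security_model", "")
        if model not in ("v1", "v2c"):
            continue  # v3 groups use per-user authentication and privacy
        writable = group.get("write_view", "none") != "none"
        findings.append((group["group_name"], model,
                         "high" if writable else "review"))
    return findings


if __name__ == "__main__":
    for name, model, severity in review_groups(parse_groups(SAMPLE_OUTPUT)):
        print(f"{severity:6} group={name} model={model}")
```
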
show snmp user
This command shows information on SNMP users.
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#

TABLE 30 show snmp view - display description
Field | Description
View Name | Name of an SNMP view.
Subtree OID | A branch in the MIB tree.
Example
This example enables the notification log A1.
Console(config)#nlm A1
Console(config)#

snmp-server notify-filter
This command creates an SNMP notification log. Use the no form to remove this log.
Syntax
[no] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name. (Range: 1-32 characters)
ip-address - The Internet address of a remote device. The specified target host must already have been configured using the snmp-server host command.
• Based on the default settings used in RFC 3014, a notification log can contain up to 256 entries, and the entry aging time is 1440 minutes. Information recorded in a notification log, and the entry aging time can only be configured using SNMP from a network management station.
• When a trap host is created with the snmp-server host command, a default notify filter will be created as shown in the example under the show snmp notify-filter command.
memory
This command sets an SNMP trap based on configured thresholds for memory utilization. Use the no form to restore the default setting.
Syntax
memory {rising rising-threshold | falling falling-threshold}
no memory {rising | falling}
rising-threshold - Rising threshold for memory utilization alarm expressed in percentage. (Range: 1-100)
falling-threshold - Falling threshold for memory utilization alarm expressed in percentage.
Default Setting
Rising Threshold: 90%
Falling Threshold: 70%
Command Mode
Global Configuration
Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
Chapter 7 Remote Monitoring Commands
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
• If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
Example
Console(config)#rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.
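The rising/falling hysteresis described for the RMON alarm, and for the memory utilization thresholds in the SNMP chapter, can be traced with a small evaluator. This is an added example, not code from the guide or the switch: the falling comparison follows the bullet above, the rising comparison is assumed to mirror it as in RFC 2819, the startup parameter and function name are hypothetical, and all sample values are constructed.

```python
from typing import List, Optional, Tuple

Event = Tuple[int, str, int]  # (sample index, "rising" or "falling", value)


def alarm_events(samples: List[int], rising: int, falling: int,
                 sample_type: str = "absolute",
                 startup: str = "both") -> List[Event]:
    """Return the alarms a rising/falling threshold pair would generate.

    sample_type "absolute" compares each sample directly; "delta" compares
    the difference between consecutive samples, as for octet counters.
    startup limits which alarm the very first compared value may raise
    ("rising", "falling" or "both").
    """
    if rising <= falling:
        raise ValueError("rising threshold must be above falling threshold")
    if sample_type not in ("absolute", "delta"):
        raise ValueError("sample_type must be 'absolute' or 'delta'")
    if startup not in ("rising", "falling", "both"):
        raise ValueError("startup must be 'rising', 'falling' or 'both'")

    events: List[Event] = []
    rising_armed = falling_armed = True
    previous_raw: Optional[int] = None   # last raw sample (delta mode)
    last_value: Optional[int] = None     # last value that was compared

    for index, raw in enumerate(samples):
        if sample_type == "delta":
            if previous_raw is None:
                previous_raw = raw       # need two samples for a delta
                continue
            value, previous_raw = raw - previous_raw, raw
        else:
            value = raw

        first = last_value is None
        crossed_up = (startup in ("rising", "both")) if first else last_value < rising
        crossed_down = (startup in ("falling", "both")) if first else last_value > falling

        if value >= rising and rising_armed and crossed_up:
            events.append((index, "rising", value))
            rising_armed, falling_armed = False, True   # wait for a fall
        elif value <= falling and falling_armed and crossed_down:
            events.append((index, "falling", value))
            falling_armed, rising_armed = False, True   # wait for a rise
        last_value = value
    return events


if __name__ == "__main__":
    # Memory utilization in percent against the default 90/70 thresholds.
    memory = [65, 92, 95, 88, 91, 69, 93]
    print(alarm_events(memory, rising=90, falling=70, startup="rising"))
    # Cumulative octet counter sampled per interval, delta thresholds.
    octets = [0, 500000, 1500000, 2600000, 2900000, 4000000]
    print(alarm_events(octets, 892800, 446400, sample_type="delta"))
```

In the memory trace the dip to 88 followed by 91 raises nothing, because utilization never reached the falling threshold in between; a threshold pair set too far apart can therefore hide repeated spikes from the trap receiver.
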
rmon collection history
This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling.
Syntax
rmon collection history controlEntry index [[owner name] [buckets number] [interval seconds]] | [buckets number] [interval seconds] | interval seconds
no rmon collection history controlEntry index
index – Index to this entry. (Range: 1-65535)
number – The number of buckets requested for this entry.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection history controlentry 21 owner mike buckets 24 interval 60
Console(config-if)#

rmon collection rmon1
This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection.
Syntax
rmon collection rmon1 controlEntry index [owner name]
no rmon collection rmon1 controlEntry index
index – Index to this entry.
Taking delta samples, last value was 0
Rising threshold is 892800, assigned to event 0
Falling threshold is 446400, assigned to event 0
. . .

show rmon events
This command shows the settings for all configured events.
Received 164289 octets, 2372 packets,
120 broadcast and 2211 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
# of dropped packet events (due to lack of resources): 0
# of packets received of length (in octets):
64: 2245, 65-127: 87, 128-255: 31,
256-511: 5, 512-1023: 2, 1024-1518: 2
. . .
Chapter 8 Flow Sampling Commands
Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Example
Console(config)#sflow
Console(config)#

sflow destination
This command configures the IP address and UDP port used by the Collector. Use the no form to restore the default settings.
Syntax
sflow destination {ipv4 ipv4-address | ipv6 ipv6-address} [destination-udp-port]
no sflow destination
ipv4-address - IPv4 address of the sFlow Collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods.
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/9
Console(config-if)#sflow max-datagram-size 1500
Console(config-if)#

sflow max-header-size
This command configures the maximum size of the sFlow datagram header. Use the no form to restore the default setting.
Syntax
sflow max-header-size max-header-size
no max-header-size
max-header-size - The maximum size of the sFlow datagram header.
Example
This example sets the owner’s name to Lamar.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow owner Lamer
Console(config-if)#

sflow polling-interval
This command configures the interval at which counters are added to the sample datagram. Use the no form to restore the default polling interval.
Syntax
sflow polling-interval seconds
no sflow polling-interval
seconds - The interval at which the sFlow process adds counter values to the sample datagram.
Example
This example sets the sample rate to 1 out of every 100 packets.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow sample 100
Console(config-if)#

sflow source
This command enables sFlow on the source ports to be monitored. Use the no form to disable sFlow on the specified ports.
Syntax
[no] sflow source
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
This example enables flow control on ports 9 through 16.
Command Usage
The sFlow agent sends sample data to an sFlow collector until the timeout set by this command expires. The sFlow agent then resets the sampling interval, the receiver’s name, address and UDP port, the time out, maximum header size, and maximum datagram size.
Example
This example sets the time out to 1000 seconds.
Chapter 9 Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Syntax
enable password [level level] {0 | 7} password
no enable password [level level]
level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.)
{0 | 7} - 0 means plain password, 7 means encrypted password.
username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
Syntax
username name {access-level level | nopassword | password {0 | 7} password}
no username name
name - The name of the user. (Maximum length: 32 characters, case sensitive. Maximum users: 16)
access-level level - Specifies the user level.
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Example
Console(config)#authentication enable radius
Console(config)#
Related Commands
enable password - sets the password for changing command modes (142)

authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.
Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
local - Use local password.
radius - Use RADIUS server password.
tacacs - Use TACACS server password.
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Default Setting
1812
Command Mode
Global Configuration
Example
Console(config)#radius-server auth-port 181
Console(config)#

radius-server host
This command specifies primary and backup RADIUS servers, and authentication and accounting parameters that apply to each server. Use the no form to remove a specified server, or to restore the default values.
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
Syntax
radius-server key key-string
no radius-server key
key-string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#radius-server key green
Console(config)#

radius-server retransmit
This command sets the number of retries.
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
RADIUS Server Group:
Group Name                Member Index
------------------------- ------------
radius                    1
Console#

TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.
Default Setting
authentication port - 49
timeout - 5 seconds
retransmit - 2
Command Mode
Global Configuration
Example
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
Syntax
tacacs-server key key-string
no tacacs-server key
key-string - Encryption key used to authenticate logon access for the client.
Command Mode
Global Configuration
Example
Console(config)#tacacs-server port 181
Console(config)#

tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Retransmit Times : 2
Timeout : 5
Server 1:
Server IP Address : 10.11.12.
Server Port Number :
Retransmit Times :
Timeout :
TABLE 39 AAA Commands (Continued)
Command | Function | Mode
accounting exec | Applies an accounting method to local console, Telnet or SSH connections | Line
authorization exec | Applies an authorization method to local console, Telnet or SSH connections | Line
show accounting | Displays all accounting information | PE

aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.
aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting exec {default | method-name}
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests.
aaa accounting update
This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.
Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.
Default Setting
Authorization is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
• This command performs authorization to determine if a user is allowed to run an Exec shell.
• AAA authentication must be enabled before authorization is enabled.
server
This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group.
Syntax
[no] server {index | ip-address}
index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1)
ip-address - Specifies the host IP address of a server.
Default Setting
None
Command Mode
Server Group Configuration
Command Usage
• When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#

accounting exec
This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line.
Syntax
accounting exec {default | list-name}
no accounting exec
default - Specifies the default method list created with the aaa accounting exec command.
list-name - Specifies a method list created with the aaa accounting exec command.
Example
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#

show accounting
This command displays the current accounting settings per function and per port.
Syntax
show accounting [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics]
level - Displays command accounting information for a specifiable command level.
Web Server
This section describes commands used to configure web browser management access to the switch.
Command Mode
Global Configuration
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http port (161)
show system (61)

ip http secure-port
This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip http secure-port
port_number – The UDP port used for HTTPS.
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
• Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port.
• If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]
• When you start HTTPS, the connection is established in this way:
  • The client authenticates the server using the server’s digital certificate.
Telnet Server
This section describes commands used to configure Telnet management access to the switch.
ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Syntax
ip telnet port port-number
no telnet port
port-number - The TCP port number to be used by the browser interface. (Range: 1-65535)
Default Setting
23
Command Mode
Global Configuration
Example
Console(config)#ip telnet port 123
Console(config)#

ip telnet server
This command allows this device to be monitored or configured from Telnet.
Example
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 4
Console#

Secure Shell
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
NOTE
The switch supports both SSH Version 1.5 and 2.0 clients.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client.
d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
e.
Example
Console(config)#ip ssh authentication-retries 2
Console(config)#
Related Commands
show ip ssh (173)

ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Syntax
[no] ip ssh server
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Default Setting
768 bits
Command Mode
Global Configuration
Command Usage
The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits.
Example
Console(config)#ip ssh server-key size 512
Console(config)#

ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
delete public-key
This command deletes the specified user’s public key.
Syntax
delete public-key username [dsa | rsa]
username – Name of an SSH user. (Range: 1-8 characters)
dsa – DSA public key type.
rsa – RSA public key type.
Default Setting
Deletes both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Example
Console#ip ssh crypto host-key generate dsa
Console#
Related Commands
ip ssh crypto zeroize (172)
ip ssh save host-key (172)

ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
dsa – DSA key type.
rsa – RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
• This command clears the host key from volatile memory (RAM).
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key dsa
Console#
Related Commands
ip ssh crypto host-key generate (171)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - Version 2.
Example
Console#show public-key host
Host:
RSA:
1024 65537 13236940658254764031382795526536375927835525327972629521130241
0719421061655759424590939236096954050362775257556251003866130989393834523103328
0214988866192159556859887989191950588394018138744046890877916030583776818549000
2831341625008348718449522087429212255691665655296328163516964040831554766066415
1657116381
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqs
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
TABLE 45 802.
TABLE 45 802.1X Port Authentication Commands (Continued)
Command | Function | Mode
Display Information Commands
show dot1x | Shows all dot1x related information | PE

dot1x default
This command sets all configurable dot1x global and port settings to their default values.
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
Syntax
[no] dot1x system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dot1x system-auth-control
Console(config)#

dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN.
dot1x max-reauth-req
This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Syntax
dot1x operation-mode {single-host | multi-host [max-count count] | mac-based-auth}
no dot1x operation-mode [multi-host max-count]
single-host – Allows only a single host to connect to this port.
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
force-authorized – Configures the port to grant access to all clients, either dot1x-aware or otherwise.
Related Commands
dot1x timeout re-authperiod (181)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 178) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds.
dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds.
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Example
Console(config)#dot1x identity profile username steve
Console(config)#dot1x identity profile password excess
Console(config)#

dot1x max-start
This command sets the maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X unaware. Use the no form to restore the default value.
Syntax
dot1x max-start count
no dot1x max-start
count - Specifies the maximum number of EAP start frames.
• This switch can be configured to serve as the authenticator on selected ports by setting the control mode to “auto” (see the dot1x port-control command on page 180), and as a supplicant on other ports by setting the control mode to “force-authorized” and enabling dot1x supplicant mode with this command.
• A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port.
Default
60 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout held-period 120
Console(config-if)#

dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
Syntax
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds.
Command Mode
Privileged Exec
Command Usage
This command displays the following information:
• Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 177).
• Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 176).
• Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 183).
• 802.
• Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
• Backend State Machine
  • State – Current state (including request, response, success, fail, timeout, idle, initialize).
  • Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
  • Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
Authenticator PAE State Machine
 State              : Authenticated
 Reauth Count       : 0
 Current Identifier : 3
Backend State Machine
 State              : Idle
 Request Count      : 0
 Identifier(Server) : 2
Reauthentication State Machine
 State              : Initialize
Console#

Management IP Filter
This section describes commands used to configure IP management access to the switch.
Command Usage
• If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
• IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
• When entering addresses for the same group (i.e.
 2. 192.168.1.25      192.168.1.30
TELNET-Client:
 Start IP address     End IP address
-----------------------------------------------
 1. 192.168.1.19      192.168.1.19
 2. 192.168.1.25      192.168.1.
Chapter 10 General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
Port Security

TABLE 48 Management IP Filter Commands
Command                     Function                                                  Mode
mac-address-table static    Maps a static address to a port in a VLAN                 GC
port security               Configures a secure port                                  IC
show mac-address-table      Displays entries in the bridge-forwarding database        PE
show port security          Displays port security status and secure address count    PE

port security
This command enables or configures port security. Use the no form without any keywords to disable port security.
• To configure the maximum number of address entries which can be learned on a port, specify the maximum number of dynamic addresses allowed. The switch will learn up to the maximum number of allowed address pairs for frames received on the port. (The specified maximum address count is effective when port security is enabled or disabled.) Note that you can manually add additional secure addresses to a port using the mac-address-table static command.
Example
This example shows the port security settings and number of secure addresses for all ports.
 MAC Filter ID                    : Disabled
 Last Intrusion MAC               : NA
 Last Time Detected Intrusion MAC : NA
Console#
This example shows information about a detected intrusion.
Network Access (MAC Address Authentication)

TABLE 50 Network Access Commands (Continued)
Command                                   Function                                       Mode
network-access mode mac-authentication    Enables MAC authentication on an interface     IC
network-access port-mac-filter            Enables the specified MAC address filter       IC
mac-authentication intrusion-action       Determines the port response when a connected host fails MAC authentication.
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.
Syntax
[no] network-access mac-filter filter-id mac-address mac-address [mask mask-address]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for a range of addresses.
Command Usage
• The reauthentication time is a global setting and applies to all ports.
• When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected.
Example
Console(config)#mac-authentication reauth-time 300
Console(config)#

network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port.
Example
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#

network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-down action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.
shutdown - Disable port only.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#

network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Example
Console(config-if)#network-access max-mac-count 5
Console(config-if)#

network-access mode mac-authentication
Use this command to enable network access authentication on a port.
Example
Console(config-if)#network-access mode mac-authentication
Console(config-if)#

network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter.
Syntax
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table.
mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.
Syntax
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of MAC-authenticated MAC addresses allowed.
show network-access
Use this command to display the MAC authentication settings for port interfaces.
Syntax
show network-access [interface interface]
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
Default Setting
Displays the settings for all interfaces.
show network-access mac-address-table
Use this command to display secure MAC address table entries.
Syntax
show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry.
show network-access mac-filter
Use this command to display information for entries in the MAC filter tables.
Syntax
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting
Displays all filters.
Web Authentication

TABLE 52 Web Authentication (Continued)
Command                            Function                                                                                                               Mode
web-auth re-authenticate (Port)    Ends all web authentication sessions on the port and forces the users to re-authenticate                              PE
web-auth re-authenticate (IP)      Ends the web authentication session associated with the designated IP address and forces the user to re-authenticate  PE
show web-auth                      Displays global web authentication parameters                                                                          PE
show web-auth interface            Displays interface-specific web authentication para
Command Mode
Global Configuration
Example
Console(config)#web-auth quiet-period 120
Console(config)#

web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
Example
Console(config)#web-auth system-auth-control
Console(config)#

web-auth
This command enables web authentication for an interface. Use the no form to restore the default.
Syntax
[no] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
interface - Specifies a port interface.
  ethernet unit/port
    unit - This is unit 1.
    port - Port number. (Range: 1-12)
ip - IPv4 formatted IP address
Default Setting
None
Command Mode
Privileged Exec
Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.
show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
show web-auth interface interface
interface - Specifies a port interface.
  ethernet unit/port
    unit - This is unit 1.
    port - Port number. (Range: 1-12)
Command Mode
Privileged Exec
Example
Console#show web-auth interface ethernet 1/2
Web Auth Status : Enabled
Host Summary
IP address
---------------
1.1.1.1
1.1.1.
DHCP Snooping
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping vlan (220)
ip dhcp snooping trust (222)

ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
• When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
• When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address.
Command Usage
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with this command, DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command.
• Option 82 information generated by the switch is based on TR-101 syntax as shown below:

TABLE 54 Option 82 information
82       3-69       1           1-67          x1 x2 x3 x4 x5 x63
opt82    opt-len    sub-opt1    string-len    R-124 string

The circuit identifier used by this switch starts at sub-option1 and goes to the end of the R-124 string. The R-124 string includes the following information:
• sub-type - Distinguishes different types of circuit IDs.
• Set all ports connected to DHCP servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted.
Example
Console(config)#ip dhcp snooping database flash
Console(config)#

ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
Command Mode
Privileged Exec
Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
Example
Console#show ip dhcp snooping binding
MAC Address       IP Address      Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.
IP Source Guard

Command Usage
• Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
• All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command (page 228).
Command Usage
• Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
• Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port. Use the “sip” option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
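How the “sip” check described above plays out against a binding table, as an added Python example that is not code from the guide or from the switch firmware. It assumes that “sip-mac” additionally compares the source MAC address, that frames without a matching entry are dropped, and that lease expiry is measured from a learning timestamp; `Binding`, `learned_at`, `source_guard` and the table entries are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

STATIC = "Static-IP-SG-Binding"
DYNAMIC = "Dynamic-DHCP-Binding"


@dataclass(frozen=True)
class Binding:
    mac: str                 # xx-xx-xx-xx-xx-xx
    ip: str
    lease_sec: int           # 0 = infinite lease, as shown for static entries
    entry_type: str
    vlan: int
    port: str                # unit/port, e.g. "1/5"
    learned_at: float = 0.0  # assumption: time the entry was learned (seconds)


def norm_mac(mac: str) -> str:
    """Normalise case and separator so 00:AA.. and 00-aa.. compare equal."""
    return mac.strip().lower().replace(":", "-")


def lease_valid(b: Binding, now: float) -> bool:
    return b.lease_sec == 0 or b.learned_at + b.lease_sec > now


def source_guard(bindings: Iterable[Binding], mode: str, *, port: str, vlan: int,
                 src_ip: str, src_mac: str, now: float) -> Tuple[bool, str]:
    """Return (forward?, reason) for one frame received on a guarded port."""
    if mode not in ("sip", "sip-mac"):
        raise ValueError("mode must be 'sip' or 'sip-mac'")
    same_addr = [b for b in bindings if b.vlan == vlan and b.ip == src_ip]
    if not same_addr:
        return False, "no-binding"
    on_port = [b for b in same_addr if b.port == port]
    if not on_port:
        return False, "bound-to-other-port"   # neighbour's address used here
    live = [b for b in on_port if lease_valid(b, now)]
    if not live:
        return False, "lease-expired"
    if mode == "sip-mac" and not any(norm_mac(b.mac) == norm_mac(src_mac) for b in live):
        return False, "mac-mismatch"
    return True, "ok"


# Constructed binding table: one static entry and one DHCP-learned entry.
TABLE = [
    Binding("00-aa-bb-cc-dd-01", "10.0.0.10", 0, STATIC, 1, "1/5"),
    Binding("00-aa-bb-cc-dd-02", "10.0.0.20", 300, DYNAMIC, 1, "1/6", learned_at=1000.0),
]

if __name__ == "__main__":
    frames = [  # (mode, port, src_ip, src_mac, now), all constructed
        ("sip", "1/5", "10.0.0.10", "00-aa-bb-cc-dd-99", 5000.0),
        ("sip-mac", "1/5", "10.0.0.10", "00-aa-bb-cc-dd-99", 5000.0),
        ("sip", "1/6", "10.0.0.10", "00-aa-bb-cc-dd-01", 5000.0),
        ("sip", "1/6", "10.0.0.20", "00-aa-bb-cc-dd-02", 1300.0),
    ]
    for mode, port, ip, mac, now in frames:
        print(mode, port, ip, mac,
              source_guard(TABLE, mode, port=port, vlan=1, src_ip=ip, src_mac=mac, now=now))
```

Under these assumptions, “sip” alone forwards a frame that carries a bound IP address with a different source MAC on the same port; only the MAC-checking mode rejects it.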
ip source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
Syntax
ip source-guard max-binding number
no ip source-guard max-binding
number - The maximum number of IP addresses that can be mapped to an interface in the binding table.
show ip source-guard binding
This command shows the source guard binding table.
Syntax
show ip source-guard binding [dhcp-snooping | static]
dhcp-snooping - Shows dynamic entries configured with DHCP Snooping commands (see page 216)
static - Shows static entries configured with the ip source-guard binding command (see page 225).
ARP Inspection

TABLE 56 ARP Inspection Commands (Continued)
Command                                 Function                                                                                                              Mode
show ip arp inspection configuration    Displays the global configuration settings for ARP Inspection                                                        PE
show ip arp inspection interface        Shows the trust status and inspection rate limit for ports                                                           PE
show ip arp inspection log              Shows information about entries stored in the log, including the associated VLAN, port, and address components       PE
show ip arp inspection statistics       Shows statistics about the number of A
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID. (Range: 1-4093)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
Default Setting
Message Number: 5
Interval: 1 second
Command Mode
Global Configuration
Command Usage
• ARP Inspection must be enabled with the ip arp inspection command before this command will be accepted by the switch.
• By default, logging is active for ARP Inspection, and cannot be disabled.
• When the switch drops a packet, it places an entry in the log buffer.
Default Setting
No additional validation is performed
Command Mode
Global Configuration
Command Usage
By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database.
Example
Console(config)#ip arp inspection validate dst-mac
Console(config)#

ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
Example
Console(config)#ip arp inspection vlan 1,2
Console(config)#

ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
Syntax
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second.
Command Usage
Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks. Packets arriving on trusted ports bypass all of these checks, and are forwarded according to normal switching rules.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#

show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address
--- ---- ---- -------------- --------------
1   1    11   192.168.2.2    192.168.2.
Console#
Example
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status      ACL Name             ACL Status
-------- --------------- -------------------- --------------------
1        disabled        sales                static
Console#
Chapter 11 Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
{permit | deny} {any | source bitmask | host source} [time-range time-range-name]
no {permit | deny} {any | source bitmask | host source}
any – Any source IP address.
source – Source IP address.
bitmask – Dotted decimal number representing the address bits to match.
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
dport – Protocol destination port number. (Range: 0-65535)
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range.
This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.
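The address bitmask, port-bitmask and flag-bitmask parameters defined above all select which bits of a field are compared. The following Python model is an added example, not code from the guide or from Brocade; it assumes a field matches when it equals the rule value on every bit set to 1 in the bitmask, that rules are checked top-down with the first match deciding, and that an omitted port or flag bitmask means an exact match. `Rule`, `evaluate` and `ports_selected` are hypothetical names, the rule sets are constructed, and the switch's behaviour when no rule matches is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits (low six bits of header byte 14), matching the 0-63 range.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def masked_equal(value: int, wanted: int, mask: int) -> bool:
    """True when value and wanted agree on every bit that is 1 in mask."""
    return (value & mask) == (wanted & mask)


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"      # all-zero bitmask compares nothing ("any")
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dport: Optional[int] = None    # None = rule does not test the port
    dport_mask: int = 0xFFFF       # assumption: no bitmask given = exact match
    flags: Optional[int] = None    # control-flags value, 0-63
    flag_mask: int = 0x3F          # assumption: no bitmask given = exact match

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.dport is not None and not (
                self.dport in range(65536) and self.dport_mask in range(65536)):
            raise ValueError("port and port-bitmask range is 0-65535")
        if self.flags is not None and not (
                self.flags in range(64) and self.flag_mask in range(64)):
            raise ValueError("control-flags and flag-bitmask range is 0-63")

    def matches(self, src: str, dst: str, dport: int, tcp_flags: int = 0) -> bool:
        if not masked_equal(ip_int(src), ip_int(self.src), ip_int(self.src_mask)):
            return False
        if not masked_equal(ip_int(dst), ip_int(self.dst), ip_int(self.dst_mask)):
            return False
        if self.dport is not None and not masked_equal(dport, self.dport, self.dport_mask):
            return False
        if self.flags is not None and not masked_equal(tcp_flags & 0x3F, self.flags, self.flag_mask):
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             tcp_flags: int = 0) -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches."""
    for rule in rules:
        if rule.matches(src, dst, dport, tcp_flags):
            return rule.action
    return None


def ports_selected(port: int, mask: int) -> List[int]:
    """Audit helper: every destination port a port/port-bitmask pair matches."""
    return [p for p in range(65536) if masked_equal(p, port, mask)]


# Constructed rule sets modelled on the guide's 192.168.1.0 255.255.255.0 examples.
EXACT_HTTP = [Rule("permit", "192.168.1.0", "255.255.255.0", dport=80)]
LOOSE_HTTP = [Rule("permit", "192.168.1.0", "255.255.255.0", dport=80, dport_mask=80)]
SYN_ANY_ACK = [Rule("permit", "192.168.1.0", "255.255.255.0", flags=SYN, flag_mask=SYN)]
SYN_NO_ACK = [Rule("permit", "192.168.1.0", "255.255.255.0", flags=SYN, flag_mask=SYN | ACK)]

if __name__ == "__main__":
    loose = ports_selected(80, 80)
    print(len(loose), "ports match 80 with bitmask 80, starting", loose[:6])
    print("8443 via loose rule:", evaluate(LOOSE_HTTP, "192.168.1.7", "10.0.0.1", 8443))
    print("SYN+ACK, mask SYN:", evaluate(SYN_ANY_ACK, "192.168.1.7", "10.0.0.1", 80, SYN | ACK))
    print("SYN+ACK, mask SYN|ACK:", evaluate(SYN_NO_ACK, "192.168.1.7", "10.0.0.1", 80, SYN | ACK))
```

Under these assumptions a port pair such as 80 with bitmask 80 selects 16384 destination ports, so a rule review should flag any port-bitmask other than 65535 and confirm the wider match is intended.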
show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
 IP access-list david in
Console#
Related Commands
ip access-group (244)

show ip access-list
This command displays the rules for configured IPv4 ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL.
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Related Commands
permit, deny (Standard IPv6 ACL) (247)
permit, deny (Extended IPv6 ACL) (248)
ipv6 access-group (250)
show ipv6 access-list (249)

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, or next header type. Use the no form to remove a rule.
• Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
 permit 2009:DB9:2229:5::/64
Console#
Related Commands
permit, deny (Standard IPv6 ACL) (247)
permit, deny (Extended IPv6 ACL) (248)
ipv6 access-group (250)

ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.
Syntax
ipv6 access-group acl-name {in | out} [time-range time-range-name] [counter]
no ipv6 access-group acl-name {in | out}
acl-name – Name of the ACL. (Maximum length: 16 characters)
in – Indicates that this list applies to ingress packets.
show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
Command Mode
Privileged Exec
Example
Console#show ipv6 access-group
Interface ethernet 1/2
 IPv6 standard access-list david in
Console#
Related Commands
ipv6 access-group (250)

MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
• To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
• An ACL can contain up to 128 rules.
no {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]]
{permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name]
no {permit | deny} tagged-802.
Command Usage
• New rules are added to the end of the list.
• The ethertype option can only be used to filter Ethernet II formatted packets.
• A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
  • 0800 - IP
  • 0806 - ARP
  • 8137 - IPX
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Related Commands
show mac access-list (255)
Time Range (102)

show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Console#show mac access-group
Interface ethernet 1/5
 MAC access-list M5 in
Console#
Related Commands
mac access-group (254)

show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.
ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command (page 233).
permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Syntax
[no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log]
This form indicates either request or response packets.
Related Commands
access-list arp (256)

show access-list arp
This command displays the rules for configured ARP ACLs.
Syntax
show access-list arp [acl-name]
acl-name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show access-list arp
ARP access-list factory:
 permit response ip any 192.168.0.0 255.255.0.
ACL Information

Example
Console#clear access-list hardware counters
Console#

show access-group
This command shows the port assignments of ACLs.
Command Mode
Privileged Executive
Example
Console#show access-group
Interface ethernet 1/2
 IP access-list david
 MAC access-list jerry
Console#

show access-list
This command shows all ACLs and associated rules.
 permit 10.7.1.1 255.255.255.0 any
 permit 192.168.1.0 255.255.255.0 any destination-port 80 80
 permit 192.168.1.0 255.255.255.
Chapter 12 Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
TABLE 63 Interface Commands (Continued)
Command                        Function                                                                                                                                              Mode
show interfaces switchport     Displays the administrative and operational status of an interface                                                                                   NE, PE
show interfaces transceiver    Displays the temperature, voltage, bias current, transmit power, and receive power information on connector type and vendor-related parameters      PE
test cable-diagnostics         Performs cable diagnostics on the specified port                                                                                                     PE
show cable-diagnostics         Shows the results of a cable diagnosti
• When the interface command is used for the first time to enter interface configuration mode for a VLAN, that VLAN is changed to a Layer 3 interface. VLANs must be configured as a Layer 3 interface before the switch will allow access to any Layer 3 configuration options (e.g., setting an IP address) and reserve the memory space required to maintain additional information about this interface type.
capabilities
This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The description is displayed by the show interfaces status command and in the running-configuration file.
• To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface.
• When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To enable flow control under auto-negotiation, “flowcontrol” must be included in the capabilities list for any port.
Example
The following example enables flow control on port 5.
media-type
This command forces the port type selected for combination ports. Use the no form to restore the default mode.

Syntax
media-type mode
no media-type
mode
  copper-forced - Always uses the built-in RJ-45 port.
  sfp-forced - Always uses the SFP port (even if module not installed).
  sfp-preferred-auto - Uses SFP port if both combination types are functioning and the SFP port has a valid link.
• When auto-negotiation is enabled, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
• If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.

Example
The following example configures port 10 to use auto-negotiation.
speed-duplex
This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
switchport packet-rate
This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting.

Syntax
switchport {broadcast | multicast | unicast} packet-rate rate
no switchport {broadcast | multicast | unicast}
broadcast - Specifies storm control for broadcast traffic.
multicast - Specifies storm control for multicast traffic.
unicast - Specifies storm control for unknown unicast traffic.
rate - Threshold level as a rate; i.e.
transceiver-threshold current
This command sends a trap when the transceiver current falls outside the specified thresholds.

Syntax
transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sends an alarm message when the high current threshold is crossed.
high-warning – Sends a warning message when the high current threshold is crossed.
low-alarm – Sends an alarm message when the low current threshold is crossed.
transceiver-threshold rx-power
This command sends a trap when the power level of the received signal falls outside of the specified thresholds.

Syntax
transceiver-threshold rx-power {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sends an alarm message when the high power threshold is crossed.
high-warning – Sends a warning message when the high power threshold is crossed.
low-alarm – Sends an alarm message when the low power threshold is crossed.
transceiver-threshold temperature
This command sends a trap when the transceiver temperature falls outside of the specified thresholds.

Syntax
transceiver-threshold temperature {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sends an alarm message when the high temperature threshold is crossed.
high-warning – Sends a warning message when the high temperature threshold is crossed.
transceiver-threshold tx-power
This command sends a trap when the power level of the transmitted signal falls outside of the specified thresholds.

Syntax
transceiver-threshold tx-power {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sends an alarm message when the high power threshold is crossed.
high-warning – Sends a warning message when the high power threshold is crossed.
transceiver-threshold voltage
This command sends a trap when the transceiver voltage falls outside the specified thresholds.

Syntax
transceiver-threshold voltage {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sends an alarm message when the high voltage threshold is crossed.
high-warning – Sends a warning message when the high voltage threshold is crossed.
low-alarm – Sends an alarm message when the low voltage threshold is crossed.
clear counters
This command clears statistics on an interface.

Syntax
clear counters interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
  port-channel channel-id (Range: 1-12)
  vlan vlan-id (Range: 1-4093)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.
show interfaces counters
This command displays interface statistics.

Syntax
show interfaces counters [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
  port-channel channel-id (Range: 1-12)

Default Setting
Shows the counters for all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed.
0 Internal Mac Receive Errors
0 Frames Too Long
0 Carrier Sense Errors
0 Symbol Errors
0 Pause Frames Input
0 Pause Frames Output
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 O
count - The number of historical samples to display. (Range: 1-96)
input - Ingress traffic.
output - Egress traffic.

Default Setting
Shows historical statistics for all interfaces, intervals, ingress traffic, and egress traffic.

Command Mode
Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port or Trunk Statistics” on page 684.
Current Entries
Start Time   Octets Input    Unicast       Multicast     Broadcast
------------ --------------- ------------- ------------- -------------
00d 02:45:07 116003318       616894        336491        17899
Discards      Errors        Unknown Proto
------------- ------------- -------------
0             0             0
Octets Output   Unicast       Multicast     Broadcast
--------------- ------------- ------------- -------------
648387890       819696        358285        8921
Discards      Errors
------------- -------------
0             0
Interface Name Interval Buckets Requested Buckets Granted S
Discards      Errors        Unknown Proto
------------- ------------- -------------
0             0             0
Octets Output   Unicast       Multicast     Broadcast
--------------- ------------- ------------- -------------
5095864         7894          1776          18
Discards      Errors
------------- -------------
0             0
Previous Entries
Start Time   Octets Input    Unicast       Multicast     Broadcast
------------ --------------- ------------- ------------- -------------
00d 00:05:37 1400912         9381          1895          50
00d 00:06:37 1566090         10660         2195          50
00d 00:07:37 1754781         11786         2674          59
Start
Default Setting
Shows the status for all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status” on page 678.
Default Setting
Shows all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed.

Example
This example shows the configuration setting for port 1.
TABLE 64 show interfaces switchport - display description (Continued)
Field | Description
Priority for Untagged Traffic | Indicates the default priority for untagged frames (page 422).
GVRP Status | Shows if GARP VLAN Registration Protocol is enabled or disabled (page 376).
Allowed VLAN | Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (page 382).
Eth Compliance Codes : 1000BASE-SX
Baud Rate            : 1200 MBd
Vendor OUI           : 00-30-D3
Vendor Name          : AGILENT
Vendor PN            : HFBR-5710L
Vendor Rev           :
Vendor SN            : 0111010843570877
Date Code            : 01-11-01
DDM Info
Temperature          : 37.56 degree C
Vcc                  : 3.29 V
Bias Current         : 24.15 mA
TX Power             : -5.79 dBm
RX Power             : -34.03 dBm
Console#

test cable-diagnostics
This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length.
• To ensure more accurate measurement of the length to a fault, first disable power-saving mode (using the no power-save command) on the link partner before running cable diagnostics.
power-save
This command enables power savings mode on the specified port.

Syntax
[no] power-save

Command Mode
Interface Configuration (Ethernet)

Command Usage
• IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
show power-save
This command shows the configuration settings for power savings.

Syntax
show power-save [interface interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Chapter 13 Link Aggregation Commands

Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks.
• Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
• All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
• STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
• To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load-balance calculation to provide the best result for trunk connections:
  • dst-ip: All traffic with the same destination IP address is output on the same link in a trunk. This mode works best for switch-to-router trunk links where traffic through the switch is destined for many different hosts.
Example
The following example creates trunk 1 and then adds port 10:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/10
Console(config-if)#channel-group 1
Console(config-if)#

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Port Admin : Up
Speed-duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Broadcast Storm : Enabled
Broadcast Storm Limit : 64 Kbits/second
Multicast Storm : Disabled
Multicast Storm Limit : 64 Kbits/second
Unknown Unicast Storm : Disabled
Unknown Unicast Storm Limit : 64 Kbits/second
Flow Control : Disabled
VLAN Trunking : Disabled
Current status:
Created By : LACP
Link Status : Up
Port Operation Status : Up
Operation speed-duplex : 1000full
Up Time : 0w 0
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor admin-key 120
Console(config-if)#

lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - LACP port priority is used to select a backup link.
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
Command Mode
Interface Configuration (Port Channel)

Command Usage
• Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
Example
Console(config)#interface port-channel 1
Console(config-if)#lacp timeout short
Console(config-if)#

show lacp
This command displays LACP information.

Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}
port-channel - Local identifier for a link aggregation group. (Range: 1-12)
counters - Statistics for LACP protocol messages.
internal - Configuration settings and operational state for local side.
Console#show lacp 1 internal
Port Channel : 1
-------------------------------------------------------------------------
Oper Key : 3
Admin Key : 0
Timeout : long
Eth 1/ 1
-------------------------------------------------------------------------
LACPDUs Internal : 30 seconds
LACP System Priority : 32768
LACP Port Priority : 32768
Admin Key : 3
Oper Key : 3
Admin State : defaulted, aggregation, long timeout, LACP-activity
Oper State : distributing, collecting, synchronization, aggre
Console#show lacp 1 neighbors
Port Channel 1 neighbors
-------------------------------------------------------------------------
Eth 1/ 1
-------------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-12-CF-61-24-2F
Partner Admin Port Number : 1
Partner Oper Port Number : 1
Port Admin Priority : 32768
Port Oper Priority : 32768
Admin Key : 0
Oper Key : 3
Admin State: defaulted, distrib
TABLE 69 show lacp sysid - display description
Field | Description
Channel group | A link aggregation group configured on this switch.
System Priority* | LACP system priority for this channel group.
System MAC Address* | System MAC address.
* The LACP system priority and system MAC address are concatenated to form the LAG system ID.

show port-channel load-balance
This command shows the load-distribution method used on aggregated links.
Chapter 14 Port Mirroring Commands

Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
14 Local Port Mirroring Commands
acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters)

Default Setting
• No mirror session is defined.
• When enabled for an interface, default mirroring is for both received and transmitted packets.
• When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.
This example configures port 2 to monitor packets matching the MAC address 00-12-CF-XX-XX-XX received by port 1.
RSPAN Mirroring Commands

Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.
• IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. RSPAN uplink ports cannot be configured to use IEEE 802.
Example
The following example configures the switch to mirror received packets from port 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Example
The following example configures port 4 to receive mirrored RSPAN traffic:
Console(config)#rspan session 1 destination interface ethernet 1/2
Console(config)#

rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.
• Only destination and uplink ports will be assigned by the switch as members of this VLAN. Ports cannot be manually assigned to an RSPAN VLAN with the switchport allowed vlan command. Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
Example
Console#show rspan session
RSPAN Session ID                : 1
Source Ports (mirrored ports)   : None
RX Only                         : None
TX Only                         : None
BOTH                            : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode         : Untagged
Switch Role                     : Destination
RSPAN VLAN                      : 2
RSPAN Uplink Ports              : Eth 1/3
Operation Status                : Up
Console#

Brocade 6910 Ethernet Access Switch Configuration Guide 53-1002581-01
Chapter 15 Rate Limit Commands

This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 64
Console(config-if)#

Related Command
show interfaces switchport (282)
Chapter 16 Automatic Traffic Control Commands

Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
TABLE 74 ATC Commands (Continued)
Command | Function | Mode
ATC Display Commands
show auto-traffic-control | Shows global configuration settings for automatic storm control | PE
show auto-traffic-control interface | Shows interface configuration settings and storm control status for the specified port | PE
* Enabling automatic storm control on a port will disable hardware-level storm control on the same port if configured by the switchport packet-rate command.
FIGURE 2 Storm Control by Shutting Down a Port

The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

Functional Limitations
Automatic storm control is a software level control function. Traffic storms can also be controlled at the hardware level using the switchport packet-rate command.
Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command.

Example
This example sets the apply timer to 200 seconds for all ports.
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.

Syntax
[no] auto-traffic-control {broadcast | multicast}
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
Default Setting
Rate control

Command Mode
Interface Configuration (Ethernet)

Command Usage
• When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
• When the control response is set to rate limiting by this command, the rate limits are determined by the auto-traffic-control alarm-clear-threshold command.
Command Usage
• Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.
• If rate limiting has been configured as a control response, it will be discontinued after the traffic rate has fallen beneath the lower threshold, and the release timer has expired.
Example
This example sets the trigger threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-fire-threshold 255
Console(config-if)#

auto-traffic-control auto-control-release
This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast control-release
Console(config-if)#

snmp-server enable port-traps atc broadcast-alarm-clear
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
snmp-server enable port-traps atc broadcast-control-apply
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
snmp-server enable port-traps atc multicast-alarm-clear
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
snmp-server enable port-traps atc multicast-control-apply
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
show auto-traffic-control
This command shows global configuration settings for automatic storm control.

Command Mode
Privileged Exec

Example
Console#show auto-traffic-control
Storm Control Broadcast
 Apply Timer (sec) : 300
 Release Timer (sec) : 900
Storm Control Multicast
 Apply Timer (sec) : 300
 Release Timer (sec) : 900
Console#

show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.
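
The threshold and timer behaviour described in this chapter can be modelled as a small state machine, which helps when choosing timer values or interpreting the ATC traps in a monitoring system. The following Python model is an added illustration, not Brocade code: the AtcPort class, its state and event names, and the two behaviours marked as assumptions in the comments are not taken from this guide.

```python
from dataclasses import dataclass, field


@dataclass
class AtcPort:
    """Model of ATC for one storm type (broadcast or multicast) on one port."""
    fire_threshold: int            # alarm-fire-threshold (upper threshold)
    clear_threshold: int           # alarm-clear-threshold (lower threshold)
    apply_timer: int = 300         # seconds, as in the show output above
    release_timer: int = 900       # seconds, as in the show output above
    action: str = "rate-control"   # or "shutdown"
    auto_release: bool = True      # auto-traffic-control auto-control-release
    state: str = "normal"
    since: int = 0                 # time at which the running timer started
    events: list = field(default_factory=list)

    def _emit(self, now, name):
        self.events.append((now, name))

    def tick(self, now, rate):
        """Feed one sample: `rate` is the storm traffic rate observed at `now`."""
        if self.state == "normal":
            if rate > self.fire_threshold:
                self.state, self.since = "alarm-fired", now
                self._emit(now, "alarm-fire")
        elif self.state == "alarm-fired":
            if now - self.since >= self.apply_timer:
                # Assumption: the rate must still exceed the upper threshold
                # when the apply timer expires, otherwise the alarm is dropped.
                if rate > self.fire_threshold:
                    self.state = ("shutdown" if self.action == "shutdown"
                                  else "rate-limited")
                    self._emit(now, "control-apply")
                else:
                    self.state = "normal"
        elif self.state == "rate-limited":
            if rate < self.clear_threshold:
                self.state, self.since = "alarm-cleared", now
                self._emit(now, "alarm-clear")
        elif self.state == "alarm-cleared":
            if rate >= self.clear_threshold:
                # Assumption: a rebound cancels the pending release.
                self.state = "rate-limited"
            elif self.auto_release and now - self.since >= self.release_timer:
                self.state = "normal"
                self._emit(now, "control-release")
        # "shutdown" has no automatic exit: the port stays down until an
        # operator re-enables it.

    def forwarded(self, rate):
        """Storm traffic passed by the port in the current state."""
        if self.state == "shutdown":
            return 0
        if self.state in ("rate-limited", "alarm-cleared"):
            # The rate limit is taken from the alarm-clear-threshold.
            return min(rate, self.clear_threshold)
        return rate

    def manual_release(self, now):
        """Operator releases the control response or re-enables the port."""
        if self.state in ("rate-limited", "alarm-cleared", "shutdown"):
            self.state = "normal"
            self._emit(now, "manual-release")


def simulate(port, samples):
    """Run (time, rate) samples through the model and return its event list."""
    for now, rate in samples:
        port.tick(now, rate)
    return port.events


# Constructed one-second samples: a storm from t=1 to t=5, then quiet.
SAMPLES = ([(0, 10)] + [(t, 200) for t in range(1, 6)]
           + [(t, 20) for t in range(6, 12)])

if __name__ == "__main__":
    for action in ("rate-control", "shutdown"):
        p = AtcPort(fire_threshold=100, clear_threshold=50,
                    apply_timer=3, release_timer=5, action=action)
        print(action, simulate(p, SAMPLES), "final state:", p.state)
```

The timers in the demo are shortened to 3 and 5 seconds so the full cycle fits in twelve samples; with the 300 and 900 second values shown by show auto-traffic-control, a storm must persist for five minutes before any control response is applied.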
Chapter 17 Address Table Commands

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#clear mac-address-table dynamic
Console#

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.

Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
• The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit “0” means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.”
• The maximum number of address entries is 16K.
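
The mask described above is a wildcard mask, the inverse of the familiar netmask convention, which makes it easy to enter backwards. The following Python example is added here for illustration and is not part of the Brocade guide; the function names and the three forwarding-table rows are constructed. It applies the "0 = match, 1 = ignore" rule to a table and converts a prefix length (24 bits for a vendor OUI) into the mask form the command expects.

```python
import re

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")
ALL_BITS = (1 << 48) - 1


def parse_mac(text):
    """Convert xx-xx-xx-xx-xx-xx to a 48-bit integer, rejecting other forms."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not in xx-xx-xx-xx-xx-xx form: {text!r}")
    return int(text.replace("-", ""), 16)


def format_mac(value):
    """Render a 48-bit integer as upper-case xx-xx-xx-xx-xx-xx."""
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def mac_matches(candidate, address, mask):
    """True if candidate equals address on every bit where the mask bit is 0."""
    care = ~parse_mac(mask) & ALL_BITS          # bits that must match
    return ((parse_mac(candidate) ^ parse_mac(address)) & care) == 0


def prefix_to_wildcard(prefix_bits):
    """Wildcard mask that matches the first prefix_bits bits (24 = an OUI)."""
    if not 0 <= prefix_bits <= 48:
        raise ValueError("prefix_bits must be between 0 and 48")
    return format_mac(ALL_BITS >> prefix_bits)


def filter_table(table, address, mask):
    """Rows of (interface, mac, vlan) whose MAC matches address under mask."""
    return [row for row in table if mac_matches(row[1], address, mask)]


# Constructed forwarding-table rows: (interface, MAC address, VLAN).
TABLE = [
    ("Eth 1/1", "00-12-CF-61-24-2F", 1),
    ("Eth 1/2", "00-12-CF-0A-00-01", 1),
    ("Eth 1/3", "00-30-D3-11-22-33", 2),
]

if __name__ == "__main__":
    oui_mask = prefix_to_wildcard(24)
    print("OUI mask:", oui_mask)
    print("OUI 00-12-CF:", filter_table(TABLE, "00-12-CF-00-00-00", oui_mask))
    # A netmask-style value compares only the last three octets instead.
    print("inverted mask:",
          filter_table(TABLE, "00-12-CF-00-00-00", "FF-FF-FF-00-00-00"))
```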
Command Mode
Privileged Exec

Example
Console#show mac-address-table count interface ethernet 1/1
MAC Entries for Port ID :1
Dynamic Address Count :0
Total MAC Addresses :0
Total MAC Address Space Available: 16384
Console#
Chapter 18 Spanning Tree Commands

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
TABLE 76 Spanning Tree Commands (Continued)
Command | Function | Mode
spanning-tree loopback-detection release-mode | Configures loopback release mode for a port | IC
spanning-tree loopback-detection trap | Enables BPDU loopback SNMP trap notification for a port | IC
spanning-tree mst cost | Configures the path cost of an instance in the MST | IC
spanning-tree mst port-priority | Configures the priority of an instance in the MST | IC
spanning-tree port-bpdu-flooding | Floods BPDUs to
Example
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#

spanning-tree cisco-prestandard
This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.

[no] spanning-tree cisco-prestandard

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Cisco prestandard versions prior to Cisco IOS Release 12.
Command Usage
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting
rstp

Command Mode
Global Configuration

Command Usage
• Spanning Tree Protocol
  This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
short - Specifies 16-bit based values that range from 1-65535.
Command Mode
Global Configuration

Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Default Setting
Floods to all other ports in the same VLAN.

Command Mode
Global Configuration

Command Usage
The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command).

Example
Console(config)#spanning-tree system-bpdu-flooding
Console(config)#

spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs.
Default Setting
20

Command Mode
MST Configuration

Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.

Syntax
[no] mst instance-id vlan vlan-range
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
vlan-range - Range of VLANs. (Range: 1-4093)

Default Setting
none

Command Mode
MST Configuration

Command Usage
• Use this command to group VLANs into spanning tree instances.
Command Usage
The MST region name and revision number (page 344) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command filters all Bridge Protocol Data Units (BPDUs) received on an interface to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs.
• Before enabling BPDU Guard, the interface must be configured as an edge port with the spanning-tree edge-port command. Also note that if the edge port attribute is disabled on an interface, BPDU Guard will also be disabled on that interface.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
• Path cost takes precedence over port priority.
• When the path cost method (page 339) is set to short, the maximum value for path cost is 65,535.
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
Command Usage
• If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).
• Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.

Syntax
spanning-tree loopback-detection release-mode {auto | manual}
no spanning-tree loopback-detection release-mode
auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection trap

spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
Related Commands
spanning-tree mst port-priority (352)

spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority for an interface.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• When enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the spanning-tree system-bpdu-flooding command.
• The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port by the spanning-tree port-bpdu-flooding command.
spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.

Syntax
[no] spanning-tree root-guard

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
Example
This example disables the spanning tree algorithm for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#

spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback-detection.

Syntax
spanning-tree loopback-detection release interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
• Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.
• For a description of the items displayed under “Spanning-tree information,” see “Configuring Global Settings for STA” on page 763. For a description of the items displayed for specific interfaces, see “Displaying Interface Settings for STA” on page 771.
. . .
Loopback Detection Action         : Block
Root Guard Status                 : Disabled
BPDU Guard Status                 : Disabled
BPDU Guard Auto Recovery          : Disabled
BPDU Guard Auto Recovery Interval : 300
BPDU Filter Status                : Disabled

This example shows a brief summary of global and interface settings for the spanning tree.
Console#show spanning-tree brief
Spanning Tree Mode             : RSTP
Spanning Tree Enabled/Disabled : Enabled
Designated Root                : 32768.
Current Root Port              :
Current Root Cost              :
Chapter 19 ERPS Commands

The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
3. Configure the RPL owner: Configure one node in the ring as the Ring Protection Link (RPL) owner using the rpl owner command. When this switch is configured as the RPL owner, the west ring port is set as being connected to the RPL. Under normal operations (Idle state), the RPL is blocked to ensure that a loop cannot form in the ring.
Related Commands
enable (362)

erps domain
This command creates an ERPS ring and enters ERPS configuration mode for the specified domain. Use the no form to delete a ring.

Syntax
[no] erps domain name
name - Name of a specific ERPS ring. (Range: 1-12 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Up to 6 ERPS rings can be configured on the switch.
• The following restrictions are recommended to avoid creating a loop in the network or other problems which may occur under some situations:
  • The Control VLAN must not be configured as a Layer 3 interface (with an IP address), a dynamic VLAN (with GVRP enabled), nor as a private VLAN.
  • In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN.
  • Also, the ring ports of the Control VLAN must be tagged.
Related Commands
erps (360)

guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.

Syntax
guard-timer milliseconds
milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
Command Usage
In order to coordinate timing of protection switches at multiple layers, a hold-off timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero.
meg-level
This command sets the Maintenance Entity Group level for a ring. Use the no form to restore the default setting.

Syntax
meg-level level
level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7)

Default Setting
0

Command Mode
ERPS Configuration

Command Usage
• This parameter is used to ensure that received R-APS PDUs are directed for this ring.
Command Mode
ERPS Configuration

Command Usage
• If this command is used to monitor the link status of an ERPS node with CFM continuity check messages, then the MEG level set by the meg-level command must match the authorized maintenance level of the CFM domain to which the specified MEP belongs.
• To ensure complete monitoring of a ring node, use the mep-monitor command to specify the CFM MEPs used to monitor both the east and west ports of the ring node.
non-erps-dev-protect
This command sends non-standard health-check packets when an owner node enters protection state without any link down event having been detected through SF messages. Use the no form to disable this feature.

Syntax
[no] non-erps-dev-protect

Default Setting
Disabled

Command Mode
ERPS Configuration

Command Usage
• The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link.
propagate-tc
This command enables propagation of topology change messages for a secondary ring to the primary ring. Use the no form to disable this feature.

Syntax
[no] propagate-tc

Default Setting
Disabled

Command Mode
ERPS Configuration

Command Usage
• When a secondary ring detects a topology change, it can pass a message about this event to the major ring.
Command Mode
ERPS Configuration

Command Usage
Each node must be connected to two neighbors on the ring. For convenience, the ports connected are referred to as east and west ports. Alternatively, the closest neighbor to the east should be the next node in the ring in a clockwise direction, and the closest neighbor to the west should be the next node in the ring in a counter-clockwise direction.
Default Setting
5 minutes

Command Mode
ERPS Configuration

Command Usage
If the switch goes into ring protection state due to a signal failure, after the failure condition is cleared, the RPL owner will start the wait-to-restore timer and wait until it expires to verify that the ring has stabilized before blocking the RPL and returning to the Idle (normal operating) state.
TABLE 80 show erps - summary display description (Continued)

Field    Description
State    Shows the following ERPS states:
         Init – The ERPS ring has started but has not yet determined the status of the ring.
         Idle – If all nodes in a ring are in this state, it means that all the links in the ring are up. This state will switch to protection state if a link failure occurs.
         Protection – If a node is in this state, it means that a link failure has occurred.
TABLE 81 show erps domain - detailed display description (Continued)

Field        Description
West Port    Shows the west ring port for this node, and the interface state:
             Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
Chapter 20 VLAN Commands

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
GVRP and Bridge Extension Commands

GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.

Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.

Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4093).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show bridge-ext
This command shows the configuration for bridge extension commands.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
See “Displaying Bridge Extension Capabilities” on page 652 for a description of the displayed items.
Command Mode
Normal Exec, Privileged Exec

Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
 Join Timer      : 20 centiseconds
 Leave Timer     : 60 centiseconds
 Leave All Timer : 1000 centiseconds
Console#

Related Commands
garp timer (375)

show gvrp configuration
This command shows if GVRP is enabled.

Syntax
show gvrp configuration [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Editing VLAN Groups

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.

Default Setting
None

Command Mode
Global Configuration

Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
Default Setting
By default only VLAN 1 exists and is active.

Command Mode
VLAN Database Configuration

Command Usage
• no vlan vlan-id deletes the VLAN.
• no vlan vlan-id name removes the VLAN name.
• no vlan vlan-id state returns the VLAN to the default state (i.e., active).
• You can configure up to 4093 VLANs on the switch.

NOTE
The switch allows 4093 user-manageable VLANs.

Example
The following example adds a VLAN, using VLAN ID 105 and name RD5.
Configuring VLAN Interfaces

interface vlan
This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.

Syntax
[no] interface vlan vlan-id
vlan-id - ID of the configured VLAN.
Command Usage
When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.

Example
The following example shows how to restrict the traffic received on port 1 to tagged frames:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport acceptable-frame-types tagged
Console(config-if)#

Related Commands
switchport mode (384)

switchport allowed vlan
This command configures VLAN groups on the selected interface.
• If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.

Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk.
switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.

Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port.
The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.

FIGURE 3 Configuring VLAN Trunking (diagram not reproduced: switches A through E, with VLANs V1 and V2 on switches A and B)

Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags.
Displaying VLAN Information

This section describes commands used to display VLAN information.

TABLE 86 Commands for Displaying VLAN Information

Command                        Function                                                            Mode
show interfaces status vlan    Displays status for the specified VLAN interface                    NE, PE
show interfaces switchport     Displays the administrative and operational status of an interface  NE, PE
show vlan                      Shows VLAN information                                              NE, PE

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling

IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
dot1q-tunnel system-tunnel-control
This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.

Syntax
[no] dot1q-tunnel system-tunnel-control

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
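Two dependencies stated in this guide can leave a protective setting configured but inert: BPDU Guard requires the edge-port attribute (Chapter 18), and QinQ interface settings require dot1q-tunnel system-tunnel-control. The following audit is an added example, not part of the Brocade guide; the spanning-tree bpdu-guard command name, the "!"-separated layout of the saved configuration, and the sample text are assumptions.

```python
import re

# Constructed sample configuration. The "!"-separated layout is an assumption
# about how a saved configuration is laid out, not output copied from a switch.
SAMPLE_CONFIG = """\
!
interface ethernet 1/1
 switchport dot1q-tunnel mode access
 switchport dot1q-tunnel service 99 match cvid 2
!
interface ethernet 1/2
 spanning-tree edge-port
 spanning-tree bpdu-guard
!
interface ethernet 1/3
 spanning-tree bpdu-guard
!
interface ethernet 1/4
 spanning-tree edge-port
 spanning-tree bpdu-guard
 no spanning-tree edge-port
!
"""

IFACE_RE = re.compile(r"interface (ethernet \d+/\d+|port-channel \d+)$")


def parse_config(text):
    """Split a configuration into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line:
            continue
        if line == "!":                       # block separator ends interface context
            current = None
            continue
        match = IFACE_RE.match(line)
        if match:
            current = match.group(1)
            interfaces.setdefault(current, [])
        elif current is None:
            global_cmds.append(line)
        else:
            interfaces[current].append(line)
    return global_cmds, interfaces


def has(cmds, prefix):
    """True if any command equals prefix or starts with it at a word boundary."""
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)


def effective(cmds):
    """Apply 'no ...' forms in order so later negations cancel earlier commands."""
    active = []
    for cmd in cmds:
        if cmd.startswith("no "):
            active = [c for c in active if not has([c], cmd[3:])]
        else:
            active.append(cmd)
    return active


def audit(text):
    """Return (interface, finding) pairs for settings that are configured but inert."""
    global_cmds, interfaces = parse_config(text)
    qinq_on = has(effective(global_cmds), "dot1q-tunnel system-tunnel-control")
    findings = []
    for name, cmds in interfaces.items():
        active = effective(cmds)
        # QinQ interface settings are not functional without the global command.
        if has(active, "switchport dot1q-tunnel") and not qinq_on:
            findings.append((name, "qinq-needs-system-tunnel-control"))
        # BPDU Guard is disabled whenever the edge-port attribute is absent.
        if has(active, "spanning-tree bpdu-guard") and not has(active, "spanning-tree edge-port"):
            findings.append((name, "bpdu-guard-needs-edge-port"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Port 1/4 is reported even though both commands appear in its block, because the later no form removes the edge-port attribute that BPDU Guard depends on.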
• When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag.
• When a tunnel uplink port receives a packet from the service provider, the outer service provider’s tag is stripped off, and the packet passed on to the VLAN indicated by the inner tag.
Example
This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#

The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.
7. Verify configuration settings.
Console#show dot1q-tunnel service
802.1Q Tunnel Service Subscriptions
Port     Match C-VID S-VID
-------- ----------- -----
Eth 1/ 1          10   100
Eth 1/ 1          20   200
Eth 1/ 1          30   300

Step 2. Configure Switch C.
1. Create VLAN 100, 200 and 300.
Console(config)#vlan database
Console(config-vlan)#vlan 100,200,300 media ethernet state active
2. Configure port 1 and port 2 as tagged members of VLAN 100, 200 and 300.
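The tag handling and the C-VID to S-VID service mapping described in this section can be traced at the byte level. This is an added example, not part of the Brocade guide: it builds a constructed customer frame, pushes the service provider tag using the 10/20/30 to 100/200/300 mapping, and strips it again; the MAC addresses, payload, function names and the choice to leave the outer priority bits at 0 are assumptions.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q TPID carried by the customer (inner) tag

# C-VID -> S-VID subscriptions from the guide's port 1 example.
SERVICE_MAP = {10: 100, 20: 200, 30: 300}


def vlan_tag(tpid, vid, pcp=0):
    """Encode one 4-byte VLAN tag: 16-bit TPID, then PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4093:              # VLAN range given in the guide
        raise ValueError(f"VLAN ID {vid} outside 1-4093")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def parse_frame(frame, tpids=(0x8100, 0x88A8, 0x9100)):
    """Return (tags, ethertype, payload); tags is [(tpid, pcp, vid), ...], outermost first."""
    tags, offset = [], 12                 # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in tpids:            # first non-tag type ends the tag stack
            return tags, etype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        offset += 4


def push_service_tag(frame, service_map, outer_tpid=TPID_8021Q):
    """Customer to provider: keep the customer tag as inner tag, add the S-VID outer tag."""
    tags, _, _ = parse_frame(frame, tpids=(TPID_8021Q,))
    if not tags:
        raise LookupError("untagged frame: no C-VID to match")
    cvid = tags[0][2]
    if cvid not in service_map:
        raise LookupError(f"no service subscription for C-VID {cvid}")
    # Outer tag priority bits are left at 0 in this model (assumption).
    return frame[:12] + vlan_tag(outer_tpid, service_map[cvid]) + frame[12:]


def pop_service_tag(frame, outer_tpid=TPID_8021Q):
    """Provider to customer: strip the outer tag; return (svid, frame with inner tag only)."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry an outer tag")
    etype, tci = struct.unpack_from("!HH", frame, 12)
    if etype != outer_tpid:
        # A TPID mismatch means the outer tag is not recognised as a service tag.
        raise ValueError(
            f"outer TPID 0x{etype:04X} does not match configured 0x{outer_tpid:04X}"
        )
    return tci & 0x0FFF, frame[:12] + frame[16:]


def customer_frame(cvid):
    """Constructed sample: single-tagged IPv4 frame with made-up MACs and payload."""
    dst = bytes.fromhex("000000112233")
    src = bytes.fromhex("0000005e0001")
    return dst + src + vlan_tag(TPID_8021Q, cvid) + struct.pack("!H", 0x0800) + b"sample-payload"


if __name__ == "__main__":
    tunnelled = push_service_tag(customer_frame(20), SERVICE_MAP, outer_tpid=0x9100)
    print("tag stack:", [(hex(t), p, v) for t, p, v in parse_frame(tunnelled)[0]])
    print("S-VID on egress:", pop_service_tag(tunnelled, outer_tpid=0x9100)[0])
```

Both ends of a tunnel must agree on the outer TPID: pop_service_tag raises when the configured value differs from the one in the frame, which is the mismatch a per-port TPID setting is meant to resolve.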
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel tpid 9100
Console(config-if)#

Related Commands
show interfaces switchport (282)

show dot1q-tunnel
This command displays information about QinQ tunnel ports.

Syntax
show dot1q-tunnel [interface interface [service svid] | service [svid]]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.
Console#show dot1q-tunnel service 100
802.1Q Tunnel Service Subscriptions
Port     Match C-VID S-VID
-------- ----------- -----
Eth 1/ 5           1   100
Eth 1/ 6           1   100
Console#

Related Commands
switchport dot1q-tunnel mode (389)

Configuring L2CP Tunneling

This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
• L2PT encapsulates protocol packets entering ingress ports on the service provider’s edge switch, replacing the destination MAC address with a proprietary MAC address (for example, the spanning tree protocol uses 10-12-CF-00-00-02), a reserved address for other specified protocol types (as defined in IEEE 802.1ad – Provider Bridges), or a user-defined address.
• L2PT is enabled on this port, it is forwarded to the following ports in the same S-VLAN: (a) other access ports for which L2PT is enabled, and (b) uplink ports after rewriting the destination address to make it a GBPT protocol packet (i.e., setting the destination address to 01-00-0C-CD-CD-D0).
• L2PT is disabled on this port, it is forwarded to the following ports in the same S-VLAN: (a) other access ports for which L2PT is disabled, and (b) all uplink ports.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#switchport l2protocol-tunnel spanning-tree
Console(config-if)#

show l2protocol-tunnel
This command shows settings for Layer 2 Protocol Tunneling (L2PT).
Configuring VLAN Translation

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet)

Command Usage
• If the next switch upstream does not support QinQ tunneling, then use this command to map the customer’s VLAN ID to the service provider’s VLAN ID for the upstream port. Similarly, if the next switch downstream does not support QinQ tunneling, then use this command to map the service provider’s VLAN ID to the customer’s VLAN ID for the downstream port.
Console#

show vlan-translation
This command displays the configuration settings for VLAN translation.

Syntax
show vlan-translation [interface interface]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.
Configuring Port-based Traffic Segmentation

traffic-segmentation
This command enables traffic segmentation. Use the no form to disable traffic segmentation.

Syntax
[no] traffic-segmentation

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
• Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s).
Example
This example enables traffic segmentation globally on the switch.
Console(config)#traffic-segmentation
Console(config)#

traffic-segmentation session
This command creates a traffic-segmentation client session. Use the no form to remove a client session.

Syntax
[no] pvlan session session-id
session-id – Traffic segmentation session.
Default Setting
Session 1 if not defined
No segmented port groups are defined.

Command Mode
Global Configuration

Command Usage
• A port cannot be configured in both an uplink and downlink list.
• A port can only be assigned to one traffic-segmentation session.
• When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
show traffic-segmentation
This command displays the configured traffic segments.
Configuring Protocol-based VLANs

protocol-vlan protocol-group (Configuring Groups)
This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.

Syntax
protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
no protocol-vlan protocol-group group-id
group-id - Group identifier of this protocol group. (Range: 1-2147483647)
frame - Frame type used by this protocol.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
show interfaces protocol-vlan protocol-group
This command shows the mapping from protocol groups to VLANs for the selected interfaces.

Syntax
show interfaces protocol-vlan protocol-group [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)
port-channel channel-id (Range: 1-12)

Default Setting
The mapping for all interfaces is displayed.
Configuring IP Subnet VLANs

subnet-vlan (Global Configuration)
This command configures IP subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment.

Syntax
subnet-vlan subnet ip-address mask vlan vlan-id [priority priority]
no subnet-vlan subnet {ip-address mask | all}
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.
Syntax
[no] subnet-vlan subnet ip-address mask
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.

Default Setting
None

Command Mode
Interface Configuration (Port, Static Aggregation)

Command Usage
• Use the subnet-vlan command under Global Configuration mode to create an IP subnet VLAN.
Eth 1/2  192.168.12.128  255.255.255.192
Eth 1/3  192.168.12.192  255.255.255.224
Eth 1/4  192.168.12.224  255.255.255.240
Eth 1/5  192.168.12.240  255.255.255.248
Eth 1/6  192.168.12.248  255.255.255.252
Eth 1/7  192.168.12.252  255.255.255.254
Eth 1/8  192.168.12.254  255.255.255.255
Eth 1/9  192.168.12.255  255.255.255.255
Console#

show subnet-vlan
This command displays IP Subnet VLAN assignments.
Configuring MAC Based VLANs

TABLE 94 MAC Based VLAN Commands

Command         Function                           Mode
mac-vlan        Defines the IP Subnet VLANs        GC
show mac-vlan   Displays IP Subnet VLAN settings   PE

mac-vlan
This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.

Syntax
mac-vlan mac-address mac-address vlan vlan-id [priority priority]
no mac-vlan mac-address {mac-address | all}
mac-address – The source MAC address to be matched.
Command Usage
Use this command to display MAC address-to-VLAN mappings.

Example
The following example displays all configured MAC address-based VLANs.
Console#show mac-vlan
MAC Address       VLAN ID  Priority
----------------- -------- --------
00-00-00-11-22-33 10       0
Console#

Configuring Voice VLANs

The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic.
Command Mode
Global Configuration

Command Usage
• When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality. This is best achieved by assigning all VoIP traffic to a single VLAN.
voice vlan mac-address
This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.

Syntax
voice vlan mac-address mac-address mask mask-address [description description]
no voice vlan mac-address mac-address mask mask-address
mac-address - Defines a MAC address OUI that identifies VoIP devices in the network. (For example, 01-23-45-00-00-00)
mask-address - Identifies a range of MAC addresses.
switchport voice vlan
This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.

Syntax
switchport voice vlan {manual | auto}
no switchport voice vlan
manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
auto - The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
Command Mode
Interface Configuration

Command Usage
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.

Example
The following example sets the CoS priority to 5 on port 1.
switchport voice vlan security
This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.

Syntax
[no] switchport voice vlan security

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
• Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID.
Voice VLAN aging time : 1440 minutes

Voice VLAN Port Summary
Port     Mode     Security Rule      Priority Remaining Age (minutes)
-------- -------- -------- --------- -------- -------------
Eth 1/ 1 Auto     Enabled  OUI       6        100
Eth 1/ 2 Disabled Disabled OUI       6        NA
Eth 1/ 3 Manual   Enabled  OUI       5        100
Eth 1/ 4 Auto     Enabled  OUI       6        100
Eth 1/ 5 Disabled Disabled OUI       6        NA
Eth 1/ 6 Disabled Disabled OUI       6        NA
Eth 1/ 7 Disabled Disabled OUI       6        NA
Eth 1/ 8 Disabled Disabled OUI       6        NA
Eth 1/ 9 Disabled Disabled O
Chapter 21 Class of Service Commands

The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Priority Commands (Layer 2)

queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
• The specified queue mode applies to all interfaces.
• Protocols used to synchronize distributed switches use packets of 1588 bytes to control the synchronization process. This switch therefore assigns packets of this size to the highest priority queue to ensure quick passage.
Related Commands
queue mode (420)
show queue weight (423)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.

Syntax
switchport priority default default-priority-id
no switchport priority default
default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority.
show queue mode
This command shows the current queue mode.

Command Mode
Privileged Exec

Example
Console#show queue mode
Queue Mode : Weighted Round Robin Mode
Console#

show queue weight
This command displays the weights used for the weighted queues.
TABLE 98 Priority Commands (Layer 3 and 4)

Command                   Function                                                 Mode
show qos map phb-queue    Shows internal per-hop behavior to hardware queue map    PE
show qos map trust-mode   Shows the QoS mapping mode                               PE

The default settings used for mapping priority values to internal DSCP values and back to the hardware queues are designed to optimize priority services for the majority of network applications.
• Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight CoS/CFI paired values separated by spaces.
• If a packet arrives with a 802.1Q header but it is not an IP packet, then the CoS/CFI-to-PHB/Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command.
DEFAULT SETTING

TABLE 100 Default Mapping of DSCP Values to Internal PHB/Drop Values

ingress-dscp   0    1    2    3    4    5    6    7    8    9
0              0,0  0,1  0,0  0,3  0,0  0,1  0,0  0,3  1,0  1,1
1              1,0  1,3  1,0  1,1  1,0  1,3  2,0  2,1  2,0  2,3
2              2,0  2,1  2,0  2,3  3,0  3,1  3,0  3,3  3,0  3,1
3              3,0  3,3  4,0  4,1  4,0  4,3  4,0  4,1  4,0  4,3
4              5,0  5,1  5,0  5,3  5,0  5,1  6,0  5,3  6,0  6,1
5              6,0  6,3  6,0  6,1  6,0  6,3  7,0  7,1  7.
qos map phb-queue
This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings.

Syntax
qos map phb-queue queue-id from phb0 ... phb7
no map phb-queue phb0 ... phb7
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
queue-id - The ID of the priority queue. (Range: 0-7, where 7 is the highest priority queue)

DEFAULT SETTING.
Command Usage
• If the QoS mapping mode is set to DSCP with this command, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.
• If the QoS mapping mode is set to DSCP, and a non-IP packet is received, the packet's CoS and CFI (Canonical Format Indicator) values are used for priority processing if the packet is tagged.
show qos map dscp-mutation
This command shows the ingress DSCP to internal DSCP map.

Syntax
show qos map dscp-mutation interface interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
  port-channel channel-id (Range: 1-12)

Command Mode
Privileged Exec

Command Usage
This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
show qos map phb-queue
This command shows internal per-hop behavior to hardware queue map.

Syntax
show qos map phb-queue interface interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Chapter 22 Quality of Service Commands

The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, a CoS value, a DSCP or IP Precedence value, a source port, or a VLAN.
3.
Example
This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3:
Console(config)#class-map rd-class match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#

Related Commands
show class-map (445)

description
This command specifies the description of a class map or policy map.

Syntax
description string
string - Description of the class map or policy map.
Default Setting
None

Command Mode
Class Map Configuration

Command Usage
• First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the fields within ingress packets that must match to qualify for this class map.
• If an ingress packet matches an ACL specified by this command, any deny rules included in the ACL will be ignored.
Example
Console(config)#class-map rd-class#1
Console(config-cmap)#rename rd-class#9
Console(config-cmap)#

policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map.

Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.
Default Setting
None

Command Mode
Policy Map Configuration

Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set command and one of the police commands to specify the match criteria, where the:
  • set phb command sets the per-hop behavior value in matching packets. (This modifies packet priority for internal processing only.
conform-action - Action to take when packet is within the CIR and BC. (There are enough tokens to service the packet, the packet is set green).
violate-action - Action to take when packet exceeds the CIR and BC. (There are not enough tokens to service the packet, the packet is set red).
transmit - Transmits without taking any action.
drop - Drops packet as required by violate-action.
new-dscp - Differentiated Service Code Point (DSCP) value.
police srtcm-color
This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.

Syntax
[no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
srtcm-color-blind - Single rate three color meter in color-blind mode.
• The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked green if it doesn't exceed the CIR and BC, yellow if it does exceed the CIR and BC, but not the BE, and red otherwise.
• The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored.
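The green/yellow/red marking described above can be traced with a small simulation. This is an added example, not code from the guide or the switch firmware: it implements the color-blind srTCM token-bucket algorithm of RFC 2697, takes the rate and burst values from the guide's police srtcm-color-blind example (100000 kbps, 4000 bytes, 6000 bytes), and assumes microsecond timestamps; the class, function and packet trace are constructed for illustration.

```python
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"

# 1 kbps = 125 bytes/s = 1/8000 byte per microsecond, so counting tokens in
# units of 1/8000 byte keeps the arithmetic exact with integers.
UNITS_PER_BYTE = 8000


@dataclass
class SrTcmColorBlind:
    """Single rate three color meter, color-blind mode (RFC 2697 algorithm)."""
    cir_kbps: int   # committed-rate
    bc_bytes: int   # committed-burst (BC)
    be_bytes: int   # excess-burst (BE)

    def __post_init__(self):
        # Both token buckets start full.
        self.tc = self.bc_bytes * UNITS_PER_BYTE
        self.te = self.be_bytes * UNITS_PER_BYTE
        self.last_us = 0

    def _refill(self, now_us):
        # Tokens arrive at the CIR. They fill the committed bucket first;
        # only the overflow reaches the excess bucket, and anything beyond
        # BE is discarded.
        elapsed = max(0, now_us - self.last_us)
        self.last_us = max(self.last_us, now_us)
        credit = elapsed * self.cir_kbps
        to_committed = min(credit, self.bc_bytes * UNITS_PER_BYTE - self.tc)
        self.tc += to_committed
        self.te = min(self.be_bytes * UNITS_PER_BYTE,
                      self.te + credit - to_committed)

    def meter(self, now_us, size_bytes):
        """Return the color of a packet of size_bytes arriving at now_us."""
        self._refill(now_us)
        need = size_bytes * UNITS_PER_BYTE
        if self.tc >= need:          # within CIR and BC
            self.tc -= need
            return GREEN
        if self.te >= need:          # beyond BC but within BE
            self.te -= need
            return YELLOW
        return RED                   # neither bucket can cover the packet


# Actions taken from the guide's example command:
# conform-action transmit exceed-action 0 violate-action drop
ACTIONS = {GREEN: "transmit", YELLOW: "remark dscp 0", RED: "drop"}


def police(meter, packets):
    """packets: iterable of (arrival_us, size_bytes); returns (color, action)."""
    result = []
    for arrival_us, size in packets:
        color = meter.meter(arrival_us, size)
        result.append((color, ACTIONS[color]))
    return result


# Constructed trace: a back-to-back burst of seven 1500-byte frames at t=0,
# then one more frame 120 microseconds later.
SAMPLE_TRACE = [(0, 1500)] * 7 + [(120, 1500)]

if __name__ == "__main__":
    m = SrTcmColorBlind(cir_kbps=100000, bc_bytes=4000, be_bytes=6000)
    for (t, size), (color, action) in zip(SAMPLE_TRACE, police(m, SAMPLE_TRACE)):
        print(f"t={t:>4}us size={size} -> {color:<6} {action}")
```

The burst drains BC after two frames and BE after four more, so the seventh frame is dropped; 120 microseconds at 100000 kbps returns 1500 bytes of credit to the committed bucket, which is why the last frame is green again.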
Console(config-pmap-c)#set phb 3
Console(config-pmap-c)#police srtcm-color-blind 100000 4000 6000 conform-action transmit exceed-action 0 violate-action drop
Console(config-pmap-c)#

police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
Command Usage
• You can configure up to 16 policers (i.e., class maps) for ingress ports.
• The committed-rate and peak-rate cannot exceed the configured interface speed, and the committed-burst and peak-burst cannot exceed 16 Mbytes.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark any packets exceeding the committed burst si
set ip dscp
This command modifies the IP DSCP value in a matching packet (as specified by the match command). Use the no form to remove this traffic classification.

Syntax
[no] set ip dscp new-dscp
new-dscp - New Differentiated Service Code Point (DSCP) value. (Range: 0-63)

Default Setting
None

Command Mode
Policy Map Class Configuration

Command Usage
The set ip dscp command is used to set the priority values in the packet’s ToS field for matching packets.
Command Usage
• The set phb command is used to set an internal QoS value in hardware for matching packets (see Table 100, "Default Mapping of DSCP Values to Internal PHB/Drop Values"). The QoS label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion by the police srtcm-color command and police trtcm-color command.
• The set cos and set phb commands function at the same level of priority.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.

Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)

Default Setting
Displays all class maps.
Description:
 class rd-class
  set phb 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
 class rd-class
  set phb 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.

Syntax
show policy-map interface interface input
interface
  unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Chapter 23 Multicast Filtering Commands

This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP Snooping

TABLE 104 IGMP Snooping Commands (Continued)
Command                                         Function                                                                                                             Mode
ip igmp snooping unregistered-data-flood        Floods unregistered multicast traffic into the attached VLAN                                                         GC
ip igmp snooping unsolicited-report-interval    Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled)  GC
ip igmp snooping version                        Configures the IGMP version for snooping                                                                             GC
ip igmp snooping version-exclusive              Discards received IGMP messages whic
Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
• When IGMP snooping is enabled globally, the per VLAN interface settings for IGMP snooping take precedence.
• When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally.

Example
The following example enables IGMP snooping globally.
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.

Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4093)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
Command Usage
• IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
• If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.

Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping router-alert-option-check
This command discards any IGMPv2/v3 packets that do not include the Router Alert option.
Default Setting
300 seconds

Command Mode
Global Configuration

Example
The following shows how to configure the time out to 400 seconds:
Console(config)#ip igmp snooping router-port-expire-time 400
Console(config)#

ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets.

Example
The following example enables TCN flooding.
Console(config)#ip igmp snooping tcn-flood
Console(config)#

ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
Command Mode
Global Configuration

Command Usage
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
Command Mode
Global Configuration

Command Usage
• If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
• When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command.
Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
• If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the time out period.
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#

ip igmp snooping vlan last-memb-query-intvl
This command configures the last-member-query interval. Use the no form to restore the default.
Command Mode
Global Configuration

Command Usage
• Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link.
Command Usage
IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541. The switch also uses a null address in IGMP reports sent to upstream ports. Many hosts do not implement RFC 4541, and therefore do not understand query messages with the source address of 0.0.0.0.
Command Usage
• An IGMP general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.
• This command applies when the switch is serving as the querier (page 450), or as a proxy host when IGMP snooping proxy reporting is enabled (page 450).
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
  port-channel channel-id (Range: 1-12)

Default Setting
None

Command Mode
Global Configuration

Command Usage
• Static multicast entries are never aged out.
• When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.

Example
The following shows how to statically configure a multicast group on a port.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
Member types displayed include IGMP or USER, depending on selected options.

Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
Console#show ip igmp snooping group vlan 1
Flag: R - Router port, M - Group member port
      H - Host counts (number of hosts join the group on this port).
      P - Port counts (number of ports join the group).
Up time: Group elapsed time (d:h:m:s).
Expire :
Example
The following shows IGMP protocol statistics input:
Console#show ip igmp snooping statistics input interface ethernet 1/1
Interface Report   Leave    G Query  G(-S)-S Query Drop     Join Succ Group
--------- -------- -------- -------- ------------- -------- --------- -----
Eth 1/ 1        23       11        4            10        5        14     5
Console#

TABLE 105 show ip igmp snooping statistics input - display description
Field      Description
Interface  Shows interface.
Number of Leaves Sent : 0
Console#

TABLE 107 show ip igmp snooping statistics vlan query - display description
Field                   Description
Querier IP Address      The IP address of the querier on this interface.
Querier Expire Time     The time after which this querier is assumed to have expired.
General Query Received  The number of general queries received on this interface.
General Query Sent      The number of general queries sent from this interface.
Static Multicast Routing

Command Usage
• Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
The following shows the ports in VLAN 1 which are attached to multicast routers.
Console#show ip igmp snooping mrouter vlan 1
VLAN M'cast Router Port Type
---- ------------------ ------
   1 Eth 1/10           Static
Console#

IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
Command Usage
• IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, IGMP join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the IGMP join report is forwarded as normal.
Default Setting
Deny

Command Mode
IGMP Profile Configuration

Command Usage
• Each profile has only one access mode; either permit or deny.
• When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.

Syntax
[no] ip igmp filter profile-number
profile-number - An IGMP filter profile number.
Command Usage
• IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
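The filtering and throttling rules above can be checked against a planned profile before it is applied to a port. The following model is an added example, not code from the guide or the switch: it evaluates joins against the deny profile 19 ranges that this section's show ip igmp profile output lists, and it assumes that the filter is evaluated before the throttle limit, that a repeated join for a group already on the port does not count against the limit, and a limit of two groups; all class and function names are constructed for illustration.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class IgmpProfile:
    """One filter profile: a single access mode plus controlled ranges."""
    number: int
    mode: str                       # "permit" or "deny"
    ranges: List[Tuple[str, str]]   # (low, high) multicast addresses, inclusive

    def in_controlled_range(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        return any(
            ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi)
            for lo, hi in self.ranges
        )

    def allows(self, group: str) -> bool:
        # permit: process joins only inside the controlled range.
        # deny:   process joins only outside the controlled range.
        hit = self.in_controlled_range(group)
        return hit if self.mode == "permit" else not hit


@dataclass
class Port:
    """A port with at most one profile and an optional throttle limit."""
    profile: Optional[IgmpProfile] = None
    max_groups: Optional[int] = None
    action: str = "deny"            # throttle action: "deny" or "replace"
    groups: Set[str] = field(default_factory=set)
    rng: random.Random = field(default_factory=random.Random)

    def join(self, group: str) -> Tuple[bool, str]:
        """Return (forwarded, reason) for an IGMP join report."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return (False, "not multicast")
        # Assumption: the filter profile is checked before the throttle.
        if self.profile is not None and not self.profile.allows(group):
            return (False, "filtered")
        if group in self.groups:
            return (True, "already joined")
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny" or not self.groups:
                return (False, "throttled")
            # "replace": a randomly chosen existing group is removed.
            victim = self.rng.choice(sorted(self.groups))
            self.groups.remove(victim)
            self.groups.add(group)
            return (True, "replaced " + victim)
        self.groups.add(group)
        return (True, "joined")


# Ranges as listed for profile 19 in this section's show output.
PROFILE_19 = IgmpProfile(19, "deny", [("239.1.1.1", "239.1.1.1"),
                                      ("239.2.3.1", "239.2.3.100")])

# Constructed join sequence for a port limited to two groups.
SAMPLE_JOINS = ["239.1.1.1", "239.2.3.100", "239.2.3.101",
                "239.9.9.9", "239.9.9.10"]


def replay(port: Port, joins: List[str]) -> List[Tuple[bool, str]]:
    return [port.join(g) for g in joins]


if __name__ == "__main__":
    port = Port(profile=PROFILE_19, max_groups=2, action="deny")
    for g, (ok, why) in zip(SAMPLE_JOINS, replay(port, SAMPLE_JOINS)):
        print(f"{g:<12} {'forward' if ok else 'drop':<8} {why}")
```

Swapping the profile's mode to "permit" inverts the result for every address, which is the quickest way to see why a profile copied with the wrong access mode silently opens everything outside its ranges.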
show ip igmp filter
This command displays the global and interface settings for IGMP filtering.

Syntax
show ip igmp filter [interface interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Console#show ip igmp profile 19
IGMP Profile 19
 Deny
 Range 239.1.1.1 239.1.1.1
 Range 239.2.3.1 239.2.3.100
Console#

show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.

Syntax
show ip igmp throttle interface [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
MVR for IPv4

This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers. This can significantly reduce the processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN.
mvr
This command enables Multicast VLAN Registration (MVR) globally on the switch. Use the no form of this command to globally disable MVR.

Syntax
[no] mvr

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.

Example
The following example enables MVR globally.
Related Commands
mvr profile (478)

mvr domain
This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.

Syntax
[no] mvr domain domain-id
domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
Command Usage
This command can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.

Example
Console(config)#mvr priority 6
Console(config)#

Related Commands
show mvr

mvr profile
This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.
mvr proxy-switching
This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.

Syntax
[no] mvr proxy-switching

Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
• When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface.
mvr robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.

Syntax
mvr robustness-value value
no mvr robustness-value
value - The robustness used for all interfaces.
Example
Console(config)#mvr domain 1 upstream-source-ip 192.168.0.3
Console(config)#

mvr vlan
This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN.

Syntax
mvr domain domain-id vlan vlan-id
no mvr domain domain-id vlan
domain-id - An independent multicast domain. (Range: 1-5)
vlan-id - Specifies the VLAN through which MVR multicast data is received.
mvr immediate-leave
This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings.

Syntax
[no] mvr [domain domain-id] immediate-leave
domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Immediate leave applies only to receiver ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
• Receiver ports can belong to different VLANs, but should not normally be configured as a member of the MVR VLAN.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Multicast groups can be statically assigned to a receiver port using this command.
• The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
• Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
TABLE 111 show mvr - display description
Field                           Description
MVR 802.1p Forwarding Priority  Priority assigned to multicast traffic forwarded into the MVR VLAN
MVR Proxy Switching             Shows if MVR proxy switching is enabled
MVR Robustness Value            Shows the number of reports or query messages sent when proxy switching is enabled
MVR Domain                      An independent multicast domain.
MVR Config Status               Shows if MVR is globally enabled on the switch.
show mvr interface
This command shows MVR configuration settings for interfaces attached to the MVR VLAN.

Syntax
show mvr [domain domain-id] interface
domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
Displays configuration settings for all attached interfaces.
show mvr members
This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port.

Syntax
show mvr [domain domain-id] members [ip-address | host-ip-address [interface] | sort-by-port [interface]]]
domain-id - An independent multicast domain.
Group Address   VLAN Port        Uptime      Expire Count
--------------- ---- ----------- ----------- ------ --------
234.5.6.7 1 00:20 1(P)
1 Eth 1/ 2(S)
Console#

TABLE 113 show mvr members - display description
Field          Description
Group Address  Multicast group address.
VLAN           VLAN to which this address is forwarded.
Port           Port to which this address is forwarded.
Uptime         Time that this multicast group has been known.
Expire         The time until this entry expires.
show mvr statistics
This command shows MVR protocol-related statistics for the specified interface.

Syntax
show mvr statistics {input | output} [interface interface]
show mvr domain domain-id statistics {input [interface interface] | output [interface interface] | query}
domain-id - An independent multicast domain. (Range: 1-5)
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
TABLE 114 show mvr statistics input - display description (Continued)
Field      Description
Drop       The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received
Join Succ  The number of times a multicast group was successfully joined.
Group      The number of MVR groups active on this interface.
TABLE 116 show mvr statistics query - display description (Continued)
Field                   Description
Specific Query Sent     The number of specific queries sent from this interface.
Number of Reports Sent  The number of reports sent from this interface.
Number of Leaves Sent   The number of leaves sent from this interface.

MVR for IPv6

This section describes commands used to configure Multicast VLAN Registration for IPv6 (MVR6).
TABLE 117 Multicast VLAN Registration for IPv6 Commands (Continued)
Command               Function                                                                                                                                       Mode
show mvr6 members     Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address  PE
show mvr6 profile     Shows all configured MVR profiles                                                                                                              PE
show mvr6 statistics  Shows MVR protocol statistics for the specified interface                                                                                      PE

mvr6 associated-profile
This command binds the MVR group addresses specified in a profile t
Command Mode
Global Configuration

Command Usage
When MVR6 is enabled on a domain, any multicast data associated with an MVR6 group is sent from all designated source ports, to all receiver ports that have registered to receive data from that multicast group.

Example
The following example enables MVR for domain 1:
Console(config)#mvr6 domain 1
Console(config)#

mvr6 profile
This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.
Example
The following example maps a range of MVR group addresses to a profile:
Console(config)#mvr6 profile rd ff00::1 ff00::9
Console(config)#

mvr6 proxy-switching
This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
Related Commands
mvr6 robustness-value (495)

mvr6 robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.

Syntax
mvr6 robustness-value value
no mvr6 robustness-value
value - The robustness used for all interfaces.
Default Setting
All MVR reports sent upstream use a null source IP address

Command Mode
Global Configuration

Command Usage
All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.
mvr6 immediate-leave
This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings.

Syntax
[no] mvr6 domain domain-id immediate-leave
domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Immediate leave applies only to receiver ports.
Default Setting
The port type is not defined.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• A port configured as an MVR6 receiver or source port can join or leave multicast groups configured under MVR6.
• Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see the switchport mode command).
Default Setting
No receiver port is a member of any configured multicast group.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• Multicast groups can be statically assigned to a receiver port using this command. The assigned address must fall within the range set by the mvr6 associated-profile command.
• All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Console#

TABLE 118 show mvr6 - display description
Field                 Description
MVR Proxy Switching   Shows if MVR proxy switching is enabled
MVR Robustness Value  Shows the number of reports or query messages sent when proxy switching is enabled
MVR6 Domain           An independent multicast domain.
MVR6 Config Status    Shows if MVR is globally enabled on the switch.
MVR6 Running Status   Indicates whether or not all necessary conditions in the MVR environment are satisfied.
Default Setting
Displays configuration settings for all attached interfaces.
Example
The following shows information about the number of multicast forwarding entries currently active in domain 1:
Console#show mvr6 domain 1 members
MVR6 Domain : 1
MVR6 Forwarding Entry Count :1
Console#

The following example shows detailed information about a specific multicast address:
Console#show mvr6 domain 1 members ff00::1
MVR6 Domain : 1
MVR6 Forwarding Entry Count :1
Flag: S - Source port, R - Receiver port.
      H - Host counts (number of hosts join the group on this port).
show mvr6 statistics
This command shows MVR protocol-related statistics for the specified interface.

Syntax
show mvr6 statistics {input | output} [interface interface]
show mvr6 domain domain-id statistics {input [interface interface] | output [interface interface] | query}
domain-id - An independent multicast domain. (Range: 1-5)
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
TABLE 121 show mvr6 statistics input - display description (Continued)
Field           Description
G(-S)-S Query   The number of group specific or group-and-source specific query messages received on this interface.
Drop            The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received
Join Succ       The number of times a multicast group was successfully joined.
Chapter 24 LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
TABLE 123 LLDP Commands (Continued)
Command                        Function                                                                          Mode
lldp dot3-tlv max-frame        Configures an LLDP-enabled port to advertise its maximum frame size              IC
lldp notification              Enables the transmission of SNMP trap notifications about LLDP changes           IC
show lldp config               Shows LLDP configuration settings for all ports                                  PE
show lldp info local-device    Shows LLDP global and interface-specific configuration settings for this device  PE
show lldp info remote-device   Shows LLDP global and i
Command Mode
Global Configuration
Command Usage
The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
Example
Console(config)#lldp holdtime-multiplier 10
Console(config)#

lldp notification-interval
This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes. Use the no form to restore the default setting.
lldp refresh-interval
This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
Syntax
lldp refresh-interval seconds
no lldp refresh-delay
seconds - Specifies the periodic interval at which LLDP advertisements are sent.
lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
Syntax
lldp tx-delay seconds
no lldp tx-delay
seconds - Specifies the transmit delay.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp admin-status rx-only
Console(config-if)#

lldp basic-tlv management-ip-address
This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
lldp basic-tlv port-description
This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature.
Syntax
[no] lldp basic-tlv port-description
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
lldp basic-tlv system-description
This command configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature.
lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
Syntax
[no] lldp dot1-tlv proto-ident
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the protocols that are accessible through this interface.
lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Syntax
[no] lldp dot1-tlv pvid
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see the switchport native vlan command).
lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Syntax
[no] lldp dot3-tlv link-agg
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Syntax
[no] lldp dot3-tlv max-frame
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Refer to “Frame Size” on page 64 for information on configuring the maximum frame size for this switch.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp notification
Console(config-if)#

show lldp config
This command shows LLDP configuration settings for all ports.
Syntax
show lldp config [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
system-capabilities
management-ip-address
802.1 specific TLVs Advertised:
*port-vid
*vlan-name
*proto-vlan
*proto-ident
802.3 specific TLVs Advertised:
*mac-phy
*link-agg
*max-frame
Console#

show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.
Syntax
show lldp info local-device [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Console#show lldp info local-device detail ethernet 1/1
LLDP Port Information Details
Port             : Eth 1/1
Port Type        : MAC Address
Port ID          : 00-E0-0C-00-00-AE
Port Description : Ethernet Port on unit 0, port 1
Console#

show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
Syntax
show lldp info remote-device [detail interface]
detail - Shows configuration summary.
Remote VLAN Name : VLAN-1 : DefaultVlan
Remote Protocol Identity (Hex) : 88-CC
Remote MAC/PHY Configuration Status :
Remote port auto-neg supported : Yes
Remote port auto-neg enabled : Yes
Remote port auto-neg advertised cap (Hex) : 0000
Remote port MAU type : 6
Remote Power via MDI :
Remote power class : PSE
Remote power MDI supported : Yes
Remote power MDI enabled : Yes
Remote power pair controllable : No
Remote power pairs : Spare
Remote power classification : Class1
Remote Link Aggreg
Port     NumFramesRecvd NumFramesSent NumFramesDiscarded
-------- -------------- ------------- ------------------
Eth 1/1               0            83                  0
Eth 1/2              11            12                  0
Eth 1/3               0             0                  0
Eth 1/4               0             0                  0
Eth 1/5               0             0                  0
. . .
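An added example (not from the Brocade guide): a Python decoder for the TLV layout described at the start of this chapter, which lists the optional TLVs found in a captured LLDPDU next to the interface command from this chapter that controls each one. The sample frame is constructed, and the TLV type numbers, subtypes and OUIs are taken from IEEE 802.1AB rather than from this page.

```python
"""Decode an LLDPDU and list the optional TLVs it advertises."""
import struct

OUI_8021 = bytes.fromhex("0080c2")  # IEEE 802.1 organizationally specific TLVs
OUI_8023 = bytes.fromhex("00120f")  # IEEE 802.3 organizationally specific TLVs

# Optional TLV -> interface command named in this chapter that controls it.
BASIC_TLV_COMMANDS = {
    4: "lldp basic-tlv port-description",
    6: "lldp basic-tlv system-description",
    8: "lldp basic-tlv management-ip-address",
}
ORG_TLV_COMMANDS = {
    (OUI_8021, 1): "lldp dot1-tlv pvid",
    (OUI_8021, 4): "lldp dot1-tlv proto-ident",
    (OUI_8023, 3): "lldp dot3-tlv link-agg",
    (OUI_8023, 4): "lldp dot3-tlv max-frame",
}


class LLDPError(ValueError):
    """Raised for a malformed LLDPDU."""


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length share a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise LLDPError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Return [(type, value), ...] up to the End of LLDPDU TLV (type 0)."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise LLDPError("missing End of LLDPDU TLV")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise LLDPError("TLV length runs past end of frame")
        value = data[offset:offset + length]
        offset += length
        if tlv_type == 0:          # anything after this is frame padding
            break
        tlvs.append((tlv_type, value))
    # Chassis ID (1), Port ID (2) and TTL (3) are mandatory and come first.
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise LLDPError("Chassis ID, Port ID and TTL must come first")
    return tlvs


def audit(data):
    """Return (ttl_seconds, sorted commands whose TLVs are being advertised)."""
    tlvs = parse_lldpdu(data)
    if len(tlvs[2][1]) != 2:
        raise LLDPError("TTL value must be 2 bytes")
    (ttl,) = struct.unpack("!H", tlvs[2][1])
    found = set()
    for tlv_type, value in tlvs[3:]:
        if tlv_type in BASIC_TLV_COMMANDS:
            found.add(BASIC_TLV_COMMANDS[tlv_type])
        elif tlv_type == 127 and len(value) >= 4:
            command = ORG_TLV_COMMANDS.get((value[:3], value[3]))
            if command:            # unmapped organizational TLVs are skipped
                found.add(command)
    return ttl, sorted(found)


# Constructed sample LLDPDU (payload after the Ethernet header). The MAC
# address and port description reuse values shown in this chapter's examples;
# the TTL, system description and management address are made up.
MAC = bytes.fromhex("00e00c0000ae")
SAMPLE = b"".join([
    tlv(1, b"\x04" + MAC),                      # Chassis ID, subtype MAC
    tlv(2, b"\x03" + MAC),                      # Port ID, subtype MAC
    tlv(3, struct.pack("!H", 120)),             # TTL in seconds
    tlv(4, b"Ethernet Port on unit 0, port 1"),
    tlv(6, b"Example access switch"),
    tlv(8, bytes([5, 1, 192, 168, 0, 9, 2]) + struct.pack("!I", 1001) + b"\x00"),
    tlv(127, OUI_8021 + b"\x01" + struct.pack("!H", 1)),     # PVID 1
    tlv(127, OUI_8023 + b"\x04" + struct.pack("!H", 1518)),  # max frame size
    tlv(0, b""),                                # End of LLDPDU
])

if __name__ == "__main__":
    ttl, commands = audit(SAMPLE)
    print(f"neighbors hold this information for {ttl} s")
    for command in commands:
        print(f"advertised; disable with: no {command}")
```

Each command in the result accepts the no form on the interface, as documented above, so the list doubles as a checklist of advertisements to review on ports that face untrusted neighbors.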
Chapter 25 CFM Commands
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between Provider Edge devices or between Customer Edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
TABLE 124 CFM Commands (Continued)
Command                                      Function                                                                                            Mode
clear ethernet cfm ais mpid                  Clears AIS defect information for the specified MEP                                                PE
show ethernet cfm configuration              Displays CFM configuration settings, including global settings, SNMP traps, and interface settings  PE
show ethernet cfm md                         Displays configured maintenance domains                                                            PE
show ethernet cfm ma                         Displays configured maintenance associations                                                       PE
show ethernet cfm maintenance-points local   Displays maintenance point
TABLE 124 CFM Commands (Continued)
Command                                 Function                                                    Mode
ethernet cfm linktrace cache hold-time  Sets the hold time for CFM link trace cache entries         GC
ethernet cfm linktrace cache size       Sets the maximum size for the link trace cache              GC
ethernet cfm linktrace                  Sends CFM link trace messages to the MAC address for a MEP  PE
clear ethernet cfm linktrace-cache      Clears link trace messages logged on this device            PE
show ethernet cfm linktrace-cache       Displays the contents of the link t
ethernet cfm ais level
This command configures the maintenance level at which Alarm Indication Signal (AIS) information will be sent within the specified MA. Use the no form to restore the default setting.
Syntax
ethernet cfm ais level level-id md domain-name ma ma-name
no ethernet cfm ais level md domain-name ma ma-name
level-id – Maintenance level at which AIS information will be sent. (Range: 0-7)
domain-name – Domain name.
Command Usage
• Each MA name must be unique within the CFM domain.
• Frames with AIS information can be issued at the client’s maintenance level by a MEP upon detecting defect conditions. For example, defect conditions may include:
  • Signal failure conditions if continuity checks are enabled.
  • AIS condition or LCK condition if continuity checks are disabled.
• A MEP continues to transmit periodic frames with AIS information until the defect condition is removed.
ethernet cfm ais suppress alarm
This command suppresses sending frames containing AIS information following the detection of defect conditions. Use the no form to restore the default setting.
Syntax
[no] ethernet cfm ais suppress alarm md domain-name ma ma-name
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
level-id – Authorized maintenance level for this domain. (Range: 0-7)
type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this domain:
default – MIPs can be created for any maintenance association (MA) configured in this domain on any bridge port through which the MA’s VID can pass.
Also note that MEPs are active agents which can initiate continuity check messages (CCMs), transmit loop back or link trace messages, and maintain the local CCM database. MIPs, on the other hand, are passive agents which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.
ma index name
This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
Example
This example creates a maintenance association, binds it to VLAN 1, and allows MIPs to be created within this MA using the default method.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#ma index 1 name rd vlan 1 mip-creation default
Console(config-ether-cfm)#

ma index name-format
This command specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.1731 defined ICC-based format.
ma-name – Maintenance association name. (Range: 1-43 alphanumeric characters, maximum length is 44 minus the length of the domain name)
up – Indicates that the MEP faces inward toward the switch cross-connect matrix, and transmits CFM messages towards, and receives them from, the direction of the internal bridge relay mechanism.
• If a MEP has been configured on an interface with the ethernet cfm mep command, it must first be deleted before CFM can be disabled on that interface.
• When CFM is disabled, hardware resources previously used for CFM processing on that interface are released, and all CFM frames entering that interface are forwarded as normal data traffic.
Example
This example enables CFM on port 1.
show ethernet cfm configuration
This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
Syntax
show ethernet cfm configuration {global | traps | interface interface}
global – Displays global settings including CFM global status, cross-check start delay, and link trace parameters.
traps – Displays the status of all continuity check and cross-check traps.
interface – Displays CFM status for the specified interface.
TABLE 125 show ethernet cfm configuration traps - display description
Field            Description
CC MEP Up Trap   Sends a trap if a remote MEP is discovered and added to the local database, the port state of a previously discovered remote MEP changes, or a CCM is received from a remote MEP which has an expired entry in the archived database.
show ethernet cfm ma
This command displays the configured maintenance associations.
Syntax
show ethernet cfm ma [level level]
level – Maintenance level. (Range: 0-7)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
For a description of the values displayed in the CC Interval field, refer to the ethernet cfm cc ma interval command.
Example
This example shows all configured maintenance associations.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• Use the mep keyword with this command to display the MEPs configured on this device as DSAPs through the ethernet cfm mep command.
• Use the mip keyword with this command to display the MIPs generated on this device by the CFM protocol when the mip-creation method is set to either “default” or “explicit” by the ethernet cfm domain command or the ma index name command.
Example
This example shows detailed information about the local MEP on port 1.
TABLE 126 show ethernet cfm maintenance-points local detail mep - display (Continued)
Field               Description
Suppress Alarm      Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions.
Suppressing Alarms  Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.
Frame Loss           : 137
CC Packet Statistics : 647/1
Port State           : Up
Interface State      : Up
Crosscheck Status    : Enabled
Console#
TABLE 127 show ethernet cfm maintenance-points remote detail - display
Field        Description
MAC Address  MAC address of the remote maintenance point. (If a CCM for the specified remote MEP has never been received or the remote MEP record times out, the address will be set to the initial value of all Fs.
ethernet cfm cc ma interval
This command sets the transmission delay between continuity check messages (CCMs). Use the no form to restore the default settings.
Syntax
ethernet cfm cc md domain-name ma ma-name interval interval-level
no ethernet cfm cc ma ma-name interval
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
ethernet cfm cc enable
This command enables the transmission of continuity check messages (CCMs) within a specified maintenance association. Use the no form to disable the transmission of these messages.
Syntax
[no] ethernet cfm cc enable md domain-name ma ma-name
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
snmp-server enable traps ethernet cfm cc
This command enables SNMP traps for CFM continuity check events. Use the no form to disable these traps.
Syntax
[no] snmp-server enable traps ethernet cfm cc [config | loop | mep-down | mep-up]
config – Sends a trap if this device receives a CCM with the same MPID as its own but with a different source MAC address, indicating that a CFM configuration error exists.
Default Setting
100 minutes
Command Mode
CFM Domain Configuration
Command Usage
A change to the hold time only applies to entries stored in the database after this command is entered.
Example
This example sets the aging time for missing MEPs in the CCM database to 30 minutes.
clear ethernet cfm errors
This command clears continuity check errors logged for the specified maintenance domain or maintenance level.
Syntax
clear ethernet cfm errors [domain domain-name | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
level-id – Maintenance level. (Range: 0-7)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use this command without any keywords to clear all entries in the error database.
TABLE 128 show ethernet cfm errors - display description
Field       Description
Level       Maintenance level associated with this entry.
VLAN        VLAN in which this error occurred.
MPID        Identifier of remote MEP.
Interface   Port at which the error was recorded
Remote MAC  MAC address of remote MEP.
Example
This example sets the maximum delay before starting the cross-check process.
Console(config)#ethernet cfm mep crosscheck start-delay 60
Console(config)#

snmp-server enable traps ethernet cfm crosscheck
This command enables SNMP traps for CFM continuity check events, in relation to the cross-check operations between statically configured MEPs and those learned via continuity check messages (CCMs). Use the no form to disable these traps.
mep crosscheck mpid
This command statically defines a remote MEP in a maintenance association. Use the no form to remove a remote MEP.
Syntax
[no] mep crosscheck mpid mpid ma ma-name
mpid – Identifier for a maintenance end point which exists on another CFM-enabled device within the same MA. (Range: 1-8191)
ma-name – Maintenance association name. (Range: 1-43 alphanumeric characters, maximum length is 44 minus the length of the domain name)
Default Setting
No remote MEPs are configured.
Default Setting
Disabled
Command Mode
Privileged Exec
Command Usage
• Before using this command to start the cross-check process, first configure the remote MEPs that exist on other devices inside the maintenance association using the mep crosscheck mpid command. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
ethernet cfm linktrace cache
This command enables caching of CFM data learned through link trace messages. Use the no form to disable caching.
Command Usage
Before setting the aging time for cache entries, the cache must first be enabled with the ethernet cfm linktrace cache command.
Example
This example sets the aging time for entries in the link trace cache to 60 minutes.
Console(config)#ethernet cfm linktrace cache hold-time 60
Console(config)#

ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
ethernet cfm linktrace
This command sends CFM link trace messages to the MAC address of a remote MEP.
Syntax
ethernet cfm linktrace {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [ttl number]
destination-mpid – The identifier of a remote MEP that is the target of the link trace message. (Range: 1-8191)
source-mpid – The identifier of a source MEP that will send the link trace message.
Example
This example sends a link trace message to the specified MEP with a maximum hop count of 25.
Console#ethernet cfm linktrace dest-mep 2 md voip ma rd ttl 25
Console#

clear ethernet cfm linktrace-cache
This command clears link trace messages logged on this device.
Command Mode
Privileged Exec
Example
Console#clear ethernet cfm linktrace-cache
Console#

show ethernet cfm linktrace-cache
This command displays the contents of the link trace cache.
TABLE 129 show ethernet cfm linktrace-cache - display description (Continued)
Field        Description
Ing. Action  Action taken on the ingress port:
             IngOk – The target data frame passed through to the MAC Relay Entity.
             IngDown – The bridge port’s MAC_Operational parameter is false.
Default Setting
Loop back count: One loopback message is sent.
Loop back size: 64 bytes
Command Mode
Privileged Exec
Command Usage
• Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
• The point from which the loopback message is transmitted (i.e.
Command Usage
A fault alarm is issued when the MEP fault notification generator state machine detects that a time period configured by this command has passed with one or more defects indicated, and fault alarms are enabled at or above the priority level set by the mep fault-notify lowest-priority command.
Example
This example sets the delay time before generating a fault alarm.
TABLE 130 Remote MEP Priority Levels (Continued)
Priority Level  Level Name  Description
4               errXcon     DefErrorCCM or DefXconCCM.
5               xcon        DefXconCCM
6               noXcon      No defects DefXconCCM or lower are to be reported.

TABLE 131 MEP Defect Descriptions
Field         Description
DefMACstatus  Either some remote MEP is reporting its Interface Status TLV as not isUp, or all remote MEPs are reporting a Port Status TLV that contains some value other than psUp.
show ethernet cfm fault-notify-generator
This command displays configuration settings for the fault notification generator.
Syntax
show ethernet cfm fault-notify-generator mep mpid
mpid – Maintenance end point identifier. (Range: 1-8191)
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows the fault notification settings configured for one MEP.
mac-address – MAC address of a remote MEP that is the target of the delay-measure message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
Sequence Delay Time (ms.) Delay Variation (ms.)
-------- ---------------- ---------------------
       1             < 10                     0
       2             < 10                     0
       3             < 10                     0
       4               40                    40
       5             < 10                    40
Success rate is 100% (5/5), delay time min/avg/max=0/8/40 ms.
Average frame delay variation is 16 ms.
Chapter 26 OAM Commands
The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
• If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
• Not all CPEs support OAM functions, and OAM is therefore disabled by default. If the CPE attached to a port supports OAM, then this functionality must first be enabled by the efm oam command to gain access to other remote configuration functions.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam critical-link-event dying-gasp
Console(config-if)#

efm oam link-monitor frame
This command enables reporting of errored frame link events. Use the no form to disable this function.
Syntax
[no] efm oam link-monitor frame
Default Setting
Enabled
Command Mode
Interface Configuration
Command Usage
• An errored frame is a frame in which one or more bits are errored.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame threshold 5
Console(config-if)#

efm oam link-monitor frame window
This command sets the monitor period for errored frame link events. Use the no form to restore the default setting.
Syntax
[no] efm oam link-monitor frame window size
size - The period of time in which to check the reporting threshold for errored frame link events.
Command Mode
Interface Configuration
Command Usage
When set to active mode, the selected interface will initiate the OAM discovery process. When in passive mode, it can only respond to discovery messages.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam mode active
Console(config-if)#

clear efm oam counters
This command clears statistical counters for various OAMPDU message types.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• OAM remote loop back can be used for fault localization and link performance testing. Statistics from both the local and remote DTE can be queried and compared at any time during loop back testing.
• Use the efm oam remote-loopback start command to start OAM remote loop back test mode on the specified port. Afterwards, use the efm oam remote-loopback test command (page 568) to start sending test packets.
Command Usage
• You can use this command to perform an OAM remote loopback test on the specified port. The port that you specify to run this test must be connected to a peer OAM device capable of entering into OAM remote loopback mode. During a remote loopback test, the remote OAM entity loops back every frame except for OAMPDUs and pause frames.
• OAM remote loopback can be used for fault localization and link performance testing.
show efm oam event-log interface
This command displays the OAM event log for the specified port(s) or for all ports that have logs.
Syntax
show efm oam event-log interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
show efm oam status interface
This command displays OAM configuration settings and event counters.
Syntax
show efm oam status interface [interface-list] [brief]
interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports. (Range: 1-12)
brief - Displays a brief list of OAM configuration states.
show efm oam status remote interface
This command displays information about attached OAM-enabled devices.
Syntax
show efm oam status remote interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Chapter 27 Domain Name Service Commands
These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Command Usage
• Domain names are added to the end of the list one at a time.
• When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
• If there is no domain list, the domain name specified with the ip domain-name command is used. If there is a domain list, the default domain name is not used.
Domain Lookup Status:
DNS Enabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#
Related Commands
ip domain-name (575)
ip name-server (576)

ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
ip host
This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.
Syntax
[no] ip host name address
name - Name of an IPv4 host. (Range: 1-100 characters)
address - Corresponding IPv4 address.
Default Setting
No static entries
Command Mode
Global Configuration
Command Usage
Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries.
Command Usage
The listed name servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response.
Example
This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
DNS disabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.
Console#show hosts
No.  Flag Type    IP Address           TTL   Domain
---- ---- ------- -------------------- ----- -------------------------------
0    2    Address 192.168.1.55               rd5
1    2    Address 2001:DB8:1::12             rd6
Console#

clear dns cache
This command clears all entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#clear dns cache
Console#show dns cache
No.
show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status:
DNS enabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#

show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns cache
No.
show hosts
This command displays the static host name-to-address mapping table.
Command Mode
Privileged Exec
Example
Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
Console#show hosts
No.  Flag Type    IP Address
---- ---- ------- --------------------
0    2    Address 192.168.1.55
1    2    Address 2001:DB8:1::12
3    4    Address 209.131.36.
Chapter 28 DHCP Commands
These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface can be configured to automatically obtain an IP address through DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network.
28 DHCP Client
Default Setting
Class identifier option enabled, with the name BR6910
Command Mode
Interface Configuration (VLAN)
Command Usage
• Use this command without any keyword to restore the default setting.
• This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
• The general framework for this DHCP option is set out in RFC 2132 (Option 60).
Console#ip dhcp restart client
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 12-34-12-34-12-34
  Index: 1001, MTU: 1500
  Address Mode is DHCP
  IP Address: 192.168.0.9 Mask: 255.255.255.0
  Proxy ARP is disabled
Console#

Related Commands
ip address (590)

ipv6 dhcp client rapid-commit vlan

This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface.
28 DHCP Client ipv6 dhcp restart client vlan This command submits a DHCPv6 client request. Syntax ipv6 dhcp restart client vlan vlan-id vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
DHCP Client 28 Example The following command submits a client request on VLAN 1. Console#ipv6 dhcp restart client vlan 1 Console# Related Commands ipv6 address autoconfig (602) show ipv6 dhcp duid This command shows the DHCP Unique Identifier for this switch. Command Mode Privileged Exec Command Usage • DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.
28 DHCP Relay DHCP Relay This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
DHCP Relay 28 ip dhcp restart relay This command enables DHCP relay for the specified VLAN. Use the no form to disable it. Syntax ip dhcp restart relay Default Setting Disabled Command Mode Privileged Exec Command Usage This command is used to configure DHCP relay functions for host devices attached to the switch.
28 DHCP Relay Example Status of DHCP relay information: Insertion of relay information: disabled. DHCP option policy: drop. DHCP relay-server address: 192.168.0.4, 0.0.0.0, 0.0.0.0, 0.0.0.0, 0.0.0.
Chapter 29 IP Interface Commands

An IP Version 4 and Version 6 address may be used for management access to the switch over the network. IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
29 IPv4 Interface TABLE 142 Basic IP Configuration Commands (Continued) Command Function Mode show ip traffic Displays statistics for IP, ICMP, UDP, TCP and ARP protocols PE traceroute Shows the route packets take to the specified host PE ping Sends ICMP echo request packets to another node on the network NE, PE ip address This command sets the IPv4 address for the currently selected VLAN interface. Use the no form to restore the default IP address.
IPv4 Interface 29 • If bootp or dhcp options are selected, the system will immediately start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP. IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast periodically by the router in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
29 IPv4 Interface Example The following example defines a default gateway for this device: Console(config)#ip default-gateway 10.1.1.254 Console(config)# Related Commands ip address (590) ip route (623) show ip route (624) ipv6 default-gateway (600) show ip interface This command displays the settings of an IPv4 interface.
IPv4 Interface 29 reassembly failed IP sent forwards datagrams 5927 requests discards no routes generated fragments fragment succeeded fragment failed ICMP Statistics: ICMP received input errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages ICMP sent output errors destination unre
29 IPv4 Interface Default Setting None Command Mode Privileged Exec Command Usage • Use the traceroute command to determine the path taken to reach a specified destination. • A trace terminates when the destination responds, when the maximum time out (TTL) is exceeded, or the maximum number of hops is exceeded. • The traceroute command first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message.
IPv4 Interface 29 ping This command sends (IPv4) ICMP echo request packets to another node on the network. Syntax ping host [count count] [size size] host - IP address or alias of the host. count - Number of packets to send. (Range: 1-16) size - Number of bytes in a packet. (Range: 32-512) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
29 IPv4 Interface Related Commands interface (262) ARP Configuration This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
IPv4 Interface 29 • Static entries will not be aged out nor deleted when power is reset. A static entry can only be removed through the configuration interface. Example Console(config)#arp 192.168.0.19 00-ab-cd-ef-11-22 Console(config)# Related Commands clear arp-cache (598) show arp (598) arp timeout This command sets the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache. Use the no form to restore the default timeout.
29 IPv4 Interface Default Setting Disabled Command Mode Interface Configuration (VLAN) Command Usage • Proxy ARP allows a non-routing device to determine the MAC address of a host on another subnet or network. • End stations that require Proxy ARP must view the entire network as a single network. These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices.
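Because static entries never age out and Proxy ARP lets one MAC address answer for several IP addresses, the listing printed by show arp can be audited against the bindings you expect. The script below is an added example, not code from the Brocade guide: it parses output in the show arp layout documented in this chapter and reports pinned addresses whose MAC changed or is held only dynamically, plus MACs that answer for more than one IP. The expected-binding table and the last two sample rows are constructed for illustration, and the function names are hypothetical.

```python
import re

# One data row of "show arp": IP, hyphen-separated MAC, type, interface.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+"
    r"(\S+)\s+(\S+)\s*$"
)
BROADCAST = "FF-FF-FF-FF-FF-FF"

# First four rows are the ones printed in this chapter; the last two are
# constructed to exercise the checks.
SAMPLE = """\
ARP Cache Timeout: 1200 (seconds)

IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- -----------
10.1.0.0        FF-FF-FF-FF-FF-FF other     VLAN1
10.1.0.254      00-00-AB-CD-00-00 other     VLAN1
10.1.0.255      FF-FF-FF-FF-FF-FF other     VLAN1
145.30.20.23    09-50-40-30-20-10 dynamic   VLAN3
10.1.0.20       00-00-AB-CD-00-00 dynamic   VLAN1
192.168.0.19    00-AB-CD-EF-11-99 dynamic   VLAN1
"""

# Assumed inventory of hosts whose binding must not move (constructed; the
# second entry reuses the static mapping from the arp command example).
EXPECTED = {
    "10.1.0.254": "00-00-AB-CD-00-00",
    "192.168.0.19": "00-ab-cd-ef-11-22",
}


def parse_show_arp(text):
    """Return one dict per entry row; headers, rules and totals are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            ip, mac, kind, iface = match.groups()
            entries.append({"ip": ip, "mac": mac.upper(),
                            "type": kind.lower(), "interface": iface})
    return entries


def audit_arp(entries, expected):
    """Compare cache entries with expected IP -> MAC bindings.

    Findings are (kind, ip_or_ips, mac) tuples:
      binding-changed  a pinned IP resolves to a different MAC
      not-static       a pinned IP is present only as a dynamic entry
      mac-shared       one unicast MAC answers for several IPs; expected
                       where Proxy ARP is enabled, otherwise worth a look
    """
    findings = []
    ips_by_mac = {}
    for entry in entries:
        if entry["mac"] == BROADCAST:
            continue
        want = expected.get(entry["ip"])
        if want and want.upper() != entry["mac"]:
            findings.append(("binding-changed", entry["ip"], entry["mac"]))
        if want and entry["type"] == "dynamic":
            findings.append(("not-static", entry["ip"], entry["mac"]))
        ips_by_mac.setdefault(entry["mac"], []).append(entry["ip"])
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-shared", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for finding in audit_arp(parse_show_arp(SAMPLE), EXPECTED):
        print(finding)
```
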
Example
This example displays all entries in the ARP cache.

Console#show arp
ARP Cache Timeout: 1200 (seconds)

IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- -----------
10.1.0.0        FF-FF-FF-FF-FF-FF other     VLAN1
10.1.0.254      00-00-AB-CD-00-00 other     VLAN1
10.1.0.255      FF-FF-FF-FF-FF-FF other     VLAN1
145.30.20.23    09-50-40-30-20-10 dynamic   VLAN3

Total entry : 5
Console#

IPv6 Interface

This switch supports the following IPv6 interface commands.
29 IPv6 Interface TABLE 144 IPv6 Configuration Commands (Continued) Command Function Mode ipv6 nd dad attempts Configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection IC ipv6 nd ns-interval Configures the interval between IPv6 neighbor solicitation retransmissions on an interface IC ipv6 nd reachable-time Configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event ha
IPv6 Interface 29 Example The following example defines a default gateway for this device: Console(config)#ipv6 default-gateway FE80::269:3EF9:FE19:6780 Console(config)# Related Commands show ipv6 default-gateway (608) ip default-gateway (591) ipv6 address This command configures an IPv6 global unicast address and enables IPv6 on an interface.
IPv6 is enabled
Link-local address:
  FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
  2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96
Joined group address(es):
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
Example
This example assigns a dynamic global unicast address of 2001:DB8:2222:7272:2E0:CFF:FE00:FD to the switch.
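The addresses in these examples can be cross-checked: the interface identifier 2E0:CFF:FE00:FD has the modified EUI-64 shape (FF:FE in the middle), so the address discloses the hardware address it was built from, and every unicast address should have a matching solicited-node group in the joined list. The Python below is an added example, not part of the Brocade guide; the MAC address it recovers is derived on the assumption that the identifier is EUI-64 based, the /64 prefix passed to eui64_address is assumed, and the function names are illustrative.

```python
import ipaddress

# First 104 bits of the solicited-node multicast prefix ff02::1:ff00:0/104.
SOLICITED_NODE_BASE = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]


def _ip(text):
    """Accept 'addr' or 'addr/len' as printed by show ipv6 interface."""
    return ipaddress.IPv6Interface(text).ip


def mac_from_eui64(address):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = _ip(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                      # not EUI-64 shaped, e.g. ...::72
    # Undo the universal/local bit flip and drop the FF:FE filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02X}" for b in mac)


def eui64_address(prefix, mac):
    """Combine a 64-bit prefix with a MAC using modified EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a 64-bit prefix")
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def solicited_node(address):
    """Solicited-node multicast group for a unicast address (low 24 bits)."""
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE + _ip(address).packed[13:])


def audit_interface(unicast, joined):
    """Check joined groups against unicast addresses and list exposed MACs."""
    joined_set = {ipaddress.IPv6Address(group) for group in joined}
    report = {"missing_groups": [], "embedded_macs": {}}
    for text in unicast:
        group = solicited_node(text)
        if group not in joined_set:
            report["missing_groups"].append(str(group))
        mac = mac_from_eui64(text)
        if mac:
            report["embedded_macs"][str(_ip(text))] = mac
    return report


# Values copied from the show ipv6 interface output in this chapter.
UNICAST = ["FE80::2E0:CFF:FE00:FD/64", "2001:DB8:2222:7272::72/96"]
JOINED = ["FF02::1:FF00:72", "FF02::1:FF00:FD", "FF02::1"]

if __name__ == "__main__":
    print(audit_interface(UNICAST, JOINED))
    # Assumed /64 prefix plus the derived MAC reproduces the dynamic address.
    print(eui64_address("2001:DB8:2222:7272::/64", "00-E0-0C-00-00-FD"))
```
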
29 IPv6 Interface Command Usage • The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. • If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address and a link-local address for this interface.
IPv6 Interface 29 Related Commands ipv6 address autoconfig (602) show ipv6 interface (608) ipv6 address link-local This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
Joined group address(es):
  FF02::1:FF19:6779
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enable.
Link-local address:
  FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
  2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
29 IPv6 Interface Console(config-if)#ipv6 mtu 1280 Console(config-if)# Related Commands show ipv6 mtu (610) jumbo frame (64) show ipv6 default-gateway This command displays the current IPv6 default gateway.
Global unicast address(es):
  2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
29 IPv6 Interface TABLE 145 show ipv6 interface - display description (Continued) Field Description ND reachable time The amount of time a remote IPv6 node is considered reachable after a reachability confirmation event has occurred ND advertised reachable time The reachable time is included in all router advertisements sent out of an interface so that nodes on the same link use the same time value. This example displays a brief summary of IPv6 addresses configured on the switch.
IPv6 Interface 29 Example The following example shows statistics for all IPv6 unicast and multicast traffic, as well as ICMP, UDP and TCP statistics: Console#show ipv6 traffic IPv6 Statistics: IPv6 received total received header errors too big errors no routes address errors unknown protocols truncated packets discards delivers reassembly request datagrams reassembly succeeded reassembly failed IPv6 sent forwards datagrams 15 requests discards no routes generated fragments fragment succeeded fragment fail
    group membership query messages
    group membership response messages
    group membership reduction messages
    multicast listener discovery version 2 reports
UDP Statistics:
    input
    no port errors
    other errors
    output
Console#

TABLE 147 show ipv6 traffic - display description

Field             Description
IPv6 Statistics
IPv6 received
total received    The total number of input datagrams received by the interface, including those received in error.
IPv6 Interface TABLE 147 29 show ipv6 traffic - display description (Continued) Field Description reassembly failed The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
29 IPv6 Interface TABLE 147 show ipv6 traffic - display description (Continued) Field Description router solicit messages The number of ICMP Router Solicit messages received by the interface. router advertisement messages The number of ICMP Router Advertisement messages received by the interface. neighbor solicit messages The number of ICMP Neighbor Solicit messages received by the interface.
IPv6 Interface TABLE 147 29 show ipv6 traffic - display description (Continued) Field Description UDP Statistics input The total number of UDP datagrams delivered to UDP users. no port errors The total number of received UDP datagrams for which there was no application at the destination port. other errors The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
29 IPv6 Interface Command Mode Privileged Exec Command Usage • Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path. • The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
IPv6 Interface 29 Command Usage • Use the traceroute6 command to determine the path taken to reach a specified destination. • The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
29 IPv6 Interface • Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface. • Duplicate address detection is stopped on any interface that has been suspended (see the vlan command). While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending” state. Duplicate address detection is automatically restarted when the interface is administratively re-activated.
IPv6 Interface 29 ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value. Syntax ipv6 nd ns-interval milliseconds no ipv6 nd ns-interval milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
29 IPv6 Interface ipv6 nd reachable-time This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Syntax ipv6 nd reachable-time milliseconds no ipv6 nd reachable-time milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability.
IPv6 Interface 29 show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache. Syntax show ipv6 neighbors [vlan vlan-id | ipv6-address] vlan-id - VLAN ID (Range: 1-4093) ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
29 IPv6 Interface TABLE 148 show ipv6 neighbors - display description (Continued) Field Description State The following states are used for dynamic entries: I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message. I2 (Invalid) - An invalidated mapping.
Chapter 30 IP Routing Commands To forward traffic to devices on other subnetworks, you can configure fixed paths with static routing commands. Dynamic routing protocols that exchange information with other routers on the network to automatically determine the best path to any subnetwork will be supported in a subsequent release. This section includes commands for static routing. These commands are used to connect between different local subnetworks.
30 IP Routing Commands Example This example forwards all traffic for subnet 192.168.1.0 to the gateway router 192.168.5.254. Console(config)#ip route 192.168.1.0 255.255.255.0 192.168.5.254 Console(config)# show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | static | summary] connected – Displays all currently connected entries. static – Displays all static entries.
IP Routing Commands C 30 192.168.1.0/24 is directly connected, VLAN2 Console# show ip route database This command displays entries in the Routing Information Base (RIB). Command Mode Privileged Exec Command Usage The RIB contains all directly attached networks, and any additionally configured routes such as static routes.
Section III Web Configuration

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and includes the following chapters:
• Using the Web Interface
• Basic Management Tasks
• Interface Configuration
Chapter 31 Using the Web Interface

In this chapter
This chapter includes information on connecting to the switch and basic configuration procedures. It includes the following topics:
• Connecting to the Web Interface
• Navigating the Web Browser Interface

Connecting to the Web Interface
This switch provides an embedded HTTP web agent.
31 Navigating the Web Browser Interface Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds. Connection to the web interface is not supported for HTTPS using an IPv6 link local address. Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics.
Navigating the Web Browser Interface 31 Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons. TABLE 150 Web Page Configuration Buttons Button Action Apply Sets specified values to the system. Revert Cancels specified values and restores current values prior to pressing “Apply.
31 Navigating the Web Browser Interface Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Description Page Configure by Port Range Configures connection settings for a range of ports 677 Show Information Displays port connection status 678 679 Mirror Add Sets the source and target ports for mirroring 679 Show Shows the configured mirror sessions 679 Statistics Shows Interface, Etherlike, and RMON port statistics 684 Chart Shows Interface, Etherlike, and RMON port statistics 684 688 Histor
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Neighbors Description Page Displays configuration settings and operational state for the remote side of a link aggregation 706 698 Configure Trunk Configure Configures connection settings 698 Show Displays port connection status 698 Show Member Shows the active members in a trunk 698 Statistics Shows Interface, Etherlike, and RMON port statistics 684 Chart Shows Interface, Etherlike, and RMON port stati
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Description Page IEEE 802.
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Mirror Description Page Mirrors traffic matching a specified source address from any port on the switch to a target port 756 Spanning Tree 759 Loopback Detection Configures Loopback Detection parameters STA Spanning Tree Algorithm 761 Configure Global Configure Configures global bridge settings for STP, RSTP and MSTP 763 Show Information Displays STA values used for the bridge 767 Configure Configures
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Description Page 796 DSCP to DSCP Configure Maps DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing 796 Show Shows the DSCP to DSCP mapping list 796 798 CoS to DSCP Configure Maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing 798 Show Shows the CoS to DSCP mapping list 798 793 PHB to Que
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Description Page Security 821 AAA System Authentication Authentication, Authorization and Accounting 822 Configures authentication sequence – local, RADIUS, and TACACS 822 823 Server Configure Server Configures RADIUS and TACACS server message exchange settings 823 Configure Group Add Specifies a group of authentication servers and sets the priority sequence 823 Show Shows the authentication server groups
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Network Access Configure Global Description Page MAC address-based network access authentication 839 Enables aging for authenticated MAC addresses, and sets the time period after which a connected MAC address must be reauthenticated 841 842 Configure Interface General Enables MAC authentication on a port; sets the maximum number of address that can be authenticated, the guest VLAN, dynamic VLAN and dynamic QoS 8
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Description Page Shows the rules specified for an ACL 861 Configure Binds a port to the specified ACL and time range 873 Add Mirror MIrrors matching traffic to the specified port 874 Show Mirror Shows ACLs mirrored to specified port 874 Show Hardware Counters Shows statistics for ACL hardware counters 875 Show Rule Configure Interface ARP Inspection 876 Configure General Enables inspection globally,
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu SMTP Description Page Sends an SMTP client message to a participating server 915 LLDP 916 Configure Global Configures global LLDP timing parameters 916 Configure Interface Sets the message transmission mode; enables SNMP notification; and sets the LLDP attributes to advertise 918 920 Show Local Device Information General Displays general information about the local device 920 Port/Trunk Displays informat
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Show SNMPv3 Remote User Description Page Shows SNMPv3 users set from a remote device 940 944 Configure Trap Add Configures trap managers to receive messages on key events that occur for this switch 944 Show Shows configured trap managers 944 948 Configure Notify Filter Add Creates an SNMP notification log 948 Show Shows the configured notification logs 948 Shows the status of SNMP communications 950 Re
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Description Page Configure Maintenance Domains 977 Add Defines a portion of the network for which connectivity faults can be managed, identified by an MD index, maintenance level, and the MIP creation method 977 Configure Details Configures the archive hold time and fault notification settings 977 Show Shows list of configured maintenance domains 977 Configure Maintenance Associations 981 Add Defines a u
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Description Page Operation, Administration, and Maintenance 1003 Interface Enables OAM on specified port, sets the mode to active or passive, and enables the reporting of critical events or errored frame events 1003 Counters Displays statistics on OAM PDUs 1005 Event Log Displays the log for recorded link events 1006 Remote Interface Displays information about attached OAM-enabled devices 1007 Remote Loo
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Show MTU Description Page Shows the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch 1032 IP Service 1047 DNS Domain Name Service 1047 General Configure Global Enables DNS lookup; defines the default domain name appended to incomplete host names 1047 Add Domain Name Defines a list of domain names that can be a
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Description Page Show Static Member Shows multicast addresses statically configured on the selected VLAN 1065 Show Current Member Shows multicast addresses associated with the selected VLAN, either through static or dynamic configuration 1065 1067 Interface Configure VLAN Configures IGMP snooping per VLAN interface 1067 Show VLAN Information Shows IGMP snooping settings per VLAN interface 1067 Displays the
31 Navigating the Web Browser Interface TABLE 151 Switch Main Menu (Continued) Menu Show Member Description Page Shows the multicast groups assigned to an MVR VLAN, the source address of the multicast services, and the interfaces with active subscribers 1090 1091 Show Statistics Show Query Statistics Shows statistics for query-related messages 1091 Show VLAN Statistics Shows statistics for protocol messages and number of active groups 1091 Show Port Statistics Shows statistics for protocol
Chapter 32 Basic Management Tasks

In this chapter
This chapter describes the following topics:
• Displaying System Information – Provides basic system description, including contact information.
• Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
• Configuring Support for Jumbo Frames – Enables support for jumbo frames.
• Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Interface
To configure general system information:
1. Click System, General.
2. Specify the system name, location, and contact information for the system administrator.
3. Click Apply.

FIGURE 8 System Information

Displaying Hardware/Software Versions
Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Configuring Support for Jumbo Frames 32 Interface To view hardware and software version information. 1. Click System, then Switch. FIGURE 9 General Switch Information Configuring Support for Jumbo Frames Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet. Compared to standard Ethernet frames that run only up to 1.
Interface
To configure support for jumbo frames:
1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.

FIGURE 10 Configuring Support for Jumbo Frames

Displaying Bridge Extension Capabilities
Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs.
Managing System Files 32 • GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register end stations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering. Interface To view Bridge Extension information: 1. Click System, then Capability.
Command Usage
• When logging into an FTP/SFTP server, the interface prompts for a user name and password configured on the remote server. Note that “Anonymous” is set as the default user name.
• Secure Shell FTP (SFTP) provides a method of transferring files between two network devices over an SSH2-secured connection. SFTP functions similarly to Secure Copy (SCP), using SSH for user authentication and data encryption.
3. Select TFTP, HTTP, FTP or SFTP Upgrade as the file transfer method.
4. If FTP, SFTP or TFTP Upgrade is used, enter the IP address of the file server.
5. If FTP or SFTP Upgrade is used, enter the user name and password for your account on the FTP/SFTP server.
6. Set the file type to Operation Code.
7. Enter the name of the file to download.
8. Select a file on the switch to overwrite or specify a new file name.
9. Then click Apply.
NOTE
The maximum number of user-defined configuration files is limited only by available flash memory space.

Interface
To save the running configuration file:
1. Click System, then File.
2. Select Copy from the Action list.
3. Select Running-Config from the Copy Type list.
4. Select the current startup file on the switch to overwrite or specify a new file name.
5. Then click Apply.
Managing System Files FIGURE 14 32 Setting Start-Up Files To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. Showing System Files Use the System > File (Show) page to show the files in the system directory, or to delete a file. NOTE Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted. CLI References • "dir" on page 70 • "delete" on page 70 Interface To show the system files: 1. Click System, then File. 2.
32 Managing System Files Automatic Operation Code Upgrade Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
Managing System Files 32 • During the automatic search and transfer process, the administrator cannot transfer or update another operation code image, configuration file, public key, or HTTPS certificate (i.e., no other concurrent file management operations are possible). • The upgrade operation code image is set as the startup image after it has been successfully written to the file system. • The switch will send an SNMP trap and make a log entry upon all upgrade successes and failures.
Examples
The following examples demonstrate the URL syntax for a TFTP server at IP address 192.168.0.1 with the operation code image stored in various locations:
• tftp://192.168.0.1/
  The image file is in the TFTP root directory.
• tftp://192.168.0.1/switch-opcode/
  The image file is in the “switch-opcode” directory, relative to the TFTP root.
• tftp://192.168.0.
If a new image is found at the specified location, the following type of messages will be displayed during bootup.

.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.0; new version 1.1.1.2
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
.
.
.
Interface
To manually set the system clock:
1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5. Click Apply.

FIGURE 17 Manually Setting the System Clock

Setting the SNTP Polling Interval
Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers.
FIGURE 18 Setting the Polling Interval for SNTP

Specifying SNTP Time Servers

Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers.

CLI References
• "sntp server" on page 95

Parameters

The following parameters are displayed:
• SNTP Server IP Address – Sets the IPv4 or IPv6 address for up to three time servers.
Setting the Time Zone

Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Configuring Summer Time

Use the System > Time (Configure Summer Time) menu to configure summer time (that is, Daylight Savings Time) for the switch’s internal clock.

CLI References
• "clock summer-time (date)" on page 96
• "clock summer-time (predefined)" on page 98
• "clock summer-time (recurring)" on page 99

Usage Guidelines
• In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
• Recurring – Sets the start, end, and offset times of summer time on a recurring basis.
  • Offset – Summer time offset from the regular time zone. (Range: 0-99 minutes; Default: 60 minutes)
  • From – The recurring date and time at which to start using Summer Time settings.
  • To – The recurring date and time at which to stop using Summer Time settings.

Interface

To configure Summer Time:
1. Click System, then Time.
2. Select Configure Summer Time from the Step list.
3.
Configuring the Console Port

Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password (only configurable through the CLI), time outs, and basic communication settings.
Interface

To configure parameters for the console port:
1. Click System, then Console.
2. Specify the connection parameters as required.
3. Click Apply.

FIGURE 22 Console Port Settings

Configuring Telnet Settings

Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal).
• Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 1-65535 seconds; Default: 600 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts.
Displaying CPU Utilization

Use the System > CPU Utilization page to display information on CPU utilization.

CLI References
• "show process cpu" on page 59

Parameters

The following parameters are displayed:
• Time Interval – The interval at which to update the displayed utilization rate. (Options: 1, 5, 10, 30, 60 seconds; Default: 1 second)
• CPU Utilization – CPU utilization over specified interval.

Interface

To display CPU utilization:
1.
Displaying Memory Utilization

Use the System > Memory Status page to display memory utilization parameters.

CLI References
• "show memory" on page 58

Parameters

The following parameters are displayed:
• Free Size – The amount of memory currently free for use.
• Used Size – The amount of memory allocated to active processes.
• Total – The total amount of system memory.

Interface

To display memory utilization:
1. Click System, then Memory Status.
Resetting the System

Parameters

The following parameters are displayed:

System Reload Configuration
• Reset Mode – Restarts the switch immediately or at the specified time(s).
  • Immediately – Restarts the system immediately.
  • In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.)
    • hours – The number of hours, combined with the minutes, before the switch resets.
FIGURE 26 Restarting the Switch (Immediately)

FIGURE 27 Restarting the Switch (In)
FIGURE 28 Restarting the Switch (At)

FIGURE 29 Restarting the Switch (Regularly)
Chapter 33 Interface Configuration

In this chapter

This chapter describes the following topics:
• Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control.
• Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
• Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
Port Configuration

Command Usage
• Auto-negotiation must be disabled before you can configure or force an RJ-45 interface to use the Speed/Duplex mode or Flow Control options.
• When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities. To set the speed, duplex mode, or flow control under auto-negotiation, the required operation modes must be specified in the capabilities list for an interface.
(Default: Autonegotiation enabled; Advertised capabilities for 100Base-FX – 100full; 1000BASE-T – 10half, 10full, 100half, 100full, 1000full; 1000Base-SX/LX/LH – 1000full)
• Speed/Duplex – Allows you to manually set the port speed and duplex mode (i.e., with auto-negotiation disabled).
• Flow Control – Allows automatic or manual selection of flow control.

Interface

To configure port connection parameters:
1. Click Interface, Port, General.
2.
Interface

To configure port connection parameters:
1. Click Interface, Port, General.
2. Select Configure by Port Range from the Action List.
3. Enter the range of ports to which your configuration changes apply.
4. Modify the required interface settings.
5. Click Apply.
Interface

To display port connection parameters:
1. Click Interface, Port, General.
2. Select Show Information from the Action List.

FIGURE 32 Displaying Port Information

Configuring Local Port Mirroring

Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
• The destination port cannot be a trunk or trunk member port.

Parameters

These parameters are displayed:
• Source Port – The port whose traffic will be monitored.
• Target Port – The port that will mirror the traffic on the source port.
• Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both. (Default: Both)

Interface

To configure a local mirror session:
1. Click Interface, Port, Mirror.
2. Select Add from the Action List.
3.
Configuring Remote Port Mirroring

Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the specified source ports for each session over a user-specified VLAN dedicated to that RSPAN session in all participating switches. Monitored traffic from one or more sources is copied onto the RSPAN VLAN through IEEE 802.
4. Set up the destination switch on the RSPAN configuration page by specifying the mirror session, the switch’s role (Destination), the destination port, whether or not the traffic exiting this port will be tagged or untagged, and the RSPAN VLAN. Then specify each uplink port where the mirrored traffic is being received.
• Uplink Port – A port on any switch participating in RSPAN through which mirrored traffic is passed on to or received from the RSPAN VLAN. Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch. Only destination and uplink ports will be assigned by the switch as members of the RSPAN VLAN. Ports cannot be manually assigned to an RSPAN VLAN through the VLAN > Static page.
FIGURE 38 Configuring Remote Port Mirroring (Intermediate)

FIGURE 39 Configuring Remote Port Mirroring (Destination)

Showing Port or Trunk Statistics

Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
Parameters

These parameters are displayed:

TABLE 153 Port Statistics

Interface Statistics
• Received Octets – The total number of octets received on the interface, including framing characters.
• Transmitted Octets – The total number of octets transmitted out of the interface, including framing characters.
• Received Errors – The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
TABLE 153 Port Statistics (Continued)

• Excessive Collisions – A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
• Deferred Transmissions – A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy.
TABLE 153 Port Statistics (Continued)

• 64 Bytes Packets – The total number of packets (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
To show a chart of port statistics:
1. Click Interface, Port, Chart.
2. Select the statistics mode to display (Interface, Etherlike, RMON or All).
3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
Command Usage

For a description of the statistics displayed on these pages, see “Showing Port or Trunk Statistics” on page 684.

Parameters

These parameters are displayed:

Add
• Port – Port number. (Range: 1-12)
• History Name – Name of sample interval. (Range: 1-32 characters)
• Interval – The interval for sampling statistics. (Range: 1-1440 minutes)
• Requested Buckets – The number of samples to take. (Range: 1-96)

Show
• Port – Port number.
FIGURE 42 Configuring a History Sample

To show the configured entries for a history sample:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show from the Action menu.
3. Select an interface from the Port or Trunk list.

FIGURE 43 Showing Entries for History Sampling

To show the configured parameters for a sampling entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3.
FIGURE 44 Showing Status of Statistical History Sample

To show statistics for the current interval of a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Current Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
To show ingress or egress traffic statistics for a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Input Previous Entry or Output Previous Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
• General – Information on connector type and vendor-related parameters.
• DDM Information – Information on temperature, supply voltage, laser bias current, laser power, and received optical power.

Interface

To display identifying information and functional parameters for optical transceivers:
1. Click Interface, Port, Transceiver.
2. Select a port from the scroll-down list.
3. Click Apply.
Command Usage
• Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. DSP analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse.
• Cable diagnostics can only be performed on twisted-pair media.
• This cable test is only accurate for cables 7 - 140 meters long.
• The test takes approximately 5 seconds.
FIGURE 48 Performing Cable Tests

Trunk Configuration

This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 6 trunks at a time on the switch.
• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
• Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
• All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN.
• STP, VLAN, and IGMP settings can only be made for the entire trunk.
Interface

To create a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add from the Action list.
4. Enter a trunk identifier.
5. Set the unit and port for the initial trunk member.
6. Click Apply.

FIGURE 50 Creating Static Trunks

To add member ports to a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5.
4. Modify the required interface settings. (Refer to “Configuring by Port List” on page 675 for a description of the parameters.)
5. Click Apply.

FIGURE 52 Configuring Connection Parameters for a Static Trunk

To display trunk connection parameters:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
CLI References
• “Link Aggregation Commands” on page 289

Command Usage
• To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
• If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
• A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
Configure Aggregation Port - General
• Port – Port identifier. (Range: 1-12)
• LACP Status – Enables or disables LACP on a port.

Configure Aggregation Port - Actor/Partner
• Port – Port number. (Range: 1-12)
• Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default – Actor: 1, Partner: 0)
  By default, the Actor Admin Key is determined by the port's link speed, and copied to Oper Key.
FIGURE 55 Configuring the LACP Aggregator Admin Key

To enable LACP for a port:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click General.
5. Enable LACP on the required ports.
6. Click Apply.

FIGURE 56 Enabling LACP on a Port

To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3.
FIGURE 57 Configuring LACP Parameters on a Port

To show the active members of a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Show Member from the Action List.
4. Select a Trunk.

FIGURE 58 Showing Members of a Dynamic Trunk

To configure connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Configure from the Action List.
4.
FIGURE 59 Configuring Connection Settings for Dynamic Trunks

To display connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Show from the Action List.

FIGURE 60 Displaying Connection Parameters for Dynamic Trunks

Displaying LACP Port Counters

Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
TABLE 154 LACP Port Counters (Continued)

• Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
• Marker Illegal Pkts – Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.
Parameters

These parameters are displayed:

TABLE 155 LACP Internal Configuration Information

• LACP System Priority – LACP system priority assigned to this port channel.
• LACP Port Priority – LACP port priority assigned to this interface within the channel group.
• Admin Key – Current administrative value of the key for the aggregation port.
• Oper Key – Current operational value of the key for the aggregation port.
FIGURE 62 Displaying LACP Port Internal Information

Displaying LACP Settings and Status for the Remote Side

Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Interface

To display LACP settings and status for the remote side:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Show Information from the Action list.
4. Click Internal.
5. Select a group member from the Port list.

FIGURE 63 Displaying LACP Port Remote Information

Configuring Load Balancing

Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.
• Destination MAC Address: All traffic with the same destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-router trunk links where the destination MAC address is the same for all traffic.
Saving Power

Use the Interface > Green Ethernet page to enable power savings mode on the selected port.

CLI References
• “power-save” on page 287
• “show power-save” on page 288

Command Usage
• IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
Interface

To enable power savings:
1. Click Interface, Green Ethernet.
2. Mark the Enabled check box for a port.
3. Click Apply.

FIGURE 65 Enabling Power Savings

Sampling Traffic Flows

The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.
Configuring sFlow Global Settings

Use the Interface > sFlow (Configure Global) page to enable sFlow globally for the switch.

CLI References
• “sflow” on page 135

Parameters

These parameters are displayed in the web interface:
• sFlow Global Status – Enables sFlow globally for the switch. (Default: Disabled)

Interface

To configure flow sampling:
1. Click Interface, sFlow.
2. Select Configure Global from the Step list.
3. Enable or disable flow sampling.
4. Click Apply.
• Timeout – The time that the sFlow process will continuously send samples to the Collector before resetting all sFlow port parameters. (Range: 0-10000000 seconds, where 0 indicates no time out)
  • The sFlow parameters affected by this command include the sampling interval, the receiver’s name, address and UDP port, the time out, maximum header size, and maximum datagram size.
• Max Header Size – Maximum size of the sFlow datagram header.
Traffic Segmentation

If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
Configuring Uplink and Downlink Ports

Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
Interface

To configure the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Select Add from the Action list.
4. Enter the session ID, set the direction to uplink or downlink, and select the interface to add.
5. Click Apply.

FIGURE 69 Configuring Members for Traffic Segmentation

To show the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2.
VLAN Trunking

Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.

CLI References
• “vlan-trunking” on page 385

Command Usage
• Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
• VLAN Trunking Status – Enables VLAN trunking on the selected interface.

Interface

To enable VLAN trunking on a port or trunk:
1. Click Interface, VLAN Trunking.
2. Click Port or Trunk to specify the interface type.
3. Enable VLAN trunking on any of the ports or on a trunk.
4. Click Apply.
Chapter 34 VLAN Configuration

In this chapter

This chapter includes the following topics:
• IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
• IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
• Protocol VLANs – Configures VLAN groups based on specified protocols.
IEEE 802.1Q VLANs

• End stations can belong to multiple VLANs
• Passing traffic between VLAN-aware and VLAN-unaware devices
• Priority tagging

Assigning Ports to VLANs

Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports.
Automatic VLAN Registration – GVRP (GARP VLAN Registration Protocol) defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned. If an end station (or its network adapter) supports the IEEE 802.1Q VLAN protocol, it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join.
Configuring VLAN Groups

Use the VLAN > Static (Add) page to create or remove VLAN groups, set administrative status, or specify Remote VLAN type (see “Configuring Remote Port Mirroring” on page 681). To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups.
Interface

To create VLAN groups:
1. Click VLAN, Static.
2. Select Add from the Action list.
3. Enter a VLAN ID or range of IDs.
4. Mark Enabled to configure the VLAN as operational.
5. Specify whether the VLANs are to be used for remote port mirroring.
6. Click Apply.

FIGURE 75 Creating Static VLANs

To modify the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Modify from the Action list.
3. Select the identifier of a configured VLAN.
4.
FIGURE 77 Showing Static VLANs

Adding Static Members to VLANs

Use the VLAN > Static page to configure port members for the selected VLAN index, interface, or a range of interfaces. Use the menus for editing port members to configure the VLAN behavior for specific interfaces, including the mode of operation (Hybrid or 1Q Trunk), the default VLAN identifier (PVID), accepted frame types, and ingress filtering. Assign ports as tagged if they are connected to 802.
• PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1)
  When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN. When using Hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member.
• Acceptable Frame Type – Sets the interface to accept all frame types, including tagged or untagged frames, or only tagged frames.
Interface

To configure static members by the VLAN index:
1. Click VLAN, Static.
2. Select Edit Member by VLAN from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Modify the settings for any interface as required.
5. Click Apply.

FIGURE 78 Configuring Static Members by VLAN Index

To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk to configure.
4.
FIGURE 79 Configuring Static VLAN Members by Interface

To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required.
Configuring Dynamic VLAN Registration

Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.

CLI References
• “GVRP and Bridge Extension Commands” on page 374
• “Configuring VLAN Interfaces” on page 380

Parameters

These parameters are displayed:

Configure General
• GVRP Status – GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
Show Dynamic VLAN – Show VLAN Member
• VLAN – Identifier of a VLAN this switch has joined through GVRP.
• Interface – Displays a list of ports or trunks which have joined the selected VLAN through GVRP.

Interface

To configure GVRP on the switch:
1. Click VLAN, Dynamic.
2. Select Configure General from the Step list.
3. Enable or disable GVRP.
4. Click Apply.

FIGURE 81 Configuring Global Status of GVRP

To configure GVRP status and timers on a port or trunk:
1. Click VLAN, Dynamic.
To show the dynamic VLAN joined by this switch:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN from the Action list.

FIGURE 83 Showing Dynamic VLANs Registered on the Switch

To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.

FIGURE 84 Showing the Members of a Dynamic VLAN

IEEE 802.1Q Tunneling

IEEE 802.
QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
• The native VLAN (VLAN 1) is not normally added to transmitted frames. Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of misconfiguration. Use VLAN 1 as a management VLAN rather than a data VLAN in the service provider network.
• There are some inherent incompatibilities between Layer 2 and Layer 3 switching:
  • Tunnel ports do not support IP Access Control Lists.
Use this field to set a custom 802.1Q ethertype value for the 802.1Q Tunnel TPID. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames. For example, if 0x1234 is set as the custom 802.1Q ethertype on a trunk port, incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk.
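The double tagging and custom TPID behaviour described above can be seen at the byte level in the following added Python example, which is not taken from the Brocade guide. The function names, MAC addresses, payload, and the pairing of SPVLAN 99 over customer VLAN 2 are constructed for illustration, and the inner customer tag is assumed to use the standard 0x8100 ethertype.

```python
import struct

TPID_8021Q = 0x8100  # standard 802.1Q ethertype named in the text above


def build_tag(tpid, vid, pcp=0):
    """Return a 4-byte VLAN tag: 16-bit TPID, then 16-bit TCI (PCP, DEI, VID)."""
    if not 0 < vid < 0xFFF:  # 12-bit field; 0 and 0xFFF are reserved by 802.1Q
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must be 0-7")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def push_outer_tag(frame, spvid, tpid=TPID_8021Q):
    """Tunnel ingress: insert the SPVLAN tag right after the two MAC addresses."""
    return frame[:12] + build_tag(tpid, spvid) + frame[12:]


def pop_outer_tag(frame):
    """Egress on an untagged SPVLAN member: strip the outer 4-byte tag."""
    return frame[:12] + frame[16:]


def parse_tags(frame, outer_tpid=TPID_8021Q):
    """Return (tags, ethertype, payload); tags holds at most outer + inner."""
    tags, offset, expected = [], 12, outer_tpid
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before ethertype")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != expected or len(tags) == 2:
            return tags, etype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        offset += 4
        expected = TPID_8021Q  # assumption: the inner customer tag is standard


def customer_frame():
    """Constructed sample: IPv4 ethertype behind a customer tag with CVID 2."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    return (dst + src + build_tag(TPID_8021Q, 2)
            + struct.pack("!H", 0x0800) + b"constructed-payload")


if __name__ == "__main__":
    double = push_outer_tag(customer_frame(), 99)
    print(parse_tags(double)[0])                       # outer 99, inner 2
    custom = push_outer_tag(customer_frame(), 99, tpid=0x1234)
    print(parse_tags(custom, outer_tpid=0x1234)[0])    # same stack, custom TPID
    print(parse_tags(custom)[:2])                      # default TPID: no tag seen
```

When the custom-TPID frame is parsed with the default ethertype, this parser finds no tag at all and reports 0x1234 as the frame's ethertype, which is why both ends of a link have to agree on the TPID value.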
• Rather than relying on standard service paths and priority queuing, QinQ VLAN mapping can be used to further enhance service by defining a set of differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs.
FIGURE 88 Showing CVLAN to SPVLAN Mapping Entries

The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the switchport dot1q-tunnel service match cvid command on page 390.

Adding an Interface to a QinQ Tunnel

Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
Interface

To add an interface to a QinQ tunnel:
1. Click VLAN, Tunnel.
2. Select Configure Interface from the Step list.
3. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink.
4. Click Apply.

FIGURE 89 Adding an Interface to a QinQ Tunnel

Protocol VLANs

The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
Configuring Protocol VLAN Groups

Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.

CLI References
• “protocol-vlan protocol-group (Configuring Groups)” on page 404

Parameters
These parameters are displayed:
• Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
• Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6.
To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.

FIGURE 91 Displaying Protocol VLANs

Mapping Protocol Groups to Interfaces

Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
• Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN Group. (Range: 1-2147483647)
• VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4093)
• Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority)

Interface
To map a protocol group to a VLAN for a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Add from the Action list.
4.
FIGURE 93 Showing the Interface to Protocol Group Mapping

Configuring IP Subnet VLANs

When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
• VLAN – VLAN to which matching IP subnet traffic is forwarded. (Range: 1-4093)
• Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority; Default: 0)

Interface
To map an IP subnet to a VLAN:
1. Click VLAN, IP Subnet.
2. Select Configure IP Subnet from the Step list.
3. Select Add from the Action list.
4. Enter an address in the IP Address field.
5. Enter a mask in the Subnet Mask field.
6.
Binding an Interface to an IP Subnet VLAN

Use the VLAN > IP Subnet (Configure Interface - Add) page to bind an interface to an IP subnet VLAN.

CLI References
• “subnet-vlan (Interface Configuration)” on page 407

Command Usage
• The IP subnet cannot be a broadcast or multicast IP address.
• Use the Configure IP Subnet (Add) page described in the preceding section to create an IP subnet VLAN.
To show the interfaces bound to IP subnet VLANs:
1. Click VLAN, IP Subnet.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.

FIGURE 97 Showing the Interfaces Bound to IP Subnet VLANs

Configuring MAC-based VLANs

Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses.
Interface
To map a MAC address to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Add from the Action list.
3. Enter an address in the MAC Address field.
4. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
5. Enter a value to assign to untagged frames in the Priority field.
6. Click Apply.

FIGURE 98 Configuring MAC-Based VLANs

To show the MAC addresses mapped to a VLAN:
1. Click VLAN, MAC-Based.
2.
Configuring VLAN Mirroring

Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.

CLI References
• “Port Mirroring Commands” on page 301

Command Usage
• All active ports in a source VLAN are monitored for ingress traffic only.
FIGURE 100 Configuring VLAN Mirroring

To show the VLANs to be mirrored:
1. Click VLAN, Mirror.
2. Select Show from the Action list.

FIGURE 101 Showing the VLANs to Mirror

Configuring VLAN Translation

Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.
For example, assume that the upstream switch does not support QinQ tunneling. Select Port 1, and set the Old VLAN to 10 and the New VLAN to 100 to map VLAN 10 to VLAN 100 for upstream traffic entering port 1, and VLAN 100 to VLAN 10 for downstream traffic leaving port 1 as shown below.
To show the mapping entries for VLAN translation:
1. Click VLAN, Translation.
2. Select Show from the Action list.
Chapter 35 Address Table Settings

In this chapter

Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

This chapter describes the following topics:
• Static MAC Addresses – Configures static entries in the address table.
• MAC Address – Physical address of a device mapped to this interface. Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
• Static Status – Sets the time to retain the specified address.
  • Delete-on-reset - Assignment lasts until the switch is reset.
  • Permanent - Assignment is permanent. (This is the default.)

Interface
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3.
Changing the Aging Time

Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.

CLI References
• “mac-address-table aging-time” on page 327

Parameters
These parameters are displayed:
• Aging Status – Enables/disables the function.
• Aging Time – The time after which a learned entry is discarded.
Displaying the Dynamic Address Table

Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
Clearing the Dynamic Address Table

Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database.

CLI References
• “clear mac-address-table dynamic” on page 329

Parameters
These parameters are displayed:
• Clear by – All entries can be cleared; or you can clear the entries for a specific MAC address, all the entries in a VLAN, or all the entries associated with a port or trunk.
Configuring MAC Address Mirroring

Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
FIGURE 110 Mirroring Packets Based on the Source MAC Address

To show the MAC addresses to be mirrored:
1. Click MAC Address, Mirror.
2. Select Show from the Action list.
Chapter 36 Spanning Tree Algorithm

In this chapter

This chapter describes the following basic topics:
• Loopback Detection – Configures detection and response to loopback BPDUs.
• Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
• Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
FIGURE 112 STP Root Ports and Designated Ports [diagram labels: Designated Root, Designated Bridge, Designated Port, Root Port]

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
FIGURE 114 Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree [diagram labels: Region 1, Region 2, Region 3, Region 4, CIST, CST, IST]

MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree (CIST). The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP, RSTP, and MSTP protocols.
• Status – Enables loopback detection on this interface. (Default: Enabled)
• Trap – Enables SNMP trap notification for loopback events on this interface. (Default: Disabled)
• Release Mode – Configures the interface for automatic or manual loopback release. (Default: Auto)
• Release – Allows an interface to be manually released from discard mode. This is only available if the interface is configured for manual release mode.
Configuring Global Settings for STA

Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.

CLI References
• “Spanning Tree Commands” on page 333

Command Usage
• Spanning Tree Protocol – This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
Parameters
These parameters are displayed:

Basic Configuration of Global Settings
• Spanning Tree Status – Enables/disables STA on this switch. (Default: Enabled)
• Spanning Tree Type – Specifies the type of spanning tree used on this switch:
  • STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode.
  • RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
• Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconverge. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
FIGURE 116 Configuring Global Settings for STA (STP)

FIGURE 117 Configuring Global Settings for STA (RSTP)
FIGURE 118 Configuring Global Settings for STA (MSTP)

Displaying Global Settings for STA

Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
• Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
• Root Path Cost – The path cost from the root port on this switch to the root device.
• Configuration Changes – The number of times the Spanning Tree has been reconfigured.
• BPDU Flooding - Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 763) or when spanning tree is disabled on a specific port. When flooding is enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the Spanning Tree BPDU Flooding attribute (page 763).
• Priority – Defines the priority used for this port in the Spanning Tree Protocol.
• Root Guard – STA allows a bridge with a lower bridge identifier (or same identifier and lower MAC address) to take over as the root bridge at any time. Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location. Root Guard should be enabled on any designated port connected to low-speed bridges which could potentially overload a slower link by taking over as the root port and forming a new spanning tree topology.
Interface
To configure interface settings for STA:
1. Click Spanning Tree, STA.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Modify any of the required attributes.
5. Click Apply.

FIGURE 120 Configuring Interface Settings for STA

Displaying Interface Settings for STA

Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.
• Forwarding - Port forwards packets, and continues learning addresses.

The rules defining port status are:
• A port on a network segment with no other STA compliant bridging device is always forwarding.
• If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.

Interface
To display interface settings for STA:
1. Click Spanning Tree, STA.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
Configuring Multiple Spanning Trees

Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.

CLI References
• “Spanning Tree Commands” on page 333

Command Usage
MSTP generates a unique spanning tree for each instance.
4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global - Add Member) page. If the priority is not specified, the default value 32768 is used.
5. Click Apply.

FIGURE 123 Creating an MST Instance

To show the MSTP instances:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
5. Click Apply.

FIGURE 125 Modifying the Priority for an MST Instance

To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Information from the Action list.
4. Select an MST ID.

The attributes displayed on this page are described under “Displaying Global Settings for STA” on page 767.
FIGURE 127 Adding a VLAN to an MST Instance

To show the VLAN members of an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Member from the Action list.

FIGURE 128 Displaying Members of an MST Instance

Configuring Interface Settings for MSTP

Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
• Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
• Forwarding – Port forwards packets, and continues learning addresses.
• Priority – Defines the priority used for this port in the Spanning Tree Protocol.
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
Chapter 37 Congestion Control

In this chapter

The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Congestion Control includes the following options:
• Rate Limiting – Sets the input and output rate limits for a port.
3. Set the rate limit for the individual ports.
4. Click Apply.

FIGURE 131 Configuring Rate Limits

Storm Control

Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
NOTE
Due to a chip limitation, the switch supports only one limit on an interface for both ingress rate limiting and storm control (including unknown unicast, multicast, and broadcast storms).

Parameters
These parameters are displayed:
• Interface – Displays a list of ports or trunks.
• Type – Indicates interface type. (1000Base-T, 1000Base SFP)
• Unknown Unicast – Specifies storm control for unknown unicast traffic.
• Multicast – Specifies storm control for multicast traffic.
Automatic Traffic Control

Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

CLI References
• “Automatic Traffic Control Commands” on page 313

Command Usage
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
FIGURE 134 Storm Control by Shutting Down a Port

The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

Functional Limitations

Automatic storm control is a software level control function.
• Broadcast Release Timer – The time at which to release the control response after ingress traffic has fallen beneath the lower threshold for broadcast storms. (Range: 1-900 seconds; Default: 900 seconds)
• Multicast Apply Timer – The interval after the upper threshold has been exceeded at which to apply the control response to multicast storms.
• State – Enables automatic traffic control for broadcast or multicast storms. (Default: Disabled)
  Automatic storm control is a software level control function. Traffic storms can also be controlled at the hardware level using the Storm Control menu. However, only one of these control types can be applied to a port. Enabling automatic storm control on a port will disable hardware-level storm control on that port.
• Manual Control Release – Manually releases a control response of rate-limiting or port shutdown any time after the specified action has been triggered.

Interface
To configure the response timers for automatic storm control:
1. Click Traffic, Auto Traffic Control.
2. Select Configure Interface from the Step field.
3.
Chapter 38 Class of Service

In this chapter

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Parameters
These parameters are displayed:
• Interface – Displays a list of ports or trunks.
• CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)

Interface
To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2. Select the interface type to display (Port or Trunk).
3. Modify the default priority for any interface.
4. Click Apply.
• If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the Strict Mode field parameter.
• A weight can be assigned to each of the weighted queues (and thereby to the corresponding traffic priorities).
FIGURE 138 Setting the Queue Mode (Strict)

FIGURE 139 Setting the Queue Mode (WRR)

FIGURE 140 Setting the Queue Mode (Strict and WRR)
Mapping CoS Values to Egress Queues

Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see “Mapping CoS Priorities to Internal DSCP Values” on page 798.)
Parameters
These parameters are displayed:
• Port – Specifies a port.
• PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7, where 7 is the highest priority)
• Queue – Output queue buffer. (Range: 0-7, where 7 is the highest CoS priority queue)

Interface
To map internal PHB to hardware queues:
1. Click Traffic, Priority, PHB to Queue.
2. Select Configure from the Action list.
3. Select a port.
4. Map an internal PHB to a hardware queue.
FIGURE 142 Showing CoS Values to Egress Queue Mapping

Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values

The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
• If the QoS mapping mode is set to DSCP, and a non-IP packet is received, the packet’s CoS and CFI (Canonical Format Indicator) values are used for priority processing if the packet is tagged. For an untagged packet, the default port priority (see page 789) is used for priority processing.
• If the QoS mapping mode is set to CoS, and the ingress packet type is IPv4, then priority processing will be based on the CoS and CFI values in the ingress packet.
Command Usage
• Enter per-hop behavior and drop precedence for any of the DSCP values 0 - 63.
• This map is only used when the priority mapping mode is set to DSCP (see page 795), and the ingress packet type is IPv4. Any attempt to configure the DSCP mutation map will not be accepted by the switch, unless the trust mode has been set to DSCP.
4. Set the PHB and drop precedence for any DSCP value.
5. Click Apply.

FIGURE 144 Configuring DSCP to DSCP Internal Mapping

To show the DSCP to internal PHB/drop precedence map:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Show from the Action list.
3. Select a port.
• If a packet arrives with a 802.1Q header but it is not an IP packet, then the CoS/CFI-to-PHB/Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command.
FIGURE 146 Configuring CoS to DSCP Internal Mapping

To show the CoS/CFI to internal PHB/drop precedence map:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Show from the Action list.
3. Select a port.
Chapter 39 Quality of Service

In this chapter

This chapter describes the following tasks required to apply QoS policies:
• Class Map – Creates a map which identifies a specific class of traffic.
• Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
• Binding to a Port – Applies a policy map to an ingress port.
Command Usage
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
3.
• IP DSCP – A DSCP value. (Range: 0-63)
• IP Precedence – An IP Precedence value. (Range: 0-7)
• IPv6 DSCP – A DSCP value contained in an IPv6 packet. (Range: 0-63)
• VLAN ID – A VLAN. (Range: 1-4093)
• CoS – A CoS value. (Range: 0-7)
• Source Port – A source port. (Range: 1-12)

Interface
To configure a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add from the Action list.
4. Enter a class name.
5. Enter a description.
6.
To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5. Specify type of traffic for this class based on an access list, a DSCP or IP Precedence value, or a VLAN. You can specify up to 16 items to match when assigning ingress traffic to a class map.
6. Click Apply.

FIGURE 150 Adding Rules to a Class Map

To show the rules for a class map:
1.
Creating QoS Policies

Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (page 802), modify service tagging, and enforce bandwidth policing. A policy map can then be bound by a service policy to one or more interfaces (page 812).

Configuring QoS policies requires several steps.
• neither Tc nor Te is incremented.

When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Blind mode:
• If Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else
• if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0,
• else the packet is red and neither Tc nor Te is decremented.
When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode:
• If Tp(t)-B < 0, the packet is red, else
• if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else
• the packet is green and both Tp and Tc are decremented by B.
• Set PHB – Configures the service provided to ingress traffic by setting the internal per-hop behavior for a matching packet (as specified in rule settings for a class map). (Range: 0-7) See Table 163, "Default Mapping of DSCP Values to Internal PHB/Drop Values," on page 797.
• Set IP DSCP – Configures the service provided to ingress traffic by setting an IP DSCP value for a matching packet (as specified in rule settings for a class map).
• Committed Burst Size (BC) – Burst in bytes. (Range: 0-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
• Exceeded Burst Size (BE) – Burst in excess of committed burst size. (Range: 0-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
• Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level.
• Peak Burst Size (BP) – Burst size in bytes. (Range: 0-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
• Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level.
  • Transmit – Transmits in-conformance traffic without any change to the DSCP service level.
FIGURE 153 Showing Policy Maps

To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class. Use one of the metering options to define parameters such as the maximum throughput and burst rate.
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.

FIGURE 155 Showing the Rules for a Policy Map

Attaching a Policy Map to a Port

Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.
FIGURE 156 Attaching a Policy Map to a Port
Chapter 40 VoIP Traffic Configuration

In this chapter

This chapter covers the following topics:
• Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports.
• Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
Command Usage
All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see “Adding Static Members to VLANs” on page 724).

Parameters
These parameters are displayed:
• Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports.
Configuring Telephony OUI

VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP. Use the Traffic > VoIP (Configure OUI) page to configure this feature.
To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.

FIGURE 159 Showing an OUI Telephony List

Configuring VoIP Traffic Ports

Use the Traffic > VoIP (Configure Interface) page to configure ports for VoIP traffic. You need to set the mode (Auto or Manual), specify the discovery method to use, and set the traffic priority.
• Security – Enables security filtering that discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch. Packets received from non-VoIP sources are dropped. (Default: Disabled)
• Discovery Protocol – Selects a method to use for detecting VoIP traffic on the port.
Chapter 41 Security Measures
In this chapter
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
AAA Authentication, Authorization and Accounting
The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows:
• Authentication — Identifies users that request access to the network.
• Authorization — Determines if users can access specific services.
Command Usage
• By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence. Then specify the corresponding parameters for the remote authentication protocol using the Security > AAA > Server page. Local and remote logon authentication control management access via the console port, web browser, or Telnet.
FIGURE 162 Authentication Server Operation
(Figure labels: console, Web, Telnet; RADIUS/TACACS+ server)
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
RADIUS uses UDP while TACACS+ uses TCP.
• Authentication Server UDP Port – Network (UDP) port on authentication server used for authentication messages. (Range: 1-65535; Default: 1812)
• Authentication Timeout – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)
• Authentication Retries – Number of times the switch tries to authenticate logon access via the authentication server.
3. Select RADIUS or TACACS+ server type.
4. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server.
5. To set or modify the authentication key, mark the Set Key box, enter the key, and then confirm it.
6. Click Apply.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.
FIGURE 165 Configuring AAA Server Groups
To show the RADIUS or TACACS+ server groups used for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
Command Usage
AAA authentication through a RADIUS or TACACS+ server must be enabled before accounting is enabled.
Parameters
These parameters are displayed:
Configure Global
• Periodic Update - Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server. (Range: 1-2147483647 minutes)
Configure Method
• Accounting Type – Specifies the service as:
• 802.
• Interface - Displays the port, console or Telnet interface to which these rules apply. (This field is null if the accounting method and associated server group have not been assigned to an interface.)
Show Information – Statistics
• User Name - Displays a registered user name.
• Accounting Type - Displays the accounting service.
• Interface - Displays the receive port number through which this user accessed the switch.
FIGURE 168 Configuring AAA Accounting Methods
To show the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Show from the Action list.
FIGURE 170 Configuring AAA Accounting Service for 802.1X Service
FIGURE 171 Configuring AAA Accounting Service for Exec Service
To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.
To display basic accounting information and statistics recorded for user sessions:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Statistics.
• Telnet Method Name – Specifies a user-defined method name to apply to Telnet connections.
Show Information
• Authorization Type - Displays the authorization service.
• Method Name - Displays the user-defined or default accounting method.
• Server Group Name - Displays the authorization server group.
• Interface - Displays the console or Telnet interface to which these rules apply.
FIGURE 175 Showing AAA Authorization Methods
To configure the authorization method applied to local console, Telnet, or SSH connections:
1. Click Security, AAA, Authorization.
2. Select Configure Service from the Step list.
3. Enter the required authorization method.
4. Click Apply.
FIGURE 176 Configuring AAA Authorization Methods for Exec Service
To display the configured authorization method and assigned server groups for the Exec service type:
1.
Configuring User Accounts
Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.
CLI References
• “User Accounts” on page 141
Command Usage
• The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.”
• The guest only has read access for most configuration parameters.
FIGURE 178 Configuring User Accounts
To show user accounts:
1. Click Security, User Accounts.
2. Select Show from the Action list.
FIGURE 179 Showing User Accounts
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP-assigned IP address and perform DNS queries.
Configuring Global Settings for Web Authentication
Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
CLI References
• “Web Authentication” on page 210
Parameters
These parameters are displayed:
• Web Authentication Status – Enables web authentication for the switch. (Default: Disabled) Note that this feature must also be enabled for any port where required under the Configure Interface menu.
Configuring Interface Settings for Web Authentication
Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts.
CLI References
• “Web Authentication” on page 210
Parameters
These parameters are displayed:
• Port – Indicates the port being configured.
• Status – Configures the web authentication status for the port.
• Host IP Address – Indicates the IP address of each connected host.
Network Access (MAC Address Authentication)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points. The switch enables network access from these devices to be controlled by authenticating device MAC addresses with a central RADIUS server.
• The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user. The “Filter-ID” attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:
TABLE 165 Dynamic QoS Profiles
Profile | Attribute Syntax | Example
DiffServ | service-policy-in=policy-map-name | service-policy-in=p1
Rate Limit | rate-limit-input=rate | rate-limit-input=100 (in units of Kbps)
802.
Configuring Global Settings for Network Access
MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
Configuring Network Access for Ports
Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS assignments.
Interface
To configure MAC authentication on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the General button.
4. Make any configuration changes required to enable address authentication on a port, set the maximum number of secure addresses supported, the guest VLAN to use when MAC Authentication or 802.1X Authentication fails, and the dynamic VLAN and QoS assignments.
5. Click Apply.
Interface
To configure link detection on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the Link Detection button.
4. Modify the link detection status, trigger condition, and the response for any port.
5. Click Apply.
Interface
To add a MAC address filter for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Add from the Action list.
4. Enter a filter ID, MAC address, and optional mask.
5. Click Apply.
FIGURE 185 Configuring a MAC Address Filter for Network Access
To show the MAC address filter table for MAC authentication:
1. Click Security, Network Access.
2.
Parameters
These parameters are displayed:
• Query By – Specifies parameters to use in the MAC address query.
  • Sort Key – Sorts the information displayed based on MAC address, port interface, or attribute.
  • MAC Address – Specifies a specific MAC address.
  • Interface – Specifies a port interface.
  • Attribute – Displays static or dynamic addresses.
• Authenticated MAC Address List
  • MAC Address – The authenticated MAC address.
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Configuring Global Settings for HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the UDP port used for this service.
Parameters
These parameters are displayed:
• HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled)
• HTTPS Port – Specifies the UDP port number used for HTTPS connection to the switch’s web interface. (Default: Port 443)
Interface
To configure HTTPS:
1. Click Security, HTTPS.
2. Select Configure Global from the Step list.
3. Enable HTTPS and specify the port number if required.
4. Click Apply.
NOTE
The switch must be reset for the new certificate to be activated. To reset the switch, see “Resetting the System” on page 671 or type “reload” at the command prompt:
Console#reload
CLI References
• “Web Server” on page 161
Parameters
These parameters are displayed:
• TFTP Server IP Address – IP address of TFTP server which contains the certificate file.
• Certificate Source File Name – Name of certificate file stored on the TFTP server.
Configuring Secure Shell
Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older remote access tools. SSH can also provide remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public key that the client uses along with a local user name and password for access authentication.
4. Set the Optional Parameters – On the SSH Settings page, configure the optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b.
Configuring the SSH Server
Use the Security > SSH (Configure Global) page to enable the SSH server and configure basic settings for authentication.
NOTE
A host key pair must be configured on the switch before you can enable the SSH server. See “Generating the Host Key Pair” on page 853.
CLI References
• “Secure Shell” on page 166
Parameters
These parameters are displayed:
• SSH Server Status – Allows you to enable/disable the SSH server on the switch.
FIGURE 190 Configuring the SSH Server
Generating the Host Key Pair
Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section “Importing User Public Keys” on page 854.
3. Select Generate from the Action list.
4. Select the host-key type from the drop-down box.
5. Select the option to save the host key from memory to flash if required.
6. Click Apply.
FIGURE 191 Generating the SSH Host Key Pair
To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Show from the Action list.
4. Select the host-key type to clear.
5. Click Clear.
CLI References
• “Secure Shell” on page 166
Parameters
These parameters are displayed:
• User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see “Configuring User Accounts” on page 835).
• User Key Type – The type of public key to upload.
  • RSA: The switch accepts an RSA version 1 encrypted public key.
  • DSA: The switch accepts a DSA version 2 encrypted public key.
3. Select Show from the Action list.
4. Select a user from the User Name list.
5. Select the host-key type to clear.
6. Click Clear.
FIGURE 194 Showing the SSH User’s Public Key
Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP, or next header type), or any frames (based on MAC address or Ethernet type).
The maximum number of rules (Access Control Entries, or ACEs) stated above is the worst-case scenario. In practice, the switch compresses the ACEs in TCAM (a hardware table used to store ACEs), but the actual maximum number of ACEs possible depends on too many factors to be precisely determined. It depends on the amount of hardware resources reserved at runtime for this purpose.
• Mode
  • Absolute – Specifies a specific time or time range.
    • Start/End – Specifies the hours, minutes, month, day, and year at which to start or end.
  • Periodic – Specifies a periodic interval.
    • Start/To – Specifies the days of the week, hours, and minutes at which to start or end.
Interface
To configure a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Add from the Action list.
4. Enter the name of a time range.
5. Click Apply.
3. Select Add Rule from the Action list.
4. Select the name of a time range from the drop-down list.
5. Select a mode option of Absolute or Periodic.
6. Fill in the required parameters for the selected mode.
7. Click Apply.
FIGURE 197 Add a Rule to a Time Range
To show the rules configured for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Show Rule from the Action list.
Showing TCAM Utilization
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Setting the ACL Name and Type
Use the Security > ACL (Configure ACL - Add) page to create an ACL.
CLI References
• “access-list ip” on page 240
• “show ip access-list” on page 245
• “access-list ipv6” on page 246
• “show ipv6 access-list” on page 249
Parameters
These parameters are displayed:
• ACL Name – Name of the ACL.
To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
FIGURE 201 Showing a List of ACLs
Configuring a Standard IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
Interface
To add rules to a Standard IPv4 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
9. Click Apply.
Parameters
These parameters are displayed:
• Type – Selects the type of ACLs to show in the Name list.
• Name – Shows the names of ACLs matching the selected type.
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Specifies the source or destination IP address type.
Interface
To add rules to an Extended IPv4 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Extended from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
9.
Parameters
These parameters are displayed in the web interface:
• Type – Selects the type of ACLs to show in the Name list.
• Name – Shows the names of ACLs matching the selected type.
• Action – An ACL can contain any combination of permit or deny rules.
• Source Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-Prefix” to specify a range of addresses.
FIGURE 204 Configuring a Standard IPv6 ACL
Configuring an Extended IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
CLI References
• “permit, deny (Extended IPv6 ACL)” on page 248
• “show ipv6 access-list” on page 249
• “Time Range” on page 102
Parameters
These parameters are displayed in the web interface:
• Type – Selects the type of ACLs to show in the Name list.
Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
FIGURE 205 Configuring an Extended IPv6 ACL
Configuring a MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
CLI References
• “permit, deny (MAC ACL)” on page 252
• “show ip access-list” on page 245
• “Time Range” on page 102
Parameters
These parameters are displayed:
• Type – Selects the type of ACLs to show in the Name list.
• Tagged-eth2 – Tagged Ethernet II packets.
• Tagged-802.3 – Tagged Ethernet 802.3 packets.
• VID – VLAN ID. (Range: 1-4094)
• VID Bit Mask – VLAN bit mask. (Range: 0-4095)
• Ethernet Type – This option can only be used to filter Ethernet II formatted packets. (Range: 600-ffff hex.) A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).
• Ethernet Type Bit Mask – Protocol bit mask.
FIGURE 206 Configuring a MAC ACL
Configuring an ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection” on page 877).
• Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.
• Source/Destination MAC Bit Mask – Hexadecimal mask for source or destination MAC address.
• Log – Logs a packet when it matches the access control entry.
Binding a Port to an Access Control List
After configuring ACLs, use the Security > ACL > Configure Interface (Configure) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
FIGURE 208 Binding a Port to an ACL
Configuring ACL Mirroring
After configuring ACLs, use the Security > ACL > Configure Interface (Add Mirror) page to mirror traffic matching an ACL from one or more source ports to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
Interface
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Add Mirror from the Action list.
4. Select a port.
5. Select the name of an ACL from the ACL list.
6. Click Apply.
FIGURE 209 Configuring ACL Mirroring
To show the ACLs to be mirrored:
1. Select Configure Interface from the Step list.
2. Select Show Mirror from the Action list.
3. Select a port.
Parameters
These parameters are displayed:
• Port – Port identifier. (Range: 1-12)
• Type – Selects the type of ACL.
• Direction – Selects ingress or egress traffic.
• Query – Displays statistics for selected criteria.
• ACL Name – The ACL bound to this port.
• Action – Shows if action is to permit or deny specified packets.
• Rules – Shows the rules for the ACL bound to this port.
• Time-Range – Name of a time range.
• Hits – Shows the number of packets matching this ACL.
ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database – the DHCP snooping binding database (see “DHCP Snooping Configuration” on page 904). This database is built by DHCP snooping if it is enabled globally on the switch and on the required VLANs.
• IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
• Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
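The IP and Source MAC checks described above, as an added Python example that is not part of the guide and not the switch's own code: it parses untagged Ethernet II ARP frames and reports which of the two checks each frame fails. The function names, the documentation-range addresses and the sample frames are constructed for illustration; the last sample shows that a request with sender IP 0.0.0.0 (the form RFC 5227 address probes use) fails the IP check as it is worded here.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806
ZERO = ipaddress.IPv4Address("0.0.0.0")
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_arp(frame: bytes) -> dict:
    """Parse an untagged Ethernet II frame carrying an IPv4-over-Ethernet ARP body."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header plus ARP body")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    if oper not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("unsupported ARP opcode")
    return {
        "eth_src": eth_src, "eth_dst": eth_dst, "oper": oper,
        "sender_mac": sha, "sender_ip": ipaddress.IPv4Address(spa),
        "target_mac": tha, "target_ip": ipaddress.IPv4Address(tpa),
    }


def ip_rejected(addr) -> bool:
    """0.0.0.0, 255.255.255.255 and all IP multicast addresses are invalid."""
    return addr in (ZERO, BROADCAST) or addr.is_multicast


def failed_checks(frame: bytes, check_ip=True, check_src_mac=True) -> list:
    """Return the names of the enabled checks that the frame fails."""
    p = parse_arp(frame)
    failed = []
    if check_ip:
        # Sender IP: every request and response. Target IP: responses only.
        addrs = [p["sender_ip"]]
        if p["oper"] == ARP_REPLY:
            addrs.append(p["target_ip"])
        if any(ip_rejected(a) for a in addrs):
            failed.append("ip")
    # Ethernet header source MAC must equal the sender MAC in the ARP body.
    if check_src_mac and p["eth_src"] != p["sender_mac"]:
        failed.append("src-mac")
    return failed


def build(eth_src, eth_dst, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble a sample frame (helper for the constructed inputs below)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


def run_samples() -> dict:
    """Constructed frames using documentation MAC and IP ranges."""
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    bc, unset = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    samples = {
        "normal request": build(a, bc, ARP_REQUEST, a, "192.0.2.10", unset, "192.0.2.1"),
        "reply, sender MAC differs from Ethernet source":
            build(a, b, ARP_REPLY, "00:00:5e:00:53:99", "192.0.2.1", b, "192.0.2.11"),
        "reply, multicast sender IP":
            build(a, b, ARP_REPLY, a, "224.0.0.5", b, "192.0.2.11"),
        "request, broadcast target IP":
            build(a, bc, ARP_REQUEST, a, "192.0.2.10", unset, "255.255.255.255"),
        "reply, broadcast target IP":
            build(a, b, ARP_REPLY, a, "192.0.2.10", b, "255.255.255.255"),
        "request, sender IP 0.0.0.0":
            build(a, bc, ARP_REQUEST, a, "0.0.0.0", unset, "192.0.2.10"),
    }
    return {name: failed_checks(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, failed in run_samples().items():
        print(f"{name}: {'pass' if not failed else 'drop (' + ', '.join(failed) + ')'}")
```
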
3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required.
4. Click Apply.
FIGURE 212 Configuring Global Settings for ARP Inspection
Configuring VLAN Settings for ARP Inspection
Use the Security > ARP Inspection (Configure VLAN) page to enable ARP inspection for any VLAN and to specify the ARP ACL to use.
• ARP ACL – Allows selection of any configured ARP ACLs. (Default: None)
• Static – When an ARP ACL is selected, and static mode is also selected, the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database. When an ARP ACL is selected, but static mode is not selected, the switch first performs ARP Inspection and then validation against the DHCP Snooping Bindings database.
• Packet Rate Limit – Sets the maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports. (Range: 0-2048; Default: 15) Setting the rate limit to “0” means that there is no restriction on the number of ARP packets that can be processed by the CPU. The switch will drop all ARP packets received on a port which exceeds the configured ARP-packets-per-second rate limit.
Interface
To configure interface settings for ARP Inspection:
1.
TABLE 167 ARP Inspection Statistics (Continued)
Parameter | Description
ARP packets dropped by additional validation (IP) | Count of ARP packets that failed the IP address test.
ARP packets dropped by additional validation (Dst-MAC) | Count of packets that failed the destination MAC address test.
Total ARP packets processed by ARP inspection | Count of all ARP packets processed by the ARP Inspection engine.
Parameters
These parameters are displayed:
TABLE 168 ARP Inspection Log
Parameter | Description
VLAN ID | The VLAN where this packet was seen.
Port | The port where this packet was seen.
Src. IP Address | The source IP address in the packet.
Dst. IP Address | The destination IP address in the packet.
Src. MAC Address | The source MAC address in the packet.
Dst. MAC Address | The destination MAC address in the packet.
Filtering IP Addresses for Management Access
• IP addresses can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
• When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
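A planning check for the two rules above (at most five entries per group, no overlapping ranges inside one group), as an added Python example that is not part of the guide. The `start-end` string notation, the function names and the sample plan are this example's own assumptions; the switch itself takes the addresses through its management pages.

```python
import ipaddress

GROUPS = ("snmp", "web", "telnet")
MAX_ENTRIES = 5  # "up to five different sets of addresses" per group


def to_range(entry: str):
    """Accept 'a.b.c.d' or 'start-end' and return (start, end), inclusive."""
    start_s, sep, end_s = entry.partition("-")
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip()) if sep else start
    if end < start:
        raise ValueError(f"range end precedes start: {entry}")
    return start, end


def check_plan(plan: dict) -> list:
    """Return a list of problems; an empty list means the plan fits both rules."""
    problems = []
    for group, entries in plan.items():
        if group not in GROUPS:
            problems.append(f"{group}: unknown group")
            continue
        if len(entries) > MAX_ENTRIES:
            problems.append(f"{group}: {len(entries)} entries, limit is {MAX_ENTRIES}")
        ranges = []
        for entry in entries:
            try:
                ranges.append(to_range(entry) + (entry,))
            except ValueError as exc:
                problems.append(f"{group}: {exc}")
        # Sort by start address and carry the range that reaches furthest, so an
        # entry nested inside an earlier wide range is caught even when the two
        # are not neighbours in the sorted order.
        ranges.sort()
        widest = None
        for start, end, entry in ranges:
            if widest is not None and start <= widest[1]:
                problems.append(f"{group}: {entry} overlaps {widest[2]}")
            if widest is None or end > widest[1]:
                widest = (start, end, entry)
    return problems


# Constructed plan using documentation address ranges.
PLAN = {
    "snmp": ["192.0.2.10", "192.0.2.20-192.0.2.29"],
    "web": ["198.51.100.1-198.51.100.100",
            "198.51.100.20-198.51.100.30",
            "198.51.100.90-198.51.100.120"],
    # Same addresses as other groups: accepted, the rule is per group.
    "telnet": ["192.0.2.10", "198.51.100.1-198.51.100.100"],
}

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```
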
FIGURE 218 Showing IP Addresses Authorized for Management Access
Configuring Port Security
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
• A secure port has the following restrictions:
  • It cannot be used as a member of a static or dynamic trunk.
  • It should not be connected to a network interconnection device.
Parameters
These parameters are displayed:
• Port – Port identifier.
• Security Status – Enables or disables port security on an interface. (Default: Disabled)
• Port Status – The operational status:
  • Secure/Down – Port security is disabled.
  • Secure/Up – Port security is enabled.
FIGURE 219 Configuring Port Security
Configuring 802.1X Port Authentication
The IEEE 802.1X (dot1X) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication.
FIGURE 220 Configuring Port Security
(Figure labels: 802.1x client; RADIUS server)
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
6. Client responds with proper credentials.
7. Authentication server approves access.
8. Switch grants client access to this port.
The operation of 802.
When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, EAPOL Pass Through can be enabled to allow the switch to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network.
Configuring Port Authenticator Settings for 802.1X
Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e.
• Multi-Host – Allows multiple hosts to connect to this port. In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
• MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated.
Supplicant List
• Supplicant – MAC address of authorized client.
Authenticator PAE State Machine
• State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
• Reauth Count – Number of times connecting state is re-entered.
• Current Identifier – Identifier sent in each EAP Success, Failure or Request packet by the Authentication Server.
FIGURE 222 Configuring Interface Settings for 802.1X Port Authenticator
Configuring Port Supplicant Settings for 802.1X
Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device. When 802.1X is enabled and the control mode is set to Force-Authorized (see “Configuring Port Authenticator Settings for 802.
Parameters
These parameters are displayed:
• Port – Port number.
• PAE Supplicant – Enables PAE supplicant mode. (Default: Disabled) If the attached client must be authenticated through another device in the network, supplicant status must be enabled. Supplicant status can only be enabled if PAE Control Mode is set to “Force-Authorized” on this port (see “Configuring Port Authenticator Settings for 802.1X” on page 890).
FIGURE 223 Configuring Interface Settings for 802.1X Port Supplicant
Displaying 802.1X Statistics
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
CLI References
• “show dot1x” on page 186
Parameters
These parameters are displayed: TABLE 169 802.
TABLE 169 802.1X Statistics (Continued)
Parameter | Description
Rx EAP Resp/Oth | The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
Rx EAP LenError | The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid.
Tx EAP Req/Id | The number of EAP Req/Id frames that have been transmitted by this Authenticator.
Interface
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Authenticator.
FIGURE 224 Showing Statistics for 802.1X Port Authenticator
To display port supplicant statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Supplicant.
FIGURE 225 Showing Statistics for 802.1X Port Supplicant
IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 903). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.
• When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see “DHCP Snooping” on page 903), or static addresses configured in the source guard binding table.
• If IP source guard is enabled, an inbound packet’s IP address (SIP option) or both its IP address and corresponding MAC address (SIP-MAC option) will be checked against the binding table. If no matching entry is found, the packet will be dropped.
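The binding-table check described above can be modelled as follows. This is an added example, not code from the switch or from Brocade; the per-port and per-VLAN lookup, the learned_at field, the port names and all addresses are assumptions or constructed sample values. It shows that the SIP option accepts a packet with a bound IP address and an unknown MAC address, while the SIP-MAC option drops it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the binding table, using the fields the page lists."""
    mac: str             # client MAC address
    ip: str              # client IP address
    lease: int           # lease time in seconds; 0 marks a static (infinite) entry
    kind: str            # "Static" or "Dynamic"
    vlan: int
    port: str
    learned_at: int = 0  # assumed bookkeeping field: when a dynamic entry was added

    def live(self, now: int) -> bool:
        """Static entries never expire; dynamic ones expire with the lease."""
        return self.lease == 0 or now < self.learned_at + self.lease


def _mac(value: str) -> str:
    """Normalise MAC notation so 00-00-5E-.. and 00:00:5e:.. compare equal."""
    return value.replace("-", ":").lower()


def check_packet(table, mode, port, vlan, src_ip, src_mac, now=0):
    """Return "forward" or "drop" for one inbound packet on a guarded port."""
    if mode not in ("SIP", "SIP-MAC"):
        raise ValueError("mode must be 'SIP' or 'SIP-MAC'")
    for entry in table:
        # Assumption: entries are matched on the ingress port and VLAN.
        if entry.port != port or entry.vlan != vlan or not entry.live(now):
            continue
        if entry.ip != src_ip:
            continue
        if mode == "SIP-MAC" and _mac(entry.mac) != _mac(src_mac):
            continue
        return "forward"
    return "drop"  # no matching entry: the packet is dropped


# Constructed sample table: one static and one dynamic (DHCP-learned) entry.
TABLE = [
    Binding("00-00-5e-00-53-01", "192.0.2.10", 0, "Static", 1, "1/5"),
    Binding("00-00-5e-00-53-02", "192.0.2.20", 3600, "Dynamic", 1, "1/6",
            learned_at=1000),
]

# Constructed packets: (label, port, vlan, source IP, source MAC, time)
PACKETS = [
    ("legitimate static host", "1/5", 1, "192.0.2.10", "00:00:5e:00:53:01", 2000),
    ("neighbor IP on another port", "1/6", 1, "192.0.2.10", "00:00:5e:00:53:02", 2000),
    ("bound IP, unknown MAC", "1/5", 1, "192.0.2.10", "00:00:5e:00:53:99", 2000),
    ("dynamic host within lease", "1/6", 1, "192.0.2.20", "00:00:5e:00:53:02", 2000),
    ("dynamic host after lease expiry", "1/6", 1, "192.0.2.20", "00:00:5e:00:53:02", 5000),
]


def evaluate(mode):
    """Run every sample packet through the filter and collect the verdicts."""
    return {label: check_packet(TABLE, mode, port, vlan, ip, mac, now)
            for label, port, vlan, ip, mac, now in PACKETS}


if __name__ == "__main__":
    for mode in ("SIP", "SIP-MAC"):
        print(mode, evaluate(mode))
```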
FIGURE 226 Setting the Filter Type for IP Source Guard
Configuring Static Bindings for IP Source Guard
Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
• MAC Address – A valid unicast MAC address.
• IP Address – A valid unicast IP address, including classful types A, B or C.
Show
• VLAN – VLAN to which this entry is bound.
• MAC Address – Physical address associated with the entry.
• Interface – The port to which this entry is bound.
• IP Address – IP address corresponding to the client.
• Lease Time – The time for which this IP address is leased to the client. (This value is zero for all static addresses.
Displaying Information for Dynamic IP Source Guard Bindings
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
CLI References
• “show ip dhcp snooping binding” on page 224
Parameters
These parameters are displayed:
Query by
• Port – A port on this switch.
• VLAN – ID of a configured VLAN (Range: 1-4093)
• MAC Address – A valid unicast MAC address.
DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
• If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
• Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
• DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification. If the source MAC address in the Ethernet header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. (Default: Enabled)
• DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay.
DHCP Snooping VLAN Configuration
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
CLI References
• “ip dhcp snooping vlan” on page 220
Command Usage
• When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
Configuring Ports for DHCP Snooping
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
CLI References
• “ip dhcp snooping trust” on page 222
Command Usage
• A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
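The MAC-address verification and the trusted/untrusted port distinction described above can be exercised against real frame bytes. The following is an added example, not code from the switch or from Brocade. It assumes the usual DHCP snooping rule that server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped; the function names and the sample frames are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends


def build_frame(src_mac: bytes, chaddr: bytes, msg_type: int, from_server=False) -> bytes:
    """Build a minimal Ethernet/IPv4/UDP/DHCP frame (constructed sample input)."""
    sport, dport = (67, 68) if from_server else (68, 67)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2 if from_server else 1, 1, 6, 0, 0x1234ABCD, 0, 0,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, b"", b"")
    dhcp = bootp + MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def parse_dhcp(frame: bytes):
    """Return source MAC, chaddr and message type, or None if not DHCP over IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    if frame[14] >> 4 != 4 or frame[23] != 17:   # IPv4 carrying UDP only
        return None
    udp = 14 + (frame[14] & 0x0F) * 4            # honour the IP header length
    if len(frame) < udp + 8 + 240:
        return None
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if 67 not in (sport, dport):
        return None
    bootp = frame[udp + 8:]
    if bootp[236:240] != MAGIC:
        return None
    chaddr = bootp[28:28 + min(bootp[2], 16)]    # hlen bytes of the client hardware address
    msg_type, pos = None, 240
    while pos < len(bootp) and bootp[pos] != 255:    # walk options until End (255)
        if bootp[pos] == 0:                          # Pad option has no length byte
            pos += 1
            continue
        if pos + 1 >= len(bootp):
            break
        length = bootp[pos + 1]
        value = bootp[pos + 2:pos + 2 + length]
        if bootp[pos] == 53 and len(value) == 1:     # DHCP Message Type
            msg_type = value[0]
        pos += 2 + length
    return {"src_mac": frame[6:12], "chaddr": chaddr, "msg_type": msg_type}


def snoop(frame: bytes, port_trusted: bool, snooping_on_vlan=True, verify_mac=True):
    """Return (verdict, reason) for one frame received on a port."""
    pkt = parse_dhcp(frame)
    if pkt is None:
        return ("forward", "not DHCP")
    if not snooping_on_vlan or port_trusted:
        return ("forward", "trusted port or snooping not enabled on VLAN")
    if pkt["msg_type"] in SERVER_TYPES:          # assumed rule, see lead-in
        return ("drop", "server message on untrusted port")
    if verify_mac and pkt["src_mac"] != pkt["chaddr"]:
        return ("drop", "source MAC differs from client hardware address")
    return ("forward", "client message passed checks")


CLIENT = bytes.fromhex("00005e005302")   # constructed documentation-range MACs
OTHER = bytes.fromhex("00005e005399")

if __name__ == "__main__":
    print(snoop(build_frame(CLIENT, CLIENT, 1), port_trusted=False))
    print(snoop(build_frame(OTHER, CLIENT, 1), port_trusted=False))
    print(snoop(build_frame(OTHER, OTHER, 2, from_server=True), port_trusted=False))
```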
Displaying DHCP Snooping Binding Information
Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
CLI References
• “show ip dhcp snooping binding” on page 224
Parameters
These parameters are displayed:
• MAC Address – Physical address associated with the entry.
• IP Address – IP address corresponding to the client.
• Lease Time – The time for which this IP address is leased to the client.
FIGURE 233 Displaying the Binding Table for DHCP Snooping
Brocade 6910 Ethernet Access Switch Configuration Guide 53-1002581-01
Chapter 42 Basic Administration Protocols
In this chapter
This chapter describes basic administration tasks including:
• Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
Configuring Event Logging
CLI References
• “Event Logging” on page 84
Parameters
These parameters are displayed:
• System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)
• Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash.
FIGURE 234 Configuring Settings for System Memory Logs
To show the error messages logged to system or flash memory:
1. Click Administration, Log, System.
2. Select Show System Logs from the Step list.
3. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory.
This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.
Remote Log Configuration
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
CLI References
• “Event Logging” on page 84
Parameters
These parameters are displayed:
• Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process.
FIGURE 236 Configuring Settings for Remote Logging of Error Messages
Sending Simple Mail Transfer Protocol Alerts
Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
3. Click Apply.
FIGURE 237 Configuring SMTP Alert Messages
Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
• Hold Time Multiplier – Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below. (Range: 2-10; Default: 4) The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
FIGURE 238 Configuring LLDP Timing Attributes
Configuring LLDP Interface Attributes
Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
The management address TLV may also include information about the specific interface associated with this address, and an object identifier indicating the type of hardware component or protocol entity associated with this address. The interface number and OID are included to assist SNMP applications in the performance of network discovery by indicating enterprise specific or other starting points for the search, such as the Interface or Entity MIB.
Interface
To configure LLDP interface attributes:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
4. Click Apply.
TABLE 171 Chassis ID Subtype (Continued)
ID Basis | Reference
Port component | EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 2737)
MAC address | MAC address (IEEE Std 802-2001)
Network address | networkAddress
Interface name | ifName (IETF RFC 2863)
Locally assigned | locally assigned
• Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
Interface
To display LLDP information for the local device:
1. Click Administration, LLDP.
2. Select Show Local Device Information from the Step list.
3. Select General, Port, or Trunk.
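To check what a port actually advertises, the TLV encoding mentioned in the LLDP overview and the Chassis ID subtypes listed in Table 171 can be decoded directly from a captured LLDPDU. The following is an added example, not code from the switch or from Brocade; the TLV type and subtype numbers are those of IEEE 802.1AB, and the sample LLDPDU, names and addresses are constructed.

```python
import struct

# Chassis ID subtype numbers from IEEE 802.1AB, named as in the Chassis ID Subtype table.
CHASSIS_SUBTYPES = {1: "Chassis component", 2: "Interface alias", 3: "Port component",
                    4: "MAC address", 5: "Network address", 6: "Interface name",
                    7: "Locally assigned"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: a 7-bit type and 9-bit length, followed by the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu: bytes):
    """Yield (type, value) pairs, rejecting lengths that overrun the buffer."""
    pos = 0
    while pos + 2 <= len(pdu):
        (header,) = struct.unpack_from("!H", pdu, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(pdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        yield tlv_type, pdu[pos:pos + length]
        pos += length
        if tlv_type == 0:            # End of LLDPDU
            return
    raise ValueError("LLDPDU has no End TLV")


def parse_lldpdu(pdu: bytes) -> dict:
    """Decode the mandatory TLVs plus the optional ones that disclose identity."""
    tlvs = list(iter_tlvs(pdu))
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must start with Chassis ID, Port ID and TTL TLVs")
    (_, chassis), (_, port), (_, ttl) = tlvs[:3]
    if len(chassis) < 2 or len(port) < 2 or len(ttl) < 2:
        raise ValueError("mandatory TLV too short")
    cid = chassis[1:]
    info = {
        "chassis_subtype": CHASSIS_SUBTYPES.get(chassis[0], "Reserved"),
        "chassis_id": cid.hex("-") if chassis[0] == 4 else cid.decode("ascii", "replace"),
        "port_id": port[1:].decode("ascii", "replace"),   # text subtypes only
        "ttl": struct.unpack("!H", ttl[:2])[0],
        "system_name": None,
        "system_description": None,
        "management_addresses": [],
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 6:
            info["system_description"] = value.decode("utf-8", "replace")
        elif tlv_type == 8 and len(value) >= 2 and len(value) >= 1 + value[0]:
            subtype, addr = value[1], value[2:1 + value[0]]
            if subtype == 1 and len(addr) == 4:           # IPv4
                info["management_addresses"].append(".".join(map(str, addr)))
            else:
                info["management_addresses"].append(addr.hex())
    return info


# Constructed sample LLDPDU (the payload that follows the Ethernet header).
SAMPLE = (
    tlv(1, b"\x04" + bytes.fromhex("00005e005301"))       # Chassis ID: MAC address
    + tlv(2, b"\x05" + b"Eth 1/1")                        # Port ID: interface name
    + tlv(3, struct.pack("!H", 120))                      # TTL in seconds
    + tlv(5, b"edge-sw1")                                 # System Name
    + tlv(6, b"Constructed system description")           # System Description
    + tlv(8, bytes([5, 1, 192, 0, 2, 1, 2]) + struct.pack("!I", 1) + b"\x00")
    + tlv(0, b"")                                         # End of LLDPDU
)

if __name__ == "__main__":
    for key, val in parse_lldpdu(SAMPLE).items():
        print(f"{key}: {val}")
```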
Parameters
These parameters are displayed:
Port
• Local Port – The local port to which a remote LLDP-capable device is attached.
• Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
• Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted.
• System Name – A string that indicates the system’s administratively assigned name.
• System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 172 on page 921.)
• Management Address List – The management addresses for this device. Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
TABLE 174 Remote Port Auto-Negotiation Advertised Capability (Continued)
Bit | Capability
14 | 1000BASE-T half duplex mode
15 | 1000BASE-T full duplex mode
• Remote Port Auto-Neg Status – Shows whether port auto-negotiation is enabled on a port associated with the remote system.
• Remote Port MAU Type – An integer value that indicates the operational MAU type of the sending device.
4. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
5. Click Query.
FIGURE 243 Displaying Remote Device Information for LLDP (Port Details)
Displaying Device Statistics
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
CLI References
• “show lldp info statistics” on page 520
Parameters
These parameters are displayed:
General Statistics on Remote Devices
• Neighbor Entries List Last Updated – The time the LLDP neighbor entry list was last updated.
FIGURE 244 Displaying LLDP Device Statistics (General)
FIGURE 245 Displaying LLDP Device Statistics (Port)
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is typically used to configure devices and to monitor them to evaluate performance or detect potential problems. Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent.
Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined: SNMPv1, SNMPv2c, and SNMPv3.
Command Usage
Configuring SNMPv1/2c Management Access
To configure SNMPv1 or v2c management access to the switch, follow these steps:
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure User - Add Community) page to configure the community strings authorized for management access.
3.
Interface
To configure global settings for SNMP:
1. Click Administration, SNMP.
2. Select Configure Global from the Step list.
3. Enable SNMP and the required trap types.
4. Click Apply.
FIGURE 246 Configuring Global Settings for SNMP
Setting the Local Engine ID
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch.
Interface
To configure the local SNMP engine ID:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Set Engine ID from the Action list.
4. Enter an ID of at least 9 hexadecimal characters.
5. Click Apply.
FIGURE 247 Configuring the Local Engine ID for SNMP
Specifying a Remote Engine ID
Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station.
Interface
To configure a remote SNMP engine ID:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Add Remote Engine from the Action list.
4. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
5. Click Apply.
FIGURE 248 Configuring a Remote Engine ID for SNMP
To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3.
Parameters
These parameters are displayed:
Add View
• View Name – The name of the SNMP view. (Range: 1-32 characters)
• OID Subtree – Specifies the initial object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. Use the Add OID Subtree page to configure additional object identifiers.
• Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
FIGURE 251 Showing SNMP Views
To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
5.
FIGURE 253 Showing the OID Subtree Configured for SNMP Views
Configuring SNMPv3 Groups
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply.
FIGURE 254 Creating an SNMP Group
To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
Parameters
These parameters are displayed:
• Community String – A community string that acts like a password and permits access to the SNMP protocol.
Range: 1-32 characters, case sensitive
Default strings: “public” (Read-Only), “private” (Read/Write)
• Access Mode – Specifies the access rights for the community string:
• Read-Only – Authorized management stations are only able to retrieve MIB objects.
FIGURE 257 Showing Community Access Strings
Configuring Local SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group.
Interface
To configure a local SNMPv3 user:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add SNMPv3 Local User from the Action list.
4. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified. If the security level is authPriv, a privacy password must also be specified.
5.
FIGURE 259 Showing Local SNMPv3 Users
Configuring Remote SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
• AES192 - Uses SNMPv3 with privacy with AES192 encryption.
• AES256 - Uses SNMPv3 with privacy with AES256 encryption.
• DES56 - Uses SNMPv3 with privacy with DES56 encryption.
• Privacy Password – A minimum of eight plain text characters is required.
Interface
To configure a remote SNMPv3 user:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add SNMPv3 Remote User from the Action list.
4. Enter a name and assign it to a group.
FIGURE 261 Showing Remote SNMPv3 Users
Specifying Trap Managers
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
5. Enable trap informs as described in the following pages.
Parameters
These parameters are displayed:
SNMP Version 1
• IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
• Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (Default: v1)
• Community String – Specifies a valid community string for the new trap manager entry.
• Local User Name – The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch. (Range: 1-32 characters) If an account for the specified user has not been created (page 940), one will be automatically generated.
• Remote User Name – The name of a remote user which is used to identify the source of SNMPv3 inform messages sent from the local switch.
FIGURE 263 Configuring Trap Managers (SNMPv2c)
FIGURE 264 Configuring Trap Managers (SNMPv3)
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
FIGURE 265 Showing Trap Managers
Creating SNMP Notification Logs
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
Parameters
These parameters are displayed:
• IP Address – The Internet address of a remote device. The specified target host must already have been configured using the Administration > SNMP (Configure Trap – Add) page.
NOTE
The notification log is stored locally. It is not sent to a remote device. This remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB.
• Filter Profile Name – Notification log profile name.
Showing SNMP Statistics
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
CLI References
• “show snmp” on page 111
Parameters
The following counters are displayed:
• SNMP packets input – The total number of messages delivered to the SNMP entity from the transport service.
• Trap PDUs – The total number of SNMP Trap PDUs which have been accepted and processed by, or generated by, the SNMP protocol entity.
Interface
To show SNMP statistics:
1. Click Administration, SNMP.
2. Select Show Statistics from the Step list.
FIGURE 268 Showing SNMP Statistics
Remote Monitoring
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
Configuring RMON Alarms
Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval). Alarms can be set to respond to rising or falling thresholds.
• Owner – Name of the person who created this entry. (Range: 1-127 characters)
Interface
To configure an RMON alarm:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Alarm.
5. Enter an index number, the MIB object to be polled (etherStatsEntry.n.n), the polling interval, the sample type, the thresholds, and the event to trigger.
6.
FIGURE 270 Showing Configured RMON Alarms
Configuring RMON Events
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
• Community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts. Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see “Setting Community Access Strings” on page 938) prior to configuring it here. (Range: 1-127 characters)
• Description – A comment that describes this event. (Range: 1-127 characters)
• Owner – Name of the person who created this entry.
FIGURE 272 Showing Configured RMON Events
Configuring RMON History Samples
Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.
• Buckets - The number of buckets requested for this entry. (Range: 1-65536; Default: 50) The number of buckets granted is displayed on the Show page.
• Owner - Name of the person who created this entry. (Range: 1-127 characters)
Interface
To periodically sample statistics on a port:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Add from the Action list.
4. Click History.
5. Select a port from the list as the data source.
6.
FIGURE 274 Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click History.
• The information collected for each entry includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, CRC alignment errors, jabbers, fragments, collisions, drop events, and frames of various sizes.
Parameters
These parameters are displayed:
• Port – The port number on the switch.
• Index - Index to this entry. (Range: 1-65535)
• Owner - Name of the person who created this entry.
FIGURE 277 Showing Configured RMON Statistical Samples
To show collected RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click Statistics.
Ethernet Ring Protection Switching
NOTE
Information in this section is based on ITU-T G.8032/Y.1344.
The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links. The mechanisms and protocol defined in G.
FIGURE 279 ERPS Ring Components (diagram labels: West Port, East Port, RPL (Idle State), RPL Owner, CC Messages)
Configuration Guidelines for ERPS
1. Create an ERPS ring (Configure Domain – Add): The ring name is used as an index in the G.8032 database.
2. Configure the east and west interfaces (Configure Domain – Configure Details): Each node on the ring connects to it through two ring ports.
Configuration Limitations for ERPS
The following configuration limitations apply to ERPS:
• One switch supports up to six ERPS rings – each ring must have one Control VLAN, and at most 255 Data VLANs.
• Ring ports cannot be a member of a dynamic trunk.
• Dynamic VLANs are not supported as protected data ports.
• Exclusive use of STP or ERPS on any port.
ERPS Ring Configuration
Use the Administration > ERPS (Configure Domain) pages to configure ERPS rings.
CLI References
• “ERPS Commands” on page 359
Command Usage
• An ERPS ring containing one Control VLAN and one or more protected Data VLANs must be configured, and the global ERPS function enabled on the switch (see “ERPS Global Configuration” on page 963) before a ring can start running.
• MEG Level – The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7) This parameter is used to ensure that received R-APS PDUs are directed for this ring. A unique level should be configured for each local ring if there are many R-APS PDUs passing through this switch.
• Node ID – A MAC address unique to the ring node.
• WTR Timer – The wait-to-restore timer is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
• West/East Port MEP – Specifies the CFM MEPs used to monitor the link on a ring node. (Range: 1-8191) To ensure complete monitoring of a ring node, specify the CFM MEPs used to monitor both the east and west ports of the ring node.
To configure the ERPS parameters for a ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Configure Details from the Action list.
4. Configure the ERPS parameters for this node. Note that spanning tree protocol cannot be configured on the ring ports, nor can these ports be members of a static or dynamic trunk. The control VLAN must also be unique for each ring. Adjust the protocol timers as required.
FIGURE 283 Creating an ERPS Ring (Secondary Ring)
To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
Connectivity Fault Management
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
The following figure shows a single Maintenance Domain, with DSAPs located on the domain boundary, and Internal Service Access Points (ISAPs) inside the domain through which frames may pass between the DSAPs.
FIGURE 285 Single CFM Maintenance Domain (diagram labels: Maintenance Domain, Bridge, DSAP, ISAP)
The figure below shows four maintenance associations contained within a hierarchical structure of maintenance domains.
Basic CFM Operations
CFM uses standard Ethernet frames for sending protocol messages. Both the source and destination address for these messages are based on unicast or multicast MAC addresses, and therefore confined to a single Layer 2 CFM service VLAN. For this reason, the transmission, forwarding, and processing of CFM frames is performed by bridges, not routers. Bridges that do not recognize CFM messages forward them as normal data.
7. Enable continuity check and cross-check operations, and configure AIS parameters using the Configure MA – Configure Details screen (see "Configuring CFM Maintenance Associations").
Link Trace Cache Settings
• Link Trace Cache – Enables caching of CFM data learned through link trace messages. (Default: Enabled) A linktrace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a linktrace reply, up to the point at which the linktrace message reaches its destination or can no longer be forwarded.
Cross-check Errors
• Cross Check MA Up – Sends a trap when all remote MEPs in an MA come up. An MA Up trap is sent if cross-checking is enabled, and a CCM is received from all remote MEPs configured in the static list for this maintenance association.
• Cross Check MEP Missing – Sends a trap if the cross-check timer expires and no CCMs have been received from a remote MEP configured in the static list.
FIGURE 287 Configuring Global Settings for CFM
Configuring Interfaces for CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
CLI References
• “ethernet cfm port-enable” on page 533
Command Usage
• An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
5. Click Apply.
FIGURE 288 Configuring Interfaces for CFM
Configuring CFM Maintenance Domains
Use the Administration > CFM (Configure MD) pages to create and configure a Maintenance Domain (MD) which defines a portion of the network for which connectivity faults can be managed. Domain access points are set up on the boundary of a domain to provide end-to-end connectivity fault detection, analysis, and recovery.
The diagnostic functions provided by CFM can be used to detect connectivity failures between any pair of MEPs in an MA. Using MIPs allows these failures to be isolated to smaller segments of the network. Allowing the CFM to generate MIPs exposes more of the network structure to users at higher domain levels, but can speed up the process of fault detection and recovery. This trade-off should be carefully considered when designing a CFM maintenance structure.
Parameters
These parameters are displayed:
Creating a Maintenance Domain
• MD Index – Domain index. (Range: 1-65535)
• MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters)
• MD Level – Authorized maintenance level for this domain.
FIGURE 289 Configuring Maintenance Domains
To show the configured maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Show from the Action list.
FIGURE 290 Showing Maintenance Domains
To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from the MD Index.
5.
FIGURE 291 Configuring Detailed Settings for Maintenance Domains
Configuring CFM Maintenance Associations
Use the Administration > CFM (Configure MA) pages to create and configure the Maintenance Associations (MA) which define a unique CFM service instance. Each MA can be identified by its parent MD, the MD’s maintenance level, the VLAN assigned to the MA, and the set of maintenance end points (MEPs) assigned to it.
• If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
• The interval at which CCMs are issued should be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
Before starting the cross-check process, first configure the remote MEPs that exist on other devices inside the maintenance association using the Remote MEP List (see "Configuring Remote Maintenance End Points"). These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
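The cross-check rules described above (the MA Up and MEP Missing traps, and the CCM error condition for an invalid MEPID or a lower MA level), modelled as an added Python example; it is not code from this guide or from the switch. The class and function names, the 0-7 level range (taken from IEEE 802.1ag) and the handling of higher-level and unlisted CCMs are assumptions, and the sample CCMs are constructed.

```python
from dataclasses import dataclass

MEPID_MIN, MEPID_MAX = 1, 8191   # MEP ID range stated in this guide
LEVEL_MIN, LEVEL_MAX = 0, 7      # assumption: IEEE 802.1ag maintenance levels


@dataclass(frozen=True)
class Ccm:
    """One received continuity check message (a model, not a frame parser)."""
    mepid: int
    level: int
    rx_time: float  # seconds after the cross-check started


@dataclass(frozen=True)
class MaConfig:
    """Local view of one maintenance association (hypothetical structure)."""
    level: int              # maintenance level of the local MA
    remote_meps: frozenset  # static Remote MEP List for this MA


def classify_ccm(ma, ccm):
    """Return 'error', 'ignored' or 'ok' for a single CCM."""
    if not MEPID_MIN <= ccm.mepid <= MEPID_MAX:
        return "error"    # invalid MEPID
    if not LEVEL_MIN <= ccm.level <= LEVEL_MAX:
        return "error"    # invalid MA level
    if ccm.level < ma.level:
        return "error"    # lower level: configuration or cross-connect error
    if ccm.level > ma.level:
        return "ignored"  # assumption: belongs to a higher-level domain
    return "ok"


def cross_check(ma, ccms, timer_s):
    """Evaluate the static remote MEP list when the cross-check timer expires."""
    seen, errors, unlisted = set(), [], set()
    for ccm in ccms:
        if ccm.rx_time > timer_s:
            continue  # arrived after the timer expired
        verdict = classify_ccm(ma, ccm)
        if verdict == "error":
            errors.append(ccm)
        elif verdict == "ok":
            if ccm.mepid in ma.remote_meps:
                seen.add(ccm.mepid)
            else:
                # Assumption: reported separately; not described in this section.
                unlisted.add(ccm.mepid)
    missing = sorted(ma.remote_meps - seen)
    traps = [("mep_missing", mepid) for mepid in missing]
    if ma.remote_meps and not missing:
        traps.append(("ma_up", None))  # every configured remote MEP was heard
    return {"traps": traps, "errors": errors, "unlisted": sorted(unlisted)}


# Constructed sample: MA at level 3 with three remote MEPs in the static list.
SAMPLE_MA = MaConfig(level=3, remote_meps=frozenset({101, 102, 103}))
SAMPLE_CCMS = [
    Ccm(101, 3, 1.0),
    Ccm(102, 3, 2.0),
    Ccm(103, 2, 2.5),    # lower level than the local MA
    Ccm(9000, 3, 3.0),   # MEPID outside 1-8191
    Ccm(200, 3, 4.0),    # valid, but not in the static list
    Ccm(103, 3, 40.0),   # too late for a 30-second timer
]

if __name__ == "__main__":
    result = cross_check(SAMPLE_MA, SAMPLE_CCMS, timer_s=30.0)
    for name, mepid in result["traps"]:
        print("trap:", name, mepid)
    print("CCM errors:", len(result["errors"]), "unlisted MEPs:", result["unlisted"])
```
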
4. Select an entry from the MD Index list.
FIGURE 293 Showing Maintenance Associations
To configure detailed settings for maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from MD Index and MA Index.
5. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
6.
Configuring Maintenance End Points
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
FIGURE 295 Configuring Maintenance End Points
To show the configured maintenance end points:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.
• Remote MEPs can only be configured if local domain service access points (DSAPs) have already been created (see “Configuring Maintenance End Points” on page 985) at the same maintenance level and in the same MA. DSAPs are MEPs that exist on the edge of the domain, and act as primary service access points for end-to-end cross-check, loop-back, and link-trace functions.
4. Select an entry from MD Index and MA Index.
FIGURE 298 Showing Remote Maintenance End Points
Transmitting Link Trace Messages
Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs). These messages can isolate connectivity faults by tracing the path through a network to the designated target node (i.e., a remote maintenance end point).
• MA Index – MA identifier. (Range: 1-2147483647)
• Source MEP ID – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
• Target
  • MEP ID – The identifier of a remote MEP that is the target of a link trace message. (Range: 1-8191)
  • MAC Address – MAC address of a remote MEP that is the target of a link trace message.
Command Usage
• Loopback messages can be used for fault verification and isolation after automatic detection of a fault or receipt of some other error report. Loopback messages can also be used to confirm the successful restoration or initiation of connectivity. The receiving maintenance point should respond to the loop back message with a loopback reply.
• The point from which the loopback message is transmitted (i.e.
FIGURE 300 Transmitting Loopback Messages
Transmitting Delay-Measure Requests
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.
CLI References
• “ethernet cfm delay-measure two-way” on page 559
Command Usage
• Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
• MA Index – MA identifier. (Range: 1-2147483647)
• Source MEP ID – The identifier of a source MEP that will send the delay-measure message. (Range: 1-8191)
• Target
  • MEP ID – The identifier of a remote MEP that is the target of a delay-measure message. (Range: 1-8191)
  • MAC Address – MAC address of a remote MEP that is the target of a delay-measure message.
FIGURE 301 Transmitting Delay-Measure Messages
Displaying Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.
CLI References
• “show ethernet cfm maintenance-points local” on page 537
• “show ethernet cfm maintenance-points local detail mep” on page 538
Parameters
These parameters are displayed:
• MEP ID – Maintenance end point identifier.
• MD Name – Maintenance domain name.
• MAC Address – MAC address of this MEP entry.
Interface
To show information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP from the Action list.
• AIS Status – Shows if MEPs within the specified MA are enabled to send frames with AIS information following detection of defect conditions.
• AIS Period – The interval at which AIS information is sent.
• AIS Transmit Level – The maintenance level at which AIS information will be sent for the specified MEP.
• Suppress Alarm – Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions.
Displaying Local MIPs
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under “Configuring CFM Maintenance Domains” on page 977.)
CLI References
• “show ethernet cfm maintenance-points local” on page 537
Parameters
These parameters are displayed:
• MD Name – Maintenance domain name.
Displaying Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP) page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
Displaying Details for Remote MEPs
Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.
• Crosscheck Status – Shows if crosscheck function has been enabled.
Interface
To show detailed information for remote MEPs:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Remote MEP Details from the Action list.
4. Select an entry from MD Index and MA Index.
5. Select a MEP ID.
• MA – Maintenance association name.
• IP/Alias – IP address or DNS alias of the target device’s CPU.
• Forwarded – Shows whether or not this link trace message was forwarded. A message is not forwarded if received by the target MEP.
• Ingress MAC Address – MAC address of the ingress port on the target device.
• Egress MAC Address – MAC address of the egress port on the target device.
FIGURE 307 Showing the Link Trace Cache
Displaying Fault Notification Settings
Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator.
CLI References
• “show ethernet cfm fault-notify-generator” on page 559
Parameters
These parameters are displayed:
• MEP ID – Maintenance end point identifier.
• MD Name – Maintenance domain name.
Displaying Continuity Check Errors
Use the Administration > CFM > Show Information (Show Continuity Check Error) page to display the CFM continuity check errors logged on this device.
CLI References
• “show ethernet cfm errors” on page 546
• “clear ethernet cfm errors” on page 546
Parameters
These parameters are displayed:
• Level – Maintenance level associated with this entry.
• Primary VLAN – VLAN in which this error occurred.
FIGURE 309 Showing Continuity Check Errors
OAM Configuration
The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying remote device information.
TABLE 178 OAM Operation State (Continued)
State – Description
Send Local And Remote OK – OAM peering is allowed by the local device.
OAM Peering Locally Rejected – The local OAM entity rejects the peering.
OAM Peering Remotely Rejected – The remote OAM entity rejects the peering.
Operational – When the local OAM entity learns that both it and the remote OAM entity have accepted the peering, the state moves to this state.
Interface
To enable OAM functionality on the selected port:
1. Click Administration, OAM, Interface.
2. Set the OAM administrative status and operational mode for the required ports. Specify whether or not critical link events will be reported by the switch. Specify whether errored frame link events will be reported, as well as the required window size and threshold.
3. Click Apply.
Interface
To display statistics for OAM messages:
1. Click Administration, OAM, Counters.
FIGURE 311 Displaying Statistics for OAM Messages
Displaying the OAM Event Log
Use the Administration > OAM > Event Log page to display link events for the selected port.
CLI References
• “show efm oam event-log interface” on page 570
Command Usage
• When a link event occurs, no matter whether the location is local or remote, this information is entered in the OAM event log.
FIGURE 312 Displaying the OAM Event Log
Displaying the Status of Remote Interfaces
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
CLI References
• “show efm oam status remote interface” on page 572
Parameters
These parameters are displayed:
• Port – Port identifier. (Range: 1-12)
• MAC Address – MAC address of the OAM peer.
• OUI – Organizational Unit Identifier of the OAM peer.
Interface
To display information about attached OAM-enabled devices:
1. Click Administration, OAM, Remote Interface.
FIGURE 313 Displaying Status of Remote Interfaces
Configuring a Remote Loop Back Test
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
Loopback Test Parameters
• Packet Number – Number of packets to send. (Range: 1-99999999; Default: 10000)
• Packet Size – Size of packets to send. (Range: 64-1518 bytes; Default: 64 bytes)
• Test – Starts the loop back test.
• End – Stops the loop back test.
Loop Back Status of Remote Device
• Result – Shows the loop back status on the peer. The loop back states shown in this field are described below.
FIGURE 314 Running a Remote Loop Back Test
Displaying Results of Remote Loop Back Testing
Use the Administration > OAM > Remote Loop Back (Show Test Result) page to display the results of remote loop back testing for each port for which this information is available.
CLI References
• “show efm oam remote-loopback interface” on page 570
Parameters
These parameters are displayed:
• Port – Port identifier.
FIGURE 315 Displaying the Results of Remote Loop Back Testing
Chapter 43 IP Configuration
In this chapter
This chapter describes how to configure an initial IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
Setting the Switch’s IP Address (IP Version 4)
• The precedence for configuring IP interfaces is the IP > General > Routing Interface (Add) menu, and then static routes (page 1044).
Parameters
These parameters are displayed:
• VLAN – ID of the configured VLAN (1-4093). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
FIGURE 316 Configuring a Static IPv4 Address
To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch:
1. Click IP, General, Routing Interface.
2. Select Add Address from the Action list.
3. Select the VLAN through which the management station is attached, and set the IP Address Mode to “DHCP” or “BOOTP.”
4. Click Apply to save your changes.
5. Then click Restart DHCP to immediately request a new address.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI. If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface.
Setting the Switch’s IP Address (IP Version 6)
Configuring the IPv6 Default Gateway
Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch.
CLI References
• “ipv6 default-gateway” on page 600
Parameters
These parameters are displayed:
• Default Gateway – Sets the IPv6 address of the default next hop router.
  • All IPv6 addresses must be configured according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Configuring IPv6 Interface Settings
Use the IP > IPv6 Configuration (Configure Interface) page to configure general IPv6 settings for the selected VLAN, including auto-configuration of a global unicast interface address, explicit configuration of a link local interface address, the MTU size, and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval.
• MTU – Sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. (Range: 1280-65535 bytes; Default: 1500 bytes)
  • The maximum value set in this field cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes.
  • If a non-default value is configured, an MTU option is included in the router advertisements sent from this device.
• ND Reachable Time – The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. (Range: 0-3600000 milliseconds; Default: 30000 milliseconds)
• Restart DHCPv6 – When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration.
FIGURE 320 Configuring General Settings for an IPv6 Interface
Configuring an IPv6 Address
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network.
CLI References
• “IPv6 Interface” on page 599
Command Usage
• All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
• You can also manually configure the global unicast address by entering the full address and prefix length.
• You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
• If a duplicate link-local address is detected on the local segment, this interface is disabled and a warning message displayed on the console.
• Link Local – Configures an IPv6 link-local address.
  • The address prefix must be in the range of FE80~FEBF.
  • You can configure only one link-local address per interface.
  • The specified address replaces a link-local address that was automatically generated for the interface.
• IPv6 Address – IPv6 address assigned to this interface.
Interface
To configure an IPv6 address:
1. Click IP, IPv6 Configuration.
2. Select Add IPv6 Address from the Action list.
• IP Address – An IPv6 address assigned to this interface. In addition to the unicast addresses assigned to an interface, a host is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
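A pre-change check of an address plan against the rules this section states (link-local prefix in FE80~FEBF, one link-local address per interface, a prefix length on manually entered global addresses, and the MTU field range with the 1500-byte physical limit), as an added Python example that is not part of the guide. The function and variable names are assumptions and the sample plans are constructed.

```python
import ipaddress

LINK_LOCAL_NET = ipaddress.ip_network("fe80::/10")  # same span as FE80~FEBF
PHYSICAL_MTU = 1500             # guide: physical interface MTU fixed at 1500 bytes
MTU_MIN, MTU_MAX = 1280, 65535  # guide: range accepted by the MTU field


def check_ipv6_plan(entries, mtu=1500):
    """Validate the planned addresses for one VLAN interface.

    entries is a list of (kind, text) pairs, where kind is "link-local" or
    "global". Returns a list of findings; an empty list means the plan passes.
    """
    findings = []
    link_local_count = 0
    for kind, text in entries:
        try:
            iface = ipaddress.IPv6Interface(text)
        except ValueError:
            findings.append(f"{text}: not a valid IPv6 address")
            continue
        addr = iface.ip
        if kind == "link-local":
            link_local_count += 1
            if addr not in LINK_LOCAL_NET:
                findings.append(f"{text}: link-local prefix must be FE80~FEBF")
        elif kind == "global":
            if "/" not in text:
                findings.append(f"{text}: global unicast needs a prefix length")
            if (addr in LINK_LOCAL_NET or addr.is_multicast
                    or addr.is_loopback or addr.is_unspecified):
                findings.append(f"{text}: not usable as a global unicast address")
        else:
            findings.append(f"{text}: unknown address kind {kind!r}")
    if link_local_count > 1:
        findings.append("only one link-local address is allowed per interface")
    if not MTU_MIN <= mtu <= MTU_MAX:
        findings.append(f"MTU {mtu} is outside {MTU_MIN}-{MTU_MAX}")
    elif mtu > PHYSICAL_MTU:
        findings.append(f"MTU {mtu} exceeds the physical MTU of {PHYSICAL_MTU}")
    return findings


# Constructed sample plans (2001:db8::/32 is the documentation prefix).
GOOD_PLAN = [
    ("link-local", "fe80::1"),
    ("global", "2001:db8::1/64"),
    ("global", "2001:db8:1::1/64"),
]
BAD_PLAN = [
    ("link-local", "fe80::269:3ef9:fe19:6780"),
    ("link-local", "fec0::1"),                # outside FE80~FEBF, and a second link-local
    ("global", "2001:db8:2222:7272::72/96"),
    ("global", "2001:db8::5"),                # no prefix length
    ("global", "ff02::1/16"),                 # all-nodes multicast, not unicast
]

if __name__ == "__main__":
    for finding in check_ipv6_plan(BAD_PLAN, mtu=9000):
        print(finding)
```
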
Showing the IPv6 Neighbor Cache
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
CLI References
• “show ipv6 neighbors” on page 621
Parameters
These parameters are displayed:
TABLE 180 Show IPv6 Neighbors - display description
Field – Description
IPv6 Address – IPv6 address of neighbor
Age – The time since the address was verified as reachable (in seconds).
Interface
To show neighboring IPv6 devices:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Neighbors from the Action list.
FIGURE 323 Showing IPv6 Neighbors
Showing IPv6 Statistics
Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
Parameters
These parameters are displayed:
TABLE 181 Show IPv6 Statistics - display description
Field – Description
IPv6 Statistics
IPv6 Received
Total – The total number of input datagrams received by the interface, including those received in error.
Header Errors – The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
TABLE 181 Show IPv6 Statistics - display description (Continued)
Field – Description
IPv6 Transmitted
Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
TABLE 181 Show IPv6 Statistics - display description (Continued)
Field – Description
Redirect Messages – The number of Redirect messages received by the interface.
Group Membership Query Messages – The number of ICMPv6 Group Membership Query messages received by the interface.
Group Membership Response Messages – The number of ICMPv6 Group Membership Response messages received by the interface.
TABLE 181 Show IPv6 Statistics - display description (Continued)
Field – Description
UDP Statistics
Input – The total number of UDP datagrams delivered to UDP users.
No Port Errors – The total number of received UDP datagrams for which there was no application at the destination port.
Other Errors – The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
FIGURE 325 Showing IPv6 Statistics (ICMPv6)
FIGURE 326 Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
Using the Ping Function
• Probe Count – Number of packets to send. (Range: 1-16)
• Packet Size – Number of bytes in a packet. (Range: 32-512 bytes) The actual packet size will be eight bytes larger than the size specified because the switch adds header information.
Command Usage
• Use the ping command to see if another site on the network can be reached.
Using the Trace Route Function
Use the IP > General > Trace Route page to show the route packets take to a specified destination.
CLI References
• “traceroute” on page 593
Parameters
These parameters are displayed:
• Destination IP Address – IP address of the host.
Command Usage
• Use the trace route function to determine the path taken to reach a specified destination.
FIGURE 329 Tracing the Route to a Network Device
Address Resolution Protocol
The switch uses its routing tables (for static routes and directly connected subnets) to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
Also, if the switch receives a request for its own IP address, it will send back a response, and also cache the MAC of the source device's IP address.
Basic ARP Configuration
Use the IP > ARP (Configure General) page to specify the timeout for ARP cache entries, or to enable Proxy ARP for specific VLAN interfaces.
Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables.
Interface
To configure the timeout for the ARP cache or to enable Proxy ARP for a VLAN (i.e., IP subnetwork):
1. Click IP, ARP.
2. Select Configure General from the Step List.
3. Set the timeout to a suitable value for the ARP cache, or enable Proxy ARP for subnetworks that do not have routing or a default gateway.
4.
Parameters
These parameters are displayed in the web interface:
• IP Address – IP address statically mapped to a physical MAC address. (Valid IP addresses consist of four numbers, 0 to 255, separated by periods, and must match a known network interface)
• MAC Address – MAC address statically mapped to the corresponding IP address.
Displaying ARP Entries
Use the IP > ARP (Show Information) page to display dynamic entries in the ARP cache. The ARP cache contains entries for local interfaces, including subnet, host, and broadcast addresses. These entries are dynamically learned through replies to broadcast messages.
CLI References
• “show arp” on page 598
• “clear arp-cache” on page 598
Interface
To display all dynamic entries in the ARP cache:
1. Click IP, ARP.
2.
Displaying ARP Statistics
Use the IP > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this router.
CLI References
• “show ip traffic” on page 592
Parameters
These parameters are displayed:
TABLE 184 ARP Statistics
Parameter – Description
Received Request – Number of ARP Request packets received by the router.
Received Reply – Number of ARP Reply packets received by the router.
Chapter 44 General IP Routing
In this chapter
This chapter provides information on network functions including:
• Static Routes – Configures static routes to other network segments.
• Routing Table – Displays routing entries learned through dynamic routing and statically configured entries.
Overview
This switch supports IP routing via static routing definitions.
FIGURE 337 Virtual Interfaces and Layer 3 Routing (figure labels: Inter-subnet traffic (Layer 3 switching); VLAN 1, VLAN 2; Intra-subnet traffic (Layer 2 switching))
IP Routing and Switching
IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
Configuring IP Routing Interfaces
If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
Configuring Static Routes
Once IP interfaces have been configured, the switch functions as a multilayer routing switch, operating at either Layer 2 or 3 as required. All IP packets are routed directly between local interfaces, or indirectly to remote interfaces using static routing. All other packets for non-IP protocols (for example, NetBEUI, NetWare or AppleTalk) are switched based on MAC addresses.
FIGURE 338 Configuring Static Routes
To display static routes:
1. Click IP, Routing, Static Routes.
2. Select Show from the Action List.
FIGURE 339 Displaying Static Routes
Displaying the Routing Table
Use the IP > Routing > Routing Table page to display all routes that can be accessed via local network interfaces, or through static routes.
• The Routing Table (and show ip route command) only displays routes which are currently accessible for forwarding. The router must be able to directly reach the next hop, so the VLAN interface associated with a static route entry must be up. Note that routes currently not accessible for forwarding may still be displayed by using the show ip route database command.
Parameters
These parameters are displayed in the web interface:
• VLAN – VLAN identifier (i.e.
Chapter 45 IP Services
In this chapter
This chapter describes how to configure Domain Name Service (DNS) and DHCP Relay Service. For information on DHCP snooping which is included in this folder, see “DHCP Snooping” on page 903.
This chapter provides information on the following IP services, including:
• DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
Domain Name Service
• Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters)
Interface
To configure general settings for DNS:
1. Click IP Service, DNS.
2. Select Configure Global from the Action list.
3. Enable domain lookup, and set the default domain name.
4. Click Apply.
Interface
To create a list of domain names:
1. Click IP Service, DNS.
2. Select Add Domain Name from the Action list.
3. Enter one domain name at a time.
4. Click Apply.
FIGURE 342 Configuring a List of Domain Names for DNS
To show the list of domain names:
1. Click IP Service, DNS.
2. Select Show Domain Names from the Action list.
• If all name servers are deleted, DNS will automatically be disabled. This is done by disabling the domain lookup status.
Parameters
These parameters are displayed:
• Name Server IP Address – Specifies the IPv4 or IPv6 address of a domain name server to use for name-to-address resolution. Up to six IP addresses can be added to the name server list.
Interface
To create a list of name servers:
1. Click IP Service, DNS.
2. Select Add Name Server from the Action list.
3.
Configuring Static DNS Host to Address Entries
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
CLI References
• “ip host” on page 576
• “show hosts” on page 580
Command Usage
• Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
FIGURE 347 Showing Static Entries in the DNS Table
Displaying the DNS Cache
Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
Interface
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.
FIGURE 348 Showing Entries in the DNS Cache
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up. If a subnet does not already include a BOOTP or DHCP server, you can relay DHCP client requests to a DHCP server on another subnet.
Interface
To configure a DHCP client identifier:
1. Click IP Service, DHCP, Client.
2. Mark the check box to enable this feature. Select the default setting, or the format for a vendor class identifier. If a non-default value is used, enter a text string or hexadecimal value.
3. Click Apply.
FIGURE 349 Specifying A DHCP Client Identifier
Configuring DHCP Relay Service
Use the IP Service > DHCP > Relay page to configure DHCP relay service for attached host devices.
Parameters
These parameters are displayed in the web interface:
• VLAN ID – ID of configured VLAN.
• Server IP Address – Addresses of DHCP servers to be used by the switch’s DHCP relay agent in order of preference.
• Restart DHCP Relay – Use this button to re-initialize DHCP relay service.
Interface
To configure DHCP relay service:
1. Click IP Service, DHCP, Relay.
2. Enter up to five IP addresses for any VLAN.
3. Click Apply.
Chapter 46 Multicast Filtering
In this chapter
This chapter describes how to configure the following multicast services:
• IGMP – Configures snooping and query parameters.
• Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
• Multicast VLAN Registration for IPv4 – Configures a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, preserving security and data isolation.
Layer 2 IGMP (Snooping and Query)
This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
IGMP snooping will not function unless a multicast router port is enabled on the switch. This can be accomplished in one of two ways. A static router port can be manually configured (see “Specifying Static Interfaces for a Multicast Router” on page 1063). Using this method, the router port is never timed out, and will continue to function until explicitly removed.
Command Usage
• IGMP Snooping – This switch can passively snoop on IGMP Query and Report packets transferred between IP multicast routers/switches and IP multicast host groups to identify the IP multicast group members. It simply monitors the IGMP packets passing through it, picks out the group registration information, and configures the multicast filters accordingly.
If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a time out mechanism is used to delete all of the currently learned multicast channels. When a new uplink port starts up, the switch sends unsolicited reports for all currently learned channels out the new uplink port. By default, the switch immediately enters into “multicast flooding mode” when a spanning tree topology change occurs.
• Forwarding Priority – Assigns a CoS priority to all multicast traffic. (Range: 0-6, where 6 is the highest priority) This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
• Version Exclusive – Discards any received IGMP messages which use a version different to that currently configured by the IGMP Version attribute.
FIGURE 353 Configuring General Settings for IGMP Snooping
Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
Interface
To specify a static interface attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Add Static Multicast Router from the Action list.
3. Select the VLAN which will forward all the corresponding multicast traffic, and select the port or trunk attached to the multicast router.
4. Click Apply.
3. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.
FIGURE 356 Showing Current Interfaces Attached to a Multicast Router
Assigning Interfaces to Multicast Services
Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface.
3. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an IGMP-enabled switch or multicast router), and enter the multicast IP address.
4. Click Apply.
FIGURE 357 Assigning an Interface to a Multicast Service
To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3.
FIGURE 359 Showing Current Interfaces Assigned to a Multicast Service
Setting IGMP Snooping Status per Interface
Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to “Configuring IGMP Snooping and Query Parameters” on page 1059.
• On receipt of a Solicitation message.
• Multicast Router Solicitation – Devices send Solicitation messages in order to solicit Advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link. Solicitation messages are also sent whenever a multicast forwarding interface is initialized or re-initialized.
If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified time out period. Note that this time out is set to Last Member Query Interval * Robustness Variable (fixed at 2) as defined in RFC 2236.
• Last Member Query Interval – The interval to wait for a response to a group-specific or group-and-source-specific query message. (Range: 1-31744 tenths of a second in multiples of 10; Default: 1 second) When a multicast host leaves a group, it sends an IGMP leave message.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.
FIGURE 360 Configuring IGMP Snooping on a VLAN
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.
Displaying Multicast Groups Discovered by IGMP Snooping
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
CLI References
• “show ip igmp snooping group” on page 463
Command Usage
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 1059).
Displaying IGMP Snooping Statistics
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.
CLI References
• “show ip igmp snooping statistics” on page 464
Parameters
These parameters are displayed:
• VLAN – VLAN identifier. (Range: 1-4093)
• Port – Port identifier. (Range: 1-12)
• Trunk – Trunk identifier.
Interface
To display statistics for IGMP snooping query-related messages:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Query Statistics from the Action list.
3. Select a VLAN.
FIGURE 363 Displaying IGMP Snooping Statistics – Query
To display IGMP snooping protocol-related statistics for a VLAN:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show VLAN Statistics from the Action list.
3. Select a VLAN.
FIGURE 364 Displaying IGMP Snooping Statistics – VLAN
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
FIGURE 366 Enabling IGMP Filtering and Throttling
Configuring IGMP Filter Profiles
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
FIGURE 367 Creating an IGMP Filtering Profile
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
FIGURE 368 Showing the IGMP Filtering Profiles Created
To add a range of multicast groups to an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3.
FIGURE 369 Adding Multicast Groups to an IGMP Filtering Profile
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.
Parameters
These parameters are displayed:
• Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
• Profile ID – Selects an existing profile to assign to an interface.
• Max Multicast Groups – Sets the maximum number of multicast groups an interface can join at the same time.
Multicast VLAN Registration for IPv4
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
• Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One can be enabled or disabled without affecting the behavior of the other. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and leave messages from multicast groups configured under MVR. Join and leave messages from all other multicast groups are managed by IGMP snooping.
Interface
To configure global settings for MVR:
1. Click Multicast, MVR.
2. Select Configure Global from the Step list.
3. Set the status for MVR proxy switching and the robustness value used for report and query messages.
4. Click Apply.
• Forwarding Priority – The CoS priority assigned to all multicast traffic forwarded into this domain. (Range: 0-6, where 6 is the highest priority) This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
• Upstream Source IP – The source IP address assigned to all MVR control packets sent upstream on the specified domain.
• The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
• IGMP snooping and MVR share a maximum number of 1023 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated domain.
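The two constraints above can be checked offline before a group address profile is entered on the switch. The following Python sketch is an added example, not part of the Brocade guide or its software: the profile names, the address ranges and the igmp_snooping_groups figure are constructed, and the function names are hypothetical. It rejects ranges outside 224.0.0.0 to 239.255.255.255 or inside 224.0.0.x, and reports whether the planned MVR groups plus the groups already learned by IGMP snooping would exceed the shared limit of 1023, the point at which excess streams are flooded to all ports in the domain.

```python
import ipaddress

# Limits taken from the command usage text above.
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255
RESERVED_NET = ipaddress.ip_network("224.0.0.0/24")   # reserved range 224.0.0.x
SHARED_GROUP_LIMIT = 1023                              # shared by IGMP snooping and MVR


def check_range(start, end):
    """Return (problems, span); span is (lo, hi) as integers, or None if invalid."""
    try:
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end)
    except ipaddress.AddressValueError as exc:
        return [f"not an IPv4 address ({exc})"], None
    problems = []
    if lo > hi:
        problems.append("start address is higher than end address")
    elif lo not in MULTICAST_NET or hi not in MULTICAST_NET:
        problems.append("outside 224.0.0.0-239.255.255.255")
    elif lo <= RESERVED_NET.broadcast_address:
        # lo is a multicast address at or below 224.0.0.255, so the range touches 224.0.0.x
        problems.append("overlaps the reserved range 224.0.0.x")
    return problems, (None if problems else (int(lo), int(hi)))


def count_unique(spans):
    """Count distinct addresses covered by possibly overlapping (lo, hi) spans."""
    total, cur_lo, cur_hi = 0, None, None
    for lo, hi in sorted(spans):
        if cur_hi is None or lo > cur_hi + 1:
            if cur_hi is not None:
                total += cur_hi - cur_lo + 1
            cur_lo, cur_hi = lo, hi
        else:
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += cur_hi - cur_lo + 1
    return total


def audit_profiles(profiles, igmp_snooping_groups=0):
    """Validate every range and compare the group total with the shared limit.

    profiles: {profile name: [(start, end), ...]}
    igmp_snooping_groups: groups already learned by IGMP snooping (assumed input,
    for example read from the switch's forwarding entry display).
    """
    errors, valid = [], []
    for name, ranges in profiles.items():
        for start, end in ranges:
            problems, span = check_range(start, end)
            errors.extend((name, f"{start}-{end}", p) for p in problems)
            if span:
                valid.append(span)
    mvr_groups = count_unique(valid)
    headroom = SHARED_GROUP_LIMIT - igmp_snooping_groups - mvr_groups
    return {
        "errors": errors,
        "mvr_groups": mvr_groups,
        "headroom": headroom,
        # Negative headroom: streams beyond the limit would be flooded to every
        # port in the domain instead of only to subscribed receiver ports.
        "flood_risk": headroom < 0,
    }


# Constructed sample plan (not taken from the guide).
SAMPLE_PROFILES = {
    "iptv-basic": [("239.1.1.1", "239.1.1.100")],
    "iptv-premium": [("239.1.1.90", "239.1.2.0")],   # overlaps iptv-basic
    "bad": [
        ("224.0.0.5", "224.0.0.10"),    # reserved 224.0.0.x
        ("10.0.0.1", "10.0.0.2"),       # not multicast
        ("239.2.0.9", "239.2.0.1"),     # start above end
    ],
}

if __name__ == "__main__":
    report = audit_profiles(SAMPLE_PROFILES, igmp_snooping_groups=800)
    for profile, rng, problem in report["errors"]:
        print(f"{profile}: {rng}: {problem}")
    print(f"MVR groups: {report['mvr_groups']}, headroom: {report['headroom']}, "
          f"flood risk: {report['flood_risk']}")
```

Overlapping ranges are merged before counting, so an address listed in two profiles is counted once against the limit.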
FIGURE 376 Displaying MVR Group Address Profiles
To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4. Select a domain from the scroll-down list, and enter the name of a group profile.
5. Click Apply.
FIGURE 377 Assigning an MVR Group Address Profile to a Domain
To show the MVR group address profiles assigned to a domain:
1. Click Multicast, MVR.
2.
Configuring MVR Interface Status
Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
• Receiver – A subscriber port that can receive multicast data sent through the MVR VLAN. Any port configured as a receiver port will be dynamically added to the MVR VLAN when it forwards an IGMP report or join message from an attached host requesting any of the designated multicast services supported by the MVR VLAN. Just remember that only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
Assigning Static MVR Multicast Groups to Interfaces
Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.
CLI References
• “mvr vlan group” on page 483
Command Usage
• Multicast groups can be statically assigned to a receiver port using this configuration page.
• The IP address range from 224.0.0.0 to 239.255.255.
FIGURE 380 Assigning Static MVR Groups to a Port
To show the static MVR groups assigned to an interface:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Show from the Action list.
4. Select an MVR domain.
5. Select the port or trunk for which to display this information.
• VLAN – The VLAN through which the service is received. Note that this may be different from the MVR VLAN if the group address has been statically assigned.
• Port – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.
• Up Time – Time this service has been forwarded to attached clients.
• Expire – Time before this entry expires if no membership report is received from currently active or new clients.
Query Statistics
• Querier IP Address – The IP address of the querier on this interface.
• Querier Expire Time – The time after which this querier is assumed to have expired.
• General Query Received – The number of general queries received on this interface.
• General Query Sent – The number of general queries sent from this interface.
• Specific Query Received – The number of specific queries received on this interface.
Interface
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR domain.
To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.
FIGURE 384 Displaying MVR Statistics – VLAN
To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4.
FIGURE 385 Displaying MVR Statistics – Port
Multicast VLAN Registration for IPv6
MVR6 functions in a manner similar to that described for MVR (see “Multicast VLAN Registration for IPv6” on page 1095).
Command Usage
• General Configuration Guidelines for MVR6:
1. Enable MVR6 for a domain on the switch, and select the MVR VLAN (see “Configuring MVR6 Domain Settings” on page 1097).
2.
Configuring MVR6 Global Settings
Use the Multicast > MVR6 (Configure Global) page to configure proxy switching and the robustness variable.
CLI References
• “MVR for IPv6” on page 491
Parameters
These parameters are displayed:
• Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
4. Click Apply.
FIGURE 386 Configuring Global Settings for MVR6
Configuring MVR6 Domain Settings
Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
CLI References
• “MVR for IPv6” on page 491
Parameters
These parameters are displayed:
• Domain ID – An independent multicast domain.
Interface
To configure settings for an MVR6 domain:
1. Click Multicast, MVR6.
2. Select Configure Domain from the Step list.
3. Select a domain from the scroll-down list.
4. Enable MVR6 for the selected domain, select the MVR6 VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
5. Click Apply.
Parameters
These parameters are displayed:
Configure Profile
• Profile Name – The name of a profile containing one or more MVR6 group addresses. (Range: 1-21 characters)
• Start IPv6 Address – Starting IP address for an MVR6 multicast group. This parameter must be a full IPv6 address including the network prefix and host address bits.
• End IPv6 Address – Ending IP address for an MVR6 multicast group.
FIGURE 389 Displaying MVR6 Group Address Profiles
To assign an MVR6 group address profile to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4. Select a domain from the scroll-down list, and enter the name of a group profile.
5. Click Apply.
FIGURE 390 Assigning an MVR6 Group Address Profile to a Domain
To show the MVR6 group address profiles assigned to a domain:
1. Click Multicast, MVR6.
2.
Configuring MVR6 Interface Status
Use the Multicast > MVR6 (Configure Interface) page to configure each interface that participates in the MVR6 protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
• Receiver – A subscriber port that can receive multicast data sent through the MVR6 VLAN. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see “Adding Static Members to VLANs” on page 724).
• Forwarding Status – Shows if multicast traffic is being forwarded or blocked.
• MVR6 Status – Shows the MVR6 status. MVR6 status for source ports is “Active” if MVR6 is globally enabled on the switch.
Command Usage
• Multicast groups can be statically assigned to a receiver port using this configuration page.
• All IPv6 addresses must conform to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.
4. Select an MVR6 domain.
5. Select the port or trunk for which to display this information.
FIGURE 394 Showing the Static MVR6 Groups Assigned to a Port
Displaying MVR6 Receiver Groups
Use the Multicast > MVR6 (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR6 receiver groups on each interface.
FIGURE 395 Displaying MVR6 Receiver Groups
Displaying MVR6 Statistics
Use the Multicast > MVR6 > Show Statistics pages to display MVR6 protocol-related statistics for the specified interface.
CLI References
• “show mvr6 statistics” on page 503
Parameters
These parameters are displayed:
• Domain ID – An independent multicast domain. (Range: 1-5)
• VLAN – VLAN identifier. (Range: 1-4093)
• Port – Port identifier. (Range: 1-12)
• Trunk – Trunk identifier.
• Drop – The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR6 group report received.
• Join Success – The number of times a multicast group was successfully joined.
• Group – The number of MVR6 groups active on this interface.
Output Statistics
• Report – The number of MLD membership reports sent from this interface.
To display MVR6 protocol-related statistics for a VLAN:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a VLAN.
To display MVR6 protocol-related statistics for a port:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Port.
Section IV Appendices
This section provides additional information and includes these items:
• Troubleshooting
• Software Specifications
• The GNU General Public License
• Glossary and Acronyms
Appendix A Troubleshooting
In this chapter
• Problems Accessing the Management Interface
• Using System Logs
TABLE 185 Troubleshooting Chart (Continued)
Symptom: Cannot access the on-board configuration program via a serial port connection
Action:
• Check to see if you have set the terminal emulator program to VT100 compatible, 8 data bits, 1 stop bit, no parity, and the baud rate set to 9600 bps.
• Verify that you are using the RJ-45 to DB-9 null-modem serial cable supplied with the switch.
Appendix B Software Specifications
In this chapter
• Software Features
• Management Features
• Management Information Bases
Software Features
Management Authentication
Local, RADIUS, TACACS+, Port Authentication (802.
B Management Features Strict, Weighted Round Robin (WRR), or a combination of strict and weighted queuing Layer 3/4 priority mapping: IP DSCP Quality of Service DiffServ23 supports class maps, policy maps, and service policies Multicast Filtering IGMP Snooping (Layer 2) IP Routing Multicast VLAN Registration ARP, Proxy ARP Static routes Additional Features BOOTP Client Connectivity Fault Management DHCP Client DNS Client, Proxy ERPS (Ethernet Ring Protection Switching) LLDP (Link Layer Discover Pro
Management Information Bases B IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Rapid Spanning Tree Protocol Multiple Spanning Tree Protocol IEEE 802.1p Priority tags IEEE 802.1Q VLAN IEEE 802.1v Protocol-based VLANs IEEE 802.1X Port Authentication IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet Link Aggregation Control Protocol (LACP) Full-duplex flow control (ISO/IEC 8802-3) IEEE 802.3ac VLAN tagging IEEE 802.
B Management Information Bases IGMP MIB (RFC 2933) Interface Group MIB (RFC 2233) Interfaces Evolution MIB (RFC 2863) IP Multicasting related MIBs IPV6-MIB (RFC 2065) IPV6-ICMP-MIB (RFC 2066) IPV6-TCP-MIB (RFC 2052) IPV6-UDP-MIB (RFC2054) Link Aggregation MIB (IEEE 802.3ad) MAU MIB (RFC 3636) MIB II (RFC 1213) P-Bridge MIB (RFC 2674P) Port Access Entity MIB (IEEE 802.1X) Port Access Entity Equipment MIB Power Ethernet MIB (RFC 3621) Private MIB Q-Bridge MIB (RFC 2674Q) QinQ Tunneling (IEEE 802.
Appendix C License Information
Overview
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
The GNU General Public License
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents.
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
6. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License.
11. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
Appendix D Glossary and Acronyms
ACL
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
DiffServ
Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GVRP
GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
ICMP
Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.
IEEE 802.
IGMP
Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
Link Aggregation
See Port Trunk.
LLDP
Link Layer Discovery Protocol is used to discover basic information about neighboring devices in the local broadcast domain by using periodic broadcasts to advertise information such as device identification, capabilities and configuration settings.
MD5
MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken.
Out-of-Band Management
Management of the network from a station not attached to the network.
Port Authentication
See IEEE 802.1X.
Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.
SMTP
Simple Mail Transfer Protocol is a standard host-to-host mail transport protocol that operates over TCP, port 25.
SNMP
Simple Network Management Protocol. The application protocol in the Internet suite of protocols which offers network management services.
SNTP
Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server.
UTC Universal Time Coordinate. UTC is a time scale that couples Greenwich Mean Time (based solely on the Earth’s rotation rate) with highly accurate atomic time. The UTC does not have daylight saving time.

VLAN Virtual LAN. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
Command List A auto-traffic-control apply-timer 315 aaa accounting dot1x 154 aaa accounting exec 155 aaa accounting update 156 aaa authorization exec 156 aaa group server 157 absolute 103 access-list arp 256 access-list ip 240 access-list ipv6 246 access-list mac 251 accounting dot1x 158 accounting exec 159 alias 263 arp 596 arp timeout 597 authentication enable 144 authentication login 145 authorization exec 159 auto-traffic-control 317 auto-traffic-control action 317 auto-traffic-control alarm-clear-thre
disable 43 disconnect 83 dot1q-tunnel system-tunnel-control 389 dot1x default 176 dot1x eapol-pass-through 176 dot1x identity profile 183 dot1x intrusion-action 177 dot1x max-reauth-req 178 dot1x max-req 178 dot1x max-start 184 dot1x operation-mode 179 dot1x pae supplicant 184 dot1x port-control 180 dot1x re-authenticate 183 dot1x re-authentication 180 dot1x system-auth-control 177 dot1x timeout auth-period 185 dot1x timeout held-period 185 dot1x timeout quiet-period 181 dot1x timeout re-authperiod 181 dot
ip dhcp snooping information policy 219 ip dhcp snooping trust 222 ip dhcp snooping verify mac-address 220 ip dhcp snooping vlan 220 ip domain-list 573 ip domain-lookup 574 ip domain-name 575 ip host 576 ip http port 161 ip http secure-port 162 ip http secure-server 162 ip http server 161 ip igmp filter (Global Configuration) 468 ip igmp filter (Interface Configuration) 471 ip igmp max-groups 471 ip igmp max-groups action 472 ip igmp profile 469 ip igmp snooping 448 ip igmp snooping priority 449 ip igmp sno
lldp reinit-delay 508 lldp tx-delay 509 logging facility 84 logging history 85 logging host 86 logging on 86 logging sendmail 90 logging sendmail destination-email 92 logging sendmail host 91 logging sendmail level 91 logging sendmail source-email 92 logging trap 87 login 77 M ma index name 531 ma index name-format 532 mac access-group 254 mac-authentication intrusion-action 206 mac-authentication max-mac-count 207 mac-authentication reauth-time 199 mac-address-table aging-time 327 mac-address-table st
policy-map 435 port channel load-balance 290 port monitor 301 port security 194 power-save 287 process cpu 125 prompt 39 propagate-tc 368 protocol-vlan protocol-group (Configuring Groups) 404 protocol-vlan protocol-group (Configuring Interfaces) 404 Q parity 78 qos map cos-dscp 424 qos map dscp-mutation 425 qos map phb-queue 427 qos map trust-mode 427 queue mode 420 queue weight 421 quit 42 R radius-server acct-port 146 radius-server auth-port 146 radius-server host 147 radius-server key 148 radius-server
show garp timer 377 show gvrp configuration 378 show history 42 show hosts 580 show interfaces brief 276 show interfaces counters 277 show interfaces history 278 show interfaces protocol-vlan protocol-group 406 show interfaces status 281 show interfaces subnet-vlan 408 show interfaces switchport 282 show interfaces transceiver 284 show ip access-group 245 show ip access-list 245 show ip arp inspection configuration 235 show ip arp inspection interface 235 show ip arp inspection log 236 show ip arp inspectio
show snmp 111 show snmp engine-id 119 show snmp group 119 show snmp notify-filter 124 show snmp user 121 show snmp view 122 show sntp 96 show spanning-tree 356 show spanning-tree mst configuration 358 show ssh 174 show startup-config 61 show subnet-vlan 409 show system 61 show tacacs-server 153 show tech-support 62 show time-range 105 show traffic-segmentation 403 show upgrade 74 show users 63 show version 64 show vlan 387 show vlan-translation 399 show voice vlan 416 show web-auth 214 show web-auth interfa
switchport packet-rate 270 switchport priority default 422 switchport vlan-translation 397 switchport voice vlan 414 switchport voice vlan priority 414 switchport voice vlan rule 415 switchport voice vlan security 416 T tacacs-server host 150 tacacs-server key 151 tacacs-server port 151 tacacs-server retransmit 152 tacacs-server timeout 152 test cable-diagnostics 285 timeout login response 82 time-range 102 traceroute 593 traceroute6 616 traffic-segmentation 400 traffic-segmentation session 401 traffic-seg
Index Numerics 802.1Q tunnel, 388, 730 access, 389, 736 configuration guidelines, 388, 733 configuration limitations, 388, 732 CVID to SVID map, 390, 734 description, 730 ethernet type, 392, 733 interface configuration, 389–392, 736 mode selection, 389, 736 status, configuring, 389, 733 TPID, 392, 733 uplink, 389, 736 802.
web authentication, re-authenticating ports, 213, 838 web, configuring, 212, 837 Automatic Traffic Control See ATC B BOOTP, 590, 1014 BPDU, 760 filter, 344, 770 flooding when STA disabled on VLAN, 352, 764 flooding when STA globally disabled, 340, 764 guard, 345, 770 ignoring superior BPDUs, 354, 770 selecting protocol based on message format, 355, 770 shut down port on receipt, 345, 770 bridge extension capabilities, displaying, 377, 652 broadcast storm, threshold, 270, 782 C cable diagnostics, 285, 693
D default IPv4 gateway, configuration, 591, 1044 default IPv6 gateway, configuration, 600, 1017 default priority, ingress port, 422, 789 default settings, system, 8 delay measure request, CFM, 559, 991 DHCP, 590, 1014, 1053 class identifier, 581, 1053 client, 581, 590, 1014 client identifier, 581, 1053 dynamic configuration, 17 relay service, 586, 1054 relay service, restarting, 587, 1055 DHCP snooping, 216, 903 enabling, 216, 904 global configuration, 216, 904 information option, 218, 905 information optio
configuration guidelines, 359, 962 control VLAN, 361, 966 domain configuration, 361, 964 domain, enabling, 362, 964 global configuration, 360, 963 guard timer, 363, 965 hold-off timer, 363, 965 major domain, 364, 966 MEG level, 365, 965 node identifier, 366, 965 non-compliant device protection, 367 non-ERPS device protection, 966 propagate topology change, 368, 966 ring configuration, 361, 964 ring port, east interface, 368, 965 ring port, west interface, 368, 965 ring, enabling, 362, 964 RPL owner, 369, 96
snooping, immediate leave, 456, 1068 IGMP snooping configuring, 447, 1067 enabling per interface, 448, 1067, 1068 forwarding entries, 463, 1072 immediate leave, status, 456, 1068 interface attached to multicast router, 466, 467, 1064 last leave, 1059 last member query count, 457, 1070 last member query interval, 458, 1070 proxy query address, 459, 1070 proxy query interval, 460, 1069 proxy query response interval, 461, 1069 proxy reporting, 450, 1060, 1069 querier timeout, 451, 1062 querier, enabling, 450,
layer 2, protocol tunnel, 396 license information, GNU, 1117 Link Layer Discovery Protocol See LLDP link trace cache, CFM, 551, 552, 554, 999 link trace message, CFM, 523, 551, 553, 970, 972, 988 link type, STA, 348, 769, 772 LLDP, 505, 916 device statistics details, displaying, 520, 929 device statistics, displaying, 520, 928 display device information, 519, 920, 922 displaying remote information, 519, 922 interface attributes, configuring, 509–516, 918 local device information, displaying, 518, 920 messag
multicast storm, threshold, 270, 783 Multicast VLAN Registration See MVR multicast, filtering and throttling, 468, 1076 MVR assigning static multicast groups, 478, 483, 1089 configuring, 475, 481, 1083 description, 1081 interface status, configuring, 482–483, 1087 interface status, displaying, 484, 1088 IP for control packets sent upstream, 480, 1084 proxy switching, 479, 1082 receiver groups, displaying, 487, 1090 robust value for proxy switching, 480, 1082 setting interface type, 482, 1087 setting multica
duplex mode, 269, 677 flow control, 265, 677 forced selection on combo ports, 267, 676 mirroring, 301, 679 mirroring local traffic, 301, 679 mirroring remote traffic, 304, 681 multicast storm threshold, 270, 783 speed, 269, 677 statistics, 277, 684 unknown unicast storm threshold, 270, 783 power savings configuring, 287, 709 enabling per port, 287, 709 priority, default port ingress, 422, 789 private key, 166, 850 problems, troubleshooting, 1111 protocol migration, 355, 770 protocol tunnel, layer 2, 396 pro
S secure shell, 166, 850 configuration, 166, 850 security, general measures, 193, 821 serial port, configuring, 75, 667 service instance, CFM, 531, 970, 972 sFlow flow configuration, 135–139, 711 target device, 136, 711 Simple Mail Transfer Protocol See SMTP Simple Network Management Protocol See SNMP single rate three color meter See srTCM SMTP event handling, 90, 915 sending log events, 90, 915 SNMP, 107, 929 community string, 109, 938 enabling traps, 112, 944 filtering IP addresses, 189, 883 global setti
system clock setting, 93, 661 setting manually, 101, 661 setting the time zone, 100, 664 setting with SNTP, 94–96, 662 summer time, 96–98, ??–99 summer time, setting, 665 system logs, 86, 911 system software, downloading from server, 67, 653 T TACACS+ logon authentication, 150, 823 settings, 150, 825 TCN flood, 452, 1060 general query solicitation, 453, 1061 Telnet configuring, 164, 668 server, enabling, 165, 668 Telnet connection, configuring, 75, 668 time range, ACL, 102, 857 time zone, setting, 100, 664
telephony OUI, configuring, 413, 817 voice VLAN, configuring, 411, 815 VoIP, detecting devices, 415, 819 W web authentication, 212, 836 address, re-authenticating, 214, 838 configuring, 212, 837 configuring ports, 213, 838 port information, displaying, 215, 838 ports, configuring, 213, 838 ports, re-authenticating, 213, 838 web interface access requirements, 629 configuration buttons, 631 home page, 630 menu list, 632 panel display, 63