Professional Documents
Culture Documents
ICX200 REV0919 SG L PDF
ICX200 REV0919 SG L PDF
Ruckus Certified
Network Associate
Student Guide
Revision 0919
ICX 200
All or some of the products detailed in this document may still be under development and certain
specifications, including but not limited to, release dates, prices, and product features, may
change. The products may not function as intended and a production version of the products may
never be released. Even if a production version is released, it may be materially different from the
pre-release version discussed in this document.
Nothing in this document shall be deemed to create a warranty of any kind, either express or
implied, statutory or otherwise, including but not limited to, any implied warranties of
merchantability, fitness for a particular purpose, or non-infringement of third-party rights with
respect to any products and services referenced herein.
The Ruckus, Ruckus Wireless, Ruckus logo, Big Dog design, BeamFlex, ChannelFly, Xclaim, ZoneFlex
and OPENG trademarks are registered in the U.S. and other countries. Ruckus Networks,
MediaFlex, FlexMaster, ZoneDirector, SpeedFlex, SmartCast, SmartCell, and Dynamic PSK are
Ruckus trademarks worldwide. Other names and brands mentioned in this document or website
may be claimed as the property of others. 18-1-B
ICX 200
Ruckus Certified Network Associate
Revision 0919
Legal Disclaimer
All or some of the products detailed in this presentation may still be under development and
certain specifications, including but not limited to, release dates, prices, and product
features, may change. The products may not function as intended and a production version
of the products may never be released. Even if a production version is released, it may be
materially different from the pre-release version discussed in this presentation.
Nothing in this presentation shall be deemed to create a warranty of any kind, either express
or implied, statutory or otherwise, including but not limited to, any implied warranties of
merchantability, fitness for a particular purpose, or non-infringement of third-party rights
with respect to any products and services referenced herein.
The Ruckus, Ruckus Wireless, Ruckus logo, Big Dog design, BeamFlex, ChannelFly, Xclaim,
ZoneFlex and OPENG trademarks are registered in the U.S. and other countries. Ruckus
Networks, MediaFlex, FlexMaster, ZoneDirector, SpeedFlex, SmartCast, SmartCell, Dynamic
PSK, FastIron, ICX, Multi-Chassis Trunking and relevant wired technologies are Ruckus
trademarks worldwide. Other names and brands mentioned in this document or website
may be claimed as the property of others. 18-1-B
Module 1
Introduction
Course Overview
• This course covers L2/L3 protocol configurations including MSTP, OSPF, BGP, QoS, LLDP, PIM
and Ruckus proprietary protocols including MCT, VRRP-E and FDP
• Topics also include Virtual Routing and Forwarding Tables (VRFs) and foundational IP
version 6 protocol configuration on Ruckus ICX switches
• Additional topics include Multicast routing, traffic management and DHCP configuration on
ICX switches
Course Objectives
• Upon successful completion of this course, the student should be able to:
– Configure, implement and manage standard protocols on Ruckus equipment
– Configure and manage VLANs, Virtual Ethernet routed interfaces, topology groups, as well as create Link
Aggregation Groups (LAGs)
– Configure Layer 2 advanced features and discovery protocols
– Understand Layer 3 configuration including redundancy protocols
– Understand and configure management and monitoring features on an ICX switch
– Implement and maintain OSPF routing protocol
– Configure foundational BGP peering and route advertising
– Configure DHCP features on an ICX switch
– Understand and configure traffic management features
– Understand and configure Multicast routing protocols
Course Agenda
• M01: Introduction
• M05: MCT
• M09: Troubleshooting
• M10: Open Shortest Path First (OSPF) and Virtual Route and Forwarding (VRF)
• M13: Multicast
Course Prerequisites
• Ruckus uses Gilmore Global to provide training material used for all instructor-led classes
• Refer to the notes section for detailed steps on accessing the Gilmore Bookshelf
• Facility information
• Lab policies
• Start and stop times
• Regular breaks
• Set your cell phone to silent or vibrate
• Share relevant networking experiences
• Have fun!
Revision 0919 1 - 10
ICX 200 Introduction
Introductions
Revision 0919 1 - 11
ICX 200 Introduction
End of Module 1
Introduction
Revision 0919 1 - 12
ICX 200 Advanced Layer 2 Features
Module 2:
Advanced Layer 2 Features
Module Objectives
For ports to participate in a LAG, the physical links must have similar characteristics
and must connect to the same adjacent switch or group of switches represented as
one like in Multi-Chassis-Trunking.
LAG requirements may vary for different platforms, such as the number of member in
the LAG, specific port boundaries, etc., always check what is supported on the
devices on both ends of the LAG.
When combining ports into a LAG, the ports must have same attributes. LAG
formation rules are checked when a new port is associate with the LAG. Items that
will be checked are:
• VLAN membership and port tag-type (tagged/untagged)
• Port speed and duplex
• QoS priority
• Layer 3 configuration. member ports cannot have L3 or Policy Based Routing
(PBR) configured
ICX devices support the use of static and dynamic LAGs on the same device.
LAG Configuration
• Create a LAG by giving it a name and defining it as static, dynamic or keep-alive then
adding port members
Ruckus(config)# lag blue1 dynamic id 1
Ruckus(config-lag-blue1)# ports e 1/1/9 to 1/1/11
LAG blue1 deployed successfully!
Ruckus(config-lag-blue1)# port-name "Ruckus lag 1of3" ethernet 1/1/9
The configuration of a LAGs starts with defining a name for the LAG and entering the
keyword dynamic or static, depending on which type of LAG you are configuring
followed by id and the id value. The auto parameter is optional and provides an id
automatically.
This example creates a LAG named “blue1” as dynamic, but it could easily be
configured as static using the static keyword since they are configured in the same
manner. The maximum length for a LAG name is 64 characters. The name can have
spaces if you enclose the name in quotations.
The LAG ID is optional, and valid IDs are 1 to 256. If you do not specify a LAG ID, the
system generates one automatically when the auto option is used. If you enter a
duplicate ID, you will receive an error: Error: LAG id 123 is already
used. The next available LAG id is 2.
Enter into the LAG virtual interface and configure LAG parameters.
All configurations are done on the LAG virtual interface are then applied to all
member ports in the LAG. When viewing the running configuration, it will show the
LAG virtual interface similar to physical Ethernet ports in the configuration.
Static LAGs are configured in the same manner as shown including port membership
and layer 2 options.
For a complete list of configurations that can be used under the LAG virtual interface,
refer to the ICX layer 2 configuration guide.
• Traffic is balanced across LAG ports using a hash index as described below:1
– Non-IP:
• Source and destination MACs
– IP Packets
• IPv4 TCP/UDP:
– Source and destination IP addresses, and source and destination TCP/UDP ports
• IPv4 Non-TCP/UDP:
– Source and destination IP address, source and destination MACs
• IPv6 TCP/UDP:
– Source and destination IP addresses, source and destination TCP/UDP ports, flow label
• IPv6 Non-TCP/UDP:
– Source and destination TCP and UDP ports, and flow label
• Symmetric load balancing option provides IPv4/6 bidirectional source and destination
address pair traffic flows out of the same member of a trunk group2
– Enabled on router code switches using:
Ruckus(config)# load-balance symmetric
Footnote 1: In ICX 7150 devices, the LAG hashing scheme is different from other ICX
platforms. As a result, the user may observe uneven distribution of packets when the
traffic pattern is sequential or incremental in the same step, for example, when both
the source and the destination IP address are incremented in the same step.
Footnote 2: Symmetric load balancing is supported on Ruckus ICX 7850, Ruckus ICX
7750, Ruckus ICX 7450, and Ruckus ICX 7250. Not supported on non-IP data traffic or
where MCT is deployed.
ICX devices support load-sharing over a LAG:
Traffic type Load balancing method1
Source and destination IP addresses, source and destination TCP and UDP
Layer 2 bridged IPv6 TCP/UDP
ports, and flow label
Layer 2 bridged IPv6 non TCP/UDP Source and destination TCP and UDP ports, and flow label
Layer 3 routed traffic Source and destination IP addresses and protocol field
Source and destination IP addresses and protocol field, and, for TCP/UDP
Layer 3 multicast
packets, Layer 4 source and destination ports
In ICX 7150 devices, the LAG hashing scheme is different from other ICX platforms.
Please refer to documentation for details.
For many monitoring and security applications, bidirectional conversations flowing
through the system must be carried on the same port of a LAG. This enables the
firewall between Ruckus ICX devices to be configured to allow the bidirectional
conversations per link of the LAG if preferred. Network telemetry applications also
require symmetric load balancing on the LAGs between the devices. Symmetric load
balancing is supported on Ruckus ICX 7850, Ruckus ICX 7750, Ruckus ICX 7450, and
Ruckus ICX 7250.
You can enable symmetric load balancing for IPv4 and IPv6 data traffic on Ruckus ICX
devices using the load-balance symmetric command.
• Dynamic or keep-alive LAG timeout can be configured as short (3 seconds) or long (120
seconds)
– Once configured the port remains in that timeout mode
• Regardless if it is up or down and whether or not it is part of a LAG
– All the ports in a LAG should have the same timeout mode
• This requirement is checked when the LAG is enabled on the ports
– No flap on active dynamic LAG interface when LACP mode/timeout change (FI 8.0.80 and above)
• To configure a port for a short LACP timeout:
Ruckus(config)# lag blue dynamic id auto
Ruckus(config-lag-blue)# lacp-timeout short
• Syntax: [no] lacp-timeout { long | short }
The long keyword configures the port for the long timeout mode-120 seconds. With
the long timeout, an LACPDU is sent every 30 seconds. If no response comes from its
partner after 3 LACPDUs are sent, a timeout event occurs, and the LACP state
machine transition to the appropriate state based on its current state.
The short keyword configures the port for the short timeout mode--3 seconds. In the
short timeout configuration, an LACPDU is sent every second. If no response comes
from its partner after 3 LACPDUs are sent, a timeout event occurs, and the LACP state
machine transitions to the appropriate state based on its current state.
If you specify neither long nor short , the state machine operates based on the
standard IEEE specification as its default behavior. The original IEEE specification says
that the state machine starts with short the timeout and moves to the long timeout
after the LAG is established. However, sometimes a vendor’s implementation always
uses either the short timeout or the long timeout without changing the timeout.
Brocade provides this command so that you can configure Brocade devices to
interoperate with other vendor’s devices.
NOTE
This configuration is applicable to the configuration of dynamic or keep-alive LAGs
only.
Additionally for dynamic LAGs, LACP is set to active on all of the LAG ports. To set
LACP as passive you can use the lacp-mode passive command to set the LAG to the
passive mode. This is performed under the LAG configuration and applies to an
individuel LAG.
• Allows the ability to disable all of the ports in a static LAG group when the number of
active member ports drops below a specified threshold value
– Provides the ability for failover to redundant link where there is adequate bandwidth
– LAG is kept intact and it is re-enabled if enough ports become active to satisfy the threshold configured
– The trunk-threshold command should be configured only at one end of the trunk
• Configuration above will disable port members if the number of active ports drops below 3
– If the amount of active ports meets the threshold requirement the LAG is re-enabled
The trunk-threshold command should be configured only at one end of the trunk. If it
is set on both sides, link failures will result in race-conditions and will not function
properly.
Protected Ports
Revision 0919 2 - 10
ICX 200 Advanced Layer 2 Features
Protected Port
To further isolate user traffic within a switch in environments where APs are deployed
especially when public Wi-Fi is used, The ports where APs are connected can be
configured as a protected port. This insures that user traffic does not communicate
with other members of the VLAN or broadcast domain. Instead the traffic can only be
forwarded out the uplink port limiting access by other connected users.
Revision 0919 2 - 11
ICX 200 Advanced Layer 2 Features
• The following configurations are supported with the protected port feature:
– Port MAC security
– 802.1x security
– DHCP snooping
– Control protocols
– Aggregated ports (LAGs)
Revision 0919 2 - 12
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 13
ICX 200 Advanced Layer 2 Features
– Individual:
ICX# show interface ethernet 1/1/1
GigabitEthernet1/1/1 is up, line protocol is up
Port up for 1 day(s) 18 hour(s) 43 minute(s) 30 second(s)
Hardware is GigabitEthernet, address is 609c.9fe6.0e40 (bia 609c.9fe6.0e40)
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDI
Untagged member of L2 VLAN 100, port state is FORWARDING
<Output Truncated>
9740757 packets output, 12609042459 bytes, 0 underruns
Transmitted 118050 broadcasts, 607658 multicasts, 9015049 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled
Protected: Yes
– Globally:
ICX# show protected-ports
System-Wide Protected Ports: ethe 1/1/1 ethe 2/1/1 ethe 3/1/1 lag lg1
Configured on a port basis, each port configured as a protected port will be indicated
on the ports output. Although configured on each port specifically, all ports
configured as a protected port can be viewed from a global perspective using the
show protected-ports command.
Revision 0919 2 - 14
ICX 200 Advanced Layer 2 Features
VLANs
Revision 0919 2 - 15
ICX 200 Advanced Layer 2 Features
149_VLANs.png
VLAN Assignments
ICX devices support port-based and protocol-base VLANs. By default VLANs are port-
based and this module focuses on port-based VLANs.
For more details on ICX VLANs, please refer to the Ruckus FastIron Layer 2 Switching
Configuration Guide, on www.ruckuswireless.com.
On all ICX devices, VLAN 1 is considered the Default VLAN and it is a port-based VLAN.
All ports start out as members of VLAN 1. The Default VLAN can be changed using the
default-vlan-id command. Valid VLAN IDs are 1 through 4095, though some IDs are
reserved. VLAN ID 4094 is reserved for Single Spanning Tree, and VLANs 4087, 4090,
and 4093 are reserved for Ruckus internal functions.
Revision 0919 2 - 16
ICX 200 Advanced Layer 2 Features
162_vlan
• Example Configuration:
Switch1(config)# vlan 10
Switch1(config-vlan-10)# tagged e 1/1/5
Switch1(config)# vlan 1
Switch1(config-vlan-1)# no untagged ethernet 1/1/5
Switch1(config-vlan-1)# no untagged ethernet 1/1/6
Error! Port 1/1/6 is member of default VLAN only. Cannot
remove
VLAN tagging is necessary when VLAN traffic is forwarded on the same link between
two switches known as a trunk. Frames moving between switches are tagged so that
the next switch in the traffic flow path knows the destination VLAN of the frame.
In any part of the network that are or need to be VLAN-aware include VLAN tags. The
VLAN tag represents the VLAN membership of the frame's port or the port/protocol
combination, depending on whether the network uses port-based or port-and-
protocol-based VLAN classification.
The VLAN ID that is in the tag enables each device that receives the frame to
determine which VLAN the frame belongs to. Each frame must be distinguishable as
being within exactly one VLAN.
A port that is a member of only one VLAN, like a end device port, can be associated
with a VLAN however it is added as untagged. We will discuss untagged ports next.
Creating VLANs is done at the global CONFIG level using the vlan command
followed by a VLAN ID. Again, valid IDs are from 1 to 4095. Optionally, you can
configure a name for each VLAN using the name parameter. VLAN names can be up
to 32 characters long, and can have spaces as long has the name is put in double
quotations.
Revision 0919 2 - 17
ICX 200 Advanced Layer 2 Features
• In FI 8.0.80 and above configurations under VLAN can be performed before adding ports
– VLAN becomes active once user configures the VLAN
• Port member associations are not required for applications can be configured
– Allows VLAN feature configuration to be retained even if all port members are removed
• Example:
– Create VE interface even before adding ports to VLAN
When VLANs are configured they become active and additional configurations can be
added without the requirement of port members being identified. This allows a VLAN
to be fully configured before the ports have to be committed to it.
VLANs can also be configured as routed VLANs allowing them to forward traffic
between locally configured routed VLANs. Each VLAN has to have a router interface
configured before it can be routed and the switch has to be running router code. We
will go into more detail on VLAN routing features later in this course.
Revision 0919 2 - 18
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 19
ICX 200 Advanced Layer 2 Features
An aggregated VLAN allows multiple VLAN tags to be placed within another VLAN,
sometimes referred to as Q-in-Q. The outer VLAN tag is the “path” on which all VLANs
are aggregated, and the inner VLAN tag, or the “channel”, is the client VLAN. The
outer and inner VLANs use different VLAN tags.
Aggregated VLANs expand the limitation of 4095 VLANs in a network by
encapsulating multiple VLANs into a single VLAN ID. In this configuration, end devices
within a channel are not visible to devices in other channels. It provides point-to-
point and point-to-multipoint connections.
Revision 0919 2 - 20
ICX 200 Advanced Layer 2 Features
• Aggregation VLANs 500 and 501 in the core allow for overlapping Customer VLANs to be used
– VLAN 500 provides forwarding of customer VLANs 101 to 105 on Device A and F
– VLAN 501 provides forwarding of customer VLANs 101 to 105 on Device B and E
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 21
Revision 0919 2 - 21
ICX 200 Advanced Layer 2 Features
– To allow frames larger than 1522 on core devices due to the additional tag, you must enable jumbo
frames
• Enable jumbo frames
Ruckus(config)# jumbo
Jumbo mode setting requires a reload to take effect!
– Configure a VLAN tag profile (tag ID) that is different than the tag ID (Default 8100) used on the edges
Here we see the steps for configuring aggregated VLANs on the edge and core
devices.
We start with the edge switches and configure a VLAN for each client connected to
the edge switch, also referred to as the channel. Within each VLAN, add the port
connected to the client edge device as untagged, then add the port connected to the
core device as tagged.
On each core device, at the global CONFIG level, enter the aggregated-vlan
command. This command allows the core devices to add the additional tag to each
Ethernet frame containing the VLAN (or channel) packet from the edge device.
Next, configure a VLAN tag-type that is different than the tag-type used on the edge
devices. If you use the default tag-type of 8100 (default) on the edge devices, set the
tag-type on the core devices to another value, such as 9100. The tag-type must be
the same on all the core devices. All the edge devices also must have the same tag-
type but different from the tag-type on the core devices.
Also, ICX devices used at the core need to have support for larger frames enabled.
This is done using the jumbo command at the global CONFIG level. This change does
require a system reload.
Revision 0919 2 - 22
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 23
ICX 200 Advanced Layer 2 Features
• The tag-profile used (9100) must be the same on all the core devices
– Ports towards client switches are configured as untagged1
• Device D will have same VLAN, tag-profile and port tagging configuration on adjoining
ports
• Because client VLAN IDs are encapsulated in the core, duplicate IDs on different channels
are possible
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 24
Footnote 1: Since these ports are configured as untagged they simply accept the tag
placed on the frame from the client switches as payload and will encapsulate the tag
and consider it payload.
Next for core device configuration, set the tag-type globally using the tag-
profile command on the ICX 7000 series devices. Remember, each core device
must use the same tag-profile
Next, create your VLAN and add the uplink port between the core devices as tagged,
and the ports to the edge devices as untagged.
Because VLAN IDs used on edge devices are considered as payload when entering the
core, the use of duplicate channel VLAN IDs on other connecting switches is possible.
Device D Configuration Example:
DeviceD(config)# aggregated-vlan
DeviceD(config)# tag-profile 9100
DeviceD(config)# vlan 500
DeviceD(config-vlan-500)# tagged ethernet 1/2/4
DeviceD(config-vlan-500)# untagged ethernet 1/2/1
DeviceD(config-vlan-500)# vlan 501
DeviceD(config-vlan-501)# tagged ethernet 1/2/4
DeviceD(config-vlan-501)# untagged ethernet 1/2/2
DeviceD(config-vlan-501)# interface 1/2/1 to 1/2/2
DeviceD(config-mif-1/2/1-1/2/2)# tag-profile enable
Revision 0919 2 - 24
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 25
ICX 200 Advanced Layer 2 Features
• In ICX Q-in-Q, customer BPDU may be consumed and terminate in core devices
– Customers protocol traffic become ineffective by not reaching the rest of their devices
• BPDU Tunneling provides the ability for BPDU packets to be forwarded without local
processing
– BPDU tunneling can be enabled per protocol (STP (PVST, RSTP, MSTP)/CDP/LLDP/LACP)
– Tunneled protocol will use special destination MAC (0100.0ccd.cdd1)
– BPDU Tunneling supported in two Q-in-Q modes
• Legacy Tag-profile based Q-in-Q
• Selective Q-in-Q1
– Will interoperate with other vendors using same special destination MAC
Revision 0919 2 - 26
ICX 200 Advanced Layer 2 Features
1/1/1,2- Tag Profile Enable (0x9100) 1/1/1,2- Tag Profile Enable (0x9100)
l2protocol dot1q-tunnel stp l2protocol dot1q-tunnel stp
Customer Edge-A SVLAN 100 SVLAN 100
(0x8100) CVLAN 1-10
SVLAN 100 Customer Edge-B
ICX-one ICX-two ICX-three (0x8100) CVLAN 1-10
1/1/1,2
Customer-Site-A
Customer-Site-B
1/1/1,2
BM TM TM BM
CV SV SV CV
B CV CV B
P P
D B B D
U P P U
D D
U U BM: BPDU MAC
TM: Tunnel MAC
CV: Customer VLAN (1 to 10)
SV: Service Provider VLAN (100)
Revision 0919 2 - 27
ICX 200 Advanced Layer 2 Features
Command Description
l2protocol dot1q-tunnel STP Enable STP tunneling on physical interface or LAG
l2protocol dot1q-tunnel LACP Enable LACP tunneling on physical interface or LAG
l2protocol dot1q-tunnel LLDP Enable LLDP tunneling on physical interface or LAG
l2protocol dot1q-tunnel CDP Enable CDP tunneling on physical interface or LAG
Enable all protocols (STP, LACP, LLDP & CDP) tunneling on
l2protocol dot1q-tunnel
physical interface or LAG
• Syntax: show l2protocol dot1q-tunnel { counters [ unit / slot / port | lag-id ] | port { unit / slot / port | lag-id
} | summary |vlan vlan-id }
(Optional) Specify a global Class of Service (CoS) value on all Q-in-Q tunneling ports
from the global configuration mode.
ICX(config)# l2protocol dot1q-tunnel cos 6
Revision 0919 2 - 28
ICX 200 Advanced Layer 2 Features
Footnote 1: Each interface can limit the L2 traffic forwarded though the tunnel along
with drop value and shutdown threshold for each L2 protocol.
Syntax: l2protocol dot1q-tunnel drop-threshold { all | cdp | lacp | lldp | stp } threshold-
value
You can clear the counters within a switch using the clear l2protocol dot1q-tunnel
counters [ unit / slot / port | lag-id ] command
Revision 0919 2 - 29
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 30
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 31
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 32
ICX 200 Advanced Layer 2 Features
• Per protocol or per port level (drop) rate limiting of incoming BPDUs
• Per protocol or per port level (shutdown) rate limiting of incoming BPDUs
Revision 0919 2 - 33
ICX 200 Advanced Layer 2 Features
Spanning Tree
Revision 0919 2 - 34
ICX 200 Advanced Layer 2 Features
In 2014, the three main types of Spanning Tree, 802.1D (the original specification), 802.1w
(Rapid Spanning Tree), and 802.1s (Multiple Spanning Tree) were all incorporated into the
802.1Q-2014 specification. The original specifications are still commonly used when
comparing the functionality of one version against another.
Regardless of the version being used, the purpose of Spanning Tree is the same. Spanning
Tree uses an algorithm to ensure a loop-free topology by enabling a single path through any
physical arrangement of switches. It detects redundant links, blocks redundant links, and
allows for failover to redundant links. STP creates a loop-free topology without disconnecting
or disabling interfaces.
Rapid Spanning Tree Protocol (RSTP) is seen as an evolution of the original standard. RSTP
uses most of same terminology as 802.1D, and most of the parameters have been left
unchanged so that users familiar with 802.1D can rapidly configure RSTP comfortably.
RSTP is backward compatible to 802.1D in order to interoperate with legacy bridges on a per-
port basis In a mixed environment, the benefits that RSTP introduces are dropped.
RSTP provides rapid convergence and takes advantage of Spanning Tree's point-to-point
wiring configuration. Failure in one forwarding path does not affect other forwarding paths.
RSTP improves the operation of Spanning Tree while maintaining backward compatibility.
Then we have Multiple Spanning Tree (MSTP) it allows multiple VLANs to be managed by a
single STP instance and supports per-VLAN Spanning Tree. As a result, several VLANs can be
mapped to a reduced number of Spanning Tree instances. This ensures a loop-free topology
for one or more VLANs that have similar Layer 2 characteristics.
Revision 0919 2 - 35
ICX 200 Advanced Layer 2 Features
802.1D Timers
• Timers can be adusted to allow for faster forwarding and convergence times when using
802.1D
– These variable timing values are:
• forward-delay seconds
– The forward delay is the value of time that a switch spends each the listening and learning states
– Values can be set between 4 through 30 seconds. The default is 15 seconds
• hello-time seconds (applies to the root bridge)
– Configures the time interval between two Hello packets
– This value ranges from 1 through 10 seconds. The default is 2 seconds
• max-age seconds
– Configures the time period the device waits to receive a Hello packet before it initiates a topology change
– The time period ranges from 6 through 40 seconds. The default is 20 seconds.
• If you plan to change STP bridge timers, you are required to stay within the following ranges, from section 8.10.2 of
the IEEE STP specification:
– 2 * (forward_delay -1) >= max_age>= 2 * (hello_time +1)
Revision 0919 2 - 36
ICX 200 Advanced Layer 2 Features
• New higher link speeds have prompted the need for more granular link costs
• Feature provides the ability to adjust the STP path cost from 802.1D 1998 to 802.1D 2004
defined values
– Syntax: spanning-tree path-cost-method [long | short]
– Default option is short
– Configuring the long mode will upgrade spanning-tree Port Path Cost
path cost to 2004 defined values Link Speed IEE 802.1D 1998 IEE 802.1D 2004
– The short option will fallback to 1998 defined values
10 Mbps 100 2000000
– Switching between modes will remove any
interface path costs that have been configured 100 Mbps 19 200000
• Individual port cost value ranges vary depending
1 Gbps 4 20000
on which mode is configured on switch 2.5 Gbps 3 8000
5 Gbps 3 4000
Ruckus(config-vlan-100)# spanning-tree 10 Gbps 2 2000
ethernet 1/1/5 path-cost ?
DECIMAL short mode: 1 to 65535,
25 Gbps 1 800
long mode: 1 to 200000000 40 Gbps 1 500
100 Gbps 1 200
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 37
Higher port speeds have caused the need for more granular path cost values to
ensure the best path is chosen to the Root Bridge. By default the 1998 path cost
values are used when 802.1D is enabled. Newer values defined in the 2004
rectification of the standard makes room for 25Gbps and above values however this
effects all other port values as well. These values can be used within an ICX by using
the spanning-tree path-cost-method command which will count the path costs based
on the newer standard. It is recommended that all switches participating in the
instance have matching path cost values to avoid unexpected results. LAG interfaces
cost is calculated by the link speed of the LAG interface therefore it is suggested that
when a LAG is deployed in a STP environment that the cost be manually set to
correctly identify the link speed.
Make sure if you add interface path cost values you are aware of the proper cost
values that match the mode that you are using.
Ruckus(config-vlan-100)# spanning-tree ethernet 1/1/5
path-cost 20000000
Revision 0919 2 - 37
ICX 200 Advanced Layer 2 Features
• Syslog entries
SYSLOG: <12> Jan 1 03:33:20 ICX7650-48P STP: VLAN 100 Port 1/1/5 - PathCostDefaulted
SYSLOG: <12> Jan 1 03:33:20 ICX7650-48P STP: VLAN 100 Port 1/1/6 - PathCostDefaulted
This setting is applied globally and effects all VLANs using 802.1D on the switch.
SYSLOG entries are also entered when this value changes and setting takes effect
immediately when applied.
Revision 0919 2 - 38
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 39
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 40
ICX 200 Advanced Layer 2 Features
• Within a region:
– Internal Spanning Tree (IST) instance is established Physical layout
• Allows for the CST instance to be brought into a region
Revision 0919 2 - 41
ICX 200 Advanced Layer 2 Features
MSTP Mode
• When a system is enabled for MSTP mode, the following changes are made to the system
configuration:
– All 802.1D and 802.1w STP instances are deleted regardless of whether the VLAN is inside the MSTP scope
or not
– All topology groups are deleted
– Any VSRP configuration is deleted
– Single-span (if configured) is deleted
– Metro Ring Protocol (MRP) running on a VLAN inside MSTP scope is deleted
• The common and internal spanning trees (CIST) collection is created and all VLANS inside
the MSTP scope are attached with the CIST
• Make sure that no physical Layer 2 loops exist prior to switching from non-MSTP mode to
MSTP mode. If, for example, you have a Layer 2 loop topology configured as a redundancy
mechanism before you perform the switch, a Layer 2 storm should be expected
In standard MSTP deployments the MSTP scope defines the VLANs that are under
direct MSTP control. You cannot run 802.1D or 802.1w on any VLAN (even outside of
MSTP scope) and you cannot create topology groups when a system is under MSTP
mode. While a VLAN group will still be supported when a system is under MSTP
mode, the member VLAN should either be all in the MSTP scope or all out of the
MSTP scope.
MSTP scope defines the VLANs that are under direct MSTP control. You cannot run
802.1D or 802.1w on any VLAN (even outside of MSTP scope) and you cannot create
topology groups when a system is under MSTP mode. While a VLAN group will still be
supported when a system is under MSTP mode, the member VLAN should either be
all in the MSTP scope or all out of the MSTP scope.
Make sure that no physical Layer 2 loops exist prior to switching from non-MSTP
mode to MSTP mode. Because many system configurations are deleted once MSTP is
enabled it can cause a loop and spike the CPU.
Revision 0919 2 - 42
ICX 200 Advanced Layer 2 Features
• To configure a system into MSTP mode, use the following command at the Global
Configuration level1
• This enables MSTP but is not operational until the mstp start command
Footnote 1: There is an additional option when using MSTP mode which is to enable
MSTP+. The MSTP+ feature allows you to selectively include VLANs in the MSTP
scope. The MSTP+ feature is an enhancement that allows you to exclude one or
more VLANs from the MSTP scope and configure them in a non-MSTP topology. Use
the mstp scope command with the pvst keyword to configure MSTP+. Because
MSTP+ is beyond the scope of this class, more details on MSTP+ can be found in the
ICX layer 2 guide.
In the Ruckus ICX MSTP implementation however, a VLAN ID can be pre-mapped to
another MSTI as described in the “Configuring an MSTP instance” section. A VLAN
whose ID is pre-mapped, will attach to the specified MSTI instead of to the CIST when
created.
Once under MSTP mode, CIST always controls all ports in the system. If you do not
want a port to run MSTP, configure the no spanning-tree command under the
specified interface configuration.
Once under MSTP mode, CIST always controls all ports in the system. If you do not
want a port to run MSTP, configure the no spanning-tree command under the
specified interface configuration.
Revision 0919 2 - 43
ICX 200 Advanced Layer 2 Features
• If you want switches to be members of the same region, you must match the following:1
– MSTP configured name
– MSTP revision number (16 bit value)
Instance VLANs
-------- ------------------------------------------------------
0 1 30
Revision 0919 2 - 44
ICX 200 Advanced Layer 2 Features
• To configure an MSTP instance and map one or more VLANs to that MSTI
Ruckus(config)# mstp instance 7 vlan 4 to 7
ICX devices can support up to 16 spanning tree instances in an MSTP enabled bridge
which means that it can support up to 16 different Layer 2 topologies.
Display of configuration:
Ruckus(config)# show mstp config
MSTP CONFIGURATION
------------------
Scope : all system
Name : Ruckus
Revision : 4
Version : 3 (MSTP mode)
Config Digest: 0x2821e3577953b25a6e9d2179d1679940
Status : Started
Instance VLANs
-------- ---------------------------------------------
0 1
7 4 to 7
Revision 0919 2 - 45
ICX 200 Advanced Layer 2 Features
• Configuring bridge priority for an MSTP instance or port priority can be configured for a
specified instance
– To configure priority for an MSTP instance
Ruckus(config)# mstp instance 7 priority 8192
Revision 0919 2 - 46
ICX 200 Advanced Layer 2 Features
• You can define specific ports as edge ports for the region connecting devices (such as a
host) that are not running any STP instance
– Configure ports as operational edge ports:
Ruckus(config)# mstp admin-edge-port ethernet 3/1/1
• Point-to-point link
– You can set a point-to-point link between ports to increase the speed of convergence
– At the global configuration level issue:
Ruckus(config)# mstp admin-pt2pt-mac ethernet 1/2/5 ethernet 1/4/5
Footnote 1: This feature is set globally to apply to all ports on an MSTP switch where
it is configured. Note that after configuring, it takes the port about three seconds
longer to come to the enable state.
Revision 0919 2 - 47
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 48
ICX 200 Advanced Layer 2 Features
Field descriptions:
Field Description
Revision 0919 2 - 49
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 50
ICX 200 Advanced Layer 2 Features
physical server now has multiple Virtual Machines (VMs) each with its own Media Access Control (MAC) address
• VxLAN is intended to address limitations effecting modern data center networks including:
Revision 0919 2 - 51
ICX 200 Advanced Layer 2 Features
VxLAN As A Solution
VXLAN uses a tunneling method to carry the Layer 2 overlay network traffic over the
Layer 3 network. Communication is established between two tunnel endpoints called
Virtual Tunnel Endpoints (VTEPs). VXLAN is a MAC Address-in-User Datagram Protocol
(MAC-in-UDP) encapsulation, which encapsulates MAC frames at Layer 2 into a Layer
3 UDP header with an outer Ethernet header, outer IP header, outer UDP header, and
VXLAN header. The outer IP header contains the corresponding source and
destination VTEP IP addresses.
VTEPs are the nodes that provide the encapsulation and decapsulation functions and
also map the tenant traffic to the virtual network and vice versa. The tenant’s Layer 2
frame is encapsulated with the Layer 3 UDP header to send it to the remote location
(VTEP). The remote end decapsulates the outer header, and send the original Layer 2
packet to the remote tenant.
Revision 0919 2 - 52
ICX 200 Advanced Layer 2 Features
Module Summary
Revision 0919 2 - 53
ICX 200 Advanced Layer 2 Features
End of Module 2:
Advanced Layer 2 Features
Revision 0919 2 - 54
ICX 200 Advanced Layer 2 Features
Appendix A:
Topology Groups
Revision 0919 2 - 55
ICX 200 Advanced Layer 2 Features
• Topology groups allow multiple VLANs to share a single Layer 2 topology protocol
– Simplifies configuration
– Enhances scalability
• If STP, RSTP or MSTP is globally enabled topology groups are not allowed to be configured
on the switch
A topology group is a named set of VLANs that share a Layer 2 topology. Topology
groups simplify configuration and enhance scalability of Layer 2 protocols by allowing
you to run a single instance of a Layer 2 protocol on multiple VLANs.
You can use topology groups with the following Layer 2 protocols:
• Spanning Tree Protocol (STP)
• 802.1W
• Metro Ring Protocol (MRP)
• Virtual Switch Redundancy Protocol (VSRP)
Topology groups simplify Layer 2 configuration and provide scalability by enabling you
to use the same instance of a Layer 2 protocol for multiple VLANs. For example, if a
Ruckus device is deployed in a Metro network and provides forwarding for two MRP
rings that each contain 128 VLANs, you can configure a topology group for each ring.
If a link failure in a ring causes a topology change, the change is applied to all the
VLANs in the ring topology group. Without topology groups, you would need to
configure a separate ring for each VLAN.
In a simple topology with a L2-loop where spanning-tree is enabled to break the loop
and if the topology has 100 VLANs configured and per VLAN spanning tree is chosen,
then we need 100 instances of spanning tree to be running one for each VLAN. This
means that the number of VLANs deployed will be limited by the number of spanning
tree instances supported. Also a higher number of instances can impact CPU
performance. With topology groups one VLAN can be spanning tree enabled
becoming a master VLAN allowing other VLANs to become members of the group.
This allows to scale the number of VLANs past the STP instance limitation and with
much less of a CPU burden.
Revision 0919 2 - 56
ICX 200 Advanced Layer 2 Features
• Master VLAN
– Contains configuration information of any Layer 2 protocols configured for the group
• Parameter changes within this VLAN will be applied to the member VLANs
• Member VLAN
– Additional VLANs that share ports with the master VLAN
• Layer 2 topology resolution is controlled entirely by the master VLAN
– Member VLANs cannot not independently run a loop avoidance protocol
Each topology group contains a master VLAN and can contain one or more member
VLANs and VLAN groups:
• Master VLAN - The master VLAN contains the configuration information for the
Layer 2 protocol. For example, if you plan to use the topology group for MRP,
the topology group master VLAN contains the ring configuration information.
• Member VLANs - The member VLANs are additional VLANs that share ports
with the master VLAN. The Layer 2 protocol settings for the ports in the master
VLAN apply to the same ports in the member VLANs. A change to the master
VLAN Layer 2 protocol configuration or Layer 2 topology affects all the member
VLANs. Member VLANs do not independently run a Layer 2 protocol.
When a Layer 2 topology change occurs on a port in the master VLAN, the same
change is applied to that port in all the member VLANs that contain the port. For
example, if you configure a topology group whose master VLAN contains ports 1/1/1
and 1/1/2, a Layer 2 state change on port 1/1/1 applies to port 1/1/1 in all the
member VLANs that contain that port. However, the state change does not affect port
1/1/1 in VLANs that are not members of the topology group.
Revision 0919 2 - 57
ICX 200 Advanced Layer 2 Features
• Free port - A free port is not controlled by the master VLAN’s loop avoidance protocol
– Any ports in the member VLANs that are not also associated with the master VLAN are free ports
– Ports in master VLAN with the loop avoidance protocol disabled are free ports
– Free ports are always in a forwarding state
• As they are not controlled by the master VLAN Layer 2 protocol
Revision 0919 2 - 58
ICX 200 Advanced Layer 2 Features
From the global configuration topology groups are configured where the master
VLAN and the member VLANs are identified. Keep in mind that globally enabled STP,
RSTP or MSTP eliminates the possibility of configuring a topology group. Spanning
tree configuring for the master VLAN allows the single instance to manage the
topology group VLAN members. The master VLAN and member VLANs need to be
previously configured before they can be assigned to a topology group.
The master-vlan command adds the master VLAN. The VLAN must already be
configured. Make sure all the Layer 2 protocol settings in the VLAN are correct for
your configuration before you add the VLAN to the topology group. A topology group
can have only one master VLAN.
If you remove the master VLAN (by entering no master-vlan vlan-id ), the software
selects the new master VLAN from member VLANs. For example, if you remove
master VLAN 100 from the example above, the CLI converts member VLAN 200 into
the new master VLAN. The new master VLAN inherits the Layer 2 protocol settings of
the older master VLAN.
If you add a new master VLAN to a topology group that already has a master VLAN,
the new master VLAN replaces the older master VLAN. All member VLANs follow the
Layer 2 protocol settings of the new master VLAN.
Once you add a VLAN or VLAN group as a member of a topology group, all the Layer 2
protocol configuration information for the VLAN or group is deleted. For example, if
STP is configured on a VLAN and you add the VLAN to a topology group, the STP
configuration is removed from the VLAN. Once you add the VLAN to a topology
group, the VLAN uses the Layer 2 protocol settings of the master VLAN.
Revision 0919 2 - 59
ICX 200 Advanced Layer 2 Features
• Once configured topology group details can be displayed using the command:
Display of the topology group provides the master VLAN, L2 protocol type and
member VLANs. Free ports within a specific VLAN or bridge domain are displayed
indicating that the layer 2 protocol is not controlling the status of those ports.
Revision 0919 2 - 60
ICX 200 Advanced Layer 2 Features
• If layer 2 protocols are disabled on any master VLAN controlled ports they become free
ports
STP disabled on port
ICX(config)# vlan 100 in Master VLAN
ICX(config-vlan-100)# spanning-tree 802-1w ethernet 1/1/10 disable
ICX(config-vlan-100)# vlan 200
ICX(config-vlan-200)# tagged e 1/1/11
Port tagged in
L2 protocol is disabled by default on topology group interfaces Member VLAN only
All ports associated with the Master VLAN or any changes made to the Master VLAN
are reflected to other VLAN members. Any disabled later 2 ports will cause the ports
to become free ports. Additionally, any ports belonging to member VLANs that are
not part of the Master VLAN will also be identified as free ports.
Revision 0919 2 - 61
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 62
ICX 200 Advanced Layer 2 Features
End of Appendix A:
Topology Groups
Revision 0919 2 - 63
ICX 200 Advanced Layer 2 Features
Revision 0919 2 - 64
ICX 200 Port Monitoring and Management
Module 3:
Port Monitoring and
Management
Module Objectives
Link Monitoring
Interface errors
• Each interface records traffic along with port errors to help identify issues with the connection
Ruckus# show int e 1/1/3
GigabitEthernet1/1/3 is up, line protocol is up
Errors are divided into
Port up for 138 day(s) 23 hour(s) 9 minute(s) 25 second(s)
Hardware is GigabitEthernet, address is 609c.9fe6.0e42 (bia 609c.9fe6.0e42) input and output
<Output truncated>
300 second input rate: 2749888 bits/sec, 292 packets/sec, 0.27% utilization
300 second output rate: 25224 bits/sec, 28 packets/sec, 0.00% utilization
counters from the last
3079862649 packets input, 3478182772867 bytes, 0 no buffer
Received 2885777 broadcasts, 3803946 multicasts, 3073172926 unicasts
time they were cleared
3 input errors, 3 CRC, 0 frame, 0 ignored
0 runts, 0 giants or from system boot
761455170 packets output, 607134557302 bytes, 0 underruns
Transmitted 7927212 broadcasts, 23329296 multicasts, 730198662 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled
Protected: No
MAC Port Security: Disabled
This port is not being monitored for queue drops
Egress queues:
Queue counters Queued packets Dropped Packets
0 751458052 0
1
2
0
8
0
0
Errors are accumulative
3
4
0
2492566
0
0 from the last time they
5 935717 0
6
7
0
6568827
0
0
were cleared or from
system boot
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 5
Port errors are stored and can be displayed showing not only traffic statistics but also
any errors that may have occurred on the interface. Some errors shown can be from
temporary or older events however if they are incrementing then there is a good
chance there is packet loss impacting the network.
Errors can be seen inbound and outbound as well as inbound CRC and frame errors.
Be aware that if the upstream device is configured to provide cut-through forwarding
the CRC errors shown may be coming from a device further upstream.
You can quickly look at a switch to tell if any ports are taking errors by using the show
statistics command. By repeating this command you can see if any errors are
incrementing and further investigation may need to take place.
Interface Statistics
• The clear statistics command clears many counters including interface statistics
– Helpful to understand if errors shown are recent or from a past issue
– Using the clear unit command clears all statistics from that switch for all counters listed in command for
the identified unit
• Monitoring of a port for InError packets can be enabled by defining the maximum number
of InError packets allowed during the specified sampling interval
– Commonly used in active/passive redundant uplinks to eliminate faulty passive links dropping PDU’s
causing it to revert to forwarding state and creating loops
• InError packets are counted on an ingress frame that has one or more of the following:
– Alignment error
– CRC error
– Oversized frame error
– Internal received MAC address error (Errors that do not fall in the above 3 types)
– Symbol error (includes the fragmented, short, or undersized frames)
• Configuration consists of setting allowed InError packet counts during a sampling interval
• Once the port receives more than the configured number of inError packets in two consecutive sampling intervals
the port becomes error-disabled
It is recommended to use Packet InError Detection only on required ports. heavy CPU
usage can occur if enabled on large number of ports especially if very short sampling
intervals are used.
The inError count configured on the LAG virtual interface of a LAG is inherited by
other member ports of the LAG. However, the LAG ports are individually sampled for
inError packets. Therefore, inError packets on a port disable only that port and not
the entire LAG.
The clear statistics command will clear the counters for inerror packets as well so use
with caution when troubleshooting.
The output of the show interface ethernet command for the affected port will show
the status of the port as “ERR-DISABLED (packet-inerror)”.
• Globally enable errdisable packet-inerror-detect command and define the sampling time
interval (in seconds 2-60)
Ruckus(config)# errdisable packet-inerror-detect interval 3
• Set (optional) recovery cause and interval (10-65535 in seconds Default 300)1
Ruckus(config)# errdisable recovery cause packet-inerror-detect
Ruckus(config)# errdisable recovery interval 500
– The ethernet interface 1/2/3 becomes disabled if more than 10 InError packets are received in each of
two consecutive 3-second intervals
– After the interface is disabled, it automatically recovers to the enabled state after 500 seconds
Footnote 1: Error disable recovery. (Optional) If you want the ports to automatically
recover from the error-disabled state after the expiry of a configured recovery timer,
run the errdisable recovery cause and errdisable recovery interval commands in
global configuration mode.
When automatic recovery re-enables the port, the port is not in the error-disabled
state, but it can remain down for other reasons, such as the Tx/Rx of the fiber optic
issues, BPDU Guard violation, loop detection violation or any other errdisable state
configured a port is placed into an error-disabled state, which is functionally
equivalent to a disable state. Once in an error-disabled state, the port remains in that
state until it is enabled either automatically or manually. Recovery interval is applied
to all enabled recovery causes.
The following syslog message is generated when a port is error-disabled because of
inError packets.
0d01h38m44s:I:PORT: 1/1/37 is ERR-DISABLED due to number
of packet inErrors exceeded the threshold
Revision 0919 3 - 10
ICX 200 Port Monitoring and Management
There are other recovery options that can be configured however some are
configured under the protocol or the associated feature. For those configuration
options consult the ICX config guide. Recovery interval configured previously effects
all causes that are configured.
Revision 0919 3 - 11
ICX 200 Port Monitoring and Management
Error disable can be configured for many different protocols and events within a
switch. You can display the current status of these by using the show errdisable
revovery command. Additionally if any ports are currently error disabled they will be
displayed at the bottom with details on what caused the errdisable status. It will also
display the remaining time the port will be effected by the errdisable action.
Revision 0919 3 - 12
ICX 200 Port Monitoring and Management
• Use the show errdisable recovery command to display all the default error disable
recovery state for all possible conditions
As you can see port 1/2/3 has crossed the threshold configured and has caused it to
be disabled. A counter of the remaining time for the port to remain disabled will be
displayed. If you choose to bypass this time remaining you can manually
disable/enable the port to put it back into active status. Do know that if the threshold
is crossed again the port may be put back into errdisable state.
Revision 0919 3 - 13
ICX 200 Port Monitoring and Management
• The errdisabled state of an interface is displayed in the show interface output and the
show interface brief commands
Ruckus# show interfaces ethernet 1/2/3
GigabitEthernet1/2/3 is ERR-DISABLED (packet-inerror),
line protocol is down
BPDU guard is Enabled, ROOT protect is Disabled
Port down for 0 hours 3 minutes 50 seconds
Hardware is GigabitEthernet, address is 0000.00a0.7100 (bia 0000.00a0.7100)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Configured mdi mode AUTO, actual unknown
Member of L2 VLAN ID 2, port is untagged, port state is DISABLED
STP configured to ON, priority is level0, flow control enabled
mirror disabled, monitor disabled
<Output Truncated>
4717256657 packets input, 6172668548255 bytes, 0 no buffer
Received 0 broadcasts, 0 multicasts, 4717256657 unicasts
13452 input errors, 23453245 CRC, 0 frame, 0 ignored
0 runts, 0 giants
2042808083 packets output, 596810533354 bytes, 0 underruns
Transmitted 11271 broadcasts, 192921 multicasts, 2042603891 unicasts
0 output errors, 0 collisions
Spanning Tree Protocol
Error disable recovery
The port status is also displayed when using the show interface command and will
reflect if the port is active or being disabled along with the reason. A timer of the port
down condition is also displayed allowing you to identify if any known event took
place at the time of disablement.
Revision 0919 3 - 14
ICX 200 Port Monitoring and Management
• Ports that are under an errdisabled state can be displayed using the show errdisable
summary command
– Shows the port number and the reason for errdisable state along with the method used to recover the
port
• A Syslog message is generated after a port is placed into or removed from an errdisable
state
STP: VLAN 50 BPDU-guard port 1/2/1 detect (Received BPDU), putting into err-disable
state
– A Syslog message such as the following is generated after the recovery timer expires
ERR_DISABLE: Interface ethernet 1/2/1, err-disable recovery timeout
And ports that are actively in errdisabled state can be viewed using the show
errdisable summary command. Syslog messages are generated when the port is
transitioned to the disabled and enabled state due to a errdisable event.
Revision 0919 3 - 15
ICX 200 Port Monitoring and Management
Optical Monitoring
Revision 0919 3 - 16
ICX 200 Port Monitoring and Management
• Digital optical monitoring (DOM) provides diagnostic monitoring for SFP and SFP+ optics
– DOM Support is available on all ICX switches using Ruckus optics which monitors:1
• Optical output/input power
• Temperature
• Laser bias current
• Transceiver voltage
– If monitoring is enabled, console/syslog messages
and SNMP traps are sent2
• Global enabling of monitoring
Ruckus(config)# optical-monitor 5
Enable optical monitoring and set alarm/warn interval to 5 minute(s)
Footnote 1: For a list of supported media types, refer to the Ruckus Ethernet Optics
data sheet.
Footnote 2: Console messages and syslog messages are printed when optical
operating conditions fall below or rise above the SFP, SFP28, SFP+, QSFP, QSFP+, and
QSFP28 manufacturer-recommended thresholds
Footnote 3: Ranges (in minutes) for the alarm-interval parameter for various ICX
switches is 71xx 72xx [3-65535], 74xx 77xx [8-65535]: optical monitoring alarm/warn
interval in minutes, 0 to disable
Normal port configuration options such as range commands can be used when
configuring optical monitoring.
Ruckus(config)# interface ethernet 1/1/1 to 1/1/2
Ruckus(config-mif-e10000-1/1/1-1/1/2)# optical-monitor
You can also review the timer interval for a port by
using:
Ruckus# show optic-timer 1/3/1
Optical monitoring timer Interval for Port 1/3/1 is 10
mins
Revision 0919 3 - 17
ICX 200 Port Monitoring and Management
• Optics information for XFP and SFP ports provide detection of temperature, transmit
power, receive power, transmit bias, and current1
– These measurements are indications of overall health of transceivers2
Field Description
Revision 0919 3 - 18
ICX 200 Port Monitoring and Management
Low-Alarm Monitored level has dropped below the “low-alarm” threshold set by the
manufacturer of the optical transceiver.
Low-Warn Monitored level has dropped below the “low-warn” threshold set by the
manufacturer of the optical transceiver.
Normal Monitored level is within the “normal” range set by the manufacturer of
the optical transceiver.
High-Warn Monitored level has climbed above the “high-warn” threshold set by the
manufacturer of the optical transceiver.
High-Alarm Monitored level has climbed above the “high-alarm” threshold set by the
manufacturer of the optical transceiver.
Revision 0919 3 - 19
ICX 200 Port Monitoring and Management
• Ensure you have the proper media installed based on distance and purpose
– Verification of DOM media support will also be displayed1
Revision 0919 3 - 20
ICX 200 Port Monitoring and Management
Revision 0919 3 - 21
ICX 200 Port Monitoring and Management
• UDLD is a layer two protocol using a keep-alive mechanism that monitors physical ports
providing fast disablement of failed links
– Provides port disablement at both ends of the link
• Available for individual Ethernet ports or LAGs for both fiber optic and twisted-pair
copper1
– Highly useful on fiber where a looped circuit is not present (unlike copper) or CWDM/DWDM multiplexing
technologies are deployed
– Copper links benefit by detecting failures along paths where intermediate devices cause link “sections”
like with media converters
Active Port Media Media Active Port
Converter Fiber Converter
Copper Copper
2 Port Static Trunk 2 Port Static Trunk
Ruckus Switch Copper Copper Ruckus Switch
(UDLD Enabled) Link Failure (UDLD Enabled)
Media Media
Active Port Active Port
Converter Fiber Converter
Footnote 1: Dynamic LAG is not supported. If you want to configure a LAG group that
contains ports on which UDLD is enabled, you must remove the UDLD configuration
from the ports. After you create the LAG group, you can re-add the UDLD
configuration.
Uni-directional Link Detection (UDLD) monitors a link between two devices and
provides a fast detection of link failures. UDLD brings the ports on both ends of the
link down if the link goes down at any point between the two devices. This feature is
useful for links that are individual ports and for LAG links.
Revision 0919 3 - 22
ICX 200 Port Monitoring and Management
• UDLD Considerations
– Both ends must be compatible devices
– Must be enabled on both ends of a link
– Not available on dynamic LAGs2
– UDLD LAG configuration requires enablement of UDLD on each port of the group individually
Revision 0919 3 - 23
ICX 200 Port Monitoring and Management
UDLD Configuration
Revision 0919 3 - 24
ICX 200 Port Monitoring and Management
• UDLD control messages traverse the link as tagged frames as specified below
ICX(config)# link-keepalive ethernet 1/1/18 vlan 22
• VLANs used for UDLD monitoring must be configured consistently between the connected
devices
Footnote 1: You must configure the same VLANs that will be used for UDLD on all
devices across the network; otherwise, the UDLD link cannot be maintained. UDLD
can be enabled on only one VLAN for tagged port.
Syntax: [no] link-keepalive ethernet { unit/slot/port } [ to unit/slot/port [ ethernet
unit/slot/port [ to unit/slot/port ] ... ] [ vlan vlanID ]
Revision 0919 3 - 25
ICX 200 Port Monitoring and Management
• The keepalive interval can be changed from the default of 500ms to a value from 1 – 60
– Each numeric value represents 100ms1
ICX(config)# link-keepalive interval 3
• The number of keepalive attempts can be changed from the default (7) to a value from 3 –
64
ICX(config)# link-keepalive retries 4
• This configuration will cause a port disable state after 1200ms after failure
Footnote 1: Low UDLD link-keepalive interval and retry options are not
recommended as they are more sensitive and prone to flaps.
The Keepalive Interval and Keepalive Retries can be configured to values other than
the default:
Syntax: [no] link-keepalive interval time
The <num> parameter specifies how often the ports send a UDLD packet. You can
specify from 1 – 60, in 100 ms increments. The default is 5 (500 ms).
Syntax: [no] link-keepalive retries number
The <num> parameter specifies the maximum number of times the port will try the
health check. You can specify a value from 3 – 10. The default is 5.
Revision 0919 3 - 26
ICX 200 Port Monitoring and Management
Revision 0919 3 - 27
ICX 200 Port Monitoring and Management
• The show link-keepalive command can also be used to display UDLD information for a
specific port
Revision 0919 3 - 28
ICX 200 Port Monitoring and Management
• If a port is disabled by UDLD, the change is indicated in the output of the show interfaces
brief command
– If the port was already down before UDLD was enabled for the port, the port’s state is listed as None
Revision 0919 3 - 29
ICX 200 Port Monitoring and Management
Revision 0919 3 - 30
ICX 200 Port Monitoring and Management
• Link Fault Signaling is a physical layer protocol that can be enabled on 10 Gbps Ethernet
ports
– When configured the port can detect and report fault conditions on transmit and receive ports to other
connected device
• Transmit LFS must be enabled on both ends of a link
• When a link fault occurs, the Link and Activity LEDs turn off
No Signal
Rx 10 GbE Tx
e 1/3/1 e 1/3/1
Tx Rx
Link down Disable LED
LFS has an advantage over UDLD by performing its operations in hardware which
lowers CPU usage which also provides improved scalability.
Revision 0919 3 - 31
ICX 200 Port Monitoring and Management
LFS Configuration
• LFS can be enabled on a per port basis using the link-fault-signal command (TX disabled by
default)1
– RX LFS is always enabled by default and cannot be disabled
• LFS configuration only applies to enabling or disabling TX LFS
• Enable LFS on any device prior to connecting the device to ICX platforms
– Any connecting device should have LFS enabled to ensure interoperability
• Syslog messages are generated when the link goes up or down or if TX or RX fiber is
removed from one or both sides of the link
Footnote 1: When you enable this feature, the transmit port notifies the remote port
whenever the fiber cable is either physically disconnected or has failed. When this
occurs and the feature is enabled, the device disables the link and turns OFF both
LEDs associated with the ports.
Revision 0919 3 - 32
ICX 200 Port Monitoring and Management
• The show interface ethernet command shows the status of an LFS-enabled link1
• This output shows the LFS-enabled link is down because of an error on the remote port as
indicated by “remote fault”
LFS has detected a link
fault on the remote side
ICX # show interface ethernet 1/3/1
10GigabitEthernet1/3/1 is down (remote fault), line protocol is down
Hardware is 10GigabitEthernet, address is 0012.f227.79d8 (bia 0012.f227.79d8)
Configured speed 10Gbit, actual unknown, configured duplex fdx,actual unknown
Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
BPDU guard is Disabled, ROOT protect is Disabled
Link Fault Signaling is Enabled, Link Error Dampening is Disabled
STP configured to ON, priority is level0
<Output Truncated >
Footnote 1: The Link Fault Signaling is Enabled is added to the output when it is
enabled. If disabled any reference to Link Fault signaling will be completely omitted
from the output.
The show interface brief command will also display the port as down due to LFS error.
ICX# show interface brief
Port Link State Dupl Speed Trunk Tag Pvid Pri MAC
Name
1/2/1 Err-LFS None None None None No 1 0 0012.f227.79d8
Revision 0919 3 - 33
ICX 200 Port Monitoring and Management
Revision 0919 3 - 34
ICX 200 Port Monitoring and Management
• Remote Fault Notification (RFN) is only available for 1 Gbps Ethernet Fiber ports (enabled
by default)
– When enabled the device disables the link and turns OFF both LEDs associated with the ports
• When enabled the transmit port notifies the remote port whenever the fiber cable is
either:
– Physically disconnected
– Failed
Revision 0919 3 - 35
ICX 200 Port Monitoring and Management
• For 1Gbps fiber-optic connections, you can optionally configure a transmit port to notify
the receive port whenever the transmit port becomes disabled1
– RFN is enabled by default and can be disabled in an individual interface basis
• To re-enable RFN
Ruckus(config-if-e1000-1/1/1)# gig-default auto-gig
Footnote 1: When you enable this feature, the transmit port notifies the remote port
whenever the receive fiber cable is either physically disconnected or has failed.
The globally configured Gbps negotiation mode is the default mode for all Gbps fiber
ports. You can override the globally configured default and set individual ports to the
following:
• neg-full-auto - The port first tries to perform a handshake with the other port to
exchange capability information. If the other port does not respond to the
handshake attempt, the port uses the manually configured configuration
information (or the defaults if an administrator has not set the information). This is
the default.
• auto-gig - The port tries to perform a handshake with the other port to exchange
capability information.
• neg-off - The port does not try to perform a handshake. Instead, the port uses
configuration information manually configured by an administrator.
Revision 0919 3 - 36
ICX 200 Port Monitoring and Management
Keep-alive LAG
Revision 0919 3 - 37
ICX 200 Port Monitoring and Management
Keep-alive LAG
• Keep-alive LAG link between two devices allows you to configure a LAG for use in keep-
alive applications similar to the UDLD feature
– This configuration does not aggregate ports but uses the LACP PDUs to maintain/monitor the connection
status between the two device ports
• Disables link when LACP messages are not able to be exchanged
– Provide high compatibility between vendor devices due to the use of LACP standard
For a keep-alive LAG, sFlow can be enabled only at the interface level and not at a
LAG context. To configure sFLow for an interface belonging to the keep-alive LAG,
configure directly under the interface.
Ruckus(config-lag-kblue)# interface ethernet 1/1/10
Ruckus(config-if-e1000-1/1/10)# sflow forwarding
Because deployments of UDLD along with other link monitoring protocols can vary
causing incompatibility. LACP however is primarily used for link aggregation and is a
very stable and widely supported and provides an effective link monitoring tool
especially across different vendor connections. This is highly recommended if you are
using different vendors on each side of the link you want to monitor.
Revision 0919 3 - 38
ICX 200 Port Monitoring and Management
Revision 0919 3 - 39
ICX 200 Port Monitoring and Management
Revision 0919 3 - 40
ICX 200 Port Monitoring and Management
• Port Flap Dampening increases the resilience and availability of the network by limiting the
number of port state transitions on an interface
– Links are monitored for down transitions
• If transitions exceed a specified threshold within a given time the link is physically disabled for the specified time
• When the timer expires the port is re-enabled
• Considerations
– Only down transitions are counted
– Sampling time is started after the first down transition occurs
– UDLD toggles as well as physical link states are counted
– For a LAG the link-error-disable command is applied to the LAG interface1
Footnote 1: Once configured on the LAG virtual interface, the feature is enabled on
all ports that are members of the LAG. You cannot configure port flap dampening on
port members of the LAG.
Revision 0919 3 - 41
ICX 200 Port Monitoring and Management
• To display the status of a port and its Link error status use:
ICX# show link-error-disable all
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 42
toggle-threshold -Specifies the number of times a port link state goes from up to
down and down to up before the wait period is activated. The value ranges from 1
through 50.
sampling-time-in-sec - Specifies the amount of time, in seconds, during which the
specified toggle threshold can occur before the wait period is activated. The default
value is 0 and indicates that the time is forever. The value ranges from 0 through
65535.
wait-time-in-sec - Specifies the amount of time, in seconds, for which the port
remains disabled (down) before it becomes enabled. The value ranges from 0 through
65535. A value of 0 indicates that the port will stay down until an administrative
override occurs.
Revision 0919 3 - 42
ICX 200 Port Monitoring and Management
Revision 0919 3 - 43
ICX 200 Port Monitoring and Management
• Use the show chassis command to view power supply, fan and temperature information
– Also at the bottom of the output is the chassis MAC address
Fanless model
Slot 1 Current Temperature: 81.6 deg-C (Sensor 1), 10.0 deg-C (Sensor 2), 60.7 deg-C (Sensor 3), 62.2
deg-C (Sensor 4)
Slot 2 Current Temperature: NA
Slot 3 Current Temperature: NA
Warning level.......: 100.0 deg-C
Shutdown level......: 109.0 deg-C
Boot Prom MAC : 609c.9fe6.0e40
Management MAC: 609c.9fe6.0e40
The show chassis command displays information on power supplies, fans and
temperature.
The output shows ICX stack unit one with a single, AC PoE power supply installed.
There are 2 fan trays installed and their status is OK. Also note the temperature
readings for the both the management thermal plane and the PoE thermal plane.
Also, the management MAC address is displayed.
Revision 0919 3 - 44
ICX 200 Port Monitoring and Management
• Use the show module command to view each module type installed
– Interface modules should have a status of OK
The show module command displays the modules currently installed in the unit and
their status.
Revision 0919 3 - 45
ICX 200 Port Monitoring and Management
• Use the show cpu command to see CPU usage for an ICX switch
The output from the show cpu command displays the usage of the single CPU that
runs on the switch. It is broken up by time periods of 1, 5, 60 and 300 seconds. These
time periods allow better understanding of the duration of a high CPU usage event.
SigHdlrTsk 0
OsTsk 0
TimerTsk 0
FlashTsk 0
MainTsk 0
MportPollTsk 0
IntrTsk 0
itc 0
syslog 0
<Output Truncated>
Revision 0919 3 - 46
ICX 200 Port Monitoring and Management
• To view the default, maximum, current and configured system-max values use the show
default values command
Revision 0919 3 - 47
ICX 200 Port Monitoring and Management
Module Summary
Revision 0919 3 - 48
ICX 200 Port Monitoring and Management
End of Module 3:
Port Monitoring and Management
Revision 0919 3 - 49
ICX 200 Port Monitoring and Management
Revision 0919 3 - 50
ICX 200 Layer 2 Discovery Protocols
Module 4:
Layer 2 Discovery Protocols
Module Objectives
– Describe the Ruckus proprietary protocol Foundry Discovery Protocol (FDP) and its configuration
Link Layer Discovery Protocol is a standard protocol that is widely used and supported
by many vendors and devices.
Ruckus ICX devices support many of the features that LLDP provides including station
discovery, Network management as well as Media Endpoint Discovery attribute
advertisements. As a result directly connected devices can be discovered and
recorded by LLDP advertisements in a multi vendor environment. This aids in
topology mapping and troubleshooting along with inventory. End devices can benefit
from LLDP as well by the advertisement of MED attributes allowing the successful
onboarding of end devices providing emergency service information and VLAN
assignment.
Other TLVs can be disabled or specified to the admin preference. Refer to the config
guide for specific configuration needs.
Transmit mode: An LLDP agent initiates the transmission of LLDP packets whenever
the transmit countdown timing counter expires, or whenever LLDP information has
changed. When a transmit cycle is initiated, the LLDP manager extracts the MIB
objects and formats this information into TLVs. The TLVs are inserted into an LLDPDU,
addressing parameters are prepended to the LLDPDU, and the information is sent out
LLDP-enabled ports to adjacent LLDP-enabled devices.
Receive mode: When an LLDP agent receives LLDP packets, it checks to ensure that
the LLD PDUs contain the correct sequence of mandatory TLVs, then validates
optional TLVs. If the LLDP agent detects any errors in the LLDPDUs and TLVs, it drops
them in software. TLVs that are not recognized but do not contain basic formatting
errors, are assumed to be valid and are assigned a temporary identification index and
stored for future possible alter retrieval by network management. All validated TLVs
are stored in the neighbor database.
LLDP Considerations
• Cisco Discovery Protocol (CDP) and Foundry Discovery Protocol (FDP) run independently of
LLDP1
– These discovery protocols can run simultaneously on the same device
• LLDP packets have the standard Multicast Destination MAC address (01:80:c2:00:00:0e)
and are sent with highest priority (7)
• By default, the ICX device limits the number of neighbors per port to four2
Footnote 1: Details about CDP and FDP are discussed later in this module.
Footnote 2: If the advertisements by the neighbor exceed the maximum value of the
neighbor per port or if it exceeds the maximum neighbors configured at the global
level then the new advertisements will be dropped. ICX devices stagger transmission
of LLDP packets on different ports to minimize any high-usage spikes to the CPU. To
change the maximum number of neighbors for which LLDP data is retained for the
entire system, use the lldp max-total-neighbors command at the global config
prompt. Default LLDP neighbors per device is 392 and the configurable range is range
of 16 to 8192. To change the maximum number of LLDP neighbors per port, use the
LLDP max-neighbors-per-port command. Default per port is 4 and the configurable
range is 1 to 64.
LLDP typically uses Ethernet to forward its LLDPPDUs. The Ethernet type used for
LLDP is 0x88cc
LLDP Configuration
• Disabling specific ports from LLDP using the default (send/receive) mode
ICX(config)# no lldp enable ports ethernet 1/1/1
Footnote 1: Ports enabled for LLDP using the default mode requires removing ports
from the default before placing them in transmit or receive mode.
By default, Ruckus devices do not accept tagged LLDP packets from other vendor
devices. To enable support for tagged LLDP packets:
ICX(config)# lldp tagged-packets process
When enabled, the device accepts incoming LLDP tagged packets if the VLAN tag
matches with a configured VLAN on the port, the default VLAN for a tagged port.
Specify the maximum number of LLDP neighbors per device.
ICX(config)# lldp max-total-neighbors 500
This example changes the maximum number of LLDP neighbors for the entire device
to 500
Specify the maximum number of LLDP neighbors per port .
ICX(config)# lldp max-neighbors-per-port 6
This example changes the maximum number of LLDP neighbors per port to 6.
• Extension to LLDP
– Enables advanced LLDP features
– Discovery between Network Connectivity devices
and media Endpoints
• Example: IP telephones, softphones, VoIP gateways
and conference bridges
• Benefits:
– Vendor-independent management capabilities
• Enables different IP telephony systems to interoperate
– Automatic deployment network policies
• Layer 2 and Layer 3 QoS policies and Voice VLANs
– Supports E-911 Emergency Call Services (ECS) for IP
telephony
– Collects Endpoint inventory information
– Network troubleshooting
• Helps to detect improper network policy configuration
An LLDP-MED class specifies an Endpoint type and its capabilities. An Endpoint can
belong to one of three LLDP-MED class types:
• Class 1 (Generic endpoint) - A Class 1 Endpoint requires basic LLDP discovery
services, but does not support IP media nor does it act as an end-user
communication appliance. A Class 1 Endpoint can be an IP communications
controller, other communication-related server, or other device requiring basic
LLDP discovery services.
• Class 2 (Media endpoint) - A Class 2 Endpoint supports media streams and may or
may not be associated with a particular end user. Device capabilities include media
streaming, as well as all of the capabilities defined for Class 1 Endpoints. A Class 2
Endpoint can be a voice/media gateway, conference, bridge, media server, etc.
• Class 3 (Communication endpoint) - A Class 3 Endpoint supports end user IP
communication. Capabilities include aspects related to end user devices, as well as
all of the capabilities defined for Class 1 and Class 2 Endpoints. A Class 3 Endpoint
can be an IP telephone, softphone (PC-based phone), or other communication
device that directly supports the end user.
Discovery services defined in Class 3 include location identifier (ECS/E911)
information and inventory management.
The LLDP-MED device class is advertised when LLDP-MED is enabled on a port.
Revision 0919 4 - 10
ICX 200 Layer 2 Discovery Protocols
Revision 0919 4 - 11
ICX 200 Layer 2 Discovery Protocols
• Defining a location ID
– Extension enables the Ruckus device to set the physical location that an attached Class III Endpoint will
use for location-based applications
– For each port, you can define one or more of the following location ID formats:
• Geographic location (coordinate-based)
• Civic address
• Emergency Call Services (ECS) Emergency Location Identification Number (ELIN)
• To configure a civic address-based location for LLDP-MED within the global configuration
mode use:1
ICX(config)# lldp med location-id civic-address refers-to client country US
elem 1 CA elem 3 "Sunnyvale“ elem 6 “350 W Java Dr" elem 24 94089 elem 27 5
elem 28 151 elem 29 office elem 23 "John Doe"
Footnote 1: Elements are attributes that are defined in the civic address and are
listed in the following notes pages. Each element value is associated with a specific
element of the address.
Graphic location addressing is associated with a lat/long attribute with additional
values shown below.
ICX(config)# lldp med location-id coordinate-based
latitude 41.87884 resolution 18 longitude 87.63602
resolution 18 altitude floors 103 resolution 30 wgs84
The above configuration shows the following:
Latitude is 41.87884 degrees north (or 41.87884 degrees) - Longitude is 87.63602
degrees west (or 87.63602 degrees1
The location is inside a structure, on the 103rd floor
The WGS 84 map was used as the basis for calculating the location
The Emergency Call Service (ECS) location is used specifically for Emergency Call
Services applications.
ICX(config)# lldp med location-id ecs-elin 4083335745
To display the conferred ECS details use the show lldp localinfo command.
+ MED Location ID
Data Format: ECS ELIN
Value : 4083335745
Revision 0919 4 - 12
ICX 200 Layer 2 Discovery Protocols
Civic address
Description Acceptable values / examples
(CA) type
The ISO 639 language code used for
0 Language
presenting the address information.
National subdivisions (state, canton, Japan - Metropolis
1
region, province, or prefecture) United States – State
Revision 0919 4 - 13
ICX 200 Layer 2 Discovery Protocols
Civic address
Description Acceptable values / examples
(CA) type
The name or number of a part of a
structure where there
are separate administrative units, owners,
or tenants,
such as separate companies or families
26 Unit (apartment, suite)
who occupy that
structure. Common examples include suite
or apartment
designations.
Example: Apt 27
27 Floor Example: 4
The smallest identifiable subdivision of a
28 Room number
structure. Example: 7A
Place type The type of place
described by the civic coordinates.
For
example, a home, office, street, or
other public space.
Example: Office
29 Postal community name When the
postal community name is defined,
the civic
community name (typically CA type
3) is replaced by this
value.
Example: Alviso
When a P.O. box is defined, the street
address components (CA types 6, 16, 17,
31 Post office box (P.O. box)
18, 19, and 20) are replaced with this
value. Example: P.O. Box 1234
An additional country-specific code that
identifies the location. For example, for
Japan, this is the Japan Industry
32 Additional code Standard (JIS) address code. The JIS
address code provides a unique address
inside of Japan, down to the level of
indicating the floor of the building.
The script (from ISO 15924 [14]) used to
present the address information.
128 Script Example: Latn NOTE If not manually
configured, the system assigns
the default value Latn.
Revision 0919 4 - 14
ICX 200 Layer 2 Discovery Protocols
• Network policies apply to applications that have specific real-time network policy
requirements, such as interactive voice or video services
– Intended to run on links between Network Connectivity devices and Endpoints
– Can provide VLAN assignment as well as priority settings for an end device
• The network policy advertisement will appear similar to the following on the remote
device, and in the CLI display output on the Ruckus ICX
ICX# show lldp local-info
+ MED Network Policy
Application Type : Voice
Policy Flags : Known Policy, Tagged
VLAN ID : 99
L2 Priority : 3
DSCP Value : 22
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 15
Endpoints will advertise a policy as "unknown" in the show lldp neighbor detail
command output, if it is a policy that is required by the Endpoint and the Endpoint
has not yet received it.
Revision 0919 4 - 15
ICX 200 Layer 2 Discovery Protocols
• By default, LLDP SNMP notifications and corresponding syslog messages are disabled
– Notifications are set based on identified ports
ICX(config)# lldp enable snmp notifications ports ?
all All LLDP-capable ports
ethernet Ethernet port
• LLDP-MED topology changes can be enabled providing syslog messages when an endpoint
neighbor entry is added or removed1
Revision 0919 4 - 16
ICX 200 Layer 2 Discovery Protocols
• You can use the following CLI show commands to display information about LLDP settings
and statistics:
– show lldp – Displays a summary of the LLDP configuration
– show lldp statistics – Displays LLDP global and per-port statistics
– show lldp neighbors – Displays a list of the current LLDP neighbors
– show lldp neighbors detail – Displays the details of the latest advertisements received from
LLDP neighbors
Revision 0919 4 - 17
ICX 200 Layer 2 Discovery Protocols
LLDP Statistics
ICX# show lldp statistics
Last neighbor change time: 1 day(s) 3 hour(s) 34 minute(s) 12 second(s) ago
Revision 0919 4 - 18
ICX 200 Layer 2 Discovery Protocols
Revision 0919 4 - 19
ICX 200 Layer 2 Discovery Protocols
LLDP Neighbors
ICX# Local port: 1/1/1
Neighbor: 609c.9fe6.0e4b, TTL 116 seconds
+ Chassis ID (MAC address): 609c.9fe6.0e40
+ Port ID (MAC address): 609c.9fe6.0e4b
+ Time to live: 120 seconds
+ System name : "Second_Floor_MDF"
+ Port description : "GigabitEthernet1/1/12"
+ System capabilities : bridge
Enabled capabilities: bridge
+ 802.3 MAC/PHY : auto-negotiation enabled
Advertised capabilities: 10BaseT-HD, 10BaseT-FD, 100BaseTX-HD,
100BaseTX-FD, fdxSPause, fdxBPause,
1000BaseT-HD, 1000BaseT-FD
Operational MAU type : 1000BaseT-FD
+ 802.3 Power via MDI: PSE port, power enabled, class 0
Power Pair : A (not controllable)
<Output Truncated>
+ MED Extended Power via MDI
Power Type : PSE device
Power Source : Unknown Power Source
Power Priority : Low (3)
Power Value : 0.0 watts (PSE equivalent: 0 mWatts)
+ Port VLAN ID: 100
+ Management address (IPv4): 10.1.1.254<Output Truncated>
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 20
Revision 0919 4 - 20
ICX 200 Layer 2 Discovery Protocols
• Using the show lldp local-info command displays the details of the Link Layer Discovery
Protocol (LLDP) advertisements on a per port basis
– LLDP Advertisements can be limited by port using the lldp advertise command
• Note: Many LLDP TLVs are advertised by default and will need to be explicitly disabled
– Examples:1
ICX(config)# no lldp advertise
link-aggregation Advertise 802.3 link aggregation information
mac-phy-config-status Advertise 802.3 MAC/PHY configuration/status
management-address Advertise a management address
max-frame-size Advertise 802.3 maximum frame size
med-capabilities Advertise LLDP-MED capabilities
med-location-id Advertise LLDP-MED location id information
med-network-policy Advertise LLDP-MED network policy information
med-power-via-mdi Advertise LLDP-MED power-via-MDI information
port-description Advertise port description
port-id-subtype Advertise advertise lldp port id subtype
port-vlan-id Advertise 802.1 port untagged VLAN id (PVID)
power-via-mdi Advertise 802.3 power-via-MDI information
system-capabilities Advertise system capabilities
system-description Advertise system description
system-name Advertise system name
vlan-name Advertise 802.1 VLAN name
Footnote 1: For a full list of LLDP advertising control options refer to the ICX
Management guide. Note that many of these are advertised automatically therefore
will need to be disabled on ports you do not want the information shared. Below is
an example of disabling of the system name being advertised on Ethernet 1/1/2.
Revision 0919 4 - 21
ICX 200 Layer 2 Discovery Protocols
Revision 0919 4 - 22
ICX 200 Layer 2 Discovery Protocols
Revision 0919 4 - 23
ICX 200 Layer 2 Discovery Protocols
• FDP provides neighbor discovery of directly connected devices by sending Layer 2 frames
to MAC address 00-00-00-CC-CC-CC
Revision 0919 4 - 24
ICX 200 Layer 2 Discovery Protocols
Enabling FDP
• FDP can be enabled globally or at the interface level providing greater control and security
• Globally enable configure:
ICX(config)# fdp run
Revision 0919 4 - 25
ICX 200 Layer 2 Discovery Protocols
Revision 0919 4 - 26
ICX 200 Layer 2 Discovery Protocols
• Cisco Discovery Protocol (CDP) packets are used by Cisco devices to advertise themselves
to other Cisco devices
– ICX devices forward these packets without examining their contents (Default)
– An ICX device can intercept and display the contents of CDP version 1 and version 2 packets1
Footnote 1: The Ruckus device can interpret only the information fields that are
common to both CDP version 1 and CDP version 2 . When you enable interception of
CDP packets, the Ruckus device drops the packets and will not provide the forwarding
of packets like it did when disabled.
Footnote 2: CDP runs as a companion to the FDP protocol therefore for CDP
interception to take place FDP needs to be enabled for it to function.
CDP complementary to the IEEE 802.1AB standard Link Layer Discovery Protocol
(LLDP) that is implemented by multiple vendors and is functionally similar to CDP.
Revision 0919 4 - 27
ICX 200 Layer 2 Discovery Protocols
Footnote 1: If CDP intercept is enabled on an ICX device the information and statistics
gathered is displayed using the same commands described in the following slides.
Revision 0919 4 - 28
ICX 200 Layer 2 Discovery Protocols
Revision 0919 4 - 29
ICX 200 Layer 2 Discovery Protocols
Revision 0919 4 - 30
ICX 200 Layer 2 Discovery Protocols
Module Summary
– Describe the Ruckus proprietary protocol Foundry Discovery Protocol (FDP) and its configuration
Revision 0919 4 - 31
ICX 200 Layer 2 Discovery Protocols
End of Module 4:
Layer 2 Discovery Protocols
Revision 0919 4 - 32
ICX 200 Multi-Chassis Trunking
Module 5:
Multi-Chassis Trunking
Module Objectives
– Use show commands to review and analyze status of MCT cluster operations
• Other features:
– Integrated loop detection, which allows all links to be
active
– Easy deployment without fundamentally changing the
existing architecture
– Sub-second failure detection and re-allocation of traffic
MCT Terminology
• Inter-Chassis Link (ICL) – a single-port or multi-port static LAG between two MCT cluster
devices to communicate data flow and control messages between them
– Cluster Communication Protocol (CCP) - protocol used between MCT aware devices
The ICL is the Inter-Chassis Link between MCT logical peers. On ICX devices this must
be a static LAG. It provides data flow and control messages between them. On the
ICL, two control routing protocols are being managed. One is CCP which is Cluster
Communication Protocol based on TCP. The other is the MAC Database Update
Protocol (MDUP). It is recommended that you set up the ICL as a static LAG with at
least two ports. This provides port-level redundancy and higher bandwidth for cluster
communication. An ICL cannot be a regular port link or an LACP trunk. It must be a
single or multiple port static LAG.
Cluster Communication Protocol (CCP) provides reliable, point-to-point transport of
cluster communication and sync between MCT peers. CCP works on TCP port 4175.
Applications such as MAC Database Update between cluster peers can use CCP to
synchronize their MAC tables. Applications (MAC Manager, STP, etc.) can register with
CCP dynamically. Since CCP protocol is based on TCP, an IP address is needed for CCP
to function. Peer nodes exchange session parameters, including Cluster ID, RBridge
ID, Keep Alive time, Hold time, and Fast failover. Once keep alive messages are
exchanged, CCP will migrate into an UP state.
MDUP is used to synchronize MAC addresses between the peers. ICL ports should not
be untagged members of any VLAN. The ICL is a tagged Layer 2 link, which carries
packets for multiple VLANs. An ICL is preferably a LAG that provides port level
redundancy and higher bandwidth for cluster communication.
Customer Client Edge Port (CCEP) are physical ports on one of the MCT cluster
switches that is a member of the LAG interface to the MCT client. Ultimately another
physical port of the LAG will also be connected to the other switch in the MCT cluster.
• RBridge
– Any device involved in the MCT cluster including peer and client
• RBridge ID
– A unique ID assigned to each MCT peer and client
• MCT Peers:
– Pair of physical switches which act as one logical switch
– Edge switches or servers are connected via a LAG
– LAGs are distributed across the MCT pair
Cluster Edge Port (CEP) is a port on an MCT cluster device that belongs to the MCT
VLAN and connects to a switch, router or host but is neither a CCEP nor an ICL. CEPs
do not benefit from the MCT features, they allow connectivity to single homed clients
or routed interfaces.
An RBridge is any device involved in the MCT cluster, including peer and clients. Each
RBridge in the cluster has a unique ID.
The RBridge ID is a value assigned to MCT cluster devices and clients that uniquely
identifies them and helps associate learned MAC addresses with MCT clients.
Cluster RBridge IDs cannot conflict with any client RBridge ID. Client RBridge IDs
should match between cluster peers for the same common client.
MCT Peers are the pair of physical switches which act as one logical switch. Edge
switches or servers are connected via a LAG. LAGs are spread across the MCT pair.
The MCT Session VLAN is the VLAN used by the MCT cluster for control operations.
CCP runs over this VLAN. The MCT session VLAN subnet is not distributed in routing
protocols using redistribute commands.
The MCT Keep-alive VLAN is a VLAN configured to provide an alternate
communication path between MCT peers during ICL/CCP failure.
MCT Limitations
MCT Configuration
Footnote 1: IPv6 is not supported with MCT. All IP configurations used with MCT must use
IPv4.
Footnote 2: When running switch code, the global IP address of each MCT peer must be in
the same subnet to establish MCT CCP session.
These are the basic configuration steps necessary to configure an MCT cluster. The steps to
configure cluster clients will be covered in later slides. These steps will include:
• Configuring the LAG used for the Inter-Chassis Link (ICL), which can only be configured
as a static LAG.
• The required Session VLAN must be configured and the optional, but highly
recommended keep-alive VLAN should be as well.
• IP interfaces used for Cluster Communication Protocol (CCP) messages will be
configured. When running switch code, this be accomplished with the global IP
address, as it is the only IP address on the device. When running router code, it will be
a Virtual Ethernet (VE) interface on the Session VLAN.
• The cluster will be defined with all necessary parameters for establishing a CCP session
between MCT peer nodes.
The configuration examples provided in the following slides are completed on the switch
labeled MCT1 in the graphic. In order for MCT to function properly the equivalent commands
must also be completed on the switch labeled MCT2. The commands for configuring MCT2
will be provided in the notes section of this guide.
The steps above are applied in this order to provide a logical flow of how MCT is configured.
The steps are not required to be completed in this order. However, some of the steps defined
do have dependencies that will dictate the order of configuration steps.
Footnote 1: On a switch image, STP is enabled by default for all the VLANs; however,
for MCT, Layer 2 protocols such as STP and RSTP must not be enabled on the session
VLAN. Therefore, STP must be disabled explicitly for the session VLAN. STP is
automatically disabled in the router image.
Here we configure the ICL LAG as a static LAG and ports 1/1/1 and 1/1/2 are added as
members. Next, the recommended keep-alive VLAN is created using VLAN ID 3001
and port 1/1/24 is added as a member. Lastly, the session VLAN is created using VLAN
ID 3000, the ICL LAG is added as a member and Spanning Tree is explicitly disabled.
MCT2 Configuration Example:
MCT2(config)# lag MCT-ICL static id 2
MCT2(config-lag-MCT-ICL)# ports eth 1/1/1 to 1/1/2
MCT2(config-lag-MCT-ICL)# vlan 3000 name Session-VLAN
MCT2(config-vlan-3000)# tagged lag 2
MCT2(config-vlan-3000)# no spanning-tree
MCT2(config-vlan-3000)# vlan 3001 name MCT-keep-alive
MCT2(config-vlan-3001)# tagged ethernet 1/1/24
Revision 0919 5 - 10
ICX 200 Multi-Chassis Trunking
• Configure VE interface
MCT1(config)# interface ve 3000
MCT1(config-vif-3000)# ip address 1.1.1.1/30
In this example, the MCT peers are running router code, therefore the next step is to
create Virtual Ethernet (VE) interface 3000 in VLAN 3000. Once created, the interface
can be accessed with the interface ve 3000 command and an IP address can be
assigned. Next, the cluster is created with the cluster command. This command
requires the name of the cluster as well as the desired cluster ID to be provided.
MCT2 Configuration Example:
MCT2(config-vlan-3000)# router-interface ve 3000
MCT2(config-vlan-3000)# interface ve 3000
MCT2(config-vif-3000)# ip address 1.1.1.2/30
MCT2(config-vif-3000)# cluster MCT 1
MCT2(config-cluster-MCT)#
Revision 0919 5 - 11
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 12
ICX 200 Multi-Chassis Trunking
MCT Considerations
• The MCT cluster can be deployed separately without any clients configured
– When the cluster is deployed, it will check any deployed clients and start the state machine for the clients
– Clients can be configured and deployed as needed
• Once the cluster is deployed, only cluster clients, cluster member VLANs and client
isolation mode can be modified
– Cluster must be “un-deployed” to make any other changes
MCT1(config-cluster-MCT)# no deploy
You could stop the configuration here and deploy the MCT cluster separately without
any clients configured.
When the cluster is deployed, it will check for any deployed clients and start the state
machine for any that are found.
Clients can then be configured and deployed as needed.
However, once the cluster is deployed, only cluster clients, cluster member VLANs
and client isolation mode can be modified. No other cluster settings can be modified
unless the cluster is “un-deployed” with the no deploy command in the cluster
configuration context.
Revision 0919 5 - 13
ICX 200 Multi-Chassis Trunking
• Client isolation mode defines actions to be taken on client ports in the event of CCP failure
When using loose mode, When the CCP is down in loose mode, the following results
occur.
• If the keep-alive VLAN is configured, CCRR messages, used to exchange
information between peer devices, are sent every second over that VLAN.
• When CCP is down and a keep-alive VLAN is configured, active/standby
selection is based on the following criteria:
• If one device’s CCEPs are up and the peer’s CCEPs are down, the peer with
the local CCEPs down becomes the standby.
• Otherwise, the device with the higher RBridge ID becomes the standby.
• If no packets are received from the peer device for a period of three seconds,
the peer is considered down.
The CLI will allow modification of the client-isolation mode on MCT cluster nodes
even when the cluster is deployed. You must configure the same isolation mode on
both cluster nodes.
To configure client isolation strict mode enter the following command:
MCT1(config-cluster-MCT)# client-isolation strict
Syntax: [no] client-isolation strict
To revert back to the default of client isolation loose mode, use the “no” form of the
command:
MCT1(config-cluster-MCT)# no client-isolation strict
Revision 0919 5 - 14
ICX 200 Multi-Chassis Trunking
Peer Info:
----------
Peer IP: 1.1.1.2, Peer Rbridge Id: 2, ICL: MCT-ICL
KeepAlive Interval: 10 , Hold Time: 90, Fast Failover
Active Vlan Range: 1000
Last Reason for CCP Down: Not Down
Peer State: CCP Up (Up Time: 3 days:17 hr:55 min:34 sec)
The show cluster {cluster-id | cluster-name} peer command will display information
related to peer communications and status.
Output begins with local peer node information, including:
• Rbridge ID
• Session VLAN
• Keep-alive VLAN
• Cluster status
• Client isolation mode
• List of member VLANs
• Status of peer reachability over the keep-alive VLAN
Below that is information about the MCT peer node, including:
• Peer IP
• Peer RBridge ID
• ICL used for CCP
• MCT timers
• Active member VLANs on peer
• Reason for last CCP failure (if any)
• Peer CCP state
Revision 0919 5 - 15
ICX 200 Multi-Chassis Trunking
• Both client deployments methods will be covered using the topology shown here
– Client #1 will be configured using manually method
– Client #2 will be configured using automatic method
Manual client configuration includes administratively setting the client name, client
RBridge ID (unique identification for each client), client interface (CCEP), and
deployment settings on both MCT cluster devices. When many cluster clients are
being configured in a cluster, manual configuration can take a considerable amount of
time.
Cluster client automatic configuration saves the time that would be required to
complete the entire configuration manually. However it also comes with some
limitations, for example:
• There is no ability to configure client names, they are automatically generated
• No ability to control RBridge ID assignment, they are automatically generated
• Can be automatically deployed upon discovery. Optionally, the discovered
clients can be added to the running configuration in an undeployed state. To be
manually deployed at a later time.
Revision 0919 5 - 16
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 17
ICX 200 Multi-Chassis Trunking
Here we configure the Client1 LAG and assign the port members.
Next, we create the client VLAN and add the client LAG as well as the ICL LAG.
Remember the ICL must be a member of each MCT/Client VLAN.
Finally, from the MCT cluster configuration context, the client is defined with the
client command followed by a client name. This will move you to the client
configuration context, where you will:
• Define the RBridge ID, which must be unique
• Define the client interface, which will typically be a LAG
• Deploy the cluster client with the deploy command
In the example topology, Client #1 is connected to MCT2 through a single port.
However, because dynamic LAGs are being used on the client switches, it must still be
configured as a single-port LAG on the MCT switch. This is because if LACP is not
running on the interface, the dynamic LAG on the client-side will not be able to
negotiate trunk capabilities and the port will not be allowed as a member.
If static LAGs are used on the Client switches, the LAG configuration step for single-
port connections from MCT peers is optional and the client-interface command will
identify an ethernet port, rather than a LAG. For example:
MCT2(config-cluster-MCT-Client1)# client-interface ethernet 1/1/3
Revision 0919 5 - 18
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 19
ICX 200 Multi-Chassis Trunking
• Cluster prerequisites:
– The cluster must be configured on both MCT cluster devices
– Any client VLAN/s must be configured on both MCT cluster devices
• Client-facing ports must be members
– Trunk group/LAG configuration must be removed from the client-facing interfaces
– The client interfaces must be up and operational
Client configuration includes setting the client name, client RBridge ID (unique
identification for each client), client interface (CCEP), and deployment settings on
both MCT cluster devices. With a significant number of clients per cluster, manual
configuration can take a considerable amount of time.
Cluster client automatic configuration saves the time that would be required to
complete the entire configuration manually.
For cluster client automatic configuration to work, the following prerequisites are
required on the cluster side:
• The cluster must be configured on both MCT cluster devices.
• An MCT VLAN must be configured on both MCT cluster devices.
• The trunk group configuration must be removed from the client interfaces.
• The client interfaces must be up and operational.
• The cluster ID must be unique when there are multiple clusters interconnected
in a topology. For example, in a cascaded stage 2 MCT cluster, the cluster ID on
a stage 1 pair of switches must be different from the cluster ID on a stage 2 pair
of switches.
The following prerequisites are required on the client side:
• VLAN and trunk group configuration must be completed. Both static and
dynamic LAG types are supported.
• Link Level Discovery Protocol (LLDP) must be enabled.
Revision 0919 5 - 20
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 21
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 22
ICX 200 Multi-Chassis Trunking
Discovered client’s
hostname and MAC
address
Here we see the execution of the automatic configuration commands on the example
topology from the MCT1 peer. Ports 1/1/7 and 1/1/8 are identified as client-auto-
detect ports and then the auto-detect process is started.
The console output shows that the process has indeed started. Then, a client
discovered on port 1/1/7 and is running LACP. Next port 1/1/8 and is added to the
dynamic/LACP LAG connecting to the same client.
Notice the client hostname and MAC address are included in the client identifier, in
this case the hostname is “Client1”.
MCT2 Configuration Example:
MCT2(config-cluster-MCT)# client-auto-detect ethernet
1/1/5 to 1/1/6
MCT2(config-cluster-MCT)# client-auto-detect start
CLUSTER AUTOCONFIG INFO - Cluster 1 client auto-config
process started
CLUSTER AUTOCONFIG INFO - New Client: A-Client2-
609c9f41cc24 with rbridge id: 2446 discovered on port
1/1/6 with dynamic lag(lacp) capability
CLUSTER AUTOCONFIG INFO - Port 1/1/5 added as LACP
interface to Client:A-Client2-609c9f41cc24
Revision 0919 5 - 23
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 24
ICX 200 Multi-Chassis Trunking
• Use the client-auto-detect config command to save the discovered clients to the running-
config
– Optionally, use deploy-all to automatically deploy the discovered clients
Lastly, the client-auto-detect config deploy-all command is used to apply the changes
to the running-configuration. Using the deploy-all option ensures the newly
discovered clients are also deployed after creation. If the deploy-all option is not
used, the clients will be added to the running-configuration but they will not be
deployed, requiring manual deployment by the administrator.
Also notice the output that indicates a new LAG was configured and deployed and
Spanning Tree was disabled on the CCEP LAG interface. Next, we see both ports being
removed from the auto-config port list. Finally, since those were all of the ports in the
auto-config port list, the auto-config process is stopped automatically.
MCT2 Configuration Example:
MCT2(config-cluster-MCT)# client-auto-detect config
deploy-all
LAG MCT-CCAC-LAG_3 deployed successfully!
Spanning tree is disabled on CCEP port lg3 of MCT
Client: A-Client2-609c9f41cc24.
CLUSTER AUTOCONFIG INFO - Port 1/1/5 is successfully
programmed as client interface. Removing from
autoconfig port list.
CLUSTER AUTOCONFIG INFO - Port 1/1/6 is successfully
programmed as client interface. Removing from
autoconfig port list.
CLUSTER AUTOCONFIG INFO - Cluster 1 client auto-config
process stopped
Revision 0919 5 - 25
ICX 200 Multi-Chassis Trunking
Once the cluster is configured, you can use the show cluster {cluster-id | cluster-
name} config command to view the configuration. Remember to always make sure
the cluster and each configured client are deployed for proper operation.
MCT2 Configuration Example:
MCT2# show cluster MCT config
cluster MCT 1
rbridge-id 2
session-vlan 3000
keep-alive-vlan 3001
icl MCT-ICL lag 2
peer 1.1.1.1 rbridge-id 1 icl MCT-ICL
deploy
client Client1
rbridge-id 100
client-interface lag 21
deploy
client A-Client2-609c9f41cc24
rbridge-id 2446
client-interface lag 1
deploy
!
Revision 0919 5 - 26
ICX 200 Multi-Chassis Trunking
The show cluster client command displays the client information including the client
name, RBridge ID, configured/deployment state, LAG interface and trunk ID of the
LAG connected to the client and the FSM-State.
The FSM-State displays status of the Finite State Machine (FSM). This can be very
helpful as a validation and troubleshooting tool. Valid FSM-States are:
• Up – CCEP ports on both MCT peers are up.
• Local Up – CCEP ports are up on local MCT peer, but down on remote peer.
• Remote Up – CCEP ports are down on local MCT peer, but up on remote peer.
• Admin Up – CCEP ports on both MCT peers are enabled and deployed but
down.
Revision 0919 5 - 27
ICX 200 Multi-Chassis Trunking
Client Info:
------------
Number of Clients configured: 2
Name Rbridge-id Config Port Trunk FSM-State
A-Client2-609c9f41cc24 2446 Deployed lg1 1 Up
Client1 100 Deployed lg21 21 Up
The show cluster command displays a lot of useful information including the local
peer’s RBridge ID, the Session VLAN, and the cluster state, and more. The Peer Info
section shows connection information and status. These two sections are the same
information and display format as the show cluster {cluster-id | cluster-name} peer
output.
The ICL Info section displays the configured name and ports that make up the ICL.
At the bottom of the output, the Client Info section displays details about each
configured. This output is identical to the show cluster {cluster-id | cluster-name}
client command output.
Revision 0919 5 - 28
ICX 200 Multi-Chassis Trunking
Client Info:
------------ Client Information
Client: Client1, rbridge-id: 100, Deployed including, RBridge ID,
Client Port: lg21, Trunk Id :21 client ports, and state
Client portmask: ethe 1/1/5 to 1/1/6 lag 21
State: Up
Number of times Local CCEP down: 0 Client
statistics
Number of times Remote CCEP down: 0
Number of times Remote Client undeployed: 0
<Output Truncated>
Display more client details using the show cluster { cluster-id | cluster-name } client [
client-name ] command. Here we see the cluster information, as well as the client
information and statistics.
Revision 0919 5 - 29
ICX 200 Multi-Chassis Trunking
To display the CCP status between cluster peers, use the show cluster {cluster-id |
cluster-name} ccp peer command. Here we see that the peer at IP address 10.1.1.2 is
operational, and the amount of time CCP communications have been up to the peer.
Revision 0919 5 - 30
ICX 200 Multi-Chassis Trunking
Add the detail parameter, and you can see peer connection information as well as the
communication between the peers on the TCP port. There is lengthy data here that is
typically most useful in analysis and troubleshooting situations.
Revision 0919 5 - 31
ICX 200 Multi-Chassis Trunking
<Continuation>
TCP connection is up
TCP connection is initiated by 1.1.1.2
TCP connection tcbHandle not pending
TCP connection packets received
TCP Connection Details
----------------------
TCP Connection state: ESTABLISHED Maximum segment size: 1436
Local host: 1.1.1.1, Local Port: 4175
Remote host: 1.1.1.2, Remote Port: 12148
ISentSeq: 1186266851 SendNext: 1186956087 TotUnAck: 0
TotSent: 689236 ReTrans: 0 UnAckSeq: 1186956087
IRcvSeq: 1222766851 RcvNext: 1223443067 SendWnd: 16384
TotalRcv: 676216 DupliRcv: 0 RcvWnd: 16384
SendQue: 0 RcvQue: 0 CngstWnd: 1436
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 32
Here we have the continuation of the output from the show {cluster-id | cluster-
name} ccp peer detail command. This section displays the status of the TCP
connection and statistics of the various messages used to maintain the MCT cluster
and clients.
Revision 0919 5 - 32
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 33
ICX 200 Multi-Chassis Trunking
There are two links on the CCEP side on Client. If only one link fails, the trunk is still
up and there is minimal impact. If both links are down, MCT is designed to handle
that scenario. In other words, if MCT1 CCEPs are down then it will use MCT2 CCEPs
and data loss should be minimal or sub-second.
Revision 0919 5 - 34
ICX 200 Multi-Chassis Trunking
• Use show cluster mct client command to display client status after CCEP failure
FSM-States
MCT1# show cluster MCT client Up – CCEP ports up on both peers
Client Info: Local UP – CCEP ports up only on local peer
------------ Remote Up – CCEP ports up only on remote peer
Number of Clients Configured: 2 Admin Up – All CCEP ports enabled & deployed but down
Name Rbridge-id Config Port Trunk FSM-State
A-Client2-609c9f41cc24 2446 Deployed lg1 1 Up
Client1 100 Deployed lg21 21 Remote Up
The show cluster client command displays the client information including the client
name, RBridge ID, configured/deployment state, LAG interface and trunk ID of the
LAG connected to the client and the FSM-State.
The FSM-State displays status of the Finite State Machine (FSM). This can be very
helpful as a validation and troubleshooting tool. Valid FSM-States are:
• Up – CCEP ports on both MCT peers are up.
• Local Up – CCEP ports are up on local MCT peer, but down on remote peer.
• Remote Up – CCEP ports are down on local MCT peer, but up on remote peer.
• Admin Up – CCEP ports on both MCT peers are enabled and deployed but
down.
Revision 0919 5 - 35
ICX 200 Multi-Chassis Trunking
When an MCT cluster device goes down (for example, due to a power failure), the
traffic fails over to the other MCT cluster device.
Revision 0919 5 - 36
ICX 200 Multi-Chassis Trunking
Master-Standby negotiation
occurs on a per-client basis
If a keep-alive VLAN is used, the devices in the cluster can communicate even if the
ICL goes down. If the peer device is reachable over the keep-alive VLAN, the MCT
peers perform the active/standby negotiation per client. After negotiation, the
standby shuts down its client ports, and the active client ports continue to forward
the traffic.
The active/standby negotiation is performed per MCT client on the basis of RBridge
ID and client local or remote accessibility. If the client is reachable from both MCT
devices, the lower RBridge ID becomes the active device. If the client can be accessed
only from one of the MCT devices, the cluster device on which it is reachable
becomes the active device.
If the peer device cannot be reached over the keep-alive VLAN, then both cluster
devices keep forwarding.
Revision 0919 5 - 37
ICX 200 Multi-Chassis Trunking
When the keep-alive VLAN is not configured, both cluster devices keep forwarding.
Use the client-isolation strict command to disable the client interface as soon as the
ICL link goes down to completely isolate the client.
Revision 0919 5 - 38
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 39
ICX 200 Multi-Chassis Trunking
VRRP-E
Standby
HostA HostB
Host A Traffic
Host B Traffic
Revision 0919 5 - 40
ICX 200 Multi-Chassis Trunking
– short-path-forwarding
• Allows backup VRRP-E router to forward Layer 3
traffic if a forwarding path is available
• Provides Active-Active capability at Layer 3
– Routing occurs at standby if a forwarding path is
available VRRP-E
Standby
– Traffic forwards to Master if:
• No route is matched
• Only default route is matched HostA HostB
Host A Traffic
Host B Traffic
Revision 0919 5 - 41
ICX 200 Multi-Chassis Trunking
Module Summary
– Use show commands to review and analyze status of MCT cluster operations
Revision 0919 5 - 42
ICX 200 Multi-Chassis Trunking
End of Module 5:
Multi-Chassis Trunking
Revision 0919 5 - 43
ICX 200 Multi-Chassis Trunking
Revision 0919 5 - 44
ICX 200 Layer 3 Fundamentals
Module 6:
Layer 3 Fundamentals
Module Objectives
– Explain and configure standard and extended IP Access Control Lists (ACLs)
IP Addressing
Layer 3 Interfaces
• A secondary IP addresses within the same subnet can be added to a interface with the
secondary parameter
Layer 3 IPv4 and IPv6 addresses can be assigned to each of the interface types shown
here. On these interfaces, multiple IP addresses can be assigned. The function of
assigning IP addresses for multiple subnets on a single interface is referred to as
“multi-netting”. There are limits to how many IP addresses can be assigned to a single
interface, but the limit is based on hardware platform.
When IP addresses are configured on an interface, any existing IP addresses are not
removed. Unused/undesired IP addresses must be manually removed.
If there is a need to assign an interface with two IP addresses from the same subnet,
the secondary parameter must be used when defining the second IP address.
NOTE: By default, all physical and virtual routing interfaces configured on the device
use the base MAC address of the device or the configured stack MAC address. You
can specify a different MAC address for each physical or virtual routing interface. To
specify the MAC address for routing interfaces, enter commands such as the
following.
ICX(config)# interface ve 1000
ICX(config-vif-1000)# ip-mac aaaa.bbbb.cccc
ICX(config-vif-1000)# interface ethernet 1/1/13
ICX(config-if-e1000-1/1/13)# ip-mac 1234.5678.9abc
• Syntax: [no] ip-mac mac-addr
IPv4 Addressing
• IPv4 addresses are defined with the ip address command within the interface
configuration context
– Either dotted decimal or CIDR notation can be used for subnet mask
Ruckus Layer 3 devices support Internet Protocol version 4 (IPv4) and IPv6. IP support
on Ruckus Layer 2 switches consists of host services and functionality to support
management access and access to a default gateway.
All Ruckus IPv4 addresses can be configured and displayed in two formats:
• Classical subnet format with the IP address and subnet mask in dotted decimal
format.
• Classless Interdomain Routing (CIDR) format with the IP address in dotted
decimal but followed by a forward slash and a number representing the subnet
mask.
You can use either format when configuring IP address information. IP addresses are
displayed in classical subnet format by default, but you can change the display format
to CIDR.
To remove an IP address from an interface, the no ip address command is used. No
subnet mask is needed to remove IP address from interface. Additionally, you can
remove all IP addresses assigned to an interface with the * option.
While not shown on the slide, you can replace the primary IP address assigned to an
interface with by appending replace to the end of the ip address command. This will
in affect remove the primary IP address that is in the same subnet as the address
being added. This is supported on a router image only and does not allow the
changing of the subnet mask.
ICX-Router(config)# interface ethernet 1/1/1
ICX-Router(config-if-e1000-1/1/1)# ip address
10.45.6.100/24 replace
IPv6 Addressing
• IPv6 capabilities are globally enabled with the ipv6 unicast-routing command
– IPv6 traffic forwarding can be disabled globally by using the no ipv6 unicast-routing command
To forward IPv6 traffic on a router interface, the interface must have an IPv6 address,
or IPv6 must be enabled. By default, an IPv6 address is not configured on a router
interface. You must enable IPv6 and configure an IPV6 address to forward IPv6 traffic
on a router interface.
If you choose to configure a global or site-local IPv6 address for an interface, IPv6 is
also enabled on the interface. Further, when you configure a global IPv6 address, you
must decide on one of the following in the low-order 64 bits:
• A manually configured interface ID
• An automatically computed EUI-64 interface ID
If you prefer to assign a link-local IPv6 address to the interface, you must specifically
enable IPv6 on the interface, which causes a link-local address to be automatically
computed for the interface. If preferred, you can override the automatically
configured link-local address with an address that you manually configure.
• Enabling IPv6 on an interface without configuring a global or unique local unicast address
• When multiple VLANs share a port or VE, manually assigned link-local addresses should be
used
– All physical and VE interfaces share the same MAC address, resulting in duplicate link-local addresses
• The anycast keyword allows the device to recognize the assigned address as an anycast
address
• ICX interfaces can support both IPv4 ands IPv6 forwarding (dual-stacking) on the same
interface automatically
– No additional steps needed
A router interface can be configured to support both the IPv4 and IPv6 protocol
stacks.
Each router interface that sends and receives both the IPv4 and IPv6 traffic must be
configured with an IPv4 address and an IPv6 address. In this task, IPv6 is globally
enabled, an IPv4 address and an IPv6 address are configured for a specific interface.
Revision 0919 6 - 10
ICX 200 Layer 3 Fundamentals
• The neighbor discovery feature for IPv6 uses IPv6 ICMP messages to perform the following
tasks:
– Determine the link-layer address of a neighbor on the same link
– Verify that a neighbor is reachable
– Track neighbor devices
– Perform Duplicate Address Detection (DAD)
• An IPv6 host is required to listen for and recognize the following addresses that identify
itself:
– Link-local address
– Assigned unicast address
– Loopback address
– All-nodes multicast address
– Solicited-node multicast address
– Multicast address to all other groups to which it belongs
Revision 0919 6 - 11
ICX 200 Layer 3 Fundamentals
• Logical routing interface the ICX device uses to route Layer 3 protocol traffic between
VLANs
– Configure a virtual routing interface on each VLAN that needs routing capabilities
• Routing parameters are configured on the virtual routing interfaces allowing for routing
outside the local switch
– These parameters can include:
• IPv4/v6 addresses
Routing
• Static routing associated with the VE interface
(next hop)
eth1/1/1 ve10 ve2 ve20
• Routing protocols such as OSPF providing
dynamic routing to and from the VLAN
• Layer 3 redundancy protocols such as
VRRP/VRRP-E VLAN VLAN VLAN
10 2 22
A virtual interface is a logical port associated with a Layer 3 Virtual LAN (VLAN)
configured on a Layer 3 switch. You can configure routing parameters on the virtual
interface to enable the Layer 3 switch to route protocol traffic from one Layer 3 VLAN
to the other, without using an external router.
You can configure IP routing interface parameters on a virtual interface, including:
• Configuring IPv4 and IPv6 addresses
• Configure static routing which points to a VE as the next-hop
• Configure and enable dynamic routing protocols, including OSPF and BGP
• Configure Layer 3 gateway redundancy protocols such as VRRP and VRRP-E
Revision 0919 6 - 12
ICX 200 Layer 3 Fundamentals
Revision 0919 6 - 13
ICX 200 Layer 3 Fundamentals
ICX-Router(config)# vlan 2
ICX-Router(config-vlan-2)# untag ethernet 1/1/11 to 1/1/16
ICX-Router(config-vlan-2)# router-interface ve 2
ICX-Router(config-vlan-2)# interface ve 2
ICX-Router(config-vif-2)# ip address 192.123.2.1/24
ICX-Router(config-vif-2)# ipv6 address
2001:db8:12d:2::/64 eui-64
ICX-Router(config-vif-10)# vlan 22
ICX-Router(config-vlan-22)# untag ethernet 1/1/17 to 1/1/24
ICX-Router(config-vlan-22)# router-interface ve 20 Not required
to match
ICX-Router(config-vlan-22)# interface ve 20 (but should)
ICX-Router(config-vif-22)# ip address 192.123.22.1/24
ICX-Router(config-vif-2)# ipv6 address 2001:db8:12d:22::/64 eui-64
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 14
Here we have examples adding additional VLANs and VEs. In VLAN 2, router interface
VE 2 is created and in VLAN 22, VE 20 is created. Notice that VLAN 22 does not have
the same ID value as its router interface (VE20). These are two values are not
required to match however it is a best practice to do so.
The graphic shows that, upon creation, each of theses virtual interfaces, as well as
the physically interface configured earlier are “connected to the same routing engine
of the switch. This allows local routing between devices that are connected to these
interfaces (virtual and physical) to communicate, as long as those devices are
properly configured themselves.
Revision 0919 6 - 14
ICX 200 Layer 3 Fundamentals
• If the interfaces with IP addresses configured are up, their routes will be present in the IP
route table
– A tagged or untagged port member of a VLAN must be up in order for the VE interface in the same VLAN
to be up
Revision 0919 6 - 15
ICX 200 Layer 3 Fundamentals
• When jumbo frame support is enabled, the IP Maximum Transmission Unit (MTU) default
value increases based on Ethernet encapsulation type:
– Ethernet II – From 1,500 to 10,178
– SNAP – From 1,492 to 10,174
ICX devices support Layer 2 jumbo frames on 10/100, 10/100/1000, 40GbE and
10GbE ports. Conventionally, jumbo frames can carry up to 9,000 bytes MTU. In cut-
through mode, in jumbo mode, the MTU is 10200 which uses 20 buffers. In non-
jumbo mode MTU is 1522 which uses 3 buffers. Support for jumbo frames can be
enabled using the jumbo command.
When jumbo mode is not enabled, the maximum Ethernet MTU sizes are as follows:
• 1,500 bytes - The maximum for Ethernet II encapsulation (Default MTU: 1500)
• 1,492 bytes - The maximum for SNAP encapsulation (Default MTU: 1492)
When jumbo mode is enabled, the maximum Ethernet MTU sizes are as follows:
• 10,178 bytes - The maximum for Ethernet II encapsulation
• 10,174 bytes - The maximum ‐ for SNAP encapsulation
Revision 0919 6 - 16
ICX 200 Layer 3 Fundamentals
Layer 3 Features
Revision 0919 6 - 17
ICX 200 Layer 3 Fundamentals
• ARP is a Layer 2 (L2) protocol used to determine a MAC address when only an L3 IP address
is known
– Each device caches any discovered MAC addresses in a table
• The table is a mapping of IP addresses to MAC addresses
• Addresses are typically cached for 300 seconds by default
If a host wants to send a message to some other device on the LAN and knows its
destination IP address, the host must discover the Ethernet MAC address of the
target. This requirement occurs because Ethernet hardware does not understand IP
protocols or IP addresses. The destination IP address is associated with a MAC
address belonging to the target, and is present on the LAN.
Before sending an IP packet, the host must send a broadcast message onto the LAN
using ARP to discover the MAC address of its intended target. The switch or router
that has that MAC address in its tables can now send its IP packet to the destination.
The host’s operating system also stores the newly discovered MAC address in a table
(the result is cached). This table of mappings from IP addresses to MAC addresses is
retained and consulted multiple times, so the ARP discovery procedure only has to be
performed if the ARP cache does not have an entry.
A timer is set when information is entered into the ARP cache. Mappings occur when
the timer expires (five minutes by default for most devices).
Revision 0919 6 - 18
ICX 200 Layer 3 Fundamentals
ARP Aging
• ARP entries for learned devices age out of the ARP cache at a set interval
– Default ARP age interval is 10 minutes
When the Layer 3 switch places an entry in the ARP cache, the Layer 3 switch also
starts an aging timer for the entry. The aging timer ensures that the ARP cache does
not retain learned entries that are no longer valid. An entry can become invalid when
the device with the MAC address of the entry is no longer on the network.
The ARP age affects dynamic (learned) entries only, not static entries. The default ARP
age is ten minutes. On Layer 3 switches, you can change the ARP age to a value from
0 through 240 minutes. If you set the ARP age to zero, aging is disabled and entries
do not age out. You cannot change the ARP age on Layer 2 switches.
The following task configures the ARP aging time globally.
1. Enter the global configuration mode
device# configure terminal
2. Enter the ip arp-age command followed by the aging time in minutes.
device(config)# ip arp-age 100
The following task overrides the global ARP aging time.
1. Enter the global configuration mode
device# configure terminal
2. Specify the interface to be configured in the interface mode.
device(config)# interface ethernet 1/1/1
3. Enter the ip arp-age command followed by the aging time in minutes.
device(config-if-e1000-1/1/1)# ip arp-age 30
Revision 0919 6 - 19
ICX 200 Layer 3 Fundamentals
– Syntax: [no] arp ip-address mac-address { ethernet unit/slot/port | lag lag-id | inspection }
• The ethernet unit/slot/port option specifies the port number attached to the device that has the MAC address of
the entry
• The lag lag-id option specifies the LAG interface attached to the device that has the MAC address of the entry
• The inspection option is related to the Dynamic ARP Inspection (DAI) feature which will be covered in another
section of this course
Static ARP entries are added to the ARP cache when they are configured. Static ARP
entries are useful in cases where you want to pre-configure an entry for a device that
is not connected to the Layer 3 switch, or you want to prevent a particular entry from
aging out.
Ruckus Layer 3 switches have a static ARP table, in addition to the regular ARP cache.
Unlike static ARP entries, dynamic ARP entries are removed from the ARP cache if the
ARP aging interval expires before the entry is refreshed. Static entries do not age out,
regardless of whether the Ruckus device receives an ARP request from the device
that has the entry address.
Enter the following command to create a static ARP entry in the ARP cache.
device(config)# arp 10.53.4.2 0000.0054.2348 ethernet 1/1/2
NOTE: You cannot create static ARP entries on a Layer 2 switch.
Revision 0919 6 - 20
ICX 200 Layer 3 Fundamentals
Route-only
• Layer 2 switching can be disabled globally or on individual ports with the route-only
command
• The route-only feature can be configured globally, causing all ports to disable Layer 2
switching functionality
ICX-Router(config)# route-only
– These ports will now allow layer 2 switching between them and could still support Layer 3 forwarding with
a VE interface
Revision 0919 6 - 21
ICX 200 Layer 3 Fundamentals
Here is an example of an entry in the IP route table. It is displayed when the show ip
route command is executed.
Each IP route table entry contains the destination IP address and subnet mask and
the IP address of the next-hop router interface to the destination. Each entry also
indicates the port attached to the destination or the next-hop to the destination, the
route IP metric (cost), and the type. The type column indicates how the IP route table
received the route.
The route type, can be one of the following:
• B - The route was learned from BGP.
• D - the destination is directly connected to this Ruckus device.
• R- The route was learned from RIP.
• S - The route is a static route.
• * - The route is a candidate default route.
• O - The route is an OSPF route. Unless you use the OSPF option to display the
route table, 'O' is used for all OSPF routes. If you do not use the OSPF option,
the following type codes are used:
• O - OSPF intra area route (within the same area.)
• IA - The route is an OSPF inter area route (a route that passes from one area
in another area.)
• E1 - The route is an OSPF external type 1 route.
• E2 - The route is an external type 2 route.
Revision 0919 6 - 22
ICX 200 Layer 3 Fundamentals
Here is an example of an entry in the IPv6 route table. It is displayed when the show
ipv6 route command is executed.
Each IPv6 route table entry contains the destination IP address and subnet mask and
the IP address of the next-hop router interface to the destination. Each entry also
indicates the port attached to the destination or the next-hop to the destination, the
route IP metric (cost), and the type. The type column indicates how the IP route table
received the route.
The route type, can be one of the following:
• C - the destination is directly connected to this Ruckus device
• S - The route is a static route
• R- The route was learned from RIPng
• O - The route is an OSPFv3 route. Unless you use the OSPF option to display the
route table, 'O' is used for all OSPF routes. If you do not use the OSPF option,
the following type codes are used:
• O - OSPF intra area route (within the same area.)
• Oi - The route is an OSPF inter area route (a route that passes from one area
in another area.)
• O1 - The route is an OSPF external type 1 route
• O2 - The route is an external type 2 route
• B - The route was learned from BGP4
Revision 0919 6 - 23
ICX 200 Layer 3 Fundamentals
Learning IP Routes
– Directly connected routes — The networks that are directly connected to the router are always known
and added to the routing table
• A router knows a network is reachable because it has an interface in the address range
– Dynamic routes — A routing protocol populates routes it has learned from other routers
• A router learns of remote networks from a neighboring router
Revision 0919 6 - 24
ICX 200 Layer 3 Fundamentals
Static Routes
Revision 0919 6 - 25
ICX 200 Layer 3 Fundamentals
Question:
Given the static routes shown, can Host A ping interfaces on the 10.1.1.0/30 network?
Host A Host B
Revision 0919 6 - 26
ICX 200 Layer 3 Fundamentals
Default Routes
• A default route is used when an explicit route to a destination network is not known
– Is last in the order of execution of the routing table and can be dynamically learned by a routing protocol
• Syntax: [no] ip route dest-ip-addr next-hop-addr [ metric ] [ distance distance ] [ name string ] [ tag tag ]
You can manually create a static default route that the router uses if there are no
other routes to a destination network.
To configure a static default route, use the ip route command with 0.0.0.0 0.0.0.0 as
the destination route and network mask followed by a valid next-hop address.
device(config)# ip route 0.0.0.0 0.0.0.0 10.24.4.1
This example on the slide configures two different default routes however the second
has a higher administrative distance. If both routes are available the first will be
preferred because of its more favorable Administrative Distance (default 1). If the first
route becomes unavailable the second route will then be placed into the routing
table allowing for an alternate path as a default route.
Revision 0919 6 - 27
ICX 200 Layer 3 Fundamentals
• The default route is always displayed first in the IP routing table, as it is the least specific
If you configure 10.1.1.0/24 as a candidate default network route, if the IP route table
does not contain an explicit default route (0.0.0.0/0), the software uses the default
network route and automatically uses that route's next hop gateway as the default
gateway. If a topology change occurs and as a result the default network route's next
hop gateway changes, the software can still use the default network route.
However, if a default route is configured, the default network will only be used if the
default route becomes invalid and is removed from the IP routing table.
Revision 0919 6 - 28
ICX 200 Layer 3 Fundamentals
Null Route
• Null route is a static route that drops packets going to a specific network or host address
– A quick and easy way to block traffic going to a single route such as:
• Restricted websites
• Illegal IP address filtering
• Unused subnets within a summarized route1
• Attack mitigation (DDoS)
Footnote 1: When routes are summarized the ICX device will automatically add a null
route for the summarized address range to prevent routing loops.
You can configure a null static route to drop packets to a certain destination. This is
useful when the traffic should not be forwarded if the preferred route is unavailable.
Revision 0919 6 - 29
ICX 200 Layer 3 Fundamentals
• Null routes are displayed in the IP routing table with a port of drop
In the IP routing table, a null route is identified with the word “drop” in the port
column of the show ip route output.
Revision 0919 6 - 30
ICX 200 Layer 3 Fundamentals
Revision 0919 6 - 31
ICX 200 Layer 3 Fundamentals
IPv4/IPv6 ACLs
• IPv4 and IPv6 access control lists (ACLs) permit or deny packets according to defined rules
• ICX ACLs are programmed into the Content Addressable Memory (CAM)
– Packets are permitted or denied in the hardware
– No requirement to send the packets to the CPU for processing
Layer 3 (IPv4 and IPv6) access control lists (ACLs) permit or deny packets according to
rules included in the ACLs.
When a packet is received or sent, the device compares its header fields against the
rules in applied ACLs. This comparison is done according to a rule sequence, which
you can specify. Based on the comparison, the device either forwards or drops the
packet.
ACLs include the following benefits:
• Providing security and traffic management
• Monitoring network and user traffic
• Saving network resources by classifying traffic
• Protecting against denial of service (DoS) attacks
Because applied ACLs are programmed into the Content Addressable Memory (CAM),
packets are permitted or denied in the hardware, without sending the packets to the
CPU for processing.
Revision 0919 6 - 32
ICX 200 Layer 3 Fundamentals
• When an ACL is applied to a interface, all traffic not explicitly permitted is denied/blocked
• When a packet is received or sent, the device compares its header fields against the rules
in applied ACLs
– Comparison follows a specified rule sequence
• The sequence of rules in an ACL is critical
• The first rule that matches the traffic stops further processing of the packet
– Based on the comparison, the device either forwards or drops the packet
The default action when no ACLs are configured on a device is to permit all traffic.
However, once you configure an ACL and apply it to a port, the default action for that
port is to deny all traffic that is not explicitly permitted on the port:
• If you want to tightly control access, configure ACLs consisting of permit entries
for the access you want to permit. The ACLs implicitly deny all other access.
• If you want to secure access in environments with many users, you may want to
configure ACLs that consist of explicit deny entries, and then add an entry to
permit all access to the end of each ACL. The software permits packets that are
not denied by the deny entries.
Revision 0919 6 - 33
ICX 200 Layer 3 Fundamentals
2. Define permit and deny rules, using the optional sequence numbers and deny or permit command
3. Apply the ACL to one or more interfaces, using the relevant command:
• IPv4: ip access-group
• IPv6: ipv6 traffic-filter
Revision 0919 6 - 34
ICX 200 Layer 3 Fundamentals
IPv4 ACLs
Standard ACLs filter exclusively on source addresses. The default action is to deny all
traffic that has not been explicitly permitted. Permitted or denied packets can be sent
to the system log.
Extended ACLs permit or deny traffic according to source and destination addresses,
as well as other parameters, including:
• Port name or number
• Protocol (for example, TCP or UDP)
• TCP flags
In ICX release 8.0.90, there are two naming types for IPv4 standard and extended
ACLs that be configured; numbered and named.
Standard numbered ACLs can be in the numerical range of 1-99. Extended numbered
ACLs can be in the numerical range of 100-199. If the number selected is outside of
this range of the selected type when configuring, an error will be generated.
Named ACLs allow you to configure a user friendly name for the ACL. Named ACLs
must begin with an alphabetic character.
While ACLs can be used for many purposes, the basic process of configuring and
applying ACLs is to create the ACL globally, then assign it to one or more interfaces.
Revision 0919 6 - 35
ICX 200 Layer 3 Fundamentals
• For each rule, enter the deny or permit command, specifying the needed parameters:
ICX(config-std-nacl)# permit host 10.157.10.26 log
ICX(config-std-nacl)# deny 10.157.10.0 0.0.0.255 log
ICX(config-std-nacl)# deny 10.157.20.0/24 log
ICX(config-std-nacl)# permit any
– Partial Syntax: [ permit | deny ] { S_IPaddress [ mask ] | host S_IPaddress | any } [ log ] [ mirror ]
Revision 0919 6 - 36
ICX 200 Layer 3 Fundamentals
Display ACLs
• To display ACLs, use the show access-list command followed by the ACL number or name
For details of commands for displaying IPv4 ACLs, refer to the following commands in
the Ruckus FastIron Command Reference Guide:
• show access-list
• show access-list accounting
• show access-list named-acl
• show ip access-lists
To display the number of Layer 4 CAM entries used by each ACL, enter the following
command:
device# show access-list all
Extended IP access list 100 (Total flows: N/A, Total packets: N/A,
Total rule cam use: 3)
permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule
cam use: 1)
permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
The Rule cam use field lists the number of CAM entries used by the ACL or entry. The
number of CAM entries listed for the ACL itself is the total of the CAM entries used by
the ACL entries.
For flow-based ACLs, the Total flows and Flows fields list the number of Layer 4
session table flows in use for the ACL.
The Total packets and Packets fields apply only to flow-based ACLs.
Revision 0919 6 - 37
ICX 200 Layer 3 Fundamentals
• Based on the ACL configured on the previous slide, only one host on the 10.157.10.0/24
subnet will be permitted
• What if you wanted to allow another host? Would adding the following statement to the
existing ACL work?
Host
10.157.10.45
Host
10.157.10.26
Revision 0919 6 - 38
ICX 200 Layer 3 Fundamentals
Sequence Matters
• The filter at sequence 20 will match and deny the packet before sequence 50
• Statements can be added to ACLs between existing statements with sequence command
ICX(config)# ip access-list standard 19
ICX(config-std-nacl)# sequence 15 permit host 10.157.10.45 log
You can specify and modify the sequence in which ACL rules are applied to traffic. By
default, the order in which ACL rules run is determined by the sequence in which they
are added to the ACL. Beginning with FastIron 08.0.50—preserving this order—
sequence numbers are automatically added to existing ACL rules in the following
manner:
• The first rule within each ACL is numbered 10.
• The sequence number for each succeeding rule is incremented by 10.
In new ACLs that you create, specifying rule sequence numbers is optional. However,
sequence numbers are assigned automatically in the previously mentioned order.
Sequence numbers have the following advantages:
• If you need a new rule to run between existing rules, you assign the new rule a
sequence number between those two rules.
• New rules are implemented seamlessly, with no need to re-apply ACLs.
• If you delete a rule, there is no need to re-apply the ACL.
If you add a rule to an ACL without specifying its sequence, the rule is added at the
end of the list. Such a rule is automatically assigned the next multiple of 10 as a
sequence number.
Revision 0919 6 - 39
ICX 200 Layer 3 Fundamentals
Revision 0919 6 - 40
ICX 200 Layer 3 Fundamentals
Resequencing ACLs
Revision 0919 6 - 41
ICX 200 Layer 3 Fundamentals
Extended ACLs
• Extended ACLs permit or deny traffic according to source and destination addresses, as
well as other parameters
– For example, in an extended ACL, you can also filter by one or more of the following parameters:
• Port name or number
• Protocol (for example, TCP or UDP)
• TCP flags
Extended ACLs filter traffic according to source and destination addresses, as well as
other parameters. The default action is to deny all traffic that has not been explicitly
permitted. Permitted or denied packets can be referenced in the system log.
In ICX release 8.0.90, there are two types of IPv4 extended ACLs that be configured;
numbered and named.
Numbered extended ACLs can be in the numerical range of 100-199. If the number
selected is outside of this range when configuring an extended ACL, an error will be
generated.
Named ACLs allow you to configure a user friendly name for the ACL. Named ACLs
must begin with an alphabetic character.
While ACLs can be used for many purposes, the basic process of configuring and
applying ACLs is to create the ACL globally, then assign it to one or more interfaces.
Revision 0919 6 - 42
ICX 200 Layer 3 Fundamentals
Use the following syntax to define a TCP or UDP rule that will deny or permit packets:
[ no ] [deny | permit] { tcp | udp } { S_IPaddress [ mask ] | host S_IPaddress | any
} [ source-comparison-operators ] { D_Ipaddress [ mask ] | host D_IPaddress | any }
[ established ] [ destination-comparison-operators ] [ precedence {
precedencename | precedence-value } ] [ tos { tos-name | tos-value } ] [ dscp-
matching dscp-value ] [ dscp-marking dscp-value ] [ 802.1p-priority-matching
802.1p-value ] [ 802.1p-priority-marking 802.1p-value ] [ internal-priority-
marking queuing-priority ] [ 802.1p-and-internal-marking priority-value ] [ traffic-
policy name ] [log] [mirror]
Use the following syntax to define an ICMP rule that will deny or packets:
[ no ] [deny | permit] icmp { S_IPaddress [ mask ] | host S_IPaddress | any } {
D_IPaddress [ mask ] | host D_IPaddress | any } [ icmpnum | icmp-type ] [
precedence { precedence-name | precedence-value } ] [ tos { tos-name | tos-value }
] [ dscpmatching dscp-value ] [ dscp-marking dscp-value ] [ 802.1p-priority-
matching 802.1p-value ] [ 802.1p-prioritymarking 802.1p-value ] [ internal-
priority-marking queuing-priority ] [ 802.1p-and-internal-marking priority-value ] [
traffic-policy name ] [ log ] [ mirror ]
Use the following syntax to define a rule for protocols other than TCP, UDP, or ICMP
that will deny or permit packets:
[ no ] [deny | permit] ip-protocol { S_IPaddress [ mask ] | host S_IPaddress | any }
{ D_IPaddress [ mask ] | host D_IPaddress | any } [ precedence { precedence-name
| precedence-value } ] [ tos { tos-name | tos-value } ] [ dscp-matching dscp-value ] [
dscp-marking dscp-value ] [ 802.1p-priority-matching 802.1p-value ] [ 802.1p-
priority-marking 802.1p-value ] [ internal-priority-marking queuing-priority ] [
802.1p-and-internal-marking priority-value ] [ traffic-policy name ] [log] [mirror]
Revision 0919 6 - 43
ICX 200 Layer 3 Fundamentals
ip-protocol
Specifies the type of IPv4 packet to filter. You can either specify a protocol number
(from 0 through 255) or a supported protocol name. For a complete list of protocols,
type ? after deny. Supported protocols include:
• icmp—Internet Control Message Protocol
• igmp—Internet Group Management Protocol
• igrp—Internet Gateway Routing Protocol
• ip—any IPv4 protocol
• ospf—Open Shortest Path First
• tcp—Transmission Control Protocol
• udp—User Datagram Protocol
S_IPaddress
Specifies a source address for which you want to filter the subnet.
D_IPaddress
Specifies a destination address for which you want to filter the subnet.source-
comparison-operators and destination-comparison-operators
If you specified tcp or udp, the following optional operators are available:
• eq - Specifies the address is equal to the port name or number you enter after
eq.
• gt - Specifies port numbers that are equal to or greater than the port number or
that are equal to or greater than the numeric equivalent of the port name you
enter after gt.
• lt - Specifies port numbers that are equal to or less than the port number or
that are equal to or less than the numeric equivalent of the port name you
enter after lt.
• neq - Specifies all port numbers except the port number or port name you enter
after neq.
• range - Specifies all port numbers that are between the first port name or
number and the second name or number you enter following the range
keyword. Enter the range as two values separated by a space. The first port
number in the range must be less than the last number in the range. For
example, to apply the policy to all ports between and including 23 (Telnet) and
53 (DNS), enter the following: 23 53 .
Revision 0919 6 - 44
ICX 200 Layer 3 Fundamentals
• For each rule, enter the deny or permit command, specifying the needed parameters:
ICX(config-ext-nacl)# deny tcp host 209.157.10.26 any eq telnet log
ICX(config-ext-nacl)# permit ip any any
– Basic Syntax: [ permit | deny ] { tcp | udp } { S_IPaddress [ mask ] | host S_IPaddress | any } { D_Ipaddress
[ mask ] | host D_IPaddress | any } [ log ] [ mirror ]
The commands in this example configure a extended ACL named block_telnet. The
ACL blocks telnet traffic from the host with IP address 209.157.10.26. The second
entry allows all other traffic types to pass through.
Revision 0919 6 - 45
ICX 200 Layer 3 Fundamentals
Here we see the how traffic is affected by the ACL. Telnet from the denied host is
filtered at the interface while all other traffic types from the host, or any host on the
port, is permitted.
The show access-list named-acl command is used to view standard and extended
named ACLs on an ICX switch.
Revision 0919 6 - 46
ICX 200 Layer 3 Fundamentals
IPv6 ACLs
Revision 0919 6 - 47
ICX 200 Layer 3 Fundamentals
• For each rule, enter the deny or permit command, specifying the needed parameters:
ICX(config-ipv6-access-list ipv6_test)# deny tcp host 2001:DB8:e0bb::2 any eq telnet
ICX(config-ipv6-access-list ipv6_test)# permit ipv6 any any
– Basic Syntax: [ permit | deny ] { tcp | udp } { S_IPaddress [ mask ] | host S_IPaddress | any } { D_Ipaddress [ mask ] |
host D_IPaddress | any } [ log ] [ mirror ]
The IPv6 protocol can be one of the following well-known names or any IPv6 protocol
number from 0 through 255:
• Authentication Header (AH) protocol
• Encapsulating Security Payload (ESP)
• Internet Control Message Protocol (ICMP)
• Internet Protocol Version 6 (IPv6)
• Stream Control Transmission Protocol (SCTP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comparison operator and port name or
number. For example, you can configure a policy to block web access to a specific
website by denying all TCP port 80 (HTTP) packets from a specified source IPv6
address to the website IPv6 address.
IPv6 ACLs also provide support for filtering packets based on DSCP.
Revision 0919 6 - 48
ICX 200 Layer 3 Fundamentals
Revision 0919 6 - 49
ICX 200 Layer 3 Fundamentals
• Policy Based Routing (PBR) is a mechanism that allows the administrator to identify
incoming packets and forward them out a different next hop interface instead of the one
chosen by the routing protocol
Policy-based routing (PBR) is the process of altering a packet's path based on criteria
other than the destination address. PBR allows you to use access control lists (ACLs)
and route maps to selectively route an IP packet. The ACLs classify the traffic and the
route maps that match on the ACLs set routing attributes for the traffic.
A PBR policy specifies the routing attributes for traffic that matches the policy. Using
standard ACLs with route maps in PBR, an IP packet is routed based on its source IP
address. With extended ACLs, you can route IP packets based on all of the clauses in
the extended ACL.
Revision 0919 6 - 50
ICX 200 Layer 3 Fundamentals
Footnote 1: The need for PBR can vary depending on the network design. In some
situations only one router needs to alter the routing path. Because PBR is locally
significant it is possible each router needs to be configured.
The following are the basic steps used to configure a PBR policy:
1. Configure ACLs that specify all the conditions required to match the desired
packets to be routed using PBR.
2. Configure a route map that matches on the ACLs and sets the route information.
3. Enable PBR by applying the route map globally or on an untagged interface or
virtual interface.
Revision 0919 6 - 51
ICX 200 Layer 3 Fundamentals
Revision 0919 6 - 52
ICX 200 Layer 3 Fundamentals
Route Maps
• Route maps are commonly used for policy-based routing but may also be used for:
– Redistribution manipulation between routing protocols
– Route metric modification
– Attribute and route manipulation between BGP neighbors
– Route filtering
• A sequential series of match and set statements that either permit or deny the identified
traffic
– Match statement - can include such things as an interface, IP information, BGP attribute and protocol
types
– Set statement - identified traffic within the match statement can be manipulated by either excluding it
from normal processes, changing its characteristics or its forwarding behavior
Route maps are very versatile and can be used to enhance many routing processes
and protocols. Here we focus on route maps used for policy based routing (PBR).
Route maps enable you to define routing policy for the traffic causing a packet to be
forwarded to a predetermined next-hop interface, bypassing the path determined by
normal routing. Each entry in a route map statement contains a combination of
match and set statements. A route map specifies the match criteria that correspond
to ACLs, followed by a set statement that specifies the resulting action if all of the
match clauses are met. You can define multiple match and next-hop specifications on
the same interface. When a PBR policy has multiple next hops to a destination, PBR
selects the first live next hop specified in the policy that is up. If none of the policy's
direct routes or next hops is available, the packets are forwarded as per the routing
table.
• Match statement – IP standard or extended ACLs can be used to establish the
match criteria. Using the standard ACLs with route maps in PBR, an IP packet is
routed based on its source IP address. Using the extended ACLs, you can route
IP packets based on all of the clauses in the extended ACL.
• Set statement – Traffic that matches a match statement in the route map is
forwarded as defined by set commands. Multiple set commands can be
configured and when a match condition is met, the device works sequentially
through the list of set commands until it finds the first "next hop" that is
operational and uses it. If that "next hop" goes down, the next available next-
hop as defined in a set command is chosen and if all next hop interfaces in the
list are down, the packet is routed as determined in the IP Route Table. If a next-
hop interface that was down comes back up, the next hop selection process
begins again and restarts its selection process from the top of the list.
Revision 0919 6 - 53
ICX 200 Layer 3 Fundamentals
Footnote 1: Available match options are dependent on the ICX hardware platform
used and licenses applied.
Footnote 2: Available set options are dependent on the ICX hardware platform used
and licenses applied.
Route maps are configured globally with the route-map command.
Syntax: [no] route-map map-name [ permit | deny ] num
num - controls the order in which multiple route-maps of the same name are
evaluated, from lowest to highest.
Match statements for PBR match on standard and extended ACLs. With standard
ACLs, only the source IP address is matched. With extended ACLs, filtering can be
based on all of the ACL clauses. This is accomplished with match ip address
command.
Next-hop PBR actions are applied with the set command. Multiple set statements can
be configured and will be applied sequentially, only moving to the next in sequence if
the current next-hop selection is down. If all next-hop options are down, the IP
routing table will be used to forward the packet. If a next-hop of null0 is used, it will
always be processed last, no mater where it is placed in the sequence, and will
prevent the packet from being routed according the IP routing table.
Revision 0919 6 - 54
ICX 200 Layer 3 Fundamentals
In the example, RTR1 is configured with an access list the matches all traffic with the
destination TCP port marked as either 80 or 443.
Next, a route map is created to match the ACL. If the traffic matches the ACL, the next
hop is set to 10.1.2.2.
The last entry in the route map ensures that the default IP forwarding behavior is not
used if the configured next-hop goes down, in that case the traffic is discarded by
routing it to Null0.
Revision 0919 6 - 55
ICX 200 Layer 3 Fundamentals
• Normal routing would forward traffic from both networks up link N1 because of the
favorable metric
• The 10.x network however needs to be translated into a public IP before it is sent out to
the internet
R1(config)# ip access-list standard 99
R1(config-std-nacl)# permit 10.1.0.0 0.0.1.255
R1(config-std-nacl)# route-map to-nat permit 10
R1(config-routemap to-nat)# match ip address 99
R1(config-routemap to-nat)# set ip next-hop 10.2.2.2
R1(config-routemap to-nat)# set interface null0
10.2.2.2
In the example, router R1 is configured with an access list the matches all traffic
originating from the 10.1.0.0/23 subnet.
Next, a route map is created to match the ACL. If the traffic matches the ACL, the next
hop is set to the address of the firewall/NAT device at 10.2.2.2.
The last entry in the route map ensures that the default IP forwarding behavior is not
used if the configured next-hop goes down, in that case the traffic is discarded by
routing it to Null0.
Revision 0919 6 - 56
ICX 200 Layer 3 Fundamentals
• Traffic can be forwarded to a specific exit based on attributes such as source address,
traffic type, ports used, etc.
In the example, router at the bottom of the image is configured with an two access
lists and route maps. The ACLs match all traffic originating from specific subnets.
Next, a route map are created to match each of the ACLs. If the traffic matches the
ACLs, the next hop is set to one of the WAN routers, thus ensuring traffic from Group
1 is sent to the WAN 2 router and traffic from Group 2 is sent to the WAN 1router.
Notice that there is not additional items in the route map to use in the event that the
next hop is down, or unavailable. In this example, if one WAN router goes down,
traffic will follow normal routing behavior and use the only available WAN router.
Revision 0919 6 - 57
ICX 200 Layer 3 Fundamentals
Module Summary
– Explain and configure standard and extended IP Access Control Lists (ACLs)
Revision 0919 6 - 58
ICX 200 Layer 3 Fundamentals
End of Module 6:
Layer 3 Fundamentals
Revision 0919 6 - 59
ICX 200 Layer 3 Fundamentals
Revision 0919 6 - 60
ICX 200 Client Access Services
Module 7:
Client Access Services
Module Objectives
– Describe DHCP helpers on network devices, including DHCP assist and relay
– Explain the capabilities and configuration options for Ruckus ICX DHCP server
DHCP Overview
The Dynamic Host Configuration Protocol (DHCP) is based on the Bootstrap Protocol
(BOOTP) and provides several configuration parameters stored in DHCP server
databases to DHCP clients upon request.
DHCP enables the automatic configuration of client systems. DHCP removes the need
to configure devices individually. Clients can set network properties by connecting to
the DHCP server instead. This protocol consists of two components; a protocol to
deliver host-specific configuration parameters from a DHCP server to a host, and a
mechanism to allocate leased or permanent IP addresses to hosts. DHCP is built on a
client-server model, where designated DHCP server hosts allocate network addresses
and deliver configuration parameters to dynamically configured hosts.
The following parameters control the Layer 3 switch forwarding of BootP and DHCP
requests:
• Helper address - The BootP/DHCP server IP address. You must configure the
helper address on the interface that receives the BootP/DHCP requests from the
client. The Layer 3 switch cannot forward a request to the server unless you
configure a helper address for the server.
• Gateway address - The Layer 3 switch places the IP address of the interface that
received the BootP/DHCP request in the request packet Gateway Address field
(sometimes called the Router ID field). When the server responds to the
request, the server sends the response as a unicast packet to the IP address in
the Gateway Address field. (If the client and server are directly attached, the
Gateway ID field is empty, and the server replies to the client using a unicast or
broadcast packet, depending on the server.)
By default, the Layer 3 switch uses the lowest-numbered IP address on the
interface that receives the request as the Gateway address. You can override
the default by specifying the IP address you want the Layer 3 switch to use.
To forward a client broadcast request for a UDP application when the client and
server are on different networks, you must configure a helper address on the
interface connected to the client.
Specify the server IP address or the subnet directed broadcast address of the server's
IP subnet as the helper address. You can configure up to 16 helper addresses on each
interface. You can configure a helper address on an Ethernet port or a virtual
interface.
The commands in the example above add a helper address for server 10.95.7.6 to the
port. If the port receives a client request for any of the applications that the Layer 3
switch is enabled to forward, the Layer 3 switch forwards the client request to the
server.
You can configure the ICX device so that a BOOTP/DHCP reply to a client contains the
server IP address as the source address instead of the router IP address. To do so,
enter the following command at the Global CONFIG level of the CLI.
ICX(config)# ip helper-use-responder-ip
To modify the maximum number of BootP/DHCP hops, enter the following command.
ICX(config)# bootp-relay-max-hops 10
• By default, when DHCP replies are sent to the client from the helper router, the source
address is the interface facing the client
– You can configure the helper to use the DHCP server IP instead with the ip helper-use-responder-ip
command
• By default, a DHCP helper forwards a DHCP request if its hop count is four or less
– Requests with a hop count greater than four are discarded
– The maximum hop count can be modified with the bootp-relay-max-hops command
ICX(config)# bootp-relay-max-hops 10
Changing the DHCP reply source address - You can configure the device so that a
BOOTP/DHCP reply to a client contains the server IP address as the source address
instead of the router IP address with the ip helper-use-responder-ip command in the
global configuration context.
Changing the maximum number of hops to a BootP relay server - Each router that
forwards a BootP/DHCP packet increments the hop count by one. Routers also
discard a forwarded BootP/DHCP request instead of forwarding the request if the hop
count is greater than the maximum number of BootP/DHCP hops allowed by the
router. By default, a Ruckus Layer 3 switch forwards a BootP/DHCP request if its hop
count is four or less but discards the request if the hop count is greater than four. You
can change the maximum number of hops the Layer 3 switch allows to a value from 1
through 15.
• DHCP Assist on Layer 2 switch inserts gateway information into DHCP Discovery packets
Footnote 1: The DHCP relay function of the connecting router must be turned on.
DHCP Assist allows a Ruckus Layer 2 switch to assist a router that is performing multi-
netting on its interfaces as part of its DHCP relay function.
DHCP Assist ensures that a DHCP server that manages multiple IP subnets can readily
recognize the requester IP subnet, even when that server is not on the client local
LAN segment. The Ruckus Layer 2 switch does so by stamping each request with its IP
gateway address in the DHCP discovery packet.
By allowing multiple subnet DHCP requests to be sent on the same wire, you can
reduce the number of router ports required to support secondary addressing, as well
as reduce the number of DHCP servers required by allowing a server to manage
multiple subnet address assignments.
DHCP Assist works on initiation of a DHCP session, when the client sends out a DHCP
discovery packet for an address from the DHCP server. When the DHCP discovery
packet is received at a Ruckus Layer 2 switch with the DHCP Assist feature enabled,
the gateway address configured on the receiving interface is inserted into the packet.
This address insertion is also referred to as stamping.
When the stamped DHCP discovery packet is then received at the router, it is
forwarded to the DHCP server. The DHCP server then extracts the gateway address
from each request and assigns an available IP address within the corresponding IP
subnet. The IP address is then forwarded back to the workstation that originated the
request.
You can associate a gateway list with a port. You must configure a gateway list when
DHCP Assist is enabled on a Ruckus Layer 2 switch.
The gateway list contains a gateway address for each subnet that will be requesting
addresses from a DHCP server. The list allows the stamping process to occur. Each
gateway address defined on the Layer 2 switch corresponds to an IP address of the
Ruckus router interface or other router involved.
When multiple IP addresses are configured for a gateway list, the Layer 2 switch
inserts the addresses into the discovery packet in a round-robin fashion. Up to 32
gateway lists can be defined for each Layer 2 switch.
DHCP Server
Revision 0919 7 - 10
ICX 200 Client Access Services
DHCP Server
Revision 0919 7 - 11
ICX 200 Client Access Services
• Follow these steps to enable the server and configure the pool scope
Before you can configure the various DHCP server options, you must create an
address pool on your FastIron device.
The first step is to enable the DHCP server with the ip dhcp-server enable command.
Next, create a server pool with the ip dhcp-server pool command, which puts intot
he DHCP pool configuration context. From here you can configure several optional
parameters.
If the pool will provide IP addresses to clients, the scope of IP addresses must be
defined with the network command.
Revision 0919 7 - 12
ICX 200 Client Access Services
– Static IP mapping
ICX(config-dhcp-Building6)# static-mac-ip-mapping 10.10.10.29 0010.9400.0005
• Syntax: static-mac-ip-mapping ip-address mac-address
– Lease settings
ICX(config-dhcp-Building6)# lease 2
• Syntax: lease days
You can specify a single address or a range of addresses that should be excluded from
the address pool. This is accomplished with the excluded-address command from the
pool configuration context. You can enter a single IP address or a range of IP
addresses to exclude from the pool.
Based on the client MAC address, you can statically configure the IP address to the
MAC address in the DHCP server. This configuration is useful when you want to have
selected clients assigned with particular IP addresses from the server. Whenever a
DHCP discover message is received from these clients, based on the static
configuration, the IP address will be assigned with the other required parameters.
The lease duration for assigned IP addresses can be modified from the default of 1
day with the lease command. The range available is from 1 to 8 days.
Once the address pool is configured, it must be deployed with the deploy command.
Revision 0919 7 - 13
ICX 200 Client Access Services
DHCP Options
• DHCP options allow DHCP servers to pass additional configuration parameters to clients
• Common options include:
– Default router
– DNS server
– Host name
– Domain name
• Prior to 8.0.70, specific commands were used to set options
– Beginning in 8.0.70, commands will be displayed by option number, not command keyword
The list of supported DHCP options is extensive. However, the number of options that
can be passed to the client is limited by the size of the ACK packet. It is recommended
that you configure essential options only for the specific DHCP server address pool.
The following options (if configured) are prioritized, with additional options added as
needed:
• 3 - Router Option
• 6 - Domain Name Server
• 12 - Hostname
• 15 - Domain name
• 66 - TFTP server hostname or IP address
• 67 - Boot file name
• 60 - Vendor-Specific Information
DHCP options are not validated by the DHCP server. You must ensure the values are
configured correctly.
In FastIron 08.0.61 or earlier releases, it was possible to configure a subset of these
DHCP options using specific commands. For example, dhcp-default-router allows
configuration of the DHCP default router (which is now also configurable using DHCP
option 3). When upgrading to FastIron 08.0.70, any configured DHCP options are
retained. However, the configuration is stored and shown in the new options format.
The following table shows the options available in earlier releases and a mapping
between the new option format and the corresponding commands available in earlier
releases.
Revision 0919 7 - 14
ICX 200 Client Access Services
• Define options:
– Default router
ICX(config-dhcp-Building6)# option 3 ip 172.16.1.1
• Syntax: option 3 ip router-ip
– Domain name
ICX(config-dhcp-Building6)# option 15 ascii ruckuswireless.com
• Syntax: option 15 ascii domain-name
– DNS servers
ICX(config-dhcp-Building6)# option 6 ip 172.16.1.2 172.16.1.3
• Syntax: option 6 ip server-ip-address …
– NTP servers
ICX(config-dhcp-Building6)# option 42 ip 172.16.1.44
• Syntax: option 42 ip server-ip-address …
Note that the existing commands are still supported. Here we have the configuration
of the default router, the domain name, DNS servers and an NTP server using the
option command. These configurations could have been completed with the
following commands, respectively:
ICX(config-dhcp-Building6)# dhcp-default-router 172.16.1.1
ICX(config-dhcp-Building6)# domain-name ruckuswireless.com
ICX(config-dhcp-Building6)# dns-server172.16.1.2 172.16.1.3
ICX(config-dhcp-Building6)# netbios-name-server 172.16.1.2
However the configuration will be stored and shown in the option command format.
It is recommended that you configure these using the option command.
Revision 0919 7 - 15
ICX 200 Client Access Services
• DHCP options 60 and 43 allow identification of vendor-specific clients and provide them
with vendor-specific information
– Option 60 defines the vendor type and configuration value
– Option 43 defines vendor specific information
– If option 60 is configured, the vendor specific information (defined in option 43) is returned to clients that
provide the appropriate vendor type and configuration value
– If option 60 is not configured, the vendor specific information is sent to all clients
• Ruckus devices running as DHCP servers can be configured with option 43 and option 60 to
direct certain Ruckus devices to the Ruckus SmartZone network controller
ICX(config-dhcp-Building6)# option 60 ascii “Ruckus CPE”
ICX(config-dhcp-Building6)# option 43 hex 060b31302e31302e31302e3130
Translates to 10.10.10.10
Ruckus devices running as DHCP servers can be configured with option 43 and option
60. Configuring the DHCP option 60 helps in identifying the incoming DHCP client. If
the vendor class identifier (VCI) advertised by the DHCP client matches with the DHCP
server, the server makes a decision to exchange the vendor-specific information (VSI)
configured as part of DHCP option 43.
The Ruckus ICX DHCP server can recognize the DHCP client device using the VCI
(option 60) and pass specific information to this device type only (using option 43).
However, the DHCP server can be configured to always pass additional information
using option 43 (regardless of the client).
In summary:
• Option 60 defines the vendor type and configuration value.
• Option 43 defines vendor specific information.
• If option 60 is configured, the vendor specific information (defined in option 43)
is returned to clients that provide the appropriate vendor type and
configuration value.
• If option 60 is not configured, the vendor specific information is sent to all
clients.
Revision 0919 7 - 16
ICX 200 Client Access Services
Revision 0919 7 - 17
ICX 200 Client Access Services
Revision 0919 7 - 18
ICX 200 Client Access Services
Revision 0919 7 - 19
ICX 200 Client Access Services
– If any addresses in the scope of the DHCP pool are statically used, they must be excluded from the pool
The following configuration considerations apply to DHCP servers, the DHCP binding
database, and DHCP address pools:
• The DHCP server is supported in the Layer 2 and Layer 3 software images.
• The DHCP server is not supported on non-default VRF.
• In the event of a controlled or forced switchover, a DHCP client requests from
the DHCP server the same IP address and lease assignment that it had before
the switchover. After the switchover, the DHCP server will be automatically
reinitialized on the new Active Controller or management module.
• For DHCP client hitless support in a stack, the stack mac command must be
used to configure the MAC address, so that the MAC address does not change
in the event of a switchover or failover. If stack mac is not configured, the MAC
address/IP address pair assigned to a DHCP client will not match after a
switchover or failover. Furthermore, in the Layer 3 router image, if the stack
mac configuration is changed or removed and the management port has a
dynamic IP address, when a DHCP client tries to renew its lease from the DHCP
server, the DHCP server will assign a different IP address.
• If any address from the configured DHCP pool is used, for example, by the DHCP
server or TFTP server, you must exclude the address from the network pool.
• Ensure that DHCP clients do not send DHCP request packets with a Maximum
Transmission Unit (MTU) larger than 1500 bytes. Ruckus devices do not support
DHCP packets with an MTU larger than 1500 bytes.
Revision 0919 7 - 20
ICX 200 Client Access Services
DHCP Snooping
Revision 0919 7 - 21
ICX 200 Client Access Services
• DHCP snooping enables the device to filter untrusted DHCP packets in a subnet which can:
– Protect from rogue DHCP servers
– Prevent malicious user posing as a DHCP server sending false DHCP server reply packets
– Can stop unauthorized DHCP servers connected to the network (personal home routers)
DHCP Request
DHCP Reply
Rogue Rogue Trusted
DHCP Server DHCP Server DHCP Server
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 22
DHCP snooping enables the Ruckus device to filter untrusted DHCP packets in a
subnet. DHCP snooping can ward off MiM attacks, such as a rogue DHCP server
sending false DHCP server reply packets with the intention of misdirecting other
users. DHCP snooping can also stop unauthorized DHCP servers and prevent errors
stemming from user misconfiguration of DHCP servers.
DHCP snooping is often used with Dynamic ARP Inspection and IP Source Guard.
When enabled on a VLAN, DHCP snooping stands between untrusted ports (those
connected to host ports) and trusted ports (those connected to DHCP servers). A
VLAN with DHCP snooping enabled forwards DHCP request packets from clients and
discards DHCP server reply packets on untrusted ports. DHCP server reply packets on
trusted ports to DHCP clients are forwarded.
Revision 0919 7 - 22
ICX 200 Client Access Services
• Client IP-to-MAC address binding data learned on trusted ports are stored in a database
• Database information can be used to support other protective mechanisms, such as:
– Dynamic ARP Inspection(DAI)
– Source Guard
DHCP server reply packets are forwarded to DHCP clients on trusted ports. From the
DHCP server reply packets, the switch collects client IP-to-MAC address binding
information, which is saved in the DHCP binding database. This information includes
MAC addresses, IP addresses, lease time, VLAN numbers, and port numbers.
Beginning with FastIron release 8.0.30b, the DHCP binding database in the Ruckus
device is decoupled from the ARP database.
The lease time is refreshed when the client renews its IP address with the DHCP
server; otherwise, the Ruckus device removes the entry when the lease time expires.
Client IP addresses need not be on directly connected networks, as long as the client
MAC address is learned on the client port and the client port is on the same VLAN as
the DHCP server port. In this case, the system learns the client IP-to-MAC port
mapping. Therefore, a VLAN with DHCP snooping enabled does not require a VE
interface.
Revision 0919 7 - 23
ICX 200 Client Access Services
• Use the show ip dhcp snooping info command to view the DHCP binding database
Revision 0919 7 - 24
ICX 200 Client Access Services
• To run DHCP snooping, ACL filtering based on VLAN membership or VE port membership
must be enabled
ICX(config)# enable acl-per-port-per-vlan
ICX(config)# write mem
ICX(config)# exit
ICX# reload
– Syntax: [no] enable acl-per-port-per-vlan
DHCP snooping should be enabled on VLANs, after which the trust setting of ports
connected to a DHCP server must be changed to trusted. DHCP packets for a VLAN
with DHCP snooping enabled are inspected.
To run DHCP snooping, you must first enable support for ACL filtering based on VLAN
membership or VE port membership with the enable acl-per-port-per-vlan
command. Note that you must save the configuration and reload for the changes to
take effect.
Next, you enable DHCP snooping on a VLAN with the ip dhcp snooping vlan
command.
Then, you change the trust setting of the ports that are connected to the DHCP server
to trusted at the interface configuration level with the dhcp snooping trust
command.
NOTE: DHCP snooping is disabled by default and the trust setting of ports is untrusted
by default. DHCP snooping must be enabled on the client and the DHCP server
VLANs.
Revision 0919 7 - 25
ICX 200 Client Access Services
Revision 0919 7 - 26
ICX 200 Client Access Services
• Dynamic ARP Inspection (DAI) allows only valid ARP requests and responses to be
forwarded
– Can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning
– Disallows misconfiguration of client IP addresses
For enhanced network security, you can configure the Ruckus device to inspect and
keep track of Dynamic Host Configuration Protocol (DHCP) assignments.
Dynamic ARP Inspection (DAI) enables the Ruckus device to intercept and examine all
ARP request and response packets in a subnet and discard packets with invalid IP-to-
MAC address bindings. DAI can prevent common man-in-the-middle (MiM) attacks
such as ARP cache poisoning, and disallow misconfiguration of client IP addresses.
DAI allows only valid ARP requests and responses to be forwarded and supports
Multi-VRFs with overlapping address spaces.
Revision 0919 7 - 27
ICX 200 Client Access Services
• ARP packets on untrusted ports are inspected against the switches local ARP table and the
DHCP Snooping table
• Status of each ARP entry is either valid or pending
– Valid - The mapping is valid, and the port is resolved
– Pending - Normal dynamic ARP entries before they are resolved
• Their status changes to valid when they are resolved, and the port is mapped
When you enable DAI on a VLAN, by default, all member ports are untrusted. You
must manually configure trusted ports. In a typical network configuration, ports
connected to host ports are untrusted. You configure ports connected to other
switches or routers as trusted.
DAI inspects ARP packets received on untrusted ports, as shown in the here. DAI
carries out the inspection based on IP-to-MAC address bindings stored in a trusted
binding database. For the Ruckus device, the binding database is the ARP table and
the DHCP snooping table, which supports DAI, DHCP snooping, and IP Source Guard.
To inspect an ARP request packet, DAI checks the source IP address and source MAC
address against the ARP table. For an ARP reply packet, DAI checks the source IP,
source MAC, destination IP, and destination MAC addresses. DAI forwards the valid
packets and discards those with invalid IP-to-MAC address bindings.
When ARP packets reach a trusted port, DAI lets them through, as shown here.
DAI uses the IP-to-MAC mappings in the ARP table to validate ARP packets received
on untrusted ports. DAI relies on the following entries:
• Dynamic ARP - Normal ARP learned from trusted ports.
• Static ARP - Statically configured IP/MAC/port mapping.
• Inspection ARP - Statically configured IP-to-MAC mapping, where the port is
initially unspecified. The actual physical port mapping will be resolved and
updated from validated ARP packets.
• DHCP-Snooping ARP - Information collected from snooping DHCP packets when
DHCP snooping is enabled on VLANs. DHCP snooping entries are stored in a
different table and are not part of the ARP table.
Revision 0919 7 - 28
ICX 200 Client Access Services
DAI Configuration
• Like DHCP snooping, ACL filtering based on VLAN membership or VE port membership
must be enabled for DAI with the global enable acl-per-port-per-vlan command
• If static IP addresses operate on VLANs with DAI configured, static inspection entries must
be configured
ICX(config)# arp 10.20.20.12 0000.0002.0003 inspection
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 29
Revision 0919 7 - 29
ICX 200 Client Access Services
IP Source Guard
Revision 0919 7 - 30
ICX 200 Client Access Services
• When first enabled, only DHCP is allowed until valid IP addresses are learned from DHCP
snooping
• Can be enabled per port, per VLAN, per port/per VLAN and per VE
You can use IP Source Guard together with Dynamic ARP Inspection on untrusted
ports. This feature leverages the DHCP snooping binding database to limit traffic that
is allowed on untrusted ports. This helps to prevent IP spoofing attacks.
The Ruckus implementation of the IP Source Guard technology supports
configuration on a port, specific VLAN memberships on a port (Layer 2 devices only),
and specific ports on a Virtual Ethernet (VE) interface (Layer 3 devices only).
When IP Source Guard is first enabled, only DHCP packets are allowed, while all other
IP traffic is blocked. IP Source Guard allows IP traffic when the system learns valid IP
addresses. The system learns of a valid IP address from DHCP snooping.
When a new IP source entry binding on the port is created or deleted, the ACL is
recalculated and reapplied in the hardware to reflect the change in IP source
bindings. By default, if IP Source Guard is enabled without any IP source binding on
the port, an ACL that denies all IP traffic is loaded on the port.
Revision 0919 7 - 31
ICX 200 Client Access Services
Revision 0919 7 - 32
ICX 200 Client Access Services
Revision 0919 7 - 33
ICX 200 Client Access Services
Module Summary
– Describe DHCP helpers on network devices, including DHCP assist and relay
– Explain the capabilities and configuration options for Ruckus ICX DHCP server
Revision 0919 7 - 34
ICX 200 Client Access Services
End of Module 7:
Client Access Services
Revision 0919 7 - 35
ICX 200 Client Access Services
Revision 0919 7 - 36
ICX 200 IP Gateway Redundancy
Module 8:
IP Gateway Redundancy
Module Objectives
VRRP-E
• VRRP-E is a Ruckus enhanced version of the VRRP standard (RFC 3768)1 that overcomes
limitations in the standard protocol
– No default owner and all routers start as backup
• All members have a configurable priority unlike VRRP
• The router with the highest active priority becomes the master
• If there is a tie for highest priority, the router with the highest interface IP address becomes master
– The Virtual IP (VIP) is not owned by any members of the VRRP-E instance
• There is no concept of an owner of the VIP, as a real interface IP is not used
• The elected master hosts the VIP address and answers ICMP requests
– More granular control of track port management
• Multiple track ports can be monitored providing thresholds on a member
– Security is available allowing MD5 authentication
Footnote 1: VRRP standard was established in RFC 3768 however was updated by RFC
5798 in 2010 to include IPv6 addressing.
NOTE: VRRP-E is supported in the full Layer 3 code only. It is not supported in the
base Layer 3 code.
Virtual Router Redundancy Protocol Enhanced (VRRP-E)
• All routers are backups for a given Virtual Router ID (VRID). The router with the
highest priority becomes master. If there is a tie for highest priority, the router
with the highest IP address becomes master. The elected master owns the virtual
IP address and answers ICMP and ARP requests.
• VRRP-E uses UDP to send hello messages in IP multicast messages. The hello
packets use the interface's actual MAC address and IP address as the source
addresses. The destination MAC address is 01-00-5E-00-00-02, and the destination
IP address is 224.0.0.2 (the well-known IP multicast address for all routers). Both
the source and destination UDP port number is 8888. VRRP-E messages are
encapsulated in the data portion of the packet.
• The virtual IP (VIP) must be an unique IP address on the same subnet where VRRP-
E is enabled.
• VRRP-E uses the interface's actual MAC address as the source MAC address for
VRRP-E Advertisements. A virtual MAC address is used for the gateway or VIP
address on the client subnet. The virtual MAC address is 02-E0-52-<hash-value>-
<vrid> where the <hash-value> is a two-octet hex hash value of the Virtual IP
Address and <vrid> is the Virtual Router ID value.
VRRP-E Requirements
– The VRRP-E virtual router IP address must be in the same subnet as a real IP address assigned to a physical
interface
• Must not be the same as any of the actual IP addresses on any router interface
• Configuring VRRP-E uses the same task steps for all devices; there are no differences between master and backup
device configuration
– Router configured with the highest active priority assumes the master role
– VRRP-E is not supported on non-Ruckus devices and does not interoperate with standards-based VRRP
sessions
Note that only one of these protocols (VRRP/VRRP-E) can be enabled at the same
time on an ICX device.
– VRRP-E uses UDP (port 8888) to send multicast hello messages to the "all routers" multicast address
224.0.0.2
• Only devices listening to the all routers multicast address will receive the message
VRRP VRRP-E
Routers are either IP address owner
All routers are backup
or backup
VIP is any unused IP address within
VIP is interface IP on owner
the same subnet
Virtual MAC Virtual MAC with hash1
00-00-5E-00-01 <vrid> 02-E0-52<hash><vrid>
hello packets use UDP port 8888 and
hello Packets are multicast to
send to “all routers” multicast
224.0.0.18
224.0.0.22
Track port priority becomes VRRP Reduces VRRP-E priority by amount of
priority tracked port’s priority3
Can ping VIP regardless of who is
Cannot ping VIP if owner is not master
master
Footnote 1: MAC hashing allows multiple routers within overlapping VRID groups in
the same broadcast domain to operate without creating MAC conflicts.
Footnote 2: The multicast address for VRRP-E advertisements was changed to
224.0.0.2:8888 (UDP) since the .18 address was reserved for VRRP usage. By sending
to UDP port 8888 on the all routers multicast address this allows the advertisements
to go to a unique destination and will be ignored by non-VRRP-E routers.
Footnote 3: The advantage that VRRP-E has over VRRP is that two or more track ports
can be defined on one router. There may be an application that involves two track
ports where it is preferred to keep one router as the master after one track port
failures, but decrement the routers current priority so that the next failure will
change its state to backup.
• All VRRP-E routers start as backup and send hello messages to determine the master
router
When using VRRP-E all configured routers start in backup mode for each VRRP
instance. Hello’s are sent and received to decide who has the highest priority. Once
the highest priority router for that instance has been identified it transitions to the
Master role it continues to send hello messages to inform the other backup routers of
its status. Backup routers will use the received hello message as a keep alive message
and will also continue to monitor the priority of the Master router.
If it does not receive a hello message from the current Master router before the keep
alive timer expires it will take over the Master role and begin sending out its own
hello messages. In addition, if at any time the priority received from the Master
router is lower that its own current priority it will begin sending its own hello
messages indicating it has a higher priority and will then migrate to the Master role as
well. Anytime there is a transition of the Master role the new Master will send out a
gratuitous ARP updating the inline switch tables of the new virtual MAC location.
No matter what router is Master it will respond to ICMP requests from hosts.
149_multiple_VRRPe_router
VRRP-E Instance
To correctly configure this we will enable VRRP-E on both routers with a matching
Virtual Router ID (VRID) and priority value. On router A however we will configure its
priority higher than router b to ensure it becomes the master of this VRRP-E instance.
If the priorities happen to be set the same or not set at all (default 100) on both
routers the router with the highest physical IP address configured would become the
master of this VRRP-E instance. (It is suggested to always configure unique priorities
to ensure expected behavior)
Question: Based on this configuration which router should become the Master of this
VRRP-E instance? Router A
149_multiple_VRRPe_router
Revision 0919 8 - 10
ICX 200 IP Gateway Redundancy
149_multiple_VRRPe_router
VRRP-E Failover
Dead interval
Default: 3x Hello interval1
Configurable backup: 1-84 seconds
Hello interval
Default: 1 second
Configurable: 1-84 seconds
In the event of a router failure the backup router for the VRRP-E instance will stop
receiving hello’s from the Master causing its dead interval to expire and will migrate
to the Master role and take over the duties of forwarding traffic and responding to
host requests.
Hello interval: The number of seconds or milliseconds between Hello messages from
the Master to the Backups for a given VRID. The interval can be from 1 through 84
seconds ( 1 second default) for VRRP v2, VRRP-E v2, and IPv6 VRRP-E. The interval for
VRRP v3 can be from 100 through 8400 milliseconds (1000 default) and can be
configured in seconds or milliseconds.
Dead interval: The number of seconds or milliseconds a Backup waits for a Hello
message from the Master for the VRID before determining that the Master is no
longer active. Can be configured in seconds (v2 mode) or centiseconds (v3 mode).
Footnote 1: If the Master does not send a Hello message before the dead interval
expires, the Backups negotiate (compare priorities) to select a new Master for the
VRID.
If the value for the dead interval is not configured, then the current dead interval is
equal to three times the Hello interval plus the Skew time (where Skew time is equal
to (256 - priority) divided by 256). Note: The hello intervals must be set to the same
value on both owner and backup devices for the same VRID
Revision 0919 8 - 11
ICX 200 IP Gateway Redundancy
149_multiple_VRRPe_router
• If original Master is restored it can assume it’s duties again by default (pre-emption)
Disabling prevents
a backup device
with a higher
priority than the Pre-emption can be
current backup disabled eliminating
acting as a master the original master
to assume the from taking over
master role
When the original master is recovered/restored it will begin to receive hello packets
from the acting master. Because the original master had a higher priority configured it
will to take over the master duties from the acting master which is a process called
pre-emption. This is on by default in ICX device but can be disabled if desired. This
allows for the ability to stabilize the environment reverting back to the original router
at a later date such as during a change window instead of the possibility of flapping. If
the original router continues to preempt, migration between the original and backup
could continue, leading to an unstable environment.
Revision 0919 8 - 12
ICX 200 IP Gateway Redundancy
• Track port failure causes track priority to be subtracted from configured backup priority
– Each track port failure causes the tracking value to be subtracted (possibly
multiple times)
Backup priority - (failed track ports x track port priority) = current priority
VRRP-E RouterB VirtualRouter VRRP-E RouterA Configured priority 115
VRID 1 VRID 1 VRID 1
2 track port failure -20
Backup
Master Virtual IP 10.1.1.1 Master
Backup
Priority 100 Virtual MAC to 02-EO-52-A3-23-01 Priority
Priority115
105
95 Current priority 95
Host 1
Default Gateway
10.1.1.1
When track port priorities are configured under the VRRP-E instance any failed track
port will cause its priority will be counted against the configured priority. Depending
on the VRRP-E configuration this could cause a migration of the Master duties to
another router.
In a situation where only one track port fails you might not want to migrate to a
different router. VRRP-E has the option to allow for one track port to fail and still
allow the original master to remain. However you can configure in a way that if two
track ports fail then the switch takes place. This is an advantage over the VRRP
standard by providing more flexibility in controlling when a failover would take place.
If a failover occurs, once the new master is selected it sends out a gratuitous ARP
updating the virtual MAC location forcing any inline switches in the VRRP-E
environment to update their MAC tables.
Revision 0919 8 - 13
ICX 200 IP Gateway Redundancy
Configuring VRRP-E
Revision 0919 8 - 14
ICX 200 IP Gateway Redundancy
Configuring VRRP-E
Revision 0919 8 - 15
ICX 200 IP Gateway Redundancy
VRID 2 RouterA
RouterA(config)# inter e1/1/2
RouterA(config-if-e1000-1/1/2)# ip addr 10.2.1.2/24
RouterA(config-if-e1000-1/1/2)# ip vrrp-e vrid 2
RouterA(config-if-e1000-1/1/2-vrid-2)# backup priority 100
track-priority 10
RouterA(config-if-e1000-1/1/2-vrid-2)# ip-add 10.2.1.1
RouterA(config-if-e1000-1/1/2-vrid-2)# track-p e 1/1/16
RouterA(config-if-e1000-1/1/2-vrid-2)# track-p e 1/1/17
RouterA(config-if-e1000-1/1/2-vrid-2)# track-p e 1/1/18
RouterA(config-if-e1000-1/1/2-vrid-2)# activate
VRRP-E router 2 for this interface is activating
VRID 1 RouterB
RouterB(config)# router vrrp-e
RouterB(config-VRRP-E-router)# inter e1/1/2
RouterB(config-if-e1000-1/1/2)# ip addr 10.1.1.2/24
RouterB(config-if-e1000-1/1/2)# ip vrrp-e vrid 1
RouterB(config-if-e1000-1/1/2-vrid-1)# backup priority 100
track-priority 10
RouterB(config-if-e1000-1/1/2-vrid-1)# ip-add 10.1.1.1
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/12
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/13
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/14
RouterB(config-if-e1000-1/1/2-vrid-1)# activate
VRRPE router 1 for this interface is activating
VRID 2 RouterB
RouterB(config)# inter e1/1/1
RouterB(config-if-e1000-1/1/1)# ip addr 10.2.1.3/24
RouterB(config-if-e1000-1/1/1)# ip vrrp-e vrid 2
RouterB(config-if-e1000-1/1/1-vrid-2)# backup priority 115
track-priority 10
RouterB(config-if-e1000-1/1/1-vrid-2)# ip-add 10.2.1.1
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/12
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/13
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/14
RouterB(config-if-e1000-1/1/1-vrid-2)# activate
VRRP-E router 2 for this interface is activating
Revision 0919 8 - 16
ICX 200 IP Gateway Redundancy
Revision 0919 8 - 17
ICX 200 IP Gateway Redundancy
State: This device VRRP state for the VRID. The state can be one of the following:
• initialize – The VRID is not enabled (activated). If the state remains “initialize” after
you activate the VRID, make sure that the VRID is also configured on the other routers
and that the routers can communicate with each other.
NOTE: If the state is initialize and the mode is incomplete, make sure you have
specified the IP address for the VRID.
• Standby – This device is a backup for the VRID.
• Master – This device is the master for the VRID.
Administrative-status: The administrative status of the VRID. The administrative status
can be one of the following:
• disabled – The VRID is configured on the interface but VSRP or VRRP-E has not been
activated on the interface.
• enabled – VSRP has been activated on the interface.
Priority: The device preference for becoming the master for the VRID. During
negotiation, the backup with the highest priority becomes the master. If two or more
backups are tied with the highest priority, the backup interface with the highest IP
address becomes the master for the VRID.
Current priority: The current VRRP or VRRP-E priority of this Layer 3 Switch for the VRID.
The current priority can differ from the configured priority (see the row above) for the
following reasons:
• The VRID is still in the initialization stage and has not become a master or backup yet.
In this case, the current priority is 0.
• The VRID is configured with track ports and the link on a tracked interface has gone
down.
Hello-interval: The number of seconds between hello messages from the master to the
backups for a given VRID.
Dead-interval: The configured value for the dead interval. The dead interval is the
number of seconds a backup waits for a hello message from the master for the VRID
before determining that the master is no longer active. If the master does not send a
hello message before the dead interval expires, the backups negotiate (compare
priorities) to select a new master for the VRID. NOTE: If the value is 0, then you have not
configured this parameter.
Current dead-interval: The current value of the dead interval. This is the value actually in
use by this interface for the VRID. Note: This field does not apply to VRRP owners
Preempt-mode: Whether the backup preempt mode is enabled. Note: This field does not
apply to VRRP owners.
Virtual ip address: The virtual IP addresses that this VRID is backing up.
Revision 0919 8 - 18
ICX 200 IP Gateway Redundancy
Revision 0919 8 - 19
ICX 200 IP Gateway Redundancy
Revision 0919 8 - 20
ICX 200 IP Gateway Redundancy
Footnote 1: IPv4 and IPv6 support can be activated at the same time however either
VRRP or VRRP-E instances can be activated at the same time. Example: You can not
have VRRPv3 and IPv6 VRRP-E activated at the same time.
Revision 0919 8 - 21
ICX 200 IP Gateway Redundancy
IPv6 VRRP-E
Revision 0919 8 - 22
ICX 200 IP Gateway Redundancy
• Backup preemption is enabled by default for VRRP and VRRP-E which allows the original
master or other backups to take over if their priority becomes higher than the active
master
– Feature can be disabled:
• Preventing route flapping
• Protects from bouncing due to unstable original master
• Ensures fall back is controlled by the administrator
• To avoid a backup device (acting as the master) from being preempted by another backup
device with a higher priority value use the following command1
RouterA(config)# interface ethernet 1/1/5
RouterA(config-if-e1000-1/1/5)# ip vrrp-extended vrid 1
RouterA(config-if-e1000-1/1/5-vrid-1)# non-preempt-mode
• Backup device will not assume the role of the VRRP master even if a backup device has a
higher priority than the current master device
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 23
Footnote 1: non-preempt-mode is only run on the original master, not on the backup.
Setting a VRRP-E instance in non-preempt-mode causes the device to ignore priorities
after a failure even if other VRID members have a lower priority. In non-preemt-mode
a router will still take over master state if it no longer receives hello messages from
the current master and the dead timer expires.
Revision 0919 8 - 23
ICX 200 IP Gateway Redundancy
• When enabled the backup router will advertise to the master router by sending a backup-
hello message (default every 1 min.)
RouterB(config)# int e 1/1/2
RouterB(config-if-e1000-1/1/2)# ip vrrp-e vrid 1
RouterB(config-if-e1000-1/1/2-vrid-1)# advertise backup
• You can adjust the frequency of hello messages from the backup router by using (in
seconds):1
RouterB(config-if-e1000-1/1/2-vrid-1)# backup-hello-interval 150
Footnote 1: The Master router once it receives a backup hello message it displays the
backup advertisement in its vrrp-e output. Additionally it sets a dead timer for the
backup router next advertisement to 3 minutes. If you set a backup-hello-interval on
the master the dead timer locally will be set for 3x the timer value.
Revision 0919 8 - 24
ICX 200 IP Gateway Redundancy
Revision 0919 8 - 25
ICX 200 IP Gateway Redundancy
• Slow start timer provides a delay in migrating back to the original master after its priority
has become higher than the acting master
– Extends the time interval beyond the dead interval before the original master assumes its role
– Provides stability in the environment by:
• Guarding against pre-mature migration back to original master (bouncing track port)
• Allows for routing table to update (OSPF convergence)
Revision 0919 8 - 26
ICX 200 IP Gateway Redundancy
VRRP/-E Authentication
• VRRP along with VRRP-E provide the ability to use authentication when communicating
with other members participating in the VRRP VRID
Revision 0919 8 - 27
ICX 200 IP Gateway Redundancy
– VRRP-E Example:
Ruckus(config)# interface ethernet 1/1/6
Ruckus(config-if-e1000-1/1/6)# ip vrrp-extended auth-type md5-auth gy42mb
• VRRP-E Syntax: [no] ip vrrp-extended auth-type { no-auth | simple-text-auth auth-text | md5-auth auth-text }
• VRRP Syntax: [no] ip vrrp auth-type { no-auth | simple-text-auth auth-text }
• The password will be hidden or encrypted when saved in the configuration file
– When an MD5 authentication password is configured on an interface, a syslog message is displayed
Revision 0919 8 - 28
ICX 200 IP Gateway Redundancy
VRRP Statistics
Footnote 1: Output changes depending on if you use stat or status. Note the
difference in slide to the output preferred.
Ruckus# show ip vrrp-e statistics ?
ethernet port
lag Interface
ve Virtual Ethernet port
vrid show pkt stats for a VRID
Revision 0919 8 - 29
ICX 200 IP Gateway Redundancy
VRRP-E Considerations
– The Hello and dead interval must be set to the same value on configured devices
– The track priority must be lower than the VRRP-E backup priority
– The same VRID must not be used across IPv6 VRRP-E and IPv4 VRRP-E if they are in the same broadcast
domain
– All configuration is removed from running config if the protocol VRRP-E is removed using the no router
vrrp-extended command
Revision 0919 8 - 30
ICX 200 IP Gateway Redundancy
VRRP-E Troubleshooting
Revision 0919 8 - 31
ICX 200 IP Gateway Redundancy
Revision 0919 8 - 32
ICX 200 IP Gateway Redundancy
priority 115
Priority has been e1 e1
current priority 95
reduced by track- 192.53.5.2 192.53.5.3
track-priority 10 priority
hello-interval 1000 msec
dead-interval 0 msec
current dead-interval 3500 msec
preempt-mode true Host 2
Default Gateway
virtual ip address 192.53.5.1 192.53.5.1
advertise backup: disabled
master router 192.53.5.3 expires in 00:00:03.0
track-port 1/1/16(down) 1/1/17(down) 1/1/18(up) Multiple Track-ports
are down
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 33
In the slide above, RouterA’s track port has failed. The current priority is reduced by
the amount of the track-port priority. The track-priority is subtracted from the VRRP-E
priority and as a result Router As current priority is less than Router Bs which results
in a failover.
Revision 0919 8 - 33
ICX 200 IP Gateway Redundancy
Module Summary
Revision 0919 8 - 34
ICX 200 IP Gateway Redundancy
End of Module 8:
IP Gateway Redundancy
Revision 0919 8 - 35
ICX 200 IP Gateway Redundancy
Appendix A:
VRRP Function
Revision 0919 8 - 36
ICX 200 IP Gateway Redundancy
• VRRP provides redundancy to default gateways servicing hosts on the same subnet, RFC
5798
– Allows an alternate router path for a host without changing the IP address or MAC address of its gateway
– Reliability is achieved by advertising a virtual router as the default gateway
– Two or more physical routers are configured to host a virtual router, with only one doing the actual
routing at any given time
VRRP Router Virtual Router VRRPe Router
Master Virtual IP 192.53.5.1 Backup
Virtual MAC 00-00-5E-00-01-01
WAN WAN
Host 1
Default Gateway
192.53.51
Revision 0919 8 - 37
ICX 200 IP Gateway Redundancy
VRRP Terminology
• Virtual router: An object managed by VRRP that acts as a default router for hosts on a
shared LAN and consists of:
– A Virtual Router Identifier (VRID)
– A virtual IP address (VIP)
– A virtual MAC address
• Virtual Router Identifier (VRID): Used to identify each virtual router in the subnet
– Supported range is 1-255 in decimal
– There is no default
Revision 0919 8 - 38
ICX 200 IP Gateway Redundancy
• Virtual MAC: The first five octets are a multicast standard MAC prefix for VRRP and the last
octet is the VRID1
MAC Prefix VRID #
00-00-5E-00-01-xx
Where XX is the VRID number in hex
• IP address owner: The VRRP router that has the same real interface IP address as the
virtual router's IP address
– When the owner router is up, it responds to ICMP pings
– When up, this router always becomes the master
Footnote 1: The first five octets of the address are the standard multiast MAC prefix
for VRRP packets, as described in RFC 2338. The last octet is the VRID. The VRID
number becomes the final octet in the virtual MAC address associated with the
virtual router. When you configure a VRID, the software automatically assigns its MAC
address. When a VRID becomes active, the master router broadcasts a gratuitous ARP
request containing the virtual router MAC address for each IP address associated with
the virtual router. In Figure 154, Switch 1 sends a gratuitous ARP with MAC address
00-00-5e-00-01-01 and IP address 192.53.5.1. Hosts use the virtual router MAC
address in routed traffic they send to their default IP gateway (in this example,
192.53.5.1).
Revision 0919 8 - 39
ICX 200 IP Gateway Redundancy
• Master: The VRRP router responsible for forwarding packets sent to the VIP associated
with the virtual router
– Creates and responds to ARP requests for the VIP
– If the IP address owner is up, it becomes the master1
• Backup: The set of VRRP routers available to assume forwarding responsibility for a virtual
router should the current master fail
• VRRP priority: Each router has a priority set for each VRID it hosts to determine which
router becomes the master2
– Priority can be from 3-255 (255 is the highest priority)
– 255 is reserved for the IP address owner to guarantee it always becomes the master
– 3-254 is used for backups (default value for backups is 100)
Footnote 1: This may not be true if track ports are used. Track ports are covered in
more detail later.
Revision 0919 8 - 40
ICX 200 IP Gateway Redundancy
Footnote 2:
The routers within a VRID use the VRRP priority values associated with each router to
determine which router becomes the master. When configuring the VRID on a router
interface, specify whether the router is the owner of the IP address or a backup. If the
router is the owner of the IP address, the software automatically sets the router VRRP
priority for the VRID to 255, the highest VRRP priority. The router with the highest priority
becomes the master. Backup routers can have a priority from 3 – 254, which are assigned
when the VRID is configured on the backup router interfaces. The default VRRP priority for
backup routers is 100. Because the router that owns the IP address associated with the
VRID always has the highest priority, when all the routers are operating normally, the
negotiation process results in the owner of the VRID IP addresses becoming the master
router.
Revision 0919 8 - 41
ICX 200 IP Gateway Redundancy
• All VRRP routers send multicast VRRP advertisements called hellos to determine the
master1
– Owner: The router whose interface IP address matches the virtual IP address;
the default priority is 255, which causes the owner to become the default
master
– Master: Sends hellos as a keep-alive and responds to ARP and ICMP requests
(i.e. ping)
Footnote 1: VRRP routers use hello messages to determine the master router. VRRP
routers send hello messages to IP multicast address 224.0.0.18.
Revision 0919 8 - 42
ICX 200 IP Gateway Redundancy
VRRP Failover
– If the dead interval expires before a hello is received, the backup router with the
highest priority becomes the master2
New master sends gratuitous ARP (GARP) to update MAC tables in the LAN
Owner interface is no
longer available so VIP
can not be pinged
Footnote 1: VRRP routers use hello messages to determine the master router. VRRP
routers send hello messages to IP multicast address 224.0.0.18. The frequency with
which the master sends hello messages is the hello Interval. Only the master sends
hello messages. However, a backup will use the configured hello interval if it becomes
the master. The backup routers wait for a period of time called the Dead Interval for a
hello message from the master. If a backup router does not receive a hello message
by the time the dead interval expires, the backup router assumes that the master
router is dead and negotiates with the other backups to select a new master router.
The backup router with the highest priority becomes the new master.
Footnote 2: If the owner becomes unavailable, but then comes back online, the
owner again becomes the master router. The owner becomes the master router again
because it has the highest priority. The owner always becomes the master again
when it comes back online.
Revision 0919 8 - 43
ICX 200 IP Gateway Redundancy
- If the tracked interface goes down, the VRRP priority is reduced to the track priority
causing a new master to be selected1
Footnote 1: When track port state becomes operational again, the VRRP priority
reverts back to original state (255) and an advertisement is generated. When the
master sees a higher priority advertisement it relinquishes the role of master back to
the owner.
Revision 0919 8 - 44
ICX 200 IP Gateway Redundancy
VRRP Considerations
Footnote 1: The track priority on the Owner must be higher than the track priority on
the Backups as well. The tracking-port configuration for IPv6 VRRP v3 is not allowed if
the router is configured as the VRRP Owner.
Revision 0919 8 - 45
ICX 200 IP Gateway Redundancy
• To configure the VRRP Owner router for IPv4, enter the following commands on the
router1
Router1(config)# router vrrp
Router1(config)# interface ethernet 1/1/6
Router1(config-if-e10000-1/1/6)# ip address 10.53.5.1/24
Router1(config-if-e10000-1/1/6)# ip vrrp vrid 1
Router1(config-if-e10000-1/1/6)# version v3|v2
Router1(config-if-e10000-1/1/6-vrid-1)# owner
Router1(config-if-e10000-1/1/6-vrid-1)# ip-address 10.53.5.1
Router1(config-if-e10000-1/1/6-vrid-1)# activate
VRRP router 1 for this interface is activating
Footnote 1: Both VRRP and VRRP-E cannot be activated on a device at the same time.
Syntax: [no] router vrrp
Syntax: [no] ip-address ip-address-address
Syntax: [no] ip vrrp vrid num (The num variable specifies the virtual router ID. Valid range is
between 1 through 255.)
Syntax: [no] owner [ track-priority value ] (The track-priority value option changes the track-
port priority for this interface and the VRID from the default (255) to a value from 1 through
254.)
Syntax: [no] version num (The version num specifies the version - v3 or v2.)
Syntax: [no] activate
The (vrid-#)# ip-address variable specifies the IPv4 address of the Owner router. The
IP address assigned to the Owner must be an IP address configured on an interface
that belongs to the virtual router.
Configuring the Owner for IPv6 VRRP
To configure the VRRP Owner router for IPv6, enter the following commands on the
router. You must first configure the ipv6 unicast-routing command at the global
configuration level to enable IPv6 VRRP on the router.
Router1(config)# ipv6 unicast-routing
Router1(config)# ipv6 router vrrp
Router1(config)# interface ethernet 1/1/6
Router1(config-if-e10000-1/1/6)# ipv6-address 2001:DB8::1/64
Router1(config-if-e10000-1/1/6)# ipv6 vrrp vrid 1
Router1(config-if-e10000-1/1/6-vrid-1)# owner
Router1(config-if-e10000-1/1/6-vrid-1)# ipv6-address 2001:DB8::1
Router1(config-if-e10000-1/1/6-vrid-1)# activate
VRRP router 1 for this interface is activating
Revision 0919 8 - 46
ICX 200 IP Gateway Redundancy
• To configure the VRRP Owner router for IPv4, enter the following commands on the
router1
Router2(config)# router vrrp
Router2(config)# interface ethernet 1/1/5
Router2(config-if-e1000-1/1/5)# ip-address 192.53.5.3
Router2(config-if-e1000-1/1/5)# ip vrrp vrid 1
Router2(config-if-e1000-1/1/5-vrid-1)# backup
Router2(config-if-e1000-1/1/5-vrid-1)# version v3|v2
Router2(config-if-e1000-1/1/5-vrid-1)# hello-interval 10
Router2(config-if-e1000-1/1/5-vrid-1)# advertise backup
Router2(config-if-e1000-1/1/5-vrid-1)# ip-address 192.53.5.1
Router2(config-if-e1000-1/1/5-vrid-1)# activate
VRRP router 2 for interface is activating
Footnote 1: To configure the VRRP Owner router for IPv4, enter the following
commands on the router1
Router2(config)# router vrrp
Router2(config)# interface ethernet 1/1/5
Router2(config-if-e1000-1/1/5)# ip-address 192.53.5.3
Router2(config-if-e1000-1/1/5)# ip vrrp vrid 1
Router2(config-if-e1000-1/1/5-vrid-1)# backup
Router2(config-if-e1000-1/1/5-vrid-1)# version v3|v2
Router2(config-if-e1000-1/1/5-vrid-1)# hello-interval 10
Router2(config-if-e1000-1/1/5-vrid-1)# advertise backup
Router2(config-if-e1000-1/1/5-vrid-1)# ip-address 192.53.5.1
Router2(config-if-e1000-1/1/5-vrid-1)# activate
VRRP router 2 for interface is activating
Revision 0919 8 - 47
ICX 200 IP Gateway Redundancy
VRRP Options
• Disabling VRRP or VRRP-E, the switch removes ALL configuration for the disabled protocol
from running-config
ICX(config)# no router vrrp
router vrrp mode is disabled. All vrrp config data will be lost when
writing to flash!
• ICX devices allow non-Owner Master router to respond to ping, traceroute, and Telnet
packets destined for the virtual IPv4 or IPv6 address of a VRRP cluster in accept mode1
Revision 0919 8 - 48
ICX 200 IP Gateway Redundancy
Revision 0919 8 - 49
ICX 200 IP Gateway Redundancy
Footnote 1: The default track priority for a VRRP Owner is 2. The default track priority
for Backups is 1. You can specify a value from 3 through 254
Revision 0919 8 - 50
ICX 200 IP Gateway Redundancy
• Although authentication was described in the original VRRP standard (RFC 2338) current
standards do not identify authentication
• For backward compatibility, ICX supports VRRP authentication using simple passwords1
– Simple-password authentication using password “ourpword”
Revision 0919 8 - 51
ICX 200 IP Gateway Redundancy
End of Appendix A:
VRRP Function
Revision 0919 8 - 52
ICX 200 Troubleshooting
Module 9:
Troubleshooting
Module Objectives
• Narrow down issue and gather data using feature/function specific commands
• show commands provides valuable insight
– Displays a variety of configuration and statistical information about devices
When troubleshooting Layer 1-3, consider the OSI model as a framework for
verification. Ensure that Layer 1 and 2 elements are functioning as intended before
verifying Layer 3 operations. Verify Layer 3 before troubleshooting at Layers 4 through
7.
Consider verifying these operations at each layer of the OSI model
Layer 1 – Physical – Ethernet connectivity. Also consider the switched network
environment between devices and if the devices are running switch or router code.
Layer 2 – Data Link – Ethernet connectivity, ARP resolving accurately, MAC address
tables accurate.
Layer 3 – Network – Real IP to VIP mapping is accurate. Consider routed paths
between the device and remote servers and clients.
The steps in this model are:
• Collect available information and analyze the symptoms of issue
• Localize the problem to within a single network segment, a single complete
module or unit, or to a single user
• Isolate the trouble to specific hardware or software within the unit, module, or
user’s network account.
• Locate and correct the specific problem.
• Verify that the problem has been solved.
– Use the show statistics command to check whether there are CRC errors transmitted or received on the
interface
• Errors of this nature are usually the result of physical problems such as bad cable or NIC
– The show rmon statistics ethernet command provides additional interface statistics for promiscuous
traffic on an interface
ICX# show rmon statistics e 1/2/1
Ethernet statistics 65 is active, owned by monitor
Interface 1/2/1 (ifIndex 65) counters
Octets 199634908639
Drop events 0 Packets 190493299
Broadcast pkts 440 Multicast pkts 8507
CRC align errors 0 Undersize pkts 0
Oversize pkts 0 Fragments 0
Jabbers 0 Collisions 0
When a MAC move occurs due to end host roaming via AP or because of failover, the
ICX management software should move the MAC address from the old port to the
specified new port it has learned in its forwarding table. It is good practice to look at
the mac table to ensure that the MAC to port binding is accurate and that the frames
for that host is accurate. Occasionally due to certain circumstances this process does
not take place or the MAC address remains bound to the original port. In this event
the MAC needs to be removed using a manual process.
• When wireless hosts roam between APs, their MACs will migrate between ports on a ICX
– Tracking of this activity can be stored on the switch for reference and troubleshooting
• Check that the learned MAC address entries are correct in the MAC address table
– Stuck MAC may require clearing
• If the clear mac command is used, the MDB and FDB are rebuilt for those cleared using
standard MAC learning and unknown unicast flooding processes
• To remove entries for the MAC address 0000.0080.00d0 in all VLANs, enter the following:
ICX# clear mac-address 0000.0080.00d0
• Syntax: clear mac-address [ mac-address | ethernet unit/slot/port | lag lag-id | vlan vlan-id ]
Footnote 1: Static MAC entries are not removed. If you enter clear mac-address
without any parameter, the software removes all MAC address entries.
Use the mac-address parameter to remove a specific MAC address from all VLANs.
Specify the MAC address in the following format: HHHH.HHHH.HHHH.
Use the ethernet unit/slot/port parameter to remove all MAC addresses for a specific
Ethernet port.
Use the vlan-id parameter to remove all MAC addresses for a specific VLAN.
When a MAC move occurs due to end host roaming via AP or because of failover, the
ICX management software should move the MAC address from the old port to the
specified new port it has learned in its forwarding table. It is good practice to look at
the mac table to ensure that the MAC to port binding is accurate and that the frames
for that host are accurate. Occasionally due to certain circumstances this process
does not take place or the MAC address remains bound to the original port. In this
event the MAC needs to be removed using a manual process.
The clear arp command can be used to clear the learned ARP entries
Static ARP entries are not removed
ICX# clear arp 10.1.2.1
• Syntax: clear arp [ IP-address | ethernet unit/slot/port | lag lag-id | mac-
address mac-address ]
• Enable Foundry Discovery Protocol or Link Layer Discovery Protocol on all devices to verify
topology and connectivity1
ICX(config)# fdp run
or
ICX(config)# lldp run
– Both commands when run in global config enable all ports for send/receive discovery packets
Footnote 1: If FDP is globally enabled on an ICX device, all the interfaces, by default,
have FDP enabled on them.
Revision 0919 9 - 10
ICX 200 Troubleshooting
• Internet Control Message Protocol provides an effective way to test L3 connectivity within
a network
– Address Resolution Protocol table within the ICX maps an IP address to MAC address
ICX# ping 10.1.1.1
Sending 1, 16-byte ICMP Echo to 10.1.1.1, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 10.1.1.1 : bytes=16 time=1ms TTL=64
Success rate is 100 percent (1/1), round-trip min/avg/max=1/1/1 ms.
• Syntax: ping { ip-addr | host-name | vrf vrf-name | ipv6 [ ipv6-addr | host-name | vrf vrf-name ] [ outgoing-interface type
number ] } [ source ip-addr ] [ count num ] [ timeout msec ] [ ttl num ] [ size num ] [ quiet ] [ numeric ] [ nofragment ] [ verify ] [ data 1-to-4-byte-hex ] [ brief [ max-print-
per-sec number ] ]
Footnote 1: Static ARP entries binding an IP to a MAC can be configured using the
ARP command.
Syntax: arp ip-address mac-address { ethernet unit/slot/port | lag lag-id | inspection
}
Revision 0919 9 - 11
ICX 200 Troubleshooting
• If hosts within the same VLAN cannot communicate, verify their VLAN membership and
configuration
– Use show vlan command to verify switch port access membership
10.2.1.12 10.2.1.20
• User is not able to reach its destination which is within the same subnet
– With current information provided, what might be the problem?
As shown here the access port of the host is configured as a tagged port although the
host is not sending tagged frames. This causes the host frames to either be placed in
the default VLAN of that port or to be dropped.
Revision 0919 9 - 12
ICX 200 Troubleshooting
• If hosts within the same VLAN cannot communicate, verify their VLAN membership and
configuration
– Use show vlan command to verify switch port access membership
10.2.1.12 10.2.1.20
Now any untagged frames coming from the host is now correctly placed into VLAN
10.
Revision 0919 9 - 13
ICX 200 Troubleshooting
• If hosts within the same VLAN cannot communicate, verify their VLAN membership and
configuration
– Use show vlan command to verify switch port access membership
– Verify proper tagged/untagged assignments to adjacent switches
PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None],
Untagged Ports: (U1/M1) 2 Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) 11
Tagged Ports: (U1/M1) 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 12
10.2.1.12 10.2.1.20
Any switches along the path are required to carry the VLAN ID value allowing for the
successful delivery of the frame. When ports along the path remove the tag the
receiving switch either has to have its port set up as an access port associated with
that VLAN. Mismatch port types (tagged/untagged) along the path can cause frames
to be dropped or to be placed in the wrong VLAN.
Revision 0919 9 - 14
ICX 200 Troubleshooting
• If hosts within the same VLAN cannot communicate, verify their VLAN membership and
configuration
– Use show vlan command to verify switch port access membership
– Verify proper tagged/untagged assignments to adjacent switches
PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None],
Untagged Ports: (U1/M1) 2 Untagged Ports: (U1/M1) Untagged Ports: (U1/M1)
Tagged Ports: (U1/M1) 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11 12
10.2.1.12 10.2.1.20
Revision 0919 9 - 15
ICX 200 Troubleshooting
• If hosts within the same VLAN cannot communicate, verify their VLAN membership and
configuration
– Use show vlan command to verify switch port access membership
– Verify proper tagged/untagged assignments to adjacent switches
– Confirm VLAN continuity along data path
PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 11, Name [None],
Untagged Ports: (U1/M1) 2 Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) 8
Tagged Ports: (U1/M1) 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11
10.2.1.12 10.2.1.20
VLAN continuity is important to deliver the frame to its destination in most all cases.
Each switch along the path need to have the correct VLAN ID configured and the
proper ports are associated in either tagged or untagged depending on its position on
its path.
Revision 0919 9 - 16
ICX 200 Troubleshooting
• If hosts within the same VLAN cannot communicate, verify their VLAN membership and
configuration
– Use show vlan command to verify switch port access membership
– Verify proper tagged/untagged assignments to adjacent switches
– Confirm VLAN continuity along data path
PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None],
Untagged Ports: (U1/M1) 2 Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) 8
Tagged Ports: (U1/M1) 212
12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11
10.2.1.12 10.2.1.20
Contiguous VLAN from source to destination allows for intra VLAN communication of
the member devices that belong to the same Layer 3 subnet.
Revision 0919 9 - 17
ICX 200 Troubleshooting
An often missed parameter is the configuration of the appropriate ports into all the
required VLANs. In this example, Switch 2 has tagged ethernet 1 placed in VLAN 20,
but not for VLAN 10. PC5 can reach PC3 and the FTP server currently by way of the
ethernet 2 links on Switch 2 and 3.
Revision 0919 9 - 18
ICX 200 Troubleshooting
Suppose Ethernet 2 on Switch2 and Switch 3 goes down. The Spanning Tree Protocol
will change the blocked port on Ethernet 1 (Switch 3) to forwarding mode. Now,
Switch 2 will receive the same PC5 traffic on Ethernet 1 instead. However, Switch 2
will drop this traffic because it will be tagged with VLAN 10. Tagged port e1 has not
been configured for VLAN 10.
In this example, PC5 cannot reach PC3 and the FTP server in VLAN 10. We will start
by verifying the ports in Switch2 using the show vlan command:
The output of the command above shows that Ethernet 1/1/1 interface on switch
Switch2 does not belong to VLAN 10.
Revision 0919 9 - 19
ICX 200 Troubleshooting
To find the VLAN that ethernet 1/1/1 belongs to, use the below command:
Switch2# show vlan ethernet 1/1/1
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 64
• The above output shows that tagged ethernet 1/1/1 belongs to VLAN 20, but not VLAN
10.
You can gather more data by using the show interfaces e 1/1/1 to 1/1/2
command on Switch2:
Port Link State Dupl Speed Trunk Tag Pvid Pri MAC
Name
1/1/1 Up Forward Full 1G None Yes N/A 0 0024.38b7.f2c0
1/1/2 Up Forward Full 1G None Yes N/A 0 0024.38b7.f2c1
1/1/3 Up Forward Full 1G None No 10 0 0024.38b7.f2c2
Both ports are tagged which causes the output not to show the VLAN. However if this port
was untagged the PVID displays the VLAN membership. This is due to the fact that a
tagged port can potentially be a member of too many VLANs to list here.
Revision 0919 9 - 20
ICX 200 Troubleshooting
ICX(config)# vlan 10
ICX(config-vlan-10)# tagged e 1/1/1
The solution is simple, but finding the problem first is always the challenge. Add
tagged Ethernet 1 into VLAN 10. Once Ethernet 1 on Switch 2 is placed into VLAN 10,
PC5’s traffic will be able to communicate with all nodes on the VLAN. Furthermore,
Ethernet 1 will also be able to process the traffic that needs to be routed.
Revision 0919 9 - 21
ICX 200 Troubleshooting
Solution:
Ethernet 1/1/1 on Switch2 needs to be added to VLAN 10 using
the tag ethernet 1/1/1 command:
Revision 0919 9 - 22
ICX 200 Troubleshooting
Revision 0919 9 - 23
ICX 200 Troubleshooting
Revision 0919 9 - 24
ICX 200 Troubleshooting
Revision 0919 9 - 25
ICX 200 Troubleshooting
Troubleshooting LAGs
• Whether it’s a static or dynamic LAG, it is important to configure port groups that are the
same number of ports set to the same speed at both ends
– Individual interfaces can only be members of a single LAG
Footnote 1: Each port in the LAG will operate at the speed of the slowest link. For
example if one LAG is created with 2 ports and one is running at 1 Gbps and the other
is running at 100 Mbps; each link will run at 100 Mbps. This behavior will occur if the
ports are configured to auto, and negotiate to different speeds.
Revision 0919 9 - 26
ICX 200 Troubleshooting
Footnote 1: If the incorrect ports are configured port members will act independently
and can cause loops and possibly STP port blocking. Make sure both platforms have
the correct ports configured in the LAG. To ensure LAG speed consistency between
disable state and reboots, manually configure the vLAG port with a set speed which is
applied to all members using:
Ruckus(config-lag-if-lg1)# speed-duplex 1000-full
Footnote 2:. If there are not enough ports to meet the threshold the LAG will not be
active.
device(config)# lag blue static
device(config-lag-blue)# ports ethernet 1/3/1 to 1/3/4
device(config-lag-blue)# trunk-threshold 3
Footnote 3: If you specify neither long nor short, the state machine operates based
on the standard IEEE specification as its default behavior.
Revision 0919 9 - 27
ICX 200 Troubleshooting
Revision 0919 9 - 28
ICX 200 Troubleshooting
Revision 0919 9 - 29
ICX 200 Troubleshooting
• Route-only on interface
– BPDU’s will not be processed by a port in route-only mode
Basically, if Spanning Tree (or other equivalent loop avoidance protocol) is not
configured, a loop can easily occur. There are common issues that can affect and
impede the performance and normal operation of the Spanning Tree protocol.
If STP ports are configured for half duplex because the auto-negotiation handshake
didn’t work, STP BPDUs may be lost due to collisions. Use the show interface or show
interface brief command to make sure all ports are in full-duplex mode.
The route-only feature disables MAC learning and Layer 2 forwarding. As a result, STP
BPDUs or any Layer 2 traffic will not be forwarded.
STP protection features like BPDU guard should only be configured on the edge ports
and never on trunks or on uplinks to other switches.
If CPU is too busy (due to another process) to respond or send BDPUs, STP may
recoverge.
Revision 0919 9 - 30
ICX 200 Troubleshooting
• Useful commands:
– show span
– show 802-1w
– show log
– show interface brief
– show interface <port#>
– show cpu
– debug 802.1w messages vlan <vlan #>
– show mac-address
– show arp
Revision 0919 9 - 31
ICX 200 Troubleshooting
The show log output is also a good way to see recent STP events. In this output, port
1/1/19 and 1/1/20 is constantly transitioning between STP states.
Revision 0919 9 - 32
ICX 200 Troubleshooting
Revision 0919 9 - 33
ICX 200 Troubleshooting
Live Troubleshooting
– Supportsave
• Allows for the collecting logs from the driver, internal libraries, and firmware
– Debug
• Must know the category of the problem to use this effectively – OSPF, STP, LACP, etc.
– Mirror port
• Allows to capture packets for review using an analyzer
• Requires 3rd party capture tool (Wireshark is common option)
Revision 0919 9 - 34
ICX 200 Troubleshooting
Supportsave
Revision 0919 9 - 35
ICX 200 Troubleshooting
Supportsave
• Utility for collecting logs from the driver, internal libraries, and firmware
• Logs can be sent to technical support1
– Collection of relevant information of different categories as shown below:
• All - collects os,platform,l2,l3,core & system logs • Spx - collects spx related
• Core - collects core & system log files • System - collects generic system related
• Infra - collects infrastructure related
• L2 - collects layer 2 related • Custom - collects custom commands
• L3 - collects layer 3 related • Add_cust_cmd - add a custom option command
• OS - collects os related • Del_cust_cmd - delete a custom option command
• Platform - collects platform related • List_cust_cmd - lists all stored custom commands
• The supportsave command has the following advantages over the show tech-support
command:2
– Allows you to add additional commands to collect additional data
– Allows to transfer the collected data to an external server such as Secure Copy (SCP)
Footnote 1: The supportsave is an important utility for collecting logs from the driver,
internal libraries, and firmware. The collected logs are shared with the technical
support personnel for investigating issues seen on the device. It is recommended to
use the all variable to collect complete logs. There are many variables when it comes
to support save so refer to the FastIron debug command reference guide for more
details.
Footnote 2: It is a best practice to create a healthy baseline supportsave of your
network environment to be used as a comparison when trying to diagnose network
issues and periodically update it according to the change management cycle of your
network. Up to date supportsaves can provide critical information to help quickly
resolve network outages.
Revision 0919 9 - 36
ICX 200 Troubleshooting
Supportsave Commands
• Once collected the Supportsave data can be transferred to a remote server using TFTP or
SCP
– SCP Example:
ICX# supportsave all scp 10.1.1.104
User name:root
Password:
Supportsave started. This operation may take several minutes.
Press "Shift-A" to abort supportsave operation.
####################################################################
Connecting to remote host......
Sending data (8192 bytes per dot)
..............................................
SCP transfer from device completed
Connection Closed
Supportsave completed in 100 seconds
• Partial syntax: supportsave [add_cust_cmd | all | core | custom | del_cust_cmd | info | infra | l2 | l3 |
list_cust_cmd | os | platform | spx | system] [ tftp-ip | scp] scp-ip remote-server-file-path
TFTP Example:
ICX# supportsave all 10.37.2.40 fi/prince/supportsave
Supportsave started. This operation may take several
minutes.
Press "A" to abort supportsave operation.
ICX7750-48C
ICX#.***********************.............................
....................
.........................................................
........................
Supportsave completed in 100 seconds
Revision 0919 9 - 37
ICX 200 Troubleshooting
Debug
Revision 0919 9 - 38
ICX 200 Troubleshooting
Debug
Revision 0919 9 - 39
ICX 200 Troubleshooting
Debug Commands
• Using the debug destination command – Allows you to select an output destination;
Telnet, SSH, console(default), or logging 1
– To send debug output to a SSH session, first determine the session number using the show who command
SSH@ICX# show who | b SSH
SSH connections:
SSH connections (inbound):
1 established, client ip address 10.1.1.104, server hostkey RSA, user is admin, privilege super-user
using vrf default-vrf.
you are connecting to this session 4 minute(s) 13 second(s) in idle
<Output truncated>
– Once the session number is determined the debug output can be modified
SSH@ICX# debug destination ssh 1
• Debug commands can generate excessive output and can significantly slow device
operation
– Use debug commands with caution (Never use this command during periods of peak network activity)
– Issuing the undebug all command – Disables all debug functions currently enabled
– Issuing the show debug command– Shows all enabled debug settings
Footnote 1: To direct debug output to a different destination other than the default
console by selecting an active connection from the below options.
all, console, logging (automatic), SSH, telnet (both SSH and Telnet are from a number
from 1 through 5).
telnet Send debug message to telnet session (a number from 1 through 5).
This example indicates that you are connected through active SSH session 1. To
redirect the debug output to your SSH session, follow the command entry below.
SSH@ICX# show debug
Debug message destination: Console
SSH@ICX# debug destination ssh 1
SSH@ICX# show debug
Debug message destination: Console
Debug message destination: SSH session 1
Revision 0919 9 - 40
ICX 200 Troubleshooting
As seen in this output, there are various debug spanning-tree options. Descriptions
are provided to explain output.
Revision 0919 9 - 41
ICX 200 Troubleshooting
Debug Example
This command activates the debugging of RSTP BPDU packets. BPDU packet types
along with the port it was received/sent along with the VLAN/802.1w instance can be
determined.
Revision 0919 9 - 42
ICX 200 Troubleshooting
Revision 0919 9 - 43
ICX 200 Troubleshooting
• SPAN: Switched traffic is mirrored from multiple ports to one or more ports within the
same local switch facilitating exact packet capture on the destination port
– The monitor ports packets are copied and sent to a destination port (mirror port)
Uplink
• Example: one mirror port for ingress traffic and another mirror port
for egress traffic
– More than one monitored port can be assigned to the same
mirror port2
– The monitored port and its mirror port do not need to belong
to the same port-based VLAN:
• Frames are tagged with the monitor port VLAN ID if the mirror port is in a different VLAN from the monitored port
• Frames are tagged or untagged, depending on the mirror port configuration for mirror/monitored ports in the
same VLAN
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 44
Footnote 1: If a port is configured as a mirror port, all traffic will be forwarded in the
raw state that is was received or transmitted in from the monitor port, egress
information is not modified for configuration parameters of the mirror port.
Footnote 2: The mirror port cannot be a trunk port. Mirror ports speed is not related
to the speed of the ingress or egress monitored ports. Traffic that is being monitored
can possibly exceed the rate limit of the mirror port therefore any excess traffic in the
mirror port will be dropped.
Revision 0919 9 - 44
ICX 200 Troubleshooting
• Monitoring of a port can be done on an individual basis and can have ingress/egress or
both traffic forwarded to the mirror port
e 1/1/6 e 1/1/48
• Enter the slot and port number of the port that will be the mirrored and direct the
mirroring to the port indicating the traffic flow preference
ICX(config)# interface ethernet 1/1/6
ICX(config-if-e1000-1/1/6)# monitor ethernet 1/1/48 output
• Syntax: [no] monitor [ ethernet stackid/slot/port ] { both | input | output }
Revision 0919 9 - 45
ICX 200 Troubleshooting
VLAN-based Mirroring
• The VLAN-based mirroring feature allows users to monitor all incoming traffic in one or
more VLANs by sending a mirror image of that traffic to a configured mirror port1
– As with other ports on the switch, If the amount of traffic to the mirror port exceeds the available
bandwidth, some of that traffic may be dropped
Footnote 1: Supported on ICX 7750, ICX 7450 and ICX 7250 devices.
Footnote 2: Incoming tagged traffic is sent out tagged and incoming untagged traffic
is sent out untagged, regardless of which VLANs the mirror port belongs to, and
whether the mirror port is tagged or untagged.
Revision 0919 9 - 46
ICX 200 Troubleshooting
Revision 0919 9 - 47
ICX 200 Troubleshooting
• Select traffic passing through an interface can be mirrored by using the mirror option when
configuring an ACL
1. Mirror keyword in IPv4, Layer 2 and IPv6 ACL clauses directs matching traffic to be mirrored1
• ACL is used to direct IP traffic to a mirror port
ICX(config)# ip access-list extended mirror-list
ICX(config-ext-nacl)# permit icmp any any echo mirror
ICX(config-ext-nacl)# deny icmp host 192.0.2.100 any echo-reply mirror
ICX(config-ext-nacl)# permit ospf any any mirror
ICX(config-ext-nacl)# permit ip any any
• Syntax: [no] mac filter filter-num { permit | deny } { source-mac source-mask | any } { destination-mac
destination-mask | any } [ mirror ]
Footnote 1: As with any ACL, the final clause must permit desired traffic to flow: be
sure to add an appropriate permit any any clause to the end of any ACL intended to
mirror (and not filter) traffic. Failure to include the permit clause will result in
disruption of traffic through any interface to which the ACL is applied.
The following sections describe how to configure ACL-based Inbound Mirroring on an
ICX device:
• Creating an ACL with a mirroring clause
• Applying the ACL to an interface
• Specifying a destination mirror port
• Specifying the destination mirror port for physical ports
• Specifying the destination mirror port for a LAG
• Configuring ACL-based mirroring for ACLs bound to virtual interfaces
• Specifying the destination mirror port for IP receive ACLs
If both ACL mirroring and ACL-based rate limiting are applied on the same port, then
all packets that match are mirrored (including the packets that exceed the rate limit)
Revision 0919 9 - 48
ICX 200 Troubleshooting
Footnote 1: If you complete the rest of the configuration but do not specify a
destination mirror port, the port-mirroring ACL is non-operational.
Revision 0919 9 - 49
ICX 200 Troubleshooting
• If the LAG virtual interface is enabled for monitoring, the entire LAG is monitored1
– An individual member port of a LAG can also be configure for monitoring using the monitor command
from the LAG configuration mode
Revision 0919 9 - 50
ICX 200 Troubleshooting
• To configure an ACL for ACL-based mirroring bound to a virtual interface, you must use the
acl-mirror-port command on a physical port that is a member of the same VLAN as the
virtual interface
Revision 0919 9 - 51
ICX 200 Troubleshooting
Revision 0919 9 - 52
ICX 200 Troubleshooting
Revision 0919 9 - 53
ICX 200 Troubleshooting
• Remote Switched Port Analyzer (RSPAN) enables remote monitoring of multiple switches
across a Layer 2 network
– Monitors traffic from source ports distributed over multiple switches and forwarded to capture devices
that are centralized
• The configured source port or ports are mirrored to an RSPAN VLAN
– Ports that are members of this VLAN receive the mirrored traffic
– Trunking of the RSPAN VLAN can be configured forwarding traffic to the monitoring devices1
– As with other SPANs traffic transmitted, received, or both directions of traffic can be mirrored to the
RSPAN VLAN
Revision 0919 9 - 54
ICX 200 Troubleshooting
• Configure the RSPAN VLAN by using the rspan-vlan command source switch
S1(config)# rspan-vlan 4000
• Add source ports that are to be monitored specifying traffic flow capture
S1(config-rspan-vlan-4000)# rspan source monitor-both ethernet 1/1/1
Revision 0919 9 - 55
ICX 200 Troubleshooting
• Configure RSPAN VLAN and add ports that will be forwarding traffic to the destination
S2(config)# rspan-vlan 4000
S2(config-rspan-vlan-4000)# tagged ethernet 1/1/1 ethernet 1/1/2 tagged
ethernet
• Continue this configuration on any switches along the path to the destination
S1 S2 S3
e 1/1/1 e 1/1/2 e 1/1/2 e 1/1/2
e 1/1/1 e 1/1/1
The RSPAN VLAN will need to remain the same through the network so it is important
verify the VLAN ID chosen is not being used on any switches along the path. Repeat
this step on any intermediate devices to ensure the traffic is forwarded correctly to
the destination.
Revision 0919 9 - 56
ICX 200 Troubleshooting
• Define the RSPAN VLAN and associate incoming and destination ports as member ports1
S3(config)# rspan-vlan 4000
S3(config-rspan-vlan-4000)# tagged ethernet 1/1/1 ethernet 1/1/2
e 1/1/1 e 1/1/1
Revision 0919 9 - 57
ICX 200 Troubleshooting
Revision 0919 9 - 58
ICX 200 Troubleshooting
e 1/1/5 e 1/1/6
Host 1 Host 2
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 59
Revision 0919 9 - 59
ICX 200 Troubleshooting
ERSPAN Configuration
Revision 0919 9 - 60
ICX 200 Troubleshooting
Host 1 Host 2
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 61
Additional ports can be added to this profile using the monitor profile command
under the physical interface. If multiple interfaces are configured they will be shown
in the display as shown below.
ERSPAN configured on multiple local interfaces example:
ICX# show erspan profile
Profile 1
Type ERSPAN
Mirror destination Reachable.
Destination IP 2.2.2.2
Destination MAC 000c.2930.7e60
Source IP 1.1.1.1
Source MAC 609c.9fe6.0858
Outgoing port 1/1/1
Ports monitored:
Input monitoring : (U1/M1) 5 6
Input monitoring : (U1/M2) 1
Output monitoring : (U1/M1) 5 6
Output monitoring : (U1/M2) 1
HW destination id for each device:
stack_id/device:dest_id 1/1:3c000000
Revision 0919 9 - 61
ICX 200 Troubleshooting
There are seven reasons why a Mirror destination Not reachable error occurs.
Case Reason:
1 ARP is not resolved.
2 Route does not exist.
3 Outgoing port is a management port.
4 Outgoing port is a loopback port.
5 Outgoing port is a GRE IP tunnel port.
6 Outgoing port is not known.
7 Outgoing port is a sink port.
Revision 0919 9 - 62
ICX 200 Troubleshooting
Revision 0919 9 - 63
ICX 200 Troubleshooting
• ICX switches includes several defenses to combat the two most popular types of DoS
attacks:
– Smurf attacks where ICMP is used to flood a victim and TCP SYN attacks which use a partial TCP 3-way
handshake1
• Avoiding being an intermediary in a smurf attack when using Layer 3 router code globally
ICX(config)# no ip directed-broadcast
Revision 0919 9 - 64
ICX 200 Troubleshooting
• TCP SYN attacks exploit the process of how TCP connections are established to disrupt
normal traffic flow
– Destination hosts keep track of the incomplete TCP connections in a connection queue
– In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP addresses
filling the connection queue rapidly and possibly disallowing legitimate traffic
• To protect against participating in TCP SYN attacks on Ethernet and Layer 3 interfaces
ICX(config)# ip tcp burst-normal 1000 burst-max 3000 lockup 300
– Syntax: ip tcp burst-normal num-packets burst-max num-packets lockup time
– The number of incoming TCP SYN packets per second are compared to the threshold values:
– If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped
– If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of
seconds specified by the lockup value
It is important to understand that this feature helps keep your devices from being
participants in a botnet DDOS attack but does not protect servers from a TCP SYN
flood.
Great care must be taken to understand the normal SYN traffic rates from devices
connected to ports with TCP SYN attack protection enabled. Setting thresholds too
low can cause downstream clients to lose ability to create new TCP connections for
the lockup interval specified.
Syntax: ip tcp burst-normal value burst-max value lockup seconds
The burst-normal value can be from 1 – 100000.
The burst-max value can be from 1 – 100000.
The lockup value can be from 1 – 10000.
In this example, if the number of TCP SYN packets received per second exceeds 1000,
the excess packets are dropped. If the number of TCP SYN packets received per
second exceeds 3000, the device drops all TCP SYN packets for the next 300 seconds
(five minutes).
When incoming TCP SYN packets exceed the burst-max value, the following message
is logged.
<date> <time>:N:Local TCP exceeds <burst-max> burst
packets, stopping for <lockup> seconds!!
Revision 0919 9 - 65
ICX 200 Troubleshooting
For Layer 3 router code, if the interface is part of a VLAN that has a router VE, you
must configure TCP SYN attack protection at the VE level. When TCP SYN attack
protection is configured at the VE level, it will apply to routed traffic only. It will not
affect switched traffic.
The following example sets the threshold value for TCP SYN packets received on VE
31.
ICX(config)# interface ve 31
ICX(config-vif-31)# ip tcp burst-normal 5000 burst-max
10000 lockup 300
Revision 0919 9 - 66
ICX 200 Troubleshooting
• This command displays information about ICMP and TCP SYN packets dropped because
burst thresholds were exceeded
ICX# show statistics dos-attack
------------------------------ Local Attack Statistics -------------------------
ICMP TCP-SYN
-------------------------------------- --------------------------------------
Dropped pkts Blocked pkts Lockup Count Dropped pkts Blocked pkts Lockup Count
------------ ------------ ------------ ------------ ------------ ------------
0 0 0 0 0 0
---------------------------- Transit Attack Statistics ------------------------------
ICMP TCP-SYN
------------------------------------------- --------------------------------------
Port/VE Dropped pkts Blocked pkts Lockup Count Dropped pkts Blocked pkts Lockup Count
------- ------------ ------------ ------------ ------------ ------------ ------------
1/1/11 0 0 0 0 0 0
• Clearing of statistics provide the ability to identify if the threat is ongoing or prepare for
possible future events
ICX# clear statistics dos-attack
Revision 0919 9 - 67
ICX 200 Troubleshooting
Module Summary
Revision 0919 9 - 68
ICX 200 Troubleshooting
End of Module 9:
Troubleshooting
Revision 0919 9 - 69
ICX 200 Troubleshooting
Revision 0919 9 - 70
ICX 200 OSPF & VRF
Module 10:
OSPF and
Virtual Route Forwarding (VRF)
Revision 0919 10 - 1
ICX 200 OSPF & VRF
Module Objectives
– Use show and debug commands to assess and troubleshoot an OSPF network
Revision 0919 10 - 2
ICX 200 OSPF & VRF
OSPF Overview
• OSPF is a robust Interior Gateway Protocol (IGP) for medium to large networks
• Route topology database is created based on Shortest Path First (SPF) algorithm—Dijkstra’s
algorithm
Open Shortest Path First (OSPF) is a link-state routing protocol. Each OSPF device
originates link-state advertisement (LSA) packets to describe its link information.
These LSAs are flooded throughout the OSPF area. The flooding algorithm ensures
that every device in the area has an identical database. Each device in the area then
calculates a Shortest Path Tree (SPT) that shows the shortest distance to every other
device in the area, using the topology information in the Link State database.
OSPF Version 2 (OSPFv2) supports the exchange of IPv4 network prefixes.
OSPF Version 3 (OSPFv3) supports the exchange of IPv6 prefixes, which functions
similarly to OSPFv2, for IPv4 prefixes, except for the following enhancements:
• Ability to configure several IPv6 addresses on a device interface. (While OSPFv2
runs per IP subnet, OSPFv3 runs per link. In general, you can configure several
IPv6 addresses on a router interface, but OSPFv3 forms one adjacency per
interface only, using the link local address of the interface as the source for
OSPF protocol packets. On virtual links, OSPFv3 uses the global IP address of the
egress interface as the source. OSPFv3 imports all or none of the address
prefixes configured on a router interface. You cannot select the addresses to
import.)
• Ability to run one instance of OSPFv2 and one instance of OSPFv3 concurrently
on a link.
• Support for IPv6 link-state advertisements (LSAs).
NOTE – Although OSPFv2 and OSPFv3 function in a similar manner, Ruckus has
implemented the user interface for each version independently of the other.
Therefore, any configuration of OSPFv2 features will not affect the configuration of
OSPFv3 features and vice versa.
Revision 0919 10 - 3
ICX 200 OSPF & VRF
OSPF Support
• Area Types:
– Normal, Stub, Not-So-Stubby Area (NSSA), Totally Stub
Ruckus devices support the following types of LSAs, which are described in RFC 2328
and 3101:
• Router LSA (Type 1)
• Network LSA (Type 2)
• Summary LSA (Type 3)
• Autonomous system summary LSA (Type 4)
• AS external LSA (Type 5)
• Not-So-Stubby Area (NSSA) external LSA (Type 7)
• Grace LSAs (opaque LSA type 9)
Communication among areas is provided by means of link state advertisements
(LSAs). The LSAs supported for each area type are as follows:
• Backbone (area 0) supports LSAs 1, 2, 3, 4, and 5.
• Non-backbone area supports LSAs 1, 2, 3, 4, and 5.
• Stub area supports LSAs 1, 2, and 3.
• Totally stubby area (TSA) supports LSAs 1 and 2, and also supports a single LSA 3
per ABR, advertising a default route.
• No so stubby area (NSSA) supports LSAs 1, 2, 3, and 7.
• LSAs 8 and 9 are link-local, not area-wide.
Revision 0919 10 - 4
ICX 200 OSPF & VRF
– OSPF Authentication
– OSPF Virtual-Links
All of the features listed here will be discussed in the remainder of this module.
Revision 0919 10 - 5
ICX 200 OSPF & VRF
Router ID Requirement
• If no Router ID is configured, an ICX device uses the following to select a router ID:
– IP address configured on the lowest numbered loopback interface (loopback 1 > loopback 2)
– If there is no loopback interface configured the lowest numbered IP interface address on the device is
used (10.255.1.1 > 172.16.1.1)
• Layer 3 ICX switches use the same router ID for both OSPF and BGP4
Router(config)# ip router-id 10.157.22.26
Revision 0919 10 - 6
ICX 200 OSPF & VRF
1. Enter the router ospf and/or ipv6 router ospf command in global configuration mode to enable OSPF
on the device
4. Optionally, assign a virtual link to any ABR that does not have a direct link to the OSPF backbone area
Ruckus ICX switches allow the running of both OSPFv2 and OSPFv3 at the same time.
This is due to the independent configuration methods for each. Therefore, any
configuration of features for one version will not affect the configuration of the other.
As with all IPv6 features, the ipv6 unicast-routing command must be executed prior
to configuring any protocols that support the exchange of IPv6 addresses.
In most cases, the features described in the material can be used in both OSPFv2 and
OSPFv3 with minor changes in command syntax. The OSPFv3 versions of commands
and options available for them will be available in the notes section of the page.
Revision 0919 10 - 7
ICX 200 OSPF & VRF
OSPF Areas
• OSPF areas can be identified by either number1 or in dotted decimal (IPv4 address) format
– By default an area is normal, unless identified otherwise
– Each interface on a router can support only one area
Revision 0919 10 - 8
ICX 200 OSPF & VRF
• On each router:
e1 e1
1. Enable OSPF globally
Router_B(config)# router ospf
Router A Router B
Footnote 1: If the device is acting as an ABR, all areas in which the ABR is
participating need to be configured.
Footnote 2: When an interface is assigned to an area, the subnets assigned to that
interface are included in OSPF LSAs and OSPF hello messages are sent on each
subnet, by default.
You can configure and save the following OSPF changes without resetting the system:
• All OSPF interface-related parameters (for example: area, hello timer, router
dead time cost, priority, re-transmission time, transit delay)
• All area parameters
• All area range parameters
• All virtual-link parameters
• All global parameters
• Creation and deletion of an area, interface or virtual link
• Changes to address ranges
• Changes to global values for redistribution
• Addition of new virtual links
OSPFv3 Example:
Router_B(config)# ipv6 router ospf
Router_B(config-ospf6-router)# area 0
Router_B(config-ospf6-router)# interface e1/1/1
Router_B(config-if-e1000-1/1/1)# ipv6 address
2001:db8:12d:1011::/64 eui-64
Router_B(config-if-e1000-1/1/1)# ipv6 ospf area 0
Revision 0919 10 - 9
ICX 200 OSPF & VRF
OSPF Authentication
• Wait timers can be modified to allow more time before enforcing the security policy
(default 300 seconds)
ICX(config-if-e1000-1/1/1)# ip ospf authentication key-activation-wait-time 600
• Syntax: [no] ip ospf authentication key-activation-wait-time wait-time
Revision 0919 10 - 10
ICX 200 OSPF & VRF
• OSPF requires all non-backbone areas be directly connected to the backbone area (Area 0)
Area 2
• To create a virtual link: Router A Router E
RID: 10.10.10.1 RID: 209.157.22.1
– Both routers must share a common area Virtual Link
Area 0 Area 5
All ABRs must have either a direct or indirect link to the OSPFv2 backbone area
(0.0.0.0 or 0). If an ABR does not have a physical link to the area backbone, the ABR
can configure a virtual link to another router within the same area, which has a
physical connection to the backbone area.
The path for a virtual link is through an area shared by the neighbor ABR (router with
a physical backbone connection), and the ABR requires a logical connection to the
backbone.
Two parameters fields must be defined for all virtual links—transit area ID and
neighbor router:
• The transit area ID represents the shared area of the two ABRs and serves as
the connection point between the two routers. This number should match the
area ID value.
• The neighbor router field is the router ID (IP address) of the router that is
physically connected to the backbone, when assigned from the router interface
requiring a logical connection. When assigning the parameters from the router
with the physical connection, be aware that the neighbor router field uses the
router ID of the router requiring a logical connection to the backbone.
Virtual links cannot be configured in stub areas and NSSAs.
Revision 0919 10 - 11
ICX 200 OSPF & VRF
Revision 0919 10 - 12
ICX 200 OSPF & VRF
• Allows an OSPF router to reset without impacting neighbor SPF trees or Link State
Databases1
• Sends grace-LSAs to neighbor routers indicating it will restart within a specified amount of
time (grace period)
• Helper routers2 continue advertising the resetting router’s LSAs as if they were still fully
adjacent
• When the restarting router comes up it uses pre-reset routes to forward packets while re-
establishing neighbor relationships
• All grace-LSAs are flushed once neighbor relationships are fully established
Footnote 1: Useful for ISSU on non stop routing supporting devices, use with care on
devices without non-stop where other redundant paths exist since graceful restart
can black hole otherwise valid traffic.
The ICX implementation of Graceful Restart supports RFC 3623: Graceful OSPF
Restart. With this feature enabled, disruptions in forwarding are minimized and route
flapping diminished to provide continuous service during times when a router
experiences a restart.
A restarting router sends special LSAs to its neighbors called grace-lsas. These LSAs
are sent to neighbors either before a planned OSPF restart or immediately after an
unplanned restart. A grace LSA contains a grace period value that the requesting
routers asks its neighbor routers to use for the existing routes, to and through the
router after a restart.
The restarting router comes up, it continues to use its existing OSPF routes to forward
packets. In the background, it re-establishes OSPF adjacencies with its neighboring
router, relearns all OPSF LSAs, recalculates its OSPF routes, and replaces them with
new routes as necessary.
Once the restarting router relearns all OSPF routes, it flushes the grace LSAs from the
network, informing the helper routers of the completion of the restart process. If the
restarting router does not re-establish adjacencies with the helper router within the
restart time, the helper router stops the helping function and flushes the stale OSPF
routes.
Revision 0919 10 - 13
ICX 200 OSPF & VRF
• You can specify the maximum amount of time advertised to a neighbor router to maintain
routes from and forward traffic to a restarting router
Router(config-ospf-router)# graceful-restart restart-time 180
• You can prevent your router from participating in the OSPF Graceful Restart helper
function
Router(config-ospf-router)# graceful-restart helper-disable
OSPF graceful restart and graceful restart helper are enabled by default on ICX
devices. Use the following command to disable the graceful restart feature for the
global instance on a device.
Router(config)# router ospf
Router(config-ospf-router)# no graceful-restart
To re-enable graceful restart for the global instance:
Router(config-ospf-router)# graceful-restart
Use the following command to specify the maximum amount of time advertised to a
neighbor router to maintain routes from and forward traffic to a restarting router.
Router(config-ospf-router)# graceful-restart restart-
time 180
You can prevent your router from participating in OSPF Graceful Restart by using the
following command.
Router(config-ospf-router)# graceful-restart helper-
disable
Syntax: [no] graceful-restart [ helper-disable | restart-time seconds ]
Graceful restart and graceful restart helper capabilities are enabled by default.
Parameters:
• helper-disable - Disables the GR helper capability.
• restart-time - Specifies the maximum restart wait time, in seconds, advertised
to neighbors. The default value is 120 seconds. The configurable range of values
is from 10 through 1800 seconds.
Revision 0919 10 - 14
ICX 200 OSPF & VRF
• Cost (metric): Indicates the overhead required to send a packet across an interface
– Default cost is calculated by dividing reference-bandwidth, 100 Mbps by default, by the link speed
• 10 Mbps = 10
• 100 Mbps = 1
• 1 Gbps = 1
• 10 Gbps = 1
• 100 Gbps = 1
Each interface on which OSPFv2 is enabled has a cost associated with it. The device
advertises its interfaces and their costs to OSPFv2 neighbors. For example, if an
interface has an OSPFv2 cost of ten, the device advertises the interface with a cost of
ten to other OSPFv2 routers.
By default, an interface’s OSPFv2 cost is based on the port speed of the interface. The
cost is calculated by dividing the reference bandwidth by the port speed. The default
reference bandwidth is 100 Mbps, which results in the following default costs:
• 10 Mbps port - 10
• All other port speeds - 1
You can change the reference bandwidth. The following formula is used to calculate
the cost:
Cost = reference-bandwidth/interface-speed
The bandwidth for interfaces that consist of more than one physical port is calculated
as follows:
• LAG group - The combined bandwidth of all the ports.
• Virtual interface - The combined bandwidth of all the ports in the port-based
VLAN that contains the virtual interface.
The default reference bandwidth is 100 Mbps. You can change the reference
bandwidth to a value from 1—4294967.
If a change to the reference bandwidth results in a cost change to an interface, the
device sends a link-state update to update the costs of interfaces advertised by the
device.
Revision 0919 10 - 15
ICX 200 OSPF & VRF
• As a best-practice the default reference bandwidth should be the same for all routers in
the network
• For networks with interfaces over 100 Mbps, it is recommended to modify the reference
bandwidth
The chart below lists the recommended reference-bandwidth setting for routers
based on the routers highest interface speed. For routers with mixed
10/100/1000/10,000 Mbps Ethernet ports the recommended reference-bandwidth is
set equal to the highest-speed network link in Mbps.
Link Speed Reference-Bandwidth
100 Mbps or lower 100 Mbps (Default )
1 Gbps 1000 Mbps
10 Gbps 10000 Mbps
40 Gbps 40000 Mbps
100 Gbps 100000 Mbps
If you specify the cost for an individual interface, the cost you specify overrides the
cost calculated by the software.
OSPFv3 Example:
Router_B(config)# ipv6 router ospf
Router_B(config-ospf6-router)# auto-cost reference-
bandwidth 10000
Router_B(config)# int ethernet 1/1/2
Router_B(config-if-e1000-1/1/2)# ipv6 ospf cost 100
Revision 0919 10 - 16
ICX 200 OSPF & VRF
IP Load Sharing
• If the IP route table contains multiple paths to a destination, each having the lowest cost,
then the router uses IP load sharing to distribute the traffic
– You can enable a Layer 3 switch to load-balance above the
default of 4 equal-cost paths
Router(config)# ip load-sharing 5
Router(config)# show ip route
Total number of IP routes: 5
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
Destination Gateway Port Cost Type Uptime
1 10.1.1.0/24 DIRECT e 1/1/17 0/0 D 4h21m
2 10.168.1.0/24 DIRECT e 1/1/1 0/0 D 4h22m
3 10.255.255.0/24 10.1.1.2 e 1/1/17 110/2 O 17h27m
10.255.255.0/24 10.168.1.2 e 1/1/1 110/2 O 17h27m
10.255.255.0/24 192.123.2.2 e 1/1/8 110/2 O 17h27m
10.255.255.0/24 192.123.22.2 e 2/1/22 110/2 O 17h27m
10.255.255.0/24 192.123.44.2 e 3/1/24 110/2 O 1m27s
4 192.123.2.0/24 DIRECT ve 2 0/0 D 4h20m
5 192.123.22.0/24 DIRECT ve 20 0/0 D 4h20m
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 17
The IP route table can contain more than one path to a given destination. When this
occurs, the Layer 3 Switch selects the path with the lowest cost as the path for
forwarding traffic to the destination. If the IP route table contains more than one
path to a destination and the paths each have the lowest cost, then the Layer 3
Switch uses IP load sharing to select a path to the destination.
IP load sharing is based on the destination address of the traffic. Layer 3 Switches
support load sharing based on individual host addresses or on network addresses.
Stackable Layer 3 Switches support load sharing based on host addresses.
You can enable a Layer 3 Switch to load balance across up to eight equal-cost paths.
The default maximum number of equal-cost load sharing paths is four.
IP load sharing is not based on source routing, only on next-hop routing.
The term “path” refers to the next-hop router to a destination, not to the entire route
to a destination. Thus, when the software compares multiple equal-cost paths, the
software is comparing paths that use different next-hop routers, with equal costs, to
the same destination.
Equal cost paths can include OSPF, RIP and static routes. Maximum equal cost paths
vary between switch families. Consult your switch documentation on its load sharing
capabilities.
NOTE: On ICX 7650, ICX 7750, and ICX 7850 devices, the value range for the
maximum number of load-sharing paths is from 2 through 32 ,which is controlled by
the system-max max-ecmp command.
Revision 0919 10 - 17
ICX 200 OSPF & VRF
Redistribution
• Allows routes learned from other mechanisms and protocols to be advertised into OSPF
– Connected interfaces
– Static routes
– Dynamic routing protocols
• Redistribution of external routes into OSPF automatically makes the router an ASBR
The redistribution command under the routing protocol configuration context allows
routes learned from other mechanisms to be advertised into the protocol.
Redistribution enables one routing protocol to learn and advertise routes that exist
under some other process. The other process could be another dynamic routing
protocol (another instance of the same routing protocol or a different routing
protocol), static routes, or directly connected interfaces on which no routing protocol
has been enabled.
The redistribution rip command under router-ospf takes RIP routes and sends them
out as OSPF LSAs.
OSPF does not include directly connected networks in routing updates. The
redistribution connected command takes directly connected routes and sends them
out as OSPF LSAs.
Redistribution should be employed in conjunction with a redistribution route map.
Otherwise, you might accidentally overload the network with routes you did not
intend to redistribute.
OSPFv3 Example:
Router_B(config)# ipv6 router ospf
Router_B(config-ospf6-router)# redistribute ?
Revision 0919 10 - 18
ICX 200 OSPF & VRF
By default, Ruckus ICX ASBRs advertise external routes with a Type 2 metric.
In the graphic above, Router A (the ASBR) is advertising the external 10.10.10.0/24
network with a Type 2 metric. Router B is advertising the 20.20.20.0/24 network with
a Type 1 metric. Both external routes are assigned an external link cost of 2 when
advertised. For the route with a Type 1 metric, each router will add the OSPF link
cost before inserting it into the IP routing table. The route with a Type 2 metric does
not have the internal link costs added to the metric.
It is also important to note that a Type 1 external route is always preferred over a
Type 2 external route, regardless of the cost.
Revision 0919 10 - 19
ICX 200 OSPF & VRF
• A static default route with redistribute static will not propagate 0.0.0.0/0 into OSPF
Router_B(config-ospf-router)# default-information-originate
Note: the always parameter will advertise a default route even when one is not
statically configured. This may result in routing issues and problems with other
routing protocols .
OSPFv3 Example:
Router_B(config)# ipv6 router ospf
Router_B(config-ospf6-router)# default-information-originate
Revision 0919 10 - 20
ICX 200 OSPF & VRF
Passive Interface
• In some cases, networks on an interface should be advertised into OSPF, but should never
form adjacency with another OSPF router
• A passive interface does not send or process OSPF hello messages
• Can be configured on the entire interface, impacting all configured IPs
Revision 0919 10 - 21
ICX 200 OSPF & VRF
OSPF-Ignore
Networks configured with ospf-ignore are not represented as OSPF networks, but are
available for local routing.
This filter is used in cases where OSPF must be enabled on a multi-netted interface,
but not all IP networks configured are meant to be advertised to OSPF neighbors.
In the graphic above, the 192.168.40.129 interface does not send or respond to OSPF
message. In addition, the 192.168.40.128/28 network is not advertised to OSPF
neighbors because of the ospf-ignore argument applied to the IP address statement.
OSPFv3 Example:
Salt_Lake(config-if-e1000-1/1/7)# ipv6 address
2001:db8:144::1/64
Salt_Lake(config-if-e1000-1/1/7)# ipv6 address
2001:db8:128::1/64 ospf-ignore
Salt_Lake(config-if-e1000-1/1/7)# ipv6 ospf area 2
Revision 0919 10 - 22
ICX 200 OSPF & VRF
Revision 0919 10 - 23
ICX 200 OSPF & VRF
Distribution Lists
• Allow you to filter OSPF routes from being installed in the IP routing table
– Leverages Access Control Lists to define network filters
• Scenario: Salt Lake should not be allowed to reach the 192.168.60.64/26 block of networks
in Vancouver1
Footnote 1: This feature does not block receipt of LSAs for the denied routes being
sent to other routers. The Layer 3 switch still receives the routes and installs them in
the OSPF database. The feature only prevents the software from installing the denied
OSPF routes into the local IP route table. By default, all OSPF routes in the OSPF route
table are eligible for installation in the IP route table.
Revision 0919 10 - 24
ICX 200 OSPF & VRF
192.168.60.64/26 block
In the example above, an access-list (ACL) is created to define the network and mask
to deny. The ACL is then applied as a distribution list under the global OSPF router
configuration context to filter it in any incoming LSAs. In this manner, the distribution
list will prevent the denied network from being added to the IP routing table.
However, this does not prevent the route advertised in an LSA from entering Salt
Lake’s LSDB. It only prevents the SPF algorithm from installing the filtered route into
Salt Lake’s IP route table. This distribution-list is applied locally and only impacts the
router on which it is configured. All other routers that require this filter must have a
similar distribution list configured.
To configure an OSPFv2 distribution list using ACLs:
• Configure an ACL that identifies the routes you want to deny. Using a standard
ACL allows you deny routes based on the destination network, but does not
filter based on the network mask. To also filter based on the network mask of
the destination network, use an extended ACL.
• Configure an OSPFv2 distribution list that uses the ACL as input.
Syntax: distribute-list access-list list-name in
Revision 0919 10 - 25
ICX 200 OSPF & VRF
You can filter the routes to be placed in the OSPFv3 route table by configuring
distribution lists.
The functionality of OSPFv3 distribution lists is similar to that of OSPFv2 distribution
lists. However, unlike OSPFv2 distribution lists, which filter routes based on criteria
specified in an Access Control List (ACL), OSPFv3 distribution lists can filter routes
using information specified in an IPv6 prefix list or a route map.
Prefix lists are configured in a similar manner to ACLS, but offer additional
functionality.
For example:
Salt_Lake(config)# ipv6 prefix-list PARTNER-net deny
2001:db8:e0bb::/64
Salt_Lake(config)# ipv6 router ospf
Salt_Lake(config-ospf6-router)# distribute-list prefix-list
PARTNER-net in
Syntax:
• ipv6 prefix-list { name | sequence-number } deny ipv6-prefix/prefix-length [ ge
ge-value ] [ le le-value ]
• ipv6 prefix-list { name | sequence-number } description string
• ipv6 prefix-list { name | sequence-number } permit ipv6-prefix/prefix-length [
ge ge-value ] [ le le-value ]
• ipv6 prefix-list { name | sequence-number } seq sequence-number permit ipv6-
prefix/prefix-length [ ge ge-value ] [ le levalue ]
• ipv6 prefix-list { name | sequence-number } seq sequence-number deny ipv6-
prefix/prefix-length [ ge ge-value ] [ le levalue ]
Revision 0919 10 - 26
ICX 200 OSPF & VRF
11000000.00000001.000000 01.00000000
11000000.00000001.000000 10.00000000
11000000.00000001.000000 11.00000000
Matching bits = 22
Document the summarized address by taking the matching bits, setting the remaining
bits to zero and adding the mask determined in the previous step
For example:
11000000.00000001.00000000.00000000 + mask = 192.1.0.0/22
Revision 0919 10 - 27
ICX 200 OSPF & VRF
Revision 0919 10 - 28
ICX 200 OSPF & VRF
OSPF BGP
Area 3 ASBR
e1 e1 e3 e3 e7
1.3.0.2/24 1.3.0.1/24 1.2.0.2/24 1.2.0.1/24
Seattle Portland Vancouver
Multinetted e7
Mask=24
1.1.0.1
1.1.1.1
1.1.2.1
1.1.3.1
1.1.4.1
1.1.5.1
1.1.6.1
1.1.7.1
Matching Bits Summary Address/
= 21 Summary Mask = 1.1.0.0/21
Revision 0919 10 - 29
ICX 200 OSPF & VRF
OSPF BGP
Area 3 ASBR
e1 e1 e3 e3 e7
1.3.0.2/24 1.3.0.1/24 1.2.0.2/24 1.2.0.1/24
Seattle Portland Vancouver
Seattle# show ip ospf database external Multinetted e7
Type-5 AS External Link States Mask=24
Index Age LS ID Router Netmask Metric Flag Fwd Address SyncState
1 209 1.2.0.0 1.2.0.2 ffffff00 8000000a 0000 10.3.3.1 Done
1.1.0.1
2 209 1.1.0.0 1.2.0.2 fffff800 8000000a 0000 10.3.3.1 Done 1.1.1.1
1.1.2.1
Seattle# show ip route
Total number of IP routes: 3
1.1.3.1
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric 1.1.4.1
BGP Codes - i:iBGP e:eBGP 1.1.5.1
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
Destination Gateway Port Cost Type Uptime
1.1.6.1
1 1.1.0.0/21 1.3.0.1 e 1/1/1 10/2 O 1h31m 1.1.7.1
3 1.2.0.0/24 1.3.0.1 e 1/1/1 10/2 O 1h31m
4 1.3.0.0/24 DIRECT e 1/1/1 0/0 D 1h31m
The summarized external routes reduced the number of entries in the OSPF database
and the IP routing table.
The above graphic displays the OSPF external LSDB and IP routing table after the
summarization command has been executed on the ASBR, Portland. When looking at
the external LSAs in Portland’s database, the number of LSAs in the external LSDB has
dropped from eight to two. The number of routes in the IP routing table has dropped
from nine to three.
Enabling summarization on the ASBR does not summarize the routes in the ASBRs
route table. It only impacts advertised routes from the ASBR. They still appear as
individual routes in the ASBRs IP route table, but they are summarized in the
neighbor’s IP route table.
Revision 0919 10 - 30
ICX 200 OSPF & VRF
Area 2 Area 0
ABR ASBR BGP Router
e7 e2 e2 e1 e1 e3 e3
1.4.0.2/24 1.4.0.1/24 1.3.0.2/24 1.3.0.1/24 1.2.0.2/24 1.2.0.1/24
Salt Lake Seattle Portland Vancouver
Multinetted e7
Mask=24
1.4.1.1
1.4.2.1
1.4.3.1
1.4.4.1
1.4.5.1
1.4.6.1
1.4.7.1
Revision 0919 10 - 31
ICX 200 OSPF & VRF
Area 2 Area 0
ABR ASBR BGP Router
e7 e2 e2 e1 e1 e3 e3
1.4.0.2/24 1.4.0.1/24 1.3.0.2/24 1.3.0.1/24 1.2.0.2/24 1.2.0.1/24
Salt Lake Seattle Portland Vancouver
Multinetted e7
Mask=24
1.4.1.1
1.4.2.1
1.4.3.1
1.4.4.1
1.4.5.1
1.4.6.1
1.4.7.1
The area range command can only be used to summarize native OSPF routes at ABRs.
The ABR creates an aggregate value based on the address range. The aggregate value
becomes the address that the ABR advertises instead of advertising the individual
addresses represented by the aggregate. Only this aggregate or summary address is
advertised into other areas instead of all the individual addresses that fall in the
configured range. Area range configuration can considerably reduce the number of
Type 3 summary LSAs advertised by a device. You have the option of adding the cost
to the summarized route. If you do not specify a value, the cost value is the default
range metric calculation for the generated summary LSA cost.
You can assign up to 32 ranges in an OSPF area.
This feature only applies to the ABR, when configured anywhere else it has no affect.
Revision 0919 10 - 32
ICX 200 OSPF & VRF
Revision 0919 10 - 33
ICX 200 OSPF & VRF
Footnote 1: OSPFv3 show commands are also available as you see here using ipv6
within the command. Example: show ipv6 route
show ip route – displays routes, use show ip ospf route to display only OSPF routes
show ip ospf route – route tables can be extremely long; this command allows you to
see only OSPF routes; especially important if doing redistribution of other routing
protocols, like BGP
show ip ospf database – displays link state database; used for troubleshooting
corrupted databases, a possible problem with large OSPF implementations
show ip ospf area – displays type of area (Normal, Stub, NSSA). NSSA is Not So
Stubby Area. Used when troubleshooting neighbor problems when converting stub
area to normal or vice versa. All routers in an area must be configured for the same
area type.
show ip ospf neighbor – common command used when troubleshooting OSPF
neighbor problems. Tells you the current neighbor state.
show ip ospf interface - displays area ID and adjacency information on a per interface
basis. Gives more detail than show ip ospf neighbor.
show ip ospf border-routers - shows router’s that are ABRs or ASBRs.
show ip ospf config - displays only the OSPF part of your startup-config.
Revision 0919 10 - 34
ICX 200 OSPF & VRF
The above slide is a report from show ip ospf interface executed on Router_B. This is
shown for the 172.16.1.2 interface. It states what area the interface is in and its title;
Designated Router (DR) or Backup Designated Router (BDR). It also states the router
ID for the DR and BDR with their corresponding interface addresses. Note that the
router ID for the DR and the interface addresses are the same. However, for the BDR,
the router ID and the interface address are different. The address 172.16.1.2 is the
lowest numerical address on any of Router_B interfaces, so it becomes Router_B’s
router ID. Router_A, on the other hand, has a loopback interface defined, so the
lowest numbered loopback is chosen to be the router ID for Router_A. By lowest
numbered, we mean that if both Lo1 and Lo2 were configured, Lo1 would be chosen
as the router ID.
During the election process, the router with the highest router ID wins. Based on this
report it would seem that Router_A would win the election with a high ID. However,
if Router_A is power cycled, the router ID will change and a new election will take
place making Router_A the new DR. Therefore during the OSPF election, Router_A
lost with a lower router ID of 172.16.1.1. This did not change with configuration of
the loopback on Router_A. However, if Router_B is power cycled, a new election
occurs, and Router_A will take over as DR.
OSPFv3 Example:
Router_B# show ipv6 ospf interface
Syntax: show ipv6 ospf interface [ brief ] [ ethernet unit/slot/port ] [ loopback
number ] [ tunnel number ] [ ve vlan_id ]
Revision 0919 10 - 35
ICX 200 OSPF & VRF
• Use the show ip ospf interface brief to quickly see status of OSPF connections
Router_B# show ip ospf interface brief
Number of Interfaces is 4
Router B
More details about OSPF interfaces can be gathered from the show ip ospf interface
command, without the brief option. These details are useful if you inspecting a
particular OSPF interface. In most cases the brief option is used to provide a quick
view of all OSPF interfaces.
OSPFv3 Example:
Router_B# show ipv6 ospf interface
Syntax: show ipv6 ospf interface [ brief ] [ ethernet unit/slot/port ] [ loopback
number ] [ tunnel number ] [ ve vlan_id ]
Revision 0919 10 - 36
ICX 200 OSPF & VRF
• LSAs populating the OSPF Database can be viewed using the following command:
Router# show ip ospf database
The OSPFv2 show ip ospf database command is very robust and provides several
options to look at specific information related to the OSPF link-state database. These
include:
• database-summary – Displays how many link state advertisements (LSAs) of
each type exist for each area, as well as total number of LSAs.
• external-link-state – Displays information by external link state, i.e.
redistributed routes.
• link-state – Displays networks originated within the OSPF domain.
• grace-link-state – Displays LSAs generated as part of the graceful restart
process.
The show ipv6 ospf database command displays information related to the OSPFv3
link-state database.
• extensive - Displays detailed lists of LSA information.
• as-external - Displays information about external LSAs.
• inter-prefix - Displays information about inter area prefix LSAs.
• inter-router - Displays information about inter area router LSAs.
• intra-prefix - Displays information about intra area prefix LSAs.
• link decimal - Displays information about the link LSAs.
• network - Displays information about network LSAs.
• router - Displays information about router LSAs.
• area - Displays LSAs by scope within a specified area.
• as - Displays autonomous system (AS) LSAs by scope.
• summary - Displays LSA summary information.
Revision 0919 10 - 37
ICX 200 OSPF & VRF
• To display useful information about an OSPF neighbor, use the show ip ospf neighbor
command
• Displays neighbor specific information including:
– OSPF priority
– Adjacency state and role
– IP address OSPF messages originate from
– Router-ID
– Number of state change events
The above slide is a report from show ip ospf neighbor executed on Router B. The
following are the descriptions of the fields:
• Port: The port through which the Layer 3 Switch is connected to the neighbor.
• Address: The IP address of this Layer 3 Switch’s interface with the neighbor.
• Pri: The OSPF priority of the neighbor. The priority is used during election of the
Designated Router (DR) and Backup Designated Router (BDR).
• State: The state of the conversation between the Layer 3 Switch and the
neighbor, and the title of the neighbor. The state field can have one of the
following values: Down, Init, 2-way, ExStart, Exchange, Loading, Full. The
neighbors title field can be: DR, BDR or other.
• Neigh Address: The IP address of the neighbors connected interface.
• Neigh ID: The neighbors router ID
• EV: The number of times a neighbor’s state has changed.
Syntax: show ip ospf neighbor [ extensive | num | router-id A.B.C.D ]
OSPFv3 Example:
Router_B# show ipv6 ospf neighbor
Total number of neighbors in all states: 1
Number of neighbors in state Full : 1
RouterID Pri State DR BDR Interface [State] Bfd-State
161.79.5.1 1 Full 161.79.8.1 161.79.5.1 e 1/1/1 [DR] NA
Syntax: show ipv6 ospf neighbor [ detail | router-id A.B.C.D ]
Revision 0919 10 - 38
ICX 200 OSPF & VRF
In the above slide, debug ip ospf packet is enabled on Salt Lake. The link between Salt
Lake and San Diego is down. When the link is connected, the subsequent adjacency
states are revealed by the packets that are transferred.
Note that contents of the packet types are indented under the packet title.
In the “Exchange” block, San Diego has advertised its Database contents. Note that
Salt Lake will recognize its own LSA and LSAs that are from Area 0.
The states that a router passes through during the adjacency process: Init, 2-way,
ExStart (Exchange Start), Exchange, Loading, and Full can be viewed with the debug ip
ospf adj command.
Revision 0919 10 - 39
ICX 200 OSPF & VRF
• adj – Reports OSPF neighbor-states leading to forming and tearing down a neighbor
adjacency. Example neighbor states are: Down, Initializing, One-way to 2-way, Exchange-
start, Loading, and Full. The sending and receiving of hellos causing the transitions through
these states are reported. The transitions back through these states, from Full to Down
are also reported due to an inactivity timer. This state information is limited to links
directly connected to the reporting router.
• events – Reports when a DR/BDR election is occurring, what is the final BDR and DR for a
LAN segment, and reports post election Database Exchanges. This router title information
is limited to links directly connected to the reporting router.
• flood – Reports OSPF flooding code paths, and the messages will also indicate the flooding
destinations (such as the area or the whole AS). It will report instances when OSPF is
receiving self-originated LSAs as well. Note: enabling this command will also copy debug
messages to the log buffer.
• log-debug-message – Enables/disable the logging (in "show log") of OSPF log messages. It
is used when there is repetitive OSPF log messages constantly filling up the log buffer. Use
this command to disable OSPF from logging log messages, thus allow other log messages
to stay in log buffer longer.
• log-empty-lsa – Will enable/disable logging of empty-lsa messages. This log message
quickly fills the log buffer, potentially overwriting more relevant log entries.
• lsa-generation – Reports when OSPF receives and processes LSAs and indicates if/why the
LSA is bad. Also tracks the receiving of LSA ACKs and when OSPF is installing a new LSA in
the database.
• packet – Provides a continuously decoded dump of all messages sent and received
by OSPF. Use with caution, will cause extensive screen activity.
• retransmission – Reports when OSPF adds or removes LSAs into the retransmission list.
• spf -short – This command enables displaying of a message on console when SPF
calculation is being invoked.
Revision 0919 10 - 40
ICX 200 OSPF & VRF
Virtual Routing
and Forwarding (VRF)
Revision 0919 10 - 41
ICX 200 OSPF & VRF
Multi-VRF
Virtual Routing and Forwarding (VRF) allows routers to maintain multiple routing
tables and forwarding tables on the same router. A Multi-VRF router can run multiple
instances of routing protocols with a neighboring router with overlapping address
spaces configured on different VRF instances.
Central to VRF-Lite is the ability to maintain multiple VRF tables on the same Provider
Edge (PE) Router. VRF-Lite uses multiple instances of a routing protocol such as OSPF
or BGP to exchange route information for a VPN among peer PE routers. The VRFLite
capable PE router maps an input customer interface to a unique VPN instance. The
router maintains a different VRF table for each VPN instance on that PE router.
Multiple input interfaces may also be associated with the same VRF on the router, if
they connect to sites belonging to the same VPN. This input interface can be a
physical interface or a virtual Ethernet interface on a port.
In Multi-VRF deployments:
• Two VRF-capable routers must be directly connected at Layer 3, deploying BGP,
OSPF, or static routes.
• Each VRF maintains unique routing and forwarding tables.
• Each VRF can be assigned one or more Layer 3 interfaces on a router to be part
of the VRF.
• Each VRF can be configured with IPv4 address family, IPv6 unicast address
family, or both.
• A packet’s VRF instance is determined based on the VRF index of the interface
on which the packet is received.
• Separate routing protocol instances are required for each VRF instance.
• Overlapping address spaces can be configured on different VRF instances.
Revision 0919 10 - 42
ICX 200 OSPF & VRF
– To store routes for a non-default VRF, the ICX system-max values must be modified
The default ICX 7250 configuration does not allow space for VRF routing tables. As a
result, you must modify VRF-related system-max values before configuring a VRF
instance. The following table lists commands that configure system-max values at the
global level.
Revision 0919 10 - 43
ICX 200 OSPF & VRF
Configuring Multi-VRF
A device can be configured with more than one VRF instance. You should define each
VRF instance before assigning the VRF to a Layer 3 interface. The range of the
instance name is from 1 through 255 alphanumeric characters. Each VRF instance is
identified by a unique Route Distinguisher (RD), which is prepended to the address
being advertised. Because the RD provides overlapping client address space with a
unique identifier, the same IP address can be used for different VRFs without conflict.
The RD can be an AS number, followed by a colon (:) and a unique arbitrary number
as shown below. Alternatively, it can be a local IP address followed by a colon (:) and
a unique arbitrary number, as in "1.1.1.1:100."
Use the address-family command in VRF configuration mode to specify an IPv4 or
IPv6 address family. For a specific address family you can also configure static route,
static ARP, IGMP, and multicast for IPv4, and static route, IPv6 neighbor, and multicast
for IPv6.
ICXPE2 Configuration Example:
ICXPE2(config)# vrf red
ICXPE2(config-vrf-tenent1)# rd 20:20
ICXPE2(config-vrf-tenent1)# address-family ipv4
ICXPE2(config-vrf-tenent1-ipv4)# exit
ICXPE2(config)# router ospf vrf tenent1
ICXPE2(config-ospf-router-vrf-tenent1)# area 0
ICXPE2(config-ospf-router-vrf-tenent1)# exit
ICXPE2(config)# interface ethernet 1/1/3
ICXPE2(config-if-e1000-1/1/1)# vrf forwarding tenent1
ICXPE2(config-if-e1000-1/1/1)# ip address 192.0.2.2/30
ICXPE2(config-if-e1000-1/1/1)# ip ospf area 0
Revision 0919 10 - 44
ICX 200 OSPF & VRF
• Both Green and Red VRFs maintain their own routing table in each PE router
– Each VRF also maintains their own OSPF routing instance
CE1 CE3
OSPF Area 0
Routes Routes
100.1.2.0/24 100.2.2.0/24
100.1.3.0/24 100.3.1.0/30 for green 100.2.3.0/24
VRF (vlan 10)
.2 100.3.1.0/30 for red .2
100.1.1.0/30 VRF (vlan 20) 100.2.1.0/30
OSPF Area 3 .1 e2 PE1 PE2 e2 .1 OSPF Area 2
e1 e1
CE2 CE4
.1 .2
Routes .1 e3 e3 .1 Routes
100.1.2.0/24 100.1.1.0/30 100.2.1.0/30 100.2.2.0/24
100.1.3.0/24 This link carries traffic 100.2.3.0/24
.2 from both green and .2
red VRFs (VPN)
Footnote 1: Multi-VRF uses the input interface to uniquely identify the associated
VPN, which is why the two PE routers should be directly connected at Layer 3
The 2 PEs routers have to be routers that are capable of supporting VRF routing
(either with or without MPLS support). They connect all four CE routers together with
a single link between the two of them. Note that this single link between the 2 PEs
could also be replaced by a layer-2 switched network if direct physical connection
between the PEs is not possible. The only requirement for the connections is that the
2 PEs have to be “directly connected” at layer 3.
PE1 configuration:
In this configuration, VLANs 10 and 20 are created as a link on a tagged port (e1)
between PE1 and PE2. Two VRFs (“RED” and “GREEN”) are then defined with each
having a unique Route Distinguisher (RD). VRF “Green” is assigned an RD value of
10:10, and VRF “Red” is assigned an RD value of 20:20. Because OSPF is the only
routing protocol used in this set-up, multiple OSPF areas are used. Area 0 is
configured between the two PEs. Area 1 is configured PE1 and CE’s 1 and 2. Area 0 is
configured between the two PEs. Area 2 is configured PE2 and CE’s 3 and 4. The
virtual Interfaces (ve10 and ve20) are configured with the same IP address
(10.3.1.1/30) and for VRF forwarding in the appropriate VRF (Green or Red). Both
VRFs on both PEs have OSPF adjacency in Area 0.
Revision 0919 10 - 45
ICX 200 OSPF & VRF
PE1(config)# vlan 10
PE1(config-vlan-10)# tagged e 1/1/1
PE1(config-vlan-10)# router-interface ve 10
PE1(config-vlan-10)# vlan 20
PE1(config-vlan-20)# tagged e 1/1/1
PE1(config-vlan-20)# router-interface ve 20
PE1(config-vlan-20)# exit-vrf
PE1(config)# vrf green
PE1(config-vrf-green) rd 10:10
PE1(config-vrf-green) address-family ipv4
PE1(config-vrf-green) vrf red
PE1(config-vrf-red) rd 20:20
PE1(config-vrf-red) address-family ipv4
PE1(config-vrf-red) exit-vrf
PE1(config)# router ospf vrf green
PE1(config-ospf-router-vrf-green)# area 0
PE1(config-ospf-router-vrf-green)# area 1
PE1(config-ospf-router-vrf-green)# exit
PE1(config)# router ospf vrf red
PE1(config-ospf-router-vrf-red)# area 0
PE1(config-ospf-router-vrf-red)# area 1
PE1(config-ospf-router-vrf-red)# exit
PE1(config)# interface ethernet 1/1/2
PE1(config-if-e1000-1/1/2)# vrf forwarding green
PE1(config-if-e1000-1/1/2)# ip ospf area 1
PE1(config-if-e1000-1/1/2)# ip address 100.1.1.1/30
PE1(config-if-e1000-1/1/2)# interface ethernet 1/1/3
PE1(config-if-e1000-1/1/3)# vrf forwarding red
PE1(config-if-e1000-1/1/3)# ip ospf area 1
PE1(config-if-e1000-1/1/3)# ip address 100.1.1.1/30
PE1(config-if-e1000-1/1/3)# exit
PE1(config)# interface ve 10
PE1(config-vif-10)# vrf forwarding green
PE1(config-vif-10)# ip ospf area 0
PE1(config-vif-10)# ip address 100.3.1.1/30
PE1(config-vif-10)# Interface ve 20
PE1(config-vif-20)# vrf forwarding red
PE1(config-vif-20)# ip ospf area 0
PE1(config-vif-20)# ip address 100.3.1.1/30
Revision 0919 10 - 46
ICX 200 OSPF & VRF
PE2(config)# vlan 10
PE2(config-vlan-10)# tagged e 1/1/1
PE2(config-vlan-10)# router-interface ve 10
PE2(config-vlan-10)# vlan 20
PE2(config-vlan-20)# tagged e 1/1/1
PE2(config-vlan-20)# router-interface ve 20
PE2(config-vlan-20)# exit-vrf
PE2(config)# vrf green
PE2(config-vrf-green) rd 10:10
PE2(config-vrf-green) address-family ipv4
PE2(config-vrf-green) vrf red
PE2(config-vrf-red) rd 20:20
PE2(config-vrf-red) address-family ipv4
PE2(config-vrf-red) exit-vrf
PE2(config)# router ospf vrf green
PE2(config-ospf-router-vrf-green)# area 0
PE2(config-ospf-router-vrf-green)# area 1
PE2(config-ospf-router-vrf-green)# exit
PE2(config)# router ospf vrf red
PE2(config-ospf-router-vrf-red)# area 0
PE2(config-ospf-router-vrf-red)# area 1
PE2(config-ospf-router-vrf-red)# exit
PE2(config)# interface ethernet 1/1/2
PE2(config-if-e1000-1/1/2)# vrf forwarding green
PE2(config-if-e1000-1/1/2)# ip ospf area 1
PE2(config-if-e1000-1/1/2)# ip address 100.2.1.1/30
PE2(config-if-e1000-1/1/2)# interface ethernet 1/1/3
PE2(config-if-e1000-1/1/3)# vrf forwarding red
PE2(config-if-e1000-1/1/3)# ip ospf area 1
PE2(config-if-e1000-1/1/3)# ip address 100.2.1.1/30
PE2(config-if-e1000-1/1/3)# exit
PE2(config)# interface ve 10
PE2(config-vif-10)# vrf forwarding green
PE2(config-vif-10)# ip ospf area 0
PE2(config-vif-10)# ip address 100.3.1.2/30
PE2(config-vif-10)# Interface ve 20
PE2(config-vif-20)# vrf forwarding red
PE2(config-vif-20)# ip ospf area 0
PE2(config-vif-20)# ip address 100.3.1.2/30
Revision 0919 10 - 47
ICX 200 OSPF & VRF
Revision 0919 10 - 48
ICX 200 OSPF & VRF
Revision 0919 10 - 49
ICX 200 OSPF & VRF
Management VRF
Revision 0919 10 - 50
ICX 200 OSPF & VRF
Revision 0919 10 - 51
ICX 200 OSPF & VRF
Revision 0919 10 - 52
ICX 200 OSPF & VRF
Revision 0919 10 - 53
ICX 200 OSPF & VRF
Module Summary
– Use show and debug commands to assess and troubleshoot an OSPF network
Revision 0919 10 - 54
ICX 200 OSPF & VRF
Revision 0919 10 - 55
ICX 200 OSPF & VRF
Revision 0919 10 - 56
ICX 200 Border Gateway Protocol
Module 11:
Border Gateway Protocol (BPG)
Revision 0919 11 - 1
ICX 200 Border Gateway Protocol
Module Objectives
Revision 0919 11 - 2
ICX 200 Border Gateway Protocol
BGP Overview
• BGP is standard Exterior Gateway Protocol (EGP) used on the Internet today for inter-
domain AS routing
• BGP peers only exchange full routing tables after peer establishment
– No periodic updates
Revision 0919 11 - 3
ICX 200 Border Gateway Protocol
• Prefixes are placed in BGP database, where the best path to each prefix is placed in the
BGP database
– BGP validates prefixes received for viable next hop
– If BGP peer is dropped, routes are withdrawn
Revision 0919 11 - 4
ICX 200 Border Gateway Protocol
BGP4+
• Multiprotocol BGP (MBGP) extensions that allows the BGP protocol to distribute IPv6
routing information
• Supports all of the same features and functionality of IPv4 BGP (BGP4)
Revision 0919 11 - 5
ICX 200 Border Gateway Protocol
AS 10
AS 10 AS 30
Revision 0919 11 - 6
ICX 200 Border Gateway Protocol
• Four-byte AS numbers (AS4) allow backwards compatibility with two byte AS BGP speakers
– AS4 capabilities are discovered during neighbor establishment
– AS advertisements are limited to a two byte format by replacing their AS4 number with AS 23456
Revision 0919 11 - 7
ICX 200 Border Gateway Protocol
• The tasks listed here, and shown in the module, describe the basic steps for configuring
BGP connectivity and route exchange:
Revision 0919 11 - 8
ICX 200 Border Gateway Protocol
Revision 0919 11 - 9
ICX 200 Border Gateway Protocol
When using CLI, you set global level parameters at the BGP CONFIG Level of the CLI.
You can reach the BGP CONFIG level by entering the router bgp CLI command.
The system will display the next step to take:
BGP: Please configure 'local-as' parameter in order to
enable BGP.
Set the router’s local AS number using the following local-as command.
Syntax: [no] local-as num
The num parameter specifies local AS number.
The local AS number identifies the AS the Ruckus BGP router is in. The AS number can
be from 1– 4,294,967,296. There is no default. AS numbers 64512 – 65535 are the
well-known private BGP AS numbers and are not advertised to the Internet
community.
Note: The Ruckus ICX complies with RFC 4893 - BGP Support for Four-octet (32-bit)
AS Number Space
These global configuration steps are the same when implementing either BGP4 (IPv4)
or BGP4+ (IPv6).
Revision 0919 11 - 10
ICX 200 Border Gateway Protocol
AS 22787 AS 33090
e1: e1:
198.135.207.2/30 198.135.207.1/30
Router C Router A
• Neighbors are added manually and are automatically identified as IBGP or EBGP peers
– Determined by comparing local-as to remote-as
• Match = IBGP
• No match = EBGP
• As soon as a BGP neighbor is added, the router tries to establish a BGP session
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 11
The BGP protocol does not contain a peer discovery process. Therefore, for each of
the router BGP neighbors (peers), you must indicate the neighbor IP address and the
AS each neighbor is in. Neighbors that are in different ASs communicate using EBGP.
Neighbors within the same AS communicate using IBGP.
When BGP is enabled on an ICX Layer 3 Switch, you do not need to reset the system.
The protocol is activated as soon as you enable it. Moreover, the router begins a BGP
session with a BGP neighbor as soon as you add the neighbor.
When adding a BGP neighbor, the configured neighbor IP address must be valid and
reachable.
Revision 0919 11 - 11
ICX 200 Border Gateway Protocol
AS 33090
Router A Router B
Revision 0919 11 - 12
ICX 200 Border Gateway Protocol
Because loopback interfaces are being used for the IBGP peering session, additional
configuration steps are required. Until those steps are taken, the state of the peers
will be Active (ACTIV). The explanation for this behavior is related to the default
behavior of a router’s interface use when attempting to establish a peer session.
Revision 0919 11 - 13
ICX 200 Border Gateway Protocol
• IBGP requires full-mesh connectivity between peers over Interior Gateway Protocol (IGP)
• For redundant paths, use loopbacks to establish session
• The update-source command forces the router to use an alternate interface for peer
(neighbor) communication
AS 100
Loopback Loopback
AS 300
IGBP IGBP EBGP
ISP Customer 2
IGBP
IGBP IGBP
Loopback
Loopback Loopback
IGBP
Loopback
By default, BGP will use the IP address of the physical interface as the source IP in the
packets sent to the peer. If the physical interface goes down, even though there is
another path to the peer, the packets can’t be sent.
The solution is to configure all IBGP peering to use loopback addresses. This loopback
address needs to be advertised and included in the IGP routing table. Neighboring
routers will need to have an explicit route to the IBGP peer loopback address. If this is
done, the peering will continue to be established providing the routers have some
level of IP connectivity. As links fail and return, the traffic is automatically rerouted,
usually with no interruption to the peering session. This loopback address needs to
be advertised and included in the IGP routing table. Neighboring routers will need to
have an explicit route to the IBGP peer loopback address.
Revision 0919 11 - 14
ICX 200 Border Gateway Protocol
• Loopback addresses should be used for this purpose, as they can never go down
– Syntax: neighbor ip-address update-source loopback num
AS 33090
IBGP
Loopback 1 Loopback 1
10.1.1.10 Router A e1 e5 Router B 10.1.1.11
10.255.43.10 10.255.43.9
!Router A !Router B
router bgp router bgp
local-as 33090 local-as 33090
neighbor 10.1.1.11 remote-as 33090 neighbor 10.1.1.10 remote-as 33090
neighbor 10.1.1.11 update-source loopback 1 neighbor 10.1.1.10 update-source loopback 1
! !
interface loopback 1 interface loopback 1
ip address 10.1.1.10/32 ip address 10.1.1.11/32
! !
ip route 10.1.1.11/32 10.255.43.9 ip route 10.1.1.10/32 10.255.43.10
• Important: Both neighbor addresses used for peering must be routable and reachable
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 15
To configure a BGP router to communicate with its IBGP neighbor, through a specified
interface (e.g. Loopback 1) use the CLI command:
Syntax: neighbor ip-address update-source loopback num
The loopback address must be a routable and reachable IP address.
The neighbor command has some additional parameters, as shown in the following:
Syntax: [no] neighbor { ip-address | ipv6-address | peer-group-name } update-source
{ ip-address | ipv6-address | ethernet unit/slot/port | lag lag-id | loopback num | ve
vlan_id }
The examples shown configures the router to communicate with the neighbor
through the specified interfaces.
Revision 0919 11 - 15
ICX 200 Border Gateway Protocol
Because loopback interfaces are being used for the IBGP peering session, additional
configuration steps are required. Until those steps are taken, the state of the peers
will be Active (ACTIV). The explanation for this behavior is related to the default
behavior of a router’s interface use when attempting to establish a peer session.
Revision 0919 11 - 16
ICX 200 Border Gateway Protocol
• MD5 password for securing sessions between the neighbors can be used for additional
security
• Password parameters are:
– Up to 63 characters long
– Can contain any alphanumeric (first character cannot be a number)
– Spaces can be used if the words are placed inside quotes
• Passwords are applied on a per neighbor basis and must match on neighbor
The system adds an encryption code followed by the encrypted text of the original
password. One of the following may be displayed:
• 0 = the password is not encrypted and is in clear text
• 1 = the password uses proprietary simple cryptographic 2-way algorithm
If you want the software to assume that the value you enter is the clear-text form,
and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption
option and allow the software to use the default behavior. If you specify encryption
option 1, the software assumes that you are entering the encrypted form of the
password or authentication string. In this case, the software decrypts the password or
string you enter before using the value for authentication. If you accidentally enter
option 1 followed by the clear-text version of the password or string, authentication
will fail because the value used by the software will not match the value you intended
to use.
Revision 0919 11 - 17
ICX 200 Border Gateway Protocol
• You can specify the maximum number of IP network prefixes (routes) that can be learned
from the specified neighbor
– Value 0 through 4,294,967,295 (Default is 0 (unlimited))
– Threshold parameter specifies the percentage of the value you specified for the maximum prefix which
when crossed will generate a Syslog message (Range 1-100%)
– Teardown parameter tears down the neighbor session if the maximum-prefix limit is exceeded1
Footnote 1: The session remains shutdown (if the teardown parameter is configured)
until you clear the prefixes using the clear ip bgp neighbor all or clear ip bgp
neighbor command, or change the maximum prefix configuration. The software also
generates a Syslog message.
Revision 0919 11 - 18
ICX 200 Border Gateway Protocol
This command shows the router’s peers and whether the peer is an IBGP or EBGP
neighbor.
To view BGP neighbor information including the values for all the configured
parameters, enter the following command: show ip bgp neighbor
The display shows information regarding connection and exchange with all BGP
neighbors.
Revision 0919 11 - 19
ICX 200 Border Gateway Protocol
This is the second part of the command, with Router_A’s second neighbor (EBGP)
information.
Revision 0919 11 - 20
ICX 200 Border Gateway Protocol
No Routes Advertised
You can display the local AS number, the maximum number of routes and neighbors
supported, and some BGP statistics.
To view summary BGP information for the router, enter the following command at
any CLI prompt: show ip bgp summary
Some of the fields of interest are:
• Time - The time that has passed since the state last changed.
• Rt: Accepted - The number of routes received from the neighbor that this router
installed in the BGP4 route table. Usually, this number is lower than the
RoutesRcvd number. The difference indicates that this router filtered out some of
the routes received in the UPDATE messages
• Filtered - The routes or prefixes that have been filtered out:
• If soft reconfiguration is enabled, this field shows how many routes were
filtered out (not placed in the BGP4 route table) but retained in memory.
• If soft reconfiguration is not enabled, this field shows the number of BGP4
routes that have been filtered out.
• Sent - The number of BGP4 routes that the Layer 3 switch has sent to the neighbor.
• ToSend - The number of routes the Layer 3 switch has queued to send to this
neighbor
Revision 0919 11 - 21
ICX 200 Border Gateway Protocol
• A BGP router does originate an network advertisement unless there is a valid entry in the
IP routing table for the network
– The exact route and subnet mask must exist in the IP route table
In order to advertise a network, the exact route must exist in the IP route table before
the Layer 3 Switch can create a local BGP route.
To configure the Layer 3 Switch to advertise network 161.79.45.0/24, enter the
command shown on the slide. The options are defined as:
• network/mask - specifies the network number and network mask.
• route-map map-name - specifies the name of the route map you want to use to
set or change BGP attributes for the network you are advertising. The route map
must already be configured.
• weight num - specifies a weight to be added to routes to this network.
• backdoor - changes the administrative distance of the route to this network from
the EBGP administrative distance (20 by default) to the Local BGP weight (200 by
default), thus tagging the route as a backdoor route. Use this parameter when you
want the router to prefer IGP routes such as RIP or OSPF routes over the EBGP
route for the network.
In practice, the aggregate-address command may be used instead of network
command.
You can also configure the device to redistribute RIP routes, OSPF routes, directly
connected routes, or static routes into BGP4 and BGP4+. This is accomplished with
the redistribute command followed by the protocol which the routes are being
redistributed from. An optional metric or route-map can be applied to the
redistributed protocol.
Revision 0919 11 - 22
ICX 200 Border Gateway Protocol
• For maintenance and troubleshooting you may need to temporarily disable BGP neighbors
– Adds neighbor entry to the running-configuration disabling the neighbor but maintaining all BGP
configuration parameters relating to the neighbor
• To re-enable the BGP session to the peer issue the following command
Router_A(config-bgp-router)# no neighbor 10.1.1.11 shutdown
Note: All BGP configurations or all configurations related to that neighbor will be lost
when no router bgp or no neighbor is issued.
Revision 0919 11 - 23
ICX 200 Border Gateway Protocol
Revision 0919 11 - 24
ICX 200 Border Gateway Protocol
You can display the following configuration information and statistics for the BGP
protocol on the router:
• Summary BGP configuration information for the router
• Active BGP configuration information (the BGP information in the running-config)
• CPU utilization statistics
• Neighbor information
• Peer-group information
• Information about the paths from which BGP selects routes
• Summary BGP route information
• The router BGP route table
• Route flap dampening statistics
• Active route maps (the route map configuration information in the running-config)
Revision 0919 11 - 25
ICX 200 Border Gateway Protocol
You can display the local AS number, the maximum number of routes and neighbors
supported, and some BGP statistics.
To view summary BGP information for the router, enter the following command at
any CLI prompt: show ip bgp summary
Some of the fields of interest are:
• Time - The time that has passed since the state last changed.
• Rt: Accepted - The number of routes received from the neighbor that this router
installed in the BGP4 route table. Usually, this number is lower than the
RoutesRcvd number. The difference indicates that this router filtered out some of
the routes received in the UPDATE messages
• Filtered - The routes or prefixes that have been filtered out:
• If soft reconfiguration is enabled, this field shows how many routes were
filtered out (not placed in the BGP4 route table) but retained in memory.
• If soft reconfiguration is not enabled, this field shows the number of BGP4
routes that have been filtered out.
• Sent - The number of BGP4 routes that the Layer 3 switch has sent to the neighbor.
• ToSend - The number of routes the Layer 3 switch has queued to send to this
neighbor
Revision 0919 11 - 26
ICX 200 Border Gateway Protocol
Revision 0919 11 - 27
ICX 200 Border Gateway Protocol
The CLI displays the routes the Layer 3 Switch has advertised to a specific neighbor for
a specific network.
Revision 0919 11 - 28
ICX 200 Border Gateway Protocol
• Displays the summary statistics for all the routes in the Layer 3 Switch BGP route table,
example:
To display summary statistics for all the routes in the Layer 3 Switch BGP route table,
enter a command such as the above at any level of the CLI. The fields display are
described as follows:
• Total number of BGP routes (NLRIs) Installed: The number of BGP routes the Layer
3 Switch has installed in the BGP route table.
• Distinct BGP destination networks: The number of destination networks the
installed routes represent. The BGP route table can have multiple routes to the
same network.
• Filtered BGP routes for soft reconfig: The number of route updates received from
soft-reconfigured neighbors or peer groups that have been filtered out but
retained.
• Routes originated by this router: The number of routes in the BGP route table that
this Layer 3 Switch originated.
• Routes selected as BEST routes: The number of routes in the BGP route table that
this Layer 3 Switch has selected as the best routes to the destinations.
• BEST routes not installed in IP forwarding table: The number of BGP routes that
are the best BGP routes to their destinations but were not installed in the IP route
table because the Layer 3 Switch received better routes from other sources (such
as OSPF, RIP, or static IP routes).
• Unreachable routes (no IGP route for NEXTHOP): The number of routes in the BGP
route table whose destinations are unreachable because the next hop is
unreachable.
• IBGP routes selected as best routes: The number of “best” routes in the BGP route
table that are IBGP routes.
• EBGP routes selected as best routes: The number of “best” routes in the BGP
route table that are EBGP routes.
Revision 0919 11 - 29
ICX 200 Border Gateway Protocol
Revision 0919 11 - 30
ICX 200 Border Gateway Protocol
Revision 0919 11 - 31
ICX 200 Border Gateway Protocol
• Use the show ip bgp summary command to view the current state of the BGP peering session
Revision 0919 11 - 32
ICX 200 Border Gateway Protocol
Revision 0919 11 - 33
ICX 200 Border Gateway Protocol
Review Configuration
• Each router’s local-as value should match the peer router’s remote-as value
Cust-01# show ip bgp config ISP1# show ip bgp config
Current BGP configuration: Current BGP configuration:
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved © 2017 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY PROPRIETARY INFORMATION 34
For eBGP peering to be migrate to the Established state, each router’s local-as must
match the neighbor’s configured remote-as. The local AS number is provided in the
OpenSent BGP message. If the received AS number does not match the configured
local-as number, a Notification is sent and the in-progress session establishment is
torn down and BGP will start over again due to its finite state model. In this example
the configuration is showing an eBGP adjacency configuration. It is important to verify
that both peers have the correct neighbor IP address and the expected As number of
the neighbor. As both of these peers attempt TCP connections with each other they
will compare their local configuration and only accept TCP connections to configured
neighbors. If the peer receiving the SYN message does not see the source IP address
configured in a neighbor statement it will not respond to the request. Therefore care
needs to be taken to ensure the neighbors IP address and its correct AS number is
configured.
Revision 0919 11 - 34
ICX 200 Border Gateway Protocol
• The misconfiguration can be confirmed by viewing the output of the debug ip bgp
neighbor command
Cust-01# debug ip bgp neighbor 172.16.56.1
BGP: 172.16.56.1 start peer
BGP: 172.16.56.1 Init TCP Connection to peer, local IP 172.16.56.2
BGP: 172.16.56.1 Active TCP Connection is Open, local address 172.16.56.2
BGP: 172.16.56.1 TCP Connection opened
BGP: 172.16.56.1 sending MultiProtocol cap, afi/safi=1/1, length 4
BGP: 172.16.56.1 sending Graceful Restart cap, rbit 0, time 120, length 6
BGP: 172.16.56.1 sending OPEN, My asn=18816 holdTime=180 route_refresh=1 cooperative= 1, restart 1/0
BGP: 172.16.56.1 rcv OPEN w/Option parameter length 16, My asn 64496, hold_time 180
BGP: 172.16.56.1 rcv OPEN w/Option parameter length 16
BGP: 172.16.56.1 rcv MP_EXT capability 1, len 4, afi/safi=1/1
BGP: 172.16.56.1 rcv capability 2, len 0
BGP: 172.16.56.1 rcv capability 128, len 0
BGP: 172.16.56.1 rcv OPEN: bad peer AS number 64496, expected 64469
BGP: 172.16.56.1 rcv OPEN: bad peer AS number 64496, expected 64469
BGP: 172.16.56.1 sending NOTIFICATION 2/2 (Bad Peer AS Number)
BGP: 172.16.56.1 reset due to BGP notification sent
BGP: 172.16.56.1 Closing TCP connection 0x255bac94
In this debug output we can see a TCP connection was established which indicates
the correct neighbor IP address configured on the remote router. If it was not the
remote router would have refused the TCP connection and that would be reflected in
this output. Other misconfigurations can also be confirmed in the debug output
which shows that the ISP router received a different local-AS number in the OPEN
exchange than was configured for the remote node. This results in a notification
being sent to the peer which will cause a reset of the connection. This will continue
until the configuration is corrected. Other notification messages can be obtained in
the debug output which can indicate other problems with establishing and
maintaining adjacency. In this example we sent a notification 2/2 indicating a bad
Peer As number. Other notification messages are available as well.
Revision 0919 11 - 35
ICX 200 Border Gateway Protocol
Module Summary
Revision 0919 11 - 36
ICX 200 Border Gateway Protocol
Revision 0919 11 - 37
ICX 200 Border Gateway Protocol
Appendix A:
Policy Changes
Revision 0919 11 - 38
ICX 200 Border Gateway Protocol
• To apply changes to existing prefixes received or sent, you need to enter a clear command
• Three methods:
– Hard clear – Downs BGP session & all routes are resent
– Soft-reconfiguration – Keeps copies of old updates, no routes sent
– Route refresh – BGP session remains up & all routes are resent
Revision 0919 11 - 39
ICX 200 Border Gateway Protocol
1 – Hard Clear
• To clear a neighbor session and re-learn all exchanged routes, use the
clear ip bgp command
– Example to clear all neighbor sessions:
Router_A# clear ip bgp neighbor all
Revision 0919 11 - 40
ICX 200 Border Gateway Protocol
BGP Table
BGP Router
Soft Reconfiguration keeps a complete copy of each EBGP peers route table.
Hence, instead of asking it’s neighbor to resend it’s entire route table, each time it
changes it’s configuration, it simply uses the copy stored in memory.
The soft reconfiguration feature places policy changes into effect without resetting
the BGP session. Soft reconfiguration does not request the neighbor or group to send
its entire BGP table, nor does the feature reset the session with the neighbor or
group. Instead, the soft reconfiguration feature stores all the route updates received
from the neighbor or group. When you request a soft reset of inbound routes, the
software performs route selection by comparing the policies against the stored route
updates, instead of requesting the neighbor BGP route table or resetting the session
with the neighbor. To use soft reconfiguration:
• Enable the feature
• Make the policy changes
• Apply the changes by requesting a soft reset of the inbound updates from the
neighbor or group
Note: Route refresh is preferred for most configurations. Soft reconfiguration can be
useful as a temporary solution when several configuration changes would result in
significant WAN link saturation for BGP updates.
Revision 0919 11 - 41
ICX 200 Border Gateway Protocol
2 – Soft Reconfiguration
Use the following CLI methods to configure soft configuration, apply policy changes,
and display information for the updates that are filtered out by the policies.
To configure a neighbor for soft reconfiguration, enter a command such as the
following.
Router(config-bgp-router)# neighbor 161.79.5.2 soft-
reconfiguration inbound
This command enables soft reconfiguration for updates received from
10.10.200.102. The software dynamically refreshes or resets the session with the
neighbor, then retains all route updates from the neighbor following the reset.
Syntax: [no] neighbor { ip-address | ipv6-address | peer-group-name } soft-
reconfiguration inbound
To place policy changes into effect, enter a command such as the following.
ICX# clear ip bgp neighbor 161.79.5.2 soft in
Revision 0919 11 - 42
ICX 200 Border Gateway Protocol
• Typically used after configuration changes to update BGP table (route-map, prefix list,
MED)
The dynamic route refresh capability is enabled by default and cannot be disabled.
When the Layer 3 Switch sends a BGP OPEN message to a neighbor, the Layer 3
Switch includes a Capability Advertisement to inform the neighbor that the Layer 3
Switch supports dynamic route refresh. This command is the same used for a soft
refresh. The only difference is that the software tables have been enabled.
Note: The option for dynamically refreshing routes received from a neighbor requires
the neighbor to support dynamic route refresh. If the neighbor does not support this
feature, the option does not take effect and the software displays an error message.
The option for dynamically re-advertising routes to a neighbor does not require the
neighbor to support dynamic route refresh.
Revision 0919 11 - 43
ICX 200 Border Gateway Protocol
End of Appendix A:
Policy Changes
Revision 0919 11 - 44
ICX 200 Border Gateway Protocol
Appendix B:
BGP4+ Configuration
Revision 0919 11 - 45
ICX 200 Border Gateway Protocol
AS 22787 AS 33090
Revision 0919 11 - 46
ICX 200 Border Gateway Protocol
Revision 0919 11 - 47
ICX 200 Border Gateway Protocol
• IPv6 prefixes are defined in the IPv6 unicast address-family under the router bgp
configuration context
In order to advertise a network, the exact route must exist in the IP route table before
the Layer 3 Switch can create a local BGP route.
To configure the Layer 3 Switch to advertise network 161.79.5.0/24, enter the
command shown on the slide. The options are defined as:
• network/mask - specifies the network number and network mask.
• route-map map-name - specifies the name of the route map you want to use to
set or change BGP attributes for the network you are advertising. The route map
must already be configured.
• weight num - specifies a weight to be added to routes to this network.
• backdoor - changes the administrative distance of the route to this network from
the EBGP administrative distance (20 by default) to the Local BGP weight (200 by
default), thus tagging the route as a backdoor route. Use this parameter when you
want the router to prefer IGP routes such as RIP or OSPF routes over the EBGP
route for the network.
In practice, the aggregrate-address command may be used instead of network
command.
Revision 0919 11 - 48
ICX 200 Border Gateway Protocol
AS 33090
L1: 10.1.1.10/32 L1: 10.1.1.11/32
2001:0db8:79:7::1/128 2001:0db8:79:8::1/128
AS 22787 EBGP IBGP
You can display the local AS number, the maximum number of routes and neighbors
supported, and some BGP statistics.
To view summary BGP information for the router, enter the following command at
any CLI prompt: show ip bgp summary
Some of the fields of interest are:
• Time - The time that has passed since the state last changed.
• Rt: Accepted - The number of routes received from the neighbor that this router
installed in the BGP4 route table. Usually, this number is lower than the
RoutesRcvd number. The difference indicates that this router filtered out some of
the routes received in the UPDATE messages
• Filtered - The routes or prefixes that have been filtered out:
• If soft reconfiguration is enabled, this field shows how many routes were
filtered out (not placed in the BGP4 route table) but retained in memory.
• If soft reconfiguration is not enabled, this field shows the number of BGP4
routes that have been filtered out.
• Sent - The number of BGP4 routes that the Layer 3 switch has sent to the neighbor.
• ToSend - The number of routes the Layer 3 switch has queued to send to this
neighbor
Revision 0919 11 - 49
ICX 200 Border Gateway Protocol
This command shows the router’s peers and whether the peer is an IBGP or EBGP
neighbor.
To view BGP neighbor information including the values for all the configured
parameters, enter the following command: show ip bgp neighbor
The display shows all the configured parameters for the neighbor. Only the
parameters that have values different from their defaults are shown.
Revision 0919 11 - 50
ICX 200 Border Gateway Protocol
This is the second part of the command, with Router_A’s second neighbor (IBGP)
information.
Revision 0919 11 - 51
ICX 200 Border Gateway Protocol
End of Appendix B:
BGP4+ Configuration
Revision 0919 11 - 52
ICX 200 Traffic Management
Module 12:
Traffic Management
Revision 0919 12 - 1
ICX 200 Traffic Management
Module Objectives
Revision 0919 12 - 2
ICX 200 Traffic Management
Revision 0919 12 - 3
ICX 200 Traffic Management
• QoS is an umbrella term for tools and protocols that control and manage the use of
network resources
• Network traffic is prioritized to ensure appropriate resources are available for the most
critical traffic
• Optimizes bandwidth utilization and enforces Service Level Agreements (SLAs) for different
services and applications
– Allows performance to be more predictable and bandwidth utilization more effective
– Provides protection from network attacks (DoS)
Revision 0919 12 - 4
ICX 200 Traffic Management
QoS Elements
• Classification
– Traffic is differentiated and processed based on prioritization
• Queueing
– QoS values are mapped to various “lanes” on outbound ports
– Segregation of outbound traffic providing opportunity of preferential treatment of forwarding
– Queue congestion avoidance can be controlled by algorithms such as Random Early Detection (RED) or
Weighted Random Early Detection (WRED)
• Scheduling
– Scheduling determines how the frames/packets in the queues are served, such as Weighted Round Robin
(WRR) scheduling algorithm and Strict Priority scheduling algorithm
Revision 0919 12 - 5
ICX 200 Traffic Management
• Remarking
– Remarking is typically the last phase of the QoS process
– The remarking engine has the option of rewriting the QoS value of a packet before it is put out onto the
wire
– The QoS values that can be remarked include 802.1p, IP precedence/DCSP bits
• Policing
– Manages traffic congestion by determining whether packets are conforming to administratively defined
traffic rates and takes action accordingly (passing, remarking, or dropping a packet)
Remarking, also referred to as QoS marking, is the process of initially changing the
packet QoS information for the next hop. You can mark a packet’s Layer 2 Cost of
Service (CoS) value, its Layer 3 Differentiated Services Code Point (DSCP) value, or
both values. The Layer 2 CoS or DSCP value that the device marks in the packet is the
same value that results from mapping the packet QoS value into a Layer 2 CoS or
DSCP value. Marking is optional and is disabled by default.
Policing, or rate limiting, allows the configuration of administratively defined
thresholds to apply to incoming and outgoing traffic. If the traffic is not in
conformance with the configured policy, action may be taken by the switch to force
conformity. Some of these actions include passing, remarking, or dropping non-
confirming packets.
Revision 0919 12 - 6
ICX 200 Traffic Management
QoS Classification
Revision 0919 12 - 7
ICX 200 Traffic Management
Classification
• Defines how traffic is treated based on ingress Ethernet frame and IP packet data
Revision 0919 12 - 8
ICX 200 Traffic Management
Footnote 1: Bit four, not defined in the graphic, is a 1 bit CFI field used for
compatibility between Ethernet and Token Ring networks.
Class of Service (CoS) is a 3-bit field within an Ethernet frame header known as the
Priority Code Point (PCP) when using a 802.1 network. This field specifies a priority
value between 0 and 7, inclusive, that can be used by Quality of Service (QoS) to
differentiate traffic.
Revision 0919 12 - 9
ICX 200 Traffic Management
• IPv4/IPv6 Packets
• DSCP: Six most significant bits of ToS (Type of Service) byte are called Differentiated
Services Code Point (DSCP) – remaining two bits used for flow control
– A default DSCP decode table is used to derive a 3-bit priority value and a 2-bit drop precedence value for
incoming packets1
– Custom decode DSCP policy maps configured in a switch can be configured and takes precedence over the
default DSCP decode table2
Version ToS
Len ID Offset TTL Proto FCS IP SA IP DA Data
Length Byte
Standard IPv4
7 IP Precedence
6 5 4 3 2
Unused 1 0
DiffServ Code Point (DSCP) IP ECN DiffServ Extensions
Revision 0919 12 - 10
ICX 200 Traffic Management
• QoS capabilities vary based on the location or roll of a device (switches and routers) as well
as host capabilities
• More granular control is achieved when a blend of marking techniques are used within a
network
Revision 0919 12 - 11
ICX 200 Traffic Management
Footnote 1: The Priority Code Point (PCP) field was formerly called IEEE 802.1p.
802.1p and PCP are used interchangeably throughout this module.
The trust level in effect on an interface determines the type of QoS information the
device uses for performing QoS. A Ruckus ICX device establishes the trust level based
on the configuration of various features and whether the traffic is switched or routed.
The trust level can be one of the following:
• ACL keyword—An ACL can also prioritize traffic and mark it before sending it
along to the next hop.
• Static MAC address—If the packet does not match on an ACL that defines a
priority and the MAC address of the packet matches a static entry, the packet is
classified with the priority of the static MAC entry.
• Layer 3 Differentiated Services Code Point (DSCP)—This is the value in the six
most significant bits of the IP packet header 8-bit DSCP field. It can be a value
from 0 through 63. These values are described in RFCs 2472 and 2475. The
DSCP value is sometimes called the DiffServ value.
• Layer 2 Class of Service (CoS) value—This is the 802.1p priority value in the
Ethernet frame. It can be a value from 0 through 7. The 802.1p priority is also
called the Class of Service.
• Ingress port default priority.
Given the variety of different criteria, there are many possibilities for traffic
classification within a stream of network traffic. For this reason, the priority of
packets must be resolved based on which criteria takes precedence.
Revision 0919 12 - 12
ICX 200 Traffic Management
Revision 0919 12 - 13
ICX 200 Traffic Management
QoS Queues
PCP Priority DCSP QoS Queue PCP DCSP Value QoS Queue
Value Priority
0 0–7 qosp0 (lowest priority queue) 4 32 – 39 qosp4
1 8 – 15 qosp1 5 40 – 47 qosp5
2 16 – 23 qosp2 6 48 – 55 qosp6
3 24 – 31 qosp3 7 56 – 63 qosp7 (highest priority queue)
Revision 0919 12 - 14
ICX 200 Traffic Management
Tagged Port
Tagged Port
802.1Q Frame
5
802.1Q Frame
w/ 802.1p CoS (0-8) 4 w/ 802.1p CoS (0-8)
(with or without DSCP)
3 3 3
2
0 6 6
3
0 1
– By default, the ingress
0 0 0
DSCP value, if present, is
– DSCP, if present, is
passed without change
ignored by default
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 15
Revision 0919 12 - 15
ICX 200 Traffic Management
• All tagged frames contain CoS markings and are honored by default
• Untagged frames are not received with CoS, and are assigned the priority defined on an
interface
– Default priority is 0
• To change the hardware queue of unmarked ingress frames on port 1/1/1 to the queue 4
(qosp4):
ICX(config)# interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)# priority 4
– The device assigns priority 4 to untagged switched traffic received on port 1/1/1
Revision 0919 12 - 16
ICX 200 Traffic Management
Untagged Port
traffic is placed in 5
the defined queue IP DSCP Marked
Packet 4
3
• Tagged frames will be 2
placed in queue 0 48 48
25
0 1
matching the 802.1p 0 48
25
0
field in the 802.1Q header
Revision 0919 12 - 17
ICX 200 Traffic Management
DSCP Trust
• 6 most significant bits of IP DSCP field are mapped to internal forwarding priority (0-7)
– The default DSCP-to-Priority values are show in the table
DSCP-based QoS is not automatically honored for routed and switched traffic. The
default is 802.1p to CoS mapping. To honor DSCP-based QoS, you must either use an
ACL or enable trust DSCP.
When the trust dscp command is enabled, the interface honors the Layer 3 DSCP
value. The switch uses the six most significant bits of the IP packet header 8-bit ToS
field as a DSCP value, and maps that value to an internal forwarding priority. The
internal forwarding priorities are mapped to one of the eight forwarding queues
based on the table shown here, by default.
Revision 0919 12 - 18
ICX 200 Traffic Management
IP Packet
5
– Examples: w/ DSCP 4
• 48 / 8 = 6 (with or without 802.1p CoS markings)
• 25 / 8 = 3.125 = 3
3 25
• 0/8=0 2
0 48 48
25
0 1
0 0
Revision 0919 12 - 19
ICX 200 Traffic Management
Revision 0919 12 - 20
ICX 200 Traffic Management
• The show qos-tos command is used to display the DSCP-to-Priority mapping table
d2| 0 1 2 3 4 5 6 7 8 9
d1 |
-----+----------------------------------------
0 | 0 0 0 0 0 0 0 0 1 1 DSCP value of 24 (d1d2)
1 | 1 1 1 1 1 1 2 2 2 2 maps to a priority of 3
2 | 2 2 2 2 3 3 3 3 3 3
3 | 3 3 4 4 4 4 4 4 4 4
4 | 5 5 5 5 5 5 5 5 6 6
5 | 6 6 6 6 6 6 7 7 7 7
6 | 7 7 7 7
The show qos-tos command displays the DSCP-to-priority mappings that will be used
when DSCP is trusted on an interface. The default DSCP-to-priority mapping is
displayed here. To read this output, select the first part of the DSCP value from the d1
column and select the second part of the DSCP value from the d2 row.
Revision 0919 12 - 21
ICX 200 Traffic Management
You can change the DSCP to internal forwarding mappings. Use the qos-tos map
dscp-priority command to assign up to 8 DSCP priority values (per command) to one
of the internal forwarding priorities.
Revision 0919 12 - 22
ICX 200 Traffic Management
• The remapped DSCP-to-Priority table can be displayed with the show qos-tos command
d2| 0 1 2 3 4 5 6 7 8 9
d1 |
-----+----------------------------------------
0 | 0 0 0 0 0 0 0 0 1 1
1 | 1 1 1 1 1 1 2 2 2 2
2 | 2 2 2 2 2 3 3 3 3 3
3 | 3 3 4 4 4 4 4 4 4 4
4 | 5 5 5 5 5 5 5 5 0 0
5 | 0 0 0 0 0 0 0 0 0 0
6 | 0 0 0 0
Here, the changes to the DSCP-to-priority mapping as a result of the changes shown
on the previous slide are displayed. The changes from default values are highlighted.
Revision 0919 12 - 23
ICX 200 Traffic Management
• A static MAC entry that does not specify the priority will be assigned to queue 0 if no other
interface or QoS markings exist
Revision 0919 12 - 24
ICX 200 Traffic Management
CoS Remarking
• Switch can remark CoS values of all incoming packets to specified values
– Can be applied globally or on individual ports
– Assigned ACLs or individual port settings override global settings
– Traffic is queued based on ingress classification, remarking occurs on egress
– Disabled by default
The Class of Service can be remarked globally, but there are very few use cases for it.
This can be accomplished with the following configuration in global configuration
mode:
ICX(config)# ip pcp-remark 4
• Marks all incoming traffic on the device with a priority of 4
Revision 0919 12 - 25
ICX 200 Traffic Management
DSCP Remarking
• Switch can remark DSCP values of all incoming packets to specified values
– Can be applied globally or on individual ports
– Assigned ACLs or individual port settings override global settings
– Traffic is queued based on ingress classification, remarking occurs on egress
– Disabled by default
Revision 0919 12 - 26
ICX 200 Traffic Management
– 802.1p-priority-marking – remarks the 802.1p value in the 802.1Q header with specified value
ICX(config-ext-nacl)# permit tcp any any 802.1p-priority-marking 4
– internal-priority-marking – assigns the traffic to the specified internal forwarding queue without
remarking
ICX(config-ext-nacl)# permit ip host 10.45.6.12 any internal-priority-marking 5
– 802.1p-and-internal-marking – remarks the 802.1p value in the 802.1Q header AND assigns the traffic to
the internal forwarding queue
ICX(config-ext-nacl)# permit udp any any 802.1p-and-internal-marking 4
– Note: dscp-marking can be used with any one of the 802.1p and/or internal markings in a single rule
ACL Quality of Service (QoS) parameters enable you to perform QoS for packets that
match the ACLs.
Using an ACL to perform QoS is an alternative to directly setting the internal
forwarding priority based on incoming port, VLAN membership, and so on.
The following QoS ACL marking options are supported:
• dscp-marking: Marks the DSCP value in the outgoing packet with the value you
specify.
• internal-priority-marking: Assigns traffic that matches the ACL to a hardware
forwarding queue (internal-priority-marking).
• 802.1p-priority-marking: Remarks the packets that match the ACL with the
802.1p priority (802.1p-priority-marking).
• 802.1p-and-internal-marking: Remarks the 802.1p priority and assign traffic to
a hardware forwarding queue.
The following QoS ACL matching options are supported:
• dscp-matching: Matches on the packet DSCP value. This option does not change
the packet forwarding priority through the device or mark the packet.
• 802.1p-priority-matching: Inspects the 802.1p bit in the ACL that can be used
with adaptive rate limiting.
Revision 0919 12 - 27
ICX 200 Traffic Management
The image above illustrates how most ICX series devices determine the trust level of
a packet. As shown in the flowchart, the first criteria considered is whether the
packet matches on an ACL that defines a priority. If this is not the case and the MAC
address of the packet matches a static entry, the packet is classified with the priority
of the static MAC entry. If neither of these is true, the packet is next classified with
the ingress port default priority, then DSCP/ToS value, then 802.1p CoS value, and
finally the default priority of zero (0).
NOTE: ICX 7150 devices determine internal priority differently. The image below
illustrates how the ICX 7150 determines the trust level of a packet. ACL matches are
first considered, and DSCP/ToS priority is considered next, followed by the priority of
the static MAC entry, then default ingress port priority, 802.1p CoS value, and finally
the default priority of zero (0).
Revision 0919 12 - 28
ICX 200 Traffic Management
Revision 0919 12 - 29
ICX 200 Traffic Management
– Strict Priority
• Only ensures service for high-priority traffic
– Mixed-Strict Priority-WRR
• A combination of WWR and strict priority
• Strict priority is applied to specific queues with round-robin service to remaining queues after SP queues are
emptied
Footnote 1: In stacking mode, the qosp7 queue is reserved as Strict Priority under the
weighted queuing mechanism. Attempts to change the qosp7 setting are ignored.
Scheduling is the process of mapping a packet to an internal forwarding queue based
on its QoS information and servicing the queues according to a queueing method.
The following QoS queueing mechanisms are supported for the FastIron devices:
Weighted Round Robin (WRR)—This method ensures that all queues are serviced
during each cycle and is the default queueing method on ICX devices.
Strict Priority (SP)—This ensures service for high-priority traffic.
Mixed SP and WWR—This configurable queueing mechanism combines both the SP
and WRR mechanisms. This combined method enables the device to give strict
priority to delay-sensitive traffic such as VoIP traffic, and weighted round robin
priority to other traffic types.
Revision 0919 12 - 30
ICX 200 Traffic Management
• This method rotates service among the queues, forwarding a specific number of bytes in
one queue before moving on to the next one
A WRR algorithm is used to rotate service among the eight queues on the FastIron
devices. The rotation is based on the weights you assign to each queue. This method
rotates service among the queues, forwarding a specific number of packets in one
queue before moving on to the next one.
WRR is the default queueing method and uses a default set of queue weights. The
number of packets serviced during each visit to a queue depends on the percentages
you configure for the queues. The software automatically converts the percentages
you specify into weights for the queues.
Revision 0919 12 - 31
ICX 200 Traffic Management
7
6
5
Ingress 4
Egress
Traffic 3 Traffic
2
1
0
• To configure weighted
round robin scheduling
ICX(config)# qos mechanism weighted
Revision 0919 12 - 32
ICX 200 Traffic Management
Strict Priority
• The software assigns the maximum weights to each queue, to cause the queueing
mechanism to serve all packets in one queue before moving to a lower queue
• This method biases the queueing mechanism to favor the higher queues over the lower
queues
– For example, strict queueing processes all packets in qosp3 before processing any packets in qosp2, then
processes all packets in qosp2 before processing any packets in qosp1, etc
– With high volumes of high priority traffic, lower traffic may be starved and never be processed
• IMPORTANT: Use this function with caution as under heavy traffic load this may result in
no ability to transmit queue 0 (unmarked) traffic, which is a bulk of traffic in most network
environments.
With Strict Priority queueing the software assigns the maximum weights to each
queue, to cause the queueing mechanism to serve as many packets in one queue as
possible before moving to a lower queue. This method biases the queueing
mechanism to favor the higher queues over the lower queues.
Revision 0919 12 - 33
ICX 200 Traffic Management
7
6
5
Ingress 4
Egress
Traffic 3 Traffic
2
1
0
• To configure strict
priority-based
scheduling
ICX(config)# qos mechanism strict
Revision 0919 12 - 34
ICX 200 Traffic Management
• The combined method enables strict priority to delay-sensitive traffic such as VoIP traffic,
and weighted round robin priority to other traffic types
• By default, the ICX devices assign strict priority to traffic in qosp7 and qosp6, and weighted
round robin priority to traffic in qosp0 through qosp5
By default, when you select the combined SP and WRR queueing method, the device
assigns strict priority to traffic in qosp7 and qosp6, and weighted round robin priority
to traffic in qosp0 through qosp5. Thus, the device schedules traffic in queue 7 and
queue 6 first, based on the strict priority queueing method. When there is no traffic
in queue 7 and queue 6, the device schedules the other queues in round-robin
fashion from the highest priority queue to the lowest priority queue.
Revision 0919 12 - 35
ICX 200 Traffic Management
7
6
5
Ingress 4
Egress
Traffic 3 Traffic
2
1
0
• To configure mixed
strict priority/WWR scheduling
Priority 6-7 = Strict Priority
ICX(config)# qos mechanism mixed-sp-wrr Priority 0-5 = Weighted Round Robin
Weight is a relative value. The easiest way to calculate the correlation between
weight and bandwidth is to have the total weight of all queues sum up to 100, then
the weight itself will be the % bandwidth available for that queue.
Revision 0919 12 - 36
ICX 200 Traffic Management
1 SP SP 3% 8% 15% 15%
2 SP SP 3% 8% 15% 15%
3 SP SP 3% 8% 15% 15%
4 SP SP 3% 8% 15% 15%
5 SP SP 3% 8% 25% 25%
6 SP SP 7% 8% SP SP
7 SP SP 75% 44% SP SP
SP = Strict Priority
WRR = Weighted Round Robin
Jumbo = Jumbo frame support enabled
Revision 0919 12 - 37
ICX 200 Traffic Management
1 SP SP 3% 8% 15% 15%
2 SP SP 3% 8% 15% 15%
3 SP SP 3% 8% 15% 15%
4 SP SP 3% 8% 15% 15%
5 SP SP 10% 16% 25% 25%
6 SP SP 75% 44% SP SP
7 SP SP SP SP SP SP
SP = Strict Priority
WRR = Weighted Round Robin
Jumbo = Jumbo frame support enabled
Revision 0919 12 - 38
ICX 200 Traffic Management
• The user-configurable scheduler profile can be created by specifying weights from qosp0
through qosp7 as shown in the following command format1
Footnote 1: If you create a profile specifying only the weights (qosp0 through qosp7)
without specifying the mechanism, the default mechanism is used.
• The default mechanism for stacking systems is Mixed, and WRR for stand-alone
systems
If you change the profile mechanism, the weights also get changed according to the
mechanism
The weights can be modified according to the following requirements:
• If the mechanism is changed to WRR, the default system weights get assigned
• If the mechanism is changed to Mixed, the default mix weights get assigned
• If the mechanism is changed to Strict, the weights are ignored and remain
untouched
Scheduler-profile modifications take effect dynamically on an active profile
Revision 0919 12 - 39
ICX 200 Traffic Management
Revision 0919 12 - 40
ICX 200 Traffic Management
Policing
Revision 0919 12 - 41
ICX 200 Traffic Management
Rate Limiting
Footnote 1: Traffic policy ACL-based rate limiting is a complex topic and therefore are
too advanced for this course. It is only referenced here to make you aware of the
capability.
Revision 0919 12 - 42
ICX 200 Traffic Management
• This feature should not be used on uplinks and ports that perform routing or receive
protocol control traffic
You can configure a fixed rate limiting policy on a ports inbound direction only. This
feature allows you to specify the maximum number of bytes in kilobits per second
(kbps), a given port can receive. The port drops bytes that exceed the limit you
specify.
Fixed rate limiting applies to all traffic on the rate limited port. It counts the number
of bytes that a port receives in one second intervals. If the number exceeds the
maximum number you specified when you configured the rate, the port drops all
further inbound packets for the duration of the one-second interval. Unused
bandwidth is not carried over from one interval to the next. Once the one-second
interval is complete, the port clears the counter and re-enables traffic.
NOTE - Ruckus recommends that you do not use fixed rate limiting on ports that
receive route control traffic or Spanning Tree Protocol (STP) control traffic. If the port
drops control packets due to the fixed rate limiting policy, routing or STP can be
disrupted.
All ICX devices support line-rate rate limiting in hardware.
Revision 0919 12 - 43
ICX 200 Traffic Management
• Traffic is only dropped within the one second interval where the configured limit is
exceeded
• At each new
interval the
counter is reset
to zero
• Unused band-
width is not
carried over to
the next
interval
The following figure shows an example of how fixed rate limiting works. In this
example, a fixed rate limiting policy is applied to a port to limit the inbound traffic to
500000 bits (62500 bytes) a second. During the first two one-second intervals, the
port receives less than 500000 bits in each interval. However, the port receives more
than 500000 bits during the third and fourth one-second intervals, and consequently
drops the excess traffic.
The software counts the bytes by polling statistics counters for the port every 100
milliseconds, which provides 10 readings each second. As such, the fixed rate limiting
policy has an accuracy of within 10% of the port's line rate. It is possible then for the
policy to sometimes allow more traffic than the limit you specify, but the extra traffic
is never more than 10% of the port's line rate.
Revision 0919 12 - 44
ICX 200 Traffic Management
• The rate-limit command is used to define the traffic limit, in kbps, per port
Revision 0919 12 - 45
ICX 200 Traffic Management
• Limits the number of BUM packets or bytes received each second on a port
– The kbps option determines if the num represents packets or kbps
Ruckus ICX devices can forward all flooded traffic at wire speed within a VLAN.
However, some third party networking devices cannot handle high rates of broadcast,
unknown unicast, and multicast (BUM) traffic.
If high rates of traffic are being received by the device on a given port of that VLAN,
you can limit the number of BUM packets or bytes received each second on that port.
This can help to control the number of such packets or bytes that are flooded on the
VLAN to other devices.
Ruckus ICX devices support byte-based and packet-based BUM rate limiting.
NOTE - BUM rate-limiting is not supported on PE ports in an SPX environment.
Revision 0919 12 - 46
ICX 200 Traffic Management
Rate Shaping
• Ruckus supports shaping from 128 kbps up to the interface line rate
Outbound rate shaping is a port-level feature that is used to shape the rate and
control the bandwidth of outbound traffic on a port.
Rate shaping smooths excess and bursting traffic to the configured maximum limit
before it is sent out on a port. Packets are stored in available buffers and then
forwarded at a rate no greater than the configured limit. This process provides for
better control over the inbound traffic of neighboring devices.
The following apply when configuring outbound rate shaping:
• Outbound rate shaping can be configured only on physical ports, not on virtual
or loopback ports.
• Ruckus ICX devices have one global rate shaper for a port and one rate shaper
for each port priority queue. Rate shaping is done on a single-token basis,
where each token is defined to be 1 byte.
• When outbound rate shaping is enabled on a port on an IPv4 device, the port
QoS queueing method (qos mechanism ) will be strict mode. This applies to IPv4
devices only. On IPv6 devices, the QoS mechanism is whatever method is
configured on the port, even when outbound rate shaping is enabled.
• You can configure a rate shaper for a port and for the individual priority queues
of that port. However, if a port rate shaper is configured, that value overrides
the rate shaper value of a priority queue if the priority queue rate shaper is
greater than the rate shaper for the port.
• You can configure rate shaping on individual ports of the link aggregation group
(LAG). You cannot configure rate shaping on the LAG itself.
Revision 0919 12 - 47
ICX 200 Traffic Management
– Verify configuration:
ICX # show rate-limit output-shaping
Outbound Rate Shaping Limits in Kbps:
Port PortMax Prio0 Prio1 Prio2 Prio3 Prio4 Prio5 Prio6 Prio7
1/1/2 1304 - - - - - - - 500
3. Configure the maximum rate at which outbound traffic is sent out on a port
priority queue.
device(config-if-e1000-1/1/2)# rate-limit output shaping 500
priority 7
Outbound Rate Shaping on Port 1/1/2 for Priority 7
Config: 500 Kbps, Actual: 500 Kbps
Revision 0919 12 - 48
ICX 200 Traffic Management
Module Summary
Revision 0919 12 - 49
ICX 200 Traffic Management
Revision 0919 12 - 50
ICX 200 IP Multicast
Module 13:
IPv4 Multicast
Revision 0919 13 - 1
ICX 200 IP Multicast
Module Objectives
Revision 0919 13 - 2
ICX 200 IP Multicast
Revision 0919 13 - 3
ICX 200 IP Multicast
Multicast Traffic
Source
Nodes Nodes
Nodes
In multicast environments, hosts receiving the multicast traffic respond using unicast
back to the single source.
Multicast traffic is not always aware of which hosts on the network that are going to
join the group. Thus, multicast uses UDP (connectionless) rather than TCP.
Routers do not forward multicast by default, it must be enabled.
Layer-2 switches flood the packets by default.
Revision 0919 13 - 4
ICX 200 IP Multicast
Multicast IP Addressing
• Network devices must have a way to distinguish multicast from other types of traffic
IP Class D addresses are used for identifying and routing multicast traffic. The address
range of 224.0.0.0/4 is used for this purpose. This allows for more than 1 million
unique multicast IP addresses. These addresses are easy to identify because the first
four bytes of the IP address will always begin with 1110.
The Internet Assigned Numbers Authority (IANA) has several reserved IPv4 multicast
addresses to be used for specific purposes. Some of the more well known reserved
addresses are listed here.
The multicast in the range of 224.0.0.0 – 224.0.0.255 is reserved for the use of
routing, topology discovery and maintenance protocols. Multicast destinations in this
range will not be forwarded by a multicast router.
Revision 0919 13 - 5
ICX 200 IP Multicast
• Multicast addresses are recognizable to Layer-2 devices because each one is mapped to a
MAC address
• The first 24 bits of that MAC address are a specific OUI - 0100.5e, and the 25th bit is always
0
• The lower 23 bits are copied from the lower 23 bits of the multicast IP address
• This creates the situation where there are 32 multicast IP addresses for each multicast
MAC address
Because 5 bits are lost in the address translation, MAC addresses could match 32
different multicast IP addresses. Therefore, the hosts inspect multicast frame that has
the MAC address of the multicast source of the group it has joined, regardless of
which IP address the frame is traveling toward. The host then inspects the destination
IP address to verify that the IP multicast address is intended for a joined multicast
group. If not, the packet is discarded.
Revision 0919 13 - 6
ICX 200 IP Multicast
Revision 0919 13 - 7
ICX 200 IP Multicast
Overview
• Dynamic registration of interested hosts into multicast group is performed by IGMP
– Multicast flows are forwarded into LANs with registered members
• Three versions of IGMP are available and are supported by ICX switches
– IGMP v1 is defined in RFC 11121
– IGMP v2 is defined in RFC 2236 (Default)
– IGMP v3 is defined in RFC 3376
Footnote 1: IGMP version 1, due to it’s limitations, is rarely used in todays networks
and will not be covered with the detail of the IGMP versions 2 and 3 in this course.
When a Layer 2 device processes a multicast packet, by default, it broadcasts the
packets to all ports except the incoming port of a VLAN. Packets are flooded by
hardware without going to the CPU. This behavior causes some clients to receive
unwanted traffic.
IGMP snooping provides multicast containment by forwarding traffic to only the ports
that have IGMP receivers for a specific multicast group (destination address). A device
maintains the IGMP group membership information by processing the IGMP reports
and leave messages, so traffic can be forwarded to ports receiving IGMP reports.
In ICX switch supports IGMV v1/v2/v3 and IGMP v2 is enabled by default.
An IPv4 multicast address is a destination address in the range of 224.0.0.0 to
239.255.255.255. Addresses of 224.0.0.X are reserved. Because packets destined for
these addresses may require VLAN flooding, devices do not snoop in the reserved
range. Data packets destined to addresses in the reserved range are flooded to the
entire VLAN by hardware, and mirrored to the CPU. Multicast data packets destined
for the non-reserved range of addresses are snooped. A client must send IGMP
reports in order to receive traffic.
Revision 0919 13 - 8
ICX 200 IP Multicast
Revision 0919 13 - 9
ICX 200 IP Multicast
IGMP Snooping
• IGMP Snooping allows a switch to identify hosts that request multicast traffic and limit
forwarding of multicast addresses to specific ports
– Enabled by default
• An IGMP v2 switch examines contents of every IGMP message to determine which ports to
forward the traffic
• IGMP v3 switch examines only 224.0.0.22 group messages not general IGMP data traffic
– Lowers CPU utilization
IGMP snooping can be enabled on some VLANs or on all VLANs. Each VLAN can be
independently configured to be a querier or non-querier and can be configured for
IGMP v2 or IGMP V3. In general, the ip multicast commands apply globally to all
VLANs except those configured with VLAN-specific multicast commands. The VLAN-
specific multicast commands supersede the global ip multicast commands.
IGMP snooping can be configured for IGMP v2 or IGMP v3 on individual ports of a
VLAN. An interface or router sends the queries and reports that include its IGMP
version specified on it. The version configuration only applies to sending queries.
Lower versions cannot recognize and process higher version reports. Higher versions
can recognize and process both lower and higher versions.
To avoid version deadlock, an interface retains its version configuration even when it
receives a report with a lower version.
With IGMP v1/v2, the switch listens to the IGMP conversations between hosts and
switches. This requires extra CPU resources in the switch to identify and intercept all
IGMP packets flowing between routers and hosts. This can impact the switch’s
performance.
When all clients and switches employ IGMP v3, only multicast address 224.0.0.22 is
used for group messages and therefor minimizes CPU utilization.
Revision 0919 13 - 10
ICX 200 IP Multicast
IGMP Querying
• Active
– In general, this mode should only be used in Layer 2 switched network with no multicast routers
• In a Layer 2 switched environment, only one device should be configured as Active, others should be Passive
• Active switch should be closest to the multicast source
– The Ruckus device sends IGMP queries to identify multicast groups
– Populates IGMP table from membership reports it receives
• Passive
– VLANs on Ruckus device do not send queries
– Received queries are flooded to the VLAN
– Forwards membership reports to router ports which receive queries
Revision 0919 13 - 11
ICX 200 IP Multicast
IGMP Configuration
Revision 0919 13 - 12
ICX 200 IP Multicast
Enabling IGMP
• To globally enable
ICX(config)# ip multicast
– Syntax: [no] ip multicast [ active | passive ]
• Default: passive
• To globally identify the IGMP version on an ICX device, enter the ip multicast command
ICX(config)# ip multicast version 3
– Syntax: [no] ip multicast version [ 2 | 3 ]
• Default: version 2
• To specify the IGMP mode for a VLAN, enter a command such as the following:
ICX(config)# vlan 10
ICX(config-vlan-10)# multicast active
– Syntax: [no] multicast { active | passive }
• Default: Globally configured mode
You can configure active or passive IGMP modes on the Ruckus device. The default
mode is passive. The default can be changed with the ip multicast active global
configuration command.
The default global IGMP version on an ICX switch is v2 and this version is inherited by
all interfaces. The global version can be changed with ip multicast version command
in the global configuration context. If changed, this version will be inherited by all
interfaces. As long as those interface do not have a different version already explicitly
configured.
The IGMP mode can be configured at the VLAN level to override the global configured
mode using the multicast active or multicast passive command in the VLAN
configuration context.
Revision 0919 13 - 13
ICX 200 IP Multicast
Even if the IGMP mode and version have been configured globally, specifying the
mode and version for a VLAN overrides the global settings.
You can specify an IGMP version for a VLAN. If no IGMP version is specified on a
VLAN, then the globally-configured IGMP version is used.
You can specify the IGMP version for individual ports in a VLAN. You can specify a list
of ports, a range of ports, or a combination of lists and ranges. If an IGMP version is
specified for individual ports, those ports use that version, instead of the VLAN
version.
A snooping-enabled VLAN cannot forward multicast traffic to ports that do not
receive IGMP membership reports. If clients cannot send reports, you can configure a
static group which applies to specific ports. The static group allows packets to be
forwarded to the static group ports even though they have no client membership
reports.
Revision 0919 13 - 14
ICX 200 IP Multicast
The ip multicast query-interval period defines how often a switch will query an
interface for group membership when the mode is set to active. Possible values are
10-3600 seconds and the default value is 125 seconds.
The ip multicast age-interval command specifies the time that group entries can
remain in an IGMP group table on a specific VLAN or on all VLANs. Enter a value from
20 through 2600 seconds. When multiple devices are connected, they must all be
configured for the same age interval, which must be at least twice the length of the
query interval, so that missing one report does not stop traffic.
The ip multicast max-response-time command defines the maximum number of
seconds that a client can wait before it replies to the query sent by the router.
Possible values are 1 – 25. The default is 10.
Revision 0919 13 - 15
ICX 200 IP Multicast
IGMP v3 gives clients membership tracking and fast leave capability. IGMP v3 requires
every client to respond to queries, allowing the device to track all clients. When
tracking is enabled, and an IGMP v3 client sends a leave message and there is no
other client, the device immediately stops forwarding traffic to the interface. This
feature requires the entire VLAN be configured for IGMP v3 with no IGMP v2 clients.
If a client does not send a report during the specified group membership time (the
default is 260 seconds), that client is removed from the tracking list.
Every group on a physical port keeps its own tracking record. However, it can only
track group membership; it cannot track by (source, group). For example, Client A and
Client B belong to group1 but each receives traffic streams from different sources.
Client A receives a stream from (source_1, group1) and Client B receives a stream
from (source_2, group1). The device still waits for the configured leave-wait-time
before it stops the traffic because these two clients are in the same group. If the
clients are in different groups, then the waiting period is not applied and traffic is
stopped immediately.
Revision 0919 13 - 16
ICX 200 IP Multicast
• By default, when an IGMPv2 client leaves a group, group-specific queries are sent to see if
other clients on that interface need the data stream of the client who is leaving
– If no client responds, the device waits a few seconds before it stops the traffic
In IGMP v2, only one client on an interface needs to respond to a router's queries.
This can leave some clients invisible to the router, making it impossible to track the
membership of all clients in a group. When a client leaves the group, the device sends
group-specific queries to the interface to see if other clients on that interface need
the data stream of the client who is leaving. If no client responds, the device waits a
few seconds before it stops the traffic. You can configure the wait time using the ip
multicast leave-wait-time command.
Revision 0919 13 - 17
ICX 200 IP Multicast
When a device receives an IGMP v2 leave message, it sends out multiple group-
specific queries. If no other client replies within the waiting period, the device stops
forwarding traffic. When fast leave version 2 is configured, and when the device
receives a leave message, it immediately stops forwarding to that port. The device
does not send group-specific queries. When fast leave version 2 is configured on a
VLAN, you must not have multiple clients on any port that is part of the VLAN. In a
scenario where two devices connect, the querier device should not be configured for
fast leave version 2 because the port might have multiple clients through the non-
querier. The number of queries, and the waiting period (in seconds) can be
configured.
Revision 0919 13 - 18
ICX 200 IP Multicast
Revision 0919 13 - 19
ICX 200 IP Multicast
• PIM is a routing protocol used for forwarding multicast traffic between IP subnets or
network segments
• As the name implies, PIM works independently of any particular routing protocol
– PIM does not create and maintain a multicast routing table
• It uses the unicast routing table, which, since it can be populated by more than one protocol, is also
protocol independent
• There are two operating modes for PIM
– Dense mode - suitable for densely populated multicast groups, primarily in the LAN environment (RFC
3973)
– Sparse mode - suitable for sparsely populated multicast groups with the focus on WAN (RFC 2362)
PIM was introduced to simplify some of the complexity of the routing protocol at the
cost of additional overhead tied with a greater replication of forwarded multicast
packets. PIM builds source-routed multicast delivery trees and employs reverse path
check when forwarding multicast packets.
PIM uses the IP routing table instead of maintaining its own, thereby being routing
protocol dependent.
There are two modes in which PIM operates: Dense and Sparse. The Dense Mode is
suitable for densely populated multicast receivers, primarily in the LAN environment.
The Sparse Mode is suitable for sparsely populated multicast receivers with the focus
on WAN.
Revision 0919 13 - 20
ICX 200 IP Multicast
Footnote 1: Default values for these parameters work well in most network
environments. In some cases it is necessary to adjust these based on certain
accommodations needed.
Revision 0919 13 - 21
ICX 200 IP Multicast
device(config-pim-router)# prune-timer 90
• The prune timer range is from 60 through 3600 seconds. The default is 180.
device(config-pim-router)# prune-wait 1
• Value from 0 through 30 seconds. The default is 3.
device(config-pim-router)# inactivity-timer 90
• The value of the inactivity timer can be set from 60 through 3600 seconds. The default is 180.
Many PIM options can be modified from their default values in global configuration
mode. PIM global parameters come with preset values. The defaults work well in
most networks, but you can modify the following parameters if necessary:
• Neighbor timeout—Neighbor timeout is the interval after which a PIM device
will consider a neighbor to be absent.
• Hello timer – The hello timer defines the interval at which periodic hellos are
sent out PIM interfaces.
• Prune timer – The prune timer defines how long a PIM device will maintain a
prune state for a forwarding entry. A prune state is maintained until the prune
timer expires or a graft message is received for the forwarding entry.
• Prune wait timer – The prune wait timer allows you to configure the amount of
time a PIM device will wait before stopping traffic to neighbor devices that do
not want the traffic. A prune wait value of zero causes the PIM device to stop
traffic immediately upon receiving a prune message.
• Graft retransmit timer – The graft retransmit timer defines the interval between
the transmission of graft messages. A graft message is sent by a device to cancel
a prune state. When a device receives a graft message, the device responds
with a Graft Ack (acknowledge) message. If this Graft Ack message is lost, the
device that sent the graft message will resend it.
• Inactivity timer – The device deletes a forwarding entry if the entry is not used
to send multicast packets. The PIM inactivity timer defines how long a
forwarding entry can remain unused before the device deletes it.
Revision 0919 13 - 22
ICX 200 IP Multicast
PIM Dense
Revision 0919 13 - 23
ICX 200 IP Multicast
• This mode works on the premise that there are multicast stream listeners throughout the
entire network
• PIM-DM builds its multicast tree by flooding traffic from the source to all dense mode
routers in the network
– This will propagate unnecessary traffic for a short time
• Each router checks to see if it has active group members waiting for the data
– If so, the router remains quiet and lets the traffic flow
– If no hosts have registered for that group, the router sends a prune message toward the source, and that
branch of the tree is “pruned” off to stop unnecessary traffic flow
• Trees built with this flood and prune method are called source trees1
• Reverse path forwarding (RPF) checks are used to ensure loop-free topology
Revision 0919 13 - 24
ICX 200 IP Multicast
• Uses unicast routing table to compare against source of the multicast stream
– Multicast flow is reviewed on ingress
– The port and source address are compared against the unicast routing table
• If the source of the stream matches a routing table entry and the port associated with the route entry, the RPF
check passes and the stream is forwarded out other multicast interfaces
• If it does not match, the stream is dropped1
Source
Footnote 1: Depending on the multicast routing protocol being used, this may also
result in a “prune” message being sent to the forwarding router. Some multicast
routing protocols use prune messages to instruct the sending router to cease sending
multicast traffic from that source.
Revision 0919 13 - 25
ICX 200 IP Multicast
• Initial flooding
Multicast traffic sent by the source is flooded throughout the entire network. RPF
ensures proper traffic flow by avoiding loops. RPF is applied to every multicast packet
received by all routers.
As each router receives the multicast traffic via its RPF interface (the interface in the
direction of the source), it forwards the multicast traffic to all of its PIM-DM
neighbors. This causes traffic to arrive at some routers multiple times via a non-RPF
interface. This is normal for the initial flooding of data and are corrected by the
normal PIM-DM pruning mechanism.
Revision 0919 13 - 26
ICX 200 IP Multicast
In the diagram, two of the routers receive multicast traffic on a non-RPF interface
from a neighboring router, which results in a prune messages sent between them.
The routers with no receivers attached also send prune messages toward the source,
via the RPF interface.
PIM-DM prunes are sent to neighbor routers toward the source on the RPF interface
to stop the flow of unwanted traffic:
• Prunes are sent when the router has no downstream members that need the
multicast traffic.
• Prunes are also sent to shut off the flow of multicast traffic that is received on
the wrong interface (non-RPF interfaces).
• For equal cost paths, router vendors each define their own proprietary method
of pruning down to a single path. Possible methods could be hash-based,
source-based, based on the IP address of the next-hop routers, or the IP
addresses of the receiving interfaces.
Revision 0919 13 - 27
ICX 200 IP Multicast
• Once pruning process completes, • Every 3 minutes, by default, the flood and
multicast traffic only flows to active prune process repeats
receivers
After multicast traffic has been pruned off unnecessary links, this results in a Shortest
Path Tree (SPT) being built from the source to the receiver. At this point, multicast
traffic is no longer flowing to all routers in the network. However, the (S, G) state still
remains in all routers. This (S, G) state will remain until the source stops transmitting.
In PIM-DM, a prune state expires after three minutes. A refresh state message is then
sent up the tree to verify if the source is still active. If it does not receive a response,
the (S, G) entry times out and is dropped.
Revision 0919 13 - 28
ICX 200 IP Multicast
PIM Dense
Configuration Example
Revision 0919 13 - 29
ICX 200 IP Multicast
• To configure an ICX Layer 3 router for PIM Dense, perform the following tasks:
– Enter the IP address for the interface (if not already present)
ICX(config-if-e10000-1/1/3)# ip address 10.9.9.9/32
Revision 0919 13 - 30
ICX 200 IP Multicast
PIM Sparse
Revision 0919 13 - 31
ICX 200 IP Multicast
• Sparse mode works on the premise that multicast receivers are not positioned in all areas
of the network
• One router is designated as the Rendezvous Point (RP) and should be located close to the
source in the network
– Receiver routers generate PIM join messages, based on received IGMP Membership Reports, to the RP to
identify which multicast groups they are interested in
– Source routers send register messages to the RP to identify which groups they are sending
– Multicast traffic from all source routers is sent to the RP for redistribution to the receivers
– This mode is referred to as a shared tree, because initially all source traffic flows through the RP
Source Receiver
Rendezvous Point
Footnote 1: A shared tree is somewhat similar to the source tree, except that instead
of being rooted from the source and growing towards the receivers, it is rooted at a
common point, the Rendezvous Point (RP). Because the source is not necessarily
known to receivers, a (*,G) notation is used to maintain the multicast table between
receivers and the RP. A source tree is maintained only between the multicast source
and the RP.
The tree from the RP to the group members is a subset of the main tree. When
members join a group, the local router forwards the membership report toward the
RP. Each router along the way adds that branch to the shared tree.
Pruning is performed when a group member is removed from the group. Only routers
with active group members join the tree.
Revision 0919 13 - 32
ICX 200 IP Multicast
Sender Registration
• The router local to the source is responsible for registering the source with the RP and
building a tree between them
Revision 0919 13 - 33
ICX 200 IP Multicast
Revision 0919 13 - 34
ICX 200 IP Multicast
Combining Trees
Revision 0919 13 - 35
ICX 200 IP Multicast
Revision 0919 13 - 36
ICX 200 IP Multicast
• Multicast traffic from the source transitions to the shortest routing path between the
source and the client
Revision 0919 13 - 37
ICX 200 IP Multicast
• Each PIM-Sparse router manages multicast flows using inbound (IIF) and outbound
interface (OIF) tables for each multicast group address
RP
e1/1/44
e 1/1/14 e 1/1/44
Traffic Flow
Receiver
Revision 0919 13 - 38
ICX 200 IP Multicast
PIM Sparse
Configuration Example
Revision 0919 13 - 39
ICX 200 IP Multicast
• To configure an ICX Layer 3 router for PIM Sparse, perform the following tasks:
– Configure the following global parameter:
• Enable the PIM Sparse mode of multicast routing
To enhance overall network performance, the ICX device uses the RP to forward only
the first packet from a group source to the group’s receivers. After the first packet,
the ICX device calculates the shortest path between the receiver and source (the
Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source
to the receiver. The ICX device calculates a separate SPT for each source-receiver pair.
Revision 0919 13 - 40
ICX 200 IP Multicast
Enabling PIM
• To configure basic global PIM Sparse parameters, enter commands such as the following
on each Layer 3 switch within the PIM Sparse domain1
ICX(config)# router pim
• To enable PIM Sparse mode on an interface, enter commands such as the following:
ICX(config)# interface ethernet 1/1/2
ICX(config-if-e10000-1/1/2)# ip address 207.95.7.1 255.255.255.0
ICX(config-if-e10000-1/1/2)# ip pim-sparse
Footnote 1: Enabling PIM globally allows you to configure either dense or sparse
mode on interfaces. Dense and Sparse mode however cannot be run simultaneously.
Revision 0919 13 - 41
ICX 200 IP Multicast
PIM Borders
• Defining an interface as a PIM border defines the edge of the PIM-Sparse Domain
Revision 0919 13 - 42
ICX 200 IP Multicast
• For PIM Sparse mode to work you need to identify at least one Layer 3 switch interface as
a candidate for a boot strap router (BSR) and PIM Sparse Rendezvous Point (RP)
– To configure the Layer 3 switch as a candidate BSR, enter commands such as the following:
ICX(config)# router pim
ICX(config-pim-router)# bsr-candidate loopback 1 30 255
BSR address: 207.95.7.1, hash mask length: 30, priority: 255
– Enter a command such as the following to configure the Layer 3 switch as a candidate rendezvous point
(RP):
ICX(config-pim-router)# rp-candidate loopback 1
• PIM Sparse mode must be enabled on any interface configured as a BSR or RP candidate
The bsr-candidate command configures the PIM Sparse interface loopback 1 as a BSR
candidate, with a hash mask length of 30 and a priority of 255. The CLI displays a summary of
the applied configuration once the command is executed.
Syntax: [no] bsr-candidate {ethernet unit/slot/port | lag lag-id | loopback num | ve num |
tunnel num} hash-mask-length [priority]
The device will advertise the IP address of the specified interface as a candidate BSR.
The hash-mask-length parameter specifies the number of bits in a group address that are
significant when calculating the group-to-RP mapping. You can specify a value from 1–32.
The priority specifies the BSR priority. You can specify a value from 0 - 255. When the
election process for BSR takes place, the candidate BSR with the highest priority becomes the
BSR. The default is 0.
It is recommended that you use the PIM Sparse protocol’s RP election process so that a
backup RP can automatically take over if the active RP router becomes unavailable. This is
accomplished with the rp-candidate command, followed by the interface to be used.
Revision 0919 13 - 43
ICX 200 IP Multicast
• Rendezvous Point routers should be placed as close to the multicast source as possible
– Each RP can be configured to only represent multicast groups they are near to
– To specify which multicast group addresses an RP will represent, use the rp-candidate add command
ICX(config-pim-router)# rp-candidate add 224.126.0.0 16
• Adding any multicast prefix will automatically remove the default prefix (224.0.0.0 4) from the running config
– To remove an added multicast group address (or a specific group address), use the rp-candidate delete
command
ICX(config-pim-router)# rp-candidate delete 224.126.0.0 16
You can configure the device as a candidate RP with the rp-candidate command. By
default, this command configures the device as a candidate RP for all group numbers
beginning with 224. As a result, the device is a candidate RP for all valid PIM Sparse
group numbers. You can change this by adding or deleting specific address ranges.
To add a group number range for which the device is a candidate RP, use the add
option to explicitly add a range.
ICX(config-pim-router)# rp-candidate add 224.126.0.0 16
The group-addr mask-bits variable specifies the group address and the number of
significant bits in the subnet mask. In this example, the device is a candidate RP for
all groups that begin with 224.126. When you add a range, you override the
default. The device then becomes a candidate RP only for the group address
ranges you add.
To delete a group number range for which the device is a candidate RP, use the delete
option to explicitly remove a range that was previously added.
ICX(config-pim-router)# rp-candidate delete 224.126.0.0
16
This example deletes an address group from the devices for which it is a candidate
RP.
Revision 0919 13 - 44
ICX 200 IP Multicast
Revision 0919 13 - 45
ICX 200 IP Multicast
– If configured, the router will use this RP for all multicast group prefixes
If you do not want the RP to be selected by the RP election process but instead you
want to explicitly identify the RP by IP address, use the rp-address command.
If you explicitly specify the RP, the device uses the specified RP for all group-to-RP
mappings and overrides the set of candidate RPs supplied by the BSR.
Revision 0919 13 - 46
ICX 200 IP Multicast
Revision 0919 13 - 47
ICX 200 IP Multicast
• Below is the topology that will be used to demonstrate the capabilities of the show
commands available on the Ruckus ICX for multicast routing using PIM-SM
RP RP
Client 244.1.1.0/24 239.0.1.0/24 Source
224.1.1.1
224.1.1.1
The topology used for the demonstrations of the show commands is shown here. In
the examples all focus will be on one multicast stream for group address 244.1.1.1
between the client and server shown. The path for this multicast stream will flow
between the routers shown. In some examples, output will be shown from each
router to display the different information that can be obtained from each router’s
perspective. Others will only be displayed from a single device
Revision 0919 13 - 48
ICX 200 IP Multicast
RP RP
Client 244.1.1.0/24 239.0.1.0/24 Source
224.1.1.1
224.1.1.1
Copyright 2019 – ARRIS Enterprises, LLC. All rights reserved 49
Revision 0919 13 - 49
ICX 200 IP Multicast
• Use the show ip pim neighbor command to display neighboring PIM routers
Client-Edge# show ip pim neighbor Client
--------+---------+-------------+--------+---+---------+---------+-----+--------------+-----------+----+
Port |PhyPort |Neighbor |Holdtime|T |PropDelay|Override |Age |UpTime |VRF |Prio
| | |sec |Bit|msec |msec |sec | | |
--------+---------+-------------+--------+---+---------+---------+-----+--------------+-----------+----+
e1/1/19 e1/1/19 172.16.240.5 105 1 500 3000 3 89d 08:35:22 default 1
Client-Edge
<Output Truncated>
Core-Agg# show ip pim neighbor
--------+---------+-------------+--------+---+---------+---------+-----+--------------+-----------+----+
Port |PhyPort |Neighbor |Holdtime|T |PropDelay|Override |Age |UpTime |VRF |Prio Core-Agg
| | |sec |Bit|msec |msec |sec | | |
--------+---------+-------------+--------+---+---------+---------+-----+--------------+-----------+----+
e1/1/20 e1/1/20 172.16.240.6 105 1 500 3000 15 89d 08:43:45 default 1
Srvr-Edge
v4 e1/1/14 10.254.4.3 105 1 500 3000 1 91d 04:49:33 default 1
<Output Truncated>
Srvr-Edge# show ip pim neighbor
--------+---------+-------------+--------+---+---------+---------+-----+--------------+-----------+----+
Port |PhyPort |Neighbor |Holdtime|T |PropDelay|Override |Age |UpTime |VRF |Prio
| | |sec |Bit|msec |msec |sec | | |
--------+---------+-------------+--------+---+---------+---------+-----+--------------+-----------+----+
v4 e1/1/16 10.254.4.5 105 1 500 3000 15 91d 04:44:58 default 1
Source
<Output Truncated> 224.1.1.1
Revision 0919 13 - 50
ICX 200 IP Multicast
• Use the show ip pim rp-set command to display known RPs in the PIM domain
– Typically, RP information should be the same for all PIM routers in the domain Client
Srvr-Edge
Group prefix = 224.1.1.0/24 # RPs: 1
RP L1:
RP 1: 10.255.255.1 priority=0 age=20 holdtime=150 239.0.1.0/24 10.255.250.2
Source
224.1.1.1
Revision 0919 13 - 51
ICX 200 IP Multicast
• Use the show ip pim rp-hash command to display RP information for specific multicast
group prefixes Client
Source
224.1.1.1
Revision 0919 13 - 52
ICX 200 IP Multicast
• The multicast cache (mcache) contains all know multicast source-groups (S,G)
Client
• Use the show ip pim mcache command to display a router’s multicast cache
The output from the show ip pim mcache command provides a robust set of
information.
The output show here is from the Server Distribution router which is closest to the
multicast source.
For the purposes of this course, the most important information to view is related to
the data associated with a specific source, group (S,G) entry. Most especially the
incoming and outgoing ports for the multicast stream. The incoming interface, which
may display as a VE, still indicates the physical interface that incoming multicast
stream traffic is coming from.
The output also provides a list of forwarding ports. These are the ports that multicast
stream is being forwarded to. These ports have either received PIM Join messages or
IGMP Group Membership Queries for the multicast group.
I tis important to note that each router is only capable of determining it’s own
responsibility in forwarding multicast traffic. When multiple PIM routers are in the
path of multicast stream, each will have it’s own perspective on correct forwarding
behavior. Consistency of configuration and deployment is critical for predictable
operation and behavior between PIM routers.
Detailed descriptions of output fields are provided in the notes pages following this
slide.
Revision 0919 13 - 53
ICX 200 IP Multicast
Revision 0919 13 - 54
ICX 200 IP Multicast
Revision 0919 13 - 55
ICX 200 IP Multicast
Here we show the output from the show ip pim mcache command on the Core
Aggregation router.
Revision 0919 13 - 56
ICX 200 IP Multicast
Lastly, we show the output from the show ip pim mcache command on the Client
Distribution router, which is closest to the client receiving the multicast traffic.
Revision 0919 13 - 57
ICX 200 IP Multicast
Module Summary
Revision 0919 13 - 58
ICX 200 IP Multicast
Revision 0919 13 - 59
ICX 200 IP Multicast
Revision 0919 13 - 60