
FTOS Configuration Guide

Version 8.3.2.0

July 9, 2010

Copyright 2010 Force10 Networks


All rights reserved. Printed in the USA. January 2010.
Force10 Networks reserves the right to change, modify, or revise this publication without notice.

Trademarks
Force10 Networks and E-Series are registered trademarks of Force10 Networks, Inc. Force10, the Force10 logo, E1200, E600, E600i,
E300, EtherScale, TeraScale, FTOS, C-Series, and S-Series are trademarks of Force10 Networks, Inc. All other brand and product names are
registered trademarks or trademarks of their respective holders.

Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Force10 Networks reserves the right to make changes to
products described in this document without notice. Force10 Networks does not assume any liability that may occur due to the use or
application of the product(s) described herein.

Contents
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Information Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Chapter 1
Configuration Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Accessing the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
CLI Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Navigating CLI Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
The do Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Undoing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Obtaining Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Entering and Editing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Command History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Filtering show Command Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Multiple Users in Configuration mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Chapter 2
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configure a Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Access the System Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Access the C-Series and E-Series Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Access the S-Series Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configure the Enable Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configuration File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Copy Files to and from the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Save the Running-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
View Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
File System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
View command history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010

Upgrading and Downgrading FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Chapter 3
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configure Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Create a Custom Privilege Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Apply a Privilege Level to a Username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Apply a Privilege Level to a Terminal Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Configure Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Log Messages in the Internal Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuration Task List for System Log Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Disable System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Send System Messages to a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configure a Unix System as a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Change System Logging Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Display the Logging Buffer and the Logging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Configure a UNIX logging facility level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Synchronize log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Enable timestamp on syslog messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
File Transfer Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configuration Task List for File Transfer Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Terminal Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Deny and Permit Access to a Terminal Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configure Login Authentication for Terminal Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Time out of EXEC Privilege Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Telnet to Another Network Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Lock CONFIGURATION mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Viewing the Configuration Lock Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Recovering from a Forgotten Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Recovering from a Forgotten Enable Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Recovering from a Forgotten Password on S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Recovering from a Failed Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Chapter 4
802.1ag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Ethernet CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Maintenance Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Maintenance Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Maintenance End Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configure CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Enable Ethernet CFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85


Create a Maintenance Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85


Create a Maintenance Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Create Maintenance Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Create a Maintenance End Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Create a Maintenance Intermediate Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
MP Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Continuity Check Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Enable CCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Enable Cross-checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Loopback Message and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Linktrace Message and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Link Trace Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Enable CFM SNMP Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Display Ethernet CFM Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Chapter 5
802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
The Port-authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
EAP over RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Enabling 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring Request Identity Re-transmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configuring a Quiet Period after a Failed Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Forcibly Authorizing or Unauthorizing a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Re-authenticating a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Periodic Re-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Configuring Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Dynamic VLAN Assignment with Port Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Guest and Authentication-fail VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Configuring a Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuring an Authentication-fail VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Multi-host Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Chapter 6
IP Access Control Lists (ACL), Prefix Lists, and Route-maps. . . . . . . . . . . . . . . . . . . . . . 115
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
IP Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
CAM Profiling, CAM Allocation, and CAM Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Implementing ACLs on FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
IP Fragment Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120


Configure a standard IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122


Configure an extended IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Established Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring Layer 2 and Layer 3 ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Assign an IP ACL to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Counting ACL Hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring Ingress ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring Egress ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Egress Layer 3 ACL Lookup for Control-plane IP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Configuring ACLs to Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Applying an ACL on Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
IP Prefix Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuration Task List for Prefix Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
ACL Resequencing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Resequencing an ACL or Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Configuration Task List for Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Chapter 7
Bidirectional Forwarding Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
How BFD Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Configuring Bidirectional Forwarding Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Configuring BFD for Physical Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Configuring BFD for Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Configuring BFD for OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring BFD for IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Configuring BFD for VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Configuring BFD for VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Configuring BFD for Port-Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Configuring Protocol Liveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Troubleshooting BFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Chapter 8
Border Gateway Protocol IPv4 (BGPv4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Autonomous Systems (AS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Sessions and Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Route Reflectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187


Confederations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
BGP Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Best Path Selection Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Local Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Multi-Exit Discriminators (MEDs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Origin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
AS Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Next Hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Multiprotocol BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195


Implementing BGP with FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
4-Byte AS Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
AS4 Number Representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
AS Number Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
BGP4 Management Information Base (MIB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
BGP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Configuration Task List for BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
MBGP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
BGP Regular Expression Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Retain NH in BGP Advertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Debugging BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Storing Last and Bad PDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Capturing PDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
PDU Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Chapter 9
Content Addressable Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Content Addressable Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Microcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
CAM Profiling for ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Boot Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
When to Use CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Differences Between EtherScale and TeraScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Select CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
CAM Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Test CAM Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
View CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
View CAM-ACL settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274


View CAM Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275


Configure IPv4Flow Sub-partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Configure Ingress Layer 2 ACL Sub-partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Return to the Default CAM Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
CAM Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Applications for CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
LAG Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
LAG Hashing based on Bidirectional Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
CAM profile for the VLAN ACL group feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Troubleshoot CAM Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
CAM Profile Mismatches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
QoS CAM Region Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Chapter 10
Content Addressable Memory for ExaScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Content Addressable Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Static Random Access Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
CAM-profile templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Default CAM-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Recommended CAM-profile templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
CAM/SRAM region minimums and maximums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Microcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Boot Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Select a CAM-profile template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Select pre-defined CAM-profile template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Create new CAM-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Assign a microcode to the CAM-profile template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Validate CAM-profile templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Show CAM-profile templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

Chapter 11
Configuration Replace and Rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Archived Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Configuring Configuration Replace and Rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Enabling the Archive Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Archiving a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Viewing the Archive Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Replacing the Current Running Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Rolling Back to the Previous Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Configuring an Archive File Maximum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Configuring Auto-archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Copying and Deleting an Archive File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Viewing and Editing the Contents of an Archive File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Viewing the Difference between Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Chapter 12
Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
DHCP Packet Format and Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Assigning an IP Address using DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Configure the System to be a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Configure the Server for Automatic Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Specify a Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Enable DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Specify a DHCP Database Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configure a Method of Hostname Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Specify Values for DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Allocate Addresses to BOOTP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Create Manual Binding Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Enable DHCP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Check for Address Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
DHCP Clear Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Configure the System to be a Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Configure Secure DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Drop DHCP packets on snooped VLANs only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Dynamic ARP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Source Address Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Chapter 13
Equal Cost Multi-Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
ECMP for Flow-based Affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Configurable Hash Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Deterministic ECMP Next Hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Configurable Hash Algorithm Seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

Chapter 14
Force10 Resilient Ring Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010

Ring Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Multiple FRRP Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Important FRRP Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Important FRRP Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Implementing FRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
FRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Troubleshooting FRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Configuration Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Sample Configuration and Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Chapter 15
Force10 Service Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Configure Force10 Service Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Enable Force10 Service Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Specify an SMTP Server for FTSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Provide an Administrator E-mail Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
FTSA Messaging Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Enable the FTSA Messaging Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Add Additional Recipients of FTSA E-mails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Encrypt FTSA Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Provide Administrator Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Set the Frequency of FTSA Type 3 Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Generate FTSA Type 4 Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Set Parameters for FTSA Type 5 Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
FTSA Message Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
FTSA Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Create an FTSA Policy Test List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Create a Policy Action List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Create a Policy and Assign a Test and Action List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Additional Policy Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
FTSA Policy Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Debugging FTSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

Chapter 16
GARP VLAN Registration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Configuring GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Enabling GVRP Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Enabling GVRP on a Layer 2 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Configuring GVRP Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Configuring a GARP Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Chapter 17
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Component Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
RPM Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
RPM Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Linecard Online Insertion and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Hitless Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Software Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Runtime System Health Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
SFM Channel Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Software Component Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
System Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Failure and Event Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Hot-lock Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Warm Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Configure Cache Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Chapter 18
Internet Group Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
IGMP Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
IGMP Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
IGMP version 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
IGMP version 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Configuring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Viewing IGMP Enabled Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Selecting an IGMP Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Viewing IGMP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Adjusting Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Adjusting Query and Response Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Adjusting the IGMP Querier Timeout Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Configuring a Static IGMP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
Enabling IGMP Immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
IGMP Snooping Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Configuring IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Enabling IGMP Immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Disabling Multicast Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Specifying a Port as Connected to a Multicast Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Configuring the Switch as Querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Fast Convergence after MSTP Topology Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Designating a Multicast Router Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Chapter 19
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Interface Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
View Basic Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Enable a Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuration Task List for Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Overview of Layer Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Configure Layer 2 (Data Link) Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Configure Layer 3 (Network) Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Configure Management Interfaces on the E-Series and C-Series . . . . . . . . . . . . . . . . . . . . . . 422
Configure Management Interfaces on the S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Null Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Port Channel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Bulk Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Interface Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Bulk Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Interface Range Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Define the Interface Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Choose an Interface-range Macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Monitor and Maintain Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Maintenance using TDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Link Debounce Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Important Points to Remember about Link Debounce Timer . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Assign a debounce time to an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Show debounce times in an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Disable ports when only one SFM is available (E300 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Disable port on one SFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Link Dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Enable Link Dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Ethernet Pause Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Threshold Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Enable Pause Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Configure MTU Size on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Port-pipes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Auto-Negotiation on Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
View Advanced Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Display Only Configured Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Configure Interface Sampling Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Dynamic Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Chapter 20
IPv4 Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Configuration Task List for IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Directed Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Resolution of Host Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Configuration Task List for ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
ARP Learning via Gratuitous ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
ARP Learning via ARP Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Configurable ARP Retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Configuration Task List for ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Configuring UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Important Points to Remember about UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Enabling UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Configuring a Broadcast Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Configurations Using UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
UDP Helper with Broadcast-all Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
UDP Helper with Subnet Broadcast Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
UDP Helper with Configured Broadcast Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
UDP Helper with No Configured Broadcast Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Troubleshooting UDP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Chapter 21
IPv6 Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Extended Address Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Stateless Autoconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
IPv6 Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Extension Header fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Implementing IPv6 with FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
ICMPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
IPv6 Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
IPv6 Neighbor Discovery of MTU packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Advertise Neighbor Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
QoS for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
IPv6 Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
SSH over an IPv6 Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Configuration Task List for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Change your CAM-Profile on an E-Series system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Adjust your CAM-Profile on a C-Series or S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Assign an IPv6 Address to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Assign a Static IPv6 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Telnet with IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
SNMP over IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Show IPv6 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Show an IPv6 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Show IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Show the Running-Configuration for an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Clear IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

Chapter 22
Intermediate System to Intermediate System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
IS-IS Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Multi-Topology IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Transition Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .511
Interface support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .511
Adjacencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Configuration Task List for IS-IS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Configuring the distance of a route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Change the IS-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
IS-IS Metric Styles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Configure Metric Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Maximum Values in the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Changing the IS-IS Metric Style in One Level Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Leaking from One Level to Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Sample Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

Chapter 23
Link Aggregation Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Introduction to Dynamic LAGs and LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
LACP modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
LACP Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
LACP Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Monitoring and Debugging LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Configure Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Important Points about Shared LAG State Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Configure LACP as Hitless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
LACP Basic Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

Chapter 24
Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Managing the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Clear the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Set the Aging Time for Dynamic Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Configure a Static MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Display the MAC Address Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
MAC Learning Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
mac learning-limit dynamic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
mac learning-limit station-move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
mac learning-limit no-station-move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Learning Limit Violation Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Station Move Violation Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Recovering from Learning Limit and Station Move Violations . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Per-VLAN MAC Learning Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
NIC Teaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
MAC Move Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Microsoft Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Default Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Configuring the Switch for Microsoft Server Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Enable and Disable VLAN Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Configuring Redundant Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Important Points about Configuring Redundant Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Restricting Layer 2 Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Far-end Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
FEFD state changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Configuring FEFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Debugging FEFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010

Chapter 25
Link Layer Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
802.1AB (LLDP) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Protocol Data Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Optional TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Management TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
TIA-1057 (LLDP-MED) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
TIA Organizationally Specific TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Configuring LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
LLDP Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
CONFIGURATION versus INTERFACE Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Enabling LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Disabling and Undoing LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Advertising TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Viewing the LLDP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Viewing Information Advertised by Adjacent LLDP Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Configuring LLDPDU Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Configuring Transmit and Receive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Configuring a Time to Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Debugging LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Relevant Management Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598

Chapter 26
Multicast Listener Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
MLD Version 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
MLD Querier Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Joining a Multicast Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Leaving a Multicast Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
MLD version 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Enabling MLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Related MLD Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Change MLD Timer Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Reduce Host Response Burstiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Reduce Leave Latency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Last Member Query Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Explicit Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Configure a Static Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Display the MLD Group Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Clear MLD Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Change the MLD Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Debug MLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
MLD Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Enable MLD Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Disable MLD Snooping on a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Configure the Switch as a Querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Disable Multicast Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Specify a Port as Connected to a Multicast Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Enable Snooping Explicit Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Display the MLD Snooping Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
MLDv2 Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Port Inheritance on Mixed MLD Mode VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612

Chapter 27
Multicast Source Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Configuring Multicast Source Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Enable MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Manage the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
View the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Limit the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Clear the Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Enable the Rejected Source-active Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Accept Source-active Messages that fail the RPF Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Limit the Source-active Messages from a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Prevent MSDP from Caching a Local Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Prevent MSDP from Caching a Remote Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Prevent MSDP from Advertising a Local Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Log Changes in Peership States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Terminate a Peership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Clear Peer Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Debug MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
MSDP with Anycast RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Reducing Source-active Message Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Specify the RP Address Used in SA Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
MSDP Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639

Chapter 28
Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Configure Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Enable Multiple Spanning Tree Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Add and Remove Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Create Multiple Spanning Tree Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Influence MSTP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Interoperate with Non-FTOS Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Modify Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Modify Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Flush MAC Addresses after a Topology Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
MSTP Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Debugging and Verifying MSTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

Chapter 29
Multicast Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Enable IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Multicast with ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
First Packet Forwarding for Lossless Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
IPv4 Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
IPv6 Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Multicast Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Multicast Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Optimize the E-Series for Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Allocate More Buffer Memory for Multicast WRED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Allocate More Bandwidth to Multicast using Egress WFQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Tune the Central Scheduler for Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674

Chapter 30
Open Shortest Path First (OSPFv2 and OSPFv3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Autonomous System (AS) Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Networks and Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
Router Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
Designated and Backup Designated Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Link-State Advertisements (LSAs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Router Priority and Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Implementing OSPF with FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Fast Convergence (OSPFv2, IPv4 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Multi-Process OSPF (OSPFv2, IPv4 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
RFC-2328 Compliant OSPF Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
OSPF ACK Packing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
OSPF Adjacency with Cisco Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Configuration Task List for OSPFv2 (OSPF for IPv4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Troubleshooting OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Configuration Task List for OSPFv3 (OSPF for IPv6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Troubleshooting OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Sample Configurations for OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Basic OSPFv2 Router Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716

Chapter 31
PIM Dense-Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Refusing Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
Requesting Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Configure PIM-DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Enable PIM-DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722

Chapter 32
PIM Sparse-Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Requesting Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Refusing Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Sending Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Configure PIM-SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Enable PIM-SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
Configurable S,G Expiry Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Configure a Static Rendezvous Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Override Bootstrap Router Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Elect an RP using the BSR Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
Configure a Designated Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Create Multicast Boundaries and Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Set a Threshold for Switching to the SPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
PIM-SM Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
Monitoring PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738

Chapter 33
PIM Source-Specific Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Configure PIM-SM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Enable PIM-SSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
Use PIM-SSM with IGMP version 2 Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742

Chapter 34
Power over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
Configuring Power over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Enabling PoE on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Manage Ports using Power Priority and the Power Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
Determine the Power Priority for a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
Determine the Effect of a Port on the Power Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
Monitor the Power Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
Manage Power Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Recover from a Failed Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
Power Additional PoE Ports on the S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
Deploying VOIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
Create VLANs for an Office VOIP Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
Configure LLDP-MED for an Office VOIP Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
Configure Quality of Service for an Office VOIP Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . 759

Chapter 35
Policy-based Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Implementing Policy-based Routing with FTOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Non-contiguous bitmasks for PBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Hot-Lock PBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Configuration Task List for Policy-based Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Create a Redirect List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
Create a Rule for a Redirect-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
Apply a Redirect-list to an Interface using a Redirect-group . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
Show Redirect List Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
Sample Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771

Chapter 36
Port Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
Port Monitoring on E-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776

20

Contents

E-Series TeraScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
E-Series ExaScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Port Monitoring on C-Series and S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Configuring Port Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
Flow-based Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782

Chapter 37
Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
Configure Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
Configure PVLAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Place PVLAN Ports in a Secondary VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Place the Secondary VLANs in a Primary VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Private VLAN show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788

Chapter 38
Per-VLAN Spanning Tree Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Configure Per-VLAN Spanning Tree Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Enable PVST+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Disable PVST+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Influence PVST+ Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Modify Global PVST+ Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Modify Interface PVST+ Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
PVST+ in Multi-vendor Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
PVST+ Extended System ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
PVST+ Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796

Chapter 39
Quality of Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Port-based QoS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Set dot1p Priorities for Incoming Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
Honor dot1p Priorities on Ingress Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Configure Port-based Rate Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Configure Port-based Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Configure Port-based Rate Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
Policy-based QoS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Classify Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010

21

Create a QoS Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
Create Policy Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
QoS Rate Adjustment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
Strict-priority Queueing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820
Weighted Random Early Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820
Create WRED Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
Apply a WRED profile to traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
Configure WRED for Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
Display Default and Configured WRED Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
Display WRED Drop Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
Allocating Bandwidth to Multicast Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
Pre-calculating Available QoS CAM Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 824
Viewing QoS CAM Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825

Chapter 40
Routing Information Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
RIPv1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
RIPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Configuration Task List for RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
RIP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836

Chapter 41
Remote Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Fault Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844

Chapter 42
Rapid Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Configuring Rapid Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Configure Interfaces for Layer 2 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Enable Rapid Spanning Tree Protocol Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
Add and Remove Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
Modify Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
Modify Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
Configure an EdgePort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
Influence RSTP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
SNMP Traps for Root Elections and Topology Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860
Fast Hellos for Link State Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860

Chapter 43
Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
AAA Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
Configuration Task List for AAA Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
AAA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Configuration Task List for AAA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
AAA Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868
Privilege Levels Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868
Configuration Task List for Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
RADIUS Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874
Configuration Task List for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876
TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
Configuration Task List for TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
TACACS+ Remote Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Command Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
Protection from TCP Tiny and Overlapping Fragment Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
SCP and SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Using SCP with SSH to copy a software image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Secure Shell Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Troubleshooting SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Trace Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Configuration Tasks for Trace Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
VTY Line and Access-Class Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
VTY Line Local Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
VTY Line Remote Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897
VTY MAC-SA Filter Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897

Chapter 44
Service Provider Bridging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899
VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900
Configure VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900
Create Access and Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Enable VLAN-Stacking for a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
Configure the Protocol Type Value for the Outer VLAN Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
FTOS Options for Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
Debug VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
VLAN Stacking in Multi-vendor Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905
VLAN Stacking Packet Drop Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
Enable Drop Eligibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
Honor the Incoming DEI Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Mark Egress Packets with a DEI Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Dynamic Mode CoS for VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914
Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
Enable Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
Specify a Destination MAC Address for BPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
Rate-limit BPDUs on the E-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
Rate-limit BPDUs on the C-Series and S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
Debug Layer 2 Protocol Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921
Provider Backbone Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921

Chapter 45
sFlow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
Enable and Disable sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 925
Enable and Disable on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 925
sFlow Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
Show sFlow Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
Show sFlow on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
Show sFlow on a Line Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
Specify Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 928
Polling Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 928
Sampling Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929
Sub-sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929
Back-off Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
sFlow on LAG ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
Extended sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931

Chapter 46
Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Configure Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 934
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 934
Create a Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 934
Read Managed Object Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
Write Managed Object Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 936
Configure Contact and Location Information using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 936
Subscribe to Managed Object Value Updates using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
Copy Configuration Files Using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940
Manage VLANs using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Create a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Assign a VLAN Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Display the Ports in a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
Add Tagged and Untagged Ports to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 949
Enable and Disable a Port using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
Fetch Dynamic MAC Entries using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
Deriving Interface Indices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953
Monitor Port-channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 955

Chapter 47
SONET/SDH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
Packet Over SONET (POS) Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
Configuring POS Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
10GE WAN Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 959
Alarm Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 960
Events that Bring Down a SONET Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
SONET Port Recovery Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
SONET MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
SONET Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 966

Chapter 48
Stacking S-Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
S-Series Stacking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
High Availability on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
MAC Addressing on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Management Access on S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
S-Series Stacking Installation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
Create an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
Add a Unit to an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 977
Remove a Unit from an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
Merge Two S-Series Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
Split an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
S-Series Stacking Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Assign Unit Numbers to Units in an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Create a Virtual Stack Unit on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
Display Information about an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 986
Influence Management Unit Selection on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Manage Redundancy on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 989
Reset a Unit on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 989
Monitor an S-Series Stack with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
Troubleshoot an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
Recover from Stack Link Flaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
Recover from a Card Problem State on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
Recover from a Card Mismatch State on an S-Series Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . 991

Chapter 49
Broadcast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993
Storm Control Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993
Broadcast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994
Layer 3 Broadcast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994
Layer 2 Broadcast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
Multicast Storm Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 996

Chapter 50
Spanning Tree Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997
Configuring Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
Configuring Interfaces for Layer 2 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
Enabling Spanning Tree Protocol Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
Adding an Interface to the Spanning Tree Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003
Removing an Interface from the Spanning Tree Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003
Modifying Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003
Modifying Interface STP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004
Enabling PortFast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005
Preventing Network Disruptions with BPDU Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1007
STP Root Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009
SNMP Traps for Root Elections and Topology Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009
Configuring Spanning Trees as Hitless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009

Chapter 51
System Time and Date. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1011
Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1011
Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Configuring Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Enable NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
Set the Hardware Clock with the Time Derived from NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . 1015
Configure NTP broadcasts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1015
Disable NTP on an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
Configure a source IP address for NTP packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
Configure NTP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
FTOS Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1019
Configuring time and date settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1019
Set daylight savings time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1022

Chapter 52
Upgrade Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1027
Find the upgrade procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1027
Get Help with upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1027

Chapter 53
VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
Virtual LAN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
Port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030
VLAN Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031
Default VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
Related Protocols and Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
Create a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
Assign Interfaces to VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034
Enable Routing between VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
Use a Native VLAN on Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
Change the Default VLAN ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037
Set the Null VLAN as the Default VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1038
Enable VLAN Interface Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1038

Chapter 54
Virtual Routing and Forwarding (VRF). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1041
CAM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1044
IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1044
VRF Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1044
Configuration Task List for VRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
Configure CAM Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
Enable VRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
Assign a block of VLANs to a VRF process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1046

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010


Set a starting VRF VLAN ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1046


Assign VRF to an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
View VRF instance information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
Connect an OSPF process to a VRF instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1048
Sample configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1049
Sample configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1051

Chapter 55
Virtual Router Redundancy Protocol (VRRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1057
VRRP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1057
VRRP Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059
VRRP Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059
VRRP version 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
Configuration Task List for VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1069

Chapter 56
FTOS XML Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
XML Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
The Form of XML Requests and Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074
The Configuration Request and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
The Show Request and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076
Configuration Task List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076
XML Error Conditions and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
Summary of XML Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
Examples of Error Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1081

Using display xml as a Pipe Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084

Chapter 57
C-Series Debugging and Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1085
Switch Fabric overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1086
Switch Fabric link monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1086
Runtime hardware status monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1088
Inter-CPU timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1090
Bootup diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1091
Recognizing bootup failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1091
Troubleshoot bootup failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092
Environmental monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092
Recognize an overtemperature condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092
Troubleshoot an overtemperature condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093
Recognize an under-voltage condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093


Troubleshoot an under-voltage condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094


Trace logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
Automatic trace log updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
Save a hardware log to a file on the flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
Manual reload messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1096
CP software exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1096
Command history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1097
Advanced debugging commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
debug commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
show hardware commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
Monitoring hardware components with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1100
Hardware watchdog timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1101
Offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1102
Configuration task list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1102
Important points to remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1102
Take the line card offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1103
Run offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1103
View offline diagnostic test results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1103
Bring the line card online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1106
Buffer tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1107
When to tune buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1108
Buffer tuning commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1109
Sample configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113

Chapter 58
E-Series TeraScale Debugging and Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1115
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116
System health checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116
Runtime dataplane loopback check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116
Disable RPM-SFM walk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1118
RPM-SFM bring down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1119
Manual loopback test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1119
Power the SFM on/off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1120
Reset the SFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1121
SFM channel monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1122
Respond to PCDFO events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1123
Inter-CPU timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1124
Debug commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1126
Hardware watchdog timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1126
Show hardware commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1126
Offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1127
Important points to remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1127


Offline configuration task list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1128


Parity error detection and correction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1129
Enable parity error correction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1130
Recognize a transient parity error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1130
Recognize a non-recoverable parity error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1131
Trace logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1132
Buffer full condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1132
Manual reload condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1133
CP software exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1133
View trace buffer content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1133
Write the contents of the trace buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1134
Clear the trace buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1134
Recognize a high CPU condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1135
Configure an action upon a hardware error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1135
Buffer traffic manager hardware errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1135
Flexible packet classifier hardware errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1136
Line card MAC hardware errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1136
Core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1136
RPM core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1136
Line card core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1137

Chapter 59
E-Series ExaScale Debugging and Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1139
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1140
System health checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1141
Line card loopback checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1141
Manual loopback test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1144
Power On/Off the SFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1145
Reset the SFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1147
SFM channel monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1148
Respond to PCDFO events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1149
Inter-CPU timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1150
Software debugging commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1152
Hardware debugging commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1152
show control-traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1153
show ipc-traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1155
show hardware commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1157
Identify a suspect SFM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1161
Identify a suspect line card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1162
Last restart reason . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1162
Hardware watchdog timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1163
Information files and logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1163


Trace logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1164


Automatic trace log updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1164
Save a trace log to a file on the flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1165
Manual reload messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1165
CP/RP1/RP2 software exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1166
Recognize a high CPU condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1166
Command history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1166
Software exception handling on line cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1167
Crash logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1167
Core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1168
RPM core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1168
Line card core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1170
Console output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1172

Chapter 60
S-Series Debugging and Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1175
Offline diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1175
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1175
Running Offline Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1176
Trace logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1179
Auto Save on Crash or Rollover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1180
Hardware watchdog timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1180
Buffer tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1180
Deciding to tune buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1182
Buffer tuning commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1183
Sample buffer profile configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1186
Troubleshooting packet loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1186
Displaying Drop Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1187
Dataplane Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1188
Displaying Stack Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1190
Displaying Stack Member Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1190
Application core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1191
Mini core dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1191

Appendix A
Standards Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1195
IEEE Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1195
RFC and I-D Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1196
MIB Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1207

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1209


Preface

About this Guide

Objectives
This guide describes the protocols and features supported by the Force10 Operating System (FTOS) and
provides configuration instructions and examples for implementing them. It supports the system platforms
E-Series, C-Series, and S-Series.
The E-Series ExaScale platform is supported with FTOS version 8.1.1.0 and later.

Though this guide contains information on protocols, it is not intended to be a complete reference. This
guide is a reference for configuring protocols on Force10 systems. For complete information on protocols,
refer to other documentation including IETF Requests for Comment (RFCs). The instructions in this guide
cite relevant RFCs, and Appendix A contains a complete list of the supported RFCs and Management
Information Base files (MIBs).

Audience
This document is intended for system administrators who are responsible for configuring and maintaining
networks and assumes you are knowledgeable in Layer 2 and Layer 3 networking technologies.

Conventions
This document uses the following conventions to describe command syntax:
Convention   Description
keyword      Keywords are in bold and should be entered in the CLI as listed.
parameter    Parameters are in italics and require a number or word to be entered in the CLI.
{X}          Keywords and parameters within braces must be entered in the CLI.
[X]          Keywords and parameters within brackets are optional.
x|y          Keywords and parameters separated by a bar require you to choose one.


Information Symbols
Table 1 describes symbols contained in this guide.
Table 1 Information Symbols

Symbol   Warning                            Description
(icon)   Note                               This symbol informs you of important operational information.
(icon)   FTOS Behavior                      This symbol informs you of an FTOS behavior. These behaviors are
                                            inherent to the Force10 system or FTOS feature and are non-configurable.
ces      Platform Specific Feature          This symbol informs you of a feature that is supported on one or two
                                            platforms only: e is for E-Series, c is for C-Series, s is for S-Series.
et ex    E-Series Specific Feature/Command  If a feature or command applies to only one of the E-Series platforms, a
                                            separate symbol calls this to attention: et for the TeraScale or ex for
                                            the ExaScale.
(icon)   Exception                          This symbol is a note associated with some other text on the page that is
                                            marked with an asterisk.

Related Documents
For more information about the Force10 Networks E-Series, C-Series, and S-Series refer to the following
documents:

    FTOS Command Reference
    Force10 Network Operations Guide
    Installing and Maintaining the <Force10 chassis> System
    FTOS Release Notes

Chapter 1

Configuration Fundamentals

The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure
interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the
exception of some commands and command outputs. The CLI is structured in modes for security and
management purposes. Different sets of commands are available in each mode, and you can limit user
access to modes using privilege levels.
In FTOS, after a command is enabled, it is entered into the running configuration file. You can view the
current configuration for the whole system or for a particular CLI mode. To save the current configuration
copy the running configuration to another location.

Note: Due to differences in hardware architecture and continued system development, features may
occasionally differ between the platforms. These differences are identified by the information symbols
shown in Table 1 on page 34.

Accessing the Command Line


Access the command line through a serial console port or a Telnet session (Figure 1). When the system
successfully boots, you enter the command line in the EXEC mode.

Note: You must have a password configured on a virtual terminal line before you can Telnet into the
system. Therefore, you must use a console connection when connecting to the system for the first time.
Figure 1 Logging into the System using Telnet
telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Login: username
Password:
Force10>                 <-- EXEC mode prompt


CLI Modes
Different sets of commands are available in each mode. A command found in one mode cannot be
executed from another mode (with the exception of EXEC mode commands preceded by the command do;
see The do Command on page 40). You can set user access rights to commands and command modes using
privilege levels; for more information on privilege levels and security options, refer to Chapter 9, Security,
on page 627.
The FTOS CLI is divided into three major mode levels:

EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only
a limited selection of commands is available, notably show commands, which allow you to view
system information.
EXEC Privilege mode has commands to view configurations, clear counters, manage configuration
files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is
unrestricted. You can configure a password for this mode; see Configure the Enable Password on
page 50.
CONFIGURATION mode enables you to configure security features, time settings, set logging and
SNMP functions, configure static ARP and MAC addresses, and set line cards on the system.

Beneath CONFIGURATION mode are sub-modes that apply to interfaces, protocols, and features.
Figure 2 illustrates this sub-mode command structure. Two sub-CONFIGURATION modes are important
when configuring the chassis for the first time:

• INTERFACE sub-mode is the mode in which you configure Layer 2 and Layer 3 protocols and IP
  services specific to an interface. An interface can be physical (Management interface, 1-Gigabit
  Ethernet, 10-Gigabit Ethernet, or SONET) or logical (Loopback, Null, port channel, or VLAN).
• LINE sub-mode is the mode in which you configure the console and virtual terminal lines.
Note: At any time, entering a question mark (?) will display the available command options. For example,
when you are in CONFIGURATION mode, entering the question mark first will list all available commands,
including the possible sub-modes.


Figure 2 CLI Modes in FTOS

EXEC
  EXEC Privilege
    CONFIGURATION
      ARCHIVE
      AS-PATH ACL
      INTERFACE
        GIGABIT ETHERNET
        10 GIGABIT ETHERNET
        INTERFACE RANGE
        LOOPBACK
        MANAGEMENT ETHERNET
        NULL
        PORT-CHANNEL
        SONET
        VLAN
        VRRP
      IP
      IPv6
      IP COMMUNITY-LIST
      IP ACCESS-LIST
        STANDARD ACCESS-LIST
        EXTENDED ACCESS-LIST
      LINE
        AUXILIARY
        CONSOLE
        VIRTUAL TERMINAL
      MAC ACCESS-LIST
      MONITOR SESSION
      MULTIPLE SPANNING TREE
      Per-VLAN SPANNING TREE
      PREFIX-LIST
      RAPID SPANNING TREE
      REDIRECT
      ROUTE-MAP
      ROUTER BGP
      ROUTER ISIS
      ROUTER OSPF
      ROUTER RIP
      SPANNING TREE
      TRACE-LIST

Navigating CLI Modes


The FTOS prompt changes to indicate the CLI mode. Table 2 lists the CLI mode, its prompt, and
information on how to access and exit this CLI mode. You must move linearly through the command
modes, with the exception of the end command which takes you directly to EXEC Privilege mode; the exit
command moves you up one command mode level.

Note: Sub-CONFIGURATION modes all have the letters conf in the prompt with additional modifiers to
identify the mode and slot/port information. These are shown in Table 2.


Table 2 FTOS Command Modes

CLI Command Mode                 Prompt                          Access Command
EXEC                             Force10>                        Access the router through the console or Telnet.
EXEC Privilege                   Force10#                        From EXEC mode, enter the command enable.
                                                                 From any other mode, use the command end.
CONFIGURATION                    Force10(conf)#                  From EXEC privilege mode, enter the command configure.
                                                                 From every mode except EXEC and EXEC Privilege,
                                                                 enter the command exit.

Note: Access all of the following modes from CONFIGURATION mode.

ARCHIVE                          Force10(conf-archive)           archive
AS-PATH ACL                      Force10(config-as-path)#        ip as-path access-list
INTERFACE modes                                                  interface
  Gigabit Ethernet Interface     Force10(conf-if-gi-0/0)#
  10 Gigabit Ethernet Interface  Force10(conf-if-te-0/0)#
  Interface Range                Force10(conf-if-range)#
  Loopback Interface             Force10(conf-if-lo-0)#
  Management Ethernet Interface  Force10(conf-if-ma-0/0)#
  Null Interface                 Force10(conf-if-nu-0)#
  Port-channel Interface         Force10(conf-if-po-0)#
  SONET Interface                Force10(conf-if-so-0/0)#
  VLAN Interface                 Force10(conf-if-vl-0)#
IP ACCESS-LIST
  STANDARD ACCESS-LIST           Force10(config-std-nacl)#       ip access-list standard
  EXTENDED ACCESS-LIST           Force10(config-ext-nacl)#       ip access-list extended
IP COMMUNITY-LIST                Force10(config-community-list)# ip community-list
LINE                                                             line
  AUXILIARY                      Force10(config-line-aux)#
  CONSOLE                        Force10(config-line-console)#
  VIRTUAL TERMINAL               Force10(config-line-vty)#
MAC ACCESS-LIST
  STANDARD ACCESS-LIST           Force10(config-std-macl)#       mac access-list standard
  EXTENDED ACCESS-LIST           Force10(config-ext-macl)#       mac access-list extended
MULTIPLE SPANNING TREE           Force10(config-mstp)#           protocol spanning-tree mstp
Per-VLAN SPANNING TREE Plus      Force10(config-pvst)#           protocol spanning-tree pvst
PREFIX-LIST                      Force10(conf-nprefixl)#         ip prefix-list
RAPID SPANNING TREE              Force10(config-rstp)#           protocol spanning-tree rstp
REDIRECT                         Force10(conf-redirect-list)#    ip redirect-list
ROUTE-MAP                        Force10(config-route-map)#      route-map
ROUTER BGP                       Force10(conf-router_bgp)#       router bgp
ROUTER ISIS                      Force10(conf-router_isis)#      router isis
ROUTER OSPF                      Force10(conf-router_ospf)#      router ospf
ROUTER RIP                       Force10(conf-router_rip)#       router rip
SPANNING TREE                    Force10(config-span)#           protocol spanning-tree 0
TRACE-LIST                       Force10(conf-trace-acl)#        ip trace-list


Figure 3 illustrates how to change the command mode from CONFIGURATION mode to PROTOCOL
SPANNING TREE.
Figure 3 Changing CLI Modes
Force10(conf)#protocol spanning-tree 0
Force10(config-span)#           <-- new command prompt


The do Command
Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE,
SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with
the command do. Figure 4 illustrates the do command.
Note: The following commands cannot be modified by the do command: enable, disable, exit, and
configure.
Figure 4 Using the do Command
Force10(conf)#do show linecard all          <-- do form of show command

-- Line cards --
Slot  Status       NxtBoot  ReqTyp  CurTyp  Version  Ports
---------------------------------------------------------------------------
  0   not present
  1   not present
  2   online       online   E48TB   E48TB   1-1-463  48
  3   not present
  4   not present
  5   online       online   E48VB   E48VB   1-1-463  48
  6   not present
  7   not present

Undoing Commands
When you enter a command, the command line is added to the running configuration file. Disable a
command and remove it from the running-config by entering the original command preceded by the
command no. For example, to delete an ip address configured on an interface, use the no ip address
ip-address command, as shown in Figure 5.
Note: Use the help or ? command, as discussed in Obtaining Help, to help you construct the no form of a
command.
Figure 5 Undoing a command with the no Command
Force10(conf)#interface gigabitethernet 4/17
Force10(conf-if-gi-4/17)#ip address 192.168.10.1/24
Force10(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
ip address 192.168.10.1/24                  <-- IP address assigned
no shutdown
Force10(conf-if-gi-4/17)#no ip address      <-- no form of the ip address command
Force10(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
no ip address                               <-- IP address removed
no shutdown

Layer 2 protocols are disabled by default. Enable them using the no disable command. For example, in
PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.


Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ?
or help command:

• Enter ? at the prompt or after a keyword to list the keywords available in the current mode.
• ? after a prompt lists all of the available keywords. The output of this command is the same for
  the help command.

Figure 6 ? Command Example
Force10#?                                   <-- ? at prompt for list of commands
calendar      Manage the hardware calendar
cd            Change current directory
change        Change subcommands
clear         Reset functions
clock         Manage the system clock
configure     Configuring from terminal
copy          Copy from one file to another
debug         Debug functions
--More--

• ? after a partial keyword lists all of the keywords that begin with the specified letters.

Figure 7 Keyword? Command Example
Force10(conf)#cl?                           <-- partial keyword plus [space]? for matching keywords
class-map
clock
Force10(conf)#cl

• A keyword followed by [space]? lists all of the keywords that can follow the specified
  keyword.

Figure 8 Keyword ? Command Example
Force10(conf)#clock ?                       <-- keyword plus [space]? for compatible keywords
summer-time   Configure summer (daylight savings) time
timezone      Configure time zone
Force10(conf)#clock

Entering and Editing Commands

When entering commands:

• The CLI is not case sensitive.
• You can enter partial CLI keywords.
  You must enter the minimum number of letters to uniquely identify a command. For example,
  cl cannot be entered as a partial keyword because both the clock and class-map commands
  begin with the letters cl. clo, however, can be entered as a partial keyword because only one
  command begins with those three letters.
• The TAB key auto-completes keywords in commands. You must enter the minimum number of letters
  to uniquely identify a command.
• The UP and DOWN arrow keys display previously entered commands (see Command History).
• The BACKSPACE and DELETE keys erase the previous letter.
• Key combinations are available to move quickly across the command line, as described in Table 3.

Table 3 Short-Cut Keys and their Actions

Key Combination   Action
CNTL-A            Moves the cursor to the beginning of the command line.
CNTL-B            Moves the cursor back one character.
CNTL-D            Deletes character at cursor.
CNTL-E            Moves the cursor to the end of the line.
CNTL-F            Moves the cursor forward one character.
CNTL-I            Completes a keyword.
CNTL-K            Deletes all characters from the cursor to the end of the command line.
CNTL-L            Re-enters the previous command.
CNTL-N            Return to more recent commands in the history buffer after recalling commands with CTRL-P
                  or the UP arrow key.
CNTL-P            Recalls commands, beginning with the last command.
CNTL-R            Re-enters the previous command.
CNTL-U            Deletes the line.
CNTL-W            Deletes the previous word.
CNTL-X            Deletes the line.
CNTL-Z            Ends continuous scrolling of command outputs.
Esc B             Moves the cursor back one word.
Esc F             Moves the cursor forward one word.
Esc D             Deletes all characters from the cursor to the end of the word.

Command History
FTOS maintains a history of previously-entered commands for each mode. For example:

• When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC
  mode commands.
• When you are in CONFIGURATION mode, the UP or DOWN arrow keys recall the
  previously-entered CONFIGURATION mode commands.

Filtering show Command Outputs

Filter the output of a show command to display specific information by adding | [except | find | grep |
no-more | save] specified_text after the command. The variable specified_text is the text for which you are
filtering and it IS case sensitive unless the ignore-case sub-option is implemented.
Starting with FTOS 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to
be case-insensitive. For example:

• show run | grep Ethernet returns a search result with instances containing a capitalized Ethernet,
  such as interface GigabitEthernet 0/0.
• show run | grep ethernet would not return that search result because it only searches for instances
  containing a non-capitalized ethernet.
• show run | grep Ethernet ignore-case would return instances containing both Ethernet and ethernet.

• grep displays only the lines containing specified text. Figure 9 shows this command used in
  combination with the command show linecard all.

Figure 9 Filtering Command Outputs with the grep Command
Force10(conf)#do show linecard all | grep 0
  0   not present

Note: FTOS accepts a space or no space before and after the pipe. To filter on a phrase with spaces,
underscores, or ranges, enclose the phrase with double quotation marks.

• except displays text that does not match the specified text. Figure 10 shows this command used in
  combination with the command show linecard all.

Figure 10 Filtering Command Outputs with the except Command
Force10#show linecard all | except 0
-- Line cards --
Slot  Status       NxtBoot  ReqTyp  CurTyp  Version  Ports
---------------------------------------------------------------------------
  2   not present
  3   not present
  4   not present
  5   not present
  6   not present


• find displays the output of the show command beginning from the first occurrence of specified text.
  Figure 11 shows this command used in combination with the command show linecard all.

Figure 11 Filtering Command Outputs with the find Command
Force10(conf)#do show linecard all | find 0
  0   not present
  1   not present
  2   online       online   E48TB   E48TB   1-1-463  48
  3   not present
  4   not present
  5   online       online   E48VB   E48VB   1-1-463  48
  6   not present
  7   not present

• display displays additional configuration information.
• no-more displays the output all at once rather than one screen at a time. This is similar to the
  command terminal length except that the no-more option affects the output of the specified
  command only.
• save copies the output to a file for future reference.

Note: You can filter a single command output multiple times. The save option should be the last option
entered. For example:
Force10# command | grep regular-expression | except regular-expression | grep
other-regular-expression | find regular-expression | save
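The filter chain described in this section, modelled in Python as an added example (this is not FTOS code). It parses a pipeline such as grep X ignore-case | except Y | find Z, applies the grep, except and find stages in order, and honours the ignore-case sub-option and the rule that save comes last. The show linecard all output it runs over is constructed to resemble Figure 9, and all function and constant names are the example's own.

```python
"""Model of FTOS-style show-output filtering: grep, except, find, ignore-case.

Added example, not FTOS code. SAMPLE_SHOW_LINECARD is constructed to resemble
the show linecard all output in this section.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

SAMPLE_SHOW_LINECARD = """\
-- Line cards --
Slot  Status       NxtBoot  ReqTyp  CurTyp  Version  Ports
---------------------------------------------------------------------------
  0   not present
  1   not present
  2   online       online   E48TB   E48TB   1-1-463  48
  3   not present
  4   not present
  5   online       online   E48VB   E48VB   1-1-463  48
  6   not present
  7   not present
"""


def _compile(pattern: str, ignore_case: bool) -> "re.Pattern[str]":
    # specified_text is a regular expression and is case sensitive unless
    # the ignore-case sub-option is given.
    return re.compile(pattern, re.IGNORECASE if ignore_case else 0)


def filter_grep(lines: List[str], pattern: str, ignore_case: bool) -> List[str]:
    """Keep only the lines that contain a match."""
    rx = _compile(pattern, ignore_case)
    return [line for line in lines if rx.search(line)]


def filter_except(lines: List[str], pattern: str, ignore_case: bool) -> List[str]:
    """Keep only the lines that do not contain a match."""
    rx = _compile(pattern, ignore_case)
    return [line for line in lines if not rx.search(line)]


def filter_find(lines: List[str], pattern: str, ignore_case: bool) -> List[str]:
    """Keep everything from the first matching line to the end of the output."""
    rx = _compile(pattern, ignore_case)
    for index, line in enumerate(lines):
        if rx.search(line):
            return lines[index:]
    return []


FILTERS: Dict[str, Callable[[List[str], str, bool], List[str]]] = {
    "grep": filter_grep,
    "except": filter_except,
    "find": filter_find,
}

Stage = Tuple[str, Optional[str], bool]   # (filter name, pattern, ignore_case)


def parse_pipeline(spec: str) -> List[Stage]:
    """Turn 'grep Ethernet ignore-case | except foo' into a list of stages.

    A space before or after the pipe is optional. A phrase in double quotes is
    taken as one pattern. no-more and save are accepted as stages that carry
    no pattern; save must be the last option, as the note above requires.
    """
    stages: List[Stage] = []
    parts = spec.split("|")
    for position, part in enumerate(parts):
        tokens = part.split()
        if not tokens:
            raise ValueError("empty filter stage")
        name, args = tokens[0], tokens[1:]
        if name in ("no-more", "save"):
            if name == "save" and position != len(parts) - 1:
                raise ValueError("save must be the last option")
            stages.append((name, None, False))
            continue
        if name not in FILTERS or not args:
            raise ValueError(f"unsupported filter stage: {part.strip()!r}")
        ignore_case = False
        if len(args) > 1 and args[-1] == "ignore-case":
            ignore_case, args = True, args[:-1]
        pattern = " ".join(args)
        if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
            pattern = pattern[1:-1]          # "phrase with spaces"
        stages.append((name, pattern, ignore_case))
    return stages


def run_pipeline(output: str, spec: str) -> List[str]:
    """Apply every stage in order to the lines of a show command's output."""
    lines = output.splitlines()
    for name, pattern, ignore_case in parse_pipeline(spec):
        if pattern is None:      # no-more / save change paging or destination, not selection
            continue
        lines = FILTERS[name](lines, pattern, ignore_case)
    return lines


if __name__ == "__main__":
    for spec in ("grep online", "grep ONLINE ignore-case", "except present", "find E48VB"):
        print(f"| {spec}")
        print("\n".join(run_pipeline(SAMPLE_SHOW_LINECARD, spec)))
```

Because the pipeline is split on the pipe character before patterns are read, a regular expression that itself contains | must be avoided here (the real CLI's quoting rules for that case are not described in this section).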

Multiple Users in Configuration mode


FTOS notifies all users in the event that there are multiple users logged into CONFIGURATION mode. A
warning message indicates the username, type of connection (console or vty), and in the case of a vty
connection, the IP address of the terminal on which the connection was established. For example:

On the system that telnets into the switch, Message 1 appears:

Message 1 Multiple Users in Configuration mode Telnet Message


% Warning: The following users are currently configuring the system:
User "<username>" on line console0

On the system that is connected over the console, Message 2 appears:

Message 2 Multiple Users in Configuration mode Telnet Message


% Warning: User "<username>" on line vty0 "10.11.130.2" is in configuration mode

If either of these messages appears, Force10 recommends that you coordinate with the users listed in the
message so that you do not unintentionally overwrite each other's configuration changes.


Chapter 2

Getting Started

This chapter contains the following major sections:

• Default Configuration on page 46
• Configure a Host Name on page 47
• Access the System Remotely on page 47
• Configure the Enable Password on page 50
• Configuration File Management on page 50
• File System Management on page 55

When you power up the chassis, the system performs a Power-On Self Test (POST) during which Route
Processor Module (RPM), Switch Fabric Module (SFM), and line card status LEDs blink green. The
system then loads FTOS, and boot messages scroll up the terminal window during this process. No user
interaction is required if the boot process proceeds without interruption.
When the boot process is complete, the RPM and line card status LEDs remain online (green), and the
console monitor displays the Force10 banner and EXEC mode prompt, as shown in Figure 12.
For details on using the Command Line Interface (CLI), see the Accessing the Command Line section in
Chapter 1, Configuration Fundamentals, on page 47.


Figure 12 Completed Boot Process

[Force10 banner logo]

Copyright 1999-2006 Force10 Networks, Inc.
Force10 Networks, Inc.

CPU: DB-MV64460-BP/IBM750Fx (2.3)
Version: VxWorks5.5.1
Memory Size: 1038876672 bytes.
BSP Version: 1.2/1.3.6
Creation Date : Jan 2 2007

nvDrvInit: nvDrvErase passed

-> 00:00:10: %RPM0-U:CP %RAM-6-ELECTION_ROLE: RPM0 is transitioning to Primary RPM.
00:00:11: %RPM0-P:CP %CHMGR-2-FAN_BAD: Minor alarm: some fans in fan tray 0 are down
00:00:11: %RPM0-P:CP %CHMGR-5-CARDDETECTED: Line card 1 present
DSA Card Init
00:00:11: %RPM0-P:CP POEMGR-4-POE_POWER_USAGE_ABOVE_THRESHOLD: Inline power used is exceeded 90% of available inline power
00:00:12: %RPM0-P:CP %CHMGR-5-CARDDETECTED: Line card 2 present
00:00:12: %RPM0-P:CP %TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
00:00:12: %RPM0-P:CP %TSM-6-SFM_FULL_PARTIAL_STATE: SW_FAB_UP_1 SFM in the system
00:00:13: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Ma 0/0
00:01:27: %RPM0-P:CP %CHMGR-5-CHECKIN: Checkin from line card 1 (type E48TB, 48 ports)
00:01:27: %RPM0-P:CP %CHMGR-5-CHECKIN: Checkin from line card 2 (type E48TB, 48 ports)
00:01:28: %RPM0-P:CP %CHMGR-5-LINECARDUP: Line card 1 is up
00:01:28: %RPM0-P:CP %CHMGR-5-LINECARDUP: Line card 2 is up
00:01:36: %RPM0-P:CP %RAM-5-RPM_STATE: RPM0 is in Active State.
00:01:36: %RPM0-P:CP %CHMGR-5-CHAS_READY: Chassis ready
00:01:37: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user on line console
Force10>

Default Configuration
A version of FTOS is pre-loaded onto the chassis, however the system is not configured when you power
up for the first time (except for the default hostname, which is Force10). You must configure the system
using the CLI.


Configure a Host Name

The host name appears in the prompt. The default host name is force10.

• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.

To configure a host name:

Step  Task                      Command Syntax   Command Mode
1     Create a new host name.   hostname name    CONFIGURATION

Figure 13 illustrates the hostname command.

Figure 13 Configuring a Hostname
Force10(conf)#hostname R1        <-- default hostname
R1(conf)#                        <-- new hostname

Access the System Remotely


You can configure the system to access it remotely by Telnet. The method for configuring the C-Series and
E-Series for Telnet access is different from the S-Series.

• The C-Series and E-Series have a dedicated management port and a management routing table that is
  separate from the IP routing table.
• The S-Series does not have a dedicated management port, but is managed from any port. It does not
  have a separate management routing table.

Access the C-Series and E-Series Remotely

Note: Use this process for the S60 system.

Configuring the system for Telnet is a three-step process:

1. Configure an IP address for the management port. See Configure the Management Port IP Address.
2. Configure a management route with a default gateway. See Configure a Management Route.
3. Configure a username and password. See Configure a Username and Password.


Configure the Management Port IP Address

Assign IP addresses to the management ports in order to access the system remotely.

Note: Assign a different IP address to each RPM's management port.

To configure the management port IP address:

Step  Task                                      Command Syntax                              Command Mode
1     Enter INTERFACE mode for the              interface ManagementEthernet slot/port      CONFIGURATION
      Management port.                          slot range: 0 to 1
                                                port range: 0
2     Assign an IP address to the interface.    ip address ip-address/mask                  INTERFACE
                                                ip-address: an address in dotted-decimal
                                                format (A.B.C.D).
                                                mask: a subnet mask in /prefix-length
                                                format (/xx).
3     Enable the interface.                     no shutdown                                 INTERFACE

Configure a Management Route

Define a path from the system to the network from which you are accessing the system remotely.
Management routes are separate from IP routes and are only used to manage the system through the
management port.
To configure a management route:

Step  Task                                      Command Syntax                               Command Mode
1     Configure a management route to the       management route ip-address/mask gateway     CONFIGURATION
      network from which you are accessing      ip-address: the network address in
      the system.                               dotted-decimal format (A.B.C.D).
                                                mask: a subnet mask in /prefix-length
                                                format (/xx).
                                                gateway: the next hop for network traffic
                                                originating from the management port.

Configure a Username and Password

Configure a system username and password to access the system remotely.

To configure a username and password:

Step  Task                                  Command Syntax                                          Command Mode
1     Configure a username and password     username username password [encryption-type] password   CONFIGURATION
      to access the system remotely.        encryption-type specifies how you are inputting the
                                            password, is 0 by default, and is not required.
                                            • 0 is for inputting the password in clear text.
                                            • 7 is for inputting a password that is already
                                              encrypted using a Type 7 hash. Obtain the
                                              encrypted password from the configuration of
                                              another Force10 system.

Access the S-Series Remotely

The S-Series does not have a dedicated management port nor a separate management routing table.
Configure any port on the S-Series to be the port through which you manage the system and configure an
IP route to that gateway.
Note: The S60 system uses management ports and should be configured similar to the C-Series and
E-Series systems. Refer to Access the C-Series and E-Series Remotely.

Configuring the system for Telnet access is a three-step process:

1. Configure an IP address for the port through which you will manage the system using the command ip
   address from INTERFACE mode, as shown in Figure 14.
2. Configure an IP route with a default gateway using the command ip route from CONFIGURATION
   mode, as shown in Figure 14.
3. Configure a username and password using the command username from CONFIGURATION mode,
   as shown in Figure 14.


Figure 14 Configuring the S-Series for Remote Access


R5(conf)#int gig 0/48
R5(conf-if-gi-0/48)#ip address 10.11.131.240
R5(conf-if-gi-0/48)#show config
!
interface GigabitEthernet 0/48
ip address 10.11.131.240/24
no shutdown
R5(conf-if-gi-0/48)#exit
R5(conf)#ip route 10.11.32.0/23 10.11.131.254
R5(conf)#username admin pass force10

Configure the Enable Password

Access the EXEC Privilege mode using the enable command. The EXEC Privilege mode is unrestricted
by default. Configure a password as a basic security measure. There are two types of enable passwords:

• enable password stores the password in the running/startup configuration using a DES encryption
  method.
• enable secret is stored in the running/startup configuration using a stronger, MD5 encryption
  method.

Force10 recommends using the enable secret password.
To configure an enable password:

Task                      Command Syntax                                               Command Mode
Create a password to      enable [password | secret] [level level] [encryption-type]   CONFIGURATION
access EXEC Privilege     password
mode.                     level is the privilege level, is 15 by default, and is not required.
                          encryption-type specifies how you are inputting the password,
                          is 0 by default, and is not required.
                          • 0 is for inputting the password in clear text.
                          • 7 is for inputting a password that is already encrypted using
                            a DES hash. Obtain the encrypted password from the
                            configuration file of another Force10 system.
                          • 5 is for inputting a password that is already encrypted using
                            an MD5 hash. Obtain the encrypted password from the
                            configuration file of another Force10 system.
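An audit of the password choices documented in Configure a Username and Password and in this section, as an added example (not FTOS code). It reads the two command forms shown in the tables above (username ... password [0|7] ..., enable [password|secret] [level n] [0|5|7] ...) from a configuration text and reports where EXEC Privilege is left unrestricted, where enable password is used instead of the recommended enable secret, and where a password is written in clear text. The two configuration excerpts are constructed, their hash strings are placeholders, and the Finding type and function names are the example's own.

```python
"""Audit enable and username password storage in an FTOS-style configuration.

Added example, not FTOS code. It recognises the command forms documented in
this chapter and flags the weaker options. Both configuration excerpts are
constructed; the Type 7 and MD5 strings are placeholders, not real hashes.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# enable [password | secret] [level level] [encryption-type] password
ENABLE_RE = re.compile(
    r"^enable\s+(password|secret)(?:\s+level\s+(\d+))?(?:\s+([057]))?\s+(\S+)$")
# username username password [encryption-type] password
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password(?:\s+([07]))?\s+(\S+)$")

CONSTRUCTED_WEAK_CONFIG = """\
! Version 8.3.2.0
hostname R1
enable password 7 0123456789abcdef
username admin password 7 0123456789abcdef
username operator password 0 changeme
username guest password changeme2
"""

CONSTRUCTED_BETTER_CONFIG = """\
! Version 8.3.2.0
hostname R1
enable secret 5 $1$placeholder$placeholderhashvalue
username admin password 7 0123456789abcdef
"""


@dataclass(frozen=True)
class Finding:
    line_no: int          # 0 means the finding applies to the whole configuration
    severity: str         # high | medium | info
    message: str


def audit_passwords(config: str) -> List[Finding]:
    """Return one Finding per weak or missing password setting."""
    findings: List[Finding] = []
    enable_secret_seen = False
    enable_password_seen = False
    for line_no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = ENABLE_RE.match(line)
        if m:
            kind, level, enc, _secret = m.groups()
            level = level or "15"                 # level is 15 by default
            if kind == "secret":
                enable_secret_seen = True
            else:
                enable_password_seen = True
                findings.append(Finding(line_no, "medium",
                    f"enable password (level {level}) uses DES storage; "
                    "the guide recommends enable secret (MD5)"))
            if enc in (None, "0"):                # encryption-type is 0 by default
                findings.append(Finding(line_no, "high",
                    f"enable {kind} (level {level}) is written in clear text"))
            continue
        m = USERNAME_RE.match(line)
        if m:
            user, enc, _secret = m.groups()
            if enc in (None, "0"):
                findings.append(Finding(line_no, "high",
                    f"username {user}: password is written in clear text"))
            else:
                findings.append(Finding(line_no, "info",
                    f"username {user}: Type 7 password (the username command offers "
                    "only types 0 and 7; MD5 storage is available for enable secret only)"))
    if not enable_secret_seen and not enable_password_seen:
        findings.append(Finding(0, "high",
            "no enable password or enable secret: EXEC Privilege mode is unrestricted"))
    return findings


def severity_counts(config: str) -> Dict[str, int]:
    """Summarise audit_passwords() as {severity: count}."""
    return dict(Counter(f.severity for f in audit_passwords(config)))


if __name__ == "__main__":
    for name, cfg in (("weak", CONSTRUCTED_WEAK_CONFIG), ("better", CONSTRUCTED_BETTER_CONFIG)):
        print(name)
        for f in audit_passwords(cfg):
            print(f"  line {f.line_no}: [{f.severity}] {f.message}")
```

Run it against a saved copy of show running-config; a clean result is an enable secret line and no clear-text entries.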

Configuration File Management


Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the
system from the EXEC Privilege mode.


The E-Series EtherScale platform architecture uses MMC cards for both the internal and external Flash
memory. MMC cards support a maximum of 100 files. The E-Series TeraScale and ExaScale platform
architectures use Compact Flash for the internal and external Flash memory. Compact Flash has a space
limitation but does not limit the number of files it can contain.
Note: Using flash memory cards in the system that have not been approved by Force10 can cause
unexpected system behavior, including a reboot.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy
source-file-url destination-file-url.

Note: See the FTOS Command Reference for a detailed description of the copy command.

• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the
  file-destination syntax for a remote file location shown in Table 4.
• To copy a remote file to a Force10 system, combine the file-origin syntax for a remote file location with
  the file-destination syntax for a local file location shown in Table 4.

Table 4 Forming a copy Command

Local File Location
  Internal flash, primary RPM
    source-file-url:        copy flash://filename
    destination-file-url:   flash://filename
  Internal flash, standby RPM
    source-file-url:        copy rpm{0|1}flash://filename
    destination-file-url:   rpm{0|1}flash://filename
  External flash, primary RPM
    source-file-url:        copy rpm{0|1}slot0://filename
    destination-file-url:   rpm{0|1}slot0://filename
  External flash, standby RPM
    source-file-url:        copy rpm{0|1}slot0://filename
    destination-file-url:   rpm{0|1}slot0://filename
  USB Drive (E-Series ExaScale only)
    USB drive on RPM0
      source-file-url:      copy rpm0usbflash://filepath
      destination-file-url: rpm0usbflash://filename
    External USB drive
      source-file-url:      copy usbflash://filepath
      destination-file-url: usbflash://filename

Remote File Location
  FTP server
    source-file-url:        copy ftp://username:password@{hostip | hostname}/filepath/filename
    destination-file-url:   ftp://username:password@{hostip | hostname}/filepath/filename
  TFTP server
    source-file-url:        copy tftp://{hostip | hostname}/filepath/filename
    destination-file-url:   tftp://{hostip | hostname}/filepath/filename
  SCP server
    source-file-url:        copy scp://{hostip | hostname}/filepath/filename
    destination-file-url:   scp://{hostip | hostname}/filepath/filename


Important Points to Remember

• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• The internal flash memories on the RPMs are synchronized whenever there is a change, but only if
  both RPMs are running the same version of FTOS.
• When copying to a server, a hostname can only be used if a DNS server is configured.
• The usbflash and rpm0usbflash commands are supported on E-Series ExaScale platform only.
  Refer to the FTOS Release Notes for a list of approved USB vendors.

Figure 15 shows an example of using the copy command to save a file to an FTP server.
Figure 15 Saving a file to a Remote System
(source is the local location, destination is the remote location)
Force10#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:[email protected]//FTOS/FTOS-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied

Figure 16 shows an example of using the copy command to import a file to the Force10 system from an
FTP server.
Figure 16 Saving a file to a Remote System
(source is the remote location, destination is the local location)
core1#$//copy ftp://myusername:[email protected]//FTOS/FTOS-EF-8.2.1.0.bin flash://
Destination file name [FTOS-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied
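A pre-flight check for a copy command, written as an added example (not FTOS code) against the URL forms in Table 4 and the rules under Important Points to Remember: no remote-to-remote copy, no copy onto the same location, hostnames only when DNS is configured, and USB prefixes only on E-Series ExaScale. It also warns when the transfer would go over ftp or tftp, which carry the file (and, for ftp, the login) unencrypted. Two assumptions are the example's own: the rpm{0|1}flash:// and rpm{0|1}slot0:// notation is taken to expand to rpm0flash://, rpm1flash:// and so on, and whether DNS is configured or the platform is ExaScale is passed in as a flag rather than read from the system.

```python
"""Validate an FTOS-style copy source/destination pair against the rules in
"Important Points to Remember".

Added example, not FTOS code. Assumptions: rpm{0|1}flash:// in Table 4 means
rpm0flash:// or rpm1flash:// (likewise for slot0); DNS availability and the
ExaScale platform are supplied by the caller as flags.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LOCAL_SCHEMES = {"flash", "slot0", "rpm0flash", "rpm1flash", "rpm0slot0", "rpm1slot0",
                 "rpm0usbflash", "usbflash"}
USB_SCHEMES = {"rpm0usbflash", "usbflash"}      # E-Series ExaScale only
REMOTE_SCHEMES = {"ftp", "tftp", "scp"}
CLEARTEXT_SCHEMES = {"ftp", "tftp"}             # file (and ftp login) travel unencrypted


@dataclass(frozen=True)
class FileUrl:
    scheme: str
    host: Optional[str]        # None for a local location
    path: str
    has_credentials: bool      # username:password@ present in the URL


@dataclass
class CopyCheck:
    ok: bool                   # False when any "error:" finding is present
    findings: List[str]


def parse_file_url(url: str) -> FileUrl:
    """Split a Table 4 style URL into scheme, host, path and credential flag."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError(f"not a file URL: {url!r}")
    if scheme in LOCAL_SCHEMES:
        return FileUrl(scheme, None, rest, False)
    if scheme in REMOTE_SCHEMES:
        authority, _, path = rest.partition("/")
        creds, _, host = authority.rpartition("@")   # last @ separates password from host
        return FileUrl(scheme, host, "/" + path, bool(creds))
    raise ValueError(f"unknown scheme: {scheme!r}")


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_copy(source: str, destination: str, dns_configured: bool = False,
               exascale: bool = False) -> CopyCheck:
    """Apply the section's rules; errors block the copy, warnings do not."""
    findings: List[str] = []
    src, dst = parse_file_url(source), parse_file_url(destination)
    if src.scheme in REMOTE_SCHEMES and dst.scheme in REMOTE_SCHEMES:
        findings.append("error: cannot copy a file from one remote system to another")
    if src == dst:
        findings.append("error: cannot copy a file from one location to the same location")
    for label, u in (("source", src), ("destination", dst)):
        if u.scheme in USB_SCHEMES and not exascale:
            findings.append(f"error: {label} {u.scheme}:// is supported on E-Series ExaScale only")
        if u.host is not None:
            if not u.host:
                findings.append(f"error: {label} has no host")
            elif not _is_ip_address(u.host) and not dns_configured:
                findings.append(f"error: {label} uses hostname {u.host!r} "
                                "but no DNS server is configured")
            if u.scheme in CLEARTEXT_SCHEMES:
                findings.append(f"warning: {label} {u.scheme}:// transfers in the clear; "
                                "scp:// avoids that")
            if u.scheme == "ftp" and not u.has_credentials:
                findings.append(f"warning: {label} ftp:// URL has no username:password")
    ok = not any(f.startswith("error") for f in findings)
    return CopyCheck(ok, findings)


if __name__ == "__main__":
    result = check_copy("flash://FTOS-EF-8.2.1.0.bin",
                        "ftp://myusername:mypassword@10.10.10.10/FTOS/FTOS-EF-8.2.1.0.bin")
    print("ok" if result.ok else "blocked")
    for line in result.findings:
        print(" ", line)
```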

Save the Running-configuration


The running-configuration contains the current system configuration. Force10 recommends that you copy
your running-configuration to the startup-configuration. The system uses the startup-configuration during
boot-up to configure the system. The startup-configuration is stored in the internal flash on the primary
RPM by default, but it can be saved onto an external flash (on an RPM) or a remote server.
To save the running-configuration:

Note: The commands in this section follow the same format as those in Copy Files to and from the
System on page 51 but use the filenames startup-configuration and running-configuration. These
commands assume that the current directory is the internal flash, which is the system default.

Task                                                    Command Syntax                                   Command Mode
Save the running-configuration to:                                                                       EXEC Privilege
  the startup-configuration on the internal flash       copy running-config startup-config
  of the primary RPM
  the internal flash on an RPM                          copy running-config rpm{0|1}flash://filename
    Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but
    only if the RPMs are running the same version of FTOS.
  the external flash of an RPM                          copy running-config rpm{0|1}slot0://filename
  an FTP server                                         copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
  a TFTP server                                         copy running-config tftp://{hostip | hostname}/filepath/filename
  an SCP server                                         copy running-config scp://{hostip | hostname}/filepath/filename
    Note: When copying to a server, a hostname can only be used if a DNS server is configured.
Save the running-configuration to the                   copy running-config startup-config duplicate     EXEC Privilege
startup-configuration on the internal flash of the
primary RPM. Then copy the new startup-config file
to the external flash of the primary RPM.

FTOS Behavior: If you create a startup-configuration on an RPM and then move the RPM to another
chassis, the startup-configuration is stored as a backup file (with the extension .bak), and a new,
empty startup-configuration file is created. To restore your original startup-configuration in this
situation, overwrite the new startup-configuration with the original one using the command copy
startup-config.bak startup-config.

View Files
File information and content can only be viewed on local file systems.


To view a list of files on the internal or external Flash:

Step  Task                             Command Syntax   Command Mode
1     View a list of files on:                          EXEC Privilege
        the internal flash of an RPM   dir flash:
        the external flash of an RPM   dir slot:

The output of the command dir also shows the read/write privileges, size (in bytes), and date of
modification for each file, as shown in Figure 17.
Figure 17 Viewing a List of Files in the Internal Flash
Force10#dir
Directory of flash:
  1  drw-      32768  Jan 01 1980 00:00:00  .
  2  drwx        512  Jul 23 2007 00:38:44  ..
  3  drw-       8192  Mar 30 1919 10:31:04  TRACE_LOG_DIR
  4  drw-       8192  Mar 30 1919 10:31:04  CRASH_LOG_DIR
  5  drw-       8192  Mar 30 1919 10:31:04  NVTRACE_LOG_DIR
  6  drw-       8192  Mar 30 1919 10:31:04  CORE_DUMP_DIR
  7  d---       8192  Mar 30 1919 10:31:04  ADMIN_DIR
  8  -rw-   33059550  Jul 11 2007 17:49:46  FTOS-EF-7.4.2.0.bin
  9  -rw-   27674906  Jul 06 2007 00:20:24  FTOS-EF-4.7.4.302.bin
 10  -rw-   27674906  Jul 06 2007 19:54:52  boot-image-FILE
 11  drw-       8192  Jan 01 1980 00:18:28  diag
 12  -rw-       7276  Jul 20 2007 01:52:40  startup-config.bak
 13  -rw-       7341  Jul 20 2007 15:34:46  startup-config
 14  -rw-   27674906  Jul 06 2007 19:52:22  boot-image
 15  -rw-   27674906  Jul 06 2007 02:23:22  boot-flash
--More--

To view the contents of a file:

Step  Task                                             Command Syntax                         Command Mode
1     View the:                                                                               EXEC Privilege
        contents of a file in the internal flash of    show file rpm{0|1}flash://filename
        an RPM
        contents of a file in the external flash of    show file rpm{0|1}slot0://filename
        an RPM
        running-configuration                          show running-config
        startup-configuration                          show startup-config

View Configuration Files


Configuration files have three commented lines at the beginning of the file, as shown in Figure 18, to help
you track the last time any user made a change to the file, which user made the changes, and when the file
was last saved to the startup-configuration.

In the running-configuration file, if there is a difference between the timestamp on the Last configuration
change, and Startup-config last updated, then you have made changes that have not been saved and will
not be preserved upon a system reboot.
Figure 18 Tracking Changes with Configuration Comments
Force10#show running-config
Current Configuration ...
! Version 8.2.1.0
! Last configuration change at Thu Apr 3 23:06:28 2008 by admin
! Startup-config last updated at Thu Apr 3 23:06:55 2008 by admin
!
boot system rpm0 primary flash://FTOS-EF-8.2.1.0.bin
boot system rpm0 secondary flash://FTOS-EF-7.8.1.0.bin
boot system rpm0 default flash://FTOS-EF-7.7.1.1.bin
boot system rpm1 primary flash://FTOS-EF-7.8.1.0.bin
boot system gateway 10.10.10.100
--More--
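The timestamp comparison described above, turned into a check that can run over saved copies of show running-config, as an added example (not FTOS code). It parses the three header comments of Figure 18, compares Last configuration change against Startup-config last updated, and reports unsaved changes together with who made them. The first sample reuses the timestamps from Figure 18; the second is constructed to show the unsaved case, and the date format string, the ConfigStamps type and the function names are the example's own.

```python
"""Decide from the configuration header comments whether the running-configuration
holds changes that have not been saved to the startup-configuration.

Added example, not FTOS code. SAVED_SAMPLE reuses the timestamps of Figure 18;
UNSAVED_SAMPLE is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

STAMP_RE = re.compile(
    r"^!\s+(Last configuration change|Startup-config last updated)\s+at\s+(.+?)\s+by\s+(\S+)\s*$")
VERSION_RE = re.compile(r"^!\s+Version\s+(\S+)\s*$")
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"       # e.g. Thu Apr 3 23:06:28 2008 (assumed format)

SAVED_SAMPLE = """\
Current Configuration ...
! Version 8.2.1.0
! Last configuration change at Thu Apr 3 23:06:28 2008 by admin
! Startup-config last updated at Thu Apr 3 23:06:55 2008 by admin
!
boot system rpm0 primary flash://FTOS-EF-8.2.1.0.bin
"""

UNSAVED_SAMPLE = """\
Current Configuration ...
! Version 8.2.1.0
! Last configuration change at Fri Apr 4 09:15:02 2008 by operator
! Startup-config last updated at Thu Apr 3 23:06:55 2008 by admin
!
"""


@dataclass
class ConfigStamps:
    version: Optional[str] = None
    last_change: Optional[datetime] = None
    last_change_by: Optional[str] = None
    startup_updated: Optional[datetime] = None
    startup_updated_by: Optional[str] = None

    def has_unsaved_changes(self) -> bool:
        """True when the last change is newer than the last save, or nothing was ever saved."""
        if self.last_change is None:
            return False
        if self.startup_updated is None:
            return True
        return self.last_change > self.startup_updated


def parse_config_header(text: str) -> ConfigStamps:
    """Read the "!" comment lines at the top of a configuration."""
    stamps = ConfigStamps()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("!"):
            continue                        # only the comment header is of interest
        v = VERSION_RE.match(line)
        if v:
            stamps.version = v.group(1)
            continue
        m = STAMP_RE.match(line)
        if not m:
            continue
        kind, when, who = m.groups()
        stamp = datetime.strptime(when, TIME_FORMAT)
        if kind == "Last configuration change":
            stamps.last_change, stamps.last_change_by = stamp, who
        else:
            stamps.startup_updated, stamps.startup_updated_by = stamp, who
    return stamps


def unsaved_change_report(text: str) -> str:
    """One-line verdict suitable for a monitoring job."""
    s = parse_config_header(text)
    if s.has_unsaved_changes():
        return (f"UNSAVED: changed by {s.last_change_by} at {s.last_change}, "
                f"last saved at {s.startup_updated}; run copy running-config startup-config")
    return "clean: startup-config is as new as the last change"


if __name__ == "__main__":
    print(unsaved_change_report(SAVED_SAMPLE))
    print(unsaved_change_report(UNSAVED_SAMPLE))
```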

File System Management


The Force10 system can use the internal Flash, external Flash, or remote devices to store files. It stores
files on the internal Flash by default but can be configured to store files elsewhere.
To view file system information:

Task: View information about each file system.
    Command Syntax: show file-systems
    Command Mode: EXEC Privilege

The output of the command show file-systems (Figure 19) shows the total capacity, amount of free
memory, file structure, media type, and read/write privileges for each storage device in use.
Figure 19 show file-systems Command Example
Force10#show file-systems
  Size(b)     Free(b)     Feature   Type       Flags  Prefixes
  520962048   213778432   dosFs2.0  USERFLASH  rw     flash:
  127772672   21936128    dosFs2.0  USERFLASH  rw     slot0:
                                    network    rw     ftp:
                                    network    rw     tftp:
                                    network    rw     scp:

You can change the default file system so that file management commands apply to a particular device or
memory.
To change the default storage location:

Task: Change the default directory.
    Command Syntax: cd directory
    Command Mode: EXEC Privilege

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010


In Figure 20, the default storage location is changed to the external Flash of the primary RPM. File
management commands then apply to the external Flash rather than the internal Flash.
Figure 20 Alternative Storage Location
Force10#cd slot0:
Force10#copy running-config test
Force10#copy run test                        [No File System Specified]
!
7419 bytes successfully copied
Force10#dir
Directory of slot0:
  1   32768   Jan 01 1980 00:00:00   .
  2   512     Jul 23 2007 00:38:44   ..
  3   0       Jan 01 1970 00:00:00   DCIM
  4   7419    Jul 23 2007 20:44:40   test     [File Saved to External Flash]
  5   0       Jan 01 1970 00:00:00   BT
  6   0       Jan 01 1970 00:00:00   200702~1VSN
  7   0       Jan 01 1970 00:00:00   G
  8   0       Jan 01 1970 00:00:00   F
  9   0       Jan 01 1970 00:00:00   F

slot0: 127772672 bytes total (21927936 bytes free)

View command history


The command-history trace feature captures all commands entered by all users of the system with a time
stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for
each executed command. No password information is saved to the file.
To view the command-history trace, use the show command-history command, as shown in Figure 21.
Figure 21 show command-history Command Example
Force10#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
[12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS-CB-1.1.1.2E2.bin
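Every record in the trace above has the same shape: a bracketed date and time, the source that accepted the command (CLI), and the command text. The following Python is an added example, not code from the guide or from FTOS: it parses show command-history output into records and picks out the ones an auditor would read first, those that change who can log in, what gets logged, or which image boots. The trace lines after Figure 21's six are constructed, and REVIEW_PREFIXES is this example's own choice of what to flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One record of show command-history output, for example:
# [12/5 10:57:8]: CMD-(CLI):hostname Force10
RECORD_RE = re.compile(
    r"^\[(?P<month>\d{1,2})/(?P<day>\d{1,2}) "
    r"(?P<hour>\d{1,2}):(?P<minute>\d{1,2}):(?P<second>\d{1,2})\]: "
    r"CMD-\((?P<source>[^)]+)\):(?P<command>.*)$"
)

# Commands worth a second look when they show up in the trace: they change who can log in,
# what gets logged, or which image the system boots. This list is the example's own choice.
REVIEW_PREFIXES = (
    "no logging", "logging", "no aaa", "aaa authentication", "username", "no username",
    "privilege", "no privilege", "boot system", "no service password-encryption",
    "no access-class", "no ip access-class", "no exec-timeout", "exec-timeout 0",
)


@dataclass
class CommandRecord:
    month: int
    day: int
    time: str      # HH:MM:SS, zero-padded (the trace itself prints 10:57:8)
    source: str    # e.g. CLI
    command: str


def parse_record(line: str) -> Optional[CommandRecord]:
    """Parse one trace line; return None for prompts or anything that is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return CommandRecord(
        month=int(m["month"]), day=int(m["day"]),
        time=f"{int(m['hour']):02d}:{int(m['minute']):02d}:{int(m['second']):02d}",
        source=m["source"], command=m["command"].strip(),
    )


def parse_command_history(output: str) -> List[CommandRecord]:
    return [r for r in (parse_record(ln) for ln in output.splitlines()) if r is not None]


def needs_review(rec: CommandRecord) -> bool:
    cmd = rec.command.lower()
    return any(cmd == p or cmd.startswith(p + " ") for p in REVIEW_PREFIXES)


def review_queue(output: str) -> List[CommandRecord]:
    """Records an auditor should read first, in the order they were executed."""
    return [r for r in parse_command_history(output) if needs_review(r)]


# Sample trace: the lines from Figure 21 followed by two constructed lines.
SAMPLE_COMMAND_HISTORY = """\
Force10#show command-history
[12/5 10:57:8]: CMD-(CLI):service password-encryption
[12/5 10:57:12]: CMD-(CLI):hostname Force10
[12/5 10:57:12]: CMD-(CLI):ip telnet server enable
[12/5 10:57:12]: CMD-(CLI):line console 0
[12/5 10:57:12]: CMD-(CLI):line vty 0 9
[12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS-CB-1.1.1.2E2.bin
[12/5 11:02:41]: CMD-(CLI):no logging on
[12/5 11:03:05]: CMD-(CLI):username auditor privilege 15
"""

if __name__ == "__main__":
    for r in review_queue(SAMPLE_COMMAND_HISTORY):
        print(f"{r.month}/{r.day} {r.time} {r.source}: {r.command}")
```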

Upgrading and Downgrading FTOS


Note: To upgrade or downgrade FTOS, see the release notes for the version you want to load on the
system.

Chapter 3 Management
Management is supported on platforms: C-Series, E-Series, S-Series

This chapter explains the different protocols or services used to manage the Force10 system including:

- Configure Privilege Levels on page 57
- Configure Logging on page 61
- File Transfer Services on page 68
- Terminal Lines on page 70
- Lock CONFIGURATION mode on page 74
- Recovering from a Forgotten Password on page 75
- Recovering from a Forgotten Password on S-Series on page 77
- Recovering from a Failed Start on page 78

Configure Privilege Levels


Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of
which three are pre-defined. The default privilege level is 1.

- Level 0: Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
- Level 1: Access to the system begins at EXEC mode, and all commands are available.
- Level 15: Access to the system begins at EXEC Privilege mode, and all commands are available.

Create a Custom Privilege Level


Custom privilege levels start with the default EXEC mode command set. You can then customize privilege
levels 2-14 by:

- restricting access to an EXEC mode command
- moving commands from EXEC Privilege to EXEC mode
- restricting access

A user can access all commands at his privilege level and below.


Removing a command from EXEC mode


Remove a command from the list of available commands in EXEC mode for a specific privilege level
using the command privilege exec from CONFIGURATION mode. In the command, specify a level
greater than the level given to a user or terminal line, followed by the first keyword of each command to be
restricted.

Move a command from EXEC privilege mode to EXEC mode


Move a command from EXEC Privilege to EXEC mode for a privilege level using the command privilege
exec from CONFIGURATION mode. In the command, specify the privilege level of the user or terminal
line, and specify all keywords in the command to which you want to allow access.

Allow Access to CONFIGURATION mode commands


Allow access to CONFIGURATION mode using the command privilege exec level level configure from
CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level, and
has access to only two commands, end and exit. You must individually specify each CONFIGURATION
mode command to which you want to allow access using the command privilege configure level level. In
the command, specify the privilege level of the user or terminal line, and specify all keywords in the
command to which you want to allow access.

Allow Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER mode


1. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE,
ROUTE-MAP, and ROUTER modes, you must first allow access to the command that enters you into
the mode. For example, allow a user to enter INTERFACE mode using the command privilege
configure level level interface gigabitethernet

2. Then, individually identify the INTERFACE, LINE, ROUTE-MAP or ROUTER commands to which
you want to allow access using the command privilege {interface | line | route-map | router} level
level. In the command, specify the privilege level of the user or terminal line, and specify all keywords
in the command to which you want to allow access.
The following table lists the configuration tasks you can use to customize a privilege level:

Task: Remove a command from the list of available commands in EXEC mode.
    Command Syntax: privilege exec level level {command ||...|| command}
    Command Mode: CONFIGURATION
Task: Move a command from EXEC Privilege to EXEC mode.
    Command Syntax: privilege exec level level {command ||...|| command}
    Command Mode: CONFIGURATION
Task: Allow access to CONFIGURATION mode.
    Command Syntax: privilege exec level level configure
    Command Mode: CONFIGURATION
Task: Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all keywords in the command.
    Command Syntax: privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
    Command Mode: CONFIGURATION
Task: Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
    Command Syntax: privilege {configure | interface | line | route-map | router} level level {command ||...|| command}
    Command Mode: CONFIGURATION

The configuration in Figure 22 creates privilege level 3. This level:

- removes the resequence command from EXEC mode by requiring a minimum of privilege level 4,
- moves the command capture bgp-pdu max-buffer-size from EXEC Privilege to EXEC mode by requiring a minimum privilege level of 3, which is the configured level for VTY 0,
- allows access to CONFIGURATION mode with the banner command, and
- allows access to INTERFACE and LINE modes with no commands.


Figure 22 Create a Custom Privilege Level

Force10(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Force10(conf)#do telnet 10.11.80.201
[telnet output omitted]
Force10#show priv
Current privilege level is 3.
Force10#?
capture              Capture packet
configure            Configuring from terminal
disable              Turn off privileged commands
enable               Turn on privileged commands
exit                 Exit from the EXEC
ip                   Global IP subcommands
monitor              Monitoring feature
mtrace               Trace reverse multicast path from destination to source
ping                 Send echo messages
quit                 Exit from the EXEC
show                 Show running system information
[output omitted]
Force10#config
[output omitted]
Force10(conf)#do show priv
Current privilege level is 3.
Force10(conf)#?
end                  Exit from configuration mode
exit                 Exit from configuration mode
interface            Select an interface to configure
line                 Configure a terminal line
linecard             Set line card type
Force10(conf)#interface ?
fastethernet         Fast Ethernet interface
gigabitethernet      Gigabit Ethernet interface
loopback             Loopback interface
managementethernet   Management Ethernet interface
null                 Null interface
port-channel         Port-channel interface
range                Configure interface range
sonet                SONET interface
tengigabitethernet   TenGigabit Ethernet interface
vlan                 VLAN interface
Force10(conf)#interface gigabitethernet 1/1
Force10(conf-if-gi-1/1)#?
end                  Exit from configuration mode
exit                 Exit from interface configuration mode
Force10(conf-if-gi-1/1)#exit
Force10(conf)#line ?
aux                  Auxiliary line
console              Primary terminal line
vty                  Virtual terminal
Force10(conf)#line vty 0
Force10(config-line-vty)#?
exit                 Exit from line configuration mode
Force10(config-line-vty)#


Apply a Privilege Level to a Username


To set a privilege level for a user:

Task: Configure a privilege level for a user.
    Command Syntax: username username privilege level
    Command Mode: CONFIGURATION

Apply a Privilege Level to a Terminal Line

To set a privilege level for a terminal line:

Task: Configure a privilege level for a terminal line.
    Command Syntax: privilege level level
    Command Mode: LINE

Note: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode,
but the prompt is hostname#, rather than hostname>.

Configure Logging
FTOS tracks changes in the system using event and error messages. By default, FTOS logs these messages
on:

- the internal buffer
- console and terminal lines, and
- any configured syslog servers

Disable Logging
To disable logging:

Task: Disable all logging except on the console.
    Command Syntax: no logging on
    Command Mode: CONFIGURATION
Task: Disable logging to the logging buffer.
    Command Syntax: no logging buffer
    Command Mode: CONFIGURATION
Task: Disable logging to terminal lines.
    Command Syntax: no logging monitor
    Command Mode: CONFIGURATION
Task: Disable console logging.
    Command Syntax: no logging console
    Command Mode: CONFIGURATION


Log Messages in the Internal Buffer


All error messages, except those beginning with %BOOTUP (Message 1), are logged in the internal buffer.
Message 1 BootUp Events
%BOOTUP:RPM0:CP %PORTPIPE-INIT-SUCCESS: Portpipe 0 enabled

Configuration Task List for System Log Management


The following list includes the configuration tasks for system log management:

- Disable System Logging on page 62
- Send System Messages to a Syslog Server on page 63

Disable System Logging


By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, console,
and syslog servers.
Enable and disable system logging using the following commands:

Task: Disable all logging except on the console.
    Command Syntax: no logging on
    Command Mode: CONFIGURATION
Task: Disable logging to the logging buffer.
    Command Syntax: no logging buffer
    Command Mode: CONFIGURATION
Task: Disable logging to terminal lines.
    Command Syntax: no logging monitor
    Command Mode: CONFIGURATION
Task: Disable console logging.
    Command Syntax: no logging console
    Command Mode: CONFIGURATION


Send System Messages to a Syslog Server


Send system messages to a syslog server by specifying the server with the following command:

Task: Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
    Command Syntax: logging {ip-address | hostname}
    Command Mode: CONFIGURATION

Configure a Unix System as a Syslog Server


Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX
system and assigning write permissions to the file.

- On a 4.1 BSD UNIX system, add the line: local7.debugging /var/log/force10.log
- On a 5.7 SunOS UNIX system, add the line: local7.debugging /var/adm/force10.log

In the lines above, local7 is the logging facility level and debugging is the severity level.

Change System Logging Settings


You can change the default settings of the system logging by changing the severity level and the storage
location. The default is to log all messages up to debug level, that is, all system messages.
Task: Specify the minimum severity level for logging to the logging buffer.
    Command Syntax: logging buffered level
    Command Mode: CONFIGURATION
Task: Specify the minimum severity level for logging to the console.
    Command Syntax: logging console level
    Command Mode: CONFIGURATION
Task: Specify the minimum severity level for logging to terminal lines.
    Command Syntax: logging monitor level
    Command Mode: CONFIGURATION
Task: Specify the minimum severity level for logging to a syslog server.
    Command Syntax: logging trap level
    Command Mode: CONFIGURATION
Task: Specify the minimum severity level for logging to the syslog history table.
    Command Syntax: logging history level
    Command Mode: CONFIGURATION


Task: Specify the size of the logging buffer.
    Note: When you decrease the buffer size, FTOS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
    Command Syntax: logging buffered size
    Command Mode: CONFIGURATION
Task: Specify the number of messages that FTOS saves to its logging history table.
    Command Syntax: logging history size size
    Command Mode: CONFIGURATION

To view the logging buffer and configuration, use the show logging command (Figure 23) in the EXEC
privilege mode.
To view the logging configuration, use the show running-config logging command (Figure 24) in the
EXEC privilege mode.

Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show
logging command (Figure 23) in the EXEC privilege mode.


Figure 23 show logging Command Example


Force10#show logging
syslog logging: enabled
Console logging: level Debugging
Monitor logging: level Debugging
Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present
%CHMGR-5-CARDDETECTED: Line card 5 present
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DISCOVERY: Found SFM 7
%TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9 SFMs
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 5 is up
%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8

To view any changes made, use the show running-config logging command (Figure 24) in the EXEC
privilege mode.
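Every message line in Figure 23 starts with the same header, %FACILITY-SEVERITY-MNEMONIC:, and the severity digit is what the logging buffered, console, monitor, trap and history level commands filter on. The following Python is an added example, not code from the guide or from FTOS: it parses show logging output into those fields and applies the same at-or-below-level rule, including the case where an outer %RPM-2-MSG:CP1 header wraps the real message. The sample input is assembled from lines in Figures 23 and 30; SAMPLE_SHOW_LOGGING, HEADER_RE and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Severity levels 0-7 as accepted by logging {buffered|console|monitor|trap|history} level.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
SEVERITY_BY_NAME = {name: num for num, name in SEVERITY_NAMES.items()}

# Header of an FTOS system message: %FACILITY-SEVERITY-MNEMONIC:
HEADER_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    prefix: str  # whatever precedes the innermost header: an uptime stamp, an RPM/CP source tag, or both


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Parse one line of show logging output. Returns None for lines that are not
    messages (the 'Trap logging: level Informational' status lines, prompts, blanks)."""
    headers = list(HEADER_RE.finditer(line))
    if not headers:
        return None
    # A message may be wrapped by an outer header such as %RPM-2-MSG:CP1 that only names the
    # originating processor; the innermost (last) header carries the real facility and severity.
    hdr = headers[-1]
    return SyslogMessage(
        facility=hdr["facility"],
        severity=int(hdr["severity"]),
        mnemonic=hdr["mnemonic"],
        text=line[hdr.end():].strip(),
        prefix=line[:hdr.start()].strip(),
    )


def parse_show_logging(output: str) -> List[SyslogMessage]:
    return [m for m in (parse_message(ln) for ln in output.splitlines()) if m is not None]


def at_or_below(msgs: List[SyslogMessage], level: Union[int, str]) -> List[SyslogMessage]:
    """Apply the rule behind 'logging trap level' and its siblings: a message passes only when
    its severity number is less than or equal to the configured level (0 is most severe)."""
    threshold = SEVERITY_BY_NAME[level] if isinstance(level, str) else int(level)
    if not 0 <= threshold <= 7:
        raise ValueError("severity level must be 0..7")
    return [m for m in msgs if m.severity <= threshold]


# Sample input: status lines and messages taken from Figure 23, plus the uptime-stamped
# line from Figure 30, assembled here as constructed test data.
SAMPLE_SHOW_LOGGING = """\
Force10#show logging
syslog logging: enabled
Console logging: level Debugging
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:'
%CHMGR-5-CARDDETECTED: Line card 0 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    msgs = parse_show_logging(SAMPLE_SHOW_LOGGING)
    # Same selection a 'logging trap notifications' setting would forward to a syslog server.
    for m in at_or_below(msgs, "notifications"):
        print(f"{m.severity} {SEVERITY_NAMES[m.severity]:<14} {m.facility}-{m.mnemonic}: {m.text}")
```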


Configure a UNIX logging facility level


You can save system log messages with a UNIX system logging facility.
To configure a UNIX logging facility level, use the following command in the CONFIGURATION mode:

Command Syntax: logging facility [facility-type]
    Command Mode: CONFIGURATION
    Purpose: Specify one of the following parameters.
        auth (for authorization messages)
        cron (for system scheduler messages)
        daemon (for system daemons)
        kern (for kernel messages)
        local0 (for local use)
        local1 (for local use)
        local2 (for local use)
        local3 (for local use)
        local4 (for local use)
        local5 (for local use)
        local6 (for local use)
        local7 (for local use). This is the default.
        lpr (for line printer system messages)
        mail (for mail system messages)
        news (for USENET news messages)
        sys9 (system use)
        sys10 (system use)
        sys11 (system use)
        sys12 (system use)
        sys13 (system use)
        sys14 (system use)
        syslog (for syslog messages)
        user (for user programs)
        uucp (UNIX to UNIX copy protocol)
        The default is local7.

To view nondefault settings, use the show running-config logging command (Figure 24) in the EXEC
mode.


Figure 24 show running-config logging Command Example


Force10#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Force10#

Synchronize log messages


You can configure FTOS to filter and consolidate the system messages for a specific line by synchronizing
the message output. Only the messages with a severity at or below the set level appear. This feature works
on the terminal and console connections available on the system.
To synchronize log messages, use these commands in the following sequence starting in the
CONFIGURATION mode:

Step 1  Command Syntax: line {console 0 | vty number [end-number] | aux 0}
        Command Mode: CONFIGURATION
        Purpose: Enter the LINE mode. Configure the following parameters for the virtual terminal lines:
            number range: zero (0) to 8.
            end-number range: 1 to 8.
            You can configure multiple virtual terminals at one time by entering a number and an end-number.
Step 2  Command Syntax: logging synchronous [level severity-level | all] [limit]
        Command Mode: LINE
        Purpose: Configure a level and set the maximum number of messages to be printed. Configure the following optional parameters:
            level severity-level range: 0 to 7. Default is 2. Use the all keyword to include all messages.
            limit range: 20 to 300. Default is 20.

To view the logging synchronous configuration, use the show config command in the LINE mode.


Enable timestamp on syslog messages


Syslog messages, by default, do not include a time/date stamp stating when the error or message was
created.
To have FTOS include a timestamp with the syslog message, use the following command syntax in the
CONFIGURATION mode:

Command Syntax: service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
    Command Mode: CONFIGURATION
    Purpose: Add a timestamp to syslog messages. Specify the following optional parameters:
        datetime: You can add the keyword localtime to include the local time, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC.
        uptime: To view time since last boot.
        If neither parameter is specified, FTOS configures uptime.

To view the configuration, use the show running-config logging command in the EXEC privilege
mode.
To disable time stamping on syslog messages, enter no service timestamps [log | debug].

File Transfer Services


With FTOS, you can configure the system to transfer files over the network using File Transfer Protocol
(FTP). One FTP application is copying the system image files over an interface on to the system; however,
FTP is not supported on VLAN interfaces.
For more information on FTP, refer to RFC 959, File Transfer Protocol.

Configuration Task List for File Transfer Services


The following list includes the configuration tasks for file transfer services:

- Enable FTP server on page 69 (mandatory)
- Configure FTP server parameters on page 69 (optional)
- Configure FTP client parameters on page 70 (optional)

For a complete listing of FTP related commands, refer to .


Enable FTP server


To enable the system as an FTP server, use the following command in the CONFIGURATION mode:

Command Syntax: ftp-server enable
    Command Mode: CONFIGURATION
    Purpose: Enable FTP on the system.

To view FTP configuration, use the show running-config ftp command (Figure 25) in the EXEC
privilege mode.
Figure 25 show running-config ftp Command Output
Force10#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
Force10#

Configure FTP server parameters


After the FTP server is enabled on the system, you can configure different parameters.
To configure FTP server parameters, use any or all of the following commands in the CONFIGURATION
mode:

Command Syntax: ftp-server topdir dir
    Command Mode: CONFIGURATION
    Purpose: Specify the directory for users using FTP to reach the system. The default is the internal flash directory.
Command Syntax: ftp-server username username password [encryption-type] password
    Command Mode: CONFIGURATION
    Purpose: Specify a user name for all FTP users and configure either a plain text or encrypted password. Configure the following optional and required parameters:
        username: Enter a text string.
        encryption-type: Enter 0 for plain text or 7 for encrypted text.
        password: Enter a text string.

Note: You cannot use the change directory (cd) command until ftp-server topdir has been
configured.

To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.


Configure FTP client parameters


To configure FTP client parameters, use the following commands in the CONFIGURATION mode:

Command Syntax: ip ftp source-interface interface
    Command Mode: CONFIGURATION
    Purpose: Enter the following keywords and slot/port or number information:
        For a Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
        For a loopback interface, enter the keyword loopback followed by a number between 0 and 16383.
        For a port channel interface, enter the keyword port-channel followed by a number from 1 to 255 for TeraScale and ExaScale, 1 to 32 for EtherScale.
        For a SONET interface, enter the keyword sonet followed by the slot/port information.
        For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet followed by the slot/port information.
        For a VLAN interface, enter the keyword vlan followed by a number from 1 to 4094. E-Series ExaScale platforms support 4094 VLANs with FTOS version 8.2.1.0 and later. Earlier ExaScale supports 2094 VLANs.
Command Syntax: ip ftp password password
    Command Mode: CONFIGURATION
    Purpose: Configure a password.
Command Syntax: ip ftp username name
    Command Mode: CONFIGURATION
    Purpose: Enter the username to use on the FTP client.

To view FTP configuration, use the show running-config ftp command (Figure 25) in the EXEC
privilege mode.

Terminal Lines
You can access the system remotely and restrict access to the system by creating user profiles. The terminal
lines on the system provide different means of accessing the system. The console line (console) connects
you through the Console port in the RPMs. The virtual terminal lines (VTY) connect you through Telnet to
the system. The auxiliary line (aux) connects secondary devices such as modems.

Deny and Permit Access to a Terminal Line


Force10 recommends applying only standard ACLs to deny and permit access to VTY lines.

- Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny any traffic.
- You cannot use show ip accounting access-list to display the contents of an ACL that is applied only to a VTY line.

To apply an IP ACL to a line:

Task: Apply an ACL to a VTY line.
    Command Syntax: ip access-class access-list
    Command Mode: LINE

To view the configuration, enter the show config command in the LINE mode, as shown in Figure 26.
Figure 26 Applying an Access List to a VTY Line
Force10(config-std-nacl)#show config
!
ip access-list standard myvtyacl
seq 5 permit host 10.11.0.1
Force10(config-std-nacl)#line vty 0
Force10(config-line-vty)#show config
line vty 0
access-class myvtyacl

FTOS Behavior: Prior to FTOS version 7.4.2.0, in order to deny access on a VTY line, you must apply
an ACL and AAA authentication to the line. Then users are denied access only after they enter a
username and password. Beginning in FTOS version 7.4.2.0, only an ACL is required, and users are
denied access before they are prompted for a username and password.

Configure Login Authentication for Terminal Lines


You can use any combination of up to 6 authentication methods to authenticate a user on a terminal line. A
combination of authentication methods is called a method list. If the user fails the first authentication
method, FTOS prompts the next method until all methods are exhausted, at which point the connection is
terminated. The available authentication methods are:

- enable: Prompt for the enable password.
- line: Prompt for the password you assigned to the terminal line. You must configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the command password from LINE mode.
- local: Prompt for the system username and password.
- none: Do not authenticate the user.
- radius: Prompt for a username and password and use a RADIUS server to authenticate.
- tacacs+: Prompt for a username and password and use a TACACS+ server to authenticate.


To configure authentication for a terminal line:

Step 1  Task: Create an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local, and the default method list is empty.
        Command Syntax: aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
        Command Mode: CONFIGURATION
Step 2  Task: Apply the method list from Step 1 to a terminal line.
        Command Syntax: login authentication {method-list-name | default}
        Command Mode: LINE
Step 3  Task: If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
        Command Syntax: password
        Command Mode: LINE

In Figure 27 VTY lines 0-2 use a single authentication method, line.


Figure 27 Configuring Login Authentication on a Terminal Line
Force10(conf)#aaa authentication login myvtymethodlist line
Force10(conf)#line vty 0 2
Force10(config-line-vty)#login authentication myvtymethodlist
Force10(config-line-vty)#password myvtypassword
Force10(config-line-vty)#show config
line vty 0
password myvtypassword
login authentication myvtymethodlist
line vty 1
password myvtypassword
login authentication myvtymethodlist
line vty 2
password myvtypassword
login authentication myvtymethodlist
Force10(config-line-vty)#

Time out of EXEC Privilege Mode


EXEC timeout is a basic security feature that returns FTOS to the EXEC mode after a period of inactivity
on terminal lines.


To change the timeout period or disable EXEC timeout:

Task: Set the number of minutes and seconds. Default: 10 minutes on console, 30 minutes on VTY. Disable EXEC timeout by setting the timeout period to 0.
    Command Syntax: exec-timeout minutes [seconds]
    Command Mode: LINE
Task: Return to the default timeout values.
    Command Syntax: no exec-timeout
    Command Mode: LINE

View the configuration using the command show config from LINE mode.
Figure 28 Configuring EXEC Timeout
Force10(conf)#line con 0
Force10(config-line-console)#exec-timeout 0
Force10(config-line-console)#show config
line console 0
exec-timeout 0 0
Force10(config-line-console)#
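The terminal-line settings in this chapter (the VTY access-class, the login method list and its line password, and exec-timeout) interact with the syslog and FTP settings described earlier, and a reviewer usually wants them checked together over a saved running-config. The following Python is an added example, not code from the guide or from FTOS: it reads a running-config built from the commands documented here and reports the weak settings this chapter calls out, including the empty-ACL case that denies nothing on a VTY line. The sample config is constructed; it assumes that a "!" line ends each block and that an omitted FTP encryption-type means a plain-text password.

```python
import re
from typing import Dict, List

# Words that follow "logging" when the command is something other than logging {ip-address | hostname}.
LOGGING_SUBCOMMANDS = {"buffered", "console", "monitor", "trap", "history",
                       "facility", "source-interface", "synchronous", "on"}


def audit_running_config(config: str) -> List[str]:
    """Return one finding per weak setting among the commands this chapter documents."""
    top: List[str] = []                 # global CONFIGURATION commands
    lines: Dict[str, List[str]] = {}    # "line vty 0" -> commands entered under that line
    acl_rules: Dict[str, int] = {}      # standard ACL name -> number of seq rules
    section = acl = None
    for raw in config.splitlines():
        cmd = raw.strip()               # indentation is not relied on; "!" ends a block
        if not cmd or cmd == "!":
            section = acl = None
        elif cmd.startswith("line "):
            section, acl = cmd, None
            lines.setdefault(section, [])
        elif cmd.startswith("ip access-list "):
            acl, section = cmd.split()[-1], None
            acl_rules.setdefault(acl, 0)
        elif acl is not None and cmd.startswith("seq "):
            acl_rules[acl] += 1
        elif section is not None:
            lines[section].append(cmd)
        else:
            top.append(cmd)

    findings: List[str] = []
    method_lists: Dict[str, List[str]] = {}
    servers: List[str] = []
    for cmd in top:
        words = cmd.split()
        if cmd.startswith("no logging"):
            findings.append(f"logging output disabled: '{cmd}'")
        elif words[0] == "logging" and len(words) > 1 and words[1] not in LOGGING_SUBCOMMANDS:
            servers.append(words[1])
        elif cmd.startswith("aaa authentication login "):
            method_lists[words[3]] = words[4:]
        # Assumption: an omitted encryption-type means the password was given in plain text.
        m = re.match(r"ftp-server username (\S+) password (?:(\d) )?\S+$", cmd)
        if m and m.group(2) != "7":
            findings.append(f"ftp-server user '{m.group(1)}': plain-text password (encryption-type 0)")
    if not servers:
        findings.append("no syslog server configured (logging {ip-address | hostname})")
    if not any(c.startswith("service timestamps log") for c in top):
        findings.append("syslog messages carry no timestamp (service timestamps log ...)")
    for name, methods in method_lists.items():
        if "none" in methods:
            findings.append(f"method list '{name}' contains 'none': a session can proceed unauthenticated")

    for header, cmds in lines.items():
        norm = [c[3:] if c.startswith("ip ") else c for c in cmds]   # "ip access-class" == "access-class"
        acl_name = next((c.split()[1] for c in norm if c.startswith("access-class ")), None)
        if header.startswith("line vty") and acl_name is None:
            findings.append(f"{header}: no access-class applied; any source may open a Telnet session")
        elif acl_name is not None and acl_rules.get(acl_name, 0) == 0:
            findings.append(f"{header}: access-class '{acl_name}' has no rules, which denies nothing on a VTY line")
        for c in norm:
            if c.startswith("exec-timeout ") and sum(int(x) for x in c.split()[1:3]) == 0:
                findings.append(f"{header}: exec-timeout 0 disables the idle timeout")
        applied = next((c.split()[2] for c in norm if c.startswith("login authentication ")), None)
        if "line" in method_lists.get(applied, []) and not any(c.startswith("password ") for c in norm):
            findings.append(f"{header}: method list '{applied}' uses 'line' but no line password is set")
    return findings


# Constructed running-config assembled from the commands this chapter documents.
SAMPLE_RUNNING_CONFIG = """\
!
service timestamps log datetime msec
logging 10.10.10.4
!
aaa authentication login default local
aaa authentication login myvtymethodlist line
aaa authentication login lab none
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
!
ftp-server username nairobi password 0 zanzibar
!
line console 0
 exec-timeout 0 0
line vty 0
 access-class myvtyacl
 password myvtypassword
 login authentication myvtymethodlist
line vty 1 9
 login authentication default
 exec-timeout 0 0
!
"""

if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_RUNNING_CONFIG):
        print("FINDING:", finding)
```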

Telnet to Another Network Device


To telnet to another device:

Task: Telnet to the peer RPM. You do not need to configure the management port on the peer RPM to be able to telnet to it.
    Command Syntax: telnet-peer-rpm
    Command Mode: EXEC Privilege
Task: Telnet to a device with an IPv4 or IPv6 address. If you do not enter an IP address, FTOS enters a Telnet dialog that prompts you for one. Enter an IPv4 address in dotted decimal format (A.B.C.D). Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
    Command Syntax: telnet [ip-address]
    Command Mode: EXEC Privilege

Figure 29 Telnet to Another Network Device


Force10# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
Force10>exit
Force10#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
Force10#

Lock CONFIGURATION mode


FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION
mode so that only one user can be in CONFIGURATION mode at any time (Message 4).
Two types of locks can be set: auto and manual.

- Set an auto-lock using the command configuration mode exclusive auto from CONFIGURATION mode. When you set an auto-lock, every time a user is in CONFIGURATION mode all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode without having to set the lock again.
- Set a manual lock using the command configure terminal lock from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others.

Figure 30 Locking CONFIGURATION mode

R1(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
R1#config
! Locks configuration mode exclusively.
R1(conf)#

If another user attempts to enter CONFIGURATION mode while a lock is in place, Message 3 appears on
their terminal.
Message 3 CONFIGURATION mode Locked Error
% Error: User "" on line console0 is in exclusive configuration mode


If any user is already in CONFIGURATION mode when you attempt to set a lock, Message 4 appears on
your terminal.
Message 4 Cannot Lock CONFIGURATION mode Error
% Error: Can't lock configuration mode exclusively since the following users are currently
configuring the system:
User "admin" on line vty1 ( 10.1.1.1 )

Note: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you
configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION
mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you
are the one that configured the lock.

Note: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is
unconfigured.

Viewing the Configuration Lock Status


If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which
user has control of CONFIGURATION mode using the command show configuration lock from EXEC
Privilege mode.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively
you can clear any line using the command clear from EXEC Privilege mode. If you clear a console session,
the user is returned to EXEC mode.

Recovering from a Forgotten Password


If you configure authentication for the console and you exit out of EXEC mode or your console session
times out, you are prompted for a password to re-enter.
If you forget your password:
Step

Task

Command Syntax

Command Mode

Log onto the system via console.

Power-cycle the chassis by switching off all of the power modules and then switching them back on.

Abort bootup by sending the


break signal when prompted.

Ctrl+Shift+6

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010


Figure 31 Entering BOOT_USER mode

Type "go 0x00040004" to enter the Force10 BLI shell
You can use U-boot native networking facilities
============================================================

Hit any key to stop autoboot:

Starting F10 BLI Shell ...

BOOT_USER # enable admin
Password : XXXXXXXXX
RPM0-CP BOOT_ADMIN #

Step 4  Enter BOOT_ADMIN mode using the command enable admin. Enter ncorerulz when prompted for a password.
        Command Syntax: enable admin
        Command Mode: BOOT_USER

Figure 32 Entering BOOT_ADMIN mode

***** Welcome to Force10 Boot Interface *****
Use "help" or "?" for more information.
BOOT_USER # enable admin
Password : XXXXXXXXX
RPM0-CP BOOT_ADMIN #

Step 5  Rename the startup-config so it does not load on the next system reload.
        Command Syntax: rename flash://startup-config flash://startup-config.bak
        Command Mode: BOOT_ADMIN
Step 6  Verify that startup-config is renamed.
        Command Syntax: dir flash:
        Command Mode: BOOT_ADMIN

Figure 33 Renaming the startup-config

RPM0-CP BOOT_ADMIN # dir flash:
Directory of flash:
1 -rwx 11407411 Jun 09 2004 09:38:40 FTOS-EE3-5.3.1.1.bin
2 -rwx 4977 Jun 09 2004 09:38:38 startup-config.bak

Step 7  Reload the system.
        Command Syntax: reload
        Command Mode: BOOT_ADMIN
Step 8  Copy startup-config.bak to the running config.
        Command Syntax: copy flash://startup-config.bak running-config
        Command Mode: EXEC Privilege
Step 9  Remove all authentication statements you might have for the console.
        Command Syntax: no authentication login
                        no password
        Command Mode: LINE
Step 10 Save the running-config.
        Command Syntax: copy running-config startup-config
        Command Mode: EXEC Privilege


Recovering from a Forgotten Enable Password


If you forget the enable password:

Step 1  Log onto the system via console.
Step 2  Eject the secondary RPM if there is one.
Step 3  Power-cycle the chassis by switching off all of the power modules and then switching them back on.
Step 4  Abort bootup by sending the break signal when prompted. See Figure 31.
        Command Syntax: Ctrl+Shift+6
Step 5  Configure the system to ignore the enable password on bootup.
        Note: This command only bypasses the enable password once. You must repeat this procedure to bypass it again.
        Command Syntax: ignore enable-password
        Command Mode: BOOT_USER

Figure 34 Ignoring the Enable Password

***** Welcome to Force10 Boot Interface *****
Use "help" or "?" for more information.
BOOT_USER # ignore enable-password

Step 6  Reload the system.
        Command Syntax: reload
        Command Mode: BOOT_USER
Step 7  Configure a new enable password.
        Command Syntax: enable {secret | password}
        Command Mode: CONFIGURATION
Step 8  Insert the secondary RPM.
Step 9  Save the running-config to the startup-config. The startup-config files on both RPMs will be synchronized.
        Command Syntax: copy running-config startup-config
        Command Mode: EXEC Privilege

Recovering from a Forgotten Password on S-Series


If you configure authentication for the console and you exit out of EXEC mode or your console session
times out, you are prompted for a password to re-enter.
If you forget your password:

Step 1  Log onto the system via console.
Step 2  Power-cycle the chassis by unplugging the power cord.
Step 3  Abort bootup by sending the break signal when prompted.
        Command Syntax: (any key)

Figure 35 Entering BOOT_USER mode

Type "go 0x00040004" to enter the Force10 BLI shell
You can use U-boot native networking facilities
============================================================

***** Welcome to Force10 Boot Interface *****
Use "help" or "?" for more information.
BOOT_USER #

Step 4  Configure the system to ignore the startup-config, which prevents the system from prompting you for a password to enter EXEC mode.
        Note: This command only bypasses the password once. You must repeat this procedure to bypass it again.
        Command Syntax: ignore startup-config
        Command Mode: BOOT_USER
Step 5  Remove all authentication statements you might have for the console.
        Command Syntax: no authentication login
        Command Mode: CONFIGURATION
Step 6  Reload the system.
        Command Syntax: reload
        Command Mode: BOOT_USER

Recovering from a Failed Start


A system that does not start correctly might be attempting to boot from a corrupted FTOS image or from a
mis-specified location. In that case, you can restart the system and interrupt the boot process to point the
system to another boot location. Use the boot change command, as described below. For details on the
boot change command, its supporting commands, and other commands that can help recover from a failed
start, see the BOOT_USER chapter in the FTOS Command Reference.
Step 1  Power-cycle the chassis (pull the power cord and reinsert it).
Step 2  Abort bootup by sending the break signal when prompted.
        Command Syntax: Ctrl-Shift 6 (Ctrl-^) on the C-Series and E-Series (on the S-Series, hit any key)
        Command Mode: (during bootup)
Step 3  Tell the system where to access the FTOS image used to boot the system:
        Enter primary to configure the boot parameters used in the first attempt to boot the system.
        Enter secondary for when the primary operating system boot selection is not available.
        Enter default to configure boot parameters used if the secondary operating system boot parameter
        selection is not available. The default location should always be the internal flash device (flash:),
        and a verified image should be stored there.
        Command Syntax: boot change {primary | secondary | default}
        After entering the keywords and desired option, press Enter. The software prompts you to enter the following:
          boot device (ftp, tftp, flash, slot0)
            Note: S-Series can only use a TFTP location.
          image file name
          IP address of the server with the image
          username and password (only for FTP)
        Command Mode: BOOT_USER
Step 4  On S-Series systems only, assign a port to be the Management Ethernet interface.
        Command Syntax: interface management ethernet port portID
        Command Mode: BOOT_USER
Step 5  Assign an IP address to the Management Ethernet interface.
        Command Syntax: [no] interface management ethernet ip address ip-address mask
        Command Mode: BOOT_USER
Step 6  (OPTIONAL) On C- and E-Series systems only, configure speed, duplex, and negotiation settings for the management interface.
        Command Syntax: interface management port config {half-duplex | full-duplex | 10m | 100m | auto-negotiation | no auto-negotiation | show}
        Command Mode: BOOT_USER
Step 7  Assign an IP address as the default gateway for the system.
        Command Syntax: [no] default-gateway ip-address
        Command Mode: BOOT_USER
Step 8  Reload the system.
        Command Syntax: reload
        Command Mode: BOOT_USER

Very similar to the options of the boot change command, the boot system command is available in
CONFIGURATION mode on the C-Series and E-Series to set the boot parameters that, when saved to the
startup configuration file, are stored in NVRAM and are then used routinely:

Task: Configure the system to routinely boot from the designated location. After entering rpm0 or rpm1,
enter one of the three keywords and then the file-url. You can use the command for each of the
combinations of RPM and option.
Command Syntax: boot system {rpm0 | rpm1} {default | primary | secondary} file-url
  For file-url, to boot from a file:
    on the internal Flash, enter flash:// followed by the filename.
    on the external Flash, enter slot0:// followed by the filename.
    on an FTP server, enter ftp://user:password@hostip/filepath
    on a TFTP server, enter tftp://hostip/filepath
Command Mode: CONFIGURATION
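The file-url forms above are worth checking before they are committed, because an ftp:// entry carries a username and password that are then saved with the startup configuration. The following is an added example, not code from the FTOS guide or from Force10: it parses the documented command shape, boot system {rpm0 | rpm1} {default | primary | secondary} file-url, validates each of the four schemes, applies the advice given for boot change above that the default location should be the internal flash, and flags embedded FTP credentials. The addresses and file names in the samples are constructed placeholders.

```python
"""Check `boot system` entries before they go into the startup configuration.

Added example (not Force10 code). Parses
    boot system {rpm0 | rpm1} {default | primary | secondary} file-url
with the file-url schemes flash://, slot0://, ftp:// and tftp://.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RPMS = ("rpm0", "rpm1")
OPTIONS = ("default", "primary", "secondary")
LOCAL_SCHEMES = ("flash", "slot0")      # take only a filename
REMOTE_SCHEMES = ("ftp", "tftp")        # take hostip/filepath

_URL_RE = re.compile(
    r"^(?P<scheme>flash|slot0|ftp|tftp)://"
    r"(?:(?P<user>[^:@/]+):(?P<password>[^@/]*)@)?"   # user:password@ is only valid for ftp://
    r"(?P<rest>\S*)$"
)


@dataclass
class BootEntry:
    rpm: str
    option: str
    scheme: str
    path: str
    host: Optional[str] = None
    user: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_boot_system(line: str) -> BootEntry:
    """Parse one `boot system` line; raise ValueError on anything the guide does not allow."""
    tokens = line.strip().split()
    if len(tokens) != 5 or tokens[:2] != ["boot", "system"]:
        raise ValueError(f"expected 'boot system <rpm> <option> <file-url>': {line!r}")
    rpm, option, url = tokens[2:]
    if rpm not in RPMS:
        raise ValueError(f"RPM must be one of {RPMS}: {rpm!r}")
    if option not in OPTIONS:
        raise ValueError(f"option must be one of {OPTIONS}: {option!r}")
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"unsupported file-url: {url!r}")
    scheme, rest = m["scheme"], m["rest"]
    entry = BootEntry(rpm=rpm, option=option, scheme=scheme, path=rest)
    if scheme in LOCAL_SCHEMES:
        # flash:// and slot0:// are followed only by the filename.
        if m["user"] is not None or "/" in rest or not rest:
            raise ValueError(f"{scheme}:// takes only a filename: {url!r}")
    else:
        host, sep, path = rest.partition("/")
        if not host or not sep or not path:
            raise ValueError(f"{scheme}:// needs hostip/filepath: {url!r}")
        entry.host, entry.path = host, path
        if scheme == "tftp" and m["user"] is not None:
            raise ValueError("tftp:// does not carry user:password")
        if scheme == "ftp":
            if m["user"] is None:
                raise ValueError("ftp:// requires user:password@hostip/filepath")
            entry.user = m["user"]
            entry.warnings.append(
                "ftp:// credentials are part of the boot string and are saved in "
                "startup-config; restrict who can read the configuration")
    if option == "default" and scheme != "flash":
        entry.warnings.append(
            "default boot location should be the internal flash (flash:) holding a verified image")
    return entry


def is_valid_boot_system(line: str) -> bool:
    """True if the line parses as a well-formed boot system entry."""
    try:
        parse_boot_system(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries; addresses and file names are placeholders.
    for sample in (
        "boot system rpm0 primary ftp://admin:s3cret@10.0.0.5/image.bin",
        "boot system rpm0 secondary tftp://10.0.0.6/image.bin",
        "boot system rpm0 default flash://image.bin",
    ):
        e = parse_boot_system(sample)
        print(sample, "->", e.scheme, e.host or "local", e.path, e.warnings)
```

Run over a saved configuration, the warnings list tells you which entries leave a password in the configuration file and which default entry does not point at the internal flash.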


Also, because the C-Series and E-Series can boot from an external flash, you can recover from a failed
boot image on the flash by simply fixing that source. For details on boot code and FTOS setup, see the
FTOS Release Notes for the specific FTOS versions that you want to use.
The network boot facility has only become available on the S-Series with FTOS 7.8.1.0 and its
accompanying boot code. In addition to installing FTOS 7.8.1.0, you must separately install that new boot
code. For installation details, see the S-Series and FTOS Release Notes for Version 7.8.1.0.

Chapter 4
802.1ag

802.1ag is available only on platform: S-Series

Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor,
troubleshoot and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas:
1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM)
2. Link Layer OAM: IEEE 802.3ah OAM
3. Ethernet Local management Interface (MEF-16 E-LMI)

Ethernet CFM
Ethernet CFM is an end-to-end, per-service-instance Ethernet OAM scheme which enables: proactive
connectivity monitoring, fault verification, and fault isolation.
The service-instance in the OAM for Metro/Carrier Ethernet context is a VLAN. This service is sold to an
end-customer by a network service provider. Typically the service provider contracts with multiple
network operators to provide end-to-end service between customers. For end-to-end service between
customer switches, connectivity must be present across the service provider through multiple network
operators.
Layer 2 Ethernet networks usually cannot be managed with IP tools such as ICMP Ping and IP Traceroute.
Traditional IP tools often fail because:

• there are complex interactions between various Layer 2 and Layer 3 protocols such as STP, LAG,
VRRP and ECMP configurations.
• Ping and traceroute are not designed to verify data connectivity in the network and within each node in
the network (such as in the switching fabric and hardware forwarding tables).
• when networks are built from different operational domains, access controls impose restrictions that
cannot be overcome at the IP level, resulting in poor fault visibility. There is a need for hierarchical
domains that can be monitored and maintained independently by each provider or operator.
• routing protocols choose a subset of the total network topology for forwarding, making it hard to detect
faults in links and nodes that are not included in the active routing topology. This is made more
complex when using some form of Traffic Engineering (TE) based routing.
• network and element discovery and cataloging is not clearly defined using IP troubleshooting tools.

There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With
these tools, you can identify, isolate, and repair faults quickly and easily, which reduces operational cost of
running the network. OAM also increases availability and reduces mean time to recovery, which allows for
tighter service level agreements, resulting in increased revenue for the service provider.


In addition to providing end-to-end OAM in native Layer 2 Ethernet Service Provider/Metro networks,
you can also use CFM to manage and troubleshoot any Layer 2 network including enterprise, datacenter,
and cluster networks.

Maintenance Domains
Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as
shown in Figure 36.
A CFM maintenance domain is a management space on a network that is owned and operated by a single
management entity. The network administrator assigns a unique maintenance level (0 to 7) to each domain
to define the hierarchical relationship between domains. Domains can touch or nest but cannot overlap or
intersect as that would require management by multiple entities.
Figure 36 OAM Domains
[Figure: a Customer Network at each end, connected through the Service Provider Network (Ethernet Access, MPLS Access, MPLS Core); the nested domains are Customer Domain (7), Provider Domain (6), three Operator Domains (5), and MPLS Domain (4).]

Maintenance Points
Domains are comprised of logical entities called Maintenance Points. A maintenance point is an interface
demarcation that confines CFM frames to a domain. There are two types of maintenance points:

• Maintenance End Points (MEPs): a logical entity that marks the end-point of a domain
• Maintenance Intermediate Points (MIPs): a logical entity configured at a port of a switch that is an
intermediate point of a Maintenance Entity (ME). An ME is a point-to-point relationship between two
MEPs within a single domain. MIPs are internal to a domain, not at the boundary, and respond to CFM
only when triggered by linktrace and loopback messages. MIPs can be configured to snoop Continuity
Check Messages (CCMs) to build a MIP CCM database.


These roles define the relationships between all devices so that each device can monitor the layers under its
responsibility. Maintenance points drop all lower-level frames and forward all higher-level frames.
Figure 37 Maintenance Points
[Figure: the topology of Figure 36 (Customer Network, Ethernet Access, MPLS Access, MPLS Core; Customer Domain (7), Provider Domain (6), Operator Domains (5), MPLS Domain (4)), with MEPs marked at the domain boundaries and MIPs at the intermediate ports.]

Maintenance End Points

A Maintenance End Point (MEP) is a logical entity that marks the end-point of a domain. There are two
types of MEPs defined in 802.1ag for an 802.1 bridge:

• Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on
Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine.
• Down-MEP: monitors the forwarding path external to another bridge.

Configure Up-MEPs on ingress ports, ports that send traffic towards the bridge relay. Configure
Down-MEPs on egress ports, ports that send traffic away from the bridge relay.
Figure 38 Up-MEP versus Down-MEP
[Figure: at the boundary between the Customer Network and the Service Provider Ethernet Access, an Up-MEP faces towards the relay and a Down-MEP faces away from the relay.]


Implementation Information

• Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed
per MA (per VLAN or per MD level).

Configure CFM
Configuring CFM involves the following steps:
1. Configure the ecfmacl CAM region using the cam-acl command. See Configure Ingress Layer 2 ACL
Sub-partitions.
2. Enable Ethernet CFM. See page 85.
3. Create a Maintenance Domain. See page 85.
4. Create a Maintenance Association. See page 86.
5. Create Maintenance Points. See page 86.
6. Use CFM tools:
   a. Continuity Check Messages on page 89
   b. Loopback Message and Response on page 90
   c. Linktrace Message and Response on page 91

Related Configuration Tasks

• Enable CFM SNMP Traps on page 92
• Display Ethernet CFM Statistics on page 93

Enable Ethernet CFM

Task: Spawn the CFM process. No CFM configuration is allowed until the CFM process is spawned.
Command Syntax: ethernet cfm
Command Mode: CONFIGURATION

Task: Disable Ethernet CFM without stopping the CFM process.
Command Syntax: disable
Command Mode: ETHERNET CFM

Create a Maintenance Domain

Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as
shown in Figure 36.

Step 1  Create maintenance domain.
        Command Syntax: domain name md-level number
        Range: 0-7
        Command Mode: ETHERNET CFM
Step 2  Display maintenance domain information.
        Command Syntax: show ethernet cfm domain [name | brief]
        Command Mode: EXEC Privilege

Force10# show ethernet cfm domain
Domain Name: customer
Level: 7
Total Service: 1
Services
MA-Name    VLAN   CC-Int   X-CHK Status
My_MA      200    10s      enabled

Domain Name: praveen
Level: 6
Total Service: 1
Services
MA-Name    VLAN   CC-Int   X-CHK Status
Your_MA    100    10s      enabled

Create a Maintenance Association

A Maintenance Association (MA) is a subdivision of an MD that contains all managed entities
corresponding to a single end-to-end service, typically a VLAN. An MA is associated with a VLAN ID.

Task: Create maintenance association.
Command Syntax: service name vlan vlan-id
Command Mode: ECFM DOMAIN

Create Maintenance Points

Domains are comprised of logical entities called Maintenance Points. A maintenance point is an interface
demarcation that confines CFM frames to a domain. There are two types of maintenance points:

• Maintenance End Points (MEPs): a logical entity that marks the end-point of a domain
• Maintenance Intermediate Points (MIPs): a logical entity configured at a port of a switch that
constitutes an intermediate point of a Maintenance Entity (ME). An ME is a point-to-point relationship
between two MEPs within a single domain.

These roles define the relationships between all devices so that each device can monitor the layers under its
responsibility.

Create a Maintenance End Point

A Maintenance End Point (MEP) is a logical entity that marks the end-point of a domain. There are two
types of MEPs defined in 802.1ag for an 802.1 bridge:

• Up-MEP: monitors the forwarding path internal to a bridge on the customer or provider edge; on
Force10 systems the internal forwarding path is effectively the switch fabric and forwarding engine.
• Down-MEP: monitors the forwarding path external to another bridge.

Configure Up-MEPs on ingress ports, ports that send traffic towards the bridge relay. Configure
Down-MEPs on egress ports, ports that send traffic away from the bridge relay.

Task: Create an MEP.
Command Syntax: ethernet cfm mep {up-mep | down-mep} domain {name | level} ma-name name mepid mep-id
Range (mep-id): 1-8191
Command Mode: INTERFACE

Task: Display configured MEPs and MIPs.
Command Syntax: show ethernet cfm maintenance-points local [mep | mip]
Command Mode: EXEC Privilege

Force10#show ethernet cfm maintenance-points local mep
------------------------------------------------------------------------------
MPID  Domain Name  Level  Type  Port     CCM-Status  MA Name  VLAN  Dir   MAC
------------------------------------------------------------------------------
100   cfm0         7      MEP   Gi 4/10  Enabled     test0    10    DOWN  00:01:e8:59:23:45
200   cfm1         6      MEP   Gi 4/10  Enabled     test1    20    DOWN  00:01:e8:59:23:45
300   cfm2         5      MEP   Gi 4/10  Enabled     test2    30    DOWN  00:01:e8:59:23:45

Create a Maintenance Intermediate Point

A Maintenance Intermediate Point (MIP) is a logical entity configured at a port of a switch that constitutes
an intermediate point of a Maintenance Entity (ME). An ME is a point-to-point relationship between two
MEPs within a single domain. An MIP is not associated with any MA or service instance, and it belongs to
the entire MD.

Task: Create an MIP.
Command Syntax: ethernet cfm mip domain {name | level} ma-name name
Command Mode: INTERFACE

Task: Display configured MEPs and MIPs.
Command Syntax: show ethernet cfm maintenance-points local [mep | mip]
Command Mode: EXEC Privilege

Force10#show ethernet cfm maintenance-points local mip
------------------------------------------------------------------------------
MPID  Domain Name  Level  Type  Port    CCM-Status  MA Name  VLAN  Dir   MAC
------------------------------------------------------------------------------
0     service1     4      MIP   Gi 0/5  Disabled    My_MA    3333  DOWN  00:01:e8:0b:c6:36
      service1     4      MIP   Gi 0/5  Disabled    Your_MA  3333  UP    00:01:e8:0b:c6:36

MP Databases
CFM maintains two MP databases:

• MEP Database (MEP-DB): Every MEP must maintain a database of all other MEPs in the MA that
have announced their presence via CCM.
• MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that
have announced their presence via CCM.

Task: Display the MEP Database.
Command Syntax: show ethernet cfm maintenance-points remote detail [active | domain {level | name} | expired | waiting]
Command Mode: EXEC Privilege

Force10#show ethernet cfm maintenance-points remote detail
MAC Address: 00:01:e8:58:68:78
Domain Name: cfm0
MA Name: test0
Level: 7
VLAN: 10
MP ID: 900
Sender Chassis ID: Force10
MEP Interface status: Up
MEP Port status: Forwarding
Receive RDI: FALSE
MP Status: Active

Task: Display the MIP Database.
Command Syntax: show ethernet cfm mipdb
Command Mode: EXEC Privilege

MP Database Persistence

Task: Set the amount of time that data from a missing MEP is kept in the Continuity Check Database.
Command Syntax: database hold-time minutes
Default: 100 minutes
Range: 100-65535 minutes
Command Mode: ECFM DOMAIN


Continuity Check Messages

Continuity Check Messages (CCM) are periodic hellos used to:

• discover MEPs and MIPs within a maintenance domain
• detect loss of connectivity between MEPs
• detect misconfiguration, such as VLAN ID mismatch between MEPs
• detect unauthorized MEPs in a maintenance domain

Continuity Check Messages (CCM) are multicast Ethernet frames sent at regular intervals from each MEP.
They have a destination address based on the MD level (01:80:C2:00:00:3X where X is the MD level of
the transmitting MEP from 0 to 7). All MEPs must listen to these multicast MAC addresses and process
these messages. MIPs may optionally process the CCM messages originated by MEPs and construct a
MIP CCM database.
MEPs and MIPs filter CCMs from higher and lower domain levels as described in Table 5.

Table 5 Continuity Check Message Processing

Frames at              Frames from                     UP-MEP Action  Down-MEP Action  MIP Action
Less than my level     Bridge-relay side or Wire side  Drop           Drop             Drop
My level               Bridge-relay side               Consume        Drop             Add to MIP-DB and forward
My level               Wire side                       Drop           Consume          Add to MIP-DB and forward
Greater than my level  Bridge-relay side or Wire side  Forward        Forward          Forward

All the remote MEPs in the maintenance domain are defined on each MEP. Each MEP then expects a
periodic CCM from the configured list of MEPs. A connectivity failure is then defined as:
1. Loss of 3 consecutive CCMs from any of the remote MEPs, which indicates a network failure.
2. Reception of a CCM with an incorrect CCM transmission interval, which indicates a configuration
error.
3. Reception of a CCM with an incorrect MEP ID or MAID, which indicates a configuration or
cross-connect error. This could happen when different VLANs are cross-connected due to a
configuration error.
4. Reception of a CCM with an MD level lower than that of the receiving MEP, which indicates a
configuration or cross-connect error.
5. Reception of a CCM containing a port status/interface status TLV, which indicates a failed bridge or
aggregated port.
The Continuity Check protocol sends fault notifications (Syslogs, and SNMP traps if enabled) whenever
any of the above errors are encountered.
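The CCM rules above (the level-based group address, the Table 5 filtering, and the five failure conditions) can be exercised end to end in a small model. The following is an added example, not code from the FTOS guide or from Force10: it derives the CCM and LTM group MAC addresses from the MD level, applies the Table 5 actions for Up-MEPs, Down-MEPs and MIPs, and evaluates a constructed stream of received CCMs against the five failure conditions. The MEP IDs, MA name and CCM contents are constructed for the demonstration; the defect names (XCON, ERROR, MAC_STATUS, REMOTE, RDI) follow the trap mnemonics used later in this chapter.

```python
"""CFM Continuity Check handling, modelled from the 802.1ag text above.

Added example (not Force10 code): group-address derivation, Table 5 level
filtering, and detection of the five connectivity failure conditions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

LOSS_THRESHOLD = 3           # consecutive lost CCMs that count as a network failure


def ccm_group_mac(md_level: int) -> str:
    """CCM destination 01:80:C2:00:00:3X, X = MD level 0..7."""
    if not 0 <= md_level <= 7:
        raise ValueError("MD level must be 0-7")
    return f"01:80:c2:00:00:{0x30 + md_level:02x}"


def ltm_group_mac(md_level: int) -> str:
    """LTM destination 01:80:C2:00:00:3[8-F], i.e. the same range shifted by 8."""
    if not 0 <= md_level <= 7:
        raise ValueError("MD level must be 0-7")
    return f"01:80:c2:00:00:{0x38 + md_level:02x}"


def mp_action(mp_type: str, my_level: int, frame_level: int, side: str) -> str:
    """Table 5: what an MP does with a CCM, by relative MD level and arrival side.

    mp_type is 'up-mep', 'down-mep' or 'mip'; side is 'bridge-relay' or 'wire'.
    """
    if frame_level < my_level:
        return "drop"
    if frame_level > my_level:
        return "forward"
    if mp_type == "mip":
        return "add-to-mip-db-and-forward"
    # Up-MEPs consume frames arriving from the relay, Down-MEPs frames from the wire.
    consume_side = "bridge-relay" if mp_type == "up-mep" else "wire"
    return "consume" if side == consume_side else "drop"


@dataclass
class CCM:
    """The CCM fields the failure conditions look at (constructed, not a wire format)."""
    remote_mepid: int
    maid: str                  # MA identifier carried in the CCM
    md_level: int
    interval_s: int
    port_status: str = "Forwarding"
    interface_status: str = "Up"
    rdi: bool = False


class MepMonitor:
    """Tracks the configured remote MEPs of one local MEP, one CCM interval at a time."""

    def __init__(self, md_level: int, maid: str, interval_s: int, remote_mepids: Iterable[int]):
        self.md_level, self.maid, self.interval_s = md_level, maid, interval_s
        self.misses: Dict[int, int] = {m: 0 for m in remote_mepids}

    def process_interval(self, received: List[CCM]) -> List[Tuple[str, str]]:
        """Return (defect, detail) pairs raised by the CCMs seen in one interval."""
        defects: List[Tuple[str, str]] = []
        heard: Set[int] = set()
        for c in received:
            if c.md_level > self.md_level:          # outer domain: forwarded, not ours
                continue
            if c.md_level < self.md_level:          # condition 4
                defects.append(("XCON", f"CCM at lower MD level {c.md_level} from MEP {c.remote_mepid}"))
                continue
            if c.maid != self.maid or c.remote_mepid not in self.misses:   # condition 3
                defects.append(("XCON", f"unexpected MAID {c.maid!r} / MEP ID {c.remote_mepid}"))
                continue
            heard.add(c.remote_mepid)
            self.misses[c.remote_mepid] = 0
            if c.interval_s != self.interval_s:                           # condition 2
                defects.append(("ERROR", f"MEP {c.remote_mepid} interval {c.interval_s}s != {self.interval_s}s"))
            if c.port_status != "Forwarding" or c.interface_status != "Up":   # condition 5
                defects.append(("MAC_STATUS", f"MEP {c.remote_mepid} port {c.port_status}, interface {c.interface_status}"))
            if c.rdi:
                defects.append(("RDI", f"MEP {c.remote_mepid} signals a remote defect"))
        for mepid in self.misses:                                           # condition 1
            if mepid not in heard:
                self.misses[mepid] += 1
                if self.misses[mepid] == LOSS_THRESHOLD:
                    defects.append(("REMOTE", f"{LOSS_THRESHOLD} consecutive CCMs lost from MEP {mepid}"))
        return defects
```

The REMOTE defect is reported once, when the third consecutive interval passes without a CCM from a configured peer; a CCM from an unknown MEP ID or with a different MA name never resets a miss counter, so a cross-connected VLAN shows up as XCON and, three intervals later, as the loss of the legitimate peer.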


Enable CCM

Step 1  Enable CCM.
        Command Syntax: no ccm disable
        Default: Disabled
        Command Mode: ECFM DOMAIN
Step 2  Configure the transmit interval (mandatory). The interval specified applies to all MEPs in the domain.
        Command Syntax: ccm transmit-interval seconds
        Default: 10 seconds
        Command Mode: ECFM DOMAIN

Enable Cross-checking

Task: Enable cross-checking.
Command Syntax: mep cross-check enable
Default: Disabled
Command Mode: ETHERNET CFM

Task: Start the cross-check operation for an MEP.
Command Syntax: mep cross-check mep-id
Command Mode: ETHERNET CFM

Task: Configure the amount of time the system waits for a remote MEP to come up before the cross-check operation is started.
Command Syntax: mep cross-check start-delay number
Command Mode: ETHERNET CFM

Loopback Message and Response

Loopback Message and Response (LBM, LBR), also called Layer 2 Ping, is an administrative echo
transmitted by MEPs to verify reachability to another MEP or MIP within the maintenance domain. LBM
and LBR are unicast frames.

Task: Send a Loopback message.
Command Syntax: ping ethernet domain name ma-name ma-name remote {mep-id | mac-addr mac-address} source {mep-id | port interface}
Command Mode: EXEC Privilege


Linktrace Message and Response

Linktrace Message and Response (LTM, LTR), also called Layer 2 Traceroute, is an administratively sent
multicast frame transmitted by MEPs to track, hop-by-hop, the path to another MEP or MIP within the
maintenance domain. All MEPs and MIPs in the same domain respond to an LTM with a unicast LTR.
Intermediate MIPs forward the LTM toward the target MEP.
Figure 39 Linktrace Message and Response
[Figure: a MEP sends a Linktrace Message through a chain of MIPs across the MPLS Core; each MP on the path returns a Linktrace Response.]

Link trace messages carry a unicast target address (the MAC address of an MIP or MEP) inside a multicast
frame. The destination group address is based on the MD level of the transmitting MEP
(01:80:C2:00:00:3[8 to F]). The MPs on the path to the target MAC address reply to the LTM with an LTR,
and relay the LTM towards the target MAC until the target MAC is reached or TTL equals 0.

Task: Send a Linktrace message. Since the LTM is a Multicast message sent to the entire ME, there is no need to specify a destination.
Command Syntax: traceroute ethernet domain
Command Mode: EXEC Privilege

Link Trace Cache

After a Link Trace command is executed, the trace information can be cached so that you can view it later
without retracing.

Task: Enable Link Trace caching.
Command Syntax: traceroute cache
Command Mode: CONFIGURATION

Task: Set the amount of time a trace result is cached.
Command Syntax: traceroute cache hold-time minutes
Default: 100 minutes
Range: 10-65535 minutes
Command Mode: ETHERNET CFM


Task: Set the size of the Link Trace Cache.
Command Syntax: traceroute cache size entries
Default: 100
Range: 1 - 4095 entries
Command Mode: ETHERNET CFM

Task: Display the Link Trace Cache.
Command Syntax: show ethernet cfm traceroute-cache
Command Mode: EXEC Privilege

Force10#show ethernet cfm traceroute-cache
Traceroute to 00:01:e8:52:4a:f8 on Domain Customer2, Level 7, MA name Test2 with VLAN 2
-----------------------------------------------------------------------------
Hops  Host                     IngressMAC         Ingr Action  Relay Action  Next Host                Egress MAC  Egress Action  FWD Status
-----------------------------------------------------------------------------
4     00:00:00:01:e8:53:4a:f8  00:01:e8:52:4a:f8  IngOK        RlyHit        00:00:00:01:e8:52:4a:f8                             Terminal MEP

Task: Delete all Link Trace Cache entries.
Command Syntax: clear ethernet cfm traceroute-cache
Command Mode: EXEC Privilege

Enable CFM SNMP Traps

Task: Enable SNMP trap messages for Ethernet CFM.
Command Syntax: snmp-server enable traps ecfm
Command Mode: CONFIGURATION

A Trap is sent only when one of the five highest priority defects occurs, as shown in Table 6.

Table 6 ECFM SNMP Traps

Cross-connect defect  %ECFM-5-ECFM_XCON_ALARM: Cross connect fault detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000
Error-CCM defect      %ECFM-5-ECFM_ERROR_ALARM: Error CCM Defect detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000
MAC Status defect     %ECFM-5-ECFM_MAC_STATUS_ALARM: MAC Status Defect detected by MEP 1 in Domain provider at Level 4 VLAN 3000
Remote CCM defect     %ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000
RDI defect            %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000


Three values are given within the trap messages: MD Index, MA Index, and MPID. You can reference
these values against the output of show ethernet cfm domain and show ethernet cfm maintenance-points
local mep.

Force10#show ethernet cfm maintenance-points local mep
------------------------------------------------------------------------------
MPID  Domain Name  Level  Type  Port     CCM-Status  MA Name  VLAN  Dir   MAC
------------------------------------------------------------------------------
100   cfm0         7      MEP   Gi 4/10  Enabled     test0    10    DOWN  00:01:e8:59:23:45

Force10(conf-if-gi-0/6)#do show ethernet cfm domain
Domain Name: My_Name
MD Index: 1
Level: 0
Total Service: 1
Services
MA-Index  MA-Name  VLAN  CC-Int  X-CHK Status
1         test           1s      enabled

Domain Name: Your_Name
MD Index: 2
Level: 2
Total Service: 1
Services
MA-Index  MA-Name  VLAN  CC-Int  X-CHK Status
1         test     100   1s      enabled
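The syslog form of the Table 6 traps is regular enough to parse into structured records, which is what a monitoring pipeline needs to tie a defect back to the domain, level and VLAN it affects. The following is an added example, not code from the FTOS guide or from Force10: it extracts the defect type, MEP ID, domain, level and VLAN from each %ECFM-5-*_ALARM line, maps the defect to the cause given in the Continuity Check Messages section above, and groups alarms per (domain, level, VLAN). The sample log consists of the five messages from Table 6 plus one constructed non-ECFM line; the timestamp prefixes are constructed.

```python
"""Parse ECFM alarm syslogs (Table 6) into structured records.

Added example (not Force10 code). The mnemonic pattern and message wording
come from the Table 6 entries above; everything else is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

_ALARM_RE = re.compile(
    r"%ECFM-(?P<severity>\d)-ECFM_(?P<kind>[A-Z_]+?)_ALARM: "
    r"(?P<text>.+?) detected by MEP (?P<mepid>\d+) in Domain (?P<domain>\S+) "
    r"at Level (?P<level>\d) VLAN (?P<vlan>\d+)"
)

# Causes as given in the list of connectivity failure conditions above.
CAUSES = {
    "XCON": "configuration or cross-connect error (incorrect MEP ID or MAID, or CCM at a lower MD level)",
    "ERROR": "configuration error (incorrect CCM transmission interval)",
    "REMOTE": "network failure (loss of 3 consecutive CCMs from a remote MEP)",
    "MAC_STATUS": "failed bridge or aggregated port (port/interface status TLV)",
    "RDI": "remote MEP is signalling a defect (remote defect indication)",
}


@dataclass(frozen=True)
class EcfmAlarm:
    severity: int
    kind: str          # XCON, ERROR, MAC_STATUS, REMOTE or RDI
    mepid: int
    domain: str
    level: int
    vlan: int

    @property
    def cause(self) -> str:
        return CAUSES.get(self.kind, "unknown defect type")


def parse_ecfm_alarm(line: str) -> Optional[EcfmAlarm]:
    """Return the alarm in a syslog line, or None if the line is not an ECFM alarm."""
    m =  _ALARM_RE.search(line)
    if not m:
        return None
    return EcfmAlarm(int(m["severity"]), m["kind"], int(m["mepid"]),
                     m["domain"], int(m["level"]), int(m["vlan"]))


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, int, int], List[EcfmAlarm]]:
    """Group alarms by the service they affect, keyed (domain, level, vlan)."""
    groups: Dict[Tuple[str, int, int], List[EcfmAlarm]] = {}
    for line in lines:
        alarm = parse_ecfm_alarm(line)
        if alarm is not None:
            groups.setdefault((alarm.domain, alarm.level, alarm.vlan), []).append(alarm)
    return groups


# Constructed sample log: the five Table 6 messages plus one unrelated line.
SAMPLE_LOG = [
    "Jul  9 10:00:01: %ECFM-5-ECFM_XCON_ALARM: Cross connect fault detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000",
    "Jul  9 10:00:02: %ECFM-5-ECFM_ERROR_ALARM: Error CCM Defect detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000",
    "Jul  9 10:00:03: %ECFM-5-ECFM_MAC_STATUS_ALARM: MAC Status Defect detected by MEP 1 in Domain provider at Level 4 VLAN 3000",
    "Jul  9 10:00:04: %ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000",
    "Jul  9 10:00:05: %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000",
    "Jul  9 10:00:06: %EXAMPLE-5-OTHER: constructed non-ECFM line that must be ignored",
]

if __name__ == "__main__":
    for key, alarms in summarize(SAMPLE_LOG).items():
        print(key, [(a.kind, a.mepid, a.cause) for a in alarms])
```

Grouping by (domain, level, VLAN) rather than by MEP is what makes the output actionable: the two MEPs of the customer1 service at level 7 report four different defects against the same VLAN, while the provider-level alarm stands alone.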

Display Ethernet CFM Statistics

Task: Display MEP CCM statistics.
Command Syntax: show ethernet cfm statistics [domain {name | level} vlan-id vlan-id mpid mpid]
Command Mode: EXEC Privilege

Force10#show ethernet cfm statistics
Domain Name: Customer
Domain Level: 7
MA Name: My_MA
MPID: 300
CCMs:
  Transmitted:        1503    RcvdSeqErrors:      0
LTRs:
  Unexpected Rcvd:    0
LBRs:
  Received:           0       Rcvd Out Of Order:  0
  Received Bad MSDU:
  Transmitted:


Task: Display CFM statistics by port.
Command Syntax: show ethernet cfm port-statistics [interface]
Command Mode: EXEC Privilege

Force10#show ethernet cfm port-statistics interface gigabitethernet 0/5


Port statistics for port: Gi 0/5
==================================
RX Statistics
=============
Total CFM Pkts 75394 CCM Pkts 75394
LBM Pkts 0 LTM Pkts 0
LBR Pkts 0 LTR Pkts 0
Bad CFM Pkts 0 CFM Pkts Discarded 0
CFM Pkts forwarded 102417
TX Statistics
=============
Total CFM Pkts 10303 CCM Pkts 0
LBM Pkts 0 LTM Pkts 3
LBR Pkts 0 LTR Pkts 0


Chapter 5
802.1X

802.1X is supported on platforms: C-Series, E-Series, S-Series

This chapter has the following sections:

• Protocol Overview on page 95
• Configuring 802.1X on page 99
• Important Points to Remember on page 99
• Enabling 802.1X on page 99
• Configuring Request Identity Re-transmissions on page 102
• Forcibly Authorizing or Unauthorizing a Port on page 104
• Re-authenticating a Port on page 106
• Configuring Timeouts on page 107
• Dynamic VLAN Assignment with Port Authentication on page 108
• Guest and Authentication-fail VLANs on page 109

Protocol Overview
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed
from sending or receiving traffic on the network until its identity can be verified (through a username and
password, for example); all ingress frames, except those used for 802.1X authentication, are dropped. This
feature is named for its IEEE specification.
802.1X employs Extensible Authentication Protocol (EAP) to transfer a device's credentials to an
authentication server (typically RADIUS) via a mandatory intermediary network access device, in this
case, a Force10 switch. The network access device mediates all communication between the end-user
device and the authentication server so that the network remains secure. The network access device uses
EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over RADIUS to
communicate with the server.

[Figure: End-user Device <-- EAP over LAN (EAPOL) --> Force10 switch <-- EAP over RADIUS --> RADIUS Server]


Figure 40 and Figure show how EAP frames are encapsulated in Ethernet and Radius frames.

Note: FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and
MS-CHAPv2 with PEAP.

Figure 40 EAPOL Frame Format
[Figure: nested frame layout.
Ethernet frame: Preamble | Start Frame Delimiter | Destination MAC (01:80:c2:00:00:03) | Source MAC (Auth Port MAC) | Ethernet Type (0x888e) | EAPOL Frame | Padding | FCS
EAPOL Frame: Protocol Version (1) | Packet Type (0: EAP Packet, 1: EAPOL Start, 2: EAPOL Logoff, 3: EAPOL Key, 4: EAPOL Encapsulated-ASF-Alert; range 0-4) | Length | EAP Frame
EAP Frame: Code (1: Request, 2: Response, 3: Success, 4: Failure; range 1-4) | ID (Seq Number) | Length | EAP-Method Frame
EAP-Method Frame: EAP-Method Code (1: Identity, 2: Notification, 3: NAK, 4: MD-5 Challenge, 5: One-Time Challenge, 6: Generic Token Card; range 1-255) | EAP-Method Data (Supplicant Requested Credentials)]

The authentication process involves three devices:

• The device attempting to access the network is the supplicant. The supplicant is not allowed to
communicate on the network until the port is authorized by the authenticator. It can only communicate
with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate
keeper of the network. It translates and forwards requests and responses between the authentication
server and the supplicant. The authenticator also changes the status of the port based on the results of
the authentication process. The Force10 switch is the authenticator.
• The authentication-server selects the authentication method, verifies the information provided by the
supplicant, and grants it network access privileges.

Ports can be in one of two states:

• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in
or out of the port.
• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In
this state, network traffic can be forwarded normally.

Note: The Force10 switches place 802.1X-enabled ports in the unauthorized state by default.


The Port-authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame, and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge. The Access-Challenge is a request that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the requested challenge information in an EAP Response, which is translated and forwarded to the authentication server as another Access-Request.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized, and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. The port state remains unauthorized, and the authenticator forwards an EAP Failure frame.
Figure 41 802.1X Authentication Process

Supplicant <-- EAP over LAN (EAPOL) --> Authenticator <-- EAP over RADIUS --> Authentication Server

Authenticator -> Supplicant:           Request Identity
Supplicant -> Authenticator:           Response Identity
Authenticator -> Authentication Server: Access Request
Authentication Server -> Authenticator: Access Challenge
Authenticator -> Supplicant:           EAP Request
Supplicant -> Authenticator:           EAP Response
Authenticator -> Authentication Server: Access Request
Authentication Server -> Authenticator: Access {Accept | Reject}
Authenticator -> Supplicant:           EAP {Success | Failure}


EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 42 RADIUS Frame Format

RADIUS packet: Code | Identifier | Length | Message-Authenticator Attribute | EAP-Message Attribute
  Code, Range: 1-4. 1: Access-Request, 2: Access-Accept, 3: Access-Reject, 11: Access-Challenge

EAP-Message attribute: Type (79) | Length | EAP-Method Data (Supplicant Requested Credentials)

RADIUS Attributes for 802.1X Support

Force10 systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Table 7 802.1X Supported RADIUS Attributes

Attribute | Name | Description
1  | User-Name | the name of the supplicant to be authenticated.
4  | NAS-IP-Address |
5  | NAS-Port | the physical port number by which the authenticator is connected to the supplicant.
24 | State |
30 | Called-Station-Id |
31 | Calling-Station-Id | relays the supplicant MAC address to the authentication server.
61 | NAS-Port-Type | NAS-port physical port type. 5 indicates Ethernet.
64 | Tunnel-Type |
65 | Tunnel-Medium-Type |
79 | EAP-Message | encapsulates EAP packets
80 | Message-Authenticator | a calculated value included in Access-Requests to prevent spoofing.
81 | Tunnel-Private-Group-ID | associate a tunneled session with a particular group of users.
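The following is an added example, not Force10 or FTOS code, that walks steps 2 and 3 of the port-authentication process: it builds and decapsulates the EAPOL/EAP frame of Figure 40, wraps the EAP frame in the RADIUS Access-Request of Figure 42 with the EAP-Message (79) and Message-Authenticator (80) attributes of Table 7, and verifies the Message-Authenticator the way a server would. The shared secret, MAC address and user name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ETHER_TYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # destination MAC 01:80:c2:00:00:03
# EAPOL packet types and EAP codes as listed in Figure 40
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF_ALERT = range(5)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# RADIUS code and attribute types used below (Figure 42, Table 7)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_CALLING_STATION_ID = 1, 31
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80

def build_eap(code, identifier, method_type=None, data=b""):
    """EAP frame: Code | ID | Length | [EAP-Method Code | EAP-Method Data]; Success/Failure carry no method."""
    body = b"" if method_type is None else bytes([method_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def build_eapol(packet_type, payload=b"", src_mac=b"\x00" * 6):
    """Ethernet header + EAPOL header (version 1, type, length) + body; preamble and FCS omitted."""
    return (PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHER_TYPE_EAPOL)
            + struct.pack("!BBH", 1, packet_type, len(payload)) + payload)

def parse_eapol(frame):
    """Decapsulate an EAPOL frame as the authenticator does in step 3; malformed input raises ValueError."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ether_type = struct.unpack("!H", frame[12:14])[0]
    if ether_type != ETHER_TYPE_EAPOL:
        raise ValueError("not EAPOL (EtherType 0x%04x)" % ether_type)
    version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    if packet_type > EAPOL_ASF_ALERT:
        raise ValueError("unknown EAPOL packet type %d" % packet_type)
    body = frame[18:18 + length]            # trailing Ethernet padding is ignored
    if len(body) != length:
        raise ValueError("EAPOL length field runs past the end of the frame")
    info = {"src": frame[6:12], "version": version, "packet_type": packet_type, "eap": None}
    if packet_type == EAPOL_EAP_PACKET:
        code, ident, eap_len = struct.unpack("!BBH", body[:4].ljust(4, b"\x00"))
        if code not in (1, 2, 3, 4) or eap_len < 4 or eap_len > length:
            raise ValueError("malformed EAP header")
        eap = {"code": code, "id": ident, "type": None, "data": b"", "raw": body[:eap_len]}
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len > 4:
            eap["type"], eap["data"] = body[4], body[5:eap_len]
        info["eap"] = eap
    return info

def _attr(atype, value):
    """RADIUS attribute in Type | Length | Value form; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([atype, len(value) + 2]) + value

def build_access_request(identifier, secret, eap_frame, user_name, supplicant_mac, req_auth=None):
    """Access-Request carrying EAP-Message (79) and a Message-Authenticator (80), which is
    HMAC-MD5 over the whole packet with attribute 80 zeroed, as RFC 3579 section 3.2 specifies."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user_name) + _attr(ATTR_CALLING_STATION_ID, supplicant_mac.encode())
    for i in range(0, len(eap_frame), 253):            # long EAP frames span several attributes
        attrs += _attr(ATTR_EAP_MESSAGE, eap_frame[i:i + 253])
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs) + 18) + req_auth
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def radius_attributes(packet):
    """Walk the TLV list after the 20-byte RADIUS header; yields (type, offset, value)."""
    pos = 20
    while pos < len(packet):
        if pos + 1 >= len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, pos, packet[pos + 2:pos + alen]
        pos += alen

def verify_message_authenticator(packet, secret):
    """Recompute attribute 80 with its value zeroed; False if it is missing or does not match."""
    for atype, pos, value in radius_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False

def eap_from_radius(packet):
    """Reassemble the EAP frame from the EAP-Message attributes, in order."""
    return b"".join(v for t, _, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)

# Steps 2 and 3 of the port-authentication process with constructed sample values
SHARED_SECRET = b"constructed-shared-secret"
response_identity = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")
eapol_frame = build_eapol(EAPOL_EAP_PACKET, response_identity, bytes.fromhex("001122334455"))
decoded = parse_eapol(eapol_frame)
access_request = build_access_request(7, SHARED_SECRET, decoded["eap"]["raw"],
                                      decoded["eap"]["data"], "00:11:22:33:44:55")
```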

Configuring 802.1X
Configuring 802.1X on a port is a two-step process:
1. Enable 802.1X globally. See page 99.
2. Enable 802.1X on an interface. See page 99.

Related Configuration Tasks

Configuring Request Identity Re-transmissions on page 102
Configuring Port-control on page 106
Re-authenticating a Port on page 106
Configuring Timeouts on page 107
Configuring a Guest VLAN on page 110
Configuring an Authentication-fail VLAN on page 110

Important Points to Remember

FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
All platforms support only RADIUS as the authentication server.
On E-Series ExaScale, if the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
802.1X is not supported on port-channels or port-channel members.

Enabling 802.1X
802.1X must be enabled globally and at interface level.


Figure 43 Enabling 802.1X

Topology: Supplicant -- 2/1 -- Authenticator -- 2/2 -- Authentication Server

Force10(conf)#dot1x authentication
Force10(conf)#interface range gigabitethernet 2/1 - 2
Force10(conf-if-range-gi-2/1-2)#dot1x authentication
Force10(conf-if-range-gi-2/1-2)#show config
!
interface GigabitEthernet 2/1
 ip address 2.2.2.2/24
 dot1x authentication
 no shutdown
!
interface GigabitEthernet 2/2
 ip address 1.0.0.1/24
 dot1x authentication
 no shutdown

To enable 802.1X:

Step | Task | Command Syntax | Command Mode
1 | Enable 802.1X globally. | dot1x authentication | CONFIGURATION
2 | Enter INTERFACE mode on an interface or a range of interfaces. | interface [range] | INTERFACE
3 | Enable 802.1X on an interface or a range of interfaces. | dot1x authentication | INTERFACE

Verify that 802.1X is enabled globally and at interface level using the command show running-config | find dot1x from EXEC Privilege mode, as shown in Figure 44.

Figure 44 Verifying 802.1X Global Configuration

Force10#show running-config | find dot1x
dot1x authentication                 <-- 802.1X enabled globally
!
[output omitted]
!
interface GigabitEthernet 2/1
 ip address 2.2.2.2/24
 dot1x authentication                <-- 802.1X enabled on the interface
 no shutdown
!
interface GigabitEthernet 2/2
 ip address 1.0.0.1/24
 dot1x authentication
 no shutdown
--More--

View 802.1X configuration information for an interface using the command show dot1x interface, as
shown in Figure 45.


Figure 45 Verifying 802.1X Interface Configuration

Force10#show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable            <-- 802.1X enabled on the interface
Port Control:           AUTO
Port Auth Status:       UNAUTHORIZED      <-- all ports unauthorized by default
Re-Authentication:      Disable
Untagged VLAN id:       None
Tx Period:              30 seconds
Quiet Period:           60 seconds
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            2
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Configuring Request Identity Re-transmissions

If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.

Note: There are several reasons why the supplicant might fail to respond; the supplicant might have been booting when the request arrived, or there might be a physical layer problem.

To configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame:

Step | Task | Command Syntax | Command Mode
1 | Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. | dot1x tx-period number | INTERFACE
  Range: 1-31536000 (1 year)
  Default: 30

To configure a maximum number of Request Identity re-transmissions:

Step | Task | Command Syntax | Command Mode
1 | Configure a maximum number of times that a Request Identity frame can be re-transmitted by the authenticator. | dot1x max-eap-req number | INTERFACE
  Range: 1-10
  Default: 2

Figure 46 shows configuration information for a port for which the authenticator re-transmits an EAP
Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.

Configuring a Quiet Period after a Failed Authentication

If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but this period can be configured.

Note: The quiet period (dot1x quiet-period) is the re-transmit interval used after a failed authentication, whereas the Request Identity re-transmit interval (dot1x tx-period) is used for an unresponsive supplicant.


To configure the quiet period after a failed authentication:

Step | Task | Command Syntax | Command Mode
1 | Configure the amount of time that the authenticator waits to re-transmit a Request Identity frame after a failed authentication. | dot1x quiet-period seconds | INTERFACE
  Range: 1-65535
  Default: 60

Figure 46 shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and a maximum of 10 times for an unresponsive supplicant, and after a 120-second quiet period following a failed authentication.

Figure 46 Configuring Request Identity Re-transmissions

Force10(conf-if-range-gi-2/1)#dot1x tx-period 90
Force10(conf-if-range-gi-2/1)#dot1x max-eap-req 10
Force10(conf-if-range-gi-2/1)#dot1x quiet-period 120
Force10#show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           AUTO
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Tx Period:              90 seconds       <-- new re-transmit interval
Quiet Period:           120 seconds      <-- new quiet period
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            10               <-- new maximum re-transmissions
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Forcibly Authorizing or Unauthorizing a Port

IEEE 802.1X requires that a port can be manually placed into any of three states:

ForceAuthorized is an authorized state. A device connected to a port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.

ForceUnauthorized is an unauthorized state. A device connected to a port in this state is never subjected to the authentication process and is not allowed to communicate on the network. Placing the port in this state is the same as shutting down the port. Any attempt by the supplicant to initiate authentication is ignored.

Auto is an unauthorized state by default. A device connected to a port in this state is subjected to the authentication process. If the process is successful, the port is authorized and the connected device can communicate on the network. All ports are placed in the auto state by default.

To place a port in one of these three states:

Step | Task | Command Syntax | Command Mode
1 | Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state. | dot1x port-control {force-authorized | force-unauthorized | auto} | INTERFACE
  Default: auto

Figure 47 shows configuration information for a port that has been force-authorized.


Figure 47 Configuring Port-control

Force10(conf-if-gi-2/1)#dot1x port-control force-authorized
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED   <-- new port-control state
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Re-authenticating a Port

Periodic Re-authentication

After the supplicant has been authenticated, and the port has been authorized, the authenticator can be configured to re-authenticate the supplicant periodically. If re-authentication is enabled, the supplicant is required to re-authenticate every 3600 seconds, but this interval can be configured. A maximum number of re-authentications can be configured as well.

To configure re-authentication or the re-authentication period:

Step | Task | Command Syntax | Command Mode
1 | Configure the authenticator to periodically re-authenticate the supplicant. | dot1x reauthentication [interval] seconds | INTERFACE
  Range: 1-65535
  Default: 60

To configure a maximum number of re-authentications:

Step | Task | Command Syntax | Command Mode
1 | Configure the maximum number of times that the supplicant can be re-authenticated. | dot1x reauth-max number | INTERFACE
  Range: 1-10
  Default: 2

Figure 48 Configuring a Re-authentication Period

Force10(conf-if-gi-2/1)#dot1x reauthentication interval 7200
Force10(conf-if-gi-2/1)#dot1x reauth-max 10
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Enable             <-- re-authentication enabled
Untagged VLAN id:       None
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10                 <-- new maximum
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       7200 seconds       <-- new re-authentication period
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. The amount of time that the authenticator waits for a response can be configured.

To terminate the authentication process due to an unresponsive supplicant:

Step | Task | Command Syntax | Command Mode
1 | Terminate the authentication process due to an unresponsive supplicant. | dot1x supplicant-timeout seconds | INTERFACE
  Range: 1-300
  Default: 30

To terminate the authentication process due to an unresponsive authentication server:

Step | Task | Command Syntax | Command Mode
1 | Terminate the authentication process due to an unresponsive authentication server. | dot1x server-timeout seconds | INTERFACE
  Range: 1-300
  Default: 30

Figure 49 shows configuration information for a port for which the authenticator terminates the
authentication process for an unresponsive supplicant or server after 15 seconds.


Figure 49 Configuring a Timeout

Force10(conf-if-gi-2/1)#dot1x port-control force-authorized
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Disable
Guest VLAN id:          NONE
Auth-Fail VLAN:         Disable
Auth-Fail VLAN id:      NONE
Auth-Fail Max-Attempts: NONE
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds         <-- new supplicant timeout
Server Timeout:         15 seconds         <-- new server timeout
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Dynamic VLAN Assignment with Port Authentication

FTOS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. the host sends a dot1x packet to the Force10 system
2. the system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number
3. the RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID.

Step | Task
1 | Configure 802.1X globally and at interface level (see Enabling 802.1X on page 99) along with the relevant RADIUS server configuration (Figure 50).
2 | Make the interface a switchport so that it can be assigned to a VLAN.
3 | Create the VLAN to which the interface will be assigned.
4 | Connect the supplicant to the port configured for 802.1X.
5 | Verify that the port has been authorized and placed in the desired VLAN (Figure 50, output after connecting the device).

Figure 50 shows the configuration on the Force10 system before connecting the end-user device, and the output after connecting the device. The numbered callouts correspond to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 50 Dynamic VLAN Assignment with 802.1X

Topology: End-user Device -- Gi 1/10 -- Force10 switch -- RADIUS Server

Before connecting the end-user device (numbers in parentheses are the step callouts):

Force10(conf-if-gi-1/10)#show config
interface GigabitEthernet 1/10
 no ip address
 switchport                    (2)
 dot1x authentication          (1)
 no shutdown

radius-server host 10.11.197.169 auth-port 1645 key 7 387a7f2df5969da4    (1)

Force10(conf-if-vl-400)#show config
interface Vlan 400             (3)
 no ip address
 shutdown

Force10#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged

    NUM    Status    Description    Q Ports
*   1      Inactive
    400    Inactive                 U Gi 1/10

After connecting the end-user device (4):

Force10#show dot1x interface gigabitethernet 1/10
802.1x information on Gi 1/10:
-----------------------------
Dot1x Status:           Enable
Port Control:           AUTO
Port Auth Status:       AUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       400
Tx Period:              30 seconds
Quiet Period:           60 seconds
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            2
Auth Type:              SINGLE_HOST
Auth PAE State:         Authenticated
Backend State:          Idle

Force10#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged

    NUM    Status    Description    Q Ports
*   1      Inactive
    400    Active                   U Gi 1/10

Guest and Authentication-fail VLANs


Typically, the authenticator (Force10 system) denies the supplicant access to the network until the
supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places
it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates
in the authentication data.
Note: Ports cannot be dynamically assigned to the default VLAN.


If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb terminals such as network printers do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed to access the network without compromising network security.

The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices, and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.

If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.

If a port is already forwarding on the Guest VLAN when 802.1X is enabled, then the port is moved out of the Guest VLAN, and the authentication process begins.

Configuring a Guest VLAN

If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period, see Configuring Timeouts on page 107), the system assumes that the host does not have 802.1X capability, and the port is placed in the Guest VLAN.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using
the command dot1x guest-vlan from INTERFACE mode, as shown in Figure 51.
Figure 51 Configuring a Guest VLAN
Force10(conf-if-gi-1/2)#dot1x guest-vlan 200
Force10(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
switchport
dot1x guest-vlan 200
no shutdown
Force10(conf-if-gi-1/2)#

View your configuration using the command show config from INTERFACE mode, as shown in Figure 51, or using the command show dot1x interface from EXEC Privilege mode, as shown in Figure 53.

Configuring an Authentication-fail VLAN

If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication on page 103). You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.

Configure a port to be placed in the VLAN after failing the authentication process a specified number of times using the command dot1x auth-fail-vlan from INTERFACE mode, as shown in Figure 52. Configure the maximum number of authentication attempts by the authenticator using the keyword max-attempts with this command.

Figure 52 Configuring an Authentication-fail VLAN


Force10(conf-if-gi-1/2)#dot1x auth-fail-vlan 100 max-attempts 5
Force10(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
switchport
dot1x guest-vlan 200
dot1x auth-fail-vlan 100 max-attempts 5
no shutdown
Force10(conf-if-gi-1/2)#

View your configuration using the command show config from INTERFACE mode, as shown in Figure 51, or using the command show dot1x interface from EXEC Privilege mode, as shown in Figure 53.
Figure 53 Viewing Guest and Authentication-fail VLAN Configurations

Force10(conf-if-gi-2/1)#dot1x port-control force-authorized
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Enable
Guest VLAN id:          200
Auth-Fail VLAN:         Enable
Auth-Fail VLAN id:      100
Auth-Fail Max-Attempts: 5
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Multi-host Authentication

Multi-host Authentication is available on platforms: c et s

802.1x assumes that a single end-user is connected to a single authenticator port, as shown in Figure 54;
this one-to-one mode of authentication is called Single-host mode. If multiple end-users are connected to
the same port, a many-to-one configuration, only the first end-user to respond to the identity request is
authenticated. Subsequent responses are ignored, and a system log is generated to indicate reception of
unexpected 802.1x frames. When a port is authorized, the authenticated supplicant MAC address is
associated with the port, and traffic from any other source MACs is dropped.
Figure 54 Single-host Authentication Mode

End-user Device <-- EAP over LAN (EAPOL) --> Force10 switch <-- EAP over RADIUS --> RADIUS Server

When multiple end-users are connected to a single authenticator port, Single-host mode authentication
does not authenticate all end-users, and all but one are denied access to the network. For these cases
(Figure 55), FTOS offers Multi-host mode authentication.
Figure 55 Multi-host Authentication Mode

End-user Devices (several) <-- EAP over LAN (EAPOL) --> Force10 switch <-- EAP over RADIUS --> RADIUS Server

When Multi-host mode authentication is configured, the first client to respond to an identity request is
authenticated, and subsequent responses are still ignored, but since the authenticator expects the possibility
of multiple responses, no system log is generated. After the first supplicant is authenticated, all end-users
attached to the authorized port are allowed to access the network.
If the authorized port becomes unauthorized due to re-authentication failure or the supplicant sends an EAPOL logoff frame, all attached end-users are denied access to the network.

When the host mode is changed on a port that is already authenticated:

Single-host to Multi-host: all devices attached to the port that were previously blocked may access the network; the supplicant does not re-authenticate.

Multi-host to Single-host: the port restarts the authentication process, and the first end-user to respond is authenticated and allowed access.
Task | Command Syntax | Command Mode
Configure Multi-host Authentication mode on a port. Enter no dot1x host-mode to return to Single-host mode. | dot1x host-mode multi-host | INTERFACE
  Default: Single-host mode

Force10(conf-if-gi-2/1)#dot1x port-control force-authorized
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Enable
Guest VLAN id:          200
Auth-Fail VLAN:         Enable
Auth-Fail VLAN id:      100
Auth-Fail Max-Attempts: 5
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Host Mode:              MULTI_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Task | Command Syntax | Command Mode
Configure Single-host Authentication mode on a port. | dot1x host-mode single-host | INTERFACE

Force10(conf-if-gi-2/1)#dot1x port-control force-authorized
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.1x information on Gi 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Enable
Guest VLAN id:          200
Auth-Fail VLAN:         Enable
Auth-Fail VLAN id:      100
Auth-Fail Max-Attempts: 5
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Host Mode:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Chapter 6 IP Access Control Lists (ACL), Prefix Lists, and Route-maps

IP Access Control Lists, Prefix Lists, and Route-maps are supported on platforms: c e s
Ingress IP ACLs are supported on platforms: c e s
Egress IP ACLs are supported on platform: e

Overview

At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter discusses implementing IP ACLs, IP Prefix lists and Route-maps. For MAC ACLs, refer to Chapter 10, Layer 2, on page 47.

An ACL is essentially a filter containing some criteria to match (examine IP, TCP, or UDP packets) and an action to take (permit or deny). ACLs are processed in sequence so that if a packet does not match the criterion in the first filter, the second filter (if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based on the filter's specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).

The number of ACLs supported on a system depends on your CAM size. See CAM Profiling, CAM Allocation, and CAM Optimization in this chapter for more information. Refer to Chapter 3, Content Addressable Memory (CAM), on page 47 for complete CAM profiling information.
This chapter covers the following topics:

IP Access Control Lists (ACLs) on page 116
CAM Profiling, CAM Allocation, and CAM Optimization on page 116
Implementing ACLs on FTOS on page 119
IP Fragment Handling on page 120
Configure a standard IP ACL on page 122
Configure an extended IP ACL on page 125
Configuring Layer 2 and Layer 3 ACLs on an Interface on page 129
Assign an IP ACL to an Interface on page 129
Configuring Ingress ACLs on page 131
Configuring Egress ACLs on page 132
Configuring ACLs to Loopback on page 134
Applying an ACL on Loopback Interfaces on page 134
IP Prefix Lists on page 135
ACL Resequencing on page 140
Route Maps on page 143

IP Access Control Lists (ACLs)

In the Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address. An extended ACL filters traffic based on the following criteria (for more information on ACL supported options see the FTOS Command Reference):

IP protocol number
Source IP address
Destination IP address
Source TCP port number
Destination TCP port number
Source UDP port number
Destination UDP port number

For extended ACL TCP and UDP filters, you can match criteria on specific or ranges of TCP or UDP ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.

When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or FTOS will assign numbers in the order the filters are created. The sequence numbers, whether configured or assigned by FTOS, are listed in the show config and show ip accounting access-list command display output.

Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already written into CAM) without disrupting traffic flow. Existing entries in CAM are shuffled to accommodate the new entries. Hot Lock ACLs are enabled by default and support both standard and extended ACLs on all platforms.

Note: Hot Lock ACLs are supported on Ingress ACLs only.
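The following is an added example, not FTOS code, that evaluates extended IP ACL filters the way the chapter describes: in ascending sequence-number order, first match decides, and the implicit deny applies when nothing matches. The Filter and AccessList classes, the packet dictionaries and the step of 5 for auto-assigned sequence numbers are this example's own assumptions.

```python
import ipaddress

PROTOCOLS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # "ip" matches any protocol
TCP_ACK, TCP_RST = 0x10, 0x04


class Filter:
    """One ACL entry. seq=None lets the list assign the next number, as FTOS does
    when none is given. Port criteria are inclusive (low, high) ranges or None."""

    def __init__(self, seq, action, proto="ip", src="0.0.0.0/0", dst="0.0.0.0/0",
                 src_ports=None, dst_ports=None, established=False):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.seq, self.action, self.proto = seq, action, PROTOCOLS[proto]
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.src_ports, self.dst_ports, self.established = src_ports, dst_ports, established

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        for rng, key in ((self.src_ports, "sport"), (self.dst_ports, "dport")):
            if rng is not None and not (rng[0] <= pkt.get(key, -1) <= rng[1]):
                return False
        # "established" matches only TCP segments with ACK or RST set, never a fresh SYN
        if self.established and not (pkt.get("flags", 0) & (TCP_ACK | TCP_RST)):
            return False
        return True


class AccessList:
    """Filters are evaluated in ascending sequence order; the first match decides."""

    def __init__(self):
        self.filters = []

    def add(self, f):
        if f.seq is None:   # assumed: auto-assigned numbers step by 5 after the highest existing one
            f.seq = max((x.seq for x in self.filters), default=0) + 5
        if any(x.seq == f.seq for x in self.filters):
            raise ValueError("sequence number %d already in use" % f.seq)
        self.filters.append(f)
        self.filters.sort(key=lambda x: x.seq)

    def evaluate(self, pkt):
        """Return (action, matching sequence number); ("deny", None) is the implicit deny."""
        for f in self.filters:
            if f.matches(pkt):
                return f.action, f.seq
        return "deny", None


# Constructed ACL: entry order determines auto-assigned numbers 5, 10, 15; the explicit
# seq 3 entered last is still evaluated first because evaluation follows sequence numbers.
ACL = AccessList()
ACL.add(Filter(None, "permit", "tcp", dst="10.1.1.5/32", dst_ports=(443, 443)))
ACL.add(Filter(None, "permit", "tcp", src="10.1.1.0/24", established=True))
ACL.add(Filter(None, "deny", "udp", dst_ports=(137, 139)))
ACL.add(Filter(3, "deny", "ip", src="10.1.1.66/32"))

# Constructed sample packets (proto 6 = TCP, 17 = UDP; flags 0x02 = SYN, 0x10 = ACK)
PKT_HTTPS = {"proto": 6, "src": "192.0.2.10", "dst": "10.1.1.5", "sport": 50000, "dport": 443, "flags": 0x02}
PKT_SSH_INBOUND = {"proto": 6, "src": "192.0.2.10", "dst": "10.1.1.7", "sport": 50001, "dport": 22, "flags": 0x02}
PKT_RETURN_ACK = {"proto": 6, "src": "10.1.1.7", "dst": "192.0.2.10", "sport": 22, "dport": 50001, "flags": 0x10}
PKT_BLOCKED_HOST = {"proto": 6, "src": "10.1.1.66", "dst": "10.1.1.5", "sport": 40000, "dport": 443, "flags": 0x02}
PKT_NETBIOS = {"proto": 17, "src": "192.0.2.10", "dst": "10.1.1.5", "sport": 138, "dport": 138}
```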

CAM Profiling, CAM Allocation, and CAM Optimization

CAM Profiling is supported on platform: et
User Configurable CAM Allocations are supported on platform: c
CAM optimization is supported on platforms: cs

CAM Profiling

CAM profiling for ACLs is supported on E-Series TeraScale only. For complete information regarding E-Series TeraScale CAM profiles and configuration, refer to Chapter 9, Content Addressable Memory. For information regarding E-Series ExaScale CAM-profile templates and their support of ACLs, refer to Chapter 10, Content Addressable Memory for ExaScale.
The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl.

When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on complexity. For example, TCP and UDP rules with port range options might require more than one CAM entry.

The Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 8 lists the sub-partitions and the percentage of the Layer 2 ACL CAM partition that FTOS allocates to each by default.

Table 8 Layer 2 ACL CAM Sub-partition Sizes

Partition | % Allocated
Sysflow |
L2ACL | 14
*PVST | 50
QoS | 12
L2PT | 13
FRRP |

You can re-configure the amount of space, in percentage, allocated to each sub-partition. As with the IPv4Flow partition, you can configure the Layer 2 ACL partition from EXEC Privilege mode or CONFIGURATION mode.

The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that the selected CAM profile allocates to the Layer 2 ACL partition. FTOS requires that you specify the amount of CAM space for all sub-partitions and that the sum of all sub-partitions is 100%. FTOS displays the following message if the total allocated space is not correct:
% Error: Sum of all regions does not total to 100%.

User Configurable CAM Allocation


User Configurable CAM Allocations are supported on platform

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010

117

Allocate space for IPV6 ACLs on the C-Series by using the cam-acl command in CONFIGURATION
mode.
The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there
are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated. The default CAM
allocation settings on a C-Series are:

• L3 ACL (ipv4acl): 6
• L2 ACL (l2acl): 5
• IPv6 L3 ACL (ipv6acl): 0
• L3 QoS (ipv4qos): 1
• L2 QoS (l2qos): 1

The ipv6acl allocation must be entered as a multiple of 2 (2, 4, 6, 8, 10). All other profile allocations can use
either even or odd numbered ranges.
You must save the new CAM settings to the startup-config (write-mem or copy run start) then reload the
system for the new settings to take effect.

CAM optimization
CAM optimization is supported on platforms: C-Series and S-Series (cs).

When this command is enabled, if a Policy Map containing classification rules (ACL and/or dscp/
ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single
copy of the policy is written (only 1 FP entry will be used). When the command is disabled, the system
behaves as described in this chapter.

Test CAM Usage


The test cam-usage command is supported on platforms: C-Series, E-Series, and S-Series (ces).

This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS
optimization for IPv6 ACLs.


Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy.
Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege
mode to verify the actual CAM space required. Figure 56 gives a sample of the output shown when
executing the command. The status column indicates whether or not the policy can be enabled.
Figure 56 Command Example: test cam-usage (C-Series)
Force10#test cam-usage service-policy input TestPolicy linecard all
Linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
------------------------------------------------------------------------------------
2        | 1        | IPv4Flow      | 232           | 0                      | Allowed
2        | 1        | IPv6Flow      | 0             | 0                      | Allowed
4        | 0        | IPv4Flow      | 232           | 0                      | Allowed
4        | 0        | IPv6Flow      | 0             | 0                      | Allowed
Force10#

Implementing ACLs on FTOS


One IP ACL can be assigned per interface with FTOS. If an IP ACL is not assigned to an interface, it is not
used by the software in any other capacity.
The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for
detailed specification on entries allowed per ACL.
If counters are enabled on IP ACL rules that are already configured, those counters are reset when a new
rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This is applicable
to the following features:

• L2 Ingress Access list
• L2 Egress Access list
• L3 Egress Access list

Note: IP ACLs are supported over VLANs in Version 6.2.1.1 and higher.

ACLs and VLANs


There are some differences when assigning ACLs to a VLAN rather than a physical port. For example,
when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries would get
installed in the ACL CAM on the port-pipe. The entry would look for the incoming VLAN in the packet.
Whereas if you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries would be
installed for each port belonging to a port-pipe.
When you use the log keyword, the CP processor has to log details about the packets that match.
Depending on how many packets match the log entry and at what rate, the CP might become busy as it has to
log these packets' details. However, the other processors (RP1 and RP2) should be unaffected. This option
is typically useful when debugging a problem related to control traffic. We have used this option
numerous times in the field and have not encountered any problems in such usage so far.


ACL Optimization
If an access list contains duplicate entries, FTOS deletes one entry to conserve CAM space.
Standard and Extended ACLs take up the same amount of CAM space. A single ACL rule uses 2 CAM
entries whether it is identified as a Standard or Extended ACL.

Determine the order in which ACLs are used to classify traffic


When you link class-maps to queues using the command service-queue, FTOS matches the class-maps
according to queue priority (queue numbers closer to 0 have lower priorities). For example, in Figure 57,
class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1
and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be
buffered in queue 4.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use
the order keyword to specify the order in which you want to apply ACL rules, as shown in Figure 57. The
order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers (order
numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended.
By default, all ACL rules have an order of 254.
Figure 57 Using the Order Keyword in ACLs
Force10(conf)#ip access-list standard acl1
Force10(config-std-nacl)#permit 20.0.0.0/8
Force10(config-std-nacl)#exit
Force10(conf)#ip access-list standard acl2
Force10(config-std-nacl)#permit 20.1.1.0/24 order 0
Force10(config-std-nacl)#exit
Force10(conf)#class-map match-all cmap1
Force10(conf-class-map)#match ip access-group acl1
Force10(conf-class-map)#exit
Force10(conf)#class-map match-all cmap2
Force10(conf-class-map)#match ip access-group acl2
Force10(conf-class-map)#exit
Force10(conf)#policy-map-input pmap
Force10(conf-policy-map-in)#service-queue 7 class-map cmap1
Force10(conf-policy-map-in)#service-queue 4 class-map cmap2
Force10(conf-policy-map-in)#exit
Force10(conf)#interface gig 1/0
Force10(conf-if-gi-1/0)#service-policy input pmap
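The queue assignment described above, as an added example that is not part of the original guide: a Python model of the CAM write order. It assumes, as the outcome described for Figure 57 implies, that rules are written in ascending order value (default 254) and that, among rules with the same order value, the class-map serving the higher-numbered queue is written first, with the first CAM hit deciding the queue.

```python
# Added example (not FTOS code): models how overlapping standard-ACL rules from
# several class-maps are written into the CAM and which queue a packet lands in.
# Assumptions (labelled): ascending `order` first (default 254); for equal order,
# the class-map of the higher-numbered queue is written first; first CAM hit wins.
from ipaddress import ip_address, ip_network

DEFAULT_ORDER = 254   # every ACL rule has order 254 unless `order` is given


def cam_entries(policy):
    """policy: {queue: [(source_prefix, order), ...]} as built with service-queue.
    Returns (prefix, queue) tuples in the sequence they would be written to CAM."""
    entries = []
    for queue, rules in policy.items():
        for prefix, order in rules:
            entries.append((order, -queue, prefix, queue))
    entries.sort()   # lowest order first, then highest queue number
    return [(prefix, queue) for _, _, prefix, queue in entries]


def classify(policy, src_ip):
    """Queue assigned to a packet with source src_ip (standard ACLs match on
    source address); None when no class-map matches."""
    for prefix, queue in cam_entries(policy):
        if ip_address(src_ip) in ip_network(prefix):
            return queue
    return None


# Figure 57 without the `order 0` keyword on acl2: both rules default to 254, so
# the cmap1 entry (queue 7) is written first and 20.1.1.0/24 traffic lands in queue 7.
POLICY_WITHOUT_ORDER = {7: [("20.0.0.0/8", DEFAULT_ORDER)],
                        4: [("20.1.1.0/24", DEFAULT_ORDER)]}
# Figure 57 as shown: `permit 20.1.1.0/24 order 0` makes the more specific rule win.
POLICY_WITH_ORDER = {7: [("20.0.0.0/8", DEFAULT_ORDER)],
                     4: [("20.1.1.0/24", 0)]}

if __name__ == "__main__":
    for name, pol in [("without order", POLICY_WITHOUT_ORDER),
                      ("with order 0", POLICY_WITH_ORDER)]:
        print(name, "-> 20.1.1.5 queued to", classify(pol, "20.1.1.5"),
              "; 20.9.9.9 queued to", classify(pol, "20.9.9.9"))
```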

IP Fragment Handling
FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and
subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all
Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).


• Both standard and extended ACLs support IP fragments.
• Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these
fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the
packet as a whole cannot be reassembled.
• Implementing the required rules will use a significant number of CAM entries per TCP/UDP entry.
• For IP ACL, FTOS always applies an implicit deny. You do not have to configure it.
• For IP ACL, FTOS applies an implicit permit for second and subsequent fragments just prior to the
implicit deny.
• If an explicit deny is configured, the second and subsequent fragments will not hit the implicit permit
rule for fragments.
• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with
the fragments option and apply it to a loopback interface, the command is accepted, but the offending
rule is not actually installed in CAM.

IP fragments ACL examples


The following configuration permits all packets (both fragmented & non-fragmented) with destination IP
10.1.1.1. The second rule does not get hit at all.
Force10(conf)#ip access-list extended ABC
Force10(conf-ext-nacl)#permit ip any 10.1.1.1/32
Force10(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Force10(conf-ext-nacl)

To deny second/subsequent fragments, use the same rules in a different order. These ACLs deny all second
& subsequent fragments with destination IP 10.1.1.1 but permit the first fragment & non fragmented
packets with destination IP 10.1.1.1 .
Force10(conf)#ip access-list extended ABC
Force10(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Force10(conf-ext-nacl)#permit ip any 10.1.1.1/32
Force10(conf-ext-nacl)

Layer 4 ACL rules examples


In the scenario below, first fragments and non-fragmented TCP packets from 10.1.1.1 with TCP destination
port equal to 24 are permitted. All other fragments are denied.
Force10(conf)#ip access-list extended ABC
Force10(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Force10(conf-ext-nacl)#deny ip any any fragment
Force10(conf-ext-nacl)


In the following, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP
destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are
permitted. All other IP packets that are non-first fragments are denied.
Force10(conf)#ip access-list extended ABC
Force10(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Force10(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
Force10(conf-ext-nacl)#deny ip any any fragment
Force10(conf-ext-nacl)

To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/
UDP fragments, use a configuration similar to the following.
Force10(conf)#ip access-list extended ABC
Force10(conf-ext-nacl)#permit tcp any any fragment
Force10(conf-ext-nacl)#permit udp any any fragment
Force10(conf-ext-nacl)#deny ip any any log
Force10(conf-ext-nacl)

Note the following when configuring ACLs with the fragments keyword.
• When an ACL filters packets, it looks at the Fragment Offset (FO) to determine whether or not the
packet is a fragment.
  - FO = 0 means it is either the first fragment or the packet is a non-fragment.
  - FO > 0 means it is dealing with the fragments of the original packet.
• Permit ACL line with L3 information only, and the fragments keyword is present:
  - If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment
offset (FO) is checked.
  - If a packet's FO > 0, the packet is permitted.
  - If a packet's FO = 0, the next ACL entry is processed.
• Deny ACL line with L3 information only, and the fragments keyword is present:
  - If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment
offset (FO) is checked.
  - If a packet's FO > 0, the packet is denied.
  - If a packet's FO = 0, the next ACL line is processed.
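The fragment-handling rules above and the ABC examples before them, as an added example that is not part of the original guide: a Python evaluator for the subset of extended ACL syntax used in those examples, reproducing the first-match, implicit-permit-for-fragments and implicit-deny behaviour just described. The Rule and Packet fields (seq, fo, dport) and the list names are this example's own.

```python
# Added example (not FTOS code): evaluates FTOS-style extended IP ACLs with the
# `fragments` keyword. Modelled behaviour, as described in the text: first match
# wins; a rule with `fragments` matches only packets with fragment offset FO > 0;
# a rule carrying Layer 4 information (eq port) can never match a non-first
# fragment because the L4 header is absent; an implicit permit for FO > 0 packets
# sits just before the implicit deny and is reached only if no explicit rule
# (an explicit deny included) matched first.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None  # L4 information (eq port); None for an L3-only rule
    fragments: bool = False      # the `fragments` keyword
    log: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    fo: int = 0                  # fragment offset: 0 = first fragment or unfragmented
    dport: Optional[int] = None  # only known when fo == 0 (L4 header present)


def parse_rule(seq: int, line: str) -> Rule:
    """Parse `{permit|deny} proto src dst [eq port] [fragments] [log]`; the examples
    above abbreviate the keyword as `fragment`, which is accepted here as well."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr() -> str:
        nonlocal i
        if tok[i] == "host":
            spec, i = f"host {tok[i + 1]}", i + 2
        else:
            spec, i = tok[i], i + 1
        return spec

    src, dst = addr(), addr()
    rule = Rule(seq, action, proto, src, dst)
    while i < len(tok):
        if tok[i] == "eq":
            rule.dport, i = int(tok[i + 1]), i + 2
        elif tok[i].startswith("fragment"):
            rule.fragments, i = True, i + 1
        elif tok[i] == "log":
            rule.log, i = True, i + 1
        else:                    # count/order/monitor do not change matching
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    return rule


def build_acl(lines: List[str]) -> List[Rule]:
    """Assign sequence numbers in multiples of 5, as FTOS does when none are given."""
    return [parse_rule(5 * (n + 1), line) for n, line in enumerate(lines)]


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason); reason names the matching seq or the implicit rule."""
    for r in acl:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.fragments:
            # L3 match with `fragments`: FO > 0 takes the action, FO = 0 moves on
            if pkt.fo > 0:
                return r.action, f"seq {r.seq}"
            continue
        if r.dport is not None:
            # L4 rule: cannot be applied to second and subsequent fragments
            if pkt.fo > 0 or pkt.dport != r.dport:
                continue
        return r.action, f"seq {r.seq}"
    if pkt.fo > 0:
        return "permit", "implicit fragment permit"
    return "deny", "implicit deny"


# The ACLs named ABC in the examples above, in the order given there
ABC_PERMIT_FIRST = build_acl(["permit ip any 10.1.1.1/32", "deny ip any 10.1.1.1/32 fragments"])
ABC_DENY_FIRST = build_acl(["deny ip any 10.1.1.1/32 fragments", "permit ip any 10.1.1.1/32"])
ABC_L4 = build_acl(["permit tcp host 10.1.1.1 any eq 24", "deny ip any any fragment"])
ABC_L4_FRAG = build_acl(["permit tcp host 10.1.1.1 any eq 24",
                         "permit tcp host 10.1.1.1 any fragment", "deny ip any any fragment"])
ABC_LOG = build_acl(["permit tcp any any fragment", "permit udp any any fragment",
                     "deny ip any any log"])

if __name__ == "__main__":
    frag = Packet("tcp", "10.1.1.1", "10.2.2.2", fo=185)          # constructed non-first fragment
    first = Packet("tcp", "10.1.1.1", "10.2.2.2", fo=0, dport=24)  # constructed first fragment
    for name, acl in [("L4", ABC_L4), ("L4+frag", ABC_L4_FRAG), ("log", ABC_LOG)]:
        print(name, "first:", evaluate(acl, first), "fragment:", evaluate(acl, frag))
```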

Configure a standard IP ACL


To configure an ACL, use commands in the IP ACCESS LIST mode and the INTERFACE mode. The
following list includes the configuration tasks for IP ACLs:
For a complete listing of all commands related to IP ACLs, refer to the FTOS Command Line Interface
Reference document.


Refer to Configure an extended IP ACL on page 125 to set up extended ACLs.


A standard IP ACL uses the source IP address as its match criterion.
Note: On E-Series ExaScale systems, TCP ACL flags are not supported in standard or extended ACLs
with IPv6 microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered
with a TCP filter included.
Force10(conf-ipv6-acl)#seq 8 permit tcp any any urg
May 5 08:32:34: %E90MJ:0 %ACL_AGENT-2-ACL_AGENT_ENTRY_ERROR: Unable to write seq 8 of
list test as individual TCP flags are not supported on linecard 0

To configure a standard IP ACL, use these commands in the following sequence:

Step 1
  Command Syntax: ip access-list standard access-list-name
  Command Mode: CONFIGURATION
  Purpose: Enter IP ACCESS LIST mode by naming a standard IP access list.
Step 2
  Command Syntax: seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-STD-NACL
  Purpose: Configure a drop or forward filter. The log and monitor options are supported on E-Series only.

Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a
new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or
another number.


When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets'
details.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting
access-list ACL-name interface interface command (Figure 226) in EXEC Privilege mode.


Figure 58 Command Example: show ip accounting access-list


Force10#show ip accounting access ToOspf interface gig 1/6
Standard IP access list ToOspf
seq 5 deny any
seq 10 deny 10.2.0.0 /16
seq 15 deny 10.3.0.0 /16
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
Force10#

Figure 59 illustrates how the seq command orders the filters according to the sequence number assigned.
In the example, filter 25 was configured before filter 15, but the show config command displays the
filters in the correct order.
Figure 59 Command example: seq
Force10(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log
Force10(config-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any
Force10(config-std-nacl)#show config
!
ip access-list standard dilling
seq 15 permit tcp 10.3.0.0/16 any
seq 25 deny ip host 10.5.0.0 any log
Force10(config-std-nacl)#

To delete a filter, use the no seq sequence-number command in the IP ACCESS LIST mode.
If you are creating a standard ACL with only one or two filters, you can let FTOS assign a sequence
number based on the order in which the filters are configured. The software assigns filters in multiples of 5.
To configure a filter without a specified sequence number, use these commands in the following sequence,
starting in the CONFIGURATION mode:

Step 1
  Command Syntax: ip access-list standard access-list-name
  Command Mode: CONFIGURATION
  Purpose: Create a standard IP ACL and assign it a unique name.
Step 2
  Command Syntax: {deny | permit} {source [mask] | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-STD-NACL
  Purpose: Configure a drop or forward IP ACL filter. The log and monitor options are supported on E-Series only.


When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets'
details.


Figure 60 illustrates a standard IP ACL in which the sequence numbers were assigned by FTOS. The
filters were assigned sequence numbers based on the order in which they were configured (for example,
the first filter was given the lowest sequence number). The show config command in the IP ACCESS
LIST mode displays the two filters with the sequence numbers 5 and 10.
Figure 60 Standard IP ACL
Force10(config-route-map)#ip access standard kigali
Force10(config-std-nacl)#permit 10.1.0.0/16
Force10(config-std-nacl)#show config
!
ip access-list standard kigali
seq 5 permit 10.1.0.0/16
Force10(config-std-nacl)#

To view all configured IP ACLs, use the show ip accounting access-list command (Figure 229) in the
EXEC Privilege mode.
Figure 61 Command Example: show ip accounting access-list
Force10#show ip accounting access example interface gig 4/12
Extended IP access list example
seq 10 deny tcp any any eq 111
seq 15 deny udp any any eq 111
seq 20 deny udp any any eq 2049
seq 25 deny udp any any eq 31337
seq 30 deny tcp any any range 12345 12346
seq 35 permit udp host 10.21.126.225 10.4.5.0 /28
seq 40 permit udp host 10.21.126.226 10.4.5.0 /28
seq 45 permit udp 10.8.0.0 /16 10.50.188.118 /31 range 1812 1813
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813

To delete a filter, enter the show config command in the IP ACCESS LIST mode and locate the sequence
number of the filter you want to delete. Then use the no seq sequence-number command in the IP
ACCESS LIST mode.

Configure an extended IP ACL


Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP
host addresses, UDP addresses, and UDP host addresses.
Since traffic passes through the filter in the order of the filters sequence, you can configure the extended
IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to the filter.
Note: On E-Series ExaScale systems, TCP ACL flags are not supported in standard or extended ACLs
with IPv6 microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered
with a TCP filter included.
Force10(conf-ipv6-acl)#seq 8 permit tcp any any urg
May 5 08:32:34: %E90MJ:0 %ACL_AGENT-2-ACL_AGENT_ENTRY_ERROR: Unable to write seq 8 of
list test as individual TCP flags are not supported on linecard 0


Configure filters with sequence number


To create a filter for packets with a specified sequence number, use these commands in the following
sequence, starting in the CONFIGURATION mode:

Step 1
  Command Syntax: ip access-list extended access-list-name
  Command Mode: CONFIGURATION
  Purpose: Enter the IP ACCESS LIST mode by creating an extended IP ACL.
Step 2
  Command Syntax: seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a drop or forward filter. The log and monitor options are supported on E-Series only.

When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets'
details.
TCP packets: To create a filter for TCP packets with a specified sequence number, use these commands in
the following sequence, starting in the CONFIGURATION mode:

Step 1
  Command Syntax: ip access-list extended access-list-name
  Command Mode: CONFIGURATION
  Purpose: Create an extended IP ACL and assign it a unique name.
Step 2
  Command Syntax: seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure an extended IP ACL filter for TCP packets. The log and monitor options are supported on E-Series only.

When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets'
details.
UDP packets: To create a filter for UDP packets with a specified sequence number, use these commands
in the following sequence, starting in the CONFIGURATION mode:

Step 1
  Command Syntax: ip access-list extended access-list-name
  Command Mode: CONFIGURATION
  Purpose: Create an extended IP ACL and assign it a unique name.
Step 2
  Command Syntax: seq sequence-number {deny | permit} {ip-protocol-number | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure an extended IP ACL filter for UDP packets. The log and monitor options are supported on E-Series only.


When you create the filters with a specific sequence number, you can create the filters in any order and the
filters are placed in the correct order.
Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a
new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or
another number.

Figure 62 illustrates how the seq command orders the filters according to the sequence number assigned.
In the example, filter 15 was configured before filter 5, but the show config command displays the filters
in the correct order.
Figure 62 Command Example: seq
Force10(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log
Force10(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any
Force10(config-ext-nacl)#show confi
!
ip access-list extended dilling
seq 5 permit tcp 12.1.0.0 0.0.255.255 any
seq 15 deny ip host 112.45.0.0 any log
Force10(config-ext-nacl)#

Configure filters without sequence number


If you are creating an extended ACL with only one or two filters, you can let FTOS assign a sequence
number based on the order in which the filters are configured. FTOS assigns filters in multiples of 5.
To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the
following commands in the IP ACCESS LIST mode:

  Command Syntax: {deny | permit} {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a deny or permit filter to examine IP packets. The log and monitor options are supported on E-Series only.

  Command Syntax: {deny | permit} tcp {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a deny or permit filter to examine TCP packets. The log and monitor options are supported on E-Series only.

  Command Syntax: {deny | permit} udp {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a deny or permit filter to examine UDP packets. The log and monitor options are supported on E-Series only.

When you use the log keyword, the CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets'
details.
Figure 63 illustrates an extended IP ACL in which the sequence numbers were assigned by the software.
The filters were assigned sequence numbers based on the order in which they were configured (for
example, the first filter was given the lowest sequence number). The show config command in the IP
ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
Figure 63 Extended IP ACL
Force10(config-ext-nacl)#deny tcp host 123.55.34.0 any
Force10(config-ext-nacl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0
Force10(config-ext-nacl)#show config
!
ip access-list extended nimule
seq 5 deny tcp host 123.55.34.0 any
seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0
Force10(config-ext-nacl)#

To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip
accounting access-list command (Figure 232) in the EXEC Privilege mode.

Established Flag
The est (established) flag is deprecated for TeraScale series line cards. The flag is only available on legacy
EtherScale line cards. Employ the ack and rst flags in their stead to achieve the same functionality.
To obtain the functionality of est, use the following ACLs:

• permit tcp any any rst
• permit tcp any any ack


Configuring Layer 2 and Layer 3 ACLs on an Interface


Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3
ACLs are applied to an interface, the following rules apply:

• The packets routed by FTOS are governed by the L3 ACL only, since they are not filtered against an
L2 ACL.
• The packets switched by FTOS are first filtered by the L3 ACL, then by the L2 ACL.
• When packets are switched by FTOS, the egress L3 ACL does not filter the packet.

For the following features, if counters are enabled on rules that have already been configured and a new
rule is either inserted or prepended, all the existing counters will be reset:

• L2 Ingress Access list
• L3 Egress Access list
• L2 Egress Access list

If a rule is simply appended, existing counters are not affected.


Table 9 L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior | L3 ACL Behavior | Decision on Targeted Traffic
Deny            | Deny            | Denied by L3 ACL
Deny            | Permit          | Permitted by L3 ACL
Permit          | Deny            | Denied by L2 ACL
Permit          | Permit          | Permitted by L2 ACL


Note: If an interface is configured as a vlan-stack access port, the packets are filtered by an
L2 ACL only. The L3 ACL applied to such a port does not affect traffic. That is, existing rules
for other features (such as trace-list, PBR, and QoS) are applied accordingly to the permitted
traffic.

For information on MAC ACLs, refer to Chapter 24, Layer 2, on page 561.

Assign an IP ACL to an Interface

Ingress and Egress IP ACLs are supported on platform: E-Series (e).
Ingress IP ACLs are supported on platforms: C-Series and S-Series (c and s).


To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port
channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel
interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in
the ACL.
The same ACL may be applied to different interfaces and that changes its functionality. For example, you
can take ACL "ABCD", and apply it using the in keyword and it becomes an ingress access list. If you
apply the same ACL using the out keyword, it becomes an egress access list. If you apply the same ACL
to the loopback interface, it becomes a loopback access list.
This chapter covers the following topics:

• Configuring Ingress ACLs on page 131
• Configuring Egress ACLs on page 132
• Configuring ACLs to Loopback on page 134

For more information on Layer-3 interfaces, refer to Chapter 13, Interfaces, on page 47.
To apply an IP ACL (standard or extended) to a physical or port channel interface, use these commands in
the following sequence in the INTERFACE mode:
Step 1
  Command Syntax: interface interface slot/port
  Command Mode: CONFIGURATION
  Purpose: Enter the interface number.
Step 2
  Command Syntax: ip address ip-address
  Command Mode: INTERFACE
  Purpose: Configure an IP address for the interface, placing it in Layer-3 mode.
Step 3
  Command Syntax: ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-range]
  Command Mode: INTERFACE
  Purpose: Apply an IP ACL to traffic entering or exiting an interface.
    out: configure the ACL to filter outgoing traffic. This keyword is supported only on E-Series.
    Note: The number of entries allowed per ACL is hardware-dependent. Refer to your line card
    documentation for detailed specification on entries allowed per ACL.
Step 4
  Command Syntax: ip access-list [standard | extended] name
  Command Mode: INTERFACE
  Purpose: Apply rules to the new ACL.


To view which IP ACL is applied to an interface, use the show config command (Figure 232) in the
INTERFACE mode or the show running-config command in the EXEC mode.


Figure 64 Command example: show config in the INTERFACE Mode


Force10(conf-if)#show conf
!
interface GigabitEthernet 0/0
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
Force10(conf-if)#

Use only Standard ACLs in the access-class command to filter traffic on Telnet sessions.

Counting ACL Hits


You can view the number of packets matching the ACL by using the count option when creating ACL
entries. E-Series supports packet and byte counts simultaneously. C-Series and S-Series support only one
at any given time.
To view the number of packets matching an ACL that is applied to an interface:

Step 1: Create an ACL that uses rules with the count option. See Configure a standard IP ACL on page 122.
Step 2: Apply the ACL as an inbound or outbound ACL on an interface. See Assign an IP ACL to an Interface
on page 129.
Step 3: View the number of packets matching the ACL using the show ip accounting access-list command from
EXEC Privilege mode.


Configuring Ingress ACLs


Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs
eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target
traffic, it is a simpler implementation.
To create an ingress ACL, use the ip access-group command (Figure 233) in the EXEC Privilege mode.
This example also shows applying the ACL, applying rules to the newly created access group, and viewing
the access list:


Figure 65 Creating an Ingress ACL
Force10(conf)#interface gige 0/0
Force10(conf-if-gige0/0)#ip access-group abcd in
Force10(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd in
no shutdown
Force10(conf-if-gige0/0)#end
Force10#configure terminal
Force10(conf)#ip access-list extended abcd
Force10(config-ext-nacl)#permit tcp any any
Force10(config-ext-nacl)#deny icmp any any
Force10(config-ext-nacl)#permit 1.1.1.2
Force10(config-ext-nacl)#end
Force10#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
permit 1.1.1.2

Use the in keyword to specify ingress.
Begin applying rules to the ACL named abcd.
View the access-list.

Configuring Egress ACLs


Egress Layer 2 and Layer 3 ACLs are supported on platform: E-Series.

Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs
onto physical interfaces protects the system infrastructure from attack, malicious and incidental, by
explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs
onto each interface and achieve the same results. By localizing target traffic, it is a simpler
implementation.
An egress ACL is used when users would like to restrict egress traffic. For example, when DoS attack
traffic is isolated to one particular interface, you can apply an egress ACL to block that particular flow
from exiting the box, thereby protecting downstream devices.
To create an egress ACL, use the ip access-group command (Figure 234) in the EXEC Privilege mode.
This example also shows viewing the configuration, applying rules to the newly created access group, and
viewing the access list:


Figure 66 Creating an Egress ACL
Force10(conf)#interface gige 0/0
Force10(conf-if-gige0/0)#ip access-group abcd out
Force10(conf-if-gige0/0)#show config
!
gigethernet 0/0
no ip address
ip access-group abcd out
no shutdown
Force10(conf-if-gige0/0)#end
Force10#configure terminal
Force10(conf)#ip access-list extended abcd
Force10(config-ext-nacl)#permit tcp any any
Force10(config-ext-nacl)#deny icmp any any
Force10(config-ext-nacl)#permit 1.1.1.2
Force10(config-ext-nacl)#end
Force10#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
permit 1.1.1.2

Use the out keyword to specify egress.
Begin applying rules to the ACL named abcd.
View the access-list.

Egress Layer 3 ACL Lookup for Control-plane IP Traffic


By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping
session from the system, for example, and apply an egress ACL to block this type of traffic on the
interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature
enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and
CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis
whether CPU-generated and CPU-forwarded packets were transmitted successfully.

Task: Apply Egress ACLs to IPv4 system traffic.
  Command Syntax: ip control-plane [egress filter]
  Command Mode: CONFIGURATION
Task: Apply Egress ACLs to IPv6 system traffic.
  Command Syntax: ipv6 control-plane [egress filter]
  Command Mode: CONFIGURATION
Task: Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
  Command Syntax: permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count
  Command Mode: CONFIG-NACL

FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU
traffic is enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address
have the interface MAC address instead of the VRRP virtual MAC address.

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010


Configuring ACLs to Loopback


ACLs can be applied on Loopback interfaces supported on platform

Configuring ACLs onto the CPU in a loopback interface protects the system infrastructure from attack,
malicious and incidental, by explicitly allowing only authorized traffic.
The ACLs on loopback interfaces are applied only to the CPU on the RPM; this eliminates the need to
apply specific ACLs onto all ingress interfaces and achieves the same results. By localizing target traffic, it
is a simpler implementation.
The ACLs target and handle Layer 3 traffic destined to terminate on the system, including routing
protocols, remote access, SNMP, ICMP, etc. Effective filtering of Layer 3 traffic from Layer 3 routers
reduces the risk of attack.
Note: Loopback ACLs are supported only on ingress traffic.

Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the
fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is
not actually installed in CAM.
See also Loopback Interfaces in the Interfaces chapter.

Applying an ACL on Loopback Interfaces


ACLs can be applied on Loopback interfaces supported on platform

To apply an ACL (standard or extended) for loopback, use these commands in the following sequence:

Step 1
  Command Syntax: interface loopback 0
  Command Mode:   CONFIGURATION
  Purpose:        Only loopback 0 is supported for the loopback ACL.

Step 2
  Command Syntax: ip access-list [standard | extended] name
  Command Mode:   CONFIGURATION
  Purpose:        Apply rules to the new ACL.

Step 3
  Command Syntax: ip access-group name in
  Command Mode:   INTERFACE
  Purpose:        Apply an ACL to traffic entering loopback.
                  in: configure the ACL to filter incoming traffic.
                  Note: ACLs for loopback can only be applied to incoming traffic.

To apply ACLs on loopback, use the ip access-group command (Figure 235) in the INTERFACE mode.
This example also shows the interface configuration status, adding rules to the access group, and
displaying the list of rules in the ACL:


Figure 67 Applying an ACL to the Loopback Interface

Force10(conf)#interface loopback 0
Force10(conf-if-lo-0)#ip access-group abcd in
Force10(conf-if-lo-0)#show config
!
interface Loopback 0
no ip address
ip access-group abcd in
no shutdown
Force10(conf-if-lo-0)#end
Force10#configure terminal
Force10(conf)#ip access-list extended abcd
Force10(config-ext-nacl)#permit tcp any any
Force10(config-ext-nacl)#deny icmp any any
Force10(config-ext-nacl)#permit 1.1.1.2
Force10(config-ext-nacl)#end
Force10#show ip accounting access-list
!
Extended Ingress IP access list abcd on Loopback 0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 10 deny icmp any any

(Figure callouts: use the in keyword; add rules to the ACL named abcd; display the ACL.)

Note: See also the section VTY Line Local Authentication and Authorization on page 896.

IP Prefix Lists
Prefix Lists are supported on platforms: C-Series, E-Series, and S-Series

IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching
criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are
processed in sequence so that if a route prefix does not match the criterion in the first filter, the second
filter (if configured) is applied. When the route prefix matches a filter, FTOS drops or forwards the packet
based on the filter's designated action. If the route prefix does not match any of the filters in the prefix list,
the route is dropped (that is, implicit deny).
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route
prefix is A.B.C.D/X where A.B.C.D is a dotted-decimal address and /X is the number of bits that should be
matched of the dotted decimal address. For example, in 112.24.0.0/16, the first 16 bits of the address
112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.
Below are some examples that permit or deny filters for specific routes using the le and ge parameters,
where x.x.x.x/x represents a route prefix:

To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8
To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20

The following rules apply to prefix lists:

A prefix list without any permit or deny filters allows all routes.
An implicit deny is assumed (that is, the route is dropped) for all route prefixes that do not match a
permit or deny filter in a configured prefix list.
Once a route matches a filter, the filter's action is applied. No additional filters are applied to the route.

Implementation Information
In FTOS, prefix lists are used in processing routes for routing protocols (for example, RIP, OSPF, and
BGP).
Note: The S-Series platform does not support all protocols. It is important to know which protocol you are
supporting prior to implementing Prefix-Lists.

Configuration Task List for Prefix Lists


To configure a prefix list, you must use commands in the PREFIX LIST, the ROUTER RIP, ROUTER
OSPF, and ROUTER BGP modes. Basically, you create the prefix list in the PREFIX LIST mode, and
assign that list to commands in the ROUTER RIP, ROUTER OSPF and ROUTER BGP modes.
The following list includes the configuration tasks for prefix lists:

Configure a prefix list on page 136


Use a prefix list for route redistribution on page 139

For a complete listing of all commands related to prefix lists, refer to the FTOS Command Line Interface
Reference document.

Configure a prefix list


To configure a prefix list, use these commands in the following sequence, starting in the
CONFIGURATION mode:

Step 1
  Command Syntax: ip prefix-list prefix-name
  Command Mode:   CONFIGURATION
  Purpose:        Create a prefix list and assign it a unique name.
                  You are in the PREFIX LIST mode.

Step 2
  Command Syntax: seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
  Command Mode:   CONFIG-NPREFIXL
  Purpose:        Create a prefix list filter with a sequence number and a deny or permit action. The
                  optional parameters are:
                  ge min-prefix-length: the minimum prefix length to be matched (0 to 32).
                  le max-prefix-length: the maximum prefix length to be matched (0 to 32).

If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list
filter to permit all routes (permit 0.0.0.0/0 le 32). The permit all filter should be the last filter in your
prefix list. To permit the default route only, enter permit 0.0.0.0/0.
Figure 68 illustrates how the seq command orders the filters according to the sequence number assigned.
In the example, filter 20 was configured before filter 15 and 12, but the show config command displays
the filters in the correct order.
Figure 68 Command Example: seq
Force10(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32
Force10(conf-nprefixl)#seq 12 deny 134.23.0.0 /16
Force10(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16
Force10(conf-nprefixl)#show config
!
ip prefix-list juba
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
Force10(conf-nprefixl)#

Note that the last line in the prefix list juba contains a permit-all statement. By including this line in a prefix
list, you specify that all routes not matching any criteria in the prefix list are forwarded.
To delete a filter, use the no seq sequence-number command in the PREFIX LIST mode.
If you are creating a standard prefix list with only one or two filters, you can let FTOS assign a sequence
number based on the order in which the filters are configured. FTOS assigns sequence numbers in multiples of
five.
To configure a filter without a specified sequence number, use these commands in the following sequence
starting in the CONFIGURATION mode:

Step 1
  Command Syntax: ip prefix-list prefix-name
  Command Mode:   CONFIGURATION
  Purpose:        Create a prefix list and assign it a unique name.

Step 2
  Command Syntax: {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
  Command Mode:   CONFIG-NPREFIXL
  Purpose:        Create a prefix list filter with a deny or permit action. The optional parameters
                  are:
                  ge min-prefix-length: the minimum prefix length to be matched (0 to 32).
                  le max-prefix-length: the maximum prefix length to be matched (0 to 32).

Figure 69 illustrates a prefix list in which the sequence numbers were assigned by the software. The filters
were assigned sequence numbers based on the order in which they were configured (for example, the first
filter was given the lowest sequence number). The show config command in the PREFIX LIST mode
displays the two filters with the sequence numbers 5 and 10.
Figure 69 Prefix List
Force10(conf-nprefixl)#permit 123.23.0.0 /16
Force10(conf-nprefixl)#deny 133.24.56.0 /8
Force10(conf-nprefixl)#show conf
!
ip prefix-list awe
seq 5 permit 123.23.0.0/16
seq 10 deny 133.0.0.0/8
Force10(conf-nprefixl)#

To delete a filter, enter the show config command in the PREFIX LIST mode and locate the sequence
number of the filter you want to delete; then use the no seq sequence-number command in the PREFIX
LIST mode.
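As an added example (not FTOS code), the following Python model reproduces the prefix-list behaviour described in this section: the ge/le window, automatic sequence numbers in multiples of five, display in sequence order, the implicit deny, and an empty list permitting all routes. The build_juba helper is a hypothetical name; the list it builds and the route prefixes evaluated against it are constructed from Figure 68.

```python
# Prefix-list evaluator: an added example, not FTOS code. It models the filter
# semantics this section describes: filters are checked in ascending sequence
# number, the first matching filter's action wins, a route matching no filter
# hits the implicit deny, and ge/le bound the route's prefix length.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepts the CLI shapes shown in the guide, e.g. "seq 15 deny 120.23.14.0 /8 le 16".
FILTER_RE = re.compile(
    r"^(?:seq\s+(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s*/\s*(?P<len>\d+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?$"
)


@dataclass
class PrefixFilter:
    seq: int
    action: str
    network: ipaddress.IPv4Network  # host bits cleared, as show config displays it
    ge: Optional[int]
    le: Optional[int]

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route's leading bits must equal the filter's network ...
        if not route.subnet_of(self.network):
            return False
        # ... and its length must fall in the window ge/le define. Without either
        # keyword only an exact length counts; "le 32" alone means "this network
        # and anything longer", which is why "permit 0.0.0.0/0 le 32" permits all.
        if self.ge is None and self.le is None:
            return route.prefixlen == self.network.prefixlen
        low = self.ge if self.ge is not None else self.network.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high

    def config_line(self) -> str:
        line = f" seq {self.seq} {self.action} {self.network}"
        if self.ge is not None:
            line += f" ge {self.ge}"
        if self.le is not None:
            line += f" le {self.le}"
        return line


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.filters: List[PrefixFilter] = []  # always kept sorted by seq

    def add(self, line: str) -> PrefixFilter:
        """Add a filter from its CLI text; without seq, the next multiple of five is assigned."""
        m = FILTER_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised prefix-list filter: {line!r}")
        if m["seq"] is not None:
            seq = int(m["seq"])
        else:
            seq = (max((f.seq for f in self.filters), default=0) // 5 + 1) * 5
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        for bound in (ge, le):
            if bound is not None and not 0 <= bound <= 32:
                raise ValueError(f"ge/le must be 0 to 32: {line!r}")
        # strict=False clears host bits: "120.23.14.0 /8" is stored as 120.0.0.0/8.
        net = ipaddress.IPv4Network(f"{m['addr']}/{m['len']}", strict=False)
        new = PrefixFilter(seq, m["action"], net, ge, le)
        # Re-entering an existing sequence number replaces that filter.
        self.filters = sorted([f for f in self.filters if f.seq != seq] + [new],
                              key=lambda f: f.seq)
        return new

    def evaluate(self, prefix: str) -> str:
        """Return 'permit' or 'deny' for a route prefix such as '134.23.1.0/24'."""
        if not self.filters:
            return "permit"  # a list with no filters allows all routes
        route = ipaddress.IPv4Network(prefix, strict=False)
        for f in self.filters:  # sequence order; first match wins
            if f.matches(route):
                return f.action
        return "deny"  # implicit deny

    def show_config(self) -> List[str]:
        return [f"ip prefix-list {self.name}"] + [f.config_line() for f in self.filters]


def build_juba() -> PrefixList:
    """The list from Figure 68, entered out of sequence order as in the figure."""
    juba = PrefixList("juba")
    for text in ("seq 20 permit 0.0.0.0/0 le 32",
                 "seq 12 deny 134.23.0.0 /16",
                 "seq 15 deny 120.23.14.0 /8 le 16"):
        juba.add(text)
    return juba
```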
To view all configured prefix lists, use either of the following commands in the EXEC mode:

Command Syntax: show ip prefix-list detail [prefix-name]
  Command Mode: EXEC Privilege
  Purpose:      Show detailed information about configured prefix lists.

Command Syntax: show ip prefix-list summary [prefix-name]
  Command Mode: EXEC Privilege
  Purpose:      Show a table of summarized information about configured prefix lists.

Figure 70 Command example: show ip prefix-list detail


Force10>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.100.1.0/24 (hit count: 0)
seq 6 deny 200.200.1.0/24 (hit count: 0)
seq 7 deny 200.200.2.0/24 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
Force10>

Figure 71 Command Example: show ip prefix-list summary


Force10>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
Force10>

Use a prefix list for route redistribution


To pass traffic through a configured prefix list, you must use the prefix list in a route redistribution
command. The prefix list is applied to all traffic redistributed into the routing process and the traffic is
either forwarded or dropped depending on the criteria and actions specified in the prefix list.
To apply a filter to routes in RIP (RIP is supported on C and E-Series.), use either of the following
commands in the ROUTER RIP mode:

Command Syntax: router rip
  Command Mode: CONFIGURATION
  Purpose:      Enter RIP mode.

Command Syntax: distribute-list prefix-list-name in [interface]
  Command Mode: CONFIG-ROUTER-RIP
  Purpose:      Apply a configured prefix list to incoming routes. You can specify an interface.
                If you enter the name of a nonexistent prefix list, all routes are forwarded.

Command Syntax: distribute-list prefix-list-name out [interface | connected | static | ospf]
  Command Mode: CONFIG-ROUTER-RIP
  Purpose:      Apply a configured prefix list to outgoing routes. You can specify an interface or
                type of route.
                If you enter the name of a nonexistent prefix list, all routes are forwarded.

To view the configuration, use the show config command in the ROUTER RIP mode (Figure 240) or the
show running-config rip command in the EXEC mode.


Figure 72 Command Example: show config in the ROUTER RIP Mode


Force10(conf-router_rip)#show config
!
router rip
distribute-list prefix juba out
network 10.0.0.0
Force10(conf-router_rip)#router ospf 34

To apply a filter to routes in OSPF, use either of the following commands in the ROUTER OSPF mode:

Command Syntax: router ospf
  Command Mode: CONFIGURATION
  Purpose:      Enter OSPF mode.

Command Syntax: distribute-list prefix-list-name in [interface]
  Command Mode: CONFIG-ROUTER-OSPF
  Purpose:      Apply a configured prefix list to incoming routes. You can specify an interface.
                If you enter the name of a nonexistent prefix list, all routes are forwarded.

Command Syntax: distribute-list prefix-list-name out [connected | rip | static]
  Command Mode: CONFIG-ROUTER-OSPF
  Purpose:      Apply a configured prefix list to outgoing routes. You can specify which type of
                routes are affected.
                If you enter the name of a nonexistent prefix list, all routes are forwarded.

To view the configuration, use the show config command in the ROUTER OSPF mode (Figure 241) or
the show running-config ospf command in the EXEC mode.
Figure 73 Command Example: show config in ROUTER OSPF Mode
Force10(conf-router_ospf)#show config
!
router ospf 34
network 10.2.1.1 255.255.255.255 area 0.0.0.1
distribute-list prefix awe in
Force10(conf-router_ospf)#

ACL Resequencing
Resequencing an ACL or Prefix List is supported on platform

ACL Resequencing allows you to renumber the rules and remarks in an access or prefix list. The
placement of rules within the list is critical because packets are matched against rules in sequential order.
Use Resequencing whenever there is no longer an opportunity to order new rules as desired using the current
numbering scheme.
For example, Table 10 contains some rules that are numbered in increments of 1. No new rules can be
placed between these, so apply resequencing to create numbering space, as shown in Table 11. In the same
example, apply resequencing if more than two rules must be placed between rules 7 and 10.


IPv4 and IPv6 ACLs and prefixes and MAC ACLs can be resequenced. No CAM writes happen as a result
of resequencing, so there is no packet loss; the behavior is like Hot-lock ACLs.

Note: ACL Resequencing does not affect the rules or remarks or the order in which they are applied. It
merely renumbers them so that new rules can be placed within the list as desired.

Table 10 ACL Resequencing Example (Insert New Rules)

seq 5 permit any host 1.1.1.1
seq 6 permit any host 1.1.1.2
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4

Table 11 ACL Resequencing Example (Resequenced)

seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4

Resequencing an ACL or Prefix List


Resequencing is available for IPv4 and IPv6 ACLs and prefix lists and MAC ACLs. To resequence an
ACL or prefix list, use the appropriate command in Table 12. You must specify the list name, starting
number, and increment when using these commands.

Table 12 Resequencing ACLs and Prefix Lists

List: IPv4, IPv6, or MAC ACL
  Command:      resequence access-list {ipv4 | ipv6 | mac} {access-list-name StartingSeqNum Step-to-Increment}
  Command Mode: Exec

List: IPv4 or IPv6 prefix-list
  Command:      resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment}
  Command Mode: Exec

Figure 74 shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by
2.


Figure 74 Resequencing ACLs


Force10(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
Force10# end
Force10# resequence access-list ipv4 test 2 2
Force10# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4

Remarks and rules that originally have the same sequence number have the same sequence number after
the resequence command is applied. Remarks that do not have a corresponding rule are incremented
as a rule. These two mechanisms allow remarks to retain their original position in the list.
For example, in Figure 75, remark 10 corresponds to rule 10 and as such they have the same number before
and after the command is entered. Remark 4 is incremented as a rule, and all rules have retained their
original positions.


Figure 75 Resequencing Remarks


Force10(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
Force10# end
Force10# resequence access-list ipv4 test 2 2
Force10# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4
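The renumbering shown in Figure 74 and Figure 75, and the numbering-space problem of Table 10, modelled as an added Python example (not FTOS code). The ACL text is constructed from the show config output in Figure 74; parse_acl, resequence, render and free_slots are hypothetical helper names.

```python
# ACL resequencing model: an added example, not FTOS code. It reproduces the
# renumbering Figure 74 shows, including how remarks keep their position.
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    kind: str  # "remark" or "seq" (a rule)
    seq: int
    text: str  # remark text, or the rule body after its sequence number


def parse_acl(lines: List[str]) -> List[Entry]:
    """Read 'remark N ...' and 'seq N ...' lines in the order show config prints them."""
    entries = []
    for line in lines:
        words = line.split()
        if len(words) >= 3 and words[0] in ("remark", "seq") and words[1].isdigit():
            entries.append(Entry(words[0], int(words[1]), " ".join(words[2:])))
    return entries


def resequence(entries: List[Entry], start: int, step: int) -> List[Entry]:
    """Renumber as 'resequence access-list ... start step' does.

    Rules receive start, start+step, ... in their existing order. A remark whose
    number equals that of the next rule shares the rule's new number; a remark
    with no corresponding rule is incremented as if it were a rule.
    """
    if start < 1 or step < 1:
        raise ValueError("starting number and increment must be positive")
    out: List[Entry] = []
    nxt = start
    for i, entry in enumerate(entries):
        if entry.kind == "remark":
            following = next((e for e in entries[i + 1:] if e.kind == "seq"), None)
            if following is not None and following.seq == entry.seq:
                out.append(Entry("remark", nxt, entry.text))  # share; do not advance
                continue
        out.append(Entry(entry.kind, nxt, entry.text))
        nxt += step
    return out


def render(entries: List[Entry]) -> List[str]:
    return [f"{e.kind} {e.seq} {e.text}" for e in entries]


def free_slots(entries: List[Entry], after_seq: int) -> int:
    """How many new rules fit between rule after_seq and the next rule: the
    reason to resequence (Table 10 has only two free numbers between 7 and 10)."""
    rules = sorted(e.seq for e in entries if e.kind == "seq")
    idx = rules.index(after_seq)
    if idx + 1 == len(rules):
        raise ValueError(f"rule {after_seq} is the last rule")
    return rules[idx + 1] - after_seq - 1


# Constructed from the "show config" output in Figure 74.
FIGURE_74 = """\
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
"""
```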

Route Maps
Route-maps are supported on platforms: C-Series, E-Series, and S-Series

Like ACLs and prefix lists, route maps are composed of a series of commands that contain a matching
criterion and an action, yet route maps can change the packets meeting the criterion. ACLs and prefix lists
can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For
example, a route map can be called to filter only specific routes and to add a metric.
Route maps also have an implicit deny. Unlike ACLs and prefix lists, however, where the packet or
traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not
redistributed.

Implementation Information
The FTOS implementation of route maps allows route maps with no match command or no set command.
When there is no match command, all traffic matches the route map and the set command applies.

Important Points to Remember

For route-maps with more than one match clause:
If two or more match clauses within the same route-map sequence have the same match
command (though the values are different), matching a packet against these clauses is a
logical OR operation.
If two or more match clauses within the same route-map sequence have different match
commands, matching a packet against these clauses is a logical AND operation.
If no match is found in a route-map sequence, the process moves to the next route-map sequence until
a match is found, or there are no more sequences.
When a match is found, the packet is forwarded; no more route-map sequences are processed.
If a continue clause is included in the route-map sequence, the next or a specified route-map
sequence is processed after a match is found.

Configuration Task List for Route Maps


You configure route maps in the ROUTE-MAP mode and apply them in various commands in the
ROUTER RIP and ROUTER OSPF modes.
The following list includes the configuration tasks for route maps:

Create a route map on page 144 (mandatory)


Configure route map filters on page 146 (optional)
Configure a route map for route redistribution on page 149 (optional)
Configure a route map for route tagging on page 150 (optional)

Create a route map


Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route
map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters
match certain routes and set or specify values.
To create a route map and enter the ROUTE-MAP mode, use the following command in the
CONFIGURATION mode:

Command Syntax: route-map map-name [permit | deny] [sequence-number]
  Command Mode: CONFIGURATION
  Purpose:      Create a route map and assign it a unique name.
                The optional permit and deny keywords are the action of the route map. The default is
                permit.
                The optional parameter seq allows you to assign a sequence number to the route map
                instance.

The default action is permit and the default sequence number starts at 10. When the keyword deny is used
in configuring a route map, routes that meet the match filters are not redistributed.
To view the configuration, use the show config command in the ROUTE-MAP mode (Figure 244).

Figure 76 Command Example: show config in the ROUTE-MAP Mode


Force10(config-route-map)#show config
!
route-map dilling permit 10
Force10(config-route-map)#

You can create multiple instances of this route map by using the sequence number option to place the route
maps in the correct order. FTOS processes the route maps with the lowest sequence number first. When a
configured route map is applied to a command, like redistribute, traffic passes through all instances of
that route map until a match is found. Figure 77 shows an example with two instances of a route map.
Figure 77 Command Example: show route-map with Multiple Instances of a Route Map
Force10#show route-map
route-map zakho, permit, sequence 10
Match clauses:
Set clauses:
route-map zakho, permit, sequence 20
Match clauses:
interface GigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
Force10#

(Figure callout: route map zakho has two instances.)

To delete all instances of that route map, use the no route-map map-name command. To delete just one
instance, add the sequence number to the command syntax (Figure 246).
Figure 78 Deleting One Instance of a Route Map
Force10(conf)#no route-map zakho 10
Force10(conf)#end
Force10#show route-map
route-map zakho, permit, sequence 20
Match clauses:
interface GigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
Force10#

Figure 79 shows an example of a route map with multiple instances. The show config command displays
only the configuration of the current route map instance. To view all instances of a specific route map, use
the show route-map command.


Figure 79 Command Example: show route-map


Force10#show route-map dilling
route-map dilling, permit, sequence 10
Match clauses:
Set clauses:
route-map dilling, permit, sequence 15
Match clauses:
interface Loopback 23
Set clauses:
tag 3444
Force10#

To delete a route map, use the no route-map map-name command in the CONFIGURATION mode.

Configure route map filters


Within the ROUTE-MAP mode, there are match and set commands. Basically, match commands search
for a certain criterion in the routes and the set commands change the characteristics of those routes, either
adding something or specifying a level.
When there are multiple match commands with the same parameter under one instance of a route-map,
FTOS treats them as alternatives: the route matches if it satisfies any one of them. When there are multiple
match commands with different parameters, FTOS matches the route ONLY if ALL of the match commands
are satisfied. The following examples illustrate this:

Example 1
Force10(conf)#route-map force permit 10
Force10(config-route-map)#match tag 1000
Force10(config-route-map)#match tag 2000
Force10(config-route-map)#match tag 3000

In the above route-map, if a route has any of the tag values specified in the match commands, then there is a
match.

Example 2
Force10(conf)#route-map force permit 10
Force10(config-route-map)#match tag 1000
Force10(config-route-map)#match metric 2000

In the above route-map, only if a route has both the characteristics mentioned in the route-map, it is
matched. Explaining further, the route must have a tag value of 1000 and a metric value of 2000. Only
then is there a match.


Also, if there are different instances of the same route-map, it is sufficient if a permit match happens in
any instance of that route-map. As an example:
Force10(conf)#route-map force permit 10
Force10(config-route-map)#match tag 1000
Force10(conf)#route-map force deny 20
Force10(config-route-map)#match tag 1000
Force10(conf)#route-map force deny 30
Force10(config-route-map)#match tag 1000

In the above route-map, instance 10 permits the route having a tag value of 1000 and instances 20 and 30
deny the route having a tag value of 1000. In this scenario, FTOS scans all the instances of the
route-map for any permit statement. If there is a match anywhere, the route is permitted, even though other
instances of the route-map deny it.
To configure match criterion for a route map, use any or all of the following commands in the
ROUTE-MAP mode:
Command Syntax: match as-path as-path-name
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match routes with the same AS-PATH numbers.

Command Syntax: match community community-list-name [exact]
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match routes with COMMUNITY list attributes in their path.

Command Syntax: match interface interface
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match routes whose next hop is a specific interface. The parameters are:
                For a Fast Ethernet interface, enter the keyword FastEthernet followed by the
                slot/port information.
                For a 1-Gigabit Ethernet interface, enter the keyword gigabitEthernet followed
                by the slot/port information.
                For a loopback interface, enter the keyword loopback followed by a number
                between zero (0) and 16383.
                For a port channel interface, enter the keyword port-channel followed by a
                number from 1 to 255 for TeraScale and ExaScale, 1 to 32 for EtherScale.
                For a SONET interface, enter the keyword sonet followed by the slot/port
                information.
                For a 10-Gigabit Ethernet interface, enter the keyword tengigabitEthernet
                followed by the slot/port information.
                For a VLAN, enter the keyword vlan followed by a number from 1 to 4094.
                E-Series ExaScale platforms support 4094 VLANs with FTOS version 8.2.1.0
                and later. Earlier ExaScale supports 2094 VLANs.

Command Syntax: match ip address prefix-list-name
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match destination routes specified in a prefix list (IPv4).

Command Syntax: match ipv6 address prefix-list-name
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match destination routes specified in a prefix list (IPv6).

Command Syntax: match ip next-hop {access-list-name | prefix-list prefix-list-name}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match next-hop routes specified in a prefix list (IPv4).

Command Syntax: match ipv6 next-hop {access-list-name | prefix-list prefix-list-name}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match next-hop routes specified in a prefix list (IPv6).

Command Syntax: match ip route-source {access-list-name | prefix-list prefix-list-name}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match source routes specified in a prefix list (IPv4).

Command Syntax: match ipv6 route-source {access-list-name | prefix-list prefix-list-name}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match source routes specified in a prefix list (IPv6).

Command Syntax: match metric metric-value
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match routes with a specific value.

Command Syntax: match origin {egp | igp | incomplete}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match BGP routes based on the ORIGIN attribute.

Command Syntax: match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally
                generated.

Command Syntax: match tag tag-value
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Match routes with a specific tag.

To configure a set condition, use any or all of the following commands in the ROUTE-MAP mode:
Command Syntax: set as-path prepend as-number [... as-number]
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Add an AS-PATH number to the beginning of the AS-PATH.

Command Syntax: set automatic-tag
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Generate a tag to be added to redistributed routes.

Command Syntax: set level {backbone | level-1 | level-1-2 | level-2 | stub-area}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Specify an OSPF area or ISIS level for redistributed routes.

Command Syntax: set local-preference value
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Specify a value for the BGP route's LOCAL_PREF attribute.

Command Syntax: set metric {+ | - | metric-value}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Specify a value for redistributed routes.

Command Syntax: set metric-type {external | internal | type-1 | type-2}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Specify an OSPF or ISIS type for redistributed routes.

Command Syntax: set next-hop ip-address
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Assign an IP address as the route's next hop.

Command Syntax: set ipv6 next-hop ip-address
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Assign an IPv6 address as the route's next hop.

Command Syntax: set origin {egp | igp | incomplete}
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Assign an ORIGIN attribute.

Command Syntax: set tag tag-value
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Specify a tag for the redistributed routes.

Command Syntax: set weight value
  Command Mode: CONFIG-ROUTE-MAP
  Purpose:      Specify a value as the route's weight.

Use these commands to create route map instances. There is no limit to the number of set and match
commands per route map, but the convention is to keep the number of match and set filters in a route map
low. Set commands do not require a corresponding match command.
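The match, set, and instance-ordering rules described above, as an added Python example (not FTOS code). It models only the match and set kinds this section's examples and figures use (tag, metric, interface, route-type, level); the Route attributes are an assumption, and the sample configurations are constructed from Example 1 and Figure 80.

```python
# Route-map evaluator: an added example, not FTOS code. It models only the
# match/set kinds used by this section's figures (tag, metric, interface,
# route-type, level); the route attributes it compares are constructed.
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str
    interface: str = ""  # next-hop interface, e.g. "GigabitEthernet 0/0"
    metric: int = 0
    tag: int = 0
    route_type: str = "internal"
    level: str = ""


@dataclass
class Instance:
    seq: int
    action: str  # "permit" or "deny"
    matches: Dict[str, List[str]] = field(default_factory=dict)  # kind -> values
    sets: Dict[str, str] = field(default_factory=dict)

    def matches_route(self, route: Route) -> bool:
        # Repeated match command of one kind: any value may match (OR); different
        # kinds must all match (AND); no match command at all matches every route.
        for kind, values in self.matches.items():
            if str(getattr(route, kind.replace("-", "_"))) not in values:
                return False
        return True

    def apply_sets(self, route: Route) -> Route:
        out = replace(route)
        for kind, value in self.sets.items():
            if kind == "tag":
                out.tag = int(value)
            elif kind == "metric":  # set metric {+ | - | metric-value}
                out.metric = out.metric + int(value) if value[0] in "+-" else int(value)
            elif kind == "level":
                out.level = value
            else:
                raise ValueError(f"set {kind} is not modelled in this example")
        return out


class RouteMap:
    def __init__(self, name: str) -> None:
        self.name = name
        self.instances: List[Instance] = []

    @classmethod
    def from_config(cls, text: str) -> "RouteMap":
        """Parse one route map's configuration text, as show running-config prints it."""
        rm: Optional["RouteMap"] = None
        current: Optional[Instance] = None
        for line in text.splitlines():
            words = line.split()
            if not words or words[0] == "!":
                continue
            if words[0] == "route-map":
                # route-map map-name [permit | deny] [sequence-number]; defaults: permit, 10
                action = words[2] if len(words) > 2 else "permit"
                seq = int(words[3]) if len(words) > 3 else 10
                rm = rm or cls(words[1])
                current = Instance(seq, action)
                rm.instances.append(current)
            elif current is None:
                raise ValueError(f"clause before any route-map line: {line!r}")
            elif words[0] == "match":
                if not hasattr(Route("x"), words[1].replace("-", "_")):
                    raise ValueError(f"match {words[1]} is not modelled in this example")
                current.matches.setdefault(words[1], []).append(" ".join(words[2:]))
            elif words[0] == "set":
                current.sets[words[1]] = " ".join(words[2:])
        if rm is None:
            raise ValueError("no route-map line found")
        rm.instances.sort(key=lambda inst: inst.seq)  # lowest sequence number first
        return rm

    def evaluate(self, route: Route) -> Optional[Route]:
        """Return the route as it would be redistributed, or None if it is not."""
        for inst in self.instances:
            if inst.matches_route(route):
                if inst.action == "deny":
                    return None  # matched a deny instance: not redistributed
                return inst.apply_sets(route)  # first match wins; later instances unused
        return None  # no instance matched: implicit deny


# Constructed from Example 1 in the text and Figure 80 of this chapter.
FORCE = "route-map force permit 10\n match tag 1000\n match tag 2000\n match tag 3000\n"
STATIC_OSPF = """\
route-map staticospf permit 10
 match interface GigabitEthernet 0/0
 match metric 255
 set level backbone
"""
```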

Configure a route map for route redistribution


Route maps on their own cannot affect traffic and must be included in different commands to affect routing
traffic. To apply a route map to traffic on the E-Series, you must call or include that route map in a
command such as the redistribute or default-information originate commands in OSPF, ISIS, and
BGP.


Route redistribution occurs when FTOS learns the advertising routes from static or directly connected
routes or another routing protocol. Different protocols assign different values to redistributed routes to
identify the routes and their origins. The metric value is the most common attribute that is changed
to properly redistribute other routes into a routing protocol. Other attributes that can be changed include
the metric type (for example, external and internal route types in OSPF) and route tag. Use the
redistribute command in OSPF, RIP, ISIS, and BGP to set some of these attributes for routes that are
redistributed into those protocols.
Route maps add to that redistribution capability by allowing you to match specific routes and set or change
more attributes when redistributing those routes.
In Figure 80, the redistribute command calls the route map static ospf to redistribute only certain static
routes into OSPF. According to the route map static ospf, only routes that have a next hop of
Gigabitethernet interface 0/0 and that have a metric of 255 will be redistributed into the OSPF backbone
area.

Note: When re-distributing routes using route-maps, the user must take care to create the
route-map defined in the redistribute command under the routing protocol. If no route-map
is created, then NO routes are redistributed.
Figure 80 Route Redistribution into OSPF
router ospf 34
default-information originate metric-type 1
redistribute static metric 20 metric-type 2 tag 0 route-map staticospf
!
route-map staticospf permit 10
match interface GigabitEthernet 0/0
match metric 255
set level backbone

Configure a route map for route tagging


One method for identifying routes from different routing protocols is to assign a tag to routes from that
protocol. As the route enters a different routing domain, it is tagged and that tag is passed along with the
route as it passes through different routing protocols. This tag can then be used when the route leaves a
routing domain to redistribute those routes again.
In Figure 81, the redistribute ospf command with a route map is used in the ROUTER RIP mode to
apply a tag of 34 to all internal OSPF routes that are redistributed into RIP.


Figure 81 Tagging OSPF Routes Entering a RIP Routing Domain


!
router rip
redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
match route-type internal
set tag 34
!

Continue clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more
route-map modules are processed. If the continue command is configured at the end of a module, the next
module (or a specified module) is processed even after a match is found. Figure 82 shows a continue clause
at the end of a route-map module. In this example, if a match is found in the route-map test module 10,
module 30 will be processed.

Note: If the continue clause is configured without specifying a module, the next sequential module is
processed.
Figure 82 Command Example: continue
!
route-map test permit 10
match commu comm-list1
set community 1:1 1:2 1:3
set as-path prepend 1 2 3 4 5
continue 30
!
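The module-sequencing rules described above (the first matching module runs its set clauses and processing stops, unless that module ends in a continue clause) are modelled below on constructed sample routes. This is an added illustration, not FTOS code: the names Module, RouteMap, evaluate, set_attr and prepend_as_path are hypothetical, the community list comm-list1 is given an assumed content, and modules 20 and 30 of route-map test are assumed, since Figure 82 shows only module 10. The staticospf route map of Figure 80 is included to show that every match clause of a module must hold.

```python
"""Model of route-map evaluation with match, set and continue clauses (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Route = Dict[str, object]            # route attributes, e.g. {"metric": 255, "tag": 0}
Matcher = Callable[[Route], bool]
Setter = Callable[[Route], None]

# Constructed content of the community list used by 'match community comm-list1'.
COMM_LIST1 = {"65000:100"}


@dataclass
class Module:
    """One 'route-map NAME permit SEQ' entry."""
    seq: int
    matches: List[Matcher] = field(default_factory=list)
    sets: List[Setter] = field(default_factory=list)
    # None: no continue clause; 0: bare 'continue' (next sequential module);
    # N: 'continue N' (jump to module N).
    continue_to: Optional[int] = None

    def matched(self, route: Route) -> bool:
        # Every match clause must hold; a module with no match clause matches all routes.
        return all(m(route) for m in self.matches)


@dataclass
class RouteMap:
    name: str
    modules: List[Module]

    def evaluate(self, route: Route) -> List[int]:
        """Apply the route map to 'route' in place and return the sequence numbers
        of the modules whose set clauses were executed (empty: no module matched)."""
        ordered = sorted(self.modules, key=lambda m: m.seq)
        executed: List[int] = []
        idx = 0
        while idx < len(ordered):
            mod = ordered[idx]
            if not mod.matched(route):
                idx += 1                       # no match: try the next module
                continue
            for apply_set in mod.sets:
                apply_set(route)
            executed.append(mod.seq)
            if mod.continue_to is None:
                break                          # normal case: stop after the first match
            if mod.continue_to == 0:
                idx += 1                       # bare 'continue': next sequential module
            else:                              # 'continue N': skip ahead to module N
                idx = next((i for i, m in enumerate(ordered) if m.seq == mod.continue_to),
                           len(ordered))
        return executed


def set_attr(name: str, value: object) -> Setter:
    return lambda r: r.__setitem__(name, value)


def prepend_as_path(*asns: int) -> Setter:
    return lambda r: r.__setitem__("as_path", tuple(asns) + tuple(r.get("as_path", ())))


def build_test_map() -> RouteMap:
    """Route-map 'test' from Figure 82, plus assumed modules 20 and 30."""
    return RouteMap("test", [
        Module(10,
               matches=[lambda r: bool(COMM_LIST1 & set(r.get("community", ())))],  # match community comm-list1
               sets=[set_attr("community", ("1:1", "1:2", "1:3")),                  # set community 1:1 1:2 1:3
                     prepend_as_path(1, 2, 3, 4, 5)],                              # set as-path prepend 1 2 3 4 5
               continue_to=30),                                                    # continue 30
        Module(20, matches=[lambda r: r.get("metric") == 255], sets=[set_attr("tag", 20)]),
        Module(30, sets=[set_attr("tag", 30)]),
    ])


def build_staticospf_map() -> RouteMap:
    """Route-map 'staticospf' from Figure 80: both match clauses must hold."""
    return RouteMap("staticospf", [
        Module(10,
               matches=[lambda r: r.get("interface") == "GigabitEthernet 0/0",  # match interface GigabitEthernet 0/0
                        lambda r: r.get("metric") == 255],                      # match metric 255
               sets=[set_attr("level", "backbone")]),                          # set level backbone
    ])


if __name__ == "__main__":
    route = {"community": {"65000:100"}, "as_path": (65000,), "metric": 255}
    print(build_test_map().evaluate(route), route)   # module 20 is skipped by 'continue 30'
```

With the sample route, module 10 matches, its set clauses run, and the continue 30 clause sends evaluation straight to module 30; module 20 would also have matched on the metric but is never consulted, so the tag ends up as 30.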


Chapter 7

Bidirectional Forwarding Detection

Bidirectional Forwarding Detection is supported only on the C-Series and E-Series platforms.

BFD is supported on E-Series ExaScale with FTOS 8.2.1.0 and later.

Protocol Overview
Bidirectional Forwarding Detection (BFD) is a protocol that is used to rapidly detect communication
failures between two adjacent systems. It is a simple and lightweight replacement for existing routing
protocol link state detection mechanisms. It also provides a failure detection solution for links on which no
routing protocol is used.
BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a
three-way handshake. After the session has been established, the systems exchange periodic control
packets at sub-second intervals. If a system does not receive a hello packet within a specified amount of
time, routing protocols are notified that the forwarding path is down.
BFD provides forwarding path failure detection times on the order of milliseconds rather than seconds as
with conventional routing protocol hellos. It is independent of routing protocols, and as such provides a
consistent method of failure detection when used across a network. Networks converge faster because BFD
triggers link state changes in the routing protocol sooner and more consistently, because BFD can
eliminate the use of multiple protocol-dependent timers and methods.
BFD also carries less overhead than routing protocol hello mechanisms. Control packets can be
encapsulated in any form that is convenient, and, on Force10 routers, sessions are maintained by BFD
Agents that reside on the line card, which frees resources on the RPM. Only session state changes are
reported to the BFD Manager (on the RPM), which in turn notifies the routing protocols that are registered
with it.
BFD is an independent and generic protocol, which all media, topologies, and routing protocols can
support using any encapsulation. Force10 has implemented BFD at Layer 3 and with UDP encapsulation.
BFD functionality will be implemented in phases. OSPF, IS-IS (not on C-Series), VRRP, VLANs, LAGs,
static routes, and physical ports support BFD, based on the IETF internet draft draft-ietf-bfd-base-03.


How BFD Works


Two neighboring systems running BFD establish a session using a three-way handshake. After the session
has been established, the systems exchange control packets at agreed upon intervals. In addition, systems
send a control packet anytime there is a state change or change in a session parameter; these control
packets are sent without regard to transmit and receive intervals.
Note: FTOS does not support multi-hop BFD sessions.

If a system does not receive a control packet within an agreed-upon amount of time, the BFD Agent
changes the session state to Down. It then notifies the BFD Manager of the change, and sends a control
packet to the neighbor that indicates the state change (though it might not be received if the link or
receiving interface is faulty). The BFD Manager notifies the routing protocols that are registered with it
(clients) that the forwarding path is down, and a link state change is triggered in all protocols.
Note: A session state change from Up to Down is the only state change that triggers a link state change in
the routing protocol client.

BFD packet format


Control packets are encapsulated in UDP packets. Figure 83 shows the complete encapsulation of a BFD
control packet inside an IPv4 packet.


Figure 83 BFD in IPv4 Packet Format (figure rendered as text)

Ethernet frame: Preamble | Start Frame Delimiter | Destination MAC | Source MAC |
                Ethernet Type (0x8800) | IP Packet | Padding | FCS

IP packet: Version (4) | IHL | TOS | Total Length | Flags | Frag Offset | TTL (255) | Protocol |
           Header Checksum | Src IP Addr | Dest IP Addr | Options | Padding | UDP Packet

UDP packet: Source Port | Destination Port (3784; Echo: 3785) | Length | Checksum | BFD Control Packet

BFD control packet:
  Version (1)
  Diag Code (Range: 0-31)
      0: No Diagnostic
      1: Control Detection Time Expired
      2: Echo Function Failed
      3: Neighbor Signaled Session Down
      4: Forwarding Plane Reset
      5: Path Down
      6: Concatenated Path Down
      7: Administratively Down
      8: Reverse Concatenated Path Down
      9-31: Reserved for Future Use
  State
      0: AdminDown
      1: Down
      2: Init
      3: Up
  Flags (Bit: P: Poll, F: Final, C: Control Plane Independent, A: Authentication Present,
         D: Demand; Final bit reserved)
  Detect Mult: the number of packets that must be missed in a row in order to declare a session down
  Length
  My Discriminator: random number generated by the local system to identify a session
  Your Discriminator: random number generated by the remote system to identify a session
  Desired Min TX Interval: the interval at which the local system would like to transmit control packets
  Required Min RX Interval: the minimum interval between control packets that the local system is
                            capable of supporting
  Required Min Echo RX Interval: the minimum interval between echo packets that the local system is
                                 capable of supporting
  Auth Type
  Auth Length
  Auth Data


Table 13 BFD Packet Fields

Field                     Description

Diagnostic Code           The reason that the last session failed.

State                     The current local session state. See BFD sessions.

Flag                      A bit that indicates packet function. If the poll bit is set, the receiving system must
                          respond as soon as possible, without regard to its transmit interval. The responding
                          system clears the poll bit and sets the final bit in its response. The poll and final bits
                          are used during the handshake and Demand mode (see BFD sessions).
                          Note: FTOS does not currently support multi-point sessions, Demand mode,
                          authentication, or control plane independence; these bits are always clear.

Detection Multiplier      The number of packets that must be missed in order to declare a session down.

Length                    The entire length of the BFD packet.

My Discriminator          A random number generated by the local system to identify the session.

Your Discriminator        A random number generated by the remote system to identify the session.
                          Discriminator values are necessary to identify the session to which a control packet
                          belongs since there can be many sessions running on a single interface.

Desired Min TX Interval   The minimum rate at which the local system would like to send control packets to the
                          remote system.

Required Min RX Interval  The minimum rate at which the local system would like to receive control packets from
                          the remote system.

Required Min Echo RX      The minimum rate at which the local system would like to receive echo packets.
                          Note: FTOS does not currently support the echo function.

Authentication Type       An optional method for authenticating control packets.
Authentication Length     Note: FTOS does not currently support the BFD authentication function.
Authentication Data

Two important parameters are calculated using the values contained in the control packet.


• Transmit interval: Transmit interval is the agreed-upon rate at which a system sends control
  packets. Each system has its own transmit interval, which is the greater of the last received remote
  Desired TX Interval and the local Required Min RX Interval.
• Detection time: Detection time is the amount of time that a system does not receive a control
  packet, after which the system determines that the session has failed. Each system has its own
  detection time.
  • In Asynchronous mode: Detection time is the remote Detection Multiplier multiplied by the
    greater of the remote Desired TX Interval and the local Required Min RX Interval.
  • In Demand mode: Detection time is the local Detection Multiplier multiplied by the greater of
    the local Desired Min TX and the remote Required Min RX Interval.
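The two calculations above, applied to the fields of a received control packet, are shown below in an added example that is not FTOS code. The field order follows Figure 83 and Table 13; the bit layout of the first word (3-bit version, 5-bit diag, 2-bit state, then the P, F, C, A and D flag bits) and the microsecond units of the intervals are assumed from RFC 5880, the published form of the draft this chapter cites. The receive-side checks in parse_bfd_control are the ones that stop a malformed or forged packet from touching session state; the sample packet bytes are constructed here using the neighbor parameters of Figure 89 (TX 100ms, RX 100ms, Multiplier 3), and the function and constant names are hypothetical.

```python
"""Decode, validate and use a BFD control packet (added example)."""
import struct
from dataclasses import dataclass

BFD_CONTROL_PORT = 3784    # UDP destination port for control packets (Figure 83)
BFD_ECHO_PORT = 3785       # UDP destination port for echo packets
MIN_LENGTH = 24            # bytes in a control packet without an authentication section
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAG_CODES = {
    0: "No Diagnostic", 1: "Control Detection Time Expired", 2: "Echo Function Failed",
    3: "Neighbor Signaled Session Down", 4: "Forwarding Plane Reset", 5: "Path Down",
    6: "Concatenated Path Down", 7: "Administratively Down", 8: "Reverse Concatenated Path Down",
}
# Assumed wire layout (RFC 5880): vers/diag byte, state/flags byte, Detect Mult, Length,
# then My Discriminator, Your Discriminator and the three intervals as 32-bit big-endian words.
_HEADER = struct.Struct("!BBBBIIIII")


@dataclass
class BfdControl:
    version: int
    diag: int
    state: int
    poll: bool
    final: bool
    control_plane_independent: bool
    auth_present: bool
    demand: bool
    detect_mult: int
    length: int
    my_discriminator: int
    your_discriminator: int
    desired_min_tx: int        # microseconds
    required_min_rx: int       # microseconds
    required_min_echo_rx: int  # microseconds


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Decode one control packet, rejecting anything a receiver must discard."""
    if len(payload) < MIN_LENGTH:
        raise ValueError("control packet shorter than 24 bytes")
    b0, b1, mult, length, my_d, your_d, tx, rx, echo = _HEADER.unpack(payload[:MIN_LENGTH])
    pkt = BfdControl(
        version=b0 >> 5, diag=b0 & 0x1F, state=b1 >> 6,
        poll=bool(b1 & 0x20), final=bool(b1 & 0x10), control_plane_independent=bool(b1 & 0x08),
        auth_present=bool(b1 & 0x04), demand=bool(b1 & 0x02),
        detect_mult=mult, length=length, my_discriminator=my_d, your_discriminator=your_d,
        desired_min_tx=tx, required_min_rx=rx, required_min_echo_rx=echo,
    )
    # Receive-side sanity checks: a packet failing any of these is dropped before it
    # can influence the session, which is what keeps a corrupted or forged packet harmless.
    if pkt.version != 1:
        raise ValueError("unsupported BFD version %d" % pkt.version)
    if pkt.length != len(payload):
        raise ValueError("length field does not match payload size")
    if pkt.detect_mult == 0:
        raise ValueError("Detect Mult must be non-zero")
    if pkt.my_discriminator == 0:
        raise ValueError("My Discriminator must be non-zero")
    if pkt.your_discriminator == 0 and STATES[pkt.state] not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator may be zero only in Down or AdminDown")
    if pkt.auth_present and pkt.length < MIN_LENGTH + 2:
        raise ValueError("A bit set but no authentication section present")
    return pkt


def build_bfd_control(*, state: int, detect_mult: int, my_discriminator: int,
                      your_discriminator: int, desired_min_tx: int, required_min_rx: int,
                      required_min_echo_rx: int = 0, diag: int = 0,
                      poll: bool = False, final: bool = False) -> bytes:
    """Encode a control packet without authentication (C, A and D bits clear, as on FTOS)."""
    b0 = (1 << 5) | (diag & 0x1F)
    b1 = (state << 6) | (0x20 if poll else 0) | (0x10 if final else 0)
    return _HEADER.pack(b0, b1, detect_mult, MIN_LENGTH, my_discriminator, your_discriminator,
                        desired_min_tx, required_min_rx, required_min_echo_rx)


def transmit_interval(remote: BfdControl, local_required_min_rx: int) -> int:
    """Transmit interval as defined in the text above: the greater of the last received
    remote Desired TX Interval and the local Required Min RX Interval."""
    return max(remote.desired_min_tx, local_required_min_rx)


def detection_time_async(remote: BfdControl, local_required_min_rx: int) -> int:
    """Asynchronous mode: remote Detect Mult x max(remote Desired TX, local Required Min RX)."""
    return remote.detect_mult * max(remote.desired_min_tx, local_required_min_rx)


def detection_time_demand(local_detect_mult: int, local_desired_min_tx: int, remote: BfdControl) -> int:
    """Demand mode: local Detect Mult x max(local Desired Min TX, remote Required Min RX)."""
    return local_detect_mult * max(local_desired_min_tx, remote.required_min_rx)


if __name__ == "__main__":
    sample = build_bfd_control(state=3, poll=True, detect_mult=3, my_discriminator=1,
                               your_discriminator=1, desired_min_tx=100_000, required_min_rx=100_000)
    remote = parse_bfd_control(sample)
    print(STATES[remote.state], DIAG_CODES[remote.diag],
          "detection time %d us" % detection_time_async(remote, 100_000))
```

With the Figure 89 parameters on both sides, the asynchronous detection time is 3 x 100 ms = 300 ms; raising the local Required Min RX Interval to 250 ms stretches it to 750 ms even though the neighbor's configuration is unchanged, which is why the Actual parameters shown by show bfd neighbors detail can differ from the Configured ones.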


BFD sessions
BFD must be enabled on both sides of a link in order to establish a session. The two participating systems
can assume either of two roles:

• Active: The active system initiates the BFD session. Both systems can be active for the same session.
• Passive: The passive system does not initiate a session. It only responds to a request for session
  initialization from the active system.

A BFD session has two modes:

• Asynchronous mode: In Asynchronous mode, both systems send periodic control messages at an
  agreed upon interval to indicate that their session status is Up.
• Demand mode: If one system requests Demand mode, the other system stops sending periodic
  control packets; it only sends a response to status inquiries from the Demand mode initiator. Either
  system (but not both) can request Demand mode at any time.
Note: FTOS supports asynchronous mode only.

A session can have four states: Administratively Down, Down, Init, and Up.

• Administratively Down: The local system will not participate in a particular session.
• Down: The remote system is not sending any control packets, or at least not within the detection time
  for a particular session.
• Init: The local system is communicating.
• Up: Both systems are exchanging control packets.

The session is declared down if:

• A control packet is not received within the detection time.
• Sufficient echo packets are lost.
• Demand mode is active and a control packet is not received in response to a poll packet.

BFD three-way handshake


A three-way handshake must take place between the systems that will participate in the BFD session. The
handshake shown in Figure 84 assumes that there is one active and one passive system, and that this is the
first session established on this link. The default session state on both ports is Down.
1. The active system sends a steady stream of control packets that indicates that its session state is Down,
until the passive system responds. These packets are sent at the desired transmit interval of the Active
system, and the Your Discriminator field is set to zero.
2. When the passive system receives any of these control packets, it changes its session state to Init, and
sends a response that indicates its state change. The response includes its session ID in the My
Discriminator field, and the session ID of the remote system in the Your Discriminator field.


3. The active system receives the response from the passive system, and changes its session state to Up. It
then sends a control packet indicating this state change. This is the third and final part of the
handshake. At this point, the discriminator values have been exchanged, and the transmit intervals
have been negotiated.
4. The passive system receives the control packet and changes its state to Up. Both systems agree that a
session has been established. However, since both members must send a control packet that requires
a response anytime there is a state change or change in a session parameter, the passive system sends
a final response indicating the state change. After this, periodic control packets are exchanged.
Figure 84 BFD Three-way Handshake (figure rendered as text)

ACTIVE System                                    PASSIVE System
Transmit Interval: User-configurable
Default Session State: Down                      Default Session State: Down

1. ACTIVE -> PASSIVE: Steady Rate of Control Packets
   Version: 1
   Diag Code: 0 (assumes no previous session)
   State: Down
   Flag: P: 1
   Detect Multiplier: User-configurable
   My Discriminator: X (Active System Session ID)
   Your Discriminator: 0
   Desired Min TX Interval: User-configurable
   Required Min RX Interval: User-configurable
   Required Min Echo RX Interval: User-configurable

2. PASSIVE -> ACTIVE: Init State Change
   Version: 1
   Diag Code: 0 (assumes no previous session)
   State: Init
   Flag: F: 1
   Detect Multiplier: User-configurable
   My Discriminator: Y (Passive System Session ID)
   Your Discriminator: X
   Desired Min TX Interval: User-configurable
   Required Min RX Interval: User-configurable
   Required Min Echo RX Interval: User-configurable

3. ACTIVE -> PASSIVE: Up State Change
   Version: 1
   Diag Code: 0 (assumes no previous session)
   State: Up
   Flag: P: 1
   Detect Multiplier: User-configurable
   My Discriminator: X
   Your Discriminator: Y
   Desired Min TX Interval: User-configurable
   Required Min RX Interval: User-configurable
   Required Min Echo RX Interval: User-configurable

4. PASSIVE -> ACTIVE: Up State Change
   Version: 1
   Diag Code: 0 (assumes no previous session)
   State: Up
   Flag: F: 1
   Detect Multiplier: User-configurable
   My Discriminator: Y
   Your Discriminator: X
   Desired Min TX Interval: User-configurable
   Required Min RX Interval: User-configurable
   Required Min Echo RX Interval: User-configurable

5. ACTIVE -> PASSIVE: Periodic Control Packet
   Version: 1
   Diag Code: 0 (assumes no previous session)
   State: Up
   Flag: P: Clear
   Detect Multiplier: User-configurable
   My Discriminator: X
   Your Discriminator: Y
   Desired Min TX Interval: User-configurable
   Required Min RX Interval: User-configurable
   Required Min Echo RX Interval: User-configurable

Session state changes


Figure 85 shows how the session state on a system changes based on the status notification it receives from
the remote system. For example, if a session on a system is down, and it receives a Down status
notification from the remote system, the session state on the local system changes to Init.


Figure 85 BFD State Machine (figure rendered as a table)

Current session state    Packet received (or Timer)       New session state
Down                     Down                             Init
Down                     Init                             Up
Down                     Up, Admin Down, Timer            Down
Init                     Init, Up                         Up
Init                     Down                             Init
Init                     Admin Down, Timer                Down
Up                       Up, Init                         Up
Up                       Admin Down, Down, Timer          Down
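The state machine of Figure 85 and the handshake of Figure 84 are exercised together below, as an added illustration that is not FTOS code. BfdSession, TRANSITIONS, three_way_handshake and the packet dictionaries are hypothetical; X=1 and Y=2 stand in for the session IDs of the figure, and Timer stands for the expiry of the detection time. A received packet whose Your Discriminator names a different session is ignored, following the Your Discriminator description in Table 13.

```python
"""BFD session state machine driven through the three-way handshake (added example)."""
from typing import Dict, List, Tuple, Union

ADMIN_DOWN, DOWN, INIT, UP = "AdminDown", "Down", "Init", "Up"
TIMER = "Timer"            # detection time expired: handled like a received state
Packet = Dict[str, object]

# (current session state, packet received or Timer) -> new session state, from Figure 85.
TRANSITIONS = {
    (DOWN, DOWN): INIT, (DOWN, INIT): UP,
    (DOWN, UP): DOWN, (DOWN, ADMIN_DOWN): DOWN, (DOWN, TIMER): DOWN,
    (INIT, INIT): UP, (INIT, UP): UP, (INIT, DOWN): INIT,
    (INIT, ADMIN_DOWN): DOWN, (INIT, TIMER): DOWN,
    (UP, UP): UP, (UP, INIT): UP,
    (UP, DOWN): DOWN, (UP, ADMIN_DOWN): DOWN, (UP, TIMER): DOWN,
}


class BfdSession:
    def __init__(self, name: str, my_discriminator: int, active: bool) -> None:
        self.name = name
        self.active = active                  # active systems initiate; passive ones only respond
        self.my_disc = my_discriminator       # My Discriminator: local session ID
        self.your_disc = 0                    # Your Discriminator: unknown until a packet arrives
        self.state = DOWN                     # default session state
        self.history: List[str] = [DOWN]

    def control_packet(self, poll: bool = False, final: bool = False) -> Packet:
        """The control packet this system would send now (fields as in Figure 84)."""
        return {"state": self.state, "my_discriminator": self.my_disc,
                "your_discriminator": self.your_disc, "poll": poll, "final": final}

    def receive(self, event: Union[Packet, str]) -> str:
        """Apply a received control packet, or TIMER, and return the resulting state."""
        if self.state == ADMIN_DOWN:
            return self.state                 # not participating in this session
        if event == TIMER:
            received = TIMER
        else:
            your = event["your_discriminator"]
            if your not in (0, self.my_disc):
                return self.state             # belongs to another session on this interface: ignore
            if your == 0 and event["state"] not in (DOWN, ADMIN_DOWN):
                return self.state             # Your Discriminator is zero only while Down/AdminDown
            self.your_disc = event["my_discriminator"]
            received = event["state"]
        new_state = TRANSITIONS[(self.state, received)]
        if new_state != self.state:
            self.history.append(new_state)
        self.state = new_state
        return new_state

    def admin_down(self) -> None:
        """Operator disables BFD on the interface (Message 3 later in the chapter)."""
        self.state = ADMIN_DOWN
        self.history.append(ADMIN_DOWN)


def three_way_handshake(active: BfdSession, passive: BfdSession) -> List[Tuple[str, str]]:
    """Run the exchange of Figure 84 and return [(sender, state carried)] per packet."""
    log: List[Tuple[str, str]] = []

    def send(src: BfdSession, dst: BfdSession, **flags: bool) -> None:
        pkt = src.control_packet(**flags)
        log.append((src.name, str(pkt["state"])))
        dst.receive(pkt)

    send(active, passive, poll=True)     # 1. Down, Your Discriminator 0: passive goes Down -> Init
    send(passive, active, final=True)    # 2. Init carrying Y and X: active goes Down -> Up
    send(active, passive, poll=True)     # 3. Up: passive goes Init -> Up
    send(passive, active, final=True)    # 4. final response, Up: periodic packets follow
    return log


if __name__ == "__main__":
    r1, r2 = BfdSession("R1", 1, active=True), BfdSession("R2", 2, active=False)
    print(three_way_handshake(r1, r2), r1.state, r2.state)
    r1.receive(TIMER)                    # detection time expires on R1 ...
    r2.receive(r1.control_packet())      # ... and its Down packet takes the neighbor down too
    print(r1.history, r2.history)
```

The passive side passes through Down, Init and Up while the active side goes straight from Down to Up, exactly as the numbered steps above describe; the final part of the script shows how a single detection-time expiry on one side is propagated to the other side by the Down packet that the state change triggers.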

Important Points to Remember

• BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM.
• BFD is supported on C-Series and E-Series only.
• FTOS supports a maximum of 100 sessions per BFD agent. Each linecard processor has a BFD Agent,
  so the limit translates to 100 BFD sessions per linecard (plus, on the E-Series, 100 BFD sessions on
  RP2, which handles LAG and VLANs).
• BFD must be enabled on both ends of a link.
• Demand mode, authentication, and the Echo function are not supported.
• BFD is not supported on multi-hop and virtual links.
• Protocol Liveness is supported for routing protocols only.
• FTOS supports only OSPF, ISIS (E-Series only), and VRRP protocols as BFD clients.

Configuring Bidirectional Forwarding Detection

The remainder of this chapter is divided into the following sections:

• Configuring BFD for Physical Ports on page 160
• Configuring BFD for Static Routes on page 164
• Configuring BFD for OSPF on page 166
• Configuring BFD for IS-IS on page 169
• Configuring BFD for VRRP on page 172
• Configuring BFD for VLANs on page 175
• Configuring BFD for Port-Channels on page 178
• Configuring Protocol Liveness on page 180
• Troubleshooting BFD on page 181


Configuring BFD for Physical Ports


BFD on physical ports is useful when no routing protocol is enabled. Without BFD, if the remote system
fails, the local system does not remove the connected route until the first failed attempt to send a packet.
When BFD is enabled, the local system removes the route as soon as it stops receiving periodic control
packets from the remote system.
Configuring BFD for a physical port is a two-step process:
1. Enable BFD globally. See page 160.
2. Establish a session with a next-hop neighbor. See page 160.

Related configuration tasks

• Change session parameters. See page 162.
• Disable or re-enable BFD on an interface. See page 163.

Enabling BFD globally


BFD must be enabled globally on both routers, as shown in Figure 87.
To enable BFD globally:
Step   Task                      Command Syntax   Command Mode
1      Enable BFD globally.      bfd enable       CONFIGURATION

Verify that BFD is enabled globally using the command show running bfd, as shown in Figure 86.
Figure 86 Enabling BFD Globally
R1(conf)#bfd ?
enable               Enable BFD protocol
protocol-liveness    Enable BFD protocol-liveness
R1(conf)#bfd enable
R1(conf)#do show running-config bfd
!
bfd enable
R1(conf)#

Establishing a session on physical ports


To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in
Figure 87. The configuration parameters do not need to match.


Figure 87 Establishing a BFD Session for Physical Ports (figure rendered as text)

R1: ACTIVE Role (Gi 4/24) <----> (Gi 2/1) R2: ACTIVE Role

R1:
Force10(config)# bfd enable
Force10(config)# interface gigabitethernet 4/24
Force10(conf-if-gi-4/24)# ip address 2.2.2.1/24
Force10(conf-if-gi-4/24)# bfd neighbor 2.2.2.2

R2:
Force10(config)# bfd enable
Force10(config)# interface gigabitethernet 2/1
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.1

To establish a session:
Step   Task                                                                        Command Syntax            Command Mode
1      Enter interface mode.                                                       interface                 CONFIGURATION
2      Assign an IP address to the interface if one is not already assigned.       ip address ip-address     INTERFACE
3      Identify the neighbor with which the interface will participate in the      bfd neighbor ip-address   INTERFACE
       BFD session.

Verify that the session is established using the command show bfd neighbors, as shown in Figure 88.
Figure 88 Viewing Established Sessions for Physical Ports
R1(conf-if-gi-4/24)#do show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)

  LocalAddr    RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.1      2.2.2.2      Gi 4/24     Up      100      100      3      C


The command show bfd neighbors detail shows more specific information about BFD sessions
(Figure 89).


Figure 89 Viewing Session Details


R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: False
Client Registered: CLI
Uptime: 00:03:57
Statistics:
Number of packets received from neighbor: 1775
Number of packets sent to neighbor: 1775
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4

When both interfaces are configured for BFD, log messages are displayed indicating state changes, as
shown in Message 2.
Message 2 BFD Session State Changes
R1(conf-if-gi-4/24)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for
neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on
interface Gi 4/24 (diag: 0)

Changing physical port session parameters


BFD sessions are configured with default intervals and a default role (active). The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured per interface; if you change a parameter, the change affects all physical
port sessions on that interface. Force10 recommends maintaining the default values.
To change session parameters on an interface:
Step   Task                                                    Command Syntax                                        Command Mode
1      Change session parameters for all sessions on an        bfd interval milliseconds min_rx milliseconds         INTERFACE
       interface.                                              multiplier value role [active | passive]

View session parameters using the show bfd neighbors detail command.


Figure 90 Changing Session Parameters for Physical Ports


R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.2
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 4
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 7


Disabling and re-enabling BFD


BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured. If
BFD is disabled, all of the sessions on that interface are placed in an Administratively Down state
(Message 3), and the remote systems are notified of the session state change (Message 4).
To disable BFD on an interface:
Step   Task                            Command Syntax   Command Mode
1      Disable BFD on an interface.    no bfd enable    INTERFACE

Message 3 Disabling BFD on a Local Interface


R1(conf-if-gi-4/24)#01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad Dn for
neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)

Message 4 Remote System State Change due to Local State Admin Down
R2>01:32:53: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.1
on interface Gi 2/1 (diag: 7)
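The BFD_STATE_CHANGE messages shown in Message 2, Message 3 and Message 4 are what a monitoring system sees of these transitions, and the diagnostic code is what separates an operator's own change (diag 7, Administratively Down, as in Message 4) from a real forwarding-path failure. The parser below is an added example, not FTOS code: the regular expression is written against the messages on this page, the sample lines are those messages with their wrapped lines re-joined, the diagnostic names come from Figure 83, and the function names and classification labels are hypothetical.

```python
"""Parse and classify FTOS %BFDMGR-1-BFD_STATE_CHANGE log messages (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

DIAG_CODES = {
    0: "No Diagnostic", 1: "Control Detection Time Expired", 2: "Echo Function Failed",
    3: "Neighbor Signaled Session Down", 4: "Forwarding Plane Reset", 5: "Path Down",
    6: "Concatenated Path Down", 7: "Administratively Down", 8: "Reverse Concatenated Path Down",
}

# The CLI prompt may precede the timestamp (Messages 2 and 3), so the pattern is searched, not anchored.
STATE_CHANGE_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}): %RPM\d-P:RP\d %BFDMGR-1-BFD_STATE_CHANGE: "
    r"Changed session state to (?P<state>Up|Down|Init|Ad Dn) "
    r"for neighbor (?P<neighbor>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<interface>\S+ \S+) \(diag: (?P<diag>\d+)\)"
)


@dataclass(frozen=True)
class StateChange:
    time: str
    state: str
    neighbor: str
    interface: str
    diag: int

    @property
    def diag_name(self) -> str:
        return DIAG_CODES.get(self.diag, "Reserved (%d)" % self.diag)


def parse_state_change(line: str) -> Optional[StateChange]:
    m = STATE_CHANGE_RE.search(line)
    if not m:
        return None
    return StateChange(m["time"], m["state"], m["neighbor"], m["interface"], int(m["diag"]))


def classify(ev: StateChange) -> str:
    """Turn a state change into the kind of event an operator should look at."""
    if ev.state == "Up":
        return "session established"
    if ev.state == "Ad Dn":
        return "local administrative disable"     # expected only during a change window (Message 3)
    if ev.state == "Down" and ev.diag == 7:
        return "remote administrative disable"    # neighbor signalled Admin Down (Message 4)
    if ev.state == "Down" and ev.diag == 1:
        return "forwarding path failure"          # detection time expired: link or neighbor is down
    if ev.state == "Down" and ev.diag == 0:
        return "initial session state"            # first message after configuration (Message 2)
    return "state %s, diag %s" % (ev.state, ev.diag_name)


def down_counts(events: Iterable[StateChange]) -> Dict[Tuple[str, str], int]:
    """Down transitions per (neighbor, interface); a high count in a short period is a flapping session."""
    counter: Counter = Counter()
    for ev in events:
        if ev.state == "Down":
            counter[(ev.neighbor, ev.interface)] += 1
    return dict(counter)


def parse_log(lines: Iterable[str]) -> List[StateChange]:
    return [ev for ev in map(parse_state_change, lines) if ev is not None]


# Constructed sample: Messages 2, 3 and 4 from this page with their wrapped lines re-joined.
SAMPLE_LOG = [
    "R1(conf-if-gi-4/24)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)",
    "00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)",
    "R1(conf-if-gi-4/24)#01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad Dn for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)",
    "R2>01:32:53: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.1 on interface Gi 2/1 (diag: 7)",
    "R1(conf)#do show bfd neighbors",      # unrelated line: ignored by the parser
]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev.time, ev.neighbor, ev.interface, ev.state, ev.diag_name, "->", classify(ev))
```

Feeding the four messages through gives one "initial session state", one "session established", one "local administrative disable" and, on R2, one "remote administrative disable"; a Down with diag 1 would instead be reported as a forwarding path failure, which is the event worth paging on.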


To re-enable BFD on an interface:
Step   Task                            Command Syntax   Command Mode
1      Enable BFD on an interface.     bfd enable       INTERFACE

Configuring BFD for Static Routes


BFD gives systems a link state detection mechanism for static routes. With BFD, systems are notified to
remove static routes from the routing table as soon as the link state change occurs, rather than having to
wait until packets fail to reach their next hop.
Configuring BFD for static routes is a three-step process:
1. Enable BFD globally. See Enabling BFD globally on page 160.
2. On the local system, establish a session with the next hop of a static route. See page 164.
3. On the remote system, establish a session with the physical port that is the origin of the static route.
See Establishing a session on physical ports on page 160.

Related configuration tasks

• Change session parameters. See page 165.
• Disable BFD for all static routes. See page 165.

Establishing sessions for static routes


Sessions are established for all neighbors that are the next hop of a static route.
Figure 91 Enabling BFD for Static Routes (figure rendered as text)

R1 (Gi 4/24, 2.2.2.1/24) ---- (Gi 2/1, 2.2.2.2/24) R2 (Gi 2/2, 2.2.3.1/24) ---- (Gi 6/0, 2.2.3.2/24) R3

R1:
Force10(config)# interface gigabitethernet 4/24
Force10(conf-if-gi-4/24)# ip address 2.2.2.1/24
Force10(conf-if-gi-4/24)# no shutdown
Force10(config)# ip route 2.2.3.0/24 2.2.2.2
Force10(config)# ip route bfd

R2:
Force10(config)# interface gigabitethernet 2/1
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(conf-if-gi-2/1)# no shutdown
Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.1
Force10(config)# interface gigabitethernet 2/2
Force10(conf-if-gi-2/2)# ip address 2.2.3.1/24
Force10(conf-if-gi-2/2)# no shutdown

R3:
Force10(config)# interface gigabitethernet 6/0
Force10(conf-if-gi-6/0)# ip address 2.2.3.2/24
Force10(conf-if-gi-6/0)# no shutdown


To establish a BFD session:
Step   Task                                                                   Command Syntax   Command Mode
1      Establish BFD sessions for all neighbors that are the next hop of      ip route bfd     CONFIGURATION
       a static route.

Verify that sessions have been created for static routes using the command show bfd neighbors, as shown
in Figure 92. View detailed session information using the command show bfd neighbors detail, as shown
in Figure 90.
Figure 92 Viewing Established Sessions for Static Routes
R1(conf)#ip route 2.2.3.0/24 2.2.2.2
R1(conf)#ip route bfd
R1(conf)#do show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)

  LocalAddr    RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
  2.2.2.1      2.2.2.2      Gi 4/24     Up      100      100      4      R

Changing static route session parameters


BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all static routes; if you change a parameter, the change affects all
sessions for static routes.
To change parameters for static route sessions:
Step   Task                                             Command Syntax                                             Command Mode
1      Change parameters for all static route           ip route bfd interval milliseconds min_rx milliseconds     CONFIGURATION
       sessions.                                        multiplier value role [active | passive]

View session parameters using the command show bfd neighbors detail, as shown in Figure 90 on
page 163.

Disabling BFD for static routes


If BFD is disabled, all static route BFD sessions are torn down. A final Admin Down packet is sent to all
neighbors on the remote systems, and those neighbors change to the Down state (Message 4 on page 163).


To disable BFD for static routes:
Step   Task                               Command Syntax     Command Mode
1      Disable BFD for static routes.     no ip route bfd    CONFIGURATION

Configuring BFD for OSPF


When using BFD with OSPF, the OSPF protocol registers with the BFD manager on the RPM. BFD
sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface
fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the OSPF protocol
that a link state change occurred.
Configuring BFD for OSPF is a two-step process:
1. Enable BFD globally. See Enabling BFD globally on page 160.
2. Establish sessions for all or particular OSPF neighbors. See page 167.

Related configuration tasks

• Change session parameters. See page 168.
• Disable BFD sessions for OSPF. See page 168.

Establishing sessions with OSPF neighbors


BFD sessions can be established with all OSPF neighbors at once, or sessions can be established with all
neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the full
state.
Figure 93 Establishing Sessions with OSPF Neighbors (figure rendered as text)

AREA 0: R1 (Gi 4/24, 2.2.2.1/24) ---- (Gi 2/1, 2.2.2.2/24) R2
AREA 1: R2 (Gi 2/2, 2.2.3.1/24) ---- (Gi 6/0, 2.2.3.2/24) R3 (Gi 6/1, 2.2.4.1/24) ---- (Gi 1/1, 2.2.4.2/24) R4

R1:
Force10(conf-if-gi-4/24)# ip address 2.2.2.1/24
Force10(conf-if-gi-4/24)# no shutdown
Force10(conf-if-gi-4/24)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.2.0/24 area 0
Force10(config-router_ospf)# bfd all-neighbors

R2:
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(conf-if-gi-2/1)# no shutdown
Force10(conf-if-gi-2/1)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.2.0/24 area 0
Force10(config-router_ospf)# bfd all-neighbors
Force10(conf-if-gi-2/2)# ip address 2.2.3.1/24
Force10(conf-if-gi-2/2)# no shutdown
Force10(conf-if-gi-2/2)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.3.0/24 area 1
Force10(config-router_ospf)# bfd all-neighbors

R3:
Force10(conf-if-gi-6/0)# ip address 2.2.3.2/24
Force10(conf-if-gi-6/0)# no shutdown
Force10(conf-if-gi-6/0)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.3.0/24 area 1
Force10(config-router_ospf)# bfd all-neighbors
Force10(conf-if-gi-6/1)# ip address 2.2.4.1/24
Force10(conf-if-gi-6/1)# no shutdown
Force10(conf-if-gi-6/1)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.4.0/24 area 1
Force10(config-router_ospf)# bfd all-neighbors

R4:
Force10(conf-if-gi-1/1)# ip address 2.2.4.2/24
Force10(conf-if-gi-1/1)# no shutdown
Force10(conf-if-gi-1/1)# exit
Force10(config)# router ospf 1
Force10(config-router_ospf)# network 2.2.4.0/24 area 1
Force10(config-router_ospf)# bfd all-neighbors

To establish BFD with all OSPF neighbors:
Step   Task                                           Command Syntax       Command Mode
1      Establish sessions with all OSPF neighbors.    bfd all-neighbors    ROUTER-OSPF

To establish BFD for all OSPF neighbors on a single interface:
Step   Task                                                           Command Syntax               Command Mode
1      Establish sessions with all OSPF neighbors on a single         ip ospf bfd all-neighbors    INTERFACE
       interface.

View the established sessions using the command show bfd neighbors, as shown in Figure 94.


Figure 94 Viewing Established Sessions for OSPF Neighbors
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)

  LocalAddr    RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2      2.2.2.1      Gi 2/1      Up      100      100      3      O
Changing OSPF session parameters

BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all OSPF sessions or all OSPF sessions on a particular interface; if
you change a parameter globally, the change affects all OSPF neighbor sessions. If you change a
parameter at interface level, the change affects all OSPF sessions on that interface.
To change parameters for all OSPF sessions:
Step   Task                                   Command Syntax                                                  Command Mode
1      Change parameters for OSPF sessions.   bfd all-neighbors interval milliseconds min_rx milliseconds     ROUTER-OSPF
                                              multiplier value role [active | passive]

To change parameters for OSPF sessions on an interface:
Step   Task                                              Command Syntax                                                          Command Mode
1      Change parameters for all OSPF sessions on an     ip ospf bfd all-neighbors interval milliseconds min_rx milliseconds     INTERFACE
       interface.                                        multiplier value role [active | passive]

View session parameters using the command show bfd neighbors detail, as shown in Figure 90 on
page 163.

Disabling BFD for OSPF


If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a
Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the
remote system are placed in a Down state (Message 4 on page 163). Disabling BFD does not trigger a
change in BFD clients; a final Admin Down packet is sent before the session is terminated.


To disable BFD sessions with all OSPF neighbors:

Step  Task                                           Command Syntax         Command Mode
1     Disable BFD sessions with all OSPF neighbors.  no bfd all-neighbors   ROUTER-OSPF

To disable BFD sessions with all OSPF neighbors out of an interface:

Step  Task                                                               Command Syntax                      Command Mode
1     Disable BFD sessions with all OSPF neighbors out of an interface.  ip ospf bfd all-neighbors disable   INTERFACE

Configuring BFD for IS-IS


BFD for IS-IS is supported on platform:

When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD
sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring
interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS
protocol that a link state change occurred.
Configuring BFD for IS-IS is a two-step process:
1. Enable BFD globally. See Enabling BFD globally on page 160.
2. Establish sessions for all or particular IS-IS neighbors. See page 170.

Related configuration tasks

Change session parameters. See page 171.


Disable BFD sessions for IS-IS. See page 171.


Establishing sessions with IS-IS neighbors


BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all
neighbors out of a specific interface.
Figure 95 Establishing Sessions with IS-IS Neighbors

[Topology: R1 (Level 1-2, Area 1) Gi 4/24 -- Gi 2/1 R2 (Level 2, Area 2) Gi 2/2 -- Gi 6/0 R3 (Level 1-2, Area 3); R3 Gi 6/1 connects to a non-IS-IS participating system]

R1:
Force10(conf)# router isis
Force10(conf-router_isis)# net 01.1921.6800.1001.00
Force10(conf-router_isis)# interface gigabitethernet 4/24
Force10(config-if-gi-4/24)# ip address 2.2.2.1/24
Force10(config-if-gi-4/24)# ip router isis
Force10(config-if-gi-4/24)# exit
Force10(conf)# router isis
Force10(conf-router_isis)# bfd all-neighbors

R2:
Force10(conf)# router isis
Force10(conf-router_isis)# net 02.1921.6800.2002.00
Force10(conf-router_isis)# interface gigabitethernet 2/1
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(config-if-gi-2/1)# ip router isis
Force10(config-if-gi-2/1)# exit
Force10(conf)# router isis
Force10(conf-router_isis)# bfd all-neighbors
Force10(conf-router_isis)# interface gigabitethernet 2/2
Force10(conf-if-gi-2/2)# ip address 2.2.3.1/24
Force10(config-if-gi-2/2)# ip router isis
Force10(config-if-gi-2/2)# exit
Force10(conf)# router isis
Force10(conf-router_isis)# bfd all-neighbors

R3:
Force10(conf)# router isis
Force10(conf-router_isis)# net 03.1921.6800.3003.00
Force10(conf-router_isis)# interface gigabitethernet 6/0
Force10(conf-if-gi-6/0)# ip address 2.2.3.2/24
Force10(config-if-gi-6/0)# ip router isis
Force10(config-if-gi-6/0)# exit
Force10(conf)# router isis
Force10(conf-router_isis)# bfd all-neighbors
Force10(conf-router_isis)# interface gigabitethernet 6/1
Force10(conf-if-gi-6/1)# ip address 2.2.4.1/24

To establish BFD with all IS-IS neighbors:

Step  Task                                           Command Syntax      Command Mode
1     Establish sessions with all IS-IS neighbors.   bfd all-neighbors   ROUTER-ISIS

To establish BFD with all IS-IS neighbors out of a single interface:

Step  Task                                                          Command Syntax            Command Mode
1     Establish sessions with all IS-IS neighbors out of an interface.  isis bfd all-neighbors   INTERFACE

View the established sessions using the command show bfd neighbors, as shown in Figure 96.


Figure 96 Viewing Established Sessions for IS-IS Neighbors

R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors

*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)

LocalAddr    RemoteAddr    Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2    2.2.2.1       Gi 2/1     Up     100     100     3     I
* 2.2.3.1    2.2.3.2       Gi 2/2     Up     100     100     3     I

Changing IS-IS session parameters

BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured for all IS-IS sessions or for all IS-IS sessions out of an interface; if you
change a parameter globally, the change affects all IS-IS neighbor sessions. If you change a parameter at
interface level, the change affects all IS-IS sessions on that interface.

To change parameters for all IS-IS sessions:

Step  Task                                       Command Syntax                             Command Mode
1     Change parameters for all IS-IS sessions.  bfd all-neighbors interval milliseconds    ROUTER-ISIS
                                                 min_rx milliseconds multiplier value
                                                 role [active | passive]

To change parameters for IS-IS sessions on an interface:

Step  Task                                                        Command Syntax                                   Command Mode
1     Change parameters for all IS-IS sessions out of an interface.  isis bfd all-neighbors interval               INTERFACE
                                                                     milliseconds min_rx milliseconds
                                                                     multiplier value role [active | passive]

View session parameters using the command show bfd neighbors detail, as shown in Figure 90 on
page 163.

Disabling BFD for IS-IS


If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a
Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the
remote system are placed in a Down state (Message 4 on page 163). Disabling BFD does not trigger a
change in BFD clients; a final Admin Down packet is sent before the session is terminated.


To disable BFD sessions with all IS-IS neighbors:

Step  Task                                            Command Syntax         Command Mode
1     Disable BFD sessions with all IS-IS neighbors.  no bfd all-neighbors   ROUTER-ISIS

To disable BFD sessions with all IS-IS neighbors out of an interface:

Step  Task                                                                Command Syntax                   Command Mode
1     Disable BFD sessions with all IS-IS neighbors out of an interface.  isis bfd all-neighbors disable   INTERFACE

Configuring BFD for VRRP


When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD
sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface
fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol
that a link state change occurred.
Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally. See Enabling BFD globally on page 160.
2. Establish VRRP BFD sessions with all VRRP-participating neighbors.
3. On the master router, establish a VRRP BFD session with the backup routers. See page 172.

Related configuration tasks

Change session parameters. See page 174.


Disable or re-enable BFD on an interface. See page 167.

Establishing sessions with all VRRP neighbors


BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a
particular neighbor.


Figure 97 Establishing Sessions with VRRP Neighbors

[Topology: R1 (BACKUP) Gi 4/25, 2.2.5.1/24, and R2 (MASTER) Gi 2/3, 2.2.5.2/24, share virtual IP address 2.2.5.4; a host with IP address 2.2.5.3 uses gateway 2.2.5.1]

R1:
Force10(config-if-range-gi-4/25)# ip address 2.2.5.1/24
Force10(config-if-range-gi-4/25)# no shutdown
Force10(config-if-range-gi-4/25)# vrrp-group 1
Force10(config-if-range-gi-4/25)# virtual-address 2.2.5.4
Force10(config-if-range-gi-4/25)# vrrp bfd all-neighbors
Force10(config-if-range-gi-4/25)# vrrp bfd neighbor 2.2.5.2

R2:
Force10(conf-if-gi-2/3)# ip address 2.2.5.2/24
Force10(config-if-gi-2/3)# no shutdown
Force10(config-if-gi-2/3)# vrrp-group 1
Force10(config-if-gi-2/3)# virtual-address 2.2.5.4
Force10(config-if-gi-2/3)# vrrp bfd all-neighbors
Force10(config-if-gi-2/3)# vrrp bfd neighbor 2.2.5.1

To establish sessions with all VRRP neighbors:

Step  Task                                          Command Syntax           Command Mode
1     Establish sessions with all VRRP neighbors.   vrrp bfd all-neighbors   INTERFACE

Establishing VRRP sessions on VRRP neighbors

The master router does not care about the state of the backup router, so it does not participate in any VRRP
BFD sessions. Therefore, VRRP BFD sessions on the backup router cannot change to the UP state. The
master router must be configured to establish an individual VRRP session with the backup router.

To establish a session with a particular VRRP neighbor:

Step  Task                                                  Command Syntax                 Command Mode
1     Establish a session with a particular VRRP neighbor.  vrrp bfd neighbor ip-address   INTERFACE

View the established sessions using the command show bfd neighbors, as shown in Figure 98.


Figure 98 Viewing Established Sessions for VRRP Neighbors

R1(conf-if-gi-4/25)#vrrp bfd all-neighbors
R1(conf-if-gi-4/25)#do show bfd neighbor

*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)
V     - VRRP

LocalAddr    RemoteAddr    Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.5.1    2.2.5.2       Gi 4/25    Down   1000    1000    3     V

Session state information is also shown in the show vrrp command output, as shown in Figure 99.

Figure 99 Viewing Established Sessions for VRRP Neighbors

R1(conf-if-gi-4/25)#do show vrrp
------------------
GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
State: Backup, Priority: 1, Master: 2.2.5.2
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 95, Bad pkts rcvd: 0, Adv sent: 933, Gratuitous ARP sent: 3
Virtual MAC address:
00:00:5e:00:01:01
Virtual IP address:
2.2.5.4
Authentication: (none)
BFD Neighbors:
RemoteAddr      State
2.2.5.2         Up

Changing VRRP session parameters

BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
You can change parameters for all VRRP sessions or for a particular neighbor.

To change parameters for all VRRP sessions:

Step  Task                                      Command Syntax                             Command Mode
1     Change parameters for all VRRP sessions.  vrrp bfd all-neighbors interval            INTERFACE
                                                milliseconds min_rx milliseconds
                                                multiplier value role [active | passive]


To change parameters for a particular VRRP session:

Step  Task                                          Command Syntax                               Command Mode
1     Change parameters for a particular VRRP session.  vrrp bfd neighbor ip-address interval    INTERFACE
                                                        milliseconds min_rx milliseconds
                                                        multiplier value role [active | passive]

View session parameters using the command show bfd neighbors detail, as shown in Figure 90 on
page 163.

Disabling BFD for VRRP


If any or all VRRP sessions are disabled, the sessions are torn down. A final Admin Down control packet
is sent to all neighbors and sessions on the remote system change to the Down state (Message 4 on
page 163).
To disable all VRRP sessions on an interface:

Step  Task                                        Command Syntax              Command Mode
1     Disable all VRRP sessions on an interface.  no vrrp bfd all-neighbors   INTERFACE

To disable all VRRP sessions in a particular VRRP group:

Step  Task                                        Command Syntax   Command Mode
1     Disable all VRRP sessions in a VRRP group.  bfd disable      VRRP

To disable a particular VRRP session:

Step  Task                                                Command Syntax                    Command Mode
1     Disable a particular VRRP session on an interface.  no vrrp bfd neighbor ip-address   INTERFACE

Configuring BFD for VLANs


BFD on Force10 systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD on
VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails,
the local system does not remove the connected route until the first failed attempt to send a packet. If BFD
is enabled, the local system removes the route when it stops receiving periodic control packets from the
remote system.


There is one BFD Agent for VLANs and port-channels, which resides on RP2 as opposed to the other
agents, which are on the line card. Therefore, the 100 total possible sessions that this agent can maintain are
shared between VLANs and port-channels.
Configuring BFD for VLANs is a two-step process:
1. Enable BFD globally on all participating routers. See Enabling BFD globally on page 160.
2. Establish sessions with VLAN neighbors. See page 176.

Related configuration tasks

Change session parameters. See page 177.


Disable BFD for VLANs. See page 167.

Establishing sessions with VLAN neighbors


To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in
Figure 100. The session parameters do not need to match.
Figure 100 Establishing Sessions with VLAN Neighbors

[Topology: R1 Gi 4/25 -- VLAN 200 -- Gi 2/3 R2]

R1:
Force10(config-if-gi-4/25)# switchport
Force10(config-if-gi-4/25)# no shutdown
Force10(config-if-gi-4/25)# interface vlan 200
Force10(config-if-vl-200)# ip address 2.2.3.1/24
Force10(config-if-vl-200)# untagged gigabitethernet 4/25
Force10(config-if-vl-200)# no shutdown
Force10(config-if-vl-200)# bfd neighbor 2.2.3.2

R2:
Force10(config-if-gi-2/3)# switchport
Force10(config-if-gi-2/3)# no shutdown
Force10(config-if-gi-2/3)# interface vlan 200
Force10(config-if-vl-200)# ip address 2.2.3.2/24
Force10(config-if-vl-200)# untagged gigabitethernet 2/3
Force10(config-if-vl-200)# no shutdown
Force10(config-if-vl-200)# bfd neighbor 2.2.3.1

To establish a BFD session with a VLAN neighbor:

Step  Task                                      Command Syntax            Command Mode
1     Establish sessions with a VLAN neighbor.  bfd neighbor ip-address   INTERFACE VLAN

View the established sessions using the command show bfd neighbors, as shown in Figure 101.


Figure 101 Viewing Established Sessions for VLAN Neighbors

R2(conf-if-vl-200)#bfd neighbor 2.2.3.1
R2(conf-if-vl-200)#do show bfd neighbors

*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)
V     - VRRP

LocalAddr    RemoteAddr    Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.3.2    2.2.3.1       Vl 200     Up     100     100     3     C

Changing session parameters


BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured per interface; if a configuration change is made, the change affects all
sessions on that interface.
Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Force10 recommends a
minimum value of 500 milliseconds for both the transmit and minimum receive time, which yields a final
detection time of 1500 milliseconds (500 ms x 3).

To change session parameters on an interface:

Step  Task                                                       Command Syntax                      Command Mode
1     Change session parameters for all sessions on an interface.  bfd interval milliseconds min_rx  INTERFACE VLAN
                                                                   milliseconds multiplier value
                                                                   role [active | passive]

View session parameters using the command show bfd neighbors detail, as shown in Figure 90 on
page 163.

Disabling BFD for VLANs


If BFD is disabled on an interface, sessions on the interface are torn down. A final Admin Down control
packet is sent to all neighbors, and sessions on the remote system change to the Down state (Message 4 on
page 163).
To disable BFD on a VLAN interface:

Step  Task                                      Command Syntax   Command Mode
1     Disable all sessions on a VLAN interface.  no bfd enable    INTERFACE VLAN


Configuring BFD for Port-Channels


BFD on port-channels is analogous to BFD on physical ports. If no routing protocol is enabled, and a
remote system fails, the local system does not remove the connected route until the first failed attempt to
send a packet. If BFD is enabled, the local system removes the route when it stops receiving periodic
control packets from the remote system.
There is one BFD Agent for VLANs and port-channels, which resides on RP2 as opposed to the other
agents, which are on the line card. Therefore, the 100 total possible sessions that this agent can maintain are
shared between VLANs and port-channels.
Configuring BFD for port-channels is a two-step process:
1. Enable BFD globally on all participating routers. See Enabling BFD globally on page 160.
2. Enable BFD at interface level at both ends of the port-channel. See page 178.

Related configuration tasks

Change session parameters. See page 180.

Disable BFD on a port-channel. See page 180.

Establishing sessions on port-channels


To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in
Figure 102. The session parameters do not need to match.


Figure 102 Establishing Sessions on Port-Channels

[Topology: Gi 4/24 and Gi 4/25 on one router -- Port Channel 1 -- Gi 2/1 and Gi 2/2 on the other router]

Router with Gi 4/24-25 (2.2.2.1):
Force10(config-if-range-gi-4/24-5)# port-channel-protocol lacp
Force10(config-if-range-gi-4/24-5)# port-channel 1 mode active
Force10(config-if-range-gi-4/24-5)# no shutdown
Force10(config-if-range-gi-4/24-5)# interface port-channel 1
Force10(config-if-po-1)# ip address 2.2.2.1/24
Force10(config-if-po-1)# no shutdown
Force10(config-if-po-1)# bfd neighbor 2.2.2.2

Router with Gi 2/1-2 (2.2.2.2):
Force10(config-if-range-gi-2/1-2)# port-channel-protocol lacp
Force10(config-if-range-gi-2/1-2)# port-channel 1 mode active
Force10(config-if-range-gi-2/1-2)# no shutdown
Force10(config-if-range-gi-2/1-2)# interface port-channel 1
Force10(config-if-po-1)# ip address 2.2.2.2/24
Force10(config-if-po-1)# no shutdown
Force10(config-if-po-1)# bfd neighbor 2.2.2.1
To establish a session on a port-channel:

Step  Task                                   Command Syntax            Command Mode
1     Establish a session on a port-channel.  bfd neighbor ip-address   INTERFACE PORT-CHANNEL

View the established sessions using the command show bfd neighbors, as shown in Figure 103.

Figure 103 Viewing Established Sessions on Port-Channels

R2(conf-if-po-1)#bfd neighbor 2.2.2.1
R2(conf-if-po-1)#do show bfd neighbors

*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)
V     - VRRP

LocalAddr    RemoteAddr    Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2    2.2.2.1       Po 1       Up     100     100     3     C


Changing port-channel session parameters


BFD sessions are configured with default intervals and a default role. The parameters that can be
configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
These parameters are configured per interface; if you change a parameter, the change affects all sessions on
that interface.
Caution: When configuring BFD on VLAN or LAG interfaces on the C-Series, Force10 recommends a
minimum value of 500 milliseconds for both the transmit and minimum receive time, which yields a final
detection time of 1500 milliseconds (500 ms x 3).

To change session parameters on an interface:

Step  Task                                                                    Command Syntax                      Command Mode
1     Change session parameters for all sessions on a port-channel interface.  bfd interval milliseconds min_rx  INTERFACE PORT-CHANNEL
                                                                                milliseconds multiplier value
                                                                                role [active | passive]

View session parameters using the command show bfd neighbors detail, as shown in Figure 90 on
page 163.

Disabling BFD for port-channels


If BFD is disabled on an interface, sessions on the interface are torn down. A final Admin Down control
packet is sent to all neighbors, and sessions on the remote system are placed in a Down state (Message 4 on
page 163).
To disable BFD for a port-channel:

Step  Task                            Command Syntax   Command Mode
1     Disable BFD for a port-channel.  no bfd enable    INTERFACE PORT-CHANNEL

Configuring Protocol Liveness


Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a
client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system
receive an Admin Down control packet and are placed in the Down state (Message 4 on page 163).
To enable Protocol Liveness:

Step  Task                       Command Syntax          Command Mode
1     Enable Protocol Liveness.  bfd protocol-liveness   CONFIGURATION


Troubleshooting BFD
Examine control packet field values using the command debug bfd detail. Figure 104 shows a three-way
handshake using this command.
Figure 104 debug bfd detail Command Output
R1(conf-if-gi-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state
to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:54:38 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
Version:1, Diag code:0, State:Down, Poll bit:0, Final bit:0, Demand bit:0
myDiscrim:4, yourDiscrim:0, minTx:1000000, minRx:1000000, multiplier:3, minEchoRx:0
00:54:38 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
Version:1, Diag code:0, State:Init, Poll bit:0, Final bit:0, Demand bit:0
myDiscrim:6, yourDiscrim:4, minTx:1000000, minRx:1000000, multiplier:3, minEchoRx:0
00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor
2.2.2.2 on interface Gi 4/24 (diag: 0)

Examine control packets in hexadecimal format using the command debug bfd packet.
Figure 105 debug bfd packet Command Output
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Received packet for session with neighbor 2.2.2.2 on Gi 4/24
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
00 01 86 a0 00 00 00 00
00:34:14 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:

The output for the command debug bfd event is the same as the log messages that appear on the console
by default.
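The following Python example ties together two passages above: the debug bfd detail and debug bfd packet output of Figures 104 and 105, and the C-Series caution in the session-parameter sections that a 500 ms transmit and minimum receive interval with the default multiplier of 3 gives a 1500 ms detection time. It is an added example, not part of the FTOS guide or of any Force10 software. It decodes a 24-byte BFD control packet into the fields debug bfd detail prints, computes the asynchronous-mode detection time from the negotiated intervals, and parses the %BFDMGR-1-BFD_STATE_CHANGE console messages so a monitoring job can flag sessions that are left in the Down state. The hex string and the two log lines are constructed samples copied from the figures; the field layout follows RFC 5880 section 4.1, not any FTOS-specific format.

```python
"""Decode BFD control packets and BFD state-change log lines (added example)."""
import re
import struct

BFD_STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

# Constructed sample: the 24-byte RX packet dump from Figure 105.
SAMPLE_RX_HEX = ("20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 "
                 "00 01 86 a0 00 00 00 00")

# Constructed sample: two console messages in the format shown in Figure 104
# (the first one still carries the CLI prompt, as on the console).
SAMPLE_LOG = "\n".join([
    "R1(conf-if-gi-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state "
    "to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)",
    "00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor "
    "2.2.2.2 on interface Gi 4/24 (diag: 0)",
])


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump, as printed by debug bfd packet, into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_bfd_control(raw: bytes) -> dict:
    """Decode the mandatory section of a BFD control packet (RFC 5880 section 4.1).

    Byte 0: Vers (3 bits) | Diag (5 bits)
    Byte 1: Sta (2 bits) | P | F | C | A | D | M flag bits
    Byte 2: Detect Mult          Byte 3: Length of the whole packet in bytes
    Bytes 4-23: My Discr, Your Discr, Desired Min TX, Required Min RX,
                Required Min Echo RX (32-bit each; intervals in microseconds)
    """
    if len(raw) < 24:
        raise ValueError("BFD control packet must be at least 24 bytes")
    version, diag = raw[0] >> 5, raw[0] & 0x1F
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if raw[3] != len(raw):
        raise ValueError(f"length field {raw[3]} does not match {len(raw)} bytes received")
    flags = raw[1]
    my_disc, your_disc, min_tx, min_rx, min_echo_rx = struct.unpack("!5I", raw[4:24])
    return {
        "version": version, "diag": diag,
        "state": BFD_STATES[flags >> 6],
        "poll": bool(flags & 0x20), "final": bool(flags & 0x10),
        "demand": bool(flags & 0x02),
        "multiplier": raw[2],
        "my_discrim": my_disc, "your_discrim": your_disc,
        "min_tx_us": min_tx, "min_rx_us": min_rx, "min_echo_rx_us": min_echo_rx,
    }


def detection_time_ms(local_min_rx_ms: int, remote_min_tx_ms: int, remote_multiplier: int) -> int:
    """Asynchronous-mode detection time (RFC 5880 section 6.8.4): the remote
    multiplier times the interval the remote actually transmits at, which is the
    larger of its Desired Min TX and our Required Min RX."""
    return remote_multiplier * max(local_min_rx_ms, remote_min_tx_ms)


# Matches the BFDMGR state-change message with or without a leading CLI prompt.
STATE_CHANGE_RE = re.compile(
    r"^(?:\S+#)?(?P<time>\d\d:\d\d:\d\d): .*%BFDMGR-1-BFD_STATE_CHANGE: Changed session state "
    r"to (?P<state>\w+) for neighbor (?P<neighbor>[\d.]+) on interface (?P<iface>.+?) "
    r"\(diag: (?P<diag>\d+)\)$"
)


def parse_state_changes(log_text: str) -> list:
    """Extract (time, neighbor, interface, state, diag) tuples from state-change lines."""
    events = []
    for line in log_text.splitlines():
        m = STATE_CHANGE_RE.match(line.strip())
        if m:
            events.append((m["time"], m["neighbor"], m["iface"], m["state"], int(m["diag"])))
    return events


def sessions_gone_down(log_text: str) -> list:
    """(neighbor, interface) pairs whose latest state change is to Down or AdminDown."""
    last = {}
    for _, neighbor, iface, state, _ in parse_state_changes(log_text):
        last[(neighbor, iface)] = state
    return sorted(key for key, state in last.items() if state in ("Down", "AdminDown"))


if __name__ == "__main__":
    print(parse_bfd_control(hex_dump_to_bytes(SAMPLE_RX_HEX)))  # State Up, myDiscrim 5, yourDiscrim 4
    print(detection_time_ms(500, 500, 3))   # 1500, the C-Series caution value
    print(sessions_gone_down(SAMPLE_LOG))   # [] because the last change is to Up
```

The decoded sample shows State Up, myDiscrim 5, yourDiscrim 4 and 100000 µs intervals with multiplier 3, which is the 100/100/3 row that show bfd neighbors prints in the earlier figures. Because the discriminators are the only thing binding a received packet to a session, checking that yourDiscrim matches the local myDiscrim before acting on a packet is the check a receiver performs before a Down or AdminDown in a packet can tear down a session.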


Chapter 8 Border Gateway Protocol IPv4 (BGPv4)

Border Gateway Protocol version 4 (BGPv4) is supported on platforms: C-Series, E-Series, and S-Series

Platforms support BGP according to the following table:

FTOS version    Platform support
8.1.1.0         E-Series ExaScale
7.8.1.0         S-Series
7.7.1.0         C-Series
pre-7.7.1.0     E-Series TeraScale

This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as
it is supported in the Force10 Operating System (FTOS).
This chapter includes the following topics:

Protocol Overview
Autonomous Systems (AS)
Sessions and Peers
Route Reflectors
Confederations
BGP Attributes
Best Path Selection Criteria
Weight
Local Preference
Multi-Exit Discriminators (MEDs)
AS Path
Next Hop
Multiprotocol BGP
Implementing BGP with FTOS
Advertise IGP cost as MED for redistributed routes
Ignore Router-ID for some best-path calculations


4-Byte AS Numbers
AS4 Number Representation
AS Number Migration
BGP4 Management Information Base (MIB)
Important Points to Remember
Configuration Information
Configuration Task List for BGP
MBGP Configuration
Storing Last and Bad PDUs
Capturing PDUs
PDU Counters
Sample Configurations

BGP protocol standards are listed in the Appendix A, Standards Compliance chapter.

Protocol Overview
Border Gateway Protocol (BGP) is an external gateway protocol that transmits interdomain routing
information within and between Autonomous Systems (AS). Its primary function is to exchange network
reachability information with other BGP systems. BGP generally operates with an Interior Gateway
Protocol (IGP) such as OSPF or RIP, allowing you to communicate with external ASs smoothly. BGP adds
reliability to network connections by having multiple paths from one router to another.

Autonomous Systems (AS)


BGP Autonomous Systems (ASs) are a collection of nodes under common administration, with common
network routing policies. Each AS has a number, already assigned by an internet authority. You do not
assign the BGP number.
AS Numbers (ASNs) are important because the ASN uniquely identifies each network on the Internet. The
IANA has reserved AS numbers 64512 through 65534 to be used for private purposes. The ASNs 0 and
65535 are reserved by the IANA and should not be used in a live environment.
Autonomous Systems can be grouped into three categories, defined by their connections and operation.
A multihomed AS is one that maintains connections to more than one other AS. This allows the AS to
remain connected to the internet in the event of a complete failure of one of its connections. However,
this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple
example of this is seen in Figure 106.
A stub AS is one that is connected to only one other AS.


A transit AS is one that provides connections through itself to separate networks. For example, as seen in
Figure 106, Router 1 can use Router 2 (the transit AS) to connect to Router 4. ISPs are always transit ASs,
because they provide connections from one network to another. The ISP is considered to be selling transit
service to the customer network, hence the term transit AS.

When BGP operates inside an Autonomous System (AS1 or AS2 as seen in Figure 106), it is
referred to as Internal BGP (IBGP, Interior Border Gateway Protocol). When BGP operates
between Autonomous Systems (AS1 and AS2), it is called External BGP (EBGP, Exterior Border
Gateway Protocol). IBGP provides routers inside the AS with the knowledge to reach routers external to
the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain
connectivity and accessibility.
Figure 106 BGP Autonomous Zones
[Figure: AS 1 and AS 2, each running Interior BGP among its routers (Routers 1 through 7), with Exterior BGP between the two autonomous systems]

BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP
is a path vector protocol: BGP maintains the path that update information takes as it diffuses through
the network. Updates traveling through the network and returning to the same node are easily detected
and discarded.
BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based
on path, network policies and/or rulesets. Unlike most protocols, BGP uses TCP as its transport protocol.
Since each pair of BGP routers talking to each other forms a session, a BGP network needs to be in full mesh.
This is a topology that has every router directly connected to every other router. For example, as seen in
Figure 107, four routers connected in a full mesh have three peers each, six routers have five peers each, and
eight routers in full mesh have seven peers each.


Figure 107 Full Mesh Examples
[Figure: full-mesh topologies of 4 routers, 6 routers, and 8 routers]
The number of BGP speakers each BGP peer must maintain increases exponentially. Network
management quickly becomes impossible.

Sessions and Peers


When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of
that session are Peers. A Peer is also called a Neighbor.

Establishing a session
Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic
routing policies.


In order to make decisions in its operations with other BGP peers, a BGP peer uses a simple finite state
machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For
each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The
BGP protocol defines the messages that each peer should exchange in order to change the session from one
state to another.
The first state is the Idle mode. BGP initializes all resources, refuses all inbound BGP connection attempts,
and initiates a TCP connection to the peer.
The next state is Connect. In this state the router waits for the TCP connection to complete, transitioning
to the OpenSent state if successful.
If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state
when the timer expires.
In the Active state, the router resets the ConnectRetry timer to zero, and returns to the Connect state.
Upon successful OpenSent transition, the router sends an Open message and waits for one in return.
Keepalive messages are exchanged next, and upon successful receipt, the router is placed in the
Established state. Keepalive messages continue to be sent at regular periods (established by the Keepalive
timer) to verify connections.
Once established, the router can now send/receive Keepalive, Update, and Notification messages to/from
its peer.

Peer Groups
Peer Groups are neighbors grouped according to common routing policies. They enable easier system
configuration and management by allowing groups of routers to share and inherit policies.
Peer groups also aid in convergence speed. When a BGP process needs to send the same information to a
large number of peers, it needs to set up a long output queue to get that information to all the proper peers.
If they are members of a peer group, however, the information can be sent to one place then passed onto
the peers within the group.

Route Reflectors
Route Reflectors reorganize the iBGP core into a hierarchy and allows some route advertisement rules.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and
its client peers form a route reflection cluster. Since BGP speakers announce only the best route for a given
prefix, route reflector rules are applied after the router makes its best path decision.

If a route was received from a nonclient peer, reflect the route to all client peers.
If the route was received from a client peer, reflect the route to all nonclient and all client peers.


To illustrate how these rules affect routing, see Figure 108 and the following steps. Routers B, C, D, E, and
G are members of the same AS, AS100. These routers are also in the same Route Reflection Cluster,
where Router D is the Route Reflector. Routers E and G are client peers of Router D; Routers B and C are
nonclient peers of Router D.
Figure 108 Route Reflection Example
[Figure: Router A sends an eBGP route to Router B; Routers B and C are nonclient iBGP peers of Route Reflector D; Routers E and G are Route Reflector client peers of D; Routers E and G have eBGP peers F and H respectively]

1. Router B receives an advertisement from Router A through eBGP. Since the route is learned through
eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is
Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3. Router D does not advertise the route to Router C because Router C is a nonclient peer and the route
advertisement came from Router B, which is also a nonclient peer.
4. Router D does reflect the advertisement to Routers E and G because they are client peers of Router D.
5. Routers E and G then advertise this iBGP-learned route to their eBGP peers, Routers F and H.
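The two reflection rules and the five steps above can be replayed on the Figure 108 topology. The following is an added example, not code from the FTOS guide or from Force10: the peer tables are constructed from the figure, and the assumption that a route is never advertised back to the peer it was learned from (standard BGP behaviour, not stated on the page) is this example's own.

```python
# Added example (not from the FTOS guide): route-reflection rules and iBGP/eBGP
# advertisement replayed on the AS100 topology of Figure 108. Router names and
# roles come from the text; the peer tables are constructed for this example.
from collections import deque

CLIENT, NONCLIENT = "client", "nonclient"

# iBGP sessions inside AS100 as drawn in Figure 108.
IBGP_PEERS = {
    "B": {"C", "D"},
    "C": {"B", "D"},
    "D": {"B", "C", "E", "G"},
    "E": {"D"},
    "G": {"D"},
}
# eBGP sessions leaving AS100 (Routers A, F and H are in other ASs).
EBGP_PEERS = {"B": {"A"}, "E": {"F"}, "G": {"H"}}
# Router D is the route reflector; its iBGP peers are classed as client or nonclient.
RR_ROLES = {"D": {"B": NONCLIENT, "C": NONCLIENT, "E": CLIENT, "G": CLIENT}}


def reflect_targets(roles, received_from):
    """Peers a route reflector re-advertises an iBGP-learned route to.

    Rule 1: route from a nonclient peer -> all client peers.
    Rule 2: route from a client peer    -> all nonclient and all client peers.
    Assumption (standard BGP behaviour, not stated on the page): the route is
    never sent back to the peer it was learned from.
    """
    if roles[received_from] == NONCLIENT:
        targets = {peer for peer, role in roles.items() if role == CLIENT}
    else:
        targets = set(roles)
    targets.discard(received_from)
    return targets


def ibgp_targets(router, learned_from, learned_via):
    """iBGP peers a router advertises its best route to."""
    if learned_via == "ebgp":
        return set(IBGP_PEERS[router])      # eBGP-learned: tell every iBGP peer
    if router in RR_ROLES:
        return reflect_targets(RR_ROLES[router], learned_from)
    return set()   # ordinary iBGP speaker: iBGP-learned routes are not re-advertised over iBGP


def propagate(origin_router, origin_peer):
    """Flood one eBGP route learned by origin_router from the external origin_peer.

    Returns (learned, events): learned maps router -> (learned_from, session) for
    every router that installs the route; events lists (sender, receiver, session).
    """
    learned = {origin_router: (origin_peer, "ebgp")}
    events = []
    queue = deque([origin_router])
    while queue:
        router = queue.popleft()
        learned_from, via = learned[router]
        for peer in sorted(ibgp_targets(router, learned_from, via)):
            events.append((router, peer, "ibgp"))
            if peer not in learned:
                learned[peer] = (router, "ibgp")
                queue.append(peer)
        # Every speaker advertises its best route to its eBGP peers (except the source).
        for peer in sorted(EBGP_PEERS.get(router, set()) - {learned_from}):
            events.append((router, peer, "ebgp"))
            learned.setdefault(peer, (router, "ebgp"))
    return learned, events


if __name__ == "__main__":
    for sender, receiver, session in propagate("B", "A")[1]:
        print(f"{sender} -> {receiver} ({session})")
```

Running it reproduces the five steps: B advertises to C and D, D reflects only to its clients E and G (never to the nonclient C), and E and G hand the route to F and H. Swapping the source to a client (for example a route E learns from F) exercises the second rule, under which D reflects to B, C and G.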

Confederations
Communities
BGP communities are sets of routes with one or more common attributes. This is a way to assign
common attributes to multiple routes at the same time.


Border Gateway Protocol IPv4 (BGPv4)

BGP Attributes
Routes learned via BGP have associated properties that are used to determine the best route to a destination
when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and
an understanding of how BGP attributes influence route selection is required for the design of robust
networks. This section describes the attributes that BGP uses in the route selection process:

Weight
Local Preference
Multi-Exit Discriminators (MEDs)
Origin
AS Path
Next Hop

Best Path Selection Criteria


Paths for active routes are grouped in ascending order according to their neighboring external AS number
(BGP best path selection is deterministic by default, which means the bgp non-deterministic-med
command is NOT applied).
The best path in each group is selected based on specific criteria. Only one best path is selected at a time.
If any of the criteria results in more than one path, BGP moves on to the next option in the list. For
example, two paths may have the same weights but different local preferences. BGP sees that the Weight
criterion results in two potential best paths and moves to local preference to reduce the options. After a
best path has been determined for each group, the same selection criteria are applied to the group best paths
to determine the ultimate best path.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared
in the order in which they arrive. This method can lead to FTOS choosing different best paths from a set of
paths, depending on the order in which they were received from the neighbors, since MED may or may not
get compared between adjacent paths. In deterministic mode, FTOS compares MED between adjacent
paths within an AS group since all paths in the AS group are from the same AS.


Figure 109 illustrates the decisions BGP goes through to select the best path. The list following the
illustration details the path selection criteria.
Figure 109 BGP Best Path Selection
Diagram: the checks are applied in order: Highest Weight, Highest Local Pref, Locally Originated Path, Shortest AS Path, Lowest Origin Code, Lowest MED, Learned via EBGP, Lowest NEXT-HOP Cost. Whenever a check does not result in a single route, the next check is applied. The tie breakers are Lowest Cluster ID List, then Lowest Router ID, then Lowest Neighbor Addr. A single route is selected and installed in the routing table.

Best Path selection details


1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command, or
aggregate-address command.

Routes originated with the network or redistribute commands are preferred over routes
originated with the aggregate-address command.

4. Prefer the path with the shortest AS_PATH (unless the bgp bestpath as-path ignore command is
configured, in which case AS_PATH is not considered). The following criteria apply:


An AS_SET has a path length of 1, no matter how many ASs are in the set.
A path with no AS_PATH configured has a path length of 0.
AS_CONFED_SET is not included in the AS_PATH length.
AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the
AS_CONFED_SEQUENCE.

5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than
INCOMPLETE).
6. Prefer the path with the lowest Multi-Exit Discriminator (MED) attribute. The following criteria apply:

This comparison is only done if the first (neighboring) AS is the same in the two paths; the
MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
If the bgp always-compare-med command is entered, MEDs are compared for all paths.
Paths with no MED are treated as worst and assigned a MED of 4294967295.

7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
8. Prefer the path with the lowest IGP metric to the BGP next-hop.
9. FTOS deems the paths equal and does not perform steps 9 through 11 listed below if all of the following
criteria are met:

IBGP multipath or EBGP multipath is configured (maximum-path command)
the paths being compared were received from the same AS with the same number of ASs in
the AS Path but with different next hops
the paths were received from IBGP or EBGP neighbors respectively

10. If the bgp bestpath router-id ignore command is enabled:

If the Router-ID is the same for multiple paths (because the routes were received from the
same router), skip this step.
If the Router-ID is NOT the same for multiple paths, prefer the path that was first received as
the best path. The path selection algorithm returns without performing any of the
checks outlined below.

11. Prefer the path originated from the BGP router with the lowest router ID. For paths containing a Route
Reflector (RR) attribute, the originator ID is substituted for the router ID.
12. If two paths have the same router ID, prefer the path with the lowest cluster ID length. Paths without a
cluster ID length are set to a 0 cluster ID length.
13. Prefer the path originated from the neighbor with the lowest address. (The neighbor address is used in
the BGP neighbor configuration, and corresponds to the remote peer used in the TCP connection with
the local router.)
After a best path has been determined for each group, the same selection criteria are applied to the group
best paths to determine the ultimate best path.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared
in the order in which they arrive. This method can lead to FTOS choosing different best paths from a set of
paths, depending on the order in which they were received from the neighbors, since MED may or may not
get compared between adjacent paths. In deterministic mode, FTOS compares MED between adjacent
paths within an AS group since all paths in the AS group are from the same AS.
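The selection list above, together with the per-neighboring-AS grouping of deterministic mode, can be written as a pairwise comparator. The following is an added example and not code from the FTOS guide or Force10's implementation: the Path fields, the sample paths and the option names always_compare_med and as_path_ignore (standing in for the bgp always-compare-med and bgp bestpath as-path ignore commands) are this example's own. Steps 9 and 10 (multipath equality and bgp bestpath router-id ignore) are left out, so every comparison ends in a single path.

```python
# Added example (not from the FTOS guide): best-path comparator for steps 1-8 and
# 11-13 above, plus the deterministic grouping by neighboring AS. Fields, sample
# paths and option names are constructed for this example.
from dataclasses import dataclass
from functools import reduce
from ipaddress import ip_address

MISSING_MED = 4294967295                         # a path with no MED is treated as worst
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}
# network/redistribute beat aggregate-address; a path that is not locally originated ranks last
LOCAL_ORIGIN_RANK = {"network": 0, "redistribute": 0, "aggregate": 1, None: 2}


@dataclass
class Path:
    name: str
    as_path: list                # [(segment_type, [asn, ...]), ...]
    weight: int = 0
    local_pref: int = 100
    local_origin: str = None     # "network", "redistribute", "aggregate" or None
    origin: str = "igp"
    med: int = None              # None = MED attribute absent
    ebgp: bool = True
    igp_metric: int = 0          # IGP cost to the BGP next hop
    router_id: str = "0.0.0.0"   # originator ID substituted for reflected paths
    cluster_list_len: int = 0
    neighbor: str = "0.0.0.0"    # neighbor address of the TCP session


def as_path_length(as_path):
    """AS_PATH length using the segment rules of step 4."""
    length = 0
    for kind, asns in as_path:
        if kind == "AS_SEQUENCE":
            length += len(asns)
        elif kind in ("AS_SET", "AS_CONFED_SEQUENCE"):
            length += 1          # counts as 1 however many ASs it holds
        # AS_CONFED_SET is not included in the length
    return length


def neighboring_as(as_path):
    """First AS of the first AS_SEQUENCE; None for a locally originated path."""
    for kind, asns in as_path:
        if kind == "AS_SEQUENCE" and asns:
            return asns[0]
    return None


def prefer(a, b, always_compare_med=False, as_path_ignore=False):
    """Return whichever of a and b wins; the lower key wins at the first step that differs."""
    steps = [
        lambda p: -p.weight,                                 # 1 largest WEIGHT
        lambda p: -p.local_pref,                             # 2 largest LOCAL_PREF
        lambda p: LOCAL_ORIGIN_RANK[p.local_origin],         # 3 locally originated
    ]
    if not as_path_ignore:
        steps.append(lambda p: as_path_length(p.as_path))    # 4 shortest AS_PATH
    steps.append(lambda p: ORIGIN_RANK[p.origin])            # 5 lowest ORIGIN
    if always_compare_med or neighboring_as(a.as_path) == neighboring_as(b.as_path):
        steps.append(lambda p: MISSING_MED if p.med is None else p.med)  # 6 lowest MED
    steps += [
        lambda p: 0 if p.ebgp else 1,                        # 7 EBGP before IBGP
        lambda p: p.igp_metric,                              # 8 lowest IGP metric to next hop
        lambda p: ip_address(p.router_id),                   # 11 lowest router ID
        lambda p: p.cluster_list_len,                        # 12 shortest cluster list
        lambda p: ip_address(p.neighbor),                    # 13 lowest neighbor address
    ]
    for key in steps:
        ka, kb = key(a), key(b)
        if ka != kb:
            return a if ka < kb else b
    return a


def select_best(paths, **options):
    """Deterministic mode: best path per neighboring-AS group, then best of the group bests."""
    groups = {}
    for p in paths:
        groups.setdefault(neighboring_as(p.as_path), []).append(p)
    order = sorted(groups, key=lambda asn: (asn is None, asn or 0))
    group_best = [reduce(lambda x, y: prefer(x, y, **options), groups[asn]) for asn in order]
    return reduce(lambda x, y: prefer(x, y, **options), group_best)


# Constructed sample: three eBGP paths to one prefix, two via AS 701 and one via AS 209.
SAMPLE = [
    Path("via-701-a", [("AS_SEQUENCE", [701, 3549])], med=50, router_id="10.0.0.2", neighbor="10.1.1.1"),
    Path("via-701-b", [("AS_SEQUENCE", [701, 7018])], med=20, router_id="10.0.0.2", neighbor="10.1.1.2"),
    Path("via-209", [("AS_SEQUENCE", [209, 22291])], med=None, router_id="10.0.0.1", neighbor="10.1.1.3"),
]
```

With the defaults, the two AS 701 paths are compared on MED (20 beats 50) but the AS 209 path is not, so the choice between the group winners falls through to the router ID and via-209 wins. With always_compare_med the missing MED on via-209 counts as 4294967295 and via-701-b wins instead, which is the behaviour the bgp always-compare-med command changes.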


Weight
The Weight attribute is local to the router and is not advertised to neighboring routers. If the router learns
about more than one route to the same destination, the route with the highest weight is preferred. The
route with the highest weight is installed in the IP routing table.

Local Preference
Local Preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the
number, the greater the preference for the route.
The Local Preference (LOCAL_PREF) is one of the criteria used to determine the best path, so keep in
mind that other criteria may impact selection, as shown in Figure 109. For this example, assume that
LOCAL_PREF is the only attribute applied. In Figure 110, AS100 has two possible paths to AS 200.
Although the path through Router A is shorter (one hop instead of two), the LOCAL_PREF settings
have the preferred path go through Router B and AS300. This is advertised to all routers within AS100,
causing all BGP speakers to prefer the path through Router B.
Figure 110 LOCAL_PREF Example
Diagram: Routers A and B are in AS 100. A T1 link from Router A (Set Local Preference to 100) and an OC3 link from Router B (Set Local Preference to 200) lead toward AS 200 (Router C, Router E) and AS 300 (Router D, Router F).

Multi-Exit Discriminators (MEDs)


If two Autonomous Systems (AS) connect in more than one place, a Multi-Exit Discriminator (MED) can
be used to indicate which of the paths is preferred. The MED is one of the criteria used to determine the best
path, so keep in mind that other criteria may impact selection, as shown in Figure 109.


One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this
example, assume the MED is the only attribute applied. In Figure 111, AS100 and AS200 connect in two
places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED
for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised
to AS100 routers so they know which is the preferred path.
A MED is a non-transitive attribute. If AS100 sends a MED to AS200, AS200 does not pass it on to
AS300 or AS400. The MED is a locally relevant attribute to the two participating Autonomous Systems
(AS100 and AS200).
Note that the MEDs are advertised across both links, so that if a link goes down AS 1 still has connectivity
to AS300 and AS400.
Figure 111 MED Route Example
Diagram: AS 100 (Routers A and B) connects to AS 200 (Routers C, D, and E) in two places: a T1 link with MED set to 100 and an OC3 link with MED set to 50.

Note: With FTOS Release 8.3.1.0, configuring the set metric-type internal command in a route-map
advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set
metric value overwrites the default IGP cost.

Origin
The Origin indicates the origin of the prefix, or how the prefix came into BGP. There are three Origin
codes: IGP, EGP, INCOMPLETE.

IGP indicates the prefix originated from information learned through an interior gateway protocol.
EGP indicates the prefix originated from information learned from the EGP protocol, which BGP
replaced.
INCOMPLETE indicates that the prefix originated from an unknown source.


Generally, an IGP indicator means that the route was derived inside the originating AS. EGP generally
means that a route was learned from an external gateway protocol. An INCOMPLETE origin code
generally results from aggregation, redistribution or other indirect ways of installing routes into BGP.
In FTOS, these origin codes appear as shown in Figure 112. The question mark (?) indicates an Origin
code of INCOMPLETE. The lower case letter (i) indicates an Origin code of IGP.
Figure 112 Origin attribute reported
Force10#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop         Metric   LocPrf   Weight   Path
*>  7.0.0.0/29       10.114.8.33      0        0        18508    ?
*>  7.0.0.0/30       10.114.8.33      0        0        18508    ?
*>  9.2.0.0/16       10.114.8.33      10       0        18508    701 i

AS Path
The AS Path is the list of all Autonomous Systems that the prefixes listed in the update have passed
through. The local AS number is added by the BGP speaker when advertising to an eBGP neighbor.
In FTOS the AS Path is shown as in Figure 113. Note that the Origin attribute is shown following the AS Path
information.


Figure 113 AS Path attribute reported
Force10#show ip bgp paths
Total 30655 Paths
Address     Hash   Refcount   Metric   Path
0x4014154   0      3          18508    701 3549 19421 i
0x4013914   0      3          18508    701 7018 14990 i
0x5166d6c   0      3          18508    209 4637 1221 9249 9249 i
0x5e62df4   0      2          18508    701 17302 i
0x3a1814c   0      26         18508    209 22291 i
0x567ea9c   0      75         18508    209 3356 2529 i
0x6cc1294   0      2          18508    209 1239 19265 i
0x6cc18d4   0      1          18508    701 2914 4713 17935 i
0x5982e44   0      162        18508    209 i
0x67d4a14   0      2          18508    701 19878 ?
0x559972c   0      31         18508    209 18756 i
0x59cd3b4   0      2          18508    209 7018 15227 i
0x7128114   0      10         18508    209 3356 13845 i
0x536a914   0      3          18508    209 701 6347 7781 i
0x2ffe884   0      1          18508    701 3561 9116 21350 i

Next Hop
The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop
address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address
is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another
BGP speaker outside its local AS. It can also be set when advertising routes within an AS. The Next Hop
attribute also serves as a way to direct traffic to another BGP speaker, rather than waiting for a speaker to
advertise.
FTOS allows you to set the Next Hop attribute in the CLI. Setting the Next Hop attribute lets you
designate a router as the next hop for a BGP neighbor.

Multiprotocol BGP

MBGP for IPv4 Multicast is supported on platforms C-Series, E-Series, and S-Series.
MBGP for IPv6 unicast is supported on platforms E-Series and C-Series.

Multiprotocol Extensions for BGP (MBGP) is defined in IETF RFC 2858. MBGP allows different types of
address families to be distributed in parallel. This allows information about the topology of IP
Multicast-capable routers to be exchanged separately from the topology of normal IPv4 and IPv6 unicast
routers. It allows a multicast routing topology different from the unicast routing topology.
Note: It is possible to configure BGP peers that exchange both unicast and multicast network layer
reachability information (NLRI), but you cannot connect Multiprotocol BGP with BGP. Therefore, you
cannot redistribute Multiprotocol BGP routes into BGP.


Implementing BGP with FTOS


Advertise IGP cost as MED for redistributed routes
When using multipath connectivity to an external AS, you can advertise the MED value selectively to each
peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting
others to a constant pre-defined metric as the MED value.
FTOS 8.3.1.0 and later support configuring the set metric-type internal command in a route-map to
advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes. The configured set
metric value overwrites the default IGP cost.
By using the redistribute command in conjunction with the route-map command, you can specify
whether a peer advertises the standard MED or uses the IGP cost as the MED.
Note the following when configuring this functionality:

If the redistribute command does not have any metric configured and the BGP peer outbound route-map
does have metric-type internal configured, BGP advertises the IGP cost as the MED.
If the redistribute command has a metric configured (route-map set metric or redistribute route-type
metric) and the BGP peer outbound route-map has metric-type internal configured, BGP advertises
the metric configured in the redistribute command as the MED.
If the BGP peer outbound route-map has a metric configured, it overrides all other metrics.
Note: When redistributing static, connected or OSPF routes, there is no metric option. Simply assign the
appropriate route-map to the redistributed route.

Table 14 gives some examples of these rules.

Table 14 Example MED advertisement

Command Settings                            BGP Local Routing Information Base   MED Advertised to Peer WITH route-map metric-type internal   MED Advertised to Peer WITHOUT route-map metric-type internal
redistribute isis (IGP cost = 20)           MED: IGP cost 20                     MED = 20                                                     MED = 0
redistribute isis route-map set metric 50   MED: IGP cost 50                     MED: 50                                                      MED: 50
redistribute isis metric 100                MED: IGP cost 100                    MED: 100                                                     MED: 100
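The three rules and the rows of Table 14 can be checked mechanically against a configuration. The following is an added example, not code from the FTOS guide or from Force10: it parses a constructed snippet written in FTOS-like syntax (redistribute, route-map with set metric / set metric-type internal, and neighbor ... route-map ... out) and derives the MED each peer would be sent. The parser, the function names and the behaviour where none of the rules applies (MED 0, as the table's last column shows) are this example's assumptions.

```python
# Added example (not from the FTOS guide): derive the advertised MED for a peer
# from the redistribute / route-map / neighbor ... out statements using the three
# rules above. Configuration text below is constructed in FTOS-like syntax.

def parse_bgp_config(text):
    """Return (redistribute, route_maps, peer_out_maps) from a config snippet."""
    redistribute = {}   # protocol -> {"metric": int|None, "route_map": str|None}
    route_maps = {}     # name -> {"metric": int|None, "metric_type_internal": bool}
    peer_out = {}       # neighbor address -> outbound route-map name
    current = None      # route-map whose set statements are being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "route-map":
            current = route_maps.setdefault(tok[1], {"metric": None, "metric_type_internal": False})
        elif tok[0] == "set" and current is not None:
            if tok[1] == "metric":
                current["metric"] = int(tok[2])
            elif tok[1] == "metric-type" and tok[2] == "internal":
                current["metric_type_internal"] = True
        elif tok[0] == "match":
            continue                       # match clauses do not affect the MED rules
        else:
            current = None                 # any other command ends the route-map block
            if tok[0] == "redistribute":
                entry = {"metric": None, "route_map": None}
                if "metric" in tok:
                    entry["metric"] = int(tok[tok.index("metric") + 1])
                if "route-map" in tok:
                    entry["route_map"] = tok[tok.index("route-map") + 1]
                redistribute[tok[1]] = entry
            elif tok[0] == "neighbor" and "route-map" in tok and tok[-1] == "out":
                peer_out[tok[1]] = tok[tok.index("route-map") + 1]
    return redistribute, route_maps, peer_out


NO_MAP = {"metric": None, "metric_type_internal": False}


def advertised_med(config_text, protocol, peer, igp_cost):
    """MED advertised to `peer` for routes redistributed from `protocol` (IGP cost igp_cost)."""
    redistribute, route_maps, peer_out = parse_bgp_config(config_text)
    out_map = route_maps.get(peer_out.get(peer), NO_MAP)
    if out_map["metric"] is not None:          # rule 3: outbound route-map metric overrides all
        return out_map["metric"]
    entry = redistribute[protocol]
    redist_map = route_maps.get(entry["route_map"], NO_MAP)
    metric = redist_map["metric"] if redist_map["metric"] is not None else entry["metric"]
    if metric is not None:                     # rule 2: redistribute metric is advertised as MED
        return metric
    return igp_cost if out_map["metric_type_internal"] else 0   # rule 1 (0 assumed otherwise)


# Constructed configuration: peer .1 uses metric-type internal, peer .2 has a plain
# route-map, peer .3 forces a metric; the redistribute line is swapped per table row.
BASE_CONFIG = """\
 neighbor 10.0.0.1 route-map TO-PEER1 out
 neighbor 10.0.0.2 route-map TO-PEER2 out
 neighbor 10.0.0.3 route-map FORCE7 out
!
route-map TO-PEER1 permit 10
 set metric-type internal
!
route-map TO-PEER2 permit 10
!
route-map SET50 permit 10
 set metric 50
!
route-map FORCE7 permit 10
 set metric 7
"""


def table14_config(redistribute_line):
    """Config for one row of Table 14, given its redistribute statement."""
    return f"router bgp 100\n {redistribute_line}\n" + BASE_CONFIG
```

For the first row, advertised_med(table14_config("redistribute isis"), "isis", "10.0.0.1", 20) gives 20 and the same call for 10.0.0.2 gives 0; the route-map and metric rows give 50 and 100 to both peers, and peer 10.0.0.3 always receives 7 because its outbound route-map sets a metric.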


Ignore Router-ID for some best-path calculations


FTOS 8.3.1.0 and later allow you to avoid unnecessary BGP best-path transitions between external paths
under certain conditions. The bgp bestpath router-id ignore command reduces network disruption
caused by routing and forwarding plane changes and allows for faster convergence.

4-Byte AS Numbers
FTOS Version 7.7.1 and later support the 4-Byte (32-bit) format when configuring Autonomous System
Numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN
message. If a 4-Byte BGP speaker has sent and received this capability from another speaker, all the
messages are 4-octet. The behavior of a 4-Byte BGP speaker toward a peer differs depending
on whether the peer is a 4-Byte or a 2-Byte BGP speaker.
Where the 2-Byte format is 1-65535, the 4-Byte format is 1-4294967295. Enter AS Numbers using the
traditional format. If the ASN is greater than 65535, the dot format is shown when using the show ip bgp
commands. For example, an ASN entered as 3183856184 appears in the show commands as
48581.51768; an ASN of 65123 is shown as 65123. To calculate the comparable dot format for an ASN
in traditional format, use ASN/65536 (integer division) for the part before the dot and ASN%65536 for the part after it.
Table 15 4-Byte ASN Dot Format Examples
Traditional Format   Is The Same As   Dot Format
65001                                 0.65501
65536                                 1.0
100000                                1.34464
4294967295                            65535.65535

When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified
routers. You cannot mix them.
Configure the 4-Byte AS numbers with the bgp four-octet-as-support command.

AS4 Number Representation


FTOS version 8.2.1.0 supports multiple representations of 4-byte AS Numbers: asplain, asdot+, and
asdot.
Note: The ASDOT and ASDOT+ representations are supported only in conjunction with the 4-Byte AS
Numbers feature. If 4-Byte AS Numbers are not implemented, only ASPLAIN representation is supported.

ASPLAIN is the method FTOS has used for all previous FTOS versions. It remains the default method with
FTOS 8.2.1.0 and later. With the ASPLAIN notation, a 32-bit binary AS number is translated into a
decimal value.

All AS Numbers between 0-65535 are represented as a decimal number when entered in the CLI as
well as when displayed in the show command outputs.
AS Numbers larger than 65535 are represented using ASPLAIN notation as well. 65546 is
represented as 65546.

ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a
decimal point (.): <high-order 16 bit value>.<low-order 16 bit value>. Some examples are shown in
Table 15.

All AS Numbers between 0-65535 are represented as a decimal number, when entered in the CLI as
well as when displayed in the show command outputs.
AS Numbers larger than 65535 are represented using ASDOT notation as <higher 2 bytes in
decimal>.<lower 2 bytes in decimal>. For example: AS 65546 is represented as 1.10.

ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS Numbers less than
65536 appear in integer format (asplain); AS Numbers equal to or greater than 65536 appear using the
decimal method (asdot+). For example, the AS Number 65526 appears as 65526, and the AS Number
65546 appears as 1.10.
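The three notations, the ASN/65536 and ASN%65536 rule of Table 15 and the dot-format examples above can be exercised with a few conversion routines. The following is an added example, not code from the FTOS guide or Force10; the function names and the parser that accepts either form (useful when comparing configurations saved under different bgp asnotation settings, as in Figure 114) are this example's own.

```python
# Added example (not from the FTOS guide): ASPLAIN / ASDOT+ / ASDOT rendering of
# AS numbers and a parser that accepts either form. Function names are constructed.

MAX_ASN = 4294967295     # largest 4-Byte AS number
MAX_HALF = 65535         # largest value of either 16-bit half in dot notation


def asdot_plus(asn):
    """ASDOT+: always <high 16 bits>.<low 16 bits>, e.g. 65546 -> '1.10'."""
    return f"{asn // 65536}.{asn % 65536}"


def asdot(asn):
    """ASDOT: plain integer below 65536, ASDOT+ form from 65536 upward."""
    return str(asn) if asn < 65536 else asdot_plus(asn)


def format_asn(asn, notation="asplain"):
    """Render an AS number the way 'bgp asnotation <notation>' would display it."""
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"AS number out of range: {asn}")
    if notation == "asplain":
        return str(asn)
    if notation == "asdot+":
        return asdot_plus(asn)
    if notation == "asdot":
        return asdot(asn)
    raise ValueError(f"unknown notation: {notation}")


def parse_asn(text):
    """Accept '65546', '1.10' or '65535.65535' and return the integer AS number."""
    text = text.strip()
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_HALF and 0 <= low <= MAX_HALF):
            raise ValueError(f"dot-format halves must be 0-65535: {text}")
        asn = high * 65536 + low
    else:
        asn = int(text)
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"AS number out of range: {text}")
    return asn


def same_asn(a, b):
    """True when two AS numbers written in any notation denote the same AS."""
    return parse_asn(a) == parse_asn(b)


if __name__ == "__main__":
    for asn in (65001, 65536, 100000, 3183856184, 4294967295):
        print(asn, format_asn(asn, "asdot+"), format_asn(asn, "asdot"))
```

Because parse_asn normalizes both forms to an integer, same_asn("1.10", "65546") is true, which is what a comparison of two running-configs captured under different notations needs; comparing the strings directly would report a difference where none exists.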

Dynamic AS Number Notation application


FTOS 8.3.1.0 applies the ASN Notation type change dynamically to the running-config statements. When
you apply or change an asnotation, the type selected is reflected immediately in the running-configuration
and the show commands (Figure 114 and Figure 115).


Figure 114 Dynamic changes of the bgp asnotation command in the show running config
ASDOT
Force10(conf-router_bgp)#bgp asnotation asdot
Force10(conf-router_bgp)#show conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
<output truncated>
Force10(conf-router_bgp)#do show ip bgp
BGP table version is 24901, local router ID is 172.30.1.57
<output truncated>

ASDOT+
Force10(conf-router_bgp)#bgp asnotation asdot+
Force10(conf-router_bgp)#show conf
!
router bgp 100
bgp asnotation asdot+
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
<output truncated>
Force10(conf-router_bgp)#do show ip bgp
BGP table version is 31571, local router ID is 172.30.1.57
<output truncated>

AS-PLAIN
Force10(conf-router_bgp)#bgp asnotation asplain
Force10(conf-router_bgp)#sho conf
!
router bgp 100
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
<output truncated>
Force10(conf-router_bgp)#do sho ip bgp
BGP table version is 34558, local router ID is 172.30.1.57
<output truncated>


Figure 115 Dynamic changes when bgp asnotation command is disabled in the show running config
AS NOTATION DISABLED
Force10(conf-router_bgp)#no bgp asnotation
Force10(conf-router_bgp)#sho conf
!
router bgp 100
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
<output truncated>
Force10(conf-router_bgp)#do sho ip bgp
BGP table version is 28093, local router ID is 172.30.1.57

AS4 SUPPORT DISABLED


Force10(conf-router_bgp)#no bgp four-octet-as-support
Force10(conf-router_bgp)#sho conf
!
router bgp 100
neighbor 172.30.1.250 local-as 65057
Force10(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57

AS Number Migration
When migrating one AS to another, perhaps combining ASs, an eBGP network may lose its routing to an
iBGP network if the ASN changes. Migration can be difficult, as all the iBGP and eBGP peers of the migrating
network need to be updated to maintain network reachability. With this feature you can transparently
change the AS number of an entire BGP network and ensure that the routes are propagated throughout the
network while the migration is in progress. Essentially, Local-AS gives the BGP speaker the capability
to operate as if it belongs to a "virtual" AS network besides its physical AS network.
Figure 116 shows a scenario where Router A, Router B and Router C belong to AS 100, 200, and 300
respectively. Router A acquired Router B; Router B has Router C as its customer. When Router B is
migrating to Router A, it needs to maintain the connection with Router C without immediately updating
Router C's configuration. Local-AS allows this to happen by allowing Router B to appear as if it still
belongs to Router B's old network (AS 200) as far as communicating with Router C is concerned.


Figure 116 Local-AS Scenario
Diagram, Before Migration: Router A (AS 100), Router B (AS 200), and Router C (AS 300). After Migration, with Local-AS enabled: Router A and Router B are both in AS 100, and Router B presents Local AS 200 toward Router C (AS 300).


When you complete your migration and have reconfigured your network with the new information,
you must disable this feature.
If the no prepend option is used, the local-as is not prepended to the updates received from the
eBGP peer. If no prepend is not selected (the default), the local-as is added to the first AS segment in the
AS-PATH. If an inbound route-map is used to prepend the as-path to the update from the peer, the local-as
is added first. For example, consider the topology described in Figure 116. If Router B has an inbound
route-map applied on Router C to prepend "65001 65002" to the as-path, the following events take
place on Router B:
1. Receive and validate the update
2. Prepend local-as 200 to as-path
3. Prepend "65001 65002" to as-path


Local-as is prepended before the route-map to give the impression that the update passed through a router in AS
200 before it reached Router B.
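The ordering of the three steps determines where local-as 200 ends up in the stored AS-PATH. The following is an added example, not code from the FTOS guide or Force10: the function name, the AS-PATH representation as a plain list and the loop check in the "validate" step (an update already carrying the router's own AS is rejected, the default behaviour that the "Allow an AS number to appear in its own AS path" task later relaxes) are this example's assumptions.

```python
# Added example (not from the FTOS guide): the order in which Router B applies
# local-as and an inbound route-map prepend to an update from its eBGP peer.
# The loop check in step 1 and the list representation are assumptions.

def inbound_as_path(received_as_path, local_as, real_as, no_prepend=False, route_map_prepend=()):
    """Return the AS-PATH stored after processing an update from an eBGP peer, or
    None when the update is rejected by the validate step.

    1. Receive and validate: an AS-PATH that already contains our real AS is a loop.
    2. Prepend local-as, unless 'no prepend' is configured.
    3. Apply the inbound route-map prepend, which therefore lands in front of local-as.
    """
    path = list(received_as_path)
    if real_as in path:                           # step 1 (assumed loop detection)
        return None
    if not no_prepend:
        path = [local_as] + path                  # step 2: local-as joins the first segment
    path = list(route_map_prepend) + path         # step 3: route-map prepend goes in front
    return path


if __name__ == "__main__":
    # Figure 116: Router B (real AS 100, local-as 200) receives a path from Router C (AS 300).
    print(inbound_as_path([300], local_as=200, real_as=100, route_map_prepend=[65001, 65002]))
```

For the Figure 116 case the stored path is 65001 65002 200 300: AS 200 sits directly in front of Router C's AS 300, exactly as if a router in AS 200 had forwarded the update, while the route-map prepend appears further to the left. With no prepend, 200 is absent and the path is 65001 65002 300.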

BGP4 Management Information Base (MIB)


The FORCE10-BGP4-V2-MIB enhances FTOS BGP Management Information Base (MIB) support with
many new SNMP objects and notifications (traps) defined in the draft-ietf-idr-bgp4-mibv2-05. To see these
enhancements, download the MIB from the Force10 website, www.force10networks.com.
Note: See the Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation.

Important Points to Remember


In the f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex and
f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices
are assigned to the AS segments and to the individual ASNs in each segment, starting from 0. For example, an
AS path list of {200 300 400} 500 consists of two segments: {200 300 400} with segment index 0 and
500 with segment index 1. ASNs 200, 300, and 400 are assigned element indices 0, 1, and 2, in that
order.
Unknown optional transitive attributes within a given path attribute (PA) are assigned indices in order.
These indices correspond to the f10BgpM2PathAttrUnknownIndex field in the
f10BgpM2PathAttrUnknownEntry table.
Negotiation of multiple instances of the same capability is not supported.
f10BgpM2PeerCapAnnouncedIndex and f10BgpM2PeerCapReceivedIndex are ignored in the peer
capability lookup.
Inbound BGP soft-reconfiguration must be configured on a peer for
f10BgpM2PrefixInPrefixesRejected to display the number of prefixes filtered due to a policy. If BGP
soft-reconfig is not enabled, the denied prefixes are not accounted for.
f10BgpM2AdjRibsOutRoute stores the pointer to the NLRI in the peer's Adj-Rib-Out.
The PA Index (f10BgpM2PathAttrIndex field in various tables) is used to retrieve specific attributes from
the PA table. The Next-Hop, RR Cluster-list, and Originator ID attributes are not stored in the PA Table
and cannot be retrieved using the index passed in. These fields are not populated in
f10BgpM2PathAttrEntry, f10BgpM2PathAttrClusterEntry, and f10BgpM2PathAttrOriginatorIdEntry.
f10BgpM2PathAttrUnknownEntry contains the optional-transitive attribute details.
A query for f10BgpM2LinkLocalNextHopEntry returns the default value for the Link-local Next-hop.
RFC 2545 and the f10BgpM2Rfc2545Group are not supported.
An SNMP query displays up to 89 AS paths. A query for a larger AS path count displays
"" at the end of the output.
SNMP set for BGP is not supported. For all peer configuration tables
(f10BgpM2PeerConfigurationGroup, f10BgpM2PeerRouteReflectorCfgGroup, and
f10BgpM2PeerAsConfederationCfgGroup), an SNMP set operation returns an error. Only SNMP
queries are supported. In addition, the f10BgpM2CfgPeerError, f10BgpM2CfgPeerBgpPeerEntry, and
f10BgpM2CfgPeerRowEntryStatus fields are intended to hold the SNMP set status and are ignored in an SNMP
query.


The AFI/SAFI is not used as an index to the f10BgpM2PeerCountersEntry table. The BGP peer's AFI/
SAFI (IPv4 Unicast or IPv6 Multicast) is used for various outbound counters. Counters corresponding
to IPv4 Multicast cannot be queried.
The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that
route-reflector clients are not in a full mesh if BGP client-to-client reflection is enabled and that the
BGP speaker acting as reflector advertises routes learned from one client to another client. If
disabled, it is assumed that clients are in a full mesh, and there is no need to advertise prefixes to the
other clients.
High CPU utilization may be observed during an SNMP walk of a large BGP Loc-RIB.
To avoid SNMP timeouts with a large-scale configuration (a large number of BGP neighbors and a large
BGP Loc-RIB), Force10 recommends setting the timeout and retry count values to relatively higher
numbers, e.g. t = 60 or r = 5.
To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as
snmpwalk -v 2c -C c -c public <IP_address> <OID>.
An SNMP walk may terminate prematurely if the index does not increment lexicographically.
Force10 recommends using options to ignore such errors.
Multiple BGP process instances are not supported. Thus, the f10BgpM2PeerInstance field in various
tables is not used to locate a peer.
Multiple instances of the same NLRI in the BGP RIB are not supported and are set to zero in the
SNMP query response.
The f10BgpM2NlriIndex and f10BgpM2AdjRibsOutIndex fields are not used.
Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and
f10BgpM2NlriOpaquePointer fields are set to zero.
4-byte ASN is supported. The f10BgpM2AsPath4byteEntry table contains 4-byte ASN-related
parameters based on the configuration.
Traps (notifications) specified in the BGP4 MIB draft <draft-ietf-idr-bgp4-mibv2-05.txt> are not
supported. Such traps (bgpM2Established and bgpM2BackwardTransition) are supported as part of RFC
1657.
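The segment and element indexing used by f10BgpM2AsPathSegmentIndex and f10BgpM2AsPathElementIndex (first point in the list above) can be reproduced from the textual form of an AS path. The following is an added example, not code from the FTOS guide or the FORCE10-BGP4-V2-MIB itself: the parser, the function names and the convention that consecutive plain ASNs form one AS_SEQUENCE segment while a braced group is one AS_SET are this example's own.

```python
# Added example (not from the FTOS guide): map (segmentIndex, elementIndex) pairs,
# both starting at 0, onto the ASNs of an AS path written as e.g. "{200 300 400} 500".
import re

_TOKEN = re.compile(r"\{([^}]*)\}|(\d+)")   # a braced AS_SET or a single ASN


def split_segments(as_path_text):
    """Split an AS path string into [(segment_type, [asn, ...]), ...].

    A braced group is one AS_SET; consecutive plain ASNs form one AS_SEQUENCE,
    so "{200 300 400} 500" yields two segments, as the MIB note describes.
    """
    segments = []
    for match in _TOKEN.finditer(as_path_text):
        if match.group(1) is not None:
            segments.append(("AS_SET", [int(x) for x in match.group(1).split()]))
        elif segments and segments[-1][0] == "AS_SEQUENCE":
            segments[-1][1].append(int(match.group(2)))
        else:
            segments.append(("AS_SEQUENCE", [int(match.group(2))]))
    return segments


def index_as_path(as_path_text):
    """Return {(segment_index, element_index): asn} for every ASN in the path."""
    table = {}
    for seg_idx, (_, asns) in enumerate(split_segments(as_path_text)):
        for el_idx, asn in enumerate(asns):
            table[(seg_idx, el_idx)] = asn
    return table


def lookup_asn(as_path_text, segment_index, element_index):
    """The ASN an SNMP query with these two index values would return, or None if out of range."""
    return index_as_path(as_path_text).get((segment_index, element_index))


if __name__ == "__main__":
    for key, asn in sorted(index_as_path("{200 300 400} 500").items()):
        print(f"segment {key[0]} element {key[1]} -> AS {asn}")
```

For the page's example path the table is {(0,0): 200, (0,1): 300, (0,2): 400, (1,0): 500}; a path such as "701 3549 {100 200} 19421" produces three segments because the AS_SET breaks the sequence on either side of it.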

Configuration Information
The software supports BGPv4 as well as the following:

deterministic multi-exit discriminator (MED) (default)
a path with a missing MED is treated as the worst path and assigned a MED value of 0xffffffff
the community format follows RFC 1998
delayed configuration (the software at system boot reads the entire configuration file prior to sending
messages to start BGP peer sessions)

The following are not yet supported:

auto-summarization (the default is no auto-summary)
synchronization (the default is no synchronization)


BGP Configuration
To enable the BGP process and begin exchanging information, you must assign an AS number and use
commands in the ROUTER BGP mode to configure a BGP neighbor.

Defaults
By default, BGP is disabled.
By default, FTOS compares the MED attribute on different paths from within the same AS (the bgp
always-compare-med command is not enabled).
Note: In FTOS, all newly configured neighbors and peer groups are disabled. You must enter the
neighbor {ip-address | peer-group-name} no shutdown command to enable a neighbor or peer
group.

Table 16 displays the default values for BGP on FTOS.

Table 16 FTOS BGP Defaults
Item                             Default
BGP Neighbor Adjacency changes   All BGP neighbor changes are logged.
Fast External Fallover feature   Enabled
graceful restart feature         Disabled
Local preference                 100
MED
Route Flap Damping Parameters    half-life = 15 minutes; reuse = 750; suppress = 2000; max-suppress-time = 60 minutes
Distance                         external distance = 20; internal distance = 200; local distance = 200
Timers                           keepalive = 60 seconds; holdtime = 180 seconds

Configuration Task List for BGP

The following list includes the configuration tasks for BGP:

Enable BGP
Configure AS4 Number Representations
Configure Peer Groups
BGP fast fall-over
Configure passive peering
Maintain existing AS numbers during an AS migration
Allow an AS number to appear in its own AS path
Enable graceful restart
Filter on an AS-Path attribute
Configure IP community lists
Manipulate the COMMUNITY attribute
Change MED attribute
Change LOCAL_PREFERENCE attribute
Change NEXT_HOP attribute
Change WEIGHT attribute
Enable multipath
Filter BGP routes
Redistribute routes on page 226
Configure BGP route reflectors
Aggregate routes
Configure BGP confederations
Enable route flap dampening
Change BGP timers
BGP neighbor soft-reconfiguration
Route map continue

Enable BGP
By default, BGP is not enabled on the system. FTOS supports one Autonomous System (AS) and you must
assign the AS Number (ASN). To establish BGP sessions and route traffic, you must configure at least one
BGP neighbor or peer.
In BGP, routers with an established TCP connection are called neighbors or peers. Once a connection is
established, the neighbors exchange full BGP routing tables with incremental updates afterwards. In
addition, neighbors exchange KEEPALIVE messages to maintain the connection.
In BGP, neighbor routers or peers can be classified as internal or external. External BGP peers must be
connected physically to one another (unless you enable the EBGP multihop feature), while internal BGP
peers do not need to be directly connected. The IP address of an EBGP neighbor is usually the IP address
of the interface directly connected to the router. First, the BGP process determines if all internal BGP peers
are reachable, and then it determines which peers outside the AS are reachable.
Note: Sample Configurations for enabling BGP routers are found at the end of this chapter.


Use these commands in the following sequence, starting in the CONFIGURATION mode, to establish BGP
sessions on the router.

Step 1
Command Syntax: router bgp as-number
Command Mode: CONFIGURATION
Purpose: Assign an AS number and enter the ROUTER BGP mode.
AS Number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte) or 0.1-65535.65535 (Dotted format)
Only one AS is supported per system.
If you enter a 4-Byte AS Number, 4-Byte AS Support is enabled automatically.

Step 1a
Command Syntax: bgp four-octet-as-support
Command Mode: CONFIG-ROUTERBGP
Purpose: Enable 4-Byte support for the BGP process.
Note: This is an OPTIONAL command. Enable it if you want to use 4-Byte AS numbers or if you support AS4 Number Representation.
Use it only if you support 4-Byte AS Numbers or if you support AS4 Number Representation. If you are supporting 4-Byte ASNs, this command must be enabled first.
Disable 4-Byte support and return to the default 2-Byte format by using the no bgp four-octet-as-support command. You cannot disable 4-Byte support if you currently have a 4-Byte ASN configured.
Disabling 4-Byte AS Numbers also disables ASDOT and ASDOT+ number representation. All AS Numbers are then displayed in ASPLAIN format.

Step 1b
Command Syntax: address-family [ipv4 | ipv6]
Command Mode: CONFIG-ROUTERBGP
Purpose: Enable IPv4 multicast or IPv6 mode. Use this command to enter BGP for IPv6 mode (CONF-ROUTER_BGPv6_AF).

Step 2
Command Syntax: neighbor {ip-address | peer-group name} remote-as as-number
Command Mode: CONFIG-ROUTERBGP
Purpose: Add a neighbor as a remote AS.
Formats: IP Address A.B.C.D; Peer-Group Name: 16 characters; AS-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte) or 0.1-65535.65535 (Dotted format)
You must Configure Peer Groups before assigning a peer group a remote AS.

Step 3
Command Syntax: neighbor {ip-address | peer-group-name} no shutdown
Command Mode: CONFIG-ROUTERBGP
Purpose: Enable the BGP neighbor.

Note: When you change the configuration of a BGP neighbor, always reset it by entering the clear
ip bgp command in EXEC Privilege mode.

Enter show config in CONFIGURATION ROUTER BGP mode to view the BGP configuration. Use the
show ip bgp summary command in EXEC Privilege mode to view the BGP status. Figure 117 shows
the summary with a 2-Byte AS Number displayed; Figure 118 shows the summary with a 4-Byte AS
Number displayed.
Figure 117 Command example: show ip bgp summary (2-Byte AS Number displayed)
R2#show ip bgp summary
BGP router identifier 192.168.10.2, local AS number 65123
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
1 paths using 72 bytes of memory
BGP-RIB over all using 73 bytes of memory
1 BGP path attribute entrie(s) using 72 bytes of memory
1 BGP AS-PATH entrie(s) using 47 bytes of memory
5 neighbor(s) using 23520 bytes of memory

Neighbor        AS       MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/Pfx
10.10.21.1      65123    0        0        0       0    0     never    Active
10.10.32.3      65123    0        0        0       0    0     never    Active
100.10.92.9     65192    0        0        0       0    0     never    Active
192.168.10.1    65123    0        0        0       0    0     never    Active
192.168.12.2    65123    0        0        0       0    0     never    Active
R2#
Figure 118 Command example: show ip bgp summary (4-Byte AS Number displayed)
R2#show ip bgp summary
BGP router identifier 192.168.10.2, local AS number 48735.59224
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
1 paths using 72 bytes of memory
BGP-RIB over all using 73 bytes of memory
1 BGP path attribute entrie(s) using 72 bytes of memory
1 BGP AS-PATH entrie(s) using 47 bytes of memory
5 neighbor(s) using 23520 bytes of memory

Neighbor        AS       MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/Pfx
10.10.21.1      65123    0        0        0       0    0     never    Active
10.10.32.3      65123    0        0        0       0    0     never    Active
100.10.92.9     65192    0        0        0       0    0     never    Active
192.168.10.1    65123    0        0        0       0    0     never    Active
192.168.12.2    65123    0        0        0       0    0     never    Active
R2#

For the router identifier, FTOS uses the highest IP address of the Loopback interfaces configured. Since
Loopback interfaces are virtual, they cannot go down, which prevents changes in the router ID. If no
Loopback interfaces are configured, the highest IP address of any interface is used as the router ID.
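The selection rule above, as an added worked example (not FTOS code, and not taken from the guide): loopback addresses are preferred, physical interfaces are the fallback, and addresses are compared as 32-bit values rather than as strings, which is the mistake that makes "10.9.0.1" look higher than "10.10.0.1". The interface dictionary, the "Loopback" name prefix test, and the sample addresses are assumptions made for the example.

```python
import ipaddress


def select_router_id(interfaces):
    """Pick the BGP router ID the way the text describes: the highest IPv4 address
    configured on a Loopback interface, or, when no Loopback has an address, the
    highest IPv4 address on any interface. Returns None if nothing is configured.

    `interfaces` maps interface name -> IPv4 address string (or None for an
    interface without an address). Constructed illustration, not FTOS code; the
    interface names are assumed to start with "Loopback", as in the guide's
    configuration examples.
    """
    def addresses(only_loopbacks):
        return [
            ipaddress.IPv4Address(addr)
            for name, addr in interfaces.items()
            if addr and (not only_loopbacks or name.lower().startswith("loopback"))
        ]

    # Compare as integers, not as strings: "10.9.0.1" sorts above "10.10.0.1"
    # lexically but is the lower address.
    candidates = addresses(only_loopbacks=True) or addresses(only_loopbacks=False)
    return str(max(candidates)) if candidates else None


if __name__ == "__main__":
    # Constructed sample: two loopbacks plus a physical interface.
    sample = {
        "Loopback 0": "192.168.10.2",
        "Loopback 1": "10.9.0.1",
        "GigabitEthernet 0/1": "203.0.113.1",
    }
    print(select_router_id(sample))
```

A router ID derived from a physical interface changes when that interface loses its address, which resets every session that references it; pinning a loopback (or configuring bgp router-id explicitly, as Figure 120 does) keeps the identifier stable.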


To view the status of BGP neighbors, use the show ip bgp neighbors command (Figure 119) in EXEC
Privilege mode. For BGP neighbor configuration information, use the show running-config bgp
command in EXEC Privilege mode (Figure 120). Note that the show config command in
CONFIGURATION ROUTER BGP mode gives the same information as show running-config bgp.
Figure 119 displays two neighbors: one is an external and the second is an internal BGP neighbor. The
first line of the output for each neighbor displays the AS number and states whether the link is external
or internal.


The third line of the show ip bgp neighbors output contains the BGP State. If anything other than
ESTABLISHED is listed, the neighbor is not exchanging information and routes. For more details on using
the show ip bgp neighbors command, refer to the FTOS Command Line Interface Reference.
Figure 119 Command example: show ip bgp neighbors
Force10#show ip bgp neighbors
BGP neighbor is 10.114.8.60, remote AS 18508, external link
BGP version 4, remote router ID 10.20.20.20
BGP state ESTABLISHED, in this state for 00:01:58
Last read 00:00:14, hold time is 90, keepalive interval is 30 seconds
Received 18552 messages, 0 notifications, 0 in queue
Sent 11568 messages, 0 notifications, 0 in queue
Received 18549 updates, Sent 11562 updates
Minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast
BGP table version 216613, neighbor version 201190
130195 accepted prefixes consume 520780 bytes
Prefix advertised 49304, rejected 0, withdrawn 36143
Connections established 1; dropped 0
Last reset never
Local host: 10.114.8.39, Local port: 1037
Foreign host: 10.114.8.60, Foreign port: 179

BGP neighbor is 10.1.1.1, remote AS 65535, internal link
Administratively shut down
BGP version 4, remote router ID 10.0.0.0
BGP state IDLE, in this state for 17:12:40
Last read 17:12:40, hold time is 180, keepalive interval is 60 seconds
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Received 0 updates, Sent 0 updates
Minimum time between advertisement runs is 5 seconds

For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
0 accepted prefixes consume 0 bytes
Prefix advertised 0, rejected 0, withdrawn 0
Connections established 0; dropped 0
Last reset never
No active TCP connection
Force10#


Figure 120 Command example: show running-config bgp


R2#show running-config bgp
!
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list ISP1in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
neighbor 192.168.10.1 no shutdown
neighbor 192.168.12.2 remote-as 65123
neighbor 192.168.12.2 update-source Loopback 0
neighbor 192.168.12.2 no shutdown
R2#

Configure AS4 Number Representations


Enable one type of AS Number Representation: ASPLAIN, ASDOT+, or ASDOT.

ASPLAIN is the method FTOS has used for all previous FTOS versions. It remains the default method
with FTOS 8.2.1.0 and later. With the ASPLAIN notation, a 32 bit binary AS number is translated into
a decimal value.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by
a decimal point (.): <high-order 16 bit value>.<low-order 16 bit value>.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS Numbers less than
65536 appear in integer format (asplain); AS Numbers equal to or greater than 65536 appear using the
decimal method (asdot+). For example, the AS Number 65526 appears as 65526, and the AS Number
65546 appears as 1.10.
Note: The ASDOT and ASDOT+ representations are supported only in conjunction with the 4-Byte AS
Numbers feature. If 4-Byte AS Numbers are not implemented, only ASPLAIN representation is supported.

Only one form of AS Number Representation is supported at a time. You cannot combine the types of
representations within an AS.
Task: Enable ASPLAIN AS Number representation (Figure 121).
  Command Syntax: bgp asnotation asplain
  Command Mode: CONFIG-ROUTER-BGP
  Note: ASPLAIN is the default method FTOS uses and does not appear in the configuration display.

Task: Enable ASDOT AS Number representation (Figure 122).
  Command Syntax: bgp asnotation asdot
  Command Mode: CONFIG-ROUTER-BGP

Task: Enable ASDOT+ AS Number representation (Figure 123).
  Command Syntax: bgp asnotation asdot+
  Command Mode: CONFIG-ROUTER-BGP

Figure 121 Command example and output: bgp asnotation asplain


Force10(conf-router_bgp)#bgp asnotation asplain
Force10(conf-router_bgp)#sho conf
!
router bgp 100
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7
5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i

Figure 122 Command example and output: bgp asnotation asdot


Force10(conf-router_bgp)#bgp asnotation asdot
Force10(conf-router_bgp)#sho conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7
5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i

Figure 123 Command example and output: bgp asnotation asdot+


Force10(conf-router_bgp)#bgp asnotation asdot+
Force10(conf-router_bgp)#sho conf
!
router bgp 100
bgp asnotation asdot+
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7
5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i
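The three notations, as an added worked example (not code from the guide or from FTOS): a 4-byte AS number is parsed from either decimal or dotted form and rendered as ASPLAIN, ASDOT+ or ASDOT following the rules stated above (ASDOT+ always splits into two 16-bit words; ASDOT does so only from 65536 upwards). The 48735.59224 value from Figure 118 and the AS path rendering are used to show why a filter written against one notation will not match paths displayed in another. Function names and the sample paths are assumptions made for this example.

```python
import re

ASN_MAX = 2 ** 32 - 1


def parse_asn(text):
    """Accept an AS number in ASPLAIN (decimal) or dotted (ASDOT / ASDOT+)
    notation and return it as an integer. Constructed helper, not FTOS code."""
    text = text.strip()
    dotted = re.fullmatch(r"(\d+)\.(\d+)", text)
    if dotted:
        high, low = int(dotted.group(1)), int(dotted.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"dotted AS number out of range: {text}")
        return (high << 16) | low
    if re.fullmatch(r"\d+", text):
        value = int(text)
        if value > ASN_MAX:
            raise ValueError(f"AS number out of range: {text}")
        return value
    raise ValueError(f"not an AS number: {text!r}")


def to_asplain(asn):
    """ASPLAIN: the whole 32-bit value as one decimal integer (the FTOS default)."""
    return str(asn)


def to_asdot_plus(asn):
    """ASDOT+: <high-order 16 bits>.<low-order 16 bits>, always dotted."""
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn):
    """ASDOT: ASPLAIN below 65536, ASDOT+ from 65536 upwards."""
    return to_asplain(asn) if asn < 65536 else to_asdot_plus(asn)


NOTATIONS = {"asplain": to_asplain, "asdot": to_asdot, "asdot+": to_asdot_plus}


def render_as_path(as_numbers, notation):
    """Render an AS path (list of integers) the way the given bgp asnotation
    setting would display it, so an AS-PATH regular expression can be checked
    against the form the router will actually show."""
    return " ".join(NOTATIONS[notation](asn) for asn in as_numbers)


if __name__ == "__main__":
    local_as = parse_asn("48735.59224")           # value from Figure 118
    for name in NOTATIONS:
        print(f"{name:8} {NOTATIONS[name](local_as)}")
    # Constructed path: a 2-byte AS, another 2-byte AS, then a 4-byte AS.
    print(render_as_path([65057, 18508, 65546], "asdot"))
```

The same path renders as "65057 18508 65546" under ASPLAIN but "65057 18508 1.10" under ASDOT, so an AS-PATH ACL written as "65546$" matches only while the router is in ASPLAIN mode; switching notation is therefore a policy change, not just a display change.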


Configure Peer Groups


To configure multiple BGP neighbors at one time, create and populate a BGP peer group. Another
advantage of peer groups is that members of a peer group inherit the configuration properties of the group
and share the same update policy.
A maximum of 256 Peer Groups are allowed on the system.
You create a peer group by assigning it a name, then adding members to the peer group. Once a peer group
is created, you can configure route policies for it. Refer to Filter BGP routes for information on configuring
route policies for a peer group.
Note: Sample Configurations for enabling Peer Groups are found at the end of this chapter.

Use these commands in the following sequence, starting in the CONFIGURATION ROUTER BGP mode,
to create a peer group.

Step 1: neighbor peer-group-name peer-group
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Create a peer group by assigning a name to it.

Step 2: neighbor peer-group-name no shutdown
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Enable the peer group. By default, all peer groups are disabled.

Step 3: neighbor ip-address remote-as as-number
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Create a BGP neighbor.

Step 4: neighbor ip-address no shutdown
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Enable the neighbor.

Step 5: neighbor ip-address peer-group peer-group-name
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Add an enabled neighbor to the peer group.

Step 6: neighbor {ip-address | peer-group name} remote-as as-number
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Add a neighbor as a remote AS.
    Formats:
    IP Address: A.B.C.D
    Peer-Group Name: 16 characters
    AS-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte) or 0.1-65535.65535 (Dotted format)
    To add an external BGP (EBGP) neighbor, configure the as-number parameter with a number
    different from the BGP as-number configured in the router bgp as-number command.
    To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same
    BGP as-number configured in the router bgp as-number command.

After you create a peer group, you can use any of the commands beginning with the keyword neighbor to
configure that peer group.
When you add a peer to a peer group, it inherits all the peer group's configured parameters.
A neighbor cannot become part of a peer group if any of the following commands is configured on it:

neighbor advertisement-interval
neighbor distribute-list out
neighbor filter-list out
neighbor next-hop-self
neighbor route-map out
neighbor route-reflector-client
neighbor send-community

A neighbor may keep its configuration after it was added to a peer group if the neighbor's configuration is
more specific than the peer group's, and the neighbor's configuration does not affect outgoing updates.
Note: When you configure a new set of BGP policies for a peer group, always reset the peer
group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege
mode.

Use the show config command in the CONFIGURATION ROUTER BGP mode to view the
configuration. When you create a peer group, it is disabled (shutdown). Figure 124 shows the creation of
a peer group (zanzibar).
Figure 124 Command example: show config (creating peer-group)
Force10(conf-router_bgp)#neighbor zanzibar peer-group
Force10(conf-router_bgp)#show conf
!
router bgp 45
bgp fast-external-fallover
bgp log-neighbor-changes
neighbor zanzibar peer-group
neighbor zanzibar shutdown
neighbor 10.1.1.1 remote-as 65535
neighbor 10.1.1.1 shutdown
neighbor 10.14.8.60 remote-as 18505
neighbor 10.14.8.60 no shutdown
Force10(conf-router_bgp)#

The neighbor zanzibar lines show the peer group being configured.

Use the neighbor peer-group-name no shutdown command in the CONFIGURATION ROUTER
BGP mode to enable a peer group.


Figure 125 Command example: show config (peer-group enabled)
Force10(conf-router_bgp)#neighbor zanzibar no shutdown
Force10(conf-router_bgp)#show config
!
router bgp 45
bgp fast-external-fallover
bgp log-neighbor-changes
neighbor zanzibar peer-group
neighbor zanzibar no shutdown
neighbor 10.1.1.1 remote-as 65535
neighbor 10.1.1.1 shutdown
neighbor 10.14.8.60 remote-as 18505
neighbor 10.14.8.60 no shutdown
Force10(conf-router_bgp)#

The neighbor zanzibar no shutdown line shows the peer group being enabled.

To disable a peer group, use the neighbor peer-group-name shutdown command in the
CONFIGURATION ROUTER BGP mode. The configuration of the peer group is maintained, but it is not
applied to the peer group members. When you disable a peer group, all the peers within the peer group that
are in ESTABLISHED state are moved to IDLE state.

Use the show ip bgp peer-group command in EXEC Privilege mode (Figure 126) to view the status of
peer groups.


Figure 126 Command example: show ip bgp peer-group


Force10>show ip bgp peer-group

Peer-group zanzibar, remote AS 65535


BGP version 4
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP neighbor is zanzibar, peer-group internal,
Number of peers in this group 26
Peer-group members (* - outbound optimized):
10.68.160.1
10.68.161.1
10.68.162.1
10.68.163.1
10.68.164.1
10.68.165.1
10.68.166.1
10.68.167.1
10.68.168.1
10.68.169.1
10.68.170.1
10.68.171.1
10.68.172.1
10.68.173.1
10.68.174.1
10.68.175.1
10.68.176.1
10.68.177.1
10.68.178.1
10.68.179.1
10.68.180.1
10.68.181.1
10.68.182.1
10.68.183.1
10.68.184.1
10.68.185.1
Force10>

BGP fast fall-over


By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so
frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time
while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly
connected external peer fails.
When fall-over is enabled, BGP tracks IP reachability to the peer remote address and the peer local
address. Whenever either address becomes unreachable (for example, no active route exists in the routing
table for peer IPv6 destinations/local address), BGP brings down the session with the peer.


The BGP fast fall-over feature is configured on a per-neighbor or peer-group basis and is disabled by
default.

Command Syntax: neighbor {ip-address | peer-group-name} fall-over
Command Mode: CONFIG-ROUTER-BGP
Purpose: Enable BGP Fast Fall-Over.

To disable Fast Fall-Over, use the no neighbor {ip-address | peer-group-name} fall-over command in
CONFIGURATION ROUTER BGP mode.
Use the show ip bgp neighbors command as shown in Figure 127 to verify that fast fall-over is enabled
on a particular BGP neighbor. Since Fast Fall-Over is disabled by default, the Fall-over enabled line
appears only if the feature has been enabled.

Figure 127 Command example: show ip bgp neighbors
Force10#sh ip bgp neighbors
BGP neighbor is 100.100.100.100, remote AS 65517, internal link
Member of peer-group test for session parameters
BGP version 4, remote router ID 30.30.30.5
BGP state ESTABLISHED, in this state for 00:19:15
Last read 00:00:15, last write 00:00:06
Hold time is 180, keepalive interval is 60 seconds
Received 52 messages, 0 notifications, 0 in queue
Sent 45 messages, 5 notifications, 0 in queue
Received 6 updates, Sent 0 updates
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Fall-over enabled
Update source set to Loopback 0
Peer active in peer-group outbound optimization

For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
'Connection Reset' Sent : 5  Recv: 0
Local host: 200.200.200.200, Local port: 65519
Foreign host: 100.100.100.100, Foreign port: 179
Force10#

The Fall-over enabled line is the Fast Fall-Over indicator.

Use the show ip bgp peer-group command to verify that fast fall-over is enabled on a peer-group.


Figure 128 Command example: show ip bgp peer-group
Force10#sh ip bgp peer-group
Peer-group test
Fall-over enabled
BGP version 4
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP neighbor is test
Number of peers in this group 1
Peer-group members (* - outbound optimized):
100.100.100.100*
Force10#

The corresponding configuration; the neighbor test fall-over line is the Fast Fall-Over indicator:
router bgp 65517
neighbor test peer-group
neighbor test fall-over
neighbor test no shutdown
neighbor 100.100.100.100 remote-as 65517
neighbor 100.100.100.100 fall-over
neighbor 100.100.100.100 update-source Loopback 0
neighbor 100.100.100.100 no shutdown
Force10#

Configure passive peering


When you enable a peer-group, the software sends an OPEN message to initiate a TCP connection. If you
enable passive peering for the peer group, the software does not send an OPEN message, but it will
respond to an OPEN message.
When a BGP neighbor connection with authentication configured is rejected by a passive peer-group,
FTOS does not allow another passive peer-group on the same subnet to connect with the BGP neighbor. To
work around this, change the BGP configuration or change the order of the peer group configuration.
Use these commands in the following sequence, starting in the CONFIGURATION ROUTER BGP mode,
to configure passive peering.

Step 1: neighbor peer-group-name peer-group passive
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Configure a peer group that does not initiate TCP connections with other peers.

Step 2: neighbor peer-group-name subnet subnet-number mask
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Assign a subnet to the peer group. The peer group will respond to OPEN messages sent
    on this subnet.

Step 3: neighbor peer-group-name no shutdown
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Enable the peer group.

Step 4: neighbor peer-group-name remote-as as-number
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Create and specify a remote peer for the BGP neighbor.

Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to
ESTABLISHED. Once the peer group is ESTABLISHED, the peer group is the same as any other peer
group.
For more information on peer groups, refer to Configure Peer Groups on page 212.

Maintain existing AS numbers during an AS migration


The local-as feature smooths out the BGP network migration operation and allows you to maintain
existing ASNs during a BGP network migration.
When you complete your migration, be sure to reconfigure your routers with the new information and
disable this feature.
Command Syntax: neighbor {IP address | peer-group-name} local-as as-number [no prepend]
Command Mode: CONFIG-ROUTERBGP
Purpose: Allow external routes from this neighbor.
  Format:
  IP Address: A.B.C.D
  Peer Group Name: 16 characters
  AS-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte) or 0.1-65535.65535 (Dotted format)
  No Prepend specifies that local AS values are not prepended to announcements from the neighbor.
  You must Configure Peer Groups before assigning one to an AS.
  This feature is not supported on passive peer groups.

To disable this feature, use the no neighbor local-as command in CONFIGURATION ROUTER BGP
mode.


Figure 129 Local-as information shown
R2(conf-router_bgp)#show conf
!
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list Laura in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 local-as 6500
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
neighbor 192.168.10.1 no shutdown
neighbor 192.168.12.2 remote-as 65123
neighbor 192.168.12.2 update-source Loopback 0
neighbor 192.168.12.2 no shutdown
R2(conf-router_bgp)#

For neighbor 100.10.92.9, remote-as 65192 is the actual AS number and local-as 6500 is the Local-AS
number maintained during migration.

Allow an AS number to appear in its own AS path


This command allows you to set the number of times a particular AS number can occur in the AS path. The
allowas-in feature permits a BGP speaker to accept the local ASN in an update received from the peer up to
the specified number of times, even though that ASN matches its own. An AS-PATH loop is detected if the
local ASN is present more than the number of times specified in the command.

Command Syntax: neighbor {IP address | peer-group-name} allowas-in number
Command Mode: CONFIG-ROUTERBGP
Purpose: Allow this neighbor ID to use the AS path the specified number of times.
  Format:
  IP Address: A.B.C.D
  Peer Group Name: 16 characters
  Number: 1-10
  You must Configure Peer Groups before assigning one to an AS.

To disable this feature, use the no neighbor allowas-in number command in the CONFIGURATION
ROUTER BGP mode.


Figure 130 Allowas-in information shown
R2(conf-router_bgp)#show conf
!
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list Laura in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 local-as 6500
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
neighbor 192.168.10.1 no shutdown
neighbor 192.168.12.2 remote-as 65123
neighbor 192.168.12.2 allowas-in 9
neighbor 192.168.12.2 update-source Loopback 0
neighbor 192.168.12.2 no shutdown
R2(conf-router_bgp)#

The allowas-in 9 value is the number of times ASN 65123 can appear in the AS PATH.

Enable graceful restart


Use this feature to lessen the negative effects of a BGP restart. FTOS advertises support for this feature to
BGP neighbors through a capability advertisement. You can enable graceful restart by router and/or by
peer or peer group.
Note: By default, BGP graceful restart is disabled.

The default role for BGP is as a receiving or restarting peer. If you enable graceful restart, when a peer
that supports graceful restart resumes operating, FTOS performs the following tasks:

Continues saving routes received from the peer if the peer advertised it had graceful restart capability.
Continues forwarding traffic to the peer.
Flags routes from the peer as Stale and sets a timer to delete them if the peer does not perform a
graceful restart.
Deletes all routes from the peer if forwarding state information is not saved.
Speeds convergence by advertising a special update packet known as an end-of-RIB marker. This
marker indicates the peer has been updated with all routes in the local RIB.

If you configure your system to do so, FTOS can perform the following actions during a hot failover:

Save all FIB and CAM entries on the line card and continue forwarding traffic while the secondary
RPM is coming online.
Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved.
This prompts all peers to continue saving the routes they receive from your E-Series and to continue
forwarding traffic.
Bring the secondary RPM online as the primary and re-open sessions with all peers operating in no
shutdown mode.
Defer best path selection for a certain amount of time. This helps optimize path selection and results in
fewer updates being sent out.

Enable graceful restart using the bgp graceful-restart command in CONFIGURATION ROUTER BGP
mode. The table below shows the command and its available options:

Command Syntax: bgp graceful-restart
  Command Mode: CONFIG-ROUTERBGP
  Usage: Enable graceful restart for the BGP node.

Command Syntax: bgp graceful-restart [restart-time time-in-seconds]
  Command Mode: CONFIG-ROUTERBGP
  Usage: Set maximum restart time for all peers. Default is 120 seconds.

Command Syntax: bgp graceful-restart [stale-path-time time-in-seconds]
  Command Mode: CONFIG-ROUTERBGP
  Usage: Set maximum time to retain the restarting peer's stale paths. Default is 360 seconds.

Command Syntax: bgp graceful-restart [role receiver-only]
  Command Mode: CONFIG-ROUTERBGP
  Usage: Local router supports graceful restart as a receiver only.

BGP graceful restart is active only when the neighbor becomes established. Otherwise it is disabled.
Graceful-restart applies to all neighbors with established adjacency.
With the graceful restart feature, FTOS enables the receiving/restarting mode by default. In receiver-only
mode, graceful restart saves the advertised routes of peers that support this capability when they restart.
However, the E-Series does not advertise that it saves these forwarding states when it restarts. This option
provides support for remote peers for their graceful restart without supporting the feature itself.
You can implement BGP graceful restart either by neighbor or by BGP peer-group. For more information,
please see the following table or the FTOS Command Line Interface Reference.
Command Syntax: neighbor {ip-address | peer-group-name} graceful-restart
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Add graceful restart to a BGP neighbor or peer-group.

Command Syntax: neighbor {ip-address | peer-group-name} graceful-restart [restart-time time-in-seconds]
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Set maximum restart time for the neighbor or peer-group. Default is 120 seconds.

Command Syntax: neighbor {ip-address | peer-group-name} graceful-restart [role receiver-only]
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Local router supports graceful restart for this neighbor or peer-group as a receiver only.

Command Syntax: neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds]
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Set maximum time to retain the restarting neighbor's or peer-group's stale paths. Default
    is 360 seconds.
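The receiver-side behaviour listed above (keep forwarding via the peer's routes, flag them Stale, delete them on end-of-RIB if not re-advertised or when the timers expire, delete immediately if the peer never advertised the capability), as an added worked example. This is constructed illustration code, not FTOS code; the class, method names and the way the restart-time and stale-path-time timers are combined (restart-time bounds the wait for the session to return, stale-path-time bounds how long stale paths survive after it has) are assumptions made to keep the example self-contained. Time is passed in explicitly so the timers can be exercised without waiting.

```python
RESTART_TIME_DEFAULT = 120     # seconds; default restart-time from the table
STALE_PATH_TIME_DEFAULT = 360  # seconds; default stale-path-time from the table


class Route:
    """One prefix learned from a peer, carrying the Stale flag the text describes."""

    def __init__(self, prefix):
        self.prefix = prefix
        self.stale = False


class GracefulRestartReceiver:
    """Receiver-side graceful restart bookkeeping for one BGP peer.

    Constructed illustration, not FTOS code. `now` arguments are seconds on
    any monotonic clock; the timer interaction is a simplification (see lead-in).
    """

    def __init__(self, peer_advertised_gr, restart_time=RESTART_TIME_DEFAULT,
                 stale_path_time=STALE_PATH_TIME_DEFAULT):
        self.peer_advertised_gr = peer_advertised_gr
        self.restart_time = restart_time
        self.stale_path_time = stale_path_time
        self.rib = {}          # prefix -> Route
        self.down_at = None    # when the session dropped (None when not in GR)
        self.up_at = None      # when it re-established (None while still down)

    def learn(self, prefix):
        """UPDATE from the peer: a (re)advertised prefix is never stale."""
        self.rib[prefix] = Route(prefix)

    def session_down(self, now):
        """Session dropped. Keep forwarding via the peer's routes only if it advertised
        the graceful restart capability; otherwise delete them immediately."""
        if not self.peer_advertised_gr:
            self.rib.clear()
            return
        for route in self.rib.values():
            route.stale = True
        self.down_at, self.up_at = now, None

    def session_up(self, now):
        """Peer re-established; stale routes remain until end-of-RIB or stale-path-time."""
        if self.down_at is not None:
            self.up_at = now

    def end_of_rib(self):
        """End-of-RIB marker: the peer has sent its whole table, so any route still
        flagged Stale was not re-advertised and is deleted."""
        self._purge_stale()

    def tick(self, now):
        """Timer check: purge stale routes if the peer did not return within
        restart_time, or if stale paths outlived stale_path_time after it returned."""
        if self.down_at is None:
            return
        if self.up_at is None:
            expired = now - self.down_at > self.restart_time
        else:
            expired = now - self.up_at > self.stale_path_time
        if expired:
            self._purge_stale()

    def _purge_stale(self):
        self.rib = {p: r for p, r in self.rib.items() if not r.stale}
        self.down_at = self.up_at = None

    def forwarding_prefixes(self):
        """Prefixes still usable for forwarding, stale ones included."""
        return sorted(self.rib)

    def stale_prefixes(self):
        return sorted(p for p, r in self.rib.items() if r.stale)


if __name__ == "__main__":
    # Constructed walk-through: three prefixes, a restart, two re-advertised.
    peer = GracefulRestartReceiver(peer_advertised_gr=True)
    for prefix in ("10.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24"):
        peer.learn(prefix)
    peer.session_down(now=0)
    print("during restart:", peer.forwarding_prefixes(), "stale:", peer.stale_prefixes())
    peer.session_up(now=90)
    peer.learn("10.0.0.0/8")
    peer.learn("192.0.2.0/24")
    peer.end_of_rib()
    print("after end-of-RIB:", peer.forwarding_prefixes())
```

The operational point the timers make: while a peer is restarting, traffic keeps flowing along routes the peer can no longer vouch for, so restart-time and stale-path-time bound how long forwarding follows possibly-withdrawn state; the receiver-only role lets a router extend that courtesy to its peers without claiming it can preserve its own forwarding state.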

Filter on an AS-Path attribute


The BGP attribute AS_PATH can be used to manipulate routing policies. The AS_PATH attribute
contains a sequence of AS numbers representing the route's path. As the route traverses an Autonomous
System, that AS number is prepended to the path. You can manipulate routes based on their AS_PATH to
affect interdomain routing: by identifying certain AS numbers in the AS_PATH, you can permit or deny
routes based on the numbers in their AS_PATH.
To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC
Privilege mode (Figure 131).
Figure 131 Command example: show ip bgp paths
Force10#show ip bgp paths
Total 30655 Paths
Address Hash Refcount Metric Path
0x4014154 0 3 18508 701 3549 19421 i
0x4013914 0 3 18508 701 7018 14990 i
0x5166d6c 0 3 18508 209 4637 1221 9249 9249 i
0x5e62df4 0 2 18508 701 17302 i
0x3a1814c 0 26 18508 209 22291 i
0x567ea9c 0 75 18508 209 3356 2529 i
0x6cc1294 0 2 18508 209 1239 19265 i
0x6cc18d4 0 1 18508 701 2914 4713 17935 i
0x5982e44 0 162 18508 209 i
0x67d4a14 0 2 18508 701 19878 ?
0x559972c 0 31 18508 209 18756 i
0x59cd3b4 0 2 18508 209 7018 15227 i
0x7128114 0 10 18508 209 3356 13845 i
0x536a914 0 3 18508 209 701 6347 7781 i
0x2ffe884 0 1 18508 701 3561 9116 21350 i
0x2ff7284 0 99 18508 701 1239 577 855 ?
0x2ff7ec4 0 4 18508 209 3561 4755 17426 i
0x2ff8544 0 3 18508 701 5743 2648 i
0x736c144 0 1 18508 701 209 568 721 1494 i
0x3b8d224 0 10 18508 209 701 2019 i
0x5eb1e44 0 1 18508 701 8584 16158 i
0x5cd891c 0 9 18508 209 6453 4759 i
--More--

AS-PATH ACLs use regular expressions to search AS_PATH values. AS-PATH ACLs have an implicit
deny: routes that match neither a deny nor a permit entry are dropped.
Use these commands in the following sequence, starting in the CONFIGURATION mode, to configure an
AS-PATH ACL to filter a specific AS_PATH value.
Step 1: ip as-path access-list as-path-name
  Command Mode: CONFIGURATION
  Purpose: Assign a name to an AS-PATH ACL and enter AS-PATH ACL mode.

Step 2: {deny | permit} filter
  Command Mode: CONFIG-AS-PATH
  Purpose: Enter the parameter to match BGP AS-PATH for filtering. This is the filter that will be used
    to match the AS-path. The entries can be any format: letters, numbers, or regular expressions.
    This command can be entered multiple times if multiple filters are desired.
    See Table 17 for accepted expressions.

Step 3: exit
  Command Mode: AS-PATH ACL
  Purpose: Return to CONFIGURATION mode.

Step 4: router bgp as-number
  Command Mode: CONFIGURATION
  Purpose: Enter ROUTER BGP mode.

Step 5: neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
  Command Mode: CONFIG-ROUTERBGP
  Purpose: Use a configured AS-PATH ACL for route filtering and manipulation.
    If you assign a non-existent or empty AS-PATH ACL, the software allows all routes.

Regular Expressions as filters


Regular expressions are used to filter AS paths or community lists. A regular expression is a sequence of
characters, including special characters, that defines a pattern which is then compared with an input string.
For an AS-path access list as shown in the commands above, if the AS path matches the regular expression
in the access list, then the route matches the access list.
Figure 132 applies access list Eagle to routes inbound from BGP peer 10.5.5.2. Access list Eagle uses a
regular expression to deny routes originating in AS 32.


Border Gateway Protocol IPv4 (BGPv4)

Figure 132 Filtering with Regular Expression

Force10(config)#router bgp 99
Force10(conf-router_bgp)#neigh AAA peer-group
Force10(conf-router_bgp)#neigh AAA no shut
Force10(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 shutdown
Force10(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in
Force10(conf-router_bgp)#ex
Force10(conf)#ip as-path access-list Eagle
Force10(config-as-path)#deny 32$
Force10(config-as-path)#ex
Force10(conf)#router bgp 99
Force10(conf-router_bgp)#neighbor AAA filter-list Eagle in
Force10(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA filter-list Eagle in
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 filter-list 1 in
 neighbor 10.155.15.2 shutdown
Force10(conf-router_bgp)#ex
Force10(conf)#ex
Force10#show ip as-path-access-lists
ip as-path access-list Eagle
 deny 32$
Force10#

(Figure callouts: the access list and its filter are created in CONFIG-AS-PATH mode, and the regular
expression is shown as part of the access list filter in the show output.)

Table 17 lists the Regular Expressions accepted in FTOS.

Table 17 Regular Expressions

Regular Expression   Definition
^ (caret)            Matches the beginning of the input string. Alternatively, when used as the first
                     character within brackets, [^ ] matches any character except the ones specified
                     within the brackets.
$ (dollar)           Matches the end of the input string.
. (period)           Matches any single character, including white space.
* (asterisk)         Matches 0 or more sequences of the immediately previous character or pattern.
+ (plus)             Matches 1 or more sequences of the immediately previous character or pattern.
? (question)         Matches 0 or 1 sequence of the immediately previous character or pattern.
( ) (parentheses)    Specifies patterns for multiple use when followed by one of the multiplier
                     metacharacters: asterisk *, plus sign +, or question mark ?
[ ] (brackets)       Matches any enclosed character; specifies a range of single characters.
- (hyphen)           Used within brackets to specify a range of AS or community numbers.
_ (underscore)       Matches a ^, a $, a comma, a space, a {, or a }. Placed on either side of a string to
                     specify a literal and disallow substring matching. Numerals enclosed by underscores
                     can be preceded or followed by any of the characters listed above.
| (pipe)             Matches characters on either side of the metacharacter; logical OR.


As seen in Figure 132, the expressions are displayed when using the show commands. Use the show
config command in the CONFIGURATION AS-PATH ACL mode and the show ip as-path-access-list
command in EXEC Privilege mode to view the AS-PATH ACL configuration.
For more information on this command and route filtering, refer to Filter BGP routes.

Redistribute routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP
process. With the redistribute command syntax, you can include ISIS, OSPF, static, or directly
connected routes in the BGP process.
Use any of the following commands in ROUTER BGP mode to add routes from other routing instances or
protocols.

Command: redistribute {connected | static} [route-map map-name]
Mode: ROUTER BGP or CONF-ROUTER_BGPv6_AF
Purpose: Include directly connected or user-configured (static) routes in BGP.
  map-name: name of a configured route map.

Command: redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name]
Mode: ROUTER BGP or CONF-ROUTER_BGPv6_AF
Purpose: Include specific ISIS routes in BGP.
  level-1, level-1-2, or level-2: assign all redistributed routes to a level. Default is level-2.
  metric range: 0 to 16777215. Default is 0.
  map-name: name of a configured route map.

Command: redistribute ospf process-id [match external {1 | 2} | match internal]
  [metric-type {external | internal}] [route-map map-name]
Mode: ROUTER BGP or CONF-ROUTER_BGPv6_AF
Purpose: Include specific OSPF routes in BGP.
  process-id range: 1 to 65535
  match external range: 1 or 2
  match internal
  metric-type: external or internal.
  map-name: name of a configured route map.

Configure IP community lists

Within FTOS, you have multiple methods of manipulating routing attributes. One attribute you can
manipulate is the COMMUNITY attribute. This attribute is an optional transitive attribute that is defined for
a group of destinations. In FTOS, you can match the COMMUNITY attribute of BGP routes by using an IP
Community list. After you create an IP Community list, you can apply routing decisions to all routes
meeting the criteria in the IP Community list.
IETF RFC 1997 defines the COMMUNITY attribute and the pre-defined communities INTERNET,
NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP routes belong to the
INTERNET community. In the RFC, the other communities are defined as follows:

- All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to
  CONFED-EBGP or EBGP peers, but are sent to IBGP peers within the CONFED-SUB-AS.
- All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised to any
  peer.
- All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a
  BGP confederation boundary, but are sent to CONFED-EBGP and IBGP peers.

FTOS also supports BGP Extended Communities as described in RFC 4360, BGP Extended
Communities Attribute.


Use these commands in the following sequence, starting in the CONFIGURATION mode, to configure an
IP community list.

Step 1  ip community-list community-list-name
        Mode: CONFIGURATION
        Purpose: Create a Community list and enter the COMMUNITY-LIST mode.

Step 2  {deny | permit} {community-number | local-AS | no-advertise | no-export |
        quote-regexp regular-expression-list | regexp regular-expression}
        Mode: CONFIG-COMMUNITYLIST
        Purpose: Configure a Community list by denying or permitting specific community numbers or
        types of community.
          community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is
          a value specific to that autonomous system.
          local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED.
          no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE.
          no-export: routes with the COMMUNITY attribute of NO_EXPORT.
          quote-regexp: followed by any number of regular expressions. The software applies all
          regular expressions in the list.
          regexp: followed by a regular expression.

Use these commands in the following sequence, starting in the CONFIGURATION mode, to configure an
IP extended community list.

Step 1  ip extcommunity-list extcommunity-list-name
        Mode: CONFIGURATION
        Purpose: Create an extended community list and enter the EXTCOMMUNITY-LIST mode.

Step 2  {permit | deny} {{rt | soo} {ASN:NN | IPADDR:N} | regex REGEX-LINE}
        Mode: EXTCOMMUNITY-LIST
        Purpose: Two types of extended communities are supported. Filter routes based on the type of
        extended communities they carry using one of the following keywords:
          rt: Route Target
          soo: Route Origin or Site-of-Origin.
        Matching extended communities against a regular expression is also supported. Match against a
        regular expression using the following keyword:
          regexp: regular expression


To set or modify an extended community attribute, use the set extcommunity {rt | soo} {ASN:NN |
IPADDR:NN} command.
To view the configuration, use the show config command in the CONFIGURATION
COMMUNITY-LIST or CONFIGURATION EXTCOMMUNITY LIST mode or the show ip
{community-lists | extcommunity-list} command in EXEC Privilege mode (Figure 133).


Figure 133 Command example: show ip community-lists


Force10#show ip community-lists
ip community-list standard 1
deny 701:20
deny 702:20
deny 703:20
deny 704:20
deny 705:20
deny 14551:20
deny 701:112
deny 702:112
deny 703:112
deny 704:112
deny 705:112
deny 14551:112
deny 701:667
deny 702:667
deny 703:667

To use an IP Community list or Extended Community list to filter routes, you must apply a match community
filter to a route map and then apply that route map to a BGP neighbor or peer group. Use these commands
in the following sequence, starting in the CONFIGURATION mode.
Step 1  route-map map-name [permit | deny] [sequence-number]
        Mode: CONFIGURATION
        Purpose: Enter the ROUTE-MAP mode and assign a name to a route map.

Step 2  match {community community-list-name [exact] | extcommunity extcommunity-list-name [exact]}
        Mode: CONFIG-ROUTE-MAP
        Purpose: Configure a match filter for all routes meeting the criteria in the IP Community or
        Extended Community list.

Step 3  exit
        Mode: CONFIG-ROUTE-MAP
        Purpose: Return to the CONFIGURATION mode.

Step 4  router bgp as-number
        Mode: CONFIGURATION
        Purpose: Enter the ROUTER BGP mode.
          as-number: 0-65535 (2-Byte), 1-4294967295 (4-Byte), or 0.1-65535.65535 (dotted format)

Step 5  neighbor {ip-address | peer-group-name} route-map map-name {in | out}
        Mode: CONFIG-ROUTER-BGP
        Purpose: Apply the route map to the neighbor's or peer group's incoming or outgoing routes.


To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP
mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
To view which BGP routes meet an IP Community or Extended Community lists criteria, use the show ip
bgp {community-list | extcommunity-list} command in EXEC Privilege mode.


Manipulate the COMMUNITY attribute


In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can
manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route
information.
By default, FTOS does not send the COMMUNITY attribute.
Use the following command in the CONFIGURATION ROUTER BGP mode to send the COMMUNITY
attribute to BGP neighbors.
Command: neighbor {ip-address | peer-group-name} send-community
Mode: CONFIG-ROUTERBGP
Purpose: Enable the software to send the router's COMMUNITY attribute to the BGP neighbor or
peer group specified.


To view the BGP configuration, use the show config command in the CONFIGURATION ROUTER
BGP mode.
To remove a specific COMMUNITY number from a BGP path, or add one to it, create a route map with one
or both of the following set statements, then apply that route map to a BGP neighbor or peer group. Use
these commands in the following sequence, starting in the CONFIGURATION mode:
Step 1  route-map map-name [permit | deny] [sequence-number]
        Mode: CONFIGURATION
        Purpose: Enter the ROUTE-MAP mode and assign a name to a route map.

Step 2  set comm-list community-list-name delete
        Mode: CONFIG-ROUTE-MAP
        Purpose: Configure a set filter to delete all COMMUNITY numbers in the IP Community list.

Step 3  set community {community-number | local-as | no-advertise | no-export | none} [additive]
        Mode: CONFIG-ROUTE-MAP
        Purpose: Set the COMMUNITY attribute of matching routes to specific community numbers or
        types of community.
          community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is
          a value specific to that autonomous system.
          local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED; they are not
          sent to EBGP peers.
          no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE; they are not
          advertised.
          no-export: routes with the COMMUNITY attribute of NO_EXPORT.
          none: remove the COMMUNITY attribute.
          additive: add the communities to the already existing communities.

Step 4  exit
        Mode: CONFIG-ROUTE-MAP
        Purpose: Return to the CONFIGURATION mode.

Step 5  router bgp as-number
        Mode: CONFIGURATION
        Purpose: Enter the ROUTER BGP mode.

Step 6  neighbor {ip-address | peer-group-name} route-map map-name {in | out}
        Mode: CONFIG-ROUTER-BGP
        Purpose: Apply the route map to the neighbor's or peer group's incoming or outgoing routes.


To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP
mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Use the show ip bgp community command in EXEC Privilege mode (Figure 134) to view BGP routes
matching a certain community number or pre-defined BGP community.
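The community handling described in the three sections above (IP community lists with standard and regexp entries, match community with and without exact, set community with none and additive, set comm-list delete, and the RFC 1997 export rules for NO_EXPORT, NO_ADVERTISE and NO_EXPORT_SUBCONFED) as an added example. This is illustrative Python, not code from the guide or from FTOS; the CUSTOMER and SCRUB lists, the ROUTE value and the 64496:100 community are constructed, the regexp entries use Python re syntax rather than the Table 17 syntax, and the peer kinds ibgp, confed-ebgp and ebgp are assumed labels.

```python
import re

# Added example (not FTOS code): model the IP community list, route-map
# match/set statements and the RFC 1997 export rules described above.
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-AS": 0xFFFFFF03,      # NO_EXPORT_SUBCONFED
}
NAMES = {value: name for name, value in WELL_KNOWN.items()}


def parse_community(token: str) -> int:
    """'AA:NN' (2-byte AS) or a well-known keyword -> 32-bit community value."""
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    aa, nn = (int(part) for part in token.split(":"))
    if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError(f"community out of range: {token}")
    return (aa << 16) | nn


def fmt_community(value: int) -> str:
    return NAMES.get(value, f"{value >> 16}:{value & 0xFFFF}")


def community_list(*entries):
    """Ordered list; each entry is (action, 'AA:NN keyword ...') or
    (action, ('regexp', python_pattern)). Python re syntax, not Table 17's."""
    compiled = []
    for action, spec in entries:
        if isinstance(spec, tuple):
            compiled.append((action, re.compile(spec[1])))
        else:
            compiled.append((action, frozenset(parse_community(t) for t in spec.split())))
    return compiled


def match_community(clist, comms: set, exact: bool = False) -> bool:
    """'match community NAME [exact]': first matching entry decides; implicit deny."""
    text = " ".join(fmt_community(c) for c in sorted(comms))
    for action, spec in clist:
        if isinstance(spec, frozenset):
            hit = comms == spec if exact else spec <= comms
        else:
            hit = spec.search(text) is not None
        if hit:
            return action == "permit"
    return False


def set_community(comms: set, values: str, additive: bool = False) -> set:
    """'set community {values | none} [additive]'."""
    if values == "none":
        return set()
    new = {parse_community(v) for v in values.split()}
    return comms | new if additive else new


def set_comm_list_delete(comms: set, clist) -> set:
    """'set comm-list NAME delete': drop every community the list permits on its own."""
    return {c for c in comms if not match_community(clist, {c})}


def may_advertise(comms: set, peer: str) -> bool:
    """Apply the well-known communities to a peer of kind 'ibgp', 'confed-ebgp' or 'ebgp'."""
    if WELL_KNOWN["no-advertise"] in comms:
        return False
    if WELL_KNOWN["local-AS"] in comms and peer != "ibgp":
        return False
    if WELL_KNOWN["no-export"] in comms and peer == "ebgp":
        return False
    return True


# Constructed sample policy: deny the 701:20 community seen in Figure 133,
# otherwise accept anything tagged by AS 701; a second list used for scrubbing.
CUSTOMER = community_list(("deny", "701:20"), ("permit", ("regexp", r"\b701:")))
SCRUB = community_list(("permit", ("regexp", r"^(no-export|no-advertise|local-AS)$")))
ROUTE = {parse_community("701:112"), parse_community("no-export")}


def main():
    print("match community CUSTOMER:", match_community(CUSTOMER, ROUTE))
    for peer in ("ibgp", "confed-ebgp", "ebgp"):
        print(f"advertise to {peer}:", may_advertise(ROUTE, peer))
    scrubbed = set_comm_list_delete(ROUTE, SCRUB)
    print("after set comm-list SCRUB delete:", sorted(map(fmt_community, scrubbed)))
    tagged = set_community(scrubbed, "64496:100", additive=True)
    print("after set community 64496:100 additive:", sorted(map(fmt_community, tagged)))


if __name__ == "__main__":
    main()
```

Run it to see that a route carrying no-export is accepted by the CUSTOMER list and still advertised to IBGP and confederation peers but not to EBGP peers, and that the SCRUB list removes the well-known communities before a new community is added with additive.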


Figure 134 Command example: show ip bgp community (Partial)

Force10>show ip bgp community
BGP table version is 3762622, local router ID is 10.114.8.48
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network           Next Hop        Metric LocPrf Weight Path
* i  3.0.0.0/8         195.171.0.16              100      0 209 701 80 i
*>i  4.2.49.12/30      195.171.0.16              100      0 209 i
* i  4.21.132.0/23     195.171.0.16              100      0 209 6461 16422 i
*>i  4.24.118.16/30    195.171.0.16              100      0 209 i
*>i  4.24.145.0/30     195.171.0.16              100      0 209 i
*>i  4.24.187.12/30    195.171.0.16              100      0 209 i
*>i  4.24.202.0/30     195.171.0.16              100      0 209 i
*>i  4.25.88.0/30      195.171.0.16              100      0 209 3561 3908 i
*>i  6.1.0.0/16        195.171.0.16              100      0 209 7170 1455 i
*>i  6.2.0.0/22        195.171.0.16              100      0 209 7170 1455 i
*>i  6.3.0.0/18        195.171.0.16              100      0 209 7170 1455 i
*>i  6.4.0.0/16        195.171.0.16              100      0 209 7170 1455 i
*>i  6.5.0.0/19        195.171.0.16              100      0 209 7170 1455 i
*>i  6.8.0.0/20        195.171.0.16              100      0 209 7170 1455 i
*>i  6.9.0.0/20        195.171.0.16              100      0 209 7170 1455 i
*>i  6.10.0.0/15       195.171.0.16              100      0 209 7170 1455 i


Change MED attribute

By default, FTOS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the
same AS.
Use any or all of the following commands in the CONFIGURATION ROUTER BGP mode to change how
the MED attribute is used.

Command: bgp always-compare-med
Mode: CONFIG-ROUTERBGP
Purpose: Enable MED comparison in the paths from neighbors with different ASs. By default, this
comparison is not performed.

Command: bgp bestpath med {confed | missing-as-best}
Mode: CONFIG-ROUTERBGP
Purpose: Change the bestpath MED selection to one of the following:
  confed: compare the MED of paths learned from BGP confederation peers.
  missing-as-best: treat a path missing a MED as the most preferred one.

Use the show config command in the CONFIGURATION ROUTER BGP mode to view the nondefault
values.

Change LOCAL_PREFERENCE attribute

In FTOS, you can change the value of the LOCAL_PREFERENCE attribute.

Use the following command in the CONFIGURATION ROUTER BGP mode to change the default value
of this attribute for all routes received by the router.

Command: bgp default local-preference value
Mode: CONFIG-ROUTERBGP
Purpose: Change the LOCAL_PREF value.
  value range: 0 to 4294967295. Default is 100.

Use the show config command in CONFIGURATION ROUTER BGP mode or the show
running-config bgp command in EXEC Privilege mode to view BGP configuration.
A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map.
Use these commands in the following sequence, starting in CONFIGURATION mode, to change the default
value of the LOCAL_PREF attribute for specific routes.

Step 1  route-map map-name [permit | deny] [sequence-number]
        Mode: CONFIGURATION
        Purpose: Enter the ROUTE-MAP mode and assign a name to a route map.

Step 2  set local-preference value
        Mode: CONFIG-ROUTE-MAP
        Purpose: Change the LOCAL_PREF value for routes meeting the criteria of this route map.

Step 3  exit
        Mode: CONFIG-ROUTE-MAP
        Purpose: Return to the CONFIGURATION mode.

Step 4  router bgp as-number
        Mode: CONFIGURATION
        Purpose: Enter the ROUTER BGP mode.

Step 5  neighbor {ip-address | peer-group-name} route-map map-name {in | out}
        Mode: CONFIG-ROUTER-BGP
        Purpose: Apply the route map to the neighbor's or peer group's incoming or outgoing routes.

To view the BGP configuration, use the show config command in the CONFIGURATION ROUTER
BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege
mode.

Change NEXT_HOP attribute

You can change how the NEXT_HOP attribute is used.
Use the following command in the CONFIGURATION ROUTER BGP mode to change how the
NEXT_HOP attribute is used.

Command: neighbor {ip-address | peer-group-name} next-hop-self
Mode: CONFIG-ROUTERBGP
Purpose: Disable next hop processing and configure the router as the next hop for a BGP neighbor.

Use the show config command in CONFIGURATION ROUTER BGP mode or the show
running-config bgp command in EXEC Privilege mode to view BGP configuration.
You can also use route maps to change this and other BGP attributes. For example, you can include the
following command in a route map to specify the next hop address:

Command: set next-hop ip-address
Mode: CONFIG-ROUTEMAP
Purpose: Sets the next hop address.


Change WEIGHT attribute

Use the following command in CONFIGURATION ROUTER BGP mode to change how the WEIGHT
attribute is used.

Command: neighbor {ip-address | peer-group-name} weight weight
Mode: CONFIG-ROUTERBGP
Purpose: Assign a weight to the neighbor connection.
  weight range: 0 to 65535. Default is 0.

Use the show config command in CONFIGURATION ROUTER BGP mode or the show
running-config bgp command in EXEC Privilege mode to view BGP configuration.
You can also use route maps to change this and other BGP attributes. For example, you can include the
following command in a route map to set the weight of the routes it matches:

Command: set weight weight
Mode: CONFIG-ROUTE-MAP
Purpose: Sets the weight for the route.
  weight range: 0 to 65535


Enable multipath
By default, the software allows one path to a destination. You can enable multipath to allow up to 16
parallel paths to a destination.
Use the following command in the CONFIGURATION ROUTER BGP mode to allow more than one path.

Command: maximum-paths {ebgp | ibgp} number
Mode: CONFIG-ROUTERBGP
Purpose: Enable multiple parallel paths.
  number range: 1 to 16. Default is 1.

The show ip bgp network command includes multipath information for that network.
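The decision steps that the WEIGHT, LOCAL_PREF, MED and multipath sections above configure, as an added example. This is a simplified Python model written for this page, not FTOS code and not the switch's actual implementation: the Policy flags stand in for bgp always-compare-med, bgp bestpath med missing-as-best and maximum-paths; the Path and Policy classes, the sample neighbor addresses and AS numbers, the lowest-neighbor-address tie-breaker, the same-AS requirement for multipath, and the treatment of an absent MED as worst when missing-as-best is not set are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not FTOS code): a simplified model of the decision steps the
# sections above configure (WEIGHT, LOCAL_PREF, MED, multipath). Real BGP
# implementations have more steps and corner cases than shown here.


@dataclass(frozen=True)
class Path:
    neighbor: str              # peer address, used only as the final tie-breaker
    neighbor_as: int
    as_path: Tuple[int, ...]
    weight: int = 0            # neighbor ... weight / set weight (0-65535, default 0)
    local_pref: int = 100      # bgp default local-preference (default 100)
    med: Optional[int] = None  # None = MED attribute absent
    origin: int = 0            # 0 = IGP, 1 = EGP, 2 = incomplete
    ebgp: bool = True


@dataclass(frozen=True)
class Policy:
    always_compare_med: bool = False   # bgp always-compare-med
    missing_as_best: bool = False      # bgp bestpath med missing-as-best
    maximum_paths: int = 1             # maximum-paths ebgp N (default 1)


def effective_med(p: Path, policy: Policy) -> int:
    if p.med is not None:
        return p.med
    # Assumption: with missing-as-best unset an absent MED ranks worst; the
    # keyword exists to flip that. Verify the behaviour on your own platform.
    return 0 if policy.missing_as_best else 0xFFFFFFFF


def med_comparable(a: Path, b: Path, policy: Policy) -> bool:
    """MED is compared only between paths from the same neighbor AS unless
    bgp always-compare-med is configured."""
    return policy.always_compare_med or a.neighbor_as == b.neighbor_as


def better(a: Path, b: Path, policy: Policy) -> Path:
    """Return the preferred of two paths."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if a.origin != b.origin:
        return a if a.origin < b.origin else b
    if med_comparable(a, b, policy):
        ma, mb = effective_med(a, policy), effective_med(b, policy)
        if ma != mb:
            return a if ma < mb else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    return a if a.neighbor <= b.neighbor else b   # assumption: lowest neighbor address wins


def equivalent(a: Path, b: Path, policy: Policy) -> bool:
    """Multipath candidates: equal through the MED step, same type and neighbor AS
    (assumption: the same-AS requirement is not relaxed)."""
    return (a.weight == b.weight and a.local_pref == b.local_pref
            and len(a.as_path) == len(b.as_path) and a.origin == b.origin
            and a.ebgp == b.ebgp and a.neighbor_as == b.neighbor_as
            and effective_med(a, policy) == effective_med(b, policy))


def select(paths: List[Path], policy: Policy) -> Tuple[Path, List[Path]]:
    """Best path plus the multipath set installed for forwarding."""
    best = paths[0]
    for p in paths[1:]:
        best = better(best, p, policy)
    multipath = [best] + [p for p in paths if p is not best and equivalent(best, p, policy)]
    return best, multipath[: policy.maximum_paths]


# Constructed sample: five eBGP paths to one prefix, four from AS 64500, one from AS 64510.
PATHS = [
    Path("10.0.0.1", 64500, (64500, 64520), med=10),
    Path("10.0.0.2", 64500, (64500, 64520), med=50),
    Path("10.0.0.3", 64510, (64510, 64520), med=5),
    Path("10.0.0.4", 64500, (64500, 64520), med=None),
    Path("10.0.0.5", 64500, (64500, 64520), med=10),
]


def main():
    for label, policy in [("default", Policy()),
                          ("always-compare-med", Policy(always_compare_med=True)),
                          ("missing-as-best", Policy(missing_as_best=True)),
                          ("maximum-paths ebgp 2", Policy(maximum_paths=2))]:
        best, mp = select(PATHS, policy)
        print(f"{label:22} best={best.neighbor} multipath={[p.neighbor for p in mp]}")
    weighted = [Path("10.0.0.2", 64500, (64500, 64520), weight=100, med=50)] + PATHS[:1] + PATHS[2:]
    print("weight 100 on 10.0.0.2  best=", select(weighted, Policy())[0].neighbor)


if __name__ == "__main__":
    main()
```

The sample shows why the three knobs matter: by default the MED 5 from AS 64510 is never compared with the AS 64500 paths, always-compare-med makes it win, missing-as-best makes the path without a MED win, a weight of 100 overrides everything else, and maximum-paths 2 installs the two AS 64500 paths that tie through the MED step.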


Filter BGP routes

Filtering routes allows you to implement BGP policies. You can use either IP prefix lists, route maps,
AS-PATH ACLs or IP Community lists (via a route map) to control which routes are accepted and
advertised by the BGP neighbor or peer group. Prefix lists filter routes based on route and prefix length,
while AS-Path ACLs filter routes based on the Autonomous System number. Route maps can filter and set
conditions, change attributes, and assign update policies.
Note: FTOS supports up to 255 characters in a set community statement inside a route map.

Note: With FTOS, you can create inbound and outbound policies. Each of the commands used for
filtering has in and out parameters, one of which must be applied. In FTOS, the order of preference varies
depending on whether the attributes are applied for inbound updates or outbound updates.

For inbound and outbound updates the order of preference is:

1. prefix lists (using the neighbor distribute-list command)
2. AS-PATH ACLs (using the neighbor filter-list command)
3. route maps (using the neighbor route-map command)

Prior to filtering BGP routes, you must create the prefix list, AS-PATH ACL, or route map to be used.
Refer to Chapter 6, IP Access Control Lists (ACL), Prefix Lists, and Route-maps, on page 115 for
configuration information on prefix lists, AS-PATH ACLs, and route maps.
Note: When you configure a new set of BGP policies, always reset the neighbor or peer group by
entering the clear ip bgp command in EXEC Privilege mode.

Use these commands in the following sequence, starting in the CONFIGURATION mode, to filter routes
using prefix lists.

Step 1  ip prefix-list prefix-name
        Mode: CONFIGURATION
        Purpose: Create a prefix list and assign it a name.

Step 2  seq sequence-number {deny | permit} {any | ip-prefix [ge | le]}
        Mode: CONFIG-PREFIX LIST
        Purpose: Create multiple prefix list filters with a deny or permit action.
          ge: minimum prefix length to be matched
          le: maximum prefix length to be matched
        Refer to Chapter 6, IP Access Control Lists (ACL), Prefix Lists, and Route-maps, on page 115
        for information on configuring prefix lists.

Step 3  exit
        Mode: CONFIG-PREFIX LIST
        Purpose: Return to the CONFIGURATION mode.

Step 4  router bgp as-number
        Mode: CONFIGURATION
        Purpose: Enter ROUTER BGP mode.

Step 5  neighbor {ip-address | peer-group-name} distribute-list prefix-list-name {in | out}
        Mode: CONFIG-ROUTERBGP
        Purpose: Filter routes based on the criteria in the configured prefix list. Configure the
        following parameters:
          ip-address or peer-group-name: enter the neighbor's IP address or the peer group's name.
          prefix-list-name: enter the name of a configured prefix list.
          in: apply the prefix list to inbound routes.
          out: apply the prefix list to outbound routes.


As a reminder, below are some rules concerning prefix lists:

- If the prefix list contains no filters, all routes are permitted.
- If none of the routes match any of the filters in the prefix list, the route is denied. This action is called
  an implicit deny. (If you want to forward all routes that do not match the prefix list criteria, you must
  configure a prefix list filter to permit all routes. For example, you could have the following filter as the
  last filter in your prefix list: permit 0.0.0.0/0 le 32.)
- Once a route matches a filter, the filter's action is applied. No additional filters are applied to the route.

To view the BGP configuration, use the show config command in the ROUTER BGP mode. To view a
prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary
commands in EXEC Privilege mode.
Use these commands in the following sequence, starting in the CONFIGURATION mode, to filter routes
using a route map.

Step 1  route-map map-name [permit | deny] [sequence-number]
        Mode: CONFIGURATION
        Purpose: Create a route map and assign it a name.

Step 2  {match | set}
        Mode: CONFIG-ROUTE-MAP
        Purpose: Create multiple route map filters with a match or set action. Refer to Chapter 6, IP
        Access Control Lists (ACL), Prefix Lists, and Route-maps, on page 115 for information on
        configuring route maps.

Step 3  exit
        Mode: CONFIG-ROUTE-MAP
        Purpose: Return to the CONFIGURATION mode.

Step 4  router bgp as-number
        Mode: CONFIGURATION
        Purpose: Enter ROUTER BGP mode.

Step 5  neighbor {ip-address | peer-group-name} route-map map-name {in | out}
        Mode: CONFIG-ROUTER-BGP
        Purpose: Filter routes based on the criteria in the configured route map. Configure the
        following parameters:
          ip-address or peer-group-name: enter the neighbor's IP address or the peer group's name.
          map-name: enter the name of a configured route map.
          in: apply the route map to inbound routes.
          out: apply the route map to outbound routes.

Use the show config command in CONFIGURATION ROUTER BGP mode to view the BGP
configuration. Use the show route-map command in EXEC Privilege mode to view a route map
configuration.
Use these commands in the following sequence, beginning in the CONFIGURATION mode, to filter routes
based on AS-PATH information.

Step 1  ip as-path access-list as-path-name
        Mode: CONFIGURATION
        Purpose: Create an AS-PATH ACL and assign it a name.

Step 2  {deny | permit} as-regular-expression
        Mode: AS-PATH ACL
        Purpose: Create an AS-PATH ACL filter with a deny or permit action.

Step 3  exit
        Mode: AS-PATH ACL
        Purpose: Return to the CONFIGURATION mode.

Step 4  router bgp as-number
        Mode: CONFIGURATION
        Purpose: Enter ROUTER BGP mode.

Step 5  neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
        Mode: CONFIG-ROUTERBGP
        Purpose: Filter routes based on the criteria in the configured AS-PATH ACL. Configure the
        following parameters:
          ip-address or peer-group-name: enter the neighbor's IP address or the peer group's name.
          as-path-name: enter the name of a configured AS-PATH ACL.
          in: apply the AS-PATH ACL to inbound routes.
          out: apply the AS-PATH ACL to outbound routes.

Use the show config command in CONFIGURATION ROUTER BGP mode and the show ip
as-path-access-list command in EXEC Privilege mode to view which commands are configured.
Because an AS-PATH ACL ends with an implicit deny, include the filter permit .* as the last entry in the
ACL if you want to forward all routes not matched by the earlier entries.
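The AS-PATH ACL procedure above, the earlier AS-PATH ACL and Regular Expressions as filters sections, and Table 17, as an added example. The following Python script is illustrative code written for this page, not code from the guide or from FTOS: it evaluates AS-PATH ACLs offline against AS paths as they appear in the Path column of show ip bgp, using first-match, implicit-deny and missing-or-empty-list rules stated in the text. It assumes that FTOS searches for the expression anywhere in the AS path (substring matching, which is what Table 17's description of the underscore implies) and it translates "_" into the ^, $, comma, space, { and } alternatives Table 17 lists; the Strict list, its entries and the sample paths are constructed for illustration. It also shows the substring pitfall: deny 32$ from Figure 132 drops a path that ends in AS 3232, while deny _32$ does not.

```python
import re

# Added example (not FTOS code): evaluate AS-PATH ACLs offline with the regular
# expression semantics of Table 17. Assumption: FTOS searches the AS path for the
# expression (substring match) and "_" stands for ^, $, comma, space, { or }.
UNDERSCORE = r"(?:^|$|[ ,{}])"


def translate(expr: str) -> str:
    """Translate an FTOS AS-path regular expression into Python re syntax."""
    return expr.replace("_", UNDERSCORE)


def parse_as_path_acls(config: str) -> dict:
    """Parse 'ip as-path access-list NAME' blocks into ordered (action, regex) entries."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        head = re.match(r"ip as-path access-list (\S+)$", line)
        if head:
            current = acls.setdefault(head.group(1), [])
            continue
        entry = re.match(r"(permit|deny) (.+)$", line)
        if entry and current is not None:
            current.append((entry.group(1), re.compile(translate(entry.group(2)))))
    return acls


def evaluate(entries, as_path: str) -> str:
    """First matching entry wins; a path that matches nothing hits the implicit deny."""
    for action, regex in entries:
        if regex.search(as_path):
            return action
    return "deny"


def filter_list(acls: dict, name: str, as_path: str) -> str:
    """'neighbor X filter-list NAME in': a missing or empty list lets every route through."""
    entries = acls.get(name)
    if not entries:
        return "permit"
    return evaluate(entries, as_path)


# Constructed sample configuration: the Eagle list from Figure 132 plus a second
# list that anchors the AS number with "_" and ends with the catch-all "permit .*".
SAMPLE_CONFIG = """\
ip as-path access-list Eagle
 deny 32$
!
ip as-path access-list Strict
 deny _32$
 permit .*
"""

# Constructed AS paths, as displayed in the Path column of show ip bgp.
SAMPLE_PATHS = ["32", "701 32", "701 3232", "32 701", ""]


def main():
    acls = parse_as_path_acls(SAMPLE_CONFIG)
    for name in ("Eagle", "Strict", "Missing"):
        for path in SAMPLE_PATHS:
            print(f"{name:8} {path!r:12} -> {filter_list(acls, name, path)}")


if __name__ == "__main__":
    main()
```

Running it prints one decision per list and path; the Eagle list denies every sample path (three by matching 32$, including the 3232 one, and two by the implicit deny), whereas the Strict list denies only the paths that really originate in AS 32.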


Configure BGP route reflectors

BGP route reflectors are intended for Autonomous Systems with a large mesh and they reduce the amount
of BGP control traffic. With route reflection configured properly, IBGP routers are not fully meshed within
a cluster but all receive routing information.
Configure clusters of routers where one router is a concentration router and others are clients who receive
their updates from the concentration router.
Use the following commands in the CONFIGURATION ROUTER BGP mode to configure a route
reflector.

Command: bgp cluster-id cluster-id
Mode: CONFIG-ROUTERBGP
Purpose: Assign an ID to a route reflector cluster. You can have multiple clusters in an AS.

Command: neighbor {ip-address | peer-group-name} route-reflector-client
Mode: CONFIG-ROUTERBGP
Purpose: Configure the local router as a route reflector; the neighbor or peer group identified is the
route reflector client.

To view a route reflector configuration, use the show config command in the CONFIGURATION
ROUTER BGP mode or show running-config bgp in EXEC Privilege mode.
When you enable a route reflector,FTOS automatically enables route reflection to all clients. To disable
route reflection between all clients in this reflector, use the no bgp client-to-client reflection command
in CONFIGURATION ROUTER BGP mode. All clients must be fully meshed before you disable route
reflection.

Aggregate routes
FTOS provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of
the aggregate must be in the routing table for the configured aggregate to become active.

Use the following command in the CONFIGURATION ROUTER BGP mode to aggregate routes.

Command: aggregate-address ip-address mask [advertise-map map-name] [as-set]
  [attribute-map map-name] [summary-only] [suppress-map map-name]
Mode: CONFIG-ROUTERBGP
Purpose: Assign the IP address and mask of the prefix to be aggregated. Optional parameters are:
  advertise-map map-name: set filters for advertising an aggregate route
  as-set: generate path attribute information and include it in the aggregate.
  attribute-map map-name: modify attributes of the aggregate, except for the AS_PATH and
  NEXT_HOP attributes
  summary-only: advertise only the aggregate address. Specific routes will not be advertised
  suppress-map map-name: identify which more-specific routes in the aggregate are suppressed

AS_SET includes AS_PATH and community information from the routes included in the aggregated route.
In the show ip bgp command, aggregates contain an "a" in the first column and routes suppressed by the
aggregate contain an "s" in the first column.
Figure 135 Command Example: show ip bgp

Force10#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network           Next Hop        Metric LocPrf Weight Path
*>   7.0.0.0/29        10.114.8.33          0             0 18508 ?
*>   7.0.0.0/30        10.114.8.33          0             0 18508 ?
*>a  9.0.0.0/8         192.0.0.0                      32768 18508 701 {7018 2686 3786} ?
*>   9.2.0.0/16        10.114.8.33                        0 18508 701 i
*>   9.141.128.0/24    10.114.8.33                        0 18508 701 7018 2686 ?
Force10#

(Figure callout: the "a" in the first column of the 9.0.0.0/8 entry is the aggregate route indicator.)


Configure BGP confederations

Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP
confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering
involving a large number of IBGP peering sessions per router. Basically, when you configure BGP
confederations, you break the AS into smaller sub-ASs, and to those outside your network, the
confederation appears as one AS. Within each confederation sub-AS, the IBGP neighbors are fully meshed,
and the MED, NEXT_HOP, and LOCAL_PREF attributes are preserved when routes cross from one sub-AS
to another.

Use the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP
confederations.

Command: bgp confederation identifier as-number
Mode: CONFIG-ROUTERBGP
Purpose: Specifies the confederation ID.
  as-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte)

Command: bgp confederation peers as-number [... as-number]
Mode: CONFIG-ROUTERBGP
Purpose: Specifies which confederation sub-ASs are peers.
  as-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte)

All confederation routers must support either 4-Byte or 2-Byte ASNs; you cannot have a mix of router
ASN support.

Use the show config command in the CONFIGURATION ROUTER BGP mode to view the
configuration.

Enable route flap dampening

When EBGP routes become unavailable, they flap and the router issues both WITHDRAWN and
UPDATE notices. A flap is when a route:

- is withdrawn
- is readvertised after being withdrawn
- has an attribute change

The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP
process. To minimize this instability, you may configure penalties, a numeric value, for routes that flap.
When that penalty value reaches a configured limit, the route is not advertised, even if the route is up. In
FTOS, the penalty assigned for each flap is 1024. As time passes and the route does not flap, the penalty
value decrements or is decayed. However, if the route flaps again, it is assigned another penalty.
The penalty value is cumulative and a penalty is added in each of the following cases:

- withdraw
- readvertise
- attribute change

When dampening is applied to a route, its path is described by one of the following terms:

- history entry: an entry that stores information on a downed route
- dampened path: a path that is no longer advertised
- penalized path: a path that is assigned a penalty

The CLI example below shows configuring values to start reusing or restarting a route, as well as their
default values.


Figure 136 Setting Reuse and Restart Route Values

Force10(conf-router_bgp)#bgp dampening ?
<1-45>        Half-life time for the penalty (default = 15)
route-map     Route-map to specify criteria for dampening
<cr>
Force10(conf-router_bgp)#bgp dampening 2 ?
<1-20000>     Value to start reusing a route (default = 750)
Force10(conf-router_bgp)#bgp dampening 2 2000 ?
<1-20000>     Value to start suppressing a route (default = 2000)
Force10(conf-router_bgp)#bgp dampening 2 2000 3000 ?
<1-255>       Maximum duration to suppress a stable route (default = 60)
Force10(conf-router_bgp)#bgp dampening 2 2000 3000 10 ?
route-map     Route-map to specify criteria for dampening
<cr>

(Figure callouts: the first value sets the time before the penalty value decrements (half-life), the second
sets the readvertise (reuse) value, the third sets the suppress value, and the fourth sets the time to
suppress a route.)

Use the following command in the CONFIGURATION ROUTER BGP mode to configure route flap
dampening parameters.

Command: bgp dampening [half-life reuse suppress max-suppress-time] [route-map map-name]
Mode: CONFIG-ROUTERBGP
Purpose: Enable route dampening. Enter the following optional parameters, in this order, to configure
route dampening parameters:
  half-life range: 1 to 45. Number of minutes after which the penalty is decreased. After the router
  assigns a penalty of 1024 to a route, the penalty is decreased by half after the half-life period
  expires. (Default: 15 minutes)
  reuse range: 1 to 20000. This number is compared to the flapping route's penalty value. If the
  penalty value is less than the reuse value, the flapping route is once again advertised (or no
  longer suppressed). Withdrawn routes are removed from history state. (Default: 750)
  suppress range: 1 to 20000. This number is compared to the flapping route's penalty value. If the
  penalty value is greater than the suppress value, the flapping route is no longer advertised (that
  is, it is suppressed). (Default: 2000)
  max-suppress-time range: 1 to 255. The maximum number of minutes a route can be suppressed.
  The default is four times the half-life value. (Default: 60 minutes)
  route-map map-name: name of a configured route map. Only match commands in the configured
  route map are supported. Use this parameter to apply route dampening to selective routes.


To view the BGP configuration, use show config in the CONFIGURATION ROUTER BGP mode or
show running-config bgp in EXEC Privilege mode.

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010


To set dampening parameters via a route map, use the following command in CONFIGURATION
ROUTE-MAP mode:

Command Syntax: set dampening half-life reuse suppress max-suppress-time
Command Mode: CONFIG-ROUTE-MAP
Purpose: Enter the following parameters to configure route dampening:
- half-life range: 1 to 45. Number of minutes after which the Penalty is decreased. After the router
  assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period
  expires. (Default: 15 minutes)
- reuse range: 1 to 20000. This number is compared to the flapping route's Penalty value. If the
  Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer
  suppressed). (Default: 750)
- suppress range: 1 to 20000. This number is compared to the flapping route's Penalty value. If the
  Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is,
  it is suppressed). (Default: 2000)
- max-suppress-time range: 1 to 255. The maximum number of minutes a route can be suppressed. The
  default is four times the half-life value. (Default: 60 minutes)
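The following Python script is an added example, not FTOS code, that simulates the penalty arithmetic
described above: 1024 per flap, halving every half-life, suppression once the penalty exceeds the suppress
value and reuse once it falls below the reuse value. The penalty ceiling (reuse x 2^(max-suppress-time /
half-life)) is taken from RFC 2439 and is an assumption about FTOS internals that the guide does not
state; the flap timeline in the usage section is constructed for the demonstration.

```python
"""Added example (not FTOS code): simulate BGP route-flap dampening with the
FTOS parameters described in the guide. The penalty ceiling formula is the
RFC 2439 relation and is assumed, not documented, for FTOS."""
import math

PENALTY_PER_FLAP = 1024.0  # penalty FTOS adds per withdraw/readvertise/attribute change


def decayed_penalty(penalty, minutes, half_life):
    """Penalty after `minutes` of stability: it halves every `half_life` minutes."""
    return penalty * 0.5 ** (minutes / half_life)


def penalty_ceiling(reuse, half_life, max_suppress_time):
    """Largest penalty a path can hold; from there it decays to `reuse` in exactly
    max_suppress_time minutes (RFC 2439 relation, assumed for FTOS)."""
    return reuse * 2 ** (max_suppress_time / half_life)


class DampenedPath:
    """One BGP path under dampening. Times are minutes since an arbitrary epoch
    and must be passed in non-decreasing order."""

    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress_time=60):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.ceiling = penalty_ceiling(reuse, half_life, max_suppress_time)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        """Apply the exponential decay for the time elapsed since the last event."""
        self.penalty = decayed_penalty(self.penalty, now - self.last_update, self.half_life)
        self.last_update = now
        # Reuse: once the penalty drops below the reuse value, advertise again.
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False

    def flap(self, now):
        """Record a withdraw/readvertise/attribute change at time `now`."""
        self._decay_to(now)
        self.penalty = min(self.penalty + PENALTY_PER_FLAP, self.ceiling)
        # Suppress: the penalty exceeded the suppress value.
        if self.penalty > self.suppress:
            self.suppressed = True

    def state(self, now):
        """'dampened' if not advertised, 'penalized' if it carries a penalty but
        is still advertised, 'clear' once the penalty has decayed below 1."""
        self._decay_to(now)
        if self.suppressed:
            return "dampened"
        return "penalized" if self.penalty >= 1.0 else "clear"

    def minutes_until_reuse(self, now):
        """How long the path stays suppressed if it stops flapping at `now`."""
        self._decay_to(now)
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


if __name__ == "__main__":
    # Constructed timeline with the FTOS defaults (15 / 750 / 2000 / 60).
    p = DampenedPath()
    p.flap(0)                    # first flap: 1024, below suppress -> still advertised
    print(p.state(0), round(p.penalty))
    p.flap(0)                    # second flap: 2048 > 2000 -> suppressed
    print(p.state(0), round(p.penalty), "reuse in %.1f min" % p.minutes_until_reuse(0))
    print("ceiling", p.ceiling)  # 12000 with the defaults
```

With the defaults a single flap only penalizes the path; a second flap before the first penalty has decayed
pushes it over 2000 and the path stays dampened for about 22 minutes of stability. Lowering the half-life
to 2 minutes, as in Figure 136, shortens that to a few minutes, which is the trade-off the operator makes
between suppressing churn and delaying legitimate reconvergence.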

To view a count of dampened routes, history routes and penalized routes when route dampening is enabled,
look at the seventh line of the show ip bgp summary command output (Figure 137).
Figure 137 Command example: show ip bgp summary
Force10>show ip bgp summary
BGP router identifier 10.114.8.131, local AS number 65515
BGP table version is 855562, main routing table version 780266
122836 network entrie(s) and 221664 paths using 29697640 bytes of memory
34298 BGP path attribute entrie(s) using 1920688 bytes of memory
29577 BGP AS-PATH entrie(s) using 1384403 bytes of memory
184 BGP community entrie(s) using 7616 bytes of memory
Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths
Neighbor       AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.114.8.34    18508  82883    79977    780266  0    2     00:38:51  118904
10.114.8.33    18508  117265   25069    780266  0    20    00:38:50  102759
Force10>

To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in
EXEC Privilege mode.


Use the following command in EXEC Privilege mode to clear information on route dampening and return
suppressed routes to active state.

Command Syntax: clear ip bgp dampening [ip-address mask]
Command Mode: EXEC Privilege
Purpose: Clear all information or only information on a specific route.

Use the following command in EXEC and EXEC Privilege mode to view statistics on route flapping.

Command Syntax: show ip bgp flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression]
Command Mode: EXEC, EXEC Privilege
Purpose: View all flap statistics, or only those for routes meeting the following criteria:
- ip-address [mask]: enter the IP address and mask
- filter-list as-path-name: enter the name of an AS-PATH ACL
- regexp regular-expression: enter a regular expression to match on

By default, the path selection in FTOS is deterministic, that is, paths are compared irrespective of the order
of their arrival. You can change the path selection method to non-deterministic, that is, paths are compared
in the order in which they arrived (starting with the most recent). Furthermore, in non-deterministic mode,
the software may not compare MED attributes even though the paths are from the same AS.
Use the following command in CONFIGURATION ROUTER BGP mode to change the path selection
from the default mode (deterministic) to non-deterministic.

Command Syntax: bgp non-deterministic-med
Command Mode: CONFIG-ROUTER-BGP
Purpose: Change the best path selection method to non-deterministic.

Note: When you change the best path selection method, path selection for existing paths remains
unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode.


Change BGP timers


Use either or both of the following commands in the CONFIGURATION ROUTER BGP mode to
configure BGP timers.

Command Syntax: neighbor {ip-address | peer-group-name} timers keepalive holdtime
Command Mode: CONFIG-ROUTER-BGP
Purpose: Configure timer values for a BGP neighbor or peer group.
- keepalive range: 1 to 65535. Time interval, in seconds, between keepalive messages sent to the
  neighbor routers. (Default: 60 seconds)
- holdtime range: 3 to 65536. Time interval, in seconds, between the last keepalive message and
  declaring the router dead. (Default: 180 seconds)

Command Syntax: timers bgp keepalive holdtime
Command Mode: CONFIG-ROUTER-BGP
Purpose: Configure timer values for all neighbors. The keepalive and holdtime ranges and defaults are
the same as for the neighbor timers command.

Use the show config command in CONFIGURATION ROUTER BGP mode or the show
running-config bgp command in EXEC Privilege mode to view non-default values.
Timer values configured with the neighbor timers command override the timer values configured with
the timers bgp command.
When two neighbors configured with different keepalive and holdtime values negotiate new values,
the resulting values are as follows:

- the lower of the two holdtime values is the new holdtime value, and
- the new keepalive value is whichever is lower: one-third of the new holdtime value, or the configured
  keepalive value.

BGP neighbor soft-reconfiguration


Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies
to take effect. Such resets cause undue interruption to traffic because of the hard reset of the BGP cache and
the time it takes to re-establish the session. BGP soft reconfiguration allows policies to be applied to a
session without clearing the BGP session. Soft reconfiguration can be done on a per-neighbor basis and can
be either inbound or outbound.
BGP soft reconfiguration re-applies the policies without resetting the TCP connection.


Use the clear ip bgp command in EXEC Privilege mode at the system prompt to reset a BGP connection
using BGP soft reconfiguration.

Command Syntax: clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]
Command Mode: EXEC Privilege
Purpose: Clear all information or only specific details.
- *: Clear all peers
- neighbor-address: Clear the neighbor with this IP address
- AS Numbers: Peers' AS numbers to be cleared
- ipv4: Clear information for the IPv4 address family
- peer-group-name: Clear all members of the specified peer group

Command Syntax: neighbor {ip-address | peer-group-name} soft-reconfiguration inbound
Command Mode: CONFIG-ROUTER-BGP
Purpose: Enable soft-reconfiguration for the specified BGP neighbor. BGP stores all the updates received
from the neighbor but does not reset the peer session. Entering this command starts the storage of updates,
which is required to do inbound soft reconfiguration. Outbound BGP soft reconfiguration does not require
inbound soft reconfiguration to be enabled.

When soft-reconfiguration is enabled for a neighbor and the clear ip bgp soft in command is executed,
the update database stored in the router is replayed and the updates are re-evaluated. This replay is used
only if the route-refresh capability was not negotiated with the peer. If it was negotiated, then on
clear ip bgp soft in BGP instead sends a route-refresh request to the neighbor and receives all of the
peer's updates again.
To use soft reconfiguration, or soft reset, without preconfiguration, both BGP peers must support the
route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP
session.
To determine whether a BGP router supports this capability, use the show ip bgp neighbors command.
If a router supports the route refresh capability, the following message should be displayed:
Received route refresh capability from peer.

If you specify a BGP peer group by using the peer-group-name argument, all members of the peer group
inherit the characteristic configured with this command.
The following (Figure 138) enables inbound soft reconfiguration for the neighbor 10.108.1.1. All updates
received from this neighbor are stored unmodified, regardless of the inbound policy. When inbound soft
reconfiguration is done later, the stored information is used to generate a new set of inbound updates.


Figure 138 Command example: router bgp


Force10>router bgp 100
neighbor 10.108.1.1 remote-as 200
neighbor 10.108.1.1 soft-reconfiguration inbound

Route map continue


The BGP route map continue feature (in ROUTE-MAP mode) allows movement from one route-map
entry to a specific route-map entry (the sequence number). If the sequence number is not specified, the
continue feature moves to the next sequence number (also known as an implied continue). If a match
clause exists, the continue feature executes only after a successful match occurs. If there are no successful
matches, continue is ignored.
continue [sequence-number]

Match Clause with a Continue Clause

The continue feature can exist without a match clause. Without a match clause, the continue clause
executes and jumps to the specified route-map entry. With a match clause and a continue clause, the match
clause executes first and the continue clause next in a specified route map entry. The continue clause
launches only after a successful match. The behavior is:

- A successful match with a continue clause: the route map executes the set clauses and then goes to the
  specified route map entry upon execution of the continue clause.
- If the next route map entry contains a continue clause, the route map executes the continue clause if a
  successful match occurs.
- If the next route map entry does not contain a continue clause, the route map evaluates normally. If a
  match does not occur, the route map does not continue and falls through to the next sequence number,
  if one exists.

Set Clause with a Continue Clause

- If the route-map entry contains sets with the continue clause, then the set actions are performed
  first, followed by the continue clause jump to the specified route map entry.
- If a set action occurs in the first route map entry and then the same set action occurs with a
  different value in a subsequent route map entry, the last set action overrides the previous one for the
  same set command.
- If the set community additive and set as-path prepend commands are configured, the
  communities are added to the existing communities and the AS numbers are prepended to the existing
  AS path rather than replacing them.
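The following Python evaluator is an added example, not FTOS code, that implements the continue
semantics described above: match first, then the set clauses, then the explicit or implied continue, with
fall-through when a continue lands on an entry that does not match, and with later set clauses overriding
earlier ones except for community additive and as-path prepend. All entries are treated as permit entries,
so a route is permitted when at least one entry matched (an assumption for the demonstration). The
prefixes, AS numbers and communities are constructed, not taken from the guide.

```python
"""Added example (not FTOS code): evaluator for route-map continue semantics.
Entries are (seq, match, sets, cont). All entries are treated as permit entries
(assumption); prefixes, AS numbers and communities are constructed."""


def apply_set(route, action, value):
    """Apply one set clause. A later set of the same kind overrides an earlier
    one, except that 'community additive' adds and 'as-path prepend' prepends."""
    if action == "community additive":
        route["community"] = route.get("community", []) + list(value)
    elif action == "as-path prepend":
        route["as_path"] = list(value) + route.get("as_path", [])
    else:
        route[action] = value          # e.g. local-preference, metric, community (replace)


def evaluate(route_map, route):
    """route_map: list of (seq, match, sets, cont) sorted by seq.
    match: callable(route) -> bool, or None for an entry without a match clause.
    sets:  list of (action, value) applied before the continue jump.
    cont:  None (no continue: stop), True (implied continue: next seq) or an int seq.
    Returns (permitted, modified route, list of entries that executed)."""
    seqs = [entry[0] for entry in route_map]
    route, executed, i = dict(route), [], 0
    while i < len(route_map):
        seq, match, sets, cont = route_map[i]
        if match is not None and not match(route):
            i += 1                     # no match: continue is ignored, fall through
            continue
        executed.append(seq)
        for action, value in sets:     # set clauses run first ...
            apply_set(route, action, value)
        if cont is None:
            break                      # ... then, without a continue clause, evaluation ends
        if cont is True:
            i += 1                     # implied continue: next sequence number
        elif cont in seqs:
            i = seqs.index(cont)       # explicit continue: jump to that entry
        else:
            raise ValueError("continue %d refers to a sequence that does not exist" % cont)
    return bool(executed), route, executed


# Constructed route map: entry 10 matches 10.0.0.0/8 routes, sets local-preference
# and jumps to 30, which overrides local-preference and adds a community and an AS.
# Entry 20 catches everything that did not match entry 10.
ROUTE_MAP = [
    (10, lambda r: r["prefix"].startswith("10."), [("local-preference", 200)], 30),
    (20, None, [("metric", 50)], None),
    (30, None, [("local-preference", 300), ("community additive", ["65000:1"]),
                ("as-path prepend", [65000])], None),
]

# Constructed map showing an implied continue falling through a non-matching entry.
IMPLIED_MAP = [
    (10, None, [("metric", 1)], True),
    (20, lambda r: False, [("metric", 2)], None),
    (30, None, [("metric", 3)], None),
]


if __name__ == "__main__":
    print(evaluate(ROUTE_MAP, {"prefix": "10.1.0.0/16", "as_path": [100], "community": ["65000:9"]}))
    print(evaluate(ROUTE_MAP, {"prefix": "172.16.0.0/12", "as_path": [200]}))
    print(evaluate(IMPLIED_MAP, {"prefix": "192.0.2.0/24", "as_path": [300]}))
```

The first call executes entries 10 and 30 and ends with local-preference 300 (entry 30 overrides the 200
set in entry 10), the community list extended and AS 65000 prepended; the second call never matches entry
10 and is handled by entry 20 alone.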


MBGP Configuration

MBGP for IPv4 Multicast is supported on the C-Series, E-Series TeraScale, and S-Series platforms.
MBGP is not supported on the E-Series ExaScale platform.
MBGP for IPv6 unicast is supported on the E-Series TeraScale and C-Series platforms.

Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of
routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast
routing are used by Protocol Independent Multicast (PIM) to build data distribution trees.
FTOS MBGP is implemented as per RFC 2858 (Multiprotocol Extensions for BGP-4). The MBGP feature
can be enabled per router and/or per peer/peer-group.
The default address family is IPv4 Unicast.
Command Syntax: address family ipv4 multicast
Command Mode: CONFIG-ROUTER-BGP
Purpose: Enables support for the IPv4 Multicast family on the BGP node.

Command Syntax: neighbor [ip-address | peer-group-name] activate
Command Mode: CONFIG-ROUTER-BGP-AF (Address Family)
Purpose: Enable IPv4 Multicast support on a BGP neighbor/peer group.

When a peer is configured to support IPv4 Multicast, FTOS takes the following actions:

- Sends a capability advertisement to the peer in the BGP OPEN message specifying IPv4 Multicast as a
  supported AFI/SAFI (Address Family Identifier / Subsequent Address Family Identifier).
- If the corresponding capability is received in the peer's OPEN message, BGP marks the peer as
  supporting the AFI/SAFI.
- When exchanging updates with the peer, BGP sends and receives IPv4 Multicast routes if the peer is
  marked as supporting that AFI/SAFI.
- Exchange of IPv4 Multicast route information occurs through the use of two attributes,
  MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively.
- If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.

Most FTOS BGP IPv4 Unicast commands are extended to support the IPv4 Multicast RIB using extra
options to the command. See the FTOS Command Line Interface Reference for a detailed description of the
MBGP commands.


BGP Regular Expression Optimization


BGP policies that contain regular expressions to match against as-paths and communities can take a lot
of CPU processing time, which affects BGP routing convergence. Likewise, show bgp commands whose
output is filtered through regular expressions can take a lot of CPU cycles, especially when the database
is large.
FTOS optimizes processing time when using regular expressions by caching and re-using regular
expression evaluation results, at the expense of some memory on the RP1 processor. This feature is turned
on by default. Use the command bgp regex-eval-optz-disable in CONFIGURATION ROUTER BGP
mode to disable it if necessary.

Retain NH in BGP Advertisement


Retain NH in BGP Advertisement is available only on the E-Series ExaScale platform.

BGP does not update the NEXT_HOP attribute when the router is a route reflector. Configure
bgp retain-ibgp-nexthop to retain the NEXT_HOP attribute when advertising to internal BGP peers.

Debugging BGP
Use any of the following commands in EXEC Privilege mode to enable BGP debugging.

- debug ip bgp [ip-address | peer-group peer-group-name] [in | out]
  Mode: EXEC Privilege. View all information on BGP, including BGP events, keepalives, notifications,
  and updates.
- debug ip bgp dampening [in | out]
  Mode: EXEC Privilege. View information on BGP routes being dampened.
- debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
  Mode: EXEC Privilege. View information on local BGP state changes and other BGP events.
- debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
  Mode: EXEC Privilege. View information about BGP KEEPALIVE messages.
- debug ip bgp [ip-address | peer-group peer-group-name] notifications [in | out]
  Mode: EXEC Privilege. View information about BGP notifications received from or sent to neighbors.
- debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name]
  Mode: EXEC Privilege. View information about BGP updates, optionally filtered by prefix list name.
- debug ip bgp {ip-address | peer-group-name} soft-reconfiguration
  Mode: EXEC Privilege. Enable soft-reconfiguration debugging. To enhance debugging of soft
  reconfiguration, use the bgp soft-reconfig-backup command (CONFIG-ROUTER-BGP) only when
  route-refresh is not negotiated, to avoid the peer resending messages. Whether it is in effect is shown
  in the BGP section of the show ip protocols command output.

FTOS displays debug messages on the console. To view which debugging commands are enabled, use the
show debugging command in EXEC Privilege mode.
To disable a specific debug command, use the keyword no followed by the debug command. For example,
to disable debugging of BGP updates, enter the no debug ip bgp updates command.
Use no debug ip bgp to disable all BGP debugging.
Use undebug all to disable all debugging.

Storing Last and Bad PDUs


FTOS stores the last notification sent/received and the last bad PDU received on a per-peer basis. The last
bad PDU is the one that caused a notification to be issued. These PDUs are shown in the output of the
command show ip bgp neighbors, as shown in Figure 139.


Figure 139 Viewing the Last Bad PDU from BGP Peers
Force10(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.2, remote AS 2, external link
BGP version 4, remote router ID 2.4.0.1
BGP state ESTABLISHED, in this state for 00:00:01
Last read 00:00:00, last write 00:00:01
Hold time is 90, keepalive interval is 30 seconds
Received 1404 messages, 0 in queue
3 opens, 1 notifications, 1394 updates
6 keepalives, 0 route refresh requests
Sent 48 messages, 0 in queue
3 opens, 2 notifications, 0 updates
43 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; dropped 2
Last reset 00:00:12, due to Missing well known attribute
Notification History
'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0
'Connection Reset' Sent : 1 Recv: 0
Last notification (len 21) sent 00:26:02 ago
ffffffff ffffffff ffffffff ffffffff 00160303 03010000
Last notification (len 21) received 00:26:20 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Last PDU (len 41) received 00:26:02 ago that caused notification to be issued
ffffffff ffffffff ffffffff ffffffff 00290200 00000e01 02040201 00024003 04141414 0218c0a8 01000000
Local host: 1.1.1.1, Local port: 179
Foreign host: 1.1.1.2, Foreign port: 41758

Capturing PDUs
Capture incoming and outgoing PDUs on a per-peer basis using the command capture bgp-pdu
neighbor direction. Disable capturing using the no form of this command.


The maximum buffer size can be set between 40 MB (the default) and 100 MB. The capture buffers
are cyclic: reaching the limit prompts the system to overwrite the oldest PDUs when new ones are
received for a given neighbor or direction. Setting the buffer size to a value lower than the current
maximum might cause captured PDUs to be freed to fit the new limit.
Note: Memory on RP1 is not pre-allocated; it is allocated only when a PDU needs to be captured.

Use the command capture bgp-pdu max-buffer-size (Figure 140) to change the maximum buffer size.
View the captured PDUs using the command show capture bgp-pdu neighbor.
Figure 140 Viewing Captured PDUs
Force10#show capture bgp-pdu neighbor 20.20.20.2
Incoming packet capture enabled for BGP neighbor 20.20.20.2
Available buffer size 40958758, 26 packet(s) captured using 680 bytes
PDU[1] : len 101, captured 00:34:51 ago
ffffffff ffffffff ffffffff ffffffff 00650100 00000013 00000000 00000000 419ef06c 00000000
00000000 00000000 00000000 00000000 0181a1e4 0181a25c 41af92c0 00000000 00000000 00000000
00000000 00000001 0181a1e4 0181a25c 41af9400 00000000
PDU[2] : len 19, captured 00:34:51 ago
ffffffff ffffffff ffffffff ffffffff 00130400
PDU[3] : len 19, captured 00:34:51 ago
ffffffff ffffffff ffffffff ffffffff 00130400
PDU[4] : len 19, captured 00:34:22 ago
ffffffff ffffffff ffffffff ffffffff 00130400
[. . .]
Outgoing packet capture enabled for BGP neighbor 20.20.20.2
Available buffer size 40958758, 27 packet(s) captured using 562 bytes
PDU[1] : len 41, captured 00:34:52 ago
ffffffff ffffffff ffffffff ffffffff 00290104 000100b4 14141401 0c020a01 04000100 01020080 00000000
PDU[2] : len 19, captured 00:34:51 ago
ffffffff ffffffff ffffffff ffffffff 00130400
PDU[3] : len 19, captured 00:34:50 ago
ffffffff ffffffff ffffffff ffffffff 00130400
PDU[4] : len 19, captured 00:34:20 ago
ffffffff ffffffff ffffffff ffffffff 00130400
[. . .]

The buffers storing the PDUs free memory when:

- BGP is disabled
- A neighbor is unconfigured
- clear ip bgp is issued
- New PDUs are captured and there is no more space to store them
- The max buffer size is reduced. (This may cause PDUs to be cleared depending upon the buffer space
  consumed and the new limit.)
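The following Python decoder is an added example, not FTOS code, that parses the word-dumped PDUs
printed in Figure 139 (the last notification sent and the UPDATE that caused it) and Figure 140 (the
captured OPEN) using the RFC 4271 message layouts and the RFC 5492 capability encoding. The hex
strings are copied from those figures; the table of error codes, attribute types and capability codes is
from the RFCs. Run against the page's own dumps, it shows that the bad UPDATE carries AS_PATH and
NEXT_HOP but no ORIGIN, which is exactly what the NOTIFICATION's data byte 0x01 (the ORIGIN type
code) reports, and it recovers the AS number, hold time and capabilities from the captured OPEN.

```python
"""Added example, not FTOS code: decode the word-dumped BGP PDUs printed by
show ip bgp neighbors and show capture bgp-pdu neighbor (RFC 4271 layouts,
RFC 5492 capabilities). The hex strings are copied from the guide's figures."""
import struct

MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
               4: "Hold Timer Expired", 5: "FSM Error", 6: "Cease"}
UPDATE_SUBCODES = {1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
                   3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
                   5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute",
                   8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
                   10: "Invalid Network Field", 11: "Malformed AS_PATH"}
ATTR_TYPES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR", 8: "COMMUNITY"}
CAPABILITIES = {1: "MULTIPROTO_EXT", 2: "ROUTE_REFRESH", 128: "CISCO_ROUTE_REFRESH"}

# Copied from Figure 139 (notification sent, UPDATE that caused it) and Figure 140 (OPEN).
NOTIFICATION_SENT = "ffffffff ffffffff ffffffff ffffffff 00160303 03010000"
BAD_UPDATE = ("ffffffff ffffffff ffffffff ffffffff 00290200 00000e01 02040201 "
              "00024003 04141414 0218c0a8 01000000")
CAPTURED_OPEN = ("ffffffff ffffffff ffffffff ffffffff 00290104 000100b4 14141401 "
                 "0c020a01 04000100 01020080 00000000")


def from_dump(hexwords):
    """FTOS dumps whole 32-bit words and zero-pads the last one; trust the BGP
    length field and drop the padding."""
    raw = bytes.fromhex(hexwords.replace(" ", ""))
    return raw[:struct.unpack("!H", raw[16:18])[0]]


def parse_bgp(raw):
    """Parse one BGP message: the 19-byte header, then the type-specific body."""
    if len(raw) < 19 or raw[:16] != b"\xff" * 16:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", raw[16:19])
    if length != len(raw):
        raise ValueError("length field %d != %d bytes present" % (length, len(raw)))
    body, msg = raw[19:], {"type": MSG_TYPES.get(mtype, mtype), "length": length}
    if mtype == 1:
        msg.update(_parse_open(body))
    elif mtype == 2:
        msg.update(_parse_update(body))
    elif mtype == 3:
        code, sub = body[0], body[1]
        msg["error"] = ERROR_CODES.get(code, code)
        msg["subcode"] = UPDATE_SUBCODES.get(sub, sub) if code == 3 else sub
        msg["data"] = body[2:]   # for subcode 3 this is the missing attribute's type code
    return msg


def _parse_open(body):
    version, my_as, hold, rid, optlen = struct.unpack("!BHH4sB", body[:10])
    caps, pos = [], 10
    while pos < 10 + optlen:                     # optional parameters: type, len, value
        ptype, plen = body[pos], body[pos + 1]
        pval, pos = body[pos + 2:pos + 2 + plen], pos + 2 + plen
        i = 0
        while ptype == 2 and i < len(pval):      # type 2 = capabilities: code, len, value
            caps.append(CAPABILITIES.get(pval[i], pval[i]))
            i += 2 + pval[i + 1]
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "router_id": ".".join(map(str, rid)), "capabilities": caps}


def _parse_update(body):
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs_raw, nlri = body[4 + wlen:4 + wlen + alen], body[4 + wlen + alen:]
    attrs, pos = {}, 0
    while pos < len(attrs_raw):                  # attribute: flags, type, length, value
        flags, code = attrs_raw[pos], attrs_raw[pos + 1]
        if flags & 0x10:                         # extended-length bit: 2-byte length
            vlen, pos = struct.unpack("!H", attrs_raw[pos + 2:pos + 4])[0], pos + 4
        else:
            vlen, pos = attrs_raw[pos + 2], pos + 3
        attrs[ATTR_TYPES.get(code, code)] = attrs_raw[pos:pos + vlen]
        pos += vlen
    prefixes, pos = [], 0
    while pos < len(nlri):                       # NLRI: prefix length in bits, then octets
        bits = nlri[pos]
        n = (bits + 7) // 8
        octets = nlri[pos + 1:pos + 1 + n] + b"\x00" * (4 - n)
        prefixes.append("%s/%d" % (".".join(map(str, octets)), bits))
        pos += 1 + n
    return {"attributes": attrs, "nlri": prefixes}


def missing_well_known(update):
    """Well-known mandatory attributes (RFC 4271 section 5) absent from an UPDATE
    that announces prefixes; a withdraw-only UPDATE needs none."""
    if not update["nlri"]:
        return []
    return [a for a in ("ORIGIN", "AS_PATH", "NEXT_HOP") if a not in update["attributes"]]


if __name__ == "__main__":
    for name, dump in (("notification", NOTIFICATION_SENT), ("bad update", BAD_UPDATE),
                       ("captured open", CAPTURED_OPEN)):
        print(name, parse_bgp(from_dump(dump)))
    print("missing from the bad update:", missing_well_known(parse_bgp(from_dump(BAD_UPDATE))))
```

The length check in parse_bgp matters when reading these dumps: the capture pads the last word, so the
BGP length field, not the number of hex digits, decides where a message ends, and a PDU whose length
field disagrees with the bytes present is itself a Message Header Error worth investigating.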


With a full Internet feed (roughly 205K prefixes) captured, approximately 11.8 MB is required to store
all of the PDUs, as shown in Figure 141.
Figure 141 Required Memory for Captured PDUs
Force10(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.250
Incoming packet capture enabled for BGP neighbor 172.30.1.250
Available buffer size 29165743, 192991 packet(s) captured using 11794257 bytes
[. . .]
Force10(conf-router_bgp)#do sho ip bg s
BGP router identifier 172.30.1.56, local AS number 65056
BGP table version is 313511, main routing table version 313511
207896 network entrie(s) and 207896 paths using 42364576 bytes of memory
59913 BGP path attribute entrie(s) using 2875872 bytes of memory
59910 BGP AS-PATH entrie(s) using 2679698 bytes of memory
3 BGP community entrie(s) using 81 bytes of memory
Neighbor        AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
1.1.1.2         2      17       18966    0       0    0     00:08:19  Active
172.30.1.250    18508  243295   25       313511  0    0     00:12:46  207896

PDU Counters
FTOS version 7.5.1.0 introduced additional counters for the various types of PDUs sent to and received
from neighbors. These are seen in the output of the command show ip bgp neighbors.

Sample Configurations
The following configurations are examples for enabling BGP and setting up some peer groups. These are
not comprehensive directions. They are intended to give you some guidance with typical configurations.
You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to
support your own IP addresses, interfaces, names, etc.
Figure 142 is a graphic illustration of the configurations shown on the following pages. These
configurations show how to set up BGP peerings within and between autonomous systems using physical
and virtual links. They include setting up the interfaces and the peer groups with each other.


Figure 142 Sample Configuration Illustration

[Figure: network diagram. AS 99 contains R1 and R2; AS 100 contains R3. Solid lines are physical links,
dashed lines are virtual links between loopbacks.]
- R1: GigE 1/21 10.0.1.21/24, GigE 1/31 10.0.3.31/24, Loopback 1 192.168.128.1/24
- R2: GigE 2/11 10.0.1.22/24, GigE 2/31 10.0.2.2/24, Loopback 1 192.168.128.2/24
- R3: GigE 3/11 10.0.3.33/24, GigE 3/21 10.0.2.3/24, Loopback 1 192.168.128.3/24
- Peer groups: AAA (R1 and R2), BBB (R1 and R3), CCC (R2 and R3)


Figure 143 Enable BGP - Router 1


R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.1/24
no shutdown
R1(conf-if-lo-0)#int gig 1/21
R1(conf-if-gi-1/21)#ip address 10.0.1.21/24
R1(conf-if-gi-1/21)#no shutdown
R1(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
ip address 10.0.1.21/24
no shutdown
R1(conf-if-gi-1/21)#int gig 1/31
R1(conf-if-gi-1/31)#ip address 10.0.3.31/24
R1(conf-if-gi-1/31)#no shutdown
R1(conf-if-gi-1/31)#show config
!
interface GigabitEthernet 1/31
ip address 10.0.3.31/24
no shutdown
R1(conf-if-gi-1/31)#router bgp 99
R1(conf-router_bgp)#network 192.168.128.0/24
R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
R1(conf-router_bgp)#show config
!
router bgp 99
network 192.168.128.0/24
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.128.2 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R1(conf-router_bgp)#end
R1#
R1#show ip bgp summary
BGP router identifier 192.168.128.1, local AS number 99
BGP table version is 4, main routing table version 4
4 network entrie(s) using 648 bytes of memory
6 paths using 408 bytes of memory
BGP-RIB over all using 414 bytes of memory
3 BGP path attribute entrie(s) using 144 bytes of memory
2 BGP AS-PATH entrie(s) using 74 bytes of memory
2 neighbor(s) using 8672 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2   99   4        5        4       0    0     00:00:32  1
192.168.128.3   100  5        4        1       0    0     00:00:09  4
R1#


Figure 144 Enable BGP - Router 2


R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/24
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.2/24
no shutdown
R2(conf-if-lo-0)#int gig 2/11
R2(conf-if-gi-2/11)#ip address 10.0.1.22/24
R2(conf-if-gi-2/11)#no shutdown
R2(conf-if-gi-2/11)#show config
!
interface GigabitEthernet 2/11
ip address 10.0.1.22/24
no shutdown
R2(conf-if-gi-2/11)#int gig 2/31
R2(conf-if-gi-2/31)#ip address 10.0.2.2/24
R2(conf-if-gi-2/31)#no shutdown
R2(conf-if-gi-2/31)#show config
!
interface GigabitEthernet 2/31
ip address 10.0.2.2/24
no shutdown
R2(conf-if-gi-2/31)#
R2(conf-if-gi-2/31)#router bgp 99
R2(conf-router_bgp)#network 192.168.128.0/24
R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R2(conf-router_bgp)#neighbor 192.168.128.1 no shut
R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R2(conf-router_bgp)#neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#neighbor 192.168.128.3 update loop 0
R2(conf-router_bgp)#show config
!
router bgp 99
bgp router-id 192.168.128.2
network 192.168.128.0/24
bgp graceful-restart
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#show ip bgp summary
BGP router identifier 192.168.128.2, local AS number 99
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99   40       35       1       0    0     00:01:05  1
192.168.128.3   100  4        4        1       0    0     00:00:16  1
R2#


Figure 145 Enable BGP - Router 3


R3# conf
R3(conf)#
R3(conf)#int loop 0
R3(conf-if-lo-0)#ip address 192.168.128.3/24
R3(conf-if-lo-0)#no shutdown
R3(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.3/24
no shutdown
R3(conf-if-lo-0)#int gig 3/11
R3(conf-if-gi-3/11)#ip address 10.0.3.33/24
R3(conf-if-gi-3/11)#no shutdown
R3(conf-if-gi-3/11)#show config
!
interface GigabitEthernet 3/11
ip address 10.0.3.33/24
no shutdown
R3(conf-if-lo-0)#int gig 3/21
R3(conf-if-gi-3/21)#ip address 10.0.2.3/24
R3(conf-if-gi-3/21)#no shutdown
R3(conf-if-gi-3/21)#show config
!
interface GigabitEthernet 3/21
ip address 10.0.2.3/24
no shutdown
R3(conf-if-gi-3/21)#
R3(conf-if-gi-3/21)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#network 192.168.128.0/24
R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.1 no shut
R3(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
R3(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.2 no shut
R3(conf-router_bgp)#neighbor 192.168.128.2 update loop 0
R3(conf-router_bgp)#show config
!
router bgp 100
network 192.168.128.0/24
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.128.2 no shutdown
R3(conf)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99   24       25       1       0    0     00:14:20  1
192.168.128.2   99   14       14       1       0    0     00:10:22  1
R3#


Figure 146 Enable Peer Group - Router 1


R1#conf
R1(conf)#router bgp 99
R1(conf-router_bgp)# network 192.168.128.0/24
R1(conf-router_bgp)# neighbor AAA peer-group
R1(conf-router_bgp)# neighbor AAA no shutdown
R1(conf-router_bgp)# neighbor BBB peer-group
R1(conf-router_bgp)# neighbor BBB no shutdown
R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA
R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB
R1(conf-router_bgp)#
R1(conf-router_bgp)#show config
!
router bgp 99
network 192.168.128.0/24
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor BBB peer-group
neighbor BBB no shutdown
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 peer-group AAA
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.128.2 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 peer-group BBB
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R1#
R1#show ip bgp summary
BGP router identifier 192.168.128.1, local AS number 99
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 96 bytes of memory
2 BGP AS-PATH entrie(s) using 74 bytes of memory
2 neighbor(s) using 8672 bytes of memory
Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2   99   23       24       1       0    (0)   00:00:17  1
192.168.128.3   100  30       29       1       0    (0)   00:00:14  1
!
R1#show ip bgp neighbors
BGP neighbor is 192.168.128.2, remote AS 99, internal link
Member of peer-group AAA for session parameters
BGP version 4, remote router ID 192.168.128.2
BGP state ESTABLISHED, in this state for 00:00:37
Last read 00:00:36, last write 00:00:36
Hold time is 180, keepalive interval is 60 seconds
Received 23 messages, 0 in queue
2 opens, 0 notifications, 2 updates
19 keepalives, 0 route refresh requests
Sent 24 messages, 0 in queue
2 opens, 1 notifications, 2 updates
19 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010

257

Figure 147 Enable Peer Groups - Router 1 continued


Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 2; dropped 1
Last reset 00:00:57, due to user reset
Notification History
'Connection Reset' Sent : 1 Recv: 0
Last notification (len 21) sent 00:00:57 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.1, Local port: 179
Foreign host: 192.168.128.2, Foreign port: 65464
BGP neighbor is 192.168.128.3, remote AS 100, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.3
BGP state ESTABLISHED, in this state for 00:00:37
Last read 00:00:36, last write 00:00:36
Hold time is 180, keepalive interval is 60 seconds
Received 30 messages, 0 in queue
4 opens, 2 notifications, 4 updates
20 keepalives, 0 route refresh requests
Sent 29 messages, 0 in queue
4 opens, 1 notifications, 4 updates
20 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 4; dropped 3
Last reset 00:00:54, due to user reset
R1#


Figure 148 Enable Peer Groups - Router 2


R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf
!
router bgp 99
network 192.168.128.0/24
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor BBB peer-group
neighbor BBB no shutdown
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 peer-group CCC
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 peer-group BBB
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#
R2#show ip bgp summary
BGP router identifier 192.168.128.2, local AS number 99
BGP table version is 2, main routing table version 2
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99    140      136      2       0    (0)   00:11:24  1
192.168.128.3   100   138      140      2       0    (0)   00:18:31  1

R2#show ip bgp neighbor


BGP neighbor is 192.168.128.1, remote AS 99, internal link
Member of peer-group AAA for session parameters
BGP version 4, remote router ID 192.168.128.1
BGP state ESTABLISHED, in this state for 00:11:42
Last read 00:00:38, last write 00:00:38
Hold time is 180, keepalive interval is 60 seconds
Received 140 messages, 0 in queue
6 opens, 2 notifications, 19 updates
113 keepalives, 0 route refresh requests
Sent 136 messages, 0 in queue
12 opens, 3 notifications, 6 updates
115 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds


Figure 149 Enable Peer Group - Router 3


R3#conf
R3(conf)#router bgp 100
R3(conf-router_bgp)# neighbor AAA peer-group
R3(conf-router_bgp)# neighbor AAA no shutdown
R3(conf-router_bgp)# neighbor CCC peer-group
R3(conf-router_bgp)# neighbor CCC no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown
R3(conf-router_bgp)#
R3(conf-router_bgp)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99    93       99       1       0    (0)   00:00:15  1
192.168.128.2   99    122      120      1       0    (0)   00:00:11  1
R3#show ip bgp neighbor
BGP neighbor is 192.168.128.1, remote AS 99, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.1
BGP state ESTABLISHED, in this state for 00:00:21
Last read 00:00:09, last write 00:00:08
Hold time is 180, keepalive interval is 60 seconds
Received 93 messages, 0 in queue
5 opens, 0 notifications, 5 updates
83 keepalives, 0 route refresh requests
Sent 99 messages, 0 in queue
5 opens, 4 notifications, 5 updates
85 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer


Figure 150 Enable Peer Groups - Router 3 continued


Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 2, neighbor version 2
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 6; dropped 5
Last reset 00:12:01, due to Closed by neighbor
Notification History
'HOLD error/Timer expired' Sent : 1 Recv: 0
'Connection Reset' Sent : 2 Recv: 2
Last notification (len 21) received 00:12:01 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.2, Local port: 65464
Foreign host: 192.168.128.1, Foreign port: 179
BGP neighbor is 192.168.128.3, remote AS 100, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.3
BGP state ESTABLISHED, in this state for 00:18:51
Last read 00:00:45, last write 00:00:44
Hold time is 180, keepalive interval is 60 seconds
Received 138 messages, 0 in queue
7 opens, 2 notifications, 7 updates
122 keepalives, 0 route refresh requests
Sent 140 messages, 0 in queue
7 opens, 4 notifications, 7 updates
122 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 2, neighbor version 2
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer


Chapter 9

Content Addressable Memory

Content Addressable Memory is supported on platforms: C-Series, E-Series TeraScale, and S-Series.

Note: Different platforms support varying levels of CAM adjustment. Be sure to read this chapter carefully
prior to changing any CAM parameters. CAM configuration for the E-Series ExaScale is documented
separately in Chapter 10, Content Addressable Memory for ExaScale.

Content Addressable Memory on page 263
CAM Profiles on page 264
Microcode on page 266
CAM Profiling for ACLs on page 267
When to Use CAM Profiling on page 269
Differences Between EtherScale and TeraScale on page 270
Important Points to Remember on page 270
Select CAM Profiles on page 270
CAM Allocation on page 271
Test CAM Usage on page 272
View CAM Profiles on page 273
View CAM-ACL settings on page 274
Configure IPv4Flow Sub-partitions on page 276
Configure Ingress Layer 2 ACL Sub-partitions on page 278
Return to the Default CAM Configuration on page 280
CAM Optimization on page 281
Applications for CAM Profiling on page 281
Troubleshoot CAM Profiling on page 282

Content Addressable Memory


Content Addressable Memory (CAM) is a type of memory that stores information in the form of a lookup
table. On Force10 systems, the CAM stores Layer 2 and Layer 3 forwarding information, access-lists
(ACL), flows, and routing policies. On Force10 systems, there are one or two CAM (Dual-CAM) modules
per port-pipe depending on the type of line card.

The ExaScale EH and EJ series line cards are single-CAM line cards that support 10M and 40M CAM
for storing the lookup information.


The TeraScale EG-series line cards are dual-CAM and use two 18 Megabit CAM modules with a
dedicated 512 IPv4 Forwarding Information Base (FIB), and flexible CAM allocations for Layer2,
FIB, and ACLs.
Either ExaScale 10G or 40G CAM line cards can be used in a system.

CAM Profiles
Force10 systems partition each CAM module so that it can store the different types of information. The
size of each partition is specified in the CAM profile. A CAM profile is stored on every card, including
each RPM. The same profile must be on every line card and RPM in the chassis.
There is a default CAM profile and several other CAM profiles available so that you can partition the
CAM according to your performance requirements. For example, the default profile has 1K Layer 2
ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl.
Table 18 describes the available profiles. The default profile is an all-purpose profile that allocates CAM
space according to the way Force10 systems are most commonly used. In general, non-default profiles
allocate more space to particular regions to accommodate specific applications. The size of CAM
partitions is measured in entries. The total CAM space is finite, therefore adding entries to one region
necessarily decreases the number available to other regions.
Note: Not all CAM profiles and microcodes are available for all systems. Refer to the Command Line
Interface Reference Guide for details regarding available profiles for each system.
Table 18 CAM Profile Descriptions

CAM Profile - Description

Default
    An all-purpose profile that allocates CAM space according to the way Force10 systems are
    most commonly used.
    Available Microcodes: default, lag-hash-align, lag-hash-mpls

eg-default
    For EG-series line cards only. EG series line cards have two CAM modules per Port-pipe.
    Available Microcodes: default, ipv6-extacl

ipv4-320k
    Provides 320K entries for the IPv4 Forwarding Information Base (FIB) and reduces the IPv4
    Flow partition to 12K.
    Available Microcodes: default, lag-hash-mpls

ipv4-egacl-16k
    Provides 16K entries for egress ACLs.
    Available Microcodes: acl-group

ipv6-extacl
    Provides IPv6 functionality.
    Available Microcodes: ipv6-extacl

l2-ipv4-inacl
    Provides 32K entries for Layer 2 ingress ACLs and 28K entries for Layer 3 IPv4 ingress ACLs.
    Available Microcodes: default

unified-default
    Maintains the CAM allocations for the and IPv4 FIB while allocating more CAM space for the
    Ingress and Egress Layer 2 ACL, and IPv4 ACL regions.
    Available Microcodes: ipv6-extacl

ipv4-VRF
    Provides VRF functionality for IPv4.
    Available Microcodes: ipv4-vrf

ipv4-v6-VRF
    Provides VRF functionality for both IPv4 and IPv6.
    Available Microcodes: ipv4-v6-vrf

ipv4-64k-ipv6
    Provides IPv6 functionality; an alternate to ipv6-extacl that redistributes CAM space from the
    IPv4FIB to IPv4Flow and IPv6FIB.
    Available Microcodes: ipv6-extacl

The size of CAM partitions is measured in entries. Table 18 shows the number of entries available in each
partition for all CAM profiles. The total CAM space is finite, therefore adding entries to one region
necessarily decreases the number available to other regions.


Table 19 CAM entries per partition

Profile          L2FIB  L2ACL  IPv4FIB  IPv4ACL  IPv4Flow  EgL2ACL  EgIPv4ACL  Reserved  IPv6FIB  IPv6ACL  IPv6Flow  EgIPv6ACL
Default          32K    2K     256K     12K      24K       1K       1K         8K        -        -        -         -
eg-default       32K    2K     512K     12K      24K       1K       1K         8K        32K      3K       4K        1K
ipv4-320k        32K    2K     320K     12K      12K       1K       1K         4K        -        -        -         -
ipv4-egacl-16k   32K    2K     192K     8K       24K       -        16K        8K        -        -        -         -
ipv6-extacl      32K    2K     192K     12K      8K        1K       1K         2K        6K       3K       4K        2K
l2-ipv4-inacl    32K    33K    64K      27K      8K        2K       2K         2K        -        -        -         -
unified-default  32K    3K     192K     9K       8K        2K       2K         2K        6K       2K       4K        2K
IPv4-VRF         32K    3K     160K     2K       12K       1K       12K        2K        -        -        -         -
IPv4-v6-VRF      32K    3K     64K      1K       12K       1K       11K        2K        18K      4K       3K        1K
ipv4-64k-ipv6    32K    2K     64K      12K      24K       1K       1K         8K        16K      3K       4K        1K

Microcode
Microcode is a compiled set of instructions for a CPU. On Force10 systems, the microcode controls how
packets are handled.
There is a default microcode, and several other microcodes are available, so that you can adjust packet
handling according to your application. Specifying a microcode is mandatory when selecting a CAM
profile (though you are not required to change it).
Note: Not all CAM profiles and microcodes are available for all systems. Refer to the Command Line
Interface Reference Guide for details regarding available profiles for each system.
Table 20 Microcode Descriptions

Microcode - Description

default
    Distributes CAM space for a typical deployment.

lag-hash-align
    For applications that require the same hashing for bi-directional traffic (for example, VoIP
    call or P2P file sharing). For port-channels, this microcode maps both directions of a
    bi-directional flow to the same output link.

lag-hash-mpls
    For hashing based on MPLS labels (up to five labels deep). With the default microcode,
    MPLS packets are distributed over a port-channel based on the MAC source and
    destination address. With the lag-hash-mpls microcode, MPLS packets are distributed
    across the port-channel based on IP source and destination address and IP protocol. This
    is applicable for MPLS packets with up to five labels. When the IP header is not available
    after the 5th label, hashing for default load-balance is based on MPLS labels. For packets
    with more than 5 labels, hashing is always based on the MAC source and destination
    address.

ipv6-extacl
    Use this microcode when IPv6 is enabled.

acl-group
    For applications that need 16k egress IPv4 ACLs (for example, the VLAN ACL Group
    feature, which permits group VLANs for IP egress ACLs).

ipv4-vrf
    Apply to IPv4 VRF CAM profile.

ipv4-v6-vrf
    Enable IPv4 and IPv6 CAM profiles for VRF.

CAM Profiling for ACLs


CAM Profiling for ACLs is supported on platform E-Series TeraScale only.

Refer to Chapter 10, Content Addressable Memory for ExaScale for E-Series ExaScale ex CAM
descriptions.
The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2
ingress ACLs, select the profile l2-ipv4-inacl.
When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS
rules might consume more than one CAM entry depending on complexity. For example, TCP and UDP
rules with port range options might require more than one CAM entry.
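The "more than one CAM entry" point above is worth seeing in numbers, because it is how ACL changes silently exhaust a partition. A ternary CAM matches a value under a bit mask, so a port range has to be expanded into aligned power-of-two blocks, one entry each. The following added example (not FTOS code, and not a description of how FTOS internally encodes rules) implements that expansion and uses it to estimate how many entries a rule set needs against a partition size; the `AclRule` model and the assumption that source and destination ranges multiply are the example's own:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_BITS = 16
PORT_MAX = (1 << PORT_BITS) - 1


def range_to_prefixes(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Split the inclusive port range [lo, hi] into the minimal list of
    (value, mask) prefix entries, the form a ternary CAM matches directly.
    Each entry covers a power-of-two block aligned to its own size."""
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError("port range out of bounds")
    entries: List[Tuple[int, int]] = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned at lo and inside the range.
        while (size < (1 << PORT_BITS)
               and lo % (size * 2) == 0
               and lo + size * 2 - 1 <= hi):
            size *= 2
        entries.append((lo, PORT_MAX & ~(size - 1)))
        lo += size
    return entries


def matches(entries: List[Tuple[int, int]], port: int) -> int:
    """Number of prefix entries matching a port: 1 inside the range, 0 outside."""
    return sum(1 for value, mask in entries if (port & mask) == value)


@dataclass
class AclRule:
    """One ACL rule as far as CAM sizing is concerned (constructed model, not FTOS syntax)."""
    proto: str                                   # "tcp", "udp", "ip", ...
    src_ports: Optional[Tuple[int, int]] = None  # None means any port
    dst_ports: Optional[Tuple[int, int]] = None


def entries_for_rule(rule: AclRule) -> int:
    """A rule costs the product of its source and destination range expansions
    (assumption of this example: a rule with two ranges needs every combination)."""
    cost = 1
    if rule.proto in ("tcp", "udp"):
        for port_range in (rule.src_ports, rule.dst_ports):
            if port_range is not None:
                cost *= len(range_to_prefixes(*port_range))
    return cost


def cam_budget(rules: List[AclRule], partition_entries: int) -> Tuple[int, bool]:
    """Total entries the rule set needs and whether it fits the partition."""
    needed = sum(entries_for_rule(r) for r in rules)
    return needed, needed <= partition_entries


if __name__ == "__main__":
    # Constructed rule set: a typical "ephemeral ports to web" permit costs 6 entries, not 1.
    rules = [AclRule("tcp", src_ports=(1024, 65535), dst_ports=(80, 80))] * 200
    print(cam_budget(rules, 1024))   # (1200, False): 200 rules do not fit a 1K partition
```

The single range 1024-65535 alone expands to six entries, and 1-1023 to ten, so a rule with both a source and a destination range can cost sixty entries; that is the arithmetic to run before relying on the 1K default Layer 2 ingress ACL partition.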
The Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 21 lists the
sub-partition and the percentage of the Layer 2 ACL CAM partition that FTOS allocates to each by default.
Table 21 Layer 2 ACL CAM Sub-partition Sizes

Partition   % Allocated
Sysflow     -
L2ACL       14
*PVST       50
QoS         12
L2PT        13
FRRP        5

You can re-configure the amount of space, in percentage, allocated to each sub-partition. As with the
IPv4Flow partition, you can configure the Layer 2 ACL partition from EXEC Privilege mode or
CONFIGURATION mode.
The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that
the selected CAM profile allocates to the Layer 2 ACL partition. FTOS requires that you specify the
amount of CAM space for all sub-partitions and that the sum of all sub-partitions is 100%. FTOS displays
the following message if the total allocated space is not correct:
% Error: Sum of all regions does not total to 100%.

Boot Behavior
The profile and microcode loaded on the primary RPM determines the profile and microcode that is
required on all other chassis components and is called the chassis profile. A profile mismatch condition
exists if either the CAM profile or the microcode does not match. The following points describe line
card boot behavior when the line card profile does not match the chassis profile.

A microcode mismatch constitutes a profile mismatch.
When the line card profile and chassis profile are of the same type (single-CAM or dual-CAM), but
their CAM profiles do not match, the line card must load a new profile and therefore takes longer to
come online.
If you insert a single-CAM line card into a chassis with a dual-CAM profile, the system displays
Message 5. The line card boots with the default (single-CAM) profile and remains in a problem state
(Figure 151). The line card cannot forward traffic in a problem state.
If you insert a dual-CAM line card into a chassis with a single-CAM profile, the line card boots with a
matching profile, but operates with a lower capability.

Message 5 EF Line Card with EG Chassis Profile Error


# Before reload:
01:09:56: %RPM0-P:CP %CHMGR-4-EG_PROFILE_WARN: If EG CAM profile is selected, non-EG cards
will be in problem state after reload
# After reload:
00:04:46: %RPM0-P:CP %CHMGR-3-PROFILE_MISMATCH: Mismatch: line card 1 has mismatch CAM
profile or microcode


Message 6 EH Line Card with EG Chassis Profile Error


# Before reload:
01:09:56: %RPM0-P:CP %CHMGR-4-EH_PROFILE_WARN: If EH CAM profile is selected, non-EJ cards
will be in problem state after reload
# After reload:
00:04:46: %RPM0-P:CP %CHMGR-3-PROFILE_MISMATCH: Mismatch: line card 1 has mismatch CAM
profile or microcode

Figure 151 EF Line Card with EG Chassis Profile Card Problem

R1#show linecard 1 brief
-- Line card 1 --
Status        : -card problem - mismatch cam profile
Next Boot     : online
Required Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF)
Current Type  : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF)
Hardware Rev  : Base - 1.1 PP0 - 1.1 PP1 - 1.1
Num Ports     : 48
Up Time       : 0 sec
FTOS Version  : 7.6.1.0
Jumbo Capable : yes

Figure 152 EH Line Card with EG Chassis Profile Card Problem

R1#show linecard 1 brief
-- Line card 1 --
Status        : -card problem - mismatch cam profile
Next Boot     : online
Required Type : E90MH - 90-port 10/100/1000Base-T line card with mini RJ-21 interfaces (EH)
Current Type  : E90MH - 90-port 10/100/1000Base-T line card with mini RJ-21 interfaces (EH)
Hardware Rev  : Base - 0.3 PP0 - 1.1 PP0 - PP1
Num Ports     : 90
Up Time       : 0 sec
FTOS Version  : 8.1.1.0
Jumbo Capable : yes

When to Use CAM Profiling


The CAM profiling feature enables you to partition the CAM to best suit your application. For example:

Configure more Layer 2 FIB entries when the system is deployed as a switch.
Configure more Layer 3 FIB entries when the system is deployed as a router.
Configure more ACLs (when IPv6 is not employed).
Hash MPLS packets based on source and destination IP addresses for LAGs. See LAG Hashing on
page 281.
Hash based on bidirectional flow for LAGs. See LAG Hashing based on Bidirectional Flow on
page 282.
Optimize the VLAN ACL Group feature, which permits group VLANs for IP egress ACLs. See CAM
profile for the VLAN ACL group feature on page 282.

Important Points to Remember

CAM Profiling is available on the E-Series TeraScale with FTOS versions 6.3.1.1 and later. Refer to
Chapter 10, Content Addressable Memory for ExaScale for E-Series ExaScale CAM descriptions.
All line cards within a single system must have the same CAM profile; this profile must match the
system CAM profile (the profile on the primary RPM).
FTOS automatically reconfigures the CAM profile on line cards and the secondary RPM to
match the system CAM profile by saving the correct profile on the card and then rebooting it.
The CAM configuration is applied to the entire system when you use CONFIGURATION mode
commands. You must save the running-configuration to effect the change.
All CAM configuration commands require you to reboot the system.
When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and
QoS rules might consume more than one CAM entry depending on complexity. For example, TCP and
UDP rules with port range options might require more than one CAM entry. See Pre-calculating
Available QoS CAM Space on page 824.
After you install a secondary RPM, copy the running-configuration to the startup-configuration so that
the new RPM has the correct CAM profile.

Differences Between EtherScale and TeraScale

Only one CAM profile and microcode is available on EtherScale systems.


Only EtherScale systems can sub-partition the IPv4ACL partition.
Both EtherScale and TeraScale systems can sub-partition the IPv4Flow CAM partition.

Select CAM Profiles


A CAM profile is selected in CONFIGURATION mode. The CAM profile is applied to the entire system;
however, you must save the running-configuration to effect the change.
All components in the chassis must have the same CAM profile and microcode. The profile and microcode
loaded on the primary RPM determines the profile that is required on all other chassis components.

If a newly installed line card has a profile different from the primary RPM, the card reboots so that it
can load the proper profile.
If the standby RPM has a profile different from the primary RPM, the card reboots so that it can load
the proper profile.

To change the CAM profile on the entire system:


Step  Task                                            Command Syntax                           Command Mode
1     Select a CAM profile.                           cam-profile profile microcode microcode  CONFIGURATION
      Note: If selecting a cam-profile for VRF (cam-profile ipv4-vrf or ipv4-v6-vrf), implement the
      command in the CONFIGURATION mode only. If you use EXEC Privilege mode, the linecards may
      go into an error state.
2     Save the running-configuration.                 copy running-config startup-config       EXEC Privilege
3     Verify that the new CAM profile will be         show cam-profile summary                 EXEC Privilege
      written to the CAM on the next boot.
4     Reload the system.                              reload                                   EXEC Privilege

CAM Allocation
User Configurable CAM Allocations is available on platforms: C-Series and S-Series.

Allocate space for IPv4 ACLs and QoS regions, and IPv6 ACLs and QoS regions on the C-Series and
S-Series by using the cam-acl command in CONFIGURATION mode.
The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. The default
CAM Allocation settings on a C-Series system are:

L3 ACL (ipv4acl): 5
L2 ACL(l2acl) : 6
IPv6 L3 ACL (ipv6acl): 0
L3 QoS (ipv4qos): 1
L2 QoS (l2qos): 1
L2PT (l2pt): 0
MAC ACLs (ipmacacl): 0
ECFMACL (ecfmacl): 0
VMAN QoS (vman-qos): 0
VMAN Dual QoS (vman-dual-qos): 0
Note: The ipmacacl region was introduced for Secure DHCP. These ACLs are not created through the CLI,
but rather are system generated from the DHCP snooping table. Whenever a new DHCP client is
assigned an IP, and ip dhcp snooping source-address-validation ipmac is configured on the interface
connected to the client, a single ACL is installed on the interface to permit (only) the source IP and source
MAC pair.


The ipv6acl and vman-dual-qos allocations must be entered as even numbers (2, 4, 6, 8, 10). All other
profile allocations can use either even or odd numbers.
You must save the new CAM settings to the startup-config (write-mem or copy run start) then reload the
system for the new settings to take effect.
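Because a wrong allocation is only discovered after the reload it requires, it pays to check a planned cam-acl line before saving it. The following added example (it is not FTOS code and does not reproduce FTOS's own error messages) parses a cam-acl command into a region map and checks the two rules the text gives: the regions must total 13 FP blocks, and ipv6acl and vman-dual-qos must be even. It treats vman-qos and vman-dual-qos as alternatives, as the command syntax lists them; the region names and the C-Series defaults are the ones listed above, and the sample allocations in the `__main__` block are constructed:

```python
from typing import Dict, List

FP_BLOCKS_TOTAL = 13                          # all regions must add up to 13 FP blocks
EVEN_ONLY = ("ipv6acl", "vman-dual-qos")      # must be allocated in multiples of 2
REGIONS = ["l2acl", "ipv4acl", "ipv6acl", "ipv4qos", "l2qos", "l2pt",
           "ipmacacl", "ecfmacl", "vman-qos", "vman-dual-qos"]

# C-Series defaults as listed in the text (6 + 5 + 1 + 1 = 13 blocks).
C_SERIES_DEFAULT: Dict[str, int] = {
    "l2acl": 6, "ipv4acl": 5, "ipv6acl": 0, "ipv4qos": 1, "l2qos": 1,
    "l2pt": 0, "ipmacacl": 0, "ecfmacl": 0, "vman-qos": 0, "vman-dual-qos": 0,
}


def parse_cam_acl(line: str) -> Dict[str, int]:
    """Parse 'cam-acl l2acl 6 ipv4acl 5 ...' into a region -> FP-block map.
    Regions left out of the command count as 0 blocks."""
    tokens = line.split()
    if not tokens or tokens[0] != "cam-acl":
        raise ValueError("not a cam-acl command")
    alloc = {region: 0 for region in REGIONS}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key not in REGIONS or i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
            raise ValueError(f"bad region or block count near {key!r}")
        alloc[key] = int(tokens[i + 1])
        i += 2
    return alloc


def validate_cam_acl(alloc: Dict[str, int]) -> List[str]:
    """Return the budget violations; an empty list means the allocation is acceptable."""
    problems: List[str] = []
    if alloc.get("vman-qos", 0) and alloc.get("vman-dual-qos", 0):
        problems.append("vman-qos and vman-dual-qos are alternatives; allocate only one of them")
    for region in EVEN_ONLY:
        if alloc.get(region, 0) % 2:
            problems.append(f"{region} must be an even number of FP blocks (got {alloc[region]})")
    total = sum(alloc.values())
    if total != FP_BLOCKS_TOTAL:
        problems.append(f"regions total {total} FP blocks, must total {FP_BLOCKS_TOTAL}")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the second one sums to 13 but gives ipv6acl an odd count.
    for cmd in ("cam-acl l2acl 2 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 2 l2pt 1 ipmacacl 2 vman-qos 0",
                "cam-acl l2acl 4 ipv4acl 4 ipv6acl 3 ipv4qos 1 l2qos 1"):
        print(cmd, "->", validate_cam_acl(parse_cam_acl(cmd)) or "ok")
```

Running the check on the allocation shown later in Figure 156 (2, 2, 2, 2, 2, 1, 2, 0) confirms it totals 13 with an even ipv6acl, which is why that chassis came up cleanly.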
To configure the IPv4 and IPv6 ACLs and Qos regions on the entire system:
Step  Task                                              Command Syntax                                  Command Mode
1     Select a cam-acl action                           cam-acl [default | l2acl]                       CONFIGURATION
      Note: Selecting default resets the CAM entries to the default settings. Select l2acl to allocate
      space for the ACLs, and QoS regions.
2     Enter the number of FP blocks for each region.    l2acl number ipv4acl number ipv6acl number       EXEC Privilege
                                                        ipv4qos number l2qos number l2pt number
                                                        ipmacacl number ecfmacl number
                                                        [vman-qos | vman-dual-qos] number
3     Verify that the new settings will be written      show cam-acl                                    EXEC Privilege
      to the CAM on the next boot.
4     Reload the system.                                reload                                          EXEC Privilege

Test CAM Usage


The test cam-usage command is supported on platforms C-Series, E-Series, and S-Series.

This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS
optimization for IPv6 ACLs.


Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy.
Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege
mode to verify the actual CAM space required. Figure 153 gives a sample of the output shown when
executing the command. The status column indicates whether or not the policy can be enabled.
Figure 153 Command Example: test cam-usage (C-Series)
Force10#test cam-usage service-policy input TestPolicy linecard all
Linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
-----------------------------------------------------------------------------------------
2        | 1        | IPv4Flow      | 232           | 0                      | Allowed
2        | 1        | IPv6Flow      | 0             | 0                      | Allowed
4        | 0        | IPv4Flow      | 232           | 0                      | Allowed
4        | 0        | IPv6Flow      | 0             | 0                      | Allowed
Force10#

View CAM Profiles


View the current CAM profile for the chassis and each component using the command show cam-profile,
as shown in Figure 154. This command also shows the profile that will be loaded upon the next chassis or
component reload.
Figure 154 Viewing CAM Profiles on E-Series TeraScale
Force10#show cam-profile
-- Chassis CAM Profile --
                   CamSize          : 18-Meg
                   Current Settings               Next Boot
Profile Name     : Default                      : Default
L2FIB            : 32K entries                  : 32K entries
L2ACL            : 1K entries                   : 1K entries
IPv4FIB          : 256K entries                 : 256K entries
IPv4ACL          : 12K entries                  : 12K entries
IPv4Flow         : 24K entries                  : 24K entries
EgL2ACL          : 1K entries                   : 1K entries
EgIPv4ACL        : 1K entries                   : 1K entries
Reserved         : 8K entries                   : 8K entries
FIB              : 0 entries                    : 0 entries
ACL              : 0 entries                    : 0 entries
Flow             : 0 entries                    : 0 entries
EgACL            : 0 entries                    : 0 entries
MicroCode Name   : Default                      : Default
--More--

View a brief output of the command show cam-profile using the summary option.


The command show running-config cam-profile shows the current profile and microcode (Figure 155).
Note: If you select the CAM profile from CONFIGURATION mode, the output of this command does not
reflect any changes until you save the running-configuration and reload the chassis.

Figure 155 Viewing CAM Profile Information in the Running-configuration


Force10#show running-config cam-profile
!
cam-profile default microcode default
Force10#

View CAM-ACL settings


View the current cam-acl settings for the C-Series and S-Series systems chassis and each component using
the command show cam-acl, as shown in Figure 156.


Figure 156 View CAM-ACL settings on C-Series and S-Series

Force10# show cam-acl
-- Chassis Cam ACL --
              Current Settings(in block sizes)
L2Acl       : 2
Ipv4Acl     : 2
Ipv6Acl     : 2
Ipv4Qos     : 2
L2Qos       : 2
L2PT        : 1
IpMacAcl    : 2
VmanQos     : 0
VmanDualQos : 0
-- Line card 0 --
              Current Settings(in block sizes)
L2Acl       : 2
Ipv4Acl     : 2
Ipv6Acl     : 2
Ipv4Qos     : 2
L2Qos       : 2
L2PT        : 1
IpMacAcl    : 2
VmanQos     : 0
VmanDualQos : 0
-- Line card 6 --
              Current Settings(in block sizes)
L2Acl       : 2
Ipv4Acl     : 2
Ipv6Acl     : 2
Ipv4Qos     : 2
L2Qos       : 2
L2PT        : 1
IpMacAcl    : 2
VmanQos     : 0
VmanDualQos : 0

View CAM Usage


View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and
Layer 2 ACL sub-partitions) using the command show cam-usage from EXEC Privilege mode, as shown
in Figure 157.


Figure 157 Viewing CAM Usage Information


R1#show cam-usage
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|==============
   1    |   0    | IN-L2 ACL       |        1008 |         320 |          688
        |        | IN-L2 FIB       |       32768 |        1132 |        31636
        |        | IN-L3 ACL       |       12288 |           2 |        12286
        |        | IN-L3 FIB       |      262141 |          14 |       262127
        |        | IN-L3-SysFlow   |        2878 |          45 |         2833
        |        | IN-L3-TrcList   |        1024 |           0 |         1024
        |        | IN-L3-McastFib  |        9215 |           0 |         9215
        |        | IN-L3-Qos       |        8192 |           0 |         8192
        |        | IN-L3-PBR       |        1024 |           0 |         1024
        |        | IN-V6 ACL       |           0 |           0 |            0
        |        | IN-V6 FIB       |           0 |           0 |            0
        |        | IN-V6-SysFlow   |           0 |           0 |            0
        |        | IN-V6-McastFib  |           0 |           0 |            0
        |        | OUT-L2 ACL      |        1024 |           0 |         1024
        |        | OUT-L3 ACL      |        1024 |           0 |         1024
        |        | OUT-V6 ACL      |           0 |           0 |            0
   1    |   1    | IN-L2 ACL       |         320 |           0 |          320
        |        | IN-L2 FIB       |       32768 |        1136 |        31632
        |        | IN-L3 ACL       |       12288 |           2 |        12286
        |        | IN-L3 FIB       |      262141 |          14 |       262127
        |        | IN-L3-SysFlow   |        2878 |          44 |         2834
--More--

Configure IPv4Flow Sub-partitions


IPv4Flow sub-partitions are supported on platform

The IPv4Flow CAM partition has sub-partitions for several types of information. Table 22 lists the types of
information stored in this partition and the number of entries that FTOS allocates to each type.

Table 22 IPv4Flow CAM Sub-partition Sizes

Partition           Space Allocated   Space Allocated   Space Allocated
                    (EtherScale)      (TeraScale)       (ExaScale)
ACL                 8K                -                 -
Multicast FIB/ACL   9K                3K                3K
PBR                 1K                1K                1K
QoS                 8K                2K                2K
System Flow         5K                5K                5K
Trace Lists         -                 1K                1K

You can re-configure the amount of space allocated for each type of entry. FTOS requires that you specify
an amount of CAM space for all types and in the order shown in Table 22.

276

Content Addressable Memory

The IPv4Flow configuration is applied to the entire system when you enter the command cam-ipv4flow
from CONFIGURATION mode; however, you must save the running-configuration for the change to take
effect.

The amount of space that is allocated among the sub-partitions must be equal to the amount of CAM space
allocated to IPv4Flow by the selected CAM profile (see Table 18); Message 7 is displayed if the total
allocated space is not correct.

Message 7 IPv4Flow Configuration Error
% Error: Total size must add up to match IPv4flow size of 24K required by the configured
profile.

The minimum amount of space that can be allocated to any sub-partition is 1K, except for System Flow, for
which the minimum is 4K.

To re-allocate CAM space within the IPv4Flow partition on the entire system:

Step 1: Re-allocate CAM space within the IPv4Flow partition.
        Command Syntax: cam-ipv4flow
        Command Mode: CONFIGURATION
Step 2: Save the running-configuration.
        Command Syntax: copy running-config startup-config
        Command Mode: EXEC Privilege
Step 3: Verify that the new CAM configuration will be written to the CAM on the next boot.
        Command Syntax: show cam-ipv4flow
        Command Mode: EXEC Privilege
Step 4: Reload the system.
        Command Syntax: reload
        Command Mode: EXEC Privilege

Figure 158 Configuring IPv4Flow on the Entire System

Force10(conf)#cam-ipv4flow default
Force10#copy running-config startup-config
File with same name already exist.
Proceed to copy the file [confirm yes/no]: yes
!
3914 bytes successfully copied
Force10#sh cam-ipv4flow
-- Chassis Cam Ipv4Flow --
                    Current Settings    Next Boot
Multicast Fib/Acl : 8K                  9K
Pbr               : 2K                  1K
Qos               : 7K                  8K
System Flow       : 6K                  5K
Trace Lists       : 1K                  1K

-- Line card 0 --
                    Current Settings    Next Boot
Multicast Fib/Acl : 8K                  9K
Pbr               : 2K                  1K
Qos               : 7K                  8K
System Flow       : 6K                  5K
Trace Lists       : 1K                  1K

-- Line card 1 --
                    Current Settings    Next Boot
Multicast Fib/Acl : 8K                  9K
Pbr               : 2K                  1K
Qos               : 7K                  8K
System Flow       : 6K                  5K
Trace Lists       : 1K                  1K

Configure Ingress Layer 2 ACL Sub-partitions

IPv4Flow sub-partitions are supported on platform

The Ingress Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 23 lists
the sub-partitions and the percentage of the Ingress Layer 2 ACL CAM partition that FTOS allocates to
each by default.

Table 23 Layer 2 ACL CAM Sub-partition Sizes

Partition | % Allocated
----------|------------
Sysflow   | 6
L2ACL     | 14
*PVST     | 50
QoS       | 12
L2PT      | 13
FRRP      | 5

You can re-configure the amount of space, in percent, allocated to each sub-partition.

Apply the Ingress Layer 2 ACL configuration to the entire system by entering the command cam-l2acl
from CONFIGURATION mode; however, you must save the running-configuration for the change to take
effect.

The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that
the selected CAM profile allocates to the Ingress Layer 2 ACL partition (see Table 18). FTOS requires that
you specify the amount of CAM space for all sub-partitions and that the sum of all sub-partitions is 100%.
FTOS displays Message 8 if the total allocated space is not correct.

Message 8 Layer 2 ACL Configuration Error
% Error: Sum of all regions does not total to 100%.

Note: You must allocate at least (<number of VLANs> * <number of switching ports per port-pipe>)
entries when employing PVST+. For example, the default CAM profile allocates 1000 entries to
the Ingress Layer 2 ACL CAM region, and a 48-port line card has two port-pipes with 24 ports each. If
you have 5 VLANs, then you must allocate at least 120 (5*24) entries to the PVST Ingress Layer 2 ACL
CAM region, which is 12% of the total 1000 available entries.
To re-allocate CAM space within the Ingress Layer 2 ACL partition on the entire system (Figure 159):

Step 1: Re-allocate CAM space within the Ingress Layer 2 ACL partition.
        Command Syntax: cam-l2acl
        Command Mode: CONFIGURATION
Step 2: Save the running-configuration.
        Command Syntax: copy running-config startup-config
        Command Mode: EXEC Privilege
Step 3: Verify that FTOS will write the new CAM configuration to the CAM on the next boot.
        Command Syntax: show cam-l2acl
        Command Mode: EXEC Privilege
Step 4: Reload the system.
        Command Syntax: reload
        Command Mode: EXEC Privilege

Figure 159 Configuring Ingress Layer 2 ACL on the Entire System

Force10(conf)#do show cam-l2acl | find Line card 1
-- Line card 1 --
          Current Settings(in percent)
Sysflow : 6
L2Acl   : 14
Pvst    : 50
Qos     : 12
L2pt    : 13
Frrp    : 5
[output omitted]
Force10(conf)#cam-l2acl system-flow 100 l2acl 0 p 0 q 0 l 0 f 0
Force10(conf)#do show cam-l2acl | find Line card 1
-- Line card 1 --
          Current Settings(in percent)
Sysflow : 6
L2Acl   : 14
Pvst    : 50
Qos     : 12
L2pt    : 13
Frrp    : 5
[output omitted]
Force10(conf)#do copy run start
File with same name already exist.
Proceed to copy the file [confirm yes/no]: yes
!
8676 bytes successfully copied
02:00:49: %RPM0-P:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by
default
Force10(conf)#do show cam-l2acl | find Line card 1
-- Line card 1 --
          Current Settings(in percent)    Next Boot(in percent)
Sysflow : 6                               100
L2Acl   : 14                              5
Pvst    : 50                              5
Qos     : 12                              5
L2pt    : 13                              5
Frrp    : 5                               5
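FTOS only validates the two allocations above at the moment you type the command (Message 7 and Message 8), and the real cost of a bad allocation is an ACL, PVST or QoS region that cannot hold its entries. The following Python module, an added example rather than FTOS code, reproduces those checks offline so that a planned cam-ipv4flow or cam-l2acl change can be reviewed before the maintenance window: the sub-partition total must equal the profile's IPv4Flow size, every sub-partition meets its minimum (1K, or 4K for System Flow), the Layer 2 ACL percentages sum to 100, and the PVST share covers the VLANs times ports-per-port-pipe requirement from the note above. The sub-partition keyword spellings other than multicast-fib and system-flow, the TeraScale sub-partition set taken from Figure 158, and the 24K profile size from Message 7 are assumptions.

```python
"""Offline checks mirroring FTOS's validation of cam-ipv4flow and cam-l2acl allocations.

Added example for this guide; not FTOS code. Sub-partition names follow Figure 158
and Figure 159; the keyword spellings (other than multicast-fib and system-flow,
which appear in Figure 160) are assumed. Sizes are in K entries and percentages are
whole numbers, as in those figures.
"""
import math
from typing import Dict, List

# Minimum size per IPv4Flow sub-partition (TeraScale set from Figure 158): 1K for
# every sub-partition except System Flow, whose minimum is 4K.
IPV4FLOW_MIN_K: Dict[str, int] = {
    "multicast-fib": 1,
    "pbr": 1,
    "qos": 1,
    "system-flow": 4,
    "trace-lists": 1,
}

# Ingress Layer 2 ACL sub-partitions, in the order Figure 159 lists them.
L2ACL_REGIONS = ("system-flow", "l2acl", "pvst", "qos", "l2pt", "frrp")


def check_ipv4flow(alloc_k: Dict[str, int], profile_ipv4flow_k: int = 24) -> List[str]:
    """Return the problems FTOS would report for a cam-ipv4flow allocation.
    An empty list means the allocation is acceptable. profile_ipv4flow_k is the
    IPv4Flow size of the active CAM profile (24K in Message 7)."""
    problems: List[str] = []
    missing = [name for name in IPV4FLOW_MIN_K if name not in alloc_k]
    if missing:
        problems.append("all sub-partitions must be given; missing: " + ", ".join(missing))
    for name, size_k in alloc_k.items():
        minimum = IPV4FLOW_MIN_K.get(name)
        if minimum is None:
            problems.append(f"unknown sub-partition '{name}'")
        elif size_k < minimum:
            problems.append(f"{name} is {size_k}K, minimum is {minimum}K")
    total = sum(alloc_k.values())
    if total != profile_ipv4flow_k:
        problems.append(
            f"Total size must add up to match IPv4flow size of {profile_ipv4flow_k}K "
            f"required by the configured profile (got {total}K)"
        )
    return problems


def pvst_min_percent(vlans: int, ports_per_portpipe: int, l2acl_entries: int) -> int:
    """Smallest whole percentage of the Ingress Layer 2 ACL partition that holds
    (VLANs * switching ports per port-pipe) PVST entries, per the note above."""
    needed = vlans * ports_per_portpipe
    return math.ceil(100 * needed / l2acl_entries)


def check_l2acl(percent: Dict[str, int], vlans: int = 0,
                ports_per_portpipe: int = 0, l2acl_entries: int = 1000) -> List[str]:
    """Return the problems for a cam-l2acl allocation given in percent. When vlans
    and ports_per_portpipe are supplied, the PVST share is also checked against
    the PVST+ minimum."""
    problems: List[str] = []
    missing = [name for name in L2ACL_REGIONS if name not in percent]
    if missing:
        problems.append("all regions must be given; missing: " + ", ".join(missing))
    unknown = [name for name in percent if name not in L2ACL_REGIONS]
    if unknown:
        problems.append("unknown regions: " + ", ".join(unknown))
    if sum(percent.values()) != 100:
        problems.append("Sum of all regions does not total to 100%")
    if vlans and ports_per_portpipe:
        need = pvst_min_percent(vlans, ports_per_portpipe, l2acl_entries)
        if percent.get("pvst", 0) < need:
            problems.append(f"pvst is {percent.get('pvst', 0)}%, PVST+ with {vlans} VLANs "
                            f"needs at least {need}%")
    return problems
```

Note that the cam-l2acl line in Figure 159 (100% to system-flow, 0% elsewhere) passes the percentage check but fails the PVST+ check for any VLAN count, which is exactly the kind of allocation this pre-check is meant to catch.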

Return to the Default CAM Configuration


Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the
keyword default from EXEC Privilege mode or from CONFIGURATION mode, as shown in Figure 160.


Figure 160 Returning to the default Configuration

Force10(conf)#cam-profile ?
default          Enable default CAM profile
eg-default       Enable eg-default CAM profile
ipv4-320k        Enable 320K CAM profile
ipv4-egacl-16k   Enable CAM profile with 16K IPv4 egress ACL
ipv6-extacl      Enable CAM profile with extended ACL
l2-ipv4-inacl    Enable CAM profile with 32K L2 and 28K IPv4 ingress ACL
unified-default  Enable default unified CAM profile
Force10(conf)#cam-profile default microcode ?
default          Enable default microcode
lag-hash-align   Enable microcode with LAG hash align
lag-hash-mpls    Enable microcode with LAG hash MPLS
Force10(conf)#cam-profile default microcode default
Force10(conf)#cam-ipv4flow ?
default          Reset IPv4flow CAM entries to default setting
multicast-fib    Set multicast FIB entries
Force10(conf)#cam-l2acl ?
default          Reset L2-ACL CAM entries to default setting
system-flow      Set system flow entries

CAM Optimization

CAM optimization is supported on platforms C-Series and S-Series.

When CAM optimization is enabled and a policy map containing classification rules (ACL and/or DSCP/
IP-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single
copy of the policy is written to the CAM (only one FP entry is used). When it is disabled, the system
behaves as described in this chapter.

Applications for CAM Profiling


LAG Hashing
FTOS includes a CAM profile and microcode that treats MPLS packets as non-IP packets. Normally,
switching and LAG hashing is based on source and destination MAC addresses. Alternatively, you can
base LAG hashing for MPLS packets on source and destination IP addresses. This type of hashing is
allowed for MPLS packets with 5 labels or less.
MPLS packets are treated as follows:

When MPLS IP packets are received, FTOS looks up to 5 labels deep for the IP header.
When an IP header is present, hashing is based on IP 3 tuple (source IP address, destination IP address,
and IP protocol).
If an IP header is not found after the 5th label, hashing is based on the MPLS labels.

FTOS version 8.3.2.0 Configuration Guide Publication Date: July 9, 2010

281

If the packet has more than 5 MPLS labels, hashing is based on the source and destination MAC
address.

To enable this type of hashing, use the default CAM profile with the microcode lag-hash-mpls.

LAG Hashing based on Bidirectional Flow


To hash LAG packets such that both directions of a bidirectional flow (for example, VoIP or P2P file
sharing) are mapped to the same output link in the LAG bundle, use the default CAM profile with the
microcode lag-hash-align.

CAM profile for the VLAN ACL group feature


IPv4Flow sub-partitions are supported on platform

et only.

To optimize for the VLAN ACL Group feature, which permits group VLANs for the IP egress ACL, use
the CAM profile ipv4-egacl-16k with the default microcode.
Note: Do not use this CAM profile for Layer 2 egress ACLs.

Troubleshoot CAM Profiling

CAM Profile Mismatches

The CAM profile on all cards must match the system profile. In most cases, the system corrects
mismatches by copying the correct profile to the card and rebooting the card. If three resets do not bring
up the card, or if the system is running an FTOS version prior to 6.3.1.1, the system presents an error
message. In this case, manually adjust the CAM configuration on the card to match the system
configuration.

Force10 recommends the following to prevent mismatches:

- Use the eg-default CAM profile in a chassis that has only EG Series line cards. If this profile is used in
  a chassis with non-EG line cards, the non-EG line cards enter a problem state.
- Before moving a card to a new chassis, change the CAM profile on the card to match the new system
  profile.
- After installing a secondary RPM into a chassis, copy the running-configuration to the
  startup-configuration.
- Change to the default profile if downgrading to an FTOS version earlier than 6.3.1.1.
- Use the CONFIGURATION mode commands so that the profile is changed throughout the system.
- Use the EXEC Privilege mode commands to match the profile of a component to the profile of the
  target system.

QoS CAM Region Limitation

The default CAM profile allocates a partition within the IPv4Flow region to store QoS service policies. If
the QoS CAM space is exceeded, messages similar to the ones in Message 9 are displayed.

Message 9 QoS CAM Region Exceeded
%EX2YD:12 %DIFFSERV-2-DSA_QOS_CAM_INSTALL_FAILED: Not enough space in L3 Cam(PolicyQos) for
class 2 (Gi 12/20) entries on portpipe 1 for linecard 12
%EX2YD:12 %DIFFSERV-2-DSA_QOS_CAM_INSTALL_FAILED: Not enough space in L3 Cam(PolicyQos) for
class 5 (Gi 12/22) entries on portpipe 1 for linecard 12

If you exceed the QoS CAM space:

Step 1: Verify that you have configured a CAM profile that allocates 24K entries to the IPv4 system flow
        region. See View CAM Profiles on page 273.
Step 2: Allocate more entries in the IPv4Flow region to QoS. See Configure IPv4Flow Sub-partitions on
        page 276.

FTOS version 7.4.1 introduced the ability to view the actual CAM usage before applying a service-policy.
The command test cam-usage service-policy provides this test framework; see Pre-calculating Available
QoS CAM Space on page 824.

Note: For troubleshooting other CAM issues, see the E-Series Network Operations Guide.

Chapter 10 Content Addressable Memory for ExaScale

This Content Addressable Memory for ExaScale chapter discusses CAM/SRAM profiles for the E-Series
ExaScale platform. Refer to Chapter 9, Content Addressable Memory, for information regarding
the E-Series TeraScale, C-Series and S-Series platforms.

Content Addressable Memory on page 285


Static Random Access Memory on page 285
CAM-profile templates on page 286
Default CAM-profile on page 287
Recommended CAM-profile templates on page 288
CAM/SRAM region minimums and maximums on page 290
Microcode on page 292
Boot Behavior on page 292
Select a CAM-profile template on page 293
Select pre-defined CAM-profile template on page 294
Create new CAM-profile on page 295
Assign a microcode to the CAM-profile template on page 296
Validate CAM-profile templates on page 296
Show CAM-profile templates on page 296

Content Addressable Memory


Content Addressable Memory (CAM) is a type of memory that stores information in the form of a lookup
table. On Force10 systems, the CAM stores Layer 2 and Layer 3 forwarding information, access-lists
(ACL), flows, and routing policies.

The ExaScale EH and EJ series line cards are single-CAM line cards that support 10M and 40M CAM
for storing the lookup information.
Either ExaScale 10G or 40G CAM line cards can be used in a system.

Static Random Access Memory


Static Random Access Memory (SRAM) is a rapidly accessed memory that stores information in the form
of a lookup table. On Force10 systems, the SRAM stores multicast forwarding information and MPLS
routing information.
Figure 161 CAM/SRAM Lookup Tables

[Diagram: a line card switch with CPU, iFPTM, eFPTM, CAM and SRAM]
CAM tables: L2Fib, L2Acl, Ipv4Fib, Ipv4Acl, Ipv4Flow, EgL2Acl, EgIpv4Acl, Mpls, Ipv6Fib, Ipv6Acl,
EgIpv6Acl, EgAcl, Ipv6Flow
SRAM tables: EpiIpMcast, EpiEoMpls, Fhop, Nhop, EpiPP, IgMcastFlow

CAM-profile templates

Force10 systems partition each CAM/SRAM module so that it stores different types of information. The
size of each partition is specified in the CAM-profile template. The enabled CAM-profile template is
stored on every card, including line cards and the RPMs. The same profile must be on every line card and
RPM in the chassis.

Note: Although these templates are called CAM-profile templates, they apply to both the CAM and
SRAM lookup tables. There is no need for a separate profile for the SRAM.

There is a default CAM profile and microcode that is preprogrammed in the system. You can configure
additional CAM profiles using the templates described in this chapter, as well as define your own
CAM-profiles. The provided templates have been qualified by Force10 Networks. FTOS also supports
creating individual CAM-profiles, but Force10 Networks does not certify that these templates will function
as expected. Applying different CAM profile templates changes the amount of space available in each
region.

Table 24 lists and describes the recommended CAM-profile templates. In general, non-default profiles
allocate more space to particular regions to accommodate specific applications. The size of the partitions is
measured in entries. The total CAM space is finite, therefore adding entries to one region necessarily
decreases the number available to other regions.
Table 24 CAM-profile Templates

CAM Profile           | Description
----------------------|---------------------------------------------------------------------------------------
Default               | An all-purpose profile that allocates CAM/SRAM space according to the way
                      | Force10 systems are most commonly used.
                      | Available Microcodes: default
10M-L2                | Allocates space to support IPv4 Layer 2 switching on line cards with 10M CAM.
                      | Available Microcodes: default
10M-L2-IPv6-Switching | Allocates space to support IPv4 and IPv6 Layer 2 switching on line cards with 10M CAM.
                      | Available Microcodes: default
40M-L2-IPv6-IPv4      | Allocates space to support IPv4 and IPv6 Layer 2 routing on line cards with 40M CAM.
                      | Available Microcodes: default
40M-L2-IPv4Only       | Allocates space to support IPv4 Layer 2 routing on line cards with 40M CAM.
                      | Available Microcodes: default
VRF                   | Allocates CAM/SRAM space to support Virtual Routing and Forwarding (VRF).
                      | Available microcode: vrf
MAX-IPv4-FIB          | Allocates the maximum space supported for IPv4 FIB support.
                      | Available microcode: default

Default CAM-profile

The size of CAM partitions is measured in entries. Table 25 shows the number of entries available in each
partition for the Default CAM profile.

Table 25 Default CAM Profile Partition Size

Partition  | Default 10M line card | Default 40M line card
-----------|-----------------------|----------------------
L2FIB      | 16K                   | 16K
L2ACL      | 2K                    | 6K
IPv4FIB    | 56K                   | 512K
IPv4ACL    | 12K                   | 16K
IPv4Flow   | 24K                   | 24K
EgL2ACL    | 2K                    | 2K
EgIPv4ACL  | 2K                    | 4K
IPv6FIB    |                       | 12K
IPv6ACL    |                       | 6K
IPv6Flow   |                       | 6K
EgIPv6ACL  |                       | 1K

Note the following:

- The L2FIB region includes the MAC learning region.
- The L2ACL region includes the L2 ACL, FRRP, L2PT, L2 QoS, and L2 System Flow regions.
- The IPv4Flow region includes multicast FIB, PBR, QoS, and System Flow regions.
- The IPv6Flow region includes multicast FIB, PBR, QoS, and System Flow regions.

Recommended CAM-profile templates

Table 26 shows the number of entries available in each partition for the recommended CAM-profile
templates. The total CAM space is finite, therefore adding entries to one region necessarily decreases the
number available to other regions.

Table 26 CAM-profile Template Allocations

Partition                | 10M-L2      | 10M-L2-IPv6-Switching | 40M-L2-IPv6-IPv4 | 40M-L2-IPv4Only | VRF         | MAX-IPv4-FIB
-------------------------|-------------|-----------------------|------------------|-----------------|-------------|-------------
L2FIB                    | 56K         | 24K                   | 56K              | 56K             | 15K         | 15K
L2 Ingress ACL           | 4K          | 4K                    | 9K               | 17K             | 5K          | 5K
L2 Egress ACL            | 2K          | 2K                    | 4K               | 8K              | 2K          | 2K
L2 Learning              | 8K          | 8K                    | 8K               | 8K              | 1K          | 1K
L2 Flow: L2 System Flow  | 512 entries | 512 entries           | 1K               | 1K              | 102 entries | 102 entries
L2 Flow: FRRP            | 512 entries | 512 entries           | 1K               | 1K              | 102 entries | 102 entries
L2 Flow: L2PT            | 512 entries | 512 entries           | 1K               | 1K              | 266 entries | 266 entries
L2 Flow: L2 QOS          | 500 entries | 512 entries           | 4K               | 4K              | 500 entries | 500 entries
L3 FIB                   | 16K         | 16K                   | 128K             | 128K            | 256K        | 712K
L3 Egress ACL            | 2K          | 2K                    | 4K               | 16K             | 4K          | 2K
L3 Ingress ACL           | 8K          | 6K                    | 16K              | 24K             | 16K         | 16K
L3 Flow: Multicast-FIB   | 4K          | 4K                    | 9K               | 9K              | 9K          | 9K
L3 Flow: PBR             | 1K          | 1K                    | 1K               | 1K              | 1K          | 1K
L3 Flow: QOS             | 1K          | 1K                    | 10K              | 10K             | 10K         | 10K
L3 Flow: System Flow     | 4K          | 2K                    | 4K               | 4K              | 4K          | 4K
IPv6 FIB                 |             | 4K                    | 8K               |                 | 12K         |
IPv6 Egress ACL          |             | 1K                    | 2K               |                 | 1K          |
IPv6 Ingress ACL         |             | 2K                    | 4K               |                 | 6K          |
IPv6 Flow: Multicast-FIB |             | 3K                    | 4K               |                 | 3K          |
IPv6 Flow: PBR           |             |                       |                  |                 |             |
IPv6 Flow: QOS           |             |                       |                  |                 | 1K          |
IPv6 Flow: System Flow   |             | 2K                    | 4K               |                 | 2K          |
MPLS                     |             |                       |                  |                 | 60K         |

CAM/SRAM region minimums and maximums

You can create your own CAM-profiles. They are created the same way the CAM-profile templates are
created (Select a CAM-profile template), except that you define the region allocations rather than using
Force10 Networks calculations.

Note: The CAM-profile templates listed in Table 24 have been qualified by Force10 Networks. Force10
Networks does not certify that user-defined templates will function as expected.

Table 27 lists the minimum and maximum values allowed for each region. Remember: the total CAM/
SRAM space is finite and adding entries to one region must decrease the range available to other regions.

Table 27 Minimum and Maximum CAM/SRAM Region Values

Partition                | 40M CAM          | 10M CAM
-------------------------|------------------|-----------------
L2FIB                    | 7-256 K          | 2-64 K
L2 Ingress ACL           | 2-256 K          | 1-32 K
L2 Egress ACL            | 2-256 K          | 1-32 K
L2 Learning              | 1-16 K           | 1-16 K
L2 Flow: L2 System Flow  | 102-1024 entries | 102-1024 entries
L2 Flow: FRRP            | 0-1024 entries   | 0-1024 entries
L2 Flow: L2PT            | 0-1024 entries   | 0-1024 entries
L2 Flow: L2 QOS          | 0-16 K           | 0-16 K
L3 FIB                   | 16-892 K         | 16-64 K
L3 Ingress ACL           | 1-256 K          | 1-16 K
L3 Egress ACL            | 2-256 K          | 2-16 K
L3 Flow: Multicast-FIB   | 0-32 K           | 0-16 K
L3 Flow: PBR             | 0-32 K           | 0-16 K
L3 Flow: QOS             | 0-32 K           | 0-16 K
L3 Flow: System Flow     | 2-32 K           | 2-16 K
IPv6 FIB                 | 0-128 K          | 0-8 K
IPv6 Egress ACL          | 0-64 K           | 0-4 K
IPv6 Ingress ACL         | 0-64 K           | 0-4 K
IPv6 Flow: Multicast-FIB | 0-32 K           | 0-8 K
IPv6 Flow: PBR           | 0-32 K           | 0-8 K
IPv6 Flow: QOS           | 0-32 K           | 0-8 K
IPv6 Flow: System Flow   | 0-32 K           | 0-8 K
MPLS                     | 0-256 K          | 0-256 K

Note: Not all maximum values have been qualified by Force10 Networks.

Microcode

A microcode is a compiled set of instructions for the FPTM. On Force10 systems, the microcode controls
how packets are sent through the lookup tables and ultimately forwarded through the system.

The default microcode is used with all CAM-profile templates, except VRF. VRF uses its own microcode.
A microcode is required for each CAM-profile. If you do not specify one, the default microcode is
implemented.

Table 28 Microcode Descriptions

Microcode      | Description
---------------|-----------------------------------------------------------------------------------------
default        | Distributes CAM space for a typical deployment.
               | Applies to the Default CAM-profile and the recommended CAM-profile templates.
               | Recommended for any user-defined CAM-profiles.
vrf            | Distributes space to best manage IPv4 and IPv6 VRF packet forwarding.
               | Applies to the VRF CAM-profile template only.
               | Note: IPv6 is not supported with VRF microcode on the E-Series ExaScale.
lag-hash-align | Distributes space for applications that require the same hashing for bi-directional traffic
               | (for example, VoIP call or P2P file sharing). For port-channels, this microcode maps both
               | directions of a bi-directional flow to the same output link.
               | Recommended for any user-defined CAM-profiles.
ipv6-switched  | Use when the user wants to achieve IPv6 switched traffic at line rate.
               | Recommended for any user-defined CAM-profiles. Note that since this microcode
               | does only IPv6 switching, if you use it with the 10M L2 IPv6 Switching and 40M L2
               | IPv6-IPv4 CAM-profile templates, all the space allocated to IPv6 CAM regions will be
               | wasted.

Boot Behavior

The profile and microcode loaded on the primary RPM determine the profile and microcode that are
required on all other chassis components; this is called the chassis profile. A profile mismatch condition
exists if either the CAM profile or the microcode does not match. The following points describe line
card boot behavior when the line card profile does not match the chassis profile.

- A microcode mismatch constitutes a profile mismatch.
- When the line card profile and chassis profile are of the same type, but their CAM profiles do not
  match, the line card must load a new profile and therefore takes longer to come online.
- If you insert a line card into a chassis with a different line card CAM profile, the system displays
  Message 10. The line card boots with the default profile and remains in a problem state (Figure 162).
  The line card cannot forward traffic in a problem state.

Message 10 EH Line Card with EJ Chassis Profile Error

01:09:56: %RPM0-P:CP %CHMGR-4-EH_PROFILE_WARN: If EH CAM profile is selected, non-EJ cards
will be in problem state after reload
# After reload:
0:03:07: %RPM0-P:CP %CHMGR-2-CARD_DOWN: Major alarm: Line card 7 down - card problem:
unsupported CAM size

Figure 162 EH Line Card with Card Problem

Force10#show linecard 7 brief
-- Line card 7 --
Status        : card problem - unsupported line card config(CAM size)
Next Boot     : online
Required Type : EXW10SH - 10-port 10GE LAN/WAN PHY line card with SFP+ options 10M CAM (EH)
Current Type  : EXW10SH - 10-port 10GE LAN/WAN PHY line card with SFP+ options 10M CAM (EH)
Hardware Rev  : Base PP0 PP1
Num Ports     : 10
Up Time       : 0 sec
FTOS Version  :
Jumbo Capable : yes
Force10#
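Message 9 (in the TeraScale chapter above) and Message 10 are the syslog lines that tell you CAM policy is not in effect: a QoS class that could not be installed, or a line card stuck in a problem state after a profile mismatch. The following Python script, an added example and not FTOS code, splits FTOS-style syslog lines into facility, severity and mnemonic, and pulls the line card, port-pipe and interface out of those two message families so they can be alerted on rather than scrolled past. The sample lines are constructed from the messages shown on this page (one unrelated CARD_DOWN line is added to show it is ignored); the finding labels and the action text are my own wording of the remedies this chapter gives.

```python
"""Pick out FTOS syslog messages that mean CAM policy is not in effect.

Added example for this guide; not FTOS code. The two message families handled are
the ones shown in Message 9 (DSA_QOS_CAM_INSTALL_FAILED) and Message 10
(EH_PROFILE_WARN, and CARD_DOWN with a CAM cause). Finding labels are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the messages on this page; not a real capture.
SAMPLE_LOG = """\
02:00:49: %RPM0-P:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
%EX2YD:12 %DIFFSERV-2-DSA_QOS_CAM_INSTALL_FAILED: Not enough space in L3 Cam(PolicyQos) for class 2 (Gi 12/20) entries on portpipe 1 for linecard 12
01:09:56: %RPM0-P:CP %CHMGR-4-EH_PROFILE_WARN: If EH CAM profile is selected, non-EJ cards will be in problem state after reload
0:03:07: %RPM0-P:CP %CHMGR-2-CARD_DOWN: Major alarm: Line card 7 down - card problem: unsupported CAM size
0:03:09: %RPM0-P:CP %CHMGR-2-CARD_DOWN: Major alarm: Line card 9 down - card problem: unrelated cause
"""

# %FACILITY-SEVERITY-MNEMONIC: text. The leading "%RPM0-P:CP" and "%EX2YD:12"
# source tags do not match because they carry no numeric severity field.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
QOS_RE = re.compile(r"class (?P<cls>\d+) \((?P<iface>[^)]+)\) entries on portpipe (?P<pp>\d+) for linecard (?P<lc>\d+)")
CARD_RE = re.compile(r"Line card (?P<lc>\d+) down")


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a CAM-related line, or None for anything else."""
    m = MSG_RE.search(line)
    if not m:
        return None
    mnemonic, text = m.group("mnemonic"), m.group("text")
    finding: Dict[str, object] = {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": mnemonic,
    }
    if mnemonic == "DSA_QOS_CAM_INSTALL_FAILED":
        q = QOS_RE.search(text)
        finding.update(kind="qos-cam-exhausted",
                       linecard=int(q.group("lc")) if q else None,
                       portpipe=int(q.group("pp")) if q else None,
                       interface=q.group("iface") if q else None,
                       action="allocate more IPv4Flow entries to QoS (cam-ipv4flow) and reload")
        return finding
    if mnemonic == "EH_PROFILE_WARN":
        finding.update(kind="cam-profile-warning",
                       action="non-EJ cards will enter a problem state after reload; align the chassis profile first")
        return finding
    if mnemonic == "CARD_DOWN" and "CAM" in text:
        c = CARD_RE.search(text)
        finding.update(kind="cam-profile-mismatch",
                       linecard=int(c.group("lc")) if c else None,
                       action="card cannot forward traffic; match its CAM profile to the chassis profile")
        return finding
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Findings for every CAM-related line in the log, in order of appearance."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]
```

Both families are severity 2 (critical) or 4 (warning) on the FTOS scale embedded in the message tag, so a syslog collector can route on the parsed severity and mnemonic instead of matching free text.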

Select a CAM-profile template

The CAM-profile is selected in CONFIGURATION mode.

- The CAM-profile template is applied to the entire system. You must save the running-configuration to
  enable the change. Saving the running-configuration also ensures that the selected CAM-profile
  remains in the case of a reboot.
- All components in the chassis must have the same CAM-profile and microcode. The profile and
  microcode loaded on the primary RPM determine the profile that is required on all other chassis
  components.
- If a newly installed line card has a profile different from the primary RPM, the card reboots so that it
  can load the proper profile.
- If the standby RPM has a profile different from the primary RPM, the RPM reboots so that it can load
  the proper profile.
- Enabling a CAM-profile immediately replaces the existing CAM-profile. You will be prompted to save
  the running-configuration and reload the system to implement the new CAM-profile.

Note: The CAM-profiles are NOT automatically created when you select one of the templates. You must
enter the region allocations manually. Use the CAM-profile allocations in Table 26.

Select pre-defined CAM-profile template

Pre-defined CAM-profiles have been verified by Force10 Networks. You must configure the regions and
their parameters to get the template desired.

Select a pre-defined (Force10 Networks recommended) CAM-profile template:

Step 1: Select a CAM-profile template.
        Command Syntax: cam-profile template [10M-CAM]
        template is the name of a pre-defined Force10 CAM-profile template: 10M-L2,
        10M-L2-IPv6-Switching, 40M-L2-IPv6-IPv4, 40M-L2-IPv4Only, VRF, MAX-IPv4-FIB
        Note: Enter 10M-CAM to specify the 10M CAM line card. Otherwise, the system defaults to the 40M
        CAM line card settings.
        Command Mode: CONFIGURATION
Step 2: Configure the regions as defined for the template in Table 26.
        Command Syntax: <regions and values>
        The regions:
        Layer 2: layer-2 eg-acl {value} fib {value} frrp {value} ing-acl {value} learn {value}
                 l2pt {value} qos {value} system-flow {value}
        Layer 3: layer-3 [ipv4 | ipv6] eg-acl {value} fib {value} ing-acl {value}
        Flow: flow [ipv4 | ipv6] multicast-fib {value} pbr {value} qos {value} system-flow {value}
        Command Mode: CONFIGURATION-CAM-profile-template
Step 3: Enable the CAM-profile template.
        Command Syntax: enable
        Command Mode: CONFIGURATION-CAM-profile-template
        When you enable a template, you are prompted to save the running-configuration and reload the
        system (Figure 164).

Figure 163 Enable CAM-profile template


Force10(conf-cam-prof-10M-L2)#enable
Updating the cam-profile will need a chassis reboot.
System configuration has been modified. Save? [yes/no]: n
Proceed with reload [confirm yes/no]: n
Force10(conf-cam-prof-10M-L2)#

Note: The message above does not appear if the default CAM-profile is enabled when you try to enable a
new CAM-profile. The validation message appears when changing from a non-default CAM-profile to
another non-default CAM-profile.

Create new CAM-profile

FTOS supports creating individual CAM-profiles, but Force10 Networks does not certify that these
templates will function as expected. Follow these steps to create a new CAM-profile.

Step 1: Define a CAM-profile template.
        Command Syntax: cam-profile template [10M-CAM]
        template is a 16 character string used as a template name.
        Note: Enter 10M-CAM to specify the 10M CAM line card. Otherwise, the system defaults to the 40M
        CAM line card settings.
        Command Mode: CONFIGURATION
Step 2: Configure the CAM/SRAM regions.
        Command Syntax:
        Layer 2: layer-2 eg-acl {value} fib {value} frrp {value} ing-acl {value} learn {value}
                 l2pt {value} qos {value} system-flow {value}
        Layer 3: layer-3 [ipv4 | ipv6] eg-acl {value} fib {value} ing-acl {value}
        Flow: flow [ipv4 | ipv6] multicast-fib {value} pbr {value} qos {value} system-flow {value}
        Command Mode: CONFIGURATION-CAM-profile
        Note: You do not need to enter every parameter for a region. You can enter only the ones you need.
        Note: User configured CAM-profiles are automatically validated (Figure 164).
Step 3: Enable the CAM-profile template.
        Command Syntax: enable
        Command Mode: CONFIGURATION-CAM-profile
        When you enable a template, you are prompted to save the running-configuration and reload the
        system (Figure 164).

Figure 164 Create and Validate a new CAM-profile template


Force10(conf-cam-prof-Customer 001)#flow ipv4 multicast-fib 10 pbr 20 qos 25 system-flow 3
Force10(conf-cam-prof-Customer 001)#enable
CAM profile '10M-L2-Switched' is currently enabled.
Do you want to disable it and continue? [yes/no]: y
Updating the cam-profile will need a chassis reboot.
System configuration has been modified. Save? [yes/no]: y
Proceed with reload [confirm yes/no]: n
Force10(conf)#cam-profile Customer001
Force10(conf-cam-prof-Customer001)#flow ipv4 multicast-fib 10 pbr 20 qos 25 system-flow 30
!
% Error: cam-profile validation fail
Force10(conf-cam-prof-Customer 001)#


Assign a microcode to the CAM-profile template

Every CAM-profile template must have a microcode to control how packets go through the lookup tables
and are forwarded through the system. The default microcode is used with all CAM-profile templates,
except VRF. VRF uses its own microcode. Specifying a microcode is mandatory when selecting a CAM
profile (though you are not required to change it).

Task: Assign microcode to a defined CAM-profile template.
      Command Syntax: microcode {default | ipv6-switched | lag-hash-align | vrf}
      Command Mode: CONFIGURATION-CAM-profile

Validate CAM-profile templates

Validating the template confirms that defined allocations fit within certain hardware bounds. Force10
Networks recommends using the test cam-profile command to validate a template prior to implementing it.

Task: Validate a CAM-profile template.
      Command Syntax: test cam-profile template
      Command Mode: EXEC Privilege

Figure 165 Command Example: test cam-usage

Force10#test cam-profile test
cam-profile 'test' can be applied to the system.
Force10#test cam-profile Customer002
% Error: 'test cam-profile Customer002 failed. Please check all profile parameters.
Force10
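Table 27 gives the per-region bounds that a user-defined profile must respect, and the "Configure the regions" syntax above shows how the template is typed in. The following Python module, added here as an example and not FTOS code, encodes the Table 27 ranges so a user-defined profile can be bounds-checked before it is entered on the chassis, and turns the same region dictionary into the CONFIGURATION-CAM-profile command lines. It carries the 10M-L2 column of Table 26 as sample input. Assumptions: sizes of 1K and above are typed in K (as the values in Figure 164 are), sub-1K regions such as L2 system-flow are typed as entry counts, and MPLS is left out because the region syntax on this page has no keyword for it. Only the per-region ranges are checked; FTOS also rejects a profile that does not fit the CAM as a whole (the second attempt in Figure 164), which Table 27 alone cannot predict.

```python
"""Bounds-check a user-defined ExaScale CAM-profile against Table 27 and emit the
CONFIGURATION-CAM-profile commands for it.

Added example for this guide; not FTOS code. Region keywords follow the
"Configure the regions" syntax; the unit convention for sub-1K regions and the
command ordering are assumptions.
"""
from typing import Dict, List, Tuple

K = 1024
Region = Tuple[str, str]  # (command group, region keyword)

# Table 27: (min, max) in entries for 40M CAM and for 10M CAM line cards.
BOUNDS: Dict[Region, Tuple[Tuple[int, int], Tuple[int, int]]] = {
    ("layer-2", "fib"):             ((7 * K, 256 * K),  (2 * K, 64 * K)),
    ("layer-2", "ing-acl"):         ((2 * K, 256 * K),  (1 * K, 32 * K)),
    ("layer-2", "eg-acl"):          ((2 * K, 256 * K),  (1 * K, 32 * K)),
    ("layer-2", "learn"):           ((1 * K, 16 * K),   (1 * K, 16 * K)),
    ("layer-2", "system-flow"):     ((102, 1024),       (102, 1024)),
    ("layer-2", "frrp"):            ((0, 1024),         (0, 1024)),
    ("layer-2", "l2pt"):            ((0, 1024),         (0, 1024)),
    ("layer-2", "qos"):             ((0, 16 * K),       (0, 16 * K)),
    ("layer-3 ipv4", "fib"):        ((16 * K, 892 * K), (16 * K, 64 * K)),
    ("layer-3 ipv4", "ing-acl"):    ((1 * K, 256 * K),  (1 * K, 16 * K)),
    ("layer-3 ipv4", "eg-acl"):     ((2 * K, 256 * K),  (2 * K, 16 * K)),
    ("flow ipv4", "multicast-fib"): ((0, 32 * K),       (0, 16 * K)),
    ("flow ipv4", "pbr"):           ((0, 32 * K),       (0, 16 * K)),
    ("flow ipv4", "qos"):           ((0, 32 * K),       (0, 16 * K)),
    ("flow ipv4", "system-flow"):   ((2 * K, 32 * K),   (2 * K, 16 * K)),
    ("layer-3 ipv6", "fib"):        ((0, 128 * K),      (0, 8 * K)),
    ("layer-3 ipv6", "eg-acl"):     ((0, 64 * K),       (0, 4 * K)),
    ("layer-3 ipv6", "ing-acl"):    ((0, 64 * K),       (0, 4 * K)),
    ("flow ipv6", "multicast-fib"): ((0, 32 * K),       (0, 8 * K)),
    ("flow ipv6", "pbr"):           ((0, 32 * K),       (0, 8 * K)),
    ("flow ipv6", "qos"):           ((0, 32 * K),       (0, 8 * K)),
    ("flow ipv6", "system-flow"):   ((0, 32 * K),       (0, 8 * K)),
}

# The 10M-L2 column of Table 26, in entries.
TEMPLATE_10M_L2: Dict[Region, int] = {
    ("layer-2", "fib"): 56 * K, ("layer-2", "ing-acl"): 4 * K, ("layer-2", "eg-acl"): 2 * K,
    ("layer-2", "learn"): 8 * K, ("layer-2", "system-flow"): 512, ("layer-2", "frrp"): 512,
    ("layer-2", "l2pt"): 512, ("layer-2", "qos"): 500,
    ("layer-3 ipv4", "fib"): 16 * K, ("layer-3 ipv4", "eg-acl"): 2 * K,
    ("layer-3 ipv4", "ing-acl"): 8 * K,
    ("flow ipv4", "multicast-fib"): 4 * K, ("flow ipv4", "pbr"): 1 * K,
    ("flow ipv4", "qos"): 1 * K, ("flow ipv4", "system-flow"): 4 * K,
}


def validate_profile(regions: Dict[Region, int], cam_10m: bool = False) -> List[str]:
    """Per-region range check against Table 27. Returns the violations; an empty list
    means every given region is inside its range. Whole-CAM capacity is not checked."""
    column = 1 if cam_10m else 0
    problems: List[str] = []
    for region, entries in regions.items():
        if region not in BOUNDS:
            problems.append(f"unknown region '{region[0]} {region[1]}'")
            continue
        low, high = BOUNDS[region][column]
        if not low <= entries <= high:
            problems.append(f"{region[0]} {region[1]} = {entries} entries, "
                            f"allowed {low}-{high}")
    return problems


def _cli_value(entries: int) -> str:
    """Sizes of 1K and above are typed in K (Figure 164); smaller regions as entries
    (assumption: the page does not show a sub-1K value being entered)."""
    return str(entries // K) if entries >= K and entries % K == 0 else str(entries)


def profile_commands(name: str, regions: Dict[Region, int], cam_10m: bool = False,
                     microcode: str = "default") -> List[str]:
    """Command lines for the template: cam-profile, one line per region group,
    microcode, then enable (which prompts for a save and a reload)."""
    lines = [f"cam-profile {name}" + (" 10M-CAM" if cam_10m else "")]
    grouped: Dict[str, List[str]] = {}
    for (group, keyword), entries in regions.items():
        grouped.setdefault(group, []).append(f"{keyword} {_cli_value(entries)}")
    for group, items in grouped.items():
        lines.append(f" {group} " + " ".join(items))
    lines.append(f" microcode {microcode}")
    lines.append(" enable")
    return lines
```

Run validate_profile on the region dictionary for both card sizes present in the chassis; a profile that passes for 40M cards can still be out of range for a 10M card, which is the mismatch that leaves the card in a problem state after reload.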

Show CAM-profile templates

The show cam-profile command displays the cam-profile currently loaded on the chassis (Figure 166).

The show cam-profile profile-name command displays a specific cam-profile template, to make it easier to
view the profile's region allocations before enabling it (Figure 167). The output looks exactly like the show
cam-profile output, but the profile is not yet applied to the chassis.

Use the show running cam-profile command to list all the configured cam-profile templates. Note that in
Figure 167 the running cam-profile list also identifies which cam-profile template is enabled (default).

Note: When you enable a CAM-profile template, the output of the show cam-profile command does not
reflect any changes until you save the running-configuration and reload the chassis.

Figure 166 Output example: show cam-profile

Force10#show cam-profile
-- Chassis CAM Profile --
CamSize        : 40-Meg
                 Current Settings
Profile Name   : default
Microcode Name : Default
L2FIB          : 15K entries
Learn          : 1K entries
L2ACL          : 5K entries
System Flow    : 102 entries
Qos            : 500 entries
Frrp           : 102 entries
L2pt           : 266 entries
IPv4FIB        : 512K entries
IPv4ACL        : 16K entries
IPv4Flow       : 24K entries
Mcast Fib/Acl  : 9K entries
Pbr            : 1K entries
Qos            : 10K entries
System Flow    : 4K entries
EgL2ACL        : 2K entries
EgIpv4ACL      : 4K entries
Mpls           : 60K entries
IPv6FIB        : 12K entries
IPv6ACL        : 6K entries
IPv6Flow       : 6K entries
Mcast Fib/Acl  : 3K entries
Pbr            : 0K entries
Qos            : 1K entries
System Flow    : 2K entries
EgIpv6ACL      : 1K entries
GenEgACL       : 0.5K entries
IPv4FHOP       : 4K entries
IPv6FHOP       : 4K entries
IPv4/IPv6NHOP  : 12K entries
MPLS LSP Count : 0K entries
EoMPLS Encap   : 0K entries
EoMPLS Decap   : 0K entries
-- Line card 2 - per Port Pipe --
CamSize        : 40-Meg
                 Current Settings
Profile Name   : default
Microcode Name : Default
L2FIB          : 15K entries
Learn          : 1K entries
L2ACL          : 5K entries
System Flow    : 102 entries
Qos            : 500 entries
Frrp           : 102 entries
L2pt           : 266 entries
IPv4FIB        : 512K entries
IPv4ACL        : 16K entries
IPv4Flow       : 24K entries
Mcast Fib/Acl  : 9K entries
Pbr            : 1K entries
Qos            : 10K entries
System Flow    : 4K entries
------------output truncated------------------

Figure 167 Output example: show running cam-profile and show cam-profile profile-name

Force10#show running cam-profile
!
cam-profile default
enable
!
cam-profile vrf
microcode vrf
Force10#
Force10#show cam-profile vrf
-- Chassis CAM Profile --
CamSize        : 40-Meg
                 Current Settings
Profile Name   : vrf
Microcode Name : VRF
L2FIB          : 15K entries
Learn          : 1K entries
L2ACL          : 5K entries
System Flow    : 102 entries
Qos            : 500 entries
Frrp           : 102 entries
L2pt           : 266 entries
IPv4FIB        : 256K entries
IPv4ACL        : 16K entries
IPv4Flow       : 24K entries
Mcast Fib/Acl  : 9K entries
Pbr            : 1K entries
Qos            : 10K entries
System Flow    : 4K entries
EgL2ACL        : 2K entries
EgIpv4ACL      : 4K entries
Mpls           : 60K entries
IPv6FIB        : 12K entries
IPv6ACL        : 6K entries
IPv6Flow       : 6K entries
Mcast Fib/Acl  : 3K entries
Pbr            : 0K entries
Qos            : 1K entries
System Flow    : 2K entries
EgIpv6ACL      : 1K entries
GenEgACL       : 0.5K entries
IPv4FHOP       : 4K entries
IPv6FHOP       : 4K entries
IPv4/IPv6NHOP  : 12K entries
MPLS LSP Count : 0K entries
EoMPLS Encap   : 0K entries
EoMPLS Decap   : 0K entries
Force10#

View a brief summary output of the currently enabled cam-profile template with the show cam-profile
summary command.


Content Addressable Memory for ExaScale

Figure 168 Output example: show cam-profile summary


Force10#show cam-profile summary
-- Chassis CAM Profile --
CamSize        : 40-Meg
               : Current Settings
Profile Name   : default
Microcode Name : Default

-- Line card 2 - per Port Pipe --
CamSize        : 40-Meg
               : Current Settings
Profile Name   : default
Microcode Name : Default

Force10#


Chapter 11

Configuration Replace and Rollback

Configuration Replace and Rollback is supported on platforms: C-Series, E-Series

The E-Series ExaScale platform is supported with FTOS 8.1.1.0 and later.
Configuration Replace and Rollback enables you to replace the current running-configuration with a
different configuration without restarting the chassis.
Without this feature, if you want to load a new running configuration, you must copy the desired
configuration file to the startup-configuration (using the command copy file startup-configuration) and
reboot the chassis (using the command reload). Copying the desired configuration file to the
running-configuration (using the command copy file running-configuration) merely appends to the
running configuration; any conflicts between the two files are reported to the console, but FTOS does not
overwrite the running configuration, so the new configuration is not fully implemented.
The reboot process takes several minutes by default, and if your startup-configuration is extensive, the
process can take several minutes more. As a result, when the Force10 system is deployed in a production
environment, you must wait for a maintenance window to load a new configuration.
The Configuration Replace and Rollback feature allows you to archive your running configuration and, at
a later time, replace your running configuration with the archived one without rebooting the chassis.
During replacement, FTOS calculates and applies only the difference between the archived file and the
running-configuration, making the process faster. Once the archived configuration is loaded, you can
confirm the replacement or revert (roll back) to your previous configuration. Rolling back allows you to
view and test a configuration before committing to the change.

Archived Files
Archived files are stored on the internal flash in a hidden directory. The maximum number of archived files
is configurable between 10 and 15. If you archive more than the configured maximum, the oldest archived
file is deleted to create space. You can view the name, size, and date of creation of a file, but you cannot
view the contents of the archived file directly (using the command show file). To view the contents of a
file you can back up the archive file to another location and then use the command show file, or view the
differences between the archived file and another file using the show diff command.


Configuring Configuration Replace and Rollback


Configuring Configuration Replace and Rollback is a three-step process:
1. Enable the archive service. See page 302.
2. Archive a running-configuration. See page 303.
3. Replace the running-configuration with an archived configuration. See page 303.

Related Configuration Tasks

Configuring an Archive File Maximum on page 305


Configuring Auto-archive on page 307
Copying and Deleting an Archive File on page 307
Viewing and Editing the Contents of an Archive File on page 308

Important Points to Remember

FTOS automatically locks CONFIGURATION mode during the replace and rollback operation; see
Lock CONFIGURATION mode on page 74. Therefore, when using this feature, no other user may be
in CONFIGURATION mode. The lock is released when the replace or rollback operation is complete.
Configuration Replace and Rollback cannot remove some FTOS configuration statements. See the
release notes for your FTOS version for details.

Enabling the Archive Service


Before you can archive a configuration, you must enter ARCHIVE mode using the command archive from
CONFIGURATION mode, as shown in Figure 169. This enables the archiving service. If you do not
enable the archive service, Message 11 appears when you attempt to archive a configuration.
Message 11 Archive Service Error Message
% Warning: archive service is not enabled yet.

Figure 169 Entering Archive Mode


Force10#archive config
% Warning: archive service is not enabled yet.
Force10#config
Force10(conf)#archive
Force10(conf-archive)#exit
Force10(conf)#exit
Force10#archive config
configuration archived as archive_1
Force10#


You do not have to enable the archive service again if you save the running configuration after completing
this task. If you reload the system or upgrade your FTOS version without saving the running configuration,
you must enable the archive service again.

Archiving a Configuration File


Archive the current running configuration file using the command archive config from EXEC Privilege
mode.
Figure 170 Archiving a Configuration File
R1#archive ?
config    Archive the running configuration
backup    Backup the archive file
R1#archive config
configuration archived as archive_0
R1#show archive
Archive directory: flash:/CFGARCH_DIR
#    Archive      Date         Time       Size    Comment
0    archive_0    11/19/2007   14:29:26   6040    Most recently archived
1    -
2
3
4
5
6
7
8
9
10
11
12
13
14
R1#

Viewing the Archive Directory


The archive directory is a hidden directory that FTOS does not display in the output of the command dir.
View the archive directory using the command show archive from EXEC Privilege mode, as shown in
Figure 170.

Replacing the Current Running Configuration


Replace the current running configuration with an archived configuration using the command configure
replace from EXEC Privilege mode.
In Figure 171:


1. The hostname of the Force10 system is changed from R1 to Force10.
2. The running configuration is replaced with archive_0, in which the hostname is R1.
Figure 171 Replacing the Running-configuration with an Archived Configuration
R1#config
R1(conf)#hostname Force10
Force10#configure replace archive_0
This will apply all nessesary additions and deletions
to replace the current running-config with the contents
of the specified configuration file,
which is assumed to be complete configuration,
not a partial configuration
Please confirm if you want to proceed [yes/no]:yes
2d3h3m: %RPM0-P:CP %CLI-6-RBACKSTART: start rollback to file flash:/CFGARCH_DIR/archive_0
2d3h3m: %RPM0-P:CP %SYS-5-CONFIG_LOAD: Loading configuration file
2d3h3m: %RPM0-P:CP %CLI-6-RBACKCOMPLETE: completed rollback to flash:/CFGARCH_DIR/archive_0
R1#

Use the keyword force to bypass the FTOS confirmation dialog, as shown in Figure 172.
Figure 172 Replacing the Running-configuration without a Confirmation Dialog
R1(conf)#hostname Force10
Force10#exit
Force10#configure replace archive_0 force
2d3h8m: %RPM0-P:CP %CLI-6-RBACKSTART: start rollback to file flash:/CFGARCH_DIR/archive_0
2d3h8m: %RPM0-P:CP %SYS-5-CONFIG_LOAD: Loading configuration file
2d3h8m: %RPM0-P:CP %CLI-6-RBACKCOMPLETE: completed rollback to flash:/CFGARCH_DIR/archive_0
R1#

Rolling Back to the Previous Configuration


FTOS allows you to implement an archived configuration for a specified amount of time before reverting
to the previous running-configuration, using the command configure replace with the time keyword from
EXEC Privilege mode; FTOS requires you to enter the amount of time in seconds. This feature enables you
to test a configuration before committing the system to it.

If you do not like the configuration, wait for the specified time to expire, as shown in Figure 173.
If you like the configuration, enter the command configure confirm from EXEC Privilege mode
before the specified time expires, as shown in Figure 174.

Figure 173 Configuring FTOS to Rollback to a Previous Configuration


Force10#configure replace archive_0 time ?
<60-1800>
Time value (in seconds)
Force10#configure replace archive_0 time 60
This will apply all nessesary additions and deletions
to replace the current running-config with the contents
of the specified configuration file,
which is assumed to be complete configuration,
not a partial configuration
Please confirm if you want to proceed [yes/no]:yes
3d4h45m: %RPM0-P:CP %CLI-6-RBACKSTART: start rollback to file flash:/CFGARCH_DIR/archive_0
3d4h45m: %RPM0-P:CP %SYS-5-CONFIG_LOAD: Loading configuration file
3d4h45m: %RPM0-P:CP %CLI-6-RBACKCOMPLETE: completed rollback to flash:/CFGARCH_DIR/archive_0
R1#
R1#Warning: time is expired before confirm. Replace with flash://CFGARCH_DIR/archive_1
Force10#

Figure 174 Committing to an Archived Configuration


Force10#config replace archive_0 time 60
This will apply all nessesary additions and deletions
to replace the current running-config with the contents
of the specified configuration file,
which is assumed to be complete configuration,
not a partial configuration
Please confirm if you want to proceed [yes/no]:yes
3d5h26m: %RPM0-P:CP %CLI-6-RBACKSTART: start rollback to file flash:/CFGARCH_DIR/archive_0
3d5h26m: %RPM0-P:CP %SYS-5-CONFIG_LOAD: Loading configuration file
3d5h26m: %RPM0-P:CP %CLI-6-RBACKCOMPLETE: completed rollback to flash:/CFGARCH_DIR/archive_0
R1#configure confirm

Configuring an Archive File Maximum


The maximum number of archive files is configurable between 2 and 15. The default maximum is 10. Use
the command maximum from ARCHIVE mode to configure this parameter, as shown in Figure 175.

If you attempt to archive more configurations than the maximum allowed, the oldest archived
configuration is deleted (Figure 176) to create space. However, the number in the name of the archived
file is still incremented (up to 14, after which the numbering convention restarts at 0; if present,
archive_0 is overwritten).
If you configure a maximum less than the number of archived files you already have, then archived
files are deleted to satisfy the maximum.

Figure 175 Configuring an Archive Maximum


R1(conf-archive)#maximum 2
R1(conf-archive)#show config
!
archive
maximum 2
R1(conf-archive)#


Figure 176 Configuring the Maximum Number of Archive Files (continued)


R1#archive config
configuration archived as archive_1
R1#show archive
Archive directory: flash:/CFGARCH_DIR
#    Archive      Date         Time       Size    Comment
0    archive_0    11/20/2007   09:45:24   6120    Archived
1    archive_1    11/20/2007   10:54:12   6120    Most recently archived
2
3
4
5
6
7
8
9
10
11
12
13
14
R1#archive config
configuration archived as archive_2
R1#show archive
Archive directory: flash:/CFGARCH_DIR
#    Archive      Date         Time       Size    Comment
0                                                 Deleted
1    archive_1    11/20/2007   10:54:12   6120    Archived
2    archive_2    11/20/2007   10:54:28   6120    Most recently archived
3    -
4
5
6
7
8
9
10
11
12
13
14
R1#


Configuring Auto-archive
You can configure the system to archive the running-configuration periodically so that you do not have to
archive manually. Configure auto-archiving using the command time-period from ARCHIVE mode. Note
that if you do not make any changes to the running-configuration for the configured length of time, then
the running-configuration is not archived, and periodic archiving pauses; it resumes when you make a
change to the running-configuration.
Figure 177 Configuring an Archive Time-period
R1(conf-archive)#time-period 5
R1(conf-archive)#show config
!
archive
maximum 2
time-period 5
R1(conf-archive)#

Copying and Deleting an Archive File


Copy an archive file to another location using the command archive backup, as shown in Figure 178.
Delete an archive file using the command archive delete from CONFIG ARCHIVE mode.


Viewing and Editing the Contents of an Archive File


You cannot view or edit the contents of archived files. FTOS disallows these functions to ensure that
archived configurations are error-free when they are used in a replace or rollback function. You can,
however, copy the file to another location using the command archive backup, and then view and edit the
copy. If you copy the file to another location on FTOS, then you can view the contents of the file using the
command show file, as shown in Figure 178.
Figure 178 Viewing an Archive File
R1#archive backup archive_2 flash://archive_2
!
6120 bytes successfully copied
R1#dir
Directory of flash:

 1  drw       32768  Jan 01 1980 00:00:00  .
 2  drwx        512  Nov 16 2007 13:20:22  ..
 3  drw        8192  Mar 11 2007 00:23:40  TRACE_LOG_DIR
 4  drw        8192  Mar 11 2007 00:23:40  CRASH_LOG_DIR
 5  drw        8192  Mar 11 2007 00:23:40  NVTRACE_LOG_DIR
 6  drw        8192  Mar 11 2007 00:23:40  CORE_DUMP_DIR
 7  d---       8192  Mar 11 2007 00:23:40  ADMIN_DIR
 8  rw-        6115  Nov 19 2007 18:35:32  startup-config
 9  rw-    32999090  Jun 11 2007 20:22:32  FTOS-EF-7.4.1.0.bin
10  rw-    33059550  May 31 2007 20:58:56  FTOS-EF-7.4.2.0.bin
11  rw-    23234380  May 30 2007 06:38:14  FTOS-EF-6.5.4.0.bin
12  rw-        6115  Nov 19 2007 18:15:00  startup-config.bak
13  rw-          34  Nov 19 2007 19:23:00  arc_delta.cfg
14  rw-        6120  Nov 20 2007 11:17:52  archive_2

flash: 520962048 bytes total (320643072 bytes free)


R1#show file flash://archive_2
! Version E_MAIN4.7.5.353
! Last configuration change at Tue Nov 20 10:54:05 2007 by default
! Startup-config last updated at Mon Nov 19 18:35:30 2007 by default
!
boot system rpm0 primary flash://FTOS-EF-4.7.5.353.bin
boot system rpm0 secondary flash://FTOS-EF-7.4.2.0.bin
boot system rpm0 default flash://FTOS-EF-6.5.4.0.bin
boot system rpm1 primary flash://FTOS-EF-7.5.1.0.bin
boot system rpm1 secondary flash://FTOS-EF-7.4.2.0.bin
boot system rpm1 default flash://FTOS-EF-6.5.4.0.bin
!
redundancy auto-failover-limit count 3 period 60
redundancy auto-synchronize full
redundancy disable-auto-reboot rpm
redundancy primary rpm0
!
--More--


Viewing the Difference between Configuration Files


View the difference between the running-configuration and an archived configuration using the command
show run diff. In Figure 179, the running-configuration is archived as archive_3, and then the hostname is
changed to Force10. The command show run diff lists each difference in the two files; in this case, there
is only one, the hostname.
Figure 179 Viewing the Difference between Configuration Files
R1#archive config
configuration archived as archive_3
R1(conf)#hostname Force10
Force10(conf)#do show run diff archive_3
running-config
------< hostname Force10
flash:/CFGARCH_DIR/archive_3
------> hostname R1
Force10(conf)#
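The archive numbering and maximum (page 305), the timed configure replace with configure confirm (Figures 173 and 174) and the show run diff layout (Figure 179) modelled in Python, as an added example that is not FTOS code or part of this guide. The clock is simulated (seconds are passed in as now), and the behaviour that a timed replace first archives the running-configuration is an assumption drawn from the "Replace with .../archive_1" warning in Figure 173.

```python
"""Model of the archive, replace and rollback behaviour this chapter describes:
archive_N numbering and the configured maximum, 'configure replace ... time'
with 'configure confirm', and the 'show run diff' layout. Added example for
illustration, not FTOS code; the clock is simulated (seconds passed in as 'now')."""
import difflib
from collections import OrderedDict
from typing import List, Optional, Tuple

ARCHIVE_DIR = "flash:/CFGARCH_DIR"   # directory name shown by 'show archive'
SLOT_COUNT = 15                      # names run archive_0 .. archive_14, then wrap to 0


class ConfigArchive:
    """Running-config plus a bounded, oldest-first set of archived copies."""

    def __init__(self, running: str, maximum: int = 10):
        self.running = running
        self.maximum = maximum                       # ARCHIVE mode 'maximum', default 10
        self.next_index = 0                          # number used for the next archive_N
        self.files: "OrderedDict[str, str]" = OrderedDict()       # name -> config text
        self.pending: Optional[Tuple[str, str, int]] = None        # (archive, text, deadline)

    def _enforce_maximum(self) -> None:
        while len(self.files) > self.maximum:        # oldest archive is deleted to create space
            self.files.popitem(last=False)

    def archive_config(self) -> str:
        """'archive config': store the running-config as archive_N."""
        name = f"archive_{self.next_index}"
        self.next_index = (self.next_index + 1) % SLOT_COUNT
        self.files.pop(name, None)                   # after wrap-around an old archive_N is overwritten
        self.files[name] = self.running
        self._enforce_maximum()
        return name

    def set_maximum(self, maximum: int) -> None:
        """ARCHIVE mode 'maximum': a lower value deletes excess archives at once."""
        if not 2 <= maximum <= 15:
            raise ValueError("maximum must be between 2 and 15")
        self.maximum = maximum
        self._enforce_maximum()

    def configure_replace(self, name: str, now: int, time: Optional[int] = None) -> str:
        """'configure replace <name> [time <seconds>]'.

        With 'time', the running-config is archived first so it can be restored if the
        timer expires unconfirmed (assumption drawn from the 'Replace with .../archive_1'
        warning in Figure 173). The archive is read before that, so a full directory
        cannot evict the file being loaded."""
        if name not in self.files:
            raise KeyError(f"{ARCHIVE_DIR}/{name} does not exist")
        target = self.files[name]
        if time is not None:
            if not 60 <= time <= 1800:               # range shown by 'configure replace ... time ?'
                raise ValueError("time must be 60-1800 seconds")
            self.pending = (self.archive_config(), self.running, now + time)
        self.running = target
        return name

    def configure_confirm(self) -> bool:
        """'configure confirm': keep the replacement and cancel the rollback timer."""
        was_pending = self.pending is not None
        self.pending = None
        return was_pending

    def tick(self, now: int) -> Optional[str]:
        """Advance the clock; if the timer has expired, roll back and return the archive used."""
        if self.pending is not None and now >= self.pending[2]:
            previous, text, _ = self.pending
            self.pending = None
            self.running = text
            return previous
        return None

    def show_run_diff(self, name: str) -> List[str]:
        """'show run diff <name>' in the '------<' / '------>' layout of Figure 179."""
        if name not in self.files:
            raise KeyError(f"{ARCHIVE_DIR}/{name} does not exist")
        delta = list(difflib.ndiff(self.running.splitlines(), self.files[name].splitlines()))
        only_running = [f"------< {line[2:]}" for line in delta if line.startswith("- ")]
        only_archive = [f"------> {line[2:]}" for line in delta if line.startswith("+ ")]
        return ["running-config", *only_running, f"{ARCHIVE_DIR}/{name}", *only_archive]
```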


Chapter 12

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol is available on platforms: C-Series, E-Series, S-Series

This chapter contains the following sections:

Protocol Overview on page 311


Implementation Information on page 314
Configuration Tasks on page 314
Configure the System to be a DHCP Server on page 314
Configure the System to be a Relay Agent on page 322
Configure Secure DHCP on page 323

Protocol Overview
Dynamic Host Configuration Protocol (DHCP) is an application layer protocol that dynamically assigns IP
addresses and other configuration parameters to network end-stations (hosts) based on configuration
policies determined by network administrators. DHCP:

relieves network administrators of manually configuring hosts, which can be a tedious and
error-prone process when hosts often join, leave, and change locations on the network.
reclaims IP addresses that are no longer in use to prevent address exhaustion.

DHCP is based on a client-server model. A host discovers the DHCP server and requests an IP address, and
the server either leases or permanently assigns one. There are three types of devices that are involved in
DHCP negotiation:

DHCP Server: a network device offering configuration parameters to the client.
DHCP Client: a network device requesting configuration parameters from the server.
Relay agent: an intermediary network device that passes DHCP messages between the client and
server when the server is not on the same subnet as the host.


DHCP Packet Format and Options


DHCP uses UDP as its transport protocol. The server listens on port 67 and transmits to port 68; the client
listens on port 68 and transmits to port 67. The configuration parameters are carried as options in the
DHCP packet in Type, Length, Value (TLV) format; many options are specified in RFC 2132. To limit the
number of parameters that servers must provide, hosts specify the parameters that they require, and the server
sends only those; some common options are given in Table 29.
Figure 180 DHCP Packet Format
(diagram: fixed header fields op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
chaddr, sname, file, followed by the options field; each option is a Code, Length, Value triple)

Table 29 Common DHCP Options

Option                   Code   Description
Subnet Mask              1      Specifies the client's subnet mask.
Router                   3      Specifies the router IP addresses that may serve as the client's default
                                gateway.
Domain Name Server       6      Specifies the DNS servers that are available to the client.
Domain Name              15     Specifies the domain name that the client should use when resolving
                                hostnames via DNS.
IP Address Lease Time    51     Specifies the amount of time that the client is allowed to use an
                                assigned IP address.
DHCP Message Type        53     1: DHCPDISCOVER, 2: DHCPOFFER, 3: DHCPREQUEST, 4: DHCPDECLINE,
                                5: DHCPACK, 6: DHCPNAK, 7: DHCPRELEASE, 8: DHCPINFORM
Parameter Request List   55     Clients use this option to tell the server which parameters they require.
                                It is a series of octets where each octet is a DHCP option code.
Renewal Time             58     Specifies the amount of time after the IP address is granted that the
                                client attempts to renew its lease with the original server.
Rebinding Time           59     Specifies the amount of time after the IP address is granted that the
                                client attempts to renew its lease with any server, if the original server
                                does not respond.
End                      255    Signals the last option in the DHCP packet.
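A parser for the Figure 180 packet layout and the Table 29 options, as an added example that is not part of this guide or of FTOS. It rejects an option whose Length runs past the packet instead of reading beyond it, which is the check a snooping or relay implementation needs on untrusted client traffic; the DHCPDISCOVER it builds is constructed, and its xid, MAC and relay address are made up.

```python
"""Parser for the DHCP packet layout of Figure 180 and the TLV options of
Table 29. Added example for illustration, not FTOS code; the sample packet
below is constructed, and its xid, MAC and addresses are made up."""
import socket
import struct
from typing import Dict, List, Union

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 marker that starts the options field
FIXED_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # op .. file, 236 bytes
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk the Code/Length/Value list. Code 0 is a one-byte pad and 255 is End;
    a Length that runs past the buffer is rejected instead of being read past the end."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:                                  # End
            return options
        if code == 0:                                    # Pad
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} exceeds the packet")
        options[code] = options.get(code, b"") + value   # RFC 2132: repeated codes concatenate
        i += 2 + length
    raise ValueError("options field is not terminated by End (255)")


def describe_option(code: int, value: bytes) -> Union[str, int, List[str], List[int]]:
    """Decode the Table 29 options that have a fixed layout; anything else stays hex."""
    if code in (1, 51, 58, 59) and len(value) != 4:
        raise ValueError(f"option {code}: expected 4 bytes, got {len(value)}")
    if code == 1:                                        # Subnet Mask
        return socket.inet_ntoa(value)
    if code in (3, 6):                                   # Router, Domain Name Server
        if len(value) % 4:
            raise ValueError(f"option {code}: address list is not a multiple of 4 bytes")
        return [socket.inet_ntoa(value[i:i + 4]) for i in range(0, len(value), 4)]
    if code == 15:                                       # Domain Name
        return value.decode("ascii")
    if code in (51, 58, 59):                             # Lease, Renewal (T1), Rebinding (T2), seconds
        return struct.unpack("!I", value)[0]
    if code == 53:                                       # DHCP Message Type
        if len(value) != 1:
            raise ValueError("option 53: expected 1 byte")
        return MESSAGE_TYPES.get(value[0], f"unknown({value[0]})")
    if code == 55:                                       # Parameter Request List
        return list(value)
    return value.hex()


def parse_dhcp(packet: bytes) -> dict:
    """Split a DHCP packet into the Figure 180 header fields and decoded options."""
    cookie_end = FIXED_HEADER.size + len(MAGIC_COOKIE)
    if len(packet) < cookie_end:
        raise ValueError("packet is shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = FIXED_HEADER.unpack_from(packet)
    if hlen > len(chaddr):
        raise ValueError("hlen is larger than the 16-byte chaddr field")
    if packet[FIXED_HEADER.size:cookie_end] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing; no RFC 2132 options present")
    options = parse_options(packet[cookie_end:])
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),               # the only defined bit of 'flags'
        "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr), "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": sname.rstrip(b"\0").decode("ascii", "replace"),
        "file": file.rstrip(b"\0").decode("ascii", "replace"),
        "options": {code: describe_option(code, value) for code, value in options.items()},
    }


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER as a relay agent would forward it (hops=1, giaddr set)."""
    mac = bytes.fromhex("0001e8000001")                  # made-up client MAC
    header = FIXED_HEADER.pack(1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                               b"\0" * 4, b"\0" * 4, b"\0" * 4,
                               socket.inet_aton("10.1.1.1"),          # giaddr: the relay agent
                               mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, 1])                         # DHCP Message Type = DHCPDISCOVER
               + bytes([55, 4, 1, 3, 6, 15])             # Parameter Request List
               + bytes([0])                              # Pad
               + bytes([255]))                           # End
    return header + MAGIC_COOKIE + options
```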


Assigning an IP Address using DHCP


When a client joins a network:
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available
DHCP servers. This message includes the parameters that the client requires and might include
suggested values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that
offers the client values for the requested parameters. Multiple servers might respond to a single
DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
3. The client broadcasts a DHCPREQUEST message in response to the offer, requesting the offered
values.
4. Upon receiving a DHCPREQUEST, the server binds the client's unique identifier (the hardware
address plus IP address) to the accepted configuration parameters and stores the data in a database
called a binding table. The server then broadcasts a DHCPACK message, which signals to the client
that it may begin using the assigned parameters.
5. When the client leaves the network, or the lease time expires, the client returns its IP address to the
server in a DHCPRELEASE message.
There are additional messages that are used in case the DHCP negotiation deviates from the process
previously described and shown in Figure 181.

DHCPDECLINE: A client sends this message to the server in response to a DHCPACK if the
configuration parameters are unacceptable, for example, if the offered address is already in use. In this
case, the client starts the configuration process over by sending a DHCPDISCOVER.
DHCPINFORM: A client uses this message to request configuration parameters when it has been assigned
an IP address manually rather than with DHCP. The server responds by unicast.
DHCPNAK: A server sends this message to the client if it is not able to fulfill a DHCPREQUEST,
for example if the requested address is already in use. In this case, the client starts the configuration
process over by sending a DHCPDISCOVER.

Figure 181 Assigning Network Parameters using DHCP
(diagram: message flow between Client, Relay Agent, and Server: 1. DHCPDISCOVER, 2. DHCPOFFER,
3. DHCPREQUEST, 4. DHCPACK, 5. DHCPRELEASE)


Implementation Information

The Force10 implementation of DHCP is based on RFC 2131 and RFC 3046.
DHCP is available on VLANs and Private VLANs.
IP Source Address Validation is a sub-feature of DHCP Snooping; FTOS uses ACLs internally to
implement this feature and, as such, you cannot apply ACLs to an interface which has IP Source
Address Validation. If you configure IP Source Address Validation on a member port of a VLAN and
then attempt to apply an access list to the VLAN, FTOS displays the first line in Message 12. If you first
apply an ACL to a VLAN and then attempt to enable IP Source Address Validation on one of its member
ports, FTOS displays the second line in Message 12.

Message 12 DHCP Snooping with VLAN ACL Compatibility Error

% Error: Vlan member has access-list configured.
% Error: Vlan has an access-list configured.

FTOS provides 40K entries that can be divided between leased addresses and excluded addresses. By
extension, the maximum number of pools you can configure depends on the subnet mask that
you give to each pool. FTOS displays an error message for configurations that exceed the allocated
memory.
E-Series supports 16K DHCP Snooping entries across 500 VLANs.
C-Series and S-Series support 4K DHCP Snooping entries.
All platforms support DAI on 16 VLANs per system.

Configuration Tasks

Configure the System to be a DHCP Server on page 314


Configure the System to be a Relay Agent on page 322
Configure Secure DHCP on page 323

Configure the System to be a DHCP Server


Configure the System to be a DHCP Server is supported only on platforms: C-Series, S-Series

A DHCP server is a network device that has been programmed to provide network configuration
parameters to clients upon request. Servers typically serve many clients, making host management much
more organized and efficient.
The key responsibilities of DHCP servers are:
1. Address Storage and Management: DHCP servers are the owners of the addresses used by DHCP
clients. The server stores the addresses and manages their use, keeping track of which addresses have
been allocated and which are still available.


2. Configuration Parameter Storage and Management: DHCP servers also store and maintain other
parameters that are sent to clients when requested. These parameters specify in detail how a client is to
operate.
3. Lease Management: DHCP servers use leases to allocate addresses to clients for a limited time. The
DHCP server maintains information about each of the leases, including lease length.
4. Responding To Client Requests: DHCP servers respond to different types of requests from clients,
primarily, granting, renewing, and terminating leases.
5. Providing Administration Services: The DHCP server includes functionality that allows an
administrator to implement policies that govern how DHCP performs its other tasks.

Configuration Tasks
To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration
parameters and policy information including IP address ranges, lease length specifications, and
configuration data that DHCP hosts need.
Configuring the Force10 system to be a DHCP server is a 3-step process:
1. Configure the Server for Automatic Address Allocation
2. Specify a Default Gateway
3. Enable DHCP Server

Related Configuration Tasks

Specify a DHCP Database Agent


Configure a Method of Hostname Resolution on page 318
Specify Values for DHCP Options on page 319
Allocate Addresses to BOOTP Clients on page 319
Create Manual Binding Entries on page 319
Enable DHCP Filtering on page 321
Client Configuration on page 321
Check for Address Conflicts on page 321
DHCP Clear Commands on page 322

Configure the Server for Automatic Address Allocation


Automatic Address Allocation is an address assignment method, by which the DHCP server leases an IP
address to a client from a pool of available addresses.

Create an IP Address Pool


An address pool is a range of IP addresses that may be assigned by the DHCP server. Address pools are
indexed by subnet number.


To create an address pool:

Step  Task                                                           Command Syntax                   Command Mode
1     Access the DHCP server CLI context.                            ip dhcp server                   CONFIGURATION
2     Create an address pool and give it a name.                     pool name                        DHCP
3     Specify the range of IP addresses from which the DHCP          network network/prefix-length    DHCP <POOL>
      server may assign addresses.                                   Prefix-length Range: 17-31
      network is the subnet address.
      prefix-length specifies the number of bits used for the
      network portion of the address you specify.
4     Display the current pool configuration.                        show config                      DHCP <POOL>

Once an IP address is leased to a client, only that client may release the address. FTOS performs an IP +
MAC source address validation to ensure that no client can release another client's address. This is default
behavior, and is separate from IP+MAC Source Address Validation on page 330.

Exclude Addresses from the Address Pool


The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to
DHCP clients. You must specify the IP addresses that the DHCP server should not assign to clients.

Task                                                          Command Syntax       Command Mode
Exclude an address range from DHCP assignment. The            excluded-address     DHCP
exclusion applies to all configured pools.

Specify an Address Lease Time

Task                                                          Command Syntax                                Command Mode
Specify an address lease time for the addresses in a pool.   lease {days [hours] [minutes] | infinite}     DHCP <POOL>
                                                              Default: 24 hours

Specify a Default Gateway

The IP address of the default router should be on the same subnet as the client.

Task                                                          Command Syntax             Command Mode
Specify default gateway(s) for the clients on the subnet,     default-router address     DHCP <POOL>
in order of preference.
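The server side of the negotiation on page 313 (DISCOVER, OFFER, REQUEST, ACK, NAK, DECLINE, RELEASE) together with the pool rules above (network with a 17-31 prefix-length, excluded-address, lease, default-router on the client subnet, and the rule that only the leasing client may release its address) modelled in Python, as an added example that is not FTOS code or part of this guide. The addresses and MACs are made up, and time is passed in as a simulated clock.

```python
"""Model of the server side of the DHCP negotiation on page 313 and of the pool
rules on page 316: 'network' with a 17-31 prefix-length, 'excluded-address',
'lease' (24 hours by default), 'default-router' on the pool's subnet, and the rule
that only the client holding a lease may release it (IP + MAC validation).
Added example for illustration, not FTOS code; addresses and MACs are made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Binding:
    ip: str
    mac: str
    expires: int            # absolute time in seconds


@dataclass
class DhcpPool:
    network: str                                        # 'network <subnet>/<prefix-length>'
    lease: int = 24 * 3600                              # 'lease', default 24 hours
    default_router: Optional[str] = None                # 'default-router'
    excluded: Set[str] = field(default_factory=set)     # 'excluded-address'
    bindings: Dict[str, Binding] = field(default_factory=dict)   # binding table, keyed by IP
    offers: Dict[str, str] = field(default_factory=dict)         # MAC -> address offered, not yet acked
    declined: Set[str] = field(default_factory=set)     # addresses a client reported as already in use

    def __post_init__(self) -> None:
        self.net = ipaddress.ip_network(self.network)
        if not 17 <= self.net.prefixlen <= 31:
            raise ValueError("prefix-length range is 17-31")
        if self.default_router and ipaddress.ip_address(self.default_router) not in self.net:
            raise ValueError("the default router must be on the same subnet as the clients")

    def _binding_for(self, mac: str, now: int) -> Optional[Binding]:
        return next((b for b in self.bindings.values() if b.mac == mac and b.expires > now), None)

    def _free_address(self, now: int) -> Optional[str]:
        """First address that is not excluded, declined, leased or currently offered."""
        for host in self.net.hosts():
            addr = str(host)
            if addr in self.excluded or addr in self.declined or addr in self.offers.values():
                continue
            bound = self.bindings.get(addr)
            if bound is not None and bound.expires > now:
                continue
            return addr
        return None

    def discover(self, mac: str, now: int) -> Optional[Tuple[str, str]]:
        """DHCPDISCOVER -> DHCPOFFER, or None when the pool is exhausted."""
        current = self._binding_for(mac, now)
        addr = current.ip if current else self._free_address(now)
        if addr is None:
            return None
        self.offers[mac] = addr
        return ("DHCPOFFER", addr)

    def request(self, mac: str, requested: str, now: int) -> Tuple[str, Optional[str]]:
        """DHCPREQUEST -> DHCPACK (binding stored) or DHCPNAK (not offered/renewable, or in use)."""
        offered = self.offers.pop(mac, None)
        current = self._binding_for(mac, now)
        if requested != offered and not (current and current.ip == requested):
            return ("DHCPNAK", None)
        holder = self.bindings.get(requested)
        if holder is not None and holder.mac != mac and holder.expires > now:
            return ("DHCPNAK", None)
        self.bindings[requested] = Binding(requested, mac, now + self.lease)
        return ("DHCPACK", requested)

    def decline(self, mac: str, addr: str) -> None:
        """DHCPDECLINE: the client found the address in use; stop handing it out."""
        holder = self.bindings.get(addr)
        if holder is not None and holder.mac == mac:
            del self.bindings[addr]
        self.declined.add(addr)

    def release(self, mac: str, addr: str) -> bool:
        """DHCPRELEASE: honoured only when both IP and MAC match the binding."""
        holder = self.bindings.get(addr)
        if holder is None or holder.mac != mac:
            return False
        del self.bindings[addr]
        return True
```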


Enable DHCP Server


DHCP server is disabled by default.

Step  Task                                       Command Syntax     Command Mode
1     Enter the DHCP command-line context.       ip dhcp server     CONFIGURATION
2     Enable DHCP server.                        no disable         DHCP
                                                 Default: Disabled
3     Display the current DHCP configuration.    show config        DHCP

In Figure 182, an IP phone is powered by PoE and has acquired an IP address from the Force10 system,
which is advertising LLDP-MED. The leased IP address is displayed using show ip dhcp binding, and
confirmed with show lldp neighbors.
Figure 182 Configuring DHCP Server
(diagram; labels: DNS Server, 7/1, Relay Agent)

Specify a DHCP Database Agent


A DHCP database agent is an FTP or TFTP server that stores the binding table. You can configure
multiple DHCP database agents.
To specify the database agent:

Task                                                             Command Syntax                                Command Mode
Specify the FTP or TFTP server(s) that will store the binding    ip dhcp database [timeout | update-delay]     CONFIGURATION
table. Optional: specify the amount of time the system waits     Default timeout: 300 seconds
before aborting an update if it cannot reach the agent, and      Default update-delay: 300 seconds
the period between binding table updates.


Configure a Method of Hostname Resolution


Force10 systems are capable of providing DHCP clients with parameters for two methods of hostname
resolution.

Address Resolution using DNS


A domain is a group of networks. DHCP clients query DNS servers when they need to correlate host
names to IP addresses.

Step  Task                                                         Command Syntax        Command Mode
1     Create a domain.                                             domain-name name      DHCP <POOL>
2     Specify in order of preference the DNS servers that are      dns-server address    DHCP <POOL>
      available to a DHCP client.

Address Resolution using NetBIOS WINS

Windows Internet Naming Service (WINS) is a name resolution service that Microsoft DHCP clients use
to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of
four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.

Step  Task                                                         Command Syntax                  Command Mode
1     Specify the NetBIOS Windows Internet Naming Service (WINS)   netbios-name-server address     DHCP <POOL>
      name servers, in order of preference, that are available
      to Microsoft Dynamic Host Configuration Protocol (DHCP)
      clients.
2     Specify the NetBIOS node type for a Microsoft DHCP client.   netbios-node-type type          DHCP <POOL>
      Force10 recommends specifying clients as hybrid.


Specify Values for DHCP Options


DHCP provides a framework for passing configuration information to hosts on a TCP/IP network.
Configuration parameters and other control information are carried in tagged data items that are stored in
the options field of the DHCP message. The data items themselves are also called options. The current set
of DHCP options are documented in RFC 2132.
Task                                                          Command Syntax                                     Command Mode
Code specifies the DHCP option code.                          option code [instance number] {ascii string |      DHCP
Instance number is a number that can range from 0 to 255      hex string | ip address}
that is used when the data in an option is too long for a     Default Instance: 0
single TLV.

Allocate Addresses to BOOTP Clients


Network segments may have both BOOTP and DHCP clients. In this kind of environment, there might be
a BOOTP server and a DHCP server to serve the two types of clients separately. However, DHCP servers
respond to BOOTP requests, which in this case would be undesirable because BOOTP clients might
receive an address from the DHCP pool. To prevent this, you can configure the DHCP server to ignore
BOOTP request packets so that only the BOOTP server serves BOOTP clients.

Task                                                       Command Syntax             Command Mode
Enable address allocation to BOOTP clients. The            ip dhcp bootp automatic    DHCP
addresses are from the DHCP address pool for the subnet.
Selectively ignore BOOTP request packets.                  ip dhcp bootp ignore       DHCP

Create Manual Binding Entries


An address binding is a mapping between the IP address and Media Access Control (MAC) address of a
client. The DHCP server assigns the client an available IP address automatically, and then creates an entry in
the binding table. However, the administrator can manually create an entry for a client; manual bindings
are useful when you want to guarantee that a particular network device receives a particular IP address.
Manual bindings can be considered single-host address pools. There is no limit on the number of manual
bindings, but you can only configure one manual binding per host.
Note: FTOS does not prevent you from using a network IP as a host IP; be sure not to use a network IP
as a host IP.


To create a manual binding:

Step  Task                                                        Command Syntax                              Command Mode
1     Create an address pool.                                     pool name                                   DHCP
2     Specify the client IP address.                              host address                                DHCP <POOL>
3     Specify the client hardware address or client-identifier.   hardware-address hardware-address type      DHCP <POOL>
      hardware-address is the client MAC address.                 client-identifier unique-identifier
      type is the protocol of the hardware platform. The
      default protocol is Ethernet.
      client-identifier is required for Microsoft clients
      instead of a hardware address. The client identifier is
      formed by concatenating the media type and the MAC
      address of the client. Refer to the "Address Resolution
      Protocol Parameters" section of RFC 1700, Assigned
      Numbers, for a list of media type codes.

Dynamic Host Configuration Protocol

Enable DHCP Filtering

Task                                                    Command Syntax       Command Mode
Configure the system to block DHCP packets on all       ip dhcp filtering    CONFIGURATION
physical and VLAN interfaces.
Override the global DHCP filtering command for a        ip dhcp filtering    INTERFACE
specific interface.

Client Configuration

Task                                                            Command Syntax        Command Mode
Specify the name of a Dynamic Host Configuration Protocol       client-name name      DHCP
(DHCP) client. The client name should not include the
domain name.
Specify a boot file for the DHCP client. The boot file          bootfile filename     DHCP
stores the boot image for the client, which is generally
the client's operating system.
Specify the next server(s), in order of preference, in a        next-server address   DHCP
client's boot process. address is the IP address of the
next server in the boot process, which is typically a TFTP
server. If next-server is not configured, the DHCP server
uses the inbound interface helper addresses as boot
servers.

Check for Address Conflicts


By default, the DHCP server pings an address from the pool twice before assigning the address to a client
to attempt to verify that it is not in use. If the ping is unanswered, the DHCP server assumes that the
address is not in use and assigns the address. By default, the DHCP server waits 500 milliseconds before
timing out a ping packet.
Task                                                       Command Syntax                       Command Mode
Specify the number of ping packets the DHCP server         ip dhcp ping packets number          CONFIGURATION
sends to the pool address before assigning the address.    Default: 2
Change the amount of time the server waits for a ping      ip dhcp ping timeout milliseconds    CONFIGURATION
reply before considering the ping a failure.               Default: 500 milliseconds


An address conflict occurs when two hosts use the same IP address. The server checks for a conflict using
ping and the client checks for conflict using gratuitous ARP. If a conflict is detected, the address is
removed from the pool. The address will not be assigned until the administrator resolves the conflict.
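The pool behaviour described in the manual-binding and address-conflict sections above, as an added example (not FTOS code): a per-subnet pool in which manual bindings act as single-host pools, every candidate address is probed the configured number of times before assignment, an answered probe withholds the address until an operator clears the conflict, and the pool is sized with the FTOS defaults (2 pings, 500 ms). The subnet, MAC addresses and the probe callback are constructed for the demonstration; a real server would send ICMP echo requests where the probe is called.

```python
"""DHCP address pool with manual bindings and ping-before-assign conflict
detection, modelled on the pool, manual-binding and conflict-check behaviour
described above.  This is an added example, not FTOS code; the subnet, the
MAC addresses and the probe function are constructed for the demonstration."""
import ipaddress


class AddressPool:
    """One subnet's pool.  A manual binding is a single-host pool: the bound
    client always receives its address, and nobody else can receive it."""

    def __init__(self, network, ping_packets=2, ping_timeout_ms=500):
        self.network = ipaddress.ip_network(network)
        self.ping_packets = ping_packets            # FTOS default: 2 pings
        self.ping_timeout_ms = ping_timeout_ms      # FTOS default: 500 ms
        self.manual = {}          # mac -> address, created by the administrator
        self.bindings = {}        # mac -> address, every current binding
        self.conflicts = set()    # addresses withheld until an operator clears them
        self.conflict_log = []    # what "ip dhcp conflict logging" would record

    def bind_manual(self, mac, address):
        """Create a manual binding: one per host, never the network or broadcast address."""
        ip = ipaddress.ip_address(address)
        if ip not in self.network or ip in (self.network.network_address, self.network.broadcast_address):
            raise ValueError(f"{ip} is not a host address in {self.network}")
        if mac in self.manual or ip in self.bindings.values():
            raise ValueError(f"{mac} or {ip} is already bound")
        self.manual[mac] = ip
        self.bindings[mac] = ip

    def in_use(self, ip, probe):
        """Send up to ping_packets probes; any reply means the address is taken."""
        return any(probe(str(ip), self.ping_timeout_ms) for _ in range(self.ping_packets))

    def allocate(self, mac, probe):
        """Return an address for mac, or None when the pool is exhausted."""
        if mac in self.bindings:
            return self.bindings[mac]
        taken = set(self.bindings.values()) | self.conflicts
        for ip in self.network.hosts():
            if ip in taken:
                continue
            if self.in_use(ip, probe):
                self.conflicts.add(ip)                # removed from the pool until cleared
                self.conflict_log.append(f"conflict: {ip} answered ping, withheld from pool")
                continue
            self.bindings[mac] = ip
            return ip
        return None

    def release(self, mac):
        """DHCPRELEASE or "clear ip dhcp binding": manual bindings persist."""
        if mac not in self.manual:
            self.bindings.pop(mac, None)

    def clear_conflict(self, address=None):
        """"clear ip dhcp conflict": return one address, or all of them, to the pool."""
        if address is None:
            self.conflicts.clear()
        else:
            self.conflicts.discard(ipaddress.ip_address(address))


def demo():
    """Constructed scenario: 10.1.1.1 is a statically addressed device the
    pool does not know about, so it answers ping and is withheld."""
    pool = AddressPool("10.1.1.0/29")                 # hosts 10.1.1.1 - 10.1.1.6
    pool.bind_manual("00:11:22:33:44:55", "10.1.1.5")
    probes = []

    def probe(ip, timeout_ms):                        # stands in for the ICMP echo request
        probes.append(ip)
        return ip == "10.1.1.1"

    first = pool.allocate("aa:bb:cc:dd:ee:01", probe)
    second = pool.allocate("aa:bb:cc:dd:ee:02", probe)
    bound = pool.allocate("00:11:22:33:44:55", probe)
    return pool, first, second, bound, probes
```

Running demo() shows the two consequences the text describes: the first dynamic client skips 10.1.1.1 after a single answered ping and receives 10.1.1.2, and the manually bound client receives 10.1.1.5 without any probe, because a manual binding is never re-verified or released.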
Task                        Command Syntax              Command Mode
Log IP address conflicts.   ip dhcp conflict logging    CONFIGURATION

DHCP Clear Commands

Task                                                   Command Syntax                     Command Mode
Clear DHCP binding entries for the entire binding      clear ip dhcp binding              EXEC Privilege
table.
Clear a DHCP binding entry for an individual IP        clear ip dhcp binding ip address   EXEC Privilege
address.
Clear a DHCP address conflict.                         clear ip dhcp conflict             EXEC Privilege
Clear DHCP server counters.                            clear ip dhcp server statistics    EXEC Privilege

Configure the System to be a Relay Agent


DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not
receive a response to its request and therefore cannot access the network.
You can configure an interface on the Force10 system to relay the DHCP messages to a specific DHCP
server using the command ip helper-address dhcp-address from INTERFACE mode, as shown in
Figure 183. Specify multiple DHCP servers by entering the ip helper-address dhcp-address command
multiple times.
When ip helper-address is configured, the system listens for DHCP broadcast messages on port 67. The
system rewrites packets received from the client and forwards them via unicast; the system rewrites the
destination IP address and writes its own address as the relay device. Responses from the server are unicast
back to the relay agent on port 68, and the relay agent rewrites the destination address and forwards the
packet to the client subnet via broadcast.
Note: DHCP Relay is not available on Layer 2 interfaces.
Note: In a Private VLAN, ip helper-address is configured from Interface VLAN mode of the Primary
VLAN. When ip helper-address is configured, the system listens for DHCP broadcast messages on port
67. The system rewrites packets received from the clients on primary and secondary (community and
isolated) VLANs and forwards them via unicast; the system rewrites the destination IP address and writes
the primary VLAN's IP as the relay device. Responses from the server are unicast back to the relay agent
on port 68, and the relay agent rewrites the destination address and forwards the packet to the client
subnet via broadcast.


Figure 183 Configuring Force10 Systems as a DHCP Relay Device

[Figure: R1 receives client broadcasts on GigabitEthernet 1/3 (10.11.0.3) and relays them, via interface
1/4, to the DHCP servers 10.11.1.5 and 10.11.2.5. The packet headers shown in the figure are:]
Client to R1 (broadcast): Source IP 0.0.0.0, Destination IP 255.255.255.255, Source Port 68,
Destination Port 67, Relay Agent Address 0.0.0.0
R1 to server (unicast): Source IP 0.0.0.0, Destination IP 10.11.1.5, Source Port 68,
Destination Port 67, Relay Agent Address 10.11.0.3
Server to R1 (unicast): Source IP 10.11.1.5, Destination IP 10.11.0.3, Source Port 67,
Destination Port 68
R1 to client (broadcast): Source IP 10.11.1.5, Destination IP 255.255.255.255, Source Port 67,
Destination Port 68

R1(conf-if-gi-1/3)#show config
!
interface GigabitEthernet 1/3
 ip address 10.11.0.3/24
 ip helper-address 10.11.1.5
 ip helper-address 10.11.2.5
 no shutdown

To view the ip helper-address configuration for an interface, use the command show ip interface from
EXEC privilege mode, Figure 250.
Figure 184 Displaying the Helper Address Configuration
R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
192.168.0.2
Directed broadcast forwarding is disabled
Proxy ARP is enabled
Split Horizon is enabled
Poison Reverse is disabled
ICMP redirects are not sent
ICMP unreachables are not sent

Configure Secure DHCP


DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a
suite of features that protects networks that use dynamic address allocation from spoofing and attacks.

Option 82 on page 324
DHCP Snooping on page 324
Dynamic ARP Inspection on page 327
Source Address Validation on page 329

Option 82
RFC 3046 (Relay Agent Information option, or Option 82) is used for class-based IP address assignment.
The code for the Relay Agent Information option is 82, and it consists of two sub-options, Circuit ID
and Remote ID.
- Circuit ID is the interface on which the client-originated message is received.
- Remote ID identifies the host from which the message is received. The value of this sub-option is the
  MAC address of the relay agent that adds Option 82.

The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can
use this information to:
- track the number of address requests per relay agent; restricting the number of addresses available per
  relay agent can harden a server against address exhaustion attacks.
- associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing
  the same MAC address on a different relay agent.
- assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to
  requests from an unauthorized relay agent.

The server echoes the option back to the relay agent in its response, and the relay agent can use the
information in the option to forward a reply out the interface on which the request was received rather than
flooding it on the entire VLAN.
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
Task                                                  Command Syntax                                        Command Mode
Insert Option 82 into DHCP packets. For routers       ip dhcp relay information-option [trust-downstream]   CONFIGURATION
between the relay agent and the DHCP server, enter
the trust-downstream option.
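The relay-agent exchange of Figure 183 together with the Option 82 handling described above, as an added example that is not part of this guide and not FTOS code. It models a relay interface with two helper addresses that rewrites the client broadcast into one unicast per server, records itself in giaddr, inserts Option 82 with the ingress interface as Circuit ID and its own MAC as Remote ID, then strips the echoed option from the reply and uses the Circuit ID to pick the egress interface. The relay address, helper addresses and interface name follow Figure 183; the MAC addresses, transaction ID and offered address are constructed, and server_offer is a minimal stand-in for the server side of the round trip.

```python
"""DHCP relay with Option 82 (RFC 3046), modelled on the relay and Option 82
behaviour described above.  Added example, not FTOS code: relay 10.11.0.3,
helpers 10.11.1.5/10.11.2.5 and GigabitEthernet 1/3 follow Figure 183; MACs
and the transaction ID are constructed.  A datagram is the tuple
(src_ip, dst_ip, src_port, dst_port, payload)."""
import ipaddress

SERVER_PORT, CLIENT_PORT, BROADCAST = 67, 68, "255.255.255.255"
MAGIC_COOKIE, BOOTREQUEST, BOOTREPLY = b"\x63\x82\x53\x63", 1, 2
DHCPDISCOVER, DHCPOFFER, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 1, 2, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
GIADDR_OFFSET, OPTIONS_OFFSET = 24, 240   # giaddr field; 236-byte header + 4-byte cookie


def set_options(frame, opts):
    """Replace the options field with the given [(code, value)] TLVs."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in opts)
    return frame[:OPTIONS_OFFSET] + body + bytes([OPT_END])


def parse_tlvs(data, pos=0):
    """Decode [(code, value)] TLVs (options after the cookie, or Option 82 sub-options)."""
    out = []
    while pos < len(data) and data[pos] != OPT_END:
        if data[pos] == 0:                            # pad byte
            pos += 1
            continue
        length = data[pos + 1]
        out.append((data[pos], data[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return out


def build_message(op, xid, chaddr, opts):
    """Minimal RFC 2131 frame: htype 1, hlen 6, hops 0, broadcast flag, zeroed address fields."""
    fixed = bytes([op, 1, 6, 0]) + xid.to_bytes(4, "big") + b"\x00\x00\x80\x00"
    fixed += b"\x00" * 16 + chaddr.ljust(16, b"\x00") + b"\x00" * 192
    return set_options(fixed + MAGIC_COOKIE, opts)


def giaddr(frame):
    return str(ipaddress.ip_address(frame[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


class RelayAgent:
    """An interface with ip helper-address entries and, optionally, ip dhcp relay information-option."""

    def __init__(self, address, mac, helpers, information_option=False):
        self.address, self.mac, self.helpers = address, mac, list(helpers)
        self.information_option = information_option

    def from_client(self, datagram, ingress_interface):
        src, dst, sport, dport, frame = datagram
        if dst != BROADCAST or dport != SERVER_PORT:
            return []                                 # not a client broadcast
        if giaddr(frame) == "0.0.0.0":                # first hop records the relay address
            packed = ipaddress.ip_address(self.address).packed
            frame = frame[:GIADDR_OFFSET] + packed + frame[GIADDR_OFFSET + 4:]
        if self.information_option:                   # Circuit ID = ingress port, Remote ID = relay MAC
            circuit = ingress_interface.encode()
            sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
                   + bytes([SUBOPT_REMOTE_ID, len(self.mac)]) + self.mac)
            frame = set_options(frame, parse_tlvs(frame, OPTIONS_OFFSET) + [(OPT_RELAY_AGENT_INFO, sub)])
        # one unicast copy per helper address, ports as shown in Figure 183
        return [(self.address, server, CLIENT_PORT, SERVER_PORT, frame) for server in self.helpers]

    def from_server(self, datagram):
        src, dst, sport, dport, frame = datagram
        if dst != self.address or dport != CLIENT_PORT:
            return None, None
        egress, kept = None, []
        for code, value in parse_tlvs(frame, OPTIONS_OFFSET):
            if code == OPT_RELAY_AGENT_INFO:          # echoed back: learn the egress port, then strip it
                egress = dict(parse_tlvs(value)).get(SUBOPT_CIRCUIT_ID, b"").decode()
            else:
                kept.append((code, value))
        return (src, BROADCAST, SERVER_PORT, CLIENT_PORT, set_options(frame, kept)), egress


def server_offer(server_address, datagram, offered_ip):
    """Minimal server side: unicast a DHCPOFFER to giaddr, echoing Option 82 unchanged."""
    frame = datagram[4]
    echoed = [(c, v) for c, v in parse_tlvs(frame, OPTIONS_OFFSET) if c == OPT_RELAY_AGENT_INFO]
    reply = bytes([BOOTREPLY]) + frame[1:16] + ipaddress.ip_address(offered_ip).packed + frame[20:OPTIONS_OFFSET]
    reply = set_options(reply, [(OPT_MSG_TYPE, bytes([DHCPOFFER]))] + echoed)
    return (server_address, giaddr(frame), SERVER_PORT, CLIENT_PORT, reply)


def demo():
    """Discover from the client on GigabitEthernet 1/3, relayed, answered and relayed back."""
    relay = RelayAgent("10.11.0.3", bytes.fromhex("0001e8aabbcc"), ["10.11.1.5", "10.11.2.5"], True)
    discover = build_message(BOOTREQUEST, 0x3903F326, bytes.fromhex("00c0ffee0001"),
                             [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    relayed = relay.from_client(("0.0.0.0", BROADCAST, CLIENT_PORT, SERVER_PORT, discover), "GigabitEthernet 1/3")
    offer = server_offer("10.11.1.5", relayed[0], "10.11.0.10")
    to_client, egress = relay.from_server(offer)
    return discover, relayed, offer, to_client, egress
```

The point to notice is the asymmetry: the server's reply carries Option 82 so the relay can select the egress interface instead of flooding the VLAN, but the client never sees the option, and a reply that is not addressed to the relay's own address on port 68 is ignored rather than broadcast onward.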

DHCP Snooping
DHCP Snooping protects networks from spoofing. In the context of DHCP Snooping, all ports are either
trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers
cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.


When DHCP Snooping is enabled, the relay agent builds a binding table using DHCPACK messages; each
entry contains the client MAC address, IP address, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE,
DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is
legitimate and that the packet arrived on the correct port; packets that do not pass this check are forwarded
to the server for validation. This check-point prevents an attacker from spoofing a client and declining
or releasing the real client's address. Server-originated packets (DHCPOFFER, DHCPACK,
DHCPNACK) that arrive on an untrusted port are also dropped. This check-point prevents an attacker
from impersonating a DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or when the relay agent encounters a DHCPRELEASE,
DHCPNACK, or DHCPDECLINE.
FTOS Behavior: Introduced in FTOS version 7.8.1.0, DHCP Snooping was available for Layer 3 only
and dependent on DHCP Relay Agent (ip helper-address). FTOS version 8.2.1.0 extends DHCP
Snooping to Layer 2, and you do not have to enable relay agent to snoop on Layer 2 interfaces.
FTOS Behavior: Binding table entries are deleted when a lease expires or when the relay agent
encounters a DHCPRELEASE. Starting with FTOS Release 8.2.1.2, line cards maintain a list of
snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped
VLANs, while these packets are forwarded across non-snooped VLANs. Since DHCP packets are
dropped, no new IP address assignments are made. However, DHCPRELEASE and DHCPDECLINE
packets are allowed so that the DHCP snooping table can decrease in size. Once the table usage falls
below the maximum limit of 4000 entries, new IP address assignments are allowed.

FTOS Behavior: In 8.2.1 releases, ip dhcp snooping trust was required on the port-channel interface
as well as on channel members. In subsequent releases, it is no longer necessary nor permitted to
configure port-channel members as trusted; configuring the port-channel interface alone as trusted is
sufficient, and ports must have the default configuration to be channel members. When upgrading
from 8.2.1 releases, the channel-member configurations are applied first, so when the port-channel is
configured, its membership configuration is rejected, since the member ports no longer have the
default configuration. In this case, you must manually remove ip dhcp snooping trust on the channel
members and then add the ports to the port-channel.

Note: DHCP server packets will be dropped on all untrusted interfaces of a system configured for DHCP
snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the
server-connected port.
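The two DHCP Snooping check-points described above, written out as an added example that is not FTOS code: a binding table keyed by client MAC and VLAN, populated from DHCPACKs seen on trusted ports, that vets client RELEASE and DECLINE messages against the recorded MAC, IP and port, drops server-originated messages on untrusted ports, stops new assignments on snooped VLANs once the table is full while still admitting RELEASE and DECLINE, and ages entries out at lease expiry. Port names, VLAN IDs, MAC addresses and lease times are constructed; the 4000-entry limit is the figure the text gives, and the message model carries only the fields the checks need.

```python
"""DHCP Snooping binding table and the two check-points described above:
client-originated RELEASE/DECLINE are checked against the table, and
server-originated OFFER/ACK/NAK are dropped on untrusted ports.  Added
example, not FTOS code; port names, VLAN IDs, MAC addresses and lease times
are constructed, and the 4000-entry limit is the one stated in the text."""
from dataclasses import dataclass
from typing import Optional

DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_ORIGINATED = {DHCPOFFER, DHCPACK, DHCPNAK}
RELEASE_OR_DECLINE = {DHCPRELEASE, DHCPDECLINE}   # still allowed when the table is full


@dataclass
class Message:
    msg_type: int
    client_mac: str
    ingress_port: str
    vlan: int
    client_ip: Optional[str] = None   # yiaddr in an ACK, ciaddr in a RELEASE
    lease_time: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    lease_expires: float
    port: str
    vlan: int
    binding_type: str = "dynamic"


class SnoopingAgent:
    def __init__(self, trusted_ports, snooped_vlans, max_entries=4000):
        self.trusted = set(trusted_ports)   # ports configured with ip dhcp snooping trust
        self.snooped = set(snooped_vlans)
        self.max_entries = max_entries
        self.bindings = {}                  # (mac, vlan) -> Binding
        self.request_ports = {}             # (mac, vlan) -> port the client's request arrived on
        self.clock = 0.0

    def tick(self, now):
        """Advance the clock and delete bindings whose lease has expired."""
        self.clock = now
        for key in [k for k, b in self.bindings.items() if b.lease_expires <= now]:
            del self.bindings[key]

    def inspect(self, msg):
        """Return 'forward', 'drop', or 'validate' (forward to the server for validation)."""
        if msg.vlan not in self.snooped:
            return "forward"
        key = (msg.client_mac, msg.vlan)
        if msg.msg_type in SERVER_ORIGINATED:
            if msg.ingress_port not in self.trusted:
                return "drop"               # a server answering on an untrusted port is not legitimate
            if msg.msg_type == DHCPACK:
                if key not in self.bindings and len(self.bindings) >= self.max_entries:
                    return "drop"           # table exhausted: no new assignments on snooped VLANs
                port = self.request_ports.get(key, msg.ingress_port)
                self.bindings[key] = Binding(msg.client_mac, msg.client_ip,
                                             self.clock + msg.lease_time, port, msg.vlan)
            elif msg.msg_type == DHCPNAK:
                self.bindings.pop(key, None)
            return "forward"
        if msg.msg_type in RELEASE_OR_DECLINE:
            binding = self.bindings.get(key)
            if binding is None or binding.ip != msg.client_ip or binding.port != msg.ingress_port:
                return "validate"           # MAC, IP or port does not match: let the server decide
            del self.bindings[key]
            return "forward"
        if len(self.bindings) >= self.max_entries:
            return "drop"
        self.request_ports[key] = msg.ingress_port    # remembered so the ACK binds the client's port
        return "forward"


def demo():
    """Constructed sequence: a client on Gi 1/5, the real server on trusted Gi 1/1,
    a rogue server answering on Gi 1/5 and a spoofed release arriving from Gi 1/7."""
    agent = SnoopingAgent(trusted_ports={"GigabitEthernet 1/1"}, snooped_vlans={10})
    mac = "00:c0:ff:ee:00:01"
    steps = [
        Message(DHCPDISCOVER, mac, "GigabitEthernet 1/5", 10),
        Message(DHCPOFFER, mac, "GigabitEthernet 1/5", 10, "10.1.10.50"),
        Message(DHCPACK, mac, "GigabitEthernet 1/1", 10, "10.1.10.50", 3600),
        Message(DHCPRELEASE, mac, "GigabitEthernet 1/7", 10, "10.1.10.50"),
        Message(DHCPRELEASE, mac, "GigabitEthernet 1/5", 10, "10.1.10.50"),
        Message(DHCPOFFER, mac, "GigabitEthernet 1/5", 20, "10.1.20.50"),
    ]
    return agent, [agent.inspect(m) for m in steps]
```

The verdict list from demo() reads forward, drop, forward, validate, forward, forward: the rogue OFFER dies on the untrusted port, the spoofed RELEASE from the wrong port is handed to the server for validation instead of clearing the binding, and the OFFER on VLAN 20 passes untouched because that VLAN is not snooped. Note that the binding's port comes from the client's own request, not from the ACK's ingress port, which is the trusted server-facing interface.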

Enable DHCP Snooping


Step

Task

Command Syntax

Command Mode

Enable DHCP Snooping globally.

ip dhcp snooping<