53-1003225-04
19 June 2014
Network OS Administrator’s Guide
Supporting Network OS v4.1.1
Enter the ntp server ip_address command.
switch(config)# ntp server 192.168.10.1
Displaying the active NTP server
Use the show ntp status command to disp
Configuration Management
● Configuration management overview
● Displaying
TABLE 11 Standard switch configuration files (Continued)
Configuration file | Description
Running configuration • running-config | Current configuration act
• The running configuration is nonpersistent.
• To save configuration changes, you must copy the running configuration to the startup configuration.
If
Saving the running configuration
To save the configuration changes you made, copy the running configuration to the startup configuration. The next time
NOTE
This operation is not supported in logical chassis cluster mode, because the running-config will be auto-synced to the startup-config.
The followin
• Interface management IP address
• Software feature licenses installed on the switch
• Virtual IP address
NOTE
Configuration files that were created usin
Managing configurations on a modular chassis
NOTE
When the switch is in logical chassis cluster mode, the running-config file is saved automatically and
• When you change the VCS configuration (VCS mode, RBridge ID, or VCS ID), the configuration change is synchronized with the standby management module
1. Configure one switch.
2. Copy the running configuration to the startup configuration as described in Saving the running configuration on page 104.
3.
priority-group-table 2 weight 60 pfc off
priority-group-table 15.0 pfc off
priority-table 2 2 2 1 2 2 2 15.0
!
interface Vlan 1
 shutdown
!
port-profile defau
Installing and Maintaining Firmware
● Firmware management overview
The firmware can only be downloaded from the file server through the management Ethernet port, so all nodes must have the management Ethernet port conn
Automatic firmware synchronization
When you replace or insert a second management module into a chassis, the active management module automatically sync
Upgrading firmware on a local switch
This section provides overviews and examples of upgrading firmware in a variety of ways.
Preparing for a firmware d
Use the show interface management command to display the IP addresses for the management modules.
switch# show interface management
interface Management
firmware. On a modular chassis, if you enter the firmware download command on the active MM without any options, the command by default wi
1. Ensure that the USB device is connected to the switch.
2. Enter the usb on command in privileged EXEC mode.
switch# usb on
Trying to enable USB device
Downloading firmware by using the manual option
The following procedure applies to a compact switch or a single management module.
1. Verify that the FT
4. At the Do Auto-Commit after Reboot [y/n]: prompt, enter n if you want to commit the firmware manually after downloading the firmware.
switch# firmwar
After the firmware download completes, you can verify that the download has completed properly by doing the following:
1. Execute the show version all-p
Another method for upgrading the logical chassis cluster is by specifying the logical-chassis and rbridge-id options in the firmware download command,
NOTE
All of the nodes specified in the rbridge-id parameter in the firmware activate command will be rebooted at the same time.
switch# firmware activate
• VDX 6730-60
• VDX 6740 and VDX 6740T
• VDX 8770-4 and VDX 8770-8
The example approach presented here, tested in a Brocade lab topology, is intended as
FIGURE 15 Tested topology
The following table summarizes the tested components.
TABLE 13 Tested components and roles
Position | VCS name | Chassis type | Des
Upgrading nodes by using an odd/even approach
To reduce downtimes during planned software upgrades, the network design illustrated here has been provisi
!
sw87#
4. Check the state of the system by using the following show commands.
a) Verify that all the nodes to be upgraded are running the same version,
Link: Te 87/0/14 (0x571807000D) sync: 1
Link: Te 87/0/15 (0x571807800E) sync: 1
Link: Te 87/0/16 (0x571808000F) sync: 1
Link: Te 87/
a)
NOTE
In logical chassis cluster mode, the copy running-config startup-config command is not applicable. Use copy running-config ftp or copy running-co
• Access ports that face servers or hosts. These can be port-channel or physical interfaces, depending upon the host or server configuration.
• Uplink i
NOTE
Because the fabric principal and multicast root nodes have already been identified previously as "even" nodes, we reload the "odd"
TABLE 15 Traffic outage times: "Odd" switches, upgrading from 3.0.1c to 4.0.1
Tool Traffic path 2 Traffic path 1
Layer 2 traffic 0 ms (withi
Downgrading firmware in the VCS Fabric
Do the following to downgrade firmware on nodes in the VCS Fabric.
CAUTION
The downgrade process will disrupt serv
Configuring SNMP
● Simple Network Management Protocol overview
● SNMP configuration
Basic SNMP operation
Every Brocade device carries an agent and management information base (MIB), as shown in the next figure. The agent accesses inform
Brocade MIB structure
Each MIB variable is assigned an object identifier (OID). The OID is the sequence of numeric labels on the nodes along a path from
TABLE 19 MIB access levels
Access level | Description
not accessible | You cannot read or write to this variable.
read create | Specifies a tabular object th
TABLE 20 Agent Capabilities (Continued)
Capability MIBs | Description
BROCADE-LLDP-EXT-DOT3-CAPABILITY-MIB | Provides the implementation details for the L
TABLE 21 Brocade SNMP MIB dependencies
MIB Name | Dependencies
Brocade-REG-MIB | RFC1155-SMI
Brocade-TC | Brocade-REG-MIB, SNMPv2-TC, SNMPv2-SMI
BRCD_NOS_PRODUCTS
TABLE 21 Brocade SNMP MIB dependencies (Continued)
MIB Name | Dependencies
FOUNDRY-SN-NOTIFICATION.mib | SNMPv2-SMI, FOUNDRY-SN-ROOT-MIB, IF-MIB, DOT3-OAM-MIB, FO
• The string variable specifies the community string name. The string can be from 2 to 16 characters long.
• The ro or rw option specifies whether the s
• The ipv4_host | ipv6_host | dns_host variable specifies the IP address of the host.
• The community-string variable sets the community string.
• The v
The example changes the default location string to "Building 3 Room 214." You must enclose the text in double quotes if the text contains spa
Enter the show running-config snmp-server command.
switch# show running-config snmp-server
snmp-server contact "Field Support."
snmp-server loc
Configuring Brocade VCS Fabrics
● Fabric overview
‐ Brocade Link Discovery Protocol (BLDP) attempts to discover if a Brocade VCS Fabric-capable switch is connected to any of the edge ports. Refer to N
Brocade trunks
Network OS 4.0.0 and later supports Brocade trunks (hardware-based link aggregation groups, or LAGs). These LAGs are dynamically formed b
NOTE
Brocade VDX Data Center switches are shipped with factory-programmed world wide names (WWNs) that are unique.
NOTE
In a logical chassis cluster, you
TABLE 22 Command examples for enabling logical chassis cluster mode (Continued)
Command | Command Behavior
switch# vcs vcsid 22 rbridge-id 15 logical-ch
Adding a new switch into a fabric
Complete the following configuration steps to add a new switch into a fabric.
1. Connect to the switch and log in usin
the local interface is ISL disabled. Upon receiving such information, a neighbor switch stops its ISL formation activity regardless of its current inte
Multicast distribution tree-root selection
Network OS v4.0.0 software supports the following distribution tree behaviors.
• The root of the distribution
Configuring VCS virtual IP addresses
A virtual IP address is assigned for each VCS cluster. This virtual IP address is tied to the principal switch in t
TABLE 25 Virtual IP address configuration scenarios (Continued)
Scenario | Description
Virtual IP configuration | When you configure the virtual IP addres
TABLE 26 ECMP load-balancing operands
Operand | Description
dst-mac-vid | Destination MAC address and VID-based load balancing
src-dst-ip | Source and Destin
Configuring Metro VCS
● Metro VCS overview
● Co
FIGURE 20 Metro VCS configuration example
If Metro VCS is configured by using standard ISLs, with distances of up to 1000 m, no limitations occur for su
Metro VCS supports long-distance ISL ports up to 30 km on the Brocade VDX platforms listed below. Links up to 10 km are lossless. You can have eight 1-
TABLE 28 Conditions for long-distance Metro VCS (Continued)
Condition | Extended ISL up to 2 km | Extended ISL up to 5 km | Extended ISL up to 10 km | Extended ISL
Metro VCS using standard-distance ISLs
In order to deploy Metro VCS using standard-distance ISLs, no configuration is required on the ISL. The default c
TABLE 30 Standard Metro VCS port-group schema
Platform | Port groups | Number of port groups on platform
Brocade VDX 6720-60 (10 GbE) | 1–10, 11–20, 21–30,
FIGURE 22 Metro VCS and distributed Ethernet fabrics
In order to connect two distinct VCS Ethernet fabrics between data centers, a third Metro VCS fabr
FIGURE 23 Connecting local VCS clusters over long-distance using vLAG
Guidelines and restrictions for Distributed Ethernet Fabrics using vLAG
Note the f
Src   Src        Nbr   Nbr
Index Interface  Index Interface  Nbr-WWN  BW  Trunk  Nbr-Name
------------------
switchport trunk tag native-vlan
spanning-tree shutdown
shutdown
5. Add member interfaces to the port-channel interface by using the channel-group com
Administering Zones
● Zoning overview
FIGURE 24 Zoning
Connecting to another network through a Fibre Channel (FC) router, you can create a Logical SAN (LSAN) zone to include zone objects on
FIGURE 25 LSAN zoning
NOTE
Zoning in Network OS 4.0.0 and later has the following restrictions:
• Zone objects based on physical port number or port ID (
You can define and manage LSANs using the same zone management tools as for regular zones. The FC router makes LSAN zoning possible by importing device
Refer to the Fabric OS Command Reference Manual for details about the portCfgExport and fcrXlateConfig commands.
Approaches to zoning
The following lists
TABLE 31 Approaches to fabric-based zoning (Continued)
Zoning approach | Description
No zoning | Using no zoning is the least desirable zoning option beca
Several zone configurations can reside on a switch at once, and you can quickly alternate between them. For example, you might want to have one configu
TABLE 32 Considerations for zoning architecture (Continued)
Item | Description
Confirming operation | After changing or enabling a zone configuration, you
| cfg-disable} command or the zoning enabled-configuration cfg-name cfg_name command to commit the operation before re-attempting a firmware download.
If a fabric segments, the newly elected principal RBridge determines whether transaction data are retained. If a segment retains the original principal
3. Enter the zoning enabled-configuration cfg-action cfg-save or zoning enabled-configuration cfg-name command to commit the ongoing transaction and sa
Creating an alias
1. In privileged EXEC mode, enter the show name-server detail command to list the WWNs of devices and targets available in the Brocade
switch(config)# zoning defined-configuration alias alias1
switch(config-alias-alias1)# member-entry 10:00:00:00:00:00:00:02;10:00:00:00:00:00:00:03
swit
switch(config)# no zoning defined-configuration alias alias1
switch(config)# do show running-config zoning
zoning enabled-configuration cfg-name "&
Adding a member to a zone
1. In privileged EXEC mode, enter the show name-server detail command to list the WWNs of devices and targets available on the
switch(config)# zoning defined-configuration zone zone1
switch(config-zone-zone1)# no member-entry 50:05:07:61:00:09:20:b4
switch(config-zone-zone1)# n
 member-zone zone_0_3
 member-zone zone_0_4
 member-zone zone_same
!
zoning defined-configuration cfg cfg1
 member-zone zone_1_1
 member-zone zone_1_2
 membe
CAUTION
When edits are made to the defined configuration, and those edits affect a currently enabled zone configuration, issuing a "cfg-save"
The command prompt changes to indicate a subconfiguration mode.
3. Enter the member-zone subconfiguration mode command and specify the name of at least
1. In privileged EXEC mode, enter the configure terminal command to enter global configuration mode.
2. Enter the zoning enabled-configuration cfg-name
1. In privileged EXEC mode, enter the configure terminal command to enter global configuration mode.
2. Enter the no zoning defined-configuration cfg co
• If no enabled zone configuration exists, enter the zoning enabled-configuration cfg-action cfg-save command.
• If an enabled zone configuration exists
The following example adds the configuration in the file named myconfig on the attached USB device to the defined configuration.
switch# copy usb://myco
Preface
● Document conventions
● Brocade resources
8. Enter the zoning running-config defined-configuration command to view the defined zone configuration.
9. Enter the zoning enabled-configuration cfg-n
If you are adding a switch that is already configured for zoning, you must clear the zone configuration on that switch before connecting it to the zone
The transaction state after the merge depends on which switch is elected as the principal RBridge. The newly elected principal RBridge retains the same
TABLE 33 Zone merging scenarios: Defined and enabled configurations (Continued)
Description | Switch A | Switch B | Expected results
Switch A and Switch B ha
TABLE 34 Zone merging scenarios: Different content
Description | Switch A | Switch B | Expected results
Enabled configuration mismatch. | defined: cfg1 zone1:1
TABLE 36 Zone merging scenarios: Default access mode (Continued)
Description | Switch A | Switch B | Expected results
Enabled zone configuration. | No enabled c
FIGURE 27 LSAN zones example
The following example steps create this set of LSAN zones.
1. Obtain the host WWN in fabric_01:
a) Log in to any switch in f
Fabric Port Name: 20:08:00:05:1e:34:11:e5
Permanent Port Name: 50:05:07:61:00:5b:62:ed
NL 0508ef; 3; 50:05:07:61:00:49:20:b4; 50:05:07:61:00:09:20
Exists PID in Fabric -------------------------------------------- 75 10:00:00:00:c9:2b:c9:0c c700
Configuring Fibre Channel Ports
● Fibre Channel ports overview
© 2014, Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron,
Convention | Description
value | In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --sho
storage and services. Refer to Fibre Channel ports overview on page 199 for information on how to create LSAN zones.
The following shows an FC connectio
attributes (desire-distance, fill-word, isl-r_rdy, long-distance, speed, trunk-enable, and vc-link-init commands).
• show running-config interface Fibr
Configuring and viewing Fibre Channel port attributes
This section introduces the options for configuring a variety of Fibre Channel port attributes an
Viewing Fibre Channel port attributes
To view the Fibre Channel port attributes for a single port, in privileged EXEC mode, enter the show running-confi
The following example sets the port speed to 4 Gbps.
switch# configure terminal
Entering configuration mode terminal
switch(config)# interface FibreChann
Configuring a Fibre Channel port for long-distance operation
To configure a Fibre Channel port for long-distance operation, follow these steps:
1. In pr
Monitoring Fibre Channel ports
To monitor a Fibre Channel port, in privileged EXEC mode, enter the show interface FibreChannel rbridge-id/slot/port comm
tim_txcrd_z_vc 4- 7: 0 0 0 0
tim_txcrd_z_vc 8-11: 0 0 0 0
tim_txcrd_z_vc 12-15: 0 0 0
Using Access Gateway
● Access Gateway basic concepts
● Enabling Ac
Brocade resources
Visit the Brocade website to locate related documentation for your product and additional Brocade resources.
You can download additiona
FIGURE 29 Hosts connecting to FC fabric through VDX Switch in AG mode
NOTE
An AG switch can connect to only one Fibre Channel SAN. Ports on this switch
FIGURE 30 Connecting Network OS fabric to FC fabric without AG mode
Switches in AG mode are logically transparent to the host and the fabric. Therefore
FIGURE 31 Using AG VDX switch for connecting FC and VCS fabrics
Access Gateway and native VCS modes
In this document, VCS "native" mode refers
For more information on enabling and disabling AG mode, refer to Enabling Access Gateway mode on page 219 and Disabling Access Gateway mode on page 220.
Ac
‐ By default, each switch is assigned 64 VF_Ports.
‐ There is no limit on the number of VF_Ports that you can map to an N_Port.
‐ Up to 64 NPIV logins are
A non-AG VDX 6730 switch using an ISL connection between its FC E_Port and an EX_Port on an FCR consumes domain ID resources that may impact scalabili
FIGURE 33 VDX 6730 and FC switch ports
Access Gateway features, requirements and limitations
Although Access Gateway provides standard features for conn
For more information on Port Grouping policy modes, refer to Port Grouping policy modes on page 230.
N_Port Monitoring for unreliable links
The N_Port mo
‐ FC hosts or targets cannot be directly attached to the VDX switch.
‐ The VDX AG switch cannot be connected to a Fabric OS Access Gateway in a Cascade
‐ You can configure the maximum number of FCoE devices that can be logged into a switch by using the fcoe_enodes command.
‐ Newly allocated VF_Ports are
• OEM/Solution Providers are trained and certified by Brocade to support Brocade® products.
• Brocade provides backline support for issues that cannot
The switch reboots and AG mode is enabled. Switch FC ports are automatically enabled as N_Ports and mapped to VF_Ports. The N_Ports and VF_Ports are al
NOTE
Display of current, active mapping, or configured mapping for a port group using the show ag rbridge-id rbridge-id and show running-config rbridge
Port Group information :
PG_ID PG_Name PG_Mode PG_Members
----------------------------------------------------------
0 p
Displaying port mapping
You can display current and configured VF_Port to N_Port mapping on a specific switch or on all switches enabled for Access Gate
Current and configured mapping display
Display of current, active mapping, or configured mapping for a port group using the show ag map and show running
Default port mapping
When Access Gateway is enabled for the switch, VF_Ports are mapped to available N_Ports in a round-robin fashion as Enodes log in.
1. Perform steps under Displaying port mapping on page 223 to display current and configured port mapping.
2. Enter the configure terminal command to en
FIGURE 34 Port groups connecting to FC fabric
Following are considerations and limitations for the Port Grouping policy.
• An ENode can log in
• A port c
The following is an example of command output for RBridge 5:
switch# show ag pg rbridge-id 5
Rbridge-ID 5:
----------------------------------------------
1. Enter the configure terminal command to enter global configuration mode.
switch# configure terminal
2. Enter the rbridge-id id command to enter RBrid
About This Document
● Supported hardware and software
● What’s new
NOTE
N_Ports are designated by the format rbridge-id/slot/N_Port, such as 3/0/4 for RBridge 3, slot 0, and N_Port 4. You must use this format to correct
• When LB mode is disabled for a port group, the same configured VF_Port to N_Port mapping displays for the show running-config ag or show ag commands.
Modified Managed Fabric Name Monitoring mode
Modified Managed Fabric Name Monitoring (M-MFNM) mode prevents connections from the AG VDX switch to multip
N_Port also go offline. Once the number of SCNs drops below the set threshold, the port is deemed reliable again and the N_Port and mapped VF_Ports go
Using System Monitor and Threshold Monitor
● System Monitor overview
• Fan
• Power supply
• CID card
• SFP
• Line card
Possible states for all monitored FRUs are removed, inserted, on, off, and faulty. A state of none indicat
TABLE 37 Hardware platform default settings for supported switches (Continued)
Platform | Hardware component | Default setting | Marginal thresholds | Down thr
TABLE 38 Hardware platform default settings for supported switches (Continued)
Platform | Hardware component | Default setting | Marginal thresholds | Down thr
Setting system thresholds
Each component can be in one of two states, down or marginal, based on factory-defined or user-configured thresholds. (The de
What’s new in this document
This document supports Network OS 4.1.1, and the new features in this release include:
• VXLAN
For complete information, refe
Sendmail agent configuration
The following system-monitor-mail relay host commands allow the sendmail agent on the switch to resolve the domain name and
apply actions and thresholds separately. For example, you can choose to use default threshold settings together with a customized subset of available a
TABLE 39 Default values for CPU and memory threshold monitoring (Continued)
Operand | Memory | CPU
retry | 3 | 3
SFP monitoring
The SFP parameters that can be m
TABLE 41 Factory thresholds for SFP types and monitoring areas (Continued)
SfpType Area Default Value
TXP (µW) 1000 60
Current (mA) 12 21 GLR Temperatu
TABLE 41 Factory thresholds for SFP types and monitoring areas (Continued)
SfpType Area Default Value
Current (mA) 10 1
Threshold values
High and low th
TABLE 43 Interface errors that can be monitored on external interfaces
Interface area | Description | Port Fencing support | Threshold defaults
MissingTermin
NOTE
For CLI details, refer to the Network OS Command Reference
Viewing threshold status
To view the status of currently configured thresholds, enter the
The following example changes the thresholds from the default, adjusts polling and retry attempts, and causes a RASLog message to be sent when threshol
Security monitoring
Security monitoring allows you to set security threshold and alert options, including login-violation or telnet-violation alerts.
Vie
To disable monitoring of a particular type, enter the threshold-monitor [cpu | interface | memory | security | sfp] pause command.
To re-enable monitorin
Section I: Network OS Administration
• Introduction to Network OS and Brocade VCS Fabric Technology
• Using the Network OS CLI
• Ba
Using VMware vCenter
● vCenter and Network OS integration overview
● vCenter discovery.
• Special characters in the port group names are replaced with the URL-encoded values.
• Standard port groups with the same name that reside in differe
Step 1: Enabling QoS
You must edit the network resource pool settings and set QoS priorities. Refer to the latest VMware vSphere Networking documentatio
An invalid state or condition of a vCenter can cause the deletion of all auto-port-profiles in a system. To prevent this from happening, configure the
• When a switch boots up.
• When a new vCenter is configured on the VDX switch and activated (activation turns on the timer processing, set to 180-secon
Configuring Remote Monitoring
● RMON overview
Configuring RMON Ethernet group statistics collection
You can collect RMON Ethernet group statistics on an interface. RMON alarms and events must be con
Section II: Network OS Security Configuration
• Managing User Accounts
• Configuring External Server Authentication
• Configuring
Managing User Accounts
● Understanding and managing user accounts
● Understanding and
TABLE 44 User account attributes
Parameter | Description
name | The name of the account. The user account name is case-sensitive, must not exceed 40 chara
Examples
Use the show running-config username command in privileged EXEC mode to display all configured users.
switch# show running-config username
userna
Unlocking a user account
A user account is automatically locked by the system when the configured threshold for repeated failed login attempts has been
3. Enter user configuration mode.
switch(config-alias-config)# user john smith
4. Set the user-level alias.
switch(config-alias-config-user)# alias manag
TABLE 45 Password policy parameters (Continued)
Parameter | Description
max-retry | Specifies the number of failed password logins permitted before a user
The account remains locked until explicit administrative action is taken to unlock the account. A user account cannot be locked manually. An account th
1. In privileged EXEC mode, use the configure terminal command to enter global configuration mode.
2. Enter the password-attributes command with the spe
switch# show running-config password-attributes
password-attributes max-retry 4
password-attributes character-restriction numeric 1
password-attributes c
Introduction to Network OS and Brocade VCS Fabric Technology
● Introduction to Brocade Network OS
A user-defined role has a mandatory name and an optional description, as shown in the following table.
TABLE 46 Role attributes
Parameter | Description
n
Creating a VCS Fabric security administrator role and account
The following steps create and configure a typical Brocade VCS Fabric security administra
TABLE 47 Command access rule attributes
Parameter | Description
index | A numeric identifier of the rule in the range between 1 and 512.
role | The name of
Configuring rules for operational commands
Rules can be created for the specified operational commands. By default, every role can display all the opera
In the following example, the user associated with the NetworkAdmin role cannot perform some of the clear and show operations related to all tengigabit
Adding a rule
You add a rule to a role by entering the rule command with appropriate options. Any updates to the authorization rules will not apply to t
After rule 155 is deleted, the SecAdminUser can no longer access the role command.
Displaying a rule
Enter the show running-config rule command in privi
Configuring External Server Authentication
● Understanding and configuring remote server authentication
● Unde
By default, external AAA services are disabled, and AAA services default to the switch-local user database. Any environment requiring more than 64 user
Setting and verifying the login authentication mode
The following procedure configures TACACS+ as the primary source of authentication and the switch-l
Network convergence
Data Center Bridging (DCB)-based lossless Ethernet service provides isolation between IP and storage traffic over a unified network i
Understanding and configuring RADIUS
The remote authentication dial-in user service (RADIUS) protocol manages authentication, authorization, and account
Configuring server side RADIUS support
With RADIUS servers, you should set up user accounts by their true network-wide identity, rather than by the acco
Configuring a Brocade user account
When you use network information service (NIS) for authentication, the only way to enable authentication with the pas
FIGURE 35 Windows server VSA configuration
Configuring client side RADIUS support
Each Brocade switch client must be individually configured to use RADI
TABLE 49 RADIUS server parameters (Continued)
Parameter | Description
protocol | The authentication protocol to be used. Options include CHAP, PAP, and PE
3. Enter the exit command to return to global configuration mode.
switch(config-host-10.38.37.180)# exit
4. Enter the do show running-config radius-serv
support, management of Brocade switches seamlessly integrates into these environments. Once configured to use TACACS+, a Brocade switch becomes a netwo
TABLE 50 TACACS+ server parameters
Parameter | Description
host | IP address (IPv4 or IPv6) or domain/host name of the TACACS+ server. Host name requires
1. In the privileged EXEC mode, enter configure terminal to enter the global configuration mode.
switch# configure terminal
Entering configuration mode
Configuring TACACS+ accounting on the client side
Once the fundamentals of TACACS+ authentication support are configured on the client, a variety of opt
The following shows an example of a data center with a classic hierarchical Ethernet architecture and the same data center with a Brocade VCS Fabric ar
operations. To enable login or command accounting, at least one TACACS+ server must be configured. Similarly, if either login or command accounting is
Example: Command accounting
The following example record shows the successful execution of the username command by the admin user.
<102> 2012-04-09
pap = cleartext "pap password"
service = exec {
brcd-role = vlanadmin;
}
}
The following example assigns the user "Agnes" a single pass
Configuring TACACS+ for a mixed vendor environment
Network OS uses Role Based Access Control (RBAC) to authorize access to system objects by authenticat
If you are in logical chassis cluster mode, the configuration is applied to all nodes in the cluster.
User authentication
A Brocade switch can be config
Server authorization
The Active Directory (AD) server is used only for authentication. Command authorization of the AD users is not supported in the AD
1. In privileged EXEC mode, enter configure terminal to change to global configuration mode.
switch# configure terminal
Entering configuration mode term
1. In privileged EXEC mode, use the configure terminal command to enter global configuration mode.
switch# configure terminal
Entering configuration mod
Standalone mode
switch# certutil import ldapca directory /usr/ldapcacert/ file cacert.pem protocol SCP host 10.23.24.56 user jane password
password: **
Logical chassis cluster mode
To view the output in logical chassis cluster mode, enter show cert-util ldapcacert followed by the desired RBridge ID. Thi
FIGURE 2 Ethernet fabric with multiple paths
The Ethernet fabric has the following characteristics:
• It is a switched network. The Ethernet fabric util
When no syslog CA certificate is present
switch# no certutil syslogcacert
% Error: syslog CA certificate does not exist.
When a syslog CA certificate exi
Removing the mapping of an Active Directory to a switch role
The following example removes the mapping between the Brocade admin role and the Active Di
3. In global configuration mode, set the login authentication mode on the switch to use LDAP only and verify the change.
switch# configure terminal
Enter
Configuring Fabric Authentication
● Fabric authentication overview
the local device may authenticate. Every device may share a secret key pair with any other device or host in a fabric.
Shared secret keys have the follo
database, the connecting device is allowed to join the fabric. If the neighboring device is not specified in the SCC policy active list, both devices a
Port security configuration commands
Port security is enabled on an interface by means of a series of switchport commands. For configuration examples, r
• A port mode change is not allowed when port security is enabled on the interface.• Organizationally Unique Identifier (OUI)-based port security is n
By default the policy is set to PASSIVE and you can change the policy. All changes to the AUTH policytake effect during the next authentication reques
• The world wide name (WWN) of the peer.• The secret of the peer that authenticates the peer to the local switch.• The local secret that authenticates
FIGURE 3 Distributed intelligence in an Ethernet fabric
Distributed intelligence has the following characteristics:
• The fabric is self-forming. When t
fcsp auth hash md5
fcsp auth policy switch on
Configuring a Brocade VDX 6730 to access a SAN fabric
Configuring a Brocade VDX 6730 switch to access a SAN
This command places you into the defined SCC configuration mode where you can add policy member WWNs.
3. Specify a policy member with the member-entry W
Modifying the SCC policy
The same command sequence that creates the Switch Connection Control (SCC) policy adds additional members. The defined SCC memb
VCS mode example
switch# secpolicy activate rbridge-id 3
switch# do show running-config rbridge-id 3 secpolicy defined-policy
rbridge-id 3
secpolicy defi
Removing the SCC_POLICY entry of rbridge-id 3 in VCS mode
switch# config
Entering configuration mode terminal
switch(config)# rbridge-id 3
switch(config-
1. Enable interface subconfiguration mode for the interface you want to modify.
switch(config)# interface TenGigabitEthernet 1/0
2. Put the interface in
3. Enable switchport security by using the switchport port-security command.
switch(conf-if-te-1/0)# switchport port-security oui 2000.3000.4000
4. Conf
Section III: Network OS Layer 2 Switch Features
• Administering Edge-Loop Detection
• Configuring AMPP
• Configuring FCoE interfa
Administering Edge-Loop Detection
● Edge-loop detection overview
FIGURE 4 Logical chassis in Ethernet fabric
Each physical switch in the fabric is managed as if it were a blade in a chassis. When a Brocade VCS Fabric
FIGURE 37 Missing LAG causes loop
The following figure shows another example for which ELD could be used to detect and break a Layer 2 loop. In this cas
FIGURE 38 Interconnected Brocade VCS Fabric clusters cause loop
How ELD detects loops
ELD works by multicasting Protocol Data Unit (PDU) packets on edge
FIGURE 39 Interconnected Brocade VCS Fabric clusters with ELD enabled
With all ELD enabled edge ports sending PDUs at the same rate, VCS1 reaches its p
any port before determining that a loop exists. This value is the pdu-rx-limit. You must also set the interval between sending PDUs by using the hello
The number value must be in the range 10 through 1440 (10 minutes through 24 hours). The default value is 0, indicating that the port is not automatica
NOTE
If an edge-port becomes an ISL port because a remote port’s VCS ID was changed, a port that was already shutdown by ELD must be cycled with the shu
Configuring AMPP
● AMPP overview
● Confi
The italic text in the following example highlights the vLAG information in the port profile:
switch# show port-profile status
Port-Profile
destination port as the profiled port, or the reverse. SPAN allows the capability to mirror the traffic learnt on the profiled port.
For complete inform
Automatic ISL formation and hardware-based trunking
When a switch joins an Ethernet fabric, ISLs automatically form between directly connected switches
In addition, all the combinations can be mixed up with some security rules grouped under a security-profile.
NOTE
A port-profile does not contain some o
TABLE 56 AMPP behavior and failure descriptions (Continued)
AMPP event | Applicable behavior and failures
De-activate port-profile | • This event removes
1. Configure the physical interface, LAG, or vLAG as a port-profile port.
switch(if-te-2/0/1)# port-profile-port
2. Create and configure a new port-prof
Configuring FCoE profiles
Only the FCoE profile of the default profile can be modified. The FCoE profile can only be part of the default profile. When i
• Without PFC.
switch(config-qos-profile)# qos flowcontrol tx on rx on
• With PFC for each CoS.
switch(config-qos-profile)# qos flowcontrol pfc 1 tx on r
The following example activates the mode for the 10-gigabit Ethernet interface in slot 0/port 0.
switch(config)# interface tengigabitethernet 1/0/1
2. U
1 005a.8402.0006 Dynamic Active Not Profiled Te 111/0/24
1 005a.8402.0007 Dynamic Active Profiled(T) Te 111/0/24
1 005b.8
Configuring FCoE interfaces
● FCoE overview
TABLE 57 FCoE terminology
Term | Description
FCoE | Fibre Channel over Ethernet
DCB | Data Center Bridging
VN_Port | FCoE equivalent of an FC N_Port
VF_Port | FCo
and the network happens to the router’s MAC address at Layer 2. This means VN1 is always communicating with VF1 at Layer 2.
2. In a Brocade VCS Fabric i
FIGURE 5 Pair of Brocade VDX switches at the top of each server rack
The servers perceive a single top-of-rack switch, allowing for active/active conne
original MAC header is now transformed as follows: the DA is changed from VF1 to FCF-C and the SA is changed from VN1 to FCF-A. This occurs at point 2
FIGURE 42 Multiple switch fabric configuration
Layer 2 forwarding
Layer 2 Ethernet frames are forwarded on the DCB ports. 802.1Q VLAN support is used to
For detailed information on configuring these protocols, refer to Configuring STP-Type Protocols on page 407.
The Brocade VDX hardware handles Ethernet
NOTE
Only a single switch-wide VLAN is capable of forwarding FCoE traffic.
For detailed information on configuring VLANs, refer to Configuring 802.1Q VL
Congestion control and queuing
The Brocade VDX hardware supports several congestion control and queuing strategies. As an output queue approaches conges
The traffic rate of the traffic streams that are uncongested remains high. The outbound ports should carry some multicast frames from all the inbound p
The 802.3ad Link Aggregation Control Protocol (LACP) is used to combine multiple links to create a trunk with the combined bandwidth of all the individ
• VLAN 1 — The Brocade VDX hardware should not forward FIP frames on VLAN 1 because it is reserved for management traffic only.
• A fabric-provided MAC
If FKA timeouts are enabled on the switch, the VN_Port will be implicitly logged out in the event of a VN_Port FKA timeout.
Name server operation
The Bro
command with the keyword of local (the default). The user can choose the global keyword to maintain the previous configuration model. In this case, the
Large-scale server virtualization use case
The following shows a logical two-tier architecture with Brocade VCS fabrics at the edge. Each Brocade VCS fa
‐ Extra FCoE interfaces (the difference between the value of max-enodes and that of fcoe-enodes) are deleted.
‐ In logical chassis cluster mode, the va
Assigning an FCoE map onto an interface
The FCoE map cannot be edited if it is associated with any interfaces.
The FCoE map can be applied, irrespective
6. Confirm the changes to the interface with the show running-config command.
switch# show running-config interface tengigabitethernet 3/0/19
interface
Configuring logical FCoE ports
When the switch boots, a pool of 64 FCoE ports is created. These ports are not bound to any physical ports. The bindings
Troubleshooting FCoE interfaces
The following commands can be used to troubleshoot FCoE interfaces.
Command | Description
show fcoe fabric-map | Displays VLA
Configuring 802.1Q VLANs
● 802.1Q VLAN overview
● Co
‐ Any tagged frames coming with a VLAN tag equal to the configured native VLAN are processed.
‐ For ingress and egress, non-native VLAN tagged frames ar
• The VLAN filtering behavior on logical Layer 2 interfaces such as LAG interfaces is the same as on port interfaces.
• The VLAN filtering database (FDB
TABLE 59 Default VLAN configuration
Parameter | Default setting
Default VLAN | VLAN 1
Interface VLAN assignment | All interfaces assigned to VLAN 1
VLAN stat
1. Enter the configure terminal command to access global configuration mode.
2. Enter the interface command to specify the interface port type and slot
Brocade VCS Fabric connectivity with Fibre Channel SAN
In Network OS 2.1.1 and later, Fibre Channel ports on the Brocade VDX 6730 provide support for co
Disabling STP on a VLAN
Once all of the interface ports have been configured for a VLAN, you can disable STP for all members of the VLAN with a single c
1. Enter the configure terminal command to access global configuration mode.
2. Enter the interface command to specify the DCB interface type and slot/
Configuring protocol-based VLAN classifier rules
You can configure VLAN classifier rules to define specific rules for classifying frames to selected VLA
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Enter the vlan classifier rule command to
1. Enter the show interface command to display the configuration and status of the specified interface.
The gigabitethernet rbridge-id/slot/port operand
VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs. Secondary VLANs can be configured as one of two types: either isolated V
• For private VLANs, egress ACLs on the primary VLAN are applied only for the traffic that ingresses and egresses from the primary VLAN, and not for th
Configuring a tagged PVLAN host port.
switch(conf-if-te-0/1)# switchport mode private-vlan trunk host
Configuring a tagged PVLAN host port.
switch(conf-i
Configuring a VXLAN Gateway
● Introduction to VXLAN Gateway
● VXL
Topology and scaling
Up to 24 switches can exist in a Brocade VCS Fabric. Although you can use any network topology to build a Brocade VCS Fabric, the f
VXLAN tunnel endpoints
VXLAN creates large-scale, isolated virtual L2 networks for virtualized and multi-tenant environments by encapsulating frames in
Coordination of activities
Be sure to coordinate your activities with the administrators of the virtual network and NSX Controller to help ensure a succ
9. Enter the virtual IP address of the virtual-router-extended group, as in the following example:
switch(config-vrrp-extended-group-100)# virtual-ip 6
d) Run the attach vlan vlan_ID command to export specified VLANs (these are VLANs that can be mapped to VXLAN domains), as shown in the example below:
s
Additional commands
Most of the VXLAN-gateway-related commands were used in the configuration example in the section VXLAN Gateway configuration steps
Configuring Virtual Fabrics
● Virtual Fabrics overview
A service VF thus represents a virtualized, normalized VLAN domain, where different link-protocol VLAN identifiers (port number, MAC address, and custo
STP support
The correct configuration of xSTP is the responsibility of the user. Much as the user must ensure that VLAN configurations and VLAN instance
frames that arrive on an ISL. If the frame exists in the fabric, it must have been allowed to enter the fabric at the edge. In fabric cluster mode, Net
NOTE
If the fabric state is VF-incapable, the vcs virtual-fabric enable command will not succeed.
Disabling VFs
To disable VFs in the fabric, the user mu
High performance and low latency are ensured because throughput is high and the hop count is low.
Throughput is high because multiple core switches sha
Feature scalability
The scalability numbers of VLAN features remain the same as in the previous release. The following lists VF resource numbers for the Br
A VLAN ACL requires an IVID allocation for the target VLAN. If the target VLAN is configured on the local switch port, the ACL can be applied on the IV
FIGURE 45 VLAN virtualization
Virtual data center deployment
The following illustrates an example VDC infrastructure that supports a VMware deployment.
V
FIGURE 46 VDC infrastructure
In a VMware-based cloud provider network, a VCS Fabric is connected to multiple vCenters, where each data center manages it
AMPP provisioning with service VFs
When the Automatic Migration of Port Profiles (AMPP) feature is used in Network OS 4.1.0 and later, a VCS Fabric is p
a. switchport access vlan 8001
b. switchport access vlan 8002 mac 2.2.2
c. switchport access vlan 8002 mac 3.3.3
6. The following example configurations
• The deleted user or auto port-profile is automatically deleted from the default port-profile domain.
• The show running-config command or the show po
TABLE 62 Configuration status before and after upgrade
Network OS 4.0.0 | Network OS 4.1.1
port-profile default
allow non-profiled-macs
vlan-profile
switch
configurations, whether 802.1Q or service VF. This is necessary for STP to operate correctly across the fabric. All other switch ports that do not part
‐ The VCS Fabric and the attached vDCs belong to the same MSTP region.
‐ VLAN-to-instance mapping must be the same in the VCS Fabric and for each vDC.
‐
FIGURE 10 Full mesh topology
This topology is highly reliable and fast, but it does not scale well. It is reliable because it provides many paths throug
from the flood membership of the VLAN. For tagged BPDUs (as in PVST), a BPDU is tunneled on its own service-VF flood domain.
PVLANs with service VFs
Priv
FIGURE 49 Transport service
The transport VFs that can extend outside of the VCS Fabric are numbered up through 4095, bound by the 802.1Q interface. Bec
‐ Untagged control traffic is not subject to transport VF classification rules. It is handled according to the respective protocol configuration (that
Service and transport VF classification with native VLANs
This section addresses two ways to classify service and transport VFs with native VLANs: a de
• VLAN 1 cannot be used as a classification CTAG.
• Ingress and egress tagging behavior is controlled by the interface-level configuration, not by the g
• Default VLAN 1 is not implicitly created in this mode.
• Native VLAN commands that are applicable in default-VLAN trunk mode are not supported in thi
‐ switchport trunk tag native-vlan
‐ switchport trunk native vlan vlan_id
‐ dot1q tag native-vlan (a global command that does not apply to a port)
• All
The following illustrates configuration in no-default-native-VLAN trunk mode.
switch(config)# int vlan 5000
switch(config)# int vlan 6000
switch(config-V
Configuring a service VF instance
Configuring a service VF instance consists of enabling VF configuration in the fabric, and then configuring a service
Configuring transport VF classification to a trunk interface
The following example command sequence illustrates the configuration of VF classification
Configuring a native VLAN in no-default-native-VLAN trunk mode
The following examples illustrate the configuration of a native VLAN in a trunk mode whe
Configuring physical interfaces
1. Create classification rules for the primary and secondary VLAN at the respective primary and host ports.
The classific
The following configures non-PVLAN VFs.
switch(conf-if-te-1/4/1)# switchport private-vlan trunk allowed vlan add 400
switch(conf-if-te-1/4/1)# switchpor
NOTE
Only one MAC address can be deleted at a time.
switch(config)# mac-group 1
switch(config-mac-group 1)# no mac 0004.0004.0004
Configuring an interface
Layer 3 configurations are applicable to service VFs, by means of existing interface ve commands.
Each virtual Ethernet (VE) interface is mapped to a s
a) Remove all service or transport VF configurations in the fabric.
b) In global configuration mode, issue the no vcs virtual-fabric enable command to
Configuring STP-Type Protocols
● STP overview
• From learning to forwarding, blocking, or disabled
• From forwarding to disabled
The following STP features are considered optional features although
provides rapid reconvergence of edge ports, new root ports, and ports connected through point-to-point links.
The RSTP interface states for every Layer
Using the Network OS CLI
● Network OS CLI overview
● A
NOTE
In MSTP mode, RSTP is automatically enabled to provide rapid convergence.
Multiple switches must be configured consistently with the same MSTP conf
PVST+ is not a scalable model when there are many VLANs in the network, as it consumes a lot of CPU power. A reasonable compromise between the two extr
tree topology. Each RBridge updates all the other members about its best information for a given spanning tree instance.
Each RBridge maintains a table
The following table lists those switch defaults which apply only to MSTP configurations.
TABLE 68 Default MSTP configuration
Parameter | Default settin
Configuring basic STP
NOTE
The gigabitethernet rbridge-id/slot/port keyword is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 87
All other switch ports connect to other switches and bridges are automatically placed in blocking mode.
This does not apply to ports connected to workst
NOTE
Port fast only needs to be enabled on ports that connect to workstations or PCs. Repeat these commands for every port connected to workstations or
5. Map a VLAN to an MSTP instance by using the instance command. Refer to Mapping a VLAN to an MSTP instance on page 417 for more details.
switch(config
To map a VLAN to an MSTP instance, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to change to global c
To specify a revision number for an MSTP configuration, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command t
For information on creating a user-defined role, refer to User-defined roles on page 269.
Accessing the Network OS CLI through Telnet
NOTE
While this exa
Shutting down STP, RSTP, MSTP, PVST+, or R-PVST+ globally
To shut down STP, RSTP, MSTP, PVST+, or R-PVST+ globally, perform the following steps from pri
3. Specify the bridge priority. The range is 0 through 61440 and the priority values can be set only in increments of 4096. The default priority is 326
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Enter the protocol command to enable STP,
enable the port from the disabled state. For details on configuring the error disable timeout interval, refer to Specifying the error disable timeout i
To specify the transmit hold count, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to change to global
Enabling automatic edge detection (DCB)
From the DCB interface, use this command to automatically identify the edge port. The port can become an edge po
Enabling a port (interface) as an edge port (DCB)
From the DCB interface, use this command to enable the port as an edge port to allow the port to quick
The gigabitethernet rbridge-id/slot/port keyword is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8. The prompt for thes
4. Enter the spanning-tree command to specify the restrictions for an MSTP instance on a DCB interface.
switch(conf-if-te-0/1)# spanning-tree instance 5
3. Enter the no shutdown command to enable the DCB interface.
switch(conf-if-te-0/1)# no shutdown
4. Enter the spanning-tree command to enable port fast
TABLE 2 Network OS CLI keyboard shortcuts (Continued)
Keystroke | Description
Ctrl+A | Moves the cursor to the beginning of the command line.
Ctrl+E | Moves
Restricting the topology change notification (DCB)
From the DCB interface, use this command to restrict the topology change notification BPDUs sent ont
The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade VDX 8770-4, and Brocade VDX 8770-8. The prompt for thes
Configuring UDLD
● UDLD overview
● Conf
FIGURE 50 Four-switch example for UDLD
In the figure above, STP detects that the port on switch D that is connected to switch C should be put into a blo
Configuring UDLD
Follow the steps below to configure basic UDLD on your switch.
1. Enter global configuration mode by entering the configure command fro
Configuring Link Aggregation
● Link aggregation overview
• Passive mode — LACP responds to Link Aggregation Control Protocol Data Units (LACPDUs) initiated by its partner system but does not initiate the LACP
You can configure a maximum of 24 LAGs with up to 16 links per standard LAG, or four links per Brocade-proprietary LAG. Each LAG is associated with an
If there is more than one command or keyword associated with the characters typed, the Network OS CLI displays all choices. For example, at the CLI com
vLAG configuration overview
Network OS 4.0 and later supports the option of setting the "Allowed Speed" of the port-channel to either 1 Gbps o
Configuring vLAGs to minimize packet loss
This topic provides background on configuring a vLAG to minimize packet loss.
In scenarios where a vLAG spans
FIGURE 51 vLAG configuration of the ignore-split feature
To reduce vLAG failover down time, you must configure ignore-split on all of the legs in the v
Configuring the vLAG ignore-split feature
This topic describes how to configure the vLAG ignore-split feature.
To configure the vLAG ignore-split featur
NOTE
When configuring load balancing on a Brocade VDX 6710, Brocade VDX 6720, Brocade VDX 6730, or Brocade VDX 6740, it should be configured consistentl
To add additional interfaces to an existing LAG, repeat this procedure using the same LAG group number for the new interfaces.
Enter the copy running-co
Clearing LACP counter statistics on a LAG
This topic describes how to clear LACP counter statistics on a single LAG.
Enter clear lacp LAG_group_number c
If a Brocade-based dynamic trunk is configured on a link and the link is not able to join the LAG, do the following:
• Make sure that both ends of the l
Configuring LLDP
● LLDP overview
● Con
The Network OS CLI accepts abbreviations for commands. This example is the abbreviation for the show qos interface all command.
switch# sh q i a
If the s
In LLDP the link discovery is achieved through the exchange of link-level information between two link partners. The link-level information is refreshe
‐ MAC/PHY configuration/status TLV — Indicates duplex and bit rate capabilities and the current duplex and bit rate settings of the local interface. It
TABLE 73 ETS priority grouping of IPC, LAN, and SAN traffic (Continued)
Priority | Priority group | Bandwidth check
6 | 2 | Yes
5 | 2 | Yes
4 | 2 | Yes
3 | 1 | Yes
2 | 1 | Yes
1 | 2
Configuring and managing LLDP
The following sections discuss working with the Link Layer Discovery Protocol (LLDP) on Brocade devices.
Understanding the
1. Enter the protocol lldp command to enter protocol configuration mode.
switch(config)# protocol lldp
2. Enter the disable command to disable LLDP glob
Specifying a user description for LLDP
To specify a user description for LLDP, perform the following steps from privileged EXEC mode. This description i
1. Enter the configure terminal command to access global configuration mode.
2. Enter LLDP configuration mode.
switch(config)# protocol lldp
3. Advertise
NOTE
Brocade recommends against advertising dot1.tlv and dot3.tlv LLDPs if your network contains CNAs from non-Brocade vendors, as doing so may cause fu
An explanation of syntax "priority-table 1 2 2 2 2 2 2 15.0" is as follows:
This shows the definition of a CEE Map with Priority to Priority
1. Use the show lldp command to display LLDP general information.
switch# show lldp
2. Use the show lldp command to display LLDP interface-related infor
Considerations for show command output
Network OS contains many versions of the show command. The output of the show command changes depending on your c
Configuring ACLs
● ACL overview
● Co
• Logical interfaces (LAGs)
• VLANs
IP ACLs
The IP ACLs control access to the switch. The policies do not control the egress and outbound management traff
TABLE 75 IP ACL parameters
ACL / Rule type | IP ACL parameter | IP ACL parameter definition
Standard IP ACL | name | The name of the standard IP ACL. The name
TABLE 75 IP ACL parameters (Continued)
ACL / Rule type | IP ACL parameter | IP ACL parameter definition
 | hard drop | Overrides the trap behavior for control fr
• The default action of "deny any" is inserted at the end of a bounded L3 ACL. This default rule is not exposed to the user.
• Applying a hard
4. Enter the permit command to create a rule in the MAC ACL to permit traffic with the source MAC address.
switch(conf-macl-std)# permit 0022.5555.3333
NOTE
The DCB interface must be configured as a Layer 2 switch port before an ACL can be applied as an access-group to the interface.
To apply a MAC ACL t
1. Enter the configure terminal command to access global configuration mode.
2. Enter the mac command to specify the ACL called test_02 for modificatio
Creating an extended IP ACL
To create an extended IP ACL, perform the following steps in global configuration mode.
1. Use the ip access-list extended c
Basic Switch Management
● Switch management overview
● Ethern
NOTE
Before downgrading firmware, you must unbind any ACLs on the management interface, or the downgrade will be blocked.
Displaying the IP ACL configura
Configuring QoS
● QoS overview
● Conf
LOG indication for the disabled interface. This feature is supported on Brocade VDX 8770 series, VDX 6740, and VDX 6740-T platforms.
• Data Center Bridg
Tail drop
Tail drop queuing is the most basic form of congestion control. Frames are queued in FIFO order and queue buildup can continue until all buffe
Instead of using the standard priority values, you can assign anywhere from 0% through 100% priority to any threshold, as long as the sum of all eight
device receives a PAUSE frame, it must stop sending any data on the interface for the specified length of time, once it completes the transmission of a
NOTE
The Brocade VDX 6740 series platforms support only two PFCs.
Ethernet Priority Flow Control includes the following features:
• Everything operates e
‐ 1-gigabit Ethernet
‐ 10-gigabit Ethernet
‐ 40-gigabit Ethernet
‐ 100-gigabit Ethernet
• BUM storm control and input service-policy are mutually exclusiv
FIGURE 54 WRR schedule — two queues
Deficit Weighted Round Robin (DWRR) is an improved version of WRR. DWRR remembers the excess used when a queue goes
FIGURE 55 Strict priority and Weighted Round Robin scheduler
Multicast queue scheduling
The multicast traffic classes are numbered from 0 to 7; higher n
Telnet and SSH overview
Telnet and Secure Shell (SSH) are mechanisms for allowing secure access to management functions on a remote networking device. S
The DCB Priority Group Table defines each Priority Group ID (PGID) and its scheduling policy (Strict Priority versus DWRR, DWRR weight, relative priori
congestion control because the set of priorities mapped to the Priority Group is not known, which leads into the DCB Priority Table.
The DCB Priority Ta
• DSCP trust is disabled in VCS mode as it is for CoS trust.
• There are no default DSCP maps in VCS mode. Default maps occur when DSCP trust is enable
• Traffic flagged to the green or "conform" color priority conforms to the committed information rate (CIR) as defined by the cir-rate variab
The eir parameter defines the value of the EIR as the rate provided in the eir-rate variable. Acceptable values are in multiples of 40000 in the range
Configuration rules and considerations for Policer
The following are rules for configuring maps and using policing parameters for the Policer feature:
•
TABLE 81 Policer behavior for L2 and L3 control packets
Protocol | Ingress Policer | Egress Policer
LLDP | Enabled if protocol is not enabled and disabled
Understanding default user-priority mappings for untrusted interfaces
When Layer 2 QoS trust is set to untrusted, then the default is to map all Layer
TABLE 83 IEEE 802.1Q default priority mapping (Continued)
Incoming CoS | User Priority
6 | 6
7 | 7
Configuring QoS mappings
Consider the topics discussed below
Configuring user-priority mappings
To configure user-priority mappings, perform the following steps from privileged EXEC mode.
1. Enter global configura
Feature support for Telnet
The following features are not supported with Telnet:
• Displaying Telnet sessions
• Terminating hung Telnet sessions
Feature s
5. Return to privileged EXEC mode.
switch(conf-if-te-2/1/2)# end
6. Enter the copy command to save the running-config file to the startup-config file.
sw
NOTE
Note the restrictions for using this feature in VCS mode under Restrictions for Layer 3 features in VCS mode on page 481.
To configure DSCP trust mo
• DSCP values 1, 3, 5, and 7 are set to output as DSCP number 9.
• DSCP values 11, 13, 15, and 17 are set to output as DSCP number 19.
• DSCP values 12,
Creating a DSCP-to-CoS mutation map
You can use the incoming DSCP value of ingress packets to remap the outgoing 802.1P CoS priority values by configuri
DSCP trust mode classifies packets based on the incoming DSCP value. If the incoming packet is priority tagged, fallback is to classify packets based o
TABLE 85 Default user priority for unicast traffic class mapping
User priority | Traffic class
0 | 1
1 | 0
2 | 2
3 | 3
4 | 4
5 | 5
6 | 6
7 | 7
You are allowed to override thes
Configuring CoS-to-traffic-class maps
Consider the topics discussed below when configuring the CoS-to-traffic-class mappings.
Mapping a CoS to a traffic
Verifying CoS-to-Traffic-Class mapping
To verify a CoS-to-Traffic-Class mapping, you can use one or both of the following options from global configurat
Applying the DSCP-to-traffic-class mapping to an interface
To activate a DSCP-to-Traffic Class mapping, perform the following steps from privileged EXE
Configuring Random Early Discard
Consider the topics discussed below when configuring Random Early Discard (RED) mappings.
Understanding RED profiles
Con
configuration. For node replacement in logical chassis cluster mode, the switch is set to the default configuration.
NOTE
The DAD process is disruptive t
NOTE
To deactivate the map from an interface, enter no qos random-detect cos value
4. Return to privileged EXEC mode.
switch(conf-if-te-1/2/2)# end
5. Ent
1. Enter global configuration mode.
switch# configure terminal
2. Specify the Ethernet interface.
The gigabitethernet rbridge-id/slot/port operand is use
NOTE
To deactivate storm control from an interface, enter no storm-control ingress followed by the mode (broadcast, unknown-unicast, or multicast) the l
Defining a DCB priority group table
To define a priority group table map, perform the following steps from privileged EXEC mode.
1. Enter global configu
4. Return to privileged EXEC mode.
switch(conf-if-te-101/0/2)# end
5. Enter the copy command to save the running-config file to the startup-config file.
3. Configure a policy-map to associate QoS and policing parameters to traffic belonging to specific classification maps. Each policy-map can contain on
The police priority-map will re-mark CoS values according to color-based green (conform), yellow (exceed), and red (violate) priorities. Creating a pol
To delete a policy-map, use the no keyword as in the following example.
switch(config)# no policy-map policymap1
3. Configure a class map in the policy-
NOTE
To configure a class map in the policy-map you must create the class map first using the class-map command while in global configuration mode. Ref
1. Select the policy map.
switch(config)# policy-map p1
2. Select the class.
switch(config-policymap)# class class-default
3. Specify the shaping rate for
Configuring the DHCP Automatic Deployment process for replacing logical chassis cluster switches
Provides procedures for configuring DHCP Automatic Depl
Binding the policy-map to an interface
Use the service-policy command to associate a policy-map to an interface to apply policing parameters.
1. Enable t
Operational cir:39944 cbs:6518 eir:0 ebs:0 Conform Byte:0 Exceed Byte:0 Violate Byte:0
Entering show policymap without identifying a
NOTE
As this command was created primarily to benefit Network Attached Storage devices, the commands used in the following sections use the term “NAS”.
‐ Logical chassis cluster mode without any extra configuration
‐ Fabric cluster mode with the proper Converged Enhanced Ethernet (CEE) map configuration
When Auto QoS is enabled, the modified CEE map will be similar to the following:
switch# show cee maps
CEE Map 'default'
Precedence: 1
Rem
The Differentiated Services Code Point (DSCP) value affects how Auto QoS operates by specifyingthe priority value for Network Attached Storage traffic
The following example shows a typical output of this command, showing that Auto-NAS is enabledon two IP address (one using VLAN, and one using VRF), t
• vlan vlan_ID• vrf vrf_Name2. Press Enter after you add each individual address entry.The following example removes two addresses, one using a VLAN m
-----------nas server-ip 10.1.1.1/32 vrf default-vrf matches 0 packets 0 bytes switch# show nas statistics server-ip 10.1.1.0/24 vrf brad nas serv
Configuring 802.1x Port Authentication
● 802.1x protocol overview
1. Establish a DAD environment for the new switch. (Make sure DHCP is enabled on the management interface.)
a) The management interface of the switch mu
Configuring authentication
The radius-server command attempts to connect to the first RADIUS server. If the RADIUS server is not reachable, the next RAD
• 802.1x readiness can be checked on a per-interface basis. Readiness check for all interfaces at once is not supported.
• The 802.1x test timeout is sh
Configuring 802.1x port reauthentication on specific interface ports
To configure 802.1x port reauthentication on a specific interface port, perform th
The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, VDX 8770-4, and VDX 8770-8. The prompt for these ports is in th
Configuring sFlow
● sFlow protocol overview
● Configu
Packet counter samples
A polling interval defines how often the sFlow octet and packet counter for a specific interface are sent to the sFlow collector,
sFlow feature support (Continued)TABLE 87 Feature Brocade VDX 8770 Brocade VDX 67xxSample rate calculation Dropped packets (such as errors andACL dr
For complete information on the sFlow CLI commands for the Brocade switch, refer to the Network OS Command Reference.
To configure sFlow globally, perfo
Enabling and customizing sFlow on specific interfaces
Perform the following steps in privileged EXEC mode to enable and customize sFlow on an interface
Brocade VDX Ethernet interfaces
The Brocade VDX compact switches have a single configurable Ethernet interface, Eth0, which can be configured as a manag
Disabling sFlow on specific interfaces
NOTE: Disabling sFlow on the interface port does not completely shut down the network communication on the interfac
Disabling flow-based sFlow on specific interfaces
To disable sFlow on a specific interface, perform the following steps in interface configuration mode
Disabling flow-based sFlow on specific interfaces532 Network OS Administrator’s Guide53-1003225-04
Configuring Switched Port Analyzer
● Switched Port Analyzer protocol overview
Standard SPAN guidelines and limitations
Brocade recommends that you be aware of the following standard guidelines for and limitations of SPAN connectio
SPAN in logical chassis cluster guidelines and limitations
In addition to the standard SPAN limitations, note the following guidelines and limitations
Limitations for mirroring across RSPAN
Network OS 4.0.0 and later use Inter-Switch Links (ISLs) to mirror packets across RBridges to reach the destinati
The destination port is always an external port. The source and destination ports must be in the same port group for the Brocade VDX 6720-60.
switch(con
Deleting a SPAN session
To remove a SPAN session, do the following:
1. Display the existing configuration of the monitor session.
switch# show monitor se
4. Open a monitor session and assign a session number
switch(config)# monitor session 1
5. Configure the source port and the destination port, with the
Switch attributes
A switch can be identified by its IP address, World Wide Name (WWN), switch ID or RBridge ID, or by its host name and chassis name. Yo
Configuring SFP Breakout Mode
● SFP breakout overview
Platforms supporting breakoutTABLE 88 Platform Port configuration QSFP portsVDX 6740VDX 6740TVDX 6740T-1G48 10G plus 4 40GVDX 6740T-1G ports can be
SFP breakout valuesTABLE 89 SFP # (rbridge/slot/port ) SFP type Interface nameBreakout disabled Breakout enabled3/2/1 QSFP (4 x10G) Fo 3/2/1 Te 3/2/
the line card powered off, you can configure Performance mode on specific 27x40GbE ports, then enable breakout mode for these ports. For more informati
switch# show ip int briInterface IP-Address Status Protocol========================== ========== ====== =====
a) The Brocade VDX 6740, 6740T, and 6740T-1G create interfaces corresponding to the SFP breakout mode of each port. For a QSFP, a single Fo interface i
TenGigabitEthernet 48/0/47 unassigned default-vrf up downTenGigabitEthernet 48/0/48 unassigned default-vrf up downTenGig
Releasing a 40G QSFP port while in breakout mode
The following example shows you how to release a 40G QSFP port while in breakout mode.
switch(config-dp
Section IV: Network OS Layer 3 Routing Features
• Configuring In-Band Management
• IP Route Policy
• Configuring IP Route Managem
Mapping switchType to Brocade product names (Continued)TABLE 4 switchType Brocade product name Description1001.x VDX 8770-8 8 I/O slot chassis suppo
Configuring In-Band Management
● In-band management overview
● C
necessary to configure IP routes throughout the network to allow the communication to take place.
You can configure the management interface to use eit
Configuring an in-band management interface in standalone mode
The figure below shows the configuration of an in-band management interface in standalon
NOTE: You must configure a primary IP address only. Secondary IP addresses are not supported.
5. Enter the ip mtu command to set the interface IP Maximum
FIGURE 57 In-band management in a VCS fabric with dynamic routes (OSPF)
Basic configuration for a standalone in-band management
The following configurat
RB1(config)# do show vcs
state : Disabled
2. C1 is a management station and automatically Telnets into node RB1.
3. Verify that the in-band management
NOTE: If you are configuring this in a logical chassis cluster mode, you do not configure the VLAN again on RB2 because RB1 (the principal node) would di
17 10:00:00:05:33:77:31:9C* 10.24.73.80 Online RB118 >10:00:00:05:33:77:23:6C 10.24.73.85 Online RB24. Verify the in-band man
Total Number of Nodes : 2Rbridge-Id WWN Management IP Status HostName---------------------------------------------------------
Logical chassis cluster mode characteristics
The following are the main characteristics of logical chassis cluster mode:
• The maximum number of nodes s
IP Route Policy
● IP route policy overview
● Configu
may contain more than one match condition. The overall matching condition of the instance is true only if all matching conditions are met. The followin
Configuring IP Route Management
● IP route management overview
Configuring static routes
You can add a static route to IP route management by using the ip route commands in RBridge ID configuration mode. With these
To configure a default route with a next hop address of 10.95.6.157, enter the following ip route command.
switch(config)# rbridge-id 30
switch(config-rb
Configuring PBR
● Policy-Based Routing
● Policy-B
Route-map levelpermit and denyactionsACL clause permit anddeny actionsResulting Ternary Content Addressable Memory (TCAM)actionPermit Permit The “set”
The set clauses are evaluated in the following order:
1. Set clauses where the next hop is specified.
2. Set interface NULL0.
The order in which you ente
Logical chassis cluster mode configuration
In logical chassis cluster mode, any operation that results in writing to the configuration database gets aut
set ip next-hop 4.4.4.4
!
6. View the route map application.
sw0# show route-map pulp-fiction
Interface TenGigabitEthernet 3/3 route-map pulp-fiction p
sw0(config-routemap pulp_fiction)# set ip vrf pulp_fiction next-hop 3.3.3.3
sw0(config-routemap pulp_fiction)# set ip interface NULL0
3. Create the seco
Providing the default stanza enables a mechanism whereby if any packet is received that does notmeet the match criteria set by the route map, the traf
Configuring PIM
● PIM overview
● PIM
PIM Sparse devices are organized into domains. A PIM Sparse domain is a contiguous set of devices that all implement PIM and are configured to operate
FIGURE 58 Single VCS deployment
The following requirements apply to the single-VCS deployment depicted in the figure above:
• Top of rack switches can b
The figure below shows the components for a two-tier VCS PIM topology.
FIGURE 59 Two-tier VCS deployment
The following requirements apply to the two-tie
• PIM can be enabled on all Brocade VDX 8770 or VDX 6740 models where VRRP-E is enabled.
• PIM DR-priority is configured on ve interfaces of all PIM-ca
• A timer mechanism must be available.
• An IGMP module should be available for correct operation of PIM when working as a DR.
PIM standards conformity
T
• 32 virtual interfaces. The virtual interfaces can be either Layer 3 VLAN or router ports
• 32 output interfaces
• 4,000 Layer 3 multicast group IDs
• 2
• Brocade VDX 6740
• Brocade VDX 6740T
• Brocade VDX 6740T-1G
If the chassis is not connected to another switch, it forms a "single node VCS fabric.
PIM configuration prerequisites
• VLAGs must belong to PIM-enabled VLANs. For more information, refer to Configuring Link Aggregation on page 437.
• Set
j) Exit interface configuration mode.
switch(config-Vlan-30)# exit
k) Enter VLAN interface configuration mode for the fourth VLAN.
switch (config)# int v
j) Enable PIM Sparse for this interface.
switch (config-ve-10)# ip pim-sparse
k) Exit Ve configuration mode.
switch (config-ve-10)# end
l) Repeat the conf
Configuring OSPF
● OSPF overview
● Conf
FIGURE 61 OSPF operating in a network
NOTE: For details of components and virtual links, refer to OSPF components and roles on page 584 and Virtual links
given area. The routers within the same area have identical topological databases. An ABR is responsible for forwarding routing information or changes
NOTE: By default, the Brocade device’s router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a lo
unavailable, OSPF automatically elects the ABR with the next highest router ID to take over translation of LSAs for the NSSA. The election process for
FIGURE 63 OSPF network containing an NSSA
This example shows two routing domains, a RIP domain and an OSPF domain. The ASBR inside the NSSA imports exte
NOTE: By default, a device’s router ID is the IP address configured on the lowest numbered loopback interface. If the device does not have a loopback int
Management modules
Two management modules (MMs) provide redundancy and act as the main controller on the Brocade VDX 8770-4 and VDX 8770-8 chassis. The
FIGURE 65 OSPF example in a VCS environment
OSPF considerations and limitations
• OSPF must be configured in a Virtual Cluster Switching (VCS) environme
• OSPF can be configured on either a point-to-point or broadcast network.
• OSPF can be enabled on the following interfaces: gigabitethernet, tengigabi
Router A# configure
Router A(config) # interface vlan 1001
Router A(config-Vlan-1001) # rbridge 10
Router A(config-rbridge-id-10) # interface Ve 1001
Rout
range addresses. For example, to define an area range for subnets on 0.0.0.10 and 0.0.0.20, do the following:
1. In privileged EXEC mode, issue the conf
9. Enter the area operand followed by the area ID, and repeat as necessary.
10. Enter the area operand followed by the area address in decimal or dotted
j) Enter the ip ospf area operand followed by the area ID to assign the interface to this area.
k) Enter the no shutdown command:
RB1# conf t
RB1(config)
Understanding the effects of disabling OSPF
Consider the following before disabling OSPF on a router:
• If you disable OSPF, the device removes all the
Configuring VRRP
● VRRP overview
● Conf
The virtual router shown in the figure above is identified as Group 1. A physical router forwards packets for the virtual router. This physical router
FIGURE 67 Two routers configured for dual redundant network access for the host
In this example, Router 1 and Router 2 use VRRP-E to load share as well
Upgrading firmware by using the manual option
Downloading firmware by using the default-config option
ISSUs are supported in both fabric cluster mode and logical chassis cluster mode for the following downgrade path: 4.1.0 to 4.0.1
High Availability beha
Only the master answers an ARP request for the virtual router IP address. Any backup router that receives this request forwards the request to the mast
FIGURE 68 Short path forwarding
VRRP considerations and limitations
Virtual routers must be configured in a Virtual Cluster Switching (VCS) environment.
‐ Brocade VDX 8770-4
‐ Brocade VDX 8770-8
• Brocade supports two VRRP protocols:
‐ Standard VRRP: The standard router redundancy protocol, VRRP v2 suppo
NOTE: You can assign a group number in the range of 1 through 255.
7. Assign a virtual router IP address.
sw1(config-vrrp-group-1)# virtual-ip 192.53.5.1
N
Enabling VRRP preemption
You can allow a backup router that is acting as the master to be preempted by another backup router with a higher priority valu
7. In interface configuration mode, enter the vrrp-extended-group command.
switch(config-Ve-10)# vrrp-extended-group 100
8. In group configuration mode,
NOTE: (For VRRP-E only) The address you enter with the virtual-ip command cannot be the same as a real IP address configured on the interface.
8. To confi
6. Configure the tengigabitethernet port 102/3/2 as the tracking port for interface ve 10, with a track priority of 20.
sw102(config-vrrp-extended-group
Virtual Routing and Forwarding configuration
● VRF overview
Slot numbering and configuration
The slot number specifies the physical location of a module in a switch or router, and the number of available slots of
FIGURE 69 VRF topology
OSPF VRF-Lite for customer-edge routers
A customer edge (CE) router acts as the provider edge (PE) router in VRF-Lite. When a typ
a) Enter VRF configuration mode and specify "orange" as the VRF name.
switch(config-rbridge-id-1)# vrf orange
b) Specify the router differenti
5. Enable the VRRP or VRRP-E protocol for the interface. (In this example, VRRP-E.)
switch(config-rbridge-id-1)# vrrp-extended 10
6. Set the virtual IP
A static route conflict may happen when the same prefix is reachable by two different nexthops in the target VRF. The forwarding behavior would be diff
1. Set the switch to config mode.
2. Configure the VRF instances you want to be the leaker (source VRF) and where the route is being leaked to (destinat
5. Navigate to the source VRF address family context for configuring static route leak.
switch(config)# rbridge-id 1
switch(conf-rbridge-id-1)# vrf Reds
Configuring BGP
● BGP overview
● Unde
The figure below illustrates connectivity to the core through an MLX. The RBridges use OSPF and IBGP to communicate with each other, connecting to the
FIGURE 73 Connectivity to the core without an MLX
The figure below illustrates the role of BGP in communicating through multiple VCS clusters and autono
• Refer to the Brocade VDX Hardware Reference manuals for information on connecting through the serial port.
• Refer to Configuring Ethernet management
FIGURE 74 BGP with multiple VCS clusters and autonomous systems
The figure below illustrates a BGP topology that incorporates a route-reflector server
• KEEPALIVE
• NOTIFICATION
• ROUTE REFRESH
BGP peering can be internal or external, depending on whether the two BGP peers belong to the same AS or differ
messages. When two neighbors have different hold-time values, the lowest value is used. A hold-time value of 0 means "always consider neighbor to
• Finite state-machine error
• Cease (voluntarily)
Error Subcode
Provides specific information about the error reported.
Error Data
Contains data based on
The device compares the MEDs of two otherwise equivalent paths if and only if the routes were learned from the same neighboring AS. This behavior is ca
Configuring BGP
To enable BGP on an RBridge, enter Bridge ID configuration mode and issue the router bgp command:
switch(config-rbridge-id-12)# router bg
• Address-family-specific neighbor configuration
• Explicit specification of networks to advertise
The following illustrates CLI options in address-fami
an AS number of the neighbor. For each neighbor, you can specify a set of attributes. However, in case a set of neighbors share the same set of attributes,
• Applying policy changes without resetting neighbor
• Keepalive and hold time
• Specifying of routes not to be suppressed in route aggregation
• Specify
switch(config-bgp-ipv4u)# redistribute ?
Possible completions:
 connected Connected
 ospf Open Shortest Path First (OSPF)
 st
NOTE: You can override the default port by using the telnet ip_address command with the optional port operand (range 0-65535). However, the device must b
When there is more than one route-reflector, they should all belong to the same cluster. By default, the value for cluster-id is used as the device ID.
NOTE: A dampening value for half-life can also be adjusted through a route map, by means of the set dampening option for the route-map command.
Default ro
When next-hop recursion is enabled, if the first lookup for the destination IP address results in an IBGP path that originated in the same AS, the devi
• If a route does not match any match statements in the route map, then the route is denied. This is the default action. To change the default action,
• If you specify deny, the device does not advertise or learn the route.
• If you specify permit, the device applies the match and set clauses associat
Setting parameters in the routes
Use the following command to define a set statement that prepends an AS number to the AS path on each route that matche
If the system scans all route-map instances but finds no matches, or if a deny condition is encountered, then it does not update the routes. Whenever a
Matching on a community ACL
To configure a route map that matches on community ACL 1:
switch(config)# rbridge-id 5
switch(config-rbridge-id-5)# ip commun
NOTE: These commands configure an additional community ACL, std_2, that contains community numbers 23:45 and 57:68. Route map mycommroutemap3 compares ea
NOTE: The first command configures a community ACL containing community numbers 12:99 and 12:86. The remaining commands configure a route map that matche
Connecting with SSH
Connecting to a switch using the SSH (Secure Socket Handling) protocol permits a secure (encrypted) connection.
For a listing and des
To unsuppress all suppressed BGP4 routes:
switch# clear ip bgp dampening
To clear the dampening statistics for a BGP4 route:
switch# clear ip bgp flap-st
Configuring IGMP
● IGMP overview
● IGMP
• By sending an unsolicited IGMP join request.
• By sending an IGMP join request as a response to a general query from a multicast router.
In response t
IGMP snooping scalability
Here are the scalability limits of IGMP snooping feature in various modes of switch operation for Network OS 4.1.0. The table
IGMP snooping: four-node cluster metrics (Continued)TABLE 94 Metric Limit CommentsMaximum number of VLANs supported with IGMPconfiguration128Maximum
IGMP snooping: IP multicast metrics (Continued)TABLE 97 Metric Limit CommentsIGMP interfaces supported 32IGMP snooping interfaces supported 256Learn
NOTE: An IGMP snooping querier cannot be configured on the same interface as a multicast router (mrouter) interface.
Refer to the Network OS Command Refer
NOTE: Refer to the Network OS Command Reference for additional information on IGMP CLI commands.
Using additional IGMP commands
The following commands pro
Configuring IP DHCP Relay
● DHCP protocol
NOTE: If you are in VCS mode, you must enter RBridge ID configuration mode before issuing the command, as shown in the example below.
switch# certutil imp
Brocade IP DHCP Relay overview
The Brocade IP DHCP Relay feature allows forwarding of requests and replies between DHCP servers and clients connected
The only unsupported configuration is a Network DHCP server. Client 1 is on a different subnet thanServer 3 and Server 4, which are on the same subnet
• You can configure the feature in standalone mode (applicable switches only) or VCS mode.
• You can configure up to four DHCP server IP addresses per
Example: VCS mode
The following is an example of configuring two IP DHCP Relay addresses on a physical 1 GbE interface in slot 2, port 4 on RBridge ID 2
Displaying IP DHCP Relay addresses for an interface
You can display IP DHCP Relay addresses configured on specific interfaces of a local switch, speci
Example: Displaying addresses for specific interfaces on range of switches
The following is an example for displaying addresses for a specific Virtu
Example: Displaying addresses on local RBridge
The following is an example of displaying addresses configured on interfaces of a local switch. Notice th
Displaying IP DHCP Relay statistics
Display information about the DHCP Relay function, such as the DHCP Server IP address configured on the switch and t
Displaying statistics for specific switches
The following is an example of displaying statistics for a cluster with RBridge 1 and RBridge 3.
sw0# show ip
router or switch to have multiple containers of routing tables or Forwarding Information Bases (FIBs), with one routing table for each VRF instance. Th
Re-enabling the SSH service
Re-enabling the SSH (Secure Socket Handling) service permits SSH access to a switch.
You must be in global configuration mod
High availability support
IP DHCP Relay address configurations are maintained when control is switched from the active to the standby management module
Section V: Network OS Troubleshooting
• Using the Chassis ID (CID) Recovery Tool
• Troubleshooting procedures
• TACACS+ Accountin
Using the Chassis ID (CID) Recovery Tool
● CID overview
• The FRU history table, which contains logs of insertions and removals of FRUs into and from the chassis. The content of this table is not audited or
• Recover BAD from GOOD. This option is offered only if one CID card contains good data and the other card contains corrupt data. If you select this op
Troubleshooting procedures
● Troubleshooting overview
Using information resources
The following information is helpful for incident investigation and resolution when you contact your switch-support provider
e) If the switch is part of a VCS Fabric cluster, verify that the MAC address tables are synchronized properly across all Brocade VDX switches in the c
ATTENTION: Setting static IP addresses and using DHCP are mutually exclusive. If DHCP is enabled, remove the DHCP client before you configure a static IP
To interoperate with MLX switches or other vendors’ switches, enter the following command in interface configuration mode:
switch(conf-if-te-0/1)# spann
Load balancing algorithms (Continued)TABLE 98 Feature AlgorithmLACP Provides adaptive load balancing based on up to seven criteria (7-tuple), depend
Multicast traffic in vLAG
Flooding traffic always goes through a primary link of the vLAG. You should consider this restriction when provisioning bandwi
ATTENTION: This condition can cause packet duplication or unexpected packet loss.
Traffic protection during split-brain conditions
By default, Network OS
Principal routing bridge availability
If a new principal routing bridge is introduced into a working VCS Fabric cluster, or if the principal routing bri
NIC teaming with vLAG
NIC teaming permits link aggregation between server and switch. It can be one of two types: active/passive model or active/active
For the flow control solution, enable flow control either on the ports receiving the traffic from end-devices (servers or personal computers) and the
Process exceptions can sometimes occur with the L2SYSD process when combinations of ACL limits are approached or exceeded.
Constant MAC learning and flu
• The port-profile is not activated or is not associated with the correct MAC address. Refer to Verifying the port-profile state on page 679.
• The VM
Verifying the port-profile state
For the correct functioning of AMPP, the port-profile must be active and must be associated with the correct MAC addres
enter, "209.157.22.99/24" for an IP address that has a network mask with 24 leading 1s in the network mask, representing 255.255.255.0.
switch
Verifying that port profiles do not conflict
1. Enter the show port-profile name pp1_name name pp2_name validate command to validate whether multiple po
1. Link the wwncardshow command to survey the extent of the damage. (This does not have to be done for single boards.)
switch# ln -s /fabos/cliexec/em /
Verifying SEEPROM data
1. To verify the SEEPROM, copy the test_symod file to /fabos/bin as test_sysmod, and select option 10 for i2c and option 27 to V
• Check that the fabric membership information is what you expect. Refer to Verifying the fabric on page 683.
• Ensure that MAC addresses are not moving
interface Fcoe 1/11/2
no shutdown
!
interface Fcoe 1/11/3
no shutdown
!
interface Fcoe 1/11/4
no shutdown
!
interface Fcoe 1/11/5
no shutdown
!
interface Fcoe 1/1
1. Check for db packet capture. Below are the commands to enable and view a capture.
db 8/0/1 rte enable capture all
db 8/0/1 rte start capture
db 8/0/1
• LLDP is not reporting its neighbors. Refer to Verifying LLDP on page 688.
• An overloaded CPU fails to generate keepalive packets. Refer to Checking
Verifying VCS Fabric configuration and RBridge ID
For the ISL to function correctly, the following criteria must be true:
• Both switches must have VCS
Total Number of Nodes : 1Rbridge-Id WWN Management IP VCS Status Fabric Status HostName------------------
VCS Fabric license Feature name:VCS_FABRIC
2. If the FCoE or DPOD license appears in the show license command output, but the feature does not wo
NOTE: When you connect the DHCP-enabled switch to the network and power on the switch, the switch automatically obtains the Ethernet IP address, prefix l
Dead Interval: 120 secs
Remaining Life : 104 secs
Chassis ID: 0005.1e78.f004
LLDP PDU Transmitted: 2412 Received: 2372
OPTIONAL TLVs
==============
DCBX TLV
5. Enter the show qos interface command to check the QoS configuration.
switch# show qos interface tengigabitethernet 66/0/55
Interface TenGigabitEthern
Unicasts: 10641, Multicasts: 2637, Broadcasts: 1976 64-byte pkts: 10874, Over 64-byte pkts: 3294, Over 127-byte pkts: 117 Over 255-byte pkts: 969,
Enter this command on other switches in the fabric to ensure that those switches can detect this MAC address.
switch# show mac-address-table
VlanId Mac-
Replace any non-Brocade SFP transceiver.
b) Try replacing the SFP transceiver.
c) Try replacing the cable.
Recovering the root password by using the root
To obtain the Boot PROM recovery password from your switch support provider, perform the following steps:
1. Connect to the serial console port of the s
Re-enter Recovery Password: YnfG9DDrlFMDVkNM0RkPtg==
8. When prompted with "New password:", enter a new Boot PROM password, and reenter it w
5. At the prompt, enter the Boot PROM password.
password: *******
=>
6. To reset the password, enter the resetpw command.
=> resetpw
..Done
7. To allo
If you still have access to the admin account, you can change the admin account password or change passwords on user accounts by using normal password-
• Recovering the root password for Brocade VDX 67xx platforms: Quick reference on page 699
• Recovering the root password for Brocade VDX 67xx platform
Administering Zones
Zoning overview
ipv6 ipv6-address [ ] ipv6 ipv6-gateways [ fe80::21b:edff:fe0f:bc00 fe80::21b:edff:fe0c:c200 ] line-speed actual "1000baseT, Duplex: Full"
Recover password: Used to generate a character string for your support provider to recover the Boot PROM password.
ATTENTION: Use this feature only when di
NOTE: For Network OS, the passwddefault command restores the passwords of factory default accounts to their default values and removes nondefault user ac
To perform the recovery procedure for dual Management Modules, stop both MMs in the command shell prompt. Then follow the listed recovery steps in the
4. Log in as root and enter the following commands in sequence:
a) noscli
b) configure
c) username name
d) password new-password
5. Restore nondefault user
=> setenv bootargs "root=/dev/sda1 rootfstype=ext4 quiet S"
7. Enter the printenv command to verify the change.
=> printenv
AutoLoad=yes
L
18. Use the following syntax of the username command to reset passwords for the admin or user accounts, or for any other nondefault users.
username accou
RBridge ID is duplicated
Switches with the same RBridge ID cannot coexist in the same VCS Fabric cluster. Any attempt to add a switch with the same RBri
• The management port is down. Refer to Verifying the status of the management port on page 707 for details.
• Access to the management interface is den
1. Enter the show running-config interface command to determine which interfaces have trunking enabled.
switch# show running-config interface
interface M
• If the interface is disabled, enable it with the no shutdown command.
• If misconfiguration is apparent, refer to Trunk member not used for informati
Do the following to set and display a banner.
1. In privileged EXEC mode, issue the configure terminal command to enter global configuration mode.
2. Ent
NOTEIt is not necessary to reboot the switch to enable the VCS Fabric license.switch# show licenseRbridge-Id: 66xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. On both switches, enter the show lacp counter command to verify that LACPDUs are transmitted and received, and there are no error PDUs.
switch# show
Dual-CLI sessions from the same switch: If you start a zone transaction from CLI-Session1 and then try to perform a zone modification from CLI-Session2
a) Enter the portCfgExPort -d Fabric OS command to set a unique front phantom domain ID.
b) Enter the fcrXlateConfig importedFID exportedFID preferredD
Blocking zone merge after reboot
To be sure of blocking zone merge following a switch reboot, enter the no fabric isl enable command to disable the ISL
FIGURE 78 Normal Layer 2 packet traversing a VCS fabric
In the figure above, an Ethernet packet arrives from MAC 1 at the VCS fabric edge. TRILL header
FIGURE 79 Verifying path continuity with immediate neighbor
The table below shows the packet header information for the request and response. The added
FIGURE 80 Verifying path continuity— second hop TTL countThe table below shows the packet header information for the request and response packets.Info
From the output, choose the source and destination MAC address:
• Source MAC address: 0050.5685.0003
• Destination MAC address: 0024.3878.e720
2. Enter t
show commands used for troubleshooting (Continued)TABLE 104 Command group Commands Specific fields or purposeInterface commands show interfaceshow m
Setting and displaying the chassis name
1. In privileged EXEC mode, issue the configure terminal command to enter global configuration mode.
2. Enter the
Using debug commands
You can perform the following operations related to debugging features:
• To enable debugging on a feature, use the debug command.
d
ASICs and portsTABLE 105 Network OSswitchASIC Port numbersBrocade VDX6720-60 andBrocade VDX6730-760 te0/1 through te0/101 te0/11 through te0/202 te0
short command, which typically takes 10 to 15 minutes. Alternatively, you can run subsets of theoffline commands that check various parts of the hardw
Use the show fabric route pathinfo command to display routing information from a source port on thelocal switch to a destination port on another switc
TACACS+ Accounting Exceptions
● TACACS+ command-accounting limitations
● Unsupporte

TABLE 108 Unsupported Network OS CLI commands in privileged EXEC mode (Continued)
Command name | Command Description
clear mcagt | Clears the MCAGT agent.

TABLE 108 Unsupported Network OS CLI commands in privileged EXEC mode (Continued)
Command name | Command Description
show cee maps | Displays CEE maps.
sho

TABLE 108 Unsupported Network OS CLI commands in privileged EXEC mode (Continued)
Command name | Command Description
show ssm | Displays the switch servic

Supported NTP Regions and Time Zones
● Africa
FIGURE 12 Five-node logical chassis cluster
To create a logical chassis cluster, follow the steps in the example below:
1. Log into one switch that will

America
The table below lists region and city time zones supported in the America region.
TABLE 111 Region/city time zones in America region
America/An

TABLE 111 Region/city time zones in America region (Continued)
America/Boa_Vista
America/Manaus
America/Eirunepe
America/Rio_Branco
America/Nassau
America

TABLE 114 Region/city time zones in Asia region
Asia/Dubai
Asia/Kabul
Asia/Yerevan
Asia/Baku
Asia/Dhaka
Asia/Bahrain
Asia/Brunei
Asia/Thimphu
Asia/Shanghai
As

Australia
The table below lists region and city time zones supported in the Australia region.
TABLE 116 Region/city time zones in Australia region
Aust

Indian
The table below lists region and city time zones supported in the Indian region.
TABLE 118 Region/city time zones in Indian region
Indian/Cocos
I
Taking precautions for mode transitions
Ensure that all nodes to be transitioned are running the same version of Network OS. Logical chassis cluster mod
spanning-tree shutdown
mac access-group test2 in
no shutdown
ATTENTION
Be sure to take the following precautions.
• Note that the copy default-config to st

NOTE
You can enter the RBridge ID configuration mode for any RBridge in the cluster from the cluster principal node.
NOTE
You can change the principal nod

9. Verify that the global configuration is available by running the show global-running-config command.
10. While logged on to the principal node in the

3. Run the following command to convert all RBridge IDs: no vcs logical-chassis enable rbridge-id all default-config.
NOTE
To convert just one RBridge ID

standalone mode.) If the no vcs logical-chassis enable command is executed on a switch that is currently in logical chassis cluster mode, the switch bo
Using System Monitor and Threshold Monitor
System Monitor overview
NOTE
If the new node is not yet VCS enabled, you can do so at the same time you assign the RBridge ID.
Refer to the vcs command options in the Network O

Examples of global and local configurations
The table below provides examples of global and local configuration commands that are available under the re

Configuring a switch in fabric cluster mode
Refer also to Fabric cluster mode on page 57. When you issue the show vcs command to display the VCS configu

Enter the show interface interface_type rbridge_id/slot/port command to display the configuration details for the specified interface.
switch# show inte

config startup-config command after the line card reaches the online state and before the system reboots.
Replacing a line card
You can remove a line car

Configuring high availability
The following sections provide you with information on configuring High Availability (HA) support on Brocade switches.
Usin
TABLE 8 Expected behaviors for uncontrolled failover
Command syntax | Behavior in fabric cluster and logical chassis cluster
Panic | Warm failover to stan

Rebooting a modular chassis
A chassis reboot brings up the system in sequential phases. First, software services are launched on the management modules

1. Enter the usb on command to enable the USB device.
2. Enter the usb dir command to display the default directories.
3. Enter the copy support usbdire

Displaying the autoupload configuration
Enter the show running-config support autoupload-param command to display the autoupload configuration on the lo
Password policies overview
Configuring password policies

TABLE 9 Options for optimizing route profiles (Continued)
Keyword | Optimizes resources for . . .
ipv4-min-v6 | IPv4 routes in dual-stack configurations
ip

ATTENTION
The hardware-profile command is disruptive. To apply the most recent profile, you must reboot (reload) the switch.
The following example select

Using hardware profile show commands
You can view route table and TCAM profiles in the running configuration, and also see the current active profile in

Displaying the hardware profile configuration default profile in fabric cluster mode
The following shows the use of the show hardware-profile command in

Brocade support for Openstack
Openstack is an open source infrastructure as a service (IaaS) initiative for creating and managing large groups of virtua
3. The physical switch configuration parameters and the Brocade-specific database configuration are specified in the brocade.ini configuration file.
% ca
Using Network Time Protocol
● Network Time Protocol overview
● Co

Configuring NTP
The following sections discuss how to correctly configure the Network Time Protocol for Brocade switches.
Configuration considerations fo
Refer to Using Network Time Protocol on page 97 for a complete list of configurable regions and cities.
Enter the clock timezone region/city co