The document provides an overview of common IP networking tasks like connecting to devices, configuring interfaces, upgrading software, backing up configurations, and securing access. It includes configuration examples and troubleshooting tips for various switches and routers.

IP CHEAT SHEET

Connecting Via Console Cable
Connect the serial console port on the device to the male DB-9 serial port of a PC using a straight-through cable. The serial settings are 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.

Using the Command Line Interface
There are three modes: non-privileged, privileged, and configuration. To execute commands that configure, reload, upgrade, etc., you must be in privileged mode. For help at any time, press <tab> or <?>. Commands may be abbreviated as long as the abbreviation does not match any other command. To remove a configuration statement, put "no" in front of it. There is a start-up configuration and a running configuration. To commit changes so they are not lost during a power failure or a reload, issue "write memory". To view the start-up configuration, type "show configuration". To view the running configuration, type "show run".

CLI Navigation Example:
FCX> enable
Password: *********
FCX# show run (output not shown)
FCX# configure terminal
FCX(config)#hostname MySwitch
MySwitch(config)#no hostname
FCX(config)#exit
FCX#wr m

Setting IP Address & default gateway on a switch
Notes: This is for a device running switch code. For devices in Layer-3 mode, refer to "Configuring Router Interfaces" or "Configuring Virtual Router Interfaces" to assign an IP. To assign a default gateway on a router, use "ip route 0.0.0.0/0 <IP address of Default Gateway>".
Troubleshooting: show ip
Configuration Example:
ip address 192.168.10.2/24
ip default-gateway 192.168.10.1

Setting Passwords
Notes: By default, a device has no passwords assigned and will allow access.
Configuration Example:
enable telnet password <password>
enable super-user <password>

Password Recovery
Prerequisites: Must have physical access to the switch and console port
Notes: Press 'b' within 3 seconds of power-cycling the switch to enter the boot prompt. This removes passwords in the running configuration, so be sure to set passwords. Alternatively, you can reset the configuration to factory defaults by replacing the command "no password" with "use default". This only affects the running configuration, so be sure to "write mem" or "erase start" once you're into the CLI.
Example:
Boot>no password
Boot>boot system flash primary

Upgrading Software
Prerequisites: Refer to the release notes for specific upgrade procedures and requirements
Notes: For most devices, there is boot code, monitor code, and a running image. You can store two versions on the device at a time unless both images are 7.2.02 router code or greater on devices with only 8MB flashes.
Troubleshooting: show flash
Typical File names: The first two letters are the device type, the third letter is the code type, and the remaining digits are the version number. FCX images start with FCX and the 4th letter is either an S or R; no Base Layer-3 exists for the FCX. The boot-monitor code for an FCX is grz. When upgrading the CES/CER, the boot file is both the boot and monitor file. It must be loaded twice, once with "boot" and once with "monitor".
FEB = Boot
FEM = Monitor
FES = Switch
FEL = Base Layer-3
FER = Full Layer-3
Example:
copy tftp flash 192.168.10.2 fes04000.bin pri | sec | boot | monitor

Upgrading software for MLX/MXR Chassis (RX Chassis Similar)
Prerequisites: Refer to the release notes for specific upgrade procedures and requirements
Notes: You can do hitless firmware upgrades (hitless-reload) provided that no hardware (FPGA) images require upgrades and the version you are upgrading to is "hitless-allowed" from the current running version.
Troubleshooting: show flash
Typical File names:
xm = combined image for both management and line cards
xmprm – management module boot code
xmb – management module monitor code
mbridge – management module FPGA image
xmlprm – line card boot code
xmlb – line card monitor code
pbifsp2 – FPGA image for all line cards
xppsp2 – FPGA image for all line cards
xgmacsp2 – FPGA image for 10G line cards
lpfpga – All FPGA images combined for line cards
Example:
! Upgrade the boot and monitor images on the management
! and line cards (Only do this if the release specifies an upgraded version)
copy tftp flash 192.168.1.1 xmprm03500.bin boot
copy tftp flash 192.168.1.1 xmb03500f.bin monitor
copy tftp lp 192.168.1.1 xmlprm03500.bin boot all
copy tftp lp 192.168.1.1 xmlb03500f.bin monitor all
! Upgrade image in primary flash for both management
! and line processors (must be release 3.5 or greater)
copy tftp image 192.168.1.1 xm03600d.bin
! Upgrade mbridge on management modules:
copy tftp mbridge 192.168.1.1 mbridge_03600d.xvsf
! Upgrade FPGA's on line processors (1G & 10G)
copy tftp lp 192.168.1.1 pbifsp2_03600d.bin fpga-pbif all
copy tftp lp 192.168.1.1 xppsp2_03600d.bin fpga-xpp all
copy tftp lp 192.168.1.1 xgmacsp2_03600d.bin fpga-xgmac all
! If on release 4.0 or greater, you can upgrade all FPGA's
! on the line processors at once with this command
copy tftp lp 192.168.1.1 lpfpga04000.bin fpga-all all

Backing up the Configuration
Prerequisites: A TFTP server or Secure Copy program and SSH enabled on the device
Notes: TFTP commands are issued on the device. SCP commands are issued on the server.
Example Commands for TFTP:


Backing up the device:
copy run tftp 192.168.10.2 myswitch.cfg
Restoring the device:
copy tftp start 192.168.10.2 myswitch.cfg
reload
Example Commands for SCP:
Backing up the device:
scp [email protected]:runConfig myswitch.cfg
Restoring the device:
scp myswitch.cfg [email protected]:startConfig
Reload the switch for the restored configuration to take effect.

Securing Remote Access with ACL's
Notes: Create a standard ACL for use in restricting access. Standard access lists are numbered from 1 to 99. Entries are grouped by number and evaluated in order. Every access-list ends with a "deny ip any". These ACL numbers are used for restricting access to SSH, Telnet, Web, SNMP, etc.
Troubleshooting: show access-list
Configuration Example:
access-list 10 remark MGMT ACCESS
access-list 10 permit host 192.168.10.24
access-list 10 deny host 192.168.20.5
access-list 10 permit 192.168.20.0/24

Enabling Secure Shell Access (SSH)
Prerequisites: Standard ACL created (optional)
Notes: Requires usernames/passwords to be created.
Configuration Example:
crypto key generate
user <username> privi 0 password <password>
aaa authentication login default local
ssh access-group 10
ip ssh idle-time 20
ip ssh timeout 60

Securing Telnet
Prerequisites: Standard ACL created (optional) and user (if using enable telnet authentication, see example for creating users in Enabling SSH)
Notes: Typically, for security, telnet is disabled; however, in addition to disabling it (no telnet server), it is advised to secure it as if it were enabled, just in case someone inadvertently turns it on.
Configuration Example:
telnet access-group 10
telnet timeout 10
enable telnet authentication

Requiring Username and Password to enter Enable Mode
Prerequisites: Local users configured or RADIUS/TACACS+ server for remote authentication
Configuration Example:
aaa authentication enable default local
Optional additional configuration: To use the access level granted at the user's initial login authentication, instead of requiring users to re-enter their credentials to enter enable (privilege) mode, use the following command:
aaa authentication login privilege-mode

Securing Web Access
Prerequisites: Standard ACL created (optional) and user (if using aaa authentication, see example for creating users in Enabling SSH)
Notes: By default, the web server responds and can be authenticated to using the user "get" and the read-only SNMP community string as the password. Alternatively, if a read-write community string is created, it can be accessed via "set" and the read-write community string. Changing the aaa authentication method will change this behavior. Also, it is advised to change access from http to https or disable it altogether with "no web-management http".
Configuration Example:
crypto-ssl cert generate
no web-management http
web-management https
web access-group 10
aaa authentication web-server default local

Securing Management to Specific Router IPs
Prerequisites: Appropriate telnet/snmp/syslog/ssh/web configurations
Notes: Using a loopback interface is best as it is not tied to a physical interface that can potentially go down. Some options may not be available on some devices.
Configuration Example:
interface loopback 1
ip address 192.168.100.1/32
!
ip telnet source-interface loopback 1
ip ssh source-interface loopback 1
ip web source-interface loopback 1
snmp-server trap source-interface loopback 1
ip syslog source-interface loopback 1

Using and Securing SNMPv2
Prerequisites: Standard ACL created for additional security (optional)
Notes: By default, a read-only community string of "public" is defined. It will not appear in the configuration, but it is present. You need to change this from the default value. An snmp-server host is the server to which SNMP traps will be sent. IMPORTANT: If you remove all SNMPv2 strings, the system will restore "public" on reload.
Troubleshooting: show snmp server
Configuration Example:
snmp-server host 192.168.10.2
no snmp-server community public ro
snmp-server community <secret> ro 10
snmp-server community <secret> rw 10

Using and Securing SNMPv3
Prerequisites: Standard ACL created for additional security (optional)
Notes: SNMPv3 uses encryption to send and receive SNMP traffic.
Configuration Example:
snmp-server group <group> v3 auth access 10 read all write all notify all
snmp-server user <user> <group> v3 auth md5 <pass> priv aes <pass>
snmp-server host 192.168.10.2 version v3 privacy <user>
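The ACL, SSH, Telnet, Web and SNMP sections above describe a small set of checks that can be run against a saved configuration. The Python below is an added example (not the cheat sheet's or Brocade's tooling) that audits a constructed running-config for those settings and evaluates the standard ACL with the ordered, first-match, deny-at-the-end semantics described; the function names and the sample config are assumptions made for the example.

```python
"""Management-plane audit for a Brocade/Foundry-style running-config.

Added example for this cheat sheet (not Brocade's tooling). The sample config
is constructed and deliberately mixes hardened and weak settings."""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list 10 remark MGMT ACCESS
access-list 10 permit host 192.168.10.24
access-list 10 deny host 192.168.20.5
access-list 10 permit 192.168.20.0/24
ssh access-group 10
telnet access-group 10
web-management http
snmp-server community public ro
snmp-server community s3cr3t rw
enable aaa console
"""


def parse_standard_acls(config):
    """Return {acl_number: [(action, network), ...]} in configuration order.

    Handles the forms used on this page: "host A.B.C.D", "A.B.C.D/len", "any".
    Remark lines are skipped."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", line.strip())
        if not m:
            continue
        number, action, target = int(m.group(1)), m.group(2), m.group(3).strip()
        if target.startswith("host "):
            net = ipaddress.ip_network(target.split()[1] + "/32")
        elif target == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(target, strict=False)
        acls.setdefault(number, []).append((action, net))
    return acls


def acl_permits(rules, source):
    """Entries are tried in order; the first match decides, otherwise the
    deny at the end of every standard ACL applies."""
    addr = ipaddress.ip_address(source)
    for action, net in rules:
        if addr in net:
            return action == "permit"
    return False


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [l.strip() for l in config.splitlines()]
    acls = parse_standard_acls(config)
    findings = []
    # ssh/telnet/web should each carry "<service> access-group <acl>".
    for svc in ("ssh", "telnet", "web"):
        bound = [l for l in lines if l.startswith(svc + " access-group ")]
        if not bound:
            findings.append(svc + ": no access-group bound")
        elif int(bound[0].split()[-1]) not in acls:
            findings.append(svc + ": access-group references an undefined ACL")
    # SNMP: the default "public" string must go, and every community should
    # end with an ACL number, as in "snmp-server community <secret> ro 10".
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (ro|rw)(.*)$", l)
        if not m:
            continue
        name, mode, rest = m.groups()
        if name == "public":
            findings.append("snmp: default community 'public' still configured")
        if not rest.strip():
            findings.append("snmp: " + mode + " community has no access-list restriction")
    if "web-management http" in lines:
        findings.append("web: plain http enabled; disable it and use https")
    if "no telnet server" not in lines:
        findings.append("telnet: server not explicitly disabled")
    if "enable aaa console" not in lines:
        findings.append("console: aaa authentication not enabled on console")
    return findings


def acl_decisions(config, acl_number, sources):
    """Evaluate several sources against one ACL; returns {source: permitted}."""
    rules = parse_standard_acls(config).get(acl_number, [])
    return {s: acl_permits(rules, s) for s in sources}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    for src, ok in acl_decisions(SAMPLE_CONFIG, 10,
                                 ["192.168.10.24", "192.168.20.5",
                                  "192.168.20.7", "10.0.0.1"]).items():
        print(src, "permit" if ok else "deny")
```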


Enabling sFlow (RFC 3176)
Prerequisites: sFlow collector to receive the sFlow information
Notes: sFlow samples packets flowing through the switch and reports them back to a collector for analysis. The devices process the packets in hardware; however, care should be taken in selecting a sample rate so as not to overwhelm the processing and storage capacity of the collector. Most devices only sample in the inbound direction, so all ports must be enabled to report all traffic on the device.
Configuration Example:
sflow destination 192.168.100.2
sflow sample 512
sflow enable
int e 1 to 24
sflow forwarding

Syslog and NTP Server
Prerequisites: A syslog server to receive messages and an NTP time source.
Notes: Logging on the devices is limited by space. It's advised to send a copy to a server for more permanent storage.
Configuration Example:
sntp server 192.168.10.3
logging 192.168.10.2
logging buffered 100

Securing the Console Port
Prerequisites: aaa authentication methods configured
Configuration Example:
enable aaa console
console timeout 10

Creating an IronStack w/ Hitless Failover
Prerequisites: FCX Stackable switches
Notes: After issuing the command "stack secure-setup" at the privileged level to create the stack, configure two of the stack members with the same priority (this prevents the master from taking back over after a failure). The stack mac can be derived from the mac of one of the devices. It's used so STP packets, etc. are sourced from the same mac before and after failover.
Troubleshooting: show stack
Configuration Example:
stack unit 1
priority 250
stack unit 2
priority 250
stack mac 0024.00e1.1111
hitless-failover enable

Creating a Link Aggregation (Edge Switch)
Prerequisites: The ports that are to be aggregated must be the same speed, same VLAN, etc. to be combined.
Notes: Depending on the device, there may be restrictions on which ports can be combined to create aggregated links. Once created, all configuration for the link aggregation group is done via the primary port.
Troubleshooting: show trunk
Static Configuration Example:
trunk e 1 to 2
trunk deploy
Dynamic (LACP) Configuration Example:
int e 1
link-aggregate configure key 10000
link-aggregate active
int e 2
link-aggregate configure key 10000
link-aggregate active

Creating a Link Aggregation (Core Switch)
Prerequisites: v.3.7.00 or greater; otherwise, use the configuration for the edge switch. The ports that are to be aggregated must be the same speed, same VLAN, etc. to be combined.
Notes: To enable or disable individual ports within a trunk, you must use the disable/enable command within the lag commands.
Troubleshooting: show lag brief
Static Configuration Example:
lag blue static id 1
ports ethernet 3/1 ethernet 7/2
primary port 3/1
deploy
Dynamic (LACP) Configuration Example:
lag red dynamic id 1
ports ethernet 3/4 to 3/5
primary port 3/4
deploy

Configuring Multi-Chassis Trunking (MCT)
Prerequisites: VLANs created with ports assigned, 802.3ad LAGs set up on non-MCT devices, and the ICL port tagged into the vlans that are to use MCT.
Notes: Multi-Chassis Trunking is a way to increase redundancy while decreasing complexity in the network. Two NetIron devices may appear logically as one to all downstream devices, allowing 802.3ad LAG groups to form between the three devices. This allows one MCT device to fail without a hit to traffic.
Troubleshooting: show cluster
Configuration Example: Here, a four port LAG will form, 2 from each of A and B
ROUTER A:
vlan 4090 name Session-VLAN !—Does not have to be 4090
tag e 2/1 !—Link going between the two routers, called an ICL
router-interface ve 200
int ve 200
ip addr 10.1.1.1/30
lag blue dynamic
ports ethernet 3/1 ethernet 4/1 !—Interfaces that go to non-MCT device
primary port 3/1
deploy
cluster <name> <ID> !—ID must match on A and B
rbridge-id 1 !—ID must be unique for each device
session-vlan 4090
keep-alive-vlan <#> !—vlan to use if ICL is lost
member-vlan 10 !—vlan(s) that are to traverse the LAG
icl <name> eth 2/1 !—define ICL to be used for this cluster
peer <ip of B> rbridge-id <ID of B> icl <name from line above>
deploy
client edge1
rbridge-id 3 !—This ID must match on both A and B


client-interface ethernet 3/1
deploy
ROUTER B:
vlan 4090 name Session-VLAN !—Does not have to be 4090
tag e 2/1 !—Link going between the two routers, called an ICL
router-interface ve 200
int ve 200
ip addr 10.1.1.1/30
lag blue dynamic
ports ethernet 3/1 ethernet 4/1 !—Interfaces that go to non-MCT device
primary port 3/1
deploy
cluster <name> <ID> !—ID must match on A and B
rbridge-id 2 !—ID must be unique for each device
session-vlan 4090
keep-alive-vlan <#> !—vlan to use if ICL is lost
member-vlan 10 !—vlan(s) that are to traverse the LAG
icl <name> eth 2/1 !—define ICL to be used for this cluster
peer <ip of B> rbridge-id <ID of B> icl <name from line above>
deploy
client edge1
rbridge-id 3 !—This ID must match on both A and B
client-interface ethernet 3/1
deploy

Enabling Foundry Discovery Protocol (FDP) or Cisco Discovery Protocol (CDP)
Prerequisites: None
Notes: FDP enables Brocade devices to periodically advertise themselves to other Brocade devices on the network. CDP is a Cisco proprietary protocol used to configure their VoIP handsets and other edge devices.
Troubleshooting: show fdp neighbors
Configuration Example:
fdp run
cdp run

Creating a VLAN
Prerequisites: None
Notes: VLANs segment ports into separate broadcast/multicast domains. Brocade's implementation is based on IEEE 802.1Q, which defines "tagged" packets. Ports that are defined as "tagged" send the 802.1Q VLAN ID embedded in the packets. Ports defined as "untagged" do not send the VLAN ID in the packet.
Caveats: "Untagged" ports can only belong to one VLAN. Only ports belonging to the Default VLAN can be assigned to another VLAN. If you wish to move "untagged" ports from one VLAN to another, they must first be placed back into the Default VLAN with the command "no untagged e <port number>".
Configuration Example:
vlan 10 name Accounting
tagged e 49
untagged e 1 to 10
untagged e 15
no untagged e 8
To configure multiple vlans at once, use the following:
vlan 5 8 to 10
tagged e 1

Creating a management VLAN for switches
Prerequisites: VLAN created with ports assigned.
Notes: By default, a switch will respond to requests on all VLANs provided the Layer-3 addressing matches. Creating a management VLAN stops that behavior, and the switch management will only answer requests that arrive on the specified VLAN.
Caveats: Only one management VLAN can be assigned. If an "ip default-gateway" has already been assigned, it will be moved into the VLAN configuration as "default-gateway".
Configuration Example:
vlan 10 name Management
management-vlan
default-gateway 192.168.10.1 1

Dual-Mode Ports
Prerequisites: VLANs created with ports assigned.
Notes: In some situations, like connecting to a Cisco® device or a VoIP device, traffic may appear on an interface both tagged and untagged. For example, the Cisco native vlan will not have a VLAN tag on a Cisco 802.1Q link. A port that is dual-mode will send/receive untagged packets and place them into the appropriate VLAN while also accepting normal tagged traffic.
Configuration Example (Edge Device):
vlan 10 name Voice
tagged e 1
vlan 20 name Data
tagged e 1
int e 1
dual-mode 20 !— Untagged traffic to VLAN 20
Configuration Example (Core Devices):
For any given port, only one vlan can be "untagged".
vlan 10 name Voice
tagged e 1/1
vlan 20 name Data
untagged e 1/1
By default, ports will remain untagged in the default vlan as you tag them into other vlans unless you remove them. To stop this behavior globally, use the command "no dual-mode-default-vlan".
vlan 1 name DEFAULT-VLAN
no untagged e 1/1

Configuring Power over Ethernet (POE/POE+)
Prerequisites: POE/POE+ capable switch and ports. POE power supplies installed for the SX chassis.
Notes: By default, POE is not enabled on the interfaces. This is because the system will calculate power delivery, and if there are not enough power supplies for the configured inline power ports, then starting with the highest interface number (unless power priority is configured), power will be disabled on the excess ports.
Troubleshooting: show inline power
Configuration Example:
int e 1
inline-power


Configuring Quality of Service (QoS)
Prerequisites: None.
Notes: QoS prioritizes the use of bandwidth for a link. Traffic can be dropped, prioritized for guaranteed delivery, or subject to limited delivery options as configured by a number of different mechanisms. In campus deployments, this typically means guaranteeing the delivery of VoIP traffic through the network. Traffic is typically marked with a DSCP value on the phone, which Brocade switches then honor.
Configuration Example:
int e 1
trust dscp

DHCP Server
Prerequisites: FastIron code 7.1 or greater (7.2 for SX). In an IronStack, "stack mac" must be configured.
Notes: Up to 1000 DHCP clients. Information will be stored on flash. Multiple pools can be configured.
Troubleshooting: show ip dhcp-server summary and show ip dhcp-server bind
Configuration Example:
ip dhcp-server pool guests
dhcp-default-router 192.168.50.1
dns-server 192.168.10.1
domain-name brocade.com
network 192.168.50.0/24
deploy
!
ip dhcp-server enable

SNTP Time Server
Prerequisites: FastIron code 7.3 or greater, NetIron code 5.0 or greater.
Notes: MD5 authentication of timeserver packets is optional
Troubleshooting: show sntp server, show sntp association
Configuration Example:
! The following gets the time from another server using MD5 (optional) and issues the time to clients
sntp server 192.168.100.1 authentication 1 <secret>
sntp poll-interval 1800 !—Adjust polling interval if necessary
sntp server-mode authentication <secret>
!
! The following issues the time to clients using the local time on the device
sntp server-mode use-local-clock stratum 3 authentication-key 2 <secret>
!
! Specify which interface to use as the server
ip sntp source-interface loopback 1

Per VLAN Spanning Tree
Prerequisites: VLAN created with ports assigned
Notes: By default, devices running switch code have Per-VLAN STP running. Devices running router code do not. The default spanning tree priority is 32768.
Troubleshooting: show spanning-tree
Configuration Example:
vlan 10
spanning-tree
spanning-tree priority 256

Per VLAN Rapid Spanning Tree
Prerequisites: VLAN created with ports assigned
Notes: All switches in the VLAN need to be running RSTP. All switch-to-switch interfaces must be defined as "admin-pt2pt-mac" ports. Priority only needs to be assigned on the primary and backup root switches.
Troubleshooting: show 802-1w
Configuration Example:
vlan 10
spanning-tree 802-1w
spanning-tree 802-1w priority 256
int e 49
spanning-tree 802-1w admin-pt2pt-mac

MSTP (802.1s) – IEEE based per Vlan Rapid Spanning Tree
Prerequisites: VLAN created with ports assigned
Notes: The mstp name and revision number must be the same across all switches in the same region. MSTP operates just like RSTP.
Troubleshooting: show mstp config
Configuration Example:
mstp name Campus
mstp revision 1
mstp instance 6 vlan 6
mstp instance 6 priority 8192
mstp admin-pt2pt-mac ethe 1/5 to 1/20
mstp start

Configuring BPDU Guard
Prerequisites: None.
Notes: Used to prevent rogue switches from connecting to the network. If an STP BPDU is seen on an interface with BPDU guard enabled, the port will be put into an 'errdisable' state and must be manually re-enabled by the administrator. Best used on ports at or near the access layer.
Troubleshooting: show stp-bpdu-guard
Configuration Example:
int e 1
stp-bpdu-guard

Configuring Root Guard
Prerequisites: None.
Notes: Used to prevent undesired Spanning Tree topologies. When deployed on a physical port, if the switch receives a BPDU with a lower root priority (i.e. a change in root), it ignores the BPDU and errdisables the port. The administrator must then manually disable and re-enable the port, or may set a timeout value.
Troubleshooting: show spanning-tree root-protect
Configuration Example:
int e 1
spanning-tree root-protect
spanning-tree root-protect timeout 120
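The BPDU guard and root guard behaviour described above, as an added example (not Brocade's implementation): a small model that applies both rules to a constructed sequence of received BPDUs, recovering a root-guard port after its timeout and leaving a BPDU-guard port down until the administrator re-enables it. The class and function names, the port names and the event timings are assumptions made for the example.

```python
"""Decision logic for the two STP protections on this page, BPDU guard and
root guard. Added example (not Brocade's implementation); the switch state and
BPDU events are constructed. Lower numeric priority means a better root."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False
    root_guard: bool = False
    root_guard_timeout: Optional[int] = None  # seconds; None = manual recovery only
    errdisabled_by: Optional[str] = None      # "bpdu-guard", "root-guard" or None
    errdisabled_at: Optional[int] = None


@dataclass
class Switch:
    root_priority: int                        # priority of the root currently seen
    ports: Dict[str, Port] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def receive_bpdu(self, port_name, advertised_root_priority, now):
        """Apply the guard rules to one received BPDU; return the port state."""
        port = self.ports[port_name]
        if port.errdisabled_by:
            self.log.append(f"{now}s {port_name}: BPDU dropped, port errdisabled")
            return "errdisabled"
        if port.bpdu_guard:
            # Any BPDU on a guarded (access-layer) port: a rogue switch is suspected.
            port.errdisabled_by, port.errdisabled_at = "bpdu-guard", now
            self.log.append(f"{now}s {port_name}: BPDU guard -> errdisable")
            return "errdisabled"
        if port.root_guard and advertised_root_priority < self.root_priority:
            # A superior root is advertised: ignore it and errdisable rather than reconverge.
            port.errdisabled_by, port.errdisabled_at = "root-guard", now
            self.log.append(f"{now}s {port_name}: root {advertised_root_priority} "
                            f"beats {self.root_priority}, root guard -> errdisable")
            return "errdisabled"
        self.log.append(f"{now}s {port_name}: BPDU accepted")
        return "forwarding"

    def tick(self, now):
        """Recover root-guard ports whose timeout elapsed; return their names.
        BPDU-guard ports stay down until admin_reenable()."""
        recovered = []
        for port in self.ports.values():
            if (port.errdisabled_by == "root-guard"
                    and port.root_guard_timeout is not None
                    and now - port.errdisabled_at >= port.root_guard_timeout):
                port.errdisabled_by, port.errdisabled_at = None, None
                recovered.append(port.name)
        return recovered

    def admin_reenable(self, port_name):
        """Manual disable/enable by the administrator."""
        port = self.ports[port_name]
        port.errdisabled_by, port.errdisabled_at = None, None
        return port


def run_scenario():
    """Constructed event sequence exercising both guards; returns the switch."""
    sw = Switch(root_priority=32768)   # page: default spanning tree priority
    sw.ports["e1"] = Port("e1", bpdu_guard=True)                 # access port
    sw.ports["e2"] = Port("e2", root_guard=True, root_guard_timeout=120)
    sw.ports["e3"] = Port("e3")                                  # plain uplink
    sw.receive_bpdu("e3", 32768, now=0)    # ordinary BPDU: accepted
    sw.receive_bpdu("e1", 32768, now=5)    # any BPDU on a BPDU-guard port
    sw.receive_bpdu("e2", 4096, now=10)    # claims a better root than 32768
    sw.receive_bpdu("e2", 4096, now=20)    # dropped while errdisabled
    sw.tick(now=100)                       # 90 s elapsed: still down
    sw.tick(now=130)                       # 120 s elapsed: e2 recovers
    return sw


if __name__ == "__main__":
    for entry in run_scenario().log:
        print(entry)
```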


Enabling MAC-Based Port Security
Notes: An interface can be set up to accept a certain number of MAC addresses per port and automatically shut down/restrict the port if the MAC changes or more than that number of MAC addresses are discovered on the port.
Troubleshooting: show port security, clear port security
Configuration Example:
port-security
violation shutdown 10 !—shutdown the port for 10 min
autosave 60 !—save learned macs to flash every 60 min
int e 1 to 24
port security
enable
maximum 1 !—Note: 1 is the default, so this command will not show

Enabling Multicast for Layer-2 Switches
Notes: By default, IGMP snooping is disabled. This means that any multicast packet will be treated as a broadcast packet. Active should only be used when no routers are configured for IGMP/PIM in the network.
Configuration Example:
ip multicast passive

Configuring Router Interfaces
Prerequisites: Switch is in Full Layer-3 code
Notes: The route-only statement ensures that no broadcast will leak between the ports that are assigned to the same VLAN. Doing this precludes the need to have every port in its own VLAN.
Troubleshooting: show ip int
Configuration Example:
int e 1
ip address 192.168.10.1/24
route-only

Configuring Virtual Router Interfaces
Prerequisites: Switch is in Base Layer-3 or Full Layer-3 code and ports are assigned to a VLAN.
Notes: This is to assign a router interface to a group of ports with a VLAN.
Troubleshooting: show ip int
Configuration Example:
vlan 10
untagged e 1 to 2
router-interface ve 10
interface ve 10
ip address 192.168.10.1/24

Configuring Static Routes
Prerequisites: Switch is running Base Layer-3 or Full Layer-3 code and IP addresses are already assigned to interfaces or virtual interfaces.
Notes: Although the next hop can be the interface name, do NOT use this. Always specify the IP address of the next router to which the packets should be sent.
Troubleshooting: show ip route
Configuration Example:
ip route 192.168.10.0/24 192.168.2.1

Configuring OSPF
Prerequisites: Switch is running Full Layer-3 code and IP addresses are already assigned to interfaces or virtual interfaces
Notes: Passive interfaces do not transmit OSPF hellos. This is for security on subnets that don't have neighboring routers. Additionally, consider MD5 authentication of neighbors. Configuring a loopback interface is recommended as the router-id for OSPF.
Troubleshooting: show ip ospf
Configuration Example:
interface loopback 1
ip address 192.168.100.1/32
router ospf
area 0
int e 1
ip ospf area 0
ip ospf md5-authentication key-id 1 key <shared key>
int ve 10
ip ospf area 0
ip ospf passive

Configuring VRRP
Prerequisites: Switch is running Full Layer-3 code and IP addresses are already assigned to interfaces or virtual interfaces.
Notes: VRRP provides redundancy for routers. One router is the owner of the IP and one (or more) routers back up the owner of the IP.
Troubleshooting: show ip vrrp brief
Configuration Example:
ROUTER A:
router vrrp
int ve 10
ip address 192.168.10.1/24
ip vrrp vrid 10
owner
ip-address 192.168.10.1
activate
ROUTER B:
router vrrp
int ve 10
ip address 192.168.10.2/24
ip vrrp vrid 10
backup priority 150
ip-address 192.168.10.1
advertise backup
activate

Configuring VRRP-Extended
Prerequisites: Switch is running Full Layer-3 code and IP addresses are already assigned to interfaces or virtual interfaces.
Notes: VRRP Extended is similar to VRRP, except all routers are configured as backups and the backup router with the highest priority is the Master for the IP. In addition, VRRP Extended introduces track-ports. For each track port that is down, the track priority is subtracted from the overall priority. In the example below, if Router A's track port is down, the overall priority would be 170. Since 170 would be lower than Router B's priority of 180, Router B will become Master. This is useful to have VRRP-E follow the status of the uplinks from the devices.
Troubleshooting: show ip vrrp-e brief
Configuration Example:
ROUTER A:
router vrrp-extended
int ve 10
ip address 192.168.10.2/24


ip vrrp-extended vrid 10
backup priority 200 track-priority 30
track-port ethernet 1/1
ip-address 192.168.10.1
advertise backup
activate
ROUTER B:
router vrrp-extended
int ve 10
ip address 192.168.10.3/24
ip vrrp-extended vrid 10
backup priority 180 track-priority 30
track-port ethernet 2/2
ip-address 192.168.10.1
advertise backup
activate

Enabling Multicast (PIM-DM) for Routers


Prerequisites: A routing protocol and loopback address configured.
Notes: When enabling PIM, the default is Dense Mode. All interfaces that will
participate in multicast should have PIM enabled. This includes the router-to-
router links and the links to user subnets. Enabling PIM on an interface
enables IGMP as well.
Troubleshooting: show ip pim nbr; show ip pim mcache
Configuration Example:

router pim
int e 1/1
ip pim


Configuring VLL with LDP
Prerequisites: MPLS capable device with OSPF running and a loopback configured.
Notes: Route-only should not be configured on MPLS interfaces. FDP and CDP cannot be configured on untagged VLL endpoints (i.e. the customer interface). Customer facing interfaces can be tagged or untagged.
Troubleshooting: show mpls ldp, show mpls vll
Configuration Example:
router mpls
mpls-interface e 2/1
ldp-enable
vll Test_VLL 100
vll-peer 192.168.100.100 !-- Loopback IP of end-point
vlan 100
untagged e 4/1 !—Customer Interface

Configuring VPLS with LDP
Prerequisites: MPLS capable device with OSPF running and a loopback configured.
Notes: Route-only should not be configured on MPLS interfaces. Bridge PDUs (BPDUs) do not go across VPLS unless you configure "no vpls-bpdu-block" on the physical interface. FDP and CDP cannot be configured on untagged VPLS endpoints (i.e. the customer interface). Customer facing interfaces can be tagged or untagged.
Troubleshooting: show mpls ldp, show mpls vpls, show mac vpls
Configuration Example:
router mpls
mpls-interface e 2/1
ldp-enable
vpls Test_VPLS 200
vpls-peer 192.168.100.10 192.168.100.20 !-- Loopback IP(s) of peer MPLS routers
vlan 100
untagged e 4/1 !—Customer Interface

Securing LDP
Prerequisites: MPLS Routers using LDP
Notes: Requiring authentication of LDP packets provides security.
Troubleshooting: show mpls ldp interface; show mpls ldp neighbor
Configuration Example:
router mpls
ldp
!—Repeat for all other MPLS router loopbacks
session 192.100.255.3 key <secret>
session 192.100.255.1 key <secret>

Configuring VPLS with BGP Autodiscovery
Prerequisites: MPLS capable device with OSPF running and a loopback configured.
Notes: In Autodiscovery, the vpls-peer does not have to be specified. An extension to BGP is used to exchange peer information. It is recommended that you follow the steps below in order when configuring the VPLS. Notice that the BGP configuration is split between configuring and activating. This prevents you from having to clear the entire peering session. The endpoints of the VPLS instance are associated via the VCID (200 in this example). The name of the VPLS instance is not exchanged.
Troubleshooting: clear ip bgp l2vpn vpls neighbor all; show ip bgp l2vpn vpls sum
Configuration Example:
int loopback 1
ip address 10.1.1.1/32
ip ospf area 0
router bgp
local-as 10
!-- Repeat the following for all the iBGP peers in the VPLS network
neighbor 10.1.1.2 remote-as 10
router mpls
mpls-interface e 2/1
ldp-enable
vpls CustomerA 200
auto-discovery
vlan 100
untagged e 4/1 !—Customer Interface
router bgp
address-family l2vpn vpls
!-- Repeat the following for all the iBGP peers in the VPLS network
neighbor 10.1.1.2 activate

Configuring static LSP (RSVP-TE)
Prerequisites: MPLS capable device with OSPF running and a loopback configured.
Notes: Specifying a path is optional. If no path is specified, then standard IP routing or constrained shortest path first (CSPF), if enabled, will be used to build a path.
Troubleshooting: show mpls path, show mpls lsp, show mpls route
Configuration Example:
router mpls
path R1_to_R3 !—Paths are optional
strict 192.168.100.10 !- Must go to this device
loose 192.168.100.50 !- Take any way to this device
lsp R1_to_R3
to 192.168.100.100
primary R1_to_R3 !—Optional
secondary R1-to_R3_Alt !—Alt path
standby !- Pre-signal the standby LSP for <50ms failover

Securing RSVP-TE
Prerequisites: MPLS Routers using RSVP
Notes: Requiring authentication of RSVP packets provides security.
Troubleshooting: show mpls rsvp interface; show mpls rsvp session
Configuration Example:
router mpls
mpls-interface e 2/1
rsvp-authentication key <secret>


Configuring BGP/L3VPN
Prerequisites: MPLS capable device with LDP or RSVP and a loopback configured.
Notes: When placing an Interface or VE into a VRF, all previous IP address information will be removed. Route-targets are used to determine which routes are shared among customers. In this example, the VRF for Customer A has a route distinguisher (rd) of 100:1 and its peer route has an rd of 100:2. Importing and exporting rd 100:2 allows the routers to learn each other's networks that belong to CustomerA.
Troubleshooting: show ip bgp vrf <name>; ping vrf <name> <ip address>
Configuration Example:
!—Create each customer's VRF Context
vrf CustomerA
 rd 100:1
 route-target both 100:2
 address-family ipv4
interface e 1/1
 vrf forwarding CustomerA
 ip address 172.16.100.1/24
 ip ospf area 1 !—If doing OSPF with customer
router bgp
 local-as 65001
 !-- Repeat the following for all the iBGP peers in the MPLS network
 neighbor 192.168.100.1 remote-as 65001
 neighbor 192.168.100.1 update-source loopback 1
 neighbor 192.168.100.1 password <secret> !—for security
 address-family vpnv4 unicast
  !-- Repeat the following for all the iBGP peers in the MPLS network
  neighbor 192.168.100.1 activate
  neighbor 192.168.100.1 send-community extended
 !—Repeat for each customer vrf
 address-family ipv4 unicast vrf CustomerA
  redistribute connected
  redistribute ospf !—if other routers connect via OSPF
  redistribute static !—If static routes exist in VRF
router ospf vrf customerA !—If using ospf with Customer, configure and redistribute into bgp
 area 1
 redistribute bgp

Securing Access Via IPv6
Prerequisites: None
Notes: Since IPv4 and IPv6 are different protocols, access-lists created for IPv4 do not apply to IPv6. If you enable IPv6, you must also secure remote access. If you prefer, instead of using an access-list to define clients, you can define individual clients (up to 10). For example "web client ipv6 2100::5" or "all-client ipv6 2100::5" to assign web, telnet, snmp, and ssh commands at once. Currently, an IPv6 ACL cannot be applied to SNMPv3 traffic in the command; however, the snmp-client will take care of it.
Troubleshooting: show ipv6 access-list all
Client Configuration Example:
all-client ipv6 2100::1 !—Up to 10 clients can be configured
!—The above statement results in the statements below. The all-client command is a shortcut instead of having to enter them individually.
telnet client ipv6 2100::1
snmp-client ipv6 2100::1
web client ipv6 2100::1
ip ssh client ipv6 2100::1
ACL Configuration Example:
ipv6 access-list RemoteAccess
 permit ipv6 host 2100::1 any
ssh access-group ipv6 RemoteAccess
telnet access-group ipv6 RemoteAccess
web access-group ipv6 RemoteAccess
snmp-server community <secret> ro ipv6 RemoteAccess

Configuring IPv6 Router Interfaces
Prerequisites: IPv6 Router
Notes: Enabling IPv6 on the interface will automatically generate a link-local address. Follow the example to add a global address to the interface. Adding route-only ensures that the port will only route and not switch between other ports in the default vlan. For interfaces with computers, the network prefix has to be /64.
Troubleshooting: show ip int
Configuration Example:
interface e 5
 ipv6 enable
 ipv6 address 2001:470:20::1/64
 route-only

Configuring Virtual IPv6 Router Interfaces
Prerequisites: Switch is in Base Layer-3 or Full Layer-3 code and ports are assigned to a VLAN.
Notes: This is to assign a router interface to a group of ports with a VLAN. For interfaces with computers, the network prefix has to be /64.
Troubleshooting: show ip int
Configuration Example:
vlan 10
 untagged e 1 to 2
 router-interface ve 10
interface ve 10
 ipv6 enable
 ipv6 address 2001:470:10::1/64

Configuring Static Routes
Prerequisites: IPv6 Router and IP address are already assigned to interface or virtual interfaces
Notes: Statically assigned IPv6 routes always reference the interface and link-local address of the next hop.
Troubleshooting: show ipv6 route
Configuration Example:
ipv6 route 2001:100::1/32 eth 1 fe80::1

Configuring OSPFv3
Prerequisites: IPv6 Router and IP address are already assigned to interface or virtual interfaces
Notes: OSPFv3 is exclusively for IPv6. Passive interfaces do not transmit OSPF hellos. This is for security on subnets that don't have neighboring routers. Additionally, consider ipsec authentication of neighbors (example not shown). Configuring a loopback interface is recommended as the router-id for OSPFv3.
Troubleshooting: show ipv6 ospf
Configuration Example:
interface loopback 1
 ipv6 enable
 ipv6 address 2001:470:ff::1/128
ipv6 router ospf
 area 0
interface e 1
 ipv6 enable
 ipv6 address 2001:470:30::1/126
 ipv6 ospf area 0
interface ve 10
 ipv6 enable
 ipv6 ospf area 0
 ipv6 ospf passive

© 2011 by Brocade Communications - Version 1.1-20110323
Tim Braly, BCNP, BCFP, BCLE, Senior Systems Engineer
[email protected]
With Assistance From Craig Sanford, Systems Engineer
[email protected]
Coming soon to version 1.2:
ADD 802.1X, GRE
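The authentication items in the sections above (the IPv6 access-group and ipv6 client restrictions, the BGP neighbor password, the LDP session key and the RSVP-TE rsvp-authentication key) can be checked mechanically against a saved running-config. The following Python audit is an added example and not part of the Brocade cheat sheet; the config it scans is constructed, and the command patterns it matches are the ones shown in this sheet's examples.

```python
import re

# Constructed sample config (not from the cheat sheet) with four gaps: IPv6 enabled
# without an IPv6 access restriction, peer .2 without a password, the LDP session
# to .3 without a key, and mpls-interface e 2/2 without rsvp-authentication.
SAMPLE_CONFIG = """\
router mpls
 ldp
  session 192.100.255.3
  session 192.100.255.1 key <secret>
 mpls-interface e 2/1
  rsvp-authentication key <secret>
 mpls-interface e 2/2
router bgp
 neighbor 192.168.100.1 remote-as 65001
 neighbor 192.168.100.1 password <secret>
 neighbor 192.168.100.2 remote-as 65001
interface e 5
 ipv6 enable
"""
# Lines that restrict IPv6 management access, as in the sheet's two examples.
IPV6_GUARD = re.compile(r"((ssh|telnet|web) access-group ipv6|(all-client|telnet client"
                        r"|web client|snmp-client|ip ssh client) ipv6) ")

def _block(lines, i):
    """Yield the sub-commands nested (more deeply indented) under lines[i]."""
    depth = len(lines[i]) - len(lines[i].lstrip())
    for line in lines[i + 1:]:
        if len(line) - len(line.lstrip()) <= depth:
            break
        yield line.strip()

def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l for l in text.splitlines() if l.strip()]
    stripped = [l.strip() for l in lines]
    findings = []
    if "ipv6 enable" in stripped and not any(IPV6_GUARD.match(l) for l in stripped):
        findings.append("ipv6 enabled but no IPv6 access-group or ipv6 client restriction")
    peers = {m.group(1) for l in stripped if (m := re.match(r"neighbor (\S+) remote-as ", l))}
    keyed = {m.group(1) for l in stripped if (m := re.match(r"neighbor (\S+) password ", l))}
    findings += [f"bgp neighbor {p} has no password" for p in sorted(peers - keyed)]
    for i, l in enumerate(stripped):
        if l == "ldp":  # every LDP session should carry a key
            findings += [f"ldp {s} has no key" for s in _block(lines, i)
                         if s.startswith("session ") and " key " not in s]
        elif l.startswith("mpls-interface "):  # RSVP authentication per interface
            if not any(s.startswith("rsvp-authentication key") for s in _block(lines, i)):
                findings.append(f"{l} has no rsvp-authentication key")
    return findings
```

Run `audit_config` over the text of `show running-config` saved to a file; each finding names the exact line to add from the examples above.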

Configuring VRRPv3
Prerequisites: IPv6 Router (NetIron)
Notes: VRRP provides redundancy for routers. Two (or more) routers
backup a single IPv6 Address. A common link-local address has to be
configured.
Troubleshooting: show ipv6 vrrp brief
Configuration Example:

ROUTER A:
ipv6 router vrrp
int ve 10
 ipv6 enable
 ipv6 address fe80::1 link-local
 ipv6 address 2001:470:10::1/64
 ipv6 vrrp vrid 10
  owner
  ipv6-address fe80::1
  ipv6-address 2001:470:10::1
  advertise backup
  activate
ROUTER B:
ipv6 router vrrp
int ve 10
 ipv6 enable
 ipv6 address fe80::2 link-local
 ipv6 address 2001:470:10::2/64
 ipv6 vrrp vrid 10
  backup priority 100
  ipv6-address fe80::1
  ipv6-address 2001:470:10::1
  advertise backup
  activate

Configuring an IPv6 over IPv4 Tunnel


Prerequisites: IPv6 Router
Notes: This feature allows two IPv6 networks to be connected via an IPv4 network.
Configuration Example:
interface tunnel 1
 tunnel mode ipv6ip
 tunnel source 192.168.10.180
 tunnel destination 172.32.226.238
 ipv6 address 2001:470:a:514::2/64
 ipv6 enable
!
ipv6 route ::/0 tunnel 1
