VOSS User Guide

For VOSS Release 8.7

9037368-00 Rev AD
September 2022
Copyright © 2022 Extreme Networks, Inc.

Legal Notice
Extreme Networks, Inc. reserves the right to make changes in specifications and other information
contained in this document and its website without prior notice. The reader should in all cases
consult representatives of Extreme Networks to determine whether any such changes have been
made.
The hardware, firmware, software or any specifications described or referred to in this document
are subject to change without notice.

Trademarks
Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of
Extreme Networks, Inc. in the United States and/or other countries.
All other names (including any product names) mentioned in this document are the property
of their respective owners and may be trademarks or registered trademarks of their respective
companies/owners.
For additional information on Extreme Networks trademarks, see:
www.extremenetworks.com/company/legal/trademarks

Open Source Declarations


Some software files have been licensed under certain open source or third-party licenses.
End-user license agreements and open source declarations can be found at:
https://www.extremenetworks.com/support/policies/open-source-declaration/
About this Document
Purpose
Conventions
Documentation and Training
Help and Support
Send Feedback

This section discusses the purpose of this document, ways to provide feedback, additional help, and
information regarding other Extreme Networks publications.

Purpose
This document provides information on features in VSP Operating System Software (VOSS). VOSS runs
on the following product families:
• ExtremeSwitching VSP 4450 Series
• ExtremeSwitching VSP 4900 Series
• ExtremeSwitching VSP 7200 Series
• ExtremeSwitching VSP 7400 Series
• ExtremeSwitching VSP 8200 Series
• ExtremeSwitching VSP 8400 Series
• ExtremeSwitching VSP 8600 Series
• ExtremeSwitching XA1400 Series

Note
VOSS is licensed on the XA1400 Series as a Fabric Connect VPN (FCVPN) application,
which includes a subset of VOSS features. FCVPN transparently extends Fabric Connect
services over third-party provider networks.

Conventions
To help you better understand the information presented in this guide, the following topics describe the
formatting conventions used for notes, text, and other elements.

Text Conventions
The following tables list text conventions that can be used throughout this document.

Table 1: Notes and warnings

| Notice type | Alerts you to... |
|---|---|
| Tip | Helpful tips and notices for using the product. |
| Note | Useful information or instructions. |
| Important | Important features or instructions. |
| Caution | Risk of personal injury, system damage, or loss of data. |
| Warning | Risk of severe personal injury. |

Table 2: Text Conventions

Angle brackets ( < > )
Angle brackets ( < > ) indicate that you choose the text to enter based on the description inside
the brackets. Do not type the brackets when you enter the command.
If the command syntax is cfm maintenance-domain maintenance-level <0-7>, you can enter
cfm maintenance-domain maintenance-level 4.

Bold text
Bold text indicates the GUI object name you must act upon.
Examples:
• Click OK.
• On the Tools menu, choose Options.

Braces ( { } )
Braces ( { } ) indicate required elements in syntax descriptions. Do not type the braces when you
enter the command.
For example, if the command syntax is ip address {A.B.C.D}, you must enter the IP address in
dotted, decimal notation.

Brackets ( [ ] )
Brackets ( [ ] ) indicate optional elements in syntax descriptions. Do not type the brackets when
you enter the command.
For example, if the command syntax is show clock [detail], you can enter either show clock or
show clock detail.

Ellipses ( … )
An ellipsis ( … ) indicates that you repeat the last element of the command as needed.
For example, if the command syntax is ethernet/2/1 [ <parameter> <value> ]..., you enter
ethernet/2/1 and as many parameter-value pairs as you need.

Italic Text
Italics emphasize a point or denote new terms at the place where they are defined in the text.
Italics are also used when referring to publication titles that are not active links.

Plain Courier Text
Plain Courier text indicates command names, options, and text that you must enter. Plain Courier
text also indicates command syntax and system output, for example, prompts and system messages.
Examples:
• show ip route
• Error: Invalid command syntax [Failed][2013-03-22 13:37:03.303 -04:00]

Separator ( > )
A greater than sign ( > ) shows separation in menu paths.
For example, in the Navigation tree, expand the Configuration > Edit folders.

Vertical Line ( | )
A vertical line ( | ) separates choices for command keywords and arguments. Enter only one choice.
Do not type the vertical line when you enter the command.
For example, if the command syntax is access-policy by-mac action { allow | deny }, you enter
either access-policy by-mac action allow or access-policy by-mac action deny, but not both.

Documentation and Training


Find Extreme Networks product information at the following locations:
• Current Product Documentation
• Release Notes
• Hardware and software compatibility for Extreme Networks products
• Extreme Optics Compatibility
• Other resources such as white papers, data sheets, and case studies

Extreme Networks offers product training courses, both online and in person, as well as specialized
certifications. For details, visit www.extremenetworks.com/education/.

Help and Support


If you require assistance, contact Extreme Networks using one of the following methods:
Extreme Portal
Search the GTAC (Global Technical Assistance Center) knowledge base; manage support cases and
service contracts; download software; and obtain product licensing, training, and certifications.
The Hub
A forum for Extreme Networks customers to connect with one another, answer questions, and
share ideas and feedback. This community is monitored by Extreme Networks employees, but is not
intended to replace specific guidance from GTAC.
Call GTAC
For immediate support: (800) 998 2408 (toll-free in U.S. and Canada) or 1 (408) 579 2826. For the
support phone number in your country, visit: www.extremenetworks.com/support/contact

Before contacting Extreme Networks for technical support, have the following information ready:
• Your Extreme Networks service contract number, or serial numbers for all involved Extreme
Networks products
• A description of the failure
• A description of any actions already taken to resolve the problem
• A description of your network environment (such as layout, cable type, other relevant environmental
information)
• Network load at the time of trouble (if known)
• The device history (for example, if you have returned the device before, or if this is a recurring
problem)
• Any related RMA (Return Material Authorization) numbers

Subscribe to Product Announcements


You can subscribe to email notifications for product and software release announcements, Field
Notices, and Vulnerability Notices.

1. Go to The Hub.
2. In the list of categories, expand the Product Announcements list.
3. Select a product for which you would like to receive notifications.
4. Select Subscribe.
5. To select additional products, return to the Product Announcements list and repeat steps 3 and 4.

You can modify your product selections or unsubscribe at any time.

Send Feedback
The Information Development team at Extreme Networks has made every effort to ensure that this
document is accurate, complete, and easy to use. We strive to improve our documentation to help you
in your work, so we want to hear from you. We welcome all feedback, but we especially want to know
about:
• Content errors, or confusing or conflicting information.
• Improvements that would help you find relevant information.
• Broken links or usability issues.

To send feedback, do either of the following:


• Access the feedback form at https://www.extremenetworks.com/documentation-feedback/.
• Email us at [email protected].

Provide the publication title, part number, and as much detail as possible, including the topic heading
and page number if applicable, as well as your suggestions for improvement.



New in this Document
Notice about Feature Support

The following sections detail what is new in this document.

Endpoint Tracking on VSP 4900 Series


This release adds support for Endpoint Tracking on VSP 4900 Series. Endpoint Tracking provides
dynamic assignment of virtual machines (VMs) to IP subnets as they move across servers connected
through a Shortest Path Bridging (SPB) cloud.

For more information, see Endpoint Tracking on page 997.

IPv4 ACL Filter Enhancements for VSP 7400 Series


This release introduces a change to the ACL architecture for VSP 7400 Series.

In earlier releases, ACL ACE rules were defined as:


• Security: ACE ID range 1-1000
• QoS: ACE ID range 1001-2000

Security ACEs were used to perform permit or deny actions on a match. QoS ACEs were used to
perform remarking actions on a match. The switch performed a parallel search on both Security and
QoS ACE lists, which resulted in distinct and non-conflicting actions.

Now, ACL ACE rules can be defined as:


• Primary Bank: ACE ID range 1-1000
• Secondary Bank: ACE ID range 1001-2000

You can use both Primary and Secondary Banks for Security and QoS ACEs. The switch performs a
parallel search on both ACE lists. If actions do not conflict, both actions apply. If actions conflict, the
action from the Primary Bank has precedence.

Note
As a best practice, apply deny actions to Primary Bank ACEs in configurations where ACEs in
Primary and Secondary Banks with deny and permit actions applied can match the same flow.
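
The precedence rule and the best-practice note above, modeled as an added example (not Extreme Networks code and not VOSS syntax): it resolves a flow against both banks and lists permit/deny pairs where a Secondary Bank deny can be overridden by a Primary Bank permit. Assumptions: the `Ace` record with a single source-prefix match, the three action names, and lowest-matching-ACE-ID-wins ordering inside a bank are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIMARY_IDS = range(1, 1001)       # Primary Bank ACE IDs 1-1000 (from the guide)
SECONDARY_IDS = range(1001, 2001)  # Secondary Bank ACE IDs 1001-2000 (from the guide)


@dataclass(frozen=True)
class Ace:
    """Constructed ACE model: one source prefix and one action."""
    ace_id: int
    src: str      # source prefix matched by the ACE, e.g. "10.0.0.0/8"
    action: str   # "permit", "deny" (security) or "remark" (QoS)

    @property
    def bank(self) -> str:
        if self.ace_id in PRIMARY_IDS:
            return "primary"
        if self.ace_id in SECONDARY_IDS:
            return "secondary"
        raise ValueError(f"ACE ID {self.ace_id} is outside 1-2000")


def conflicts(a: Ace, b: Ace) -> bool:
    """Permit and deny cannot both apply; remark is compatible with either."""
    return {a.action, b.action} == {"permit", "deny"}


def bank_hit(aces: List[Ace], bank: str, src_ip: str) -> Optional[Ace]:
    """Matching ACE for one bank. Assumption: the lowest matching ACE ID wins."""
    ip = ipaddress.ip_address(src_ip)
    hits = [a for a in aces if a.bank == bank and ip in ipaddress.ip_network(a.src)]
    return min(hits, key=lambda a: a.ace_id) if hits else None


def resolve(aces: List[Ace], src_ip: str) -> List[str]:
    """Actions applied to a flow after the parallel search of both banks."""
    primary = bank_hit(aces, "primary", src_ip)
    secondary = bank_hit(aces, "secondary", src_ip)
    if primary and secondary and conflicts(primary, secondary):
        return [primary.action]               # conflict: Primary Bank has precedence
    applied = [a.action for a in (primary, secondary) if a]
    return sorted(set(applied))               # no conflict: both actions apply


def overridden_denies(aces: List[Ace]) -> List[Tuple[int, int]]:
    """(primary permit ID, secondary deny ID) pairs that can match the same flow."""
    pairs = []
    for p in aces:
        for s in aces:
            if (p.bank, s.bank) == ("primary", "secondary") \
                    and (p.action, s.action) == ("permit", "deny") \
                    and ipaddress.ip_network(p.src).overlaps(ipaddress.ip_network(s.src)):
                pairs.append((p.ace_id, s.ace_id))
    return pairs


# Constructed rule set: the deny sits in the Secondary Bank, against the best practice.
RISKY = [Ace(10, "10.0.0.0/8", "permit"), Ace(1001, "10.1.2.0/24", "deny"),
         Ace(20, "192.168.0.0/16", "permit"), Ace(1002, "192.168.0.0/16", "remark")]
# Same intent with the deny moved to the Primary Bank.
FIXED = [Ace(10, "10.1.2.0/24", "deny"), Ace(1001, "10.0.0.0/8", "permit")]

if __name__ == "__main__":
    print(resolve(RISKY, "10.1.2.5"), overridden_denies(RISKY))
    print(resolve(FIXED, "10.1.2.5"), overridden_denies(FIXED))
```

In the constructed `RISKY` set the host 10.1.2.5 is permitted although a deny matches it, because the deny sits in the Secondary Bank; `FIXED` shows the same intent with the deny in the Primary Bank.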

Reauthentication on Ports through RADIUS


Prior to this release, you could only enable reauthentication on ports manually through CLI. Now you
can enable reauthentication dynamically through RADIUS VSA Extreme-Dynamic-Config. To identify
the origin of configuration, the origin displays as either CONFIG or RADIUS.

For more information, see Extreme-Dynamic-Config on page 2784.

OSPFv2 Point-to-Point Interface


You can now configure OSPFv2 point-to-point network interface type, which provides a single
connection between two specific points or OSPF routers. In earlier releases, you could only configure
broadcast, non-broadcast multiple access, and passive OSPFv2 network interface types.

For more information, see the following sections:


• OSPF Interfaces on page 2449
• Configure an OSPF area on a VLAN or port on page 2483
• Configure OSPF for a Port or VLAN on page 2472
• Configure OSPF on a Port on page 2548
• Configure OSPF on a VLAN on page 2554

Support for VLAN ID 0


Prior to this release, packets tagged with VLAN ID 0 were dropped. This release provides support for
VLAN ID 0.

Third Party Virtual Machine Version


In this release, the Third Party Virtual Machine (TPVM) version is based on Ubuntu 20.04.04 LTS.

Upgrade Fabric IPsec Gateway


A new procedure, Upgrade a Fabric IPsec Gateway VM on page 882, is added to the document.

View the Fan Speed in RPM


In this release, you can use CLI and EDM to view the current operational speed of the chassis fan in
rotations per minute (RPM).

For more information, see the following sections:


• View Fan Information on page 565 in CLI
• View Fan Information on page 619 in EDM

Notice about Feature Support


This document includes content for multiple hardware platforms across different software releases. As a
result, the content can include features not supported by your hardware in the current software release.

If a documented command, parameter, tab, or field does not display on your hardware, it is not
supported.

For information about physical hardware restrictions, see your hardware documentation.



Installation and Commissioning Documentation
Use installation and commissioning documentation to install the product hardware and software, and
perform the initial configuration.

Table 3: Installation and commissioning documents

| Product | Technical document | Description |
|---|---|---|
| VSP 4450 Series | Installing the Virtual Services Platform 4450GSX-PWR+ | This document provides procedures and conceptual information to install the VSP 4450GSX-PWR+. |
| VSP 4450 Series | Installing the Virtual Services Platform 4450GTX-HT-PWR+ | This document provides procedures and conceptual information to install the VSP 4450GTX-HT-PWR+. |
| VSP 4450 Series | Virtual Services Platform 4450GSX Series switch Quick Install Guide | This document provides quick installation instructions to install the VSP 4450GSX-PWR+ switch. |
| VSP 4450 Series | Virtual Services Platform 4450GTX-HT-PWR+ Quick Install Guide | This document provides quick installation instructions to install the VSP 4450GTX-HT-PWR+ switch. |
| VSP 4900 Series | VSP 4900 Series Switches: Hardware Installation Guide | This document provides procedures and conceptual information to install the VSP 4900 Series. |
| VSP 4900 Series | VSP 4900 Series Switches Quick Reference | This document provides quick installation instructions to install the VSP 4900 Series. |
| VSP 7200 Series | Installing the Virtual Services Platform 7200 Series | This document provides procedures and conceptual information to install the VSP 7200 Series. |
| VSP 7200 Series | Virtual Services Platform 7200 Series Quick Install Guide | This document provides quick installation instructions to install the VSP 7200 Series. |
| VSP 7400 Series | VSP 7400 Series Switches: Hardware Installation Guide | This document provides procedures and conceptual information to install the VSP 7400 Series. |
| VSP 7400 Series | VSP 7400 Series Switches Quick Reference | This document provides quick installation instructions to install the VSP 7400 Series. |
| VSP 8200 Series and VSP 8400 Series | Installing the Virtual Services Platform 8000 Series | This document provides procedures and conceptual information to install the VSP 8200 Series and VSP 8400 Series. |
| VSP 8200 Series and VSP 8400 Series | Virtual Services Platform 8000 Series Quick Install Guide | This document provides quick installation instructions to install the VSP 8200 Series and VSP 8400 Series hardware. |
| VSP 8600 Series | Installing the Virtual Services Platform 8600 | This document provides procedures and conceptual information to install the VSP 8600 Series. |
| VSP 8600 Series | Virtual Services Platform 8608 Chassis Installation | This document provides quick installation instructions and commissioning for the VSP 8600 Series. |
| VSP 8600 Series | Virtual Services Platform 8608 Module Installation | This document provides quick installation instructions for the VSP 8600 Series I/O and control (IOC) and switch fabric (SF) modules. |
| XA1400 Series | XA1400 Series Switches: Hardware Installation Guide | This document provides procedures and conceptual information to install the XA1400 Series. |
| XA1400 Series | XA1400 Series Switches Quick Reference | This document provides quick installation instructions to install the XA1400 Series. |
| All Products | Extreme Optics website | This guide provides descriptions of the pluggable transceiver modules supported by Extreme Networks switches and routers, along with information about how to install and use them. |

Table 4: Installation and commissioning reference documents

| Technical document | Description |
|---|---|
| Regulatory Reference for Virtual Services Platform 4000 Series; Regulatory Reference for Virtual Services Platform 7200 Series; Regulatory Reference for Virtual Services Platform 8000 Series | These documents provide information about regulatory conformity and compliance. |
| Locating Software and Release Notes for Virtual Services Platform 4000 Series; Locating Software and Release Notes for Virtual Services Platform 7200 Series; Locating Software and Release Notes for Virtual Services Platform 8000 Series | These documents ship with their respective VOSS components. |
| Minimum Software Requirements to Support Virtual Services Platform 8400 ESMs | This document provides the minimum software release for each module in the VSP 8400 Series. |
| Read Me First—Important Notes and Minimum Software Requirements for VSP 8600 Modules | This document provides important information to read before you install modules in the VSP 8600 Series, and also provides the minimum software release for each IOC and SF module. |



Zero Touch Capabilities
Auto-sense
Auto-sense Logical Flowcharts
IP Phone Support
Zero Touch Deployment
Zero Touch Provisioning Plus
Zero Touch Fabric Configuration
Configuration Example to Create an IS-IS Adjacency between the VSP 8600 Series and Auto-sense Switches

The switch supports the following zero touch capabilities:


• Auto-sense support for the following features:
◦ Fabric Attach (FA)
◦ Extensible Authentication Protocol (EAP) and non-EAPoL (NEAP)
◦ IP Phones
• Zero Touch Deployment
• Zero Touch Provisioning Plus (ZTP+)
• Zero Touch Fabric Configuration including Auto-sense for network-to-network interface (NNI)

Note
For bridged or routed reachability of the management servers (DHCP, RADIUS,
ExtremeCloud IQ ‑ Site Engine, or ExtremeCloud IQ) the onboarding I-SID must be manually
mapped to the management segment on at least one Backbone Edge Bridge (BEB) in the
network prior to zero touch deployments of new switches. Additionally, you must enable a
Dynamic Nickname server on at least one node. For more information, see VOSS Release
Notes.

Auto-sense

Table 5: Auto-sense product support

| Feature | Product | Release introduced |
|---|---|---|
| Auto-sense | VSP 4450 Series | VOSS 8.3 |
| | VSP 4900 Series | VOSS 8.3 |
| | VSP 7200 Series | VOSS 8.3 |
| | VSP 7400 Series | VOSS 8.3 |
| | VSP 8200 Series | VOSS 8.3 |
| | VSP 8400 Series | VOSS 8.3 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |
| Auto-sense ports can apply Fabric Attach (FA)-specific configuration | VSP 4450 Series | VOSS 8.4.2 |
| | VSP 4900 Series | VOSS 8.4.2 |
| | VSP 7200 Series | VOSS 8.4.2 |
| | VSP 7400 Series | VOSS 8.4.2 |
| | VSP 8200 Series | VOSS 8.4.2 |
| | VSP 8400 Series | VOSS 8.4.2 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

Auto-sense is a port-based functionality that supports zero touch capabilities on the switch. Auto-sense
dynamically configures the port to act as an IS-IS network-to-network interface (NNI), Fabric UNI
(Flex-UNI), Fabric Attach (FA), or voice (IP phone) interface, based on the Link Layer Discovery
Protocol (LLDP) events. Auto-sense provides global configuration options for IS-IS authentication, FA
authentication, and voice configuration for IP phones, on the switch. For more information about IP
Phone Support, see IP Phone Support on page 48.

When a switch boots in Zero Touch Fabric Configuration mode, all ports on the switch automatically
operate in Auto-sense mode, unless you manually change the port configuration. For more information
on Zero Touch Fabric Configuration, see Zero Touch Fabric Configuration on page 63.

With Auto-sense functionality, ports on a switch can detect whether they connect to a Shortest Path
Bridging (SPB) device, an FA client, FA Proxy, Voice IP devices, or an undefined host:
• If a port connects to an SPB device or an FA client, then the system establishes Fabric architecture.
• If a port connects to any undefined host, then the system moves all untagged traffic on the port to
an onboarding service network, also known as the onboarding I-SID.
• If a port operates in Auto-sense mode, Extensible Authentication Protocol (EAP) is enabled globally
with a RADIUS configuration, and the Auto-sense port does not detect an SPB or Fabric Attach
proxy neighbor, then the system automatically activates EAP and Non-EAP (NEAP) authentication
on the port for untagged traffic.

When you manually disable Auto-sense on a specific port, the switch removes the dynamic
configuration on that port unless you use an optional parameter to convert the dynamic configuration
to a manual configuration. If you do not use the optional parameter, the software removes all Auto-
sense state configuration and reverts the port to the default configuration.

If you enable Auto-sense on a port with a conflicting feature configuration, the software automatically
deletes the conflicting configuration from the port. Conflicting configurations include the following
commands or features:
• access-diffserv command
• flex-uni enable command
• mac-security limit-learning command
• qos 802.1p-override enable command
• Other feature configurations on the port:
◦ brouter port
◦ port tagging (encapsulation) - If a port has encapsulation enabled and you enable Auto-sense,
the port remains with encapsulation enabled. Disabling Auto-sense transitions the encapsulation
value to disabled. If a port has encapsulation disabled and you enable Auto-sense, port
encapsulation is enabled.
◦ Extensible Authentication Protocol over LAN (EAPoL)
◦ FA
◦ IS-IS interface
◦ Link Aggregation Control Protocol (LACP) and Virtual Link Aggregation Control Protocol
(VLACP)
◦ LLDP enable
◦ LLDP MED network policies
◦ private VLAN
◦ MLT member
◦ Switched UNI (S-UNI) or Transparent Port UNI (T-UNI) interface
◦ VLAN member

Implementation on Upgraded Switches with Existing Configuration


If the switch does not boot in Zero Touch Fabric Configuration mode and you want to use Auto-sense
functionality with an existing switch configuration, you must:
• Enable Auto-sense on the applicable port or ports.
• Create a new VLAN 4048. If the existing configuration uses VLAN 4048, you must configure a new
VLAN for those original purposes.
• Configure I-SID 15999999 as the Auto-sense onboarding I-SID.
• Assign onboarding I-SID 15999999 to private VLAN 4048.

Auto-Sense Data I-SID


Auto-sense supports global configuration of a data I-SID on the switch, which applies to all Auto-sense
enabled ports. You can also configure Auto-sense data I-SID on each port to separate the data traffic
into individual port specific data I-SIDs. For example, if device A and device B connect to different
Auto-sense enabled ports and you configure an Auto-sense data I-SID on each port, the switch separates
the data traffic of device A from the data traffic of device B. A port-level data I-SID and the global data
I-SID can use the same value. The system prioritizes the I-SIDs in the following order:

1. Untagged I-SID assigned per client by EAP/NEAP MHMV
2. Untagged voice I-SID
3. Port data I-SID
4. Global data I-SID
5. Onboarding I-SID

The show running-config output includes the configured Auto-sense data I-SID for the port
module only if you enable Auto-sense on the port. If you disable Auto-sense on the port, the
configuration remains on the switch even though the command output does not include it. If you
disable Auto-sense on the port and use the convert-to-config parameter, the port remains in the
I-SID until you manually remove the data I-SID configuration from the port. If you re-enable Auto-sense
on the port, you must reconfigure the data I-SID on the port.

If you remove the Auto-sense data I-SID from a port, then the port uses either the global Auto-sense
data I-SID, if one exists, or the Auto-sense onboarding I-SID.

IS-IS Authentication
Auto-sense supports global configuration of an IS-IS authentication key on the switch. All ports that
operate in Auto-sense mode and have transitioned to the NNI state use the global IS-IS authentication
key that you configure using the auto-sense isis hello-auth type command. For more information, see
Configure Auto-sense IS-IS Authentication on page 24.

FA Configuration
Depending on the device that the Auto-sense port detects, the software can apply different FA-specific
configurations that you define:
• You can configure an I-SID for FA clients such as FA wap-type 1, FA camera, and FA open-virtual-
switch (OVS). The software prefers the FA I-SID over the onboarding I-SID.
• You can configure a specific I-SID and customer VLAN ID to use as the management I-SID when the
port is in the Auto-sense FA PROXY state. If you do not configure a management I-SID, the port uses
the onboarding I-SID for untagged traffic.
• You can disable EAPoL authentication requirements for specific FA client types (wap-type1, camera,
and ovs).

FA Authentication
Auto-sense supports FA message authentication on switches. You can enable FA message
authentication globally on a switch. All ports operating in Auto-sense mode use the global
authentication key. A preconfigured authentication key exists on the switch, by default, which you can
change. For more information, see Configure Auto-sense Fabric Attach (FA) Authentication on page
31.

Auto-sense Voice Capabilities


Auto-sense voice capabilities are based on the events when the switch detects an IP phone in the
network. For more information, see Auto-sense Voice on page 50.

Loop Prevention
Auto-sense ports between two switches that have transitioned to NNI state are not prone to loops.
Any connection can be wired and SPB establishes the shortest path connections. On Auto-sense NNI
links, BVID information and IS-IS area information are exchanged, which enables Zero Touch Fabric
functionality.

Auto-sense ports that connect to non-SPB switches operate in UNI mode, or FA Proxy mode in the
case of ERS, EXOS, and Switch Engine switches. In UNI mode, VOSS devices send Spanning Tree BPDU
packets that emulate root bridge behavior, which ensures that any potential UNI loop is broken by the
attached spanning tree enabled devices.

For more information on the port states, see Auto-sense Port States on page 18.

Running Configuration
If you view the running configuration, the global Auto-sense configuration displays under the port
module. Use the command show running-config module port.

Auto-sense Port States


The system uses a per-interface state to adapt to all Auto-sense events. Each state transition
determines background configuration on the port. The system does not display these configurations
in the output of the show running-config command or in the saved configuration file. However, if
you disable Auto-sense on the port and use the convert-to-config parameter, the dynamic
configuration becomes a manual configuration and is visible in the show running-config output.
Use show auto-sense commands to monitor the running states of each port.

For flowcharts that describe the system logic for Auto-sense port state detection, see Auto-sense
Logical Flowcharts on page 42.

Port Down State


If you run the auto-sense enable command on a port that is disabled or has an inactive link, the
port transitions to the Auto-sense Port Down state. This state transitions to the Auto-sense Wait state
after the port becomes operational or the link becomes active.

Wait State
The port modifies outgoing LLDP packets to represent the enhanced properties of the port and
analyzes incoming LLDP packets for possible transitions to advanced states like network-to-network
interface (NNI), Fabric Attach (FA), or VOICE. If the port does not receive LLDP packets, the port
transitions to the UNI state.

UNI State
This state grants onboarding and data connectivity to the port if you configure the onboarding I-SID,
or a data I-SID in the global Auto-sense configuration or at the port level. The system also applies the
trusted and untrusted Auto-sense global configuration. As with the Wait state, the port continues to
monitor received LLDP packets for transitions to other states.

Network Access Control (NAC) support, through EAP/NEAP, is enabled by default on each Auto-sense
port, but disabled globally. If you require EAP/NEAP operation on Auto-sense ports, you must globally
enable EAP and configure a RADIUS server.

The system performs the following background configurations on port x:


flex-uni enable
eapol status auto
eapol multihost radius-non-eap-enable
eapol multihost eap-oper-mode mhmv
[qos 802.1p-override enable]
[access-diffserv enable]
on port X interface, if onboarding I-SID Y is configured without data I-SID:
eapol guest i-sid Y
on onboarding I-SID interface, if it is configured without data I-SID:
untagged-traffic port X
on data I-SID interface, if it is configured:
untagged-traffic port X

An Auto-sense port in the UNI state remains in PVLAN isolated mode when any additional untagged
I-SID is applied to the port. Auto-sense ports support multiple VLAN/I-SIDs and PVLAN/I-SIDs on the
same port at any time concurrently. Typically, this operational mode is required when you configure
NAC support with Multiple Host Multiple VLAN (MHMV). The software then assigns clients to their
VLAN/I-SIDs based on their NAC authentication results.

NNI States
The NNI states are as follows:
• NNI
• NNI onboarding
• NNI IS-IS
• NNI pending

If, while in the Wait state, the port receives a Fabric Connect LLDP packet, the port transitions to the
NNI state and adds the IS-IS SPBM instance on the interface. The system tries to establish an IS-IS
adjacency and, if successful, transitions the port to the NNI IS-IS state. The port remains in the NNI IS-IS
state until the adjacency fails, at which time it returns to the NNI state.

The system performs the following background configurations on port x:


isis
isis spbm 1
isis enable
[isis hello-auth …] inherited from global configuration

If the system cannot establish the adjacency, it transitions the port to the NNI onboarding state. The
system creates a Switched UNI (S-UNI) with the onboarding I-SID.

The system performs the following background configurations:


flex-uni enable
isis
isis spbm 1
isis enable
[isis hello-auth …] inherited from global configuration
on onboarding i-sid interface, if it exists:
untagged-traffic port X

Fabric Attach (FA) States


The FA states are as follows:
• FA - this state is used for FA capable wireless access points, Camera or OVS devices
• FA PROXY - this state is used for interaction with ERS, EXOS, and Switch Engine switches, which are
capable of FA proxy function
• FA PROXY NOAUTH - this state is used for interaction with ERS, EXOS, and Switch Engine switches,
which are capable of FA proxy function

LLDP uses the FA TLV to detect FA-capable neighbors.

The port enters the FA state after LLDP detects an access point, an FA client that is not another switch.

The system performs the following background configurations on port x:


flex-uni enable
eapol status auto
eapol multihost radius-non-eap-enable
eapol multihost eap-oper-mode mhmv
eapol guest i-sid X
fa enable
on onboarding i-sid interface, if it exists:
untagged-traffic port X

If LLDP detects an FA proxy switch such as an ERS, EXOS, or Switch Engine switch that uses FA
message authentication, the port transitions to the FA PROXY state.

The system performs the following background configurations on port x:


flex-uni enable
fa enable
fa message-authentication
fa management-isid

Note
By default, the FA PROXY state uses the onboarding I-SID as the management I-SID but you
can override this with a specific I-SID and customer VLAN ID combination.

If the FA proxy switch does not use FA message authentication, the port transitions to the FA PROXY
NOAUTH state.

The system performs the following background configurations on port x:


flex-uni enable
fa enable
on onboarding i-sid interface, if it exists:
untagged-traffic port X


Depending on the device that the Auto-sense port detects, the switch can apply different FA-specific
configurations that you define. For more information, see Auto-sense on page 15.

When a port is in the FA state, the system uses the following priority for untagged traffic:

1. EAP/NEAP assigned I-SID
2. WAP, camera, or open virtual switch (OVS) I-SID
3. Onboarding I-SID
4. Drop

Voice State
If the port detects an LLDP packet from a phone, the port transitions to the VOICE state. A global
Auto-sense voice configuration is not required for the transition to the VOICE state, unless a specific
voice VLAN must be signaled to the phone.

For more information on Auto-sense voice, see Auto-sense Voice on page 50.

DHCP Port Snooping


For zero touch onboarding, if a port answers Dynamic Host Configuration Protocol (DHCP) requests
sent by the switch and the port is in the Auto-sense UNI state, the system automatically changes the
port's Private VLAN configuration from isolated mode to promiscuous mode.

Without this port type change on the Private VLAN, the other devices in the network cannot receive
an IP address through the DHCP server if they are in the Zero Touch Fabric Configuration mode unless
you disable Auto-sense on the port and manually change the port from isolated mode to promiscuous
mode.

Auto-sense Configuration using CLI

To change the Auto-sense configuration on a port using EDM, see Configure Basic Port Parameters on
page 584.

Enable Auto-sense on Port(s)

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to manually enable Auto-sense on a specific port.

Note
After a switch boots without a configuration file, Auto-sense is enabled on all ports, by
default.


Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable Auto-sense on the port:


auto-sense enable

Example

Enabling Auto-sense on port 1/2:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#auto-sense enable
Warning: Enabling Auto-Sense will default port configurations.

Disable Auto-sense on Port(s)

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to disable Auto-sense on a specific port. You also have the option to disable
Auto-sense on the port but retain the configuration that the system applied dynamically.

Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Disable Auto-sense on the port:


no auto-sense enable [convert-to-config]


Example

Disable Auto-sense on port 1/2 but retain the configuration. The dynamic configuration becomes a
manual configuration and is visible in the show running-config output and can be saved to the
configuration file using the save config command.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#no auto-sense enable convert-to-config
Switch:1(config-if)#save config

Variable Definitions

The following table defines parameters for the no auto-sense enable command.

Variable Value
convert-to-config Retains the Auto-sense configuration that the system applies dynamically on the
specific port. The dynamic configuration becomes a manual configuration and is
visible in the show running-config output. If you run the "no auto-sense
enable" command without the "convert-to-config" option, then the configuration
will be removed from the port and the port returns to the default state where VLAN
1 is assigned.

Configure the Auto-sense Wait Interval

Note
This procedure does not apply to VSP 8600 Series or XA1400 Series.

About This Task

Perform this task to configure the time, in seconds, for Auto-sense to wait for a Link Layer Discovery
Protocol (LLDP) neighbor to be detected in the Auto-sense wait state before transitioning to the
Auto-sense onboarding state.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure the Auto-sense wait interval:
auto-sense wait-interval <10-120>
3. Verify the Auto-sense wait interval information:
show auto-sense wait-interval

Examples

Configure the Auto-sense wait interval as 50 seconds:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense wait-interval 50


Verify the Auto-sense wait-interval information:


Switch:1>show auto-sense wait-interval
============================================================================
AUTO-SENSE GLOBAL Config
============================================================================
WAIT
INTERVAL
----------------------------------------------------------------------------
50
----------------------------------------------------------------------------

----------------------------------------------------------------------------
0 out of 0 Total Num of AUTO-SENSE entries displayed
----------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the auto-sense wait-interval command.

Variable Value
<10-120> Specifies the wait interval, in seconds, for Auto-sense ports. The default value is 35.

Configure Auto-sense IS-IS Authentication

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

Before You Begin

Enable IS-IS globally.

About This Task

Perform this procedure to configure a global IS-IS authentication key for ports that are operating in
Auto-sense mode.

Note
If the IS-IS authentication keys on the Auto-sense ports between two switches do not match,
the port remains in the Auto-sense UNI onboarding state until the keys match, at which point
an IS-IS adjacency is established.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the authentication type for IS-IS hello packets on Auto-sense ports:
auto-sense isis hello-auth type {none|simple|hmac-md5|hmac-sha-256}
[key WORD<1-16>] [key-id <1-255>]


Example

Configuring simple authentication for IS-IS hello packets on Auto-sense ports:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense isis hello-auth type simple key Secure

Variable Definitions

The following table defines parameters for the auto-sense isis hello-auth type command.

Variable Value
{none|simple|hmac-md5|hmac-sha-256} Specifies the authentication type for IS-IS hello packets on Auto-sense ports:
• none
• simple - simple password authentication uses a text password in the
transmitted packet. The receiving router uses an authentication key
(password) to verify the packet.
• hmac-md5 - MD5 authentication creates an encoded checksum in the
transmitted packet. The receiving router uses an authentication key
(password) to verify the MD5 checksum of the packet.
• hmac-sha-256 - with SHA-256 authentication, the switch adds an hmac-sha-256
digest to each Hello packet. The switch that receives the Hello packet
computes the digest of the packet and compares it with the received digest.

Note: Secure Hashing Algorithm 256 bits (SHA-256) is a cipher and a
cryptographic hash function of SHA2 authentication. You can use SHA-256
to authenticate IS-IS Hello messages. This authentication method uses the
SHA-256 hash function and a secret key to establish a secure connection
between switches that share the same key. This feature is in full compliance
with RFC 5310.

The default authentication type is none.
key WORD<1-16> Specifies the authentication key (password) used by the receiving router to verify the packet.
key-id <1-255> Specifies the key ID.
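
The difference between the simple and hmac-sha-256 types described in the table above, as an added example that is not part of the original guide and is not Extreme Networks code. It uses a toy packet layout with assumed one-byte type codes (not the IS-IS authentication TLV of RFC 5310), omits hmac-md5, and all function names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample hello payload; not captured from a real switch.
SAMPLE_BODY = b"constructed IS-IS hello: system-id 0000.0000.0001"

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
# Toy one-byte type codes (assumption; not the on-wire IS-IS encoding).
T_NONE, T_SIMPLE, T_SHA256 = b"\x00", b"\x01", b"\x03"


def check_params(key: bytes, key_id: int) -> None:
    """Enforce the limits from the CLI syntax: key WORD<1-16>, key-id <1-255>."""
    if not 1 <= len(key) <= 16:
        raise ValueError("key must be 1-16 characters")
    if not 1 <= key_id <= 255:
        raise ValueError("key-id must be 1-255")


def build_hello(body: bytes, auth_type: str, key: bytes = b"", key_id: int = 1) -> bytes:
    """Sender side: prepend authentication data to the hello body."""
    if auth_type == "none":
        return T_NONE + body
    check_params(key, key_id)
    if auth_type == "simple":
        # The password itself is copied into every packet.
        return T_SIMPLE + bytes([len(key)]) + key + body
    if auth_type == "hmac-sha-256":
        header = T_SHA256 + struct.pack("!H", key_id)
        # Only a keyed digest is sent; the key is not in the packet.
        digest = hmac.new(key, header + body, hashlib.sha256).digest()
        return header + digest + body
    raise ValueError(f"unsupported auth type: {auth_type}")


def verify_hello(packet: bytes, auth_type: str, key: bytes = b"", key_id: int = 1) -> bool:
    """Receiver side: accept only if the packet matches the local type, key and key ID."""
    kind = packet[:1]
    if auth_type == "none":
        return kind == T_NONE
    if auth_type == "simple":
        if kind != T_SIMPLE or len(packet) < 2:
            return False
        length = packet[1]
        # Password comparison only: the body is not covered by any check.
        return hmac.compare_digest(packet[2:2 + length], key)
    if auth_type == "hmac-sha-256":
        if kind != T_SHA256 or len(packet) < 3 + DIGEST_LEN:
            return False
        header = packet[:3]
        digest = packet[3:3 + DIGEST_LEN]
        body = packet[3 + DIGEST_LEN:]
        if struct.unpack("!H", header[1:3])[0] != key_id:
            return False
        # Recompute the digest locally and compare in constant time.
        expected = hmac.new(key, header + body, hashlib.sha256).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError(f"unsupported auth type: {auth_type}")


def compare_types(key: bytes = b"Secure", key_id: int = 7) -> dict:
    """Run the same checks against both types and return the outcomes."""
    results = {}
    for auth_type in ("simple", "hmac-sha-256"):
        packet = build_hello(SAMPLE_BODY, auth_type, key, key_id)
        tampered = packet[:-1] + b"X"  # change the last byte of the body
        results[auth_type] = {
            "key_visible_in_packet": key in packet,
            "accepts_matching_key": verify_hello(packet, auth_type, key, key_id),
            "accepts_wrong_key": verify_hello(packet, auth_type, b"Other", key_id),
            "accepts_modified_body": verify_hello(tampered, auth_type, key, key_id),
        }
    return results


if __name__ == "__main__":
    for auth_type, outcome in compare_types().items():
        print(auth_type, outcome)
```

A rejected packet in this model corresponds to the key mismatch case in the note above, where the IS-IS adjacency is not established until the keys match.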

Configure Auto-sense Access Ports

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to configure ports operating in Auto-sense mode to determine the Layer
3 Quality of Service (QoS) actions the switch performs. The Auto-sense access ports override the
Differentiated Services Code Point (DSCP) markings.


Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure Auto-sense access ports:
auto-sense access-diffserv [enable]

Example

Configure the Auto-sense access ports:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense access-diffserv enable

Variable Definitions

The following table defines parameters for the auto-sense access-diffserv command.

Variable Value
enable Configures the ports operating in Auto-sense mode to determine the Layer 3 Quality of
Service (QoS) actions the switch performs. The Auto-sense access ports override the
Differentiated Services Code Point (DSCP) markings. The default configuration is enabled.

Disable Auto-sense DHCP Server Detection

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to disable Dynamic Host Configuration Protocol (DHCP) server detection in
Auto-sense mode.

Note
By default, Auto-sense DHCP server detection is enabled. This ensures automatic detection of
the DHCP uplink ports in Zero Touch Deployment.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Disable DHCP server detection:
no auto-sense dhcp-detection


Example

Disable DHCP server detection:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#no auto-sense dhcp-detection

Configure the Auto-sense Onboarding I-SID on the Switch

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to configure the onboarding I-SID for ports that are operating in Auto-sense
mode. The onboarding I-SID is typically used to onboard networking devices such as switches and
non FA capable access points. By default, the onboarding I-SID provides automatic reachability when
switches are booted from factory without a configuration file. For security reasons, the onboarding I-SID
forms an isolated PVLAN/ETREE to block any unwanted port to port cross talk.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the onboarding I-SID:
auto-sense onboarding i-sid <1-15999999>

Example

Configuring the Auto-sense onboarding I-SID:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense onboarding i-sid 15000000

Variable Definitions

The following table defines parameters for the auto-sense onboarding command.

Variable Value
i-sid <1-15999999> Specifies the service instance identifier (I-SID). The default onboarding I-SID
value is 15999999.

Configure an Auto-sense Global Data I-SID

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.


Before You Begin


• Enable Auto-sense on the port.
• Associate a VLAN with the I-SID before you configure it as the global data I-SID.

About This Task

Perform this task to configure Auto-sense data traffic information for ports that are operating in
Auto-sense mode.

Note
This option applies to the Auto-sense UNI and voice states only; it replaces the onboarding
I-SID and places an (untagged) client device into a pre-defined global data I-SID.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the data service instance identifier (I-SID):
auto-sense data i-sid <1-15999999>

Example

Configuring the Auto-sense data I-SID:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense data i-sid 1000

Variable Definitions

The following table defines parameters for the auto-sense data command.

Variable Value
i-sid <1-15999999> Specifies the service instance identifier (I-SID).

Configure an Auto-sense Port Data I-SID

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

Before You Begin


• Enable Auto-sense on the port.
• Associate a VLAN with the I-SID before you configure it as the data I-SID on the port. This does not
apply to a DvR leaf.


About This Task

Perform this procedure to configure a data I-SID on a port.

Note
This option applies to the Auto-sense UNI and voice states only; it replaces the onboarding
I-SID and places an (untagged) client device into a pre-defined port specific data I-SID.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the Auto-sense port data I-SID:


auto-sense data i-sid <1-15999999>

Example

Configuring the Auto-sense data I-SID for ports 1/1 to 1/5:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1-1/5
Switch:1(config-if)#auto-sense data i-sid 15000000

Variable Definitions

The following table defines parameters for the auto-sense data command.

Variable Value
i-sid <1-15999999> Specifies the service instance identifier (I-SID).

Configure Layer 2 Trusted Auto-sense Ports

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to override incoming 802.1p bits on ports that operate in Auto-sense UNI or
voice mode.


Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure Auto-sense ports as Layer 2 untrusted:
auto-sense qos 802.1p-override

Example

Configure Auto-sense ports as Layer 2 trusted:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense qos 802.1p-override

Configure EAPoL Authentication Requirements for Auto-sense Fabric Attach Clients

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

You can disable EAPoL authentication for specific Fabric Attach (FA) client types.

About This Task

By default, authentication is required before the connection is authorized.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure EAPoL authentication requirements from the following choices:
• For auto-sensed cameras: auto-sense fa camera eapol status {authorized | auto}
• For auto-sensed virtual switches: auto-sense fa ovs eapol status {authorized | auto}
• For auto-sensed wireless access points (WAP): auto-sense fa wap-type1 eapol status {authorized | auto}


Variable Definitions

The following table defines parameters for the auto-sense commands related to EAPoL
authentication for Fabric Attach (FA).

Variable Value
{authorized | auto} Configures the EAPoL authentication requirement for the specific client type.
Choose from the following options:
• authorized - the port skips EAPoL authentication and authorizes the connection.
• auto - authorization depends on the result of EAPoL authentication.
By default, authentication is required before the connection is authorized.

Configure Auto-sense Fabric Attach (FA) Authentication

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to configure FA authentication for ports that are operating in Auto-sense mode.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the FA authentication key:
auto-sense fa authentication-key WORD<0-32>
3. Enable FA message authentication:
auto-sense fa message-authentication

Example

Configuring FA message authentication globally:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense fa message-authentication

Variable Definitions

The following table defines parameters for the auto-sense fa command.

Variable Value
authentication-key WORD<0-32> Specifies the authentication key value.
message-authentication Enables Fabric Attach (FA) message authentication globally, for ports that operate in Auto-sense mode.


Configure an I-SID for Auto-sense Fabric Attach Clients

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

For Zero Touch Deployment and assignments of dedicated I-SIDs for FA capable cameras, Wireless
Access Points, FA proxy switches and Open Virtual Switches (OVS), configure a specific I-SID to use
instead of the onboarding I-SID when a port is in an Auto-sense Fabric Attach (FA) state and detects an
FA client.

Before You Begin


• Create the I-SID.
• Associate the I-SID with either a platform or private VLAN; this association is not required on a DvR
Leaf.

About This Task

You can create only one I-SID of each type.

The FA I-SID can be the same as the voice I-SID because they are used by different Auto-sense port
states.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the FA I-SID from the following choices:
• For auto-sensed cameras: auto-sense fa camera i-sid <1-15999999>
• For auto-sensed FA client switches that do not use FA message authentication, like EXOS or
Switch Engine: auto-sense fa proxy-no-auth i-sid <1-15999999>
• For auto-sensed virtual switches: auto-sense fa ovs i-sid <1-15999999>
• For auto-sensed wireless access points (WAP): auto-sense fa wap-type1 i-sid <1-15999999>

Variable Definitions

The following table defines parameters for the auto-sense commands related to Fabric Attach (FA)
I-SIDs.

Variable Value
i-sid <1-15999999> Specifies the service instance identifier (I-SID).

Configure a Management I-SID for Auto-sense Fabric Attach Proxy Switches

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.


Configure a specific I-SID and customer VLAN ID to use as the management I-SID when a port is in the
Auto-sense FA PROXY state.

About This Task

The switch creates this I-SID dynamically and uses it instead of the onboarding I-SID.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure the management I-SID:
auto-sense fa proxy management i-sid <1-15999999> c-vid <1-4094>

Variable Definitions

The following table defines parameters for the auto-sense fa proxy management command.

Variable Value
c-vid <1-4094> Specifies the customer VLAN ID.
i-sid <1-15999999> Specifies the service instance identifier (I-SID).

Display Auto-sense Configuration on the Switch

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to display the Auto-sense configuration on the switch.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the Auto-sense configuration:
show auto-sense [access-diffserv] [data] [dhcp-detection] [eapol] [fa]
[isis] [onboarding] [qos] [voice] [wait-interval]
3. Display the Auto-sense status and state on a port:
show interfaces gigabitEthernet auto-sense [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]

Examples

Display the Auto-sense configuration related to voice:


Switch:1>show auto-sense voice
===============================================================================
AUTO-SENSE VOICE Config
===============================================================================

TYPE LDDP-AUTH ENABLE I-SID C-VID DSCP PRIORITY
-------------------------------------------------------------------------------
phone FALSE 2000 2000 46 6
-------------------------------------------------------------------------------
1 out of 1 Total Num of AUTO-SENSE entries displayed
-------------------------------------------------------------------------------

Display the Auto-sense status and state on a range of ports:


Switch:1>show interfaces gigabitethernet auto-sense 1/1-1/5
======================================================================
Port Auto-sense
======================================================================
----------------------------------------------------------------------
PORT AUTO-SENSE AUTO-SENSE AUTO-SENSE
NUM STATUS STATE PORT-DATA-ISID
----------------------------------------------------------------------
1/1 Enable UNI-ONBOARDING 500
1/2 Disable OFF
1/3 Disable OFF
1/4 Disable OFF
1/5 Disable OFF

Display the Auto-sense status for Fabric Attach (FA):


Switch:1>show auto-sense fa
==================================================================================
AUTO-SENSE FA Config
==================================================================================
MSG-AUTH MSG-AUTH-KEY
----------------------------------------------------------------------------------
enabled ****
----------------------------------------------------------------------------------

==================================================================================
AUTO-SENSE FA Client specific config
==================================================================================
TYPE EAPOL STATUS I-SID VLANID C-VID MGMT I-SID MGMT C-VID
----------------------------------------------------------------------------------
camera Auto 100 100 untag - -
wap-type1 Auto 200 200 untag - -
open-virtual-switch Auto - - - - -
proxy-no-auth Auth 300 300 untag - -
proxy Auth 400 n/a 400 400 400
----------------------------------------------------------------------------------
6 out of 6 Total Num of AUTO-SENSE entries displayed
----------------------------------------------------------------------------------

Display the Auto-sense wait-interval information.


Switch:1>show auto-sense wait-interval
============================================================================
AUTO-SENSE GLOBAL Config
============================================================================
WAIT
INTERVAL
----------------------------------------------------------------------------
50
----------------------------------------------------------------------------

----------------------------------------------------------------------------
0 out of 0 Total Num of AUTO-SENSE entries displayed
----------------------------------------------------------------------------


Auto-sense Configuration using EDM


The following sections provide procedural information to configure Auto-sense on the switch using
Enterprise Device Manager (EDM). Auto-sense configuration can include both global- and port-level
configuration.
• Auto-sense Global Configuration using EDM on page 35
• Auto-sense Port Configuration using EDM on page 41

Auto-sense Global Configuration using EDM


Perform the procedures in this section to configure Auto-sense globally using Enterprise Device
Manager (EDM).

Enable LLDP Authentication of IP Phones

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

Before You Begin

You must enable EAPoL globally.

About This Task

Perform this procedure to enable Link Layer Discovery Protocol (LLDP) authentication of IP phones. The
switch authenticates the phone after it receives LLDP packets from the phone.

Auto-sense LLDP authentication applies to Auto-sense ports in the VOICE state. Auto-sense LLDP
authentication does not require a global Auto-sense voice configuration.

The system removes the LLDP session for the following reasons:
• You disable EAPoL globally.
• You disable Auto-sense on the port.
• The LLDP neighbor is removed.

If the LLDP authentication configuration exists and one of the following situations occurs, the LLDP
session is recreated:
• You re-enable EAPoL globally.
• You re-enable Auto-sense on the port.
• The LLDP neighbor is recreated.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select AutoSense.
3. Select the Globals tab.
4. Select EapolVoiceLldpAuthEnable to enable the EAPoL LLDP authorization for voice Auto-sense
ports.
5. Select Apply.


Configure Auto-sense Voice Information for IP Phones

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

The switch applies the Auto-sense voice configuration on specific port(s), after it discovers IP phones on
the port through LLDP packets.

Before You Begin

If you boot the switch with a configuration file, and not through Zero Touch Fabric Configuration, you
must manually enable Auto-sense on specific port(s).

About This Task

Perform this procedure to configure Auto-sense voice information for IP phones. A global Auto-sense
voice configuration does not require Auto-sense LLDP authentication.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select AutoSense.
3. Select the Globals tab.
4. For VoiceIsid, type the I-SID value.
5. For VoiceCvid, type the CVID value associated with the voice I-SID.
6. Select Apply.

Disable Auto-sense DHCP Server Detection

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to disable DHCP server detection in Auto-sense mode.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select AutoSense.
3. Select the Globals tab.
4. Select DhcpDetection to disable DHCP detection.
5. Select Apply.

Configure Auto-sense Onboarding I-SID Globally

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.


About This Task

Perform this procedure to configure the onboarding I-SID for ports that are operating in Auto-sense
mode.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select AutoSense.
3. Select the Globals tab.
4. For OnboardingIsid, type the I-SID value for the Auto-sense ports.
5. Select Apply.

Configure Auto-sense Data I-SID Globally

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

Before You Begin


• Enable Auto-sense on the port.
• Associate a VLAN with the I-SID before you configure it as the global data I-SID.

About This Task

Perform this task to configure Auto-sense data traffic information for ports that are operating in
Auto-sense mode.

Note
This option applies to the Auto-sense UNI and voice states only; it replaces the onboarding
I-SID and places an (untagged) client device into a pre-defined global data I-SID.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select AutoSense.
3. Select the Globals tab.
4. For DataIsid, type the data I-SID value used by the Auto-sense ports.
5. Select Apply.

Configure Layer 2 Trusted Auto-sense Ports

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to override incoming 802.1p bits on ports that operate in Auto-sense mode.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select AutoSense.
3. Select the Globals tab.
4. Select Qos8021pOverrideEnable to override incoming 802.1p bits on ports that operate in
Auto-sense mode.
5. Select Apply.

Configure Auto-sense IS-IS Authentication

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to configure a global IS-IS authentication key for ports that are operating in
Auto-sense mode.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select AutoSense.
3. Select the Globals tab.
4. For IsisHelloAuthType, select a type of IS-IS hello authentication.
5. For IsisHelloAuthKeyId, type the key ID for IS-IS authentication for the Auto-sense ports.
6. For IsisHelloAuthKey, type the key for IS-IS authentication for the Auto-sense ports.
7. Select Apply.

Configure Auto-sense Access Ports

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to configure ports operating in Auto-sense mode to determine the Layer 3 QoS
actions the switch performs. The Auto-sense access ports override the Differentiated Services Code
Point (DSCP) markings.

Procedure
1. In the navigation pane, expand Configuration > Fabric.
2. Select AutoSense.
3. Select the Globals tab.
4. Select AccessDiffservEnable to enable the differentiated service type as access for Auto-sense ports.
5. Select Apply.

Configure Auto-sense for Fabric Attach

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.


Perform this procedure for the following purposes:


• Configure Fabric Attach (FA) authentication for ports that are operating in Auto-sense mode.
• For Zero Touch Deployment and assignments of dedicated I-SIDs for FA capable cameras, Wireless
Access Points, FA proxy switches and Open Virtual Switches (OVS), you can configure a specific
I-SID to use instead of the onboarding I-SID when a port is in an Auto-sense Fabric Attach (FA) state
and detects an FA client.
• Configure a specific I-SID and customer VLAN ID to use as the management I-SID when a port is in
the Auto-sense FA PROXY state.

Before You Begin


• Create the I-SID.
• Associate the I-SID with either a platform or private VLAN; this association is not required on a DvR
Leaf.

About This Task

You can create only one I-SID of each type.

The FA I-SID can be the same as the voice I-SID because they are used by different Auto-sense port
states.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select AutoSense.
3. Select the Globals tab.
4. Configure Fabric Attach authentication:
a. Select FaMsgAuthEnable to enable FA message authentication.
b. For FaAuthenticationKey, type the key for FA authentication for the Auto-sense ports.
5. Configure a specific I-SID to use instead of the onboarding I-SID:
a. For auto-sensed cameras, type the I-SID in FaCameraIsid.
b. For auto-sensed FA client switches that do not use FA message authentication, like EXOS or
Switch Engine, type the I-SID in FaProxyNoAuthIsid.
c. For auto-sensed virtual switches, type the I-SID in FaVirtualSwitchIsid.
d. For auto-sensed wireless access points (WAP), type the I-SID in FaWapType1Isid.
6. Configure a specific I-SID and customer VLAN ID to use as the management I-SID:
a. In FaProxyMgmtIsid, type the I-SID.
b. In FaProxyMgmtCvid, type the customer VLAN ID.
7. Select Apply.

Globals Field Descriptions

Use the data in the following table to use the Globals tab.


Name                      Description
AccessDiffservEnable      Enables or disables the differentiated service type as access for Auto-sense ports. The default is enabled.
DataIsid                  Specifies the data I-SID used by the Auto-sense ports.
EapolVoiceLldpAuthEnable  Enables the EAPoL LLDP authentication for Auto-sense voice ports. The default is disabled.
FaMsgAuthEnable           Enables or disables the FA message authentication for Auto-sense ports. The default is enabled.
FaAuthenticationKey       Specifies the FA authentication key for Auto-sense ports.
IsisHelloAuthType         Specifies the authentication type for IS-IS hello packets on Auto-sense ports:
                          • None
                          • simple - simple password authentication uses a text password in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet.
                          • hmac-md5 - MD5 authentication creates an encoded checksum in the transmitted packet. The receiving router uses an authentication key (password) to verify the MD5 checksum of the packet.
                          • hmac-sha256 - with SHA-256 authentication, the switch adds an hmac-sha-256 digest to each Hello packet. The switch that receives the Hello packet computes the digest of the packet and compares it with the received digest.
                          Note: Secure Hashing Algorithm 256 bits (SHA-256) is a cipher and a cryptographic hash function of SHA2 authentication. You can use SHA-256 to authenticate IS-IS Hello messages. This authentication method uses the SHA-256 hash function and a secret key to establish a secure connection between switches that share the same key. This feature is in full compliance with RFC 5310.
                          The default authentication type is none.
IsisHelloAuthKeyId        Specifies the IS-IS hello authentication key ID for the Auto-sense ports.
IsisHelloAuthKey          Specifies the IS-IS hello authentication key for the Auto-sense ports. You must configure the IS-IS hello authentication key along with the IS-IS hello authentication type.
OnboardingIsid            Specifies the onboarding I-SID used by the Auto-sense ports.
Qos8021pOverrideEnable    Overrides the incoming 802.1p bits on ports that operate in Auto-sense mode. The default is enabled.
VoiceIsid                 Specifies the voice I-SID used by Auto-sense ports.
VoiceCvid                 Specifies the customer VLAN ID associated with the voice I-SID used by Auto-sense ports. Voice C-VID is configured for tagged voice traffic only. You must configure the Auto-sense voice customer VLAN ID along with the Auto-sense voice I-SID.
DhcpDetection             Enables or disables the DHCP detection in Auto-sense mode. The default is enabled.
FaCameraIsid              Specifies the FA camera I-SID used by Auto-sense ports.
FaProxyMgmtIsid           Specifies the FA proxy management I-SID used by Auto-sense ports.

FaProxyMgmtCvid           Specifies the FA proxy management Client-VLAN ID (c-vid) used by auto-sense ports.
FaProxyNoAuthIsid         Specifies the FA proxy no-auth I-SID used by auto-sense ports.
FaVirtualSwitchIsid       Specifies the FA virtual-switch I-SID used by auto-sense ports.
FaWapType1Isid            Specifies the FA WAP type-1 I-SID used by auto-sense ports.
FaCameraEapolStatus       Specifies the FA EAPOL status for Camera I-SID used by auto-sense ports.
FaEapolOVSStatus          Specifies the FA EAPOL status for OVS (Open-Virtual-Switch) I-SID used by auto-sense ports.
FaEapolWap1Status         Specifies the FA EAPOL status for Wap-type-1 I-SID used by auto-sense ports.
WaitInterval              Specifies the wait interval in seconds for the 'WAIT' state of auto-sense's finite state machine.
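
The following added example (not part of the Extreme Networks guide) reviews a set of Globals values against the defaults and field dependencies stated in the table above. The "Name: value" input format is hypothetical and is not an EDM export; the function names and sample values are assumptions made for the example.

```python
# Added example: review Auto-sense Globals values against what the table states.
# Field names come from the table; the "Name: value" input format is hypothetical.

TRUE_VALUES = {"true", "enabled", "enable"}


def parse_globals(text):
    """Parse 'Name: value' lines; blank lines and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'Name: value' line: {line!r}")
        settings[name.strip()] = value.strip()
    return settings


def is_set(settings, name):
    """Assumption: a field counts as configured when present, non-empty and not 0."""
    return settings.get(name, "") not in ("", "0")


def is_on(settings, name, default):
    return settings.get(name, default).lower() in TRUE_VALUES


def audit_globals(settings):
    """Return (field, message) findings; an empty list means nothing to review."""
    findings = []
    auth_type = settings.get("IsisHelloAuthType", "none").lower()  # default: none
    has_key = is_set(settings, "IsisHelloAuthKey")
    if auth_type == "none":
        findings.append(("IsisHelloAuthType",
                         "none: IS-IS hellos on Auto-sense ports are not authenticated"))
    elif auth_type == "simple":
        findings.append(("IsisHelloAuthType",
                         "simple: the text password travels in the transmitted packet"))
    elif auth_type == "hmac-md5":
        findings.append(("IsisHelloAuthType",
                         "hmac-md5: hmac-sha256 is also offered for this field"))
    # The key must be configured along with the authentication type.
    if auth_type != "none" and not has_key:
        findings.append(("IsisHelloAuthKey", "authentication type is set without a key"))
    if auth_type == "none" and has_key:
        findings.append(("IsisHelloAuthKey", "key is set but the type is none"))
    if not is_on(settings, "FaMsgAuthEnable", "true"):            # default: enabled
        findings.append(("FaMsgAuthEnable", "FA message authentication is disabled"))
    if is_set(settings, "FaProxyNoAuthIsid"):
        findings.append(("FaProxyNoAuthIsid",
                         "FA client switches without message authentication are "
                         "placed in this I-SID; confirm that is intended"))
    if is_on(settings, "EapolVoiceLldpAuthEnable", "false"):      # default: disabled
        findings.append(("EapolVoiceLldpAuthEnable",
                         "phones are trusted from LLDP without RADIUS authentication"))
    # The voice C-VID must be configured along with the voice I-SID.
    if is_set(settings, "VoiceCvid") and not is_set(settings, "VoiceIsid"):
        findings.append(("VoiceCvid", "voice C-VID is set without a voice I-SID"))
    return findings


# Constructed sample values, not taken from a real switch.
REVIEW_SAMPLE = """
# values that should each produce a finding
IsisHelloAuthType: simple
IsisHelloAuthKeyId: 1
IsisHelloAuthKey: example-key
FaMsgAuthEnable: false
FaProxyNoAuthIsid: 20010
EapolVoiceLldpAuthEnable: true
VoiceCvid: 100
"""

CLEAN_SAMPLE = """
IsisHelloAuthType: hmac-sha256
IsisHelloAuthKeyId: 1
IsisHelloAuthKey: example-key
FaMsgAuthEnable: true
EapolVoiceLldpAuthEnable: false
VoiceIsid: 20020
VoiceCvid: 100
"""

if __name__ == "__main__":
    for field, message in audit_globals(parse_globals(REVIEW_SAMPLE)):
        print(f"{field}: {message}")
```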

Auto-sense Port Configuration using EDM


Perform the procedures in this section to configure Auto-sense on specific ports using Enterprise
Device Manager (EDM).

Enable Auto-sense on Port(s)

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to enable Auto-sense on one or more ports.

If you select more than one port, the format of the tab changes to a table-based tab.

Note
• After a switch boots without a configuration file, Auto-sense is enabled on all ports, by
default.
• Auto-sense is disabled by default for existing configurations but enabled for new Zero
Touch Fabric Configuration deployments.

Procedure

1. In the Device Physical View tab, select one or more ports.


2. In the navigation pane, expand Configuration > Edit > Port.
3. Select General.
4. Select the Interface tab.
5. For AutoSense, select enable.
6. Select Apply.


Disable Auto-sense on Port(s)

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to disable Auto-sense on one or more ports. You also have the option to disable
Auto-sense on the port but retain the configuration that the system applied dynamically. The dynamic
configuration becomes a manual configuration and is visible in the show running-config output.

If you select more than one port, the format of the tab changes to a table-based tab.

Procedure

1. In the Device Physical View tab, select one or more ports.


2. In the navigation pane, expand Configuration > Edit > Port.
3. Select General.
4. Select the Interface tab.
5. For AutoSense, select disable.
6. (Optional) Select AutoSenseKeepAutoConfig to retain the configuration that the system applies
dynamically.
7. Select Apply.

Configure an Auto-sense Data I-SID on a Port

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

About This Task

Perform this procedure to configure an Auto-sense Data I-SID on a port.

Procedure

1. In the Device Physical View tab, select a port.


2. In the navigation pane, expand Configuration > Edit > Port.
3. Select General.
4. Select the Interface tab.
5. For AutoSenseDataIsid, type the data I-SID value. The range is 0 to 15999999.
6. Select Apply.

Auto-sense Logical Flowcharts


The system uses a per-interface state to adapt to all Auto-sense events. Each state transition
determines background configuration on the port. The system does not display Auto-sense port
configurations in the show running-config command or in the saved configuration file; instead,
use the show auto-sense commands to show global and port-specific Auto-sense information.


The following flowcharts describe the system logic for Auto-sense port state detection, how the system
configurations change the logic path, and the Auto-sense configuration results.

Note
The vlan create CLI command examples do not apply to DvR leaf switch configurations.
DvR leaf switches create VLANs automatically.

Auto-sense Fabric NNI


Detection of a Fabric network-to-network interface (NNI) results in tagged Backbone VLAN IDs (B-VID)
with IS-IS NNI enabled.

Figure 1: Auto-sense Fabric NNI

Auto-sense UNI Client without NAC


Detection of a user-to-network interface (UNI) client without network access control (NAC) results in
untagged data configuration based on system configuration.

Figure 2: Auto-sense UNI client without NAC

Auto-sense UNI Client with NAC


Detection of a user-to-network interface (UNI) client with network access control (NAC) results in
untagged, tagged, or dropped data configuration based on system configuration.


Figure 3: Auto-sense UNI client with NAC

Auto-sense Voice without NAC


Detection of voice without network access control (NAC) results in untagged, tagged, or dropped data
based on system configuration.


Figure 4: Auto-sense voice without NAC

Auto-sense Voice with NAC


Detection of voice with network access control (NAC) results in untagged, tagged, or dropped data
based on system configuration.


Figure 5: Auto-sense voice with NAC

Auto-sense FA Proxy Switch


Detection of a Fabric Attach (FA) proxy switch results in untagged or tagged data based on system
configuration.


Figure 6: Auto-sense FA proxy switch

Auto-sense FA WAP, Camera, or OVS without NAC


Detection of a Fabric Attach (FA) wireless access point (WAP), camera, or open virtual switch
(OVS) without network access control (NAC) results in untagged or tagged data based on system
configuration.

Figure 7: Auto-sense FA WAP / camera / OVS without NAC


Auto-sense FA WAP, Camera, or OVS with NAC


Detection of a Fabric Attach (FA) wireless access point (WAP), camera, or open virtual switch (OVS)
with network access control (NAC) results in untagged or tagged data based on system configuration.


Figure 8: Auto-sense FA WAP / camera / OVS with NAC

IP Phone Support

Table 6: IP Phone product support


Feature Product Release introduced
IP Phone Support VSP 4450 Series VOSS 8.3
VSP 4900 Series VOSS 8.3
VSP 7200 Series VOSS 8.3
VSP 7400 Series VOSS 8.3
VSP 8200 Series VOSS 8.3
VSP 8400 Series VOSS 8.3
VSP 8600 Series Not Supported
XA1400 Series Not Supported


The IP phone support feature focusses on the following key points:


• Works only on the Flex UNI-enabled and Auto-sense ports.
• For Avaya phones, you can choose to configure and send call server and file server Link
Layer Discovery Protocol (LLDP) Type-Length-Value (TLV) options through the lldp vendor-
specific CLI command.
• To reduce configuration overhead, this feature includes the Auto-sense voice mechanism to detect
IP phones from LLDP signalling. After the switch detects the phone, this mechanism manages the
following tasks:
◦ Provides the voice VLAN to the phone, tagging, Differentiated Services Code Point (DSCP), and
priority parameters through the LLDP Media Endpoint Discovery (MED) signaling options.
◦ Configures a switched UNI for phone traffic and sends it to the Service Instance Identifier (I-SID)
that is associated with the voice VLAN.
◦ Handles the configuration, whether “trusted” or “untrusted” on the port and priority re-markings.
◦ Integrates with the Auto-sense functionality. For more information on Auto-sense, see Auto-
sense on page 15.

Note
This feature does not support auto-creation of voice VLAN and MultiLink Trunking (MLT) or
Split Multi-Link Trunking (SMLT).

This feature has the following connectivity models:


• Standalone IP phone, which connects to a switch port.
• IP Phone with PC behind it, where the IP Phone has a small inbuilt bridge, and a PC connects to that
bridge port.

Note
Phone traffic is tagged with the voice VLAN whereas the PC traffic is untagged. However, you
can configure the phone to send the traffic as untagged.

The IP phone connectivity supports the following scenarios:


• Call server and file server LLDP TLV options—These TLVs are Avaya proprietary. Use them only with
the Avaya IP phones to detect the IP addresses of a call server and file server.
• Phone detection through LLDP messaging—Use the Capabilities and Enabled Capabilities field in the
LLDP packet to detect a phone. A “T” capability identifies a phone.
• Auto-sense voice option, without Network Access Control (NAC)—Use this functionality to specify
the voice VLAN and voice I-SID in a single CLI command.
• Auto-ISID-Offset—Use this functionality if the voice VLAN is received without an I-SID from a RADIUS
response. The Auto-ISID-Offset functionality determines an I-SID automatically to send the data
traffic.
• Auto-sense voice, LLDP authentication, and Non-EAP (NEAP) (MAC authentication) connectivity—If
you have enabled NEAP, it authorizes all the MAC addresses received on the port and IP phone.
With the LLDP authentication option, a device, such as a phone, is trusted and does not require
Remote Authentication Dial-In User Service (RADIUS) authentication. For this authentication, the
Extensible Authentication Protocol (EAP) is notified after a phone is detected and the port is in the
Auto-sense voice state. Then, the MAC address of the phone is added to the EAP or NEAP host table.


Auto-sense Voice

The Auto-sense voice feature is an addition to the Auto-sense module. Based on the events of the
phone discovery in the network, you can use this feature to configure phone devices without manual
intervention.

After the switch discovers a Link Layer Discovery Protocol (LLDP) packet with phone capabilities, the
port transitions to the "voice" state. The port receives a message on the voice event details.

With the Auto-sense voice feature, you can configure the voice I-SID and the voice VLAN. If you
configure the I-SID as untagged, the phone receives VLAN as zero. When you configure Auto-sense
voice, switched UNI is configured in VOICE I-SID for each port that is in "voice" state. The switch
adds the Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) policies for voice and
voice-signaling Type-Length-Value (TLVs) to the LLDP packet and sends LLDP packets to the phone. It
uses the configured voice VLAN and default values for Differentiated Services Code Point (DSCP) (46)
and priority (6). After you run the auto-sense voice command, a filter is installed to prioritize the
traffic that passes through the configured I-SID. The filter applies to traffic that reaches the VOICE I-SID,
which implies the voice traffic.
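
Added example (not from the Extreme Networks guide): a Python decoder for the two LLDP elements described above, the Telephone bit in the Capabilities and Enabled Capabilities fields used for phone detection, and the LLDP-MED Network Policy TLVs sent for voice and voice-signaling. TLV layouts follow IEEE 802.1AB and ANSI/TIA-1057; the function names, the constructed sample frames, C-VID 100, and the assumption that a tagged policy carries the C-VID with the tagged flag set are the example's own.

```python
import struct

# TLV types and fields from IEEE 802.1AB and ANSI/TIA-1057 (LLDP-MED)
TLV_END, TLV_SYSTEM_CAPS, TLV_ORG_SPECIFIC = 0, 7, 127
CAP_TELEPHONE = 0x0020          # bit 5 of the system capabilities bitmap
TIA_OUI = b"\x00\x12\xbb"       # OUI of LLDP-MED organizationally specific TLVs
MED_NETWORK_POLICY = 2          # LLDP-MED subtype
APP_TYPES = {1: "voice", 2: "voice-signaling"}


def iter_tlvs(lldpdu):
    """Yield (type, value); each TLV header is 7 bits of type and 9 bits of length."""
    off = 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if tlv_type == TLV_END:
            return
        if off + length > len(lldpdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        yield tlv_type, lldpdu[off:off + length]
        off += length


def telephone_capability(lldpdu):
    """Report the Telephone bit in the Capabilities and Enabled Capabilities fields."""
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type == TLV_SYSTEM_CAPS and len(value) >= 4:
            supported, enabled = struct.unpack_from("!HH", value)
            return {"supported": bool(supported & CAP_TELEPHONE),
                    "enabled": bool(enabled & CAP_TELEPHONE)}
    return {"supported": False, "enabled": False}


def med_network_policies(lldpdu):
    """Decode every LLDP-MED Network Policy TLV found in the LLDPDU."""
    policies = []
    for tlv_type, value in iter_tlvs(lldpdu):
        if (tlv_type != TLV_ORG_SPECIFIC or len(value) < 8
                or value[:3] != TIA_OUI or value[3] != MED_NETWORK_POLICY):
            continue
        # 24 bits: U(1) | T(1) | X(1) | VLAN ID(12) | L2 priority(3) | DSCP(6)
        bits = int.from_bytes(value[5:8], "big")
        policies.append({
            "app": APP_TYPES.get(value[4], f"type-{value[4]}"),
            "tagged": bool(bits & 0x400000),
            "vlan": (bits >> 9) & 0xFFF,
            "priority": (bits >> 6) & 0x7,
            "dscp": bits & 0x3F,
        })
    return policies


def check_voice_policies(policies, c_vid=None, priority=6, dscp=46):
    """Compare advertised policies with the values given in this section.

    c_vid=None models the untagged configuration (VLAN ID 0, untagged).
    Returns a list of mismatches; an empty list means the policies are consistent.
    """
    problems = []
    by_app = {p["app"]: p for p in policies}
    want = (0, False) if c_vid is None else (c_vid, True)
    for app in ("voice", "voice-signaling"):
        p = by_app.get(app)
        if p is None:
            problems.append(f"{app}: no Network Policy TLV advertised")
            continue
        if (p["vlan"], p["tagged"]) != want:
            problems.append(f"{app}: VLAN {p['vlan']} tagged={p['tagged']}")
        if p["priority"] != priority:
            problems.append(f"{app}: priority {p['priority']}, expected {priority}")
        if p["dscp"] != dscp:
            problems.append(f"{app}: DSCP {p['dscp']}, expected {dscp}")
    return problems


# --- Constructed sample LLDPDUs (not captured from a real device) ---
def _tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def _policy(app, tagged, vlan, prio, dscp):
    bits = (tagged << 22) | (vlan << 9) | (prio << 6) | dscp
    return _tlv(127, TIA_OUI + bytes([MED_NETWORK_POLICY, app]) + bits.to_bytes(3, "big"))


_HEAD = (_tlv(1, b"\x04\x02\x00\x00\x00\x00\x01")    # Chassis ID, MAC subtype
         + _tlv(2, b"\x07" + b"1")                   # Port ID, locally assigned
         + _tlv(3, struct.pack("!H", 120)))          # TTL in seconds
PHONE_PDU = _HEAD + _tlv(7, struct.pack("!HH", 0x0024, 0x0020)) + _tlv(0, b"")
SWITCH_TAGGED_PDU = _HEAD + _policy(1, 1, 100, 6, 46) + _policy(2, 1, 100, 6, 46) + _tlv(0, b"")
SWITCH_UNTAGGED_PDU = _HEAD + _policy(1, 0, 0, 6, 46) + _policy(2, 0, 0, 6, 46) + _tlv(0, b"")
```

The capability bits are supplied by the attached device, so the result is a classification input rather than proof of identity; the NAC scenarios on this page add EAP/NEAP authentication for that reason.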

Note
To change the Auto-sense voice configuration on the switch, delete the earlier configured
voice I-SID and VLAN entry.

After you configure auto-sense voice, the following tasks take place:


• The I-SID <I-SID value> and C-VID <C-VID value> are saved in the control plane.
• The voice I-SID is created.
• The ports that are in the "voice" state process the voice configuration message and begin the
dynamic configuration. This configuration includes the following tasks:
◦ Creation of voice Switched UNI (S-UNI).
◦ Deletion of onboarding and data I-SID, or S-UNI, if you configured auto-sense as "untagged".
◦ Addition of LLDP-MED voice and voice-signaling TLVs to the LLDP packet and sending of LLDP
packets to the phone.
• The voice filter is updated. After you run the auto-sense voice command, a filter is installed to
prioritize the traffic that passes through the configured I-SID. The filter applies to the traffic in Voice
I-SID. The traffic that passes through this I-SID is internally prioritized with level 6 and forwarded
with a dot1p value of 6, for tagged packets. For the IP packets, the DSCP value of 46 is forwarded.

Note
• To disable Auto-sense on the port but keep the dynamic configurations made by Auto-
sense, use the command no auto-sense enable convert-to-config. The voice
S-UNI loses its Auto-sense origin and has a config origin instead. The LLDP-MED policies
installed by Auto-sense are preserved.
• If you use the no auto-sense voice command, the system removes the voice S-UNI
and the LLDP-MED policies. The voice I-SID is removed if it was installed by using the
auto-sense voice command. If the I-SID existed before you used the auto-sense
voice command, the system does not remove the I-SID but the I-SID does lose its
Auto-sense origin.
• A port exits the voice state in one of the following scenarios:
◦ If the port is down
◦ If the LLDP session fails between the switch and the phone
◦ If Auto-sense is disabled on the port that connects to the IP phone

After a port exits the voice state, the Switched UNI (S-UNI), LLDP voice and voice-
signaling are deleted.

IP Phone Configuration using CLI

Configure Auto-sense Voice Information for IP Phones

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

The switch applies the voice configuration on Auto-sense-enabled ports, after it discovers IP phones on
the port through Link Layer Discovery Protocol (LLDP) packets.

Before You Begin

If you boot the switch with a configuration file, and not through Zero Touch Fabric Configuration, you
must manually enable Auto-sense on specific ports.

About This Task

Perform this procedure to configure Auto-sense voice information for IP phones.

A global Auto-sense voice configuration does not require Auto-sense LLDP authentication based on the
following cases.
• In a non-NAC environment, a phone is classified based on the phone's LLDP signaling.
• In a NAC environment, a phone is authenticated based on EAP/NEAP RADIUS authentication or, if
configured, it is LLDP authenticated.


Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure the customer VLAN ID:
auto-sense voice i-sid <1-15999999> c-vid <c-vid>
3. Configure the traffic as untagged:
auto-sense voice i-sid <1-15999999> untagged

Note
The phone receives VLAN ID as 0 and the tagging is configured as "untagged".

Example

Configure VLAN tagging as untagged:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense voice i-sid 1234 untagged

Variable Definitions

The following table defines parameters for the auto-sense voice command.

Variable            Value
i-sid <1-15999999>  Specifies the service instance identifier (I-SID).
c-vid <c-vid>       Specifies the customer VLAN ID. Different hardware platforms support different customer VLAN ID ranges. Use the CLI Help to see the available range for the switch.
untagged            Specifies the VLAN tagging type as untagged.
                    Note: The phone receives VLAN ID as 0 and the tagging is configured as "untagged".

Enable Auto-sense LLDP Authentication of IP Phones

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series.

Before You Begin


• You must enable Extensible Authentication Protocol over LAN (EAPoL) globally.

About This Task

Perform this procedure to enable Link Layer Discovery Protocol (LLDP) authentication of IP phones. The
switch authenticates the phone after it receives LLDP packets from the phone if EAP/NEAP is enabled.


Auto-sense LLDP authentication applies to Auto-sense ports in the VOICE state. Auto-sense LLDP
authentication does not require a global Auto-sense voice configuration.

The no auto-sense eapol voice lldp-auth command removes all Auto-sense LLDP sessions
and removes the Auto-sense LLDP authentication configuration.

The system removes the LLDP session for the following reasons:
• You disable EAPoL globally.
• You disable Auto-sense on the port.
• The LLDP neighbor is removed.

If the LLDP authentication configuration exists and one of the following situations occurs, the LLDP
session is recreated:
• You re-enable EAPoL globally.
• You re-enable Auto-sense on the port.
• The LLDP neighbor is recreated.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable LLDP authentication:
auto-sense eapol voice lldp-auth

Example

Enabling LLDP authentication on the switch:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#auto-sense eapol voice lldp-auth

Variable Definitions

The following table defines parameters for the auto-sense eapol voice command.

Variable Value
lldp-auth Enables Link Layer Discovery Protocol (LLDP) authentication
of IP phones. By default, LLDP authentication of IP phones is
disabled on the switch.


Configure LLDP Vendor Specific Information


About This Task

Use this procedure to configure the Link Layer Discovery Protocol (LLDP) vendor-specific information
on a call server or a file server.

Note
After you configure LLDP vendor specific call server information, the SIP Proxy of the phone is
configured as transport type Transport Layer Security (TLS) port 5061. This option is available
depending on the operating system of the call server.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. To configure LLDP vendor-specific information for a call server, enter:
lldp vendor-specific call-server <1-8> <A.B.C.D>
3. To configure LLDP vendor-specific information for a file server, enter:
lldp vendor-specific file-server <1-4> <A.B.C.D>

Example

Configure the LLDP vendor-specific information on a call server:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#lldp vendor-specific call-server 1 192.0.2.0

Variable Definitions

The following table defines parameters for the lldp vendor-specific command.

Variable                     Value
call-server <1-8> <A.B.C.D>  Specifies the Link Layer Discovery Protocol (LLDP) vendor-specific information on the call server number and the IP address.
file-server <1-4> <A.B.C.D>  Specifies the LLDP vendor-specific information on the file server number and the IP address.

View LLDP Vendor Specific Information

About This Task

Use this procedure to view the Link Layer Discovery Protocol (LLDP) vendor-specific information on a
call server or a file server.

Procedure
1. Enter Privileged EXEC mode:
enable


2. To view LLDP vendor-specific information for a call server, enter:


show lldp vendor-specific call-server
3. To view LLDP vendor-specific information for a file server, enter:
show lldp vendor-specific file-server

Example

Display the LLDP vendor-specific information on a call server:


Switch:1>enable
Switch:1#show lldp vendor-specific call-server
==========================================================
LLDP Call-Server
==========================================================
NUM IP
----------------------------------------------------------
1 192.0.2.0
2 198.51.100.0
----------------------------------------------------------
All 2 out of 2 Total Num of call-server entries displayed

View LLDP Neighbor Vendor Specific Information

About This Task

Use this procedure to view the remote Link Layer Discovery Protocol (LLDP) vendor-specific
information on a call server or a file server.

Procedure

1. Enter Privileged EXEC mode:


enable
2. To view remote LLDP vendor-specific information for a call server, enter:
show lldp neighbor vendor-specific call-server
3. To view remote LLDP vendor-specific information for a file server, enter:
show lldp neighbor vendor-specific file-server

Example

Display remote LLDP vendor-specific information on a file server:


Switch:1>enable
Switch:1#show lldp neighbor vendor-specific file-server
================================================================
Remote LLDP File-Server IP Addresses
================================================================
PORT IP
----------------------------------------------------------------
203 192.0.2.0, 198.51.100.0, 203.0.113.0
----------------------------------------------------------------
All 3 out of 3 Total Num of remote file-server entries displayed


Enable LLDP Voice Authentication on a Specific Port

Note
This procedure does not apply to VSP 4450 Series, VSP 8600 Series, or XA1400 Series.

About This Task

Perform this procedure to enable Link Layer Discovery Protocol (LLDP) voice authentication of IP
phones on a port.

You cannot manually enable LLDP voice authentication on an Auto-sense-enabled port. If the system
detects a phone on an Auto-sense port, then “eapol voice lldp-auth” configuration is automatically
applied on the port that connects to the phone. This procedure applies to ports with Auto-sense
disabled.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable LLDP voice authentication on a specific port:


eapol voice lldp-auth

Example

Enabling LLDP voice authentication on a specific port:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#eapol voice lldp-auth

Variable Definitions

The following table defines parameters for the eapol voice command.

Variable Value
lldp-auth Enables Link Layer Discovery Protocol (LLDP) voice
authentication of IP phones on the selected port. By default,
LLDP authentication of IP phones is disabled on the switch.


IP Phone Configuration using EDM

View Vendor Specific Call Server Information


About This Task

Perform this procedure to view inventory attributes for vendor-specific call server information.

Procedure

1. In the navigation pane, expand Configuration > Serviceability > Diagnostics > 802_1ab.
2. Select Vendor Specific.
3. Select the Call Server tab.

Vendor Specific Call Server Field Descriptions

Use the data in the following table to use the Call Server tab.

Name Description
CallServerNum Specifies the call server ID.
CallServerAddressType Specifies the IP address type of the call server.
CallServerAddress Specifies the IP address of the call server.

View Vendor Specific File Server Information

About This Task

Perform this procedure to view inventory attributes for vendor-specific file server information.

Procedure

1. In the navigation pane, expand Configuration > Serviceability > Diagnostics > 802_1ab.
2. Select Vendor Specific.
3. Select the File Server tab.

Vendor Specific File Server Field Descriptions

Use the data in the following table to use the File Server tab.

Name Description
FileServerNum Specifies the file server ID.
FileServerAddressType Specifies the IP address type of the file server.
FileServerAddress Specifies the IP address of the file server.


Zero Touch Deployment

Table 7: Zero Touch Deployment product support


Feature Product Release introduced
Zero Touch Deployment VSP 4450 Series VOSS 8.2
VSP 4900 Series VOSS 8.2
VIMs: VIM5-4YE, VIM5-4X,
VIM5-4XE, and VIM5-2Y only
VSP 7200 Series VOSS 8.2
VSP 7400 Series VOSS 8.2
VSP 8200 Series VOSS 8.2
VSP 8400 Series VOSS 8.2
VSP 8600 Series Not supported
XA1400 Series VOSS 8.2

For the most current information on switches supported by ExtremeCloud™ IQ, see ExtremeCloud™ IQ
Learning What’s New.

Zero Touch Deployment enables a switch to be deployed automatically with ExtremeCloud IQ but you
still need to onboard the switch on the ExtremeCloud IQ side. When the switch powers on, the Dynamic
Host Configuration Protocol (DHCP) Client obtains the IP address and gateway from a DHCP Server,
and discovers the Domain Name Server, connecting the switch automatically to ExtremeCloud IQ ‑ Site
Engine or to ExtremeCloud IQ cloud management application.

The switch integrates with ExtremeCloud IQ using IQAgent.

Zero Touch Provisioning Plus (ZTP+) provides ExtremeCloud IQ ‑ Site Engine connectivity to the switch.

For more information about ExtremeCloud IQ Agent, see ExtremeCloud IQ Agent on page 841. For
more information about ZTP+, see Zero Touch Provisioning Plus on page 60.

To use zero touch functionality, your switch must be in a Zero Touch Deployment-ready configuration
mode, which means the switch cannot have existing primary or secondary configuration files loaded.
Factory shipped switches are Zero Touch Deployment ready because they deploy without configuration
files. However, existing switches require manual preparation before Zero Touch Deployment can
function.

To prepare an existing switch for Zero Touch Deployment, the switch must boot without a configuration
file. Perform one of the following actions:
• Rename existing primary and secondary configuration files. Use the mv command to rename the
existing configuration files. For example, mv config.cfg config.cfg.backup.

This is the preferred option as it ensures that the primary and secondary files are removed while
making a backup of them at the same time. This option also ensures that the switch uses the default
config.cfg file for the final configuration after it has successfully onboarded.
• Boot from non-existent configuration files. Use the boot config choice command to configure
the primary and backup configuration files to reference files that do not exist on the switch:


boot config choice primary config-file nonexistent1.cfg

boot config choice primary backup-config-file nonexistent2.cfg

This option also works; however, after the switch has successfully onboarded, it does not use the
default config.cfg file but uses the alternative configuration file name provided instead, which might
not be desired.
• Delete the existing primary and secondary configuration files. Create a backup of these files before
you delete them.

Configuration Considerations
The switch configuration depends on whether you use factory default mode or Zero Touch Deployment.

Zero Touch Deployment Configuration


With Zero Touch Deployment, the switch configuration consists of the following:
• The ssh and sshd boot configuration flags are enabled by default.
• All ports are Private VLAN isolated ports, except on the XA1400 Series.
• VLAN 4048 is created as an onboarding-vlan for host-only connectivity for In Band management.
On all platforms, except the XA1400 Series, all front panel ports are members of VLAN 4048.
• In Band management is enabled.
• Dynamic Host Configuration Protocol (DHCP) client requests are cycled between In Band and Out of
Band ports, except on the XA1400 Series and VSP 4450 Series. XA1400 Series and VSP 4450 Series
support In Band management only.
• If the switch resets after the IP address is obtained from the DHCP Server, the entire DHCP process
does not need to be repeated. Instead, the switch can directly send the DHCP Request to the DHCP
Server for the IP stored in the /intflash/dhcp/dhclient.leases file.
• Out of Band management is enabled, except on the XA1400 Series and VSP 4450 Series. XA1400
Series and VSP 4450 Series support In Band management only.
• All ports are administratively enabled, except on the XA1400 Series. Only Port 1/8 is administratively
enabled on the XA1400 Series, which means the administrator must plug in and use only port 1/8 for
Zero Touch Deployment on an XA1400 Series.
• IQAgent is enabled by default.
• Zero Touch Provisioning Plus (ZTP+) for ExtremeCloud IQ ‑ Site Engine onboarding is enabled by
default.
• The switch initiates Zero Touch Fabric Configuration.
• After the Zero Touch Fabric establishes successfully, the onboarding VLAN 4048 is automatically
assigned to onboarding I-SID 15999999.

For information about IQAgent, see ExtremeCloud IQ Agent on page 841.


Factory Default Mode


The switch continues to support the boot configuration flag boot config flags
factorydefaults to return an existing switch to factory default configuration.

Note
Zero Touch Deployment does not run on a switch returned to factory default configuration in
this manner.

For more information, see Boot Sequence on page 147.

Zero Touch Provisioning Plus

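Table 8: Zero Touch Provisioning Plus product support

| Feature | Product | Release introduced |
|---|---|---|
| Zero Touch Provisioning Plus | VSP 4450 Series | VOSS 8.2.5 |
| Zero Touch Provisioning Plus | VSP 4900 Series | VOSS 8.2.5 |
| Zero Touch Provisioning Plus | VSP 7200 Series | VOSS 8.2.5 |
| Zero Touch Provisioning Plus | VSP 7400 Series | VOSS 8.2.5 |
| Zero Touch Provisioning Plus | VSP 8200 Series | VOSS 8.2.5 |
| Zero Touch Provisioning Plus | VSP 8400 Series | VOSS 8.2.5 |
| Zero Touch Provisioning Plus | VSP 8600 Series | Not Supported |
| Zero Touch Provisioning Plus | XA1400 Series | VOSS 8.2.5 |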

With zero touch functionality, switches are automatically discovered on the network within minutes of
being connected.

Zero Touch Provisioning Plus (ZTP+) enables you to deploy and configure switches in
ExtremeCloud IQ ‑ Site Engine with minimal server configuration and intervention. ZTP+ enabled
switches send information, such as the serial number, software version, MAC, management IP, and port
information to ExtremeCloud IQ ‑ Site Engine automatically.

When the switch powers on, the DHCP Client obtains the IP address and gateway from the DHCP server,
discovers the Domain Name Server, and connects the switch to ExtremeCloud IQ ‑ Site Engine.

ZTP+ uses HTTPS for communication between the switch and the ExtremeCloud IQ ‑ Site Engine
server. The switch discovers the ExtremeCloud IQ ‑ Site Engine server by resolving the DNS name
extremecontrol.<domain-name>.

Important
This feature requires a Zero Touch Deployment-ready configuration. For more information,
see Zero Touch Deployment on page 58.


ZTP+ Phases of Operation


Zero Touch Provisioning Plus (ZTP+) auto-provisioning occurs in phases after you connect the switch to
the network, if the switch is in factory ship state with no valid configuration saved on the device.

Connect
The Connect phase is the first phase of ZTP+ during which the switch connects to the
ExtremeCloud IQ ‑ Site Engine server on the network. The ExtremeCloud IQ ‑ Site Engine server is
discovered by resolving the DNS name extremecontrol.<domain-name>.

If the attempt is successful, the ExtremeCloud IQ ‑ Site Engine server responds with an Accept message.
When connectivity is established, the switch communicates with the ExtremeCloud IQ ‑ Site Engine
server securely and transmits information, such as its serial number and model number. The switch then
progresses to the next phase of ZTP+.

Upgrade
After a successful connection to the ExtremeCloud IQ ‑ Site Engine server, the next phase of ZTP+ is the
Upgrade phase. This phase verifies that the switch is running the image file version that is currently
selected as the reference version on the ExtremeCloud IQ ‑ Site Engine server.

Image file validation is initiated by the switch. After a successful connect, the switch sends an image
file upgrade request to the ExtremeCloud IQ ‑ Site Engine server with details on the current image file
version. If the image file versions on the switch and the ExtremeCloud IQ ‑ Site Engine server match,
no upgrade is initiated, and the switch moves to the next phase of ZTP+. If the ExtremeCloud IQ ‑ Site
Engine server detects a different image file version, ZTP+ initiates the .tgz image file download from a
specified URL location.

After a successful image upgrade, the switch reboots and reconnects to the ExtremeCloud IQ ‑ Site
Engine server. If there are errors in the image upgrade process, an event is added to the server log. The
switch then retries the image upgrade.

Configuration
The next phase after the image upgrade is the ZTP+ Configuration phase. During this phase, the
switch queries the ExtremeCloud IQ ‑ Site Engine server for configuration updates, and initiates auto-
provisioning by transmitting information, such as the image version, model name, and serial number.
The switch then attempts to apply the configuration that is pushed from the ExtremeCloud IQ ‑ Site
Engine server.

If the switch can still communicate with the ExtremeCloud IQ ‑ Site Engine server after the configuration
is applied, the new configuration is automatically saved on the switch. The switch can be managed
through the ExtremeCloud IQ ‑ Site Engine using Simple Network Management Protocol (SNMP).
However, if the configuration that is pushed from the ExtremeCloud IQ ‑ Site Engine server breaks
switch connectivity to the ExtremeCloud IQ ‑ Site Engine server, the switch reboots without saving the
configuration. After the switch reboots, the ZTP+ onboarding restarts.

Any configurations pushed from the ExtremeCloud IQ ‑ Site Engine server to devices using the initial
ZTP+ configuration push are not displayed in the show log file detail command output. The
logs associated with the Cloud connector are logged internally to state_machine.txt and ztp_plus.txt
files located in /intflash/cc/cc_logs/.


ExtremeCloud IQ ‑ Site Engine uses ZTP+ to configure the following items:


• Link Layer Discovery Protocol (LLDP) neighbor discovery

Note
Based on the LLDP discovery, port templates can be used on the ExtremeCloud IQ ‑ Site
Engine server. Enabling or disabling LLDP is not supported.
• Login
• Network Time Protocol (NTP)
• Ports configuration
• SNMP
• VLANs

Note
ZTP+ cannot manage VLAN port membership. With ZTP+, new VLANs are created with
no ports. Ports cannot be removed from the onboarding VLAN. Ports cannot be added to
another VLAN. VLAN port membership is managed through Auto-sense functionality or
through manual configuration after initial onboarding is complete.

ZTP+ Considerations
The following considerations apply to Zero Touch Provisioning Plus (ZTP+):
• Fabric configurations are not supported with ZTP+. After ZTP+ is configured, ExtremeCloud IQ ‑ Site
Engine server can use Simple Network Management Protocol (SNMP) to remotely configure Fabric-
related configurations on the switch using SNMP MIBs.
• Only the Out-of-Band (OOB) port or the Management VLAN interface is used to connect to the
ExtremeCloud IQ ‑ Site Engine server.

Note
ZTP+ cannot change the Management VLAN interface. If onboarding started on the
Management onboarding VLAN, this cannot be changed while using ZTP+.

Configuring ZTP+ using the CLI


This section provides procedures to configure and manage Zero Touch Provisioning Plus (ZTP+) using
the Command Line Interface (CLI).

After your device is onboarded, you have access to ExtremeCloud IQ ‑ Site Engine.

Note
You must configure a Segmented Management Instance to use ZTP+. For more information,
see Segmented Management Instance Configuration using the CLI on page 87.

For information about onboarding switches, see https://www.extremenetworks.com/support.


View ZTP+ Status


About This Task

Use this procedure to verify the status of Zero Touch Provisioning Plus (ZTP+) on the switch.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Verify that ZTP+ is enabled:
show application auto-provision

Example

The following is an example output of the show application auto-provision command:


Switch:1>show application auto-provision

Admin state : Enabled
Operational state : Running

Zero Touch Fabric Configuration

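Table 9: Zero Touch Fabric Configuration product support

| Feature | Product | Release introduced |
|---|---|---|
| Zero Touch Fabric Configuration | VSP 4450 Series | VOSS 7.0 |
| Zero Touch Fabric Configuration | VSP 4900 Series | VOSS 8.1 |
| Zero Touch Fabric Configuration | VSP 7200 Series | VOSS 7.0 |
| Zero Touch Fabric Configuration | VSP 7400 Series | VOSS 8.0.5 |
| Zero Touch Fabric Configuration | VSP 8200 Series | VOSS 7.0 |
| Zero Touch Fabric Configuration | VSP 8400 Series | VOSS 7.0 |
| Zero Touch Fabric Configuration | VSP 8600 Series | Not Supported |
| Zero Touch Fabric Configuration | XA1400 Series | Not Supported |
| LLDP Fabric Connect TLV | VSP 4450 Series | VOSS 8.3 |
| LLDP Fabric Connect TLV | VSP 4900 Series | VOSS 8.3 |
| LLDP Fabric Connect TLV | VSP 7200 Series | VOSS 8.3 |
| LLDP Fabric Connect TLV | VSP 7400 Series | VOSS 8.3 |
| LLDP Fabric Connect TLV | VSP 8200 Series | VOSS 8.3 |
| LLDP Fabric Connect TLV | VSP 8400 Series | VOSS 8.3 |
| LLDP Fabric Connect TLV | VSP 8600 Series | VSP 8600 8.1 |
| LLDP Fabric Connect TLV | XA1400 Series | Not Supported |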

You can use Zero Touch Fabric Configuration to deploy Fabric-capable switches in a plug and play
manner with no initial configuration. The switches form a new Fabric automatically, or they can connect
to an existing Fabric that is Auto-sense-capable. They obtain an IP address and Domain Name System
(DNS) information from a Dynamic Host Configuration Protocol (DHCP) server using the onboarding
I-SID/VLAN, which then permits the system to automatically onboard to the management servers, such
as ExtremeCloud IQ or ExtremeCloud IQ ‑ Site Engine, to conduct actual provisioning deployment of
the switch. For more information about Auto-sense, see Auto-sense on page 15.

Zero Touch Fabric Configuration automatically configures Shortest Path Bridging MAC (SPBM) and IS-IS
without user intervention if you boot the switch in Zero Touch Deployment-ready configuration mode,
meaning you boot without a configuration file. Zero Touch Fabric Configuration uses LLDP to signal
Fabric capability and exchanges SPB backbone VLAN ID information to ensure seamless joining to any
existing fabric deployment. The switches use the chassis MAC addresses as their system ID. To ensure
participation in the correct area, newly joining ZTF switches listen to IS-IS update packets for area
information. A unique nick-name is assigned by a pre-configured nick-name server switch. For more
information, see Zero Touch Deployment on page 58.

Important
To add new Zero Touch Fabric Configuration devices or implement Zero Touch Fabric
Configuration on existing devices, the network requires a nickname server and reachability
to the DHCP server. How you implement this depends on whether the network is a new deployment
or an existing Fabric network that you upgrade. In a new deployment, you can meet the
network requirements with one node, known as a seed node. In an existing network, functions
may already exist on different nodes. For more information, see VOSS Release Notes.

Zero Touch Fabric Configuration uses the port-based Auto-sense feature, which enables all ports on the
switch by default, and all ports operate in Auto-sense mode. With the support of Auto-sense, Zero
Touch Fabric Configuration onboards all ports on the switch to an existing network, without having to
manually enable each port. Auto-sense automatically detects neighbor capabilities and performs the
configuration on the port to reach the desired connectivity with the neighbor without user intervention.

With Auto-sense functionality, ports on a switch can detect whether they connect to a Shortest Path
Bridging (SPB) device, a Fabric Attach (FA) client, FA Proxy, Voice IP devices, or an undefined host,
and then make the necessary configuration. For more information about Auto-sense, see Auto-sense on
page 15.

If you start two nodes in a network without an existing configuration file, then Zero Touch Fabric
Configuration, through Auto-sense, dynamically establishes an IS-IS adjacency between them. For more
information, see Establishing IS-IS Adjacencies on page 65.

Default IS-IS Parameters


Zero Touch Fabric Configuration automatically configures the Shortest Path Bridging (SPB) and
Intermediate System-to-Intermediate System (IS-IS) infrastructure to enable Fabric architecture on
a switch. The system initializes the following items after you start the switch in Zero Touch Fabric
Configuration mode:
• Enables Shortest Path Bridging MAC (SPBM).
• Creates a private VLAN 4048.
• Creates the Auto-sense onboarding I-SID 15999999.


• Assigns the Auto-sense onboarding I-SID 15999999 to private VLAN 4048 and also includes the
management VLAN.

Note
As a best practice, use the onboarding I-SID for onboarding purposes and, whenever
possible, configure a management VLAN or management CLIP on a different I-SID after
the onboarding procedures have been successfully completed.

• Enables Auto-sense on all ports.


• Configures Auto-sense access ports and layer 2 trusted Auto-sense ports.
• Creates an SPBM instance.
• Enables IS-IS globally.

| Parameter | Default value |
|---|---|
| SPBM instance | 1 |
| Primary B-VLAN | 4051 |
| Secondary B-VLAN | 4052 |
| Manual area | Initialize to 00.1515.fee1.900d.1515.fee1.900d. Note: You can change the manual area dynamically, without disabling IS-IS, only when the area is the Zero Touch Fabric Configuration area. When IS-IS is enabled, you cannot delete the last manual area. |
| Auto-sense onboarding I-SID | 15999999 |

Establishing IS-IS Adjacencies


Zero Touch Fabric Configuration automatically triggers when the switch boots without a configuration
file. The platform enables Intermediate System-to-Intermediate System (IS-IS) without a configured
nickname or manual area. The system creates default backbone VLANs (B-VLAN) (4051 and 4052)
and IS-IS manual area values. As a result, if you start two nodes in a network without an existing
configuration file, then Zero Touch Fabric Configuration dynamically establishes an IS-IS adjacency
between them.

The switch uses the Auto-sense functionality with the Zero Touch Fabric Configuration feature to
establish the adjacency between two nodes. For more information about how and when the system
tries to establish the adjacency, see Auto-sense Port States on page 18.
• If you manually configure an SPBM instance on a node, then the system removes the SPBM instance
that is dynamically created by Zero Touch Fabric Configuration. The system uses the LLDP Fabric
Connect TLV to send user-defined B-VLANs to other nodes in the network. Only the first pair of
B-VLANs is learned. If the switch already learned the B-VLANs from neighbor_A, the switch ignores
the B-VLANs received from neighbor_B, if those are different.


• If a switch operating in Zero Touch Fabric Configuration mode in the network receives B-VLANs
from a neighboring switch that do not match the default B-VLANs configured through Zero Touch
Fabric Configuration, then the switch performs the following actions:
◦ Disables IS-IS.
◦ Deletes its VLANs.
◦ Unassigns the B-VLANs.
◦ Assigns the values received through LLDP Fabric Connect TLV.
◦ Creates the corresponding VLANs.
◦ Re-enables IS-IS and logs a message on the console.

LLDP Fabric Connect TLV


The system uses the Link Layer Discovery Protocol (LLDP) Fabric Connect Type-Length-Value (TLV) to
communicate B-VLANs and system IDs between nodes in the SPB cloud. For more information about
LLDP and its interaction with Fabric Attach, see Link Layer Discovery Protocol (802.1AB) Fundamentals
on page 2198.

Table 10: LLDP Fabric Connect TLV Format

| TLV Type | TLV Length | OUI | Subtype | Fabric Connect Capability | B-VLANs Number | B-VLAN-1 | B-VLAN-2 | System ID Length | System ID |
|---|---|---|---|---|---|---|---|---|---|
| 7 bits | 9 bits | 3 octets | 1 byte | 1 byte | 1 byte | 2 bytes | 2 bytes | 1 byte | 6 bytes |

Table 11: LLDP Fabric Connect TLV Field Descriptions

| TLV Field | Description |
|---|---|
| OUI | Specifies the Extreme OID value (0xd88466). |
| Fabric Connect capability | Fabric Connect capability is enabled on all nodes that support Zero Touch Fabric Configuration. The value is 0 if the LLDP Fabric Connect TLV is not carrying any information in it. By default, the value is set to 1 on all ports. |
| B-VLANs number | Specifies the number of B-VLANs that the TLV can carry. The LLDP Fabric Connect TLV supports an unlimited number of B-VLANs, but Zero Touch Fabric Configuration sends two B-VLANs through the TLV. The value is 0 if the node is sending default B-VLAN values. |
| B-VLANs | Specifies the B-VLAN that is user-configured or dynamically learned from a neighbor node in the network. |
| System ID Length | Specifies the length (in bytes) of the System ID. |
| System ID | Specifies the IS-IS system ID. |
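
Because a switch in Zero Touch Fabric Configuration mode adopts the B-VLANs it learns from this TLV, it is useful to decode the TLV from a captured LLDP frame and compare it with what the local node expects. The following Python is an added example, not code from this guide or from Extreme Networks: it decodes the fixed layout of Table 10 and reports a B-VLAN mismatch. Assumptions: fields are in network byte order, the TLV type is the IEEE 802.1AB organizationally specific type 127, and the subtype value (not stated in this guide) is carried through unchecked.

```python
import struct

LLDP_ORG_SPECIFIC = 127                   # IEEE 802.1AB organizationally specific TLV
EXTREME_OUI = bytes.fromhex("d88466")     # OUI value given in Table 11
ZTF_DEFAULT_BVLANS = (4051, 4052)         # Zero Touch Fabric defaults from this guide
VALUE_LEN = 3 + 1 + 1 + 1 + 2 + 2 + 1 + 6  # octets after the 2-octet header (Table 10)

# Constructed sample, not a capture: B-VLANs 100/101 and system ID
# f873.a201.03df as in the adjacency example in this guide. The subtype
# octet (0x00) is a placeholder because the guide does not state its value.
SAMPLE_TLV = bytes.fromhex(
    "fe11" "d88466" "00" "01" "02" "0064" "0065" "06" "f873a20103df"
)


class TLVError(ValueError):
    """Raised when the bytes do not match the Table 10 layout."""


def parse_fabric_connect_tlv(raw):
    """Decode one TLV laid out as in Table 10 (assumes network byte order)."""
    if len(raw) < 2:
        raise TLVError("truncated TLV header")
    (header,) = struct.unpack("!H", raw[:2])
    tlv_type, tlv_len = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
    if tlv_type != LLDP_ORG_SPECIFIC:
        raise TLVError(f"not an organizationally specific TLV (type {tlv_type})")
    value = raw[2:2 + tlv_len]
    if len(value) != tlv_len:
        raise TLVError("TLV length field exceeds the bytes available")
    if tlv_len != VALUE_LEN:
        raise TLVError(f"expected {VALUE_LEN} value octets, got {tlv_len}")
    if value[:3] != EXTREME_OUI:
        raise TLVError(f"unexpected OUI {value[:3].hex()}")
    subtype, capability, count, bvlan1, bvlan2, sysid_len = struct.unpack(
        "!BBBHHB", value[3:11]
    )
    system_id = value[11:]
    if sysid_len != len(system_id):
        raise TLVError("System ID Length does not match the System ID field")
    sid = system_id.hex()
    return {
        "subtype": subtype,
        "capability": capability,
        "bvlan_count": count,
        # Table 11: a count of 0 means the sender uses the default B-VLANs.
        "bvlans": ZTF_DEFAULT_BVLANS if count == 0 else (bvlan1, bvlan2),
        "system_id": f"{sid[0:4]}.{sid[4:8]}.{sid[8:12]}",
    }


def review_neighbor(tlv, local_bvlans=ZTF_DEFAULT_BVLANS):
    """Return findings an operator should look at before trusting the link."""
    findings = []
    if tlv["capability"] == 0:
        return ["capability=0: TLV carries no Fabric Connect information"]
    for vid in tlv["bvlans"]:
        if not 1 <= vid <= 4094:
            findings.append(f"B-VLAN {vid} is outside the 802.1Q range 1-4094")
    if tuple(tlv["bvlans"]) != tuple(local_bvlans):
        findings.append(
            f"neighbor {tlv['system_id']} advertises B-VLANs {tlv['bvlans']}, "
            f"local node uses {tuple(local_bvlans)}: a Zero Touch Fabric node "
            "would restart IS-IS and adopt the advertised values"
        )
    return findings


if __name__ == "__main__":
    decoded = parse_fabric_connect_tlv(SAMPLE_TLV)
    print(decoded)
    for finding in review_neighbor(decoded):
        print("REVIEW:", finding)
```

Pass the node's configured B-VLAN pair as local_bvlans when the node is not on the Zero Touch Fabric defaults.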


Configuration Example to Create an IS-IS Adjacency between the VSP 8600 Series
and Auto-sense Switches
Link Layer Discovery Protocol (LLDP) stations that connect to a local area network (LAN) advertise the
station capabilities to each other, allowing the discovery of physical topology information for network
management. When the system enables a switch as a Fabric Attach (FA) server in the Shortest Path
Bridging (SPB) network, it receives LLDP messages from the FA Client and the FA Proxy devices using
the LLDP Fabric Connect Type-Length-Value (TLV). For more information, see LLDP Fabric Connect TLV
on page 66.

Following are the steps to create an Intermediate-System-to-Intermediate-System (IS-IS) adjacency
between the VSP 8600 Series and Auto-sense switches.

On the VSP 8600 Series switch:

1. Disable the High Availability-CPU mode.
2. Enable the Shortest Path Bridging MAC (SPBM) mode.
3. Create an SPBM instance.
4. Create an SPBM B-VLAN.
5. Configure the port that links to the VOSS switch.

On the VOSS switch:

1. Enable the Shortest Path Bridging MAC (SPBM) mode.
2. Enable Auto-sense on the port that links to the VSP 8600 Series switch.

Example
Create an IS-IS adjacency:

On the VSP 8600 Series switch:


enable
configure terminal
no boot config flags ha-cpu
boot config flags spbm-config-mode
spbm
router isis
spbm 1
spbm 1 b-vid 100,101 primary 100
spbm 1 nick-name 1.44.66
manual-area c1
exit
vlan create 100 type spbm-bvlan
vlan create 101 type spbm-bvlan
vlan members remove 1 1/3
interface gigabitEthernet 1/3
isis
isis spbm 1
isis enable
router isis enable

On the VOSS switch:


enable
configure terminal
boot config flags spbm-config-mode
interface gigabitEthernet 1/3
auto-sense enable
1 YYYY-MM-DD HH:MM:SS.622Z Switch - 0x00374589 - 00000000 GlobalRouter FA INFO Fabric Attach Assignments will
be rejected since ISIS is disabled.
1 YYYY-MM-DD HH:MM:SS.779Z Switch - 0x001dc703 - 00000000 GlobalRouter ISIS INFO B-VLANs (100,101) dynamically
learnt through LLDP. ISIS Restarted
1 YYYY-MM-DD HH:MM:SS.779Z Switch - 0x002d0609 - 00000000 GlobalRouter LLDP INFO New LLDP Neighbor Discovered
on interface 1/3
1 YYYY-MM-DD HH:MM:SS.954Z Switch - 0x00004727 - 00000000 GlobalRouter SNMP INFO SPBM detected adj INIT on
Port1/3, neighbor f873.a201.03df
1 YYYY-MM-DD HH:MM:SS.984Z Switch - 0x00004727 - 00000000 GlobalRouter SNMP INFO SPBM detected adj UP on
Port1/3, neighbor f873.a201.03df
show isis adjacencies
================================================================================================================
ISIS Adjacencies
================================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME STATUS AREA AREA-NAME
----------------------------------------------------------------------------------------------------------------
Port1/3 1 UP 00:05:18 127 21 f873.a201.03df VSP-8608 ACTIVE HOME

----------------------------------------------------------------------------------------------------------------
Home: 1 out of 1 interfaces have formed an adjacency
----------------------------------------------------------------------------------------------------------------



Segmented Management
Migration to Segmented Management Instance
Interface Types
Management Applications
DHCP Client for Segmented Management Instance
Dynamic Change Options for Segmented Management Instance Attributes
Segmented Management Instance Configuration using the CLI
Segmented Management Instance Configuration for VOSS using EDM
Segmented Management Instance Configuration for VSP 8600 Series using EDM

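Table 12: Segmented Management Instance product support

| Feature | Product | Release introduced |
|---|---|---|
| Segmented Management Instance - Management Interface CLIP | VSP 4450 Series | VOSS 7.0 |
| Segmented Management Instance - Management Interface CLIP | VSP 4900 Series | VOSS 8.1 |
| Segmented Management Instance - Management Interface CLIP | VSP 7200 Series | VOSS 7.0 |
| Segmented Management Instance - Management Interface CLIP | VSP 7400 Series | VOSS 8.0 |
| Segmented Management Instance - Management Interface CLIP | VSP 8200 Series | VOSS 7.0 |
| Segmented Management Instance - Management Interface CLIP | VSP 8400 Series | VOSS 7.0 |
| Segmented Management Instance - Management Interface CLIP | VSP 8600 Series | VSP 8600 8.0 |
| Segmented Management Instance - Management Interface CLIP | XA1400 Series | VOSS 8.1.1 - IPv4 only. Note: VOSS 8.1.50 does not support this feature. |
| Segmented Management Instance - Management Interface OOB | VSP 4450 Series | Not Supported |
| Segmented Management Instance - Management Interface OOB | VSP 4900 Series | VOSS 8.2 |
| Segmented Management Instance - Management Interface OOB | VSP 7200 Series | VOSS 8.2 |
| Segmented Management Instance - Management Interface OOB | VSP 7400 Series | VOSS 8.2 |
| Segmented Management Instance - Management Interface OOB | VSP 8400 Series | VOSS 8.2 |
| Segmented Management Instance - Management Interface OOB | VSP 8600 Series | Not Supported |
| Segmented Management Instance - Management Interface OOB | XA1400 Series | Not Supported |
| Segmented Management Instance - Management Interface VLAN | VSP 4450 Series | VOSS 7.0 |
| Segmented Management Instance - Management Interface VLAN | VSP 4900 Series | VOSS 8.1 |
| Segmented Management Instance - Management Interface VLAN | VSP 7200 Series | VOSS 7.0 |
| Segmented Management Instance - Management Interface VLAN | VSP 7400 Series | VOSS 8.0 |
| Segmented Management Instance - Management Interface VLAN | VSP 8400 Series | VOSS 7.0 |
| Segmented Management Instance - Management Interface VLAN | VSP 8600 Series | Not Supported |
| Segmented Management Instance - Management Interface VLAN | XA1400 Series | VOSS 8.1.1 - IPv4 only. VOSS 8.2 added IPv6. Note: VOSS 8.1.50 does not support this feature. |
| Segmented Management Instance - ability to migrate VLAN or loopback IP address | VSP 4450 Series | VOSS 8.2 |
| Segmented Management Instance - ability to migrate VLAN or loopback IP address | VSP 4900 Series | VOSS 8.2 |
| Segmented Management Instance - ability to migrate VLAN or loopback IP address | VSP 7200 Series | VOSS 8.2 |
| Segmented Management Instance - ability to migrate VLAN or loopback IP address | VSP 7400 Series | VOSS 8.2 |
| Segmented Management Instance - ability to migrate VLAN or loopback IP address | VSP 8200 Series | VOSS 8.2 |
| Segmented Management Instance - ability to migrate VLAN or loopback IP address | VSP 8400 Series | VOSS 8.2 |
| Segmented Management Instance - ability to migrate VLAN or loopback IP address | VSP 8600 Series | Not Supported |
| Segmented Management Instance - ability to migrate VLAN or loopback IP address | XA1400 Series | VOSS 8.2 |
| Segmented Management Instance - DHCP Client for Management Interface OOB or Management Interface VLAN | VSP 4450 Series | VOSS 8.2. OOB not supported |
| Segmented Management Instance - DHCP Client for Management Interface OOB or Management Interface VLAN | VSP 4900 Series | VOSS 8.2 |
| Segmented Management Instance - DHCP Client for Management Interface OOB or Management Interface VLAN | VSP 7200 Series | VOSS 8.2 |
| Segmented Management Instance - DHCP Client for Management Interface OOB or Management Interface VLAN | VSP 7400 Series | VOSS 8.2 |
| Segmented Management Instance - DHCP Client for Management Interface OOB or Management Interface VLAN | VSP 8200 Series | VOSS 8.2 |
| Segmented Management Instance - DHCP Client for Management Interface OOB or Management Interface VLAN | VSP 8400 Series | VOSS 8.2 |
| Segmented Management Instance - DHCP Client for Management Interface OOB or Management Interface VLAN | VSP 8600 Series | Not Supported |
| Segmented Management Instance - DHCP Client for Management Interface OOB or Management Interface VLAN | XA1400 Series | VOSS 8.2. OOB not supported |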

A Management Instance is required to provide access to specific management applications.

With Segmented Management, the Management plane (management protocols) is separated from the
Control Plane (routing plane) from a process and data-path perspective. Segmented Management is
the only method to manage switches. One or a combination of the following management interface/
management instance types can be used:
• Out-of-Band (OOB) management IP address (IPv4 and IPv6)


• In-band Loopback/circuitless IP (CLIP) management IP address (IPv4 and IPv6)


• In-band management VLAN IP address (IPv4 and IPv6)

Important
The Segmented Management Instance provides support for management interfaces that
transmit and receive packets directly to and from the system native Linux IP stack. Unlike
a traditional management interface, for example, a CLIP in the GRT that is part of the
OS networking IP stack, Segmented Management Instance interfaces do not route packets
through the OS networking IP stack.

Segmented Management provides better security because you cannot reach the management instance
from outside the VRF (in case of CLIP) or outside VLAN/I-SID (in case of management VLAN), and
because it has a built-in firewall for the management plane. There is also more predictability with
symmetric traffic flows for management traffic originating from and terminating on the switch, for
instance:
• Sessions originated from switch (client mode) - Source IP of packets is determined based on
Management IP stack routing table weights (configurable).
• Sessions connecting to switch (server mode) - Source IP is derived from session connection and
reply will go out on management interface packet.

Migration to Segmented Management Instance


Important
VOSS 8.2 introduced changes to Segmented Management Instance that required migration
of legacy management interfaces. Before you upgrade to VOSS 8.2 or later from an earlier
release, you must consider your management interface configuration and migration scenario
requirements. Back up and save your configuration files off the switch before upgrading to this
release.
If the switch already runs VOSS 8.2 or later, you can ignore this section. This section does not
apply to VSP 8600 Series.

Important
Management interface access to the switch can be lost if you do not perform the applicable
migration scenarios before upgrading to this release. Loss of management access after an
upgrade can result in an automatic roll-back to the previous software version.
You must perform a manual software commit after upgrading from VOSS Release 8.1.5.0 or
earlier to VOSS 8.2 or later. Management interface access is required to input the software
commit CLI command within 10 minutes after the upgrade. If the time expires, the system
initiates an automatic roll-back to the previous release.


You must ensure the switch runs VOSS 8.1.x before you upgrade to VOSS 8.2 or later to support the
migrate-to-mgmt functionality.

Note
If the network environment must migrate static IPv6 routes, the switches must run VOSS
Release 8.1.2.0 or later before you upgrade to VOSS 8.2 or later.
Not all upgrade paths are validated by Extreme Networks for each new software release. To
understand the validated upgrade paths, see VOSS Release Notes.

Ensure you understand the Management Instance interface types before you begin the upgrade and
migration. For more information, see Interface Types on page 77.

You must consider the following legacy management interface migration scenarios before you upgrade
to VOSS 8.2 or later:

Table 13: Management Interface Migration Scenarios

| Mgmt Interface | Mgmt Scenario | Migration Description |
|---|---|---|
| DvR leaf | Automatic migration during upgrade. | DvR leaf settings migrate automatically during the software upgrade process. The DvR inband-mgmt-ip CLIP automatically becomes the new Segmented Management Instance CLIP. Note: Leaf nodes only support the management CLIP as part of the Global Routing Table (GRT). |
| OOB | Automatic migration during upgrade. | Out-of-Band management settings migrate automatically during the software upgrade process. |
| CLIP | Specify a Circuitless IP (CLIP) interface for migration to management interface before you upgrade. | You can use this interface type for CLIP management network routing in a Fabric network or Layer 3 routing network. Use the migrate-to-mgmt command in the Loopback Interface Configuration mode of the CLI to specify the CLIP interface for management before starting the software upgrade process. You can designate the IP Shortcut CLIP to migrate to the Management Instance CLIP. After the upgrade, the IS-IS source IP address moves to the Management Instance CLIP. You should configure a new GRT CLIP using a different IP address and assign that as the new IS-IS source IP. Save the configuration before upgrading. Important: Ensure that the management CLIP IP address does not fall into the range of a configured VLAN IP address range as this is not allowed. |
| VLAN | Specify a VLAN interface for migration to management interface before you upgrade. | You can use this interface type for management of Layer 2 switches or for Zero-Touch onboarding of newly deployed devices. Use the CLIP Management Instance for routed management. Use the migrate-to-mgmt command in the VLAN Interface Configuration mode of the CLI to specify the VLAN interface for management before starting the software upgrade process. Important: Choose a VLAN that does not have an IP interface on it. The upgrade process removes the IP configuration and network connectivity can be impacted. Save the configuration before upgrading. The VLAN Management Instance does not route to or from the GRT. Bridged management traffic must ingress on the VLAN or I-SID. |

Automatic Migration
Out-of-Band management interface and DvR leaf configurations automatically migrate during the
upgrade process. The management port interface and all associated applications are moved to the
Segmented Management Instance.

A DvR leaf has a single management interface that also automatically migrates during the upgrade
process to the Segmented Management Instance.

Static Route Migration


When a VLAN designated as management interface or an Out-of-Band management interface migrates
to the Segmented Management Instance, static routes might be required for IP reachability. Static
routes are always required for Out-of-Band management interfaces but can also be used with in-band
VLAN management.

Static route migration is completed by the upgrade process and no commands are necessary to prepare
for the migration. The following logic is applied during the upgrade process to the static routes:
• Out-of-Band management interfaces
◦ All IPv4 routes in the VRF 512 / mgmtrouter context are moved to the Segmented Management
Instance.
◦ All IPv6 routes in GRT with a nexthop IP address that exists in the same subnet as the IPv6
address are moved to the Segmented Management Instance.
• In-Band VLAN management
◦ All IPv4 routes from the VRF bound to the migrated VLAN and that have a nexthop IP address in
the same subnet as the IPv4 address being migrated are moved to the Segmented Management
Instance.
◦ All IPv6 routes from the VRF bound to the migrated VLAN and that have a nexthop IP address in
the same subnet as the IPv6 address being migrated are moved to the Segmented Management
Instance.

Important
The IP interface and all routing protocols attached to the original VLAN are deleted post
migration.

Consider the following example of In-Band VLAN management. The static route configuration listed
below is in the GRT:
ip route 192.168.20.0 255.255.255.0 192.168.10.2 weight 1
ip route 192.168.30.0 255.255.0.0 192.168.10.50 weight 1
ip route 192.168.40.0 255.255.255.0 192.168.20.99 weight 1
ip route 192.168.50.0 255.255.255.0 192.168.10.2 weight 1
no ip route 192.168.50.0 255.255.255.0 192.168.10.2 enable


The GRT is associated with VLAN 10 with an IP address of 192.168.10.1. This is the VLAN to be
migrated. After the upgrade, the 192.168.20.0, 192.168.30.0, and 192.168.50.0 routes are migrated to the
management instance because their nexthop IP address is associated with the 192.168.10.0/24 subnet.

Note
All routes with a nexthop IP address associated with the subnet are migrated. This includes
administratively disabled routes. Administratively disabled routes must be manually deleted
after the upgrade if the route is not needed.
ECMP static route migration is not supported for the Segmented Management Instance. For
an ECMP static route, only the first path in the configuration file migrates.
After upgrading to VOSS Release 8.1.60 or later, any administratively disabled static routes
that migrated to the OOB or VLAN Segmented Management Instance subnet become active.
Administratively disabled routes must be manually deleted after the upgrade if the route is
not needed.

The static route configuration in the Management VLAN configuration block will be the following after
the upgrade:
mgmt vlan 10
ip address 192.168.10.1/24
ip route 192.168.20.0/24 next-hop 192.168.10.2
ip route 192.168.30.0/16 next-hop 192.168.10.50
ip route 192.168.50.0/24 next-hop 192.168.10.2
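
One way to preview the in-band migration rule before an upgrade, as an added example that is not part of the original guide or of Extreme Networks tooling. The function name predict_migration is hypothetical, only the two ip route line forms shown above are parsed, and treating the first in-subnet path as the surviving ECMP path is an assumption.

```python
import ipaddress
import re

# GRT static routes copied from the example in this section.
GRT_CONFIG = """\
ip route 192.168.20.0 255.255.255.0 192.168.10.2 weight 1
ip route 192.168.30.0 255.255.0.0 192.168.10.50 weight 1
ip route 192.168.40.0 255.255.255.0 192.168.20.99 weight 1
ip route 192.168.50.0 255.255.255.0 192.168.10.2 weight 1
no ip route 192.168.50.0 255.255.255.0 192.168.10.2 enable
"""

ROUTE_RE = re.compile(
    r"^(?P<no>no\s+)?ip route (?P<net>\S+) (?P<mask>\S+) (?P<nh>\S+)"
    r"(?: weight \d+| enable)?\s*$"
)


def predict_migration(config_text, mgmt_ip_with_prefix):
    """Predict which static routes move to the Management VLAN block.

    Returns (migrated, reactivated, dropped_ecmp):
      migrated     - route lines in the post-upgrade "mgmt vlan" syntax
      reactivated  - destinations that were administratively disabled and
                     migrate anyway, so they need manual review or deletion
      dropped_ecmp - (destination, next hop) paths left behind because only
                     the first ECMP path migrates
    """
    subnet = ipaddress.ip_interface(mgmt_ip_with_prefix).network
    routes, disabled = [], set()
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        key = (m["net"], m["mask"], m["nh"])
        if m["no"]:
            disabled.add(key)            # "no ip route ... enable"
        elif key not in routes:
            routes.append(key)           # keep configuration order

    migrated, reactivated, dropped_ecmp = [], [], []
    seen_dest = set()
    for net, mask, nh in routes:
        if ipaddress.ip_address(nh) not in subnet:
            continue                     # next hop off-subnet: route is not moved
        # Convert the dotted mask to a prefix length without normalising the
        # destination, which is how the guide prints 192.168.30.0/16.
        plen = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
        dest = f"{net}/{plen}"
        if dest in seen_dest:
            dropped_ecmp.append((dest, nh))   # assumption: later paths are dropped
            continue
        seen_dest.add(dest)
        migrated.append(f"ip route {dest} next-hop {nh}")
        if (net, mask, nh) in disabled:
            reactivated.append(dest)
    return migrated, reactivated, dropped_ecmp


if __name__ == "__main__":
    moved, review, dropped = predict_migration(GRT_CONFIG, "192.168.10.1/24")
    print("mgmt vlan 10")
    for line in moved:
        print(line)
    print("disabled routes that migrate:", review)
    print("ECMP paths not migrated:", dropped)
```

Any destination in the second returned list is a route to delete by hand after the upgrade if it is not needed.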

Segmented Management Instance Migration


You have two command options to change attributes of a Management Instance:
• convert command
• migrate-to-mgmt command

As a best practice, use the convert command.

With the convert command, you can dynamically change the attributes of a Management Instance
while you actively manage the switch over that same Management Instance without requiring the
switch to reboot. This option also has rollback functionality to recover from unwanted changes.

For more information, see the following sections:


• Dynamic Change Options for Segmented Management Instance Attributes on page 86
• Change Management Instance Attributes on page 100

You can use the migrate-to-mgmt command to move a management VLAN to a different VLAN ID,
or a management CLIP to a different VRF. However, if you use this option, you must reboot your switch
after you save the configuration changes.

The following is an outline of the steps required for management migration using the
migrate-to-mgmt command:

1. Configure a new or existing VLAN or CLIP management interface using Interface Configuration
mode in the CLI (interface vlan <vlan_id> or interface loopback <clip_id>) or
EDM.

Important
The IP interface and all routing protocols attached to the original VLAN are deleted post
migration.

2. Add required routes to reach management services and subnets from the new interface.
3. Test connectivity to the new interface using ping and traceroute, and from the switch to
management stations and servers.
4. Use the migrate-to-mgmt command from the new interface CLI mode.
5. Save the configuration and reboot.

Note
During boot, the migrate-to-mgmt settings are parsed and override the existing
management interface with the new interface.
6. Access and manage the switch from the new interface.

For more information, see Migrate a VLAN or CLIP IP address to the Segmented Management Instance
on page 87 (using CLI) or Migrate an IP Address to a Segmented Management Instance on page 116
(using EDM).

XA1400 Series Management Migration with a Fabric Extend Source IP VLAN


Before VOSS Release 8.1.60, a single IP address could be used for both routing and management;
however, the Segmented Management Instance separates the routing and management networking stacks.
Because migrate-to-mgmt can only move an IP address from the routing stack to the management stack,
use the following before-and-after upgrade process to manage an XA1400 Series with the Fabric
Extend (FE) tunnel source IP using the Segmented Management Instance:

Before upgrading to VOSS Release 8.1.60 or later:

1. Configure a CLIP Management Instance or designate an existing loopback IP for migration.


2. Save configuration and reboot.

After upgrading to VOSS Release 8.1.60 or later:

1. Manage the XA1400 Series using the CLIP Management Instance.


2. Create the VLAN Management Instance with the same VLAN ID and IP address as the FE tunnel
source VLAN.
3. Modify the default route or create static routes to the VLAN Management Instance.
4. Manage the XA1400 Series with the VLAN or CLIP Management Instance.

Interface Types
The Management Instance supports the following interface types:
• CLIP on page 77
• OOB on page 78
• VLAN on page 78

You can configure a maximum of three Management Instance interfaces, one of each type.

You can configure the route priority for the Segmented Management Instance. The Source IP default
route priority is management CLIP (weight 100), then management VLAN (weight 200), then
management OOB interface (weight 300). You can route packets through a different management
interface than the default configuration, but you must add a specific static route or change the default
weight of the management interface.

Note
If you change the default route weight, the management interface with the lowest weight
value becomes the default route for all segmented management interface traffic.
The VSP 8600 Series Segmented Management Instance does not support ACL based filters or
use of ping with -Q option to change the internal priority of management traffic.

You can configure the default topology IP for LLDP and SONMP advertisements. Both LLDP and
SONMP advertise the same topology IP. SONMP supports only IPv4 addresses. If multiple IPv4
addresses are configured on an OOB or VLAN management interface, the advertised IP priority is
static IP address, then DHCP IP address, then link-local IP address.

IPSec is not supported on Segmented Management Instance management interfaces.

CLIP
You can use this interface type for CLIP management network routing in a Fabric network or Layer 3
routing network.

Important
A CLIP Management Instance is not a management CLIP created in the GRT. You must create
the CLIP Management Instance using the Segmented Management Instance configuration.

The following list defines the abilities of this interface type:


• You can assign a circuitless management IP (CLIP) address bound to a VRF.
• You can associate only one VRF ID with a CLIP Management Instance IP address.
• The IP address is not bound to a physical network; it does not transmit nor receive IPv4 Address
Resolution Protocol (ARP) or IPv6 Neighbor Discovery (ND) messages.
• You do not need to configure a default or static route. This interface type uses all routing information
learned by protocols attached to the associated VRF.
• Packets can ingress on any port or VLAN that belongs to the VRF associated with the CLIP
Management Instance.

• You must configure accept policies or configure inter-VRF route redistribution to access the CLIP
Management Instance from a different VRF. Inter-VRF access is not permitted with traditional IP
routing using OSPF, BGP, or RIP. Packets ingressing the switch from a VLAN that belongs to a
different VRF without a configured accept policy will not reach the CLIP Management Instance
IP address. For more information, see Redistribution of CLIP Segmented Management Instance
Examples on page 113.
• If you migrate the current IS-IS IP source address to the CLIP Management Instance, after the
upgrade the IS-IS source IP address moves to the CLIP Management Instance. You must configure a
new GRT CLIP using a different IP address and assign that as the new IS-IS source IP.
• Advertisement of the IPv4 or IPv6 address for the CLIP Management Instance to IS-IS in the GRT
occurs automatically. Advertisement of the IPv4 or IPv6 address in the VRF Layer 3 VSN bound
to the CLIP Management Instance occurs automatically. You must configure route redistribution
to advertise the CLIP Management Instance to different protocols. For more information, see
Redistribution of CLIP Segmented Management Instance Examples on page 113.

OOB
You can use this interface type for OOB management network routing, as an alternative to in-band
network routing management.

Note
The OOB Segmented Management Instance is not supported on VSP 4450 Series, VSP 8600
Series, or XA1400 Series.

The following list defines the abilities of this interface type:


• You can assign a management IP address bound to the Out-of-Band (OOB) interface.
• You can associate only one OOB interface with an OOB Management Instance IP address.
• The Dynamic Host Configuration Protocol (DHCP) Client can request an IPv4 address for the OOB
Management Instance interface.
• You must configure a default or static route to reach the next-hop gateway; no routing protocol
information is used to access off-link networks.
• You can configure only Layer 3 networking parameters in the Management Instance Configuration
mode (mgmt OOB) in CLI.
• You can configure only Layer 1 and Layer 2 networking parameters in the mgmtEthernet Interface
Configuration mode (interface mgmtEthernet mgmt) in CLI.

VLAN
You can use this interface type for management of Layer 2 switches or for Zero-Touch onboarding of
newly deployed devices.

For more information on Zero-Touch onboarding, see Zero Touch Capabilities on page 14.

You can configure a Management Instance VLAN on a DvR Leaf node by specifying the I-SID. For more
information, see Management I-SID Assignment to DvR Leaf on page 702.

Note
XA1400 Series and VSP 8600 Series do not support configuring a Management Instance
VLAN on a DvR Leaf node by specifying the I-SID.

Note
The VLAN Segmented Management Instance is not supported on VSP 8600 Series.

The following list defines the abilities of this interface type:


• You can assign a Management Instance IP address to an inband VLAN.
• You can associate only one VLAN ID with a VLAN Management Instance IP address.
• The DHCP Client can request an IPv4 address for the VLAN Management Instance interface.
• The interface resides on the physical VLAN segment, behaving as a host for sending and receiving
IPv4 ARP and IPv6 ND messages.
• You must configure a default or static route to reach the next-hop gateway; no routing protocol
information is used to access off-link (other subnets) networks.
• For the VLAN Management Instance to take route priority when used in conjunction with the CLIP
Management Instance, you must configure a default route for the VLAN Management Instance
with a value lower than 100, or configure static routes for direct communication over the VLAN
Management Instance and management networks.
• No internal routing occurs between the VLAN Management Instance and other non Management
Instance VLANs. The VLAN Management Instance does not route to or from the GRT. Packets must
ingress on one of the ports in the VLAN Management Instance.

Packets sent to the VLAN Management Instance IP address must ingress the switch from a VLAN
or network-to-network interface (NNI) port (or contain the VLAN ID) associated with the VLAN
Management Instance. The system does not route packets between the network operating system
(NOS) routing VLAN and the VLAN Management Instance.

If you configure the same VLAN ID for NOS routing and for the VLAN Management Instance, the
NOS routing stack transmits and receives all ARP, ND, and ICMP packets. In this scenario, the packets
are only counted and shown in the NOS routing KHI port statistics. The management statistics and
KHI management statistics do not count or show the packets.
• You can bind the VLAN Management Instance to an I-SID, which bridges all management traffic to
a single I-SID in a Fabric network. Also, other normal VLAN related operations such as VLAN port
member changes are valid.
• Bridged management traffic must ingress on the VLAN or I-SID.
• The VLAN Management Instance can be routed by upstream routers.

Coexistence Restrictions
IPv4 and IPv6 address coexistence for both a NOS routing VLAN and VLAN Management Instance is
supported; however, you must manually match both IP address configurations between the VLANs.

If you configure the VLAN Management Instance with a manual IPv4 address and a DHCP IPv4 address
first, you cannot add an IPv4 address to a NOS routing VLAN.

If you configure the VLAN Management Instance with an IPv6 address first, you can only add one IPv6
global address to a NOS routing VLAN.

The following restrictions apply when a VLAN Management Instance coexists with a port-based VLAN
or with a brouter port:
• If you want a dual stack IPv4 and IPv6 coexistence between a NOS VLAN and VLAN Management
Instance, you must configure the same IPv4 and IPv6 addresses on the VLAN Management Instance
and on the NOS VLAN.

You cannot configure the VLAN Management Instance with both IPv4 and IPv6 and configure the
NOS VLAN with IPv4 or IPv6 only.
• If you disable NOS routing for IPv4, then you must disable routing for IPv6, and vice versa.

Configuration Example - Coexistence with Port-Based VLAN


The following example shows how the VLAN Management Instance can be configured to share the
same IP address as a routing port-based VLAN.

You can configure the NOS VLAN first, and then configure the VLAN Management Instance, or in
reverse order. You can remove or add the coexistence at any time.

Note
With the coexistence between NOS routing stack and the VLAN Management Instance,
packets sent to the VLAN Management Instance IP address must ingress the switch from a
VLAN port (or contain the VLAN ID) associated with the VLAN Management Instance. The
system does not route packets between the NOS routing VLAN and the VLAN Management
Instance.

IPv4
vlan create 10 type port-mstprstp 0
vlan members add 10 1/1
interface vlan 10
ip address 192.0.2.0/24
exit
mgmt vlan 10
ip address 192.0.2.0/24
ip route 0.0.0.0/0 next-hop 192.0.2.1
enable

IPv6
vlan create 10 type port-mstprstp 0
vlan members add 10 1/1
interface vlan 10
ipv6 interface address 2001:DB8::/32
ipv6 interface enable
exit
mgmt vlan 10
ipv6 address 2001:DB8::/32
ipv6 route 0::0/0 next-hop 2001::1
enable

Configuration Example - Coexistence with Port-Based VLAN Zero Touch Deployment


For XA1400 Series branch deployments, the NOS routing IP stack requires the VLAN Management
Instance to work in coexistence mode where both the management IP stack and the routing IP stack
share the same IP address and default routes. This configuration is required if you need to use the
management IP as IPsec source address.

You can manually configure the coexistence as in the preceding example, or you can use the
propagate-to-routing command to propagate the management VLAN IP and static routes from
the management IP stack to the NOS routing IP stack on the same VLAN ID. If you do not include the
VRF name, the system uses the existing VRF of the NOS routing VLAN.

IPv4
mgmt vlan 10
enable
exit
mgmt dhcp-client vlan
mgmt vlan
propagate-to-routing vrf vrf24

Configuration Example - Coexistence with Brouter Port


The following example shows how the VLAN Management Instance can be configured to share the
same IP address as a brouter interface.

You must configure the brouter interface before you enable the VLAN Management Instance. When the
VLAN Management Instance is enabled, you must disable the VLAN Management Instance before you
disable the brouter port.

IPv4
interface GigabitEthernet 1/1
no shutdown
brouter port 1/1 vlan 10 subnet 192.0.2.0/24
mgmt vlan 10
ip address 192.0.2.0/24
enable

IPv6
interface GigabitEthernet 1/1
no shutdown
ipv6 interface vlan 10
ipv6 interface address 2001:DB8::/32
ipv6 interface enable
mgmt vlan 10
ipv6 address 2001:DB8::/32
enable

Management Applications
The Segmented Management Instance provides support for management interfaces that transmit and
receive packets directly to and from the system native Linux IP stack. Unlike a traditional management
interface, for example, a CLIP in the GRT that is part of the networking IP stack, Segmented
Management Instance interfaces do not route packets through the networking IP stack.

The following management applications use the Segmented Management Instance directly to transmit
or receive packets with segmented management interfaces and addresses.

Note
The VSP 8600 Series only supports Ping, Traceroute, and NTPv4.

Segmented Management Instance Applications and Protocols  Client  Server  IPv4  IPv6

Digital Certificates  Yes  Yes
DHCP Client  Yes  Yes
DNS  Yes  Yes  Yes
FTP  Yes  Yes  Yes  Yes
HTTP/HTTPS  Yes  Yes  Yes
IQAgent  Yes  Yes
NTPv4  Yes  Yes  Yes  Yes
OVSDB protocol support for VXLAN Gateway  Yes  Yes  Yes
Ping  Yes  Yes  Yes  Yes
RADIUS  Yes  Yes  Yes
RADIUS Security (RADSec)  Yes  Yes  Yes
Representational State Transfer Configuration Protocol (RESTCONF)  Yes  Yes
SSH/SCP/SFTP  Yes (SSH only)  Yes  Yes  Yes
Syslog  Yes  Yes  Yes
TACACS+  Yes  Yes
Telnet  Yes  Yes  Yes  Yes
TFTP  Yes  Yes  Yes  Yes
Traceroute  Yes  Yes  Yes  Yes

The following management applications do not use the Segmented Management Instance directly to
transmit or receive packets, but can integrate with segmented management interfaces and addresses.

Applications and Protocols  IPv4  IPv6

Link Layer Discovery Protocol (LLDP)  Yes  Yes
SynOptics Network Management Protocol (SONMP)  Yes
Sampled Flow (sFlow)  Yes
Remote Network Monitoring version 2 (RMON2)  Yes

Note
The following management applications do not use the Segmented Management Instance
and are deprecated in VOSS.
• NTPv3
• Remote Login (rlogin)
• Remote Shell (RSH)

Operational Notes for UDP Management Applications


Management applications that use UDP, such as TFTP, RADIUS dynamic server, or SNMP can have
restrictions when multiple Segmented Management Instances are configured with overlapping or
asymmetrical routing.

Note
The restrictions listed do not apply to TCP applications or if a single Management Instance is
configured.

Asymmetrical routing can occur in any of the following scenarios. For the first two scenarios you can
use the OOB or VLAN Management Instance IP address instead of the CLIP Management Instance IP
address. Also, use FTP or SCP file transfer as an alternative because those protocols are TCP based.

In the third scenario, you can configure more specific static routes for networks originating UDP client
communication to the OOB or VLAN Management Instance IP address if the CLIP Management Instance
is also configured.

1. Client communication to the CLIP Management Instance IP address is from the same subnet as the
VLAN Management Instance.
2. Client communication to the CLIP Management Instance IP address when specific static routes or
default route with higher preference back to the client network exist on OOB Management Instance
or VLAN Management Instance.

3. Client communication to the OOB Management Instance IP address or VLAN Management Instance
IP address that relies on a default route with a lower preference than the internal default route used
by the CLIP Management Instance.
4. Client communication to the CLIP Management Instance IP address is from the same subnet as the
OOB Management Instance (even if the OOB port is down).
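
The four scenarios above can be reproduced with a small planning model. This is an added example, not VOSS code: it assumes, as a simplification, that the return path is chosen by longest prefix match and then by lowest weight, using the default weights given earlier in this guide (CLIP 100, VLAN 200, OOB 300), and all addresses in it are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class MgmtInstance:
    name: str          # "clip", "vlan" or "oob"
    address: str       # interface address with prefix length
    weight: int        # default-route weight of this Management Instance
    static_routes: list = field(default_factory=list)  # extra static prefixes
    has_default: bool = True

    def routes(self):
        """Yield (network, metric); the connected subnet has metric 0."""
        yield ipaddress.ip_interface(self.address).network, 0
        for prefix in self.static_routes:
            # Assumption: static routes inherit the instance weight.
            yield ipaddress.ip_network(prefix), self.weight
        if self.has_default:
            yield DEFAULT, self.weight


def return_interface(instances, client_ip):
    """Name of the instance whose route wins for traffic back to client_ip."""
    client = ipaddress.ip_address(client_ip)
    best_rank, best_name = None, None
    for inst in instances:
        for net, metric in inst.routes():
            if client in net:
                rank = (net.prefixlen, -metric)  # longest prefix, then lowest weight
                if best_rank is None or rank > best_rank:
                    best_rank, best_name = rank, inst.name
    return best_name


def udp_asymmetry(instances, client_ip, target):
    """Return the unexpected egress instance, or None if the path is symmetric.

    target is the instance whose IP address the UDP client sent to.
    """
    egress = return_interface(instances, client_ip)
    return None if egress == target else egress


# Constructed sample topology using documentation address ranges.
SAMPLE = [
    MgmtInstance("clip", "203.0.113.1/32", 100),
    MgmtInstance("vlan", "192.0.2.10/24", 200),
    MgmtInstance("oob", "198.51.100.10/24", 300, static_routes=["10.20.0.0/16"]),
]

if __name__ == "__main__":
    flows = [
        ("192.0.2.50", "clip"),     # scenario 1: client in the VLAN subnet
        ("10.20.5.5", "clip"),      # scenario 2: specific static route on OOB
        ("172.16.1.1", "vlan"),     # scenario 3: VLAN default loses to CLIP
        ("198.51.100.77", "clip"),  # scenario 4: client in the OOB subnet
        ("172.16.1.1", "clip"),     # symmetric: CLIP default wins both ways
    ]
    for client, target in flows:
        egress = udp_asymmetry(SAMPLE, client, target)
        status = "symmetric" if egress is None else f"replies leave via {egress}"
        print(f"{client} -> {target}: {status}")
```

Adding a more specific static route for the client network to the VLAN or OOB entry, as the third scenario's remedy describes, makes the same check return None.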

DHCP Client for Segmented Management Instance


To support Zero Touch Deployment, a DHCP Client is used for the Segmented Management
Instance VLAN management interface or Out-of-Band (OOB) management interface. The DHCP Client
configuration supports a VLAN mode, OOB mode, and a cycle mode. DHCP Client cycle mode
alternates IP address requests between the VLAN management interface and OOB management
interface until an IP address is obtained on one of the interfaces. Priority is given to the OOB
management interface.

You can also manually configure the DHCP Client to request an IPv4 address from a DHCP server for
the In-band VLAN management interface, or the OOB management interface, or to cycle requests until
an IP address is obtained on a VLAN or OOB management interface. The DHCP Client supports IPv4
addresses only, and cannot be enabled on multiple management interfaces simultaneously.

Note
If a default route is configured on an OOB or VLAN management interface, and then you
configure DHCP so that it replaces the default route, the original default route is restored if
you disable DHCP.
However, if the DHCP default route is updated or deleted after it is created by DHCP, the
default route will not be replaced by the original route when DHCP is disabled.

DHCP Client Restrictions


DHCP Client for the Segmented Management Instance supports IPv4 addresses only, and cannot be
enabled on multiple management interfaces simultaneously. The DHCP Client supports only the in-band
VLAN management interface, the OOB management interface, or cycling requests on the VLAN
then OOB management interface until an IP address is obtained on one of the interfaces.

Note
The DHCP Client is disabled by default on previously configured or upgraded switches.
The DHCP Client is enabled by default in cycle mode when:
• The switch ships directly from manufacturing with VOSS Release 8.1.60 or later.
• The primary and secondary configuration file is not on the switch.
• The primary and secondary configuration file fail to load on the switch.

The DHCP Client is not available if RMON2 is configured on a Management Instance, and RMON2 is not
available if the DHCP Client is configured on a Management Instance.

When DHCP is enabled on a Management Instance interface, the DHCP Client initial broadcast discovery
packet and initial response from the DHCP server are not counted or shown in KHI management
statistics for the management interface. Only the packets after the DHCP IP address assignment
completes are counted and shown. After an IP address is assigned, a UDP socket opens and packets are
counted on the interface.

If you change the DHCP Client configuration between management VLAN, OOB, or cycle, the default
route provided by the DHCP server might be deleted and re-added with a different nexthop or network.
DHCP Client configuration changes can cause interruptions to existing management connections.

DHCP static routes are not saved in the configuration file or displayed in show running-config.
You can view DHCP static routes with show mgmt ip route static. If the DHCP Client adds a
default route to an interface, the previous default route is deleted. If you modify a default route created
by the DHCP Client, the route type output of show mgmt ip route static changes from DHCP
to STATIC. You can save the modified default route, now of type STATIC, to the configuration file, but
on reboot the DHCP Client deletes the modified default route and restores the default static route the
DHCP server specifies.

DHCP Option 43
DHCP option 43 requests specific vendor options from the DHCP server. Only sub-option 226
(EXTREME.cloudiq-ip) is supported to change the value of the ExtremeCloud IQ server IP address
on the switch.

With the support of DHCP option 43, DHCP can dynamically configure the IP address of a private/
non-public ExtremeCloud IQ server for zero touch deployments when the default ExtremeCloud IQ
server (hac.extremecloudiq.com) is not desired.

For information about configuring the switch to support ExtremeCloud IQ, see ExtremeCloud IQ Agent
on page 841.

DHCP Option 43 Configuration Examples


This section provides examples to configure DHCP Option 43 on a Linux server and on Windows Server.

ISC DHCP Server configuration on Linux:

/etc/dhcp/dhcpd.conf
default-lease-time 60;
max-lease-time 7200;
option space EXTREME;
option EXTREME.cloudiq-ip code 226 = ip-address;

class "Edge-without-POE" {
    match if (option vendor-class-identifier = "EXTREME");
    vendor-option-space EXTREME;
    option EXTREME.cloudiq-ip 10.16.231.131;
}

subnet 30.30.30.0 netmask 255.255.255.0 {
    pool {
        range 30.30.30.10 30.30.30.20;
        allow members of "Edge-without-POE";
    }
    option domain-name-servers 10.1.10.1;
    option domain-name "labs.extremenetworks.com";
    option routers 30.30.30.250;
    default-lease-time 3600;
}

Windows Server configuration:

1. Go to scope options for defined DHCP pool.


2. Enter the following for Option 43: e2 04 0a 10 e7 83

Value          Description
e2 04          vendor ID prefix (e2 is the hexadecimal value of the code 226 used to identify sub-option EXTREME.cloudiq-ip and 04 the hexadecimal value of the length of an IP address in bytes)
0a 10 e7 83    IP address 10.16.231.131 converted to hexadecimal
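
The byte layout in the table above can be generated and checked rather than converted by hand. The following is an added example, not part of the original guide: the function names are hypothetical, and the parser assumes the option 43 payload is a plain sequence of code, length, value sub-options as in the row breakdown above.

```python
import ipaddress

CLOUDIQ_SUBOPTION = 226  # EXTREME.cloudiq-ip, code taken from the dhcpd.conf example


def encode_cloudiq_option43(server_ip):
    """Build the hex string to enter for Option 43 on Windows Server."""
    addr = ipaddress.IPv4Address(server_ip)      # rejects anything but IPv4
    payload = bytes([CLOUDIQ_SUBOPTION, len(addr.packed)]) + addr.packed
    return " ".join(f"{b:02x}" for b in payload)


def parse_option43(hex_string):
    """Split an option 43 payload into {sub-option code: value bytes}.

    Raises ValueError on a truncated header or a value shorter than its
    declared length, which is the usual result of a hand-typed payload.
    """
    data = bytes.fromhex(hex_string)             # whitespace between bytes is ignored
    subopts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated sub-option header at byte {i}")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"sub-option {code} declares {length} bytes, found {len(value)}"
            )
        subopts[code] = value
        i += 2 + length
    return subopts


def cloudiq_ip(hex_string):
    """Return the ExtremeCloud IQ server IP carried in the payload, or None."""
    value = parse_option43(hex_string).get(CLOUDIQ_SUBOPTION)
    if value is None:
        return None
    if len(value) != 4:
        raise ValueError("sub-option 226 must carry a 4-byte IPv4 address")
    return str(ipaddress.IPv4Address(value))


if __name__ == "__main__":
    encoded = encode_cloudiq_option43("10.16.231.131")
    print(encoded)
    print(cloudiq_ip(encoded))
```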

Dynamic Change Options for Segmented Management Instance Attributes


You can now dynamically change the attributes of a Management Instance while you actively manage
the switch over that same Management Instance without requiring the switch to reboot. For example,
if your switch onboards using VLAN 4048, you can change that Management Instance VLAN to a new
VLAN.

You can change the following attributes for the Management Instance:
• Management Instance VLAN:
◦ VLAN ID
◦ IPv4 address
◦ default gateway
◦ I-SID (on a DvR Leaf)
◦ ports-tagged
◦ ports-untagged
• Management Instance CLIP
◦ IPv4 address
◦ vrf
• Management Instance Out-of-Band (OOB)
◦ IPv4 address
◦ default gateway

Operational Considerations
The following are operational considerations when you change Management Instance attributes using
the convert command:

• IPv6 is not supported and is removed during conversion, if an IPv6 address exists.
• You cannot change parameters for more than one Management Instance operation at a time. You
must issue the mgmt convert-commit command before you use the convert command for
either the same or a different Management Instance.
• If you attempt to change attributes for an existing Management Instance VLAN, you cannot
configure ports-tagged, ports-untagged, and I-SID parameters. Make configuration changes to the
existing Management Instance VLAN first before you use the convert command. If you change
your switch to a DvR leaf node, you can change the I-SID parameter.
• If you attempt to change attributes for a Management Instance VLAN and the VLAN does not exist,
a VLAN is automatically created in the background. You can specify ports-tagged, ports-untagged,
and I-SID parameters to be associated with this new VLAN. The new VLAN is assigned to the default
Spanning Tree Group, which is 0.
• If you attempt to change attributes for a Management Instance VLAN and the VLAN does not exist,
and you do not specify ports-tagged, ports-untagged, or I-SID parameters, then this is a special
case. If any untagged ports in the old VLAN have dynamic Address Resolution Protocol (ARP)
entries then these ports automatically move from the old VLAN to the new VLAN. For example,
VLAN 200 has port members 1/1, 1/2, and 1/3. ARP entries are configured on ports 1/1 and 1/2. VLAN
300 is created in the background and only ports 1/1 and 1/2 automatically move to this new VLAN.

If an MLT ID is associated with the old VLAN, the association is removed and re-added to the new
Management Instance VLAN ID.
• If you attempt to change the vrf attribute for a Management Instance CLIP but the vrf does not exist,
a vrf is automatically created in the background. In order for this vrf to function properly, you must
configure either SPBM Layer 3 VSN or IP interfaces and routing protocols.

The best practice is to configure and test vrf connectivity before you use the convert command.
• The following applies when you change static route attributes on a Management Instance VLAN or
Management Instance OOB interface:
◦ If you provide the static route next-hop gateway, all next-hop gateways are redirected to the new gateway.
◦ If you do not provide the static route next-hop gateway and the new subnet is the same as the
old subnet, all routes are re-added as is.
◦ If you do not provide a gateway and the new subnet is different, routes are discarded.
• Dynamic routes added by DHCP convert to static routes.

Segmented Management Instance Configuration using the CLI


This section provides procedures to configure segmented management instance using the command
line interface (CLI).

Migrate a VLAN or CLIP IP address to the Segmented Management Instance


In releases prior to VOSS release 8.1.60, perform this procedure to identify a pre-existing VLAN or
loopback management interface to migrate to the Segmented Management Instance after you upgrade.
This action moves the IP interface from the routing stack to the management stack to use with
management applications. In releases later than VOSS 8.1.60, you can perform this procedure to migrate
a new routing VLAN with a new IP address or a new loopback IP address under a different VRF to the
Segmented Management Instance. Alternatively, you can also use the convert command. For more
information, see Change Management Instance Attributes on page 100.

Important
Choose a VLAN that does not have an IP interface on it. The upgrade process removes the IP
configuration and network connectivity will be impacted.

About This Task

Note
Do not migrate interfaces used for routing purposes, for example, where you configure Layer
3 routing protocols.

This command does not apply to the OOB or mgmtEthernet interface. Releases that support this
migration procedure automatically move the IP address on the mgmtEthernet interface from the
routing stack to the Segmented Management Instance during the upgrade to this release.

Procedure

1. Enter Interface Configuration mode for either a VLAN or loopback interface:


enable

configure terminal

interface vlan <1–4059> or interface loopback <1–256>


2. Select the interface address for migration:
migrate-to-mgmt
3. View the designated interface addresses selected for migration:
show mgmt migration
4. Save the configuration selected for migration:
save config

Example

Identify an IP address currently assigned to an inband VLAN to migrate to the Management VLAN. The
example assumes you already identified a CLIP address. The VRF column in show mgmt migration
indicates where the interface is being moved from.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface vlan 20
Switch:1(config-if)#migrate-to-mgmt
Switch:1(config-if)#show mgmt migration

=============================================================================
Mgmt Migration Information
=============================================================================
IFINDEX DESCR VRF IPV4 IPV6
-----------------------------------------------------------------------------
1344 CLIP-1 GlobalRouter 192.0.2.102/32 10:0:0:0:0:0:0:1/128
2068 VLAN-20 GlobalRouter 198.51.100.6/24 20:0:0:0:0:0:0:1/64

2 out of 2 Total Num of mgmt migrate entries displayed


-----------------------------------------------------------------------------

Switch:1(config-if)#save config

Configure a Segmented Management Instance Using quick-config-mgmt Utility


Use the following procedure to run the quick-config-mgmt utility script to ease the transition to the
Segmented Management Instance.

Note
XA1400 Series does not support the OOB Management Instance.

Note
Product Notice: quick-config-mgmt is not supported on VSP 8600 Series.

The quick-config-mgmt utility recognizes existing configuration. For the OOB Management Instance,
you can overwrite the existing configuration only. However, for the VLAN Management Instance, you
can overwrite the existing configuration, or you can migrate the existing configuration to a coexistence
of IP on both the routing VLAN and the management VLAN.

The quick-config-mgmt utility supports the following:


• IPv4 only
• only one interface at one time
• Out-of-Band management and In-Band VLAN management

About This Task

You can use this procedure to help you transition to a new Segmented Management Instance. You can
configure IPv4, static routes, and DHCP support for the Out-of-Band (OOB) Management Instance or
for the In-Band VLAN Management Instance. If configuration exists for the interface type you selected,
you are prompted to replace the configured interface or to quit the utility.

Important
If you configure DHCP, any other running DHCP instance is stopped and a new DHCP instance
is created on the interface. This might cause loss of connectivity.

The default values are given in square brackets. You can input your values at the prompt or you can
press Enter to accept the default values.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enter the following command to start the utility:
quick-config-mgmt

Important
If DHCP mode cycle is enabled, the following warning message informs you that the DHCP
client will be disabled if you continue.
Continuing will disable dhcp and may affect your connectivity
to the DUT. Do you want to continue? y/n [n]:


Examples
The following examples show outputs from the quick-config-mgmt utility.

Configure the OOB Management Instance:


Switch:1(config)#quick-config-mgmt
Welcome to the management interface setup utility.
You will be requested for information to initially configure the switch.
When finished the information will be applied and stored as a part of the
configuration.

Once the basic parameters are configured, additional configuration can proceed using
other management interfaces.
Press q to abort at any time.
Management interface types:
1 - Out of band management port
3 - In-band port-based VLAN
Please enter management interface type or "q" to quit. [1]:
Please enter the Management Address IPv4 address, "d" for DHCP configuration or "q" to
quit [192.0.2.2]:
Please enter the Management Address Mask IPv4 address or "q" to quit [255.255.255.0]:
Please enter the Default Gateway Address IPv4 address, 0.0.0.0 for no default gateway,
or "q" to quit [192.0.2.5] :
Management interface created successfully

Replace an existing OOB Management Instance configuration:


Switch:1(config)#quick-config-mgmt
Welcome to the management interface setup utility.
You will be requested for information to initially configure the switch.
When finished the information will be applied and stored as a part of the
configuration.

Once the basic parameters are configured, additional configuration can proceed using
other management interfaces.
Press q to abort at any time.
Management interface types:
1 - Out of band management port
3 - In-band port-based VLAN
Please enter management interface type or "q" to quit. [1]:
MGMT OOB is already configured.
Continuing may remove parts or all of current config.
Do you want to continue? y/n [y]:
Please enter management interface type or "q" to quit. [1]:
Please enter the Management Address IPv4 address, "d" for DHCP configuration or "q" to
quit [192.0.2.2]:
Please enter the Management Address Mask IPv4 address or "q" to quit [255.255.255.0]:
Please enter the Default Gateway Address IPv4 address, 0.0.0.0 for no default gateway,
or "q" to quit [192.0.2.5] :
Management interface created successfully

Configure the In-band port-based VLAN Management Instance by removing parts of or all of the
existing VLAN configuration:
Switch:1(config)#quick-config-mgmt
Welcome to the management interface setup utility.
You will be requested for information to initially configure the switch.
When finished the information will be applied and stored as a part of the
configuration.

Once the basic parameters are configured, additional configuration can proceed using
other management interfaces.
Press q to abort at any time.

Management interface types:
1 - Out of band management port
3 - In-band port-based VLAN
Please enter management interface type or "q" to quit. [1]: 3
MGMT VLAN is already configured.
Continuing may remove parts or all of current config.
Do you want to continue? y/n [n]: y
Please enter VLAN ID (2-4059) or "q" to quit [4059]: 2
VLAN 2 is already in use.
Do you want to re-use existing vlan configuration? y/n/q: [n]
This option will remove all current config on VLAN 2.
Please enter port to be added to the in-band management VLAN or "q" to quit [1/1]:
Please enter the Management Address Mask IPv4 address or "q" to quit [255.255.255.0]:
Please enter the Default Gateway Address IPv4 address, 0.0.0.0 for no default gateway,
or "q" to quit [192.0.2.5] :
Management interface created successfully

Configure the In-band port-based VLAN Management Instance by reusing the existing VLAN
configuration:
Switch:1(config)#quick-config-mgmt
Welcome to the management interface setup utility.
You will be requested for information to initially configure the switch.
When finished the information will be applied and stored as a part of the
configuration.

Once the basic parameters are configured, additional configuration can proceed using
other management interfaces.
Press q to abort at any time.
Management interface types:
1 - Out of band management port
3 - In-band port-based VLAN
Please enter management interface type or "q" to quit. [1]: 3
MGMT VLAN is already configured.
Continuing may remove parts or all of current config.
Do you want to continue? y/n [n]: y
Please enter VLAN ID (2-4059) or "q" to quit [4059]: 2
VLAN 2 is already in use.
Do you want to re-use existing vlan configuration? y/n/q: [y]
Please enter port to be appended to the in-band management VLAN or leave empty
to keep currently configured ports or "q" to quit []: 1/1
Please enter the Management Address IPv4 address, "d" for DHCP configuration or "q" to
quit [192.0.2.2]:
Please enter the Management Address Mask IPv4 address or "q" to quit [255.255.255.0]:
Please enter the Default Gateway Address IPv4 address, 0.0.0.0 for no default gateway,
or "q" to quit [192.0.2.5] :
Management interface created successfully

Configure the In-band port-based VLAN Management Instance by reusing the existing VLAN
configuration when an IP address is configured and coexistence of mgmt and routing on the same VLAN
is desired:
Switch:1(config)#quick-config-mgmt
Welcome to the management interface setup utility.
You will be requested for information to initially configure the switch.
When finished the information will be applied and stored as a part of the
configuration.

Once the basic parameters are configured, additional configuration can proceed using
other management interfaces.
Press q to abort at any time.
Management interface types:
1 - Out of band management port
3 - In-band port-based VLAN
Please enter management interface type or "q" to quit. [1]: 3
MGMT VLAN is already configured.
Continuing may remove parts or all of current config.
Do you want to continue? y/n [n]: y
Please enter VLAN ID (2-4059) or "q" to quit [4059]: 2
VLAN 2 is already in use.
Do you want to re-use existing vlan configuration? y/n/q: [y]
Please enter port to be appended to the in-band management VLAN or leave empty
to keep currently configured ports or "q" to quit []: 1/1
IP address is already configured on VLAN 2.
Do you want to configure coexistence of mgmt and routing on the same vlan? y/n/q: [y]
Please enter the Management Address IPv4 address, "d" for DHCP configuration or "q" to
quit [192.0.2.2]:
Please enter the Management Address Mask IPv4 address or "q" to quit [255.255.255.0]:
Please enter the Default Gateway Address IPv4 address, 0.0.0.0 for no default gateway,
or "q" to quit [192.0.2.5] :
Management interface created successfully

Configure the In-band port-based VLAN Management Instance by reusing the existing VLAN
configuration when an IP address is configured but coexistence of mgmt and routing on the same VLAN is
not desired:
Switch:1(config)#quick-config-mgmt
Welcome to the management interface setup utility.
You will be requested for information to initially configure the switch.
When finished the information will be applied and stored as a part of the
configuration.

Once the basic parameters are configured, additional configuration can proceed using
other management interfaces.
Press q to abort at any time.
Management interface types:
1 - Out of band management port
3 - In-band port-based VLAN
Please enter management interface type or "q" to quit. [1]: 3
MGMT VLAN is already configured.
Continuing may remove parts or all of current config.
Do you want to continue? y/n [n]: y
Please enter VLAN ID (2-4059) or "q" to quit [4059]: 2
VLAN 2 is already in use.
Do you want to re-use existing vlan configuration? y/n/q: [y]
Please enter port to be appended to the in-band management VLAN or leave empty
to keep currently configured ports or "q" to quit []: 1/1
IP address is already configured on VLAN 2.
Do you want to configure coexistence of mgmt and routing on the same vlan? y/n/q: [n]
Management interface created successfully

Create a Segmented Management Instance


You must create a Management Instance to gain access to specific management applications. After you
create the Management Instance, you can add an IP address to it and configure route redistribution to
advertise reachability of the Management Instance to the rest of the network.

About This Task

The Management Instance supports different management interface types. When you create the
Management Instance, you specify the interface type and the switch automatically creates the
appropriate instance ID for that type.


A management VLAN is used for Layer 2 deployments. In a Layer 3 routing or Fabric deployment, use a
management CLIP. For Out-of-band Management, use a management OOB.

Each Management Instance supports an IPv4 and an IPv6 (global scope) management address for use by
management applications.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Create the Management Instance required for your deployment:
a. To create a management CLIP:
mgmt clip [vrf WORD<1–16>]

Note
If you do not specify a VRF, the management CLIP uses the GRT. You cannot use
mgmtrouter as the VRF.

OR
b. To create a management OOB:
mgmt oob

OR
c. To create a management VLAN and associate it with an existing port-based VLAN:
mgmt vlan <2-4059>
3. Enable the Management Instance:
enable

Example

Create and enable a Management CLIP:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt clip
Switch:1(mgmt:clip)#enable

Create and enable a Management OOB:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt oob
Switch:1(mgmt:oob)#enable

Create and enable a Management VLAN:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan 20
Switch:1(mgmt:vlan)#enable

Delete a Segmented Management Instance


Use this task to delete a Management Instance. Deleting the Management Instance removes the IP
address, and changes the associated VRF for a management CLIP.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Delete the Management Instance:
no mgmt {clip | oob | vlan}

Configure the DHCP Client for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to configure the DHCP Client to obtain an IPv4 address for the Management Instance
VLAN interface or Out-of-Band interface.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable and configure the DHCP Client for a management interface:
mgmt dhcp-client {cycle | oob | vlan}

Example

The following example configures the DHCP Client to cycle IPv4 requests for the management OOB
interface, and then the In-Band management VLAN interface; priority is given to the OOB interface. The
system cycles attempts until one management interface receives an IP address from the DHCP server:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt dhcp-client cycle


Variable Definitions
The following table defines parameters for the mgmt dhcp-client command.

Variable    Value
cycle       DHCP Client cycles IP requests for in-band VLAN and Out-of-Band
            management interfaces.
oob         DHCP Client requests an IP address for the Out-of-Band management
            interface.
vlan        DHCP Client requests an IP address for the VLAN management
            interface.

Configure an IP Address for a Segmented Management Instance


Use this task to add an IPv4 or IPv6 address to a Management Instance.

Before You Begin


• Ensure the IP address you plan to assign is not in use by an existing VLAN or CLIP IP subnet
configured on the switch.
• If the DHCP client is configured for a Segmented Management Instance, you must manually disable
the client. Configuring an IP address does not automatically disable the DHCP client.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enter the configuration mode for the Management Instance:
mgmt {clip | oob | vlan}
3. Add an IPv4 address:
ip address {A.B.C.D [A.B.C.D] | A.B.C.D/X}
4. Add an IPv6 address:
ipv6 address WORD<0–255>

Example

Add an IPv4 address to the VLAN Management Instance:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#ip address 192.0.2.12/24

Add an IPv4 address to the OOB Management Instance:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt oob
Switch:1(mgmt:oob)#ip address 192.0.2.12 255.255.255.0


Add an IPv6 address to the CLIP Management Instance:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt clip
Switch:1(mgmt:clip)#ipv6 address 2001:DB8::1/128

Configure a Segmented Management Instance Interface as Default Topology IP


Note
This procedure does not apply to VSP 8600 Series.

Use this task to configure a Management Instance with a default topology IP.

Note
You can only configure one Management Instance interface as the default topology IP.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enter the configuration mode for the Management Instance:
mgmt {clip | oob | vlan}
3. Configure the Management Instance as the default topology IP.
force-topology-ip

Example

The following example configures the Segmented Management Instance VLAN as the default topology
IP:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#force-topology-ip

Configure Static Routes for a Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to configure static routes for Management Instances.

About This Task

For the Management Instance CLIP, you do not need to configure a default or static route. This interface
type uses all routing information learned by protocols attached to the VRF. For more information about
how to associate a VRF with the CLIP interface, see Create a Segmented Management Instance on page
92.

For the Management Instance OOB and VLAN, you must configure a default or static route to reach the
next-hop gateway; no routing protocol information is used to access off-link networks.

You can configure up to 100 IPv4 and IPv6 static routes.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enter the configuration mode for the Management Instance:
mgmt {clip | oob | vlan}
3. Configure a static route:
ip route <A.B.C.D A.B.C.D | A.B.C.D/X> next-hop <A.B.C.D> [weight <1–65535>]

OR

ipv6 route WORD<0-255> [next-hop WORD<0-255>] [weight <1–65535>]

Example

Add a static route to configure routing for a Management Instance:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#ip route 192.0.2.2/24 next-hop 198.51.100.1

Variable definitions
The following table defines parameters for the ip route and ipv6 route commands.

Variable                        Value
<A.B.C.D A.B.C.D | A.B.C.D/X>   Specifies the IP address and mask in one of the
                                following formats:
                                • A.B.C.D A.B.C.D
                                • A.B.C.D/X
next-hop <A.B.C.D> or           Specifies the next hop address for the static route.
next-hop WORD<0-255>            Use an IP in the same subnet as the management VLAN
                                IP address.
weight <1–65535>                Specifies the static route cost. The default is 100
                                for CLIP, 200 for VLAN, and 300 for OOB.
                                The management CLIP uses an internal static route
                                with a weight of 100. If you use both CLIP and VLAN
                                and need to force all default traffic out the
                                management VLAN interface, configure a default
                                static route with a weight lower than 100.
WORD<0-255>                     Specifies the IPv6 address.

Configure Fragmented ICMP Packet Filtering on a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

About This Task

Use this task to enable fragmented ICMP packet filtering on a Segmented Management Instance.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enter the configuration mode for the Management Instance:
mgmt {clip | oob | vlan}
3. Enable fragmented ICMP packet filtering:
• For IPv4:

ip icmp drop-fragments
• For IPv6:

ipv6 icmp drop-fragments

Note
The ipv6 icmp drop-fragments command does not apply to XA1400 Series.

View Fragmented ICMP Packet Filtering Statistics on a Segmented Management Instance

Note
This procedure does not apply to VSP 8600 Series.

About This Task

Use this task to view Fragmented ICMP packet filtering details on a Management Instance.


Procedure

1. To enter User EXEC mode, log on to the switch.


2. View Fragmented ICMP packet filtering:
• For IPv4:

show mgmt ip icmp [clip | oob | vlan]


• For IPv6:

show mgmt ipv6 icmp [clip | oob | vlan]

Note
This command does not apply to XA1400 Series.

Variable Definitions
The following table defines parameters for the show mgmt ip icmp command.

Variable    Value
clip        Displays the IPv4 or IPv6 ICMP information specific to the
            management CLIP.
oob         Displays the IPv4 or IPv6 ICMP information specific to the
            management OOB.
vlan        Displays the IPv4 or IPv6 ICMP information specific to the
            management VLAN.

Configure MAC-offset for a Management VLAN Instance


Use this task to configure MAC-offset for a Management VLAN instance.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enter the MAC-offset for a Management VLAN instance:
mgmt vlan mac-offset <MAC-offset>

Note
Different hardware platforms support different ranges.

Example

Configure the MAC-offset for the Management VLAN instance:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#mac-offset <0-511>

Variable Definitions
The following table defines parameters for the mgmt vlan interface.

Variable                  Value
mac-offset <MAC-offset>   Specifies a number by which to offset the MAC address from
                          the chassis MAC address. This ensures that each IP address
                          has a different MAC address. If you omit this variable, a
                          unique MAC offset is automatically generated. Different
                          hardware platforms support different ranges. To see which
                          range is available on the switch, use the CLI command
                          completion Help.

Configure Management VLAN and VOSS Routing VLAN Coexistence Through Propagation

Note
This procedure only applies to XA1400 Series.

For XA1400 Series branch deployments, the VOSS routing IP stack requires the VLAN Management
Instance to work in coexistence mode where both the management IP stack and the routing IP stack
share the same IP address and default routes. This is required for an IPsec source address.

About This Task

You can manually configure the coexistence or you can use the propagate-to-routing command
to propagate the management VLAN IP and static routes from the management IP stack to the VOSS
routing IP stack on the same VLAN ID. If you do not include the VRF name, the system uses the existing
VRF of the VOSS routing VLAN.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enter the configuration mode for the Management Instance VLAN:
mgmt vlan
3. Configure the coexistence:
propagate-to-routing [vrf WORD<0-16>]

Change Management Instance Attributes


Note
This procedure does not apply to VSP 8600 Series.


Use this task to change the IP address, VLAN, VRF, or default gateway for a Management Instance while
you actively manage the switch over the same instance.

Important
Change the parameters in the following order:

1. VLAN or VRF
2. ports-tagged, ports-untagged, or I-SID
3. IP address or default gateway

About This Task

You cannot change parameters for more than one Management Instance operation at a time.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enter the configuration mode for the Management Instance:
mgmt {clip | oob | vlan}
3. Use one of the following Management Instances interfaces to configure the new values:
a. Configure new Management Instance VLAN parameters:
convert [vlan <1-4059>] [i-sid <1-16777215>] [ports-tagged {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] [ports-untagged {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] [ip {<A.B.C.D/X>|<A.B.C.D> <A.B.C.D>}] [gateway <A.B.C.D>] [rollback <0-3600>]

Important
After you configure the new values, the existing Management Instance VLAN is deleted
and connectivity to the switch can be lost. You must reconnect to the switch before
you can issue the mgmt convert-commit command.

b. Configure new Management Instance OOB parameters:


convert [ip {<A.B.C.D/X>|<A.B.C.D> <A.B.C.D>}] [gateway <A.B.C.D>]
[rollback <0-3600>]
c. Configure new Management Instance CLIP parameters:
convert [vrf WORD <1-16>] [ip {<A.B.C.D/X>|<A.B.C.D> <A.B.C.D>}]
[rollback <0-3600>]

Note
If the VRF does not exist before you issue the convert command, the VRF is
automatically created in the background. For this VRF to function properly, you must
configure either SPBM Layer 3 VSN or IP interfaces and routing protocols.


4. Log on to Global Configuration mode to commit the parameter changes:


mgmt convert-commit

Note
Commit the change within 120 seconds (default) of issuing the mgmt convert-commit
command. Otherwise, the configuration changes automatically roll back to the previous
configuration.

Examples
The following examples show the options for changing the attributes of a Management Instance VLAN:

Convert a management VLAN to a new VLAN ID:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert vlan 300

Switch:1(mgmt:vlan)#1 2021-09-24T21:41:54.627Z 4902 CP1 - 0x003c8677 - 00000000 GlobalRouter NLS_BASE INFO Mgmt convert: Dynamically moved the following ports from vlan 10 to new mgmt vlan 300 that had ARP entries: 1/1,
1 2021-09-24T21:41:54.627Z 4902 CP1 - 0x003c8671 -00000000 GlobalRouter NLS_BASE INFO Mgmt convert: new vlan 300 created successfully
1 2021-09-24T21:41:54.651Z 4902 CP1 - 0x003c8672 -00000000 GlobalRouter NLS_BASE INFO Mgmt convert: existing mgmt vlan instance deleted successfully
1 2021-09-24T21:41:54.719Z 4902 CP1 - 0x003c8673 -00000000 GlobalRouter NLS_BASE INFO Mgmt convert: new mgmt vlan instance created successfully with IP address 100.1.1.66/24
1 2021-09-24T21:41:54.719Z 4902 CP1 - 0x003c867e - 00000000 GlobalRouter NLS_BASE INFO Convert on mgmt vlan instance: Mgmt convert executed successfully

.
<reconnect to switch…>
Login: rwa
Password: ***

Mgmt convert: Please issue 'mgmt convert commit' before 120 seconds rollback timer expires otherwise mgmt vlan config change will be reverted

Convert a management VLAN to new IP address in the same subnet and in the same VLAN:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert ip 10.10.10.30/24

Convert a management VLAN to a new IP address in a different subnet:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert ip 11.11.11.30/24 gateway 11.11.11.1


Convert a management VLAN to new VLAN ID with specified port or ports:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert vlan 300 ports-untagged 1/2 ports-tagged 1/4

Convert a management VLAN to new VLAN ID with a specified I-SID:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert vlan 300 i-sid 4300

Convert a management VLAN to new VLAN ID with a new IP address and default Gateway:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert vlan 300 ip 11.11.11.30/24 gateway 11.11.11.1

Convert a management VLAN with all options:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert vlan 300 ports-untagged 1/2 ports-tagged 1/4 i-sid 43000
ip 11.11.11.30/24 gateway 11.11.11.1

Convert a management VLAN to new I-SID (DvR Leaf only):


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert i-sid 4000

Convert a management VLAN with a faster rollback option (default is 120 seconds):
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert vlan 300 rollback 60

Convert a management VLAN with no rollback option:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt vlan
Switch:1(mgmt:vlan)#convert vlan 300 rollback 0

The following examples show the options for changing the attributes of a Management Instance CLIP.

Convert a management CLIP from one VRF to another VRF. The IP address is the same:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt clip
Switch:1(mgmt:clip)#convert vrf blue

WARNING: the specified vrf does not exist - connectivity to the mgmt clip will be lost
until l3vsn or
ip interfaces for the given vrf are provisioned.
Continue with this operation (y/n) ? n

Note
If the VRF does not exist before you issue the convert command, the VRF is automatically
created in the background. In order for this VRF to function properly, you must configure
either SPBM Layer 3 VSN or IP interfaces and routing protocols.

Convert a management CLIP to a new IP address. The VRF is the same:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt clip
Switch:1(mgmt:clip)#convert ip 30.30.30.100/32

Convert a management CLIP to new IP address and VRF:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt clip
Switch:1(mgmt:clip)#convert vrf blue ip 30.30.30.100/32

The following examples show the options for changing the attributes of a Management Instance
Out-Of-Band (OOB):

Convert a management OOB to a new IP address in the same subnet:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt oob
Switch:1(mgmt:oob)#convert ip 20.20.20.100/24

Convert a management OOB IP address to a different subnet:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#mgmt oob
Switch:1(mgmt:oob)#convert ip 21.21.21.100/24 gateway 21.21.21.1


Variable Definitions
The following table defines parameters for the convert command.

Variable                          Value
<A.B.C.D A.B.C.D | A.B.C.D/X>     Specifies the IP address and subnet mask.
                                  This parameter applies to the following
                                  Management Instance interface types:
                                  • CLIP
                                  • OOB
                                  • VLAN
<A.B.C.D>                         Specifies the gateway IP address.
                                  This parameter applies to the following
                                  Management Instance interface types:
                                  • OOB
                                  • VLAN
<1-16777215>                      Specifies the service instance identifier (I-SID).
                                  This parameter applies to the Management
                                  Instance VLAN interface type.
                                  Note: You can specify the I-SID for a switch not
                                  configured as a DvR Leaf node.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
                                  Identifies the slot and port in one of the following
                                  formats: a single slot and port (slot/port), a range
                                  of slots and ports (slot/port-slot/port), or a series
                                  of slots and ports (slot/port,slot/port,slot/port). If
                                  the platform supports channelization and the port
                                  is channelized, you must also specify the sub-port
                                  in the format slot/port/sub-port.
<0-3600>                          Specifies the time in seconds between when
                                  the command is issued and when the command
                                  changes automatically roll back to the previous
                                  configuration.
                                  The default is 120 seconds. To disable the rollback,
                                  enter 0.
<2-4059>                          Specifies the VLAN ID in the range of 2 to 4059.
                                  VLAN ID 1 is the default VLAN and you cannot
                                  create or delete VLAN ID 1. By default, the system
                                  reserves VLAN IDs 4060 to 4094 for internal use.
                                  On switches that support the vrf-scaling and
                                  spbm-config-mode boot configuration flags, if
                                  you enable these flags, the system also reserves
                                  VLAN IDs 3500 to 3998.
                                  This parameter applies to the Management
                                  Instance VLAN interface type only.
WORD<0-16>                        Specifies the VRF name.
                                  This parameter applies to the Management
                                  Instance CLIP interface type only.

View Segmented Management Instance Information


Use this task to view Management Instance information.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. View general configuration information:
show mgmt interface [clip | oob | vlan]
3. View operational routes for the Management Instance:
show mgmt ip route [clip | oob | vlan]

OR

show mgmt ipv6 route [clip | oob | vlan]

Note
Routes with a type of LOCAL have a metric equal to 1.

4. View configured static routes for the Management Instance:


show mgmt ip route static [vlan | oob | clip]

OR

show mgmt ipv6 route static [vlan | oob | clip]

Note
Routes with a type of LOCAL have a metric equal to 256.

5. View the ARP or Neighbor Discovery cache information for the Management Instance:
show mgmt ip arp [clip | oob | vlan]

OR

show mgmt ipv6 neighbor [clip | oob | vlan]

Example
Switch:1>show mgmt interface vlan
=======================================================================================
Mgmt Interface Information
=======================================================================================
INST DESCR TYPE ADMIN VLAN PORT VRF PHYSICAL
---------------------------------------------------------------------------------------
4 Mgmt-vlan VLAN enable 2 - 192.0.2.188

1 out of 1 Total Num of mgmt interfaces displayed


--------------------------------------------------------------------------------
Switch:1>show mgmt ip route
========================================================================================
Mgmt IPv4 Route Information - Table main
========================================================================================
DEST/MASK NEXTHOP METRIC INTERFACE TYPE
----------------------------------------------------------------------------------------
0.0.0.0/0 0.0.0.0 100 Mgmt-clip INTERNAL
0.0.0.0/0 0.0.0.0 300 Mgmt-oob1 DHCP

192.0.2.189/24 0.0.0.0 256 Mgmt-vlan LOCAL

2 out of 2 Total Num of mgmt ip route displayed
----------------------------------------------------------------------------------------
Switch:1>show mgmt ip route static
========================================================================================
Mgmt IPv4 Static Route Information - Table main
========================================================================================
INTERFACE DEST/MASK NEXTHOP METRIC STATE TYPE
----------------------------------------------------------------------------------------
Mgmt-vlan 192.0.2.1/24 10.0.0.30 200 ACTIVE STATIC
Mgmt-vlan 198.51.100.5/24 10.0.0.40 200 ACTIVE STATIC
Mgmt-oob1 0.0.0.0/0 192.0.2.5 300 ACTIVE DHCP
Switch:1>show mgmt ipv6 route static
========================================================================================
Mgmt IPv6 Static Route Information - Table main
========================================================================================
INTERFACE DEST/MASK NEXTHOP METRIC STATE
----------------------------------------------------------------------------------------
Mgmt-vlan 40:0:0:0:0:0:0:0/64 10:0:0:0:0:0:0:40 200 ACTIVE
Mgmt-vlan 50:0:0:0:0:0:0:0/64 10:0:0:0:0:0:0:50 200 ACTIVE
Switch:1>show mgmt ip arp
========================================================================================
Mgmt IP ARP Information
========================================================================================
IP_ADDRESS INTERFACE MAC_ADDRESS STATE
----------------------------------------------------------------------------------------
10.10.10.1 Mgmt-vlan 00:1d:af:64:a2:14 REACHABLE
10.10.10.22 Mgmt-vlan 00:18:b0:5a:92:14 STALE
10.10.10.33 Mgmt-vlan 00:50:56:8c:43:55 FAILED
Switch:1>show mgmt ipv6 neighbor
========================================================================================
Mgmt IPv6 Neighbor Information
========================================================================================
IPV6_ADDRESS INTERFACE MAC_ADDRESS STATE
----------------------------------------------------------------------------------------
10::1 Mgmt-vlan 00:1d:af:64:a2:14 REACHABLE
10::22 Mgmt-vlan 00:18:b0:5a:92:14 STALE
10::33 Mgmt-vlan 00:50:56:8c:43:53 FAILED

View IP Address Information for a Segmented Management Instance


Use this task to view the IP address information for a Management Instance.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. View Segmented Management Instance IP address information:
show mgmt ip [<clip | oob | vlan>]

OR

show mgmt ipv6 [<clip | oob | vlan>]


3. View Segmented Management Instance topology IP address information:
show mgmt topology-ip

Example
Switch:1>show mgmt ip vlan

==========================================================================================
Mgmt IP Information
==========================================================================================
INST DESCR IPV4 IPV6 GLOBAL/PREFIX LENGTH IPV6 LINKLOCAL
------------------------------------------------------------------------------------------
4 Mgmt-vlan 192.0.2.12/24 0:0:0:0:0:0:0:0/0 0:0:0:0:0:0:0:0

1 out of 1 Total Num of mgmt ip displayed


------------------------------------------------------------------------------------------
Switch:1>show mgmt topology-ip

==========================================================================================
Mgmt Topology IP Information
==========================================================================================
IPv4:
Address: 192.0.2.10
Instance: 1
Description: oob1

IPv6:
No address to display

Force-topology-ip setting: none

View Segmented Management Instance Statistics


Use this task to view Management Instance statistics.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. View general Segmented Management Instance statistics:
show mgmt statistics [clip | oob | vlan]
3. View ICMP statistics for the Management Instance:

Note
This step does not apply to VSP 8600 Series.

show mgmt ip icmp-statistics

OR

show mgmt ipv6 icmp-statistics


4. View IP statistics for the Management Instance:

Note
This step does not apply to VSP 8600 Series.

show mgmt ip ip-statistics

OR

show mgmt ipv6 ip-statistics

5. View the TCP connections for the Management Instance:

Note
This step does not apply to VSP 8600 Series.

show mgmt ip tcp-connections

OR

show mgmt ipv6 tcp-connections


6. View the TCP statistics for the Management Instance:

Note
This step does not apply to VSP 8600 Series.

show mgmt ip tcp-statistics

OR

show mgmt ipv6 tcp-statistics


7. View the UDP endpoints for the Management Instance:

Note
This step does not apply to VSP 8600 Series.

show mgmt ip udp-endpoints

OR

show mgmt ipv6 udp-endpoints


8. View the UDP statistics for the Management Instance:

Note
This step does not apply to VSP 8600 Series.

show mgmt ip udp-statistics

OR

show mgmt ipv6 udp-statistics


9. Enter Privileged EXEC mode:
enable
10. (Optional) Clear all of the statistics for the Management Instance:
clear mgmt statistics

Examples
Switch:1>show mgmt statistics

==================================================================================================================================
Mgmt Interface Stats Information
==================================================================================================================================
INST DESCR RX-PKTS RX-ERROR RX-DROP TX-PKTS TX-ERROR TX-DROP

----------------------------------------------------------------------------------------------------------------------------------
1 Mgmt-oob1 111667 0 0 21412 0 0

1 out of 1 Total Num of mgmt interfaces displayed


----------------------------------------------------------------------------------------------------------------------------------

Switch:1>show mgmt ip icmp-statistics

================================================================================
Mgmt ICMP Statistics Information
================================================================================
InMsgs : 44
InErrors : 0
InCsumErrors : 0
InDestUnreachs : 44
InTimeExcds : 0
InParmProbs : 0
InSrcQuenchs : 0
InRedirects : 0
InEchos : 0
InEchoReps : 0
InTimestamps : 0
InTimestampReps : 0
InAddrMask : 0
InAddrMaskReps : 0
OutMsgs : 53
OutErrors : 0
Switch:1>show mgmt ipv6 icmp-statistics

================================================================================
Mgmt ICMPv6 Statistics Information
================================================================================
InMsgs : 58
InErrors : 0
InCsumErrors : 0
InDestUnreachs : 0
InTimeExcds : 0
InParmProbs : 0
InPktTooBigs : 0
InRedirects : 0
InEchos : 0
InEchoReps : 0
InGroupMembQueries : 0
InGroupMembReductions : 0
InRouterSolicits : 0
InRouterAdvertisements : 55
InNeighborSolicits : 0
InNeighborAdvertisements : 3
InMLDv2Reports : 0
InType134 : 55
InType136 : 3
OutMsgs : 69
OutErrors : 0
OutDestUnreachs : 0
OutTimeExcds : 0
OutParmProbs : 0
OutPktTooBigs : 0
OutRedirects : 0
OutEchos : 0
OutEchoReps : 0
OutGroupMembQueries : 0
OutGroupMembResponses : 0
OutGroupMembReductions : 0
OutRouterSolicits : 0
OutRouterAdvertisements : 0
OutNeighborSolicits : 13

OutNeighborAdvertisements : 0
OutMLDv2Reports : 56
OutType133 : 56
OutType135 : 13
OutType143 : 0

--------------------------------------------------------------------------------
Switch:1>show mgmt ip ip-statistics

================================================================================
Mgmt IP Statistics Information
================================================================================
InReceives : 1231729
InHdrErrors : 0
InAddrErrors : 489
InUnknownProtos : 0
InDiscards : 0
InDelivers : 1221886
OutRequests : 1212585
OutDiscards : 20
OutNoRoutes : 0
ForwDatagrams : 0
ReasmTimeout : 0
ReasmReqds : 0
ReasmOKs : 0
ReasmFails : 0
FragOKs : 0
FragFails : 0
FragCreates : 0

--------------------------------------------------------------------------------
Switch:1>show mgmt ipv6 ip-statistics

================================================================================
Mgmt IPv6 Statistics Information
================================================================================
InReceives : 226
InHdrErrors : 0
InAddrErrors : 0
InUnknownProtos : 0
InDiscards : 0
InDelivers : 62
InTooBigErrors : 0
InNoRoutes : 0
InTruncatedPkts : 0
InMcastPkts : 224
InOctets : 20556
InMcastOctets : 20416
InBcastOctets : 0
InNoECTPkts : 226
InECT1Pkts : 0
InECT0Pkts : 0
InCEPkts : 0
OutRequests : 71
OutDiscards : 0
OutNoRoutes : 0
OutForwDatagrams : 0
OutMcastPkts : 69
OutOctets : 5412
OutMcastOctets : 5272
OutBcastOctets : 0
ReasmTimeout : 0
ReasmReqds : 0
ReasmOKs : 0

ReasmFails : 0
FragOKs : 0
FragFails : 0
FragCreates : 0

--------------------------------------------------------------------------------
Switch:1>show mgmt ip tcp-connections

==================================================================================================================================
Mgmt IP TCP connections
==================================================================================================================================
STATE RECV-Q SEND-Q Local Address:Port Peer Address:Port
----------------------------------------------------------------------------------------------------------------------------------
LISTEN 0 5 0.0.0.0:ftp 0.0.0.0:*
LISTEN 0 5 0.0.0.0:telnet 0.0.0.0:*
LISTEN 0 40 0.0.0.0:https 0.0.0.0:*
LISTEN 0 1 0.0.0.0:login 0.0.0.0:*
ESTAB 0 0 192.0.2.10:https 198.51.100.1:50694
ESTAB 0 3 192.0.2.10:telnet 198.51.100.1:58862
ESTAB 0 0 192.0.2.10:https 198.51.100.1:59774
----------------------------------------------------------------------------------------------------------------------------------
Switch:1>show mgmt ipv6 tcp-connections

==================================================================================================================================
Mgmt IPv6 TCP connections
==================================================================================================================================
STATE RECV-Q SEND-Q Local Address:Port Peer Address:Port
----------------------------------------------------------------------------------------------------------------------------------
LISTEN 0 5 *:ftp *:*
LISTEN 0 5 *:telnet *:*
LISTEN 0 40 *:https *:*
LISTEN 0 1 *:login *:*
----------------------------------------------------------------------------------------------------------------------------------

Switch:1>show mgmt ip tcp-statistics

================================================================================
Mgmt Combined IPv4/v6 TCP Statistics Information
================================================================================
TcpActiveOpens : 9571
TcpPassiveOpens : 9658
TcpAttemptFails : 17
TcpEstabResets : 86
TcpInSegs : 1207867
TcpOutSegs : 1199088
TcpRetransSegs : 42
TcpInErrs : 0
TcpOutRsts : 89
TcpInCsumErrors : 0
--------------------------------------------------------------------------------
Switch:1>show mgmt ipv6 tcp-statistics

================================================================================
Mgmt Combined IPv4/v6 TCP Statistics Information
================================================================================
TcpActiveOpens : 9626
TcpPassiveOpens : 9713
TcpAttemptFails : 17
TcpEstabResets : 86
TcpInSegs : 1212159
TcpOutSegs : 1203293
TcpRetransSegs : 42
TcpInErrs : 0
TcpOutRsts : 89
--------------------------------------------------------------------------------
Switch:1>show mgmt ip udp-endpoints

==================================================================================================================================
Mgmt IP UDP endpoints
==================================================================================================================================
STATE RECV-Q SEND-Q Local Address:Port Peer Address:Port
----------------------------------------------------------------------------------------------------------------------------------

UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:*
UNCONN 0 0 0.0.0.0:tftp 0.0.0.0:*
UNCONN 0 0 192.0.2.10:ntp 0.0.0.0:*
UNCONN 0 0 0.0.0.0:ntp 0.0.0.0:*
UNCONN 0 0 0.0.0.0:snmp 0.0.0.0:*
----------------------------------------------------------------------------------------------------------------------------------
Switch:1>show mgmt ipv6 udp-endpoints

==================================================================================================================================
Mgmt IPv6 UDP endpoints
==================================================================================================================================
STATE RECV-Q SEND-Q Local Address:Port Peer Address:Port
----------------------------------------------------------------------------------------------------------------------------------
UNCONN 0 0 [0:0:0:0:0:0:0:1]:domain *:*
UNCONN 0 0 *:tftp *:*
UNCONN 0 0 [fe80:0:0:0:f66e:95ff:fe9f:81]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:f66e:95ff:fe9f:a5]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:a8bb:ccff:fedd:ee01]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:fce7:79ff:fe04:999c]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:609a:4aff:fe4e:cf04]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:c482:2aff:fe75:2e66]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:c80a:73ff:fe00:364e]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:80cc:e9ff:fec7:b9e2]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:64da:41ff:fec5:489e]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:f8d7:d6ff:feda:62bc]:ntp *:*
UNCONN 0 0 [fe80:0:0:0:f66e:95ff:fe9f:0]:ntp *:*
UNCONN 0 0 [0:0:0:0:0:0:0:1]:ntp *:*
UNCONN 0 0 *:ntp *:*
UNCONN 0 0 *:snmp *:*

----------------------------------------------------------------------------------------------------------------------------------

Switch:1>show mgmt ip udp-statistics

================================================================================
Mgmt UDP Statistics Information
================================================================================
UdpInDatagrams : 63622
UdpNoPorts : 44
UdpInErrors : 0
UdpOutDatagrams : 63666
UdpIgnoredMulti : 0
UdpRcvbufErrors : 0
UdpSndbufErrors : 0
UdpInCsumErrors : 0
--------------------------------------------------------------------------------
Switch:1>show mgmt ipv6 udp-statistics

================================================================================
Mgmt UDP6 Statistics Information
================================================================================
Udp6InDatagrams : 0
Udp6NoPorts : 0
Udp6InErrors : 0
Udp6OutDatagrams : 0
Udp6IgnoredMulti : 0
Udp6RcvbufErrors : 0
Udp6SndbufErrors : 0
Udp6InCsumErrors : 0
--------------------------------------------------------------------------------
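
The TCP connection and UDP endpoint tables above show which services the Management Instance exposes, including cleartext ones such as ftp, telnet, and login. The following Python script is an added example, not part of the Extreme Networks guide: it parses output in the format shown above and reports cleartext services that are listening or carrying a session. The CLEARTEXT_SERVICES set and the function names are assumptions to adapt to local policy, and the sample text is constructed from the example output on this page.

```python
import re

# Assumption: service labels (as printed in the Port column) that this audit
# treats as cleartext management protocols. Adjust to local policy.
CLEARTEXT_SERVICES = {"ftp", "telnet", "login", "tftp"}
WILDCARDS = {"0.0.0.0", "*", "::", "0:0:0:0:0:0:0:0"}

# One socket row: STATE RECV-Q SEND-Q Local Address:Port Peer Address:Port.
# Prompts, banners, rulers and the column header do not match this pattern.
ROW = re.compile(
    r"^(?P<state>[A-Z][A-Z0-9-]*)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<peer>\S+)$"
)

# Constructed sample, modelled on the example output in this guide.
SAMPLE = """\
Switch:1>show mgmt ip tcp-connections
====================================================
                Mgmt IP TCP connections
====================================================
STATE   RECV-Q  SEND-Q  Local Address:Port   Peer Address:Port
----------------------------------------------------
LISTEN  0       5       0.0.0.0:ftp          0.0.0.0:*
LISTEN  0       5       0.0.0.0:telnet       0.0.0.0:*
LISTEN  0       40      0.0.0.0:https        0.0.0.0:*
LISTEN  0       1       0.0.0.0:login        0.0.0.0:*
ESTAB   0       0       192.0.2.10:https     198.51.100.1:50694
ESTAB   0       3       192.0.2.10:telnet    198.51.100.1:58862
Switch:1>show mgmt ipv6 udp-endpoints
STATE   RECV-Q  SEND-Q  Local Address:Port   Peer Address:Port
UNCONN  0       0       [fe80:0:0:0:f66e:95ff:fe9f:81]:ntp  *:*
UNCONN  0       0       *:tftp               *:*
UNCONN  0       0       *:snmp               *:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon (IPv4, '*' and bracketed IPv6)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def parse_sockets(text):
    """Return one dict per socket row found in pasted CLI output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        local_addr, local_port = split_endpoint(m["local"])
        peer_addr, peer_port = split_endpoint(m["peer"])
        rows.append({
            "state": m["state"],
            "local_addr": local_addr, "local_port": local_port,
            "peer_addr": peer_addr, "peer_port": peer_port,
        })
    return rows


def audit(text, cleartext=CLEARTEXT_SERVICES):
    """Return (kind, service, address) tuples for cleartext services.

    kind is 'listener' for LISTEN/UNCONN sockets (address is the bind scope)
    and 'session' for any connected state (address is the peer).
    """
    findings = []
    for row in parse_sockets(text):
        service = row["local_port"]
        if service not in cleartext:
            continue
        if row["state"] in ("LISTEN", "UNCONN"):
            scope = "any" if row["local_addr"] in WILDCARDS else row["local_addr"]
            findings.append(("listener", service, scope))
        else:
            findings.append(("session", service, row["peer_addr"]))
    return findings


if __name__ == "__main__":
    for kind, service, address in audit(SAMPLE):
        print(f"{kind:8} {service:8} {address}")
```
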

Redistribution of CLIP Segmented Management Instance Examples


The CLIP Management Instance is added as a LOCAL route in the Control Processor Route Table
Manager table and change list infrastructure. Existing route redistribution mechanisms redistribute local
routes into the desired routing protocols within the associated VRF or across VRF instances.

Redistribute IPv4 CLIP Management Instance to OSPF in GRT


router ospf
redistribute direct
redistribute direct enable
exit
ip ospf apply redistribute direct

Redistribute IPv6 CLIP Management Instance to OSPF in GRT


router ospf
ipv6 redistribute direct
ipv6 redistribute direct enable
exit
ipv6 ospf apply redistribute direct

Redistribute IPv4 CLIP Management Instance to OSPF in VRF


router vrf red
ip ospf redistribute direct
ip ospf redistribute direct enable
exit
ip ospf apply redistribute direct vrf red

Redistribute IPv6 CLIP Management Instance to OSPF in VRF


router vrf red
ipv6 ospf redistribute direct
ipv6 ospf redistribute direct enable
exit
ipv6 ospf apply redistribute direct vrf red

Redistribute IPv4 CLIP Management Instance to BGP in GRT


router bgp
redistribute direct
redistribute direct enable
exit
ip bgp apply redistribute direct

Redistribute IPv6 CLIP Management Instance to BGP in GRT


router bgp
redistribute ipv6-direct
redistribute ipv6-direct enable
exit
ipv6 bgp apply redistribute direct

Redistribute IPv4 CLIP Management Instance to BGP in VRF


router vrf red
ip bgp redistribute direct
ip bgp redistribute direct enable
exit
ip bgp apply redistribute direct vrf red

Redistribute IPv6 CLIP Management Instance to BGP in VRF


router vrf red
ip bgp redistribute ipv6-direct
ip bgp redistribute ipv6-direct enable
exit
ipv6 bgp apply redistribute direct vrf red

Accept Policy for IPv4 CLIP Management Instance in GRT to VRF Red (I-SID 200)
#grt-->vrf
router vrf red
isis accept i-sid 0
isis accept i-sid 0 enable
isis redistribute direct
isis redistribute direct enable
exit
isis apply accept vrf red
isis apply redistribute direct vrf red

#vrf-->grt
router isis
accept i-sid 200
accept i-sid 200 enable
exit
isis apply accept

Accept Policy for IPv6 CLIP Management Instance in GRT to VRF Red (I-SID 200)
#grt-->vrf
router vrf red
ipv6 isis accept i-sid 0
ipv6 isis accept i-sid 0 enable
ipv6 isis redistribute direct
ipv6 isis redistribute direct enable
exit
ipv6 isis apply accept vrf red
ipv6 isis apply redistribute direct vrf red

#vrf-->grt
router isis
ipv6 accept i-sid 200
ipv6 accept i-sid 200 enable
exit
ipv6 isis apply accept

Accept Policy for IPv4 CLIP Management Instance in VRF Blue (I-SID 300) to GRT
#vrf --> grt
router isis
accept i-sid 300
accept i-sid 300 enable
redistribute direct
redistribute direct enable
exit
isis apply accept
isis apply redistribute direct

#grt --> vrf


router vrf blue
isis accept i-sid 0
isis accept i-sid 0 enable
exit
isis apply accept vrf blue

Accept Policy for IPv6 CLIP Management Instance in VRF Blue (I-SID 300) to GRT
#vrf --> grt
router isis
ipv6 accept i-sid 300
ipv6 accept i-sid 300 enable
ipv6 redistribute direct
ipv6 redistribute direct enable
exit
ipv6 isis apply accept
ipv6 isis apply redistribute direct

#grt --> vrf


router vrf blue
ipv6 isis accept i-sid 0
ipv6 isis accept i-sid 0 enable
exit
ipv6 isis apply accept vrf blue

Segmented Management Instance Configuration for VOSS using EDM


Note
This section does not apply to VSP 8600 Series.

This section provides procedures to configure a Segmented Management Instance using EDM.

Migrate an IP Address to a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

In releases prior to VOSS release 8.1.60, perform this procedure to identify a pre-existing VLAN or
loopback management interface to migrate to the Segmented Management Instance after you upgrade.
This action moves the IP interface from the routing stack to the management stack to use with
management applications. In releases later than VOSS 8.1.60, you can perform this procedure to migrate
a new routing VLAN with a new IP address or a new loopback IP address under a different VRF to the
Segmented Management Instance. Alternatively, you can also use the convert command.

Important
Choose a VLAN that does not have an IP interface on it. The upgrade process removes the IP
configuration and network connectivity will be impacted.

About This Task

You cannot migrate interfaces used for routing purposes, for example, where you configure Layer 3
routing protocols.

This command does not apply to the OOB or mgmtEthernet interface. Releases that support this
migration procedure automatically move the IP address on the mgmtEthernet interface from the
routing stack to the Segmented Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Mgmt.
4. Select the Migrate tab.

5. Select Insert.
6. Select the instance type, either clip or vlan.
7. Specify the existing VLAN or loopback ID.
8. Select Insert.

Migrate Field Descriptions


Use the data in the following table to use the Migrate tab.

Name Description
InstanceId Specifies the interface instance to migrate.
InterfaceIndex Shows the interface index of the identified
interface.
InterfaceType Shows the interface type.
Description Shows the interface description.
VlanId Specifies the VLAN ID for a port-based VLAN.
LoopbackId Specifies the loopback ID.
VrfName Shows the VRF associated with the loopback
interface.
IpAddress Shows the IPv4 address to migrate.
IpMask Shows the subnet mask for the IPv4 address.
Ipv6Address Shows the IPv6 address to migrate.
Ipv6PrefixLength Shows the prefix length for the IPv6 address.

Configure a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

You must create a Management Instance to gain access to specific management applications.

About This Task

The Management Instance supports different management interface types. When you create the
Management Instance, you specify the interface type and the switch automatically creates the
appropriate instance ID for that type.

In a Layer 2 routing deployment, use a management VLAN. In a Layer 3 routing or Fabric deployment,
use a management CLIP. To separate the management network from Layer 2 and Layer 3, use a
management OOB.

Each Management Instance supports an IPv4 and an IPv6 (global scope) management address for use by
management applications.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Expand Mgmt Instance.
3. Select Mgmt.
4. Select the Interface tab.
5. Select Insert.
6. In the InstanceId field, select the type of Management Instance to create.
7. (Optional) For a CLIP Management Instance, in the VrfName field, type the VRF name to associate
with the CLIP instance.

Note
If you want to associate the GRT with the CLIP instance, type GlobalRouter in the
VrfName field. You cannot use mgmtrouter as the VRF.

8. For a VLAN Management Instance, in the VlanId field, type the VLAN ID to associate the
management VLAN with an existing port-based VLAN.
9. For an OOB Management Instance, in the OOBIfindex field, select the interface port number to
associate for Out-of-Band management.
10. Select the State check box to enable the instance.
11. To specify the interface as the default topology IP for LLDP advertisements, select
InterfaceTopologyIpFlag.
12. To administratively enable RMON for the interface, select RmonAdminEnable.
13. For a DvR Leaf node, in the Isid field, type the I-SID value to associate with the Management
Instance VLAN.
14. Select Insert.

Interface Field Descriptions


Use the data in the following table to use the Interface tab.

Name Description
InstanceId Indicates the Management Instance type associated with
this entry.
InterfaceType Indicates the interface type.
VlanId Specifies the VLAN ID to associate with the management
VLAN.
OOBIfindex Specifies the interface ID to associate with the management
OOB.
VrfName Specifies the VRF name to associate with the management
CLIP.
State Indicates if the interface is enabled for this instance. The
default is disabled.
InterfaceMacAddr Indicates the MAC address for the interface.
InterfaceName Indicates the interface name.
InterfaceTopologyIpFlag Specifies if the interface is the default topology source IP.

ZtpOn Identifies the Zero Touch Provisioning status for the
interface.
RmonAdminEnable Specifies if RMON is administratively enabled for the interface.
RmonOperEnable Indicates the RMON operational status for the interface.
RmonIpAddress Indicates the RMON IP address for the interface.
MacOffset Translates the IP address into a MAC address.
DropIcmpFragEnable Enables IPv4 Fragmented ICMP packet filtering on the
Management Instance. The default is disabled.
Note: Exception: Not supported on VSP 8600 Series and XA1400 Series.
DropIcmpv6FragEnable Enables IPv6 Fragmented ICMP packet filtering on the
Management Instance. The default is disabled.
Note: Exception: Not supported on VSP 8600 Series and XA1400 Series.
Isid Specifies the I-SID number that is associated with the
Management Instance VLAN for the DvR Leaf node. For a non-DvR
node, the default I-SID value is 0 and this value cannot be edited.
Note: Exception: Not supported on VSP 8600 Series.

Configure DHCP Client for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to configure a DHCP Client on a management interface.

Procedure

1. In the navigation pane, expand Configuration > Edit > Mgmt Instance.
2. Select Mgmt.
3. Select the Dhcp tab.
4. In the Client field, select an option to configure the DHCP Client.
5. Select Apply.

Dhcp Field Descriptions


Use the data in the following table to use the Dhcp tab.

Name Description
Client Specifies the DHCP client configuration:
• oob - DHCP Client on the Out-of-Band
management interface.
• vlan - DHCP Client on the VLAN management
interface.
• cycle - DHCP Client cycles between in-band
and Out-of-Band management interfaces until
an IP address is obtained on one management
interface.
• disable - DHCP Client is disabled.

ClientPreferredInterface Shows the DHCP Client preferred management
interface when in cycle mode. On reboot, the
system first attempts to acquire a DHCP IP address
on the preferred interface.

View IPv4 ARP Information for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view IPv4 Address Resolution Protocol (ARP) information.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Expand Mgmt Instance.
3. Select Mgmt.
4. Select the IpArp tab.

IpArp Field Descriptions


Use the data in the following table to use the IpArp tab.

Name Description
Address Shows the IPv4 address of the ARP entry.
Instance Shows the Management Instance ID.
IntfName Shows the Management Instance interface name
for the ARP entry.
MacAddr Shows the MAC address for the ARP entry.
State Shows the state of the ARP entry. The state can be
one of the following:
• reachable
• stale
• permanent
• failed
• delay

View IPv6 ND Information for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view IPv6 Neighbor Discovery (ND) information.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Expand Mgmt Instance.
3. Select Mgmt.
4. Select the Ipv6Neighbor tab.

Ipv6Neighbor Field Descriptions


Use the data in the following table to use the Ipv6Neighbor tab.

Name Description
Addr Shows the IPv6 address of the neighbor entry.
Instance Shows the Management Instance ID.
IntfName Shows the Management Instance interface name
for the neighbor entry.
MacAddr Shows the MAC address for the neighbor entry.
State Shows the state of the neighbor entry. The state
can be one of the following:
• reachable
• stale
• permanent
• failed
• delay

Configure IPv4 Static Routes for a Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to configure IPv4 static routes for Management Instances.

About This Task

For the Management Instance CLIP, you do not need to configure a default or static route. This interface
type uses all routing information learned by protocols attached to the VRF. For more information about
how to associate a VRF with the CLIP interface, see Configure a Segmented Management Instance.

For the Management Instance OOB and VLAN, you must configure a default or static route to reach the
next-hop gateway; no routing protocol information is used to access off-link networks.

You can configure up to 100 IPv4 and IPv6 static routes.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Expand Mgmt Instance.
3. Select Mgmt.
4. Select the IpStaticRoute tab.
5. Select Insert.
6. For the Instance, select the type of Management Instance interface.
7. Type the destination IP address and mask.
8. Type the next hop IP address.
9. Type a metric value.
10. Select Insert.

IpStaticRoute Field Descriptions


Use the data in the following table to use the IpStaticRoute tab.

Name Description
Instance Specifies the Management Instance.
DestAddr Specifies the destination IP address.
DestMask Specifies the destination mask.
NextHop Specifies the next hop address for the static route. Use an IP address in the same subnet as the management VLAN IP address.
IntfName Specifies the Management Instance interface name for the route entry.
Metric Specifies the static route cost. The default is 200. The management CLIP uses an internal static route with a weight of 100. If you use both CLIP and VLAN and need to force all default traffic out the management VLAN interface, configure a default static route with a weight lower than 100.
State Shows if the route is active or inactive.

Configure IPv6 Static Routes for a Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to configure IPv6 static routes for Management Instances.

About This Task

For the Management Instance CLIP, you do not need to configure a default or static route. This interface
type uses all routing information learned by protocols attached to the VRF. For more information about
how to associate a VRF with the CLIP interface, see Configure a Segmented Management Instance on
page 117.

For the Management Instance OOB and VLAN, you must configure a default or static route to reach the
next-hop gateway; no routing protocol information is used to access off-link networks.

You can configure up to 100 IPv4 and IPv6 static routes.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Expand Mgmt Instance.
3. Select Mgmt.
4. Select the Ipv6StaticRoute tab.
5. Select Insert.
6. For the Instance, select the type of Management Instance interface.
7. Type the destination IPv6 address and prefix length.
8. Type the next hop IPv6 address.
9. Type a metric value.
10. Select Insert.

Ipv6StaticRoute Field Descriptions


Use the data in the following table to use the Ipv6StaticRoute tab.

Name Description
Instance Specifies the Management Instance.
DestAddr Specifies the destination IP address.
DestPrefixLen Specifies the destination prefix length.
NextHop Specifies the next hop address for the static route. Use an IP address in the same subnet as the management VLAN IP address.
IntfName Specifies the Management Instance interface name for the route entry.
Metric Specifies the static route cost. The default is 200. The management CLIP uses an internal static route with a weight of 100. If you use both CLIP and VLAN and need to force all default traffic out the management VLAN interface, configure a default static route with a weight lower than 100.
State Shows if the route is active or inactive.
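
A pre-change check for the route plan described in the IPv4 and IPv6 static route sections above, added here as an example and not part of the Extreme Networks guide or EDM. It applies the NextHop same-subnet guidance, the 100-route limit, and the metric-below-100 rule for forcing default traffic out the management VLAN. The function name, finding codes and sample addresses are assumptions, as are treating the limit as a combined IPv4 and IPv6 total and applying the same-subnet check to OOB routes as well as VLAN routes.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_METRIC = 200        # page: Metric "default is 200"
CLIP_INTERNAL_WEIGHT = 100  # page: weight of the management CLIP internal static route
MAX_STATIC_ROUTES = 100     # page limit; assumed to be one combined IPv4 + IPv6 total


@dataclass
class StaticRoute:
    instance: str                 # Instance: "vlan", "oob" or "clip"
    dest: str                     # DestAddr with DestMask or DestPrefixLen, as CIDR
    next_hop: str                 # NextHop
    metric: int = DEFAULT_METRIC  # Metric


def check_routes(routes, mgmt_addrs, clip_in_use=False, force_default_via_vlan=False):
    """Return (code, detail) findings for a planned route set; [] means it passes.

    mgmt_addrs maps an instance name to its interface addresses in CIDR form.
    """
    findings = []
    if len(routes) > MAX_STATIC_ROUTES:
        findings.append(("TOO_MANY_ROUTES", str(len(routes))))

    on_link = {
        name: [ipaddress.ip_interface(a).network for a in addrs]
        for name, addrs in mgmt_addrs.items()
    }
    vlan_default_metrics = {}  # IP version -> lowest metric of a VLAN default route

    for r in routes:
        dest = ipaddress.ip_network(r.dest, strict=False)
        hop = ipaddress.ip_address(r.next_hop)
        if r.instance == "clip":
            # CLIP uses routes learned in its VRF, so a static route is not needed.
            findings.append(("CLIP_ROUTE_UNNEEDED", r.dest))
            continue
        if hop.version != dest.version:
            findings.append(("FAMILY_MISMATCH", r.dest))
            continue
        # NextHop guidance: same subnet as the management interface address.
        nets = [n for n in on_link.get(r.instance, []) if n.version == hop.version]
        if not any(hop in n for n in nets):
            findings.append(("NEXTHOP_OFF_LINK", f"{r.dest} via {r.next_hop}"))
        if r.instance == "vlan" and dest.prefixlen == 0:
            best = vlan_default_metrics.get(dest.version, r.metric)
            vlan_default_metrics[dest.version] = min(best, r.metric)

    # OOB and VLAN learn nothing from routing protocols: no route, no off-link reach.
    for name in on_link:
        if name in ("vlan", "oob") and not any(r.instance == name for r in routes):
            findings.append(("NO_ROUTE_FOR_INSTANCE", name))

    # With CLIP present, a VLAN default route wins only below the CLIP weight of 100.
    if clip_in_use and force_default_via_vlan:
        for version in sorted({n.version for n in on_link.get("vlan", [])}):
            metric = vlan_default_metrics.get(version)
            if metric is None:
                findings.append(("NO_VLAN_DEFAULT", f"IPv{version}"))
            elif metric >= CLIP_INTERNAL_WEIGHT:
                findings.append(("DEFAULT_METRIC_TOO_HIGH", f"IPv{version} metric {metric}"))
    return findings


# Constructed sample plan (documentation address ranges, not from the guide).
SAMPLE_ADDRS = {"vlan": ["192.0.2.10/24", "2001:db8:10::10/64"]}
SAMPLE_ROUTES = [
    StaticRoute("vlan", "0.0.0.0/0", "192.0.2.1"),              # default metric 200
    StaticRoute("vlan", "198.51.100.0/24", "203.0.113.1", 50),  # gateway not on-link
    StaticRoute("vlan", "::/0", "2001:db8:10::1", 50),          # passes
]

if __name__ == "__main__":
    for code, detail in check_routes(SAMPLE_ROUTES, SAMPLE_ADDRS, True, True):
        print(f"{code}: {detail}")
```

Run it against the planned entries before typing them into the IpStaticRoute and Ipv6StaticRoute tabs; an empty result means the plan is consistent with the field descriptions above.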

View IPv4 Operational Routes for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.


Use this task to view IPv4 operational routes.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Mgmt.
4. Select the IpRoute tab.

IpRoute Field Descriptions


Use the data in the following table to use the IpRoute tab.

Name Description
DestAddr Shows the destination address of the route entry.
DestMask Shows the destination mask of the route entry.
Metric Shows the metric, or cost, assigned to the route entry. If multiple entries exist to the same destination, the metric determines which route is used. Routes with a type of LOCAL have a metric equal to 1.
Instance Shows the Management Instance ID.
NextHop Shows the next hop for the route entry.
IntfName Shows the Management Instance interface name for the route entry.
Type Shows the type of route entry.

View IPv6 Operational Routes for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view IPv6 operational routes.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Mgmt.
4. Select the Ipv6Route tab.

Ipv6Route Field Descriptions


Use the data in the following table to use the Ipv6Route tab.


Name Description
DestAddr Shows the destination address of the route entry.
PrefixLen Shows the destination prefix length of the route entry.
Metric Shows the metric, or cost, assigned to the route entry. If multiple entries exist to the same destination, the metric determines which route is used. Routes with a type of LOCAL have a metric equal to 256.
Instance Shows the Management Instance ID.
NextHop Shows the next hop for the route entry.
IntfName Shows the Management Instance interface name for the route entry.
Type Shows the type of route entry.

View Topology IP for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view the default topology IP address for a Segmented Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Mgmt.
4. Select the TopologyIp tab.

TopologyIp Field Descriptions


Use the data in the following table to use the TopologyIp tab.

Name Description
AddrType Shows the IP address type for the topology IP.
Addr Shows the IP address for the topology IP.
InterfaceName Shows the interface name of the identified interface for the topology IP.
InstanceId Specifies the interface instance for the topology IP.


Configure an IP Address for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to configure and view IPv4 address information for a Segmented Management Instance.

Before You Begin


• Ensure the IP address you plan to assign is not in use by an existing VLAN or CLIP IP subnet
configured on the switch.
• If the DHCP client is configured for a Segmented Management Instance, you must manually disable
the client. Configuring an IP address does not automatically disable the DHCP client.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Mgmt.
4. Select the IpAddress tab.
5. Select Insert.
6. Select the Segmented Management Instance interface type.
7. Type the address information.
8. Select Insert.

IpAddress Field Descriptions


Use the data in the following table to use the IpAddress tab.

Name Description
InstanceId Specifies the interface instance.
Address Specifies the IPv4 address for the interface instance. Ensure that the management CLIP IP address does not fall into the range of a configured VLAN IP address range as this is not allowed.
Mask Specifies the subnet mask of the IP address.
AddrOrigin Shows the IP address origin.
IntfName Shows the interface name.

Configure an IPv6 Address for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to configure or view IPv6 address information for a Segmented Management Instance.


Before You Begin


• Ensure the IP address you plan to assign is not in use by an existing VLAN or CLIP IP subnet
configured on the switch.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Mgmt.
4. Select the Ipv6Address tab.
5. Select Insert.
6. Select the Segmented Management Instance interface type.
7. Type the address information.
8. Select Insert.

Ipv6Address Field Descriptions


Use the data in the following table to use the Ipv6Address tab.

Name Description
InstanceId Specifies the interface instance.
Address Specifies the IPv6 address for the interface instance. Ensure that the management CLIP IP address does not fall into the range of a configured VLAN IP address range as this is not allowed.
PrefixLength Specifies the prefix length for the IPv6 address.
AddrOrigin Shows the IPv6 address origin.
IntfName Shows the interface name.
DadStatus Shows the IPv6 DAD status of the address.

View Segmented Management Instance Statistics


Note
This procedure does not apply to VSP 8600 Series.

View operational statistics for the Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Mgmt.
4. Select the Interface tab.
5. Select a Management Instance by placing the cursor in a cell within the applicable row.
6. Select Graph.


Interface Counters Field Descriptions


Use the data in the following table to use the Interface Counters tab.

Name Description
RxPkts Counts the packets received on the Segmented Management Instance.
RxError Counts the packets received with errors on the Segmented Management Instance.
RxDrop Counts the packets received and dropped on the Segmented Management Instance.
TxPkts Counts the packets transmitted on the Segmented Management Instance.
TxError Counts the packets transmitted with errors on the Segmented Management Instance.
TxDrop Counts the packets dropped before transmission on the Segmented Management Instance.

View IP Address Statistics for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view IP address statistics for a Segmented Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Stats.
4. Select the IP tab.
5. To clear IP statistics, select Clear Stats.
6. To clear IP counters, select Clear Counters.

IP Field Descriptions
Use the data in the following table to use the IP tab.

Name Description
InReceives Shows the inbound packet statistics.
InHdrErrors Shows the inbound packets with header errors statistics.
InAddrErrors Shows the inbound packets with address errors statistics.
InUnknownProtos Shows the inbound packets with unknown protocols statistics.
InDiscards Shows the inbound packets discarded statistics.
InDelivers Shows the inbound packets delivered statistics.
OutRequests Shows the outbound packet requests statistics.
OutDiscards Shows the outbound packets discarded statistics.
OutNotRoutes Shows the outbound packets with no routes statistics.
ForwDatagrams Shows the forwarded datagram packets statistics.
ReasmTimeout Shows the packet reassembly timeouts statistics.
ReasmReqds Shows the packet reassembly requests statistics.
ReasmOKs Shows the successfully reassembled packets statistics.
ReasmFails Shows the failed reassembled packets statistics.
FragOKs Shows the successfully fragmented packets statistics.
FragFails Shows the failed fragmented packets statistics.
FragCreates Shows the fragments created statistics.

View IPv6 Address Statistics for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series or XA1400 Series.

Use this task to view IPv6 address statistics for a Segmented Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Stats.
4. Select the IPv6 tab.
5. To clear IP statistics, select Clear Stats.
6. To clear IP counters, select Clear Counters.

IPv6 Field Descriptions


Use the data in the following table to use the IPv6 tab.

Name Description
InReceives Shows the inbound packet statistics.
InHdrErrors Shows the inbound packets with header errors statistics.
InAddrErrors Shows the inbound packets with address errors statistics.
InUnknownProtos Shows the inbound packets with unknown protocols statistics.
InDiscards Shows the inbound packets discarded statistics.
InDelivers Shows the inbound packets delivered statistics.
InTooBigErrors Shows the inbound packets too big errors statistics.
InNoRoutes Shows the inbound packets with no routes statistics.
InTruncatedPkts Shows the inbound packets truncated statistics.
InMcastPkts Shows the inbound multicast packets statistics.
InOctets Shows the inbound octets statistics.
InMcastOctets Shows the inbound multicast octets statistics.
InBcastOctets Shows the inbound broadcast octets statistics.
InNoECTPkts Shows the inbound packets with no Explicit Congestion Notification (ECN) statistics.
InECT1Pkts Shows the inbound packets with ECT(1) statistics.
InECT0Pkts Shows the inbound packets with ECT(0) statistics.
InCEPkts Shows the inbound packets with Congestion Encountered (CE) statistics.
OutRequests Shows the outbound packet requests statistics.
OutDiscards Shows the outbound packets discarded statistics.
OutNoRoutes Shows the outbound packets with no routes statistics.
OutForwDatagrams Shows the forwarded datagram packets statistics.
OutMcastPkts Shows the outbound multicast packets statistics.
OutOctets Shows the outbound octets statistics.
OutMcastOctets Shows the outbound multicast octets statistics.
OutBcastOctets Shows the outbound broadcast octets statistics.
ReasmTimeout Shows the packet reassembly timeouts statistics.
ReasmReqds Shows the packet reassembly requests statistics.
ReasmOKs Shows the successfully reassembled packets statistics.
ReasmFails Shows the failed reassembled packets statistics.
FragOKs Shows the successfully fragmented packets statistics.
FragFails Shows the failed fragmented packets statistics.
FragCreates Shows the fragments created statistics.


View IP ICMP Statistics for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view IP ICMP statistics for a Segmented Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Stats.
4. Select the IP-ICMP tab.
5. To clear IP statistics, select Clear Stats.
6. To clear IP counters, select Clear Counters.

IP-ICMP Field Descriptions


Use the data in the following table to use the IP-ICMP tab.

Name Description
InMsgs Shows the inbound messages statistics.
InErrors Shows the inbound errors statistics.
InCsumErrors Shows the inbound checksum errors statistics.
InDestUnreachs Shows the inbound destination unreachable statistics.
InTimeExcds Shows the inbound time exceeded statistics.
InParmProbs Shows the inbound parameter problems statistics.
InSrcQuenchs Shows the inbound source quench statistics.
InRedirects Shows the inbound redirects statistics.
InEchos Shows the inbound echos statistics.
InEchoReps Shows the inbound echo replies statistics.
InTimestamps Shows the inbound timestamps statistics.
InTimestampsReps Shows the inbound timestamp replies statistics.
InAddrMasks Shows the inbound address masks statistics.
InAddrMaskReps Shows the inbound address mask replies statistics.
OutMsgs Shows the outbound messages statistics.
OutErrors Shows the outbound errors statistics.
OutDestUnreachs Shows the outbound destination unreachable statistics.
OutTimeExcds Shows the outbound time exceeded statistics.
OutParmProbs Shows the outbound parameter problems statistics.
OutSrcQuenchs Shows the outbound source quench statistics.
OutRedirects Shows the outbound redirects statistics.
OutEchos Shows the outbound echos statistics.
OutEchoReps Shows the outbound echo replies statistics.
OutTimestamps Shows the outbound timestamps statistics.
OutTimestampReps Shows the outbound timestamp replies statistics.
OutAddrMasks Shows the outbound address masks statistics.
MsgInType0 Shows the inbound Type0 messages statistics.
MsgOutType8 Shows the outbound Type8 messages statistics.

View IPv6 ICMP Statistics for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view IPv6 ICMP statistics for a Segmented Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Stats.
4. Select the IPv6-ICMP tab.
5. To clear IP statistics, select Clear Stats.
6. To clear IP counters, select Clear Counters.

IPv6-ICMP Field Descriptions


Use the data in the following table to use the IPv6-ICMP tab.

Name Description
InMsgs Shows the inbound messages statistics.
InErrors Shows the inbound errors statistics.
InCsumErrors Shows the inbound checksum errors statistics.
InDestUnreachs Shows the inbound destination unreachable statistics.
InTimeExcds Shows the inbound time exceeded statistics.
InParmProbs Shows the inbound parameter problems statistics.
InPktTooBigs Shows the inbound packets too big statistics.
InRedirects Shows the inbound redirects statistics.
InEchos Shows the inbound echos statistics.
InEchoReplies Shows the inbound echo replies statistics.
InGroupMembQueries Shows the inbound group member queries statistics.
InGroupMembResponses Shows the inbound group member responses statistics.
InGroupMembReductions Shows the inbound group member reductions statistics.
InRouterSolicits Shows the inbound router solicits statistics.
InRouterAdvertisements Shows the inbound router advertisements statistics.
InNeighborSolicits Shows the inbound neighbor solicits statistics.
InNeighborAdvertisements Shows the inbound neighbor advertisements statistics.
InMLDv2Reports Shows the inbound MLDv2 reports statistics.
InType134 Shows the inbound type134 statistics.
InType136 Shows the inbound type136 statistics.
OutMsgs Shows the outbound messages statistics.
OutErrors Shows the outbound errors statistics.
OutDestUnreachs Shows the outbound destination unreachable statistics.
OutTimeExcds Shows the outbound time exceeded statistics.
OutParmProbs Shows the outbound parameter problems statistics.
OutPktTooBigs Shows the outbound packets too big statistics.
OutRedirects Shows the outbound redirects statistics.
OutEchos Shows the outbound echos statistics.
OutEchoReps Shows the outbound echo replies statistics.
OutGroupMembQueries Shows the outbound group member queries statistics.
OutGroupMembResponses Shows the outbound group member responses statistics.
OutGroupMembReductions Shows the outbound group member reductions statistics.
OutRouterStatistics Shows the outbound router statistics.
OutRouterAdvertisements Shows the outbound router advertisements statistics.
OutNeighborSolicits Shows the outbound neighbor solicits statistics.
OutNeighborAdvertisements Shows the outbound neighbor advertisements statistics.
OutMLDv2Reports Shows the outbound MLDv2 reports statistics.
OutType133 Shows the outbound Type133 statistics.
OutType135 Shows the outbound Type135 statistics.
OutType143 Shows the outbound Type143 statistics.

View UDP Statistics for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view UDP statistics for a Segmented Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Stats.
4. Select the IP/IPv6 UDP tab.

IP/IPv6 UDP Field Descriptions


Use the data in the following table to use the IP/IPv6 UDP tab.

Name Description
IPVersion Shows the IP address version as ipv4 or ipv6.
InDatagrams Shows the input datagram statistics.
NoPorts Shows the number of ports statistics.
InErrors Shows the input errors statistics.
OutDatagrams Shows the output datagram statistics.
IgnoredMulti Shows the ignored multiport statistics.
RcvbufErrors Shows the received buffer errors statistics.
SndbufErrors Shows the send buffer errors statistics.
InCsumErrors Shows the input checksum errors statistics.
Clear Specifies to clear the statistics. Default is false.

View TCP Statistics for a Segmented Management Instance


Note
This procedure does not apply to VSP 8600 Series.

Use this task to view TCP statistics for a Segmented Management Instance.


Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Stats.
4. Select the IP/IPv6 TCP tab.

IP/IPv6 TCP Field Descriptions


Use the data in the following table to use the IP/IPv6 TCP tab.

Name Description
IPVersion Shows the IP address version as ipv4 or ipv6.
ActiveOpens Shows the active open TCP connections statistics.
PassiveOpens Shows the passive open TCP connections statistics.
AttemptFails Shows the TCP connection attempt failures statistics.
EstabResets Shows the TCP connection established resets statistics.
InSegs Shows the input segments statistics.
OutSegs Shows the output segments statistics.
RetransSegs Shows the retransmit segments statistics.
InErrs Shows the input checksum errors statistics.
OutRsts Shows the output resets statistics.
InCsumErrors Shows the input checksum errors statistics.
Clear Specifies to clear the statistics. Default is false.

View TCP Connections and UDP Endpoints Statistics for a Segmented Management Instance

Note
This procedure does not apply to VSP 8600 Series.

Use this task to view TCP connections and UDP endpoints statistics for a Segmented Management
Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select Stats.
4. Select the IP/IPv6 Socket (TCP/UDP) tab.


IP/IPv6 Socket (TCP/UDP) Field Descriptions


Use the data in the following table to use the IP/IPv6 Socket (TCP/UDP) tab.

Name Description
IPVersion Shows the IP address version as ipv4 or ipv6.
Type Shows the connection type as tcp or udp.
Index Shows the index ID for the connection.
State Shows the link state for the connection.
RecvQ Shows the connection received quantity.
SendQ Shows the connection sent quantity.
LocalAddressAndPort Shows the local IP address and port.
PeerAddressAndPort Shows the peer IP address and port.

Segmented Management Instance Configuration for VSP 8600 Series using EDM
Note
This section only applies to VSP 8600 Series.

This section provides procedures to configure a Segmented Management Instance using EDM.

Configure a Segmented Management Instance


Note
This procedure only applies to VSP 8600 Series.

You must create a Management Instance to gain access to specific management applications.

About This Task

The Management Instance supports different management interface types. When you create the
Management Instance, you specify the interface type and the switch automatically creates the
appropriate instance ID for that type.

In a Layer 3 routing or Fabric deployment, use a management CLIP.

Each Management Instance supports a single IPv4 and IPv6 (global scope) management address for
use by management applications.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select the MgmtInterface tab.
4. Select Insert.
5. Select the type of Management Instance to create.


6. (Optional) For a CLIP Management Instance, in the VrfName field, type the VRF name to associate
with the CLIP instance.

Note
If you want to associate the GRT with the CLIP instance, type GlobalRouter in the
VrfName field. You cannot use mgmtrouter as the VRF.
If you specify a non-default VRF, you must enable Layer 3 VSN to achieve IPv6 CLIP
connectivity.

7. Select the State check box to enable the instance.


8. Select Insert.

MgmtInterface field descriptions


Use the data in the following table to use the MgmtInterface tab.

Name Description
InstanceId Shows a value that identifies the Management Instance type associated with this entry.
InterfaceType Indicates the interface type.
VlanId Specifies the ID of a port-based VLAN to associate with a particular management IP instance, if the management VLAN interface is supported.
OOBIfIndex Specifies the interface index of the OOB port to associate with a particular management IP instance, if the management OOB interface is supported.
VrfName Specifies the VRF name to associate with the management CLIP.
State Indicates if the interface is enabled for this instance. The default is disabled.
InterfaceMacAddr Shows the MAC address for the interface.
InterfaceName Shows the interface name.

Configure a Segmented Management Instance IP Address


Note
This procedure only applies to VSP 8600 Series.

After you create the Management Instance, you can add an IP address to it, and then configure route
redistribution to advertise reachability of the Management Instance to the rest of the network.

Before You Begin


• Ensure the IP address you plan to assign is not in use by an existing VLAN or CLIP IP subnet
configured on the switch.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.


3. Select the MgmtAddress tab.

Tip
If you create the interface and assign an IP address during the same EDM session, you
may need to select Refresh on the MgmtAddress tab before you see the new interface to
configure.

4. To assign an IPv4 address:


a. Select the IpAddress field, and then type the IPv4 address value.
b. Select the IpMask field, and then type the IPv4 Mask value.
5. To assign an IPv6 address:
a. Select the Ipv6Address field, and then type the IPv6 address value.
b. Select the Ipv6PrefixLength field, and then type the IPv6 prefix value.
6. Select Apply.

MgmtAddress Field Descriptions


Use the data in the following table to use the MgmtAddress tab.

Name Description
InstanceId Shows a value that identifies the Management Instance type associated with this entry.
IpAddress Specifies the IPv4 management address.
IpMask Specifies the subnet mask of the IPv4 management address.
Ipv6Address Specifies the IPv6 management address. Each Management Instance supports a single IPv6 management address for use by management applications.
Ipv6PrefixLength Specifies the prefix length of the IPv6 management address. It is /128 for a loopback interface.
Ipv6LinkLocalAddr Shows the automatically generated link local address.
InterfaceName Shows the interface name.

View IPv4 Operational Routes for a Segmented Management Instance


Note
This procedure only applies to VSP 8600 Series.

Use this task to view IPv4 operational routes.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select the MgmtIpRoute tab.

MgmtIpRoute Field Descriptions


Use the data in the following table to use the MgmtIpRoute tab.


Name Description
DestAddr Shows the destination address of the route entry.
DestMask Shows the destination mask of the route entry.
Metric Shows the metric, or cost, assigned to the route entry. If multiple entries exist to the same destination, the metric determines which route is used. Routes with a type of LOCAL have a metric equal to 256.
Instance Shows the Management Instance ID.
NextHop Shows the next hop for the route entry.
IntfName Shows the Management Instance interface name for the route entry.
Type Shows the type of route entry.

View IPv6 Operational Routes for a Segmented Management Instance


Note
This procedure only applies to VSP 8600 Series.

Use this task to view IPv6 operational routes.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select the MgmtIpv6Route tab.

MgmtIpv6Route Field Descriptions


Use the data in the following table to use the MgmtIpv6Route tab.

Name Description
DestAddr Shows the destination address of the route entry.
PrefixLen Shows the destination prefix length of the route entry.
Metric Shows the metric, or cost, assigned to the route entry. If multiple entries exist to the same destination, the metric determines which route is used. Routes with a type of LOCAL have a metric equal to 256.
Instance Shows the Management Instance ID.
NextHop Shows the next hop for the route entry.
IntfName Shows the Management Instance interface name for the route entry.
Type Shows the type of route entry.

Migrate an IP Address to a Segmented Management Instance


Note
This procedure only applies to VSP 8600 Series.

Use this procedure to designate an existing VLAN or loopback IP address as a Segmented Management
Instance. This action moves the IP interface from the VOSS routing stack to the management stack to
use with management applications.

About This Task

You cannot migrate interfaces used for routing purposes, for example, where you configure Layer 3
routing protocols.

This command does not apply to the OOB or mgmtEthernet interface. Releases that support this
migration procedure automatically move the IP address on the mgmtEthernet interface from the
routing stack to the Segmented Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select the MgmtMigrate tab.
4. Select Insert.
5. Select the instance type, either clip or vlan.
6. Specify the existing VLAN or loopback ID.
7. Select Insert.

MgmtMigrate field descriptions


Use the data in the following table to use the MgmtMigrate tab.

Name Description
InstanceId Specifies the interface instance to migrate.
InterfaceIndex Shows the interface index of the identified interface.
InterfaceType Shows the interface type.
Description Shows the interface description.
VlanId Specifies the VLAN ID for a port-based VLAN.
LoopbackId Specifies the loopback ID.
VrfName Shows the VRF associated with the loopback interface.
IpAddress Shows the IPv4 address to migrate.
IpMask Shows the subnet mask for the IPv4 address.
Ipv6Address Shows the IPv6 address to migrate.
Ipv6PrefixLength Shows the prefix length for the IPv6 address.

View Segmented Management Instance Statistics


Note
This procedure only applies to VSP 8600 Series.

View operational statistics for the Management Instance.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Mgmt Instance.
3. Select the Mgmt Instance tab.
4. Select a Management Instance by placing the cursor in a cell within the applicable row.
5. Select Graph.

Interface Counters Field Descriptions


Use the data in the following table to use the Interface Counters tab.

Name Description
RxPkts Counts the packets received on the Segmented Management Instance.
RxError Counts the packets received with errors on the Segmented Management Instance.
RxDrop Counts the packets received and dropped on the Segmented Management Instance.
TxPkts Counts the packets transmitted on the Segmented Management Instance.
TxError Counts the packets transmitted with errors on the Segmented Management Instance.
TxDrop Counts the packets dropped before transmission on the Segmented Management Instance.



Basic Administration
Fundamentals
Basic Configuration
Verification
Basic Administration Procedures using CLI
Basic administration procedures using EDM
Boot parameter configuration using the CLI
Run-time process management using CLI
Hardware status using EDM

The following topics provide instructions to perform basic configuration of, and administrative tasks for,
the switch and software.

Examples and network illustrations may illustrate only one of the supported platforms. Unless otherwise
noted, the concept illustrated applies to all supported platforms.

Fundamentals
This section includes the minimum, but essential, configuration steps to:
• provide a default, starting point configuration
• establish basic security on the node

For more information about hardware specifications and installation procedures, see the following
documents:
• Installing the Virtual Services Platform 4450GSX-PWR+
• Installing the Virtual Services Platform 4450GTX-HT-PWR+
• VSP 4900 Series Switches: Hardware Installation Guide
• Installing the Virtual Services Platform 7200 Series
• VSP 7400 Series Switches: Hardware Installation Guide
• Installing the Virtual Services Platform 8000 Series
• Installing the Virtual Services Platform 8600
• XA1400 Series Switches: Hardware Installation Guide


advanced-feature-bandwidth-reservation Boot Flag

Table 14: Advanced Feature Bandwidth Reservation product support


| Feature | Product | Release introduced |
| --- | --- | --- |
| Advanced Feature Bandwidth Reservation. Note: If your switch does not have this boot flag, it is because the hardware reserves the bandwidth automatically with no user interaction. | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | Not Supported |
| | VSP 7200 Series | Not Supported |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | Not Supported |
| | VSP 8400 Series | Not Supported |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | VOSS 8.0.50; XA1480 only, demonstration feature |

The switch enables the boot config flags advanced-feature-bandwidth-reservation command by default
to use advanced features on the switch. If you disable the boot config flags
advanced-feature-bandwidth-reservation command and attempt to enable an advanced
feature, the switch displays an error message to explain why the advanced feature failed to start, and to
remind you that you must enable this boot configuration flag for that advanced feature.

Important
If you change the configuration, you must save the configuration, and then reboot the switch
for the change to take effect.
If you disable this feature and save the configuration, any configuration for advanced features
remains saved in the configuration file but is not used.

VSP 7400 Series


By default, this boot configuration flag is enabled with the low level option.

When disabled, you can use all ports for Layer 2 or Layer 3 forwarding of standard unicast and
multicast features. Use this mode if you are not configuring advanced features. The syntax for disabling
this boot configuration flag is no boot config flags advanced-feature-bandwidth-reservation.

When enabled, also known as Full Feature mode, the switch supports advanced features by reassigning
some of the front panel ports to be loopback ports. The following advanced features require loopback
ports:
• Fabric Extend
• SPB
• SMLT
• vIST
• VXLAN Gateway
• Fabric RSPAN (Mirror to I-SID)
• Application Telemetry
• IS-IS Accept Policies
• Segmented Management Instance CLIP interface

Note
Full Feature mode does not support PIM.

The syntax for enabling the boot flag for this mode is:
boot config flags advanced-feature-bandwidth-reservation [low | high].

The high level parameter means that the switch reserves the maximum bandwidth for the advanced
features.

The low level parameter means that the switch reserves less bandwidth to support minimum
functionality for advanced features.

After the switch reserves the appropriate ports to become loopback ports, the ports are no longer
visible in the output when you enter show interfaces gigabitEthernet.

Important
If you change the configuration, you must save the configuration, and then reboot the switch
for the change to take effect.
If you disable this feature and save the configuration, any configuration for advanced features
remains saved in the configuration file but is not used.

The following table lists the ports reserved as loopback ports:

| Product | Reserved loopback ports |
| --- | --- |
| VSP 7432CQ | Low reserves ports 1/31 and 1/32. High reserves ports 1/29, 1/30, 1/31, and 1/32. |
| VSP 7400-48Y | Low reserves ports 1/55 and 1/56. High reserves ports 1/53, 1/54, 1/55, and 1/56. |

Important
You must ensure your configuration does not include reserved ports before you enable this
feature. If the configuration includes reserved ports after you enable this feature and restart
the switch, the switch stops loading the configuration.

XA1400 Series

Note
Product Notice: This feature is available in demo mode only on XA1480 and supports low level
parameter configuration automatically, which cannot be modified.

When disabled, all I-SID bindings are removed and the switch can only operate as a Backbone Core
Bridge (BCB). The syntax for disabling this boot configuration flag is: no boot config flags
advanced-feature-bandwidth-reservation.


When enabled, the switch reserves CPU cores for Backbone Edge Bridge (BEB) functionality. The
syntax for enabling the boot flag for this mode is:
boot config flags advanced-feature-bandwidth-reservation low.

spbm-config-mode boot flag

Table 15: spbm-config-mode product support


| Feature | Product | Release introduced |
| --- | --- | --- |
| spbm-config-mode (boot config flags spbm-config-mode) | VSP 4450 Series | VOSS 4.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0.1 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | Not Supported |

Shortest Path Bridging (SPB) and Protocol Independent Multicast (PIM) cannot interoperate with each
other on the switch at the same time. To ensure that SPB and PIM stay mutually exclusive, the software
uses a boot flag called boot config flags spbm-config-mode.
• The boot config flags spbm-config-mode flag is enabled by default. This enables you to
configure SPB and IS-IS, but you cannot configure PIM and IGMP either globally or on an interface.
• If you disable the boot flag, save the configuration, and then reboot with the saved configuration.
When the flag is disabled, you can configure PIM and IGMP Snooping, but you cannot configure SPB
or IS-IS.

Important
After you change the boot config flags spbm-config-mode flag, you must save the
configuration, and then reboot the switch for the change to take effect.

For more information about this boot flag and Simplified vIST, see IP Multicast on page 1457.


nni-mstp boot config flag

Table 16: nni-mstp boot flag product support


| Feature | Product | Release introduced |
| --- | --- | --- |
| nni-mstp boot flag (boot config flags nni-mstp) | VSP 4450 Series | VOSS 6.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.0 |
| | VSP 8400 Series | VOSS 6.0 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

The nni-mstp boot flag changes the default behavior of the MSTP on SPBM network-to-network
interface (NNI) ports. The Common and Internal Spanning Tree (CIST) is disabled automatically on the
NNI, and the NNI ports can only be members of backbone VLANs (B-VLAN).
• During startup, if you have a non-B-VLAN on SPBM NNI ports in your configuration file, the system
sets the nni-mstp flag to true (if it was not already set to true) and enables MSTP on SPBM NNI
ports, and all other configurations remain the same. Save your configuration file. If you do not save
your configuration, you continue to see the following message on reboot:
Warning
Detected brouter and/or vlans other than BVLANs on NNI ports. Setting the boot config
flag nni-mstp to true. Saving configuration avoids repetition of this warning on
reboot.

Note
When the nni-mstp flag is set to true, only MSTI 62 is disabled on the SPBM NNI ports. You
can add the SPBM NNI ports to any VLAN.

• If you configure the nni-mstp boot configuration flag to false (default), the system checks to make
sure that the SPBM NNI ports do not have brouter (IPv4 or IPv6) or non-SPBM VLANs configured.
The nni-mstp flag is then set to false. Save your configuration file, and reboot the switch for the
configuration change to take effect.

Note
Ensure that all SPBM NNI ports in non-B-VLAN are removed prior to setting the nni-mstp
flag to false.

Example: Configuring nni-mstp to true


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#boot config flags nni-mstp
Warning: Please save the configuration and reboot the switch for this configuration to
take effect.
Switch:1(config)#


System Connections
Connect the serial console interface (an RJ–45 jack) to a PC or terminal to monitor and configure
the switch. The port uses an RJ–45 connector that operates as data terminal equipment (DTE). Some
switches also provide a USB port or micro USB port for serial console interface connectivity. See your
hardware documentation for available ports.

The default communication protocol settings for the console port are:
• Baud rate:
◦ VSP 4450 Series — 9600
◦ VSP 4900 Series — 115200
◦ VSP 7200 Series — 9600
◦ VSP 7400 Series — 115200
◦ VSP 8200 Series — 9600
◦ VSP 8400 Series — 9600
◦ VSP 8600 Series — 115200
◦ XA1400 Series — 115200
• 8 data bits
• 1 stop bit
• No parity
• No flow control.

To use the console port, you need a terminal or teletypewriter (TTY)-compatible terminal, or a portable
computer with a serial port and terminal-emulation software.

Depending on the hardware platform, the console port can display as console port or 10101.

Boot Sequence

Table 17: Linux kernel version product support


| Feature | Product | Release introduced |
| --- | --- | --- |
| Linux kernel version. Important: For VSP 4450 Series, VSP 7200 Series, VSP 8200, and VSP 8400 Series, kernel version 4.9 has special upgrade considerations the first time you upgrade to a release that supports it. You must first upgrade to a stepping-stone release, 6.1.x, before you upgrade to the release with the new kernel. | VSP 4450 Series | 4.9 as of VOSS 7.0 |
| | VSP 4900 Series | 5.4 as of VOSS 8.6 |
| | VSP 7200 Series | 4.9 as of VOSS 7.0 |
| | VSP 7400 Series | 5.4 as of VOSS 8.6 |
| | VSP 8200 Series | 4.9 as of VOSS 7.0 |
| | VSP 8400 Series | 4.9 as of VOSS 7.0 |
| | VSP 8600 Series | 4.9 as of VSP 8600 8.0 |
| | XA1400 Series | 5.4 as of VOSS 8.6 |

The switch goes through a boot sequence before it becomes fully operational. After you turn on power
to the switch, the system starts.


The boot sequence consists of the following stages:


• Loading Linux on page 148
• Loading the Primary Release on page 149
• Deploying Zero Touch on page 149 or Loading the Configuration File on page 149

The following figure shows a summary of the boot sequence.

Figure 9: Boot Sequence

Loading Linux
Depending on the Linux kernel used, the boot image is stored either in a boot flash partition, Secure
Digital (SD), or Solid State Drive (SSD) flash card. The boot image includes the boot loader, and the
Linux kernel and applications.


The boot location contains two versions of the boot image: a committed version (the primary release)
and a backup version. A committed version is one that is marked as good (if you can start the system
using that version). The system automatically uses the backup version if the system fails the first time
you start with a new version.

Loading the Primary Release


The switch can install a maximum of six releases but can only load one of two—a primary (committed)
release or a backup release.

The system saves software image files to the /intflash/release/ directory.

After loading the primary release, the CPU and basic system devices, such as the console port,
initialize. Depending on the hardware platform, the console port displays as console or 10101. At this
stage, the I/O ports are not available; the system does not initialize the I/O ports until the port sends
configuration data.

Deploying Zero Touch

Important
Zero Touch Deployment does not function if primary or secondary configuration files exist.

After the system loads the primary release and the switch is in a Zero Touch Deployment-ready
configuration mode, the switch automatically deploys without intervention.

For more information, see Zero Touch Deployment on page 58.

Loading the Configuration File


After the system loads the primary release, it identifies the location and file name of the primary
configuration file. You can save this file in internal flash.

If the primary configuration file does not exist, the system looks for the backup configuration file, as
identified by version.cfg. If this file does not exist, the system initiates Zero Touch functionality on
the switch that enables Zero Touch Fabric Configuration. For more information, see Zero Touch Fabric
Configuration on page 63.

Note
Exception: for VSP 8600 Series and XA1400 Series, if the configuration file does not exist,
the system loads the factory-default configuration, which is the equivalent of using the boot
config flags factorydefaults command.

The switch configuration consists of higher-level functionality, including:


• Chassis configuration
• Port configuration
• Virtual LAN (VLAN) configuration
• Routing configuration
• IP address assignments
• Remote monitoring (RMON) configuration


The default switch configuration in Zero Touch Fabric Configuration mode includes the following:
• Shortest Path Bridging MAC (SPBM) instance is created.
• Intermediate System-to-Intermediate System (IS-IS) is enabled.
• All ports are enabled and operating in Auto-sense mode.
• The switch issues DHCP requests on the out-of-band (OOB) management port and the
management VLAN.

The default switch configuration in factory default mode includes the following:
• A single, port-based default VLAN with a VLAN identification number of 1
• No interface assigned IP addresses
• Traffic priority for all ports configured to normal priority
• All ports as untagged ports
• Default communication protocol settings for the console port. For more information about these
protocol settings, see System Connections on page 147.

Configuration File Statements


In the configuration file, statements preceded by both the number sign (#) and exclamation point (!)
load prior to the general configuration parameters. Statements preceded by only the number sign are
comments meant to add clarity to the configuration; they do not load configuration parameters. The
following table illustrates the difference between these two statement formats.

Table 18: Configuration file statements


| Sample statement | Action |
| --- | --- |
| # software version : 8.6.0.0 | Adds clarity to the configuration by identifying the software version. |
| #!no boot config flags sshd | Configures the flag to the false condition, prior to loading the general configuration. |

Boot Sequence Modification


You can change the boot sequence in the following ways:
• Change the primary designations for file sources.
• Change the file names from the default values. You can store several versions of the configuration
file and specify a particular one by file name. The specified configuration file only gets loaded when
the chassis starts. To load a new configuration file, you need to restart the system.
• Start the system without loading an existing configuration file so that the system uses the factory
default configuration. You can do this by running the boot config flags factorydefaults
command.

The factorydefaults boot flag removes the runtime, primary, and backup configuration files, resets
all local default user account passwords, and removes all digital certificates. The Radsec, IPsec, IKE,
OSPF, SNMP, SSL, SSH, OVSDB, and NTP files are also removed. The CLI displays a warning that the
configurations, passwords, and files will be reset, and the system logs an informational message. The
configuration and file removals occur during the next boot sequence when the factorydefaults boot
flag is enabled. After the switch reboots, the security mode setting is retained. To enable Zero Touch
Onboarding after a factorydefaults boot, reboot the switch again without saving a configuration.
• Start the system in Zero Touch Deployment mode, which includes Zero Touch Fabric Configuration.
For more information, see Zero Touch Deployment on page 58.

Runtime
After the switch is operational, you can use the runtime commands to perform configuration and
management functions necessary to manage the system. These functions include the following:
• Resetting or restarting the switch
• Adding, deleting, and displaying address resolution protocol (ARP) table entries
• Pinging another network device
• Viewing and configuring variables for the entire system and for individual ports
• Configuring and displaying MultiLink Trunking (MLT) parameters
• Creating and managing port-based VLANs or policy-based VLANs

To access the runtime environment you need a connection from a PC or terminal to the switch. You can
use a direct connection to the switch through the console port or remotely through Telnet, rlogin, or
Secure Shell (SSH) sessions.

Note
rlogin is only supported on VSP 8600 Series.

Important
Before you attempt to access the switch using one of the preceding methods, ensure you first
enable the corresponding daemon flags.


System logon
After the platform boot sequence is complete, the system opens the logon prompt. The following table
shows the default values for logon and password for console and Telnet sessions.

Note
With enhanced secure mode enabled, the person in the role-based authentication level
of administrator configures the login and password values for the other role-based
authentication levels. The administrator initially logs on to the switch using the default login
of admin and the default password of admin. After the initial login, the switch prompts the
administrator to create a new password.

Table 19: Access levels and default logon values


| Access level | Description | Default logon | Default password |
| --- | --- | --- | --- |
| Read-only | Permits view-only configuration and status information. Is equivalent to Simple Network Management Protocol (SNMP) read-only community access. | ro | ro |
| Layer 1 read/write | View most switch configuration and status information and change physical port settings. | l1 | l1 |
| Layer 2 read/write | View and change configuration and status information for Layer 2 (bridging and switching) functions. | l2 | l2 |
| Layer 3 read/write | View and change configuration and status information for Layer 2 and Layer 3 (routing) functions. | l3 | l3 |
| Read/write | View and change configuration and status information across the switch. You cannot change security and password settings. This access level is equivalent to SNMP read/write community access. | rw | rw |
| Read/write/all | Permits all the rights of read/write access and the ability to change security settings, including CLI and web-based management user names and passwords and the SNMP community strings. | rwa | rwa |

System flags
After you enable or disable certain modes and functions, you need to save the configuration and restart
the switch for your change to take effect. This section lists parameters and indicates if they require a
switch restart.


The following table lists parameters you configure in the CLI using the boot config flags
command. For information on system flags and their configuration, see Configure Boot Flags on page
214.

Note
Flag support can vary across hardware models.

Table 20: Boot config flags


| CLI flag | Restart | Note |
| --- | --- | --- |
| advanced-feature-bandwidth-reservation | Yes | Exception: Only supported on VSP 7400 Series and XA1480. |
| block-snmp | No | |
| debug-config | Yes | |
| debugmode | Yes | |
| dvr-leaf-mode | No | The switch does not require a restart when you enable the dvr-leaf-mode flag, as long as there is no unsupported configuration on the switch. |
| enhancedsecure-mode | Yes | |
| factorydefaults | Yes | |
| flow-control-mode | Yes | Exception: Not supported on VSP 8600 Series. |
| ftpd | No | |
| ha-cpu | Yes, the standby CPU restarts automatically. Modifying this flag does not require a system restart. | Exception: Only supported on VSP 8600 Series. |
| hsecure | Yes | |
| linerate-directed-broadcast | Yes | Exception: Only supported on VSP 4450 Series. |
| ipv6-egress-filter | Yes | Exception: Not supported on VSP 8600 Series or XA1400 Series. |
| ipv6-mode | Yes | Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series. |
| logging | No | |
| nni-mstp | Yes | Exception: Not supported on VSP 8600 Series or XA1400 Series. |
| reboot | No | |
| rlogind | No | Exception: Only supported on VSP 8600 Series. |
| savetostandby | No | Exception: Only supported on VSP 8600 Series. |
| spanning-tree-mode | Yes | |
| spbm-config-mode | Yes | |
| sshd | No | |
| telnetd | No | |
| tftpd | No | |
| trace-logging | No | |
| urpf-mode | Yes | Exception: Not supported on VSP 8600 Series or XA1400 Series. |
| verify-config | Yes | |
| vrf-scaling | Yes | |
| vxlan-gw-full-interworking-mode | Yes | Exception: Only supported on VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, and VSP 8400 Series. |


Secure and Nonsecure Protocols


The following table describes the secure and nonsecure protocols that the switch supports.

Table 21: Secure and nonsecure protocols for IPv4 and IPv6
| Nonsecure protocols | Default status | Equivalent secure protocols | Default status |
| --- | --- | --- | --- |
| FTP and Trivial FTP. Note: File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) support both IPv4 and IPv6 addresses, with no difference in functionality or configuration. | Disabled | Secure Copy (SCP) and Secure File Transfer Protocol (SFTP) | Disabled |
| Telnet | Disabled | Secure Shell version 2 (SSHv2) | Disabled |
| SNMPv1, SNMPv2 | Enabled | SNMPv3 | Enabled |
| rlogin. Note: Exception: supported only on VSP 8600 Series. | Disabled | SSHv2 | Disabled |
| HTTP | Disabled | HTTPS | Enabled |

Important:
Take the appropriate security precautions within the network if you use HTTP.

You must use the web-server enable command in CLI before you can access EDM.
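
The statement formats described under Configuration File Statements and the protocol pairs in Table 21 can be combined into an offline audit of a saved configuration file. The following added example (not Extreme Networks code) resolves boot flags in load order, `#!` statements first and general statements second, and reports nonsecure server flags that end up enabled. The sample file is constructed; treating a flag that never appears as disabled, and accepting boot config flags lines outside `#!` statements, are assumptions.

```python
import re

# Nonsecure server flags from Table 20, mapped to the secure equivalent
# that Table 21 lists for the protocol each flag enables.
NONSECURE = {
    "ftpd": "SCP / SFTP",
    "tftpd": "SCP / SFTP",
    "telnetd": "SSHv2",
    "rlogind": "SSHv2",
}

FLAG_RE = re.compile(r"^(no\s+)?boot\s+config\s+flags\s+(\S+)")


def classify(line):
    """Return (kind, statement); kind is 'blank', 'comment', 'preload' or 'general'."""
    text = line.strip()
    if not text:
        return "blank", ""
    if text.startswith("#!"):
        return "preload", text[2:].strip()   # loads before the general configuration
    if text.startswith("#"):
        return "comment", text[1:].strip()   # never loaded
    return "general", text


def effective_flags(config_text):
    """Map each boot flag to (enabled, line number of the deciding statement)."""
    staged = {"preload": [], "general": []}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        kind, statement = classify(line)
        match = FLAG_RE.match(statement) if kind in staged else None
        if match:
            staged[kind].append((lineno, match.group(2), match.group(1) is None))
    state = {}
    # Apply in load order, not file order: later statements override earlier ones.
    for kind in ("preload", "general"):
        for lineno, flag, enabled in staged[kind]:
            state[flag] = (enabled, lineno)
    return state


def audit(config_text):
    """List nonsecure server flags that are enabled once the file has loaded."""
    state = effective_flags(config_text)
    findings = []
    for flag, secure in NONSECURE.items():
        enabled, lineno = state.get(flag, (False, None))  # assumption: absent = disabled
        if enabled:
            findings.append({"flag": flag, "line": lineno, "use_instead": secure})
    return findings


# Constructed sample. Line 2 is a general statement placed ahead of the '#!'
# statement on line 5 to show that load order, not file order, decides.
SAMPLE_CONFIG = """\
# software version : 8.6.0.0
no boot config flags ftpd
#!no boot config flags sshd
#!boot config flags telnetd
#!boot config flags ftpd
# boot config flags tftpd
boot config flags sshd
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['flag']} is enabled; "
              f"Table 21 lists {finding['use_instead']} as the secure equivalent")
```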

Client and Server Support

Table 22: Client and Server product support


Feature Product Release introduced Release deprecated
File Transfer Protocol VSP 4450 Series VSP 4000 4.0 Not Applicable
(FTP) server and client
(IPv4) VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 4.2.1 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VSP 8200 4.0 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 4.5 Not Applicable
XA1400 Series VOSS 8.0.50 Not Applicable

VOSS User Guide for version 8.7 155


Client and Server Support Basic Administration

Table 22: Client and Server product support (continued)


Feature Product Release introduced Release deprecated
File Transfer Protocol VSP 4450 Series VOSS 4.1 Not Applicable
(FTP) server and client
(IPv6) VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 4.2.1 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VOSS 4.1 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 6.2 Not Applicable
XA1400 Series Not Supported Not Applicable
Hypertext Transfer VSP 4450 Series VOSS 4.1 Not Applicable
Protocol (HTTP) and
Hypertext Transfer VSP 4900 Series VOSS 8.1 Not Applicable
Protocol Secure VSP 7200 Series VOSS 4.2.1 Not Applicable
(HTTPS) (IPv4)
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VSP 8200 4.0 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 4.5 Not Applicable
XA1400 Series VOSS 8.0.50 Not Applicable
Hypertext Transfer VSP 4450 Series VOSS 4.1 Not Applicable
Protocol (HTTP) and
Hypertext Transfer VSP 4900 Series VOSS 8.1 Not Applicable
Protocol Secure VSP 7200 Series VOSS 4.2.1 Not Applicable
(HTTPS) (IPv6)
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VOSS 4.1 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 6.2 Not Applicable
XA1400 Series Not Supported Not Applicable
Remote Login (Rlogin) VSP 4450 Series VSP 4000 4.0 VOSS 8.2
server/client (IPv4)
VSP 4900 Series VOSS 8.1 VOSS 8.2
VSP 7200 Series VOSS 4.2.1 VOSS 8.2
VSP 7400 Series VOSS 8.0 VOSS 8.2
VSP 8200 Series VSP 8200 4.0 VOSS 8.2
VSP 8400 Series VOSS 4.2 VOSS 8.2
VSP 8600 Series VSP 8600 4.5 Not Applicable
XA1400 Series VOSS 8.0.50 VOSS 8.2

156 VOSS User Guide for version 8.7


Basic Administration Client and Server Support

Table 22: Client and Server product support (continued)


Feature Product Release introduced Release deprecated
Rlogin server (IPv6) VSP 4450 Series VOSS 4.1 VOSS 8.2
VSP 4900 Series VOSS 8.1 VOSS 8.2
VSP 7200 Series VOSS 4.2.1 VOSS 8.2
VSP 7400 Series VOSS 8.0 VOSS 8.2
VSP 8200 Series VOSS 4.1 VOSS 8.2
VSP 8400 Series VOSS 4.2 VOSS 8.2
VSP 8600 Series VSP 8600 6.2 Not Applicable
XA1400 Series Not Supported VOSS 8.2
Rlogin client (IPv6) VSP 4450 Series VOSS 7.0 VOSS 8.2
VSP 4900 Series VOSS 8.1 VOSS 8.2
VSP 7200 Series VOSS 7.0 VOSS 8.2
VSP 7400 Series VOSS 8.0 VOSS 8.2
VSP 8200 Series VOSS 7.0 VOSS 8.2
VSP 8400 Series VOSS 7.0 VOSS 8.2
VSP 8600 Series VSP 8600 8.0 Not Applicable
XA1400 Series Not Supported VOSS 8.2
Remote Shell (RSH) VSP 4450 Series VSP 4000 4.0 VOSS 8.2
server/client
VSP 4900 Series VOSS 8.1 VOSS 8.2
VSP 7200 Series VOSS 4.2.1 VOSS 8.2
VSP 7400 Series VOSS 8.0 VOSS 8.2
VSP 8200 Series VSP 8200 4.0 VOSS 8.2
VSP 8400 Series VOSS 4.2 VOSS 8.2
VSP 8600 Series VSP 8600 4.5 Not Applicable
XA1400 Series VOSS 8.0.50 VOSS 8.2
Secure Copy (SCP) VSP 4450 Series VSP 4000 4.0 Not Applicable

Note: VSP 4900 Series VOSS 8.1 Not Applicable


The switch does not VSP 7200 Series VOSS 5.0 Not Applicable
support the WinSCP
client. VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VSP 8200 4.0 Not Applicable
VSP 8400 Series VOSS 5.0 Not Applicable
VSP 8600 Series VSP 8600 4.5 Not Applicable
XA1400 Series VOSS 8.0.50 Not Applicable

VOSS User Guide for version 8.7 157


Client and Server Support Basic Administration

Table 22: Client and Server product support (continued)


Feature Product Release introduced Release deprecated
Secure File Transfer VSP 4450 Series VOSS 4.2 Not Applicable
Protocol (SFTP) server
(IPv4) VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 4.2.1 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VOSS 4.2 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 4.5 Not Applicable
XA1400 Series VOSS 8.0.50 Not Applicable
Secure File Transfer VSP 4450 Series VOSS 4.2 Not Applicable
Protocol (SFTP) server
(IPv6) VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 4.2.1 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VOSS 4.2 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 6.2 Not Applicable
XA1400 Series Not Supported Not Applicable
Telnet server and client VSP 4450 Series VSP 4000 4.0 Not Applicable
(IPv4)
VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 4.2.1 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VSP 8200 4.0 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 4.5 Not Applicable
XA1400 Series VOSS 8.0.50 Not Applicable
Telnet server and client VSP 4450 Series VOSS 4.1 Not Applicable
(IPv6)
VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 4.2.1 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VOSS 4.1 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 6.2 Not Applicable
XA1400 Series Not Supported Not Applicable

158 VOSS User Guide for version 8.7


Basic Administration Client and Server Support

Table 22: Client and Server product support (continued)


Feature Product Release introduced Release deprecated
Trivial File Transfer VSP 4450 Series VSP 4000 4.0 Not Applicable
Protocol (TFTP) server
and client (IPv4) VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 4.2.1 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VSP 8200 4.0 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 4.5 Not Applicable
XA1400 Series VOSS 8.0.50 Not Applicable
TFTP server (IPv6) VSP 4450 Series VOSS 4.1 Not Applicable
VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 4.2.1 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VOSS 4.1 Not Applicable
VSP 8400 Series VOSS 4.2 Not Applicable
VSP 8600 Series VSP 8600 6.2 Not Applicable
XA1400 Series Not Supported Not Applicable
TFTP client (IPv6) VSP 4450 Series VOSS 7.0 Not Applicable
VSP 4900 Series VOSS 8.1 Not Applicable
VSP 7200 Series VOSS 7.0 Not Applicable
VSP 7400 Series VOSS 8.0 Not Applicable
VSP 8200 Series VOSS 7.0 Not Applicable
VSP 8400 Series VOSS 7.0 Not Applicable
VSP 8600 Series VSP 8600 8.0 Not Applicable
XA1400 Series Not Supported Not Applicable

Table 23: Secure Shell product support


| Feature | Product | Release introduced |
| --- | --- | --- |
| Secure Shell (SSH) server (IPv4) | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |
| Secure Shell (SSH) client (IPv4) | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |
| Secure Sockets Layer (SSL) certificate management | VSP 4450 Series | VOSS 4.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 4.1 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |
| SSH server (IPv6) | VSP 4450 Series | VOSS 4.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 4.1 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 6.2 |
| | XA1400 Series | Not Supported |
| SSH client (IPv6) | VSP 4450 Series | VOSS 7.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 7.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 7.0 |
| | VSP 8400 Series | VOSS 7.0 |
| | VSP 8600 Series | VSP 8600 8.0 |
| | XA1400 Series | Not Supported |
| SSH client disable | VSP 4450 Series | VOSS 6.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.0 |
| | VSP 8400 Series | VOSS 6.0 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |
| SSH key sizes in multiples of 1024. Note: VOSS Releases 6.0 and 6.0.1 do not support this change. | VSP 4450 Series | VOSS 5.1.2 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.1.2 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.1.2 |
| | VSP 8400 Series | VOSS 5.1.2 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | VOSS 8.0.50 |
| SSH rekey | VSP 4450 Series | VOSS 5.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.1 |
| | VSP 8400 Series | VOSS 5.1 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | VOSS 8.1 |

The client-server model partitions tasks between servers that provide a service and clients that request
a service.


For active CLI clients, users initiate a client connection from the switch to another device.

Note
The switch supports both FTP and TFTP clients. The switch does not launch the FTP and TFTP
clients explicitly as separate commands; you launch them through the CLI copy command. If you
have configured the username through the boot config host command, the CLI copy command uses
the FTP client to transfer files to and from the switch. If you have not configured the username,
the CLI copy command uses the TFTP client to transfer files to and from the switch.
Configuring the boot config flags ftpd or boot config flags tftpd flag enables the FTP or TFTP
server on the switch.

For non-active clients, the client exists on the switch and the switch console initiates the request, with
no intervention from users after the initial setup. For instance, Network Time Protocol (NTP) is a
non-active client. The switch initiates the client request to the central server to obtain the up-to-date time.

Password encryption
The platform stores passwords in encrypted format and not in the configuration file.

Important
For security reasons, configure the passwords to values other than the factory defaults.

Enterprise Device Manager


The switch includes Enterprise Device Manager (EDM), an embedded graphical user interface (GUI)
that you can use to manage and monitor the platform through web-based access without additional
installations.

For more information about EDM, see Enterprise Device Manager on page 263.

Enterprise Device Manager access


To access EDM, enter one of the following addresses in your web browser:
• http://<A.B.C.D>
• https://<A.B.C.D>

Where <A.B.C.D> is the device IP address.

Ensure you use a supported browser version. For more information about supported browsers, see
Supported Browsers on page 264.

Important
• You must enable the web server from CLI to enable HTTP access to the EDM. If you want
HTTP access to the device, you must also disable the web server secure-only option. The
web server secure-only option, allowing for HTTPS access to the device, is enabled by
default. Take the appropriate security precautions within the network if you use HTTP.
• EDM access is available to read-write users only.


If you experience any issues while connecting to the EDM, check the proxy settings. Proxy settings may
affect EDM connectivity to the switch. Clear the browser cache and do not use a proxy when connecting
to the device. This should resolve the issue.

Default user name and password


The following table contains the default user name and password that you can use to log on to the
switch using EDM. For more information about changing the passwords, see Change Passwords on
page 3062.

Table 24: EDM default username and password


Username Password
admin password

Important
The default passwords and community strings are documented and well known. As a best
practice, change the default passwords and community strings immediately after you first log
on. For more information about changing user names and passwords, see Change Passwords
on page 3062.

TLS server for secure HTTPS

Table 25: TLS server for secure HTTPS product support


Feature Product Release introduced
TLS server for secure HTTPS VSP 4450 Series VOSS 5.1.2
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 5.1.2
VSP 7400 Series VOSS 8.0
VSP 8200 Series VOSS 5.1.2
VSP 8400 Series VOSS 5.1.2
VSP 8600 Series VSP 8600 6.1
XA1400 Series VOSS 8.0.50
Note: VOSS Releases 6.0 and 6.0.1 do not support this feature.

This feature enhances communications security by using Mocana NanoSSL to secure the HTTPS
server with the Transport Layer Security (TLS) cryptographic protocol.

The following are the key properties of Secure web server with TLS:
• This feature supports a maximum of 10 concurrent client connections.
• The switch supports TLS version 1.2 and above by default. You can explicitly configure support for
TLS 1.0 and TLS 1.1 using CLI or EDM.
• This feature replaces SSL 3.0 with TLS. SSL 3.0 is not supported.


• TLS server does not support RC4, DES, TDES, and MD5 based cipher suites.
• The minimum password length for the web server is 8 characters, by default. You can change this
using CLI or EDM.

For information about the certificate order priority when the Transport Layer Security (TLS) server and
switch connect, see Certificate Order Priority on page 3009.

IP Address for the Management Port


At startup, the system loads the runtime configuration file, which is stored in the internal flash of the
CPU. If the file is present, the system assigns the IP address for the management port from that file.

You can configure an IP address for the management port if one is not in the configuration file. For more
information, see Configure an IP Address for the Management Port on page 551. This procedure only
applies to VSP 8600 Series. For other products, see Segmented Management on page 69.

Basic Configuration

Connect a Terminal
Before You Begin
• To use the console port, you need the following equipment:
◦ A terminal or Teletypewriter (TTY)-compatible terminal, or a portable computer with a serial port
and terminal-emulation software.
◦ A specific cable with an RJ–45 or USB connector for the console port on the switch. The other
end of the cable must use a connector appropriate to the serial port on the computer or terminal.
• To comply with emissions regulations and requirements, you must shield the cable that connects to
the console port.

Note
If you are using the VSP 4900 Series USB console port with a terminal running Windows 10,
you must install the CP210x USB to UART Bridge Virtual COM Port (VCP) driver from Silicon
Labs before you connect to the terminal.

About This Task

Connect a terminal to the serial console interface to monitor and configure the system directly.

Procedure

1. Configure the terminal protocol as follows:


• 9600 baud or 115200 baud, depending on the hardware platform.
• 8 data bits
• 1 stop bit
• No parity
• No flow control


2. Connect the RJ–45 or USB cable to the console port on the switch.
3. Connect the other end of the cable to the terminal or computer serial port.
4. Turn on the terminal.
5. Log on to the switch.

Changing passwords
Configure new passwords for each access level, or change the logon or password for the different
access levels of the switch. After you receive the switch, use default passwords to initially access CLI.
If you use Simple Network Management Protocol version 3 (SNMPv3), you can change encrypted
passwords.

If you enable the hsecure flag, after the aging time expires, the system prompts you to change your
password. If you do not configure the aging time, the default is 90 days.

If you enable enhanced secure mode with the boot config flags enhancedsecure-mode
command, you enable new access levels, along with stronger password complexity, length, and
minimum change intervals. For more information on system access fundamentals and configuration,
see System access fundamentals on page 3313.

Before You Begin


• You must use an account with read-write-all privileges to change passwords. For security, the switch
saves passwords to a hidden file.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Change a password:
cli password WORD<1–20> {layer1|layer2|layer3|read-only|read-write|read-write-all}
3. Enter the old password.
4. Enter the new password.
5. Re-enter the new password.
6. Configure password options:
password [access-level WORD<2–8>] [aging-time day <1-365>] [default-lockout-time <60-65000>] [lockout WORD<0–46> time <60-65000>] [min-passwd-len <10-20>] [password-history <3-32>]

Example

Switch:1> enable

Switch:1# configure terminal

Change a password:

Switch:1(config)# cli password rwa read-write-all


Enter the old password: ***

Enter the new password: ***

Re-enter the new password: ***

Set password to an access level of read-write-all and the expiration period for the password to 60 days:

Switch:1(config)# password access-level rwa aging-time 60

Variable Definitions

Use the data in the following table to use the cli password command.

Variable Value
layer1|layer2|layer3|read-only|read-write|read-write-all Changes the password for the specific access level.
WORD<1–20> Specifies the user logon name.

Use the data in the following table to use the password command.

Variable Value
access-level WORD<2–8> Permits or blocks this access level. The available
access level values are as follows:
• layer1
• layer2
• layer3
• read-only
• read-write
• read-write-all

aging-time day <1-365> Configures the expiration period for passwords in days, from 1–365. The default is 90 days.
default-lockout-time <60-65000> Changes the default lockout time after three
invalid attempts. Configures the lockout time, in
seconds, and is in the 60–65000 range. The
default is 60 seconds.
To configure this option to the default value, use
the default operator with the command.
lockout WORD<0–46> time <60-65000> Configures the host lockout time.
• WORD<0–46> is the host IPv4 or IPv6 address.
• <60-65000> is the lockout time, in seconds, in the 60–65000 range. The default
is 60 seconds.

min-passwd-len <10-20> Configures the minimum length for passwords in
high-secure mode. The default is 10 characters.
To configure this option to the default value, use
the default operator with the command.
password-history <3-32> Specifies the number of previous passwords the
switch stores. You cannot reuse a password that is
stored in the password history. The default is 3.
To configure this option to the default value, use
the default operator with the command.

Configuring system identification


Configure system identification to specify the system name, contact person, and location of the switch.

Procedure

1. Log on as rwa.
2. Enter Global Configuration mode:
enable

configure terminal
3. Change the system name:
sys name WORD<0–255>
4. Configure the system contact:
snmp-server contact WORD<0–255>
5. Configure the system location:
snmp-server location WORD<0–255>

Example

Change the system name, configure the system contact, and configure the system location:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#sys name Floor3Lab2
Floor3Lab2:1(config)#snmp-server contact http://companyname.com
Floor3Lab2:1(config)#snmp-server location "12 Street, City, State, Zip"

Variable Definitions
Use the data in the following table to use the system-level commands.


Variable Value
contact WORD<0–255> Identifies the contact person who manages the node.
To include blank spaces in the contact, use quotation
marks (") around the text.
location WORD<0–255> Identifies the physical location of the node. To include
blank spaces in the location, use quotation marks (")
around the text.
name WORD<0–255> Configures the system or root level prompt name for
the switch. WORD<0–255> is an ASCII string from 1–255
characters (for example, LabSC7 or Closet4).

Configuring the CLI Banner


Configure the logon banner to display a message to users before authentication and configure a system
login message-of-the-day in the form of a text banner that displays after each successful logon.

About This Task

You can use the custom logon banner to display company information, such as company name and
contact information. For security, you can change the default logon banner of the switch, which
contains specific system information, including platform type and software release.

Use the custom message-of-the-day to update users on a configuration change, a system update or
maintenance schedule. For security purposes, you can also create a message-of-the-day with a warning
message to users that, “Unauthorized access to the system is forbidden.”

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the switch to use a custom banner or use the default banner:
banner <custom|static>
3. Create a custom banner:
banner WORD<1–80>

Note
To enter multiple lines for a message, use the banner command before each new line of
the message. To provide a string with spaces, include the text in quotation marks.

4. Create the message-of-the-day:


banner motd WORD<1–1516>

Note
To enter multiple lines for a message, use the banner motd command before each new
line of the message. To provide a string with spaces, include the text in quotation marks.


5. Enable the custom message-of-the-day:


banner displaymotd
6. Save the configuration:
save config
7. Display the banner information:
show banner
8. Log on again to verify the configuration.
9. (Optional) Disable the banner:
no banner [displaymotd][motd]

Example

Configure the custom banner to “Company, www.Companyname.com.” and configure the message of
the day to “Unauthorized access to this system is forbidden. Please logout now.”
Switch:1> enable
Switch:1#configure terminal
Switch:1(config)# banner custom
Switch:1(config)# banner Company
Switch:1(config)# banner www.Companyname.com
Switch:1(config)# banner motd "Unauthorized access to this system is forbidden"
Switch:1(config)# banner motd "Please logout now"
Switch:1(config)#banner displaymotd
Switch:1(config)#show banner
Company
www.company.com
defaultbanner : false
custom banner :

displaymotd : true
custom motd :
Unauthorized access to this system is forbidden
Please logout now

Variable definitions
Use the data in the following table to use the banner command.

Variable Value
custom Disables the use of the default banner.
static Activates the use of the default banner.
WORD <1–80> Adds lines of text to the CLI logon banner.
motd WORD<1–1516> Creates the message of the day. To provide a string with spaces, include the
text in quotation marks (“).
displaymotd Enables the custom message of the day.

Configure the Date


Configure the calendar time in the form of month, day, year, hour, minute, and second.


About This Task

Log on as rwa to perform this procedure.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Configure the date:
clock set <MMddyyyyhhmmss>
3. Verify the configuration:
show clock

Example

Configure the date and time, and then verify the configuration.
Switch:1>enable
Switch:1#clock set 03192014063030
Switch:1#show clock
Wed Mar 19 06:30:32 2014 EDT

Variable Definitions
Use the data in the following table to use the clock set command.

Variable Value
MMddyyyyhhmmss Specifies the date and time in the format month,
day, year, hour, minute, and second.

Enable Remote Access Services


Before You Begin
• When you enable the rlogin flag, you must configure an access policy to specify the user name
that can access the switch. For more information about the access policy commands, see Access
Policies for Services on page 2997.

Note
Rlogin is only supported on VSP 8600 Series.

About This Task

Enable the remote access service to provide multiple methods of remote access.

File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP) and Telnet server support both IPv4
and IPv6 addresses, with no difference in functionality or configuration.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. Enable the access service:


boot config flags {ftpd | rlogind | sshd | telnetd | tftpd}
3. Repeat as necessary to activate the desired services.
4. Save the configuration.

Example

Enable the access service for Telnet:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#boot config flags telnetd

Variable Definitions
The following table defines parameters for the boot config flags command.

Variable Value
advanced-feature-bandwidth-reservation [low | high] Enables the switch to support advanced
features by reserving ports as loopback ports. When disabled, you can use all ports on the
switch, but advanced features do not work. The default is enabled with low level.
• The high level means that the switch reserves the maximum bandwidth for the advanced
features.
• The low level means that the switch reserves less bandwidth to support minimum
functionality for advanced features.
If you change this parameter, you must restart the switch.
Note: Exception: only supported on VSP 7400 Series and XA1480.
block-snmp Activates or disables Simple Network
Management Protocol management. The default
value is false (disabled), which permits SNMP
access.

debug-config [console] | [file] Enables you to debug the configuration file during
loading configuration at system boot up. The
default is disabled. You do not have to restart
the switch after you enable debug-config, unless
you want to immediately debug the configuration.
After you enable debug-config and save the
configuration, the debug output either displays on
the console or logs to an output file the next time
the switch reboots.
The options are:
• debug-config [console]—Displays the line-by-line configuration file processing and result of
the execution on the console while the device loads the configuration file.
• debug-config [file]—Logs the line-by-line configuration file processing and result of the
execution to the debug file while the device loads the configuration file. The system logs the
debug config output to /intflash/debugconfig_primary.txt for the primary configuration file.
The system logs the debug config output to /intflash/debugconfig_backup.txt for the backup
configuration, if the backup configuration file loads.

debugmode Enables a TRACE on any port by prompting the selection on the console during boot up.
This allows the user to start a trace for debugging earlier on a specified port. Works on a
console connection only. The default is disabled.
Important: Do not change this parameter unless directed by technical support.

dvr-leaf-mode Enables an SPB node to be configured as a DvR Leaf.
A node that has this flag set cannot be configured as a DvR Controller.
The boot flag is disabled by default.

enhancedsecure-mode {jitc | non-jitc} Enables enhanced secure mode in either the Joint
Interoperability Test Command (JITC) or non-JITC sub-modes.
Note: As a best practice, enable the enhanced secure mode in the non-JITC sub-mode, because the
JITC sub-mode is more restrictive and prevents the use of some CLI commands that are
commonly used for troubleshooting.
When you enable enhanced secure mode in either the JITC or non-JITC sub-modes, the
switch provides role-based access levels, stronger password requirements, and stronger rules on
password length, password complexity, password change intervals, password reuse, and password
maximum age use.
factorydefaults Specifies whether the switch uses the factory
default settings at startup. The default value is
disabled. This flag is automatically reset to the
default setting after the CPU restarts. If you
change this parameter, you must restart the
switch.

Note:
The factorydefaults flag deletes the runtime,
primary and backup configuration files, local
password files, authentication keys, and
certificates. After a factory default, you must
change the password on first login.

flow-control-mode Enables or disables flow control globally. When disabled, the system does not
generate nor configure the transmission of flow control messages. The system always honors
received flow control messages regardless of the flow control mode status. You must enable this
mode before you configure an interface to send pause frames.
The default is disabled.
Note: Exception: not supported on VSP 8600 Series.
ftpd Activates or disables the FTP server on the switch.
The default value is disabled. To enable FTP,
ensure that the tftpd flag is disabled.
ha-cpu Activates or disables High Availability-CPU (HA-CPU) mode. Switches with two CPUs use HA
mode to recover quickly from a failure of one of the CPUs.
If you enable or disable HA mode, the secondary CPU resets automatically to load settings from
the saved configuration file.
Note: Exception: only supported on VSP 8600 Series.

hsecure Activates or disables High Secure mode.
The hsecure command provides the following
password behavior:
• 10 character enforcement
• The password must contain a minimum of 2
uppercase characters, 2 lowercase characters,
2 numbers, and 2 special characters.
• Aging time
• Failed login attempt limitation
The default value is disabled. If you enable High
Secure mode, you must restart the switch to
enforce secure passwords. If you operate the
switch in High Secure mode, the switch prompts
a password change if you enter invalid-length
passwords.
ipv6-egress-filter Enables IPv6 egress filters. The default is disabled.
If you change this parameter, you must restart the switch.
Note: Exception: not supported on VSP 8600 Series and XA1400 Series.

ipv6-mode Enables IPv6 mode on the switch.
Note: Exception: not supported on VSP 4450 Series, VSP 8600 Series, and XA1400 Series.

linerate-directed-broadcast {true | false} Enables or disables support for IP Directed
Broadcast in hardware without requiring CPU intervention. Setting this boot flag will put port
1/46 into loopback mode, making it unusable for external connections, so you need to move
any existing connections on this port first. After setting this boot flag, save the
configuration, and then restart the switch.
The default value is disabled.
Note: Exception: only supported on VSP 4450 Series.
Important: The software cannot be upgraded or downgraded to a software release that does not
contain this directed broadcast hardware assist functionality without first disabling this
feature and saving the configuration.

logging Activates or disables system logging. The default
value is enabled. The system names log files
according to the following:
• The system displays the file names in 8.3
(log.xxxxxxxx.sss) format.
• The first 6 characters of the file name contain
the last three bytes of the chassis base MAC
address.
• The next two characters in the file name
specify the slot number of the CPU that
generated the logs.
• The last three characters in the file name are
the sequence number of the log file.
The system generates multiple sequence numbers
for the same chassis and same slot if the system
reaches the maximum log file size.
nni-mstp Enables MSTP and VLAN configuration on network-to-network interface (NNI) ports. The
default is disabled.
Note: Spanning Tree is disabled on all NNIs.
You cannot add an SPBM NNI port or MLT port to any non SPBM B-VLAN. You cannot add
additional C-VLANs to a brouter port.
Note: Exception: not supported on VSP 8600 Series and XA1400 Series.
reboot Activates or disables automatic reboot on a fatal
error. The default value is activated.

Important:
Do not change this parameter unless directed by
technical support.

rlogind Activates or disables the rlogin and rsh server. The default value is disabled.
Note: Exception: rlogin and rsh are only supported on VSP 8600 Series.

savetostandby Activates or disables automatic save of the configuration file to the standby
CPU. The default value is enabled. If you operate a dual CPU system, enable this flag for ease
of operation.
Note: Exception: only supported on VSP 8600 Series.

spanning-tree-mode <mstp|rstp> Specifies the Multiple Spanning Tree Protocol or Rapid Spanning
Tree Protocol mode. If you do not specify a protocol, the switch uses the default mode. The
default mode is mstp. If you change the spanning tree mode, you must save the current
configuration and restart the switch.

spbm-config-mode Enables you to configure SPB and IS-IS, but you
cannot configure PIM and IGMP either globally or
on an interface.
Use the no operator so that you can configure
PIM and IGMP.
The boot flag is enabled by default. To set this flag
to the default value, use the default operator
with the command.
sshd Activates or disables the SSHv2 server service.
The default value is disabled.
syslog-rfc5424-format Controls the format of the syslog output and
logging. By default, the switch uses the RFC5424
format. If the RFC based format is disabled, the
older format is used.
telnetd Activates or disables the Telnet server service. The
default is disabled.
tftpd Activates or disables Trivial File Transfer Protocol
server service. The default value is disabled.
trace-logging Activates or disables the creation of trace logs.
The default value is disabled.

Important:
Do not change this parameter unless directed by
technical support.

urpf-mode Enables Unicast Reverse Path Forwarding (uRPF) globally. You must enable uRPF
globally before you configure it on a port or VLAN. The default is disabled.
Note: Exception: not supported on VSP 8600 Series and XA1400 Series.

verify-config Activates syntax checking of the configuration file.
The default is enabled.
• Primary config behavior: When the verify-config flag is enabled, the primary config file is
pre-checked for syntax errors. If the system finds an error, the primary config file is not
loaded; instead, the system loads the backup config file.
If the verify-config flag is disabled, the system does not pre-check syntax errors. When the
verify-config flag is disabled, the system ignores any lines with errors during loading of
the primary config file. If the primary config file is not present or cannot be found, the
system tries to load the backup file.
• Backup config behavior: If the system loads the backup config file, the system does not
check the backup file for syntax errors. It does not matter if the verify-config flag is
disabled or enabled. With the backup config file, the system ignores any lines with errors
during the loading of the backup config file.
If no backup config file exists, the system defaults to factory defaults.
As a best practice, disable the verify-config flag.

vrf-scaling Increases the maximum number of VRFs and Layer 3 VSNs that the switch supports.
This flag is disabled by default.
Important: If you enable both this flag and the spbm-config-mode flag, the switch reduces the
number of configurable VLANs. For more information about maximum scaling numbers, see VOSS
Release Notes.

vxlan-gw-full-interworking-mode Enables VXLAN Gateway in Full Interworking Mode, which supports
SPB, SMLT, and vIST.
By default, the Base Interworking Mode is enabled and Full Interworking Mode is disabled. You
change modes by enabling this boot configuration flag.
The no operator is the default Base Interworking Mode. In this mode, VXLAN Gateway supports
Layer 2 gateway communication between VXLAN and traditional VLAN environments.
Note: Exception: only supported on VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, and
VSP 8400 Series.
For more information about feature support, see
VOSS Feature Support Matrix.
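
The remote-access flags defined in the table above can be reviewed offline. The following is an added example, not Extreme Networks code: it assumes the saved configuration carries the same boot config flags lines that are typed at the CLI, optionally prefixed with no or default, and the sample configuration and finding names are constructed for illustration.

```python
"""Review `boot config flags` lines for remote-access exposure (added example)."""
import re

# Defaults as stated in the Variable Definitions table: all five are disabled.
DEFAULTS = {"ftpd": False, "rlogind": False, "sshd": False,
            "telnetd": False, "tftpd": False}

# Services that carry credentials and session data unencrypted.
CLEARTEXT = ("telnetd", "ftpd", "tftpd", "rlogind")

# Assumed line shape: "[no|default] boot config flags <flag> [arguments]".
FLAG_RE = re.compile(r"^\s*(?:(no|default)\s+)?boot\s+config\s+flags\s+(\S+)")

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
# BOOT CONFIGURATION (constructed)
boot config flags ftpd
boot config flags sshd
boot config flags telnetd
boot config flags tftpd
no boot config flags telnetd
sys name Floor3Lab2
"""


def effective_flags(config_text):
    """Apply flag lines in order; the last line for a flag wins."""
    flags = dict(DEFAULTS)
    for line in config_text.splitlines():
        match = FLAG_RE.match(line)
        if not match:
            continue  # comments, blank lines, unrelated commands
        operator, name = match.groups()
        if name not in DEFAULTS:
            continue  # only the remote-access flags are tracked here
        if operator == "default":
            flags[name] = DEFAULTS[name]
        else:
            flags[name] = operator is None  # "no" turns the flag off
    return flags


def audit_flags(config_text, platform):
    """Return finding strings for one device's boot flag lines."""
    flags = effective_flags(config_text)
    findings = [f"cleartext-service:{name}" for name in CLEARTEXT if flags[name]]
    # The guide supports rlogin and rsh only on VSP 8600 Series.
    if flags["rlogind"] and "8600" not in platform:
        findings.append("rlogind-unsupported-platform")
    # The guide: to enable FTP, ensure that the tftpd flag is disabled.
    if flags["ftpd"] and flags["tftpd"]:
        findings.append("ftpd-with-tftpd")
    # A remote CLI is reachable but the encrypted alternative is off.
    if (flags["telnetd"] or flags["rlogind"]) and not flags["sshd"]:
        findings.append("remote-cli-without-sshd")
    return findings


if __name__ == "__main__":
    for finding in audit_flags(SAMPLE_CONFIG, "VSP 7400 Series"):
        print(finding)
```
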


Using Telnet to Log on to the Device


About This Task

Use Telnet to log on to the device and remotely manage the switch.

Procedure
1. From a PC or terminal, start a Telnet session:
telnet <ipv4 or ipv6 address>
2. Enter the logon and password when prompted.

Example
C:\Users\jsmith>telnet 192.0.2.40
Connecting to 192.0.2.40.....
Login:rwa
Password:rwa

Enable the Web Management Interface


About This Task

Note
DEMO FEATURE - Read Only User for EDM is a demonstration feature on some products.
Demonstration features are provided for testing purposes. Demonstration features are for lab
use only and are not for use in a production environment. For more information, see VOSS
Feature Support Matrix.

Enable the web management interface to provide management access to the switch using a web
browser.

HTTP, HTTPS, and FTP support both IPv4 and IPv6 addresses, with no difference in functionality or
configuration.

Important
To enable HTTP access to the device, you must disable the web server secure-only option. The web
server secure-only option, which provides HTTPS access to the device, is enabled by default.
The TFTP server supports both IPv4 and IPv6 TFTP clients.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable the web server:
web-server enable
3. To enable the secure-only option (for HTTPS access), enter:
web-server secure-only
4. (Optional) To disable the secure-only option (for HTTP access), enter:
no web-server secure-only


5. Configure the username and the access password:


web-server password rwa WORD<1–20>

Important
The default passwords and community strings are documented and well known. Change
the default passwords and community strings immediately after you first log on.

6. Enter and confirm your password.


7. Enable read-only user:
web-server read-only-user enable
8. Save the configuration:
save config
9. Display the web server status:
show web-server

Example
Enable the secure-only web-server.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#web-server enable
Switch:1(config)#web-server secure-only
Switch:1(config)#web-server read-only-user enable
Switch:1(config)#web-server password rwa smith2
Enter the New password : ********
Re-enter the New password : ********
Password changed.
Switch:1(config)#web-server password ro jones6
Enter the New password : ********
Re-enter the New password : ********
Password changed.

Switch:1(config)#show web-server
Web Server Info :

Status : off
Secure-only : enabled
TLS-minimum-version : tlsv12
RO Username Status : disabled
RO Username : user
RO Password : ********
RWA Username : admin
RWA Password : ********
Def-display-rows : 30
Inactivity timeout : 900 sec
Html help tftp source-dir :
HttpPort : 80
HttpsPort : 443
NumHits : 0
NumAccessChecks : 0
NumAccessBlocks : 0
NumRxErrors : 0

NumTxErrors : 0
NumSetRequest : 0
Minimum password length : 8
Last Host Access Blocked : 0.0.0.0


In use certificate : Self signed


Certificate Truspoint CA Name :
Certificate with Subject Name : 823

Ciphers-Tls : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA

Variable Definitions
Use the data in the following table to use the web-server command.

Variable Value
def-display-rows <10-100> Configures the number of rows each page
displays, between 10 and 100.
enable Enables the web interface. To disable the web
server, use the no form of this command:
no web-server [enable]
help-tftp <WORD/0-256> Configures the TFTP or FTP directory for Help
files, in one of the following formats: a.b.c.d:/|
peer:/ [<dir>]. The path can use 0–256 characters.
The following example paths illustrate the correct
format:
• 192.0.2.1:/help
• 192.0.2.1:/

http-port <80-49151> Configures the web server HTTP port. The default
port is 80.
https-port <443-49151> Configures the web server HTTPS port. The default
port is 443.
inactivity-timeout<30–65535> Configures the web-server session inactivity
timeout. The default is 900 seconds (15 minutes).
password {ro | rwa} WORD<1-20> Configures the logon and password for the web
interface.
password min-passwd-len<1–32> Configures the minimum password length. By
default, the minimum password length is 8
characters.
read-only-user Enables read-only user for the web server.

Note:
read-only-user enable is available for
demonstration purposes on some products. For
more information, see VOSS Feature Support
Matrix.

secure-only Enables secure-only access for the web server.
tls-min-ver<tlsv10|tlsv11|tlsv12> Configures the minimum version of the TLS
protocol supported by the web-server. You can
select among the following:
• tlsv10 – Configures the version to TLS 1.0.

Note:
tlsv10 is not supported in enhanced secure
mode.
• tlsv11 – Configures the version to TLS 1.1.
• tlsv12 – Configures the version to TLS 1.2
The default is tlsv12.

Enable the Web Server RO User


About This Task

Note
DEMO FEATURE - Read Only User for EDM is a demonstration feature on some products.
Demonstration features are provided for testing purposes. Demonstration features are for lab
use only and are not for use in a production environment. For more information, see VOSS
Feature Support Matrix.

Perform this procedure to enable the web server RO user, which is disabled by default after a software
upgrade.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable the read-only user:
web-server read-only-user enable

Example
Switch:1>enable
Switch:1#configure terminal

Enable the default ro username:


Switch:1(config)#web-server read-only-user enable

Display the output of the show web-server command with the ro username enabled:
Switch:1(config)#show web-server
Web Server Info :

Status : on
Secure-only : enabled
TLS-minimum-version : tlsv12

RO Username Status : enabled


RO Username : jones6
RO Password : ********
RWA Username : smith2
RWA Password : ********
Def-display-rows : 30
Inactivity timeout : 900 sec
Html help tftp source-dir :
HttpPort : 80
HttpsPort : 443
NumHits : 87
NumAccessChecks : 4
NumAccessBlocks : 0
NumRxErrors : 73
NumTxErrors : 0
NumSetRequest : 0
Minimum password length : 8
Last Host Access Blocked : 0.0.0.0
In use certificate : Self signed

Configure the TLS Protocol Version


The switch by default supports version TLS 1.2 and above. You can explicitly configure TLS 1.0 and TLS
1.1 version support using CLI.

About This Task

Disable the web server before you change the TLS version. Disabling the web server first ensures that
users with an existing connection to the web server are not affected by the change to a different
version when you run the tls-min-ver command.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Disable the web server:
no web-server enable
3. Set the TLS protocol version:
web-server tls-min-ver [tlsv10 | tlsv11 | tlsv12]
4. Enable the web server:
web-server enable
5. Verify the protocol version:
show web-server

Example
Switch> enable
Switch# configure terminal
Switch(config)# web-server tls-min-ver tlsv12

Verify the protocol version.

Switch:1(config)#show web-server

Web Server Info :

Status : off
Secure-only : enabled
TLS-minimum-version : tlsv12
RO Username Status : disabled
RO Username : user
RO Password : ********
RWA Username : admin
RWA Password : ********
Def-display-rows : 30
Inactivity timeout : 900 sec
Html help tftp source-dir :
HttpPort : 80
HttpsPort : 443
NumHits : 0
NumAccessChecks : 0
NumAccessBlocks : 0
NumRxErrors : 0

NumTxErrors : 0
NumSetRequest : 0
Minimum password length : 8
Last Host Access Blocked : 0.0.0.0
In use certificate : Self signed
Certificate Truspoint CA Name :
Certificate with Subject Name : 823

Ciphers-Tls : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA

Variable Definitions
Use the data in the following table to use the web-server command.

Variable Value
def-display-rows <10-100> Configures the number of rows each page
displays, between 10 and 100.
enable Enables the web interface. To disable the web
server, use the no form of this command:
no web-server [enable]
help-tftp <WORD/0-256> Configures the TFTP or FTP directory for Help
files, in one of the following formats: a.b.c.d:/|
peer:/ [<dir>]. The path can use 0–256 characters.
The following example paths illustrate the correct
format:
• 192.0.2.1:/help
• 192.0.2.1:/

http-port <80-49151> Configures the web server HTTP port. The default
port is 80.
https-port <443-49151> Configures the web server HTTPS port. The default
port is 443.
inactivity-timeout<30–65535> Configures the web-server session inactivity
timeout. The default is 900 seconds (15 minutes).
password {ro | rwa} WORD<1-20> Configures the logon and password for the web
interface.
password min-passwd-len<1–32> Configures the minimum password length. By
default, the minimum password length is 8
characters.
read-only-user Enables read-only user for the web server.

Note:
read-only-user enable is available for
demonstration purposes on some products. For
more information, see VOSS Feature Support
Matrix.

secure-only Enables secure-only access for the web server.


tls-min-ver<tlsv10|tlsv11|tlsv12> Configures the minimum version of the TLS
protocol supported by the web-server. You can
select among the following:
• tlsv10 – Configures the version to TLS 1.0.

Note:
tlsv10 is not supported in enhanced secure
mode.
• tlsv11 – Configures the version to TLS 1.1.
• tlsv12 – Configures the version to TLS 1.2
The default is tlsv12.
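
The settings described in Enable the Web Management Interface and Configure the TLS Protocol Version can be checked offline against captured show web-server output. The following Python sketch is an added example, not part of the VOSS documentation or software; the sample capture is constructed in the layout shown above, and the severity labels and check names are assumptions of this example.

```python
import re

# Constructed sample: `show web-server` output in the layout this guide shows,
# with secure-only disabled and the TLS minimum lowered so the audit reports them.
SAMPLE_OUTPUT = """\
Switch:1(config)#show web-server
Web Server Info :

Status : on
Secure-only : disabled
TLS-minimum-version : tlsv10
RO Username Status : enabled
RO Username : user
RO Password : ********
RWA Username : admin
RWA Password : ********
Inactivity timeout : 900 sec
HttpPort : 80
HttpsPort : 443
Minimum password length : 8
Last Host Access Blocked : 0.0.0.0
In use certificate : Self signed

Ciphers-Tls : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
"""

PROMPT = re.compile(r"^\S+[#>]")            # CLI prompt echo, e.g. Switch:1(config)#...
FIELD = re.compile(r"^(.+?)\s*:\s*(.*)$")   # "Key : Value", split at the first colon
CIPHER = re.compile(r"^TLS_[A-Z0-9_]+$")    # continuation lines under Ciphers-Tls


def parse_show_web_server(text):
    """Return (fields, ciphers) parsed from `show web-server` output."""
    fields, ciphers = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue  # blank line or the echoed command
        if CIPHER.match(line):
            ciphers.append(line)
            continue
        m = FIELD.match(line)
        if m is None:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Ciphers-Tls":
            if value:
                ciphers.append(value)
        else:
            fields[key] = value
    return fields, ciphers


def audit(text):
    """Return a list of (severity, check_id, message) findings."""
    fields, ciphers = parse_show_web_server(text)
    findings = []

    def add(severity, check_id, message):
        findings.append((severity, check_id, message))

    if fields.get("Secure-only", "").lower() != "enabled":
        add("HIGH", "secure-only", "HTTP access allowed; run 'web-server secure-only'")

    tls_min = fields.get("TLS-minimum-version", "unknown")
    if tls_min != "tlsv12":
        add("HIGH", "tls-min-ver",
            f"minimum TLS is {tls_min}; set 'web-server tls-min-ver tlsv12'")

    if fields.get("RWA Username") == "admin":
        add("MEDIUM", "rwa-default-user",
            "default RWA username; confirm the default password was changed")

    if fields.get("RO Username Status", "").lower() == "enabled":
        add("INFO", "ro-user-enabled",
            "read-only user enabled (a demonstration feature on some products)")
        if fields.get("RO Username") == "user":
            add("MEDIUM", "ro-default-user",
                "default RO username; confirm the default password was changed")

    min_len = fields.get("Minimum password length", "")
    if min_len.isdigit() and int(min_len) < 8:
        add("MEDIUM", "min-passwd-len",
            f"minimum password length {min_len} is below the default of 8")

    if fields.get("In use certificate", "").lower().startswith("self"):
        add("INFO", "self-signed-cert",
            "self-signed certificate; browsers cannot validate it against a CA")

    # Suites named TLS_RSA_* use static RSA key exchange (no forward secrecy).
    static_rsa = [c for c in ciphers if c.startswith("TLS_RSA_")]
    if static_rsa:
        add("LOW", "no-forward-secrecy",
            f"{len(static_rsa)} static-RSA cipher suites offered")

    return findings


if __name__ == "__main__":
    for severity, check_id, message in audit(SAMPLE_OUTPUT):
        print(f"{severity:<6} {check_id:<20} {message}")
```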

Access the Switch Through the Web Interface


Before You Begin

You must enable the web server using CLI.

About This Task

Monitor the switch through a web browser from anywhere on the network. The web interface uses
a 15-minute timeout period. If no activity occurs for 15 minutes, the system logs off the switch web
interface, and you must re-enter the password information.


Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) support both IPv4
and IPv6 addresses, with no difference in functionality or configuration.

Note
By default the web server is configured with the secure-only option, which requires you to
use HTTPS to access EDM. To access EDM using HTTP, you must disable the secure-only
option. For more information about configuring the secure-only option, see Enable the Web
Management Interface on page 178.

Procedure

1. Start your web browser.


2. Type the switch IP address as the URL in the web address field.
3. In the User Name box, type admin and in the Password box, type password.
4. Select Login.

Configuring the minimum version of the TLS protocol


Use the following procedure to configure the minimum version of the TLS protocol.

Earlier releases used a self-signed certificate generated using the OpenSSL API, and this self-signed
certificate was installed in /inflash/.ssh. The self-signed certificate is now generated with the
Mocana API.

Disable the web server before you change the TLS version. Disabling the web server first ensures that
users with an existing connection to the web server are not affected by the change to a different version.

The switch by default supports version TLS 1.2 and above. You can explicitly configure TLS 1.0 and TLS
1.1 version support.

Procedure

1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Select General and then select the Web tab.
3. In the TlsMinimumVersion field, select the TLS version you want to configure as the minimum on the
system.

Web Field Descriptions


Use the data in the following table to use the Web tab.

Name Description
WebRWAUserName Specifies the RWA username from 1–20
characters. The default is admin.
WebRWAUserPassword Specifies the password from 1–32 characters. The
default is 12345678.

WebROEnable Enables the web server read-only (RO) user, which
is disabled by default after a software upgrade.
Note:
Exception: not supported on VSP 8600 Series.

WebEncryptionType Specifies the ciphers for preset version of TLS for
the web server.
WebCertSubjectName Specifies the digital certificate subject Name used
as identity certificate in the web server.
WebCertCAName Specifies the digital certificate CA trustpoint name
used for the certificate in the web server.
WebROUserName Specifies the RO username. The default is user.

Note:
Product Notice: For VSP 8600 Series the web
server RO username must be enabled in CLI.

WebROUserPassword Specifies the password from 1–32 characters. The
default is password.
MinimumPasswordLength Configures the minimum password length. By
default, the minimum password length is 8
characters.
HttpPort Specifies the HTTP port for web access. The
default value is 80.
HttpsPort Specifies the HTTPS port for web access. The
default value is 443.
SecureOnly Controls whether the secure-only option is
enabled. The default is enabled.
InactivityTimeout Specifies the idle time (in seconds) to wait before
the EDM login session expires. The default value is
900 seconds (15 minutes).
TlsMinimumVersion Configures the minimum version of the TLS
protocol supported by the web-server. You can
select from the following options:
• tlsv10 – Configures the version to TLS 1.0.
• tlsv11 – Configures the version to TLS 1.1.
• tlsv12 – Configures the version to TLS 1.2
The default is tlsv12.
InUseCertType Shows if the certificate is self-signed or user-
installed.
Note:
Exception: not supported on VSP 8600 Series.
Note:
Product Notice: For VSP 8600 Series use the
show web-server command in CLI to view this
information.

HelpTftp/Ftp_SourceDir Configures the TFTP or FTP directory for Help
files, in one of the following formats: a.b.c.d:/|
peer:/ [<dir>]. The path can use 0–256 characters.
The following example paths illustrate the correct
format:
• 192.0.2.1:/Help
• 192.0.2.1:/

DefaultDisplayRows Configures the web server display row width
between 10–100. The default is 30.
LastChange Shows the last web-browser initiated
configuration change.
NumHits Shows the number of hits to the web server.
NumAccessChecks Shows the number of access checks performed by
the web server.
NumAccessBlocks Shows the number of access attempts blocked by
the web server.
LastHostAccessBlockedAddressType Shows the address type, either IPv4 or IPv6, of the
last host access blocked by the web server.
LastHostAccessBlockedAddress Shows the IP address of the last host access
blocked by the web server.
NumRxErrors Shows the number of receive errors the web
server encounters.
NumTxErrors Shows the number of transmit errors the web
server encounters.
NumSetRequest Shows the number of set-requests sent to the web
server.

Saving the configuration


Save the configuration to a file to retain the configuration settings.

About This Task

File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) support both IPv4 and IPv6
addresses, with no difference in functionality or configuration.

Note
If you use File Transfer Protocol (FTP) or Trivial File Transfer Protocol (TFTP), ensure that you
enable the FTP or TFTP server.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Save the running configuration:
save config [backup WORD<1–99>] [file WORD<1–99>] [verbose]


Example

Switch:1> enable

Save the file to the default location:

Switch:1# save config

Variable Definitions
Use the data in the following table to use the save config command.

Variable Value
backup WORD<1–99> Saves the specified file name and identifies the file
as a backup file.
WORD uses one of the following formats:
• a.b.c.d:<file>
• /intflash/<file>
The file name, including the directory structure,
can include up to 99 characters.
file WORD<1–99> Specifies the file name in one of the following
formats:
• a.b.c.d:<file>
• /intflash/<file>
The file name, including the directory structure,
can include up to 99 characters.
verbose Saves the default and current configuration. If
you omit this parameter, the command saves only
parameters you change.

Backing up configuration files


Before and after you upgrade your switch software, make copies of the configuration files. If an error
occurs, use backup configuration files to return the switch to a previous state.

Before You Begin


• If you use File Transfer Protocol (FTP) or Trivial File Transfer Protocol (TFTP), ensure that you enable
the FTP or TFTP server. File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) support
both IPv4 and IPv6 addresses, with no difference in functionality or configuration.

About This Task

Keep several copies of backup files.

Procedure

1. Enter Privileged EXEC mode:


enable


2. Determine the configuration file names:


show boot config choice
3. Save the configuration files. Assuming the files use the default file names, enter:
save config
4. Copy the files to a safe place:
copy /intflash/config.cfg /intflash/config_backup.cfg

copy /intflash/config.cfg a.b.c.d:/dir/config_backup.cfg

Example

Determine the configuration file names, save the configuration files, and copy the files to a safe place.
Switch:1>enable
Switch:1#show boot config choice
choice primary config-file "/intflash/config.cfg"
choice primary backup-config-file "/intflash/config.cfg"
Switch:1#save config
Switch:1#copy /intflash/config.cfg 00:11:f9:5b:10:42/dir/config_backup.cfg
Do you want to continue? (y/n)
y

Resetting the platform


About This Task

Reset the platform to reload system parameters from the most recently saved configuration file.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Reset the switch:
reset [-y]

Example

Reset the switch:


Switch:1>enable
Switch:1#reset
Are you sure you want to reset the switch? (y/n)
y

Variable Definitions
Use the data in the following table to use the reset command.

Variable Value
-y Suppresses the confirmation message before the
switch resets. If you omit this parameter, you must
confirm the action before the system resets.


Remove a Software Build


Use the following procedure to remove a software build for the switch.

Note
A maximum of 6 software releases can be installed on the switch. When the limit is reached,
you are prompted to remove one release before you can proceed with adding and activating a
new software release.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Remove the software build:
software remove WORD<1-99>

Example

Remove the software build:


Switch:1>enable
Switch:1#software remove w.x.y.z

Verification

Verify Boot Configuration Flags


Verify the boot configuration flags to confirm the boot configuration settings. Boot configuration settings
take effect only after you reset the system, so verifying these parameters is essential to minimize
system downtime and the number of resets needed to change them.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Verify the flags:
show boot config flags

Example

Note
Flag support can vary across hardware models.

Switch:1#show boot config flags


flags advanced-feature-bandwidth-reservation low
flags block-snmp false
flags debug-config false
flags debugmode false
flags dvr-leaf-mode false
flags enhancedsecure-mode false
flags factorydefaults false
flags flow-control-mode true
flags ftpd true

flags ha-cpu true


flags hsecure false
flags ipv6-egress-filter true
flags ipv6-mode false
flags linerate-directed-broadcast false
flags logging true
flags nni-mstp false
flags reboot true
flags rlogind false
flags savetostandby true
flags spanning-tree-mode mstp
flags spbm-config-mode true
flags sshd true
flags syslog-rfc5424-format true
flags telnetd true
flags tftpd true
flags trace-logging false
flags urpf-mode true
flags verify-config true
flags vrf-scaling true
flags vxlan-gw-full-interworking-mode false

Verify the Software Release


About This Task

Use CLI to verify your installed software. It is important to verify your software version before you place
a device into a production environment.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Verify the software release:
show software detail

Example

The following is an example of the output of the show software detail command.
Switch:1#show software detail

================================================================================
software releases in /intflash/release/
================================================================================
VSPSwitch.X.X.X.X_GA
MP
UBOOT int009
KERNEL 2.6.32_int29
ROOTFS 2.6.32_int29
APPFS VSPSwitch.X.X.X.X_GA
AVAILABLE ENCRYPTION MODULES
No Modules Added

VSPSwitch.X.X.X.X_GA (Backup Release)


MP
UBOOT int009
KERNEL 2.6.32_int29
ROOTFS 2.6.32_int29

APPFS VSPSwitch.X.X.X.X_GA
AVAILABLE ENCRYPTION MODULES
No Modules Added

VSPSwitch.X.X.X.X_GA (Primary Release)


MP
UBOOT int009
KERNEL 2.6.32_int29
ROOTFS 2.6.32_int29
APPFS VSPSwitch.X.X.X.X_GA
AVAILABLE ENCRYPTION MODULES
No Modules Added

--------------------------------------------------------------------------------
Auto Commit : enabled
Commit Timeout : 10 minutes

Verifying the software version on the slots


Note
This procedure only applies to VSP 8600 Series.

About This Task

Use CLI to verify the software version running on each slot.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Verify the software version running on each slot:
show software slot

Example

The following is an example of the output of the show software slot command.
Switch:1#show software slot

==========================================================================================
Software running on chassis

==========================================================================================

Slot Release

---- -------
1 VOSS8600.voss_4.5.0.0int011
2 VOSS8600.voss_4.5.0.0int011
4 VOSS8600.voss_4.5.0.0int011
SF 1 VOSS8600.voss_4.5.0.0int011
SF 2 VOSS8600.voss_4.5.0.0int011

Display local alarms


View local alarms to monitor alarm conditions.


Local alarms are raised and cleared by applications running on the switch. Local alarms are an
automatic mechanism run by the system and do not require any additional user configuration. The
raising and clearing of local alarms also creates a log entry for each event. Check alarms occasionally to
ensure no alarms require additional operator attention.

For more information, see Alarm Database on page 3505.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display local alarms:
show alarm database

Example

Display local alarms:

Note
The switches that support SF cards display warning messages when SFIs are down.

Switch:1#show alarm database


ALARM EVENT ALARM ALARM CREATION UPDATED CLEARED
SLOT ID CODE TYPE STATUS SEVERITY FREQ TIME TIME TIME REASON
----------------------------------------------------------------------------------------------------------------------------
CP1 00300001.238 0x0000c5e7 DYNAMIC SET INFO 1 [11/17/15 06:42:55.928] [11/17/15 06:42:55.928] [--/--/-- --:--:--.---] Link
Down(1/47)
CP1 00300001.239 0x0000c5e7 DYNAMIC SET INFO 1 [11/17/15 06:42:55.946] [11/17/15 06:42:55.946] [--/--/-- --:--:--.---] Link
Down(1/48)
CP1 00300001.241 0x0000c5e7 DYNAMIC SET INFO 1 [11/17/15 06:42:55.971] [11/17/15 06:42:55.971] [--/--/-- --:--:--.---] Link
Down(1/50)
CP1 00400005 0x000045e5 DYNAMIC SET INFO 1 [11/17/15 06:43:41.929] [11/17/15 06:43:41.929] [--/--/-- --:--:--.---] Sending
Cold-Start Trap

Display log files


Use this procedure to display log files.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display log files:
show logging file

Example

Display log files:


Switch:1>show logging file
CP1 [02/05/15 12:35:28.690:UTC] 0x00270428 00000000 GlobalRouter SW INFO Lifecy
cle: Start
CP1 [02/05/15 12:35:29.906:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s sockserv started, pid:4950
CP1 [02/05/15 12:35:29.907:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s oom95 started, pid:4951
CP1 [02/05/15 12:35:29.907:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s oom90 started, pid:4952
CP1 [02/05/15 12:35:29.908:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s imgsync.x started, pid:4953
CP1 [02/05/15 12:35:30.346:UTC] 0x0026452f 00000000 GlobalRouter SW INFO No pat
ch set.

CP1 [02/05/15 12:35:30.909:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s logServer started, pid:4996
CP1 [02/05/15 12:35:30.910:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s trcServer started, pid:4997
CP1 [02/05/15 12:35:30.910:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s oobServer started, pid:4998
CP1 [02/05/15 12:35:30.911:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s cbcp-main.x started, pid:4999
CP1 [02/05/15 12:35:30.912:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s rssServer started, pid:5000
CP1 [02/05/15 12:35:30.912:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s dbgServer started, pid:5001
CP1 [02/05/15 12:35:30.913:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s dbgShell started, pid:5002
CP1 [02/05/15 12:35:30.914:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s coreManager.x started, pid:5003
CP1 [02/05/15 12:35:30.914:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s ssio started, pid:5004
CP1 [02/05/15 12:35:30.915:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s hckServer started, pid:5005
CP1 [02/05/15 12:35:30.916:UTC] 0x0027042b 00000000 GlobalRouter SW INFO Proces
s remCmdAgent.x started, pid:5006
CP1 [02/05/15 12:35:32.910:UTC] 0x000006cc 00000000 GlobalRouter SW INFO rcStar
t: FIPS Power Up Self Test SUCCESSFUL - 0
CP1 [02/05/15 12:35:32.911:UTC] 0x000006c2 00000000 GlobalRouter SW INFO rcStar
t: Security Stack Init SUCCESSFUL - 0
CP1 [02/05/15 12:35:32.911:UTC] 0x000006c3 00000000 GlobalRouter SW INFO rcStar
t: IPSEC Init SUCCESSFUL
CP1 [02/05/15 12:35:32.911:UTC] 0x000006bf 00000000 GlobalRouter SW INFO rcStar
t: Security Stack Log init SUCCESSFUL - 0
CP1 [02/05/15 12:35:34.330:UTC] 0x000005c0 00000000 GlobalRouter SW INFO Licens
eLoad = ZERO, loading premier license for developer debugging
IO1 [02/05/15 12:35:35.177:UTC] 0x0011054a 00000000 GlobalRouter COP-SW INFO De
tected Master CP in slot 1

--More-- (q = quit)

Basic Administration Procedures using CLI


The following section describes common procedures that you use while you configure and monitor the
switch operations using the Command Line Interface (CLI).

Note
Unless otherwise stated, to perform the procedures in this section, you must log on to the
Privileged EXEC mode in the CLI. For more information about how to use CLI, see CLI
Procedures on page 253.

Restarting the platform


Before You Begin

Note
The command mode is key for this command. If you are logged on to a different command
mode, such as Global Configuration mode, rather than Privileged EXEC mode, the system
displays different options for this command.


About This Task

Restart the switch to implement configuration changes or recover from a system failure. When you
restart the system, you can specify the boot config file name. If you do not specify a boot source and
file, the boot command uses the configuration files on the primary boot device defined by the boot
config choice command.

After the switch restarts normally, it sends a cold trap within 45 seconds after the restart.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Restart the switch:
boot [config WORD<1–99>] [-y]

Important
If you enter the boot command with no arguments, you cause the switch to start using
the current boot choices defined by the boot config choice command.
If you enter a boot command and the configuration file name without the directory, the
device uses the configuration file from /intflash/.

Example

Switch:1> enable

Restart the switch:

Switch:1# boot config /intflash/config.cfg

Switch:1# Do you want to continue? (y/n)

Switch:1# Do you want to continue? (y/n) y

Variable Definitions
The following table defines parameters for the boot command.

Variable Value
config WORD<1–99> Specifies the software configuration device and
file name in one of the following formats:
• /intflash/ <file>
The file name, including the directory structure,
can include up to 99 characters.
-y Suppresses the confirmation message before
the switch restarts. If you omit this parameter,
you must confirm the action before the system
restarts.


Resetting the platform


About This Task

Reset the platform to reload system parameters from the most recently saved configuration file.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Reset the switch:
reset [-y]

Example

Switch:1> enable

Reset the switch:

Switch:1# reset

Are you sure you want to reset the switch? (y/n) y

Variable Definitions
The following table defines parameters for the reset command.

Variable Value
-y Suppresses the confirmation message before the
switch resets. If you omit this parameter, you must
confirm the action before the system resets.

Shutting Down the System


Use the following procedure to shut down the system.

Caution
Before you unplug the AC power cord, always perform the following shutdown procedure.
This procedure:
• Flushes any pending data to ensure data integrity.
• Ensures the completion of recent configuration save actions, thus preventing the system
from inadvertently booting up with incorrect configuration.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Shut down the system:
sys shutdown


3. Before you unplug the power cord, wait until you see the following message:
System Halted, OK to turn off power

Example

Shut down a running system.


Switch:1#sys shutdown
Are you sure you want shutdown the system? Y/N (y/n) ? y
CP1 [05/08/14 15:47:50.164] 0x00010813 00000000 GlobalRouter HW INFO System shutdown
initiated from CLI
CP1 [05/08/14 15:47:52.000] LifeCycle: INFO: Stopping all processes
CP1 [05/08/14 15:47:53.000] LifeCycle: INFO: All processes have stopped
CP1 [05/08/14 15:47:53.000] LifeCycle: INFO: All applications shutdown, starting power
down sequence
INIT: Sending processes the TERM signal
Stopping OpenBSD Secure Shell server: sshdno /usr/sbin/sshd found; none killed
Stopping vsp...Error, do this: mount -t proc none /proc
done
sed: /proc/mounts: No such file or directory
sed: /proc/mounts: No such file or directory
sed: /proc/mounts: No such file or directory
Deconfiguring network interfaces... done.
Stopping syslogd/klogd: no syslogd found; none killed
Sending all processes the TERM signal...
Sending all processes the KILL signal...
/etc/rc0.d/S25save-rtc.sh: line 5: /etc/timestamp: Read-only file system
Unmounting remote filesystems...
Stopping portmap daemon: portmap.
Deactivating swap...
Unmounting local filesystems...
[24481.722669] Power down.
[24481.751868] System Halted, OK to turn off power

Configure the Default Ping and Traceroute Context


About This Task

Ping commands and traceroute commands execute in Global Router (GRT) context by default. You can
configure ping commands and traceroute commands to execute in management (mgmt) context or in
Virtual Router Forwarding (vrf) context.

Note
This procedure is not supported on VSP 8600 Series.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the default ping command and traceroute command context:
sys default-ping-context {grt | mgmt | vrf}


Variable Definitions
The following table defines parameters for the sys default-ping-context command.

Variable Value
grt Specifies Global Routing Table (grt) context as the default context for ping
commands and traceroute commands. The default configuration is grt as the
default context.
mgmt Specifies management (mgmt) context as the default context for ping
commands and traceroute commands. The default configuration is grt as
the default context.
vrf Specifies Virtual Router Forwarding (VRF) context as the default context for
ping commands and traceroute commands. The default configuration is grt
as the default context.

Calculate and Verify the MD5 Checksum for a File on the Switch
Perform this procedure to verify that the software files are downloaded properly to the switch. The MD5
checksum for each release is available on the Extreme Networks Support website.

Before You Begin


• Download the MD5 checksum to an intermediate workstation or server where you can open and
view the contents.
• Download the image file to the switch.

About This Task

Calculate and verify the MD5 checksum after you download software files.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. View the list of files:
ls *.tgz
3. Calculate the MD5 checksum for the file:
file-checksum md5 WORD<1-99>
4. Compare the number generated for the file on the switch with the number that displays in the
MD5 checksum on the workstation or server. Ensure that the MD5 checksum of the software suite
matches the system output generated from calculating the MD5 checksum from the downloaded
file.

Example

View the contents of the MD5 checksum on the workstation or server:


3242309ad6660ef09be1b945be15676d VSP8200.4.0.0.0_edoc.tar
d000965876dee2387f1ca59cf081b9d6 VSP8200.4.0.0.0_mib.txt
897303242c30fd944d435a4517f1b3f5 VSP8200.4.0.0.0_mib.zip
2fbd5eab1c450d1f5feae865b9e02baf VSP8200.4.0.0.0_modules.tgz
a9d6d18a979b233076d2d3de0e152fc5 VSP8200.4.0.0.0_OpenSource.zip
8ce39996a131de0b836db629b5362a8a VSP8200.4.0.0.0_oss-notice.html
80bfe69d89c831543623aaad861f12aa VSP8200.4.0.0.0.tgz

a63a1d911450ef2f034d3d55e576eca0 VSP8200.4.0.0.0.zip
62b457d69cedd44c21c395505dcf4a80 VSP8200v400_HELP_EDM_gzip.zip

Calculate the MD5 checksum for the file on the switch:


Switch:1>ls *.tgz
-rw-r--r-- 1 0 0 44015148 Dec 8 08:18 VSP8200.4.0.0.0.tgz
-rw-r--r-- 1 0 0 44208471 Dec 8 08:19 VSP8200.4.0.1.0.tgz
Switch:1>file-checksum md5 VSP8200.4.0.0.0.tgz
MD5 (VSP8200.4.0.0.0.tgz) = 80bfe69d89c831543623aaad861f12aa

Variable Definitions
The following table defines parameters for the file-checksum md5 command:

Variable Value
WORD<1-99> Specifies the file name.

Calculate and Verify the MD5 Checksum for a File on a Client Workstation
Perform this procedure on a Unix or Linux machine to verify that the software files downloaded
properly. The MD5 checksum for each release is available on the Extreme Networks Support website.

About This Task

Calculate and verify the MD5 checksum after you download software files.

Procedure
1. Calculate the MD5 checksum of the downloaded file:
$ /usr/bin/md5sum <downloaded software-filename>

Typically, downloaded software files are in the form of compressed Unix file archives (.tgz files).
2. Verify the MD5 checksum of the software suite:
$ more <md5–checksum output file>
3. Compare the output that displays on the screen. Ensure that the MD5 checksum of the software
suite matches the system output generated from calculating the MD5 checksum from the
downloaded file.

Example

Calculate the MD5 checksum of the downloaded file:


$ /usr/bin/md5sum VSP4K.4.0.40.0.tgz

02c7ee0570a414becf8ebb928b398f51 VSP4K.4.0.40.0.tgz

View the MD5 checksum of the software suite:


$ more VSP4K.4.0.40.0.md5
285620fdc1ce5ccd8e5d3460790c9fe1 VSP4000v4.0.40.0.zip

a04e7c7cef660bb412598574516c548f VSP4000v4040_HELP_EDM_gzip.zip
ac3d9cef0ac2e334cf94799ff0bdd13b VSP4K.4.0.40.0_edoc.tar
29fa2aa4b985b39843d980bb9d242110 VSP4K.4.0.40.0_mib_sup.txt

c5f84beaf2927d937fcbe9dd4d4c7795 VSP4K.4.0.40.0_mib.txt
ce460168411f21abf7ccd8722866574c VSP4K.4.0.40.0_mib.zip
1ed7d4cda8b6f0aaf2cc6d3588395e88 VSP4K.4.0.40.0_modules.tgz
1464f23c99298b80734f8e7fa32e65aa VSP4K.4.0.40.0_OpenSource.zip
945f84cb213f84a33920bf31c091c09f VSP4K.4.0.40.0_oss-notice.html
02c7ee0570a414becf8ebb928b398f51 VSP4K.4.0.40.0.tgz
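
The workstation comparison above can be scripted so that the digest is looked up by exact file name instead of being compared by eye. This is an added example, not part of the Extreme Networks guide: the function names and the SAMPLE file names are constructed for illustration, and it assumes GNU md5sum and one "<digest> <file name>" entry per manifest line, as in the listing above.

```shell
#!/bin/sh
# Added example (not from the VOSS guide): verify a downloaded image against
# the release .md5 manifest, looking the digest up by exact file name.
# Assumes GNU md5sum and manifest lines of the form "<32-hex-digest> <file name>"
# with no spaces in file names, as in the listing on this page.

# Print the digest recorded for file $2 in manifest $1; return 1 if none.
manifest_digest() {
    WANT=$(basename "$2") awk '
        {
            sub(/\r$/, "")              # tolerate CRLF manifests
            name = $2
            sub(/^\*/, "", name)        # md5sum -b prefixes names with an asterisk
        }
        # Exact match, so X.tgz never picks up the entry for X_modules.tgz.
        name == ENVIRON["WANT"] { print tolower($1); found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the lower-case MD5 digest of file $1.
file_digest() {
    md5sum "$1" | awk '{ print tolower($1) }'
}

# Return 0 on match, 1 on mismatch, 2 if an input file is missing,
# 3 if the manifest has no usable entry for the file.
verify_download() {
    manifest=$1
    file=$2
    if [ ! -f "$manifest" ] || [ ! -f "$file" ]; then
        echo "ERROR: cannot read $manifest or $file" >&2
        return 2
    fi
    expected=$(manifest_digest "$manifest" "$file") || {
        echo "ERROR: no entry for $(basename "$file") in $manifest" >&2
        return 3
    }
    # An MD5 digest is exactly 32 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*|"") echo "ERROR: malformed digest in $manifest" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "ERROR: malformed digest in $manifest" >&2; return 3; }
    actual=$(file_digest "$file")
    [ -n "$actual" ] || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $(basename "$file") $actual"
        return 0
    fi
    echo "MISMATCH: $(basename "$file") expected $expected got $actual" >&2
    return 1
}

# Constructed sample input: a stand-in image containing the 5 bytes "hello",
# listed in upper case next to a similarly named modules archive.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'hello' > "$dir/SAMPLE.1.0.0.0.tgz"
    printf '%s\n' \
        '00000000000000000000000000000000 SAMPLE.1.0.0.0_modules.tgz' \
        '5D41402ABC4B2A76B9719D911017C592 SAMPLE.1.0.0.0.tgz' \
        > "$dir/SAMPLE.1.0.0.0.md5"
    verify_download "$dir/SAMPLE.1.0.0.0.md5" "$dir/SAMPLE.1.0.0.0.tgz"
    demo_rc=$?
    rm -rf "$dir"
    return $demo_rc
}

demo
```

Call verify_download with the manifest and the image from a staging script, and copy the image to the switch only when the exit status is 0.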

Calculating the File Checksum


About This Task

Perform the following procedure to calculate or compare the MD5 or SHA512 digest for a specific file.
The file-checksum command calculates the MD5 or SHA512 digest for files on the internal flash and
either shows the output on screen or stores the output in a file that you specify. The file-checksum
command compares the calculated MD5 or SHA512 digest with that in a checksum file on flash, and the
compared output displays on the screen. By verifying the MD5 or SHA512 checksum, you can verify that
the file is transferred properly to the switch.

Important
• If the MD5 key file parameters change, you must remove the old file and create a new file.
• Use the file-checksum command with reserved files (for example, a password file)
only if you possess sufficient permissions to access these files.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Calculate the file checksum:
file-checksum {md5 | sha512} WORD<1–99> [-a] [-c] [-f WORD<1–99>] [-r]

Example

Switch:1>file-checksum md5 password -a -f password.md5

Variable Definitions
The following table defines parameters for the file-checksum command.

Variable Value
md5 Calculates or compares the MD5 digest for a specific file.
sha512 Calculates or compares the SHA512 digest for a specific file.
-a Adds data to the output file instead of overwriting it.
You cannot use the -a option with the -c option.
-c Compares the checksum of the specified file with the MD5 checksum present in the checksum
file. You can specify the checksum file name using the -f option. If the checksum
filename is not specified, the file /intflash/checksum.md5 is used for comparison.
If the supplied checksum filename and the default file are not available on flash, the system
displays the following error message on the switch:
Error: Checksum file <filename> not present.
The -c option also:
• calculates the checksum of the specified files
• compares the checksum with all keys in the checksum file, even if filenames do not match
• displays the output of comparison
-f Stores the result of MD5 checksum to a file on internal flash.
If the output file specified with the -f option is one of the reserved filenames on the switch,
the command fails with the error message:
Error: Invalid operation.
If the output file specified with the -f option is one of the files for which to compute the
MD5 checksum, the command fails with the error message:
Switch:1# md5 *.cfg -f config.cfg
Error: Invalid operation on file <filename>
If the checksum filename specified by the -f option exists on the switch (and is not one of
the reserved filenames), the system displays the following message on the switch:
File exists. Do you wish to overwrite? (y/n)
-r Reverses the output. Use with the -f option to store the output to a file.
You cannot use the -r option with the -c option.
WORD<1–99> Specifies the file name.

Resetting system functions


About This Task

Reset system functions to reset all statistics counters on the console port. Depending on your hardware
platform, the console port displays as console or 10101.

Procedure

1. Enter Privileged EXEC mode:


enable

2. Reset system functions:


sys action reset {console|counters}

Example

Switch:1> enable

Reset the statistics counters:

Switch:1# sys action reset counters

Are you sure you want to reset system counters (y/n)? y

Variable Definitions
The following table defines parameters for the sys action command.

Variable Value
reset {console|counters} console: Reinitializes the hardware universal asynchronous receiver
transmitter (UART) drivers and resets the console port. Use this command only if the console
connection does not respond.
counters: Resets all the statistics counters in the switch to zero.

Sourcing a Configuration
Source a configuration to merge a script file into the running configuration or verify the syntax of a
configuration file.

About This Task

The source cli command is intended for use with a switch that is running with a factory default
configuration to quickly load a pre-existing configuration from a file. If you source a configuration file to
merge that configuration into a running configuration, it can result in operational configuration loss if
the sourced configuration file contains any configuration that has dependencies on or conflicts with the
running configuration. Use the source command to merge smaller portions of a configuration into the
existing configuration.

Not all CLI commands are included in configuration files. Typical examples include, but are not limited
to, some operational and security-related commands. Ensure that you understand what configuration
options are included or not included in a configuration file when you use that file to build new
configurations.

The operational modes in the boot configuration file must be configured for some features (for
example, spbm-config-mode true/false). Before sourcing a configuration file, you need to
configure the boot config flag, save the configuration, and reboot the system. After the reboot,
you can source the configuration file without fail.

Important
Do not source a verbose configuration (verbose.cfg) with the debug stop option. The
sourcing process cannot complete if you use these two options with a verbose configuration.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Source a configuration:
source WORD<1–99> [debug] [stop] [syntax]

Example

Switch:1> enable

Debug the script output:

Switch:1# source testing.cfg debug

Variable Definitions
The following table defines parameters for the source command.

Variable Value
debug Debugs the script by outputting the configuration
commands to the screen.
stop Stops the sourcing of a configuration if an error
occurs.
syntax Checks the syntax of the configuration file. This
parameter does not load the configuration file;
only verifies the syntax.
If you use this parameter with the stop
parameter (source WORD<1-99> stop
syntax), the output displays on screen and
verification stops if it encounters an error.
If you use this parameter with the debug
parameter (source WORD<1-99> debug
syntax), the output does not stop if it
encounters an error; you must review the on-
screen output to verify if an error exists.
If you use this parameter by itself, it does not
output to the screen or stop on error; it shows an
error message, syntax errors in script,
to indicate if errors exist in the configuration file.
WORD<1–99> Specifies a filename and location in one of the
following formats:
• a.b.c.d:<file>
• /intflash/<file>
<file> is a string.

Using the USB Device


The following sections describe common procedures that you can use with the USB device.

Save a File to an External USB Device


Use the following procedure to save the configuration file or log file to an external USB device.

Caution
Always use the usb-stop command to safely unplug the USB drive from the USB slot.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Save the file to an external USB device:
a. To save the configuration file to an external USB device, enter:
save config file WORD<1–99>
b. To save the log file to an external USB device, enter:
save log file WORD<1–99>

Example
Switch:1#save config file /usb/test.cfg
CP-1: Save config to file /usb/test.cfg successful.
WARNING: Choice Primary Node Config file is "/intflash/soak.cfg".

Switch:1#
Switch:1#save log file /usb/test.log

Save log to file /usb/test.log successful.


Save log to file /usb/test.log successful.
Switch:1#

Variable definitions

The following table defines parameters for the save command.

Variable Value
config file Specifies the software configuration device and configuration file name in one of
WORD<1–99> the following formats:
• a.b.c.d:<file>
• /intflash/<file>
• /usb/<file>
The file name, including the directory structure, can include up to 99 characters.
log file Specifies the software configuration device and log file name in one of the
WORD<1–99> following formats:
• a.b.c.d:<file>
• /intflash/<file>
• /usb/<file>
The file name, including the directory structure, can include up to 99 characters.

Back Up and Restore the Compact Flash to an External USB Device


Perform this procedure to back up and restore the contents of the internal compact flash to a USB flash
device without entering multiple copy commands. This procedure is useful if you want to copy the
complete compact flash contents to another chassis.

Caution
Always use the usb-stop command to safely unplug the USB drive from the USB slot.

Before You Begin


• Important
Disable logging using the command: no boot config logging.

• You must have a USB storage device ready to use that is at least 2 GB. The switch supports USB 1
and 2.

About This Task

The system verifies that the USB flash device has enough available space to perform the backup
operation. If the USB flash device does not have enough available space, the system displays an
error message. The backup command uses the following filepath on the USB flash device: /usb/
intflash/intflashbackup_yyyymmddhhmmss.tgz.

The backup action can take up to 10 minutes.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Back up the internal flash to USB:
backup intflash
3. Restore the data to the internal flash:
restore intflash

Example

Switch:1#backup intflash
Warning: Command will backup all data from /intflash to /usb/intflash.
It will take a few minutes and may cause high CPU utilization.

Are you sure you want to continue? (y/n) ? y

For file system /intflash:


7252475904 total bytes on the filesystem
990920704 used bytes on the filesystem
6261555200 free bytes on the filesystem

For file system /usb:


2021216256 total bytes on the filesystem
12038144 used bytes on the filesystem
2009178112 free bytes on the filesystem

cd /intflash ; /bin/tar -czvf /usb/intflash/intflashbackup_20140610074501.tgz * ; /bin/sync

Info: Backup /intflash to filename /usb/intflash/intflashbackup_20140610074501.tgz is complete!

Do you want to stop the usb? (y/n) ? n

Copy Configuration and Log Files from a USB Device to Intflash


Copy configuration and log files from an external USB device to the internal Flash memory.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Copy configuration or log files from the USB device to Intflash:
copy /usb/<srcfile> /intflash/<destfile>

Example

Switch:1#enable

Switch:1#copy /usb/test.cfg /intflash/test.cfg

Variable Definitions

The following table defines parameters for the copy command.

Variable Value
<destfile> Specifies the name of the configuration or log file when copied to the internal Flash
memory. The destination file name must be lower case and have a file extension of .cfg
or .log. For example, test.cfg or test.log.
The file name, including the directory structure, can include up to 255 characters.
<srcfile> Specifies the name of the configuration or log file on the USB device. For example, test.cfg
or test.log.
The file name, including the directory structure, can include up to 255 characters.

Display the Contents of a USB File


Use the following procedure to view content of a USB file.

Caution
Always use the usb-stop command to safely unplug the USB drive from the USB slot.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display content of a USB file:
more WORD<1-99>

Example

Switch:1#enable

Switch:1#more /usb/test.cfg

Variable definitions

The following table defines parameters for the more command.

Variable Value
WORD<1–99> Specifies the file name in the following format:
• /usb/<file>
The file name, including the directory structure, can include up to 99 characters.

Move a File to or from a USB Device


Use the following procedure to move a file from the internal Flash memory (Intflash) to an external USB
device, or from a USB device to Intflash.

Caution
Always use the usb-stop command to safely unplug the USB drive from the USB slot.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Move a file to a safe location:
a. To move a file from Intflash to a USB device:
mv /intflash/<srcfile> /usb/<destfile>
b. To move a file from a USB device to Intflash:
mv /usb/<srcfile> /intflash/<destfile>

Example
Switch:1#enable
Switch:1#mv /intflash/test.cfg /usb/test.cfg
Switch:1#enable
Switch:1#mv /usb/test.cfg /intflash/test.cfg

Variable Definitions

The following table defines parameters for the mv command.

Variable Value
<destfile> Specifies the name of the configuration or log file when moved to the USB device. The
destination file name must be lower case and have a file extension of .cfg or .log. For
example, test.cfg or test.log.
The file name, including the directory structure, can include up to 255 characters.
<srcfile> Specifies the name of the configuration or log file on the internal flash memory. For
example, test.cfg or test.log.
The file name, including the directory structure, can include up to 255 characters.

Delete a file from a USB Device


Use the following procedure to delete a file from an external USB device.

Caution
Always use the usb-stop command to safely unplug the USB drive from the USB slot.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Delete a file from a USB device:
delete WORD<1–255>

Example

Switch:1#enable
Switch:1#delete /usb/test.cfg
Are you sure (y/n) ? y

Variable Definitions

The following table defines parameters for the delete command.

Variable Value
WORD<1–255> Specifies the file name in the following format:
• /usb/<file>

Back Up Configuration Files to ZIP

Table 26: ExtremeCloud IQ ‑ Site Engine backup configuration ZIP file product support
Feature: ExtremeCloud IQ ‑ Site Engine backup configuration ZIP file
For more information, see ExtremeCloud IQ ‑ Site Engine documentation.

Product Release introduced
VSP 4450 Series VOSS 6.1.2
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 6.1.2
VSP 7400 Series VOSS 8.0
VSP 8200 Series VOSS 6.1.2
VSP 8400 Series VOSS 6.1.2
VSP 8600 Series VSP 8600 6.1
XA1400 Series VOSS 8.0.50

ExtremeCloud IQ ‑ Site Engine has a configuration backup feature that requires the ability to
back up configuration-related files.

Note
License files are not backed up.

Backing up configuration files to a ZIP file


About This Task

Use this procedure to back up configuration files.

Important
Only the RWA user can use the backup command.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Use the backup command:
backup configure WORD<1–99>

Example
Switch:1>enable
Switch:1#backup configure /intflash/backup02072018

Successfully backed up config /intflash to /intflash/backup02072018.tgz

Restoring configuration files from a ZIP file


About This Task

Use the following procedure to restore previously backed up configuration files.

Before You Begin


• Download the backup file to the /intflash directory.
• If restoring the configuration files on a new switch, you must do one of the following:
◦ Disable ISIS on the old switch.
◦ Power the old switch down.
◦ Remove the old switch from the network.
• If restoring the configuration files on a different switch, use the isis dup-detection-temp-disable
command on the new switch to suspend duplicate detection prior to its insertion into the existing
SPBM topology.

Important
This must be done after the original unit has been completely removed or isolated from
the SPBM topology.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Run the restore command to restore the configuration files.
restore configure WORD<1–99>

Example
Switch:1>enable
Switch:1#restore configure /intflash/backup02072018.tgz

Warning: Command will restore your backup setup and access files
The current files will be overwritten.

Are you sure you want to continue? (y/n) ?y

Restore /intflash from /intflash/backup02072018.tgz is complete!


Reboot is required for the new configuration to be effective

Basic administration procedures using EDM


The following section describes common procedures that you use while you configure and monitor the
switch operations using Enterprise Device Manager (EDM).

Reset the Platform


Reset the platform to reload system parameters from the most recently saved configuration file. Use the
following procedure to reset the device using EDM.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Chassis.
3. Select the System tab.
4. From ActionGroup1, select saveRuntimeConfig.
5. Select Apply.

6. From ActionGroup4, select softReset.
7. Select Apply.

Show the MTU for the System


About This Task

Perform this procedure to show the MTU configured for the system.

Procedure

1. On the Device Physical View, select the Device.


2. In the navigation pane, expand Configuration > Edit.
3. Click Chassis.
4. Click on the Chassis tab.
5. Verify the selection for the MTU size.

Save the Configuration


About This Task

After you change the configuration, you must save the changes on the device. Save the configuration to
a file to retain the configuration settings.

Note
When you log out of the EDM interface, a dialog box automatically prompts if you want to
save the configuration. If you want to save the configuration, click OK. If you want to close
without saving the configuration, click Cancel. If you no longer see the prompt, clear your
browser cache, restart your browser and reconnect.

Procedure

1. In the Device Physical View tab, select the Device.


2. In the navigation pane, expand Configuration > Edit.
3. Click Chassis.
4. Click the System tab.
5. (Optional) Specify a filename in ConfigFileName.
If you do not specify a filename, the system saves the information to the default file.
6. In ActionGroup1, select saveRuntimeConfig.
7. Click Apply.

Boot parameter configuration using the CLI


Use the procedures in this section to configure and manage the boot process.

Modify the Boot Sequence


About This Task

Modify the boot sequence to prevent the switch from using the factory default settings or, conversely,
to prevent loading a saved configuration file.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Bypass the loading of the switch configuration file and load the factory defaults:
boot config flags factorydefaults
3. Use a configuration file and not the factory defaults:
no boot config flags factorydefaults

Important
If the switch fails to read and load a saved configuration file after it starts, check the log
file to see if the log file indicates that the factorydefaults setting was enabled, before you
investigate other options.

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#boot config flags factorydefaults

Configuring the remote host logon


Before You Begin
• The FTP server must support the FTP passive (PASV) command. If the FTP server does not support
the passive command, the file transfer is aborted, and then the system logs an error message that
indicates that the FTP server does not support the passive command.

About This Task

Configure the remote host logon to modify parameters for FTP and TFTP access. The defaults enable
TFTP transfers. If you want to use FTP as the transfer mechanism, you need to change the password to
a non-null value.

Important
tftp-debug should be used exclusively to transfer small files less than 1MB in size. Using it for
larger files might cause unwanted behavior, such as transfer failure.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Define conditions for the remote host logon:
boot config host {ftp-debug|password WORD<0–16>|tftp-debug|tftp-hash|tftp-rexmit <1–120>|tftp-timeout <1–120>|user WORD<0–16>}
3. Save the changed configuration.

Example

Switch:1> enable

Switch:1# configure terminal

Enable console tftp/tftpd debug messages:

Switch:1# boot config host tftp-debug

Switch:1# save config

Changing the primary or secondary boot configuration files


About This Task

Change the primary or secondary boot configuration file to specify which configuration file the system
uses to start.

Configure the primary boot choices.

You have a primary configuration file that specifies the full directory path and a secondary configuration
file that also contains the full directory path.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Change the primary boot choice:
boot config choice primary {backup-config-file|config-file} WORD<0–255>
3. Save the changed configuration.
4. Restart the switch.

Example

Switch:1> enable

Switch:1# configure terminal

Specify the configuration file in internal flash memory as the primary boot source:

Switch:1(config)# boot config choice primary config-file /intflash/config.cfg

Switch:1(config)# save config

Switch:1(config)# reset

Variable Definitions
The following table defines parameters for the boot config command.

Variable Value
{backup-config-file| Specifies that the boot source uses either the configuration file or
config-file} a backup configuration file.
WORD<0–255> Identifies the configuration file. WORD<0–255> is the device and
file name, up to 255 characters including the path, in one of the
following formats:
• a.b.c.d:<file>
• /usb/<file>
• /intflash/<file>
To set this option to the default value, use the default operator
with the command.

Configure Boot Flags


Before You Begin
• If you enable the hsecure flag, you cannot enable the flags for the web server or SSH password-
authentication.

Important
After you change certain configuration parameters using the boot config flags
command, you must save the changes to the configuration file.

About This Task

Configure the boot flags to enable specific services and functions for the chassis.

Note
Flag support can vary across hardware models.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal

2. Enable boot config flag(s) on the switch using the boot config flags command.
Enable the following flags, as needed:
• advanced-feature-bandwidth-reservation [low | high]
• block-snmp
• debug-config [console] | [file]
• debugmode
• dvr-leaf-mode
• enhancedsecure-mode <jitc|non-jitc>
• factorydefaults
• flow-control-mode
• ftpd
• ha-cpu
• hsecure
• ipv6-egress-filter
• ipv6-mode
• linerate-directed-broadcast
• logging
• nni-mstp
• reboot
• rlogind
• savetostandby
• spanning-tree-mode <mstp|rstp>
• spbm-config-mode
• sshd
• syslog-rfc5424-format
• telnetd
• tftpd
• trace-logging
• urpf-mode
• verify-config
• vrf-scaling
• vxlan-gw-full-interworking-mode
3. Save the changed configuration.
4. Restart the switch.

Example

Activate High Secure mode:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#boot config flags hsecure

Switch:1(config)#save config
Switch:1(config)#reset

Variable Definitions
The following table defines parameters for the boot config flags command.

Variable Value
advanced-feature-bandwidth-reservation [low | high] Enables the switch to support advanced
features by reserving ports as loopback ports. When disabled, you can use all ports on the
switch, but advanced features do not work.
The default is enabled with low level.
• The high level means that the switch reserves the maximum bandwidth for the advanced
features.
• The low level means that the switch reserves less bandwidth to support minimum
functionality for advanced features.
If you change this parameter, you must restart the switch.
Note: Exception: only supported on VSP 7400 Series and XA1480.
block-snmp Activates or disables Simple Network
Management Protocol management. The default
value is false (disabled), which permits SNMP
access.
debug-config [console] | [file] Enables you to debug the configuration file during
loading configuration at system boot up. The
default is disabled. You do not have to restart
the switch after you enable debug-config, unless
you want to immediately debug the configuration.
After you enable debug-config and save the
configuration, the debug output either displays on
the console or logs to an output file the next time
the switch reboots.
The options are:
• debug-config [console]—Displays the line-by-
line configuration file processing and result of
the execution on the console while the device
loads the configuration file.
• debug-config [file]—Logs the line-by-line configuration file processing and result of
the execution to the debug file while the device loads the configuration file.
The system logs the debug config output to /intflash/debugconfig_primary.txt for the
primary configuration file. The system logs the debug config output to
/intflash/debugconfig_backup.txt for the backup configuration, if the backup configuration
file loads.

debugmode Enables a TRACE on any port by prompting the selection on the console during boot
up. This allows the user to start a trace for debugging earlier on a specified port. Works on
console connection only. The default is disabled.
Important: Do not change this parameter unless directed by technical support.
dvr-leaf-mode Enables an SPB node to be configured as a DvR Leaf.
A node that has this flag set cannot be configured as a DvR Controller.
The boot flag is disabled by default.
enhancedsecure-mode {jitc | non-jitc} Enables enhanced secure mode in either the Joint
Interoperability Test Command (JITC) or non-JITC sub-modes.
Note: As a best practice, enable the enhanced secure mode in the non-JITC sub-mode, because
the JITC sub-mode is more restrictive and prevents the use of some CLI commands that are
commonly used for troubleshooting.
When you enable enhanced secure mode in either the JITC or non-JITC sub-modes, the
switch provides role-based access levels, stronger password requirements, and stronger rules
on password length, password complexity, password change intervals, password reuse, and
password maximum age use.
factorydefaults Specifies whether the switch uses the factory
default settings at startup. The default value is
disabled. This flag is automatically reset to the
default setting after the CPU restarts. If you
change this parameter, you must restart the
switch.

Note:
The factorydefaults flag deletes the runtime,
primary and backup configuration files, local
password files, authentication keys, and
certificates. After a factory default, you must
change the password on first login.

flow-control-mode Enables or disables flow control globally. When disabled, the system
neither generates nor configures the transmission of flow control messages. The system always
honors received flow control messages regardless of the flow control mode status. You must
enable this mode before you configure an interface to send pause frames.
The default is disabled.
Note: Exception: not supported on VSP 8600 Series.
ftpd Activates or disables the FTP server on the switch.
The default value is disabled. To enable FTP,
ensure that the tftpd flag is disabled.
ha-cpu Activates or disables High Availability-CPU (HA-CPU) mode. Switches with two CPUs use
HA mode to recover quickly from a failure of one of the CPUs.
If you enable or disable HA mode, the secondary CPU resets automatically to load settings from
the saved configuration file.
Note: Exception: only supported on VSP 8600 Series.
hsecure Activates or disables High Secure mode.
The hsecure command provides the following
password behavior:
• 10 character enforcement
• The password must contain a minimum of 2
uppercase characters, 2 lowercase characters,
2 numbers, and 2 special characters.
• Aging time
• Failed login attempt limitation
The default value is disabled. If you enable High
Secure mode, you must restart the switch to
enforce secure passwords. If you operate the
switch in High Secure mode, the switch prompts
a password change if you enter invalid-length
passwords.
ipv6-egress-filter Enables IPv6 egress filters. The default is disabled.
If you change this parameter, you must restart the switch.
Note:
Exception: not supported on VSP 8600 Series and XA1400 Series.

ipv6-mode Enables IPv6 mode on the switch.

Note:
Exception: not supported on VSP 4450 Series, VSP 8600 Series, and
XA1400 Series.

linerate-directed-broadcast {true | false} Enables or disables support
for IP Directed Broadcast in hardware without requiring CPU intervention.
Setting this boot flag will put port 1/46 into loopback mode, making it
unusable for external connections, so you need to move any existing
connections on this port first. After setting this boot flag, save the
configuration, and then restart the switch.
The default value is disabled.
Note:
Exception: only supported on VSP 4450 Series.

Important:
The software cannot be upgraded or downgraded
to a software release that does not contain this
directed broadcast hardware assist functionality
without first disabling this feature and saving the
configuration.

logging Activates or disables system logging. The default value is
enabled. The system names log files according to the following:
• The system displays the file names in 8.3
(log.xxxxxxxx.sss) format.
• The first 6 characters of the file name contain
the last three bytes of the chassis base MAC
address.
• The next two characters in the file name
specify the slot number of the CPU that
generated the logs.
• The last three characters in the file name are
the sequence number of the log file.
The system generates multiple sequence numbers
for the same chassis and same slot if the system
reaches the maximum log file size.
nni-mstp Enables MSTP and VLAN configuration on network-to-network
interface (NNI) ports. The default is disabled.
Note:
Spanning Tree is disabled on all NNIs.

You cannot add an SPBM NNI port or MLT port to any non SPBM B-VLAN. You
cannot add additional C-VLANs to a brouter port.
Note:
Exception: not supported on VSP 8600 Series and XA1400 Series.
reboot Activates or disables automatic reboot on a fatal
error. The default value is activated.

Important:
Do not change this parameter unless directed by
technical support.

rlogind Activates or disables the rlogin and rsh server. The
default value is disabled.
Note:
Exception: rlogin and rsh are only supported on VSP 8600 Series.

savetostandby Activates or disables automatic save of the configuration
file to the standby CPU. The default value is enabled. If you operate a
dual CPU system, enable this flag for ease of operation.
Note:
Exception: only supported on VSP 8600 Series.

spanning-tree-mode <mstp|rstp> Specifies the Multiple Spanning Tree
Protocol or Rapid Spanning Tree Protocol mode. If you do not specify a
protocol, the switch uses the default mode. The default mode is mstp. If
you change the spanning tree mode, you must save the current
configuration and restart the switch.
spbm-config-mode Enables you to configure SPB and IS-IS, but you
cannot configure PIM and IGMP either globally or
on an interface.
Use the no operator so that you can configure
PIM and IGMP.
The boot flag is enabled by default. To set this flag
to the default value, use the default operator
with the command.
sshd Activates or disables the SSHv2 server service.
The default value is disabled.
syslog-rfc5424-format Controls the format of the syslog output and
logging. By default, the switch uses the RFC5424
format. If the RFC based format is disabled, the
older format is used.
telnetd Activates or disables the Telnet server service. The
default is disabled.
tftpd Activates or disables Trivial File Transfer Protocol
server service. The default value is disabled.
trace-logging Activates or disables the creation of trace logs.
The default value is disabled.

Important:
Do not change this parameter unless directed by
technical support.

urpf-mode Enables Unicast Reverse Path Forwarding (uRPF) globally. You
must enable uRPF globally before you configure it on a port or VLAN. The
default is disabled.
Note:
Exception: not supported on VSP 8600 Series and XA1400 Series.

verify-config Activates syntax checking of the configuration file.
The default is enabled.
• Primary config behavior: When the verify-config flag is enabled, the
primary config file is pre-checked for syntax errors. If the system finds
an error, the primary config file is not loaded; instead, the system
loads the backup config file.

If the verify-config flag is disabled, the system does not pre-check
syntax errors. When the verify-config flag is disabled, the system
ignores any lines with errors during loading of the primary config file.
If the primary config file is not present or cannot be found, the system
tries to load the backup file.
• Backup config behavior: If the system loads the backup config file, the
system does not check the backup file for syntax errors. It does not
matter if the verify-config flag is disabled or enabled. With the backup
config file, the system ignores any lines with errors during the loading
of the backup config file.

If no backup config file exists, the system defaults to factory defaults.
As a best practice, disable the verify-config flag.
vrf-scaling Increases the maximum number of VRFs and
Layer 3 VSNs that the switch supports. This flag
is disabled by default.

Important:
If you enable both this flag and the spbm-config-mode flag, the switch
reduces the number of
configurable VLANs. For more information about
maximum scaling numbers, see VOSS Release
Notes.

vxlan-gw-full-interworking-mode Enables VXLAN Gateway in Full
Interworking Mode, which supports SPB, SMLT, and vIST.
By default, the Base Interworking Mode is enabled and Full Interworking
Mode is disabled. You change modes by enabling this boot configuration
flag.
The no operator selects the default Base Interworking Mode. In this mode,
VXLAN Gateway supports Layer 2 gateway communication between VXLAN
and traditional VLAN environments.
For more information about feature support, see
VOSS Feature Support Matrix.
Note:
Exception: only supported on VSP 7200 Series, VSP 7400 Series, VSP 8200
Series, and VSP 8400 Series.
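
The log file naming rule given for the logging flag above can be used to attribute collected log files to a chassis and CPU slot. The following Python code is an added example, not code from the guide or from Extreme Networks; the device names, MAC addresses and file names are constructed, and the character classes accepted for the slot and sequence fields are an assumption because the guide does not state them.

```python
import re
from collections import defaultdict

# log.<6 hex chars: last three bytes of chassis base MAC><2 chars: CPU slot>.<3 chars: sequence>
# Assumption: slot and sequence fields are alphanumeric (the guide does not say).
LOG_NAME = re.compile(r"^log\.([0-9a-fA-F]{6})([0-9a-zA-Z]{2})\.([0-9a-zA-Z]{3})$")


def parse_log_name(name):
    """Split a log file name into its documented fields, or return None."""
    m = LOG_NAME.match(name)
    if m is None:
        return None
    mac_tail, slot, seq = m.groups()
    return {"mac_tail": mac_tail.lower(), "slot": slot, "seq": seq}


def attribute_logs(filenames, inventory):
    """Map log files to (device, slot) using an inventory of chassis base MACs.

    inventory: {device_name: base_mac}. Two devices that share the same last
    three MAC bytes cannot be told apart by file name, so those files are
    reported as ambiguous instead of being guessed.
    """
    tails = defaultdict(list)
    for device, base_mac in inventory.items():
        digits = re.sub(r"[^0-9a-fA-F]", "", base_mac).lower()
        tails[digits[-6:]].append(device)

    matched = defaultdict(list)
    result = {"ambiguous": [], "unknown": [], "invalid": []}
    for name in filenames:
        fields = parse_log_name(name)
        if fields is None:
            result["invalid"].append(name)
            continue
        owners = tails.get(fields["mac_tail"], [])
        if len(owners) == 1:
            matched[(owners[0], fields["slot"])].append(name)
        elif owners:
            result["ambiguous"].append(name)
        else:
            result["unknown"].append(name)

    # Fixed-width sequence fields sort correctly as strings.
    for files in matched.values():
        files.sort(key=lambda n: parse_log_name(n)["seq"])
    result["matched"] = dict(matched)
    return result


# Constructed sample data.
INVENTORY = {"core-sw-1": "00:1b:4f:a1:b2:00", "edge-sw-7": "00-1B-4F-0C-DD-00"}
COLLECTED = [
    "log.a1b20001.002", "log.a1b20001.001", "log.a1b20002.001",
    "log.0cdd0001.001", "log.ffee0001.001", "log.txt",
]

if __name__ == "__main__":
    report = attribute_logs(COLLECTED, INVENTORY)
    for key, files in sorted(report["matched"].items()):
        print(key, files)
    print("unknown:", report["unknown"], "invalid:", report["invalid"])
```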

Specify the Primary CPU and the Standby Delay


Note
This procedure only applies to VSP 8600 Series.

Specify the primary CPU to designate which CPU becomes the primary after the switch performs a full
power cycle. This procedure applies only to hardware with two CPUs.

About This Task

Configure the standby delay to set the number of seconds a standby CPU waits before trying to
become the primary CPU. The standby delay applies when two CP modules boot at the same time. The
designated standby CP waits for the configured number of seconds before attempting to assert itself as
the primary. Only one CP can be the primary in a chassis.

Caution
If you configure the standby delay to a value that is too short, the configured standby CP can
become a primary. If you configure the standby delay to a value that is too long, it can delay the
standby CP asserting itself and continuing to boot when the designated CP is inserted but fails booting.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. View the current configuration for the primary CPU:
show boot config master
3. Specify the slot of the primary CPU:
boot config master <1–2>
4. Save the changed configuration.
5. Configure the number of seconds a standby CPU waits before trying to become the primary CPU:
boot config delay <0–255>
6. Save the changed configuration.
7. Restart the switch.

Example
Switch:1>enable
Switch:1#configure terminal

Specify the slot number, either 1 or 2, for the primary CPU:


Switch:1(config)# boot config master 2
Switch:1(config)# save config

Specify the number of seconds a standby CPU waits before trying to become the primary CPU:
Switch:1(config)# boot config delay 30
Switch:1(config)# save config
Switch:1(config)# reset


Variable Definitions
The following table defines parameters for the boot config master command.

Variable Value
<1–2> Specifies the slot number, either 1 or 2, for the
primary CPU. The default value is slot 1.

Reserve Bandwidth for Advanced Features


Use this procedure if you want the switch to support advanced features. When you enable this boot
flag, you need to save and reboot with the new configuration.

Before You Begin

Product Notice: For VSP 7400 Series, you must ensure your configuration does not include reserved
ports before you enable this feature. If the configuration includes reserved ports after you enable this
feature and restart the switch, the switch stops loading the configuration.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable the boot flag:
boot config flags advanced-feature-bandwidth-reservation [low | high]
3. Save the configuration, and then reboot the switch.

Important
A change to the advanced-feature-bandwidth-reservation boot flag requires a reboot for
the change to take effect.

4. Verify the boot flag configuration:


show boot config flags
5. Verify that the switch reserved the ports as loopback ports. Reserved ports are not visible in the
output of the following command:

Note
This step only applies to VSP 7400 Series.

show interfaces gigabitEthernet

Example

Enable this feature to the low level.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#boot config flags advanced-feature-bandwidth-reservation low
Warning: Please note that the configuration for the following ports 1/31-1/32
will be removed from the configuration file.
Are you sure you want to continue (y/n) ? y
Warning: Please save the configuration and reboot the switch
for this to take effect.
Flag advanced-feature-bandwidth-reservation is changed to enable (low).

Display Advanced Feature Bandwidth Reservation Ports


Note
This procedure only applies to VSP 7400 Series.

After you configure the advanced-feature-bandwidth-reservation boot flag and reboot
with the new configuration, you can use the following procedure to verify that the switch reserved ports
for configuring advanced features.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the Advanced Feature Bandwidth Reservation mode and reserved ports:
show sys-info

Example
Switch#show sys-info

General Info :

SysDescr : Switch1 (w.x.y.z) BoxType: Switch1


SysName : Switch1
.
.
.

Advanced Feature Bandwidth Reservation:


--------------------------------------------------------------------------------

Reservation Mode : low


Port Usage Info : 1/31 and 1/32 are not available to use

Display the Boot Configuration


About This Task

Display the configuration to view current or changed settings for the boot parameters.

Procedure

1. Enter Privileged EXEC mode:


enable
2. View the configuration:
show boot config <choice|flags|general|host|master|running-config
[verbose]|sio>


Example

Show the current boot configuration. If you omit verbose, the system only displays the values that you
changed from their default value:

Switch:1>enable

Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)#show boot config running-config


#
#Mon Feb 13 13:32:58 2017 EST
#
boot config flags debug-config file
boot config flags debugmode
boot config flags ftpd
no boot config flags spbm-config-mode
boot config flags sshd
boot config flags telnetd
boot config flags tftpd
no boot config flags verify-config
boot config choice primary backup-config-file "/intflash/config.cfg"
#boot config sio console baud 115200
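
The example output above lists only values changed from their defaults, so reviewing it means overlaying it on the defaults documented in the boot flag table. The following Python code is an added example, not part of the guide or of VOSS; it parses that output and reports flags worth a security review. The review policy (treating FTP, TFTP, Telnet and rlogin as cleartext services, and expecting sshd and hsecure to be enabled) and all function names are assumptions of this example.

```python
import re

# Defaults as documented in the boot flag table on this page (True = enabled).
DOCUMENTED_DEFAULTS = {
    "ftpd": False, "tftpd": False, "telnetd": False, "sshd": False,
    "rlogind": False, "hsecure": False, "trace-logging": False,
    "factorydefaults": False, "logging": True, "verify-config": True,
    "spbm-config-mode": True, "reboot": True,
}

# Assumed review policy: services that carry credentials or files unencrypted.
CLEARTEXT_SERVICES = ("ftpd", "tftpd", "telnetd", "rlogind")

FLAG_LINE = re.compile(r"^(no\s+)?boot config flags\s+(\S+)")


def parse_boot_flags(text):
    """Overlay a non-verbose 'show boot config running-config' on the defaults.

    'boot config flags X' enables X; 'no boot config flags X' disables it.
    Comment lines (starting with '#') and non-flag lines are ignored.
    """
    state = dict(DOCUMENTED_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FLAG_LINE.match(line)
        if m:
            state[m.group(2)] = m.group(1) is None
    return state


def audit(state):
    """Return (flag, reason) findings for the effective flag state."""
    findings = []
    for svc in CLEARTEXT_SERVICES:
        if state.get(svc):
            findings.append((svc, "cleartext service is enabled"))
    if state.get("ftpd") and state.get("tftpd"):
        findings.append(("ftpd+tftpd", "guide says tftpd must be disabled to enable FTP"))
    if not state.get("sshd"):
        findings.append(("sshd", "SSHv2 server is disabled"))
    if not state.get("hsecure"):
        findings.append(("hsecure", "High Secure password rules are not enforced"))
    if not state.get("logging"):
        findings.append(("logging", "system logging is disabled"))
    # Enabled flags whose default is not covered above need a manual look.
    for flag, enabled in sorted(state.items()):
        if enabled and flag not in DOCUMENTED_DEFAULTS:
            findings.append((flag, "enabled flag outside the reviewed set"))
    return findings


# Copied from the example output on this page.
SAMPLE = """\
#
#Mon Feb 13 13:32:58 2017 EST
#
boot config flags debug-config file
boot config flags debugmode
boot config flags ftpd
no boot config flags spbm-config-mode
boot config flags sshd
boot config flags telnetd
boot config flags tftpd
no boot config flags verify-config
boot config choice primary backup-config-file "/intflash/config.cfg"
#boot config sio console baud 115200
"""

if __name__ == "__main__":
    for flag, reason in audit(parse_boot_flags(SAMPLE)):
        print(f"{flag}: {reason}")
```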

Variable Definitions
The following table defines parameters for the show boot config command.

Variable Value
choice Shows the current boot configuration choices.
flags Shows the current flag settings.
general Shows system information.
host Shows the current host configuration.
master Shows the master information.
running-config Shows the current boot configuration.
[verbose] If you use verbose, the system displays all possible information. If you
omit verbose, the system displays only the values that you changed
from their default value.
sio Specifies the current configuration of the serial ports.

Configure Serial Port Devices


Configure the serial port devices to define connection settings for the console port. Depending on your
hardware platform, the console port displays as console or 10101.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. View the current baud rate configuration:


show boot config sio
3. Change the console baud rate:
boot config sio console baud <9600–115200> <1–8>|<SF1–SF3>
4. Save the changed configuration.
5. Restart the switch.

Example
Switch:1>enable
Switch:1#config terminal
Switch:1(config)#show boot config sio
sio console baud 115200 2
sio console baud 115200 5
sio console baud 115200 8
sio console baud 115200 SF1
sio console baud 115200 SF3

Configure the baud rate to 9600 for the console port in IOC module slot 2:
Switch:1(config)#boot config sio console baud 9600 2
Switch:1(config)#show boot config sio
sio console baud 9600 2
sio console baud 115200 5
sio console baud 115200 8
sio console baud 115200 SF1
sio console baud 115200 SF3

Variable Definitions
The following table defines parameters for the boot config sio console command.


Variable Value
baud <9600–115200> Configures the baud rate for the port from one of the following:
• 9600
• 19200
• 38400
• 57600
• 115200
The default value differs depending on hardware platform:
• VSP 4450 Series — 9600
• VSP 4900 Series — 115200
• VSP 7200 Series — 9600
• VSP 7400 Series — 115200
• VSP 8200 Series — 9600
• VSP 8400 Series — 9600
• VSP 8600 Series — 115200
• XA1400 Series — 115200

<1–8> | <SF1–SF3> Configures the individual console baud rate for the IOC modules in
slots 1 through 8 or the switch fabric (SF) modules in slots SF1 through SF3.
Note:
Exception: only supported on VSP 8600 Series.

Run-time process management using CLI


Configure and manage the run-time process using the Command Line Interface (CLI).

Configuring the time zone


About This Task

Configure the time zone to use an internal system clock to maintain accurate time. The time zone data
in Linux includes daylight changes for all time zones up to the year 2038. You do not need to configure
daylight savings.

The default time zone is Coordinated Universal Time (UTC).

Important
In October 2014, the government of Russia moved Moscow from UTC+4 into the UTC+3 time
zone with no daylight savings.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure the time zone by using the following command:
clock time-zone WORD<1–10> WORD<1–20> WORD<1–20>


3. Save the changed configuration.

Example

Configure the system to use the time zone data file for Vevay:

Switch:1(config)# clock time-zone America Indiana Vevay

Variable Definitions
The following table defines parameters for the clock time-zone command.

Variable Value
WORD<1–10> Specifies a directory name or a time zone name in /usr/share/zoneinfo,
for example, Africa, Australia, Antarctica, or US. To see a list of options,
enter clock time-zone at the command prompt without variables.
WORD<1–20> WORD<1–20> The first instance of WORD<1–20> is the area within the timezone.
The value represents a time zone data file in /usr/share/zoneinfo/WORD<1–10>/,
for example, Shanghai in Asia.
The second instance of WORD<1–20> is the subarea. The value represents a time zone
data file in /usr/share/zoneinfo/WORD<1–10>/WORD<1–20>/, for example, Vevay in
America/Indiana.
To see a list of options, enter clock time-zone at the command
prompt without variables.

Configure the Run-time Environment


About This Task

Configure the run-time environment to define generic configuration settings for CLI sessions.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Change the login prompt:
login-message WORD<1-1513>
3. Change the password prompt:
passwordprompt WORD<1-1510>
4. Configure the number of supported rlogin sessions:
max-logins <0-8>

Note
This step only applies to VSP 8600 Series.

5. Configure the number of supported inbound Telnet sessions:


telnet-access sessions <0-8>


6. Configure the idle timeout period before automatic logoff for CLI and Telnet sessions:
cli timeout <30-65535>
7. Configure the number of lines in the output display:
terminal length <8–64>
8. Configure scrolling for the output display:
terminal more <disable|enable>

Example
Switch:1>enable
Switch:#configure terminal

Use the default option to enable use of the default logon string:

Switch:(config)#default login-message

Use the default option before this parameter to enable use of the default string:

Switch:(config)#default passwordprompt

Configure the allowable number of inbound remote CLI logon sessions:

Switch:(config)#max-logins 5

Configure the allowable number of inbound Telnet sessions:

Switch:(config)#telnet-access sessions 8

Configure the timeout value, in seconds, to wait for a Telnet or CLI login session before terminating the
connection:
Switch:(config)#cli timeout 900

Configure the number of lines in the output display for the current session:

Switch:(config)#terminal length 30

Configure scrolling for the output display:

Switch:(config)#terminal more disable


Variable Definitions
The following table defines parameters for the login-message command.

Variable Value
WORD<1-1513> Changes the CLI logon prompt.
• WORD<1-1513> is an American Standard Code for
Information Interchange (ASCII) string from 1–1513
characters.
• Use the default option before this parameter,
default login-message, to enable use of the
default logon string.
• Use the no operator before this parameter, no
login-message, to disable the default logon
banner and display the new banner.

Use the data in the following table to use the passwordprompt command.

Variable Value
WORD<1-1510> Changes the CLI password prompt.
• WORD<1-1510> is an ASCII string from 1–1510
characters.
• Use the default option before this parameter,
default passwordprompt, to enable using the
default string.
• Use the no operator before this parameter, no
passwordprompt, to disable the default string.

Use the data in the following table to use the max-logins command.

Variable Value
<0-8> Configures the allowable number of inbound remote
CLI logon sessions. The default value is 8.
Note:
Exception: only supported on VSP 8600 Series.

Use the data in the following table to use the telnet-access sessions command.

Variable Value
<0-8> Configures the allowable number of inbound Telnet
sessions. The default value is 8.


Use the data in the following table to use the cli timeout command.

Variable Value
<30-65535> Configures the timeout value, in seconds, to wait for
a Telnet or CLI login session before terminating the
connection.

Use the data in the following table to use the terminal command.

Variable Value
<8–64> Configures the number of lines in the output display
for the current session. To configure this option to
the default value, use the default operator with the
command. The default value is 23.
disable|enable Configures scrolling for the output display. The default
is enabled. Use the no operator to remove this
configuration. To configure this option to the default
value, use the default operator with the command.

Configuring CLI logging


About This Task

Use CLI logging to track all CLI commands executed and for fault management purposes. The CLI
commands are logged to the system log file as CLILOG module.

Note
The platform logs CLILOG and SNMPLOG as INFO. Normally, if you configure the logging
level to WARNING, the system skips all INFO messages. However, if you enable CLILOG and
SNMPLOG the system logs CLI Log and SNMP Log information regardless of the logging level
you set. This is not the case for other INFO messages.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable CLI logging:
clilog enable
3. Disable CLI logging:
no clilog enable
4. Ensure that the configuration is correct:
show clilog
5. View the CLI log:
show logging file module clilog


6. View the CLI log.

Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#clilog enable

Variable Definitions
The following table defines parameters for the clilog commands.

Variable Value
enable Activates CLI logging. To disable, use the no clilog
enable command.

Configure System Parameters


About This Task

Configure individual system-level switch parameters to configure global options for the switch.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Change the system name:
sys name WORD<0–255>
3. Enable support for Jumbo frames:
sys mtu <1522-9600>
4. Enable the User Datagram Protocol (UDP) checksum calculation:
udp checksum

Example

Switch:1> enable

Switch:1# configure terminal

Configure the system, or root level, prompt name for the switch:

Switch:1(config)# sys name Floor3Lab2

Variable Definitions
The following table defines parameters for the sys command.


Variable Value
clipId-topology-ip Configures the topology ip from the available CLIP.
WORD<1-256> specifies the Circuitless IP interface id.
Note:
Exception: Only supported on VSP 8600 Series

control tcp-timestamp Enables or disables TCP Timestamp.
force-msg WORD<4–4> Adds forced message control pattern. Enter force message pattern.
force-topology-ip-flag enable Flags set to force choice of topology flag.
Note:
Exception: Only supported on VSP 8600 Series

msg-control Configures system message control feature.


mtu <1522-9600> Configures Jumbo frame support for the data path. The
value can be either 1522, 1950 (default), or 9600 bytes.
name WORD<0–255> Configures the system, or root level, prompt name for
the switch.
WORD<0–255> is an ASCII string from 0–255
characters (for example, LabSC7 or Closet4).
power Enables power to specified slot(s).
security-console Enables the security console.
software Configures software configuration.
priv-exec-password Enables authentication for the Privileged EXEC CLI
command mode.

Configuring system message control


About This Task

Configure system message control to suppress duplicate error messages on the console, and to
determine the action to take if they occur.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure system message control action:
sys msg-control action <both|send-trap|suppress-msg>
3. Configure the maximum number of messages:
sys msg-control max-msg-num <2-500>


4. Configure the interval:


sys msg-control control-interval <1-30>
5. Enable message control:
sys msg-control

Example

Switch:1> enable

Switch:1# configure terminal

Configure system message control to suppress duplicate error messages on the console and send a trap
notification:

Switch:1(config)# sys msg-control action both

Configure the number of occurrences of a message after which the control action occurs:

Switch:1(config)# sys msg-control max-msg-num 2

Configure the message control interval in minutes:

Switch:1(config)# sys msg-control control-interval 3

Enable message control:

Switch:1(config)# sys msg-control

Variable Definitions
The following table defines parameters for the sys msg-control command.

Variable Value
action <both|send-trap|suppress-msg> Configures the message control action. You can either
suppress the message or send a trap notification, or both.
The default is suppress.
control-interval <1-30> Configures the message control interval in minutes. The valid
options are 1–30. The default is 5.
max-msg-num <2-500> Configures the number of occurrences of a message after
which the control action occurs. To configure the maximum
number of occurrences, enter a value from 2–500. The
default is 5.

Extending system message control


About This Task

Use the force message control option to extend the message control feature functionality to the
software and hardware log messages.

To enable the message control feature, you must specify an action, control interval, and maximum
message number. After you enable the feature, the log messages, which get repeated and cross the
maximum message number in the control interval, trigger the force message feature. You can either
suppress the message or send a trap notification, or both.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the force message control option:
sys force-msg WORD<4-4>

Example

Switch:1> enable

Switch:1# configure terminal

Configure the force message control option. If you specify the wildcard pattern (****), all
messages undergo message control:

Switch:1(config)# sys force-msg ****

Variable Definitions
The following table defines parameters for the sys force-msg command.

Variable Value
WORD<4-4> Adds a forced message control pattern, where
WORD<4-4> is a string of 4 characters. You can add a
four-byte pattern into the force-msg table. The software
and the hardware log messages that use the first four
bytes that match one of the patterns in the force-msg
table undergo the configured message control action.
You can specify up to 32 different patterns in the force-
msg table, including a wildcard pattern (****) as well. If
you specify the wildcard pattern, all messages undergo
message control.

Hardware status using EDM


This section provides methods to check the status of basic hardware in the chassis using Enterprise
Device Manager (EDM).

Configure Polling Intervals


About This Task

Enable and configure polling intervals to determine how frequently EDM polls for port and LED status
changes or detects the hot swap of installed ports.


Procedure

1. In the navigation pane, expand Configuration > Device.


2. Click Preference Setting.
3. Enable polling or hot swap detection.
4. Configure the frequency to poll the device.
5. Click Apply.

Preference Setting field descriptions


Use the data in the following table to use the Preference Setting tab.

Name Description
Enable Enables polling for port and LED status changes.
The default is disabled.
Poll Interval Specifies the polling interval, if enabled. The
default is 60 seconds.
Enable Detects the hot swap of installed ports. The
default is disabled.
Detection per Status Poll Intervals Specifies the number of poll intervals for
detection, if enabled. The default is 2 intervals.

View Module Information


View the administrative status for modules in the chassis.

About This Task

This command is not available for hardware platforms with fixed configurations. It is only available for
platforms where the user can install modules in slots.

Procedure

1. In the Device Physical View tab, select a module slot.


2. In the navigation pane, expand Configuration > Edit.
3. Click Card.
4. Click the Card tab.

Card field descriptions


Use the data in the following table to use the Card tab.

Name Description
CardType Displays the model number of the module.
CardDescription Shows a description of the installed module.
SerialNum Shows the serial number for the installed module.
PartNumber Shows the part number.
CardAssemblyDate Shows the date the module was assembled.

CardHWConfig Shows the hardware revision.
AdminStatus Changes the administrative status for the module.
OperStatus Shows the operational status for the module.
PowerManagementPriority Specifies the slot priority for power management as either
high or low.

View Module Storage Usage


Note
This procedure only applies to VSP 8600 Series.

View the storage usage for modules in the chassis.

About This Task

You cannot perform this procedure on hardware platforms with fixed configurations. It is only available
for platforms where you can install modules in slots.

Procedure

1. In the Device Physical View tab, select a module slot.


2. In the navigation pane, expand Configuration > Edit.
3. Select Card.
4. Select the Storage Usage tab.

Storage Usage Field Descriptions


Use the data in the following table to use the Storage Usage tab.

Name Description
IntflashBytesUsed Specifies the number of bytes used in internal flash memory.
IntflashBytesFree Specifies the number of bytes available for use in internal flash
memory.
IntflashNumFiles Specifies the number of files in internal flash memory.
UsbBytesUsed Specifies the number of bytes used in USB device.
UsbBytesFree Specifies the number of bytes available for use in USB device.
UsbNumFiles Specifies the number of files in USB device.

View Power Supply Parameters


Perform this procedure to view information about the operating status of the power supplies.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Click Power Supply.

Details Field Descriptions


Use the data in the following table to use the Details tab.

Name Description
Id Specifies the ID number. This field is not supported on all hardware platforms.
Type Describes the type of power used.
Description Provides a description of the power supply.
SerialNumber Specifies the power supply serial number.
HardwareRevision Specifies the hardware revision number.
PartNumber Specifies the power supply part number.
PowerSupplyOperStatus Specifies the status of the power supply as one of the following:
• on (up)
• off (down)
InputLineVoltage Displays the input line voltage:
• low 110v—power supply connected to a 110 Volt source
• high 220v—power supply connected to a 220 Volt source
• ac110vOr220v—power supply connected to a 110 Volt or 220 Volt source
OutputWatts Displays the output power of this power supply.
InputOperLineVoltage Displays the operating input line voltage. If the power supplies in a chassis are not of identical input line voltage values, the operating line voltage shows the low 110v value. This field is not supported on all hardware platforms.
InputPower Displays the input power of this power supply. This field is not supported on all hardware platforms.

View Power Supply Information


Note
This procedure only applies to VSP 8600 Series.

About This Task

Perform this procedure to view information about the operating status of the power supplies.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Power Supply Information.


Details Field Descriptions


Use the data in the following table to use the Details tab.

Name Description
Id Specifies the ID number. This field is not supported on all hardware platforms.
Type Describes the type of power used.
Description Provides a description of the power supply.
SerialNumber Specifies the power supply serial number.
HardwareRevision Specifies the hardware revision number.
PartNumber Specifies the power supply part number.
PowerSupplyOperStatus Specifies the status of the power supply as one of the following:
• on (up)
• off (down)
InputLineVoltage Displays the input line voltage:
• low 110v—power supply connected to a 110 Volt source
• high 220v—power supply connected to a 220 Volt source
• ac110vOr220v—power supply connected to a 110 Volt or 220 Volt source
OutputWatts Displays the output power of this power supply.
InputOperLineVoltage Displays the operating input line voltage. If the power supplies in a chassis are not of identical input line voltage values, the operating line voltage shows the low 110v value. This field is not supported on all hardware platforms.
InputPower Displays the input power of this power supply. This field is not supported on all hardware platforms.

View System Temperature Information


View information about the temperature for each sensor on the device.

The system triggers an alarm when one of the zones exceeds the threshold temperature value.

Note
This procedure is not supported on XA1400 Series.

Procedure

1. In the Device Physical View tab, select the chassis.


2. In the navigation pane, expand Configuration > Edit.
3. Click Chassis.
4. Click the System Temperature tab.


System Temperature field descriptions


Use the data in the following table to use the System Temperature tab.

Name Description
SensorIndex Specifies the range of sensors on the device.
SensorDescription Specifies the name of the sensor.
Temperature (degrees celsius) Specifies the sensor temperature measured in
Celsius degrees.
WarningThreshold Specifies the temperature value of the warning
threshold for the sensor. When the temperature
crosses the warning threshold, a warning message
is generated.
CriticalThreshold Specifies the temperature value of the critical
threshold for the sensor. When the temperature
crosses the critical threshold, a critical message is
generated or the system shuts down, depending
on hardware capability.
Status Specifies the current temperature status based on
the warning and critical thresholds.

View Chassis Temperatures


You can view information about the temperature on the chassis.

Note
This procedure only applies to the VSP 8600 Series.

About This Task

The system triggers an alarm when one of the zones exceeds the threshold temperature value, and
clears the alarm after the zone temperature falls below the threshold value.

When an elevated temperature triggers a temperature alarm, the fan speed increases, and the LED
color changes on the front panel of the switch.

Procedure

1. In the Device Physical View tab, select the chassis.


2. In the navigation pane, expand Configuration > Edit.
3. Select Chassis.
4. Select the Temperature tab.

Temperature field descriptions


Use the data in the following table to use the Temperature tab.


Name Description
CpuTemperature Current CPU temperature in Celsius.
MacTemperature Current MAC component temperature in Celsius.
Phy1Temperature Current PHY 1 component temperature in Celsius.
This field does not apply on all hardware
platforms.
Phy2Temperature Current PHY 2 component temperature in Celsius.
This field does not apply on all hardware
platforms.



Command Line Interface
Command Line Interface Fundamentals
CLI Procedures

Table 27: Command Line Interface product support


Feature                        Product           Release introduced
Command Line Interface (CLI)   VSP 4450 Series   VSP 4000 4.0
                               VSP 4900 Series   VOSS 8.1
                               VSP 7200 Series   VOSS 4.2.1
                               VSP 7400 Series   VOSS 8.0
                               VSP 8200 Series   VSP 4200 4.0
                               VSP 8400 Series   VOSS 4.2
                               VSP 8600 Series   VSP 8600 4.5
                               XA1400 Series     VOSS 8.0.50

For information about specific commands, see VOSS CLI Commands Reference.

Command Line Interface Fundamentals


This section describes the Command Line Interface (CLI).

CLI is an industry standard command line interface that you can use for single-device management.

CLI Command Modes


CLI command modes provide specific sets of CLI commands. When you log on to the switch, you are
in User EXEC mode with limited commands. While in a higher mode, you can access most commands
from lower modes, except if they conflict with commands of your current mode.

There are two categories of CLI commands: show commands and configuration commands. You can
use show commands from multiple command modes with the same results; they show the same
configuration information regardless of the command mode. Configuration command results, however,
might be dependent on the command mode from which a configuration command is used. For
example, an enable command used in Global Configuration mode will enable a feature globally for all
devices, and the same command used from one of the interface command modes will enable a feature
for a specific interface only.


The following figure illustrates the navigation paths for the various command modes:

[Figure: navigation path Log on to the switch > User EXEC > Privileged EXEC > Global Configuration. Below Global Configuration, the diagram lists three columns of configuration modes:
Physical and Virtual Interface Configuration: GigabitEthernet Interface, MLT Interface, mgmtEthernet Interface, Loopback Interface, VLAN Interface, Logical Interface.
Application Configuration: Management Instance, Elan-Transparent, OVSDB, VXLAN, Route-Map, DHCP Guard, RA-guard, Elan I-SID, MKA Profile.
Routing and Protocol Configuration: BGP Router, RIP Router, OSPF Router, IS-IS Router, VRF Router, VRRP Router, BFD Router.]

Figure 10: CLI Command Mode Navigation


Your user authorization credentials determine what commands are available to you in Privileged EXEC
mode and all higher-level modes. See System Access on page 3313 for more information.


To navigate from higher-level modes to lower-level modes, use the following commands:
• exit to navigate from a higher-level mode to a lower-level mode, down to Privileged EXEC mode
• end to navigate from any command mode directly to Privileged EXEC mode
• disable to navigate from Privileged EXEC mode to User EXEC mode
• logout to terminate the CLI session from any command mode

The following table describes the various command modes, including the CLI command to access each
mode, the command prompt that displays in each mode, and a description of the purpose of the mode.

Note
Some command modes are hardware dependent. If any of the following command modes
do not display on your hardware, they are not supported or applicable.

Table 28: CLI Command Mode Summary


Command mode: User EXEC
Command to access mode: None required; default mode
Prompt displayed in mode: >
Description: View configuration settings and connection status.

Command mode: Privileged EXEC
Command to access mode: enable
Prompt displayed in mode: #
Description: Configure limited device-wide settings.
Note: Depending on feature configuration, you can be prompted to enter a username and password to access Privileged EXEC mode. For more information, see Authentication for Privileged EXEC Command Mode on page 253.

Command mode: Global Configuration
Command to access mode: configure {terminal|network}
Prompt displayed in mode: (config)#
Description: From a terminal or TFTP server, configure device-wide global parameters on a running configuration, or specify the filename of a configuration file.

Command mode: GigabitEthernet Interface Configuration
Command to access mode: interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Prompt displayed in mode: (config-if)#
Description: Configure chassis operations and features on a physical port.

Command mode: MLT Interface Configuration
Command to access mode: interface mlt <1-512>
Prompt displayed in mode: (config-mlt)#
Description: Configure an MLT interface.

Command mode: mgmtEthernet Interface Configuration
Command to access mode: interface mgmtEthernet <mgmt|mgmt2>
Prompt displayed in mode: (config-if)#
Description: Configure a dedicated physical management port (if supported on your hardware).

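Command mode: Loopback Interface Configuration
Command to access mode: interface loopback <1–256>
Prompt displayed in mode: (config-if)#
Description: Configure a loopback CLIP interface.

Command mode: VLAN Interface Configuration
Command to access mode: interface vlan <1–4059>
Prompt displayed in mode: (config-if)#
Description: Configure port-based, policy-based, private, or SPBM B-VLANs

Command mode: Logical Interface Configuration
Command to access mode: logical-intf isis <1–255>
Prompt displayed in mode: Layer 2: (config-isis-<1-255>)# Layer 3: (config-isis-<1-255>-<A.B.C.D>)#
Description: Configure a logical Layer 2 or Layer 3 interface.

Command mode: BGP Router Configuration
Command to access mode: router bgp
Prompt displayed in mode: (router-bgp)#
Description: Configure device-wide BGP routing protocol settings.

Command mode: RIP Router Configuration
Command to access mode: router rip
Prompt displayed in mode: (config-rip)#
Description: Configure device-wide RIP routing protocol settings.

Command mode: OSPF Router Configuration
Command to access mode: router ospf
Prompt displayed in mode: (config-ospf)#
Description: Configure device-wide OSPF routing protocol settings.

Command mode: IS-IS Router Configuration
Command to access mode: router isis
Prompt displayed in mode: (config-isis)#
Description: Configure device-wide IS-IS routing protocol settings.

Command mode: VRF Router Configuration
Command to access mode: router vrf WORD<1-16>
Prompt displayed in mode: (router-vrf)#
Description: Configure a VRF instance, including the built-in Management VRF (accessed with router vrf MgmtRouter command).

Command mode: VRRP Router Configuration
Command to access mode: router vrrp
Prompt displayed in mode: (config-vrrp)#
Description: Configure device-wide VRRP protocol settings.

Command mode: Application Configuration
Command to access mode: application
Prompt displayed in mode: (config-app)#
Description: Configure custom applications, such as SLA Monitor or RESTCONF.

Command mode: Management Instance Configuration
Command to access mode: mgmt <clip | oob | vlan>
Prompt displayed in mode: (mgmt:clip)# or (mgmt:oob)# or (mgmt:vlan)#
Description: Configure a segmented management CLIP, Out-of-Band (OOB), or VLAN instance.

Command mode: Elan I-SID Configuration
Command to access mode: i-sid <1–16777215> [elan]
Prompt displayed in mode: (elan:<1-16777215>)#
Description: Add ports and traffic to a Switched UNI I-SID on a GigabitEthernet or MLT interface.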

Command mode: Elan-Transparent Configuration
Command to access mode: i-sid <1-16777215> elan-transparent
Prompt displayed in mode: (elan-tp:<1-16777215>)#
Description: Add ports and MLT interfaces to an Elan-Transparent based service.

Command mode: OVSDB Configuration
Command to access mode: ovsdb
Prompt displayed in mode: (config-ovsdb)#
Description: Configure OVSDB protocol support for VXLAN Gateway.

Command mode: Route-Map Configuration
Command to access mode: route-map WORD<1-64> <1-65535>
Prompt displayed in mode: (route-map)#
Description: Configure device-wide or VRF instance-specific route map policy settings.

Command mode: DHCP-guard Configuration
Command to access mode: ipv6 fhs dhcp-guard policy WORD<1-64>
Prompt displayed in mode: (config-dhcpguard)#
Description: Configure DHCPv6 for advertised address-based, prefix-based, and preference-based filtering.

Command mode: RA-guard Configuration
Command to access mode: ipv6 fhs ra-guard policy WORD<1-64>
Prompt displayed in mode: (config-raguard)#
Description: Configure RA Guard for advertised IPv6 and MAC address-based, IPv6 prefix-based, preference-based, hop count limit-based, and default router preference-based filtering.

Command mode: VXLAN Configuration
Command to access mode: vnid <1–16777215> i-sid <1–16777215>
Prompt displayed in mode: (vxlan:<1-16777215>)#
Description: Associate port or MLT interface VLANs, configure VXLAN endpoints and untagged traffic.

Command mode: MKA Profile Configuration
Command to access mode: macsec mka profile WORD<1-16>
Prompt displayed in mode: (mka-profile)#
Description: Configure replay protection and confidentiality offset for an MKA profile.

Command mode: BFD Router Configuration
Command to access mode: router bfd
Prompt displayed in mode: (router-bfd)#
Description: Configure device-wide BFD settings.

Special CLI Command Modes


A special CLI command mode provides a set of CLI commands that differ from the commands available
in the standard CLI command modes, for example, a set of CLI commands introduced specifically to
configure services on a Virtual Machine (VM).

Note
Special CLI command modes are hardware dependent. If they do not display on your
hardware, they are not supported or applicable.


The following table describes the special command modes.

Table 29: Special CLI Command Mode Summary


Special command mode: Fabric IPsec Gateway
Command mode navigation: Accessible from Privileged EXEC
Command to access mode: virtual-service WORD<1-128> console
Note: Type CTRL+Y to exit the console.
Prompt displayed in mode: FIGW>
Description: Configure services like IPsec, fragmentation and reassembly, and to manage the Fabric IPsec Gateway VM.

Special command mode: IS-IS Router Remote Configuration
Command mode navigation: Accessible from Global Configuration
Command to access mode: router isis remote
Prompt displayed in mode: config-isis-remote>
Description: Configure the Multi-area SPB parameters like area virtual node, Shortest Path Bridging MAC (SPBM), manual area and so on.

Default User Names and Passwords for CLI


The following table contains the default user names and passwords that you can use to log on to the
switch using the command line interface (CLI). For more information about how to change passwords,
see Security on page 2993.

Table 30: CLI default user names and passwords


User name Password Description
rwa rwa read-write-all
rw rw read-write
ro ro read-only
l1 l1 layer 1
l2 l2 layer 2
l3 l3 layer 3

You can create up to a maximum of 10 CLI users for each role. For more information, see Multiple CLI
Users for Each Role on page 3318.


If you enable enhanced secure mode, the user names and passwords are different than the default
values documented in the preceding table. For more information on enhanced secure mode, see
Enhanced Secure Mode on page 3319.

Important
The default passwords and community strings are documented and well known. As a best
practice, change the default passwords and community strings immediately after you first log
on. For more information about how to change user names and passwords, see Security on
page 2993.

Documentation convention for the port variable


Commands that require you to enter one or more port numbers on the switch use the parameter
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} in the syntax. The following
table specifies the rules for using {slot/port[/sub-port] [-slot/port[/sub-port]]
[,...]}.

Syntax: {slot/port[/sub-port]}
How to use: Identifies a single slot and port. If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
For example, 1/1 indicates the first port on slot 1. 1/41/1 indicates the first channel on slot 1, port 41.

Syntax: {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
How to use: Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
For example, 1/1–1/3 indicates ports 1 to 3 on slot 1, or 1/41/1,1/41/3 indicates the first and third channels of slot 1, port 41.
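
The port-list syntax above can be expanded mechanically when you audit which ports a configuration line touches. The following Python sketch is an added example, not code from the guide or from the switch software; the function names and the sample configuration are constructed for illustration, and it assumes ranges stay within one slot (or one channelized port), because expanding across slots requires the port count of the hardware.

```python
import re

PORT_RE = re.compile(r"^(\d+)/(\d+)(?:/(\d+))?$")
IFACE_RE = re.compile(r"^\s*interface\s+gigabitethernet\s+(\S+)", re.IGNORECASE)

# Constructed sample configuration lines (not taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet 1/1-1/3
no shutdown
exit
interface GigabitEthernet 1/41/1,1/41/3
no shutdown
exit
interface mlt 1
"""


def parse_port(token):
    """Parse 'slot/port' or 'slot/port/sub-port' into a tuple of integers."""
    m = PORT_RE.match(token)
    if not m:
        raise ValueError(f"not slot/port[/sub-port]: {token!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def expand_ports(spec):
    """Expand 'slot/port[/sub-port][-slot/port[/sub-port]][,...]' to single ports."""
    spec = spec.replace("\u2013", "-")  # the guide prints ranges with an en dash
    ports = []
    for item in spec.split(","):
        start_s, sep, end_s = item.strip().partition("-")
        start = parse_port(start_s.strip())
        end = parse_port(end_s.strip()) if sep else start
        if len(start) != len(end):
            raise ValueError(f"range mixes port and sub-port forms: {item!r}")
        if start[:-1] != end[:-1]:
            # Crossing a slot (or a channelized port) needs hardware port counts.
            raise ValueError(f"range leaves its slot or port: {item!r}")
        if end[-1] < start[-1]:
            raise ValueError(f"descending range: {item!r}")
        for n in range(start[-1], end[-1] + 1):
            ports.append("/".join(str(x) for x in start[:-1] + (n,)))
    return list(dict.fromkeys(ports))  # drop duplicates, keep order


def ports_touched(config_text):
    """List every port named by 'interface GigabitEthernet' lines in a config."""
    ports = []
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            ports.extend(expand_ports(m.group(1)))
    return list(dict.fromkeys(ports))


if __name__ == "__main__":
    print(expand_ports("1/1\u20131/3"))
    print(ports_touched(SAMPLE_CONFIG))
```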

Command completion
The CLI provides potential command completions to the command string. Completions are provided by
using a question mark (?) or by using the CLI autocompletion feature.

? command completion
The ? command completion is available for any valid command. By typing a command and using a ? as
the last argument in the command, the system returns a list of possible command completions from the
point of the ?. A short description is provided with each possible completion.

If you enter the following command:


Switch:1(config-isis)#redistribute ?
CLI provides a list of completions for the redistribute ? command.
Switch:1(config-isis)#redistribute ?
direct isis redistribute direct command
ospf isis redistribute ospf command
rip isis redistribute rip command
static isis redistribute static command


All the parameters listed under redistribute indicate sub-context commands.

You must use one of the available completions, and if necessary, use the command completion help
again to find the next completion.
Switch:1(config-isis)#redistribute direct ?
enable Enable isis redistribute direct command
metric Isis route redistribute metric
metric-type Set isis redistribute metric type
route-map Set isis redistribute direct route-policy
subnets Set isis redistribute subnets
<cr>

When you see <cr> (Carriage Return/Enter Key) in the list with the additional choices, this means that
no additional parameters are required to execute the CLI command. However, the additional choices
listed could be peer commands or sub-context commands.

For example, the parameters listed under redistribute direct ? are peer commands. You can
enter these peer commands on the same line as the root command, for example redistribute
direct enable. However, the <cr> indicates that you can also enter the redistribute direct
command only and this command does not require any additional parameters at this level.

CLI autocompletion
CLI autocompletion is a feature that you can use to automatically fill in the unique parts of a command
string rather than typing the entire command. Autocompletion makes the CLI experience easier and
prevents mistakes in spelling that force you to re-enter the command.

Autocompletion completes the token in the command as soon as it becomes unique.

The Tab key autocompletes the command without executing the command, and places the cursor
immediately after the last character. The Enter key autocompletes the command and executes it.

To enable redistribution of ISIS direct routes,


Switch:1(config-isis)#redistribute direct

When you use redistribute ?, you see four possible sub-context commands.
direct
static
ospf
rip

If you type the following without pressing Enter:


Switch:1(config-isis)#redistribute direct m

and press the Tab key, the system completes the command to the following point:
redistribute direct metric

Two possible completions exist. You can type -t, and then press Tab to finish the command:
Switch:1(config-isis)#redistribute direct metric-type


default command operator


You can reset the modified configuration of a command to the default configuration by using the
default operator. For more information about the default value for each command, see VOSS CLI
Commands Reference.

Use the ? command completion along with the default keyword in each configuration mode, to view the
list of commands that support the default operator. For more information, see Command completion on
page 248.

Examples
Configure csnp-interval to its default value. The default value of csnp-interval is 10 seconds.
Switch:1>show isis

========================================================================================
ISIS General Info
========================================================================================
AdminState : disabled
RouterType : Level 1
System ID : e45d.523c.6484
Max LSP Gen Interval : 900
Metric : wide
Overload-on-startup : 20
Overload : false
Csnp Interval : 200
PSNP Interval : 2
Rxmt LSP Interval : 5
spf-delay : 100
Router Name :
ip source-address :
ipv6 source-address :
ip tunnel source-address :
Tunnel vrf :
ip tunnel mtu :
Num of Interfaces : 1
Num of Area Addresses : 0
Inband Mgmt Clip Ip :
backbone : disabled
Dynamically Learned Area : 00.0000.0000
Hello Padding : enabled
FAN Member : Yes
Multi-Area OperState : disabled
Multi-Area Flags :

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router isis
Switch:1(config-isis)#default csnp-interval
Switch:1(config-isis)#show isis

========================================================================================
ISIS General Info
========================================================================================
AdminState : disabled
RouterType : Level 1
System ID : e45d.523c.6484
Max LSP Gen Interval : 900
Metric : wide
Overload-on-startup : 20
Overload : false
Csnp Interval : 10
PSNP Interval : 2
Rxmt LSP Interval : 5
spf-delay : 100
Router Name :
ip source-address :
ipv6 source-address :
ip tunnel source-address :
Tunnel vrf :
ip tunnel mtu :
Num of Interfaces : 1
Num of Area Addresses : 0
Inband Mgmt Clip Ip :
backbone : disabled
Dynamically Learned Area : 00.0000.0000
Hello Padding : enabled
FAN Member : Yes
Multi-Area OperState : disabled
Multi-Area Flags :

View the IP configuration commands for an MLT interface that support the default operator.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface mlt 1
Switch:1(config-mlt)#default ?
Default settings
fa Set Fabric Attach configuration to default on mlt
flex-uni Set flex-uni to default on mlt interface
ip Default IP configurations on MTL interface
isis Set interface level isis parameters to default value
lacp Set lacp for specific mlt to default
smlt Create default smlt on a specific mlt
svlan-prototype Set vlan port type to default
virtual-ist Create virtual-ist on MLT with default value
Switch:1(config-mlt)#default ip ?
Default IP configurations on MLT interface
arp-inspection Default arp inspection configuration
dhcp-snooping Default dhcp snooping configuration
Switch:1(config-mlt)#default ip arp-inspection ?
<cr>

no command operator
You can use the no operator in a command to negate a configuration. Based on the functionality
of the command, you can perform negations, such as disable, delete, remove, or reset to the
default configuration. For more information about the no operator for each command, see VOSS CLI
Commands Reference.

Use the ? command completion along with the no keyword to view the list of commands that support
the no operator in each configuration mode. For more information, see Command completion on page
248.

Negate the automatic virtual link that provides automatic dynamic backup link for OSPF traffic.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router ospf
Switch:1(config-ospf)#no auto-vlink


Remove an IP address configuration from VLAN.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface vlan 3
Switch:1(config-if)#no ip address 192.0.2.4

View the commands that can negate a configuration in RIP router configuration mode.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router rip
Switch:1(config-rip)#no ?
Negate a command or set its defaults
ipv6 Disable ipv6 configurations
network Disable rip on an ip network
redistribute To disable/delete redistribute golbally
Switch:1(config-rip)#no network ?
{A.B.C.D} Network ip address
Switch:1(config-rip)#no network 192.0.2.4 ?
<cr>

GREP with CLI show command


You can use Global Regular Expression Print (GREP) with show commands to filter the output based on
match criteria.

Enter the show command followed by the pipe (|) character, followed by the GREP filter command. The
show command output contains only the lines that match the GREP filter pattern.

Note
The show fulltech command does not support GREP filters.

The following GREP filter commands are supported.

GREP filter function Description


begin Displays the output of a command starting from the
first line that matches the given pattern.
count Counts the number of lines in the output of a
command.
exclude Displays only the output lines which do not match
the given pattern. The lines matching the pattern are
discarded.
head Limits the output of a command to the first few lines.
If a number is not specified then only the first 10 lines
display.
include Displays only the output lines which match the given
pattern.



no-more Temporarily disables pagination for the output of a
CLI command. When the lines of output exceed the
terminal length, you are not prompted to continue or
quit but the entire output of the command continues
to be displayed. The effect is similar to setting
terminal length 0 but only for the current command.
tail Limits the output of a command to the last few lines.
If a number is not specified then only the last 10 lines
display.

Timestamp in show command outputs


The output for all CLI show commands includes a timestamp header to indicate when the command
output was generated. This information can be helpful when communicating with Support.

The following command output shows a timestamp example.


Switch:1#show alarm statistics
************************************************************************************
Command Execution Time: Wed Nov 07 19:55:15 2018 UTC
************************************************************************************

====================================================================================
ALARM STATISTICS
====================================================================================
PERSISTENT PERSISTENT PERSISTENT PERSISTENT DYNAMIC DYNAMIC DYNAMIC DYNAMIC
ALARM ACTIVE CLEARED WRPRD ALARM ACTIVE CLEARED WRPRD
0 0 0 0 11 8 3 0

Authentication for Privileged EXEC Command Mode

For enhanced security, you can request user authentication to enter Privileged EXEC command mode.
When you configure password authentication, the switch prompts you to enter a username and
password to access Privileged EXEC command mode from User EXEC command mode. You use the
same username and password used to Telnet or SSH to the switch.

For more information about configuring Privileged EXEC authentication, see Authentication for
Privileged EXEC Command Mode on page 3000.

CLI Procedures
This section contains information about common CLI tasks. You can access CLI during runtime to
manage the switch.

Logging on to the software


Before You Begin
• The first time you connect to the switch, you must log on to CLI using the direct console port.


About This Task

After you first connect to CLI you can log on to the software using the default user name and password.
For more information about the default user names and passwords, see Default User Names and
Passwords for CLI on page 247.

Procedure
1. At the login prompt, enter the user name.
2. At the password prompt, enter the password.

View the Configuration


You can view the running configuration using the show command.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View the running configuration:
show running-config

Example
VSP-8284XSQ:1#show running-config
Preparing to Display Configuration...
#
# Sat Mar 13 14:35:01 2021 UTC
# box type : VSP-8284XSQ
# software version : 8.4.0.0
# cli mode : ECLI
#

#Card Info :

# Slot 1 :
# CardType : 8242XSQ
# CardDescription : 8242XSQ
# CardSerial# : 14JP455C1029
# CardPart# : EC8200A01-E6
# CardAssemblyDate : 20141106
# CardHWRevision : 1
# CardHWConfig :
# AdminStatus : up
# OperStatus : up

# Slot 2 :
# CardType : 8242XSQ
# CardDescription : 8242XSQ
# CardSerial# : 14JP455C1029
# CardPart# : EC8200A01-E6
# CardAssemblyDate : 20141106
# CardHWRevision : 1
# CardHWConfig :
# AdminStatus : up
# OperStatus : up

#
#!end


#
config terminal

#
# BOOT CONFIGURATION
#

boot config flags ftpd


boot config flags sshd
boot config flags telnetd

#boot config sio console baud 9600 1


# end boot flags

Saving the configuration


After you change the configuration, you must save the changes to the module. Save the configuration
to a file to retain the configuration settings.

About This Task

File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) support both IPv4 and IPv6
addresses, with no difference in functionality or configuration.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Save the running configuration:
save config [backup WORD<1–99>] [file WORD<1–99>] [verbose]

Example

Save the configuration to the default location:


Switch:1#save config

Identify the file as a backup file and designate a location to save the file:
Switch:1#save config backup 198.51.100.1/configs/backup.cfg


Variable definitions
Use the data in the following table to use the save config command.

Variable Value
backup WORD<1–99> Saves the specified file name and identifies the file as a backup file.
WORD<1–99> uses one of the following formats:
• a.b.c.d:<file>
• /intflash/<file>
The file name, including the directory structure, can be 1 to 99 characters.
file WORD<1–99> Specifies the file name in one of the following formats:
• /intflash/<file>
• a.b.c.d:<file>
The file name, including the directory structure, can be 1 to 99 characters.
verbose Saves the default and current configuration. If you omit this parameter, the command saves only parameters you change.
standby WORD<1-99> Specifies the standby file name in the following format:
• /intflash/<file>
The file name, including the directory structure, can be 1 to 99 characters.

Configure the Web Server


Note
DEMO FEATURE - Read Only User for EDM is a demonstration feature on some products.
Demonstration features are provided for testing purposes. Demonstration features are for lab
use only and are not for use in a production environment. For more information, see VOSS
Feature Support Matrix.

Perform this procedure to enable and manage the web server using the Command Line Interface (CLI).
After you enable the web server, you can connect to EDM.

HTTP and FTP support both IPv4 and IPv6 addresses, with no difference in functionality or
configuration. The TFTP server supports both IPv4 and IPv6 addresses. The TFTP client is not
supported, only the server.


About This Task

This procedure assumes that you use the default port assignments. You can change the port number
used for HTTP and HTTPS.

Important
To enable HTTP access to the device, you must disable the web server secure-only option. For
HTTPS access to the device, the web server secure-only option is enabled by default.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable the web server:
web-server enable
3. Disable the secure-only option (for HTTP access):
no web-server secure-only
4. Enable the secure-only option (for HTTPS access):
web-server secure-only
5. Enable read-only user:
web-server read-only-user enable
6. Display the web server status:
show web-server

Example

Switch:1(config)#show web-server
Web Server Info :

Status : off
Secure-only : enabled
TLS-minimum-version : tlsv12
RO Username Status : disabled
RO Username : user
RO Password : ********
RWA Username : admin
RWA Password : ********
Def-display-rows : 30
Inactivity timeout : 900 sec
Html help tftp source-dir :
HttpPort : 80
HttpsPort : 443
NumHits : 0
NumAccessChecks : 0
NumAccessBlocks : 0
NumRxErrors : 0

NumTxErrors : 0
NumSetRequest : 0
Minimum password length : 8
Last Host Access Blocked : 0.0.0.0
In use certificate : Self signed
Certificate Truspoint CA Name :

Certificate with Subject Name : 823

Ciphers-Tls : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
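
The security-relevant fields of this output can be checked mechanically. The Python below is an added example, not part of the VOSS guide or Extreme Networks code: it parses show web-server output in the layout shown above and reports settings weaker than the defaults documented in this section, plus cipher suites that lack forward secrecy or use CBC or SHA-1. The sample output, the function names and the password-length floor of 8 are assumptions made for the example; the remediation commands in its messages are the web-server commands documented in this section.

```python
import re

# Constructed sample in the layout of the guide's `show web-server` example.
# Status, Secure-only, TLS-minimum-version and RO Username Status are changed
# from the guide's values so the checks below have something to report.
SAMPLE = """\
Web Server Info :

Status : on
Secure-only : disabled
TLS-minimum-version : tlsv10
RO Username Status : enabled
HttpPort : 80
HttpsPort : 443
Minimum password length : 8
In use certificate : Self signed
Ciphers-Tls : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
"""

KEY_VALUE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
CIPHER = re.compile(r"^TLS_[A-Z0-9_]+$")


def parse_web_server(text):
    """Return (settings, ciphers) parsed from `show web-server` output."""
    settings, ciphers = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if CIPHER.match(line):          # continuation row of the cipher list
            ciphers.append(line)
            continue
        m = KEY_VALUE.match(line)
        if not m:                       # blank line or unrecognised row
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "ciphers-tls":
            if CIPHER.match(value):     # first suite shares the key's row
                ciphers.append(value)
        else:
            settings[key] = value
    return settings, ciphers


def cipher_weaknesses(suite):
    """Return the reasons a suite name counts as weak (empty list if none)."""
    reasons = []
    if suite.startswith("TLS_RSA_"):
        reasons.append("static RSA key exchange (no forward secrecy)")
    if "_CBC_" in suite:
        reasons.append("CBC mode")
    if suite.endswith("_SHA"):
        reasons.append("HMAC-SHA1")
    return reasons


def audit(text, min_len_floor=8):
    """Return (active, findings); findings are (check_id, message) tuples.

    active is True when Status is "on". min_len_floor is an assumed policy
    value, set to the default minimum password length the guide documents.
    """
    s, ciphers = parse_web_server(text)
    findings = []
    if s.get("secure-only") != "enabled":
        findings.append(("secure-only",
                         "cleartext HTTP allowed on port %s; "
                         "fix: web-server secure-only" % s.get("httpport", "?")))
    if s.get("tls-minimum-version") in ("tlsv10", "tlsv11"):
        findings.append(("tls-min-ver",
                         "minimum TLS is %s; fix: web-server tls-min-ver tlsv12"
                         % s["tls-minimum-version"]))
    if s.get("ro username status") == "enabled":
        findings.append(("read-only-user",
                         "read-only user enabled; the guide marks it a "
                         "demonstration feature on some products"))
    length = s.get("minimum password length", "")
    if length.isdigit() and int(length) < min_len_floor:
        findings.append(("min-passwd-len",
                         "minimum password length %s; fix: web-server password "
                         "min-passwd-len %d" % (length, min_len_floor)))
    if s.get("in use certificate", "").lower().startswith("self"):
        findings.append(("certificate",
                         "self-signed certificate; browsers cannot verify the switch"))
    weak = {c: cipher_weaknesses(c) for c in ciphers if cipher_weaknesses(c)}
    if weak:
        findings.append(("ciphers", "; ".join(
            "%s: %s" % (c, ", ".join(r)) for c, r in weak.items())))
    return s.get("status") == "on", findings


if __name__ == "__main__":
    for check_id, message in audit(SAMPLE)[1]:
        print("[%s] %s" % (check_id, message))
```

Run against the values in the guide's own example (server off, secure-only enabled, tlsv12), the same checks report only the self-signed certificate and the CBC and static-RSA suites in the cipher list.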

Variable Definitions
Use the data in the following table to use the web-server command.

Variable Value
def-display-rows <10-100> Configures the number of rows each page
displays, between 10 and 100.
enable Enables the web interface. To disable the web
server, use the no form of this command:
no web-server [enable]
help-tftp <WORD/0-256> Configures the TFTP or FTP directory for Help
files, in one of the following formats: a.b.c.d:/|
peer:/ [<dir>]. The path can use 0–256 characters.
The following example paths illustrate the correct
format:
• 192.0.2.1:/help
• 192.0.2.1:/

http-port <80-49151> Configures the web server HTTP port. The default
port is 80.
https-port <443-49151> Configures the web server HTTPS port. The default
port is 443.
inactivity-timeout <30–65535> Configures the web-server session inactivity
timeout. The default is 900 seconds (15 minutes).
password {ro | rwa} WORD<1-20> Configures the logon and password for the web
interface.
password min-passwd-len <1–32> Configures the minimum password length. By
default, the minimum password length is 8
characters.
read-only-user Enables read-only user for the web server.

Note:
read-only-user enable is available for
demonstration purposes on some products. For
more information, see VOSS Feature Support
Matrix.

secure-only Enables secure-only access for the web server.
tls-min-ver <tlsv10|tlsv11|tlsv12> Configures the minimum version of the TLS
protocol supported by the web-server. You can
select among the following:
• tlsv10 – Configures the version to TLS 1.0.
Note:
tlsv10 is not supported in enhanced secure mode.
• tlsv11 – Configures the version to TLS 1.1.
• tlsv12 – Configures the version to TLS 1.2.
The default is tlsv12.

Using GREP CLI show command filters


Use the following GREP filters to output only the command lines specified by the filter.

Procedure
1. Count the number of lines in the output:
<CLI command> | count
2. Display the output of a command starting from the first line that matches the given pattern:
<CLI command> | begin WORD<0–255> [field <number>] [ignore-case]
[header <number>]
3. Display only the output lines that match the given pattern:
<CLI command> | include <pattern> [field <number>] [ignore-case]
[header <number>]
4. Display only the output lines that do not match the given pattern:
<CLI command> | exclude <pattern> [field <number>] [ignore-case]
[header <number>]
5. Temporarily disable pagination for the output of a CLI command:
<CLI command> | no-more

There is no prompt to continue or to quit when the lines of output exceed the terminal length.
6. Limit the output of a command to the first few lines:
<CLI command> | head [<number>]

If a number is not specified, the first 10 lines display.


7. Limit the output of a command to the last few lines:
<CLI command> | tail [<number>] [from-line <number>] [header <number>]

If a number is not specified, the last 10 lines display.

Example
Switch:1>enable
Switch:1#configure terminal

Count the number of lines in the output:


Switch:1#show vlan basic | count
Count: 17 lines

Display only the output lines that match the given pattern:
Switch:1(config)#show vlan basic | include byPort field 3 header 6

================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
------------------------------------------------------------------------------------------------
1 Default byPort 0 none N/A N/A 0
3 VLAN3 byPort 3 none N/A N/A 0
4 VLAN4 byPort 4 none N/A N/A 0
5 VLAN5 byPort 5 none N/A N/A 0
8 VLAN-8 byPort 8 none N/A N/A 0
9 VLAN-9 byPort 9 none N/A N/A 0
11 VLAN-11 byPort 11 none N/A N/A 0
12 VLAN-12 byPort 12 none N/A N/A 0
20 VLAN-20 byPort 0 none N/A N/A 0

Switch:1(config)#show vlan basic | include private field 3 header 6

================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
6 VLAN6 private 40 none N/A N/A 0
7 VLAN7 private 41 none N/A N/A 0

Display only the output lines that do not match the given pattern:
Switch:1(config)#show vlan basic | exclude private field 3 header 6
================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
------------------------------------------------------------------------------------------------
1 Default byPort 0 none N/A N/A 0
3 VLAN3 byPort 3 none N/A N/A 0
4 VLAN4 byPort 4 none N/A N/A 0
5 VLAN5 byPort 5 none N/A N/A 0
8 VLAN-8 byPort 8 none N/A N/A 0
9 VLAN-9 byPort 9 none N/A N/A 0
11 VLAN-11 byPort 11 none N/A N/A 0
12 VLAN-12 byPort 12 none N/A N/A 0
20 VLAN-20 byPort 0 none N/A N/A 0

Switch:1(config)#show vlan basic | exclude byPort field 3 header 6

================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
------------------------------------------------------------------------------------------------
6 VLAN6 private 40 none N/A N/A 0
7 VLAN7 private 41 none N/A N/A 0

Display the output of a command starting from the first line that matches the given pattern:
Switch:1(config)#show vlan basic | begin 8 header 6

================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
8 VLAN-8 byPort 8 none N/A N/A 0
9 VLAN-9 byPort 9 none N/A N/A 0
11 VLAN-11 byPort 11 none N/A N/A 0
12 VLAN-12 byPort 12 none N/A N/A 0
20 VLAN-20 byPort 0 none N/A N/A 0

Display the entire output of the command:


Switch:1(config)#show vlan basic | no-more

================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
------------------------------------------------------------------------------------------------
1 Default byPort 0 none N/A N/A 0
3 VLAN3 byPort 3 none N/A N/A 0
4 VLAN4 byPort 4 none N/A N/A 0
5 VLAN5 byPort 5 none N/A N/A 0
6 VLAN6 private 40 none N/A N/A 0
7 VLAN7 private 41 none N/A N/A 0
8 VLAN-8 byPort 8 none N/A N/A 0
9 VLAN-9 byPort 9 none N/A N/A 0
11 VLAN-11 byPort 11 none N/A N/A 0
12 VLAN-12 byPort 12 none N/A N/A 0
20 VLAN-20 byPort 0 none N/A N/A 0

Display only the first few lines of output:


Switch:1(config)#show vlan basic | head 9

================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
------------------------------------------------------------------------------------------------
1 Default byPort 0 none N/A N/A 0
3 VLAN3 byPort 3 none N/A N/A 0

Display only the last few lines of output:


Switch:1(config)#show vlan basic | tail 8 header 6

================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
8 VLAN-8 byPort 8 none N/A N/A 0
9 VLAN-9 byPort 9 none N/A N/A 0
11 VLAN-11 byPort 11 none N/A N/A 0
12 VLAN-12 byPort 12 none N/A N/A 0
20 VLAN-20 byPort 0 none N/A N/A 0

Switch:1(config)#show vlan basic | tail from-line 15 header 6

================================================================================================
Vlan Basic
================================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
9 VLAN-9 byPort 9 none N/A N/A 0
11 VLAN-11 byPort 11 none N/A N/A 0
12 VLAN-12 byPort 12 none N/A N/A 0
20 VLAN-20 byPort 0 none N/A N/A 0

Variable definitions
The GREP filters use the following parameters:

Parameter Description
field <number> Specifies the field in each line to match against the pattern. Fields are
separated by whitespace and are counted starting with 1 for the left-most
field.
If the output is formatted as a table, whitespace is not counted as a field.
from-line <number> Specifies the remaining output starting with a given line.
head <number> Specifies the number of lines to keep from the beginning of the output.
header <number> Specifies a number of lines from the start of the output to display
unchanged before trying to match the pattern. This parameter is useful to
keep the header of a table intact. This filter skips the header lines.
ignore-case Specifies letters to match in the pattern regardless of case.
<number> Specifies the number of lines of output to keep, either from the beginning of
the output or from the end of the output.
<pattern> Specifies the regular expression to match against each line of output. Use
quotations if the parameter contains spaces.

Enterprise Device Manager
Enterprise Device Manager Fundamentals
EDM interface procedures
File Management in EDM

Table 31: Enterprise Device Manager product support


Feature                           Product           Release introduced
Enterprise Device Manager (EDM)   VSP 4450 Series   VSP 4000 4.0
                                  VSP 4900 Series   VOSS 8.1
                                  VSP 7200 Series   VOSS 4.2.1
                                  VSP 7400 Series   VOSS 8.0
                                  VSP 8200 Series   VSP 8200 4.0
                                  VSP 8400 Series   VOSS 4.2
                                  VSP 8600 Series   VSP 8600 4.5
                                  XA1400 Series     VOSS 8.0.50
Read-Only user for EDM            VSP 4450 Series   VOSS 7.0
                                  VSP 4900 Series   VOSS 8.1
                                  VSP 7200 Series   VOSS 7.0
                                  VSP 7400 Series   VOSS 8.0
                                  VSP 8200 Series   VOSS 7.0
                                  VSP 8400 Series   VOSS 7.0
                                  VSP 8600 Series   VSP 8600 8.0 demo feature
                                  XA1400 Series     VOSS 8.0.50

Enterprise Device Manager Fundamentals


This section details Enterprise Device Manager (EDM).

EDM is a web-based graphical user interface (GUI) you can use to configure a single switch. EDM runs
from the switch and you can access it from a web browser. You do not need to install additional client
software, and you can access it with all operating systems.

Supported Browsers
Use the following browser versions to access Enterprise Device Manager (EDM):
• Microsoft Edge 97
• Mozilla Firefox 96
• Google Chrome 97
• Safari 15.3

Important
For optimal performance, use Mozilla Firefox or Google Chrome.

Enterprise Device Manager Access


To access EDM, open http://<deviceip>/login.html or https://<deviceip>/login.html
from Microsoft Edge, Microsoft Internet Explorer, Google Chrome, or Mozilla Firefox.
Ensure you use a supported browser version.

Important
You must enable the web server from CLI (see Configure the Web Server on page 256) to
enable HTTP access to EDM. For HTTP access to the device, you must also disable the web
server secure-only option. The web server secure-only option, allowing for HTTPS access to
the device, is enabled by default. As a best practice, take the appropriate security precautions
within the network if you use HTTP.

If you experience issues while connecting to EDM, check the proxy settings. Proxy settings can affect
EDM connectivity to the switch. Clear the browser cache and do not use proxy when connecting to the
device.

Default User Name and Password for EDM


The following table contains the default user name and password that you can use to log on to the
switch using EDM. For more information about changing the passwords, see Security on page 2993.

Table 32: EDM default username and password


Username Password
admin password

For information about creating CLI accounts for each user role on the switch, see Multiple CLI Users for
Each Role on page 3318.

Important
The default passwords and community strings are documented and well known. Change
the default passwords and community strings immediately after you first log on. For more
information about changing user names and passwords, see Security on page 2993.

Device Physical View


After you access EDM, the system displays a real-time physical view of the front panel of the device
on the Device Physical View tab in the content pane. From the front panel view, you can view fault,
configuration, and performance information for the device or a single port.

You can use the device view to determine the operating status of the various ports in your hardware
configuration. You can also use the device view to perform management tasks on specific objects. In the
device view, you can select a port or the entire chassis. EDM outlines the selected object in yellow.

The conventions on the device view are similar to the actual device appearance. The port LEDs and
the ports are color-coded to provide status. Green indicates the module or port is up and running, red
indicates the module or port is disabled, dark pink indicates a protocol is down, and amber indicates an
enabled port that is not connected to anything. For information about LED behavior, see your hardware
documentation.

EDM Window
The following list identifies the different sections of the EDM window:
• Navigation pane—Located on the left side of the window, the navigation pane displays all the
available command tabs in a tree format. A row of buttons at the top of the navigation pane
provides a quick method to perform common functions.
• Content pane—Located on the right side of the window, the content pane displays the tabs and
dialog boxes where you can view or configure parameters on the switch.
• Menu bar—Located at the top of the content pane, the menu bar shows the most recently accessed
primary tabs and their respective secondary tabs.
• Toolbar—Located just below the menu bar, the toolbar provides quick access to the most common
operational commands such as Apply, Refresh, and Help.

The following figure shows an example of two tabs open in the content pane of the EDM window.

Figure 11: EDM window

Navigation Pane
You can use the navigation pane to see what commands are available and to quickly browse through
the command hierarchy. A row of buttons at the top of the navigation pane provides a quick method to
perform common functions.

Note
For module-based chassis, menu options related to a specific module are activated only after
you install and select the required module.

The following table describes the buttons that display at the top of the navigation pane.

Table 33: Navigation pane buttons


Button Name Description
Save Config Saves the running configuration.

Refresh Status Refreshes the Device Physical View.

Edit Edits the selected item in the Device Physical View.

Graph Opens the graph options for the selected item in the Device Physical View.

Help Setup Guide Opens instructions about how to install the Help files and configure EDM to
use the Help files.

Expand a folder by selecting the directional arrow next to the folder name. Some folders have sub-
folders such as the Edit folder, which has the Port, NTP, and other sub-folders.

Within each folder and sub-folder, there are numerous options, which provide access to tabs. To open
an option, select it. The selected tab displays in the menu bar and opens in the content pane. The
following table describes the top-level folders in the navigation pane.

Table 34: Navigation Pane Folders


Menu Description
Device Use the Device menu to refresh and update device
information or enable polling.
• Preference Setting — Enable polling or hot
swap detection. Configure the frequency to
poll the device.
• Refresh Status — Use this option to refresh the
device view.
• Rediscover Device — Use this to trigger
a rediscovery to update all of the device
information.

VRF Context view Use the VRF Context view to switch to another
VRF context when you use the embedded EDM.
GlobalRouter is the default view at log in. You can
configure both Global Router (GRT) and Virtual
Routing and Forwarding (VRF) instances when
you launch a VRF context view. You can open only
five tabs for each EDM session.
Edit Use the Edit menu to view and configure
parameters for the chassis hardware or for the
currently selected hardware component, including
one or more ports. You can also use the Edit menu
to perform the following tasks:
• check and configure ports, including the
internal Extreme Integrated Application
Hosting ports, on the device
• change the configuration of many features,
including but not limited to, the file system,
NTP, OVSDB, SMTP, Link-state tracking, VTEP,
Management Instance, Endpoint Tracking, and
SNMPv3

Graph Use the Graph menu to view and configure EDM
statistics and to produce graphs of the chassis or
port statistics.
Power Management Use the Power Management menu to view and
configure Energy Saver.
VLAN Use the VLAN menu to view and configure VLANs,
spanning tree groups (STG), MultiLink Trunks/
LACP, SMLT, and SLPP.
Fabric Use the Fabric menu to view and configure IS-IS,
Shortest Path Bridging MAC (SPBM), I-SIDs, Fabric
Attach, DvR, Multi-area SPB, and statistics.

VRF Use the VRF menu to view and create VRFs.
IP Use the IP menu to view and configure IP routing
functions for the system, including the following:
• IP-VPN
• IP-MVPN
• IP
• TCP/UDP
• OSPF
• RIP
• VRRP
• RSMLT
• BGP
• Multicast
• MSDP
• IGMP
• IPFIX
• PIM
• SPB-PIM-GW
• DHCP Relay
• DHCP Snooping
• ARP Inspection
• Source Guard
• UDP Forwarding
• IS-IS
• Policies
• BFD

IPv6 Use the IPv6 menu to view and configure IPv6
routing functions, including the following:
• IPv6
• IPv6 - VPN
• TCP/UDP
• Tunnel
• OSPFv3
• VRRP
• BGP+
• RSMLT
• DHCP Relay
• Policy
• FHS
• IS-IS
• RIPng
• IPv6 PIM
• IPv6 MLD
• IPv6 Mroute
• IPv6 BFD

Security Use the Security menu to view and configure
access policies, ACL filters, certificates, and
features such as RADIUS, RADIUS CoA, SSH,
IPSec, TACACS+, and EAPoL.
QOS Use the QOS menu to view and configure
mapping tables, QoS port states, CoS Queue
Stats, and Queue Profiles.
Serviceability Use the Serviceability menu to run diagnostics,
and to enable, configure, or view the following:
• RMON
• sFlow
• Application Telemetry
• SLA Monitor
• RESTCONF
• Virtual services
• ExtremeCloud IQ Agent

Menu Bar
The menu bar is above the content pane and consists of two rows of tabs.
• The top row displays the tabs you can open through the navigation pane. The system displays these
primary tabs in the sequence in which you open them.
• After you click a primary tab, the secondary tabs associated with it display in the bottom row. Click a
secondary tab to display it in the content pane.

In both the top and bottom rows of the menu bar, if the number of tabs exceeds the viewable space, the
system displays left- and right-pointing arrows. Click an arrow to scroll to the required tab.

To reduce the number of tabs on the top row, you can click the X on the right corner of a tab to remove
it from the row. The following figure shows a sample menu bar.

Figure 12: Menu bar

Toolbar
The toolbar buttons provide quick access to commonly used operational commands. The buttons that the
system displays vary depending on the tab you select. However, the Apply, Refresh, and Help
buttons are on almost every screen. Other common buttons are Insert and Delete. The following list
details the common toolbar buttons.
• Apply—Use this button to execute all edits that you make.
• Refresh—Use this button to refresh all data on the screen.
• Help—Use this button to display online help that is context sensitive to the current dialog box.
• Insert—Use this button to display a secondary dialog box related to the selected tab. After you edit
the configurable parameters, click the Insert button in the dialog box. This causes a new entry to
display in the dialog box of the selected tab.
• Delete—Use this button to delete a selected entry.

The following figure shows a sample toolbar.

Figure 13: Toolbar

Content Pane
The content pane is the main area on the right side of the window that displays the configuration tabs
and dialog boxes. Use the content pane to view or configure parameters on the switch.

Note
You can view valid ranges for all configurable parameters on EDM tabs.

The following figure is a sample that shows the content pane for the Port 1/3 General, Interface tab.
If you want to compare the information in two tabs, you can undock one, then open another tab. For
more information about undocking a tab, see Undocking and docking tabs on page 277.

Figure 14: Content pane

EDM user session extension


If the EDM user session remains unused for a duration of ten minutes, the system displays the following
message:

Your session will expire in about 5 minute(s). Would you like to extend
the session?

If you do not respond, EDM automatically ends the session with the following message: Your
session has expired.

You can log on again if you want to continue to use EDM.

EDM interface procedures


This section contains procedures for starting and using Enterprise Device Manager (EDM). The software
is built into the switch, and you do not need to install additional software.

Connect to EDM
Before You Begin
• Ensure that the switch is running.
• Note the IP address of the switch.
• Ensure that you use a supported browser version.
• Ensure that you enable the web server using CLI.

About This Task

Perform this procedure to connect to EDM to configure and maintain your network through a graphical
user interface.

Procedure

1. In the address field, enter the IP address of the system using the following formats:
https://<IP_address> (default) or http://<IP_address>.

Note
By default the web server is configured with the secure-only option, which requires you to
use HTTPS to access EDM. To access EDM using HTTP, you must disable the secure-only
option.

2. In the User Name field, type the user name.
The default is admin.
3. In the Password field, type a password.
The default is password.
4. Select Log On.

Configure the Web Management Interface


Note
DEMO FEATURE - Read Only User for EDM is a demonstration feature on some products.
Demonstration features are provided for testing purposes. Demonstration features are for lab
use only and are not for use in a production environment. For more information, see VOSS
Feature Support Matrix.

Before You Begin


• Enable the web server.
• For VSP 8600 Series, enable the web server RO user in CLI.

About This Task

Configure the web management interface to change the user names and passwords for management
access to the switch using a web browser.

HTTP, FTP, and TFTP servers support both IPv4 and IPv6 addresses, with no difference in functionality
or configuration.

You can also use the CLI interface for creating users.

Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Select General.
3. Select the Web tab.
4. Complete the WebRWAUserName and WebRWAUserPassword fields to specify the user name and
password for access to the web interface.
This user will have full permission.
5. To enable the RO user for the web server, select WebROEnable.

Note
This step does not apply to VSP 8600 Series.

6. Complete the WebROUserName and WebROUserPassword fields to specify the user name and
password for access to the web interface.
This user will have read only permission.
7. Select Apply.

Web Field Descriptions


Use the data in the following table to use the Web tab.

Name Description
WebRWAUserName Specifies the RWA username from 1–20
characters. The default is admin.
WebRWAUserPassword Specifies the password from 1–32 characters. The
default is 12345678.
WebROEnable Enables the web server read-only (RO) user, which
is disabled by default after a software upgrade.
Note:
Exception: not supported on VSP 8600 Series.

WebEncryptionType Specifies the ciphers for the preset version of TLS for
the web server.
WebCertSubjectName Specifies the digital certificate subject Name used
as identity certificate in the web server.
WebCertCAName Specifies the digital certificate CA trustpoint name
used for the certificate in the web server.
WebROUserName Specifies the RO username. The default is user.

Note:
Product Notice: For VSP 8600 Series the web
server RO username must be enabled in CLI.

WebROUserPassword Specifies the password from 1–32 characters. The
default is password.
MinimumPasswordLength Configures the minimum password length. By
default, the minimum password length is 8
characters.
HttpPort Specifies the HTTP port for web access. The
default value is 80.
HttpsPort Specifies the HTTPS port for web access. The
default value is 443.
SecureOnly Controls whether the secure-only option is
enabled. The default is enabled.
InactivityTimeout Specifies the idle time (in seconds) to wait before
the EDM login session expires. The default value is
900 seconds (15 minutes).
TlsMinimumVersion Configures the minimum version of the TLS
protocol supported by the web-server. You can
select from the following options:
• tlsv10 – Configures the version to TLS 1.0.
• tlsv11 – Configures the version to TLS 1.1.
• tlsv12 – Configures the version to TLS 1.2
The default is tlsv12.
InUseCertType Shows if the certificate is self-signed or user-installed.
Note:
Exception: not supported on VSP 8600 Series.
Note:
Product Notice: For VSP 8600 Series use the
show web-server command in CLI to view this
information.

HelpTftp/Ftp_SourceDir Configures the TFTP or FTP directory for Help
files, in one of the following formats: a.b.c.d:/|
peer:/ [<dir>]. The path can use 0–256 characters.
The following example paths illustrate the correct
format:
• 192.0.2.1:/Help
• 192.0.2.1:/

DefaultDisplayRows Configures the web server display row width
between 10–100. The default is 30.
LastChange Shows the last web-browser initiated
configuration change.
NumHits Shows the number of hits to the web server.
NumAccessChecks Shows the number of access checks performed by
the web server.
NumAccessBlocks Shows the number of access attempts blocked by
the web server.
LastHostAccessBlockedAddressType Shows the address type, either IPv4 or IPv6, of the
last host access blocked by the web server.
LastHostAccessBlockedAddress Shows the IP address of the last host access
blocked by the web server.
NumRxErrors Shows the number of receive errors the web
server encounters.
NumTxErrors Shows the number of transmit errors the web
server encounters.
NumSetRequest Shows the number of set-requests sent to the web
server.

Using the chassis shortcut menu


About This Task

Perform the following procedure to display the chassis shortcut menu.

Procedure

1. In the Device Physical View, select the chassis.


2. Right-click the chassis.

Chassis shortcut menu field descriptions


Use the data in the following table to use the Chassis shortcut menu.

Name Description
Edit Edits chassis parameters.
Graph Graphs chassis statistics.
Refresh Status Refreshes the status of the chassis and MDAs.
Refresh Port Tooltips Refreshes the port tooltip data of the system. The
port tooltip data contains the following variables:
Slot/Port, PortName, and PortOperSpeed.

Using the port shortcut menu


About This Task

Perform this procedure to display the port shortcut menu.

Procedure

1. In the Device Physical View, select a port.


2. Right-click the selected port.

Port shortcut menu field descriptions


Use the data in the following table to use the port shortcut menu.

Name Description
Edit General Configures the general options for the port.
Edit IP Configures the IP options for the port.
Edit IPv6 Configures the IPv6 options for the port.
Channelization Enable Enables channelization for the port.
Channelization Disable Disables channelization for the port.
Graph Displays the statistics for the port.
Enable Enables the port.
Disable Disables the port.

Using a table-based tab


About This Task

Change an existing configuration using a table-based tab. You cannot edit grey-shaded fields in the
table. The following procedure illustrates how to use a table-based tab.

Note
You can expand the appropriate folders for any feature you configure and select a table-
based tab.

Procedure

1. In the Device Physical View, select multiple ports.


2. In the navigation pane, expand the Configuration > Edit > Port > General folders.
3. Click the VLAN tab.
The system displays a table-based tab with the VLAN information.
4. Select a table-based tab.
5. Double-click a white-shaded field to edit the value.

6. Click the arrow in the list field to view the options, and then select the appropriate value.

7. In a text-entry field, double-click, and then edit the value.

8. Click Apply to save the configuration changes.

Monitor Multiple Ports and Configuration Support


About This Task

You can monitor or apply the same configuration changes to more than one port by using the multiple
port selection function. You can use the standard menu or the shortcut menu to edit the configuration
settings for multiple ports.

Tip
A selected port shows a yellow outline around the port.

Procedure
1. Select the Device Physical View tab.
2. To select multiple ports, press Ctrl (Control), and then select the required ports.

Open Folders and Tabs


About This Task

Perform this procedure to navigate in EDM.


Procedure

1. In the navigation pane, expand the Configuration folder.


2. Click a subfolder to expand the subfolder and see the list of menu options, for example, the VLAN
folder.
3. In a folder or subfolder menu, click an option to open the related tabs.

Undocking and docking tabs


About This Task

Perform this procedure to undock a tab. You can undock tabs to have more than one tab visible at a
time.

Procedure

1. In the navigation pane, click a tab.


2. In the menu bar, click and drag a tab to undock it.
3. In the top right corner of the tab, click pages to dock the tab.

Example of Undocking and Docking Tabs


Procedure

1. Select the Device Physical View tab.


2. In the Device Physical View, select a port. In this example, right-click port 1.
3. In the Port shortcut menu, click Edit General.
4. Select and drag the Port 1/1 General tab wherever you want on the screen as shown in the following
figure.

5. To reposition the tab anywhere on the screen, select and drag the title bar.
6. To manipulate the tab, select the buttons in the top-right of the dialog box.

7. Select the up arrowhead to minimize the tab as shown in the following figure.

8. Select the down arrowhead to restore the tab to its original size.
9. Select the pages to dock the tab back into the menu bar.
10. Select the X to close the tab.

Installing EDM help files


While the EDM GUI is bundled with the switch software, the associated EDM help files are not. To access
the help files from the EDM GUI, you must install the EDM help files on a TFTP or FTP server in your
network.

Use the following procedure to install the EDM help files on a TFTP or FTP server, and configure EDM to
use the help files.

Before You Begin

If you use an FTP server to store the help files, ensure that you configure the switch with the host user
name and password.

Procedure

1. Download the EDM help file.


2. On a TFTP or FTP server reachable from the switch, create a directory called Help.

Tip
You can name the directory anything that will help you remember its purpose.

3. Unzip the EDM help zip file into the directory created in the preceding step.
4. In the EDM navigation pane, expand the Configuration > Security > Control Path folders.
5. Click General.
6. Click Web.
7. In the HelpTftp/Ftp_SourceDir field, enter the IP address of the file server and the path to the help
files, for example, 192.0.2.15:/home/Help/.

File Management in EDM


This section contains procedures for managing files with Enterprise Device Manager (EDM).

Use the File System tab to perform the following tasks:


• Copy a file.
• Check the amount of memory used and the number of files stored in the internal flash memory.

• Verify the name, size, and storage date of each file present in the internal flash memory.
• Display USB file information.

Copy a File
About This Task

Copy files on the internal flash.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select File System.
3. Select the Copy File tab.
4. Edit the fields as required.
5. Select Apply.

Copy File Field Descriptions


Use the data in the following table to use the Copy File tab.

Name           Description
Source         Identifies the device and file name to copy. You must specify the
               full path and filename, for example,
               <deviceip-ftp server>:/<filename>
               Note: For certain switches in enhanced secure mode, sensitive
               files and paths are protected.
Destination    Identifies the location to which to copy the source file with the
               filename, for example, /intflash/<filename>.
               Note: For certain switches in enhanced secure mode, sensitive
               files and paths are protected.
Action         Starts or stops the copy process.
Result         Specifies the result of the copy process:
               • none
               • inProgress
               • success
               • fail
               • invalidSource
               • invalidDestination
               • outOfMemory
               • outOfSpace
               • fileNotFound


Display Storage Use


About This Task

Display the amount of memory used, memory available, and the number of files for internal flash
memory.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select File System.
3. Select the Storage usage tab.

Storage Usage Field Descriptions


Use the data in the following table to use the Storage Usage tab.

Name Description
IntflashBytesUsed Specifies the number of bytes used in internal flash memory.
IntflashBytesFree Specifies the number of bytes available for use in internal flash
memory.
IntflashNumFiles Specifies the number of files in internal flash memory.
UsbBytesUsed Specifies the number of bytes used in USB device.
UsbBytesFree Specifies the number of bytes available for use in USB device.
UsbNumFiles Specifies the number of files in USB device.

Display Internal Flash File Information


About This Task

Display information about the files in internal flash memory on this device.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Click File System.
3. Click the Flash Files tab.

Flash Files field descriptions


Use the data in the following table to use the Flash Files tab.

Name Description
Slot Specifies the slot number.
Name Specifies the directory name of the file.
Date Specifies the creation or modification date of the file.
Size Specifies the size of the file.


Display USB File Information


About This Task

Display information about the files on a USB device to view general file information.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Click File System.
3. Click the USB Files tab.

USB Files field descriptions


Use the data in the following table to use the USB Files tab.

Name Description
Slot Specifies the slot number of the device.
Name Specifies the directory name of the file.
Date Specifies the creation or modification date of the file.
Size Specifies the size of the file.



Image Management
Image Upgrades
Image Naming Conventions
Interfaces
File Storage Options
Before You Upgrade
Saving the Configuration
Upgrade the Software
Verifying the upgrade
Commit an upgrade
Downgrade the Software
Remove a Software Build
Update the Complex Programmable Logic Device (CPLD) Image
Upgrade the Boot Loader Image

This section details what you must know to manage the software image on the switch.

Image Upgrades

Install new software upgrades to add functionality to the switch. Major and minor upgrades are released
depending on how many features the upgrade adds or modifies.

Upgrade time requirements


Image upgrades take less than 30 minutes to complete. The switch continues to operate during the
image download process. A service interruption occurs during the installation and subsequent reset of
the device. The system returns to an operational state after a successful installation of the new software
and device reset.

Before you upgrade the software image


Before you upgrade the switch, ensure that you read the entire upgrading procedure.

You must keep a copy of the previous configuration file (config.cfg), in case you need to return to
the previous version. The upgrade process automatically converts, but does not save, the existing
configuration file to a format that is compatible with the new software release. The new configuration
file may not be backward compatible.


Image Naming Conventions


The switch software uses a standardized dot notation format.

Software Images
Software image names use the following number format to identify release and maintenance values:

Product Name.Major Release.Minor Release.Maintenance Release.Maintenance Release Update.tgz

For example, the image file name VOSS4K.4.2.1.0.tgz denotes a software image for the VSP
4450 Series product with a major release version of 4, a minor release version of 2, a maintenance
release version of 1 and a maintenance release update version of 0. Similarly, the image file name
VSP4K.3.0.1.0.tgz denotes a software image for the VSP 4450 Series product with a major
release version of 3, a minor release version of 0, a maintenance release version of 1 and a maintenance
release update version of 0. TGZ is the file extension.

Firmware Update And Verification With Digital Signed Certificate


VOSS software images are cryptographically signed. Code signing is the process of digitally signing
executables and scripts to confirm the software author and guarantee that the code has not been
altered or corrupted since it was signed. This process uses a cryptographic hash to
validate authenticity and integrity.

The show software command displays information about the software image:

Switch:1#show software

==================================================================================
software releases in /intflash/release/
==================================================================================
4900_mux_64 (Backup Release) (Signed Release)
VOSS4900.8.5.0.0int020 (Primary Release) (Signed Release)

Operational Considerations
The following section describes operational considerations:
• You are not required to provide additional input.
• You can use unsigned images; however, this is not recommended. To use an unsigned image,
downgrade to a pre-VOSS 8.5 software image then load a debug image.
• You cannot enter Enhanced Secure Mode with an unsigned image. Enhanced Secure Mode requires
a signed image.

Interfaces
You can apply upgrades to the switch using the Command Line Interface (CLI).

For more information about CLI, see Command Line Interface on page 242.


File Storage Options


This section details what you must know about the internal boot and system flash memory and
Universal Serial Bus (USB) mass-storage device, which you can use to store the files that start and
operate the switch.

The switch file system uses long file names.

Internal flash
The switch has two internal flash memory devices: the boot flash memory and the system flash
memory. The system flash memory size is 2 gigabytes (GB).

Boot flash memory is split into two banks that each contain a different copy of the boot image files.
Only the Image Management feature can make changes to the boot flash.

The system flash memory stores configuration files, runtime images, the system log, and other files. You
can access files on the internal flash through the /intflash/ folder.

USB device
The switch can use a USB device for additional storage or configuration files, release images, and other
files. The USB device provides a convenient, removable mechanism to copy files between a computer
and a switch, or between switches. In cases where network connectivity has not yet been established,
or network file transfer is not feasible, you can use a USB device to upgrade the configuration and
image files on the switch.

File Transfer Protocol


You can use File Transfer Protocol (FTP) to load the software directly to the switch, or to download the
software to the internal flash memory or to an installed USB device.

The switch can act as an FTP server or client. If you enable the FTP daemon (ftpd), you can use a
standards-based FTP client to connect to the switch by using the CLI log on parameters. Copy the files
from the client to either the internal flash memory or USB device.

Before You Upgrade


This section provides important feature impacts you need to understand before you upgrade the switch
software.

Important Upgrade Note for Systems using IPv6 Static Neighbors


Due to an issue in VOSS 4.2.1 and later releases, the port number for an IPv6 static neighbor is saved
with the wrong value in the configuration file if the port is part of an MLT or SMLT. You can view the
incorrect port number by using the show running-config command.

If performing a named boot (e.g. boot config.cfg), the configuration loading fails and the switch
remains in a default configuration. You can manually source the configuration file (e.g. source
config.cfg) to retrieve/reapply the configuration (minus the IPv6 neighbor configuration with the
invalid port value).

If you boot the switch without a specified configuration (e.g. reset -y), the primary configuration fails
to load and the backup configuration file is loaded instead.

Caution
You should never configure an IPv6 static neighbor on a port belonging to an MLT or SMLT.

Pre-upgrade Instructions for IS-IS Metric Type


The command used to redistribute routes into IS-IS supports a parameter called metric-type, which
can take one of two values: internal or external. In releases that do not support the external
metric type, the routes are always advertised into IS-IS as internal, irrespective of whether you configure
the metric-type to internal or external. The saved configuration itself correctly shows the value that you
selected.

If the configuration file has redistribution commands that set the metric-type to external, after you
upgrade to a release that supports the external metric type, the routes will be advertised into IS-IS as
external routes. This constitutes a change in how the routes are advertised into IS-IS after the upgrade
as compared to before the upgrade. This configuration can cause unintended traffic issues if the other
switches in the network are not yet upgraded to a release that recognizes external routes in IS-IS.

To know which release supports the external metric type on your platform, see VOSS Release Notes for
interoperability considerations.

To avoid unintentionally impacting traffic immediately following an upgrade, as a best practice, check
the existing IS-IS redistribution configuration of a switch to determine if the metric-type is set to
external in the redistribution commands. If metric-type external is not used in the redistribution, the
switch can be upgraded using the normal upgrade procedures. If the metric-type external is used with
any redistribution command, change it to internal, and then save the configuration. After this the switch
can be upgraded using the normal upgrade procedures.

Commands to check metric-type in redistribution configuration:


Switch:1(config-isis)#show ip isis redistribute [vrf WORD<1-16>]
================================================================================
ISIS Redistribute List - GlobalRouter
================================================================================
SOURCE MET MTYPE SUBNET ENABLE LEVEL RPOLICY
--------------------------------------------------------------------------------
RIP 0 internal allow TRUE l1
OSPF 0 external allow TRUE l1
LOC 0 external allow TRUE l1

Commands to change metric-type to internal for GRT:


router isis
isis redistribute <protocol> metric-type internal
save config

The protocol above could be one of the following: direct, ospf, static, rip or bgp.


Commands to change metric-type to internal for VRF:


router vrf WORD<1-16>
isis redistribute <protocol> metric-type internal
save config

The protocol above could be one of the following: direct, ospf, static, rip or bgp.
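
The pre-upgrade check described above can be scripted against captured CLI output. The following Python is an added example, not part of the VOSS documentation or tooling: it parses the show ip isis redistribute listing, finds entries whose MTYPE is external, and builds the change commands given in this section. The mapping from the SOURCE column to the <protocol> keyword (LOC to direct, STAT to static) and the handling of the title line for a VRF are assumptions.

```python
import re

# Constructed sample: the GlobalRouter listing shown above, pasted as captured text.
SAMPLE_OUTPUT = """\
Switch:1(config-isis)#show ip isis redistribute
================================================================================
ISIS Redistribute List - GlobalRouter
================================================================================
SOURCE MET MTYPE SUBNET ENABLE LEVEL RPOLICY
--------------------------------------------------------------------------------
RIP 0 internal allow TRUE l1
OSPF 0 external allow TRUE l1
LOC 0 external allow TRUE l1
"""

# Assumption: mapping from the SOURCE column to the <protocol> keyword.
# RIP/OSPF/BGP are lower-cased; LOC is assumed to mean direct (local) routes
# and STAT is an assumed abbreviation for static. Anything else is reported
# for manual review instead of being guessed.
SOURCE_TO_PROTOCOL = {"RIP": "rip", "OSPF": "ospf", "BGP": "bgp",
                      "LOC": "direct", "STAT": "static"}

TITLE_RE = re.compile(r"^ISIS Redistribute List - (.+)$")


def parse_redistribute(output):
    """Return one dict per table row, keyed by column name plus CONTEXT."""
    rows, context, columns = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "-"}:
            continue                      # blank line or ruler
        title = TITLE_RE.match(line)
        if title:
            # Assumption: the last word of the title names the routing context.
            context, columns = title.group(1).split()[-1], None
            continue
        fields = line.split()
        if fields[0] == "SOURCE":
            columns = fields
            continue
        if context is None or columns is None:
            continue                      # prompt or command echo
        row = dict(zip(columns, fields))  # RPOLICY may be absent (empty cell)
        row["CONTEXT"] = context
        rows.append(row)
    return rows


def external_entries(output):
    """Rows that would start being advertised as external after the upgrade."""
    return [r for r in parse_redistribute(output)
            if r.get("MTYPE", "").lower() == "external"]


def remediation(output):
    """Return (commands, unresolved) using the change commands from this section."""
    per_context, unresolved = {}, []
    for row in external_entries(output):
        protocol = SOURCE_TO_PROTOCOL.get(row["SOURCE"].upper())
        if protocol is None:
            unresolved.append((row["CONTEXT"], row["SOURCE"]))
        else:
            per_context.setdefault(row["CONTEXT"], []).append(protocol)
    commands = []
    for context, protocols in per_context.items():
        commands.append("router isis" if context == "GlobalRouter"
                        else f"router vrf {context}")
        commands += [f"isis redistribute {p} metric-type internal"
                     for p in protocols]
        commands.append("save config")
    return commands, unresolved


if __name__ == "__main__":
    cmds, todo = remediation(SAMPLE_OUTPUT)
    print("\n".join(cmds) if cmds else "No metric-type external entries.")
    for context, source in todo:
        print(f"Review manually: {source} in {context}")
```

An empty command list means no redistribution entry uses metric-type external, so the normal upgrade procedure applies.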

VLAN and MLT Upgrade Considerations

VLAN or MLT Name Uses all Numbers


Representational State Transfer Configuration Protocol (RESTCONF) does not allow VLAN or MLT
names that contain all numbers. Beginning with VOSS 8.0, the VLAN or MLT name cannot use all
numbers. If, in a release prior to 8.0, you configured a name that was all numbers, see the following
table to understand the impact of upgrading to a newer release.

Table 35: Upgrade impact on interface names with all numbers


Target upgrade release               Impact after upgrade
VOSS 8.0.5.x, 8.0.6.x, or 8.0.7.x    The system prepends VLAN- or MLT-, and appends -01, to the
                                     name during the upgrade. For example, the VLAN name 222
                                     becomes VLAN-222-01.
VOSS 8.0.8 and later                 If you plan to enable RESTCONF, you must check interface
                                     names for invalid special characters or conflicts, and make
                                     necessary modifications manually. For information about how
                                     to check interface names, see the RESTCONF content in
                                     Representational State Transfer Configuration Protocol
                                     (RESTCONF) on page 2793.
VOSS 8.1 or 8.1.1.x                  The system prepends VLAN- or MLT-, and appends -01, to the
                                     name during the upgrade. For example, the VLAN name 222
                                     becomes VLAN-222-01.
VOSS 8.1.2 and later                 If you plan to enable RESTCONF, you must check interface
                                     names for invalid special characters or conflicts, and make
                                     necessary modifications manually. For information about how
                                     to check interface names, see the RESTCONF content in
                                     Representational State Transfer Configuration Protocol
                                     (RESTCONF) on page 2793.

Digital Certificate Upgrade Considerations

Public Key Length


To support SNMP walk for rcDigitalCertTable where the public key length exceeds 2,048 characters,
VOSS 8.1 and later configures MAX_KEY_LEN to 2,048 to extend PublicKey to hold a key of up to
4,096 bits. After this key length is updated, the format for /intflash/.cert/cert_info.cfg
changes based on the new public key maximum length and you will be unable to restore the
CertInfoTable from this file.

If you upgrade to VOSS 8.1 or later from an earlier release, you must reconfigure the certificates because
you cannot restore the old certificate configuration after reboot.

The switch displays the following log message after you upgrade to VOSS 8.1, or later, and reboot:
GlobalRouter DIGITALCERT ERROR Unable to restore info from /intflash/.cert/cert_info.cfg due to different/wrong format

Fast PoE and Perpetual PoE Upgrade Considerations

When you upgrade from VOSS 8.1.X to VOSS 8.1.5, the POE Controller undergoes a firmware update,
which reverts previously configured Fast PoE and Perpetual PoE settings back to the default values. The
system displays a message to inform you about this change.

Saving the Configuration


Save the configuration
• When you make a change to the configuration.
• To create a backup configuration file before you upgrade the software on the switch.

After you change the configuration, you must save the changes on the device. Save the configuration to
a file to retain the configuration settings.

Note that not all CLI commands are included in configuration files. Typical examples include, but are not
limited to, some operational and security-related commands.

Note
When loading large configuration files or large sections of a configuration file, avoid copying
and pasting of the files into the console or terminal window as it can lead to the loss of
configuration. You must either source the file or boot to the intended configuration file.
Sourcing and booting allow for the debug and verification of the configuration file using
the boot config flags. For more information about booting, sourcing, and debugging or
verification using boot flags, see VOSS CLI Commands Reference.

About This Task

File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) support IPv4 and IPv6 addresses.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Save the running configuration:
save config [backup WORD<1–99>] [file WORD<1–99>] [verbose]


Example

Switch:1> enable

Save the configuration to the default location:

Switch:1# save config

Identify the file as a backup file and designate a location to save the file:

Switch:1# save config backup /usb/PreUpgradeBackup.cfg

Variable Definitions
The following table defines parameters for the save config command.

Variable             Value
backup WORD<1–99>    Saves the specified file name and identifies the file as a backup file.
                     WORD<1–99> uses one of the following formats:
                     • a.b.c.d:<file>
                     • /intflash/<file>
                     • /usb/<file>
                     The file name, including the directory structure, can include up to
                     99 characters.
file WORD<1–99>      Specifies the file name in one of the following formats:
                     • a.b.c.d:<file>
                     • /intflash/<file>
                     • /usb/<file>
                     The file name, including the directory structure, can include up to
                     99 characters.
verbose              Saves the default and current configuration. If you omit this
                     parameter, the command saves only parameters you change.

Upgrade the Software


Important
Upgrades from some releases require release-specific steps. For more information, see VOSS
Release Notes.

Perform this procedure to upgrade the software on the switch. This procedure shows how to upgrade
the software using the internal flash memory as the file storage location.

Use one of the following options to upload the file with the new software to the switch:
• Use FTP or SFTP to transfer the file.

• Download the image file to your computer. Copy the file to a USB device and insert the USB device
into the USB port on the switch.

You can store up to six software releases on the switch. If you have six releases already stored on the
switch, you are prompted to remove one release before you can proceed to add and activate a new
software release.

For information about how to remove a software release, see Remove a Software Build on page 190.

Before You Begin


• To obtain the new software, go to the Extreme Networks support site:
http://www.extremenetworks.com/support. You need a valid user or site ID and password.
• Back up the configuration files.
• Use an FTP or SFTP application or USB device to transfer the file with the new software release to
the switch.
• Ensure that you have not configured a VLAN above 4059. If you have, you must port all
configuration on this VLAN to another VLAN, before you begin the upgrade.

Caution
Only VLAN range 2 to 4059 is supported. All configuration on a higher numbered VLAN
from earlier releases will be lost after the upgrade.

Note
Software upgrade configurations are case-sensitive.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. If you are using the USB port to transfer files, go to the next step. If you are using FTP or SFTP to
download the files, start the FTP daemon on the switch and enable the ftpd flag for FTP or sshd flag
for SFTP:

Note
Start an FTP session from your computer to the switch using the same username and
password used to Telnet or SSH to the switch. Upload or copy the image to the switch.

boot config flags <ftpd | sshd>

end
3. Download the files to the switch through FTP or SFTP, or transfer them to the switch through the
USB port.
4. Enter Privileged EXEC configuration mode by exiting the Global Configuration mode.
exit
5. Extract the release distribution files to the /intflash/release/ directory:
software add WORD<1-99>


6. Install the image:


software activate WORD<1-99>
7. Restart the switch:
reset

Important
After you restart the system, you have the amount of time configured for the commit
timer to verify the upgrade and commit the software to gold. If you do not commit the
software to gold and auto-commit is not enabled, the system restarts with the last known
working version after the commit timer has expired. This feature ensures you can regain
control of the system if an upgrade fails. By default, auto-commit is enabled.

8. After you restart the switch, enter Privileged EXEC configuration mode:
rwa

enable
9. Confirm the software is upgraded:
show software
10. Commit the software:
software commit

Important
If you disable the auto-commit feature, you must run the software commit command
manually before the commit timer expires to commit the new software version, otherwise
the system restarts automatically to the previous (committed) version. By default, auto-
commit is enabled.

Example

Note
The image file name is switch dependent. See VOSS Release Notes for information about file
names.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#boot config flags ftpd
Switch:1#end
Switch:1#copy /usb/VOSS8200.8.5.0.0.tgz /intflash/VOSS8200.8.5.0.0.tgz
Switch:1#software add VOSS8200.8.5.0.0.tgz
Switch:1#software activate VOSS8200.8.5.0.0.GA
Switch:1#reset -y
Switch:1#show software
================================================================================
software releases in /intflash/release/
================================================================================
VOSS8200.8.5.0.0.GA (Primary Release)(Signed Release)
VOSS8200.8.4.2.0.GA (Backup Release) (Unsigned Release)

--------------------------------------------------------------------------------
Auto Commit : enabled
Commit Timeout : 10 minutes

Remaining time until software auto-commit is 8 minutes 59 seconds

Switch:1#show software detail


================================================================================
software releases in /intflash/release/
================================================================================

VOSS8200.8.5.0.0.GA(Primary Release) (Signed Release)


SSIO
UBOOT 18081615
KERNEL 4.9
ROOTFS 4.9
APP_FS VOSS8200.8.5.0.0.GA
AVAILABLE ENCRYPTION MODULES
3DES
AES/DES

VOSS8200.8.4.2.0.GA (Backup Release) (Unsigned Release)


SSIO
UBOOT 18081615
KERNEL 4.9
ROOTFS 4.9

APP_FS VOSS8200.8.4.2.0.GA
AVAILABLE ENCRYPTION MODULES
No Modules Added
----------------------------------------------------------------------------------
Auto Commit : enabled
Commit Timeout : 10 minutes

Remaining time until software auto-commit is 8 minutes 41 seconds

Switch:1#software commit
Executing software commit for version VOSS8200.8.5.0.0.GA.
Software commit successful
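
The show software listings in this section and under Firmware Update And Verification With Digital Signed Certificate can be checked automatically after an upgrade. The following Python is an added example, not part of the VOSS documentation or tooling: it parses the listing, applies the dot notation from Image Naming Conventions to each release name, and reports releases the switch does not list as signed along with the state of the commit timer. It reads only what the switch reports and does not verify any signature itself; the finding texts are illustrative.

```python
import re

# Constructed sample: the `show software` listing from the upgrade example above.
SAMPLE_OUTPUT = """\
================================================================================
software releases in /intflash/release/
================================================================================
VOSS8200.8.5.0.0.GA (Primary Release)(Signed Release)
VOSS8200.8.4.2.0.GA (Backup Release) (Unsigned Release)

--------------------------------------------------------------------------------
Auto Commit : enabled
Commit Timeout : 10 minutes

Remaining time until software auto-commit is 8 minutes 59 seconds
"""

# Product.Major.Minor.Maintenance.Update, then an optional suffix (.tgz, .GA).
NAME_RE = re.compile(r"^(?P<product>[A-Za-z0-9]+)\.(?P<major>\d+)\.(?P<minor>\d+)"
                     r"\.(?P<maintenance>\d+)\.(?P<update>\d+)(?:\.(?P<suffix>\w+))?$")
# A release line is a name followed only by parenthesised tags.
RELEASE_RE = re.compile(r"^(?P<name>[^\s(]+)\s*(?P<tags>(?:\([^)]*\)\s*)+)$")
REMAINING_RE = re.compile(r"^Remaining time until software auto-commit is "
                          r"(\d+) minutes (\d+) seconds$")


def parse_release_name(name):
    """Split a name into its dot-notation fields, or None if it does not conform."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    parts = m.groupdict()
    for key in ("major", "minor", "maintenance", "update"):
        parts[key] = int(parts[key])
    return parts


def parse_show_software(output):
    state = {"releases": [], "auto_commit": None,
             "timeout_min": None, "remaining_s": None}
    for raw in output.splitlines():
        line = raw.strip()
        release = RELEASE_RE.match(line)
        if release:
            tags = {t.strip().lower()
                    for t in re.findall(r"\(([^)]*)\)", release["tags"])}
            state["releases"].append({
                "name": release["name"],
                "role": next((r for r in ("primary", "backup")
                              if f"{r} release" in tags), None),
                "signed": True if "signed release" in tags
                else False if "unsigned release" in tags else None,
                "version": parse_release_name(release["name"]),
            })
            continue
        m = re.match(r"^Auto Commit\s*:\s*(\w+)$", line)
        if m:
            state["auto_commit"] = m.group(1).lower() == "enabled"
            continue
        m = re.match(r"^Commit Timeout\s*:\s*(\d+) minutes$", line)
        if m:
            state["timeout_min"] = int(m.group(1))
            continue
        m = REMAINING_RE.match(line)
        if m:
            state["remaining_s"] = int(m.group(1)) * 60 + int(m.group(2))
    return state


def audit(output):
    """Return human-readable findings for the parsed listing."""
    state = parse_show_software(output)
    findings = []
    for rel in state["releases"]:
        if rel["signed"] is not True:
            msg = f"{rel['name']}: not reported as a signed release"
            if rel["role"] == "primary":
                msg += "; Enhanced Secure Mode requires a signed image"
            findings.append(msg)
        if rel["version"] is None:
            findings.append(f"{rel['name']}: name does not follow the dot notation")
    if state["auto_commit"] is False:
        findings.append("auto-commit disabled: run 'software commit' "
                        "before the commit timer expires")
    elif state["remaining_s"] is not None:
        findings.append(f"auto-commit in {state['remaining_s']}s: "
                        "finish verification before then")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```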

Variable Definitions
The following table defines parameters for the software command.

Variable               Value
activate WORD<1-99>    Copies the software version to the boot flash file.
                       When you use the software activate command, the system checks
                       for hardware dependencies and prevents a downgrade if it detects
                       a dependency. For example, if a hardware component has a minimum
                       software version dependency, you cannot downgrade to an
                       incompatible software version or install the hardware component
                       in a chassis that runs an incompatible software version.
add WORD<1-99>         Unpacks a software release <version>.

Verifying the upgrade


Verify your upgrade to ensure proper switch operation.


Procedure

1. Check for alarms or unexpected errors:


show logging file tail
2. Verify all modules and slots are online:
show sys-info

Commit an upgrade
Perform the following procedure to commit an upgrade.

About This Task

The software commit functionality for software upgrades allows up to the maximum time set by the commit
timer (the default is 10 minutes) to ensure that the upgrade is successful. If you enable the auto-commit
option, the system automatically commits to the new software version after the commit timer expires.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. (Optional) Configure the timer to activate the software:
sys software commit-time <10-60>

The default is 10 minutes.

Note
VSP 8600 Series default is 15 minutes.

3. (Optional) Extend or reduce the time to commit the software:


software reset-commit-time [<1–60>]
4. Commit the upgrade:
software commit

Important
If you disable the auto-commit feature, you must run the software commit command
manually before the commit timer expires to commit the new software version, otherwise
the system restarts automatically to the previous (committed) version. By default, auto-
commit is enabled.


Downgrade the Software


Perform this procedure to downgrade the switch from the current trusted version to a previous release.

Important
MACsec connectivity association (CA) configurations fail during downgrade. If you plan
to downgrade MACsec to an earlier version, delete the MACsec CA entries, perform the
downgrade, and then reconfigure the MACsec CA entries. This applies to both 2AN and 4AN
modes.

Before You Begin

Ensure that you have a previous version installed.

About This Task

Note
The image file name is switch dependent. See VOSS Release Notes for information about file
names.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Extract the release distribution files to the /intflash/release/ directory:
software add WORD<1-99>
3. Activate a prior version of the software:
software activate WORD<1-99>
4. Restart the switch:
reset

Important
After you restart the system, you have the amount of time configured for the commit
timer to verify the software change and commit the software to gold. If you do not
commit the software to gold and auto-commit is not enabled, the system restarts with the
last known working version after the commit timer expires. This feature ensures you can
regain control of the system if an upgrade fails. By default, auto-commit is enabled.

5. Commit the software change:


software commit

Important
If you disable the auto-commit feature, you must run the software commit command
manually before the commit timer expires to commit the new software version, otherwise
the system restarts automatically to the previous (committed) version. By default, auto-
commit is enabled.

6. Verify the downgrade:


• Check for alarms or unexpected errors using the show logging file tail command.
• Verify all modules and slots are online using the show sys-info command.
7. (Optional) Remove unused software:
software remove WORD<1-99>

Variable Definitions
The following table defines parameters for the software command.

Variable               Value
activate WORD<1-99>    Specifies the name of the software release image.
add WORD<1-99>         Specifies the path and version of the compressed software release
                       archive file.
remove WORD<1-99>      Specifies the path and version of the compressed software release
                       archive file.

Remove a Software Build


Use the following procedure to remove a software build for the switch.

Note
A maximum of 6 software releases can be installed on the switch. When the limit is reached,
you are prompted to remove one release before you can proceed with adding and activating a
new software release.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Remove the software build:
software remove WORD<1-99>

Example

Remove the software build:


Switch:1>enable
Switch:1#software remove w.x.y.z

Update the Complex Programmable Logic Device (CPLD) Image


Note
This procedure only applies to VSP 4900 Series.

During the device bootup, if an older version of a CPLD module is detected, the system displays a log
message to upgrade the CPLD module image.


The following is an example of the log message:

1 2020-01-17T13:08:16.630Z VSP-4900-12MXU-12XE CP1 - 0x0026050d - 00000000 GlobalRouter SW INFO cpu CPLD/FPGA module is running older version. Recommended to upgrade using command cpld-install.

You can also use the show sys-info cpld command to check the current version of the CPLD module
on the device.

Before You Begin

Upgrade the software on the switch to the latest build.

About This Task

The cpld-install command compares the image version of the modules with the current version
on the device:
• If the versions are the same, the command exits.
• If the current version is an earlier version, you must update the image version of the specific module.

The device automatically restarts after successful installation of the specific module.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Update one of the following CPLDs:
• CPU:

cpld-install cpu [WORD<1-99>]


• Field-Programmable Gate Array (FPGA):

cpld-install fpga [WORD<1-99>]


• Port:

cpld-install port [WORD<1-99>]


• VIM (Versatile Interface Module):

cpld-install vim [WORD<1-99>]


3. When prompted, type y to continue with the CPLD update.

Example

Update the CPLD for the port module.


Switch:1>cpld-install port /intflash/1.1.8_sd_portpld.tgz
image file md5 checksum passed
Current port CPLD version is 0x1108, 1.1.08

Do you want to continue with cpld update? (y/n) ? y

WARNING: Upgrading FPGA requires writing to a device

WARNING: It will take about a minute or so to complete.


WARNING: DO NOT TURN POWER OFF OR MAKE ANY HARDWARE CHANGES ONCE YOU START THIS OPERATION.

FPGA upgrade completed successfully

System is going for powercycle now...


1 2019-12-13T14:55:55.577+05:30 VSP-4900-24S CP1 - 0x0026050c - 00000000 GlobalRouter SW INFO port
CPLD update completed successfully.
CP1 [12/13/19 14:55:56.000] LifeCycle: INFO: Stopping all processes
Switch:1>CP1 [12/13/19 14:56:01.000] LifeCycle: INFO: Process slamon.sh (pid:20748) stopping with
signal 9
1 2019-12-13T14:56:01.225+05:30 VSP-4900-24S CP1 - 0x0000c5f9 - 00000000 GlobalRouter HW INFO Link
Down(1/14). Port is disabled
1 2019-12-13T14:56:01.226+05:30 VSP-4900-24S CP1 - 0x00004726 - 00000000 GlobalRouter SNMP INFO SPBM
detected adj DOWN on Port1/14,
neighbor 489b.d59d.6884 (VSP-4900-12MXU-12XE)
1 2019-12-13T14:56:01.226+05:30 VSP-4900-24S CP1 - 0x00000033 - 00000000 GlobalRouter SW ERROR
dpmSendMulti: LtrSend Failed: Status=9
1 2019-12-13T14:56:01.226+05:30 VSP-4900-24S CP1 - 0x000e05dc - 00000000 GlobalRouter HAL ERROR
dpmCosqProfileApply: request ltrSend FAILED
1 2019-12-13T14:56:01.229+05:30 VSP-4900-24S CP1 - 0x0000c5f9 - 00000000 GlobalRouter HW INFO Link
Down(1/24). Port is disabled
1 2019-12-13T14:56:01.233+05:30 VSP-4900-24S CP1 - 0x00010756 - 0040000b.3 PERSISTENT SET GlobalRouter
HW WARNING Module VSP4900-24S in slot 1
is non-operational
1 2019-12-13T14:56:01.267+05:30 VSP-4900-24S CP1 - 0x00000033 - 00000000 GlobalRouter SW ERROR
dpmSendMulti: LtrSend Failed: Status=9
1 2019-12-13T14:56:01.267+05:30 VSP-4900-24S CP1 - 0x000e05dc - 00000000 GlobalRouter HAL ERROR
dpmSendMacAddrDelMsg: request ltrSend FAILED
1 2019-12-13T14:56:01.267+05:30 VSP-4900-24S CP1 - 0x00100665 - 00000000 GlobalRouter SW WARNING
dpmDeleteMacAddress: failed for
Mac = 02:78:84:ff:ff:ff, Mgid = 4052
1 2019-12-13T14:56:01.271+05:30 VSP-4900-24S CP1 - 0x000646fa - 00000000 GlobalRouter MLT INFO IST
DOWN, status vector: 0x60000000001800
1 2019-12-13T14:56:01.271+05:30 VSP-4900-24S CP1 - 0x000646da - 01900004 DYNAMIC SET GlobalRouter MLT
WARNING SMLT IST Link is DOWN /IST Slave
CP1 [12/13/19 14:56:04.000] LifeCycle: INFO: Stopped all processes
CP1 [12/13/19 14:56:04.000] LifeCycle: INFO: All processes have stopped
CP1 [12/13/19 14:56:04.000] LifeCycle: INFO: Setting shutdown countdown to 300 seconds
CP1 [12/13/19 14:56:04.000] LifeCycle: INFO: Flushing buffers ... OK
CP1 [12/13/19 14:56:04.000] LifeCycle: INFO: Restarting module
CP1 [12/13/19 14:56:05.000] LifeCycle: INFO: Powercycling the system!
Using device type 1 (FPGA)
RECONFIGURE command enabled
Lock file name is /tmp/FPGA_lock
FPGA RECONFIGURE operation started.
FPGA RECONFIGURE operation SUCCEEDED.

Variable Definitions
The following table defines parameters for the cpld-install command.

Variable    Value
cpu         Updates the CPU module.
fpga        Updates the FPGA module.
port        Updates the Port module.
vim         Updates the VIM module.
WORD<1-99>  Specifies the image filename.
            Note: This parameter is optional. If you do not specify
            the filename, the command checks the .tgz file for the
            image from the running VOSS filesystem.

Upgrade the Boot Loader Image


Note
This procedure does not apply to VSP 4900 Series, VSP 7400 Series, and XA1400 Series.

Warning
This command is an advanced-level command that upgrades the device uboot image. Only
use this command if specifically advised to do so by Technical Support. Improper use of this
command can result in permanent damage to the device and render it unusable.

If the need to use this command arises, instructions on usage will be provided by technical support.

Before You Begin


• Transfer the image to the /intflash/ directory on the switch.

Procedure

1. Enter Privileged EXEC mode:


enable
2. View the current uboot version:
show sys-info uboot
3. Upgrade the boot loader image:
uboot-install WORD<1-99>
4. Restart the system.

Example
Switch:1#show sys-info uboot

U-Boot Info :
------------------------------------------------------------------------------------------

Default Version : 2.3.2.1

Alternate Version : 2.3.2.1

Boot Version Used : Default

Trusted Delivery Status : Boot Image Verified


Variable Definitions
The following table defines parameters for the uboot-install command.

Variable Value
WORD<1-99> Specifies the full path and filename that contains the uboot image.



Address Resolution Protocol
Address Resolution Protocol
Reverse Address Resolution Protocol
ARP configuration using the CLI
ARP configuration using Enterprise Device Manager

Table 36: Address Resolution Protocol product support


Feature                        Product          Release introduced
Address Resolution Protocol    VSP 4450 Series  VSP 4000 4.0
(ARP) including Proxy ARP and  VSP 4900 Series  VOSS 8.1
Static ARP                     VSP 7200 Series  VOSS 4.2.1
                               VSP 7400 Series  VOSS 8.0
                               VSP 8200 Series  VSP 8200 4.0
                               VSP 8400 Series  VOSS 4.2
                               VSP 8600 Series  VSP 8600 4.5
                               XA1400 Series    VOSS 8.0.50
Gratuitous ARP filtering       VSP 4450 Series  VOSS 4.2
                               VSP 4900 Series  VOSS 8.1
                               VSP 7200 Series  VOSS 4.2.1
                               VSP 7400 Series  VOSS 8.0
                               VSP 8200 Series  VOSS 4.2
                               VSP 8400 Series  VOSS 4.2
                               VSP 8600 Series  VSP 8600 4.5
                               XA1400 Series    VOSS 8.0.50

Address Resolution Protocol


Network stations using the IP protocol need both a physical address and an IP address to transmit a
packet. In situations where the station knows only the network host IP address, the network station uses
Address Resolution Protocol (ARP) to determine the physical address for a network host by binding a
32-bit IP address to a 48-bit MAC address. A network station can use ARP across a single network only,
and the network hardware must support physical broadcasts.


The network station uses ARP to determine the host physical address as follows:
• The network station broadcasts a special packet, called an ARP request, that asks the host at the
specified IP address to respond with its physical address.
• All network hosts receive the broadcast request.
• Only the specified host responds with its hardware address.
• The network station then maps the host IP address to its physical address and saves the results in an
address-resolution cache for future use.
• The network station ARP table displays the associations of the known MAC address to IP address.

You can create ARP entries, and you can delete individual ARP entries.

Enable ARP traffic


The switch accepts and processes ARP traffic, spanning tree bridge packet data units (BPDU), and
Topology Discovery Protocol packets on port-based VLANs with the default port action of drop. If a
filter port action is drop for a packet, ARP packets are also dropped. As a result, ARP entries on that
port are cleared and are not relearned when the ARP aging timer expires.

To prevent dropped ARP packets, configure the following options:


• A user-defined protocol-based VLAN for ARP EtherType (byprotocol usrDefined 0x0806).
• Ports as static members to this VLAN with the default port action of drop.
• The port default VLAN ID to the correct port-based VLAN where the ARPs are processed.

You do not need to make configuration changes for the BPDU and Topology Discovery Protocol
packets.

Only one user-defined protocol-based VLAN for ARP is allowed for each Spanning Tree Group (STG).
If the ports with the default port action of drop are in different STGs, you must create additional
user-defined protocol-based VLANs.

Proxy ARP
A network station uses proxy ARP to respond to an ARP request from a locally attached host or end
station for a remote destination. The network station sends an ARP response back to the local host with
the MAC address of its own interface on the subnet on which the ARP request was
received. The reply is generated only if the device has an active route to the destination network.

The following figure shows an example of proxy ARP operation. In this example, host C with mask 24
appears to be locally attached to host B with mask 16, so host B sends an ARP request for
host C. However, the switch is between the two hosts. To enable communication between the two hosts,
the switch responds to the ARP request with the IP address of host C but with its own MAC address.


Figure 15: Proxy ARP operation

Loop detection
To prevent cases of ARP looping, configure the ARP loop detection flag to detect this situation. When a
loop is detected, the port is shut down.

Flushing router tables


For administrative or troubleshooting purposes, sometimes you must flush the routing tables. Flush
routing tables either by VLAN or by port. In a VLAN context, all entries associated with the VLAN are
flushed. In a port context, all entries associated with the port are flushed.

Reverse Address Resolution Protocol


Certain devices use the Reverse Address Resolution Protocol (RARP) to obtain an IP address from a
RARP server. MAC address information for the port is broadcast on all ports associated with an IP
protocol-based or port-based VLAN. To enable a device to request an IP address from a RARP server
outside its IP VLAN, you must create a RARP protocol-based VLAN.

RARP has the format of an ARP frame but its own Ethernet type (8035). You can remove RARP
from the IP protocol-based VLAN definition and treat it as a separate protocol, thus creating a RARP
protocol-based VLAN.

A typical network topology provides desktop switches in wiring closets with one or more trunk ports
that extend to one or more data center switches where attached servers provide file, print, and other
services. Use RARP functionality to define all ports in a network that require access to a RARP server
as potential members of a RARP protocol-based VLAN. You must define all tagged ports and data
center RARP servers as static or permanent members of the RARP VLAN. Therefore, a desktop host
broadcasts an RARP request to all other members of the RARP VLAN. In normal operation, these
members include only the requesting port, tagged ports, and data center RARP server ports. Because
all other ports are potential members of this VLAN and RARP is only transmitted at startup, all other
port VLAN memberships expire. With this feature, one or more centrally located RARP servers extend
RARP services across traditional VLAN boundaries to reach desktops globally.

ARP configuration using the CLI


Network stations that use IP protocol require both a physical address and an IP address to transmit
packets. In situations where the station knows only the network host IP address, the Address Resolution
Protocol (ARP) lets you use the network station to determine a network host physical address by
binding a 32-bit IP address to a 48-bit MAC address.

A network station can use ARP across a single network only, and the network hardware must support
physical broadcasts. If a network station wants to send a packet to a host but knows only the host IP
address, the network station uses ARP to determine the host physical address.

ARP response is enabled by default.

Enabling ARP on a port or a VLAN


Enable ARP on the device so that it answers local ARP requests.

About This Task

You can enable or disable ARP responses on the device. You can also enable ARP proxy, which lets a
router answer a local ARP request for a remote destination.

Procedure

1. Enter Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1-4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable ARP on the device:


ip arp-response

Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 200
Switch:1(config-if)#ip arp-response


Enabling ARP proxy


About This Task

Configure an ARP proxy to allow the platform to answer a local ARP request for a remote destination.
ARP proxy is disabled by default.

Procedure
1. Enter Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1-4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable ARP proxy on the device:


ip arp-proxy enable

Use the no operator to disable ARP proxy: no ip arp-proxy [enable]

Example

Enable ARP proxy on VLAN 200:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 200
Switch:1(config-if)#ip arp-proxy enable

View ARP Information


The show ip arp command displays all of the configured and dynamically learned ARP entries in the
ARP table.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display ARP information for a specified port or for all ports:
show ip arp interface gigabitethernet [slot/port[/sub-port][-slot/port[/sub-port]][,...]]
3. Display ARP information for a VLAN:
show ip arp interface vlan <1-4059>

Example

Switch:1>show ip arp interface

================================================================================
Port Arp
================================================================================
PORT_NUM DOPROXY DORESP
--------------------------------------------------------------------------------
1/1 false true
1/2 false true
1/3 false true
1/4 false true
1/5 false true
1/6 false true
1/7 false true
1/8 false true
1/9 false true
1/10 false true
1/11 false true
1/12 false true
1/13 false true
1/14 false true
1/15 false true
1/16 false true
1/17 false true

--More-- (q = quit)

Variable definitions
Use the data in the following table to use the show ip arp command.

Variable              Value
A.B.C.D               Specifies the IP address of a network.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
                      Identifies the slot and port in one of the following
                      formats: a single slot and port (slot/port), a range
                      of slots and ports (slot/port-slot/port), or a series
                      of slots and ports (slot/port,slot/port,slot/port). If
                      the platform supports channelization and the port
                      is channelized, you must also specify the sub-port
                      in the format slot/port/sub-port.
interface             Displays ARP interface configuration information.
spbm-tunnel-as-mac    Displays the remote host name in the TUNNEL
                      column for the SPBM ARP entry.
-s                    Specifies a subnet.
                      You must indicate the IP address followed by the
                      subnet mask expressed as <A.B.C.D> <A.B.C.D>.
vlan <1-4059>         Displays ARP entries for a particular VLAN ID.
                      Specifies the VLAN ID in the range of 1 to 4059.
                      By default, VLAN IDs 1 to 4059 are configurable
                      and the system reserves VLAN IDs 4060 to 4094
                      for internal use. On switches that support the
                      vrf-scaling and spbm-config-mode boot
                      configuration flags, if you enable these flags, the
                      system also reserves VLAN IDs 3500 to 3998.
                      VLAN ID 1 is the default VLAN and you cannot
                      create or delete VLAN ID 1.
vrf WORD<1–16>        Specifies a VRF name expressed as text from 1 to
                      16 characters in length.
                      The total number of ARPs listed in the summary
                      line of the show ip arp output represents the
                      total number of ARPs on the chassis, including
                      all VRFs (which includes the Management Router
                      VRF).
vrfids WORD<0–512>    Specifies a range of VRFIDs as text from 0 to 512
                      characters in length.
                      The total number of ARPs listed in the summary
                      line of the show ip arp output represents the
                      total number of ARPs on the chassis, including
                      all VRFs (which includes the Management Router
                      VRF).

Use the data in the following table to help you understand the show ip arp interface command
output.

Variable Value
PORT_NUM Indicates the port number.
DOPROXY Indicates if ARP proxy responses are enabled or disabled on the specified
interface.
DORESP Indicates if the sending of ARP responses is enabled or disabled on the
specified interface.

Use the data in the following table to help you understand the show ip arp interface vlan
command output.

Variable Value
VLAN_ID Indicates the VLAN ID.
DOPROXY Indicates if ARP proxy responses are enabled or disabled on the specified
interface.
DORESP Indicates if the sending of ARP responses is enabled or disabled on the
specified interface.

Configuring IP ARP static entries


About This Task

Configure ARP static entries to modify the ARP parameters on the device. The only way to change a
static ARP is to delete the static ARP entry and create a new entry with new information.

Note
Static multicast ARP entries are not supported for NLB Unicast or NLB Multicast operations.


Procedure

1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF
context:
enable

configure terminal

Optional: router vrf WORD<1-16>


2. Configure ARP static entries on the device:
ip arp <A.B.C.D> 0x00:0x00:0x00:0x00:0x00:0x00 {slot/port[-slot/port][,...]}

Example

Configure ARP static entries:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ip arp 192.0.2.10 00-16-76-7D-80-C2 2/1

Variable Definitions
Use the data in the following table to use the ip arp command.

Variable              Value
request-threshold <50-1000>
                      Configures the maximum number of outstanding ARP requests
                      that a device can generate. The range is 50–1000. The default
                      value is 500.
                      To configure this option to the default value, use the default
                      operator with this command.
timeout <1-32767>     Configures the length of time in seconds an entry remains in the
                      ARP table before timeout. The range is 1–32767.
                      To configure this option to the default value, use the default
                      operator with this command.
                      Note:
                      The aging of ARP records is tied to the aging of MAC records.
                      The ARP record for a given IP address is not removed unless the
                      associated MAC record ages out and the router stops receiving
                      a response to ARP requests for that IP address. In cases where
                      the ARP aging time is set to less than the MAC aging time, the
                      switch waits until the MAC ages out before deleting the ARP for
                      an inactive host.
<A.B.C.D>             Adds ARP entries.

Clearing ARP entries


Use this procedure to clear dynamic ARP table entries associated with the interface or VLAN.


Procedure

1. Enter Privileged EXEC mode:


enable
2. Clear ARP entries:
clear ip arp interface <gigabitethernet|vlan> <slot/port[/sub-port][-slot/port[/sub-port]][,...]| <1-4059>>

Example

Clear ARP entries:


Switch:1> enable
Switch:1# clear ip arp interface gigabitethernet 1/16

Variable definitions
Use the data in the following table to use the clear ip arp interface command.

Variable              Value
<1-4059>              Specifies the VLAN ID in the range of 1 to 4059.
                      By default, VLAN IDs 1 to 4059 are configurable
                      and the system reserves VLAN IDs 4060 to 4094
                      for internal use. On switches that support the
                      vrf-scaling and spbm-config-mode boot
                      configuration flags, if you enable these flags, the
                      system also reserves VLAN IDs 3500 to 3998.
                      VLAN ID 1 is the default VLAN and you cannot
                      create or delete VLAN ID 1.
gigabitethernet|vlan  Specifies the interface type.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
                      Identifies the slot and port in one of the following
                      formats: a single slot and port (slot/port), a range
                      of slots and ports (slot/port-slot/port), or a series
                      of slots and ports (slot/port,slot/port,slot/port). If
                      the platform supports channelization and the port
                      is channelized, you must also specify the sub-port
                      in the format slot/port/sub-port.

Showing ARP table information


Show ARP information to view the configuration information in the ARP table.

About This Task

When you use the interface parameter with the show ip arp command you can display ARP
configuration information only for a specific switch.

The show ip arp command displays all of the configured and dynamically learned ARP entries in
the ARP table.


Procedure

1. Enter Privileged EXEC mode:


enable
2. Display the ARP table:
show ip arp [<A.B.C.D>] [-s <A.B.C.D>] [gigabitEthernet <slot/port[/sub-port]>] [interface <gigabitethernet|vlan>] [nlb] [spbm-tunnel-as-mac] [vlan <1-4059>] [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example

Switch:1#show ip arp
=========================================================================================
IP Arp - GlobalRouter
=========================================================================================
IP_ADDRESS      MAC_ADDRESS        VLAN  PORT  TYPE     TTL(10 Sec)  TUNNEL
-----------------------------------------------------------------------------------------
192.0.2.1       00:09:0f:09:00:08  20    1/3   DYNAMIC  2159
192.0.2.12      b4:a9:5a:ff:f8:40  20    1/3   DYNAMIC  458
192.0.2.25      e4:5d:52:3c:65:00  20    -     LOCAL    2160
192.0.2.154     d4:ea:0e:c2:08:00  20    1/3   DYNAMIC  2131
192.0.2.157     00:1c:17:b1:ec:80  20    1/3   DYNAMIC  2131
192.0.2.161     fc:a8:41:fb:40:00  20    1/3   DYNAMIC  2131
192.0.2.253     e0:db:55:d4:e5:7c  20    1/3   DYNAMIC  2041
192.0.2.255     ff:ff:ff:ff:ff:ff  20    -     LOCAL    2160

===========================================================================================
IP Arp Extn - GlobalRouter
===========================================================================================
MULTICAST-MAC-FLOODING AGING(Minutes) ARP-THRESHOLD
-------------------------------------------------------------------------------------------
disable 360 500

c: customer vid u: untagged-traffic

8 out of 8 ARP entries displayed

ARPs on TX-NNI: Current = 0, re-ARP count = 0

Variable definitions
Use the data in the following table to help you use the show ip arp command.

Variable              Value
-s                    Specifies the subnet for the table.
gigabitEthernet       Displays the entries for a particular brouter port.
interface             Displays ARP interface configuration information.
                      Use the following parameters to display ARP table
                      information specifically for:
                      • gigabitethernet {slot/port[–slot/port][,...]}
                        displays IP ARP gigabitethernet interface
                        information
                      • VLAN <1-4059> displays IP ARP VLAN
                        interface information
                      Example: show ip arp interface vlan 1
nlb                   Displays the Network Load Balancing (NLB) ARP
                      entries on the switch.
spbm-tunnel-as-mac    Displays the remote host name in the TUNNEL
                      column for the SPBM ARP entry.
vlan                  Specifies the VLAN ID in the range of 1 to 4059.
                      By default, VLAN IDs 1 to 4059 are configurable
                      and the system reserves VLAN IDs 4060 to 4094
                      for internal use. On switches that support the
                      vrf-scaling and spbm-config-mode boot
                      configuration flags, if you enable these flags, the
                      system also reserves VLAN IDs 3500 to 3998.
                      VLAN ID 1 is the default VLAN and you cannot
                      create or delete VLAN ID 1.
                      Use these parameters to display ARP table
                      information specifically for:
                      • vrf WORD<1–16>: the VLAN VRF name in a
                        range from 1 to 16 characters
                      • vrfids WORD<0–512>: the VLAN VRF ID in a
                        range from 0 to 512
                      Example: show ip arp vlan 1 vrf 1
vrf WORD <1-16>       Specifies the name of the VRF.
                      The total number of ARPs listed in the summary
                      line of the "show ip arp" display represents the
                      total number of ARPs on the chassis including all
                      VRFs.
vrfids WORD <0-512>   Specifies the VRF ID.
                      The total number of ARPs listed in the summary
                      line of the "show ip arp" display represents the
                      total number of ARPs on the chassis including all
                      VRFs.
<A.B.C.D>             Specifies the network IP address for the table.

Use the data in the following table to help you understand the output of the show ip arp
command.

Parameter               Description
IP_ADDRESS              Indicates the IP address where ARP is configured.
MAC_ADDRESS             Indicates the MAC address where ARP is configured.
VLAN                    Indicates the VLAN address where ARP is configured.
PORT                    Indicates the port where ARP is configured.
TYPE                    Indicates the type of learning (dynamic or local) where ARP is configured.
TTL<10 secs>            Indicates the time to live as tenths of a second where ARP is configured.
TUNNEL                  Displays the remote host name in the TUNNEL column for the SPBM ARP
                        entry.
MULTICAST-MAC-FLOODING  Displays whether IP ARP multicast MAC flooding is enabled or disabled.
                        When enabled, the ARP entries for multicast MAC addresses are associated
                        with the VLAN or port interface on which they were learned.
AGING (Minutes)         Displays when the ARP aging timer expires.
ARP-THRESHOLD           Displays the maximum number of outstanding ARP requests that a device
                        can generate.
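
The columns described above can be audited offline from captured show ip arp output. The following is an added example, not part of the VOSS guide or any Extreme Networks tooling: it parses the rows, compares two captures, and reports IP-to-MAC bindings that changed and MAC addresses that answer for more than one IP in a VLAN. The snapshots are constructed (modelled on the example output above) and all function names are hypothetical.

```python
import re
from collections import defaultdict

# One row of "show ip arp": IP, MAC, VLAN, PORT, TYPE, TTL and an optional TUNNEL.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+"
    r"(?P<vlan>\d+)\s+(?P<port>\S+)\s+(?P<type>[A-Za-z]+)\s+(?P<ttl>\d+)"
    r"(?:\s+(?P<tunnel>\S+))?$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return the ARP rows found in captured `show ip arp` output."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.isdigit() and joined:
            # A narrow terminal wraps the TTL onto its own line; re-attach it.
            joined[-1] += " " + line
        elif line:
            joined.append(line)
    entries = []
    for line in joined:
        match = ROW.match(line)
        if match:  # headers, separators and summary lines do not match
            entry = match.groupdict()
            entry["mac"] = entry["mac"].lower()
            entry["type"] = entry["type"].upper()
            entry["vlan"] = int(entry["vlan"])
            entry["ttl"] = int(entry["ttl"])
            entries.append(entry)
    return entries


def changed_bindings(before, after):
    """List IPs whose MAC address differs between two captures."""
    old = {(e["vlan"], e["ip"]): e for e in before}
    findings = []
    for entry in after:
        prev = old.get((entry["vlan"], entry["ip"]))
        if prev and prev["mac"] != entry["mac"]:
            findings.append({
                "vlan": entry["vlan"], "ip": entry["ip"], "port": entry["port"],
                "old_mac": prev["mac"], "new_mac": entry["mac"],
            })
    return findings


def shared_macs(entries):
    """Map (vlan, mac) to the IPs it answers for, when there is more than one.

    LOCAL rows (the switch's own addresses and the broadcast entry) are skipped.
    Proxy ARP and failover can produce this pattern legitimately, so each hit
    is a lead to check against the known design, not a verdict.
    """
    by_mac = defaultdict(list)
    for entry in entries:
        if entry["type"] != "LOCAL":
            by_mac[(entry["vlan"], entry["mac"])].append(entry["ip"])
    return {key: sorted(ips) for key, ips in by_mac.items() if len(ips) > 1}


# Constructed snapshots; the rows are modelled on the guide's example output.
BASELINE = """\
IP_ADDRESS   MAC_ADDRESS        VLAN PORT TYPE     TTL(10 Sec) TUNNEL
192.0.2.1    00:09:0f:09:00:08  20   1/3  DYNAMIC  2159
192.0.2.12   b4:a9:5a:ff:f8:40  20   1/3  DYNAMIC  458
192.0.2.25   e4:5d:52:3c:65:00  20   -    LOCAL    2160
192.0.2.255  ff:ff:ff:ff:ff:ff  20   -    LOCAL    2160
"""

# Later capture with wrapped TTL values; 192.0.2.1 now resolves to the MAC
# that also answers for 192.0.2.12.
LATER = """\
192.0.2.1 b4:a9:5a:ff:f8:40 20 1/3 DYNAMIC
2160
192.0.2.12 b4:a9:5a:ff:f8:40 20 1/3 DYNAMIC
457
192.0.2.25 e4:5d:52:3c:65:00 20 - LOCAL
2160
192.0.2.255 ff:ff:ff:ff:ff:ff 20 - LOCAL
2160
"""

if __name__ == "__main__":
    before, after = parse_arp_table(BASELINE), parse_arp_table(LATER)
    for finding in changed_bindings(before, after):
        print("binding changed:", finding)
    for (vlan, mac), ips in shared_macs(after).items():
        print(f"VLAN {vlan}: {mac} answers for {', '.join(ips)}")
```
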

Configuring Gratuitous ARP


Use the following procedure to configure Gratuitous Address Resolution Protocol (ARP). When
Gratuitous ARP is enabled the switch allows all Gratuitous ARP request packets. The default is enabled.

If you disable Gratuitous ARP, the switch only allows Gratuitous ARP packets associated with Routed
Split Multi-Link Trunking (RSMLT) or Virtual Router Redundancy Protocol (VRRP), and the switch
discards all other Gratuitous ARP request packets.

About This Task

ARP translates network layer (layer 3) IP addresses into link layer (layer 2) MAC addresses. A host sends
a Gratuitous ARP request packet to inform other hosts of the existence of an interface on the network,
so other local hosts can update their ARP tables. If the IP or MAC address changes, or in the event of a
failover, a host sends a Gratuitous ARP request packet to inform other hosts to update their ARP tables.

VRRP and RSMLT use gratuitous ARP to update the MAC address tables on switches.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable Gratuitous ARP:
ip gratuitous-arp
3. (Optional) Disable Gratuitous ARP:
no ip gratuitous-arp
4. (Optional) Configure Gratuitous ARP to the default value:
default ip gratuitous-arp
5. Save the changed configuration.
save config [backup WORD<1–99>][file WORD<1–99>][verbose]
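
The Gratuitous ARP behaviour described above, and the earlier statement that RARP has the format of an ARP frame with its own Ethernet type, can both be checked against captured traffic. The following is an added example, not code from the VOSS guide: it classifies Ethernet frames as ARP or RARP, marks gratuitous ARP, and lists which MAC addresses announced each IP. The frames are constructed, the function names are hypothetical, and the gratuitous test (sender IP equals target IP) is the standard convention rather than something the guide states.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806    # EtherType of the ARP protocol-based VLAN in this chapter
ETHERTYPE_RARP = 0x8035   # RARP: same frame layout, its own EtherType
ETHERTYPE_DOT1Q = 0x8100  # 802.1Q tag, present on tagged ports
OPERATIONS = {1: "arp-request", 2: "arp-reply", 3: "rarp-request", 4: "rarp-reply"}


def mac_str(raw):
    return ":".join(f"{octet:02x}" for octet in raw)


def classify_frame(frame):
    """Describe an Ethernet/IPv4 ARP or RARP frame; return None for anything else."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_DOT1Q and len(frame) >= 18:
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype not in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        return None
    body = frame[offset:offset + 28]
    if len(body) < 28:
        return None  # truncated capture
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not a 48-bit MAC bound to a 32-bit IPv4 address
    sender_mac, sender_ip = body[8:14], IPv4Address(body[14:18])
    target_ip = IPv4Address(body[24:28])
    is_arp = ethertype == ETHERTYPE_ARP
    return {
        "protocol": "ARP" if is_arp else "RARP",
        "operation": OPERATIONS.get(oper, f"unknown-{oper}"),
        "sender_mac": mac_str(sender_mac),
        "sender_ip": str(sender_ip),
        "target_ip": str(target_ip),
        # Gratuitous ARP: the sender asks about, or announces, its own address.
        "gratuitous": is_arp and sender_ip == target_ip and int(sender_ip) != 0,
        # Ethernet source differing from the ARP sender MAC deserves a closer look.
        "l2_mismatch": mac_str(frame[6:12]) != mac_str(sender_mac),
    }


def gratuitous_claims(frames):
    """Map each IP announced by gratuitous ARP to the set of MACs announcing it."""
    claims = {}
    for frame in frames:
        info = classify_frame(frame)
        if info and info["gratuitous"]:
            claims.setdefault(info["sender_ip"], set()).add(info["sender_mac"])
    return claims


def build_frame(ethertype, oper, sender_mac, sender_ip, target_mac, target_ip,
                eth_src=None):
    """Build a broadcast test frame (helper for the constructed samples below)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    src = bytes.fromhex(eth_src.replace(":", "")) if eth_src else sha
    header = b"\xff" * 6 + src + struct.pack("!H", ethertype)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    body += sha + IPv4Address(sender_ip).packed + tha + IPv4Address(target_ip).packed
    return header + body


ZERO_MAC = "00:00:00:00:00:00"
# Constructed frames: two hosts announce 192.0.2.10, one ordinary request, one RARP.
SAMPLE_FRAMES = [
    build_frame(ETHERTYPE_ARP, 1, "02:00:00:00:00:01", "192.0.2.10", ZERO_MAC, "192.0.2.10"),
    build_frame(ETHERTYPE_ARP, 1, "02:00:00:00:00:02", "192.0.2.20", ZERO_MAC, "192.0.2.1"),
    build_frame(ETHERTYPE_ARP, 1, "02:00:00:00:00:99", "192.0.2.10", ZERO_MAC, "192.0.2.10"),
    build_frame(ETHERTYPE_RARP, 3, "02:00:00:00:00:03", "0.0.0.0", "02:00:00:00:00:03", "0.0.0.0"),
]

if __name__ == "__main__":
    for ip, macs in gratuitous_claims(SAMPLE_FRAMES).items():
        note = "  <- announced by more than one MAC" if len(macs) > 1 else ""
        print(ip, sorted(macs), note)
```

An IP announced by more than one MAC is what a failover looks like, as the text above notes, and it is also what an address conflict or a spoofed announcement looks like, so the result is a prompt to check which case applies.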


ARP configuration using Enterprise Device Manager


Network stations using the IP protocol need both a physical address and an IP address to transmit a
packet. In situations where the station knows only the network host IP address, the network station
can use Address Resolution Protocol (ARP) to determine a network host physical address by binding
a 32-bit IP address to a 48-bit MAC address. A network station can use ARP across a single network
only, and the network hardware must support physical broadcasts. If a network station wants to send
a packet to a host but knows only the host IP address, the network station uses ARP to determine the
host physical address.

Enable or Disable ARP on a Port


After you assign the IP address, you can configure ARP. By default, ARP Response is enabled and Proxy
ARP is disabled.

Before You Begin

To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context View
on page 3856. All parameters might not be available in non-default VRFs.

Procedure

1. In the Device Physical View tab, select a port.


2. In the navigation pane, expand: Configuration > Edit > Port.
3. Select IP.
4. Select the ARP tab.
5. In DoProxy, select enable to enable the Proxy ARP function.
6. In DoResp, select enable to configure the system to respond to an ARP. The default is enable.
7. Select Apply.
The ARP function is available only when the port or VLAN is routed; that is, it is assigned an IP
address.

ARP field descriptions


Use the data in the following table to use the ARP tab fields.

Name Description
DoProxy Configures the system to respond to an ARP request from a locally attached host or
end station for a remote destination. The default value is disable.
DoResp Configures the system to send ARP responses for this IP interface address. The default
value is enable.

Enable or Disable ARP on a VLAN


Use the following procedure to enable ARP at the VLAN level.

Procedure

1. In the navigation pane, expand Configuration > VLAN.


2. Select VLANs.
3. Select the Basic tab.
4. Select a VLAN.
5. Select IP.
6. Select the ARP tab.
7. In DoProxy, select enable to enable the Proxy ARP function.
8. In DoResp, select enable to configure the system to respond to an ARP. The default is enable.
9. Select Apply.
The ARP dialog box is available only if the port or VLAN is routed; that is, it is assigned an IP address.

ARP field descriptions


Use the data in the following table to use the ARP tab.

Name Description
DoProxy Configures the system to respond to an ARP request from a locally attached host or
end station for a remote destination. The default value is disable.
DoResp Configures the system to send ARP responses for this IP interface address. The default
value is enable.

View ARP Entries


You can view and manage known MAC address to IP address associations. In addition, you can create or
delete individual ARP entries. For information about how to create a static ARP entry, see Create Static
ARP Entries on page 313.

Before You Begin

To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context View
on page 3856. All parameters might not be available in non-default VRFs.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select IP.
3. Select the ARP tab.

ARP field descriptions


Use the data in the following table to use the ARP tab.

Name Description
NetAddress Specifies the IP address corresponding to the media-dependent physical address.
IfIndex Identifies the router interface for this ARP entry:
• Brouter interfaces are identified by the slot/port number of the brouter port.
• VLAN interfaces are identified by the VLAN name.

PhysAddress Specifies the media-dependent physical address (that is, the Ethernet address).
Type Specifies the type of ARP entry:
• local—a locally configured ARP entry
• static—a statically configured ARP entry
• dynamic—a learned ARP entry

TimeToLive Indicates the time to live where the ARP is configured.


DestIfIndex Indicates the slot/port on which the ARP entry was learned. For brouter
interfaces this is the same value as IfIndex, but for VLAN interfaces, it designates
the particular port in the VLAN on which the ARP was learned.
DestVlanId VLAN ID where the ARP is configured.
BMac Identifies the backbone MAC address if the entry is learned from an SPBM
network.
DestCvid Identifies the customer VLAN ID for a Switched UNI port.

Create Static ARP Entries


Use the following procedure to create a static ARP entry.

Before You Begin

To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context View
on page 3856. All parameters might not be available in non-default VRFs.

About This Task

Note
Static multicast ARP entries are not supported for NLB Unicast or NLB Multicast operations.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select IP.
3. Select the ARP tab.
4. Select Insert.
5. In NetAddress, type the IP address.
6. Select Port or Port in VLAN.
7. In the dialog box, select the interface.
8. Select OK.
9. In PhysAddress, type the MAC address.
10. Select Insert.


Configure ARP Proxy


With an ARP proxy, the switch can respond to an ARP request from a locally attached host or end
station for a remote destination. Proxy ARP does so by sending an ARP response back to the local host
with the MAC address of the router interface for the subnet on which the ARP request was received.
The reply is generated only if the system has an active route to the destination network.

Procedure

1. In the navigation pane, expand Configuration > VLAN.


2. Select VLANs.
3. Select the Basic tab.
4. Select a VLAN.
5. Select IP.
6. Select the ARP tab.
7. For DoProxy, select enable.
8. Select Apply.



Alternative Routes
Route Preference
Preferences for Static Routes
Preferences for Dynamic Routes
Alternative Route Configuration using CLI
Alternative Route Configuration using EDM
IPv6 Alternative Routes Configuration Example

Table 37: Alternative routes product support


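Feature                       Product           Release introduced
Alternative routes for IPv4   VSP 4450 Series   VSP 4000 4.0
Alternative routes for IPv4   VSP 4900 Series   VOSS 8.1
Alternative routes for IPv4   VSP 7200 Series   VOSS 4.2.1
Alternative routes for IPv4   VSP 7400 Series   VOSS 8.0
Alternative routes for IPv4   VSP 8200 Series   VSP 8200 4.0
Alternative routes for IPv4   VSP 8400 Series   VOSS 4.2
Alternative routes for IPv4   VSP 8600 Series   VSP 8600 4.5
Alternative routes for IPv4   XA1400 Series     VOSS 8.0.50
Alternative routes for IPv6   VSP 4450 Series   VOSS 5.1
Alternative routes for IPv6   VSP 4900 Series   VOSS 8.1
Alternative routes for IPv6   VSP 7200 Series   VOSS 5.1
Alternative routes for IPv6   VSP 7400 Series   VOSS 8.0
Alternative routes for IPv6   VSP 8200 Series   VOSS 5.1
Alternative routes for IPv6   VSP 8400 Series   VOSS 5.1
Alternative routes for IPv6   VSP 8600 Series   VSP 8600 6.2
Alternative routes for IPv6   XA1400 Series     Not Supported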

To avoid traffic interruption, you can globally enable the alternative routes feature so the router can use
the next-best route, also known as an alternative route, if the best route becomes unavailable.

Routers learn routes to a destination through routing protocols. Routers maintain a routing table of the
learned alternative routes sorted in order by route preference, route costs, and route sources. The first
route on the list is the best route and the route that the router prefers to use.


The alternative route concept also applies between routing protocols. For example, if an OSPFv3 route
becomes unavailable and an alternative RIPng route is available, the system activates the RIPng route
without waiting for the update interval to expire.

Route Preference
On the switch, all standard routing protocols have default preference values that determine the routing
priority of the protocol. The router uses default preferences to select the best route when a clash exists
in preference between the protocols.

You can modify the global preference for a protocol to give the protocol a higher or lower priority
than other protocols. If you change the global preference for a static route and all best routes remain
best routes, only the local route tables change. However, if the protocol preference change causes best
routes to no longer be best routes, the change affects neighboring route tables.

Important
Changing route preferences is a process-intensive operation that can affect system
performance and network reach while you perform route preference procedures. As a best
practice, if you want to change preferences for static routes or routing protocols, do so when
you configure routes or during a maintenance window.

If a router learns a route with the same network mask and cost values from multiple sources, the router
uses the route preferences to select the best route to add to the forwarding database.

Note
To modify the preference for a route, you do not need to disable a route before you edit the
configuration.

Preferences for Static Routes


When you configure a static route on the switch, you can specify a global preference for the route. You
can also specify an individual route preference that overrides the global static route preference. The
preference value can be between 0 and 255, with 0 reserved for local routes and 255 representing an
unreachable route.

Preferences for Dynamic Routes


You can modify the preference value for dynamic routes through route filtering and IP policies, and this
value overrides the global preference for the protocol.

The following table shows the default preferences for routing protocols and route types. Use this table
to help you modify the global preference value.

Table 38: Routing protocol default preferences


Protocol                 Default preference
Local                    0
Static                   5
SPBM_L1                  7
OSPF intra-area          20
OSPF inter-area          25
Exterior BGP             45
RIP/RIPng                100
OSPF external type 1     120
OSPF external type 2     125
IBGP                     175
Staticv6                 5
OSPFv3 intra-area        20
OSPFv3 inter-area        25
OSPFv3 external type 1   120
OSPFv3 external type 2   125

Alternative Route Configuration using CLI

Enable IPv4 Alternative Routes


About This Task

The default value is enabled. If you disable the alternative-route parameter, all existing alternative routes
are removed. After you enable the parameter, all alternative routes are re-added.

Procedure

1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF
context:
enable

configure terminal

Optional: router vrf WORD<1-16>


2. Activate the alternative route feature globally:
ip alternative-route

Enable IPv6 Alternative Routes


Use this procedure to enable IPv6 alternative routes and view the configuration on the switch.


Procedure
1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF
context:
enable

configure terminal

Optional: router vrf WORD<1-16>


2. Enable IPv6 alternative routes:
ipv6 alternative-route

Note
IPv6 alternative routes are enabled by default.

3. Verify the configuration of the IPv6 alternative route:


show ipv6 global [vrf WORD<1-16> | vrfids WORD<0-512>]

show ipv6 route alternative [vrf WORD<1-16> | vrfids WORD<0-512>]

Example:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf globalRouter
Switch:1(router-vrf)#ipv6 alternative-route

Switch:1#show ipv6 global


================================================================================
IPv6 Global Information - GlobalRouter
================================================================================
forwarding : enable
default-hop-cnt : 64
number-of-interfaces : 0
icmp-error-interval : 1000
icmp-error-quota : 50
icmp-unreach-msg : disable
icmp-addr-unreach-msg : enable
icmp-port-unreach-msg : enable
icmp-echo-multicast-request : enable
icmp-drop-fragments : disable
static-route-admin-status : enable
alternative-route : enable
ecmp : disable
ecmp-max-path : 1
source-route : disable
host-autoconfig : disable
Switch:1#show ipv6 route alternative

========================================================================================================================
IPv6 Routing Table Information - GlobalRouter
========================================================================================================================
Destination Address/PrefixLen NEXT HOP NH VRF/ISID VID/BID/TID PROTO COST AGE TYPE PREF
------------------------------------------------------------------------------------------------------------------------
2910:0:0:1:0:0:0:0/64 fe80:0:0:0:b2ad:aaff:fe42:dd00 V-3 OSPF 2 0 B 20
2912:0:0:1:0:0:0:0/64 0:0:0:0:0:0:0:0 V-1001 LOCAL 1 0 B 0
2912:0:0:1:0:0:0:0/64 0:0:0:0:0:0:0:0 T-10 BGP 1 0 A 45
3000:0:0:1:0:0:0:0/64 0:0:0:0:0:0:0:0 V-3 LOCAL 1 0 B 0
4001:0:0:1:0:0:0:0/64 0:0:0:0:0:0:0:0 T-10 LOCAL 1 0 B 0
5910:0:0:1:0:0:0:0/64 0:0:0:0:0:0:0:0 T-10 BGP 1 0 B 45
5910:0:0:1:0:0:0:0/64 fe80:0:0:0:b2ad:aaff:fe42:dd00 V-3 OSPF 2 0 A 120
5910:0:0:2:0:0:0:0/64 0:0:0:0:0:0:0:0 T-10 BGP 1 0 B 45
5910:0:0:2:0:0:0:0/64 fe80:0:0:0:b2ad:aaff:fe42:dd00 V-3 OSPF 2 0 A 120
------------------------------------------------------------------------------------------------------------------------

13 out of 13 Total Num of Route Entries displayed.

------------------------------------------------------------------------------------------------------------------------

TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Alternative Route Configuration using EDM

Enable IPv4 Alternative Routes


Enable the alternative routes feature so that you can subsequently enable it on interfaces.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.

Procedure

1. In the navigation tree, expand Configuration > IP.


2. Select IP.
3. Select the Globals tab.
4. Select AlternativeEnable.
If the AlternativeEnable parameter is disabled, all existing alternative routes are removed. After you
enable the parameter, all alternative routes are re-added.
5. Select Apply.

Enable IPv6 Alternative Routes


To avoid traffic interruption, enable alternative routes on the switch so that the next-best route
replaces the best route if the best route becomes unavailable. By default, this feature is enabled.

Before You Begin

To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context View
on page 3856. All parameters might not be available in non-default VRFs.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select IPv6.
3. Select the Globals tab.
4. To enable IPv6 alternative routes, select AlternativeRouteEnable.


5. Select Apply.

IPv6 Alternative Routes Configuration Example


To avoid traffic interruption, you can enable alternative routes globally to replace the best route with the
next-best route, if the best route becomes unavailable.

The concept of alternative route applies between routing protocols. For example, if an OSPFv3 route
becomes unavailable and an alternative RIPng route is available, the system activates the RIPng route
immediately without waiting for an update interval to expire.

By default, the alternative routes feature is globally enabled on the switch.

The following example demonstrates this behavior.

In this example, you configure OSPFv3 and RIPng routes on two switches, Switch-1 and Switch-2, as
shown in the following figure.

Configuration on Switch-1
VLAN configuration:

On Switch-1, configure VLAN 2 and the IPv6 interface address 2000:0:0:0:0:0:0:1/64.


Switch1:1:1>enable
Switch1:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch1:1(config)#vlan create 2 type port-mstprstp 0


Switch1:1(config)#vlan members 2 4/5
Switch1:1(config)#interface vlan 2
Switch1:1(config-if)#ipv6 interface address 2000:0:0:0:0:0:0:1/64
Switch1:1(config-if)#ipv6 interface enable
Switch1:1(config-if)#exit
Switch1:1(config)#show vlan basic

=======================================================================================
Vlan Basic
=======================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
---------------------------------------------------------------------------------------
1 Default byPort 0 none N/A N/A 0
2 VLAN-2 byPort 0 none N/A N/A 0


All 2 out of 2 Total Num of Vlans displayed


Switch1:1>show vlan members
==========================================================================
Vlan Port

==========================================================================
VLAN PORT ACTIVE STATIC NOT_ALLOW
ID MEMBER MEMBER MEMBER MEMBER
--------------------------------------------------------------------------
1 1/1-1/16,1/17/1- 1/1-1/16,1/17/1-
1/17/4,1/18/1- 1/17/4,1/18/1-
1/18/4,2/1-2/16, 1/18/4,2/1-2/16,
2/17/1-2/17/4, 2/17/1-2/17/4,
2/18/1-2/18/4,3/1- 2/18/1-2/18/4,3/1-
3/6,4/1-4/4,4/6 3/6,4/1-4/4,4/6

2 4/5 4/5

All 2 out of 2 Total Num of Port Entries displayed


Switch1:1(config)#show ipv6 interface vlan 2

=================================================================================================================
Vlan Ipv6 Interface
=================================================================================================================
IFINDX VLAN PHYSICAL ADMIN OPER TYPE MTU HOP REACHABLE RETRANSMIT MCAST IPSEC RPC RPCMODE
INDX ADDRESS STATE STATE LMT TIME TIME STATUS
-----------------------------------------------------------------------------------------------------------------
2050 2 b0:ad:aa:4e:59:00 enable up ETHER 1500 64 30000 1000 disable disable disable existonly

=================================================================================================================
Vlan Ipv6 Address

=================================================================================================================
IPV6 ADDRESS VLAN-ID TYPE ORIGIN STATUS
-----------------------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 V-2 UNICAST MANUAL PREFERRED
fe80:0:0:0:b2ad:aaff:fe4e:5900/64 V-2 UNICAST LINKLAYER PREFERRED

1 out of 1 Total Num of Interface Entries displayed.


2 out of 2 Total Num of Address Entries displayed.

Port configuration:
Switch1:1(config)#interface gigabitEthernet 4/5
Switch1:1(config-if)#encapsulation dot1q
Switch1:1(config-if)#no shutdown
Switch1:1(config-if)#exit

IPv6 global configuration:


Switch1:1(config)#ipv6 forwarding

Switch1:1(config)#show ipv6 forwarding


Ipv6 forwarding - GlobalRouter : enable
ecmp : disable
ecmp-max-path : 1


IPv6 OSPFv3 VLAN configuration:


Switch1:1(config)#interface vlan 2
Switch1:1(config-if)#ipv6 ospf area 0.0.0.0
Switch1:1(config-if)#ipv6 ospf enable

Switch1:1(config-if)#show ipv6 ospf interface vlan 2


admin-status : enable
area : 0.0.0.0
dead-interval : 40
hello-interval : 10
metric : 1
poll-interval : 120
priority : 1
retransmit-interval : 5
transit-delay : 1
type : BROADCAST

IPv6 OSPFv3 router configuration:


Switch1:1(config-if)#exit
Switch1:1(config)#router ospf ipv6-enable
Switch1:1(config)#show ipv6 ospf

==================================================================================
OSPFv3 Global Information - GlobalRouter

==================================================================================
router-id : 170.78.88.0
admin-state : ENABLED
version : 3
area-bdr-rtr-state : FALSE
as-bdr-rtr-state : FALSE
helper-mode : ENABLED
as-scope-lsa-count : 0
lsa-checksum : 0
originate-new-lsas : 22
rx-new-lsas : 11
ext-lsa-count : 0
Switch1:1(config)#show ipv6 ospf neighbor

=======================================================================================
OSPF Neighbor - GlobalRouter

=======================================================================================
IFINDX(VID/BRT) NBRROUTERID NBRIPADDR STATE TTL
---------------------------------------------------------------------------------------
2050 (2) 170.78.84.0 fe80:0:0:0:b2ad:aaff:fe4e:5500 Full 31

1 out of 1 Total Num of Neighbor Entries displayed.

=======================================================================================
OSPF Virtual Neighbor - GlobalRouter

=======================================================================================
NBRAREAID NBRROUTERID VIRTINTFID NBRIPV6ADDR STATE
---------------------------------------------------------------------------------------

0 out of 0 Total Num of Virtual Neighbor Entries displayed.

=======================================================================================
OSPF NBMA Neighbor - GlobalRouter

=======================================================================================


INTERFACE NBRROUTERID NBRIPADDR STATE

---------------------------------------------------------------------------------------

0 out of 0 Total Num of NBMA Neighbor Entries displayed.

H = Helping a Restarting neighbor

Switch1:1(config-if)#exit

IPv6 RIPng configuration on VLAN:


Switch1:1(config)#interface vlan 2
Switch1:1(config-if)#ipv6 rip
Switch1:1(config-if)#ipv6 rip enable
Switch1:1(config-if)#show ipv6 rip interface

Total RIPng interfaces: 1

================================================================================
RIPng Interface - GlobalRouter

================================================================================
IFINDX COST POISON SEND ADMIN OPER
STATUS DEFAULT STATUS STATUS
--------------------------------------------------------------------------------
2050 (2 ) 1 disable disable enable enable

1 out of 1 Total Num of RIPng interfaces displayed

IPv6 RIPng global router configuration:


Switch1:1(config)#router rip ipv6-enable
Switch1:1(config)#router rip
Switch1:1(config)#show ipv6 rip

==========================================================================
RIPng Global - GlobalRouter

===========================================================================
Rip : Enabled
HoldDown Time : 120
Timeout Interval : 180
Update Time : 30
Default Info Metric : 1
Default Info State : Disabled
Default Import Metric : 1

Configuration on Switch-2
On Switch-2, configure VLAN 2 and VLAN 3 with the IPv6 interfaces 2000:0:0:0:0:0:0:2/64 and
3000:0:0:0:0:0:0:2/64 respectively.


VLAN configuration:
Switch2:1>enable
Switch2:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch2:1(config)#vlan create 2 type port-mstprstp 0


Switch2:1(config)#vlan members 2 4/5 portmember
Switch2:1(config)#interface vlan 2

Switch2:1(config-if)#ipv6 interface address 2000:0:0:0:0:0:0:2/64


Switch2:1(config-if)#ipv6 interface enable
Switch2:1(config-if)#ipv6 forwarding
Switch2:1(config-if)#exit
Switch2:1(config)#vlan create 3 type port-mstprstp 0
Switch2:1(config)#vlan members 3 4/6 portmember
Switch2:1(config)#interface vlan 3

Switch2:1(config-if)#ipv6 interface address 3000:0:0:0:0:0:0:2/64


Switch2:1(config-if)#ipv6 interface enable
Switch2:1(config-if)#ipv6 forwarding
Switch2:1(config-if)#exit
Switch2:1(config)#show vlan basic

===================================================================================
Vlan Basic
===================================================================================
VLAN MSTP
ID NAME TYPE INST_ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
-----------------------------------------------------------------------------------
1 Default byPort 0 none N/A N/A 0
2 VLAN-2 byPort 0 none N/A N/A 0
3 VLAN-3 byPort 0 none N/A N/A 0

All 3 out of 3 Total Num of Vlans displayed


Switch2:1(config)#show vlan members

=======================================================================
Vlan Port

========================================================================
VLAN PORT ACTIVE STATIC NOT_ALLOW
ID MEMBER MEMBER MEMBER MEMBER
------------------------------------------------------------------------
1 1/1-1/16,1/17/1- 1/1-1/16,1/17/1-
1/17/4,1/18/1- 1/17/4,1/18/1-
1/18/4,2/1-2/16, 1/18/4,2/1-2/16,
2/17/1-2/17/4, 2/17/1-2/17/4,
2/18/1-2/18/4,3/1- 2/18/1-2/18/4,3/1-
3/6,4/1-4/4 3/6,4/1-4/4

2 4/5 4/5

3 4/6 4/6

All 3 out of 3 Total Num of Port Entries displayed


Switch2:1(config)#show ipv6 interface vlan

==================================================================================================================
Vlan Ipv6 Interface
==================================================================================================================
IFINDX VLAN PHYSICAL ADMIN OPER TYPE MTU HOP REACHABLE RETRANSMIT MCAST IPSEC RPC RPCMODE


INDX ADDRESS STATE STATE LMT TIME TIME STATUS


------------------------------------------------------------------------------------------------------------------
2050 2 b0:ad:aa:4e:55:00 enable up ETHER 1500 64 30000 1000 disable disable disable existonly
2051 3 b0:ad:aa:4e:55:01 enable up ETHER 1500 64 30000 1000 disable disable disable existonly

===================================================================================================================
Vlan Ipv6 Address

===================================================================================================================
IPV6 ADDRESS VLAN-ID TYPE ORIGIN STATUS
-------------------------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:2/64 V-2 UNICAST MANUAL PREFERRED
fe80:0:0:0:b2ad:aaff:fe4e:5500/64 V-2 UNICAST LINKLAYER PREFERRED
3000:0:0:0:0:0:0:2/64 V-3 UNICAST MANUAL PREFERRED
fe80:0:0:0:b2ad:aaff:fe4e:5501/64 V-3 UNICAST LINKLAYER PREFERRED

2 out of 2 Total Num of Interface Entries displayed.


4 out of 4 Total Num of Address Entries displayed.

Port configuration:
Switch2:1(config)#interface GigabitEthernet 4/5
Switch2:1(config-if)#encapsulation dot1q
Switch2:1(config-if)#no shutdown
Switch2:1(config-if)#exit

Switch2:1(config)#interface GigabitEthernet 4/6
Switch2:1(config-if)#encapsulation dot1q
Switch2:1(config-if)#no shutdown
Switch2:1(config-if)#exit

IPv6 global configuration:


Switch2:1(config)#ipv6 forwarding

Switch2:1(config)#show ipv6 forwarding


Ipv6 forwarding - GlobalRouter : enable
ecmp : disable
ecmp-max-path : 1

IPv6 OSPFv3 VLAN configuration:


Switch2:1(config)#interface vlan 2
Switch2:1(config-if)#ipv6 ospf area 0.0.0.0
Switch2:1(config-if)#ipv6 ospf enable

Switch2:1(config)#interface vlan 3
Switch2:1(config-if)#ipv6 ospf area 0.0.0.0
Switch2:1(config-if)#ipv6 ospf enable
Switch2:1(config-if)#show ipv6 ospf

=================================================================================
OSPFv3 Global Information - GlobalRouter

=================================================================================
router-id : 170.78.84.0
admin-state : ENABLED
version : 3
area-bdr-rtr-state : FALSE
as-bdr-rtr-state : FALSE
helper-mode : ENABLED
as-scope-lsa-count : 0
lsa-checksum : 0
originate-new-lsas : 56


rx-new-lsas : 62
ext-lsa-count : 0
Switch2:1(config-if)#show ipv6 ospf interface

Total ospf areas: 1

Total ospf interfaces: 2

==================================================================================
OSPF Interface - GlobalRouter

==================================================================================
IFINDX(VID/BRT) AREAID ADM IFSTATE METRIC PRI DR/BDR IFTYPE
----------------------------------------------------------------------------------
2050 (2 ) 0.0.0.0 ena BDR 1 1 170.78.88.0 BROADCAST
170.78.84.0
2051 (3 ) 0.0.0.0 ena DR 1 1 170.78.84.0 BROADCAST
0.0.0.0

2 out of 2 Total Num of ospf interfaces displayed

Total ospf virtual interfaces: 0

==================================================================================
OSPF Virtual Interface - GlobalRouter

==================================================================================

AREAID NBRIPADDR STATE

----------------------------------------------------------------------------------

0 out of 0 Total Num of ospf virtual interfaces displayed


Switch2:1(config-if)#show ipv6 ospf neighbor

==================================================================================
OSPF Neighbor - GlobalRouter

==================================================================================
IFINDX(VID/BRT) NBRROUTERID NBRIPADDR STATE TTL
----------------------------------------------------------------------------------
2050 (2) 170.78.88.0 fe80:0:0:0:b2ad:aaff:fe4e:5900 Full 30

1 out of 1 Total Num of Neighbor Entries displayed.

===================================================================================
OSPF Virtual Neighbor - GlobalRouter

===================================================================================
NBRAREAID NBRROUTERID VIRTINTFID NBRIPV6ADDR STATE
-----------------------------------------------------------------------------------

0 out of 0 Total Num of Virtual Neighbor Entries displayed.

===================================================================================
OSPF NBMA Neighbor - GlobalRouter

===================================================================================

INTERFACE NBRROUTERID NBRIPADDR STATE

------------------------------------------------------------------------------------


0 out of 0 Total Num of NBMA Neighbor Entries displayed.

H = Helping a Restarting neighbor

IPv6 OSPFv3 global router configuration:


Switch2:1(config-if)#exit
Switch2:1(config)#router ospf ipv6-enable
Switch1:1(config)#show ipv6 ospf

=====================================================================================
OSPFv3 Global Information - GlobalRouter

=====================================================================================
router-id : 170.78.88.0
admin-state : ENABLED
version : 3
area-bdr-rtr-state : FALSE
as-bdr-rtr-state : FALSE
helper-mode : ENABLED
as-scope-lsa-count : 0
lsa-checksum : 0
originate-new-lsas : 22
rx-new-lsas : 11
ext-lsa-count : 0

IPv6 RIPng configuration:


Switch2:1(config)#interface vlan 2
Switch2:1(config-if)#ipv6 rip
Switch2:1(config-if)#ipv6 rip enable
Switch2:1(config-if)#exit

Switch2:1(config)#interface vlan 3
Switch2:1(config-if)#ipv6 rip
Switch2:1(config-if)#ipv6 rip enable
Switch2:1(config-if)#exit
Switch2:1(config)#
Switch2:1(config)#show ipv6 rip interface

Total RIPng interfaces: 2

========================================================================
RIPng Interface - GlobalRouter

========================================================================
IFINDX COST POISON SEND ADMIN OPER
STATUS DEFAULT STATUS STATUS
-------------------------------------------------------------------------
2050 (2 ) 1 disable disable enable enable
2051 (3 ) 1 disable disable enable enable

2 out of 2 Total Num of RIPng interfaces displayed

IPv6 RIPng global router configuration:


Switch2:1(config)#router rip ipv6-enable
Switch2:1(config)#router rip

Switch2:1(config)#show ipv6 rip


=============================================================
RIPng Global - GlobalRouter

==============================================================
Rip : Enabled
HoldDown Time : 120
Timeout Interval : 180
Update Time : 30
Default Info Metric : 1
Default Info State : Disabled
Default Import Metric : 1

Viewing route and alternative route configuration on the switches


On Switch-1 and Switch-2, the route 3000:0:0:0:0:0:0:2/64 is learned using the protocols RIPng
and OSPFv3. The OSPFv3 route is selected as the best route because of its route preference value of
20. The RIPng route is added as an alternative route because its route preference of 100 is greater
than the OSPFv3 route preference of 20. On Switch-2, the route 3000:0:0:0:0:0:0:2/64 is a local
route.

Viewing route and alternative route configuration on Switch-1:


Switch1:1(config)#show ipv6 route alternative

====================================================================================================
IPv6 Routing Table Information - GlobalRouter
====================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
----------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 B 20
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 RIP 2 0 A 100
----------------------------------------------------------------------------------------------------

4 out of 4 Total Num of Route Entries displayed.


----------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Switch1:1(config)#show ipv6 route

===================================================================================================
IPv6 Routing Table Information - GlobalRouter
===================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
---------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 B 20
---------------------------------------------------------------------------------------------------

3 out of 3 Total Num of Route Entries displayed.


---------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Viewing route and alternative route configuration on Switch-2:


Switch2:1(config)#show ipv6 route alternative

======================================================================================================
IPv6 Routing Table Information - GlobalRouter
======================================================================================================


Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
------------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:2/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 LOCAL 2 0 B 20
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 LOCAL 2 0 A 100
------------------------------------------------------------------------------------------------------

4 out of 4 Total Num of Route Entries displayed.


------------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Switch2:1#show ipv6 route

==========================================================================================
IPv6 Routing Table Information - GlobalRouter
==========================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:2/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 0:0:0:0:0:0:0:0 V-3 LOCAL 1 0 B 20
------------------------------------------------------------------------------------------

4 out of 4 Total Num of Route Entries displayed.


------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Changing the route preference on Switch-1


On the switch, default preferences are assigned to all standard routing protocols. You can modify the
global preference for a protocol to give it a higher or lower priority than other protocols. When you
change the preference for a static route, if all best routes remain best routes, only the local route tables
change. However, if changing the protocol preference causes best routes to no longer be best routes,
neighboring route tables can be affected.

In the following example scenario, you configure a different routing preference for the RIPng protocol
on Switch-1 and observe the learning of best and alternative routes. The existing route preference for
RIPng is 100.
Switch1:1#show ipv6 route alternative

========================================================================================================
IPv6 Routing Table Information - GlobalRouter
========================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
--------------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 B 20
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 RIP 2 0 A 100
--------------------------------------------------------------------------------------------------------

4 out of 4 Total Num of Route Entries displayed.


--------------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Switch1:1(config)#show ipv6 route

===================================================================================================
IPv6 Routing Table Information - GlobalRouter
===================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
---------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 B 20
---------------------------------------------------------------------------------------------------

3 out of 3 Total Num of Route Entries displayed.


---------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Configure a different route preference for the RIPng protocol, for example, 19:
Switch1:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1:1(config)#ipv6 route preference protocol ripng 19
Switch1:1(config)#exit

Verify the route preference configuration:


Switch1:1#show ipv6 route preference

========================================================================================
IPv6 Route Preference - GlobalRouter

========================================================================================
PROTOCOL DEFAULT CONFIG
----------------------------------------------------------------------------------------
LOCAL 0 0
STATIC 5 5
SPBM_L1 7 7
OSPFv3_INTRA 20 20
OSPFv3_INTER 25 25
EBGP 45 45
RIPNG 100 19
OSPFv3_E1 120 120
OSPFv3_E2 125 125
IBGP 175 175

View the updated route preference (for RIPng) on Switch-1. The RIPng route is now learnt as the best
route because its route preference value (19) is lower than that of OSPFv3 (20), as shown below.
Switch1:1(config)#show ipv6 route

===================================================================================================
IPv6 Routing Table Information - GlobalRouter
===================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
---------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 RIP 2 0 B 19
---------------------------------------------------------------------------------------------------

3 out of 3 Total Num of Route Entries displayed.


---------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Switch1:1#show ipv6 route alternative

===========================================================================================================
IPv6 Routing Table Information - GlobalRouter
===========================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
-----------------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 RIP 2 0 B 19
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 A 20
-----------------------------------------------------------------------------------------------------------

4 out of 4 Total Num of Route Entries displayed.


-----------------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route
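
Because a single preference change can alter which protocol's routes forward traffic, it is worth auditing the preference table for overrides and confirming that the TYPE column follows the lowest-preference-wins rule. The following Python is an added example, not part of the original guide or of VOSS; the sample rows are copied from the outputs above, and the function names are illustrative.

```python
import re

# Constructed input: rows copied from the "show ipv6 route preference" and
# "show ipv6 route alternative" outputs shown above.
PREFERENCE_ROWS = """\
PROTOCOL DEFAULT CONFIG
LOCAL 0 0
STATIC 5 5
SPBM_L1 7 7
OSPFv3_INTRA 20 20
OSPFv3_INTER 25 25
EBGP 45 45
RIPNG 100 19
OSPFv3_E1 120 120
OSPFv3_E2 125 125
IBGP 175 175
"""

ROUTE_ROWS = """\
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 RIP 2 0 B 19
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 A 20
"""

PREF_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
ROUTE_RE = re.compile(
    r"^(\S+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([ABE])\s+(\d+)$")


def parse_preferences(text):
    """Return {protocol: (default, configured)}; the header row is skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return prefs


def changed_from_default(prefs):
    """Protocols whose configured preference is not the default."""
    return sorted(p for p, (default, config) in prefs.items() if default != config)


def rank_inversions(prefs):
    """(winner, loser) pairs: winner lost by default but wins as configured."""
    pairs = []
    for a, (da, ca) in prefs.items():
        for b, (db, cb) in prefs.items():
            if da > db and ca < cb:
                pairs.append((a, b))
    return pairs


def parse_routes(text):
    """Return one dict per route row (destination, protocol, TYPE, PREF)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dest, _nh, _vid, proto, _cost, _age, rtype, pref = m.groups()
            routes.append({"dest": dest, "proto": proto,
                           "type": rtype, "pref": int(pref)})
    return routes


def type_mismatches(routes):
    """Rows whose TYPE disagrees with 'lowest preference value is best'."""
    lowest = {}
    for r in routes:
        lowest[r["dest"]] = min(lowest.get(r["dest"], r["pref"]), r["pref"])
    bad = []
    for r in routes:
        # Lowest preference may show as B (best) or E (ECMP); others must be A.
        allowed = {"B", "E"} if r["pref"] == lowest[r["dest"]] else {"A"}
        if r["type"] not in allowed:
            bad.append((r["dest"], r["proto"], r["type"]))
    return bad


if __name__ == "__main__":
    prefs = parse_preferences(PREFERENCE_ROWS)
    print("Overridden:", changed_from_default(prefs))
    print("Rank inversions:", rank_inversions(prefs))
    print("TYPE mismatches:", type_mismatches(parse_routes(ROUTE_ROWS)))
```
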

Disable alternative route learning on Switch-1


The following example demonstrates disabling alternative route learning on Switch-1.

View the alternative routes on Switch-1.


Switch1:1(config)#show ipv6 route alternative

=======================================================================================================
IPv6 Routing Table Information - GlobalRouter
=======================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
-------------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 B 20
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 RIP 2 0 A 100
-------------------------------------------------------------------------------------------------------

4 out of 4 Total Num of Route Entries displayed.


-------------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Disable IPv6 alternative routes on Switch-1.


Switch1:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1:1(config)#no ipv6 alternative-route
Switch1:1(config)#exit

Verify that alternative route learning is disabled.


Switch1:1#show ipv6 global
forwarding : enable
default-hop-cnt : 64
number-of-interfaces : 1
icmp-error-interval : 1000
icmp-error-quota : 50
icmp-unreach-msg : disable
icmp-echo-multicast-request : enable
static-route-admin-status : enable
alternative-route : disable
ecmp : disable
ecmp-max-path : 1
source-route : disable
Switch1:1(config)#show ipv6 route

===================================================================================================
IPv6 Routing Table Information - GlobalRouter
===================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
---------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 B 20
---------------------------------------------------------------------------------------------------

3 out of 3 Total Num of Route Entries displayed.


---------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Note that the alternative route (RIPng) is not learnt.


Switch1:1(config)#show ipv6 route alternative

======================================================================================================
IPv6 Routing Table Information - GlobalRouter
======================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
------------------------------------------------------------------------------------------------------
2000:0:0:0:0:0:0:1/64 0:0:0:0:0:0:0:0 V-2 LOCAL 1 0 B 0
3000:0:0:0:0:0:0:2/64 fe80:0:0:0:b2ad:aaff:fe4e:5500 V-2 OSPF 2 0 B 20
------------------------------------------------------------------------------------------------------

3 out of 3 Total Num of Route Entries displayed.


------------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Application Telemetry
How Application Telemetry Works
Common Elements Between sFlow and Application Telemetry
Operational Considerations and Restrictions
Configuration Overview
Host Monitoring
Application Telemetry Configuration Using CLI
Application Telemetry Configuration Using EDM

Table 39: Application Telemetry product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| Application Telemetry | VSP 4450 Series | VOSS 7.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 7.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 7.1 |
| | VSP 8400 Series | VOSS 7.1 |
| | VSP 8600 Series | VSP 8600 6.2 |
| | XA1400 Series | Not Supported |
| Application Telemetry Host Monitoring | VSP 4450 Series | VOSS 8.0.5 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 8.0.5 |
| | VSP 7400 Series | VOSS 8.0.5 |
| | VSP 8200 Series | VOSS 8.0.5 |
| | VSP 8400 Series | VOSS 8.0.5 |
| | VSP 8600 Series | VSP 8600 8.0 |
| | XA1400 Series | Not Supported |

Extreme Networks offers two Analytics solutions that monitor traffic on your network:
• sFlow
• Application Telemetry

Important
You can use sFlow alone or sFlow together with Application Telemetry; the two can coexist on a
switch. Note that to enable Application Telemetry, you must enable sFlow first.

In both solutions, the switch collects flow information and sends it to a central server that processes the
information and provides statistical data in the form of reports. Then you can use Extreme Management
Center or ExtremeCloud IQ - Site Engine to analyze the reports to give you a full understanding of
the applications on your network and learn who is using those applications. Extreme Management
Center or ExtremeCloud IQ - Site Engine also provides information such as DoS tracking, security
monitoring, and statistics for protocols, ports, and applications.

This section describes how Application Telemetry works and how to configure it. Because there is some
commonality between the two features, this section also describes some sFlow features.

For further information about sFlow, see sFlow Fundamentals.

For more information about Extreme Management Center or ExtremeCloud IQ - Site Engine, see
the documentation on the Extreme Networks Documentation portal (www.extremenetworks.com/
documentation/) with special attention to the Application Analytics User Guide.

How Application Telemetry Works


Both sFlow and Application Telemetry mirror packets to a server for deep packet inspection, but they
collect streams in different ways:
• sFlow samples 1 out of n packets to create flow streams. This methodology achieves scalability and
applies to high speed networks, but it provides limited application visibility.
• Unlike sFlow, Application Telemetry does not sample packets; it monitors all traffic and uses
policy rules to filter packets for analysis. This pattern matching methodology enables Application
Telemetry to monitor all application-level traffic flows at wire speed on all interfaces simultaneously.

The policy rules that Application Telemetry uses are ACL and ACE filters that are pre-configured in a
policy configuration file called sflow.pol. This policy file is not user configurable. These rules enable
the switch to recognize several signatures that represent a combination of the following:
• IP protocol type (TCP/UDP)
• TCP flags
• Layer 4 port numbers
• data patterns (defined as offset/data/mask triplets)

Pattern matching enables Application Telemetry to target very specific, well-defined packets in each
flow and not full streams of traffic. Thus, the switch mirrors only relatively few packets to the Analytics
Engine. It is the Analytics Engine that performs deep packet inspection to create reports of statistical
data.
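
To make the signature elements concrete, the following Python matches constructed packets against rules built from protocol, TCP flags, Layer 4 port, and offset/data/mask triplets, and compares the result with 1-in-n sampling of the same flow. It is an added example, not part of the original guide: the rule layout, the two rule definitions, and the choice to count offsets from the start of the TCP payload are assumptions, because the contents and syntax of sflow.pol are not shown here, and the fixed every-nth sampling is a simplification of sFlow sampling.

```python
import struct

TCP = 6
SYN, PSH, ACK = 0x02, 0x08, 0x10

# Hypothetical rules (not the contents of sflow.pol). Offsets are assumed to
# count from the first byte of the TCP payload.
RULES = [
    {"name": "ssh", "proto": TCP, "dport": 22,
     "flags_set": ACK, "flags_clear": SYN,
     "triplets": [(0, b"SSH-", b"\xff\xff\xff\xff")]},
    {"name": "sslclient", "proto": TCP, "dport": 443,
     "flags_set": ACK, "flags_clear": SYN,
     # TLS handshake record (0x16), major version 3, any minor version,
     # then handshake type ClientHello (0x01) at payload offset 5.
     "triplets": [(0, b"\x16\x03\x00", b"\xff\xff\x00"), (5, b"\x01", b"\xff")]},
]


def build_tcp_packet(dport, flags, payload=b"", sport=40000):
    """Constructed IPv4/TCP packet; checksums are left at zero (test input)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (5 << 12) | flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp + payload


def parse_packet(packet):
    """Extract the fields a rule inspects, or None if the packet is not TCP."""
    if len(packet) < 20 or packet[9] != TCP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 20:
        return None
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    (off_flags,) = struct.unpack("!H", packet[ihl + 12:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return {"proto": TCP, "dport": dport, "flags": off_flags & 0x1FF,
            "payload": packet[ihl + data_off:]}


def triplets_match(payload, triplets):
    """True if every (offset, data, mask) triplet matches the payload."""
    for offset, data, mask in triplets:
        window = payload[offset:offset + len(data)]
        if len(window) < len(data):
            return False          # payload too short to hold the pattern
        if any((w & m) != (d & m) for w, d, m in zip(window, data, mask)):
            return False
    return True


def classify(packet):
    """Return the name of the first rule the packet matches, else None."""
    f = parse_packet(packet)
    if f is None:
        return None
    for rule in RULES:
        if (f["proto"] == rule["proto"] and f["dport"] == rule["dport"]
                and (f["flags"] & rule["flags_set"]) == rule["flags_set"]
                and (f["flags"] & rule["flags_clear"]) == 0
                and triplets_match(f["payload"], rule["triplets"])):
            return rule["name"]
    return None


def constructed_tls_flow(data_packets=97):
    """Handshake start followed by application-data records (constructed)."""
    client_hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
    app_data = b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef"
    return ([build_tcp_packet(443, SYN), build_tcp_packet(443, ACK),
             build_tcp_packet(443, PSH | ACK, client_hello)]
            + [build_tcp_packet(443, PSH | ACK, app_data)] * data_packets)


def mirrored_by_rules(flow):
    """Indexes of the packets a rule match would mirror."""
    return [i for i, pkt in enumerate(flow) if classify(pkt)]


def sampled_one_in_n(flow, n):
    """Indexes picked by taking every nth packet (simplified sampling)."""
    return list(range(n - 1, len(flow), n))


if __name__ == "__main__":
    flow = constructed_tls_flow()
    print("mirrored by rules:", mirrored_by_rules(flow))
    print("sampled 1 in 10:  ", sampled_one_in_n(flow, 10))
```
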

Important
When you enable Application Telemetry, the switch loads the filter rules based on the logic
below:
• Application Telemetry uses the apptelemetry.pol or the sflow.pol file because the
filter rules can exist in either file. The sflow.pol file is the default file and is included
with the image that is loaded on the switch. This file contains the default filter rules.
The apptelemetry.pol file is the user-defined file, which can be updated by the
ExtremeCloud IQ ‑ Site Engine. To use this file, configure Application Telemetry using the
ExtremeCloud IQ ‑ Site Engine. When you run the Application Telemetry LiveUpdate script
from ExtremeCloud IQ ‑ Site Engine, the updated apptelemetry.pol file is placed
in /intflash/.
• When you enable Application Telemetry, the feature uses the files in the following order:
◦ If the user-defined file (apptelemetry.pol) exists, then the switch loads the rules
from this file.
◦ If the apptelemetry.pol file does not exist or if there is a problem reading this file,
then the switch uses the default sflow.pol file.

Common Elements Between sFlow and Application Telemetry


sFlow and Application Telemetry send mirrored packets from a common source to a common
destination. sFlow sends samples directly to the destination, while Application Telemetry sends
mirrored packets through a GRE tunnel, to the same destination.

The tunnel source is the switch that you want to monitor:


• sFlow sends sampled flows.
• Application Telemetry sends packets that match its policy rules.

Both sFlow and Application Telemetry use an agent to package either the sFlow streams or the
Application Telemetry packets. To configure the agent, they both use the sflow agent-ip
command.

Note
The switch sends only one mirrored copy, even if the packet matches two or more policies.
For information on which mirrored copies take precedence, see Configuration considerations.

The tunnel destination for the mirrored traffic is a server where software performs a deep packet
inspection of the mirrored traffic.
• sFlow sends flow and counter samples as datagrams to the sFlow Collector.
• Application Telemetry sends packets that match the policy rules over a GRE tunnel to the Analytics
Engine.

To configure the tunnel destination, they both use the sflow collector <1–2> command.

Important
You can configure two Collectors, but Application Telemetry uses Collector 1 only. You must
configure Collector 1 before you enable Application Telemetry.

Operational Considerations and Restrictions


The following section describes operational considerations for deploying Application Telemetry,
including general considerations, followed by a summary of platform-specific considerations.

General Considerations
The following list describes general Application Telemetry operational considerations:
• When you enable Application Telemetry, it is globally enabled on all ports. You cannot disable the
feature on a per-port basis.
• Application Telemetry supports IPv4 and IPv6 packets, although host monitoring is available for
IPv4 hosts only.
• Application Telemetry filter rules are not user configurable. However, an updated app-
telemetry.pol file can be installed through the ExtremeCloud IQ ‑ Site Engine.
• If a user-created filter rule (ACL) conflicts with an Application Telemetry defined filter, the user-
created rule always takes precedence.
• There are two configurable sFlow collectors (Collector 1 and Collector 2). However, Application
Telemetry uses Collector 1 only and you must configure it before enabling Application Telemetry.
• In a Fabric Extend deployment on VSP 4450 Series, VSP 7200 Series, VSP 8200 Series, or VSP 8400
Series, Application Telemetry does not mirror ingressing NNI to UNI IP Shortcut traffic.

Platform-Specific Considerations
This section provides a summary of operational considerations for different switches.

Table 40: Supported flow types

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| Flows that ingress standard VLAN ports | Supported | Supported |
| Flows that ingress UNI ports | Supported | Supported |
| Flows that ingress NNI ports and egress UNI ports (Layer 2 VSN) | Supported | Not supported |
| Flows that ingress NNI ports and egress UNI ports (Layer 3 VSN) | Supported | Not supported |
| Flows that ingress NNI ports and terminate locally | Supported | Not supported |
| Flows that ingress NNI ports and egress NNI ports | Not supported | Not supported |
| Flows on DvR Controllers or DvR Leafs | Supported | Supported |

Table 41: Application Telemetry collector/server reachability

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| GRT | Yes | Yes |
| VRF | No | Yes. Exception: management VRF |
| Fabric Connect – Layer 2 VSNs | Yes. When the Analytics Engine is reachable over a Layer 2 VSN, the GRE packets are encapsulated with MAC-in-MAC (IEEE 802.1ah) at the originating BEB. The MAC-in-MAC header is removed at the terminating BEB and the original GRE packet is sent to the collector. Note also that the MAC-in-MAC encapsulation plus the GRE encapsulation adds 60 bytes to the original packet. Therefore, if the original packet is close to the maximum transmission unit (MTU), the mirrored copy can exceed the MTU and be dropped. | Yes. When the Analytics Engine is reachable over a Layer 2 VSN, the GRE packets are encapsulated with MAC-in-MAC (IEEE 802.1ah) at the originating BEB. The MAC-in-MAC header is removed at the terminating BEB and the original GRE packet is sent to the collector. Note also that the MAC-in-MAC encapsulation plus the GRE encapsulation adds 60 bytes to the original packet. Therefore, if the original packet is close to the maximum transmission unit (MTU), the mirrored copy can exceed the MTU and be dropped. |
| Fabric Connect – IP Shortcut Routing | Yes | Yes |
| Fabric Connect – Layer 3 VSNs | No | No |

Table 42: Coexistence with sFlow

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| If you enable sFlow and Application Telemetry simultaneously on the same port | The switch sends the sFlow datagrams and Application Telemetry packets to the collector. | If the packet matches the Application Telemetry rules, the switch mirrors the packet to the GRE tunnel and sends it to the Analytics Engine and it cannot be sampled by sFlow. If the packet does not match the Application Telemetry rules and the packet gets sampled, the switch sends it as an sFlow datagram to the sFlow Collector. |

Table 43: Coexistence with security filters

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| IPv6 security filters or IPv6 source guard | Not supported (consistency checks in place). Exception: Allowed on VSP 7400 Series | Allowed |

Table 44: Coexistence with mirroring

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| Mirroring resources | Only 3 mirror ports can be configured for general port mirroring | No impact to number of mirror ports |
| If rx port mirroring is enabled on a port, and Application Telemetry is enabled, when a packet that matches one Application Telemetry entry criterion comes to this port | The switch generates the remote mirrored packet, and the port-based mirroring copy. | The switch generates the remote mirrored packet only. The switch does not generate the port-based mirroring copy. If a packet does not match an Application Telemetry rule, the switch generates the port-based mirroring copy. |

Table 45: Coexistence with Unicast Reverse Path Forwarding (uRPF)

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| If you enable uRPF mode on the switch | The MTU values for both IPv4 and IPv6 packets on the same VLAN are always matched. Different Layer 3 MTU sizes on the same VLAN are not allowed in uRPF mode. | The URPF boot config flag is not applicable. Even when uRPF is enabled, IPv6 MTU can be different from IPv4 MTU; both need not be the same. |

Table 46: High Availability

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| Application Telemetry deployed in a High Availability environment | Not applicable | Supported |

Table 47: Counters

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| If packets match both user defined filters (ACLs) and Application Telemetry rules, and if both rules have counters | Both counters incremented | ACL counters incremented only |

Table 48: Match off-set

| Attribute | VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8200 Series, VSP 8400 Series | VSP 8600 Series |
| --- | --- | --- |
| smb, kerberosasreq2 and kerberostgsreq packet types | kerberosasreq2 and kerberostgsreq packet types supported. Smb – not available | kerberosasreq2 and kerberostgsreq packet types supported with an off-set of 24 bytes only; an off-set of 40 bytes is not supported |

Configuration Overview
After the optional step of uploading the apptelemetry.pol file to flash memory using Extreme
Management Center or ExtremeCloud IQ - Site Engine, activate Application Telemetry by configuring
the following:

1. Configure the IP address of the egress interface for the GRE tunnel with the sflow agent-ip
command.
2. Enable sFlow with the sflow enable command.
3. Configure the IP address of the Analytics Engine with the sflow collector 1 command.
4. Enable Application Telemetry with the app-telemetry enable command.

The following figure shows the Application Telemetry agent on various routers and switches with
packets being sent to the Analytics Engine.

Figure 16: Application Telemetry Overview

Table 49: Application Telemetry Legend

| Number | Description |
| --- | --- |
| 1 | Analytics Engine |
| 2 | GRE tunnels |
| 3 | Application Telemetry agents |

Host Monitoring
You can use Application Telemetry to get better visibility for a selected host by performing a timed
packet capture for both incoming and outgoing traffic specific to that host. Initiate the packet capture
(PCAP) from ExtremeCloud IQ ‑ Site Engine and specify a source or destination IP address to match.
ExtremeCloud IQ ‑ Site Engine pushes an additional rule to the Application Telemetry agent on the
switch, which captures packets that match this rule and uses the existing ERSPAN GRE session to mirror
these packets to Analytics Engine for analysis.

To use this feature, all configuration occurs in ExtremeCloud IQ ‑ Site Engine. The following prerequisites
for configuration must be met:
• Application Telemetry is active.
• The Analytics Engine records application flows.
• You can see the flows in ExtremeCloud IQ ‑ Site Engine.

In ExtremeCloud IQ ‑ Site Engine, select a flow and configure packet capture. You can specify the
host, either the originating or destination host for the flow, and a monitoring interval. For more
information about how to configure packet capture in ExtremeCloud IQ ‑ Site Engine, see the
ExtremeCloud IQ ‑ Site Engine documentation.

The following list identifies restrictions specific to host monitoring:


• You cannot configure monitoring of the same host twice.
• Host monitoring shares resources with the filter ACL application. The maximum number of hosts
that can be monitored depends on the number of ACEs you configure. If no resources are available,
the Resource Manager generates an error for both applications.
• You cannot configure monitoring of the sFlow agent IP address or collector IP address.

Although you use ExtremeCloud IQ ‑ Site Engine to configure the packet capture, the switch logs a
message when this feature is activated or deactivated. Configuration of host monitoring is not saved;
the monitoring is time-based.

Note
Host monitoring is supported beginning with ExtremeCloud IQ ‑ Site Engine version 8.2.4.

Application Telemetry Configuration Using CLI


Use Application Telemetry to capture traffic statistics to monitor traffic in a data network. This section
provides procedures to view and configure this feature using CLI.

Configuring the Agent IP Address


Use this procedure to configure the source of the Application Telemetry packets.

Procedure

1. Enter Global Configuration mode:
   enable
   configure terminal
2. Enable the agent IPv4 address:
   sflow agent-ip {A.B.C.D}

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#sflow agent-ip 192.0.2.27

Variable Definitions
Use the data in the following table to use the sflow agent-ip command.

| Variable | Definition |
| --- | --- |
| {A.B.C.D} | Specifies the agent-ip address (IPv4). |

Configuring an Analytics Engine and Enabling Application Telemetry Globally


Use this procedure to enable Application Telemetry and configure the device used as either an sFlow
Collector or an Application Telemetry Analytics Engine. This device is where the agent sends sFlow
datagrams and Application Telemetry packets for analysis.

sFlow supports up to two collectors for each interface slot in the chassis. However, Application
Telemetry supports Collector 1 only.

Note
• You can configure two Collectors, but Application Telemetry uses Collector 1 only. You
must configure Collector 1 before you enable Application Telemetry.
• Before you change or remove Collector 1, you must disable Application Telemetry.
• By default, Application Telemetry is globally disabled.

Before You Begin


• You must configure the sFlow agent IP address.
• You must enable sFlow before you can enable Application Telemetry.

Procedure

1. Enter Global Configuration mode:
   enable
   configure terminal
2. Configure the Analytics Engine information using Collector 1:
   sflow collector 1 address {A.B.C.D} [owner WORD<1-20>] [vrf WORD<1-16>]
3. Verify the Analytics Engine configuration:
   show sflow collector 1
4. Enable Application Telemetry:
   app-telemetry enable
5. Verify the global configuration:
   show app-telemetry status

Note
The output of this command shows whether Application Telemetry is enabled or not and if
the collector is reachable.

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#sflow collector 1 address 192.0.2.26 owner sflow1 port 6343 timeout 497
Switch:1(config)#show sflow collector 1

==========================================================================================
sFlow Collector Configuration Info

==========================================================================================
Id Owner Collector-IP Port Timeout(secs) Reachable via
------------------------------------------------------------------------------------------
1 sflow1 192.0.2.26 6343 497 192.0.2.15

------------------------------------------------------------------------------------------

All 1 out of 1 Total Num of sflow collector entries displayed


Switch:1(config)#app-telemetry enable
Switch:1(config)#show app-telemetry status
Application Telemetry is enabled
Collector is reachable via 192.0.2.26
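
The ordering rules from the Configuration Overview and from the notes in this procedure can be checked against a change script before it is applied to a switch. The following Python is an added example, not part of the original guide or of VOSS: the command sequences are constructed, and the "no app-telemetry enable" and "no sflow collector 1" forms are assumed from the CLI's "no" convention because they do not appear on this page.

```python
import re

PROMPT = re.compile(r"^\S+?[#>]")        # strips prompts such as "Switch:1(config)#"

# Prerequisites for "app-telemetry enable", in the order the guide lists them.
PREREQS = [
    ("agent_ip", "the sFlow agent IP address is configured"),
    ("sflow", "sFlow is enabled"),
    ("collector1", "Collector 1 is configured"),
]


def check_order(lines):
    """Replay CLI lines in order; return [(line_no, message)] per violation."""
    state = {"agent_ip": False, "sflow": False,
             "collector1": False, "apptel": False}
    findings = []
    for no, raw in enumerate(lines, start=1):
        cmd = PROMPT.sub("", raw.strip()).strip()
        if re.match(r"sflow agent-ip \S+$", cmd):
            state["agent_ip"] = True
        elif cmd == "sflow enable":
            state["sflow"] = True
        elif re.match(r"(no )?sflow collector 1\b", cmd):
            # Collector 1 must not be changed or removed while the feature is on.
            if state["apptel"]:
                findings.append((no, "Collector 1 changed or removed while "
                                     "Application Telemetry is enabled"))
            state["collector1"] = not cmd.startswith("no ")
        elif re.match(r"sflow collector 2\b", cmd):
            pass                         # Application Telemetry uses Collector 1 only
        elif cmd == "app-telemetry enable":
            missing = [text for key, text in PREREQS if not state[key]]
            for text in missing:
                findings.append((no, "app-telemetry enable before " + text))
            state["apptel"] = not missing
        elif cmd == "no app-telemetry enable":   # assumed "no" form
            state["apptel"] = False
        # Any other line (show commands, banners, mode changes) is ignored.
    return findings


# Constructed session that follows the documented order.
GOOD = [
    "Switch:1>enable",
    "Switch:1#configure terminal",
    "Enter configuration commands, one per line. End with CNTL/Z.",
    "Switch:1(config)#sflow agent-ip 192.0.2.27",
    "Switch:1(config)#sflow enable",
    "Switch:1(config)#sflow collector 1 address 192.0.2.26 owner sflow1",
    "Switch:1(config)#show sflow collector 1",
    "Switch:1(config)#app-telemetry enable",
]

# Constructed script with ordering mistakes (lines 3, 7 and 10).
BAD = [
    "sflow agent-ip 192.0.2.27",
    "sflow collector 2 address 192.0.2.30",
    "app-telemetry enable",
    "sflow enable",
    "sflow collector 1 address 192.0.2.26",
    "app-telemetry enable",
    "sflow collector 1 address 192.0.2.40",
    "no app-telemetry enable",
    "no sflow collector 1",
    "app-telemetry enable",
]

if __name__ == "__main__":
    for line_no, message in check_order(BAD):
        print("line %d: %s" % (line_no, message))
```
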

Variable Definitions
Use the data in the following table to use the sflow collector command.

Variable Value
<1–2> Specifies the ID of the collector where you want to send packets for
analysis. Application Telemetry uses Collector 1 only.
owner WORD<1–20> Specifies the name of the collector.
Collector-IP {A.B.C.D.} Specifies the IP address of the collector.
port <1–65535> Specifies the destination port. The default port is 6343.

Note:
Application Telemetry does not use this parameter.

timeout <1–65535> Specifies the time remaining (in seconds) before the collector is released.
The default timeout is 0, which means the timeout is not used and the
switch sends data forever.

Note:
Application Telemetry does not use this parameter.

vrf WORD<1–16> Specifies the name of the VRF used to reach the collector.

Note:
This parameter is not supported on all hardware platforms.


View Application Telemetry Counters


Use the following procedure to view the Application Telemetry status counters. The switch assigns an ID
to each counter and displays information about each filter rule by name. The information includes how
many packets were transmitted to the Analytics Engine that matched the specified pattern in the rule
and the total number of bytes in the packets.

Procedure

1. To enter User EXEC mode, log on to the switch.
2. View Application Telemetry counters:
show app-telemetry counter [name WORD<1-32> | id <1-2000>]

Example
Switch:1>show app-telemetry counter

=================================================================
Application Telemetry Counters
=================================================================
EntryId Name Packets Bytes
-----------------------------------------------------------------
1 ssh 1258 72145
2 sslclient 457 27000
-----------------------------------------------------------------

All 2 out of 2 Total Num of Application Telemetry counters entries displayed

Clearing Application Telemetry Counters


Use this procedure to clear the Application Telemetry status counters. You can clear all of the counters
or specify just the counters you want to clear by name or ID.

Procedure

1. To enter User EXEC mode, log on to the switch.
2. Clear Application Telemetry counters:
clear app-telemetry counter [name WORD<1-32> | id <1-2000>]
3. Verify that the counters were cleared:
show app-telemetry counter [name WORD<1-32> | id <1-2000>]

Example

Clear the counters.


Switch:1>enable
Switch:1#clear app-telemetry counter
Switch:1>show app-telemetry counter

=================================================================
Application Telemetry Counters
=================================================================
EntryId Name Packets Bytes
-----------------------------------------------------------------
1 ssh 0 0
2 sslclient 0 0
-----------------------------------------------------------------

All 2 out of 2 Total Num of Application Telemetry counters entries displayed
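
An added example, not part of the VOSS guide: a Python parser for the show app-telemetry counter table shown above that compares two polls per filter rule and marks a rule as reset when its counters go backwards, as they do after clear app-telemetry counter. Both outputs are constructed samples in the guide's format, and the function names are hypothetical.

```python
import re

# Constructed sample output in the format shown in this section (not captured from a switch).
POLL_1 = """\
=================================================================
                 Application Telemetry Counters
=================================================================
EntryId    Name          Packets      Bytes
-----------------------------------------------------------------
1          ssh           1258         72145
2          sslclient     457          27000
-----------------------------------------------------------------

All 2 out of 2 Total Num of Application Telemetry counters entries displayed
"""

# Constructed second poll: ssh kept counting, sslclient was cleared, dns is a new rule.
POLL_2 = """\
=================================================================
                 Application Telemetry Counters
=================================================================
EntryId    Name          Packets      Bytes
-----------------------------------------------------------------
1          ssh           1300         75000
2          sslclient     0            0
3          dns           10           800
-----------------------------------------------------------------

All 3 out of 3 Total Num of Application Telemetry counters entries displayed
"""

# A data row is: EntryId, Name, Packets, Bytes. Banner and summary lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_counters(text):
    """Return {entry_id: (name, packets, bytes)} for every data row in the output."""
    counters = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            entry_id, name, packets, nbytes = match.groups()
            counters[int(entry_id)] = (name, int(packets), int(nbytes))
    return counters


def compare_polls(before, after):
    """Return {rule_name: (status, packets, bytes)} for two parsed polls.

    status is 'delta' (values are the increase since the earlier poll),
    'reset' (a counter went backwards, so no delta can be trusted),
    'new' (rule absent from the earlier poll) or 'missing' (rule disappeared).
    """
    report = {}
    for entry_id, (name, packets, nbytes) in after.items():
        if entry_id not in before:
            report[name] = ("new", packets, nbytes)
            continue
        _, old_packets, old_bytes = before[entry_id]
        if packets < old_packets or nbytes < old_bytes:
            report[name] = ("reset", packets, nbytes)
        else:
            report[name] = ("delta", packets - old_packets, nbytes - old_bytes)
    for entry_id, (name, _, _) in before.items():
        if entry_id not in after:
            report[name] = ("missing", 0, 0)
    return report


if __name__ == "__main__":
    result = compare_polls(parse_counters(POLL_1), parse_counters(POLL_2))
    for rule, (status, packets, nbytes) in sorted(result.items()):
        print(f"{rule:12} {status:8} packets={packets} bytes={nbytes}")
```

A reset status that does not line up with a planned counter clear is worth checking against the switch's own logs before the telemetry for that interval is relied on.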

Application Telemetry Configuration Using EDM


Use Application Telemetry to capture traffic statistics to monitor traffic in a data network. This section
provides procedures to view and configure this feature using EDM.

sFlow and Application Telemetry send mirrored packets from a common source to a common
destination. sFlow sends samples directly to the destination, while Application Telemetry sends
mirrored packets through a GRE tunnel to the same destination.

Both sFlow and Application Telemetry use an agent to package either the sFlow streams or the
Application Telemetry packets. To configure the agent, they both use the Serviceability > Sflow >
Globals and Serviceability > Sflow > Collector tabs. For more information, see sFlow Configuration
Using EDM on page 3100.

Enabling Application Telemetry Globally


Use this procedure to globally enable Application Telemetry so it can send packets to an Analytics
Engine. By default, Application Telemetry is globally disabled.

Before You Begin

You must complete the following:


• Configure an agent IP address.
• Enable sFlow.
• Configure Collector 1.

Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.


2. Click Application Telemetry.
3. Click the Globals tab.
4. Select the AdminEnable check box.
5. Click Apply.

Globals Field Descriptions


Use the data in the following table to use the Globals tab.

Name Description
AdminEnable Shows whether Application Telemetry is enabled.
By default, the check box is not enabled.
ClearCounterStats Clears the Application Telemetry status counters.


Viewing Application Telemetry Counters


Use the following procedure to view the Application Telemetry status counters. The switch assigns an ID
to each counter and displays information about each filter rule by name. The information includes how
many packets were transmitted to the Analytics Engine that matched the specified pattern in the rule
and the total number of bytes in the packets.

Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.


2. Click Application Telemetry.
3. Click the Counter tab.

Counter field descriptions


Use the data in the following table to use the Counter tab.

Name Description
CounterId Shows the Application Telemetry rule ID.
CounterName Shows the rule name.
CounterPkts Shows the number of packets transmitted to
the Analytics Engine that matched the specified
pattern in the rule.
CounterBytes Shows the total number of bytes in the packets.

Clearing Application Telemetry Counters


Use this procedure to clear the Application Telemetry status counters. You can clear all of the counters
or specify just the counters you want to clear by name or ID.

Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.


2. Click Application Telemetry.
3. Perform one of the following actions:
• To clear all the counters, click the Globals tab, and then select ClearCounterStats.
• To clear specific counters, click the Counter tab, select the counter ID you want to clear, and then
click ClearStats.
4. Click Apply.

Viewing Application Telemetry Status


About This Task

Use this procedure to view the status of the Application Telemetry collector.

Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.

2. Click Application Telemetry.


3. Click the Status tab.

Status field descriptions


Use the data in the following table to use the Status tab.

Name Description
Collector IP Address Shows the address of the Application Telemetry
collector.
IsReachable Shows whether the Application Telemetry
collector is reachable.
NextHop If the collector is reachable, shows the name
or address of the next hop through which the
collector is reachable.



Bidirectional Forwarding Detection
BFD Fundamentals
BFD Configuration using CLI
BFD Configuration using EDM

Table 50: Bidirectional Forwarding Detection (BFD) product support


Feature Product Release introduced
BFD (IPv4) VSP 4450 Series VOSS 8.1
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 8.1
VSP 7400 Series VOSS 8.1
VSP 8200 Series VOSS 8.1
VSP 8400 Series VOSS 8.1
VSP 8600 Series Not Supported
XA1400 Series Not Supported
BFD (IPv6) VSP 4450 Series VOSS 8.1 demonstration feature
VSP 4900 Series VOSS 8.1 demonstration feature
VSP 7200 Series VOSS 8.1 demonstration feature
VSP 7400 Series VOSS 8.1 demonstration feature
VSP 8200 Series VOSS 8.1 demonstration feature
VSP 8400 Series VOSS 8.1 demonstration feature
VSP 8600 Series Not Supported
XA1400 Series Not Supported
BFD over Fabric Extend Tunnels (IPv4) VSP 4450 Series Not Supported
VSP 4900 Series VOSS 8.2
VSP 7200 Series VOSS 8.2
VSP 7400 Series VOSS 8.2
VSP 8200 Series VOSS 8.2
VSP 8400 Series VOSS 8.2
VSP 8600 Series Not supported
XA1400 Series VOSS 8.2


Use Bidirectional Forwarding Detection (BFD) to provide a failure detection mechanism between two
systems.

The following sections provide information and procedures for BFD.

BFD Fundamentals
The following sections provide fundamentals information about Bidirectional Forwarding Detection
(BFD).

BFD Overview
Bidirectional Forwarding Detection (BFD) is a simple Hello protocol used between two peers. In BFD,
peer systems periodically transmit BFD packets to each other. If one of the systems does not receive
a BFD packet after a certain period of time, the system assumes that the link or other system is not
operating.

A path is considered operational when bidirectional communication is established between systems.
However, this does not preclude the use of unidirectional links.

BFD provides low-overhead, short-duration failure detection between two systems. BFD also provides a
single mechanism for connectivity detection over any media, at any protocol layer.

Because BFD sends rapid failure-detection notifications to the routing protocols that run on the local
system, which initiates routing table recalculations, BFD helps reduce network convergence time.

BFD supports IPv4/IPv6 single hop detection for static routes, OSPFv2, OSPFv3, iBGP, iBGPv6.
Forwarding path failure detection for Fabric Extend tunnels is supported over an IPv4 network only.

Note
BFD for IPv6 interfaces is a demonstration feature on some products. For more information
about feature support, see VOSS Feature Support Matrix.

Note
iBGPv6 is not supported in VRF.

BFD Operation
The switch uses one BFD session for all protocols with the same destination. For example, if a network
runs OSPFv2 and BGP across the same link with the same peer, only one BFD session is established, and
BFD shares session information with both routing protocols.

You can enable BFD over data paths with specified OSPFv2 and OSPFv3 neighbors, BGP neighbors,
static routing next-hop addresses, and Fabric Extend tunnels.

The switch supports BFD asynchronous mode, which sends BFD control packets between two systems
to activate and maintain BFD neighbor sessions. To reach an agreement with its neighbor about
how rapidly failure detection occurs, each system estimates how quickly it can send and receive BFD
packets.


A session begins with the periodic, slow transmission of BFD control packets. When bidirectional
communication is achieved, the BFD session comes up.

After the session is up, the transmission rate of Control packets can increase to achieve detection time
requirements. If Control packets are not received within the calculated detection time, the session is
declared down. After a session is down, Control packet transmission returns to the slow rate.

If a session is declared down, it cannot come back up until the remote end signals that it is down
(three-way handshake). A session can be kept administratively down by configuring the state of AdminDown.

In asynchronous mode, detection time is equal to the value of DetectMult received from the
remote system multiplied by the agreed transmit interval of the remote system (the greater of
RequiredMinRxInterval and DesiredMinTxInterval). DetectMult is approximately equal to the number
of sequential packets that must be missed to declare a session down.

BFD States
A session normally proceeds through three states; two states are used to establish a session (Init and
Up) and one state is used to tear down a session (Down). This allows a three-way handshake for both
session establishment and session teardown, assuring that both systems are aware of all session state
changes. There is a fourth state (AdminDown) that you can use to administratively put a session down
indefinitely.
• Down state: Indicates the session is down or has just been created. The session will remain in Down
state until the remote system sends a BFD control packet indicating anything other than Up state. If
the control packet signals Down state, the session advances to Init state. If the control packet signals
Init state, the session advances to Up state.
• Init state: In this state, the host system establishes communications with the remote system and
sends a request to move the session to the Up state, but the remote system has not yet recognized
the request. A session remains in Init state until it receives a BFD control packet signaling Init or Up
state, or until the connectivity timer expires, indicating communication with the remote system is
lost.
• Up state: Indicates the BFD session is established and connectivity is working. A session remains in
Up state until connectivity fails or until the session is taken down administratively.
• AdminDown state: Indicates the BFD session is being held down administratively. This causes the
remote system to enter Down state and remain there until the local system exits AdminDown state.
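
The transitions listed above, as an added example that is not part of the VOSS guide: a small Python model of the two ends of a session, showing the three-way handshake, a one-sided failure, and the AdminDown hold. The Up to Down transition on a received Down packet follows RFC 5880 section 6.8.6; the class and function names are hypothetical.

```python
from enum import Enum


class State(Enum):
    ADMIN_DOWN = "AdminDown"
    DOWN = "Down"
    INIT = "Init"
    UP = "Up"


class BfdSession:
    """One end of a BFD session in asynchronous mode (hypothetical model)."""

    def __init__(self, name):
        self.name = name
        self.state = State.DOWN  # a newly created session starts in Down state

    def receive(self, remote_state):
        """Apply a control packet that carries the peer's current state."""
        if self.state is State.ADMIN_DOWN:
            return self.state            # held down locally; packets change nothing
        if remote_state is State.ADMIN_DOWN:
            self.state = State.DOWN      # peer is held down administratively
        elif self.state is State.DOWN:
            if remote_state is State.DOWN:
                self.state = State.INIT
            elif remote_state is State.INIT:
                self.state = State.UP
            # Peer still signals Up: stay Down until it signals Down.
        elif self.state is State.INIT:
            if remote_state in (State.INIT, State.UP):
                self.state = State.UP
        elif self.state is State.UP:
            if remote_state is State.DOWN:
                self.state = State.DOWN  # RFC 5880 section 6.8.6
        return self.state

    def detection_timeout(self):
        """No control packet arrived within the detection time."""
        if self.state in (State.INIT, State.UP):
            self.state = State.DOWN
        return self.state

    def set_admin_down(self, held):
        """Enter AdminDown, or leave it and restart from Down."""
        self.state = State.ADMIN_DOWN if held else State.DOWN
        return self.state


def send(sender, receiver):
    """Deliver one control packet; return (state signalled, receiver's new state)."""
    signalled = sender.state
    return signalled.value, receiver.receive(signalled).value


def three_way_handshake(a, b):
    """A to B, B to A, A to B: the exchange that brings both ends Up."""
    return [send(a, b), send(b, a), send(a, b)]


if __name__ == "__main__":
    a, b = BfdSession("A"), BfdSession("B")
    print("handshake:", three_way_handshake(a, b))
    a.detection_timeout()                        # A stops hearing from B
    print("B still Up ->", send(b, a))           # A stays Down
    print("A signals Down ->", send(a, b))       # B follows to Down
    print("recovery:", [send(b, a), send(a, b), send(b, a)])
    a.set_admin_down(True)
    print("AdminDown ->", send(a, b), send(b, a))
```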

BFD Configuration
The following sections provide conceptual information about BFD configuration. For detailed
procedural information about BFD configuration, see BFD Configuration using CLI on page 353 and
BFD Configuration using EDM on page 367.

Enable BFD
To enable Bidirectional Forwarding Detection (BFD) between 2 peers:
• Configure BFD globally.
• Configure BFD on the required interfaces of both peer systems.

• Enable BFD on the required routing protocols.


• Specify the next-hop device with which the switch initiates the BFD session.

Delete a BFD Session


To delete a BFD session, disassociate all applications from the BFD session, then administratively bring
down the BFD session.

Note
To successfully delete a BFD session, you must execute the commands in the following order:

1. Disassociate all applications from the BFD session.


2. Disable BFD at the global level or interface level, which transitions the BFD session to
AdminDown state.

If you change the above order of operations, the BFD session is not deleted.

BFD Considerations
The following considerations apply to Bidirectional Forwarding Detection (BFD):
• BFD is supported only in asynchronous mode. Demand mode and echo functionalities are not
supported.
• You configure BFD parameters on a per session basis, not on a per next-hop basis.
• BFD creates multiple sessions even though a neighbor shares an IP address.
• The granularity of the fault detection interval in BFD is 100 ms, and the minimum multiplier is 2.

The minimum value for the transmit interval or the receive interval is 100 ms. If you configure the
transmit interval or the receive interval as 100 ms, you must configure a value of 4 or greater for the
multiplier.

You can configure a total of 16 BFD sessions. Of the 16 possible BFD sessions, you can configure a
maximum of 4 BFD sessions with the minimum value for transmit interval or receive interval. You
can configure the remaining BFD sessions with a transmit interval or a receive interval that is greater
than or equal to the 200 ms default value.
• BFD is not supported over RSMLT links. This applies to BFD sessions over IPv4 interfaces and IPv6
interfaces.
• Inter-tunnel routing with 6in4 tunnels is not supported. This means that incoming IPv6 packets over
a tunnel cannot be forwarded over another tunnel configured on the same switch.
• BFD for Interior Border Gateway Protocol (iBGP) and BGPv6 in VRF is not supported.
• BFD for eBGPv6 in VRF is not supported.
• Session dampening is not supported for BFD.
• The switch supports BFD multihop only at the eBGP application level. For other applications, the
switch does not support BFD multihop, as defined by RFC 5883. However, there is no requirement
for source and destination IP addresses to be in the same subnet.
• BFD over IPv6 Fabric Extend (FE) tunnels is not supported.
• The minimum value for the transmit interval or the receive interval is 1 second with a fault detection
time of 3 seconds for BFD over IPv4 FE tunnels.

• BFD does not support a static route flag.


• BFD is not supported on a Virtual Router Redundancy Protocol (VRRP) interface.
• High Availability for BFD is not supported.
• You can configure a total of 256 BFD and Virtual Link Aggregation Control Protocol (VLACP)
sessions.
• BFD packets cannot be mirrored when BFD is configured on the switch.
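
An added pre-deployment check, not part of the VOSS guide: Python that applies the detection-time rule from BFD Operation and the interval, multiplier and session-count limits from the considerations above to a planned set of sessions. The BfdPlan fields and function names are hypothetical, and counting every interval below the 200 ms default against the limit of 4 sessions is an assumption.

```python
from dataclasses import dataclass

# Limits quoted from the BFD considerations in this guide.
MIN_INTERVAL_MS = 100            # minimum transmit or receive interval
DEFAULT_INTERVAL_MS = 200        # default transmit and receive interval
MAX_SESSIONS = 16                # total BFD sessions
MAX_MIN_INTERVAL_SESSIONS = 4    # sessions allowed at the minimum interval
MIN_MULTIPLIER = 2               # minimum multiplier
MIN_MULTIPLIER_AT_100_MS = 4     # required when an interval is 100 ms
FE_MIN_INTERVAL_MS = 1000        # BFD over IPv4 Fabric Extend tunnels


@dataclass
class BfdPlan:
    name: str                # hypothetical label for the planned session
    tx_ms: int = 200         # value planned for: ip bfd interval
    rx_ms: int = 200         # value planned for: ip bfd min-rx
    multiplier: int = 3      # value planned for: ip bfd multiplier
    fe_tunnel: bool = False  # session runs over an IPv4 Fabric Extend tunnel


def detection_time_ms(local_rx_ms, remote_tx_ms, remote_multiplier):
    """Detection time at the local end in asynchronous mode.

    The remote DetectMult times the agreed transmit interval of the remote
    system, which is the greater of the local receive interval and the
    remote transmit interval.
    """
    agreed_interval = max(local_rx_ms, remote_tx_ms)
    return remote_multiplier * agreed_interval


def audit(plans):
    """Return a list of findings; an empty list means the plan fits the limits."""
    findings = []
    if len(plans) > MAX_SESSIONS:
        findings.append(f"{len(plans)} sessions planned, limit is {MAX_SESSIONS}")
    fast = []
    for p in plans:
        floor = FE_MIN_INTERVAL_MS if p.fe_tunnel else MIN_INTERVAL_MS
        for label, value in (("transmit", p.tx_ms), ("receive", p.rx_ms)):
            if value < floor:
                findings.append(
                    f"{p.name}: {label} interval {value} ms is below {floor} ms")
        at_minimum = MIN_INTERVAL_MS in (p.tx_ms, p.rx_ms)
        needed = MIN_MULTIPLIER_AT_100_MS if at_minimum else MIN_MULTIPLIER
        if p.multiplier < needed:
            findings.append(f"{p.name}: multiplier {p.multiplier} is below {needed}")
        # Assumption: any interval under the 200 ms default uses a fast-session slot.
        if min(p.tx_ms, p.rx_ms) < DEFAULT_INTERVAL_MS:
            fast.append(p.name)
    if len(fast) > MAX_MIN_INTERVAL_SESSIONS:
        findings.append(
            f"{len(fast)} sessions use an interval below {DEFAULT_INTERVAL_MS} ms, "
            f"limit is {MAX_MIN_INTERVAL_SESSIONS}")
    return findings


if __name__ == "__main__":
    plan = [BfdPlan(f"core-{i}", 100, 100, 4) for i in range(4)]
    plan.append(BfdPlan("edge-2", 100, 200, 3))   # constructed bad entry
    for finding in audit(plan):
        print(finding)
    print("detection time at defaults:", detection_time_ms(200, 200, 3), "ms")
```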

BFD Configuration using CLI


Use the following procedures to configure Bidirectional Forwarding Detection (BFD) using CLI. BFD
provides low-overhead, short-duration failure-detection between two systems.

Enable BFD Globally


Note
BFD for IPv6 interfaces is a demonstration feature on some products. For more information
about feature support, see VOSS Feature Support Matrix.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable BFD globally.

Note
Enabling BFD globally does not establish a BFD session. To establish a BFD session, you must
also configure BFD at the interface level and at the application level.

Procedure

1. Enter BFD Router Configuration mode:


enable

configure terminal

router bfd
2. Enable BFD:
router bfd enable

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router bfd
Switch:1(router-bfd)#router bfd enable

Configure BFD on an IPv4 Interface


About This Task

Use the following procedure to enable and to configure Bidirectional Forwarding Detection (BFD) on an
IPv4 interface. All interface configuration is performed at the VLAN, GigabitEthernet, or Loopback level.

Note
Enabling BFD on an interface does not establish a BFD session. To establish a BFD session,
you must enable BFD globally and at the application level.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
followed by one of the following:
• interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
• interface loopback <1–256>
• interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable BFD on an interface:
ip bfd enable
3. (Optional) Configure the transmit interval:
ip bfd interval <100-65335>
4. (Optional) Configure the minimum receive interval:
ip bfd min-rx <100-65335>
5. (Optional) Configure the multiplier:
ip bfd multiplier <1-20>
6. (Optional) In GigabitEthernet Interface Configuration mode, you can configure a value for port:
ip bfd port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
7. (Optional) In VLAN Interface Configuration mode, you can configure a value for VLAN:
ip bfd vlan <1-4094>
8. (Optional) In Loopback Interface Configuration mode, you can configure a value for loopback:
ip bfd loopback <1-256>


Variable Definitions
The following table defines parameters for the ip bfd command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot
and port (slot/port), a range of slots and ports (slot/port-slot/port), or
a series of slots and ports (slot/port,slot/port,slot/port). If the platform
supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
enable Enable BFD on a port, VLAN, or loopback.
interval <100-65335> Specifies the transmit interval in milliseconds. The default is 200 ms.

Note:
For XA1400 Series, the default is 1000 ms.

Note:
The minimum value you can configure for the transmit interval is 100 ms.
You can configure a maximum of 4 BFD sessions with the minimum value
for the transmit interval. You can configure any remaining BFD sessions
with a transmit interval that is greater than or equal to the 200 ms default
value.

min-rx <100-65535> Specifies the receive interval in milliseconds. The default is 200 ms.

Note:
For XA1400 Series, the default is 1000 ms.

Note:
The minimum value you can configure for the receive interval is 100 ms.
You can configure a maximum of 4 BFD sessions with the minimum value
for the receive interval. You can configure any remaining BFD sessions
with a receive interval that is greater than or equal to the 200 ms default
value.

multiplier <1-20> Specifies the multiplier used to calculate the amount of time BFD waits
before declaring a receive timeout. The default is 3.

Note:
If you configure the transmit interval or the receive interval as 100 ms, you
must configure a value of 4 or greater for the multiplier.

port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot
and port (slot/port), a range of slots and ports (slot/port-slot/port), or
a series of slots and ports (slot/port,slot/port,slot/port). If the platform
supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
vlan <1-4094> Specifies the VLAN ID.
loopback <1-256> Specifies the Loopback ID.


Configure BFD on an IPv6 Interface


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

Use the following procedure to enable and to configure BFD on an IPv6 interface. All interface
configuration is performed at the VLAN or GigabitEthernet level.

Note
Enabling BFD on an interface does not establish a BFD session. To establish a BFD session,
you must enable BFD globally and at the application level.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable BFD on an interface:


ipv6 bfd enable
3. (Optional) Configure the transmit interval:
ipv6 bfd interval <100-65335>
4. (Optional) Configure the minimum receive interval:
ipv6 bfd min-rx <100-65335>
5. (Optional) Configure the multiplier:
ipv6 bfd multiplier <1-20>
6. (Optional) In GigabitEthernet Interface Configuration mode, you can configure a value for port:
ipv6 bfd port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
7. (Optional) In VLAN Interface Configuration mode, you can configure a value for VLAN:
ipv6 bfd vlan <1-4094>


Variable Definitions
The following table defines parameters for the ip bfd command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot
and port (slot/port), a range of slots and ports (slot/port-slot/port), or
a series of slots and ports (slot/port,slot/port,slot/port). If the platform
supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
enable Enable BFD on a port, VLAN, or loopback.
interval <100-65335> Specifies the transmit interval in milliseconds. The default is 200 ms.

Note:
For XA1400 Series, the default is 1000 ms.

Note:
The minimum value you can configure for the transmit interval is 100 ms.
You can configure a maximum of 4 BFD sessions with the minimum value
for the transmit interval. You can configure any remaining BFD sessions
with a transmit interval that is greater than or equal to the 200 ms default
value.

min-rx <100-65535> Specifies the receive interval in milliseconds. The default is 200 ms.

Note:
For XA1400 Series, the default is 1000 ms.

Note:
The minimum value you can configure for the receive interval is 100 ms.
You can configure a maximum of 4 BFD sessions with the minimum value
for the receive interval. You can configure any remaining BFD sessions
with a receive interval that is greater than or equal to the 200 ms default
value.

multiplier <1-20> Specifies the multiplier used to calculate the amount of time BFD waits
before declaring a receive timeout. The default is 3.

Note:
If you configure the transmit interval or the receive interval as 100 ms, you
must configure a value of 4 or greater for the multiplier.

port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot
and port (slot/port), a range of slots and ports (slot/port-slot/port), or
a series of slots and ports (slot/port,slot/port,slot/port). If the platform
supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
vlan <1-4094> Specifies the VLAN ID.
loopback <1-256> Specifies the Loopback ID.


Enable BFD at the BGP Application Level


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

BFD supports internal Border Gateway Protocol (iBGP) and external Border Gateway Protocol (eBGP)
on IPv4 interfaces. You configure BFD on a VRF instance the same way you configure the GlobalRouter,
except that you must use VRF Router Configuration mode and the prefix ip bgp. BFD does not
support BGPv6 for VRF on IPv6 interfaces.

Note
Enabling BFD at the BGP application level does not establish a BFD session. To establish a
BFD session, you must enable BFD globally and at the interface level.

Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Enable BFD for the BGP protocol:
neighbor WORD<0-1536> fall-over bfd

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router bgp
Switch:1(router-bgp)#neighbor 192.0.2.15 fall-over bfd

Variable Definitions
The following table defines parameters for the neighbor command.

Variable Value
WORD<0-1536> Specifies the peer IP address or the peer group name.

Enable BFD at the OSPF Application Level


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

BFD supports Open Shortest Path First (OSPF) for IPv4 interfaces and OSPFv3 for IPv6 interfaces.


Use the following procedure to enable BFD at the OSPF application level.

Note
Enabling BFD at the OSPF application level does not establish a BFD session. To establish a
BFD session, you must enable BFD globally and at the interface level.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. (Optional) Enable BFD on an IPv4 interface under the OSPF protocol:


ip ospf bfd
3. Enable BFD on an IPv6 interface under the OSPF protocol:
ipv6 ospf bfd

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitethernet 1/3
Switch:1(config-if)#ip ospf bfd

Variable Definitions
The following table defines parameters for the ip ospf bfd command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following formats: a single slot
and port (slot/port), a range of slots and ports (slot/port-slot/port), or
a series of slots and ports (slot/port,slot/port,slot/port). If the platform
supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN
IDs 1 to 4059 are configurable and the system reserves VLAN IDs
4060 to 4094 for internal use. On switches that support the
vrf-scaling and spbm-config-mode boot configuration flags, if you
enable these flags, the system also reserves VLAN IDs 3500 to 3998.
VLAN ID 1 is the default VLAN and you cannot create or delete VLAN
ID 1.


Configure BFD on an IPv4 Static Route

About This Task

Use the following procedure to configure BFD on an IPv4 static route.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure BFD on an IPv4 static route:
ip route bfd {A.B.C.D}

Variable Definitions
The following table defines parameters for the ip route bfd command.

Variable Value
{A.B.C.D} Specifies the BFD static route IPv4 address.

Configure BFD on an IPv6 Static Route


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

Use the following procedure to configure BFD on an IPv6 static route.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure BFD on an IPv6 static route:
ipv6 route bfd WORD<0-128>
3. (Optional) Configure an IPv6 static route for a port:
ipv6 route bfd WORD<0-128> port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
4. (Optional) Configure an IPv6 static route for a VLAN:
ipv6 route bfd WORD<0-128> vlan <1-4094>


Variable Definitions
The following table defines parameters for the ipv6 route bfd command.

Variable Value
WORD<0-128> Specifies the BFD static route IPv6 address.
port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Specifies the port number for the BFD IPv6 static route.
vlan <1-4094> Specifies the VLAN ID for the BFD IPv6 static route.

Clear BFD Session Statistics


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

Use the following procedure to clear local and remote Bidirectional Forwarding Detection (BFD) session
statistics for IPv4 or IPv6 interfaces.

Procedure

1. Enter Privileged EXEC mode:


enable
2. (Optional) Clear BFD session statistics for an IPv4 interface:
clear ip bfd stats
3. Clear BFD session statistics for an IPv6 interface:
clear ipv6 bfd stats

Variable Definitions
The following table defines parameters for the clear ip bfd stats command.

Variable Value
vrf WORD<1-16> Specifies a VRF instance by VRF name.
vrfids WORD<0-512> Specifies a VRF or range of VRFs by ID.

Display BFD Global Configuration


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

Use this procedure to display global configuration information for BFD.


Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display global BFD configuration information:
show ip bfd [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example
The following example displays global configuration information for BFD on an IPv4 interface.
Switch:1>show ip bfd
================================================================================
BFD information - GlobalRouter
================================================================================
BFD Version : 1
Admin Status : TRUE
Trap Enable : FALSE
--------------------------------------------------------------------------------
Total session number : 1

UP: 1, DOWN: 0, AdminDown: 0, Init: 0


--------------------------------------------------------------------------------

Variable Definitions
The following table defines parameters for the show ip bfd command.

Variable Value
vrf WORD<1-16> Specifies a VRF instance by VRF name.
vrfids WORD<0-512> Specifies a VRF or range of VRFs by ID.

Display BFD Configuration for an IPv4 Interface

About This Task

Use the following procedure to display BFD configuration on an interface.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display BFD on a Gigabit Ethernet interface:
show ip bfd interfaces Gigabitethernet [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}] [vrf WORD<1-16>] [vrfids WORD<0-512>]
3. Display BFD on a VLAN interface:
show ip bfd interfaces vlan [<1-4059>] [vrf WORD<1-16>] [vrfids WORD<0-512>]

Examples
The following example displays VLAN interface configuration information for BFD.
Switch:1>show ip bfd interfaces vlan 11
==========================================================================================
Vlan Bfd
==========================================================================================
VLAN STATUS MIN_RX INTERVAL MULTIPLIER VRF-ID
------------------------------------------------------------------------------------------
11 enable 200 200 3 0

The following example displays Loopback interface configuration information for BFD:

Switch:1>enable
Switch:1#show ip bfd interfaces loopback
================================================================================
Circuitless IP Interface Bfd
================================================================================
INTF ID STATUS MIN_RX INTERVAL MULTIPLIER VRF-ID
--------------------------------------------------------------------------------
1 enable 200 200 3 0
2 enable 200 200 3 2

Variable Definitions
The following table defines parameters for the show ip bfd interfaces command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the
following formats: a single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the
platform supports channelization and the port is channelized, you must also specify the sub-port
in the format slot/port/sub-port.
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs
1 to 4059 are configurable and the system reserves VLAN IDs 4060 to
4094 for internal use. On switches that support the vrf-scaling and
spbm-config-mode boot configuration flags, if you enable these flags,
the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
VLAN and you cannot create or delete VLAN ID 1.
vrf WORD<1-16> Specifies a VRF instance by VRF name.
vrfids WORD<0-512> Specifies a VRF or range of VRFs by ID.

Display BFD Configuration for an IPv6 Interface


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

Use the following procedure to display BFD configuration on an IPv6 interface.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display BFD on a Gigabit Ethernet interface:
show ipv6 bfd interfaces Gigabitethernet [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]

3. Display BFD on a VLAN interface:
show ipv6 bfd interfaces vlan <1-4059>

Example
The following example displays port configuration information for BFD.
Switch:1>show ipv6 bfd interfaces gigabitethernet 1/3

==========================================================================================
Port Bfd
==========================================================================================
PORT STATUS MIN_RX INTERVAL MULTIPLIER VRF-ID
------------------------------------------------------------------------------------------
1/3 enable 200 200 3 0

Variable Definitions
The following table defines parameters for the show ip bfd interfaces command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the
following formats: a single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the
platform supports channelization and the port is channelized, you must also specify the sub-port
in the format slot/port/sub-port.
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs
1 to 4059 are configurable and the system reserves VLAN IDs 4060 to
4094 for internal use. On switches that support the vrf-scaling and
spbm-config-mode boot configuration flags, if you enable these flags,
the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
VLAN and you cannot create or delete VLAN ID 1.
vrf WORD<1-16> Specifies a VRF instance by VRF name.
vrfids WORD<0-512> Specifies a VRF or range of VRFs by ID.

Display BFD IPv4 Neighbor Information

About This Task

Use this procedure to display BFD session information for IPv4 neighbors.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display BFD neighbor information:
show ip bfd neighbors
3. (Optional) Display BFD neighbor next-hop information:
show ip bfd neighbors next-hop {A.B.C.D}
4. (Optional) Display BFD neighbor information for a particular VRF:
show ip bfd neighbors vrf WORD<1-16>

5. (Optional) Display BFD neighbor information for a VRF ID or a range of VRF IDs:
show ip bfd neighbors vrfids WORD<0-512>

Example
The following example displays BFD session information for an IPv4 neighbor.
Switch:1>show ip bfd neighbors
========================================================================================================================
BFD Session - GlobalRouter
========================================================================================================================

MY_DISC YOUR_DISC NEXT_HOP STATE MULTI MIN_TX MIN_RX ACT_TX DETECT_TIME REMOTE_STATE APP RUN

1 0 192.0.2.11 Down 3 200 200 1000 600 Down O


------------------------------------------------------------------------------------------------------------------------
1 out of 1 BFD session displayed
------------------------------------------------------------------------------------------------------------------------
APP and RUN Legend:
B=BGP, O=OSPF, S=Static Route
------------------------------------------------------------------------------------------------------------------------

Variable Definitions
The following table defines parameters for the show ip bfd neighbors command.

Variable Value
{A.B.C.D} Specifies the next-hop IP address in the format a.b.c.d.
vrf WORD<1-16> Specifies a VRF instance by name (the string length ranges from 1–16
characters).
vrfids WORD<0-512> Specifies a range of VRFs by ID number (the ID ranges from 0–512).

Display BFD IPv6 Neighbor Information


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

Use this procedure to display information about BFD IPv6 neighbors.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display BFD neighbor information:
show ipv6 bfd neighbors
3. (Optional) Display BFD neighbor next-hop information:
show ipv6 bfd neighbors next-hop WORD<0-128>
4. (Optional) Display BFD neighbor information for a particular VRF:
show ipv6 bfd neighbors vrf WORD<1-16>
5. (Optional) Display BFD neighbor information for a range of VRFs:
show ipv6 bfd neighbors vrfids WORD<0-512>

Example
The following example displays BFD session information for an IPv6 neighbor.
Switch:1>show ipv6 bfd neighbors
=========================================================================================================================================
BFD Session - GlobalRouter
=========================================================================================================================================

MY_DISC YOUR_DISC NEXT_HOP STATE MULTI MIN_TX MIN_RX ACT_TX DETECT_TIME REMOTE_STATE APP RUN
1 0 2001:DB8:0:0:25AB:0:0:1 Down 3 200 200 1000 0 Down O
-----------------------------------------------------------------------------------------------------------------------------------------
1 out of 1 BFD session displayed
-----------------------------------------------------------------------------------------------------------------------------------------
APP and RUN Legend:
B=BGP_IPv6, O=OSPFv3, S=IPv6 Static Route
-----------------------------------------------------------------------------------------------------------------------------------------

Variable Definitions
The following table defines parameters for the show ipv6 bfd neighbors command.

Variable Value
WORD<0-128> Specifies the next-hop IPv6 address in the format a:b:c:d:e:f:g:h.
vrf WORD<1-16> Specifies a VRF instance by name (the string length ranges from 1–16
characters).
vrfids WORD<0-512> Specifies a range of VRFs by ID number (the ID ranges from 0–512).
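
The session tables printed by show ip bfd neighbors and show ipv6 bfd neighbors can be checked by script. The following Python is an added example, not part of the VOSS guide or Extreme Networks code: it parses the session rows and the legend, then reports sessions that are not Up or whose configured application is not running. The second sample row and the reading of APP and RUN as one legend letter per application are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample. The first session row and the legend are copied from the
# example in this guide; the second row is invented for illustration.
SAMPLE_OUTPUT = """\
Switch:1>show ip bfd neighbors
====================================================================
BFD Session - GlobalRouter
====================================================================

MY_DISC YOUR_DISC NEXT_HOP STATE MULTI MIN_TX MIN_RX ACT_TX DETECT_TIME REMOTE_STATE APP RUN

1 0 192.0.2.11 Down 3 200 200 1000 600 Down O
2 7 192.0.2.12 Up 3 200 200 200 600 Up B B

--------------------------------------------------------------------
2 out of 2 BFD session displayed
--------------------------------------------------------------------
APP and RUN Legend:
B=BGP, O=OSPF, S=Static Route
--------------------------------------------------------------------
"""


@dataclass
class BfdSession:
    my_disc: int
    your_disc: int
    next_hop: str
    state: str
    multiplier: int
    min_tx: int
    min_rx: int
    act_tx: int
    detect_time: int
    remote_state: str
    app: str = ""   # applications configured on the session
    run: str = ""   # applications running on the session (blank if none)


def parse_neighbors(text):
    """Return (sessions, legend) parsed from the CLI output."""
    sessions, legend = [], {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # The legend line follows the "APP and RUN Legend:" marker and differs
        # between the IPv4 and IPv6 commands, so read it from the output.
        if line.strip().startswith("APP and RUN Legend") and i + 1 < len(lines):
            for item in lines[i + 1].split(","):
                key, _, name = item.strip().partition("=")
                if name:
                    legend[key] = name
            continue
        tok = line.split()
        # A session row has 10 fixed columns plus optional APP and RUN.
        if not 10 <= len(tok) <= 12 or not (tok[0].isdigit() and tok[1].isdigit()):
            continue
        try:
            ipaddress.ip_address(tok[2])       # accepts IPv4 and IPv6 next hops
            nums = [int(t) for t in tok[4:9]]  # MULTI .. DETECT_TIME
        except ValueError:
            continue                           # not a session row
        sessions.append(BfdSession(int(tok[0]), int(tok[1]), tok[2], tok[3],
                                   *nums, tok[9], *tok[10:12]))
    return sessions, legend


def findings(sessions, legend):
    """List (next_hop, message) pairs for sessions that need attention."""
    out = []
    for s in sessions:
        if s.state != "Up":
            out.append((s.next_hop,
                        f"local state {s.state}, remote state {s.remote_state}"))
        # Assumption: APP and RUN hold one legend letter per application.
        idle = [legend.get(c, c) for c in s.app if c.isalpha() and c not in s.run]
        if idle:
            out.append((s.next_hop, "configured but not running: " + ", ".join(idle)))
    return out


if __name__ == "__main__":
    parsed, names = parse_neighbors(SAMPLE_OUTPUT)
    for hop, msg in findings(parsed, names):
        print(f"{hop}: {msg}")
```

Because the rows are split on whitespace, the parser works on both the column-aligned device output and a copy in which the spacing has been collapsed.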

Display BFD Statistics


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

Use the following procedure to display BFD statistics for IPv4 or IPv6 interfaces.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display BFD IPv4 statistics:
show ip bfd stats [vrf] [vrfids]
3. Display BFD IPv6 statistics:
show ipv6 bfd stats [vrf] [vrfids]

Example

The following example displays BFD statistics for IPv4 interfaces.


Switch:1>show ip bfd stats
================================================================================================================
BFD staticstics - GlobalRouter
================================================================================================================

MY_DISC YOUR_DISC NEXT_HOP PACKT_IN PACKET_OUT LAST_UP LAST_DOWN


----------------------------------------------------------------------------------------------------------------

1 0 192.0.2.10 4661750 4620630 Mon Sep 6 15:31:15 2021 Mon Sep 6 15:28:08 2021
----------------------------------------------------------------------------------------------------------------

The following example displays BFD statistics for IPv6 interfaces.


Switch:1>show ipv6 bfd stats
========================================================================================================================
BFD staticstics - GlobalRouter
========================================================================================================================

MY_DISC YOUR_DISC NEXT_HOP PACKT_IN PACKET_OUT LAST_UP LAST_DOWN


------------------------------------------------------------------------------------------------------------------------

1 0 2001:DB8:0:0:0:0:0:ffff 4661750 4620630 Mon Sep 6 15:31:15 2021 Mon Sep 6 15:28:08 2021
------------------------------------------------------------------------------------------------------------------------

Variable Definitions
The following table defines parameters for the show ip bfd stats command.

Variable Value
vrf Specifies a VRF instance by VRF name.
vrfids Specifies a VRF or range of VRFs by ID.

BFD Configuration using EDM


Use the following procedures to configure Bidirectional Forwarding Detection (BFD) using EDM. BFD
provides low-overhead, short-duration failure-detection between two systems.

Enable BFD Globally


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

Before You Begin

To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context View
on page 3856. All parameters might not be available in non-default VRFs.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable BFD globally.

Note
Enabling BFD globally does not establish a BFD session. To establish a BFD session, you must
enable BFD at the interface level and at the application level.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select BFD.
3. Select the Globals tab.
4. In AdminStatus, select enabled.
5. (Optional) Select TrapEnabled to send BFD traps.
6. Select Apply.

BFD Globals Field Descriptions


Use the data in the following table to use the Globals tab.

Name Description
AdminStatus Specifies whether BFD is enabled.
VersionNumber Specifies the current version number of the BFD protocol.
TrapEnabled Specifies whether BFD traps are sent.

Display BFD Sessions


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

Before You Begin

To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context View
on page 3856. All parameters might not be available in non-default VRFs.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
display information about BFD sessions. You can optionally display BFD session information for IPv4 or
IPv6 interfaces.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select BFD.
3. Select the Sessions tab.
4. (Optional) Select Filter.
5. (Optional) Select AddrType.
6. (Optional) In AddrType, specify a value for address type.

BFD Sessions Field Descriptions


Use the data in the following table to use the Sessions tab.

Name Description
Discriminator Specifies the local discriminator that uniquely identifies the BFD session.
RemoteDiscr Specifies the discriminator of the remote system in the BFD session.
UdpPort Specifies the UDP Port for the BFD session. The default value is the well-known
value for the port.
State Specifies the state of the BFD session. Possible values are Down, Up, Init, and
AdminDown.
Addr Specifies the IP address of the interface associated with the BFD session.
A value of unknown (0) indicates the BFD session is not associated with a
specific interface.
DesiredMinTxInterval Specifies the preferred minimum interval for transmitting BFD control packets
by the local system.
ReqMinTxInterval Specifies the minimum interval for transmitting BFD control packets that the
local system can support.
DestAddr Specifies the destination IP address of the interface associated with the BFD
session.
OldState Specifies the old state of the BFD session.
App Specifies the applications configured on the BFD session.
AppRun Specifies the applications running on the BFD session.
AddrType Specifies the IP address type of the interface associated with this BFD session.
Possible values are ipv4 and ipv6.

Configure BFD for an IPv4 Interface on a Port

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable and configure BFD for an IPv4 interface on a port.

Procedure

1. In the navigation pane, expand Configuration > Edit > Port.


2. Select IP.
3. Select the BFD tab.
4. Select Enable.
5. (Optional) In the MinRxInterval field, specify the minimum receive interval.
6. (Optional) In the TxInterval field, specify the transmit interval.
7. (Optional) In the Multiplier field, specify a value for the multiplier used to calculate a receive
timeout.

BFD Field Descriptions

Use the data in the following table to use the BFD tab.

Name Description
Enable Enable BFD on the port.
MinRxInterval Specifies the minimum interval, in milliseconds, between received BFD control packets
that the local system is capable of supporting. The default is 200 ms.

Note:
The minimum value you can configure for the receive interval is 100 ms. You can
configure a maximum of 4 BFD sessions with the minimum value for the receive
interval. You can configure any remaining BFD sessions with a receive interval that is
greater than or equal to the 200 ms default value.

TxInterval Specifies the transmit interval in milliseconds. The default is 200 ms.

Note:
The minimum value you can configure for the transmit interval is 100 ms. You can
configure a maximum of 4 BFD sessions with the minimum value for the transmit
interval. You can configure any remaining BFD sessions with a transmit interval that is
greater than or equal to the 200 ms default value.

Multiplier Specifies a value for the multiplier used to calculate a receive timeout. The default is 3.

Note:
If you configure the transmit interval or the receive interval as 100 ms, you must
configure a value of 4 or greater for the multiplier.

Configure BFD for an IPv6 Interface on a Port


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable and configure BFD for an IPv6 interface on a port.

Procedure

1. In the navigation pane, expand Configuration > Edit > Port.


2. Select IPv6.
3. Select the IPv6 BFD Interface tab.
4. (Optional) In the MinRxInterval column, double-click the field and type a value for MinRxInterval.
5. (Optional) In the TxInterval column, double-click the field and type a value for TxInterval.
6. (Optional) In the Multiplier column, double-click the field and type a value for Multiplier.

BFD Field Descriptions

Use the data in the following table to use the BFD tab.

Name Description
Interface Specifies the BFD interface.
MinRxInterval Specifies the minimum interval, in milliseconds, between received BFD control packets
that the local system is capable of supporting. The default is 200 ms.

Note:
The minimum value you can configure for the receive interval is 100 ms. You can
configure a maximum of 4 BFD sessions with the minimum value for the receive
interval. You can configure any remaining BFD sessions with a receive interval that is
greater than or equal to the 200 ms default value.

TxInterval Specifies the transmit interval in milliseconds. The default is 200 ms.

Note:
The minimum value you can configure for the transmit interval is 100 ms. You can
configure a maximum of 4 BFD sessions with the minimum value for the transmit
interval. You can configure any remaining BFD sessions with a transmit interval that is
greater than or equal to the 200 ms default value.

Multiplier Specifies a value for the multiplier used to calculate a receive timeout. The default is 3.

Note:
If you configure the transmit interval or the receive interval as 100 ms, you must
configure a value of 4 or greater for the multiplier.

Configure BFD for an IPv4 Interface on a VLAN

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable and configure BFD for an IPv4 interface on a VLAN.

Procedure

1. In the navigation pane, expand Configuration > VLAN.


2. Select VLANs.
3. Select the Basic tab.
4. Select the VLAN on which you want to configure BFD.
5. Select IP.
6. Select BFD.
7. Select Enable.
8. (Optional) In the MinRxInterval field, specify the minimum receive interval.
9. (Optional) In the TxInterval field, specify the transmit interval.

10. (Optional) In the Multiplier field, specify a value for the multiplier used to calculate a receive
timeout.

IP BFD field descriptions

Use the data in the following table to use the BFD tab.

Name Description
Enable Enable BFD on the VLAN.
MinRxInterval Specifies the minimum interval, in milliseconds, between received BFD control packets
that the local system is capable of supporting. The default is 200 ms.

Note:
The minimum value you can configure for the receive interval is 100 ms. You can
configure a maximum of 4 BFD sessions with the minimum value for the receive
interval. You can configure any remaining BFD sessions with a receive interval that is
greater than or equal to the 200 ms default value.

TxInterval Specifies the transmit interval in milliseconds. The default is 200 ms.

Note:
The minimum value you can configure for the transmit interval is 100 ms. You can
configure a maximum of 4 BFD sessions with the minimum value for the transmit
interval. You can configure any remaining BFD sessions with a transmit interval that is
greater than or equal to the 200 ms default value.

Multiplier Specifies a value for the multiplier used to calculate a receive timeout. The default is 3.

Note:
If you configure the transmit interval or the receive interval as 100 ms, you must
configure a value of 4 or greater for the multiplier.

Configure BFD for an IPv6 Interface on a VLAN


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable and configure BFD for an IPv6 interface on a VLAN.

Procedure

1. In the navigation pane, expand Configuration > VLAN.


2. Select VLANs.
3. Select the Basic tab.
4. Select the VLAN on which you want to configure BFD.
5. Select IPV6.
6. Select IPv6 BFD Interface.

7. (Optional) In the MinRxInterval column, double-click the field and type a value for MinRxInterval.
8. (Optional) In the TxInterval column, double-click the field and type a value for TxInterval.
9. (Optional) In the Multiplier column, double-click the field and type a value for Multiplier.

IPV6 BFD Interface field descriptions

Use the data in the following table to use the IPv6 BFD Interface tab.

Name Description
Interface Specifies an index value that uniquely identifies the interface.
Enable Enable BFD on the VLAN.
MinRxInterval Specifies the minimum interval, in milliseconds, between received BFD control packets
that the local system is capable of supporting. The default is 200 ms.

Note:
The minimum value you can configure for the receive interval is 100 ms. You can
configure a maximum of 4 BFD sessions with the minimum value for the receive
interval. You can configure any remaining BFD sessions with a receive interval that is
greater than or equal to the 200 ms default value.

TxInterval Specifies the transmit interval in milliseconds. The default is 200 ms.

Note:
The minimum value you can configure for the transmit interval is 100 ms. You can
configure a maximum of 4 BFD sessions with the minimum value for the transmit
interval. You can configure any remaining BFD sessions with a transmit interval that is
greater than or equal to the 200 ms default value.

Multiplier Specifies a value for the multiplier used to calculate a receive timeout. The default is 3.

Note:
If you configure the transmit interval or the receive interval as 100 ms, you must
configure a value of 4 or greater for the multiplier.

Enable BFD for BGP Peers

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable BFD for Border Gateway Protocol (BGP) peers.

Note
Enabling BFD at the application level does not establish a BFD session. To establish a BFD
session, you must enable BFD globally and at the interface level.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Peers tab.
4. Select Insert.
5. Select BfdEnable.
6. Select Insert.

Peers Field Descriptions


Use the data in the following table to use the Peers tab.

Name Description
Instance Specifies the BGP peer instance.
LocalAddrType Specifies the local IP address type of the entered BGP peer.
LocalAddr Specifies the local IP address of the entered BGP peer.
RemoteAddrType Specifies the remote IP address type of the entered BGP peer.
RemoteAddr Specifies the remote IP address of the entered BGP peer.
AdminStatus Specifies the administrative status of the BGP peer.
GroupName Specifies the peer group name to which the peer belongs
(optional).
PeerState Specifies the BGP peer connection state.
RemoteAs Configures a remote AS number for the peer or peer-group in the
range 0–65535.
Enable Controls whether the peer connection is enabled or disabled. The
default is disabled.
EbgpMultiHop Enables or disables a connection to a BGP peer that is more than
one hop away from the local router. The default value is disable.
RoutePolicyIn Specifies the policy (by name) that applies to all network routes
learned from this peer.
RoutePolicyOut Specifies the policy (by name) that applies to all outgoing route
updates.
RemovePrivateAs Strips (when enabled) private AS numbers when the switch sends
an update. The default is enable.
UpdateSourceInterface Specifies the source IP address to use when the switch sends
eBGP packets to this peer or peer group.
ConnectRetryInterval Specifies the time interval, in seconds, for the connect retry timer.
The suggested value for this timer is 120 seconds. The range is 1 to
65535.
HoldTimeConfigured Specifies the time interval, in seconds, for the hold time for this
BGP speaker with this peer. This value is in an open message sent
to this peer by this BGP speaker. To determine the hold time with
the peer, the switch compares this value with the HoldTime value
in an open message received from the peer. The HoldTime must
be at least three seconds. If the value is zero, the hold time does
not establish with the peer. The suggested value for this timer is
180 seconds. The range is 0 to 65535.
KeepAliveConfigured Specifies the time interval, in seconds, for the KeepAlive
timer configured for this BGP speaker with this peer.
KeepAliveConfigured determines the keep alive message
frequency relative to HoldTimeConfigured; KeepAlive indicates
the actual time interval for the keep alive messages. The
maximum value for this timer is one-third of HoldTimeConfigured.
If KeepAliveConfigured is zero, no periodic keep alive messages
are sent to the peer after the peers establish a BGP connection.
Configure a value of 60 seconds. The range is 0 to 21845.
MD5Authentication Enables and disables MD5 authentication.
AdvertisementInterval Specifies the time interval, in seconds, that elapses between
each transmission of an advertisement from a BGP neighbor. The
default value is 30 seconds and the range is 5–120 seconds.
The route advertisement interval feature is implemented using the
time stamp that indicates when each route is advertised. The time
stamp is marked to each route so that the route advertisement
interval is compared to the time stamp and BGP is then able
to make a decision about whether the route advertisement can
be sent or should be delayed when a better route is received.
This feature does not work for a withdraw route because the
route entry is already removed when the processing route
advertisement is sent and the time stamp marked in the route
entry cannot be obtained.
DefaultOriginate When enabled, specifies that the current route originated from
the BGP peer. This parameter enables or disables sending the
default route information to the specified neighbor or peer. The
default value is false.
DefaultOriginateIpv6 When enabled, specifies that the current IPv6 route originated
from the BGP peer. This parameter enables or disables sending
the default IPv6 route information to the specified neighbor or
peer. The default value is false.
Weight Specifies the peer or peer group weight, or the priority of updates
the system can receive from this BGP peer. The default value is
100 and the range is 0–65535.
MaxPrefix Configures a limit on the number of routes accepted from a
neighbor. The default value is 12000 routes and the range is 0–
2147483647.
A value of 0 means no limit exists.
NextHopSelf Specifies that the next-hop attribute in an iBGP update is the
address of the local router or the router that generates the iBGP
update. The default is disable.
RouteReflectorClient Specifies that this peer is a route reflector client.

Note:
This parameter only applies to VRF 0.

SoftReconfigurationIn When enabled, the router relearns routes from the specified
neighbor or group of neighbors without restarting the connection
after the policy changes in the inbound direction. The default
value is disable.
Enabling SoftReconfigurationIn stores all BGP routes in local
memory (even non-best routes).
DebugMask Displays the specified debug information for the BGP peer. The
default value is none.
• None disables all debug messages.
• Event enables the display of debug event messages.
• State enables display of debug state transition messages.
• Update enables display of debug messages related to updates
transmission and reception.
• Error enables the display of debug error messages.
• Trace enables the display of debug trace messages.
• Init enables the display of debug initialization messages.
• All enables all debug messages.
• Packet enables the display of debug packet messages.
• Warning enables the display of debug warning messages.
• Filter enables the display of debug messages related to
filtering.

SendCommunity Enables or disables sending the community attribute of the
update message to the specified peer. The default value is disable.
Vpnv4Address Specifies the vpnv4 routes.
IpvpnLiteCap Enable or disable IP VPN-lite capability on the BGP neighbor
peer.
Ipv6Cap Enable or disable the IPv6 capability on the BGP neighbor peer.
The default value is disable.
SooAddress Specifies the site-of-origin (SoO) address of the BGP peer.
SooAsNumber Specifies the site-of-origin (SoO) Autonomous System (AS)
number of the BGP peer.
SooAssignedNum Specifies the site-of-origin (SoO) assigned number of the BGP
peer.
SooType Specifies the site-of-origin (SoO) type of the BGP peer.
RouteRefresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to resend
all route updates in the database that are eligible for the peer that
issues the request. This parameter only applies to VRF 0.

AsOverride Specifies that the AS Override parameter can be enabled or
disabled for the BGP peer. The default is disable.
Note:
This field does not apply on all
hardware platforms.

AllowAsIn Specifies the number of AS-in allowed for the BGP peer. The
range is 1–10.
Note:
This field does not apply on all
hardware platforms.

Ipv6RoutePolicyIn Specifies the policy (by name) that applies to all network IPv6
routes learned from this peer.
Ipv6RoutePolicyOut Specifies the policy (by name) that applies to all outgoing IPv6
route updates.
Ipv6MaxPrefix Configures a limit on the number of IPv6 routes accepted from a
neighbor.
A value of 0 means no limit exists.
BfdEnable Enables Bidirectional Forwarding Detection (BFD) for this BGP
peer.

Enable BFD for BGP Peer Groups


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable BFD for Border Gateway Protocol (BGP) peer groups.

Note
Enabling BFD at the application level does not establish a BFD session. To establish a BFD
session, you must enable BFD globally and at the interface level.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Peer Groups tab.
4. Select Insert.

5. Select BfdEnable.
6. Select Insert.

Peer Groups field descriptions


Use the data in the following table to use the Peer Groups tab.

Name Description
Index Specifies the index of this peer group.
GroupName Specifies the peer group to which this neighbor belongs
(optional).
Enable Enables or disables the peer group.
RemoteAs Configures a remote AS number for the peer-group in the range
0–65535.
DefaultOriginate When enabled, the BGP speaker (the local router) sends the
default route 0.0.0.0 to a group of neighbors for use as a default
route. The default is disabled.
DefaultOriginateIpv6 When enabled, the BGP speaker (the local router) sends the
default route to a group of neighbors for use as a default route.
The default is disabled.
EbgpMultiHop When enabled, the switch accepts and attempts BGP connections
to external peers that reside on networks that do not directly
connect. The default is disabled.
AdvertisementInterval Specifies the time interval, in seconds, that elapses between BGP
routing updates. The default value is 30 seconds.
KeepAlive Specifies the time interval, in seconds, between sent BGP keep
alive messages to remote peers. The default value is 60.
HoldTime Configures the hold time for the group of peers in seconds. Use
a value that is three times the value of the KeepAlive time. The
default value is 180.
Weight Assigns an absolute weight to a BGP network. The default value is
100.
MaxPrefix Limits the number of routes accepted from this group of
neighbors. A value of zero indicates no limit. The default value
is 12,000 routes.
NextHopSelf Specifies that the switch must set the NextHop attribute to the
local router address before sending updates to remote peers.
RoutePolicyIn Specifies the route policy that applies to all networks learned from
this group of peers.
RoutePolicyOut Specifies the route policy that applies to all outgoing updates to
this group of peers.
RouteReflectorClient Specifies that this peer group is a route reflector client.

Note:
This parameter only applies to VRF 0.

SoftReconfigurationIn When enabled, the router relearns routes from the specified
neighbor or group of neighbors without restarting the connection
after the policy changes in the inbound direction. The default
value is enable.
Enabling SoftReconfigurationIn stores all BGP routes in local
memory (even non-best routes).
MD5Authentication Enables and disables MD5 authentication. The default is disable.
RemovePrivateAs Strips (when enabled) private AS numbers when the switch sends
an update. The default is enable.
SendCommunity Enables or disables sending the community attribute of the
update message to the specified peer group. The default value
is disable.
AfUpdateSourceInterfaceType Specifies the interface type.
AfUpdateSourceInterface Specifies the IP address used for circuitless IP (CLIP) for this peer
group.
Vpnv4Address Enables BGP address families for IPv4 (BGP) and Layer 3 VPN
(MP-BGP) support. Enable this parameter for VPN/VRF Lite
routes.
IpvpnLiteCap Specifies (when enabled) that IP VPN Lite capability can be
enabled or disabled on the BGP neighbor peer. The default is
disable.
RouteRefresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to resend
all route updates in the database that are eligible for the peer that
issues the request. This parameter only applies to VRF 0.
AsOverride Specifies that the AS Override parameter can be enabled or
disabled for the BGP peer group. The default is disable.
AllowedAsIn Specifies the number of AS-in allowed for the BGP peer group.
The range is 1–10.
IPv6Cap Enable or disable the IPv6 capability on the BGP neighbor peer.
The default value is disable.
Ipv6RoutePolicyIn Specifies the policy (by name) that applies to all network IPv6
routes learned from this peer.
Ipv6RoutePolicyOut Specifies the policy (by name) that applies to all outgoing IPv6
route updates.
Ipv6MaxPrefix Configures a limit on the number of IPv6 routes accepted from a
neighbor.
A value of 0 means no limit exists.
BfdEnable Enables Bidirectional Forwarding Detection (BFD) for the BGP
peer group.

Enable BFD for BGPv6 Peers


About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable BFD for BGPv6 peers.

Note
Enabling BFD at the application level does not establish a BFD session. To establish a BFD
session, you must enable BFD globally and at the interface level.

Note
BFD for IPv6 interfaces is a demonstration feature on some products. For more information
about feature support, see VOSS Feature Support Matrix.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select BGP+.
3. Select the Peers tab.
4. Select Insert.
5. Select BfdEnable.

Peers Field Descriptions


Use the data in the following table to use the Peers tab.

Name Description
RemoteAddr Specifies the remote IPv6 address of the entered BGP+ peer.
GroupName Specifies the peer group name to which the peer belongs
(optional).
PeerState Specifies the BGPv6 peer connection state.
RemoteAs Configures a remote AS number for the peer or peer-group in the
range 0 to 65535.
Enable Controls whether the peer connection is enabled or disabled. The
default is disabled.
EbgpMultiHop Enables or disables a connection to a BGPv6 peer that is more
than one hop away from the local router. The default value is
disable.
RoutePolicyIn Specifies the policy (by name) that applies to all network routes
learned from this peer.
RoutePolicyOut Specifies the policy (by name) that applies to all outgoing route
updates.
RemovePrivateAs Strips (when enabled) private AS numbers when the switch sends
an update. The default is enable.
UpdateSourceInterface Specifies the source IP address to use when the switch sends
eBGP packets to this peer or peer group.

ConnectRetryInterval Specifies the time interval, in seconds, for the connect retry timer.
The suggested value for this timer is 120 seconds. The range is 1 to
65535.
HoldTimeConfigured Specifies the time interval, in seconds, for the hold time for this
BGP speaker with this peer. This value is in an open message sent
to this peer by this BGP speaker. To determine the hold time with
the peer, the switch compares this value with the HoldTime value
in an open message received from the peer. The HoldTime must
be at least three seconds. If the value is zero, the hold time does
not establish with the peer. The suggested value for this timer is
180 seconds. The range is 0 to 65535.
KeepAliveConfigured Specifies the time interval, in seconds, for the KeepAlive
timer configured for this BGP speaker with this peer.
KeepAliveConfigured determines the keep alive message
frequency relative to HoldTimeConfigured; KeepAlive indicates
the actual time interval for the keep alive messages. The
maximum value for this timer is one-third of HoldTimeConfigured.
If KeepAliveConfigured is zero, no periodic keep alive messages
are sent to the peer after the peers establish a BGP connection.
Configure a value of 60 seconds. The range is 0 to 21845.
MD5Authentication Enables and disables MD5 authentication.
AdvertisementInterval Specifies the time interval, in seconds, that elapses between each
transmission of an advertisement from a BGPv6 neighbor. The
default value is 30 seconds and the range is 5 to 120 seconds.
The route advertisement interval feature is implemented using the
time stamp that indicates when each route is advertised. The time
stamp is marked to each route so that the route advertisement
interval is compared to the time stamp and BGP is then able
to make a decision about whether the route advertisement can
be sent or should be delayed when a better route is received.
This feature does not work for a withdraw route because the
route entry is already removed when the processing route
advertisement is sent and the time stamp marked in the route
entry cannot be obtained.
DefaultOriginateIpv6 When enabled, specifies that the current IPv6 route originated
from the BGP peer. This parameter enables or disables sending
the default IPv6 route information to the specified neighbor or
peer. The default value is false.
Weight Specifies the peer or peer group weight, or the priority of updates
the system can receive from this BGP peer. The default value is
100 and the range is 0 to 65535.
MaxPrefix Configures a limit on the number of routes accepted from a
neighbor. The default value is 12000 routes and the range is 0
to 2147483647.
A value of 0 means no limit exists.
NextHopSelf Specifies that the next-hop attribute in an iBGP update is the
address of the local router or the router that generates the iBGP
update. The default is disable.

RouteReflectorClient Specifies that this peer is a route reflector client.

Note:
This parameter only applies to VRF 0.

SoftReconfigurationIn When enabled, the router relearns routes from the specified
neighbor or group of neighbors without restarting the connection
after the policy changes in the inbound direction. The default
value is disable.
Enabling SoftReconfigurationIn stores all BGP routes in local
memory (even non-best routes).
DebugMask Displays the specified debug information for the BGP peer. The
default value is none.
• None disables all debug messages.
• Event enables the display of debug event messages.
• State enables display of debug state transition messages.
• Update enables display of debug messages related to updates
transmission and reception.
• Error enables the display of debug error messages.
• Trace enables the display of debug trace messages.
• Init enables the display of debug initialization messages.
• All enables all debug messages.
• Packet enables the display of debug packet messages.
• Warning enables the display of debug warning messages.
• Filter enables the display of debug messages related to
filtering.

SendCommunity Enables or disables sending the community attribute of the
update message to the specified peer. The default value is disable.
IpvpnLiteCap Enable or disable IP VPN-lite capability on the BGP neighbor
peer.
Ipv6Cap Enable or disable the IPv6 capability on the BGP neighbor peer.
The default value is disable.
RouteRefresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to resend
all route updates in the database that are eligible for the peer that
issues the request. This parameter only applies to VRF 0.
AsOverride Specifies that the AS Override parameter can be enabled or
disabled for the BGP peer. The default is disable.
Note:
This field does not apply on all
hardware platforms.

AllowAsIn Specifies the number of AS-in allowed for the BGP peer. The
range is 1–10.
Note:
This field does not apply on all
hardware platforms.

Ipv6RoutePolicyIn Specifies the policy (by name) that applies to all network IPv6
routes learned from this peer.
Ipv6RoutePolicyOut Specifies the policy (by name) that applies to all outgoing IPv6
route updates.
Ipv6MaxPrefix Configures a limit on the number of IPv6 routes accepted from a
neighbor.
A value of 0 means no limit exists.
BfdEnable Enables Bidirectional Forwarding Detection (BFD) for this peer.
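
The following Python code is an added example, not part of the VOSS guide or of Extreme Networks software. It checks one peer's planned values against the ranges and timer relationships in the Peers field descriptions above, and flags settings that leave the peering loosely protected (no prefix limit, MD5 authentication disabled, BfdEnable selected without global and interface-level BFD). The dictionary layout, the Python booleans, and the bfd_global and bfd_interface arguments are assumptions.

```python
# Added example, not Extreme Networks code. Field names come from the Peers
# field descriptions; the dict layout and Python booleans are assumptions.

RANGES = {  # field: (low, high), as stated in the field descriptions
    "RemoteAs": (0, 65535),
    "ConnectRetryInterval": (1, 65535),
    "HoldTimeConfigured": (0, 65535),
    "KeepAliveConfigured": (0, 21845),
    "AdvertisementInterval": (5, 120),
    "Weight": (0, 65535),
    "MaxPrefix": (0, 2147483647),
}

# Constructed sample: planned values for one BGP+ peer (documentation prefix).
SAMPLE_PEER = {
    "RemoteAddr": "2001:db8::2",
    "RemoteAs": 65010,
    "HoldTimeConfigured": 90,
    "KeepAliveConfigured": 60,
    "AdvertisementInterval": 3,
    "MaxPrefix": 0,
    "MD5Authentication": False,
    "BfdEnable": True,
}


def audit_bgp_peer(peer, bfd_global, bfd_interface):
    """Return (severity, field, message) findings for one peer.

    bfd_global / bfd_interface: whether BFD is enabled globally and on the
    interface toward the peer (hypothetical inputs, not fields of the tab).
    """
    findings = []

    # 1. Range checks for every numeric field that is present.
    for field, (low, high) in RANGES.items():
        value = peer.get(field)
        if value is not None and not low <= value <= high:
            findings.append(("error", field, f"{value} is outside {low} to {high}"))

    # 2. Hold time and keepalive relationship.
    hold = peer.get("HoldTimeConfigured")
    keep = peer.get("KeepAliveConfigured")
    if hold == 0:
        findings.append(("warn", "HoldTimeConfigured",
                         "0 means the hold time does not establish with the peer"))
    elif hold is not None and hold < 3:
        findings.append(("error", "HoldTimeConfigured",
                         "a nonzero hold time must be at least 3 seconds"))
    if keep == 0:
        findings.append(("warn", "KeepAliveConfigured",
                         "0 means no periodic keepalive messages are sent"))
    elif keep is not None and hold and keep * 3 > hold:
        findings.append(("error", "KeepAliveConfigured",
                         f"{keep} exceeds one-third of HoldTimeConfigured ({hold})"))

    # 3. Settings that widen what the peer can do to the local router.
    if peer.get("MaxPrefix") == 0:
        findings.append(("warn", "MaxPrefix",
                         "0 removes the limit on routes accepted from this neighbor"))
    if peer.get("MD5Authentication") is False:
        findings.append(("warn", "MD5Authentication",
                         "MD5 authentication is disabled for this peer"))

    # 4. Application-level BFD alone does not establish a session.
    if peer.get("BfdEnable") and not (bfd_global and bfd_interface):
        findings.append(("warn", "BfdEnable",
                         "BFD must also be enabled globally and at the interface level"))
    return findings


if __name__ == "__main__":
    results = audit_bgp_peer(SAMPLE_PEER, bfd_global=True, bfd_interface=False)
    for severity, field, message in results:
        print(f"{severity:5} {field}: {message}")
```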

Enable BFD for OSPF on an IPv4 Port Interface

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable BFD for the OSPF protocol on an IPv4 port interface.

Note
Enabling BFD at the application level does not establish a BFD session. To establish a BFD
session, you must enable BFD globally and at the interface level.

Procedure

1. In the Device Physical View tab, select a port.


2. In the navigation pane, expand Configuration > Edit > Port.
3. Select IP.
4. Select the OSPF tab.
5. Select BfdEnable.

OSPF Field Descriptions


Use the data in the following table to use the OSPF tab.

Name Description
Enable Enables or disables OSPF routing on the specified port. The
default is false.
HelloInterval Specifies the length of time, in seconds, between the transmission
of hello packets. This value must be the same for all routers
attached to a common network. The default is 10 seconds.
After you change the hello interval values, you must save the
configuration file, and then restart the switch. After the switch
restarts, it restores the values and checks for consistency.

RtrDeadInterval Specifies the interval used by adjacent routers to determine if
the router was removed from the network. This interval must
be identical on all routers on the subnet, and a minimum of
four times the hello interval. To avoid interoperability issues, the
RtrDeadInterval value for the OSPF interface needs to match
with the RtrDeadInterval value for the OSPF virtual interface. The
default is 40 seconds.
DesigRtrPriority Specifies the priority of this port in multiaccess networks to use
in the designated router election algorithm. The value 0 indicates
the router is not eligible to become the designated router on this
particular network. If a tie occurs, routers use their router ID as a
tie breaker. The default is 1.
Metric Specifies the metric for the type of service (TOS) on this port. The
value of the TOS metric is (10^9 / interface speed). The default is 1.
• FFFF—No route exists for this TOS.
• IPCP links—Defaults to 0.
• 0—Use the interface speed as the metric value when the state
of the interface is up.

AuthType Specifies the type of authentication required for the interface.
• none—Specifies that no authentication is required.
• simple password—Specifies that all OSPF updates received by
the interface must contain the authentication key specified in
the interface AuthKey parameter.
• MD5 authentication—Specifies that all OSPF updates received
by the interface must contain the MD5 key.
• sha1—Specifies secure hash algorithm (SHA-1), which is a
cryptographic hash function that produces a 160-bit hash
value, usually given in a hexadecimal number, 40 digits long.
You can only access and enable the SHA-1 authentication type
after you enable enhanced secure mode.
• sha-2—Specifies SHA-2, which offers the hash function
SHA-256.

Note:
sha-2, an update of SHA-1, can offer six hash functions that
include SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224,
SHA-512/256, with hash values that are 224, 256, 384, or 512
bits. However, the current release supports only SHA-256.

AuthKey Specifies the key (up to 8 characters) when you specify simple
password authentication in the port AuthType variable.
AreaId Specifies the OSPF area name in dotted-decimal format.
The area name is not related to an IP address. You can use a
suitable value for the OSPF area name (for example, 1.1.1.1 or
200.200.200.200).

AdvertiseWhenDown Advertises the network on this port as up, even if the port is down.
The default is false.
After you configure a port with no link and enable
AdvertiseWhenDown, it does not advertise the route until the
port is active. Then, OSPF advertises the route even if the link
is down. To disable advertising based on link-states, disable
AdvertiseWhenDown.
IfType Specifies the type of OSPF interface (broadcast, NBMA, passive, or
p2p).
Before you change an OSPF interface type, you must first disable
the interface. If the interface is an NBMA interface, you must also
delete all configured neighbors.

Note:
Exception: p2p interface does not apply to VSP 8600 Series.

PollInterval Specifies the length of time, in seconds, between hello packets
sent to an inactive OSPF router. Neighbors must have the same
poll interval.
IfMtuIgnore Specifies whether the interface ignores the global maximum
transmission unit (MTU) configuration. To allow the switch to
accept OSPF database description (DD) packets with a different
MTU size, enable MtuIgnore. The interface drops incoming OSPF
DD packets if their MTU is greater than 1500 bytes.
BfdEnable Enable Bidirectional Forwarding Detection (BFD) for OSPF.

Enable BFD for OSPF on an IPv4 VLAN Interface

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable OSPF BFD on an IPv4 VLAN interface.

Note
Enabling BFD at the application level does not establish a BFD session. To establish a BFD
session, you must enable BFD globally and at the interface level.

Procedure

1. In the navigation pane, expand Configuration > VLAN.


2. Select VLANs.
3. Select the Basic tab.
4. Select the VLAN on which you want to enable BFD for OSPF.
5. Select IP.
6. Select OSPF.
7. Select BfdEnable.


OSPF Field Descriptions


Use the data in the following table to use the OSPF tab.

Name Description
Enable Enables or disables OSPF routing on the specified VLAN. The
default is false.
HelloInterval Specifies the length of time, in seconds, between the transmission
of hello packets. This value must be the same for all routers
attached to a common network. The default is 10 seconds.
After you change the hello interval values, you must save the
configuration file, and then restart the switch. After the switch
restarts, it restores the values and checks for consistency.
RtrDeadInterval Specifies the interval used by adjacent routers to determine if
the router was removed from the network. This interval must
be identical on all routers on the subnet and a minimum of
four times the hello interval. To avoid interoperability issues, the
RtrDeadInterval value for the OSPF interface needs to match
with the RtrDeadInterval value for the OSPF virtual interface. The
default is 40 seconds.
DesigRtrPriority Specifies the priority of this VLAN in multiaccess networks to use
in the designated router election algorithm. The value 0 indicates
the router is not eligible to become the designated router on this
particular network. If a tie occurs, routers use their router ID as a
tie breaker. The default is 1.
Metric Specifies the metric for this TOS on this VLAN. The value of the
TOS metric is (10^9 / interface speed). The default is 1.
• FFFF—No route exists for this TOS.
• IPCP links—Defaults to 0.
• 0—Use the interface speed as the metric value when the state
of the interface is up.

AuthType Specifies the type of authentication required for the interface.
• none—Specifies that no authentication is required.
• simple password—Specifies that all OSPF updates received by
the interface must contain the authentication key specified in
the interface AuthKey parameter.
• MD5 authentication—Specifies that all OSPF updates received
by the interface must contain the MD5 key.
• sha1—Specifies secure hash algorithm 1 (SHA-1), which is a
cryptographic hash function that produces a 160-bit hash value,
usually given in a hexadecimal number, 40 digits long. You can
only access and enable the SHA-1 authentication type after you
enable enhanced secure mode.
• sha-2—Specifies SHA-2, which offers the hash function
SHA-256.

Note:
sha-2, an update of SHA-1, can offer six hash functions that
include SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224,
SHA-512/256, with hash values that are 224, 256, 384, or 512
bits. However, the current release supports only SHA-256.

AuthKey Specifies the key (up to eight characters) when you specify simple
password authentication in the VLAN AuthType variable.
AreaId Specifies the OSPF area name in dotted-decimal format.
The area name is not related to an IP address. You can use a
suitable value for the OSPF area name (for example, 1.1.1.1 or
200.200.200.200).
AdvertiseWhenDown Advertises the network even if the port is down. If true, OSPF
advertises the network on this VLAN as up, even if the port is
down. The default is false.
After you configure a port without a link and enable
AdvertiseWhenDown, it does not advertise the route until the
port is active. Then, OSPF advertises the route even when the
link is down. To disable advertising based on link states, disable
AdvertiseWhenDown.
IfType Specifies the type of OSPF interface (broadcast, NBMA, passive, or
p2p).
Before you change an OSPF interface type, you must first disable
the interface. If the interface is an NBMA interface, you must also
delete all configured neighbors.

Note:
Exception: p2p interface does not apply to VSP 8600 Series.

PollInterval Specifies the length of time, in seconds, between hello packets
sent to an inactive OSPF router. Neighbors must use the same poll
interval.
IfMtuIgnore Specifies whether the VLAN ignores the MTU configuration. To
allow the switch to accept OSPF DD packets with a different MTU
size, enable MtuIgnore. The interface drops incoming OSPF DD
packets if their MTU is greater than 1500 bytes.
BfdEnable Enables Bidirectional Forwarding Detection (BFD) for OSPF.
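
The following Python code is an added example, not part of the VOSS guide or of Extreme Networks software. It applies the rules from the port and VLAN OSPF field descriptions above to the interfaces of several routers on one common network: intervals that must match, a dead interval of at least four times the hello interval, the AuthKey length limit, the enhanced secure mode requirement for sha1, and the weaker AuthType choices. The per-router dictionaries, the router names, and the enhanced_secure_mode key are assumptions.

```python
# Added example, not Extreme Networks code. Field names and AuthType values
# come from the OSPF field descriptions; the input layout is an assumption.

KNOWN_AUTH = ("none", "simple password", "MD5 authentication", "sha1", "sha-2")
MUST_MATCH = ("HelloInterval", "RtrDeadInterval", "PollInterval")
DEFAULTS = {"HelloInterval": 10, "RtrDeadInterval": 40}  # defaults from the table

# Constructed sample: three routers attached to the same network.
SAMPLE_NETWORK = {
    "rtr-a": {"HelloInterval": 10, "RtrDeadInterval": 40, "AuthType": "sha-2"},
    "rtr-b": {"HelloInterval": 5, "RtrDeadInterval": 15,
              "AuthType": "simple password", "AuthKey": "toolongkey"},
    # enhanced_secure_mode is a hypothetical key for the device-level setting.
    "rtr-c": {"AuthType": "sha1", "enhanced_secure_mode": False},
}


def audit_ospf_network(interfaces):
    """Return (severity, router, field, message) findings.

    interfaces maps a router name to that router's OSPF interface values.
    Findings that concern the whole network use "*" as the router name.
    """
    findings = []

    for router, cfg in interfaces.items():
        hello = cfg.get("HelloInterval", DEFAULTS["HelloInterval"])
        dead = cfg.get("RtrDeadInterval", DEFAULTS["RtrDeadInterval"])
        if dead < 4 * hello:
            findings.append(("error", router, "RtrDeadInterval",
                             f"{dead} is less than four times HelloInterval ({hello})"))

        auth = cfg.get("AuthType")
        key = cfg.get("AuthKey", "")
        if auth is None:
            pass  # not supplied, nothing to judge
        elif auth not in KNOWN_AUTH:
            findings.append(("error", router, "AuthType", f"unknown value {auth!r}"))
        elif auth == "none":
            findings.append(("warn", router, "AuthType",
                             "OSPF updates are accepted without authentication"))
        elif auth == "simple password":
            findings.append(("warn", router, "AuthType",
                             "the key itself is carried in every OSPF update"))
            if not key:
                findings.append(("error", router, "AuthKey",
                                 "simple password needs an AuthKey"))
            elif len(key) > 8:
                findings.append(("error", router, "AuthKey",
                                 f"{len(key)} characters, the limit is 8"))
        elif auth == "MD5 authentication":
            findings.append(("warn", router, "AuthType",
                             "MD5 is a weaker digest than the SHA-256 of sha-2"))
        elif auth == "sha1" and not cfg.get("enhanced_secure_mode", False):
            findings.append(("error", router, "AuthType",
                             "sha1 is available only after enhanced secure mode is enabled"))

    # Values that must be the same on every router attached to the network.
    for field in MUST_MATCH:
        values = {r: c.get(field, DEFAULTS.get(field)) for r, c in interfaces.items()}
        distinct = {v for v in values.values() if v is not None}
        if len(distinct) > 1:
            findings.append(("error", "*", field, f"values differ: {values}"))
    return findings


if __name__ == "__main__":
    for severity, router, field, message in audit_ospf_network(SAMPLE_NETWORK):
        print(f"{severity:5} {router:6} {field}: {message}")
```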

Enable BFD for OSPF on an IPv6 Port Interface


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable BFD for the OSPF protocol on an IPv6 port interface.

Note
Enabling BFD at the application level does not establish a BFD session. To establish a BFD
session, you must enable BFD globally and at the interface level.

Procedure

1. In the Device Physical View tab, select a port.


2. In the navigation pane, expand Configuration > Edit > Port.


3. Select IPv6.
4. Select the IPv6 OSPF Interface tab.
5. Select Insert.
6. Select BfdEnable.

IPv6 OSPFv3 Interface Field Descriptions


Use the data in the following table to use the IPv6 OSPFv3 Interface tab.

Name Description
Index Specifies the interface index for the IPv6 interface
on which OSPFv3 is configured.
AreaId Specifies the area ID to which the IPv6 interface
connects. Use 0.0.0.0 for the OSPFv3 backbone.
Type Specifies the OSPFv3 interface type as one of the
following:
• broadcast
• NBMA
• point-to-point
• point-to-multipoint
• passive

Note:
Value is not configurable for OSPFv3 CLIP interfaces.

AdminStat Specifies the administrative status for the OSPFv3
interface. If you enable the status, it is advertised
as an internal route to some areas. If you disable
the status, the interface is external to OSPFv3. The
default is enabled.
RtrPriority Specifies the priority of this interface. Multiaccess
networks use the priority in the designated router
election.
A higher priority value increases the chance the
router becomes the designated router. A value of
zero (0) indicates the router cannot become the
designated router for the network. If more than
one router uses the same priority value, the router
ID determines the designated router.
The default is 1.

Note:
Value is not configurable for OSPFv3 CLIP interfaces.

TransitDelay Specifies the estimated number of seconds to
transmit a link-state-update packet over this
interface. The default is 1.

Note:
Value is not configurable for OSPFv3 CLIP interfaces.

RetransInterval Specifies the number of seconds between
retransmission of link-state advertisements for the
adjacencies that belong to this interface, and
for database description and link-state request
packets. The default is 5.

Note:
Value is not configurable for OSPFv3 CLIP interfaces.

HelloInterval Specifies the number of seconds between the
hello packets that the router sends on this
interface. You must configure this field to the
same value for all routers attached to a common
network. The default is 10.

Note:
Value is not configurable for OSPFv3 CLIP interfaces.

RtrDeadInterval Specifies the number of seconds after which to
declare a router down if no hello packets are
received. You must configure this field to the
same value for all routers attached to a common
network. The default is 40.

Note:
Value is not configurable for OSPFv3 CLIP interfaces.

PollInterval Specifies the number of seconds between hello
packets sent to an inactive NBMA neighbor. The
default is 120.

Note:
Value is not configurable for OSPFv3 CLIP interfaces.

State Shows the state of the OSPFv3 interface as one of
the following:
• down
• loopback
• waiting
• pointToPoint
• designatedRouter
• backupDesignatedRouter
• otherDesignatedRouter

DesignatedRouter Shows the router ID for the designated router.
BackupDesignatedRouter Shows the router ID for the backup designated
router.
MetricValue Specifies the cost for the interface. The default
value for a brouter port or VLAN is 1. The default
value for a tunnel is 100.

Note:
If you do not specify a cost for the interface,
the switch dynamically updates the interface cost
with the configured global OSPF default cost. The
global OSPF default cost depends on the speed of
the interface.

Note:
Value is not configurable for OSPFv3 CLIP interfaces.

LinkLsaSuppression Specifies whether Link LSA suppression is
enabled.

Note:
Value is not configurable for OSPFv3 CLIP interfaces.


Enable BFD for OSPF on an IPv6 VLAN Interface


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

About This Task

BFD provides a failure-detection mechanism between two systems. Use the following procedure to
enable OSPF BFD on an IPv6 VLAN interface.

Note
Enabling BFD at the application level does not establish a BFD session. To establish a BFD
session, you must enable BFD globally and at the interface level.

Procedure

1. In the navigation pane, expand the Configuration > VLAN folders.


2. Select VLANs.
3. Select the Basic tab.
4. Select the VLAN on which you want to enable BFD for OSPF.
5. Select IPV6.
6. Select IPv6 OSPF Interface.
7. Select Insert.
8. Select BfdEnable.

IPv6 OSPF Interface Field Descriptions


Use the data in the following table to use the IPv6 OSPF Interface tab.

Name Description
Index Shows the interface index for the IPv6 interface on
which OSPFv3 is configured.
AreaId Specifies the area ID to which the IPv6 interface
connects. Use 0.0.0.0 for the OSPFv3 backbone.
Type Specifies the OSPFv3 interface type as one of the
following:
• broadcast
• NBMA
• point-to-point
• point-to-multipoint
• passive

AdminStat Specifies the administrative status for the OSPFv3
interface. If you enable the status, it is advertised
as an internal route to some areas. If you disable
the status, the interface is external to OSPFv3. The
default is enabled.

RtrPriority Specifies the priority of this interface. Multiaccess
networks use the priority in the designated router
election.
A higher priority value increases the chance the
router becomes the designated router. A value of
zero (0) indicates the router cannot become the
designated router for the network. If more than
one router uses the same priority value, the router
ID determines the designated router.
The default is 1.
TransitDelay Specifies the estimated number of seconds to
transmit a link-state-update packet over this
interface. The default is 1.
RetransInterval Specifies the number of seconds between
retransmission of link-state advertisements for the
adjacencies that belong to this interface, and
for database description and link-state request
packets. The default is 5.
HelloInterval Specifies the number of seconds between the
hello packets that the router sends on this
interface. You must configure this field to the
same value for all routers attached to a common
network. The default is 10.
RtrDeadInterval Specifies the number of seconds after which to
declare a router down if no hello packets are
received. You must configure this field to the
same value for all routers attached to a common
network. The default is 40.
PollInterval Specifies the number of seconds between hello
packets sent to an inactive NBMA neighbor. The
default is 120.
State Shows the state of the OSPFv3 interface as one of
the following:
• down
• loopback
• waiting
• pointToPoint
• designatedRouter
• backupDesignatedRouter
• otherDesignatedRouter

DesignatedRouter Shows the router ID for the designated router.


BackupDesignatedRouter Shows the router ID for the backup designated
router.

Name Description
MetricValue Specifies the cost for the interface. The default
value for a brouter port or VLAN is 1. The default
value for a tunnel is 100.

Note:
If you do not specify a cost for the interface,
the switch dynamically updates the interface cost
with the configured global OSPF default cost. The
global OSPF default cost depends on the speed of
the interface.

LinkLsaSuppression Specifies whether Link LSA suppression is
enabled.
BfdEnable Enables Bidirectional Forwarding Detection (BFD)
for OSPF.

Configure BFD on an IPv4 Static Route

Procedure

1. In the navigation pane, expand Configuration > IP.
2. Select BFD.
3. Select Insert.
4. In the NextHop field, type the IPv4 address of the next hop of the BFD session.
5. (Optional) In the VrfId field, type the ID of the VRF associated with the BFD session.

BFD Static Route Field Descriptions

Use the data in the following table to use the Static Route tab.

Name Description
NextHop Specifies the IPv4 address of the next hop of the BFD session.
VrfId Specifies the ID of the VRF associated with the BFD session.
VrfName Specifies the name of the VRF associated with the BFD session.

Configure BFD on an IPv6 Static Route


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

Procedure

1. In the navigation pane, expand Configuration > IPv6.
2. Select IPv6 BFD.
3. Select Insert.
4. In the Interface field, select either Port or Vlan and select an interface.

5. In the NextHop field, type the IPv6 address of the next hop of the BFD session.
6. (Optional) In the VrfId field, type the ID of the VRF associated with the BFD session.

IPv6 BFD Static Route Field Descriptions

Use the data in the following table to use the Static Route tab.

Name Description
Interface Specifies either a port or VLAN interface.
NextHop Specifies the IPv6 address of the next hop of the BFD session.
VrfId Specifies the ID of the VRF associated with the BFD session.
VrfName Specifies the name of the VRF associated with the BFD session.

Display BFD Performance Counters


BFD for IPv6 interfaces is a demonstration feature on some products. For more information about
feature support, see VOSS Feature Support Matrix.

Procedure

1. In the navigation pane, expand Configuration > Edit.
2. Select BFD.
3. Select the Performance counters tab.

BFD Performance Counters Field Descriptions

Use the data in the following table to use the Performance counters tab.

Name Description
PktIn Specifies the total number of BFD messages received for this BFD session.
PktOut Specifies the total number of BFD messages sent for this BFD session.


BGP
BGP fundamentals
BGP configuration using CLI
BGP Verification Using CLI
BGP configuration using EDM
BGP Configuration Examples

The following sections provide conceptual information and procedures that you can use to configure
Border Gateway Protocol (BGP) services. The following operations are supported by BGP:
• IPv4
• 4-byte AS
• Peer groups
• Redistribution

Examples and network illustrations in these sections illustrate only one of the supported platforms.
Unless otherwise noted, the concept illustrated applies to all supported platforms.

BGP fundamentals

Table 51: Border Gateway Protocol product support

Feature                                     Product           Release introduced
Border Gateway Protocol for IPv4 (BGPv4)    VSP 4450 Series   VSP 4000 4.0
                                            VSP 4900 Series   VOSS 8.1
                                            VSP 7200 Series   VOSS 4.2.1
                                            VSP 7400 Series   VOSS 8.0
                                            VSP 8200 Series   VOSS 4.1
                                            VSP 8400 Series   VOSS 4.2
                                            VSP 8600 Series   VSP 8600 4.5
                                            XA1400 Series     VOSS 8.0.50
BGP+ (BGPv4 for IPv6)                       VSP 4450 Series   VOSS 5.0
                                            VSP 4900 Series   VOSS 8.1
                                            VSP 7200 Series   VOSS 5.0
                                            VSP 7400 Series   VOSS 8.0
                                            VSP 8200 Series   VOSS 5.0
                                            VSP 8400 Series   VOSS 5.0
                                            VSP 8600 Series   VSP 8600 6.2
                                            XA1400 Series     Not Supported
BGPv6                                       VSP 4450 Series   VOSS 7.0
                                            VSP 4900 Series   VOSS 8.1
                                            VSP 7200 Series   VOSS 7.0
                                            VSP 7400 Series   VOSS 8.0
                                            VSP 8200 Series   VOSS 7.0
                                            VSP 8400 Series   VOSS 7.0
                                            VSP 8600 Series   VSP 8600 8.0
                                            XA1400 Series     Not Supported
External BGP (eBGP)                         VSP 4450 Series   VSP 4000 4.0
                                            VSP 4900 Series   VOSS 8.1
                                            VSP 7200 Series   VOSS 4.2.1
                                            VSP 7400 Series   VOSS 8.0
                                            VSP 8200 Series   VOSS 4.1
                                            VSP 8400 Series   VOSS 4.2
                                            VSP 8600 Series   VSP 8600 4.5
                                            XA1400 Series     VOSS 8.0.50
Internal BGP (iBGP)                         VSP 4450 Series   VOSS 4.2
                                            VSP 4900 Series   VOSS 8.1
                                            VSP 7200 Series   VOSS 4.2.1
                                            VSP 7400 Series   VOSS 8.0
                                            VSP 8200 Series   VOSS 4.2
                                            VSP 8400 Series   VOSS 4.2
                                            VSP 8600 Series   VSP 8600 4.5
                                            XA1400 Series     VOSS 8.0.50
Route metric for BGP route redistribution   VSP 4450 Series   VOSS 6.1
                                            VSP 4900 Series   VOSS 8.1
                                            VSP 7200 Series   VOSS 6.1
                                            VSP 7400 Series   VOSS 8.0
                                            VSP 8200 Series   VOSS 6.1
                                            VSP 8400 Series   VOSS 6.1
                                            VSP 8600 Series   VSP 8600 8.0
                                            XA1400 Series     VOSS 8.0.50
iBGP over user-created VRFs                 VSP 4450 Series   VOSS 8.1
                                            VSP 4900 Series   VOSS 8.1
                                            VSP 7200 Series   VOSS 8.1
                                            VSP 7400 Series   VOSS 8.1
                                            VSP 8200 Series   VOSS 8.1
                                            VSP 8400 Series   VOSS 8.1
                                            VSP 8600 Series   VSP 8600 8.0 - demonstration feature
                                            XA1400 Series     Not Supported

Border Gateway Protocol (BGP) is an inter-domain routing protocol that provides loop-free routing
between autonomous systems (AS) or within an AS. This section describes the major BGP features.

Autonomous Systems
An autonomous system (AS) is a group of routers and hosts run by a single technical administrator
that has a single, clearly defined routing policy. Each AS uses a unique AS number assigned by the
appropriate Internet Registry entity. LANs and WANs interconnected by IP routers form a group
of networks called an internetwork. For administrative purposes, internetworks are divided into
boundaries known as autonomous systems.

The following figure shows a sample internetwork segmented into three autonomous systems.

Figure 17: Internetwork segmented into three autonomous systems


BGP exchanges information between autonomous systems as well as between routers within the same
AS. As shown in the preceding figure, routers that are members of the same AS and exchange BGP
updates run internal BGP (iBGP), and routers that are members of different autonomous systems and
exchange BGP updates run external BGP (eBGP).

Internal and external BGP routing


The switch supports both iBGP intra-AS routing and eBGP external-AS routing. With iBGP, each router
within an AS runs an interior gateway protocol (IGP), such as Routing Information Protocol (RIP) or
Open Shortest Path First (OSPF). The iBGP information, along with the IGP route to the originating BGP
border router, determines the next hop to use to exchange information with an external AS. Each router
uses iBGP exclusively to determine reachability to external autonomous systems. After a router receives
an iBGP update destined for an external AS, it passes the update to IP for inclusion in the routing table
only if a viable IGP route to the correct border gateway is available.

BGP speakers in different autonomous systems use eBGP to communicate routing information.

BGP speaker
BGP routers employ an entity within the router, referred to as a BGP speaker, which transmits and
receives BGP messages and acts upon them. BGP speakers establish a peer-to-peer session with other
BGP speakers to communicate.

All BGP speakers within an AS must be fully meshed. The following figure shows a BGP network with
fully-meshed BGP speakers.

Figure 18: BGP networks

Transit AS
An AS with more than one BGP speaker can use iBGP to provide a transit service for networks located
outside the AS. An AS that provides this service is a transit AS. As shown in the preceding figure (BGP
networks), AS 40 is the transit AS. AS 40 provides information about the internal networks, as well as
transit networks, to the remaining autonomous systems. The iBGP connections between routers D, E,
and F provide consistent routing information to the autonomous systems.

Stub and multihomed autonomous systems


As shown in the preceding figure (BGP networks), an AS can include one or more BGP speakers that
establish peer-to-peer sessions with BGP speakers in other autonomous systems to provide external
route information for the networks within the AS.

A stub AS has a single BGP speaker that establishes a peer-to-peer session with one external BGP
speaker. In this case, the BGP speaker provides external route information only for the networks within
its own AS.

A multihomed AS has multiple BGP speakers.

Peers
BGP uses Transmission Control Protocol (TCP) as a transport protocol. When two routers open a TCP
connection to each other for the purpose of exchanging routing information, they form a peer-to-peer
relationship. In the preceding figure, BGP networks, Routers A and D are BGP peers, as are Routers B
and E, C and E, F and G, and Routers D, E, and F.

Although Routers A and D run eBGP, Routers D, E, and F within AS 40 run iBGP. The eBGP peers
directly connect to each other, while the iBGP peers do not. As long as an IGP operates and allows two
neighbors to logically communicate, the iBGP peers do not require a direct connection.

Note
You cannot create the same iBGP peers on two different VRFs, or the same eBGP peers on
two different chassis. Only one local autonomous system (AS) can exist for each chassis or
VRF.

Because all BGP speakers within an AS must be fully meshed logically, the iBGP mesh can grow to
large proportions and become difficult to manage. You can reduce the number of peers within an AS by
creating confederations and route reflectors.

BGP peers exchange complete routing information only after the peers establish a connection.
Thereafter, BGP peers exchange routing updates. An update message consists of a network number,
a list of autonomous systems that the routing information passed through (the AS path), and other
path attributes that describe the route to a set of destination networks. When multiple paths exist, BGP
compares the path attributes to choose the preferred path. Even if you disable BGP, the system logs
all BGP peer connection requests. For more information about update messages, see BGP Updates on
page 414.

Supernet advertisements
BGP has no concept of address classes. Each network listed in the network layer reachability
information (NLRI) portion of an update message contains a prefix length field, which describes the
length of the mask associated with the network. The prefix length field allows for both supernet and
subnet advertisement. The supernet advertisement is what makes classless interdomain routing (CIDR)
possible (see CIDR and aggregate addresses on page 403).

Bandwidth and maintenance reduction


BGP provides two features that reduce the high bandwidth and maintenance costs associated with a
large full-mesh topology:
• confederations
• route reflectors

Note
Confederations and route reflectors are not supported on iBGP for non-default VRFs.

For information on confederations and route reflectors, see Routing information consolidation on page
403.

BGP 4 Byte AS Support


Each Autonomous System (AS) must have its own unique number. Because the 2-byte AS numbering
scheme is unable to meet the increasing demand, the switch supports 4-byte AS numbers. This feature
is enabled by supporting RFC 4893, BGP Support for 4-octet AS Number Space.

The switch supports the following three types of peer relationships as a result of 4 byte AS support:
• Old peer to old peer
• Old peer to new peer
• New peer to new peer

An old peer supports 2-byte AS numbers only; a new peer supports both 2-byte AS numbers and 4-byte
AS numbers.

RFC 4893 defines two new path attributes:

• AS4_PATH contains the AS path encoded with a 4-octet AS number.
• AS4_AGGREGATOR is a new aggregator attribute that carries a 4-octet AS number.

Figure 19: 2-byte and 4-byte Mixed Environment


The preceding figure shows an example of how the switch uses the AS4_PATH attribute in a mixed
environment. The figure illustrates how a 2-byte BGP speaker interoperates with a 4-byte BGP speaker.

Router B is a 2-byte BGP speaker. Router A substitutes AS_TRANS, a 2-octet AS number defined by
RFC 4893 for backward compatibility, in AS_PATH and encodes the 4-byte AS into AS4_PATH in the
BGP updates it sends to router B.

Router B does not understand the AS4_PATH but does preserve the information and sends it to router
C.

Router C is a 4-byte BGP speaker. Router C merges the information received in AS_PATH and
AS4_PATH, and encodes the 4-byte AS when it sends the AS_PATH information to router D.

Old Peer to Old Peer

When the peer relationship between an old peer and another old peer is established, 4 byte AS
numbers contained in the AS4_PATH and AS4_AGGREGATOR are transited to other peers.

Important
Do not assign 23456 as an AS number. The Internet Assigned Numbers Authority (IANA)
reserved this number for the AS_TRANS attribute and BGP uses it to facilitate communication
between peer modes. AS_TRANS uses a 2-byte AS format to represent a 4-byte AS number.
The switch interprets the AS_TRANS attribute and propagates it to other peers.

New Peer to New Peer

The new BGP speaker establishes its 4 byte AS support through BGP capability advertisement. A
BGP speaker that announces such capability and receives it from its peer uses 4 byte AS numbers
in AS_PATH and AGGREGATOR attributes and assumes these attributes received from its peer are
encoded in 4 byte AS numbers.

The new BGP attributes AS4_PATH and AS4_AGGREGATOR received in the update message from the new
BGP speaker between the new BGP peers are discarded.

Old Peer to New Peer

An old BGP speaker and a new BGP speaker can form a peering relationship only if the new BGP
speaker is assigned a 2 byte AS number. This 2 byte number can be any globally unique AS number or
AS_TRANS.

The new BGP speaker sends AS path information to the old BGP speaker in the AS_PATH attribute as
well as the AS4_PATH attribute. If the entire AS_PATH consists of only 2 byte AS numbers, then the
new BGP speaker does not send AS4_PATH information.

The 4-byte AS number feature does not in any way restrict the use or change the way you configure
2-byte AS numbers. You can also configure 2-byte AS or 4 byte AS numbers in AS path lists, community
lists, and route policies.

BGP 4–byte AS Number Notation

BGP 4-byte AS numbers are represented in two ways: AS Plain and AS dot. AS Plain is the default
form; you have the option to configure AS dot. AS Plain is preferred over AS dot because a large
number of network providers find the AS dot notation incompatible with the regular expressions
they use. Troubleshooting and analyzing issues is also more difficult with AS dot notation.

BGP AS Number Format – AS Plain

Table 52: Default Asplain 4-Byte Autonomous System Number Format

Format    Configuration Format           Show Command Output and Regular Expression Match Format
asplain   2-byte: 1 to 65535             2-byte: 1 to 65535
          4-byte: 65536 to 4294967295    4-byte: 65536 to 4294967295
asdot     2-byte: 1 to 65535             2-byte: 1 to 65535
          4-byte: 1.0 to 65535.65535     4-byte: 65536 to 4294967295

BGP AS Number Format - ASdot

Table 53: Asdot 4-Byte Autonomous System Number Format

Format    Configuration Format           Show Command Output and Regular Expression Match Format
asplain   2-byte: 1 to 65535             2-byte: 1 to 65535
          4-byte: 65536 to 4294967295    4-byte: 1.0 to 65535.65535
asdot     2-byte: 1 to 65535             2-byte: 1 to 65535
          4-byte: 1.0 to 65535.65535     4-byte: 1.0 to 65535.65535

For more information on configuring 4 byte AS numbers, see Configure 4-byte AS numbers on page
435.
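
The mixed 2-byte and 4-byte exchange and the asplain/asdot notations described above, as an added Python example that is not part of this guide and is not switch code. The AS numbers 70000 and 200 and all function names are constructed for illustration, and the path is treated as a plain sequence of AS numbers (no AS_SET segments).

```python
AS_TRANS = 23456        # 2-octet placeholder reserved by IANA (RFC 4893)
MAX_2BYTE = 65535
MAX_4BYTE = 4294967295


def parse_asn(text):
    """Parse an AS number written in asplain ("70000") or asdot ("1.4464")."""
    if "." in text:
        high, low = (int(part) for part in text.split("."))
        if not (1 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"asdot value out of range: {text}")
        return high * 65536 + low
    asn = int(text)
    if not 1 <= asn <= MAX_4BYTE:
        raise ValueError(f"asplain value out of range: {text}")
    return asn


def to_asdot(asn):
    """Render in asdot: 2-byte values stay plain, 4-byte values become high.low."""
    return str(asn) if asn <= MAX_2BYTE else f"{asn >> 16}.{asn & 0xFFFF}"


def check_local_as(asn):
    """Refuse AS_TRANS as a configured AS number (see the Important note)."""
    if asn == AS_TRANS:
        raise ValueError("23456 is reserved for AS_TRANS")
    return asn


def encode_for_old_peer(as_path):
    """New speaker to old peer: return (AS_PATH, AS4_PATH).

    Every 4-byte AS number is replaced by AS_TRANS in AS_PATH. AS4_PATH carries
    the real numbers and is omitted (None) when all of them fit in 2 bytes.
    """
    if all(asn <= MAX_2BYTE for asn in as_path):
        return list(as_path), None
    two_byte = [asn if asn <= MAX_2BYTE else AS_TRANS for asn in as_path]
    return two_byte, list(as_path)


def old_speaker_forward(as_path, as4_path, local_as):
    """Old speaker: prepend its own AS to AS_PATH, pass AS4_PATH on untouched."""
    return [local_as] + as_path, as4_path


def merge_at_new_speaker(as_path, as4_path):
    """New speaker receiving from an old peer: rebuild the real AS path.

    Keep the leading AS_PATH entries that AS4_PATH does not cover, then append
    AS4_PATH. An AS4_PATH longer than AS_PATH is inconsistent and is ignored.
    """
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    return as_path[: len(as_path) - len(as4_path)] + as4_path


def mixed_environment_walkthrough():
    """Router A (AS 70000) -> Router B (AS 200, 2-byte only) -> Router C (4-byte)."""
    a_as = check_local_as(parse_asn("1.4464"))      # 70000 written in asdot
    sent_by_a = encode_for_old_peer([a_as])
    sent_by_b = old_speaker_forward(*sent_by_a, local_as=200)
    seen_by_c = merge_at_new_speaker(*sent_by_b)
    return sent_by_a, sent_by_b, seen_by_c


if __name__ == "__main__":
    for stage in mixed_environment_walkthrough():
        print(stage)
```

An AS_PATH that still shows 23456 after the merge means the matching AS4_PATH was lost or inconsistent somewhere along the path, which is worth checking when a route's origin looks wrong.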

Routing information consolidation


Use the information in this section to understand how to reduce the size of routing tables.

CIDR and aggregate addresses


Classless interdomain routing (CIDR) is an addressing scheme (also known as supernetting) that
eliminates the concept of classifying networks into class types. Earlier addressing schemes identified
five classes of networks: Class A, Class B, Class C, Class D, and Class E. This document does not discuss
Classes D (used for multicast) and E (reserved and currently not used).

Network 195.215.0.0, an illegal Class C network number, becomes a legal supernet when represented in
CIDR notation as 195.215.0.0/16. The /16 is the prefix length and expresses the explicit mask that CIDR
requires. In this case, the addition of the prefix /16 indicates that the subnet mask consists of 16 bits
(counting from the left).

Using this method, supernet 195.215.0.0/16 represents 195.215.0.0 255.255.0.0. The following table
shows the conversion of prefix length to subnet mask.

Table 54: CIDR conversion

Prefix  Dotted-decimal   Binary                                   Network class
/1      128.0.0.0        1000 0000 0000 0000 0000 0000 0000 0000  128 Class A
/2      192.0.0.0        1100 0000 0000 0000 0000 0000 0000 0000  64 Class A
/3      224.0.0.0        1110 0000 0000 0000 0000 0000 0000 0000  32 Class A
/4      240.0.0.0        1111 0000 0000 0000 0000 0000 0000 0000  16 Class A
/5      248.0.0.0        1111 1000 0000 0000 0000 0000 0000 0000  8 Class A
/6      252.0.0.0        1111 1100 0000 0000 0000 0000 0000 0000  4 Class A
/7      254.0.0.0        1111 1110 0000 0000 0000 0000 0000 0000  2 Class A
/8      255.0.0.0        1111 1111 0000 0000 0000 0000 0000 0000  1 Class A or 256 Class B
/9      255.128.0.0      1111 1111 1000 0000 0000 0000 0000 0000  128 Class B
/10     255.192.0.0      1111 1111 1100 0000 0000 0000 0000 0000  64 Class B
/11     255.224.0.0      1111 1111 1110 0000 0000 0000 0000 0000  32 Class B
/12     255.240.0.0      1111 1111 1111 0000 0000 0000 0000 0000  16 Class B
/13     255.248.0.0      1111 1111 1111 1000 0000 0000 0000 0000  8 Class B
/14     255.252.0.0      1111 1111 1111 1100 0000 0000 0000 0000  4 Class B
/15     255.254.0.0      1111 1111 1111 1110 0000 0000 0000 0000  2 Class B
/16     255.255.0.0      1111 1111 1111 1111 0000 0000 0000 0000  1 Class B or 256 Class C
/17     255.255.128.0    1111 1111 1111 1111 1000 0000 0000 0000  128 Class C
/18     255.255.192.0    1111 1111 1111 1111 1100 0000 0000 0000  64 Class C
/19     255.255.224.0    1111 1111 1111 1111 1110 0000 0000 0000  32 Class C
/20     255.255.240.0    1111 1111 1111 1111 1111 0000 0000 0000  16 Class C
/21     255.255.248.0    1111 1111 1111 1111 1111 1000 0000 0000  8 Class C
/22     255.255.252.0    1111 1111 1111 1111 1111 1100 0000 0000  4 Class C
/23     255.255.254.0    1111 1111 1111 1111 1111 1110 0000 0000  2 Class C
/24     255.255.255.0    1111 1111 1111 1111 1111 1111 0000 0000  1 Class C

Use CIDR to assign network prefixes of arbitrary lengths, as opposed to the obsolete class system,
which assigned prefixes as even multiples of an octet.

For example, you can assign a single routing table supernet entry of 195.215.16/21 to represent 8
separate Class C network numbers: 195.215.16.0 through 195.215.23.0.

Supernet addressing
You can create a supernet address that covers an address range.

For example, to create a supernet address that covers an address range of 192.32.0.0 to 192.32.9.255,
perform the following steps:
1. Convert the starting and ending address range from dotted-decimal notation to binary notation (see
the following figure).

Figure 20: Binary notation conversion

2. Locate the common bits in both ranges. Ensure that the remaining bits in the start range are zeros,
and the remaining bits in the end range are all ones. In this example, the remaining bits in the end
range are not all ones.
3. If the remaining bits in the end range are not all ones, you must recalculate to find the IP prefix that
has only ones in the remaining bits in the end range.
4. Recalculate to find a network prefix that has all ones in the remaining end range bits (see the
following figure). In this example, 192.32.7.255 is the closest IP prefix that matches the common bits
for the start range.

Figure 21: First aggregate and prefix length

5. The 21 bits that match the common bits form the prefix length. The prefix length is the number of
binary bits that form the explicit mask (in dotted-decimal notation) for this IP prefix.
6. The remaining aggregate is formed from 192.32.8.0 to the end range, 192.32.9.255.

As shown in Figure 21, the resulting first aggregate 192.32.0.0/21 represents all of the IP prefixes from
192.32.0.0 to 192.32.7.255.

The following figure shows the results after forming the remaining aggregate from 192.32.8.0 to the end
range, 192.32.9.255.

The resulting aggregate 192.32.8.0/23 represents all of the IP prefixes from 192.32.8.0 to 192.32.9.255.

Figure 22: Last aggregate and prefix length


The final result of calculating the supernet address that ranges from 192.32.0.0 to 192.32.9.255 is as
follows:

192.32.0.0 (with mask) 255.255.248.0 = 192.32.0.0/21

192.32.8.0 (with mask) 255.255.254.0 = 192.32.8.0/23
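
The six steps above carried through in Python, as an added example that is not part of this guide. The function names are constructed; the code generalizes the procedure to any IPv4 range and also reports how many addresses outside the range a single prefix built from the common bits alone would claim.

```python
import ipaddress


def _bounds(first, last):
    """Return the range ends as integers, rejecting a reversed range."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is above range end")
    return start, end


def naive_supernet(first, last):
    """Steps 1-2: the single prefix formed by the bits common to both ends."""
    start, end = _bounds(first, last)
    common_bits = 32 - (start ^ end).bit_length()
    return ipaddress.IPv4Network((start, common_bits), strict=False)


def cover_range(first, last):
    """Steps 3-6: split the range into aggregates that cover it exactly."""
    start, end = _bounds(first, last)
    aggregates = []
    while start <= end:
        # Largest block that may begin at `start`: its remaining (host) bits
        # must all be zero, so count the trailing zero bits of `start`.
        host_bits = (start & -start).bit_length() - 1 if start else 32
        # Shrink the block until its last address (host bits all ones)
        # no longer overshoots the end of the range.
        while start + (1 << host_bits) - 1 > end:
            host_bits -= 1
        aggregates.append(ipaddress.IPv4Network((start, 32 - host_bits)))
        start += 1 << host_bits     # continue with the remaining aggregate
    return aggregates


def report(first, last):
    """Summarize the naive prefix against the exact aggregates."""
    start, end = _bounds(first, last)
    naive = naive_supernet(first, last)
    return {
        "naive": str(naive),
        "extra_addresses": naive.num_addresses - (end - start + 1),
        "aggregates": [net.with_netmask for net in cover_range(first, last)],
    }


if __name__ == "__main__":
    print(report("192.32.0.0", "192.32.9.255"))
```

For the range in this section the common bits alone give 192.32.0.0/20, which would also advertise 192.32.10.0 through 192.32.15.255; the two exact aggregates avoid announcing address space outside the range.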

Aggregate routes
Eliminating the idea of network classes provides an easy method to aggregate routes. Rather than
advertise a separate route for each destination network in a supernet, BGP uses a supernet address
to advertise a single route (called an aggregate route) that represents all the destinations. CIDR also
reduces the size of the routing tables used to store advertised IP routes.

The following figure shows an example of route aggregation using CIDR. In this example, a single
supernet address 195.215.0.0/16 advertises 256 separate Class C network numbers 195.215.0.0 through
195.215.255.0.

Figure 23: Aggregating routes with CIDR

Confederations
A BGP router configured for iBGP establishes a peer-to-peer session with every other iBGP speaker
in the AS. In an AS with a large number of iBGP speakers, this full-mesh topology can result in high
bandwidth and maintenance costs.

Note
Confederations are not supported on iBGP for non-default VRFs.

As shown in the following example, a full-mesh topology for an AS with 50 iBGP speakers requires 1225
internal peer-to-peer connections:

Example:

n x (n-1)/2 = number of unique iBGP sessions

where n is the number of iBGP speakers:

50 x (50-1)/2 = 1225 unique iBGP sessions

You can reduce the high bandwidth and maintenance costs associated with a large full-mesh topology
by dividing the AS into multiple smaller autonomous systems (sub-autonomous systems), and then
group them into a single confederation (see the following figure).

Figure 24: Confederations


As shown in the preceding figure, each sub-AS is fully meshed within itself and has eBGP sessions with
other sub-autonomous systems in the same confederation.

Although the peers in different autonomous systems have eBGP sessions with the various sub-AS
peers, they preserve the next-hop, Multi-Exit Discriminator (MED), and local preference information
and exchange routing updates as if they were iBGP peers. All of the autonomous systems retain a
single interior gateway protocol (IGP). When the confederation uses its own confederation identifier, the
system displays the group of sub-autonomous systems as a single AS (with the confederation identifier
as the AS number).

Route reflectors
Another way to reduce the iBGP mesh inherent in an AS with a large number of iBGP speakers is to
configure a route reflector. Using this method, when an iBGP speaker needs to communicate with other
BGP speakers in the AS, the speaker establishes a single peer-to-peer route reflector client session with
the iBGP route reflector.

Note
Route reflectors are not supported on iBGP for non-default VRFs.

An AS can contain more than one route reflector cluster, and a cluster can contain more than one route
reflector. When more than one reflector exists in a cluster, take care to prevent route loops.

The following figure shows a simple iBGP configuration with three iBGP speakers (routers A, B, and C).
Without route reflectors, after Router A receives an advertised route from an external neighbor, it must
advertise the route to Routers B and C.

Figure 25: Fully meshed AS with iBGP speakers


Routers B and C do not readvertise the iBGP learned routes to other iBGP speakers. BGP does not allow
routers to pass routes learned from internal neighbors on to other internal neighbors, which avoids
routing information loops.

As shown in the following figure, when you configure an internal BGP peer (Router B) as a route
reflector, the iBGP speakers do not need to be fully meshed. In this case, the assigned route
reflector passes iBGP learned routes to a set of iBGP neighbors.

Figure 26: AS with route reflector


After Router B, the route reflector, receives routes from Router A (the iBGP speaker), it advertises them
to router C. Conversely, after the route reflector receives routes from internal peers, it advertises those
routes to Router A. Routers A and C do not need an iBGP session.

Route reflectors separate internal peers into two groups: client peers and nonclient peers. The route
reflector and its clients form a cluster. The client peers in the cluster do not need to be fully meshed, and
do not communicate with iBGP speakers outside their cluster. Nonclient peers must be fully meshed
with each other.

The following figure shows a cluster, where Router A is the route reflector in a cluster with client routers
B, C, and D. Routers E, F, and G are fully meshed, nonclient routers.

Figure 27: Route reflector with client and nonclient peers

BGP Communities
You can group destinations into communities to simplify policy administration. A community is a group
of destinations that share a common administrative property.

Use communities to control routing policies with respect to destinations. Create communities when you
have more than one destination and want them to share a common attribute.

The following list identifies specific community types:


• Internet—advertise this route to the Internet community
• no advertise—do not advertise to BGP peers including iBGP peers

You can use a community to control which routing information to accept, prefer, or distribute to other
BGP neighbors. If you specify the append option in the route policy, the router adds the specified
community value to the existing value of the community attribute. Otherwise, the specified community
value replaces a previous community value.

BGP path attributes


You can create policies that control routes, work with default routing, control specific and aggregated
routes, and manipulate BGP path attributes.

Four categories of BGP path attributes exist:


• Well-known mandatory attributes must be in every BGP update message.
• Well-known discretionary attributes can be in a BGP update message.
• Optional transitive attributes are accepted and passed to other BGP peers.
• Optional non-transitive attributes can be either accepted or ignored, but must not pass along to
other BGP peers.

Border routers that use built-in algorithms or manually configured policies to select paths use path
attributes. BGP uses the following path attributes to control the path a BGP router chooses:
• origin (well-known mandatory)
• AS_path (well-known mandatory)
• next hop (well-known mandatory)
• MED attribute (optional non-transitive)
• local preference (well-known discretionary)
• atomic aggregate (well-known discretionary)
• aggregator (optional transitive)
• community (optional transitive)

For more information about path attributes in BGP updates, see Path Attributes on page 415.

BGP Route Selection


A BGP router determines the best path to a destination network. This path is then eligible for use in
the IP forwarding table and the router also advertises the path to its eBGP peers. To choose the best of
multiple BGP routes to a destination, the router executes a best path algorithm.

The algorithm chooses a route in the following order:


• highest weight

Weight is a locally significant parameter associated with each BGP peer. You can use the weight to
influence which peer paths the router uses.
• highest local preference

The local preference has global significance within an AS. You can manipulate the preference using
route policies to influence path selection.
• prefer locally originated paths

The router prefers a path locally originated using the network, redistribution, or aggregate command
over a path learned through a BGP update. The router prefers local paths sourced by network or
redistribute commands over local aggregates sourced by the aggregate address command.
• shortest AS path

The AS path parameter specifies the autonomous systems that the network prefix traversed. The
AS path commonly determines the best path. For example, a router can choose a path based on
whether the network passed through a specific AS. You can configure a route policy to match the
AS, and then modify the local preference. Also, you can pad the AS path before the AS advertises it
to a peer AS, so that downstream routers are less likely to prefer the advertised network path.

The AS_CONFED_SEQUENCE length will also be considered while picking the best path inside the
confederation.
• lowest origin type

The order of preference is IGP, EGP, INC (incomplete).


• lowest MED

The MED parameter influences the preferred path from a remote AS to the advertising AS. This
parameter applies when there are multiple exit points from the remote AS to the advertising AS. A
lower MED value indicates a stronger path preference than a higher MED value. By default, the MED
attribute is ignored as specified by the BGP global parameter Always Compare MED except when
the routes come from the same AS. This parameter must be enabled for MEDs to be compared (and
for this step of the best path algorithm to execute).

The router compares MEDs regardless of what the first (neighboring) AS specified in the AS_PATH.
Deterministic MED, when enabled, means that the first AS of the multiple paths must be the same.
Paths received with no MED are assigned a MED of 0, unless the global BGP parameter Missing Is
Worst is enabled. If so, received paths are assigned a MED of 4 294 967 294. Missing is Worst is
enabled by default. The "no-med-path-is-worst" flag has an impact only when the “First AS” or the
"Most Left AS" is the same for multiple routes received. The router changes paths received with a
MED of 4 294 967 295 to 4 294 967 294 before insertion into the BGP table.

Note
You cannot enable or disable the MED selection process. BGP aggregation does not occur
when routes have different MEDs or next hops.

When a MED value is set in a route-map configuration, the configured MED value is not applied if
MED is already set in the associated Path Attribute.

1. When router A sets a MED value of 100 by route-map, it sends the Path Attribute with MED=100 to
EBGP peer B.
2. Router B sends the Path Attribute with MED=100 to IBGP peer C.
3. If the route-map is configured with "set MED 200", router C does not apply MED=200 to the
Path Attribute because it is already set to 100 when it is received from router B.
4. Router D gets the Path Attribute with MED=100, so router C does not influence router D when
it selects the best route.

Set:                                         Set:
MED100    MED100            MED:100          MED200      MED:100
A------------------B-------------------------C-----------------------------D
        EBGP                  IBGP                        EBGP

Example: If prefix X is set with MED=100 by router A, it is received at B with MED=100 and carries
the same MED=100 value to router C, because C is an IBGP peer. Router C will not propagate the
MED=100 value to D because MED is a non-transitive attribute, so MED can travel a maximum of 1 AS.
• lowest IGP metric to the BGP next-hop

If multiple paths exist whose BGP next-hop is reachable through an IGP, the path with the lowest IGP
metric to the BGP next-hop is chosen.
• prefer external paths (learned by eBGP) over internal paths (iBGP)


The system prefers external paths over internal paths.


• if Equal Cost Multipath (ECMP) is enabled, insert up to four paths in the routing table

If you enable ECMP, multiple BGP learned routes that use the same metric to different IP next-hops
are installed in the IP forwarding table for traffic load-balancing purposes.
• lowest router ID

The lowest router ID, or Circuitless IP (CLIP) address, is preferred.

BGP and dampened routes


The switch supports route dampening (route suppression). When you use route dampening, a route
accumulates penalties each time the route fails. After the accumulated penalties exceed a threshold, the
router no longer advertises the route. The router enters the suppressed routes into the routing table
only after the accumulated penalty falls below the reuse threshold.

Route flap dampening suppresses the advertisement of the unstable route until the route becomes
stable. For information about how to enable flap-dampening, see Configure BGP on page 430.
For information about viewing flap dampening configurations, see Viewing global flap-dampening
configurations on page 461.

Dampening applies only to routes that are learned through eBGP. Route flap dampening prevents
routing loops and protects iBGP peers from having higher penalties for routes external to the AS.

The following paragraph describes the algorithm that controls route flaps.

After the route flaps the first time


• the router creates a route history entry
• a timer starts (180 seconds)

If the route does not flap again, the router uses this timer to delete the history entry after the 180
seconds expires.

After the route flaps a second time


• The penalty is recalculated based on the decay function.

If the penalty is greater than the cut-off value (1536), the route is suppressed and the reuse time is
calculated based on the reuse time function.
• The reuse timer starts.

After the reuse time expires, the suppressed route is announced again (the reuse time is recalculated
if the route flaps again). The penalty decays slower for withdrawn routes than for update routes. The
route history entry is kept longer if the route is withdrawn. For update history, the delete time is 90
seconds and the withdrawn history delete time is 180 seconds.
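
The following Python model is an added example (not VOSS code) of the flap-dampening steps above. It uses the 1536 cut-off and the 180-second history timer from the text, and assumes an exponential decay function with a per-flap penalty of 1024, a reuse threshold of 512 and a 900-second half-life, none of which this page specifies; all class and function names are this example's own.

```python
import math

CUTOFF = 1536          # suppress threshold stated in the text
HISTORY_TTL = 180      # seconds before an idle history entry is deleted (from the text)
# Assumed values, not given on this page:
FLAP_PENALTY = 1024    # penalty added per flap
REUSE = 512            # reuse threshold
HALF_LIFE = 900.0      # seconds for the penalty to halve


class RouteHistory:
    """Penalty state kept for one flapping route."""

    def __init__(self, now):
        self.penalty = float(FLAP_PENALTY)
        self.last_flap = now
        self.suppressed = False

    def decayed(self, now):
        """Decay function (assumed exponential): halves every HALF_LIFE seconds."""
        return self.penalty * 2 ** (-(now - self.last_flap) / HALF_LIFE)

    def flap(self, now):
        """Recalculate the penalty at a new flap and suppress above the cut-off."""
        self.penalty = self.decayed(now) + FLAP_PENALTY
        self.last_flap = now
        if self.penalty > CUTOFF:
            self.suppressed = True

    def reuse_delay(self):
        """Reuse time function: seconds after the last flap until the penalty
        has decayed to the reuse threshold."""
        if self.penalty <= REUSE:
            return 0.0
        return HALF_LIFE * math.log2(self.penalty / REUSE)


class Dampener:
    """Tracks history entries per prefix and answers 'is this route advertised?'."""

    def __init__(self):
        self.history = {}

    def on_flap(self, prefix, now):
        entry = self.history.get(prefix)
        # An unsuppressed entry with no flap for HISTORY_TTL seconds is deleted,
        # so the next flap counts as a first flap again.
        if entry and not entry.suppressed and now - entry.last_flap >= HISTORY_TTL:
            entry = None
        if entry is None:
            entry = self.history[prefix] = RouteHistory(now)
        else:
            entry.flap(now)            # a flap while suppressed restarts the reuse timer
        return entry

    def is_advertised(self, prefix, now):
        entry = self.history.get(prefix)
        if entry and entry.suppressed and now >= entry.last_flap + entry.reuse_delay():
            entry.suppressed = False   # reuse timer expired: announce the route again
        return not (entry and entry.suppressed)


if __name__ == "__main__":
    d = Dampener()
    d.on_flap("192.0.2.0/24", 0)               # constructed prefix and timestamps
    e = d.on_flap("192.0.2.0/24", 60)
    print("suppressed:", e.suppressed, "reuse in", round(e.reuse_delay()), "s")
```

With these assumed values, two flaps inside the 180-second history window always push the penalty past 1536, which matches the suppression on the second flap described above.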

BGP Updates
BGP uses update messages to communicate information between two BGP speakers. The update
message can advertise a single feasible route to a peer, or withdraw multiple unfeasible routes from
service.


The following figure shows the format of an update message.

Figure 28: Update Message Format


This section describes how BGP uses the update message fields to communicate information between
BGP speakers.

Withdrawn Routes Length


The withdrawn routes length parameter (referred to in RFC 1771 as the Unfeasible Routes Length field)
indicates the total length of the withdrawn routes field in octets. The withdrawn routes length field
is used to calculate the length of the NLRI field. For example, a value of 0 indicates that no routes
are withdrawn from service, and that the withdrawn routes field is not present in this update message.

Withdrawn Routes
The withdrawn routes parameter is a variable-length parameter that contains a list of IP prefixes for
routes that are withdrawn from service. The following figure shows the format of an IP prefix.

Figure 29: IP Prefix Format


The length indicates the number of bits in the prefix (also called the network mask).

For example, 192.0.2.0/24 is equivalent to 192.0.2.0 255.255.255.0 (the /24 indicates the number of bits
in the length parameter to represent the network mask 255.255.255.0).

The prefix parameter contains the IP address prefix itself, followed by enough trailing bits to make the
length of the whole field an integer multiple of 8 bits (1 octet).

Total Path Attributes Length


The total path attributes length parameter indicates the total length of the path attributes parameter in
octets.

The total path attributes length is used to calculate the length of the NLRI parameter. For example,
a value of 0 indicates that no NLRI field is present in this update message.

Path Attributes
The path attributes parameter is a variable-length sequence of path attributes that exists in every BGP
update. The path attributes contain BGP attributes associated with the prefixes in the NLRI parameter.

For example, the attribute values allow you to specify the prefixes that the BGP session can exchange,
or which of the multiple paths of a specified prefix to use.


The attributes carry the following information about the associated prefixes:
• the path origin
• the AS paths through which the prefix is advertised
• the metrics that display degrees of preference for this prefix

The following figure shows the encoding used with the path attribute parameter.

Figure 30: Path Attribute Encoding

Attribute Type
As shown in the following figure, the attribute type is a two-octet field that comprises two sub-fields:
attribute flags and attribute type code.

Figure 31: Attribute Type Fields


The attribute flags parameter is a bit string that contains four binary values that describe the attribute,
and four unused bits. The following list provides bit descriptions (from the high-order bit to the
low-order bit):
• The high-order bit (bit 0) is the optional bit. When this bit is set (the value is 1), the attribute is
optional. When this bit is clear (the value is 0), the attribute is well-known. Well-known attributes
must be recognized by all BGP implementations and, when appropriate, passed on to BGP peers.
Optional attributes are not required in all BGP implementations.
• The second high-order bit (bit 1) is the transitive bit. For well-known attributes, this bit must be
set to 1. For optional attributes, it defines whether the attribute is transitive (when set to 1) or
non-transitive (when set to 0).
• The third high-order bit (bit 2) is the partial bit. The partial bit defines whether the information in the
optional transitive attribute is partial (when set to 1) or complete (when set to 0). For well-known
attributes and for optional non-transitive attributes the partial bit must be set to 0.
• The fourth high-order bit (bit 3) is the extended length bit. The extended length bit defines whether
the attribute length is one octet (when set to 0) or two octets (when set to 1). The attribute flag can
use the extended length only if the length of the attribute value is greater than 255 octets.
◦ If the extended length bit of the attribute flags octet is set to 0, the third octet of the path
attribute contains the length of the attribute data in octets.
◦ If the extended length bit of the attribute flags octet is set to 1, then the third and the fourth
octets of the path attribute contain the length of the attribute data in octets.
• The lower-order four bits of the attribute flags octet are unused. The lower-order four bits must be
zero (and must be ignored when received).

The attribute type code parameter contains the attribute type code, as defined by the Internet Assigned
Numbers Authority (IANA). The attribute type code uniquely identifies the attribute from all others. The
remaining octets of the path attribute represent the attribute value and are interpreted according to the
attribute flags and the attribute type code parameters.


The following table shows the supported attribute type codes.

Table 55: BGP Mandatory Path Attributes


| Attribute | Type code | Description |
|---|---|---|
| Origin | 1 | Defines the origin of the path information. Value = 0: IGP (the path is valid all the way to the IGP of the originating AS). Value = 1: EGP (the last AS in the AS path uses an EGP to advertise the path). Value = 2: Incomplete (the path is valid only to the last AS in the AS path). |
| AS path | 2 | Contains a list of the autonomous systems that packets must traverse to reach the destinations. This code represents each AS path segment as follows: path segment type, path segment length, path segment value. |
| Next hop | 3 | Specifies the IP address of the border router to use as a next hop for the advertised destinations (destinations listed in the NLRI field of the update message). |
| Multiexit discriminator | 4 | Discriminates among multiple exit or entry points to the same neighboring AS on external (inter-AS) links. |
| Local preference | 5 | Indicates the preference that AS border routers assign to a chosen route when they advertise it to iBGP peers. |
| Atomic aggregate | 6 | Ensures that certain NLRI is not deaggregated. |
| Aggregator | 7 | Identifies which AS performed the most recent route aggregation. This attribute contains the last AS number that formed the aggregate route followed by the IP address of the BGP speaker that formed the aggregate route. |

Attribute Length
The attribute length can be one or two octets in length, depending on the value of the extended length
parameter in the attributes flag field.

This parameter indicates the length of the attribute value field.

Attribute Value
The attribute value contains the actual value of the specific attribute. The system implements the
attribute value according to the values in the attribute flags and the attribute type code parameters.

NLRI
The NLRI parameter is a variable length field that contains a list of prefixes. The packet size that BGP
speakers can exchange limits the number of prefixes in the list.
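
The field layout described in this section, as an added Python example (not code from VOSS or from this guide): it parses an UPDATE body for IPv4 prefixes, checks every length field against the data actually present, and reports attributes whose flag bits break the rules listed under Attribute Type. The sample bytes are constructed, the two-octet AS number encoding follows RFC 1771, and names such as parse_update and UpdateError are this example's own.

```python
import ipaddress
import struct

# Type codes from Table 55 above.
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR"}


class UpdateError(ValueError):
    """A length field points outside the data it is supposed to describe."""


def parse_prefixes(buf):
    """Decode <length in bits><prefix padded to whole octets> entries (IPv4)."""
    prefixes, i = [], 0
    while i < len(buf):
        bits = buf[i]
        nbytes = (bits + 7) // 8              # trailing pad bits fill the last octet
        if bits > 32 or i + 1 + nbytes > len(buf):
            raise UpdateError(f"bad prefix length {bits} at offset {i}")
        raw = buf[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        # strict=False masks off the meaningless pad bits instead of rejecting them.
        net = ipaddress.IPv4Network((int.from_bytes(raw, "big"), bits), strict=False)
        prefixes.append(str(net))
        i += 1 + nbytes
    return prefixes


def parse_attributes(buf):
    """Split the path attributes field into records and note flag-rule violations."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 3 > len(buf):
            raise UpdateError("truncated attribute header")
        flags, code = buf[i], buf[i + 1]
        optional = bool(flags & 0x80)         # bit 0, the high-order bit
        transitive = bool(flags & 0x40)       # bit 1
        partial = bool(flags & 0x20)          # bit 2
        extended = bool(flags & 0x10)         # bit 3
        if extended:                          # length in the third and fourth octets
            if i + 4 > len(buf):
                raise UpdateError("truncated extended length")
            (length,) = struct.unpack_from("!H", buf, i + 2)
            start = i + 4
        else:                                 # length in the third octet only
            length, start = buf[i + 2], i + 3
        if start + length > len(buf):
            raise UpdateError(f"attribute type {code} overruns the attributes field")
        problems = []
        if not optional and not transitive:
            problems.append("well-known attribute with transitive bit clear")
        if partial and not (optional and transitive):
            problems.append("partial bit set on a non-optional-transitive attribute")
        if extended and length <= 255:
            problems.append("extended length used for a value of 255 octets or less")
        if flags & 0x0F:
            problems.append("unused low-order flag bits are not zero")
        attrs.append({"name": ATTR_NAMES.get(code, f"type {code}"), "flags": flags,
                      "value": buf[start:start + length], "problems": problems})
        i = start + length
    return attrs


def parse_update(body):
    """Parse the UPDATE fields that follow the common BGP message header."""
    if len(body) < 4:
        raise UpdateError("body is shorter than its two length fields")
    (wlen,) = struct.unpack_from("!H", body, 0)
    if 2 + wlen + 2 > len(body):
        raise UpdateError("withdrawn routes length overruns the message")
    (alen,) = struct.unpack_from("!H", body, 2 + wlen)
    attrs_at = 2 + wlen + 2
    if attrs_at + alen > len(body):
        raise UpdateError("total path attributes length overruns the message")
    return {
        "withdrawn": parse_prefixes(body[2:2 + wlen]),
        "attributes": parse_attributes(body[attrs_at:attrs_at + alen]),
        # No NLRI length field exists: NLRI is whatever follows the two sized fields.
        "nlri": parse_prefixes(body[attrs_at + alen:]),
    }


# Constructed sample body: withdraws 198.51.100.0/24, announces two prefixes.
SAMPLE = bytes.fromhex(
    "0004 18c63364"            # withdrawn routes length = 4, then 198.51.100.0/24
    "0019"                     # total path attributes length = 25
    "400101 00"                # ORIGIN = 0 (IGP)
    "400204 0201fde8"          # AS_PATH: one sequence segment holding AS 65000
    "400304 c0000201"          # NEXT_HOP = 192.0.2.1
    "800404 00000064"          # MULTI_EXIT_DISC = 100 (optional, non-transitive)
    "18c00002 19cb007180"      # NLRI: 192.0.2.0/24 and 203.0.113.128/25
)

if __name__ == "__main__":
    for key, value in parse_update(SAMPLE).items():
        print(key, value)
```

A length field that claims more data than the message holds raises UpdateError instead of reading past the end of the field it describes.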


Equal Cost Multipath


Equal Cost Multipath (ECMP) support allows a BGP speaker to perform route or traffic balancing within
an AS by using multiple equal-cost routes submitted to the routing table by OSPF, RIP, or static routes.

For more information about ECMP, see Equal Cost Multipath on page 1844.

MD5 message authentication


Authenticate BGP messages by using Message Digest 5 (MD5) signatures. After you enable BGP
authentication, the BGP speaker verifies that the BGP messages it receives from its peers are actually
from a peer and not from a third party masquerading as a peer.

BGPv4 TCP MD5 message authentication provides the following features:


• A TCP MD5 signature can exist for BGP peers. You can configure authentication and secret keys for
each peer. Peers configured with common secret keys can authenticate each other and exchange
routing information.
• The switch can concurrently have BGP peers with authentication enabled and other BGP peers with
authentication disabled.
• The switch always encrypts the secret keys.

After you enable BGPv4 TCP MD5 authentication, the router computes an MD5 signature for each TCP
packet based on the TCP packet and an individual peer secret key. The router adds this MD5 signature
to the TCP packet that contains a BGP message and sends it with the packet, but it does not send the
secret key.

The receiver of the TCP packet also knows the secret key and can verify the MD5 signature. A third
party that tries to masquerade as the sender, however, cannot generate an authentic signature because
it does not know the secret key.

In commands, the term password refers to the secret key. The secret keys provide security. If the keys
are compromised, then the authentication itself is compromised. To prevent this, the switch stores the
secret keys in encrypted form.

MD5 signature generation


BGP peers calculate MD5 signatures in BGP messages based on the following elements:
• TCP pseudo-header
• TCP header, excluding options
• TCP segment data
• TCP MD5 authentication key

If TCP receives an MD5 authentication key, it reduces its maximum segment size by 18 octets, which is
the length of the TCP MD5 option. TCP adds an MD5 signature to each transmitted packet. The peer
inserts the resulting 16-byte MD5 signature into the following TCP options: kind=19, length=18.


MD5 signature verification


After the switch receives a packet, it performs three tests. The following table lists the tests and the
event message that TCP logs if a test fails.

Table 56: MD5 signature verification rules on BGP TCP packets


| Condition tested | Action on success | Failure event message |
|---|---|---|
| Is the connection configured for MD5 authentication? | Verify that the packet contains a kind=19 option. | TCP MD5 No Signature |
| Is MD5 authentication enabled for this TCP connection? | TCP computes the expected MD5 signature. | TCP MD5 Authentication Disabled |
| Does the computed MD5 signature match the received MD5 signature? | TCP sends the packet to BGP. | TCP MD5 Invalid Signature |

If a packet passes a test, it proceeds to the next test. After a packet passes all three tests, TCP accepts
the packet and sends it to BGP.

If a packet fails a test, the switch logs an event, increments the count of TCP connection errors
(wfTcpConnMd5Errors), and discards the packet. The TCP connection remains open.
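
The signature generation and the three receive-side tests described above, as an added Python example (not VOSS code): it computes the digest over the four listed elements, places it in a kind=19, length=18 option, and verifies a received segment. Hashing the checksum field as zero follows RFC 2385; the addresses, ports, key and function names are constructed for the example, and the mapping of each failure to an event message is this example's reading of Table 56.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND, MD5_OPT_LEN = 19, 18            # option kind and length from the text


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, TCP header without options, segment data, key."""
    seg_len = len(tcp_header) + len(payload)   # whole segment, options included
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(tcp_header[:20])         # first 20 octets: header minus options
    fixed[16:18] = b"\x00\x00"                 # RFC 2385 hashes the checksum as zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def find_md5_option(tcp_header):
    """Return the 16-byte signature carried in a kind=19 option, else None."""
    if len(tcp_header) < 20:
        return None
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # no-operation padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                              # malformed option: stop scanning
        if kind == MD5_OPT_KIND and opts[i + 1] == MD5_OPT_LEN:
            return opts[i + 2:i + MD5_OPT_LEN]
        i += opts[i + 1]
    return None


def sign_segment(src_ip, dst_ip, sport, dport, seq, payload, key):
    """Build a 40-octet TCP header (data offset 10) that carries the signature."""
    header = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                                   10 << 4, 0x18, 65535, 0, 0))
    # Two NOPs keep the options 32-bit aligned, then the 18-octet MD5 option.
    header += bytes([1, 1, MD5_OPT_KIND, MD5_OPT_LEN]) + bytes(16)
    header[24:40] = tcp_md5_digest(src_ip, dst_ip, bytes(header), payload, key)
    return bytes(header)


def verify_segment(src_ip, dst_ip, tcp_header, payload, key, enabled=True):
    """Run the three tests for a connection configured with `key`.

    Returns None when the segment is accepted, otherwise the event message.
    """
    received = find_md5_option(tcp_header)
    if received is None:
        return "TCP MD5 No Signature"
    if not enabled:
        return "TCP MD5 Authentication Disabled"
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    if not hmac.compare_digest(expected, received):    # constant-time comparison
        return "TCP MD5 Invalid Signature"
    return None


# Constructed sample: a 19-octet BGP KEEPALIVE sent from 192.0.2.1 to 192.0.2.2.
KEY = b"constructed-example-key"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

if __name__ == "__main__":
    hdr = sign_segment("192.0.2.1", "192.0.2.2", 49152, 179, 1000, KEEPALIVE, KEY)
    print(verify_segment("192.0.2.1", "192.0.2.2", hdr, KEEPALIVE, KEY))
    print(verify_segment("192.0.2.1", "192.0.2.2", hdr, KEEPALIVE, b"other-key"))
```

Because the pseudo-header is part of the digest, a segment replayed from a different source address fails the third test even when its option bytes are copied intact.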

BGP and route redistribution


Redistribution imports routes from one protocol to another. Redistribution sends route updates for a
protocol-based route through another protocol. For example, if OSPF routes exist in a router and they
must travel through a BGP network, then configure redistribution of OSPF routes through BGP. This
sends OSPF routes to a router that uses BGP.

The switch can redistribute routes:


• on an interface basis.
• on a global basis between protocols on a single VRF instance (intraVRF).
• between the same or different protocols on different VRF instances (interVRF).

Configure interface-based redistribution by configuring a route policy and applying it to the interface.
Configure the match parameter to the protocol from which to learn the routes.

You can redistribute routes on a global basis, rather than on an interface basis. Use the ip bgp
redistribute command to accomplish the (intraVRF) redistribution of routes through BGP, so that
BGP redistribution occurs globally on all BGP-enabled interfaces. This redistribution does not require a
route policy, but you can use one for more control.

If you configure redistribution globally and on an interface, redistribution through the route policy takes
precedence.

You can redistribute routes from a protocol in one VRF to BGP in another VRF. You can use a route
policy for redistribution control. If you enable route redistribution between VRF instances, ensure that IP
addresses do not overlap.


Use caution when you configure redistribution. An improperly configured parameter can cause the
router to advertise learned eBGP routes out of your local AS. If this happens, the local AS can route
other networks.

Do not use redistribution if you peer to an Internet Service Provider (ISP) and do not want traffic to
transit your local AS.

When you redistribute OSPF routes into BGP, route priorities can create routing loops. Because BGP has
a higher route preference than OSPF external type 1 and 2 routes, if you redistribute OSPF external type
1 and 2 routes into BGP, the router uses the BGP routes, which can cause a routing loop.

Route-maps and BGP neighbors


BGP Routing Information Base (BGP RIB) stores routing information received from different peers. BGP
RIB has two types of BGP routes, External and Internal (Local). The routes learned from BGP neighbors
are External routes and all imported routes are considered as Internal (Local) routes.

In BGP RIB, the OSPF routes redistributed into BGP are considered as Internal (Local) and are matched
by route-type only when the keyword is set to local. When match route-type is set to external, the
route-maps applied on BGP neighbors are ignored and the set operation is not performed.

Note
This is applied only on the route-maps applied to BGP neighbors in BGP RIB, and not
considered when applying a route-map to the redistribute command.

BGP route redistribution and DvR


DvR Controllers redistribute routes (direct routes, static routes and the default route) into the DvR
domain. You can configure redistribution of DvR host routes into BGP.

For information on DvR, see Distributed Virtual Routing on page 688.

BGP+
The switch extends the BGPv4 process to support the exchange of IPv6 routes using BGPv4 peering.
BGP+ is an extension of BGPv4 for IPv6, which is indicated using the Address Family Identifier (AFI) in
the BGP header.

The switch supports capabilities for AFI with the following values: 1 (IPv4) and 2 (IPv6). If the switch
receives an OPEN message advertising an AFI with a different value, the connection is closed and a BGP
notification message is sent to the peer mentioning unsupported capability.

BGP+ is only supported on the global VRF instance.

Note
Ensure you configure IPv6 forwarding for BGP+ to work.

Note that the BGP+ support on the switch is not an implementation of BGPv6. Native BGPv6 peering
uses the IPv6 Transport layer (TCPv6) for establishing the BGPv6 peering, route exchanges, and data
traffic.


The switch supports the exchange of IPv6 reachability information over IPv4 transport. To support
BGP+, the switch supports two BGP protocol extensions, standards RFC 4760 (multi-protocol
extensions to BGP) and RFC 2545 (MP-BGP for IPv6). These extensions allow BGPv4 peering to be
enabled with IPv6 address family capabilities.

The implementation of BGP+ on the switch uses an existing TCPv4 stack to establish a BGPv4
connection. Optionally, nontransitive BGP properties are used to transfer IPv6 routes over the BGPv4
connection. Any BGP+ speaker has to maintain at least one IPv4 address to establish a BGPv4
connection.

Different from IPv4, IPv6 introduces scoped unicast addresses, identifying whether the address is global
or link-local. When BGP+ is used to convey IPv6 reachability information for interdomain routing, it is
sometimes necessary to announce a next hop attribute that consists of a global address and a link-local
address. For BGP+, no distinction is made between global and site-local addresses.

The BGP+ implementation includes support for BGPv6 policies, including redistributing BGPv6 into
OSPFv3, ISIS, RIPng, and advertising OSPFv3, ISIS, RIPng, IPv6 static and local routes into BGPv6
(through BGP+). It also supports the aggregation of global unicast IPv6 addresses.

When you configure BGP+ on a router that is enabled only for IPv6 (the router does not have an IPv4
address), you must manually configure the BGP router ID for the router.

BGP+ does not support confederations. You can configure confederations for IPv4 routes only.

The basic configuration of BGP+ is the same as BGPv4 with one additional parameter added and
some existing commands altered to support IPv6 capabilities. You can enable and disable IPv6 route
exchange by specifying the address family attribute as IPv6. Note that an IPv6 tunnel is required for the
flow of IPv6 data traffic.

BGP+ tunnel
When you use BGP+ you must configure an IPv6 tunnel and static routes at BGP+ peers.

BGP+ peers use Update messages to advertise route information.

These RTM routes contain next-hop addresses from the BGP peer that the route was learned from.

The static routes correlate the next-hop addresses represented by the IPv4–mapped IPv6 address to a
specific outgoing interface.

Following is one way to express a static route in an IPv6–configured tunnel for BGP+:

ipv6 route 2001:DB8:0:0:0:ffff:192.0.2.0/24 cost 1 tunnel 10

where 2001:DB8:0:0:0:ffff:192.0.2.0 is the IPv4-mapped IPv6 address of the BGP peer at 192.0.2.0

ECMP with BGP+


The ECMP feature supports and complements the BGP+ protocol.

The number of equal-cost-paths supported can differ by hardware platform. For more information, see
VOSS Release Notes.


You can use multiple paths for load sharing of traffic. These multiple paths allow faster convergence
to other active paths in case of network failure. By maximizing load sharing among equal-cost paths,
you can use your links between routers more efficiently when sending IP and IPv6 traffic. Equal Cost
Multipath is formed using routes from the same protocol.

Note
To add BGP+ equal cost paths in the routing table, you must enable the following:
• IPv6 ECMP feature globally
• BGP multiple-paths attribute

BGPv6
BGP peering over IPv6 transport uses a BGPv6 peer to exchange IPv6 routes over an IPv6 transport
layer. This is different than BGP+, which enables exchange of IPv6 routes over a BGPv4 peer. Also
with BGP+, you must use an IPv6 tunnel to install and configure IPv6 routes in an IPv6 Routing Table
Manager (RTM). BGP+ uses an IPv4 mapped IPv6 address for the next hop address and requires you
to configure IPv6 static routes and install IPv6 routes in an IPv6 RTM where the next hop for the static
route is an IPv6 tunnel interface.

BGPv6 supports the following:


• Input/Output policies.
• Redistribution of OSPFv3, IS-IS, IPv6 static route, and IPv6 direct routes into BGPv6.
• Aggregation of global unicast IPv6 addresses.

Note
BGP+ also supports the preceding features.

RFC
The switch supports the BGP multiprotocol extension, as described in RFC 4760. It also supports RFC
2545 (MP-BGP for IPv6).

The BGP protocol extensions ensure peering can be enabled with IPv6 address family capabilities.

Route exchange
BGPv6 does not exchange any IPv4 routes. BGPv6 advertises or learns only IPv6 routes.

The following table shows the differences between BGPv4 and BGPv6 for route exchange.

| Protocol | GRT/VRF | IPv4 Routes Exchange | IPv6 Routes Exchange |
|---|---|---|---|
| BGPv4 | GRT | Supported | Supported (BGP+) |
| BGPv4 | VRF | Supported | Not supported. Note: IPv6 over IPv4 tunnels is not yet virtualized. |
| BGPv6 | GRT | Not supported | Supported |
| BGPv6 | VRF | Not supported | Supported |

Specify the address family attribute as IPv6 to enable IPv6 route exchange.

Optionally, you can use non-transitive BGP properties to exchange IPv6 routes over the BGPv6
peering. Any BGPv6 speaker must maintain at least one IPv6 address to establish a BGPv6 connection.
The IPv6 scoped unicast addresses can identify the address as global or link-local. If you use BGPv6
to convey IPv6 reachability information for interdomain routing, you can also announce a next hop
attribute that consists of a global address and a link-local address.

Note
BGPv6 does not support adjacency on link-local.

Authentication
BGPv6 uses IPsec for security. MD5 authentication is supported for BGPv4 and is not supported for
BGPv6.

The following table shows the differences between BGPv4 and BGPv6 for authentication.

| Protocol | MD5 | IPsec | SHA1/SHA2 |
|---|---|---|---|
| BGPv4 | Supported | Not supported | Not supported |
| BGPv6 | Not supported | Supported | Not supported |

Note:
IPsec is not virtualized, hence BGPv6 is supported only in Global Router mode, and not supported in
VRF mode.

MD5 authentication
MD5 authentication is not supported in BGPv6 so it is not necessary to enable MD5 authentication.

IPsec
Only IPsec is supported. Therefore, MD5 authentication cannot be configured.

Consistency checking
The configuration includes consistency checking for MD5 authentication. BGP peer and BGP peer group
configuration for IPv6 addresses includes a rule to block MD5 authentication. If you attempt to
configure MD5 authentication, you receive an error message.

IPv6 tunneling
With BGPv6, IPv6 tunneling is not required for IPv6 data traffic flow. An IPv6 tunnel is required for
BGP+.


Circuitless IP
Circuitless IP (CLIP) is a virtual (or loopback) interface that you do not associate with a physical port.
You can use a CLIP interface to provide uninterrupted connectivity to your switch as long as an actual
path exists to reach the device. For example, as shown in the following figure, a physical point-to-point
link exists between R1 and R2 along with the associated addresses (195.39.1.1/30 and 195.39.1.2/30).
Note also that an iBGP session exists between two additional addresses 195.39.128.1/32 (CLIP 1) and
195.39.128.2/32 (CLIP 2).

Figure 32: Routers with iBGP connections


The system treats the CLIP interface like an IP interface and treats the network associated with the CLIP
as a local network attached to the device. This route always exists and the circuit is always up because
no physical attachment exists.

The router advertises routes to other routers in the domain either as external routes using the route-
redistribution process or after you enable OSPF in a passive mode to advertise an OSPF internal route.
You can configure only the OSPF protocol on the CLIP interface. After you create a CLIP interface,
the system software programs a local route with the CPU as the destination ID. The CPU processes
all packets destined to the CLIP interface address. The system treats other packets with destination
addresses associated with this network (but not to the interface address) as if they are from an
unknown host.

A circuitless IP or CLIP address is a logical IP address for network management, as well as other
purposes. The CLIP is typically a host address (with a 32-bit subnet mask). Configure the OSPF router
ID to the configured CLIP address. By default, the BGP router ID is automatically equivalent to the OSPF
router ID.

For information about how to configure CLIP interfaces, see Configure a CLIP Interface on page 1872 and
Configure a Circuitless IPv4 Interface on page 1897.

BGP Configuration Considerations and Limitations


Use the information in this section to help you configure BGP on your switch, which supports BGPv4 as
described in RFC 1771.


BGP Implementation Guidelines


The following list provides guidelines to successfully implement BGP:
• BGP does not operate with an IP router in nonforwarding (host-only) mode. Make sure that the
routers you want BGP to operate with are in forwarding mode.
• If you use BGP for a multihomed AS (one that contains more than a single exit point), use OSPF for
your IGP and BGP for your sole exterior gateway protocol, or use intra-AS iBGP routing.
• If OSPF is the IGP, use the default OSPF tag construction. Using EGP or modifying the OSPF tags
makes network administration and proper configuration of BGP path attributes difficult.
• For routers that support both BGP and OSPF, the OSPF router ID and the BGP identifier must be the
same IP address. The BGP router ID automatically uses the OSPF router ID.
• In configurations where BGP speakers reside on routers that have multiple network connections
over multiple IP interfaces (the typical case for iBGP speakers), consider using the address of the
circuitless (virtual) IP interface as the local peer address. In this configuration, you ensure that BGP is
reachable as long as an active circuit exists on the router.
• By default, BGP speakers do not advertise or inject routes into the IGP. You must configure route
policies to enable route advertisement.
• Coordinate routing policies among all BGP speakers within an AS so that every BGP border router
within an AS constructs the same path attributes for an external path.
• Configure accept and announce policies on all iBGP connections to accept and propagate all routes.
Make consistent routing policy decisions on external BGP connections.

Minimum Requirements
You must configure the following minimum parameters:
• router ID
• local AS number
• enable BGP globally
• BGP neighbor peer session: remote IP addresses
• enable BGP peers
• When you use both BGP and OSPF, the OSPF and BGP router ID must be the same.

The router ID must be a valid IP address of an IP interface on the router or a CLIP address. BGP update
messages use this IP address. By default, the BGP router ID automatically uses the OSPF router ID.

You cannot configure the BGP router ID if you configure BGP before you configure the OSPF router ID.
You must first disable BGP, configure the OSPF router ID, and then enable BGP globally.

You can add BGP policies to the BGP peer configuration to influence route decisions. BGP policies apply
to the peer through the soft-reconfiguration commands.

After you configure the switch for BGP, some parameter changes can require you to enable or disable
the BGP global state or the neighbor admin-state.

You can dynamically modify BGP policies. On the global level, the BGP redistribution command has an
apply parameter that causes the policy to take effect after you issue the command.


BGP Neighbor Maximum Prefix Configuration


By default, the maximum prefix parameter limits each neighbor to 12 000 NLRI messages. The
maximum prefix parameter limits the number of routes that the switch can accept.

The maximum prefix parameter prevents large numbers of BGP routes from flooding the network if you
implement an incorrect configuration. You can assign a value to the maximum prefix limit, including
0 (0 means unlimited routes). When you configure the maximum prefix value, consider the maximum
number of active routes that your equipment configuration can support.

BGP and OSPF Interaction


RFC1745 defines the interaction between BGP and OSPF when OSPF is the IGP within an autonomous
system. For routers that use both protocols, the OSPF router ID and the BGP ID must be the same IP
address. You must configure a BGP route policy to allow BGP advertisement of OSPF routes.

Interaction between BGPv4 and OSPF can advertise supernets to support CIDR. BGPv4 supports
interdomain supernet advertisements; OSPF can carry supernet advertisements within a routing
domain.

BGP and Internet Peering


By using BGP, you can perform Internet peering directly between the switch and another edge router.
In such a scenario, you can use each switch for aggregation and link it with a Layer 3 edge router, as
shown in the following figure.

Figure 33: BGP and Internet peering


In cases where the Internet connection is single-homed, to reduce the size of the routing table, as a best
practice, advertise Internet routes as the default route to the IGP.

For route scaling information, see VOSS Release Notes.

Routing Domain Interconnection with BGP


You can implement BGP so that autonomous routing domains, such as OSPF routing domains, connect.
This connection allows the two different networks to begin communicating quickly over a common
infrastructure, thus providing additional time to plan the IGP merger. Such a scenario is particularly
effective when you need to merge two OSPF area 0.0.0.0s, as shown in the following figure.

Figure 34: Routing Domain Interconnection with BGP

BGP and Edge Aggregation


You can perform edge aggregation with multiple points of presence or edge concentrations. The switch
supports 12 pairs (peering services). You can use BGP to inject dynamic routes rather than using static
routes or RIP (see the following figure).

Figure 35: BGP and Edge Aggregation

BGP and ISP Segmentation


You can use the platform as a peering point between different regions or autonomous systems (AS)
that belong to the same ISP. In such cases, you can define a region as an OSPF area, an AS, or a part of
an AS.

You can divide the AS into multiple regions that each run different IGPs. Interconnect regions logically
by using a full iBGP mesh. Each region then injects its IGP routes into iBGP and also injects a default
route inside the region. For destinations that do not belong to the region, each region defaults to the
BGP border router.


Use the community parameter to differentiate between regions. To provide Internet connectivity, this
scenario requires you to make your Internet connections part of the central iBGP mesh (see the
following figure).

Figure 36: Multiple Regions Separated by iBGP


In the preceding figure, consider the following:
• The AS is divided into three regions that each run different and independent IGPs.
• Regions logically interconnect by using a full-mesh iBGP, which also provides Internet connectivity.
• Internal non-BGP routers in each region default to the BGP border router, which contains all routes.
• If the destination belongs to another region, the traffic is directed to that region; otherwise, the
traffic is sent to the Internet connections according to BGP policies.

To configure multiple policies between regions, represent each region as a separate AS. Implement
eBGP between autonomous systems, and implement iBGP within each AS. In such instances, each AS
injects its IGP routes into BGP, where they are propagated to all other regions and the Internet.

The following figure shows the use of eBGP to join several autonomous systems.


Figure 37: Multiple Regions Separated by eBGP


You can obtain AS numbers from the Inter-Network Information Center (NIC) or use private AS
numbers. If you use private AS numbers, be sure to design your Internet connectivity carefully. For
example, you can introduce a central, well-known AS to provide interconnections between all private
autonomous systems and the Internet. Before it propagates the BGP updates, this central AS strips the
private AS numbers to prevent them from leaking to providers.

The following figure illustrates a design scenario in which you use multiple OSPF regions to enable
peering with the Internet.

Figure 38: Multiple OSPF Regions Peering with the Internet

BGP Peers
The following list provides rules related to BGP peers:
• Only the metric (=MED) attribute is applied to the output policy if its BGP peer is IBGP.
• The metric (=MED) and community attributes are applied to the output policy if its BGP peer is EBGP.
• To influence EBGP and IBGP peers with all applicable BGP attributes, configure route-map as
an option to the neighbor command, for example, neighbor 192.0.2.2 out-route-map policy1

BGP and Route Aggregation


When you configure the attribute-map with the aggregate command, community, metric, AS Path, and
next-hop attributes are set, while the origin attribute is not set.

BGP Session Flapping when IPv6 Forwarding is Enabled or Disabled


In a BGP session that is established with IPv4 and IPv6 capability, disabling or enabling IPv6 forwarding
results in BGP session flapping due to capability negotiation. The flapping session in turn affects the
IPv4 routing through BGP and the BGP session gets terminated. Ultimately, a capability negotiation
takes place to re-establish the IPv4 and IPv6 capable session.

BGP configuration using CLI


Configure the Border Gateway Protocol (BGP) to create and maintain an interdomain routing system
that guarantees loop-free routing information between autonomous systems (AS).

For information about how to configure route policies for BGP, see Configure IP Route Policies on page
2913.

Configure BGP
Configure BGP globally to enable BGP on the switch and determine how BGP operates.

Before You Begin


• To configure the suppress-map, advertise-map, or attribute-map options, the route policy for those
options must exist.
• For initial BGP configuration, you must know the AS number.
• You configure BGP on a VRF instance the same way you configure the GlobalRouter, except that you
must use VRF Router Configuration mode and the prefix ip bgp. The VRF must have an RP Trigger
of BGP.

Note
Route refresh is not currently supported on non-default VRFs.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. Specify the AS number and enable BGP:


router bgp [WORD <0-11>] [enable]

Note
• This command applies only on VRF 0. To enable BGP globally on other VRFs, use the
ip bgp enable command. You must configure BGP locally before you configure it
globally.
• You can also configure an AS number on non-default VRFs. For more information, see
Configure an AS Number for a Non-default VRF on page 456.

3. Access Router BGP Configuration mode:


router bgp
4. Configure BGP variables or accept the default values.

Example

Specify the AS number and enable BGP:

Switch(config)#router bgp 3 enable

Access Router BGP Configuration mode:

Switch(config)#router bgp

Switch(router-bgp)#

Variable Definitions
The following table defines parameters for the router bgp command.

Variable Value
WORD <0-11> Specifies the AS number. You cannot enable BGP until you
change the local AS to a value other than 0.
enable Enables BGP on the router.

Use the data in the following table to use the BGP variables in BGP and VRF Router Configuration
mode.

Variable Value
aggregate-address WORD<1-256> Specifies an IP address and its length in the form
{a.b.c.d/len}, or an IPv6 address and its length in the form {ipv6addr/len}.
auto-peer-restart enable Enables the process that automatically restarts a connection
to a BGP neighbor. The default value is enable.
auto-summary When enabled, BGP summarizes networks based on class
limits, for example, Class A, B, and C networks. The default
value is enable.

bgp always-compare-med Enables the comparison of the multi-exit discriminator
(MED) parameter for paths from neighbors in different
autonomous systems. The system prefers a path with a
lower MED over a path with a higher MED. The default value
is disable.
bgp aggregation Enables the aggregation feature on the interface.
bgp client-to-client reflection Enables or disables route reflection between two route
reflector clients. This variable applies only if the route
reflection value is enable. The default value is disable. You
can enable route reflection even when clients are fully
meshed.
This variable only applies to VRF 0.
Example: Switch(router-bgp)# bgp client-to-client reflection
System Response: Restart or soft-restart BGP for the change to take effect.
bgp cluster-id {A.B.C.D} Configures a cluster ID. This variable applies only if the route
reflection value is enable, and if multiple route reflectors are
in a cluster. {A.B.C.D} is the IP address of the reflector
router.
This variable only applies to VRF 0.
Example: Switch(router-bgp)# bgp cluster-id 0.0.0.0
bgp confederation identifier <0-4294967295> [peers WORD<0-255>] Configures a BGP confederation.
identifier <0-4294967295> specifies the
confederation identifier. Use 0–65535 for 2-byte AS and
<0-4294967295> for 4-byte AS.
peers WORD<0-255> lists adjoining autonomous systems
that are part of the confederation in the format
(5500,65535,0,10,...,...). Use quotation marks (") around the
list of autonomous systems.

Note:
Use this command only on VRF 0.

Example: Switch(router-bgp)# bgp confederation identifier 1 peers "20 30 40"
bgp default local-preference <0-2147483647> Specifies the default value of the local preference attribute.
The default value is 0. You must disable BGP before you can
change the default value.
Example: Switch(router-bgp)# bgp default local-preference 2–12
bgp deterministic-med enable Enables deterministic MED.
Example: Switch(router-bgp)# bgp deterministic-med enable

bgp multiple-paths <1-8> Configures the maximum number of equal-cost-paths that
are available to a BGP router by limiting the number of
equal-cost-paths the routing table can store. The default
value is 1.
Example: Switch(router-bgp)# bgp multiple-paths 4

Note:
Configuring the bgp multiple-paths variable does not
affect existing routes. The routing table does not show
ECMP routes; instead only one route is shown in the routing
table.
To view Equal-Cost Multipath (ECMP) routes, receive
the routes after executing the bgp multiple-paths
variable, or toggle the BGP state.
The number of equal-cost-paths supported can differ by
hardware platform. For more information, see VOSS Release
Notes.

comp-bestpath-med-confed enable When enabled, compares MED attributes within a
confederation. The default value is disable.
This variable only applies to VRF 0.
Example: Switch(router-bgp)# comp-bestpath-med-confed enable
Restart or soft-restart BGP for the change to take effect
debug-screen <off|on> Displays debug messages on the console, or saves them in
a log file. Disable BGP screen logging (off) or enable BGP
screen logging (on).
Example: Switch(router-bgp)# debug-screen on
System Response: BGP Screen Logging is On
default-information originate Enables the advertisement of a default route to peers, if the
route exists in the routing table. The default value is disable.
default-information ipv6-originate Enables the advertisement of an IPv6 default route to peers,
if the route exists in the routing table. The default value is
disable.
default-metric <-1-2147483647> Configures a value to send to a BGP neighbor to determine
the cost of a route a neighbor uses. A default metric value
solves the problems associated with redistributing routes
that use incompatible metrics. For example, whenever
metrics do not convert, using a default metric provides a
reasonable substitute and redistribution proceeds. Use this
option in conjunction with the redistribute commands so
the current routing protocol uses the same metric for all
redistributed routes. The default value is 0.
flap-dampening enable Enables route suppression for routes that flap on and off.
The default value is disable.

global-debug mask WORD<1-100> Displays specified debug information for BGP global
configurations. The default value is none.
• <WORD 1-100> is a list of mask choices separated by
commas with no space between choices.
Mask choices are:
• none disables all debug messages.
• all enables all debug messages.
• error enables display of debug error messages.
• packet enables display of debug packet messages.
• event enables display of debug event messages.
• trace enables display of debug trace messages.
• warning enables display of debug warning messages.
• state enables display of debug state transition
messages.
• init enables display of debug initialization messages.
• filter enables display of debug messages related to
filtering.
• update enables display of debug messages related to
sending and receiving updates.
Example: Switch(router-bgp)# global-debug mask event,trace,warning,state
ibgp-report-import-rt enable Configures BGP to advertise imported routes to an
interior BGP (iBGP) peer. This variable enables or disables
advertisement of non-BGP imported routes to other iBGP
neighbors. The default value is enable.
ignore-illegal-rtrid enable When enabled, BGP overlooks an illegal router ID. For
example, you can configure this variable to enable or disable
the acceptance of a connection from a peer that sends an
open message using a router ID of 0 (zero). The default
value is enable.
neighbor-debug-all mask WORD<1-100> Displays specified debug information for BGP neighbors.
The default value is none. For mask options, see the
global-debug mask WORD<1-100> variable.
Example: Switch(router-bgp)# neighbor-debug-all mask error,packet,event,trace,state,filter
no-med-path-is-worst enable Enables BGP to treat an update without a MED attribute as
the worst path. The default value is disable.
quick-start enable Enables the quick-start flag for exponential backoff.
route-reflector enable Enables the reflection of routes from iBGP neighbors. The
default value is disable.
This variable only applies to VRF 0.
route-refresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to
resend all route updates it contains in its database that are
eligible for the peer that issues the request.
This variable only applies to VRF 0.

router-id {A.B.C.D} Specifies the BGP router ID in IP address format. This
variable only applies to VRF 0.
synchronization Enables the router to accept routes from BGP peers without
waiting for an update from the IGP. The default value is
enable.
traps enable Enables BGP traps.
vrf-as WORD<0-11> Configures an AS number on a specific VRF instance. Use
0–65535 for a 2-byte AS and <0-4294967295> for a 4-byte
AS.
The default value of 0, or configuring the local-as in the
VRF to 0, is equivalent to deleting the local-as configured
on user-defined VRFs, and in both cases the local-as on the
VRF becomes the local-as on the GlobalRouter.

Job Aid
Use debug command values to control debug messages for global BGP message types, and for
message types associated with a specified BGP peer or peer group.

Tip
The following tips can help you use the debug commands:
• Display debug commands for multiple mask choices by entering the mask choices
separated by commas, with no space between choices.
• To end (disable) the display of debug messages, use the mask choice of none.
• You can save debug messages in a log file, or you can display the messages on your
console using the debug-screen command.

For more information about the logged debug messages, see VOSS Alarms and Logs Reference.

Configure 4-byte AS numbers


Configure Autonomous System (AS) numbers using the 4-byte format and represent the numbers in
octets.

Before You Begin


• You cannot modify the global BGP configuration unless BGP is disabled.
• Configure the local AS number at Global Router (VRF0) only.
• Make sure that you define AS numbers in policies the same way that you configure them for the
router. The AS list for the route policies accepts AS numbers only in the asplain format. If you
create policies using asplain and configure the switch with asdot, the match does not occur.

About This Task

Use BGP 4-byte AS numbers to ensure the continuity of loop-free inter-domain routing information
between autonomous systems and to control the flow of BGP updates, because 2-byte AS numbers will
deplete soon. AS Plain notation is the default format, and is preferred over AS dot notation for
representing 4-byte AS numbers.


You have an option to configure AS dot notation format as well. With AS dot notation, analyzing
and troubleshooting any issues encountered becomes difficult as it is incompatible with the regular
expressions used by most of the network providers.

If you enable 4-byte AS numbers, or the dotted octet notation, for the Global Router (VRF0), the
configuration is inherited by user-defined VRFs. You cannot enable 4-byte AS numbers on individual
user-defined VRFs.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Disable BGP to change the AS number format.
no router bgp enable
3. Enable the 4-byte AS numbering format.
router bgp as-4-byte enable
4. To use the dotted octet notation, enable as-dot.
router bgp as-dot enable
5. Configure the 4-byte AS number and enable BGP. If you have enabled as-dot, enter the AS number
in octets.
router bgp WORD<0–11> enable
6. Access Router BGP Configuration mode:
router bgp
7. (Optional) Configure BGP confederation identifier.
bgp confederation identifier <0–4294967295>
8. (Optional) Configure BGP confederation peers.
bgp confederation peers WORD<0–255>

Example

Disable BGP to change the AS number format.

Switch(config)# no router bgp enable

Enable the 4-byte AS numbering format.

Switch(config)# router bgp as-4-byte enable

To use the dotted octet notation, enable as-dot.

Switch(config)# router bgp as-dot enable

Configure the 4-byte AS number and enable BGP.

Switch(config)# router bgp 65536 enable


Variable Definitions
The following table defines parameters for the router bgp command.

Variable Value
as-4-byte <enable> Enables the switch to use 4-byte numbers for an autonomous system (AS).
The default value is disable.
as-dot <enable> Enables or disables representing AS numbers in octets. The default is disable
so the switch uses the plain notation format. If you enable the as-4-byte and
as-dot parameters, enter numbers in the range of 1.0 to 65535.65535.
The default value is disable.

Note:
This parameter is not supported with BGP+.

WORD <0–11> enable Sets the local autonomous system (AS) number.
You cannot change local-as when BGP is set to enable.
• To set a 2-byte local AS number, enter a local-as number in the range of 0 to
65535.
• To set a 4-byte local-as number, enable the 4-byte as variable and enter a
number in the range of 0 to 4294967295.

Note:
If as-4-byte is set to false, the range for AS number is 0–65535 and if as-4-byte
is set to true, the range is 0–4294967295.

If you enable as-dot, enter the AS number in octets in the range of 1.0 to
65535.65535.

Note:
This parameter is not supported with BGP+.
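
The asplain and asdot forms described in this section, and the private AS numbers that the design guidance earlier in this chapter says must not leak to providers, as an added Python example that is not part of the VOSS guide. The function names are hypothetical; the asdot rule (plain decimal up to 65535, high.low above it) follows RFC 5396 and the private-use ranges follow RFC 6996.

```python
"""Convert between asplain and asdot and spot private AS numbers."""

MAX_2BYTE = 65535
MAX_4BYTE = 4294967295
# Private-use AS ranges (RFC 6996): one 2-byte block and one 4-byte block.
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))


def to_asplain(text, four_byte=True):
    """Return the integer AS for an asplain ('65536') or asdot ('1.0') string."""
    text = text.strip()
    if "." in text:
        if not four_byte:
            raise ValueError(f"{text}: asdot needs 4-byte AS numbers enabled")
        parts = text.split(".")
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            raise ValueError(f"{text}: expected high.low")
        high, low = int(parts[0]), int(parts[1])
        # The guide gives the asdot range as 1.0 to 65535.65535.
        if not (1 <= high <= MAX_2BYTE and low <= MAX_2BYTE):
            raise ValueError(f"{text}: outside 1.0 to 65535.65535")
        return high * 65536 + low
    if not text.isdigit():
        raise ValueError(f"{text}: not an AS number")
    value = int(text)
    if value > (MAX_4BYTE if four_byte else MAX_2BYTE):
        raise ValueError(f"{text}: out of range")
    return value


def to_asdot(value):
    """Return the asdot string for an integer AS (RFC 5396 'asdot')."""
    if not 0 <= value <= MAX_4BYTE:
        raise ValueError(f"{value}: out of range")
    if value <= MAX_2BYTE:
        return str(value)
    return f"{value >> 16}.{value & 0xFFFF}"


def is_private(value):
    """True if the AS number falls in a private-use range."""
    return any(low <= value <= high for low, high in PRIVATE_RANGES)


def policy_as_list(entries):
    """Rewrite AS numbers in asplain, the only form the policy AS list accepts."""
    return [str(to_asplain(entry)) for entry in entries]


def private_in_path(as_path):
    """Return the private AS numbers found in an AS path, in path order."""
    numbers = [to_asplain(entry) for entry in as_path]
    return [asn for asn in numbers if is_private(asn)]


if __name__ == "__main__":
    # Constructed sample values.
    print(policy_as_list(["3", "1.0", "64086.59904"]))
    print(private_in_path(["65010", "1.10", "64086.59904"]))
```

Run `policy_as_list` over the AS numbers as they appear in an as-dot switch configuration before you copy them into a route policy AS list.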

Configure Aggregate Routes


Configure aggregate routes so that the router advertises a single route (aggregate route) that
represents all destinations. Aggregate routes also reduce the size of routing tables.

Before You Begin


• Disable BGP before you enable aggregation.
• You need the appropriate aggregate address and mask.
• If required, policies exist.
• You configure BGP on a VRF instance the same way you configure the GlobalRouter, except that you
must use VRF Router Configuration mode and the prefix ip bgp. The VRF must have an RP Trigger
of BGP.

Note
Route refresh is not currently supported on non-default VRFs.


Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Enable BGP aggregation:
bgp aggregation enable
3. Add an aggregate route to the routing table:
aggregate-address WORD<1–256> [advertise-map WORD<0–1536>] [as-set]
[attribute-map WORD<0–1536>] [summary-only] [suppress-map WORD<0–1536>]
4. Exit to Global Configuration mode:
exit
5. Enable BGP:
router bgp [<0-65535>] [enable]

Example

Add an aggregate route to the routing table:

Switch(router-bgp)# aggregate-address 2001:DB8::/32 advertise-map map1 attribute-map map2

Enable BGP:

Switch(router-bgp)# router bgp 4 enable

Variable Definitions
The following table defines parameters for the aggregate-address command.

Variable Value
advertise-map WORD<0-1536> Specifies the route map name for route
advertisements.
as-set Enables autonomous system information. The
default value is disable.
attribute-map WORD<0-1536> Specifies the route map name.
WORD <1–256> Specifies an IP address and its length in the
appropriate form. The value must be entered in
the format a.b.c.d/len or ipv6addr/len.

summary-only Enables the summarization of routes not included
in routing updates. This variable creates the
aggregate route and suppresses advertisements
of more specific routes to all neighbors. The
default value is disable.
suppress-map WORD<0-1536> Specifies the route map name for the suppressed
route list.

The following table defines parameters for the router bgp command.

Variable Value
<0-65535> Specifies the AS number. You cannot enable BGP until you
change the local AS to a value other than 0.
enable Enables BGP on the router.

Configure Allowed Networks


Configure network addresses to determine the network addresses that BGP advertises. The allowed
addresses determine the BGP networks that originate from the switch.

Before You Begin


• You configure BGP on a VRF instance the same way you configure the GlobalRouter, except that you
must use VRF Router Configuration mode and the prefix ip bgp. The VRF must have an RP Trigger
of BGP.

Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Specify IGP network prefixes for BGP to advertise:
network <WORD 1–256> [metric <0-65535>]

Example

Specify IGP network prefixes for BGP to advertise:

Switch(router-bgp)# network 2001:DB8::/32 metric 32


Variable Definitions
The following table defines parameters for the network command.

Variable Value
WORD <1–256> Specifies an IP address and its length in the
appropriate form.
metric <0-65535> Specifies the metric to use when the system sends
an update for the routes in the network table.
The metric configures the MED for the routes
advertised to eBGP peers. The range is 0–65535.

Configure BGP Peers or Peer Groups


Configure peers and peer groups to simplify BGP configuration and make updates more efficient.

BGP speakers can have many neighbors configured with similar update policies. For example, many
neighbors use the same distribute lists, filter lists, outbound route maps, and update source. Group the
neighbors that use the same update policies into peer groups and peer associations.

Note
• If required, route policies exist.
• You configure BGPv4 on a VRF instance the same way you configure the GlobalRouter,
except that you must use VRF Router Configuration mode and the prefix ip bgp. The
VRF must have an RP Trigger of BGP.
• Route refresh is not currently supported on non-default VRFs.
• Not all parameters are supported on non-default VRFs.

About This Task

Many of the command variables in this procedure use default values. You can accept the default values
or change them to customize the configuration.

Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Create a peer or peer group:
neighbor WORD<0–1536>
3. Apply a route policy to all incoming routes:
For BGPv4: neighbor WORD<0–1536> in-route-map WORD<0-256>

For BGPv6: neighbor WORD<0–1536> ipv6-in-route-map WORD<0-256>


4. Apply a route policy to all outgoing routes:


For BGPv4: neighbor WORD<0–1536> out-route-map WORD<0-256>

For BGPv6: neighbor WORD<0–1536> ipv6-out-route-map WORD<0-256>


5. (Optional) Configure the source IP address:
neighbor WORD<0–1536> update-source WORD<1–256>
6. Enable MD5 authentication (for BGPv4):
neighbor WORD<0–1536> MD5-authentication enable
7. Specify an MD5 authentication password (for BGPv4):
neighbor password <nbr_ipaddr|peer-group-name> WORD<0-1536>
8. Change the default values for other command variables as required.
9. Enable the configuration:
neighbor WORD<0–1536> enable

Example

Create a peer or a peer group:

Switch(router-bgp)# neighbor peergroupa

Apply a route policy (in-route-map or out-route-map) to all incoming or outgoing routes:

Switch(router-bgp)# neighbor peergroupa in-route-map map1 out-route-map map2

Configure the source IP address:

Switch(router-bgp)# neighbor peergroupa update-source 192.0.2.1

Enable MD5 authentication:

Switch(router-bgp)# neighbor peergroupa MD5-authentication enable

Specify an MD5 authentication password:

Switch(router-bgp)# neighbor password peergroupa password

Enable the configuration:

Switch(router-bgp)# neighbor peergroupa enable
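
A way to review the peer settings from this procedure, as an added Python example that is not part of the VOSS guide: it reads neighbor commands in the form typed above and reports peers without MD5 authentication, with MD5 enabled but no password, with a maximum prefix of 0 (unlimited), or without an inbound route policy. It assumes that a peer-group member uses its group's value for anything it does not set itself, and the sample lines and key are constructed.

```python
import ipaddress
import re

DEFAULT_MAX_PREFIX = "12000"  # default the guide gives for max-prefix and ipv6-max-prefix

# Options from the neighbor variable table that take exactly one value.
VALUE_OPTS = {
    "in-route-map", "out-route-map", "ipv6-in-route-map", "ipv6-out-route-map",
    "max-prefix", "ipv6-max-prefix", "peer-group", "remote-as", "update-source",
}

# Constructed sample input; EXAMPLE-KEY is a placeholder, not a real password.
SAMPLE_CONFIG = """\
Switch(router-bgp)# neighbor peergroupa
Switch(router-bgp)# neighbor peergroupa in-route-map map1 out-route-map map2
Switch(router-bgp)# neighbor peergroupa MD5-authentication enable
Switch(router-bgp)# neighbor password peergroupa EXAMPLE-KEY
neighbor 192.0.2.2 remote-as 65010
neighbor 192.0.2.2 max-prefix 0
neighbor 198.51.100.2 peer-group peergroupa
neighbor 203.0.113.9 MD5-authentication enable
neighbor 203.0.113.9 in-route-map map1
neighbor 2001:db8::1 ipv6-in-route-map map1
"""


def parse_neighbors(text):
    """Return {peer_or_group: {option: value}} from neighbor command lines."""
    neighbors = {}
    for raw in text.splitlines():
        # Drop a pasted CLI prompt such as 'Switch(router-bgp)#'.
        tokens = re.sub(r"^\S+#\s*", "", raw.strip()).split()
        if len(tokens) < 2 or tokens[0] != "neighbor":
            continue
        if tokens[1] == "password":
            # neighbor password <nbr_ipaddr|peer-group-name> WORD
            if len(tokens) >= 4:
                neighbors.setdefault(tokens[2], {})["password"] = True
            continue
        opts = neighbors.setdefault(tokens[1], {})
        i = 2
        while i < len(tokens):
            key = tokens[i].lower()
            if key in VALUE_OPTS and i + 1 < len(tokens):
                opts[key] = tokens[i + 1]
                i += 2
            elif key == "md5-authentication" and tokens[i + 1:i + 2] == ["enable"]:
                opts["md5"] = True
                i += 2
            else:
                i += 1  # an option this audit does not look at
    return neighbors


def peer_version(name):
    """Return 4 or 6 for a peer address, None for a peer group name."""
    try:
        return ipaddress.ip_address(name).version
    except ValueError:
        return None


def audit(text):
    """Return {peer_address: [finding, ...]} for every peer in the text."""
    neighbors = parse_neighbors(text)
    report = {}
    for name, own in neighbors.items():
        version = peer_version(name)
        if version is None:
            continue  # peer groups are judged through their members
        # Assumption: a member uses its group's value for anything it does not set.
        cfg = {**neighbors.get(own.get("peer-group"), {}), **own}
        prefix = "ipv6-" if version == 6 else ""
        findings = []
        if version == 4:  # the guide gives the MD5 steps for BGPv4 only
            if not cfg.get("md5"):
                findings.append("no-md5")
            elif not cfg.get("password"):
                findings.append("md5-no-password")
        if cfg.get(prefix + "max-prefix", DEFAULT_MAX_PREFIX) == "0":
            findings.append(prefix + "max-prefix-unlimited")
        if prefix + "in-route-map" not in cfg:
            findings.append("no-" + prefix + "in-route-map")
        report[name] = findings
    return report


if __name__ == "__main__":
    for peer, findings in audit(SAMPLE_CONFIG).items():
        print(peer, ", ".join(findings) or "ok")
```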


Variable Definitions
The following table defines parameters for the neighbor command.

Variable Value
address-family <ipv6> Enables the IPv6 address family on BGP neighbor.
Switch(router-bgp)# neighbor peergroupa address-family ipv6
advertisement-interval <5-120> Specifies the time interval, in seconds, that transpires between
each transmission of an advertisement from a BGP neighbor.
The default value is 5 seconds.
Switch(router-bgp)# neighbor peergroupa advertisement-interval 26 enable
The route advertisement interval feature is implemented using
the time stamp that indicates when each route is advertised.
The time stamp is marked to each route so that the route
advertisement interval is compared to the time stamp and
BGP is then able to make a decision about whether the route
advertisement can be sent or it should be delayed when a
better route is received. This feature does not work for a
withdraw route because the route entry is already removed
when the processing route advertisement is sent and the time
stamp marked in the route entry cannot be obtained.
allow-as-in Allows BGP to inject updates.
default-ipv6-originate Enables IPv6 BGP neighbor default originate.
Switch(router-bgp)# neighbor peergroupa default-ipv6-originate
default-originate Enables the switch to send a default route advertisement to
the specified neighbor. A default route does not need to be in
the routing table. The default value is disable.
Do not use this command if default-information originate is globally enabled.
Switch(router-bgp)# neighbor peergroupa default-originate enable peer-group test
ebgp-multihop Enables a connection to a BGP peer that is more than one hop
away from the local router. The default value is disable.
Switch(router-bgp)# neighbor peergroupa ebgp-multihop retry-interval 3 timers 4 5
enable Enables the BGP neighbor.
fall-over bfd Enables fall-over Bidirectional Forwarding Detection (BFD).
in-route-map WORD<0-256> Applies a route policy rule to all incoming routes that are
learned from, or sent to, the peers or peer groups of the local
router. The local BGP router is the BGP router that allows
or disallows routes and configures attributes in incoming or
outgoing updates.
WORD<0-256> is an alphanumeric string length (0–256
characters) that indicates the name of the route map or policy.
Switch(router-bgp)# neighbor peergroupa in-route-map map1 address-family ipv6

ipv6-in-route-map WORD <0–256> Creates IPv6 in route map. WORD <0–256> specifies the
route map name in the range of 0 to 256 characters.
Switch(router-bgp)# neighbor peergroupa ipv6-in-route-map map1
ipv6-max-prefix <0-2147483647> Configures a limit on the number of routes that the router can
accept from a neighbor. The default value is 12000 routes. A
value of 0 (zero) indicates that no limit exists.
ipv6-out-route-map WORD <0–256> Creates IPv6 out route map. WORD <0–256> specifies the
route map name in the range of 0 to 256 characters.
Switch(router-bgp)# neighbor peergroupa ipv6-out-route-map map2
max-prefix <0-2147483647> Configures a limit on the number of routes that the router can
accept from a neighbor. The default value is 12000 routes. A
value of 0 (zero) indicates that no limit exists.
Switch(router-bgp)# neighbor peergroupa max-prefix 158 in-route-map map1 out-route-map map2
MD5-authentication enable Enables TCP MD5 authentication between two peers. The
default value is disable.
neighbor-debug mask WORD<1-100> Displays specified debug information for a BGP peer. The
default value is none.
<WORD 1-100> is a list of mask choices separated by
commas with no space between choices. For example:
{<mask>,<mask>,<mask>...}.
Mask choices are:
• none disables all debug messages.
• all enables all debug messages.
• error enables display of debug error messages.
• packet enables display of debug packet messages.
• event enables display of debug event messages.
• trace enables display of debug trace messages.
• warning enables display of debug warning messages.
• state enables display of debug state transition messages.
• init enables display of debug initialization messages.
• filter enables display of debug messages related to
filtering.
• update enables display of debug messages related to
sending and receiving updates.
Switch(router-bgp)# neighbor peergroupa neighbor-debug-mask event,trace,warning,state
next-hop-self When enabled, specifies that the next-hop attribute in an iBGP
update is the address of the local router or the router that
generates the iBGP update. The default value is disable.
You can only configure this variable if the neighbor is disabled.
Switch(router-bgp)# neighbor peergroupa next-hop-self out-route-map map2 peer-group peergroupb

out-route-map WORD<0-256> Applies a route policy rule to all outgoing routes that are
learned from, or sent to, the peers or peer groups of the local
router. The local BGP router is the BGP router that allows
or disallows routes and configures attributes in incoming or
outgoing updates.
WORD<0-256> is an alphanumeric string length (0–256
characters) that indicates the name of the route map or policy.
peer-group <WORD 0-1536> Adds a BGP peer to the specified subscriber group. You must
create the specified subscriber group before you use this
command.
remote-as <WORD 0-11> Configures the remote AS number of a BGP peer or a peer-
group. You must disable the admin-state before you can
configure this variable.
Switch(router-bgp)# neighbor peergroupa remote-as As-number
<WORD 0-11> is an alphanumeric string length (0–11
characters) that indicates the AS number.
remove-private-as enable Strips private AS numbers when an update is sent.
The default value is enable.
retry-interval <1-65535> Configures the time interval, in seconds, for the ConnectRetry
timer. The default value is 120 seconds.
Switch(router-bgp)# neighbor 198.51.100.2 retry-interval 34
You can configure the retry interval for BGP neighbors only;
you cannot configure the retry interval for BGP peer groups.
route-reflector-client Configures the specified neighbor or group of neighbors
as a route reflector client. The default value is disable. All
configured neighbors become members of the client group
and the remaining iBGP peers become members of the
nonclient group for the local route reflector.

Note:
This variable only applies to VRF 0.

Switch(router-bgp)# neighbor
route-refresh Enables route refresh for the BGP peer. If enabled, a route
refresh request received by a BGP speaker causes the speaker
to resend all route updates it contains in its database that are
eligible for the peer that issues the request.

Note:
This variable only applies to VRF 0.

send-community Enables the switch to send the update message community
attribute to the specified peer. The default value is disable.
site-of-origin Specifies a site of origin that is added to the extended
communities list in each route from a specific peer.

soft-reconfiguration-in Enables the router to relearn routes from the specified
enable neighbor or group of neighbors without restarting the
connection after the policy changes in the inbound direction.
The default value is disable.
timers <0-21845> <0-65535> Configures timers, in seconds, for the BGP speaker for this
peer.
<0-21845> is the keepalive time. The default is 60. As a best
practice, configure a value of 30 seconds.
<0-65535> is the hold time. The default is 180.
Switch(router-bgp)# neighbor peergroupa
timers 4 6
update-source WORD<1–256> Specifies the source IPv4 address {A.B.C.D.} or IPv6 address
to use when the system sends BGP packets to this peer or
peer group. You must disable the admin-state before you can
configure this variable.
Switch(router-bgp)# neighbor peergroupa
update-source 192.0.2.2 weight 560
weight <0-65535> Specifies the weight of a BGP peer or peer group, or the
priority of updates the router can receive from that BGP peer.
The default value is 0. If you have particular neighbors that you
want to use for most of your traffic, you can assign a higher
weight to all routes learned from that neighbor.
WORD<0-1536> Specifies the peer IP address or the peer group name.

Configure a BGP Peer or Peer Group Password


Use this procedure to configure a BGP peer or peer group password for Transmission Control Protocol
(TCP) MD5 authentication between two peers.

Note
You configure a BGP peer on a VRF instance the same way you configure the GlobalRouter,
except that you must use VRF Router Configuration mode and the prefix ip bgp. The VRF
must have an RP Trigger of BGP. Route refresh is not currently supported on non-default
VRFs.

Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Assign a BGP peer or peer group password:
neighbor password <nbr_ipaddr|peer-group-name> WORD <0–1536>

Example

Assign a BGP peer or peer group password:


Switch(router-bgp)# neighbor password peergroupa password1

Variable Definitions
The following table defines parameters for the neighbor password <nbr_ipaddr|peer-
group-name> command.

Variable Value
password <nbr_ipaddr|peer- Specifies a password for TCP MD5 authentication
group-name> WORD <0–1536> between two peers.
WORD <0–1536> is an alphanumeric string length
from 0 to 1536 characters.
To disable this option, use no operator with the
command.
To configure this option to the default value, use
default operator with the command.

Configure Redistribution to BGP


Configure a redistribution entry to announce routes of a certain source protocol type into the BGP
domain, such as DvR routes, static routes, Routing Information Protocol (RIP) routes, or direct routes.
Use a route policy to control the redistribution of routes.

Note
When a route map with attributes set to origin and local-pref is applied to the BGP
redistribute command, the attributes are not applied to the redistributed routes.

Before You Begin


• If required, a route policy exists.
• You can configure BGP on a VRF instance the same way you configure the GlobalRouter, except that
you must use VRF Router Configuration mode and the prefix ip bgp. The VRF must have an RP
Trigger of BGP.

Note
Route refresh is not currently supported on non-default VRFs.

• Before you redistribute DvR host routes to BGP, you must disable BGP aggregation and BGP
auto-summarization of networks, using the commands no ip bgp aggregation enable and
no ip bgp auto-summary respectively.

Disabling these settings ensures that all the DvR host routes are correctly advertised into BGP and
are not summarized.

Note
When applying a route map to an inter-vrf redistribution, the route map and any associated
IP prefix lists must be configured first on the source VRF before configuring the redistribute
policy on the destination VRF.
Inter-vrf redistribution is not supported on IPv6 routes.


Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Create a redistribution instance:
redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static>

Note
Redistribution of ripng routes into BGP is supported only on VRF 0.

3. If required, specify a route policy to govern redistribution:


redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static> route-map WORD<0-64> [vrf-src WORD<1-16>]
4. If required, configure the route metric:
redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static> metric <0-65535> [vrf-src WORD<1-16>]
5. If required, configure the route metric-type:
redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static> metric-type live-metric [vrf-src WORD<1-16>]
6. Enable the instance:
redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static> enable [vrf-src WORD<1-16>]
7. Exit BGP Router Configuration mode:
exit
8. Apply the redistribution instance configuration:
For IPv4: ip bgp apply redistribute <direct|dvr|isis|ospf|rip|static>
[vrf WORD<1–16>] [vrf-src <WORD 1-16>]

For IPv6: ipv6 bgp apply redistribute <direct|dvr|isis|ospf|rip|static>
[vrf <WORD 1-16>]
9. Apply BGP redistribution to a specific VRF:
ip bgp apply redistribute vrf WORD<1-16>

Changes do not take effect until you apply them.


10. View all routes (including DvR host routes) that are redistributed into BGP:
View routes redistributed from GRT to BGP:

For IPv4: show ip bgp imported-routes

For IPv6: show bgp ipv6 imported-routes

View routes redistributed to BGP for a specific VRF instance:

For IPv4: show ip bgp imported-routes [vrf WORD<1–64>] [vrfids WORD<0–512>]

For IPv6: show bgp ipv6 imported-routes [WORD<1-256>] [vrf WORD<1–16>]
[vrfids WORD<0-255>]

Examples
Redistribute direct routes from the VRF instance source1 into BGP, in the GRT context.

Create a redistribution instance:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router bgp
Switch(router-bgp)#redistribute direct vrf-src source1

If required, specify a route policy to govern redistribution:


Switch(router-bgp)# redistribute direct route-map policy1 vrf-src source1

If required, configure the route metric:


Switch:1(router-bgp)# redistribute direct metric 4 vrf-src source1

Enable the instance:


Switch:1(router-bgp)# redistribute direct enable vrf-src source1

Exit BGP Router Configuration mode:


Switch:1(router-bgp)# exit

Apply the redistribution instance configuration:


Switch:1(config)# ip bgp apply redistribute direct vrf-src source1

Redistribute DvR routes from the GRT to BGP:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router bgp
Switch:1(router-bgp)#redistribute dvr
Switch:1(router-bgp)#redistribute dvr enable
Switch:1(router-bgp)#exit
Switch:1(config)#ip bgp apply redistribute dvr


View the host routes (including DvR host routes) that are redistributed from the GRT to BGP:
Switch:1(config)#show ip bgp imported-routes vrf vrf1

=================================================================================
BGP Imported Routes - VRF vrf1
=================================================================================
ROUTE METRIC COMMUNITY LOCALPREF NEXTHOP ORIGIN
---------------------------------------------------------------------------------
192.0.2.1/255.255.255.0 0 0 100 198.51.100.1 INC
192.0.2.2/255.255.255.0 0 0 100 198.51.100.1 INC
192.0.2.3/255.255.255.0 0 0 100 198.51.100.1 INC
...
...
...
3 out of 763 Total Num of imported routes displayed

Redistribute DvR routes to BGP for the specific VRF instance vrf1:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router vrf vrf1
Switch:1(router-vrf)#ip bgp redistribute dvr
Switch:1(router-vrf)#ip bgp redistribute dvr enable
Switch:1(router-vrf)#exit
Switch:1(config)#ip bgp apply redistribute dvr vrf vrf1

View the DvR host routes that are redistributed to BGP for vrf vrf1:
Switch:1(config)#show ip bgp imported-routes vrf vrf1

=================================================================================
BGP Imported Routes - VRF vrf1
=================================================================================
ROUTE METRIC COMMUNITY LOCALPREF NEXTHOP ORIGIN
---------------------------------------------------------------------------------
192.0.2.4/255.255.255.0 0 0 100 203.0.113.1 INC
192.0.2.5/255.255.255.0 0 0 100 203.0.113.1 INC
192.0.2.6/255.255.255.0 0 0 100 203.0.113.1 INC
192.0.2.7/255.255.255.0 0 0 100 203.0.113.1 INC
192.0.2.8/255.255.255.0 0 0 100 203.0.113.1 INC
...
...
...
5 out of 675 Total Num of imported routes displayed

This example demonstrates redistribution of inter-VRF routes (both direct and DvR routes) to BGP, with
a route policy configured.

Redistribute inter-VRF DvR routes between VRFs (with VRF IDs 10 and 30), to BGP.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf 10
Switch:1(router-vrf)#ip prefix-list "test10" 192.0.2.0/24 ge 25 le 32
Switch:1(router-vrf)#route-map "test10" 1
Switch:1(router-vrf)#permit
Switch:1(router-vrf)#enable
Switch:1(router-vrf)#match network "test10"
Switch:1(router-vrf)#set metric 99
Switch:1(router-vrf)#exit


Switch:1(config)#router vrf 30
Switch:1(router-vrf)#ip bgp redistribute direct vrf-src 10
Switch:1(router-vrf)#ip bgp redistribute direct enable vrf-src 10
Switch:1(router-vrf)#ip bgp redistribute dvr vrf-src 10
Switch:1(router-vrf)#ip bgp redistribute dvr route-map "test10" vrf-src 10
Switch:1(router-vrf)#ip bgp redistribute dvr enable vrf-src 10
Switch:1(router-vrf)#exit

Switch:1(config)#ip bgp apply redistribute direct vrf 30 vrf-src 10


Switch:1(config)#ip bgp apply redistribute dvr vrf 30 vrf-src 10

Variable Definitions
The following table defines parameters for the redistribute and ip bgp apply
redistribute commands.

Variable Value
<direct | dvr | ipv6-direct | ipv6-isis | ipv6-static | isis | ospf | ospfv3 | rip | ripng | static>
Specifies the type of routes to redistribute (the protocol source).
enable Enables the BGP route redistribution instance.
metric <0-65535> Configures the metric to apply to redistributed routes.
metric-type live-metric Configures the metric type to apply to redistributed routes.
When you enable the live-metric option and BGP
redistributes static, RIP, OSPF, IS-IS, or DvR routes, the metric
value is taken from the routing table and set in the path
attributes as the MED value.
By default, this option is disabled, which means the BGP MED
value is not derived from the metric in the routing table.
route-map WORD<0-64> Configures the route policy to apply to redistributed routes.
vrf WORD<1–16> Specifies the name of a VRF instance.
vrf-src WORD<1-16> Specifies the source VRF instance by name for route
redistribution.

Configure redistribution to BGP+ for VRF 0


Configure an IPv6 redistribute entry to announce IPv6 routes of a certain source protocol type into the
BGP domain, for example, static, OSPF, IS-IS, RIPng, or direct routes. Use a route policy to control the
redistribution of routes.

Note
When a route map with attributes set to origin and local-pref is applied to the BGP
redistribute command, the attributes are not applied to the redistributed routes.

Before You Begin


• If required, a route policy exists.


Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Create a redistribution instance:
redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static>
3. If required, specify a route policy to govern redistribution:
redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static> route-map WORD <0–64>
4. If required, configure a route metric:
redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static> metric <0–65535>
5. Enable the instance:
redistribute <direct|dvr|ipv6-direct|ipv6-isis|ipv6-static|isis|ospf|
ospfv3|rip|ripng|static> enable

Unlike IPv4 redistribution, you do not need to manually apply the IPv6 redistribution instance. Once
you enable the IPv6 redistribution instance, it is automatically applied.

Example

Specify a route policy to govern redistribution by using the following command:

Switch:1(router-bgp)#redistribute ipv6-direct route-map policy2

Variable Definitions
The following table defines parameters for the redistribute <ipv6-direct|ipv6-static|
ospfv3|ipv6-isis|ripng> command.

Variable Value
enable Enables the BGP route redistribution instance. The
default value is none.
To configure this option to the default value, use
default operator with the command.
To disable this option, use no operator with the
command.
metric<0–65535> Configures the metric to apply to redistributed routes.
The default value is 0.
To configure this option to the default value, use
default operator with the command.
route-map <Word 0-64> Configures the route policy to apply to redistributed
routes. The default value is none.
To configure this option to the default value, use
default operator with the command.


Job Aid
Use the data in the following table to understand how route policies are used for BGP from an IPv6 perspective.

Table 57: BGP for IPv6 Route Policy Support


REDISTRIBUTE ACCEPT ANNOUNCE
IPv6 Direct IPv6 Static OSPFv3 IPv6 IS-IS RIPng BGP BGP
MATCH
as-path Yes Yes
community Yes Yes Yes Yes Yes Yes Yes
community-exact Yes Yes
extcommunity Yes Yes
interface
local-preference
metric Yes Yes
network Yes Yes
next-hop Yes Yes
protocol
route-source Yes
route-type Yes Yes
tag
vrf
vrfids
SET
as-path Yes Yes
as-path-mode Yes Yes
automatic-tag
community Yes Yes
community-mode Yes Yes
injectlist Yes Yes Yes Yes Yes
ip-preference
local-preference Yes Yes
mask
metric Yes Yes Yes Yes Yes Yes Yes
metric-type
metric-type-internal
next-hop Yes Yes

nssa-pbit
origin Yes
origin-egp-as
tag
weight Yes

Configure AS Path Lists


Configure an AS path list to restrict the routing information a router learns or advertises to and from a
neighbor. The AS path list acts as a filter that matches AS paths.

Before You Begin


• You configure BGP on a VRF instance the same way you configure the GlobalRouter, except that you
must use VRF Router Configuration mode and the prefix ip bgp. The VRF must have an RP Trigger
of BGP.

Note
Route refresh is not currently supported on non-default VRFs.

Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Create the path list:
ip as-list <1-1024> memberid <0–65535> <permit|deny> as-path WORD<0–1536>

Use this command for each member by specifying different member IDs.

Example

Create the path list:

Switch(config)# ip as-list 234 memberid 3456 permit as-path "5"


Variable Definitions
The following table defines parameters for the ip as-list command.

Variable Value
<0-65535> Specifies an integer value between 0–65535 that represents
the regular expression entry in the AS path list.
<1-1024> Specifies an integer value from 1–1024 that represents the
AS-path list ID you want to create or modify.
<permit|deny> Permits or denies access for matching conditions.
WORD<0–1536> Specifies the AS number as an integer value between 0–
1536. Place multiple AS numbers within quotation marks (").

Configure Community Lists


Configure community lists to specify permitted routes by using their BGP community. This list acts as a
filter that matches communities or AS numbers.

Before You Begin


• You configure BGP on a VRF instance the same way you configure the GlobalRouter, except that you
must use VRF Router Configuration mode and the prefix ip bgp. The VRF must have an RP Trigger
of BGP.

Note
Route refresh is not currently supported on non-default VRFs.

Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Create a community list:
ip community-list <1-1024> memberid <0-65535> <permit|deny> community-string WORD<0-256>

Example

Create a community list:

Switch(config)# ip community-list 1 memberid 4551 permit community-string internet


Variable Definitions
The following table defines parameters for the ip community-list command.

Variable Value
<0-65535> Specifies an integer value from 0–65535 that represents the
member ID in the community list.
<1-1024> Specifies an integer value from 1–1024 that represents the
community list ID.
<permit|deny> Configures the access mode, which permits or denies access
for matching conditions.
WORD<0-256> Specifies the community as an alphanumeric string value with
a string length from 0–256 characters. Enter this value in one
of the following formats:
• (AS num:community-value)
• (well-known community string)

Well known communities include: internet, no-export, no-advertise,
local-as (known as NO_EXPORT_SUBCONFED).

Configure Extended Community Lists


Configure community lists to specify permitted routes by BGP extended community attributes,
including route targets and sites of origin (SOO). This list acts as a filter that matches route targets
and SOO.

Before You Begin


• Configure BGP on a VRF instance the same way you configure the GlobalRouter, except that you
must use VRF Router Configuration mode and the prefix ip bgp. The VRF must have an RP Trigger
of BGP.

Note
Route refresh is not currently supported on non-default VRFs.

Procedure

1. Enter BGP Router Configuration mode:


enable

configure terminal

router bgp
2. Create an extended community list based on the route target attribute:
ip extcommunity-list <1-1024> memberId <0-65535> rt {<0–65535>
<0-2147483647>|<A.B.C.D> <0–65535>} [soo {<0-65535> <0-2147483647>|
<A.B.C.D> <0-65535>}]

You can optionally configure the SOO attributes at the end of the same command or you can
configure the SOO separately using the syntax in the following step.


3. Create an extended community list based on the SOO attribute:


ip extcommunity-list <1-1024> memberId <0-65535> soo {<0-65535>
<0-2147483647>|<A.B.C.D> <0-65535>}

Example

Create an extended community list based on the route target attribute:

Switch(config)# ip extcommunity-list 1 memberid 234 rt 192.0.2.1 5 soo 32 45

Variable Definitions
The following table defines parameters for the ip extcommunity-list command.

Variable Value
<1-1024> Specifies an integer value from 1–1024 that represents the
community list ID you want to create or modify.
memberId <0-65535> Specifies an integer value from 0–65535 that represents the
member ID in the community list.
rt <0-65536> <0-2147483647>
rt <A.B.C.D> <0-65535>
Specifies the route target in the format {AS number:assigned
number} (that is, {0–65535}:{0–2147483647}) or
{ipaddress:assigned number} (that is, {a.b.c.d}:{0–65535}).
soo <0-65535> <0-2147483647>
soo <A.B.C.D> <0-65535>
Specifies the site of origin in the format
{AS number:assigned number} (that is, {0–65535}:{0–2147483647})
or {ipaddress:assigned number} (that is, {a.b.c.d}:{0–65535}).
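
The two rt and soo formats above, checked against the documented ranges and turned into the 8-byte extended community value defined in RFC 4360. This is an added example, not code from the guide or from VOSS; the function names are hypothetical and the standard RFC 4360 encoding is assumed.

```python
import ipaddress
import re
import struct

# RFC 4360 sub-types: 0x02 = Route Target, 0x03 = Route Origin (site of origin).
SUBTYPE = {"rt": 0x02, "soo": 0x03}
NAME = {v: k for k, v in SUBTYPE.items()}

# Hypothetical matcher for the command form shown in the Example above.
LINE = re.compile(
    r"^ip extcommunity-list (\d+) member[Ii]d (\d+)((?: (?:rt|soo) \S+ \d+)+)$")
ENTRY = re.compile(r"\b(rt|soo) (\S+) (\d+)")


def encode(kind, admin, assigned):
    """Encode one rt/soo pair as an 8-byte extended community."""
    if kind not in SUBTYPE:
        raise ValueError(f"unknown attribute {kind!r}")
    admin = str(admin)
    if "." in admin:
        # {ipaddress:assigned number}: type 0x01, 4-byte address, 2-byte number.
        ip = ipaddress.IPv4Address(admin)
        if not 0 <= assigned <= 65535:
            raise ValueError("assigned number must be 0-65535 with an IP address")
        return struct.pack("!BB4sH", 0x01, SUBTYPE[kind], ip.packed, assigned)
    # {AS number:assigned number}: type 0x00, 2-byte AS, 4-byte number.
    asn = int(admin)
    if not 0 <= asn <= 65535:
        raise ValueError("AS number must be 0-65535")
    # The guide caps the assigned number at 2147483647 although the field is 32 bits.
    if not 0 <= assigned <= 2147483647:
        raise ValueError("assigned number must be 0-2147483647 with an AS number")
    return struct.pack("!BBHI", 0x00, SUBTYPE[kind], asn, assigned)


def decode(raw):
    """Return (attribute, 'admin:assigned') for an encoded value."""
    if len(raw) != 8 or raw[1] not in NAME:
        raise ValueError("not an rt/soo extended community")
    if raw[0] == 0x00:
        asn, num = struct.unpack("!HI", raw[2:])
        return NAME[raw[1]], f"{asn}:{num}"
    if raw[0] == 0x01:
        ip, num = struct.unpack("!4sH", raw[2:])
        return NAME[raw[1]], f"{ipaddress.IPv4Address(ip)}:{num}"
    raise ValueError("unsupported extended community type")


def parse_command(line):
    """Validate an ip extcommunity-list line and encode its rt/soo members."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("not an ip extcommunity-list command")
    list_id, member_id = int(m.group(1)), int(m.group(2))
    if not 1 <= list_id <= 1024:
        raise ValueError("list ID must be 1-1024")
    if not 0 <= member_id <= 65535:
        raise ValueError("member ID must be 0-65535")
    result = {"list_id": list_id, "member_id": member_id}
    for kind, admin, assigned in ENTRY.findall(m.group(3)):
        result[kind] = encode(kind, admin, int(assigned))
    return result


if __name__ == "__main__":
    cmd = parse_command(
        "ip extcommunity-list 1 memberid 234 rt 192.0.2.1 5 soo 32 45")
    for key in ("rt", "soo"):
        print(key, cmd[key].hex(), decode(cmd[key]))
```
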

Configure an AS Number for a Non-default VRF


The Autonomous System (AS) number configured on the global Virtual Routing Forwarding (VRF)
instance, called the GlobalRouter (GRT), is inherited by all user-created VRFs by default. However, you
can override the AS number for a specific VRF instance by using the following procedure.

Before You Begin


• Disable BGP synchronization.

Procedure
1. Enter VRF Router Configuration mode for a specific VRF context:
enable

configure terminal

router vrf WORD<1-16>


2. Set the AS number:
ip bgp vrf-as WORD<0-11>

Example

Switch:1>enable


Switch:1#configure terminal
Switch:1(config)#router vrf vrfred
Switch:1(router-vrf)#ip bgp vrf-as 3

Variable Definitions
The following table defines parameters for the ip bgp vrf-as command.

Variable Value
WORD<0-11> Configures the local autonomous system (AS) number for the
specific VRF instance. You cannot change local-as when BGP is
set to enable.
• To configure a 2-byte local AS number, enter a local-as
number in the range of 0 to 65535.
• To configure a 4-byte local-as number, enable the 4-byte
as variable and enter a number in the range of 0 to
4294967295.

Note:
If as-4-byte is configured to false, the range for AS number is
0–65535 and if as-4-byte is configured to true, the range is
0–4294967295.

If you enable as-dot, enter the AS number in octets in the
range of 1.0 to 65535.65535.
The AS number in a specific VRF instance inherits the AS
number in the GlobalRouter in the following instances:
• Configuring the AS number in a specific VRF instance to 0
(ip bgp vrf-as 0).
• Deleting the AS number in a specific VRF instance (no ip
bgp vrf-as or default ip bgp vrf-as).
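
The ranges above as a pre-change check for an ip bgp vrf-as value, with the result also classified against the private AS ranges of RFC 6996 (the numbers that remove-private-as strips). This is an added example, not code from the guide; the function names are hypothetical, and requiring as-4-byte together with as-dot for dotted input is an assumption.

```python
# Private-use AS ranges from RFC 6996 (2-byte and 4-byte).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))


def parse_vrf_as(value, as_4_byte=False, as_dot=False):
    """Return the AS number as an integer, or raise ValueError.

    Accepts plain numbers and, when as-dot is enabled, the dotted form
    high.low in the documented range 1.0 to 65535.65535.
    """
    text = str(value).strip()
    if not text or len(text) > 11:          # WORD<0-11>; empty input is rejected here
        raise ValueError("value must be 1 to 11 characters")
    if "." in text:
        # Assumption: dotted input is only valid with as-dot and as-4-byte enabled.
        if not (as_dot and as_4_byte):
            raise ValueError("dotted notation requires as-dot and as-4-byte")
        high, _, low = text.partition(".")
        if not (high.isdigit() and low.isdigit()):
            raise ValueError("dotted notation must be <high>.<low>")
        high, low = int(high), int(low)
        if not (1 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError("as-dot range is 1.0 to 65535.65535")
        return high * 65536 + low
    if not text.isdigit():
        raise ValueError("AS number must be numeric")
    asn = int(text)
    limit = 4294967295 if as_4_byte else 65535
    if asn > limit:
        raise ValueError(f"AS number must be 0-{limit} with as-4-byte "
                         f"{'true' if as_4_byte else 'false'}")
    return asn


def classify(asn):
    """Describe what the configured value means for the VRF."""
    if asn == 0:
        return "inherits GlobalRouter AS"   # ip bgp vrf-as 0, per the table above
    if any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES):
        return "private"
    return "not private"


def to_asdot(asn):
    """Render a 4-byte AS number in dotted form; 2-byte values stay plain."""
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"


if __name__ == "__main__":
    for raw, four, dot in (("3", False, False), ("1.10", True, True),
                           ("4200000001", True, False), ("0", False, False)):
        asn = parse_vrf_as(raw, four, dot)
        print(raw, "->", asn, to_asdot(asn), classify(asn))
```
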

BGP Verification Using CLI


Use show commands to verify Border Gateway Protocol (BGP) configuration and to monitor or
troubleshoot BGP operation.

Note
If the next hop of a BGP route is resolved using an IS-IS route, show commands can display
the IS-IS internal next hop from the 127.1.x.y class rather than the IS-IS sys name.

Viewing BGP aggregate information


Display information about current aggregate addresses.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about current aggregates:
show ip bgp aggregates [<prefix/len>] [vrf WORD <1–16>] [vrfids
WORD<0-255>]


Variable Definitions
The following table defines parameters for the show ip bgp aggregates command.

Variable Value
<prefix/len> Specifies the IP address and the mask length.
vrf WORD<1–16> Specifies a VRF instance by name.
vrfids WORD<0–255> Specifies a range of VRFs by ID number.

Viewing IPv6 BGP+ aggregate information


Display information about current IPv6 aggregate addresses.

About This Task

Use BGP 4-byte AS numbers to ensure the continuity of loop-free inter-domain routing information
between ASs and to control the flow of BGP updates, because 2-byte AS numbers will deplete soon.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about current IPv6 aggregates:
show bgp ipv6 aggregates [<WORD 1–256>] [vrf <WORD 1-16>] [vrfids
<0-255>]

Variable Definitions
The following table defines parameters for the show bgp ipv6 aggregates command.

Variable Value
WORD <1–256> Specifies the IPv6 prefix and the prefix length (the length
can be 0 to 128).
vrf WORD <1-16> Specifies a VRF instance by name (the string length
ranges from 1–16 characters).
vrfids <0–255> Specifies a range of VRFs by ID number (the ID ranges
from 0–255).

Viewing CIDR routes


Display information about classless interdomain routing (CIDR) routes.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about CIDR routes:
show ip bgp cidr-only [<prefix/len>] [vrf WORD<1–16>] [vrfids WORD<0–512>]


Variable Definitions
The following table defines parameters for the show ip bgp cidr-only command.

Variable Value
<prefix/len> Specifies an exact match of the prefix. This variable is an
IP address and an integer value from 0–32 in the format
a.b.c.d/xx.

vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).

vrfids WORD<0–512> Specifies a range of VRFs by ID number (the ID ranges from
0–512).

View BGP Configuration


View information about the BGP configuration.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about the current BGP configuration:
show ip bgp conf [vrf WORD<1–16>] [vrfids WORD<0–512>]

Example
================================================================================
BGP Configuration - VRF vrf1

================================================================================

BGP version - 4
local-as - 22610
Identifier - 27.82.217.1
BGP on/off - ON
as-4-byte - disable
as-dot - disable
aggregation - enable
always-cmp-med - disable
auto-peer-restart - enable
auto-summary - enable
comp-bestpath-med-confed - disable
default-local-preference - 100
default-metric - -1
deterministic-med - disable
flap-dampening - disable
debug-screen - Off
global-debug - none
ibgp-report-import-rt - enable
ignore-illegal-rtrid - enable
max-equalcost-routes - 1
no-med-path-is-worst - enable
route-refresh - disable
orig-def-route - disable
orig-v6-def-route - disable
quick-start - disable
synchronization - enable

--More-- (q = quit)


Variable Definitions
The following table defines parameters for the show ip bgp conf command.

Variable Value

vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).

vrfids WORD<0–512> Specifies a range of VRFs by ID number (the ID ranges from
0–512).

Viewing BGP confederation


Display information about BGP confederations.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about current BGP confederations:
show ip bgp confederation

Example
Switch(config)#show ip bgp confederation
confederation identifier 0
confederation peer as

Viewing flap-dampened routes


Display information about flap-dampened routes to determine unreliable routes.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about flap-dampened routes:
show ip bgp dampened-paths {A.B.C.D} [<prefix/len>] [longer-prefixes]
[vrf WORD<1–16>] [vrfids WORD<0–512>]

Variable Definitions
The following table defines parameters for the show ip bgp dampened-paths command.

Variable Value
{A.B.C.D} Specifies the source IP address in the format a.b.c.d.
longer-prefixes Shows long prefixes. The longer-prefixes indicate the mask
length from a specified prefix to 32 (for example, show from
prefix a.b.c.d/len to a.b.c.d/32).
<prefix/len> Shows paths with this prefix. The prefix is the IP address and
exact mask length (must be an integer value from 0–32).

vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).
vrfids WORD<0–512> Specifies a range of VRFs by ID number (the ID ranges from
0–512).

Viewing global flap-dampening configurations


Display global information about flap-dampening.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display global information about flap-dampening:
show ip bgp flap-damp-config [prefix/len] [vrf WORD<1–16>] [vrfids
WORD<0–512>]

Example
Switch(config)# show ip bgp flap-damp-config vrf vrf1

===================================================================
BGP Flap Dampening - VRF vrf1
===================================================================
Status - enable
PolicyName - N/A
CutoffThreshold - 1536
ReuseThreshold - 512
Decay - 2
MaxHoldDown - 180

Variable Definitions
The following table defines parameters for the show ip bgp flap-damp-config command.

Variable Value
<prefix/len> Shows paths with this prefix. The prefix is the IP address and
exact mask length (must be an integer value from 0–32).
vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).
vrfids WORD<0–512> Specifies a range of VRFs by ID number (the ID ranges from
0–512).

Viewing imported routes


Display information about BGP imported routes.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about BGP imported routes:


show ip bgp imported-routes [<prefix/len>] [longer-prefixes] [vrf
WORD<1–16>] [vrfids WORD<0–512>]

Variable Definitions
The following table defines parameters for the show ip bgp imported-routes command.

Variable Value
longer-prefixes Shows long prefixes. The longer-prefixes indicate the mask
length from a specified prefix to 32 (for example, show from
prefix a.b.c.d/len to a.b.c.d/32).
<prefix/len> Shows paths with this prefix. The prefix is the IP address and
exact mask length (must be an integer value from 0–32).
vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).
vrfids WORD<0–512> Specifies a range of VRFs by ID number (the ID ranges from
0–512).

Viewing BGPv6 imported routes


Display information about BGPv6 imported routes.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about BGPv6 imported routes:
show bgp ipv6 imported-routes [<prefix/len>] [longer-prefixes] [vrf
WORD<1–16>] [vrfids WORD<0–255>]

Variable Definitions
The following table defines parameters for the show bgp ipv6 imported-routes command.

Variable Value
longer-prefixes Shows long prefixes. The longer-prefixes indicate the mask
length from a specified prefix to 32 (for example, show from
prefix a.b.c.d/len to a.b.c.d/32).
<prefix/len> Shows paths with this prefix. The prefix is the IP address and
exact mask length (must be an integer value from 0–32).
vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).
vrfids WORD<0–255> Specifies a range of VRFs by ID number (the ID ranges from
0–255).

View BGP Neighbors Information


Display information about BGP neighbors.


Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about BGP neighbors:
show ip bgp neighbors [{A.B.C.D}] [vrf WORD<1–16>] [vrfids WORD<0–512>]
3. Display information about BGP peer advertised routes:
show ip bgp neighbors {A.B.C.D} advertised-routes [<prefix/len>]
[longer-prefixes] [vrf WORD<1–16>] [vrfids WORD<0–512>]
4. Display information about BGP peer routes:
show ip bgp neighbors {A.B.C.D} routes [<prefix/len>] [community
<enable|disable>] [longer-prefixes] [vrf WORD<1–16>] [vrfids WORD<0–512>]
5. Display statistics for BGP peers:
show ip bgp neighbors {A.B.C.D} stats [vrf WORD<1–16>] [vrfids WORD<0–512>]

Example
Switch:#show ip bgp neighbors vrf vrf1

=========================================================================
BGP Neighbor Info - VRF vrf1
=========================================================================

BGP neighbor is 200.200.200.63 remote AS 63, Internal Peer, MP-BGP-capable, BGP state
[Established] UP Time 0 day(s), 07:27:24 remote router ID 63.1.1.1

vrf instance - 0
admin-state - BGP ON
connect-retry-interval - 120
ebgp-multihop - disable
hold-time - 30
keepalive-time - 10
hold-time-configured - 180
keepalive-time-configured - 60
max-prefix - 12000
nexthop-self - disable
originate-def-route - disable
MD5-authentication - disable
neighbor-debug - all
remove-private-as - disable
route-advertisement-interval - 5
route-reflector-client - disable
send-community - disable
soft-reconfiguration-in - disable
updt-source-interface - 0.0.0.0
weight - 100
Route Policy In -
Route Policy Out -
address-family vpnv4 - disable
route-refresh - disable
Total bgp neighbors - 1
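
The per-neighbor output above can be checked automatically after it is collected from the switch. The following Python script is an added example, not part of the VOSS documentation: it parses the `show ip bgp neighbors` layout shown above and reports peers without MD5 authentication, sessions that are not Established, and external peers with an empty inbound route policy. The second neighbor in the sample and the choice of these three checks are assumptions made for illustration.

```python
import re

# Sample input. The first neighbor is abridged from the example output above;
# the second neighbor (192.0.2.10) is constructed for illustration.
SAMPLE_OUTPUT = """\
=========================================================================
BGP Neighbor Info - VRF vrf1
=========================================================================
BGP neighbor is 200.200.200.63 remote AS 63, Internal Peer, MP-BGP-capable, BGP state
[Established] UP Time 0 day(s), 07:27:24 remote router ID 63.1.1.1

vrf instance - 0
admin-state - BGP ON
ebgp-multihop - disable
max-prefix - 12000
MD5-authentication - disable
Route Policy In -
Route Policy Out -

BGP neighbor is 192.0.2.10 remote AS 65010, External Peer, BGP state
[Active] UP Time 0 day(s), 00:00:00 remote router ID 0.0.0.0

vrf instance - 0
admin-state - BGP ON
ebgp-multihop - disable
max-prefix - 12000
MD5-authentication - enable
Route Policy In -
Route Policy Out -
Total bgp neighbors - 2
"""

# Start of each neighbor block: address, remote AS and peer type.
HEADER_RE = re.compile(
    r"^BGP neighbor is (\S+) remote AS (\d+), (Internal|External) Peer", re.M)
# The state wraps onto the next line in the CLI output, so allow whitespace.
STATE_RE = re.compile(r"BGP state\s*\[(\w+)\]")
# One "key - value" attribute per line; the value may be empty.
ATTR_RE = re.compile(r"^\s*(\S.*?)\s+-(?:\s+(.*))?$")


def parse_neighbors(text):
    """Split the command output into one dict per neighbor."""
    starts = [m.start() for m in HEADER_RE.finditer(text)]
    neighbors = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        block = text[begin:end]
        head = HEADER_RE.match(block)
        state = STATE_RE.search(block)
        attrs = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = (m.group(2) or "").strip()
        neighbors.append({
            "address": head.group(1),
            "remote_as": int(head.group(2)),
            "peer_type": head.group(3),
            "state": state.group(1) if state else "Unknown",
            "attrs": attrs,
        })
    return neighbors


def audit(neighbors):
    """Return (neighbor address, finding) tuples for the three checks."""
    findings = []
    for n in neighbors:
        attrs = n["attrs"]
        if attrs.get("MD5-authentication", "disable") != "enable":
            findings.append((n["address"], "MD5 authentication is not enabled"))
        if n["state"] != "Established":
            findings.append((n["address"], "session state is %s" % n["state"]))
        if n["peer_type"] == "External" and not attrs.get("Route Policy In"):
            findings.append(
                (n["address"], "external peer has no inbound route policy"))
    return findings


if __name__ == "__main__":
    for address, finding in audit(parse_neighbors(SAMPLE_OUTPUT)):
        print("%-16s %s" % (address, finding))
```
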


Variable Definitions
The following table defines parameters for the show ip bgp neighbors command.

Variable Value
{A.B.C.D} Specifies the IP address.
community <enable|disable> Enables or disables the display of community attributes.
longer-prefixes Shows long prefixes. The longer-prefixes indicate the mask
length from a specified prefix to 32 (for example, show from
prefix a.b.c.d/len to a.b.c.d/32).
prefix/len Shows paths with this prefix. The prefix is the IP address and
exact mask length (must be an integer value from 0–32).
vrf WORD<1–16> Specifies a VRF instance by name.
vrfids WORD<0–512> Specifies a range of VRFs by ID number.

Viewing BGPv6 neighbors information


View information about BGPv6 neighbors.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. View information about BGPv6 neighbors:
show bgp ipv6 neighbors [WORD<1–256>] [vrf <WORD 1-16>] [vrfids
<0-255>]
3. View information about BGPv6 peer advertised routes:
show bgp ipv6 neighbors WORD<1–256> advertised-routes [WORD<1–256>]
[longer-prefixes] [vrf <WORD 1-16>] [vrfids <0-255>]
4. View information about BGPv6 peer routes:
show bgp ipv6 neighbors WORD<1–256> routes [WORD<1–256>] [community
<enable|disable>] [vrf <WORD 1-16>] [vrfids <0-255>]

Example

The following example shows the summary output for the show bgp ipv6 neighbors command, and the
advertised-routes and routes variable options.
Switch:1>show bgp ipv6 neighbors vrf vrf1

=====================================================================================
BGPv6 Neighbor Info - VRF vrf1
=====================================================================================
BGPv6 neighbor is 2015:cdba:0:0:0:0:3257:9652 remote AS 200, External Peer,
BGP state [Established] UP Time 0 day(s), 00:50:30
remote router ID 0.0.0.6

vrf instance - 0
admin-state - BGP ON
connect-retry-interval - 120
ebgp-multihop - disable
hold-time - 180
keepalive-time - 60


hold-time-configured - 180
keepalive-time-configured - 60
ipv6-max-prefix - 8000
nexthop-self - disable
originate-defv6-route - disable
neighbor-debug - all
remove-private-as - disable

route-advertisement-interval - 5
route-reflector-client - disable
send-community - disable
soft-reconfiguration-in - enable
updt-source-interface - 0:0:0:0:0:0:0:0
weight - 100
IPv6Route Policy In -
IPv6Route Policy Out -
address-family ipv6 - enable
route-refresh - enable

Total bgpv6 neighbors: 1


Switch:1>show bgp ipv6 neighbors 2015:cdba:0:0:0:0:3257:9655 advertised-routes vrf vrf1
-------------------------------------------------------------------------

The total number of routes advertised to the neighbor is 2


=================================================================================================
BGPv6 Neighbor Advertised Routes - VRF vrf1
=================================================================================================
NETWORK/MASK NEXTHOP ADDRESS LOC PREF ORG STATUS
-------------------------------------------------------------------------------------------------
2001:cdba:0:0:0:0:0:0/64 2001:cdba:0:0:0:0:3257:9651 100 INC Best
2007:cdba:0:0:0:0:0:0/64 2001:cdba:0:0:0:0:3257:9651 100 INC Used
-------------------------------------------------------------------------------------------------
Switch:1>show bgp ipv6 neighbors 2015:cdba:0:0:0:0:3257:9655 routes vrf vrf1
-------------------------------------------------------------------------------------------------
The total number of accepted routes from the neighbor is 2
=================================================================================================
BGPv6 Neighbor Routes - VRF vrf1
=================================================================================================
NETWORK/MASK PEER-REM-ADDR NEXTHOP-ADDRESS ORG LOC-PREF STATUS

-------------------------------------------------------------------------------------------------
1100:0:0:0:0:0:0:0/64 2015:cdba:0:0:0:0:3257:9655 2015:cdba:0:0:0:0:3257:9655 INC 100 Used AS_PATH:(150)
2015:cdba:0:0:0:0:0:0/64 2015:cdba:0:0:0:0:3257:9655 2015:cdba:0:0:0:0:3257:9655 INC 100 Best AS_PATH:(150)
-------------------------------------------------------------------------------------------------

Variable Definitions
The following table defines parameters for the show bgp ipv6 neighbors command.

Variable Value
WORD<1–256> Specifies the IPv6 address.
advertised-routes Specifies an IPv6 neighbor's advertised routes.
routes Specifies an IPv6 neighbor's routes.
WORD<1–256> Specifies an IPv6 address/length.
longer-prefixes Shows long prefixes. The longer-prefixes indicate the mask
length from any specified prefix to 128. For example, show
from prefix X:X::X:X/len to X:X::X:X/128.

community <enable|disable> Enables or disables the display of community attributes.
vrf Specifies a VRF instance by name (the string length ranges
from 1–16 characters).
vrfids Specifies a range of VRFs by ID number (the ID ranges from
0–255).

Viewing BGP network configurations


Display information about BGP network configurations.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display information about BGP network configurations:
show ip bgp networks [<prefix/len>] [vrf WORD<1–16>] [vrfids WORD<0–512>]

Variable Definitions
The following table defines parameters for the show ip bgp networks command.

Variable Value
<prefix/len> Shows paths with this prefix. The prefix is the IP address and
exact mask length (must be an integer value from 0–32).
vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).
vrfids WORD<0–512> Specifies a range of VRFs by ID number (the ID ranges from
0–512).

Viewing IPv6 BGP+ network configurations


Display information about BGP+ network configurations.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about BGP+ network configurations:
show bgp ipv6 networks <WORD 1-256> [vrf <WORD 1-16>] [vrfids <0-255>]


Variable Definitions
The following table defines parameters for the show bgp ipv6 networks command.

Variable Value
<WORD 1–256> Specifies the IPv6 prefix and the prefix length (must be
an integer value between 0 and 128).
vrf Specifies a VRF instance by name (the string length
ranges from 1–16 characters).
vrfids Specifies a range of VRFs by ID number (the ID ranges
from 0–255).

Viewing BGP peer group information


Display information about BGP peer groups.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about BGP peer groups:
show ip bgp peer-group [WORD<0–1536>] [vrf WORD<1–16>] [vrfids WORD<0–512>]

Variable Definitions
The following table defines parameters for the show ip bgp peer-group command.

Variable Value
vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).
vrfids WORD<0–512> Specifies a range of VRFs by ID number (the ID ranges from
0–512).
WORD<0–1536> Specifies the name of the peer group (the string length ranges
from 0–1536 characters).

Viewing BGP redistributed routes


Display information about BGP redistributed routes.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about BGP redistributed routes:
show ip bgp redistributed-routes [<prefix/len>] [vrf WORD<1–16>]
[vrfids WORD<0–512>]


Variable Definitions
The following table defines parameters for the show ip bgp redistributed-routes command.

Variable Value
<prefix/len> Shows paths with this prefix. The prefix is the IP address and
exact mask length (must be an integer value from 0–32).
vrf WORD<1–16> Specifies a VRF instance by name (the string length ranges
from 1–16 characters).
vrfids WORD<0–255> Specifies a range of VRFs by ID number (the ID ranges from
0–255).

Viewing BGPv6 redistributed routes


Display information about BGPv6 redistributed routes.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about BGPv6 redistributed routes:
show bgp ipv6 redistributed-routes [vrf <WORD 1-16>] [vrfids <0-255>]

Variable Definitions
The following table defines parameters for the show bgp ipv6 redistributed-routes
command.

Variable Value
vrf Specifies a VRF instance by name (the string
length ranges from 1–16 characters).
vrfids Specifies a range of VRFs by ID number (the ID
ranges from 0–255).

View a Summary of BGP Configurations


Display summarized information about BGP.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display summarized information about BGP:
show ip bgp summary [vrf WORD<1–16>] [vrfids WORD<0–512>]

Example

The following example shows partial output for the show ip bgp summary command.
Switch:1>show ip bgp summary vrf vrf1

====================================================================================================
BGP Summary - VRF vrf1


====================================================================================================

BGP version - 4
local-as - 22610
Identifier - 27.82.217.1
Decision state - Idle
The total number of routes is 0

BGP NEIGHBOR INFO :

NEIGHBOR RMTAS STATE HLDTM KPALV HLDCFG KPCFG WGHT CONRTY ADVINT UPTime
----------------------------------------------------------------------------------------------------
192.0.2.1 22620 Active 0 0 180 60 100 120 5 0 day(s), 07:25:09
Total bgp neighbors: 1

BGP CONFEDERATION INFO :


confederation identifier 0
confederation peer as

--More-- (q = quit)

Variable Definitions
The following table defines parameters for the show ip bgp summary command.

Variable Value
vrf WORD<1–16> Specifies a VRF instance by name.
vrfids WORD<0–512> Specifies a range of VRFs by ID number.

Viewing a summary of BGPv6 configurations


View a summary of BGP peering over IPv6 transport.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. View BGPv6 summary:
show bgp ipv6 summary [vrf <WORD 1-16>] [vrfids <0-255>]

Example

The following example shows partial output for the show bgp ipv6 summary command.
Switch:1>show bgp ipv6 summary vrf vrf1

=============================================================================
BGP ipv6 Summary - VRF vrf1
=============================================================================

BGP version - 4
local-as - 200
Identifier - 0.0.0.6
Decision state - Idle
The total number of routes is 1


BGPv6 NEIGHBOR INFO :

NEIGHBOR RMTAS STATE HLDTM KPALV HLDCFG KPCFG WGHT CONRTY ADVINT
------------------------------------------------------------------------------------------------
2001:DB8:0:0:0:0:0:ffff 50 Established 180 60 180 60 100 120 5

Total bgpv6 neighbors: 1

BGP CONFEDERATION INFO :


confederation identifier 0
confederation peer as

BGPv6 NETWORK INFO :

=====================================================================
BGPv6 Networks - VRF vrf1
=====================================================================
)

Variable Definitions
The following table defines parameters for the show bgp ipv6 summary command.

Variable Value
vrf Specifies a VRF instance by name (the string
length ranges from 1–16 characters).
vrfids Specifies a range of VRFs by ID number (the ID
ranges from 0–255).

Viewing BGP routes


Display information about BGP routes.

Note
BGP stores route information on the AVL tree and this command retrieves that information.
Information in the AVL tree is not sorted. The information returned by this command will not
be displayed in any particular order.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display information about BGP routes:
show ip bgp route [<prefix/len>] [community <enable|disable>] [ip
{A.B.C.D}] [longer-prefixes] [vrf WORD<1–16>] [vrfids WORD<0–512>]


Variable Definitions
The following table defines parameters for the show ip bgp route command.

Variable Value
community <enable|disable> Enables or disables the display of community attributes.
ip {A.B.C.D} Specifies an IP address.
longer-prefixes Shows long prefixes. Longer-prefixes indicates the mask length
from a specified prefix to 32 (for example, show from prefix
a.b.c.d/len to a.b.c.d/32).
<prefix/len> Shows paths with this prefix. The prefix is the IP address and
exact mask length (must be an integer value from 0–32).
vrf WORD<1–16> Specifies a VRF instance by name.
vrfids WORD<0–512> Specifies a range of VRFs by ID number.

Viewing BGPv6 routes


Display information about BGPv6 routes.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Enter Privileged EXEC mode:
enable
3. Display information about BGP routes:
show bgp ipv6 route [<WORD 1-256> [longer-prefixes]] [community
<enable|disable>] [ipv6 <WORD 1-256>] [vrf <WORD 1-16>] [vrfids
<0-255>]

Variable Definitions
The following table defines parameters for the show bgp ipv6 route command.

Variable Value
[<WORD 1-256>] Specifies the IPv6 prefix and the prefix length (must be
an integer value between 0 and 128).
community <enable|disable> Enables or disables the display of community attributes.
ipv6 <WORD 1-256> Specifies an IPv6 address.
longer-prefixes Shows long prefixes. The longer-prefixes indicate the
mask length from any specified prefix to 128 (for
example, show from prefix X:X::X:X/len to X:X::X:X/128).
vrf Specifies a VRF instance by name (the string length
ranges from 1–16 characters).
vrfids Specifies a range of VRFs by ID number (the ID ranges
from 0–255).


BGP configuration using EDM


Configure Border Gateway Protocol (BGP) to create an inter-domain routing system that guarantees
loop-free routing information between autonomous systems.

For information about how to configure route policies, see Configure a Route Policy on page 2925.

Configure BGP
Enable BGP so that BGP runs on the router. Configure general BGP parameters to define how BGP
operates on the system.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Generals tab.
4. In AdminStatus, select enable.
5. Configure the local autonomous system (AS) ID.
6. In the Aggregate area, enable or disable route aggregation as required.
7. Configure the BGP options as required.
8. In the DebugMask area, select the type of information to show for BGP debugging purposes.
9. Configure BGP confederations as required.
10. Configure BGP route reflectors as required.
11. Select Apply.

Generals Field Descriptions


Use the data in the following table to use the Generals tab.

Name Description
bgpVersion Specifies the version of BGP that operates on the router.

Note:
This parameter only applies to VRF 0.

Identifier Specifies the BGP router ID number.


AdminStatus Enables or disables BGP on the router. The default is
disable. You cannot enable AdminStatus until you change the
LocalAS value to a nonzero value.

4ByteAs Enables or disables 4–byte AS numbers. The default is
disable.

Note:
This parameter only applies to VRF 0.

LocalAs Configures the local AS number. You cannot change the
LocalAs value if AdminStatus is enable.
The switch does not support this parameter with BGP+.

Note:
If the inserted LocalAs is 0, then the LocalAs in that
VRF context loses its significance and it becomes the
LocalAs configured in GlobalRouter (equivalent to the CLI
commands ip bgp vrf-as 0 and no ip bgp vrf-as
or default ip bgp vrf-as).

AsDot Enables or disables representing AS numbers in octets. The
default is disable, so the switch uses the plain notation format.
The AS dot notation is easier to read and remember than the
AS plain notation, but it can be difficult to convert from AS
plain to AS dot. The IETF prefers the AS plain notation.
The switch does not support this parameter with BGP+.

Note:
This parameter only applies to VRF 0.

Aggregate Enables or disables aggregation. The default is enable.


DefaultMetric Configures the metric sent to BGP neighbors. The default
metric determines the cost of a route a neighbor uses.
Use this parameter in conjunction with the redistribute
parameters so that BGP uses the same metric for all
redistributed routes.
The default is -1. The range is -1–2147483647.
DefaultLocalPreference Specifies the default local preference. The local preference
indicates the preference that AS border routers assign to
a chosen route when they advertise it to iBGP peers. The
default is 100. The range is 0–2147483647.
AlwaysCompareMed Enables or disables the comparison of the multi-exit
discriminator (MED) parameter for paths from neighbors in
different autonomous systems. The system prefers a path
with a lower MED over a path with a higher MED. The default
is disable.
DeterministicMed Enables or disables deterministic MED. Deterministic MED
compares the MEDs after routes advertised by different
peers in the same AS are chosen. The default is disable.
AutoPeerRestart Enables or disables the process that automatically restarts a
connection to a BGP neighbor. The default is enable.

AutoSummary Enables or disables automatic summarization. If you enable
this variable, BGP summarizes networks based on class limits
(for example, Class A, B, or C networks). The default is
enable.
NoMedPathIsWorst Enables or disables NoMedPathIsWorst. If you enable this
variable, BGP treats an update without a MED attribute as
the worst path. The default is enabled.
BestPathMedConfed Enables or disables the comparison of MED attributes within
a confederation. The default is disable.
DebugMask Displays the specified debug information for BGP global
configurations. The default value is none. Other options are
• none disables all debug messages.
• event enables the display of debug event messages.
• state enables display of debug state transition messages.
• update enables display of debug messages related to
updates transmission and reception.
• error enables the display of debug error messages.
• trace enables the display of debug trace messages.
• init enables the display of debug initialization messages.
• all enables all debug messages.
• packet enables the display of debug packet messages.
• warning enables the display of debug warning messages.
• filter enables the display of debug messages related to
filtering.

IgnoreIllegalRouterId Enables BGP to overlook an illegal router ID. For example,
this variable enables the acceptance of a connection from a
peer that sends an open message using a router ID of 0. The
default is enable.
Synchronization Enables or disables the router to accept routes from BGP
peers without waiting for an update from the IGP. The default
is enable.
MaxEqualcostRoutes Configures the maximum number of equal-cost-paths that
are available to a BGP router by limiting the number of equal-
cost-paths the routing table can store. The default value is 1;
the range is 1–8.
IbgpReportImportRoute Configures BGP to report imported routes to an interior BGP
(iBGP) peer. This variable also enables or disables reporting
of non-BGP imported routes to other iBGP neighbors. The
default is enable.
FlapDampEnable Enables or disables route suppression for routes that go up
and down (flap). The default is disable.
QuickStart Enables or disables the Quick Start feature, which forces the
BGP speaker to begin establishing peers immediately, instead
of waiting for the auto-restart timer to expire. The default is
disable.
TrapEnable Enables or disables the BGP traps. The default is disable.

ConfederationASIdentifier Specifies a BGP confederation identifier in the range of 0–
65535.

Note:
This parameter applies only to VRF 0.

ConfederationPeers Lists adjoining autonomous systems that are part of the
confederation in the format (5500,65535,0,10,...,...). This
value can use 0–255 characters.

Note:
This parameter applies only to VRF 0.

RouteReflectionEnable Enables or disables the reflection of routes from iBGP
neighbors. The default is enable.

Note:
This parameter applies only to VRF 0.

RouteReflectorClusterId Configures a reflector cluster ID IP address. This variable
applies only if you enable RouteReflectionEnable, and if
multiple route reflectors are in a cluster.

Note:
This parameter applies only to VRF 0.

ReflectorClientToClientReflection Enables or disables route reflection between two
route reflector clients. This variable applies only if
RouteReflectionEnable is enable. The default is enable.

Note:
This parameter applies only to VRF 0.

RouteRefresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to
resend all route updates it contains in its database that are
eligible for the peer that issues the request.

Note:
This parameter only applies to VRF 0.

Configure 4-byte AS numbers


Configure AS numbers using the 4-byte format and represent the numbers in octets.

Before You Begin


• You cannot modify the global BGP configuration unless BGP is disabled.
• Make sure that you define AS numbers in policies the same way that you configure them for the
router. The choices are asplain (regular expression) or asdot (dot notation). If you create policies
using asplain and configure the switch with asdot, the match will not occur.


About This Task

Use BGP 4-byte AS numbers to ensure the continuity of loop-free inter-domain routing information
between autonomous systems and to control the flow of BGP updates, because 2-byte AS numbers will
deplete soon. AS plain notation is the default format and is preferred over AS dot notation for
representing 4-byte AS numbers.

You have an option to configure AS dot notation format as well. With AS dot notation, analyzing
and troubleshooting any issues encountered becomes difficult as it is incompatible with the regular
expressions used by most of the network providers.

If you enable 4-byte AS numbers, or the dotted octet notation, for the Global Router (VRF0), the
configuration is inherited by user-defined VRFs. You cannot enable 4-byte AS numbers on individual
user-defined VRFs.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Generals tab.
4. To change the AS number format, select disable for AdminStatus.
5. Select Apply.
6. In 4-byteAs, select enable.
7. In AsDot, select enable.
8. In LocalAs, type the 4-byte AS number in octets.
9. In AdminStatus, select enable.
10. Select Apply.
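
Because a policy written in one notation does not match a switch configured for the other, it helps to normalize AS numbers before comparing them. The following Python script is an added example, not part of the VOSS documentation: it converts between AS plain and AS dot and lists policy entries that are not written in the switch's configured notation. It assumes the asdot form defined in RFC 5396 (2-byte values stay plain, larger values become high.low); the function names and sample entries are constructed for illustration.

```python
import re

MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF

# Either a plain decimal number or two decimal halves separated by a dot.
_AS_RE = re.compile(r"([0-9]{1,10})(?:\.([0-9]{1,5}))?")


def to_asplain(text):
    """Parse an AS number written in AS plain or AS dot and return an int."""
    m = _AS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("not an AS number: %r" % text)
    first = int(m.group(1))
    if m.group(2) is None:
        if first > MAX_4BYTE:
            raise ValueError("AS number exceeds 4 bytes: %r" % text)
        return first
    low = int(m.group(2))
    if first > MAX_2BYTE or low > MAX_2BYTE:
        raise ValueError("each half of an AS dot value is 0-65535: %r" % text)
    return first * 65536 + low


def to_asdot(asn):
    """Render an integer AS number in AS dot (RFC 5396 asdot, assumed)."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError("AS number out of range: %r" % asn)
    high, low = divmod(asn, 65536)
    return str(low) if high == 0 else "%d.%d" % (high, low)


def render(asn, notation):
    """Render an integer AS number as 'asplain' or 'asdot'."""
    if notation == "asplain":
        if not 0 <= asn <= MAX_4BYTE:
            raise ValueError("AS number out of range: %r" % asn)
        return str(asn)
    if notation == "asdot":
        return to_asdot(asn)
    raise ValueError("unknown notation: %r" % notation)


def find_notation_mismatches(policy_entries, switch_notation):
    """Return (entry, expected) pairs for entries not in the switch notation."""
    mismatches = []
    for entry in policy_entries:
        expected = render(to_asplain(entry), switch_notation)
        if entry.strip() != expected:
            mismatches.append((entry, expected))
    return mismatches


if __name__ == "__main__":
    # Constructed policy entries: one 2-byte AS and the same 4-byte AS twice.
    policy = ["22610", "1.10", "65546"]
    for notation in ("asplain", "asdot"):
        print(notation, find_notation_mismatches(policy, notation))
```
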

Generals Field Descriptions


Use the data in the following table to use the Generals tab.

Name Description
bgpVersion Specifies the version of BGP that operates on the router.

Note:
This parameter only applies to VRF 0.

Identifier Specifies the BGP router ID number.


AdminStatus Enables or disables BGP on the router. The default is
disable. You cannot enable AdminStatus until you change the
LocalAS value to a nonzero value.
4ByteAs Enables or disables 4–byte AS numbers. The default is
disable.

Note:
This parameter only applies to VRF 0.

LocalAs Configures the local AS number. You cannot change the
LocalAs value if AdminStatus is enable.
The switch does not support this parameter with BGP+.

Note:
If the inserted LocalAs is 0, then the LocalAs in that
VRF context loses its significance and it becomes the
LocalAs configured in GlobalRouter (equivalent to the CLI
commands ip bgp vrf-as 0 and no ip bgp vrf-as
or default ip bgp vrf-as).

AsDot Enables or disables representing AS numbers in octets. The
default is disable, so the switch uses the plain notation format.
The AS dot notation is easier to read and remember than the
AS plain notation, but it can be difficult to convert from AS
plain to AS dot. The IETF prefers the AS plain notation.
The switch does not support this parameter with BGP+.

Note:
This parameter only applies to VRF 0.

Aggregate Enables or disables aggregation. The default is enable.


DefaultMetric Configures the metric sent to BGP neighbors. The default
metric determines the cost of a route a neighbor uses.
Use this parameter in conjunction with the redistribute
parameters so that BGP uses the same metric for all
redistributed routes.
The default is -1. The range is -1–2147483647.
DefaultLocalPreference Specifies the default local preference. The local preference
indicates the preference that AS border routers assign to
a chosen route when they advertise it to iBGP peers. The
default is 100. The range is 0–2147483647.
AlwaysCompareMed Enables or disables the comparison of the multi-exit
discriminator (MED) parameter for paths from neighbors in
different autonomous systems. The system prefers a path
with a lower MED over a path with a higher MED. The default
is disable.
DeterministicMed Enables or disables deterministic MED. Deterministic MED
compares the MEDs after routes advertised by different
peers in the same AS are chosen. The default is disable.
AutoPeerRestart Enables or disables the process that automatically restarts a
connection to a BGP neighbor. The default is enable.
AutoSummary Enables or disables automatic summarization. If you enable
this variable, BGP summarizes networks based on class limits
(for example, Class A, B, or C networks). The default is
enable.
NoMedPathIsWorst Enables or disables NoMedPathIsWorst. If you enable this
variable, BGP treats an update without a MED attribute as
the worst path. The default is enabled.

BestPathMedConfed Enables or disables the comparison of MED attributes within
a confederation. The default is disable.
DebugMask Displays the specified debug information for BGP global
configurations. The default value is none. Other options are
• none disables all debug messages.
• event enables the display of debug event messages.
• state enables display of debug state transition messages.
• update enables display of debug messages related to
updates transmission and reception.
• error enables the display of debug error messages.
• trace enables the display of debug trace messages.
• init enables the display of debug initialization messages.
• all enables all debug messages.
• packet enables the display of debug packet messages.
• warning enables the display of debug warning messages.
• filter enables the display of debug messages related to
filtering.

IgnoreIllegalRouterId Enables BGP to overlook an illegal router ID. For example,
this variable enables the acceptance of a connection from a
peer that sends an open message using a router ID of 0. The
default is enable.
Synchronization Enables or disables the router to accept routes from BGP
peers without waiting for an update from the IGP. The default
is enable.
MaxEqualcostRoutes Configures the maximum number of equal-cost-paths that
are available to a BGP router by limiting the number of equal-
cost-paths the routing table can store. The default value is 1;
the range is 1–8.
IbgpReportImportRoute Configures BGP to report imported routes to an interior BGP
(iBGP) peer. This variable also enables or disables reporting
of non-BGP imported routes to other iBGP neighbors. The
default is enable.
FlapDampEnable Enables or disables route suppression for routes that go up
and down (flap). The default is disable.
QuickStart Enables or disables the Quick Start feature, which forces the
BGP speaker to begin establishing peers immediately, instead
of waiting for the auto-restart timer to expire. The default is
disable.
TrapEnable Enables or disables the BGP traps. The default is disable.
ConfederationASIdentifier Specifies a BGP confederation identifier in the range of 0–
65535.

Note:
This parameter applies only to VRF 0.

ConfederationPeers Lists adjoining autonomous systems that are part of the
confederation in the format (5500,65535,0,10,...,...). This
value can use 0–255 characters.

Note:
This parameter applies only to VRF 0.

RouteReflectionEnable Enables or disables the reflection of routes from iBGP
neighbors. The default is enable.

Note:
This parameter applies only to VRF 0.

RouteReflectorClusterId Configures a reflector cluster ID IP address. This variable
applies only if you enable RouteReflectionEnable, and if
multiple route reflectors are in a cluster.

Note:
This parameter applies only to VRF 0.

ReflectorClientToClientReflection Enables or disables route reflection between two
route reflector clients. This variable applies only if
RouteReflectionEnable is enable. The default is enable.

Note:
This parameter applies only to VRF 0.

RouteRefresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to
resend all route updates it contains in its database that are
eligible for the peer that issues the request.

Note:
This parameter only applies to VRF 0.

Viewing BGP Global Stats


View BGP global stats.

Procedure

1. In the navigation pane, expand the Configuration > IP folders.


2. Click BGP.
3. Click the Global Stats tab.


Global Stats Field Descriptions


Use the data in the following table to use the BGP Global Stats tab.

Name Description
AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.
Average/sec Displays the average value for each second.
Minimum/sec Displays the minimum value for each second.
Maximum/sec Displays the maximum value for each second.
LastVal/sec Displays the last value for each second.
Starts Displays the number of times the BGP connection started.
Stops Displays the number of times the BGP connection stopped.
Opens Displays the number of times BGP opens TCP.
Closes Displays the number of times BGP closes TCP.
Fails Displays the number of times TCP attempts failed.
Fatals Displays the number of times TCP crashes due to fatal error.
ConnExps Displays the number of times the TCP retry timer expired.
HoldExps Displays the number of times the hold timer expired.
KeepExps Displays the number of times the keepalive timer expired.
RxOpens Displays the number of open instances BGP receives.
RxKeeps Displays the number of keepalive instances BGP receives.
RxUpdates Displays the number of update instances BGP receives.
RxNotifys Displays the number of notification instances BGP receives.
TxOpens Displays the number of open instances BGP transmitted.
TxKeeps Displays the number of keepalive instances BGP transmitted.
TxUpdates Displays the number of updates instances BGP transmits.
TxNotifys Displays the number of notification instances BGP transmits.
BadEvents Displays the number of invalid events FSM received.
SyncFails Displays the number of times FDB sync failed.
TrEvent Displays the trace event.
RxECodeHeader Displays the total header errors received.
RxECodeOpen Displays the total open errors received.
RxECodeUpdate Displays the total update errors received.
RxECodeHoldtimer Displays the total hold timer errors received.
RxECodeFSM Displays the total FSM errors received.
RxECodeCease Displays the total cease errors received.
RxHdrCodeNoSync Displays the header not synchronized errors received.
RxHdrCodeInvalidMsgLen Displays the header invalid message length errors received.
RxHdrCodeInvalidMsgType Displays the header invalid message type errors received.
RxOpCodeBadVer Displays the open errors received for Bad Version.
RxOpCodeBadAs Displays the open errors received for Bad AS Number.
RxOpCodeBadRtID Displays the open errors received for Bad BGP Rtr ID.
RxOpCodeUnsuppOption Displays the open errors received for Unsupported Option.
RxOpCodeAuthFail Displays the open errors received for Auth Failures.
RxOpCodeBadHold Displays the open errors received for Bad Hold Value.
RxUpdCodeMalformedAttrList Displays the update errors received for Malformed Attr List.
RxUpdCodeWelKnownAttrUnrecog Displays the update errors received for Welknown Attr Unrecog.
RxUpdCodeWelknownAttrMiss Displays the update errors received for Welknown Attr Missing.
RxUpdCodeAttrFlagError Displays the update errors received for Attr Flag Error.
RxUpdCodeAttrLenError Displays the update errors received for Attr Len Error.
RxUpdCodeBadORIGINAttr Displays the update errors received for Bad ORIGIN Attr.
RxUpdCodeASRoutingLoop Displays the update errors received for AS Routing Loop.
RxUpdCodeBadNHAttr Displays the update errors received for Bad NEXT-HOP Attr.
RxUpdCodeOptionalAttrError Displays the update errors received for Optional Attr Error.
RxUpdCodeBadNetworkField Displays the update errors received for Bad Network Field.
RxUpdCodeMalformedASPath Displays the update errors received for Malformed AS Path.
TxECodeHeader Displays the total Header errors transmitted.
TxECodeOpen Displays the total Open errors transmitted.
TxECodeUpdate Displays the total Update errors transmitted.
TxECodeHoldtimer Displays the total Hold timer errors transmitted.
TxECodeFSM Displays the total FSM errors transmitted.
TxECodeCease Displays the total Cease errors transmitted.
TxHdrCodeNoSync Displays the header Not Synchronized errors transmitted.
TxHdrCodeInvalidMsgLen Displays the header Invalid msg len errors transmitted.
TxHdrCodeInvalidMsgType Displays the header Invalid msg type errors transmitted.
TxOpCodeBadVer Displays the open errors transmitted for Bad Version.
TxOpCodeBadAs Displays the open errors transmitted for Bad AS Number.
TxOpCodeBadRtID Displays the open errors transmitted for Bad BGP Rtr ID.
TxOpCodeUnsuppOption Displays the open errors transmitted for Unsupported Option.
TxOpCodeAuthFail Displays the open errors transmitted for Auth Failures.
TxOpCodeBadHold Displays the open errors transmitted for Bad Hold Value.
TxUpdCodeMalformedAttrList Displays the update errors transmitted for Malformed Attr List.
TxUpdCodeWelknownAttrUnrecog Displays the update errors transmitted for Welknown Attr
Unrecog.
TxUpdCodeWelknownAttrMiss Displays the update errors transmitted for Welknown Attr
Missing.
TxUpdCodeAttrFlagError Displays the update errors transmitted for Attr Flag Error.
TxUpdCodeAttrLenError Displays the update errors transmitted for Attr Len Error.
TxUpdCodeBadORIGINAttr Displays the update errors transmitted for Bad ORIGIN Attr.
TxUpdCodeASRoutingLoop Displays the update errors transmitted for AS Routing Loop.
TxUpdCodeBadNHAttr Displays the update errors transmitted for Bad NEXT-HOP Attr.
TxUpdCodeOptionalAttrError Displays the update errors transmitted for Optional Attr Error.
TxUpdCodeBadNetworkField Displays the update errors transmitted for Bad Network Field.
TxUpdCodeMalformedASPath Displays the update errors transmitted for Malformed AS Path.

Configure Aggregate Routes


Configure aggregate routes so that the router advertises a single route (aggregate route) that
represents all destinations. Aggregate routes also reduce the size of routing tables.

Before You Begin


• Enable aggregate routes globally.
• You need the appropriate aggregate address and mask.
• If required, ensure the required policies exist.
• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Aggregates tab.
4. Click Insert.
5. Configure the aggregate Address and PrefixLen.
6. Select AsSetGenerate or SummaryOnly as required.
7. Configure policies for the aggregate route.
8. Select Insert.


Aggregates field descriptions


Use the data in the following table to use the Aggregates tab.

Name Description
Address Specifies the aggregate IP address.
PrefixLen Specifies the aggregate PrefixLen.
AsSetGenerate Enables or disables AS-set path information generation. The
default is disable.
SummaryOnly Enables or disables the summarization of routes in routing
updates. Enable this parameter to create the aggregate route
and suppress advertisements of more-specific routes to all
neighbors. The default is disable.
SuppressPolicy Specifies the route policy (by name) used for the suppressed
route list. Enable this parameter to create the aggregate route
and suppress advertisements of the specified routes.
AdvertisePolicy Specifies the route policy (by name) used for route
advertisements. The route policy selects the routes that create
AS-set origin communities.
AttributePolicy Specifies the route policy (by name) used to determine
aggregate route attributes.

Configure Aggregate IPv6 Routes


Configure IPv6 aggregate routes so that the router advertises a single route (aggregate route) that
represents all destinations. Aggregate routes also reduce the size of routing tables.

To configure aggregate routes for IPv4, see Configure Aggregate Routes on page 482.

Before You Begin


• Aggregate routes are enabled.
• You have determined the appropriate aggregate prefix and length.
• If required, policies exist.
• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select BGP+.
3. Select the Aggregates tab.
4. Select Insert.
5. Specify the aggregate Address and PrefixLen.
6. (Optional) Configure AsSetGenerate and SummaryOnly as required.
7. (Optional) Configure policies for the aggregate route.
8. Select Insert.

Aggregates field descriptions


Use the data in the following table to use the Aggregates tab.

Name Description
Address Specifies the aggregate address. The default is
none.
PrefixLen Specifies the length of the prefix (in bits).
AsSetGenerate Enables or disables AS-set path information
generation. The default is disable.
SummaryOnly Enables or disables the summarization of routes in
routing updates. Enable this parameter to create
the aggregate route and suppress advertisements
of more-specific routes to all neighbors. The
default is disable.
SuppressPolicy Specifies the route policy (by name) used for
the suppressed route list. Enable this parameter
to create the aggregate route and suppress
advertisements of the specified routes.
AdvertisePolicy Specifies the route policy (by name) used for
route advertisements. The route policy selects the
routes that create AS-set origin communities.
AttributePolicy Specifies the route policy (by name) used to
determine aggregate route attributes.
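
The effect of SummaryOnly and SuppressPolicy described in the IPv4 and IPv6 Aggregates field descriptions can be modelled as follows. This is an added example, not code from the guide or from VOSS: the function name, the prefixes, and the modelling of a suppress policy as a plain list of prefixes are assumptions, as is the standard BGP behaviour that the aggregate is advertised only when at least one more-specific route exists. AsSetGenerate is not modelled.

```python
import ipaddress


def sort_key(net):
    """Order prefixes by IP version, then address, then prefix length."""
    return (net.version, int(net.network_address), net.prefixlen)


def advertised_prefixes(routes, aggregate, summary_only=False, suppressed=()):
    """Return the prefixes advertised to neighbors for one aggregate entry.

    routes       -- prefixes BGP would otherwise advertise (constructed input)
    aggregate    -- the aggregate Address/PrefixLen, for example "10.1.0.0/22"
    summary_only -- models the SummaryOnly field
    suppressed   -- prefixes selected by a SuppressPolicy (hypothetical model)
    """
    agg = ipaddress.ip_network(aggregate)
    nets = [ipaddress.ip_network(r) for r in routes]
    suppressed_nets = {ipaddress.ip_network(s) for s in suppressed}

    # More-specific routes that fall inside the aggregate.
    contributors = {
        n for n in nets
        if n.version == agg.version and n != agg and n.subnet_of(agg)
    }

    advertised = set()
    for n in nets:
        # SummaryOnly hides every more-specific route; a suppress policy
        # hides only the routes it selects.
        if n in contributors and (summary_only or n in suppressed_nets):
            continue
        advertised.add(n)

    # Assumption: the aggregate exists only while a contributing route does.
    if contributors:
        advertised.add(agg)

    return [str(n) for n in sorted(advertised, key=sort_key)]


# Constructed sample routes (documentation and private address space).
SAMPLE_ROUTES = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    print(advertised_prefixes(SAMPLE_ROUTES, "10.1.0.0/22"))
    print(advertised_prefixes(SAMPLE_ROUTES, "10.1.0.0/22", summary_only=True))
    print(advertised_prefixes(SAMPLE_ROUTES, "10.1.0.0/22",
                              suppressed=["10.1.2.0/24"]))
```

With SummaryOnly left at its default of disable, neighbors still receive every more-specific route alongside the aggregate, so internal addressing detail stays visible to them.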

Configure Allowed Networks


Configure network addresses to determine the network addresses that BGP advertises. The allowed
addresses determine the BGP networks that originate from the switch.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Network tab.
4. Select Insert.
5. Configure the network address, mask, and metric.
6. Select Insert.


Network field descriptions


Use the data in the following table to use the Network tab.

Name Description
NetworkAfAddr Specifies the network prefix that BGP advertises.
NetworkAfPrefixLen Specifies the prefix length of the network address.
NetworkAfMetric Specifies the metric to use when the system sends an update for the
routes in the network table. The metric configures the MED for the
routes advertised to eBGP peers. The range is 0–65535.

Configure Allowed IPv6 Networks


Configure IPv6 network addresses to determine the network addresses that BGP advertises. The
allowed addresses determine the BGP networks that originate from the switch.

To configure allowed IPv4 networks, see Configure Allowed Networks on page 484.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select BGP+.
3. Select the Network tab.
4. Select Insert.
5. Configure the network address, prefix length, and metric.
6. Select Insert.

Network field descriptions


Use the data in the following table to use the Network tab.

Name Description
NetworkAfAddr Specifies the network prefix that BGP advertises.
The default is none.
NetworkAfPrefixLen Specifies the network prefix length. The default is
none.
NetworkAfMetric Specifies the metric used when an update is sent
for the routes in the network table. The metric
configures the MED for the routes advertised to
EBGP peers. The range is 0 to 65535. The default
is 0.


Configure BGP Peers


Configure BGP peers to connect two routers to each other for the purpose of exchanging routing
information. BGP peers exchange complete routing information only after they establish the peer
connection.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Peers tab.
4. Select Insert.
5. Configure the peer as required.
6. Select Insert.
7. In the Enable column, double-click the value, and then select true.
By default, new peer configuration parameters are disabled.
8. Select Apply.
9. To modify a peer configuration, double-click the value, and then select a new value.
10. Select Apply.

Peers Field Descriptions


Use the data in the following table to use the Peers tab.

Name Description
Instance Specifies the BGP peer instance.
LocalAddrType Specifies the local IP address type of the entered BGP peer.
LocalAddr Specifies the local IP address of the entered BGP peer.
RemoteAddrType Specifies the remote IP address type of the entered BGP peer.
RemoteAddr Specifies the remote IP address of the entered BGP peer.
AdminStatus Specifies the administrative status of the BGP peer.
GroupName Specifies the peer group name to which the peer belongs
(optional).
PeerState Specifies the BGP peer connection state.
RemoteAs Configures a remote AS number for the peer or peer-group in the
range 0–65535.
Enable Controls whether the peer connection is enabled or disabled. The
default is disabled.
EbgpMultiHop Enables or disables a connection to a BGP peer that is more than
one hop away from the local router. The default value is disable.
RoutePolicyIn Specifies the policy (by name) that applies to all network routes
learned from this peer.
RoutePolicyOut Specifies the policy (by name) that applies to all outgoing route
updates.
RemovePrivateAs Strips (when enabled) private AS numbers when the switch sends
an update. The default is enable.
UpdateSourceInterface Specifies the source IP address to use when the switch sends
eBGP packets to this peer or peer group.
ConnectRetryInterval Specifies the time interval, in seconds, for the connect retry timer.
The suggested value for this timer is 120 seconds. The range is 1 to
65535.
HoldTimeConfigured Specifies the time interval, in seconds, for the hold time for this
BGP speaker with this peer. This value is in an open message sent
to this peer by this BGP speaker. To determine the hold time with
the peer, the switch compares this value with the HoldTime value
in an open message received from the peer. The HoldTime must
be at least three seconds. If the value is zero, the hold time does
not establish with the peer. The suggested value for this timer is
180 seconds. The range is 0 to 65535.
KeepAliveConfigured Specifies the time interval, in seconds, for the KeepAlive
timer configured for this BGP speaker with this peer.
KeepAliveConfigured determines the keep alive message
frequency relative to HoldTimeConfigured; KeepAlive indicates
the actual time interval for the keep alive messages. The
maximum value for this timer is one-third of HoldTimeConfigured.
If KeepAliveConfigured is zero, no periodic keep alive messages
are sent to the peer after the peers establish a BGP connection.
Configure a value of 60 seconds. The range is 0 to 21845.
MD5Authentication Enables and disables MD5 authentication.
AdvertisementInterval Specifies the time interval, in seconds, that elapses between
each transmission of an advertisement from a BGP neighbor. The
default value is 30 seconds and the range is 5–120 seconds.
BGP implements the route advertisement interval by time
stamping each route when it is advertised. BGP compares the
route advertisement interval with the time stamp to decide
whether a route advertisement can be sent or must be delayed
when a better route is received. This feature does not work for
a withdrawn route because the route entry is already removed
when the route advertisement is processed and sent, so the time
stamp in the route entry cannot be obtained.
DefaultOriginate When enabled, specifies that the current route originated from
the BGP peer. This parameter enables or disables sending the
default route information to the specified neighbor or peer. The
default value is false.
DefaultOriginateIpv6 When enabled, specifies that the current IPv6 route originated
from the BGP peer. This parameter enables or disables sending
the default IPv6 route information to the specified neighbor or
peer. The default value is false.
Weight Specifies the peer or peer group weight, or the priority of updates
the system can receive from this BGP peer. The default value is
100 and the range is 0–65535.
MaxPrefix Configures a limit on the number of routes accepted from a
neighbor. The default value is 12000 routes and the range is 0–
2147483647.
A value of 0 means no limit exists.
NextHopSelf Specifies that the next-hop attribute in an iBGP update is the
address of the local router or the router that generates the iBGP
update. The default is disable.
RouteReflectorClient Specifies that this peer is a route reflector client.

Note:
This parameter only applies to VRF 0.

SoftReconfigurationIn When enabled, the router relearns routes from the specified
neighbor or group of neighbors without restarting the connection
after the policy changes in the inbound direction. The default
value is disable.
Enabling SoftReconfigurationIn stores all BGP routes in local
memory (even non-best routes).
DebugMask Displays the specified debug information for the BGP peer. The
default value is none.
• None disables all debug messages.
• Event enables the display of debug event messages.
• State enables display of debug state transition messages.
• Update enables display of debug messages related to updates
transmission and reception.
• Error enables the display of debug error messages.
• Trace enables the display of debug trace messages.
• Init enables the display of debug initialization messages.
• All enables all debug messages.
• Packet enables the display of debug packet messages.
• Warning enables the display of debug warning messages.
• Filter enables the display of debug messages related to
filtering.

SendCommunity Enables or disables sending the community attribute of the
update message to the specified peer. The default value is disable.
Vpnv4Address Specifies the vpnv4 routes.
IpvpnLiteCap Enable or disable IP VPN-lite capability on the BGP neighbor
peer.
Ipv6Cap Enable or disable the IPv6 capability on the BGP neighbor peer.
The default value is disable.
SooAddress Specifies the site-of-origin (SoO) address of the BGP peer.
SooAsNumber Specifies the site-of-origin (SoO) Autonomous System (AS)
number of the BGP peer.
SooAssignedNum Specifies the site-of-origin (SoO) assigned number of the BGP
peer.
SooType Specifies the site-of-origin (SoO) type of the BGP peer.
RouteRefresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to resend
all route updates in the database that are eligible for the peer that
issues the request. This parameter only applies to VRF 0.
AsOverride Specifies that the AS Override parameter can be enabled or
disabled for the BGP peer. The default is disable.
Note:
This field does not apply on all
hardware platforms.

AllowAsIn Specifies the number of AS-in allowed for the BGP peer. The
range is 1–10.
Note:
This field does not apply on all
hardware platforms.

Ipv6RoutePolicyIn Specifies the policy (by name) that applies to all network IPv6
routes learned from this peer.
Ipv6RoutePolicyOut Specifies the policy (by name) that applies to all outgoing IPv6
route updates.
Ipv6MaxPrefix Configures a limit on the number of IPv6 routes accepted from a
neighbor.
A value of 0 means no limit exists.
BfdEnable Enables Bidirectional Forwarding Detection (BFD) for this BGP
peer.

Configure BGPv6 Peers


Configure BGPv6 peers to connect two routers to each other for the purpose of exchanging routing
information. BGPv6 peers exchange complete routing information only after they establish the peer
connection.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select BGP+.
3. Select the Peers tab.
4. Select Insert.
5. Configure the peer, as required.


6. Select Insert.
7. In the Enable column, double-click the value, and then select enable.
By default, new peer configuration parameters are disabled.
8. Select Apply.
9. To modify a peer configuration, double-click the value, and then select a new value.
10. Select Apply.

Peers Field Descriptions


Use the data in the following table to use the Peers tab.

Name Description
RemoteAddr Specifies the remote IPv6 address of the entered BGP+ peer.
GroupName Specifies the peer group name to which the peer belongs
(optional).
PeerState Specifies the BGPv6 peer connection state.
RemoteAs Configures a remote AS number for the peer or peer-group in the
range 0 to 65535.
Enable Controls whether the peer connection is enabled or disabled. The
default is disabled.
EbgpMultiHop Enables or disables a connection to a BGPv6 peer that is more
than one hop away from the local router. The default value is
disable.
RoutePolicyIn Specifies the policy (by name) that applies to all network routes
learned from this peer.
RoutePolicyOut Specifies the policy (by name) that applies to all outgoing route
updates.
RemovePrivateAs Strips (when enabled) private AS numbers when the switch sends
an update. The default is enable.
UpdateSourceInterface Specifies the source IP address to use when the switch sends
eBGP packets to this peer or peer group.
ConnectRetryInterval Specifies the time interval, in seconds, for the connect retry timer.
The suggested value for this timer is 120 seconds. The range is 1 to
65535.
HoldTimeConfigured Specifies the time interval, in seconds, for the hold time for this
BGP speaker with this peer. This value is in an open message sent
to this peer by this BGP speaker. To determine the hold time with
the peer, the switch compares this value with the HoldTime value
in an open message received from the peer. The HoldTime must
be at least three seconds. If the value is zero, the hold time does
not establish with the peer. The suggested value for this timer is
180 seconds. The range is 0 to 65535.
KeepAliveConfigured Specifies the time interval, in seconds, for the KeepAlive
timer configured for this BGP speaker with this peer.
KeepAliveConfigured determines the keep alive message
frequency relative to HoldTimeConfigured; KeepAlive indicates
the actual time interval for the keep alive messages. The
maximum value for this timer is one-third of HoldTimeConfigured.
If KeepAliveConfigured is zero, no periodic keep alive messages
are sent to the peer after the peers establish a BGP connection.
Configure a value of 60 seconds. The range is 0 to 21845.
MD5Authentication Enables and disables MD5 authentication.
AdvertisementInterval Specifies the time interval, in seconds, that elapses between each
transmission of an advertisement from a BGPv6 neighbor. The
default value is 30 seconds and the range is 5 to 120 seconds.
BGP implements the route advertisement interval by time
stamping each route when it is advertised. BGP compares the
route advertisement interval with the time stamp to decide
whether a route advertisement can be sent or must be delayed
when a better route is received. This feature does not work for
a withdrawn route because the route entry is already removed
when the route advertisement is processed and sent, so the time
stamp in the route entry cannot be obtained.
DefaultOriginateIpv6 When enabled, specifies that the current IPv6 route originated
from the BGP peer. This parameter enables or disables sending
the default IPv6 route information to the specified neighbor or
peer. The default value is false.
Weight Specifies the peer or peer group weight, or the priority of updates
the system can receive from this BGP peer. The default value is
100 and the range is 0 to 65535.
MaxPrefix Configures a limit on the number of routes accepted from a
neighbor. The default value is 12000 routes and the range is 0
to 2147483647.
A value of 0 means no limit exists.
NextHopSelf Specifies that the next-hop attribute in an iBGP update is the
address of the local router or the router that generates the iBGP
update. The default is disable.
RouteReflectorClient Specifies that this peer is a route reflector client.

Note:
This parameter only applies to VRF 0.

SoftReconfigurationIn When enabled, the router relearns routes from the specified
neighbor or group of neighbors without restarting the connection
after the policy changes in the inbound direction. The default
value is disable.
Enabling SoftReconfigurationIn stores all BGP routes in local
memory (even non-best routes).
DebugMask Displays the specified debug information for the BGP peer. The
default value is none.
• None disables all debug messages.
• Event enables the display of debug event messages.
• State enables display of debug state transition messages.
• Update enables display of debug messages related to updates
transmission and reception.
• Error enables the display of debug error messages.
• Trace enables the display of debug trace messages.
• Init enables the display of debug initialization messages.
• All enables all debug messages.
• Packet enables the display of debug packet messages.
• Warning enables the display of debug warning messages.
• Filter enables the display of debug messages related to
filtering.

SendCommunity Enables or disables sending the community attribute of the
update message to the specified peer. The default value is disable.
IpvpnLiteCap Enable or disable IP VPN-lite capability on the BGP neighbor
peer.
Ipv6Cap Enable or disable the IPv6 capability on the BGP neighbor peer.
The default value is disable.
RouteRefresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to resend
all route updates in the database that are eligible for the peer that
issues the request. This parameter only applies to VRF 0.
AsOverride Specifies that the AS Override parameter can be enabled or
disabled for the BGP peer. The default is disable.
Note:
This field does not apply on all
hardware platforms.

AllowAsIn Specifies the number of AS-in allowed for the BGP peer. The
range is 1–10.
Note:
This field does not apply on all
hardware platforms.

Ipv6RoutePolicyIn Specifies the policy (by name) that applies to all network IPv6
routes learned from this peer.
Ipv6RoutePolicyOut Specifies the policy (by name) that applies to all outgoing IPv6
route updates.
Ipv6MaxPrefix Configures a limit on the number of IPv6 routes accepted from a
neighbor.
A value of 0 means no limit exists.
BfdEnable Enables Bidirectional Forwarding Detection (BFD) for this peer.
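
The ranges and timer relationships in the IPv4 and IPv6 Peers field descriptions can be checked before a peer is enabled. The following is an added example, not code from the guide or from VOSS: the field names and ranges come from the tables above, while the dict representation, the Python booleans for enable/disable fields, the sample peers, and the choice of hardening warnings are assumptions of this example.

```python
# Numeric ranges stated in the Peers field descriptions.
RANGES = {
    "RemoteAs": (0, 65535),
    "ConnectRetryInterval": (1, 65535),
    "HoldTimeConfigured": (0, 65535),
    "KeepAliveConfigured": (0, 21845),
    "AdvertisementInterval": (5, 120),
    "Weight": (0, 65535),
    "MaxPrefix": (0, 2147483647),
    "AllowAsIn": (1, 10),
}


def audit_peer(peer):
    """Return (errors, warnings) for one peer given as a dict of field values.

    Errors violate a constraint documented in the field descriptions.
    Warnings are hardening checks chosen for this example.
    """
    errors, warnings = [], []

    for field, (low, high) in RANGES.items():
        value = peer.get(field)
        if value is not None and not low <= value <= high:
            errors.append(f"{field}={value} is outside the range {low} to {high}")

    hold = peer.get("HoldTimeConfigured")
    keep = peer.get("KeepAliveConfigured")
    if hold is not None:
        if hold == 0:
            warnings.append("HoldTimeConfigured=0: the hold time does not establish with the peer")
        elif hold < 3:
            errors.append(f"HoldTimeConfigured={hold}: must be at least three seconds")
        # The keepalive timer may be at most one-third of the hold time.
        if keep is not None and keep * 3 > hold:
            errors.append(
                f"KeepAliveConfigured={keep} exceeds one-third of HoldTimeConfigured={hold}"
            )
    if keep == 0:
        warnings.append("KeepAliveConfigured=0: no periodic keepalive messages are sent")

    # Hardening checks (assumptions of this example, not rules from the guide).
    if not peer.get("MD5Authentication"):
        warnings.append("MD5Authentication is disabled for this peer")
    for field in ("MaxPrefix", "Ipv6MaxPrefix"):
        if peer.get(field) == 0:
            warnings.append(f"{field}=0: no limit on routes accepted from this neighbor")
    if not peer.get("RoutePolicyIn"):
        warnings.append("RoutePolicyIn is not set: no inbound policy applies to learned routes")
    if peer.get("EbgpMultiHop"):
        warnings.append("EbgpMultiHop is enabled: confirm the peer is meant to be more than one hop away")

    return errors, warnings


# Constructed sample peers; the AS numbers and policy name are placeholders.
PEER_OK = {
    "RemoteAs": 65001, "ConnectRetryInterval": 120,
    "HoldTimeConfigured": 180, "KeepAliveConfigured": 60,
    "AdvertisementInterval": 30, "Weight": 100, "MaxPrefix": 12000,
    "MD5Authentication": True, "EbgpMultiHop": False,
    "RoutePolicyIn": "EXAMPLE-IN",
}
PEER_BAD = {
    "RemoteAs": 65002, "HoldTimeConfigured": 90, "KeepAliveConfigured": 60,
    "AdvertisementInterval": 2, "MaxPrefix": 0,
    "MD5Authentication": False, "EbgpMultiHop": True, "RoutePolicyIn": "",
}

if __name__ == "__main__":
    for name, peer in (("PEER_OK", PEER_OK), ("PEER_BAD", PEER_BAD)):
        errs, warns = audit_peer(peer)
        print(name, "errors:", errs, "warnings:", warns)
```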


Configure Peer Groups


Configure or edit peer groups to create update policies for neighbors in the same group.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure
1. In the navigation pane, expand Configuration > IP.
2. Select BGP.
3. Select the Peer Groups tab.
You can modify an existing parameter by double-clicking the value.
4. Select Insert.
5. Configure the peer group as required.
6. Select Apply.

Peer Groups field descriptions


Use the data in the following table to use the Peer Groups tab.

Name Description
Index Specifies the index of this peer group.
GroupName Specifies the peer group to which this neighbor belongs
(optional).
Enable Enables or disables the peer group.
RemoteAs Configures a remote AS number for the peer-group in the range
0–65535.
DefaultOriginate When enabled, the BGP speaker (the local router) sends the
default route 0.0.0.0 to a group of neighbors for use as a default
route. The default is disabled.
DefaultOriginateIpv6 When enabled, the BGP speaker (the local router) sends the
default route to a group of neighbors for use as a default route.
The default is disabled.
EbgpMultiHop When enabled, the switch accepts and attempts BGP connections
to external peers that reside on networks that do not directly
connect. The default is disabled.
AdvertisementInterval Specifies the time interval, in seconds, that elapses between BGP
routing updates. The default value is 30 seconds.
KeepAlive Specifies the time interval, in seconds, between sent BGP keep
alive messages to remote peers. The default value is 60.
HoldTime Configures the hold time for the group of peers in seconds. Use
a value that is three times the value of the KeepAlive time. The
default value is 180.
Weight Assigns an absolute weight to a BGP network. The default value is
100.
MaxPrefix Limits the number of routes accepted from this group of
neighbors. A value of zero indicates no limit. The default value
is 12,000 routes.
NextHopSelf Specifies that the switch must set the NextHop attribute to the
local router address before sending updates to remote peers.
RoutePolicyIn Specifies the route policy that applies to all networks learned from
this group of peers.
RoutePolicyOut Specifies the route policy that applies to all outgoing updates to
this group of peers.
RouteReflectorClient Specifies that this peer group is a route reflector client.

Note:
This parameter only applies to VRF 0.

SoftReconfigurationIn When enabled, the router relearns routes from the specified
neighbor or group of neighbors without restarting the connection
after the policy changes in the inbound direction. The default
value is enable.
Enabling SoftReconfigurationIn stores all BGP routes in local
memory (even non-best routes).
MD5Authentication Enables and disables MD5 authentication. The default is disable.
RemovePrivateAs Strips (when enabled) private AS numbers when the switch sends
an update. The default is enable.
SendCommunity Enables or disables sending the community attribute of the
update message to the specified peer group. The default value
is disable.
AfUpdateSourceInterfaceType Specifies the interface type.
AfUpdateSourceInterface Specifies the IP address used for circuitless IP (CLIP) for this peer
group.
Vpnv4Address Enables BGP address families for IPv4 (BGP) and Layer 3 VPN
(MP-BGP) support. Enable this parameter for VPN/VRF Lite
routes.
IpvpnLiteCap Specifies (when enabled) that IP VPN Lite capability can be
enabled or disabled on the BGP neighbor peer. The default is
disable.
RouteRefresh Enables or disables route refresh. If enabled, a route refresh
request received by a BGP speaker causes the speaker to resend
all route updates in the database that are eligible for the peer that
issues the request. This parameter only applies to VRF 0.
AsOverride Specifies that the AS Override parameter can be enabled or
disabled for the BGP peer group. The default is disable.
AllowedAsIn Specifies the number of AS-in allowed for the BGP peer group.
The range is 1–10.
IPv6Cap Enable or disable the IPv6 capability on the BGP neighbor peer.
The default value is disable.
Ipv6RoutePolicyIn Specifies the policy (by name) that applies to all network IPv6
routes learned from this peer.
Ipv6RoutePolicyOut Specifies the policy (by name) that applies to all outgoing IPv6
route updates.
Ipv6MaxPrefix Configures a limit on the number of IPv6 routes accepted from a
neighbor.
A value of 0 means no limit exists.
BfdEnable Enables Bidirectional Forwarding Detection (BFD) for the BGP
peer group.

View IPv6 Community Attributes


View IPv6 community attributes for specific routes to utilize the update message fields to communicate
information between BGP speakers. Use the Path Attribute values to specify the prefixes that the BGP
session can exchange, or which of the multiple paths of a specified prefix to use.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select BGP+.
3. Select the Bgp Route Summary tab.
4. Select a route for which you want to view the route summary information.
5. Select the Route Comm Attr option on the menu.
The BGP Path Attributes tab opens with the BGP IPv6 community attribute information.

BGP Path Attributes Field Descriptions


Use the data in the following table to use the BGP Path Attributes tab.

Name Description
Origin Specifies the ultimate origin of the path information.
NextHopAddr Specifies the address of the border router that is used to
access the destination network. This address is the nexthop
address received in the UPDATE packet associated with this
prefix.

Med This metric is used to discriminate between multiple exit
points to an adjacent autonomous system. When the MED
value is absent but has a calculated default value, this object
will contain the calculated value.
LocalPref Specifies the value used during route decision process in the
BGP protocol. Applicable to BGP only.
AggregatorAS Specifies the AS number of the last BGP4 speaker that
performed route aggregation. If the AGGREGATOR path
attribute is absent, this object will not be present in the
conceptual row.
AggregatorAddr Specifies the IP address of the last BGP4 speaker that
performed route aggregation. If the AGGREGATOR path
attribute is absent, this object will not be present in the
conceptual row.
String This is a string representing the autonomous system path
to the network which was received from the peer which
advertised it. The format of the string is implementation-
dependent, and is designed for operator readability.

Note:
SnmpAdminString is only capable of representing a
maximum of 255 characters. This may lead to the string
being truncated in the presence of a large AS Path.

Display Dampened Routes Information


Display dampened path information to see which routes are suppressed.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.
• Enable dampened routes.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Dampened Routes tab.


Dampened Routes field descriptions


Use the data in the following table to use the Dampened Routes tab.

Name Description
IpAddrPrefix Specifies the IP address prefix in the NLRI field. This variable
is an IP address that contains the prefix with a length
specified by IpAddrPrefixLen. Bits beyond the length specified by
IpAddrPrefixLen are set to zero.
IpAddrPrefixLen Specifies the length, in bits, of the IP address prefix in the NLRI field.
Peer Specifies the IP address of the peer from which the router learns the
path information.
FlapPenalty Specifies the penalty based on number of route flaps.
FlapCount Specifies the number of times a route flapped (went down and up)
since the last time the penalty was reset to zero.
RouteDampened Indicates whether this route is suppressed or announced.
ReuseTime Specifies the system-configured time for route reuse.

Configure Redistribution to BGP


Configure redistribute entries for BGP to announce routes of a certain source type to BGP, for example,
DvR, direct, static, Routing Information Protocol (RIP), and Open Shortest Path First (OSPF). If you do
not configure a route policy, then the switch uses the default action based on metric, metric type, and
subnet. Use a route policy to perform detailed redistribution.

Before You Begin


• If required, configure a route policy.
• When you configure BGP on a specific VRF instance, the VRF must have an RP trigger of BGP.
• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• Before you redistribute DvR host routes to BGP, ensure that you disable BGP aggregation and
BGP auto-summarization of networks. Disabling these options ensures that all DvR host routes are
advertised into BGP correctly, and are not summarized.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Redistribute tab.
4. Select Insert.
5. Configure the source protocol.
6. (Optional) If required, choose a route policy.
7. Configure the metric to apply to redistributed routes.
8. Enable the redistribution instance.
9. Select Insert.


Redistribute field descriptions


Use the data in the following table to use the Redistribute tab.

Name Description
DstVrfId Specifies the destination VRF instance (read-only).
Protocol Specifies the protocols that receive the redistributed routes.
SrcVrfId Specifies the source VRF instance (read-only).
RouteSource Specifies the source protocol for the route redistribution entry.
Enable Enables (or disables) a BGP redistribute entry for a specified source type.
RoutePolicy Configures the route policy to use for the detailed redistribution of external
routes from a specified source into the BGP domain.
Metric Configures the metric for the redistributed route. The range is
0–65535. The default value is 0. Use a value that is consistent with
the destination protocol.

Configure Redistribution to BGPv6


Configure redistribute entries for BGPv6 to announce routes of a certain source type to BGPv6, for
example, DvR, direct, static, Routing Information Protocol (RIP), and Open Shortest Path First (OSPF).
If you do not configure a route policy, then the switch uses the default action based on metric, metric
type, and subnet. Use a route policy to perform detailed redistribution.

Before You Begin


• If required, configure a route policy.
• When you configure BGPv6 on a specific VRF instance, the VRF must have an RP trigger of BGP.
• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• Before you redistribute DvR host routes to BGPv6, ensure that you disable BGPv6 aggregation and
BGPv6 autosummarization of networks. Disabling these settings ensures that all the DvR host routes
are advertised into BGPv6 correctly, and are not summarized.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select BGP+.
3. Select the Redistribute tab.
4. Select Insert.
5. Configure the source protocol.
6. (Optional) If required, choose a route policy.
7. Configure the metric to apply to redistributed routes.
8. Enable the redistribution instance.
9. Select Insert.


Redistribute field descriptions


Use the data in the following table to use the Redistribute tab.

Name Description
DstVrfId Specifies the destination VRF instance (read-only).
Protocol Specifies the protocols that receive the redistributed routes.

Note:
This field does not apply on all hardware platforms.

SrcVrfId Specifies the source VRF instance (read-only).


RouteSource Specifies the source protocol for the route redistribution entry.
Enable Enables (or disables) a BGPv6 redistribute entry for a specified source type.
RoutePolicy Configures the route policy to use for the detailed redistribution of external
routes from a specified source into the BGPv6 domain.
Metric Configures the metric for the redistributed route. The default value is 0. Use
a value that is consistent with the destination protocol.
MetricType Specifies the metric type.
Specifies a type1 or a type2 metric. For metric type1, the cost of the external
routes is equal to the sum of all internal costs and the external cost. For
metric type2, the cost of the external routes is equal to the external cost
alone.
The default is type2.

View BGP+ or BGPv6 Route Summary Information


You can display current IPv6 BGP+ route information.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select BGP+.
3. Select the Bgp Route Summary tab to view the BGP route summary information.


Bgp Route Summary field descriptions


Use the data in the following table to use the Bgp Route Summary tab.

Name Description
Prefix Specifies the IP address prefix in the Network
Layer Reachability Information (NLRI) field. This
is an IP address that contains the prefix with
a length specified by IpAddrPrefixLen. Any bits
beyond the length specified by IpAddrPrefixLen
are set to zero.
PrefixLen Specifies the length, in bits, of the IP address
prefix in the NLRI field.
LocalAddr The local address of this entry's BGP connection.
RemoteAddr Specifies the IP address of the peer from which
path information was learned.

View BGP Route Summary


Display BGP route summary.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select BGP.
3. Select the Bgp Route Summary tab.

Bgp Route Summary field descriptions


Use the data in the following table to use the Bgp Route Summary tab.

Name Description
Prefix Configures the IP address of the route.
PrefixLen Specifies the IP address and the mask length (the length can be 0–32).
LocalAddr Specifies the local IP address of the entered BGP route.
RemoteAddr Specifies the remote IP address of the entered BGP route.

Configure an AS Path List


Configure an AS path list to restrict the routing information a router learns or advertises to and from a
neighbor. The AS path list acts as a filter that matches AS paths.


Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select Policy.
3. Select the As Path List tab.
4. Select Insert.
5. Enter the appropriate information for your configuration.
6. Select Insert.

As Path List field descriptions


Use the data in the following table to use the As Path List tab.

Name Description
Id Specifies the AS path list.
MemberId Specifies the AS path access list member ID.
Mode Specifies the action to take if the system selects a policy
for a specific route. Select permit (allow the route) or deny
(ignore the route).
AsRegularExpression Specifies the expression to use for the AS path.

Configure a Community Access List


Configure community lists to specify permitted routes by using their BGP community. This list acts as a
filter that matches communities or AS numbers.

Before You Begin


• To perform this procedure on a non-default VRF, you must first change the VRF instance. For
information about how to use EDM for a non-default VRF, see Select and Launch a VRF Context
View on page 3856. All parameters might not be available in non-default VRFs.
• The VRF must have an RP trigger of BGP.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select Policy.
3. Select the Community List tab.
4. Select Insert.
5. Configure the list as required.
6. Select Insert.


Community List field descriptions


Use the data in the following table to use the Community List tab.

Name Description
Id Specifies the community list. The range is 0–1024.
MemberId Specifies the community list member ID. The range is 0–
65535.
Mode Specifies the action to take if the system selects a policy
for a specific route. Select permit (allow the route) or deny
(ignore the route).
Community Specifies the community access list community string.

BGP Configuration Examples

IPv6 Tunnel Configurations for BGP+


You must configure an IPv6 tunnel and static routes at BGP+ peers when you use BGP+.

When BGP+ peers advertise route information, they use Update messages. When route information is
encapsulated in Update messages, BGP+ peers convert their own IPv4 peer addresses to IPv4-mapped
IPv6 addresses and insert them into the next-hop field in the Update message.

When the BGP+ software module receives Update messages, it adds route information to the IPv6
Routing Manager (RTM). These RTM routes contain next-hop addresses from the BGP peer that the
route was learned from. The next-hop addresses are represented as IPv4-mapped IPv6 addresses.

But, because the IPv6 RTM cannot correlate the IPv4-mapped IPv6 address to a specific outgoing
interface, you must create a manually-configured static route to make the link between the BGP peer
and the IPv6 tunnel interface so that traffic can reach networks advertised by the peer.

Following is one way to express a static route in an IPv6–configured tunnel for BGP+:
ipv6 route 0:0:0:0:0:ffff:192.0.2.0/24 cost 1 tunnel 10

Configure the IPv6 tunnel endpoint and the BGP peer to reside on the same switch.

If the IPv6 tunnel endpoint and the BGP peer must reside on different switches, you can terminate the
tunnel on a different switch, but you must consider the following:
• Because the IPv6 tunnel endpoint does not reside on the same switch as the BGP peer, the BGP
device cannot use the tunnel as the outgoing interface. That is, to reach the IPv6-configured tunnel
endpoint, if the BGP peer resides on a different switch from the IPv6 tunnel endpoint, the next-hop
for the manually-configured IPv4-mapped IPv6 static route is the native IPv6 interface next-hop
address.


• The node where the tunnel terminates must contain all of the information needed to route the
packets between the remote IPv6 network clouds.

Note
In order for the tunnel endpoint switch to be aware of all of the necessary IPv6 routes, you
may need to redistribute the BGP routes into OSPFv3.

IPv4-mapped IPv6 addresses


IPv4-mapped IPv6 addresses are IPv4 addresses that the system has mapped into the IPv6 address
space.

The system uses these IPv4-mapped IPv6 addresses for devices that are only IPv4-capable.

An IPv4-mapped address has the first 80 bits set to zeros, the next 16 bits set to ones, and the last
32 bits set to the IPv4 address.

When converted to an IPv4-mapped IPv6 address, an IPv4 device address of 192.0.2.1 would be
represented as one of the following:
• 0:0:0:0:0:FFFF:192.0.2.1
• ::FFFF:192.0.2.1

The following figure illustrates the components in an IPv4-mapped IPv6 address.


Figure 39: IPv4–mapped IPv6 address components
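
The following added example (not part of the original guide) builds the IPv4-mapped form described above and audits a configuration for the static route that links each IPv4 BGP+ peer to a tunnel. The function names are assumptions, and the two sample configurations are constructed from the command forms shown in this chapter.

```python
import ipaddress
import re

# ::ffff:0:0/96 is the IPv4-mapped block: 80 zero bits, then 16 one bits.
MAPPED_NET = ipaddress.IPv6Network("::ffff:0:0/96")

# Command forms as they appear in this chapter (global and router-vrf mode).
NEIGHBOR_RE = re.compile(r"^\s*(?:ip bgp )?neighbor\s+(\S+)\s+address-family\s+ipv6\b")
ROUTE_RE = re.compile(r"^\s*ipv6 route\s+(\S+)\s+cost\s+\d+\s+tunnel\s+(\d+)\b")


def to_mapped(ipv4):
    """Return the IPv4-mapped IPv6 address: zeros, 0xffff, then the IPv4 bits."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(ipv4)))


def cli_form(ipv4):
    """Spell the mapped address in the long form used by the static routes here."""
    return "0:0:0:0:0:ffff:%s" % ipaddress.IPv4Address(ipv4)


def static_route(peer_ipv4, tunnel_id, cost=1):
    """Host route that ties the peer's mapped next hop to a tunnel interface."""
    return "ipv6 route %s/128 cost %d tunnel %d" % (cli_form(peer_ipv4), cost, tunnel_id)


def audit(config_text):
    """Map each IPv4 neighbor that carries IPv6 routes to the tunnel ID of the
    most specific IPv4-mapped static route covering it, or None if none does."""
    peers, routes = [], []
    for line in config_text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            try:
                peers.append(ipaddress.IPv4Address(m.group(1)))
            except ValueError:
                pass  # native IPv6 neighbor: no mapped next hop to resolve
            continue
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.IPv6Network(m.group(1), strict=False)
            if net.subnet_of(MAPPED_NET):
                routes.append((net, int(m.group(2))))
    result = {}
    for peer in peers:
        mapped = to_mapped(str(peer))
        covering = [(net.prefixlen, tid) for net, tid in routes if mapped in net]
        result[str(peer)] = max(covering)[1] if covering else None
    return result


# Constructed sample: the static route points at the peer, as the text requires.
GOOD_CONFIG = """\
router bgp
neighbor "2.2.2.2"
neighbor 2.2.2.2 remote-as 65000
neighbor 2.2.2.2 address-family ipv6
neighbor 2.2.2.2 enable
exit
ipv6 tunnel 10 source 192.0.2.1 address 2001:DB8::/32 destination 192.0.2.2
ipv6 route 0:0:0:0:0:ffff:2.2.2.2/128 cost 1 tunnel 10
"""

# Constructed sample: the static route points at the local address instead of
# the peer, so the peer's mapped next hop has no outgoing interface.
BAD_CONFIG = """\
router bgp
neighbor "192.0.2.2"
neighbor 192.0.2.2 remote-as 65001
neighbor 192.0.2.2 address-family ipv6
neighbor 192.0.2.2 enable
exit
ipv6 tunnel 10 source 192.0.2.1 address 2001:DB8::/32 destination 192.0.2.2
ipv6 route 0:0:0:0:0:ffff:192.0.2.1/128 cost 1 tunnel 10
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        for peer, tunnel in audit(cfg).items():
            if tunnel is None:
                print("%s: peer %s unresolved, add: %s"
                      % (name, peer, static_route(peer, 10)))
            else:
                print("%s: peer %s resolves through tunnel %d" % (name, peer, tunnel))
```
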

eBGP+ peership between two switches with IPv6 Tunneling


The following figure shows a sample network that contains eBGP+ peers using IPv6 tunneling.

Figure 40: eBGP+ peers with IPv6 tunneling


The configuration in the figure, eBGP+ peers with IPv6 tunneling, assumes that the BGP peer IP address
is the next hop.

When you configure the static route for the BGP+ tunnel, you must designate the BGP peer IP address
as the next hop in most cases.

You can configure multiple static routes, using the same tunnel, but you must ensure reachability when
you create the static routes.


R1 configuration
interface GigabitEthernet 3/2
brouter port 3/2 vlan 2090 subnet 192.0.2.1/255.255.255.0 mac-offset 2
exit
#
# BGP CONFIGURATION - GlobalRouter
#
router bgp as-dot enable
router bgp 65000 enable
router bgp
neighbor "192.0.2.2"
neighbor 192.0.2.2 remote-as 65001
neighbor 192.0.2.2 address-family ipv6
neighbor 192.0.2.2 enable
exit
#
# IPV6 CONFIGURATION
#
ipv6 forwarding
#
# IPV6 TUNNEL CONFIGURATION
# The tunnel destination is the IPv4 address of the peer (R2).
#
ipv6 tunnel 10 source 192.0.2.1 address 2001:DB8::/32 destination 192.0.2.2
#
# IPV6 STATIC ROUTE CONFIGURATION
# The route targets the IPv4-mapped IPv6 address of the BGP peer (R2).
#
ipv6 route 0:0:0:0:0:ffff:192.0.2.2/128 cost 1 tunnel 10
#

R2 configuration
interface GigabitEthernet 4/32
brouter port 4/32 vlan 2090 subnet 192.0.2.2/255.255.255.0 mac-offset 2
exit
#
# BGP CONFIGURATION - GlobalRouter
# R2 uses AS 65001, the remote-as that R1 configures for this peer.
#
router bgp as-dot enable
router bgp 65001 enable
router bgp
neighbor "192.0.2.1"
neighbor 192.0.2.1 remote-as 65000
neighbor 192.0.2.1 address-family ipv6
neighbor 192.0.2.1 enable
exit
#
# IPV6 CONFIGURATION
#
ipv6 forwarding
#
# IPV6 TUNNEL CONFIGURATION
#
ipv6 tunnel 10 source 192.0.2.2 address 2001:DB8::/32 destination 192.0.2.1
#
# IPV6 STATIC ROUTE CONFIGURATION
# The route targets the IPv4-mapped IPv6 address of the BGP peer (R1).
#
ipv6 route 0:0:0:0:0:ffff:192.0.2.1/128 cost 1 tunnel 10
#

iBGP+ peership on CLIP between two switches with IPv6 Tunneling


The following figure shows a sample network that contains iBGP+ peers using IPv6 tunneling.

Figure 41: iBGP+ peers on CLIP interfaces with IPv6 tunneling


You must enable OSPF on the interface and globally as well.

If you cannot enable OSPF, you must configure static routes to provide reachability to the BGP+ peer.

The static route must point to the next hop for the routes to be installed in the IPv6 RTM.

The next hop must be the BGP peer IP address.

The IPv4 interfaces do not need to connect directly, but the routing table on each switch must include
the IPv4 interface of the other switch.

iBGP between the CLIP interfaces needs to run OSPF as a routing protocol so that the BGP neighbor
can remain reachable.

eBGP connections cannot use a CLIP interface as an end point.

R1 configuration
interface GigabitEthernet 3/2
brouter port 3/2 vlan 2090 subnet 192.0.2.1/255.255.255.0 mac-offset 2
exit
#
# OSPF CONFIGURATION - GlobalRouter
#
router ospf enable
#
# OSPF PORT CONFIGURATION
#
interface gigabitethernet 3/2
ip ospf enable
exit
#
# CIRCUITLESS IP INTERFACE CONFIGURATION - GlobalRouter
#
interface loopback 1
ip address 1 1.1.1.1/255.255.255.255
ip ospf 1
exit
#
# BGP CONFIGURATION - GlobalRouter
#
router bgp
no synchronization
exit
router bgp as-dot enable
router bgp 65000 enable
router bgp
neighbor "2.2.2.2"
neighbor 2.2.2.2 remote-as 65000
neighbor 2.2.2.2 next-hop-self
neighbor 2.2.2.2 update-source 1.1.1.1
neighbor 2.2.2.2 address-family ipv6
neighbor 2.2.2.2 enable
exit
#
# IPV6 CONFIGURATION
#
ipv6 forwarding
#
# IPV6 TUNNEL CONFIGURATION
#
ipv6 tunnel 10 source 192.0.2.1 address 2001:DB8::/32 destination 192.0.2.2
#
# IPV6 STATIC ROUTE CONFIGURATION
# The route targets the IPv4-mapped IPv6 address of the peer CLIP (2.2.2.2).
#
ipv6 route 0:0:0:0:0:ffff:2.2.2.2/128 cost 1 tunnel 10
#

R2 configuration
interface GigabitEthernet 4/32
brouter port 4/32 vlan 2090 subnet 192.0.2.2/255.255.255.0 mac-offset 2
exit
#
# OSPF CONFIGURATION - GlobalRouter
#
router ospf enable
#
# OSPF PORT CONFIGURATION
#
interface gigabitethernet 4/32
ip ospf enable
exit
#
# CIRCUITLESS IP INTERFACE CONFIGURATION - GlobalRouter
#
interface loopback 1
ip address 1 2.2.2.2/255.255.255.255
ip ospf 1
exit
#
# BGP CONFIGURATION - GlobalRouter
#
router bgp
no synchronization
exit
router bgp as-dot enable
router bgp 65000 enable
router bgp
neighbor "1.1.1.1"
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 next-hop-self
neighbor 1.1.1.1 update-source 2.2.2.2
neighbor 1.1.1.1 address-family ipv6
neighbor 1.1.1.1 enable
exit
#
# IPV6 CONFIGURATION
#
ipv6 forwarding
#
# IPV6 TUNNEL CONFIGURATION
#
ipv6 tunnel 10 source 192.0.2.2 address 2001:DB8::/32 destination 192.0.2.1
#
# IPV6 STATIC ROUTE CONFIGURATION
# The route targets the IPv4-mapped IPv6 address of the peer CLIP (1.1.1.1).
#
ipv6 route 0:0:0:0:0:ffff:1.1.1.1/128 cost 1 tunnel 10
#

Native IPv6 eBGP peership between two switches on VRF


The following figure shows a sample network that contains native IPv6 eBGP peers on VRFs.

Figure 42: Native IPv6 eBGP peers on VRFs


Configure the local AS first on GRT (and it is inherited by all VRFs), and then enable BGP on GRT/VRF.

You must configure the address-family ipv6 option for IPv6 peers; otherwise, the peership forms,
but the peers do not exchange routing updates.


You must configure the ebgp-multihop option for any eBGP peer that is not on one of the local
subnets (remote peers); otherwise, the peership does not form.

Note
The switch does not accept any configuration command for BGP in router-vrf configuration
mode unless a BGP instance associated with the VRF context exists. Use the ip bgp
command in router-vrf configuration mode to create a BGP instance on the VRF.

R1 configuration
#
# VRF CONFIGURATION
#

ip vrf vrf1 vrfid 1


router vrf vrf1
exit
ip vrf vrf2 vrfid 2
router vrf vrf2
exit
#

# PORT CONFIGURATION - PHASE I


#

interface GigabitEthernet 1/1


encapsulation dot1q
exit

#
# VLAN CONFIGURATION
#

vlan members remove 1 1/1,1/46


vlan create 100 type port-mstprstp 0
vlan members 100 1/1 portmember
interface Vlan 100
ip address 100.1.1.1 255.255.255.0 1
ipv6 interface mac-offset 1
ipv6 interface enable
ipv6 interface address 2001:0:100:0:0:0:0:1/64
exit
vlan create 101 type port-mstprstp 0
vlan members 101 1/1 portmember
interface Vlan 101
vrf vrf1
ip address 101.1.1.1 255.255.255.0 2
ipv6 interface mac-offset 2
ipv6 interface enable
ipv6 interface address 2001:0:101:0:0:0:0:1/64
exit
vlan create 102 type port-mstprstp 0
vlan members 102 1/1 portmember
interface Vlan 102
vrf vrf2
ip address 102.1.1.1 255.255.255.0 3
ipv6 interface mac-offset 3
ipv6 interface enable
ipv6 interface address 2001:0:102:0:0:0:0:1/64
ipv6 forwarding


exit

#
# PORT CONFIGURATION - PHASE II
#

interface GigabitEthernet 1/1


default-vlan-id 100
no shutdown
exit

#
# CIRCUITLESS IPV6 INTERFACE CONFIGURATION - GlobalRouter
#

interface loopback 1
ipv6 interface address 1:1:1:1:0:0:0:1/128

exit
#
# CIRCUITLESS IPV6 INTERFACE CONFIGURATION - VRF
#

interface loopback 2
ipv6 interface address 11:1:1:1:0:0:0:1/128 vrf vrf1
exit
interface loopback 3
ipv6 interface address 12:1:1:1:0:0:0:1/128 vrf vrf2
exit

#
# BGP CONFIGURATION - GlobalRouter
#

router bgp
no synchronization
exit
router bgp 1000 enable
router bgp
network 1:1:1:1:0:0:0:1/128 metric 100000
neighbor "2001:0:100:0:0:0:0:2"
neighbor 2001:0:100:0:0:0:0:2 remote-as 10000
neighbor 2001:0:100:0:0:0:0:2 next-hop-self
neighbor 2001:0:100:0:0:0:0:2 ebgp-multihop
neighbor 2001:0:100:0:0:0:0:2 address-family ipv6
neighbor 2001:0:100:0:0:0:0:2 update-source 2001:0:100:0:0:0:0:1
neighbor 2001:0:100:0:0:0:0:2 enable
exit
#
# BGP CONFIGURATION - VRF
#
router vrf vrf1
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp network 11:1:1:1:0:0:0:1/128 metric 100000
ip bgp neighbor "2001:0:101:0:0:0:0:2"
ip bgp neighbor 2001:0:101:0:0:0:0:2 remote-as 10000
ip bgp neighbor 2001:0:101:0:0:0:0:2 next-hop-self
ip bgp neighbor 2001:0:101:0:0:0:0:2 ebgp-multihop
ip bgp neighbor 2001:0:101:0:0:0:0:2 address-family ipv6
ip bgp neighbor 2001:0:101:0:0:0:0:2 update-source 2001:0:101:0:0:0:0:1
ip bgp neighbor 2001:0:101:0:0:0:0:2 enable
exit
router vrf vrf2


ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp network 12:1:1:1:0:0:0:1/128 metric 100000
ip bgp neighbor "2001:0:102:0:0:0:0:2"
ip bgp neighbor 2001:0:102:0:0:0:0:2 remote-as 10000
ip bgp neighbor 2001:0:102:0:0:0:0:2 next-hop-self
ip bgp neighbor 2001:0:102:0:0:0:0:2 ebgp-multihop
ip bgp neighbor 2001:0:102:0:0:0:0:2 address-family ipv6
ip bgp neighbor 2001:0:102:0:0:0:0:2 update-source 2001:0:102:0:0:0:0:1
ip bgp neighbor 2001:0:102:0:0:0:0:2 enable
exit

R2 configuration
#
# VRF CONFIGURATION
#

ip vrf vrf1 vrfid 1


router vrf vrf1
exit
ip vrf vrf2 vrfid 2
router vrf vrf2
exit

#
# PORT CONFIGURATION - PHASE I
#

interface GigabitEthernet 1/1


encapsulation dot1q

exit

#
# VLAN CONFIGURATION
#

vlan members remove 1 1/1


vlan create 100 type port-mstprstp 0
vlan members 100 1/1 portmember
interface Vlan 100

ip address 100.1.1.2 255.255.255.0 1


ipv6 interface mac-offset 1
ipv6 interface enable
ipv6 interface address 2001:0:100:0:0:0:0:2/64
ipv6 forwarding

exit
vlan create 101 type port-mstprstp 0
vlan members 101 1/1 portmember
interface Vlan 101
vrf vrf1
ip address 101.1.1.2 255.255.255.0 2
ipv6 interface mac-offset 2
ipv6 interface enable
ipv6 interface address 2001:0:101:0:0:0:0:2/64
ipv6 forwarding

exit
vlan create 102 type port-mstprstp 0
vlan members 102 1/1 portmember


interface Vlan 102


vrf vrf2
ip address 102.1.1.2 255.255.255.0 3

ipv6 interface mac-offset 3


ipv6 interface enable
ipv6 interface address 2001:0:102:0:0:0:0:2/64
ipv6 forwarding

exit

#
# PORT CONFIGURATION - PHASE II
#

interface GigabitEthernet 1/1


default-vlan-id 100
no shutdown
exit

#
# CIRCUITLESS IPV6 INTERFACE CONFIGURATION - GlobalRouter
#

interface loopback 1
ipv6 interface address 2:2:2:2:0:0:0:2/128
exit

#
# CIRCUITLESS IPV6 INTERFACE CONFIGURATION - VRF
#

interface loopback 2
ipv6 interface address 21:2:2:2:0:0:0:2/128 vrf vrf1
exit
interface loopback 3
ipv6 interface address 22:2:2:2:0:0:0:2/128 vrf vrf2
exit

#
# BGP CONFIGURATION - GlobalRouter
#

router bgp
no synchronization
exit
router bgp 10000 enable
router bgp
neighbor "2001:0:100:0:0:0:0:1"
neighbor 2001:0:100:0:0:0:0:1 remote-as 1000
neighbor 2001:0:100:0:0:0:0:1 next-hop-self
neighbor 2001:0:100:0:0:0:0:1 ebgp-multihop
neighbor 2001:0:100:0:0:0:0:1 address-family ipv6
neighbor 2001:0:100:0:0:0:0:1 update-source 2001:0:100:0:0:0:0:2
neighbor 2001:0:100:0:0:0:0:1 enable
exit

#
# BGP CONFIGURATION - VRF
#

router vrf vrf1


ip bgp
no ip bgp synchronization


ip bgp enable
ip bgp neighbor "2001:0:101:0:0:0:0:1"
ip bgp neighbor 2001:0:101:0:0:0:0:1 remote-as 1000
ip bgp neighbor 2001:0:101:0:0:0:0:1 next-hop-self
ip bgp neighbor 2001:0:101:0:0:0:0:1 ebgp-multihop
ip bgp neighbor 2001:0:101:0:0:0:0:1 address-family ipv6
ip bgp neighbor 2001:0:101:0:0:0:0:1 update-source 2001:0:101:0:0:0:0:2
ip bgp neighbor 2001:0:101:0:0:0:0:1 enable
exit
router vrf vrf2
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp neighbor "2001:0:102:0:0:0:0:1"
ip bgp neighbor 2001:0:102:0:0:0:0:1 remote-as 1000
ip bgp neighbor 2001:0:102:0:0:0:0:1 next-hop-self
ip bgp neighbor 2001:0:102:0:0:0:0:1 ebgp-multihop
ip bgp neighbor 2001:0:102:0:0:0:0:1 address-family ipv6
ip bgp neighbor 2001:0:102:0:0:0:0:1 update-source 2001:0:102:0:0:0:0:2
ip bgp neighbor 2001:0:102:0:0:0:0:1 enable
exit

iBGP over User-created VRFs Configuration Example


This section shows examples of configured internal Border Gateway Protocol (iBGP) IPv4 and IPv6
peers over user-created Virtual Routing and Forwarding (VRF) instances.

Note
The Autonomous System (AS) number configured on the global VRF is inherited by all
user-created VRFs; however, you can override the AS number for a specific user-created VRF.
For more information, see Configure an AS Number for a Non-default VRF on page 456.

IPv4 iBGP Peers Configuration


Configuration on switch 1:
#
# VRF CONFIGURATION
#
ip vrf vrf1 vrfid 1
router vrf vrf1
exit
ip vrf vrf2 vrfid 2
router vrf vrf2
exit
#
# PORT CONFIGURATION - PHASE I
#
interface GigabitEthernet 1/1
encapsulation dot1q
exit
#
# VLAN CONFIGURATION
#
vlan members remove 1 1/1,1/46
vlan create 100 type port-mstprstp 0
vlan members 100 1/1 portmember
interface Vlan 100
ip address 10.10.10.1 255.255.255.0 1
exit


vlan create 101 type port-mstprstp 0


vlan members 101 1/1 portmember
interface Vlan 101
vrf vrf1
ip address 11.10.10.1 255.255.255.0 2
exit
vlan create 102 type port-mstprstp 0
vlan members 102 1/1 portmember
interface Vlan 102
vrf vrf2
ip address 12.10.10.1 255.255.255.0 3
exit
#
# PORT CONFIGURATION - PHASE II
#
interface GigabitEthernet 1/1
default-vlan-id 100
no shutdown
exit
#
# CIRCUITLESS IP INTERFACE CONFIGURATION - GlobalRouter
#
interface loopback 1
ip address 10.1.1.10/32
exit
#
# CIRCUITLESS IP INTERFACE CONFIGURATION - VRF
#
interface loopback 2
ip address 11.1.1.11/32 vrf vrf1
exit
interface loopback 3
ip address 12.1.1.12/32 vrf vrf2
exit
#
# BGP CONFIGURATION - GlobalRouter
#
router bgp
no synchronization
exit
router bgp 1000 enable
router bgp
network 10.1.1.10/32 metric 100000
neighbor "10.10.10.2"
neighbor 10.10.10.2 remote-as 1000
neighbor 10.10.10.2 next-hop-self
neighbor 10.10.10.2 update-source 10.10.10.1
neighbor 10.10.10.2 enable
exit
#
# BGP CONFIGURATION - VRF
#
router vrf vrf1
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp network 11.1.1.11/32 metric 100000
ip bgp neighbor "11.10.10.2"
ip bgp neighbor 11.10.10.2 remote-as 1000
ip bgp neighbor 11.10.10.2 next-hop-self
ip bgp neighbor 11.10.10.2 update-source 11.10.10.1
ip bgp neighbor 11.10.10.2 enable
exit
router vrf vrf2


ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp network 12.1.1.12/32 metric 100000
ip bgp neighbor "12.10.10.2"
ip bgp neighbor 12.10.10.2 remote-as 1000
ip bgp neighbor 12.10.10.2 next-hop-self
ip bgp neighbor 12.10.10.2 update-source 12.10.10.1
ip bgp neighbor 12.10.10.2 enable
exit

Configuration on switch 2:
#
# VRF CONFIGURATION
#
ip vrf vrf1 vrfid 1
router vrf vrf1
exit
ip vrf vrf2 vrfid 2
router vrf vrf2
exit
#
# PORT CONFIGURATION - PHASE I
#
interface GigabitEthernet 1/1
encapsulation dot1q
exit
#
# VLAN CONFIGURATION
#
vlan members remove 1 1/1,1/46
vlan create 100 type port-mstprstp 0
vlan members 100 1/1 portmember
interface Vlan 100
ip address 10.10.10.2 255.255.255.0 1
exit
vlan create 101 type port-mstprstp 0
vlan members 101 1/1 portmember
interface Vlan 101
vrf vrf1
ip address 11.10.10.2 255.255.255.0 2
exit
vlan create 102 type port-mstprstp 0
vlan members 102 1/1 portmember
interface Vlan 102
vrf vrf2
ip address 12.10.10.2 255.255.255.0 3
exit
#
# PORT CONFIGURATION - PHASE II
#
interface GigabitEthernet 1/1
default-vlan-id 100
no shutdown
exit
#
# BGP CONFIGURATION - GlobalRouter
#
router bgp
no synchronization
exit
router bgp 1000 enable
router bgp
neighbor "10.10.10.1"
neighbor 10.10.10.1 remote-as 1000
neighbor 10.10.10.1 next-hop-self
neighbor 10.10.10.1 update-source 10.10.10.2
neighbor 10.10.10.1 enable
exit
#
# BGP CONFIGURATION - VRF
#
router vrf vrf1
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp neighbor "11.10.10.1"
ip bgp neighbor 11.10.10.1 remote-as 1000
ip bgp neighbor 11.10.10.1 next-hop-self
ip bgp neighbor 11.10.10.1 update-source 11.10.10.2
ip bgp neighbor 11.10.10.1 enable
exit
router vrf vrf2
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp neighbor "12.10.10.1"
ip bgp neighbor 12.10.10.1 remote-as 1000
ip bgp neighbor 12.10.10.1 next-hop-self
ip bgp neighbor 12.10.10.1 update-source 12.10.10.2
ip bgp neighbor 12.10.10.1 enable
exit

IPv6 iBGP Peers Configuration


Configuration on switch 1:
#
# VRF CONFIGURATION
#
ip vrf vrf1 vrfid 1
router vrf vrf1
exit
ip vrf vrf2 vrfid 2
router vrf vrf2
exit
#
# PORT CONFIGURATION - PHASE I
#
interface GigabitEthernet 1/1
encapsulation dot1q
exit
#
# VLAN CONFIGURATION
#
vlan members remove 1 1/1,1/46
vlan create 100 type port-mstprstp 0
vlan members 100 1/1 portmember
interface Vlan 100
ipv6 interface mac-offset 1
ipv6 interface enable
ipv6 interface address 2001:DB8:0::1/64
exit
vlan create 101 type port-mstprstp 0
vlan members 101 1/1 portmember
interface Vlan 101
vrf vrf1
ipv6 interface mac-offset 2
ipv6 interface enable
ipv6 interface address 2001:DB8:1::1/64
exit
vlan create 102 type port-mstprstp 0
vlan members 102 1/1 portmember
interface Vlan 102
vrf vrf2
ipv6 interface mac-offset 3
ipv6 interface enable
ipv6 interface address 2001:DB8:2::1/64
exit
#
# PORT CONFIGURATION - PHASE II
#
interface GigabitEthernet 1/1
default-vlan-id 100
no shutdown
exit
#
# CIRCUITLESS IPV6 INTERFACE CONFIGURATION - GlobalRouter
#
interface loopback 1
ipv6 interface address 2001:DB8:2000::1/128
exit
#
# CIRCUITLESS IPV6 INTERFACE CONFIGURATION - VRF
#
interface loopback 2
ipv6 interface address 2001:DB8:2001::1/128 vrf vrf1
exit
interface loopback 3
ipv6 interface address 2001:DB8:2002::1/128 vrf vrf2
exit
#
# BGP CONFIGURATION - GlobalRouter
#
router bgp
no synchronization
exit
router bgp 1000 enable
router bgp
network 2001:DB8:2000::1/128 metric 100000
neighbor "2001:DB8:0::2"
neighbor 2001:DB8:0::2 remote-as 1000
neighbor 2001:DB8:0::2 next-hop-self
neighbor 2001:DB8:0::2 address-family ipv6
neighbor 2001:DB8:0::2 update-source 2001:DB8:0::1
neighbor 2001:DB8:0::2 enable
exit
#
# BGP CONFIGURATION - VRF
#
router vrf vrf1
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp network 2001:DB8:2001::1/128 metric 100000
ip bgp neighbor "2001:DB8:1::2"
ip bgp neighbor 2001:DB8:1::2 remote-as 1000
ip bgp neighbor 2001:DB8:1::2 next-hop-self
ip bgp neighbor 2001:DB8:1::2 update-source 2001:DB8:1::1
ip bgp neighbor 2001:DB8:1::2 address-family ipv6
ip bgp neighbor 2001:DB8:1::2 enable
exit
router vrf vrf2
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp network 2001:DB8:2002::1/128 metric 100000
ip bgp neighbor "2001:DB8:2::2"
ip bgp neighbor 2001:DB8:2::2 remote-as 1000
ip bgp neighbor 2001:DB8:2::2 next-hop-self
ip bgp neighbor 2001:DB8:2::2 update-source 2001:DB8:2::1
ip bgp neighbor 2001:DB8:2::2 address-family ipv6
ip bgp neighbor 2001:DB8:2::2 enable
exit

Configuration on switch 2:
#
# VRF CONFIGURATION
#
ip vrf vrf1 vrfid 1
router vrf vrf1
exit
ip vrf vrf2 vrfid 2
router vrf vrf2
exit
#
# PORT CONFIGURATION - PHASE I
#
interface GigabitEthernet 1/1
encapsulation dot1q
exit
#
# VLAN CONFIGURATION
#
vlan members remove 1 1/1,1/46
vlan create 100 type port-mstprstp 0
vlan members 100 1/1 portmember
interface Vlan 100
ipv6 interface mac-offset 1
ipv6 interface enable
ipv6 interface address 2001:DB8:0::2/64
exit
vlan create 101 type port-mstprstp 0
vlan members 101 1/1 portmember
interface Vlan 101
vrf vrf1
ipv6 interface mac-offset 2
ipv6 interface enable
ipv6 interface address 2001:DB8:1::2/64
exit
vlan create 102 type port-mstprstp 0
vlan members 102 1/1 portmember
interface Vlan 102
vrf vrf2
ipv6 interface mac-offset 3
ipv6 interface enable
ipv6 interface address 2001:DB8:2::2/64
exit
#
# PORT CONFIGURATION - PHASE II
#
interface GigabitEthernet 1/1
default-vlan-id 100
no shutdown
exit
#
# BGP CONFIGURATION - GlobalRouter
#
router bgp
no synchronization
exit
router bgp 1000 enable
router bgp
neighbor "2001:DB8:0::1"
neighbor 2001:DB8:0::1 remote-as 1000
neighbor 2001:DB8:0::1 next-hop-self
neighbor 2001:DB8:0::1 address-family ipv6
neighbor 2001:DB8:0::1 update-source 2001:DB8:0::2
neighbor 2001:DB8:0::1 enable
exit
#
# BGP CONFIGURATION - VRF
#
router vrf vrf1
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp neighbor "2001:DB8:1::1"
ip bgp neighbor 2001:DB8:1::1 remote-as 1000
ip bgp neighbor 2001:DB8:1::1 next-hop-self
ip bgp neighbor 2001:DB8:1::1 update-source 2001:DB8:1::2
ip bgp neighbor 2001:DB8:1::1 address-family ipv6
ip bgp neighbor 2001:DB8:1::1 enable
exit
router vrf vrf2
ip bgp
no ip bgp synchronization
ip bgp enable
ip bgp neighbor "2001:DB8:2::1"
ip bgp neighbor 2001:DB8:2::1 remote-as 1000
ip bgp neighbor 2001:DB8:2::1 next-hop-self
ip bgp neighbor 2001:DB8:2::1 update-source 2001:DB8:2::2
ip bgp neighbor 2001:DB8:2::1 address-family ipv6
ip bgp neighbor 2001:DB8:2::1 enable
exit
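
An added example, not part of the Extreme Networks guide: a Python check that the BGP sections of the two switch listings above mirror each other per VRF (neighbor address, update-source, remote-as, address-family). The parser handles only the command forms that appear in these listings, and SWITCH2_BAD is a constructed fault used to show a finding.

```python
import ipaddress
import re
from collections import defaultdict

GLOBAL = "GlobalRouter"

# BGP lines of the page's IPv6 listings (GlobalRouter and vrf1); the two
# switches differ only in the last hextet, so one template renders both.
TEMPLATE = """
router bgp 1000 enable
router bgp
neighbor "2001:DB8:0::{peer}"
neighbor 2001:DB8:0::{peer} remote-as 1000
neighbor 2001:DB8:0::{peer} address-family ipv6
neighbor 2001:DB8:0::{peer} update-source 2001:DB8:0::{me}
neighbor 2001:DB8:0::{peer} enable
exit
router vrf vrf1
ip bgp
ip bgp enable
ip bgp neighbor "2001:DB8:1::{peer}"
ip bgp neighbor 2001:DB8:1::{peer} remote-as 1000
ip bgp neighbor 2001:DB8:1::{peer} update-source 2001:DB8:1::{me}
ip bgp neighbor 2001:DB8:1::{peer} address-family ipv6
ip bgp neighbor 2001:DB8:1::{peer} enable
exit
"""
SWITCH1 = TEMPLATE.format(me=1, peer=2)
SWITCH2 = TEMPLATE.format(me=2, peer=1)
# Constructed fault: vrf1 on switch 2 sources its session from the vrf2 address.
SWITCH2_BAD = SWITCH2.replace("update-source 2001:DB8:1::2", "update-source 2001:DB8:2::2")


def parse_bgp(config):
    """Return {'local_as': int or None, 'peers': {vrf: {neighbor: attrs}}}."""
    out = {"local_as": None, "peers": defaultdict(dict)}
    ctx = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"router bgp (\d+) enable", line):
            out["local_as"] = int(m.group(1))
        elif line == "router bgp":
            ctx = GLOBAL
        elif m := re.fullmatch(r"router vrf (\S+)", line):
            ctx = m.group(1)
        elif line == "exit":
            ctx = None
        elif ctx is not None:
            # Inside a VRF the listings prefix every BGP command with "ip bgp".
            if ctx != GLOBAL:
                if not line.startswith("ip bgp "):
                    continue
                line = line[len("ip bgp "):]
            m = re.fullmatch(r'neighbor "?([0-9A-Fa-f:.]+)"?(?: (\S+))?(?: (\S+))?', line)
            if not m:
                continue
            addr, key, value = ipaddress.ip_address(m.group(1)), m.group(2), m.group(3)
            peer = out["peers"][ctx].setdefault(addr, {"enable": False, "ipv6_af": False})
            if key == "remote-as":
                peer["remote_as"] = int(value)
            elif key == "update-source":
                peer["update_source"] = ipaddress.ip_address(value)
            elif key == "enable":
                peer["enable"] = True
            elif key == "address-family" and value == "ipv6":
                peer["ipv6_af"] = True
    return out


def check_pair(cfg1, cfg2):
    """Return a list of findings for two directly peering switches."""
    s1, s2 = parse_bgp(cfg1), parse_bgp(cfg2)
    findings = []
    if s1["local_as"] != s2["local_as"]:
        findings.append(f"local AS {s1['local_as']} vs {s2['local_as']}: not iBGP")
    for name, local, remote in (("switch 1", s1, s2), ("switch 2", s2, s1)):
        for vrf, peers in local["peers"].items():
            for addr, p in peers.items():
                where = f"{name} {vrf} neighbor {addr}"
                if p.get("remote_as") != local["local_as"]:
                    findings.append(f"{where}: remote-as is not the local AS")
                if not p["enable"]:
                    findings.append(f"{where}: neighbor never enabled")
                # The page's IPv6 listings set address-family ipv6 on every IPv6 peer.
                if addr.version == 6 and not p["ipv6_af"]:
                    findings.append(f"{where}: address-family ipv6 missing")
                # The far end must list our update-source as its neighbor, in the
                # same VRF, and source its own session from the address we dial.
                mirror = remote["peers"].get(vrf, {}).get(p.get("update_source"))
                if mirror is None or mirror.get("update_source") != addr:
                    findings.append(f"{where}: no mirrored session in {vrf} on the peer")
    return findings


if __name__ == "__main__":
    print(check_pair(SWITCH1, SWITCH2) or "listings are symmetric")
    for finding in check_pair(SWITCH1, SWITCH2_BAD):
        print("FINDING:", finding)
```

A session whose update-source belongs to a different VRF's subnet is reported from both sides, which makes it easy to spot an address copied from the wrong VRF block.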



Chassis Operations
Chassis operations fundamentals on page 520
Chassis operations configuration using the CLI on page 544
Chassis operations configuration using EDM on page 574

The following sections provide information for chassis operations such as hardware and software
compatibility.

Chassis operations fundamentals


This section provides conceptual information for chassis operations such as hardware and software
compatibility and power management. Read this section before you configure the chassis operations.

Management Port
Note
The Management Router for management port configuration is only supported on VSP 8600
Series. For all other platforms, see Segmented Management on page 69.

The management port is a 10/100/1000 Mbps Ethernet port that you can use for an Out-of-Band (OOB)
management connection to the switch. To remotely access the switch using the management port, you
must configure an IP address for the OOB management port.

Management Router VRF


A separate VRF called Management Router (MgmtRouter) is reserved for the OAM (mgmt) port. The
configured IP subnet must be globally unique because the management protocols, for example, SNMP,
Telnet, and FTP, can go through in-band or out-of-band ports. The VRF ID for the Management Router
is 512.

The switch never switches or routes transit packets between the Management Router VRF port and the
Global Router VRF, or between the Management Router VRF and other VRF ports.

The switch honors the VRF of the ingress packet; however, in no circumstance does the switch enable
routing between the Management VRF and Global Router VRF. The switch does not support the
configuration if you have an out-of-band management network with access to the same networks
present in the GRT routing table.

Note
IPv6 is not supported on MgmtRouter.

Non-virtualized client management applications


Do not define a default route in the Management Router VRF. A route originating from the switch and
used for non-virtualized client management applications, such as Telnet, Secure Shell (SSH), and FTP,
will always match a default route defined in the Management Router VRF.

If you want out-of-band management, define a specific static route in the Management Router VRF
to the IP subnet where your management application resides. When you specify a static route in the
Management Router VRF, it enables the client management applications originating from the switch
to perform out-of-band management without affecting in-band management. This enables in-band
management applications to operate in the Global Router VRF.

Non-virtualized client management applications originating from the switch, such as Telnet, SSH, and
FTP, follow the behavior listed below:

1. Look at the Management Router VRF route table.
2. If no route is found, the applications will proceed to look in the Global Router VRF table.

Non-virtualized client management applications include:


• DNS
• FTP client with the copy command
• NTP
• rlogin
• RADIUS authentication and accounting
• SSH
• SNMP clients in the form of traps
• SYSLOG
• TACACS+
• Telnet
• TFTP client

For management applications that originate outside the switch, the initial incoming packets establish a
VRF context that limits the return path to the same VRF context.
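
An added example, not from the guide: a Python model of the lookup order described above for switch-originated clients, showing why a default route in the Management Router VRF captures flows meant for in-band servers. The route tables and addresses are constructed, and the overlap check reflects the guide's statement that the out-of-band network must not reach networks present in the GRT.

```python
import ipaddress

# Constructed tables of (prefix, next hop), using documentation address ranges.
GRT = [("198.51.100.0/24", "connected"), ("0.0.0.0/0", "198.51.100.1")]
MGMT_WITH_DEFAULT = [("192.0.2.0/24", "connected"), ("0.0.0.0/0", "192.0.2.1")]
MGMT_WITH_STATIC = [("192.0.2.0/24", "connected"), ("203.0.113.0/24", "192.0.2.1")]


def longest_match(table, dest):
    """Longest-prefix match of dest against a list of (prefix, next_hop)."""
    dest = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if dest in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def resolve_switch_originated(dest, mgmt_table, grt_table):
    """Lookup order for non-virtualized clients on the switch:
    Management Router VRF first, Global Router VRF only if nothing matches."""
    for vrf, table in (("MgmtRouter", mgmt_table), ("GlobalRouter", grt_table)):
        hit = longest_match(table, dest)
        if hit:
            return vrf, str(hit[0]), hit[1]
    return None


def audit_mgmt_routes(mgmt_table, grt_table):
    """Flag MgmtRouter routes that conflict with the guidance above."""
    findings = []
    grt_nets = [ipaddress.ip_network(p) for p, _ in grt_table]
    for prefix, _ in mgmt_table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            findings.append("default route in MgmtRouter matches every "
                            "switch-originated client flow")
            continue
        for grt_net in grt_nets:
            # Ignore the GRT default route: it overlaps everything by definition.
            if grt_net.prefixlen and net.overlaps(grt_net):
                findings.append(f"{net} in MgmtRouter overlaps {grt_net} in GlobalRouter")
    return findings


if __name__ == "__main__":
    aaa_server = "198.51.100.20"   # constructed in-band TACACS+/RADIUS server
    oob_station = "203.0.113.5"    # constructed out-of-band management station
    for label, mgmt in (("default", MGMT_WITH_DEFAULT), ("static", MGMT_WITH_STATIC)):
        print(label, aaa_server, resolve_switch_originated(aaa_server, mgmt, GRT))
        print(label, oob_station, resolve_switch_originated(oob_station, mgmt, GRT))
        print(label, "audit:", audit_mgmt_routes(mgmt, GRT))
```

With the default route present, authentication and logging traffic for the in-band server leaves through the out-of-band port; with the specific static route it stays in the Global Router VRF.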

Virtualized management applications


Virtualized management applications, such as ping and traceroute, operate using the specified VRF
context. To operate ping or traceroute you must specify the desired VRF context. If not specified, ping
defaults to the Global Router VRF. For example, if you want to ping a device through the out-of-band
management port you must select the Management Router VRF.

Note
IPv6 is not supported on MgmtRouter.

Ping test for IPv4:
Switch:1(config)#ping 192.0.2.1 vrf MgmtRouter
192.0.2.1 is alive
Ping test for IPv6:
Switch:1(config)#ping 2001:db8::1 vrf vrfRED
2001:db8::1 is alive
Traceroute test for IPv4:
Switch:1#traceroute 192.0.2.1 vrf MgmtRouter
Traceroute test for IPv6:
Switch:1#traceroute 2001:db8::1 vrf vrfRED

Entity MIB – Physical Table

Table 58: Entity MIB product support

| Feature | Product | Release introduced |
|---|---|---|
| Entity MIB - Physical Table | VSP 4450 Series | VOSS 6.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.0 |
| | VSP 8400 Series | VOSS 6.0 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | VOSS 8.0.50 |
| Entity MIB enhancements and integration for the following: Physical Table; Alias Mapping Table; Physical Contains Table; Last Change Time object | VSP 4450 Series | VOSS 6.1.2 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.1.2 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.1.2 |
| | VSP 8400 Series | VOSS 6.1.2 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | VOSS 8.0.50 |
| Entity MIB - Logical Table includes the following logical interface entities: VLANs; MLTs; Circuitless IP (CLIP); Fabric Extend interfaces (logical layer 2 and layer 3 IS-IS interfaces) | VSP 4450 Series | VOSS 8.4 |
| | VSP 4900 Series | VOSS 8.4 |
| | VSP 7200 Series | VOSS 8.4 |
| | VSP 7400 Series | VOSS 8.4 |
| | VSP 8200 Series | VOSS 8.4 |
| | VSP 8400 Series | VOSS 8.4 |
| | VSP 8600 Series | Not supported |
| | XA1400 Series | VOSS 8.4 |

The Entity MIB – Physical Table assists in the discovery of functional components on the switch. The
Entity MIB – Physical Table supports a physical interface table that includes information about the
chassis, power supply, fan, I/O cards, console, and management port.

Some hardware platforms support removable interface modules while others offer a fixed configuration.
The names used for these modules can vary depending on the hardware platform.

The following table identifies the entity index range for the switch components.

| Component | Entity index range |
|---|---|
| Chassis | 1 |
| Power supply slot | 3 to 8 |
| Fan tray and fan slot | 9 to 16 |
| I/O slot | 17 to 30 |
| SF Slot | 31 to 36 |
| I/O card or module | 37 to 50 |
| SF Card | 51 to 56 |
| Console port | 57 |
| Console port 2 | 58 |
| Management port | 64 |
| Management port 2 | 65 |
| Power supply | 68 to 73 |
| Fan tray | 74 to 81 |
| Fan module | 82 to 105 |
| Port | 192 to 1023 |
| Pluggable Module and Sensor | 19201 to 102314 |

For more information about Entity MIB – Physical Table, see View Physical Entities on page 578.


High Availability-CPU (HA-CPU)

Table 59: High-Availability product support

| Feature | Product | Release introduced |
|---|---|---|
| High Availability-CPU (HA-CPU) for a standalone switch | VSP 4450 Series | Not Applicable |
| | VSP 4900 Series | Not Applicable |
| | VSP 7200 Series | Not Applicable |
| | VSP 7400 Series | Not Applicable |
| | VSP 8200 Series | Not Applicable |
| | VSP 8400 Series | Not Applicable |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | Not Applicable |
| High Availability-CPU (HA-CPU) for Layer 2 with Simplified vIST | VSP 4450 Series | Not Applicable |
| | VSP 4900 Series | Not Applicable |
| | VSP 7200 Series | Not Applicable |
| | VSP 7400 Series | Not Applicable |
| | VSP 8200 Series | Not Applicable |
| | VSP 8400 Series | Not Applicable |
| | VSP 8600 Series | VSP 8600 6.3 |
| | XA1400 Series | Not Applicable |
| High Availability-CPU (HA-CPU) for Layer 3 with Simplified vIST | VSP 4450 Series | Not Applicable |
| | VSP 4900 Series | Not Applicable |
| | VSP 7200 Series | Not Applicable |
| | VSP 7400 Series | Not Applicable |
| | VSP 8200 Series | Not Applicable |
| | VSP 8400 Series | Not Applicable |
| | VSP 8600 Series | VSP 8600 6.3 |
| | XA1400 Series | Not Applicable |

The High Availability-CPU (HA-CPU) framework supports redundancy at the hardware and application
levels. The CP software runs on an Input/Output control (IOC) module in both slots 1 and 2, and the
HA-CPU feature activates two CPUs simultaneously in primary or standby role. These CPUs exchange
topology data so that, if a failure occurs, one of the CPUs can take over the operations of the other.
You can configure the CPUs to operate in either HA mode or non-HA mode. In HA mode, the two
CPUs synchronize configuration, protocol states, and tables. In non-HA mode, the two CPUs do not
synchronize.

The default mode is HA disabled. To activate HA-CPU mode, use the boot config flags ha-cpu
command. To deactivate HA-CPU mode, use the no boot config flags ha-cpu command.


If you switch from one mode to the other, the standby CP restarts in the specified HA mode (hot
standby) or non-HA mode (warm standby). This does not impact the Input/Output process and there is
no traffic loss on the physical slot of the card.

If a failure occurs and the chassis is configured for either HA mode (hot standby) or non-HA mode
(warm standby), the CP software restarts and runs as standby. The system generates a trap to indicate
the change from hot-standby mode to warm-standby mode.

Note
• The HA-CPU feature provides node-level redundancy. Hot standby mode is not supported
with fabric functionality, which provides network-level redundancy.
• If your switch is in hot standby mode (ha-cpu boot flag is set to true), you must disable
the boot config flag to configure SPBM or vIST on the switch. When the switch is in warm
standby mode (ha-cpu boot flag is set to false), you must disable SPBM and vIST to move
to hot standby mode.
• When you try to switch-over from warm standby mode to hot standby mode using EDM,
the system displays the following error message when you enable the boot config flag for
ha-cpu:
Hot-standby mode cannot be enabled while SPB/VIST features are still
configured.

HA mode
In HA mode, also called hot standby, the platform synchronizes the primary CPU information to the
standby secondary CPU. The platform adds any configuration changes or application table changes to
the primary CPU by using bulk synchronization or incremental synchronization. After synchronization
is complete, both the CPUs contain the same configuration and application tables information.
Applications in HA mode support either full HA implementation or partial HA implementation. In full
HA implementation, both the configuration and runtime application data tables exist on the primary
CPU and the standby CPU.

If the primary CPU fails, the standby CPU takes over the primary responsibility quickly and you do
not see an impact on your network. Also, the IOC and SF modules as well as the full HA applications
continue to operate and the full HA applications run consistency checks to verify the tables.

The following applications support full HA mode:

| Feature | Supported |
|---|---|
| Layer 1 | |
| Port configuration parameters | Yes |
| Layer 2 | |
| Media Access Control security (MACsec) | Yes |
| Multiple Spanning Tree Protocol parameters | Yes |
| Quality of Service (QoS) parameters | Yes |
| Rapid Spanning Tree Protocol parameters | Yes |
| VLAN parameters | Yes |
| Layer 3 | |
| ARP entries | Yes |
| Border Gateway Protocol (BGP) | Partial (configuration only) |
| Dynamic Host Configuration Protocol (DHCP) Relay | Partial (configuration only) |
| Internet Group Management Protocol (IGMP) | Yes |
| IPv6 | Partial (configuration only) |
| Access Control Lists | Yes |
| Open Shortest Path First (OSPF) | Yes |
| Protocol Independent Multicast (PIM) | Partial (configuration only) |
| Prefix lists and route policies | Yes |
| Routing Information Protocol | Yes |
| Router Discovery | Yes |
| Static and default routes | Yes |
| Virtual IP (VLANs) | Yes |
| Virtual Router Redundancy Protocol | Yes |
| Transport Layer | |
| Network Load Balancing (NLB) | Yes |
| Remote Access Dial-In User Services (RADIUS) | Yes |
| Terminal Access Controller Access-Control System plus (TACACS+) | Partial (configuration only) |
| UDP forwarding | Yes |

Partial HA
A few applications in HA mode have partial HA implementation, where the system synchronizes user
configuration data (including interfaces, IPv6 addresses and static routes) from the primary CPU to the
standby CPU. However, for partial HA implementation, the platform does not synchronize dynamic data
learned by protocols. After failure, those applications restart and rebuild their tables, which causes an
interruption to traffic that is dependent on a protocol or application with partial HA support.

The following applications support Partial HA:


• Layer 3
◦ Border Gateway Protocol (BGP)
◦ Dynamic Host Configuration Protocol (DHCP) Relay
◦ Factory defaults flag behavior
◦ IPv6
◦ MACsec Key Agreement
◦ Open Shortest Path First Version 3 for Loopback interfaces
◦ Protocol Independent Multicast-Sparse Mode (PIM-SM)
◦ Protocol Independent Multicast-Source Specific Mode (PIM-SSM)
◦ SHA512 secure password hashing


• Transport Layer
◦ Terminal Access Controller Access Control System plus (TACACS+)

Non-HA mode
In non-HA mode, also called warm standby, the platform does not synchronize the configuration
between the primary CPU and the standby CPU. When failover happens, the standby CPU switches to
primary role, and all the IOCs (except the new primary CPU) are restarted. The new primary CPU loads
the configuration when all the cards are ready. These operations cause an interruption to traffic on all
ports on the chassis.

Note
• When there is a switch-over to warm standby mode, only the RWA access level user can
log in to the new primary CPU console screen.

The remaining users can log in to the CPU console screen only after the primary CP
module reloads the configuration and displays the new login prompt.
• When the platform switches from standby CPU to primary CPU in warm standby mode,
the platform always uses the previously-saved primary configuration file to boot the
chassis on the switch.
• The runtime config file must be present on the flash drive during the boot-up of both the
primary CPU and the standby CPU. If the config file that is used by the primary CPU for
booting is not available on the standby CPU, the standby CPU loads the default config
file. You can run the save config command to synchronize the configuration settings
or copy the boot config file from the primary CPU to the standby CPU. The standby CPU
must be rebooted to load the desired config file.

When the primary CPU is physically removed in warm-standby mode, all cards are
rebooted and the standby CPU switches to the primary role and loads the saved
configuration. If the old primary CPU is physically not plugged in during this time, the
respective slot configuration is not loaded to memory even though the configuration exists
in the config file. When the old primary CPU is re-inserted later, the system considers this
as a first time insertion and loads the default configuration on the inserted CP card. This
is expected behavior in warm-standby mode. To load the configuration for the re-inserted
standby CPU, ensure that the savetostandby boot-flag is set to true after re-inserting
the removed CPU, and run the CLI command source <config-file> on the active
CPU.

HA-CPU support in Simplified vIST


HA-CPU in Simplified vIST configurations enables synchronization of data for Layer 2 and Layer 3
applications between the master CPU and standby CPU, to provide hot standby capability.


Power Manager

Table 60: Power Manager product support

| Feature | Product | Release introduced |
|---|---|---|
| Power Management | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | Not Supported |
| | VSP 7200 Series | Not Supported |
| | VSP 7400 Series | Not Supported |
| | VSP 8200 Series | Not Supported |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | Not Supported |

Power Manager identifies the available power in the chassis (called the power budget), and determines
if enough power is available to operate the installed components. Power Manager also gives you control
over which module slots to supply power to and enables you to prioritize the slots that should shut
down first if there isn’t enough power available.

If the power usage exceeds the power budget, the system powers off the module with the lowest
priority. After a power over-usage occurs, the system uses a Simple Network Management Protocol
(SNMP) trap to send a message to the network administrator configured to receive the trap.

The system compares the total chassis power consumed against the total chassis power available,
and verifies that if one power supply fails, enough power still remains to operate the chassis and
components. If enough power is available to keep all modules powered on in the case of a single failed
power supply, then the system is considered to have redundant power.

Note
In a redundant power supply configuration, that is, a +1 configuration where the system
has one or more power supplies above the actual requirement, the power management
logic automatically employs load-sharing across all active power supplies. This load-sharing
ensures that the switch draws power equally from all available power supplies to support the
system requirements in a fully active model.

If the system does not have redundant power, then the system sends an SNMP trap to the receiver and a
message to CLI to inform you that the device no longer operates in redundant power mode.

For information on configuring Power Manager, see the following:


• If using the CLI, see Configuring power on module slots on page 562 and Configuring Slot Priority
on page 563.
• If using EDM, see Configure Slot Priority on page 614.


Software Lock-up Detection


The software lock-up detect feature monitors processes on the CPU to limit situations where the device
stops functioning because of a software process issue. Monitored issues include:
• software that enters a dead-lock state
• a software process that enters an infinite loop

The software lock-up detect feature monitors processes to ensure that the software functions within
the expected time limit.

The CPU logs details about suspended tasks in the log file.

Jumbo frames
Jumbo packets and large packets are particularly useful in server and storage over Ethernet
applications. As the ratio of payload to header in a packet increases, the bandwidth can be used more
efficiently. For this reason, increasing Ethernet frame size is a logical option. The switch supports
Ethernet frames as large as 9600 bytes, compared to the standard 1518 bytes, to transmit large amounts
of data efficiently and minimize the task load on a server CPU.

Tagged VLAN support


A port with VLAN tagging activated can send tagged frames. If you plan to use Jumbo frames in a
VLAN, ensure that you configure the ports in the VLAN to accept Jumbo frames and that the server
or hosts in the VLAN do not send frames that exceed 9600 bytes. For more information about how to
configure VLANs, see VLAN Configuration on page 3751.

Multi-speed Ports
If a port supports multiple speeds, the software configures the speed automatically based on the optic
type it detects in the port; you do not need to configure the port speed. For multi-speed copper ports,
Auto-Negotiation detects the speed.

Note
Some VIMs must operate with all ports at the same speed, while others can operate with
ports at different speeds. For more information, see VOSS Release Notes. The sys vim-
speed command is supported only on VIMs that must operate with all ports at the same
speed. An error message displays if you run the command on an unsupported VIM.

In addition to the documented maximum port speed, and in cases where the hardware supports it:
• SFP ports are for 1 Gbps but can also support 100 Mbps.
• SFP+ ports are for 10 Gbps but can also support 1 Gbps or 100 Mbps.
• SFP28 ports are for 25 Gbps but can also support 10 Gbps or 1 Gbps.


• QSFP+ ports are for 40 Gbps but can also support 4x10 Gbps if channelization is supported and
enabled.
• QSFP28 ports are for 100 Gbps but also can support 40 Gbps, or 4x25 Gbps or 4x10 Gbps if
channelization is supported and enabled.

Note
A 100 Gbps DAC in a 100 Gbps port can negotiate down to 40 Gbps depending on the
hardware and peer connection.

SFP28, SFP+ and SFP ports have the same physical size.

QSFP28 and QSFP+ ports have the same physical size.

To know if a port supports multiple speeds or channelization, see the applicable hardware
documentation.

Auto-Negotiation

Table 61: Auto-Negotiation product support

| Feature | Product | Release introduced |
|---|---|---|
| Auto-Negotiation | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1. Switch models: VSP4900-24S and VSP4900-48P - all fixed ports; VSP4900-12MXU-12XE - all fixed ports, with ports 13 to 24 at 1 Gbps only; VSP4900-24XE - all fixed ports at 1 Gbps only. VIM5-4XE at 1 Gbps only and VIM5-4YE at 25 Gbps only |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |

The Auto-Negotiation feature enables the device to switch between the various operational modes in
an ordered fashion and lets you select a specific operational mode. The Auto-Negotiation feature also
provides a parallel detection (called autosensing) function to recognize compatible devices, even if they
do not support Auto-Negotiation. Parallel detection helps the device sense the link speed only, not the
duplex mode.


You can use the show interfaces gigabitEthernet l1-config command to see the Auto-
Negotiation operational state on a port. The operational state uses the configuration and transceiver
type present in the port. If you enable Auto-Negotiation for the port but the transceiver type does not
support Auto-Negotiation, the operational state is disabled (false).

Important
The software requires the same Auto-Negotiation configuration on link partners to avoid
incorrect declaration of link status. Mismatched configuration can cause the links to stay down
as well as unpredictable behavior. Ensure the Auto-Negotiation configuration between local
ports and their remote link partners match before upgrading software releases.

Default Auto-Negotiation Behavior


The default Auto-Negotiation behavior depends on the switch model, port type, and transceiver type.
The following table provides the default combinations.

Table 62: VSP 4900 Series default behavior

Model Port type Transceiver type Auto-Negotiation FEC
VSP4900-48P 1GBASE-T Enabled
VSP4900-24S SFP 100BASE-FX
1GBASE-T Enabled
1G SFP Enabled
VSP4900-24XE SFP+ 100BASE-FX
1GBASE-T Enabled. The operational state is always enabled regardless of configuration.
1G SFP Disabled
10GBASE-T Enabled. The operational state is always enabled regardless of configuration.
10G DAC Disabled
10G SFP+
VSP4900-12MXU-12XE 100M/1/2.5/5/10Gbps Copper Enabled
SFP+ 100BASE-FX
1GBASE-T Enabled. The operational state is always enabled regardless of configuration.
1G SFP Disabled
10GBASE-T Enabled
10G DAC Disabled
10G SFP+
VIM5-4X SFP+ 1GBASE-T Not Supported
1G SFP Disabled
10GBASE-T Enabled
10G DAC Disabled
10G SFP+
VIM5-4XE SFP+ 1GBASE-T Enabled. The operational state is always enabled regardless of configuration.
1G SFP Disabled
10GBASE-T Enabled. The operational state is always enabled regardless of configuration.
10G DAC Disabled
10G SFP+
VIM5-2Y and VIM5-4Y SFP28 10GBASE-T Enabled. The operational state is always enabled regardless of configuration.
10G DAC Disabled
10G SFP+
25G DAC Disabled Not Supported
25G AOC Not Supported
25G SFP28 Not Supported
VIM5-4YE SFP28 10GBASE-T Enabled. The operational state is always enabled regardless of configuration.
10G DAC Disabled
10G SFP+
25G DAC Enabled FEC is negotiated requesting CL108.
25G AOC FEC auto: CL108
25G SFP28 FEC auto: CL108

10/100/1000 Mbps Port Considerations


Auto-Negotiation lets devices share a link, and automatically configures both devices so that they take
maximum advantage of their abilities. Auto-Negotiation uses a modified 10BASE-T link integrity test
pulse sequence to determine device ability.

Important
Product-specific considerations for Auto-Negotiation include:
• If Auto-Negotiation is disabled, the following hardware does not support half-duplex:
◦ 8424GT ESM
◦ 8424XT ESM
◦ VSP 7254XTQ

Configure Auto-Negotiation as shown in the following table, where A and B are two Ethernet devices.

Table 63: Auto-Negotiation configuration on 10/100/1000BASE-TX ports

| Port on A | Port on B | Remarks | Best practice |
|---|---|---|---|
| Auto-Negotiation enabled | Auto-Negotiation enabled | Ports negotiate on highest supported mode on both sides. | Use this configuration if both ports support Auto-Negotiation mode. |
| Full-duplex | Full-duplex | Both sides require the same mode. | Use this configuration if you require full-duplex, but the configuration does not support Auto-Negotiation. |


Auto-Negotiation cannot detect the identities of neighbors and cannot shut down misconnected ports.
Upper-layer protocols perform these functions.

Note
10 GigabitEthernet (GbE) fiber-based I/O module ports can operate at either 1 Gigabit per
second (Gbps) or 10 Gbps, depending upon the capabilities of the optical transceiver that you
install.
This situation presents an ambiguity with respect to the Auto-Negotiation configuration of
the port: 1 GbE ports require Auto-Negotiation, while Auto-Negotiation is not defined and is
non-existent for 10 GbE ports.
For a 10-GbE fiber-based I/O module, you can swap between 1 GbE and 10 GbE operation
by simply swapping transceivers. To help with the swap, you can configure Auto-Negotiation
when you install a 10 GbE transceiver, even though Auto-Negotiation is not defined for 10
GbE.
You can do this in anticipation of a port changeover from 10 GbE to 1 GbE. In this manner, you
can pre-configure a port in 1 GbE mode while the 10 GbE transceiver is still installed. The port
is ready to go upon the changeover to the 1 GbE transceiver.
You can use a saved configuration file with Auto-Negotiation enabled, to boot a system with
either 10 GbE or 1 GbE transceivers installed. If you install a 1 GbE transceiver, the system
applies Auto-Negotiation. If you install a 10 GbE transceiver, the system does not remove
the Auto-Negotiation settings from the configuration, but the system simply ignores the
configuration because Auto-Negotiation settings are irrelevant to a 10 GbE transceiver. The
system preserves the saved configuration for Auto-Negotiation when re-saved no matter
which speed of transceiver you install.

25 GbE Port Considerations


25 GbE ports typically support 25 Gbps, 10 Gbps, and 1 Gbps operational speeds. Auto-Negotiation
support varies depending on the pluggable type and speed.

The following table provides a summary of Auto-Negotiation support for 25 Gbps ports.

Table 64: 25 Gbps Port Auto-Negotiation


| Transceiver Type | Auto-Negotiation |
|---|---|
| 25 Gbps DAC | Supported. Note: Exception: VIM5-2Y and VIM5-4Y do not support Auto-Negotiation at 25 Gbps. |
| 25 Gbps SR, LR, AOC | Not Supported |
| 10 Gbps | Not Supported |
| 1 Gbps | Note: Not Supported for VSP 7400-48Y. |

Forward Error Correction (FEC) is a negotiated port attribute for 25 GbE connections that support
Auto-Negotiation. For more information, see Forward Error Correction on page 538.


40 GbE Port Considerations


Auto-Negotiation must be enabled on 40 GbE ports when using 40GbCR4 (copper direct attach
cable, DAC) pluggable modules because Clause 73 of the 40 GbE standard lists it as mandatory.
Although links might come up on 40 GbE ports without Auto-Negotiation, the best practice is to
always enable Auto-Negotiation. Otherwise, there might be link instability or FCS errors.

100 GbE Port Considerations


Ensure that you enable Auto-Negotiation for ports with 100GbCR4 modules plugged in.

Although Auto-Negotiation is mandatory as per the 100GbCR4 standard, and this is the default
software configuration, you can disable Auto-Negotiation to connect with older systems that do not
support it. The system does not support FEC on 100GbCR4 links with Auto-Negotiation disabled.

For more information about FEC, see Forward Error Correction on page 538.

Auto-Negotiation Advertisements
Auto-Negotiation advertisements use Custom Auto-Negotiation Advertisement (CANA) to control the
speed and duplex settings that the interface modules advertise during Auto-Negotiation sessions
between Ethernet devices. Modules can only establish links using these advertised settings, rather than
at the highest common supported operating mode and data rate.

Use CANA to provide smooth migration from 10 Mbps to 10000 Mbps on host and server connections.
Using Auto-Negotiation only, the switch always uses the fastest possible data rates. In limited-uplink-
bandwidth scenarios, CANA provides control over negotiated access speeds, and improves control over
traffic load patterns.

Use the auto-negotiation-advertisements command to configure CANA.

To use CANA, you must enable Auto-Negotiation.

Important
If a port belongs to a MultiLink Trunking (MLT) group and you configure CANA on the port
(that is, you configure an advertisement other than the default), you must apply the same
configuration to all other ports of the MLT group if they support CANA.

The following platforms support full duplex and half duplex modes for CANA:

| Platform | Full duplex | Half duplex |
|---|---|---|
| VSP 4450 Series | Yes | Yes |
| VSP 4900 Series | Yes | Supported at 100 Mbps on VSP4900-48P and first 12 ports of VSP4900-12MXU-12XE. |
| VSP 7200 Series | Yes | No |
| VSP 7400 Series | Yes | No |
| VSP 8200 Series | Yes | No |
| VSP 8400 Series (includes 8424XT, 8418XTQ, and 8424GT ESMs) | Yes | No |
| VSP 8600 Series | Yes | No |
| XA1400 Series. Supported on ports 1/1-1/4 only. | Yes | Yes |

SynOptics Network Management Protocol

Table 65: SONMP product support


| Feature | Product | Release introduced |
|---|---|---|
| SONMP | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |

The switch supports an auto-discovery protocol known as the SynOptics Network Management
Protocol (SONMP). SONMP allows a network management station (NMS) to formulate a map that
shows the interconnections between Layer 2 devices in a network. SONMP is also called Topology
Discovery Protocol (TDP).

All devices in a network that are SONMP-enabled send hello packets to their immediate neighbors, that
is, to interconnecting Layer 2 devices. A hello packet advertises the existence of the sending device and
provides basic information about the device, such as the IP address and MAC address. The hello packets
allow each device to construct a topology table of its immediate neighbors. A network management
station periodically polls devices in its network for these topology tables, and then uses the data to
formulate a topology map.

If you disable SONMP, the system stops transmitting and acknowledging SONMP hello packets. In
addition, the system removes all entries in the topology table except its own entry. If you enable
SONMP, the system transmits a hello packet every 12 seconds. The default status is enabled.

SONMP for the Segmented Management Instance


SONMP and LLDP both advertise the same topology IP address for the Segmented Management
Instance management interface. SONMP supports IPv4 advertisement only. If all three management
interfaces are configured, the advertised default topology IP priority is management CLIP, then
management VLAN, then management OOB. You can change the default topology IP using CLI or EDM.
If multiple IPv4 addresses are configured on an OOB or VLAN management interface, the advertised IP
priority is static IP address, then DHCP IP address, then link-local IP address.


Channelization

Table 66: Channelization product support


| Feature | Product | Release introduced |
|---|---|---|
| Channelization of 40 Gbps ports | VSP 4450 Series | Not Applicable |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 (VSP 7432CQ only) |
| | VSP 8200 Series | VOSS 4.2 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | Not Applicable |
| Channelization of 100 Gbps ports | VSP 4450 Series | Not Applicable |
| | VSP 4900 Series | Not Applicable |
| | VSP 7200 Series | Not Applicable |
| | VSP 7400 Series | VOSS 8.0 (VSP 7432CQ only) |
| | VSP 8200 Series | Not Applicable |
| | VSP 8400 Series | Not Supported |
| | VSP 8600 Series | VSP 8600 6.2 |
| | XA1400 Series | Not Applicable |

Use the channelization feature to configure a single port to operate as four individual ports.
Channelization can apply to the following port speeds:
• 40 Gbps (Quad Small Form-factor Pluggable) (QSFP+) — when channelized, operates as four 10
Gbps ports
• 100 Gbps (QSFP28) — when channelized, operates as four 25 Gbps ports

Note
In cases where the hardware supports it, you can insert a 40 Gbps QSFP+ transceiver in a
100 Gbps port, and use the 100 Gbps port as a 40 Gbps port. If you enable channelization
on a 100 Gbps port and the switch detects a 40 Gbps QSFP+ transceiver in the port, the
port operates as four individual 10 Gbps ports.
If the switch detects a 100 Gbps QSFP28 transceiver and you enable channelization, the
port operates as four 25 Gbps ports.
To know if you can use a 100 Gbps port as a 40 Gbps port and support the channelization
of that port, see the applicable hardware documentation.

You can use breakout direct attach cables (DAC) or transceivers with fiber breakout cables to connect
the channelized ports to other servers, storage, and switches.


By default, the ports are not channelized, which means that the ports operate as one single port at the
fully supported speed. You can enable or disable channelization on a port.

For the number of ports on the switch that support channelization, see the applicable hardware
documentation.

If the product supports channelization and you enable or disable channelization on a port, the port
QoS configuration resets to default values. For information about configuring QoS values, see Quality of
Service on page 2649.

Note
When you use channelized ports in a Split Multi-Link Trunking (SMLT) configuration, the
system does not display the channelized ports properly when you show MLT information
for the remote port member if the remote switch runs a release that does not support
channelization.

When a port is channelized, use only breakout cables (copper or active optical DAC) in it. Using other
cables in either a channelized port or a non-channelized port results in mismatched link status between
link partners, which can lead to network issues.

Feature Interaction with Channelization


Software features operate on channelized ports. When an interface is dechannelized, the interface
cleans up all the channels.

If a feature operates on channel 1/1/1 and 1/1/2, and the circuit is dechannelized, the 1/1/1 configuration is
saved and the commands are configured on 1/1. The configuration on 1/1/2 is deleted.

Forward Error Correction

Table 67: Forward Error Correction product support


| Feature | Product | Release introduced |
|---|---|---|
| Forward Error Correction (FEC) (configurable) | VSP 4450 Series | Not Applicable |
| | VSP 4900 Series | VOSS 8.1 (VIM5-4YE at 25 Gbps) |
| | VSP 7200 Series | Not Applicable |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | Not Supported |
| | VSP 8400 Series | VOSS 8.0 |
| | VSP 8600 Series | VSP 8600 6.2 |
| | XA1400 Series | Not Applicable |

Forward Error Correction (FEC) is a method of obtaining error control in data transmission over an
unreliable or noisy channel in which the source (transmitter) encodes the data in a redundant way
by using an error correcting code (ECC). This redundancy enables a destination (receiver) to detect a
limited number of errors and correct them without requiring a re-transmission.


FEC is useful where re-transmitting data is either expensive or impossible, for example, when
transmitting to multiple receivers in multicast. However, although FEC provides more error control,
it introduces latency in data transmission.

FEC Configuration Options


You typically configure FEC on a port. The supported options are:
• cl91 (Clause 91 RS-FEC)
• cl108 (Clause 108 RS-FEC)
• cl74 (Clause 74 Firecode R-FEC)
• auto

FEC is not supported on:


• Out-of-band (OOB) management ports.
• 100 GbE ports that are changed to 40 GbE ports by dynamically swapping 100 Gb modules with 40
Gb modules. FEC does not support the 40 Gbps speed.

Important
• On ports that support FEC configuration, ensure that you configure the same option at
both end-points. Otherwise, the link does not come up.
• You must enable FEC to achieve proper functionality when using interconnects such as the
25 Gb SR, 25 Gb SR-lite, 25 Gb ESR optics or the 25 Gb AOC and 25 Gb DAC.
• FEC is not required on 100 Gb or 25 Gb long-range optics because these optics do error
checking internally.

Clause 91 RS-FEC
This option supports both the 25 Gbps and 100 Gbps speeds. You can configure this option on
ports with either the 100GbSR4 or 100GbCR4 modules plugged in, or on 100 GbE channelized ports
operating at 25 Gbps speed.

Note
Ensure that you enable Auto-Negotiation for ports with the 100GbCR4 modules plugged in; it
is mandatory.

Clause 108 RS-FEC


This option also supports both the 25 Gbps and 100 Gbps speeds. It is similar to Clause 91 but
introduces extra latency.

Clause 74 Firecode R-FEC


This option supports only the 25 Gbps speed and is used in applications that require reduced latency.

Auto
This option automatically configures FEC based on port speed and pluggable module type.
• For 25 Gbps speeds, FEC CL108 is enabled for all transceiver types.
• For 100 Gbps speeds:
◦ FEC is disabled for 100GbE LR4 and ER4 transceivers.
◦ FEC CL91 is enabled for all other transceiver types (for example, 100GbE SR4, CR4, AOC,
CWDM4, SWDM4).

FEC and Auto-Negotiation


FEC is a negotiated port attribute for 25 Gb and 100 Gb connections that support Auto-Negotiation. If
you enable Auto-Negotiation on a port for a supported transceiver type, the switch uses the configured
FEC value in the negotiation advertisement. Peers can advertise different values, which means the
resulting FEC operational state can be different than the one advertised.

The following table lists the 25 Gb end-point advertisements and the resulting FEC operational state:

Table 68: 25 Gb end-point advertisements


| Peer A | Peer B | Result |
|---|---|---|
| CL108 | CL108 | CL108 |
| CL74 | CL74 | CL74 |
| No FEC | No FEC | No FEC |
| No FEC | CL108 | CL108 |
| No FEC | CL74 | CL74 |
| CL74 | CL108 | CL108 |

The following table lists the 100 Gb end-point advertisements and the resulting FEC operational state:

Table 69: 100 Gb end-point advertisements


| Peer A | Peer B | Result |
|---|---|---|
| CL91 | CL91 | CL91 |
| No FEC | No FEC | CL91. Note: Even when both peers advertise no FEC, negotiation results in clause 91 FEC per IEEE standard mandatory setting. |
| No FEC | CL91 | CL91 |

You can use the show interfaces gigabitEthernet config command to see the FEC
operational state for a port.

For additional details about support, see Default Auto-Negotiation Behavior on page 531.


IEEE 802.3X Pause Frame Transmit

Table 70: IEEE 802.3X Pause Frame Transmit product support


| Feature | Product | Release introduced |
|---|---|---|
| IEEE 802.3X Pause frame transmit | VSP 4450 Series | VOSS 6.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.0 |
| | VSP 8400 Series | VOSS 6.0 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | VOSS 8.1.50 |

The switch uses MAC pause frames to provide congestion relief on full-duplex interfaces.

Overview
When congestion occurs on a port, the system can send or receive pause frames, also known as flow
control, to temporarily pause the packet flow. The system uses flow control if the rate at which one
or more ports receives or sends packets is greater than the rate the switch can process or accept the
packets.

The switch can generate pause frames to tell the sending device to stop sending additional packets for
a specified time period. After the time period expires, the sending device can resume sending packets.
During the specified time period, if the switch determines the congestion is reduced, it can send pause
frames to the sending device to instruct it to begin sending packets immediately.

Flow control mode and pause frames


If you enable flow control mode, the switch drops packets on ingress when congestion occurs. If the
switch is not in flow control mode, it drops packets at egress when congestion occurs.

Configure an interface to send pause frames when congestion occurs to alleviate packet drops due to
flow control mode.

Auto-Negotiation
Interfaces that support auto-negotiation advertise and exchange their flow control capability to agree
on a pause frame configuration. IEEE 802.3 Annex 28B defines the auto-negotiation ability fields and the
pause resolution. The switch advertises only two capabilities. The following table shows the software bit
settings based on the flow control configuration.

Note
Not all interfaces support Auto-Negotiation. For more information, see your hardware
documentation.

Table 71: Advertised abilities


| Interface configuration | Pause | ASM | Capability advertised |
|---|---|---|---|
| Flow control enabled | 1 | 0 | Symmetric pause |
| Flow control disabled | 1 | 1 | Both Symmetric pause and asymmetric pause |

The following table identifies the pause resolution.

Table 72: Pause resolution


| Local device pause | Local device ASM | Peer device pause | Peer device ASM | Local device resolution | Peer device resolution |
|---|---|---|---|---|---|
| 0 | 0 | Do not care | Do not care | Disable pause transmit and receive. | Disable pause transmit and receive. |
| 0 | 1 | 0 | Do not care | Disable pause transmit and receive. | Disable pause transmit and receive. |
| 0 | 1 | 1 | 0 | Disable pause transmit and receive. | Disable pause transmit and receive. |
| 0 | 1 | 1 | 1 | Enable pause transmit. Disable pause receive. | Disable pause transmit. Enable pause receive. |
| 1 | 0 | 0 | Do not care | Disable pause transmit and receive. | Disable pause transmit and receive. |
| 1 | Do not care | 1 | Do not care | Enable pause transmit and receive. | Enable pause transmit and receive. |
| 1 | 1 | 0 | 0 | Disable pause transmit and receive. | Disable pause transmit and receive. |
| 1 | 1 | 0 | 1 | Disable pause transmit. Enable pause receive. | Enable pause transmit. Disable pause receive. |

The following list identifies the type of interfaces that support auto-negotiated flow control:
• 10 Mbps/100 Mbps/1 Gbps copper
• 100 Mbps/1 Gbps/10 Gbps copper
• 1 Gbps fiber (in both SFP and SFP+ ports)
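
The eight rows of the pause resolution table reduce to three rules. The following added example (not part of the VOSS documentation) implements those rules in Python, checks them against every row of Table 72, and shows what each flow control setting from Table 71 resolves to for a given peer advertisement. The function and constant names are assumptions made for this illustration.

```python
"""Pause resolution from the advertised Pause and ASM bits (added illustration)."""
from itertools import product
from typing import NamedTuple


class PauseResult(NamedTuple):
    local_tx: bool  # local device may transmit pause frames
    local_rx: bool  # local device acts on received pause frames
    peer_tx: bool
    peer_rx: bool


OFF = PauseResult(False, False, False, False)
SYMMETRIC = PauseResult(True, True, True, True)
LOCAL_TX_ONLY = PauseResult(True, False, False, True)
LOCAL_RX_ONLY = PauseResult(False, True, True, False)

# Table 71: bits the switch advertises for each flow control setting (Pause, ASM).
SWITCH_ADVERTISEMENT = {
    "flow control enabled": (1, 0),
    "flow control disabled": (1, 1),
}

# Table 72 as printed: (local Pause, local ASM, peer Pause, peer ASM) -> result.
# None stands for "Do not care".
TABLE_72 = [
    ((0, 0, None, None), OFF),
    ((0, 1, 0, None), OFF),
    ((0, 1, 1, 0), OFF),
    ((0, 1, 1, 1), LOCAL_TX_ONLY),
    ((1, 0, 0, None), OFF),
    ((1, None, 1, None), SYMMETRIC),
    ((1, 1, 0, 0), OFF),
    ((1, 1, 0, 1), LOCAL_RX_ONLY),
]


def resolve_pause(local_pause, local_asm, peer_pause, peer_asm):
    """Resolve flow control for both link partners from the four advertised bits."""
    if local_pause and peer_pause:
        return SYMMETRIC  # ASM bits are irrelevant once both sides set Pause
    if local_asm and peer_asm:
        # Asymmetric pause: the side that set Pause receives, the other transmits.
        if peer_pause:
            return LOCAL_TX_ONLY
        if local_pause:
            return LOCAL_RX_ONLY
    return OFF


def table_mismatches():
    """Expand every "Do not care" and list bit patterns where the rules disagree."""
    bad = []
    for pattern, expected in TABLE_72:
        choices = [(0, 1) if bit is None else (bit,) for bit in pattern]
        for bits in product(*choices):
            if resolve_pause(*bits) != expected:
                bad.append(bits)
    return bad


def switch_outcomes(peer_pause, peer_asm):
    """Result on the switch side for each flow control setting, given the peer's bits."""
    return {
        setting: resolve_pause(pause, asm, peer_pause, peer_asm)
        for setting, (pause, asm) in SWITCH_ADVERTISEMENT.items()
    }


if __name__ == "__main__":
    print("rules disagree with Table 72 for:", table_mismatches())
    for peer in product((0, 1), repeat=2):
        for setting, result in switch_outcomes(*peer).items():
            print(f"peer Pause={peer[0]} ASM={peer[1]} | switch {setting}: {result}")
```

Because both switch settings advertise Pause=1, any peer that also advertises Pause=1 resolves to symmetric pause; the switch setting changes the outcome only for a peer that advertises Pause=0 and ASM=1.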


Auto MDIX
Automatic medium-dependent interface crossover (Auto-MDIX) automatically detects the need for
a straight-through or crossover cable connection and configures the connection appropriately. This
removes the need for crossover cables to interconnect switches and ensures either type of cable can
be used. The speed and duplex setting of an interface must be set to Auto for Auto-MDIX to operate
correctly.

Auto MDIX is supported on all platforms with fixed copper ports. All fixed copper ports are supported.

IOC Module Preconfiguration

Table 73: IOC Module Preconfiguration


| Feature | Product | Release introduced |
|---|---|---|
| IOC Module Preconfiguration | VSP 4450 Series | Not Applicable |
| | VSP 4900 Series | Not Applicable |
| | VSP 7200 Series | Not Applicable |
| | VSP 7400 Series | Not Applicable |
| | VSP 8200 Series | Not Applicable |
| | VSP 8600 Series | VSP 8600 8.0 |
| | XA1400 Series | Not Applicable |

Using IOC Module Pre-Configuration, you can configure a slot for an IOC Module before you insert the
module in the chassis. By specifying the slot and module type, all configuration at the slot or port level
becomes available for that slot. You can issue configuration commands for a specific slot before you
insert an IOC Module in that slot.

When you insert the IOC Module that matches the pre-configured module type in the specified
slot, all configuration related to that slot is applied, and pre-configuration loads on the IOC Module
automatically. However, if the module type of the inserted IOC Module does not match the module type
of the IOC Module Pre-Configuration, then the IOC module functionality depends on the following card
lock configurations:
• If the card lock option is enabled, the inserted IOC Module is rejected and does not boot up. Only
modules that are of the same type as the IOC Module Pre-Configuration type for the slot are able to
boot up on that slot. The output of the show sys-info command displays the operational status
of the inserted module as down-Mismatch.
• If the card lock option is disabled, existing configuration is removed on that slot and a new IOC
Module is accepted and boots up with default configuration.

When you remove an IOC Module from the chassis, all configuration on that slot is still available
because the module was automatically pre-configured on that slot. You can view the configuration for
the module by using the show sys-info card command. You can also change the configuration
for an IOC Module that has been removed from the chassis. When you save the configuration, the
configuration for all slots is saved regardless of which modules are plugged into the chassis.


Hotswapping IOC Modules


If a preconfigured IOC Module is replaced with a model that does not match the preconfigured IOC
Module type and the card lock is enabled, then the IOC Module does not boot up. Either a module of the
same type as the preconfigured IOC Module must be reinserted in the slot or the pre-configured IOC
Module type must be removed from the configuration.

Important
Removing the preconfigured IOC Module type from the configuration also removes the
configuration for the slot.

When a new IOC Module is inserted in the slot, the module boots with default configuration. If a
module is inserted into a running system and the module type is not configured for the slot, the system
automatically creates a preconfiguration with the module type of the IOC Module that was inserted.
Then the module boots with default configuration.

Chassis operations configuration using the CLI


This section provides the details to configure basic hardware and system settings.

Enabling the High Availability-CPU (HA-CPU) mode


About This Task

Enable High Availability-CPU (HA-CPU) mode to enable devices with two CPUs to recover quickly from
a failure of the master CPU.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the following boot flag:
boot config flags ha-cpu

The configuration file is saved on both the CPUs. After you disable HA mode on the master CPU,
the secondary CPU software automatically resets and loads the settings from the previously-saved
configuration file.
3. Type y when the system displays the following prompt:
Do you want to continue (y/n) ?

Responding to the user prompt with a y causes the secondary CPU to reset itself automatically, and
that secondary CPU restarts with HA mode enabled.
4. Save the configuration.

Example
Switch:1>enable
Switch:1#configure terminal


Enable HA mode:
Switch:1(config)#boot config flags ha-cpu
The config files on the Master and Slave will be overwritten with the current active
configuration.
-Layer 2/3 features will be enabled in L2/L3 redundancy mode.
Do you want to continue (y/n)?y
Boot configuration is being saved.
CP-1: Save config to file /intflash/config.cfg successful.
CP-2: Save /intflash/config.cfg to standby successful.
Runtime configuration is being saved.
Resetting Slave CPU from Master CPU.
CP1 [01/07/17 15:21:50.605:UTC] 0x000045e3 00000000 GlobalRouter SNMP INFO Save config
successful.
CP2 [01/07/17 15:22:16.890:UTC] 0x000105e3 00000000 GlobalRouter HW INFO HA-CPU: Table
Sync is complete (Standby CPU)
CP1 [01/07/17 15:22:17.407:UTC] 0x000105c8 00000000 GlobalRouter HW INFO HA-CPU: Table
Sync Completed on Secondary CPU

Verify the configuration:


Switch:1(config)#show ha-state
Current CPU State : Synchronized State.
Last Event : Table synchronization completed.
Mode : Warm Standby

Card Info :
Slot# CardType Oper Admin Power
Status Status State
1 8624XS up-Master up on
2 8624XS up-Warmstandby up on

Current Boot Config State: master 1

Save the configuration:


Switch:1(config)#save config

What to Do Next

Note
In HA-CPU mode, whenever there is a mismatch of boot config flags between the master CPU
and the standby CPU, the standby CPU follows the master CPU. The mismatch could be due
to different runtime config files or primary config files at standby CPU. Once the chassis boots
up successfully on the switch, ensure that both the CPUs run the same primary config file and
the running config file.

Disabling the High Availability-CPU (HA-CPU) Mode


About This Task

Perform this procedure to disable HA mode.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal


2. Enter the following boot flag command:


no boot config flags ha-cpu

The configuration file is saved on both the CPUs. After you enable HA mode on the master CPU, the
secondary CPU software automatically synchronizes the configuration from the master CPU.

Example
Switch:1>enable
Switch:1#configure terminal

Disable HA mode:
Switch:1(config)#no boot config flags ha-cpu
The config files on the Master and Slave will be overwritten with the current active
configuration.
-No longer Layer 2/3 features run in L2/L3 redundancy mode.
Do you want to continue (y/n) ? y
Boot configuration is being saved.
CP-1: Save config to file /intflash/config.cfg successful.
CP-2: Save /intflash/config.cfg to standby successful.
Resetting Slave CPU from Master CPU.

Verify the configuration:


Switch:1(config)#show ha-state
Current CPU State : Disabled State.
Last Event : No event.
Mode : Warm Standby

Card Info :
Slot# CardType Oper Admin Power
Status Status State
1 8624XS up-Master up on
2 8624XS up-Warmstandby up on

Current Boot Config State: master 1

Removing an IOC Module with HA Mode Activated


About This Task

Perform this procedure to properly remove the IOC module that is in the master CP slot, when the
system operates in HA mode.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Use the sys action cpu-switch-over command to fail over to another CP.
3. Remove the IOC module.

Important
Do not reinsert an IOC module until at least 15 seconds have elapsed, which is long enough
for another CP slot to become master.


Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#sys action cpu-switch-over

Enabling jumbo frames


About This Task

Enable jumbo frames to increase the size of Ethernet frames the chassis supports.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable jumbo frames:
sys mtu <1522-9600>

Example

Switch:1> enable

Switch:1# configure terminal

Enable jumbo frames to 9600 bytes:

Switch:1(config)# sys mtu 9600

Variable Definitions
The following table defines parameters for the sys mtu command.

| Variable | Value |
|---|---|
| <1522-9600> | Configures the frame size support for the data path. Possible sizes are 1522, 1950, or 9600 bytes. The default is 1950 bytes. |

Configuring port lock


About This Task

Configure port lock to administratively lock a port or ports to prevent other users from changing port
parameters or modifying port action. You cannot modify a locked port until you unlock the port.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal


2. Enable port lock globally:


portlock enable
3. Log on to GigabitEthernet Interface Configuration mode:
interface gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]]
[,...]}
4. Lock a port:
lock port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} enable

Example

Switch:1> enable

Switch:1# configure terminal

Log on to GigabitEthernet Interface Configuration mode:

Switch:1(config)# interface GigabitEthernet 1/1

Unlock port 1/14:

Switch:1(config-if)# no lock port 1/14 enable

Variable Definitions
The following table defines parameters for the interface gigabitethernet and lock port
commands.

| Variable | Value |
|---|---|
| {slot/port[/sub-port][-slot/port[/sub-port]][,...]} | Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port. For the lock port command, use the no form of this command to unlock a port: no lock port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} |

Configuring SONMP
About This Task

Configure the SynOptics Network Management Protocol (SONMP) to allow a network management
station (NMS) to formulate a map that shows the interconnections between Layer 2 devices in a network.
The default status is enabled.


Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Disable SONMP:
no autotopology
3. Enable SONMP:
autotopology

Example

Switch:1> enable

Switch:1# configure terminal

Disable SONMP:

Switch:1(config)# no autotopology

View the Topology Message Status


About This Task

View topology message status to view the interconnections between Layer 2 devices in a network.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Show the contents of the topology table:
show autotopology nmm-table

Unless the switch is physically connected to other devices in the network, this topology table is blank.

Example

Note
In the following example, the column “ChassisType” uses a generic name. When you use the
show autotopology nmm-table command, your switch displays the actual chassis type.

Switch:1(config)#show autotopology nmm-table

==========================================================================================
                                    Topology Table
==========================================================================================
Local                                                                        Rem
Port     IpAddress    SegmentId  MacAddress    ChassisType    BT  LS   CS    Port
------------------------------------------------------------------------------------------
0/0      192.0.2.81   0x000000   0030ab707a00  ChassisType 1  12  Yes  HtBt  0/0
1/1      192.0.2.81   0x000000   0050ea268800  ChassisType 2  12  Yes  HtBt  1/50
1/42     192.0.2.81   0x000000   070ab307aa00  ChassisType 3  12  Yes  HtBt  1/1
2/1      192.0.2.81   0x000000   0030ab57ab00  ChassisType 4  12  Yes  HtBt  1/49
2/2      192.0.2.81   0x000000   0030ab307af0  ChassisType 5  12  Yes  HtBt  1/50
2/41     192.0.2.81   0x000000   00e0ba327c00  ChassisType 6  12  Yes  HtBt  2/1
2/42/1   192.0.2.81   0x000000   0050eb127400  ChassisType 7  12  Yes  HtBt  1/2

Note
When a peer switch is running an older software version that does not include support for
SONMP hello messages with channelization information, it can only show the slot/port. It
cannot show the sub-port.
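
The topology table records which Layer 2 device sits behind each port, so it can be compared with an expected inventory to spot misconnected or unexpected neighbors. The following added example (not part of the VOSS documentation) parses output in the layout shown above and reports the differences. The sample output and the inventory are constructed, the function names are hypothetical, and treating the 0/0 row as the switch's own entry is an assumption.

```python
"""Parse `show autotopology nmm-table` output and compare it with an inventory."""
import re
from typing import NamedTuple


class Neighbor(NamedTuple):
    local_port: str
    ip: str
    segment_id: str
    mac: str
    chassis_type: str
    bt: str
    ls: str
    cs: str
    remote_port: str


PORT_RE = re.compile(r"^\d+/\d+(/\d+)?$")  # slot/port or slot/port/sub-port
MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")
LOCAL_ENTRY = "0/0"  # assumption: the 0/0 row is the switch's own entry

# Constructed sample in the layout shown on the page (not captured from a device).
SAMPLE = """\
Switch:1(config)#show autotopology nmm-table
==========================================================================
                              Topology Table
==========================================================================
Local                                                               Rem
Port   IpAddress  SegmentId MacAddress   ChassisType   BT LS  CS   Port
--------------------------------------------------------------------------
0/0    192.0.2.81 0x000000  0030ab707a00 ChassisType 1 12 Yes HtBt 0/0
1/1    192.0.2.82 0x000000  0050ea268800 ChassisType 2 12 Yes HtBt 1/50
2/1    192.0.2.83 0x000000  0030ab57ab00 ExampleChassis 12 Yes HtBt 1/49
2/42/1 192.0.2.84 0x000000  0050eb127400 ChassisType 7 12 Yes HtBt 1/2
"""

# Hypothetical inventory: local port -> MAC address of the neighbor expected there.
EXPECTED = {
    "1/1": "0050ea268800",
    "2/1": "0030AB57AB01",
    "3/1": "0030ab000001",
}


def parse_nmm_table(text):
    """Return one Neighbor per data row; banners, rules and headers are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or not PORT_RE.match(tok[0]) or not MAC_RE.match(tok[3]):
            continue
        if not PORT_RE.match(tok[-1]):
            continue
        # Four fixed fields lead and four trail; whatever sits between them is
        # the chassis type, which may itself contain spaces.
        chassis = " ".join(tok[4:-4])
        rows.append(Neighbor(tok[0], tok[1], tok[2], tok[3].lower(), chassis, *tok[-4:]))
    return rows


def audit(neighbors, expected):
    """Compare parsed neighbors with the inventory; return sorted (port, finding)."""
    findings = []
    seen_ports = set()
    for n in neighbors:
        if n.local_port == LOCAL_ENTRY:
            continue
        seen_ports.add(n.local_port)
        want = expected.get(n.local_port)
        if want is None:
            findings.append((n.local_port, "unexpected neighbor " + n.mac))
        elif want.lower() != n.mac:
            findings.append(
                (n.local_port, f"neighbor changed: expected {want.lower()}, saw {n.mac}")
            )
    for port in expected:
        if port not in seen_ports:
            findings.append((port, "expected neighbor missing"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(parse_nmm_table(SAMPLE), EXPECTED):
        print(f"{port}: {finding}")
```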

Associating a port to a VRF instance


Associate a port to a Virtual Router Forwarding (VRF) instance so that the port becomes a member of
the VRF instance.

Before You Begin


• The VRF instance must exist. For more information about the creation of VRFs, see Create a VRF
Instance on page 3839.

About This Task

You can assign a VRF instance to a port after you configure the VRF. The system assigns ports to the
Global Router, VRF 0, by default.

Procedure

1. Enter Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1-4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Associate a VRF instance with a port:


vrf <WORD 1-16>

Example

Switch:1> enable

Switch:1# configure terminal

Switch:1(config)# interface gigabitethernet 1/12

Switch:1(config-if)# vrf red


Configure an IP Address for the Management Port


Note
This procedure only applies to VSP 8600 Series. For other products, see Segmented
Management on page 69.

Configure an IP address for the management port so that you can remotely access the device using the
out-of-band (OOB) management port. The management port runs on a dedicated VRF.

The configured IP subnet has to be globally unique because the management protocols can go through
in-band (Global Router) or out-of-band ports (Management VRF).

Before You Begin


• Do not configure a default route in the Management VRF.
• If you want out-of-band management, define a specific static route in the Management Router VRF
to the IP subnet where your management application resides.
• If you initiate an FTP session from a client device behind a firewall, you should set FTP to passive
mode.
• The switch gives priority to out-of-band management when there is reachability from both in-band
and out-of-band. To avoid a potential conflict, do not configure an overlap between in-band and
out-of-band networks.

Procedure

1. Enter mgmtEthernet Interface Configuration mode:


enable

configure terminal

interface mgmtEthernet <mgmt | mgmt2>


2. Configure the IP address and mask for the management port:
ip address {<A.B.C.D/X> | <A.B.C.D> <A.B.C.D>}
3. Configure an IPv6 address and prefix length for the management port:
ipv6 interface address WORD<0-255>
4. Show the complete network management information:
show interface mgmtEthernet
5. Show the management interface packet/link errors:
show interface mgmtEthernet error
6. Show the management interface statistics information:
show interface mgmtEthernet statistics

Example

Configure the IP address for the management port:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface mgmtethernet mgmt
Switch:1(config-if)#ip address 192.0.2.24 255.255.255.0


Variable Definitions
The following table defines parameters for the ip address command.

Variable                               Value
{<A.B.C.D/X> | <A.B.C.D> <A.B.C.D>}    Specifies the IP address followed by the subnet mask.

The following table defines parameters for the ipv6 interface address command.

Variable Value
WORD<0-255> Specifies the IPv6 address and prefix length.
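
The prerequisites for the management port can be checked against an addressing plan before it is applied. The following Python sketch is an added example, not Extreme Networks code; it parses both documented forms of the ip address argument, and the in-band subnet list and Management VRF static-route list are hypothetical inputs taken from your own plan.

```python
import ipaddress


def parse_ip_address_arg(arg):
    """Parse an `ip address` argument in either documented form.

    Accepts 'A.B.C.D/X' or 'A.B.C.D A.B.C.D' (address, then subnet mask)
    and returns an ipaddress.IPv4Interface.
    """
    parts = arg.split()
    if len(parts) == 2:
        return ipaddress.IPv4Interface(f"{parts[0]}/{parts[1]}")
    if len(parts) == 1 and "/" in parts[0]:
        return ipaddress.IPv4Interface(parts[0])
    raise ValueError(f"expected A.B.C.D/X or A.B.C.D A.B.C.D, got {arg!r}")


def check_mgmt_plan(mgmt_arg, inband_subnets, mgmt_vrf_static_routes):
    """Return [(kind, detail)] findings for a planned out-of-band setup.

    mgmt_arg               -- argument planned for `ip address` on the mgmt port
    inband_subnets         -- hypothetical input: subnets reachable in-band
    mgmt_vrf_static_routes -- hypothetical input: static route destinations
                              planned for the Management VRF
    """
    findings = []
    mgmt = parse_ip_address_arg(mgmt_arg)

    # The guide asks for no overlap between in-band and out-of-band networks,
    # because the switch prefers out-of-band when both paths are reachable.
    for subnet in inband_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if net.version == 4 and mgmt.network.overlaps(net):
            findings.append(("overlap", f"{mgmt.network} overlaps in-band {net}"))

    # The guide asks for specific static routes only, never a default route.
    for route in mgmt_vrf_static_routes:
        dest = ipaddress.ip_network(route, strict=False)
        if dest.prefixlen == 0:
            findings.append(
                ("default-route", f"{dest} must not be in the Management VRF")
            )

    return findings


if __name__ == "__main__":
    # Constructed plan: the management address comes from the example above,
    # the other values are documentation-range placeholders.
    plan = check_mgmt_plan(
        "192.0.2.24 255.255.255.0",
        inband_subnets=["198.51.100.0/24", "192.0.2.128/25"],
        mgmt_vrf_static_routes=["203.0.113.0/24", "0.0.0.0/0"],
    )
    for kind, detail in plan:
        print(f"{kind}: {detail}")
```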

Configure Ethernet Ports with Auto-Negotiation


Configure Ethernet ports so they operate optimally for your network conditions.

About This Task

When you use 1 Gigabit Ethernet SFP transceivers, the software disables Auto-Negotiation on the port.
If you use 1 Gbps SFP transceivers, the remote end must also have Auto-Negotiation disabled.

All ports that belong to the same MLT or Link Aggregation Control Protocol (LACP) group must use the
same port speed. In the case of MLTs, the software does not enforce this.

The software requires the same Auto-Negotiation settings on link partners to avoid incorrect
declaration of link status. Mismatched settings can cause the links to stay down. Ensure the Auto-
Negotiation settings between local ports and their remote link partners match before you upgrade the
software.

Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable Auto-Negotiation:
auto-negotiate [port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] enable
3. Verify the configuration:
show interfaces gigabitEthernet l1-config [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]


Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitethernet 1/8
Switch:1(config-if)#auto-negotiate enable
Switch:1(config-if)#show interfaces gigabitEthernet l1-config 1/8
====================================================================================================
Port Config L1
====================================================================================================
PORT AUTO OPERATE CUSTOM AUTO NEGOTIATION CANA ADMIN OPERATE ADMIN OPERATE
NUM NEG. AUTO-NEG ADVERTISEMENTS ORIGIN DPLX SPD DPLX SPD TX-FLW-CTRL TX-FLW-CTRL
----------------------------------------------------------------------------------------------------
1/8 true true Not Configured RADIUS full 10000 0 enable enable

Variable Definitions
The following table defines parameters for the auto-negotiate command.

Variable                                               Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}    Specifies the port or ports that you want to configure.
enable                                                 Enables auto-negotiation for the port or other ports of the module.
                                                       The default Auto-Negotiation behavior depends on the switch model and transceiver type.

Configure Auto-Negotiation Advertisements


Configure local port Auto-Negotiation advertisements to specify the speed and duplex mode for traffic
between local ports and remote link partners. Supported speeds and duplex modes vary, depending on
your hardware.

Before You Begin

You must enable Auto-Negotiation before you perform this procedure.

About This Task

Configure local port Auto-Negotiation advertisements.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.


2. Configure Auto-Negotiation advertisements on one or more ports:
auto-negotiation-advertisements {25000-full|10000-full|2500-full|5000-full|1000-full|100-full|100-half|10-full|10-half}
or
auto-negotiation-advertisements port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} {25000-full|10000-full|2500-full|5000-full|1000-full|100-full|100-half|10-full|10-half}
3. Verify the configuration:
show interfaces gigabitEthernet l1-config [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]

Variable Definitions
The following table defines parameters for the auto-negotiation-advertisements command.

Variable                                               Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}    Specifies the port or ports that you want to configure.
25000-full                                             Advertises 25 Gbps full-duplex.
10000-full                                             Advertises 10 Gbps full-duplex.
5000-full                                              Advertises 5 Gbps full-duplex.
2500-full                                              Advertises 2.5 Gbps full-duplex.
1000-full                                              Advertises 1 Gbps full-duplex.
100-full                                               Advertises 100 Mbps full-duplex.
100-half                                               Advertises 100 Mbps half-duplex.
10-full                                                Advertises 10 Mbps full-duplex.
10-half                                                Advertises 10 Mbps half-duplex.
none                                                   Configures the Auto-Negotiate value to none.

Configure IEEE 802.3X Pause Frame Transmit


Configure IEEE 802.3X Pause frame transmit to eliminate or minimize packet loss.

About This Task

By default, flow control mode is disabled. When it is disabled, the system does not generate or configure
the transmission of flow control messages. The system always honors received flow control messages
regardless of the flow control mode status. You must enable this mode before you configure an
interface to send pause frames.


By default, an interface does not send pause frames.

Note
If you enable MACsec on an interface and you send small packet size traffic near line
rate, the In FlowCtrl frame might increment in the output of the show interface
gigabitEthernet statistics command because of the processing overhead caused
by adding the MACsec header of 32 bytes. This is part of the expected over-subscription
footprint.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable flow control mode:
boot config flags flow-control-mode
3. Save the configuration.
4. Exit Privileged EXEC mode:
exit
5. Reboot the chassis.
boot
6. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

7. Configure the interface to generate pause frames:
tx-flow-control [enable]
8. (Optional) Configure other interfaces to generate pause frames:
tx-flow-control port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} enable
9. Verify the boot flag configuration:
show boot config flags
10. Verify the interface configuration:
show interfaces gigabitEthernet l1-config {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
11. View the pause-frame packet count:
show interfaces gigabitEthernet statistics {slot/port[/sub-port][-slot/port[/sub-port]][,...]}


Example

Enable flow control on the system and configure slot 1, port 10 to send pause frames. Verify the
configuration.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#boot config flags flow-control-mode
Warning: Please save the configuration and reboot the switch
for this configuration to take effect.
Switch:1(config)#save config
CP-1: Save config to file /intflash/config.cfg successful.
CP-1: Save license to file /intflash/license.xml successful.
Switch:1(config)#exit
Switch:1#boot
Are you sure you want to re-boot the switch (y/n) ?y

Note
Flag support can vary across hardware models.

Switch:1#show boot config flags


flags advanced-feature-bandwidth-reservation low
flags block-snmp false
flags debug-config false
flags debugmode false
flags dvr-leaf-mode false
flags enhancedsecure-mode false
flags factorydefaults false
flags flow-control-mode true
flags ftpd true
flags ha-cpu true
flags hsecure false
flags ipv6-egress-filter true
flags ipv6-mode false
flags linerate-directed-broadcast false
flags logging true
flags nni-mstp false
flags reboot true
flags rlogind false
flags savetostandby true
flags spanning-tree-mode mstp
flags spbm-config-mode true
flags sshd true
flags syslog-rfc5424-format true
flags telnetd true
flags tftpd true
flags trace-logging false
flags urpf-mode true
flags verify-config true
flags vrf-scaling true
flags vxlan-gw-full-interworking-mode false
Switch:1(config-if)#show interfaces gigabitEthernet l1-config 1/10
==================================================================================================
Port Config L1
==================================================================================================
PORT AUTO OPERATE CUSTOM AUTO NEGOTIATION CANA ADMIN OPERATE ADMIN OPERATE
NUM NEG. AUTO-NEG ADVERTISEMENTS ORIGIN DPLX SPD DPLX SPD TX-FLW-CTRL TX-FLW-CTRL
--------------------------------------------------------------------------------------------------
1/10 true true Not Configured RADIUS full 10000 0 enable enable


View the pause-frame packet count for slot 1, port 10.


Switch:1(config-if)#show interfaces gigabitEthernet statistics 1/10
==========================================================================================
Port Stats Interface
==========================================================================================
PORT IN          OUT         IN        OUT
NUM  OCTETS      OCTETS      PACKET    PACKET
------------------------------------------------------------------------------------------
1/1  29964704384 22788614528 234106526 178034166

PORT IN       OUT      IN  OUT OUTLOSS
NUM  FLOWCTRL FLOWCTRL PFC PFC PACKETS
------------------------------------------------------------------------------------------
1/1  0        11014    0   0   0

Variable Definitions
The following table defines parameters for the tx-flow-control command.

Variable                                                    Value
enable                                                      Configures the interface to send pause frames. By default, flow control is disabled.
                                                            Note: tx-flow-control is enabled by default on XA1400 Series.
port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

Use the data in the following table to use the show interfaces gigabitEthernet l1-config
and show interfaces gigabitEthernet statistics commands.

Variable                                               Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

Enable Channelization
Enable channelization on a port to configure it to operate as four channels, or ports.

Important
Enabling or disabling channelization resets the port QoS configuration to default values.


Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable channelization on a port:
channelize [port {slot/port[-slot/port][,...]}] enable
3. Display the status of the ports:
show interfaces gigabitEthernet channelize [{slot/port[-slot/port][,...]}]

To display the details of the sub-ports, use:

show interfaces gigabitEthernet channelize detail [{slot/port/sub-port[-slot/port/sub-port][,...]}]
4. (Optional) To disable channelization on a port, enter:
no channelize [port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] enable

Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface gigabitethernet 2/1
Switch:1(config-if)# channelize enable
Enabling channelization on port 2/1. Subport 2/1/1 will inherit port 2/1 configuration.
Subports 2,3,4 will use default config. QSFP will be reset as removal and re-insert.
NOTE: Modify QOS configurations on all subports as required.
Do you wish to continue (y/n) ? y

Display the port status:


Switch:1(config)# show interfaces gigabitEthernet channelize 2/2-2/4

================================================================================
Port Channelization
================================================================================
--------------------------------------------------------------------------------
PORT ADMIN MODE CHANNEL TYPE
--------------------------------------------------------------------------------
2/2 true 40G
2/3 false 40G
2/4 false 40G

The following is an example of how to disable channelization on a port:


Switch:1> enable
Switch:1# configure terminal


Switch:1(config)# interface gigabitethernet 2/2/1


Switch:1(config-if)# no channelize enable

Variable Definitions
The following table defines parameters for the channelization command.

Variable                                               Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

Configure FEC on a Port


About This Task

Use this procedure to configure Forward Error Correction (FEC) on supported ports.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. (Optional) Specify the port or ports to configure for FEC:
fec port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
3. Configure FEC on a port:
fec {auto | cl108 | cl74 | cl91}
4. Verify the configuration:
show interfaces gigabitEthernet config {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Examples
Configure Clause 108 FEC on a 25 Gbps port 1/1:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitethernet 1/1
Switch:1(config-if)#fec cl108


Verify the configuration when a 25 Gbps optic is present:

Switch:1(config-if)#show interfaces gigabitEthernet config 1/1


==========================================================================================
Port Config
==========================================================================================
PORT DIFF-SERV QOS MLT VENDOR
NUM TYPE EN TYPE LVL ID NAME
------------------------------------------------------------------------------------------
1/1 25GbCX true core 1 0 Extreme
==========================================================================================
Port Config
==========================================================================================

PORT ADMIN OPERATE AUTO ACCESS-SERV RMON FLEX-UNI ADMIN APPLICABLE OPERATE
NUM ROUTING ROUTING RECOVER EN FEC FEC FEC
------------------------------------------------------------------------------------------
1/1 Enable Disable Disable false Disable Disable Auto CL108 CL108

Verify the configuration when a 10 Gb optic is present in a 25 Gb port:


Switch:1(config-if)#show interfaces gigabitEthernet config 1/1
================================================================================================
Port Config
================================================================================================
PORT DIFF-SERV QOS MLT VENDOR
NUM TYPE EN TYPE LVL ID NAME
------------------------------------------------------------------------------------------------
1/1 10GbSR true core 1 0 Extreme

PORT ADMIN OPERATE AUTO ACCESS-SERV RMON FLEX-UNI ADMIN APPLICABLE OPERATE
NUM ROUTING ROUTING RECOVER EN FEC FEC FEC
------------------------------------------------------------------------------------------------
1/1 Enable Disable Disable false Disable Disable Auto Not Applicable Off


Variable Definitions
The following table defines parameters for the fec command.

Variable                                                    Value
port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
{auto | cl108 | cl74 | cl91}                                Configures one of the following options for FEC on the port:
                                                            • auto
                                                            • Clause 91
                                                            • Clause 108
                                                            • Clause 74
                                                            Note: On a 100 GbE port, only the Clause 91 and Clause 108 options are supported. On 100 GbE channelized ports (operating at 25 Gbps speed), you can configure Clause 108 for extra latency or Clause 74 for reduced latency. Configuration of FEC is not supported on a management port or on 100 GbE ports operating at 40 Gbps speed.
                                                            Important: On ports that support FEC, always configure the same option on both end-points. Otherwise, the link does not come up.

Configuring Serial Management Port Dropping


Configure the serial management ports to drop a connection that is interrupted for any reason. If you
enable serial port dropping, the serial management ports drop the connection for the following reasons:
• modem power failure
• link disconnection
• loss of the carrier

Serial ports interrupted due to link disconnection, power failure, or other reasons force out the user and
end the user session. Ending the user session ensures a maintenance port is not available with an active
session that can allow unauthorized use by someone other than the authenticated user, and prevents
the physical hijacking of an active session by unplugging the connected cable and plugging in another.

By default, the feature is disabled with enhanced secure mode disabled. If enhanced secure mode is
enabled, the default is enabled.


For more information on enhanced secure mode, see Enabling enhanced secure mode on page 3339.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure the serial port to drop if a connection is interrupted:
sys security-console

Example

Configure the serial port to drop if a connection is interrupted:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#sys security-console

Configuring power on module slots


About This Task

Use this procedure to control whether or not to supply power to specific slots that contain either switch
fabric modules or input/output modules. By default, power is available to all slots.

After enabling power to specific input/output module slots, you can also configure the priority in which
they are powered on. For more information, see Configuring Slot Priority on page 563.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable power to one or more slots:
sys power slot <1–4 | 1–8 | SF1–SF3>
3. Disable power to one or more slots:
no sys power slot <1–4 | 1–8 | SF1–SF3>

Example

Switch:1>enable

Switch:1#configure terminal

Enable power to Slot 1:

Switch:1 (config)# sys power slot 1

Disable power to Slot 1:

Switch:1 (config)# no sys power slot 1


Enable power to Slots 3 and 5:

Switch:1(config)#sys power slot 3,5

Disable power to Slots 3 and 5:

Switch:1(config)#no sys power slot 3,5

Variable Definitions
The following table defines parameters for the sys power slot command.

Variable                 Value
<1–4 | 1–8 | SF1–SF3>    Identifies the slot to provide power in one of the following formats: a single slot (1), a range of slots (1–3), or a series of slots (1,2,4). The default is to provide power to all slots.
                         Use the no operator to disable power to a slot.
                         Use the default operator to enable power to a slot.
                         Different hardware platforms support different slot ranges. Use the CLI Help to see the available range.

Configuring Slot Priority


Note
This procedure only applies to VSP 8600 Series.

About This Task

Configure slot priority to specify which slots you want to shut down if there is insufficient power
available in the chassis. By default, power is available to all slots, and the slots have the following
priority:
• Slots 1, 2, SF1, SF2, and SF3 must always be Critical so you cannot configure them.
• Slots 3-8 are High by default, but you can configure any of them to Low.

Note
Power is always supplied first to critical slots, which are the CP modules, SF modules, and fan
trays.

The slot with the lowest priority shuts down first. Slots with the same priority shut down in descending
order (highest slot number first) and interface slots shut down before CP, SF modules, and fan tray
slots.

For example, if slot 3 has a low priority and slots 4 and 5 have a high priority, the slot shutdown
priority is as follows: 4, 5, 3. Slot 3 has the lowest priority because it was configured as low, so it
shuts down first. Slots 4 and 5 have the same priority, but slot 5 shuts down before slot 4 because slot
5 has a higher slot number.


Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure slot priority:
sys power slot-priority <3–8> {high|low}

Example

Switch:1>enable

Switch:1#configure terminal

Configure slot priority to determine that slot 3 has a low priority if insufficient power is available for all
modules:

Switch:1(config)#sys power slot-priority 3 low

Variable Definitions
The following table defines parameters for the sys power slot-priority command.

Variable      Value
<3–8>         Identifies the module slot.
high | low    Specifies whether the module should have a high or low priority setting if there is insufficient power available for all modules. The default is high.

Enable the Locator LED


Note
This procedure only applies to VSP 4900 Series.

About This Task

Perform this procedure to turn the system Locator LED on to provide a visual identification of a specific
switch.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable the system Locator LED:
sys locator-led
3. Display the system Locator LED status:
show sys locator-led


Enable or Disable the USB Port


Perform this procedure to control USB access. For security reasons, you may want to disable this port
to prevent individuals from using it. By default, the port is automatically mounted when a USB device is
inserted.

Before You Begin


• The switch must be in Enhanced Secure mode.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Disable the USB port:
sys usb disable
3. Enable a previously disabled USB port:
no sys usb disable
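
Several procedures in this chapter depend on boot flags: tx-flow-control requires flow-control-mode, and both the serial port dropping default and the USB procedure depend on Enhanced Secure mode. The following Python sketch is an added example, not Extreme Networks code; it parses show boot config flags output (the sample is an excerpt constructed from the listing in the pause-frame example) and reports those dependencies. The check for cleartext management daemons is an added assumption based on general protocol knowledge, not a statement from this guide.

```python
# Constructed sample: excerpt of the `show boot config flags` listing printed
# in the pause-frame example of this guide, including the prompt line.
SAMPLE_FLAGS = """\
Switch:1#show boot config flags
flags advanced-feature-bandwidth-reservation low
flags enhancedsecure-mode false
flags flow-control-mode true
flags ftpd true
flags rlogind false
flags sshd true
flags telnetd true
flags tftpd true
"""

# Assumption (general protocol knowledge, not from the guide): these daemons
# carry credentials or files without encryption.
CLEARTEXT_DAEMONS = ("ftpd", "rlogind", "telnetd", "tftpd")


def parse_boot_flags(text):
    """Return {flag: value}; 'true'/'false' become bool, other values stay str."""
    flags = {}
    for raw in text.splitlines():
        parts = raw.split()
        # Only 'flags <name> <value>' lines count; prompts and blanks are skipped.
        if len(parts) != 3 or parts[0] != "flags":
            continue
        name, value = parts[1], parts[2]
        flags[name] = {"true": True, "false": False}.get(value.lower(), value)
    return flags


def audit_boot_flags(flags):
    """Return [(flag, message)] for settings this chapter's procedures depend on."""
    findings = []

    esm = flags.get("enhancedsecure-mode")
    if esm is None:
        findings.append((
            "enhancedsecure-mode",
            "not reported: cannot infer the serial port dropping default "
            "or whether the 'sys usb disable' prerequisite is met",
        ))
    elif esm is not True:
        findings.append((
            "enhancedsecure-mode",
            "false: serial port dropping is disabled by default (enable it with "
            "'sys security-console'); 'sys usb disable' requires Enhanced Secure mode",
        ))

    if flags.get("flow-control-mode") is not True:
        findings.append((
            "flow-control-mode",
            "not enabled: set the flag, save and reboot before configuring "
            "tx-flow-control",
        ))

    for daemon in CLEARTEXT_DAEMONS:
        if flags.get(daemon) is True:
            findings.append((daemon, "cleartext management service is enabled"))

    return findings


if __name__ == "__main__":
    for flag, message in audit_boot_flags(parse_boot_flags(SAMPLE_FLAGS)):
        print(f"{flag}: {message}")
```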

View Fan Information


About This Task

Note
This procedure does not apply to XA1400 Series or VSP 8600 Series.

View fan information to monitor the alarm status of the cooling ports in the chassis.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display fan information:
show sys-info fan

Example

View fan information:


Switch:1>show sys-info fan
******************************************************************************
Tray Unit Oper Speed Oper Speed (Rpm) Airflow Type Status
1 1 LOW 5782 F2B OK
1 2 LOW 3366 F2B OK


Configure Port Speed


About This Task

Manually configure the port speed.

Important
If Auto-Negotiation is disabled and you change the speed on a port that results in a
configuration mismatch in speed between two ports, VSP 4450 Series and VSP 4900 Series
switches may show an incorrect operational status of "up" for the mismatched ports.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the speed for one or more ports:
speed {10|100|1000|10000|2500|25000|5000}
or
speed port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} {10|100|1000|10000|2500|25000|5000}

Variable Definitions
The following table defines parameters for the speed command.

Variable                                               Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}    Specifies the port or ports that you want to configure.
10                                                     Configures the port speed to 10 Mbps.
100                                                    Configures the port speed to 100 Mbps.
1000                                                   Configures the port speed to 1 Gbps.
10000                                                  Configures the port speed to 10 Gbps.
2500                                                   Configures the port speed to 2.5 Gbps.
25000                                                  Configures the port speed to 25 Gbps.
5000                                                   Configures the port speed to 5 Gbps.


Configure Ports Speeds for All VIM Ports


Note
This procedure only applies to VSP 4900 Series.

Configure all of the ports on an installed Versatile Interface Module (VIM) to operate at the same speed.

Note
Some VIMs must operate with all ports at the same speed, while others can operate with
ports at different speeds. For more information, see VOSS Release Notes. The sys vim-
speed command is supported only on VIMs that must operate with all ports at the same
speed. An error message displays if you run the command on an unsupported VIM.

Before You Begin

Install the VIM before performing this procedure.

About This Task

Use this procedure to configure the speed of all ports in a multi-port VIM to operate at either 1 Gbps, 10
Gbps, or 25 Gbps.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the speed for all of the VIM ports:
sys vim-speed {1000 | 10000 | 25000}
3. Configure all VIM ports into two speed setting groups:
sys vim-speed group <1-2> {1000 | 10000 | 25000}

Variable Definitions
The following table defines parameters for the sys vim-speed command.

Variable         Value
10000 | 25000    Configures all ports in a multi-port VIM to operate at either 10 Gbps, or 25 Gbps. The default is 25 Gbps.

Display Ports Speeds for All VIM Ports


Note
This procedure only applies to VSP 4900 Series.


Display the configured speed on all VIM ports.

Note
Some VIMs must operate with all ports at the same speed, while others can operate with
ports at different speeds. For more information, see VOSS Release Notes. The show sys
vim-speed command is supported only on VIMs that must operate with all ports at the
same speed. An error message displays if you run the command with an unsupported VIM
installed.

Before You Begin

Install the VIM before performing this procedure.

About This Task

Use this procedure to display the configured speed of all ports in a multi-port VIM.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the speed for all of the VIM ports:
show sys vim-speed

Prepare a slot for IOC Module Preconfiguration using CLI


About This Task

Use this procedure to designate a slot in the switch for IOC module preconfiguration. You can designate
a slot for only one module type at a time.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Enter Global Configuration mode:
enable

configure terminal
3. Designate a slot for IOC module preconfiguration:
preconfig slot <1-8> WORD<1-20> [lock]
4. Verify IOC module preconfiguration:
show sys-info card

Example

The following examples prepare a slot for IOC module preconfiguration:

Prepare a slot for IOC module preconfiguration, with card lock enabled on the slot.

Switch:1>en
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.


Switch:1(config)#preconfig slot 5 8624XT lock

Verify the configuration:

Switch:1(config)#show sys-info card

Card Info :
Slot 5 :

CardType : 8624XT
CardDescription : 8624XT
CardSerial# : SDNI86XSD282
CardPart# : EC8604002-E6
CardAssemblyDate : 20161125
CardHWRevision : D2
CardHWConfig : 0
AdminStatus : up
OperStatus : up
PowerStatus : on
Preconfigured : yes
Preconfig CardType: 8624XT
Preconfig Lock : yes

If card lock is enabled on the slot, and the module type of the inserted IOC module does not match
the preconfigured IOC module type (for example, if the inserted module is type 8624XT but the
preconfigured module type is 8624XS), then the operational status of the inserted IOC module displays
as down-Mismatch.

Switch:1(config)#show sys-info card

Card Info :
Slot 5 :

CardType : 8624XS
CardDescription : 8624XS
CardSerial# : SDNI86XSD282
CardPart# : EC8604002-E6
CardAssemblyDate : 20161125
CardHWRevision : D2
CardHWConfig : 0
AdminStatus : down
OperStatus : down-Mismatch
PowerStatus : down
Preconfigured : yes
Preconfig CardType: 8624XT
Preconfig Lock : yes

Prepare another slot for IOC module preconfiguration, with no card lock enabled on the slot.

Switch:1>en
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)#preconfig slot 6 8624XS

Verify the configuration:

Switch:1(config)#show sys-info card


Card Info :
Slot 6 :

CardType : 8624XS
CardDescription : 8624XS
CardSerial# : SDNI86XSD282
CardPart# : EC8604002-E6
CardAssemblyDate : 20161125
CardHWRevision : D2
CardHWConfig : 0
AdminStatus : up
OperStatus : up
PowerStatus : on
Preconfigured : yes
Preconfig CardType: 8624XS
Preconfig Lock : no

If card lock is disabled on the slot, and the IOC module type of the inserted card does not match
the preconfigured module type, the existing configuration is deleted and the slot is automatically
preconfigured with the module type of the inserted IOC module. The inserted module then boots up
with default configuration.

In the following example, when the 8624XT module is inserted in a slot preconfigured for the 8624XS,
the pre-configuration for the 8624XS is deleted because it is not locked. The slot is then automatically
preconfigured for 8624XT when the IOC module is physically inserted in that slot.

Switch:1(config)#show sys-info card

Card Info :
Slot 6 :

CardType : 8624XT
CardDescription : 8624XT
CardSerial# : SDNI86XSD282
CardPart# : EC8604002-E6
CardAssemblyDate : 20161125
CardHWRevision : D2
CardHWConfig : 0
AdminStatus : up
OperStatus : up
PowerStatus : on
Preconfigured : yes
Preconfig CardType: 8624XT
Preconfig Lock : no

Variable Definitions
The following table defines parameters for the preconfig slot command.

Variable Value
<1-8> Specifies the slot number designated for pre-configuration.
WORD <1-20> Specifies the card type that can be assigned to the pre-configured slot.
lock Specifies that the IO card will be locked to the pre-configured slot. Only
the IO card that matches the card type assigned to the pre-configured
slot will operate.
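
The following is an added example, not part of the VOSS guide: a Python audit of captured show sys-info card text that reports slots where the lock rejected a module, slots left unlocked, and slots whose card or preconfiguration differs from an approved inventory. The sample output is constructed from the field names shown above; EXPECTED, parse_cards and audit are hypothetical names, and the inventory is assumed to be kept outside the switch.

```python
import re

# Constructed sample, modelled on the `show sys-info card` examples above.
SAMPLE_OUTPUT = """\
Card Info :
Slot 5 :

CardType : 8624XS
CardDescription : 8624XS
AdminStatus : down
OperStatus : down-Mismatch
PowerStatus : down
Preconfigured : yes
Preconfig CardType: 8624XT
Preconfig Lock : yes

Slot 6 :

CardType : 8624XT
CardDescription : 8624XT
AdminStatus : up
OperStatus : up
PowerStatus : on
Preconfigured : yes
Preconfig CardType: 8624XT
Preconfig Lock : no
"""

# Hypothetical approved inventory (slot -> module type), stored off-box.
EXPECTED = {5: "8624XT", 6: "8624XS"}

SLOT_RE = re.compile(r"^\s*Slot\s+(\d+)\s*:\s*$")


def parse_cards(text):
    """Return {slot: {field: value}} parsed from `show sys-info card` text."""
    cards, slot = {}, None
    for line in text.splitlines():
        match = SLOT_RE.match(line)
        if match:
            slot = int(match.group(1))
            cards[slot] = {}
            continue
        key, sep, value = line.partition(":")
        # Skip banner lines such as "Card Info :" and anything before a slot.
        if slot is not None and sep and value.strip():
            cards[slot][key.strip()] = value.strip()
    return cards


def audit(cards, expected):
    """Return a list of (slot, finding) tuples, ordered by slot."""
    findings = []
    for slot in sorted(set(cards) | set(expected)):
        card, want = cards.get(slot), expected.get(slot)
        if card is None:
            findings.append((slot, "absent"))
            continue
        # The lock refused a module whose type differs from the preconfiguration.
        if card.get("OperStatus") == "down-Mismatch":
            findings.append((slot, "mismatch-blocked"))
        # Without the lock, a different module type is accepted and the slot
        # is preconfigured again for whatever was inserted.
        if card.get("Preconfig Lock") != "yes":
            findings.append((slot, "unlocked"))
        if want is None:
            findings.append((slot, "not-in-inventory"))
            continue
        if card.get("CardType") != want:
            findings.append((slot, "card-type-drift"))
        # On an unlocked slot the switch rewrites Preconfig CardType, so only
        # the off-box inventory reveals that the module type changed.
        if card.get("Preconfig CardType") != want:
            findings.append((slot, "preconfig-drift"))
    return findings


if __name__ == "__main__":
    for slot, finding in audit(parse_cards(SAMPLE_OUTPUT), EXPECTED):
        print(f"slot {slot}: {finding}")
```
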


View the Management Port Statistics


Use this procedure to view the management port statistics.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. View the management port statistics:
show interfaces mgmtethernet statistics

Example

View management port statistics:

Switch:1#show interfaces mgmtethernet statistics


===========================================================================
Port Stats Interface
===========================================================================
PORT IN OUT IN OUT
NUM OCTETS OCTETS PACKET PACKET
---------------------------------------------------------------------------
mgmt 7222116 44282 81789 586

PORT IN OUT IN OUT OUTLOSS
NUM FLOWCTRL FLOWCTRL PFC PFC PACKETS
---------------------------------------------------------------------------
mgmt 0 0 0 0 0

View Port Routing Statistics


About This Task

View port routing statistics to manage network performance.

Note
This command is not available on all hardware platforms.

Procedure
View port routing statistics:
show routing statistics interface [gigabitethernet] [{slot/port[-slot/port][,...]}]

Example
Switch:1#show routing statistics interface gigabitethernet 1/7-1/9
================================================================================
Port Stats Routing
================================================================================
PORT IN_FRAME IN_FRAME IN OUT_FRAME OUT_FRAME
NUM UNICAST MULTICAST DISCARD UNICAST MULTICAST
--------------------------------------------------------------------------------
1/7 1386 0 0 1344 0
1/8 1302 0 0 1344 0
1/9 0 0 0 0 0


Variable Definitions
Use the data in the following table to use the show routing statistics interface command.

Variable Value
gigabitethernet Specifies the interface type.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range
of slots and ports (slot/port-slot/port), or a series
of slots and ports (slot/port,slot/port,slot/port). If
the platform supports channelization and the port
is channelized, you must also specify the sub-port
in the format slot/port/sub-port.
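
The following is an added example, not part of the VOSS guide: a strict Python validator for the {slot/port[/sub-port][-slot/port[/sub-port]][,...]} argument, for scripts that build these show commands from operator or inventory input. The function names are hypothetical, and ranges that cross a slot boundary are rejected as an assumption of this sketch, because expanding them requires the port count of each slot.

```python
import re

# One token: slot/port or slot/port/sub-port, ASCII digits only.
_PORT = re.compile(r"([0-9]+)/([0-9]+)(?:/([0-9]+))?")


def parse_port(token):
    """Return (slot, port) or (slot, port, sub_port) as integers."""
    match = _PORT.fullmatch(token)
    if match is None:
        raise ValueError(f"not a slot/port[/sub-port] value: {token!r}")
    return tuple(int(group) for group in match.groups() if group is not None)


def expand_port_list(spec):
    """Expand a single port, a range, or a comma-separated series."""
    ports = []
    for item in spec.split(","):
        first, dash, last = item.partition("-")
        low = parse_port(first)
        if not dash:
            ports.append(low)
            continue
        high = parse_port(last)
        # Assumption of this sketch: both ends share the slot (and the port,
        # for sub-port ranges), and the range runs low to high.
        if len(low) != len(high) or low[:-1] != high[:-1] or low[-1] > high[-1]:
            raise ValueError(f"unsupported range: {item!r}")
        ports.extend(low[:-1] + (n,) for n in range(low[-1], high[-1] + 1))
    return ["/".join(str(n) for n in port) for port in ports]


def routing_stats_command(spec):
    """Build the show command only after the argument passes validation."""
    expand_port_list(spec)  # raises ValueError on anything outside the grammar
    return f"show routing statistics interface gigabitethernet {spec}"


if __name__ == "__main__":
    print(expand_port_list("1/7-1/9,2/3/1-2/3/4"))
    print(routing_stats_command("1/7-1/9"))
```
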

Display Bridging Statistics for Specific Ports


About This Task

Display individual bridging statistics for specific ports to manage network performance.

Note
This command is only available on XA1400 Series.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View bridging statistics for a specific port:
show interfaces GigabitEthernet statistics bridging [{slot/port[-slot/port][,...]}]

Example

Switch:1#show interfaces gigabitEthernet statistics bridging


================================================================================
Port Stats Bridge
================================================================================
PORT IN_FRAME IN_FRAME IN_FRAME OUT_FRAME IN_FRAME OUT_FRAME IN_DISCARD
NUM UNICAST MULTICAST BROADCAST xSTP BPDU xSTP BPDU
--------------------------------------------------------------------------------
1/1 179325 0 0 119310 179325 0 0
1/2 187951 26078 42 689486 179324 0 25617
1/3 0 0 0 0 0 0 0
1/4 0 0 0 0 0 0 0
1/5 0 0 0 0 0 0 0
1/6 394 0 0 948942 360 0 0
1/7 4689 0 0 863403 360 0 0
1/8 4369 3206 116 958752 360 0 3995
1/9 0 0 0 0 0 0 0
1/10 0 0 0 0 0 0 0
1/11 0 0 0 0 0 0 0
1/12 0 0 0 0 0 0 0
1/13 179325 0 0 42040 179325 0 0
1/14 187864 0 0 50437 179324 0 0
1/15 0 0 0 0 0 0 0

1/16 0 0 0 0 0 0 0

--More-- (q = quit)

Variable Definitions
Use the data in the following table to use the show interfaces GigabitEthernet
statistics bridging command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range
of slots and ports (slot/port-slot/port), or a series
of slots and ports (slot/port,slot/port,slot/port). If
the platform supports channelization and the port
is channelized, you must also specify the sub-port
in the format slot/port/sub-port.

Displaying Detailed Statistics for Ports


Display detailed statistics for specific ports to manage network performance.

Note
Slot and port information can differ depending on hardware platform.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View statistics for specific ports:
show interfaces GigabitEthernet statistics verbose {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Example

View statistics for various ports:


Switch:1>enable
Switch:1#show interfaces gigabitethernet statistics verbose

Please widen the terminal for optimal viewing of data.

===========================================================================================
Port Stats Interface Extended
===========================================================================================
PORT_NUM IN_UNICST OUT_UNICST IN_MULTICST OUT_MULTICST IN_BRDCST OUT_BRDCST IN_LSM OUT_LSM
-------------------------------------------------------------------------------------------
2/1 0 0 0 0 0 0 0 0
2/2 0 0 0 0 0 0 0 0
2/3 0 0 0 0 0 0 0 0
2/4 0 0 0 0 0 0 0 0
2/5 0 0 0 0 0 0 0 0
2/6 0 0 0 0 0 0 0 0

3/1 0 0 0 0 0 0 0 0
3/2 0 0 0 0 0 0 0 0
3/3 0 0 8702 34805 0 0 0 0
3/4 0 0 0 0 0 0 0 0
3/5 0 0 0 0 0 0 0 0
3/6 0 0 0 0 0 0 0 0
3/7 0 0 0 0 0 0 0 0
3/8 0 0 0 0 0 0 0 0
3/9 0 0 0 0 0 0 0 0

--More-- (q = quit)

Variable Definitions
Use the data in the following table to use the show interfaces GigabitEthernet
statistics verbose command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range
of slots and ports (slot/port-slot/port), or a series
of slots and ports (slot/port,slot/port,slot/port). If
the platform supports channelization and the port
is channelized, you must also specify the sub-port
in the format slot/port/sub-port.

Chassis operations configuration using EDM


This section provides the details to configure basic hardware and system settings using Enterprise
Device Manager (EDM).

Edit System Information


About This Task

Edit system identification information, configuration file information, and perform system actions.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Click Chassis.
3. Click the System tab.
4. Enter or edit the information as required.
5. Click Apply.


System Field Descriptions


Use the data in the following table to use the System tab.

Name Description
sysDescr Shows the system assigned name and the
software version.
sysUpTime Shows the elapsed time since the system last
started.
sysContact Configures the contact information.
sysName Configures the name of this device.
sysLocation Configures the physical location of this device.
VirtualIpAddr Configures the virtual IP address that the
primary CPU advertises and stores in the switch
configuration file.
VirtualNetMask Configures the net mask of the virtual
management IP address.
VirtualIpv6Addr Specifies the virtual IPv6 address.
VirtualIpv6PrefixLength Specifies the length of the virtual IPv6 address
prefix (in bits).
DnsDomainName Configures the default domain for querying the
DNS server.
LastChange Displays the time since the last configuration
change.
LastVlanChange Displays the time since the last VLAN change.
LastStatisticsReset Displays the time since the statistics counters
were last reset.
LastRunTimeConfigSave Displays the last run-time configuration saved.
DefaultRuntimeConfigFileName Displays the default Run-time configuration file
directory name.
ConfigFileName Specifies the name of a new configuration file.
ActionGroup1 Performs one of the following actions:
• resetCounters— Resets all statistic counters.
• saveRuntimeConfig— Saves the current run-
time configuration.
• loadLicense— Loads a software license file to
enable features.

LicenseFileName Specifies the name of the license file in the /intflash directory.
Note:
Exception: only supported on the VSP 8600 Series
and the XA1400 Series.

ActionGroup2 Specifies the following action:
resetIstStatCounters—Resets the IST statistic
counters

ActionGroup3 Can be the following action:
• flushIpRouteTbl—flushes IP routes from the
routing table

ActionGroup4 Can be the following action:
• softReset—resets the device without running
power-on tests
• cpuSwitchOver—switches over to the other
CPU
• softResetCoreDump—reset with coredump

Result Displays a message after you select Apply.


LocatorLED Configures the system Locator LED on or off. The
default is off.
Note:
Exception: only supported on VSP 4900 Series.

Edit Chassis Information


About This Task

Edit the chassis information to make changes to chassis-wide settings.

Procedure

1. In the Device Physical View tab, select the device.


2. In the navigation pane, expand Configuration > Edit.
3. Select Chassis.
4. Select the Chassis tab.
5. Edit the necessary options.
6. Select Apply.

Chassis Field Descriptions


Use the data in the following table to use the Chassis tab.

Name Description
Type Specifies the chassis type.
ModelName Specifies the chassis model name.
This parameter does not apply on all
platforms.
BrandName Specifies the chassis brand name.
This parameter does not apply on all
platforms.
PartNumber Specifies the device part number.
SerialNumber Specifies a unique chassis serial number.

HardwareRevision Specifies the current hardware revision of the device chassis.
NumSlots Specifies the number of slots available in the chassis.
NumPorts Specifies the number of ports currently installed in the
chassis.
BaseMacAddr Specifies the starting point of the block of MAC addresses
used by the switch for logical and physical interfaces.
MacAddrCapacity Specifies the number of routable MAC addresses based on
the BaseMacAddr.
Temperature Specifies the temperature of the device measured in degrees Celsius.
This parameter does not apply for all platforms.
MacFlapLimitTime Configures the time limit for the loop-detect feature, in
milliseconds, for MAC flapping. The value ranges from 10–5000. The default value is 500.
This parameter does not apply for all platforms.
AutoRecoverDelay Specifies the time interval, in seconds, after which auto-
recovery runs on ports to clear actions taken by CP Limit
or link flap. The default is 30.
MTUSize Configures the maximum transmission unit size.
The default is 1950 bytes.
MgidUsageVlanCurrent Number of MGIDs for VLANs currently in use.
MgidUsageVlanRemaining Number of remaining MGIDs for VLANs.
MgidUsageMulticastCurrent Number of MGIDs for multicast currently in use.
MgidUsageMulticastRemaining Number of remaining MGIDs for multicast.
DdmMonitor Enables or disables the monitoring of the DDM. When
enabled, the user gets the internal performance condition
(temperature, voltage, bias, Tx power and Rx power) of the
SFP/XFP. The default is disable.
DdmMonitorInterval Configures the DDM monitor interval in the range of 5 to
60 in seconds. If any alarm occurs, the user gets the log
message before the specific interval configured by the user.
The default value is 5 seconds.
DdmTrapSend Enables or disables the sending of trap messages. When
enabled, the trap message is sent to the Device manager,
any time the alarm occurs. The default is enable.
DdmAlarmPortdown Sets the port down when an alarm occurs. When enabled,
the port goes down when any alarm occurs. The default is
disable.
PowerUsage Specifies the amount of power the CPU uses.
This parameter does not apply on all
platforms.
PowerAvailable Specifies the amount of power available to the CPU.
This parameter does not apply on all
platforms.


View Physical Entities


Perform this procedure to view information about the functional components of the switch.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Click Entity.

Physical Entities Field Descriptions


Use the data in the following table to use the Physical Entities tab.

Name Description
Index Indicates the index of the entry.
Descr Indicates the name of the manufacturer for the
physical entity.
VendorType Indicates the vendor-specific hardware type for
the physical entity. Because there is no vendor-
specifier registration for this device, the value is 0.
ContainedIn Indicates the index value for the physical entity
which contains this physical entity. A value of zero
indicates that this physical entity is not contained
in any other physical entity.
Class Indicates the general hardware type of the
physical entity. The value is configured to the
standard enumeration value that indicates the
general class of the physical entity.
ParentRelPos Indicates the relative position of the child
component among the sibling components.
Name Indicates the name of the component, as assigned
by the local device, and that is suitable to use in
commands you enter on the console of the device.
Depending on the physical component naming
syntax of the device, the name can be a text name
such as console, or a component number such as
port or module number.
If there is no local name, there is no value.
HardwareRev Indicates the vendor-specific hardware revision
string for the physical entity.
If no specific hardware revision string is associated
with the physical component, or if this information
is unknown, then this object contains a zero-
length string, or there is no value.
If there is no information available, there is no
value.

FirmwareRev Indicates the vendor-specific firmware revision
string for the physical entity.
If no specific firmware programs are associated
with the physical component, or if this information
is unknown, then this object contains a zero-
length string, or there is no value.
If there is no information available, there is no
value.
SoftwareRev Indicates the vendor-specific software revision
string for the physical entity.
If no specific software programs are associated
with the physical component, or if this information
is unknown, then this object contains a zero-
length string, or there is no value.
If there is no information available, there is no
value.
SerialNum Indicates the vendor-specific serial number string
for the physical entity. The value is the serial
number string printed on the component, if
present.
If there is no information available, there is no
value.
MfgName Indicates the name of the manufacturer of
the physical component. The value is the
manufacturer name string printed on the
component, if present.
If the manufacturer name string associated with
the physical component is unknown, then this
object contains a zero-length string.
If there is no information available, there is no
value.
ModelName Indicates the vendor-specific model name
identifier string associated with the physical
component. The value is the part number which
is printed on the component.
If the model name string associated with the
physical component is unknown, then this object
contains a zero-length string.
Alias Indicates an alias name for the physical entity that
is specified by a network manager, and provides a
nonvolatile handle for the physical entity.
The software supports read-only and provides
values for the port interface only.
AssetID Indicates a user-assigned asset tracking identifier
for the physical entity. This value is specified
by a network manager, and provides nonvolatile
storage of this information.
Because this object is not supported, there is no
value.

IsFRU Indicates whether or not the physical entity is
considered a field replaceable unit.
• If the value is true(1), then the component is
a field replaceable unit.
• If the value is false(2), then the component
is permanently contained within a field
replaceable unit.

MfgDate Indicates the manufacturing date of the managed
entity. If the manufacturing date is unknown, then
the value is '0000000000000000'H.
Uris Indicates additional identification information
about the physical entity.
Uris is not supported, therefore there is no value.

View Entity Aliases


About This Task

Perform this procedure to view the entity aliases on the switch.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Click Entity.
3. Click the Alias tab.

Alias Field Descriptions


Use the data in the following table to use the Alias tab.

Name Description
Index The index of the entry
LogicalIndexOrZero The index of the entry. The value of this object
identifies the logical entity that defines the
naming scope for the associated instance of the
Mapping Identifier object.
This is always 0.
MappingIdentifier The value of this object identifies a particular
conceptual row associated with the indicated
Physical Index and Logical Index pair.
Because only physical ports are modeled in this
table, only entries that represent interfaces or
ports are allowed. If an ifEntry exists on behalf of
a particular physical port, then this object should
identify the associated ifEntry.
This is the OID of ifIndex.Port.


Viewing Entity Child Indexes


About This Task

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Click Entity.
3. Click the Child Index tab.

Child Index field descriptions


Use the data in the following table to use the Child Index tab.

Name Description
Index Indicates the index of the entry.
ChildIndex The index of the entry. The value of Physical Index
for the contained physical entity.

Configure System Flags


About This Task

Configure the system flags to enable or disable flags for specific configuration settings.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Chassis.
3. Select the System Flags tab.
4. Select the system flags you want to activate.
5. Clear the system flags you want to deactivate.
6. Select Apply.

Important
After you change certain configuration parameters, you must save the changes to the
configuration file.

System Flags Field Descriptions


Use the data in the following table to use the System Flags tab.

Name Description
EnableAccessPolicy Activates access policies. The default is disabled.
ForceTrapSender Configures circuitless IP as a trap originator. The default is
disabled.
ForceIpHdrSender If you enable Force IP Header Sender, the system matches
the IP header source address with SNMP header sender
networks. The default is disabled.

AuthSuccessTrapEnable Enables the system to send the authentication success trap,
rcnAuthenticationSuccess. The default is disabled.
MrouteStrLimit Enable or disable Mroute stream limit in system. The default
is disabled.
DataPathFaultShutdownEnable Enable or disable data path fault shutdown. The default is
enabled.
PingTracerouteContextType Configures the default context for executing ping commands
and traceroute commands. The default is grt.
Note:
Exception: not supported on VSP 8600
Series.

UdpSrcByVirtualIpEnable Enables or disables virtual IP as the User Datagram Protocol
(UDP) source. The default is disabled.
ForceTopologyIpFlagEnable Activates or disables the flag that configures the CLIP ID as
the topology IP. Values are true or false.
The default is disabled.
CircuitlessIpId Uses the CLIP ID as the topology IP.
Enter a value from 1–256.
HaCpu Activates or disables the CPU High Availability feature.
If you enable or disable High Availability mode, the
secondary CPU resets automatically to load settings from
the saved configuration file.
The default is enabled.
MasterCPUSlot Specifies the slot number, either 1 or 2, for the master CPU.
The default value is 1.
EnableSavetoStandby Enables or disables automatic save of the configuration file
to the standby CPU. The default value is enabled.

HaCpuState Indicates the CPU High Availability state.
• initialization—Indicates the CPU is in this state.
• oneWayActive—Specifies modules that need to
synchronize register with the framework (either locally
or a message received from a remote CPU).
• twoWayActive—Specifies modules that need to
synchronize register with the framework (either locally
or a message received from a remote CPU).
• synchronized—Specifies table-based synchronization is
complete on the current CPU.
• remoteIncompatible—Specifies CPU framework version is
incompatible with the remote CPU.
• error—Specifies if an invalid event is generated in a
specific state the CPU enters Error state.
• disabled—Specifies High Availability is not activated.
• peerNotConnected—Specifies no established peer
connection.
• peerConnected—Specifies peer connection is established.
• lostPeerConnection—Specifies a lost connection to peer
or standby CPU.
• notSynchronized—Specifies table-based synchronization
is not complete.

HaEvent Indicates the High Availability event status.
• restart—Causes the state machine to restart.
• systemRegistrationDone—Causes the CPU to transfer to
One Way or Two Way Active state.
• tableSynchronizationDone—Causes the CPU to transfer
to synchronized state.
• versionIncompatible—Causes the CPU to go to remote
incompatible state
• noEvent—Means no event occurred to date.

StandbyCpu Indicates the state of the standby CPU.

Configure Channelization
Use this procedure to enable or disable channelization on a port. Channelization configures the port to
operate as four channels, or ports.

Important
Enabling or disabling channelization resets the port QoS configuration to default values.

Procedure

1. In the Device Physical View tab, select a port that supports channelization.
2. In the navigation pane, expand Configuration > Edit > Port.
3. Select General.
4. Select the Channelization tab.

5. To enable channelization on the port, select enable.
6. Select Apply. Alternatively, you can right-click the port on the Device Physical View tab, and then
select Channelization Enable.
7. To disable channelization on a port, select the first sub-port for the corresponding port, slot/port/1.
8. In the navigation pane, expand Configuration > Edit > Port.
9. Select General.
10. Select the Channelization tab.
11. To disable channelization on the port, select disable. This action will disable the four sub-ports.
12. Select Apply. Alternatively, you can right-click the port on the Device Physical View tab, and then
select Channelization Disable.

Channelization Field Descriptions


Use the data in the following table to use the Channelization tab.

Name Description
Channelization This field determines whether channelization is enabled or disabled on
the selected port. The two options are enable and disable. The default
is disable.

Configure Basic Port Parameters


Configure options for port operations.

About This Task

If you select more than one port, the format of the tab changes to a table-based tab.

When you use 1 Gigabit Ethernet SFP transceivers, the software disables Auto-Negotiation on the port.
If you use 1 Gbps SFP transceivers, the remote end must also have Auto-Negotiation disabled.

Procedure

1. In the Device Physical View tab, select one or more ports.


2. In the navigation pane, expand Configuration > Edit > Port.
3. Select General.
4. Select the Interface tab.
5. Configure the fields as required.
10/100BASE-TX ports do not consistently auto-negotiate with older 10/100BASE-TX equipment.
You can sometimes upgrade the older devices with new firmware or driver revisions. If an upgrade
does not enable auto-negotiation to correctly identify the link speed and duplex settings, you can
manually configure the settings for the link in question.

Check the Extreme Networks website for the latest compatibility information.
6. Select Apply.


Interface Field Descriptions


Use the data in the following table to use the Interface tab.

Name Description
Index Displays the index of the port, written in the slot/
port[/sub-port] format.
Name Configures the name of the port.
Descr Displays the description of the port. A textual
string containing information about the interface.
Type Displays the type of connector plugged in the
port.
Mtu Displays the Maximum Transmission Unit (MTU)
for the port. The size of the largest datagram
which can be sent or received on the interface,
specified in octets. For interfaces that are used for
transmitting network datagrams, this is the size of
the largest network datagram that can be sent on
the interface.
PhysAddress Displays the physical address of the port. The
address of the interface at the protocol layer
immediately 'below' the network layer in the
protocol stack. For interfaces which do not have
such an address, for example, a serial line, this
object should contain an octet string of zero
length.
VendorDescr Displays the vendor of the connector plugged in
the port.
DisplayFormat Identifies the slot and port numbers (slot/port). If
the port is channelized, the format also includes
the sub-port in the format slot/port/sub-port
AdminStatus Configures the port as enabled (up) or disabled
(down) or testing. The testing state indicates that
no operational packets can be passed.
OperStatus Displays the current status of the port. The
status includes enabled (up) or disabled (down)
or testing. The testing state indicates that no
operational packets can be passed.
LicenseControlStatus Shows the port license status.

Note:
Exception: only supported on VSP 7200 Series.

ShutdownReason Indicates the reason for a port state change.


LastChange Displays the timestamp of the last change.
LinkTrap Enable or disable link trapping.
AutoNegotiate Enables or disables Auto-Negotiation for this port.
The default Auto-Negotiation behavior depends
on the switch model and transceiver type.

AutoNegAd Specifies the port speed and duplex abilities to
advertise during link negotiation.
Supported speeds and duplex modes vary,
depending on your hardware.
The abilities specified in this object are only
used when auto-negotiation is enabled on the
port. If all bits in this object are disabled, and
auto-negotiation is enabled on the port, then the
physical link process on the port will be disabled
(if hardware supports this ability).
Any change to this configuration restarts the auto-
negotiation process, which has the same effect as
physically unplugging and reattaching the cable
attached to the port.
If you select default, all capabilities supported by
the hardware are advertised.
AdminDuplex Configures the administrative duplex setting for
the port.
OperDuplex Indicates the operational duplex setting for the
port.
AdminSpeed Configures the administrative speed for the port.

Important:
If Auto-Negotiation is disabled and you change
the administrative speed on a port that results
in a configuration mismatch in speed between
two ports, VSP 4450 Series and VSP 4900 Series
switches can show an incorrect operational status
of "up" for the mismatched ports.

OperSpeed Indicates the operational speed for the port.


QoSLevel Selects the Quality of Service (QoS) level for this
port. The default is level1.
DiffServ Enables the Differentiated Service feature for this
port. The default is disabled.
Layer3Trust Configures if the system should trust Layer 3
packets coming from access links or core links
only. The default is core.
Layer2Override8021p Specifies whether Layer 2 802.1p override is
enabled (selected) or disabled (cleared) on the
port. The default is disabled (clear).
MltId Shows the MLT ID associated with this port. The
default is 0.
Locked Shows if the port is locked. The default is
unlocked.

UnknownMacDiscard Discards packets that have an unknown source
MAC address, and prevents other ports from
sending packets with that same MAC address
as the destination MAC address. The default is
disabled.
DirectBroadcastEnable Specifies if this interface forwards direct broadcast
traffic.
OperRouting Shows the routing status of the port.
HighSecureEnable Enables or disables the high secure feature for this
port.
RmonEnable Enables or disables Remote Monitoring (RMON)
on the interface. The default is disabled.
FlexUniEnable Enables Flex UNI on the port. The default is
disabled.
IngressRateLimit Limits the traffic rate that the specific ingress port
accepts.
Note:
Exception: not supported on VSP 4450 Series,
VSP 7400 Series, or VSP 8600 Series.

IngressRatePeak Configures the peak rate in Kbps. The default is 0.


IngressRateSvc Configures the service rate in Kbps. The default is
0.
EgressRateLimitState Enables or disables egress port-based shaping to
bind the maximum rate at which traffic leaves the
port. The default is disabled.
EgressRateLimit Specifies the egress rate limit in Kbps. Different
hardware platforms support different egress rate
limits, depending on the port with the highest
speed available on the platform. You cannot
configure the egress shaper rate to exceed the
port capability.
If you configure this value to 0, shaping is disabled
on the port.
Note:
Exception: not supported on VSP 7400 Series,
VSP 8600 Series, or XA1400 Series.
TxFlowControl Configures if the port sends pause frames. By
default, an interface does not send pause frames.
You must also enable the flow control feature
globally before an interface can send pause
frames.
Note:
Exception: not supported on VSP 8600 Series
TxFlowControlOperState Shows the operational state of flow control.
BpduGuardTimerCount Shows the time, starting at 0,
since the port became disabled. When
the BpduGuardTimerCount reaches the
BpduGuardTimeout value, the port is enabled.
Displays in 1/100 seconds.

BpduGuardTimeout Specifies the value to use for port-state recovery.
After a BPDU guard disables a port, the port
remains in the disabled state until this timer
expires.
You can configure a value of 0 or to 65535. The
default is 120 seconds. If you configure the value
to 0, the expiry is infinity.
BpduGuardAdminEnabled Enables BPDU Guard on the port. The default is
disabled.
ForwardErrorCorrection Configures one of the following options for
Forward Error Correction (FEC) on the port:
• CL 91
• CL 108
• CL 74
• disable
• auto
The disable option disables this configuration on
the port.
ForwardErrorCorrectionApplicability Displays whether FEC is applicable on the
interface.
OperAutoNegotiate Shows the operational state of Auto-Negotiation.
OperForwardErrorCorrection Shows the negotiated operational FEC clause.
If the value is off, the port supports FEC and is
up but not configured for FEC. If the value is
notApplicable, the port does not support FEC. If
the value is unknown, the port supports FEC but is
down.
IsPortShared Indicates whether the port is combo or not.
• portShared—Combo port.
• portNotShared—Not a combo port.
PortActiveComponent Specifies whether the copper port is active or
fabric port is active if port is a combo port.
• fixed port—Copper port is active.
• gbic port—Fabric port is active.
Action Performs one of the following actions on the port:
• none - none of the following actions
• flushMacFdb - flush the MAC forwarding table
• flushArp - flush the ARP table
• flushIp - flush the IP route table
• flushAll - flush all tables
• triggerRipUpdate - manually triggers a RIP
update
The default is none.
Result Displays the result of the selected action. The
default is none.

AutoSense Enables or disables Auto-sense on the specific
port. The default value is disabled for existing
configurations but enabled for new Zero Touch
Fabric Configuration deployments.
Note: Exception: not supported on VSP 8600 Series and
XA1400 Series.
AutoSenseKeepAutoConfig Retains the Auto-sense configuration if you
disable Auto-sense on the port. The dynamic
configuration becomes a manual configuration
and is visible in the show running-config
output.
Note: Exception: not supported on VSP 8600 Series and
XA1400 Series.
CustomAutoNegAdOrigin Specifies the origin of Custom Auto Negotiation
Advertisements (CANA) configuration on the port.
The supported values are:
• config - Set by the user.
• radius - Set by the Remote Authentication
Dial-In User Service (RADIUS) attribute.
BpduGuardOrigin Specifies the origin of BPDU Guard configuration
on the port. The supported values are:
• config - Set by the user.
• radius - Set by the Remote Authentication
Dial-In User Service (RADIUS) attribute.
AutoSenseState Displays the Auto-sense port state.
Note: Exception: not supported on VSP 8600 Series and
XA1400 Series.
LinkDebounce Specifies the extended debounce timer on the
port. The range is 0 to 300000 milliseconds. The
value 0 milliseconds disables debounce time. The
default value is 1000.
Note: Exception: not supported on VSP 8600 Series and
XA1400 Series.
AutoSenseDataIsid Specifies the Auto-sense data I-SID per port. The
range is 0 to 16777215.
Note: Exception: not supported on VSP 8600 Series and
XA1400 Series.

Configure Basic Parameters on an Extreme Integrated Application Hosting Port


Note
This procedure only applies to VSP 4900 Series and VSP 7400 Series.

About This Task

Perform this procedure to configure basic parameters on Extreme Integrated Application Hosting (IAH)
ports, for example, auto negotiation, QoS level, and remote monitoring.

Procedure

1. In the navigation pane, expand Configuration > Edit > Insight Port.
2. Select the IAH port you want to configure.
3. Select the Interface tab.
4. In the Name field, type a name for the IAH port.
5. Configure the fields as required.
6. Select Apply.

Interface Field Descriptions


Use data in the following table to use the Interface tab.

Name Description
Index Specifies the index of the Extreme Integrated
Application Hosting (IAH) port, written in the slot/
port[/sub-port] format.
Name Specifies the name of the IAH port.
Descr Specifies the information about the interface.
Type Specifies the type of connector plugged in the IAH
port.
Mtu Specifies the Maximum Transmission Unit (MTU)
for the port. The size of the largest datagram
which can be sent or received on the interface,
specified in octets. For interfaces that are used for
transmitting network datagrams, this is the size of
the largest network datagram that can be sent on
the interface.
PhysAddress Specifies the physical address of the IAH port.
The address of the interface at the protocol
layer immediately below the network layer in the
protocol stack. For interfaces which do not have
such an address (like a serial line), this object
should contain an octet string of zero length.
VendorDescr Specifies the vendor of the connector plugged in
the IAH port.
DisplayFormat Specifies the slot and port numbers (slot/port).
AdminStatus Specifies the operational status of the IAH port.
The testing state indicates that no operational
packets can be passed.
OperStatus Specifies the current status of the IAH port. The
testing state indicates that no operational packets
can be passed.
LicenseControlStatus Specifies the IAH port license status.

ShutdownReason Specifies the reason for the IAH port state change.
LastChange Specifies the timestamp of the last change.
LinkTrap Enables or disables link trapping. The default is
enabled.
AutoNegotiate Enables or disables auto-negotiation for the IAH
port. The default is true (enabled).
AutoNegAd Specifies the port speed and duplex abilities to be
advertised during link negotiation.
The abilities specified in this object are only used
when auto-negotiation is enabled on the IAH
port. If all bits in this object are disabled, and
auto-negotiation is enabled on the IAH port, then
the physical link process on the IAH port will be
disabled (if hardware supports this ability).
Any change in the value of this bit map will force
the switch to restart the auto-negotiation process.
The capabilities being advertised are either all
the capabilities supported by the hardware or the
user-configured capabilities, which is a subset of
all the capability supported by hardware.
By default, all capabilities supported by the
hardware are enabled.
AdminDuplex Specifies the administrative duplex setting for the
IAH port.
OperDuplex Specifies the operational duplex setting for the
IAH port.
AdminSpeed Specifies the administrative speed for the IAH
port.
OperSpeed Specifies the operational speed for the IAH port.
QoSLevel Specifies the Quality of Service (QoS) level for the
IAH port. The default is level1.
DiffServ Enables the Differentiated Service feature for the
IAH port. The default is enabled.
Layer3Trust Specifies if the system should trust Layer 3
packets coming from access links or core links
only. The default is core.
Layer2Override8021p Specifies whether Layer 2 802.1p override is
enabled or disabled. The default is disabled.
MltId Specifies the MLT ID associated with the IAH port.
The default is 0.
Locked Specifies if the IAH port is locked. The default is
false.
UnknownMacDiscard Enables the functionality to discard packets with
an unknown source MAC address, and prevents
the other IAH port from sending packets with
the same MAC address as the destination MAC
address. The default is disabled.

DirectBroadcastEnable Specifies if the IAH port forwards direct broadcast
traffic.
OperRouting Specifies the routing status of the IAH port. The
default is disabled.
HighSecureEnable Enables or disables the high secure feature for the
IAH port. The default is disabled.
RmonEnable Enables or disables Remote Monitoring (RMON)
on the IAH port. The default is disabled.
FlexUniEnable Enables or disables Flex UNI on the IAH port. The
default is disabled.
EgressRateLimitState Enables or disables egress port-based shaping to
bind the maximum rate at which traffic leaves the
IAH port. The default is disabled.
EgressRateLimit Specifies the egress rate limit in Kbps. Different
hardware platforms provide different port speeds.
The default is 0.
TxFlowControl Specifies if the IAH port is sending pause frames.
The default is disabled.
Note: You must enable the flow control feature globally.
TxFlowControlOperState Specifies the operational state of flow control.
BpduGuardTimerCount Specifies the time elapsed since the IAH port
was disabled. When the BpduGuardTimerCount
reaches the BpduGuardTimeout value, the IAH
port is enabled.
BpduGuardTimeout Specifies the time (in seconds) for the IAH port-
state recovery. After the IAH port is disabled by
the BPDU guard, the IAH port remains in the
disabled state until this timer expires.
The default is 120 seconds. If you configure the
value to 0, the expiry is infinity.
BpduGuardAdminEnabled Enables or disables BPDU Guard on the IAH port.
The default is disabled.
ForwardErrorCorrection Configures one of the following options for
Forward Error Correction (FEC) on the IAH port:
• CL 91
• CL 108
• CL 74
• disable
• auto
The disable option disables this configuration on
the port.
ForwardErrorCorrectionApplicability Displays whether FEC is applicable on the
interface.

OperAutoNegotiate Shows the operational state of Auto-Negotiation.
OperForwardErrorCorrection Shows the negotiated operational FEC clause.
If the value is off, the port supports FEC and is
up but not configured for FEC. If the value is
notApplicable, the port does not support FEC. If
the value is unknown, the port supports FEC but is
down.
Action Specifies the following actions on the IAH port:
• none - no action.
• flushMacFdb - flush the MAC forwarding table.
• flushArp - flush the ARP table.
• flushIp - flush the IP route table.
• flushAll - flush all tables.
• triggerRipUpdate - manually triggers a RIP
update.
• clearLoopDetectAlarm - clears the loop
detection alarm on the IAH port.
The default is none.
Result Specifies the result of the selected action. The
default is none.
AutoSense Enables or disables Auto-sense on the specific
port. The default value is disabled for existing
configurations but enabled for new Zero Touch
Fabric Configuration deployments.
AutoSenseKeepAutoConfig Retains the Auto-sense configuration if you
disable Auto-sense on the port. The dynamic
configuration becomes a manual configuration
and is visible in the show running-config
output.
AutoSenseState Displays the Auto-sense port state.
CustomAutoNegAdOrigin Specifies the origin of Custom Auto Negotiation
Advertisements (CANA) configuration on the port.
The supported values are:
• config - Set by the user.
• radius - Set by the Remote Authentication
Dial-In User Service (RADIUS) attribute.
BpduGuardOrigin Specifies the origin of BPDU Guard configuration
on the port. The supported values are:
• config - Set by the user.
• radius - Set by the Remote Authentication
Dial-In User Service (RADIUS) attribute.

Configure IEEE 802.3X Pause Frame Transmit


Configure IEEE 802.3X Pause frame transmit to eliminate or minimize packet loss.

About This Task

By default, flow control mode is disabled. When disabled, the system neither generates nor configures
the transmission of flow control messages. The system always honors received flow control messages
regardless of the flow control mode status. You must enable this mode before you configure an
interface to send pause frames.

By default, an interface does not send pause frames.

Procedure

1. In the navigation pane, expand Configuration > Edit.
2. Select Chassis.
3. Select the Boot Config tab.
4. For EnableFlowControlMode, select enable.
5. Select Apply.
6. Save the switch configuration.
7. Reboot the chassis, and log in again.
8. In the Device Physical View, select a port or ports.
9. In the navigation pane, expand Configuration > Edit > Port.
10. Select General.
11. Select the Interface tab.
12. For TxFlowControl, select enable to enable the interface to generate pause frames.
13. Select Apply.

View the Boot Configuration


About This Task

View the boot configuration to determine the software version, as well as view the source from which
the switch last started.

Procedure

1. In the navigation pane, expand Configuration > Edit.
2. Select Chassis.
3. Select the Boot Config tab.

Boot Config Field Descriptions


Use the data in the following table to use the Boot Config tab.

Name Description
SwVersion Specifies the software version that currently runs
on the chassis.
LastRuntimeConfigSource Specifies the last source for the run-time image.
PrimaryConfigSource Specifies the primary configuration source.

PrimaryBackupConfigSource Specifies the backup configuration source to use if
the primary does not exist.
EnableFactoryDefaultsMode Specifies whether the switch uses the factory
default settings at startup.
• false: The node does not use factory default
settings at startup.
• fabric: This mode is not supported.
• noFabric: The node uses the factory default
mode settings at startup.
The default value is false. This flag is automatically
reset to the default setting after the switch
restarts. If you change this parameter, you must
restart the switch for the change to take effect.

Note:
The factorydefaults flag deletes the runtime,
primary and backup configuration files, local
password files, authentication keys, and
certificates. After a factory default, you must
change the password on first login.

EnableDebugMode Enabling the debugmode allows a user to enable
TRACE on any port by prompting the selection on
the console during boot up. This allows the user
to start trace for debugging earlier on the specified
port. It works only on a console connection. The
default value is disabled.
Important: Do not change this parameter.
EnableRebootOnError Activates or disables automatic reboot on a fatal
error. The default value is activated.
Important: Do not change this parameter.
EnableTelnetServer Activates or disables the Telnet server service. The
default value is disabled.
EnableRloginServer Activates or disables the rlogin and rsh server. The
default value is disabled.
Note: Exception: only supported on VSP 8600 Series.
EnableFtpServer Activates or disables the FTP server on the switch.
The default value is disabled. To enable FTP,
ensure that the TFTPD flag is disabled.
EnableTftpServer Activates or disables Trivial File Transfer Protocol
server service. The default value is disabled.

EnableSshServer Activates or disables the SSH server service. The
default value is disabled.
EnableSpbmConfigMode Enables you to configure SPB and IS-IS, but you
cannot configure PIM and IGMP either globally or
on an interface.
The boot flag is enabled by default.
EnableIpv6Mode Enable this flag to support IPv6 routes with prefix-
lengths greater than 64 bits. This flag is disabled
by default.
Note: Exception: not supported on VSP 4450 Series or
XA1400 Series.
EnableEnhancedsecureMode Enables or disables the enhanced secure mode.
Select either jitc or non-jitc to enable the
enhanced secure mode in one of these sub-
modes. The default is disabled.
Note: As a best practice, enable the enhanced secure
mode in the non-JITC sub-mode because the JITC
sub-mode is more restrictive and prevents the use
of some troubleshooting utilities.
EnableUrpfMode Enables Unicast Reverse Path Forwarding (uRPF)
globally. You must enable uRPF globally before
you configure it on a port or VLAN. The default is
disabled.
EnableVxlanGwFullInterworkingMode Enables VXLAN Gateway in Full Interworking
Mode, which supports SPB, SMLT, and vIST.
By default, the Base Interworking Mode is enabled
and Full Interworking Mode is disabled. You
change modes by enabling this boot configuration
flag.
In Base Interworking Mode, VXLAN Gateway
supports Layer 2 gateway communication
between VXLAN and traditional VLAN
environments.
Note: Exception: only supported on VSP 7200 Series,
VSP 7400 Series, VSP 8200 Series, and VSP 8400
Series.
EnableFlowControlMode Enables or disables flow control globally. When
disabled, the system neither generates nor
configures the transmission of flow control
messages. The system always honors received
flow control messages regardless of the flow
control mode status. You must enable this mode
before you configure an interface to send pause
frames.
The default is disabled.
Note: Exception: not supported on VSP 8600 Series.

AdvancedFeatureBwReservation Enables the switch to support advanced features
by reserving ports as loopback ports. When
disabled, you can use all ports on the switch, but
advanced features do not work.
• The high level means that the switch reserves
the maximum bandwidth for the advanced
features.
• The low level means that the switch
reserves less bandwidth to support minimum
functionality for advanced features.
The default is enabled with low level.
If you change this parameter, you must restart the
switch.
Note: Exception: only supported on VSP 7400 Series
and XA1480.
EnableDvrLeafMode Enables the switch to be configured as a DvR Leaf.
When enabled, you cannot configure the switch to
operate as a DvR Controller.
EnablevrfScaling Changes the maximum number of VRFs and Layer
3 VSNs that the switch supports. If you select this
check box, the maximum number increases. The
default is disabled.

Important:
If you select both this check box and the
EnableSpbmConfigMode check box, the switch
reduces the number of configurable VLANs.
For more information about maximum scaling
numbers, see VOSS Release Notes.

EnableSyslogRfc5424Format Enables or disables the RFC 5424 syslog format.
The default is enabled. If the pre-existing
configuration file is for a release prior to
this enhancement, then the flag is disabled
automatically.
NniMstp Enables MSTP, and allows non SPBM B-VLAN
configuration on SPBM network-to-network
interface (NNI) ports. The default is disabled.
Note: Spanning Tree is disabled on all SPBM NNIs.
You cannot add an SPBM NNI port or MLT port to
any non SPBM B-VLAN.
EnableIpv6EgressFilterMode Enables IPv6 egress filters. The default is disabled.
If you change this parameter, you must restart the
switch.
MasterCPUSlot Specifies the slot number, either 1 or 2, for the
master CPU. The default value is 1.
Note:
Exception: only supported on VSP 8600 Series.

EnableHaCpu Enables or disables the CPU High Availability
feature.
If you enable or disable HA mode, the secondary
CPU automatically resets to load settings from the
previously-saved configuration file. The default is
enabled.
Note: Exception: only supported on VSP 8600 Series.
EnableSavetoStandby Enables or disables automatic save of the
configuration file to the standby CPU. The default
value is enabled.
Note: Exception: only supported on VSP 8600 Series.
Slot Specifies the slot number.
TftpHash Enables TFTP hashing.
TftpRetransmit Set TFTP retransmit timeout counter.
TftpTimeout Set TFTP timeout counter.
User Configure host user.
Password Configure host password.

Configure Boot Flags


About This Task

Change the boot configuration to determine the services available after the system starts.

Procedure

1. In the navigation pane, expand Configuration > Edit > Chassis.
2. Select the Boot Config tab.
3. Select the services you want to enable.
4. Select Apply.

Boot Config Field Descriptions


Use the data in the following table to use the Boot Config tab.

Name Description
SwVersion Specifies the software version that currently runs
on the chassis.
LastRuntimeConfigSource Specifies the last source for the run-time image.
PrimaryConfigSource Specifies the primary configuration source.
PrimaryBackupConfigSource Specifies the backup configuration source to use if
the primary does not exist.

EnableFactoryDefaultsMode Specifies whether the switch uses the factory
default settings at startup.
• false: The node does not use factory default
settings at startup.
• fabric: This mode is not supported.
• noFabric: The node uses the factory default
mode settings at startup.
The default value is false. This flag is automatically
reset to the default setting after the switch
restarts. If you change this parameter, you must
restart the switch for the change to take effect.

Note:
The factorydefaults flag deletes the runtime,
primary and backup configuration files, local
password files, authentication keys, and
certificates. After a factory default, you must
change the password on first login.

EnableDebugMode Enabling the debugmode allows a user to enable
TRACE on any port by prompting the selection on
the console during boot up. This allows the user
to start trace for debugging earlier on the specified
port. It works only on a console connection. The
default value is disabled.
Important: Do not change this parameter.
EnableRebootOnError Activates or disables automatic reboot on a fatal
error. The default value is activated.
Important: Do not change this parameter.
EnableTelnetServer Activates or disables the Telnet server service. The
default value is disabled.
EnableRloginServer Activates or disables the rlogin and rsh server. The
default value is disabled.
Note: Exception: only supported on VSP 8600 Series.
EnableFtpServer Activates or disables the FTP server on the switch.
The default value is disabled. To enable FTP,
ensure that the TFTPD flag is disabled.
EnableTftpServer Activates or disables Trivial File Transfer Protocol
server service. The default value is disabled.
EnableSshServer Activates or disables the SSH server service. The
default value is disabled.

EnableSpbmConfigMode Enables you to configure SPB and IS-IS, but you
cannot configure PIM and IGMP either globally or
on an interface.
The boot flag is enabled by default.
EnableIpv6Mode Enable this flag to support IPv6 routes with prefix-
lengths greater than 64 bits. This flag is disabled
by default.
Note: Exception: not supported on VSP 4450 Series or
XA1400 Series.
EnableEnhancedsecureMode Enables or disables the enhanced secure mode.
Select either jitc or non-jitc to enable the
enhanced secure mode in one of these sub-
modes. The default is disabled.
Note: As a best practice, enable the enhanced secure
mode in the non-JITC sub-mode because the JITC
sub-mode is more restrictive and prevents the use
of some troubleshooting utilities.
EnableUrpfMode Enables Unicast Reverse Path Forwarding (uRPF)
globally. You must enable uRPF globally before
you configure it on a port or VLAN. The default is
disabled.
EnableVxlanGwFullInterworkingMode Enables VXLAN Gateway in Full Interworking
Mode, which supports SPB, SMLT, and vIST.
By default, the Base Interworking Mode is enabled
and Full Interworking Mode is disabled. You
change modes by enabling this boot configuration
flag.
In Base Interworking Mode, VXLAN Gateway
supports Layer 2 gateway communication
between VXLAN and traditional VLAN
environments.
Note: Exception: only supported on VSP 7200 Series,
VSP 7400 Series, VSP 8200 Series, and VSP 8400
Series.
EnableFlowControlMode Enables or disables flow control globally. When
disabled, the system neither generates nor
configures the transmission of flow control
messages. The system always honors received
flow control messages regardless of the flow
control mode status. You must enable this mode
before you configure an interface to send pause
frames.
The default is disabled.
Note: Exception: not supported on VSP 8600 Series.

AdvancedFeatureBwReservation Enables the switch to support advanced features
by reserving ports as loopback ports. When
disabled, you can use all ports on the switch, but
advanced features do not work.
• The high level means that the switch reserves
the maximum bandwidth for the advanced
features.
• The low level means that the switch
reserves less bandwidth to support minimum
functionality for advanced features.
The default is enabled with low level.
If you change this parameter, you must restart the
switch.
Note: Exception: only supported on VSP 7400 Series
and XA1480.
EnableDvrLeafMode Enables the switch to be configured as a DvR Leaf.
When enabled, you cannot configure the switch to
operate as a DvR Controller.
EnablevrfScaling Changes the maximum number of VRFs and Layer
3 VSNs that the switch supports. If you select this
check box, the maximum number increases. The
default is disabled.

Important:
If you select both this check box and the
EnableSpbmConfigMode check box, the switch
reduces the number of configurable VLANs.
For more information about maximum scaling
numbers, see VOSS Release Notes.

EnableSyslogRfc5424Format Enables or disables the RFC 5424 syslog format.
The default is enabled. If the pre-existing
configuration file is for a release prior to
this enhancement, then the flag is disabled
automatically.
NniMstp Enables MSTP, and allows non SPBM B-VLAN
configuration on SPBM network-to-network
interface (NNI) ports. The default is disabled.
Note: Spanning Tree is disabled on all SPBM NNIs.
You cannot add an SPBM NNI port or MLT port to
any non SPBM B-VLAN.
EnableIpv6EgressFilterMode Enables IPv6 egress filters. The default is disabled.
If you change this parameter, you must restart the
switch.
MasterCPUSlot Specifies the slot number, either 1 or 2, for the
master CPU. The default value is 1.
Note:
Exception: only supported on VSP 8600 Series.

EnableHaCpu Enables or disables the CPU High Availability
feature.
If you enable or disable HA mode, the secondary
CPU automatically resets to load settings from the
previously-saved configuration file. The default is
enabled.
Note: Exception: only supported on VSP 8600 Series.
EnableSavetoStandby Enables or disables automatic save of the
configuration file to the standby CPU. The default
value is enabled.
Note: Exception: only supported on VSP 8600 Series.
Slot Specifies the slot number.
TftpHash Enables TFTP hashing.
TftpRetransmit Set TFTP retransmit timeout counter.
TftpTimeout Set TFTP timeout counter.
User Configure host user.
Password Configure host password.
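
The following Python check is an added example, not part of the guide or of any Extreme Networks tool. It applies the defaults and dependencies stated in the Boot Config and Interface field descriptions to a set of field values; the input dictionaries keyed by EDM field names, the boolean encoding of enable/disable, and the severity labels are assumptions, and the sample values are constructed.

```python
"""Check EDM Boot Config and port Interface values against the guide's
stated defaults and dependencies.

Added example. The input dictionaries are an assumed format keyed by the EDM
field names; no VOSS tool exports them in this form.
"""
from dataclasses import dataclass

# Management services that send data unencrypted. The field descriptions
# give "disabled" as the default for each of them.
CLEARTEXT_SERVICES = (
    "EnableTelnetServer",
    "EnableRloginServer",
    "EnableFtpServer",
    "EnableTftpServer",
)

# Flags marked "Do not change this parameter", with their documented defaults.
DO_NOT_CHANGE = {"EnableDebugMode": False, "EnableRebootOnError": True}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (labels chosen for this example)
    field: str
    message: str


def audit(boot, ports):
    """Return a list of Finding objects for one switch."""
    findings = []

    for flag in CLEARTEXT_SERVICES:
        if boot.get(flag, False):
            findings.append(Finding("high", flag,
                "cleartext service enabled; documented default is disabled"))

    # "To enable FTP, ensure that the TFTPD flag is disabled."
    if boot.get("EnableFtpServer", False) and boot.get("EnableTftpServer", False):
        findings.append(Finding("medium", "EnableFtpServer",
            "FTP and TFTP are both enabled; FTP requires TFTPD disabled"))

    for flag, default in DO_NOT_CHANGE.items():
        if boot.get(flag, default) != default:
            findings.append(Finding("medium", flag,
                "changed from default although marked 'Do not change'"))

    # Any value other than "false" makes the next restart delete configuration
    # files, local password files, authentication keys, and certificates.
    if boot.get("EnableFactoryDefaultsMode", "false") != "false":
        findings.append(Finding("high", "EnableFactoryDefaultsMode",
            "next restart wipes configuration, passwords, keys, certificates"))

    secure = boot.get("EnableEnhancedsecureMode", "disabled")
    if secure == "disabled":
        findings.append(Finding("info", "EnableEnhancedsecureMode",
            "enhanced secure mode is disabled (the default)"))
    elif secure == "jitc":
        findings.append(Finding("info", "EnableEnhancedsecureMode",
            "JITC sub-mode prevents the use of some troubleshooting utilities"))

    flow_global = boot.get("EnableFlowControlMode", False)
    for port in sorted(ports):
        cfg = ports[port]
        # TxFlowControl has no effect until flow control is enabled globally.
        if cfg.get("TxFlowControl", False) and not flow_global:
            findings.append(Finding("medium", port + ".TxFlowControl",
                "enabled on port but EnableFlowControlMode is disabled"))
        # A BpduGuardTimeout of 0 means the expiry is infinity.
        if cfg.get("BpduGuardAdminEnabled", False) and cfg.get("BpduGuardTimeout", 120) == 0:
            findings.append(Finding("info", port + ".BpduGuardTimeout",
                "port disabled by BPDU Guard will not recover automatically"))
    return findings


# Constructed sample values, not taken from a real switch.
SAMPLE_BOOT = {
    "EnableTelnetServer": True,
    "EnableRloginServer": False,
    "EnableFtpServer": True,
    "EnableTftpServer": True,
    "EnableDebugMode": False,
    "EnableRebootOnError": True,
    "EnableFactoryDefaultsMode": "false",
    "EnableEnhancedsecureMode": "jitc",
    "EnableFlowControlMode": False,
}
SAMPLE_PORTS = {
    "1/1": {"TxFlowControl": True, "BpduGuardAdminEnabled": True, "BpduGuardTimeout": 0},
    "1/2": {"TxFlowControl": False, "BpduGuardAdminEnabled": True, "BpduGuardTimeout": 120},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_BOOT, SAMPLE_PORTS):
        print(f"[{f.severity}] {f.field}: {f.message}")
```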

Reserve Bandwidth for Advanced Features


Use this procedure if you want the switch to support advanced features. When you enable the boot flag,
you need to save and reboot with the new configuration.

Note
This procedure only applies to VSP 7400 Series and XA1480.

Before You Begin

Product Notice: For VSP 7400 Series, you must ensure your configuration does not include reserved
ports before you enable this feature. If the configuration includes reserved ports after you enable this
feature and restart the switch, the switch stops loading the configuration.

Procedure

1. In the navigation pane, expand Configuration > Edit > Chassis.
2. Select the Boot Config tab.
3. In the AdvancedFeatureBWReservation field, select high or low to enable the boot flag.
4. Select Apply.
A message displays to remind you that the configuration cannot include reserved ports, and that
you must save the configuration and reboot the switch for changes to take effect.
5. Select Yes to continue or select No to cancel the change because the configuration includes
reserved ports.
If you selected No, you can modify your switch configuration to remove the reserved ports and then
return to this tab to change the AdvancedFeatureBWReservation configuration.
6. Save the configuration, and then reboot the switch.

Enable Jumbo Frames


About This Task

Enable Jumbo frames to increase the size of Ethernet frames supported on the chassis.

Procedure

1. On the Device Physical View, select the Device.
2. In the navigation pane, expand Configuration > Edit.
3. Click Chassis.
4. Click the Chassis tab.
5. In MTU size, select either 1950, 9600 or 1522.
6. Click Apply.

Configure the Date and Time


Configure the date and time to correctly identify when events occur on the system.

About This Task

Note
According to a bill passed by the government of Russia, from October 2014 Moscow has
moved from UTC+4 into UTC+3 time zone with no daylight savings. The software includes this
change.

Procedure

1. On the Device Physical View, select the Device.
2. In the navigation pane, expand Configuration > Edit.
3. Click Chassis.
4. Click the User Set Time tab.
5. Type and select the correct details.
6. Click Apply.

User Set Time field descriptions


Use the data in the following table to use the User Set Time tab.

Name Description
Year Configures the year (integer 1998–2097). The default is 1998.
Month Configures the month. The default is 1.
Date Configures the day (integer 1–31). The default is 1.
Hour Configures the hour (12am–11pm). The default is 0.
Minute Configures the minute (integer 0–59). The default is 0.
Second Configures the second (integer 0–59). The default is 0.
Time Zone Configures the time zone.

Configure CP Limit
Configure CP Limit functionality to protect the switch from becoming congested by an excess of data
flowing through one or more ports.

Procedure

1. In the Device Physical View tab, select a port.
2. In the navigation pane, expand Configuration > Edit > Port.
3. Click General.
4. Click the CP Limit tab.
5. Select the AutoRecoverPort check box.
6. Click Apply.

CP Limit field descriptions


Use the data in the following table to use the CP Limit tab.

Name Description
AutoRecoverPort Activates or disables auto recovery of the port
from action taken by CP Limit or link flap features.
The default value is disabled.

Configure CP Limit on an Extreme Integrated Application Hosting Port


Note
This procedure only applies to VSP 4900 Series and VSP 7400 Series.

About This Task

Perform this procedure to configure CP Limit functionality to protect the switch from becoming
congested by excess data flow through Extreme Integrated Application Hosting (IAH) ports.

Procedure

1. In the navigation pane, expand Configuration > Edit > Insight Port.
2. Select the IAH port you want to configure.
3. Select the CP Limit tab.
4. Select AutoRecoverPort.
5. Select Apply.


CP Limit Field Descriptions


Use data in the following table to use the CP Limit tab.

Name Description
AutoRecoverPort Enables or disables auto recovery of the Extreme
Integrated Application Hosting port from action
taken by CP Limit or the link flap features. The
default is disabled.

Configure an IP Address for the Management Port


Note
This procedure only applies to VSP 8600 Series. For other products, see Segmented
Management Instance Configuration for VOSS using EDM on page 116.

Configure an IP address for the management port so that you can remotely access the device using the
out-of-band (OOB) management port. The management port runs on a dedicated VRF.

The configured IP subnet must be globally unique because the management protocols can go through
in-band (Global Router) or out-of-band ports (Management VRF).

This procedure only applies to hardware with a dedicated, physical management interface.

Before You Begin


• You must make a direct connection through the console port to configure a new IP address. If you
connect remotely, you can view or delete the existing IP address configuration. If you delete the IP
address remotely, you lose the EDM connection to the device.
• Do not configure a default route in the Management VRF.
• If you want out-of-band management, define a specific static route in the Management Router VRF
to the IP subnet where your management application resides.
• If you initiate an FTP session from a client device behind a firewall, you should set FTP to passive
mode.
• The switch gives priority to out-of-band management when there is reachability from both in-band
and out-of-band. To avoid a potential conflict, do not configure any overlapping between in-band
and out-of-band networks.
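The prerequisites above can be checked against a planned design before anything is typed into EDM. The following Python sketch is an added example, not Extreme Networks code: the `MgmtPlan` structure, the rule names, and all addresses are constructed for illustration, and it assumes the plan is written down as prefixes rather than read from a device.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class MgmtPlan:
    """Planned out-of-band management settings (hypothetical structure)."""
    oob_interface: str              # management port address/mask (Management VRF)
    mgmt_vrf_static_routes: list    # [(destination prefix, next hop), ...]
    inband_subnets: list            # subnets reachable in-band (Global Router)
    mgmt_app_subnet: str            # subnet where the management application resides
    ftp_client_behind_firewall: bool = False
    ftp_passive: bool = False


def _covers(outer, inner):
    """True when inner lies inside outer; mixed IPv4/IPv6 never matches."""
    return outer.version == inner.version and inner.subnet_of(outer)


def audit(plan):
    """Return (rule, detail) findings; an empty list means the plan passes."""
    findings = []
    oob_net = ipaddress.ip_interface(plan.oob_interface).network
    app_net = ipaddress.ip_network(plan.mgmt_app_subnet)
    routes = [ipaddress.ip_network(dest) for dest, _hop in plan.mgmt_vrf_static_routes]

    # Rule: do not configure a default route in the Management VRF.
    for net in routes:
        if net.prefixlen == 0:
            findings.append(("default-route",
                             f"{net} is configured in the Management VRF"))

    # Rule: use a specific static route to the management application's subnet
    # (not needed when that subnet is the directly connected OOB subnet).
    specific = [net for net in routes if net.prefixlen > 0]
    if not _covers(oob_net, app_net) and not any(_covers(r, app_net) for r in specific):
        findings.append(("no-specific-route",
                         f"no specific static route covers {app_net}"))

    # Rule: in-band and out-of-band networks must not overlap.
    for subnet in plan.inband_subnets:
        inband = ipaddress.ip_network(subnet)
        if oob_net.overlaps(inband):
            findings.append(("overlap",
                             f"OOB subnet {oob_net} overlaps in-band {inband}"))

    # Rule: FTP initiated from behind a firewall should use passive mode.
    if plan.ftp_client_behind_firewall and not plan.ftp_passive:
        findings.append(("ftp-not-passive",
                         "FTP client is behind a firewall but passive mode is off"))
    return findings


# Constructed sample plans (documentation address ranges, not real devices).
BAD_PLAN = MgmtPlan(
    oob_interface="192.0.2.10/24",
    mgmt_vrf_static_routes=[("0.0.0.0/0", "192.0.2.1")],
    inband_subnets=["10.10.0.0/16", "192.0.2.128/25"],
    mgmt_app_subnet="198.51.100.0/24",
    ftp_client_behind_firewall=True,
    ftp_passive=False,
)

GOOD_PLAN = MgmtPlan(
    oob_interface="192.0.2.10/24",
    mgmt_vrf_static_routes=[("198.51.100.0/24", "192.0.2.1")],
    inband_subnets=["10.10.0.0/16"],
    mgmt_app_subnet="198.51.100.0/24",
    ftp_client_behind_firewall=True,
    ftp_passive=True,
)

if __name__ == "__main__":
    for name, plan in (("BAD_PLAN", BAD_PLAN), ("GOOD_PLAN", GOOD_PLAN)):
        results = audit(plan)
        print(name, "passes" if not results else "fails")
        for rule, detail in results:
            print(f"  [{rule}] {detail}")
```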

About This Task

Configure an IP address for the management port so that you can remotely access the device using
the out-of-band (OOB) management port. The management port runs on a dedicated VRF. Redirect all
commands that are run on the management port to its VRF.


The configured IP subnet has to be globally unique because the management protocols can go through
in-band or out-of-band ports.

Note
Do not configure a default route in the Management VRF and instead use a static route.
Inbound FTP does not work when a default route is configured at the Management VRF.
When you initiate FTP, you should also set FTP to passive mode.

Procedure

1. In the navigation pane, expand Configuration > VRF Context View.


2. Select Set VRF Context View.
3. Select MgmtRouter, VRF 512.
4. Select Launch VRF Context View.
A new EDM webpage displays for the VRF context. Parameters that you cannot configure for this
context appear dim.
5. In the Device Physical view, select the management port.
6. In the navigation pane, expand Configuration > Edit.
7. Select Mgmt Port.
8. Select the IP Address tab.
9. Select Insert.
10. Configure the IP address and mask.
11. Select Insert.
12. Collapse the VRF context view.

IP Address field descriptions


Use the data in the following table to use the IP Address tab.

Name Description
Interface Specifies the slot and port for the management
port.
Ip Address Specifies the IP address for the management port.
Net Mask Specifies the subnet mask for the IP address.
BcastAddrFormat Specifies the broadcast address format for the
management port.
ReasmMaxSize Specifies the size of the largest IP datagram
that can be reassembled from IP fragmented
datagrams received on the management port.

VlanId Specifies the VLAN ID to which the management
port belongs.
Specifies the VLAN ID in the range of 1 to 4059.
By default, VLAN IDs 1 to 4059 are configurable
and the system reserves VLAN IDs 4060 to 4094
for internal use. On switches that support the
vrf-scaling and spbm-config-mode boot
configuration flags, if you enable these flags, the
system also reserves VLAN IDs 3500 to 3998.
VLAN ID 1 is the default VLAN and you cannot
create or delete VLAN ID 1.
BrouterPort Specifies if the management port is a brouter port
rather than a routeable VLAN. You cannot change
this value after the row is created.
MacOffset Translates the IP address into a MAC address.

Edit the Management Port Parameters


About This Task

Note
This procedure only applies to hardware with a dedicated physical management interface.

The management port on the switch is a 10/100/1000 Mb/s Ethernet port that you can use for an
out-of-band management connection to the switch.

If you use EDM to configure the static routes of the management port, you do not receive a warning if
you configure a non-natural mask. After you save the changes, the system deletes those static routes
after the next restart, possibly causing the loss of IP connectivity to the management port.

If you are uncertain whether the mask you configure is non-natural, use the CLI to configure static
routes.

Procedure

1. In the Device Physical View tab, select the management port.


2. In the navigation pane, expand Configuration > Edit.
3. Select Mgmt Port.
4. Select the General tab.
5. Modify the appropriate settings.
6. Select Apply.


General Field Descriptions


Use the data in the following table to use the General tab.

Name Description
Index Specifies the slot and port number of the management port.
AdminStatus Configures the administrative status of the device as up (ready to
pass packets) or down. The testing state indicates that no operational
packets can be passed.
OperStatus Specifies the operational status of the device.
LicenseControlStatus Shows the license status of the port:
• Locked means the port requires a Port License but one is not
present on the switch.
• Unlocked means the port requires a Port License and one is present
on the switch.
• notApplicable means the port does not require a Port License.

Mtu Shows the configuration for the maximum transmission unit. The size
of the largest packet which can be sent/received on the interface,
specified in octets. For interfaces that are used for transmitting
network datagrams, this is the size of the largest network datagram
that can be sent on the interface.
LinkTrap Enables or disables traps for the link status.
IpsecEnable Enables IPsec on the management port. The default is disabled.
PhysAddress Shows the MAC address.
AutoNegotiate Enables or disables Auto-Negotiation for the management port. The
default varies depending on the platform:
• VSP 4900 Series - enabled
• VSP 7200 Series - disabled
• VSP 7400 Series - enabled
• VSP 8200 Series - enabled
• VSP 8400 Series - enabled
• VSP 8600 Series - enabled

AdminDuplex Specifies the administrative duplex mode for the management port.
The default is full.
OperDuplex Specifies the operational duplex configuration for this port.
AdminSpeed Specifies the administrative speed for this port. The default is 100 Mb/s.
OperSpeed Shows the current operating data rate of the port.

Configure the Management Port IPv6 Interface Parameters


Note
This procedure only applies to VSP 8600 Series. For other products, see Segmented
Management Instance Configuration for VOSS using EDM on page 116.


About This Task

Configure IPv6 management port parameters to use IPv6 routing on the port.

This procedure only applies to hardware with a dedicated, physical management interface.

Procedure

1. In the Device Physical View tab, select the management port.


2. In the navigation pane, expand Configuration > Edit.
3. Select Mgmt Port.
4. Select the IPv6 Interface tab.
5. Select Insert.
6. Edit the fields as required.
7. Select Insert.
8. Select Apply.

IPv6 Interface field descriptions


Use the data in the following table to use the IPv6 Interface tab.

Name Description
Interface Identifies the unique IPv6 interface.
Descr Specifies a textual string containing information about the
interface. The network management system also configures the
Descr string.
Type Specifies the type of interface.
ReasmMaxSize(MTU) Configures the MTU for this IPv6 interface. This value must be
the same for all the IP addresses defined on this interface. The
default value is 1500.
PhysAddress Specifies the physical address for the interface. For example, for
an IPv6 interface attached to an 802.x link, this value is a MAC
address.
AdminStatus Configures the indication of whether IPv6 is activated (up) or
disabled (down) on this interface. This object does not affect
the state of the interface, only the interface connection to an
IPv6 stack. The default is false (cleared).
ReachableTime Configures the time, in milliseconds, that the system considers a
neighbor reachable after it receives a reachability confirmation.
The value is in a range from 0–3600000. The default value is
30000.

RetransmitTimer Configures the time between retransmissions of neighbor
solicitation messages to a neighbor during address resolution
or neighbor reachability discovery. The value is expressed in
milliseconds in a range from 0–3600000. The default value is
1000.
CurHopLimit Specifies the current hop limit field sent in router
advertisements from this interface. The value must be the
current diameter of the Internet. A value of zero indicates that
the advertisement does not specify a value for the current hop
limit. The default is 64.

Configure Management Port IPv6 Addresses


Note
This procedure only applies to VSP 8600 Series. For other products, see Segmented
Management Instance Configuration for VOSS using EDM on page 116.

About This Task

Configure management port IPv6 addresses to add or remove IPv6 addresses from the port.

The switch supports IPv6 addressing with Ping, Telnet, and SNMP.

Procedure

1. In the Device Physical View tab, select the management port.


2. In the navigation pane, expand Configuration > Edit.
3. Select Mgmt Port.
4. Select the IPv6 Addresses tab.
5. Select Insert.
6. In the Addr box, type the required IPv6 address for the management port.
7. In the AddrLen box, type the number of bits from the IPv6 address you want to advertise.
8. Select Insert.
9. Select Apply.

IPv6 Addresses field descriptions


Use the data in the following table to use the IPv6 Addresses tab.

Name Description
Interface Specifies an index value that uniquely identifies the interface.
Addr Specifies the IPv6 address to which this entry addressing information
pertains.
If the IPv6 address exceeds 116 octets, the object identifiers (OIDs) of
instances of columns in this row have more than 128 subidentifiers and you
cannot use SNMPv1, SNMPv2c, or SNMPv3 to access them.

AddrLen Specifies the prefix length value for this address. You cannot change
the address length after creation. You must provide this field to create
an entry in this table.
Type Specifies unicast, the only supported type.
Origin Specifies the origin of the address. The origin of the address can be one
of the following: other, manual, dhcp, linklayer, or random.
Status Specifies the status of the address, describing if the address can be
used for communication. The status can be one of the following:
preferred, deprecated, invalid, inaccessible, unknown, tentative, or
duplicate.
Created Specifies the time this entry was created. If this entry was created prior
to the last initialization of the local network management subsystem,
then this option contains a zero value.
LastChanged Specifies the time this entry was last updated. If this entry was
updated prior to the last initialization of the local network management
subsystem, then this option contains a zero value.

Automatically Reactivating the Port of the SLPP Shutdown


About This Task

Use the following procedure to automatically reactivate the port that is shut down by the SLPP.

Procedure

1. In the Device Physical View tab, select a port.


2. In the navigation pane, expand Configuration > Edit > Port.
3. Click General.
4. Click the CP Limit tab.
5. Select AutoRecoverPort to activate auto recovery of the port from the action taken by SLPP
shutdown features. The default value is disabled.
6. Click Apply.

Edit Serial Port Parameters


About This Task

Perform this procedure to specify serial port communication settings. The serial port on the device is
the console port. Depending on the hardware platform, the console port displays as console or 10101.

Procedure

1. In the Device Physical View tab, select the console port on the device.
2. In the navigation pane, expand Configuration > Edit.
3. Click Serial Port.
4. Edit the port parameters as required.
5. Click Apply.


Serial Port Field Descriptions


Use the data in the following table to use the Serial Port tab.

Name Description
IfIndex Identifies the port as a serial port.
BaudRate Specifies the baud rate of this port.
Different hardware platforms support different baud rates, which also
impacts the default value for each hardware platform:
• VSP 4450 Series — 9600
• VSP 4900 Series — 115200
• VSP 7200 Series — 9600
• VSP 7400 Series — 115200
• VSP 8200 Series — 9600
• VSP 8400 Series — 9600
• VSP 8600 Series — 115200
• XA1400 Series — 115200

DataBits Specifies the number of data bits, for each byte of data, this port sends
and receives. The default is eight.

Enable Port Lock


About This Task

Use the port lock feature to administratively lock a port or ports to prevent other users from changing
port parameters or modifying port action. You cannot modify locked ports until you first unlock the
port.

Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Click General.
3. Click the Port Lock tab.
4. To enable port lock, select the Enable check box.
5. Click Apply.

Port Lock field descriptions


Use the data in the following table to use the Port Lock tab.

Name Description
Enable Activates the port lock feature. Clear this check box to
unlock ports. The default is disabled.
LockedPorts Lists the locked ports. Click the ellipsis (...) button to select
the ports you want to lock or unlock.


Lock a Port
Before You Begin
• You must enable port lock before you lock or unlock a port.

About This Task

Use the port lock feature to administratively lock a port or ports to prevent other users from changing
port parameters or modifying port action. You cannot modify locked ports until you first unlock the
port.

Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Click General.
3. Click the Port Lock tab.
4. In the LockedPorts box, click the ellipsis (...) button.
5. Click the desired port or ports.
6. Click Ok.
7. In the Port Lock tab, click Apply.

Port Lock field descriptions


Use the data in the following table to use the Port Lock tab.

Name Description
Enable Activates the port lock feature. Clear this check box to
unlock ports. The default is disabled.
LockedPorts Lists the locked ports. Click the ellipsis (...) button to select
the ports you want to lock or unlock.

Configure Power on Module Slots


Note
This procedure only applies to VSP 8600 Series.

About This Task

Use this procedure to control whether or not to supply power to specific slots that contain either switch
fabric modules or input/output modules. By default, power is available to all slots.

After enabling power to specific input/output module slots, you can also configure the priority in which
they are powered on. For more information, see Configure Slot Priority on page 614.

Note
This feature is not available for hardware platforms with fixed configurations. It is only
available for platforms where the user can install modules in slots.


Procedure

1. In the Device Physical View tab, select a module.


2. In the navigation pane, expand Configuration > Edit.
3. Click Card.
4. Click the Card tab.
5. In the SlotPower field, select the priority level: on or off.
6. Click Apply.

Configure Slot Priority


Note
This procedure only applies to VSP 8600 Series.

About This Task

Configure slot priority to specify which slots you want to shut down if there is insufficient power
available in the chassis. By default, power is available to all slots, and the slots have the following
priority:
• Slots 1, 2, SF1, SF2, and SF3 must always be Critical so you cannot configure them.
• Slots 3-8 are High by default, but you can configure any of them to Low.

Note
Power is always supplied first to critical slots, which are the CP modules, SF modules, and fan
trays.

The slot with the lowest priority shuts down first. Slots with the same priority shut down in descending
order (highest slot number first) and interface slots shut down before CP, SF modules, and fan tray
slots.

For example, if slot 3 has a low priority and slots 4 and 5 have a high priority, the slot shutdown
priority is as follows: 4, 5, 3. Slot 3 has the lowest priority because it was configured as low so it would
be shut down first. Slots 4 and 5 have the same priority, but slot 5 shuts down before slot 4 because slot
4 has a higher slot number.
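The ordering rule above can be modelled in a few lines to preview which interface slot loses power first for a given priority assignment. This Python sketch is an added example, not Extreme Networks code: the function names are hypothetical, it covers only the configurable interface slots 3-8, and it treats the "4, 5, 3" list in the text as a ranking from highest to lowest priority, that is, the reverse of the shutdown order.

```python
# Slots the text says are always Critical and cannot be configured.
CRITICAL_SLOTS = ("1", "2", "SF1", "SF2", "SF3")
# Interface slots 3-8 are High by default and may be set to Low.
INTERFACE_SLOTS = range(3, 9)
# Lower rank shuts down earlier.
RANK = {"low": 0, "high": 1}


def build_priorities(overrides):
    """Apply operator overrides to the defaults, rejecting invalid requests."""
    priorities = {slot: "high" for slot in INTERFACE_SLOTS}
    for slot, level in overrides.items():
        if str(slot) in CRITICAL_SLOTS:
            raise ValueError(f"slot {slot} is always Critical and cannot be configured")
        if slot not in priorities:
            raise ValueError(f"slot {slot} is not a configurable interface slot")
        if level not in RANK:
            raise ValueError(f"priority must be 'high' or 'low', got {level!r}")
        priorities[slot] = level
    return priorities


def shutdown_order(priorities, installed):
    """Order in which installed interface slots shut down when power is short.

    Lowest priority first; within the same priority, highest slot number first.
    Critical slots are left out because interface slots shut down before them.
    """
    slots = [slot for slot in installed if slot in priorities]
    return sorted(slots, key=lambda slot: (RANK[priorities[slot]], -slot))


def priority_ranking(priorities, installed):
    """Same slots listed from highest to lowest priority (last to lose power first)."""
    return list(reversed(shutdown_order(priorities, installed)))


if __name__ == "__main__":
    # The scenario from the text: slot 3 low, slots 4 and 5 high.
    prios = build_priorities({3: "low"})
    print("shutdown order:  ", shutdown_order(prios, [3, 4, 5]))
    print("priority ranking:", priority_ranking(prios, [3, 4, 5]))
```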

Procedure

1. In the Device Physical View tab, select a module.


2. In the navigation pane, expand Configuration > Edit.
3. Click Card.
4. Click the Card tab.
5. In the PowerManagementPriority field, select the priority level: high or low.
6. Click Apply.


View Power Information


About This Task

View power information to see the amount of power available and used by the chassis and all
components.

Procedure

1. On the Device Physical View, select the Device.


2. In the navigation pane, expand Configuration > Edit.
3. Select Chassis.
4. Select the Power Info tab.

Power Info field descriptions


Use the data in the following table to use the Power Info tab.

Name Description
TotalPower Shows the total power for the chassis.
RedundantPower Shows the redundant power for the chassis.
PowerUsage Shows the power currently used by the complete
chassis.
PowerAvailable Shows the unused power.

View Power Status


About This Task

Perform the following procedure to view the power consumption of the modules in the chassis.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Click Chassis.
3. Click the Power Consumption tab.

Power consumption field descriptions


Use the data in the following table to use the Power Consumption tab.

Name Description
Index Displays an index value that identifies the component.
PowerStatus Displays the power status: on or off.
BasePower Displays the base power required for the slot.
ConsumedPower Displays the actual consumed power for the slot. This value is 0 if the
power status is off.
PowerPriority Displays the priority of the slot for power management.

SlotDescription Displays the slot number.
CardDescription Identifies the type of module in the slot.

View Fan Tray Information


View fan tray information to see manufacturing information about the fans.

Note
This procedure does not apply to XA1400 Series.

Procedure

1. On the Device Physical View, select the Device.


2. In the navigation pane, expand Configuration > Edit.
3. Select Chassis.
4. Select the Fan Tray Info tab.

Fan Tray Info field descriptions


Use the data in the following table to use the Fan Tray Info tab.

Name Description
TrayId Specifies the fan tray ID.
Note: Exception: Only supported on VSP 8600 Series.
Description Shows a description of the fan tray.
SerialNumber Shows the serial number for the fan tray.
Note: Exception: Only supported on VSP 8600 Series.
PartNumber Shows the part number for the fan tray.
Note: Exception: Only supported on VSP 8600 Series.
FlowType Specifies whether the air flow is front-to-back or back-to-front.


View USB Port Information


About This Task

Perform this procedure to view information about the USB port on the switch.

Note
This procedure does not apply to VSP 8600 Series and XA1400 Series. For more information
about your model features, see your hardware documentation.

Procedure

1. In the Device Physical View, select the USB port.

Note
On VSP 4450 Series, you cannot select the USB port in the Device Physical View. You must
double-click the port to display the General tab.

2. In the navigation pane, expand Configuration > Edit.


3. Click USB Port.
4. Click the General tab.

General field descriptions


Use the data in the following table to use the General tab.

Name Description
UsbStatus Displays the current status of USB storage: either
present or notPresent.
UsbDescription Displays a description of the USB storage.

View Topology Status Information


About This Task

View topology status information (which includes MIB status information) to view the configuration
status of the SynOptics Network Management Protocol (SONMP) on the system.

Procedure

1. In the navigation pane, expand Configuration > Serviceability > Diagnostics.


2. Click Topology.
3. Click the Topology tab.


Topology field descriptions


Use the data in the following table to use the Topology tab.

Name Description
IpAddr Specifies the IP address of the device.
Status Indicates whether topology (SONMP) is on or off for the device.
NmmLstChg Specifies the value of sysUpTime, the last time an entry in the
network management MIB (NMM) topology table was added, deleted,
or modified, if the table did not change since the last cold or warm
start of the agent.
NmmMaxNum Specifies the maximum number of entries in the NMM topology table.
NmmCurNum Specifies the current number of entries in the NMM topology table.

View the Topology Message Status


About This Task

View topology message status to view the interconnections between Layer 2 devices in a network.

Procedure

1. In the navigation pane, expand Configuration > Serviceability > Diagnostics.


2. Click Topology.
3. Click the Topology Table tab.

Topology Table Field Descriptions


Use the data in the following table to use the Topology Table tab.

Name Description
Slot Specifies the slot number in the chassis that received the topology
message.
Port Specifies the port that received the topology message.
SubPort Specifies the channel of a channelized 40 Gbps port that received the
topology message.
IpAddr Specifies the IP address of the sender of the topology message.
SegId (RemPort) Specifies the segment identifier of the segment from which the remote
agent sent the topology message. This value is extracted from the
message.
MacAddr Specifies the MAC address of the sender of the topology message.
ChassisType Specifies the chassis type of the device that sent the topology
message.
BkplType Specifies the backplane type of the device that sent the topology
message.

LocalSeg Indicates if the sender of the topology message is on the same
Ethernet segment as the reporting agent.
CurState Specifies the current state of the sender of the topology message. The
choices are
• topChanged—Topology information recently changed.
• heartbeat—Topology information is unchanged.
• new—The sending agent is in a new state.

Configure a Forced Message Control Pattern


About This Task

Configure a forced message control pattern to enforce configured message control actions.

Procedure

1. In the navigation pane, expand Configuration > Edit > Chassis.


2. Click the Force Msg Patterns tab.
3. Click Insert.
4. In the PatternId field, enter a pattern ID number.
5. In the Pattern field, enter a message control pattern.
6. Click Insert.

Force Msg Patterns Field Descriptions


Use the data in the following table to use the Force Msg Patterns tab.

Name Description
PatternId Specifies a pattern identification number in the
range 1–32.
Pattern Specifies a forced message control pattern of 4
characters. The software and the hardware log
messages that use the first four bytes matching
one of the patterns in the force-msg table
undergo the configured message control action.
You can specify up to 32 different patterns in
the force-msg table, including a wildcard pattern
(****). If you specify the wildcard pattern, all
messages undergo message control.

View Fan Information


View fan information to monitor the alarm status of the cooling ports in the chassis.

Note
This tab does not apply on the VSP 8600 Series switch.


About This Task

For platforms that support both back-to-front and front-to-back airflow, the airflow direction must be
the same for both the power supply fans and the chassis fan.

Procedure

1. On the Device Physical View, select the Device.


2. In the navigation pane, expand Configuration > Edit.
3. Select Chassis.
4. Select the Fan Info tab.

Fan Info field descriptions


Use the data in the following tables to use the Fan Info tab.

Name Description
Description Specifies a description of the fan location.
OperStatus Specifies the operation status of the fan.
OperSpeed Specifies the actual fan speed.
OperSpeedRPM Specifies the current operational speed of the fan in RPM.
Note: Exception: only supported on VSP 4900 Series and VSP 7400 Series.

Configure Ports Speeds for All VIM Ports


Note
This procedure only applies to VSP 4900 Series.

Configure all of the ports on an installed Versatile Interface Module (VIM) to operate at the same speed.

Note
Some VIMs must operate with all ports at the same speed, or a group of ports at the same
speed, while others can operate with ports at different speeds. For more information, see
VOSS Release Notes. You can configure VIM ports speed only on VIMs that must operate with
all ports at the same speed.

Before You Begin

Install the VIM before performing this procedure.

About This Task

Use this procedure to configure the speed of all ports in a multi-port VIM to operate at either 10 Gbps or
25 Gbps.


Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Chassis.
3. Select the VIM tab.
4. Select mbps10000 or mbps25000.
5. Select Apply.

VIM Field Descriptions


Use the data in the following table to use the VIM tab.

Name Description
AdminSpeed • mbps10000: Configures all ports in a multi-port VIM to operate at 10 Gbps.
• mbps25000: Configures all ports in a multi-port VIM to operate at 25 Gbps.
The default is 25 Gbps.

View Modular SSD Information


Note
This procedure only applies to VSP 4900 Series.

About This Task

Perform this procedure to display information about an installed Solid State Drive (SSD) on a switch.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Chassis.
3. Select the SSD tab.

SSD Field Descriptions


Use the data in the following table to use the SSD tab.

Name Description
ProductName Specifies Solid State Drive (SSD) product name.
VendorName Specifies the SSD vendor.
ManufactureDate Specifies the date on which the SSD was manufactured.
SerialNum Specifies the SSD serial number.
PartNum Specifies the SSD part number.
DeviceVersion Specifies the version of the SSD.
TotalSize Specifies the total memory size of the SSD.


Prepare a slot for IOC Module Preconfiguration using EDM


Note
This procedure only applies to VSP 8600 Series.

About This Task

Use this procedure to designate a slot in the switch for IOC Module Preconfiguration. A slot can be
designated for only one module type at a time.

Procedure

1. In the navigation pane, expand Configuration > Edit > Card Preconfig.
2. Click Insert.
3. Enter the slot number in the Slot field.
4. Select the IOC Module type in the CardType field.
5. Select the Lock field to lock the slot to the specified IOC Module type.
6. Click Insert.

Card Preconfig Field Descriptions


Use the data in the following table to use the Card Preconfig tab.

Field Description
Slot Specifies the slot number designated for pre-
configuration.
CardType Specifies the type of the IOC Module designated
for the slot.
Lock If selected, the slot is locked to only accept the
type of IOC Module designated.

Graphing Chassis Statistics


Create graphs of chassis statistics to generate a visual representation of your data.

Procedure

1. In the Device Physical View, select the chassis.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Chassis.
4. On the Graph Chassis tab, select the tab with the data you want to graph:
• System
• SNMP
• IP
• ICMP In
• ICMP Out


• TCP
• UDP
5. Select the statistic you want to graph.
6. Select the graph type:
• line chart
• area chart
• bar chart
• pie chart

Graphing Port Statistics


You can create a graph of the port statistics to generate a visual representation of your data.

Procedure

1. In the Device Physical View, select the port or ports for which you want to create a graph.
2. In the navigation pane, expand the Configuration > Graph folders, and then click Port.
OR, use the following shortcut:

Right-click the selected port or ports from Step 1, and choose Graph.
3. On the Graph Port tab for the selected port or ports, select the item you want to graph.
4. Click an icon to select the type of graph you require. The following list provides the graph types
available:
• Line Chart
• Area Chart
• Bar Chart
• Pie Chart

Viewing Chassis System Statistics


Use the following procedure to create graphs for chassis statistics.

Procedure

1. In the Device Physical View, select the chassis.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Chassis.
4. Click the System tab.


System Field Descriptions


The following table describes the fields on the System tab.

Name Description
MemUsed The percentage of memory space used.
Only the AbsoluteValue column is valid in the System tab. All
other columns display as N/A because they are percentages and
not actual memory counters.
MemFree The amount in kilobytes of free memory.
CpuUtil Percentage of CPU utilization.

Viewing Chassis SNMP Statistics


View chassis SNMP statistics to monitor network performance.

Procedure

1. In the Device Physical View, select the chassis.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Chassis.
4. Click the SNMP tab.

SNMP Field Descriptions


The following table describes parameters on the SNMP tab.

Name Description
InPkts The number of messages delivered to the SNMP entity from the
transport service.
OutPkts The number of SNMP messages passed from the SNMP protocol
entity to the transport service.
InTotalReqVars The number of MIB objects retrieved successfully by the SNMP
protocol entity as the result of receiving valid SNMP Get-Request and
Get-Next PDUs.
InTotalSetVars The number of MIB objects altered successfully by the SNMP protocol
entity as the result of receiving valid SNMP Set-Request PDUs.
InGetRequests The number of SNMP Get-Request PDUs the SNMP protocol accepts
and processes.
OutGetRequests The number of SNMP Get-Request PDUs that are generated by the
SNMP protocol entity.
InGetNexts The number of SNMP Get-Next PDUs the SNMP protocol accepts and
processes.
OutGetNexts The number of SNMP Get-Next PDUs that are generated by the SNMP
protocol entity.
InSetRequests The number of SNMP Set-Request PDUs the SNMP protocol accepts
and processes.

OutSetRequests The number of SNMP Set-Request PDUs that are generated by the
SNMP protocol entity.
InGetResponses The number of SNMP Get-Response PDUs the SNMP protocol accepts
and processes.
OutGetResponses The number of SNMP Get-Response PDUs that are generated by the
SNMP protocol entity.
InTraps The number of SNMP Trap PDUs the SNMP protocol accepts.
OutTraps The number of SNMP Trap PDUs the SNMP protocol generates.
OutTooBigs The number of SNMP PDUs the SNMP protocol generates for which
the value of the error-status field is tooBig.
OutNoSuchNames The number of SNMP PDUs the SNMP protocol generates for which
the value of the error-status field is noSuchName.
OutBadValues The number of SNMP PDUs the SNMP protocol generates for which
the value of the error-status field is badValue.
OutGenErrs The number of SNMP PDUs the SNMP protocol generates for which
the value of the error-status field is genErr.
InBadVersions The number of SNMP messages delivered to the SNMP protocol
entity for an unsupported SNMP version.
InBadCommunityNames The number of SNMP messages delivered to the SNMP protocol
entity that used an SNMP community name not known to said entity.
InBadCommunityUses The number of SNMP messages delivered to the SNMP protocol
entity that represented an SNMP operation not allowed by the SNMP
community named in the message.
InASNParseErrs The number of ASN.1 or BER errors the SNMP protocol encountered
when decoding received SNMP messages.
InTooBigs The number of SNMP PDUs delivered to the SNMP protocol entity for
which the value of the error-status field is tooBig.
InNoSuchNames The number of SNMP PDUs delivered to the SNMP protocol entity for
which the value of the error-status field is noSuchName.
InBadValues The number of SNMP PDUs delivered to the SNMP protocol entity for
which the value of the error-status field is badValue.
InReadOnlys The number of SNMP PDUs delivered to the SNMP protocol entity for
which the value of the error-status field is readOnly. It is a protocol
error to generate an SNMP PDU containing the value "readOnly"
in the error-status field. This object is provided to detect incorrect
implementations of the SNMP.
InGenErrs The number of SNMP PDUs delivered to the SNMP protocol entity for
which the value of the error-status field is genErr.

Viewing Chassis IP Statistics


View chassis IP statistics to monitor network performance.

Procedure

1. In the Device Physical View, select the chassis.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Chassis.
4. Click the IP tab.

IP Field Descriptions
The following table describes parameters on the IP tab.

Name Description
InReceives The number of input datagrams received from interfaces, including
those received in error.
InHdrErrors The number of input datagrams discarded due to errors in the IP
headers, including bad checksums, version number mismatch, other
format errors, time-to-live exceeded, and errors discovered in processing
their IP options.
InAddrErrors The number of input datagrams discarded because the IP address in
the IP header destination field was not a valid address to be received
at this entity. This count includes invalid addresses (for example,
0.0.0.0) and addresses of unsupported Classes (for example, Class E).
For entities that are not IP Gateways and therefore do not forward
datagrams, this counter includes datagrams discarded because the
destination address was not a local address.
ForwDatagrams The number of input datagrams for which this entity was not their final
IP destination, as a result of which an attempt was made to find a
route to forward them to that final destination. In entities that do not
act as IP Gateways, this counter includes only those packets that were
Source-Routed by way of this entity and had successful Source-Route
option processing.
InUnknownProtos The number of locally addressed datagrams received successfully but
discarded because of an unknown or unsupported protocol.
InDiscards The number of input IP datagrams for which no problems were
encountered to prevent their continued processing but that were
discarded (for example, for lack of buffer space). This counter does
not include any datagrams discarded while awaiting reassembly.
InDelivers The number of input datagrams successfully delivered to IP user-
protocols (including ICMP).
OutRequests The number of IP datagrams that local IP user-protocols (including
ICMP) supplied to IP in requests for transmission. This counter does not
include any datagrams counted in ipForwDatagrams.
OutDiscards The number of output IP datagrams for which no problem was
encountered to prevent their transmission to their destination, but that
were discarded (for example, for lack of buffer space). This counter
includes datagrams counted in ipForwDatagrams if any such packets
met this (discretionary) discard criterion.

OutNoRoutes The number of IP datagrams discarded because no route was found to
transmit them to their destination. This counter includes any packets
counted in ipForwDatagrams that meet this no-route criterion. This
counter includes any datagrams a host cannot route because all default
gateways are down.
FragOKs The number of IP datagrams that were successfully fragmented at this
entity.
FragFails The number of IP datagrams that were discarded because they needed
to be fragmented at this entity but could not be, for example, because
the Don't Fragment flags were set.
FragCreates The number of IP datagram fragments that were generated as a result
of fragmentation at this entity.
ReasmReqds The number of IP fragments received that needed to be reassembled at
this entity.
ReasmOKs The number of IP datagrams successfully reassembled.
ReasmFails The number of failures detected by the IP reassembly algorithm
(for whatever reason: timed out, errors, and so on). This number
is not necessarily a count of discarded IP fragments because some
algorithms (notably the algorithm in RFC 815) can lose track of the
number of fragments by combining them as they are received.

Viewing Chassis ICMP In Statistics


View chassis ICMP In statistics to monitor network performance.

Procedure

1. In the Device Physical View, select the chassis.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Chassis.
4. Click the ICMP In tab.

ICMP In Field Descriptions


The following table describes parameters on the ICMP In tab.

Name Description
SrcQuenchs The number of ICMP Source Quench messages received.
Redirects The number of ICMP Redirect messages received.
Echos The number of ICMP Echo (request) messages received.
EchoReps The number of ICMP Echo Reply messages received.
Timestamps The number of ICMP Timestamp (request) messages received.
TimestampReps The number of ICMP Timestamp Reply messages received.
AddrMasks The number of ICMP Address Mask Request messages received.
AddrMaskReps The number of ICMP Address Mask Reply messages received.

ParmProbs The number of ICMP Parameter Problem messages received.
DestUnreachs The number of ICMP Destination Unreachable messages received.
TimeExcds The number of ICMP Time Exceeded messages received.

Viewing Chassis ICMP Out Statistics


View chassis ICMP Out statistics to monitor network performance.

Procedure

1. In the Device Physical View, select the chassis.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Chassis.
4. Click the ICMP Out tab.

ICMP Out Field Descriptions


The following table describes parameters on the ICMP Out tab.

Name Description
SrcQuenchs The number of ICMP Source Quench messages sent.
Redirects The number of ICMP Redirect messages received. For a host, this
object is always zero, because hosts do not send redirects.
Echos The number of ICMP Echo (request) messages sent.
EchoReps The number of ICMP Echo Reply messages sent.
Timestamps The number of ICMP Timestamp (request) messages sent.
TimestampReps The number of ICMP Timestamp Reply messages sent.
AddrMasks The number of ICMP Address Mask Request messages sent.
AddrMaskReps The number of ICMP Address Mask Reply messages sent.
ParmProbs The number of ICMP Parameter Problem messages sent.
DestUnreachs The number of ICMP Destination Unreachable messages sent.
TimeExcds The number of ICMP Time Exceeded messages sent.

Viewing Chassis TCP Statistics


View TCP statistics to monitor network performance.

Procedure

1. In the Device Physical View, select the chassis.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Chassis.
4. Click the TCP tab.

TCP Field Descriptions


The following table describes parameters on the TCP tab.

Name Description
ActiveOpens The number of times TCP connections made a direct transition to the
SYN-SENT state from the CLOSED state.
PassiveOpens The number of times TCP connections made a direct transition to the
SYN-RCVD state from the LISTEN state.
AttemptFails The number of times TCP connections made a direct transition to the
CLOSED state from either the SYN-SENT state or the SYN-RCVD state,
plus the number of times TCP connections made a direct transition to
the LISTEN state from the SYN-RCVD state.
EstabResets The number of times TCP connections made a direct transition to the
CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT
state.
CurrEstab The number of TCP connections for which the current state is either
ESTABLISHED or CLOSE-WAIT.
InSegs The number of segments received, including those received in error.
This count includes segments received on currently established
connections.
OutSegs The number of segments sent, including those on current connections,
but excluding those containing only retransmitted octets.
RetransSegs The number of segments retransmitted, that is, the number of TCP
segments transmitted containing one or more previously transmitted
octets.
InErrs The number of segments received in error (for example, bad TCP
checksums).
OutRsts The number of TCP segments sent containing the RST flag.
HCInSegs The number of segments received, including those received in error.
This count includes segments received on currently established
connections. This object is the 64-bit equivalent of InSegs.
HCOutSegs The number of segments sent, including those on current connections,
but excluding those containing only retransmitted octets. This object is
the 64-bit equivalent of OutSegs.

Viewing Chassis UDP Statistics


Display User Datagram Protocol (UDP) statistics to see information about the UDP datagrams.

Procedure

1. In the Device Physical View, select the chassis.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Chassis.
4. Click the UDP tab.
5. Select the information you want to graph.

6. Select the type of graph you want:


• line
• area
• bar
• pie
7. To clear counters, click Clear Counters. Discontinuities in the value of these counters can occur when
the management system reinitializes, and at other times as indicated by discontinuities in the value
of sysUpTime.

UDP Field Descriptions


Use the data in the following table to use the UDP tab.

Name Description
NoPorts The number of received UDP datagrams with no application at the
destination port.
Discontinuities in the value of this counter can occur at reinitialization
of the management system, and at other times as indicated by
discontinuities in the value of sysUpTime.
InErrors The number of received UDP datagrams that were not delivered for
reasons other than the lack of an application at the destination port.
Discontinuities in the value of this counter can occur at reinitialization
of the management system and at other times as indicated by
discontinuities in the value of sysUpTime.
InDatagrams The number of UDP datagrams delivered to UDP users, for devices that
can receive more than 1 000 000 UDP datagrams for each second.
Discontinuities in the value of this counter can occur at reinitialization
of the management system, and at other times as indicated by
discontinuities in the value of sysUpTime.
OutDatagrams The number of UDP datagrams sent from this entity.
Discontinuities in the value of this counter can occur at reinitialization
of the management system, and at other times as indicated by
discontinuities in the value of sysUpTime.
HCInDatagrams The number of TCP connections for which the current state is either
ESTABLISHED or CLOSE-WAIT.
HCOutDatagrams The number of UDP datagrams sent from this entity, for devices that
can transmit more than 1 million UDP datagrams for each second.
Discontinuities in the value of this counter can occur at reinitialization
of the management system, and at other times as indicated by
discontinuities in the value of sysUpTime.

Viewing Port Interface Statistics


View port interface statistics to manage network performance.

Procedure

1. In the Device Physical View, select a port.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Port.

4. Click the Interface tab.

Interface Field Descriptions


The following table describes parameters on the Interface tab.

Name Description
InOctets Specifies the number of octets received on the interface, including
framing characters.
OutOctets Specifies the number of octets transmitted from the interface,
including framing characters.
InUcastPkts Specifies the number of packets delivered by this sublayer to
a higher sublayer that were not addressed to a multicast or
broadcast address at this sublayer.
OutUcastPkts Specifies the number of packets that higher-level protocols
requested be transmitted that were not addressed to a multicast
address at this sublayer. The total number includes those packets
discarded or not sent.
InMulticastPkts Specifies the number of packets delivered by this sublayer to a
higher sublayer that were addressed to a multicast address at
this sublayer. For a MAC layer protocol, this number includes both
group and functional addresses.
OutMulticastPkts Specifies the number of packets that higher-level protocols
requested be transmitted, and that are addressed to a multicast
address at this sublayer, including those that were discarded or not
sent. For a MAC layer protocol, this number includes both group
and functional addresses.
InBroadcastPkts Specifies the number of packets delivered by this sublayer to a
higher sublayer that are addressed to a broadcast address at this
sublayer.
OutBroadcastPkts Specifies the number of packets that higher-level protocols
requested be transmitted, and that were addressed to a broadcast
address at this sublayer, including those that were discarded or not
sent.
InDiscards Specifies the number of inbound packets that are discarded
because of frames with errors or invalid frames or, in some cases,
to fill up buffer space.
InErrors For packet-oriented interfaces, specifies the number of inbound
packets that contained errors preventing them from being
deliverable to a higher-layer protocol. For character-oriented or
fixed-length interfaces, the number of inbound transmission units
that contained errors preventing them from being deliverable to a
higher-layer protocol.
InUnknownProtos For packet-oriented interfaces, specifies the number of packets
received through the interface that are discarded because of an
unknown or unsupported protocol. For character-oriented or fixed-
length interfaces that support protocol multiplexing, the number
of transmission units received through the interface that were
discarded because of an unknown or unsupported protocol. For
any interface that does not support protocol multiplexing, this
counter is always 0.

HCInPfcPkts Specifies the total number of Priority Flow Control (PFC) packets
received by this interface. This number does not increment for
port-level flow control.
HCOutPfcPkts Specifies the total number of PFC packets transmitted by this
interface. This number does not increment for port-level flow
control.
InFlowCtrlPkts Specifies the number of port-level flow control packets received by
this interface.
OutFlowCtrlPkts Specifies the number of port-level flow control packets transmitted
by this interface.
InPfcPkts Specifies the total number of port-level flow control packets
received by this interface.
OutPfcPkts Specifies the total number of port-level flow control packets
transmitted by this interface.
NumStateTransition Specifies the number of times the port went in and out of service;
the number of state transitions from up to down.

Viewing Port Ethernet Errors Statistics


View port Ethernet errors statistics to manage network performance.

Procedure

1. In the Device Physical View, select a port.


2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Port.
4. Click the Ethernet Errors tab.

Ethernet Errors Field Descriptions


The following table describes parameters on the Ethernet Errors tab.

Name Description
AlignmentErrors Specifies a count of frames received on a particular interface that
are not an integral number of octets in length and do not pass
the FCS check. The count represented by an instance of this
object increments when the alignmentError status is returned
by the MAC service to the LLC (or other MAC user). Received
frames for which multiple error conditions obtain are, according
to the conventions of IEEE 802.3 Layer Management, counted
exclusively according to the error status presented to the LLC.
FCSErrors Specifies a count of frames received on a particular interface
that are an integral number of octets in length but do not pass
the FCS check. The count represented by an instance of this
object increments when the frameCheckError status is returned
by the MAC service to the LLC (or other MAC user). Received
frames for which multiple error conditions obtained are, according
to the conventions of IEEE 802.3 Layer Management, counted
exclusively according to the error status presented to the LLC.
InternalMacTransmitErrors Specifies a count of frames for which transmission on a particular
interface fails due to an internal MAC sublayer transmit error.
A frame is only counted by an instance of this object if
it is not counted by the corresponding instance of either
the LateCollisions object, the ExcessiveCollisions object, or the
CarrierSenseErrors object. The precise meaning of the count
represented by an instance of this object is implementation-
specific. In particular, an instance of this object can represent a
count of transmission errors on a particular interface that are not
otherwise counted.
InternalMacReceiveErrors Specifies a count of frames for which reception on a particular
interface fails due to an internal MAC sublayer receive error.
A frame is only counted by an instance of this object if
it is not counted by the corresponding instance of either
the FrameTooLongs object, the AlignmentErrors object, or the
FCSErrors object. The precise meaning of the count represented
by an instance of this object is implementation-specific. In
particular, an instance of this object can represent a count of
receive errors on a particular interface that are not otherwise
counted.
CarrierSenseErrors Specifies the number of times that the carrier sense condition is
lost or not asserted when the switch attempts to transmit a frame
on a particular interface. The count represented by an instance
of this object increments at most once for each transmission
attempt, even if the carrier sense condition fluctuates during a
transmission attempt.

FrameTooLongs Specifies a count of frames received on a particular interface
that exceed the maximum permitted frame size. The count
represented by an instance of this object increments when the
frameTooLong status is returned by the MAC service to the LLC
(or other MAC user). Received frames for which multiple error
conditions obtained are, according to the conventions of IEEE
802.3 Layer Management, counted exclusively according to the
error status presented to the LLC.
SQETestErrors Specifies a count of times that the SQE TEST ERROR message is
generated by the PLS sublayer for a particular interface. The SQE
TEST ERROR message is defined in section 7.2.2.2.4 of ANSI/IEEE
802.3-1985 and its generation described in section 7.2.4.6 of the
same document.
DeferredTransmissions Specifies a count of frames for which the first transmission
attempt on a particular interface is delayed because the medium
is busy. The count represented by an instance of this object does
not include frames involved in collisions.
SingleCollisionFrames Specifies a count of successfully transmitted frames on a
particular interface for which transmission is inhibited by exactly
one collision. A frame that is counted by an instance of
this object is also counted by the corresponding instance of
either the UcastPkts, MulticastPkts, or BroadcastPkts objects
and is not counted by the corresponding instance of the
MultipleCollisionFrames object.
MultipleCollisionFrames Specifies a count of successfully transmitted frames on a
particular interface for which transmission is inhibited by more
than one collision. A frame that is counted by an instance of
this object is also counted by the corresponding instance of
either the UcastPkts, MulticastPkts, or BroadcastPkts objects
and is not counted by the corresponding instance of the
SingleCollisionFrames object.
LateCollisions Specifies the number of times that a collision is detected on a
particular interface later than 512 bit-times into the transmission
of a packet; 512 corresponds to 51.2 microseconds on a 10 Mb/s
system. A (late) collision included in a count represented by an
instance of this object is also considered as a (generic) collision
for purposes of other collision-related statistics.
ExcessiveCollisions Specifies a count of frames for which transmission on a particular
interface fails due to excessive collisions.
FrameTooShorts Specifies the number of frames, encountered on this interface,
that are too short.
LinkFailures Specifies the number of link failures encountered on this interface.
PacketErrors Specifies the number of packet errors encountered on this
interface.
CarrierErrors Specifies the number of carrier errors encountered on this
interface.
LinkInactiveErrors Specifies the number of link inactive errors encountered on this
interface.

View Port Bridging Statistics


Note
This procedure only applies to VSP 4450 Series.

View port bridging errors statistics to manage network performance.

Procedure

1. In the Device Physical View, select a port.


2. In the navigation pane, expand: Configuration > Graph.
3. Select Port.
4. Select the Bridging tab.

Bridging Field Descriptions


The following table describes parameters on the Bridging tab.

Name Description
InUnicastFrames The number of incoming unicast frames bridged.
InMulticastFrames The number of incoming multicast frames bridged.
InBroadcastFrames The number of incoming broadcast frames bridged.
InDiscards The number of frames discarded by the bridging entity.
OutFrames The number of outgoing frames bridged.

View Port Routing Statistics


Note
This procedure only applies to VSP 4450 Series.

View port routing statistics to manage network performance.

Procedure

1. In the Device Physical View, select a port.


2. In the navigation tree, expand Configuration > Graph.
3. Select Port.
4. Select the Routing tab.

Routing Field Descriptions


Use the data in the following table to use the Routing tab.

Name Description
InUnicastFrames The number of incoming unicast frames routed.
InMulticastFrames The number of incoming multicast frames routed.
InDiscards The number of frames discarded by the routing entity.

OutUnicastFrames The number of outgoing unicast frames routed.
OutMulticastFrames The number of outgoing multicast frames routed.



Dynamic Host Configuration Protocol and User
Datagram Protocol Configuration
DHCP option 82
DHCP Relay for IPv6
DHCP Relay Network Topology and Workflow
UDP broadcast forwarding
DHCP and UDP configuration using the CLI
IPv6 DHCP Relay Configuration using CLI
DHCP and UDP configuration using Enterprise Device Manager
IPv6 DHCP Relay Configuration using EDM

Table 74: Dynamic Host Configuration Protocol product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| Dynamic Host Configuration Protocol (DHCP) Relay | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |
| DHCP Option 82 | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |

Table 75: Dynamic Host Configuration Protocol Relay for IPv6 product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| IPv6 DHCP Relay | VSP 4450 Series | VOSS 4.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 4.1 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 6.2 |
| | XA1400 Series | Not Supported |

DHCP option 82
The DHCP option 82 is the DHCP Relay Agent Information option. The DHCP relay agent inserts
option 82 when it forwards the client-originated DHCP packets to a DHCP server. The Relay Agent
Information option is organized as a single DHCP option that contains one or more sub-options that
convey information known by the relay agent. The DHCP server echoes the option back to the relay
agent in server-to-client replies, and the relay agent removes the option before forwarding the reply to
the client.

The DHCP option 82 is added at the DHCP relay level as shown in the following image.

Figure 43: DHCP Client-Relay-Server Architecture


The Relay Agent Information option (code 82) is a container for specific agent-supplied suboptions:
Agent Circuit ID (code 1) and Agent Remote ID (code 2). The suboptions can represent different
information relevant for the relay. The fields are encoded in the following manner, where N or n is the
total number of octets in the Agent Information Field (all bytes of the suboptions):

Figure 44: Format of the Relay Agent Information


Because at least one of the suboptions must be defined, the minimum Relay Agent Information length
is two (2), and the length n of the suboption can be zero (0). The suboptions do not have to appear in
any particular order. No pad suboption is defined, and the Information field is not terminated with a 255
suboption.

DHCP Suboptions
The suboptions are Agent Circuit ID and Agent Remote ID.

The DHCP relay agents can add the Agent Circuit ID to terminate switched or permanent circuits. The
Agent Circuit ID encodes an agent-local identifier of the circuit from which a DHCP client-to-server
packet was received. Agents can use the Circuit ID to relay DHCP responses back to the proper circuit.
In the switch, the Agent Circuit ID field contains the ifIndex of the interface on which the packet is
received.

DHCP relay agents can add the Agent Remote ID to terminate switched or permanent circuits, and can
identify the remote host end of the circuit. The switch uses the Agent Remote ID field to encode the
MAC address of the interface on which the packet is received. The Agent Remote ID must be globally
unique.
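The option 82 layout and the two suboptions described above, as an added Python example that is not part of the guide or of the switch software. It assumes the ifIndex is carried as a 4-byte big-endian integer and the MAC address as 6 raw octets (the guide names the values but not their on-wire width); all function names are illustrative.

```python
import struct

OPT_RELAY_AGENT_INFO = 82   # Relay Agent Information option code
SUB_CIRCUIT_ID = 1          # Agent Circuit ID suboption code
SUB_REMOTE_ID = 2           # Agent Remote ID suboption code


def build_option82(ifindex: int, mac: str) -> bytes:
    """Encode option 82 with Circuit ID = ifIndex and Remote ID = MAC.

    Assumption: 4-byte big-endian ifIndex, 6 raw MAC octets.
    """
    circuit = struct.pack("!I", ifindex)
    remote = bytes.fromhex(mac.replace(":", ""))
    if len(remote) != 6:
        raise ValueError("MAC address must be 6 octets")
    subopts = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit +
               bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    # N counts every octet of every suboption and must fit in one length byte.
    if len(subopts) > 255:
        raise ValueError("Agent Information Field exceeds 255 octets")
    return bytes([OPT_RELAY_AGENT_INFO, len(subopts)]) + subopts


def parse_option82(data: bytes) -> dict:
    """Decode one option 82 TLV into {suboption code: value bytes}.

    Rejects input that a relay or server should not act on: wrong option
    code, N below the minimum of 2, N that disagrees with the bytes present,
    or a suboption whose length n runs past the end of the field.
    Suboptions are accepted in any order and n may be 0.
    """
    if len(data) < 2 or data[0] != OPT_RELAY_AGENT_INFO:
        raise ValueError("not a Relay Agent Information option")
    n = data[1]
    if n < 2:
        raise ValueError("length N is below the minimum of 2")
    field = data[2:]
    if len(field) != n:
        raise ValueError("length N does not match the Agent Information Field")
    subopts, pos = {}, 0
    while pos < n:
        if pos + 2 > n:
            raise ValueError("truncated suboption header")
        code, sublen = field[pos], field[pos + 1]
        value = field[pos + 2:pos + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("suboption %d overruns the option" % code)
        subopts[code] = value
        pos += 2 + sublen
    return subopts


def decode_switch_fields(subopts: dict) -> dict:
    """Interpret the suboptions the way the guide says the switch fills them."""
    circuit = subopts.get(SUB_CIRCUIT_ID)
    remote = subopts.get(SUB_REMOTE_ID)
    return {
        "ifindex": struct.unpack("!I", circuit)[0]
        if circuit is not None and len(circuit) == 4 else None,
        "mac": ":".join("%02x" % b for b in remote)
        if remote is not None and len(remote) == 6 else None,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    wire = build_option82(1025, "00:11:22:33:44:55")
    print(wire.hex())
    print(decode_switch_fields(parse_option82(wire)))
```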

Agent Operations
A DHCP relay agent adds a Relay Agent Information field as the last option in the DHCP options field of
any recognized BOOTP or DHCP packet forwarded from a client to a server. However, if the End Option
255 is present, then the DHCP relay agent adds a Relay Agent Information field before the End Option
255 field.

Relay agents can receive a DHCP packet from an untrusted circuit with the gateway IP address
(GIADDR) set to zero to indicate that the relay agent is the first-hop router from the gateway. If a Relay
Agent Information option is present in the packet, the relay agent discards the packet and increments
an error counter. A trusted circuit can contain a trusted downstream network element, for example,
a bridge, between the relay agent and the client. The bridge can add a relay agent option but does
not set the GIADDR field. In this case, the relay agent forwards the DHCP packet per normal DHCP
relay agent operations, and sets the GIADDR field to the relay address. The relay agent does not add a
second relay agent option.

You can distinguish between a trusted circuit and an untrusted circuit based on the type of circuit
termination equipment you use. To make a circuit trusted, set the trusted flag under DHCP for each
interface.

If adding the Relay Agent Information option causes a packet to exceed the MTU or the vendor size
buffer of 64 bits, the packet is forwarded without the Agent Information option, and an error
counter is incremented.

When forwarding a server-to-client response back to the client, the relay agent or the trusted
downstream network element removes the Relay Agent Information option that was added and then
echoed by a server.

The following list outlines the operations that the relay agent does not perform:
• The relay agent does not add an Option Overload option to the packet or use the file or sname
fields to add the Relay Agent Information option. The agent does not parse or remove Relay Agent
Information options that can appear in the sname or file fields of a server-to-client packet
forwarded through the agent.
• The relay agent does not monitor or modify client-originated DHCP packets addressed to a server
unicast address; this includes the DHCP-REQUEST sent when entering the RENEWING state.
• The relay agent does not modify DHCP packets that use the IPSEC Authentication Header or IPSEC
Encapsulating Security Payload.

A DHCP relay agent can receive a client DHCP packet forwarded from a BOOTP/DHCP relay agent
closer to the client. This packet has a non-zero GIADDR, and may or may not already have a DHCP
Relay Agent option in it.

A relay agent that is configured to add a Relay Agent option and receives a client DHCP packet with a
non-zero GIADDR discards the packet if the GIADDR spoofs a GIADDR address implemented by the
local agent itself. Otherwise, the relay agent forwards any received DHCP packet with a valid non-zero
GIADDR without adding any relay agent options. The GIADDR value does not change.
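
The decision rules in this section, restated as an added Python example (not code from the VOSS software or from this guide). The action names, the max_len stand-in for the MTU and buffer limit, and the handling of malformed packets are assumptions; the sample packet is constructed.

```python
import ipaddress

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks the start of the DHCP options field
OPT_PAD, OPT_RELAY_AGENT_INFO, OPT_END = 0, 82, 255
GIADDR = slice(24, 28)                    # giaddr position in the fixed BOOTP header
OPTIONS_START = 240                       # 236-byte header + 4-byte cookie


def scan_options(options):
    """Walk the options field; return (has_option_82, offset of End 255 or len)."""
    i, has82 = 0, False
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            return has82, i
        if code == OPT_PAD:               # Pad is a single byte with no length
            i += 1
            continue
        if i + 2 > len(options) or i + 2 + options[i + 1] > len(options):
            raise ValueError("truncated DHCP option")
        has82 = has82 or code == OPT_RELAY_AGENT_INFO
        i += 2 + options[i + 1]
    return has82, len(options)


def build_option_82(circuit_id, remote_id):
    """Option 82 with sub-option 1 (Agent Circuit ID) and 2 (Agent Remote ID)."""
    body = (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def relay_client_packet(pkt, relay_ip, local_ips, trusted,
                        circuit_id, remote_id, max_len=576):
    """Return (action, packet_or_None) for one client-to-server packet."""
    if len(pkt) < OPTIONS_START or pkt[236:240] != MAGIC_COOKIE:
        return "discard-malformed", None      # assumption: not covered by the guide
    try:
        has82, end = scan_options(pkt[OPTIONS_START:])
    except ValueError:
        return "discard-malformed", None      # assumption, as above
    giaddr = ipaddress.IPv4Address(pkt[GIADDR])
    if int(giaddr) != 0:
        # Already relayed once: drop if it claims one of our own addresses,
        # otherwise forward untouched (no option added, GIADDR unchanged).
        if giaddr in local_ips:
            return "discard-spoofed-giaddr", None
        return "forward-unchanged", pkt
    if has82 and not trusted:
        # First hop, untrusted circuit, option 82 already present: discard.
        return "discard-untrusted-option82", None
    out = pkt[:24] + relay_ip.packed + pkt[28:]   # set GIADDR to the relay address
    if has82:
        # Trusted downstream element added the option; do not add a second one.
        return "forward-existing-option82", out
    opt = build_option_82(circuit_id, remote_id)
    if len(out) + len(opt) > max_len:
        return "forward-without-option82", out    # size limit hit: relay as-is
    cut = OPTIONS_START + end                     # before End 255, or at the end
    return "forward-added-option82", out[:cut] + opt + out[cut:]


def sample_packet(giaddr="0.0.0.0", options=b"\x35\x01\x01\xff"):
    """Constructed DHCPDISCOVER-like packet for the demo (not captured traffic)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6              # BOOTREQUEST, Ethernet, hlen 6
    hdr[24:28] = ipaddress.IPv4Address(giaddr).packed
    hdr[28:34] = bytes.fromhex("020000000001")    # constructed client MAC
    return bytes(hdr) + MAGIC_COOKIE + options


if __name__ == "__main__":
    relay = ipaddress.IPv4Address("192.0.2.1")
    action, _ = relay_client_packet(sample_packet(), relay, {relay}, False,
                                    b"\x00\x0a", bytes.fromhex("020000000002"))
    print(action)
```

The two discard actions correspond to the error counters that show ip dhcp-relay counters option82 reports, so a rising drop count on an untrusted circuit is worth investigating.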

DHCP Relay for IPv6


The Dynamic Host Configuration Protocol (DHCP) for IPv6 (RFC 3315) enables DHCP servers to pass
configuration parameters such as IPv6 network addresses to IPv6 nodes. DHCP supports automatic
allocation of reusable network addresses and of additional configuration parameters. This protocol
is a stateful counterpart to stateless address autoconfiguration, and you can use it separately or
concurrently with the latter to obtain configuration parameters. For more information about stateless
address autoconfiguration, see Host autoconfiguration on page 1994.


To request the assignment of one or more IPv6 addresses, a client first locates a DHCP server, and then
requests the assignment of addresses and other configuration information from the server:

1. The client sends a solicit message to the All_DHCP_Relay_Agents_and_Servers (FF02::1:2) multicast
address to find available DHCP servers.
2. Any server that can meet the requirements responds with an advertise message.
3. The client then chooses one of the servers and sends a request message to the server asking for
confirmed assignment of addresses and other configuration information.
4. The server responds with a reply message that contains the confirmed addresses and configuration.

If a DHCP client does not need a DHCP server to assign it an IPv6 address, the client can obtain
configuration information such as a list of available DNS servers or NTP servers through a single
message and reply exchanged with a DHCP server.

IPv6 DHCP clients use link-local addresses to send and receive DHCP messages. To permit a DHCP
client to send a message to a DHCP server that is not attached to the same link, you must configure a
DHCP relay agent on the client link to relay messages between the client and server. The operation of
the relay agent is transparent to the client.

A relay agent relays messages from clients and messages from other relay agents. The switch supports
DHCP Relay for IPv6. Configure at least one relay agent when the client and server are in different
networks.

You must configure the relay agent to use a list of destination addresses for available DHCP servers. The
software does not support IPv6 multicast for site-local and global addresses.

The DHCP relay can be a Virtual Router Redundancy Protocol (VRRP) Address. The relay forwards the
DHCP messages only if VRRP is in the Master state, otherwise the relay discards the messages.

Note
DHCP cannot work on the backup VRRP if the master fails. To achieve optimum results and to
leverage redundancy, you must configure DHCP on the backup VRRP.

Clients listen for DHCP messages on UDP port 546. Servers and relay agents listen for DHCP messages
on UDP port 547.

Remote ID
IPv6 DHCP Relay supports the remote ID parameter (RFC4649). After you enable remote ID on the
switch, the relay agent adds information about the relay to DHCPv6 messages before relaying the
messages to the DHCP server. The server can use the supplied information in the process of assigning
the addresses, delegated prefixes, and configuration parameters that the client is to receive.

The remote ID option contains two fields:


• vendor ID
• MAC address of the client

The switch uses a vendor ID of 1584.
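
What a DHCP server sees when remote ID is enabled, as an added Python example (not code from the VOSS software or from this guide): a DHCPv6 Relay-Forward message carrying the Remote-ID option, built and then parsed and validated the way a server-side check would. The message layout follows RFC 3315 and RFC 4649; that the switch encodes the client MAC as six raw bytes is an assumption, and all addresses and the client message are constructed.

```python
import ipaddress
import struct

RELAY_FORW = 12          # DHCPv6 Relay-Forward message type (RFC 3315)
OPTION_RELAY_MSG = 9     # carries the client's original message
OPTION_REMOTE_ID = 37    # Remote-ID option (RFC 4649)
VENDOR_ID = 1584         # vendor ID the guide states the switch uses
FIXED_LEN = 34           # msg-type + hop-count + link-address + peer-address


def build_relay_forward(client_msg, link_addr, peer_addr, client_mac, hop_count=0):
    """Wrap a client message the way a relay does, adding the Remote-ID option."""
    remote_id = struct.pack("!I", VENDOR_ID) + client_mac
    options = struct.pack("!HH", OPTION_RELAY_MSG, len(client_msg)) + client_msg
    options += struct.pack("!HH", OPTION_REMOTE_ID, len(remote_id)) + remote_id
    return (bytes([RELAY_FORW, hop_count])
            + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed
            + options)


def parse_relay_forward(data):
    """Parse a Relay-Forward message; raise ValueError on malformed input."""
    if len(data) < FIXED_LEN or data[0] != RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    info = {
        "hop_count": data[1],
        "link_address": ipaddress.IPv6Address(data[2:18]),
        "peer_address": ipaddress.IPv6Address(data[18:34]),
        "relayed": None,       # the client's original message
        "remote_id": None,     # (vendor ID, remote-id bytes)
    }
    i = FIXED_LEN
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, i)
        value = data[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == OPTION_RELAY_MSG:
            info["relayed"] = value
        elif code == OPTION_REMOTE_ID:
            if length < 4:
                raise ValueError("Remote-ID shorter than the vendor ID field")
            info["remote_id"] = (struct.unpack("!I", value[:4])[0], value[4:])
        i += 4 + length
    return info


def client_mac_from_remote_id(info, expected_vendor=VENDOR_ID):
    """Return the client MAC as text, or None if the option is absent,
    carries a different vendor ID, or is not a 6-byte MAC (assumed encoding)."""
    if info["remote_id"] is None:
        return None
    vendor, ident = info["remote_id"]
    if vendor != expected_vendor or len(ident) != 6:
        return None
    return ":".join(f"{b:02x}" for b in ident)


if __name__ == "__main__":
    solicit = b"\x01\xab\xcd\xef"                  # constructed Solicit header
    msg = build_relay_forward(solicit, "2001:db8::1", "fe80::200:ff:fe00:1",
                              bytes.fromhex("020000000001"))
    print(client_mac_from_remote_id(parse_relay_forward(msg)))
```

A server that keys address or prefix policy on this value should treat it as trustworthy only when the message arrives from a relay it expects, because the option is plain data in the packet.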


Limitations
The following list identifies configuration limitations:
• You can configure only one relay for a VLAN, regardless of how many addresses are configured on
that VLAN. The default address is the smallest address configured. If the relay is a VRRP address, the
default value is the first VRRP address configured.
• The maximum number of servers to which a relay can send a message from one client, is 10.
• You can configure the number of forwarding paths per system. For information on the maximum
limit, see VOSS Release Notes.

DHCP Relay Network Topology and Workflow


The following example depicts the interaction between a DHCP client and a server:

Figure 45: DHCP Client-Relay-Server Architecture


The following list outlines the operations that the DHCP relay agent performs to forward the message to
the server:
• When a client sends a request for the IP address or configuration parameters, the server responds
with the details as requested by the client.

Note
There should be at least one relay agent when client and server are located in different
networks.

• A DHCP Relay IPv6 is established only between agents within the context of each VRF and when no
cross VRF interaction is present.

Note
The All_DHCP_Servers multicast address option is not implemented for IPv6, because there is no
IPv6 multicast support for site-local and global addresses.


UDP broadcast forwarding


Some network applications, such as the NetBIOS name service, rely on a User Datagram Protocol (UDP)
broadcast to request a service or locate a server for an application. If a host is on a network, subnet
segment, or VLAN that does not include a server for the service, UDP broadcasts are by default not
forwarded to the server located on a different network segment or VLAN. You can resolve this problem
by forwarding the broadcasts to the server through physical or virtual router interfaces.

UDP broadcast forwarding is a general mechanism for selectively forwarding limited UDP broadcasts
received on an IP interface out to other router IP interfaces as a rebroadcast or to a configured IP
address. If the address is that of a server, the packet is sent as a unicast packet to this address. If the
address is that of an interface on the router, the frame is rebroadcast.

After a UDP broadcast is received on a router interface, it must meet the following criteria to be eligible
for forwarding:
• It must be a MAC-level broadcast.
• It must be an IP limited broadcast.
• It must be for the specified UDP protocol.
• It must have a time-to-live (TTL) value of at least 2.

For each ingress interface and protocol, the policy specifies how the UDP broadcast is retransmitted: to
a unicast host address or to a broadcast address.
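
The four eligibility criteria and the policy lookup, as an added Python example (not code from the VOSS software or from this guide) that checks an untagged Ethernet frame. The policy table maps a UDP port to a destination and reuses the port 150 and 192.0.2.10 values from the port forward example later in this chapter; the frames and the reason strings are constructed.

```python
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
ETH_LEN, ETHERTYPE_IPV4, PROTO_UDP = 14, 0x0800, 17


def check_udp_broadcast(frame, policy):
    """Return (True, destination) if the frame is eligible for forwarding,
    else (False, reason). policy maps UDP destination port -> destination."""
    if len(frame) < ETH_LEN + 20 + 8:
        return False, "truncated frame"
    if frame[0:6] != BROADCAST_MAC:
        return False, "not a MAC-level broadcast"
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False, "not IPv4"
    version, ihl = frame[ETH_LEN] >> 4, (frame[ETH_LEN] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(frame) < ETH_LEN + ihl + 8:
        return False, "bad IPv4 header"
    ttl, proto = frame[ETH_LEN + 8], frame[ETH_LEN + 9]
    dst = ipaddress.IPv4Address(frame[ETH_LEN + 16:ETH_LEN + 20])
    if dst != LIMITED_BROADCAST:
        return False, "not an IP limited broadcast"
    if proto != PROTO_UDP:
        return False, "not UDP"
    dport = struct.unpack_from("!H", frame, ETH_LEN + ihl + 2)[0]
    if dport not in policy:
        return False, "UDP port not in forwarding policy"
    if ttl < 2:
        return False, "TTL below 2"
    return True, policy[dport]


def build_frame(dport, ttl=64, dst_ip="255.255.255.255",
                dst_mac=BROADCAST_MAC, payload=b"demo"):
    """Constructed untagged Ethernet/IPv4/UDP frame (checksums left at zero)."""
    eth = dst_mac + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0,
                     ttl, PROTO_UDP, 0,
                     ipaddress.IPv4Address("192.0.2.77").packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    return eth + ip + udp


if __name__ == "__main__":
    policy = {150: ipaddress.IPv4Address("192.0.2.10")}
    for frame in (build_frame(150), build_frame(150, ttl=1), build_frame(53),
                  build_frame(150, dst_ip="192.0.2.255")):
        print(check_udp_broadcast(frame, policy))
```

Only ports present in the policy are relayed, so reviewing that table shows which broadcast services can cross a segment boundary.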

DHCP and UDP configuration using the CLI


Use Dynamic Host Configuration Protocol (DHCP), an extension of the Bootstrap Protocol (BootP), to
provide host configuration information to the workstations dynamically. Use the DHCP relay commands
to configure DHCP relay behavior on a port or on a VLAN.

This section describes CLI commands for DHCP and User Datagram Protocol (UDP) configuration.

Configure DHCP Parameters Globally


Before You Begin

Configure an IP address on the interface to be used as the DHCP relay interface.

About This Task

Configure DHCP relay parameters for the port or the VLAN.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Create the forwarding path from the client to the server:
ip dhcp-relay fwd-path <A.B.C.D> <A.B.C.D>
3. Enable the forwarding path from the client to the server:
ip dhcp-relay fwd-path <A.B.C.D> <A.B.C.D> enable

Note
If the agent IP address (the first <A.B.C.D> variable) is a VLAN or port IP address, you
must enable DHCP Relay on that VLAN or port by running ip dhcp-relay within the
VLAN context. However, if the first <A.B.C.D> variable is a VRRP address, you do not
need to enable DHCP Relay on the VLAN or port in which the VRRP address resides.

4. Modify DHCP mode to forward BOOTP messages only, DHCP messages only, or both:
ip dhcp-relay fwd-path <A.B.C.D> <A.B.C.D> mode <bootp|bootp_dhcp|dhcp>
5. (Optional) Configure the forwarding path with source port 67 from client to the server:
ip dhcp-relay fwd-path {A.B.C.D} {A.B.C.D} src-port-67

Note
This step does not apply to VSP 8600 Series.

Example

Create the forwarding path from the client to the server. Enable the forwarding path from the client to
the server. Modify DHCP mode to forward both BOOTP and DHCP messages. Configure the forwarding path
with source port 67 for BOOTP request.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ip dhcp-relay fwd-path 192.0.2.120 192.0.2.50
Switch:1(config)#ip dhcp-relay fwd-path 192.0.2.128 192.0.2.50 enable
Switch:1(config)#ip dhcp-relay fwd-path 192.0.2.128 192.0.2.50 mode bootp_dhcp
Switch:1(config)#ip dhcp-relay fwd-path 192.0.2.128 192.0.2.50 src-port-67

Variable Definitions
The following table defines parameters for the ip dhcp-relay fwd-path command.

Variable Value
{A.B.C.D} The {A.B.C.D} variable is the agent IP address configured
on an interface (a locally configured IP address).
{A.B.C.D} The {A.B.C.D} variable is the IP address of the DHCP server
in the network.
disable Disables DHCP Relay globally.
enable Enables DHCP Relay globally.
mode <bootp|bootp_dhcp|dhcp> Modifies DHCP mode to forward BOOTP messages only, DHCP
messages only, or both. The default is both.
src-port-67 Configures the UDP source port to 67 for BOOTP request. The
default is 68.
Note: Exception: not supported on VSP 8600 Series.


Showing DHCP relay information


Display relay information about DHCP routes and counters.

For scaling information on DHCP Relay forwarding (IPv4 or IPv6), see VOSS Release Notes.

Procedure

1. Enter Privileged EXEC mode:
enable
2. Display information about DHCP relay forward paths:
show ip dhcp-relay fwd-path [vrf WORD<1-16>] [vrfids WORD<0-512>]
3. Display information about DHCP relay counters:
show ip dhcp-relay counters [vrf WORD<1-16>] [vrfids WORD<0-512>]
4. Display the options for each listed interface:
show ip dhcp-relay interface [gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] [vlan <1-4059>] [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1#show ip dhcp-relay interface

================================================================================
Port Dhcp
================================================================================
PORT VRF MAX MIN ALWAYS CIRCUIT REMOTE TRUST
NUM NAME ENABLE HOP SEC MODE BCAST ID ID CIRC
--------------------------------------------------------------------------------

================================================================================
Vlan Dhcp
================================================================================
VLAN VRF MAX MIN ALWAYS CIRCUIT REMOTE TRUST
ID NAME ENABLE HOP SEC MODE BCAST ID ID CIRC
--------------------------------------------------------------------------------

All 0 out of 0 of Vlan Dhcp Entries displayed

Variable definitions
Use the data in the following table to use the show ip dhcp-relay command.

Variable Value
vrf WORD<1-16> The name of the VRF.
vrfids WORD<0-512> The ID of the VRF. The value is an integer in the
range of 0–512.


Use the data in the following table to use the show ip dhcp-relay interface command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following formats: a single slot and
port (slot/port), a range of slots and ports (slot/port-slot/port), or a series
of slots and ports (slot/port,slot/port,slot/port). If the platform supports
channelization and the port is channelized, you must also specify the
sub-port in the format slot/port/sub-port.
[vlan <1-4059>] Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs
1 to 4059 are configurable and the system reserves VLAN IDs 4060 to
4094 for internal use. On switches that support the vrf-scaling and
spbm-config-mode boot configuration flags, if you enable these flags,
the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
VLAN and you cannot create or delete VLAN ID 1.
[vrf WORD<1-16>] Specifies the name of the VRF.
[vrfids WORD<0-512>] Specifies the ID of the VRF. The value is an integer from 0–512.

Configuring DHCP option 82


Configure the DHCP option 82 to enable the circuit ID to encode an agent-local identifier of the circuit
from which a DHCP client-to-server packet is received. Configure the DHCP option 82 to enable the
remote ID to encode the MAC address of the interface on which the packet is received. By default, the
DHCP option 82 is disabled.

Before You Begin


• You must enable ip and dhcp-relay on the VLAN.

About This Task

To configure the DHCP option 82 on a VLAN, you must enter the VLAN Interface Configuration mode.

To configure the DHCP option 82 on a brouter port, you must enter the GigabitEthernet Interface
Configuration mode.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1-4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.


2. Enable the circuit ID:
ip dhcp-relay circuitID
3. Enable the remote ID:
ip dhcp-relay remoteID
4. Configure the circuit as trusted:
ip dhcp-relay trusted
5. Show statistics for option 82, which is the relay agent information option:
show ip dhcp-relay counters option82 [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface gigabitethernet 1/10

Enable the circuit ID:


Switch:1(config-if)# ip dhcp-relay circuitID

Enable the remote ID:


Switch:1(config-if)# ip dhcp-relay remoteID

Configure the circuit as trusted:


Switch:1(config-if)# ip dhcp-relay trusted

Show statistics for option 82, which is the relay agent information option:
Switch:1(config-if)# show ip dhcp-relay counters option82

Variable Definitions

Use the data in the following table to configure the DHCP option 82.

Variable Value
circuitID Enables the Circuit ID.
remoteID Enables the Remote ID.
trusted Sets the circuit as trusted.

Use the data in the following table to use the show ip dhcp-relay counters option82 [vrf
WORD<1-16>] [vrfids WORD<0-512>] command.

Variable Value
vrf WORD<1-16> Displays DHCP counters for a particular VRF. WORD<1-16> specifies the
VRF name.
vrfids WORD<0-512> Displays a DHCP forward path for a particular VRF. WORD<0-512>
specifies the VRF ID.


Configuring DHCP relay on a port or VLAN


You can view and configure the DHCP parameters on specific ports or on a VLAN.

Before You Begin


• You must configure IP on the interface.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1-4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable DHCP parameters on a specified port or VLAN:


ip dhcp-relay

Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface gigabitethernet 1/10

Enable DHCP parameters on a specified port or VLAN:


Switch:1(config-if)# ip dhcp-relay

Variable definitions
Use the data in the following table to use the ip dhcp-relay command.

Use the no operator to disable DHCP parameters on specified ports: no ip dhcp-relay.

Note
The no ip dhcp-relay command disables DHCP Relay; it does not delete the DHCP entry.


To configure this option to the default value, use the default operator with this command.

Variable Value
broadcast Enables the device to send the server reply as a broadcast
to the end station. After you disable this variable, the device
sends the server reply as a unicast to the end station. Use
the no operator to disable broadcast: no ip dhcp-relay
broadcast.
To configure this option to the default value, use the
default operator with this command.
circuitId Enables Option 82 circuit ID on the interface.
clear-counters Clears DHCP Relay counters for the interface.
fwd-path <A.B.C.D> [vrid <1-255>] Creates a forward path server with a virtual router ID (or
VRRP ID), a mode, and a state.
A.B.C.D is the IP address.
vrid <1-255> is the ID of the virtual router and is an
integer from 1 to 255.
Use the no operator to delete a forward path server with
a specific value and virtual router ID: no ip dhcp-relay
fwd-path <A.B.C.D> [vrid <1-255>]
To configure this option to the default value, use the
default operator with this command.
fwd-path <A.B.C.D> disable [vrid <1-255>] Disables a forward path server with a specific value and
virtual router ID.
A.B.C.D is the IP address.
vrid <1-255> is the ID of the virtual router (or VRRP ID)
and is an integer from 1 to 255.
fwd-path <A.B.C.D> enable [vrid <1-255>] Enables a forward path server with a specific value and
virtual router ID (or VRRP ID).
A.B.C.D is the IP address in the form a.b.c.d.
vrid <1-255> is the ID of the virtual router and is an
integer from 1 to 255.
fwd-path <A.B.C.D> mode <bootp|bootp_dhcp|dhcp> [vrid <1-255>] Configures the forward path mode for a VLAN. This
command string is available only in VLAN Interface
Configuration mode.
A.B.C.D is the IP address in the form a.b.c.d.
mode is a choice of bootp, dhcp, or bootp_dhcp.
vrid <1-255> is the ID of the virtual router (or VRRP ID)
and is an integer from 1 to 255.
To configure this option to the default value, use the
default operator with this command.
max-hop <1-16> Configures the maximum number of hops before a BootP/
DHCP packet is discarded (1 to 16). The default is 4.
To configure this option to the default value, use the
default operator with this command.
min-sec <0-65535> Configures the minimum seconds count for DHCP. If the secs
field in the BootP/DHCP packet header is greater than this
value, the device relays or forwards the packet; otherwise,
the packet is dropped (0 to 65535). The default is 0 seconds.
To configure this option to the default value, use the
default operator with this command.
mode <bootp|bootp_dhcp|dhcp> Configures DHCP mode to forward BootP messages only,
DHCP messages only, or both. The default is both.
To configure this option to the default value, use the
default operator with this command.
remoteId Enables Option82 remote ID on the interface.
trusted Configures the DHCP circuit as trusted.

Displaying DHCP-relay Statistics for Specific Ports


Display individual DHCP-relay statistics for specific ports to manage network performance.

Note
Slot and port information can differ depending on hardware platform.

Procedure

1. Enter Privileged EXEC mode:
enable
2. View DHCP-relay statistics for a specific port or VRF:
show interfaces GigabitEthernet statistics dhcp-relay [vrf WORD<1-16>] [vrfids WORD<0-255>]|{slot/port[/sub-port][-slot/port[/sub-port]][,...]}}

Example

View DHCP-relay statistics:


Switch:1>enable
Switch:1#show interfaces gigabitethernet statistics dhcp-relay

================================================================================
Port Stats Dhcp
================================================================================
PORT_NUM VRF NAME NUMREQUEST NUMREPLY
--------------------------------------------------------------------------------
1/12 GlobalRouter 0 2
1/13 GlobalRouter 3 2
2/3 GlobalRouter 0 2
--------------------------------------------------------------------------------


Variable Definitions
Use the data in the following table to use the show interfaces GigabitEthernet statistics
dhcp-relay command.

Variable Value
vrf WORD<1-16> Specifies a VRF instance by VRF name.
vrfids WORD<0-255> Specifies the ID of the VRF.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following
formats: a single slot and port (1/1).
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range
of slots and ports (slot/port-slot/port), or a series
of slots and ports (slot/port,slot/port,slot/port). If
the platform supports channelization and the port
is channelized, you must also specify the sub-port
in the format slot/port/sub-port.

Displaying DHCP-relay Statistics for all Interfaces


About This Task

Display DHCP-relay statistics for all interfaces to manage network performance.

Note
Slot and port information can differ depending on hardware platform.

Procedure

1. Show the number of requests and replies for each interface:
show ip dhcp-relay counters [vrf WORD<1-16>] [vrfids WORD<0-512>]
2. Show counters for Option 82:
show ip dhcp-relay counters option82 [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example
Switch:1>show ip dhcp-relay counters option82
===============================================================================================
DHCP Counters Option82 - GlobalRouter
===============================================================================================
IP FOUND DROP CIRC ADD DEL REMOTE ADD DEL
INTERFACE ADDR OP82 PKT ID CIRC CIRC ID REMID REMID
-----------------------------------------------------------------------------------------------
Port 1/12 0 0 395 0 0 00:24:7f:9d:0a:00 0 0
Vlan40 0 0 2088 0 0 00:24:7f:9d:0a:01 0 0


Variable Definitions
Use the data in the following table to use the show ip dhcp-relay counters command.

Variable Value
vrf WORD<1-16> Specifies a VRF instance by the VRF name.
vrfids WORD<0-512> Specifies the ID of the VRF.

Configuring UDP broadcast forwarding


About This Task

By default, routers do not forward broadcasts. UDP broadcast forwarding is a generalized mechanism
for the router to selectively forward UDP broadcasts. You must set up UDP broadcast forwarding on the
system. Configure UDP broadcast forwarding to forward the UDP broadcasts of network applications to
the required server through physical or virtual router interfaces.

Procedure

1. Enter protocols into a table.
2. Create policies (protocol/server pairs).
3. Assemble the policies into lists or profiles.
4. Apply the list to the appropriate interfaces.

Configuring UDP protocols


About This Task

Configure UDP protocols to determine which UDP broadcasts are forwarded.

Procedure

1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF
context:
enable
configure terminal
Optional: router vrf WORD<1-16>
2. Configure a UDP protocol:
ip forward-protocol udp <1-65535> WORD<1-15>
3. Confirm your configuration:
show ip forward-protocol udp interface [vrf WORD<1-16>]|[vrfids WORD<0-512>] portfwd [vrf WORD<1-16>]|[vrfids WORD<0-512>] portfwdlist <1-1000> [vrf WORD<1-16>]|[vrfids WORD<0-512>] vrf WORD<1-16> vrfids WORD<0-512>


Example

Configure a UDP protocol and confirm your configuration.


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ip forward-protocol udp 53 DNS
Switch:1(config)#show ip forward-protocol udp

================================================================================
Udp Protocol Tbl - GlobalRouter
================================================================================
UDP_PORT PROTOCOL_NAME
--------------------------------------------------------------------------------
37 Time Service
49 TACACS Service
53 DNS
69 TFTP
137 NetBIOS NameSrv
138 NetBIOS DataSrv

Variable definitions
Use the data in the following table to use the ip forward-protocol udp command.

Variable Value
<1-65535> WORD<1-15> Creates a new UDP protocol.
<1-65535> WORD<1-15> is the UDP protocol name as a string.
Use the no operator to delete a UDP protocol: no ip forward-protocol
udp <1-65535>.
portfwd Displays portfwd information.
portfwdlist Displays port forward list information.
vrf WORD<1-16> Specifies the name of the VRF.
vrfids WORD<0-512> Specifies the ID of the VRF.

Configuring a UDP port forward entry


Configure a UDP port forward entry to add or remove a port forward entry.

Procedure
1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF
context:
enable
configure terminal
Optional: router vrf WORD<1-16>
2. Configure a UDP port forward entry:
ip forward-protocol udp portfwd <1-65535> {A.B.C.D}
3. Confirm your configuration:
show ip forward-protocol udp portfwd [vrf WORD<1-16>] [vrfids WORD<0-512>]


Example

Configure a UDP port forward entry:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ip forward-protocol udp portfwd 150 192.0.2.10

Variable definitions
Use the data in the following table to use the ip forward-protocol udp portfwd command.

Variable Value
<1-65535> {A.B.C.D} Adds a UDP protocol port to the specified port forwarding list.
1-65535 is a UDP protocol port in the range of 1–65535.
A.B.C.D is an IP address in a.b.c.d format.
Use the no operator to remove a protocol port forwarding entry
and IP address from the list: no ip forward-protocol udp
portfwd <1-65535> <A.B.C.D>.
To configure this option to the default value, use the default
operator with this command.
vrf WORD<1-16> Specifies the name of the VRF.
vrfids WORD<0-512> Specifies the ID of the VRF.

Configuring the UDP port forwarding list


Configure the UDP port forwarding list to assign protocols and servers to the port forward list.

About This Task

You can perform this procedure in Global Configuration mode, VLAN Interface Configuration mode, or
VRF Router Configuration mode.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure the UDP port forwarding list:
ip forward-protocol udp portfwdlist <1-1000>

Important
The following two steps are not available in the Global Configuration or VRF Router
Configuration mode. The following two commands are available in VLAN Interface
Configuration mode only.

3. Enter VLAN Interface Configuration mode:
interface vlan <1-4059>
4. Configure the broadcast mask:
ip forward-protocol udp broadcastmask {A.B.C.D}
5. Configure the maximum time to live:
ip forward-protocol udp maxttl <1-16>
6. Confirm your configuration:
show ip forward-protocol udp portfwdlist <1-1000> [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example
Switch:1> enable
Switch:1# configure terminal

Configure the UDP port forwarding list:


Switch:1(config)# ip forward-protocol udp portfwdlist 1

Enter VLAN Interface Configuration mode:


Switch:1(config)# interface vlan 3

Configure the broadcast mask:


Switch:1(config-if)# ip forward-protocol udp broadcastmask 192.0.2.255

Configure the maximum time to live:


Switch:1(config-if)# ip forward-protocol udp maxttl 10

Confirm the configuration:


Switch:1(config-if)# show ip forward-protocol udp portfwdlist

Variable definitions
Use the data in the following table to use the ip forward-protocol udp portfwdlist
command.

Variable Value
<1-1000> Creates a UDP port forwarding list in the range of
1–1000.
<1-65535> {A.B.C.D} Adds a UDP protocol port to the specified port
forwarding list.
1-65535 is a UDP protocol port in the range of
1–65535.
A.B.C.D is an IP address in a.b.c.d format.
Use the no operator to remove or delete a port
forwarding list ID: no ip forward-protocol udp
portfwdlist <1-1000> <1-65535> <A.B.C.D>.
To configure this option to use the default value,
use the default operator with this command.
name WORD<0-15> Changes the name of the port forwarding list.


Use the data in the following table to use the ip forward-protocol udp command.

Variable Value
broadcastmask {A.B.C.D} Configures the interface broadcast mask (the interface broadcast
mask can be different from the interface mask).
A.B.C.D is an IP address in a.b.c.d format.
Use the no operator to delete the broadcast mask:
no ip forward-protocol udp broadcastmask {A.B.C.D}
To configure this option to the default value, use the default
operator with this command.
maxttl <1-16> Configures the maximum time-to-live value (TTL) for the UDP
broadcast forwarded by the interface. The range is 1–16.
portfwdlist <1-1000> Assigns the list to the VLAN.
vlan <1-4059> [portfwdlist <1-1000>] Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN
IDs 1 to 4059 are configurable and the system reserves VLAN IDs
4060 to 4094 for internal use. On switches that support the
vrf-scaling and spbm-config-mode boot configuration flags, if
you enable these flags, the system also reserves VLAN IDs 3500
to 3998. VLAN ID 1 is the default VLAN and you cannot create or
delete VLAN ID 1.
If you use the portfwdlist variable with the VLAN variable, it
assigns the list to the specified VLAN, regardless of which VLAN
context you currently configure.

Showing UDP forward information


Show UDP forward information to view information about the UDP forwarding characteristics of the
device. UDP forwarding only supports 128 entries.

About This Task

There are four show options:


• Show the interface information
• Show the port forward information
• Show the port forward list information
• Show the protocol information

Procedure

1. Enter Privileged EXEC mode:
enable
2. Display information about the UDP interface for all IP addresses or a specified IP address:
show ip forward-protocol udp interface [<A.B.C.D>] [vrf WORD<1-16>]
[vrfids WORD<0-512>]
3. Display the UDP port forwarding table:
show ip forward-protocol udp portfwd [vrf WORD<1-16>] [vrfids
WORD<0-512>]


4. Display the UDP port forwarding list table for the specified list or all lists on the device:
show ip forward-protocol udp portfwdlist [vrf WORD<1-16>] [vrfids
WORD<0-512>]
5. Display the UDP protocol table with the UDP port numbers for each supported or designated
protocol:
show ip forward-protocol udp [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example

Display the UDP protocol table with the UDP port numbers for each supported or designated protocol:
Switch:1>enable
Switch:1#show ip forward-protocol udp

================================================================================
Udp Protocol Tbl - GlobalRouter
================================================================================
UDP_PORT PROTOCOL_NAME
--------------------------------------------------------------------------------
37 Time Service
49 TACACS Service
53 DNS
69 TFTP
137 NetBIOS NameSrv
138 NetBIOS DataSrv

Variable Definitions
Use the data in the following table to use the show ip forward-protocol udp interface
command.

Variable Value
<A.B.C.D> Specifies the IP address for the interface in a.b.c.d format.
vrf WORD<1–16> Specifies the name of the VRF.
vrfids WORD<0–512> Specifies the ID of the VRF and is an integer in the range of 0
to 512.

IPv6 DHCP Relay Configuration using CLI

Configure a DHCP Relay Forwarding Path


Configure a forwarding path to specify the relay agent address and the DHCP server address to which
to forward packets.

To use DHCP Relay for IPv6, you must configure at least one forwarding path and enable the relay on
one interface.

Before You Begin

For a VRF other than GlobalRouter, the interface must be first associated to that VRF.


About This Task

The relay agent can use the IPv6 address of the interface or the VRRP global address linked to that
interface. The relay forwards the DHCP messages only if VRRP is in the master state, otherwise the relay
discards the messages.

You can configure only one relay agent on an interface. If you need to change the relay agent, you must
delete all the forwarding paths with the old relay agent, and then configure the new relay agent.

For scaling information on DHCP Relay forwarding paths, see VOSS Release Notes.

Procedure

1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF
context:
enable
configure terminal
Optional: router vrf WORD<1-16>
2. Configure a forwarding path:
ipv6 dhcp-relay fwd-path WORD<0-255> WORD<0-255> [enable]

If you configure the forwarding path globally, the relay agent address can be any configured IP
address of the relay interface or the VRRP global address linked to the relay interface.
3. To configure a forwarding path on an interface, enter Interface Configuration mode:
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
OR
interface vlan <1-4059>
4. Configure a forwarding path:
ipv6 dhcp-relay fwd-path WORD<0-255> [enable] [vrid WORD<1-255>]

If you configure the forwarding path on an interface, the relay agent address is either the smallest
IP configured on the interface or the first VRRP global address configured, if the relay is the VRRP
master. You do not specify the relay agent address as part of the command.

Note
IPv6 DHCP Relay is established only between agents within the context of each VRF.

Examples
Configure a forwarding path globally:
Switch:1(config)#ipv6 dhcp-relay fwd-path 1111::1111 1234::1234 enable

Configure a forwarding path on an interface:
Switch:1(config)#interface GigabitEthernet 1/1
Switch:1(config-if)#ipv6 dhcp-relay fwd-path 1234::1234 enable


Configure the VRRP master as the relay:
Switch:1(config-if)#ipv6 dhcp-relay fwd-path 1234::1234 vrid 12 enable

Variable Definitions
Use the data in the following table to use the ipv6 dhcp-relay fwd-path command.

Variable Value
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs 1
to 4059 are configurable and the system reserves VLAN IDs 4060 to 4094
for internal use. On switches that support the vrf-scaling and spbm-
config-mode boot configuration flags, if you enable these flags, the system
also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default VLAN and you
cannot create or delete VLAN ID 1.
enable Enables the forwarding path. The default is disabled.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following formats: a single slot and
port (slot/port), a range of slots and ports (slot/port-slot/port), or a series
of slots and ports (slot/port,slot/port,slot/port). If the platform supports
channelization and the port is channelized, you must also specify the sub-port
in the format slot/port/sub-port.
vrid WORD<1-255> Specifies the VRRP ID to use the VRRP master as the relay agent interface.
WORD<0-255> Specifies the IPv6 address of the DHCP server for the interface configuration.
WORD<0-255> WORD<0-255> Specifies the IPv6 address of the relay agent interface and the IPv6 address of
the DHCP server for the global configuration.

Configuring DHCP Relay for an interface


Configure the DHCP relay behavior on the interface.

About This Task

You can configure only one relay for a VLAN, regardless of how many addresses are configured on that
VLAN. The default address is the smallest address configured. If the relay is a VRRP address, the default
value is the first VRRP address configured.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.


2. Enable DHCP on the interface:
ipv6 dhcp-relay
3. Configure the maximum hop count:
ipv6 dhcp-relay max-hop <1–32>
4. Enable the remote ID:
ipv6 dhcp-relay remote-id

Example

Configure the maximum hop count:

Switch:1(config-if)#ipv6 dhcp-relay max-hop 30

Disable the remote ID:

Switch:1(config-if)#no ipv6 dhcp-relay remote-id

Variable Definitions
Use the data in the following table to use the ipv6 dhcp-relay command.

Variable Value
max-hop <1–32> Specifies the maximum number of hops a DHCP packet can take from the DHCP
client to the DHCP server. The default is 32.
remote-id Enables the relay agent to add information about the relay to DHCPv6 messages
before relaying the messages to the DHCP server. The default is disabled.

Use the data in the following table to use the interface command.

Variable Value
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs 1 to 4059
are configurable and the system reserves VLAN IDs 4060 to 4094 for internal
use. On switches that support the vrf-scaling and spbm-config-mode boot
configuration flags, if you enable these flags, the system also reserves VLAN IDs
3500 to 3998. VLAN ID 1 is the default VLAN and you cannot create or delete
VLAN ID 1.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following formats: a single slot and port
(slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and
ports (slot/port,slot/port,slot/port). If the platform supports channelization and
the port is channelized, you must also specify the sub-port in the format
slot/port/sub-port.
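
The forwarding path, max-hop and remote-id settings above control how the relay wraps client traffic in a DHCPv6 Relay-forward message (RFC 8415, with the Remote-ID option from RFC 4649). The following Python sketch is an added illustration, not VOSS code: the client address fe80::1, the second relay address 2001:db8::1, the documentation enterprise number 32473 and the remote ID bytes are constructed, and the page does not state what the switch itself places in the remote ID.

```python
import ipaddress
import struct

SOLICIT, RELAY_FORW = 1, 12                             # DHCPv6 message types (RFC 8415)
OPT_CLIENTID, OPT_RELAY_MSG, OPT_REMOTE_ID = 1, 9, 37   # RFC 8415 and RFC 4649
DOC_ENTERPRISE = 32473   # enterprise number reserved for documentation (assumption)


def option(code, data):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def relay_forward(msg, peer, link_addr, max_hop=32, remote_id=None):
    """Wrap a received DHCPv6 message in a Relay-forward, or return None to discard.

    msg       - message as received (from a client or from another relay)
    peer      - source address of the received message
    link_addr - relay agent address on the receiving interface
    max_hop   - value of 'ipv6 dhcp-relay max-hop' (page default: 32)
    remote_id - bytes carried in the Remote-ID option when remote-id is enabled
    """
    if not msg:
        raise ValueError("empty message")
    peer_ip = ipaddress.IPv6Address(peer)
    link_ip = ipaddress.IPv6Address(link_addr)
    hop = 0                                   # a client message starts at hop count 0
    if msg[0] == RELAY_FORW:
        if len(msg) < 34:
            raise ValueError("truncated Relay-forward")
        if msg[1] >= max_hop:
            return None                       # hop limit reached: ends relay loops
        hop = msg[1] + 1
        if not peer_ip.is_link_local:
            link_ip = ipaddress.IPv6Address("::")   # previous relay is off-link
    out = bytes([RELAY_FORW, hop]) + link_ip.packed + peer_ip.packed
    out += option(OPT_RELAY_MSG, msg)         # the received message, carried unchanged
    if remote_id is not None:
        out += option(OPT_REMOTE_ID, struct.pack("!I", DOC_ENTERPRISE) + remote_id)
    return out


def parse_relay_forward(pkt):
    """Decode a Relay-forward into (hop count, link address, peer address, options)."""
    if len(pkt) < 34 or pkt[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    opts, i = {}, 34
    while i < len(pkt):
        if i + 4 > len(pkt):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", pkt, i)
        if i + 4 + length > len(pkt):
            raise ValueError("truncated option data")
        opts[code] = pkt[i + 4:i + 4 + length]
        i += 4 + length
    link = ipaddress.IPv6Address(pkt[2:18])
    peer = ipaddress.IPv6Address(pkt[18:34])
    return pkt[1], link, peer, opts


def make_solicit():
    """Constructed client Solicit: type, 3-byte transaction ID, client DUID-LL."""
    duid = bytes.fromhex("00030001020000000099")
    return bytes([SOLICIT]) + bytes.fromhex("a1b2c3") + option(OPT_CLIENTID, duid)


def demo():
    """Relay a Solicit through two agents, then present a message at the hop limit."""
    solicit = make_solicit()
    first = relay_forward(solicit, "fe80::1", "1111::1111", max_hop=30,
                          remote_id=b"relay-1")
    second = relay_forward(first, "1111::1111", "2001:db8::1", max_hop=30)
    at_limit = bytes([RELAY_FORW, 30]) + first[2:]      # hop count already 30
    dropped = relay_forward(at_limit, "1111::1111", "2001:db8::1", max_hop=30)
    return first, second, dropped


if __name__ == "__main__":
    for label, pkt in zip(("first relay", "second relay", "at limit"), demo()):
        print(label, "discarded" if pkt is None else parse_relay_forward(pkt)[:3])
```
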

View DHCP Relay Information


View DHCP Relay information to display the current configuration for the forwarding path and the
interface configuration.

About This Task

Not all parameters are available in non-default VRFs.


Procedure

1. Enter Privileged EXEC mode:
enable
2. View DHCP Relay global information:
show ipv6 dhcp-relay {counters [vrf WORD<1–16> | vrfids WORD<0–512>] |
fwd-path [vrf WORD<1–16> | vrfids WORD<0–512>]}
3. View IPv6 DHCP Relay interface configuration:
show ipv6 dhcp-relay interface {gigabitEthernet {slot/port[/sub-port]
[-slot/port[/sub-port]] [,...]} | vlan <1-4059>}

Note
The no ipv6 dhcp-relay command disables DHCP on the interface but does not
delete the entry.

Example
Switch:1(config-if)#show ipv6 dhcp-relay fwd-path

================================================================================
DHCPv6 Fwd-path - GlobalRouter
================================================================================
INTERFACE SERVER ENABLE
--------------------------------------------------------------------------------
1111:0:0:0:0:0:0:1111 1234:0:0:0:0:0:0:1234 enable

Variable Definitions
Use the information in the following table to help you use the show ipv6 dhcp-relay command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following formats: a single slot
and port (slot/port), a range of slots and ports (slot/port-slot/port), or
a series of slots and ports (slot/port,slot/port,slot/port). If the platform
supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.
vlan <1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs
1 to 4059 are configurable and the system reserves VLAN IDs 4060 to
4094 for internal use. On switches that support the vrf-scaling and
spbm-config-mode boot configuration flags, if you enable these flags,
the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
VLAN and you cannot create or delete VLAN ID 1.
vrf WORD<1–16> Specifies the VRF name.
vrfids WORD<0–512> Specifies the VRF ID.

Viewing IPv6 DHCP Relay Statistics


Display individual IPv6 DHCP Relay statistics for specific interfaces to manage network performance.


Procedure

1. To enter User EXEC mode, log on to the switch.
2. View statistics:
show ipv6 dhcp-relay counters

Note
Use the sys action reset counters command to clear DHCP Relay statistics.

Example
Switch:1#show ipv6 dhcp-relay counters

================================================================================
DHCPv6 Counters
================================================================================
INTERFACE REQUESTS REPLIES
--------------------------------------------------------------------------------
1111:0:0:0:0:0:0:1111 1 1

DHCP and UDP configuration using Enterprise Device Manager


Dynamic Host Configuration Protocol (DHCP), an extension of the Bootstrap Protocol (BootP),
dynamically provides host configuration information to workstations. To lower administrative overhead,
network managers prefer to configure a small number of DHCP servers in a central location. Using few
DHCP servers requires the routers connecting to the subnets or bridge (or VLAN) domains to support
the BootP/DHCP relay function so that hosts can retrieve the configuration information from servers
several router hops away.

User datagram protocol (UDP) is a connectionless protocol that adds reliability and multiplexing to IP.
It describes how messages reach application programs within a destination computer. Some network
applications, such as the NetBIOS name service, rely on a UDP broadcast to request a service or to
locate a service. By default, broadcasts are not forwarded by a router. UDP broadcast forwarding is a
generalized mechanism for the router to selectively forward UDP broadcasts.

Important
BootP/DHCP relays are supported only on IP routed port-based VLANs and protocol-based
VLANs.

Before You Begin

You must enable DHCP relay on the path for port or VLAN configuration to take effect.

Configuring DHCP on a brouter port or a VRF instance


Before You Begin
• You must first enable BootP/DHCP relay on a port (or VLAN).
• You must enable DHCP and forwarding path.
• You must enable IP Routing on the interface.


About This Task

Use the DHCP tab to configure the DHCP behavior on a brouter port or a VRF instance. The DHCP tab is
available only if the port is routed (that is, assigned an IP address).

Procedure

1. In the Device Physical View tab, select a port.
2. In the navigation tree, expand the following folders: Configuration > Edit > Port.
3. Click IP.
4. Click the DHCP Relay tab.
5. Click Enable to select the DHCP option. The default is disable.
6. Configure the other parameters as needed.
7. Click Apply.

DHCP field descriptions


Use data from the following table in the DHCP Relay tab.

Name Description
Enable Lets you use BootP/DHCP on the port. The default is disable.
MaxHop Sets the maximum number of hops before a BootP/DHCP packet is
discarded (1 to 16). The default is 4.
MinSec The secs field in the BootP/DHCP packet header represents the elapsed time
since the client first sent the message. If the secs field in the packet header is
greater than this value, the system relays or forwards the packet; otherwise,
the packet is dropped. The default is 0 seconds.
Mode Sets the interface to process only BootP, only DHCP, or both types of
packets. The default is both.
AlwaysBroadcast When enabled, the server reply is sent as a broadcast back to the end
station. The default is disable.
CircuitId Indicates whether DHCP Relay inserted the option 82 circuit ID information
into the DHCP packets before sending the DHCP packets to the DHCP server.
The default is disable.
RemoteId Indicates whether DHCP Relay inserted the option 82 remote ID information
into the DHCP packets before sending the DHCP packets to the DHCP server.
The default is disable.
Trusted Indicates if DHCP packets come through a trusted DHCP circuit. Only
packets with GIADDR configured to 0 and containing option 82 are
forwarded if the circuit is trusted. The default value is false.

Configuring BootP/DHCP on a VLAN or VRF instance


Before You Begin
• You must enable IP Routing on the interface.


About This Task

Use the DHCP Relay tab to configure the DHCP behavior on a VLAN. The DHCP Relay tab is available
only if the VLAN is routed and is assigned an IP address.

Procedure

1. In the navigation tree, expand the following folders: Configuration > VLAN.
2. Click VLANs > Basic.
3. Select a VLAN.
4. Click IP.
5. Click the DHCP Relay tab.
6. Select Enable.
7. Configure the parameters as required.
8. Click Apply.

DHCP Relay field descriptions


Use the data in the following table to use the DHCP Relay tab.

Variable Value
Enable Lets you use BootP/DHCP on the port. The default
is disable.
MaxHop Sets the maximum number of hops a BootP/DHCP
packet can take from the DHCP client to the DHCP
server. The maximum number of hops is 16. The
default is 4.
MinSec Represents the minimum number of seconds
to wait between receiving a DHCP packet and
forwarding the DHCP packet to the DHCP server.
A value of 0 indicates that forwarding is done
immediately. The default value is 0.
Mode Indicates the type of DHCP packet required. The
options are:
• bootp
• dhcp
• both
The default is both.
AlwaysBroadcast When enabled, the DHCP Reply packets are sent
as a broadcast to the DHCP client. The default is
disable.
CircuitId Indicates whether DHCP Relay inserted the option
82 circuit ID information into the DHCP packets
before sending the DHCP packets to the DHCP
server. The default is disable.

RemoteId Indicates whether DHCP Relay inserted the option
82 remote ID information into the DHCP packets
before sending the DHCP packets to the DHCP
server. The default is disable.
Trusted Indicates if DHCP packets come through a
trusted DHCP circuit. Only packets with GIADDR
configured to 0 and containing option 82 are
forwarded if the circuit is trusted. The default
value is false.

Configure DHCP Relay


About This Task

After you configure the BOOTP/DHCP relay on an IP interface, you can configure forwarding paths to
indicate where packets are forwarded. The forwarding paths are based on the type of packet and where
the packet is received.

Procedure

1. In the navigation tree, expand Configuration > IP.
2. Select DHCP Relay.
3. Select the Globals tab.
4. Select Insert.
5. In the AgentAddr box, type the agent address.
6. In the ServerAddr list, type the server address.
7. Select Enable to enable BOOTP/DHCP relay. You can enable or disable each agent server forwarding
policy. The default is enabled.
8. In the Mode box, select the type of messages to relay.
Both the mode setting for the DHCP interface and the mode setting for the agent interface
determine which packets are forwarded.
9. Select SrcPort67 to configure the source port for the BOOTP/DHCP relay request.

Note
This step does not apply to VSP 8600 Series.

10. Select Insert.


Globals field descriptions


Use the data in the following table to use the Globals tab.

Name Description
AgentAddr The IP address of the input interface (agent)
on which the BOOTP/DHCP request packets are
received for forwarding. This address is the IP
address of either a brouter port or a VLAN for
which forwarding is enabled.
ServerAddr This parameter is either the IP address of the
BOOTP/DHCP server or the address of another
local interface.
• If it is the address of the BOOTP/DHCP server,
the request is unicast to the server address.
• If the address is one of the IP addresses
of an interface on the system, the BOOTP/
DHCP requests are broadcast out of that local
interface.

Enable Enables BOOTP/DHCP relay.


Mode Specifies the type of messages relayed:
• Only BOOTP
• Only DHCP
• Both types of messages
The default is to forward both BOOTP and DHCP
messages.
SrcPort67 Assigns source port 67 to the UDP forwarding
path. The default is source port 68.
Note:
Exception: not supported on VSP 8600 Series.

Viewing DHCP relay configuration information


About This Task

Use the DHCP Relay Interfaces tab to view configuration information about the DHCP relay. To change
the configuration information, double-click the value in the field under the required interface, and enter
a new value.

Procedure

1. In the navigation tree, expand the following folders: Configuration > IP.
2. Click DHCP Relay.
3. Click the Interfaces tab.


Interfaces field descriptions


Use the data in the following table to use the Interfaces tab.

Variable Value
IfIndex A read-only interface number that represents a
physical interface, or the VLAN logical interface.
MaxHop Sets the maximum number of hops a DHCP
packet can take from the DHCP client to the DHCP
server. The maximum number of hops is 16. The
default is 4.
MinSec Represents the minimum number of seconds
to wait between receiving a DHCP packet and
forwarding the DHCP packet to the DHCP server.
A value of 0 indicates that forwarding is done
immediately. The default value is 0.
Mode Indicates the type of DHCP packet required. The
options are:
• bootp
• dhcp
• both
The default is both.
AlwaysBroadcast Indicates if DHCP Reply packets can be sent as a
broadcast to the DHCP client. The default is false.
CircuitId Indicates whether DHCP Relay inserted the option
82 circuit ID information into the DHCP packets
before sending the DHCP packets to the DHCP
server. The default is disable.
RemoteId Indicates whether DHCP Relay inserted the option
82 remote ID information into the DHCP packets
before sending the DHCP packets to the DHCP
server. The default is disable.
Trusted Indicates if DHCP packets come through a
trusted DHCP circuit. Only packets with GIADDR
configured to 0 and containing option 82 are
forwarded if the circuit is trusted. The default
value is false.

Viewing DHCP Statistics for an Interface


View DHCP statistics to manage network performance.

Procedure

1. In the navigation pane, expand the Configuration > IP folders.
2. Click DHCP Relay.
3. Click the Interfaces Stats tab.


Interfaces Stats Field Descriptions


Use the data in the following table to use the Interfaces Stats tab.

Name Description
IfIndex Identifies the physical interface.
AgentAddr Shows the IP address configured as the relay on this interface. This
address is either the IP of the physical interface or the IP of the VRRP
address.
NumRequests Shows the number of DHCP and BootP requests on this interface.
NumReplies Shows the number of DHCP and BootP replies on this interface.

Graphing DHCP Statistics for a Port


View DHCP statistics to manage network performance.

Procedure

1. In the Device Physical View, select a port.
2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Port.
4. Click the DHCP tab.
5. Select one or more values.
6. Click the type of graph to create.

DHCP Field Descriptions


The following table describes parameters on the DHCP tab.

Name Description
NumRequests The number of DHCP and/or BootP requests on this interface.
NumReplies The number of DHCP and/or BootP replies on this interface.

Viewing DHCP Statistics for a Port


View DHCP statistics to manage network performance.

Procedure

1. In the Device Physical view, select a port.
2. In the navigation pane, expand the Configuration > Edit > Port folders.
3. Click IP.
4. Click the DHCP Relay tab.
5. Click Graph.
6. Select one or more values.
7. Click the type of graph.


DHCP Stats Field Descriptions


Use the data in the following table to use the DHCP Stats tab.

Name Description
NumRequests The number of DHCP and BootP requests on this interface.
NumReplies The number of DHCP and BootP replies on this interface.

Displaying DHCP-relay Statistics for Option 82


Display DHCP-relay statistics for all interfaces to manage network performance.

Procedure
1. In the navigation pane, expand the Configuration > IP folders.
2. Click DHCP-Relay.
3. Click the Option 82 Stats tab.

Option 82 Stats Field Descriptions


Use the data in the following table to use the Option 82 Stats tab.

Name Description
IfIndex Shows the name of the interface on which you
enabled option 82. Shows the port number if the
interface is a brouter port or the VLAN number if
the interface is a VLAN.
AgentAddr Shows the IP address configured as the relay on
this interface. This address is either the IP of the
physical interface or the IP of the VRRP address.
FoundOp82 Shows the number of packets that the interface
received that already had option 82 in them.
Dropped Shows the number of packets the interface
dropped because of option 82–related issues.
These reasons could be that the packet was
received from an untrusted source or spoofing
was detected. To determine the cause of the drop,
you must enable trace on level 170.
CircuitId Shows the value inserted in the packets as the
circuit ID. The value is the index of the interface.
AddedCircuitId Shows the number of packets (requests from client
to server) into which the circuit ID was inserted for
that interface.
If you expect this value to increase but it does
not, and the interface does not drop a packet, it is
possible the packet does not have enough space
to insert the option. You must enable trace on
level 170 to determine the cause.

RemovedCircuitId Shows the number of packets (replies from server
to client) from which the circuit ID was removed for
that interface.
RemoteId Shows the value inserted in the packets as the
remote ID. The value is the MAC address of the
interface.
AddedRemoteId Shows the number of packets (requests from client
to server) into which the remote ID was inserted for
that interface.
If you expect this value to increase but it does
not, and the interface does not drop a packet, it is
possible the packet does not have enough space
to insert the option. You must enable trace on
level 170 to determine the cause.
RemovedRemoteId Shows the number of packets (replies from server
to client) from which the remote ID was removed for
that interface.
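
The Trusted setting and the FoundOp82, Dropped and Added counters above follow the relay agent rules of RFC 3046. As an added illustration (not VOSS code or output), this Python model applies those rules to constructed DHCP requests and keeps the same counters; the addresses, the interface index 2060, the 4-byte circuit ID encoding and the 576-byte size limit are assumptions, and the MaxHop and MinSec checks are left out.

```python
import struct
from collections import Counter

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
PAD, END, RELAY_INFO = 0, 255, 82      # option codes (RFC 2132, RFC 3046)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2   # option 82 sub-option codes (RFC 3046)
ZERO = b"\x00" * 4


def find_options(pkt):
    """Return ({code: value}, offset of the END option) for a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != END:
        if pkt[i] == PAD:
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return opts, i


class Option82Relay:
    """Model of one relay interface with the Option 82 Stats counters."""

    def __init__(self, agent_addr, if_index, mac, trusted=False, max_len=576):
        self.agent_addr = agent_addr     # 4-byte relay address written into giaddr
        self.trusted = trusted           # the Trusted field (page default: false)
        self.max_len = max_len           # assumed message size limit, not from the page
        # Page: the circuit ID is the interface index, the remote ID is the interface
        # MAC. Encoding the index as 4 big-endian bytes is an assumption.
        self.circuit_id = struct.pack("!I", if_index)
        self.remote_id = mac
        self.stats = Counter()

    def relay_request(self, pkt):
        """Return the request to send to the server, or None if it is dropped."""
        opts, end = find_options(pkt)
        giaddr = pkt[24:28]
        if RELAY_INFO in opts:
            self.stats["FoundOp82"] += 1
            if giaddr == ZERO and not self.trusted:
                # Option 82 arriving with giaddr 0 on an untrusted circuit
                self.stats["Dropped"] += 1
                return None
        if giaddr != ZERO:
            return pkt                   # relayed upstream already: forward unchanged
        out = pkt[:24] + self.agent_addr + pkt[28:]
        if RELAY_INFO in opts:
            return out                   # trusted circuit: keep the existing option 82
        body = (bytes([SUB_CIRCUIT_ID, len(self.circuit_id)]) + self.circuit_id +
                bytes([SUB_REMOTE_ID, len(self.remote_id)]) + self.remote_id)
        opt82 = bytes([RELAY_INFO, len(body)]) + body
        if end + len(opt82) + 1 > self.max_len:
            return out                   # no room: relayed without option 82, not dropped
        self.stats["AddedCircuitId"] += 1
        self.stats["AddedRemoteId"] += 1
        return (out[:end] + opt82 + bytes([END])).ljust(len(pkt), b"\x00")


def make_request(giaddr=ZERO, extra=b""):
    """Constructed DHCPDISCOVER: BOOTP header, cookie, option 53, extra options, END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                      ZERO, ZERO, ZERO, giaddr, bytes.fromhex("020000000099"), b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1]) + extra + bytes([END])


def demo():
    """Run constructed requests through an untrusted and a trusted interface."""
    agent, mac = bytes([192, 0, 2, 1]), bytes.fromhex("020000000001")
    forged = bytes([RELAY_INFO, 6, SUB_CIRCUIT_ID, 4]) + b"FAKE"   # client-supplied
    untrusted = Option82Relay(agent, 2060, mac)
    trusted = Option82Relay(agent, 2060, mac, trusted=True)
    results = {
        "clean": untrusted.relay_request(make_request()),
        "forged_untrusted": untrusted.relay_request(make_request(extra=forged)),
        "forged_trusted": trusted.relay_request(make_request(extra=forged)),
    }
    return results, untrusted.stats, trusted.stats


if __name__ == "__main__":
    res, u, t = demo()
    for name, pkt in res.items():
        print(name, "dropped" if pkt is None else find_options(pkt)[0][RELAY_INFO].hex())
    print("untrusted:", dict(u), "trusted:", dict(t))
```
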

Graphing DHCP Statistics for a VLAN


View DHCP statistics to manage network performance.

Procedure

1. In the navigation pane, expand the Configuration > VLAN folders.
2. Click VLANs.
3. On the Basic tab, select a VLAN.
4. Click IP.
5. Click the DHCP Relay tab.
6. Click Graph.
7. Select one or more values.
8. Click the type of graph.

DHCP Stats Field Descriptions


Use the data in the following table to use the DHCP Stats tab.

Name Description
NumRequests The number of DHCP and BootP requests on this interface.
NumReplies The number of DHCP and BootP replies on this interface.


Managing UDP forwarding protocols


About This Task

The switch configures the following protocols, by default:


• Time Service
• Terminal Access Controller Access Control System (TACACS) Service
• Domain Name System (DNS)
• Trivial file transfer protocol (TFTP)
• Network Basic Input/Output System (NetBIOS) NameSrv
• NetBIOS DataSrv

You can use these protocols to create forwarding entries and lists, but you cannot delete them. You can
add other protocols to the list of protocols and remove them again.

Procedure

1. In the navigation tree, expand the following folders: Configuration > IP.
2. Click UDP Forwarding.
3. Click Insert.
4. In the PortNumber field, type a UDP port number.
This number defines the UDP port used by the server process as its contact port. The range is from 1
to 65535 and cannot be one of the UDP port numbers or a number previously assigned.
5. In the Name field, type a name for the protocol.
6. Click Insert.
The protocol is added to the Protocol table. After you create a protocol, you cannot change its name
or number.

Protocols field descriptions


Use the data in the following table to use the Protocols tab.

Name Description
PortNumber Defines the UDP port (1 to 65535).
Name Specifies an administratively assigned name for this list (0 to
15 characters).

Managing UDP forwarding


About This Task

You manage UDP forwarding by defining the destination addresses for the UDP protocol.

Procedure

1. In the navigation tree, expand the following folders: Configuration > IP.
2. Click UDP Forwarding.
3. Click the Forwardings tab.


4. Click Insert.
5. In the Insert Forwardings dialog box, select a destination UDP port from the defined protocols in the
DestPort box.
6. Enter a destination IP address in the DestAddr box.
The destination address can be any IP server address for the protocol application or the IP address
of an interface on the router.
7. Click Insert. The information is added to the Forwarding tab.

Forwardings field descriptions


Use the data in the following table to use the Forwardings tab.

Name Description
DestPort Specifies the port number defined for UDP, depending
upon the protocol type.
DestAddr Specifies the destination address, which can be any IP server
address for the protocol application or the IP address of
an interface on the router:
• If the address is that of a server, the packet is sent as
a unicast packet to this address.
• If the address is that of an interface on the router, the
frame is rebroadcast.

Id Specifies an integer that identifies this entry internally.


NumFwdPackets Specifies the total number of UDP broadcast packets
forwarded using this policy.
NumDropPacketsTtlExpired Specifies the total number of UDP broadcast packets
dropped because the time-to-live value (TTL) expired.
NumDropPacketsDestUnreach Specifies the total number of UDP broadcast packets
dropped because the specified destination address was
unreachable.

Creating the forwarding profile


About This Task

A forwarding profile is a collection of port and destination pairs. When you configure UDP forwarding
list entries, be sure to first configure the UDP forwarding list. Then, configure your UDP forwarding list
entries and assign them to a UDP forwarding list. If you do not assign a UDP forwarding list entry to at
least one UDP forwarding list, the UDP forwarding list is lost after a restart.

Procedure

1. In the navigation tree, expand the following folders: Configuration > IP.
2. Click UDP Forwarding.
3. Click the Forwarding Lists tab.
4. Click Insert.
5. In the Id field, type the forwarding list ID.


6. In the Name field, type the name of the forwarding list if required.
The system displays the forwarding list in the FwdIdList box.
7. Click Insert.

Forwarding Lists field descriptions


Use the data in the following table to use the Forwarding Lists tab and Insert Forwarding Lists dialog
box.

Name Description
Id Specifies a value that uniquely identifies this list of entries (1 to 1000).
Name Specifies an administratively assigned name for this list (0 to 15 characters).
FwdIdList Specifies the zero or more port forwarding entries associated with this list.
Each list identifier is stored as 2 bytes in this array, starting from 0 bytes
(size=64). Clicking on the ellipsis (...) button in this field displays the ID list.

Managing the broadcast interface


About This Task

Manage the broadcast interface by specifying and displaying which router interfaces can receive UDP
broadcasts to forward.

Procedure

1. In the navigation tree, expand the following folders: Configuration > IP.
2. Click UDP Forwarding.
3. Click the Broadcast Interfaces tab.
4. Click Insert.
5. In the LocalIfAddr field, click the ellipsis (...) to select a local interface IP address from the list, and
then click OK.
6. In the UdpPortFwdListId field, click the ellipsis (...) to select a forwarding list ID from the list, and
then click OK.
7. In the MaxTtl field, type the maximum number of hops an IP broadcast can take from the source
device to the destination device (the default is 4; the range is 1 to 16).
8. In the BroadCastMask field, enter the subnet mask of the local interface that broadcasts the UDP
broadcast packets.
When you configure the UDP forwarding broadcast mask, the broadcast mask must be less specific
(shorter in length) or equally specific (equal in length) to the subnet mask of the IP interface on
which it is configured. If the UDP forwarding broadcast mask is more specific than the subnet mask
of the corresponding IP interface, UDP forwarding does not function properly.
9. Click Insert.
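
The broadcast mask rule in step 8 and the MaxTtl range in step 7 can be checked before the values are typed into EDM. The following is an added example, not part of the original guide or of VOSS: the function names and the `IfSubnetMask` key (the subnet mask of the IP interface, which is not an EDM field on this tab) are assumptions, and the sample rows are constructed.

```python
import ipaddress

# MaxTtl range stated in the procedure: 1 to 16 (default 4).
MAX_TTL_MIN, MAX_TTL_MAX = 1, 16


def mask_to_prefix(mask):
    """Convert a dotted-decimal subnet mask to a prefix length.

    Raises ValueError when the mask is malformed or its one-bits are
    not contiguous (for example 255.0.255.0).
    """
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    # A valid mask inverts to 0b0...01...1, so adding 1 clears every set bit.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return 32 - inverted.bit_length()


def check_broadcast_interface(entry, defined_list_ids):
    """Return a list of findings for one planned Broadcast Interfaces row."""
    findings = []
    try:
        if_prefix = mask_to_prefix(entry["IfSubnetMask"])
        bc_prefix = mask_to_prefix(entry["BroadCastMask"])
    except ValueError as exc:
        findings.append(f"invalid mask: {exc}")
    else:
        # The broadcast mask must be shorter than or equal in length to
        # the subnet mask of the IP interface it is configured on.
        if bc_prefix > if_prefix:
            findings.append(
                f"BroadCastMask /{bc_prefix} is more specific than the "
                f"interface subnet mask /{if_prefix}"
            )
    if not MAX_TTL_MIN <= entry["MaxTtl"] <= MAX_TTL_MAX:
        findings.append(f"MaxTtl {entry['MaxTtl']} is outside 1 to 16")
    list_id = entry["UdpPortFwdListId"]
    if list_id == 0:
        findings.append("UdpPortFwdListId 0: interface cannot forward UDP broadcasts")
    elif list_id not in defined_list_ids:
        findings.append(f"UdpPortFwdListId {list_id} is not a defined forwarding list")
    return findings


def audit(entries, defined_list_ids):
    """Map LocalIfAddr to its findings, omitting rows that pass every check."""
    report = {}
    for entry in entries:
        findings = check_broadcast_interface(entry, defined_list_ids)
        if findings:
            report[entry["LocalIfAddr"]] = findings
    return report


# Constructed sample rows (documentation address ranges), not real device data.
DEFINED_LISTS = {1, 2}
PLANNED = [
    {"LocalIfAddr": "192.0.2.1", "IfSubnetMask": "255.255.255.0",
     "BroadCastMask": "255.255.255.0", "MaxTtl": 4, "UdpPortFwdListId": 1},
    {"LocalIfAddr": "198.51.100.1", "IfSubnetMask": "255.255.255.0",
     "BroadCastMask": "255.255.255.128", "MaxTtl": 4, "UdpPortFwdListId": 2},
    {"LocalIfAddr": "203.0.113.1", "IfSubnetMask": "255.255.255.0",
     "BroadCastMask": "255.255.0.0", "MaxTtl": 32, "UdpPortFwdListId": 0},
    {"LocalIfAddr": "192.0.2.129", "IfSubnetMask": "255.255.255.128",
     "BroadCastMask": "255.0.255.0", "MaxTtl": 4, "UdpPortFwdListId": 7},
]

if __name__ == "__main__":
    for address, findings in audit(PLANNED, DEFINED_LISTS).items():
        for finding in findings:
            print(f"{address}: {finding}")
```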

Broadcast Interfaces field descriptions


Use the data in the following table to use the Broadcast Interfaces tab.

| Name | Description |
| --- | --- |
| LocalIfAddr | Specifies the IP address of the local router interface that receives forwarded UDP broadcast packets. |
| UdpPortFwdListId | Specifies the number of the UDP lists or profiles that this interface is configured to forward (0 to 100). A value of 0 indicates that the interface cannot forward any UDP broadcast packets. |
| MaxTtl | Specifies the maximum number of hops an IP broadcast packet can take from the source device to the destination device (the default is 4; the range is 1 to 16). |
| NumRxPkts | Specifies the total number of UDP broadcast packets received by this local interface. |
| NumFwdPkts | Specifies the total number of UDP broadcast packets forwarded by this local interface. |
| NumDropPktsMaxTtlExpired | Specifies the total number of UDP broadcast packets dropped because the time-to-live (TTL) value expired. |
| NumDropPktsDestUnreach | Specifies the total number of UDP broadcast packets dropped because the destination was unreachable. |
| NumDropPktsUnknownPort | Specifies the total number of UDP broadcast packets dropped because the destination port or protocol specified has no matching forwarding policy. |
| BroadCastMask | Specifies the subnet mask of the local interface that broadcasts the UDP broadcast packets. |

Viewing UDP endpoint information


View UDP Endpoints to confirm correct configuration.

About This Task

You can use UDP endpoint information to display local and remote UDP activity.

Since UDP is a protocol used to establish connectionless network sessions, you need to monitor local
and remote UDP activity and to know which applications are running over UDP.

You can determine which applications are active by checking the port number.

Processes are further identified with a UDP session to allow for the multiplexing of a port mapping for
UDP.

Procedure

1. In the navigation pane, expand the Configuration > IP folders.


2. Click TCP/UDP.
3. Click the UDP Endpoints tab.

UDP Endpoints field descriptions


Use the data in the following table to use the UDP Endpoints tab.

| Name | Description |
| --- | --- |
| LocalAddressType | Displays the local address type (IPv6 or IPv4). |
| LocalAddress | Displays the local IPv6 address. |
| LocalPort | Displays the local port number. |
| RemoteAddressType | Displays the remote address type (IPv6 or IPv4). |
| RemoteAddress | Displays the remote IPv6 address. |
| RemotePort | Displays the remote port number. |
| Instance | Distinguishes between multiple processes connected to the UDP endpoint. |
| Process | Displays the ID for the UDP process. |

IPv6 DHCP Relay Configuration using EDM

Configure a DHCP Relay Forwarding Path


Configure a forwarding path to specify the relay agent address and the DHCP server address to which
to forward packets.

To use DHCP Relay for IPv6, you must configure at least one forwarding path and enable the relay on
one interface.

Before You Begin

Change the VRF instance as required to configure a DHCP Relay forwarding path on a specific VRF
instance. Not all parameters are configurable on non-default VRFs.

About This Task

The relay agent can use the IPv6 address of the interface or the VRRP global address linked to that
interface. The relay forwards the DHCP messages only if VRRP is in the Master state, otherwise the relay
discards the messages.

You can configure only one relay agent on an interface. If you need to change the relay agent, you must
delete all the forwarding paths with the old relay agent, and then configure the new relay agent.

For scaling information on DHCP Relay forwarding paths, see VOSS Release Notes.

Procedure

1. In the navigation tree, expand Configuration > IPv6.


2. Select DHCP Relay.
3. Select the Forward Path tab.
4. Select Insert.

5. In the AgentAddr field, type the address of the input interface that forwards the packets.
6. In the ServerAddr field, type the address of the DHCP server.
7. Select Enabled.
8. Select Insert.

Forward Path field descriptions


Use the data in the following table to use the Forward Path tab.

| Name | Description |
| --- | --- |
| AgentAddr | Specifies the IP address of the input interface (relay agent) on which the DHCP request packets are received for forwarding. This address is the IPv6 or VRRP global address of either a brouter port or a VLAN for which forwarding is enabled. |
| ServerAddr | Specifies the IP address of the DHCP server. The request is unicast to the server address. |
| Enabled | Enables DHCP Relay for the system. The default is disabled (clear). |

Configuring DHCP Relay for an interface


Configure the DHCP relay behavior on the interface.

Before You Begin

Change the VRF instance as required to configure DHCP Relay for an interface on a specific VRF
instance. Not all parameters are configurable on non-default VRFs.

About This Task

You can configure only one relay for a VLAN, regardless of how many addresses are configured on that
VLAN. The default address is the smallest address configured. If the relay is a VRRP address, the default
value is the first VRRP address configured.

You can modify the DHCP Relay configuration for a brouter port through the Edit > Port > IPv6
navigation path, and for a VLAN through the VLAN > VLANs > Basic > IPv6 navigation path. This
procedure uses the main IPv6 navigation path where you can configure both types of interfaces.

Procedure

1. In the navigation tree, expand the following folders: Configuration > IPv6.
2. Click DHCP Relay.
3. Click the Interface tab.
4. Click Insert.
5. Beside the IfIndex field, click Port or Vlan.
6. Select a port or VLAN, and then click OK.
7. Click Insert.

Interface field descriptions


Use the data in the following table to use the Interface tab.

| Name | Description |
| --- | --- |
| IfIndex | Shows the unique value to identify an IPv6 interface. For the brouter port, the value is the ifindex of the port and, in the case of the VLAN, the value is the ifindex of the VLAN. |
| MaxHop | Specifies the maximum number of hops a DHCP packet can take from the DHCP client to the DHCP server. The default is 32. |
| RemoteIdEnabled | Enables the relay agent to add information about the relay to DHCPv6 messages before relaying the messages to the DHCP server. The default is disabled (clear or false). |

Modifying DHCP Relay for a VLAN


Modify the existing DHCP relay behavior on the VLAN interface.

About This Task

You can configure only one relay for a VLAN, regardless of how many addresses are configured on that
VLAN. The default address is the smallest address configured. If the relay is a VRRP address, the default
value is the first VRRP address configured.

Procedure

1. In the navigation tree, expand the following folders: Configuration > VLAN.
2. Click VLANs.
3. Click the Basic tab.
4. Select a VLAN.
5. Click IPv6.
6. Click the DHCP Relay tab.
7. Double-click a cell to change the value.
8. Click Apply.

DHCP field descriptions


Use the data in the following table to use the DHCP Relay tab.

| Name | Description |
| --- | --- |
| IfIndex | Shows the unique value to identify an IPv6 interface. |
| MaxHop | Specifies the maximum number of hops a DHCP packet can take from the DHCP client to the DHCP server. The default is 32. |
| RemoteIdEnabled | Enables the relay agent to add information about the relay to DHCPv6 messages before relaying the messages to the DHCP server. The default is disabled (clear or false). |
| DhcpEnabled | Enables (true) or disables (false) DHCP Relay for an interface with an existing DHCP Relay configuration. |

Modifying DHCP Relay for a port


Modify the existing DHCP relay behavior on the brouter port interface.

About This Task

The default address is the smallest address configured. If the relay is a VRRP address, the default value
is the first VRRP address configured.

Procedure

1. In the Device Physical View, select the port.


2. In the navigation pane, expand the following folders: Configuration > Edit > Port.
3. Click IPv6.
4. Click DHCP Relay.
5. Double-click a cell to change the value.
6. Click Apply.

DHCP Relay field descriptions


Use the data in the following table to use the DHCP Relay tab.

| Name | Description |
| --- | --- |
| IfIndex | Shows the unique value to identify an IPv6 interface. For the brouter port, the value is the ifindex of the port and, in the case of the VLAN, the value is the ifindex of the VLAN. |
| MaxHop | Specifies the maximum number of hops a DHCP packet can take from the DHCP client to the DHCP server. The default is 32. |
| RemoteIdEnabled | Enables the relay agent to add information about the relay to DHCPv6 messages before relaying the messages to the DHCP server. The default is disabled (clear or false). |
| DhcpEnabled | Enables (true) or disables (false) DHCP Relay for an interface with an existing DHCP Relay configuration. The system displays this field on the DHCP Relay tab for a brouter port only if you modify an existing configuration. The system does not display this field if you create a new DHCP Relay port configuration. |

Viewing DHCP Statistics for an IPv6 Interface


View IPv6 DHCP statistics to manage network performance.

Procedure

1. In the navigation pane, expand the Configuration > IPv6 folders.


2. Select DHCP Relay.
3. Select the Interfaces Stats tab.

Interfaces Stats Field Descriptions


Use the data in the following table to use the Interfaces Stats tab.

| Name | Description |
| --- | --- |
| IfIndex | Identifies the physical interface. |
| NumRequests | Shows the number of DHCP and BootP requests on this interface. |
| NumReplies | Shows the number of DHCP and BootP replies on this interface. |

Viewing IPv6 DHCP Relay Statistics for a Port


Display individual IPv6 DHCP Relay statistics for specific ports to manage network performance. You
can also create a graph of selected statistical values.

Procedure

1. On the Device Physical view, select a port.


2. In the navigation pane, expand the Configuration > IPv6 folders.
3. Click the DHCP Relay tab.
4. Click the Interface tab.
5. Select the interface on which you want to view the IPv6 DHCP Relay statistics.
6. Click Statistics.
7. Select one or more values.
8. Click the type of graph.

Statistics Field Descriptions


Use the data in the following table to use the Statistics tab.

| Name | Description |
| --- | --- |
| NumRequests | Shows the number of DHCP and BootP requests on this interface. |
| NumReplies | Shows the number of DHCP and BootP replies on this interface. |



Domain Name Service
DNS fundamentals
DNS configuration using CLI
DNS configuration using EDM

Table 76: Domain Name Service product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| Domain Name Service (DNS) client (IPv4) | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |
| DNS client (IPv6) | VSP 4450 Series | VOSS 4.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 4.1 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 6.2 |
| | XA1400 Series | Not Supported |

The following sections provide information on the Domain Name Service (DNS) implementation for the
switch.

DNS fundamentals
This section provides conceptual material on the Domain Name Service (DNS) implementation for the
switch. Review this content before you make changes to the configurable DNS options.

DNS client
Every equipment interface connected to a Transmission Control Protocol over IP (TCP/IP) network is
identified with a unique IPv4 or IPv6 address. You can assign a name to every machine that uses an
IPv4 or IPv6 address. TCP/IP does not require the use of names, but names make the task easier for
network managers in the following ways:
• An IP client can contact a machine by its name, which is converted to an IP address based on
a mapping table. Applications that use this machine then do not depend on the addressing
scheme.
• It is easier to remember a name than a full IP address.

To establish the mapping between an IP name and an IPv4 or an IPv6 address you use the Domain
Name Service (DNS). DNS is a hierarchical database that you can distribute on several servers for
backup and load sharing. After you add a new hostname, update this database. The information is sent
to all the different hosts. An IP client that resolves the mapping between the hostname and the IP
address sends a request to one of the database servers to resolve the name.

After you establish the mapping of IP name and IP address, the application is modified to use a
hostname instead of an IP address. The switch converts the hostname to an IP address.

If the entry to translate the hostname to IP address is not in the host file, the switch queries the
configured DNS server for the mapping from hostname to IP address. You can configure connections for
up to three different DNS servers—primary, secondary and tertiary. First the primary server is queried,
and then the secondary, and finally the tertiary.

The DNS client tracks any server addresses or domain names provided from a DHCP server. If a DHCP
server provides information to the DNS client, the DNS configuration is classified as dynamic. You can
manually delete dynamic DNS entries, but cannot manually add dynamic DNS entries. You can view the
dynamic DNS entries with show ip dns or show sys dns. Dynamic DNS entries are not saved in the
configuration file. The status monitoring of DNS occurs every 60 seconds.

DNS modifies Ping, Telnet, and copy applications. You can enter a hostname or an IP address to invoke
Ping, Telnet, and copy applications.

A log/debug report is generated for all the DNS requests sent to DNS servers and all successful DNS
responses received from the DNS servers.

IPv6 Support
The Domain Name Service (DNS) used by the switch supports both IPv4 and IPv6 addresses with no
difference in functionality or configuration.

DNS configuration using CLI


This section describes how to configure the Domain Name Service (DNS) client using Command Line
Interface (CLI).

DNS supports IPv4 and IPv6 addresses.

Configuring the DNS client


About This Task

Configure the Domain Name Service to establish the mapping between an IP name and an IPv4 or IPv6
address. DNS supports IPv4 and IPv6 addresses with no difference in functionality or configuration
using CLI.

You can configure connections for up to three different DNS servers—primary, secondary and tertiary.
First the primary server is queried, and then the secondary, and finally the tertiary.

Procedure

1. Enter Global Configuration mode:
   enable
   configure terminal
2. Configure the DNS client:
   ip domain-name WORD<0–255>
3. (Optional) Add addresses for primary, secondary, or tertiary DNS servers:
   ip name-server <primary|secondary|tertiary> WORD<0–46>
4. (Optional) Delete addresses for primary, secondary, or tertiary DNS servers:
   no ip name-server <primary|primary-dynamic|secondary|secondary-dynamic|tertiary|tertiary-dynamic> WORD<0–46>
5. View the DNS client system status:
   show ip dns

Example

Switch:1> enable

Switch:1# configure terminal

Add addresses for a tertiary DNS server:

Switch:1(config)# ip name-server tertiary 254.104.201.141

Delete address for a secondary dynamic DNS server:

Switch:1(config)# no ip name-server secondary-dynamic 192.0.2.12

Variable Definitions
The following table defines parameters for the ip domain-name command.

| Variable | Value |
| --- | --- |
| WORD<0–255> | Configures the default domain name. WORD<0–255> is a string 0–255 characters. |

The following table defines parameters for the ip name-server command.

| Variable | Value |
| --- | --- |
| primary\|secondary\|tertiary WORD<0–46> | Configures the primary, secondary, or tertiary DNS server address. Enter the IP address in a.b.c.d format for IPv4 or hexadecimal format (string length 0–46) for IPv6. You can specify the IP address for only one server at a time; you cannot specify all three servers in one command. Use the no operator before this parameter, no ip name-server <primary\|secondary\|tertiary> |
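
Because the switch sends every unresolved hostname to these servers in primary, secondary, tertiary order, the configured addresses are worth checking against the resolvers you intend to use. The following is an added example, not part of the original guide or of VOSS: the function names, the approved list and the sample configuration text are constructed assumptions, and only the `ip name-server` syntax comes from this section.

```python
import ipaddress
import re

# Matches the add form of the command shown in this section; the
# "no ip name-server ..." delete form is deliberately not matched.
NAME_SERVER_RE = re.compile(
    r"^\s*ip name-server (primary|secondary|tertiary) (\S+)\s*$"
)
QUERY_ORDER = ("primary", "secondary", "tertiary")


def parse_name_servers(config_text):
    """Return {role: address string} for each ip name-server line."""
    servers = {}
    for line in config_text.splitlines():
        match = NAME_SERVER_RE.match(line)
        if match:
            servers[match.group(1)] = match.group(2)
    return servers


def audit_name_servers(config_text, approved):
    """Return (role, address, reason) findings in query order."""
    approved_ips = {ipaddress.ip_address(a) for a in approved}
    servers = parse_name_servers(config_text)
    findings = []
    seen = {}
    for role in QUERY_ORDER:
        raw = servers.get(role)
        if raw is None:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append((role, raw, "not a valid IPv4 or IPv6 address"))
            continue
        if (addr.is_reserved or addr.is_loopback
                or addr.is_multicast or addr.is_unspecified):
            findings.append((role, raw, "address is in a reserved or non-unicast range"))
        if addr not in approved_ips:
            findings.append((role, raw, "not in the approved resolver list"))
        # Addresses are compared after parsing, so differently written
        # IPv6 forms of the same server are still detected as duplicates.
        if addr in seen:
            findings.append((role, raw, f"duplicates the {seen[addr]} server"))
        else:
            seen[addr] = role
    if servers and "primary" not in servers:
        findings.append(("primary", None, "no primary server although other servers are configured"))
    return findings


# Constructed approved list and configuration text (documentation ranges).
# 254.104.201.141 is the address used in this section's own example.
APPROVED = ["192.0.2.53", "2001:db8::53"]
SAMPLE_CONFIG = """\
ip domain-name example.net
ip name-server primary 192.0.2.53
ip name-server secondary 2001:db8::53
ip name-server tertiary 254.104.201.141
"""
DUPLICATE_CONFIG = """\
ip name-server secondary 2001:DB8:0::53
ip name-server tertiary 2001:db8::53
"""

if __name__ == "__main__":
    for role, address, reason in audit_name_servers(SAMPLE_CONFIG, APPROVED):
        print(f"{role} {address}: {reason}")
```

Servers learned from a DHCP server are classified as dynamic and are not saved in the configuration file, so a check of saved configuration text does not see them; review the output of show ip dns against the same approved list.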

Querying the DNS host


About This Task

Query the DNS host for information about host addresses.

You can enter a hostname, an IPv4 address, or an IPv6 address. If you enter the hostname, this command
shows the IP address that corresponds to the hostname, and if you enter an IP address, this command
shows the hostname for the IP address. DNS supports IPv4 and IPv6 addresses with no difference in
functionality or configuration using CLI.

Procedure

1. Enter Privileged EXEC mode:
   enable
2. View the host information:
   show hosts WORD<0–256>

Example

Switch:1> enable

Switch:1# configure terminal

View the host information:

Switch:1(config)# show hosts 192.0.2.1

Variable Definitions
The following table defines parameters for the show hosts command.

| Variable | Value |
| --- | --- |
| WORD<0–256> | Specifies one of the following: the name of the host DNS server as a string of 0–256 characters; the IP address of the host DNS server in a.b.c.d format; the IPv6 address of the host DNS server in hexadecimal format (string length 0–46). |

DNS configuration using EDM


This section describes how to configure the Domain Name Service (DNS) using Enterprise Device
Manager (EDM).

DNS supports IPv4 and IPv6 addresses with no difference in functionality or configuration except for
the following. Under the DNS Servers tab, in the DnsServerListAddressType box, you must select ipv4
or ipv6.

Configure the DNS Client


About This Task

You can configure connections for up to three different DNS servers—primary, secondary and tertiary.
First the primary server is queried, and then the secondary, and finally the tertiary.

DNS supports IPv4 and IPv6 addresses. Under the DNS Servers tab, in the DnsServerListAddressType
box, you must select ipv4 or ipv6.

Procedure

1. In the navigation pane, expand Configuration > Serviceability > Diagnostics.


2. Click DNS.
3. Click the DNS Servers tab.
4. Click Insert.
5. In the DnsServerListType box, select the DNS server type.
6. In the DnsServerListAddressType box, select the IP version.
7. In the DnsServerListAddress box, enter the DNS server IP address.
8. Click Insert.

DNS Servers Field Descriptions


Use the data in the following table to use the DNS Servers tab.

| Name | Description |
| --- | --- |
| DnsServerListType | Configures the DNS server as primary, secondary, or tertiary. OR Removes a DNS server as primary, primaryDynamic, secondary, secondaryDynamic, tertiary, or tertiaryDynamic. |
| DnsServerListAddressType | Configures the DNS server address type as IPv4 or IPv6. |
| DnsServerListAddress | Specifies the DNS server address. |
| DnsServerListStatus | Specifies the status of the DNS server. |
| DnsServerListRequestCount | Specifies the number of requests sent to the DNS server. |
| DnsServerListSuccessCount | Specifies the number of successful requests sent to the DNS server. |

Query the DNS Host


About This Task

Query the DNS host for information about host addresses.

You can enter either a hostname or an IPv4 or IPv6 address. If you enter the hostname, this command
shows the IP address that corresponds to the hostname and if you enter an IP address, this command
shows the hostname for the IP address. DNS supports IPv4 addresses with no difference in functionality
or configuration in this procedure.

Procedure

1. In the navigation pane, expand Configuration > Serviceability > Diagnostics.


2. Click DNS.
3. Click the DNS Host tab.
4. In the HostData text box, enter the DNS host name, the IPv4 address, or the IPv6 address.
5. Click Query.

DNS Host Field Descriptions


Use the data in the following table to use the DNS Host tab.

| Name | Description |
| --- | --- |
| HostData | Enter hostname or host IPv4 or IPv6 address to be identified. |
| HostName | Identifies the host name. This variable is a read-only field. |
| HostAddressType | Identifies the address type of the host. |
| HostAddress | Identifies the host IP address. This variable is a read-only field. |
| HostSource | Identifies the DNS server IP or host file. This variable is a read-only field. |



Distributed Virtual Routing
Distributed Virtual Routing Fundamentals
DvR configuration using the CLI
DvR Configuration Using the EDM

Table 77: Distributed Virtual Routing Controller product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| DvR Controller. Important: Because of a change in VOSS 6.0.1.2, the best practice is to use a minimum software version of 6.0.1.2 in DvR deployments. | VSP 4450 Series | Not Supported |
| | VSP 4900 Series (VSP4900-12MXU-12XE, VSP4900-24S, and VSP4900-24XE only) | VOSS 8.1.5 |
| | VSP 7200 Series | VOSS 6.0.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.0.1 |
| | VSP 8400 Series | VOSS 6.0.1 |
| | VSP 8600 Series | VSP 8600 8.0 |
| | XA1400 Series | Not Supported |
| dvr-one-ip | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | VOSS 8.3 |
| | VSP 7200 Series | VOSS 8.3 |
| | VSP 7400 Series | VOSS 8.3 |
| | VSP 8200 Series | VOSS 8.3 |
| | VSP 8400 Series | VOSS 8.3 |
| | VSP 8600 Series | VSP 8600 8.0 |
| | XA1400 Series | Not Supported |
| DvR In-band Management | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.0.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.0.1 |
| | VSP 8400 Series | VOSS 6.0.1 |
| | VSP 8600 Series | Not supported |
| | XA1400 Series | Not Supported |

Table 78: Distributed Virtual Routing Leaf product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| DvR Leaf. Important: Because of a change in VOSS 6.0.1.2, the best practice is to use a minimum software version of 6.0.1.2 in DvR deployments. | VSP 4450 Series | VOSS 6.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.0.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.0.1 |
| | VSP 8400 Series | VOSS 6.0.1 |
| | VSP 8600 Series | Not supported |
| | XA1400 Series | Not Supported |
| DvR In-band Management | VSP 4450 Series | VOSS 6.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.0.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.0.1 |
| | VSP 8400 Series | VOSS 6.0.1 |
| | VSP 8600 Series | Not supported |
| | XA1400 Series | Not Supported |
| Management I-SID Assignment to DvR Leaf | VSP 4450 Series | VOSS 8.5 |
| | VSP 4900 Series | VOSS 8.5 |
| | VSP 7200 Series | VOSS 8.5 |
| | VSP 7400 Series | VOSS 8.5 |
| | VSP 8200 Series | VOSS 8.5 |
| | VSP 8400 Series | VOSS 8.5 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

Distributed Virtual Routing (DvR) is a technology for router redundancy in a Fabric deployment where
IP subnets are stretched across multiple switches. DvR provides Default Gateway Redundancy and
optimizes traffic flows to avoid traffic tromboning due to inefficient routing, thereby increasing the total
routing throughput.

The topics in this section provide DvR concepts and configuration procedures.

Distributed Virtual Routing Fundamentals


You can deploy Distributed Virtual Routing (DvR) in Campus environments to stretch IP subnets
between multiple aggregation layer switches. DvR also simplifies data center deployments by
introducing a Controller-Leaf architecture. In this architecture, Layer 3 configuration is required only
on the Controller nodes, whereas the Leaf nodes require only Layer 2 configuration. All Layer 3
configuration is automatically distributed to the Leaf nodes by the Controller nodes.

For typical Campus DvR deployments, configure aggregation layer switches as DvR Controllers. Wiring
closet access switches are then typically dual-homed to a pair of DvR Controllers.

IP subnets, which stretch between aggregation layer switches and multiple wiring closets, enable
seamless IP roaming for wireless users while at the same time ensuring optimal traffic forwarding.
To optimize automation, Fabric Attach is typically deployed between wiring closet and aggregation
switches. In this construct, there would likely be no DvR Leaf configured.

In Fabric deployments, DvR replaces VRRP (with VRRP-BackupMaster or RSMLT). The operator can
choose for each I-SID/IP subnet which router redundancy method to use.

To migrate to a DvR-enabled I-SID/IP subnet, all member Fabric switches of this I-SID must be either
DvR Controllers or DvR Leafs. You can connect non-Fabric switches to DvR Leafs and DvR Controllers
with manual configuration or Fabric Attach configuration. Until all Fabric switches that are members of
the I-SID/IP subnet are DvR-enabled, use VRRP or RSMLT as the router redundancy protocol.

DvR Domain
To enable multi-site DvR deployments, a DvR domain concept has been introduced. Within a DvR
domain, a set of up to eight DvR Controllers control the DvR domain Leaf switches. A domain can also
include just DvR Controllers without DvR Leafs. Typically, a DvR domain is restricted to one physical
location. Traffic leaving this physical location always passes through DvR Controllers.

A DvR domain is a logical group of switches or nodes that are DvR enabled. These nodes are not
physically connected but are connected over the SPB Fabric such that each node is aware of the BMAC
addresses of all other nodes within the domain. A DvR domain does not contain nodes that are not DvR
enabled. However, those nodes can coexist with other DvR enabled nodes within the same SPB Fabric
network.

You configure a common DvR domain ID for all nodes belonging to a DvR domain. This domain ID
translates internally to a Domain Data Distribution (DDD) I-SID. All switch nodes that share the same
DvR domain ID or DDD I-SID receive the Layer 3 information that is distributed from all other nodes
belonging to that DvR domain.

A DvR domain can contain multiple Layer 3 VSNs and Layer 2 VSNs. Layer 2 and Layer 3 VSNs can span
multiple DvR domains.

A DvR domain typically has the following members:

1. DvR Controller(s)
2. DvR Leaf nodes

For scaling information on the number of Controllers and Leaf nodes to configure in a DvR domain, see
VOSS Release Notes.

DvR Controller
In a DvR domain, the Controller nodes are the central nodes on which Layer 3 is configured. They own
all the Layer 3 configuration and push the configuration information to the Leaf nodes within the SPB
network.

A DvR domain can have one or more controllers for redundancy and you must configure every Layer 2
VSN (VLAN) and Layer 3 VSN within the domain, on the Controller(s). A node that you configure as a
DvR Controller is considered the controller for all the Layer 2 and Layer 3 VSNs configured on that node.
A Controller is configured with its own subnet IP address for every DvR enabled Layer 2 VSN within the
domain.

All Layer 2 VSNs on a DvR Controller need not be DvR enabled. A controller can be configured with
individual Layer 2 VSNs that are DvR disabled.

The Layer 3 configuration data that is pushed to the Leaf nodes includes the Layer 3 IP subnet
information for all Layer 2 VSNs within the DvR domain. It also includes the IP routes learned
or redistributed by the Controllers from networks outside the SPB network, into the DvR Domain.
Controllers also send information on whether Multicast is enabled on a specific DvR enabled Layer 2
VSN, and the version of IGMP. DvR Controllers inject a default route into the DvR domain for external
route reachability. Use route policies to inject specific routes into a DvR domain or inject host routes into
OSPF or BGP.

Note
When sFlow operates in a DvR domain and DvR Leaf nodes use the management CLIP
address as the sFlow agent IP, DvR Leaf nodes always report the sFlow collector as reachable
because DvR Controllers inject a default route into the DvR domain. You can use the dvr
controller inject-default-route-disable command to withdraw the route and
force DvR Leaf nodes to use either a DvR host route, a direct route, or a static route that the DvR
Controller can redistribute. The best practice is to perform appropriate analysis before you use
this setting.

A Controller can only belong to one DvR domain, based on the domain ID that you configure on the
node.

DvR Controllers include all DvR Leaf functions, so a deployment without Leaf nodes is a valid network
deployment. In particular, if you use DvR in Campus deployments to replace VRRP or RSMLT, a
Controller-only deployment, with the Controllers as Fabric Attach server nodes, is a valid deployment
option.

DvR Leaf Node


DvR Leaf nodes are typically data center top of the rack (TOR) Fabric switches that aggregate physical
and virtual servers or storage devices. DvR Leaf nodes operate in a reduced configuration mode, where
Layer 3 is not configured locally, but pushed to them from the DvR Controller(s) within the domain. You
need to configure only the IS-IS infrastructure and the Layer 2 VSNs on the Leaf nodes.

A DvR Leaf node also monitors local host attachments and communicates updates about the current
state of those host attachments to the DvR domain. All DvR nodes exchange host attachment
information using the DvR host distribution protocol, which leverages a DvR domain I-SID.

DvR Leaf nodes are managed in-band through a local loopback address, which is exchanged using the IP
Shortcut protocol.

Eligibility Criteria for a Leaf Node


A Leaf node must support the following criteria:
• configuration of basic parameters of IP Multicast over Fabric Connect, such as the system ID,
nickname, B-VLANs, SPBM instance, area, peer system ID and virtual BMAC
• configuration of a physical port as either an SPB network-to-network interface (NNI), a FLEX-UNI
interface or an FA interface
• configuration of an MLT as either an SPB NNI, a FLEX-UNI interface or an FA interface
• configuration of an SMLT as a Flex-UNI Interface or an FA Interface
• configuration of Layer 2 VSN I-SID instances of type ELAN
• configuration of FLEX-UNI end-points as part of a Layer 2 VSN
• FA Server functionality on FA enabled interfaces
• SMLT and vIST
• configuration of an in-band management interface for in-band management of the node


Summary of Controller and Leaf Node Functions


A DvR Controller performs the following functions:
• pushes Layer 3 configuration data (IPv4 Unicast and Multicast) to the Leaf nodes for all the Layer 2
VSNs or subnets within the DvR domain.
• pushes the Layer 3 learned host routes (host routes learned on its own UNI ports) and route data
learned through route redistribution or route policies, to the Leaf nodes.
• configures learned remote host routes from other Controllers and Leaf nodes, on its own device.

A DvR enabled Leaf node performs the following functions:


• configures the gateway MAC when the gateway IPv4 address is learned.
• pushes the Layer 3 learned remote host routes to other Controllers and Leaf nodes in the domain.
• configures learned remote host routes from other Controllers and Leaf nodes on its own device.
• configures ECMP routes (in the datapath only) for the Layer 2 VSN subnets, with each next hop as
the Controller in the DvR domain.
• configures learned routes from the Controllers that are redistributed using DvR.
• handles host route response packet interception based on the Controller VLAN MAC or the gateway
MAC.

DvR backbone
The DvR backbone is automatically established among the DvR Controllers from all DvR domains. Every
Controller node has an edge gateway to its DvR domain, to the DvR backbone and all other non-DvR
domains within the network.

Controllers exchange host route information such that any host can be reached in a shortcut switched
manner, irrespective of its location. For these host route information exchanges, controllers use an
automatically assigned backbone I-SID. Local subnets to the Controllers are automatically injected into
the DvR host route exchanges.

To redistribute DvR host routes into OSPF or BGP, you can configure route policies. These host routes
are not injected into IS-IS.

DvR Backbone Members


You can configure a non-DvR backbone edge bridge (BEB) to join the DvR backbone. This enables the
node to receive redistributed DvR host routes from all DvR Controllers in the SPB network, just like a
DvR Controller. However, unlike the Controller, you can neither configure a DvR interface on this node
nor can the node inject its host routes into the DvR domain.

DvR operation
In a DvR domain, DvR enabled Controller(s) handle the learning and distribution of Layer 3
configuration and route data to the DvR enabled Leaf nodes. The Leaf nodes in turn, use this data
to automatically create distributed Layer 3 datapaths on themselves. In this way, Layer 3 configuration
and learning remains only with the Controller(s) and there are distributed Layer 3 datapaths at the
edges of the fabric network. This allows for destination lookups at the edge to happen quickly, and
traffic is sent directly to their destinations without multiple lookups.


An important benefit of DvR is that only minimal configuration is required on the Leaf node. Based on
the Layer 2 VSN that the Leaf node is a part of, all Layer 3 configuration information (IPv4 Unicast and
Multicast configuration) is pushed from the Controllers in the domain. Thus the leaf nodes, although
basically Layer 2 configured switches, become fully layer 3 capable devices.

Figure 46: SPB Fabric network with central Layer 3 Controller and distributed Layer 3 datapath at
the edges

ARP Learning
When DvR is enabled on a Controller, it initiates ARP requests for traffic to be routed to unknown
destination hosts.

DvR enabled Controllers learn ARP requests from:

• DvR enabled Leaf nodes (here the Leaf node owns the ARPs)
• their own local UNI ports (here the Controller owns the ARPs)
• other DvR enabled Controllers

DvR enabled Leaf nodes learn ARP requests from:

• their own local UNI ports (here the Leaf node owns the ARPs)
• other DvR enabled Leaf nodes (that own the ARPs) and respond to ARP requests on their UNI ports
• DvR enabled Controllers (that own the local UNI ARPs)

Controllers only distribute ARP entries that are locally learned on their own UNI ports, to other DvR
enabled nodes in the domain.


dvr-leaf-mode boot flag


To configure a node to operate as a DvR Leaf node, you must first enable the dvr-leaf-mode boot
flag.
• The dvr-leaf-mode boot flag is disabled by default. You must explicitly enable this flag before
you configure a switch node to operate as a Leaf node.

When you enable the dvr-leaf-mode boot flag, you can configure the node as a DvR leaf node
without rebooting, as long as there is no unsupported configuration discovered on the switch.
• After you enable or disable the boot flag, you must save the configuration.

Important
A node on which the dvr-leaf-mode boot flag is enabled cannot be configured as a DvR
Controller.

In-band management
Use in-band management to manage a DvR enabled Leaf node that does not have an out-of-band
management port or a console port.

For in-band management of the node within the management subnet (for example, from a Controller
node), you must configure a unique IPv4 address to be used as the in-band management IP address, on
that node. This IPv4 address functions like a CLIP address.

DvR deployment scenarios


The following sections describe typical deployments of the DvR infrastructure.

DvR deployment in a single data center


The following topology shows DvR deployment in a single data center. This deployment consists of a
single DvR domain comprising a Controller layer and a Leaf node layer. The Controller layer has two
controllers (for redundancy), which are deployed closer to the boundary of the DvR domain and the
rest of the SPB Fabric network. The DvR Leaf nodes or Top of Rack (TOR) switches are typically access
or edge switches.

All switches that belong to the DvR domain are configured with the same DvR domain ID and
communicate with each other over a predefined I-SID.

The Controller nodes control the Leaf nodes and also build the gateway between the DvR domain and
the rest of the Fabric infrastructure. So traffic is either routed between the Leaf nodes, or through the
Controllers, to the rest of the fabric infrastructure.

Two IP subnets (Layer 2 VSNs), yellow and green, span the Leaf nodes. Each subnet is configured with
a virtual IP address that is shared among all Controller and Leaf nodes that belong to the subnet. The
Controller and Leaf nodes are configured with routing interfaces to the subnets, as shown in the figure.


DvR works by enabling each Leaf node or Top of Rack (TOR) switch to bi-directionally route traffic
for each IP subnet of which it is a member. This is done by distributing the Layer 3 configuration
information (IP Unicast, IP Multicast and virtual IP configuration) needed to handle Layer 3 routing, from
the Controllers to the Leaf nodes. Configuration information is pushed over the DvR Domain I-SID, as
indicated by the blue arrows in the above figure.

Routing between the two IP subnets is achieved directly at the Leaf nodes when the Layer 3 distributed
datapath is programmed at the Leaf Nodes, based on the Layer 3 configuration data that is pushed.
Thus traffic within and between IP subnets is shortcut switched without having to traverse the central
routing nodes, as shown in the figure below, if there are direct physical connections between them.


Thus, in a DvR deployment, all virtual IP and Layer 3 configuration is performed on the Controller nodes
and pushed to the Leaf nodes, so that the Leaf nodes, though basically Layer 2 configured switches,
become fully Layer 3 capable devices.

DvR deployment in a dual data center


The following example deployment shows two data centers each having its own DvR domain,
connected through a backbone.

All nodes in data center Campus 1 belong to the DvR domain shown in green, and the nodes in the data
center Campus 3 belong to the DvR domain shown in orange. The two DvR domains are individually
managed, so in this scenario, the controllers colored orange manage the orange Leaf nodes and the
controllers colored green manage the green Leaf nodes. However, subnets can still be stretched across
the DvR domains (and possibly between buildings), as shown in the figure.

Each DvR domain learns its own Layer 3 data and distributes this information to its own Leaf nodes.
Layer 3 host information that is redistributed from other DvR Domains is learned by the Controllers only
(through inter-DvR domain redistribution) and is programmed on the Leaf nodes in the same domain,
but not in the other Domain. For example, Layer 3 information redistributed from domain 2 is learned
by all controllers including the domain 1 controllers, but this information is not distributed to the Leaf
nodes in domain 1. Hosts in one DvR domain can reach the hosts in the other DvR domain only through
the Controllers.

Figure 47: Shortest path routing between servers in different data centers
All controllers in all domains are always part of the DvR backbone by default, as they are connected by
the SPB Fabric. The DvR backbone connects many DvR domains.

Thus DvR can scale to multiple campuses, allowing a simplified way to deploy a large scale fully-routed
infrastructure.


DvR Route Redistribution


The following sections describe redistribution of IPv4 local and static routes from DvR Controllers into
the DvR domain. It also describes redistribution of host routes that are learned on DvR enabled VLANs,
to BGP and OSPF. You can configure route policies to control the selection of routes to be distributed.
You can also configure IS-IS accept policies on DvR Controllers and non-DvR BEBs, to determine which
DvR host routes to accept into the routing-table from the DvR backbone.

Redistribution of IPv4 Local and Static Routes


The DvR feature supports redistribution of IPv4 local and static routes into the DvR domain.

Note
For every VRF instance and the Global Router, the Controller automatically injects a default
route to the Leaf node, with a next hop as the advertising Controller. However, if you require
only local or static routes to be advertised to the Leaf nodes, you can manually disable the
injection of default routes on the Controller.

On a DvR Controller, you can configure (enable or disable) the redistribution of direct or static routes.
Direct routes are redistributed with the route type as internal. Static routes are redistributed with
the route type as external. You can apply route policies on the Controller to selectively permit the
redistribution of these routes and also configure a metric value for the route that is redistributed. The
default metric for imported local routes is 1. For static routes, the configured route metric or cost is
honored.

You can configure redistribution of static and direct routes from the Global Router, or within a VRF
instance. For redistributed routes, the Controller configures the Layer 3 VSN as that of the VRF
redistributing the route, and the next hop BEB as the system ID of the Controller injecting the route into
the DvR domain.

The following example demonstrates how a DvR Leaf node benefits from the redistribution of local and
static routes.

By default, if the injection of default routes is enabled on a DvR Controller, the DvR Leaf node can only
route traffic to other nodes within the DvR enabled subnet. For the Leaf node to reach networks outside
of the DvR enabled subnet, the Controllers must redistribute local and static routes from non-DvR
subnets into the DvR domain. In the following figure, the DvR Leaf L1 can route traffic only to nodes in
the DvR enabled subnet 10.10.10.0/24. To be able to reach hosts in VLAN 20 (20.20.20.0/24) or VLAN
30 (30.30.30.0/24), redistribution of local routes into DvR is required at each of the Controllers C1 and
C2. For the Leaf node to reach hosts in remote networks 40.40.40.0/24 or 50.50.50.0/24, redistribution
of static routes to the DvR domain is required.

You can apply route policies to control which local or static routes are to be redistributed into the DvR
domain.


Figure 48: Redistribution of IPv4 local and static routes

Redistribution of Routes to OSPF or BGP


For non-SPB routers to benefit from the host accessibility information learned within a DvR domain,
DvR supports the redistribution of host routes into OSPF or BGP. Redistribution of these host routes is
only by the DvR Controllers and only for the intra-domain host routes within the DvR enabled subnets.

A DvR Controller can redistribute host routes for all hosts from a DvR domain into OSPF or BGP.
You can also apply route policies on the Controller to select the routes to be redistributed. The
Controller supports redistribution of routes from the Global Router or within a VRF instance. You can
also configure the metric of the route before redistribution.

The following example demonstrates the benefit of redistribution of routes to BGP.

Consider a 10.1.0.0/16 network with a stretched Layer 2 VSN spanning two data centers. On the campus
side of the network, BGP peering is configured between a non-Extreme router and one or more routers
in the data center. BGP advertises the network route 10.1.0.0/16 to the campus BGP routers. Depending
on which edge router the traffic is delivered to, it is possible that traffic from a host on the campus
traverses the WAN a second time to reach the server that is physically connected to one segment of the
data center, as shown in the following figure.


Figure 49: Inefficient traffic flow


Redistribution of the host routes from the DvR Controller to BGP solves this problem.

The following figure shows two DvR domains (shown in green and orange) configured at each data
center. Each campus edge router establishes a BGP peering session with one or more Controllers in
each data center (DvR domain). This enables BGP to advertise more specific routes to the campus BGP
router so that the optimal routing path is always taken. So, there is no need for traffic to traverse the
WAN multiple times. Also, in the case of server movement within or between data centers, the updated
DvR host routes are propagated to BGP, thus ensuring that traffic flowing into the data center continues
along the most optimal path.

For example, in the following figure, only the Controller attached to the Leaf node where the 10.1.0.111
server exists, advertises its accessibility over the 10.1.0.111/32 route. Similarly, the DvR Controller
associated with the Leaf node connected to the 10.1.0.222 server advertises the 10.1.0.222/32 host route.


Figure 50: Traffic flow optimized with route redistribution


Controllers in each data center learn all host routes through the DvR backbone, but since those routes
belong to different DvR domains, they are not all eligible for redistribution to OSPF or BGP.
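
The effect of redistributing DvR host routes into BGP, modeled as longest-prefix match on the campus router. This is an added example, not Extreme Networks code: the `Rib` class, the next-hop names `DC1-edge` and `DC2-edge`, the placement of server 10.1.0.111 in data center 1 and 10.1.0.222 in data center 2, and the name-based tie-break (a stand-in for BGP best-path selection) are assumptions.

```python
import ipaddress


class Rib:
    """Minimal model of the campus BGP router's table: prefix -> {next_hop: metric}."""

    def __init__(self):
        self.routes = {}

    def advertise(self, prefix, next_hop, metric=0):
        self.routes.setdefault(ipaddress.ip_network(prefix), {})[next_hop] = metric

    def withdraw(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        self.routes.get(net, {}).pop(next_hop, None)
        if not self.routes.get(net):
            self.routes.pop(net, None)  # drop the prefix once no next hop is left

    def lookup(self, dest):
        """Longest-prefix match; ties on one prefix go to lowest metric, then name."""
        addr = ipaddress.ip_address(dest)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        hops = self.routes[best]
        return str(best), min(hops, key=lambda h: (hops[h], h))


def campus_rib(with_host_routes):
    """Build the campus router's view of the stretched 10.1.0.0/16 subnet."""
    rib = Rib()
    # Both data centers advertise the network route for the stretched Layer 2 VSN.
    rib.advertise("10.1.0.0/16", "DC1-edge")
    rib.advertise("10.1.0.0/16", "DC2-edge")
    if with_host_routes:
        # Only the Controller in the domain where the host is attached advertises the /32.
        rib.advertise("10.1.0.111/32", "DC1-edge")
        rib.advertise("10.1.0.222/32", "DC2-edge")
    return rib


def move_server(rib, host, old_hop, new_hop):
    """Server moves between data centers: the old /32 is withdrawn, a new one advertised."""
    rib.withdraw(f"{host}/32", old_hop)
    rib.advertise(f"{host}/32", new_hop)


if __name__ == "__main__":
    before = campus_rib(with_host_routes=False)
    # Only the /16 exists, so traffic for the DC2 server can enter through DC1
    # and cross the WAN a second time.
    print("without host routes:", before.lookup("10.1.0.222"))

    after = campus_rib(with_host_routes=True)
    print("with host routes:   ", after.lookup("10.1.0.222"))

    move_server(after, "10.1.0.111", "DC1-edge", "DC2-edge")
    print("after server move:  ", after.lookup("10.1.0.111"))
```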

Route Redistribution and IS-IS Accept Policies


DvR route redistribution leverages IS-IS accept policies to control (accept or reject) DvR routes learned
from the DvR backbone. You can configure accept policies on both Controllers and non-DvR BEBs in
the SPB network.

For more information about accept policies, see IS-IS Accept Policies on page 1357.

DvR Deployment for Wireless Roaming in Campus Deployments


In fabric deployments where IP subnets/I-SIDs stretch between multiple buildings, you can use DvR
instead of VRRP or RSMLT to avoid traffic tromboning issues. This deployment is supported with
non-fabric switches that have Fabric Attach enabled, or switches that do not support Fabric Attach.
You can use VSP 4450 Series as DvR Leafs in this context as well. IP subnets can stretch across one or
multiple DvR domains as shown in the following figure.


Figure 51: Wireless roaming in Campus

Management I-SID Assignment to DvR Leaf


The Management I-SID Assignment to DvR Leaf feature simplifies the process of creating a
Management Instance VLAN interface on a DvR Leaf.

You can configure a Management Instance VLAN on a DvR Leaf node by specifying the I-SID. When you
specify the I-SID, an internal VLAN is created and associated with the I-SID.

Operational Considerations
The following section describes operational considerations for assigning a Management I-SID to a DvR
Leaf node.
• If the specified I-SID is not associated with a VLAN, the Management Instance VLAN interface is
created with the specified I-SID and an internal VLAN.

Note
The internal VLAN is not configurable.

• You cannot create a Management Instance VLAN interface if the I-SID is already associated with a
VLAN. However, you can configure a Management Instance VLAN interface if the I-SID is associated
with the onboarding VLAN.

• The I-SID cannot be learned dynamically. You cannot create a Management Instance VLAN interface
if the I-SID sent from the DvR Controller is the same as the Management Instance VLAN I-SID.
• When you delete the Management Instance VLAN interface, the internal VLAN is deleted. You
cannot delete the onboarding VLAN.
• You can migrate from a previous configuration or to a DvR Leaf only if an I-SID is associated with the
Management Instance VLAN. If you disable DvR on a DvR Leaf by disabling the dvr-leaf-mode
boot flag, the Management Instance VLAN is deleted. You can either restart the onboarding process
or configure a Management Instance CLIP or Management Instance OOB interface.
• In DvR Leaf, you can create a Management Instance VLAN interface using the quick-config-mgmt
utility script with the Management I-SID but not with port number or VLAN ID. This I-SID cannot be
used if the Management Instance interface is already created. You can issue the convert command
to use this I-SID.
• Migration from DvR leaf to non-DvR leaf deletes the Management Instance VLAN configuration.

Using Ping or IP Traceroute for Hosts in the DvR-One-IP Subnet


To use DvR-One-IP, a circuitless IP (CLIP) must exist in the VRF to which the DvR-One-IP interface
belongs. If the DvR-One-IP interface is part of the global router (GRT), a CLIP must exist in the GRT
and it must be configured as the IS-IS ip-source-address. If these CLIPs exist, pinging hosts in the
DvR-One-IP subnet from the DvR Controller works as expected.

If the CLIPs do not exist, pinging hosts in the DvR-One-IP subnet is not possible from DvR Controllers.
The ping attempt times out and the switch displays the following warning message: Warning: For
DVR one IP a loopback IP must be configured on the VRF. If you provide a source
IP address with the ping command, the switch does not display the warning message but the ping
attempt fails.

This same restriction also applies to IP traceroute.

DvR Restrictions
Review the following limitations and behavioral characteristics associated with DvR.
• The DvR feature does not affect out-of-band management on a switch chassis, if the chassis
supports it.
• The DvR feature does not support a non-DvR BEB in a DvR enabled Layer 2 VSN.
• The number of host route records that can be stored in the datapath of a Leaf node is limited to the
scaling capacity of the switch node. Different switch platforms have different scaling capacities.

For information on the scaling capacities of different platforms, see VOSS Release Notes.
• You must first disable DvR on a Controller or Leaf node, before you attempt to change the domain
ID of the node.
• You cannot configure IGMP snooping on DvR enabled nodes.
• DvR is only supported in warm standby High Availability mode on the VSP 8600 Series.


Configuration Restrictions on a DvR Controller


• If you are using two different IP addresses for the DvR VLAN and the DvR GW IP, you must first
configure a gateway IPv4 address and then configure an IP interface for the VLAN before you enable
DvR on a Layer 2 VSN (VLAN). Both the VLAN IP address and the gateway IPv4 address must be in
the same subnet.

If you use the same IP address for the VLAN interface and the DvR GW IP, you can use the command ip
address {A.B.C.D/X} dvr-one-ip.

For more information, see Enable DvR on a Layer 2 VSN (VLAN) on page 3802 and Configure a
Single IP Address for All DvR Controllers on a VLAN Subnet on page 3803.
• You cannot configure IPv4 VRRP on a DvR-enabled VLAN.

Note
This restriction does not apply to VSP 8600 Series.

• You cannot configure RSMLT on a DvR-enabled VLAN.


• You cannot configure SPB-PIM Gateway (SPB-PIM GW) on a DvR VLAN.
• You cannot configure dynamic routing protocols, such as OSPF, RIP, BGP, IPv6 OSPFv3, IPv6 RIPng,
IPv6 MLD, and IPv6 PIM-GW on a DvR-enabled VLAN.

Note
IPv6 OSPFv3, IPv6 RIPng, IPv6 MLD, and IPv6 PIM-GW do not apply to VSP 8600 Series.

• You can configure DvR on a VLAN that has an IPv6 interface configured, but you must first delete the
IPv6 interface, configure DvR, and then reconfigure the IPv6 interface.

Note
This restriction does not apply to VSP 8600 Series.

A DvR VLAN is a VLAN configured on a DvR Controller with a VLAN IP address, a VLAN/I-SID, the
DvR gateway IP address, and DvR enabled. This Layer 3 configuration for the DvR VLAN (the DvR
gateway IP address and this DvR subnet) is pushed to the DvR Leaf nodes. The DvR gateway IP
address must be the same address across all DvR Controllers for that DvR VLAN.
• You cannot configure an IPv6 interface on a DvR-enabled VLAN from a subnet that is used as
next-hop in an IPv6 static route.
• You cannot configure an IPv6 address on a DvR-enabled VLAN from a subnet used as an IPv6 BGP
Peer.

Note
This restriction does not apply to VSP 8600 Series.

• DvR-enabled VLAN/I-SIDs are for host connectivity only; you cannot connect a router to a DvR-
enabled VLAN/I-SID and use dynamic or static routing. Use a non-DvR VLAN/I-SID instead to
connect an external router.

Configuration Limitations on a DvR Leaf


• Enabling the dvr-leaf-mode boot flag before you configure a node as a DvR Leaf automatically
removes all existing non-DvR configuration on the node, such as platform VLANs and their IP
address configuration, CLIP configuration, routing protocol configuration and VRF configuration. The
gateway IPv4 address, if configured, is also removed.
• You cannot configure SPB-PIM GW on a Leaf node. The configuration is supported only on a DvR
Controller.
• You cannot perform Layer 3 configuration (for example, IP interfaces, IP routing, and VRFs). You can
only perform Layer 2 configuration.

• You cannot configure Microsoft NLB on a Leaf node.


• You cannot configure Fabric Extend on a Leaf node.
• You cannot configure the VXLAN Gateway on a Leaf node.
• You cannot configure a T-UNI on a Leaf node.
• You cannot configure IPv4 multicast on a Leaf node. The configuration is supported only on a DvR
Controller.
• You can configure only one instance of vIST on a Leaf node pair. Also, you cannot configure vIST on
Leaf nodes from different domains.
• Platform VLANs are not supported. You cannot configure a platform VLAN directly on a DvR leaf
node. However, you can configure a VLAN Management Instance on a DvR leaf node. After you
configure the management VLAN, you can configure a platform VLAN.
• You cannot configure IP Shortcuts and IP Multicast over Fabric Connect on Leaf nodes. This
configuration is pushed from the DvR Controllers in the domain.
• You must manually configure an I-SID on a Layer 2 VSN Leaf node. This configuration is not pushed
from a DvR Controller.
• DvR-enabled VLAN/I-SIDs are for host connectivity only; you cannot connect a router to a DvR-
enabled VLAN/I-SID and use dynamic or static routing. Use a non-DvR VLAN/I-SID instead to
connect an external router.

Migrate from VRRP to DvR

About This Task

If you have a VRRP network with a mix of existing routers that do not support DvR and devices that do
support DvR, you can migrate your VRRP network to DvR using this high-level process. This migration
process assumes the following design:
• Existing routers are the VRRP masters.
• Existing routers are the default gateways for all subnets.

• Fabric Connect network with DvR-capable nodes where DvR is configured globally, but not on
I-SIDs, on the VOSS devices; and VOSS devices operate in Layer 2 mode for the VRRP VLANs that
need to be migrated.

Important
When you configure DvR on Controllers with existing VRRP VLANs, ensure there is no VRRP
VLAN with VRID 37 or VRID 38. VRID 37 conflicts with the DvR gateway MAC used by all DvR
nodes. The DvR gateway MAC is a constant value 00:00:5e:00:01:25; VRRP VRID 37 translates
to the same MAC. Similarly, VRRP VRID 38 translates to 00:00:5e:00:01:26, and is used within
DvR. If you have a VRRP VLAN with either of these VRIDs, change the VRID to a different
value.

Procedure
1. Enable VRRP interfaces on the DvR Controllers but keep VRRP mastership on the existing routers.
2. Change VRRP mastership on the VLAN or IP Subnet in question on the DvR Controller by applying a
higher priority than the current master.
Note
You can easily fall back to the original VRRP master by changing the VRRP priorities back.

3. Disable VRRP on the existing routers.


4. Subnet by subnet (VLAN/I-SID), delete VRRP interfaces on all DvR Controllers first (this includes
removing VRRP and removing the VLAN IP address), and then configure DvR interfaces (this
includes adding the DVR-GW-IP, enabling DvR, and then adding the VLAN IP address) on the VLAN/
I-SID instead. This might lead to a short traffic interruption.
Note
For each VLAN/I-SID, ensure that VRRP is disabled on all nodes before you configure DvR
interfaces on the Controllers for the VLAN/I-SID.
Keep in mind that you can only enable DvR on VLANs or I-SIDs where all participating BEBs
are DvR-capable.
To fall back at any time, you can delete the DvR interface on the I-SID (this includes
disabling DvR, removing the DVR-GW-IP and removing the VLAN IP address) and
configure the VRRP interface again (this includes adding the VLAN IP address and adding
VRRP again). However, ensure you delete the DvR interfaces on all Controllers first, before
you enable VRRP again.

Example

Start with VRRP VLAN:


vlan create 250 name vlan_test250 type port-mstprstp 0
vlan i-sid 250 111250
interface vlan 250
ip address 192.0.2.3 255.255.255.0
interface vlan 250
ip vrrp version 2
ip vrrp address 10 192.0.2.1
ip vrrp 10 priority 180
ip vrrp 10 backup-master enable
ip vrrp 10 enable
exit


Change to DvR VLAN:


interface vlan 250
no ip vrrp address 10 192.0.2.1
no ip address 192.0.2.3
exit
interface vlan 250
dvr gw-ipv4 192.0.2.1
dvr enable
ip address 192.0.2.3 255.255.255.0
exit

Change back to VRRP VLAN:


interface vlan 250
no dvr enable
no dvr gw-ipv4
no ip address 192.0.2.3
exit
interface vlan 250
ip address 192.0.2.3 255.255.255.0
ip vrrp version 2
ip vrrp address 10 192.0.2.1
ip vrrp 10 priority 180
ip vrrp 10 backup-master enable
ip vrrp 10 enable
exit
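
The VRID check from the Important note in this procedure, together with two of the DvR Controller restrictions (no IPv4 VRRP on a DvR-enabled VLAN, gateway and VLAN address in the same subnet), written as a pre-migration configuration audit. This is an added example, not Extreme Networks code: the function names, finding codes and sample configuration are constructed, and it assumes a saved configuration in the command syntax of the examples on this page.

```python
import ipaddress
import re

# DvR MACs stated on this page; they equal the VRRP virtual MACs of VRID 37 and 38.
DVR_RESERVED_MACS = {"00:00:5e:00:01:25", "00:00:5e:00:01:26"}

# Constructed sample (not from a real switch), in the syntax of the page's examples.
SAMPLE_CONFIG = """\
interface vlan 250
ip address 192.0.2.3 255.255.255.0
ip vrrp version 2
ip vrrp address 10 192.0.2.1
ip vrrp 10 enable
exit
interface vlan 260
ip address 198.51.100.3 255.255.255.0
ip vrrp address 37 198.51.100.1
ip vrrp 37 enable
exit
interface vlan 270
dvr gw-ipv4 203.0.113.1
dvr enable
ip address 203.0.113.130 255.255.255.128
exit
interface vlan 280
dvr gw-ipv4 10.0.80.1
dvr enable
ip address 10.0.80.2 255.255.255.0
ip vrrp address 38 10.0.80.254
exit
"""


def vrrp_virtual_mac(vrid):
    """IPv4 VRRP virtual MAC: prefix 00:00:5e:00:01 with the VRID as the last octet."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID out of range: {vrid}")
    return f"00:00:5e:00:01:{vrid:02x}"


def parse_vlan_interfaces(config_text):
    """Return {vlan_id: settings} from 'interface vlan N' blocks.

    Assumes a saved configuration: 'no ...' lines are skipped, and only the
    'ip address <addr> <mask>' form used in the page's examples is parsed.
    """
    vlans, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface vlan (\d+)", line)
        if m:
            current = vlans.setdefault(
                int(m.group(1)), {"ip": None, "gw": None, "dvr": False, "vrids": set()})
        elif line == "exit":
            current = None
        elif current is None or line.startswith("no "):
            continue
        elif m := re.fullmatch(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+)", line):
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"dvr gw-ipv4 (\S+)", line):
            current["gw"] = ipaddress.ip_address(m.group(1))
        elif line == "dvr enable":
            current["dvr"] = True
        elif m := re.fullmatch(r"ip vrrp address (\d+) \S+", line):
            current["vrids"].add(int(m.group(1)))
    return vlans


def lint(config_text):
    """Return a list of (vlan_id, code, message) findings, ordered by VLAN ID."""
    findings = []
    for vlan_id, v in sorted(parse_vlan_interfaces(config_text).items()):
        for vrid in sorted(v["vrids"]):
            mac = vrrp_virtual_mac(vrid)
            if mac in DVR_RESERVED_MACS:
                findings.append((vlan_id, "VRID_MAC_CONFLICT",
                                 f"VRID {vrid} maps to {mac}, which DvR uses; change the VRID"))
        # Per the page, this restriction does not apply to VSP 8600 Series.
        if v["dvr"] and v["vrids"]:
            findings.append((vlan_id, "VRRP_ON_DVR_VLAN",
                             "IPv4 VRRP is configured on a DvR-enabled VLAN"))
        if v["dvr"] and v["gw"] and v["ip"] and v["gw"] not in v["ip"].network:
            findings.append((vlan_id, "GW_SUBNET_MISMATCH",
                             f"gateway {v['gw']} is outside {v['ip'].network}"))
    return findings


if __name__ == "__main__":
    for vlan_id, code, message in lint(SAMPLE_CONFIG):
        print(f"VLAN {vlan_id}: {code}: {message}")
```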

DvR and IPv6 VRRP Coexistence on the Same I-SID


You can configure IPv6 VRRP and IPv6 DHCP relay on a DvR-enabled VLAN or I-SID.

You must perform the following steps in order:

1. Enable DvR on a VLAN interface.


2. Configure an IPv6 interface.
3. Configure IPv6 VRRP.

Configuration Examples
The following example shows how you can configure an IPv6 interface and IPv6 VRRP on a DvR-
enabled VLAN:
vlan create 10 name vlan_test10 type port-mstprstp 0
vlan i-sid 10 111010
interface vlan 10
dvr gw-ipv4 192.0.2.1
dvr enable
ip address 192.0.2.2 255.255.255.0
ipv6 interface enable
ipv6 interface address 2001:DB8:0::1/64
ipv6 vrrp address 1 link-local fe80::1234
ipv6 vrrp address 1 global 2001:DB8:0::1234/64
ipv6 vrrp 1 enable
exit

You cannot enable DvR on a VLAN interface that has IPv6 VRRP configuration. You must first delete the
IPv6 interface from the VLAN, configure DvR, and then reconfigure the IPv6 interface.
interface vlan 10
no ipv6 vrrp 1
no ipv6 interface
dvr gw-ipv4 192.0.2.1
dvr enable
ip address 192.0.2.2 255.255.255.0
ipv6 interface enable
ipv6 interface address 2001:DB8:0::1/64
ipv6 vrrp address 1 link-local fe80::1234
ipv6 vrrp address 1 global 2001:DB8:0::1234/64
ipv6 vrrp 1 enable
exit

DvR configuration using the CLI


The following sections describe configuration of Distributed Virtual Routing (DvR) using the Command
Line Interface (CLI).

Configuring a DvR Controller


About This Task

Configuring a node as a DvR Controller enables DvR globally on that node.

Perform this procedure to create a DvR domain with the domain ID that you specify, and configure the
role of the node as the Controller of that domain. A Controller can belong to only one DvR domain.

Note
For a node to perform the role of both a Controller and a Leaf within a DvR domain, you must
configure it as a Controller.

Before You Begin


• Ensure that you configure IP Shortcuts on the node. This is necessary for proper functioning of the
node as a DvR Controller.
• Ensure that the dvr-leaf-mode boot flag is disabled on the node.

To verify the setting, enter show boot config flags in Privileged EXEC mode.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure a DvR Controller.
dvr controller <1-255>


3. (Optional) Disable DvR on a DvR Controller.


no dvr controller

Caution
Disabling DvR on a DvR Controller destroys the domain ID and all dynamic content
learned within the DvR domain.
However, the switch retains the VLAN specific configuration and you can view the
information using the command show running-config.

4. View a summary of the Controller configuration. Enter:


show dvr

Example

Configure a node as a DvR Controller:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#dvr controller 5
Switch:1(config)#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 5
Domain ISID : 16678219
Backbone ISID : 16678216
Role : Controller
My SYS ID : 00:bb:00:00:81:21
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Disabled

Variable definitions
Use the data in the following table to use the dvr controller command.

Variable Value
<1-255> Specifies the domain ID of the DvR domain to which the
Controller belongs.

Disabling injection of default routes on a Controller


About This Task

By default, a DvR Controller injects default routes into the DvR domain and all the Leaf nodes in that
domain learn these routes with the next hop as the Controller that advertised them.

You can however disable default route injection for the GRT or a specific VRF on a Controller, to override
this behavior.


Procedure
1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF
context:
enable

configure terminal

Optional: router vrf WORD<1-16>


2. Disable default route injection for the GRT or a specific VRF, on the Controller.
On the GRT:

dvr controller inject-default-route-disable

The default or the no operator enables injection of default routes for the GRT into the domain.

On a VRF instance:

dvr inject-default-route-disable

The default or the no operator enables injection of default routes for a specific VRF into the
domain.
3. Verify the configuration.
On the GRT:

show dvr

On a VRF instance:

show dvr l3vsn

Example

Disable injection of default routes for the GRT on a Controller.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#dvr controller inject-default-route-disable
Switch:1(config)#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 5
Domain ISID : 16678219
Backbone ISID : 16678216
Role : Controller
My SYS ID : 00:bb:00:00:81:21
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Enabled

Disable injection of default routes for a specific VRF on a Controller.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.


Switch:1(config)#router vrf vrf3


Switch:1(router-vrf)#dvr inject-default-route-disable
Switch:1(router-vrf)#show dvr l3vsn

======================================================================================
DVR L3VSN
======================================================================================
VRF ID L3VSN ISID VRF NAME INJECT-DEFAULT-ROUTE-DISABLE
--------------------------------------------------------------------------------------
1 50 green Disabled
7 1000003 vrf3 Enabled

2 out of 2 Total Num of DVR L3VSN displayed


---------------------------------------------------------------------------------------
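The InjectDefaultRouteDisable field reads Enabled when injection is off, which is easy to misread during a review. The following Python sketch is an added illustration, not Extreme Networks code: it parses captured show dvr and show dvr l3vsn output and lists the routing contexts that still inject a default route. The function names and the sample captures are constructed.

```python
import re

# Constructed captures, in the layout this guide prints for the two commands.
SHOW_DVR = """\
Domain ID : 5
Role : Controller
InjectDefaultRouteDisable(GRT) : Enabled
"""

SHOW_DVR_L3VSN = """\
VRF ID L3VSN ISID VRF NAME INJECT-DEFAULT-ROUTE-DISABLE
-------------------------------------------------------
1 50 green Disabled
7 1000003 vrf3 Enabled

2 out of 2 Total Num of DVR L3VSN displayed
"""

GRT_RE = re.compile(r"^InjectDefaultRouteDisable\(GRT\)\s*:\s*(Enabled|Disabled)$")
# VRF ID, L3VSN I-SID, VRF name, flag. The trailer line does not match
# because its second token ("out") is not numeric.
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(Enabled|Disabled)$")


def injection_state(show_dvr, show_dvr_l3vsn):
    """Map each routing context to True if the Controller injects a default route.

    The displayed flag is a *disable* flag: 'Enabled' means injection is OFF.
    """
    state = {}
    for line in show_dvr.splitlines():
        m = GRT_RE.match(line.strip())
        if m:
            state["GRT"] = m.group(1) == "Disabled"
    if "GRT" not in state:
        # A Leaf summary has no such field; refuse to guess.
        raise ValueError("InjectDefaultRouteDisable(GRT) not found in show dvr output")
    for line in show_dvr_l3vsn.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            _vrf_id, _isid, name, flag = m.groups()
            state[name] = flag == "Disabled"
    return state


def unexpected_injection(state, may_inject):
    """Return the contexts that inject a default route but are not in the allowed set."""
    return sorted(ctx for ctx, injecting in state.items()
                  if injecting and ctx not in may_inject)


if __name__ == "__main__":
    current = injection_state(SHOW_DVR, SHOW_DVR_L3VSN)
    print(current)
    print("review:", unexpected_injection(current, may_inject=set()))
```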

Configuring DvR route redistribution


About This Task

Configure redistribution of direct or static routes into the DvR domain, on the Global Router or for a
specific VRF instance.

Procedure

1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF
context:
enable

configure terminal

Optional: router vrf WORD<1-16>


2. Configure route redistribution of direct routes:
a. Configure route redistribution of direct routes on a VRF. The route type is internal.
dvr redistribute direct [metric <0-65535>]|[route-map WORD<1-64>]
b. Enable route redistribution.
dvr redistribute direct enable
c. Apply the configuration:
dvr apply redistribute direct
d. (Optional) Disable route redistribution of direct routes.
no dvr redistribute direct
3. Configure route redistribution of static routes:
a. Configure route redistribution of static routes on a VRF. The route type is external.
dvr redistribute static [metric <0-65535>]|[route-map WORD<1-64>]
b. Enable route redistribution.
dvr redistribute static enable
c. Apply the configuration.
dvr apply redistribute static
d. (Optional) Disable route redistribution of static routes.
no dvr redistribute static


4. Verify the route redistribution configuration. You can also verify it on a specific VRF instance.
show dvr redistribute [vrf WORD<1-16>]

Example

Configure route redistribution of direct and static routes on the Global Router. Ensure that you apply the
configuration.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)#dvr redistribute static


Switch:1(config)#dvr redistribute static metric 200
Switch:1(config)#dvr redistribute static enable
Switch:1(config)#dvr apply redistribute static

Switch:1(config)#dvr redistribute direct


Switch:1(config)#dvr redistribute direct metric 100
Switch:1(config)#dvr redistribute direct enable
Switch:1(config)#dvr apply redistribute direct

Verify configuration on the Global Router:


Switch:1(config)#show dvr redistribute
===========================================================================
DVR Redistribute List - GlobalRouter
===========================================================================

SOURCE MET MTYPE ENABLE RPOLICY


---------------------------------------------------------------------------
STAT 200 External TRUE -
LOC 100 Internal TRUE -

Configure redistribution of direct and static routes on the specific VRF instance vrf1. Ensure that you
apply the configuration.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)#router vrf vrf1
Switch:1(router-vrf)#dvr redistribute static
Switch:1(router-vrf)#dvr redistribute static metric 20000
Switch:1(router-vrf)#dvr redistribute static enable
Switch:1(router-vrf)#exit
Switch:1(config)#dvr apply redistribute static

Switch:1(config)#router vrf vrf1
Switch:1(router-vrf)#dvr redistribute direct
Switch:1(router-vrf)#dvr redistribute direct metric 10000
Switch:1(router-vrf)#dvr redistribute direct enable
Switch:1(router-vrf)#exit
Switch:1(config)#dvr apply redistribute direct

Verify configuration on vrf1:


Switch:1(config)#show dvr redistribute vrf vrf1
============================================================================
DVR Redistribute List - VRF vrf1
============================================================================

SOURCE MET MTYPE ENABLE RPOLICY


----------------------------------------------------------------------------
STAT 20000 External TRUE -
LOC 10000 Internal TRUE -

Variable definitions
Use the data in the following table to use the dvr redistribute direct or the dvr
redistribute static commands.

Variable Value
enable Enables DvR route redistribution on the VRF instance.
Route redistribution is enabled by default.
metric <0-65535> Specifies the DvR route redistribution metric.
route-map WORD<1-64> Specifies the route policy for DvR route redistribution.

Use the data in the following table to use the show dvr redistribute command.

Variable Value
vrf WORD<1-16> Specifies the VRF name.

Clearing DvR host entries


About This Task

Clear DvR host entries (IPv4 remote host routes) on a Controller. The host entries are learned on the
switch, either locally on its UNI port or dynamically from other nodes in the DvR domain.

Note
You can clear DvR host entries only on a DvR Controller.
An error message displays if you attempt clearing of host entries on a DvR Leaf node.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Clear the DvR host entries.
clear dvr host-entries [ipv4 {A.B.C.D}] | [l2isid <0-16777215>] |
[l3isid <0-16777215>]


Example

In this example, you clear the host entries for IP address 50.0.1.0, which clears the host entries for IP
addresses 50.0.1.2 and 50.0.1.3.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#clear dvr host-entries ipv4 50.0.1.0

Variable definitions
Use the data in the following table to use the clear dvr host-entries command.

Variable Value
ipv4 Specifies the IP address (IPv4) of the DvR host entries to
clear.
l2isid Specifies the Layer 2 VSN I-SID of the DvR host entries to
clear.
The range is 1 to 16777215.
l3isid Specifies the Layer 3 VSN I-SID of the DvR host entries to
clear.
The range is 0 to 16777215.

Configuring a DvR Leaf


About This Task

Perform this procedure to create a DvR domain with the domain ID that you specify, and configure the
role of the node as a Leaf node. Configuring a node as a DvR Leaf automatically enables DvR globally
on the node.

A Leaf node can belong to only one DvR domain.

Note
For a node to perform the role of both a Controller and a Leaf within the domain, you must
configure it as a Controller.

Note
You must enable the VRF-scaling boot configuration flag on a DvR Leaf node, if more than 24
VRFs are required in the DvR domain.
For additional scaling information, see VOSS Release Notes.

Before You Begin


• You must enable the dvr-leaf-mode boot flag before you configure a node as a DvR Leaf node.

Note
When you enable the dvr-leaf-mode boot flag, you can configure the node as a DvR
leaf node without rebooting, as long as there is no unsupported configuration discovered
on the switch.


To verify the setting, enter show boot config flags in Privileged EXEC mode.

Caution
Ensure that you save the current configuration on the switch, before you enable the flag.
Enabling the flag removes all existing non-DvR configuration on the switch, such as
platform VLANs and their IP address configuration, circuitless IP (CLIP) configuration,
routing protocol configuration and VRF configuration. The gateway IPv4 address, if
configured, is also removed.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure a node as a DvR Leaf.
dvr leaf <1-255>
3. (Optional) Disable DvR on a DvR Leaf.
no dvr leaf

Caution
Disabling DvR on a Leaf node removes its membership with the DvR domain and all the
dynamic content learned from the Controllers of that domain.

4. View a summary of the Leaf configuration.


show dvr
5. Restart the switch for your change to take effect.

Example

Configure a node as a DvR Leaf:


Switch2:1>enable
Switch2:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch2:1(config)#boot config flags dvr-leaf-mode


Switch2:1(config)#save config
Switch2:1(config)#dvr leaf 5

Switch2:1(config)#show dvr

===========================================================================
DVR Summary Info
===========================================================================
Domain ID : 5
Domain ISID : 16678219
Role : Leaf
My SYS ID : 00:00:72:54:44:00
Operational State : Up
GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP :
Virtual Ist local address :
Virtual Ist local subnet mask :
Virtual Ist peer address :


Virtual Ist cluster-id :


Virtual Ist ISID :

Variable definitions
Use the data in the following table to use the dvr leaf command.

Variable Value
<1-255> Specifies the domain ID of the DvR domain to which the
Leaf node belongs.

Configuring vIST on a DvR Leaf node pair


Before You Begin

Ensure that the nodes are configured as DvR Leaf nodes, before you configure vIST.

About This Task

When you configure vIST on a DvR Leaf node pair, the switch generates an I-SID from the configured
cluster ID. This I-SID is unique across the SPB network as long as the cluster ID is unique across the SPB
network, for the vIST pair. You can configure only one instance of vIST on the Leaf node pair.

To configure vIST, both nodes must be Leaf nodes. You cannot configure vIST, for example, on a
Controller-Leaf node pair.

Also both the nodes must belong to the same DvR domain. vIST configuration over Leaf nodes in
different domains is not supported.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure vIST on the Leaf nodes:
dvr leaf virtual-ist {<A.B.C.D/X>|<A.B.C.D> <A.B.C.D>} peer-ip
{A.B.C.D} cluster-id <1-1000>
3. (Optional) Disable vIST on the DvR Leaf node pair.
no dvr leaf virtual-ist

Caution
Disabling DvR on a Leaf node in a vIST pair removes all vIST configuration on that node,
but not on the pair. The node on which DvR is disabled also loses its membership with the
DvR domain and all the dynamic content learned from the Controllers in that domain.
If DvR is re-enabled on the node, you must manually configure vIST on that node again.

4. View a summary of vIST configuration on the Leaf nodes.


show dvr


Example

Configure vIST on DvR Leaf nodes, with IP addresses 51.51.51.1 and 51.51.51.2 respectively:
Switch2:1>enable
Switch2:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch2:1(config)#dvr leaf virtual-ist 51.51.51.1 peer-ip 51.51.51.2 cluster-id 255
Switch2:1(config)#show dvr

======================================================================
DVR Summary Info
======================================================================
Domain ID : 5
Domain ISID : 16678219
Role : Leaf
My SYS ID : 00:bb:00:00:71:23
Operational State : Up
GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP :
Virtual Ist local address : 51.51.51.1
Virtual Ist local subnet mask : 255.255.255.0
Virtual Ist peer address : 51.51.51.2
Virtual Ist cluster-id : 255
Virtual Ist ISID : 16677226

Variable definitions
Use the data in the following table to use the dvr leaf virtual-ist command.

Variable Value
{<A.B.C.D/X>|<A.B.C.D> <A.B.C.D>} Specifies the local IP (IPv4) address and subnet mask of the node.
{<A.B.C.D>} Specifies the IP address (IPv4) of the vIST peer.
<1-1000> Specifies the cluster ID of vIST. It is set to 0 if vIST is not configured.

Configure a Management VLAN on a DvR Leaf Node


Note
This procedure does not apply to VSP 8600 Series.

About This Task

On a DvR leaf node, you can configure a Management Instance VLAN by specifying the I-SID. Use the
following procedure to configure a Management Instance VLAN on a DvR leaf node.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. Configure a Management Instance VLAN I-SID:


mgmt vlan i-sid <1-16777215>

Variable Definitions
The following table defines parameters for the mgmt vlan i-sid command.

Variable Value
1-16777215 Specifies the VLAN I-SID to associate with the management VLAN.

Delete a Management VLAN on a DvR Leaf Node


Note
This procedure does not apply to VSP 8600 Series.

About This Task

Perform this procedure to delete a Management Instance VLAN on a DvR leaf node.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Delete the management VLAN:
no mgmt vlan

Moving a vIST Leaf node pair from one domain to another


About This Task

Use this procedure to move a vIST Leaf node pair from one DvR domain to another.

For vIST to work properly, both Leaf nodes must be in the same domain.

Procedure

1. Disable IS-IS on each vIST peer Leaf node, to remove the node from the SPB network.
no router isis enable


2. Disable DvR on each Leaf node.


no dvr leaf

Caution
Disabling DvR on a Leaf node in a vIST pair automatically removes all vIST configuration
on that node, but not on the pair. The node on which DvR is disabled also loses
its membership with the DvR domain and all the dynamic content learned from the
Controllers in that domain.
When you re-enable DvR on the node, you must manually configure vIST on that node
again.

3. Configure each node as a DvR Leaf node, with the new domain ID.
Ensure that you configure both nodes as Leaf nodes and with the same domain ID.

dvr leaf <1-255>


4. Configure vIST on the DvR Leaf nodes.
dvr leaf virtual-ist {<A.B.C.D/X>|<A.B.C.D> <A.B.C.D>} peer-ip
{A.B.C.D} cluster-id <1-1000>
5. Enable IS-IS on each vIST peer Leaf node, to add back the node to the SPB network.
router isis enable

Example

Consider two vIST peer Leaf nodes Switch1 (IP address 51.51.51.1) and Switch2
(51.51.51.2) that belong to a DvR domain (with domain ID 4), that you need to move to another
domain (with domain ID 5).

View a summary of existing Leaf configuration on each node.


Switch1:1(config)#show dvr

===========================================================================
DVR Summary Info
===========================================================================
Domain ID : 4
Domain ISID : 16678220
Role : Leaf
My SYS ID : 00:00:72:54:44:00
Operational State : Up
GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP :
Virtual Ist local address : 51.51.51.1
Virtual Ist local subnet mask : 255.255.255.0
Virtual Ist peer address : 51.51.51.2
Virtual Ist cluster-id : 255
Virtual Ist ISID : 16677226
Switch2:1(config)#show dvr

===========================================================================
DVR Summary Info
===========================================================================
Domain ID : 4
Domain ISID : 16678220
Role : Leaf
My SYS ID : 00:00:72:55:45:00
Operational State : Up


GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP :
Virtual Ist local address : 51.51.51.1
Virtual Ist local subnet mask : 255.255.255.0
Virtual Ist peer address : 51.51.51.2
Virtual Ist cluster-id : 255
Virtual Ist ISID : 16677226

Disable IS-IS globally on each Leaf node.


Switch1:1>en
Switch1:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1:1(config)#router isis
Switch1:1(config-isis)#no router isis enable
Switch1:1(config-isis)#exit
Switch1:1(config)#
Switch2:1>en
Switch2:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch2:1(config)#router isis
Switch2:1(config-isis)#no router isis enable
Switch2:1(config-isis)#exit
Switch2:1(config)#

Disable DvR on each node. This automatically removes all vIST configuration on the node, but not on
the vIST pair. The node also loses its membership with the DvR domain and all the dynamic content
learned from the Controllers in that domain.
Switch1:1(config)#no dvr leaf
Switch2:1(config)#no dvr leaf

Configure each node as a DvR Leaf, with domain ID 5.


Switch1:1(config)#dvr leaf 5
Switch2:1(config)#dvr leaf 5

Configure vIST on each of the DvR Leaf nodes.


Switch1:1(config)#dvr leaf virtual-ist 51.51.51.1 peer-ip 51.51.51.2 cluster-id 255
Switch2:1(config)#dvr leaf virtual-ist 51.51.51.2 peer-ip 51.51.51.1 cluster-id 255

Enable IS-IS globally on each Leaf node.


Switch1:1(config)#router isis
Switch1:1(config-isis)#router isis enable
Switch1:1(config-isis)#exit
Switch1:1(config)#
Switch2:1(config)#router isis
Switch2:1(config-isis)#router isis enable
Switch2:1(config-isis)#exit
Switch2:1(config)#

View a summary of Leaf configuration on each node.


Switch1:1(config)#show dvr

===========================================================================
DVR Summary Info
===========================================================================
Domain ID : 5


Domain ISID : 16678221


Role : Leaf
My SYS ID : 00:00:72:54:44:00
Operational State : Up
GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP :
Virtual Ist local address : 51.51.51.1
Virtual Ist local subnet mask : 255.255.255.0
Virtual Ist peer address : 51.51.51.2
Virtual Ist cluster-id : 255
Virtual Ist ISID : 16677226
Switch2:1(config)#show dvr

===========================================================================
DVR Summary Info
===========================================================================
Domain ID : 5
Domain ISID : 16678221
Role : Leaf
My SYS ID : 00:00:72:55:45:00
Operational State : Up
GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP :
Virtual Ist local address : 51.51.51.1
Virtual Ist local subnet mask : 255.255.255.0
Virtual Ist peer address : 51.51.51.2
Virtual Ist cluster-id : 255
Virtual Ist ISID : 16677226
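A post-move check for the requirements stated in this procedure: both Leaf nodes in the same domain, vIST reconfigured after no dvr leaf, and each node's local address matching the other node's peer address. This Python example is added here and is not part of the VOSS documentation or software; it uses the field names from the show dvr output, and the function names and sample captures are constructed.

```python
def parse_show_dvr(text):
    """Return the 'Key : Value' lines of a 'show dvr' summary as a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, '====' rules, the title and echoed CLI prompts.
        if not line or "#" in line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only, so MACs stay whole
        fields[key.strip()] = value.strip()
    return fields


def vist_configured(node):
    """vIST counts as unconfigured when the cluster-id is blank or 0."""
    return node.get("Virtual Ist cluster-id", "") not in ("", "0")


def audit_vist_pair(text_a, text_b, expected_domain):
    """Compare two Leaf peers; return 'code: detail' findings (empty list = pass)."""
    a, b = parse_show_dvr(text_a), parse_show_dvr(text_b)
    findings = []
    for name, node in (("A", a), ("B", b)):
        if node.get("Role") != "Leaf":
            findings.append(f"role: node {name} is {node.get('Role')!r}")
        if node.get("Domain ID") != str(expected_domain):
            findings.append(f"domain: node {name} is in domain {node.get('Domain ID')!r}")
        if node.get("Operational State") != "Up":
            findings.append(f"state: node {name} is {node.get('Operational State')!r}")
        if not vist_configured(node):
            findings.append(f"vist-missing: node {name} has no vIST configuration")
    if vist_configured(a) and vist_configured(b):
        if a["Virtual Ist cluster-id"] != b["Virtual Ist cluster-id"]:
            findings.append("cluster-id: peers use different cluster IDs")
        # Each node's local address must be the other node's peer address.
        if (a.get("Virtual Ist local address") != b.get("Virtual Ist peer address")
                or a.get("Virtual Ist peer address") != b.get("Virtual Ist local address")):
            findings.append("peer-ip: local and peer addresses are not mirrored")
    return findings


def sample(host, domain, sys_id, local, peer, cluster):
    """Build a constructed 'show dvr' capture using this guide's field names."""
    mask = "255.255.255.0" if local else ""
    return "\n".join([
        f"{host}:1(config)#show dvr",
        "=" * 60, "DVR Summary Info", "=" * 60,
        f"Domain ID : {domain}",
        "Role : Leaf",
        f"My SYS ID : {sys_id}",
        "Operational State : Up",
        f"Virtual Ist local address : {local}",
        f"Virtual Ist local subnet mask : {mask}",
        f"Virtual Ist peer address : {peer}",
        f"Virtual Ist cluster-id : {cluster}",
    ])


# Constructed captures: a correctly moved node, its correctly moved peer,
# a peer left in the old domain with vIST removed, and a peer configured
# with the first node's own addresses.
NODE_A = sample("Switch1", 5, "00:00:72:54:44:00", "51.51.51.1", "51.51.51.2", "255")
NODE_B_OK = sample("Switch2", 5, "00:00:72:55:45:00", "51.51.51.2", "51.51.51.1", "255")
NODE_B_STALE = sample("Switch2", 4, "00:00:72:55:45:00", "", "", "")
NODE_B_COPY = sample("Switch2", 5, "00:00:72:55:45:00", "51.51.51.1", "51.51.51.2", "255")

if __name__ == "__main__":
    for label, peer in (("ok", NODE_B_OK), ("stale", NODE_B_STALE), ("copy", NODE_B_COPY)):
        print(label, audit_vist_pair(NODE_A, peer, expected_domain=5))
```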

Moving a vIST Controller pair from one domain to another


About This Task

Use this procedure to move a vIST Controller node pair from one DvR domain to another.

For vIST to work properly, both Controller nodes must be in the same domain.

Procedure

1. Disable IS-IS on each vIST peer Controller node, to remove the node from the SPB network.
no router isis enable
2. Disable DvR on each Controller node:
no dvr controller

Caution
Disabling DvR on a DvR Controller destroys the domain ID and all dynamic content
learned within the DvR domain. However, the switch retains the VLAN specific
configuration which you can view using the command show running-config.

3. Configure each node as a DvR Controller node, with the new domain ID. Ensure that you configure
both nodes as Controller nodes and with the same domain ID.
dvr controller <1-255>
4. Enable IS-IS on each vIST peer Controller node, to add back the node to the SPB network.
router isis enable


Example

Consider two vIST peer Controller nodes Switch1 (IP address 51.51.51.3) and Switch2
(51.51.51.4) that belong to a DvR domain (with domain ID 4), that you need to move to another
domain (with domain ID 5).

View a summary of Controller configuration on each node:


Switch1:1(config)#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 4
Domain ISID : 16678220
Backbone ISID : 16678216
Role : Controller
My SYS ID : 00:bb:00:00:81:21
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Disabled
Switch2:1(config)#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 4
Domain ISID : 16678220
Backbone ISID : 16678216
Role : Controller
My SYS ID : 00:bb:00:00:82:22
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Disabled

Disable IS-IS globally on each Controller node:


Switch1:1>en
Switch1:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1:1(config)#router isis
Switch1:1(config-isis)#no router isis enable
Switch1:1(config-isis)#exit
Switch1:1(config)#
Switch2:1>en
Switch2:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch2:1(config)#router isis
Switch2:1(config-isis)#no router isis enable
Switch2:1(config-isis)#exit
Switch2:1(config)#

Disable DvR on each node:


Switch1:1(config)#no dvr controller
Switch2:1(config)#no dvr controller

Configure each node as a DvR Controller, with domain ID 5.


Switch1:1(config)#dvr controller 5
Switch2:1(config)#dvr controller 5


Enable IS-IS globally on each Controller node.


Switch1:1(config)#router isis
Switch1:1(config-isis)#router isis enable
Switch1:1(config-isis)#exit
Switch1:1(config)#
Switch2:1(config)#router isis
Switch2:1(config-isis)#router isis enable
Switch2:1(config-isis)#exit
Switch2:1(config)#

View a summary of Controller configuration on each node.


Switch1:1(config)#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 5
Domain ISID : 16678221
Backbone ISID : 16678216
Role : Controller
My SYS ID : 00:bb:00:00:81:21
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Disabled
Switch2:1(config)#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 5
Domain ISID : 16678221
Backbone ISID : 16678216
Role : Controller
My SYS ID : 00:bb:00:00:82:22
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Disabled

View the vIST configuration on each of the Controller nodes.


Switch1:1>show virtual-ist

===============================================================================
IST Info
===============================================================================
PEER-IP VLAN ENABLE IST
ADDRESS ID IST STATUS
-------------------------------------------------------------------------------
51.51.51.2 4002 true up

NEGOTIATED MASTER/
DIALECT IST STATE SLAVE
-------------------------------------------------------------------------------
NONE up Master

Switch2:1>show virtual-ist

===============================================================================
IST Info
===============================================================================


PEER-IP VLAN ENABLE IST


ADDRESS ID IST STATUS
-------------------------------------------------------------------------------
51.51.51.1 4002 true up

NEGOTIATED MASTER/
DIALECT IST STATE SLAVE
--------------------------------------------------------------------------------
NONE up Slave

Configure a non-DvR BEB to Join the DvR Backbone


About This Task

Configure a non-DvR backbone edge bridge (BEB) to join the DvR backbone so that it can receive
redistributed DvR host routes from all DvR Controllers in the SPB network.

Note
On a non-DvR BEB, the redistributed host routes from the DvR backbone are not
automatically installed in the IP routing table. To utilize the backbone host routes to optimize
traffic forwarding (forwarding in the data plane), you must explicitly configure an IS-IS accept
policy with a backbone route policy using the command accept backbone-route-map
<route-map-name>, and specify a suitable route-map to select the list or range of DvR
backbone host routes to be installed in the routing table.
For more information on configuring an IS-IS accept policy with a backbone route policy, see
Configuring IS-IS Accept Policies on page 1374.

Procedure
1. Enter IS-IS Router Configuration mode:
enable

configure terminal

router isis
2. Configure a non-DvR BEB to join the DvR backbone.
backbone enable
3. Verify the configuration using the following commands.
• show dvr backbone-members
• show dvr backbone-members non-dvr-beb
• show dvr backbone-entries
• show isis

Examples
Switch3:1>enable
Switch3:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch3:1(config)#router isis
Switch3:1(config-isis)#show dvr


=====================================================================
NON DVR BEB Summary Info
=====================================================================
Domain ID : 0
Domain ISID : 0
Backbone ISID : 16678216
Role : NON DVR BEB
My SYS ID : 00:00:82:84:40:00
Operational State : Up

Configure the non-DvR BEB to join the DvR backbone.


Switch3:1(config-isis)#backbone enable

Verify the configuration. View the DvR backbone members.


Switch3:1(config-isis)#show dvr backbone-members

=============================================================================================================
DVR BB Members
=============================================================================================================
System Name Nick-Name Nodal MAC Role Domain Id Area Area-Name
-------------------------------------------------------------------------------------------------------------
DVR-8284-D2-C1-40 0.82.40 00:00:82:84:40:00 NON-DVR-BEB 9999 HOME area-0.00.20

DVR-8284-D2-C2-41 0.82.41 00:00:82:84:41:00 Controller 9999 HOME area-0.00.20

Home: 2 out of 2 Total Num of DVR Backbone Members displayed


-------------------------------------------------------------------------------------------------------------

Switch3:1(config-isis)#show dvr backbone-members non-dvr-beb

============================================================================================================
DVR BB Members
============================================================================================================
System Name Nick-Name Nodal MAC Role Domain Id Area Area-Name
------------------------------------------------------------------------------------------------------------
DVR-8284-D2-C1-40 0.82.40 00:00:82:84:40:00 NON-DVR-BEB 9999 HOME area-0.00.20

Home: 1 out of 2 Total Num of DVR Backbone Members displayed


------------------------------------------------------------------------------------------------------------

View the backbone DvR host routes that the non-DvR BEB receives from other Controllers in the SPB
network.

Switch3:1(config-isis)#show dvr backbone-entries

=============================================================================================================================
DVR Backbone-Entries
=============================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID ID ADV-CONTROLLER NEXT HOP AREA AREA-NAME
-----------------------------------------------------------------------------------------------------------------------------
39.1.1.4 10:cd:ae:70:5d:01 401 10390 200 DVR-8284-D2-C2-41 DVR-8284-D2-C2-41 REMOTE area-0.00.30
39.2.1.4 10:cd:ae:70:5d:01 401 10391 200 DVR-8284-D2-C2-41 DVR-8284-D2-C2-41 REMOTE area-0.00.30
39.3.1.4 10:cd:ae:70:5d:01 401 10392 200 DVR-8284-D2-C2-41 DVR-8284-D2-C2-41 REMOTE area-0.00.30
39.4.1.4 10:cd:ae:70:5d:01 401 10393 200 DVR-8284-D2-C2-41 DVR-8284-D2-C2-41 REMOTE area-0.00.30
39.5.1.4 10:cd:ae:70:5d:01 401 10394 200 DVR-8284-D2-C2-41 DVR-8284-D2-C2-41 REMOTE area-0.00.30
39.6.1.4 10:cd:ae:70:5d:01 401 10395 200 DVR-8284-D2-C2-41 DVR-8284-D2-C2-41 REMOTE area-0.00.30

Remote: 6 out of 427 Total Num of DVR Backbone Routes displayed


-----------------------------------------------------------------------------------------------------------------------------


View the IS-IS related information.


Switch3:1(config-isis)#show isis

====================================================================================
ISIS General Info
====================================================================================
AdminState : enabled
RouterType : Level 1
System ID : 00bb.0000.8121
Max LSP Gen Interval : 900
Metric : wide
Overload-on-startup : 20
Overload : false
Csnp Interval : 10
PSNP Interval : 2
Rxmt LSP Interval : 5
spf-delay : 100
Router Name : router_r1
ip source-address :
ipv6 source-address :
ip tunnel source-address :
Tunnel vrf :
ONA Port :
ip tunnel mtu :
Num of Interfaces : 3
Num of Area Addresses : 1
Inband Mgmt Clip IP :72.54.44.1
backbone :enabled
Dynamically Learned Area : 00.0000.0000
FAN Member : No
Multi-Area OperState : disabled
Hello Padding : enabled
Multi-Area Flags : home-always-up

DvR show commands


The following section explains the show commands for DvR.

Viewing DvR summary


Use this procedure to view a summary of the DvR configuration on a DvR Controller or a DvR Leaf.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View a summary of DvR configuration:
show dvr

Example

View the information on a DvR Controller:


Switch:1#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 5
Domain ISID : 16678219


Backbone ISID : 16678216


Role : Controller
My SYS ID : 00:bb:00:00:81:21
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Enabled

View the information on a DvR Leaf:


Switch2:1#show dvr

======================================================================
DVR Summary Info
======================================================================
Domain ID : 5
Domain ISID : 16678219
Role : Leaf
My SYS ID : 00:bb:00:00:71:23
Operational State : Up
GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP : 72.54.44.1
Virtual Ist local address : 51.51.51.1
Virtual Ist local subnet mask : 255.255.255.0
Virtual Ist peer address : 51.51.51.2
Virtual Ist cluster-id : 255
Virtual Ist ISID : 16677226

Viewing members of a DvR domain


About This Task

View the members of all DvR domains, namely the Controllers and Leaf nodes.

You can view this information on either a Controller or a Leaf node. Both the Controller and the Leaf
node display the members of the DvR domain to which they belong.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View the members of the DvR domain:
show dvr members [controller|leaf]

Example

View all members of a DvR domain:


Switch:1#show dvr members

================================================================================================
DVR Members (Domain ID: 255)
================================================================================================
System Name Nick-Name Nodal MAC Role
------------------------------------------------------------------------------------------------
Leaf-4:110 0.41.10 00:bb:00:00:41:10 Leaf
Leaf-1:Q:123 0.71.23 00:bb:00:00:71:23 Leaf
Leaf-2:K:124 0.71.24 00:bb:00:00:71:24 Leaf
Leaf-3:K:125 0.71.25 00:bb:00:00:71:25 Leaf
Ctrl-1:Q:121 0.81.21 00:bb:00:00:81:21 Controller
Ctrl-2:Q:122 0.81.22 00:bb:00:00:81:22 Controller

6 out of 6 Total Num of DVR Members displayed


------------------------------------------------------------------------------------------------

View member DvR Controllers:


Switch:1#show dvr members controller

===============================================================================================
DVR Members (Domain ID: 255)
================================================================================================
System Name Nick-Name Nodal MAC Role
------------------------------------------------------------------------------------------------
Ctrl-1:Q:121 0.81.21 00:bb:00:00:81:21 Controller
Ctrl-2:Q:122 0.81.22 00:bb:00:00:81:22 Controller

2 out of 6 Total Num of DVR Members displayed


------------------------------------------------------------------------------------------------

View member DvR Leaf nodes:


Switch:1#show dvr members leaf

==============================================================================================
DVR Members (Domain ID: 255)
==============================================================================================
System Name Nick-Name Nodal MAC Role
----------------------------------------------------------------------------------------------
Leaf-4:110 0.41.10 00:bb:00:00:41:10 Leaf
Leaf-1:Q:123 0.71.23 00:bb:00:00:71:23 Leaf
Leaf-2:K:124 0.71.24 00:bb:00:00:71:24 Leaf
Leaf-3:K:125 0.71.25 00:bb:00:00:71:25 Leaf

4 out of 6 Total Num of DVR Members displayed


-----------------------------------------------------------------------------------------------
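The following added example (not part of the VOSS guide or any Extreme Networks tooling) parses captured `show dvr members` output in the format shown above and audits it against an approved inventory, flagging unapproved nodes, role changes, missing members, and truncated or filtered captures. The inventory, the function names, and the constructed capture are assumptions made for illustration.

```python
import re

# Row layout from the `show dvr members` examples: name, nick-name, nodal MAC, role.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<nick>[0-9a-f]\.[0-9a-f]{2}\.[0-9a-f]{2})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<role>Controller|Leaf)$",
    re.IGNORECASE,
)
DOMAIN = re.compile(r"DVR Members \(Domain ID:\s*(\d+)\)")
FOOTER = re.compile(r"(\d+) out of (\d+) Total Num of DVR Members displayed")

# Assumption: the approved inventory (nodal MAC -> role) is the six members
# listed in the guide's example output.
APPROVED = {
    "00:bb:00:00:41:10": "Leaf",
    "00:bb:00:00:71:23": "Leaf",
    "00:bb:00:00:71:24": "Leaf",
    "00:bb:00:00:71:25": "Leaf",
    "00:bb:00:00:81:21": "Controller",
    "00:bb:00:00:81:22": "Controller",
}

# Constructed capture (not real device output): one Leaf now reports as a
# Controller, one unknown Controller has joined, and two Leaf nodes are absent.
CONSTRUCTED_OUTPUT = """\
Switch:1#show dvr members

====================================================================
DVR Members (Domain ID: 255)
====================================================================
System Name Nick-Name Nodal MAC Role
--------------------------------------------------------------------
Leaf-4:110 0.41.10 00:bb:00:00:41:10 Leaf
Leaf-1:Q:123 0.71.23 00:bb:00:00:71:23 Controller
Ctrl-1:Q:121 0.81.21 00:bb:00:00:81:21 Controller
Ctrl-2:Q:122 0.81.22 00:bb:00:00:81:22 Controller
Ctrl-9:X:199 0.91.99 00:bb:00:00:91:99 Controller

5 out of 5 Total Num of DVR Members displayed
--------------------------------------------------------------------
"""


def parse_members(text):
    """Parse `show dvr members` output into domain ID, member rows and counts."""
    parsed = {"domain_id": None, "members": [], "displayed": None, "total": None}
    for line in text.splitlines():
        line = line.strip()
        if m := DOMAIN.search(line):
            parsed["domain_id"] = int(m.group(1))
        elif m := FOOTER.search(line):
            parsed["displayed"], parsed["total"] = int(m.group(1)), int(m.group(2))
        elif m := ROW.match(line):
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            row["role"] = row["role"].capitalize()
            parsed["members"].append(row)
    return parsed


def audit_members(parsed, approved, expected_domain):
    """Return a list of (severity, message) findings for one parsed capture."""
    findings = []
    members = parsed["members"]
    if parsed["domain_id"] != expected_domain:
        findings.append(
            ("high", f"domain ID {parsed['domain_id']} != expected {expected_domain}"))
    # The "N out of M" footer lets us detect truncated or filtered captures.
    if parsed["displayed"] != len(members):
        findings.append(
            ("warn", f"parsed {len(members)} rows but footer reports "
                     f"{parsed['displayed']}; capture may be truncated"))
    complete = parsed["displayed"] == parsed["total"] == len(members)
    seen = {}
    for row in members:
        mac, role = row["mac"], row["role"]
        if mac in seen:
            findings.append(
                ("high", f"nodal MAC {mac} listed twice ({seen[mac]}, {row['name']})"))
        seen[mac] = row["name"]
        if mac not in approved:
            findings.append(("high", f"unapproved {role} {row['name']} ({mac})"))
        elif approved[mac] != role:
            findings.append(
                ("high", f"{row['name']} ({mac}) is {role}, approved as {approved[mac]}"))
    # Only report absent members when the capture lists the whole domain
    # (not a `controller` or `leaf` filtered view).
    if complete:
        for mac in sorted(set(approved) - set(seen)):
            findings.append(("warn", f"approved {approved[mac]} {mac} missing from domain"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_members(parse_members(CONSTRUCTED_OUTPUT), APPROVED, 255):
        print(f"[{severity}] {message}")
```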

Viewing DvR interfaces


View the DvR interfaces on either a Controller or a Leaf node.

On Controllers, DvR interfaces are created when you configure IP on a DvR enabled Layer 2 VSN (VLAN,
I-SID). Only Controllers display the administrative state of the interfaces because this is where you
enable or disable the interfaces. The Leaf nodes display DvR interface information that is pushed from
the Controllers, for example, subnet routes or gateway IP addresses for the Layer 2 VSNs.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. Enter Privileged EXEC mode:


enable


2. View the DvR interface information.


On a Controller:

show dvr interfaces [l3isid <0-16777215>] [vrf WORD<1-16>] [vrfids WORD<0-512>]

On a Leaf node:

show dvr interfaces [l3isid <0-16777215>]

Viewing the DvR interface information for a specific VRF or VRF ID is not supported on a DvR Leaf
node.

Example

View DvR interfaces on a Controller node:

You can view DvR interface information on all interfaces or for a specific Layer 3 I-SID, VRF, or VRF ID.
Switch:1#show dvr interfaces

==================================================================================================
DVR Interfaces
==================================================================================================
Admin SPBMC IGMP
Interface Mask L3ISID VRFID L2ISID VLAN GW IPv4 State State Version
--------------------------------------------------------------------------------------------------
50.0.1.2 255.255.0.0 55500 1 50500 500 50.0.1.1 enable disable 2

1 out of 1 Total Num of DVR Interfaces displayed


---------------------------------------------------------------------------------------------------

View DvR interfaces on a Leaf node:

You can view DvR interface information on all interfaces or for a specific Layer 3 I-SID. Viewing the
interface information for a specific VRF or VRF ID is not supported on a DvR Leaf node.
Switch:1#show dvr interfaces l3isid 401

================================================================================
DVR Interfaces
================================================================================

Interface Mask L3ISID VRFID L2ISID VLAN GW IPv4


--------------------------------------------------------------------------------
40.1.0.0 255.255.0.0 401 2 10401 77 40.1.1.11
40.2.0.0 255.255.0.0 401 2 10402 78 40.2.1.11
40.3.0.0 255.255.0.0 401 2 10403 79 40.3.1.11
40.4.0.0 255.255.0.0 401 2 10404 80 40.4.1.11

4 out of 4 Total Num of DVR Interfaces displayed


----------------------------------------------------------------------------------


Variable definitions

Use the data in the following table to use the show dvr interfaces command.

Variable    Value
l3isid      Specifies the Layer 3 I-SID of the DvR interface. The range is 0 to 16777215.
vrf         Specifies the VRF name.
vrfids      Specifies the VRF ID. The range is 0 to 512.

Viewing DvR host entries


About This Task

View DvR host entries (IPv4 remote host routes) on either a Controller or a Leaf node. The node
displays the host entries learned either locally on its Switched UNI port or dynamically from other nodes
within the DvR domain.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View the DvR host entries.
On a Controller:

show dvr host-entries [domain-id <1-255>]|[ipv4 {A.B.C.D}]|[l2isid <1-16777215>]|[l3isid <0-16777215>]|[nh-as-mac]|[type <1-2>]|[vrf WORD<1-16>] [vrfids WORD<0-512>]

On a Leaf node:

show dvr host-entries [domain-id <1-255>]|[ipv4 {A.B.C.D}]|[l2isid <1-16777215>]|[l3isid <0-16777215>]|[nh-as-mac]|[type <1-2>]

Viewing the DvR host entries for a specific VRF or VRF ID is not supported on a DvR Leaf node.

Example

View DvR host entries on either a Controller or a Leaf node.

Viewing the DvR host entries for a specific VRF or VRF ID is not supported on a DvR Leaf node.
Switch:1#show dvr host-entries domain-id 255 l3isid 55500

==================================================================================================================
DVR Host-Entries
==================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID VRFID PORT ID TYPE NEXT HOP
------------------------------------------------------------------------------------------------------------------

50.0.1.2 b0:ad:aa:42:ed:04 55500 50500 0 2/23 255 DYNAMIC Cont-1:121
50.0.1.3 b0:ad:aa:4c:3d:01 55500 50500 0 cpp 255 LOCAL Cont-2:122

2 out of 2 Total Num of DVR Host Entries displayed


-------------------------------------------------------------------------------------------------------------------

View DvR host entries for a specific IP address.

In this example, you enter IP address 50.0.1.0 to display host entries for IP addresses 50.0.1.2 and
50.0.1.3.
Switch:1#show dvr host-entries ipv4 50.0.1.0

==================================================================================================================
DVR Host-Entries
==================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID VRFID PORT ID TYPE NEXT HOP
------------------------------------------------------------------------------------------------------------------
50.0.1.2 b0:ad:aa:42:ed:04 55500 50500 0 2/23 2 DYNAMIC Cont-1:121
50.0.1.3 b0:ad:aa:4c:3d:01 55500 50005 0 cpp 2 LOCAL Cont-2:122

2 out of 2 Total Num of DVR Host Entries displayed


-------------------------------------------------------------------------------------------------------------------

View DvR host entries where the next hop displays the MAC address instead of the system name.
Switch:1#show dvr host-entries nh-as-mac

==================================================================================================================
DVR Host-Entries
==================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID VRFID PORT ID TYPE NEXT HOP
------------------------------------------------------------------------------------------------------------------
50.0.1.2 b0:ad:aa:42:ed:04 55500 50500 0 2/23 2 DYNAMIC 00:bb:00:00:01:01
50.0.1.3 b0:ad:aa:4c:3d:01 55500 50500 0 cpp 2 LOCAL 00:bb:00:00:01:02

2 out of 2 Total Num of DVR Host Entries displayed


-------------------------------------------------------------------------------------------------------------------

View DvR host entries based on the host type. Type 1 indicates local hosts and type 2 dynamic hosts.
Switch:1#show dvr host-entries type 2

==================================================================================================================
DVR Host-Entries
==================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID VRFID PORT ID TYPE NEXT HOP
------------------------------------------------------------------------------------------------------------------
50.0.1.2 b0:ad:aa:42:ed:04 55500 50500 0 2/23 2 DYNAMIC 00:bb:00:00:01:01

1 out of 2 Total Num of DVR Host Entries displayed


-------------------------------------------------------------------------------------------------------------------


Variable definitions

Use the data in the following table to use the show dvr host-entries command.

Variable     Value
domain-id    Specifies the domain ID of the DvR host entry. The range is 1 to 255.
ipv4         Specifies the IP address (IPv4) of the DvR host entry.
l2isid       Specifies the Layer 2 VSN I-SID of the DvR host entry. The range is 1 to 16777215.
l3isid       Specifies the Layer 3 VSN I-SID of the DvR host entry. The range is 0 to 16777215.
nh-as-mac    Specifies the MAC address of the next hop node instead of the system name.
type         Specifies the host type of the DvR host entry. A value of 1 indicates local hosts and a value of 2 indicates dynamic hosts.
vrf          Specifies the VRF name of the DvR host entry.
vrfids       Specifies the VRF ID of the DvR host entry. The range is 0 to 512.

Viewing DvR routes


About This Task

View the DvR routes (IPv4 network routes) on a DvR Controller or a Leaf node.

Controllers display all the IP subnet routes configured for that DvR domain. The Leaf nodes display
the IP subnet routes that are learned from the Controller(s) for the Layer 2 VSNs in the DvR Domain.
Leaf nodes also display routes that are redistributed by Controllers (direct routes, static routes and the
default route), into the DvR domain.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View the DvR routes.
On a Controller:

show dvr routes [ipv4 {A.B.C.D}]|[l3isid <0-16777215>]|[nh-as-mac]|[vrf WORD<1-16>]|[vrfids WORD<0-512>]

On a Leaf node:

show dvr routes [ipv4 {A.B.C.D}]|[l3isid <0-16777215>]|[nh-as-mac]

Viewing the DvR routes for a specific VRF or VRF ID is not supported on a DvR Leaf node.


Example

View DvR routes on either a Controller or a Leaf node.

Viewing the DvR routes for a specific VRF or VRF ID is not supported on a DvR Leaf node.
Switch:1#show dvr routes

========================================================================================================================
DVR Routes
========================================================================================================================
NEXT L3VSN L2VSN
DEST MASK HOP VRFID ISID ISID TYPE COST
------------------------------------------------------------------------------------------------------------------------
50.0.0.0 255.255.0.0 Ctrl-1:8400:121 0 55500 50500 - 1

1 out of 1 Total Num of DVR Routes displayed


-----------------------------------------------------------------------------------------------------------------------
TYPE Legend: E=Ecmp Route

View DvR routes where the next hop MAC address is displayed instead of the system name:
Switch:1#show dvr routes nh-as-mac

========================================================================================================================
DVR Routes
========================================================================================================================
NEXT L3VSN L2VSN
DEST MASK HOP VRFID ISID ISID TYPE COST
------------------------------------------------------------------------------------------------------------------------
50.0.0.0 255.255.0.0 00:bb:00:00:01:02 0 55500 50500 - 1

1 out of 1 Total Num of DVR Routes displayed


------------------------------------------------------------------------------------------------------------------------
TYPE Legend: E=Ecmp Route

Variable definitions

Use the data in the following table to use the show dvr routes command.

Variable               Value
ipv4 {A.B.C.D}         Specifies the IP address (IPv4) of the DvR route.
l3isid <0-16777215>    Specifies the Layer 3 I-SID of the DvR route. The range is 0 to 16777215.
nh-as-mac              Specifies the MAC address of the next hop node instead of the system name.
vrf                    Specifies the VRF name of the DvR route.
vrfids                 Specifies the VRF ID of the DvR route. The range is 0 to 512.

Viewing DvR database information


About This Task

View all DvR routes on a Controller or a Leaf node.


The Controller node displays all the IP subnet routes configured for that DvR domain. A Leaf node
displays all IP subnet routes learned from the Controller(s) for the Layer 2 VSNs in the DvR Domain. It
also displays the Host Routes (ARPs) learned from other DvR enabled nodes.

Before You Begin

Ensure that DvR is enabled globally on the node.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View the DvR database.
On a Controller:

show dvr database [home]|[ipv4 {A.B.C.D}]|[l3isid<0-16777215>]|[nh-as-mac]|[remote]|[vrf WORD<1-16>]|[vrfids WORD<0-512>]

On a Leaf node:

show dvr database [home]|[ipv4 {A.B.C.D}]|[l3isid<0-16777215>]|[nh-as-mac]|[remote]

Viewing the DvR database for a specific VRF or VRF ID is not supported on a DvR Leaf node.

Example

View the DvR database on either a Controller or a Leaf node.

Viewing the DvR database for a specific VRF or VRF ID is not supported on a DvR Leaf node.
Switch:1#show dvr database

==================================================================================================================================

DVR DATABASE

==================================================================================================================================

NEXT L3VSN L2VSN OUTGOING SPB PREFIX

DEST MASK HOP VRFID ISID ISID INTERFACE COST COST AGE

----------------------------------------------------------------------------------------------------------------------------------

40.0.0.0 255.255.0.0 Ctrl-1:K:121 0 0 40400 cpp 10 1 0 day(s), 05:44:55

40.0.1.2 255.255.255.255 Ctrl-1:K:121 0 0 40400 cpp 10 1 0 day(s), 05:44:55

40.0.1.3 255.255.255.255 Ctrl-2:K:122 101 0 40400 Ctrl1-Ctrl2 10 1 0 day(s), 05:44:30

3 out of 3 Total Num of DVR Database entries displayed

----------------------------------------------------------------------------------------------------------------------------------

View the DvR database for a specific IPv4 address:


Switch:1#show dvr database ipv4 40.3.1.2

==================================================================================================================================

DVR DATABASE

==================================================================================================================================

NEXT L3VSN L2VSN OUTGOING SPB PREFIX

DEST MASK HOP VRFID ISID ISID INTERFACE COST COST AGE

----------------------------------------------------------------------------------------------------------------------------------

40.3.1.2 255.255.255.255 Ctrl-1:K:121 0 0 40403 cpp 10 1 0 day(s), 05:50:03


1 out of 1225 Total Num of DVR Database entries displayed

----------------------------------------------------------------------------------------------------------------------------------

View DvR database entries for a specific L3 I-SID.


Switch:1#show dvr database l3isid 0

==================================================================================================================================

DVR DATABASE

==================================================================================================================================

NEXT L3VSN L2VSN OUTGOING SPB PREFIX

DEST MASK HOP VRFID ISID ISID INTERFACE COST COST AGE

----------------------------------------------------------------------------------------------------------------------------------

40.0.0.0 255.255.0.0 Ctrl-1:K:121 0 0 40400 cpp 10 1 0 day(s), 05:44:55

40.0.1.2 255.255.255.255 Ctrl-1:K:121 0 0 40400 cpp 10 1 0 day(s), 05:44:55

40.0.1.3 255.255.255.255 Ctrl-2:K:122 0 0 40400 Ctrl1-Ctrl2 10 1 0 day(s), 05:44:30

3 out of 3 Total Num of DVR Database entries displayed

----------------------------------------------------------------------------------------------------------------------------------

View DvR database entries with next hop MAC address displayed instead of the system name:
Switch:1#show dvr database l3isid 0

====================================================================================================================================

DVR DATABASE

====================================================================================================================================

NEXT L3VSN L2VSN OUTGOING SPB PREFIX

DEST MASK HOP VRFID ISID ISID INTERFACE COST COST AGE

------------------------------------------------------------------------------------------------------------------------------------

40.0.0.0 255.255.0.0 00:bb:00:00:81:21 0 0 40400 cpp 10 1 0 day(s), 05:44:55

40.0.1.2 255.255.255.255 00:bb:00:00:81:21 0 0 40400 cpp 10 1 0 day(s), 05:44:55

40.0.1.3 255.255.255.255 00:bb:00:00:81:22 0 0 40400 Ctrl1-Ctrl2 10 1 0 day(s), 05:44:30

3 out of 3 Total Num of DVR Database entries displayed

-------------------------------------------------------------------------------------------------------------------------------------

Variable definitions

Use the data in the following table to use the show dvr database command.

Variable               Value
home                   Specifies the DvR database information for home instance.
ipv4 {A.B.C.D}         Specifies the IP address (IPv4) of the DvR database entry.
l3isid <0-16777215>    Specifies the Layer 3 I-SID of the DvR database entry. The range is 0 to 16777215.
nh-as-mac              Specifies the MAC address of the next hop node instead of the system name.
remote                 Specifies the DvR database information for remote instance.
vrf                    Specifies the VRF name of the DvR database entry.
vrfids                 Specifies the VRF ID of the DvR database entry. The range is 0 to 512.


Viewing DvR Backbone Entries


About This Task

View the DvR backbone entries (redistributed host routes) learned from all Controllers in all DvR
domains.

Note
DvR backbone entries can be viewed only on a Controller. Viewing backbone entries is not
applicable on a Leaf node.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View DvR backbone entries:
show dvr backbone-entries [adv-controller WORD<1-255>]|[domain-id <1-255>]|[home]|[host-mac-address 0x00:0x00:0x00:0x00:0x00:0x00]|[ipv4 {A.B.C.D}]|[l2isid <1-16777215>]|[l3isid <0-16777215>]|[next-hop WORD<1-255>]|[nh-as-mac]|[remote]

Example

View all DvR backbone entries:

Switch:1#show dvr backbone-entries


================================================================================================================================
DVR Backbone-Entries
================================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID ID ADV-CONTROLLER NEXT HOP AREA AREA-NAME
--------------------------------------------------------------------------------------------------------------------------------
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-2:8200:122 Ctrl-1:8400:121 HOME area-0.00.20
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-1:8400:121 Ctrl-1:8400:121 HOME area-0.00.20
40.0.1.3 b0:ad:aa:43:31:00 0 40400 255 Ctrl-1:8400:121 Ctrl-2:8200:122 HOME area-0.00.20
40.0.1.3 b0:ad:aa:43:31:00 0 40400 255 Ctrl-2:8200:122 Ctrl-2:8200:122 HOME area-0.00.20

Home: 4 out of 4 Total Num of DVR Backbone Routes displayed


--------------------------------------------------------------------------------------------------------------------------------

View DvR backbone entries on a specific DvR Controller:


Switch:1#show dvr backbone-entries adv-controller Ctrl-2:8200:122

=================================================================================================================================
DVR Backbone-Entries
=================================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID ID ADV-CONTROLLER NEXT HOP AREA AREA-NAME
---------------------------------------------------------------------------------------------------------------------------------
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-2:8200:122 Ctrl-1:8400:121 HOME area-0.00.20
40.1.1.3 b0:ad:aa:43:31:00 0 40401 255 Ctrl-2:8200:122 Ctrl-2:8200:122 HOME area-0.00.20

Home: 2 out of 2 Total Num of DVR Backbone Routes displayed


---------------------------------------------------------------------------------------------------------------------------------

View DvR backbone entries for a specific host MAC address:


Switch:1#show dvr backbone-entries host-mac-address b0:ad:aa:4c:55:00


=================================================================================================================================
DVR Backbone-Entries
=================================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID ID ADV-CONTROLLER NEXT HOP AREA AREA-NAME
---------------------------------------------------------------------------------------------------------------------------------
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-2:8200:122 Ctrl-1:8400:121 HOME area-0.00.20
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-1:8400:121 Ctrl-1:8400:121 HOME area-0.00.20

Home: 2 out of 2 Total Num of DVR Backbone Routes displayed


---------------------------------------------------------------------------------------------------------------------------------

View DvR backbone entries for a specific IP address:

In this example, you enter IP address 40.0.1.0 to display backbone entries for IP addresses
40.0.1.2 and 40.0.1.3.
Switch:1#show dvr backbone-entries ipv4 40.0.1.0

==============================================================================================================================
DVR Backbone-Entries
==============================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID ID ADV-CONTROLLER NEXT HOP AREA AREA-NAME
------------------------------------------------------------------------------------------------------------------------------
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-2:8200:122 Ctrl-1:8400:121 HOME area-0.00.20
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-1:8400:121 Ctrl-1:8400:121 HOME area-0.00.20
40.1.1.3 b0:ad:aa:43:31:00 0 40401 255 Ctrl-2:8200:122 Ctrl-2:8200:122 HOME area-0.00.20
40.1.1.3 b0:ad:aa:43:31:00 0 40401 255 Ctrl-2:8200:121 Ctrl-2:8200:122 HOME area-0.00.20
Home: 4 out of 4 Total Num of DVR Backbone Routes displayed
------------------------------------------------------------------------------------------------------------------------------

View DvR backbone entries for a specific L3 VSN I-SID:


Switch:1#show dvr backbone-entries l3isid 0

===============================================================================================================================
DVR Backbone-Entries
===============================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID ID ADV-CONTROLLER NEXT HOP AREA AREA-NAME
-------------------------------------------------------------------------------------------------------------------------------
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-2:8200:122 Ctrl-1:8400:121 HOME area-0.00.20
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-1:8400:121 Ctrl-1:8400:121 HOME area-0.00.20
40.0.1.3 b0:ad:aa:43:31:00 0 40400 255 Ctrl-1:8400:121 Ctrl-2:8200:122 HOME area-0.00.20
40.0.1.3 b0:ad:aa:43:31:00 0 40400 255 Ctrl-2:8200:122 Ctrl-2:8200:122 HOME area-0.00.20

Home: 4 out of 4 Total Num of DVR Backbone Routes displayed


-------------------------------------------------------------------------------------------------------------------------------

View DvR backbone entries for a specific next hop node:


Switch:1#show dvr backbone-entries next-hop Ctrl-1:8400:121

==============================================================================================================================
DVR Backbone-Entries
==============================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID ID ADV-CONTROLLER NEXT HOP AREA AREA-NAME
------------------------------------------------------------------------------------------------------------------------------
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-2:8200:122 Ctrl-1:8400:121 HOME area-0.00.20
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-1:8400:121 Ctrl-1:8400:121 HOME area-0.00.20

Home: 2 out of 2 Total Num of DVR Backbone Routes displayed


------------------------------------------------------------------------------------------------------------------------------

View DvR backbone entries where the next hop nodes are displayed as MAC addresses:
Switch:1#show dvr backbone-entries nh-as-mac

===============================================================================================================================
DVR Backbone-Entries
===============================================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID ID ADV-CONTROLLER NEXT HOP AREA AREA-NAME

-------------------------------------------------------------------------------------------------------------------------------
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-2:8200:122 00:bb:00:00:81:21 HOME area-0.00.20
40.0.1.2 b0:ad:aa:4c:55:00 0 40400 255 Ctrl-1:8400:121 00:bb:00:00:81:21 HOME area-0.00.20

Home: 2 out of 2 Total Num of DVR Backbone Routes displayed


-------------------------------------------------------------------------------------------------------------------------------

Variable definitions

Use the data in the following table to use the show dvr backbone-entries command.

Variable                                          Value
adv-controller WORD<1-255>                        Specifies the system name of the advertising Controller.
domain-id <1-255>                                 Specifies the domain ID of the DvR backbone entry. The range is 1 to 255.
home                                              Display the DvR backbone entries for the home instance.
host-mac-address 0x00:0x00:0x00:0x00:0x00:0x00    Specifies the host MAC address of the DvR backbone entry.
ipv4 {A.B.C.D}                                    Specifies the IP address (IPv4) of the DvR backbone entry.
l2isid <1-16777215>                               Specifies the Layer 2 I-SID of the DvR backbone entry. The range is 1 to 16777215.
l3isid <0-16777215>                               Specifies the Layer 3 I-SID of the DvR backbone entry. The range is 0 to 16777215.
next-hop WORD<1-255>                              Specifies the system name of the next hop node.
nh-as-mac                                         Specifies the MAC address of the next hop node instead of the system name.
remote                                            Display the DvR backbone entries for the remote instance.

Viewing DvR backbone members


About This Task

DvR backbone members are either DvR Controllers or non-DvR BEBs that receive redistributed host
routes from all other DvR Controllers in the SPB network.

Before You Begin

Ensure that DvR is enabled globally on the node.

Procedure

1. Enter Privileged EXEC mode:


enable
2. View DvR backbone member information:
show dvr backbone-members [controller | home | non-dvr-beb | remote]


Example

View all DvR backbone members:

Switch:1#show dvr backbone-members

==============================================================================================================
DVR BB Members
==============================================================================================================
System Name Nick-Name Nodal MAC Role Domain Id Area Area-Name
--------------------------------------------------------------------------------------------------------------
DVR-D2-C1-40 0.82.40 00:00:82:84:40:00 NON-DVR-BEB 2 HOME area-0.00.20
Ctrl-2:8200:122 0.81.22 00:bb:00:00:81:22 Controller 2 HOME area-0.00.20

Home: 2 out of 2 Total Num of DVR Backbone Members displayed


--------------------------------------------------------------------------------------------------------------

View backbone members that are DvR controllers:


Switch:1#show dvr backbone-members controller

==============================================================================================================
DVR BB Members (Domain ID: 255)
==============================================================================================================
System Name Nick-Name Nodal MAC Role Domain Id Area Area-Name
--------------------------------------------------------------------------------------------------------------
Ctrl-2:8200:122 0.81.22 00:bb:00:00:81:22 Controller 2 HOME area-0.00.20

Home: 1 out of 2 Total Num of DVR Backbone Members displayed


--------------------------------------------------------------------------------------------------------------

View backbone members that are non-DvR BEBs:


Switch:1#show dvr backbone-members non-dvr-beb

==============================================================================================================
DVR BB Members
==============================================================================================================
System Name Nick-Name Nodal MAC Role Domain Id Area Area-Name
--------------------------------------------------------------------------------------------------------------
DVR-D2-C1-40 0.82.40 00:00:82:84:40:00 NON-DVR-BEB 2 HOME area-0.00.20

Home: 1 out of 2 Total Num of DVR Backbone Members displayed


--------------------------------------------------------------------------------------------------------------

Variable definitions

Use the data in the following table to use the show dvr backbone-members command.

Variable Value
controller Specifies backbone members that are DvR Controllers.
home Specifies DvR backbone members information for the
home instance.
non-dvr-beb Specifies backbone members that are non-DvR BEBs.
remote Specifies DvR backbone members information for the
remote instance.
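
Backbone members receive redistributed host routes from every DvR Controller, so the member list is worth checking against an approved inventory. The following Python sketch is an added example, not part of the VOSS documentation or software: it parses a captured show dvr backbone-members output, uses the summary line to detect a truncated or filtered capture, and reports unknown, mismatched, or missing members. The inventory, the third sample row, and all function names are assumptions made for illustration.

```python
import re

# Constructed capture modelled on the "show dvr backbone-members" output in
# this section; the third row is invented to trigger a finding.
SAMPLE = """\
Switch:1#show dvr backbone-members
==========================================================================
DVR BB Members
==========================================================================
System Name Nick-Name Nodal MAC Role Domain Id Area Area-Name
--------------------------------------------------------------------------
DVR-D2-C1-40 0.82.40 00:00:82:84:40:00 NON-DVR-BEB 2 HOME area-0.00.20
Ctrl-2:8200:122 0.81.22 00:bb:00:00:81:22 Controller 2 HOME area-0.00.20
lab-sw-7 0.99.07 00:bb:00:00:99:07 Controller 2 HOME area-0.00.20

Home: 3 out of 3 Total Num of DVR Backbone Members displayed
"""

# Hypothetical approved inventory: nodal MAC -> (role, domain ID).
APPROVED = {
    "00:00:82:84:40:00": ("NON-DVR-BEB", 2),
    "00:bb:00:00:81:22": ("Controller", 2),
    "00:bb:00:00:81:21": ("Controller", 2),
}

# A data row is recognised by the nodal MAC in the third column. A system name
# containing spaces would not match and shows up as an incomplete capture.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<nick>\S+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<role>\S+)\s+(?P<domain>\d+)\s+(?P<area>\S+)\s+(?P<area_name>\S+)$"
)
SUMMARY = re.compile(r"(\d+) out of (\d+) Total Num of DVR Backbone Members")


def parse_backbone_members(text):
    """Return (rows, shown, total); shown/total are summed over summary lines."""
    rows, shown, total = [], None, None
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            row = match.groupdict()
            row["mac"] = row["mac"].lower()
            row["domain"] = int(row["domain"])
            rows.append(row)
            continue
        summary = SUMMARY.search(line)
        if summary:
            shown = (shown or 0) + int(summary.group(1))
            total = (total or 0) + int(summary.group(2))
    return rows, shown, total


def audit(text, approved):
    """Compare a capture with the approved inventory; return a list of findings."""
    rows, shown, total = parse_backbone_members(text)
    findings = []
    if shown != len(rows):
        # Rows were lost (paging, truncation) or the summary line is absent.
        findings.append(("incomplete-capture",
                         f"{len(rows)} rows parsed, summary reports {shown}"))
    elif shown != total:
        # A filter such as "controller" hides members, so absence proves nothing.
        findings.append(("filtered-view", f"{shown} of {total} members shown"))
    for row in rows:
        expected = approved.get(row["mac"])
        if expected is None:
            findings.append(("unknown-member", row["mac"]))
        elif (expected[0].upper(), expected[1]) != (row["role"].upper(), row["domain"]):
            findings.append(("attribute-mismatch", row["mac"]))
    if shown == len(rows) == total:
        seen = {row["mac"] for row in rows}
        findings += [("missing-member", mac) for mac in sorted(set(approved) - seen)]
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE, APPROVED):
        print(f"{kind}: {detail}")
```

Missing members are reported only for an unfiltered, complete capture, so run the audit against the command without the controller, non-dvr-beb, home, or remote keywords.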


Viewing Layer 3 VSN information


About This Task

View VRFs corresponding to Layer 3 (routed) VSN I-SIDs on either a Controller or a Leaf node.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. Enter Privileged EXEC mode:


enable
2. View the Layer 3 VSN information:
show dvr l3vsn [l3isid <0-16777215>] | [vrf WORD<1-16>] | [vrfids WORD<0-512>]

Example

View Layer 3 VSN information on a DvR Controller:


Switch:1#show dvr l3vsn

====================================================================
DVR L3VSN
====================================================================
VRF ID L3VSN ISID VRF NAME INJECT-DEFAULT-ROUTE-DISABLE
--------------------------------------------------------------------
1 55500 vrf600 Disabled
2 55501 vrf601 Disabled
3 55502 vrf602 Disabled
4 55503 vrf603 Disabled

4 out of 4 Total Num of DVR L3VSN displayed


---------------------------------------------------------------------

View Layer 3 VSN information on a DvR Leaf node:


Switch2:1#show dvr l3vsn

====================================================================
DVR L3VSN
====================================================================
VRF ID L3VSN ISID VRF NAME
--------------------------------------------------------------------
1 55500 vrf600
2 55501 vrf601
3 55502 vrf602

3 out of 3 Total Num of DVR L3VSN displayed


---------------------------------------------------------------------


Variable definitions

Use the data in the following table to use the show dvr l3vsn command.

Variable Value
l3isid <0-16777215> Specifies the Layer 3 VSN I-SID.
The range is 0 to 16777215.
vrf WORD<1-16> Specifies the VRF name of the VRF corresponding to the
Layer 3 VSN I-SID.
vrfids WORD<0-512> Specifies the VRF ID of the VRF.

Viewing DvR domain redistribution information


About This Task

View DvR domain redistribution information on a Controller or a Leaf node.

Note
You can view DvR domain redistribution information only on a DvR Controller.
An error message displays if you attempt to view this information on a DvR Leaf node.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View DvR domain redistribution information:
show dvr redistribute [vrf WORD<1-16>] | [vrfids WORD<0-512>]

Example

View DvR domain redistribution information on a Controller:


Switch:1#show dvr redistribute
===============================================================================================
DVR Redistribute List - GlobalRouter
===============================================================================================

SOURCE MET MTYPE ENABLE RPOLICY


-----------------------------------------------------------------------------------------------
STAT 1 External TRUE -

View DvR domain redistribution information for a particular VRF.


Switch:1#show dvr redistribute vrf vrf1
===============================================================================================
DVR Redistribute List - VRF vrf1
===============================================================================================

SOURCE MET MTYPE ENABLE RPOLICY


-----------------------------------------------------------------------------------------------
STAT 20000 External TRUE -

LOC 10000 Internal TRUE -

Variable definitions

Use the data in the following table to use the show dvr redistribute command.

Variable Definitions
vrf WORD<1-16> Specifies the VRF name.
vrfids WORD<0-512> Specifies the VRF ID of the VRF.

Configure a DvR Solution


This section provides a simple example of configuring Distributed Virtual Routing (DvR) over a
Fabric Connect (SPB) network.

About This Task

In this example, you configure two DvR Controllers (with IP addresses 10.133.226.101
and 10.133.226.102) and two DvR Leaf nodes (with IP addresses 10.133.226.103 and
10.133.226.104), in a single DvR domain with domain ID 9. Hosts connect to the DvR nodes
as shown in the figure.

Before You Begin

On the switches to be configured as DvR Controllers:


• Ensure that you configure Fabric Connect.
• Ensure that you configure IP Shortcuts on the node. This is necessary for proper functioning of the
node as a DvR Controller.


• Verify that the dvr-leaf-mode boot flag is disabled on the node. To verify the setting, enter show
boot config flags in Privileged EXEC mode.

On the switches to be configured as DvR Leaf nodes:


• Ensure that you configure Fabric Connect.

Procedure
DvR Controller configuration — Controller 1 and Controller 2:
1. Verify configuration of Fabric Connect on each of the switches to be configured as the DvR
Controllers.
The following examples show verification on one of the switches. Perform this verification on both
switches.
a. Verify the SPB configuration:
Switch1:1>en
Switch1:1#show spbm
spbm : enable
ethertype : 0x8100
nick-name server : enable
nick-name allocation : static
nick-name server range : B.00.00-B.FF.FF
Switch1:1#show isis spbm

=============================================================================================================
ISIS SPBM Info
=============================================================================================================
SPBM B-VID PRIMARY NICK LSDB IP IPV6 MULTICAST SPB-PIM-GW STP-MULTI ORIGIN
INSTANCE VLAN NAME TRAP HOMING
-------------------------------------------------------------------------------------------------------------
1 4051-4052 4051 0.10.01 disable enable disable enable disable disable dynamic

=============================================================================================================
ISIS SPBM SMLT Info
=============================================================================================================
SPBM SMLT-SPLIT-BEB SMLT-VIRTUAL-BMAC SMLT-PEER-SYSTEM-ID
INSTANCE
-------------------------------------------------------------------------------------------
1 primary 00:00:00:00:00:00

--------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------

b. Verify the global IS-IS configuration:


Switch1:1#show isis

==============================================================================
ISIS General Info
==============================================================================
AdminState : enabled
RouterType : Level 1
System ID : 00bb.0000.0101
Max LSP Gen Interval : 900
Metric : wide
Overload-on-startup : 20
Overload : false
Csnp Interval : 10
PSNP Interval : 2
Rxmt LSP Interval : 5
spf-delay : 100
Router Name : Cont-1
ip source-address : 10.0.0.101
ipv6 source-address :
ip tunnel source-address :
Tunnel vrf :
ip tunnel mtu :
Num of Interfaces : 4
Num of Area Addresses : 1
Inband Mgmt Clip IP :
backbone : disabled
Dynamically Learned Area : 00.0000.0000
FAN Member : No
Multi-Area OperState : disabled
Hello Padding : enabled
Multi-Area OperState : disabled
Multi-Area Flags :

2. Configure the DvR Controllers.


a. Configure Controller 1 (IP address 10.133.226.101) with DvR domain ID 9.
Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#dvr controller 9
Switch:1(config)#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 9
Domain ISID : 16678219
Backbone ISID :
Role : Controller
My SYS ID : 00:bb:00:00:81:21
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Disabled

b. Configure Controller 2 (IP address 10.133.226.102), also with DvR domain ID 9.


Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#dvr controller 9
Switch:1(config)#show dvr

==================================================================
DVR Summary Info
==================================================================
Domain ID : 9
Domain ISID : 16678219
Backbone ISID : 16678216
Role : Controller
My SYS ID : 00:bb:00:00:81:21
Operational State : Up
GW MAC : 00:00:5e:00:01:25
InjectDefaultRouteDisable(GRT) : Disabled

c. Verify the configuration. View the members of the DvR domain.


Switch1:1#show dvr members

============================================================================================
DVR Members (Domain ID: 2)
============================================================================================
System Name Nick-Name Nodal MAC Role
--------------------------------------------------------------------------------------------
Cont-1 0.10.01 00:bb:00:00:01:01 Controller
Cont-2 0.10.02 00:bb:00:00:01:02 Controller

2 out of 2 Total Num of DVR Members displayed


--------------------------------------------------------------------------------------------

Layer 2 VSN (VLAN) configuration on the DvR Controllers:


3. Configure Layer 2 VSN on the DvR Controllers, Controller 1 and Controller 2.
a. Configure platform VLANs on Controller 1 (VLAN ID=200 and VLAN ID=202). Associate the
VLANs with the I-SIDs 20200 and 20202 respectively. Configure gateway IPv4 addresses
20.0.1.1 and 20.2.1.1 respectively, and enable DvR on those interfaces.
Switch1:1(config)#vlan create 200 type port-mstprstp 0
Switch1:1(config)#vlan i-sid 200 20200
Switch1:1(config)#interface vlan 200
Switch1:1(config)#dvr gw-ipv4 20.0.1.1
Switch1:1(config)#dvr enable
Switch1:1(config)#ip address 20.0.1.2 255.255.0.0
Switch1:1(config)#vlan create 202 type port-mstprstp 0
Switch1:1(config)#vlan i-sid 202 20202
Switch1:1(config)#interface vlan 202
Switch1:1(config)#dvr gw-ipv4 20.2.1.1
Switch1:1(config)#dvr enable
Switch1:1(config)#ip address 20.2.1.2 255.255.0.0
Switch1:1(config)#exit
Switch1:1#

b. Configure the platform VLANs on Controller 2. Ensure that you configure the same gateway IPv4
addresses on the corresponding VLANs, as on Controller 1.
Switch2:1(config)#vlan create 200 type port-mstprstp 0
Switch2:1(config)#vlan i-sid 200 20200
Switch2:1(config)#interface vlan 200
Switch2:1(config)#dvr gw-ipv4 20.0.1.1
Switch2:1(config)#dvr enable
Switch2:1(config)#ip address 20.0.1.3 255.255.0.0
Switch2:1(config)#vlan create 202 type port-mstprstp 0
Switch2:1(config)#vlan i-sid 202 20202
Switch2:1(config)#interface vlan 202
Switch2:1(config)#dvr gw-ipv4 20.2.1.1
Switch2:1(config)#dvr enable
Switch2:1(config)#ip address 20.2.1.3 255.255.0.0
Switch2:1(config)#exit
Switch2:1#

c. Verify Layer 2 VSN (VLAN) configuration on the Controllers. The following example shows the
verification on Controller 1. Perform this verification on both Controllers.
View the DvR interfaces.

On Controllers, DvR interfaces are created when you configure IP on a DvR enabled Layer 2 VSN
(VLAN, I-SID). You can also view the administrative state of these interfaces on the Controller.
Switch1:1#show dvr interfaces

========================================================================================================================
DVR Interfaces
========================================================================================================================
                                                              Admin   SPBMC    IGMP
Interface Mask         L3ISID  VRFID  L2ISID  VLAN  GW IPv4   State   State    Version
------------------------------------------------------------------------------------------------------------------------
20.0.1.2  255.255.0.0  0       0      20200   200   20.0.1.1  enable  disable  2
20.2.1.2  255.255.0.0  0       0      20202   202   20.2.1.1  enable  disable  2

2 out of 2 Total Num of DVR Interfaces displayed
------------------------------------------------------------------------------------------------------------------------

View the DvR host entries learned locally on the S-UNI port.
Switch1:1#show dvr host-entries

=======================================================================================================
DVR Host-Entries
=======================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID PORT ID TYPE NEXT HOP
-------------------------------------------------------------------------------------------------------
20.0.1.2 b0:ad:aa:42:ed:04 0 20200 cpp 9 LOCAL Cont-1
20.2.1.2 b0:ad:aa:42:ed:04 0 20202 cpp 9 LOCAL Cont-1
2 out of 2 Total Num of DVR Host Entries displayed
--------------------------------------------------------------------------------------------------------

View the DvR database. All IP subnet routes configured on the Controller, for the DvR domain,
are displayed.
Switch1:1#show dvr database

===============================================================================================================================
DVR DATABASE
===============================================================================================================================
                           NEXT    L3VSN  L2VSN  OUTGOING   SPB   PREFIX
DEST      MASK             HOP     ISID   ISID   INTERFACE  COST  COST    AGE
-------------------------------------------------------------------------------------------------------------------------------
20.0.1.2  255.255.255.255  Cont-1  0      20200  cpp        10    1       1 day(s), 06:41:40
20.2.1.2  255.255.255.255  Cont-1  0      20202  cpp        10    1       1 day(s), 06:41:40

2 out of 2 Total Num of DVR Database entries displayed
-------------------------------------------------------------------------------------------------------------------------------

View the DvR routes for the subnets 20.0.0.0 and 20.2.0.0.
Switch1:1#show dvr routes

=====================================================================================================
DVR Routes
=====================================================================================================
NEXT L3VSN L2VSN
DEST MASK HOP ISID ISID TYPE COST
------------------------------------------------------------------------------------------------------
20.0.0.0 255.255.0.0 Cont-1 0 20200 - 1
20.2.0.0 255.255.0.0 Cont-1 0 20202 - 1

2 out of 2 Total Num of DVR Routes displayed


-------------------------------------------------------------------------------------------------------
TYPE Legend: E=Ecmp Route

Layer 3 configuration on the DvR Controllers


4. Configure Layer 3 (VRF) on the DvR Controllers, Controller 1 and Controller 2.
a. Configure Layer 3 on Controller 1. As part of this configuration, you configure a VRF vrf501 and
associate it with a DvR VLAN.
Switch1:1(config)#ip vrf vrf501 vrfid 501
Switch1:1(config)#vlan create 501 type port-mstprstp 0
Switch1:1(config)#vlan i-sid 501 50501
Switch1:1(config)#interface Vlan 501
Switch1:1(config)#vrf vrf501
Switch1:1(config)#dvr gw-ipv4 50.1.1.1
Switch1:1(config)#dvr enable
Switch1:1(config)#ip address 50.1.1.2 255.255.0.0
Switch1:1(config)#router vrf vrf501
Switch1:1(router-vrf)#i-sid 55501
Switch1:1(router-vrf)#ipvpn enable
Switch1:1(router-vrf)#exit
Switch1:1(config)#

b. Configure Layer 3 on Controller 2.


Switch2:1(config)#ip vrf vrf501 vrfid 501
Switch2:1(config)#vlan create 501 type port-mstprstp 0
Switch2:1(config)#vlan i-sid 501 50501
Switch2:1(config)#interface Vlan 501
Switch2:1(config)#vrf vrf501
Switch2:1(config)#dvr gw-ipv4 50.1.1.1
Switch2:1(config)#dvr enable
Switch2:1(config)#ip address 50.1.1.3 255.255.0.0
Switch2:1(config)#router vrf vrf501
Switch2:1(router-vrf)#i-sid 55501
Switch2:1(router-vrf)#ipvpn enable
Switch2:1(router-vrf)#exit
Switch2:1(config)#

c. Verify Layer 3 configuration. The following example shows verification on Controller 1. Perform
this verification on both Controllers.
View the DvR host entries.
Switch2:1(config)#show dvr host-entries l3isid 55501

=======================================================================================================
DVR Host-Entries
=======================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID PORT ID TYPE NEXT HOP
-------------------------------------------------------------------------------------------------------
50.1.1.2 b0:ad:aa:42:ed:08 55501 50501 cpp 9 LOCAL Cont-1
50.1.1.3 b0:ad:aa:4c:3d:02 55501 50501 1/23 9 DYNAMIC Cont-2

2 out of 3267 Total Num of DVR Host Entries displayed


-------------------------------------------------------------------------------------------------------

View the DvR interfaces.


Switch2:1(config)#show dvr interfaces l3isid 55501

========================================================================================================================
DVR Interfaces
========================================================================================================================
                                                              Admin   SPBMC    IGMP
Interface Mask         L3ISID  VRFID  L2ISID  VLAN  GW IPv4   State   State    Version
------------------------------------------------------------------------------------------------------------------------
50.1.1.2  255.255.0.0  55501   501    50501   501   50.1.1.1  enable  disable  2

1 out of 291 Total Num of DVR Interfaces displayed

Switch2:1(config)#show dvr database l3isid 55501

=====================================================================================================================
DVR DATABASE
=====================================================================================================================
                           NEXT    L3VSN  L2VSN  OUTGOING   SPB   PREFIX
DEST      MASK             HOP     ISID   ISID   INTERFACE  COST  COST    AGE
---------------------------------------------------------------------------------------------------------------------
50.1.0.0  255.255.0.0      Cont-1  55501  50501  cpp        10    1       0 day(s), 01:26:49
50.1.1.2  255.255.255.255  Cont-1  55501  50501  cpp        10    1       0 day(s), 01:26:49
50.1.1.3  255.255.255.255  Cont-2  55501  50501  1/23       10    1       0 day(s), 01:24:53

3 out of 3558 Total Num of DVR Database entries displayed
----------------------------------------------------------------------------------------------------------------------

DvR Leaf configuration — Leaf 1 and Leaf 2


5. Configure the boot flag dvr-leaf-mode on the switches to be configured as DvR Leaf nodes.

Caution
Ensure that you save the current configuration on the switch, before you enable the flag.
Enabling the flag removes all existing non-DvR configuration on the switch, such as
platform VLANs and their IP address configuration, CLIP configuration, routing protocol
configuration and VRF configuration. The gateway IPv4 address, if configured, is also
removed.

On switch with IP address 10.133.226.104, configure the boot flag and reboot the switch.
Switch3:1>en
Switch3:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch3:1(config)#boot config flags dvr-leaf-mode
Switch3:1(config)#save config
Switch3:1(config)#reset

On switch with IP address 10.133.226.105, configure the boot flag and reboot the switch.
Switch4:1>en
Switch4:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch4:1(config)#boot config flags dvr-leaf-mode
Switch4:1(config)#save config
Switch4:1(config)#reset

6. After the switches come back up, configure the nodes as DvR Leaf nodes.
Configure switch with IP address 10.133.226.104 as DvR Leaf 1; verify the configuration.
Switch3:1(config)#dvr Leaf 9
Switch3:1(config)#show dvr

=========================================================================
DVR Summary Info
=========================================================================
Domain ID : 9
Domain ISID : 16678219
Role : Leaf
My SYS ID : 00:bb:00:00:80:05
Operational State : Up
GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP :
Virtual Ist local address :
Virtual Ist local subnet mask :
Virtual Ist peer address :
Virtual Ist cluster-id :
Virtual Ist ISID :


Configure switch with IP address 10.133.226.105 as DvR Leaf 2; verify the configuration.
Switch4:1(config)#dvr Leaf 9
Switch4:1(config)#show dvr

=========================================================================
DVR Summary Info
=========================================================================
Domain ID : 9
Domain ISID : 16678219
Role : Leaf
My SYS ID : 00:bb:00:00:80:05
Operational State : Up
GW MAC : 00:00:5e:00:01:25
Inband Mgmt Clip IP :
Virtual Ist local address :
Virtual Ist local subnet mask :
Virtual Ist peer address :
Virtual Ist cluster-id :
Virtual Ist ISID :

7. Associate the I-SIDs on the DvR Leaf nodes to the DvR VLANs configured on the Controller.
On Leaf node 1 (IP address 10.133.226.105):
Switch3:1(config)#i-sid 20200 elan
Switch3:1(elan:20200)#c-vid 200 port 1/2
Switch3:1(config)#exit

View the host connections.


Switch3:1#show dvr host-entries nh-as-mac

==============================================================================================================
DVR Host-Entries
==============================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID PORT ID TYPE NEXT HOP
--------------------------------------------------------------------------------------------------------------
20.0.1.67 00:00:00:00:00:67 0 20200 1/4 9 DYNAMIC 00:bb:00:00:81:21
20.0.1.68 00:00:00:00:00:68 0 20200 1/2 9 DYNAMIC 00:bb:00:00:81:21
2 out of 2 Total Num of DVR Host Entries displayed
--------------------------------------------------------------------------------------------------------------

On Leaf node 2 (IP address 10.133.226.105):


Switch4:1(config)#i-sid 20200 elan
Switch4:1(elan:20200)#c-vid 200 port 1/2
Switch4:1(config)#exit

View the host connections.


Switch4:1#show dvr host-entries nh-as-mac

==============================================================================================================
DVR Host-Entries
==============================================================================================================
HOST L3VSN L2VSN DOMAIN
IP-ADDRESS MAC-ADDRESS ISID ISID PORT ID TYPE NEXT HOP
--------------------------------------------------------------------------------------------------------------
20.0.1.67 00:00:00:00:00:67 0 20200 1/4 9 DYNAMIC 00:bb:00:00:81:21
20.0.1.68 00:00:00:00:00:68 0 20200 1/2 9 DYNAMIC 00:bb:00:00:81:21
2 out of 2 Total Num of DVR Host Entries displayed
--------------------------------------------------------------------------------------------------------------


8. View all members of the DvR domain. You can view this information on either a Leaf node or a
Controller node.
Switch1:1#show dvr members

================================================================================================
DVR Members (Domain ID: 2)
================================================================================================
System Name Nick-Name Nodal MAC Role
------------------------------------------------------------------------------------------------
Cont-1 0.10.01 00:bb:00:00:01:01 Controller
Cont-2 0.10.02 00:bb:00:00:01:02 Controller
Leaf1 0.10.04 00:bb:00:00:80:04 Leaf
Leaf2 0.10.05 00:bb:00:00:80:05 Leaf

4 out of 4 Total Num of DVR Members displayed


-------------------------------------------------------------------------------------------------
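
Steps 3 and 4 require each DvR VLAN to carry the same gateway IPv4 address on both Controllers. The following Python sketch is an added example, not part of the VOSS documentation or software: it parses show dvr interfaces captures from each Controller and reports Layer 2 I-SIDs whose gateway differs, is outside the interface subnet, is missing on a Controller, or is not administratively enabled. The Cont-1 rows copy the outputs shown in steps 3c and 4c; the Cont-2 capture and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed captures of "show dvr interfaces". Cont-1 uses the rows shown in
# steps 3c and 4c; Cont-2 is built from the step 3b commands, with the VLAN 202
# gateway altered and VLAN 501 left out on purpose to produce findings.
CONT1 = """\
Interface Mask L3ISID VRFID L2ISID VLAN GW IPv4 State State Version
20.0.1.2 255.255.0.0 0 0 20200 200 20.0.1.1 enable disable 2
20.2.1.2 255.255.0.0 0 0 20202 202 20.2.1.1 enable disable 2
50.1.1.2 255.255.0.0 55501 501 50501 501 50.1.1.1 enable disable 2
"""
CONT2 = """\
Interface Mask L3ISID VRFID L2ISID VLAN GW IPv4 State State Version
20.0.1.3 255.255.0.0 0 0 20200 200 20.0.1.1 enable disable 2
20.2.1.3 255.255.0.0 0 0 20202 202 20.2.1.9 enable disable 2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Interface, Mask, L3ISID, VRFID, L2ISID, VLAN, GW IPv4, Admin State,
# then SPBMC State and IGMP Version (matched but not captured).
ROW = re.compile(
    rf"^({IPV4})\s+({IPV4})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+({IPV4})"
    r"\s+(\S+)\s+\S+\s+\d+$"
)


def parse_dvr_interfaces(text):
    """Return one dict per data row; headers and separators are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        ip, mask, l3isid, vrfid, l2isid, vlan, gateway, admin = match.groups()
        rows.append({
            "iface": ipaddress.ip_interface(f"{ip}/{mask}"),
            "l3isid": int(l3isid),
            "vrfid": int(vrfid),
            "l2isid": int(l2isid),
            "vlan": int(vlan),
            "gw": ipaddress.ip_address(gateway),
            "admin": admin,
        })
    return rows


def compare_controllers(captures):
    """captures maps Controller name -> CLI text. Returns (l2isid, kind, detail)."""
    per_isid = {}
    for name, text in captures.items():
        for row in parse_dvr_interfaces(text):
            per_isid.setdefault(row["l2isid"], {})[name] = row
    findings = []
    for l2isid, by_ctrl in sorted(per_isid.items()):
        for name in sorted(set(captures) - set(by_ctrl)):
            findings.append((l2isid, "missing-on", name))
        gateways = sorted({str(row["gw"]) for row in by_ctrl.values()})
        if len(gateways) > 1:
            findings.append((l2isid, "gateway-mismatch", ",".join(gateways)))
        for name, row in sorted(by_ctrl.items()):
            if row["gw"] not in row["iface"].network:
                findings.append((l2isid, "gateway-off-subnet", name))
            if row["admin"] != "enable":
                findings.append((l2isid, "dvr-admin-not-enabled", name))
    return findings


if __name__ == "__main__":
    for finding in compare_controllers({"Cont-1": CONT1, "Cont-2": CONT2}):
        print(finding)
```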

DvR Configuration Using the EDM


The following sections describe configuration of Distributed Virtual Routing (DvR) using the Enterprise
Device Manager (EDM).

Configure a DvR Controller or a DvR Leaf Globally


About This Task

Configure a node to perform the role of either a Controller or a Leaf, within the DvR domain.

Before You Begin

Important
For DvR Leaf Configuration only:
You must enable the dvr-leaf-mode boot flag before you configure a node as a DvR
Leaf node. Navigate to Configuration > Edit > Chassis. On the Boot Config tab, select
EnableDvrLeafMode.
Ensure that you save the current configuration on the switch, before you enable the flag.
Enabling the flag removes all non-DvR configuration on the switch.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Click DVR.
3. Click the Globals tab.
4. Enter the domain ID in the DomainId field.

Note
A Controller or a Leaf node can belong to only one DvR domain.

5. Select the role of the node in the Role field.


6. (Optional) On a Controller node, disable injection of default routes into the DvR domain. Select
InjectDefaultRouteDisable.

Note
This field applies only to Controllers. Attempting to select this field on a Leaf node displays
an error message.

7. Update the fields as necessary, and then click Apply to save your configuration.

Globals Field Descriptions


Use the data in the following table to use the Globals tab.

Field Descriptions
DomainId Uniquely identifies the domain that the node
belongs to.
The range for a Controller or a Leaf is 1 to 255. Set
to 0 if is not configured.
Role Specifies the role of the node in the domain, that
is, either a Controller or a Leaf.
Enable Specifies whether DvR is enabled on the node.
Configuring a Controller or Leaf sets this
parameter to true.
DomainIsid Uniquely identifies the domain I-SID that the node
belongs to.
0 indicates that is not configured.
BackboneIsid Uniquely identifies the backbone I-SID that the
node belongs to.
The valid backbone I-SID is 16678216. It is set to 0
if is not configured.
GatewayMac Specifies the Gateway MAC address used by all
Domains.
InbandMgmtIp Specifies the In-band Management IP address
configured under IS-IS.
You can use this IP address to manage the node,
irrespective of whether DvR is enabled on it.
Note: Exception: not supported on VSP 8600 Series or
XA1400 Series.
InjectDefaultRouteDisable Specifies whether injection of default routes is
disabled on the Controller in the domain.
By default, Controllers inject default routes into
the domain so that all Leaf nodes in the domain
learn these routes with the next hop as the
Controller that advertised it. Selecting this field
disables this behavior.
VirtualIstLocalAddr Specifies the local IP address of vIST, if vIST is
configured on a Leaf.
vIST cannot be configured on a Controller.
VirtualIstLocalMask Specifies the local subnet mask of vIST, if vIST is
configured on a Leaf.
vIST cannot be configured on a Controller.

VirtualIstPeerAddr Specifies the peer IP address of vIST, if vIST is
configured on a Leaf.
vIST cannot be configured on a Controller.
VirtualIstClusterId Specifies the cluster ID of vIST, if vIST is
configured on a Leaf.
vIST cannot be configured on a Controller.
Set to 0 if vIST is not configured.
VirtualIstIsid Specifies the I-SID if vIST is configured.
OperState Specifies the operational state of the node.

View DvR Routes


About This Task

View the DvR routes (host routes and the IPv4 network routes) that are learned on a DvR Controller or a
Leaf node.

Controllers display all the IP subnet routes configured for that DvR domain. Leaf nodes display the
IP subnet routes learned from the Controller(s) for the Layer 2 VSNs in the DvR Domain. Leaf nodes
also display any redistributed routes into the DvR Domain that are learned from the Controllers (direct
routes, static routes and the default route).

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Click DVR.
3. Click the Routes tab.
4. To filter the rows based on the specific criteria, click Filter.

Routes field descriptions


Use the data in the following table to use the Routes tab.

Name Description
DestIpAddrType Specifies the IPv4 destination address type of the
DvR route.
DestIpAddr Specifies the IPv4 destination address of the DvR
route.
DestMask Specifies the destination mask of the DvR route.
L3Isid Specifies the Layer 3 I-SID of the DvR route.
EcmpIndex Specifies the ECMP index for the ECMP routes of
the DvR route.

NextHopMac Specifies the MAC address of the next hop BEB in
the DvR route.
L2Isid Specifies the Layer 2 I-SID of the DvR route.
VrfId Specifies the VRF ID.
Cost Specifies the SPB cost of the DvR route.
NextHopName Specifies the host name of the next hop BEB, in
the DvR route.
Type Specifies the route type of the DvR route.

View Members of a DvR Domain


About This Task

View the members of all DvR domains, namely the Controllers and Leaf nodes.

You can view this information on either a Controller or a Leaf node. Both the Controller and the Leaf
node display the members of the DvR domain to which they belong.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select DVR.
3. Select the Members tab.
4. (Optional) To filter the rows based on specific criteria, click Filter.

Members field descriptions


Use the data in the following table to use the Members tab.

Name Description
MacAddress Specifies the system ID or the nodal MAC address
of this DvR member.
SysName Specifies the system name of this DvR member.
NickName Specifies the nick name of this DvR member.
Role Specifies the DvR role (Controller or Leaf) of this
DvR member.
DomainId Specifies the domain ID of the DvR domain that
this member belongs to.


View DvR Backbone Members


About This Task

DvR backbone members are either DvR Controllers or non-DvR BEBs that receive redistributed host
routes from all other DvR Controllers in the SPB network.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Click DVR.
3. Click the Backbone Members tab.
4. (Optional) To filter the rows based on specific criteria, click Filter.

Backbone Members field descriptions


Use the data in the following table to use the Backbone Members tab.

Name Description
MacAddress Specifies the system ID or the nodal MAC address
of this DvR backbone member.
SysName Specifies the system name of this DvR backbone
member.
NickName Specifies the nick name of this DvR backbone
member.
Role Specifies the role of this DvR backbone member.
It is either a DvR Controller or a non-DvR BEB.
DomainId Specifies the domain ID of the DvR domain that
this backbone member belongs to.
The domain ID is 0 for a non-DvR BEB.

View Remote DvR Backbone Members


Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Ensure that you enable DvR globally on the node.

About This Task

Perform this procedure to view the remote DvR backbone members. DvR backbone members are either
DvR Controllers or non-DvR BEBs that receive redistributed host routes from all other DvR Controllers
in the SPB network.


Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select DVR Remote.
3. Select the Backbone Members tab.
4. (Optional) To filter the rows based on specific criteria, click Filter.

Backbone Members Field Descriptions


Use the data in the following table to use the Backbone Members tab.

Name Description
MacAddress Specifies the system ID or the nodal MAC address
of this DvR backbone member.
SysName Specifies the system name of this DvR backbone
member.
NickName Specifies the nick name of this DvR backbone
member.
Role Specifies the role of this DvR backbone member.
It is either a DvR Controller or a non-DvR BEB.
DomainId Specifies the domain ID of the DvR domain that
this backbone member belongs to.
The domain ID is 0 for a non-DvR BEB.

View DvR Interfaces


About This Task

View the DvR interfaces on either a Controller or a Leaf node.

On Controllers, DvR interfaces are created when you configure IP on a DvR enabled Layer 2 VSN (VLAN,
I-SID). Only Controllers display the administrative state of the interfaces because this is where you
enable or disable the interfaces. On a Leaf node, the DvR interface information that the Controllers
push, for example, subnet routes and the gateway IP addresses for the Layer 2 VSNs, are displayed.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Click DVR.
3. Click the Interfaces tab.
Click Filter to filter rows based on specific filter criteria.

Interfaces field descriptions


Use the data in the following table to use the Interfaces tab.


Name Description
VlanIpAddrType Specifies the VLAN IP address type of the DvR
interface.
VlanIpAddr Specifies the VLAN IP address (IPv4) of the DvR
interface.
L3Isid Specifies the Layer 3 I-SID of the DvR interface.
The range is 1 to 16777215.
L2Isid Specifies the Layer 2 I-SID of the DvR interface.
The range is 1 to 16777215.
VlanIpMask Specifies the VLAN IP address mask of the DvR
interface.
VrfId Specifies the VRF ID of the DvR interface.
The VRF ID is 0 for the GRT.
VlanId Specifies the VLAN ID of the DvR interface.
GwIpAddrType Specifies the address type of the DvR gateway IP
address (IPv4).
GwIpAddr Specifies the DvR gateway IP address (IPv4).
AdminState Specifies the administrative state of the DvR
interface.
SpbmcState Specifies the state of IP Multicast over Fabric
Connect, on the DvR interface.
IgmpVersion Specifies the version of IGMP that runs on the DvR
interface.

View DvR Host Entries


About This Task

View DvR host entries (IPv4 remote ARPs) on either a Controller or a Leaf node. The node displays the
host entries learned either locally on its UNI port or dynamically from other nodes in the DvR domain.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Click DVR.
3. Click the Host Entries tab.
4. (Optional) To filter the rows based on the specific criteria, click Filter.

Host Entries field descriptions


Use the data in the following table to use the Host Entries tab.


Name Description
IpAddrType Specifies the address type of the DvR host entry
(IPv4 remote ARP).
IpAddr Specifies the IPv4 address of the DvR host entry.
Mask Specifies the subnet mask of the DvR host entry.
L3Isid Specifies the Layer 3 I-SID of the DvR host entry.
MacAddr Specifies the MAC address of the DvR host entry.
L2Isid Specifies the Layer 2 I-SID of the DvR host entry.
VrfId Specifies the VRF ID associated with the DvR host
entry.
Port Specifies the port of the DvR host entry.
DomainId Specifies the DvR domain ID of the DvR host
entry.
Type Specifies the host type of the DvR host entry.
NextHopName Specifies the next hop system name of the DvR
host entry.
NextHopMac Specifies the next hop system MAC address of the
DvR host entry.
ClearEntry Clears the entry if the configured value is true.

View Remote DvR Host Entries


Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the remote DvR host entries (IPv4 remote ARPs) on either a Controller
or a Leaf node. The node displays the host entries learned either locally on its UNI port or dynamically
from other nodes in the DvR domain.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select DVR Remote.
3. Select the Host Entries tab.
4. (Optional) To filter the rows based on the specific criteria, click Filter.

Host Entries Field Descriptions


Use the data in the following table to use the Host Entries tab.


Name Description
IpAddrType Specifies the address type of the DvR host entry
(IPv4 remote ARP).
IpAddr Specifies the IPv4 address of the DvR host entry.
Mask Specifies the subnet mask of the DvR host entry.
L3Isid Specifies the Layer 3 I-SID of the DvR host entry.
MacAddr Specifies the MAC address of the DvR host entry.
L2Isid Specifies the Layer 2 I-SID of the DvR host entry.
VrfId Specifies the VRF ID associated with the DvR host
entry.
Port Specifies the port of the DvR host entry.
DomainId Specifies the DvR domain ID of the DvR host
entry.
Type Specifies the host type of the DvR host entry.
NextHopName Specifies the next hop system name of the DvR
host entry.
NextHopMac Specifies the next hop system MAC address of the
DvR host entry.
ClearEntry Clears the entry if the configured value is true.

Clear DvR Host Entries


About This Task

Clear DvR host entries (IPv4 remote host routes) on a Controller. The host entries are learned on the
switch either locally on its UNI port or dynamically from other nodes in the DvR domain.

Note
You can clear DvR host entries only on a DvR Controller.
An error message displays if you attempt to clear host entries on a DvR Leaf node.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Click DVR.
3. Click the Clear Host Entries tab.
4. Update the fields as necessary, and then click Apply to save your configuration.

Clear Host Entries field descriptions


Use the data in the following table to use the Clear Host Entries tab.


Name Description
ClearAll Select to clear all DvR host entries.
ClearIpv4 Specifies the IPv4 address of the DvR host entries
to clear.
The IPv4 address must not be the VLAN IP
address on any Controller within the DvR domain.
ClearL2Isid Specifies the Layer 2 VSN I-SID of the DvR host
entries to clear.
The range is 0 to 16777215.
ClearL3Isid Specifies the Layer 3 VSN I-SID of the DvR host
entries to clear.
The range is 0 to 16777215.

View Layer 3 VSN Information


About This Task

View VRFs corresponding to Layer 3 (routed) VSN I-SIDs on either a Controller or a Leaf node.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Click DVR.
3. Click the L3–VSN tab.
Click Filter to filter rows based on specific filter criteria.

L3–VSN field descriptions


Use the data in the following table to use the L3–VSN tab.

Name Description
VrfId Specifies the VRF ID of the VRF corresponding to
the Layer 3 VSN I-SID.
Isid Specifies the Layer 3 VSN I-SID.
VrfName Specifies the VRF name of the VRF corresponding
to the Layer 3 VSN I-SID.
InjectDefaultRouteDisable Specifies whether injection of default routes is
disabled.

View the DvR Database


About This Task

View all DvR routes on a Controller or a Leaf node.


The Controller node displays all the IP subnet routes configured for that DvR domain. A Leaf node
displays all IP subnet routes learned from the Controller(s) for the Layer 2 VSNs in the DvR Domain. It
also displays the Host Routes (ARPs) learned from other DvR enabled nodes.

Before You Begin

Ensure that you enable DvR on the node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Click DVR.
3. Click the Database tab.
4. (Optional) To filter the rows based on the specific criteria, click Filter.

Database field descriptions


Use the data in the following table to use the Database tab.

Name Description
DestIpAddrType Specifies the address type of the IPv4 destination
address of the DvR database entry.
DestIpAddr Specifies the IPv4 destination address of the DvR
database entry.
DestMask Specifies the destination mask of the DvR
database entry.
L3Isid Specifies the Layer 3 I-SID of the DvR database
entry.
EcmpIndex Specifies the ECMP index for the DvR database
entry.
NextHop Specifies the MAC address of the next hop BEB, in
the DvR database entry.
L2Isid Specifies the Layer 2 I-SID of the DvR database
entry.
VrfId Specifies the VRF ID for the DvR database entry.
OutgoingInterface Specifies the outgoing interface (port or MLT) of
the DvR database entry.
SpbCost Specifies the SPB cost of the DvR database entry.
PrefixCost Specifies the prefix cost of the DvR database
entry.
NextHopName Specifies the host name of the next hop BEB, in
the DvR database table entry.
Age Specifies the uptime since creation of the DvR
database table entry.


View the Remote DvR Database


Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Ensure that you enable DvR on the node.

About This Task

Perform this procedure to view all remote DvR routes on a Controller or a Leaf node.

The Controller node displays all the IP subnet routes configured for that DvR domain. A Leaf node
displays all IP subnet routes learned from the Controller(s) for the Layer 2 VSNs in the DvR Domain. It
also displays the Host Routes (ARPs) learned from other DvR enabled nodes.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select DVR Remote.
3. Select the Database tab.
4. (Optional) To filter the rows based on the specific criteria, click Filter.

Database Field Descriptions


Use the data in the following table to use the Database tab.

Name Description
DestIpAddrType Specifies the address type of the IPv4 destination
address of the DvR database entry.
DestIpAddr Specifies the IPv4 destination address of the DvR
database entry.
DestMask Specifies the destination mask of the DvR
database entry.
L3Isid Specifies the Layer 3 I-SID of the DvR database
entry.
EcmpIndex Specifies the ECMP index for the DvR database
entry.
NextHop Specifies the MAC address of the next hop BEB, in
the DvR database entry.
L2Isid Specifies the Layer 2 I-SID of the DvR database
entry.
VrfId Specifies the VRF ID for the DvR database entry.
OutgoingInterface Specifies the outgoing interface (port or MLT) of
the DvR database entry.
SpbCost Specifies the SPB cost of the DvR database entry.

PrefixCost Specifies the prefix cost of the DvR database
entry.
NextHopName Specifies the host name of the next hop BEB, in
the DvR database table entry.
Age Specifies the uptime since creation of the DvR
database table entry.

View DvR Backbone Entries on a Controller


About This Task

View the DvR backbone entries (redistributed host routes) learned from all Controllers in all DvR
domains.

Note
You can view DvR backbone entries only on a Controller. Viewing backbone entries does not
apply to a Leaf node.

Before You Begin

Ensure that you enable DvR globally on the node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select DVR.
3. Select the Backbone Entries tab.
4. (Optional) To filter the rows based on the specific criteria, click Filter.

Backbone Entries field descriptions


Use the data in the following table to use the Backbone Entries tab.

Name Description
IpAddrType Specifies the address type of the DvR backbone
host (IPv4 remote ARP).
IpAddr Specifies the IPv4 address of the DvR backbone
host.
L3Isid Specifies the Layer 3 I-SID of the DvR backbone
host.
DomainId Specifies the domain ID of the DvR backbone
host.
EcmpIndex Specifies the ECMP index of the DvR backbone
host.
HostMacAddr Specifies the MAC address of the DvR backbone host.

L2Isid Specifies the Layer 2 I-SID of the DvR backbone
host.
AdvControllerName Specifies the host name of the advertising
Controller.
AdvController Specifies the host MAC address of the advertising
Controller.
NextHopName Specifies the host name of the next hop Backbone
host in the DvR route.
NextHopMac Specifies the MAC address of the next hop
Backbone host in the DvR route.

View Remote DvR Backbone Entries on a Controller


Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Ensure that you enable DvR globally on the node.

About This Task

Perform this procedure to view the remote DvR backbone entries (redistributed host routes) learned
from all Controllers in all DvR domains.

Note
You can view DvR backbone entries only on a Controller. Viewing backbone entries does not
apply to a Leaf node.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select DVR Remote.
3. Select the Backbone Entries tab.
4. (Optional) To filter the rows based on the specific criteria, click Filter.

Backbone Entries Field Descriptions


Use the data in the following table to use the Backbone Entries tab.

Name Description
IpAddrType Specifies the address type of the DvR backbone
host (IPv4 remote ARP).
IpAddr Specifies the IPv4 address of the DvR backbone
host.

L3Isid Specifies the Layer 3 I-SID of the DvR backbone
host.
DomainId Specifies the domain ID of the DvR backbone
host.
EcmpIndex Specifies the ECMP index of the DvR backbone
host.
HostMacAddr Specifies the MAC address of the DvR backbone host.
L2Isid Specifies the Layer 2 I-SID of the DvR backbone
host.
AdvControllerName Specifies the host name of the advertising
Controller.
AdvController Specifies the host MAC address of the advertising
Controller.
NextHopName Specifies the host name of the next hop Backbone
host in the DvR route.
NextHopMac Specifies the MAC address of the next hop
Backbone host in the DvR route.

View DvR Multi-area SPB Backbone Entries on a Controller


Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Enable Distributed Virtual Routing (DvR) globally on the node.

About This Task

Perform this procedure to view the DvR Multi-area SPB backbone entries that the system learns from all
Controllers in all DvR domains.

Note
You can view the backbone entries only on a DvR Controller. Viewing backbone entries does
not apply to a DvR Leaf node.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select DVR.
3. Select the MultiArea Backbone Entries tab.
4. (Optional) Select the Filter button to filter the rows on the basis of specific criteria.

MultiArea Backbone Entries Field Descriptions


Use the data in the following table to use the MultiArea Backbone Entries tab.


Name Description
IpAddrType Specifies the address type of the DvR backbone
host (IPv4 remote ARP).
IpAddr Specifies the IPv4 address of the DvR backbone
host.
L3Isid Specifies the Layer 3 I-SID of the DvR backbone
host.
DomainId Specifies the domain ID of the DvR backbone
host.
EcmpIndex Specifies the ECMP index of the DvR backbone
host.
HostMacAddr Specifies the MAC address of the DvR backbone host.
L2Isid Specifies the Layer 2 I-SID of the DvR backbone
host.
AdvControllerName Specifies the host name of the advertising
Controller.
AdvController Specifies the host MAC address of the advertising
Controller.
NextHopName Specifies the host name of the next hop Backbone
host in the DvR route.
NextHopMac Specifies the MAC address of the next hop
Backbone host in the DvR route.
Area Specifies the type of area as home or remote.

View Remote DvR Multi-area SPB Backbone Entries on a Controller


Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Enable Distributed Virtual Routing (DvR) globally on the node.

About This Task

Perform this procedure to view the remote DvR Multi-area SPB backbone entries that the system learns
from all Controllers in all DvR domains.

Note
You can view the backbone entries only on a DvR Controller. Viewing backbone entries does
not apply to a DvR Leaf node.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select DVR Remote.


3. Select the MultiArea Backbone Entries tab.


4. (Optional) Select the Filter button to filter the rows on the basis of specific criteria.

MultiArea Backbone Entries Field Descriptions


Use the data in the following table to use the MultiArea Backbone Entries tab.

Name Description
IpAddrType Specifies the address type of the DvR backbone
host (IPv4 remote ARP).
IpAddr Specifies the IPv4 address of the DvR backbone
host.
L3Isid Specifies the Layer 3 I-SID of the DvR backbone
host.
DomainId Specifies the domain ID of the DvR backbone
host.
EcmpIndex Specifies the ECMP index of the DvR backbone
host.
HostMacAddr Specifies the MAC address of the DvR backbone host.
L2Isid Specifies the Layer 2 I-SID of the DvR backbone
host.
AdvControllerName Specifies the host name of the advertising
Controller.
AdvController Specifies the host MAC address of the advertising
Controller.
NextHopName Specifies the host name of the next hop Backbone
host in the DvR route.
NextHopMac Specifies the MAC address of the next hop
Backbone host in the DvR route.
Area Specifies the type of area as home or remote.



Extensible Authentication Protocol over LAN
EAPoL
EAPoL Configuration Using CLI
EAP Configuration Using Enterprise Device Manager

Table 79: Extensible Authentication Protocol over LAN product support


Feature
    Product            Release introduced

Extensible Authentication Protocol (EAP) and EAP over LAN (EAPoL)
    VSP 4450 Series    VOSS 4.1
    VSP 4900 Series    VOSS 8.1
    VSP 7200 Series    VOSS 4.2.1
    VSP 7400 Series    VOSS 8.0
    VSP 8200 Series    VOSS 4.1
    VSP 8400 Series    VOSS 4.2
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

EAPoL MHMA-MV
    VSP 4450 Series    VOSS 5.1
    VSP 4900 Series    VOSS 8.1
    VSP 7200 Series    VOSS 5.1
    VSP 7400 Series    VOSS 8.0
    VSP 8200 Series    VOSS 5.1
    VSP 8400 Series    VOSS 5.1
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

EAPoL enhancements: Enhanced MHMV, Fail Open VLAN, Guest VLAN
    VSP 4450 Series    VOSS 6.1
    VSP 4900 Series    VOSS 8.1
    VSP 7200 Series    VOSS 6.1
    VSP 7400 Series    VOSS 8.0
    VSP 8200 Series    VOSS 6.1
    VSP 8400 Series    VOSS 6.1
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

EAP enhancements: EAP on Flex UNI ports, Auto-sense ports, auto-isid-offset
    VSP 4450 Series    Not Supported
    VSP 4900 Series    VOSS 8.3
    VSP 7200 Series    VOSS 8.3
    VSP 7400 Series    VOSS 8.3
    VSP 8200 Series    VOSS 8.3
    VSP 8400 Series    VOSS 8.3
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

EAP enhancements: Wake on LAN, Guest I-SID, Fail Open I-SID
    VSP 4450 Series    VOSS 8.3
    VSP 4900 Series    VOSS 8.3
    VSP 7200 Series    VOSS 8.3
    VSP 7400 Series    VOSS 8.3
    VSP 8200 Series    VOSS 8.3
    VSP 8400 Series    VOSS 8.3
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

Non EAPoL MAC RADIUS authentication
    VSP 4450 Series    VOSS 4.2.1
    VSP 4900 Series    VOSS 8.1
    VSP 7200 Series    VOSS 4.2.1
    VSP 7400 Series    VOSS 8.0
    VSP 8200 Series    VOSS 4.2.1
    VSP 8400 Series    VOSS 4.2.1
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

QoS Priority Assignment
    VSP 4450 Series    VOSS 7.0
    VSP 4900 Series    VOSS 8.1
    VSP 7200 Series    VOSS 7.0
    VSP 7400 Series    VOSS 8.0
    VSP 8200 Series    VOSS 7.0
    VSP 8400 Series    VOSS 7.0
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

RADIUS Dynamic User-Based Policies
    VSP 4450 Series    Not Supported
    VSP 4900 Series    VOSS 8.3
    VSP 7200 Series    VOSS 8.3
    VSP 7400 Series    VOSS 8.3
    VSP 8200 Series    VOSS 8.3
    VSP 8400 Series    VOSS 8.3
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

RADIUS Port and VLAN based Attributes
    VSP 4450 Series    VOSS 8.4
    VSP 4900 Series    VOSS 8.4
    VSP 7200 Series    VOSS 8.4
    VSP 7400 Series    VOSS 8.4
    VSP 8200 Series    VOSS 8.4
    VSP 8400 Series    VOSS 8.4
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

Continuity Mode for Fail Open VLAN and Fail Open I-SID
    VSP 4450 Series    VOSS 8.6
    VSP 4900 Series    VOSS 8.6
    VSP 7200 Series    VOSS 8.6
    VSP 7400 Series    VOSS 8.6
    VSP 8200 Series    VOSS 8.6
    VSP 8400 Series    VOSS 8.6
    VSP 8600 Series    Not Supported
    XA1400 Series      Not Supported

EAPoL
Extensible Authentication Protocol over LAN (EAPoL or EAP) is a port-based network access control
protocol. EAP provides security by preventing users from accessing network resources before they are
authenticated. The EAP authentication feature prevents users from accessing a network to assume a
valid identity and access confidential material or launch denial-of-service attacks.

You can use EAP to set up network access control on internal LANs and to exchange authentication
information between an end station or server that connects to a switch and an authentication server
(such as a RADIUS server). This security feature extends the benefits of remote authentication to
internal LAN clients. For example, if a new client PC fails the authentication process, EAP prevents the
new client PC from accessing the network.


EAP terminology
This section lists some components and terms used with EAP-based security.
• Supplicant—a device, such as a PC, that applies for access to the network.
• Authenticator—software on a switch that authorizes or rejects a Supplicant attached to the other
end of a LAN segment.
◦ Port Access Entity (PAE)—software that controls each port on the device. The PAE, which resides
on the switch, supports the Authenticator functionality.
◦ Controlled Port—any port on the device with EAP enabled.
• Authentication Server—a RADIUS server that provides AAA services to the authenticator.

EAP Configuration Considerations

This section lists EAP configuration considerations.


• You must configure at least one EAP RADIUS server and shared secret fields.
• You cannot configure EAP on ports that are currently configured for the following:
◦ Shared segments
◦ MultiLink Trunking
• Change the authentication status to auto for each port that you want to control. The auto setting
automatically authenticates the port according to the results of the RADIUS server. The default
authentication setting for each port is authorized.
• When multiple clients are authenticated on the same port, the priority of the latest incoming client is
applied on the port, and this priority is retained until all the clients log out on that port.

Configuration Process
The Authenticator facilitates the authentication exchanges that occur between the Supplicant and the
Authentication Server. The Authenticator Port Access Entity (PAE) encapsulates the EAP message
into a RADIUS packet, and then sends the packet to the Authentication Server.

The Authenticator manages access to the controlled port. At system initialization, or when a Supplicant
initially connects to one of the controlled ports on the device, the system blocks data traffic of the
Supplicant until the Supplicant is authenticated. After the Authentication Server notifies the Authenticator PAE
about the success or failure of the authentication, the Authenticator decides whether to permit or deny
the traffic of the client on the controlled port.

Non-EAPoL (NEAP) frames transmit according to the following rules:

• If authentication succeeds, the previously blocked client is allowed access to the controlled port, which
means the system allows all the incoming and outgoing traffic from that client through the port.
• If authentication fails, the client is blocked from access, which means that neither incoming nor outgoing
traffic is allowed for the client.

The following figure illustrates how the switch, configured with EAP, reacts to a new network
connection.


Figure 52: EAP configuration example


In the preceding figure, the switch uses the following steps to authenticate a new client:

1. The switch detects a new connection on one of its EAP-enabled ports and requests a user ID from
the new client PC.
2. The new client sends its user ID to the switch.
3. The switch uses RADIUS to forward the user ID to the RADIUS server.
4. The RADIUS server responds with a request for the password of the user.
5. The switch forwards the request from the RADIUS server to the new client.
6. The new client sends an encrypted password to the switch, within the EAP packet.
7. The switch forwards the EAP packet to the RADIUS server.
8. The RADIUS server authenticates the password.
9. The switch grants the new client access to the network.
10. The new client accesses the network.

If the RADIUS server cannot authenticate the new client, it denies the new client access to the network.
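
Steps 3 and 7 above, and the PAE encapsulation described under Configuration Process, can be seen on the wire in the following added example, which is not code from this guide or from VOSS. It assumes the standard RFC 3579 encoding (EAP-Message attribute 79, Message-Authenticator attribute 80 keyed with the RADIUS shared secret); the function names, the shared secret, and the sample EAP packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1               # RADIUS code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79            # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579
MAX_ATTR_VALUE = 253             # 255-byte attribute minus type and length bytes


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(eap_packet, user_name, secret, identifier, authenticator=None):
    """Authenticator side: wrap one EAP packet in a RADIUS Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, user_name)
    # An EAP packet longer than 253 bytes is split across consecutive EAP-Message attributes.
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        attrs += encode_attr(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
    ma_value_offset = 20 + len(attrs) + 2
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)))
    packet += authenticator + attrs
    # HMAC-MD5 over the whole packet, keyed with the shared secret, placeholder still zero.
    mac = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    packet[ma_value_offset:ma_value_offset + 16] = mac
    return bytes(packet)


def iter_attributes(packet):
    """Yield (type, value_offset, value) for each attribute, validating lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    (length,) = struct.unpack_from("!H", packet, 2)
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_and_extract_eap(packet, secret):
    """Server side: check Message-Authenticator, then reassemble the EAP packet."""
    attrs = list(iter_attributes(packet))
    auths = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(auths) != 1 or len(auths[0][1]) != 16:
        raise ValueError("exactly one 16-byte Message-Authenticator is required")
    offset, received = auths[0]
    zeroed = bytearray(packet)
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator mismatch: wrong secret or modified packet")
    return b"".join(val for t, _, val in attrs if t == ATTR_EAP_MESSAGE)


# Constructed sample data (not from the guide): a 305-byte EAP-Response, type 13.
SECRET = b"constructed-shared-secret"
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 305, 13) + bytes(range(256)) + bytes(44)
SAMPLE_REQUEST = build_access_request(SAMPLE_EAP, b"alice", SECRET, identifier=42)

if __name__ == "__main__":
    for attr_type, _, value in iter_attributes(SAMPLE_REQUEST):
        print(f"attribute {attr_type:3d}  {len(value):3d} bytes")
    print("EAP recovered intact:", verify_and_extract_eap(SAMPLE_REQUEST, SECRET) == SAMPLE_EAP)
```

A mismatch between the shared secret configured on the switch and on the RADIUS server shows up here as a Message-Authenticator failure, and so does any change to the packet in transit.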

The following figure shows the Ethernet frames and the corresponding codes for EAP as specified by
802.1x.


Figure 53: 802.1x Ethernet frame
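
The frame layout that the figure refers to can be decoded with a short parser, for example when reviewing a packet capture taken on an EAP-enabled port. This is an added example, not code from this guide; the field values follow IEEE 802.1X and RFC 3748 (EtherType 0x888E, EAPOL packet types 0 to 4, EAP codes 1 to 4), and the MAC addresses, user name, and function names are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
VLAN_ETHERTYPE = 0x8100
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP"}


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_eap(pkt):
    """Decode the EAP header: Code, Identifier, Length, and Type for Request/Response."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with EAPOL body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
           "length": length, "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type field
        if length < 5:
            raise ValueError("EAP Request/Response without a Type field")
        eap["type"] = EAP_TYPES.get(pkt[4], f"unknown({pkt[4]})")
        eap["data"] = pkt[5:length]
    return eap


def parse_eapol(frame):
    """Decode an Ethernet frame that carries EAPOL; raise ValueError otherwise."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet and EAPOL headers")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == VLAN_ETHERTYPE:  # skip one 802.1Q tag if present
        if len(frame) < 22:
            raise ValueError("frame too short for a tagged EAPOL header")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL (EtherType 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack_from("!BBH", frame, offset)
    # Use the EAPOL length field, not the frame size: short frames are padded to 60 bytes.
    body = frame[offset + 4:offset + 4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    return {"dst": format_mac(frame[0:6]), "src": format_mac(frame[6:12]),
            "version": version,
            "packet_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "eap": parse_eap(body) if ptype == 0 else None}


def build_frame(dst_hex, src_hex, ptype, body=b"", version=2):
    """Build a constructed EAPOL frame, padded to the 60-byte Ethernet minimum."""
    frame = (bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
             + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, ptype, len(body)) + body)
    return frame.ljust(60, b"\x00")


# Constructed sample frames (not captured from a real network).
PAE_GROUP = "0180c2000003"   # 802.1X PAE group address
CLIENT = "020000000001"      # constructed supplicant MAC
SWITCH = "020000000002"      # constructed authenticator MAC
START_FRAME = build_frame(PAE_GROUP, CLIENT, 1)
IDENTITY_REQUEST = build_frame(CLIENT, SWITCH, 0, struct.pack("!BBHB", 1, 1, 5, 1))
IDENTITY_RESPONSE = build_frame(PAE_GROUP, CLIENT, 0,
                                struct.pack("!BBHB", 2, 1, 10, 1) + b"alice")

if __name__ == "__main__":
    for sample in (START_FRAME, IDENTITY_REQUEST, IDENTITY_RESPONSE):
        print(parse_eapol(sample))
```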


The following figure shows the flow diagram for EAP on a switch.


Figure 54: EAP flow diagram

EAP System Requirements


The following are the minimum system requirements for EAP:
• RADIUS server
• Client software that supports EAP

You must specify the RADIUS server that supports EAP as the primary RADIUS server for the switch.
You must configure your switch for VLANs and EAP security.

If you configure EAP on a port, the following limitations apply:


• You cannot enable EAP on ports that belong to an MLT group.
• You cannot add EAP-enabled ports to an MLT group.

• You can configure a total of 32 MAC clients, EAP and NEAP hosts, on an EAP-enabled port. Two
MAC clients per port is a typical configuration.
• You cannot configure EAP on MLT/LACP interfaces.
• You cannot add EAP-enabled ports to an MLT/LACP group.
• You cannot enable VLACP on EAP enabled ports.
• Manual VLAN changes on an EAP enabled port are restricted.
• You cannot change the VLAN port tagging on EAP enabled ports.
• You cannot configure the default VLAN ID. Use the Guest VLAN configuration to access
unauthenticated devices.
• You cannot enable MACsec on EAP enabled ports.
• You cannot enable EAP on network-to-network interface (NNI).
• You cannot egress mirror an EAP PDU.
• Do not use EAP with a brouter port.
• Ping to and from services between nodes over the NNI will work even when it contains only EAP
enabled ports with no authenticated clients on it.
• MHSA and Fail Open VLAN are mutually exclusive.
• Fail-Open I-SID is not supported in MHSA mode.
• You cannot change the EAP operation mode on EAP enabled ports.
• You cannot configure private VLANs as Fail Open VLAN or Guest VLAN.
• You cannot configure SPBM B-VLAN as Fail Open VLAN or Guest VLAN.
• You cannot delete a VLAN if the VLAN is configured as Fail Open VLAN or Guest VLAN.

EAP Dynamic VLAN Assignment

If you configure a RADIUS server to send a VLAN ID in the Access-Accept response, the EAP feature
dynamically changes the VLAN configuration of the port by adding the port to the specified VLAN.

EAP dynamic VLAN assignment affects the following VLAN configuration values:
• Port membership
• Port priority
• Default VLAN ID

When you disable EAP on a port that was previously authorized, VLAN configuration values for that
port are restored directly from the nonvolatile random access memory (NVRAM) of the device.


You can set up your Authentication Server (RADIUS server) for EAP dynamic VLAN assignments. You
can use the Authentication Server to configure user-specific settings for VLAN memberships and port
priority.

When you log on to a system that is configured for EAP authentication, the Authentication Server
recognizes your user ID and notifies the device to assign preconfigured (user-specific) VLAN
membership and port priorities to the device. The configuration settings are based on configuration
parameters that were customized for your user ID and previously stored on the Authentication Server.

Note
Static entries like IGMP, ARP, FDB configured on a port of a VLAN interface will not
be retained if the port is assigned the same VLAN by the RADIUS server and the client
authenticated on the port gets disconnected or unauthenticated.

Multiple Host Multiple VLAN


With the MHMV feature, you can assign multiple authenticated devices to different VLANs on the same
EAP-enabled port using device MAC addresses. Using RADIUS VLAN attributes, different clients can
access different VLANs. This separates traffic for different MAC clients.

In MHMV mode, the port-priority assigned by the RADIUS server is configured by MAC address for each
authenticated client. After configuration, the QoS level on the port does not change.

Use MHMV to assign multiple authenticated devices to different VLANs on the same port. Clients
access different VLANs based on the MAC address of the devices. Different clients with different
levels of access (unauthorized to authorized), in different VLANs and with different QoS priorities, can
exist on the same port.

With MHMV, EAP Multihost VLAN supports tagged and untagged ports. A port can be a member of
multiple tagged and untagged VLANs.

In MHMV mode, MAC-based VLANs support traffic separation between different authenticated MAC
clients. MAC-based VLAN traffic separation applies only to untagged VLAN traffic. If the data traffic is
tagged and the VLAN is configured on the port, then the traffic is forwarded to the VLAN associated with
the tag.

Multiple Host Multiple VLAN Usage


The following example illustrates the usage scenario for an MHMV port with n unauthenticated clients:
• Clients (n) connect to a switch port. The maximum number of clients (EAP + NEAP) allowed on a
port is 8192.
• EAP is enabled and the default operation mode is MHMV.
• Modify client counters to authenticate n clients.
• Initial VLANs are the VLANs that are manually set up before EAP is enabled.
• Port default VLAN ID is equal to one of the initial VLAN IDs.
• All clients are unauthenticated, hence the clients cannot access the network.

The following figure represents the functionality when clients are not authenticated.


Note
The clients cannot access the network as they are not authenticated.

When client PC1 authenticates, there are two scenarios:

1. Client PC1 does not receive RADIUS VLAN attribute:


• There are no changes to the port membership and port default VLAN ID.
• PC1 is the only client that is allowed access to the initial VLANs.
• A VLAN MAC rule is added that associates the MAC with the default VLAN ID.
• If the VLAN is configured on the port, then the tagged traffic from PC1 is forwarded to the VLAN
associated with the tag.
• Untagged traffic from PC1 is forwarded to the port default VLAN.
2. Client PC1 receives RADIUS VLAN attribute:
• The port is left in all initial VLANs and added to the VLAN corresponding to the RADIUS VLAN
attribute.
• Port default VLAN remains unchanged.
• A VLAN MAC based rule is configured for client PC1.
• Using the VLAN MAC based capabilities, the untagged traffic from PC1 goes to the RADIUS
assigned VLAN 1 as shown in the figure below.


• Client PC1 can access all initial VLANs using tagged frames.
• The remaining clients stay unauthenticated and cannot access any VLANs.

The following figure represents the functionality when client PC1 authenticates.

Note
PC1 is authenticated with RADIUS VLAN 1. The other clients cannot access the network as
they are unauthenticated.

When a client disconnects, the following happens:

• The MAC VLAN rule is removed from the switch.
• If the RADIUS VLAN attribute was used when the client was authenticated and no other clients are
authenticated on that RADIUS VLAN, then the port is removed from the VLAN.
• The RADIUS accounting attribute Acct-Terminate-Cause indicates how a session was terminated.
• The RADIUS accounting attribute Event-Timestamp indicates the time that an event occurred on the
Network Access Server (NAS).

EAP Functionality on Flex UNI Ports


After you enable EAP on a port, all client MACs (MHMV mode) must be authenticated by the RADIUS
server in order to have network access. In Multiple Host Multiple VLAN (MHMV) mode, the RADIUS
server allocates a MAC to I-SID binding to each client that connects to the switch and uses it to transmit
traffic. The binding is not between the MAC and the VLAN. Untagged S-UNIs generated from the
RADIUS server for a MAC or MACs are considered as MAC-based S-UNIs.

The RADIUS server also provides the VLAN:ISID binding for the MAC, which results in the addition of an
untagged Switched UNI (S-UNI) for that particular I-SID. Only the MAC or MACs that receive the I-SID
from the RADIUS server can transmit traffic to Extensible Authentication Protocol (EAP)-enabled Flex
UNI ports.

The switch uses MAC-based S-UNIs with EAP-enabled Flex UNI ports in MHMV mode only.

The MAC-based S-UNI model does not apply to MHSA mode. Multiple Host Single Authentication
(MHSA) mode uses the untagged S-UNI model that exists on VOSS switches. S-UNIs generated from
the information obtained from the RADIUS server are considered as classic or default untagged S-UNIs.

Note
EAP is not supported on MLT/SMLTs. Only the EAP I-SIDs are synchronized between one vIST
peer and another vIST peer. S-UNIs are not synchronized with the vIST peer.

EAP with Flex UNI is supported on Distributed Virtual Routing (DvR) Leafs. An untagged S-UNI (where
the system learns MACs based on the I-SID to MAC binding) must have a platform VLAN associated
with it. If a default untagged S-UNI is used, the corresponding S-UNI must be received from the DvR
Controllers.

EAP and Fabric Attach


With Extensible Authentication Protocol (EAP) and Fabric Attach (FA), FA-capable switches can
forward traffic from EAP/NEAP clients over the SPB cloud. The traffic for authenticated clients is
mapped to I-SIDs received from RADIUS server.

You must configure the desired bindings for EAP/NEAP clients on the RADIUS server. When confirming
the authentication request, the RADIUS server also sends the corresponding binding for the EAP/NEAP
client.

The FA Proxy sends to the FA Server the binding received from the RADIUS server. If the FA Server
rejects all the bindings, the client is disconnected. EAP clients are moved from AUTHENTICATED state
to HELD state.

On an FA Server, when an EAP/NEAP device is authenticated and an FA binding is received from the
RADIUS server, a Switched UNI (S-UNI) is created.

After an EAP/NEAP client is disconnected, the switch cleans up the binding associated with the client, if
no other EAP/NEAP client on that port uses it.

EAP and FA can be enabled in any order; however, EAP must have Flex UNI enabled in order to function
on an FA-enabled port.

FA clients that generate S-UNI bindings must be used with EAP MHSA mode, while FA clients that do
not generate S-UNI bindings should be used with EAP MHMV mode.


MAC Move Detection on EAP Ports


The MAC moves mechanism detects when a MAC address migrates from one port to another port, such
as:
• EAPoL-enabled port to EAPoL-enabled port
• EAPoL-enabled port to non-EAPoL (NEAP)-enabled port
• non-EAPoL (NEAP)-enabled port to EAPoL-enabled port

When a MAC address migrates from one port to another port, the new EAPoL-enabled port triggers a
new RADIUS authentication. New bindings are applied on the new EAPoL-enabled port. The old port
detects that the MAC has moved and automatically deletes the old binding or bindings.

The MAC moves mechanism works between vIST peers when a MAC address on one peer migrates to
the other peer, but only if the I-SID in which the MAC address is learned exists on both the new and
the old peer.

Auto-sense Ports
EAP and NEAP are integrated with the Auto-sense infrastructure. If a RADIUS server is configured on the
switch, Auto-sense-enabled ports activate EAP and NEAP authentication automatically.

For more information about Auto-sense functionality, see Auto-sense on page 15.

RADIUS-Assigned VLAN or VLAN:ISID Bindings


RADIUS-assigned VLAN and VLAN:ISID bindings provide greater flexibility and a more centralized
assignment. The RADIUS server can dynamically assign VLANs or VLAN:ISID bindings to a port.

Use VLAN attributes for RADIUS assignments in VLAN mode. This mode applies when the EAP-enabled
port does not have Flex-UNI enabled.

Use VLAN:ISID attributes for RADIUS assignments in I-SID mode. This mode applies when the EAP-
enabled port does have Flex-UNI enabled.

For more information, see RADIUS Attributes on page 2782.

RADIUS Configuration Prerequisites for EAP


Connect the RADIUS server to a force-authorized port. This ensures that the port is always available and
not tied to whether or not the device is EAP-enabled.

RADIUS Accounting for EAP


The switch can account for EAP and NEAP sessions using the RADIUS accounting
protocol. A user session is defined as the time frame from when a user is authenticated until the
user is unauthenticated.


The following table summarizes the accounting events and information logged.

Table 80: Summary of accounting events and information logged


| Event | RADIUS attributes | Description |
|---|---|---|
| User is authenticated by EAP | Acct-Status-Type | Start |
| | Nas-IP-Address | IP address to represent the switch |
| | Nas-Port | Port number on which the user is EAP or NEAP authorized |
| | Acct-Session-ID | Unique string representing the session |
| | User-Name | EAP user name or NEAP MAC |
| User logs off | Acct-Status-Type | Stop |
| | Nas-IP-Address | IP address to represent the switch |
| | Nas-Port | Port number on which the user is EAP or NEAP unauthorized |
| | Acct-Session-ID | Unique string representing the session |
| | User-Name | EAP user name |
| | Acct-Input-Octets | Number of octets input to the port during the session |
| | Acct-Output-Octets | Number of octets output to the port during the session |
| | Acct-Terminate-Cause | Reason for terminating user session. For more information about the mapping of 802.1x session termination cause to RADIUS accounting attribute, see the following table. |
| | Acct-Session-Time | Session interval |

The following table describes the mapping of the causes of 802.1x session terminations to the
corresponding RADIUS accounting attributes.

Table 81: 802.1x session termination mapping


| IEEE 802.1X dot1xAuthSessionTerminateCause Value | RADIUS Acct-Terminate-Cause Value |
|---|---|
| supplicantLogoff(1) | User Request (1) |
| portFailure(2) | Lost Carrier (2) |
| supplicantRestart(3) | Supplicant Restart (19) |
| reauthFailed(4) | Reauthentication Failure (20) |
| authControlForceUnauth(5) | Admin Reset (6) |
| portReInit(6) | Port Reinitialized (21) |
| portAdminDisabled(7) | Port Administratively Disabled (22) |
| notTerminatedYet(999) | |
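
Table 81 applied to accounting data, as an added example (not Extreme Networks code): the sketch pairs Start and Stop records by Acct-Session-ID, lists sessions that never received a Stop, and flags ports with repeated Reauthentication Failure (20) terminations. The one-record-per-line layout, the sample records, the function names, and the threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Table 81, keyed by the RADIUS Acct-Terminate-Cause value:
# value -> (RADIUS name, IEEE 802.1X dot1xAuthSessionTerminateCause name)
TERMINATE_CAUSE = {
    1: ("User Request", "supplicantLogoff(1)"),
    2: ("Lost Carrier", "portFailure(2)"),
    19: ("Supplicant Restart", "supplicantRestart(3)"),
    20: ("Reauthentication Failure", "reauthFailed(4)"),
    6: ("Admin Reset", "authControlForceUnauth(5)"),
    21: ("Port Reinitialized", "portReInit(6)"),
    22: ("Port Administratively Disabled", "portAdminDisabled(7)"),
}

# Constructed sample: one accounting record per line, comma-separated pairs.
SAMPLE_ACCOUNTING = """\
Acct-Status-Type=Start, NAS-Port=5, Acct-Session-Id=s1, User-Name=alice
Acct-Status-Type=Stop, NAS-Port=5, Acct-Session-Id=s1, User-Name=alice, Acct-Terminate-Cause=1
Acct-Status-Type=Start, NAS-Port=7, Acct-Session-Id=s2, User-Name=00C0C1C2C3C4
Acct-Status-Type=Stop, NAS-Port=7, Acct-Session-Id=s2, User-Name=00C0C1C2C3C4, Acct-Terminate-Cause=20
Acct-Status-Type=Start, NAS-Port=7, Acct-Session-Id=s3, User-Name=00C0C1C2C3C4
Acct-Status-Type=Stop, NAS-Port=7, Acct-Session-Id=s3, User-Name=00C0C1C2C3C4, Acct-Terminate-Cause=20
Acct-Status-Type=Start, NAS-Port=9, Acct-Session-Id=s4, User-Name=bob
"""


def parse_records(text):
    """Parse one record per line into dicts with lower-cased attribute names."""
    records = []
    for line in text.strip().splitlines():
        pairs = (item.partition("=") for item in line.split(","))
        records.append({k.strip().lower(): v.strip() for k, _, v in pairs})
    return records


def cause_name(value):
    """Return 'RADIUS name / 802.1X name' for a cause value, or mark it unmapped."""
    entry = TERMINATE_CAUSE.get(value)
    return f"{entry[0]} / {entry[1]}" if entry else f"unmapped ({value})"


def analyse(records, watch_cause=20, threshold=2):
    """Pair Start/Stop records and summarise termination causes per port."""
    started, stopped = {}, {}
    for rec in records:
        status = rec.get("acct-status-type", "").lower()
        if status == "start":
            started[rec.get("acct-session-id")] = rec
        elif status == "stop":
            stopped[rec.get("acct-session-id")] = rec

    causes_by_port = defaultdict(Counter)
    for rec in stopped.values():
        raw = rec.get("acct-terminate-cause", "")
        cause = int(raw) if raw.isdigit() else None
        causes_by_port[rec.get("nas-port")][cause] += 1

    return {
        # Authenticated sessions for which no Stop record was seen.
        "open_sessions": sorted(set(started) - set(stopped), key=str),
        # Stop records whose Start is missing from the data set.
        "stops_without_start": sorted(set(stopped) - set(started), key=str),
        "causes_by_port": {p: dict(c) for p, c in causes_by_port.items()},
        # Ports where the watched cause occurred at least `threshold` times.
        "flagged_ports": sorted(
            (p for p, c in causes_by_port.items() if c[watch_cause] >= threshold),
            key=str,
        ),
    }


if __name__ == "__main__":
    report = analyse(parse_records(SAMPLE_ACCOUNTING))
    print("open sessions:", report["open_sessions"])
    for port in report["flagged_ports"]:
        print(f"port {port}: repeated {cause_name(20)}")
```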

RADIUS Dynamic User-Based Policies


RADIUS Dynamic User-Based Policies is a security feature to control access services on user devices
that connect to the network. Before enabling any services on the user device, the RADIUS server
authenticates each device that connects to the switch port and assigns that port to a VLAN or a
VLAN to I-SID binding. RADIUS Dynamic User-Based Policies implement a dynamic method to apply
filter Access Control List (ACL) rules to Extensible Authentication Protocol (EAP) and Non-EAP (NEAP)
authenticated user traffic. The RADIUS server authenticates the user device for switch access and sends
rules for that user device to the switch.

The system clears the rules when the following events occur:
• You disable EAPoL globally on the switch.
• EAP and NEAP sessions are cleared.
• You shut down the port.

Note
• You must enable RADIUS and EAP over LAN (EAPoL) on the switch. For more information,
see Enabling RADIUS authentication on page 2736 and Globally enabling EAP on the
device on page 794.
• You must configure an EAP-enabled RADIUS server. For more information, see Configure
an EAP-enabled RADIUS Server on page 797.

RADIUS Dynamic User-Based Policies support one-time configuration of policy attributes on the
RADIUS server and dynamically create the policies on multiple switches within the network. This
process of automatically creating policies enhances the speed of network access for authenticated
users and also facilitates faster network synchronization in the event of network-wide policy changes.

Extreme Vendor ID 1916 supports the following RADIUS Vendor Specific Attribute (VSA) for RADIUS
Dynamic User-Based Policies:
• Extreme-Dynamic-ACL (ID 251)

For more information, see RADIUS Attributes on page 2782.

The RADIUS server contains the RADIUS VSAs in a configuration file for each EAP or NEAP client that
the switch authenticates. Following is an example of a RADIUS VSA configured on the RADIUS server:
00000000000a Cleartext-Password :="00000000000a"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Auth-Type := Accept,
Fabric-Attach-ISID = 10:100,
Extreme-Dynamic-ACL = CLIENT RadiusGuest
Extreme-Dynamic-ACL = acl inPort
Extreme-Dynamic-ACL = ace 1 sec name ACE-A1 ethernet ether-type eq 0x800 & action deny count & ip ipprotocol-type eq 17 & protocol dst-port eq 4000
Extreme-Dynamic-ACL = ace 2 sec name ACE-A2 ethernet ether-type eq ip & ip dst-ip eq 10.10.10.1 & action deny
Extreme-Dynamic-ACL = acl set default-action deny

When the switch receives a new VSA with ACL and Access Control Entries (ACE) rules from the RADIUS
server, the switch dynamically creates the ACL infrastructure based on the following:
• Dynamic ACLs - the switch allocates one dynamic ACL for each EAP enabled port. You cannot
manually configure the dynamic ACL. The dynamic behavior of the ACL depends on the EAP port
state (MHMV or MHSA). RADIUS Dynamic User-Based Policies support the inPort and outPort ACL
types. You can display the filter ACL configuration on the switch using the show filter acl
command, to identify the source of ACL configuration (static or dynamic).
• Dynamic ACEs - after the switch configures an ACL as dynamic, the system automatically considers
the ACEs in that ACL as dynamic. You cannot manually configure the ACEs in a dynamic ACL. When
the switch receives an ACE rule from the RADIUS server, the system allocates an ACE ID to it. Each
ACE rule carries a relative order that helps the switch to set priority for the ACE rules that the switch
receives. To handle RADIUS ACL rules, the switch parses the rules first. Based on the actions,
the system classifies the rules as security ACEs or QoS ACEs. If the switch is unable to recognize the
qualifiers or actions in a rule, then the switch ignores that rule.
• Multiple Host Multiple VLAN (MHMV) operating mode - the system authenticates each MAC that the
switch receives on the EAP-enabled port and assigns the MAC to a specific VLAN or VLAN to I-SID
binding. The system uses the VLAN to I-SID binding when Flex UNI is enabled on a port. The system
processes the ACE rules that the switch receives from the RADIUS server on a per-MAC basis, and
translates the default-action into an ACE rule with the action deny or permit. When the switch
processes the RADIUS VSAs, the system adds the MAC as a qualifier for each ACE rule.
• Multiple Host Single Authentication (MHSA) operating mode - the system processes the ACE rules
that it receives from the RADIUS server on a per port basis.

NEAP host
The following section provides information about NEAP hosts on EAP-enabled ports and RADIUS
authentication.

NEAP Hosts on EAP Enabled Ports


For an EAP-enabled port configured for NEAP host support, devices whose MAC addresses are
authenticated are allowed access to the port.

The switch allows the following types of NEAP users:


• NEAP hosts whose MAC addresses are authenticated by RADIUS.

Support for NEAP hosts on EAP-enabled ports is primarily intended to accommodate printers and other
passive devices sharing a hub with EAP clients.

Support for NEAP hosts on EAP-enabled ports includes the following features:
• Authenticated NEAP clients are hosts that satisfy one of the following criteria:
◦ Host MAC address is authenticated by RADIUS.
• NEAP hosts are allowed even if no authenticated EAP hosts exist on the port.


• When a new host is seen on the port, NEAP authentication is performed as follows:
◦ The switch generates a <username, password> pair, which it forwards to the network RADIUS
server for authentication.

NEAP MAC RADIUS Authentication


For RADIUS authentication of a NEAP host MAC address, the switch generates a <username, password>
pair as follows:
• The username is the NEAP MAC address in string format.
• The password is a string that combines the switch IP address, MAC address, port number and
user-configurable key string. If the padding option is enabled, the system specifies a dot (.) for every
missing parameter. The IP address is represented by three decimal characters per octet.

Important
Follow these Global Configuration examples to select a password format that combines one
or more of these three elements:
• Padding enabled, password = 010010011253..05. (when the switch IP address and port are
used).
• Padding enabled, password = 010010011253... (when only the switch IP address is used).
• No padding (default option), password = 000011220001 (when only the user’s MAC
address is used).

The following example illustrates the <username, password> pair format with no padding enabled and
using the IP address, MAC address, and key-string as the password.
switch IP address = 192.0.2.5
non-EAP host MAC address = 00 C0 C1 C2 C3 C4
port = 25
Key-String = abcdef

• username = 00C0C1C2C3C4
• password = 010010011253.00C0C1C2C3C4.25.abcdef

Use the command show eapol system to verify the formatting.


Switch:1>show eapol system

==========================================================================================
Eapol System
==========================================================================================
eap : enabled
Eapol Version : 3
non-eap-pwd-fmt : mac-addr
non-eap-pwd-fmt key : ******
non-eap-pwd-fmt padding : disabled
auto-isid-offset status : disabled
auto-isid-offset value : 15980000
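
The following Python sketch is an added example, not Extreme Networks code: it builds the <username, password> pair for a NEAP MAC so that the matching entry can be provisioned on the RADIUS server. The field order, the dot separators, and the padding behavior are inferred from the examples above; the function names and the sample address 10.10.11.253 (the address that the password strings above encode) are assumptions.

```python
import ipaddress
import re

# Field order as it appears in the examples above (assumed to be fixed).
FIELD_ORDER = ("ip", "mac", "port", "key")


def normalize_mac(mac):
    """Return the MAC as 12 upper-case hex digits (the NEAP username format)."""
    digits = re.sub(r"[\s:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def format_ip(ip):
    """Three decimal characters per octet: 10.10.11.253 -> 010010011253."""
    return "".join(f"{octet:03d}" for octet in ipaddress.IPv4Address(ip).packed)


def neap_credentials(mac, fields=("mac",), padding=False,
                     switch_ip=None, port=None, key=None):
    """Build (username, password) for one NEAP host.

    fields  -- which elements the configured password format uses
    padding -- when True, every unused element still leaves its dot
    port    -- port string exactly as the switch renders it (for example "05")
    """
    unknown = set(fields) - set(FIELD_ORDER)
    if unknown:
        raise ValueError(f"unknown password fields: {sorted(unknown)}")
    values = {
        "ip": format_ip(switch_ip) if switch_ip else "",
        "mac": normalize_mac(mac),
        "port": port or "",
        "key": key or "",
    }
    missing = [name for name in fields if not values[name]]
    if missing:
        raise ValueError(f"no value supplied for: {missing}")
    if padding:
        # Keep all four slots so each unused element contributes only its dot.
        parts = [values[name] if name in fields else "" for name in FIELD_ORDER]
    else:
        # Join only the elements that are in use.
        parts = [values[name] for name in FIELD_ORDER if name in fields]
    return values["mac"], ".".join(parts)


if __name__ == "__main__":
    host = "00 C0 C1 C2 C3 C4"  # constructed sample, same MAC as the example above
    print(neap_credentials(host, ("ip", "mac", "port", "key"),
                           switch_ip="10.10.11.253", port="25", key="abcdef"))
    print(neap_credentials(host, ("ip", "port"), padding=True,
                           switch_ip="10.10.11.253", port="05"))
```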

NEAP client
The following section provides information for NEAP client.


NEAP Client Re-Authentication


The NEAP client re-authentication feature supports the re-authentication of NEAP clients at defined
intervals.

When you enable NEAP client re-authentication, an authenticated NEAP client is only removed from
the authenticated client list if you remove the client account from the RADIUS server, or if you clear the
NEAP authenticated client from the switch.

If an authenticated NEAP client does not generate traffic on the network, the system removes the
MAC address for that client from the MAC address table when the MAC ages out. Although the system
does not display the client MAC address in the MAC address table, it can still display the client as an
authenticated client.

If you enable NEAP client re-authentication and the RADIUS server that the switch connects to
becomes unavailable, the system clears all authenticated NEAP clients and removes those clients from the
switch NEAP client list.

You cannot authenticate one NEAP client on more than one switch port simultaneously. If you connect
NEAP clients to a switch port through a hub, those clients are authenticated on that switch port. If
you disconnect a NEAP client from the hub and connect it directly to another switch port, the client
is authenticated on the new port and its authentication is removed from the port to which the hub is
connected.

MAC Move for Authenticated Non-EAP Clients


When you move a Non-EAP client that is authenticated on a specific port, to another port on which
EAPoL or Non-EAP is enabled, MAC move of the client to the new port does not automatically happen.
This is as designed.

As a workaround, do one of the following:


• Clear the non-EAP session on the port that the client is first authenticated on, before you move the
client to another port.
• Create a VLAN on the switch with the same VLAN ID as that dynamically assigned by the RADIUS
server during client authentication. Use the command vlan create <2-4059> type port-mstprstp
<0-63>. Ensure that the new port is a member of this VLAN.

NEAP MAC Learning and Authentication


The system learns the MACs based on the I-SID to MAC binding. When a packet ingresses on a port,
which is associated with Switched UNI (S-UNI) I-SID, the system performs MAC look up based on the
I-SID. The RADIUS server provides the VLAN:I-SID assignment.

Important
If the default untagged S-UNI is used, you must have a platform VLAN associated with it. This
is required to properly transmit traffic and to generate MAC learning events for traffic sent to
MAC-based S-UNIs.

When an untagged S-UNI is present on the port, the untagged MAC is initially learned on that S-UNI.
When an untagged S-UNI does not exist on the port, the untagged MAC is learned on a special
(internal) VLAN. The RADIUS server provides the VLAN:I-SID assignment.


MAC learning for tagged traffic occurs only if there is a tagged S-UNI with the corresponding C-VID on
that port. The RADIUS server reconfirms the S-UNI that performed MAC learning.

EAP and NEAP Limitations


The EAP and NEAP MAC clients on port setting limits the maximum number of all EAP and NEAP clients per
port. The EAP and NEAP MAC clients on port enhancements limit the EAP clients and the NEAP clients
per port independently.

The following enhancements are added:


• EAP-MAC-MAX : Limits the total number of EAP clients
• NON-EAP-MAC-MAX: Limits the total number of NEAP clients

Note
Do not connect more than 100 EAP and 100 NEAP devices on the switch.

EAP and NEAP mac-max Settings


The total number of EAP clients can be set between 0 and 32, while the total number of NEAP clients
can be set between 0 and 8192.

Note
EAP-MAC-MAX is overridden by MAC-MAX. Even if EAP-MAC-MAX is set to a higher limit,
MAC-MAX must not be exceeded, and no more than MAC-MAX clients are authenticated.

Note
NON-EAP-MAC-MAX is overridden by MAC-MAX. Even if NON-EAP-MAC-MAX is set to a
higher limit, MAC-MAX must not be exceeded, and no more than MAC-MAX clients are
authenticated.

Example Scenarios

1. Scenario 1:
• EAP-MAC-MAX 32
• NON-EAP-MAC-MAX 32
• MAC-MAX 10

In this scenario, there are ten EAP and NEAP authenticated clients, in the order of authentication.
2. Scenario 2:
• EAP-MAC-MAX 1
• NON-EAP-MAC-MAX 1
• MAC-MAX 1

In this scenario, only one EAP or one NEAP client is authenticated, in the order of authentication.
3. Scenario 3:
• EAP-MAC-MAX 5
• NON-EAP-MAC-MAX 10
• MAC-MAX 32


In this scenario, up to five EAP clients and ten NEAP clients are allowed.
4. Scenario 4:
• EAP-MAC-MAX 5
• NON-EAP-MAC-MAX 8
• MAC-MAX 7

In this scenario, up to five EAP clients and seven NEAP clients are allowed. The total number of EAP
or NEAP clients is limited to seven.
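
The four scenarios above can be replayed with the following Python model, which is an added example and not switch code. It assumes that a client arriving after a limit is reached is refused rather than displacing an existing client, and it covers MHMV ports only, since the guide states that these counters do not apply in MHSA mode; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortLimits:
    eap_mac_max: int      # EAP-MAC-MAX, 0 to 32 per the guide
    non_eap_mac_max: int  # NON-EAP-MAC-MAX, 0 to 8192 per the guide
    mac_max: int          # MAC-MAX, combined EAP + NEAP limit

    def __post_init__(self):
        if not 0 <= self.eap_mac_max <= 32:
            raise ValueError("EAP-MAC-MAX must be between 0 and 32")
        if not 0 <= self.non_eap_mac_max <= 8192:
            raise ValueError("NON-EAP-MAC-MAX must be between 0 and 8192")
        if self.mac_max < 0:
            raise ValueError("MAC-MAX cannot be negative")


def replay(limits, attempts):
    """Replay authentication attempts in order; return (admitted, rejected).

    attempts is a list of (client_name, kind) with kind "eap" or "neap".
    A client is admitted only while both its per-type limit and MAC-MAX
    still have room (assumed behavior: later clients are refused).
    """
    per_type_max = {"eap": limits.eap_mac_max, "neap": limits.non_eap_mac_max}
    counts = {"eap": 0, "neap": 0}
    admitted, rejected = [], []
    for name, kind in attempts:
        total = counts["eap"] + counts["neap"]
        if counts[kind] < per_type_max[kind] and total < limits.mac_max:
            counts[kind] += 1
            admitted.append((name, kind))
        else:
            rejected.append((name, kind))
    return admitted, rejected


def tally(clients):
    """Count clients per kind."""
    counts = {"eap": 0, "neap": 0}
    for _, kind in clients:
        counts[kind] += 1
    return counts


def attempts(order):
    """Build constructed attempts from e.g. [("eap", 5), ("neap", 8)]."""
    return [(f"{kind}-{i}", kind) for kind, n in order for i in range(1, n + 1)]


# The four scenarios from the guide.
SCENARIOS = {
    1: PortLimits(32, 32, 10),
    2: PortLimits(1, 1, 1),
    3: PortLimits(5, 10, 32),
    4: PortLimits(5, 8, 7),
}

if __name__ == "__main__":
    # Scenario 4 twice: the outcome depends on the order of authentication.
    for order in ([("eap", 5), ("neap", 8)], [("neap", 8), ("eap", 5)]):
        admitted, rejected = replay(SCENARIOS[4], attempts(order))
        print(order, "->", tally(admitted), "rejected:", len(rejected))
```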

Multiple Host Single Authentication


Multiple Host Single Authentication (MHSA) allows MACs to access the network without EAP and
NEAP authentication. Unauthenticated devices can access the network only after an EAP or NEAP
client is successfully authenticated on a port. The VLAN to which the devices are allowed is the client
authenticated VLAN. Unless Guest VLAN is configured, when there is no authenticated client on the port,
no MAC is allowed to access the network.

MHSA is primarily intended to accommodate printers and other passive devices sharing a hub with EAP
and NEAP clients.

MHSA support is on a port-by-port basis for EAP enabled ports.

MHSA supports the following functionality:


• The port remains unauthorized when no authenticated hosts exist on the port. Before the first
successful authentication occurs, both EAP and NEAP clients are allowed to negotiate access on that
port but only one host is allowed to perform authentication.
• In MHSA mode, QoS level is configured when processing the Port-Priority attribute, because there
can only be one authenticated client. The devices behind the authenticated client use the port
priority established by the main client.
• In MHSA mode, the Guest VLAN applies only when no authenticated client is present on the port.
• After the first EAP or NEAP client successfully authenticates on a port, other clients cannot
negotiate authentication on that port.
• After the first successful authentication, MACs that are already learned on that port are flushed.
• NEAP clients are not removed at age event in MHSA mode.
• There is no limit to the number of MACs that are allowed after first successful authentication.

EAP and NEAP MAC Clients on a Port with MHSA


EAP and NEAP client counters, such as MAC-MAX, EAP-MAC-MAX, and NON-EAP-MAC-MAX do not
apply when the port operates in MHSA mode. In MHSA mode, there can be only one authenticated
client (EAP or NEAP). Subsequent MACs seen on the port are allowed automatically without
authentication.

Guest VLAN
Guest VLAN support provides limited network access until the client is authenticated. Guest VLAN
is configured irrespective of the number of authenticated clients present on the port. Guest VLAN is
available for each port. Only port-based VLANs are used as Guest VLANs. When the Guest VLAN is
active, the port is added to the Guest VLAN, and the port default VLAN ID changes to the Guest VLAN ID.

Guest VLAN on a MHMV Port Usage Scenario


The following example illustrates the configuration of Guest VLAN support with an EAP MHMV port:
• Clients connect to a switch port through a hub.
• The initial VLANs are the VLANs on which the port resides after a switch reboot.
• EAP is enabled.
• The port is a member of initial VLANs. The clients cannot access the VLANs because the clients are
not authenticated. The port default VLAN ID corresponds to one of the initial VLAN IDs.
• Guest VLAN support is not activated.

The following figure represents the functionality when clients are not authenticated.

Note
The clients cannot access the network as they are not authenticated and Guest VLAN is not
configured.

• Guest VLAN support is activated.


• The MHMV port is in the initial VLAN stage but gets added to the Guest VLAN ID. The default VLAN
ID is updated to correspond to the Guest VLAN ID.


• All Clients behind the port can access the Guest VLAN.

The following figure represents the functionality when Guest VLAN is activated.

Note
All clients have Guest VLAN access.

• A client behind the MHMV port gets authenticated. For this usage scenario let us consider PC1 as the
authenticated client.
• The port default VLAN ID is equal to the Guest VLAN ID and remains unchanged.
• The port is copied into the RADIUS assigned VLAN (if any).
• The untagged traffic that originates from PC1 (identified by MAC address) can access only the
RADIUS assigned VLAN or the initial port default VLAN ID, if the RADIUS VLAN attribute is missing.
• The remaining clients that send untagged traffic are unauthenticated devices. The unauthenticated
devices can access only the Guest VLAN because the port VLAN ID is equal to the Guest VLAN ID.
• The initial VLANs are accessed by the following devices:
◦ Authenticated devices that are missing RADIUS VLAN attributes.
◦ Authenticated devices that send corresponding tagged packets.
• When another client gets authenticated, the authenticated client undergoes the same process as
PC1.

The following figure represents the functionality when a client gets authenticated:


Note
PC1 is authenticated with RADIUS VLAN 1. The remaining clients have Guest VLAN access.

When a client disconnects, the following happens:

• The MAC VLAN rule is removed from the switch.
• If the RADIUS VLAN attribute was used when the client was authenticated and no other clients are
authenticated on that RADIUS VLAN, then the port is removed from the VLAN. If other clients are
authenticated on that RADIUS VLAN, then the VLAN MAC rule is deleted.
• If RADIUS VLAN attribute is not used when the client is authenticated, then only the VLAN MAC rule
is deleted.

Guest VLAN on a MHSA Port Usage Scenario


The following is a usage example when Guest VLAN is configured with an EAP MHSA port:
• There are no authenticated EAP or NEAP clients on a port.
• The port is removed from the initial VLANs and moved to Guest VLAN ID.
• The default port VLAN ID changes to Guest VLAN ID.
• All MACs seen on the port have Guest VLAN access.
• Port is removed from the Guest VLAN ID.
• If no RADIUS assigned VLAN is present, then the VLAN membership and the default port VLAN ID are
restored to default settings.


• If the RADIUS assigned VLAN is present, then the VLAN membership and the default port VLAN ID
are changed according to its value.
• Guest VLAN loses its purpose because all MACs are allowed automatically without authentication.

In MHSA mode, the Guest VLAN applies only when no authenticated client is present on the port.

Guest I-SID
Guest I-SID support provides limited network access until the client is authenticated. The switch uses
the Guest I-SID to forward traffic until the client authenticates and receives other VLAN:ISID bindings
from the RADIUS server.

Guest I-SID is a per-port option. You must configure an I-SID either as a C-VLAN or as an ELAN with an
associated platform VLAN before you can configure it as the Guest I-SID. After you configure the Guest
I-SID and you enable EAP, an untagged S-UNI is created based on the supplied I-SID. When you change
the Guest I-SID while EAP is enabled, the untagged S-UNI is replaced on the port.

In MHSA mode, only one untagged S-UNI can exist on a port at one time. Consider the following:
• If there is a manually configured untagged S-UNI on the port, the untagged S-UNI, which uses the
Guest I-SID replaces it.
• If the RADIUS server provides an untagged S-UNI after the client is authenticated, it replaces the
untagged S-UNI, which was created based on the Guest I-SID.
• If the Guest I-SID is removed, the previous manually configured untagged S-UNI is automatically
restored.
• If the RADIUS-assigned untagged S-UNI is no longer present, EAP recreates the untagged S-UNI
created based on the Guest I-SID.

In MHMV mode, the untagged S-UNIs provided by the RADIUS server are treated as MAC-based
untagged S-UNIs, which are different from the untagged S-UNI on the port. Consider the following
factors:
• If there is a manually configured untagged S-UNI on the port, the untagged S-UNI, which uses the
Guest I-SID, replaces it.
• If the Fail-Open I-SID and the Guest I-SID are both configured, the Guest I-SID is applied, as long as a
RADIUS server is reachable.
• If the RADIUS server becomes unreachable, the untagged S-UNI based on the Fail-Open I-SID is
removed and the untagged S-UNI is created based on the Guest I-SID.

EAP and NEAP separation


EAP and NEAP separation provides the ability to have only NEAP clients allowed on one port. This is
done by allowing eap-mac-max to be set to 0. This enhancement gives you the ability to disable EAP
client authentication without disabling NEAP clients. There are no additional configuration commands.
For more information, see Configuring maximum EAP clients on page 810 and Configuring maximum
NEAP clients on page 811.


EAP and NEAP VLAN names


VLAN names configures VLAN membership of EAP and NEAP clients. You do not have to configure this
feature as this mode is always enabled by default.

Fail Open VLAN with Continuity Mode


Fail Open VLAN provides network connectivity when the switch cannot connect to a RADIUS server. If
an authentication failure occurs that is based on a RADIUS timeout, the port immediately transitions to
the Fail Open VLAN.

Note
Prior to releases that support Continuity Mode, transition to the Fail Open VLAN is based
on interval-based RADIUS server reachability checks. If the RADIUS server is reachable, the
switch continues to check the reachability at a default interval of three minutes. This interval-
based check can lead to a transition delay of up to three minutes, from the moment when the
RADIUS Server becomes unreachable until the port moves to the Fail Open VLAN.

If the switch cannot connect to the primary and secondary RADIUS servers, then after a specified
number of attempts to restore connectivity, the switch declares the RADIUS servers unreachable.

Fail Open VLAN provides the following functionality:


• When the EAP RADIUS servers are not reachable, Fail Open VLAN provides restricted access to
devices, which is separate from the Guest VLAN.
• The EAP and NEAP clients are not affected when the RADIUS servers are not reachable.

To use Fail Open VLAN:


• Fail Open VLAN is a per-port configuration.
• Enable Fail Open VLAN by configuring a valid Fail Open VLAN ID and configure the selected VLAN
ID on the switch.
• Use only port-based VLANs as Fail Open VLANs.

When you configure Fail Open VLAN on a port and the RADIUS servers are not reachable, then the Fail
Open VLAN provides the following functionality:
• The port is removed from Guest VLAN, if configured, but all other VLAN membership is kept and the
port is added to the Fail Open VLAN.
• The default VLAN ID is changed to the Fail Open VLAN ID.
• Traffic from the authenticated EAP and NEAP clients is forwarded as before.
• If re-authentication is enabled in Fail Open VLAN mode, then EAP and NEAP clients stop performing
re-authentication.
• All new MACs seen on the port are considered as potential EAP and NEAP clients and are granted
Fail Open VLAN access.

When at least one RADIUS server recovers, all EAP-enabled ports are removed from the Fail Open
VLAN. All unauthenticated MACs are flushed to give the MACs an opportunity to authenticate.


Fail Open VLAN with Guest VLAN scenarios


When an EAP port is configured with both Fail Open VLAN and Guest VLAN, consider the following
scenarios:

1. EAP port operating in MHMV mode:


• If the EAP RADIUS servers are reachable, then all the authenticated clients have Guest VLAN ID
access.
• If the EAP RADIUS servers are not reachable, then Guest VLAN must be removed from the port
completely. The Fail Open VLAN is the new default VLAN. All unauthenticated MACs have Fail
Open VLAN access.
2. EAP port operating in MHSA mode:
• Fail Open VLAN has no impact on the Guest VLAN functionality in MHSA mode.

Fail Open I-SID with Continuity Mode


Fail Open I-SID provides network connectivity with restricted access to devices when the switch cannot
connect to a RADIUS server. If a failure occurs that is based on a RADIUS timeout, the port immediately
transitions to the Fail Open I-SID.

Note
Prior to releases that support Continuity Mode, transition to the Fail Open I-SID is based
on interval-based RADIUS server reachability checks. If the RADIUS server is reachable, the
switch continues to check the reachability at a default interval of three minutes. This interval-
based check can lead to a transition delay of up to three minutes, from the moment when the
RADIUS Server becomes unreachable until the port moves to the Fail Open I-SID.

Note
EAP and NEAP clients are not affected when the RADIUS servers are unreachable.

To use Fail Open I-SID:


• Fail Open I-SID is a per-port configuration.
• You must configure an I-SID either as a C-VLAN or as an ELAN with an associated platform VLAN
before you can configure it as the Fail-Open I-SID.
• After you configure the Fail Open I-SID and you enable EAP, an untagged S-UNI is created based on
the supplied I-SID. When you change the Fail Open I-SID while EAP is enabled, the untagged S-UNI
is replaced on the port.

Note
Fail Open I-SID is not supported in MHSA mode.

In MHMV mode, the untagged S-UNIs provided by the RADIUS server are treated as MAC-based
untagged S-UNIs, which are different from the untagged S-UNIs on the port. Consider the following
factors:
• If there is a manually configured untagged S-UNI on the port, the untagged S-UNI, which uses the
Fail Open I-SID, replaces it.

• Caution is advised when both Fail-Open I-SID and Guest I-SID are configured. In this scenario, if
a RADIUS server becomes reachable, the untagged S-UNI created based on the Fail-Open I-SID is
removed and another untagged S-UNI based on the Guest I-SID is created.

EAP Auto-ISID-Offset
EAP auto-isid-offset functionality is used for MACs that do not receive an I-SID attribute from the
RADIUS server. The configured I-SID offset value is used to calculate an I-SID value for a Switched
UNI (S-UNI) when the switch receives only the VLAN attribute from the RADIUS server (not the FA
VLAN:I-SID binding). In that case, the I-SID value is calculated as follows: I-SID = VLAN ID + configured
I-SID offset value.

Wake On LAN
The Wake On LAN (WoL) networking standard enables you to remotely power up a shut-down computer
from a sleeping state. In this process, the computer is shut down with power reserved for the network
card. A packet known as a Magic Packet is broadcast on the local LAN or subnet. On receiving the Magic
Packet, the network card verifies the information. If the information is valid, the network card powers
up the shut-down computer.

The WoL Magic Packet is a broadcast frame that can be sent over a variety of connectionless protocols;
the most commonly used is UDP. The Magic Packet contains data that is a defined constant, represented
in hexadecimal as FF:FF:FF:FF:FF:FF, followed by 16 repetitions of the target computer MAC address and
possibly by a four- or six-byte password.

If you implement enhanced network security using 802.1X, the transmission of Magic Packets to
sleeping or unauthorized network devices is blocked. You can use an interface specific 802.1X feature
known as traffic-control to address this requirement of supporting both WoL and 802.1X Authentication
simultaneously. The default mode is in-out. This mode blocks both ingress and egress unauthenticated
traffic on an 802.1X port. Configuring the traffic control mode to in enables the transmission of Magic
Packets to sleeping or unauthenticated devices. This mode allows any network control traffic, such as a
WoL Magic Packet, to be sent to a workstation irrespective of the authentication or sleep status.

Important
If a PC client is assigned to a VLAN based on a previous RADIUS Assigned VLAN, when the
client goes into sleep or hibernation mode it reverts to either the default port-based VLAN or
Guest VLAN configured for that port. Therefore, the WoL Magic Packet must be sent to the
default VLAN or Guest VLAN.
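
The Magic Packet layout described above, as an added example that is not part of the original guide: a strict validator that a monitoring script could run over captured payloads before trusting them. The function names, the inventory check and the sample MAC addresses are assumptions made for this illustration, and the payload is assumed to begin at the FF:FF:FF:FF:FF:FF constant.

```python
import re
from typing import NamedTuple, Optional

SYNC = b"\xff" * 6             # the defined constant FF:FF:FF:FF:FF:FF
REPEATS = 16                   # the target MAC address appears 16 times
MAC_LEN = 6
PASSWORD_LENGTHS = (0, 4, 6)   # the password is optional: absent, 4 or 6 bytes

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")


class Finding(NamedTuple):
    valid: bool
    target: Optional[str]      # target MAC as aa:bb:cc:dd:ee:ff, if recoverable
    password: bytes
    reason: str


def mac_to_bytes(text: str) -> bytes:
    """Convert a colon- or dash-separated MAC string to 6 raw bytes."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", text))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)


def build_magic_payload(mac: str, password: bytes = b"") -> bytes:
    """Build a payload in the documented layout (used here to make test input)."""
    if len(password) not in PASSWORD_LENGTHS:
        raise ValueError("password must be absent, 4 bytes or 6 bytes")
    return SYNC + mac_to_bytes(mac) * REPEATS + password


def inspect_payload(payload: bytes) -> Finding:
    """Check a payload against the layout and say why it fails, if it does."""
    if not payload.startswith(SYNC):
        return Finding(False, None, b"", "missing FF:FF:FF:FF:FF:FF constant")
    body = payload[len(SYNC):]
    if len(body) < MAC_LEN:
        return Finding(False, None, b"", "no target MAC after the constant")
    mac = body[:MAC_LEN]
    target = bytes_to_mac(mac)
    block = body[:MAC_LEN * REPEATS]
    if len(block) < MAC_LEN * REPEATS:
        return Finding(False, target, b"", "truncated: fewer than 16 MAC repetitions")
    if block != mac * REPEATS:
        return Finding(False, target, b"", "MAC repetitions do not all match")
    password = body[MAC_LEN * REPEATS:]
    if len(password) not in PASSWORD_LENGTHS:
        return Finding(False, target, b"", f"unexpected {len(password)}-byte trailer")
    return Finding(True, target, password, "ok")


def unexpected_targets(payloads, inventory):
    """Targets of well-formed Magic Packets that are not in the inventory.

    The inventory is a hypothetical list of MAC addresses expected behind
    ports whose traffic control mode is set to in.
    """
    known = {bytes_to_mac(mac_to_bytes(mac)) for mac in inventory}
    seen = []
    for payload in payloads:
        finding = inspect_payload(payload)
        if finding.valid and finding.target not in known and finding.target not in seen:
            seen.append(finding.target)
    return seen


if __name__ == "__main__":
    # Constructed sample payloads; the MAC addresses are illustrative only.
    good = build_magic_payload("00:00:11:11:16:02")
    other = build_magic_payload("00-00-11-11-16-03", b"secret")
    for sample in (good, other, good[:-6], good + b"12345"):
        print(inspect_payload(sample))
    print(unexpected_targets([good, other], ["00:00:11:11:16:02"]))
```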

EAPoL Configuration Using CLI

EAPoL (EAP) uses RADIUS protocol for EAP-authorized logons. RADIUS supports IPv4 and IPv6
addresses, with no difference in functionality or configuration.

Before configuring your device, you must configure at least one EAP RADIUS server and shared secret
fields.


You cannot configure EAP on ports that are currently configured for:
• Shared segments
• MultiLink Trunking (MLT)

Change the status of each port that you want to be controlled to auto. The auto setting automatically
authenticates the port according to the results of the RADIUS server. The default authentication setting
for each port is authorized.

Globally enabling EAP on the device


Enable EAP globally on the switch before you enable it on a port or interface.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Globally configure EAP:
eapol enable

Example

Enable EAP globally:

Switch:1> enable
Switch:1#config t
Switch:1(config)#eapol enable

Configure EAP on an Interface


Configure EAP on an interface.

Before You Begin


• EAP must be globally enabled.

About This Task

When you configure a port with the EAP status of auto (Authorization depends on result of EAP
authentication), only one supplicant is allowed on this port. Multiple EAP supplicants are not allowed on
the same physical switch port.


Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable EAP on an interface:


eapol status {authorized|auto}
3. Disable EAP on an interface:
no eapol status

Examples
Enable EAP on an interface:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 1/2
Switch:1(config-if)# eapol status auto

Disable EAP on an interface:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 1/2
Switch:1(config-if)# no eapol status

Variable Definitions
The following table defines parameters for the eapol status command.

Variable      Value
authorized    Specifies that the port is always authorized. The default value is
              authorized.
auto          Specifies that port authorization depends on the results of the EAP
              authentication by the RADIUS server. The default value is authorized.

Configuring EAP on a port


Configure EAP on a specific port when you do not want to apply EAP to all of the switch ports.


Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the maximum EAP requests sent to the supplicant before timing out the session:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} max-request <1-10>
3. Configure the time interval between authentication failure and the start of a new authentication:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} quiet-interval <1-65535>
4. Enable reauthentication:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} re-authentication enable
5. Configure the time interval between successive authentications:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} re-authentication-period <1-65535>
6. Configure the EAP authentication status:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} status {authorized|auto}

Example

Configure the maximum EAP requests sent to the supplicant before timing out the session:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 1/2
Switch:1(config-if)#eapol max-request 10
Switch:1(config-if)#eapol port 1/2 quiet-interval 500


Variable Definitions
The following table defines parameters for the eapol port command.

Variable                     Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
                             Specifies the port or list of ports used by EAP.
                             Identifies the slot and port in one of the following formats: a
                             single slot and port (slot/port), a range of slots and ports
                             (slot/port-slot/port), or a series of slots and ports
                             (slot/port,slot/port,slot/port). If the platform supports
                             channelization and the port is channelized, you must also specify
                             the sub-port in the format slot/port/sub-port.
max-request <1-10>           Specifies the maximum EAP requests sent to the supplicant
                             before timing out the session. The default is 2.
quiet-interval <1-65535>     Specifies the time interval in seconds between the
                             authentication failure and start of a new authentication. The
                             default is 60.
re-authentication enable     Enables reauthentication of an existing supplicant at a specified
                             time interval.
re-authentication-period <60-65535>
                             Specifies the time interval in seconds between successive
                             reauthentications. The default is 3600 (1 hour).
status {authorized|auto}     Specifies the desired EAP authentication status for this port.

Configure an EAP-enabled RADIUS Server


The switch uses RADIUS servers for authentication and accounting services. Use the no form to delete a
RADIUS server.

Before You Begin


• You must enable EAP globally.

About This Task

The RADIUS server uses the secret key to validate users.

RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. Add an EAP-enabled RADIUS server:


radius server host WORD <0–46> used-by eapol acct-enable

radius server host WORD <0–46> used-by eapol acct-port <1-65536>

radius server host WORD <0–46> used-by eapol enable

radius server host WORD <0–46> used-by eapol key WORD<0-20>

radius server host WORD <0–46> used-by eapol port <1-65536>

radius server host WORD <0–46> used-by eapol priority <1-10>

radius server host WORD <0–46> used-by eapol retry <0-6>

radius server host WORD <0–46> used-by eapol secure-enable

radius server host WORD <0–46> used-by eapol secure-log-level

radius server host WORD <0–46> used-by eapol secure-mode

radius server host WORD <0–46> used-by eapol secure-profile

radius server host WORD <0–46> used-by eapol source-ip WORD <0–46>

radius server host WORD <0–46> used-by eapol timeout <1-180>

By default, the switch uses RADIUS UDP port 1812 for authentication, and port 1813 for accounting.
You can change the port numbers or other RADIUS server options.

Example

Add an EAP RADIUS server:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#radius server host fe80:0:0:0:21b:4fff:fe5e:73fd key radiustest used-by eapol

Variable Definitions
The following table defines parameters to configure an EAP-enabled RADIUS server with the radius
server host command.

Variable           Value
host WORD<0–46>    Specifies the IP address of the selected server. RADIUS supports
                   IPv4 and IPv6 addresses, with no difference in functionality or
                   configuration.
WORD<0-20>         Specifies the secret key, which is a string of up to 20 characters.


The following table defines parameters to use optional arguments of the radius server host
command.

Variable                 Value
port <1-65535>           Specifies the port ID number.
priority <1-10>          Specifies the priority number. The lowest number is the
                         highest priority.
retry <0-6>              Specifies the retry count of the account.
timeout <1-180>          Specifies the timeout of the server. The default is 30.
enable                   Enables the functions used by the RADIUS server host.
acct-port <1-65536>      Specifies the port account.
acct-enable              Enables the account.
secure-enable            Enable secure mode on the server.
secure-log-level         Specifies the RADIUS secure server log severity level.
                         Possible values are:
                         • critical
                         • debug
                         • error
                         • info
                         • warning
secure-mode              Specifies the protocol for establishing the secure connection
                         with the server.
secure-profile           Specifies the secure profile name.
source-ip WORD<0–46>     Specifies the IP source. RADIUS supports IPv4 and
                         IPv6 addresses, with no difference in functionality or
                         configuration.
                         Note: Exception: only supported on VSP 8600 Series.

Configure the Switch for EAP and RADIUS


Perform the following procedure to configure the switch for EAP and RADIUS.

About This Task

You must configure the switch through which user-based-policy (UBP) users connect so that it can
communicate with the RADIUS server to exchange EAP authentication information, as well as user role
information. You must specify the IP address of the RADIUS server, as well as the shared secret (a
password that authenticates the device with the RADIUS server as an EAP access point). You must enable
EAP globally on each device, and you must configure EAP authentication on each device port through
which EAP/UBP users connect.

RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration.


For more information about EPM and UBP, see the user documentation for your Enterprise Policy
Manager (EPM) application.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Create a RADIUS server that is used by EAP:
radius server host WORD <0–46> key WORD<0-20> used-by eapol
3. Log on to the Interface Configuration mode:
interface vlan <1-4059>
4. Enable the device to communicate through EAP:
eapol enable
5. Exit from VLAN interface mode:
exit
6. Enter Interface Configuration mode:
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
7. Enable device ports for EAP authentication:
eapol port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} status auto
8. Enable periodic supplicant re-authentication:
eapol port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} re-authentication enable
9. Save your changes:
save config

Example

Switch:1> enable

Switch:1# configure terminal

Create a RADIUS server that is used by EAP:

Switch:1(config)# radius server host fe90:0:0:0:21b:4eee:fe5e:75fd key radiustest used-by eapol

Switch:1(config)# interface vlan 2

Enable the device to communicate through EAP:

Switch:1(config-if)# eapol enable

Save your changes:

Switch:1(config-if)# save config


Variable Definitions
The following table defines parameters for the radius server host WORD<0–46> used-by
eapol command.

Variable           Value
host WORD<0–46>    Specifies the IP address of the selected server.
                   This address tells the device where to find the RADIUS server, from
                   which it obtains EAP authentication and user role information.
                   RADIUS supports IPv4 and IPv6 addresses, with no difference in
                   functionality or configuration.
key WORD<0-20>     Specifies the shared secret key that you use for RADIUS authentication.
                   The shared secret is held in common by the RADIUS server and all
                   EAP-enabled devices in your network. It authenticates each device with
                   the RADIUS server as an EAP access point. When you configure your
                   RADIUS server, you must configure the same shared secret value as you
                   specify here.

Change the Authentication Status of a Port


The switch authorizes ports by default, which means that the ports are always authorized and are not
authenticated by the RADIUS server.

You can also make the ports controlled (auto), so that they depend on being authorized by the RADIUS
server, when you globally enable EAP.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the authorization status of a port:


eapol status {authorized|auto}

Example

Configure the authorization status of a port:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 3/1
Switch:1(config-if)#eapol status auto


Variable Definitions
The following table defines parameters for the eapol status command.

Variable      Value
authorized    Specifies that the port is always authorized. The default value is
              authorized.
auto          Specifies that port authorization depends on the results of the EAP
              authentication by the RADIUS server. The default value is authorized.
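
Because every port defaults to authorized, a port that was never set to auto forwards traffic without RADIUS authentication. The following added example (not code from the guide or from the product) expands the slot/port[/sub-port] list syntax and reports which access ports a set of configuration commands leaves at authorized. The function names and the sample command list are constructed for this illustration, ranges are assumed to stay within one slot, and no eapol status is assumed to return the port to the default.

```python
import re

_PORT = re.compile(r"(\d+)/(\d+)(?:/(\d+))?")


def _parse_port(text):
    match = _PORT.fullmatch(text)
    if not match:
        raise ValueError(f"bad port {text!r}")
    slot, port, sub = match.groups()
    return int(slot), int(port), None if sub is None else int(sub)


def expand_ports(spec):
    """Expand slot/port[/sub-port][-slot/port[/sub-port]][,...] into port names."""
    names = []
    for item in spec.split(","):
        first, dash, last = item.strip().partition("-")
        lo = _parse_port(first)
        hi = _parse_port(last) if dash else lo
        if lo[0] != hi[0]:
            # Ports per slot are platform specific, so this sketch refuses to guess.
            raise ValueError(f"range {item!r} spans slots")
        if lo[2] is None and hi[2] is None and lo[1] <= hi[1]:
            names += [f"{lo[0]}/{p}" for p in range(lo[1], hi[1] + 1)]
        elif None not in (lo[2], hi[2]) and lo[1] == hi[1] and lo[2] <= hi[2]:
            names += [f"{lo[0]}/{lo[1]}/{s}" for s in range(lo[2], hi[2] + 1)]
        else:
            raise ValueError(f"unsupported range {item!r}")
    return names


def eap_status(config_lines, access_ports):
    """Replay the commands and return the resulting status of each port."""
    # Every port starts at the documented default, authorized.
    status = {name: "authorized" for name in expand_ports(access_ports)}
    context = []  # ports selected by the current interface command
    for raw in config_lines:
        line = " ".join(raw.split())
        iface = re.fullmatch(r"interface gigabitethernet (\S+)", line, re.I)
        per_port = re.fullmatch(r"eapol port (\S+) status (authorized|auto)", line)
        in_ctx = re.fullmatch(r"eapol status (authorized|auto)", line)
        if iface:
            context = expand_ports(iface.group(1))
        elif line == "exit":
            context = []
        elif per_port:
            for name in expand_ports(per_port.group(1)):
                status[name] = per_port.group(2)
        elif in_ctx or line == "no eapol status":
            # Assumption: disabling EAP on the interface restores the default.
            value = in_ctx.group(1) if in_ctx else "authorized"
            for name in context:
                status[name] = value
    return status


def ports_without_authentication(config_lines, access_ports):
    """Ports that remain authorized, that is, not authenticated by RADIUS."""
    status = eap_status(config_lines, access_ports)
    order = lambda name: tuple(int(part) for part in name.split("/"))
    return sorted((n for n, s in status.items() if s == "authorized"), key=order)


# Constructed sample: commands in the forms shown in the procedures above.
SAMPLE_CONFIG = """
eapol enable
interface GigabitEthernet 1/1-1/4
eapol status auto
exit
interface GigabitEthernet 1/5
eapol port 1/5,1/7 status auto
no eapol status
exit
""".splitlines()

if __name__ == "__main__":
    print(ports_without_authentication(SAMPLE_CONFIG, "1/1-1/8"))
```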

Deleting an EAP-enabled RADIUS server


Delete an EAP-enabled RADIUS server if you want to remove the server.

About This Task

RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Delete an EAP-enabled RADIUS server:
no radius server host WORD<0–46> used-by eapol

Example

Switch:1> enable

Switch:1# configure terminal

Switch:1(config)# no radius server host fe79:0:0:0:21d:4fdf:fe5e:73fd used-by eapol


Variable Definitions
The following table defines parameters for the radius server host WORD<0–46> used-by
eapol command.

Variable           Value
host WORD<0–46>    Specifies the IP address of the selected server.
                   This address tells the device where to find the RADIUS server, from
                   which it obtains EAP authentication and user role information.
                   RADIUS supports IPv4 and IPv6 addresses, with no difference in
                   functionality or configuration.
key WORD<0-20>     Specifies the shared secret key that you use for RADIUS authentication.
                   The shared secret is held in common by the RADIUS server and all
                   EAP-enabled devices in your network. It authenticates each device with
                   the RADIUS server as an EAP access point. When you configure your
                   RADIUS server, you must configure the same shared secret value as you
                   specify here.

Configuring Fail Open VLAN


About This Task

Use this procedure to configure Fail Open VLAN.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure Fail Open VLAN:


eapol fail-open-vlan <1-4059>

Example

Configure the Fail Open VLAN.


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config-if)#eapol fail-open-vlan 10


Variable Definitions
The following table defines parameters for the eapol fail-open-vlan command.

Variable      Value
<1-4059>      Specifies the VLAN ID in the range of 1 to 4059. By
              default, VLAN IDs 1 to 4059 are configurable and the
              system reserves VLAN IDs 4060 to 4094 for internal use.
              On switches that support the vrf-scaling and spbm-
              config-mode boot configuration flags, if you enable
              these flags, the system also reserves VLAN IDs 3500 to
              3998. VLAN ID 1 is the default VLAN and you cannot
              create or delete VLAN ID 1.

Display the Current EAP-Based Security Status


Use the following procedure to display the status of the EAP-based security.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display the current EAP-based security status:
• show eapol auth-stats interface [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
• Note
  The following command only applies to VSP 8600 Series:
  show eapol multihost non-eap-mac status [vlan <1-4059>] [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
• show eapol port {interface [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}] | {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}}
• show eapol session-stats interface [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
• Note
  The following command only applies to VSP 8600 Series:
  show eapol status interface [vlan <1-4059>] [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
• show eapol sessions {eap | neap} [vlan <1-4059>] [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}] [verbose]
• Note
  The following command does not apply to VSP 8600 Series or XA1400 Series:
  show eapol summary port [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
• show eapol system

Examples
Switch:>enable
Switch:1#config terminal
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#show eapol port 1/2
======================================================================================================================================================
                                                                 Eapol Configuration
======================================================================================================================================================
PORT STATUS OPER DYN   Flex-UNI MAX QUIET REAUTH REAUTH NON-EAP LLDP-AUTH MAX MAX MAX  GST  GST   FAIL FAIL  COA    ADMIN   OPER    TRAFFIC ORIGIN
NUM         MODE MHSA  ENABLE   REQ INTVL PERIOD ENABLE ENABLE  ENABLE    MAC EAP NEAP VLAN I-SID VLAN I-SID ENABLE TRAFFIC TRAFFIC CONTROL
                                                                                                                    CONTROL CONTROL ORIGIN
======================================================================================================================================================
1/2  Auth   MHMV false false    2   60    3600   false  false   false     2   2   2    N/A  N/A   N/A  N/A   false  in-out  in-out  CONFIG  AUTO-SENSE
------------------------------------------------------------------------------------------------------------------------------------------------------
========================================================
                  Eapol Configuration
========================================================
PORT REAUTH REAUTH REAUTH REAUTH ORIGIN
NUM  ENABLE ORIGIN PERIOD PERIOD
                          ORIGIN
========================================================
1/2  false  CONFIG 3600   CONFIG AUTO-SENSE
--------------------------------------------------------

Switch:>enable
Switch:1#config terminal
Switch:1(config)#show eapol sessions eap verbose
=================================================================================================
Eap Oper Status Verbose
=================================================================================================
PORT MAC PAE VLAN PRI Flex-UNI I-SID VLAN:I-SID ACL ACEs RADIUS DYNAMIC
NUM STATUS ID Enable SOURCE SETTINGS
-------------------------------------------------------------------------------------------------
1/13 00:00:11:11:16:02 authenticated 111 1 false n/a DHCPSNOOP, DAI
1/13 00:00:11:11:16:03 authenticated 111 1 false n/a DHCPSNOOP

Switch:>enable
Switch:1#config terminal
Switch:1(config)#show eapol sessions neap verbose
=================================================================================================
Non-Eap Oper Status Verbose
=================================================================================================
PORT MAC STATE VLAN PRI Flex-UNI I-SID NON-EAP VLAN:I-SID ACL ACEs RADIUS DYNAMIC
NUM ID Enable SOURCE AUTH SETTINGS
-------------------------------------------------------------------------------------------------
1/15 00:00:00:00:00:15 authenticated 1 0 false n/a radius IPSG, DHCPSNOOP, DAI, IGMPSNOOP
1/15 00:00:00:00:00:16 authenticated 1 0 false n/a radius BPDU, SLPPGUARD, WOL, AN-ADVERTISEMENTS:100F
-------------------------------------------------------------------------------------------------
Total Number of NEAP Sessions: 2

Note
Product Notice: auto-isid-offset functionality is not available on VSP 4450 Series, VSP 8600
Series, or XA1400 Series.

Switch:1>show eapol system

================================================================================
Eapol System
================================================================================
eap : disabled
Eapol Version : 3
non-eap-pwd-fmt : mac-addr
non-eap-pwd-fmt key : ******
non-eap-pwd-fmt padding : disabled
auto-isid-offset status : disabled
auto-isid-offset value : 1000

Variable Definitions
The following table defines parameters for the show eapol command.

Variable
    Value

auth-stats [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
    Displays the authentication statistics interface.
    Note: auth-stats [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
    is useful only for EAP supplicants. The command output changes only when the EAP
    supplicant tries to access the network.

multihost non-eap-mac status [vlan <1-4059>] [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
    Displays EAP multihost configuration.
    Note: Exception: This parameter applies to VSP 8600 Series only.

port {interface [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}] | {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}}
    Specifies the ports to display. If no port is entered, all ports are displayed.

session-stats interface [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
    Displays the authentication session statistics interface.

sessions {eap | neap} [vlan<1-4059>] [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}] [verbose]
    Displays EAP and non-EAP authentication sessions on the port.
    Note: Exception: This parameter does not apply to VSP 8600 Series or XA1400 Series.

status interface [vlan <1-4059>] [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
    Displays the port EAP operation statistics.
    Note: Exception: This parameter applies to VSP 8600 Series only.

summary port[{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
    Displays EAP and NEAP clients.

system
    Displays EAP settings.

Displaying the port VLAN information


Use the following procedure to display the port VLAN information.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display the port VLAN information:
show interfaces [gigabitEthernet {slot/port[/sub-port] [-slot/port[/
sub-port]] [,...]}] [vlan <1-4059>]

Example
Switch:#enable
Switch:1#show interfaces gigabitethernet vlan
=====================================================================================
Port Vlans
=====================================================================================
PORT DISCARD DISCARD DEFAULT VLAN PORT UNTAG DYNAMIC UNTAG
NUM TAGGING TAGFRAM UNTAGFRAM VLANID IDS TYPE DEFVLAN VLANS VLANS
-------------------------------------------------------------------------------------
1/1 disable false false 1 1 normal disable P 1
1/2 enable false false 1 1,3,10 normal disable P 1,10
1/3 enable false false 1 1,10,20 normal disable P


Variable Definitions
The following table defines parameters for the show interfaces command.

Variable      Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
              Identifies the slot and port in one of the following formats:
              a single slot and port (slot/port), a range of slots and
              ports (slot/port-slot/port), or a series of slots and ports
              (slot/port,slot/port,slot/port). If the platform supports
              channelization and the port is channelized, you must also
              specify the sub-port in the format slot/port/sub-port.
<1-4059>      Specifies the VLAN ID in the range of 1 to 4059. By
              default, VLAN IDs 1 to 4059 are configurable and the
              system reserves VLAN IDs 4060 to 4094 for internal use.
              On switches that support the vrf-scaling and spbm-
              config-mode boot configuration flags, if you enable
              these flags, the system also reserves VLAN IDs 3500 to
              3998. VLAN ID 1 is the default VLAN and you cannot
              create or delete VLAN ID 1.

Configuring the format of the RADIUS password attribute when authenticating NEAP MAC addresses using RADIUS
Use the following procedure to configure the format of the RADIUS password when authenticating
NEAP MAC addresses using RADIUS.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the RADIUS password format:
eapol multihost non-eap-pwd-fmt {[ip-addr] [key WORD<1-32>] [mac-addr] [padding] [port-number]}

Variable Definitions
The following table defines parameters for the eapol multihost non-eap-pwd-fmt command.

Variable Value
ip-addr Management IP address of the switch.
key WORD<1-32> Key value used for the non-EAP password format.
mac-addr MAC address of the client.

padding Includes a dot in the RADIUS password for every missing
parameter.
port-number Index of the port on which MAC is received.

Note
To derive the port number for an interface, use the command show interfaces gigabit
[{slot/port[/sub-port][-slot/port[/sub-port]][,...]}].
For example, if you configure interface 1/6 on the product, use the command
show interfaces gigabitEthernet 1/6 to derive the port-number for this interface. In the output,
the INDEX value shows that the port number used in the NEAP password is 197.
Switch:1(config)# show interfaces gigabitEthernet 1/6

==========================================================================================
Port Interface
==========================================================================================
PORT LINK PORT PHYSICAL STATUS
NUM INDEX DESCRIPTION TRAP LOCK MTU ADDRESS ADMIN OPERATE
------------------------------------------------------------------------------------------
1/6 197 1000BaseTX true false 1950 f8:15:47:e1:dd:05 up up

Enabling RADIUS authentication of NEAP hosts on EAP enabled ports


For RADIUS authentication of NEAP hosts on EAP-enabled ports, you must enable EAP globally on the
switch and then enable NEAP hosts on the local interface.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable RADIUS authentication of NEAP hosts on the local interface:


eapol multihost radius-non-eap-enable

Configuring the maximum MAC clients


Use this procedure to configure the maximum EAP and NEAP MAC clients supported on a port.

Procedure

1. Enter Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1-4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Set the maximum limit of allowed EAP and NEAP MAC clients supported on the port:
eapol multihost mac-max <1-8192>

Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 1/16
Switch:1(config-if)# eapol multihost mac-max <1-8192>

Variable Definitions
The following table defines parameters for the eapol multihost mac-max command.

Variable Value
mac-max <1-8192> Specifies the maximum number of EAP and NEAP MAC
addresses allowed on the port. The maximum limit is 8192 MAC
addresses.

Configuring maximum EAP clients


About This Task

Use this procedure to configure the maximum EAP clients allowed on the port at one time.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the maximum EAP clients:


eapol multihost eap-mac-max <0-32>

Note
eap-mac-max is also used to provide EAP and NEAP separation functionality. By default,
EAP clients are enabled per port and the eap-mac-max limit is 2. If you set eap-mac-max
to 0, EAP client authentication is disabled.

Example

Configure the maximum EAP clients allowed on the port at one time.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config-if)#eapol multihost eap-mac-max 10

Variable Definitions
The following table defines parameters for the eapol multihost eap-mac-max command.

Variable Value
<0-32> Specifies the maximum EAP clients allowed on the port at
one time. The default is 2.

Configuring maximum NEAP clients


About This Task

Use this procedure to configure the maximum NEAP clients allowed on the port at one time.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the maximum NEAP clients:


eapol multihost non-eap-mac-max <0-8192>

Note
non-eap-mac-max is also used to provide EAP and NEAP separation functionality. By
default, NEAP clients are enabled per port and the non-eap-mac-max limit is 2. If you set
non-eap-mac-max to 0, NEAP client authentication is disabled.

Example

Configure the maximum NEAP clients allowed on the port at one time.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config-if)#eapol multihost non-eap-mac-max 10

Variable Definitions
The following table defines parameters for the eapol multihost non-eap-mac-max command.

Variable Value
<0-8192> Specifies the maximum NEAP clients allowed on the port
at one time. The default is 2.

Configuring the Guest VLAN ID


About This Task

Use this procedure to configure the Guest VLAN ID.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the Guest VLAN ID:


eapol guest-vlan <1-4059>

Example

Configure the Guest VLAN ID.


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config-if)#eapol guest-vlan 10

Variable Definitions
The following table defines parameters for the eapol guest-vlan command.

Variable Value
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By
default, VLAN IDs 1 to 4059 are configurable and the
system reserves VLAN IDs 4060 to 4094 for internal use.
On switches that support the vrf-scaling and
spbm-config-mode boot configuration flags, if you enable
these flags, the system also reserves VLAN IDs 3500 to
3998. VLAN ID 1 is the default VLAN and you cannot
create or delete VLAN ID 1.

Clearing NEAP session


Use this procedure to clear the NEAP session that is learnt on the switch.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Clear the NEAP session:
clear eapol non-eap [<0x00:0x00:0x00:0x00:0x00:0x00>] [{slot/port[/sub-port][-slot/port[/sub-port]][,...]} <0x00:0x00:0x00:0x00:0x00:0x00>]

Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# clear eapol non-eap 1/16 00:1b:63:84:45:e6

Variable Definitions
The following table defines parameters for the clear eapol non-eap command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
  Specifies the port list on which the NEAP MAC is learnt.
0x00:0x00:0x00:0x00:0x00:0x00
  Specifies the MAC address of the NEAP session.

Configuring EAP operational mode


About This Task

Use this procedure to configure the EAP operational mode.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the EAP operational mode:


eapol multihost eap-oper-mode {mhmv | mhsa}

Note
The default EAP operational mode is MHMV.

Example

Configure the EAP operational mode:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config-if)#eapol multihost eap-oper-mode mhsa

Variable Definitions
The following table defines parameters for the eapol multihost eap-oper-mode command.

Variable Value
mhmv Specifies the EAP operational mode as Multiple Host
Multiple VLAN.
mhsa Specifies the EAP operational mode as Multiple Host Single
Authentication.

Enabling dynamic changes to EAP sessions on a port


About This Task

Configure a port to allow dynamic changes to EAP sessions. The default is enable.

Before You Begin

You must enable EAP globally and at the port level.

Procedure

1. Enter Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1-4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable the processing of RADIUS dynamic authorization server requests:


eapol radius-dynamic-server enable

Example
Switch:1>enable
Switch:1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/4
Switch:1(config-if)#eapol radius-dynamic-server enable

Configure EAP auto-isid-offset


Note
This procedure does not apply to VSP 4450 Series, VSP 8600 Series, or XA1400 Series.

Before You Begin


• Enable EAP globally or on the port.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure an I-SID offset value:
eapol auto-isid-offset <0-15995903>
3. Enable EAP globally:
eapol enable
4. Confirm that your configuration is correct:
show eapol system

Examples
Configure an I-SID offset value and enable I-SID offset globally on the switch:
Switch:1> enable
Switch:1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#eapol auto-isid-offset 1000
Switch:1(config)#eapol enable

View the current device configuration:


Switch:1>show eapol system
================================================================================
Eapol System
================================================================================
eap : disabled
Eapol Version : 3
non-eap-pwd-fmt : mac-addr
non-eap-pwd-fmt key : ******
non-eap-pwd-fmt padding : disabled
auto-isid-offset status : disabled
auto-isid-offset value : 1000

Variable Definitions
The following table defines parameters for the eapol auto-isid-offset command.

Variable Value
<0-15995903> Specifies the auto I-SID offset value.
The default is 15995903.
enable Enables auto I-SID offset.
The default is disabled.

Configure the Guest I-SID


Note
This procedure does not apply to VSP 8600 Series or XA1400 Series.

Before You Begin

Configure a platform VLAN and associate the Guest I-SID. 0 indicates that Guest I-SID is not enabled for
this port.

About This Task

Use this procedure to configure the Guest I-SID.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the Guest I-SID:


eapol guest-isid <1-16000000>

Example

Configure the Guest I-SID.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/10
Switch:1(config-if)#eapol guest-isid 1000

Variable Definitions
The following table defines parameters for the eapol guest-isid command.

Variable Value
<0-16000000> Specifies the Guest I-SID value.
0 indicates that Guest I-SID is not enabled for this port.

Configure Fail Open I-SID


Note
This procedure does not apply to VSP 8600 Series or XA1400 Series.

Before You Begin

Configure a platform VLAN and associate the Fail Open I-SID.

About This Task

Use this procedure to configure Fail Open I-SID. If the switch declares the RADIUS servers unreachable,
then all new devices gain access into the configured Fail Open I-SID. 0 indicates that Fail Open I-SID is
not enabled for this port.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure Fail Open I-SID:


eapol fail-open-isid <0-16000000>

Example

Configure the Fail Open I-SID.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/10
Switch:1(config-if)#eapol fail-open-isid 1000

Variable Definitions
The following table defines parameters for the eapol fail-open-isid command.

Variable Value
<0-16000000> Specifies the Fail Open I-SID value.
0 indicates that Fail Open I-SID is not enabled for this port.

Configure Wake-On-LAN
Use the following procedure to configure Wake-On-LAN functionality.

Note
This procedure does not apply to VSP 8600 Series or XA1400 Series.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure Wake-On-LAN:
eapol traffic-control <in | in-out>

Variable Definitions
The following table defines parameters for the eapol traffic-control command.

Variable Value
in Specifies that incoming traffic is blocked when there is no authenticated
device.
in-out Specifies that incoming and outgoing traffic is blocked when there is no
authenticated device.
The default value is in-out.
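
An offline review of per-port EAP settings, added here as an example and not part of the VOSS guide or any Extreme Networks code: it reads interface stanzas built from the commands documented in this chapter and lists, per port, the settings that grant access without authentication or fall outside the documented VLAN ID limits. The stanza layout (interface ... exit), the sample values and all function names are assumptions of this example.

```python
import re

# Constructed sample input. The commands are the ones documented in this guide;
# the "interface ... / exit" stanza layout is an assumption, not captured output.
SAMPLE_CONFIG = """\
interface GigabitEthernet 1/1-1/2
eapol multihost radius-non-eap-enable
eapol fail-open-isid 1000
eapol traffic-control in
exit
interface GigabitEthernet 1/10
eapol guest-vlan 4070
eapol multihost eap-mac-max 0
eapol multihost eap-oper-mode mhsa
exit
interface GigabitEthernet 2/1/1,2/3
eapol multihost mac-max 8
eapol guest-isid 0
eapol traffic-control in-out
exit
"""

PORT_RE = re.compile(r"(\d+)/(\d+)(?:/(\d+))?")

def parse_port(text):
    """Return (slot, port) or (slot, port, sub_port) as a tuple of ints."""
    m = PORT_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a slot/port[/sub-port] value: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)

def expand_ports(spec):
    """Expand slot/port[/sub-port][-slot/port[/sub-port]][,...] to port names."""
    names = []
    for item in spec.split(","):
        first, dash, last = item.partition("-")
        lo = parse_port(first)
        hi = parse_port(last) if dash else lo
        # Only the last component is expanded. A range that crosses slots needs
        # the hardware port count, which an offline check does not have.
        if len(lo) != len(hi) or lo[:-1] != hi[:-1] or lo[-1] > hi[-1]:
            raise ValueError(f"cannot expand range: {item!r}")
        names += ["/".join(map(str, lo[:-1] + (n,))) for n in range(lo[-1], hi[-1] + 1)]
    return names

def vlan_problem(vlan_id, flags_enabled=False):
    """Apply the VLAN ID limits from the <1-4059> variable definition."""
    if not 1 <= vlan_id <= 4094:
        return "outside the VLAN ID space"
    if vlan_id >= 4060:
        return "reserved for internal use (4060 to 4094)"
    if flags_enabled and 3500 <= vlan_id <= 3998:
        return "reserved when vrf-scaling and spbm-config-mode are enabled"
    return None

def review(line, flags_enabled=False):
    """Return (setting, note) when an eapol line deserves review, else None."""
    tok = [t for t in line.split()[1:] if t != "multihost"]
    name, arg = (tok + ["", ""])[:2]
    num = int(arg) if arg.isdigit() else None
    if name == "fail-open-isid" and num:
        return name, f"new devices gain access in I-SID {num} when RADIUS is unreachable"
    if name == "guest-isid" and num:
        return name, f"Guest I-SID {num} is enabled on this port"
    if name == "guest-vlan" and num is not None:
        problem = vlan_problem(num, flags_enabled)
        if problem:
            return name, f"VLAN {num} is {problem}"
        return name, f"unauthenticated hosts get access through VLAN {num}"
    if name == "traffic-control" and arg == "in":
        return name, "outgoing traffic is not blocked while no device is authenticated"
    if name in ("eap-mac-max", "non-eap-mac-max") and num == 0:
        kind = "EAP" if name == "eap-mac-max" else "NEAP"
        return name, f"{kind} client authentication is disabled"
    if name == "eap-oper-mode" and arg == "mhsa":
        return name, "MHSA replaces the default MHMV operational mode"
    if name == "radius-non-eap-enable":
        return name, "NEAP hosts are authenticated through RADIUS on this port"
    return None

def audit(config_text, flags_enabled=False):
    """Return (port, setting, note) for each reviewed eapol line, per port."""
    findings, ports = [], []
    for line in map(str.strip, config_text.splitlines()):
        m = re.fullmatch(r"interface\s+gigabitethernet\s+(\S+)", line, re.IGNORECASE)
        if m:
            ports = expand_ports(m.group(1))
        elif line == "exit":
            ports = []
        elif ports and line.startswith("eapol "):
            hit = review(line, flags_enabled)
            if hit:
                findings.extend((p,) + hit for p in ports)
    return findings

if __name__ == "__main__":
    for port, setting, note in audit(SAMPLE_CONFIG):
        print(f"{port:<7}{setting:<24}{note}")
```

Pass flags_enabled=True when the vrf-scaling and spbm-config-mode boot flags are enabled, so that VLAN IDs 3500 to 3998 are also reported as reserved.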

Show the EAPoL Status of the Device


Display the current device configuration.

Note
Use the clear-stats command to clear EAP or NEAP statistics.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the current device configuration by using the following command:
show eapol system

Example

Note
Product Notice: auto-isid-offset functionality is not available on VSP 4450 Series, VSP 8600
Series, or XA1400 Series.

Switch:1>show eapol system


================================================================================
Eapol System
================================================================================
eap : disabled
Eapol Version : 3
non-eap-pwd-fmt : mac-addr
non-eap-pwd-fmt key : ******
non-eap-pwd-fmt padding : disabled
auto-isid-offset status : disabled
auto-isid-offset value : 1000

Show EAPoL Authenticator Statistics


Display the authenticator statistics to manage network performance.

Note
Use the clear-stats command to clear EAP or NEAP statistics.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the authenticator statistics:

show eapol auth-stats interface [gigabitEthernet [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]]

Example
Switch:1#show eapol auth-stats interface
================================================================================
Eap Authenticator Statistics
================================================================================
PORT EAP AUTH-EAP START LOGOFF INVALID LENGTH LAST-RX LAST-RX
RCVD TX RCVD RCVD FRAMES ERROR VER SRC
--------------------------------------------------------------------------------
1/1 716 1074 0 0 0 0 1 18:a9:05:b1:04:ce
1/2 0 0 0 0 0 0 0 00:00:00:00:00:00
1/3 0 0 0 0 0 0 0 00:00:00:00:00:00
1/4 0 5 0 0 0 0 0 00:00:00:00:00:00
1/5 0 0 0 0 0 0 0 00:00:00:00:00:00
1/6 0 0 0 0 0 0 0 00:00:00:00:00:00
1/7 0 0 0 0 0 0 0 00:00:00:00:00:00
1/8 0 0 0 0 0 0 0 00:00:00:00:00:00
1/9 0 0 0 0 0 0 0 00:00:00:00:00:00
1/10 0 0 0 0 0 0 0 00:00:00:00:00:00
--More-- (q = quit)

Variable Definitions
Use the data in the following table to use the show eapol auth-stats interface command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
  Identifies the slot and port in one of the following formats: a single slot
  and port (slot/port), a range of slots and ports (slot/port-slot/port), or a
  series of slots and ports (slot/port,slot/port,slot/port). If the platform
  supports channelization and the port is channelized, you must also
  specify the sub-port in the format slot/port/sub-port.
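
One way to turn the show eapol auth-stats interface output into a per-port check, added here as an example and not part of the guide: it parses the data rows, skips banners and the pager line, and flags ports that transmit EAP frames without receiving any or that count malformed frames. The counter names derived from the column header, the two flag rules and the constructed row 1/11 are assumptions of this example.

```python
import re

# Rows 1/1, 1/4 and 1/5 are copied from the example output in this section;
# row 1/11 is constructed to exercise the error counters.
SAMPLE_OUTPUT = """\
Switch:1#show eapol auth-stats interface
================================================================================
Eap Authenticator Statistics
================================================================================
PORT EAP AUTH-EAP START LOGOFF INVALID LENGTH LAST-RX LAST-RX
RCVD TX RCVD RCVD FRAMES ERROR VER SRC
--------------------------------------------------------------------------------
1/1 716 1074 0 0 0 0 1 18:a9:05:b1:04:ce
1/4 0 5 0 0 0 0 0 00:00:00:00:00:00
1/5 0 0 0 0 0 0 0 00:00:00:00:00:00
1/11 40 52 3 1 7 2 1 00:00:5e:00:53:01
--More-- (q = quit)
"""

# Counter names follow the two-line column header, left to right (assumed names).
COUNTERS = ("eap_rcvd", "auth_eap_tx", "start_rcvd", "logoff_rcvd",
            "invalid_frames", "length_error", "last_rx_ver")
ROW_RE = re.compile(
    r"(?P<port>\d+/\d+(?:/\d+)?)\s+(?P<nums>\d+(?:\s+\d+){6})\s+"
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_auth_stats(text):
    """Map each port to its counters; banners, rules and pager lines are skipped."""
    stats = {}
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if m:
            row = dict(zip(COUNTERS, map(int, m["nums"].split())))
            row["last_rx_src"] = m["src"].lower()
            stats[m["port"]] = row
    return stats


def flag_ports(stats):
    """Return {port: [notes]} for ports whose counters deserve a closer look."""
    flagged = {}
    for port, row in stats.items():
        notes = []
        # The authenticator keeps sending EAP frames but nothing comes back.
        if row["auth_eap_tx"] and not row["eap_rcvd"]:
            notes.append("EAP frames transmitted, none received")
        # Malformed frames arrived on the port.
        if row["invalid_frames"] or row["length_error"]:
            notes.append(f"{row['invalid_frames']} invalid frames, "
                         f"{row['length_error']} length errors")
        if notes:
            flagged[port] = notes
    return flagged


if __name__ == "__main__":
    for port, notes in flag_ports(parse_auth_stats(SAMPLE_OUTPUT)).items():
        print(port, "; ".join(notes))
```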

View EAPoL Session Statistics


View EAPoL session statistics to manage network performance.

Note
Use the clear-stats command to clear EAP/NEAP statistics.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the session statistics:

show eapol session-stats interface [gigabitEthernet [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]]

Example
Switch:1#show eapol session-stats interface
=======================================================================================================
Eap Authenticator Session Statistics
=======================================================================================================
PORT MAC SESSION AUTHENTIC SESSION TERMINATE USER
NUM ID METHOD TIME CAUSE NAME
-------------------------------------------------------------------------------------------------------
1/1 18:a9:05:b1:04:ce cb000000 remote-server 0 day(s), 05:58:16 not-terminated sachin
1/4 00:00:00:00:00:01 cb000002 remote-server 0 day(s), 05:48:01 not-terminated 000000000001
-------------------------------------------------------------------------------------------------------

Variable Definitions
Use the data in the following table to use the show eapol session-stats interface
command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
  Identifies the slot and port in one of the following formats: a single slot
  and port (slot/port), a range of slots and ports (slot/port-slot/port), or a
  series of slots and ports (slot/port,slot/port,slot/port). If the platform
  supports channelization and the port is channelized, you must also
  specify the sub-port in the format slot/port/sub-port.

View Non-EAPoL MAC Information


Note
This procedure only applies to VSP 8600 Series.

Use this procedure to view non-EAPoL client MAC information on a port.

Note
Use the clear-stats command to clear EAP and NEAP statistics.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the non-EAPoL MAC information:
show eapol multihost non-eap-mac status [vlan <1-4059>] [verbose] [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]

Example

Note
Not all fields are supported on all hardware platforms.

Switch:1(config)#show eapol multihost non-eap-mac status

========================================================================================
Eap Oper Status
========================================================================================
PORT MAC STATE VLAN PRI Flex-UNI I-SID NON-EAP VLAN:I-SID
NUM ID Enable SOURCE AUTH AUTH
----------------------------------------------------------------------------------------
1/10 00:00:00:00:00:0e authenticated 10 2 true autoconfig radius 0:1015
----------------------------------------------------------------------------------------
Total Number of EAP Sessions: 1
Switch(config-if)#show eapol multihost non-eap-mac status verbose

=============================================================================================================
Non-Eap Oper Status Verbose
=============================================================================================================
PORT MAC STATE VLAN PRI Flex-UNI I-SID NON-EAP VLAN:I-SID ACL ACEs
NUM ID Enable SOURCE AUTH
-------------------------------------------------------------------------------------------------------------
2/11 00:00:00:00:01:02 authenticated N/A 0 true radius radius 0:10555
-------------------------------------------------------------------------------------------------------------
Total Number of NEAP Sessions: 1

Variable Definitions
Use the data in the following table to use the show eapol multihost non-eap-mac status
command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
  Identifies the slot and port in one of the following formats: a single slot
  and port (slot/port), a range of slots and ports (slot/port-slot/port), or a
  series of slots and ports (slot/port,slot/port,slot/port). If the platform
  supports channelization and the port is channelized, you must also
  specify the sub-port in the format slot/port/sub-port.
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs
1 to 4059 are configurable and the system reserves VLAN IDs 4060
to 4094 for internal use. On switches that support the vrf-scaling
and spbm-config-mode boot configuration flags, if you enable these
flags, the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the
default VLAN and you cannot create or delete VLAN ID 1.
verbose Displays non-EAPoL client MAC information.

View Port EAPoL Operation Statistics


Note
This procedure only applies to VSP 8600 Series.

Use this procedure to view port EAPoL operation statistics.

Note
Use the clear-stats command to clear EAP/NEAP statistics.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the port EAPoL operation statistics information:
show eapol status interface [gigabitEthernet [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}] [vlan <1-4059>] [verbose]

Examples
Switch:1(config)#show eapol status interface

=============================================================================
Eap Oper Status
=============================================================================
PORT MAC STATE VLAN PRI Flex-UNI I-SID VLAN:I-SID
NUM ID Enable SOURCE AUTH
-----------------------------------------------------------------------------
1/1 18:a9:05:b1:04:ce authenticated 10 2 true radius 0:1015
-----------------------------------------------------------------------------
Total Number of EAP Sessions: 1
Switch:1(config-if)#show eapol status interface gigabitEthernet 2/1,2/11 verbose

=====================================================================================================
Eap Oper Status Verbose
=====================================================================================================
PORT MAC PAE VLAN PRI Flex-UNI I-SID VLAN:I-SID ACL ACEs
NUM STATUS ID Enable SOURCE
-----------------------------------------------------------------------------------------------------
2/1 00:00:02:eb:34:e9 authenticated N/A 0 true radius 111:10111 2 2,3
2/1 00:00:02:eb:34:eb authenticated N/A 0 true radius 111:10111 2 1
2/1 00:00:02:eb:34:ed authenticated 333 0 true n/a 2 4
2/1 00:00:02:eb:34:ef authenticated 444 0 true n/a 2 5
2/11 00:00:00:06:a9:df authenticated 11 0 true n/a 1 1
2/11 00:00:00:06:a9:e1 authenticated N/A 0 true radius 111:10111
2/11 00:00:00:06:a9:e3 authenticated 33 0 true n/a 1 2
2/11 00:00:00:06:a9:e5 authenticated 44 0 true n/a 1 3
-----------------------------------------------------------------------------------------------------
Total Number of EAP sessions : 8

Variable Definitions
Use the data in the following table to use the show eapol status command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
  Identifies the slot and port in one of the following formats: a single slot
  and port (slot/port), a range of slots and ports (slot/port-slot/port), or a
  series of slots and ports (slot/port,slot/port,slot/port). If the platform
  supports channelization and the port is channelized, you must also
  specify the sub-port in the format slot/port/sub-port.
<1-4059> Specifies the VLAN ID for which to show the statistics.
verbose Displays detailed statistics information.

EAP Configuration Using Enterprise Device Manager


EAPoL (EAP) uses RADIUS protocol for EAP-authorized logons. RADIUS supports IPv4 and IPv6
addresses with no difference in functionality or configuration in all but the following case. When adding
a RADIUS server in Enterprise Device Manager (EDM) or modifying a RADIUS configuration in EDM, you
must specify if the address type is an IPv4 or an IPv6 address.

Before You Begin


• Before configuring your device, you must configure at least one EAP RADIUS server and shared
secret fields.
• You cannot configure EAP on ports that are currently configured for:
◦ Shared segments
◦ MultiLink Trunking (MLT)
• Change the status of each port that you want to be controlled to auto. For more information on
changing the status, see Configure EAP on a Port. The auto setting automatically
authenticates the port according to the results of the RADIUS server. The default authentication
setting for each port is force-authorized.

Globally Configure EAP on the Server


About This Task

Globally enable or disable EAP on the switch. By default, EAP is disabled.

Procedure

1. In the navigation pane, expand Configuration > Security > Data Path.
2. Select 802.1X - EAPOL.
3. Select the Global tab.
4. From the AccessControl options, select enable.

5. (Optional) Select the appropriate NonEapRadiusPwdAttrFmt check boxes to configure the format
of the RADIUS password when authenticating non-EAP MAC addresses using RADIUS.
6. (Optional) Enter the key string in the NonEapRadiusPwdAttrKeyString field.
7. (Optional) Check the ClearNonEap check box to clear the NEAP session that is learned on the
switch.
8. (Optional) Type an I-SID offset number in the AutoIsidOffset field.
This step does not apply to VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
9. (Optional) Select the AutoIsidOffsetEnable check box to enable Auto I-SID offset on the switch.
This step does not apply to VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
10. Select Apply.

Global field descriptions


Use the data in the following table to use the Global tab.

Name Description
EapolVersion Displays the EAP version on the switch.
AccessControl Enables system authentication control. EAP is
disabled by default.
NonEapRadiusPwdAttrFmt Specifies the password attribute format for non
EAP RADIUS authentication.
• ipAdd: Specifies IP address.
• macAddr: Specifies MAC address.
• portNumber: Specifies port number.
• padding: Specifies padding.
NonEapRadiusPwdAttrKeyString Specifies the attribute key string for non EAP
RADIUS password.
ClearNonEap Clears the NEAP session that is learned on the
switch.
AutoIsidOffset Specifies the Auto I-SID Offset value.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
AutoIsidOffsetEnable Enables or disables the Auto I-SID Offset feature.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.

Configure EAP on a Port


About This Task

Configure EAP or change the authentication status on one or more ports.

Ports are force-authorized by default. Force-authorized ports are always authorized and are not
authenticated by the RADIUS server. You can change this setting so that the ports are always
unauthorized.

Procedure

1. In the Device Physical View tab, select the port you need to configure.
2. In the navigation pane, expand Configuration > Edit > Port.
3. Select General.
4. Select the EAPOL tab.
5. (Optional) Select the AllowNonEapHost check box to enable hosts that do not participate in 802.1X
authentication to get network access.
6. Select the Status option as auto or forceAuthorized.
7. In the MultiHostMaxClients field, type the maximum limit of allowed EAP and NEAP clients
supported on this port.
8. In the GuestVlanId field, type the VLAN ID to be used as a Guest VLAN ID.
This step does not apply to VSP 8600 Series or XA1400 Series.
9. In the FailOpenVlanId field, type the Fail Open VLAN ID.
This step does not apply to VSP 8600 Series or XA1400 Series.
10. In the NonEapMaxClients field, type the maximum number of NEAP authentication MAC addresses
allowed on this port.
11. In the EapMaxClients field, type the maximum number of EAP authentication MAC addresses
allowed on this port.
12. Select the MultiHostSingleAuthEnabled check box to automatically authenticate NEAP MAC
addresses on this port.
13. In the PortGuestIsid field, type the I-SID to be used as a Guest I-SID.
This step does not apply to VSP 8600 Series or XA1400 Series.
14. In the FailOpenIsid field, type the Fail Open I-SID.
This step does not apply to VSP 8600 Series or XA1400 Series.
15. Select the AdminTrafficControl option as inOut or in.
16. (Optional) Select the LldpAuthEnabled check box to enable LLDP authentication for network
access.
This step does not apply to VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
17. Select the ReAuthEnabled field.
18. In the QuietPeriod field, type the time interval.
19. In the ReauthPeriod field, type the time between reauthentication.
20. In the RetryMax field, type the number of times.
21. Select Apply.


EAPoL Field Descriptions


Use the data in the following table to use the EAPoL tab.

Name Description
PortCapabilities Displays the capabilities of the Port Access Entity (PAE)
associated with the port. This parameter indicates whether
Authenticator functionality, supplicant functionality, both, or
neither, is supported by the PAE of the port.
The following capabilities are supported by the PAE of the
port:
• authImplemented: Port Access Controller Protocol
(PACP) Extensible Authentication Protocol (EAP)
authenticator functions are implemented.
• virtualPortsImplemented: Virtual Port functions are
implemented.

PortVirtualPortsEnable Displays the status of the Virtual Ports function for the real
port as True or False.
PortCurrentVirtualPorts Displays the current number of virtual ports running in the
port.
PortAuthenticatorEnable Displays the status of the Authenticator function in the Port
Access Entity (PAE) as True or False.
PortSupplicantEnable Displays the Supplicant function in the Port Access Entity
(PAE) as True or False.
AllowNonEapHost Enables network access to hosts that do not participate in
802.1X authentication. The default is disabled.
Status Configures the authentication status for this port. The default
is forceAuthorized.
• auto: enables the EAP authentication process by sending
the EAP request messages to the RADIUS server.
• forceAuthorized: disables the EAP authentication and puts
the port into force-full authorized mode.

MultiHostMaxClients Specifies the value representing the maximum number of
supplicants allowed to get authenticated on the port.
GuestVlanId Specifies the VLAN to be used as a Guest VLAN. Access
to unauthenticated hosts connected to this port is provided
through this VLAN. 0 indicates that Guest VLAN is not
enabled for this port.
FailOpenVlanId Specifies the Fail Open VLAN ID for this port. If the switch
declares the RADIUS servers unreachable, then all new
devices are allowed access into the configured Fail Open
VLAN. 0 indicates that Fail Open VLAN is not enabled for
this port.
NonEapMaxClients Specifies the maximum number of NEAP authentication MAC
addresses allowed on this port. Zero indicates that NEAP
authentication is disabled for this port.
EAPMaxClients Specifies the maximum number of EAP authentication MAC
addresses allowed on this port. Zero indicates that EAP
authentication is disabled for this port.

MultiHostSingleAuthEnabled Indicates that the unauthenticated devices can access the
network only after an EAP or NEAP client is successfully
authenticated on the port. The VLAN to which the devices are
allowed access is the authenticated client's VLAN. The default
is false.
PortGuestIsid Specifies the I-SID to be used as a Guest I-SID. Access to
unauthenticated hosts connected to this port is provided
through this I-SID. 0 indicates that Guest I-SID is not enabled
for this port.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
FailOpenIsid Specifies the Fail Open I-SID for this port. If the switch
declares the RADIUS servers unreachable, then all new
devices are allowed access into the configured Fail Open
I-SID. 0 indicates that Fail Open I-SID is not enabled for this
port.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
FlexUniStatus Displays the current Flex-UNI status for this port.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
AdminTrafficControl Configures the Administrative Traffic Control. The default is
inOut.
• inOut: enables the Admin Traffic Control for input and
output traffic.
• in: enables the Admin Traffic Control for input traffic only.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
OperTrafficControl Displays the current Operational Traffic Control status.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
LldpAuthEnabled Enables LLDP authentication for this port. The default is
disabled.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
PortOrigin Specifies the source of EAP configuration on the port:
• config - through CLI or EDM
• autoSense - through Zero Touch Fabric Configuration
Note: Exception: not supported on VSP 8600 Series and XA1400 Series.
DynamicMHSAEnabled Displays the Dynamic MHSA configuration status.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.

ReauthOrigin Specifies the origin of EAPOL reauthentication configuration
on the port, either manually configured through CLI or
dynamically configured through RADIUS.
Note: Exception: not supported on VSP 8600 Series and XA1400 Series.
ReauthPeriodOrigin Specifies the origin of EAPOL reauthentication period
configuration on the port, either manually configured through
CLI or dynamically configured through RADIUS.
Note: Exception: not supported on VSP 8600 Series and XA1400 Series.
TrafficControlOrigin Specifies the origin of Traffic Control configuration on the
port. The supported values are:
• config - Traffic Control is enabled by the user.
• radius - Traffic Control is enabled by Extensible
Authentication Protocol (EAP) through Remote
Authentication Dial-In User Service (RADIUS) response.
Authenticator configuration Displays the current Authenticator Port Access Entity (PAE)
state.
The states are:
• authenticate
• authenticated
• Failed
ReAuthEnabled Reauthenticates an existing supplicant at the time interval
specified in ReAuthPeriod. The default is disabled.
QuietPeriod Configures the time interval (in seconds) between
authentication failure and the start of a new authentication.
ReAuthPeriod Reauthenticates an existing supplicant at the time interval
specified in ReAuthPeriod.
Configures the time interval (in seconds) between successive
reauthentications. The default is 3600 (1 hour).
RetryMax Specifies the maximum Extensible Authentication Protocol
(EAP) requests sent to the supplicant before timing out the
session. The default is 2.
RetryCount Specifies the maximum number of retries attempted.
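
The field descriptions in the table above decide whether a port enforces 802.1X for every host. The following added example (not part of the original guide and not Extreme Networks code) audits per-port EAPOL tab values and lists the settings that, by those descriptions, grant access without per-host authentication. The dictionary layout, the function names and the sample ports are assumptions of this example; only the field names, meanings and defaults come from the table.

```python
# Added example: audit EAPOL tab values per port. Field names, meanings and
# defaults are taken from the field-description table; the dict layout,
# function names and sample ports are assumptions (constructed data).

TRUE_WORDS = {"true", "enabled", "1", "yes"}


def as_bool(value):
    """Normalise True/False or strings such as 'true'/'enabled' to a bool."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUE_WORDS


def as_id(value):
    """VLAN IDs and I-SIDs: 0 (or a missing field) means 'not enabled'."""
    return int(value) if value not in (None, "") else 0


def audit_eapol_port(port, fields):
    """Return (port, field, note) tuples for settings that grant access
    without per-host authentication, according to the field descriptions."""
    findings = []

    def note(field, text):
        findings.append((port, field, text))

    # Status defaults to forceAuthorized, which disables EAP authentication.
    status = str(fields.get("Status", "forceAuthorized")).lower()
    if status == "forceauthorized":
        note("Status", "forceAuthorized: EAP authentication is disabled, "
                       "the port is always authorized")

    if as_bool(fields.get("AllowNonEapHost", False)):
        note("AllowNonEapHost",
             "hosts that do not participate in 802.1X can get network access")

    if as_bool(fields.get("MultiHostSingleAuthEnabled", False)):
        note("MultiHostSingleAuthEnabled",
             "unauthenticated devices reach the authenticated client's VLAN "
             "after one client authenticates")

    # Non-zero guest values give unauthenticated hosts a path onto the network.
    for field in ("GuestVlanId", "PortGuestIsid"):
        value = as_id(fields.get(field))
        if value:
            note(field, f"unauthenticated hosts get access through {value}")

    # Non-zero fail-open values admit all new devices while RADIUS is down.
    for field in ("FailOpenVlanId", "FailOpenIsid"):
        value = as_id(fields.get(field))
        if value:
            note(field, f"all new devices are allowed into {value} when the "
                        "RADIUS servers are declared unreachable")

    # These checks only matter when the port really authenticates.
    if status == "auto":
        if not as_bool(fields.get("ReAuthEnabled", False)):
            note("ReAuthEnabled",
                 "disabled: no periodic reauthentication at ReAuthPeriod")
        if str(fields.get("AdminTrafficControl", "inOut")) == "in":
            note("AdminTrafficControl", "in: only input traffic is controlled")
    return findings


def audit_ports(ports):
    """Audit a {port: fields} mapping; return findings ordered by port."""
    findings = []
    for port in sorted(ports):
        findings.extend(audit_eapol_port(port, ports[port]))
    return findings


# Constructed sample values, not taken from a real switch.
SAMPLE_PORTS = {
    "1/1": {},  # untouched port: every field at its documented default
    "1/2": {"Status": "auto", "AllowNonEapHost": "true", "GuestVlanId": 30,
            "FailOpenVlanId": 40, "ReAuthEnabled": "false"},
    "1/3": {"Status": "auto", "ReAuthEnabled": True, "ReAuthPeriod": 3600,
            "GuestVlanId": 0, "FailOpenVlanId": 0},
}

if __name__ == "__main__":
    for port, field, text in audit_ports(SAMPLE_PORTS):
        print(f"{port:4} {field:28} {text}")
```

An untouched port is reported because the documented default for Status is forceAuthorized, so 802.1X enforcement has to be turned on explicitly for each port.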

Configure EAP on an Extreme Integrated Application Hosting Port


Note
This procedure only applies to VSP 4900 Series and VSP 7400 Series.

About This Task

Perform this procedure to configure EAP or change the authentication status on Extreme Integrated
Application Hosting (IAH) ports. IAH ports are force-authorized by default and are not authenticated by
the RADIUS server. You can change this setting so that the IAH ports stay unauthorized.


Procedure

1. In the navigation pane, expand Configuration > Edit > Insight Port.
2. Select the IAH port you want to configure.
3. Select the EAPOL tab.
4. (Optional) Select AllowNonEapHost.
5. In the Status field, select the required option.
6. In the MultiHostMaxClients field, enter a value.
7. In the GuestVlanId field, enter a VLAN ID.
8. In the FailOpenVlanId field, enter a VLAN ID.
9. In the NonEapMaxClients field, enter a value.
10. In the EapMaxClients field, enter a value.
11. Select MultiHostSingleAuthEnabled.
12. In the PortGuestIsid field, type the I-SID to be used as a Guest I-SID.
13. In the FailOpenIsid field, type the Fail Open I-SID.
14. Select the AdminTrafficControl option as inOut or in.
15. Select the LldpAuthEnabled check box to enable LLDP authentication for network access.
16. Select ReAuthEnabled.
17. In the QuietPeriod field, enter a time interval.
18. In the ReAuthPeriod field, enter a time interval.
19. In the RetryMax field, type a value.
20. Select Apply.

EAPOL Field Descriptions


Use data in the following table to use the EAPOL tab.

Name Description
PortCapabilities Shows the capabilities of the Port Access Entity
(PAE) associated with the Extreme Integrated
Application Hosting (IAH) port. This parameter
indicates whether Authenticator functionality,
supplicant functionality, both, or neither, is
supported by the PAE of the IAH port.
The following capabilities are supported by the
PAE of the IAH port:
• authImplemented: Port Access Controller
Protocol (PACP) Extensible Authentication
Protocol (EAP) authenticator functions are
implemented.
• virtualPortsImplemented: Virtual Port
functions are implemented.

PortVirtualPortsEnable Shows the status of the Virtual Ports function for
the IAH port.
PortCurrentVirtualPorts Shows the current number of virtual ports running
on the IAH port.
PortAuthenticatorEnable Shows the status of the Authenticator function in
the PAE.

PortSupplicantEnable Shows the Supplicant function in the PAE.
AllowNonEapHost Enables network access to hosts that do not
participate in 802.1X authentication. The default is
disabled.
Status Specifies the authentication status for the IAH
port.
• auto - enables EAP authentication process
by sending the EAP request messages to the
RADIUS server.
• forceAuthorized - disables EAP authentication
and puts the IAH port into force-full authorized
mode.
The default is forceAuthorized.
MultiHostMaxClients Specifies the maximum number of supplicants
authenticated on the IAH port.
GuestVlanId Specifies the VLAN ID to be used as a Guest VLAN.
Access to unauthenticated hosts connected to
the IAH port is provided through this VLAN. 0
indicates that Guest VLAN is not enabled.
FailOpenVlanId Specifies the Fail Open VLAN ID for the specific
IAH port. If RADIUS server is not reachable on the
switch, then all new devices are allowed access to
the configured Fail Open VLAN ID. 0 indicates that
Fail Open VLAN ID is not enabled.
NonEapMaxClients Specifies the maximum number of NEAP
authentication MAC addresses allowed on the
specific IAH port. 0 indicates that NEAP
authentication is disabled.
EAPMaxClients Specifies the maximum number of EAP
authentication MAC addresses allowed on
the specific IAH port. 0 indicates that EAP
authentication is disabled.
MultiHostSingleAuthEnabled Enables the functionality for network access to
the unauthenticated devices only after an EAP or
NEAP client is successfully authenticated on the
IAH port. The VLAN ID to which the devices are
allowed access is the authenticated client's VLAN.
The default is disabled.
PortGuestIsid Specifies the I-SID to be used as a Guest I-SID.
Access to unauthenticated hosts connected to the
IAH port is provided through this I-SID. 0 indicates
that Guest I-SID is not enabled for this port.
FailOpenIsid Specifies the Fail Open I-SID for the IAH port.
If the switch declares the RADIUS servers
unreachable, then all new devices are allowed
access into the configured Fail Open I-SID. 0
indicates that Fail Open I-SID is not enabled for
this port.

FlexUniStatus Displays the current Flex-UNI status for this IAH
port.
AdminTrafficControl Configures the Administrative Traffic Control. The
default is inOut.
• inOut: enables the Admin Traffic Control for
input and output traffic.
• in: enables the Admin Traffic Control for input
traffic only.

OperTrafficControl Displays the current Operational Traffic Control
status.
LldpAuthEnabled Enables LLDP authentication for this IAH port. The
default is disabled.
PortOrigin Specifies the source of EAP configuration on the
IAH port:
• config - through CLI or EDM
• autoSense - through Zero Touch Fabric
Configuration

DynamicMHSAEnabled Displays the Dynamic MHSA configuration status.
TrafficControlOrigin Indicates the origin of Traffic Control configuration
on the port. The supported values are:
• config - Traffic Control is enabled by the user.
• radius - Traffic Control is enabled by
Extensible Authentication Protocol (EAP)
through Remote Authentication Dial-In User
Service (RADIUS) response.

Authenticate Shows the current Authenticator Port Access
Entity (PAE) authenticate status.
Authenticated Shows the current Authenticator Port Access
Entity (PAE) authenticated status.
Failed Shows the current Authenticator Port Access
Entity (PAE) failure status.
ReAuthEnabled Enables reauthentication of an existing supplicant
based on the specified reauthentication time
interval. The default is disabled.
QuietPeriod Specifies the time interval (in seconds) between
authentication failure and start of authentication.
ReauthPeriod Specifies the time interval (in seconds) between
successive reauthentications. The default is 3600
(1 hour).
RetryMax Specifies the maximum Extensible Authentication
Protocol (EAP) requests sent to the supplicant
before timing out the session. The default is 2.
RetryCount Specifies the maximum number of retries
attempted.


Show the Port Access Entity Port Table


About This Task

Use the Port Access Entity (PAE) Port Table to display system-level information for each port the PAE
supports. An entry displays in this table for each port of this system.

Procedure

1. In the navigation pane, expand Configuration > Security > Data Path.
2. Select 802.1X - EAPOL.
3. Select the EAP Security tab.

EAP Security Field Descriptions


Use the data in the following table to use the EAP Security tab.

Name Description
PortNumber Indicates the port number associated with this port.
PortCapabilities Indicates the capabilities of this PAE port.
• authImplemented—PACP EAP authenticator functions
are implemented in this PAE.
• virtualPortsImplemented—Virtual Port functions are
implemented in this PAE.

PortVirtualPortsEnable Displays the status of the Virtual Ports function for the real
port as True or False.
PortCurrentVirtualPorts Displays the current number of virtual ports running in the
port.
PortAuthenticatorEnable Displays the status of the Authenticator function in the Port
Access Entity (PAE) as True or False.
PortSupplicantEnable Displays the Supplicant function in the Port Access Entity
(PAE) as True or False.
AllowNonEapHost Displays the status if the system is enabled to allow hosts
that do not participate in 802.1X authentication to get
network access.
Status Displays the authentication status for this port. The default is
forceAuthorized.
MultiHostMaxClients Indicates the value representing the maximum number of
supplicants allowed to get authenticated on the port.
GuestVlanId Specifies the VLAN to be used as a Guest VLAN. Access
to unauthenticated hosts connected to this port is provided
through this VLAN. 0 indicates that Guest VLAN is not
enabled for this port.
FailOpenVlanId Specifies the Fail Open VLAN ID for the port. If the switch
declares the RADIUS servers unreachable, then all new
devices are allowed access into the configured Fail Open
VLAN. 0 indicates that Fail Open VLAN is not enabled for
this port.

NonEapMaxClients Indicates the maximum number of non-EAPoL
authentication MAC addresses allowed on this port. Zero
indicates that non-EAPoL authentication is disabled for this
port.
EapMaxClients Indicates the maximum number of EAPoL authentication
MAC addresses allowed on this port. Zero indicates that
EAPoL authentication is disabled for this port.
MultiHostSingleAuthEnabled Indicates that the unauthenticated devices can access the
network only after an EAP or NEAP client is successfully
authenticated on the port. The VLAN to which the
devices are allowed access is the authenticated client's
VLAN. The default is false.
ProcessRadiusCOAPackets Specifies whether to process any RADIUS requests-server
packets that are received on this port.
PortGuestIsid Specifies the I-SID to be used as a Guest I-SID. Access to
unauthenticated hosts connected to this port is provided
through this I-SID. 0 indicates that Guest I-SID is not enabled
for this port.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
FailOpenIsid Specifies the Fail Open I-SID for the port. If the switch
declares the RADIUS servers unreachable, then all new
devices are allowed access into the configured Fail Open
I-SID. 0 indicates that Fail Open I-SID is not enabled for this
port.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
FlexUniStatus Displays the Flex-UNI status for the port.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
AdminTrafficControl Specifies the Administrative Traffic Control for the port. The
default is inOut.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
OperTrafficControl Displays the Operating Traffic Control for the port.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
LldpAuthEnabled Specifies if LLDP Authentication is enabled. The default is 0
(disabled).
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
PortOrigin Displays the Port Origin configuration status for the port.
Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.
DynamicMHSAEnabled Displays the Dynamic MHSA status for the port.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
TrafficControlOrigin Specifies the origin of Traffic Control configuration on the
port. The supported values are:
• config - Traffic Control is enabled by the user.
• radius - Traffic Control is enabled by Extensible
Authentication Protocol (EAP) through Remote
Authentication Dial-In User Service (RADIUS) response.
ReauthOrigin Specifies the origin of EAPOL reauthentication configuration
on the port, either manually configured through CLI or
dynamically configured through RADIUS.
Note: Exception: not supported on VSP 8600 Series and XA1400 Series.
ReauthPeriodOrigin Specifies the origin of EAPOL reauthentication period
configuration on the port, either manually configured
through CLI or dynamically configured through RADIUS.
Note: Exception: not supported on VSP 8600 Series and XA1400 Series.

Show EAP Authentication


About This Task

Use the Authenticator Configuration table to display configuration objects for the Authenticator PAE
associated with each port.

Procedure

1. In the navigation pane, expand Configuration > Security > Data Path.
2. Click 802.1X - EAPOL.
3. Click the Authentication tab.

Authentication Field Descriptions


Use the data in the following table to use the Authentication tab.

Name Description
PortNumber Indicates the number associated with this port.
Authenticate Indicates the status of the Port Access Entity
(PAE) authenticator requesting authentication.
Authenticated Indicates the current authentication status of the
Port Access Entity (PAE) authenticator.

Failed Indicates the authentication status for failed or
terminated state.
ReAuthEnabled Indicates the re-authentication status of an
existing supplicant at the time interval specified
in ReAuthPeriod. The default is false.
QuietPeriod Indicates the time interval (in seconds) between
authentication failure and the start of a new
authentication.
The default is 60.
ReAuthPeriod Indicates the time interval in seconds between
successive re-authentications. The default is 3600
(1 hour).
RetryMax Indicates the maximum Extensible Authentication
Protocol (EAP) requests sent to the supplicant
before timing out the session. The default is 2.
RetryCount Indicates the count of the number of
authentication attempts.

View Multihost Status Information


Use the following procedure to display multiple host status for a port.

Procedure

1. In the navigation pane, expand Configuration > Security > Data Path.
2. Select 802.1X – EAPOL.
3. Select the MultiHost Status tab.

MultiHost Status Field Descriptions


The following table describes values on the MultiHost Status tab.

Name Description
PortNumber Indicates the port number associated with this
port.
ClientMACAddr Indicates the MAC address of the client.
PaeState Indicates the current state of the authenticator
PAE state machine.
VlanId Indicates the VLAN assigned to the client.
Priority Specifies the priority associated with this client
MAC. This priority could be the RADIUS assigned
priority or the port QoS level.
SwUniBindings Indicates the Extensible Authentication Protocol
(EAP) VLAN:ISID bindings that the switch
represents as a hexadecimal value.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.

IsidSource Indicates the origin of I-SID value:
• radius - received from the RADIUS server.
• autoconfig - calculated using the auto-isid-offset
command that the user configures on the switch.
• config - configured statically.
• notAvailable - does not use EAP with FlexUNI,
hence there is no I-SID to use.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
AclId Indicates the dynamic Access Control List (ACL)
on the specific port.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
AceIdList Indicates the list of dynamic Access Control
Entries (ACE) on the specific port.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
DynamicSettings Displays the Dynamic settings received from
the Remote Authentication Dial-In User Service
(RADIUS) server.

View EAP Session Statistics


Use the following procedure to display multiple host session information for a port.

Procedure

1. In the navigation pane, expand Configuration > Security > Data Path.
2. Click 802.1X – EAPOL.
3. Click the MultiHost Session tab.

MultiHost Session Field Descriptions


The following table describes values on the MultiHost Session tab.

Name Description
StatsPortNumber Indicates the port number associated with this
port.
StatsClientMACAddr Indicates the MAC address of the client.
Id Indicates the unique identifier for the session.
AuthenticMethod Indicates the authentication method used to
establish the session.
Time Indicates the elapsed time of the session.
TerminateCause Indicates the cause of the session termination.
UserName Indicates the user name that represents the
identity of the supplicant PAE.


Viewing EAPoL Authenticator Statistics


Use EAPoL Authenticator statistics to display the Authenticator Port Access Entity (PAE) statistics for
each selected port.

Procedure

1. On the Device Physical View, select the port you want to graph.
The system displays a yellow outline around the selected ports.

If you want to select multiple ports, press Ctrl and hold down the key while you click the ports you
want to configure. The system displays a yellow outline around the selected ports.
2. In the navigation pane, expand the Configuration > Graph folders.
3. Click Port.
4. Click EAPOL Stats.
5. If you selected multiple ports, from the Graph port EAPoL Stats tab Show list, select: Absolute Value,
Cumulative, Average/sec, Minimum/sec, Maximum/sec, or LastVal/sec.

EAPOL Stats Field Descriptions


The following table describes values on the EAPOL Stats tab.

Name Description
InvalidFramesRx Displays the number of EAPoL frames received by this
Authenticator in which the frame type is not recognized.
EapLengthErrorFramesRx Displays the number of EAPoL frames received by this
Authenticator in which the Packet Body Length field is
invalid.
StartFramesRx Displays the number of EAPoL start frames received by this
Authenticator.
EapFramesRx Displays the number of EAPoL-EAP frames received by this
Authenticator.
LogoffFramesRx Displays the number of EAPoL Logoff frames received by
this Authenticator.
LastRxFrameVersion Displays the last received version of the EAPoL frame by this
Authenticator.
LastRxFrameSource Displays the source MAC address of the last received EAPoL
frame by this Authenticator.
AuthEapFramesTx Displays the number of EAPoL-EAP frames transmitted by
the Authenticator.

View NEAP MAC Information


Use this procedure to view NEAP client MAC information on a port.

Procedure

1. In the navigation pane, expand Configuration > Security > Data Path.
2. Select 802.1X – EAPOL.

3. Select the NEAP Radius tab.

NEAP Radius Field Descriptions


The following table describes values on the NEAP Radius tab.

Name Description
MacPort Indicates the port number associated with this
port.
MacAddr Indicates the MAC address of the client.
MacStatus Indicates the authentication status of the NEAP
host that is authenticated using the RADIUS
server.
VlanId Indicates the VLAN assigned to the client.
MacClear Clears the non-EAP MAC entry associated with a
specific index.
MacPriority Indicates the priority associated with this Non-
EAP client MAC. This priority could be the RADIUS
assigned priority or the port QoS level.
SwUniBindings Indicates the VLAN and I-SID bindings. VLAN is
represented with 2 bytes and I-SID is represented
with 4 bytes. The output is a continuous
hexadecimal representation of the VLAN that is
followed by the corresponding I-SID.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
IsidSource Indicates the source of the I-SID value. An I-SID
value is generated in one of the following ways:
• radius—Indicates that the I-SID value is
learned from the RADIUS server.
• autoconfig—Indicates that I-SID value is
calculated by using the auto-isid-offset that
you configured.
• config—Indicates that the I-SID value is
statically configured.
• notAvailable—Indicates that no I-SID value is
available because EAP with FlexUNI is not
used.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
NonEapAuthType Indicates the authentication type of the Non-EAP
client:
• radius - received from RADIUS server.
• lldp - received from Link Layer Discovery
Protocol (LLDP).
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
AclId Indicates the dynamic Access Control List (ACL)
on the specific port.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.

AceIdList Indicates the list of dynamic Access Control
Entries (ACE) on the specific port.
Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
DynamicSettings Displays the Dynamic settings received from
the Remote Authentication Dial-In User Service
(RADIUS) server.
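
The SwUniBindings layout described in the NEAP Radius table above (a 2-byte VLAN followed by a 4-byte I-SID, concatenated as one hexadecimal string) can be decoded as shown in this added example, which is not part of the original guide and not Extreme Networks code. Big-endian byte order, the accepted separators, the value ranges and the sample strings are assumptions; the guide states only the field widths and their order.

```python
import struct

# Added example. Field widths come from the SwUniBindings description;
# byte order, separators and value ranges below are assumptions.
RECORD_LEN = 6          # 2-byte VLAN + 4-byte I-SID
MAX_VLAN = 0x0FFF       # assumption: VLAN ID fits the 12-bit 802.1Q field
MAX_ISID = 0xFFFFFF     # assumption: I-SID is a 24-bit value in a 4-byte slot


def decode_sw_uni_bindings(hex_text):
    """Decode a SwUniBindings hex string into a list of (vlan, isid) tuples.

    Raises ValueError for non-hex input, a truncated record, or a value
    outside the assumed ranges.
    """
    cleaned = "".join(ch for ch in hex_text if ch not in " :\t\r\n")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not a hexadecimal string: {hex_text!r}") from exc
    if len(raw) % RECORD_LEN:
        raise ValueError(
            f"{len(raw)} bytes is not a multiple of {RECORD_LEN}: truncated binding")

    bindings = []
    for offset in range(0, len(raw), RECORD_LEN):
        # ">HI" = big-endian unsigned 16-bit VLAN, then unsigned 32-bit I-SID.
        vlan, isid = struct.unpack_from(">HI", raw, offset)
        if vlan > MAX_VLAN or isid > MAX_ISID:
            raise ValueError(f"binding at byte {offset} out of range: "
                             f"vlan={vlan} isid={isid}")
        bindings.append((vlan, isid))
    return bindings


# Constructed sample: VLAN 100 -> I-SID 10100, VLAN 200 -> I-SID 10200.
SAMPLE = "00640000277400c8000027d8"

if __name__ == "__main__":
    for vlan, isid in decode_sw_uni_bindings(SAMPLE):
        print(f"VLAN {vlan} -> I-SID {isid}")
```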

ExtremeCloud IQ Agent
ExtremeCloud IQ Agent Configuration Considerations
Zero Touch Deployment
ExtremeCloud IQ Agent Configuration using CLI
ExtremeCloud IQ Agent Configuration using EDM

Table 82: IQ Agent product support


Feature Product Release introduced
ExtremeCloud IQ Agent VSP 4450 Series Not supported
VSP 4900 Series VOSS 8.2
• VSP4900-48P
• VIMs: VIM5-4YE, VIM5-4X,
VIM5-4XE, and VIM5-2Y
VOSS 8.2.5
• VSP4900-24S
• VSP4900-24XE
• VSP4900-12MXU-12XE
• VIMs: VIM5-4Y
VSP 7200 Series Not supported
VSP 7400 Series VOSS 8.2
VSP 8200 Series Not supported
VSP 8400 Series Not supported
VSP 8600 Series Not supported
XA1400 Series VOSS 8.2

For the most current information on switches supported by ExtremeCloud™ IQ, see ExtremeCloud™ IQ
Learning What’s New.

ExtremeCloud IQ provides cloud-managed networking, and delivers unified, full-stack management
of wireless access points, switches, and routers. It enables onboarding, configuration, monitoring,
troubleshooting, reporting, and more. Using innovative machine learning and artificial intelligence
technologies, ExtremeCloud IQ analyzes and interprets millions of network and user data points, from
the network edge to the data center, to power actionable business and IT insights, and to deliver new
levels of network automation and intelligence.


The switch supports a zero touch connection to ExtremeCloud IQ. Zero touch deployment is used to
deploy and configure a switch using ExtremeCloud IQ.

The switch integrates with ExtremeCloud IQ using ExtremeCloud IQ Agent. When you enable IQAgent,
you can configure and monitor VOSS devices using ExtremeCloud IQ.

ExtremeCloud IQ supports the following features for the switch:
• Firmware upgrade
• IQAgent upgrade
• Supplemental CLI

You can configure the following features using the ExtremeCloud IQ interface:
• Hostname configuration
• SNMP location
• Device-level MTU
• Flow control
• Port state, usage type, and settings
• VLAN configuration
• DNS, NTP, SNMP, and Syslog servers

For more information about ExtremeCloud IQ, see https://www.extremenetworks.com/support/documentation/extremecloud-iq/.

ExtremeCloud IQ Agent Configuration Considerations


The following configuration considerations apply to ExtremeCloud IQ Agent:
• SSH and SSH password authentication are required.

boot config flag ssh is enabled when ExtremeCloud IQ Agent is enabled. boot config
flag ssh cannot be disabled while ExtremeCloud IQ Agent is enabled.
• SNMP is required.

boot config flag block-snmp is disabled when ExtremeCloud IQ Agent is enabled. boot
config flag block-snmp cannot be enabled while ExtremeCloud IQ Agent is enabled.
• High Secure mode disables ExtremeCloud IQ Agent automatically. ExtremeCloud IQ Agent must be
enabled manually when this mode is enabled.
• ExtremeCloud IQ Agent is not supported in Enhanced Secure mode.
• An IP address that corresponds to the ExtremeCloud IQ pool and can display it in the NTP list.
The IP does not try to synchronize if NTP is globally disabled on the switch. If NTP is enabled, you
can see synchronization failure messages if the IP for the pool is blocked or is unreachable. As a
best practice, if you have issues connecting to the cloud, check the clock on the switch and if it is
incorrect, resolve this by either configuring an NTP server or manually configuring the correct time.

Note
You must configure a Segmented Management Instance to use ExtremeCloud IQ Agent. For
more information, see Segmented Management on page 69.


For information about onboarding switches, see https://www.extremenetworks.com/support/documentation/extremecloud-iq/.

Zero Touch Deployment


Zero Touch Deployment enables a VOSS switch to be deployed automatically with ExtremeCloud IQ, but
you must still onboard the switch on the ExtremeCloud IQ side. When the switch powers on, the DHCP
Client obtains the IP address and gateway from the DHCP Server, and discovers the Domain Name
Server, connecting the switch automatically to Extreme Management Center or ExtremeCloud IQ - Site
Engine or to ExtremeCloud IQ cloud management applications.

With Zero Touch Deployment, ExtremeCloud IQ Agent is enabled by default.

To use zero touch functionality, your switch must be in a Zero Touch Deployment-ready configuration
mode, which means the switch cannot have existing primary or secondary configuration files loaded.
Factory shipped switches are Zero Touch Deployment ready because they deploy without configuration
files. However, existing switches require manual preparation before Zero Touch Deployment can
function.

For more information about preparing your switch for Zero Touch Deployment, see Zero Touch
Deployment on page 58.

DHCP Option 43 Support


With the support of DHCP option 43, DHCP can dynamically configure the IP address of a private/
non-public ExtremeCloud IQ server for zero touch deployments when the default ExtremeCloud IQ
server (hac.extremecloudiq.com) is not desired.

To use this functionality, DHCP Client must be enabled. For information about DHCP Client for a
Segmented Management Instance, see DHCP Client for Segmented Management Instance on page 84.

Considerations
The following considerations apply with DHCP option 43:
• A dynamic IP address overwrites the default value (hac.extremecloudiq.com) or 0.0.0.0.
• A static server IP address overwrites a dynamic server IP address.
• A dynamic server IP address does not overwrite an existing static server IP address.

If a static server IP address is already configured and a new value is received from the DHCP
server, the following warning displays on the console: WARNING Dynamic Cloud IQ Server
Address x.x.x.x provided by DHCP option 43 could not be set. Static
configured server address y.y.y.y cannot be overwritten by a dynamic
address.
• The default value (hac.extremecloudiq.com) replaces the dynamic server IP address if the DHCP
Client is disabled on the switch.
• The dynamic server IP address is not saved in the running configuration.


ExtremeCloud IQ Agent Configuration using CLI


After your device is onboarded (that is, the serial number for the device is associated with your
ExtremeCloud IQ account), you are only required to enable ExtremeCloud IQ Agent. Other feature
configuration, such as configuring proxy parameters and configuring access to ExtremeCloud IQ is
optional.

Note
You must configure a Segmented Management Instance to use ExtremeCloud IQ Agent. For
more information, see Segmented Management Instance Configuration using the CLI on page
87.

For information about onboarding switches, see https://www.extremenetworks.com/support/documentation/extremecloud-iq/.

Configure ExtremeCloud IQ Agent


You must first onboard the device. When the zero touch connection is established, IQ Agent is enabled
by default. Before IQ Agent is operational, you must first disable IQ Agent, configure the ExtremeCloud IQ
IPv4 address or DNS name, and then re-enable IQ Agent.

Before You Begin

You must first onboard the device.

Procedure

1. Enter Application Configuration mode:
enable
configure terminal
application
2. Disable IQ Agent:
no iqagent enable
3. Configure the ExtremeCloud IQ IPv4 address or DNS name:
iqagent server address WORD<1-255>
4. Enable IQ Agent:
iqagent enable

Example

Configure IQ Agent:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#application
Switch:1(config-app)#no iqagent enable
Switch:1(config-app)#iqagent server address hac.extremecloudiq.com
Switch:1(config-app)#iqagent enable


Display default IQ Agent configuration:


Switch:1>show application iqagent

================================================================================
IQAgent Info
================================================================================
Agent Admin State : true
Agent Version : 0.4.3
Agent Oper State : disconnected
Server Address : hac.extremecloudiq.com
Server Address Origin : None
Proxy Address : 0.0.0.0
Proxy TCP Port : 0
Proxy Username :

Configure Access to ExtremeCloud IQ


Use this task to configure IQ Agent parameters to access ExtremeCloud IQ.

Before You Begin

You must onboard the device and configure any optional IQ Agent parameters on the supported device
before you enable IQ Agent.

You can configure the IQ Agent parameters on the supported devices first, and then onboard the
devices (that is, add the serial numbers for the devices in the ExtremeCloud IQ GUI) or vice versa.

For information about onboarding switches, see https://www.extremenetworks.com/support.

Procedure

1. Enter Application Configuration mode:
enable
configure terminal
application
2. Configure the ExtremeCloud IQ IPv4 address or DNS name:
iqagent server address WORD<1-255>

Examples
Configure access to ExtremeCloud IQ using an IPv4 address:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#application
Switch:1(config-app)#iqagent server address 192.0.2.1

Configure access to ExtremeCloud IQ using a DNS name:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#application
Switch:1(config-app)#iqagent server address extremecloudiq.com


Variable Definitions
The following table defines parameters for the iqagent server command.

| Variable | Value |
| --- | --- |
| address <WORD 1-255> | Specifies the ExtremeCloud IQ IPv4 address or DNS name. |

Configure Proxy Parameters


If you use an HTTPS proxy server in your network, you must configure proxy parameters so that the IQ
Agent on the device can communicate with ExtremeCloud IQ through the proxy.

Use this task to configure the proxy parameters for ExtremeCloud IQ on the IQ Agent.

Note
You must onboard the device and configure any optional IQ Agent parameters on the
supported device before you enable IQ Agent.
You can configure the IQ Agent parameters on the supported devices first, and then onboard
the devices (that is, add the serial numbers for the devices in the ExtremeCloud IQ GUI) or
vice versa.
For information about onboarding switches, see https://www.extremenetworks.com/support.

Procedure
1. Enter Application Configuration mode:
enable
configure terminal
application
2. Configure the proxy IPv4 address or DNS name:
iqagent proxy address <WORD 1-255> tcp-port <1-49151>
3. Configure the proxy username and password for the ExtremeCloud IQ account:
iqagent proxy username <WORD 1-64> password <WORD 1-128>

Examples
Configure proxy parameters using an IPv4 address:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#application
Switch:1(config-app)#iqagent proxy address 192.0.2.254 tcp-port 21
Switch:1(config-app)#iqagent proxy username admin password ****

Configure proxy parameters using a DNS name:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#application
Switch:1(config-app)#iqagent proxy address hac.extremecouldiq.com tcp-port 21
Switch:1(config-app)#iqagent proxy username admin password ****


Variable Definitions
The following table defines parameters for the iqagent proxy command.

| Variable | Value |
| --- | --- |
| address <WORD 1-255> | Specifies the proxy IPv4 address or DNS name. |
| tcp-port <1-49151> | Specifies the TCP port. |
| username <WORD 1-64> | Specifies the proxy server username. |
| password <WORD 1-128> | Specifies the proxy server password. |

Display ExtremeCloud IQ Agent Information


About This Task

Use this task to display ExtremeCloud IQ Agent configuration information and status.

Procedure

1. To enter User EXEC mode, log on to the switch.
2. Display IQ Agent configuration information and status:
show application iqagent

Example

Display IQ Agent configuration information and status when IQ Agent is enabled using the default
ExtremeCloud IQ server:
Switch:1>show application iqagent

================================================================================
IQAgent Info
================================================================================
Agent Admin State : true
Agent Version : 0.2.7
Agent Oper State : connected
Server Address : hac.extremecloudiq.com
Server Address Origin : None
Proxy Address : extremeiq.com
Proxy TCP Port : 21
Proxy Username : admin

Display IQ Agent disabled state:


Switch:1>show application iqagent

================================================================================
IQAgent Info
================================================================================
Agent Admin State : false
Agent Version : 0.2.7
Agent Oper State : disconnected
Server Address : 0.0.0.0
Server Address Origin : None
Proxy Address : 0.0.0.0
Proxy TCP Port : 0
Proxy Username :


Display IQ Agent configuration information and status when DHCP provides a dynamic server IP
address:
Switch:1>show application iqagent

================================================================================
IQAgent Info
================================================================================
Agent Admin State : true
Agent Version : 0.2.7
Agent Oper State : disconnected
Server Address : 192.0.2.1
Server Address Origin : DHCP
Proxy Address : 0.0.0.0
Proxy TCP Port : 0
Proxy Username :

Display IQ Agent configuration information and status when DHCP Client is disabled on the switch:
Switch:1>show application iqagent

================================================================================
IQAgent Info
================================================================================
Agent Admin State : false
Agent Version : 0.2.7
Agent Oper State : disconnected
Server Address : hac.extremecloudiq.com
Server Address Origin : None
Proxy Address : 0.0.0.0
Proxy TCP Port : 0
Proxy Username :
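
The following Python sketch is an added example, not Extreme Networks code. It parses show application iqagent output and flags the conditions this section describes, including a server address learned through DHCP option 43. The finding names, function names, and the approved server and proxy sets are assumptions for illustration; the two sample outputs are the guide's own examples.

```python
import re

DEFAULT_SERVER = "hac.extremecloudiq.com"  # default server named in the guide

# "Name : value" rows; requiring a space before the colon skips "Switch:1>...".
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s+:\s*(.*)$")

# Operator guidance per finding (finding names are this example's own).
ADVICE = {
    "agent-disabled": "IQ Agent is off; High Secure mode disables it automatically.",
    "enabled-not-connected": "Check the switch clock/NTP and reachability of the server.",
    "server-from-dhcp-option-43": "Dynamic address; it is not saved in the running configuration.",
    "server-not-approved": "Server address is not on the approved list.",
    "proxy-not-approved": "Proxy address and port are not on the approved list.",
}

# Outputs copied from the guide's examples.
SAMPLE_PROXY = """\
Switch:1>show application iqagent

================================================================================
IQAgent Info
================================================================================
Agent Admin State : true
Agent Version : 0.2.7
Agent Oper State : connected
Server Address : hac.extremecloudiq.com
Server Address Origin : None
Proxy Address : extremeiq.com
Proxy TCP Port : 21
Proxy Username : admin
"""

SAMPLE_DHCP = """\
Agent Admin State : true
Agent Version : 0.2.7
Agent Oper State : disconnected
Server Address : 192.0.2.1
Server Address Origin : DHCP
Proxy Address : 0.0.0.0
Proxy TCP Port : 0
Proxy Username :
"""


def parse_iqagent(text):
    """Return {field name: value} for every 'Name : value' row."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def audit(fields, approved_servers, approved_proxies=frozenset()):
    """Return finding names for one switch, in a fixed order."""
    findings = []
    server = fields.get("Server Address", "")
    proxy = fields.get("Proxy Address", "0.0.0.0")
    port = fields.get("Proxy TCP Port", "0")

    if fields.get("Agent Admin State") != "true":
        findings.append("agent-disabled")
    elif fields.get("Agent Oper State") != "connected":
        findings.append("enabled-not-connected")
    # A dynamic address replaces the default, so treat it as unverified input.
    if fields.get("Server Address Origin", "None").lower() == "dhcp":
        findings.append("server-from-dhcp-option-43")
    if server not in ("", "0.0.0.0") and server not in approved_servers:
        findings.append("server-not-approved")
    if proxy not in ("", "0.0.0.0"):
        endpoint = (proxy, int(port) if port.isdigit() else 0)
        if endpoint not in approved_proxies:
            findings.append("proxy-not-approved")
    return findings


if __name__ == "__main__":
    for name, sample in (("proxy", SAMPLE_PROXY), ("dhcp", SAMPLE_DHCP)):
        for finding in audit(parse_iqagent(sample), {DEFAULT_SERVER}):
            print(f"{name}: {finding}: {ADVICE[finding]}")
```

Configuring a static server address on switches that should never follow DHCP option 43 removes the dynamic case, because a dynamic address does not overwrite a static one.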

Display ExtremeCloud IQ Agent Status


About This Task

Use this task to display IQ Agent status information.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display IQ Agent status information:
show application iqagent status

Example

Switch:1>show application iqagent status


================================================================================
IQAgent Status
================================================================================
Connection Status : Connected
Last Onboard Time : 18:54:23 11 27 2019 UTC
Agent Version : 0.2.7
Association URL : https://10.16.231.98/hac-webapp/rest/v1/association
Poll URL : https://10.16.231.98/hac-webapp/rest/v1/poll/1904Q-20028
Monitor Frequency : 600
Poll Frequency : 30
Last Poll Status : SUCCESS
Last Poll Success Time : 14:39:16 11 28 2019 UTC
Last Health Status : SUCCESS

Last Health Success Time : 14:38:35 11 28 2019 UTC
Last Monitor Status : SUCCESS
Last Monitor Success Time : 14:38:35 11 28 2019 UTC
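
The following Python sketch is an added example, not Extreme Networks code. It reads show application iqagent status output and reports a switch whose last successful poll or monitor is older than a few reporting intervals. The finding names, the function names and the three-interval tolerance are assumptions; the frequencies are read as seconds and the timestamp layout is taken from the example output above, which is reproduced here as the sample.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s+:\s*(.*)$")
TIME_FMT = "%H:%M:%S %m %d %Y UTC"  # for example "14:39:16 11 28 2019 UTC"

# Output copied from the guide's example.
SAMPLE_STATUS = """\
Connection Status : Connected
Last Onboard Time : 18:54:23 11 27 2019 UTC
Agent Version : 0.2.7
Association URL : https://10.16.231.98/hac-webapp/rest/v1/association
Poll URL : https://10.16.231.98/hac-webapp/rest/v1/poll/1904Q-20028
Monitor Frequency : 600
Poll Frequency : 30
Last Poll Status : SUCCESS
Last Poll Success Time : 14:39:16 11 28 2019 UTC
Last Health Status : SUCCESS
Last Health Success Time : 14:38:35 11 28 2019 UTC
Last Monitor Status : SUCCESS
Last Monitor Success Time : 14:38:35 11 28 2019 UTC
"""


def parse_status(text):
    """Return {field name: value} for every 'Name : value' row."""
    matches = (FIELD.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}


def parse_time(value):
    """Convert the CLI timestamp (time, month, day, year, UTC) to a datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_status(fields, now=None, missed_intervals=3):
    """Return finding names; `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if fields.get("Connection Status") != "Connected":
        findings.append("not-connected")
    for name in ("Poll", "Health", "Monitor"):
        if fields.get(f"Last {name} Status") != "SUCCESS":
            findings.append(f"{name.lower()}-failed")
    # Only poll and monitor have a frequency in the output to compare against.
    for name in ("Poll", "Monitor"):
        last = fields.get(f"Last {name} Success Time")
        freq = fields.get(f"{name} Frequency", "")
        if not last or not freq.isdigit():
            findings.append(f"{name.lower()}-unknown")
            continue
        age = (now - parse_time(last)).total_seconds()
        if age > missed_intervals * int(freq):
            findings.append(f"{name.lower()}-stale")
    for key in ("Association URL", "Poll URL"):
        if urlsplit(fields.get(key, "")).scheme != "https":
            findings.append("url-not-https")
            break
    return findings


if __name__ == "__main__":
    when = datetime(2019, 11, 28, 15, 0, 0, tzinfo=timezone.utc)
    print(check_status(parse_status(SAMPLE_STATUS), now=when))
```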

Reinstall ExtremeCloud IQ Agent Firmware


Perform this procedure to return the ExtremeCloud IQ Agent firmware version on the switch to the
version bundled with the OS image currently installed on the switch, for example, if you downgrade the
OS image version and do not reconnect to ExtremeCloud IQ automatically.

Procedure

1. Enter Application Configuration mode:
enable
configure terminal
application
2. Disable ExtremeCloud IQ Agent:
no iqagent enable
3. Reinstall the ExtremeCloud IQ Agent firmware:
software iqagent reinstall
4. Enable ExtremeCloud IQ Agent:
iqagent enable

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#application
Switch:1(config-app)#no iqagent enable
Switch:1(config-app)#software iqagent reinstall

Reinstalling IQAgent from VOSS image


Switch:1(config-app)#iqagent enable

ExtremeCloud IQ Agent Configuration using EDM


Perform the procedures in this section to configure ExtremeCloud IQ Agent on the switch using the
Enterprise Device Manager (EDM).

Configure ExtremeCloud IQ Agent


Before You Begin

You must first onboard the device and configure any optional IQ Agent parameters before you enable
IQ Agent.

Procedure

1. In the navigation pane, expand Configuration > Serviceability.
2. Select IQAgent.
3. Select the Globals tab.
4. Configure optional parameters as required.
5. Select Apply.
6. Select Enable.
7. Select Apply.

Globals Field Descriptions


Use the data in the following table to use the Globals tab to configure the ExtremeCloud IQ Agent.

| Name | Description |
| --- | --- |
| Enable | Specifies whether IQ Agent is enabled. The default is enabled. |
| Version | Displays the ExtremeCloud IQ Agent firmware version running on the switch. |
| OperStatus | Displays the operational status of ExtremeCloud IQ Agent on the switch. |
| ServerAddressType | Specifies the address type of the ExtremeCloud IQ server address. |
| Server/Address | Specifies the ExtremeCloud IQ IPv4 address or DNS name. The default is hac.extremecloudiq.com. |
| ServerAddressOrigin | Specifies the origin for the ExtremeCloud IQ server address: none (not configured), configured (manual configuration), dhcp (obtained through DHCP). |
| Address | Specifies the proxy IPv4 address or DNS name. |
| TcpPort | Specifies the TCP connection port. |
| UserName | Specifies the proxy server username. |
| Password | Specifies the proxy server password. |
| AssociationUrl | Displays the association URL of ExtremeCloud IQ. |
| PollUrl | Displays the poll URL of ExtremeCloud IQ. |
| MonitorFreq | Displays the monitoring frequency, in seconds, of ExtremeCloud IQ. |
| PollFreq | Displays the polling frequency, in seconds, of ExtremeCloud IQ. |
| LastOnboardTime | Displays the last onboard time of ExtremeCloud IQ. |
| LastPollStatus | Displays the last poll status of ExtremeCloud IQ. |
| LastPollTime | Displays the last poll time for a successful attempt. |
| LastMonitorStatus | Displays the last monitoring status of ExtremeCloud IQ. |
| LastMonitorTime | Displays the last monitor time for a successful attempt. |
| LastHealthStatus | Displays the last health status of ExtremeCloud IQ. |
| LastHealthTime | Displays the last health time for a successful attempt. |


Extreme Integrated Application Hosting
Extreme Integrated Application Hosting
Fabric IPsec Gateway Fundamentals
Operational Considerations and Restrictions
Virtual Services Configuration using CLI
Virtual Services Configuration using EDM
Fabric IPsec Gateway Configuration using CLI

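Table 83: Extreme Integrated Application Hosting product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| Extreme Integrated Application Hosting | VSP 4450 Series | Not Supported |
| Extreme Integrated Application Hosting | VSP 4900 Series | VOSS 8.1.5 (VSP4900-12MXU-12XE and VSP4900-24XE only) |
| Extreme Integrated Application Hosting | VSP 7200 Series | Not Supported |
| Extreme Integrated Application Hosting | VSP 7400 Series | VOSS 8.0 |
| Extreme Integrated Application Hosting | VSP 8200 Series | Not Supported |
| Extreme Integrated Application Hosting | VSP 8400 Series | Not Supported |
| Extreme Integrated Application Hosting | VSP 8600 Series | Not Supported |
| Extreme Integrated Application Hosting | XA1400 Series | Not Supported |
| Fabric IPsec Gateway virtual machine | VSP 4450 Series | Not Supported |
| Fabric IPsec Gateway virtual machine | VSP 4900 Series | VOSS 8.3 (VSP4900-12MXU-12XE and VSP4900-24XE only) |
| Fabric IPsec Gateway virtual machine | VSP 7200 Series | Not Supported |
| Fabric IPsec Gateway virtual machine | VSP 7400 Series | VOSS 8.2 |
| Fabric IPsec Gateway virtual machine | VSP 8200 Series | Not Supported |
| Fabric IPsec Gateway virtual machine | VSP 8400 Series | Not Supported |
| Fabric IPsec Gateway virtual machine | VSP 8600 Series | Not Supported |
| Fabric IPsec Gateway virtual machine | XA1400 Series | Not Supported |
| Egress Shaper for Fabric Extend tunnels on Fabric IPsec Gateway virtual machine | VSP 4450 Series | Not Supported |
| Egress Shaper for Fabric Extend tunnels on Fabric IPsec Gateway virtual machine | VSP 4900 Series | VOSS 8.3.1 (VSP4900-12MXU-12XE and VSP4900-24XE only) |
| Egress Shaper for Fabric Extend tunnels on Fabric IPsec Gateway virtual machine | VSP 7200 Series | Not Supported |
| Egress Shaper for Fabric Extend tunnels on Fabric IPsec Gateway virtual machine | VSP 7400 Series | VOSS 8.3.1 |
| Egress Shaper for Fabric Extend tunnels on Fabric IPsec Gateway virtual machine | VSP 8200 Series | Not Supported |
| Egress Shaper for Fabric Extend tunnels on Fabric IPsec Gateway virtual machine | VSP 8400 Series | Not Supported |
| Egress Shaper for Fabric Extend tunnels on Fabric IPsec Gateway virtual machine | VSP 8600 Series | Not Supported |
| Egress Shaper for Fabric Extend tunnels on Fabric IPsec Gateway virtual machine | XA1400 Series | Not Supported |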

Extreme Integrated Application Hosting


Extreme Integrated Application Hosting (IAH) architecture provides a flexible and open solution
that enables organizations to deploy high-performance and flexible visibility applications pervasively
throughout their network for improved monitoring and troubleshooting. Enabled by the Network
Operating System (NOS), this preconfigured Quick Emulator (QEMU) Kernel-based Virtual Machine
(KVM) environment leverages high performance x86 CPUs to host these applications, extending
visibility customized to the business and operational needs of the organization across the entire
network.

The QEMU KVM environment supports several pretested and well-known packet capture applications
in a Linux virtual machine, including Wireshark and tcpdump. There are a wide variety of additional
applications, tools, and utilities that organizations are able to run in this environment, such as data
analytics applications, packet generators, monitoring tools, troubleshooting utilities, and many others.
While the QEMU KVM environment is open and can host any application, it is designed and ideally
suited for networking applications, tools, and utilities.

IAH architecture supports the creation and use of virtualization domains, such as virtual machines, and
Docker containers. This design creates a common-use host, which coordinates and automates multiple
guest-networking functions into chains. The hardware boots into the virtual Linux OS, providing the
ability to run additional applications or services within a specific virtual machine or a Docker container,
and simultaneously supporting the regular functionality of the switch.

Yet Another Next Generation (YANG) model is used to manage configuration and retrieve operational
data. You access the YANG model through Representational State Transfer Configuration Protocol
(RESTCONF) using a northbound interface, namely ExtremeCloud IQ ‑ Site Engine, that provides
an additional way to configure and monitor the switch. For more information on RESTCONF, see
Representational State Transfer Configuration Protocol (RESTCONF) Fundamentals on page 2793.

Virtual Services Resources


The virtual services resources are isolated from each other, as well as from the Network Operating
System (NOS) running the switch.


The resources available for all virtual services on VSP 7400 Series switches are as follows:
• Six Central Processing Unit (CPU) cores
• 12 GB Random Access Memory (RAM)
• 100 GB Solid State Drive (SSD) flash memory

The resources available for all virtual services on VSP 4900 Series switches are as follows:

Note
You must install a modular SSD unit to use virtual services on VSP 4900 Series switches.

• Two CPU cores
• 4 GB RAM
• 120 GB SSD flash memory (separately available modular SSD unit), with 104 GB dedicated for
IAH storage.

The switch OS uses the following resources on VSP 7400 Series and VSP 4900 Series:
• Two CPU cores
• 4 GB RAM
• 8 GB internal flash memory storage

Extreme Integrated Application Hosting Ports


Extreme Integrated Application Hosting (IAH) ports are labeled as Insight ports, which are internal
ports used to support Ethernet connectivity by the virtual services configured on the switch. IAH ports
operate at 10 Gigabits per second (Gbps). The following features support IAH ports on the switch:
• VLANs
• Filters
• Port Statistics
• Basic Interface Configuration
• Mirroring
• Switched UNI
• Transparent Port UNI

Note
Network-to-network interface (NNI) support is not available for IAH ports. IS-IS adjacencies
cannot be established on IAH ports.

For information about how to configure IAH ports, see the following tasks:
• Configure a Virtual Service on page 862
• Configure Virtual Ports on page 878

Connection Types
The VM and Docker virtual ports map to a physical Extreme Integrated Application Hosting port using
the following connection types:
• Open vSwitch (OVS)
• Single Root I/O Virtualization (SR-IOV)
• Virtualization Technology for Directed I/O (VT-d)

Note
You must enable trunking on the Extreme Integrated Application Hosting port when you
use SR-IOV and OVS connection types. For more information about enabling trunking, see
MultiLink Trunking and Split MultiLink Trunking on page 2357.
You can configure Extreme Integrated Application Hosting ports 1/s1 and 1/s2 to
accommodate different connect types. Extreme Integrated Application Hosting ports 1/s1
and 1/s2 can accommodate virtual ports of SR-IOV, OVS, or VT-d connect types as shown in
the table below. Using the virtual-service command, you can specify which Extreme
Integrated Application Hosting port is associated with the configured connect type. You can
also configure the Network Interface Card (NIC) type of the virtual port using the
virtual-service command.

The following table lists the compatible Extreme Integrated Application Hosting port connect type
configurations.

| Extreme Integrated Application Hosting port 1/s1 | Extreme Integrated Application Hosting port 1/s2 |
| --- | --- |
| SR-IOV | OVS |
| SR-IOV | SR-IOV |
| SR-IOV | VT-d |
| OVS | SR-IOV |
| OVS | OVS |
| OVS | VT-d |
| VT-d | VT-d |
| VT-d | SR-IOV |
| VT-d | OVS |

Link Flapping
When the switch initializes, the Extreme Integrated Application Hosting ports connect to the underlying
Linux hypervisor. When a virtual port of connection type OVS or SR-IOV is configured on the switch, the
Linux hypervisor saves this connection, and the link state of the Extreme Integrated Application Hosting
port does not change. However, when a virtual port of connection type VT-d is configured on the
switch, control of the Extreme Integrated Application Hosting port is passed from the Linux hypervisor
to the configured Virtual Machine (VM). The Extreme Integrated Application Hosting port flaps due to
this transition, and the switch reports it in the system log. The Extreme Integrated Application Hosting
port flaps twice during the transition:

1. When the Extreme Integrated Application Hosting port is removed from the Linux hypervisor.
2. When the Extreme Integrated Application Hosting port is added to the VM.

A similar link flap sequence takes place on the Extreme Integrated Application Hosting port when the
associated VM is disabled on the switch, and the control of the Extreme Integrated Application Hosting
port is passed from the VM back to the Linux hypervisor.


Configuration Requirements
• To use an Extreme Integrated Application Hosting port as an analyzer port on a monitoring BEB
for Fabric RSPAN (Mirror to I-SID), you must associate outer-tag 4091 to egress port 1/s1 or 1/s2
if the connect type is OVS or SR-IOV. Use the monitor-by-isid <1–1000> map-to-vid
<1–4093> command to configure VLAN 4091 for Fabric RSPAN.
• To use an Extreme Integrated Application Hosting port with a connect type as OVS or SR-IOV for
Port Mirroring, associate VLAN 4091 to the virtual machine (VM) vport to send the mirrored packets
to the VM.
• To enable Flex UNI on an Extreme Integrated Application Hosting port with a connect type of
VT-d, enable dot1q encapsulation on the VM interfaces. Flex UNI enables tagging on these ports by
default; you must tag the VM ports with the VLANs that these ports use.

Third Party Virtual Machine


The Extreme Integrated Application Hosting (IAH) feature supports the pre-installed Third Party Virtual
Machine (TPVM). For switches that use a modular Solid State Drive (SSD) for IAH, the virtual machine
is pre-installed on the modular SSD. For switches that do not use a modular SSD for IAH, the virtual
machine is pre-installed on the switch.

Note
The Third Party Virtual Machine (TPVM) version is based on Ubuntu 20.04.04 LTS.

You can use the show virtual-service config command to view the information about
the pre-installed virtual machine on the switch. For more information, see Display Virtual Service
Configuration on page 868.

Important
You must upgrade virtual services independently of switch software upgrade; separate
images for virtual services are available. For more information, see Upgrade a Virtual Service
on page 873.

For more information about how to configure virtual services, see Virtual Services Configuration using
CLI on page 860 and Virtual Services Configuration using EDM on page 874.

Third Party Virtual Machine (TPVM) provides a set of troubleshooting tools on the switch. The following
installed packages are available on TPVM:
• build-essential
• checkinstall
• iperf
• mtools
• netperf
• qemu-guest-agent
• tshark
• valgrind
• vim-gnome
• wireshark

• xterm
• isc-dhcp-client
• isc-dhcp-server
• iperf3
• libpcap
• rpcapd
• resolvconf

Important
TPVM includes an administrator account with a default username and password. To ensure
security, you must change the default password when you access TPVM for the first
time, before enabling the IAH ports using the no shutdown command. The software
automatically prompts you to change this password at first boot; no action can be taken
with the VM until you change the password.

The following user applications are available on TPVM:


• Dynamic Host Configuration Protocol (DHCP) server
• Domain Name Server (DNS)
• Authentication, authorization, and accounting (AAA) server for Remote Access Dial-In User Service
(RADIUS) and Terminal Access Controller Access Control Service Plus (TACACS+).
• Syslog server
• Simple Network Management Protocol (SNMP) trap receiver
• Suricata - a free and open-source robust network threat detection engine that provides real-time
intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and
offline packet capture (pcap) processing.
• Wireshark - a protocol analyzer that provides packet capturing and analysis.
• Ostinato - provides packet crafting, network traffic generation, and analysis with a user-friendly
Graphical User Interface (GUI).

Note
If you start the console for TPVM without network connectivity to a DHCP server, the VM
remains in a retry loop for approximately 5 minutes while it tries to obtain a DHCP address.
The system displays the following message: [FAILED] Failed to start Raise
network interfaces, and then the VM continues to boot. The VM does start but with the
virtual port, eth0, in the administratively down state.

The following are the virtual services resources for TPVM:


• Two CPU cores
• 4 GB RAM
• One virtual port of VT-d connection type
• 1.8 GB up to 32 GB SSD

Note
To use this feature on the applicable models of VSP 4900 Series, you must install an SSD
module in the switch.

Important

Fabric IPsec Gateway Fundamentals


The Fabric IPsec Gateway feature introduces a Virtual Machine (VM) that supports aggregation
of Fabric Extend Tunnels with fragmentation, reassembly, and Internet Protocol Security (IPsec)
encryption functions.

The minimum configuration requirements for the Fabric IPsec Gateway VM are as follows:
• Two Central Processing Unit (CPU) cores
• 4 GB Random Access Memory (RAM)
• One Virtualization Technology for Directed I/O (VT-d) vport (eth0)
• Minimum 10 GB SSD

Note
To use this feature on the applicable models of VSP 4900 Series, you must install an SSD
module in the switch.

To configure IPsec on a switch through the Fabric IPsec Gateway VM, see Fabric IPsec Gateway
Configuration using CLI on page 882.

Fabric IPsec Gateway supports the following services through the VM:
• IPsec with fragmentation and reassembly - for the VXLAN traffic that needs IPsec, the network
routes the packets through the Fabric IPsec Gateway VM that provides IPsec encryption and
decryption for VXLAN packets. The system also supports fragmentation and reassembly for IPsec
tunnels that you configure on the VM, and a minimum of 1300 bytes of Maximum Transmission Unit
(MTU) value. You can configure fragmentation to occur before the packets are encrypted.
• Fragmentation and reassembly - the Fabric IPsec Gateway VM performs fragmentation and
reassembly for VXLAN and IPsec tunnels, for which the network routes the packets through the
VM. The system supports a minimum of 750 bytes of Maximum Transmission Unit (MTU) value.

IPsec Coupled and Decoupled Mode


A device is in IPsec decoupled mode when IPsec and Fabric Extend (FE) termination takes place on
two different IP addresses. A device is in IPsec coupled mode when IPsec and Fabric Extend (FE)
termination takes place on the same IP address.

The XA1400 Series devices, which use VOSS for Fabric Extend over IPsec, support both IPsec
decoupled and coupled modes. The VSP 4900 Series and VSP 7400 Series devices, which use Fabric
IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only. You must configure
the IPsec tunnel in decoupled mode to enable IPsec termination in the Fabric IPsec Gateway VM. For
more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on
Fabric IPsec Gateway VM on page 891.

Digital Certificates for Fabric IPsec Gateway


Fabric IPsec Gateway supports digital certificates for IPsec authentication of Fabric Extend tunnels. To
support different certificates for different IPsec tunnels, you can configure multiple certificate authority
(CA) trustpoints and identity subject certificates.

If you are not familiar with digital certificates, see Digital Certificate/PKI on page 3005 for additional
background information like digital certificate terminology.

Online Certificate Provisioning


The switch uses IPsec Simple Certificate Enrollment Protocol (SCEP) to obtain the CA certificate, and
then validates the CA certificate against the certificate chain.

Note
Extreme validated the Fabric IPsec Gateway SCEP implementation with EJBCA CA Server
only. Fabric IPsec Gateway SCEP cannot currently use Win CA like digital certificate support in
VOSS.

Use trustpoints to manage and track CAs and certificates. The switch can enroll with a trustpoint to
obtain an identity certificate. You must configure the CA URL, the CA common name, and select the
HTTP request type to configure the CA server trustpoint.

Configure the certificate subject parameters to provide the device distinguished name (DN) and key
name for the generated key pair (the private key). If you do not configure a private key, the switch
generates one. The switch validates the returned certificate against the trustpoint's CA certificate.

You can remove subject certificates from the CA trustpoint or clean the CA trustpoint only if the
subject-label is not configured on an IPsec tunnel.

Offline Certificate Provisioning


Offline certificate management supports switches that cannot communicate with the CA to obtain the
identity certificate online by certificate enrollment operation.

The switch generates the certificate signing request (CSR) using the subject DN and the private key that
you configure in the CLI. If you do not configure a private key, the switch generates one.

Transfer the CSR to the offline CA to be signed. Retrieve the signed certificate to validate against the
original CSR. You must manually transfer all certificates in the certificate chain to the switch. The signed
certificate must include the subject-label to map it to a locally-generated CSR for validation.

You must manually download Certificate Revocation List (CRL) files. You can remove offline subject
certificates only if the subject-label is not configured on an IPsec tunnel.

VOSS User Guide for version 8.7 859



Egress Shaping for Fabric Extend Tunnels on Fabric IPsec Gateway


You can configure the egress shaping rate to limit egress bandwidth for tunnels on the Fabric IPsec
Gateway Virtual Machine (VM).

Considerations
Consider the following when you configure the egress shaper rate:
• If the ingress data traffic receives excessive packets with the following DSCP or 802.1p values (high
priority control packets) and egress shaping is configured, an IS-IS flap can be seen.

  DSCP value    802.1p value
  0x28          6
  0x2E          6
  0x2F          6
  0x30          7
  0x38          7

• The egress tunnel shaping rate is impacted if the incoming packet size is greater than the Fabric
Extend tunnel MTU. This is due to the additional packet header required for fragmentation.

Operational Considerations and Restrictions


Consider the following when deploying Extreme Integrated Application Hosting (IAH) on various
switches:

Table 84: Operational Considerations


                                VSP 7400 Series              VSP 4900 Series
Number of IAH ports             VSP 7432CQ: 2                VSP4900-12MXU-12XE: 2
                                VSP 7400-48Y: 1              VSP4900-24XE: 2
Multiple simultaneous VMs       Supported                    Not supported
Pre-installed VM                Third Party Virtual Machine  Third Party Virtual Machine
                                Fabric IPsec Gateway         Fabric IPsec Gateway
Additional components required  None                         Modular Solid State Drive (SSD)

Virtual Services Configuration using CLI


Perform the procedures in this section to configure Extreme Integrated Application Hosting (IAH)
virtual services on the switch using the command line interface (CLI).

Access a Virtual Service Console


The virtual services running on a Virtual Machine (VM) require a console for configuration and
monitoring purposes.


About This Task

Perform this procedure to access the virtual service console port for the specific VM.

Procedure

1. Enter Privileged EXEC mode:
enable
2. Enter the following command to access the virtual service console:
virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

Example
Switch:1>enable
Switch:1#virtual-service tpvm console

Variable Definitions
The following table defines parameters for the virtual-service command.

Variable Value
WORD<1-128> Specifies the virtual service name.
console Accesses the console for the specific virtual service.

Install a Virtual Service


A virtual service provides the ability to support additional applications or services and simultaneously
support the regular switching functionality. Each virtual service provides an Open Virtual Appliance
(OVA) image, which is installed on Extreme Integrated Application Hosting (IAH) through
ExtremeCloud IQ ‑ Site Engine.

Before You Begin

Use FTP, SFTP, or SCP to transfer the OVA image to the /var/lib/insight/packages/ directory
on the switch.

Note
The Fabric IPsec Gateway image includes no integrity check. Use SCP to copy the file to the
switch and confirm the file size before installation.

About This Task

Perform this procedure to install a package file to a specific location indicated by a virtual service
name. This procedure also verifies if the package is in OVA format, and if a certificate is provided in the
package.


Procedure

1. Enter Privileged EXEC mode:
enable
2. Install the virtual service package:
virtual-service WORD<1-128> install package WORD<1-512>

Variable Definitions
The following table defines parameters for the virtual-service command.

Variable Value
WORD<1-128> Specifies the virtual service name.
install Installs the virtual service package.
package WORD<1-512> Specifies the package name and path.
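
The note in this section states that the Fabric IPsec Gateway image includes no integrity check, and the install step looks at OVA format and certificate presence. The following workstation-side pre-flight is an added example, not Extreme Networks code: it goes beyond the size check by recording a SHA-256 of the file and verifying the manifest (.mf) digests that OVF packaging allows inside an OVA. The sample archives and file names are constructed, and whether a given image ships a manifest is an assumption.

```python
import hashlib
import io
import os
import re
import tarfile
import tempfile

# Manifest lines in an OVF package look like: SHA256(name)= <hex digest>
MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)$")


def stream_digest(fobj, algo):
    """Hash a file object in 1 MiB chunks so multi-gigabyte images fit in memory."""
    digest = hashlib.new(algo)
    for chunk in iter(lambda: fobj.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()


def inspect_ova(path):
    """Return size, SHA-256, structure flags and manifest mismatches for one file."""
    report = {"size": os.path.getsize(path), "is_ova": False, "has_cert": False,
              "has_manifest": False, "mismatches": []}
    with open(path, "rb") as fobj:
        report["sha256"] = stream_digest(fobj, "sha256")
    try:
        tar = tarfile.open(path, mode="r:")      # an OVA is an uncompressed tar archive
    except tarfile.TarError:
        return report
    with tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        names = list(members)
        # OVF packaging places the .ovf descriptor first in the archive
        report["is_ova"] = bool(names) and names[0].lower().endswith(".ovf")
        report["has_cert"] = any(n.lower().endswith(".cert") for n in names)
        manifest = next((n for n in names if n.lower().endswith(".mf")), None)
        if manifest is None:
            return report
        report["has_manifest"] = True
        text = tar.extractfile(members[manifest]).read().decode("utf-8", "replace")
        for line in text.splitlines():
            match = MF_LINE.match(line.strip())
            if not match:
                continue
            algo, name, expected = match.groups()
            if name not in members:
                report["mismatches"].append(f"{name}: listed in manifest but missing")
            elif stream_digest(tar.extractfile(members[name]), algo.lower()) != expected.lower():
                report["mismatches"].append(f"{name}: {algo} digest differs from manifest")
    return report


def build_sample_ova(path, tamper=False):
    """Write a small constructed OVA (descriptor, manifest, disk) for the demo."""
    ovf, disk = b"<Envelope/>", b"constructed disk bytes"
    manifest = "".join(
        f"SHA256({name})= {hashlib.sha256(body).hexdigest()}\n"
        for name, body in (("sample.ovf", ovf), ("sample-disk1.vmdk", disk))
    ).encode()
    if tamper:
        # Same length as the original, so the file size does not change
        disk = disk.replace(b"constructed", b"substituted")
    with tarfile.open(path, "w") as tar:
        for name, body in (("sample.ovf", ovf), ("sample.mf", manifest),
                           ("sample-disk1.vmdk", disk)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))


def demo():
    """Inspect a good, a tampered and a non-OVA file; all three are constructed here."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad, junk = (os.path.join(tmp, n) for n in ("good.ova", "bad.ova", "junk.ova"))
        build_sample_ova(good)
        build_sample_ova(bad, tamper=True)
        with open(junk, "wb") as fobj:
            fobj.write(b"not a tar archive")
        return inspect_ova(good), inspect_ova(bad), inspect_ova(junk)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Record the size and SHA-256 reported for the image you obtained from the vendor, then compare the size with the file on the switch after the SCP copy.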

Configure a Virtual Service


About This Task

Perform this procedure to configure a virtual service on the switch.

Note
• The following procedure lists the general sequence to configure a virtual service.
• The names of Ethernet ports appearing in a specific Virtual Machine (VM) are not
correlated to the configured virtual port names. Each VM renames the Ethernet ports
as per its requirements, after they are discovered during the VM initialization.
• By default, the system displays all virtual ports of OVS connection type first in the
alphabetical order of their configured names, followed by the virtual ports of SR-IOV and
VT-d connection types.

Before You Begin


• You must enable trunking on the Extreme Integrated Application Hosting (IAH) port when you use
SR-IOV and OVS connection types. For more information about enabling trunking, see MultiLink
Trunking and Split MultiLink Trunking on page 2357.
• Ensure the switch has the Ethernet drivers installed as per the SR-IOV standard, to support the VT-d
and the SR-IOV connection type for the configured virtual ports.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Create a VLAN:

Note
Virtual service configuration supports port-based VLANs only.

vlan create <2-4059> name WORD<0-64> type {port-mstprstp <0-63>}
[color <0-32>]
3. Add the IAH and faceplate port to the VLAN:
vlan members add <1-4059> {slot/port[/sub-port][-slot/port[/sub-port]]
[,...]}
4. Enter GigabitEthernet Interface Configuration mode:
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]]
[,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

5. Enable the IAH and faceplate ports:
no shutdown
6. Exit to Global Configuration mode:
exit
7. (Optional) Create a virtual service:
virtual-service WORD<1-128>
8. (Optional) Configure the number of CPU cores to be assigned to the virtual service created:
virtual-service WORD<1-128> num-cores <num_cores>
9. (Optional) Configure the memory size to be assigned to the virtual service created:
virtual-service WORD<1-128> mem-size <mem-size>
10. (Optional) Configure the disk to be assigned to the virtual service created:
virtual-service WORD<1-128> disk WORD<1-32> size <1-30>
11. Configure the virtual port connection type:

Note
Ensure the connection type you configure for the virtual port matches the connection type
supported by the IAH port.

virtual-service WORD<1-128> vport WORD<1-32> connect-type {ovs | sriov | vtd}

12. Configure the IAH port to associate with the connection type:
virtual-service WORD<1-128> vport WORD<1-32> port WORD<1-32>

Important
You cannot configure two virtual services with conflicting connect types on the same IAH
port. You cannot configure two virtual services with VT-d connect type on the same IAH
port.

13. Configure the NIC type of the IAH port:
virtual-service WORD<1-128> vport WORD<1-32> port WORD<1-32> nic-type
{virtio | e1000}
14. Add the virtual port to the VLAN created:
virtual-service WORD<1-128> vport WORD<1-32> vlan <1-4096>
15. Enable the virtual service:
virtual-service WORD<1-128> enable

Example

Configuring the TPVM virtual service using IAH port 1/s1 with an SR-IOV connection type:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 1/s1
Switch:1(config-if)#encapsulation dot1q
Switch:1(config-if)#exit
Switch:1(config)#vlan create 10 name tpvm-lan-vlan type port-mstprstp 0
Switch:1(config)#vlan members add 10 1/s1,1/6/2
Switch:1(config)#interface GigabitEthernet 1/s1,1/6/2
Switch:1(config-if)#no shutdown
Switch:1(config-if)#exit
Switch:1(config)#virtual-service tpvm vport eth0 connect-type sriov
Switch:1(config)#virtual-service tpvm vport eth0 vlan 10
Switch:1(config)#virtual-service tpvm enable

Configuring the TPVM virtual service on IAH port 1/s2 with a VT-d connection type:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#vlan create 10 type port-mstprstp 0
Switch:1(config)#vlan members add 10 1/1,1/s2
Switch:1(config)#interface GigabitEthernet 1/s2,1/1
Switch:1(config-if)#no shutdown
Switch:1(config-if)#exit
Switch:1(config)#virtual-service tpvm vport eth0 port 1/s2
Switch:1(config)#virtual-service tpvm enable


Variable Definitions
The following table defines parameters for the vlan create command.

Variable                     Value
<2-4059>                     Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1 is
                             the default VLAN and you cannot create or delete VLAN ID 1.
                             By default, the system reserves VLAN IDs 4060 to 4094 for
                             internal use. On switches that support the vrf-scaling
                             and spbm-config-mode boot configuration flags, if you
                             enable these flags, the system also reserves VLAN IDs 3500
                             to 3998.
color <0-32>                 Specifies the color of the VLAN.
name WORD<0-64>              Specifies a name for the VLAN to be created.
type {port-mstprstp <0-63>}  Creates a VLAN by port, with the STP instance ID ranging
                             from 0 to 63.
                             Note: MSTI instance 62 is reserved for SPBM if SPBM is
                             enabled on the switch.

The following table defines parameters for the vlan members command.

Variable                     Value
<1-4059>                     Specifies the VLAN ID in the range of 1 to 4059. By default,
                             VLAN IDs 1 to 4059 are configurable and the system reserves
                             VLAN IDs 4060 to 4094 for internal use. On switches that
                             support the vrf-scaling and spbm-config-mode boot
                             configuration flags, if you enable these flags, the system also
                             reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
                             VLAN and you cannot create or delete VLAN ID 1.
{slot/port[/sub-port]        Identifies the slot and port in one of the following
[-slot/port[/sub-port]]      formats: a single slot and port (slot/port), a range of slots
[,...]}                      and ports (slot/port-slot/port), or a series of slots and
                             ports (slot/port,slot/port,slot/port). If the platform supports
                             channelization and the port is channelized, you must also
                             specify the sub-port in the format slot/port/sub-port.
add                          Adds ports to a specified VLAN ID.


The following table defines parameters for the virtual-service command.

Variable                          Value
WORD<1-128>                       Specifies a name for the virtual service.
connect-type {ovs | sriov | vtd}  Specifies the connection type for the virtual port created.
                                  The default is VT-d. The switch supports the following
                                  maximums for virtual ports:
                                  • OVS - 16
                                  • SR-IOV - 16
                                  • VT-d - 2
disk WORD<1-32>                   Specifies the disk assigned to the virtual service.
mem-size <1-5120>                 Specifies the memory size in Megabytes assigned to the
                                  virtual service. The default value is 1024 Megabytes.
nic-type [virtio | e1000]         Specifies the Virtual Port NIC type. The default is e1000.
                                  Note: Configure this value only when the connect-type
                                  parameter is ovs.
num-cores <num_cores>             <num_cores> specifies the number of cores assigned to
                                  the virtual service. Different platforms support different
                                  ranges.
                                  Note: VSP 4900 Series supports <1-2> cores.
                                  VSP 7400 Series supports <1-6> cores.
                                  The default value is 1.
port WORD<1-32>                   Specifies the name of the Extreme Integrated Application
                                  Hosting (IAH) port associated with the virtual port.
                                  Depending on the hardware, the switch can support the
                                  following IAH ports:
                                  • 1/s1
                                  • 1/s2
size <1-30>                       Specifies the size of the disk in Gigabytes.
vlan <1-4096>                     Specifies the VLAN ID used by the virtual port.
vport WORD<1-32>                  Specifies the name of the virtual port.
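
The limits in the table above and the Important note in the procedure (conflicting connect types on one IAH port, two VT-d services on one IAH port, nic-type only with ovs) can be checked before a configuration is pasted into the switch. The following linter is an added example, not Extreme Networks code; the platform keys vsp4900 and vsp7400 and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Limits as stated in the guide's parameter table.
VPORT_MAX = {"ovs": 16, "sriov": 16, "vtd": 2}
CORE_MAX = {"vsp4900": 2, "vsp7400": 6}    # keys are labels chosen for this example
DISK_GB = range(1, 31)
# Matches "virtual-service NAME ..." with or without a CLI prompt, but not "no virtual-service"
CMD = re.compile(r"(?<!no )virtual-service\s+(\S+)(?:\s+(.*))?$")


def parse(lines):
    """Collect per-service settings from 'virtual-service ...' lines."""
    services = {}
    for raw in lines:
        m = CMD.search(raw.strip())
        if not m or m.group(1) == "copy-file":
            continue
        svc = services.setdefault(m.group(1), {"cores": None, "disks": {}, "vports": {}})
        words = (m.group(2) or "").split()
        if words[:1] == ["num-cores"] and len(words) == 2:
            svc["cores"] = int(words[1])
        elif words[:1] == ["disk"] and len(words) == 4 and words[2] == "size":
            svc["disks"][words[1]] = int(words[3])
        elif words[:1] == ["vport"] and len(words) >= 2:
            # connect-type defaults to VT-d when it is never configured
            vp = svc["vports"].setdefault(words[1], {"connect": "vtd", "port": None, "nic": None})
            for key, val in zip(words[2::2], words[3::2]):
                if key == "connect-type":
                    vp["connect"] = val
                elif key == "port":
                    vp["port"] = val
                elif key == "nic-type":
                    vp["nic"] = val
    return services


def lint(lines, platform):
    """Return a list of findings; an empty list means no documented limit is violated."""
    findings = []
    per_type = defaultdict(int)
    by_port = defaultdict(list)             # IAH port -> [(service, connect type)]
    for name, svc in parse(lines).items():
        cores = svc["cores"]
        if cores is not None and not 1 <= cores <= CORE_MAX[platform]:
            findings.append(f"{name}: num-cores {cores} outside 1-{CORE_MAX[platform]}")
        for disk, size in svc["disks"].items():
            if size not in DISK_GB:
                findings.append(f"{name}: disk {disk} size {size} outside 1-30 GB")
        for vname, vp in svc["vports"].items():
            if vp["connect"] not in VPORT_MAX:
                findings.append(f"{name}/{vname}: unknown connect-type {vp['connect']}")
                continue
            per_type[vp["connect"]] += 1
            if vp["nic"] and vp["connect"] != "ovs":
                findings.append(f"{name}/{vname}: nic-type set but connect-type is {vp['connect']}")
            if vp["port"]:
                by_port[vp["port"]].append((name, vp["connect"]))
    for ctype, count in per_type.items():
        if count > VPORT_MAX[ctype]:
            findings.append(f"{count} {ctype} vports exceed the maximum of {VPORT_MAX[ctype]}")
    for port, users in by_port.items():
        for i, (svc_a, type_a) in enumerate(users):
            for svc_b, type_b in users[i + 1:]:
                if svc_a == svc_b:
                    continue
                if type_a != type_b:
                    findings.append(f"{port}: {svc_a} ({type_a}) conflicts with {svc_b} ({type_b})")
                elif type_a == "vtd":
                    findings.append(f"{port}: {svc_a} and {svc_b} both use vtd")
    return findings


# Constructed sample configuration, not taken from a real switch.
SAMPLE = """\
Switch:1(config)#virtual-service tpvm num-cores 2
virtual-service tpvm disk data size 40
virtual-service tpvm vport eth0 connect-type sriov
virtual-service tpvm vport eth0 port 1/s1 nic-type virtio
virtual-service tpvm vport eth0 vlan 10
virtual-service figw num-cores 6
virtual-service figw vport eth0 port 1/s1
virtual-service figw2 vport eth0 port 1/s2
virtual-service figw3 vport eth0 port 1/s2
""".splitlines()

if __name__ == "__main__":
    for finding in lint(SAMPLE, "vsp4900"):
        print(finding)
```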

Shut Down a Virtual Service


About This Task

Perform this procedure to disable the virtual service.


Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Disable the virtual service:
no virtual-service WORD<1-128> enable

Example

Disable the virtual service.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#no virtual-service tpvm enable

Delete Virtual Service Resources


About This Task

Perform this procedure to delete the virtual service resource allocation.

Note
If a corresponding virtual machine is running, it is stopped, and then the virtual service
configuration is deleted.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Delete the virtual service resource allocation:
no virtual-service WORD<1-128> [disk WORD<1-32>] [vport WORD<1-32>]

Example

Delete all virtual service resource allocation.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#no virtual-service tpvm


Uninstall a Virtual Service


About This Task

Perform this procedure to uninstall a configured virtual service.

Note
If a virtual machine is running, it is stopped, and then the service directory is uninstalled.

Before You Begin

You must disable the virtual service before you uninstall it.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Uninstall a specific virtual service:
virtual-service WORD<1-128> uninstall

Example
Switch:1>enable
Switch:1#virtual-service tpvm uninstall

Variable Definitions
Use data in the following table to use the virtual-service command.

Variable Value
WORD<1-128> Specifies the virtual service name.
uninstall Uninstalls the specified virtual service name.

Display Virtual Service Configuration


About This Task

Perform this procedure to display the virtual service configuration on the switch.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the virtual-service configuration:
show virtual-service config [WORD<1-128>]

Example

Display the configuration of all virtual services:


Switch:1>show virtual-service config
====================================================================================================
Installed Packages
====================================================================================================
Package: FIGW-SHAPE
Package App Name: FabricIPSecGW_VM_5.0.0.0_20.04
Package Version: 5.0.0.0
Package Name: FabricIPSecGW_VM_5.0.0.0_20.04.ova

====================================================================================================
Virtual Services Config
====================================================================================================
Virtual Service :FIGW-SHAPE
Memory Assigned(M) : 8196
Number of Cores : 6
Additional Disk Assigned:

VPort Information:
Name    Vlan    Connect Type    Insight Port    NIC Type
eth0            vtd             1/s1

Management Status : Enabled
----------------------------------------------------------------------------------------------------

Display Virtual Service Installation Status


About This Task

Perform this procedure to display the installation status for the specific virtual service. This procedure
indicates if the installation finished successfully or failed to complete.

Procedure

1. To enter User EXEC mode, log on to the switch.
2. Display installation status for a specific virtual service:
show virtual-service install WORD<1-128>

Example

Display installation status for a specific virtual service:

Switch:1>show virtual-service install tpvm


Stage: Convert
Status: In Progress

Display Virtual Services Resources


About This Task

Perform the following procedure to display the number of remaining virtual services resources on the
switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display statistics for all virtual services configured on the switch or a specific virtual service:
show virtual-service statistics [WORD<1-128>]

Example
Switch:1>show virtual-service statistics
==========================================================================
Virtual Services
==========================================================================
Virtual Service : figw
Package App Name : FabricIPSecGW_VM_master.0.22_20.04
Package Name : FabricIPSecGW_VM_master.0.22_20.04.ova
Package Version : 0.22

Memory Utilization (Mega Bytes)
Allocated    Used    Available
12288        1209    11079

CPU Utilization
Allocated(# cores)    CPU Utilization (Total %)
6                     12

Disk Utilization
Primary Disk Size : 10G

VPort Information:
Name    Vlan    Connect Type    Insight Port    NIC Type
eth0            vtd             1/s1
Guest Intf Name : eth0
MAC Address : 42:fd:46:00:00:01
IPv4 Address : 0.0.0.0
IPv6 Address : fe80:0:0:0:40fd:46ff:fe00:1

Management Status : Enabled
Operational Status : Running
Uptime : 0 day(s), 08:49:30
------------------------------------------------------------------------------------------

==========================================================================================
Hypervisor Remaining Resources
==========================================================================================
Number of Cores Remaining: 0
Total Memory Remaining(M): 147
Total Disk Remaining(GB): 79

Run a VM command from Network Operating System (NOS) CLI


About This Task

Perform this task to run a virtual machine (VM) command from the NOS CLI.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Run the ls command for the VM configs directory from the CLI:
virtual-service WORD<1-128> exec-command WORD<1-256>

3. Run a Fabric IPsec Gateway command from the CLI:
virtual-service WORD<1-128> figw-cli WORD<1-256>

Examples
From NOS, list the contents of the /home/rwa/configs directory in the Fabric IPsec Gateway VM:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#virtual-service figw exec-command "ls /home/rwa/configs"
config.cfg
figw_cli.log
shadov.txt

From NOS, configure the source VLAN ID for the IPsec tunnel in the Fabric IPsec Gateway VM:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#virtual-service figw figw-cli "set global ipsec-tunnel-src-vlan 71"

Variable Definitions

The following table defines parameters for the virtual-service command.

Variable Value
WORD<1-128> Specifies the virtual service name.
WORD<1-256> Specifies the VM command to run. To include
spaces in the syntax, include the text string in
quotation marks (").

Copy VM Files
About This Task

Perform this task to copy files between the Network Operating System (NOS) and a VM, or between
VMs.

Procedure

1. Enter Privileged EXEC mode:
enable
2. Copy a file:
virtual-service copy-file WORD<1-256> WORD<1-256>

Examples
Copy a file from the NOS to a VM:
Switch:1>enable
Switch:1#virtual-service copy-file /intflash/config_figw.cfg figw:/home/rwa/configs/config.cfg

Copy a file from a VM to the NOS:
Switch:1>enable
Switch:1#virtual-service copy-file figw:/home/rwa/configs/config.cfg /intflash/config_figw.cfg

Copy a file between VMs:
Switch:1>enable
Switch:1#virtual-service copy-file figw:/home/rwa/configs/config.cfg figw2:/home/rwa/configs/config.cfg

Variable Definitions

The following table defines parameters for the virtual-service copy-file command.

Variable      Value
WORD<1-256>   Specifies the source and destination file to copy.
              To specify a VM location, use the format
              <VM_name>:<VM_file_path/filename>.
              To specify a NOS location, use the format
              </file_path/filename> where the valid path
              can be one of the following:
              • /intflash
              • /extflash
              • /usb
              • /var/lib/insight/packages

Change a VM User Password from Network Operating System (NOS) CLI


About This Task

Perform this task to change the password for a VM user. The password must be at least 8 characters
long.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Change the password:
virtual-service WORD<1-128> change-user-pass WORD<1-20>
3. Enter the new password.
4. Enter the new password a second time.

Example

Change the password for the rwa user account in the Fabric IPsec Gateway VM:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)#virtual-service figw change-user-pass rwa
Enter password : ********
Re-enter password : ********

Variable Definitions

The following table defines parameters for the virtual-service WORD<1-128> change-user-pass
command.

Variable Value
WORD<1-20> Specifies the username.
WORD<1-128> Specifies the virtual service name.

Upgrade a Virtual Service


If Extreme Networks makes a new version of the virtual service available, uninstall the original virtual
service and install the newer virtual service. The following generic procedure can apply to all virtual
services. For a Fabric IPsec Gateway-specific procedure, see Upgrade a Fabric IPsec Gateway VM on
page 882.

Important
You can perform an upgrade of Linux inside the virtual service by standard Linux upgrade
procedures. For example, TPVM is Ubuntu based, so you can use sudo apt-get update
and sudo apt-get upgrade. If you complete such an upgrade, Extreme Networks is
not responsible for the behavior of the VM; it has not been tested with every version of the
network operating system (NOS).

Before You Begin


• Ensure the new virtual service image version is compatible with the NOS release that runs on the
switch. For compatibility statements, see VOSS Release Notes. If necessary, upgrade the NOS image
before you upgrade the virtual service image.
• If you installed applications in the Third Party Virtual Machine (TPVM), you must migrate important
data for those applications before you perform this procedure.
• If you created new users in the TPVM, follow standard Linux procedures to back up user names and
passwords.
• For Fabric IPsec Gateway, back up the configuration files (*.cfg) and the shadov.txt file, which
is an encrypted file that contains the authentication keys for the IPsec tunnels. You can use the ls
command within the VM to see the file list. Use FTP within the VM to transfer the files for backup or
see Copy VM Files on page 871.
• Use FTP or SFTP to transfer the new OVA image to the /var/lib/insight/packages/
directory on the switch.

Note
The Fabric IPsec Gateway image includes no integrity check. Use SCP to copy the file to
the switch and confirm the file size before installation.


About This Task

When you uninstall the original virtual service, the system removes the complete virtual service
configuration from the configuration file.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Disable the virtual service:
no virtual-service WORD<1-128> enable
3. Return to Privileged EXEC mode:
end
4. Uninstall the virtual service:
virtual-service WORD<1-128> uninstall
5. Install the virtual service package using the new OVA image:
virtual-service WORD<1-128> install package WORD<1-512>
6. Reconfigure the virtual service; for more information, see Configure a Virtual Service on page 862.
7. Remove the original OVA image from the /var/lib/insight/packages/ directory on the
switch:
remove WORD<1-255>

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#no virtual-service tpvm enable
Switch:1(config)#end
Switch:1#virtual-service tpvm uninstall
Switch:1#virtual-service tpvm install package var/lib/insight/packages/TPVM_4900_8.2.0.0.img
Switch:1#configure terminal
Switch:1(config)#virtual-service tpvm vport eth0 connect-type sriov
Switch:1(config)#virtual-service tpvm vport eth0 vlan 10
Switch:1(config)#virtual-service tpvm enable
Switch:1(config)#remove /intflash/var/lib/insight/packages/TPVM_4900_8.1.5.0.img

Virtual Services Configuration using EDM


Perform the procedures in this section to configure Extreme Integrated Application Hosting (IAH)
virtual services on the switch using the Enterprise Device Manager (EDM).

Viewing Virtual Services Resources


About This Task

Perform the following procedure to view the number of remaining virtual services resources on the
switch.


Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.
2. Click Virtual Service.
3. Click the Globals tab.

Globals Field Descriptions


Use data in the following table to use the Globals tab.

Name                 Description
DiskRemain           Shows the remaining disk space available, in
                     Gigabytes (GB).
NumCoresRemain       Shows the remaining number of CPU cores
                     available.
MemSizeRemain        Shows the remaining amount of memory size
                     available, in Megabytes (MB).
CopySourceFile       Specifies the source file to copy. To specify
                     a location, use the format: {VM_NAME_SRC}:
                     {VM_FILE_PATH} or {NOS_FILE_PATH}.
                     For example, figw:/home/rwa/configs/ipsec1.cfg
                     identifies a file located in the VM.
                     /intflash/ipsec1.cfg identifies a file located
                     in the NOS. The valid path for a NOS location can
                     be one of the following:
                     • /intflash
                     • /extflash
                     • /usb
                     • /var/lib/insight/packages
CopyDestinationFile  Specifies the destination file to copy. To specify
                     a location, use the format: {VM_NAME_DST}:
                     {VM_FILE_PATH} or {NOS_FILE_PATH}.
                     For example, figw:/home/rwa/configs/ipsec1.cfg
                     identifies a file located in the VM.
                     /intflash/ipsec1.cfg identifies a file located
                     in the NOS. The valid path for a NOS location can
                     be one of the following:
                     • /intflash
                     • /extflash
                     • /usb
                     • /var/lib/insight/packages
CopyAction           Specifies an action to copy a file from source
                     to destination. The switch supports the following
                     action:
                     • Copy
                     • None
ScalarsName          Specifies the virtual service name. You must
                     specify the virtual service name if you use this tab
                     to change the password or run a command.
ExecuteCommand       Specifies the Virtual Machine (VM) command to
                     run. To include spaces in the syntax, include the
                     text string in quotation marks (").
User                 Specifies the virtual service user name. The range
                     is 0-20 characters.
Password             Specifies the virtual service password.
FigwCli              Specifies the command to send to the Fabric
                     IPsec Gateway VM. For more information about
                     Fabric IPsec Gateway commands, see VOSS CLI
                     Commands Reference.

Configure a Virtual Service


About This Task

Perform this procedure to configure a virtual service on the switch.

Before You Begin

You must configure at least one virtual port to enable the virtual service. For more information, see
Configure Virtual Ports on page 878.

Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.
2. Select Virtual Service.
3. Select the Virtual Service tab.
4. Select Insert.
5. In the Name field, enter a unique name.
6. (Optional) In the NumCores field, enter a value.
7. (Optional) In the MemSize field, enter a value.
8. Select Insert.
9. In the Enable field for the newly inserted row, change the value to true.
10. Select Apply.

Virtual Service Field Descriptions


Use data in the following table to use the Virtual Service tab.

Name               Description
Name               Specifies the name of the virtual service. Every
                   virtual service must have a unique name.
NumCores           Specifies the number of CPU cores assigned to the
                   virtual service. The default is 1.
MemSize            Specifies the memory size (in Megabytes)
                   assigned to the virtual service. The default value
                   is 1024 Megabytes.
Enable             Enables the virtual service.
                   Note: You must configure at least one virtual port to
                   enable the virtual service.
PackageInfoName    Shows the package name used by the virtual
                   service.
PackageAppName     Shows the application name used by the virtual
                   service.
PackageAppVersion  Shows the application version used by the virtual
                   service.
UtilCpuAllot       Specifies the number of CPUs allocated to the
                   virtual service.
UtilCpuUtil        Specifies the average percentage of CPU
                   utilization over the past 30 seconds.
UtilMemAllot       Specifies the memory (in Megabytes) allocated to
                   the virtual service.
UtilMemUsed        Specifies the memory used (in Megabytes) by the
                   virtual service.
UtilMemAvailable   Specifies the memory available (in Megabytes) for
                   the virtual service.
State              Specifies the operational state of the virtual
                   service.
UpTime             Specifies the operational time of the virtual
                   service.

Configuring Disks to be used by the Virtual Service


About This Task

Perform the following procedure to configure the number of disks to be used by the virtual service
configured on the switch.

Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.
2. Click Virtual Service.
3. Click the Disks tab.
4. Click Insert.
5. In the ServName field, enter the virtual service name.
6. In the Name field, enter the disk name.
7. (Optional) In the Size field, enter a value.
8. Click Insert.


Disks Field Descriptions


Use data in the following table to use the Disks tab.

Name           Description
ServName       Specifies the virtual service name.
               Note: The specified name must match the virtual service
               name configured on the switch.
Name           Specifies the name of the disk used by the virtual
               service.
Size           Specifies the disk size (in Gigabytes). The default
               is 10 Gigabytes.
SizeAllot      Shows the disk size (in Megabytes) allocated to
               the virtual service.
SizeAvailable  Shows the available disk storage space (in
               Megabytes).
SizeUsed       Shows the amount of disk storage space (in
               Megabytes) used by the virtual service.

Configure Virtual Ports


About This Task

Perform the following procedure to configure virtual ports to be used by the virtual service configured
on the switch.

Note
The names of Ethernet ports appearing in a specific Virtual Machine (VM) are not correlated
to the configured virtual port names. Each VM renames the Ethernet ports as per its
requirements, after they are discovered during the VM initialization.
By default, the system displays all virtual ports of OVS connection type first in the
alphabetical order of their configured names, followed by the virtual ports of SR-IOV and
VT-d connection types.

Before You Begin


• You must enable trunking on the Extreme Integrated Application Hosting (IAH) port when you use
SR-IOV and OVS connection types.
• Ensure the switch has the Ethernet drivers installed as per the SR-IOV standard, to support the VT-d
and the SR-IOV connection type for the configured virtual ports.

Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.
2. Select Virtual Service.
3. Select the VPorts tab.
4. Select Insert.


5. In the Virtual Service Name field, enter the virtual service name.
6. In the Interface Name field, enter a name for the virtual port.
7. (Optional) In the VlanIdList field, enter a VLAN ID.
8. (Optional) In the ConnectType field, select a connection type.

Note
Ensure the connection type you configure for the virtual port matches the connection type
supported by the IAH port.

9. Select Insert.

VPorts Field Descriptions


Use data in the following table to use the VPorts tab.

Name                   Description
Virtual Service Name   Specifies the virtual service name.
                       Note: The specified name must match the virtual
                       service name configured on the switch.
Interface Name         Specifies the virtual port.
VlanIdList             Specifies the VLAN ID to which the virtual port is
                       assigned.
ConnectType            Specifies the virtual port connect type. The default
                       is VT-d. The switch supports the following maximums
                       for virtual ports:
                       • OVS - 16
                       • SR-IOV - 16
                       • VT-d - 2
Port                   Specifies the name of the Extreme Integrated
                       Application Hosting port associated with the virtual
                       port. Depending on hardware, the switch can support
                       the following Extreme Integrated Application Hosting
                       ports:
                       • 1/s1
                       • 1/s2
NicType                Specifies the Virtual Port NIC type. The default is
                       e1000.
                       • virtio
                       • e1000
                       Note: Configure this value only when the ConnectType
                       field is OVS.


Install a Virtual Service


Before You Begin
• Use FTP or SFTP to transfer the OVA image to the /var/lib/insight/packages/ directory on
the switch.

About This Task

Perform the following procedure to configure the package information to be used by the virtual service.

Procedure
1. In the navigation pane, expand Configuration > Serviceability.
2. Select Virtual Service.
3. Select the Application tab.
4. Select Insert.
5. In the Name field, enter the virtual service name.
6. Next to the PackageName field, select the ellipsis, select the package to install, and then select Ok.
7. Select Insert.

Application Field Descriptions


Use data in the following table to use the Application tab.

Name Description
Name Specifies the name of the virtual service.
PackageName Specifies the name and location of the package.
InstallResult Shows the status of the virtual service installation.
InstallStage Shows the stages of a package installation.
PackageAppName Shows the application name used by the virtual
service.
PackageAppVersion Shows the application version used by the virtual
service.

Run a VM command from EDM


About This Task

Perform this task to run a VM command from EDM. To include spaces in the syntax, include the text
string in quotation marks (").

Procedure

1. In the navigation pane, expand Configuration > Serviceability.


2. Select Virtual Service.
3. Select the Globals tab.
4. In the ScalarsName field, type a virtual service name.


5. In the ExecuteCommand field, type the ls command for the VM configs directory. For example,
"ls /home/rwa/configs".
6. In the FigwCli field, type a command to send it to the Fabric IPsec Gateway. For more information
about Fabric IPsec Gateway commands, see VOSS CLI Commands Reference.
7. Select Apply.

Copy VM Files
About This Task

Perform this task to copy files between the Network Operating System (NOS) and a VM or between
VMs. The valid path for a NOS location can be one of the following:
• /intflash
• /extflash
• /usb
• /var/lib/insight/packages

Procedure

1. In the navigation pane, expand Configuration > Serviceability.


2. Select Virtual Service.
3. Select the Globals tab.
4. In the CopySourceFile field, type the location of the source file using the following
format: {VM_NAME_SRC}:{VM_FILE_PATH} or {NOS_FILE_PATH}. For example,
figw:/home/rwa/configs/ipsec1.cfg identifies a file located in the VM, and
/intflash/ipsec1.cfg identifies a file located in the NOS.
5. In the CopyDestinationFile field, type the location of the destination file using the
following format: {VM_NAME_DST}:{VM_FILE_PATH} or {NOS_FILE_PATH}. For example,
figw:/home/rwa/configs/ipsec1.cfg identifies a file located in the VM, and
/intflash/ipsec1.cfg identifies a file located in the NOS.
6. In the CopyAction field, select Copy.
7. Select Apply.

Change a VM User Password from EDM


About This Task

Perform this task to change the password for a VM user.

Procedure

1. In the navigation pane, expand Configuration > Serviceability.


2. Select Virtual Service.
3. Select the Globals tab.
4. In the ScalarsName field, type a virtual service name.
5. In the User field, type the user name.
6. In the Password field, type a password.


7. Select Apply.

Viewing Virtual Services Package File Information


About This Task

Perform the following procedure to view information about the package files available in
the /var/lib/insight/packages directory, which you can use to install a new virtual service.

Procedure

1. In the navigation pane, expand the Configuration > Serviceability folders.


2. Click Virtual Service.
3. Click the PackageFile tab.

PackageFile Field Descriptions


Use data in the following table to use the PackageFile tab.

Name Description
Name Shows the name and absolute path information
for package files available in the /var/lib/
insight/packages directory.
Date Shows the date and time when the package file
was added to the directory.
Size Shows the size (in bytes) of the package file.

Fabric IPsec Gateway Configuration using CLI


Perform the procedures in this section to configure services like IPsec, fragmentation and reassembly,
and to manage the Fabric IPsec Gateway Virtual Machine using the command line interface (CLI).

Upgrade a Fabric IPsec Gateway VM


If Extreme Networks makes a new version of the Fabric IPsec Gateway available, disable or uninstall the
original virtual service, and then install the newer virtual service.

Before You Begin


• Ensure the image version is compatible with the NOS release that runs on the switch. For
compatibility statements, see VOSS Release Notes. If necessary, upgrade the NOS image before
you upgrade the virtual service image.
Note
The Fabric IPsec Gateway image includes no integrity check. Use SCP to copy the file to
the switch and confirm the file size before installation.


About This Task

Steps in this procedure include examples or links to background procedures if you are unfamiliar with
how to complete a particular step.

Procedure

1. Within the VM, save the configuration. For more information, see Save Running Configuration to a
File on page 904.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#virtual-service figwOld console
Connected to domain figw5.2 Escape character is ^Y
FIGW> save config
File already exists, do you want to overwrite [y/n]: y
FIGW>

2. Copy the configuration files (*.cfg), the shadov.txt file, which is an encrypted file that contains
the authentication keys for the IPsec tunnels, and the default-config-file.txt file from
the VM to intflash within the NOS. For more information, see Run a VM command from Network
Operating System (NOS) CLI on page 870 and Copy VM Files on page 871.
Switch:1(config)#mkdir figw
Switch:1(config)#virtual-service figwOld exec-command "ls /home/rwa/configs/"
config.cfg
figw.cfg
figw_cli.log
new.cfg
shadov.txt
Switch:1(config)#exit
Switch:1#virtual-service copy-file figwOld:/home/rwa/configs/config.cfg /intflash/figw/config.cfg
Switch:1#virtual-service copy-file figwOld:/home/rwa/configs/new.cfg /intflash/figw/new.cfg
Switch:1#virtual-service copy-file figwOld:/home/rwa/configs/figw.cfg /intflash/figw/figw.cfg
Switch:1#virtual-service copy-file figwOld:/home/rwa/default-config-file.txt /intflash/figw/default-config-file.txt
Switch:1#virtual-service copy-file figwOld:/home/rwa/configs/shadov.txt /intflash/figw/shadov.txt

3. Verify the file copy:


Switch:1#ls figw/
Listing Directory /intflash/figw/:
drwxr-xr-x 2 0 0 4096 Jun 17 13:46 ./
drwxr-xr-x 31 0 0 4096 Jun 17 13:43 ../
-rw-r--r-- 1 0 0 851 Jun 17 13:44 config.cfg
-rw-r--r-- 1 0 0 8 Jun 17 13:46 default-config-file.txt
-rw-r--r-- 1 0 0 0 Jun 17 13:45 figw.cfg
-rw-r--r-- 1 0 0 851 Jun 17 13:45 new.cfg
-rw-r--r-- 1 0 0 32 Jun 17 13:45 shadov.txt

4. Enter Global Configuration mode:


enable

configure terminal


5. Disable the virtual service:


no virtual-service WORD<1-128> enable

Note
If you instead uninstall the original virtual service, the system removes the complete virtual
service configuration from the configuration file.

6. Return to Privileged EXEC mode:


end
7. Install the virtual service package using the new image:
virtual-service WORD<1-128> install package WORD<1-512>
8. Reconfigure the virtual service. For more information, see Configure a Virtual Service on page 862.
9. Copy the files you saved from the old VM to the same folder path in the new VM:
Switch:1(config)#exit
Switch:1#virtual-service copy-file /intflash/figw/config.cfg figwNew:/home/rwa/configs/config.cfg
Switch:1#virtual-service copy-file /intflash/figw/figw.cfg figwNew:/home/rwa/configs/figw.cfg
Switch:1#virtual-service copy-file /intflash/figw/new.cfg figwNew:/home/rwa/configs/new.cfg
Switch:1#virtual-service copy-file /intflash/figw/shadov.txt figwNew:/home/rwa/configs/shadov.txt
Switch:1#virtual-service copy-file /intflash/figw/default-config-file.txt figwNew:/home/rwa/default-config-file.txt

10. Verify the file copy:


configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#virtual-service figwNew exec-command "ls /home/rwa/configs"
config.cfg
figw.cfg
figw_cli.log
new.cfg
shadov.txt

11. Reboot the Fabric IPsec Gateway VM. For more information, see Reboot Fabric IPsec Gateway VM
on page 910.

Tip
As an alternative, you can disable and reenable the Fabric IPsec Gateway virtual service.

12. Verify the running configuration of the new VM matches the configuration of the old VM:
Switch:1(config)#virtual-service figwNew figw-cli "show running-config"
set global ipsec-tunnel-src-vlan 30
set global ipsec-tunnel-src-ip 30.30.30.2/24
set global lan-intf-vlan 100
set global lan-intf-ip 100.100.100.2/24
set global lan-intf-gw-ip 100.100.100.102
set global fe-tunnel-src-ip 102.102.102.102
set global wan-intf-gw-ip 30.30.30.102
set global mtu 1950
set global services sshd enable
set ipsec 104 auth-key ******
set ipsec 104 responder-only true
set ipsec 104 fe-tunnel-dest-ip 104.104.104.104
set ipsec 104 fragment-before-encrypt enable
set ipsec 104 admin-state enable
set ipsec 105 auth-key ******
set ipsec 105 responder-only true
set ipsec 105 fe-tunnel-dest-ip 105.105.105.105
set ipsec 105 fragment-before-encrypt enable
set ipsec 105 admin-state enable
set ipsec 107 auth-key ******
set ipsec 107 responder-only true
set ipsec 107 fe-tunnel-dest-ip 192.168.22.107
set ipsec 107 admin-state enable

13. Remove the original image from the /var/lib/insight/packages/ directory on the switch:
remove WORD<1-255>
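
The note under Before You Begin states that the image includes no integrity check and asks you to confirm the file size. The following Python code is an added example, not part of the original guide or Extreme Networks software: it checks the staged image against a SHA-256 digest recorded at download time and compares its byte count with a pasted switch listing. The recorded digest, the function names, and the sample file are assumptions made for illustration, as is the assumption that the listing of the packages directory uses the same row format as the ls output in step 3.

```python
import hashlib
import os
import re
import tempfile

# Row format of the switch "ls" output shown in this guide, for example:
# -rw-r--r-- 1 0 0 851 Jun 17 13:44 config.cfg
LS_ROW = re.compile(
    r"^[-d][rwx-]{9}\s+\d+\s+\d+\s+\d+\s+(?P<size>\d+)\s+"
    r"\w{3}\s+\d{1,2}\s+\S+\s+(?P<name>\S+)$")


def fingerprint(path, chunk_size=1 << 20):
    """Return (size_in_bytes, sha256_hex) of a local file, read in chunks."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def sizes_from_listing(listing):
    """Map file name -> size in bytes from pasted switch 'ls' output."""
    sizes = {}
    for line in listing.splitlines():
        row = LS_ROW.match(line.strip())
        if row:
            sizes[row["name"]] = int(row["size"])
    return sizes


def check_image(local_path, recorded_sha256, listing):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    name = os.path.basename(local_path)
    size, digest = fingerprint(local_path)
    # 1. The staged copy must still match the digest recorded at download time.
    if digest != recorded_sha256.strip().lower():
        problems.append(f"{name}: SHA-256 differs from the recorded digest")
    # 2. The copy on the switch must have the same byte count (catches truncation).
    on_switch = sizes_from_listing(listing).get(name)
    if on_switch is None:
        problems.append(f"{name}: not present in the switch listing")
    elif on_switch != size:
        problems.append(f"{name}: {on_switch} bytes on switch, {size} bytes staged")
    return problems


def demo():
    """Run both checks on a constructed 4096-byte stand-in for an OVA image."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "figw-sample.ova")  # hypothetical file name
        with open(path, "wb") as handle:
            handle.write(b"\x00" * 4096)
        _, recorded = fingerprint(path)  # stands in for the digest noted at download
        complete = "-rw-r--r-- 1 0 0 4096 Jun 17 13:44 figw-sample.ova"
        truncated = "-rw-r--r-- 1 0 0 2048 Jun 17 13:44 figw-sample.ova"
        return (check_image(path, recorded, complete),
                check_image(path, recorded, truncated),
                check_image(path, "0" * 64, complete))


if __name__ == "__main__":
    for outcome in demo():
        print(outcome or "OK")
```

A matching size only rules out a truncated transfer; the digest comparison covers the staged copy, not the copy on the switch.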

Configure FTP Connection to an IP Address


Fabric IPsec Gateway Virtual Machine (VM) provides a File Transfer Protocol (FTP) CLI to copy the
configuration files to the VM.

About This Task

Perform this procedure to configure an FTP connection to a specific IP Address.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Configure FTP connection:


ftp {A.B.C.D}

Example

Configuring FTP connection to 192.0.2.50:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> ftp 192.0.2.50

Variable Definitions
The following table defines the variable for the ftp command.

Variable Value
{A.B.C.D} Specifies the IP Address to establish the FTP connection with.


Display the Default Directory on Fabric IPsec Gateway VM


About This Task

Perform this procedure to display content in the default directory on the Fabric IPsec Gateway Virtual
Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display the configured directory:


ls

Example
Displaying the configured directory on the VM.
Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> ls
coupled.cfg

Load Configuration File to Fabric IPsec Gateway VM


About This Task

Perform this procedure to load a configuration file to the Fabric IPsec Gateway Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Load a specific configuration file to the VM:


load WORD <1-255>


Example

Loading a configuration file to the VM.

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> load coupled.cfg

Variable Definitions
The following table defines the variable for the load command.

Variable Value
WORD <1-255> Specifies the configuration file name.

Ping an IP Address on Fabric IPsec Gateway VM


About This Task

Perform this procedure to ping an IP Address on the Fabric IPsec Gateway Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Ping an IP Address:
ping {A.B.C.D}

Example
Pinging an IP Address on the VM.

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> ping 192.0.2.35


Variable Definitions
The following table defines parameters for the ping command.

Variable Value
{A.B.C.D} Specifies the IP address.

Configure Global Parameters on Fabric IPsec Gateway VM


About This Task

Perform this procedure to globally configure the IPsec source IP address, the Local Area Network
(LAN) interface IP and gateway IP addresses, the maximum transmission unit (MTU) value, and related
parameters on the Fabric IPsec Gateway Virtual Machine (VM).

Note
You must perform this procedure only after the VM boots up.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Configure IPsec source IP address for a Fabric Extend (FE) tunnel for IPsec in decoupled mode:
set global ipsec-tunnel-src-ip {A.B.C.D/X}
3. Assign VLAN ID to the configured IPsec source IP address:
set global ipsec-tunnel-src-vlan <2-4059>
4. Configure the LAN interface IP address on the first Ethernet interface (eth0) of Fabric IPsec Gateway
VM:
set global lan-intf-ip {A.B.C.D/X}
5. Assign VLAN ID to the configured LAN interface IP address:
set global lan-intf-vlan <2-4059>
6. Configure the LAN interface gateway IP address on the VOSS switch:
set global lan-intf-gw-ip {A.B.C.D}
7. Configure the logical interface gateway IP address, to add routes for FE tunnels that need
fragmentation:
set global fe-tunnel-gw-ip {A.B.C.D}


8. Configure the logical interface source IP address for the FE tunnel:


set global fe-tunnel-src-ip {A.B.C.D}

Note
The logical interface source IP address must be the same as the source IP address configured
on the VOSS switch.

9. Configure the global MTU value:


set global mtu <mtu-value>

Note
• The switch applies the global MTU value if you do not configure MTU during the IPsec
tunnel configuration.
• If an IPsec tunnel is not using the fragmentation and reassembly capabilities, the
default MTU value is 1950.

10. Configure the Wide Area Network (WAN) interface gateway IP address, which is the next hop for
IPsec tunnels:
set global wan-intf-gw-ip {A.B.C.D}
11. Configure the virtual reassembly interface IP address:
set global virtual-reassembly-intf-ip {A.B.C.D/X}

Note
You must configure the virtual reassembly interface IP address to use the fragmentation
and reassembly service.

12. Assign VLAN ID to the configured virtual reassembly interface IP address:


set global virtual-reassembly-intf-vlan <2-4059>
13. Disable IPsec on all configured tunnels:
set global ipsec-disable
14. Set IPsec log level:
set global ipsec-log-level <-1-5>

Example
Configuring global parameters on Fabric IPsec Gateway VM to configure an IPsec tunnel between two
switches:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> set global ipsec-tunnel-src-ip 192.0.2.10/24
FIGW> set global ipsec-tunnel-src-vlan 101
FIGW> set global lan-intf-ip 192.0.2.20/24
FIGW> set global lan-intf-vlan 30
FIGW> set global lan-intf-gw-ip 192.0.2.30
FIGW> set global fe-tunnel-src-ip 192.0.2.40
FIGW> set global wan-intf-gw-ip 192.0.2.50
FIGW> set global mtu 1950

Variable Definitions
The following table defines parameters for the set global command.

Variable                                Value
ipsec-tunnel-src-ip {A.B.C.D/X}         Specifies the source IP address and subnet mask for IPsec tunnel.
ipsec-tunnel-src-vlan <2-4059>          Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1 is the
                                        default VLAN and you cannot create or delete VLAN ID 1. By default,
                                        the system reserves VLAN IDs 4060 to 4094 for internal use. On
                                        switches that support the vrf-scaling and spbm-config-mode
                                        boot configuration flags, if you enable these flags, the system also
                                        reserves VLAN IDs 3500 to 3998.
lan-intf-ip {A.B.C.D/X}                 Specifies the IP address and subnet mask for Local Area Network (LAN)
                                        interface.
lan-intf-vlan <2-4059>                  Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1 is the
                                        default VLAN and you cannot create or delete VLAN ID 1. By default,
                                        the system reserves VLAN IDs 4060 to 4094 for internal use. On
                                        switches that support the vrf-scaling and spbm-config-mode
                                        boot configuration flags, if you enable these flags, the system also
                                        reserves VLAN IDs 3500 to 3998.
lan-intf-gw-ip {A.B.C.D}                Specifies the gateway IP address for LAN interface.
fe-tunnel-gw-ip {A.B.C.D}               Specifies the gateway IP address for Fabric Extend (FE) tunnel.
fe-tunnel-src-ip {A.B.C.D}              Specifies the source IP address for FE tunnel.
mtu <750-9000>                          Specifies the Maximum Transmission Unit (MTU) value.
                                        Note: If an IPsec tunnel is not using the fragmentation and reassembly
                                        capabilities, the default MTU value is 1950.
wan-intf-gw-ip {A.B.C.D}                Specifies the Wide Area Network (WAN) interface gateway IP address.
virtual-reassembly-intf-ip {A.B.C.D/X}  Specifies the virtual-reassembly interface IP address and subnet mask on
                                        the Fabric IPsec Gateway (VM).
                                        Note: You must configure the virtual reassembly interface IP address to
                                        use the fragmentation and reassembly service.
virtual-reassembly-intf-vlan <2-4059>   Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1 is the
                                        default VLAN and you cannot create or delete VLAN ID 1. By default,
                                        the system reserves VLAN IDs 4060 to 4094 for internal use. On
                                        switches that support the vrf-scaling and spbm-config-mode
                                        boot configuration flags, if you enable these flags, the system also
                                        reserves VLAN IDs 3500 to 3998.
ipsec-disable                           Disables IPsec operationally on all tunnels in the Fabric IPsec Gateway
                                        VM.
ipsec-log-level <-1-5>                  Specifies the IPsec log levels on Fabric IPsec Gateway VM. Following are
                                        the three levels:
                                        • -1: Absolutely Silent
                                        • 0-4: Log levels
                                        • 5: Clear Logs

Configure IPsec Tunnels on Fabric IPsec Gateway VM


About This Task

Perform this procedure to configure IPsec tunnels on Fabric IPsec Gateway Virtual Machine (VM).

Procedure
1. Enter Fabric IPsec Gateway Configuration mode:
enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Configure the Maximum Transmission Unit (MTU) value for the specific IPsec tunnel:
set ipsec <1-255> mtu <1300-9000>

Note
The MTU range <1300-9000> is applicable for FE tunnels with IPsec and fragmentation
and reassembly capabilities.

3. Configure the ESP cipher suite for the IPsec tunnel:


set ipsec <1-255> esp <aes128gcm16-sha256 | aes256-sha256 | aes256gcm16-sha256>
4. Configure the authentication key for the specific IPsec tunnel:
set ipsec <1-255> auth-key WORD <1-32>

Note
Do not use special characters ?, \, &, <, >, #.

5. Configure VXLAN destination IP address for IPsec tunnel:


set ipsec <1-255> fe-tunnel-dest-ip {A.B.C.D}

Note
The VXLAN destination IP address for IPsec tunnel must be the same as the VXLAN
destination IP address for FE tunnel.


6. Configure the IPsec destination IP address for the specific tunnel deployed in decoupled mode:
set ipsec <1-255> ipsec-dest-ip {A.B.C.D}
7. Configure a name for the IPsec tunnel:
set ipsec <1-255> tunnel-name WORD <1-64>
8. Identify if the specific tunnel is a responder or initiator in Network Address Translation (NAT) cases:
set ipsec <1-255> responder-only <true | false>
9. Enable IPsec on a specific tunnel:
set ipsec <1-255> admin-state enable

Example

Configure parameters for IPsec tunnel on Fabric IPsec Gateway VM:


Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> set ipsec 1 ipsec-dest-ip 192.0.2.5
FIGW> set ipsec 1 mtu 1950
FIGW> set ipsec 1 auth-key abcd
FIGW> set ipsec 1 tunnel-name Tunnel-to-BEB2
FIGW> set ipsec 1 fe-tunnel-dest-ip 192.0.2.15
FIGW> set ipsec 1 esp aes256gcm16-sha256
FIGW> set ipsec 1 admin-state enable

Variable Definitions
The following table defines parameters for the set ipsec command.

Variable                                Value
<1-255>                                 Specifies the unique ID for the IPsec tunnel.
admin-state <enable | disable>          Enables or disables IPsec on the specific IPsec tunnel.
auth-key WORD <1-32>                    Specifies the pre-shared authentication key.
                                        Note: Do not use special characters ?, \, &, <, >, #.
encryption-key-length <128 | 256>       Specifies the encryption key length for the IPsec tunnel. The default
                                        encryption key length is 128. As a best practice, use the newer esp
                                        parameter instead; the encryption-key-length parameter remains
                                        for backward compatibility.
esp <aes128gcm16-sha256 |               Specifies the ESP cipher suites for the IPsec tunnel. The default is
aes256-sha256 | aes256gcm16-sha256>     aes128gcm16-sha256. aes256-sha256 is not supported in the current
                                        release.
fe-tunnel-dest-ip {A.B.C.D}             Specifies the destination IP address for Fabric Extend (FE) tunnel.
ipsec-dest-ip {A.B.C.D}                 Specifies the destination IP address for IPsec tunnel.
mtu <1300-9000>                         Specifies the Maximum Transmission Unit (MTU) value for the FE tunnel
                                        with both IPsec and fragmentation and reassembly capabilities.
responder-only <true | false>           Specifies if the IPsec session in the FE tunnel will be in responder only
                                        mode or initiator mode. When in responder mode, the FE tunnel will only
                                        respond to the incoming request and not initiate the IPsec connection. By
                                        default, both sides of the IPsec connection will be initiators in the FE
                                        tunnel. Configure the IPsec tunnel to be in responder only mode when
                                        there is Network Address Translation (NAT) between the IPsec connection.
                                        For more information about NAT, see IPsec NAT-T on page 1776.
tunnel-name WORD <1-64>                 Specifies a name for the IPsec tunnel.
egress-shaping-rate <1-1000>            Specifies the egress shaper rate for the IPsec tunnel.
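
Step 12 of the upgrade procedure asks you to confirm that the running configuration of the new VM matches the old one, and the set global and set ipsec tables above give the permitted ranges. The following Python code is an added example, not part of the original guide or Extreme Networks software: it parses show running-config text, reports the differences between two VMs, and flags values outside the documented ranges. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Ranges and value sets from this guide's "set global" and "set ipsec" tables.
VLAN_KEYS = {"ipsec-tunnel-src-vlan", "lan-intf-vlan", "virtual-reassembly-intf-vlan"}
PREFIX_KEYS = {"ipsec-tunnel-src-ip", "lan-intf-ip", "virtual-reassembly-intf-ip"}
HOST_KEYS = {"lan-intf-gw-ip", "fe-tunnel-gw-ip", "fe-tunnel-src-ip",
             "wan-intf-gw-ip", "fe-tunnel-dest-ip", "ipsec-dest-ip"}
# aes256-sha256 is in the command syntax but listed as not supported in this release.
SUPPORTED_ESP = {"aes128gcm16-sha256", "aes256gcm16-sha256"}
FORBIDDEN = set("?\\&<>#")  # characters the guide disallows in auth-key
MASK = "******"             # "show running-config" masks auth-key values

def parse_config(text):
    """Map (scope, key) -> value; scope is "global" or an integer tunnel ID."""
    settings = {}
    for raw in text.splitlines():
        words = re.sub(r"^FIGW>\s*", "", raw.strip()).split()
        if len(words) >= 3 and words[:2] == ["set", "global"]:
            settings[("global", words[2])] = " ".join(words[3:])
        elif len(words) >= 4 and words[:2] == ["set", "ipsec"] and words[2].isdecimal():
            settings[(int(words[2]), words[3])] = " ".join(words[4:])
    return settings

def _in_range(value, low, high):
    return value.isdecimal() and low <= int(value) <= high

def _valid_ip(value, with_prefix):
    """True for A.B.C.D, or for A.B.C.D/X when with_prefix is set."""
    if with_prefix != ("/" in value):
        return False
    try:
        ipaddress.IPv4Interface(value)  # accepts both forms
    except ValueError:
        return False
    return True

def validate(settings):
    """Return findings for values outside what the guide's tables allow."""
    findings, tunnels = [], {}
    for (scope, key), value in settings.items():
        where = f"{scope} {key}"
        if scope != "global":
            tunnels.setdefault(scope, {})[key] = value
        if key in VLAN_KEYS and not _in_range(value, 2, 4059):
            findings.append(f"{where}: VLAN {value!r} is outside 2-4059")
        elif key in PREFIX_KEYS and not _valid_ip(value, True):
            findings.append(f"{where}: {value!r} is not A.B.C.D/X")
        elif key in HOST_KEYS and not _valid_ip(value, False):
            findings.append(f"{where}: {value!r} is not A.B.C.D")
        elif key == "mtu" and not _in_range(
                value, 750 if scope == "global" else 1300, 9000):
            findings.append(f"{where}: MTU {value!r} is out of range")
        elif key == "esp" and value not in SUPPORTED_ESP:
            findings.append(f"{where}: ESP suite {value!r} is unknown or not supported")
        elif key == "auth-key" and value != MASK and (
                not 1 <= len(value) <= 32 or FORBIDDEN & set(value)):
            findings.append(f"{where}: length or characters not allowed")
    for tunnel_id, options in sorted(tunnels.items()):
        if not 1 <= tunnel_id <= 255:
            findings.append(f"{tunnel_id}: tunnel ID is outside 1-255")
        # Guide prerequisite: set ipsec-dest-ip or responder mode first.
        if (options.get("fragment-before-encrypt") == "enable"
                and "ipsec-dest-ip" not in options
                and options.get("responder-only", "").lower() != "true"):
            findings.append(f"{tunnel_id} fragment-before-encrypt: "
                            "needs ipsec-dest-ip or responder-only true")
    return findings

def diff_configs(old, new):
    """List (status, (scope, key), old_value, new_value) for each difference."""
    report = []
    for item in sorted(set(old) | set(new), key=str):
        if item not in new:
            report.append(("missing", item, old[item], None))
        elif item not in old:
            report.append(("added", item, None, new[item]))
        elif old[item] != new[item]:
            report.append(("changed", item, old[item], new[item]))
    return report

# Constructed sample in the "show running-config" format shown on this page.
OLD_VM = """\
set global ipsec-tunnel-src-vlan 30
set global ipsec-tunnel-src-ip 192.0.2.2/24
set global mtu 1950
set ipsec 104 auth-key ******
set ipsec 104 responder-only true
set ipsec 104 fe-tunnel-dest-ip 203.0.113.104
set ipsec 104 fragment-before-encrypt enable
"""
NEW_VM = OLD_VM.replace("mtu 1950", "mtu 700").replace(
    "set ipsec 104 responder-only true\n", "")

if __name__ == "__main__":
    new = parse_config(NEW_VM)
    print(diff_configs(parse_config(OLD_VM), new), validate(new), sep="\n")
```

Masked auth-key values compare as equal, so a clean diff does not confirm that the keys held in shadov.txt were copied correctly.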

Configure IPsec Compression


Note
This procedure only applies to VSP 4900 Series and VSP 7400 Series using Fabric IPsec
Gateway.

Before You Begin

Ensure IPsec fragmentation before encryption is disabled.

About This Task

Perform this procedure to enable IPsec compression on Fabric IPsec Gateway Virtual Machine (VM).

Note
By default, IPsec compression is disabled. You must enable IPsec compression on both ends
of the adjacency.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Enable IPsec compression:


set ipsec compression


Enable Fragmentation Before Encryption on Fabric IPsec Gateway VM


Perform this procedure to fragment packets larger than the IPsec tunnel maximum transmission unit
(MTU) before the packets are sent for encryption.

Before You Begin


• Ensure IPsec is disabled on the tunnel. The administrative state must be disabled before you can
enable or disable fragmentation before encryption.
• Configure the IPsec destination IP address or enable responder mode.

About This Task

By default, fragmentation before encryption is disabled.

Procedure
1. Enter Fabric IPsec Gateway Configuration mode:
enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Enable fragmentation before IPsec encryption:


set ipsec <1-255> fragment-before-encrypt enable

Configure the Subject Identity on Fabric IPsec Gateway VM


About This Task

Use this procedure to configure the subject parameters to identify the device.

Procedure
1. Enter Fabric IPsec Gateway Configuration mode:
enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Configure the distinguished name of the device:


set certificate subject <subject-label> DN <name>
3. (Optional) Configure the name of the generated key-pair:
set certificate subject <subject-label> key-label <key-label>

Example
Switch:1>enable
Switch:1#virtual-service FIGW console
FIGW>set certificate subject ExtremeLab DN "CN=subca5, OU=Test, O=Extreme, L=Town, ST=State, [email protected]"
FIGW>set certificate subject ExtremeLab key-label key1

Variable Definitions
The following table defines parameters for the set certificate subject command.

Variable                Value
DN <name>               Specifies the distinguished name. You can create a comma-separated list.
key-label <key-label>   Specifies the key name of the generated key pair. This parameter is
                        optional. If you do not configure one, the switch generates a key label
                        that is the same as the subject-label.
<subject-label>         Specifies the subject identity. You cannot use the following special
                        characters:
                        • question mark (?)
                        • backslash (\)
                        • ampersand (&)
                        • less than (<)
                        • greater than (>)
                        • pound (#)

Generate the Key Pair on Fabric IPsec Gateway VM


About This Task

Use the following procedure to generate the private and public key pair. By default, VOSS generates a
2,048 RSA key when the system starts. You can use this procedure to generate a new key.

Before You Begin


• Configure an EJBCA CA server.
• Configure a route from Fabric IPsec Gateway to the EJBCA CA server.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Generate the key:


certificate generate key <type> <size> <key-label>

Example
Switch:1>enable
Switch:1#virtual-service FIGW console
FIGW>certificate generate key rsa 2048 key_rsa
fingerprint: 09ac0c64b9bf3ad04dc67f20942c674e


Variable Definitions
The following table defines parameters for the certificate generate key command.

Variable Value
key-label Specifies the key name of the generated key pair.
size Specifies the size of key-pair to be generated. The
switch supports 2048.
type Specifies the type of cryptography algorithm used
to generate the key-pair. The switch uses only rsa
as the cryptography algorithm type.

Configure a Trustpoint CA on Fabric IPsec Gateway VM


About This Task

Use this procedure to configure the certificate authority (CA) to use Simple Certificate Enrollment
Protocol (SCEP) with a CA server for online certificate provisioning.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Configure the trusted CA URL:


set certificate ca-trustpoint <ca-label> ca-url <ca-url>
3. Configure the common name of the CA:
set certificate ca-trustpoint <ca-label> caname <caname>
4. Configure the HTTP request type to support the type of CA:
set certificate ca-trustpoint <ca-label> get-method <post | get>
5. Configure the appropriate action:
• Configure the trustpoint, authenticate the trustpoint CA by getting the certificate of the CA, and
store the CA certificate locally:

certificate ca <ca-trustpoint> caAuth


• Generate the certificate enrollment request, get the digital certificate, and store it locally,
associating with the trustpoint CA:

certificate ca <ca-trustpoint> enroll <subject-label>


• Get the Certificate Revocation List (CRL) from the CDP and store into a file:

certificate get crl-from <A.B.C.D> <user> <file-path> <cacert-filename>

• Get the CA certificate obtained from the trustpoint CA:

certificate get cacert-from <A.B.C.D> <user> <file-path>

• Get the subject certificate obtained from the trustpoint CA:

certificate get signedcert-from <A.B.C.D> <user> <file-path> <subject-label>

• Release the locally stored certificate associated with the trustpoint CA after revocation:

certificate ca <ca-trustpoint> remove <subject-label>


• Remove all certificates from the CA trustpoint:

Note
You can clean the CA trustpoint only if the subject-label is not configured on an IPsec
tunnel.

certificate ca <ca-trustpoint> clean

Example
Switch:1>enable
Switch:1#virtual-service FIGW console
FIGW>set certificate ca-trustpoint caExtremeEJBCA ca-url http://192.0.2.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe
FIGW>set certificate ca-trustpoint caExtremeEJBCA caname subca5
FIGW>set certificate ca-trustpoint caExtremeEJBCA get-method post

Variable Definitions

The following table defines parameters for the set certificate ca-trustpoint command.

Variable                  Value
<ca-label>                Specifies the name of the certificate authority (CA). The name can use
                          alphanumeric characters and is case-sensitive. The maximum length is 45
                          characters.
ca-url <ca-url>           Specifies the trusted CA URL.
caname <caname>           Specifies the name of the owner of the device or user.
get-method <post | get>   Specifies the HTTP request style. You can use post for EJBCA or get for
                          Win2012 CA. The default value is post.

The following table defines parameters for the certificate ca command.

Variable Value
<ca-trustpoint> Specifies the name of the certificate authority. The
name can be alphanumeric and is case-sensitive.
The maximum length is 45 characters.
<subject-label> Specifies the subject identity.


The following table defines parameters for the certificate get command.

Variable Value
cacert-from <A.B.C.D> <user> <file-path> Specifies where to obtain the CA certificate. Specify the IP address, username, and remote file path.
crl-from <A.B.C.D> <user> <file-path> <cacert-filename> Specifies where to obtain the Certificate Revocation List. Specify the IP address, username, remote file path, and the CA certificate file to verify the CRL.
signedcert-from <A.B.C.D> <user> <file-path> <subject-label> Specifies where to obtain the subject certificate. Specify the IP address, username, remote file path, and subject label.

Generate the Certificate Signing Request on Fabric IPsec Gateway VM


About This Task

Use this procedure to generate a certificate signing request (CSR) and store it into a file. This CSR is
required to obtain the offline subject certificate.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Generate the CSR:


certificate generate csr <subject-label>
3. Configure where to send the CSR for signing:
certificate send-csr-to <A.B.C.D> <user> <remote-path> <subject-label>

Variable Definitions

The following table defines parameters for the certificate generate csr command.

Variable Value
<subject-label> Specifies the subject identity.


The following table defines parameters for the certificate send-csr-to command.

Variable Value
<A.B.C.D> Specifies the IP address for the certificate authority.
<remote-path> Specifies the file path on the certificate authority.
<subject-label> Specifies the subject identity.
<user> Specifies the username for the certificate authority.

Remove Keys and Certificates on Fabric IPsec Gateway VM


Before You Begin

You can remove subject certificates from the certificate authority (CA) trustpoint only if the
subject-label is not configured on an IPsec tunnel.

About This Task

Use this procedure to remove keys or certificates from the certificate store.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Remove a key:
certificate remove key <key-label>
3. Remove a specific certificate from the store:
certificate remove offline-cacert <filename>
4. Remove a Certificate Revocation List (CRL) certificate from the store:
certificate remove offline-crl <filename>
5. Remove signed certificates for a specific subject label:
certificate remove offline-subject-certs <subject-label>
6. Remove a specific identity certificate from the CA trustpoint:
certificate ca <ca-trustpoint> remove <subject-label>
7. Remove all certificates from the CA trustpoint:
certificate ca <ca-trustpoint> clean

Variable Definitions
The following table defines parameters for the certificate remove command.


Variable Value
key <key-label> Specifies the key name to remove.
offline-cacert <filename> Specifies the certificate filename to remove.
offline-crl <filename> Specifies the Certificate Revocation List (CRL) certificate filename to remove.
offline-subject-certs <subject-label> Specifies the subject label for which to remove signed certificates.

The following table defines parameters for the certificate ca command.

Variable Value
<ca-trustpoint> Specifies the name of the certificate authority. The
name can be alphanumeric and is case-sensitive.
The maximum length is 45 characters.
<subject-label> Specifies the subject identity.

View the Certificate Details on Fabric IPsec Gateway VM

About This Task

Use this procedure for the following tasks:


• Display the digital certificate for a certificate type or list all the certificate details from the local store.
• Display the certificate authority (CA) details for a trustpoint CA name or list all the CA details from
the local store if the CA name is not specified.
• Display the configured key details for a key name.
• Display the configured subject details.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display all digital certificates:


show certificates all
3. Display the CA details:
show certificates cacert [<ca-label>]
4. Display Certificate Revocation List (CRL) certificate details:
show certificates crl [<ca-label>]


5. Display the certificate signing request (CSR) details:


show certificates csr [<ca-label>]
6. Display the name and public key of all the key-pairs:
show certificates keys
7. Display the details of signed certificates:
show certificate signed [<ca-label>]

Example
Switch:1>enable
Switch:1#virtual-service FIGW console
FIGW>show certificates keys key_rsa
Key Label: key_rsa
private key with:
pubkey: RSA 2048 bits
keyid: ef:4c:1d:a7:cc:84:6f:87:da:e4:de:99:07:3d:96:fc:9a:d1:c9:f4
subjkey: cb:d1:67:a0:da:9c:05:ce:c0:0d:a3:5c:1b:ba:ce:3f:ff:af:8f:77

Variable Definitions
The following table defines parameters for the show certificates command.

Variable Value
ca <ca-label> Specifies the name of the certificate authority (CA).
If you do not specify the name, the command displays the details of all configured CAs.

View the Certificate Configuration on Fabric IPsec Gateway VM

About This Task

Use this procedure to view the certificate configuration for the VM.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display all configured entries:


show running-config
3. Display the CA trustpoint configuration:
show certificate-config ca-trustpoint [<ca-label>]
4. Display the subject-related configuration:
show certificate-config subject [<subject-label>]


Examples
Switch:1>enable
Switch:1#virtual-service FIGW console
FIGW>show certificate-config ca-trustpoint
certificate {
ca-trustpoint {
ca-label a;
caname subCaVpn;
ca-url http://10.2.38.35:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe;
get-method post;
}

Switch:1>enable
Switch:1#virtual-service FIGW console
FIGW>show certificate-config subject
certificate {
subject {
subject-label fig;
DN CN=FIGW;
key-label gigi;
}
subject {
subject-label figv;
DN CN=figvpn;
}

Configure Egress Shaping Rate for IPsec Tunnels on Fabric IPsec Gateway VM
Before You Begin

Before you can configure the egress shaping rate for the IPsec tunnel on the VM, you must first disable
the IPsec tunnel.

About This Task

Perform this procedure to configure the egress shaping rate for IPsec tunnels on Fabric IPsec Gateway
Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Disable the IPsec tunnel:


delete ipsec <1-255> admin-state enable
3. Configure the egress shaping rate for the IPsec tunnel:
set ipsec <1-255> egress-shaping-rate <1-1000>
4. Enable the IPsec tunnel:
set ipsec <1-255> admin-state enable


Example
Configuring egress-shaping-rate for the IPsec tunnel on the Fabric IPsec Gateway VM:
Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> delete ipsec 1 admin-state enable
FIGW> set ipsec 1 egress-shaping-rate 200
FIGW> set ipsec 1 admin-state enable

Variable Definitions
The following table defines parameters for the set ipsec command.

Variable Value
<1-255> Specifies the unique ID for the IPsec tunnel.
admin-state <enable | disable> Enables or disables IPsec on the specific IPsec tunnel.
egress-shaping-rate <1-1000> Specifies the egress shaping rate for the IPsec tunnel.

Configure Logical Interface Tunnel on Fabric IPsec Gateway VM


About This Task

Perform this procedure to configure a Fabric Extend (FE) tunnel with only fragmentation and
reassembly capabilities, on the Fabric IPsec Gateway Virtual Machine (VM).

Procedure
1. Enter Fabric IPsec Gateway Configuration mode:
enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Configure the logical interface destination IP address for the specific tunnel:
set logical-intf-tunnel <1-255> fe-tunnel-dest-ip {A.B.C.D}
3. Configure the Maximum Transmission Unit (MTU) value for the specific tunnel:
set logical-intf-tunnel <1-255> mtu <750-9000>

Note
The MTU range <750-9000> is applicable for FE tunnels with only fragmentation and
reassembly capabilities.

4. Configure tunnel name:


set logical-intf-tunnel <1-255> tunnel-name WORD <1-64>


5. Configure the egress shaping rate for a specific tunnel:


set logical-intf-tunnel <1-255> egress-shaping-rate <1-1000>

Example
Configuring logical interface tunnel on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> set logical-intf-tunnel 2 fe-tunnel-dest-ip 192.0.2.50
FIGW> set logical-intf-tunnel 2 mtu 1300
FIGW> set logical-intf-tunnel 2 egress-shaping-rate 5
FIGW> set logical-intf-tunnel 2 tunnel-name Tunnel-to-BEB2

Variable Definitions
The following table defines parameters for the set logical-intf-tunnel command.

Variable Value
<1-255> Specifies the unique ID for the logical interface tunnel.
fe-tunnel-dest-ip {A.B.C.D} Specifies the FE tunnel destination IP address for the logical interface.
mtu <750-9000> Specifies the Maximum Transmission Unit (MTU) value for the FE tunnel with only fragmentation and reassembly capabilities.
tunnel-name WORD <1-64> Specifies a name for the logical interface tunnel.
egress-shaping-rate <1-1000> Specifies the egress shaping rate for the logical interface tunnel.

Save Running Configuration to a File


About This Task

Perform this procedure to save the current configuration on Fabric IPsec Gateway Virtual Machine (VM)
to a specific file.

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Save configuration to the default configuration file:


save config [-y]


3. Save configuration to a specific file in the Fabric IPsec Gateway VM.


save config file WORD <1-255> [-y]

Example

Save the Fabric IPsec Gateway configuration to file "test":


Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW>save config file test.txt
File already exists, do you want to overwrite [y/n]: y

Save the Fabric IPsec Gateway configuration to file "test", forcing the switch to overwrite the file
without confirmation:
Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> save config file test.txt -y

Variable Definitions
The following table defines parameters for the save config command.

Variable Value
file WORD <1-255> Specifies the name of the file in which to save the configuration of the Fabric IPsec Gateway VM.
-y Forces the switch to overwrite the configuration file without confirmation.

Remove Configuration File from Fabric IPsec Gateway VM


About This Task

Perform this procedure to remove a specific configuration file from Fabric IPsec Gateway Virtual
Machine (VM).

Procedure
1. Enter Fabric IPsec Gateway Configuration mode:
enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Remove the configuration file:


remove WORD <1-255>


Example
Remove configuration file "test" from Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> remove test

Variable Definitions
The following table defines parameters for the remove command.

Variable Value
WORD <1-255> Specifies the configuration file name that the system removes from Fabric
IPsec Gateway VM.

Delete Global Configuration on Fabric IPsec Gateway VM


About This Task

Perform this procedure to delete the global parameters that you configure on Fabric IPsec Gateway
Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Delete configuration of specific global parameters:


delete global <fe-tunnel-gw-ip | fe-tunnel-src-ip | ipsec-disable | ipsec-tunnel-src-ip | ipsec-tunnel-src-vlan | lan-intf-gw-ip | lan-intf-ip | lan-intf-vlan | mtu | virtual-reassembly-intf-ip | virtual-reassembly-intf-vlan | wan-intf-gw-ip>

Example
Deleting the global Maximum Transmission Unit (MTU) configuration on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> delete global mtu


Variable Definitions
The following table defines parameters for the delete global command.

Variable Value
fe-tunnel-gw-ip Deletes the global gateway IP address for Fabric Extend (FE) tunnel.
fe-tunnel-src-ip Deletes the global source IP address for FE tunnel.
ipsec-disable Deletes the global IPsec configuration.
ipsec-tunnel-src-ip Deletes the global source IP address and subnet mask for IPsec tunnel.
ipsec-tunnel-src-vlan Deletes the global source VLAN configuration for IPsec tunnel.
lan-intf-gw-ip Deletes the global gateway IP address on the Local Area Network (LAN) interface.
lan-intf-ip Deletes the global IP address and subnet mask on LAN interface.
lan-intf-vlan Deletes the global VLAN configuration on LAN interface.
mtu Resets the Maximum Transmission Unit (MTU) value to its default, that is 1950 bytes.
virtual-reassembly-intf-ip Deletes the global virtual-reassembly interface IP address and subnet mask.
virtual-reassembly-intf-vlan Deletes the global virtual-reassembly interface VLAN configuration.
wan-intf-gw-ip Deletes the global gateway IP address on the Wide Area Network (WAN) interface.

Delete IPsec Tunnel Configuration on Fabric IPsec Gateway VM


Before You Begin

You must disable the IPsec administrative state on the tunnel before you can remove IPsec
configuration.

About This Task

Perform this procedure to delete the configuration of a specific IPsec tunnel on Fabric IPsec Gateway
Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.


2. Delete the configuration of a specific tunnel:


delete ipsec <1-255> <admin-state enable | auth-key | encryption-key-length | fe-tunnel-dest-ip | fragment-before-encrypt enable | ipsec-dest-ip | mtu | responder-only | tunnel-name | egress-shaping-rate>

Example

Delete configuration on IPsec tunnel ID 2:


Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW>delete ipsec 2 admin-state enable
FIGW>delete ipsec 2 auth-key
FIGW>delete ipsec 2 tunnel-name
FIGW>delete ipsec 2 fragment-before-encrypt enable

Variable Definitions
The following table defines parameters for the delete ipsec command.

Variable Value
<1-255> Specifies the unique ID of the configured IPsec tunnel.
admin-state enable Disables the IPsec status on the specific IPsec tunnel.
auth-key Deletes the authentication key that you configure on the specific IPsec tunnel.
encryption-key-length Resets the encryption key length for the specific IPsec tunnel to its default value, that is 128 bit.
fe-tunnel-dest-ip Deletes the destination IP address that you configure on the Fabric Extend (FE) tunnel.
fragment-before-encrypt enable Disables the fragmentation of packets before IPsec encryption on the tunnel. By default, fragmentation before encryption is disabled.
ipsec-dest-ip Deletes the destination IP address that you configure on the IPsec tunnel.
mtu Resets the Maximum Transmission Unit (MTU) value for the specific IPsec tunnel to the MTU value configured globally.
responder-only Deletes the mode that you configure for the IPsec session in FE tunnel.
tunnel-name Deletes the name that you configure for the IPsec tunnel.
egress-shaping-rate Deletes the egress shaping rate for the IPsec tunnel.

Delete Logical Interface Tunnel Configuration on Fabric IPsec Gateway VM


About This Task

Perform this procedure to delete configuration of a specific logical interface tunnel on Fabric IPsec
Gateway Virtual Machine (VM).


Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Delete configuration of specific logical interface tunnel:


delete logical-intf-tunnel <1-255> <fe-tunnel-dest-ip | mtu | egress-shaping-rate>

Example
Deleting the destination IP address for Fabric Extend (FE) tunnel configured on the logical interface
tunnel with ID 3.

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> delete logical-intf-tunnel 3 fe-tunnel-dest-ip

Variable Definitions
The following table defines parameters for the delete logical-intf-tunnel command.

Variable Value
<1-255> Specifies the unique ID of the logical interface tunnel.
fe-tunnel-dest-ip Deletes the destination IP address that you configure on the logical
interface tunnel.
mtu Resets the Maximum Transmission Unit (MTU) value for the specific
logical interface tunnel to the MTU value configured globally.
egress-shaping-rate Deletes the egress shaping rate on the logical interface tunnel.

Display Data in a File on Fabric IPsec Gateway VM


About This Task

Perform this procedure to display the data in a specific file on Fabric IPsec Gateway Virtual Machine
(VM).


Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display data in a file:


more WORD <1-255>

Example
Display the data from coupled.cfg file:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> more coupled.cfg
set global ipsec-tunnel-src-vlan 125
set global ipsec-tunnel-src-ip 192.0.2.10/24
set global lan-intf-vlan 30
set global lan-intf-ip 192.0.2.20/24
set global lan-intf-gw-ip 192.0.2.25
set global fe-tunnel-src-ip 192.0.2.45
set global wan-intf-gw-ip 192.0.2.11
set global mtu 1950
set ipsec 1 auth-key ******
set ipsec 1 fe-tunnel-dest-ip 192.0.2.50
set ipsec 1 encryption-key-length 128
set ipsec 1 admin-state enable

Reboot Fabric IPsec Gateway VM


About This Task

Perform this procedure to reboot the Fabric IPsec Gateway Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Reboot the VM:


reboot


Example
Rebooting Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> reboot

Reset Current Configuration on Fabric IPsec Gateway VM


About This Task

Perform this procedure to reset the current configuration on Fabric IPsec Gateway Virtual Machine
(VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Reset current configuration:


reset-config

Note
Reboot the Fabric IPsec Gateway VM after you reset the configuration.

Example
Resetting current configuration on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> reset-config

Traceroute to an IP address on Fabric IPsec Gateway VM


About This Task

Perform this procedure to traceroute to an IP address on Fabric IPsec Gateway Virtual Machine (VM).


Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Traceroute to an IP address:
traceroute {A.B.C.D}

Example
Traceroute to IP address.

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> traceroute 192.0.2.100

Variable Definitions
The following table defines parameters for the traceroute command.

Variable Value
{A.B.C.D} Specifies the IP address to initiate traceroute to.

Display the Default Configuration File on Fabric IPsec Gateway VM


About This Task

Perform this procedure to display the default configuration file on the Fabric IPsec Gateway Virtual
Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display default configuration file:


show default-config-file


Example
Displaying default configuration file on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> show default-config-file
coupled.cfg

Display IPsec Logs on Fabric IPsec Gateway


About This Task

Perform this procedure to display IPsec session logs on the Fabric IPsec Gateway Virtual Machine (VM).

Procedure
1. Enter Fabric IPsec Gateway Configuration mode:
enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display IPsec session logs:


show ipsec-logs

Example
Displaying IPsec session logs on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> show ipsec-logs
<<Month dd>> <<hh:mm:ss>> 15[IKE] <ipsec0-192.0.2.10|29> sending DPD request
<<Month dd>> <<hh:mm:ss>> 15[ENC] <ipsec0-192.0.2.10|29> generating INFORMATIONAL request 11832 [ ]
<<Month dd>> <<hh:mm:ss>> 15[NET] <ipsec0-192.0.2.10|29> sending packet: from 192.0.2.30[500] to 192.0.2.10[500] (76 bytes)
<<Month dd>> <<hh:mm:ss>> 13[NET] <ipsec0-192.0.2.10|29> received packet: from 192.0.2.10[500] to 192.0.2.30[500] (76 bytes)
<<Month dd>> <<hh:mm:ss>> 13[ENC] <ipsec0-192.0.2.10|29> parsed INFORMATIONAL response 11832 [ ]
<<Month dd>> <<hh:mm:ss>> 11[NET] <ipsec0-192.0.2.10|29> received packet: from 192.0.2.10[500] to 192.0.2.30[500] (76 bytes)
<<Month dd>> <<hh:mm:ss>> 11[ENC] <ipsec0-192.0.2.10|29> parsed INFORMATIONAL request 12924 [ ]
<<Month dd>> <<hh:mm:ss>> 11[ENC] <ipsec0-192.0.2.10|29> generating INFORMATIONAL response 12924 [ ]
<<Month dd>> <<hh:mm:ss>> 11[NET] <ipsec0-192.0.2.10|29> sending packet: from 192.0.2.30[500] to 192.0.2.10[500] (76 bytes)
<<Month dd>> <<hh:mm:ss>> 06[IKE] <ipsec0-192.0.2.10|29> sending DPD request
<<Month dd>> <<hh:mm:ss>> 06[ENC] <ipsec0-192.0.2.10|29> generating INFORMATIONAL request 11833 [ ]
<<Month dd>> <<hh:mm:ss>> 06[NET] <ipsec0-192.0.2.10|29> sending packet: from 192.0.2.30[500] to 192.0.2.10[500] (76 bytes)
--More-- (q = quit)
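
The following Python script is an added example, not part of the VOSS documentation or of Extreme Networks code: it parses captured show ipsec-logs output and lists locally generated IKE requests (such as the DPD probes above) that have no matching parsed response, which is the first thing to check when a tunnel peer stops answering. It assumes the timestamp prints in syslog style (for example "Sep 12 10:15:01") where the guide shows placeholders; the sample log lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the `show ipsec-logs` example above.
# The second entry is wrapped across two lines, as a terminal would wrap it,
# and the capture ends with the pager prompt.
SAMPLE_LOG = """\
Sep 12 10:15:01 15[IKE] <ipsec0-192.0.2.10|29> sending DPD request
Sep 12 10:15:01 15[ENC] <ipsec0-192.0.2.10|29> generating INFORMATIONAL request
11832 [ ]
Sep 12 10:15:01 15[NET] <ipsec0-192.0.2.10|29> sending packet: from 192.0.2.30[500] to 192.0.2.10[500] (76 bytes)
Sep 12 10:15:01 13[NET] <ipsec0-192.0.2.10|29> received packet: from 192.0.2.10[500] to 192.0.2.30[500] (76 bytes)
Sep 12 10:15:01 13[ENC] <ipsec0-192.0.2.10|29> parsed INFORMATIONAL response 11832 [ ]
Sep 12 10:15:04 06[IKE] <ipsec0-192.0.2.10|29> sending DPD request
Sep 12 10:15:04 06[ENC] <ipsec0-192.0.2.10|29> generating INFORMATIONAL request 11833 [ ]
Sep 12 10:15:04 06[NET] <ipsec0-192.0.2.10|29> sending packet: from 192.0.2.30[500] to 192.0.2.10[500] (76 bytes)
--More-- (q = quit)
"""

# timestamp, thread[SUBSYSTEM], <connection|IKE SA id>, message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
# ENC messages carry the exchange type, direction and IKE message ID
ENC_RE = re.compile(
    r"^(?P<verb>generating|parsed)\s+(?P<exchange>[A-Z_]+)\s+"
    r"(?P<kind>request|response)\s+(?P<mid>\d+)\b"
)


def parse_entries(text):
    """Return one dict per log entry, rejoining wrapped continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):
            continue  # blank line or pager prompt
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:
            # No timestamp: this is the wrapped tail of the previous entry.
            entries[-1]["msg"] += " " + line
    return entries


def unanswered_requests(text):
    """List (connection, message ID, timestamp) for each request this
    gateway generated that has no parsed response later in the capture.
    Requests initiated by the peer are ignored."""
    pending = {}
    for e in parse_entries(text):
        if e["subsys"] != "ENC":
            continue
        m = ENC_RE.match(e["msg"])
        if not m:
            continue
        key = (e["conn"], int(e["sa"]), m["exchange"], int(m["mid"]))
        if m["verb"] == "generating" and m["kind"] == "request":
            pending[key] = e["ts"]
        elif m["verb"] == "parsed" and m["kind"] == "response":
            pending.pop(key, None)
    return [(conn, mid, ts) for (conn, _sa, _ex, mid), ts in pending.items()]


if __name__ == "__main__":
    for conn, mid, ts in unanswered_requests(SAMPLE_LOG):
        print(f"{ts} {conn}: request {mid} has no response in this capture")
```

A request at the very end of a capture may simply still be in flight; several consecutive unanswered message IDs on the same connection are the pattern that points at a dead or unreachable peer.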

Display IPsec Routes on Fabric IPsec Gateway VM


About This Task

Perform this procedure to display the IPsec routes configured on the Fabric IPsec Gateway Virtual
Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display IPsec routes installed:


show ipsec-routes

Example
Displaying the IPsec routes configured on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> show ipsec-routes
192.0.2.30 via 192.0.2.20 dev eth0.125 mtu lock 1950
192.0.2.1/24 dev eth0.30 proto kernel scope link src 192.0.2.2
192.0.2.10 via 192.0.2.45 dev eth0.30
192.0.2.100/24 dev eth0.125 proto kernel scope link src 192.0.2.60
192.0.2.11/16 dev docker0 proto kernel scope link src 192.0.2.12 linkdown

Display IPsec Encryption Statistics on Fabric IPsec Gateway VM


About This Task

Perform this procedure to display the IPsec encryption statistics on the Fabric IPsec Gateway Virtual
Machine (VM).


Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display IPsec encryption statistics:


show ipsec-stats

Example
Displaying IPsec encryption statistics on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> show ipsec-stats
src 192.0.2.30 dst 192.0.2.40
proto esp spi 0xc0c2d9cd(3233995213) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0xa9c1923a4b4c5618ea2f3596de821261218bdea2 (160 bits) 128
anti-replay context: seq 0x0, oseq 0x138, bitmap 0x00000000
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 3268(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
475650(bytes), 312(packets)
add <<yyyy-mm-dd>> <<hh:mm:ss>> use <<yyyy-mm-dd>> <<hh:mm:ss>>
stats:
replay-window 0 replay 0 failed 0
src 192.0.2.40 dst 192.0.2.30
proto esp spi 0xc92b08e5(3375040741) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0x9ca3568095298cefaaa709b9b932eb5141bd252c (160 bits) 128
anti-replay context: seq 0x135, oseq 0x0, bitmap 0xffffffff
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 3341(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
470953(bytes), 309(packets)
add <<yyyy-mm-dd>> <<hh:mm:ss>> use <<yyyy-mm-dd>> <<hh:mm:ss>>
stats:
replay-window 0 replay 0 failed 0
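
The following Python script is an added example, not part of the VOSS documentation or of Extreme Networks code: it masks the key material in captured show ipsec-stats output before the capture is attached to a ticket, and reports the security associations whose drop counters under "stats:" are non-zero. It assumes the output follows the Linux `ip -s xfrm state` layout that the example above matches, in which the hexadecimal value after the algorithm name is the SA key material; the sample input is constructed with placeholder keys and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the `show ipsec-stats` example above.
# The key values are constructed placeholders, not real keys.
SAMPLE_STATS = """\
src 192.0.2.30 dst 192.0.2.40
proto esp spi 0xc0c2d9cd(3233995213) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 (160 bits) 128
lifetime current:
475650(bytes), 312(packets)
stats:
replay-window 0 replay 0 failed 0
src 192.0.2.40 dst 192.0.2.30
proto esp spi 0xc92b08e5(3375040741) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0x1111111111111111111111111111111111111111 (160 bits) 128
lifetime current:
470953(bytes), 309(packets)
stats:
replay-window 0 replay 3 failed 1
"""

# Lines that carry key material: <type> <algorithm> 0x<hex> ...
KEY_RE = re.compile(
    r"^(\s*(?:aead|auth-trunc|auth|enc)\s+\S+\s+)0x[0-9a-fA-F]+", re.M)


def redact_keys(text):
    """Mask SA key material; SPIs and sequence numbers are left intact."""
    return KEY_RE.sub(r"\g<1>0x<redacted>", text)


def parse_sas(text):
    """Return one dict per security association (SA) in the output."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:  # each SA block starts with its outer tunnel endpoints
            sas.append({"src": m[1], "dst": m[2]})
            continue
        if not sas:
            continue
        sa = sas[-1]
        if m := re.match(
                r"proto (\S+) spi (0x[0-9a-f]+)\(\d+\) reqid (\d+)\S* mode (\S+)",
                line):
            sa.update(proto=m[1], spi=m[2], reqid=int(m[3]), mode=m[4])
        elif m := re.match(r"aead (\S+) 0x\S+ \((\d+) bits\) (\d+)$", line):
            # keying material length, then ICV length, both in bits
            sa.update(aead=m[1], keymat_bits=int(m[2]), icv_bits=int(m[3]))
        elif m := re.match(r"(\d+)\(bytes\), (\d+)\(packets\)$", line):
            sa.update(bytes=int(m[1]), packets=int(m[2]))
        elif m := re.match(r"replay-window (\d+) replay (\d+) failed (\d+)$", line):
            # drop counters: outside replay window, replayed, failed integrity
            sa["drops"] = {"replay_window": int(m[1]),
                           "replay": int(m[2]),
                           "failed": int(m[3])}
    return sas


def sas_with_drops(text):
    """List (src, dst, spi, counters) for SAs with any non-zero drop counter."""
    return [(sa["src"], sa["dst"], sa["spi"], sa["drops"])
            for sa in parse_sas(text)
            if any(sa.get("drops", {}).values())]


if __name__ == "__main__":
    print(redact_keys(SAMPLE_STATS))
    for src, dst, spi, drops in sas_with_drops(SAMPLE_STATS):
        print(f"SA {src} -> {dst} spi {spi}: {drops}")
```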


Display the Status of IPsec Tunnels on Fabric IPsec Gateway VM


About This Task

Perform this procedure to display the status of the IPsec tunnels configured on the Fabric IPsec Gateway
Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display the status of IPsec tunnels configured on the VM:


show ipsec-status

Example
Displaying the status of configured IPsec tunnel on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> show ipsec-status
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-128-generic, x86_64):
uptime: 13 days, since <<month, day hh:mm:ss year>>
malloc: sbrk 2433024, mmap 0, used 369408, free 2063616
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
192.0.2.40
192.0.2.20
Connections:
ipsec0-192.0.2.5: 192.0.2.40...192.0.2.5 IKEv2, dpddelay=3s
ipsec0-192.0.2.5: local: [192.0.2.60] uses pre-shared key authentication
ipsec0-192.0.2.5: remote: [192.0.2.5] uses pre-shared key authentication
ipsec0-192.0.2.5: child: 192.0.2.60/32 === 192.0.2.5/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
ipsec0-192.0.2.5[29]: ESTABLISHED 21 hours ago, 192.0.2.40[192.0.2.60]...192.0.2.5[192.0.2.5]
ipsec0-192.0.2.5[29]: IKEv2 SPIs: dcf0a2d545d40679_i 55006e07252b9934_r*, pre-shared key reauthentication in 2 hours
ipsec0-192.0.2.5[29]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ipsec0-192.0.2.5{377}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c92b08e5_i c0c2d9cd_o
ipsec0-192.0.2.5{377}: AES_GCM_16_128, 291247 bytes_i (190 pkts, 6s ago), 297523 bytes_o (194 pkts, 1s ago), rekeying in 30 minutes
ipsec0-192.0.2.5{377}: 192.0.2.60/32 === 192.0.2.5/32


Display the IPsec Configuration on the Fabric IPsec Gateway VM


About This Task

Perform this procedure to display the IPsec configuration on the Fabric IPsec Gateway Virtual Machine
(VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display the IPsec configuration on the VM:


show ipsec-config <1-255>

Example

Displaying the IPsec configuration on the VM:


Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

FIGW> show ipsec-config 2


ipsec {
tunnel_id 2;
encryption-key-length 128;
fe-tunnel-dest-ip 10.10.10.10;
ipsec-dest-ip 70.70.70.73;
mtu 1950;
responder-only false;
tunnel-name ----;
auth-method psk;
cert-subject;
auth-key *****;
egress-shaping-rate 110;
fragment-before-encrypt enable;
admin-state enable

Display the Logical Interface IPsec Configurations on the Fabric IPsec Gateway VM
About This Task

Perform this procedure to display the logical interface IPsec configurations on the Fabric IPsec Gateway
Virtual Machine (VM).


Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display the logical interface IPsec configurations on the VM:


show logical-intf-config <1-255>

Example

Displaying the logical interface IPsec configurations on the Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW>
FIGW> show logical-intf-config 1
logical-intf-tunnel {
tunnel_id 1;
tunnel-name ----;
fe-tunnel-dest-ip 20.20.20.20;
mtu 1950;
egress-shaping-rate 110;

Display Current Configuration on Fabric IPsec Gateway VM


About This Task

Perform this procedure to display the parameters configured currently on the Fabric IPsec Gateway
Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display the parameters currently configured on the VM:


show running-config

Example
Displaying the parameters configured on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> show running-config
set global ipsec-tunnel-src-vlan 125
set global ipsec-tunnel-src-ip 192.0.2.1/24
set global lan-intf-vlan 30
set global lan-intf-ip 192.0.2.10/24
set global lan-intf-gw-ip 192.0.2.25
set global fe-tunnel-src-ip 192.0.2.55
set global wan-intf-gw-ip 192.0.2.11
set global mtu 1950
set ipsec 1 auth-key ******
set ipsec 1 fe-tunnel-dest-ip 192.0.2.70
set ipsec 1 encryption-key-length 128
set ipsec 1 admin-state enable

Display Current Version of Fabric IPsec Gateway VM


About This Task

Display current version of the Fabric IPsec Gateway Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Display current version of the VM:


show version

Example

Displaying current version of the Fabric IPsec Gateway VM:


Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW>show version
FabricIPSecGW_VM_4.0.0.0

Log Out of Fabric IPsec Gateway VM


About This Task

Perform this procedure to log out of the Fabric IPsec Gateway Virtual Machine (VM).

Procedure

1. Enter Fabric IPsec Gateway Configuration mode:


enable

virtual-service WORD<1-128> console

Note
Type CTRL+Y to exit the console.

2. Log out of the VM:


exit

Example
Logging out of the Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

<cr>
FIGW> exit

Fabric Configuration Work Flow
This section describes the generic work flow to configure SPBM and IS-IS infrastructure and services on
your network.

Note
This section is an overview. For further details on the SPBM and IS-IS infrastructure and
configuration, see the sections described in the Documentation Sources section that follows.

1. Infrastructure configuration

As a first step, you must configure your basic infrastructure for Shortest Path Bridging MAC (SPBM).
2. Services configuration

After you complete the infrastructure configuration, you configure the appropriate services for your
network to run on top of your base architecture. This includes:
• Layer 2 and Layer 3 VSNs
• IP Shortcuts
• Inter-VSN routing
3. Fabric interoperations

You can also configure Fabric gateway functionality like SPB-PIM Gateway and VXLAN Gateway.
4. Operations and Management

To debug connectivity issues and isolate network faults in the SPBM network, you can use
Connectivity Fault Management (CFM).

Documentation Sources
See the following documentation sources:
• For information on basic SPBM infrastructure and IS-IS configuration and Layer 2 services, see Fabric
Basics and Layer 2 Services on page 923.

This section also contains information on configuring Fabric Extend, which enables your enterprise
to extend Fabric Connect technology over Layer 2 or Layer 3 core networks.
• For information on Fabric Layer 3 services configuration, see Fabric Layer 3 Services on page 1341.
• For information on IP Multicast over Fabric Connect configuration and services, see IP Multicast over
Fabric Connect on page 1682. SPB-PIM Gateway configuration on page 3187 also contains information
about configuring the SPB-PIM Gateway (SPB-PIM GW), which provides multicast inter-domain
communication between an SPB network and a PIM network. The SPB-PIM GW can also connect
two independent SPB domains.

• For information on CFM, see Connectivity Fault Management on page 3506.


• For information on VXLAN Gateway configuration, see VXLAN Gateway on page 3918.

Fabric Basics and Layer 2 Services
SPBM and IS-IS Infrastructure Configuration on page 923
Layer 2 VSN configuration on page 1270
Inter-VSN Routing Configuration on page 1316
SPBM Reference Architectures on page 1326

SPBM and IS-IS Infrastructure Configuration

SPBM and IS-IS Infrastructure Fundamentals


Shortest Path Bridging MAC (SPBM) is a next generation virtualization technology that revolutionizes
the design, deployment, and operations of carriers and service providers, along with enterprise campus
core networks and the enterprise data center. SPBM provides massive scalability while at the same time
reducing the complexity of the network.

SPBM eliminates the need for multiple overlay protocols in the core of the network by reducing the core
to a single Ethernet based link-state protocol that provides all virtualization services in an integrated
model. In addition, by relying on endpoint service provisioning only, the idea of building your network
once and not touching it again becomes a true reality. This technology provides all the features and
benefits required by carrier-grade, enterprise and service provider deployments without the complexity
of alternative technologies, for example, Multiprotocol Label Switching (MPLS).

SPBM simplifies deployments by eliminating the need to configure multiple points throughout the
network. When you add new connectivity services to an SPBM network you do not need intrusive core
provisioning. The simple endpoint provisioning is done where the application meets the network, with
all points in between automatically provisioned through the robust link-state protocol,
Intermediate-System-to-Intermediate-System (IS-IS).

Most Ethernet based networks use 802.1Q tagged interfaces between the routing switches. SPBM uses
two Backbone VLANs (B-VLANs) that are used as the transport instance. A B-VLAN is not a traditional
VLAN in the sense that it does not flood unknown, broadcast or multicast traffic, but only forwards
based on IS-IS provisioned backbone MAC (B-MAC) tables. After you configure the B-VLANs and the
IS-IS protocol is operational, you can map the services to service instances.

SPBM uses IS-IS to discover and advertise the network topology, which enables it to compute the
shortest path to all nodes in the SPBM network. SPBM uses IS-IS shortest path trees to populate
forwarding tables for the individual B-MAC addresses of each participating node.

To forward customer traffic across the core network backbone, SPBM uses IEEE 802.1ah Provider
Backbone Bridging (PBB) MAC-in-MAC encapsulation, which hides the customer MAC (C-MAC)
addresses in a backbone MAC (B-MAC) address pair. MAC-in-MAC encapsulation defines a B-MAC
destination address (BMAC-DA) and a B-MAC source address (BMAC-SA). Encapsulating customer
MAC addresses in B-MAC addresses improves network scalability (no end-user C-MAC learning is
required in the core) and also significantly improves network robustness (loops have no effect on the
backbone infrastructure).

The SPBM B-MAC header includes a Service Instance Identifier (I-SID) field that is 32 bits long and carries
a 24-bit ID. I-SIDs identify and transmit virtualized traffic in an encapsulated SPBM frame. You can use
I-SIDs in a Virtual Services Network (VSN) for VLANs or VRFs across the MAC-in-MAC backbone:
• Unicast
◦ For a Layer 2 VSN, the device associates the I-SID with a customer VLAN, which the device then
virtualizes across the backbone. Layer 2 VSNs associate one VLAN per I-SID.
◦ With Layer 3 VSN, the device associates the I-SID with a customer VRF, which the device
virtualizes across the backbone. Layer 3 VSNs associate one VRF per I-SID.
◦ With Inter-VSN routing, Layer 3 devices, routers, or hosts connect to the SPBM cloud using the
SPBM Layer 2 VSN service. The Backbone Core Bridge can transmit traffic between different
VLANs with different I-SIDs.
◦ With IP shortcuts, no I-SID is required; forwarding for the Global Routing Table (GRT) is done
using IS-IS based shortest path BMAC reachability.

For more information on Fabric Layer 3 services, see Fabric Layer 3 Services on page 1341.

• Multicast
◦ With Layer 2 VSN with IP multicast over Fabric Connect, the BEB associates a data I-SID with the
multicast stream and the scope I-SID is based on the Layer 2 VSN I-SID.
◦ With Layer 3 VSN with IP multicast over Fabric Connect, the BEB associates a data I-SID with the
multicast stream and the scope I-SID is based on the Layer 3 VSN I-SID.
◦ With IP Shortcuts with IP multicast over Fabric Connect, the BEB associates a data I-SID with the
multicast stream, but there is no I-SID for the scope, which is the Global Routing Table (GRT).

For more information on IP multicast over Fabric Connect, see IP Multicast over Fabric Connect on
page 1682.

Note
Inter-VSN routing for IP multicast over Fabric Connect is not supported.

The switch supports the IEEE 802.1aq standard of SPBM, which allows for larger Layer 2 topologies and
permits faster convergence.

Multiple tenants using different SPBM services


The following figure shows multiple tenants using different services within an SPBM metro network. In
this network, you can use some or all of the SPBM implementation options to meet the needs of the
community while maintaining the security of information within VLAN members.

Figure 55: Multi-tenant SPBM metro network


To illustrate the versatility and robustness of SPBM even further, the following figure shows a logical
view of multiple tenants in a ring topology. In this architecture, each tenant has its own domain where
some users have VLAN requirements and are using Layer 2 VSNs and others have VRF requirements
and are using Layer 3 VSNs. In all three domains, they can share data center resources across the SPBM
network.

Figure 56: SPBM ring topology with shared data centers

spbm-config-mode boot flag


Shortest Path Bridging (SPB) and Protocol Independent Multicast (PIM) cannot interoperate with each
other on the switch at the same time. The boot flag called spbm-config-mode ensures that SPB and
PIM stay mutually exclusive.
• The spbm-config-mode boot flag is enabled by default. This enables you to configure SPB and
IS-IS, but you cannot configure PIM either globally or on an interface.
• If you disable the boot flag, save the configuration and reboot with the saved configuration. After
you disable the flag, you can configure PIM and IGMP Snooping, but you cannot configure SPB or
IS-IS.

Important
• Any change to the spbm-config-mode boot flag requires a reboot for the change to
take effect.
• If you disable the boot flag, save the configuration and reboot with the saved
configuration. After you disable the flag, you can configure PIM and IGMP Snooping, but
you cannot configure SPB or IS-IS.

For more information, see IP Multicast on page 1457.

vxlan-gw-full-interworking-mode Boot Configuration Flag


The VXLAN Gateway implementation is available in the following modes:
• Base Interworking Mode – This is the default mode. In this mode, VXLAN Gateway supports Layer 2
gateway communication between VXLAN and traditional VLAN environments.
• Full Interworking Mode – This mode supports the Base mode communication between VXLAN
and traditional VLAN environments as well as VXLAN-to-VXLAN communication and all SPB
functionality including vIST and SMLT. To enter this mode, you must enable the vxlan-gw-full-
interworking-mode boot configuration flag.

Note
Changing the mode requires a reboot for the change to take effect.

MAC-in-MAC encapsulation
To forward customer traffic across the core network backbone, SPBM uses IEEE 802.1ah Provider
Backbone Bridging (PBB) MAC-in-MAC encapsulation, which hides the customer MAC (C-MAC)
addresses in a backbone MAC (B-MAC) address pair. MAC-in-MAC encapsulation defines a B-MAC
source address (BMAC-SA) and a B-MAC destination address (BMAC-DA) to identify the backbone
source and destination addresses.

The originating node creates a MAC header that is used for delivery from end to end. As the MAC
header stays the same across the network, there is no need to swap a label or do a route lookup at each
node, allowing the frame to follow the most efficient forwarding path end to end.

Encapsulating customer MAC addresses in B-MAC addresses improves network scalability (no end-user
C-MAC learning is required in the core) and also significantly improves network robustness (loops in
access networks do not impact forwarding results in the backbone infrastructure).

I-SID
SPBM introduces a service instance identifier called I-SID. SPBM uses I-SIDs to separate services from
the infrastructure. After you create an SPBM infrastructure, you can add additional services (such
as VLAN extensions or VRF extensions) by provisioning the endpoints only. The SPBM endpoints
are Backbone Edge Bridges (BEBs), which mark the boundary between the core MAC-in-MAC SPBM
domain and the edge customer 802.1Q domain. I-SIDs are provisioned on the BEBs to be associated
with a particular service instance. In the SPBM core, the bridges are Backbone Core Bridges (BCBs).
BCBs forward encapsulated traffic based on the BMAC-DA.

The SPBM B-MAC header includes a Service Instance Identifier (I-SID) field that is 32 bits long and carries
a 24-bit ID. I-SIDs identify a service instance for virtualized traffic in an encapsulated SPBM frame.
You can use I-SIDs in a Virtual Services Network (VSN) for VLANs or VRFs across the MAC-in-MAC
backbone:
• For a Layer 2 VSN, the I-SID is associated with a customer VLAN, which is then virtualized across the
backbone. Layer 2 VSNs offer an any-any LAN service type. Layer 2 VSNs associate one VLAN per
I-SID.
• For a Layer 2 VSN with IP multicast over Fabric Connect, the BEB associates a data I-SID with the
multicast stream and a scope I-SID that defines the scope as Layer 2 VSN. A multicast stream with a
scope of Layer 2 VSN can only transmit a multicast stream for the same Layer 2 VSN.
• For a Transparent Port UNI, the I-SID is associated with a port or MLT, which is then virtualized across
the backbone. Transparent Port UNI associates multiple ports or MLT to an I-SID.
• For a Layer 3 VSN, the I-SID is associated with a customer VRF, which is also virtualized across the
backbone. Layer 3 VSNs are always full-mesh topologies. Layer 3 VSNs associate one VRF per I-SID.
• For a Layer 3 VSN with IP multicast over Fabric Connect, the BEB associates a data I-SID with the
multicast stream and a scope I-SID that defines the scope as Layer 3 VSN. A multicast stream with a
scope of Layer 3 VSN can only transmit a multicast stream for the same Layer 3 VSN.
• For IP Shortcuts with IP multicast over Fabric Connect, the BEB associates a data I-SID with the
multicast stream and defines the scope as Layer 3 GRT. A multicast stream with a scope of Layer 3
GRT can only transmit a multicast stream for a Layer 3 GRT.

Note
I-SID configuration is required only for virtual services such as Layer 2 VSN and Layer 3 VSN.
With IP Shortcuts with unicast, no I-SID is required; forwarding for the Global Routing Table is
done using IS-IS based shortest path B-MAC reachability.

Note
I-SID to VLAN binding is used to automatically determine the path between client and server
in order to attach network devices to FA Zero touch services.

BCBs and BEBs

Table 85: Fabric Mode product support


| Feature | Product | Release introduced |
|---|---|---|
| Fabric BCB mode | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | VOSS 8.0.50 |
| Fabric BEB mode | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VSP 8200 4.0 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | VOSS 8.0.50 |

The boundary between the core MAC-in-MAC SPBM domain and the edge customer 802.1Q domain is
handled by Backbone Edge Bridges (BEBs). I-SIDs are provisioned on the BEBs to be associated with a
particular service instance.

In the SPBM core, the bridges are referred to as Backbone Core Bridges (BCBs). BCBs forward
encapsulated traffic based on the BMAC-DA.

Important
SPBM separates the payload from the transport over the SPBM infrastructure. Configure all
virtualization services on the BEBs at the edge of the network. There is no provisioning
required on the core SPBM switches. This provides a robust carrier grade architecture where
configuration on the core switches never needs to be touched when adding new services.

A BEB performs the same functionality as a BCB, but it also terminates one or more Virtual Service
Networks (VSN). A BCB does not terminate any VSNs and is unaware of the VSN traffic it transports. A
BCB simply knows how to reach any other BEB in the SPBM backbone.

VLANs without member ports


If a VLAN is attached to an I-SID, there must be another instance of that same I-SID in the SPBM
network.
• If another instance of that I-SID exists, the device designates that VLAN as operationally up
regardless of whether it has a member port or not.

When the VLAN is operationally up, the IP address of the VLAN will be in the routing table.
• If no matching instance of the I-SID exists in the SPBM network, then that VLAN has no reachable
members and does not act as a network-to-network interface (NNI).

The VLAN does not act as a UNI interface because it does not have a member port.

Therefore, the device does not designate the VLAN as operationally up because the VLAN does not
act as a UNI or an NNI.

If the device acts as a BCB with two VLANs configured and two I-SIDs, there must be a UNI side with
the corresponding I-SID existing in the network.

If the device acts as both BEB and BCB, then there must be a member port in that VLAN to push out
the UNI traffic.

Basic SPBM network topology


The following figure shows a basic SPBM network topology, specifically a Layer 2 VSN. Switches A
and D are the Backbone Edge Bridges (BEB) that provide the boundary between the customer VLANs
(C-VLAN) and the Backbone. Switches B and C are the Backbone Core Bridges (BCB) that form the
core of the SPBM network.

Figure 57: SPBM L2 VSN


SPBM uses IS-IS in the core so that all BEBs and BCBs learn the IS-IS System-ID (B-MAC) of every
other switch in the network. For example, BEB-A uses IS-IS to build an SPBM unicast forwarding table
containing the B-MAC of switches BCB-B, BCB-C, and BEB-D.

The BEBs provide the boundary between the SPBM domain and the virtualized services domain. For a
Layer 2 VSN service, the BEBs map a C-VLAN to an I-SID based on local service provisioning. Any BEB
in the network that has the same I-SID configured can participate in the same Layer 2 VSN.

In this example, BEB A and BEB D are provisioned to associate C-VLAN 20 with I-SID 100. When BEB
A receives traffic from C-VLAN 20 that must be forwarded to the far-end location, it performs a lookup
and determines that C-VLAN 20 is associated with I-SID 100 and that BEB D is the destination for I-SID
100. BEB A then encapsulates the data and C-MAC header into a new B-MAC header, using its own
nodal B-MAC: A as the source address and B-MAC: D as the destination address. BEB A then forwards
the encapsulated traffic to BCB B.

To forward traffic in the core toward the destination node D, BCB B and BCB C perform Ethernet
switching using the B-MAC information only.

At BEB D, the node strips off the B-MAC encapsulation, and performs a lookup to determine the
destination for traffic with I-SID 100. BEB D identifies the destination on the C-VLAN header as C-VLAN
20 and forwards the packet to the appropriate destination VLAN and port.
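
The walk-through above as an added Python example (not code from the VOSS guide): it builds the 802.1ah frame BEB A would send for C-VLAN 20 and I-SID 100, shows the only fields a BCB reads, and parses the frame back as BEB D or a capture-analysis tool would. The MAC addresses, B-VID 4051 and payload are constructed sample values, and accepting 0x8100 as well as 0x88A8 as the B-TAG type is an assumption of this example.

```python
import struct

# Tag types: 0x88A8 is the 802.1ad tag type used for the B-TAG, 0x88E7 is the
# 802.1ah I-TAG. Accepting 0x8100 as a B-TAG type is an assumption made here.
BTAG_TPIDS = (0x88A8, 0x8100)
ITAG_TPID = 0x88E7
CTAG_TPID = 0x8100
BACKBONE_HDR_LEN = 6 + 6 + 4 + 6   # BMAC-DA, BMAC-SA, B-TAG, I-TAG


class PBBError(ValueError):
    """Frame is not well-formed MAC-in-MAC."""


def mac(text):
    """'00:00:5e:00:53:0a' -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise PBBError(f"bad MAC address {text!r}")
    return raw


def encapsulate(b_da, b_sa, b_vid, i_sid, customer_frame, pcp=0):
    """Ingress BEB: prepend the backbone header; the customer frame is untouched."""
    if not 1 <= b_vid <= 4094:
        raise PBBError("B-VID must be 1..4094")
    if not 0 <= i_sid < (1 << 24):
        raise PBBError("I-SID must fit in 24 bits")
    if not 0 <= pcp <= 7:
        raise PBBError("PCP must be 0..7")
    b_tag = struct.pack("!HH", BTAG_TPIDS[0], (pcp << 13) | b_vid)
    # 32-bit I-TAG control field: PCP(3) DEI(1) UCA(1) reserved(3) I-SID(24)
    i_tag = struct.pack("!HI", ITAG_TPID, (pcp << 29) | i_sid)
    return b_da + b_sa + b_tag + i_tag + customer_frame


def bcb_forwarding_key(frame):
    """What a BCB switches on: B-VID and BMAC-DA only, nothing deeper."""
    if len(frame) < 16:
        raise PBBError("truncated before B-TAG")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid not in BTAG_TPIDS:
        raise PBBError(f"unexpected B-TAG type 0x{tpid:04x}")
    return tci & 0x0FFF, frame[0:6]


def decapsulate(frame):
    """Egress BEB or capture analyzer: split backbone header from customer frame."""
    b_vid, b_da = bcb_forwarding_key(frame)
    if len(frame) < BACKBONE_HDR_LEN + 14:
        raise PBBError("truncated before inner Ethernet header")
    i_tpid, i_tci = struct.unpack("!HI", frame[16:22])
    if i_tpid != ITAG_TPID:
        raise PBBError(f"expected I-TAG 0x88e7, got 0x{i_tpid:04x}")
    inner = frame[BACKBONE_HDR_LEN:]
    (etype,) = struct.unpack("!H", inner[12:14])
    c_vid = None
    if etype == CTAG_TPID:
        if len(inner) < 18:
            raise PBBError("truncated C-TAG")
        c_vid = struct.unpack("!H", inner[14:16])[0] & 0x0FFF
    return {
        "b_da": b_da, "b_sa": frame[6:12], "b_vid": b_vid,
        "i_sid": i_tci & 0xFFFFFF,
        "c_da": inner[0:6], "c_sa": inner[6:12], "c_vid": c_vid,
        "customer_frame": inner,
    }


# Constructed sample values (not from the guide): documentation-range MACs,
# B-VID 4051 and a dummy payload. C-VLAN 20 and I-SID 100 match the text.
BMAC_A, BMAC_D = mac("00:00:5e:00:53:0a"), mac("00:00:5e:00:53:0d")
CMAC_SRC, CMAC_DST = mac("00:00:5e:00:53:c1"), mac("00:00:5e:00:53:c2")
CUSTOMER_FRAME = (CMAC_DST + CMAC_SRC + struct.pack("!HH", CTAG_TPID, 20)
                  + struct.pack("!H", 0x0800) + b"constructed payload")


def demo():
    """BEB A encapsulates toward BEB D; return frame, BCB key, BEB D's view."""
    frame = encapsulate(BMAC_D, BMAC_A, 4051, 100, CUSTOMER_FRAME)
    return frame, bcb_forwarding_key(frame), decapsulate(frame)


if __name__ == "__main__":
    frame, key, fields = demo()
    print("BCB key  : B-VID", key[0], "BMAC-DA", key[1].hex(":"))
    print("BEB D    : I-SID", fields["i_sid"], "-> C-VLAN", fields["c_vid"])
    print("overhead :", len(frame) - len(CUSTOMER_FRAME), "bytes")
```

The customer frame, C-MAC addresses included, comes back byte for byte, and the BCB key never depends on it, which is why the core needs no C-MAC learning.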

E-Tree and Private VLAN topology

Table 86: E-Tree and Private VLANs product support


| Feature | Product | Release introduced |
|---|---|---|
| E-Tree and private VLANs | VSP 4450 Series | VSP 4000 4.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 4.1 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |
| Routing on Private VLANs | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | VOSS 8.5 |
| | VSP 7200 Series | VOSS 8.5 |
| | VSP 7400 Series | VOSS 8.5 |
| | VSP 8200 Series | VOSS 8.5 |
| | VSP 8400 Series | VOSS 8.5 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

Ethernet Private Tree (E-Tree) extends Shortest Path Bridging MAC (SPBM) to Private VLANs (PVLAN).

Transport within the SPBM network is achieved by associating the private VLAN with an I-SID. Flooded
traffic from both promiscuous and isolated devices is transported over the same I-SID multicast tree
and suppression for spoke-to-spoke traffic is done on the egress SPB Backbone Edge Bridge (BEB).
This means the Private VLAN IDs are globally significant and must be the same on all BEBs.

The following list provides details for E-Tree and Private VLAN topology:
• E-Tree associates a Private VLAN with an I-SID.

Note
The same I-SID could be attached to a regular VLAN. In that case, all ports on the regular
VLAN behave like Promiscuous ports on the PVLAN.

• Other SPB BEBs can associate a regular CVLAN to the same I-SID that E-Tree uses.

Note
The CVLAN ID must match the primary PVLAN ID.

• CVLAN devices assigned to the same I-SID that E-Tree uses have Promiscuous connectivity within
the segment.

The following figure shows a basic E-Tree network topology consisting of groups of private VLANs
connected by the SPBM core network.

Figure 58: Sample E-Tree configuration

Private VLAN port types

The private VLAN port type is isolated, promiscuous, or trunk. If the port is a member of an MLT, then
the port inherits the private VLAN type of the MLT.

In terms of network topology, the isolated port is considered a spoke. The isolated port, or spoke, does
not communicate with any other isolated port in the network. The isolated port only communicates with
the promiscuous ports, or hubs.

E-Tree and Private VLAN limitations

The following limitations apply to E-Tree and Private VLAN topology:


• A port that is of Private VLAN type trunk must be tagged. Isolated and Promiscuous Private VLAN
ports can be either tagged or untagged.
• When a port or MLT that has a Private VLAN type set to Isolated or Promiscuous is added to a
private VLAN, if that port is used by other non-private VLANs, then those non-private VLANs are
removed.
• A port which is Private VLAN type Isolated and is tagged can belong to only one Private VLAN.

IS-IS

Table 87: IS-IS product support


| Feature | Product | Release introduced |
|---|---|---|
| IS-IS authentication with SHA-256 | VSP 4450 Series | VOSS 7.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 7.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 7.0 |
| | VSP 8400 Series | VOSS 7.0 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | VOSS 8.0.50 |
| Suspend duplicate system ID detection | VSP 4450 Series | VOSS 6.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 6.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 6.1 |
| | VSP 8400 Series | VOSS 6.1 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | VOSS 8.0.50 |
| Multiple IS-IS parallel adjacencies | VSP 4450 Series | VOSS 7.0 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 7.0 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 7.0 |
| | VSP 8400 Series | VOSS 7.0 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

SPBM eliminates the need for multiple overlay protocols in the core of the network by reducing the core
to a single Ethernet-based, link-state protocol (IS-IS). IS-IS provides virtualization services using a pure
Ethernet technology base. SPBM also uses IS-IS to discover and advertise the network topology, which
enables it to compute the shortest path to all nodes in the SPBM network.

IS-IS is a link-state, interior gateway protocol that was developed for the International Organization for
Standardization (ISO). ISO terminology refers to routers as Intermediate Systems (IS), hence the name
Intermediate System-to-Intermediate System (IS-IS).

To provide a loop-free network and to learn and distribute network information, SPBM uses the
Intermediate-System-to-Intermediate-System (IS-IS) link state routing protocol. IS-IS is designed to find
the shortest path from any one destination to any other in a dynamic fashion. IS-IS creates any-to-any
connectivity in a network in an optimized, loop-free manner, without the long convergence delay
experienced with the Spanning Tree Protocol. IS-IS does not block ports from use, but rather employs a
specific path. As such, all links are available for use.

IS-IS dynamically learns the topology of a network and constructs unicast and multicast mesh
connectivity. IS-IS parallel adjacency support allows you to configure multiple IS-IS links between the
two nodes. Each node in the network calculates a shortest-path tree to every other network node based
on System-IDs (B-MAC addresses). Only one adjacency with the shortest path is selected as an active
adjacency.

Note
Only an active interface with an active adjacency is added into local SPF calculations. This
mechanism ensures the local node selects the shortest path and has the same view as the rest
of the SPB network.

In the SPBM environment for Layer 2 VSNs, IS-IS carries only pure Layer 2 information with no
requirement for an underlying IP control plane or forwarding path. IS-IS runs directly over Layer 2.

Note
SPBM carries Layer 3 information for Layer 3 VSNs.

In SPBM networks, IS-IS performs the following functions:


• Discovers the network topology
• Builds shortest path trees between the network nodes:
◦ Forwards unicast traffic
◦ Determines the forwarding table for multicast traffic
• Communicates network information in the control plane:
◦ Service Instance Identifier (I-SID) information

SPBM can distribute I-SID service information to all SPBM nodes, as the I-SIDs are created. SPBM
includes I-SID information in the IS-IS Link State protocol data units (PDUs). When a new service
instance is provisioned on a node, its membership is flooded throughout the topology using an IS-IS
advertisement.

Standard TLVs
IS-IS uses Type-Length-Value (TLV) encoding. SPBM employs IS-IS as the interior gateway protocol and
implements additional TLVs to support additional functionality. The switch also supports Sub-TLVs. TLVs
exist inside IS-IS packets and Sub-TLVs exist as additional information in TLVs.

The switch supports and is in full compliance with standard 802.1aq TLVs. The IEEE ratified the 802.1aq
standard that defines SPBM and the Type-Length-Value (TLV) encoding that IS-IS uses to support
SPBM services. The following table lists all the TLVs that the switch supports.

Table 88: Standard TLVs


| TLV | Description | Usage |
|---|---|---|
| 1 | Area addresses — The Area Addresses TLV contains the area addresses to which the IS-IS is connected. | IS-IS area |
| 22 | Extended IS reachability — The Extended IS Reachability TLV contains information about adjacent neighbors. | IS-IS adjacencies<br>Sub-TLV 29: SPBM link metric is carried within this TLV. |
| 129 | Protocols supported — The Protocol supported TLV carries the Network Layer Protocol Identifiers (NLPID) for the Network Layer protocols where the IS-IS can be used. | SPBM in addition to existing NLPID (IPV4 0xCC, IPV6 0x*E..), IEEE 802.1aq defined SPBM NLPID as 0xC1. |
| 135 | Extended IP reachability — The Extended IP Reachability TLV 135 is used to distribute IP reachability between IS-IS peers. | SPBM uses this existing IS-IS TLV to carry IP Shortcut routes in the Global Routing Table (GRT). |
| 143 | Multi-topology port aware capability (MT-Port-Capability) TLV<br>This TLV carries the SPB instance ID in a multiple SPB instances environment. This TLV is carried within IS-IS Hello Packets (IIH), only when parallel links exist. | This TLV carries the following SPBM Sub TLV:<br>• Sub-TLV 6: SPB B-VID Sub TLV indicates the mapping between a VLAN and its equal cost tree (ECT) algorithm. To form an adjacency, both nodes must have a matching primary (B-VLAN, ECT) pair, and secondary (B-VLAN, ECT) pair, the number of B-VLANs must be equal, B-VLAN values must match, ECT values for the B-VLANs must match. Used in IS-IS Hellos only.<br>• MCID Sub TLV: The MCID is a digest of the VLANs and MSTI. Neighboring SPBM nodes must agree on the MCID to form an adjacency. The MCID is set to all zeros (0). After the switch receives a non-zero MCID Sub TLV, it reflects content back to the neighbor.<br>• Link L1 Metric Sub-TLV 7: Contains L1 metric of the link |
| 144 | Multi-topology Capability (MT-Capability) TLV.<br>This TLV carries the SPB instance ID in a multiple SPB instance environment. This TLV is carried within LSPs.<br>In multicast over Fabric Connect, TLV 144 on the BEB bridge, where the sender is located, has the transmit (Tx) bit set. On the BEB bridge, where the receiver is located the receive (Rx) bit is set. | TLV 144 is the service identifier TLV. TLV 144 advertises B-MAC and I-SID information.<br>This TLV carries the following Sub TLVs:<br>Sub-TLV 1: SPB instance Sub TLV contains a unique SPSourceID (nickname) to identify the SPBM node within this SPB topology.<br>Sub-TLV 3: SPB Service ID (I-SID) is stored in TLV 144 sub-TLV 3. Sub-TLV 3 carries service group membership (I-SIDs) for a particular SPBM B-VLAN. |
| 184 | SPBM IP VPN reachability — IS-IS TLV 184 is used to advertise SPBM L3 VSN route information across the SPBM cloud. | IP reachability for Layer 3 VSNs |
| 185 | IPVPN multicast TLV with IPMC sub TLV — The IPVPN multicast TLV contains information about the scope I-SID. | TLV 185 on the BEB bridge, where the source is located, displays the multicast source and group addresses and has the transmit (Tx) bit set. Each multicast group has its own data I-SID that maps to the source and group addresses.<br>As part of the IPVPN TLV, sub-TLVs define IPv4 unicast, IPv6 unicast and IPv4 multicast information.<br>Layer 2 VSN IP multicast over Fabric Connect and Layer 3 VSN IP multicast over Fabric Connect (using VRF) use TLV 185. |
| 186 | IP multicast TLV (GRT) — TLV 186 on the BEB bridge, where the source is located, displays the multicast source and group addresses and has the transmit (Tx) bit set. Each multicast group has its own data I-SID that maps to the source and group addresses. | IP Shortcuts with IP multicast over Fabric Connect use TLV 186.<br>All multicast streams are constrained within the level in which they originate, which is called the scope level. |
| 236 | IPv6 Reachability — The IPv6 reachability TLV 236 is used to distribute IPv6 network reachability between IS-IS peers. | SPBM uses the existing IS-IS TLV to carry IPv6 shortcut routes through the SPBM core. |

For more information on IP multicast over Fabric Connect, see IP Multicast over Fabric Connect on page
1682.

IS-IS hierarchies
IS-IS is a dynamic routing protocol that operates within an autonomous system (or domain). IS-IS
provides support for hierarchical routing, which enables you to partition large routing domains into
smaller areas. When used separately from SPBM, IS-IS uses a two-level hierarchy, dividing the domain
into multiple Level 1 areas and one Level 2 area. When used separately from SPBM, the Level 2 area
serves as the backbone of the domain, connecting to all the Level 1 areas. SPBM currently uses only Level 1
areas.

Important
The IEEE 802.1aq standard currently only defines the use of one hierarchy, Level 1. Level 2
function is disabled.

IS-IS PDUs
Intermediate System to Intermediate System Hello (IIH) packets discover IS-IS neighbors and establish
and maintain IS-IS adjacencies. An IIH is sent in every Hello-interval to maintain the established
adjacency. If a node has not heard IIHs from its neighbor for (hello-interval x hello-multiple) seconds,
the node tears down the adjacency. IIH carries TLV 143 and SPB B-VLAN Sub-TLV (among other
sub-TLVs). For two nodes to form an adjacency, the B-VLAN pairs for primary B-VLAN and secondary
B-VLAN must match.

Link State Packets (LSP) advertise link state information. The system uses the link state information to
compute the shortest path. LSP also advertises MT-capability TLV 144 and SPB instance Sub-TLV, and
SPB I-SIDs Sub-TLV.

Complete Sequence Number Packets (CSNP) contain the most recent sequence numbers of all LSPs
in the database. CSNP notifies neighbors about the local LSDB. After a neighbor receives a CSNP, it
compares the LSPs in the CSNP with the LSPs in the local LSDB. If the neighbor is missing LSPs, it sends
a Partial Sequence Number Packet (PSNP) to request the missing LSPs. This process synchronizes the
LSDBs among neighbors. A synchronized LSDB among all nodes in the network is crucial to producing a
loop-free shortest path.

IS-IS configuration parameters

IS-IS system identifiers

The IS-IS system identifiers consist of three parts:


• System ID — The system ID is any 6 bytes that are unique in a given area or level. The system
ID defaults to the baseMacAddress of the chassis but you can configure a non-default value.
The system ID must use a unicast MAC address; do not use a multicast MAC address. A MAC
address that has the low order bit 1 set in the highest byte is a multicast MAC address. For
example, the following are multicast MAC addresses: x1xx.xxxx.xxxx, x3xx.xxxx.xxxx, x5xx.xxxx.xxxx,
x7xx.xxxx.xxxx, x9xx.xxxx.xxxx, xBxx.xxxx.xxxx, xDxx.xxxx.xxxx, and xFxx.xxxx.xxxx.
• Manual area — The manual area or area ID is up to 13 bytes long. The first byte of the area number
(for example, 49) is the Authority and Format Indicator (AFI). The next bytes are the assigned
domain (area) identifier, which is up to 12 bytes (for example, 49.0102.0304.0506.0708.0910.1112).
IS-IS supports a maximum of three manual areas, but the switch software only supports one manual
area.
• NSEL — The last byte (00) is the n-selector. In this implementation, this part is automatically
attached. There is no user input accepted.

The Network Entity Title (NET) is the combination of all three global parameters.

All routers have at least one manual area. Typically, a Level 1 router does not participate in more than
one area.

The following are the requirements for system IDs:


• All IS-IS enabled routers must have one manual area and a unique system ID.
• All routers in the same area must have the same area ID.
• All routers must have system IDs of the same length (6 bytes).
• All IS-IS enabled routers must have a unique nickname.
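
The requirements above can be checked across a planned fabric before any adjacency is brought up. The following Python sketch is an added example, not code from the guide or the switch software: the inventory format, function names and finding labels are assumptions, the node entries are constructed, and the reserved nickname 3.33.33 comes from the restrictions listed later in this guide.

```python
import re
from collections import Counter

SYSID_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
RESERVED_NICKNAME = "3.33.33"  # conflicts with IPv6 multicast 33:33:xx:xx:xx:xx


def sysid_bytes(system_id):
    """Return the 6 raw bytes of a system ID written as xxxx.xxxx.xxxx."""
    if not SYSID_RE.match(system_id):
        raise ValueError(f"system ID must be 6 bytes (xxxx.xxxx.xxxx): {system_id!r}")
    return bytes.fromhex(system_id.replace(".", ""))


def is_multicast(system_id):
    """True when the low-order bit of the highest (first) byte is set."""
    return bool(sysid_bytes(system_id)[0] & 0x01)


def area_bytes(area):
    """Return the raw bytes of a manual area: the AFI byte plus up to 12 more."""
    raw = bytes.fromhex(area.replace(".", ""))  # ValueError on malformed hex
    if not 1 <= len(raw) <= 13:
        raise ValueError(f"manual area must be 1 to 13 bytes: {area!r}")
    return raw


def build_net(area, system_id):
    """Combine manual area, system ID and the fixed 00 n-selector into a NET."""
    area_bytes(area)
    sysid_bytes(system_id)
    return f"{area}.{system_id.lower()}.00"


def audit_fabric(nodes):
    """Return (node name, finding) pairs for every rule a node breaks."""
    sysids = Counter(n["system_id"].lower() for n in nodes)
    nicknames = Counter(n["nickname"] for n in nodes)
    # Assumption: all listed nodes are meant to share the most common area ID.
    expected_area = Counter(n["area"] for n in nodes).most_common(1)[0][0]
    findings = []
    for n in nodes:
        name = n["name"]
        try:
            if is_multicast(n["system_id"]):
                findings.append((name, "multicast-system-id"))
        except ValueError:
            findings.append((name, "malformed-system-id"))
        try:
            area_bytes(n["area"])
        except ValueError:
            findings.append((name, "malformed-area"))
        if sysids[n["system_id"].lower()] > 1:
            findings.append((name, "duplicate-system-id"))
        if nicknames[n["nickname"]] > 1:
            findings.append((name, "duplicate-nickname"))
        if n["nickname"] == RESERVED_NICKNAME:
            findings.append((name, "reserved-nickname"))
        if n["area"] != expected_area:
            findings.append((name, "area-mismatch"))
    return findings


# Constructed inventory: two valid nodes and two that break the rules.
SAMPLE_NODES = [
    {"name": "SPBM-1", "system_id": "0016.ca23.73df", "area": "49.0000", "nickname": "0.00.01"},
    {"name": "SPBM-2", "system_id": "0018.b0bb.b3df", "area": "49.0000", "nickname": "0.00.02"},
    {"name": "SPBM-3", "system_id": "0100.5e00.0001", "area": "49.0000", "nickname": "0.00.03"},
    {"name": "SPBM-4", "system_id": "0018.b0bb.b3df", "area": "49.0001", "nickname": "3.33.33"},
]

if __name__ == "__main__":
    for node, finding in audit_fabric(SAMPLE_NODES):
        print(f"{node}: {finding}")
```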

PSNP interval

You can change the PSNP interval rate. A longer interval reduces overhead, while a shorter interval
speeds up convergence.


CSNP periodic and interval rate

You can configure the CSNP periodic and interval rate. A longer interval reduces overhead, while a
shorter interval speeds up convergence.

Parameters for the link state packet

Link state packets (LSPs) contain vital information about the state of adjacencies, which must be
exchanged with neighboring IS-IS systems. Routers periodically flood LSPs throughout an area to
maintain synchronization. You can configure the LSP to reduce overhead or speed up convergence.

The following list describes IS-IS parameters related to LSPs:


• The max-lsp-gen-interval is the time interval at which the generated LSP is refreshed. The
default is 900 seconds with a range of 30 to 900.
• The retransmit-lsp-interval is the minimum amount of time between retransmissions of an
LSP. When transmitting or flooding an LSP, an acknowledgement (ACK) is expected. If the ACK is not
received within retransmit-lsp-interval, the LSP is retransmitted. The default is 5 seconds
with a range of 1 to 300.

Point-to-point mode

All SPBM links are point-to-point links. The switch does not support broadcast links.

IS-IS interface authentication

Configure IS-IS interface authentication to improve security and to guarantee that only trusted routers
are included in the IS-IS network. Interface level authentication only checks the IIH PDUs. If the
authentication type or key in a received IIH does not match the locally-configured type and key, the IIH
is rejected. By default, authentication is disabled.

You can use one of the following authentication methods:


• Simple password authentication — Uses a text password in the transmitted packet. The receiving
router uses an authentication key (password) to verify the packet.
• MD5 authentication — Creates a Message Digest (MD5) key.
• SHA-256 — Adds a Hash-based Message Authentication Code (HMAC) digest to each IS-IS Hello
packet.

Important
If the .isis_md5key.txt and .isis_simplekey.txt are missing, IS-IS adjacencies cannot be
established.

Password considerations

To reset the authentication password type, you must set the type to none.

The switch software supports only interface level authentication. The switch software does not support
area level or domain level authentication.


SHA-256 considerations

IS-IS Hello packets are sent periodically to discover IS-IS neighbors, and to establish and maintain IS-IS
adjacencies. If you enable SHA-256 authentication, the switch adds an HMAC-SHA256 digest to each
Hello packet.

Note
The interfaces used to make the adjacencies must have SPBM configured.

The switch that receives the Hello packet computes the digest of the packet and compares it with the
received digest. If the digests match, the packet is accepted. If the digests do not match, the receiving
switch discards the packet.

Directly connected switches must share the same key (secret), which can have a maximum length of 16
characters.
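
The accept-or-discard decision described above can be modelled in a few lines. This Python sketch is an added example, not code from the guide or the switch software: it assumes a simplified framing in which the digest is appended to the Hello body, which is not the IS-IS wire encoding, and the Hello body and key are constructed sample values.

```python
import hashlib
import hmac

MAX_KEY_LEN = 16                           # key length limit stated in the guide
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def check_key(key):
    """Validate the shared secret and return it as bytes."""
    if not 1 <= len(key) <= MAX_KEY_LEN:
        raise ValueError("key must be 1 to 16 characters")
    return key.encode("ascii")


def sign_hello(hello_body, key):
    """Sender side: append the HMAC-SHA256 digest to the Hello body.

    Assumption: simplified framing (body followed by digest), used only to
    show the check; the real packet layout differs.
    """
    digest = hmac.new(check_key(key), hello_body, hashlib.sha256).digest()
    return hello_body + digest


def accept_hello(packet, key):
    """Receiver side: recompute the digest and compare it to the received one.

    Returns True to accept the Hello and False to discard it.
    """
    if len(packet) <= DIGEST_LEN:
        return False                       # too short to carry body and digest
    body, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hmac.new(check_key(key), body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(expected, received)


def demo():
    """Run the four cases a receiver has to handle and return the verdicts."""
    body = b"IIH|sysid=0016.ca23.73df|holdtime=27"   # constructed Hello body
    key = "fabric-secret-01"                         # constructed 16-character key
    packet = sign_hello(body, key)
    tampered = body.replace(b"holdtime=27", b"holdtime=99") + packet[-DIGEST_LEN:]
    return {
        "same_key": accept_hello(packet, key),
        "different_key": accept_hello(packet, "other-secret"),
        "tampered_body": accept_hello(tampered, key),
        "truncated": accept_hello(packet[:10], key),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'discard'}")
```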

Hellos

To update the identities of neighboring routers, you can configure the:


• IS-IS Interface Level 1 Hello interval
• IS-IS Interface Level 1 Hello multiplier

IS-IS Interface Level 1 Hello interval

IS-IS uses level 1 Hello packets to initialize and maintain adjacencies between neighboring routers.

You can configure the IS-IS interface level 1 Hello interval to change how often Hello packets are sent
out from an interface level.

IS-IS Interface Level 1 Hello multiplier

You can configure the IS-IS interface level 1 Hello multiplier to specify how many Hellos the switch must
miss before it considers the adjacency with a neighboring switch down. By default, the hold (wait) time
is the Hello interval multiplied by the Hello multiplier. By default, if the Hello interval is 9 and the Hello
multiplier is 3, the hold time is 27. If the Hello multiplier is increased to 10, the hold time is increased to
90.

IS-IS Interface Level 1 Link metric

You can configure the IS-IS interface level 1 link metric to overwrite the default metric value. By
configuring the metric, you can specify a preferred path. Low cost reflects high-speed media, and high
cost reflects slower media. For the wide metric, the value ranges from 1 to 16,777,215.
• The switch only supports the wide metric.
• The total cost of a path equals the sum of the cost of each link.
• The default value for wide metrics is 10.

Note
When multiple paths exist to reach a node, the path with the lowest sum of metrics of the
individual links is chosen. If the sums are the same, the path with the lowest
number of hops is chosen. If the number of hops is the same as well, then the tie-breaking is
done by the system ID.
For the primary B-VLAN, the path that has a node with the lowest system ID is chosen.
For the secondary B-VLAN, the path that has a node with the highest system ID is
chosen.

Disabling IS-IS

You can disable IS-IS globally or at the interface level. If IS-IS is globally disabled, then all IS-IS functions
stop. If IS-IS is enabled at the global level and disabled at one of the interface levels, then IS-IS
continues on all other interfaces.

Overload Bit

A node sends the overload bit in LSP updates to inform other devices whether to use that node to pass
transit traffic. For example, when a device receives an LSP with an overload bit, the device ignores that
LSP in its Shortest Path First (SPF) calculation to avoid sending transit traffic through the overloaded
node; however, the overloaded node can still receive traffic destined to itself.

The system activates the overload bit on bootup and clears it after 20 seconds. You can use the
overload-on-startup parameter to control the time before the overload bit is cleared after
bootup.

You can permanently configure the overload bit using the overload parameter. If you use this
parameter, the system does not clear the overload bit after bootup and sends it in all LSP updates. If
the overload bit is configured, other devices do not include this node for use as a transit node in IS-IS
computations. By default, the overload parameter is set to false.

The overload and overload-on-startup parameters are configured under the router isis
configuration mode in the CLI.

When IS-IS is enabled on a switch, the switch delays a reset by two seconds so that LSPs with the
overload bit can be sent to all Backbone Edge Bridges (BEB) and Backbone Core Bridges (BCB) in the
SPB domain.

SPBM B-VLAN
Each SPBM network instance is associated with at least one backbone VLAN (B-VLAN) in the core
SPBM network.

Note
SPB internally uses spanning tree group (STG) 63 or Multiple Spanning Tree Instance (MSTI)
62. STG 63 or MSTI 62 cannot be used by another VLAN or MSTI. For non-SPB customer
networks, if you use STG 63 or MSTI 62 in the configuration, you must delete STG 63 or MSTI
62 before you can configure SPBM.


This VLAN is used for both control plane traffic and dataplane traffic.

Note
Always configure two B-VLANs in the core to allow load distribution over both B-VLANs.

SPBM alters the behavior of the VLAN. When a B-VLAN is associated with an SPBM network the
following VLAN attributes and behaviors are modified for the B-VLAN:
• Flooding is disabled
• Broadcasting is disabled
• Source address learning is disabled
• Unknown MAC discard is disabled

You cannot add ports to a B-VLAN manually; IS-IS enabled ports are automatically added to the
B-VLAN.

Essentially the B-MAC addresses are programmed into the B-VLAN Forwarding Information Bases
(FIBs) by IS-IS instead of the traditional VLANs flooding and learning approach.

Modification of the VLAN behavior is necessary to ensure proper control over the SPBM traffic.

Pre-populated FIB
An Ethernet network usually learns MAC addresses as frames are sent through the switch. This process
is called reverse learning and is accomplished through broadcast.

SPBM does not allow any broadcast flooding of traffic on the B-VLAN, to prevent loops
caused by flooding packets with unknown destinations (although multicast traffic is
supported). As such, MAC addresses must be distributed within SPBM. This is accomplished by carrying
the necessary B-MAC addresses inside the IS-IS link state database. To that end, SPBM supports an IS-IS
TLV that advertises the I-SID and B-MAC information across the network. This functionality enables the
powerful end-point-provisioning of SPBM.

These Backbone MAC addresses are populated into the SPBM VLAN Forwarding Information Base (FIB)
to maximize efficiency and to allow Reverse Path Forwarding Check (RPFC) to operate properly.

RPFC
A loop prevention mechanism is required at Layer 2 to stop wayward traffic from crippling the network.
Reverse Path Forwarding Check (RPFC) is the chosen method of suppressing loop traffic with SPBM.
RPFC was originally designed for IP traffic at Layer 3 where it checks the source address of the packet
against the routing entry in the routing table. The source address must match the route for the port it
came in on; otherwise, the packet is illegitimate and therefore dropped.

With SPBM, the node matches the source B-MAC address against the ingress port to establish validity.
If the frame is not supposed to come in that port, it is immediately suppressed, imposing guaranteed
loop control. If there is no VLAN FDB entry to the source MAC address with the outgoing port as the
ingress port, the frame is dropped.


SPBM Unicast FIB

Unicast FIB

The unicast computation runs a single Dijkstra (unlike all pair Dijkstras for multicast). SPBM produces
only one Shortest Path First (SPF) tree and the tree is rooted on the computing node.

The unicast computation generates an entry for each node in the network. The Destination Address
(DA) for that entry is the system-id of the node. In addition, if a node advertises MAC addresses other
than the system-id, each MAC address has an entry in the unicast FIB table, and the shortest path to
that MAC should be exactly the same as the path to the node.

Unicast FIB entries are installed to the vlan-fdb table.

The following text shows an example of the unicast FIB.


Switch:1# show isis spbm unicast-fib
==================================================================================================
SPBM UNICAST FIB ENTRY INFO
==================================================================================================
DESTINATION BVLAN SYSID HOST-NAME OUTGOING COST AREA AREA-NAME
ADDRESS INTERFACE
--------------------------------------------------------------------------------------------------
00:16:ca:23:73:df 1000 0016.ca23.73df SPBM-1 1/21 10 HOME area-9.00.02
00:16:ca:23:73:df 2000 0016.ca23.73df SPBM-1 1/21 10 HOME area-9.00.02
00:18:b0:bb:b3:df 1000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02
00:14:c7:e1:33:e0 1000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02
00:18:b0:bb:b3:df 2000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02

--------------------------------------------------------------------------------------------------
Home: Total number of SPBM UNICAST FIB entries 5
Remote: Total number of SPBM UNICAST FIB entries 0
--------------------------------------------------------------------------------------------------
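
The RPFC rule described earlier can be applied directly to this table: a frame is accepted only if the entry for its B-VLAN and source B-MAC lists the ingress port as the outgoing interface. The following Python sketch is an added example, not code from the guide or the switch software: the FIB rows are the sample rows shown above, while the function names and the test frames are constructed for illustration.

```python
import re

# Rows taken from the sample "show isis spbm unicast-fib" output above.
FIB_OUTPUT = """\
DESTINATION BVLAN SYSID HOST-NAME OUTGOING COST AREA AREA-NAME
ADDRESS INTERFACE
00:16:ca:23:73:df 1000 0016.ca23.73df SPBM-1 1/21 10 HOME area-9.00.02
00:16:ca:23:73:df 2000 0016.ca23.73df SPBM-1 1/21 10 HOME area-9.00.02
00:18:b0:bb:b3:df 1000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02
00:14:c7:e1:33:e0 1000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02
00:18:b0:bb:b3:df 2000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02
Home: Total number of SPBM UNICAST FIB entries 5
"""

# One FIB row: destination B-MAC, B-VLAN, system ID, host name, outgoing interface, cost.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<bvlan>\d+)\s+"
    r"(?P<sysid>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<host>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<cost>\d+)\s",
    re.IGNORECASE,
)


def parse_unicast_fib(text):
    """Map (B-VLAN, B-MAC) to the outgoing interface; header lines are skipped."""
    fib = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            fib[(int(m["bvlan"]), m["mac"].lower())] = m["port"]
    return fib


def rpfc_accepts(fib, bvlan, src_bmac, ingress_port):
    """Accept only when the FIB entry toward the source B-MAC on this B-VLAN
    points out of the port the frame arrived on; no entry means drop."""
    expected = fib.get((bvlan, src_bmac.lower()))
    return expected is not None and expected == ingress_port


# Constructed frames: (B-VLAN, source B-MAC, ingress port).
SAMPLE_FRAMES = [
    (1000, "00:16:ca:23:73:df", "1/21"),    # arrives on the expected port
    (1000, "00:16:ca:23:73:df", "MLT-2"),   # right source, wrong port (loop symptom)
    (2000, "00:14:c7:e1:33:e0", "MLT-2"),   # this B-MAC has no entry on B-VLAN 2000
    (1000, "00:14:C7:E1:33:E0", "MLT-2"),   # same B-MAC in upper case on B-VLAN 1000
    (1000, "02:00:00:00:00:99", "1/21"),    # source unknown to IS-IS
]


def check_frames(frames=SAMPLE_FRAMES):
    """Return 'accept' or 'drop' for each frame, in order."""
    fib = parse_unicast_fib(FIB_OUTPUT)
    return ["accept" if rpfc_accepts(fib, *f) else "drop" for f in frames]


if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, check_frames()):
        print(frame, verdict)
```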

SPBM Restrictions

RSTP and MSTP

The following list identifies restrictions and limitations associated with RSTP and MSTP:
• RSTP mode does not support SPBM.
• A C-VLAN-level loop across SPBM network-to-network interface (NNI) ports cannot be detected
and needs to be resolved at the provisional level.
• SPBM NNI ports are not part of the Layer 2 VSN C-VLAN, and BPDUs are not transmitted over the
SPBM tunnel. SPBM can only guarantee loop-free topologies consisting of the NNI ports. You should
always use Simple Loop Prevention Protocol (SLPP) in an SMLT environment.

Note
Deploy SLPP on C-VLANs to detect loops created by customers in their access networks.
However, SLPP is not required on B-VLANs, and it is not supported. The B-VLAN active
topology is controlled by IS-IS that has loop mitigation and prevention capabilities built
into the protocol.

• SPB internally uses spanning tree group (STG) 63 or Multiple Spanning Tree Instance (MSTI) 62. STG
63 or MSTI 62 cannot be used by another VLAN or MSTI. For non-SPB customer networks, if you use
STG 63 or MSTI 62 in the configuration, you must delete STG 63 or MSTI 62 before you can configure
SPBM.
• You must configure SPBM B-VLANs on all devices in the same MSTP region. MSTP requires this
configuration to generate the correct digest.
• Configure the SPBM B-VLANs to use matching VLAN IDs.

Best Practices for SPB Regarding MSTP

Use NNI ports exclusively to transport traffic for SPB-based services, and do not configure them as members
of any VLANs other than SPB B-VLANs. In releases that do not support nni-mstp, when an SPBM
IS-IS interface is created on an NNI port or an MLT, MSTP is automatically disabled for MSTI-62 on the
port/MLT. However, MSTP is not automatically disabled on NNI ports for the CIST (default MSTI). In
releases that support the boot config flags nni-mstp command, the default behavior of the
MSTP NNI ports is that CIST is disabled automatically on the NNI and the NNI ports cannot be members
of any VLANs other than B-VLANs. The boot config flags nni-mstp setting must be set to false (which is
the default). The following example shows the command to disable the MSTP on the NNI ports.
Switch:1(config)#interface gigabitEthernet 1/8
Switch:1(config-if)#no spanning-tree mstp

Coexistence of MSTP and SPB-Based Services on NNI Ports

In releases that do not support the nni-mstp boot configuration, you can support the coexistence of
non-SPB based services on the NNI ports by adding NNI ports as members of VLANs, except for
B-VLANs. These other VLANs rely on the use of MSTP for loop prevention. The network operator
must carefully consider the implications of keeping MSTP enabled on the NNI ports because any MSTP
topology changes detected on the NNI ports impact all services and cause most dynamically learned
information on the UNI side to be flushed and relearned. This includes, but is not limited to, all customer
MAC and ARP records. This can also cause all the UNI ports on a BEB to be temporarily put into a
spanning-tree blocking state before transitioning to a forwarding state again. The net result is that
MSTP topology changes on the NNI ports adversely impact traffic for SPB-based services. Therefore,
use the NNI ports exclusively for SPB traffic.

SPBM IS-IS

The following list identifies restrictions and limitations associated with SPBM IS-IS:
• The switch does not support IP over IS-IS as defined by RFC 1195. IS-IS protocol is only to facilitate
SPBM.
• The switch uses level 1 IS-IS. The switch does not support level 2 IS-IS. The CLI command show
isis int-l2-contl-pkts is not supported because the IEEE 802.1aq standard currently only
defines the use of one hierarchy, Level 1.
• The IS-IS standard defines wide (32 bit) metrics and narrow (8 bit) metrics. The switch supports the
wide metric.
• To run IS-IS on an MLT, add the ports to the MLT, and then enable IS-IS on the MLT.

SPBM NNI SMLT

The switch does not support NNI on SMLT links.


VLACP

VLACP is generally used when a repeater or switch exists between connected switches to detect when
a connection is down even when the link LED is lit. You can enable VLACP on Ethernet ports that are
NNI, as well as Ethernet ports that are part of an NNI MLT.

SNMP Traps

On each SPBM peer, if you configure the SPBM B-VLANs to use different VLAN IDs, for example, VLAN
10 and 20 on one switch, and VLAN 30 and 40 on the second, the system does not generate a trap
message to alert of the mismatch because the two switches cannot receive control packets from one
another. Configure the SPBM B-VLANs to use matching VLAN IDs.

System MTU

Do not change the system MTU to less than the default value of 1950 bytes. The system MTU must be
1950 or jumbo because of the header size increase when transmitting packets over the SPBM cloud.

IP Multicast over Fabric Connect

IP multicast over Fabric Connect cannot connect to existing Protocol Independent Multicast (PIM)
networks that connect to SPB originated streams or that add PIM network streams into the SPB
network. SPB-PIM Gateway (SPB-PIM GW), however, provides multicast interdomain communication
between an SPB network and a PIM network. SPB-PIM GW accomplishes this interdomain
communication across a special Gateway VLAN. The Gateway VLAN communicates with the PIM
network through the PIM protocol messaging and translates the PIM network requirements into SPB
language, and vice versa. For more information about SPB-PIM GW, see SPB-PIM Gateway configuration
on page 3187.

Other

The following list identifies other restrictions or considerations:


• You cannot use 3.33.33 as the SPB nickname because of a conflict with reserved IPv6 Ethernet
multicast address 33:33:xx:xx:xx:xx.
• The software does not support I-SID filters.
• You cannot enable C-VLAN and B-VLAN on the same port.
• To ensure proper cleanup of MAC tables after you run the no spbm command, save the
configuration, and then reboot the switch.


Network Load Balancing (NLB)

Table 89: Network Load Balancing product support


Feature                                             Product          Release introduced
Network Load Balancing (NLB) - multicast operation  VSP 4450 Series  Not Supported
                                                    VSP 4900 Series  VOSS 8.1
                                                    VSP 7200 Series  VOSS 6.0
                                                    VSP 7400 Series  VOSS 8.0
                                                    VSP 8200 Series  VOSS 6.0
                                                    VSP 8400 Series  VOSS 6.0
                                                    VSP 8600 Series  Not Supported
                                                    XA1400 Series    Not Supported
Network Load Balancing (NLB) - unicast operation    VSP 4450 Series  Not Supported
                                                    VSP 4900 Series  VOSS 8.1
                                                    VSP 7200 Series  VOSS 4.2.1
                                                    VSP 7400 Series  VOSS 8.0
                                                    VSP 8200 Series  VOSS 4.0
                                                    VSP 8400 Series  VOSS 4.2
                                                    VSP 8600 Series  VSP 8600 4.5
                                                    XA1400 Series    Not Supported

SPBM supports Network Load Balancing (NLB) Unicast and Multicast modes.

NLB is a clustering technology available with Microsoft Windows 2000, Microsoft Windows 2003,
Microsoft Windows 2008, and Microsoft Windows 2012 server family of operating systems. You can
use NLB to share the workload among multiple clustering servers. NLB uses a distributed algorithm to
load balance TCP/IP network traffic across a number of hosts, enhancing the scalability and availability
of mission critical, IP based services, such as web, VPN, streaming media, and firewalls. NLB also
provides high availability by detecting host failures and automatically redistributing traffic to remaining
operational hosts.


SPBM Script

Table 90: run spbm installation script product support


Feature                       Product          Release introduced
run spbm installation script  VSP 4450 Series  VOSS 4.1
                              VSP 4900 Series  VOSS 8.1
                              VSP 7200 Series  VOSS 4.2.1
                              VSP 7400 Series  VOSS 8.0
                              VSP 8200 Series  VOSS 4.1
                              VSP 8400 Series  VOSS 4.2
                              VSP 8600 Series  VSP 8600 8.0
                              XA1400 Series    Not Supported

You can use a CLI script to quickly configure the SPB and IS-IS infrastructure to enable Fabric Connect
on a switch. You can use the SPB script, rather than manually configure the minimum SPBM and IS-IS
parameters.

You can use the command run spbm to quickly configure the following:
• Configure the SPB Ethertype.
• Create an SPB instance.
• Create an SPBM backbone VLAN and associate it to the SPB instance.
• Create an SPBM secondary backbone VLAN and associate it to the SPB instance.
• Add an SPB nickname.
• Create a manual area.
• Enable IS-IS on one of the switch interfaces.
• Enable IS-IS globally.
• Configure the IS-IS system name.
• Configure the IS-IS system ID.
• Configure SPBM port and MLT interfaces.
• Clean up any SPBM configuration.

The following table displays the default values applied if you use the run spbm command. The SPB
script creates some of the default values based on the MAC address of the switch, including the
nickname and System ID value.

Parameter         Default values
Ethertype         0x8100
Primary B-VLAN    4051
Secondary B-VLAN  4052
Manual area       49.0000
Nickname          Derived from the chassis MAC
System name       Derived from the command line prompt
System ID value   Derived from the chassis MAC, using a different algorithm from that for the Nickname

Note
The SPB script only creates the SPBM instance, VLAN, or other parameters if they do not
already exist. For example, if the SPBM instance and VLAN already exist, the SPB script does
not create them. If the SPB script cannot create one of the parameters because the parameter
is already configured, the script stops and an error message displays.

Layer 2 Video Surveillance install script

Table 91: Layer 2 Video Surveillance install script product support


Feature                                    Product          Release introduced
Layer 2 Video Surveillance install script  VSP 4450 Series  VOSS 6.1
                                           VSP 4900 Series  VOSS 8.1. To support this feature, VIM installation is mandatory in VSP4900-48P.
                                           VSP 7200 Series  Not Supported
                                           VSP 7400 Series  Not Supported
                                           VSP 8200 Series  Not Supported
                                           VSP 8400 Series  Not Supported
                                           VSP 8600 Series  Not Supported
                                           XA1400 Series    Not Supported

The Layer 2 Video Surveillance install script pre-configures configuration parameters for video
surveillance solutions. With this script, a technician can quickly and easily deploy a typical video
surveillance network that supports up to 2000 IP cameras, a recording solution, systems management,
and viewing stations.

The install script uses best practices for converged solutions and provides redundant paths for all video
traffic. The script configures the basic deployment of Shortest Path Bridging (SPB) and uses Layer 2
VSNs to enable full multicast capabilities between all IP subnets and VLANs.

Configuration Parameters

The syntax of the install script command is run vms layer-2 switch <5-99> where the switch
value (between 5 and 99) is a user-defined variable. The install script uses this switch value to configure
the camera IP zone for the switch and to specify a unique SPB nickname, system-id, and IP source value.


The install script configures the following major parameters and populates the xx with the user-defined
variable for the switch value:
• IP Loopback Interface Address: 192.168.0.xx (Management IP address on the switch.)
• IP-Source Address: 192.168.0.xx (IS-IS source IP address for the switch.)
• VLAN ID: 200 (On hardware platforms that only have NNI links, there is no need to create a
surveillance VLAN.)
• System ID: 0011.0011.07xx (SPB system-id of switch)
• Nickname: 0.07.xx (SPB Nickname for switch)
• SPB Manual Area ID: 49.0001
• Backbone VLAN IDs: 4051 and 4052 (with 4051 as Primary)
• SPB Multicast: enabled
• SFP and SFP+ ports: (Define all ports as NNI links.)

Note
The install script does not configure DHCP Relay parameters.

Optional syntax Parameter

The install script requires that the switch be in the factory default state. The script prompts you to
confirm this, but it does not check if you did so. The script continues running commands even if some
of the commands in the script fail, and the failure of script commands is not evident by the script
completion message.

The syntax of the install script command is: run vms layer-2 switch <5-99> [syntax]. The
optional syntax parameter prints out all the commands run by the script onto the console. If you do
not use the syntax parameter, you will not see an error message when a command fails to run.

Important
Use the syntax parameter to display all the commands run by the script and show any
errors that the script encounters. This is the only way to ensure that all configurations are
configured without error.

Configuration Filename

Upon successful completion of the install script, the switch configuration is saved with a filename based
on the switch value used when the script was run. The switch primary boot config file flags are updated
with the new filename.

For example, if you use 6 as the switch value, the command run vms layer-2 switch 6 results in
a switch configuration filename of vms-layer2-switch-6.cfg.

If you run the install script with the syntax parameter, you will see the pre-install command output:
• save config file pre_vms_layer2_install.cfg
• Save config to file /intflash/pre_vms_layer2_install.cfg successful.

and the completed install script output:


• save config file vms-layer2-switch-6.cfg
• Save config to file /intflash/vms-layer2-switch-6.cfg successful.

IS-IS external metric


The software supports the IS-IS external metric to differentiate between internal and external routes
with Accept Policies.

With this feature you can use IS-IS to:


• change the external metric-type of a route when redistributing it from another protocol to IS-IS
through route redistribution using a route-map.
• change the external metric-type of a route when accepting a remote IS-IS route with the help of
IS-IS accept policies using a route-map.
• match the external metric-type when redistributing IS-IS routes into other protocols using the match
option in the route-map.
• match the external metric-type when accepting a remote IS-IS route with the help of IS-IS accept
policies by using a route-map.
• process the external metric-type in the route selection process.

The IS-IS metric type can also be set using the base redistribute command without using the route-
map.

SPB Ethertype
The switch aligns the SPB ethertype to the BCB's locally configured SPB ethertype. The BCBs mark the
BTAG Ethertype of a transit MAC-in-MAC packet to match their locally configured value when it exits on a
different network-to-network interface (NNI) port, even if the BTAG Ethertype on the incoming packet
(CFM or SPB) does not match their configured value.

Note
IS-IS Hello packets are always marked with 0x8100 ethertype, and do not change according to
the BCB's locally configured values.

Equal Cost Multipath Pathlist with Fabric Connect

Table 92: ECMP Pathlist with Fabric Connect product support


Feature                             Product            Release introduced
ECMP Pathlist with Fabric           VSP 4450 Series    VOSS 8.1.5
Connect (IS-IS routes)              VSP 4900 Series    VOSS 8.1.5
                                    VSP 7200 Series    VOSS 8.1.5
                                    VSP 7400 Series    VOSS 8.1.5
                                    VSP 8200 Series    VOSS 8.1.5
                                    VSP 8400 Series    VOSS 8.1.5
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.1.5


If you use Equal Cost Multipath (ECMP) in a Shortest Path Bridging (SPB) scenario, the Intermediate
System-to-Intermediate System (IS-IS) protocol sends multiple routes with the same destination to the
routing manager. IS-IS can add up to eight equal cost routes with the same destination to the routing
table and the router uses one route for traffic forwarding based on load management. Use the ECMP
Pathlist feature to control how many equal-cost paths to add to the routing manager for the same
destination.

Note
Different hardware platforms can support a different number of ECMP paths. For more
information about the maximum number of ECMP paths supported on the switch, see the
scaling information in VOSS Release Notes.

For information about how to configure ECMP Pathlist, see Configure ECMP on page 1859 and
Configure ECMP on page 1886.

FAN Transit
Fabric Area Network (FAN) transit refers to the ability of a switch to forward traffic between SPB nodes
participating in a FAN. The switch is neither a part of the FAN nor does it originate or sink FAN traffic. It
only forwards the traffic between the FAN end-points.

For information on how to verify the functioning of a transit switch within a FAN, see Troubleshooting
FAN Transit on page 3694.

Dynamic Nickname Assignment

Table 93: Dynamic Nickname Assignment product support


Feature                             Product            Release introduced
Dynamic Nickname Assignment         VSP 4450 Series    VOSS 7.0
                                    VSP 4900 Series    VOSS 8.1
                                    VSP 7200 Series    VOSS 7.0
                                    VSP 7400 Series    VOSS 8.0.5
                                    VSP 8200 Series    VOSS 7.0
                                    VSP 8400 Series    VOSS 7.0
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      Not Supported

Extends the assignment              VSP 4450 Series    VOSS 8.3
behavior with a prefix              VSP 4900 Series    VOSS 8.3
parameter                           VSP 7200 Series    VOSS 8.3
                                    VSP 7400 Series    VOSS 8.3
                                    VSP 8200 Series    VOSS 8.3
                                    VSP 8400 Series    VOSS 8.3
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      Not Supported


Dynamic Nickname Assignment is a service that provides unique nicknames to compatible switches
across a Fabric Area Network (FAN).

You can configure a node in a FAN as a nickname server. The nickname server cannot be started until
you configure it with a static nickname. As a best practice, configure at least two nickname servers in a
FAN to provide redundancy.

Note
Configure the nickname server with a static nickname that is outside any configured dynamic
nickname server range in the network, or you can configure the nickname server with a static
nickname from the first 10 values of the configured dynamic nickname server range in the
network.

The nickname server interrogates FAN nodes that have been assigned a dynamic nickname to avoid
nickname duplication.


A client joining the dynamic FAN in factory default mode initially does not have a nickname, and issues
a broadcast soliciting a valid nickname assignment. The nickname server receives the request and
responds with a nickname assignment offer. The client then explicitly requests the particular nickname
offered and the nickname server sends an acknowledgment.

The client maintains the nickname in persistent memory regardless of whether the active nickname
server is the same server that originally provided the nickname. The client generates a trap and notifies
the user if it is unable to receive a nickname from the server. When IS-IS starts, it issues a trap if a client
does not have a nickname and clears the trap when the client receives a nickname from the nickname
server.

A client rebooting or reconnecting to the FAN requests the same nickname assignment it had before
reboot. If the requested nickname is within the nickname server’s configured range of nicknames and
is still available, the server acknowledges the nickname. If the requested nickname is outside of the
nickname server’s configured range or if the nickname has been assigned to another client, the request
is denied by the nickname server and the client must request a new nickname.

Static and Dynamic Nickname Servers

You can use static nickname assignment and Dynamic Nickname Assignment in the same FAN.

You can configure Dynamic Nickname Assignment using a range prefix that can use a range from
0.00.00 to F.FF.FF. This method provides 256 groups that cover the range of 0.00.00 to F.FF.FF.

Note
You can configure the nickname server with a static nickname from the first 10 values of the
configured dynamic nickname server range in the network.

Do not use nicknames from the dynamic nickname range when you assign nicknames statically to
non-server nodes. However, if there are existing nodes in the network with static nicknames in the
dynamic nickname range, it is not a requirement to change their nickname assignment. If a node is
assigned a dynamic nickname that is being used in the network, duplicate nickname protection is
initiated. If the node that has the dynamic nickname loses the nickname election, it requests a different
nickname from the nickname server. If a node with a static nickname loses the nickname election, IS-IS
is disabled on that node and you must manually re-assign the nickname and re-enable IS-IS.

You can configure nicknames from a dynamic range if the nickname server is not started.

Note
You must disable Dynamic Nickname Assignment before you can change the nickname prefix.

Debugging

A node must be a member of a FAN to host Dynamic Nickname Assignment applications. FAN
connectivity enables the exchange of information between nickname clients and servers, such as
nickname requests or nickname assignments. You can use Connectivity Fault Management (CFM) to
debug connectivity issues or isolate faults. For more information about CFM, see Connectivity Fault
Management on page 3506.


Dynamic Nickname Assignment Considerations

Consider the following information when implementing this feature:


• You must configure a nickname server to assign unique nicknames to clients based on established
policies.
• You can configure multiple nickname servers in a FAN to provide resiliency. If you configure multiple
nickname servers, you must ensure that the ranges for nickname allocation do not overlap.
• Dynamic Nickname Assignment is not supported in a FAN that contains ERS 4900 or ERS 5900
products, or on products running VOSS releases prior to 7.0.
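The solicit, offer, request and acknowledge exchange described under Dynamic Nickname Assignment, together with the range rules in the notes and considerations above, can be modelled as follows. This is an added example, not Extreme Networks code: the class, function and message names are hypothetical, ranges are given as explicit first and last nicknames, and it assumes the first 10 values of a range are never handed out dynamically. All sample values are constructed.

```python
import re

NICK_RE = re.compile(r"^([0-9A-Fa-f])\.([0-9A-Fa-f]{2})\.([0-9A-Fa-f]{2})$")
SERVER_SLOTS = 10  # first 10 values of a range may serve as static server nicknames


def parse_nick(text):
    """'A.10.0A' -> integer between 0x00000 and 0xFFFFF."""
    match = NICK_RE.match(text)
    if not match:
        raise ValueError("not an x.xx.xx nickname: %r" % text)
    return int("".join(match.groups()), 16)


def format_nick(value):
    digits = "%05X" % value
    return "%s.%s.%s" % (digits[0], digits[1:3], digits[3:])


class NicknameServer:
    """Hypothetical model of one nickname server and its allocation range."""

    def __init__(self, name, static_nick, first, last):
        self.name = name
        self.static = parse_nick(static_nick)
        self.first, self.last = parse_nick(first), parse_nick(last)
        self.assigned = {}                       # nickname value -> owner
        if self.in_range(self.static):
            self.assigned[self.static] = name    # the server's own nickname is taken

    def in_range(self, value):
        return self.first <= value <= self.last

    def offer(self):
        """Answer a solicit with the lowest free nickname (assumption: the
        first SERVER_SLOTS values are never handed out dynamically)."""
        for value in range(self.first + SERVER_SLOTS, self.last + 1):
            if value not in self.assigned:
                return format_nick(value)
        return None

    def request(self, client, nick):
        """Explicit request for an offered or remembered nickname."""
        value = parse_nick(nick)
        owner = self.assigned.get(value)
        if not self.in_range(value) or owner not in (None, client):
            return "deny"                        # out of range or held by another client
        self.assigned[value] = client
        return "ack"


def join(server, client, remembered=None):
    """Client side. A rebooting client first asks for the nickname it kept in
    persistent memory; if that is denied, or it has none, it solicits a new one."""
    if remembered and server.request(client, remembered) == "ack":
        return remembered
    offered = server.offer()
    if offered and server.request(client, offered) == "ack":
        return offered
    return None  # no nickname obtained: the guide says the client generates a trap


def check_plan(servers, static_nodes):
    """Pre-deployment check of the guide's rules. static_nodes: {node: nickname}."""
    findings = []
    for i, a in enumerate(servers):
        for b in servers[i + 1:]:
            if a.first <= b.last and b.first <= a.last:
                findings.append("overlap: ranges of %s and %s overlap" % (a.name, b.name))
    for s in servers:
        for r in servers:
            # allowed: outside every range, or within the first 10 values of a range
            if r.in_range(s.static) and s.static >= r.first + SERVER_SLOTS:
                findings.append("server-nickname: %s uses %s inside the range of %s"
                                % (s.name, format_nick(s.static), r.name))
    for node, nick in sorted(static_nodes.items()):
        for r in servers:
            if r.in_range(parse_nick(nick)):
                findings.append("static-in-range: %s uses %s from the range of %s"
                                % (node, nick, r.name))
    return findings


if __name__ == "__main__":
    srv = NicknameServer("srv1", "A.10.01", "A.10.00", "A.1F.FF")
    print(join(srv, "client-1"), join(srv, "client-2"))
    print(join(srv, "client-3", remembered="A.10.0B"))   # denied, gets a new nickname
    bad = NicknameServer("srv2", "A.1F.00", "A.1E.00", "A.2F.FF")
    for finding in check_plan([srv, bad], {"edge-7": "A.10.50"}):
        print(finding)
```

Running `check_plan` against the intended server ranges and the existing static nicknames before starting a nickname server shows which nodes would otherwise end up in duplicate nickname protection.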

MSTP-Fabric Connect Multi Homing

Table 94: MSTP-Fabric Connect Multi Homing product support


Feature                             Product            Release introduced
MSTP-Fabric Connect Multi           VSP 4450 Series    VOSS 7.0
Homing                              VSP 4900 Series    VOSS 8.1
                                    VSP 7200 Series    VOSS 7.0
                                    VSP 7400 Series    VOSS 8.0
                                    VSP 8200 Series    VOSS 7.0
                                    VSP 8400 Series    VOSS 7.0
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      Not Supported

The MSTP-Fabric Connect Multi Homing feature allows an MSTP or RSTP network to be multihomed into a
Fabric Connect network, providing a loop-free topology. MSTP-Fabric Connect Multi Homing enables an
MSTP network to be multihomed into the SPB Fabric network through single node-to-multiple nodes or
multiple nodes-to-multiple nodes.

Important
You must enable MSTP-Fabric Connect Multi Homing before you establish multihoming with
an MSTP network.

MSTP-Fabric Connect Multi Homing uses I-SID 16777003. The switch creates this I-SID automatically
and it cannot be modified.

MSTP-Fabric Connect Multi Homing is supported on SPBM mode only.


Fabric Extend

Table 95: Fabric Extend product support


Feature                             Product            Release introduced
Fabric Extend                       VSP 4450 Series    VOSS 5.0*
*Platforms require an Open          VSP 4900 Series    VOSS 8.1
Networking Adapter (ONA).           VSP 7200 Series    VOSS 5.0
                                    VSP 7400 Series    VOSS 8.0
                                    VSP 8200 Series    VOSS 5.0
                                    VSP 8400 Series    VOSS 5.0
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.0.50

Fabric Extend over IPsec            VSP 4450 Series    Not Supported
                                    VSP 4900 Series    VOSS 8.3 VSP4900-12MXU-12XE and VSP4900-24XE using Fabric IPsec Gateway
                                    VSP 7200 Series    Not Supported
                                    VSP 7400 Series    VOSS 8.2 using Fabric IPsec Gateway
                                    VSP 8200 Series    Not Supported
                                    VSP 8400 Series    Not Supported
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.0.50

Digital Certificate Authentication  VSP 4450 Series    Not Supported
for Fabric Extend over IPsec        VSP 4900 Series    VOSS 8.3 VSP4900-12MXU-12XE and VSP4900-24XE using Fabric IPsec Gateway
                                    VSP 7200 Series    Not Supported
                                    VSP 7400 Series    VOSS 8.3 using Fabric IPsec Gateway
                                    VSP 8200 Series    Not Supported
                                    VSP 8400 Series    Not Supported
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.3

ECMP support for Fabric Extend      VSP 4450 Series    Not Supported
                                    VSP 4900 Series    Not Supported
                                    VSP 7200 Series    VOSS 6.0
                                    VSP 7400 Series    VOSS 8.0
                                    VSP 8200 Series    VOSS 6.0
                                    VSP 8400 Series    VOSS 6.0
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.0.50

IPsec compression                   VSP 4450 Series    Not Supported
                                    VSP 4900 Series    VOSS 8.7 VSP4900-12MXU-12XE and VSP4900-24XE using Fabric IPsec Gateway
                                    VSP 7200 Series    Not Supported
                                    VSP 7400 Series    VOSS 8.7 using Fabric IPsec Gateway
                                    VSP 8200 Series    Not Supported
                                    VSP 8400 Series    Not Supported
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.1.8

Ability to adjust the maximum       VSP 4450 Series    Not Supported
segment size (MSS)                  VSP 4900 Series    VOSS 8.3.1
                                    VSP 7200 Series    Not Supported
                                    VSP 7400 Series    VOSS 8.3.1
                                    VSP 8200 Series    Not Supported
                                    VSP 8400 Series    Not Supported
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.1.8

IS-IS hello padding                 VSP 4450 Series    VOSS 8.2.7
                                    VSP 4900 Series    VOSS 8.2.7
                                    VSP 7200 Series    VOSS 8.2.7
                                    VSP 7400 Series    VOSS 8.2.7
                                    VSP 8200 Series    VOSS 8.2.7
                                    VSP 8400 Series    VOSS 8.2.7
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.2.7

IPsec fragmentation before          VSP 4450 Series    Not Supported
encryption                          VSP 4900 Series    VOSS 8.3.1 VSP4900-12MXU-12XE and VSP4900-24XE using Fabric IPsec Gateway
                                    VSP 7200 Series    Not Supported
                                    VSP 7400 Series    VOSS 8.3.1 using Fabric IPsec Gateway
                                    VSP 8200 Series    Not Supported
                                    VSP 8400 Series    Not Supported
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.2.7

Ability to configure a specific     VSP 4450 Series    Not Supported
IPsec source IP per tunnel          VSP 4900 Series    Not Supported
                                    VSP 7200 Series    Not Supported
                                    VSP 7400 Series    Not Supported
                                    VSP 8200 Series    Not Supported
                                    VSP 8400 Series    Not Supported
                                    VSP 8600 Series    Not Supported
                                    XA1400 Series      VOSS 8.3.1

Some hardware platforms support Fabric Extend natively. You can use these switches in a main office of
a hub and spoke deployment or to connect one Data Center to another Data Center.

The VSP 4450 Series also supports Fabric Extend, but the switch must be connected to an Open
Networking Adapter (ONA) because the VSP 4450 Series does not support Fabric Extend natively. The
ONA enables the VSP 4450 Series to support Fabric Extend. The VSP 4450 Series uses the ONA to
encapsulate Fabric Connect traffic. For example, you can use the VSP 4450 Series in a branch office of a
hub and spoke deployment.

Note
In a Layer 2 core Fabric Extend solution, the VSP 4450 Series does not require an
ONA because the tunnels are point-to-point VLAN connections, not VXLAN connections.
Therefore, there is no need for an ONA to encapsulate a VXLAN header to SPB packets.

Fabric Extend enables Enterprises to extend the Fabric Connect technology over Layer 2 or Layer 3 core
networks. The logical IS-IS interface is the mechanism that enables Fabric Extend to connect SPB fabric
nodes. Logical IS-IS interfaces create virtual tunnels and encapsulate SPB traffic by adding a VXLAN
header to SPB packets.


The following figure illustrates two Fabric Connect “islands” separated by a third-party core IP network.
The IP network could be third-party equipment in an enterprise or a service provider’s infrastructure
such as an MPLS VPN service.

Figure 59: Fabric Connect networks connected by an IP network


The following figure illustrates how Fabric Extend enables you to connect the fabric islands to create
one Fabric Connect network. This figure shows a Layer 3 core network where Fabric Extend uses IP
tunneling by adding a VXLAN header to the SPBM packets. This can be over a third party IPv4 transport
network such as MPLS IP-VPN or a campus IP backbone.

Figure 60: Single Fabric Connect Domain realized using Fabric Extend

The following figure shows a Layer 2 core network where Fabric Extend can transport SPBM packets
over a Layer 2 MPLS VPLS or PBB E-LINE service by creating Layer 3 tunnels over a Layer 2 third party
network.

Figure 61: Fabric Extend over VLAN tunnels


Advantages of Fabric Extend


Fabric Connect is an Ethernet-based, industry-standard (IEEE 802.1aq) networking virtualization
solution. With Fabric Connect, you can have thousands of virtualized service instances at any point
in the network. Other Fabric Connect advantages include rapid time to service, Layer 2 and Layer 3
Unicast and IP Multicast virtualization, and scalable IP multicast. But the most significant advantage of
Fabric Connect is that you provision services at the network edge only, not the core.

The Fabric Extend feature enables you to extend the Fabric Connect model over Layer 2 and Layer 3
core networks. The interconnection of Fabric Connect deployments can be over any IP-based network
whether it’s a campus backbone, Data Center, or a MAN/WAN IP MPLS network.

Fabric Extend and ONA


Some hardware platforms support Fabric Extend natively on any of their physical ports. However, the
VSP 4450 Series requires an Open Networking Adapter (ONA) to enable this functionality. The ONA is
the Fabric Extend packet encapsulation engine for the VSP 4450 Series. The ONA / VSP 4450 Series
combination can also provide enhanced features such as IP fragmentation and reassembly on Fabric
Extend tunnels.

Note
In a Layer 2 core Fabric Extend solution, the VSP 4450 Series does not require an ONA
because the tunnels are point-to-point VLAN connections, not VXLAN. Therefore, there is no
need for an ONA to encapsulate a VXLAN header to SPB packets.

The VSP 4450 Series manages the ONA in the following ways:
• Controls and provisions the ONA.
• If PoE capable, the VSP 4450 Series supplies power to the ONA. (The ONA also supports an optional
wall unit power adapter.)
• Transports traffic to and from the ONA over 1 GbE ports and sets QoS appropriately to the ONA’s.
◦ The ONA 1101GT can support basic Fabric Extend at line rate 1G traffic from the VSP 4450 Series
at 1500 byte packet sizes.
◦ Oversubscription of the ONA’s packet engine may result if packets are smaller than 1500 bytes
or if you enable enhanced features such as fragmentation and reassembly of packets. This results
in packet drop starting with lower QoS queued packets consistent with PCP and DSCP markings
on packets received from the VSP 4450 Series. For more details on the ONA 1101GT forwarding
performance, see ONA Considerations on page 973.

The ONA can operate in different modes. Fabric Extend is Operational Mode 1. To enable Fabric Extend,
use the ONA’s Manual Configuration menu to change the Operational Mode parameter to 1. For more
information, refer to the manual that ships with the ONA.

In the following figure, the VSP 8200 Series is in a Fabric Connect network and is configured with Fabric
Extend (FE). The VSP 4450 Series is also in a Fabric Connect network and is configured with SPB. The
VSP 8200 Series and the VSP 4450 Series use industry-standard VXLAN tunnels to create a flow for FE
traffic between the VSP 8200 Series and the ONA attached to the VSP 4450 Series.


Figure 62: Fabric Extend traffic flow


The following flow occurs when User A sends a packet to User B:
• The VSP 8200 Series receives the packet and encapsulates it with a MAC-in-MAC header.
• The VSP 8200 Series sends the MAC-in-MAC-encapsulated packet over the VXLAN tunnel to the
VSP 4450 Series.
• The VSP 4450 Series receives the packet and sends it to the ONA network port.
• The ONA decapsulates the packet by removing the VXLAN header and sends the MAC-in-MAC
packet header out the ONA device port back to the VSP 4450 Series.
• The VSP 4450 Series decapsulates the MAC-in-MAC header and forwards the packet to User B.

The following flow occurs when User B sends a packet to User A:


• The VSP 4450 Series receives the packet and sends it to the ONA over the ONA device port with
MAC-in-MAC encapsulation.
• The ONA encapsulates the packet with a VXLAN header.
• The ONA then sends the packet out the ONA network port and back to the VSP 4450 Series.
• The VSP 4450 Series sends the VXLAN-encapsulated packet over the Routed IP network to the VSP
8200 Series.

Note
To interoperate with the VSP 8200 Series, you must set the MTU on the VSP 4450
Series/ONA combination to 1950 bytes.

• The VSP 8200 Series decapsulates the packet by removing the VXLAN header and the MAC-in-MAC
header, and then forwards it to User A.

Note
Connect the ONA as shown with two ports to the VSP 4450 Series. You cannot connect
the ONA directly to the IP core infrastructure.

Logical IS-IS interface


The logical IS-IS interface is the mechanism that enables Fabric Extend to connect SPB fabric nodes.

Logical IS-IS interfaces perform the following functions depending on the type of core network:
• In a Layer 3 core network, logical IS-IS interfaces create virtual IP tunnels and encapsulate SPB traffic
by adding a Virtual Extensible LAN (VXLAN) header to SPB packets.


• In a Layer 2 core network, logical IS-IS interfaces do not use VXLAN. The tunnels are point-to-point
VLAN connections so there is no need to encapsulate a VXLAN header to SPB packets. The logical
IS-IS interfaces translate the Backbone VLAN IDs (B-VIDs) and map them to each of the branch
provider VIDs.

Fabric Extend uses virtual tunnels in Layer 3 core solutions to connect SPB fabric nodes. These nodes
can stretch over IP routed campus networks, service provider Layer 2 core networks, or service provider
Layer 3 core networks such as IP MPLS VPNs.

Note
VLACP cannot be used on logical IS-IS interface connections.

Layer 2 core network

If the service provider has a Layer 2 core network, note the following points:
• The syntax for configuring a logical interface is:

logical-intf isis <id> vid <list of vlans> primary-vid <vlanId> port <slot/port> Mlt <mltId> [name <name>]

◦ vid <list of vlans> must contain exactly two VLANs. The VID range is <2-4059>. You do not have
to configure the VIDs as platform VLANs.
◦ primary-vid should be included in vid <list of vlans>.
◦ Each logical interface must have a unique set of VIDs for each port or MLT. The same VIDs
however, can be reused across a different set of ports or MLTs.
◦ Logical interface VIDs and B-VLANs cannot be the same.
◦ Configuring the same VIDs as primary and secondary is not allowed.
◦ The port/MLT on which the Layer 2 core IS-IS logical interface is configured cannot be part of
any other user configured VLANs.
◦ You cannot delete an MLT that is configured as a logical interface tunnel MLT.
• A logical interface consists of a port/MLT and a list of VLANs, where port/MLT is the physical
connectivity to the Layer 2 core network and VLANs are the list of VLANs used to transport/bridge
IS-IS control packets and MAC-in-MAC data traffic.
• VXLAN headers are not used in Layer 2 core Fabric Extend solutions.
• IS-IS control packets are not encapsulated before they are sent over a logical interface. Instead, the
VLAN in the outer Ethernet header (SPB primary bvid) is replaced by the user configured logical
interface VLAN.
• Spanning tree is disabled by default on port/MLT on which a Layer 2 core logical IS-IS interface is
configured.
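A lint for the Layer 2 core rules listed above, as an added example that is not part of the VOSS software or of this guide. It assumes a comma-separated VID list and a choice of either port or mlt, and it reads the unique-VID rule as: no VID is shared by two logical interfaces on the same port or MLT. The sample lines and B-VLAN values are constructed.

```python
import re

# Assumed concrete form of: logical-intf isis <id> vid <list of vlans>
#   primary-vid <vlanId> port <slot/port> | mlt <mltId> [name <name>]
L2_RE = re.compile(
    r"^logical-intf isis (?P<id>\d+) vid (?P<vids>\d+(?:,\d+)*) primary-vid (?P<pvid>\d+) "
    r"(?P<kind>port|mlt) (?P<attach>\S+)(?: name (?P<name>\S+))?$",
    re.IGNORECASE)

# Constructed sample input
SAMPLE_BVLANS = {4051, 4052}
SAMPLE_LINES = [
    "logical-intf isis 1 vid 100,200 primary-vid 100 port 1/5 name to-branch1",
    "logical-intf isis 2 vid 100,300 primary-vid 300 port 1/5",   # VID 100 reused on 1/5
    "logical-intf isis 3 vid 100,200 primary-vid 100 mlt 3",      # fine: different MLT
    "logical-intf isis 4 vid 4051,500 primary-vid 600 port 1/6",  # B-VLAN, bad primary
    "logical-intf isis 5 vid 10,20,30 primary-vid 10 port 1/7",   # three VIDs
    "logical-intf isis 6 vid 1,4060 primary-vid 1 port 1/8",      # out of range
]


def lint_l2_logical_interfaces(lines, bvlans):
    """Return a list of (line_number, message) findings."""
    findings, seen = [], {}          # seen: (kind, attachment, vid) -> interface id
    for number, line in enumerate(lines, 1):
        match = L2_RE.match(line.strip())
        if not match:
            findings.append((number, "not a Layer 2 core logical-intf line"))
            continue
        intf = match.group("id")
        vids = [int(v) for v in match.group("vids").split(",")]
        pvid = int(match.group("pvid"))
        where = (match.group("kind").lower(), match.group("attach"))
        if len(vids) != 2:
            findings.append((number, "vid list must contain exactly two VLANs"))
        elif vids[0] == vids[1]:
            findings.append((number, "primary and secondary VID must differ"))
        for vid in dict.fromkeys(vids):          # de-duplicate, keep order
            if not 2 <= vid <= 4059:
                findings.append((number, "VID %d is outside 2-4059" % vid))
            if vid in bvlans:
                findings.append((number, "VID %d is also a B-VLAN" % vid))
            owner = seen.setdefault(where + (vid,), intf)
            if owner != intf:
                findings.append((number, "VID %d already used on %s %s by logical interface %s"
                                 % (vid, where[0], where[1], owner)))
        if pvid not in vids:
            findings.append((number, "primary-vid %d is not in the vid list" % pvid))
    return findings


if __name__ == "__main__":
    for number, message in lint_l2_logical_interfaces(SAMPLE_LINES, SAMPLE_BVLANS):
        print("line %d: %s" % (number, message))
```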

Layer 3 core network

If the service provider has a Layer 3 core network, note the following points:
• The syntax for configuring a logical interface is:

logical-intf isis <id> dest-ip <destIpAddr> [name <name>]


• A logical IS-IS interface points to a remote BEB destination IP address.


• Port and VlanId are not needed to create a logical IS-IS interface; instead, they can be retrieved
from the next hop of the destination IP address.
• IS-IS control packets (IS-IS hello, LSDB, CSNP, PSNP) are encapsulated with a VXLAN header and
sent over a logical IS-IS interface.

IPsec Compression
IPsec compression reduces the size of the IP datagram to improve the communication performance
between hosts connected behind Backbone Edge Bridges (BEB).

Note
This feature is supported on XA1400 Series, VSP 4900 Series, and VSP 7400 Series. VSP
4900 Series and VSP 7400 Series switches provide that support using Fabric IPsec Gateway.

Tip
As a best practice, use IPsec compression only for Fabric Extend tunnels where latency is
greater than 70ms.

The following list identifies how you can implement IPsec compression:
• You can configure IPsec compression for each logical-interface.
• You can configure multiple IPsec Fabric Extend (FE) adjacencies with or without compression
simultaneously.
• You must enable IPsec compression on both BEBs to use IPsec compression for an FE adjacency.
• You cannot configure IPsec compression if fragmentation before encryption is already enabled.
• You can change the IPsec compression configuration only if IPsec is disabled.

For configuration information, see the following tasks:


• Configure Fabric Extend Over IPsec on page 1055 (using CLI)
• Configure Fabric Extend Logical Interfaces for Native Support on page 1176 (using EDM)

IS-IS Hello Padding


To detect maximum transmission unit (MTU) mismatches, Intermediate System-to-Intermediate System
(IS-IS) pads hello packets to the full interface MTU. All hello packets on Fabric Extend
network-to-network interface (NNI) links are padded. On non-Fabric Extend point-to-point NNI links,
hello packets are padded until a hello packet is received from the other side.

Note
If you downgrade to a release that does not support this feature, you must disable the feature
and save the configuration before you downgrade. You must have a compatible configuration
file if you downgrade to an earlier release.

IPsec Fragmentation Before Encryption


XA1400 Series, VSP 4900 Series, and VSP 7400 Series switches support IPsec fragmentation before
encryption of Fabric Extend tunnels; VSP 4900 Series and VSP 7400 Series provide that support using
Fabric IPsec Gateway.

The best practice is to enable fragmentation before encryption only for an IPsec adjacency over a WAN.


Configure IPsec fragmentation of the packets to occur before encryption and IPsec encapsulation.
Packets are fragmented based on the tunnel maximum transmission unit (MTU) without the IPsec
header so that the final packet does not exceed the tunnel MTU. The MTU value is a per tunnel
configuration, which means packet fragmentation occurs per tunnel. For a tunnel with this functionality
enabled, packets that egress the specific NNI port are encapsulating security payload (ESP) packets
only.

The following list identifies how you can implement IPsec fragmentation before encryption:
• You can configure IPsec fragmentation before encryption for each logical-interface.
• You must configure IPsec over Fabric Extend in IPsec decoupled mode, which means the IPsec
source and destination IP addresses are different than the Fabric Extend addresses.
• You cannot configure IPsec compression if fragmentation before encryption is already enabled on
the logical interface.

IPsec Coupled and Decoupled Mode

A device is in IPsec decoupled mode when IPsec and Fabric Extend (FE) termination takes place on
two different IP addresses. A device is in IPsec coupled mode when IPsec and Fabric Extend (FE)
termination takes place on the same IP address.

The XA1400 Series devices, which use VOSS for Fabric Extend over IPsec, support both IPsec
decoupled and coupled modes. The VSP 4900 Series and VSP 7400 Series devices, which use Fabric
IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only. You must configure
the IPsec tunnel in decoupled mode to enable IPsec termination in the Fabric IPsec Gateway VM. For
more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on
Fabric IPsec Gateway VM on page 891.

For more information, see the following tasks:


• For XA1400 Series configuration using VOSS:
◦ Enable IPsec Fragmentation Before Encryption on page 1063
◦ Disable IPsec Fragmentation Before Encryption on page 1065
• For VSP 4900 Series and VSP 7400 Series configuration using Fabric IPsec Gateway, see Enable
Fragmentation Before Encryption on Fabric IPsec Gateway VM on page 894.

Adjusting the TCP Maximum Segment Size


You can adjust the TCP maximum segment size (MSS) to improve the throughput for the TCP session
over a Fabric Extend (FE) adjacency.

TCP MSS Overview

When a client initiates a connection with a server, it uses TCP SYN packets to negotiate the MSS to
avoid fragmentation. The client and server use the outgoing maximum transmission unit (MTU) to
advertise the MSS.

If a tunnel exists between the client and server, the encapsulation consumes more room in the outer IP
header. As a result, the router that performs the tunnel encapsulation fragments the packet to fit over
the tunnel. Adjust the MSS to modify the value in the TCP SYN packet so the client and server negotiate
a lower number and leave headroom for tunnel encapsulation.


This adjustment functionality applies to IPv4 only.

Important
If you enable this functionality and port mirroring simultaneously, the switch does not mirror
CP-generated packets.

VSP 4900 Series Support

TCP MSS adjustment applies unidirectionally when a packet is forwarded from a UNI interface to any
other interface. To use this functionality, you must enable TCP MSS adjustment on both sides of the FE
tunnel.

VSP 7400 Series Support

TCP MSS adjustment applies unidirectionally when a packet is forwarded into an FE tunnel. To use this
functionality, you must enable TCP MSS adjustment on both sides of the FE tunnel.

XA1400 Series Support

The MSS adjustment functionality only activates when at least one Fabric Extend (FE) tunnel with an
MTU less than or equal to 1500 is configured. The functionality is inactive if no FE tunnels with MTU
less than or equal to 1500 are configured. Deleting the last tunnel with MTU less than or equal to 1500
results in the functionality becoming inactive.

The switch can auto-derive the MSS value based on the tunnel MTUs or you can manually configure the
MSS value. The formula for the auto-derived value is

min(Tunnels MTUs) - 200B (size for VXLAN + MIM + IPSEC + IP+TCP headers)

If you configure multiple FE tunnels with MTU less than or equal to 1500, then the switch uses
the lowest of all tunnel MTUs to auto-derive the TCP MSS adjust value. The same value applies
bidirectionally, to all TCP SYN packets that transmit NNI to UNI and UNI to NNI.

Tip
As a best practice, disable this enhancement on the head-end side and enable only at the
branch side.

The switch does not support different TCP adjust MSS values if you configure different FE tunnel MTUs
on different tunnels.

If you configure FE tunnels and regular NNIs on the same adjacency, then the TCP adjust MSS value
applies to all TCP packets traversing across regular NNIs and FE tunnels.
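The auto-derived value and the rewrite of the MSS option in a TCP SYN can be worked through in code. This added example is not Extreme Networks code: the function names, addresses and sample segment are constructed, and it assumes the usual clamping rule that an MSS already at or below the limit is left unchanged.

```python
import struct

FE_OVERHEAD = 200     # bytes the guide reserves for VXLAN + MIM + IPsec + IP + TCP headers
MTU_THRESHOLD = 1500  # the feature is active only if some FE tunnel MTU is <= this value


def derive_mss(tunnel_mtus):
    """Auto-derived MSS per the guide's formula, or None when the feature is inactive."""
    if not any(mtu <= MTU_THRESHOLD for mtu in tunnel_mtus):
        return None
    return min(tunnel_mtus) - FE_OVERHEAD


def inet_checksum(data):
    """RFC 1071 ones' complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)


def checksum_ok(src_ip, dst_ip, segment):
    """A segment with a correct checksum field sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed sample: SYN carrying MSS, NOP and window-scale options."""
    options = struct.pack("!BBH", 2, 4, mss) + bytes([1, 3, 3, 7])
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         offset_words << 4, 0x02, 64240, 0, 0)
    seg = bytearray(header + options)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def clamp_syn_mss(src_ip, dst_ip, segment, limit):
    """Return (segment, old_mss, new_mss); old and new are None if nothing applies."""
    seg = bytearray(segment)
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    header_len = (seg[12] >> 4) * 4
    if header_len < 20 or header_len > len(seg):
        raise ValueError("bad data offset")
    if not seg[13] & 0x02:            # only SYN segments carry the MSS option
        return segment, None, None
    i = 20
    while i < header_len:
        kind = seg[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP is a single byte
            i += 1
            continue
        if i + 1 >= header_len or seg[i + 1] < 2 or i + seg[i + 1] > header_len:
            raise ValueError("malformed TCP option")
        if kind == 2 and seg[i + 1] == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old <= limit:          # assumption: never raise an advertised MSS
                return segment, old, old
            struct.pack_into("!H", seg, i + 2, limit)
            seg[16:18] = b"\x00\x00"  # zero the checksum field, then recompute it
            struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
            return bytes(seg), old, limit
        i += seg[i + 1]
    return segment, None, None


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed addresses
    limit = derive_mss([1950, 1400, 1300])
    syn = build_syn(src, dst, 40000, 443, 1460)
    out, old, new = clamp_syn_mss(src, dst, syn, limit)
    print("limit", limit, "MSS", old, "->", new, "checksum ok:", checksum_ok(src, dst, out))
```

Because the lowest tunnel MTU sets one value for every tunnel, a single low-MTU tunnel lowers the negotiated MSS for TCP sessions over all FE adjacencies on the switch.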

Types of Fabric Extend Deployments


As the number of Fabric Connect networks increased, so did the need to connect those networks.
Fabric Extend solves the problem of going beyond the Ethernet Fabric Connect connections to include
the following IP routed wide area network (WAN) and campus solutions:

1. Fabric Extend over an MPLS IP-VPN provider WAN
2. Fabric Extend over an MPLS Virtual Private LAN Service (VPLS) or Provider Backbone Bridging
(PBB) Ethernet LAN (ELAN) provider network
3. Fabric Extend over an IP campus network
4. Fabric Extend over an MPLS Pseudo-Wire or Ethernet Virtual Private Line (E-Line) provider network
5. Fabric Extend over IPsec

Fabric Extend over an MPLS IP-VPN Provider WAN

The most common Fabric Extend deployment is a hub and spoke topology that connects the Main
office over a service provider’s MPLS IP VPN to multiple Branch offices. The following figure illustrates
how the hub device on the main site establishes virtual tunnels with all of the spoke devices in the same
domain. In this scenario, the traffic flows are bidirectional: from hub-to-spoke and spoke-to-hub.

Figure 63: Fabric Extend IP VPN Deployment Option

Note
If Fabric Extend with IPsec or fragmentation and reassembly is a requirement, depending on
your requirements, you can use a mix of VSP 7400 Series, VSP 4900 Series, or 5720 Series
with Fabric IPsec Gateway and XA1400 Series at the main and branch sites.


Fabric Extend over an MPLS VPLS/P2P-VPLS/E-LINE/P2P-VLAN Provider Network

Where the preceding hub and spoke deployment is over a Layer 3 MPLS IP-VPN, the following VPLS
deployment is over a Layer 2 segment. This type of hub and spoke deployment extends the fabric
over an MPLS Virtual Private LAN Service (VPLS) or Provider Backbone Bridging (PBB) Ethernet LAN
(E-LINE) network. In this scenario, the SPB nodes are connected with a point-to-point Ethernet link.

Figure 64: Fabric Extend VPLS Deployment Option

Fabric Extend over an IP Campus Network

Some customers do not want to migrate their infrastructures to SPB immediately. They want to keep
their existing IP core network and deploy SPB on the edge. In this scenario, Fabric Extend supports a
fabric overlay on top of the existing campus infrastructure.

The following figure illustrates how this deployment supports any-to-any traffic with full-mesh tunnels
between fabric nodes. The fabric nodes serve as campus switches, support routing into the IP
infrastructure, and provide an overlay fabric that enables all fabric benefits.


Figure 65: Fabric Extend Full Mesh Campus Deployment Option

Fabric Extend over an MPLS PWE3/E-Line Provider Network

The following hub and spoke deployment over an MPLS Pseudowire or Ethernet Virtual Private Line
(E-Line) uses service provider VLAN tunnels. Because you can map many (VID, port/mlt list) sets to an
I-SID, this gives Service Providers the flexibility to let more than one customer use the same VLAN with
different I-SIDs.

Note
The VSP 4450 Series switches in this type of deployment do not require an ONA because the
tunnels are point-to-point VLAN connections, not VXLAN. Therefore, there is no need for an
ONA to encapsulate a VXLAN header to SPB packets.

The following figure illustrates how two dedicated Backbone VLAN IDs (B-VIDs) are mapped from
the hub to spoke sites. Logical IS-IS interfaces translate the B-VIDs and map them to each of the
branch provider VIDs.

For a detailed configuration example showing logical interfaces using B-VID translation to two different
logical VLAN IDs, see Shortest Path Bridging (802.1aq) Technical Configuration Guide.


Figure 66: Fabric Extend Pseudowire Deployment Option

Fabric Extend over IPsec

The Fabric Extend over IPsec hub and remote deployment uses service provider VLAN tunnels and
IPsec to provide permanent connections between locations. It is best used for site-to-site connections,
such as connecting remote sites to the core network. Because IPsec works at the network layer, this
type of configuration is not limited or dedicated to a particular application.

Note
FE over IPsec connectivity requires an XA1400 Series device on each end of the FE tunnel.

The following figure illustrates how the FE over IPsec deployment supports the site-to-site connections.
It shows a Layer 3 core network where Fabric Extend uses IP tunneling by adding a VXLAN header to
the SPBM packets. This can be over a third party IPv4 transport network such as MPLS IP-VPN or in a
Campus IP backbone.

Figure 67: Fabric Extend over IPsec Deployment Option


Fabric Extend Tunnel MTU


You can configure a unique MTU value for each Fabric Extend (FE) tunnel on an XA1400 Series device.

You can configure each ISIS logical interface with a unique MTU value for each FE tunnel in the
VXLAN interface to improve fragmentation and reassembly in WAN connectivity over MPLS IP VPN and
internet-based connections through a NAT router.

Fragmentation and reassembly is based on the MTU value configured for each FE tunnel. You can
change the MTU configuration at any time for each FE tunnel. The supported MTU range is 750 to
9000, and the default MTU value is 1950.

Note
FE Tunnel MTU is an optional configuration.

For example, if you configure an FE tunnel with an MTU of 900, and a packet of size 1950 is received
on a UNI with its destination on the FE tunnel, the system fragments the original 1950-sized packet
into three packets (900, 900, 150), each with a packet size equal to or less than 900. The system
transmits the three fragmented packets over the ISIS logical interface of the FE tunnel. After the
packets are received at the destination, the system reassembles the three packets (900, 900, 150)
into the 1950-sized packet.

Fabric Extend Tunnel MTU Considerations

Consider the following interactions between route MTU and FE Tunnel MTU configurations:
• If route MTU is not configured, the MTU value for each FE tunnel is applicable to ingress and egress
traffic on the tunnel.
• If route MTU is configured, the MTU value for each FE tunnel is applicable for ingress traffic on the
tunnel. The route MTU value applies to all egress traffic.

Note
System MTU maximum is a separate configuration. You can configure a system maximum
MTU size of 1522, 1950, or 9022. The default value is 1950.

IPsec Source IP Address Per Tunnel Interface

To deploy the XA1400 Series in an environment that includes more than one provider connection with
IPsec, you require a source IP address for each IPsec tunnel.

When you connect to a broadband provider such as cable modem, DSL, or LTE, the only routable IP
interface is the one that is assigned by the provider (either through DHCP or statically). As a result, the
Internet can only route the assigned subnet. You cannot deploy a routing protocol between the branch
device and the provider modem.

When you connect two different providers to a branch device, each provider uses a different subnet.
The XA1400 Series must apply a different source IP address for each IPsec tunnel.


The following options are available to configure a specific source IP address for each IPsec tunnel:
• Statically configure a source IP address for each IPsec tunnel:
◦ You must configure a VLAN, brouter, or CLIP IP address for the IPsec tunnel to use; this address
must be in the same VRF as the tunnel.
◦ You cannot delete the VLAN, brouter, or CLIP IP address if it is used as the static IPsec source IP.
◦ You must disable IPsec on the logical interface before you configure an IPsec source IP.
◦ The specified IP must be different than the global IPsec IP source address.
◦ The specified IP can be the same as the management IP if you do not configure other logical
IPsec interfaces with a source IP type of DHCP.
◦ Multiple logical interfaces can use the same statically configured IPsec source IP.
• Dynamically obtain the source IP address for each IPsec tunnel from the management VLAN IP
address assigned through DHCP:
◦ You must enable DHCP on the management VLAN.
◦ The coexistence mode, where both the management IP stack and the routing IP stack share the
same IP address and default routes, must be present. For more information, see VLAN on page
78.
◦ After you run the ipsec tunnel-source-address type dhcp command, the system
imports the IP and VRF used by the management VLAN as the IPsec source IP on the logical
interface.
◦ The VRF can be different than the tunnel VRF.
◦ You cannot delete the VLAN or modify its IP address if the IP address is used as the IPsec source
IP.
◦ The IPsec source IP type DHCP cannot be the same as the global IPsec source IP address or
statically configured IP address.
◦ After the system imports the DHCP IP address for use by IPsec, you can modify the management
VLAN. For example, you can disable DHCP on the management VLAN, change the management
VLAN ID, or delete the management VLAN.
◦ After you save the configuration, the IP and VRF that the system imported for use by
IPsec is saved to the configuration file using ipsec tunnel-source-ip type dhcp
<IP_address> vrf <vrf_name>. After you reboot the switch, it loads the information
from the configuration file and the IPsec tunnel IP address is no longer imported from the
management VLAN.

Fabric Extend Considerations


Review the following restrictions, limitations, and behavioral characteristics that are associated with
Fabric Extend.

Note
If your Fabric Extend configuration includes a VSP 4450 Series/ONA combination, see ONA
Considerations on page 973 for more information.

Tunnel Source IP

Fabric Extend supports the tunnel source IP address using a brouter port interface, a CLIP IP, or a VLAN
IP.


The following table shows the product support.

Product            Tunnel source IP
                   Brouter port     CLIP IP          VLAN IP
VSP 4450 Series    Yes              Yes              Yes
VSP 4900 Series    Yes              Yes              Yes
VSP 7200 Series    Yes              Yes              Yes
VSP 7400 Series    Yes              Yes              Yes
VSP 8200 Series    Yes              Yes              Yes
VSP 8400 Series    Yes              Yes              Yes
VSP 8600 Series    Not supported    Not supported    Not supported
XA1400 Series      Yes              Yes              Yes

• Configure route-maps to not permit redistribution of the local route used as the tunnel source
address (ip-tunnel-source-address command).
• Configure an accept policy to deny IS-IS routes that overlap with the destination tunnel IP address.

Tunnel Failover Time

With IS-IS interface default values, tunnel failure detection can take up to 27 seconds. You can reduce
the IS-IS interface hello timers to speed up logical link failure detection, but be careful to avoid link
flapping due to values that are too low.

Note
If the number of IS-IS interfaces on a node is greater than 100, it is a good practice to set the
hello timer not lower than 5 seconds.

ACL Filters over VXLAN

IP filters configured to match IP header fields in the headers of VXLAN encapsulated packets work
only when the switch acts as a transit router and does not participate in the initiation or termination of
VXLAN traffic.

VLACP

VLACP is not supported over logical IS-IS interfaces.

CFM CCM

CFM Continuity Check Messages are not supported over logical IS-IS interfaces.

CFM traceroute and tracemroute

If CFM packets transit over a Layer 3 tunnel (that is, the CFM packets ingress a Fabric Extend Layer 3
core tunnel and egress through another Layer 3 core tunnel), the transit SPBM nodes do not display as
intermediate hops in the output for CFM l2 traceroute and l2 tracemroute.


This is because the CFM packets are encapsulated in the outer layer 3 header as part of VXLAN
encapsulation, and the transit SPBM nodes cannot look into the payload of the VXLAN packet and send
a copy of the CFM packet to local CPU for processing.

CFM L2 Ping

CFM Layer 2 ping to an MCoSPB source MAC is not supported and can fail if the source MAC is reachable
through a Fabric Extend tunnel.

MACsec

Switch-based MAC Security (MACsec) encryption is Layer 2 so it cannot be used with Fabric Extend IP,
which is Layer 3.

MTU Minimum in Layer 2 Pseudowire Core Networks

Service provider Layer 2 connections must be at least 1544 bytes. In this type of deployment the tunnels
are point-to-point VLAN connections that do not require VXLAN encapsulation. The default MTU value
is 1950.

Logical IS-IS Interfaces

Layer 2 core and Layer 3 core logical IS-IS interfaces are not supported on the same switch at the same
time.

Fragmentation and Reassembly

There is no fragmentation and reassembly support in Layer 2 core solutions.

If a tunnel was initially UP between a VSP 4450 Series and another switch with MTU 1950 and then the
VSP 4450 Series was later configured for fragmentation, the following behavior occurs:
• If the ONA MTU is less than 1594, the tunnel to the other switch will go DOWN.
• If the ONA MTU is 1594 and above, the tunnel will stay UP, but any fragmented packets received
from the VSP 4450 Series will be lost at the other switch site.

RFC4963 and RFC4459 Considerations

The ONA 1101GT provides for the IP MTU of the Network port to be reduced from the default setting
of 1950 bytes to 1500 bytes or lower. The MTU reduction feature with Fabric Extend is provided to
facilitate the connection of two Fabric Connect networks over an IP network with any MTU without
requiring end stations on the networks to reduce their MTU. The ONA 1101GT with the IP MTU of the
network port set to 1500 bytes will fragment Fabric Extend VXLAN tunnel packets exceeding 1500
bytes. The ONA 1101GT will also reassemble fragmented Fabric Extend VXLAN tunnel packets at the
tunnel termination point. RFC 791 describes the procedure for IP fragmentation, transmission, and
reassembly of datagrams. RFC 4963 and RFC 4459 detail limitations and network design considerations
when using fragmentation, to avoid out-of-order packets and performance degradation.

The following list identifies factors that can impact performance:
• The link speed per VXLAN IP address should be slower than 1G to avoid reassembly context
exhaustion.
• ECMP and link aggregation algorithms in the IP core should be configured not to use UDP port
hashing, which could send IP fragments after the first fragment on different paths and cause
out-of-order packets, because subsequent fragments do not carry UDP port information.

Important
Different MTU sizes on each end can result in traffic drops.
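
The out-of-order risk named in the ECMP bullet above can be modelled directly. The following Python sketch is an added example, not code from this guide or from Extreme Networks: it applies RFC 791 fragmentation to a 1950-byte tunnel packet at an IP MTU of 1500 and hashes every fragment onto one of several equal-cost paths. The addresses, UDP port 4789, the source-port range, and the SHA-256-based path hash are assumptions of the model, not VOSS or ONA behaviour.

```python
"""Model: RFC 791 fragmentation of a VXLAN/UDP tunnel packet and per-fragment ECMP hashing."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HEADER = 20      # IPv4 header without options, in bytes
UDP_PROTO = 17
VXLAN_PORT = 4789   # IANA-assigned VXLAN port; assumed for the tunnel in this model


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    offset: int                        # byte offset of the data within the original IP payload
    data_len: int                      # IP payload bytes carried by this fragment
    more_fragments: bool               # MF flag
    ports: Optional[Tuple[int, int]]   # UDP (source, destination); present only at offset 0

    @property
    def total_len(self) -> int:
        return IP_HEADER + self.data_len


def fragment(src: str, dst: str, sport: int, dport: int,
             packet_len: int, mtu: int) -> List[Fragment]:
    """Fragment an IPv4/UDP packet of packet_len bytes (IP header included) for an IP MTU."""
    payload = packet_len - IP_HEADER
    if packet_len <= mtu:
        return [Fragment(src, dst, 0, payload, False, (sport, dport))]
    step = (mtu - IP_HEADER) // 8 * 8  # every fragment but the last carries a multiple of 8 bytes
    if step <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags, offset = [], 0
    while offset < payload:
        size = min(step, payload - offset)
        more = offset + size < payload
        # The UDP header sits at the start of the IP payload, so only offset 0 exposes ports.
        frags.append(Fragment(src, dst, offset, size, more,
                              (sport, dport) if offset == 0 else None))
        offset += size
    return frags


def reassembled_len(frags: List[Fragment]) -> Optional[int]:
    """Length of the rebuilt packet, or None when a fragment is missing."""
    expected = 0
    ordered = sorted(frags, key=lambda f: f.offset)
    for f in ordered:
        if f.offset != expected:
            return None
        expected += f.data_len
    if not ordered or ordered[-1].more_fragments:
        return None
    return IP_HEADER + expected


def ecmp_path(frag: Fragment, n_paths: int, use_l4: bool) -> int:
    """Pick a path index from the header fields a transit router can read in this packet."""
    key = f"{frag.src}|{frag.dst}|{UDP_PROTO}"
    if use_l4 and frag.ports is not None:
        key += f"|{frag.ports[0]}|{frag.ports[1]}"
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def flows_split(n_paths: int, use_l4: bool, mtu: int = 1500, packet_len: int = 1950) -> int:
    """Count constructed tunnel flows whose fragments land on more than one path."""
    split = 0
    for sport in range(49152, 49216):   # 64 constructed source ports
        frags = fragment("192.0.2.1", "192.0.2.2", sport, VXLAN_PORT, packet_len, mtu)
        if len({ecmp_path(f, n_paths, use_l4) for f in frags}) > 1:
            split += 1
    return split


if __name__ == "__main__":
    for f in fragment("192.0.2.1", "192.0.2.2", 49152, VXLAN_PORT, 1950, 1500):
        print(f.offset, f.total_len, f.more_fragments, f.ports)
    print("flows split, L3-only hash:", flows_split(4, use_l4=False))
    print("flows split, L3+L4 hash: ", flows_split(4, use_l4=True))
```

With address-only hashing every fragment of a flow follows the same path; once the hash includes UDP ports, the first fragment and the later ones are keyed differently and can diverge.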

Layer 2 Logical IS-IS Interfaces

Layer 2 logical IS-IS interfaces are created using VLANs. Different Layer 2 network Service Providers can
share the same VLAN as long as they use different ports or MLT IDs.

Note
Exception: Layer 2 logical IS-IS interfaces are not supported on XA1400 Series.

MTU Minimum in Layer 3 Core Networks

Service provider IP connections must be at least 1594 bytes to establish IS-IS adjacency over FE tunnels.
The 1594 bytes includes the actual maximum frame size with MAC-in-MAC and VXLAN headers. If this
required MTU size is not available, a log message reports that the IS-IS adjacency was not established.
MTU cannot be auto-discovered over an IP tunnel so the tunnel MTU will not be automatically set. The
default MTU value is 1950.

If the maximum MTU size has to be less than 1594 bytes, then you require fragmentation
and reassembly of packets. The XA1400 Series and the VSP 4450 Series/ONA combination support
fragmentation and reassembly, but you must have either an XA1400 Series or a VSP 4450 Series with
ONAs at BOTH ends of the IP WAN connection.

IP Shortcuts

The tunnel destination IP cannot be reachable through an IP Shortcuts route.

Important
If you enable IP Shortcuts and you are using the GRT as the tunnel source VRF, you must
configure an IS-IS accept policy or exclude route-map to ensure that tunnel destination IP
addresses are not learned through IS-IS.
If you enable IP Shortcuts and you are using a VRF as the tunnel source VRF, this is not an
issue.
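
The IP Shortcuts rule above and the two Tunnel Source IP bullets earlier in this section can be checked offline against exported routing data. The following Python audit is an added example, not a VOSS tool or code from this guide: the Route and Tunnel records, the "grt" and "wan" VRF labels, the finding names, and all addresses are constructed for illustration.

```python
"""Audit constructed Fabric Extend tunnel data against the routing rules in this section."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Route(NamedTuple):
    vrf: str        # "grt" is this example's label for the Global Routing Table
    prefix: str
    protocol: str   # for example "local", "static", "isis"


class Tunnel(NamedTuple):
    name: str
    vrf: str          # tunnel source VRF
    source: str       # tunnel source IP address
    destination: str  # tunnel destination IP address


def covering(routes: List[Route], vrf: str, address: str):
    """All routes in one VRF that contain address, most specific first."""
    ip = ipaddress.ip_address(address)
    nets = [(ipaddress.ip_network(r.prefix), r) for r in routes if r.vrf == vrf]
    hits = [(net, r) for net, r in nets if ip in net]
    return sorted(hits, key=lambda item: item[0].prefixlen, reverse=True)


def best_routes(routes: List[Route], vrf: str, address: str) -> List[Route]:
    """Longest-prefix match; returns every route tied at the longest prefix length."""
    hits = covering(routes, vrf, address)
    if not hits:
        return []
    longest = hits[0][0].prefixlen
    return [r for net, r in hits if net.prefixlen == longest]


def audit(tunnels: List[Tunnel], routes: List[Route],
          redistributed_into_isis: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (tunnel name, finding) pairs in tunnel order."""
    findings = []
    for t in tunnels:
        hits = covering(routes, t.vrf, t.destination)
        best = best_routes(routes, t.vrf, t.destination)
        if not hits:
            findings.append((t.name, "no-route-to-destination"))
        elif any(r.protocol == "isis" for r in best):
            # The tunnel destination would resolve through an IS-IS learned route.
            findings.append((t.name, "destination-via-isis"))
        elif any(r.protocol == "isis" for _, r in hits):
            # An IS-IS route overlaps the destination but a more specific route wins today.
            findings.append((t.name, "isis-overlap-not-best"))
        src = ipaddress.ip_address(t.source)
        permitted = redistributed_into_isis.get(t.vrf, [])
        if any(src in ipaddress.ip_network(p) for p in permitted):
            # The route-map still permits the local route that holds the tunnel source.
            findings.append((t.name, "source-redistributed"))
    return findings


# Constructed sample data (documentation address ranges).
ROUTES = [
    Route("grt", "0.0.0.0/0", "static"),
    Route("grt", "203.0.113.0/24", "isis"),
    Route("grt", "198.51.100.0/24", "static"),
    Route("grt", "198.51.100.0/23", "isis"),
    Route("wan", "203.0.113.0/24", "static"),
]
TUNNELS = [
    Tunnel("fe-1", "grt", "192.0.2.1", "203.0.113.10"),
    Tunnel("fe-2", "grt", "192.0.2.1", "198.51.100.20"),
    Tunnel("fe-3", "wan", "192.0.2.129", "203.0.113.10"),
]
REDISTRIBUTED = {"grt": ["192.0.2.0/25"]}

if __name__ == "__main__":
    for name, finding in audit(TUNNELS, ROUTES, REDISTRIBUTED):
        print(name, finding)
```

The tunnel sourced from the "wan" VRF produces no finding even though its destination matches an IS-IS prefix in the GRT, which mirrors the statement that a VRF tunnel source avoids the issue.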

Layer 3 over Layer 2 Limitation

• The switch requires a single next hop (default gateway) for all tunnels.
◦ Over a Layer 3 core network, on a given outgoing port or MLT, there is no issue as the one router
next hop can support multiple VXLAN tunnels to one or more remote sites.
◦ For Layer 3 tunneling over a Layer 2 core, the switch without any specific configuration supports
only one Fabric Extend tunnel to one remote site. The workaround for this single next hop issue is
to create an additional VRF, VLAN, and loopback interface.

Note
This limitation does not apply to VSP 4450 Series.


• You cannot establish a Virtual IST (vIST) session over a logical IS-IS interface. IST hellos cannot be
processed or sent over a logical IS-IS interface if that is the only interface to reach BEBs in vIST pairs.

Assume that vIST is established over a regular network-to-network interface (NNI) and the NNI goes
down. If the vIST pairs are reachable through a logical IS-IS interface, then the vIST session goes
down in up to 240 seconds (based on the IST hold down timer). During this time, the error message
IST packets cannot be sent over Fabric Extend tunnels, vist session
may go down is logged.

Caution
Expect traffic loss when the vIST session is down or when the error message is being
logged.

Port Mirroring Resources

Port mirroring resources are limited to four ports simultaneously (where each mirroring direction counts
as one). For example, if two mirroring ports are designated to mirror both ingress and egress traffic
then all four mirroring ports are consumed.

Port mirroring shares these four resources with other applications such as port mirroring RSPAN,
Fabric Extend, Application Telemetry, IPFIX, and ACL with mirror action. Each one of these applications
consumes at least one port mirroring resource. (port mirroring RSPAN consumes two if you configure
both Ingress and Egress modes.)

Important
To enable any one of the preceding applications, you must have at least one free mirroring
resource. If all four port mirroring resources are already in use, the switch displays a
Resource not available error message when you try to enable the application.
The VSP 8600 Series uses the four reserved resources for port mirroring and ACLs that have
a mirroring action. For the other applications, this restriction does not apply because the
VSP 8600 Series uses mirroring resources that do not come out of the four reserved port
mirroring resources.

Fabric Extend over IPsec Limitations

• Fabric Extend over IPsec is only supported on XA1400 Series devices or on VSP 4900 Series and
VSP 7400 Series using Fabric IPsec Gateway.
• Only pre-shared authentication key IPsec parameters are user configurable. Other, third-party
solutions are not configurable.
• IKEv2 protocol key exchange only.
• IPsec support is only added for Fabric Extend tunnels.
• IPsec is not supported for regular Layer 3 routed packets.

ONA Considerations
Review the following restrictions, limitations, and behavioral characteristics that are associated with the
ONA.


ONA Network port requirements

The following are Network port mandatory requirements for configuring Fabric Extend on the VSP
4450 Series:
• The ONA Network port should not be part of any static/LACP MLT configurations.
• The ONA Network port should be part of a VLAN that belongs to the GRT.
• The ONA Network port that is configured on the switch cannot be tagged. It must be an Access
port.

ONA Device port requirements

The following are Device port mandatory requirements for configuring Fabric Extend on the VSP 4450
Series:
• The ONA Device port should not be part of any static/LACP MLT, VLAN, or brouter configurations.
• The ONA Device port should not be configured as an access port. It is automatically configured as a
trunk port when the ip-tunnel-source-address command is configured.
• The ONA Device port has to be connected directly to the VSP 4450 Series node where the FE
tunnels originate.

Layer 3 and Layer 2 ONA requirements

An ONA is required for Fabric Extend Layer 3 core solutions. An ONA is not required in Layer 2 core
solutions because the tunnels are point-to-point VLAN connections, not VXLAN. Therefore, there is no
need for an ONA to encapsulate a VXLAN header to SPB packets.

DHCP server

ONAs require access to a local DHCP server to automatically configure IP addresses. Configure an
untagged ONA management VLAN where the ONA is connected with its network side interface. If you
use DHCP, add a DHCP relay configuration to the ONA network side port so that the ONA can get an IP
address assigned from a DHCP server. Alternatively, you can manually configure its IP address and
other required settings with the ONA Manual Configuration menu.

IP tunnel source address

Before the ONA can get an IP tunnel source address from the VSP 4450 Series, the following steps must
be taken:
• Connect the Device and Network ports on the ONA to the VSP 4450 Series.
• Make sure that the ONA is connected to a DHCP server. If a DHCP server is unavailable, statically
configure an IP tunnel source address on the ONA.
• Create a Management VLAN on the ONA that includes the Network port.
• Designate the Device port for the IP tunnel source address in the configuration file.

The syntax for the IP tunnel source address is: ip-tunnel-source-address <A.B.C.D> port
<slot/port> [mtu <mtu_value>] [vrf WORD<1–16>].

Automatic routing of VXLAN packets on the VSP 4450 Series

If you configure an IP tunnel source address in a VRF instead of a GRT, then the VSP 4450 Series
automatically routes VXLAN packets from the ONA network port into the VRF configured as part of the
IP tunnel source. Although the ONA network port is a part of the management VLAN that is in the GRT,
for VXLAN encapsulated packets, the VSP 4450 Series automatically routes the packets into the VRF
in which the tunnel source IP address is configured. To do this, the VSP 4450 Series software
automatically sets up a filter rule that matches packets whose incoming port is the ONA network port
and that have a VXLAN header.

The Management VLAN on the VSP 4450 Series that is used to communicate with the ONA must
always be in a GRT and must not be a part of the IP tunnel source VRF.

Figure 68: Autorouting between GRT and VRF

ONA Gateway

The ONA gateway has to be a local IP address on the ONA Management VLAN. The ONA gateway IP
address must be the same as the local IP address of the VSP 4000 connected to the ONA.

Note
Extreme does not support ONA gateway IP addresses that are not local to the VSP 4450
Series. For example, you cannot use a VRRP IP address configured in a switch cluster for the
ONA gateway.

Maximum MTU

The ONA supports a maximum transmission unit (MTU) size of 1950 bytes. For the VSP 4450 Series to
work with a switch that supports Fabric Extend natively, the MTU size must be left at the default setting
of 1950. If the core network does not support jumbo frames, the VSP 4450 Series with ONA must be
used on all sites.

Fragmentation and reassembly

If the maximum MTU size has to be less than 1594 bytes, then you require fragmentation and
reassembly of packets. The VSP 4450 Series with ONAs supports fragmentation and reassembly, but you
must have VSP 4450 Series switches with ONAs at BOTH ends of the IP WAN connection.


QoS priority queues

The ONA 1101GT implements both Layer 2 and Layer 3 QoS. Specifically, it implements IEEE 802.1Q
VLAN TCI PCP (Priority Code Point) and IETF IPv4 DSCP (Differentiated Services Code Point).
These are implemented in hardware with the limitation that there are four Weighted Random Early
Detection (WRED) priority queues, numbered 4 (highest) to 7 (lowest). The following tables show the
mappings from the PCP and DSCP values in the packet to the priority queue.

The hardware puts each packet in 1 of the 4 HW queues in the following order:

1. If a packet is a tagged VLAN packet, the PCP field determines the priority queue. (Ethertypes
0x8100 and 0x88a8 identify tagged VLAN packets.)
2. If the packet is an IPv4 packet, the DSCP field determines the priority queue.
3. Use the highest priority queue (4).

The HW QoS is always enabled, and the CP to priority queue mappings are static.

The following table defines the 3 bit VLAN PCP value to queue number mapping. The queues are
numbered 4..7 with 4 being the highest priority and 7 the lowest priority.

Table 96: VLAN PCP to queue mapping


VLAN PCP    Queue Number
0           7
1           7
2           6
3           6
4           5
5           5
6           4
7           4

The following table defines the 6 bit IPv4 DSCP value to queue number mapping. The queues are
numbered 4..7 with 4 being the highest priority and 7 the lowest.

Table 97: IPv4 DSCP to queue mapping

IPv4 DSCP    VLAN PCP    Queue Number
0            1           7
1            1           7
2            1           7
3            1           7
4            1           7
5            1           7
6            1           7
7            1           7
8            2           6
9            1           7
10           2           6
11           1           7
12           2           6
13           1           7
14           2           6
15           1           7
16           3           6
17           1           7
18           3           6
19           1           7
20           3           6
21           1           7
22           3           6
23           1           7
24           4           5
25           1           7
26           4           5
27           4           5
28           4           5
29           1           7
30           4           5
31           1           7
32           5           5
33           1           7
34           5           5
35           5           5
36           5           5
37           1           7
38           5           5
39           1           7
40           6           4
41           5           5
42           1           7
43           1           7
44           1           7
45           1           7
46           6           4
47           6           4
48           7           4
49           1           7
50           1           7
51           1           7
52           1           7
53           1           7
54           1           7
55           1           7
56           7           4
57           1           7
58           1           7
59           1           7
60           1           7
61           1           7
62           1           7
63           1           7
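
The three-step queue selection order, combined with Tables 96 and 97, can be applied to raw Ethernet frames. The following Python classifier is an added example, not code from this guide or from the ONA firmware: the frames are constructed samples, and raising an error on a truncated frame is a choice of this example because the guide does not describe that case.

```python
"""ONA 1101GT queue selection order applied to raw Ethernet frames (constructed samples)."""
import struct
from typing import Optional, Tuple

VLAN_ETHERTYPES = (0x8100, 0x88A8)   # tagged VLAN packets, as listed in step 1
IPV4_ETHERTYPE = 0x0800
HIGHEST_QUEUE = 4                    # step 3 fallback

# Table 96: PCP 0-1 -> queue 7, 2-3 -> 6, 4-5 -> 5, 6-7 -> 4.
PCP_TO_QUEUE = {pcp: 7 - pcp // 2 for pcp in range(8)}

# Table 97, grouped by its "VLAN PCP" column; every DSCP not listed here maps to PCP 1.
_DSCP_BY_PCP = {
    2: (8, 10, 12, 14),
    3: (16, 18, 20, 22),
    4: (24, 26, 27, 28, 30),
    5: (32, 34, 35, 36, 38, 41),
    6: (40, 46, 47),
    7: (48, 56),
}
DSCP_TO_PCP = {dscp: 1 for dscp in range(64)}
for _pcp, _dscps in _DSCP_BY_PCP.items():
    for _dscp in _dscps:
        DSCP_TO_PCP[_dscp] = _pcp


def classify(frame: bytes) -> Tuple[str, Optional[int], int]:
    """Return (rule, code point, queue) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype in VLAN_ETHERTYPES:
        # Step 1: a tagged frame is classified on PCP alone; its DSCP is never consulted.
        if len(frame) < 16:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        pcp = tci >> 13
        return ("pcp", pcp, PCP_TO_QUEUE[pcp])
    if ethertype == IPV4_ETHERTYPE:
        # Step 2: DSCP is the upper six bits of the second IPv4 header byte.
        if len(frame) < 16:
            raise ValueError("truncated IPv4 header")
        dscp = frame[15] >> 2
        return ("dscp", dscp, PCP_TO_QUEUE[DSCP_TO_PCP[dscp]])
    # Step 3: everything else goes to the highest priority queue.
    return ("default", None, HIGHEST_QUEUE)


def ipv4_header(dscp: int) -> bytes:
    """Constructed 20-byte IPv4 header with only version/IHL and DSCP filled in."""
    return bytes([0x45, dscp << 2]) + bytes(18)


def build_frame(ethertype: int, payload: bytes, tag: Optional[Tuple[int, int, int]] = None) -> bytes:
    """Constructed frame with zeroed MAC addresses; tag is (TPID, PCP, VLAN ID)."""
    header = bytes(12)
    if tag is not None:
        tpid, pcp, vid = tag
        header += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    samples = {
        "untagged IPv4, DSCP 46": build_frame(0x0800, ipv4_header(46)),
        "tagged PCP 0, inner DSCP 46": build_frame(0x0800, ipv4_header(46), tag=(0x8100, 0, 100)),
        "S-tag PCP 5": build_frame(0x0800, ipv4_header(0), tag=(0x88A8, 5, 10)),
        "untagged ARP": build_frame(0x0806, bytes(28)),
    }
    for label, frame in samples.items():
        print(label, "->", classify(frame))
```

The second sample shows the consequence of the ordering: the same DSCP 46 packet drops from queue 4 to queue 7 once it carries a VLAN tag with PCP 0.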


Fabric Attach

Table 98: Fabric Attach product support


Feature                 Product            Release introduced
Fabric Attach Server    VSP 4450 Series    VOSS 5.0
                        VSP 4900 Series    VOSS 8.1
                        VSP 7200 Series    VOSS 5.0
                        VSP 7400 Series    VOSS 8.0
                        VSP 8200 Series    VOSS 5.0
                        VSP 8400 Series    VOSS 5.0
                        VSP 8600 Series    VSP 8600 6.3
                        XA1400 Series      Not Supported

With Fabric Attach, network edge devices that do not support Shortest Path Bridging (SPB), MAC-in-
MAC encapsulation (802.1ah) or service identifiers (I-SIDs) can take advantage of SPB infrastructure.
To attach to an SPB network, edge devices signal an SPB-aware FA Server to automatically configure
the I-SIDs. The edge devices can then utilize existing SPB features across the fabric and leverage SPB
infrastructure capabilities without manual configuration. Fabric Attach uses the IEEE 802.1AB Logical
Link Discovery Protocol (LLDP) to signal a desire to join the SPB network.

FA uses the client-server model. An initial handshake occurs between the FA Server and the FA
Client. After the discovery phase is complete, the FA Server accepts requests (from FA Clients) to add
the C-VID (VLAN ID) and I-SID elements in the SPB network, and also automatically configures the
necessary C-VID and I-SID. The FA Server then responds with an acknowledgement of whether the
request succeeded. FA Clients can also be aggregated into a proxy device that handles the handshakes
and requests on behalf of many clients, to the server. All of the discovery handshakes and I-SID
mapping requests are then transferred using LLDP Type, Length, Value (TLV) fields.

FA leverages LLDP to discover directly connected FA peers and to exchange information associated
with FA between those peers. Based on the LLDP standard, FA information is transmitted using
organizational TLVs within LLDP Protocol Data Units (PDU).


FA Zero Touch Client Attachment

Table 99: Fabric Attach Zero Touch Client Attachment product support
Feature                                       Product            Release introduced
Fabric Attach Zero Touch Client Attachment    VSP 4450 Series    VOSS 6.0
                                              VSP 4900 Series    VOSS 8.1
                                              VSP 7200 Series    VOSS 6.0
                                              VSP 7400 Series    VOSS 8.0
                                              VSP 8200 Series    VOSS 6.0
                                              VSP 8400 Series    VOSS 6.0
                                              VSP 8600 Series    VSP 8600 6.3
                                              XA1400 Series      Not Supported

FA Zero Touch Client Attachment eases the configuration process on FA-capable devices by automating
specific configuration tasks required for FA functionality.

Note
Only the base functionality of Zero Touch Client Attachment is supported.

After you initially configure Zero Touch Client Attachment on the FA Server, the settings are exported to
receiving FA devices, where the required configuration tasks are automatically performed.

Base Zero Touch Client Attachment operation is tightly coupled with FA operation. Although you can
enable or disable Zero Touch Client Attachment separately from FA, the feature is dependent on data
that is only available during exchanges between the FA Server and FA Proxies, after a primary FA Server
has been selected. By default, base Zero Touch Client Attachment support is enabled.

Base Zero Touch Client Attachment operation, when enabled, extracts management VLAN data from
the primary FA Server advertisements and uses this data to update the in-use management VLAN
if applicable. An FA Client can also utilize FA-provided management VLAN data after the FA Proxy or
Server is discovered.

Zero Touch is active when the following criteria are met:


• On an FA Proxy:
◦ Zero Touch Client Attachment is enabled
◦ Fabric Attach is enabled
◦ A primary FA Server is discovered and selected
• On an FA Server:
◦ Zero Touch Client Attachment is enabled
◦ FA is enabled
◦ FA Proxies or FA Clients are discovered

The switch supports configurable VLANs in the range of 1 to 4059. VLAN 0 is invalid. VLAN ID 1 is the
default VLAN and you cannot create or delete VLAN ID 1. VLAN IDs on the switch range from 2 to 4094
but, by default, the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support
the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the
system also reserves VLAN IDs 3500 to 3998.

Note
You must enable Base Zero Touch auto-client attach and define the target Fabric Attach
client in order to initiate Zero Touch Client Attachment processing.

FA Signaling generated by an FA Proxy or Server contains management VLAN data. If the management
VLAN advertised by the primary FA Server differs from the management VLAN currently configured on
the FA Proxy, Zero Touch Client Attachment initiates the following:
• VLAN creation — If the FA Server-specified management VLAN does not exist on the FA Proxy, Zero
Touch Client Attachment creates a port-based VLAN.
• Management VLAN update — The created port-based VLAN becomes the designated management
VLAN for the FA Proxy. No operations related to the previous management VLAN, such as port
membership updates or VLAN deletion, are performed.
• Port VLAN membership update (FA Proxy/Server) — If required, Zero Touch Client Attachment
updates the port VLAN membership to ensure that the uplink port through which the primary FA
Server is accessed is a member of the management VLAN, for network accessibility.
• Port Default VLAN (PVID) update — The port-based PVID is automatically updated based on the
VLAN ID value.
• Port Default Priority update — The default 802.1p user priority for the port is updated based on the
specified port priority value of the Zero Touch client (range is 0–7).
• Zero Touch Client Specification removal — All Zero Touch client-related settings are updated based
on the FA client discovery. Deleting a Zero Touch client specification or disabling any related Zero
Touch option does not result in the immediate removal of any previously applied settings.

Note
The FA Proxy does not update the acquired management VLAN if the primary FA Server is
lost. This data is updated if the management VLAN advertised by the current primary FA
Server changes or if another primary FA Server is selected and new management VLAN data
is advertised by the server.
Management VLAN and port membership updates performed by Zero Touch are maintained
in non-volatile storage and are restored following a system reset. You must remove or update
these configuration settings if they are deemed unnecessary at a later time.

• IP Address Source Mode Update — Updates the IP address source mode of the receiving device to
DHCP-When-Needed, to initiate DHCP-based IP address acquisition if necessary.
• Automation of the FA Client Port Mode — Automates the configuration of EAP port modes based
on the type of discovered FA Clients. Applies to FA Proxy and FA Server devices. Automated
configuration is applied only to FA-enabled ports.
• ZTC Installation — Initiates ZTC installation on applicable ports on the receiving device. Applies to
FA Proxy and, in a limited manner, to FA Server devices. Automated configuration is applied only to
FA-enabled ports.


• Auto Trusted FA Client Port Mode — Initiates automatic QoS interface class update based on the
type of discovered FA clients. Applies to FA Proxy and FA Server devices. Automated configuration
is applied only to FA-enabled ports.
• Auto PVID FA Client Port Mode — Initiates automatic port PVID, port management VLAN
membership and post tagging mode based on the type of discovered FA device. Applies to FA
Proxy and FA Server devices. Automated configuration is applied only to FA-enabled ports. This
configuration is incompatible with the automatic FA Client Port Mode and ZTC Automatic attach
options.

Fabric Attach Components


FA components dynamically communicate with each other using FA signaling.

FA Signaling

FA defines organizationally specific TLVs within the standard LLDP protocol to exchange
messages and data among the components of an FA solution. The FA TLVs facilitate handshaking
and authentication, the processing of requests to create services, and the responses that indicate
whether those requests succeeded. In addition, these services are deleted when the service requests are
terminated, or when the authentication criteria are no longer valid. All components that participate in
FA must be able to send, receive, and interpret the FA TLVs.

FA Components

FA includes the following network elements as components:


• FA Server:

An SPB-capable switch at the edge of a Fabric Connect cloud.

An FA Server receives requests from FA Clients or FA Proxies to create services with specific
I-SID-to-VLAN bindings. The FA Server completes the association between conventional networks
and fabric-based virtual service networks. For more details on the operation of an FA Server, see
Fabric Attach Server on page 982.
• FA Proxy:

A network switch that supports the definition of I-SID-to-VLAN assignments and has the ability to
advertise these assignments for possible use by an FA Server. FA Proxy switches also support the
client mode for directly attached users or end devices. Typically, FA Proxies support downstream FA
Client devices, while being directly connected to an upstream FA Server device.
• FA Client:

A network attached end-point device that advertises I-SID-to-VLAN binding requests for service
creation, to an FA Proxy or an FA Server. FA Clients use FA signaling to automatically attach to fabric
services.

Fabric Attach Server

FA Server operation

In an FA solution, the FA Server performs the role of connecting FA Clients and FA Proxies to the SPB
fabric, with minimal configuration. As part of the discovery handshake between the FA Server and client
or proxy devices, LLDP PDUs are exchanged. Using standard LLDP, the FA Server learns neighbors,
that include the proxy and client devices. In addition, the FA Server transmits organizational-specific
element-discovery TLVs that are used by the client or proxy device to recognize its attachment to the
FA Server.

Figure 69: Fabric Attach Server connecting client or proxy devices to the Fabric network

After the initial discovery handshake is complete, the client or proxy device transmits I-SID-to-VLAN
assignment mapping requests to the FA Server to join the SPB fabric. These requests include the C-VID
(VLAN ID) and the I-SID that the client or proxy device needs to join. The FA Server then creates the
requested C-VID and I-SID on its device. It then responds with a PDU (containing the FA-specific TLV) to
indicate whether the request succeeded. The I-SID thus created is an ELAN I-SID with endpoints of type
Switched UNI. After I-SID creation, the I-SID is also advertised to the SPB network by IS-IS.

The traffic that is sent to or received from the SPB cloud is MAC-in-MAC (MiM) encapsulated. The FA
Server, being SPB-capable, decapsulates the MiM traffic. If the I-SID matches the I-SID created on behalf
of the client or proxy, the FA Server sends the traffic to that client or proxy and passes it on the C-VID
that it expects.

FA Server configuration

An FA Server can be configured at two levels—global and interface.

Configuration at the global level enables or disables FA on the entire switch. However, for attachment
of clients or proxy devices, you must also configure FA at the interface level. Interfaces can be ports
(including channelized ports), MLTs, SMLT or LACP MLTs. Enabling FA on an interface also enables
transmission of LLDP packets that contain the FA-specific TLVs.

When you disable FA on an interface, LLDP transmission automatically stops on that interface.

Caution
Disabling FA or IS-IS triggers a flush of FA information on the switch. Disabling FA at the
global level flushes all FA element-discovery information and mappings. Disabling at the
interface level flushes element-discovery information and mappings associated with that
interface.

Important
The only provisioning mode supported on the FA Server is SPB.


FA Proxies and FA Clients


The configuration mode of FA Proxies and FA Clients is not supported. However, in an FA solution, the
FA Server interacts with FA Proxies and FA Clients by accepting LLDP PDUs (containing FA TLVs) and
using them to automatically create Switched UNI I-SIDs and endpoints, based on the mapping requests
contained in those TLVs. For more information, see FA TLVs on page 984.

Fabric Attach operation


The following sections detail FA operation.

FA TLVs

FA leverages LLDP to discover directly connected FA peers and to exchange information associated
with FA amongst those peers. FA information is transmitted using company-specific proprietary
organizational Type, Length, Value (TLV) fields within LLDP Protocol Data Units (PDU). The following
section describes the TLVs for FA.

FA uses two TLVs:


• FA Element TLV
• FA Assignment TLV

FA Element TLV

The FA Element TLV is used by FA elements to advertise Fabric Attach capabilities. This data forms the
basis for FA element discovery and is used in the initial handshake between the FA Server and a client
or proxy device.

Figure 70: FA Element TLV format

Table 100: FA Element TLV field descriptions

Field: Description

TLV Type: Indicates whether the discovered element is a client or a proxy device.

OUI and Subtype: The information in these fields is used in LLDP packet handling.

HMAC-SHA Digest: Data integrity and source validation are supported through HMAC-SHA256 message
authentication. This field supports a digest exchange between the source and destination devices.
Symmetric private keys are used for digest generation. The HMAC-SHA256 generated digest size is
32 octets.
The HMAC-SHA256 digest is computed starting with the Element Type data, that is, it starts at
zero-based byte 38 of the TLV. The digest is then placed in the HMAC-SHA256 Digest field in the
TLV prior to transmission. Upon receipt, the digest is again computed and the resulting digest is
compared against the received digest. If the received digest is the same as the newly computed
digest, the TLV is considered valid and processing commences. If the comparison fails, the TLV is
discarded and processing is terminated.

Caution:
If FA communication occurs between non-secure systems, the HMAC-SHA256 Digest data must always
be zero. If one system operates in secure mode and the other operates in non-secure mode, the FA
Element TLV is discarded before it is processed by the system operating in secure mode.

Element Type: Indicates the supported element type. The primary element types are the FA Server,
FA Proxy and FA Client.
An FA Server is an SPB capable device that accepts externally generated I-SID-to-VLAN assignments.
An FA Proxy is a non-SPBM device that supports I-SID-to-VLAN assignment definitions and advertises
these assignments for possible use by an FA Server. An FA Client, also a non-SPBM device,
advertises I-SID-to-VLAN assignments to a directly connected FA Proxy or an FA Server. Both
tagged and untagged FA Client connections are supported.
The list of supported element types and their values are:
• FA Element Type - Other (1)
• FA Server (2)
• FA Proxy (3)
• FA Server No Authentication (4)
• FA Proxy No Authentication (5)
• FA Client - Wireless Access Point Type 1, which directly attaches to the SPBM network.
• FA Client - Wireless Access Point Type 2, which is tunneled to a controller.
• FA Client - Switch (8)
• FA Client - Router (9)
• FA Client - IP Phone (10)
• FA Client - IP Camera (11)
• FA Client - IP Video (12)
• FA Client - Security Device (13)
• FA Client - Virtual Switch (14)
• FA Client - Server/Endpoint (15)

State: Indicates the link tagging requirements in FA Client-sourced frames. This field also
indicates the current provisioning mode.
The Link VLAN Tagging bit (bit 1) has one of the following values:
• 0: indicates that all traffic on the link is tagged. In this case, all discovered FA Clients are
treated as tagged.
• 1: indicates that traffic on the link is either tagged or untagged. Here, all discovered FA
Clients are treated as untagged.
The automatic provisioning mode bits (bits 2 and 3) always have the value 1 for SPB provisioning.
The switch only supports the SPB provisioning mode.

Mgmt VLAN: When you configure a management VLAN on the FA Server, it is included in this field in
FA Server or FA Proxy sourced frames, and is used to support management VLAN auto-configuration
on the downstream proxy and client devices.

System ID: This field contains connection information that a TLV recipient can use to enforce
connectivity restrictions.
It contains the system MAC address (6 octets) for MLT configurations and the virtual BMAC address
for vIST and SMLT configurations. It also contains information on the connection type such as MLT
or SMLT.

Limitations
• The FA Element TLV exists only once in an LLDP PDU and is included in all PDUs when the FA
service is enabled.
• The maximum length of the FA Element TLV is 56 bytes.

FA I-SID-to-VLAN Assignment TLV

The FA I-SID-to-VLAN Assignment TLV is used by FA Clients to distribute I-SID-to-VLAN assignments
that need to be supported by an FA Proxy or an FA Server.

Figure 71: FA Assignment TLV format


FA I-SID-to-VLAN Assignment TLV fields


Some fields are common to both the FA Element and FA Assignment TLVs. The following fields are
specific only to the FA Assignment TLV.

TLV Field: Description

HMAC-SHA Digest: The HMAC-SHA256 digest is computed for the series 1 to 94 of I-SID-to-VLAN
assignments, that is, the data for the digest computation starts at zero-based byte 38 of the TLV.
The digest is then placed in the HMAC-SHA256 Digest field in the TLV prior to transmission. Upon
receipt, the digest is again computed for the series 1 to 94 of I-SID-to-VLAN assignments in the
received TLV and the resulting digest is compared against the received digest. If the received
digest is the same as the newly computed digest, the TLV is considered valid and processing can
commence. If the comparison fails, the TLV is discarded and processing is terminated.

Caution:
If FA communication occurs between non-secure systems, the HMAC-SHA256 Digest data must always
be zero. If one system operates in secure mode and the other operates in non-secure mode, the FA
I-SID-to-VLAN Assignment TLV is discarded before it is processed by the system operating in secure
mode.

Assignment status: Indicates whether the FA Server accepted or rejected the I-SID-to-VLAN mapping
request from a client or proxy device.

VLAN: Indicates the C-VID value advertised by the client or proxy device in the FA I-SID-to-VLAN
mapping request.

I-SID: Indicates the I-SID that is advertised by a client or proxy device in the FA I-SID-to-VLAN
mapping request. This I-SID is used to create a Switched UNI (ELAN) I-SID.

Note:
This I-SID cannot be used by IPVPN, MVPN, SPBM dynamic multicast range, or Transparent Port UNI.

Limitations
• The FA I-SID-to-VLAN Assignment TLV is included in an LLDP PDU only if the FA Server and proxy
or client devices are directly connected to each other.
• This TLV can exist only once in an LLDP PDU.
• The size limit of this TLV is 511 bytes. This limits the maximum number of I-SID-to-VLAN assignments
supported in an LLDP PDU to 94.
• For an FA I-SID-to-VLAN Assignment TLV to be processed, the FA Element TLV must also be
present in the LLDP PDU.

FA Element Discovery

The first stage of establishing FA connectivity is element discovery.

On an FA Server, FA is enabled globally by default. However, you must explicitly enable FA on a desired
port or MLT interface. After FA is enabled, the FA Server begins transmitting LLDP PDUs that contain
the element discovery TLVs. This information is received by FA Client and FA Proxy devices which in
turn also transmit their FA capabilities and settings. After the element handshake completes, the FA
Server receives I-SID-to-VLAN assignment mappings from the connected client or proxy devices.


An FA Server can communicate with multiple different FA Client and FA Proxy devices.

FA data processing

In the following FA deployment, a client device (Client 1) attaches to the FA Server (FA Server 1) using a
proxy device. Another client device (Client 2) attaches to the FA Server (FA Server 2) at the other edge
of the network. The following section describes how data is processed when data traffic is transmitted
from Client 1 to Client 2.

When Client 1 successfully attaches to FA Server 1, FA Server 1 creates a unique I-SID-to-VLAN mapping
for Client 1 on its device. This mapping contains the I-SID and C-VID advertised by Client 1, using the FA
Assignment TLV. For example, assume that Client 1 advertises I-SID 200 and C-VID 250.

Similarly, when Client 2 attaches to FA Server 2, FA Server 2 creates an I-SID-to-VLAN mapping for
Client 2 on its device with, for example, I-SID 200 and C-VID 100. This is depicted in the following figure.

Figure 72: Learning of I-SID-to-VLAN mappings


When data traffic ingresses FA Server 1 at the FA-enabled port 1/1, it contains the C-VID of Client 1,
which is 250. The data is VLAN-encapsulated at this stage. As traffic egresses FA Server 1 into the SPB
cloud, it is encapsulated with the ELAN I-SID created on FA Server 1 on behalf of Client 1, that is, I-SID
200. The traffic is now MiM encapsulated with I-SID 200.

The following figure depicts VLAN encapsulation of data traffic from the FA Client to the FA Server (at
either end of the SPB cloud) and its MiM encapsulation as it traverses the SPB cloud.

Figure 73: Data encapsulation — VLAN encapsulation and MiM encapsulation


As traffic exits the SPB cloud and ingresses the remote FA Server 2, it continues to be MiM encapsulated
with I-SID 200.

At FA Server 2, the MiM traffic is decapsulated. Since the I-SID in the data packet matches the I-SID
created on its device on behalf of Client 2, FA Server 2 prepares to send traffic to Client 2. At this stage,
to successfully transmit the data traffic to Client 2, FA Server 2 must additionally know the C-VID that
Client 2 expects traffic on. This information is obtained from the I-SID-to-VLAN mapping on FA Server
2 created on behalf of Client 2, which is C-VID 100. Thus FA Server 2 translates the C-VID in its data
packets to this VLAN ID, and then passes it on to Client 2.

The following figure depicts the typical MiM encapsulation of a data packet. The B-DA and B-SA
components indicate the system ID of the FA Server running SPB.

Figure 74: MiM encapsulation

FA Server and I-SID-to-VLAN Assignments

FA Client or FA Proxy devices advertise I-SID-to-VLAN assignments to be supported on the FA Server.
These assignments can be accepted or rejected by the FA Server. All communication between FA
Proxies or Clients and the FA Server uses LLDP. Successful assignments result in the creation of
Switched UNI I-SIDs and endpoints based on the mapping requests.


The FA Server rejects I-SID-to-VLAN assignment requests if:


• FA is not configured properly on the port or MLT.
• Router IS-IS is disabled.

Note
For Fabric Attach to operate properly and for the FA Server to accept I-SID-to-VLAN
assignment requests, IS-IS must be enabled.
The following error message is logged only once in the log file, immediately after IS-IS is
disabled. The system does not display it again when an assignment request is made from the
FA Proxy.
CP1 [12/04/15 00:33:49.733:UTC] 0x00374589 00000000
GlobalRouter FA INFO Fabric Attach Assignments will be rejected
since ISIS is disabled.

• The C-VID and I-SID are not within the supported range.

Different hardware platforms support different customer C-VID ranges. The value 4095 is not
supported. The value 4096 indicates that the port is untagged. An I-SID value of 0 is not supported
on the FA Server.
• The I-SID is already assigned to an IP VPN.

The system displays the error message I-SID is already assigned to an IPVPN.
• The I-SID is already in use for SPB multicast.

The system displays the error message SPB Multicast is enabled, ISID 16000000
and greater reserved for dynamic data-isid's used to carry Multicast
traffic over SPB.
• The I-SID has a value that is reserved for internal use.
• The I-SID cannot be used in an IS-IS accept policy.
• The I-SID is associated with a platform VLAN and that VLAN is used as a private VLAN (that is, has a
secondary VLAN specified).
• The I-SID is already in use for Transparent Port UNI.
• The port that receives the I-SID-to-VLAN assignment is a member of an MLT, but FA is not
successfully enabled on that MLT interface.
• There is a resource error on the FA Server system, such as lack of memory.
• The number of I-SID-to-VLAN assignments on a port exceeds the maximum limit, which is 94.
• The number of I-SIDs on the switch exceeds the maximum limit.
• The same endpoint is configured on more than one I-SID.
• The port or MLT is associated with more than one C-VID in the same I-SID.

When the FA Server rejects I-SID-to-VLAN assignments, aside from viewing the log file, you can use
trace to troubleshoot the cause of rejection.

For an example on troubleshooting rejection of I-SID-to-VLAN assignments on the FA Server and for
more information on using trace, see Troubleshooting Fabric Attach on page 3684.
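
A simplified model of the acceptance checks listed above, added here as a Python example (it is not VOSS code): it applies the range, reservation, endpoint-uniqueness and 94-per-port rules to a planned set of bindings before they are deployed. `ServerModel`, its fields, the reason strings and the default C-VID ceiling of 4094 are assumptions made for the example.

```python
from dataclasses import dataclass, field

MAX_ASSIGNMENTS_PER_PORT = 94      # per-port limit stated in the text
UNSUPPORTED_CVID = 4095            # value the text says is not supported
UNTAGGED_CVID = 4096               # value the text gives for an untagged port
MULTICAST_ISID_FLOOR = 16000000    # reserved range when SPB multicast is enabled
MAX_ISID = 0xFFFFFF                # the I-SID is a 24-bit value


@dataclass
class ServerModel:
    """Hypothetical stand-in for FA Server state, used only for pre-checks."""
    isis_enabled: bool = True
    spb_multicast: bool = False
    max_cvid: int = 4094                                  # assumption: platform-dependent
    fa_ports: set = field(default_factory=set)            # FA-enabled ports
    reserved_isids: dict = field(default_factory=dict)    # isid -> owner, e.g. "IPVPN"
    bindings: dict = field(default_factory=dict)          # (port, cvid) -> isid

    def check(self, port, cvid, isid):
        """Return None when the request is acceptable, else the rejection reason."""
        if not self.isis_enabled:
            return "IS-IS disabled"
        if port not in self.fa_ports:
            return "FA not enabled on port"
        if cvid == UNSUPPORTED_CVID:
            return "C-VID 4095 not supported"
        if cvid != UNTAGGED_CVID and not 1 <= cvid <= self.max_cvid:
            return "C-VID out of range"
        if not 1 <= isid <= MAX_ISID:
            return "I-SID out of range"
        if self.spb_multicast and isid >= MULTICAST_ISID_FLOOR:
            return "I-SID reserved for SPB multicast"
        if isid in self.reserved_isids:
            return "I-SID in use by " + self.reserved_isids[isid]
        existing = self.bindings.get((port, cvid))
        if existing == isid:
            return None            # same binding advertised again (example's choice)
        if existing is not None:
            return "endpoint already bound to another I-SID"
        on_port = [(c, i) for (p, c), i in self.bindings.items() if p == port]
        if any(i == isid for _, i in on_port):
            return "port already has a C-VID in this I-SID"
        if len(on_port) >= MAX_ASSIGNMENTS_PER_PORT:
            return "per-port assignment limit reached"
        return None

    def request(self, port, cvid, isid):
        """Check a request and record the binding when it is accepted."""
        reason = self.check(port, cvid, isid)
        if reason is None:
            self.bindings[(port, cvid)] = isid
        return reason


if __name__ == "__main__":
    # Constructed plan: port names and values are sample data.
    server = ServerModel(fa_ports={"1/1", "1/21"}, reserved_isids={300: "IPVPN"})
    plan = [("1/21", 100, 100), ("1/21", 101, 100), ("1/1", 4095, 10), ("1/1", 20, 300)]
    for port, cvid, isid in plan:
        print(port, cvid, isid, "->", server.request(port, cvid, isid) or "accepted")
```
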


FA management

You can configure a management I-SID on an FA-enabled port or MLT. This I-SID includes an optional
C-VID parameter, which is a VLAN ID that is locally significant to the port or MLT and does not represent
a platform VLAN.

Depending on whether the C-VID value is specified, the behavior is as follows:


• If the C-VID value is specified, the FA Server transmits this VLAN ID as the management VLAN in the
FA Element TLV. A client or proxy receiving this TLV uses this VLAN ID for management traffic on
the FA Server uplink.

Different hardware platforms support different customer C-VID ranges.


• If the C-VID value is not specified, the FA Server transmits a management VLAN with a VLAN ID
value of 4095 in the FA Element TLV. A client or proxy receiving this TLV uses untagged traffic for
network management on the FA Server uplink.

If you do not configure a management I-SID, the FA Server transmits a management VLAN ID value of 0
in the FA Element TLV. A client/proxy that receives the FA Element TLV retains the initial management
configuration (if any) on its device.

Limitations of FA management I-SIDs
• A management I-SID value of 0 is not supported on the FA Server.
• You cannot enable BPDU on a management I-SID.

FA management configuration considerations

A Switched UNI I-SID that is created when an FA assignment is learned on a port or MLT is uniquely
identified by a tuple comprising one of the combinations (port, I-SID and C-VID) or (MLT ID,
I-SID and C-VID). When you configure FA management, similar tuples are used. You can configure FA
management on an FA-enabled port or MLT on which FA assignment mappings are learned, as long as
the FA management tuple exactly matches the tuple created by the learned FA mapping.

The following scenarios describe the behavior when you configure FA management on a port or MLT
that also receives learned FA mappings, but the tuples do not match.
• Scenario 1: You attempt to configure FA management on a port or MLT where an FA assignment
mapping is already learned.

For example, consider an FA-enabled port 1/1 on which an assignment mapping is learned, with
I-SID 100 and C-VID 20. You can configure FA management on port 1/1 as long as the I-SID and
C-VID values exactly match that of the learned FA mapping. However, if you attempt to configure FA
management on the port with a different I-SID and C-VID value, the configuration is not successful
and an error message displays.
• Scenario 2: An FA assignment mapping is learned on a port or MLT that already has FA
management configured.

For example, consider that FA management is configured on port 1/1. If an FA assignment mapping
is learned on the port with the same I-SID and C-VID values as that of the FA management
configuration, then the mapping is accepted. Otherwise the mapping is rejected.


FA message authentication and integrity protection

For the security of FA communication in terms of data integrity and authenticity, a keyed-hash message
authentication code can be transmitted within every FA TLV.

It protects the I-SID-to-VLAN assignment exchanges between the FA Server and FA Proxy. The
standard HMAC-SHA256 algorithm calculates the message authentication code (digest) involving a
cryptographic hash function (SHA-256) in combination with a shared secret key. The key is symmetric,
that is, it is known by both the source and destination parties.

By default, on the FA Server, message authentication is enabled at the interface level and a default key
is defined to provide secure communication.

You can configure a different authentication key on an interface (port or MLT) on the FA Server, to
authenticate a client on that interface. The authentication key is stored in encrypted form when you
save configuration on the FA Server. For an FA Client to authenticate and attach to the FA Server, the
authentication key must match on both the client and the server. In general, the FA authentication key
must match between two FA components exchanging FA TLVs through LLDP.

When you enable FA message authentication, the message authentication key (default or configured)
generates a Hash-based Message Authentication Code (HMAC) digest that is included in the FA
I-SID-to-VLAN Assignment TLV. Upon receipt, the HMAC digest is recomputed for the TLV data and
compared against the digest included in the TLV. If the digests are the same, the data is valid. If
the digests are not the same, the data is considered invalid and is ignored.

The FA secure communication setting (enabled/disabled) and the symmetric key data are maintained
across resets and restored during FA initialization.
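
The digest check described in this section and in the FA TLV field descriptions, added here as a Python example (it is not code from this guide or from VOSS): it recomputes HMAC-SHA256 over the data from zero-based byte 38, compares in constant time, and handles the secure/non-secure mismatch. The key, OUI, subtype and payload bytes are constructed placeholders, and the digest position at bytes 6 to 37 is inferred from the 32-octet size and the byte-38 offset.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# From the text: the digest is 32 octets and the protected data starts at
# zero-based byte 38. A standard LLDP organizationally specific TLV opens with
# a 2-byte type/length word, a 3-byte OUI and a 1-byte subtype (6 bytes), so
# the digest is taken here to occupy bytes 6..37 (an inference).
HEADER_LEN = 6
DIGEST_LEN = 32
DATA_OFFSET = HEADER_LEN + DIGEST_LEN
ZERO_DIGEST = bytes(DIGEST_LEN)
LLDP_ORG_SPECIFIC = 127          # LLDP TLV type for organizationally specific TLVs

# Constructed sample values: placeholders, not real FA identifiers or keys.
SAMPLE_OUI = bytes(3)
SAMPLE_SUBTYPE = 0
SAMPLE_KEY = b"example-fa-key"
SAMPLE_DATA = bytes(range(14))   # stand-in for the fields from Element Type onward


def build_tlv(data: bytes, key: Optional[bytes]) -> bytes:
    """Assemble a TLV. key=None models a non-secure sender (all-zero digest)."""
    info_len = 3 + 1 + DIGEST_LEN + len(data)
    if info_len > 511:           # the LLDP length field is 9 bits wide
        raise ValueError("TLV information string too long")
    header = struct.pack("!H", (LLDP_ORG_SPECIFIC << 9) | info_len)
    header += SAMPLE_OUI + bytes([SAMPLE_SUBTYPE])
    if key is None:
        digest = ZERO_DIGEST
    else:
        digest = hmac.new(key, data, hashlib.sha256).digest()
    return header + digest + data


def verify_tlv(tlv: bytes, key: Optional[bytes]) -> Tuple[bool, str]:
    """Return (accepted, reason). key=None models a non-secure receiver."""
    if len(tlv) <= DATA_OFFSET:
        return False, "truncated"
    received = tlv[HEADER_LEN:DATA_OFFSET]
    data = tlv[DATA_OFFSET:]
    is_zero = hmac.compare_digest(received, ZERO_DIGEST)
    if key is None:
        # Non-secure systems exchange an all-zero digest. Rejecting anything
        # else on a non-secure receiver is this example's choice.
        return (True, "non-secure") if is_zero else (False, "unexpected-digest")
    if is_zero:
        # Secure receiver, non-secure sender: discard before processing.
        return False, "peer-non-secure"
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # compare_digest avoids leaking the position of the first differing byte.
    if hmac.compare_digest(received, expected):
        return True, "valid"
    return False, "digest-mismatch"


if __name__ == "__main__":
    good = build_tlv(SAMPLE_DATA, SAMPLE_KEY)
    tampered = bytearray(good)
    tampered[DATA_OFFSET] ^= 0x01                # one flipped bit in the data
    print(verify_tlv(good, SAMPLE_KEY))
    print(verify_tlv(bytes(tampered), SAMPLE_KEY))
    print(verify_tlv(build_tlv(SAMPLE_DATA, None), SAMPLE_KEY))
```
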

Fabric Attach and Switched UNI


With the C-VLAN UNI feature, I-SID-to-VLAN mappings must be unique across the network. With the
Transparent Port UNI (ELAN Transparent) feature, you can map an entire port or MLT to an I-SID.

With the Switched UNI feature, you can associate many different C-VID/port or C-VID/MLT list
combinations to a single I-SID.

Switched UNI and FA

FA brings the capability of automatically creating Switched UNI I-SIDs on a switch, without manual
intervention. The I-SIDs thus created are ELAN I-SIDs with endpoints of type Switched UNI, and are
by default for Layer 2. MAC learning takes place and there is an any-to-any relationship. For Layer 3
participation, you must configure a platform VLAN with the same I-SID value as that of the I-SID in a
learned FA mapping.

Note
The number of Switched UNI I-SIDs created is different for different product families. For
more information, see VOSS Release Notes.

Limitations of FA-created Switched UNI I-SIDs

• An FA-created Switched UNI I-SID is always ELAN.


• You cannot enable BPDU on an FA-created Switched UNI I-SID.


• The ELAN I-SIDs created are by default for Layer 2. For Layer 3 participation, you must manually
configure a platform VLAN with the same I-SID value as that of the I-SID in a learned FA mapping.
You can configure the platform VLAN with the same VLAN ID as that of the C-VID, or use a different
value.
• The Switched UNI (ELAN) I-SID cannot be used by IPVPN, MVPN, SPBM dynamic multicast range, or
a T-UNI.
• You cannot change from one UNI type to another dynamically. The I-SID must be deleted and
created with the new UNI type (Customer VLAN (C-VLAN), Transparent Port user-network-interface
(T-UNI), ELAN).
• If the port is a member of an MLT, you must add the entire MLT to the C-VID.
• The port is always in the forwarding state.
• You cannot associate a port or MLT with more than one C-VID in the same I-SID.
• The same C-VID, port or MLT cannot be a member of more than one I-SID. Different hardware
platforms support different customer C-VID ranges. The value 4095 is not supported and cannot be
configured. The value 4096 indicates that the port is untagged.
• An I-SID value of 0 is not supported on the FA Server.

Fabric Attach Deployment Scenarios


Fabric Attach is typically deployed in the access layer(s) of a Fabric Connect network.

Fabric Attach, when used with a Fabric Connect solution, provides the same capabilities at the access
layer, but those services and policies are now mapped across the entire network end-to-end. FA makes
user and end device attachment simple and creates network configuration and sets up resources only
when needed.

An FA Server can be connected to FA Client or FA Proxy devices on three types of interfaces, namely, a
port, MLT or an SMLT. The following sections discuss FA in SMLT and non-SMLT deployments.

FA and Switched UNI in non-SMLT deployments

The following deployment shows an SPBM network in which one edge has manually configured
Switched UNI I-SIDs and the other edge has Fabric Attach (FA). At the FA edge, the I-SIDs are learned
using FA TLVs and are automatically created on the FA Server as ELAN I-SIDs with Switched UNI
endpoints.

This deployment demonstrates that the FA-created I-SIDs can communicate with any other I-SID
(manually created Switched UNI or a C-VLAN with an I-SID), on the local switch or across the SPBM
fabric, as long as the I-SID values are the same.


BEB-B is a switch acting as the FA Server with a network-to-network interface (NNI) to the SPBM
cloud. FA Client and FA Proxy devices send I-SID-to-VLAN mapping requests to the FA Server on the
respective FA-enabled ports, using LLDP TLVs. This enables the I-SID endpoints to communicate with
the SPB cloud.

If several clients are aggregated in an MLT, at least one of the ports must send the mapping requests
for the FA Server to create the I-SID endpoints for that MLT. For example, let Client 2 be a wireless FA
Client (such as a WLAN 9100 AP device) on port 1/21 that sends an FA mapping request for I-SID 100
and C-VID (VLAN ID) 100. The FA Server (BEB-B) creates the requested I-SID 100 on its device, and
advertises it to the SPB cloud.

BEB-A has manually configured Switched UNI endpoints, one of which is Client 1 (connected at port 1/1)
using the same I-SID value 100.

With this setup, data traffic can freely flow between Client 1 and Client 2 through the two BEBs and the
BCB.

Thus the Switched UNI I-SIDs learned using FA TLVs on one edge of the Fabric Connect (SPBM)
network can communicate with the manually created I-SIDs on the other edge, as long as they both
have the same value.

FA and Switched UNI in SMLT deployments

The following examples discuss FA in dual-homed and single-homed SMLT deployments.

Fabric Attach in a dual-homed SMLT deployment

The following section describes FA in a dual-homed SMLT deployment. A pair of switches that operate
as IST peers act as the FA Server. An FA Proxy (typically a wiring closet switch or an access switch)
is connected to FA Clients and in turn to end devices. The FA Clients or FA Proxies advertise
I-SID-to-VLAN mappings, namely the interface C-VID and the I-SID, to the FA Server switches. Both
switches receive the mapping information using LLDP TLVs. The switch that learns the mapping first
from the LLDP TLV considers the I-SID endpoint to be discovered locally, and creates the I-SID on its
device. It then sends the mapping information to its peer switch. When the peer switch receives the
mapping across IST in a new SMLT message, it too creates the I-SID and endpoint on its device. This
I-SID, however, is considered to be discovered remotely, because the data was synchronized from its peer.

Note
• For the peer switches acting as the FA Server to transmit the same FA System ID (based
on the virtual MAC), SMLT configuration must be the same on both peers.
• For successful FA operation, configuration of FA message authentication and the
authentication key must be the same on both peers.
• For successful operation in Layer 3, a platform VLAN must be configured on both peers.
This is necessary for proper MAC learning.


Figure 75: FA in a dual-homed SMLT deployment


In the above example deployment, BEB-A and BEB-B are IST peers collectively acting as the FA Server.
FA TLVs sent from the clients (through the proxy) are learned on FA-enabled ports on BEB-A and
BEB-B. When BEB-A learns the mapping for the first time on its port, it creates an I-SID on its device.
This is considered locally discovered. In addition, it sends an SMLT message to its peer BEB-B, which
also creates the I-SID on its device. This time, the I-SID is considered remotely discovered. Similarly, if
BEB-B receives a mapping from a client for the first time, it creates an I-SID (locally discovered) and
also sends an IST message to its peer to create an I-SID (remotely discovered).

Irrespective of whether the I-SID creation on the FA peers is triggered by a local TLV event or
by messaging from the IST peer, they can both receive data traffic. Thus in a dual-homed SMLT
deployment, any I-SID can be learned irrespective of whether it is discovered locally, discovered
remotely or both.

Note
On the IST peers, if an FA TLV is learned on a port or normal MLT (instead of the admin SMLT),
only the I-SID is sent to the peer switch.

Fabric Attach in a single-homed SMLT deployment

In the single-homed SMLT, as shown in the following deployment, the FA Server creates either a locally
discovered I-SID (if received from a client using FA TLVs) or a remotely discovered I-SID (if synchronized
from its IST peer), but not both.


Figure 76: Fabric Attach in a single-homed SMLT deployment

Fabric Attach Considerations


Review the following restrictions, limitations, and behavioral characteristics for Fabric Attach.
• IS-IS and FA must be globally enabled on the FA Server, for FA to operate successfully.
• Static MAC, Static ARP and configuration of a static IGMP group are not supported on FA-enabled
ports.
• An FA port cannot be a BROUTER port.
• You cannot enable FA on an existing Transparent Port UNI or a C-VLAN UNI port.
• On VSP 8600 Series, you cannot enable FA on an existing Switched UNI.
• FA I-SID-to-VLAN assignment mapping requests from a client or proxy device can be accepted or
rejected by the FA Server.
• On an FA-enabled port or MLT, you must first disable LACP before you change the LACP key.
• You can only enable VLACP on an FA enabled MLT; VLACP is not supported on FA enabled non-MLT
ports.
• On VLACP enabled ports, FA and LLDP signaling run independently of the VLACP state. Therefore,
requests and responses are exchanged between the FA Server and client or proxy devices even if
VLACP is operationally down. However, forwarding of data traffic is dependent on VLACP being
operationally up on the port.

For example, if VLACP is enabled on the FA Server side of the link but not on the proxy or the client
side, the FA Server learns the I-SID-to-VLAN assignment mappings and creates the required I-SIDs
on its device. However, data traffic is not forwarded on the port until VLACP is operationally up.
• On VSP 4450 Series, you cannot use a port designated as a Fabric Extend tunnel source, configured
using the command ip-tunnel-source-address, for Fabric Attach.
• FA uses the virtual MAC to create the FA system ID when the FA is on an SMLT. If you delete the
SPBM instance, then this information is no longer available. Therefore, you must delete the FA on
SMLT before deleting the SPBM instance.

• You cannot enable FA and Endpoint Tracking simultaneously on the same interface.
• On VSP 8600 Series, dynamically learned Fabric Attach announced VLAN:ISID bindings and
manually configured Switched-UNI end-points are not supported on the same interface.

Endpoint Tracking

Table 101: Endpoint Tracking product support


Feature             Product            Release introduced
Endpoint Tracking   VSP 4450 Series    Not Supported
                    VSP 4900 Series    VOSS 8.7
                    VSP 7200 Series    VOSS 8.1.1
                    VSP 7400 Series    VOSS 8.1.1
                    VSP 8200 Series    VOSS 8.1.1
                    VSP 8400 Series    VOSS 8.1.1
                    VSP 8600 Series    Not Supported
                    XA1400 Series      Not Supported

Endpoint Tracking Overview


Endpoint Tracking provides dynamic assignment of virtual machines (VMs) to IP subnets as they attach
to a Shortest Path Bridging (SPB) cloud. Deployment scenarios include VMs connecting to DvR Leaf
nodes, or regular SPBM deployments.

Extreme Management Center or ExtremeCloud IQ - Site Engine is integral to the Endpoint Tracking
solution. Extreme Management Center or ExtremeCloud IQ - Site Engine delivers automation; there is
no need to manually configure server VLANs on data center access switches. Additionally, Extreme
Management Center or ExtremeCloud IQ - Site Engine provides the ability to see what VM MACs exist,
and where they are located.

Extreme Management Center or ExtremeCloud IQ - Site Engine's ExtremeConnect module integrates
with third-party virtualization software (such as VMware or Microsoft HyperV) and communicates with
the ExtremeControl module to automatically extract all of the VM MACs (including VLAN assignment
for each MAC) and then automatically create all of the necessary authentication profiles, rules and
mappings.

When the switch detects a new VM on a port, it sends a RADIUS request to Extreme Management
Center or ExtremeCloud IQ - Site Engine. ExtremeConnect checks with vCenter for the Port Group,
VLAN ID, and I-SID information that corresponds with the VM, communicates with the ExtremeControl
module for the RADIUS authentication, and sends the RADIUS response back to the switch with the
VLAN:ISID binding information. Based on the binding, the switch then automatically creates a dynamic
Switched UNI (S-UNI). Dynamic S-UNIs are not saved into the configuration file.

Typical Endpoint Tracking Implementation Example


The following example shows a typical implementation of Endpoint Tracking and the dynamic I-SID
assignment process, as provisioned in Extreme Management Center or ExtremeCloud IQ - Site Engine.

Figure 77: Endpoint Tracking Example


The sequence within and among the four example VLANs in this configuration is as follows:

1. The RADIUS server authenticates VM1, and the switch automatically creates a Switched UNI with a
VLAN 10 and I-SID 10 binding (using the outbound attributes received from the RADIUS server).
Subsequently, the server authenticates VM2, which uses the same Switched UNI.
2. Similarly, on the other side of the SPB cloud, the RADIUS server authenticates VM5 and the switch
automatically creates a Switched UNI with a VLAN 30 and I-SID 10 binding (using the outbound
attributes received from the RADIUS server). Subsequently, the server authenticates VM6, which
uses the same Switched UNI.
3. The same sequence occurs for VMs 3 and 4, and PCs 7 and 8, with the first authentication in each
VLAN providing the outbound RADIUS attributes needed for the creation of a Switched UNI for that
VLAN.
4. The final result is that VMs 1, 2, 5, and 6 can access each other on I-SID 10, and VMs 3, 4, 7, and 8 can
access each other on I-SID 20.

Static S-UNIs and Visibility Mode


Endpoint Tracking can also be used in cases where static S-UNIs are configured on Endpoint Tracking-
enabled ports. In this case, the MACs are allowed by default on the static S-UNI. However, by default,
the MACs learned on a static S-UNI are not learned at the Endpoint Tracking level. Endpoint Tracking
Visibility Mode allows tracking of MACs that are learned on static S-UNIs. This implies that a binding is
created for these MACs, but these bindings do not create dynamic S-UNIs; they are used for tracking
purposes only.

Interface Support
Endpoint Tracking is supported on Ethernet ports, MLTs, and SMLTs.

If the switch is a Virtual IST (vIST) peer, the dynamic Switched UNI is synchronized to its vIST peer as
follows:
• If the MAC is learned on an SMLT UNI interface, all Switched UNI information is synchronized to the
vIST peer.
• If the MAC is learned on a non-SMLT UNI interface, only the I-SID is synchronized to the vIST peer.

VM Moves and VLAN:ISID Bindings


When a VM moves to a new switch within a network (with no change to the VLAN segment), the
new switch triggers a new RADIUS authentication, which points that VM MAC to the new switch, and
new bindings are applied on the new switch. The old switch detects that the VM MAC is moved and
automatically deletes the old binding, if the old binding has not already aged out.

However, if a VM remains attached to the same (previously authenticated) switch, but the VLAN
segment is changed, you must push a reauthentication request from Extreme Management Center or
ExtremeCloud IQ - Site Engine to force the required binding updates. For more information about
managing binding updates using RADIUS Change-of-Authorization (CoA) functionality, see Extreme
Management Center or ExtremeCloud IQ - Site Engine Integration on page 999.

Operational Considerations
Consider the following when implementing Endpoint Tracking:
• A RADIUS server used for Endpoint Tracking provides authorization only; no accounting processes
are supported. Although accounting is enabled by default for all RADIUS servers, it is not currently
supported for use with Endpoint Tracking, even if left enabled.
• Fabric Attach is not supported on ports or MLT/SMLTs that have Endpoint Tracking enabled.

Extreme Management Center or ExtremeCloud IQ - Site Engine Integration


Endpoint Tracking integrates with the Extreme Management Center or ExtremeCloud IQ - Site Engine
ExtremeConnect and ExtremeControl modules. The ExtremeConnect module offers API integration
with third-party products, such as VMware or Microsoft HyperV, from which VM endpoint information is
extracted and automatically converted into usable policies for use in the ExtremeControl module, which
acts as a RADIUS server for authorizing Endpoint Tracking MACs.

The following diagram illustrates an example of Extreme Management Center or ExtremeCloud IQ - Site
Engine interaction with a switch for Endpoint Tracking:

Figure 78: Extreme Management Center or ExtremeCloud IQ - Site Engine Endpoint Tracking
Interaction Example

RADIUS Server Attributes

The RADIUS attributes to configure in either standard or custom Extreme Management Center or
ExtremeCloud IQ - Site Engine RADIUS profiles for Endpoint Tracking depend on your deployment and
traffic type:
• For tagged traffic, if the RADIUS server provides both the VLAN ID and I-SID value, use only the
FA-VLAN-ISID attribute.
• For tagged traffic, if the RADIUS server provides only the VLAN ID (and you are therefore using an
I-SID offset value), use only the Tunnel-Private-Group-ID attribute.
• For untagged traffic, if the RADIUS server provides both the VLAN ID and I-SID value, use the
FA-VLAN-ISID and Egress-VLANID or Egress-VLAN-name attributes.
• For untagged traffic, if the RADIUS server provides only the VLAN ID (and you are therefore using
an I-SID offset value), use the Tunnel-Private-Group-ID and Egress-VLANID or Egress-
VLAN-name attributes.
• Use the Session-Timeout attribute to override the default timeout period of 24 hours, which is
the amount of time, in seconds, between a MAC address authentication and the deletion of that MAC
address from the Endpoint Tracking binding table.

All other RADIUS attributes are ignored.

Managing Binding Updates using RADIUS Change-of-Authorization

Endpoint Tracking uses RADIUS RFC 5176 Change-of-Authorization (CoA) functionality to enable
forced VLAN:ISID binding updates.

For example, when a VLAN segment is changed on a VM that resides on a previously authenticated
switch, that VM requires a new VLAN:ISID binding to reflect the new VLAN segment. Because the
switch has previously been authenticated, you must force a new authentication request to update the
binding information.

Using ExtremeControl, you can manually push a reauthentication request for the VM MAC. This action
sends a disconnect-request from the RADIUS server to the switch, which deletes the old binding. When
the switch detects the VM again, a new RADIUS authentication request is sent from the switch to the
RADIUS server, resulting in updated binding information upon successful authentication.

For more information about RADIUS Dynamic Session Change Support (RFC 5176), see RFC 5176 —
Dynamic Session Change on page 2729.

Deployment Examples
Endpoint Tracking deployment scenarios include Distributed Virtual Routing (DvR) deployments, or
regular SPBM deployments.

The following example illustrates a DvR deployment:

Figure 79: DvR Topology Example


The following example illustrates a regular SPBM deployment:

Figure 80: SPBM Cloud Example

Configuration Fundamentals

Extreme Management Center or ExtremeCloud IQ - Site Engine Configuration

To configure Endpoint Tracking, you must perform the following:


• Using the ExtremeConnect component, configure and manage your third-party virtualization
platform.
• Using the ExtremeControl component, configure and manage the RADIUS server used for Endpoint
Tracking authentication.

For information about configuring Extreme Management Center or ExtremeCloud IQ - Site Engine,
see the Extreme Management Center or ExtremeCloud IQ - Site Engine documentation at https://
www.extremenetworks.com/support/documentation/.

Switch Configuration

To configure Endpoint Tracking, you must perform the following:


• Add, configure, and enable the RADIUS server host as configured in the Extreme Management
Center or ExtremeCloud IQ - Site Engine to function as the switch authentication server for Endpoint
Tracking. Ensure that you select endpoint-tracking for the used-by variable. Add, configure
and enable the RADIUS dynamic-server client. For information about adding a RADIUS server host
and a RADIUS dynamic-server client to the switch, see RADIUS on page 2721.
• Optionally configure a global I-SID offset value.

When you provision the Endpoint Tracking RADIUS server in Extreme Management Center or
ExtremeCloud IQ - Site Engine, you choose which outbound attributes the RADIUS server includes in
each authentication response. If you always include an I-SID value in those outbound attributes, you
do not need to configure an I-SID offset value on the switch.

For MACs that do not receive an I-SID attribute from the RADIUS server, use Auto-ISID-Offset
functionality. The configured I-SID offset value is used to calculate an I-SID value for a switched UNI
when no I-SID value is provided by the RADIUS server in the outbound attributes. In that case, the
I-SID value is calculated as follows:

I-SID = VLAN ID + configured I-SID offset value.


• After optionally configuring a global I-SID offset value, enable Endpoint Tracking globally on the
switch.
• Create and enable Endpoint Tracking on each interface. Ensure that you have deleted any existing
VLAN bindings on the interfaces, as the Endpoint Tracking bindings are dynamic.

CLI commands provide the functionality to separate the creation, deletion, enabling, and disabling of
Endpoint Tracking on interfaces. For example, if you want to flush all VLAN:ISID bindings on a port,
you can disable (but not delete) Endpoint Tracking on that port, keeping the port distinct from other
ports where Endpoint Tracking is not yet created.
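
The attribute rules under RADIUS Server Attributes and the I-SID offset formula above can be modelled together. The following Python model is an added example, not switch or Extreme Management Center code: the "VLAN:ISID" value format, reading the presence of an Egress attribute as untagged, the error cases, and the names resolve_binding, TrackedInterface and members_by_isid are assumptions of the example, and endpoint names stand in for MAC addresses.

```python
from dataclasses import dataclass

DEFAULT_TIMEOUT_S = 24 * 60 * 60   # the guide's default timeout: 24 hours, in seconds
EGRESS_ATTRS = ("Egress-VLANID", "Egress-VLAN-name")
USED_ATTRS = {"FA-VLAN-ISID", "Tunnel-Private-Group-ID", "Session-Timeout", *EGRESS_ATTRS}


@dataclass(frozen=True)
class Binding:
    vlan: int
    isid: int
    untagged: bool
    timeout_s: int
    ignored: tuple   # attribute names that were present but are not used


def resolve_binding(attrs, isid_offset=None):
    """Derive a VLAN:ISID binding from one RADIUS response (dict of name -> value)."""
    if "FA-VLAN-ISID" in attrs:
        # Assumed value format "VLAN:ISID", for example "10:10".
        vlan_text, _, isid_text = str(attrs["FA-VLAN-ISID"]).partition(":")
        vlan, isid = int(vlan_text), int(isid_text)
    elif "Tunnel-Private-Group-ID" in attrs:
        if isid_offset is None:
            raise ValueError("VLAN ID only, but no I-SID offset is configured")
        vlan = int(attrs["Tunnel-Private-Group-ID"])
        isid = vlan + isid_offset   # I-SID = VLAN ID + configured I-SID offset value
    else:
        raise ValueError("no FA-VLAN-ISID or Tunnel-Private-Group-ID in the response")
    # Generic protocol limits (12-bit VLAN ID, 24-bit I-SID); a platform may allow less.
    if not (1 <= vlan <= 4094 and 1 <= isid <= 0xFFFFFF):
        raise ValueError(f"binding {vlan}:{isid} is out of range")
    return Binding(
        vlan=vlan,
        isid=isid,
        untagged=any(name in attrs for name in EGRESS_ATTRS),
        timeout_s=int(attrs.get("Session-Timeout", DEFAULT_TIMEOUT_S)),
        ignored=tuple(sorted(set(attrs) - USED_ATTRS)),
    )


class TrackedInterface:
    """Binding table of one Endpoint Tracking interface (simplified model)."""

    def __init__(self, isid_offset=None):
        self.isid_offset = isid_offset
        self.bindings = {}   # endpoint MAC -> Binding

    def s_unis(self):
        # Model assumption: a dynamic S-UNI is listed while any binding refers to it.
        return {(b.vlan, b.isid) for b in self.bindings.values()}

    def authorize(self, mac, attrs):
        """Apply an accepted RADIUS response; return True if a new S-UNI results."""
        binding = resolve_binding(attrs, self.isid_offset)
        created = (binding.vlan, binding.isid) not in self.s_unis()
        self.bindings[mac] = binding
        return created

    def disconnect(self, mac):
        """Disconnect-request (RFC 5176 CoA): delete and return the old binding."""
        return self.bindings.pop(mac, None)


def members_by_isid(interfaces):
    """Group endpoints by I-SID across switches; a shared I-SID means shared service."""
    groups = {}
    for interface in interfaces:
        for mac, binding in interface.bindings.items():
            groups.setdefault(binding.isid, set()).add(mac)
    return groups


def guide_example():
    """Steps 1 and 2 of the guide's example: VM1/VM2 on one switch, VM5/VM6 on the other."""
    left, right = TrackedInterface(), TrackedInterface()
    created = [
        left.authorize("VM1", {"FA-VLAN-ISID": "10:10"}),
        left.authorize("VM2", {"FA-VLAN-ISID": "10:10"}),
        right.authorize("VM5", {"FA-VLAN-ISID": "30:10"}),
        right.authorize("VM6", {"FA-VLAN-ISID": "30:10"}),
    ]
    return created, left.s_unis(), right.s_unis(), members_by_isid([left, right])


if __name__ == "__main__":
    print(guide_example())
    # Constructed VLAN-only response: untagged, offset 10000, one unused attribute.
    print(resolve_binding({"Tunnel-Private-Group-ID": "100", "Egress-VLAN-name": "placeholder",
                           "Filter-Id": "constructed"}, isid_offset=10000))
```

Reviewing the `ignored` field for a profile shows which attributes in a RADIUS response have no effect on the binding.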

Multi-area SPB

Table 102: Multi-area SPB


Feature                         Product            Release introduced
Multi-area SPB Boundary Node    VSP 4450 Series    Not Supported
                                VSP 4900 Series    Not Supported
                                VSP 7200 Series    Not Supported
                                VSP 7400 Series    VOSS 8.4
                                VSP 8200 Series    Not Supported
                                VSP 8400 Series    Not Supported
                                VSP 8600 Series    Not Supported
                                XA1400 Series      Not Supported

The Multi-area SPB feature enables building a scalable Shortest Path Bridging (SPB) network, consisting
of multiple Intermediate System-to-Intermediate System (IS-IS) areas that connect to each other
through the boundary nodes. The Multi-area SPB feature provides flexible network design through
which you can group the nodes in the areas as needed.

Each area in the Multi-area SPB network contains the interior nodes and the boundary nodes.

Figure 81: Boundary nodes in the Multi-area SPB network


Each boundary node runs two Intermediate-System-to-Intermediate-System (IS-IS) instances,
representing the home area and the remote area. Each IS-IS instance runs the Shortest Path First (SPF)
computation and uses its own Link State Database (LSDB). The boundary nodes support Backbone
Edge Bridge (BEB) functionality in addition to the Backbone Control Bridge (BCB) configuration, and
the UNIs belong only to the home area. You can configure IS-IS interfaces on each instance.

Note
The boundary nodes do not support Auto-sense; you must manually configure all NNIs on the
boundary nodes.

The multiple areas in the Multi-area SPB network connect in various patterns, for example, the hub and
spoke topology and the daisy chain topology.

Designated and Non-designated Boundary Nodes


Among the boundary nodes in the Multi-area SPB network, the system elects the designated boundary
node on the basis of the unique chassis MAC value of the node. The nodes in the SPB area advertise their
chassis MAC value using the link state packet (LSP) and the system elects the node with the smallest
chassis MAC value as the designated boundary node. Each node in the network detects the designated
boundary node on the basis of the LSDB information.

The functions of the boundary nodes in the Multi-area SPB network are:
• Designated boundary node:
◦ Creates the area virtual node LSPs on each IS-IS instance.
◦ Configures the virtual node's adjacency with the other boundary node on the basis of the
reachability of the node.
◦ Advertises the services on the area virtual node on the basis of the redistribution policies that you
configure.
• Non-designated boundary node:
◦ Connects to the area virtual node and the system uses it to forward the traffic on the basis of the
IS-IS computation.
◦ Takes over as the designated boundary node if the designated boundary node is no longer
available in any area.

For more information about the area virtual node, see Area Virtual Node on page 1005.

Minimum Requirements
The minimum requirements for the Multi-area SPB to function are:
• Two boundary nodes to provide redundancy.
• Multi-area SPB redistribution policies between areas, such as layer 2 redistribution, layer 3 unicast
redistribution, multicast redistribution, and Distributed Virtual Routing (DvR) backbone
redistribution. For more information, see Multi-area SPB Redistribution and Policies on page 1006.

Area Virtual Node


The designated boundary node in the Multi-area SPB network creates the area virtual node. The area
virtual node sums up an entire network topology in a single virtual node representing all the services
from the represented area.

Figure 82: Representation of area virtual node


When considering the shortest path between two nodes in different areas in the Multi-area SPB
network, the area virtual node logically connects the shortest path within one area to the shortest path
within another area. The area virtual nodes help the Multi-area SPB network to visualize any external
area as a single IS-IS entity.

The boundary nodes in the Multi-area SPB network expose one virtual node in each of two connected
areas, to represent a collection of nodes from the other area. On the basis of the policies that you
configure on the boundary nodes, you can control the services that the system exports from a home
area to the remote area as the system includes the configuration in the Link State Packets (LSP) of the
corresponding area virtual node.

You can configure the area virtual node parameters on both home and remote IS-IS instances. For more
information about configuring the area virtual node, see Configure IS-IS Multi-area SPB Virtual Node on
page 1112.

Remote IS-IS Instance


The Multi-area SPB feature introduces the remote Intermediate-System-to-Intermediate-System (IS-IS)
instance. You can configure the manual area, system ID, nickname, and area virtual node parameters
on the remote IS-IS instance. When enabling Remote IS-IS Instance, make sure that the physical node
nickname, virtual node nickname and system ID are different. To configure the remote IS-IS instance on
the switch, you must:
• Configure manual area and nickname manually on the switch.
• Enable IS-IS and remote IS-IS instances on the switch, globally.
• Configure Shortest Path Bridging MAC (SPBM) instance on both home and remote IS-IS instances.
• Configure Backbone-VLANs (B-VLANs) globally on both home and remote instances.

For more information, see Enable Remote IS-IS Router Configuration Globally on page 1119.

Multi-area SPB Redistribution and Policies


The Multi-area SPB redistribution and policies govern the process of importing routes in the Multi-area
SPB network across the boundary nodes, that is, from the home area to the remote area or vice versa.
The traffic flow between the areas within the Multi-area SPB network is the same as the packet flow
between the source and destination in a flat SPB network. If more than one boundary node connects to
the same two areas, then the redistribution configuration on the boundary nodes must be consistent, that
is, the system must permit or deny the same routes to the cross area boundaries. With Multi-area SPB you
can configure layer 2 redistribution, layer 3 unicast redistribution, multicast over SPB redistribution, and
Distributed Virtual Routing backbone redistribution on the switch.

Layer 2 Redistribution

In the Multi-area SPB network, the layer 2 redistribution identifies the services that the system
transports from the home area to the remote area and the I-SIDs that the system extends across
the boundary nodes in an area. The destination area permits or denies the services on the basis of the
layer 2 redistribution policies that you configure.

You can configure the layer 2 I-SID redistribution on the switch globally. The layer 2 redistribution
policies are bidirectional, which means only one redistribution filter applies to both the home area and
the remote area.

Note
Any changes in the layer 2 I-SIDs in the home area will trigger updates to the I-SIDs in the
remote area or vice versa.

For more information about configuring Multi-area SPB layer 2 redistribution, see:
• Configure Multi-area SPB Layer 2 I-SID Redistribution on page 1121
• Configure Multi-area SPB Layer 2 I-SID List on page 1120

Layer 3 Unicast Redistribution

The layer 3 VSN functionality within the Multi-area SPB network is the same as the layer 3 VSN
functionality in the flat SPB network. In the Multi-area SPB network, for the layer 3 services to pass
the area boundary, you must explicitly configure them on the boundary nodes. Inter-VRF routes on the
boundary node are not redistributed across area boundaries. You can configure redistribution
unidirectionally on the boundary nodes. You can also apply different policies from home to remote and
remote to home.

The configuration guidelines for the layer 3 Multi-area SPB redistribution are:
• To redistribute inter-area routes in GRT, configure IPSC on the boundary nodes.
• To redistribute inter-area routes in a specific VRF, configure IPSC and layer 3 VSN for that VRF.

Note
The system does not redistribute inter-VRF routes on the boundary nodes across the area
boundaries.

For information about configuring layer 3 unicast redistribution, see:


• Configure IS-IS Multi-area SPB IPv4 Unicast Redistribution on page 1122
• Configure IS-IS Multi-area SPB IPv4 Unicast Redistribution on a VRF Instance on page 1125
• Configure IS-IS Multi-area SPB IPv6 Unicast Redistribution on page 1123
• Configure IS-IS Multi-area SPB IPv6 Unicast Redistribution on a VRF Instance on page 1127

Multicast over SPB Redistribution

Multicast over Shortest Path Bridging (SPB) redistribution manages filtering of the IP multicast streams
that the system transports from one area to another. The IP multicast services pass through to the
other area on the boundary node depending on the policy that you configure specific to the sender IP
address, the multicast group IP address and the Virtual Router Forwarding (VRF) ID.

Multicast over SPB policy is a unidirectional solution: the system filters the IP multicast streams from
the area where they originate to the other area, and vice versa, independently. Each IP multicast stream
that the system advertises in one area is also advertised on the corresponding area virtual node after it
passes the multicast over SPB policy.

Following are the configuration guidelines for the multicast over SPB redistribution:
• Enable multicast on the boundary nodes.
• For layer 3 VSNs, configure Multiprotocol Label Switching Virtual Private Network (MVPN) on the
boundary nodes.
• For layer 2 multicast, the scope I-SID must pass the layer 2 VSN policy.
• Configure the same policies as the boundary node on the peer boundary nodes.

For information about configuring Multi-area SPB multicast redistribution, see:


• Configure Multi-area SPB IPv4 Routed Multicast Redistribution on page 1131
• Configure IS-IS Multi-area SPB IPv4 Routed Multicast Redistribution on a VRF Instance on page 1133

Distributed Virtual Routing Backbone Redistribution

The Distributed Virtual Routing (DvR) functionality within the Multi-area SPB network is the same as
the DvR functionality in the flat SPB network. For more information, see Distributed Virtual Routing
Fundamentals on page 690. To configure Multi-area SPB DvR backbone redistribution, the boundary
node must be a functional DvR controller in a domain in the home area or a non-DvR Backbone Edge
Bridge.

Note
DvR domains can only be a part of one area; you must not configure the same DvR domain in
multiple areas.

When you enable the Multi-area SPB DvR backbone redistribution the system extends the DvR
backbone across the area boundaries. The boundary node in the Multi-area SPB network performs
the DvR controller functions to receive and propagate the hosts in the DvR domain. Since the interior
nodes in one area of the Multi-area SPB network are not visible to the interior nodes in other areas, the
system sends the area virtual nodes representing the specific area as a gateway in the DvR route TLV.
When the system sends the DvR traffic to another DvR domain in a specific destination area, the system
sends the traffic to the destination area’s boundary nodes and the boundary nodes perform the route
lookup and forward the traffic to the correct DvR domain in the destination area.

For information about configuring Multi-area SPB DvR backbone redistribution, see Configure Multi-
area SPB DvR Backbone Redistribution on page 1128.

Multi-area SPB Considerations and Restrictions


The following list identifies the restrictions and considerations that apply to the Multi-area SPB feature:
• You must not connect the same Protocol Independent Multicast (PIM) domain to the SPB-PIM
Gateway nodes that are in different Intermediate-System-to-Intermediate-System (IS-IS) areas, to
avoid the inter-area redistribution of the same multicast information.
• You can enable the Dynamic Nickname server on the boundary nodes in the home area, but the
boundary nodes cannot be clients in any of the two areas. The boundary nodes do not support the
Dynamic Nickname server in the remote area.
• The virtual node MAC address does not support CFM layer 2 ping and layer 2 traceroute.
• You must manually configure the backbone VLANs (B-VLAN) on the boundary nodes, so the system
does not learn the dynamic values that it receives through the Link Layer Discovery Protocol (LLDP).
However, the system sends the manually configured B-VLANs on the BN through LLDP, so that other
neighbors can learn them (both in home and remote areas).
• If you enable Auto-sense on a port and it receives a Fabric Connect TLV through LLDP then the
port transitions to the NNI pending state and the system logs a message. In this state the system
does not enable IS-IS (including home and remote area), and no IS-IS adjacency forms. For more
information, see Auto-sense Port States on page 18.
• If the system forms an adjacency between two boundary nodes that are part of the home and
remote area, the hello packets in the home area use the home manual area and the hello packets
in the remote area use the remote manual area.
• If the system forms a home and a remote adjacency on the same port, the Multi-area SPB
feature uses different Backbone VLAN IDs (B-VIDs) for each adjacency: the home adjacency uses
the primary B-VID and the remote adjacency uses the secondary B-VID.
• If the system forms an IS-IS adjacency in both the home and remote areas on the same port of a
boundary node, the remote adjacency stays up only with another boundary node that also has
IS-IS configured on both the home and remote areas of the same port.
• If a boundary node connects to a Backbone Edge Bridge (BEB) in the remote area and if you
configure IS-IS in the home area on the same interface, then the remote adjacency goes down.
• On the boundary node, to install a route from a remote area in the routing table manager (RTM), the
route must pass the accept policy and the Multi-area SPB redistribution policy that you configure on
the specific Virtual Router Forwarding (VRF) instance.
• On the boundary node, to install an inter-VRF route from a remote area in the routing table manager
(RTM), the inter-VRF route must pass the accept policy and the Multi-area SPB redistribution policy
that you configure on both the source and destination VRF instances.
• Nickname for the physical node and virtual node must be different.
• When enabling Remote IS-IS Instance, make sure that the physical node nickname, virtual node
nickname and system ID are different.

Duplicate System IDs Between IS-IS Areas


Duplicate system IDs between adjacent IS-IS areas are not supported.

If a duplicate system ID exists between adjacent areas, the boundary node logs an event like the
following:

1 2021-09-21T02:08:44.734-04:00 GB12 CP1 - 0x001dc705 - 00000000 GlobalRouter ISIS WARNING Duplicate System ID 0022.2222.2415 detected on Boundary Node between HostName:B15 Chassis MAC:b0:ad:aa:41:c0:00 (HOME area) and HostName:B14 Chassis MAC:b0:ad:aa:41:b8:00 (REMOTE area)

To recover from this event and ensure the information on the boundary node is correctly updated, you
must perform the following tasks:

1. Change the system ID on one of the nodes.
2. Disable and re-enable IS-IS on the other node.

Delete errors can display on the boundary node but they have no functional impact.
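
One way to pick this event out of collected switch logs, as an added example (not Extreme Networks code): the parser below matches the message text shown above and returns one finding per duplicated system ID. The function names, the reading of the second and third header tokens as timestamp and reporting node, and every sample line other than the guide's own event are assumptions or constructed data.

```python
import re
from datetime import datetime

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
DUP_RE = re.compile(
    r"Duplicate System ID (?P<system_id>[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}) "
    r"detected on Boundary Node between "
    rf"HostName:(?P<host_a>\S+) Chassis MAC:(?P<mac_a>{MAC}) \((?P<area_a>HOME|REMOTE) area\) "
    rf"and HostName:(?P<host_b>\S+) Chassis MAC:(?P<mac_b>{MAC}) \((?P<area_b>HOME|REMOTE) area\)",
    re.IGNORECASE,
)

# The guide's sample event, kept with the line wrapping it has on the page.
GUIDE_EVENT = (
    "1 2021-09-21T02:08:44.734-04:00 GB12 CP1 - 0x001dc705 - 00000000\n"
    "GlobalRouter ISIS WARNING Duplicate System ID 0022.2222.2415 detected on\n"
    "Boundary Node between HostName:B15 Chassis MAC:b0:ad:aa:41:c0:00 (HOME\n"
    "area) and HostName:B14 Chassis MAC:b0:ad:aa:41:b8:00 (REMOTE area)"
)
SAMPLE_LINES = [
    GUIDE_EVENT,
    # Constructed: the same condition reported later by a second node named GB13.
    "1 2021-09-21T02:09:10.000-04:00 GB13 CP1 - 0x001dc705 - 00000000 GlobalRouter ISIS "
    "WARNING Duplicate System ID 0022.2222.2415 detected on Boundary Node between "
    "HostName:B15 Chassis MAC:b0:ad:aa:41:c0:00 (HOME area) and "
    "HostName:B14 Chassis MAC:b0:ad:aa:41:b8:00 (REMOTE area)",
    # Constructed: an unrelated line that must not match.
    "1 2021-09-21T02:09:30.000-04:00 GB12 CP1 - 0x00000000 - 00000000 GlobalRouter ISIS "
    "INFO constructed unrelated message",
]


def parse_event(raw):
    """Return the fields of a duplicate system ID event, or None for any other line."""
    text = " ".join(raw.split())          # undo line wrapping and repeated spaces
    match = DUP_RE.search(text)
    if match is None:
        return None
    header = text[:match.start()].split()
    when = reporter = None
    if len(header) >= 3:                  # assumed layout: <n> <timestamp> <reporting node> ...
        try:
            when = datetime.fromisoformat(header[1])
            reporter = header[2]
        except ValueError:
            pass                          # unknown header layout: keep the message fields only
    return {
        "system_id": match["system_id"].lower(),
        "nodes": tuple(
            (match["host_" + side], match["mac_" + side].lower(), match["area_" + side].upper())
            for side in ("a", "b")
        ),
        "reporter": reporter,
        "time": when,
    }


def summarise(lines):
    """Collapse repeated events into one finding per duplicated system ID."""
    findings = {}
    for raw in lines:
        event = parse_event(raw)
        if event is None:
            continue
        entry = findings.setdefault(
            event["system_id"], {"nodes": set(), "reporters": set(), "times": [], "count": 0}
        )
        entry["nodes"].update(event["nodes"])
        entry["count"] += 1
        if event["reporter"]:
            entry["reporters"].add(event["reporter"])
        if event["time"]:
            entry["times"].append(event["time"])
    return [
        {
            "system_id": system_id,
            "nodes": sorted(entry["nodes"]),
            "reporters": sorted(entry["reporters"]),
            "count": entry["count"],
            # First and last timestamp in input order.
            "first_seen": entry["times"][0] if entry["times"] else None,
            "last_seen": entry["times"][-1] if entry["times"] else None,
        }
        for system_id, entry in sorted(findings.items())
    ]


if __name__ == "__main__":
    for finding in summarise(SAMPLE_LINES):
        print(finding)
```

Each finding names the two nodes that share the system ID, which are the nodes the recovery steps above apply to.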

SPBM and IS-IS infrastructure configuration using CLI


This section provides procedures to configure SPBM and IS-IS using Command Line Interface (CLI).

Important
The spbm-config-mode boot flag must be enabled (default) before you can configure
SPBM or IS-IS. To verify the setting, enter show boot config flags in Privileged EXEC
mode.

Running the SPBM script


Use the following procedure to run the SPBM script to automate the minimum required SPBM and IS-IS
parameters to allow Fabric Connect to operate on the switch.

Before You Begin

• Enable SPBM before running the SPBM script.
• Delete existing IS-IS interfaces before running this script. See Removing specific IS-IS and MLT
interfaces on page 1013 for information on removing IS-IS interfaces.

About This Task

You can use this procedure to quickly configure the minimum SPBM and IS-IS parameters. A manual
procedure is also available as an alternative to this script. The default values are given in square
brackets. You can enter your own values at the prompts, or press Enter to accept the default values.
This command first accepts all values and then removes existing SPBM configurations before
configuring the entered values.

Note
This process causes the SPBM traffic to flap temporarily.

Procedure
1. Enter Global Configuration mode:
   enable
   configure terminal
2. Run the SPBM script:
   run spbm

Note
If the script causes a configuration conflict or cannot execute a command, an error
message displays and the script stops.

Example

Run the SPBM script:

Switch:1(config)# run spbm
*****************************************************************
*** This script will guide you through configuring the ***
*** switch for optimal operation SPB. ***
*** --------------------------------------------------- ***
*** The values in [] are the default values, you can ***
*** input alternative values at any of the prompts. ***
*** If you wish to terminate or exit this script ***
*** enter ^C <control-C> at any prompt. ***
*** NOTE: THE COMMAND WILL TEMPORARILY FLAP IS-IS,SPBM ***
******************************************************************
SPB Ethertype <0x8100,0x88a8> [0x8100]:
SPB primary BVLAN 2-4059 [4051]:300
SPB secondary BVLAN 2-4059 [4052]:400
ISIS system id <xxxx.xxxx.xxxx> [a051.c6eb.7c65]:0200.0000.0100
SPB nickname <x.xx.xx> [b.7c.65]:0.02.02
SPB Manual Area <xx.xxxx.xxxx...xxxx> [49.0000]:50
ISIS System Name [Switch]:BEB1
Enable SPBM multicast (y/n) [n]:y

Enable IP shortcuts (y/n) [n]:y


Loopback interface ID <1-256> [1]:1
Loopback interface IP and subnet <a.b.c.d/x>:20.1.1.1/24
Configure SPBM SMLT? (y/n) [n]:y
Peer system id <xxxx.xxxx.xxxx>:0200.0000.0200
SMLT virtual BMAC <0x00:0x00:0x00:0x00:0x00:0x00>:02:00:00:10:00:10
ISIS MLT interface <MLT ID LIST>[]:1
Enable CFM SPBM (y/n) [n]:y
Enter CFM SPBM MEPID <1-8191> [1]:2
Enter CFM SPBM level <0-7> [4]:4

****CONFIGURATION IN PROGRESS****
*SPBM enabled globally*
*SPBM instance 1 configured*
*SPBM BVLANS configured*
*SPBM SMLT configured*
*SPBM multicast enabled globally*
*IP shortcuts configured*
*SPBM SMLT configured*
*IS-IS enabled*
*IS-IS on port 1/5 configured*
*IS-IS on port 1/6 configured*
*IS-IS on MLT 1 configured*
*CFM SPBM configured*
****SCRIPT EXECUTION COMPLETE****

Remove Existing SPBM Configuration


Use the following procedure to remove existing SPBM configurations, disable CFM, and return the CFM
MEP-ID and level configurations to default values.

Before You Begin


• Enable SPBM before running this script.
• If the switch uses Zero Touch Fabric Configuration, you must run the following commands before
you perform this procedure:
◦ no auto-sense onboarding i-sid
◦ no vlan i-sid <1-4059>

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Run the script:
run spbm clean

Note
If the script causes a configuration conflict or cannot run a command, an error message
displays and the script stops.

3. To ensure proper cleanup of MAC tables, save the configuration, and then reboot the switch.

Example

Run the script:

Switch:1(config)#no auto-sense onboarding i-sid


Switch:1(config)#no vlan i-sid
Switch:1(config)#run spbm clean
The following will delete all SPBM and interfaces and default the CFM configurations. Do
you want to continue? <y/n>[n]:y

Switch:1(config)#no router isis enable


Switch:1(config)#interface gigabitethernet 1/10
Switch:1(config-if)#no isis
Switch:1(config-if)#interface gigabitethernet 1/11
Switch:1(config-if)#no isis
Switch:1(config-if)#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#no vlan 4051
Switch:1(config)#no vlan 4052
Switch:1(config)#router isis
Switch:1(config-isis)#no spbm 1
Switch:1(config-isis)#router isis
Switch:1(config-isis)#no ip-source-address
Switch:1(config-isis)#no system-id
Switch:1(config-isis)#no manual-area 49.0000
Switch:1(config-isis)#no cfm spbm enable
Switch:1(config)#cfm spbm level 4
Switch:1(config)#cfm spbm mepid 1
Switch:1(config)#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#

**SPBM configurations have been removed**

Configuring the IS-IS port interfaces using SPBM script


Use the following procedure to run the SPBM script to configure the IS-IS port interfaces. Because this
command does not flap IS-IS or SPBM, it is particularly useful when SPBM is already configured and
you need to configure additional ports or MLTs. Running the run spbm interface command does not
alter existing IS-IS or SPBM configurations.

About This Task

You can use this procedure to quickly configure the minimum SPBM and IS-IS parameters. A manual
procedure is available as an alternative to this script.

Note
You must enable SPBM before running the SPBM script.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal

2. Run the SPBM script:


run spbm interface

Note
If the script causes a configuration conflict or cannot execute a command, an error
message displays and the script stops.

Example

Run the SPBM script:

Switch:1(config)# run spbm interface


*****************************************************************
*** This script will guide you through configuring the ***
*** switch for optimal operation SPB. ***
*** --------------------------------------------------- ***
*** The values in [] are the default values, you can ***
*** input alternative values at any of the prompts. ***
*** If you wish to terminate or exit this script ***
*** enter ^C <control-C> at any prompt. ***
******************************************************************
ISIS port interfaces <a/b,c/d> []:1/2,1/4,1/8
ISIS MLT interface <MLT ID LIST> []:1
*IS-IS on port 1/2 configured*
*IS-IS on port 1/4 configured*
*IS-IS on port 1/8 configured*
*IS-IS on MLT-1 configured*

Removing specific IS-IS and MLT interfaces


Use the following procedure to remove specific IS-IS ports and MLT interfaces when you get
the error "IS-IS SPBM interfaces have been configured. Please delete these interfaces."

About This Task

This procedure removes existing IS-IS ports and MLT interfaces. You can choose which port and MLT
interfaces need to be removed. This command does not alter the other SPBM or IS-IS configurations.

Note
You must enable SPBM before running the SPBM script.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal

2. Run the script:


run spbm interface clean

Note
If the script causes a configuration conflict or cannot execute a command, an error
message displays and the script stops.

Example

Run the spbm interface clean script:

Switch:1(config)# run spbm interface clean


*****************************************************************
*** This script will guide you through deleting the ***
*** IS-IS SPBM interfaces. ***
*** --------------------------------------------------- ***
*** The values in [] are the default values. ***
*** If you wish to terminate or exit this script ***
*** enter ^C <control-C> at any prompt. ***
******************************************************************
ISIS port interfaces to be deleted <a/b,c/d>[]:1/2,1/4,1/8
ISIS MLT interface <MLT ID LIST> []:1
IS-IS port 1/2 deleted
IS-IS port 1/4 deleted
IS-IS port 1/8 deleted
** 3 IS-IS port interfaces deleted **
MLT 1 deleted
** 1 IS-IS MLTs deleted **

Configure Minimum SPBM and IS-IS Parameters


Use the following procedure to configure the minimum required SPBM and IS-IS parameters to enable
SPBM operation on the switch.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable SPBM globally:
spbm
3. Enter IS-IS Router Configuration mode:
router isis
4. Create the SPBM instance (only one SPBM instance is supported):
spbm <1–100>
5. Add the SPBM B-VLAN to the SPBM instance:
spbm <1–100> b-vid {<vlan-id [-vlan-id][,...]} [primary <1-4059>]

6. Configure the system nickname (2.5 bytes in the format <x.xx.xx>):


spbm <1–100> nick-name <x.xx.xx>

Note
Although it is not strictly required for SPBM operation, you should change the IS-IS system
ID from the default B-MAC value to a recognizable address to easily identify a switch (Log
on to IS-IS Router configuration mode and use the system-id <xxxx.xxxx.xxxx>
command). This helps to recognize source and destination addresses for troubleshooting
purposes.

7. Configure an IS-IS manual area (1-13 bytes in the format <xx.xxxx.xxxx...xxxx>; only one manual area
is supported):
manual-area <xx.xxxx.xxxx...xxxx>
8. Exit IS-IS Router Configuration mode to Global Configuration mode:
exit
9. Create the SPBM backbone VLAN (B-VLAN):
vlan create <2-4059> type spbm-bvlan
10. Enter Interface Configuration mode, by specifying the ports or MLTs that are going to link to the
SPBM network:
interface {GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-
port]][,...]}| mlt <1–512> }
11. Configure an IS-IS interface on the selected ports or MLTs:

a. Create an IS-IS circuit and interface on the selected ports or MLTs:


isis
b. Enable the SPBM instance on the IS-IS interfaces:
isis spbm <1–100>
c. Enable the IS-IS circuit/interface on the selected ports or MLTs:
isis enable
12. Enable interface.
13. Exit Interface Configuration mode:
exit
14. Enable IS-IS globally:
router isis enable
15. Display the SPBM configurations:
show isis spbm
16. Display the global IS-IS configuration:
show isis
17. Display the interface IS-IS configuration:
show isis interface

Examples
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)#spbm
Switch:1(config)#router isis
Switch:1(config-isis)#spbm 1
Switch:1(config-isis)#spbm 1 b-vid 4051,4052 primary 4051
Switch:1(config-isis)#spbm 1 nick-name 1.11.16
Switch:1(config-isis)#manual-area c0.2000.0000.00
Switch:1(config-isis)#exit
Switch:1(config)#interface GigabitEthernet 1/21
Switch:1(config-if)#isis
Switch:1(config-if)#isis spbm 1
Switch:1(config-if)#isis enable
Switch:1(config-if)#exit
Switch:1(config)#vlan create 4051 type spbm-bvlan
Switch:1(config)#vlan create 4052 type spbm-bvlan
Switch:1(config)#router isis enable
Switch:1(config)#show isis spbm

========================================================================================================================
ISIS SPBM Info
========================================================================================================================
SPBM B-VID PRIMARY NICK LSDB IP IPV6 MULTICAST SPB-PIM-GW STP-MULTI ORIGIN
INSTANCE VLAN NAME TRAP HOMING
------------------------------------------------------------------------------------------------------------------------
1 4051-4052 4051 disable disable disable disable disable disable dynamic

========================================================================================================================
ISIS SPBM SMLT Info
========================================================================================================================
SPBM SMLT-SPLIT-BEB SMLT-VIRTUAL-BMAC SMLT-PEER-SYSTEM-ID
INSTANCE
------------------------------------------------------------------------------------------------------------------------
1 primary 00:00:00:00:00:00

--------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------


Switch:1>show isis
================================================================================
ISIS General Info
================================================================================
AdminState : enabled
RouterType : Level 1
System ID : 0014.c7e1.33df
Max LSP Gen Interval : 900
Metric : wide
Overload-on-startup : 20
Overload : false
Csnp Interval : 10
PSNP Interval : 2
Rxmt LSP Interval : 5
spf-delay : 100
Router Name : Switch1
ip source-address : 41.41.41.100
ipv6 source-address : 41:0:0:0:0:0:0:100
ip tunnel source-address : 11.11.12.11
Tunnel vrf : spboip
ip tunnel mtu : 1950
Num of Interfaces : 2
Num of Area Addresses : 1
inband-mgmt-ip :

backbone : disabled
Dynamically Learned Area : 00.0000.0000
FAN Member : No
Hello Padding : enabled
Multi-Area OperState : disabled
Multi-Area Flags : home-always-up

Switch:1# show isis interface


===================================================================================================================
ISIS Interfaces
===================================================================================================================
IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1 OP-SPBM- ORIGIN AREA AREA-NAME
-METRIC L1-METRIC
--------------------------------------------------------------------------------------------------------------------
Mlt2 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02
Port1/21 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02

Variable definitions

The following table defines parameters for the isis command.

Variable        Value
enable          Enables or disables the IS-IS circuit/interface on the specified port or MLT.
                The default is disabled. Use the no option to disable IS-IS on the specified interface.
spbm <1–100>    Enables the SPBM instance on the IS-IS interfaces.

The following table defines parameters for the manual-area command.

Variable                 Value
<xx.xxxx.xxxx...xxxx>    Specifies the IS-IS manual-area (1–13 bytes in the format <xx.xxxx.xxxx...xxxx>).
                         Only one manual area is supported. For IS-IS to operate, you must configure
                         at least one area.
                         Use the no option to delete the manual area.

The following table defines parameters for the spbm command.

Variable                              Value
<1–100>                               Creates the SPBM instance. Only one SPBM instance is supported.
b-vid {<vlan-id [-vlan-id] [,...]}    Sets the IS-IS SPBM instance data VLANs.
                                      Use the no option to remove the specified B-VLAN from the SPBM
                                      instance.
nick-name <x.xx.xx>                   Specifies a nickname for the SPBM instance globally.
                                      The value is 2.5 bytes in the format <x.xx.xx>. Use the no or default
                                      options to delete the configured nickname.
primary <1-4059>                      Sets the IS-IS instance primary data B-VLAN.

The following table defines parameters for the vlan create command.

Variable                                              Value
<2-4059>                                              Specifies the VLAN ID. Creates an SPBM Backbone VLAN (B-VLAN). You
                                                      can optionally specify a name for the SPBM B-VLAN.
type {port-mstprstp|protocol-mstprstp|spbm-bvlan}     Specifies the type of VLAN created.
                                                      • port-mstprstp: Create a VLAN by port.
                                                      • protocol-mstprstp: Create a VLAN by protocol.
                                                      • spbm-bvlan: Create an SPBM B-VLAN.

Job aid

Important
After you have configured the SPBM nickname and enabled IS-IS, perform the following steps to
maintain the same nickname with a different system ID:

1. Disable IS-IS.
2. Change the system ID.
3. Change the nickname to a temporary one.
4. Enable IS-IS.
5. Wait up to 20 minutes for the LSPs with the original system ID to age out.

Note
To check the age out time, use the show isis lsdb sysid <original-sys-id>
command on any of the other SPB nodes in the network. When there
is no output from this command, proceed to the next step. The time left (in
seconds) for the LSPs to age out is shown under the column LIFETIME.

6. Disable IS-IS.
7. Change the nickname to the original nickname.
8. Enable IS-IS.

Configure Minimum SPBM and IS-IS Parameters using auto-nni Command


Use the following procedure to configure the minimum required SPBM and IS-IS parameters using the
auto-nni command to have the node create an IS-IS interface, attach the interface to an SPBM
instance, and then enable IS-IS on the port interface.

This procedure is only for the port interface. The auto-nni command is not supported on the MLT
interface and the Fabric Extend Logical Interface.

About This Task

The auto-nni command provides a quick and simple way to configure the IS-IS interface. You can
use the auto-nni command instead of the following existing IS-IS commands on the physical (port)
interface:
• isis
• isis spbm instance
• isis enable

The existing commands are still available, and you can use either the new command or the three
existing commands. If you need to modify any of the default parameters under isis or isis spbm
instance, use the isis and isis spbm instance constructs even if you created the interface with
the auto-nni command.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable SPBM globally:
spbm
3. Enter IS-IS Router Configuration mode:
router isis
4. Create the SPBM instance (only one SPBM instance is supported):
spbm <1–100>
5. Add the SPBM B-VLAN to the SPBM instance:
spbm <1–100> b-vid {<vlan-id [-vlan-id][,...]} [primary <1-4059>]
6. Configure the system nickname (2.5 bytes in the format <x.xx.xx>):
spbm <1–100> nick-name <x.xx.xx>

Note
Although it is not strictly required for SPBM operation, you should change the IS-IS system
ID from the default B-MAC value to a recognizable address to easily identify a switch (Log
on to IS-IS Router configuration mode and use the system-id <xxxx.xxxx.xxxx>
command). This helps to recognize source and destination addresses for troubleshooting
purposes.

7. Configure an IS-IS manual area (1-13 bytes in the format <xx.xxxx.xxxx...xxxx>; only one manual area
is supported):
manual-area <xx.xxxx.xxxx...xxxx>
8. Exit IS-IS Router Configuration mode to Global Configuration mode:
exit
9. Create the SPBM backbone VLAN (B-VLAN):
vlan create <2-4059> type spbm-bvlan
10. Enter Interface Configuration mode, by specifying the ports or MLTs that are going to link to the
SPBM network:
interface {GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-
port]][,...]}| mlt <1–512> }
11. Configure an IS-IS interface on the selected ports:
auto-nni
12. Enable interface.

13. Exit Interface Configuration mode:


exit
14. Enable IS-IS globally:
router isis enable
15. Display the SPBM configurations:
show isis spbm
16. Display the global IS-IS configuration:
show isis
17. Display the interface IS-IS configuration:
show isis interface

Examples
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#spbm
Switch:1(config)#router isis
Switch:1(config-isis)#spbm 1
Switch:1(config-isis)#spbm 1 b-vid 10,20 primary 10
Switch:1(config-isis)#spbm 1 nick-name 1.11.16
Switch:1(config-isis)#manual-area c0.2000.0000.00
Switch:1(config-isis)#exit
Switch:1(config)#interface gigabitethernet 1/21
Switch:1(config-if)#auto-nni
Switch:1(config-if)#exit
Switch:1(config)#vlan create 10 type spbm-bvlan
Switch:1(config)#vlan create 20 type spbm-bvlan
Switch:1(config)#router isis enable
Switch:1(config)#show isis spbm
==============================================================================================================
ISIS SPBM Info
==============================================================================================================
SPBM B-VID PRIMARY NICK LSDB IP IPV6 MULTICAST SPB-PIM-GW STP-MULTI
INSTANCE VLAN NAME TRAP HOMING
--------------------------------------------------------------------------------------------------------------
1 4051-4052 4051 disable disable disable enable disable enable

==============================================================================================================
ISIS SPBM SMLT Info
==============================================================================================================
SPBM SMLT-SPLIT-BEB SMLT-VIRTUAL-BMAC SMLT-PEER-SYSTEM-ID
INSTANCE
--------------------------------------------------------------------------------------------------------------
1 primary 00:00:00:00:00:00

--------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------

Switch:1>show isis
================================================================================
ISIS General Info
================================================================================
AdminState : enabled
RouterType : Level 1
System ID : 0014.c7e1.33df

Max LSP Gen Interval : 900


Metric : wide
Overload-on-startup : 20
Overload : false
Csnp Interval : 10
PSNP Interval : 2
Rxmt LSP Interval : 5
spf-delay : 100
Router Name : Switch1
ip source-address : 41.41.41.100
ipv6 source-address : 41:0:0:0:0:0:0:100
ip tunnel source-address : 11.11.12.11
Tunnel vrf : spboip
ip tunnel mtu : 1950
Num of Interfaces : 2
Num of Area Addresses : 1
inband-mgmt-ip :
backbone : disabled
Dynamically Learned Area : 00.0000.0000
FAN Member : No
Hello Padding : enabled
Multi-Area OperState : disabled
Multi-Area Flags : home-always-up

Switch:1# show isis interface


===================================================================================================================
ISIS Interfaces
===================================================================================================================
IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1 OP-SPBM- ORIGIN AREA AREA-NAME
-METRIC L1-METRIC
--------------------------------------------------------------------------------------------------------------------
Mlt2 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02
Port1/21 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02
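
An added example, not part of the VOSS guide: a Python audit that parses show isis interface output like the one above and compares the IS-IS interfaces it lists against an approved list of fabric-facing (NNI) interfaces. The approved list, the Port1/30 row, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the two data rows from the show isis interface output
# above, plus one constructed row (Port1/30) added to exercise the checks.
SAMPLE_OUTPUT = """\
IFIDX     TYPE   LEVEL    OP-STATE  ADM-STATE  ADJ  UP-ADJ  SPBM-L1  OP-SPBM-   ORIGIN  AREA  AREA-NAME
                                                            -METRIC  L1-METRIC
--------------------------------------------------------------------------------------------------------
Mlt2      pt-pt  Level 1  UP        UP         1    1       10       10         CONFIG  HOME  area-9.00.02
Port1/21  pt-pt  Level 1  UP        UP         1    1       10       10         CONFIG  HOME  area-9.00.02
Port1/30  pt-pt  Level 1  DOWN      UP         0    0       10       10         CONFIG  HOME  area-9.00.02
"""

# One data row. Only the Port and Mlt interface names seen in the output above
# are recognised; header, ruler and any other lines are skipped.
ROW_RE = re.compile(
    r"^(?P<ifidx>(?:Port|Mlt)\S+)\s+(?P<type>\S+)\s+Level\s+(?P<level>\S+)\s+"
    r"(?P<op_state>\S+)\s+(?P<adm_state>\S+)\s+(?P<adj>\d+)\s+(?P<up_adj>\d+)\s+"
    r"(?P<metric>\d+)\s+(?P<op_metric>\d+)\s+(?P<origin>\S+)\s+(?P<area>\S+)"
)


def parse_isis_interfaces(text):
    """Return one dict per IS-IS interface row found in the command output."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            row = match.groupdict()
            row["adj"], row["up_adj"] = int(row["adj"]), int(row["up_adj"])
            rows.append(row)
    return rows


def audit_nni(rows, approved):
    """Compare parsed rows with the approved NNI set; return (interface, finding) pairs."""
    findings = []
    seen = set()
    for row in rows:
        name = row["ifidx"]
        seen.add(name)
        if name not in approved:
            findings.append((name, "IS-IS interface outside the approved NNI list"))
        if row["adm_state"] == "UP" and row["op_state"] != "UP":
            findings.append((name, "administratively up but not operational"))
    for name in sorted(approved - seen):
        findings.append((name, "approved NNI has no IS-IS interface"))
    return findings


if __name__ == "__main__":
    approved_nnis = {"Mlt2", "Port1/21", "Port1/8"}   # hypothetical allow-list
    for interface, finding in audit_nni(parse_isis_interfaces(SAMPLE_OUTPUT), approved_nnis):
        print(f"{interface}: {finding}")
```
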

Configure I-SIDs for Private VLANs

Before You Begin

• A private VLAN must be created. For more information about creating private VLANs, see Create a
Private VLAN on page 3775.

About This Task

Assign one I-SID for each private VLAN.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Assign the I-SID to the primary and secondary VLAN:
vlan i-sid <1-4059> <0-16777215> [force]

Example

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#vlan i-sid 5 75

Switch:1(config)#show vlan private-vlan


========================================================================
PRIVATE VLAN
========================================================================
Primary Primary Secondary Secondary
VLAN ISID VLAN ISID
------------------------------------------------------------------------
5 75 6 75

Variable Definitions

The following table defines parameters for the vlan i-sid command.

Variable        Value
<1-4059>        Specifies the VLAN ID in the range of 1 to 4059. By default,
                VLAN IDs 1 to 4059 are configurable and the system reserves
                VLAN IDs 4060 to 4094 for internal use. On switches that
                support the vrf-scaling and spbm-config-mode boot
                configuration flags, if you enable these flags, the system also
                reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
                VLAN and you cannot create or delete VLAN ID 1.
<0-16777215>    Specifies the service instance identifier (I-SID). You cannot
                use I-SID 0x00ffffff. The system reserves this I-SID to
                advertise the virtual BMAC in an SMLT dual-homing
                environment.
                This value is the same for the primary and secondary VLANs.
force           Specifies that the software must replace the existing
                VLAN-to-I-SID mapping, if one exists.
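
An added example, not part of the VOSS guide: a Python pre-flight check that validates a planned parameter set against the formats and ranges given in the variable definitions above (system ID, nickname, manual area, B-VIDs, ethertype, I-SID) before anything is typed into the switch. The dictionary layout and function names are assumptions, as are two rules the guide does not state outright: that each manual-area group is a whole number of bytes, and that the primary B-VLAN must be one of the configured B-VIDs.

```python
import re

BVLAN_RANGE = range(2, 4060)       # vlan create <2-4059> type spbm-bvlan
ISID_RANGE = range(0, 16777216)    # vlan i-sid <1-4059> <0-16777215>
ISID_RESERVED = 0x00FFFFFF         # reserved to advertise the SMLT virtual BMAC
ETHERTYPES = (0x8100, 0x88A8)      # choices offered by the run spbm prompt

SYSTEM_ID_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)
NICKNAME_RE = re.compile(r"[0-9a-f]\.[0-9a-f]{2}\.[0-9a-f]{2}", re.I)  # 2.5 bytes
HEX_RE = re.compile(r"[0-9a-f]+", re.I)


def parse_vlan_list(text):
    """Expand a B-VID list such as '300,400' or '10-12,20' into a sorted list."""
    vlans = set()
    for part in text.split(","):
        low, _, high = part.strip().partition("-")
        first, last = int(low), int(high or low)
        if first > last:
            raise ValueError(f"descending range: {part!r}")
        vlans.update(range(first, last + 1))
    return sorted(vlans)


def manual_area_bytes(text):
    """Byte length of a manual area such as '49.0000', or None if malformed.

    Assumption of this example: every dot-separated group is whole bytes.
    """
    groups = text.split(".")
    if any(not HEX_RE.fullmatch(g) or len(g) % 2 for g in groups):
        return None
    return sum(len(g) for g in groups) // 2


def validate(p):
    """Return a list of problems in a dict of planned SPBM/IS-IS parameters."""
    problems = []
    if not SYSTEM_ID_RE.fullmatch(p["system_id"]):
        problems.append("system-id: expected xxxx.xxxx.xxxx")
    if not NICKNAME_RE.fullmatch(p["nickname"]):
        problems.append("nick-name: expected x.xx.xx")
    size = manual_area_bytes(p["manual_area"])
    if size is None or not 1 <= size <= 13:
        problems.append("manual-area: expected 1-13 bytes")
    try:
        bvids = parse_vlan_list(p["b_vid"])
    except ValueError:
        bvids = []
        problems.append("b-vid: not a valid VLAN list")
    if any(v not in BVLAN_RANGE for v in bvids):
        problems.append("b-vid: B-VLAN outside 2-4059")
    # Assumption: the primary B-VLAN must be one of the B-VIDs in the instance.
    if bvids and p["primary"] not in bvids:
        problems.append("primary: not one of the B-VIDs")
    if p["ethertype"] not in ETHERTYPES:
        problems.append("ethertype: expected 0x8100 or 0x88a8")
    for vlan, isid in p.get("vlan_isid", {}).items():
        if isid not in ISID_RANGE:
            problems.append(f"vlan {vlan}: I-SID outside 0-16777215")
        elif isid == ISID_RESERVED:
            problems.append(f"vlan {vlan}: I-SID 0x00ffffff is reserved")
    return problems


# Values entered at the run spbm prompts and in the vlan i-sid example above.
PAGE_VALUES = {
    "ethertype": 0x8100, "b_vid": "300,400", "primary": 300,
    "system_id": "0200.0000.0100", "nickname": "0.02.02",
    "manual_area": "50", "vlan_isid": {5: 75},
}
# Constructed values; each field breaks one rule.
BAD_VALUES = {
    "ethertype": 0x0800, "b_vid": "4051,4060", "primary": 300,
    "system_id": "0200.0000.01", "nickname": "1.11.160",
    "manual_area": "49.000", "vlan_isid": {5: 0xFFFFFF},
}

if __name__ == "__main__":
    print(validate(PAGE_VALUES))
    for problem in validate(BAD_VALUES):
        print(problem)
```
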

Displaying global SPBM parameters


Use the following procedure to verify the proper global SPBM configuration.

Procedure
1. Display the SPBM configuration:
show isis spbm
2. You can also use the following command to identify SPBM VLANs. For spbm-bvlan, the attribute
TYPE displays spbm-bvlan instead of byport. For private VLANs, the attribute TYPE displays
private instead of byport.
show vlan basic

Example
Switch# show isis spbm

==============================================================================================================
ISIS SPBM Info
==============================================================================================================
SPBM B-VID PRIMARY NICK LSDB IP IPV6 MULTICAST SPB-PIM-GW STP-MULTI
INSTANCE VLAN NAME TRAP HOMING
--------------------------------------------------------------------------------------------------------------
1 4051-4052 4051 disable disable disable enable disable enable

==============================================================================================================
ISIS SPBM SMLT Info

==============================================================================================================
SPBM SMLT-SPLIT-BEB SMLT-VIRTUAL-BMAC SMLT-PEER-SYSTEM-ID
INSTANCE
--------------------------------------------------------------------------------------------------------------
1 primary 00:00:00:00:00:00

--------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------

Switch# show vlan basic


=====================================================================================
Vlan Basic
=====================================================================================
VLAN INST
ID NAME TYPE ID PROTOCOLID SUBNETADDR SUBNETMASK VRFID
-------------------------------------------------------------------------------------
1 Default byPort 0 none N/A N/A 0
10 VLAN-10 spbm-bvlan 62 none N/A N/A 0
20 VLAN-20 spbm-bvlan 62 none N/A N/A 0
100 VLAN-100 byPort 0 none N/A N/A 0

All 5 out of 5 Total Num of Vlans displayed

Display Global IS-IS Parameters


Use the following procedure to display the global IS-IS parameters.

Procedure

1. Display IS-IS configuration information:


show isis
2. Display the IS-IS system-id:
show isis system-id
3. Display IS-IS net info:
show isis net

Example
Switch:1>show isis
================================================================================
ISIS General Info
================================================================================
AdminState : enabled
RouterType : Level 1
System ID : 0014.c7e1.33df
Max LSP Gen Interval : 900
Metric : wide
Overload-on-startup : 20
Overload : false
Csnp Interval : 10
PSNP Interval : 2
Rxmt LSP Interval : 5
spf-delay : 100
Router Name : Switch1
ip source-address : 41.41.41.100
ipv6 source-address : 41:0:0:0:0:0:0:100
ip tunnel source-address : 11.11.12.11
Tunnel vrf : spboip
ip tunnel mtu : 1950
Num of Interfaces : 2
Num of Area Addresses : 1

inband-mgmt-ip :
backbone : disabled
Dynamically Learned Area : 00.0000.0000
FAN Member : No
Hello Padding : enabled
Multi-Area OperState : disabled
Multi-Area Flags : home-always-up

Switch# show isis system-id


================================================================================
ISIS System-Id
================================================================================
SYSTEM-ID AREA AREA-NAME
--------------------------------------------------------------------------------
0014.c7e1.33df HOME
Switch# show isis net
================================================================================
ISIS Net Info
================================================================================
NET
--------------------------------------------------------------------------------
c0.2000.0000.0000.14c7.e133.df00

Displaying IS-IS areas


Use the following procedure to display IS-IS areas.

Procedure
Display the IS-IS areas:
show isis manual-area

Example
Switch# show isis manual-area
================================================================================
ISIS Manual Area Address
================================================================================

AREA ADDRESS AREA AREA-NAME

--------------------------------------------------------------------------------
c0.2000.0000.00 HOME

Configuring SMLT parameters for SPBM


Use the following procedure to configure the required Split MultiLink Trunking (SMLT) parameters to
allow SPBM to interoperate with SMLT on the switch.

Note
• The assignment of primary and secondary roles to the vIST peers is automatic. The switch
with the lower system ID (between the two vIST peers) is primary, and the switch with the
higher system ID is secondary when default system-id values are being used.
• SMLT peer system ID is part of the required configuration. You must configure the SMLT
peer system ID as the nodal MAC of the peer device. In the IS-IS network, the nodal MAC
of devices should be eight apart from each other.
• When using the default hardware assigned system-id value, the SMLT Virtual BMAC is
automatically derived by comparing the system-id values of the two vIST peers. A value of
0x01 plus the lower of the two system-id values is used as the SMLT Virtual BMAC.

When using a manually configured system-id value, the SMLT Virtual BMAC must also be
manually configured.
• An I-SID must be assigned to every VLAN that is a member of a Layer 2 VSN. Also, if a
Layer 2 VSN is created on one vIST Peer, it must also be created on the other vIST peer.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Disable IS-IS on the switch:
no router isis enable
3. Enter IS-IS Router Configuration mode:
enable

configure terminal

router isis
4. Specify the system ID of the vIST peer, so that if it goes down, the local peer can take over
forwarding for the failed peer:
spbm <1–100> smlt-peer-system-id <xxxx.xxxx.xxxx>
5. Configure the virtual B-MAC, which is shared and advertised by both peers:
spbm <1–100> smlt-virtual-bmac <0x00:0x00:0x00:0x00:0x00:0x00>
6. Exit to Global Configuration mode:
exit
7. Enable IS-IS on the switch:
router isis enable
8. Display the SPBM SMLT configuration:
show isis spbm

Example
Switch:1>enable
Switch:1#configure terminal

Disable IS-IS on the switch:


Switch:1(config)#no router isis enable

Enter the IS-IS Router Configuration mode:


Switch:1(config)#router isis
Switch:1(config-isis)#spbm 1 smlt-peer-system-id 0018.b0bb.b3df
Switch:1(config-isis)#spbm 1 smlt-virtual-bmac 00:14:c7:e1:33:e0
Switch:1(config-isis)#router isis enable
Switch:1(config-isis)#show isis spbm
==============================================================================================================
ISIS SPBM Info
==============================================================================================================
SPBM B-VID PRIMARY NICK LSDB IP IPV6 MULTICAST SPB-PIM-GW STP-MULTI
INSTANCE VLAN NAME TRAP HOMING
--------------------------------------------------------------------------------------------------------------
1 4051-4052 4051 disable disable disable enable disable enable

==============================================================================================================
ISIS SPBM SMLT Info
==============================================================================================================
SPBM SMLT-SPLIT-BEB SMLT-VIRTUAL-BMAC SMLT-PEER-SYSTEM-ID
INSTANCE
--------------------------------------------------------------------------------------------------------------
1 primary 00:00:00:00:00:00

--------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------

Variable definitions

The following table defines parameters for the spbm command.

Variable Value
smlt-peer-system-id <xxxx.xxxx.xxxx> Specifies the IS-IS SPBM peer system ID.
SMLT peer system ID is part of the required configuration.
You must configure the SMLT peer system ID as the nodal
MAC of the peer device. In the IS-IS network, the nodal MAC
of devices should be eight apart from each other.
smlt-virtual-bmac <0x00:0x00:0x00:0x00:0x00:0x00> Specifies a virtual MAC address that can be used by both
peers.
SMLT virtual B-MAC is an optional configuration.

Note:
• If SMLT virtual B-MAC is not configured, the system
derives SMLT virtual B-MAC from the configured SMLT
peer system ID and the nodal MAC of the device (IS-IS
system ID). The system compares the nodal MAC of the
device with the configured SMLT peer system ID and
takes the smaller one, plus 0x01, as the SMLT virtual B-MAC.
• The system also derives SMLT split BEB from the SMLT
peer system ID and nodal MAC of the device. The device
with the lower system ID is primary, the device with the
higher system ID is secondary.
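
The derivation described in the note above, as an added Python example (not code from the VOSS guide or the switch software). The local nodal MAC 0014.c7e1.33df is an assumed value, the function names are hypothetical, and reading "eight apart" as a minimum gap of 8 is an assumption.

```python
# Added example: derive the SMLT virtual B-MAC and split-BEB role from the
# local nodal MAC (IS-IS system ID) and the configured SMLT peer system ID.

MIN_SPACING = 8  # assumption: "eight apart" read as a minimum gap between nodal MACs


def parse_mac(text):
    """Return a 48-bit integer from xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx notation."""
    digits = text.strip().lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC or system ID: {text!r}")
    return int(digits, 16)


def format_bmac(value):
    """Format a 48-bit integer as a colon-separated B-MAC."""
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def derive_smlt(local_system_id, peer_system_id):
    """Apply the rule from the note: lower of the two IDs, plus 0x01."""
    local = parse_mac(local_system_id)
    peer = parse_mac(peer_system_id)
    if local == peer:
        raise ValueError("local and peer system IDs must differ")
    virtual = min(local, peer) + 1
    return {
        "virtual_bmac": format_bmac(virtual),
        # The device with the lower system ID is primary.
        "split_beb": "primary" if local < peer else "secondary",
        # False when the two nodal MACs sit closer together than MIN_SPACING.
        "spacing_ok": abs(local - peer) >= MIN_SPACING,
        # True when the derived address equals one of the real nodal MACs,
        # which happens when the two system IDs are adjacent.
        "collides_with_nodal_mac": virtual in (local, peer),
    }


if __name__ == "__main__":
    # Assumed local nodal MAC, with the peer system ID used in the example above.
    for local, peer in (("0014.c7e1.33df", "0018.b0bb.b3df"),
                        ("0018.b0bb.b3df", "0014.c7e1.33df"),
                        ("0014.c7e1.33df", "0014.c7e1.33e0")):
        print(local, peer, derive_smlt(local, peer))
```

Both peers derive the same virtual B-MAC, so running the function from each side of the pair is a quick consistency check before enabling IS-IS.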

Configuring optional SPBM parameters


Use the following procedure to configure optional SPBM parameters.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the SPBM ethertype:
spbm ethertype {0x8100 | 0x88a8}
3. Configure the optional link-state database (LSDB) trap global parameter. To configure this
parameter, you must globally disable IS-IS on the switch:
a. Disable IS-IS on the switch:
no router isis enable
b. Enter IS-IS Router Configuration mode:
router isis
c. Enable a trap when the SPBM LSDB changes:
spbm <1–100> lsdb-trap enable
d. Enable IS-IS on the switch:
router isis enable
e. Exit IS-IS Router Configuration mode:
exit


4. Configure the optional SPBM interface parameters. To configure these parameters, you must disable
IS-IS on the interface:
a. Specify an SPBM interface to configure:
interface {GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} | mlt <mltid> }
b. Disable IS-IS on the interface:
no isis enable
c. Configure SPBM instance interface-type on IS-IS interface. SPBM supports only pt-pt:
isis spbm <1–100> interface-type {broadcast|pt-pt}
d. Configure the IS-IS Interface level 1 metric:
isis spbm <1–100> l1-metric <1–16777215>
e. Enable IS-IS on the interface:
isis enable

Example

Switch> enable

Switch# configure terminal

Switch(config)# spbm ethertype 0x8100

Switch(config)# no router isis enable

Switch(config)# router isis

Switch(config-isis)# spbm 1 lsdb-trap enable

Switch(config-isis)# router isis enable

Switch(config-isis)# exit

Switch(config)# interface gigabitethernet 1/7

Switch(config-if)# no isis enable

Switch(config-if)# isis spbm 1 interface-type pt-pt

Switch(config-if)# isis spbm 1 l1-metric 500

Switch(config-if)# isis enable

Variable definitions


The following table defines parameters for the spbm command.

Variable Value
ethertype {0x8100 | 0x88a8} Configures the SPBM ethertype. The default value is 0x8100.
<1–100> lsdb-trap enable Configures whether to enable or disable a trap when the SPBM
LSDB changes.
The default is disabled. Use the no or default options to disable
LSDB traps.

The following table defines parameters for the isis spbm command.

Variable Value
<1–100> interface-type {broadcast|pt-pt} Configures the SPBM instance interface-type on the IS-IS interface
located on the specified port or MLT. SPBM only supports the point-to-point (pt-pt) interface type.
The default is pt-pt. Use the no or default options to set this
parameter to the default value of pt-pt.
<1–100> l1-metric <1–16777215> Configures the IS-IS interface level 1 metric on the specified port or MLT.
The default value is 10.
Use the no or default options to set this parameter to the default.

Configuring optional IS-IS global parameters


Use the following procedure to configure optional IS-IS global parameters.

Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Configure optional IS-IS global parameters:
a. Specify the Complete Sequence Number Packet (CSNP) interval in seconds:
csnp-interval <1–600>
b. Configure the router type globally:
is-type {l1|l12}
c. Configure the maximum interval, in seconds, between generated LSPs by this Intermediate System:
max-lsp-gen-interval <30–900>
d. Configure the IS-IS metric type:
metric {narrow|wide}
e. Set or clear the overload condition:
overload
f. Configure the overload-on-startup value in seconds:
overload-on-startup <15–3600>


g. Configure the Partial Sequence Number Packet (PSNP) interval in seconds:
psnp-interval <1–120>
h. Configure the minimum time between retransmission of an LSP:
retransmit-lsp-interval <1–300>
i. Configure the SPF delay in milliseconds:
spf-delay <0–5000>
j. Configure the name for the system:
sys-name WORD<0–255>
k. Configure the IS-IS system ID for the switch:
system-id <xxxx.xxxx.xxxx>

Example

Switch> enable

Switch# configure terminal

Switch(config)# router isis

Switch(config-isis)# csnp-interval 10

Switch(config-isis)# is-type l1

Switch(config-isis)# max-lsp-gen-interval 800

Switch(config-isis)# metric wide

Switch(config-isis)# overload

Switch(config-isis)# overload-on-startup 30

Switch(config-isis)# psnp-interval 10

Switch(config-isis)# retransmit-lsp-interval 10

Switch(config-isis)# default sys-name

Switch(config-isis)# spf-delay 200

Switch(config-isis)# default system-id


Variable definitions

The following table defines parameters for the csnp-interval command.

Variable Value
<1–600> Specifies the CSNP interval in seconds. This is a system level parameter that applies for
level 1 CSNP generation on all interfaces. A longer interval reduces overhead, while a
shorter interval speeds up convergence.
The default value is 10. Use the no or default options to set this parameter to the default
value of 10.

The following table defines parameters for the is-type command.

Variable Value
{l1|l12} Sets the router type globally:
• l1: Level-1 router type
• l12: Not valid.
The default value is l1. Use the no or default options to set this parameter to the default
value of l1.

The following table defines parameters for the max-lsp-gen-interval command.

Variable Value
<30–900> Specifies the maximum interval, in seconds, between generated LSPs by this Intermediate
System.
The default value is 900 seconds. Use the no or default options to set this parameter
to the default value of 900.

The following table defines parameters for the metric command.

Variable Value
{narrow|wide} Specifies the IS-IS metric type. Only wide is supported.
The default value is wide. Use the no or default options to set this parameter to
the default value of wide.

The following table defines parameters for the overload command.

Variable Value
overload Sets or clears the overload condition.
The default value is disabled. Use the no or default options to set this parameter to the
default value of disabled.


The following table defines parameters for the overload-on-startup command.

Variable Value
<15–3600> Specifies the IS-IS overload-on-startup value in seconds. The overload-on-startup value
is used as a timer to control when to send out LSPs with the overload bit cleared after
IS-IS startup.
The default value is 20. Use the no or default options to set this parameter to the
default value of 20.

The following table defines parameters for the psnp-interval command.

Variable Value
<1–120> Specifies the PSNP interval in seconds. This is a system level parameter that applies for
level 1 PSNP generation on all interfaces. A longer interval reduces overhead, while a
shorter interval speeds up convergence.
The default value is 2. Use the no or default options to set this parameter to the default
value of 2.

The following table defines parameters for the retransmit-lsp-interval command.

Variable Value
<1–300> Specifies the minimum time between retransmission of an LSP. This defines how fast the
switch resends the same LSP. This is a system level parameter that applies for Level 1
retransmission of LSPs.
The default value is 5 seconds. Use the no or default options to set this parameter to the
default value of 5.

The following table defines parameters for the spf-delay command.

Variable Value
<0–5000> Configures the delay, in milliseconds, to pace successive Shortest Path First (SPF) runs.
The timer prevents more than two SPF runs from being scheduled back-to-back. The
mechanism for pacing SPF allows two back-to-back SPF runs.
The default value is 100 milliseconds. Use the no or default options to set this
parameter to the default value of 100 milliseconds.

The following table defines parameters for the sys-name command.

Variable Value
WORD<0–255> Specifies a name for the system. This may be used as the host name for dynamic host
name exchange in accordance with RFC 2763.
By default, the system name comes from the host name configured at the system
level.
Use the no or default options to set this parameter to the default value (host
name).

Note:
The system does not display any consistency checks when you edit sys-name.


The following table defines parameters for the system-id command.

Variable Value
<xxxx.xxxx.xxxx> Specifies the IS-IS system ID for the switch.
Use the no or default options to set this parameter to the default value
(node BMAC).

Job aid

Important
After you have configured the SPBM nickname and enabled IS-IS, perform the following steps
to maintain the same nickname with a different system ID:

1. Disable IS-IS.
2. Change the system ID.
3. Change the nickname to a temporary one.
4. Enable IS-IS.
5. Wait up to 20 minutes for the LSPs with the original system ID to age out.

Note
To check the age out time, use the show isis lsdb sysid <original-sys-id>
command on any of the other SPB nodes in the network. When there
is no output from this command, proceed to the next step. The time left (in
seconds) for the LSPs to age out is shown under the column LIFETIME.

6. Disable IS-IS.
7. Change the nickname to the original nickname.
8. Enable IS-IS.
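
A check for step 5 of the job aid, as an added Python example (not code from the VOSS guide): it reads show isis lsdb output captured on another SPB node and reports whether LSPs for the original system ID are still aging. The sample outputs are constructed in the column layout of show isis lsdb, and the function names are hypothetical.

```python
import re

# LSP ID = system ID, pseudonode octet, fragment number (xxxx.xxxx.xxxx.xx-xx).
LSP_ID = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\.[0-9a-f]{2}-[0-9a-f]{2,3}$")

# Constructed sample: the original system ID still owns two LSP fragments.
STILL_AGING = """\
================================================================================
                                   ISIS LSDB
================================================================================
LSP ID                 LEVEL  LIFETIME  SEQNUM  CHKSUM  HOST-NAME    AREA
--------------------------------------------------------------------------------
0014.c7e1.33df.00-00   1      545       0xb1    0xed28  NewYork      HOME
0014.c7e1.33df.00-01   1      312       0x04    0x1a2b  NewYork      HOME
0016.ca23.73df.00-00   1      1119      0x9f    0x9c9d  Switch-Lab2  HOME
"""

# Constructed sample: banner only, no LSP rows left for the original system ID.
AGED_OUT = """\
================================================================================
                                   ISIS LSDB
================================================================================
LSP ID                 LEVEL  LIFETIME  SEQNUM  CHKSUM  HOST-NAME    AREA
--------------------------------------------------------------------------------
"""


def remaining_lifetimes(output, original_sysid):
    """Map each LSP ID owned by original_sysid to its LIFETIME in seconds."""
    wanted = original_sysid.strip().lower()
    found = {}
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue  # banner, separator or blank line
        lsp_id = tokens[0].lower()
        match = LSP_ID.match(lsp_id)
        if not match or match.group(1) != wanted or not tokens[2].isdigit():
            continue  # header row, or an LSP from a different system ID
        found[lsp_id] = int(tokens[2])
    return found


def seconds_to_wait(output, original_sysid):
    """Longest LIFETIME still outstanding; 0 when no LSP rows remain."""
    return max(remaining_lifetimes(output, original_sysid).values(), default=0)


def ready_for_original_nickname(output, original_sysid):
    """True once no LSP from the original system ID is listed (steps 6 to 8)."""
    return not remaining_lifetimes(output, original_sysid)


if __name__ == "__main__":
    for name, text in (("still aging", STILL_AGING), ("aged out", AGED_OUT)):
        print(name, seconds_to_wait(text, "0014.c7e1.33df"),
              ready_for_original_nickname(text, "0014.c7e1.33df"))
```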

Configuring Optional IS-IS Interface Level 1 Parameters


Use the following procedure to configure optional IS-IS interface level 1 parameters.

Important
Save your configuration using save config for the updates to be available after reboot.
Saving the configuration also ensures that any authentication keys (passwords) specified
during the configuration are properly encrypted.


Procedure
1. Enter Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface mlt <1-512>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure optional IS-IS interface level 1 parameters:


a. Specify the authentication type used for IS-IS hello packets on the interface:
isis hello-auth type {none|simple|hmac-md5|hmac-sha-256}
b. If you select simple as the hello-auth type, you must also specify a key value but the
key-id is optional:
isis hello-auth type simple key WORD<1–16> [key-id <1–255>]
c. If you select hmac-md5 or hmac-sha-256, you must also specify a key value. The key-id is
optional:
isis hello-auth type hmac-md5 key WORD<1–16> [key-id <1–255>]

isis hello-auth type hmac-sha-256 key WORD<1–16> [key-id <1–255>]


d. Configure the IS-IS Interface level 1 designated router priority:
isis [l1-dr-priority <0–127>]

Note
This parameter is not used for SPBM because SPBM only runs on point-to-point
interfaces. This parameter is for designated router election on a broadcast LAN
segment, which is not supported.

e. Configure the IS-IS Interface level 1 hello interval:


isis [l1-hello-interval <1–600>]
f. Configure the IS-IS Interface level 1 hello multiplier:
isis [l1-hello-multiplier <1–600>]

Example

Switch:1> enable

Switch:1# configure terminal

Switch:1(config)# interface gigabitethernet 1/1

Switch:1(config-if)# isis

Switch:1(config-if)# isis hello-auth type hmac-md5 key test

Switch:1(config-if)# isis l1-dr-priority 100

Switch:1(config-if)# isis l1-hello-interval 20

Switch:1(config-if)# isis l1-hello-multiplier 10

Switch:1(config)# save config

Variable Definitions

The following table defines parameters for the isis command.


Variable Value
hello-auth type {none|simple|hmac-md5|hmac-sha-256} [key WORD<1–16>] [key-id <1–255>] Specifies the authentication type used for IS-IS hello packets
on the interface. type can be one of the following:
• none
• simple: If selected, you must also specify a key value but
the key-id is optional. Simple password authentication
uses a text password in the transmitted packet. The
receiving router uses an authentication key (password)
to verify the packet.
• hmac-md5: If selected, you must also specify a key value
but the key-id is optional. MD5 authentication creates
an encoded checksum in the transmitted packet. The
receiving router uses an authentication key (password)
to verify the MD5 checksum of the packet. There is an
optional key ID.
• hmac-sha-256: If selected, you must also specify a
key value but the key-id is optional. With SHA-256
authentication, the switch adds an hmac-sha-256 digest
to each Hello packet. The switch that receives the Hello
packet computes the digest of the packet and compares
it with the received digest. If the digests match, the
packet is accepted. If the digests do not match, the
receiving switch discards the packet. There is an optional
key ID.

Note:
Secure Hashing Algorithm 256 bits (SHA-256) is a
cipher and a cryptographic hash function of SHA2
authentication. You can use SHA-256 to authenticate
IS-IS Hello messages. This authentication method uses the
SHA-256 hash function and a secret key to establish a
secure connection between switches that share the same
key.
This feature is in full compliance with RFC 5310.

The default is none. Use the no or default options to set
the hello-auth type to none.
l1-dr-priority <0–127> Configures the IS-IS Interface level 1 designated router
priority to the specified value. The default value is 64.
Use the no or default options to set this parameter to the
default value of 64.

Note:
This parameter is not used for SPBM because SPBM only runs
on point-to-point interfaces. This parameter is for designated
router election on a broadcast LAN segment, which is not
supported.

l1-hello-interval <1–600> Configures the IS-IS interface level 1 hello interval. The default
value is 9 seconds.
Use the no or default options to set this parameter to the
default value of 9 seconds.
l1-hello-multiplier <1–600> Configures the IS-IS interface level 1 hello multiplier. The
default value is 3 seconds.
Use the no or default options to set this parameter to the
default value of 3 seconds.

Display IS-IS Interface Parameters


Use the following procedure to display the IS-IS interface parameters.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display IS-IS interface configuration and status parameters (including adjacencies):
show isis interface [l1|l2|l12] [home|remote]
3. Display IS-IS interface authentication configuration:
show isis int-auth [home|remote]
4. Display IS-IS interface timers:
show isis int-timers [home|remote]
5. Display IS-IS circuit level parameters:
show isis int-ckt-level [home|remote]

Example
Switch:1# show isis interface
===================================================================================================================
ISIS Interfaces
===================================================================================================================
IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1 OP-SPBM- ORIGIN AREA AREA-NAME
-METRIC L1-METRIC
--------------------------------------------------------------------------------------------------------------------
Mlt2 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02
Port1/21 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02

Switch:1# show isis int-auth home


================================================================================
ISIS Interface Auth
================================================================================
IFIDX AUTH-TYPE AUTH-KEYID AUTH-KEY ORIGIN AREA AREA-NAME
--------------------------------------------------------------------------------
Mlt2 none 0 CONFIG HOME area-9.00.02
Port1/21 none 0 CONFIG HOME area-9.00.02
Switch:1# show isis int-timers home
================================================================================
ISIS Interface Timers
================================================================================
IFIDX LEVEL HELLO HELLO HELLO AREA AREA-NAME
INTERVAL MULTIPLIER DR
--------------------------------------------------------------------------------
Mlt2 Level 1 9 3 3 HOME area-9.00.02
Port1/21 Level 1 9 3 3 HOME area-9.00.02

Switch:1# show isis int-ckt-level home


================================================================================
ISIS Circuit level parameters
================================================================================
IFIDX LEVEL DIS CKTID AREA AREA-NAME
--------------------------------------------------------------------------------
Mlt2 Level 1 1 HOME area-9.00.02
Port1/21 Level 1 2 HOME area-9.00.02
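
An audit of show isis int-auth output against the hello-auth types this guide defines, as an added Python example (not code from the VOSS guide). The sample text is constructed in the column layout shown above; the rows with authentication enabled, the masked AUTH-KEY text, and the severity grading are assumptions.

```python
import re

# Constructed sample. The first data row is wrapped onto two lines, as can
# happen when terminal output is captured at a narrow width.
SAMPLE = """\
================================================================================
                              ISIS Interface Auth
================================================================================
IFIDX     AUTH-TYPE     AUTH-KEYID  AUTH-KEY  ORIGIN  AREA  AREA-NAME
--------------------------------------------------------------------------------
Mlt2      none          0                     CONFIG  HOME
area-9.00.02
Port1/21  none          0                     CONFIG  HOME  area-9.00.02
Port1/22  simple        0           ******    CONFIG  HOME  area-9.00.02
Port1/23  hmac-md5      1           ******    CONFIG  HOME  area-9.00.02
Port1/24  hmac-sha-256  7           ******    CONFIG  HOME  area-9.00.02
"""

# Interface index as printed in the IFIDX column (MLT or port, optional sub-port).
IFACE = re.compile(r"^(Mlt\d+|Port\d+/\d+(?:/\d+)?)$")

# Severity per hello-auth type; the grading itself is this example's assumption.
FINDINGS = {
    "none": ("fail", "hello packets are not authenticated"),
    "simple": ("fail", "text password is carried in the transmitted packet"),
    "hmac-md5": ("warn", "keyed MD5 checksum; hmac-sha-256 is available"),
    "hmac-sha-256": ("ok", "HMAC-SHA-256 digest on each hello"),
}


def parse_int_auth(text):
    """Return one dict per interface row; banners and wrapped tails are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not IFACE.match(tokens[0]):
            continue
        if not tokens[2].isdigit():
            continue  # not a data row in the expected layout
        rows.append({
            "ifidx": tokens[0],
            "auth_type": tokens[1].lower(),
            "key_id": int(tokens[2]),
        })
    return rows


def audit(text):
    """Return (ifidx, auth_type, severity, reason) for every interface."""
    results = []
    for row in parse_int_auth(text):
        severity, reason = FINDINGS.get(
            row["auth_type"], ("fail", "unrecognized authentication type"))
        results.append((row["ifidx"], row["auth_type"], severity, reason))
    return results


def interfaces_needing_attention(text):
    """Interfaces whose hello authentication is absent or weaker than SHA-256."""
    return [ifidx for ifidx, _, severity, _ in audit(text) if severity != "ok"]


if __name__ == "__main__":
    for ifidx, auth_type, severity, reason in audit(SAMPLE):
        print(f"{severity.upper():4} {ifidx:9} {auth_type:13} {reason}")
```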

Variable Definitions

The following table defines parameters for the show isis interface command.

Variable Value
home Displays the IS-IS interface information that the system
configures in the home area.
l1 Displays the interface information for Level 1.
l2 Displays the interface information for Level 2.
l12 Displays the interface information for Level 1 and Level 2.
remote Displays the IS-IS interface information that the system
configures in the remote area.

The following table defines parameters for the show isis int-auth command.

Variable Value
home Displays the IS-IS interface authentication information
that the system configures in the home area.
remote Displays the IS-IS interface authentication information
that the system configures in the remote area.

The following table defines parameters for the show isis int-timers command.

Variable Value
home Displays the IS-IS interface timer information that the
system configures in the home area.
remote Displays the IS-IS interface timer information that the
system configures in the remote area.


The following table defines parameters for the show isis int-ckt-level command.

Variable Value
home Displays the IS-IS interface circuit level parameters that
the system configures in the home area.
remote Displays the IS-IS interface circuit level parameters that
the system configures in the remote area.

Display the IP Unicast FIB, Unicast FIB, and Unicast Tree


About This Task

In SPBM, Backbone MAC (B-MAC) addresses are carried within the IS-IS link-state database. To do this,
SPBM supports an IS-IS Type-Length-Value (TLV) that advertises the Service Instance Identifier (I-SID)
and B-MAC information across the network. Each node has a System ID, which also serves as B-MAC of
the switch. These B-MAC addresses are populated into the SPBM Forwarding Information Base (FIB).

When the network topology is discovered and stored in the IS-IS link-state database, each node
calculates shortest path trees for each source node, so that a unicast path now exists from every node
to every other node. With this information, each node populates unicast information received from
SPBM into the FIB for forwarding purposes.

I-SIDs are only used for virtual services (Layer 2 VSNs and Layer 3 VSNs). If you only enable IP Shortcuts
on the Backbone Edge Bridges, I-SIDs are never exchanged in the network as IP Shortcuts allow Global
Routing Table (GRT) IP networks to be transported across IS-IS.

The show isis spbm ip-unicast-fib or show isis spbm ipv6-unicast-fib command
displays all of the IS-IS routes in the IS-IS LSDB. The IP ROUTE PREFERENCE column in the show output
displays the IP route preference.

Routes within the same VSN are added to the LSDB with a default preference of 7. Inter-VSN routes are
added to the LSDB with a route preference of 200. IS-IS accept policies enable you to change the route
preference for incoming routes. If the same route is learned from multiple sources with different route
preferences, then the routes are not considered equal cost multipath (ECMP) routes. The route with the
lowest route preference is the preferred route. In Layer 2, in the event of a tie-break between routes
from multiple sources, the tie-breaking is based on cost and hop count.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display the SPBM IP unicast FIB:
• For IPv4:

show isis spbm ip-unicast-fib [all] [id <1–16777215>] [spbm-nh-as-mac] [home|remote]
• For IPv6:

show isis spbm ipv6-unicast-fib [all] [id <1–16777215>] [spbm-nh-as-mac] [home|remote]


3. Display the SPBM unicast FIB:


show isis spbm unicast-fib [b-mac <0x00:0x00:0x00:0x00:0x00:0x00>]
[vlan <1-4059>] [summary] [home|remote]
4. Display the SPBM unicast tree:
show isis spbm unicast-tree <1-4059> [destination <xxxx.xxxx.xxxx>]

Examples
Switch# show isis spbm ip-unicast-fib

================================================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
================================================================================================================
VRF DEST OUTGOING SPBM PREFIX PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST TYPE PREFERENCE AREA AREA-NAME
----------------------------------------------------------------------------------------------------------------
GRT - - 10.133.136.0/24 4K3(*) 4058 1/3 10 1 Internal 7 HOME area-9.00.02
GRT - - 10.133.136.0/24 4K3(*) 4059 1/3 10 1 Internal 7 HOME area-9.00.02
GRT - - 10.133.136.0/24 4K4(*) 4058 to_4k4 10000 1 Internal 7 HOME area-9.00.02
GRT - - 10.133.136.0/24 4K4(*) 4059 to_4k4 10000 1 Internal 7 HOME area-9.00.02
----------------------------------------------------------------------------------------------------------------
Home : Total number of SPBM IP-UNICAST FIB entries 4
Remote: Total number of SPBM IP-UNICAST FIB entries 0
----------------------------------------------------------------------------------------------------------------

Switch# show isis spbm unicast-fib


==================================================================================================
SPBM UNICAST FIB ENTRY INFO
==================================================================================================
DESTINATION BVLAN SYSID HOST-NAME OUTGOING COST AREA AREA-NAME
ADDRESS INTERFACE
--------------------------------------------------------------------------------------------------
00:16:ca:23:73:df 1000 0016.ca23.73df SPBM-1 1/21 10 HOME area-9.00.02
00:16:ca:23:73:df 2000 0016.ca23.73df SPBM-1 1/21 10 HOME area-9.00.02
00:18:b0:bb:b3:df 1000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02
00:14:c7:e1:33:e0 1000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02
00:18:b0:bb:b3:df 2000 0018.b0bb.b3df SPBM-2 MLT-2 10 HOME area-9.00.02

--------------------------------------------------------------------------------------------------
Home: Total number of SPBM UNICAST FIB entries 5
Remote: Total number of SPBM UNICAST FIB entries 0
--------------------------------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the show isis spbm ip-unicast-fib command.

Variable Value
all Displays entries for the Global Routing Table (GRT) and all Virtual Routing and
Forwarding (VRF) instances.

Note:
If you use the command show isis spbm ip-unicast-fib the device
displays only GRT entries. The command shows IP routes from remote Backbone
Edge Bridges (BEBs).

home Displays the IS-IS SPBM IP unicast Forwarding Information Base (FIB)
information that the system configures in the home area.
id <1–16777215> Displays IS-IS SPBM IP unicast FIB information by Service Instance Identifier
(I-SID) ID.

remote Displays the IS-IS SPBM IP unicast FIB information that the system configures in
the remote area.
spbm-nh-as-mac Displays the next hop B-MAC of the IP unicast FIB entry.

The following table defines parameters for the show isis spbm ipv6-unicast-fib command.

Variable Value
all Displays entries for the Global Routing Table (GRT) and all Virtual Routing and
Forwarding (VRF) instances.

Note:
If you use the command show isis spbm ipv6-unicast-fib the device
displays only GRT entries. The command shows IPv6 routes from remote
Backbone Edge Bridges (BEBs).

home Displays the IS-IS SPBM IPv6 unicast Forwarding Information Base (FIB)
information that the system configures in the home area.
id <1–16777215> Displays IS-IS SPBM IPv6 unicast FIB information by Service Instance Identifier
(I-SID) ID.
remote Displays the IS-IS SPBM IPv6 unicast FIB information that the system configures
in the remote area.
spbm-nh-as-mac Displays the next hop as MAC of the IPv6 unicast FIB entry.

The following table defines parameters for the show isis spbm unicast-fib command.

Variable Value
b-mac <0x00:0x00:0x00:0x00:0x00:0x00> Displays the FIB for the specified BMAC.
home Displays the IS-IS SPBM unicast Forwarding
Information Base (FIB) information that the system
configures in the home area.
remote Displays the IS-IS SPBM unicast FIB information that
the system configures in the remote area.
vlan <1-4059> Displays the FIB for the specified SPBM VLAN.
summary Displays a summary of the FIB.

The following table defines parameters for the show isis spbm unicast-tree command.

Variable Value
<1-4059> Specifies the SPBM B-VLAN ID.
destination <xxxx.xxxx.xxxx> Displays the unicast tree for the specified destination.


Display IS-IS LSDB and Adjacencies


Use the following procedure to display the IS-IS LSDB and adjacencies.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the IS-IS LSDB:
show isis lsdb [level {l1|l2|l12}] [sysid <xxxx.xxxx.xxxx>] [lspid
<xxxx.xxxx.xxxx.xx-xx>] [tlv <1–236>] [detail] [home|remote]
3. Display IS-IS adjacencies:
show isis adjacencies [home|remote]
4. Clear IS-IS LSDB:
clear isis lsdb

Example
Switch:1# show isis lsdb
================================================================================
ISIS LSDB
================================================================================
LSP ID LEVEL LIFETIME SEQNUM CHKSUM HOST-NAME AREA
--------------------------------------------------------------------------------
0014.c7e1.33df.00-00 1 545 0xb1 0xed28 NewYork HOME
0016.ca23.73df.00-00 1 1119 0x9f 0x9c9d Switch-Lab2 HOME
0018.b0bb.b3df.00-00 1 708 0xb9 0xcb1a Switch-Lab1 HOME

--------------------------------------------------------------------------------
Level-1 HOME AREA: 3 out of 3 Total Num of LSP Entries
Level-1 REMOTE AREA: 0 out of 3 Total Num of LSP Entries
Level-2 HOME AREA: 0 out of 0 Total Num of LSP Entries
Level-2 REMOTE AREA: 0 out of 3 Total Num of LSP Entries

Switch:1# show isis adjacencies


====================================================================================================
ISIS Adjacencies
====================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME STATUS AREA AREA-NAME
----------------------------------------------------------------------------------------------------
Port1/11 1 UP 05:02:18 127 22 beb0.0000.7204 Switch-Lab1 ACTIVE HOME area-9.00.02
Port1/12 1 UP 05:00:18 127 25 beb0.0000.7204 Switch-Lab2 BACKUP HOME area-9.00.02
Port1/16 1 UP 05:00:25 127 24 beb0.0000.7204 Switch-Lab3 BACKUP HOME area-9.00.02

----------------------------------------------------------------------------------------------------
Home: 3 out of 3 interfaces have formed an adjacency
Remote: 0 out of 0 interfaces have formed an adjacency

----------------------------------------------------------------------------------------------------

Switch:1> show isis lsdb detail

================================================================================
ISIS LSDB (DETAIL)
================================================================================
--------------------------------------------------------------------------------

Level-1 LspID: 0001.bcb0.0003.00-001 SeqNum: 0x00000522 Lifetime: 1144


Chksum: 0x32f7 PDU Length: 312
Host_name: C0
Attributes: IS-Type 1
TLV:1 Area Addresses: 1
c1.3000.0000.00


TLV:22 Extended IS reachability:


Adjacencies: 7
TE Neighbors: 7
0000.beb1.0007.01 (Switch0) Metric:10
SPBM Sub TLV:
port id: 640 num_port 1
Metric: 10
0000.beb1.00b1.01 (Switch1) Metric:10

SPBM Sub TLV:

port id: 643 num_port 1

Metric: 10

0000.bcb1.0004.01 (C1) Metric:10

SPBM Sub TLV:

port id: 6144 num_port 1

Metric: 10

0000.beb1.00ca.01 (Switch2) Metric:10

SPBM Sub TLV:

port id: 6156 num_port 1

Metric: 10

0000.beb1.00a5.01 (VSS0) Metric:10

SPBM Sub TLV:

port id: 651 num_port 1

Metric: 10

0000.beb1.00b2.01 (VSS1) Metric:10

SPBM Sub TLV:

port id: 645 num_port 1

Metric: 10

0000.beb1.0008.01 (Switch1) Metric:10

SPBM Sub TLV:

port id: 652 num_port 1

Metric: 10

TLV:129 Protocol Supported: SPBM

TLV:137 Host_name: C0#

TLV:144 SUB-TLV 1 SPBM INSTANCE:


Instance: 0
bridge_pri: 0
OUI: 00-33-33


num of trees: 2
vid tuple : u-bit 1 m-bit 1 ect-alg 0x80c201 base vid 1000
vid tuple : u-bit 1 m-bit 1 ect-alg 0x80c202 base vid 1001
TLV:144 SUB-TLV 3 ISID:
Instance: 0
Metric: 0
B-MAC: 00-00-bc-b1-00-03
BVID:1000
Number of ISID's:8
3001(Both),3002(Rx),3003(Both),3004(Rx),4001(Both),4002(Rx),4003(Both),4004(Rx)

Instance: 0
Metric: 0
B-MAC: 00-00-bc-b1-00-03

--More-- (q = quit)

Variable Definitions

The following table defines parameters for the show isis lsdb command.

Variable Value
detail Displays detailed information.
home Displays the IS-IS LSDB information that the system
configures in the home area.
level {l1|l2|l12} Displays the LSDB for the specified level: l1, l2, or l12.
local Displays IS-IS local LSDB information.
remote Displays the IS-IS LSDB information that the system
configures in the remote area.
sysid <xxxx.xxxx.xxxx> Displays the LSDB for the specified system ID.
lspid <xxxx.xxxx.xxxx.xx- Displays the LSDB for the specified LSP ID.
xx>
tlv <1–236> Displays the LSDB by TLV type.

The following table defines parameters for the show isis adjacencies command.

Variable   Value
home       Displays the IS-IS adjacencies that the system configures in the home area.
remote     Displays the IS-IS adjacencies that the system configures in the remote area.

The following table defines parameters for the clear isis command.

Variable   Value
lsdb       Clears the IS-IS Link State Database (LSDB). The command clears learned LSPs only. The
           command does not clear locally generated LSPs. As soon as the platform clears the LSDB,
           the LSP synchronization process starts immediately and the LSDB synchronizes with its
           neighbors.

Display IS-IS Statistics and Counters


Use the following procedure to display the IS-IS statistics and counters.

Procedure
1. Display IS-IS system statistics:
show isis statistics
2. Display IS-IS interface counters:
show isis int-counters [home|remote]
3. Display IS-IS level 1 control packet counters:
show isis int-l1-cntl-pkts [home|remote]

Note
The switch uses level 1 IS-IS. The switch does not support level 2 IS-IS. The command
show isis int-l2-contl-pkts is not supported because the IEEE 802.1aq standard
currently only defines the use of one hierarchy, Level 1.

4. Clear IS-IS statistics:
clear isis stats [error-counters] [packet-counters]

Example
Switch:1# show isis statistics
======================================================================================================
                                          ISIS System Stats
======================================================================================================
LEVEL    CORR  AUTH   AREA  MAX SEQ   SEQ NUM  OWN LSP  BAD ID  PART     LSP DB  AREA    AREA-NAME
         LSPs  FAILS  DROP  EXCEEDED  SKIPS    PURGE    LEN     CHANGES  OLOAD
------------------------------------------------------------------------------------------------------
Level-1  0     0      0     0         1        0        0       0        0       HOME    area-9.00.02
Level-1  0     0      0     0         1        0        0       0        0       REMOTE  area-9.00.02

Switch:1# show isis int-counters
===============================================================================================
                                    ISIS Interface Counters
===============================================================================================
IFIDX     LEVEL    AUTH   ADJ      INIT   REJ  ID LEN  MAX AREA  LAN DIS  AREA  AREA-NAME
                   FAILS  CHANGES  FAILS  ADJ                    CHANGES
----------------------------------------------------------------------------------------------
Mlt2      Level 1  0      1        0      0    0       0         0        HOME  area-9.00.02
Port1/21  Level 1  0      1        0      0    0       0         0        HOME  area-9.00.02

Switch:1# show isis int-l1-cntl-pkts
============================================================================================
                              ISIS L1 Control Packet counters
============================================================================================
IFIDX     DIRECTION    HELLO  LSP  CSNP  PSNP  AREA  AREA-NAME
--------------------------------------------------------------------------------------------
Mlt2      Transmitted  13346  231  2     229   HOME  area-9.00.02
Mlt2      Received     13329  230  1     230   HOME  area-9.00.02
Port1/21  Transmitted  13340  227  2     226   HOME  area-9.00.02
Port1/21  Received     13335  226  1     227   HOME  area-9.00.02
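
The interface counters are cumulative, so a single reading says little; what matters for monitoring is which failure counters grew between two readings. The following Python example is added here and is not part of the Extreme Networks guide. It parses `show isis int-counters` output and reports growth in the AUTH FAILS, INIT FAILS and REJ ADJ columns; the column order is read from the two-line header in the example above, and the second snapshot is constructed sample data.

```python
import re

# Counter columns in the order each row of `show isis int-counters` lists them.
# Assumption: this mapping is read from the two-line header in the guide's example.
COUNTERS = ("auth_fails", "adj_changes", "init_fails", "rej_adj",
            "id_len", "max_area", "lan_dis_changes")

# Counters that indicate a neighbour failing authentication or being refused.
ALERT_ON = ("auth_fails", "init_fails", "rej_adj")

ROW = re.compile(
    r"^(?P<ifidx>\S+)\s+Level[ -]?(?P<level>\d)\s+"
    r"(?P<nums>(?:\d+\s+){7})"
    r"(?P<area>HOME|REMOTE)\s+(?P<area_name>\S+)$"
)


def parse_int_counters(text):
    """Return one dict per interface row; banner, header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = dict(zip(COUNTERS, (int(n) for n in m.group("nums").split())))
        row.update(ifidx=m.group("ifidx"), level=int(m.group("level")),
                   area=m.group("area"), area_name=m.group("area_name"))
        rows.append(row)
    return rows


def new_failures(baseline, current):
    """Return (ifidx, area, counter, delta) for every alert counter that grew."""
    before = {(r["ifidx"], r["area"]): r for r in baseline}
    findings = []
    for row in current:
        old = before.get((row["ifidx"], row["area"]), {})
        for name in ALERT_ON:
            prev = old.get(name, 0)
            # A value below the baseline means the counters were cleared or the
            # switch restarted in between, so the whole current value is new.
            delta = row[name] - prev if row[name] >= prev else row[name]
            if delta > 0:
                findings.append((row["ifidx"], row["area"], name, delta))
    return findings


# First snapshot: the rows shown in the guide's example output.
BASELINE = """
Mlt2      Level 1  0  1  0  0  0  0  0  HOME  area-9.00.02
Port1/21  Level 1  0  1  0  0  0  0  0  HOME  area-9.00.02
"""

# Second snapshot: constructed sample data for this example.
CURRENT = """
Mlt2      Level 1  0  1  0  0  0  0  0  HOME  area-9.00.02
Port1/21  Level 1  4  3  0  1  0  0  0  HOME  area-9.00.02
"""

if __name__ == "__main__":
    for finding in new_failures(parse_int_counters(BASELINE), parse_int_counters(CURRENT)):
        print("%s (%s): %s +%d" % finding)
```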

Variable Definitions

The following table defines parameters for the show isis int-counters command.

Variable   Value
home       Displays the IS-IS interface counters that the system configures in the home area.
remote     Displays the IS-IS interface counters that the system configures in the remote area.

The following table defines parameters for the show isis int-l1-cntl-pkts command.

Variable   Value
home       Displays the IS-IS L1 control packet counters that the system configures in the home area.
remote     Displays the IS-IS L1 control packet counters that the system configures in the remote area.

The following table defines parameters for the clear isis stats command.

Variable          Value
error-counters    Clears IS-IS stats error-counters.
packet-counters   Clears IS-IS stats packet-counters.

Run the Layer 2 Video Surveillance install script


Use the following procedure to run the Layer 2 Video Surveillance install script.

Before You Begin

The switch must be in the factory default state. When you start the install script, the switch displays a
prompt to remind you to do this.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Run the install script:
run vms layer-2 switch <5–99> [syntax]

The script uses the value that you assign to the switch number (between 5 and 99) to seed unique
values in the configuration script.

Examples

The following example shows the complete output of the install script without the syntax parameter.
As you can see, there is no indication that the script encountered any errors.
Switch:1>enable
Switch:1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)# run vms layer-2 switch 6

Do you want to execute the run vms layer-2 script? Device needs to be in factory default state. (y/n) ? y

**Previous configurations stored in pre_vms_layer2_install.cfg**
**New VMS configurations stored in new primary config file vms-layer2-switch-6.cfg**
*** VMS Layer-2 script execution complete ***
Switch:1(config)#boot config choice primary config-file /intflash/vms-layer2-switch-6.cfg

The following example displays the output of the script using the syntax parameter. This example is
only a small sample of the output, but it shows how the script reports warnings and errors it encounters.
Switch:1>enable
Switch:1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)# run vms layer-2 switch 6 syntax

Do you want to execute the run vms layer-2 script? Device needs to be in factory default state. (y/n) ? y

Switch:1(config)# save config file pre_vms_layer2_install.cfg

File [/intflash/pre_vms_layer2_install.cfg] already existing,CP-1: Save config to file /intflash/pre_vms_layer2_install.cfg successful.
WARNING: Choice Primary Node Config file is "/intflash/vms-layer2-switch-6.cfg".

Switch:1(config)# spbm
Switch:1(config)# spbm ethertype 0x8100
Switch:1(config)# router isis
Switch:1(config-isis)# spbm 1

Error: ISIS - IS-IS is enabled, runtime change not allowed.

Switch:1(config)# exit

Switch:1(config)# save config file vms-layer2-switch-6.cfg

File [/intflash/vms-layer2-switch-6.cfg] already existing,CP-1: Save config to file /intflash/vms-layer2-switch-6.cfg successful.

Switch:1(config)# boot config choice primary config-file /intflash/vms-layer2-switch-6.cfg

Switch:1(config)#
**Previous configurations stored in pre_vms_layer2_install.cfg**
**New VMS configurations stored in new primary config file vms-layer2-switch-6.cfg**
*** VMS Layer-2 script execution complete ***
Switch:1(config)#boot config choice primary config-file /intflash/vms-layer2-switch-6.cfg

Variable Definitions

The following table defines parameters for the run vms layer-2 switch command.

Variable   Value
<5-99>     Specifies a switch value, which is then used as a common element to configure switch
           parameters such as nickname, VLAN ID, SPB and IP parameters.
           This switch value is also used in the name of the saved configuration file. For example,
           6 is the switch value in vms-layer2-switch-6.cfg.
syntax     Specifies that the switch displays all the commands run by the script on the console. Use
           this parameter to see errors that the script encounters.
           Note: The script does not stop if it encounters errors. To verify that the script runs
           without errors, use the syntax parameter to display errors or conflicting configurations
           on the switch.
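
Because the script continues past errors, a captured console log from a run with the syntax parameter has to be searched for them. The following Python example is added here and is not part of the Extreme Networks guide. It pairs each Error or WARNING line with the command and CLI mode that preceded it; the prompt pattern and the message prefixes are assumptions taken from the example output above, and the embedded transcript is an excerpt of that output.

```python
import re

# Prompt forms seen in the guide's examples: Switch:1>, Switch:1#, Switch:1(config)#,
# Switch:1(config-isis)#. Assumption: other prompts follow the same shape.
PROMPT = re.compile(
    r"^[\w.-]+:\d+(?:\((?P<mode>[^)]*)\))?[#>]\s*(?P<cmd>.*)$"
)

# Message prefixes seen in the guide's example output.
PROBLEM = re.compile(r"^(?P<kind>Error|WARNING):\s*(?P<msg>.*)$", re.IGNORECASE)


def scan_transcript(text):
    """Return a finding for every Error/WARNING line, tied to the last command echoed."""
    findings = []
    last_cmd, last_mode = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prompt = PROMPT.match(line)
        if prompt:
            # An empty prompt (no command after it) does not replace the last command.
            if prompt.group("cmd"):
                last_cmd, last_mode = prompt.group("cmd"), prompt.group("mode")
            continue
        problem = PROBLEM.match(line)
        if problem:
            findings.append({
                "kind": problem.group("kind").lower(),
                "mode": last_mode,
                "command": last_cmd,
                "message": problem.group("msg"),
            })
    return findings


def failed_commands(text):
    """Commands the script ran that the switch rejected."""
    return [f["command"] for f in scan_transcript(text) if f["kind"] == "error"]


# Excerpt of the guide's example output for `run vms layer-2 switch 6 syntax`.
SAMPLE_TRANSCRIPT = '''
Switch:1(config)# run vms layer-2 switch 6 syntax
Do you want to execute the run vms layer-2 script? Device needs to be in factory default state. (y/n) ? y
Switch:1(config)# save config file pre_vms_layer2_install.cfg
File [/intflash/pre_vms_layer2_install.cfg] already existing,CP-1: Save config to file /intflash/pre_vms_layer2_install.cfg successful.
WARNING: Choice Primary Node Config file is "/intflash/vms-layer2-switch-6.cfg".
Switch:1(config)# spbm
Switch:1(config)# spbm ethertype 0x8100
Switch:1(config)# router isis
Switch:1(config-isis)# spbm 1
Error: ISIS - IS-IS is enabled, runtime change not allowed.
Switch:1(config)# exit
Switch:1(config)#
*** VMS Layer-2 script execution complete ***
'''

if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print("%(kind)s after '%(command)s' in mode %(mode)s: %(message)s" % f)
```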

Suspend Duplicate System ID Detection When Replacing a Switch


When a switch is replaced and the original system ID and nickname are used, you must wait up to
20 minutes for the LSPs with the original system to age out. This is due to duplicate system ID and
nickname detection. However, you can suspend duplicate detection on the replacement switch so that
you can bring the switch into the network immediately.

About This Task

To temporarily disable duplicate detection on the replacement switch, perform the following steps:

Procedure

1. Copy the configuration file of the original switch to the replacement switch.
2. Power up the replacement switch while it is not connected to the SPB network, that is,
network-to-network interface (NNI) ports are not connected.
3. Disable IS-IS on the original switch, or remove the switch from the network.
4. On the replacement switch, enter the following Global Configuration command to suspend duplicate
detection for up to 21 minutes:
isis dup-detection-temp-disable
5. To check the remaining time, use the show isis dup-detection-temp-disable remaining time command.
6. Remove the original switch from the network.
7. Connect the replacement switch to the network.

Configure Dynamic Nickname Assignment


About This Task

Use this procedure to specify a nickname prefix for Dynamic Nickname Assignment.

Note
You must disable Dynamic Nickname Assignment before you can change the nickname prefix.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the Dynamic Nickname Assignment nickname allocation:
spbm nick-name server prefix x.xx.xx
3. Enable Dynamic Nickname Assignment:
spbm nick-name server
4. Verify the configuration:
show spbm

Examples

Configure a nickname allocation prefix and enable Dynamic Nickname Assignment:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#spbm nick-name server prefix C.30.00
Switch:1(config)#spbm nick-name server

Dynamic Nickname Assignment configuration values and their associated behavior are shown in the
following output from the show spbm command:
Switch:1>show spbm
spbm : enable
ethertype : 0x8100
nick-name server : enable
nick-name allocation : static
nick-name server range : C.30.00-C.3F.FF

Variable Definitions

The following table defines parameters for the spbm nick-name server command.

Variable         Value
prefix x.xx.xx   Specifies the nickname server allocation prefix. x.xx.xx uses the form X.X0.00 from
                 0.00.00 to F.F0.00. A group, X.X0.00 to X.XF.FF, can provide up to 4,096 nicknames.
                 The default nickname allocation range is A.00.00-A.0F.FF.
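
The prefix rule above can be checked before a prefix is entered on the switch. The following Python example is added here and is not part of the Extreme Networks guide. It validates the X.X0.00 form, derives the allocation range that show spbm reports, and lists which nicknames from an inventory fall inside that range; the inventory values are constructed sample data.

```python
import re

# A nickname is five hexadecimal digits written as X.XX.XX.
NICKNAME = re.compile(r"^([0-9A-Fa-f])\.([0-9A-Fa-f]{2})\.([0-9A-Fa-f]{2})$")


def nick_to_int(nickname):
    """Convert 'C.30.00' to its 20-bit integer value."""
    m = NICKNAME.match(nickname.strip())
    if not m:
        raise ValueError("not a nickname in X.XX.XX form: %r" % nickname)
    return int("".join(m.groups()), 16)


def int_to_nick(value):
    """Convert a 20-bit integer back to the X.XX.XX notation."""
    digits = "%05X" % value
    return "%s.%s.%s" % (digits[0], digits[1:3], digits[3:5])


def server_range(prefix):
    """Return (first, last) of the allocation group for a prefix of the form X.X0.00."""
    base = nick_to_int(prefix)
    if base & 0xFFF:
        # The last three hex digits must be zero: X.X0.00
        raise ValueError("prefix must have the form X.X0.00: %r" % prefix)
    return base, base | 0xFFF


def format_range(prefix):
    """Render the range the way `show spbm` prints 'nick-name server range'."""
    first, last = server_range(prefix)
    return "%s-%s" % (int_to_nick(first), int_to_nick(last))


def nicknames_in_range(prefix, nicknames):
    """Return the nicknames from an inventory that fall inside the prefix's group."""
    first, last = server_range(prefix)
    return [n for n in nicknames if first <= nick_to_int(n) <= last]


# Constructed inventory of nicknames already in use, for illustration only.
SAMPLE_INVENTORY = ["C.30.07", "0.10.06", "c.3f.ff", "C.40.00"]

if __name__ == "__main__":
    print(format_range("C.30.00"))
    print(nicknames_in_range("C.30.00", SAMPLE_INVENTORY))
```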

Display Dynamic Nickname Assignment


About This Task

Use this procedure to display the current status and values for Dynamic Nickname Assignment.

Procedure

1. To enter User EXEC mode, log on to the switch.
2. Display Dynamic Nickname Assignment configuration values:
show spbm

Example
Switch:1>show spbm
spbm : enable
ethertype : 0x8100
nick-name server : disable
nick-name allocation : static
nick-name server range : A.00.00-A.0F.FF

Enable MSTP-Fabric Connect Multi Homing

Note
This procedure does not apply to VSP 8600 Series or XA1400 Series.

Before You Begin

You must configure a nickname for the specific SPBM instance on which you enable MSTP-Fabric
Connect Multi Homing.

About This Task

Perform this procedure to enable MSTP-Fabric Connect Multi Homing for a specific SPBM instance.

Procedure

1. Enter IS-IS Router Configuration mode:
enable
configure terminal
router isis
2. Enable MSTP-Fabric Connect Multi Homing on a specified SPBM instance:
spbm <1-100> stp-multi-homing enable

Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#spbm 1 stp-multi-homing enable

Variable Definitions

The following table defines parameters for the spbm command.

Variable                  Value
<1–100>                   Specifies the IS-IS SPBM instance ID to create an SPBM instance.
stp-multi-homing enable   Enables MSTP-Fabric Connect Multi Homing on the specific SPBM instance. The
                          default is disabled.

Determine the Root Bridge in an MSTP-Fabric Connect Multi Homing Configuration


Identify the root bridge by determining where the Common and Internal Spanning Tree (CIST) regional
root MAC address is learned for the STP-reserved I-SID. Check which MAC address has the same first
five octets as the CIST regional root MAC address.

About This Task

When you enable MSTP-Fabric Connect Multi Homing, you can use the following two commands to
determine which BEB is the root bridge:
• show spanning-tree mstp status
• show i-sid mac-address-entry 16777003

Procedure

1. To enter User EXEC mode, log on to the switch.
2. Determine the CIST regional root:
show spanning-tree mstp status
3. Determine which MAC address has the same first five octets as seen in the CIST regional root MAC
address:
show i-sid mac-address-entry 16777003

Example

In the following example, bold text identifies the relevant information in the command output. In the
output of the second command, the DEST-MAC shows 10:cd:ae:6e:d8:84, which is the system ID of the
CIST regional root BEB, and the system name is BEB-1000.
Switch:1>show spanning-tree mstp status

==========================================================================================
MSTP Status
==========================================================================================
------------------------------------------------------------------------------------------
Bridge Address : b0:ad:aa:4d:b8:00
Cist Root : 80:00:10:cd:ae:6e:d8:00
Cist Regional Root : 80:00:10:cd:ae:6e:d8:00
Cist Root Port : fabric
Cist Root Cost : 0
Cist Regional Root Cost : 2000000
Cist Instance Vlan Mapped : 1-1024
Cist Instance Vlan Mapped2k : 1025-2048
Cist Instance Vlan Mapped3k : 2049-3072
Cist Instance Vlan Mapped4k : 3073-4050,4053-4059
Cist Max Age : 20 seconds
Cist Forward Delay : 15 seconds
Switch:1>show i-sid mac-address-entry 16777003
===========================================================================================================================================
                                                            I-SID Fdb Table
===========================================================================================================================================
I-SID     STATUS   MAC-ADDRESS        INTERFACE  TYPE       DEST-MAC           BVLAN  DEST-SYSNAME  AREA-ROLE  AREA-NAME
-------------------------------------------------------------------------------------------------------------------------------------------
16777003  learned  10:cd:ae:6e:d8:82  Port-1/9   NON-LOCAL  10:cd:ae:6e:d8:84  4051   BEB-1000      HOME       area-20.0020
16777003  learned  10:cd:ae:db:a4:83  Port-1/40  NON-LOCAL  10:cd:ae:db:a4:84  4051   7208          HOME       area-20.0020
16777003  learned  b0:ad:aa:40:14:82  Port-1/40  NON-LOCAL  b0:ad:aa:40:14:84  4051   6222          REMOTE     area-20.0020
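
The comparison in this procedure can be done mechanically. The following Python example is added here and is not part of the Extreme Networks guide. It drops the two-octet bridge priority from the Cist Regional Root value, then finds the I-SID 16777003 entry whose MAC-ADDRESS shares the same first five octets and returns its DEST-MAC and DEST-SYSNAME. The embedded text is taken from the example output above; the row pattern assumes the column order shown there.

```python
import re

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
# A bridge identifier is eight octets: two of priority followed by the six-octet MAC.
BRIDGE_ID = r"(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}"

# Column order as in the guide's `show i-sid mac-address-entry` example. The row may
# wrap after AREA-ROLE, so AREA-NAME is not required.
FDB_ROW = re.compile(
    r"^(?P<isid>\d+)\s+(?P<status>\S+)\s+(?P<mac>" + MAC + r")\s+(?P<interface>\S+)\s+"
    r"(?P<type>\S+)\s+(?P<dest_mac>" + MAC + r")\s+(?P<bvlan>\d+)\s+"
    r"(?P<sysname>\S+)\s+(?P<area_role>HOME|REMOTE)\b"
)


def cist_regional_root_mac(status_text):
    """Extract the MAC part of 'Cist Regional Root' from `show spanning-tree mstp status`."""
    m = re.search(r"Cist Regional Root\s*:\s*(" + BRIDGE_ID + r")", status_text)
    if not m:
        raise ValueError("Cist Regional Root not found in MSTP status output")
    # Drop the two priority octets (80:00 in the guide's example).
    return m.group(1).lower().split(":", 2)[2]


def find_root_beb(status_text, fdb_text, isid=16777003):
    """Return the FDB entries whose learned MAC shares the root's first five octets."""
    prefix = cist_regional_root_mac(status_text).split(":")[:5]
    matches = []
    for line in fdb_text.splitlines():
        m = FDB_ROW.match(line.strip())
        if not m or int(m.group("isid")) != isid:
            continue
        if m.group("mac").lower().split(":")[:5] == prefix:
            matches.append({
                "dest_mac": m.group("dest_mac").lower(),
                "sysname": m.group("sysname"),
                "interface": m.group("interface"),
                "area_role": m.group("area_role"),
            })
    return matches


# Text from the guide's example output.
SAMPLE_STATUS = """
Bridge Address : b0:ad:aa:4d:b8:00
Cist Root : 80:00:10:cd:ae:6e:d8:00
Cist Regional Root : 80:00:10:cd:ae:6e:d8:00
Cist Root Port : fabric
Cist Root Cost : 0
Cist Regional Root Cost : 2000000
"""

SAMPLE_FDB = """
16777003 learned 10:cd:ae:6e:d8:82 Port-1/9 NON-LOCAL 10:cd:ae:6e:d8:84 4051 BEB-1000 HOME
area-20.0020
16777003 learned 10:cd:ae:db:a4:83 Port-1/40 NON-LOCAL 10:cd:ae:db:a4:84 4051 7208 HOME area-20.0020
16777003 learned b0:ad:aa:40:14:82 Port-1/40 NON-LOCAL b0:ad:aa:40:14:84 4051 6222 REMOTE area-20.0020
"""

if __name__ == "__main__":
    for beb in find_root_beb(SAMPLE_STATUS, SAMPLE_FDB):
        print("root BEB %(sysname)s, system ID %(dest_mac)s, via %(interface)s" % beb)
```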

Fabric Extend configuration using the CLI


The following sections provide procedural information you can use to configure Fabric Extend (FE)
using the Command Line Interface (CLI).

Configure Fabric Extend


Use the following procedure to configure Fabric Extend (FE) between a Main office and a Branch office,
which is a typical deployment. However, if your deployment creates tunnels between two switches that
support Fabric Extend natively, then repeat those steps and ignore the steps for switches that require
an ONA.

Before You Begin

The tunnel source IP address can be a brouter port IP, a CLIP IP, or a VLAN IP.

Note
Product Notice: Except VSP 8600 Series, all product series support a VLAN IP as the Fabric
Extend tunnel source IP address.

For information about product support, see Fabric Extend Considerations on page 969.

If using the tunnel originating address on the GRT, Fabric Extend has the following requirements:
• The tunnel source IP address must be on the GRT, not on a VRF.

Note
A best practice is to use separate IP addresses for the SPBM IP Shortcuts ip-source-address
command and the Fabric Extend ip-tunnel-source-address command.
However, if you want these IP addresses to be the same, you MUST exclude the ip-source-address
address with an IS-IS accept policy. You cannot use the redistribute
command with a route map exclusion.
Specify a CLIP interface to use as the source address for SPBM IP shortcuts.

• If IP Shortcuts is enabled, you must configure an IS-IS accept policy or exclude route-map to ensure
that tunnel destination IP addresses are not learned through IS-IS.

If you are using the tunnel originating address on a VRF, Fabric Extend has the following requirements:
• Configure a CLIP and tunnel source IP address on the VRF.
• Remote management of the VSP 4450 Series is only possible after establishing IP Shortcut over
IS-IS. (Alternatively, you can enable GRT-VRF redistribution locally.)

About This Task

Configuring Fabric Extend consists of two primary tasks: configuring the tunnel source address and
configuring the logical interface. These tasks must be completed on both ends of the tunnel.

The VSP 4450 Series source address command is different from other platforms. Also note that the
logical interface commands are different between Layer 2 and Layer 3 networks.

Note
VRF is an optional parameter. If a VRF is not configured, then FE uses the GRT.

Procedure

The following steps are for platforms that support FE natively:


1. Enter IS-IS Router Configuration mode:
enable
configure terminal
router isis
2. Configure the IP tunnel source address:
ip-tunnel-source-address <A.B.C.D> [vrf WORD<1–16>] [overlay]
3. Enter Global Configuration mode:
exit
4. Use one of the following commands to create a logical IS-IS interface:
• In a network with a Layer 3 Core, enter:
logical-intf isis <1–255> dest-ip <A.B.C.D> [name WORD<1–64>] [mtu <750-9000>]
• In a network with a Layer 2 Core, enter:
logical-intf isis <1–255> vid <list of vids> primary-vid <2–4059> port <slot/port> mlt <mltId> [name WORD<1–64>] [mtu <750-9000>]

Note
The primary VLAN ID (primary-vid) must be one of the VIDs in the vid <list of vids>.

The following steps are for platforms that require an ONA to support FE:

Note
The interface VLAN connecting to the ONA network port is always in the GRT and the
member port that the VLAN is part of is always an access port.

5. Enter IS-IS Router Configuration mode:
enable
configure terminal
router isis
6. Configure the IP tunnel source address on the port that connects to the Device side of the ONA:
ip-tunnel-source-address <A.B.C.D> port <slot/port> [mtu <mtu_value>] [vrf WORD<1–16>]
7. Exit back into Global Configuration mode:
exit

8. Use one of the following commands to create a logical IS-IS interface:
• In a network with a Layer 3 Core, enter:
logical-intf isis <1–255> dest-ip <A.B.C.D> [name WORD<1–64>]
• In a network with a Layer 2 Core, enter:
logical-intf isis <1–255> vid <list of vids> primary-vid <2–4059> port <slot/port> mlt <mltId> [name WORD<1–64>]

Note
The primary VLAN ID (primary-vid) must be one of the VIDs in the vid <list of vids>.

Variable Definitions

The following table defines parameters for the ip-tunnel-source-address command.

Variable           Value
<A.B.C.D>          Specifies the IS-IS IPv4 tunnel source address, which can be a brouter interface IP,
                   a CLIP IP, or a VLAN IP.
overlay            Permits the configuration of the tunnel source address even though it belongs to a
                   VRF with an attached I-SID.
port <slot/port>   Specifies the port that is connected to the ONA device port.
                   Note: Exception: only supported on VSP 4450 Series.
vrf WORD<1–16>     Specifies the VRF name associated with the IP tunnel.
mtu <mtu_value>    Specifies the Maximum Transmission Unit (MTU) size for each packet. Different
                   hardware platforms support different MTU ranges. Use the CLI Help to see the
                   available range for the switch. This parameter only applies to an ONA configuration.
                   Note: Exception: only supported on VSP 4450 Series.

The following tables define parameters for the logical-intf isis command, depending on
whether you have a Layer 2 or Layer 3 core.

Table 103: Layer 2 core


Variable               Value
<1–255>                Specifies the index number that uniquely identifies this logical interface.
port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
                       Specifies the physical port that the logical interface is connected to in a
                       Layer 2 network.
vid <list of vids>     Specifies the list of VLANs that are associated with this logical interface.
primary-vid <2–4059>   Specifies the primary tunnel VLAN ID associated with this Layer 2 IS-IS logical
                       interface.
mlt <mltId>            Specifies the MLT ID that the logical interface is connected to in a Layer 2
                       network.
name WORD<1–64>        Specifies the administratively-assigned name of this logical interface, which
                       can be up to 64 characters.
mtu <750-9000>         Specifies the Maximum Transmission Unit (MTU) size of each packet. The default
                       MTU value is 1950.
                       Note: Exception: only supported on XA1400 Series.

Table 104: Layer 3 core


Variable            Value
<1–255>             Specifies the index number that uniquely identifies this logical interface.
dest-ip <A.B.C.D>   Specifies the tunnel destination IP address of the remote BEB.
name WORD<1–64>     Specifies the administratively-assigned name of this logical interface, which can
                    be up to 64 characters.
mtu <750-9000>      Specifies the Maximum Transmission Unit (MTU) size of each packet. The default MTU
                    value is 1950.
                    Note: Exception: only supported on XA1400 Series.

Configure Fabric Extend Over IPsec

Note
This procedure only applies to XA1400 Series.

Use the following procedure to configure Fabric Extend (FE) over IPsec.

Before You Begin

The tunnel source IP address can be a brouter port IP, a CLIP IP, or a VLAN IP.

About This Task

Configuring Fabric Extend over IPsec consists of two primary tasks: configuring the tunnel source
address and configuring the logical interface. These tasks must be completed on both ends of the
tunnel.

For information about how to configure an IPsec NAT-T Responder, see IPsec configuration using CLI on
page 1780.

Procedure

Switch A Steps
1. Enter IS-IS Router Configuration mode:
enable
configure terminal
router isis
2. Configure the IP tunnel source address:
ip-tunnel-source-address <A.B.C.D> [vrf WORD<1–16>]
3. Enter Global Configuration mode:
exit
4. Use one of the following commands to create a logical IS-IS interface:
• In a network with a Layer 3 Core, enter:
logical-intf isis <1–255> dest-ip <A.B.C.D> [name WORD<1–64>] [mtu <750-9000>]
5. Configure an IS-IS interface on the selected ports or MLTs:
a. Create an IS-IS circuit and interface on the selected ports or MLTs:
isis
b. Enable the SPBM instance on the IS-IS interfaces:
isis spbm <1–100>
c. Enable the IS-IS circuit/interface on the selected ports or MLTs:
isis enable
6. Configure the IPsec authentication method:
ipsec auth-method <pre-share | rsa-sig>
7. Create the authentication key, if using a pre-shared key:
auth-key WORD<1-32>
8. Configure the IPsec encryption key length for the FE tunnel:
ipsec encryption-key-length <128 | 256>

Note
• You cannot change the encryption key length when IPsec is enabled on the FE tunnel.

9. (Optional) Enable IPsec compression on the logical interface:
ipsec compression

By default, IPsec compression is disabled. If you enable it, you must enable it on both ends of the
adjacency.
10. Enable IPsec on the logical interface:
ipsec
11. Exit interface configuration mode:
exit
Switch B Steps
12. Enter IS-IS Router Configuration mode:
enable
configure terminal
router isis
13. Configure the IP tunnel source address:
ip-tunnel-source-address <A.B.C.D> [vrf WORD<1–16>]
14. Enter Global Configuration mode:
exit
15. Use one of the following commands to create a logical IS-IS interface:
• In a network with a Layer 3 Core, enter:
logical-intf isis <1–255> dest-ip <A.B.C.D> [name WORD<1–64>] [mtu <750-9000>]
16. Configure an IS-IS interface on the selected ports or MLTs:
a. Create an IS-IS circuit and interface on the selected ports or MLTs:
isis
b. Enable the SPBM instance on the IS-IS interfaces:
isis spbm <1–100>
c. Enable the IS-IS circuit/interface on the selected ports or MLTs:
isis enable
17. Configure the IPsec authentication method:
ipsec auth-method <pre-share | rsa-sig>
18. Create the authentication key, if using a pre-shared key:
auth-key WORD<1-32>
19. Configure the IPsec encryption key length for the FE tunnel:
ipsec encryption-key-length <128 | 256>

Note
• You cannot change the encryption key length when IPsec is enabled on the FE tunnel.

20. (Optional) Enable IPsec compression on the logical interface:
ipsec compression

By default, IPsec compression is disabled. If you enable it, you must enable it on both ends of the
adjacency.
21. Enable IPsec on the logical interface:
ipsec
22. Exit interface configuration mode:
exit

Variable Definitions

The following table defines parameters to configure Fabric Extend (FE) over IPsec on a device.

The following table defines parameters for the ip-tunnel-source-address command.

Variable         Value
<A.B.C.D>        Specifies the IS-IS IPv4 tunnel source address, which can be a brouter IP, a CLIP IP,
                 or a VLAN IP.
vrf WORD<1–16>   Specifies the VRF name associated with the IP tunnel.

Table 105: Layer 3 core


Variable          Value
<1–255>           Specifies the index number that uniquely identifies this logical interface.
<A.B.C.D>         Specifies the IS-IS IPv4 tunnel source address, which can be either a brouter
                  interface IP or a CLIP IP.
name WORD<1–64>   Specifies the administratively-assigned name of this logical interface, which can be
                  up to 64 characters.
mtu <750–9000>    Specifies the Maximum Transmission Unit (MTU) size of each packet. The default MTU
                  value is 1950.

The following table defines parameters for the isis command.

Variable       Value
enable         Enables or disables the IS-IS circuit/interface on the specified port or MLT.
               The default is disabled. Use the no option to disable IS-IS on the specified interface.
spbm <1–100>   Enable the SPBM instance on the IS-IS interfaces.

The following table defines parameters for the auth-key command.

Variable     Value
WORD<1–32>   Specifies the authentication key on the assigned logical interface if using a pre-shared
             key.
             Use the no option to disable the authentication key on the specified interface.

The following table defines parameters for the ipsec command.

Variable                            Value
auth-method <pre-share | rsa-sig>   Configures the authentication method for IPsec. The default is a
                                    pre-shared key. Use rsa-sig to use an installed digital certificate
                                    instead.
encryption-key-length <128 | 256>   Specifies the IPsec encryption key length for FE tunnel, which is
                                    128 bit or 256 bit.
                                    The default IPsec encryption key length value is 128 bit.

Configure Static Source IP Address for IPsec Tunnel

Note
This procedure only applies to XA1400 Series.

Perform this procedure to configure a specific source IP address for the IPsec tunnel when you deploy
the XA1400 Series in an environment that requires more than one provider connection with IPsec.

Before You Begin


• Configure a VLAN, brouter, or CLIP IP address for the IPsec tunnel to use; this address must be in the
same VRF as the tunnel.
• Disable IPsec on the logical interface.

About This Task

The static source IP address for the IPsec tunnel cannot be the same as the global or dynamically
configured source IP address.

Procedure

1. Enter Logical IS-IS Interface Configuration mode:
enable
configure terminal
logical-intf isis <1–255>
2. Configure the IP address to use as the source IP address for IPsec tunnel:
ipsec tunnel-source-address type static {A.B.C.D}
3. Enable IPsec on the logical interface:
ipsec

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#logical-intf isis 3
Switch:1(config-isis-3-198.51.100.1)#ipsec tunnel-source-address type static 20.20.20.20
Switch:1(config-isis-3-198.51.100.1)#ipsec

Variable Definitions

The following table defines parameters for the ipsec tunnel-source-address type static
command.

Variable    Value
{A.B.C.D}   Specifies the manually configured source IP address for the IPsec tunnel.
            The source IP address must be on the same VRF as the source IP address for the IP tunnel.

Configure DHCP Source IP Address for IPsec Tunnel

Note
This procedure only applies to XA1400 Series.

Perform this procedure to dynamically obtain the source IP address for the IPsec tunnel from DHCP
when you deploy the XA1400 Series in an environment that requires more than one provider connection
with IPsec.

Before You Begin


• Disable IPsec on the logical interface.
• Ensure that the DHCP client is enabled for the Management Instance VLAN interface.
• Ensure that there is coexistence between the VOSS routing stack and the Management Instance
VLAN interface. Use the propagate-to-routing command from the mgmt VLAN level to move
to the coexistence mode automatically. For more information, see VLAN on page 78.

About This Task

The static source IP address for the IPsec tunnel cannot be the same as the global or dynamically
configured source IP address.

Procedure
1. Enter Logical IS-IS Interface Configuration mode:
enable
configure terminal
logical-intf isis <1–255>
2. Import the source IP address from DHCP:
ipsec tunnel-source-address type dhcp
3. Enable IPsec on the logical interface:
ipsec

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#logical-intf isis 3
Switch:1(config-isis-3-198.51.100.1)#ipsec tunnel-source-address type dhcp
Switch:1(config-isis-3-198.51.100.1)#ipsec

Configure ESP Cipher Suite for IPsec

Note
This procedure only applies to XA1400 Series.

Before You Begin

About This Task

Configure the Encapsulating Security Payload (ESP) cipher suite for IPsec.

Procedure

1. Enter Logical IS-IS Interface Configuration mode:
enable
configure terminal
logical-intf isis <1–255>
2. Configure the ESP cipher suite for IPsec:
ipsec esp [<aes128gcm16-sha256 | aes256-sha256 | aes256gcm16-sha256>]

Variable Definitions

The following table defines parameters for the ipsec esp command.

Variable               Value
<aes128gcm16-sha256>   Specifies the AES cipher with a 128-bit encryption key and GCM block mode.
<aes256-sha256>        Specifies the AES cipher with a 256-bit encryption key and CBC block mode (for
                       QAT performance mode).
<aes256gcm16-sha256>   Specifies the AES cipher with a 256-bit encryption key and GCM block mode.

Disable IPsec Compression

Note
If you downgrade to an earlier release that does not support this feature, you must disable
the feature and save the configuration. Downgrading to an earlier release will require a
compatible configuration file.


Procedure

1. Enter Logical IS-IS Interface Configuration mode:


enable

configure terminal

logical-intf isis <1–255>


2. Disable IPsec:
no ipsec
3. Disable IPsec compression:
no ipsec compression
4. Enable IPsec:
ipsec
5. Save the configuration.
6. Verify the configuration:
show isis logical-interface ipsec

Example
Switch:1(config-isis-2-192.0.2.10)# no ipsec
Switch:1(config-isis-2-192.0.2.10)# no ipsec compression
Switch:1(config-isis-2-192.0.2.10)# ipsec
Switch:1(config-isis-2-192.0.2.10)#show isis logical-interface ipsec
=================================================================================
ISIS Logical Interface IPSec
=================================================================================
ID Authentication-Key Responder-Only Remote NAT IP Compression
---------------------------------------------------------------------------------
2 ****** False - False
---------------------------------------------------------------------------------
1 out of 2 Total Num of Logical ISIS interfaces
---------------------------------------------------------------------------------

Configure IS-IS Hello Padding

Note
This procedure does not apply to VSP 8600 Series.

Perform this procedure to dynamically configure IS-IS hello padding on all IS-IS network-to-network
interface (NNI) links. IS-IS hello padding is enabled by default.

About This Task

Disable hello padding if the WAN-line MTU is less than 1596 bytes and fragmentation and reassembly
functionality is enabled.


Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Perform one of the following actions:
• Disable hello padding: no hello-padding
• Enable hello padding, if previously disabled: hello-padding
3. Verify the configuration:
show isis

Example

Verify IS-IS hello padding status:


Switch:1>show isis
================================================================================
ISIS General Info
================================================================================
AdminState : enabled
RouterType : Level 1
System ID : 0014.c7e1.33df
Max LSP Gen Interval : 900
Metric : wide
Overload-on-startup : 20
Overload : false
Csnp Interval : 10
PSNP Interval : 2
Rxmt LSP Interval : 5
spf-delay : 100
Router Name : Switch1
ip source-address : 41.41.41.100
ipv6 source-address : 41:0:0:0:0:0:0:100
ip tunnel source-address : 11.11.12.11
Tunnel vrf : spboip
ip tunnel mtu : 1950
Num of Interfaces : 2
Num of Area Addresses : 1
inband-mgmt-ip :
backbone : disabled
Dynamically Learned Area : 00.0000.0000
FAN Member : No
Hello Padding : enabled
Multi-Area OperState : disabled
Multi-Area Flags : home-always-up

Enable IPsec Fragmentation Before Encryption

Note
This procedure only applies to XA1400 Series.

Configure IPsec fragmentation before encryption to avoid possible throughput penalty for sending
fragmented packets over the Internet.


Before You Begin


• Configure the IPsec tunnel source address globally.
• Disable IPsec on the logical interface.
• IPsec over Fabric Extend must be in IPsec decoupled mode. For more information, see Fabric IPsec
Gateway Fundamentals on page 858.
• Configure one of the following:
◦ the IPsec tunnel destination IP
◦ IPsec NAT-T responder only mode
◦ IPsec responder remote NAT IP address

Procedure
1. Enter Logical IS-IS Interface Configuration mode:
enable

configure terminal

logical-intf isis <1–255>


2. Enable IPsec fragmentation before encryption on the logical interface:
ipsec fragment-before-encrypt
3. Enable IPsec on the logical interface:
ipsec
4. Verify the configuration:
show isis logical-interface ipsec

Example

Enable IPsec fragment before encryption and verify the configuration:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#logical-intf isis 2
Switch:1(config-isis-2-192.0.2.24)#ipsec fragment-before-encrypt
Switch:1(config-isis-2-192.0.2.24)#ipsec
Switch:1>show isis logical-interface ipsec
=======================================================================================================================================
ISIS Logical Interface IPSec
=======================================================================================================================================
ID Status Auth-Method Auth-Key ESP Responder-Only Remote NAT IP Auth-Key-Len Compression Frag-before-encrypt
---------------------------------------------------------------------------------------------------------------------------------------
1 Enable RSA-SIG ****** aes128gcm16-sha256 False - 128 False True

---------------------------------------------------------------------------------------------------------------------------------------
1 out of 1 Total Num of Logical ISIS interfaces
---------------------------------------------------------------------------------------------------------------------------------------

======================================================================================================================
IPSec Tunnel General Info
======================================================================================================================
IPSec tunnel global source-ip-address : 203.0.113.1

======================================================================================================================
ISIS IPSec Tunnels
======================================================================================================================

ID IPSec source IP IPSec Dst Ip TUNNEL_NEXT_HOP
type address PORT/MLT VLAN VRF
----------------------------------------------------------------------------------------------------------------------
1 global 203.0.113.1 100.100.100.6 Port1/6 100 GlobalRouter
----------------------------------------------------------------------------------------------------------------------
1 out of 1 Total Num of Logical ISIS interfaces
----------------------------------------------------------------------------------------------------------------------


Disable IPsec Fragmentation Before Encryption

Note
This procedure only applies to XA1400 Series.

If you downgrade to an earlier release that does not support this feature, you must disable the feature
and save the configuration. You must have a compatible configuration file if you downgrade to an earlier
release.

Before You Begin

Procedure
1. Enter Logical IS-IS Interface Configuration mode:
enable

configure terminal

logical-intf isis <1–255>


2. Disable IPsec on the logical interface:
no ipsec
3. Disable IPsec fragmentation before encryption on the logical interface:
no ipsec fragment-before-encrypt
4. Enable IPsec on the logical interface:
ipsec
5. Verify the configuration:
show isis logical-interface ipsec

Example

Disable IPsec and IPsec fragmentation before encryption and verify the configuration:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#logical-intf isis 2
Switch:1(config-isis-2-192.168.20.1)#no ipsec
Switch:1(config-isis-2-192.168.20.1)#no ipsec fragment-before-encrypt
Switch:1(config-isis-2-192.168.20.1)#ipsec
Switch:1(config-isis-2-192.168.20.1)#show isis logical-interface ipsec
========================================================================================================================================
ISIS Logical Interface IPSec
========================================================================================================================================
ID Status Auth-Method Auth-Key ESP Responder-Only Remote NAT IP Auth-Key-Len Compression Frag-before-encrypt
-----------------------------------------------------------------------------------------------------------------------------------------
1 Enable RSA-SIG ****** aes128gcm16-sha256 False - 128 False False

-----------------------------------------------------------------------------------------------------------------------------------------
1 out of 1 Total Num of Logical ISIS interfaces
-----------------------------------------------------------------------------------------------------------------------------------------

======================================================================================================================
IPSec Tunnel General Info
======================================================================================================================
IPSec tunnel global source-ip-address : 203.0.113.1

======================================================================================================================
ISIS IPSec Tunnels
======================================================================================================================

ID IPSec source IP IPSec Dst Ip TUNNEL_NEXT_HOP
type address PORT/MLT VLAN VRF
----------------------------------------------------------------------------------------------------------------------
1 global 203.0.113.1 100.100.100.6 Port1/6 100 GlobalRouter

----------------------------------------------------------------------------------------------------------------------
1 out of 1 Total Num of Logical ISIS interfaces

Adjust the TCP Maximum Segment Size

Note
This procedure only applies to VSP 4900 Series, VSP 7400 Series, and XA1400 Series.

Adjust the TCP maximum segment size (MSS) to improve the throughput for the TCP session over a
Fabric Extend (FE) adjacency.

About This Task

Note
If you downgrade to an earlier release that does not support this feature, you must disable the
feature and save the configuration. Downgrading to an earlier release requires a compatible
configuration file.

The default varies depending on hardware platform:


• For XA1400 Series, this functionality is enabled when at least one Fabric Extend (FE) tunnel with an
MTU less than or equal to 1500 is configured, and the value is auto-derived.
• For VSP 4900 Series and VSP 7400 Series, this functionality is disabled. The default value, when
enabled, is 1300.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Use one of the following commands to configure the MSS adjustment functionality as required:
a. Configure an explicit MSS adjust value:
ip tcp adjust-mss <max-segment-size> [enable]
b. Disable MSS adjustment explicitly:
no ip tcp adjust-mss enable
c. Disable a configured MSS adjustment value and return to the auto-derived value:

Note
An auto-derived value is only supported on XA1400 Series.

no ip tcp adjust-mss enable


3. Verify the configuration:
show ip tcp adjust-mss

Examples

Configure an MSS value of 1100 and verify the configuration.


Switch:1>enable
Switch:1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.


Switch:1(config)#ip tcp adjust-mss 1200
Switch:1>show ip tcp adjust-mss
================================================================================
IP TCP Adjust MSS
================================================================================
ENABLE STATUS TCP MSS TCP MSS
TYPE VALUE
--------------------------------------------------------------------------------
TRUE ACTIVE MANUAL-CONFIG 1200

Disable the configured MSS adjustment value on XA1400 Series and verify the configuration:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#no ip tcp adjust-mss enable
Switch:1(config)#show ip tcp adjust-mss
============================================================================
IP TCP Adjust MSS
============================================================================
ENABLE STATUS TCP MSS TCP MSS
TYPE VALUE
----------------------------------------------------------------------------
TRUE ACTIVE AUTO-DERIVED 1300

Displaying Fabric Extend over IPsec tunnel status


Use the following procedure to display the Fabric Extend over IPsec tunnel status on the switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the Fabric Extend over IPsec tunnel status:
show io logical-intf-ipsec

Example of a Fabric Extend over IPsec tunnel status.


Switch:1> show io logical-intf-ipsec
bash-4.3# ipsec status | grep ESTABLISHED
ipsec1-192.0.2.192[12]: ESTABLISHED 13 hours ago,
192.0.2.193[192.0.2.193]...192.0.2.192[192.0.2.192]
ipsec0-192.0.2.182[11]: ESTABLISHED 13 hours ago,
192.0.2.193[192.0.2.193]...192.0.2.182[192.0.2.182]

Configure BFD on a Fabric Extend Tunnel


About This Task

Use the following procedure to configure BFD on a Fabric Extend Tunnel.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. Enable BFD:
router bfd enable
3. In the VLAN Interface Configuration mode, you can enable BFD:
ip bfd enable
4. In the Loopback Interface Configuration mode, you can enable BFD:
ip bfd enable
5. Enable BFD on an IS-IS Logical Interface:
logical-intf isis <1–255> bfd enable

Example

Enable BFD on a Fabric Extend tunnel:


Switch:1>enable
Switch:1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router bfd enable
Switch:1(config)#interface loopback 1
Switch:1(config-if)#ip bfd enable
Switch:1(config-if)#logical-intf isis 1
Switch:1(config-isis-1-1.2.3.5)#bfd enable

Display IS-IS Logical Interfaces


Use the following procedure to display the Intermediate-System-to-Intermediate-System (IS-IS) logical
interfaces configured on the switch.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the IS-IS logical interfaces:
show isis logical-interface [name | ipsec | shaper | mtu]

Examples

Example of a Layer 2 Core


Switch:1> show isis logical-interface
========================================================================================
ISIS Logical Interfaces
========================================================================================
IFIDX NAME ENCAP L2_INFO TUNNEL L3_TUNNEL_NEXT_HOP_INFO
TYPE PORT/MLT VIDS(PRIMARY) DEST-IP PORT/MLT VLAN VRF
----------------------------------------------------------------------------------------
1 -- L2-P2P-VID Port2/40 101,201(101) -- -- -- --
2 -- L2-P2P-VID Port1/3 102,202(102) -- -- -- --
----------------------------------------------------------------------------------------
2 out of 2 Total Num of Logical ISIS interfaces
----------------------------------------------------------------------------------------

Example of a Layer 3 Core


Switch:1> show isis logical-interface
========================================================================================
ISIS Logical Interfaces
========================================================================================
IFIDX NAME ENCAP L2_INFO TUNNEL L3_TUNNEL_NEXT_HOP_INFO

TYPE PORT/MLT VIDS(PRIMARY) DEST-IP PORT/MLT VLAN VRF


----------------------------------------------------------------------------------------
1 SPBoIP_T1 IP -- -- 41.41.41.41 MLT10 2 vrf24
2 SPBoIP_T2 IP -- -- 42.42.42.42 MLT10 2 vrf24
3 SPBoIP_4K5 IP -- -- 187.187.187.187 MLT10 2 vrf24
----------------------------------------------------------------------------------------
3 out of 3 Total Num of Logical ISIS interfaces
----------------------------------------------------------------------------------------

Example showing the status of BFD configurations on the IS-IS Logical interface
Switch:1> show isis logical-interface
==============================================================================================
ISIS Logical Interfaces
==============================================================================================
IFIDX NAME ENCAP L2_INFO TUNNEL L3_TUNNEL_NEXT_HOP_INFO BFD
TYPE PORT/MLT VIDS(PRIMARY) DEST-IP PORT/MLT VLAN VRF STATUS
-----------------------------------------------------------------------------------------------
1 tunnel01 IP -- -- 198.51.100.1 Port1/2 123 vrf30 disabled
2 tunnel102 IP -- -- 198.51.100.2 Port1/3 345 vrf20 disabled
-----------------------------------------------------------------------------------------------
2 out of 2 Total Num of Logical ISIS interfaces
-----------------------------------------------------------------------------------------------

Example showing the full IS-IS logical interface name

The command show isis logical-interface truncates the IS-IS logical interface name to the
first 16 characters. To view the entire name (up to a maximum of 64 characters), use the command
show isis logical-interface name.
Switch:1> show isis logical-interface name
========================================================================================
ISIS Logical Interface name
========================================================================================
ID NAME

----------------------------------------------------------------------------------------
1 SPBoIP_T1
2 SPBoIP_T2
3 SPBoIP_4K5
6 This_Is_A_50_Character_ISIS_Logical_Interface_Name
----------------------------------------------------------------------------------------
4 out of 4 Total Num of Logical ISIS interfaces
----------------------------------------------------------------------------------------

Display IS-IS logical interface IPsec configuration.


Switch:1>show isis logical-interface ipsec
=======================================================================================================================================
ISIS Logical Interface IPSec
=======================================================================================================================================
ID Status Auth-Method Auth-Key ESP Responder-Only Remote NAT IP Auth-Key-Len Compression Frag-before-encrypt
---------------------------------------------------------------------------------------------------------------------------------------
1 Enable RSA-SIG ****** aes128gcm16-sha256 False - 128 False True

---------------------------------------------------------------------------------------------------------------------------------------
1 out of 1 Total Num of Logical ISIS interfaces
---------------------------------------------------------------------------------------------------------------------------------------

======================================================================================================================
IPSec Tunnel General Info
======================================================================================================================
IPSec tunnel global source-ip-address : 203.0.113.1

======================================================================================================================
ISIS IPSec Tunnels

======================================================================================================================

ID IPSec source IP IPSec Dst Ip TUNNEL_NEXT_HOP
type address PORT/MLT VLAN VRF
----------------------------------------------------------------------------------------------------------------------
1 global 203.0.113.1 100.100.100.6 Port1/6 100 GlobalRouter
----------------------------------------------------------------------------------------------------------------------
1 out of 1 Total Num of Logical ISIS interfaces
----------------------------------------------------------------------------------------------------------------------

Display the IS-IS logical interface egress shaping rate values. This command displays interfaces with
egress shaping rates configured.
Switch:1>show isis logical-interface shaper
========================================================================================
ISIS Logical Interface Egress Shaping Rate
========================================================================================
ID NAME service-rate(Mbps)
----------------------------------------------------------------------------------------
1 remote1 135
2 remote2 120
3 remote3 178
----------------------------------------------------------------------------------------
3 out of 3 Total Num of Logical ISIS interfaces
----------------------------------------------------------------------------------------

Example showing the IS-IS logical interface MTU values

This command displays the Maximum Transmission Unit (MTU) size for each logical interface.
Switch:1>show isis logical-interface mtu
========================================================================================
ISIS Logical Interface Mtu
========================================================================================
ID NAME MTU
----------------------------------------------------------------------------------------
1 SPBoIP_T1 751
2 SPBoIP_T2 1000
3 SPBoIP_4K5 1950
----------------------------------------------------------------------------------------
3 out of 3 Total Num of Logical ISIS interfaces
----------------------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the show isis logical-interface command.

Variable     Value
name         Displays the full name of the IS-IS logical interface (up to a maximum of 64 characters).
ipsec        Displays the IS-IS logical interface ID and IPsec authentication key.
shaper       Displays the IS-IS logical interface egress shaping rate values. Only interfaces that have egress shaping rates configured display.
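
The show isis logical-interface ipsec output can be checked against a baseline and against the downgrade notes in the compression and fragment-before-encrypt procedures. The following Python script is an added example, not part of the VOSS documentation: the sample text is constructed, and the function names, the "Disable" status spelling, and the baseline policy passed to audit() are assumptions.

```python
from dataclasses import dataclass

# ESP suites documented for the "ipsec esp" command on this page.
DOCUMENTED_ESP = {"aes128gcm16-sha256", "aes256-sha256", "aes256gcm16-sha256"}
BOOLS = {"True": True, "False": False}

# Constructed sample in the wide layout shown above (not captured from a device).
# The "Disable" status spelling in row 3 is an assumption.
SAMPLE = """\
Switch:1>show isis logical-interface ipsec
====================================================================
                    ISIS Logical Interface IPSec
====================================================================
ID Status Auth-Method Auth-Key ESP Responder-Only Remote NAT IP Auth-Key-Len Compression Frag-before-encrypt
--------------------------------------------------------------------
1 Enable RSA-SIG ****** aes128gcm16-sha256 False - 128 False True
2 Enable RSA-SIG ****** aes256-sha256 True 198.51.100.7 128 True False
3 Disable RSA-SIG ****** aes256gcm16-sha256 False - 128 False False
--------------------------------------------------------------------
3 out of 3 Total Num of Logical ISIS interfaces
--------------------------------------------------------------------
====================================================================
                    ISIS IPSec Tunnels
====================================================================
ID IPSec source IP IPSec Dst Ip TUNNEL_NEXT_HOP
type address PORT/MLT VLAN VRF
--------------------------------------------------------------------
1 global 203.0.113.1 100.100.100.6 Port1/6 100 GlobalRouter
"""


@dataclass
class IpsecRow:
    intf_id: int
    status: str
    auth_method: str
    esp: str
    responder_only: bool
    remote_nat_ip: str
    auth_key_len: int
    compression: bool
    frag_before_encrypt: bool


def parse_ipsec_table(text):
    """Return the rows of the 'ISIS Logical Interface IPSec' table only."""
    rows, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        # Track which of the tables in the output we are inside.
        if stripped == "ISIS Logical Interface IPSec":
            in_section = True
            continue
        if stripped in ("IPSec Tunnel General Info", "ISIS IPSec Tunnels"):
            in_section = False
            continue
        tok = stripped.split()
        if not in_section or len(tok) != 10:
            continue
        # The summary line "N out of N Total Num of Logical ISIS interfaces"
        # also has 10 tokens and a leading digit, so check the typed fields.
        if not (tok[0].isdigit() and tok[7].isdigit()):
            continue
        if not all(t in BOOLS for t in (tok[5], tok[8], tok[9])):
            continue
        rows.append(IpsecRow(int(tok[0]), tok[1], tok[2], tok[4], BOOLS[tok[5]],
                             tok[6], int(tok[7]), BOOLS[tok[8]], BOOLS[tok[9]]))
    return rows


def audit(rows, allowed_esp=DOCUMENTED_ESP, require_frag_before_encrypt=False):
    """Return (interface id, finding) pairs against an operator baseline (assumed policy)."""
    findings = []
    for r in rows:
        if r.status != "Enable":
            findings.append((r.intf_id, "IPsec not enabled on logical interface"))
        if r.esp not in allowed_esp:
            findings.append((r.intf_id, f"ESP suite {r.esp} not in baseline"))
        if require_frag_before_encrypt and not r.frag_before_encrypt:
            findings.append((r.intf_id, "fragment-before-encrypt is off"))
    return findings


def downgrade_blockers(rows):
    """List the per-interface command needed before a downgrade to a release
    without these features. Each is entered between "no ipsec" and "ipsec"."""
    out = []
    for r in rows:
        if r.compression:
            out.append((r.intf_id, "no ipsec compression"))
        if r.frag_before_encrypt:
            out.append((r.intf_id, "no ipsec fragment-before-encrypt"))
    return out


if __name__ == "__main__":
    parsed = parse_ipsec_table(SAMPLE)
    for finding in audit(parsed) + downgrade_blockers(parsed):
        print(finding)
```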

Display BFD Fabric Extend Neighbor Information


About This Task

Use this procedure to display BFD Fabric Extend neighbors.


Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the BFD configurations:
show ip bfd neighbors vrf WORD<1-16>

Example
Switch:1>show ip bfd neighbors vrf vrf30
========================================================================================================================
BFD Session - VRF vrf30
========================================================================================================================

MY_DISC YOUR_DISC NEXT_HOP STATE MULTI MIN_TX MIN_RX ACT_TX DETECT_TIME REMOTE_STATE APP RUN

1 1 192.0.2.11 UP 3 200 200 1000 600 UP ISIS ISIS


------------------------------------------------------------------------------------------------------------------------
1 out of 1 BFD session displayed
------------------------------------------------------------------------------------------------------------------------

Configure Global Source IP Address for IPsec Tunnel


About This Task

Perform this procedure to configure the global source IP address for IPsec tunnel on the switch.

Note
Product Notice: This procedure only applies to XA1400 Series switches.

Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Configure the source IP address for IPsec tunnel:
ipsec tunnel-source-address {A.B.C.D}

Note
You must configure the source IP address for IPsec tunnel on the same VRF as the source
address for IP tunnel.

Example
Configuring source IP address for IPsec tunnel.

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#ipsec tunnel-source-address 192.0.2.10


Variable Definitions

The following table defines the variable for the ipsec tunnel-source-address command.

Variable     Value
{A.B.C.D}    Specifies the global IP address for IPsec tunnel, which is configured on the same VRF as the source address for IP tunnel.

Configure Destination IP Address for IPsec Tunnel


About This Task

Perform this procedure to configure the destination IP address for the IPsec tunnel on a specific IS-IS
logical interface on the switch.

Note
Product Notice: This procedure only applies to XA1400 Series switches.

Procedure

1. Enter Logical IS-IS Interface Configuration mode:


enable

configure terminal

logical-intf isis <1–255>


2. Configure destination IP address for IPsec tunnel:
ipsec tunnel-dest-ip {A.B.C.D}

Example
Configuring destination IP address for IPsec tunnel.

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#logical-intf isis 1
Switch:1(config-isis-1-192.0.2.25)#ipsec tunnel-dest-ip 192.0.2.30

Variable Definitions

The following table defines the variable for the ipsec tunnel-dest-ip command.

Variable     Value
{A.B.C.D}    Specifies destination IP address for the IPsec tunnel on a specific IS-IS logical interface.

             Note: When you configure the destination IP address for the IPsec tunnel, IKE protocol uses UDP port 500. However, if IPsec NAT-T is detected, IKE protocol uses UDP port 4500 instead.


Fabric Attach Configuration using the CLI


The following sections provide procedural information you can use to configure Fabric Attach (FA) and
Link Layer Discovery Protocol (LLDP) using the Command Line Interface (CLI). For information about
LLDP related to FA, see Link Layer Discovery Protocol configuration using CLI on page 2202.

Configure Fabric Attach Globally


For proper operation, FA must be enabled at both the global level and at the interface level on the FA
Server. By default, FA is globally enabled. However, FA is disabled by default at the interface level and
must be explicitly enabled on each interface.

Use this procedure to enable Fabric Attach globally on a switch.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable FA:
fa enable
3. (Optional) Disable FA:
no fa enable

Caution
Disabling FA flushes all FA element discovery and mappings.

4. View the FA configuration status. Use one of the following commands:


• show fa
• show fa agent

Example
Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#fa enable

Switch:1>show fa

================================================================================
Fabric Attach Configuration
================================================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 240
FA Discovery Timeout : 240
FA Provision Mode : spbm
Switch:1>show fa agent

================================================================================
Fabric Attach Configuration
================================================================================
FA Service : enabled
FA Element Type : server

FA Assignment Timeout : 240


FA Discovery Timeout : 240
FA Provision Mode : spbm

Configuring Fabric Attach discovery timeout


Use this procedure to configure the Fabric Attach discovery time-out.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the FA discovery time-out in seconds:
fa discovery-timeout <45–480>

Note
The discovery time-out must be greater than or equal to the assignment time-out.

3. (Optional) Configure the default FA discovery time-out:


default fa discovery-timeout

Example

Configure the FA discovery time-out.


Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#fa discovery-timeout 50

Verify the configuration.


Switch:1(config)#show fa

=======================================================================
Fabric Attach Configuration
=======================================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 45
FA Discovery Timeout : 50
FA Provision Mode : spbm

Variable definitions

The following table defines parameters for the fa discovery-timeout command.

Variable     Value
<45–480>     Specifies the Fabric Attach discovery time-out in seconds. The default value is 240 seconds.

Configuring Fabric Attach assignment timeout


Use this procedure to configure the Fabric Attach assignment time-out.


Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the FA assignment time-out in seconds:
fa assignment-timeout <45–480>

Note
The assignment time-out must be less than or equal to the discovery time-out.

3. (Optional) Configure the default FA assignment time-out value:


default fa assignment-timeout

Example

Configure the FA assignment time-out:


Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#fa assignment-timeout 50

Verify the configuration:


Switch:1(config)#show fa

======================================================================
Fabric Attach Configuration
======================================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 50
FA Discovery Timeout : 240
FA Provision Mode : spbm

Variable definitions

The following table defines parameters for the fa assignment-timeout command.

Variable     Value
<45–480>     Specifies the Fabric Attach assignment time-out in seconds. The default value is 240 seconds.
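
The notes in the discovery and assignment time-out procedures constrain each other, so the order of the two commands matters when both timers change. The following Python script is an added example, not part of the VOSS documentation: it assumes the switch requires assignment <= discovery after each individual command, the show fa text is constructed, and the function names are hypothetical.

```python
import re

FA_MIN, FA_MAX = 45, 480  # range documented for both timers on this page

# Constructed "show fa" output in the layout shown in this section.
SAMPLE_SHOW_FA = """\
================================================================================
                         Fabric Attach Configuration
================================================================================
            FA Service : enabled
       FA Element Type : server
 FA Assignment Timeout : 240
  FA Discovery Timeout : 240
     FA Provision Mode : spbm
"""


def parse_show_fa(text):
    """Return the "key : value" pairs of show fa output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(FA [A-Za-z ]+?)\s*:\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def plan_fa_timeouts(show_fa_text, assignment, discovery):
    """Return CLI commands ordered so that assignment <= discovery holds after every step."""
    for name, value in (("assignment", assignment), ("discovery", discovery)):
        if not FA_MIN <= value <= FA_MAX:
            raise ValueError(f"{name} time-out {value} outside {FA_MIN}-{FA_MAX}")
    if assignment > discovery:
        raise ValueError("assignment time-out must be <= discovery time-out")

    current = parse_show_fa(show_fa_text)
    cur_assign = int(current["FA Assignment Timeout"])
    cur_disc = int(current["FA Discovery Timeout"])
    set_assign = (f"fa assignment-timeout {assignment}", assignment != cur_assign)
    set_disc = (f"fa discovery-timeout {discovery}", discovery != cur_disc)

    if discovery >= cur_assign:
        # The new discovery value is not below the current assignment value,
        # so it can be applied first; the new assignment value then fits under it.
        steps = [set_disc, set_assign]
    else:
        # The new discovery value is below the current assignment value:
        # lower the assignment time-out first, then the discovery time-out.
        steps = [set_assign, set_disc]
    return [command for command, changed in steps if changed]


if __name__ == "__main__":
    # From the defaults (240/240) to the values shown in the discovery example.
    for command in plan_fa_timeouts(SAMPLE_SHOW_FA, assignment=45, discovery=50):
        print(command)
```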

Enabling Fabric Attach on an interface


Use this procedure to enable Fabric Attach on an interface (port, static MLT or LACP MLT). Enabling FA
on an MLT enables FA on all ports of the MLT. If your platform supports channelization, FA can also be
enabled on channelized ports.

Before You Begin

Verify that FA is enabled globally on the switch.


About This Task

Enabling FA on a port or MLT is necessary for element discovery.

On the FA Server, FA is enabled globally by default. However, you must explicitly enable FA on the
desired port or MLT interface. FA is successfully enabled on an MLT only if all ports of the MLT have FA
successfully enabled. Enabling FA automatically configures LLDP on all ports. Tagging is configured and
spanning tree is disabled.

Procedure
1. Enter Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface mlt <1-512>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable FA on the interface:


fa enable
3. (Optional) Disable FA on the interface:
no fa enable

Caution
Disabling FA flushes all FA element discovery and I-SID-to-VLAN mappings associated
with the interface.

4. View the FA configuration status:


show fa interface [disabled-auth] [enabled-auth] [mlt <1–512>] [port <{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}>]

Example

Enable FA on a port:
Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitethernet 1/2
Switch:1(config-if)#fa enable
Switch:1(config-if)#exit
Switch:1(config)#

Enable FA on an MLT:
Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface mlt 10
Switch:1(config-mlt)#fa enable
Switch:1(config-mlt)#exit
Switch:1(config)#

Verify that FA is enabled on the interfaces.

Note
When FA is enabled, message authentication is enabled by default. The authentication key is
set to the default value and displays encrypted on the output.

Switch:1>show fa interface

=====================================================================
Fabric Attach Interfaces
=====================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
---------------------------------------------------------------------
Port2/10 enabled 0 0 enabled ****
Port4/6 enabled 0 0 enabled ****
Port4/11 enabled 0 0 enabled ****
Mlt2 enabled 0 0 enabled ****

---------------------------------------------------------------------
4 out of 4 Total Num of fabric attach interfaces displayed
---------------------------------------------------------------------

For example, disable FA on port 1/1 and Mlt1.


Switch:1(config)#interface gigabitethernet 1/1
Switch:1(config-if)#no fa enable
Switch:1(config-if)#exit
Switch:1(config)#interface mlt 1
Switch:1(config-mlt)#no fa enable
Switch:1(config-mlt)#exit

Verify that FA is disabled on port 1/1 and Mlt1.


Switch:1(config)#show fa interface

===================================================================
Fabric Attach Interfaces
===================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
-------------------------------------------------------------------
Port1/1 disabled 0 0 enabled ****
Port1/2 enabled 0 0 enabled ****
Mlt1 disabled 0 0 enabled ****
Mlt10 enabled 0 0 enabled ****
-------------------------------------------------------------------
4 out of 4 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------

View the FA interfaces that have authentication enabled:


Switch:1(config)#show fa interface enabled-auth

======================================================================
Fabric Attach Interfaces
======================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
----------------------------------------------------------------------
Port1/2 enabled 0 0 enabled ****
Mlt10 enabled 0 0 enabled ****
----------------------------------------------------------------------
2 out of 2 Total Num of fabric attach interfaces displayed
----------------------------------------------------------------------

Optionally, disable FA message authentication on 1/1 and Mlt1.


Switch:1(config)#interface gigabitethernet 1/1
Switch:1(config-if)#no fa message-authentication
Switch:1(config-if)#exit
Switch:1(config)#interface mlt 1
Switch:1(config-mlt)#no fa message-authentication
Switch:1(config-mlt)#exit

Verify that both FA and FA message authentication are disabled on 1/1 and Mlt1, as indicated by the
SERVER STATUS and MSG AUTH STATUS fields respectively.
Switch:1(config)#show fa interface

===================================================================
Fabric Attach Interfaces
===================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
-------------------------------------------------------------------
Port1/1 disabled 0 0 disabled ****
Port1/2 enabled 0 0 enabled ****
Mlt1 disabled 0 0 disabled ****
Mlt10 enabled 0 0 enabled ****
-------------------------------------------------------------------
4 out of 4 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------

View the FA interfaces that have authentication disabled:


Switch:1(config)#show fa interface disabled-auth

=======================================================================
Fabric Attach Interfaces
=======================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
-----------------------------------------------------------------------
Port1/1 disabled 0 0 disabled ****
Mlt1 disabled 0 0 disabled ****
-----------------------------------------------------------------------
2 out of 2 Total Num of fabric attach interfaces displayed
-----------------------------------------------------------------------


Variable definitions

The following table defines parameters for the show fa interface command.

Variable    Value
disabled-auth    Displays the FA interfaces (port or MLT) that have authentication disabled.
enabled-auth    Displays the FA interfaces (port or MLT) that have authentication enabled.
<1–512>    The valid range for MLT ID. Displays FA configuration on the specified MLT interface.
port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port. Displays FA configuration on the specified port.
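
The following script is an added example, not part of the original guide or of any Extreme Networks tooling. It audits a saved capture of show fa interface for interfaces where FA is enabled while message authentication is disabled, and reports whether the capture was filtered. The sample capture, the function names and the result keys are assumptions of this example.

```python
"""Audit 'show fa interface' output: FA enabled but message authentication off."""
import re
from dataclasses import dataclass

# Constructed capture in the layout of the outputs above; Port1/3 is made up.
SAMPLE = """\
Switch:1(config)#show fa interface

===================================================================
                     Fabric Attach Interfaces
===================================================================
INTERFACE  SERVER    MGMT  MGMT  MSG AUTH  MSG AUTH  ORIGIN
           STATUS    ISID  CVID  STATUS    KEY
-------------------------------------------------------------------
Port1/1    disabled  0     0     disabled  ****
Port1/2    enabled   0     0     enabled   ****
Port1/3    enabled   0     0     disabled  ****
Mlt1       disabled  0     0     disabled  ****
Mlt10      enabled   0     0     enabled   ****
-------------------------------------------------------------------
5 out of 5 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------
"""

# One table row: interface, server status, mgmt I-SID, mgmt C-VID,
# message-auth status, masked key, optional origin.
ROW = re.compile(
    r"^(?P<name>(?:Port|Mlt)\S+)\s+(?P<fa>enabled|disabled)\s+(?P<isid>\d+)\s+"
    r"(?P<cvid>\d+)\s+(?P<auth>enabled|disabled)\s+(?P<key>\S+)(?:\s+(?P<origin>\S+))?$",
    re.IGNORECASE,
)
FOOTER = re.compile(r"^(?P<shown>\d+) out of (?P<total>\d+) Total Num of fabric attach")


@dataclass(frozen=True)
class FaInterface:
    name: str
    fa_enabled: bool
    auth_enabled: bool


def parse_fa_interfaces(text):
    """Return (rows, shown, total); raise ValueError on a truncated capture."""
    rows, shown, total = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        row = ROW.match(line)
        if row:
            rows.append(FaInterface(row["name"],
                                    row["fa"].lower() == "enabled",
                                    row["auth"].lower() == "enabled"))
            continue
        footer = FOOTER.match(line)
        if footer:
            shown, total = int(footer["shown"]), int(footer["total"])
    if shown is None:
        raise ValueError("no footer line: capture is truncated or from another command")
    if shown != len(rows):
        raise ValueError(f"parsed {len(rows)} rows, switch reported {shown}")
    return rows, shown, total


def audit(text):
    """Classify the interfaces in one capture."""
    rows, shown, total = parse_fa_interfaces(text)
    return {
        # FA is running on the interface but message authentication is off.
        "unauthenticated": [r.name for r in rows if r.fa_enabled and not r.auth_enabled],
        # Authentication is off, but FA is not running on the interface either.
        "inactive": [r.name for r in rows if not r.fa_enabled and not r.auth_enabled],
        # False when a port, mlt or auth filter hid interfaces ("1 out of 4 ...").
        "complete": shown == total,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

The MSG AUTH KEY column is masked in every row, so this output cannot show whether an interface still uses the default key.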

Configuring FA message authentication on an interface


Use this procedure to configure FA message authentication on an interface (port or MLT).

Procedure

1. Enter Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface mlt <1-512>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure FA message authentication on a port or MLT:


[default] [no] fa message-authentication

Note
When FA is enabled, message authentication is enabled by default. The authentication key
is set to the default value and displays encrypted on the output.

Example
Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#


Enable message authentication on a port.


Switch:1(config)#interface gigabitEthernet 1/2

Switch:1(config-if)#fa message-authentication
Switch:1(config-if)#show fa interface port 1/2

==================================================================
Fabric Attach Interfaces
==================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
------------------------------------------------------------------
Port1/2 enabled 0 0 enabled ****

------------------------------------------------------------------
1 out of 1 Total Num of fabric attach interfaces displayed
------------------------------------------------------------------
Switch:1(config-if)#exit
Switch:1(config)#

Enable message authentication on an MLT.


Switch:1(config)#interface mlt 10
Switch:1(config-mlt)#fa message-authentication
Switch:1(config-mlt)#show fa interface mlt 10

===================================================================
Fabric Attach Interfaces
===================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
-------------------------------------------------------------------
Mlt10 enabled 0 0 enabled ****

-------------------------------------------------------------------
1 out of 1 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------
Switch:1(config-mlt)#exit
Switch:1(config)#

The following example demonstrates disabling message authentication on a port or MLT.


Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#no fa message-authentication
Switch:1(config-if)#exit
Switch:1(config)#
Switch:1(config)#interface mlt 10
Switch:1(config-mlt)#no fa message-authentication

Switch:1(config-mlt)#show fa interface

===================================================================
Fabric Attach Interfaces
===================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
-------------------------------------------------------------------
Port1/2 enabled 0 0 disabled ****
Mlt10 enabled 0 0 disabled ****
-------------------------------------------------------------------
2 out of 2 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------


Configuring the FA authentication key on an interface


On the FA Server, you can configure an authentication key on an interface (port, static MLT or LACP
MLT), to authenticate a client or proxy device on that interface. The authentication key is stored in
encrypted form when you save configuration on the FA Server.

Before You Begin

Ensure that:
• On the FA Server, FA is enabled globally and also on the interface.
• FA message authentication is enabled on the interface.

Note
By default, enabling FA enables message authentication. The authentication key is set to
the default value and the system displays the encrypted authentication key on the output.

About This Task

Use this procedure to configure an FA authentication key on a specified port or on all ports of an MLT
on the switch. If you do not configure an authentication key, the default value is used. If you specify a
key, it overrides the default value and, when you execute the save config command, is stored in
encrypted format in a file separate from the configuration file.

Caution
For an FA Client or an FA Proxy device to successfully authenticate and attach to the
FA Server, the authentication key must match on both the client and the server. If the
authentication key is changed on the FA Server switch, it must correspondingly be changed
on the FA Client or Proxy attached to it, for FA to operate properly.

Procedure

1. Enter Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface mlt <1-512>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the FA authentication key:


fa authentication-key WORD<0-32>
3. (Optional) Configure the default FA authentication key:
default fa authentication-key


Example
Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Enable FA and message authentication on a port. Configure the authentication key phone-network
on the port.
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#fa enable
Switch:1(config-if)#fa message-authentication
Switch:1(config-if)#fa authentication-key phone-network
Switch:1(config-if)#exit
Switch:1(config)#

Enable FA and message authentication on an MLT. Configure the authentication key client-network
on the MLT.
Switch:1(config)#interface mlt 10
Switch:1(config-mlt)#fa enable
Switch:1(config-mlt)#fa message-authentication
Switch:1(config-mlt)#fa authentication-key client-network

Verify configuration of the FA authentication key. The system displays the encrypted authentication key
on the output.
Switch:1(config-mlt)#show fa interface

===================================================================
Fabric Attach Interfaces
===================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
-------------------------------------------------------------------
Port1/2 enabled 0 0 enabled ****
MLT10 enabled 0 0 enabled ****

-------------------------------------------------------------------
2 out of 2 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the fa authentication-key command.

Variable Value
WORD<0–32> Specifies the authentication key on the port or MLT.

Configure FA Management on a Port or MLT


Use this procedure to configure a management I-SID on a Fabric Attach (FA)-enabled port or MLT.

To configure an FA management I-SID for Auto-sense-enabled ports, see Configure a Management
I-SID for Auto-sense Fabric Attach Proxy Switches on page 32.

Before You Begin

Ensure that the port or MLT is enabled for FA.


About This Task

This command applies to all traffic sent or received on a port or MLT, carrying the VLAN ID specified
using the c-vid parameter. This parameter is optional.

Depending on whether the c-vid parameter is specified or not, the behavior is as follows:
• If you specify the c-vid parameter, the FA Server transmits this VLAN ID as the management
VLAN in the FA Element TLV. A client or proxy receiving this TLV uses this VLAN-ID for management
traffic on the FA Server uplink.
• If you do not specify the c-vid parameter, the FA Server transmits a management VLAN with a
VLAN ID value of 4095 in the FA Element TLV. A client or proxy receiving this TLV uses untagged
traffic for network management on the FA Server uplink.

An FA management I-SID can have a platform VLAN associated with it. For Layer 3 support on the
management I-SID, you must create a platform VLAN by port and associate the platform VLAN with the
management I-SID. The C-VID can be of the same value or of a different value than that of the platform
VLAN.

If the management I-SID matches one of the FA Switched UNI (ELAN) I-SIDs (as displayed by the
command show i-sid elan), then the platform VLAN is automatically associated with the FA-
enabled interface (port or MLT).

Procedure

1. Enter Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface mlt <1-512>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the FA management I-SID:


fa management i-sid <i-sid> [c-vid <c-vid>]

Important
If you do not specify a C-VID value, the port or MLT is untagged.

3. Verify configuration of FA management on the port or MLT, using the following commands:
• show i-sid <i-sid>
• show interfaces gigabitEthernet i-sid [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
• show mlt i-sid [<1–512>]


Examples

Configure FA management on port 1/2:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitethernet 1/2
Switch:1(config-if)#fa management i-sid 101 c-vid 101
Switch:1(config-if)#show i-sid 101
========================================================================================
Isid Info
========================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
----------------------------------------------------------------------------------------
101 ELAN 3 - - CONFIG EXTRSERVER_101

The following example demonstrates the Origin as "auto-sense".


Switch:1(config-if)#show i-sid 500
========================================================================================
Isid Info
========================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
----------------------------------------------------------------------------------------
101 ELAN - c300:1/45 - AUTO-SENSE ISID_500
Switch:1(config-if)#show interfaces gigabitEthernet i-sid
==================================================================================
PORT Isid Info
==================================================================================
ISID ISID ISID MAC
PORTNUM IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU SUNI
----------------------------------------------------------------------------------
1/2 193 101 3 101 ELAN MANAGEMENT EXTRSERVER_101
----------------------------------------------------------------------------------

1 out of 1 Total Num of i-sid endpoints displayed

Configure FA management on MLT 10.


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface mlt 10
Switch:1(config-mlt)#fa management i-sid 101

Verify configuration of FA management on the MLT. Because the C-VID is not specified, the MLT
displays as untagged.
Switch:1(config-mlt)#show i-sid 101
========================================================================================
Isid Info
========================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
----------------------------------------------------------------------------------------
101 ELAN 3 - u:10 CONFIG EXTRSERVER_101


In the following example, for Layer 3 support, create a platform VLAN 3 and associate it with the
management I-SID 101.
Switch:1(config-if)#vlan create 3 type port-mstprstp 0
Switch:1(config-if)#vlan i-sid 3 101
Switch:1(config)#show i-sid
====================================================================================================
Isid Info
====================================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
----------------------------------------------------------------------------------------------------
15999999 ELAN 4048 - - C --- - --- - - Onboarding I-SID
16777001 ELAN N/A - - C --- - --- - - FAN-ISID

c: customer vid u: untagged-traffic

All 2 out of 2 Total Num of i-sids displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense; R: multi-area redist
l: discover by local switch r: discover by remote VIST switch
Switch:1(config-if)#show vlan i-sid

====================================================================
Vlan I-SID
====================================================================
VLAN_ID I-SID I-SID NAME
--------------------------------------------------------------------
1
2
3 101 EXTRSERVER_101
33
999

Because the management I-SID matches one of the FA Switched UNI (ELAN) I-SIDs, the platform VLAN
is automatically associated with the FA-enabled port 1/2.
Switch:1(config-if)#show interfaces gigabitEthernet i-sid
==================================================================================
PORT Isid Info
==================================================================================
ISID ISID ISID MAC
PORTNUM IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU SUNI
----------------------------------------------------------------------------------
1/2 193 101 3 101 ELAN MANAGEMENT EXTRSERVER_101
----------------------------------------------------------------------------------

1 out of 1 Total Num of i-sid endpoints displayed


Variable Definitions

The following table defines parameters for the fa management command.

Variable Value
i-sid <i-sid> Specifies the management I-SID. Different hardware
platforms support different customer I-SID ranges. To see
the available range for the switch, use the CLI Help.
<c-vid> Specifies the customer VLAN ID. Different hardware
platforms support different customer VLAN ID ranges. Use
the CLI Help to see the available range for the switch.

Important:
If you do not specify a C-VID value, the port or MLT is
untagged.

View Fabric Attach Global Configuration Status


Use this procedure to display the Fabric Attach global configuration status on a switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the FA configuration status using one of the following commands:
• show fa
• show fa agent

Example

Sample output for the show fa command:


Switch:1>show fa

================================================================================
Fabric Attach Configuration
================================================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 240
FA Discovery Timeout : 240
FA Provision Mode : spbm

Sample output for the show fa agent command:


Switch:1>show fa agent

================================================================================
Fabric Attach Configuration
================================================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 240
FA Discovery Timeout : 240
FA Provision Mode : spbm


Viewing Fabric Attach interface configuration


Use this procedure to view FA interface configuration.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. View all FA interfaces (ports and MLTs):
show fa interface
3. To view FA interface configuration on ports, use one of the following commands:
• View FA configuration on all ports:

show fa interface port


• View FA configuration on a specific port:

show fa interface port [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
4. To view FA interface configuration on MLTs, use one of the following commands:
• View FA configuration on all MLTs:

show fa interface mlt


• View FA configuration on a specific MLT:

show fa interface mlt [<1-512>]

Example

The following example displays sample outputs for the show fa interface command.
Switch:1>show fa interface

=====================================================================
Fabric Attach Interfaces
=====================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
---------------------------------------------------------------------
Port2/10 enabled 0 0 enabled ****
Port4/6 enabled 0 0 enabled ****
Port4/11 enabled 0 0 enabled ****
Mlt2 enabled 0 0 enabled ****

---------------------------------------------------------------------
4 out of 4 Total Num of fabric attach interfaces displayed
---------------------------------------------------------------------

The following is a sample output for the show fa interface command for the port 2/10.
Switch:1>show fa interface port 2/10

==================================================================
Fabric Attach Interfaces
==================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
------------------------------------------------------------------
Port2/10 enabled 0 0 enabled ****

------------------------------------------------------------------
1 out of 4 Total Num of fabric attach interfaces displayed
------------------------------------------------------------------

The following is a sample output for the show fa interface command for the MLT 2.
Switch:1>show fa interface mlt 2

===================================================================
Fabric Attach Interfaces
===================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
-------------------------------------------------------------------
Mlt2 enabled 0 0 enabled ****

-------------------------------------------------------------------
1 out of 4 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------

Variable definitions

The following table defines parameters for the show fa interface port command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

The following table defines parameters for the show fa interface mlt command.

Variable Value
<1–512> The valid range for MLT ID.

Viewing Fabric Attach Discovered Elements


Use this procedure to view Fabric Attach discovered elements.

About This Task

When FA is enabled on an FA Server switch, LLDP PDUs are exchanged between the FA Server and FA
Clients or FA Proxies. Standard LLDP allows neighbors to be learned. With the help of
organizational-specific element discovery TLVs, the client or proxy recognizes that it has attached to
the FA Server. An FA Client or FA Proxy can transmit I-SID-to-VLAN assignments to join the SPB Fabric
network through the FA Server only after the discovery handshake is complete.

Procedure

1. Enter Privileged EXEC mode:


enable


2. Display FA discovered elements:


show fa elements
3. Display FA discovered elements on a specific port:
show fa elements [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Example

The following example displays the sample output for the show fa elements command.
Switch:1#show fa elements

================================================================================
Fabric Attach Discovery Elements
================================================================================
MGMT ELEM ASGN
PORT TYPE VLAN STATE SYSTEM ID AUTH AUTH
--------------------------------------------------------------------------------
1/5 proxy 710 T / S 50:61:84:ee:8c:00:20:00:00:01 AP AP
1/6 proxy 710 T / S 50:61:84:ee:8c:00:20:00:00:01 AP AP

================================================================================
Fabric Attach Authentication Detail
================================================================================
ELEM OPER ASGN OPER
PORT AUTH STATUS AUTH STATUS
--------------------------------------------------------------------------------
1/5 successAuth successAuth
1/6 successAuth successAuth

State Legend: (Tagging/AutoConfig)
T= Tagged, U= Untagged, D= Disabled, S= Spbm, V= Vlan, I= Invalid

Auth Legend:
AP= Authentication Pass, AF= Authentication Fail,
NA= Not Authenticated, N= None

--------------------------------------------------------------------------------

2 out of 2 Total Num of fabric attach discovery elements displayed

Variable definitions

The following table defines parameters for the show fa elements command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

Viewing Fabric Attach I-SID-to-VLAN Assignments


Use this procedure to display the I-SID-to-VLAN assignments advertised by an FA Client or an FA Proxy,
to be supported on the FA Server. These assignments can be accepted or rejected by the FA Server. An
assignment that is successfully accepted by the FA Server results in the creation of a Switched UNI I-SID
on the interface.

Before You Begin

Verify that IS-IS and SPBM are properly configured on the FA Server switch.
• Verify SPBM configuration using the command show running-config module spbm.
• Verify IS-IS configuration using one of the following commands:
◦ show isis
◦ show isis interface
◦ show isis adjacency
◦ show isis lsdb

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display FA I-SID-to-VLAN assignments:
show fa assignment
3. Display FA I-SID-to-VLAN assignments on specific ports:
show fa assignment [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Example

The following example displays a sample output for the show fa assignment command.

Note
The state of I-SID-to-VLAN assignments on a client or proxy device is pending until it is
changed by the FA Server to active or reject.

Switch:1>en
Switch:1#show fa assignment
=======================================================================
Fabric Attach Assignment Map
=======================================================================
Interface I-SID Vlan State Origin
-----------------------------------------------------------------------
1/1 2 2 active proxy
1/2 3 3 active proxy
1/2 4 4 active proxy
1/3 5 5 reject proxy
-----------------------------------------------------------------------

4 out of 4 Total Num of fabric attach assignment mappings displayed

-----------------------------------------------------------------------


Variable definitions

The following table defines parameters for the show fa assignment command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}    Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
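
The following script is an added example, not part of the original guide or of any Extreme Networks tooling. It correlates saved captures of show fa elements and show fa assignment per port, so that authentication results and rejected or unexpected assignments can be reviewed together. The sample captures, the finding names and the policy that only AP counts as authenticated are assumptions of this example.

```python
"""Correlate 'show fa elements' with 'show fa assignment' per port."""
import re
from collections import defaultdict

# Constructed captures in the layout of the outputs above. Only the 1/5 element
# row is taken from the guide; the other ports and system IDs are made up.
ELEMENTS = """\
Switch:1#show fa elements
================================================================================
                        Fabric Attach Discovery Elements
================================================================================
                MGMT                                        ELEM  ASGN
PORT   TYPE     VLAN  STATE  SYSTEM ID                      AUTH  AUTH
--------------------------------------------------------------------------------
1/5    proxy    710   T / S  50:61:84:ee:8c:00:20:00:00:01  AP    AP
1/7    proxy    710   T / S  02:00:00:00:00:07:20:00:00:01  AF    NA
1/8    proxy    710   T / S  02:00:00:00:00:08:20:00:00:01  N     N
"""
ASSIGNMENTS = """\
Switch:1#show fa assignment
=======================================================================
                     Fabric Attach Assignment Map
=======================================================================
Interface  I-SID  Vlan  State   Origin
-----------------------------------------------------------------------
1/5        2      2     active  proxy
1/5        3      3     reject  proxy
1/7        4      4     reject  proxy
1/8        5      5     active  proxy
1/9        6      6     active  proxy
"""

PORT = r"^(?P<port>\d+/\d+(?:/\d+)?)\s+"  # slot/port or slot/port/sub-port
# Element row: type, mgmt VLAN, "tagging / autoconfig" state, 10-octet system ID,
# then the two Auth Legend codes (AP, AF, NA, N).
ELEM_ROW = re.compile(
    PORT + r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+\S\s*/\s*\S\s+"
    r"(?P<sysid>(?:[0-9a-fA-F]{2}:){9}[0-9a-fA-F]{2})\s+"
    r"(?P<elem>AP|AF|NA|N)\s+(?P<asgn>AP|AF|NA|N)$")
ASGN_ROW = re.compile(
    PORT + r"(?P<isid>\d+)\s+(?P<vlan>\d+)\s+(?P<state>active|reject|pending)\s+\S+$")


def parse_elements(text):
    """Map port -> (element auth, assignment auth)."""
    rows = (ELEM_ROW.match(line.strip()) for line in text.splitlines())
    return {m["port"]: (m["elem"], m["asgn"]) for m in rows if m}


def parse_assignments(text):
    """List (port, I-SID, VLAN, state) tuples in capture order."""
    rows = (ASGN_ROW.match(line.strip()) for line in text.splitlines())
    return [(m["port"], int(m["isid"]), int(m["vlan"]), m["state"]) for m in rows if m]


def triage(elements_text, assignments_text):
    """Return {port: [(finding, detail), ...]} for ports that need a look."""
    elems = parse_elements(elements_text)
    findings = defaultdict(list)
    for port, (elem_auth, asgn_auth) in elems.items():
        # Assumption of this example: anything other than AP is worth reviewing.
        if elem_auth != "AP":
            findings[port].append(("elem-auth", elem_auth))
        if asgn_auth != "AP":
            findings[port].append(("asgn-auth", asgn_auth))
    for port, isid, vlan, state in parse_assignments(assignments_text):
        if port not in elems:
            # Assignments follow discovery, so the two captures disagree here.
            findings[port].append(("no-element", (isid, vlan)))
        elif state == "reject":
            findings[port].append(("rejected", (isid, vlan)))
        elif state == "active" and elems[port] != ("AP", "AP"):
            findings[port].append(("active-without-auth-pass", (isid, vlan)))
    return dict(findings)


if __name__ == "__main__":
    for port, items in sorted(triage(ELEMENTS, ASSIGNMENTS).items()):
        print(port, items)
```

Take both captures close together in time: an element that expires between the two commands shows up as a no-element finding.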

Viewing Fabric Attach Statistics


If FA discovery fails, use this procedure to display FA statistics to determine if FA discovery TLVs were
processed. You can also view the FA assignment statistics to determine the number of FA assignments
that were accepted or rejected by the FA Server.

You can view the statistics at either the global level or at the port (interface) level.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View global level FA statistics:
show fa statistics [summary]
3. View FA statistics at the slot/port level:
show fa statistics [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Note
If a slot is removed from the switch chassis, the FA statistics are not displayed on the slot
ports. When the slot is inserted back again, the statistics counters are reset.

4. (Optional) Clear FA statistics:
clear fa statistics [summary] [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Examples

Viewing FA discovery and assignment statistics:


Switch:1>en
Switch:1#show fa statistics

==========================================================================
Fabric Attach STATISTICS
==========================================================================
Port DiscElem DiscElem DiscElem DiscAuth
Received Expired Deleted Failed
--------------------------------------------------------------------------
1/1 3057 0 1 0
1/2 2000 0 1 0

===========================================================================


Fabric Attach ASSIGNMENTS STATISTICS


===========================================================================
Port Asgn Asgn Asgn Asgn Asgn AsgnAuth
Received Accepted Rejected Expired Deleted Failed
---------------------------------------------------------------------------
1/1 3149 3 1 3 0 0
1/2 1500 0 1 2 0 0

View a summary of the FA discovery and assignment statistics:


Switch:1#show fa statistics summary

==========================================================================
Fabric Attach STATISTICS SUMMARY
==========================================================================
Port DiscElem DiscElem DiscElem DiscAuth
Received Expired Deleted Failed
--------------------------------------------------------------------------
1/1 3057 0 1 0
1/2 2000 0 1 0

===========================================================================
Fabric Attach ASSIGNMENTS STATISTICS SUMMARY
===========================================================================
Port Asgn Asgn Asgn Asgn Asgn AsgnAuth
Received Accepted Rejected Expired Deleted Failed
---------------------------------------------------------------------------
1/1 3149 3 1 3 0 0
1/2 1500 0 1 2 0 0

Viewing FA statistics on a specific port (port 1/1):


Switch:1>en
Switch:1#show fa statistics 1/1

==========================================================================
Fabric Attach STATISTICS
==========================================================================
Port DiscElem DiscElem DiscElem DiscAuth
Received Expired Deleted Failed
--------------------------------------------------------------------------
1/1 3057 0 1 0

==========================================================================
Fabric Attach ASSIGNMENTS STATISTICS
==========================================================================
Port Asgn Asgn Asgn Asgn Asgn AsgnAuth
Received Accepted Rejected Expired Deleted Failed
--------------------------------------------------------------------------
1/1 3149 3 1 3 0 0

Optionally, clear FA statistics and verify that the statistics are cleared.
Switch:1#clear fa statistics
Switch:1#show fa statistics

==========================================================================
Fabric Attach STATISTICS
==========================================================================
Port DiscElem DiscElem DiscElem DiscAuth
Received Expired Deleted Failed


--------------------------------------------------------------------------
1/1 0 0 0 0
1/2 0 0 0 0

==========================================================================
Fabric Attach ASSIGNMENTS STATISTICS
==========================================================================
Port Asgn Asgn Asgn Asgn Asgn AsgnAuth
Received Accepted Rejected Expired Deleted Failed
--------------------------------------------------------------------------
1/1 0 0 0 0 0 0
1/2 0 0 0 0 0 0

Variable Definitions

The following table defines parameters for the show fa statistics command.

Variable Value
summary Displays a summary of Fabric Attach element discovery and assignment statistics at the global level.
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
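
The statistics check described in this section can be scripted. The following Python parser is an added example, not part of the Extreme Networks guide: it reads captured show fa statistics output and flags ports with no discovery TLVs received, rejected assignments, or non-zero DiscAuth Failed and AsgnAuth Failed counters. The sample capture is constructed in the layout shown above, and the finding names and the reading of the two Failed columns as authentication-failure counters are assumptions.

```python
import re

# Column order taken from the two tables in the guide's sample output.
DISC_FIELDS = ("received", "expired", "deleted", "auth_failed")
ASGN_FIELDS = ("received", "accepted", "rejected", "expired", "deleted",
               "auth_failed")

# A data row is a port (slot/port or slot/port/sub-port) followed by counters.
ROW = re.compile(r"^\s*(\d+/\d+(?:/\d+)?)((?:\s+\d+)+)\s*$")

# Constructed sample capture (values for 1/3 and 1/4/1 are invented for the demo).
SAMPLE = """\
==========================================================================
Fabric Attach STATISTICS
==========================================================================
Port DiscElem DiscElem DiscElem DiscAuth
Received Expired Deleted Failed
--------------------------------------------------------------------------
1/1 3057 0 1 0
1/2 2000 0 1 0
1/3 0 0 0 0
1/4/1 120 0 0 7
===========================================================================
Fabric Attach ASSIGNMENTS STATISTICS
===========================================================================
Port Asgn Asgn Asgn Asgn Asgn AsgnAuth
Received Accepted Rejected Expired Deleted Failed
---------------------------------------------------------------------------
1/1 3149 3 1 3 0 0
1/2 1500 0 1 2 0 0
1/3 0 0 0 0 0 0
1/4/1 40 0 0 0 0 40
"""


def port_key(port):
    """Sort key so that 1/10 sorts after 1/2 and sub-ports sort numerically."""
    return tuple(int(part) for part in port.split("/"))


def parse_fa_statistics(text):
    """Return {port: {"disc": {...}, "asgn": {...}}} from captured CLI output.

    The table a row belongs to is decided by its counter count (4 = discovery,
    6 = assignment), so banner or page-break lines between rows are harmless.
    """
    stats = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        port = match.group(1)
        counters = [int(value) for value in match.group(2).split()]
        if len(counters) == len(DISC_FIELDS):
            kind, names = "disc", DISC_FIELDS
        elif len(counters) == len(ASGN_FIELDS):
            kind, names = "asgn", ASGN_FIELDS
        else:
            continue  # unknown table layout, ignore rather than guess
        stats.setdefault(port, {})[kind] = dict(zip(names, counters))
    return stats


def review_fa_statistics(stats):
    """Return a list of (port, finding, counter_value) tuples worth a look."""
    findings = []
    for port in sorted(stats, key=port_key):
        disc = stats[port].get("disc")
        asgn = stats[port].get("asgn")
        if disc is not None:
            if disc["received"] == 0:
                findings.append((port, "no-discovery-tlvs", 0))
            if disc["auth_failed"] > 0:
                findings.append((port, "discovery-auth-failed",
                                 disc["auth_failed"]))
        if asgn is not None:
            if asgn["auth_failed"] > 0:
                findings.append((port, "assignment-auth-failed",
                                 asgn["auth_failed"]))
            if asgn["rejected"] > 0:
                findings.append((port, "assignments-rejected",
                                 asgn["rejected"]))
    return findings


if __name__ == "__main__":
    for port, finding, value in review_fa_statistics(parse_fa_statistics(SAMPLE)):
        print(f"{port:8} {finding:24} {value}")
```

The counters are cumulative until clear fa statistics is run or the slot is reinserted, so compare successive captures rather than absolute values.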

Display Learned LLDP Neighbors


Use this procedure to verify details of the LLDP neighbors learned.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Verify details of LLDP neighbors learned:
show lldp neighbor
3. Verify details of LLDP neighbors learned on a specific port:
show lldp neighbor port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

Example

The following example shows how two switches, an FA Server and an FA Proxy, discover each other as
LLDP neighbors.

Switch A, which is the FA Server, is a VSP 7200 Series switch (model 7254XSQ), and switch B, which is
the proxy device, is an ERS 4826GTS switch.

The following examples show neighbor discovery on non-channelized ports.

On the non-channelized port 1/1 on the FA Server, verify neighbor discovery of the proxy switch.
Switch:1>enable
Switch:1#show lldp neighbor


==========================================================================================
LLDP Neighbor
==========================================================================================

Port: 1/1 Index : 1


Time: 1 day(s), 04:03:52
ChassisId: MAC Address 70:30:18:5a:05:00
PortId : MAC Address 70:30:18:5a:05:07
SysName :
SysCap : Br / Br
PortDescr: Port 7
SysDescr : Ethernet Routing Switch 4826GTS HW:10 FW:5.8.0.1 SW:v6.9.2.027

------------------------------------------------------------------------------------------
Total Neighbors : 1
------------------------------------------------------------------------------------------
Capabilities Legend: (Supported/Enabled)
B= Bridge, D= DOCSIS, O= Other, R= Repeater,
S= Station, T= Telephone, W= WLAN, r= Router
Switch:1(config)#

On the proxy switch, verify discovery of the FA Server switch.


Switch:1>enable
Switch:1#show lldp neighbor
-------------------------------------------------------------------------------
LLDP neighbor
-------------------------------------------------------------------------------
Port: 7 Index: 71
Time: 12 days, 21:40:30
ChassisId: MAC address a4:25:1b:52:70:00
PortId: MAC address a4:25:1b:52:70:04
SysName: BEB1-7254XSQ
SysCap: rB / rB (Supported/Enabled)
PortDesc: Virtual Services Platform 7254XSQ - Gbic1000BaseT Port 1/1
SysDescr: VSP-7254XSQ (6.0.0.0_GA)
-------------------------------------------------------------------------------
Sys capability: O-Other; R-Repeater; B-Bridge; W-WLAN accesspoint; r-Router;
T-Telephone; D-DOCSIS cable device; S-Station only.
Total neighbors: 1

The following examples show neighbor discovery on channelized ports (if your platform supports
channelization).

On the channelized port 1/1/1 on the FA Server switch, verify discovery of the proxy switch.
Switch:1>enable
Switch:1#show lldp neighbor

==========================================================================================
LLDP Neighbor
==========================================================================================

Port: 1/1/1 Index : 1


Time: 1 day(s), 04:03:52
ChassisId: MAC Address 70:30:18:5a:05:00
PortId : MAC Address 70:30:18:5a:05:07
SysName :
SysCap : Br / Br
PortDescr: Port 7
SysDescr : FA Proxy 4826GTS HW:10 FW:5.8.0.1 SW:v5.9.2.027


------------------------------------------------------------------------------------------
Total Neighbors : 1
------------------------------------------------------------------------------------------
Capabilities Legend: (Supported/Enabled)
B= Bridge, D= DOCSIS, O= Other, R= Repeater,
S= Station, T= Telephone, W= WLAN, r= Router
Switch:1(config)#

Verify neighbor discovery on the proxy switch.


Switch:1>enable
Switch:1#show lldp neighbor
-------------------------------------------------------------------------------
LLDP neighbor
-------------------------------------------------------------------------------
Port: 7 Index: 71
Time: 12 days, 21:40:30
ChassisId: MAC address a4:25:1b:52:70:00
PortId: MAC address a4:25:1b:52:70:04
SysName: BEB1-7254XSQ
SysCap: rB / rB (Supported/Enabled)
PortDesc: Virtual Services Platform 7254XSQ - 40GbCR4-Channel Port 1/1/1
SysDescr: VSP-7254XSQ (6.0.0.0_GA)
-------------------------------------------------------------------------------
Sys capability: O-Other; R-Repeater; B-Bridge; W-WLAN accesspoint; r-Router;
T-Telephone; D-DOCSIS cable device; S-Station only.
Total neighbors: 1

Variable Definitions

The following table defines parameters for the show lldp neighbor command.

Variable Value
port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port. Displays LLDP neighbor information on the specified port.

Display Switched UNI (ELAN) I-SID Information


Use this procedure to display information on FA-created Switched UNI (ELAN) I-SIDs.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display all Switched UNI (ELAN) I-SIDs:
show i-sid elan


3. Display ELAN I-SID information on an MLT:


show mlt i-sid [<1–512>]

Note
Viewing ELAN I-SID information on an MLT is useful to understand the origin of the
I-SID when multiple client or proxy devices connecting to the FA Server using SMLT MLT
advertise the same I-SID-to-VLAN mappings. In the event of a link failure on an MLT, the
origin of the I-SID helps determine on which MLT, and thereby from which proxy or client
device, the mappings were successfully learnt.

4. Display ELAN I-SID information on ports:


show interfaces gigabitEthernet i-sid [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Examples

Display information on all Switched UNI (ELAN) I-SIDs.

The following sample output displays, for example, the I-SID information on one of the peer switches of
the FA Server, in a dual-homed SMLT configuration.
Switch:1>enable
Switch:1#show i-sid elan

==========================================================================================
Isid Info
==========================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
------------------------------------------------------------------------------------------
2002 ELAN N/A c2002:1/10 - - --- - -l- - EXTRSERVER_1
4000 ELAN N/A - c4000:1 - --- - --r - EXTRSERVER_12
4001 ELAN N/A - c4001:1 - --- - -l- - EXTRSERVER_101
4030 ELAN N/A - c4030:1 - --- - --r - EXTRSERVER_102
4051 ELAN N/A - c4051:1 - --- - -l- - EXTRSERVER_103
10200 ELAN N/A - c200:1 - --- - --r - EXTRSERVER_2

c: customer vid u: untagged-traffic

All 6 out of 6 Total Num of Elan i-sids displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

Note
The I-SID TYPE field displays once for each I-SID. The I-SID TYPE of an I-SID that is
either learned through FA mapping assignments or configured as an FA management I-SID,
is always ELAN. If a platform VLAN has the same I-SID value as that of the I-SID in an FA
mapping assignment or in an FA management I-SID configuration, then the platform VLAN is
associated with the I-SID endpoint and displays in the VLANID column.

Display MLT I-SID information for MLT 1.

In this sample output, the ORIGIN field indicates the origin of the I-SID endpoint.
Switch:1>show mlt i-sid
=====================================================================================
MLT Isid Info
=====================================================================================
ISID ISID ISID


MLTID IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU


-------------------------------------------------------------------------------------
3 6146 3 N/A 33 ELAN C --- - --- - ISID-3
-------------------------------------------------------------------------------------
1 out of 1 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

Display I-SID information on the port 1/10:

In this sample output, the ORIGIN field indicates the origin of the I-SID endpoint.

Switch:1#show interface gigabitEthernet i-sid


=======================================================================================
PORT Isid Info
=======================================================================================
ISID ISID ISID MAC
PORTNUM IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU SUNI
----------------------------------------------------------------------------------------
1/1 192 27 N/A 4000 ELAN C --- - --- - ISID-27 FALSE
1/1 192 270 N/A 4001 ELAN C --- - --- - ISID-270 FALSE
1/1 192 309 N/A 309 ELAN C --- - --- - ISID-309 FALSE
1/1 192 401 N/A 401 ELAN C --- - --- - ISID-401 FALSE
1/1 192 1001 N/A 1001 ELAN C --- - --- - ISID-1001 FALSE
1/1 192 1111 N/A 1111 ELAN C --- - --- - ISID-1111 FALSE
1/1 192 1121 N/A 1121 ELAN C --- - --- - ISID-1121 FALSE
1/1 192 1201 N/A 1201 ELAN C --- - --- - ISID-1201 FALSE
1/1 192 2001 N/A 2001 ELAN C --- - --- - ISID-2001 FALSE
1/2 193 38 N/A 4000 ELAN C --- - --- - ISID-38 FALSE
1/2 193 310 N/A 310 ELAN C --- - --- - ISID-310 FALSE
1/2 193 380 N/A 4001 ELAN C --- - --- - ISID-380 FALSE
1/2 193 402 N/A 402 ELAN C --- - --- - ISID-402 FALSE

13 out of 152 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

Variable Definitions

The following table defines parameters for the show i-sid command.

Variable Value
elan Displays all ELAN I-SIDs.

The following table defines parameters for the show mlt i-sid command.

Variable Value
<1–512> The valid range for MLT ID.


The following table defines parameters for the show interfaces gigabitEthernet i-sid
command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

Enabling or disabling FA Zero Touch Client Attachment


Use this procedure to enable or disable the global FA Zero Touch Client Attachment feature on an FA
Proxy or Server. By default, FA Zero Touch Client Attachment support is enabled.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable an FA Zero Touch client:
fa zero-touch-client standard <camera|ona-sdn|ona-spb-over-ip|phone|router|security-device|srvr-endpt|switch|video|virtual-switch|wap-type1|wap-type2> i-sid <1–15999999>
3. Disable an FA Zero Touch client:
no fa zero-touch-client standard <camera|ona-sdn|ona-spb-over-ip|phone|router|security-device|srvr-endpt|switch|video|virtual-switch|wap-type1|wap-type2>

Example
Switch:1(config)# fa zero-touch-client standard camera i-sid 1003
Switch:1(config)# no fa zero-touch-client standard camera

Variable definitions

The following table defines parameters for the fa zero-touch-client standard command.

Variable Value
camera Specify element type to match camera.
ona-sdn Specify element type to match ona-sdn.
ona-spb-over-ip Specify element type to match ona-spb-over-ip.
phone Specify element type to match phone.
router Specify element type to match router.
security-device Specify element type to match security-device.
srvr-endpt Specify element type to match srvr-endpt.

switch Specify element type to match switch.
video Specify element type to match video.
virtual-switch Specify element type to match virtual-switch.
wap-type1 Specify element type to match wap-type1.
wap-type2 Specify element type to match wap-type2.

Displaying FA Zero Touch Client Attachment


Use this procedure to display the Zero Touch Client Attachment data you have configured on an FA
Server.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display Zero Touch Client Attachment data:
show fa zero-touch-client

Example

The following example displays sample output for the show fa zero-touch-client command.
Switch:1#show fa zero-touch-client

================================================================================

Fabric Attach Zero Touch Client


================================================================================

Type Description I-SID VLAN I-SID Name


--------------------------------------------------------------------------------
6 wap-type1 11111 123
11 camera 2000 200
17 ona-spb-over-ip 40001 4001
--------------------------------------------------------------------------------

3 out of 3 Total Num of Fabric Attach Zero Touch Client entries displayed
--------------------------------------------------------------------------------

Configure Endpoint Tracking Using CLI


The following sections provide procedural information to configure Endpoint Tracking using CLI.

Configure Endpoint Tracking Interfaces


Create and enable Endpoint Tracking on ports and MLT/SMLT interfaces. Creating, deleting, enabling,
and disabling Endpoint Tracking on interfaces can be accomplished as separate steps using this
procedure.

Before You Begin


• In ExtremeCloud IQ ‑ Site Engine, configure your third-party virtualization platform, and the
RADIUS server used for Endpoint Tracking authentication. For information about configuring
ExtremeCloud IQ ‑ Site Engine, see the ExtremeCloud IQ ‑ Site Engine documentation at
https://www.extremenetworks.com/support/documentation/.
• On the switch, add and configure the RADIUS server as configured in ExtremeCloud IQ ‑ Site Engine.

About This Task

Configure ports and MLT/SMLT interfaces to function as Switched UNI interfaces, and then create and
enable Endpoint Tracking on those interfaces.

Procedure
1. Enter Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface mlt <1-512>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable Flex UNI on the interface:


flex-uni enable
3. Create and enable Endpoint Tracking:
• Create Endpoint Tracking on the interface:

endpoint-tracking
• Create and enable Endpoint Tracking on the interface:

endpoint-tracking enable

What to Do Next

Configure Endpoint Tracking globally on the switch.

Configure Endpoint Tracking Globally


Configure Endpoint Tracking globally on the switch.

Before You Begin


• In ExtremeCloud IQ ‑ Site Engine, configure your third-party virtualization platform, and the
RADIUS server used for Endpoint Tracking authentication. For information about configuring
ExtremeCloud IQ ‑ Site Engine, see the ExtremeCloud IQ ‑ Site Engine documentation at
https://www.extremenetworks.com/support/documentation/.
• On the switch, add and configure the RADIUS server as configured in ExtremeCloud IQ ‑ Site Engine.
• Create and enable Endpoint Tracking on interfaces.


About This Task

Optionally, if the RADIUS outbound attributes do not include an I-SID value, configure an I-SID offset
value, and globally enable I-SID offset for Endpoint Tracking. The I-SID offset value is used to calculate
an I-SID value for a switched UNI if no I-SID value is provided by the RADIUS server. In that case, the
I-SID value is calculated as follows: I-SID = VLAN ID + configured I-SID offset value.

After optionally configuring an I-SID offset value, enable Endpoint Tracking globally on the switch.

Note
If you have previously enabled Endpoint Tracking globally and want to change the currently
configured I-SID offset value, you must disable Endpoint Tracking globally, change the I-SID
value, and then re-enable Endpoint Tracking globally.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. (Optional) Configure an I-SID offset value, and enable I-SID offset globally on the switch:
endpoint-tracking auto-isid-offset <0-15995903>
endpoint-tracking auto-isid-offset enable
3. Enable Endpoint Tracking globally on the switch:
endpoint-tracking enable

Variable Definitions

The following table defines parameters for the endpoint-tracking auto-isid-offset command.

Variable Value
<0-15995903> The I-SID offset value. The default is 15990000.
enable Enables or disables I-SID offset value globally on the switch. The default is disabled.

Configure Endpoint Tracking Visibility Mode


Configure Endpoint Tracking visibility mode on the switch.

Before You Begin


• In ExtremeCloud IQ ‑ Site Engine, configure your third-party virtualization platform, and the
RADIUS server used for Endpoint Tracking authentication. For information about configuring
ExtremeCloud IQ ‑ Site Engine, see the ExtremeCloud IQ ‑ Site Engine documentation at
https://www.extremenetworks.com/support/documentation/.
• On the switch, add and configure the RADIUS server as configured in ExtremeCloud IQ ‑ Site Engine.
• Create and enable Endpoint Tracking on interfaces.
• Enable Endpoint Tracking globally on the switch.


About This Task

Enable visibility mode to allow MAC learning on static S-UNIs for Endpoint Tracking.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable Endpoint Tracking visibility mode on the switch:
endpoint-tracking visibility-mode

Display Endpoint Tracking Configuration Information


Perform this procedure to display configuration information for Endpoint Tracking.

About This Task

Perform this procedure to display global, interface and binding information for Endpoint Tracking.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the global status of Endpoint Tracking on the switch, and the configured I-SID offset value, if
applicable:
show endpoint-tracking
3. Display the status of all interfaces that have Endpoint Tracking created:
show endpoint-tracking interfaces [gigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] | [mlt <1-512>]]
4. Display a summary of the VLAN:ISID binding information for all ports, or MLT/SMLT interfaces:
show endpoint-tracking bindings summary
5. Display the VLAN:ISID binding information for the switch, for ports, or for MLT/SMLT interfaces:
show endpoint-tracking bindings [gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]][,...]}] | [mlt <1-512>]]

Example

The following example displays all of the Endpoint Tracking configuration information for a switch.
Switch:1>show endpoint-tracking
=======================================================================================
Endpoint Tracking Configuration
=======================================================================================

endpoint tracking status : ENABLED


auto-isid-offset value : 15990000
auto-isid-offset enabled : ENABLED
visibility-mode status : ENABLED
Switch:1>show endpoint-tracking interfaces
==========================================================================================

Endpoint Tracking Interfaces


==========================================================================================
PORT


NUM INDEX STATUS


------------------------------------------------------------------------------------------

1/1 192 Enabled


1/10 201 Enabled
MLT-2 6145 Enabled
MLT-5 6148 Disabled
--------------------------------------------------------------------------------
4 out of 4 Total Num of Endpoint Tracking interfaces displayed
--------------------------------------------------------------------------------
Switch:1>show endpoint-tracking bindings summary
==================================================================================================================
Endpoint Tracking Bindings
==================================================================================================================
PORT/MLT INDEX TOTAL ACCEPTED REJECTED PENDING TIMEOUT SERVER-UNREACHABLE
------------------------------------------------------------------------------------------------------------------
1/10 201 5 5 0 0 0 0

Switch:1>show endpoint-tracking bindings


==================================================================================================================
Endpoint Tracking Bindings
==================================================================================================================
PORT/MLT INDEX MAC STATUS VLAN ID ISID SOURCE TIMEOUT TIME REMAINING
------------------------------------------------------------------------------------------------------------------
1/10 201 00:00:00:00:1b:01 accept 27 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00
1/10 201 00:00:00:00:1b:02 accept 27 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00
1/10 201 00:00:00:00:1b:03 accept 27 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00
1/10 201 00:00:00:00:1b:04 accept 27 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00
1/10 201 00:00:00:00:1b:05 accept 27 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00

5 out of 5 Total Num of Endpoint Tracking bindings displayed.

Variable Definitions

The following table defines parameters for the show endpoint-tracking bindings command.

Variable Value
gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
MLT <1-512> Specifies the MLT ID.
summary Provides a summary of the total number and status of bindings for all interfaces.
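
The binding output above can be audited against the rule I-SID = VLAN ID + configured I-SID offset value. The following Python script is an added example, not part of the Extreme Networks guide: it parses captured show endpoint-tracking bindings rows, reports any binding whose status is not accept, and reports any binding whose I-SID does not equal the VLAN ID plus the offset. It assumes that the offset rule applies to rows whose SOURCE is autoconfig, as in the sample output; the sample rows are constructed, including the reject status spelling.

```python
import re

OFFSET_RANGE = (0, 15995903)   # range the guide gives for auto-isid-offset
DEFAULT_OFFSET = 15990000      # default offset stated in the guide

# PORT/MLT INDEX MAC STATUS VLAN-ID ISID SOURCE (timers that follow are ignored)
BINDING = re.compile(
    r"^\s*(?P<intf>\S+)\s+(?P<index>\d+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<status>\S+)\s+(?P<vlan>\d+)\s+(?P<isid>\d+)\s+(?P<source>\S+)"
)

# Constructed sample: the last two rows are invented to show both findings.
SAMPLE = """\
PORT/MLT INDEX MAC STATUS VLAN ID ISID SOURCE TIMEOUT TIME REMAINING
1/10 201 00:00:00:00:1b:01 accept 27 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00
1/10 201 00:00:00:00:1b:02 accept 27 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00
1/10 201 00:00:00:00:1b:06 accept 30 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00
MLT-2 6145 00:00:00:00:1b:07 reject 27 15990027 autoconfig 0 day(s), 00:01:40 0 day(s), 00:00:00
"""


def expected_isid(vlan, offset=DEFAULT_OFFSET):
    """I-SID the switch derives when RADIUS supplies none: VLAN ID + offset."""
    low, high = OFFSET_RANGE
    if not low <= offset <= high:
        raise ValueError(f"offset {offset} outside {low}-{high}")
    return vlan + offset


def parse_bindings(text):
    """Return one dict per binding row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = BINDING.match(line)
        if not match:
            continue
        row = match.groupdict()
        for key in ("index", "vlan", "isid"):
            row[key] = int(row[key])
        row["mac"] = row["mac"].lower()
        rows.append(row)
    return rows


def audit_bindings(rows, offset=DEFAULT_OFFSET):
    """Return (interface, mac, reason) for every binding that needs review."""
    findings = []
    for row in rows:
        if row["status"] != "accept":
            findings.append((row["intf"], row["mac"],
                             "status=" + row["status"]))
        # Assumption: only autoconfig bindings are expected to follow the
        # offset rule; other sources carry an I-SID assigned elsewhere.
        if row["source"] == "autoconfig":
            want = expected_isid(row["vlan"], offset)
            if row["isid"] != want:
                findings.append((
                    row["intf"], row["mac"],
                    f"isid {row['isid']} != vlan {row['vlan']} + offset ({want})",
                ))
    return findings


if __name__ == "__main__":
    for intf, mac, reason in audit_bindings(parse_bindings(SAMPLE)):
        print(f"{intf:6} {mac}  {reason}")
```

Pass the offset shown by show endpoint-tracking as the second argument when the switch does not use the default.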

IS-IS external metric configuration using the CLI


This section provides procedures for IS-IS external metric configuration.

Matching metric type for IS-IS routes


About This Task

Use this procedure to match the external metric-type by using a route-map for any of the following
cases:
• accepting a remote IS-IS route with the help of IS-IS accept policies.
• redistributing IS-IS routes into other protocols.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure.


• You must log on to the route-map configuration mode in the CLI.

Procedure

1. Enter Route-Map Configuration mode:


enable

configure terminal

route-map WORD<1-64> <1-65535>


2. Match IS-IS metric type:
match metric-type-isis {any|internal|external}
3. Permit the route policy action:
permit
4. Enable the route policy:
enable

Example

Match metric type for IS-IS routes:


Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# route-map ro1 10
Switch:1(route-map)# match metric-type-isis internal
Switch:1(route-map)# permit
Switch:1(route-map)# enable
Match metric type for IS-IS routes in accept policies:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# route-map ro1 10
Switch:1(route-map)# match metric-type-isis internal
Switch:1(route-map)# permit
Switch:1(route-map)# enable
Switch:1(route-map)# exit
Switch:1(config)# router isis
Switch:1(config-isis)# accept route-map ro1
Switch:1(config-isis)# exit
Switch:1(config)# isis apply accept
Match metric type to redistribute IS-IS routes into some other protocol (OSPF, RIP, BGP):
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# route-map ro1 10
Switch:1(route-map)# match metric-type-isis internal
Switch:1(route-map)# permit


Switch:1(route-map)# enable
Switch:1(route-map)# exit
Switch:1(config)# router bgp
Switch:1(router-bgp)# redistribute isis route-map ro1
Switch:1(router-bgp)# exit
Switch:1(config)# ip bgp apply redistribute

Variable Definitions

The following table defines parameters for the match metric-type-isis command.

Variable Value
metric-type-isis {any|internal|external} Specifies the IS-IS metric type:
• internal – permits or denies routes that are internal to the IS-IS domain.
• external – permits or denies routes that originate from an external routing protocol domain.
• any – permits or denies both internal routes as well as external routes.

Setting metric type for IS-IS routes

About This Task

Use this procedure to set the IS-IS external metric-type by using a route-map for any of the following
cases:
• accepting a remote IS-IS route with the help of IS-IS accept policies.
• redistributing routes from other protocols into IS-IS.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure.


• You must log on to the route-map configuration mode in the CLI.

Procedure

1. Enter Route-Map Configuration mode:


enable

configure terminal

route-map WORD<1-64> <1-65535>


2. Set IS-IS metric type:
set metric-type-isis {any|internal|external}
3. Permit the route policy action:
permit
4. Enable the route policy:
enable


Example

Set metric type for IS-IS routes:


Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# route-map ro1 10
Switch:1(route-map)# set metric-type-isis internal
Switch:1(route-map)# permit
Switch:1(route-map)# enable
Set metric type for IS-IS routes in accept policies:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# route-map ro1 10
Switch:1(route-map)# set metric-type-isis internal
Switch:1(route-map)# permit
Switch:1(route-map)# enable
Switch:1(route-map)# exit
Switch:1(config)# router isis
Switch:1(config-isis)# accept route-map ro1
Switch:1(config-isis)# exit
Switch:1(config)# isis apply accept
Set metric type to redistribute routes from other protocols into IS-IS:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# route-map ro1 10
Switch:1(route-map)# set metric-type-isis internal
Switch:1(route-map)# permit
Switch:1(route-map)# enable
Switch:1(route-map)# exit
Switch:1(config)# router isis
Switch:1(config-isis)# redistribute bgp route-map ro1
Switch:1(config-isis)# exit
Switch:1(config)# isis apply redistribute

Variable Definitions

The following table defines parameters for the set metric-type-isis command.

Variable Value
metric-type-isis {any|internal|external} Specifies the IS-IS metric type:
• internal – permits or denies routes that are
internal to the IS-IS domain.
• external – permits or denies routes that
originate from an external routing protocol
domain.
• any – permits or denies both internal routes as
well as external routes.

Setting metric type for IS-IS routes using global redistribute command

About This Task

Use this procedure to set the IS-IS external metric-type using the global redistribute command when
redistributing routes from other protocols into IS-IS.


Before You Begin

• You must configure the required SPBM and IS-IS infrastructure.


• You must log on to the IS-IS router configuration mode in the CLI.

Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Set IS-IS metric type using global redistribute command:
redistribute direct metric-type {internal|external}
3. Enable the route policy:
redistribute direct enable

Example

Set metric type for IS-IS routes using global redistribute command:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# router isis
Switch:1(config-isis)# redistribute direct metric-type internal
Switch:1(config-isis)# redistribute direct enable

Variable Definitions

The following table defines parameters for the redistribute direct metric-type command.

Variable Value
metric-type {internal|external} Specifies the IS-IS metric type:
• internal – permits or denies routes that are
internal to the IS-IS domain.
• external – permits or denies routes that
originate from an external routing protocol
domain.

Multi-area SPB Configuration using CLI


Perform the procedures in this section to configure Multi-area SPB parameters such as virtual
node, router remote Intermediate-System-to-Intermediate-System (IS-IS), layer 2 unicast and multicast
redistribution, and IPv4 and IPv6 route redistribution on the switch using the Command Line Interface
(CLI).

Multi-area SPB Configuration Flow

Note
This procedure only applies to the VSP 7400 Series.


Perform the following procedures in sequence to configure the Multi-area SPB feature on the switch.

Procedure

1. Configure Remote IS-IS Multi-area SPB Nickname for an SPBM Instance on page 1108.
2. Display the Remote IS-IS SPBM Nickname Configuration on page 1135.
3. Configure Remote IS-IS Manual Area on page 1109.
4. Configure Remote IS-IS System ID on page 1110.
5. Configure an IS-IS Area Name on page 1111.
6. Display IS-IS Remote Area Configuration on page 1135.
7. Display IS-IS Area Configuration on page 1136.
8. Configure IS-IS Multi-area SPB Virtual Node on page 1112.
9. Display IS-IS Area Virtual Node Configuration on page 1136.
10. Configure Remote IS-IS Hello Authentication on a Port on page 1113.
11. Configure Remote IS-IS Layer 1 Designated Router Priority on a Port on page 1114.
12. Configure Remote IS-IS Hello Interval on a Port on page 1115.
13. Configure Remote IS-IS Hello Multiplier on a Port on page 1116.
14. Configure Remote IS-IS SPBM Parameters on a Port on page 1117.
15. Enable Remote IS-IS on a Port on page 1118.
16. Enable Remote IS-IS Router Configuration Globally on page 1119.
17. Display IS-IS Remote Area Configuration on page 1135.
18. Configure Multi-area SPB Layer 2 I-SID List on page 1120.
19. Display IS-IS Multi-area SPB Layer 2 I-SID List Information on page 1137.
20. Configure Multi-area SPB Layer 2 I-SID Redistribution on page 1121.
21. Configure IS-IS Multi-area SPB IPv4 Unicast Redistribution on page 1122.
22. Configure IS-IS Multi-area SPB IPv6 Unicast Redistribution on page 1123.
23. Configure IS-IS Multi-area SPB IPv4 Unicast Redistribution on a VRF Instance on page 1125.
24. Configure IS-IS Multi-area SPB IPv6 Unicast Redistribution on a VRF Instance on page 1127.
25. Configure Multi-area SPB DvR Backbone Redistribution on page 1128.
26. Display IS-IS Multi-area SPB DvR Configuration on page 1140.
27. Configure Multi-area SPB Layer 2 Multicast Snooping Redistribution on page 1129.
28. Configure Multi-area SPB IPv4 Routed Multicast Redistribution on page 1131.
29. Configure IS-IS Multi-area SPB IPv4 Routed Multicast Redistribution on a VRF Instance on page 1133.

Configure Remote IS-IS Multi-area SPB Nickname for an SPBM Instance

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure remote IS-IS Multi-area SPB nickname for a specific SPBM instance
on the switch.


Procedure

1. Enter IS-IS Router Remote Configuration mode:


enable

configure terminal

router isis remote


2. Configure IS-IS Multi-area SPB nickname:
spbm <1-100> nick-name <x.xx.xx>

Example

Configuring remote IS-IS Multi-area SPB nickname for SPBM instance:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis remote
Switch:1(config-remote)#spbm 4 nick-name 1.11.16

What to Do Next

To verify the configuration, see Display the Remote IS-IS SPBM Nickname Configuration on page 1135.

Variable Definitions

The following table defines parameters for the spbm command.

Variable Value
<1-100> Specifies the SPBM instance on the remote IS-IS interface.
nick-name <x.xx.xx> Specifies a nickname for the remote IS-IS SPBM Multi-area SPB instance.
The value is 2.5 bytes in the format <x.xx.xx>.

Configure Remote IS-IS Manual Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the remote Intermediate System-to-Intermediate System (IS-IS)
manual area.

Procedure

1. Enter IS-IS Router Remote Configuration mode:


enable

configure terminal

router isis remote


2. Configure the manual-area:


manual-area xx.xxxx.xxxx...xxxx

Example

Configuring remote IS-IS manual area:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis remote
Switch:1(config-isis-remote)#manual-area c1.1000.000.00

What to Do Next

To verify the configuration, see Display IS-IS Remote Area Configuration on page 1135 and Display IS-IS
Area Configuration on page 1136.

Variable Definitions

The following table defines parameters for the manual-area command.

Variable Value
<xx.xxxx.xxxx...xxxx> Specifies the remote IS-IS manual-area in the range of 1 to 13 bytes.

Configure Remote IS-IS System ID

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the remote Intermediate System-to-Intermediate System (IS-IS)
system ID on the switch.

Procedure

1. Enter IS-IS Router Remote Configuration mode:


enable

configure terminal

router isis remote


2. Configure the remote IS-IS system ID:
system-id xxxx.xxxx.xxxx

Example

Configuring the remote IS-IS system ID:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis remote
Switch:1(config-isis-remote)#system-id 0017.c6ed.44df

What to Do Next

To verify the configuration, see Display IS-IS Remote Area Configuration on page 1135 and Display IS-IS
Area Configuration on page 1136.

Variable Definitions

The following table defines parameters for the system-id command.

Variable Value
xxxx.xxxx.xxxx Specifies the remote IS-IS system ID for the switch.

Configure an IS-IS Area Name

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

• You must disable IS-IS or remote IS-IS.

About This Task

Perform this procedure to configure the area name for home and remote areas.

Procedure

1. Enter either IS-IS Router Configuration or IS-IS Router Remote Configuration mode:
enable

configure terminal

router isis or router isis remote


2. Configure the area name:
area-name WORD<0-255>
3. Enable IS-IS or remote IS-IS:
router isis enable or router isis remote enable

Example

Configure the home and remote area names:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router isis
Switch:1(config-isis)#area-name 30
Switch:1(config)#router isis remote
Switch:1(config-isis-remote)# area-name 50


Variable Definitions

The following table defines parameters for the area-name command.

Variable Value
WORD<0-255> Specifies the area name. The default value is area-manual-area, where
manual-area represents the IS-IS or remote IS-IS manual-area value that
you configure.

Configure IS-IS Multi-area SPB Virtual Node

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the IS-IS Multi-area SPB virtual node parameters like nick-name,
system ID, and system name in the home or remote area.

Procedure
1. Enter either IS-IS Router Configuration or IS-IS Router Remote Configuration mode:
enable

configure terminal

router isis or router isis remote


2. Configure the nick-name for the IS-IS Multi-area SPB virtual node:
area-vnode nick-name <x.xx.xx>
3. Configure the system name for the IS-IS Multi-area SPB virtual node:
area-vnode sys-name WORD<0-255>
4. Configure the system ID for the IS-IS Multi-area SPB virtual node:
area-vnode system-id xxxx.xxxx.xxxx

Example

Configuring the IS-IS Multi-area SPB virtual node in the home area:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#area-vnode nick-name 0.82.40
Switch:1(config-isis)#area-vnode sys-name SwitchC
Switch:1(config-isis)#area-vnode system-id 1222.3300.0000

Configuring the IS-IS Multi-area SPB virtual node in the remote area:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis remote
Switch:1(config-isis)#area-vnode nick-name 0.82.60
Switch:1(config-isis)#area-vnode sys-name SwitchA
Switch:1(config-isis)#area-vnode system-id 1222.3311.2222


What to Do Next

To verify the configuration, see Display IS-IS Area Virtual Node Configuration on page 1136.

Variable Definitions

The following table defines parameters for the area-vnode command.

Variable Value
nick-name x.xx.xx Specifies a nickname for the IS-IS SPBM Multi-area SPB instance. The
value is 2.5 bytes in the format x.xx.xx.
sys-name WORD<0-255> Specifies the name of the system.
system-id xxxx.xxxx.xxxx Specifies the IS-IS Multi-area SPB virtual node system ID.

Configure Remote IS-IS Hello Authentication on a Port

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the authentication type used for remote
Intermediate-System-to-Intermediate-System (IS-IS) hello packets on the interface. The type can be one
of the following: none, simple, hmac-md5, or hmac-sha-256.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the hello authentication type:


isis remote hello-auth type {none | simple | hmac-md5 | hmac-sha-256}
[key WORD<1-16>] [key-id <1-255>]

Example

Configuring the simple authentication type for remote IS-IS hello packets on port 1/2:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#isis remote hello-auth type simple key Test key-id 125

Variable Definitions

The following table defines parameters for the isis remote hello-auth command.

Variable Value
key WORD<1-16> Specifies the authentication key (password) that the receiving router uses
to verify the packet.
key-id <1-255> Specifies the optional key ID.
type {none | simple | hmac-md5 | hmac-sha-256} Specifies the authentication type used for remote
IS-IS hello packets on the interface. The type can be one of the following:
• Simple - Simple password authentication uses a text password in the
transmitted packet. The receiving router uses an authentication key
(password) to verify the packet. You can also specify a key value.
• hmac-md5 - MD5 authentication creates an encoded checksum in the
transmitted packet. The receiving router uses an authentication key
(password) to verify the MD5 checksum of the packet. You can also
specify a key value and key-id.
• hmac-sha-256 - With SHA-256 authentication, the switch adds an
HMAC-SHA256 digest to each Hello packet. The switch that receives
the Hello packet computes the digest of the packet and compares it
with the received digest. If the digests match, the packet is accepted.
If the digests do not match, the receiving switch discards the packet.
You can also specify a key value and key-id.
The default type is none.
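
The accept-or-discard check described for hmac-sha-256, set beside the simple type, as an added Python example that is not VOSS code and does not come from this guide. The packet layout and auth-type codes are constructed for illustration and are not the IS-IS wire format; only the key Test and key-id 125 are taken from the example above.

```python
import hashlib
import hmac
import struct

# Auth-type codes and packet layout are constructed for this model only;
# they are not VOSS internals or the IS-IS wire encoding.
AUTH_NONE, AUTH_SIMPLE, AUTH_HMAC_SHA256 = 0, 1, 2
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
HEADER = "!BBB"  # auth type, key-id, length of the auth field


def _digest(key: bytes, key_id: int, body: bytes) -> bytes:
    """HMAC-SHA256 over header + zeroed digest field + body."""
    header = struct.pack(HEADER, AUTH_HMAC_SHA256, key_id, DIGEST_LEN)
    return hmac.new(key, header + bytes(DIGEST_LEN) + body, hashlib.sha256).digest()


def build_hello(body: bytes, auth_type: int, key: bytes = b"", key_id: int = 0) -> bytes:
    """Sender side: return header + auth field + body."""
    if auth_type == AUTH_NONE:
        auth = b""
    elif auth_type == AUTH_SIMPLE:
        auth = key  # the password itself travels in the packet
    elif auth_type == AUTH_HMAC_SHA256:
        auth = _digest(key, key_id, body)  # only a keyed digest travels
    else:
        raise ValueError("unknown auth type")
    return struct.pack(HEADER, auth_type, key_id, len(auth)) + auth + body


def verify_hello(packet: bytes, expected_type: int, keys: dict) -> bool:
    """Receiver side: True means accept, False means discard."""
    if len(packet) < 3:
        return False
    auth_type, key_id, auth_len = struct.unpack(HEADER, packet[:3])
    if auth_type != expected_type or len(packet) < 3 + auth_len:
        return False  # type differs from the configured one, or truncated
    auth, body = packet[3:3 + auth_len], packet[3 + auth_len:]
    if auth_type == AUTH_NONE:
        return auth_len == 0
    key = keys.get(key_id)
    if key is None:
        return False  # no key configured for this key-id
    if auth_type == AUTH_SIMPLE:
        return hmac.compare_digest(auth, key)
    if auth_type == AUTH_HMAC_SHA256:
        if auth_len != DIGEST_LEN:
            return False
        # Recompute the digest locally and compare in constant time.
        return hmac.compare_digest(auth, _digest(key, key_id, body))
    return False


def demo() -> dict:
    keys = {125: b"Test"}  # key and key-id from the guide's example
    body = b"constructed-hello-body"  # constructed sample payload
    good = build_hello(body, AUTH_HMAC_SHA256, keys[125], 125)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # one bit changed in transit
    wrong_key = build_hello(body, AUTH_HMAC_SHA256, b"Other", 125)
    simple = build_hello(body, AUTH_SIMPLE, keys[125], 125)
    return {
        "good": verify_hello(good, AUTH_HMAC_SHA256, keys),
        "tampered": verify_hello(tampered, AUTH_HMAC_SHA256, keys),
        "wrong_key": verify_hello(wrong_key, AUTH_HMAC_SHA256, keys),
        "type_mismatch": verify_hello(simple, AUTH_HMAC_SHA256, keys),
        "key_visible_in_simple": keys[125] in simple,
        "key_visible_in_hmac": keys[125] in good,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the simple type the key is readable in every hello on the link, while with hmac-sha-256 only the digest is sent and any change to the packet or key causes a discard.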

Configure Remote IS-IS Layer 1 Designated Router Priority on a Port

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the Level 1 remote Intermediate-System-to-Intermediate-System
(IS-IS) designated router priority to the specified value.

Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.


2. Configure the Level 1 remote IS-IS designated router priority:


isis remote l1-dr-priority <0-127>

Example

Configuring the remote IS-IS designated router priority for port 1/4:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#isis remote l1-dr-priority 1

Variable Definitions

The following table defines parameters for the isis remote l1-dr-priority command.

Variable Value
<0-127> Specifies the level 1 remote Intermediate-System-to-Intermediate-System
(IS-IS) designated router priority value. The default value is 64.

Configure Remote IS-IS Hello Interval on a Port

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the remote hello interval to change how often hello packets are
sent out at the interface level.

Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the remote hello interval:


isis remote l1-hello-interval <1-600>

Example

Configuring the remote hello interval on port 1/3:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/3
Switch:1(config-if)#isis remote l1-hello-interval 1

Variable Definitions

The following table defines parameters for the isis remote l1-hello-interval command.

Variable Value
<1-600> Configures the Level 1 remote hello interval. The default value is 9
seconds.

Configure Remote IS-IS Hello Multiplier on a Port

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the remote hello multiplier to specify how many hellos the switch
must miss before it considers the adjacency with a neighboring switch down.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the level 1 hello multiplier:


isis remote l1-hello-multiplier <1-600>

Example

Configuring the remote hello multiplier on port 1/2:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#isis remote l1-hello-multiplier 1


Variable Definitions

The following table defines parameters for the isis remote l1-hello-multiplier command.

Variable Value
<1-600> Configures the Level 1 hello multiplier. The default value is 3 seconds.

Configure Remote IS-IS SPBM Parameters on a Port

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the remote Intermediate-System-to-Intermediate-System (IS-IS)
Shortest Path Bridging MAC (SPBM) parameters on a specific port.

Procedure

1. Enter Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface mlt <1-512>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the remote IS-IS SPBM interface type:


isis remote spbm <1-100> interface-type {broadcast | pt-pt}
3. Configure the cost of the remote SPBM instance:
isis remote spbm <1-100> l1-metric <1-16777215>

Example

Configuring the remote IS-IS SPBM interface type and layer 1 metric on port 1/2:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#isis remote spbm 2 interface-type broadcast
Switch:1(config-if)#isis remote spbm 2 l1-metric 2


Variable Definitions

The following table defines parameters for the isis remote spbm command.

Variable Value
<1-100> Specifies the SPBM instance.
interface-type {broadcast | pt-pt} Specifies the IS-IS SPBM interface type as broadcast or
point-to-point (pt-pt).
l1-metric <1-16777215> Specifies the SPBM instance layer 1 metric on the IS-IS interface located
on a specific port.

Enable Remote IS-IS on a Port

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin


• Configure manual-area in both home and remote area.
• Configure the Shortest Path Bridging MAC (SPBM) instance and backbone VLANs (B-VLAN)
manually.
• Configure the nickname in both home and remote area manually.
• Disable Auto-sense on the port.
• Make sure that the physical node nickname, virtual node nickname and system ID are different.

About This Task

Perform this procedure to enable remote Intermediate-System-to-Intermediate-System (IS-IS) interface
on the selected port(s).

Note
When the switch receives a Fabric Connect TLV through LLDP on a port that has remote IS-IS
enabled on it, the port transitions to the Auto-sense NNI pending state. For more information,
see Auto-sense Port States on page 18.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.


2. Enable remote IS-IS interface:


isis remote enable

Example

Enabling remote IS-IS interface on port 1/2:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#isis remote enable

Variable Definitions

The following table defines parameters for the isis remote command.

Variable Value
enable Enables a remote IS-IS interface on the selected ports.

Enable Remote IS-IS Router Configuration Globally

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin


• Configure manual-area in both home and remote area.
• Configure the Shortest Path Bridging MAC (SPBM) instance and backbone VLANs (B-VLAN)
manually.
• Configure the nickname in both home and remote area manually.

About This Task

Perform this procedure to enable remote IS-IS router configuration on the switch, globally.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable IS-IS router remote configuration:
router isis remote [enable]

Example

Enabling IS-IS router remote configuration globally:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis remote enable


What to Do Next

To verify the configuration, see Display IS-IS Remote Area Configuration on page 1135.

Variable Definitions

The following table defines parameters for the router isis remote command.

Variable Value
enable Enables router IS-IS remote configuration globally on the switch.

Configure Multi-area SPB Layer 2 I-SID List

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the Multi-area SPB layer 2 I-SID list.

Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Configure the Multi-area SPB layer 2 I-SID list:
multi-area l2 isid-list WORD<1-32> WORD<1-1024>

Example

Configuring the Multi-area SPB layer 2 I-SID list that includes specific I-SID values:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#multi-area l2 isid-list testlist 1,3,5,100-200

What to Do Next

To verify the configuration, see Display IS-IS Multi-area SPB Layer 2 I-SID List Information on page 1137.

Variable Definitions

The following table defines parameters for the multi-area l2 isid-list command.

Variable Value
WORD<1-32> Specifies the name of the I-SID list.
WORD<1-1024> Specifies the list of I-SID values.


Configure Multi-area SPB Layer 2 I-SID Redistribution

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure Multi-area SPB layer 2 I-SID redistribution.

Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Configure the Multi-area SPB layer 2 I-SID redistribution:
multi-area l2 redistribute i-sid {deny-all | permit-all} [except-isid-list WORD<1-32>]
3. Verify the Multi-area SPB layer 2 I-SID redistribution configuration:
show isis multi-area l2 redistribute i-sid
4. Apply the layer 2 I-SID redistribution:
isis multi-area l2 apply redistribute i-sid

Example

Configuring Multi-area SPB layer 2 I-SID redistribution and excluding the I-SID values specified in the
I-SID list:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#multi-area l2 redistribute i-sid permit-all except-isid-list testlist
Switch:1(config-isis)#show isis multi-area l2 redistribute i-sid
=========================================================================
MULTI AREA L2 ISID REDIST POLICY
=========================================================================
Permit Except List Name
-------------------------------------------------------------------------
permit-all testlist
-------------------------------------------------------------------------
Switch:1(config-isis)#isis multi-area l2 apply redistribute i-sid


Variable Definitions

The following table defines parameters for the multi-area l2 redistribute i-sid command.

Variable Value
deny-all Denies the Multi-area SPB IPv6 unicast redistribution configuration for the
specified I-SID list name.
except-isid-list WORD<1-32> Specifies the name of the I-SID list.
permit-all Permits the Multi-area SPB IPv6 unicast redistribution configuration for
the specified I-SID list name.
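
How the permit-all or deny-all action combines with an except-isid-list, as an added Python example that is not VOSS code and does not come from this guide. It assumes the listed I-SIDs are the exceptions to the chosen action; the guide's example shows this for permit-all, and the deny-all case is an assumption. Function names and the sample I-SIDs are constructed.

```python
# I-SID is a 24-bit field; the guide does not state the range VOSS accepts,
# so this bound is the field width only.
ISID_MAX = 0xFFFFFF


def parse_isid_list(spec: str) -> list:
    """Parse a list such as '1,3,5,100-200' into merged inclusive ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in I-SID list")
        low_s, sep, high_s = item.partition("-")
        low = int(low_s)
        high = int(high_s) if sep else low
        if low < 1 or high < low or high > ISID_MAX:
            raise ValueError(f"bad I-SID item: {item!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        last_low, last_high = merged[-1]
        if low <= last_high + 1:  # overlapping or adjacent: extend
            merged[-1] = (last_low, max(last_high, high))
        else:
            merged.append((low, high))
    return merged


def in_ranges(isid: int, ranges) -> bool:
    return any(low <= isid <= high for low, high in ranges)


def redistributed(isid: int, action: str, except_ranges=()) -> bool:
    """True if the I-SID is redistributed across the area boundary."""
    if action not in ("permit-all", "deny-all"):
        raise ValueError("action must be permit-all or deny-all")
    default = action == "permit-all"
    # Assumption: an I-SID on the except list gets the opposite of the default.
    return (not default) if in_ranges(isid, except_ranges) else default


def crossing(isids, action: str, except_spec: str = "") -> list:
    """Return the sorted I-SIDs from isids that the policy redistributes."""
    ranges = parse_isid_list(except_spec) if except_spec else []
    return sorted(i for i in set(isids) if redistributed(i, action, ranges))


if __name__ == "__main__":
    testlist = "1,3,5,100-200"  # the I-SID list from the guide's example
    seen = [1, 2, 3, 4, 5, 99, 100, 150, 200, 201]  # constructed sample
    print("permit-all except testlist:", crossing(seen, "permit-all", testlist))
    print("deny-all except testlist:  ", crossing(seen, "deny-all", testlist))
```

Running the same check against the I-SIDs actually present in the home area shows which Layer 2 services a policy would expose to the remote area before it is applied.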

Configure IS-IS Multi-area SPB IPv4 Unicast Redistribution

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Configure IP Shortcuts on the boundary nodes.

About This Task

Perform this procedure to configure Multi-area SPB IPv4 unicast redistribution on the switch.

Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Create the Multi-area SPB IPv4 unicast redistribution instance:
multi-area ip redistribute unicast [home-to-remote | remote-to-home]

Note
If you do not specify the direction for redistribution then the system applies the
redistribution in both directions by default.

3. (Optional) Configure a route policy to govern the redistribution:
multi-area ip redistribute unicast [home-to-remote | remote-to-home] route-map WORD<1-64>
4. Enable the Multi-area SPB IPv4 unicast redistribution instance:
multi-area ip redistribute unicast [home-to-remote | remote-to-home] enable
5. Verify the Multi-area SPB IPv4 unicast redistribution configuration:
show isis multi-area ip redistribute unicast [home-to-remote | remote-to-home]
6. Apply the Multi-area SPB IPv4 unicast redistribution:
isis multi-area ip apply redistribute unicast [home-to-remote | remote-to-home]

Example

Configuring Multi-area SPB IPv4 unicast redistribution for home to remote direction:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#multi-area ip redistribute unicast home-to-remote
Switch:1(config-isis)#multi-area ip redistribute unicast home-to-remote route-map test
Switch:1(config-isis)#multi-area ip redistribute unicast home-to-remote enable
Switch:1(config-isis)#show isis multi-area ip redistribute home-to-remote
================================================================================
ISIS Multiarea Redistribute List for ip unicast - GlobalRouter
================================================================================
DIRECTION ENABLE RPOLICY
--------------------------------------------------------------------------------
home-to-remote TRUE test
--------------------------------------------------------------------------------
Switch:1(config-isis)#isis multi-area ip apply redistribute unicast home-to-remote

Variable Definitions

The following table defines parameters for the multi-area ip redistribute unicast and the
isis multi-area ip apply redistribute unicast commands.

Variable Value
enable Enables Multi-area SPB IPv4 unicast redistribution.
home-to-remote Specifies the IPv4 unicast redistribution configuration for home to remote
direction.
remote-to-home Specifies the IPv4 unicast redistribution configuration for remote to home
direction.
route-map WORD<1-64> Specifies the name of the route policy.
vrf WORD<1-16> Specifies the unicast redistribution configuration for specific VRF
instance.

Configure IS-IS Multi-area SPB IPv6 Unicast Redistribution

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Configure IP Shortcuts on the boundary nodes.

About This Task

Perform this procedure to configure Multi-area SPB IPv6 unicast redistribution on the switch.


Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Create the Multi-area SPB IPv6 unicast redistribution:
multi-area ipv6 redistribute unicast [home-to-remote | remote-to-home]

Note
If you do not specify the direction for redistribution then the system applies the
redistribution in both directions by default.

3. (Optional) Configure a route policy to govern the redistribution:
multi-area ipv6 redistribute unicast [home-to-remote | remote-to-home] route-map WORD<1-64>
4. Enable the Multi-area SPB IPv6 unicast redistribution instance:
multi-area ipv6 redistribute unicast [home-to-remote | remote-to-home] enable
5. Verify the Multi-area SPB IPv6 unicast redistribution configuration:
show isis multi-area ipv6 redistribute unicast [home-to-remote | remote-to-home]
6. Apply the Multi-area SPB IPv6 unicast redistribution:
isis multi-area ipv6 apply redistribute unicast [home-to-remote | remote-to-home]

Example

Configuring Multi-area SPB IPv6 unicast redistribution for home to remote direction:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#multi-area ipv6 redistribute unicast home-to-remote
Switch:1(config-isis)#multi-area ipv6 redistribute unicast home-to-remote route-map test
Switch:1(config-isis)#multi-area ipv6 redistribute unicast home-to-remote enable
Switch:1(config-isis)#show isis multi-area ipv6 redistribute home-to-remote
======================================================================================
ISIS Multiarea Redistribute List for ipv6 unicast - GlobalRouter
======================================================================================
DIRECTION ENABLE RPOLICY
--------------------------------------------------------------------------------------
home-to-remote TRUE test
--------------------------------------------------------------------------------------
Switch:1(config-isis)#isis multi-area ipv6 apply redistribute unicast home-to-remote


Variable Definitions

The following table defines parameters for the multi-area ipv6 redistribute unicast and
the isis multi-area ipv6 apply redistribute unicast commands.

Variable Value
enable Enables Multi-area SPB IPv6 unicast redistribution on the switch.
home-to-remote Specifies the IPv6 unicast redistribution configuration for home to remote
direction.
remote-to-home Specifies the IPv6 unicast redistribution configuration for remote to home
direction.
route-map WORD<1-64> Specifies the name of the route policy.
vrf WORD<1-16> Specifies the IPv6 unicast redistribution configuration for a specific VRF
instance.

Configure IS-IS Multi-area SPB IPv4 Unicast Redistribution on a VRF Instance

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Configure IP Shortcuts and layer 3 VSN on the Virtual Router Forwarding (VRF) instance.

About This Task

Perform this procedure to configure IS-IS Multi-area SPB IPv4 unicast redistribution on a specific VRF
instance on the switch.

Procedure

1. Enter VRF Router Configuration mode for a specific VRF context:


enable

configure terminal

router vrf WORD<1-16>


2. Create the IS-IS Multi-area SPB IPv4 unicast redistribution instance on the VRF:
isis multi-area ip redistribute unicast [home-to-remote | remote-to-home]

Note
If you do not specify the direction for redistribution then the system applies the
redistribution in both directions by default.

3. (Optional) Configure a route policy to govern the redistribution:


isis multi-area ip redistribute unicast [home-to-remote | remote-to-home] route-map WORD<1-64>


4. Enable the Multi-area SPB IPv4 unicast redistribution instance on the VRF:
isis multi-area ip redistribute unicast [home-to-remote | remote-to-home] enable
5. Verify the Multi-area SPB IPv4 unicast redistribution configuration on the VRF:
show isis multi-area ip redistribute unicast [home-to-remote | remote-to-home] vrf WORD<1-16>
6. Exit to Global Configuration mode:
exit
7. Apply the Multi-area SPB IPv4 unicast redistribution on the VRF:
isis multi-area ip apply redistribute unicast [home-to-remote | remote-to-home] vrf WORD<1-16>

Example

Configuring IS-IS Multi-area SPB IPv4 unicast redistribution for home to remote direction:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf VRF1
Switch:1(router-vrf)#isis multi-area ip redistribute unicast home-to-remote
Switch:1(router-vrf)#isis multi-area ip redistribute unicast home-to-remote route-map test
Switch:1(router-vrf)#isis multi-area ip redistribute unicast home-to-remote enable
Switch:1(router-vrf)#show isis multi-area ip redistribute unicast home-to-remote vrf VRF1
==================================================================================
ISIS Multiarea Redistribute List for ip unicast - VRF VRF1
==================================================================================
DIRECTION ENABLE RPOLICY
----------------------------------------------------------------------------------
home-to-remote TRUE test
----------------------------------------------------------------------------------
Switch:1(router-vrf)#exit
Switch:1(config)#isis multi-area ip apply redistribute unicast home-to-remote vrf VRF1

Variable Definitions

The following table defines parameters for the isis multi-area ip redistribute unicast
and the isis multi-area ip apply redistribute unicast commands.

Variable              Value
enable                Enables IPv4 unicast redistribution on the VRF instance.
home-to-remote        Specifies the IPv4 unicast redistribution configuration for home to remote direction.
remote-to-home        Specifies the IPv4 unicast redistribution configuration for remote to home direction.
route-map WORD<1-64>  Specifies the name of the route policy.
vrf WORD<1-16>        Specifies the IPv4 unicast redistribution configuration for a specific VRF instance.


Configure IS-IS Multi-area SPB IPv6 Unicast Redistribution on a VRF Instance

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin

Configure IP Shortcuts and layer 3 VSN on the Virtual Router Forwarding (VRF) instance.

About This Task

Perform this procedure to configure IS-IS Multi-area SPB IPv6 unicast redistribution on a specific Virtual
Router Forwarding (VRF) instance on the switch.

Procedure
1. Enter VRF Router Configuration mode for a specific VRF context:
enable

configure terminal

router vrf WORD<1-16>


2. Create the IS-IS Multi-area SPB IPv6 unicast redistribution instance on the VRF:
isis multi-area ipv6 redistribute unicast [home-to-remote | remote-to-home]

Note
If you do not specify the direction for redistribution then the system applies the
redistribution in both directions by default.

3. (Optional) Configure a route policy to govern the redistribution:


isis multi-area ipv6 redistribute unicast [home-to-remote | remote-to-home] route-map WORD<1-64>
4. Enable the Multi-area SPB IPv6 unicast redistribution instance on the VRF:
isis multi-area ipv6 redistribute unicast [home-to-remote | remote-to-home] enable
5. Verify the Multi-area SPB IPv6 unicast redistribution configuration on the VRF:
show isis multi-area ipv6 redistribute unicast [home-to-remote | remote-to-home] vrf WORD<1-16>
6. Exit to Global Configuration mode:
exit
7. Apply the Multi-area SPB IPv6 unicast redistribution on the VRF:
isis multi-area ipv6 apply redistribute unicast [home-to-remote | remote-to-home] vrf WORD<1-16>

Example

Configuring IS-IS Multi-area SPB IPv6 unicast redistribution for home to remote direction:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf VRF1
Switch:1(router-vrf)#isis multi-area ipv6 redistribute unicast home-to-remote
Switch:1(router-vrf)#isis multi-area ipv6 redistribute unicast home-to-remote route-map test
Switch:1(router-vrf)#isis multi-area ipv6 redistribute unicast home-to-remote enable
Switch:1(router-vrf)#show isis multi-area ipv6 redistribute unicast home-to-remote vrf VRF1
====================================================================================
ISIS Multiarea Redistribute List for ipv6 unicast - VRF VRF1
====================================================================================
DIRECTION ENABLE RPOLICY
------------------------------------------------------------------------------------
home-to-remote TRUE test
------------------------------------------------------------------------------------
Switch:1(router-vrf)#exit
Switch:1(config)#isis multi-area ipv6 apply redistribute unicast home-to-remote vrf VRF1

Variable Definitions

The following table defines parameters for the isis multi-area ipv6 redistribute
unicast and the isis multi-area ipv6 apply redistribute unicast commands.

Variable              Value
enable                Enables IPv6 unicast redistribution on the VRF instance.
home-to-remote        Specifies the IPv6 unicast redistribution configuration for home to remote direction.
remote-to-home        Specifies the IPv6 unicast redistribution configuration for remote to home direction.
route-map WORD<1-64>  Specifies the name of the route policy.
vrf WORD<1-16>        Specifies the IPv6 unicast redistribution configuration for a specific VRF instance.

Configure Multi-area SPB DvR Backbone Redistribution

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure Multi-area SPB Distributed Virtual Routing (DvR) backbone
redistribution on the switch.

Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis


2. Configure IS-IS Multi-area SPB DvR backbone redistribution:


multi-area dvr redistribute backbone

Example

Configuring Multi-area SPB DvR backbone redistribution:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#multi-area dvr redistribute backbone

What to Do Next

To verify the configuration, see Display IS-IS Multi-area SPB DvR Configuration on page 1140.

Configure Multi-area SPB Layer 2 Multicast Snooping Redistribution

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure Multi-area SPB layer 2 multicast snooping redistribution for specific
I-SID values or a specific I-SID list.

Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Create the Multi-area SPB layer 2 snooping multicast redistribution for a specific I-SID or I-SID list:
multi-area l2 redistribute snoop-multicast {home-to-remote | remote-to-home} {i-sid <1-16777215> | isid-list WORD<1-32>}
3. (Optional) Configure a route policy to govern the redistribution:
multi-area l2 redistribute snoop-multicast {home-to-remote | remote-to-home} {i-sid <1-16777215> | isid-list WORD<1-32>} route-map WORD<1-64>
4. Enable the Multi-area SPB layer 2 snooping multicast redistribution instance:
multi-area l2 redistribute snoop-multicast {home-to-remote | remote-to-home} {i-sid <1-16777215> | isid-list WORD<1-32>} enable
5. Verify the Multi-area SPB layer 2 snooping multicast redistribution configuration:
show isis multi-area l2 redistribute snoop-multicast
6. Apply the Multi-area SPB layer 2 snooping multicast redistribution:
isis multi-area l2 apply redistribute snoop-multicast [home-to-remote | remote-to-home]


Example

Configuring Multi-area SPB layer 2 home to remote multicast snooping redistribution:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis

Configuring Multi-area SPB layer 2 home to remote multicast snooping redistribution for I-SID 1100:

Switch:1(config-isis)#multi-area l2 redistribute snoop-multicast home-to-remote i-sid 1100


Switch:1(config-isis)#multi-area l2 redistribute snoop-multicast home-to-remote i-sid 1100 route-map test
Switch:1(config-isis)#multi-area l2 redistribute snoop-multicast home-to-remote i-sid 1100 enable

Configuring Multi-area SPB layer 2 home to remote multicast snooping redistribution for I-SID list List1:

Switch:1(config-isis)#multi-area l2 redistribute snoop-multicast home-to-remote isid-list List1
Switch:1(config-isis)#multi-area l2 redistribute snoop-multicast home-to-remote isid-list List1 route-map test
Switch:1(config-isis)#multi-area l2 redistribute snoop-multicast home-to-remote isid-list List1 enable

Verifying the Multi-area SPB layer 2 home to remote multicast snooping redistribution configuration:

Switch:1(config-isis)#show isis multi-area l2 redistribute snoop-multicast


================================================================================
MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID
================================================================================
ISID DIRECTION ENABLE RPOLICY
--------------------------------------------------------------------------------
1100 home-to-remote TRUE test
================================================================================
MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID LIST
================================================================================
ISID LIST DIRECTION ENABLE RPOLICY
--------------------------------------------------------------------------------
List1 home-to-remote TRUE test

--------------------------------------------------------------------------------

Applying the Multi-area SPB layer 2 home to remote multicast snooping redistribution:

Switch:1(config-isis)#isis multi-area l2 apply redistribute snoop-multicast home-to-remote


Variable Definitions

The following table defines parameters for the multi-area l2 redistribute snoop-multicast
and the isis multi-area l2 apply redistribute snoop-multicast commands.

Variable              Value
enable                Enables Multi-area SPB layer 2 multicast snooping redistribution.
i-sid <1-16777215>    Specifies the I-SID value.
isid-list WORD<1-32>  Specifies the name of the I-SID list.
home-to-remote        Specifies the layer 2 multicast snooping redistribution configuration for home to remote direction.
remote-to-home        Specifies the layer 2 multicast snooping redistribution configuration for remote to home direction.
route-map WORD<1-64>  Specifies the name of the route policy.

Configure Multi-area SPB IPv4 Routed Multicast Redistribution

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin


• Enable multicast on the boundary nodes.
• Configure Multiprotocol Label Switching Virtual Private Network (MVPN) on the boundary nodes, for
layer 3 VSN.
• Configure the same policies as the boundary node on the peer boundary nodes.

About This Task

Perform this procedure to configure Multi-area SPB IPv4 routed multicast redistribution on the switch.

Procedure
1. Enter IS-IS Router Configuration mode:
enable

configure terminal

router isis
2. Create the Multi-area SPB IPv4 routed multicast redistribution instance:
multi-area ip redistribute routed-multicast [home-to-remote | remote-to-home]

Note
If you do not specify the direction for redistribution then the system applies the
redistribution in both directions by default.


3. (Optional) Configure a route policy to govern the redistribution:


multi-area ip redistribute routed-multicast [home-to-remote | remote-to-home] route-map WORD<1-64>
4. Enable the Multi-area SPB IPv4 routed multicast redistribution instance:
multi-area ip redistribute routed-multicast [home-to-remote | remote-to-home] enable
5. Verify the Multi-area SPB IPv4 routed multicast redistribution configuration:
show isis multi-area ip redistribute routed-multicast [home-to-remote | remote-to-home]
6. Apply the Multi-area SPB IPv4 routed multicast redistribution:
isis multi-area ip apply redistribute routed-multicast [home-to-remote | remote-to-home]

Example

Configuring Multi-area SPB IPv4 routed multicast redistribution for home to remote direction:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#multi-area ip redistribute routed-multicast home-to-remote
Switch:1(config-isis)#multi-area ip redistribute routed-multicast home-to-remote route-map test
Switch:1(config-isis)#multi-area ip redistribute routed-multicast home-to-remote enable
Switch:1(config-isis)#show isis multi-area ip redistribute routed-multicast home-to-remote
====================================================================================
ISIS Multiarea Redistribute List for routed multicast - GlobalRouter
====================================================================================
DIRECTION ENABLE RPOLICY
------------------------------------------------------------------------------------
home-to-remote TRUE test
------------------------------------------------------------------------------------
Switch:1(config-isis)#isis multi-area ip apply redistribute routed-multicast home-to-remote

Variable Definitions

The following table defines parameters for the multi-area ip redistribute routed-multicast
and the isis multi-area ip apply redistribute routed-multicast commands.

Variable              Value
enable                Enables Multi-area SPB IPv4 routed multicast redistribution.
home-to-remote        Specifies the IPv4 routed multicast redistribution configuration for home to remote direction.
remote-to-home        Specifies the IPv4 routed multicast redistribution configuration for remote to home direction.
route-map WORD<1-64>  Specifies the name of the route policy.
vrf WORD<1-16>        Specifies the multicast routing redistribution configuration for a specific VRF instance.


Configure IS-IS Multi-area SPB IPv4 Routed Multicast Redistribution on a VRF Instance

Note
This procedure only applies to the VSP 7400 Series.

Before You Begin


• Enable multicast on the boundary nodes.
• Configure Multiprotocol Label Switching Virtual Private Network (MVPN) on the boundary nodes, for
layer 3 VSN.
• Configure the same policies as the boundary node on the peer boundary nodes.

About This Task

Perform this procedure to configure IS-IS Multi-area SPB IPv4 routed multicast redistribution on a
specific Virtual Router Forwarding (VRF) instance on the switch.

Procedure

1. Enter VRF Router Configuration mode for a specific VRF context:


enable

configure terminal

router vrf WORD<1-16>


2. Create the IS-IS Multi-area SPB IPv4 routed multicast redistribution instance on the VRF:
isis multi-area ip redistribute routed-multicast [home-to-remote | remote-to-home]

Note
If you do not specify the direction for redistribution then the system applies the
redistribution in both directions by default.

3. (Optional) Configure a route policy to govern the redistribution:


isis multi-area ip redistribute routed-multicast [home-to-remote | remote-to-home] route-map WORD<1-64>
4. Enable the Multi-area SPB IPv4 routed multicast redistribution instance on the VRF:
isis multi-area ip redistribute routed-multicast [home-to-remote | remote-to-home] enable
5. Verify the Multi-area SPB IPv4 routed multicast redistribution configuration on the VRF:
show isis multi-area ip redistribute routed-multicast [home-to-remote | remote-to-home] [vrf WORD<1-16> | vrfids WORD<0-512>]
6. Exit to Global Configuration mode:
exit
7. Apply the Multi-area SPB IPv4 routed multicast redistribution on the VRF:
isis multi-area ip apply redistribute routed-multicast [home-to-remote | remote-to-home] vrf WORD<1-16>


Example

Configuring IS-IS Multi-area SPB IPv4 routed multicast redistribution for home to remote direction on
VRF VRF1:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf VRF1
Switch:1(router-vrf)#isis multi-area ip redistribute routed-multicast home-to-remote
Switch:1(router-vrf)#isis multi-area ip redistribute routed-multicast home-to-remote route-map test
Switch:1(router-vrf)#isis multi-area ip redistribute routed-multicast home-to-remote enable
Switch:1(router-vrf)#show isis multi-area ip redistribute routed-multicast home-to-remote vrf VRF1
=======================================================================================
ISIS Multiarea Redistribute List for routed multicast - VRF VRF1
=======================================================================================
DIRECTION ENABLE RPOLICY
---------------------------------------------------------------------------------------
home-to-remote TRUE test
---------------------------------------------------------------------------------------
Switch:1(router-vrf)#exit
Switch:1(config)#isis multi-area ip apply redistribute routed-multicast home-to-remote vrf VRF1

Variable Definitions

The following table defines parameters for the isis multi-area ip redistribute routed-multicast
and the isis multi-area ip apply redistribute routed-multicast commands.

Variable              Value
enable                Enables IPv4 routed multicast redistribution on the VRF instance.
home-to-remote        Specifies the IPv4 routed multicast redistribution configuration for home to remote direction.
remote-to-home        Specifies the IPv4 routed multicast redistribution configuration for remote to home direction.
route-map WORD<1-64>  Specifies the name of the route policy.
vrf WORD<1-16>        Specifies the multicast routing redistribution configuration for a specific VRF instance.

Configure Multi-area Flags Functionality

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the Multi-area SPB node as a boundary node to forward traffic
from the UNIs to the remote-area and from the remote-area to the UNIs without requiring an
established adjacency in the home area.


Procedure

1. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
2. Configure the multi-area flags functionality:
multi-area flags home-always-up

Multi-area SPB Verification using CLI


Perform the procedures in this section to verify the Multi-area SPB configuration on the switch using the
Command Line Interface (CLI).

Display the Remote IS-IS SPBM Nickname Configuration

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to display the remote Intermediate-System-to-Intermediate-System (IS-IS)
Shortest Path Bridging MAC (SPBM) nickname configuration on the switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the remote IS-IS SPBM nickname configuration:
show isis spbm nick-name remote

Example

Displaying the remote IS-IS SPBM nickname configuration:

Switch:1>show isis spbm nick-name remote


=============================================================================================================
ISIS SPBM NICK-NAME
=============================================================================================================
LSP ID LIFETIME NICK-NAME VIRTUAL-BMAC HOST-NAME AREA AREA NAME
-------------------------------------------------------------------------------------------------------------
0001.0004.0005.00-00 1057 0.01.45 00:55:11:55:22:55 Switch-A REMOTE area-9.00.01
209e.f77e.2086.00-00 432 0.84.78 00:00:00:00:00:00 Switch-B REMOTE area-9.00.01
5005.5005.5005.00-00 1185 0.01.55 00:55:11:55:22:55 Switch-C REMOTE area-9.00.01
840c.8404.8404.00-00 528 8.84.04 00:00:00:00:00:00 Switch-D REMOTE area-9.00.01
9200.02ff.fff0.00-00 432 9.00.02 00:00:00:00:00:00 Switch-E REMOTE area-9.00.01
f46e.959f.8c86.00-00 363 0.01.40 00:00:00:00:00:00 Switch-F REMOTE area-9.00.01
-------------------------------------------------------------------------------------------------------------
Remote: 6 out of 6 Total Num of Entries
-------------------------------------------------------------------------------------------------------------

Display IS-IS Remote Area Configuration

Note
This procedure only applies to the VSP 7400 Series.


About This Task

Perform this procedure to display the IS-IS remote area configuration on the switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display IS-IS remote configuration:
show isis remote

Example

Displaying IS-IS remote area information:

Switch:1>show isis remote


==========================================================================================
ISIS Remote Area Info
==========================================================================================
AdminState : disabled
System ID : 209e.f77e.2086
Num of Interfaces : 4
Num of Area Addresses : 1
Dynamically Learned Area : 49.0002
Multi-Area OperState : designated

Display IS-IS Area Configuration


About This Task

Perform this procedure to display the IS-IS area configuration on the switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display IS-IS area configuration:
show isis area

Example

Displaying IS-IS area configuration:

Switch:1>show isis area


====================================================================================
ISIS Area Address
====================================================================================

ADDRESS ORIGIN AREA AREA-NAME


------------------------------------------------------------------------------------
49.0030 config HOME 30
49.0050 config REMOTE 50
------------------------------------------------------------------------------------

Display IS-IS Area Virtual Node Configuration

Note
This procedure only applies to the VSP 7400 Series.


About This Task

Perform this procedure to display the IS-IS area virtual node configuration on the switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display IS-IS area virtual node configuration:
show isis area-vnode

Example

Displaying IS-IS area virtual node configuration:

Switch:1>show isis area-vnode


=================================================================================================
ISIS SPBM Multi-Area VNode Info
=================================================================================================
VNODE VNODE VNODE REPRESENTED REPRESENTED VNODE
SYSTEM-ID NICK-NAME HOST-NAME AREA-ADDRESS AREA USED-IN-AREA
-------------------------------------------------------------------------------------------------
9200.30ff.fff0 9.00.30 vn-30 49.0030 HOME REMOTE
9200.50ff.fff0 9.00.50 vn-50 49.0050 REMOTE HOME

Display IS-IS Multi-area SPB Layer 2 I-SID List Information

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to display the IS-IS Multi-area SPB layer 2 I-SID list information.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the I-SID list information on the switch:
show isis multi-area l2 isid-list WORD<1-32>

Example

Displaying the IS-IS Multi-area SPB layer 2 I-SID list information:

Switch:1>show isis multi-area l2 isid-list test


===========================================================================
MULTI AREA L2 ISID LIST
===========================================================================
List Name I-SID / I-SID RANGE
---------------------------------------------------------------------------
test 50510-50513

All 1 out of 1 Total Num of Isid Lists displayed


Display IS-IS Multi-area SPB I-SID Redistribution Configuration

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to display the IS-IS Multi-area SPB layer 2 I-SID redistribution configuration on
the switch.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the IS-IS Multi-area SPB layer 2 I-SID redistribution configuration:
show isis multi-area l2 redistribute i-sid

Example

Displaying the IS-IS Multi-area SPB layer 2 I-SID redistribution configuration:

Switch:1>show isis multi-area l2 redistribute i-sid


=================================================================================
MULTI AREA L2 ISID REDIST POLICY
=================================================================================
Permit Except List Name
---------------------------------------------------------------------------------
permit-all TestList1

Display IS-IS Multi-area SPB IPv4 Redistribution Configuration

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to display the IS-IS Multi-area SPB IPv4 redistribution configuration for home to
remote, remote to home, unicast, routed multicast, specific Virtual Router Forwarding (VRF) instance,
and VRF IDs on the switch.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the IS-IS Multi-area SPB IPv4 home to remote redistribution configuration:
show isis multi-area ip redistribute [home-to-remote [vrf WORD<1-16> | vrfids WORD<0-512>]]
3. Display the IS-IS Multi-area SPB IPv4 remote to home redistribution configuration:
show isis multi-area ip redistribute [remote-to-home [vrf WORD<1-16> | vrfids WORD<0-512>]]
4. Display the IS-IS Multi-area SPB IPv4 routed multicast redistribution configuration:
show isis multi-area ip redistribute routed-multicast [home-to-remote [vrf WORD<1-16> | vrfids WORD<0-512>] | remote-to-home [vrf WORD<1-16> | vrfids WORD<0-512>] | vrf WORD<1-16> | vrfids WORD<0-512>]


5. Display the IS-IS Multi-area SPB IPv4 unicast redistribution configuration:


show isis multi-area ip redistribute unicast [home-to-remote [vrf WORD<1-16> | vrfids WORD<0-512>] | remote-to-home [vrf WORD<1-16> | vrfids WORD<0-512>] | vrf WORD<1-16> | vrfids WORD<0-512>]
6. Display the IS-IS Multi-area SPB IPv4 redistribution configuration for VRF instance:
show isis multi-area ip redistribute vrf WORD<1-16>
7. Display the IS-IS Multi-area SPB IPv4 redistribution configuration for VRF ID:
show isis multi-area ip redistribute vrfids WORD<0-512>

Example

Displaying the IS-IS Multi-area SPB IPv4 unicast redistribution configuration on the switch:

Switch:1>show isis multi-area ip redistribute unicast


======================================================================================
ISIS Multiarea Redistribute List for ip unicast - GlobalRouter
======================================================================================
DIRECTION ENABLE RPOLICY
--------------------------------------------------------------------------------------
home-to-remote TRUE
remote-to-home TRUE
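
The output above lists both directions as enabled with an empty RPOLICY column, which is the state left when the optional route-map step of the configuration procedures is skipped. The following is an added example, not part of the vendor guide, that parses the redistribute tables shown in this section and flags enabled entries that have no route policy or that differ from an approved baseline. The function names, the column spacing of the sample and the APPROVED baseline are assumptions made for the illustration.

```python
"""Audit 'show isis multi-area ... redistribute' output (added example)."""
import re
from typing import NamedTuple

DIRECTIONS = ("home-to-remote", "remote-to-home")
RULE = re.compile(r"^(={10,}|-{10,})$")
SNOOP_ISID = "MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID"


class Entry(NamedTuple):
    table: str       # title printed between the '=' rules
    key: str         # I-SID or I-SID list name; "" in the IP tables
    direction: str
    enabled: bool    # True only when the ENABLE column reads TRUE
    rpolicy: str     # "" when the RPOLICY column is blank


def parse_redistribute(output):
    """Turn one or more redistribute tables into Entry rows."""
    entries, table, after_eq = [], "", False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RULE.match(line):
            after_eq = line.startswith("=")
            continue
        tokens = line.split()
        # The first line after an '=' rule is the table title, unless it is
        # the column header row (which carries the DIRECTION heading).
        is_title = after_eq and "DIRECTION" not in tokens
        after_eq = False
        if is_title:
            table = " ".join(tokens)
            continue
        hits = [i for i, tok in enumerate(tokens) if tok in DIRECTIONS]
        # A data row has exactly one direction token followed by the ENABLE
        # value. Echoed commands are skipped: the direction is either the
        # last token or is followed by a lower-case keyword such as "vrf".
        if len(hits) != 1 or hits[0] + 1 >= len(tokens):
            continue
        i = hits[0]
        if not tokens[i + 1].isupper():
            continue
        entries.append(Entry(table, " ".join(tokens[:i]), tokens[i],
                             tokens[i + 1] == "TRUE", " ".join(tokens[i + 2:])))
    return entries


def audit(entries, approved):
    """approved maps (table, key, direction) to the required route policy."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        ident = (e.table, e.key, e.direction)
        if not e.rpolicy:
            findings.append((ident, "enabled without a route policy"))
        elif ident not in approved:
            findings.append((ident, "not in the approved baseline"))
        elif approved[ident] != e.rpolicy:
            findings.append((ident, "route policy differs from baseline"))
    return findings


# Constructed sample: two outputs shown in this guide, column spacing assumed.
SAMPLE = """\
Switch:1>show isis multi-area ip redistribute unicast
==========================================================================
      ISIS Multiarea Redistribute List for ip unicast - GlobalRouter
==========================================================================
DIRECTION         ENABLE    RPOLICY
--------------------------------------------------------------------------
home-to-remote    TRUE
remote-to-home    TRUE
Switch:1>show isis multi-area l2 redistribute snoop-multicast
==========================================================================
      MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID
==========================================================================
ISID        DIRECTION         ENABLE    RPOLICY
--------------------------------------------------------------------------
1100        home-to-remote    TRUE      test
==========================================================================
      MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID LIST
==========================================================================
ISID LIST   DIRECTION         ENABLE    RPOLICY
--------------------------------------------------------------------------
List1       home-to-remote    TRUE      test
"""

# Hypothetical change-controlled baseline: only I-SID 1100 is approved.
APPROVED = {(SNOOP_ISID, "1100", "home-to-remote"): "test"}

if __name__ == "__main__":
    for ident, reason in audit(parse_redistribute(SAMPLE), APPROVED):
        print(ident, "->", reason)
```

Run against saved show output from each boundary node, the same check also shows whether peer boundary nodes carry the same policies.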

Display IS-IS Multi-area SPB IPv6 Redistribution Configuration

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to display the IS-IS Multi-area SPB IPv6 redistribution configuration for home to
remote, remote to home, unicast, specific Virtual Router Forwarding (VRF) instance, and VRF IDs on the
switch.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the IS-IS Multi-area SPB IPv6 home to remote redistribution configuration:
show isis multi-area ipv6 redistribute [home-to-remote [vrf WORD<1-16> | vrfids WORD<0-512>]]
3. Display the IS-IS Multi-area SPB IPv6 remote to home redistribution configuration:
show isis multi-area ipv6 redistribute [remote-to-home [vrf WORD<1-16> | vrfids WORD<0-512>]]
4. Display the IS-IS Multi-area SPB IPv6 unicast redistribution configuration:
show isis multi-area ipv6 redistribute unicast [home-to-remote [vrf WORD<1-16> | vrfids WORD<0-512>] | remote-to-home [vrf WORD<1-16> | vrfids WORD<0-512>] | vrf WORD<1-16> | vrfids WORD<0-512>]
5. Display the IS-IS Multi-area SPB IPv6 redistribution configuration for VRF instance:
show isis multi-area ipv6 redistribute [vrf WORD<1-16>]
6. Display the IS-IS Multi-area SPB IPv6 redistribution configuration for VRF ID:
show isis multi-area ipv6 redistribute [vrfids WORD<0-512>]


Example

Displaying the IS-IS Multi-area SPB IPv6 unicast redistribution configuration:

Switch:1>show isis multi-area ipv6 redistribute unicast


======================================================================================
ISIS Multiarea Redistribute List for ipv6 unicast - GlobalRouter
======================================================================================
DIRECTION ENABLE RPOLICY
--------------------------------------------------------------------------------------
home-to-remote TRUE Test1
remote-to-home TRUE Test2

Display IS-IS Multi-area SPB DvR Configuration

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to display the IS-IS Multi-area SPB Distributed Virtual Routing (DvR)
redistribution configuration on the switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the IS-IS Multi-area SPB DvR redistribution configuration:
show isis multi-area dvr redistribute

Example

Displaying the IS-IS Multi-area SPB DvR redistribution configuration on the switch:

Switch:1>show isis multi-area dvr redistribute


=========================================================================================
MULTI-AREA DVR BACKBONE REDISTRIBUTE
=========================================================================================
Admin State
-----------------------------------------------------------------------------------------
Enabled
-----------------------------------------------------------------------------------------

Display IS-IS Multi-area SPB Layer 2 Multicast Snooping Redistribution Configuration

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to display the IS-IS Multi-area SPB layer 2 multicast snooping redistribution
configuration on the switch.


Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the multicast snooping redistribution configuration:
show isis multi-area l2 redistribute snoop-multicast

Example

Displaying the IS-IS Multi-area SPB layer 2 multicast snooping redistribution configuration on the
switch:

Switch>show isis multi-area l2 redistribute snoop-multicast


=================================================================================
MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID
=================================================================================
ISID DIRECTION ENABLE RPOLICY
---------------------------------------------------------------------------------
1100 home-to-remote TRUE test
=================================================================================
MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID LIST
=================================================================================
ISID LIST DIRECTION ENABLE RPOLICY
---------------------------------------------------------------------------------
List1 home-to-remote TRUE test

---------------------------------------------------------------------------------
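The following is an added example, not part of the VOSS guide: a parser for the output shown above, so that the redistribution entries on a switch can be compared against an approved baseline. The sample text is constructed from the example output; the function names, the baseline format, and the assumption that I-SID list names contain no spaces are hypothetical.

```python
import re

# Constructed sample: the example output above, including the prompt line.
SAMPLE = """\
Switch>show isis multi-area l2 redistribute snoop-multicast

=================================================================================
MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID
=================================================================================
ISID DIRECTION ENABLE RPOLICY
---------------------------------------------------------------------------------
1100 home-to-remote TRUE test
=================================================================================
MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY ISID LIST
=================================================================================
ISID LIST DIRECTION ENABLE RPOLICY
---------------------------------------------------------------------------------
List1 home-to-remote TRUE test

---------------------------------------------------------------------------------
"""

RULE = re.compile(r"^[=-]{10,}$")          # separator lines of '=' or '-'
TITLE = "MULTI-AREA L2 SNOOP MULTICAST REDISTRIBUTE BY "


def parse_snoop_redistribute(text):
    """Return one dict per table row: scope, key, direction, enabled, rpolicy."""
    entries, scope = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or RULE.match(line):
            continue
        if line.startswith(TITLE):
            # The second table is keyed by I-SID list name instead of I-SID.
            scope = "isid-list" if line.endswith("ISID LIST") else "isid"
            continue
        if scope is None:
            continue                         # prompt or echoed command
        if line.startswith("ISID ") and line.endswith("RPOLICY"):
            continue                         # column header
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"unrecognised row: {line!r}")
        entries.append({
            "scope": scope,
            "key": fields[0],
            "direction": fields[1],
            "enabled": fields[2] == "TRUE",
            # Assumption: the RPOLICY column can be empty when no policy is set.
            "rpolicy": fields[3] if len(fields) > 3 else "",
        })
    return entries


def diff_against_baseline(entries, baseline):
    """Compare enabled entries with a set of approved
    (scope, key, direction, rpolicy) tuples (hypothetical baseline format)."""
    active = {
        (e["scope"], e["key"], e["direction"], e["rpolicy"])
        for e in entries if e["enabled"]
    }
    return {
        "unexpected": sorted(active - baseline),
        "missing": sorted(baseline - active),
    }


if __name__ == "__main__":
    rows = parse_snoop_redistribute(SAMPLE)
    approved = {("isid", "1100", "home-to-remote", "test")}
    print(diff_against_baseline(rows, approved))
```
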

SPBM and IS-IS infrastructure configuration using EDM


This section provides procedures to configure basic SPBM and IS-IS infrastructure using Enterprise
Device Manager (EDM).

Important
The EnableSpbmConfigMode boot flag must be enabled (default) before you can configure
SPBM or IS-IS. To verify the setting, navigate to Configuration > Edit > Chassis and click on
the Boot Config tab.

Configure Required SPBM and IS-IS Parameters


About This Task

Use the following procedure to configure the minimum required SPBM and IS-IS parameters to enable
SPBM to operate on the switch. SPBM uses the Intermediate-System-to-Intermediate-System (IS-IS)
link state routing protocol to provide a loop free Ethernet topology that creates a shortest path
topology from every node to every other node in the network based on node MAC addresses.

Procedure

1. Configure SPBM B-VLANs:

Note
Always configure two B-VLANs in the core to enable load distribution over both B-VLANs.


a. In the navigation pane, expand Configuration > VLAN.


b. Select VLANs.
c. Select the Basic tab.
d. Select Insert.
e. In the type field, select spbm-bvlan.
f. Select Insert.
2. Enable SPBM globally:
a. In the navigation pane, expand Configuration > Fabric.
b. Select SPBM.
c. Select the Globals tab.
d. In the GlobalEnable field, select enable to enable SPBM globally.
e. Select Apply.
3. Create an SPBM instance:

Note
Only one SPBM instance is supported.

a. In the navigation pane, expand Configuration > Fabric.


b. Select SPBM.
c. Select the SPBM tab.
d. Select Insert to create an SPBM instance.
e. In the Id field, specify the SPBM instance ID.
f. In the NodeNickName field, specify the node nickname (valid value is 2.5 bytes in the format
<x.xx.xx>).
g. In the Vlans field, specify the IDs of the SPBM B-VLANs to add to the SPBM instance.
h. In the PrimaryVlan field, specify which of the SPBM B-VLANs specified in the previous step is the
primary B-VLAN.
i. Select Insert.
4. Create a manual area:

Note
Only one manual area is supported.

a. In the navigation pane, expand Configuration > Fabric.


b. Select IS-IS.
c. Select the Manual Area tab.
d. Select Insert.
e. Specify the Manual Area address (a valid value is 1–13 bytes in the format <xx.xxxx.xxxx...xxxx>).
f. Select Insert.
5. Update the default IS-IS system ID to a recognizable address:
a. In the navigation pane, expand Configuration > Fabric.
b. Select IS-IS.
c. Select the Globals tab.


d. In the SystemId field, update the default B-MAC value to a recognizable address.

Note
Although it is not strictly required for SPBM operation, you must change the IS-IS
system ID from the default B-MAC value to a recognizable address to easily
identify a switch. This helps to recognize the source and destination addresses for
troubleshooting purposes.

e. In the AdminState field, select on.


f. Select Apply.
6. Create an IS-IS circuit and enable SPBM on the circuit:
a. In the navigation pane, expand Configuration > Fabric.
b. Select IS-IS.
c. Select the Interfaces tab.
d. Select Insert to create an IS-IS circuit.
e. In the IfIndex field, specify the port or MLT on which to create the IS-IS circuit.
f. Select Insert.
g. Select the newly created IS-IS circuit entry, and select SPBM.
h. In the Interfaces SPBM tab, select Insert.
i. In the State field, select enable.
j. Select Insert. This enables the SPBM instance on the IS-IS circuit.
k. Navigate back to the Interfaces tab.
l. In the AdminState field for the IS-IS circuit entry, select on to enable the IS-IS circuit.
m. Select Apply.

SPBM Field Descriptions

Note
The following tables list the minimum required SPBM and IS-IS parameters to allow SPBM
to operate on the switch. For more detailed information on all of the parameters see
the procedures that follow. For more information on how to configure VLANs, see VLAN
Configuration using EDM on page 3804.

Use the data in the following table to use the VLANs Basic tab.

Name Description
Type Specifies the type of VLAN:
• byPort
• byProtocolId
• spbm-bvlan
• private


Use the data in the following table to use the SPBM Globals tab.

Name Description
GlobalEnable Enables or disables SPBM globally. The default is
disabled.
To ensure proper cleanup of MAC tables after you
disable SPBM, save the configuration, and then
reboot the switch.
GlobalEtherType Specifies the global ethertype value as 0x8100 or
0x88a8. The default value is 0x8100.
NicknameServerEnable Enables or disables the nickname server. The
default is disabled.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.

NicknameDynamicAllocationStatus Displays the Dynamic Nickname Allocation service
operational status.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.

NicknameServerPrefix Specifies the nickname server allocation prefix.
x.xx.xx uses the form X.X0.00 from 0.00.00 to
F.F0.00. A group, X.X0.00 to X.XF.FF, can provide
up to 4,096 nicknames. The default is A.00.00.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.

Use the data in the following table to use the SPBM tab.

Name Description
Id Specifies the SPBM instance ID. Only one SPBM
instance is supported.
NodeNickName Specifies a nickname for the SPBM instance
globally. Valid value is 2.5 bytes in the format
<x.xx.xx>.
PrimaryVlan Specifies the primary SPBM B-VLANs to add to
the SPBM instance.
Vlans Specifies the SPBM B-VLANs to add to the SPBM
instance.
LsdbTrap Configures whether to enable or disable a trap
when the SPBM LSDB changes. The default is
disable.
IpShortcut Enables or disables SPBM IP shortcut state. The
default is disable.
SmltSplitBEB Specifies whether the switch is the primary or
secondary vIST peer. The default is primary.

SmltVirtualBmac Specifies a virtual MAC address that can be used
by both peers.
SmltPeerSysId Specifies the system ID of the SPBM SMLT for this
SPBM instance.
Mcast Specifies if IP multicast over SPBM is enabled. The
default is disabled.
McastFwdCacheTimeout Specifies the global forward cache timeout in
seconds. The default is 210 seconds.
Ipv6Shortcut Enables or disables SPBM IPv6 shortcut state. The
default is disable.
McastSpbPimGwControllerEnable Enables or disables ISIS PLSB Multicast SPB PIM
Gateway controller. Disabled by default.
McastSpbPimGwGatewayEnable Enables or disables ISIS PLSB Multicast SPB PIM
Gateway. Disabled by default.
StpMultiHoming Enables or disables MSTP-Fabric Connect Multi
Homing.
The default is disabled (false).
BVlanOrigin Shows how the B-VLAN was created. The values
can be config for manual configuration using
CLI or SNMP, or dynamic through Zero Touch
Fabric Configuration and Auto-sense. The default
is dynamic.
Note:
Exception: not supported on XA1400 Series and
VSP 8600 Series.

Use the data in the following table to use the IS-IS Manual Area tab.

Name Description
AreaAddr Specifies the IS-IS manual area. Valid value is 1-13
bytes in the format <xx.xxxx.xxxx...xxxx>. Only
one manual area is supported. Use the same
manual area across the entire SPBM cloud. For
IS-IS to operate, you must configure at least one
manual area.


Use the data in the following table to use the IS-IS Globals tab.

Name Description
AdminState Specifies the global status of IS-IS on the switch:
on or off. The default is off.
SystemId Specifies the IS-IS system ID for the switch.
Valid value is a 6–byte value in the format
<xxxx.xxxx.xxxx>.

Important:
After you have configured the SPBM nickname
and enabled IS-IS, if you require a change of the
system ID, you must also change the nickname.
However, for naming convention purposes or
configuration purposes, you may not want to
change the nickname. To maintain the same
nickname with a different system ID, see Job aid
on page 1018.

Use the data in the following table to use the IS-IS Interfaces tab.

Name Description
Index The identifier of this circuit, unique within the
Intermediate System. This value is for SNMP
Indexing purposes only and need not have any
relation to any protocol value.
AdminState Specifies the administrative state of the circuit: on
or off.

Use the data in the following table to use the IS-IS Interfaces SPBM tab.

Name Description
State Specifies whether the SPBM interface is enabled
or disabled.
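
The following is an added example, not part of the VOSS guide: a pre-check of the identifier formats given in the tables above (NodeNickName, SystemId, AreaAddr, NicknameServerPrefix) before the values are entered in EDM. All function names are hypothetical, and the manual area check is a literal reading of the <xx.xxxx.xxxx...xxxx> format; the switch may accept other groupings.

```python
import re

_HEX = "[0-9a-fA-F]"
_NICK = re.compile(rf"^({_HEX})\.({_HEX}{{2}})\.({_HEX}{{2}})$")
_SYSID = re.compile(rf"^{_HEX}{{4}}\.{_HEX}{{4}}\.{_HEX}{{4}}$")
# One 1-byte group followed by up to six 2-byte groups: 1 to 13 bytes.
_AREA = re.compile(rf"^{_HEX}{{2}}(\.{_HEX}{{4}}){{0,6}}$")

# A nickname server group runs from X.X0.00 to X.XF.FF: 16**3 = 4,096 values.
GROUP_SIZE = 0x1000


def parse_nickname(text):
    """<x.xx.xx> is 2.5 bytes: five hex digits, returned as a 20-bit integer."""
    m = _NICK.match(text)
    if not m:
        raise ValueError(f"nickname {text!r} is not in x.xx.xx form")
    return int("".join(m.groups()), 16)


def format_nickname(value):
    """Inverse of parse_nickname (lower-case hex)."""
    if not 0 <= value <= 0xFFFFF:
        raise ValueError("nickname value does not fit in 2.5 bytes")
    digits = f"{value:05x}"
    return f"{digits[0]}.{digits[1:3]}.{digits[3:5]}"


def parse_system_id(text):
    """<xxxx.xxxx.xxxx> is a 6-byte value, returned as an integer."""
    if not _SYSID.match(text):
        raise ValueError(f"system ID {text!r} is not in xxxx.xxxx.xxxx form")
    return int(text.replace(".", ""), 16)


def parse_manual_area(text):
    """<xx.xxxx.xxxx...xxxx>, 1 to 13 bytes, returned as raw bytes."""
    if not _AREA.match(text):
        raise ValueError(f"manual area {text!r} is not in xx.xxxx...xxxx form")
    return bytes.fromhex(text.replace(".", ""))


def prefix_group(prefix):
    """Nicknames covered by a NicknameServerPrefix of the form X.X0.00."""
    base = parse_nickname(prefix)
    if base & 0xFFF:
        raise ValueError(f"prefix {prefix!r} is not of the form X.X0.00")
    return range(base, base + GROUP_SIZE)


def nickname_in_group(nickname, prefix="A.00.00"):
    """True if a nickname lies inside the group of the given prefix.
    The default prefix is the documented default, A.00.00. Whether such an
    overlap matters for a given deployment is not stated on this page."""
    return parse_nickname(nickname) in prefix_group(prefix)


if __name__ == "__main__":
    # Constructed sample values.
    print(hex(parse_nickname("1.11.16")))
    print(hex(parse_system_id("00bb.0000.8100")))
    print(parse_manual_area("49.0001").hex())
    group = prefix_group("A.00.00")
    print(format_nickname(group[0]), format_nickname(group[-1]), len(group))
    print(nickname_in_group("a.01.23"), nickname_in_group("1.11.16"))
```
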


Job aid

Important
After you have configured the SPBM nickname and enabled IS-IS, if you require a change of the
system ID, you must also change the nickname. To maintain the same nickname with a different
system ID, perform the following steps:

1. Disable IS-IS.
2. Change the system ID.
3. Change the nickname to a temporary one.
4. Enable IS-IS.
5. Wait up to 20 minutes for the LSPs with the original system ID to age out.

Note
To check the age out time, use the show isis lsdb sysid <original-sys-id>
command on any of the other SPB nodes in the network. When there
is no output from this command, proceed to the next step. The time left (in
seconds) for the LSPs to age out is shown under the column LIFETIME.

6. Disable IS-IS.
7. Change the nickname to the original nickname.
8. Enable IS-IS.

Displaying SPBM and IS-IS summary information


Use the following procedure to view a summary of SPBM and IS-IS protocol information.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Protocol Summary tab.

Protocol Summary field descriptions

Use the data in the following table to use the Protocol Summary tab.

Name Description
Globals ISIS
AdminState Indicates the global status of IS-IS on the switch.
SystemId Indicates the IS-IS system ID for the switch. Valid value is a
6–byte value in the format <xxxx.xxxx.xxxx>
HostName Indicates a name for the system. This may be used as the
host name for dynamic host name exchange in accordance
with RFC 2763.
By default, the system name comes from the host name
configured at the system level.
Globals SPBM
GlobalEnable Indicates whether SPBM is enabled or disabled at the global
level.

NodeNickName Indicates the nickname for the SPBM instance globally. Valid
value is 2.5 bytes in the format <x.xx.xx>.
PrimaryVlan Indicates the primary VLAN ID for this SPBM instance.
SmltSplitBEB Indicates whether the switch is the primary or secondary IST
peer.
ISIS Interfaces
Circuit Index Displays the identifier of this IS-IS circuit, unique within the
Intermediate System. This is for SNMP Indexing purposes
only and need not have any relation to any protocol value.
IfIndex Indicates the interface to which this circuit corresponds.
AdminState Indicates the administrative state of the circuit: on or off.
OperState Indicates the operational state of the circuit: up or down.
ISIS Adjacency View
Circuit Index Displays the identifier of this IS-IS circuit, unique within
the Intermediate System. This value is for SNMP Indexing
purposes only and need not have any relation to any protocol
value.
AdjIndex Displays a unique value identifying the IS adjacency from
all other such adjacencies on this circuit. This value is
automatically assigned by the system when the adjacency
is created
AdjIfIndex Indicates the interface to which this circuit corresponds.
AdjState Indicates the state of the adjacency:
• down
• initializing
• up
• failed

AdjNeighSysID Indicates the system ID of the neighboring Intermediate
System.
AdjHostName Indicates the host name listed in the LSP, or the system name
if the host name is not configured.

View the SPBM I-SID Information


Use the following procedure to display the SPBM Service Instance Identifier (I-SID) information. The
SPBM B-MAC header includes an I-SID with a length of 24 bits. This I-SID can be used to identify and
transmit any virtualized traffic in an encapsulated SPBM frame.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the I-SID tab.


I-SID field descriptions

Use the data in the following table to use the I-SID tab.

Name Description
SysId Indicates the system identifier.
Vlan Indicates the B-VLAN where this I-SID was configured or
discovered.
Isid Indicates the IS-IS SPBM I-SID identifier.
NickName Indicates the nickname of the node where this I-SID was
configured or discovered.
HostName Indicates the host name listed in the LSP, or the system name
if the host name is not configured.
Type Indicates the SPBM I-SID type; either configured or
discovered.

View Level 1 Area Information


Use the following procedure to display Level 1 area information. IS-IS provides support for hierarchical
routing, which enables you to partition large routing domains into smaller areas. IS-IS uses a two-level
hierarchy, dividing the domain into multiple Level 1 areas and one Level 2 area. The Level 2 area serves
as backbone of the domain, connecting to all the Level 1 areas.

Important
The IEEE 802.1aq standard currently only defines the use of one hierarchy, Level 1. Level 2
function is disabled.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the L1 Area tab.

L1 Area field descriptions

Use the data in the following table to use the L1 Area tab.

Table 106:
Name Description
AreaAddr Specifies an area address reported in a Level 1
link-state packet (LSP) generated or received by
this Intermediate System.


Configure SMLT Parameters for SPBM


Use the following procedure to configure the required Split MultiLink Trunking (SMLT) parameters to
enable SPBM to interoperate with SMLT on the switch.

Note
• The assignment of primary and secondary roles to the vIST peers is automatic. The switch
with the lower system ID (between the two vIST peers) is primary, and the switch with the
higher system ID is secondary when default system-id values are being used.
• SMLT peer system ID is part of the required configuration. You must configure the SMLT
peer system ID as the nodal MAC of the peer device. In the IS-IS network, the nodal MAC
of devices should be eight apart from each other.
• When using the default hardware assigned system-id value, the SMLT Virtual BMAC is
automatically derived by comparing the system-id values of the two vIST peers. A value of
0x01 plus the lower of the two system-id values is used as the SMLT Virtual BMAC.

When using a manually configured system-id value, the SMLT Virtual BMAC must also be
manually configured.
• An I-SID must be assigned to every VLAN that is a member of a Layer 2 VSN. Also, if a
Layer 2 VSN is created on one vIST peer, it must also be created on the other vIST peer.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the SPBM tab.
4. Use the SmltSplitBEB field to see whether the switch is the primary or secondary vIST peer. This
field cannot be modified.
5. Use the SmltVirtualBmac field to specify a virtual MAC address that can be used by both peers.
6. Use the SmltPeerSysId field to specify the vIST peer B-MAC address.
7. Select Apply.
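
The following is an added example, not part of the VOSS guide: it applies the rules from the note above to a pair of vIST peers (lower system ID is primary, SMLT Virtual BMAC is the lower system ID plus 0x01, each switch uses the other's system ID as SmltPeerSysId). The function names and sample system IDs are hypothetical. Assumptions: "eight apart" is read as a difference of at least eight, the same arithmetic is applied when system IDs are configured manually, and the virtual BMAC is written in colon-separated form.

```python
import re
from itertools import combinations

_SYSID = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")

# Assumption: "eight apart" means a numeric difference of at least 8.
MIN_SPACING = 8


def sysid_to_int(sysid):
    """Parse a 6-byte system ID in <xxxx.xxxx.xxxx> form."""
    if not _SYSID.match(sysid):
        raise ValueError(f"system ID {sysid!r} is not in xxxx.xxxx.xxxx form")
    return int(sysid.replace(".", ""), 16)


def int_to_mac(value):
    """Format a 48-bit value as a colon-separated MAC address (assumed form)."""
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def plan_vist_pair(peer_a, peer_b, other_nodes=()):
    """Work out the SMLT values for two vIST peers and flag system IDs in
    the fabric that sit closer together than MIN_SPACING."""
    a, b = sysid_to_int(peer_a), sysid_to_int(peer_b)
    if a == b:
        raise ValueError("vIST peers must have different system IDs")

    # The switch with the lower system ID is primary.
    primary, secondary = (peer_a, peer_b) if a < b else (peer_b, peer_a)

    # 0x01 plus the lower of the two system IDs.
    virtual_bmac = int_to_mac(min(a, b) + 1)

    nodes = [peer_a, peer_b, *other_nodes]
    warnings = [
        f"{x} and {y} are fewer than {MIN_SPACING} apart"
        for x, y in combinations(nodes, 2)
        if abs(sysid_to_int(x) - sysid_to_int(y)) < MIN_SPACING
    ]

    return {
        "primary": primary,
        "secondary": secondary,
        "smlt_virtual_bmac": virtual_bmac,   # same value on both peers
        "smlt_peer_sysid": {peer_a: peer_b, peer_b: peer_a},
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample system IDs.
    plan = plan_vist_pair("00bb.0000.8200", "00bb.0000.8100",
                          other_nodes=["00bb.0000.7100"])
    for key, value in plan.items():
        print(f"{key}: {value}")
```
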

Enable or Disable SPBM at the Global Level


Use the following procedure to enable or disable SPBM at the global level. SPBM uses the Intermediate-
System-to-Intermediate-System (IS-IS) link state routing protocol to provide a loop free Ethernet
topology that creates a shortest path topology from every node to every other node in the network
based on node MAC addresses.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the Globals tab.
4. To enable or disable SPBM, select enable or disable in the GlobalEnable field.
5. To configure the global ethertype value, select the desired option in the GlobalEtherType field.
6. Select Apply.


Globals Field Descriptions

Use the data in the following table to use the Globals tab.

Name Description
GlobalEnable Enables or disables SPBM globally. The default is
disabled.
To ensure proper cleanup of MAC tables after you
disable SPBM, save the configuration, and then
reboot the switch.
GlobalEtherType Specifies the global ethertype value as 0x8100 or
0x88a8. The default value is 0x8100.
NicknameServerEnable Enables or disables the nickname server. The
default is disabled.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.

NicknameDynamicAllocationStatus Displays the Dynamic Nickname Allocation service
operational status.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.

NicknameServerPrefix Specifies the nickname server allocation prefix.
x.xx.xx uses the form X.X0.00 from 0.00.00 to
F.F0.00. A group, X.X0.00 to X.XF.FF, can provide
up to 4,096 nicknames. The default is A.00.00.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.

Configuring SPBM parameters


Use the following procedure to configure SPBM global parameters. SPBM uses the Intermediate-
System-to-Intermediate-System (IS-IS) link state routing protocol to provide a loop free Ethernet
topology that creates a shortest path topology from every node to every other node in the network
based on node MAC addresses.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the SPBM tab.
4. To create an SPBM instance, click Insert.
5. Configure the SPBM parameters.
6. Select Apply.

SPBM Field Descriptions

Use the data in the following table to use the SPBM tab.


Name Description
Id Specifies the SPBM instance ID. Only one SPBM
instance is supported.
NodeNickName Specifies a nickname for the SPBM instance
globally. Valid value is 2.5 bytes in the format
<x.xx.xx>.
PrimaryVlan Specifies the primary SPBM B-VLANs to add to
the SPBM instance.
Vlans Specifies the SPBM B-VLANs to add to the SPBM
instance.
LsdbTrap Configures whether to enable or disable a trap
when the SPBM LSDB changes. The default is
disable.
IpShortcut Enables or disables SPBM IP shortcut state. The
default is disable.
SmltSplitBEB Specifies whether the switch is the primary or
secondary vIST peer. The default is primary.
SmltVirtualBmac Specifies a virtual MAC address that can be used
by both peers.
SmltPeerSysId Specifies the system ID of the SPBM SMLT for this
SPBM instance.
Mcast Specifies if IP multicast over SPBM is enabled. The
default is disabled.
McastFwdCacheTimeout Specifies the global forward cache timeout in
seconds. The default is 210 seconds.
Ipv6Shortcut Enables or disables SPBM IPv6 shortcut state. The
default is disable.
McastSpbPimGwControllerEnable Enables or disables ISIS PLSB Multicast SPB PIM
Gateway controller. Disabled by default.
McastSpbPimGwGatewayEnable Enables or disables ISIS PLSB Multicast SPB PIM
Gateway. Disabled by default.
StpMultiHoming Enables or disables MSTP-Fabric Connect Multi
Homing.
The default is disabled (false).
BVlanOrigin Shows how the B-VLAN was created. The values
can be config for manual configuration using
CLI or SNMP, or dynamic through Zero Touch
Fabric Configuration and Auto-sense. The default
is dynamic.
Note:
Exception: not supported on XA1400 Series and
VSP 8600 Series.

Displaying SPBM nicknames


Use the following procedure to display SPBM nicknames.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the Nick Names tab.

Nickname field descriptions

Use the data in the following table to use the NickName tab.

Name Description
Level Indicates the level at which the system displays this LSP.
ID Indicates the 8 byte LSP ID, consisting of the SystemID,
Circuit ID, and Fragment Number.
LifetimeRemain Indicates the remaining lifetime in seconds for the LSP.
NickName Indicates the nickname for the SPBM node.
HostName Indicates the hostname listed in the LSP, or the system name
if the host name is not configured.

Configure Interface SPBM Parameters


Use the following procedure to configure the SPBM interface parameters.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the Interfaces SPBM tab.
4. Configure the SPBM interface parameters.
5. Select Apply.

Interfaces SPBM Field Descriptions

Use the data in the following table to use the Interfaces SPBM tab.

Name Description
Index Specifies an Index value for the SPBM interface.
SpbmId Specifies the SPBM ID.
State Specifies whether the SPBM interface is enabled
or disabled.
Type Configures the SPBM instance interface-type on
the IS-IS interface located on the specified port or
MLT: ptpt or bcast. Only the point-to-point (ptpt)
interface type is supported.
L1Metric Configures the IS-IS Interface level 1 metric on the
specified port or MLT. The default value is 10.
Origin Specifies the source of the SPBM instance
configuration, either manually configured through
CLI or EDM, or dynamically configured through
Auto-sense.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.


Configuring SPBM on an interface


Use the following procedure to configure SPBM on an interface.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Interfaces tab.
4. Select the SPBM button.
5. In the Interfaces SPBM tab, select Insert.
6. Select Insert.

SPBM field descriptions

Use the data in the following table to use the Interfaces SPBM tab.

Name Description
Index Specifies an Index value for the SPBM interface.
SpbmId Specifies the SPBM ID.
State Specifies whether the SPBM interface is enabled
or disabled.
Type Configures the SPBM instance interface-type on
the IS-IS interface located on the specified port or
MLT: ptpt or bcast. Only the point-to-point (ptpt)
interface type is supported.
L1Metric Configures the IS-IS Interface level 1 metric on the
specified port or MLT. The default value is 10.
Origin Specifies the source of the SPBM instance
configuration, either manually configured through
CLI or EDM, or dynamically configured through
Auto-sense.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.

View the IP Unicast FIB


Use the following procedure to display the IP unicast Forwarding Information Base (FIB). The tab shows
IP routes from remote Backbone Edge Bridges (BEBs).

In SPBM, each node has a System ID, which also serves as Backbone MAC address (B-MAC) of the
switch. These Backbone MAC addresses are populated into the SPBM VLAN Forwarding Information
Base (FIB). When the network topology is discovered and stored in the IS-IS link-state database, each
node calculates shortest path trees for each source node, so that a unicast path now exists from every
node to every other node. With this information, each node populates unicast information received from
SPBM into the FIB for forwarding purposes.

I-SIDs are only used for virtual services (Layer 2 VSNs and Layer 3 VSNs). If you only enable IP Shortcuts
on the Backbone Edge Bridges, I-SIDs are never exchanged in the network as IP Shortcuts allows for
Global Routing Table (GRT) IP networks to be transported across IS-IS.


The IP Unicast FIB tab displays all of the IS-IS routes in the IS-IS LSDB. The Preference column in the IP
Unicast FIB tab displays the IP route preference.

Routes within the same VSN are added to the LSDB with a default preference of 7. Inter-VSN routes are
added to the LSDB with a route preference of 200. IS-IS accept policies allow you to change the route
preference for incoming routes. If the same route is learned from multiple sources with different route
preferences, then the routes are not considered equal cost multipath (ECMP) routes. The route with the
lowest route preference is the preferred route. In Layer 2, in the event of a tie-break between routes
from multiple sources, the tie-breaking is based on cost and hop count.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the IP Unicast FIB tab.

IP Unicast FIB field descriptions

Use the data in the following table to use the IP Unicast FIB tab.

Name Description
VrfId Specifies the VRF ID of the IP unicast FIB entry, 0 indicates
NRE.
DestinationIpAddrType Specifies the address type of the destination IP address.
DestinationIpAddr Specifies the destination IP Address of the IP unicast FIB
entry.
DestinationMask Specifies the destination IP mask of the IP unicast FIB entry
NextHopBmac Specifies the nexthop B-MAC of the IP unicast FIB entry.
DestId Specifies the destination I-SID of the IP unicast FIB entry.
Vlan Specifies the VLAN of the IP unicast FIB entry.
Isid Specifies the I-SID of the IP unicast FIB entry.
NextHopName Specifies the nexthop hostname of the IP unicast FIB entry.
OutgoingPort Specifies the outgoing port of the IP unicast FIB entry.
PrefixCost Specifies the prefix cost of the IP unicast FIB entry.
SpbmCost Specifies the B-MAC cost of the IP unicast FIB entry.
Preference Specifies the IP Route preference of the IP unicast FIB entry
MetricType Specifies the IP Metric Type of the IP unicast FIB entry.

View the IPv6 Unicast FIB


Use the following procedure to display the IPv6 unicast Forwarding Information Base (FIB). The tab
shows IPv6 routes from remote Backbone Edge Bridges (BEBs).

In SPBM, each node has a System ID, which also serves as Backbone MAC address (B-MAC) of the
switch. These Backbone MAC addresses are populated into the SPBM VLAN Forwarding Information
Base (FIB). When the network topology is discovered and stored in the IS-IS link-state database, each
node calculates shortest path trees for each source node, so that a unicast path now exists from every
node to every other node. With this information, each node populates unicast information received from
SPBM into the FIB for forwarding purposes.

I-SIDs are only used for virtual services (Layer 2 VSNs and Layer 3 VSNs). If you only enable IP Shortcuts
on the Backbone Edge Bridges, I-SIDs are never exchanged in the network as IP Shortcuts allows for
Global Routing Table (GRT) IP networks to be transported across IS-IS.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the IPv6 Unicast FIB tab.

IPv6 Unicast FIB Field Descriptions

Use the data in the following table to use the IPv6 Unicast FIB tab.

Name Description
VrfId Specifies the VRF ID of the IPv6 unicast FIB entry, 0 indicates
NRE.
DestinationIpAddrType Specifies the address type of the destination IPv6 address.
DestinationIpAddr Specifies the destination IPv6 Address of the IPv6 unicast FIB
entry.
DestinationMask Specifies the destination IPv6 mask of the IPv6 unicast FIB
entry
NextHopBmac Specifies the nexthop B-MAC of the IPv6 unicast FIB entry.
DestIsid Specifies the destination I-SID of the IPv6 unicast FIB entry.
Vlan Specifies the VLAN of the IPv6 unicast FIB entry.
Isid Specifies the I-SID of the IPv6 unicast FIB entry.
NextHopName Specifies the nexthop hostname of the IPv6 unicast FIB entry.
OutgoingPort Specifies the outgoing port of the IPv6 unicast FIB entry.
PrefixCost Specifies the prefix cost of the IPv6 unicast FIB entry.
SpbmCost Specifies the B-MAC cost of the IPv6 unicast FIB entry.
MetricType Specifies the Metric Type of the IPv6 unicast FIB entry.

View the Unicast FIB


Use the following procedure to display the unicast FIB.

In SPBM, B-MAC addresses are carried within the IS-IS link-state database. To do this, SPBM supports an
IS-IS TLV that advertises the I-SID and B-MAC information across the network. Each node has a System
ID, which also serves as Backbone MAC address (B-MAC) of the switch. These Backbone MAC addresses
are populated into the SPBM VLAN Forwarding Information Base (FIB).

When the network topology is discovered and stored in the IS-IS link-state database, each node
calculates shortest path trees for each source node, so that a unicast path now exists from every node
to every other node. With this information, each node populates unicast information received from
SPBM into the FIB for forwarding purposes.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the Unicast FIB tab.

Unicast FIB field descriptions

Use the data in the following table to use the Unicast FIB tab.

Name Description
SysId Specifies the system ID of the node where the unicast FIB
entry originated.
Vlan Specifies the VLAN of the unicast FIB entry.
DestinationMacAddr Specifies the destination MAC Address of the unicast FIB
entry.
OutgoingPort Specifies the outgoing port of the unicast FIB entry.
HostName Specifies the host name of the node where unicast FIB entry
originated.
Cost Specifies the cost of the unicast FIB entry.

View LSP Summary Information


Use the following procedure to display link-state packet (LSP) summary information. Link State Packets
(LSP) contain information about the state of adjacencies or defined and distributed static routes.
Intermediate System to Intermediate System (IS-IS) exchanges this information with neighboring IS-IS
routers at periodic intervals.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the LSP Summary tab.

LSP Summary field descriptions

Use the data in the following table to use the LSP Summary tab.

Table 107:

Level Specifies the level at which the system displays
this LSP.
ID Specifies the 8 byte LSP ID, consisting of the
SystemID, Circuit ID, and Fragment Number.
Seq Specifies the sequence number for this LSP.
Checksum Specifies the 16 bit Fletcher Checksum for this LSP.


LifetimeRemain The remaining lifetime in seconds for this LSP.


HostName The hostname listed in LSP, or the system name if
host name is not configured.

View IS-IS Adjacencies


Use the following procedure to display IS-IS adjacency information. The platform sends IS-IS Hello
(IIH) packets to discover IS-IS neighbors and establish and maintain IS-IS adjacencies. The platform
continues to send IIH packets to maintain the established adjacencies. For two nodes to form an
adjacency the B-VLAN pairs for the primary B-VLAN and secondary B-VLAN must match.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Adjacency tab.

Adjacency field descriptions

Use the data in the following table to use the Adjacency tab.

Name Description
Interface Specifies the IS-IS interface on which the
adjacency is found.
Level Indicates the level of the IS-IS interface (Level 1
[default] or Level 2).
State Specifies the state of the adjacency:
• down
• initializing
• up
• failed

LastUpTime Indicates when the adjacency most recently
entered the state up, measured in hundredths
of a second since the last re-initialization of the
network management subsystem. Displays 0 if the
adjacency has never been in state up.
NeighPriority Specifies the priority of the neighboring
Intermediate System for becoming the Designated
Intermediate System.
HoldTimer Specifies the holding time in seconds for this
adjacency. This value is based on received
IS-IS Hello (IIH) PDUs and the elapsed time since
receipt.
NeighSysID Specifies the system ID of the neighboring
Intermediate System.

AdjHostName Specifies the host name listed in the LSP, or the
system name if host name is not configured.
ParallelActive Specifies if the current adjacency among all the
parallel adjacencies between two nodes is active.
• true
• false

Configure IS-IS Global Parameters


Use the following procedure to configure IS-IS global parameters. SPBM uses IS-IS to discover network
topology, build shortest path trees between network nodes, and communicate network information in
the control plane.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Globals tab.
4. Configure the global IS-IS parameters.
5. Select Apply.

Globals Field Descriptions

Use the data in the following table to use the Globals tab.

Name Description
AdminState Specifies the global status of IS-IS on the switch:
on or off. The default is off.
LevelType Sets the router type globally:
• level1: Level-1 router type
• level1and2: Level-1/2 router type is not
supported.
The default value is level1.
SystemId Specifies the IS-IS system ID for the switch.
Valid value is a 6-byte value in the format
<xxxx.xxxx.xxxx>.

Important:
After you have configured the SPBM nickname
and enabled IS-IS, if you require a change of the
system ID, you must also change the nickname.
However, for naming convention purposes or
configuration purposes, you may not want to
change the nickname. To maintain the same
nickname with a different system ID, see Job aid
on page 1018.

MaxLspGenInt Specifies the maximum interval, in seconds,
between generated LSPs by this Intermediate
system. The value must be greater than any value
configured for RxmtLspInt.
The default value is 900 seconds.
CsnpInt Specifies the Complete Sequence Number Packet
(CSNP) interval in seconds. This is a system level
parameter that applies for L1 CSNP generation on
all interfaces.
The default value is 10.
RxmtLspInt Specifies the minimum time between
retransmission of an LSP. This defines how fast
the switch resends the same LSP. This is a system
level parameter that applies for L1 retransmission
of LSPs.
The default value is 5 seconds.
PSNPInterval Specifies the Partial Sequence Number Packet
(PSNP) interval in seconds. This is a system level
parameter that applies for L1 PSNP generation on
all interfaces.
The default value is 2.
SpfDelay Specifies the SPF delay in milliseconds. This value
is used to pace successive SPF runs. The timer
prevents two SPF runs from being scheduled very
closely.
The default value is 100 milliseconds.
HostName Specifies a name for the system. This can be
used as the host name for dynamic host name
exchange in accordance with RFC 2763.
By default, the system name comes from the host
name configured at the system level.
IpSourceAddress Specifies IP source address for SPBM IP shortcuts.
Ipv6SourceAddress Specifies IPv6 source address for SPBM IP
shortcuts.
IpTunnelSourceAddress Specifies the IS-IS IPv4 tunnel source address.
Note:
Exception: Not supported on VSP 8600 Series.
IpTunnelPort Specifies the physical port that the logical
interface is connected to in a Layer 2 network.
Note:
Exception: only supported on VSP 4450 Series.
IpTunnelVrf Specifies the VRF name associated with the IP
tunnel.
Note:
Exception: Not supported on VSP 8600 Series.

IpTunnelOverlay Permits the configuration of the tunnel source
address even though it belongs to a VRF with an
attached I-SID. The default is disabled.
IpTunnelMtu Specifies the size of the maximum transmission
unit (MTU). The default is 1950.
This parameter applies to an ONA configuration only.
Note:
Exception: only supported on VSP 4450 Series.
MgmtClipIpAddr Specifies the DvR management IP address for this
node, in the DvR domain.
Note:
Exception: Not supported on VSP 8600 Series.
BackboneEnable Select to enable this node to join the DvR
backbone so that it can receive redistributed
DvR host routes from all DvR Controllers in the
network.
FanMember Specifies whether the node is a member of the
Fabric Area Network (FAN).
Note:
Exception: Not supported on VSP 8600 Series.
DynamicallyLearnedArea For FAN members, specifies the IS-IS area that
is dynamically learned from the neighbor’s Hello
PDU if the node does not have the IS-IS manual
area configured.
Note:
Exception: Not supported on VSP 8600 Series.
MAOperState Specifies the Multi-area SPB operational state. The
default is disabled.
Note:
Exception: Only supported on VSP 7400 Series.
HelloPadding Configures IS-IS hello padding on all IS-IS
network-to-network interface (NNI) links. IS-IS
hello padding is enabled by default.
Note:
Exception: Not supported on VSP 8600 Series.

Configuring system-level IS-IS parameters


Use the following procedure to configure system-level IS-IS parameters.

Procedure

1. In the navigation pane, expand Configuration > Fabric > IS-IS.


2. Select the System Level tab.
3. Configure the IS-IS system level parameters.
4. Select Apply.


System Level field descriptions

Use the data in the following table to use the System Level tab.

Name Description
Index Specifies the level: l1 or l2.
Only l1 is supported.
State Specifies the state of the database at this level. The value 'off'
indicates that IS-IS is not active at this level. The value 'on'
indicates that IS-IS is active at this level, and not overloaded.
The value 'waiting' indicates a database that is low on
an essential resource, such as memory. The administrator
may force the state to 'overloaded' by setting the object
SetOverload. If the state is 'waiting' or 'overloaded', you
originate LSPs with the Overload bit set.
SetOverload Sets or clears the overload condition. The possible values are
true or false.
The default value is false.
SetOverloadUntil Sets the IS-IS overload-on-startup value in seconds. The
overload-on-startup value is used as a timer to control when
to send out LSPs with the overload bit cleared after IS-IS
startup.

Note:
If you configure SetOverloadUntil to a number other than
zero, then the overload bit is set at this level when
the AdminState variable goes to the state 'on' for this
Intermediate System.
After the SetOverloadUntil seconds elapse, the overload flag
remains set if the implementation runs out of memory or if
you configured it manually using SetOverload to true.
If SetOverload is false, the system clears the overload bit
after SetOverloadUntil seconds elapse, if the system has not
run out of memory.

The default value is 20.


MetricStyle Specifies the IS-IS metric type. Available values are narrow,
wide or both. Only wide is supported.

View IS-IS System Statistics


Use the following procedure to view the Intermediate-System-to-Intermediate-System (IS-IS) system
statistics.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select Stats.
3. Select the System Stats tab.

System Stats field descriptions

Use the data in the following table to use the System Stats tab.


Name Description
CorrLSPs Indicates the number of corrupted in-memory link-state
packets (LSPs) detected. LSPs received from the wire with
a bad checksum are silently dropped and not counted.
AuthFails Indicates the number of authentication key failures
recognized by this Intermediate System.
LSPDbaseOloads Indicates the number of times the LSP database has become
overloaded.
ManAddrDropFromAreas Indicates the number of times a manual address has been
dropped from the area.
AttmptToExMaxSeqNums Indicates the number of times the IS has attempted to
exceed the maximum sequence number.
SeqNumSkips Indicates the number of times a sequence number skip has
occurred.
OwnLSPPurges Indicates the number of times a zero-aged copy of the
system's own LSP is received from some other node.
IDFieldLenMismatches Indicates the number of times a PDU is received with a
different value for ID field length to that of the receiving
system.
PartChanges Indicates partition changes.
AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.
Average/sec Displays the average value for each second.
Minimum/sec Displays the minimum value for each second.
Maximum/sec Displays the maximum value for each second.
LastVal/sec Displays the last value for each second.

Configure IS-IS Interfaces


Use the following procedure to configure the IS-IS interfaces. SPBM uses IS-IS to discover network
topology, build shortest path trees between network nodes, and communicate network information in
the control plane.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Interfaces tab.
4. Configure the IS-IS interface parameters.
5. Select Apply.

Interfaces Field Descriptions

Use the data in the following table to use the Interfaces tab.


Name Description
Index The identifier of this circuit, unique within the
Intermediate System. This value is for SNMP
Indexing purposes only and need not have any
relation to any protocol value.
IfIndex Specifies the interface on which the circuit is
configured (port or MLT).
Type Specifies the IS-IS circuit type. Only the
point-to-point (PtToPt) interface type is supported.
AdminState Specifies the administrative state of the circuit: on
or off.
OperState Specifies the operational state of the circuit.
AuthType Specifies the authentication type:
• none
• simple: If selected, you must also specify a
key value but the key id is optional. Simple
password authentication uses a text password
in the transmitted packet. The receiving router
uses an authentication key (password) to verify
the packet.
• hmac-md5: If selected, you must also specify
a key value, but the key-id is optional. MD5
authentication creates an encoded checksum
in the transmitted packet. The receiving router
uses an authentication key (password) to verify
the MD5 checksum of the packet. There is an
optional key ID.
• hmac-sha-256: If selected, you must also
specify a key value, but the key-id is optional.
With SHA-256 authentication, the switch adds
an hmac-sha-256 digest to each Hello packet.
The switch that receives the Hello packet
computes the digest of the packet and
compares it with the received digest. If the
digests match, the packet is accepted. If the
digests do not match, the receiving switch
discards the packet. There is an optional key
ID.

Note:
Secure Hashing Algorithm 256 bits (SHA-256)
is a cipher and a cryptographic hash function
of SHA2 authentication. You can use SHA-256
to authenticate IS-IS Hello messages. This
authentication method uses the SHA-256 hash
function and a secret key to establish a secure
connection between switches that share the
same key.
This feature is in full compliance with RFC 5310.

The default is none.


AuthKey Specifies the authentication key.

KeyId Specifies the authentication key ID.
LevelType Specifies the router type globally:
• level1: Level-1 router type
• level1and2: Level-1/2 router type. This type is
not supported.
The default value is level1.
NumAdj Specifies the number of adjacencies on this circuit.
NumUpAdj Specifies the number of adjacencies that are up.
AutoNniEnable Enable to have the node create an IS-IS interface,
attach the interface to an SPBM instance, and then
enable IS-IS on the port interface.
This field displays on the Insert Interfaces dialog
box and applies to port interfaces only.
Origin Specifies the origin of the IS-IS circuit
configuration on the port, either manually
configured through CLI or EDM or dynamically
configured through Auto-sense.
Note:
Exception: not supported on VSP 8600 Series and
XA1400 Series.
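
The hmac-sha-256 check described for AuthType above (sender adds a digest, receiver recomputes and compares, mismatches are discarded), as an added Python example that is not Extreme Networks code. The trailing-TLV layout, the zero filler, the key handling, and the sample bytes are assumptions of this sketch; RFC 5310 defines the on-wire details.

```python
import hashlib
import hmac
import struct

AUTH_TLV_TYPE = 10     # IS-IS authentication TLV
AUTH_TYPE_CRYPTO = 3   # generic cryptographic authentication (RFC 5310)
DIGEST_LEN = 32        # HMAC-SHA-256 digest size in bytes
TLV_LEN = 2 + 1 + 2 + DIGEST_LEN   # type, length, auth type, key ID, digest
# Assumption of this sketch: the digest field holds zeros while the digest is
# computed. RFC 5310 defines the exact filler and key preparation.
FILLER = bytes(DIGEST_LEN)

# Constructed bytes standing in for the header and TLVs of a Hello PDU.
SAMPLE_HELLO = bytes.fromhex("8314010011010000") + b"constructed-hello-tlvs" * 2


def auth_tlv(key_id, digest):
    """Build the authentication TLV: type, length, auth type, key ID, digest."""
    value = struct.pack("!BH", AUTH_TYPE_CRYPTO, key_id) + digest
    return struct.pack("!BB", AUTH_TLV_TYPE, len(value)) + value


def sign_hello(pdu, key, key_id=0):
    """Sender: append an authentication TLV carrying the HMAC-SHA-256 digest."""
    digest = hmac.new(key, pdu + auth_tlv(key_id, FILLER), hashlib.sha256).digest()
    return pdu + auth_tlv(key_id, digest)


def verify_hello(packet, keys):
    """Receiver: recompute the digest with the local key and compare."""
    if len(packet) < TLV_LEN:
        return False
    pdu, tlv = packet[:-TLV_LEN], packet[-TLV_LEN:]
    tlv_type, length, auth_type, key_id = struct.unpack("!BBBH", tlv[:5])
    if (tlv_type, length, auth_type) != (AUTH_TLV_TYPE, 3 + DIGEST_LEN, AUTH_TYPE_CRYPTO):
        return False                      # no usable authentication TLV
    key = keys.get(key_id)
    if key is None:
        return False                      # key ID not configured locally
    expected = hmac.new(key, pdu + auth_tlv(key_id, FILLER), hashlib.sha256).digest()
    return hmac.compare_digest(tlv[5:], expected)   # constant-time comparison


def receive(packets, keys):
    """Return (accepted, discarded) counts for a batch of received Hellos."""
    accepted = sum(1 for p in packets if verify_hello(p, keys))
    return accepted, len(packets) - accepted


def demo():
    """One valid Hello and three that the receiver must discard."""
    key = b"constructed-shared-key"
    good = sign_hello(SAMPLE_HELLO, key, key_id=1)
    wrong_key = sign_hello(SAMPLE_HELLO, b"some-other-key", key_id=1)
    tampered = bytes([good[0] ^ 0x01]) + good[1:]   # one bit changed in transit
    unsigned = SAMPLE_HELLO                          # AuthType none on the peer
    return receive([good, wrong_key, tampered, unsigned], {1: key})


if __name__ == "__main__":
    print(demo())
```

Each discarded Hello in this model corresponds to a packet the receiving switch would drop, which is why a key mismatch between two neighbors prevents the adjacency from forming.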

Configure IS-IS Interface Level Parameters


Use the following procedure to configure IS-IS interface level parameters. SPBM uses IS-IS to discover
network topology, build shortest path trees between network nodes, and communicate network
information in the control plane.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Interfaces Level tab.
4. Configure the IS-IS interface level parameters.
5. (Optional) Select the Remote button to configure the remote IS-IS interface level parameters.

Note
This step only applies to the VSP 7400 Series.

6. Select Apply.

Interfaces Level Field Descriptions

Use the data in the following table to use the Interfaces Level tab.


Name Description
Index The identifier of this circuit, unique within the Intermediate
System. This value is for SNMP Indexing purposes only and
need not have any relation to any protocol value.
Level Specifies the router type globally:
• l1: Level1 router type
• l12: Level1/Level2 router type. This type is not supported.
The default value is l1.
ISPriority Specifies an integer sub-range for IS-IS priority. The default is
64.
HelloTimer Configures the level 1 hello interval.
Specifies the maximum period, in milliseconds, between IS-IS
Hello (IIH) PDUs on multiaccess networks at this level
for LANs. The value at Level1 is used as the period between
Hellos on Level1/Level2 point-to-point circuits. Setting this
value at Level 2 on a Level1/Level2 point-to-point circuit
results in an error of InconsistentValue.
The default value is 9000 milliseconds or 9 seconds.
HelloMultiplier Configures the level 1 hello multiplier. The default value is 3
seconds.
DRHelloTimer Indicates the period, in milliseconds, between Hello PDUs on
multiaccess networks when this Intermediate System is the
Designated Intermediate System. The default is 3.

View IS-IS Interface Counters


Use the following procedure to view the Intermediate-System-to-Intermediate-System (IS-IS) interface
counters.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select Stats.
3. Select the Interface Counters tab.

Interface Counters Field Descriptions

Use the data in the following table to use the Interface Counters tab.

Name Description
Index Shows a unique value identifying the IS-IS interface.
Level Shows the type of circuit that discovered the interface
counters. The point-to-point Hello PDU includes both Layer
1 and Layer 2, and an IS forms a single adjacency on
point-to-point links, so counts on point-to-point links
are combined into one group.
AdjChanges Shows the number of times an adjacency state change has
occurred on this circuit.

InitFails Shows the number of times initialization of this circuit has
failed. This counts events such as PPP NCP failures. Failures
to form an adjacency are counted by isisCircRejAdjs.
RejAdjs Shows the number of times an adjacency has been rejected
on this circuit.
IDFieldLenMismatches Shows the number of times an IS-IS control PDU with an
ID field length different to that for this system has been
received.
MaxAreaAddrMismatches Shows the number of times an IS-IS control PDU with a max
area address field different to that for this system has been
received.
AuthFails Shows the number of times an IS-IS control PDU with the
correct auth type has failed to pass authentication validation.
LANDesISChanges Shows the number of times the Designated IS has changed
on this circuit at this level. If the circuit is point to point, this
count is zero.

View IS-IS interface control packets


Use the following procedure to view the Intermediate-System-to-Intermediate-System (IS-IS) interface
control packets.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select Stats.
3. Select the Interface Control Packets tab.

Interface Control Packets Field Descriptions

Use the data in the following table to use the Interface Control Packets tab.

Name Description
Index Shows a unique value identifying the Intermediate-System-
to-Intermediate-System (IS-IS) interface.
Direction Indicates whether the switch is sending or receiving the
PDUs.
Hello Indicates the number of IS-IS Hello frames seen in this
direction at this level.
LSP Indicates the number of IS-IS LSP frames seen in this
direction at this level.
CSNP Indicates the number of IS-IS Complete Sequence Number
Packets (CSNP) frames seen in this direction at this level.
PSNP Indicates the number of IS-IS Partial Sequence Number
Packets (PSNP) frames seen in this direction at this level.


View Statistical Graph of IS-IS Interface Counters


Use the following procedure to view the statistical graph of the IS-IS interface counters.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Interfaces tab.
4. Select an interface.
5. Select the Graph button.

Interface Counters field descriptions

The following table describes the fields in the Interface Counters tab.

Name Description
InitFails Indicates the number of times initialization of this circuit has
failed. This counts events such as PPP NCP failures.
RejAdjs Indicates the number of times an adjacency has been
rejected on this circuit.
IDFieldLenMismatches Indicates the number of times an Intermediate-System-to-
Intermediate-System (IS-IS) control PDU with an ID field
length different from that for this system has been received.
MaxAreaAddrMismatches Indicates the number of times an IS-IS control PDU with a
max area address field different from that for this system has
been received.
AuthFails Indicates the number of times an IS-IS control PDU with the
correct auth type has failed to pass authentication validation.
LANDesISChanges Indicates the number of times the Designated IS has changed
on this circuit at this level. If the circuit is point to point, this
count is zero.
AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.
Average/Sec Displays the average value for each second.
Minimum/Sec Displays the minimum value for each second.
Maximum/Sec Displays the maximum value for each second.
Last Val/Sec Displays the last value for each second.

View Statistical Graph of IS-IS Interface Sending Control Packet


Use the following procedure to view the statistical graph of the IS-IS interface sending control packet.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Interfaces tab.
4. Select an interface.

5. Select the Graph button.


6. Select the Interface Sending Control Packets tab.

Interface Sending Control Packets field descriptions

The following table describes the fields in the Interface Sending Control Packets tab.

Name Description
Hello Indicates the number of IS-IS Hello (IIH) PDUs seen in this
direction at this level. Point-to-Point IIH PDUs are counted at
the lowest enabled level: at L1 on Layer 1 or L1L2 circuits, and
at Layer 2 otherwise.
LSP Indicates the number of IS-IS LSP frames seen in this
direction at this level.
CSNP Indicates the number of IS-IS Complete Sequence Number
Packet (CSNP) frames seen in this direction at this level.
PSNP Indicates the number of IS-IS Partial Sequence Number
Packets (PSNPs) seen in this direction at this level.
AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.
Average/Sec Displays the average value for each second.
Minimum/Sec Displays the minimum value for each second.
Maximum/Sec Displays the maximum value for each second.
Last Val/Sec Displays the last value for each second.

View Statistical Graph of IS-IS Interface Receiving Control Packets


Use the following procedure to view the statistical graph of the IS-IS interface receiving control packets.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Interfaces tab.
4. Select an interface.
5. Select the Graph button.
6. Select the Interface Receiving Control Packets tab.

Interface Receiving Control Packets field descriptions

The following table describes the fields in the Interface Receiving Control Packets tab.


Name Description
Hello Indicates the number of IS-IS Hello PDUs seen in this
direction at this level. Point-to-Point IIH PDUs are counted
at the lowest enabled level: at L1 on Layer 1 or L1L2 circuits,
and at Layer 2 otherwise.
LSP Indicates the number of IS-IS link-state packet (LSP) frames
seen in this direction at this level.
CSNP Indicates the number of IS-IS Complete Sequence Number
Packet (CSNP) frames seen in this direction at this level.
PSNP Indicates the number of IS-IS Partial Sequence Number
Packets (PSNPs) seen in this direction at this level.
AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.
Average/Sec Displays the average value for each second.
Minimum/Sec Displays the minimum value for each second.
Maximum/Sec Displays the maximum value for each second.
Last Val/Sec Displays the last value for each second.

Configure an IS-IS Manual Area


Use the following procedure to configure an IS-IS manual area.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Manual Area tab.
4. Select Insert.
5. In the AreaAddr field, type the Area Address.
6. Select Insert.

Manual Area or Manual Area Remote Field Descriptions

Use the data in the following table to use the Manual Area or Manual Area Remote tab.

Name Description
AreaAddr Specifies the IS-IS manual area. Valid value is 1-13
bytes in the format <xx.xxxx.xxxx...xxxx>. Only
one manual area is supported. Use the same
manual area across the entire SPBM cloud. For
IS-IS to operate, you must configure at least one
manual area.
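
A pre-change audit of a planned IS-IS configuration against the constraints stated in the Globals, System Level, Interfaces, and Manual Area tables above, as an added Python example that is not part of the product or of EDM. The dictionary layout, the severity labels, and the sample values are assumptions; the field names and rules come from the tables.

```python
import re

SYSTEM_ID = re.compile(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}")
AUTH_TYPES = ("none", "simple", "hmac-md5", "hmac-sha-256")

# Constructed plan: values are illustrative, not taken from a real switch.
SAMPLE_PLAN = {
    "globals": {"SystemId": "0014.c7e1.33df", "LevelType": "level1",
                "MaxLspGenInt": 900, "RxmtLspInt": 5},
    "system_level": {"MetricStyle": "wide"},
    "manual_areas": ["49.0001"],
    "interfaces": [
        {"IfIndex": "1/1", "AuthType": "hmac-sha-256", "AuthKey": "constructed-key"},
        {"IfIndex": "1/2"},                                   # AuthType left at default
        {"IfIndex": "1/3", "AuthType": "simple", "AuthKey": "constructed-key"},
        {"IfIndex": "1/4", "AuthType": "hmac-md5"},           # key missing
    ],
}


def area_len(area):
    """Byte length of a dotted-hex area address, or None if it is malformed."""
    digits = area.replace(".", "")
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", digits):
        return None
    return len(digits) // 2


def audit(plan):
    """Return (severity, field, message) findings for a planned configuration."""
    out = []
    g = plan["globals"]
    if not SYSTEM_ID.fullmatch(g["SystemId"]):
        out.append(("error", "SystemId", "must be 6 bytes written as xxxx.xxxx.xxxx"))
    if g["LevelType"] != "level1":
        out.append(("error", "LevelType", "only level1 is supported"))
    if g["MaxLspGenInt"] <= g["RxmtLspInt"]:
        out.append(("error", "MaxLspGenInt", "must be greater than RxmtLspInt"))
    if plan["system_level"]["MetricStyle"] != "wide":
        out.append(("error", "MetricStyle", "only wide is supported"))

    areas = plan["manual_areas"]
    if len(areas) != 1:
        out.append(("error", "AreaAddr", "configure exactly one manual area"))
    for area in areas:
        size = area_len(area)
        if size is None or not 1 <= size <= 13:
            out.append(("error", "AreaAddr", f"{area!r} is not 1-13 bytes of hex"))

    for ifc in plan["interfaces"]:
        port = ifc["IfIndex"]
        auth = ifc.get("AuthType", "none")        # the default is none
        if ifc.get("Type", "PtToPt") != "PtToPt":
            out.append(("error", f"{port} Type", "only PtToPt is supported"))
        if auth not in AUTH_TYPES:
            out.append(("error", f"{port} AuthType", f"unknown type {auth!r}"))
        elif auth == "none":
            out.append(("warning", f"{port} AuthType",
                        "IS-IS PDUs on this circuit are not authenticated"))
        else:
            if not ifc.get("AuthKey"):
                out.append(("error", f"{port} AuthKey", "a key value is required"))
            if auth == "simple":
                out.append(("warning", f"{port} AuthType",
                            "text password is carried in the transmitted packet"))
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_PLAN):
        print(*finding, sep=": ")
```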


Configure Dynamic Nickname Assignment


About This Task

Use this procedure to enable Dynamic Nickname Assignment and specify a nickname allocation range.

Note
You must disable Dynamic Nickname Assignment before you can change the nickname
allocation range.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the Globals tab.
4. To enable the nickname server, select enable for NicknameServerEnable.
5. In NicknameServerPrefix, type a prefix.
6. Select Apply.

Globals Field Descriptions

Use the data in the following table to use the Globals tab.

Name Description
GlobalEnable Enables or disables SPBM globally. The default is
disabled.
To ensure proper cleanup of MAC tables after you
disable SPBM, save the configuration, and then
reboot the switch.
GlobalEtherType Specifies the global ethertype value as 0x8100 or
0x88a8. The default value is 0x8100.
NicknameServerEnable Enables or disables the nickname server. The
default is disabled.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.

NicknameDynamicAllocationStatus Displays the Dynamic Nickname Allocation service
operational status.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.
NicknameServerPrefix Specifies the nickname server allocation prefix.
x.xx.xx uses the form X.X0.00 from 0.00.00 to
F.F0.00. A group, X.X0.00 to X.XF.FF, can provide
up to 4,096 nicknames. The default is A.00.00.
Note:
Exception: not supported on VSP 8600 Series or
XA1400 Series.


Fabric Extend Configuration using EDM


The following sections provide procedural information you can use to configure Fabric Extend (FE)
using Enterprise Device Manager (EDM).

For information about how to configure an IPsec NAT-T Responder, see IPsec configuration using EDM
on page 1803.

Configure Fabric Extend Tunnels


Use the following procedure to configure Fabric Extend (FE) between a main office and a branch office.
This is a typical deployment. However, if your deployment creates tunnels between two switches that
support Fabric Extend natively, then repeat those steps and ignore the steps for switches that require
an ONA.

Before You Begin

The tunnel source IP address can be either a brouter port IP, a CLIP IP, or a VLAN IP.

Note
Product Notice: Except VSP 8600 Series, all product series support a VLAN IP as the Fabric
Extend tunnel source IP address.

If using the tunnel originating address on the GRT, Fabric Extend has the following requirements:
• The tunnel source IP address must be on the GRT, not on a VRF.

Note
A best practice is to use separate IP addresses for the SPBM IP Shortcuts
ip-source-address command and the Fabric Extend ip-tunnel-source-address command.
However, if you want these IP addresses to be the same, you MUST exclude the
ip-source-address address with an IS-IS accept policy. You cannot use the redistribute
command with a route map exclusion.
Specify a CLIP interface to use as the source address for SPBM IP shortcuts.

• If IP Shortcuts is enabled, you must configure an IS-IS accept policy or exclude route-map to ensure
that tunnel destination IP addresses are not learned through IS-IS.

If you are using the tunnel originating address on a VRF, Fabric Extend has the following requirements:
• Configure a CLIP and tunnel source IP address on the VRF.
• Remote management of the VSP 4450 Series is possible after establishing IP Shortcut over IS-IS.
(Alternatively, you can enable GRT-VRF redistribution locally.)

About This Task

Configuring Fabric Extend consists of two primary tasks: configuring the tunnel source address and
configuring the logical interface. These tasks must be completed on both ends of the tunnel.


The VSP 4450 Series source address command is different from other platforms. Also note that the
logical interface commands are different between Layer 2 and Layer 3 networks.

Note
VRF is an optional parameter. If a VRF is not configured, then FE uses the GRT.

Procedure

The following steps are for platforms that support FE natively:


1. In the navigation pane, expand Configuration > Fabric.
2. Select IS-IS.
3. Select the Globals tab.
4. In the IpTunnelSourceAddress field, enter the IP tunnel source address.
5. If you are using a VRF, select the IpTunnelVrf field.
6. Select Apply.
The following steps are for platforms that require an ONA to support FE:

Note
The interface VLAN connecting to the ONA network port is always in the GRT and the
member port that the VLAN is part of is always an access port.

7. In the navigation pane, expand Configuration > Fabric.


8. Select IS-IS.
9. Select the Globals tab.
10. In the IpTunnelSourceAddress field, enter the IP tunnel source address.
11. In the IpTunnelPort field, select the physical port that the logical interface is connected to in a
Layer 2 network.
12. If you are using a VRF, select its name from the list for IpTunnelVrf.
13. In the IpTunnelMtu field, enter a value between 750 and 1950 to specify the size of the maximum
transmission unit (MTU).
14. Select Apply.

Globals Field Descriptions

Use the data in the following table to use the Globals tab.

Name Description
AdminState Specifies the global status of IS-IS on the switch:
on or off. The default is off.
LevelType Sets the router type globally:
• level1: Level-1 router type
• level1and2: Level-1/2 router type is not
supported.
The default value is level1.

SystemId Specifies the IS-IS system ID for the switch.
Valid value is a 6-byte value in the format
<xxxx.xxxx.xxxx>.

Important:
After you have configured the SPBM nickname
and enabled IS-IS, if you require a change of the
system ID, you must also change the nickname.
However, for naming convention purposes or
configuration purposes, you may not want to
change the nickname. To maintain the same
nickname with a different system ID, see Job aid
on page 1018.

MaxLspGenInt Specifies the maximum interval, in seconds,
between generated LSPs by this Intermediate
system. The value must be greater than any value
configured for RxmtLspInt.
The default value is 900 seconds.
CsnpInt Specifies the Complete Sequence Number Packet
(CSNP) interval in seconds. This is a system level
parameter that applies for L1 CSNP generation on
all interfaces.
The default value is 10.
RxmtLspInt Specifies the minimum time between
retransmission of an LSP. This defines how fast
the switch resends the same LSP. This is a system
level parameter that applies for L1 retransmission
of LSPs.
The default value is 5 seconds.
PSNPInterval Specifies the Partial Sequence Number Packet
(PSNP) interval in seconds. This is a system level
parameter that applies for L1 PSNP generation on
all interfaces.
The default value is 2.
SpfDelay Specifies the SPF delay in milliseconds. This value
is used to pace successive SPF runs. The timer
prevents two SPF runs from being scheduled very
closely.
The default value is 100 milliseconds.
HostName Specifies a name for the system. This can be
used as the host name for dynamic host name
exchange in accordance with RFC 2763.
By default, the system name comes from the host
name configured at the system level.
IpSourceAddress Specifies IP source address for SPBM IP shortcuts.
Ipv6SourceAddress Specifies IPv6 source address for SPBM IP
shortcuts.

IpTunnelSourceAddress Specifies the IS-IS IPv4 tunnel source address.

Note:
Exception: Not supported on VSP 8600 Series.

IpTunnelPort Specifies the physical port that the logical
interface is connected to in a Layer 2 network.
Note:
Exception: only supported on VSP 4450 Series.

IpTunnelVrf Specifies the VRF name associated with the IP
tunnel.
Note:
Exception: Not supported on VSP 8600 Series.

IpTunnelOverlay Permits the configuration of the tunnel source
address even though it belongs to a VRF with an
attached I-SID. The default is disabled.
IpTunnelMtu Specifies the size of the maximum transmission
unit (MTU). The default is 1950.
This parameter applies to an ONA configuration
only.
Note:
Exception: only supported on VSP 4450 Series.

MgmtClipIpAddr Specifies the DvR management IP address for this
node, in the DvR domain.
Note:
Exception: Not supported on VSP 8600 Series.

BackboneEnable Select to enable this node to join the DvR
backbone so that it can receive redistributed
DvR host routes from all DvR Controllers in the
network.
FanMember Specifies whether the node is a member of the
Fabric Area Network (FAN).
Note:
Exception: Not supported on VSP 8600 Series.

DynamicallyLearnedArea For FAN members, specifies the IS-IS area that
is dynamically learned from the neighbor’s Hello
PDU if the node does not have the IS-IS manual
area configured.
Note:
Exception: Not supported on VSP 8600 Series.

MAOperState Specifies the Multi-area SPB operational state. The
default is disabled.
Note:
Exception: Only supported on VSP 7400 Series.

HelloPadding Configures IS-IS hello padding on all IS-IS
network-to-network interface (NNI) links. IS-IS
hello padding is enabled by default.
Note:
Exception: Not supported on VSP 8600 Series.

Configure Fabric Extend Logical Interfaces


Use the following procedures to configure Fabric Extend (FE) between a Main office and a Branch office,
which is a typical deployment.

VSP 4450 Series supports FE, but the switch must connect to an Open Networking Adapter (ONA)
because the VSP 4450 Series does not support FE natively:
• Configure Fabric Extend Logical Interfaces for Native Support on page 1176
• Configure Fabric Extend Logical Interfaces for ONA Support on page 1177

Configure Fabric Extend Logical Interfaces for Native Support

About This Task

Configuring Fabric Extend consists of two primary tasks: configuring the tunnel source address and
configuring the logical interface. These tasks must be completed on both ends of the tunnel.

VRF is an optional parameter. If a VRF is not configured, then FE uses the GRT.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Logical Interfaces tab.
4. Select Insert.
5. In Id, type the index number that uniquely identifies this logical interface.
6. For Type, select the type of core network that the tunnel will traverse:

Note
Different fields will be available depending on the type of core network you select.

• If it is a Layer 2 Core, select layer2.
• If it is a Layer 3 Core, select ip.
7. For Name, type the name of this logical interface.
8. To enable BFD, select enable for BFDEnable.


9. For a Layer 2 Core, configure the following fields:

Note
This step does not apply to XA1400 Series.

a. For DestIfIndex, select the physical port that the logical interface connects to or enter the name
of the MLT.
b. In Vids, type the list of VLANs for this logical interface.
c. In PrimaryVid, type the primary tunnel VLAN ID.

Note
The primary VLAN ID must be one of the VIDs listed in the Vids field.

10. For a Layer 3 Core, complete the following field:


a. In DestIPAddr, type the destination IP address for the logical interface.
11. For XA1400 Series only, make the following selections:
a. For Compression, select whether to enable compression for a Fabric Extend over IPsec
connection.
b. For IpsecEnable, select whether to enable a Fabric Extend over IPsec connection for the logical
interface.
c. Select the IPsec authentication method.
d. For a pre-shared key, in AuthenticationKey, type the authentication key to secure your Fabric
Extend over IPsec connection for the logical interface.
e. In ShapingRate, type the value in Mbps of the shaper used for Egress Tunnel Shaping.
f. In Mtu, type a value to specify the size of the maximum transmission unit (MTU).
g. For Esp, select the Encapsulating Security Payload (ESP) cipher suite for IPsec.

Note
You cannot change the ESP cipher suite when IPsec is enabled on the FE tunnel.

h. In IpsecTunnelDestAddress, type the destination IP address for the IPsec tunnel.


i. For TunnelSourceType, select the source type for the IPsec tunnel.
j. In TunnelSourceAddress, type the source IP address for the IPsec tunnel.
k. If you are using a VRF, in TunnelVrf, type the VRF name for the source IPsec tunnel.
12. Select Insert.

Configure Fabric Extend Logical Interfaces for ONA Support

About This Task

Configuring Fabric Extend consists of two primary tasks: configuring the tunnel source address and
configuring the logical interface. These tasks must be completed on both ends of the tunnel.


The VSP 4450 Series source address command is different than other platforms. The logical interface
commands are different between Layer 2 and Layer 3 networks.

Note
The interface VLAN that connects to the ONA network port is always in the GRT, and the
member port that the VLAN is part of is always an access port.

VRF is an optional parameter. If a VRF is not configured, then FE uses the GRT.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. Select the Logical Interfaces tab.
4. Select Insert.
5. In Id, type the index number that uniquely identifies this logical interface.
6. For Name, type the name of this logical interface.
7. For Type, select the type of core network that the tunnel will traverse:

Note
Different fields will be available depending on the type of core network you select.

• If it is a Layer 2 Core, select layer2.
• If it is a Layer 3 Core, select ip.
8. For a Layer 2 Core, complete the following fields:
a. For DestIfIndex, select the physical port that the logical interface connects to or enter the name
of the MLT.
b. In Vids, type the list of VLANs for this logical interface.
c. In PrimaryVid, type the primary tunnel VLAN ID.

Note
The primary VLAN ID must be one of the VIDs listed in the Vids field.

9. For a Layer 3 Core, configure the following field:


a. In DestIPAddr, type the destination IP address for the logical interface.
10. For IpsecEnable, select whether to enable a Fabric Extend over IPsec connection for the logical
interface.
11. In the AuthenticationKey field, type the authentication key to secure your Fabric Extend over IPsec
connection for the logical interface.
12. In the ShapingRate field, type the value in Mbps of the shaper used for Egress Tunnel Shaping.
13. Select Insert.

Logical Interfaces Field Descriptions

Use the data in the following table to use the Logical Interfaces tab and the Insert Logical Interfaces
dialog. The available fields in the dialog differ depending on the type of core you select: layer 2 or ip.


Name Description
Id Specifies the index number that uniquely identifies this logical
interface.
This field displays on the Insert Logical Interfaces dialog only.
IfIndex Specifies the index number that uniquely identifies this logical
interface. This field is read-only.
This field displays on the Logical Interfaces tab only.
Name Specifies the administratively assigned name of this logical
interface, which can be up to 64 characters.
Type Specifies the type of logical interface to create:
• Specify layer 2 for a Layer 2 core network that the tunnel
will traverse.
• Specify ip for a Layer 3 core network that the tunnel will
traverse.
Note:
Exception: Type Layer 2 is not supported on XA1400 Series.

DestIPAddr Specifies the destination IP address for the IP-type logical
interface.
DestIfIndex Specifies the physical port or MultiLink Trunking (MLT) that the
Layer 2 logical interface is connected to.
Note:
Exception: Not supported on XA1400
Series.

Vids Specifies the list of VLANs that are associated with this logical
interface.
Note:
Exception: Not supported on XA1400
Series.

PrimaryVid Specifies the primary tunnel VLAN ID associated with this
Layer 2 Intermediate-System-to-Intermediate-System (IS-IS)
logical interface.
Note:
Exception: Not supported on XA1400 Series.

CircIndex Identifies the IS-IS circuit created under the logical interface.
This field displays on the Logical Interfaces tab only.
NextHopVrf Identifies the next-hop VRF name to reach the logical tunnel
destination IP.
This field displays on the Logical Interfaces tab only.
Note:
Exception: Not supported on XA1400 Series.

IpsecEnable Specifies whether the logical interface should use IPsec.

Note:
Exception: Only supported on XA1400
Series.

AuthenticationKey Specifies the authentication key of this logical interface, which
can be up to 32 characters.
Note:
Exception: Only supported on XA1400
Series.

ShapingRate Specifies the value, in Mbps, of the Egress Tunnel Shaper
applied to the logical interface.
Note:
Exception: Only supported on XA1400 Series.

Mtu Specifies the Maximum Transmission Unit (MTU) size for each
logical interface. The default MTU value is 1950.
Note:
Exception: Only supported on XA1400
Series.

IpsecTunnelDestAddress Specifies the destination IP address for the IPsec tunnel.
Note:
When you configure the destination IP address for the IPsec
tunnel, IKE protocol uses UDP port 500. However, if IPsec
NAT-T is detected, IKE protocol uses UDP port 4500 instead.
Note:
Exception: Only supported on XA1400 Series.

BfdEnable Enables or disables BFD on an IS-IS Logical Interface.
Note:
Exception: Not supported on VSP 8600 Series or XA1400 Series.

IpsecResponderOnly Specifies whether the device is a Responder device in an IPsec
Network Address Translation Traversal (NAT-T) connection.
Note:
Exception: Only supported on XA1400 Series.

IpsecRemoteNatIPAddr Specifies the public IP address of the NAT router connected to
the Responder device in an IPsec NAT-T connection.
Note:
When you configure the IPsec remote NAT IP address, IKE
protocol uses UDP port 4500.
Note:
Exception: Only supported on XA1400 Series.

IpsecAuthMethod Configures the IPsec authentication method for the tunnel as
either a pre-shared key or RSA signature for digital certificates.
The default is pre-shared key.
Note:
Exception: Only supported on XA1400 Series.

CertSubjectName Specifies the digital certificate subject name used as the
identity certificate.
Note:
Exception: Only supported on XA1400
Series.

Compression Reduces the size of the IP datagram to improve the
communication performance between hosts connected
behind Backbone Edge Bridges (BEB).
Tip:
As a best practice, use IPsec compression only for Fabric
Extend tunnels where latency is greater than 70ms.
Note:
Exception: Only supported on XA1400 Series.

FragmentBeforeEncrypt Enables or disables the fragmentation of packets before IPsec
encryption on the tunnel. By default, fragmentation before
encryption is disabled.
Note:
Exception: Only supported on XA1400 Series.

TunnelSourceType Specifies the type of source IP address for the IPsec tunnel.
• global specifies the tunnel source address configured in
the IpTunnelSourceAddress field of the ISIS Globals tab.
• static specifies the manually configured source IP address
for the IPsec tunnel.
• dhcp specifies the source IP address automatically
obtained from the management IP assigned through DHCP.
The default is global.
Note:
Exception: Only supported on XA1400 Series.
TunnelSourceAddress Specifies the source IP address for the IPsec tunnel.

Note:
Exception: Only supported on XA1400
Series.

TunnelVrf Specifies the VRF name associated with the IPsec tunnel.

Note:
Exception: Only supported on XA1400
Series.

Esp Specifies the Encapsulating Security Payload (ESP) cipher
suite for IPsec.
• aes128gcm16-sha256 specifies the AES cipher with a 128-bit
encryption key and GCM block mode.
• aes256-sha256 specifies the AES cipher with a 256-bit
encryption key and CBC block mode (for QAT performance
mode).
• aes256gcm16-sha256 specifies the AES cipher with a 256-bit
encryption key and GCM block mode.
The default value is aes128gcm16-sha256.
Note:
Exception: Only supported on XA1400 Series.
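
The constraints in the Logical Interfaces field descriptions can be checked against a planned configuration before it is typed into the Insert Logical Interfaces dialog. The following validator is an added example, not part of this guide or of any Extreme Networks tool: the dictionary keys mirror the EDM field names, while the function names, the xa1400 flag, the "pre-shared key" label, the sample plans and their documentation-range addresses are assumptions made for illustration.

```python
"""Pre-change check for a planned Fabric Extend logical interface (added example)."""
import ipaddress

# Values listed in the Esp and TunnelSourceType rows; the first entry is the default.
ESP_SUITES = ("aes128gcm16-sha256", "aes256-sha256", "aes256gcm16-sha256")
SOURCE_TYPES = ("global", "static", "dhcp")


def _is_ip(value):
    """Return True if value is a string that parses as an IPv4 or IPv6 address."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _check_ipsec(plan):
    """Checks that apply only when IpsecEnable is selected."""
    errors = []
    # The guide gives pre-shared key as the default authentication method.
    if plan.get("IpsecAuthMethod", "pre-shared key") == "pre-shared key":
        key = plan.get("AuthenticationKey", "")
        if not key:
            errors.append("AuthenticationKey: required for pre-shared key authentication")
        elif len(key) > 32:
            errors.append("AuthenticationKey: longer than 32 characters")
    esp = plan.get("Esp", ESP_SUITES[0])
    if esp not in ESP_SUITES:
        errors.append("Esp: unknown cipher suite %r" % esp)
    src_type = plan.get("TunnelSourceType", "global")
    if src_type not in SOURCE_TYPES:
        errors.append("TunnelSourceType: must be global, static or dhcp")
    elif src_type == "static" and not _is_ip(plan.get("TunnelSourceAddress")):
        # Assumption of this example: a static source needs an explicit address.
        errors.append("TunnelSourceAddress: required when TunnelSourceType is static")
    dest = plan.get("IpsecTunnelDestAddress")
    if dest is not None and not _is_ip(dest):
        errors.append("IpsecTunnelDestAddress: not a valid IP address")
    return errors


def validate_logical_interface(plan, xa1400=False, current=None):
    """Return a list of problems found in a planned logical interface.

    plan    -- dict keyed by EDM field name
    xa1400  -- True when the target switch is an XA1400 Series
    current -- the existing row when modifying an interface, else None
    """
    errors = []
    if len(plan.get("Name", "")) > 64:
        errors.append("Name: longer than 64 characters")

    if_type = plan.get("Type")
    if if_type == "layer2":
        if xa1400:
            errors.append("Type: layer2 is not supported on XA1400 Series")
        vids = plan.get("Vids") or []
        if not plan.get("DestIfIndex"):
            errors.append("DestIfIndex: port or MLT required for a Layer 2 core")
        if not vids:
            errors.append("Vids: at least one VLAN required for a Layer 2 core")
        if plan.get("PrimaryVid") not in vids:
            errors.append("PrimaryVid: must be one of the VIDs listed in Vids")
    elif if_type == "ip":
        if not _is_ip(plan.get("DestIPAddr")):
            errors.append("DestIPAddr: valid destination IP address required")
    else:
        errors.append("Type: must be layer2 or ip")

    if plan.get("IpsecEnable"):
        errors.extend(_check_ipsec(plan))

    # The ESP cipher suite cannot be changed while IPsec is enabled on the tunnel.
    if current and current.get("IpsecEnable"):
        old = current.get("Esp", ESP_SUITES[0])
        if plan.get("Esp", old) != old:
            errors.append("Esp: disable IPsec on the tunnel before changing the cipher suite")
    return errors


# Constructed sample plans; the addresses come from documentation ranges.
GOOD_IP_PLAN = {
    "Id": 1, "Name": "branch-1", "Type": "ip", "DestIPAddr": "192.0.2.10",
    "IpsecEnable": True, "AuthenticationKey": "example-key-only",
    "Esp": "aes256gcm16-sha256", "TunnelSourceType": "static",
    "TunnelSourceAddress": "198.51.100.1",
}
BAD_L2_PLAN = {
    "Id": 2, "Name": "core-l2", "Type": "layer2", "DestIfIndex": "1/5",
    "Vids": [100, 200], "PrimaryVid": 300,
}

if __name__ == "__main__":
    for label, plan in (("ip plan", GOOD_IP_PLAN), ("layer2 plan", BAD_L2_PLAN)):
        problems = validate_logical_interface(plan, xa1400=True)
        print(label, "->", problems or "no problems")
```
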


Adjust the TCP Maximum Segment Size

Note
This procedure only applies to VSP 4900 Series, VSP 7400 Series, and XA1400 Series.

Adjust the TCP maximum segment size (MSS) to improve the throughput for the TCP session over a
Fabric Extend (FE) adjacency.

About This Task

Note
If you downgrade to an earlier release that does not support this feature, you must disable the
feature and save the configuration. Downgrading to an earlier release requires a compatible
configuration file.

The default varies depending on hardware platform:


• For XA1400 Series, this functionality is enabled when at least one Fabric Extend (FE) tunnel with an
MTU less than or equal to 1500 is configured, and the value is auto-derived.
• For VSP 4900 Series and VSP 7400 Series this functionality is disabled. The default value, when
enabled, is 1300.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select IP.
3. Select the Globals tab.
4. Select TcpAdjustMssEnable to enable this functionality.
5. (Optional) Enter a value in TcpAdjustMssValue.
6. Select Apply.

Globals Field Descriptions

Use the data in the following table to use the Globals tab.

Name Description
Forwarding Configures the system for forwarding
(routing) or for dropping. The default value
is forwarding.
DefaultTTL Configures the default time-to-live (TTL)
value for a routed packet. TTL indicates
the maximum number of seconds elapsed
before a packet is discarded. Enter an integer
from 1 to 255. The default value of 255
is used if a value is not supplied in the
datagram header.
ReasmTimeout Specifies the maximum number of seconds
that received fragments are held while they
wait for reassembly. The default value is 30
seconds.

ICMPUnreachableMsgEnable Enables the generation of Internet
Control Message Protocol (ICMP) network
unreachable messages if the destination
network is not reachable from this system.
These messages help determine if the
system is reachable over the network. The
default is disabled.

Important:
As a best practice, enable icmp-unreach-msg
only if it is absolutely required. If
icmp-unreach-msg is enabled and a packet
is received for which there is no route
in the routing table, CPU utilization can
dramatically increase.

ICMPRedirectMsgEnable Enables or disables the system sending ICMP
destination redirect messages.
IcmpEchoBroadcastRequestEnable Enables or disables IP ICMP echo broadcast
request feature. The default is enabled.
IcmpDropFragmentsEnable Enables or disables IPv4 Fragmented ICMP
packet filtering globally. The default is
disabled.
Note:
Exception: Not supported on VSP 8600 Series
and XA1400 Series.

AlternativeEnable Globally enables or disables the Alternative
Route feature.
If the alternative-route parameter is disabled,
all existing alternative routes are removed.
After the parameter is enabled, all alternative
routes are re-added. The default is enabled.
RouteDiscoveryEnable Enables the ICMP Router Discovery feature.
The default is disabled (not selected). Use
ICMP Router Discovery to enable hosts
attached to multicast or broadcast networks
to discover the IP addresses of neighboring
routers.
AllowMoreSpecificNonLocalRouteEnable Enables or disables a more-specific nonlocal
route. If enabled, the system can enter a
more-specific nonlocal route into the routing
table. The default is disabled.
SuperNetEnable Enables or disables supernetting.
If supernetting is globally enabled, the
system can learn routes with a route mask
less than 8 bits. Routes with a mask length
less than 8 bits cannot have ECMP paths,
even if you globally enable the ECMP feature.
The default is disabled.
UdpCheckSumEnable Enables or disables the UDP checksum
calculation. The default is enable.

SourceRouteEnable Enables or disables IP Source Routing
globally. It is disabled by default.
ARPLifeTime Specifies the lifetime of an ARP entry within
the system, global to the switch. The default
value is 360 minutes.
EcmpEnable Globally enables or disables the Equal Cost
Multipath (ECMP) feature. The default is
disabled.
After ECMP is disabled, the EcmpMaxPath is
reset to the default value of 1.
EcmpMaxPath Globally configures the maximum number of
ECMP paths.
You cannot configure this feature unless
ECMP is enabled globally.
Different hardware platforms can support a
different number of ECMP paths. For more
information, see VOSS Release Notes.
Ecmp1PathList Selects a preconfigured ECMP path.
Ecmp2PathList Selects a preconfigured ECMP path.
Ecmp3PathList Selects a preconfigured ECMP path.
Ecmp4PathList Selects a preconfigured ECMP path.
Ecmp5PathList Selects a preconfigured ECMP path.
Ecmp6PathList Selects a preconfigured ECMP path.
Ecmp7PathList Selects a preconfigured ECMP path.
Ecmp8PathList Selects a preconfigured ECMP path.
EcmpPathListApply Applies changes in the ECMP pathlist
configuration, or in the prefix lists configured
as the pathlists.
TcpAdjustMssEnable Adjusts the TCP maximum segment size
(MSS) to improve the throughput for the TCP
session over a Fabric Extend (FE) adjacency.
The default varies depending on hardware
platform:
• For XA1400 Series, the default value is
enabled when at least one Fabric Extend
(FE) tunnel with an MTU less than or equal
to 1500 is configured.
• For VSP 4900 Series and VSP 7400
Series, the default is disabled.
Note:
Exception: Only supported on VSP 4900 Series, VSP
7400 Series, and XA1400 Series.

TcpAdjustMssStatus Displays the activation status of the MSS
adjustment functionality.
On XA1400 Series, the MSS adjustment
functionality only activates when at least
one FE tunnel with a maximum transmission
unit (MTU) less than or equal to 1500 is
configured.
Note:
Exception: Only supported on VSP 4900 Series, VSP
7400 Series, and XA1400 Series.

TcpAdjustMssType Displays if the MSS adjustment value is
manually configured or auto-derived.
Note:
Exception: Only supported on VSP 4900 Series, VSP
7400 Series, and XA1400 Series.

TcpAdjustMssValue Configures the MSS adjustment value.
The default varies depending on hardware
platform:
• For XA1400 Series, the default value is
auto-derived.
• For VSP 4900 Series and VSP 7400
Series, the default value is 1300.
Note:
Exception: Only supported on VSP 4900 Series, VSP
7400 Series, and XA1400 Series.

Display the Logical Interface Next Hop


Use the following procedure to display the next hop for the logical interface.

Procedure

1. In the navigation pane, expand Configuration > Fabric > IS-IS.


2. Select the Logical Interfaces NextHop tab.

Logical Interfaces NextHop field descriptions

Use the data in the following table to use the Logical Interfaces NextHop tab.

Name Description
Id Shows a unique value that identifies the logical
interface tunnel.
Ip Shows a unique value that identifies the next hop
IP address of the logical interface tunnel.
DestIfIndex Shows the next hop destination interface index
to reach the next hop IP of the logical interface
tunnel.
DestVid Shows the next hop destination VLAN ID to reach
the next hop IP of the logical interface tunnel.

Fabric Attach configuration using the EDM

The following sections provide procedural information you can use to configure Fabric Attach (FA) and
Link Layer Discovery Protocol (LLDP) using Enterprise Device Manager (EDM). For information about
LLDP related to FA, see Link Layer Discovery Protocol configuration using EDM on page 2226.

Configure Fabric Attach Globally


Use this procedure to configure FA globally or view existing FA global configuration.


Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Click Fabric Attach.
3. Click the Globals tab.
4. To enable or disable the Fabric Attach service, click enabled or disabled in the Service field.

Caution
Disabling FA flushes all FA element discovery and mappings.

5. View the element type in the ElementType field.

Note
The only supported element type is faServer (FA Server).

6. To specify the assignment time-out, enter a time-out value in seconds in the AsgnTimeout field.
7. View the provision mode in the ProvisionMode field.

Note
The supported provision mode is spbm.

8. To specify the discovery time-out, enter a time-out value in seconds in the DiscTimeout field.
9. To clear the FA statistics, select the Clear FA Statistics checkbox.
10. To clear the error counters, select the check boxes ClearErrorCounters and/or
ClearGlobalErrorCounters.
11. Click Apply.

Fabric Attach Globals Field Descriptions

Use the data in the following table to use the Fabric Attach Globals tab.

Name Description
Service Enables or disables Fabric Attach service globally.
The default is enable.
ElementType Specifies the Fabric Attach element type.
The supported element type is Fabric Attach Server.
AsgnTimeout Specifies the Fabric Attach assignment time-out in seconds.
The range is 45 to 480 seconds. The default is 240 seconds.
ProvisionMode Specifies the Fabric Attach provision mode.
The supported provision mode is SPB.
DiscTimeout Specifies the Fabric Attach discovery time-out in seconds.
The range is 45 to 480 seconds. The default is 240 seconds.
Clear FA Statistics Clears Fabric Attach statistics.
ClearGlobalErrorCounters Clears Fabric Attach global error counters. Disabled by default.

Configure Fabric Attach I-SID-to-VLAN Assignments


Use this procedure to view or configure FA I-SID-to-VLAN assignment information.


Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Click Fabric Attach.
3. Click the Assignment tab.
4. If you make configuration changes, click Apply to save changes.

Assignments Field Descriptions

Use the data in the following table to use the Assignments tab.

Name Description
IfIndex Specifies the interface identifier of the I-SID-to-VLAN assignment.
Isid Specifies the I-SID value of the I-SID-to-VLAN assignment.
Vlan Specifies the VLAN ID component of the I-SID-to-VLAN assignment.
State Specifies the current state of the I-SID-to-VLAN assignment.
It can be one of the following values:
• Other
• Pending
• Active
• Rejected

Origin Specifies the origin information of the I-SID-to-VLAN assignment.


Isid name Specifies the I-SID name.

Configure Fabric Attach Interface-level Settings


Use this procedure to configure FA interface-level settings or view existing interface-level settings.

You can enable Fabric Attach on a port, static MLT or an LACP MLT. Enabling FA on a port not only
enables tagging but also disables spanning tree on that port. Enabling FA on an MLT enables FA on all
ports of the MLT. When FA is enabled on ports in an MLT or LACP MLT, tagging is enabled and spanning
tree is disabled on all those ports.

Before You Begin

Ensure that FA is enabled globally on the switch.

About This Task

Enabling FA on a port or MLT is necessary for element discovery. On the FA Server, FA is enabled
globally by default. However, you must explicitly enable FA on a desired port or MLT interface, following
which the FA Server can begin transmitting LLDP PDUs that contain the element discovery TLVs.
This information is received by FA Client and FA Proxy devices which in turn also transmit their FA
capabilities and settings. After the element handshake completes, the FA Server receives I-SID-to-VLAN
assignment mappings from the connected client or proxy devices, on that port or MLT.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Click Fabric Attach.


3. Click the Ports tab.


The FA interface-level settings are displayed.
4. To modify existing settings, double-click on the fields on this window. After making the required
changes, click Apply to save your changes.
5. To configure FA on a new port or MLT interface:
a. Click Insert.
The Insert Ports dialog box opens.
b. To configure FA on a port, enter a port number in the format slot/port[/sub-port], or click Port to
select from a list of available ports.
c. To configure FA on an MLT, enter an MLT ID or click Mlt to select from a list of configured MLTs.

Note
FA is successfully enabled on the MLT, only if all ports of the MLT have FA successfully
enabled. Enabling FA enables LLDP on all ports. Tagging is enabled and spanning tree
is disabled.

d. Click Insert to save your changes.


6. To remove (delete) FA on a port or MLT:
a. In the content pane, select a port or MLT from the list.
b. Click Delete.

Caution
Removing FA on an interface flushes all FA element discovery and I-SID-to-VLAN
mappings associated with that interface.

Ports Field Descriptions

Use the data in the following table to use the Ports tab.

Name Description
IfIndex Specifies the interface (port or MLT) on which Fabric Attach is
configured.
State Specifies the current state of the Fabric Attach port. It is either
enabled or disabled.
This field indicates whether LLDP PDUs (that include FA TLVs) are
generated on the port (enabled) or not (disabled).
MsgAuthStatus Specifies the Fabric Attach message authentication status on the
port. It is either enabled or disabled.
MsgAuthKey Specifies the Fabric Attach message authentication key for the
associated port.
The maximum length of this key is 32 characters.
MgmtIsid Specifies the Fabric Attach management I-SID for the associated
port. The range is 0 to 16777215.
A zero value indicates that the management I-SID is not specified
for the interface.

MgmtCvid Specifies the Fabric Attach management customer VLAN ID (C-
VID) for the interface.
A zero value indicates that no C-VID is specified for the interface.
Using the maximum configuration value for your switch indicates
the port is untagged. Platform support determines the C-VID
range.
Origin Specifies the origin of Fabric Attach port, either manually
configured through CLI or EDM, or dynamically configured through
Auto-sense.
Note:
Exception: not supported on VSP
8600 Series or XA1400 Series.

Viewing Fabric Attach discovered elements


Use this procedure to view discovered Fabric Attach elements.

About This Task

When FA is enabled on an FA Server switch, LLDP PDUs are exchanged between the FA Server and
FA Clients or Proxies. Standard LLDPs allow neighbors to be learned. In addition, organizational specific
element discovery TLVs allow the Client or Proxy to recognize that it has attached to an FA Server.
Only after the discovery handshake is complete, an FA Client or Proxy can transmit I-SID-to-VLAN
assignments to join the SPB Fabric through the FA Server.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Click Fabric Attach.
3. In the content pane, click the Elements tab.

Elements field descriptions

Use the data in the following table to use the Elements tab.

Name Description
IfIndex Specifies the interface (port or MLT) at which the Fabric Attach element
was discovered.
ElementType Specifies the element type of the discovered Fabric Attach element, as
advertised using LLDP.
The supported element type is the Fabric Attach Server.
ElementVlan Specifies the VLAN ID of the discovered Fabric Attach element, as
advertised using LLDP.
ElementId Specifies the system ID of the discovered Fabric Attach element, as
advertised using LLDP.
ElementState Specifies the state flag data associated with the discovered Fabric
Attach element, as advertised using LLDP.
ElementOperAuthStatus Specifies the authentication status of the discovered Fabric Attach
element.

ElementAsgnsOperAuthStatus Specifies the authentication status of remote assignments.
ElementAuth Specifies the discovered element authentication status.
AsgnsAuth Specifies the assignment authentication status.

Viewing FA statistics
Use this procedure to view FA statistics.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Click Fabric Attach.
3. In the content pane, click the Stats tab.

Stats field descriptions

Use the data in the following table to use the Stats tab.

Name Description
PortIndex Specifies the port for which the FA statistics are displayed.
DiscElemReceived Specifies the number of element discoveries received on the port.
AsgnReceived Specifies the number of remote assignments received on the port.
AsgnAccepted Specifies the number of remote assignments accepted on the port.
AsgnRejected Specifies the number of remote assignments rejected on the port.
AsgnExpired Specifies the number of remote assignments that have expired, on the
port.
AuthFailed Specifies the number of authentications that have failed on the port.
DiscElemExpired Specifies the number of discovery elements that have expired on the
port.
DiscElemDeleted Specifies the number of discovery elements that are deleted on the
port.
AsgnDeleted Specifies the number of remote assignments deleted on the port.
AsgnAuthFailed Specifies the number of remote assignment authentications that failed
on the port.

View Global FA Statistics Graphically


Use this procedure to view the global FA statistics graphically.

Procedure

1. In the navigation pane, expand Configuration > Graph.


2. Click Chassis.
3. Click the Fabric Attach tab.


4. To view a graphical representation of the statistics, select a row and click the appropriate icon on the
top left-hand-side of the menu bar to draw a line chart, area chart, bar chart or a pie chart.
5. Click Clear Counters to clear the existing counters, and fix a reference point in time to restart the
counters.
6. Click Export, to export the statistical data to a file.
7. To fix a poll interval, select an appropriate value from the Poll Interval drop-down list.

Fabric Attach field descriptions

Use the data in the following table to use the Fabric Attach tab.

Name Description
DiscElemReceived Specifies the number of discovery elements
received globally.
AsgnReceived Specifies the number of remote I-SID-to-VLAN
assignments received globally.
AsgnAccepted Specifies the number of remote I-SID-to-VLAN
assignments accepted globally.
AsgnRejected Specifies the number of remote I-SID-to-VLAN
assignments rejected globally.
AsgnExpired Specifies the number of remote I-SID-to-VLAN
assignments that expired globally.
AuthFailed Specifies the number of authentications that failed
globally.
DiscAuthFailed Specifies the number of discovery authentications
that failed globally.
DiscElemExpired Specifies the number of discovery elements that
expired globally.
DiscElemDeleted Specifies the number of discovery elements that
were deleted globally.
AsgnDeleted Specifies the number of remote assignments that
were deleted globally.

View FA Port Statistics Graphically


Use this procedure to view the FA port statistics graphically.

Before You Begin

Ensure that a switch port is selected in the Device Physical View tab.

Procedure

1. In the navigation pane, expand Graph > Port.


2. Click the Fabric Attach tab.
The FA port statistics are displayed.
3. To view a graphical representation of the port statistics, select a row and click the appropriate icon
on the top left-hand-side of the menu bar to draw a line chart, area chart, bar chart or a pie chart.

4. Click Clear Counters to clear the existing counters, and fix a reference point in time to restart the
counters.
5. Click Export to export the statistical data to a file.
6. To fix a poll interval, select an appropriate value from the Poll Interval drop-down list.

Fabric Attach Field Descriptions

Use the data in the following table to use the Fabric Attach tab.

Name Description
DiscElemReceived Specifies the number of discovery elements received on a given port.
AsgnReceived Specifies the number of remote I-SID-to-VLAN assignments received
on a given port.
AsgnAccepted Specifies the number of remote I-SID-to-VLAN assignments accepted
on a given port.
AsgnRejected Specifies the number of remote I-SID-to-VLAN assignments rejected on
a given port.
AsgnExpired Specifies the number of remote I-SID-to-VLAN assignments that
expired on a given port.
AuthFailed Indicates the number of received TLVs for which authentication was
attempted and failed on the identified port.
DiscElemExpired Specifies the number of discovery elements that expired on a given
port.
DiscElemDeleted Specifies the number of discovery elements that were deleted on a
given port.
AsgnDeleted Specifies the number of remote assignments that were deleted on a
given port.
AsgnAuthFailed Specifies the number of remote assignment authentications that failed
on a given port.

Inserting a Zero Touch Client


Use this procedure to insert an FA Zero Touch Client.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Click Fabric Attach.
3. Click the Zero Touch Client Auto Attach tab.
4. Click Insert.
The Insert Zero Touch Client dialog box opens.
5. In the Type field click the ellipsis and select a client. Click Ok to select the client or Refresh to update
the list.
6. In the Isid field enter the I-SID value.
The I-SID value is between 0 and 16777214.
7. Click Insert.

Configure FA Zero Touch Client Auto Attach


Use this procedure to configure FA Zero Touch Client auto attach.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select Fabric Attach.
3. Select the Zero Touch Client Auto Attach tab.
From the Zero Touch Client Auto Attach tab you can configure a number of auto attach settings.
4. Select Insert.
5. In the Type field, select the ellipsis and select a client.
6. Select Ok to select the client or Refresh to update the list.
7. In the Isid field enter the I-SID value.
8. Select Insert.
9. (Optional) To delete an FA Zero Touch Client, select it from the auto attach table and select Delete.

Zero Touch Client Auto Attach Field Descriptions

Use the data in the following table to use the Zero Touch Client Auto Attach tab.

Field Description
Type This column describes the type of client assigned to auto attach. Available FA client types are:
• Wireless AP (Type 1)
• Wireless AP (Type 2)
• Switch
• Router
• IP Phone
• IP Camera
• IP Video
• Security Device
• Virtual Switch
• Server Endpoint
• ONA (SDN)
• ONA (spb0IP)

Vlan Specifies the VLAN ID component of the I-SID-to-VLAN assignment.
Isid Specifies the I-SID value of the I-SID-to-VLAN assignment.

Configure Endpoint Tracking Using EDM


The following sections provide procedural information to configure Endpoint Tracking using Enterprise
Device Manager (EDM).

Configure Endpoint Tracking Interfaces


Configure ports and MLT/SMLT interfaces for Endpoint Tracking.

Before You Begin


• In Extreme Management Center or ExtremeCloud IQ - Site Engine, configure your third-party
virtualization platform, and the RADIUS server used for Endpoint Tracking authentication. For
information about configuring Extreme Management Center, see the Extreme Management Center or
ExtremeCloud IQ - Site Engine documentation at
https://www.extremenetworks.com/support/documentation/.
• On the switch, add and configure the RADIUS server as configured in Extreme Management
Center or ExtremeCloud IQ - Site Engine.

About This Task

Enable Endpoint Tracking on ports or MLT/SMLT interfaces.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Endpoint Tracking.
3. Select the Interface tab.
4. Select Insert.
5. Select Port or Mlt, select the slot and port number or MLT ID, and select OK.
6. Select InterfaceEnable.
7. Select Insert.
8. Select Apply.

What to Do Next

Configure Endpoint Tracking globally on the switch.

Interface Field Descriptions

Use the data in the following table to use the Interfaces tab.

Name Description
InterfaceIndex Specifies the interface index of the selected port or MLT.
InterfaceEnable Enables Endpoint Tracking on the selected port or MLT.

Configure Endpoint Tracking Globally


Configure Endpoint Tracking globally on the switch.

Before You Begin


• In Extreme Management Center or ExtremeCloud IQ - Site Engine, configure your third-party
virtualization platform, and the RADIUS server used for Endpoint Tracking authentication. For
information about configuring Extreme Management Center or ExtremeCloud IQ - Site Engine,
see the Extreme Management Center or ExtremeCloud IQ - Site Engine documentation at
https://www.extremenetworks.com/support/documentation/.
• On the switch, add and configure the RADIUS server as configured in Extreme Management
Center or ExtremeCloud IQ - Site Engine.
• Create and enable Endpoint Tracking on interfaces.

About This Task

Optionally, if the RADIUS outbound attributes do not include an I-SID value, configure an I-SID offset
value, and globally enable I-SID offset for Endpoint Tracking. The I-SID offset value is used to calculate
an I-SID value for a switched UNI if no I-SID value is provided by the RADIUS server. In that case, the
I-SID value is calculated as follows: I-SID = VLAN ID + configured I-SID offset value.

After optionally configuring an I-SID offset value, enable Endpoint Tracking globally on the switch.

Note
If you have previously enabled Endpoint Tracking globally and want to change the currently
configured I-SID offset value, you must disable Endpoint Tracking globally, change the I-SID
value, and then re-enable Endpoint Tracking globally.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Endpoint Tracking.
3. Select the Globals tab.
4. (Optional) Configure an I-SID offset value, and enable I-SID offset globally on the switch:
Enter a value into the AutoIsidOffset field and select AutoIsidOffsetEnable.
5. Select GlobalEnable.
6. Select Apply.

Globals Field Descriptions

Use the data in the following table to use the Globals tab.

Name Description
AutoIsidOffset The I-SID offset value. The default is 15990000.
AutoIsidOffsetEnable Enables or disables I-SID offset value globally on the switch. The default is
disabled.
GlobalEnable Enables or disables Endpoint Tracking globally on the switch. The default is
disabled.
VisibilityEnable Enables or disables visibility mode for Endpoint Tracking. The default is
disabled.

Display Binding Information


Display Endpoint Tracking binding information.

About This Task

Display all VLAN:ISID binding information on the switch for Endpoint Tracking.

Procedure

1. In the navigation pane, expand Configuration > Edit.


2. Select Endpoint Tracking.
3. Select the Binding tab.

Binding Field Descriptions

Use the data in the following table to use the Binding tab.

Name Description
IfIndex Specifies the interface index of the selected port or MLT.
MacAddress Specifies the MAC address that corresponds to the VLAN:ISID binding.
Status Specifies the Endpoint Tracking data binding status as follows:
• pending: indicates that a request has been sent to the RADIUS server
• accept: indicates that the RADIUS server has successfully returned the request
• reject: indicates that the RADIUS server has rejected the request
• timeout: indicates that the RADIUS server request has timed out. The entry is
deleted if it remains in this state for 15 minutes.
• serverNotConfigured: indicates that the RADIUS server is not configured for
Endpoint Tracking. The entry is deleted if it remains in this state for 15 minutes.

VlanId Specifies the VLAN ID.


Isid Specifies the I-SID value, either provided by the RADIUS server, or calculated using
the VLAN ID plus the configured I-SID offset value.
IsidSource Specifies whether the I-SID value is provided by the RADIUS server (radius), or
calculated using the VLAN ID plus the configured endpoint-tracking offset value
(autoconfig).
Timeout Specifies the timeout period that is applied to the MAC in the bindings table when
the MAC is aged out. If the MAC is in timeout state (there is no response from
the RADIUS server), the timeout triggers immediately with a 15 minute period.
Otherwise, the default timeout is one day, and triggers the moment the MAC
ages out from the VLAN/I-SID bridge forwarding database (FDB) table. The default
timeout of one day can be overridden by the RADIUS server if the Session-Timeout
attribute is configured and returned.
TimeRemaining Specifies the time remaining until the Endpoint Tracking data binding entry expires.

Multi-area SPB Configuration using EDM


Perform the procedures in this section to configure Multi-area SPB parameters like area virtual
node, remote Intermediate-System-to-Intermediate-System (IS-IS), remote Shortest Path Bridging MAC
(SPBM), layer 2 unicast and multicast redistribution, and IPv4 and IPv6 route redistribution on the
switch using the Enterprise Device Manager (EDM).

Configure Multi-area SPB Layer 2 I-SID List

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure a layer 2 I-SID list.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the L2 ISID List tab.
4. Select Insert.
5. Configure the layer 2 I-SID list parameters.
6. Select Insert.

L2 I-SID List Field Descriptions

Use data in the following table to use the L2 I-SID List tab.

Name Description
Name Specifies the name of the layer 2 I-SID list.
RangeStart Specifies the I-SID value as the starting range for the layer 2 I-SID list.
RangeEnd Specifies the I-SID value as the ending range for the layer 2 I-SID list.

Configure Layer 2 Multi-area SPB I-SID Redistribution

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure Multi-area SPB layer 2 redistribution.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the L2 ISID Redist tab.
4. Select Insert.
5. Configure the layer 2 I-SID redistribution parameters.

6. Select Insert.

L2 Redistribute Field Descriptions

Use the data in the following table to use the L2 Redistribute tab.

Name Description
Type Specifies the layer 2 Redistribution type.
Permit Configures the Multi-area SPB layer 2 I-SID redistribution policy as permit or deny.
ExceptListName Configures the name of layer 2 I-SID list. The system does not apply the Multi-area
SPB layer 2 I-SID redistribution policy to I-SID values or the range of I-SID values in
the layer 2 I-SID list.

Configure Multi-area SPB Layer 2 Multicast I-SID Redistribution for Home Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the Multi-area SPB layer 2 multicast redistribution for specific I-SID
value(s) in the home area.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the L2 MC Redist Home ISID tab.
4. Select Insert.
5. In the I-sid field, type the I-SID value.
6. Select Enable.
7. (Optional) In the PolicyName field, type the name of the redistribution policy.
8. Select Insert.

L2 MC Redist Home ISID Field Descriptions

Use the data in the following table to use the L2 MC Redist Home ISID tab.

Name Description
I-sid Specifies the I-SID value.
Enable Enables layer 2 multicast redistribution for specific I-SID value in the home area.
PolicyName Specifies the name of the redistribution policy.

Configure Multi-area SPB L2 Multicast I-SID List Redistribution for Home Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the Multi-area SPB layer 2 multicast I-SID list redistribution for the
home area.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the L2 MC Redist Home ISID List tab.
4. Select Insert.
5. In the ISID List Name field, type the name of the I-SID list.
6. Select Enable.
7. (Optional) In the PolicyName field, type the policy name.
8. Select Insert.

L2 MC Redist Home ISID List Field Descriptions

Use the data in the following table to use the L2 MC Redist Home ISID List tab.

Name Description
ISID List Name Specifies the name of the I-SID list.
Enable Enables Multi-area SPB layer 2 multicast redistribution for the specific I-SID list in the
home area.
PolicyName Specifies the name of the redistribution policy.

Apply Multi-area SPB Layer 2 Multicast Redistribution in Home Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to apply the Multi-area SPB layer 2 multicast redistribution that you configure in
the home area.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the L2 MC Apply Home tab.
4. In the McastApply field, select apply.

L2 MC Apply Home Field Descriptions

Use data in the following table to use the L2 MC Apply Home tab.

Name Description
McastApply Applies or disables the Multi-area SPB layer 2 multicast redistribution in the home area.
• noAction
• apply

Configure Multi-area SPB Layer 2 Multicast I-SID Redistribution for Remote Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the Multi-area SPB layer 2 multicast redistribution for specific I-SID
value(s) in the remote area.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the L2 MC Redist Remote ISID tab.
4. Select Insert.
5. In the I-sid field, type the I-SID value.
6. Select Enable.
7. (Optional) In the PolicyName field, type the name of the redistribution policy.
8. Select Insert.

L2 MC Redist Remote ISID Field Descriptions

Use the data in the following table to use the L2 MC Redist Remote ISID tab.

Name Description
I-sid Specifies the I-SID value.
Enable Enables layer 2 multicast redistribution for specific I-SID value in the remote area.
PolicyName Specifies the name of the redistribution policy.

Configure Multi-area SPB L2 Multicast I-SID List Redistribution for Remote Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the Multi-area SPB layer 2 multicast I-SID list redistribution for the
remote area.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.

2. Select MultiArea.
3. Select the L2 MC Redist Remote ISID List tab.
4. Select Insert.
5. In the ISID List Name field, type the name of the I-SID list.
6. Select Enable.
7. (Optional) In the PolicyName field, type the policy name.
8. Select Insert.

L2 MC Redist Remote ISID List Field Descriptions

Use the data in the following table to use the L2 MC Redist Remote ISID List tab.
Name Description
ISID List Name Specifies the name of the I-SID list.
Enable Enables Multi-area SPB layer 2 multicast redistribution for the specific I-SID list in the
remote area.
PolicyName Specifies the name of the redistribution policy.

Apply Multi-area SPB Layer 2 Multicast Redistribution in Remote Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to apply the Multi-area SPB layer 2 multicast redistribution that you configure in
the remote area.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select MultiArea.
3. Select the L2 MC Apply Remote tab.
4. In the McastApply field, select apply.

L2 MC Apply Remote Field Descriptions

Use data in the following table to use the L2 MC Apply Remote tab.

Name Description
McastApply Applies or disables the Multi-area SPB layer 2 multicast redistribution in the remote area.
• noAction
• apply

Configure Multi-area SPB Layer 3 Redistribution in Home Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure Multi-area SPB layer 3 redistribution in the home area.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the L3 Redist Home tab.
4. Select Insert.
5. In the VrfId field, type the Virtual Router Forwarding ID.
6. In the Type field, select the layer 3 redistribution type.
7. (Optional) In the RoutePolicy field, type the name of the redistribution policy.
8. Select Enable.
9. In the Apply field, select apply.
10. Select Insert.

L3 Redist Home Field Descriptions

Use the data in the following table to use the L3 Redist Home tab.

Name Description
VrfId Specifies the Virtual Router Forwarding ID.
Type Specifies the layer 3 redistribution type. The options are:
• ip-ucast - IPv4 unicast
• ip-mcast - IPv4 multicast
• ipv6-ucast - IPv6 unicast

RoutePolicy Associates a route policy to a specific layer 3 redistribution entry in the home area.
Enable Enables layer 3 redistribution in the home area. The default value is disabled.
Apply Applies the Multi-area SPB layer 3 redistribution filters in the home area. The default
value is noAction.

Configure Multi-area SPB Layer 3 Redistribution in Remote Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure Multi-area SPB layer 3 redistribution in the remote area.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the L3 Redist Remote tab.
4. Select Insert.
5. In the VrfId field, type the Virtual Router Forwarding ID.
6. In the Type field, select the layer 3 redistribution type.
7. (Optional) In the RoutePolicy field, type the name of the redistribution policy.
8. Select Enable.
9. In the Apply field, select apply.
10. Select Insert.

L3 Redist Remote Field Descriptions

Use the data in the following table to use the L3 Redist Remote tab.

Name Description
VrfId Specifies the Virtual Router Forwarding ID.
Type Specifies the layer 3 redistribution type. The options are:
• ip-ucast - IPv4 unicast
• ip-mcast - IPv4 multicast
• ipv6-ucast - IPv6 unicast

RoutePolicy Associates a route policy to a specific layer 3 redistribution entry in the remote area.
Enable Enables layer 3 redistribution in the remote area. The default value is disabled.
Apply Applies the Multi-area SPB layer 3 redistribution filters in the remote area. The default
value is noAction.

Configure Multi-area SPB DvR Redistribution

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the Multi-area SPB Distributed Virtual Routing (DvR) backbone
redistribution on the switch.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select MultiArea.
3. Select the DVR Redistribute tab.
4. Select DvrBbRedistribute.
5. Select Apply.

DVR Redistribute Field Descriptions

Use data in the following table to use the DVR Redistribute tab.

Name Description
DvrBbRedistribute Configures the Multi-area SPB DvR redistribution on the switch. The default is
disabled.

Display Remote IS-IS and SPBM Summary

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the remote Intermediate-System-to-Intermediate-System (IS-IS) and
SPBM summary.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Protocol Summary tab.

Protocol Summary Field Descriptions

Use data in the following table to use the Protocol Summary tab.

Name Description
AdminState Indicates the global status of remote IS-IS on the
switch.
SystemId Indicates the remote IS-IS system ID of the switch.
NodeNickName Indicates the nickname for the remote SPBM
instance globally.
Circuit Index Indicates the identifier of the IS-IS circuit. This
value is for SNMP indexing purposes only and
does not have any relation to any protocol value.
IfIndex Indicates the interface to which the circuit
corresponds.
AdminState Indicates the administrative state of the circuit.
• on
• off

OperState Indicates the operational state of the circuit.
• up
• down

Circuit Index Indicates the unique identifier of the remote IS-IS
circuit. This value is for SNMP Indexing purposes
only and does not have any relation to any
protocol value.
AdjIndex Indicates the value that distinguishes the IS-IS
adjacency from all other such adjacencies on the
circuit. The system dynamically assigns this value
when it forms an adjacency.
Interface Indicates the remote IS-IS interface.
AdjState Indicates the state of the adjacency:
• down
• initializing
• up
• failed

AdjNeighSysID Indicates the system ID of the neighboring IS-IS.
AdjHostName Indicates the host name listed in the LSP, or the
system name if the host name is not configured.

Configure Remote IS-IS Global Parameters

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure remote IS-IS global parameters. SPBM uses IS-IS to discover
network topology, build shortest path trees between network nodes, and communicate network
information in the control plane.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Globals tab.
4. Configure the remote IS-IS global parameters.
5. Click Apply.

Globals Field Descriptions

Use the data in the following table to use the Globals tab.

Name Description
AdminState Specifies the global status of remote IS-IS on the
switch. The default is off.
SystemId Specifies the IS-IS system ID for the switch.
Valid value is a 6-byte value in the format
<xxxx.xxxx.xxxx>.

Important:
After you configure the SPBM nickname and
enable remote IS-IS, if you change the system
ID, you must also change the nickname. However,
changing the nickname could impact the naming
convention or configuration. To maintain the same
nickname with a different system ID, see Job aid
on page 1018.

DynamicallyLearnedArea For FAN members, specifies the remote IS-IS area
that is dynamically learned from the neighbor’s
Hello PDU if the node does not have the IS-IS
manual area configured.
MAOperState Specifies the Multi-area SPB operational state:
• Disabled – Multi-area SPB is disabled on the
switch.
• Init – the switch is initializing to function as a
boundary node.
• Designated – the switch is up and running as a
designated boundary node.
• Non-designated – the switch is up and running
as a non-designated boundary node.
The default is disabled.
MAFlags Specifies the Multi-area SPB as a boundary node
to forward traffic from the UNIs to the remote-
area and from the remote-area to the UNIs
without requiring an established adjacency in the
home area.
The default is disabled.

Configure Remote IS-IS Interfaces

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the remote IS-IS interfaces. SPBM uses IS-IS to discover network
topology, build shortest path trees between network nodes, and communicate network information in
the control plane.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.

2. Select IS-IS Remote.


3. Select the Interfaces tab.
4. Select Insert to create a remote IS-IS instance.
5. Configure the IS-IS interface parameters.
6. Select Insert.

Interfaces Field Descriptions

Use the data in the following table to use the Interfaces tab.

Name Description
Index Specifies the identifier of the circuit, unique within
the Intermediate System. This value is for SNMP
Indexing purposes only and need not have any
relation to any protocol value.
IfIndex Specifies the interface on which the circuit is
configured (port or MLT).
Type Specifies the IS-IS circuit type. Only the point-to-
point (PtToPt) interface type is supported.
AdminState Specifies the administrative state of the circuit: on
or off.
OperState Specifies the operational state of the circuit.
AuthType Specifies the authentication type:
• none
• simple: If selected, you must also specify a
key value, but the key ID is optional. Simple
password authentication uses a text password
in the transmitted packet. The receiving router
uses an authentication key (password) to verify
the packet.
• hmac-md5: If selected, you must also specify
a key value, but the key ID is optional. MD5
authentication creates an encoded checksum
in the transmitted packet. The receiving router
uses an authentication key (password) to verify
the MD5 checksum of the packet.
• hmac-sha-256: If selected, you must also
specify a key value, but the key ID is optional.
With SHA-256 authentication, the switch adds
an hmac-sha-256 digest to each Hello packet.
The switch that receives the Hello packet
computes the digest of the packet and
compares it with the received digest. If the
digests match, the packet is accepted. If the
digests do not match, the receiving switch
discards the packet.

Note:
Secure Hash Algorithm 256 bits (SHA-256) is a
cryptographic hash function in the SHA-2 family.
You can use SHA-256 to authenticate IS-IS Hello
messages. This authentication method uses the
SHA-256 hash function and a secret key to
establish a secure connection between switches
that share the same key.
This feature is in full compliance with RFC 5310.

The default is none.
AuthKey Specifies the authentication key.
KeyId Specifies the authentication key ID.
LevelType Specifies the router type globally:
• level1: Level-1 router type
• level1and2: Level-1/2 router type. This type is
not supported.
The default value is level1.
NumAdj Specifies the number of adjacencies on this circuit.
NumUpAdj Specifies the number of adjacencies that are up.
AutoNniEnable Enable to have the node create an IS-IS interface,
attach the interface to an SPBM instance, and then
enable IS-IS on the port interface.
This field displays on the Insert Interfaces dialog
box and applies to port interfaces only.
Origin Specifies the origin of the IS-IS circuit
configuration on the port, either manually
configured through CLI or EDM or dynamically
configured through Auto-sense.
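
The receive-side check that the hmac-sha-256 AuthType entry above describes, as an added Python sketch (not Extreme Networks code): the sender appends an authentication TLV carrying an HMAC-SHA-256 digest, and the receiver recomputes the digest and discards the Hello on a mismatch. The Hello body bytes, key and key ID are constructed, the authentication TLV is assumed to be the last TLV in the PDU, and the key-preparation rules of RFC 5310 are not modeled.

```python
import hashlib
import hmac
import struct

AUTH_TLV_TYPE = 10        # IS-IS Authentication Information TLV
AUTH_TYPE_GENERIC = 3     # RFC 5310 generic cryptographic authentication
DIGEST_LEN = hashlib.sha256().digest_size            # 32 bytes
# RFC 5310 fills the digest field with this pattern while the HMAC is computed.
APAD = bytes.fromhex("878FE1F3") * (DIGEST_LEN // 4)
TLV_LEN = 2 + 1 + 2 + DIGEST_LEN   # type/len header + auth type + key ID + digest

# Constructed sample input: placeholder bytes, not a real IIH encoding.
HELLO_BODY = bytes.fromhex("8314010011010000") + b"constructed-hello-tlvs"
# Constructed key table (key ID -> shared secret), as both neighbors would hold it.
KEYS = {1: b"constructed-shared-key"}


def _auth_tlv(key_id, auth_data):
    """Encode the authentication TLV: type, length, auth type, key ID, data."""
    value = struct.pack("!BH", AUTH_TYPE_GENERIC, key_id) + auth_data
    return struct.pack("!BB", AUTH_TLV_TYPE, len(value)) + value


def sign_hello(body, key, key_id):
    """Sender side: digest the PDU with APAD in the digest field, then swap it in."""
    padded = body + _auth_tlv(key_id, APAD)
    digest = hmac.new(key, padded, hashlib.sha256).digest()
    return body + _auth_tlv(key_id, digest)


def verify_hello(pdu, keys):
    """Receiver side: return True to accept the Hello, False to discard it."""
    if len(pdu) < TLV_LEN:
        return False                      # too short to carry the TLV
    body, tlv = pdu[:-TLV_LEN], pdu[-TLV_LEN:]
    tlv_type, tlv_len, auth_type, key_id = struct.unpack("!BBBH", tlv[:5])
    if (tlv_type, tlv_len, auth_type) != (
        AUTH_TLV_TYPE, TLV_LEN - 2, AUTH_TYPE_GENERIC
    ):
        return False                      # missing or malformed authentication TLV
    key = keys.get(key_id)
    if key is None:
        return False                      # key ID not configured on this side
    expected = hmac.new(
        key, body + _auth_tlv(key_id, APAD), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(expected, tlv[5:])


def demo():
    """Run the accept and discard cases on the constructed Hello."""
    signed = sign_hello(HELLO_BODY, KEYS[1], 1)
    tampered = bytes([signed[0] ^ 0x01]) + signed[1:]
    return {
        "valid": verify_hello(signed, KEYS),
        "tampered_body": verify_hello(tampered, KEYS),
        "wrong_key": verify_hello(signed, {1: b"different-key"}),
        "unknown_key_id": verify_hello(signed, {2: KEYS[1]}),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accept" if accepted else "discard")
```

Unlike the simple type, the key never appears in the packet, so a mismatch on either side shows up only as discarded Hellos and an adjacency that does not come up.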

Configure Remote IS-IS Interface Level Parameters

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure remote IS-IS interface level parameters. SPBM uses IS-IS to discover
network topology, build shortest path trees between network nodes, and communicate network
information in the control plane.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Interfaces Level tab.
4. Configure the remote IS-IS interface level parameters.
5. Select Apply.

Interfaces Level Field Descriptions

Use the data in the following table to use the Interfaces Level tab.

Name Description
Index Specifies the identifier of the circuit, the value is unique
within the remote IS-IS. The value is for SNMP Indexing
purposes only and does not relate to any protocol value.
Level Specifies the router type globally:
• l1: Level1 router type
• l12: Level1/Level2 router type. This type is not supported.
The default value is l1.
ISPriority Specifies an integer sub-range for remote IS-IS priority. The
default is 64.
HelloTimer Configures the level 1 hello interval.
Specifies the maximum period, in milliseconds, between IS-IS
Hello Packets (IIH) PDUs on multiaccess networks at this level
for LANs. The value at Level1 is used as the period between
Hellos on Level1/Level2 point-to-point circuits. Setting this
value at Level 2 on a Level1/Level2 point-to-point circuit
results in an error of InconsistentValue.
The default value is 9000 milliseconds or 9 seconds.
HelloMultiplier Configures the level 1 hello multiplier. The default value is 3
seconds.
DRHelloTimer Indicates the period, in milliseconds, between Hello PDUs on
multiaccess networks when this Intermediate System is the
Designated Intermediate System. The default is 3.

Configure Remote SPBM on an Interface

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure remote Shortest Path Bridging MAC (SPBM) on an interface.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Interfaces tab.
4. Select the SPBM button.
5. Select Insert.
6. Configure the interfaces SPBM parameters.
7. Select Insert.

SPBM Field Descriptions

Use data in the following table to use the Interfaces SPBM tab.

Name Description
Index Specifies an Index value for the remote SPBM
interface.
SpbmId Specifies the remote SPBM ID.
State Specifies whether the remote SPBM interface is
enabled or disabled.
Type Configures the remote SPBM instance interface-type
on the IS-IS interface on the specific port
or MLT. The values are point-to-point (ptpt) or
broadcast (bcast). The system supports the ptpt
interface type only.

L1Metric Configures the remote SPBM instance l1-metric on
the IS-IS interface on the specific port or MLT. The
default value is 10.
Origin Specifies the source of the remote SPBM instance
configuration.
• config - configure manually through CLI or
EDM.
• dynamic - configure dynamically through
Auto-sense.

View Statistical Graph of Remote IS-IS Interface Counters

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view a statistical graph of the remote IS-IS interface counters.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Interfaces tab.
4. Select an interface.
5. Select the Graph button.

Interface Counters Field Descriptions

The following table describes the fields in the Interface Counters tab.

Name Description
InitFails Indicates the number of times initialization of this circuit has
failed. This counts events such as PPP NCP failures.
RejAdjs Indicates the number of times an adjacency has been
rejected on this circuit.
IDFieldLenMismatches Indicates the number of times an Intermediate-System-to-
Intermediate-System (IS-IS) control PDU with an ID field
length different from that for this system has been received.
MaxAreaAddrMismatches Indicates the number of times an IS-IS control PDU with a
max area address field different from that for this system has
been received.
AuthFails Indicates the number of times an IS-IS control PDU with the
correct auth type has failed to pass authentication validation.
LANDesISChanges Indicates the number of times the Designated IS has changed
on this circuit at this level. If the circuit is point to point, this
count is zero.

AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.
Average/Sec Displays the average value for each second.
Minimum/Sec Displays the minimum value for each second.
Maximum/Sec Displays the maximum value for each second.
Last Val/Sec Displays the last value for each second.
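
The graph columns in the Interface Counters table can be reproduced from raw counter polls, which helps when AuthFails or RejAdjs must be watched outside EDM. This is an added example, not part of the original guide and not Extreme Networks code; the 32-bit counter wrap, the reading of the /Sec columns as per-interval rates, the watch list, and the sample values are assumptions.

```python
"""Derive EDM-style graph columns from successive polls of an IS-IS interface
counter and report watched counters that increased.
Added example; the sample polls below are constructed."""

COUNTER_MODULUS = 2 ** 32  # assumption: counters are 32-bit and wrap to 0

# Counters from the Interface Counters table that indicate rejected or
# malformed control traffic when they move (the choice of list is an assumption).
WATCHED = ("AuthFails", "RejAdjs", "IDFieldLenMismatches", "MaxAreaAddrMismatches")


def graph_columns(samples):
    """samples: [(seconds, counter_value), ...] in time order.

    The first sample stands for the moment the statistics tab was opened.
    """
    if len(samples) < 2:
        raise ValueError("need at least two polls to compute a rate")
    cumulative = 0
    rates = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("polls must be strictly increasing in time")
        delta = (v1 - v0) % COUNTER_MODULUS  # stays correct across one wrap
        cumulative += delta
        rates.append(delta / (t1 - t0))
    elapsed = samples[-1][0] - samples[0][0]
    return {
        "AbsoluteValue": samples[-1][1],
        "Cumulative": cumulative,
        "Average/Sec": cumulative / elapsed,
        "Minimum/Sec": min(rates),
        "Maximum/Sec": max(rates),
        "Last Val/Sec": rates[-1],
    }


def moved_counters(polls, watched=WATCHED):
    """polls: {counter_name: samples}. Return {name: increase} for every
    watched counter that increased during the polling window."""
    hits = {}
    for name in watched:
        if name in polls:
            increase = graph_columns(polls[name])["Cumulative"]
            if increase:
                hits[name] = increase
    return hits


# Constructed polls taken 10 seconds apart. AuthFails wraps past 2**32 - 1.
SAMPLE_POLLS = {
    "AuthFails": [(0, 4294967290), (10, 4294967295), (20, 14), (30, 14)],
    "RejAdjs": [(0, 3), (10, 3), (20, 3), (30, 3)],
    "InitFails": [(0, 0), (10, 1), (20, 1), (30, 1)],  # not on the watch list
}

if __name__ == "__main__":
    for column, value in graph_columns(SAMPLE_POLLS["AuthFails"]).items():
        print(f"{column:14} {value}")
    print("increased:", moved_counters(SAMPLE_POLLS))
```
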

View Statistical Graph of Remote IS-IS Interface Sending Control Packets

Note
This procedure applies only to the VSP 7400 Series.

About This Task

Perform this procedure to view a statistical graph of the remote IS-IS interface sending control packets.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Interfaces tab.
4. Select an interface.
5. Select the Graph button.
6. Select the Interface Sending Control Packets tab.

Interface Sending Control Packets Field Descriptions

Use data in the following table to use the Interface Sending Control Packets tab.

Name Description
Hello Indicates the number of IS-IS Hello (IIH) PDUs seen in this
direction at this level. Point-to-Point IIH PDUs are counted at
the lowest enabled level: at L1 on L1 or L1L2 circuits, and
at L2 otherwise.
LSP Indicates the number of IS-IS LSP frames seen in this
direction at this level.
CSNP Indicates the number of IS-IS Complete Sequence Number
Packet (CSNP) frames seen in this direction at this level.
PSNP Indicates the number of IS-IS Partial Sequence Number
Packets (PSNPs) seen in this direction at this level.
AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.
Average/Sec Displays the average value for each second.
Minimum/Sec Displays the minimum value for each second.

Maximum/Sec Displays the maximum value for each second.
Last Val/Sec Displays the last value for each second.

View Statistical Graph of Remote IS-IS Interface Receiving Control Packets

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view a statistical graph of the remote IS-IS interface receiving control packets.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Interfaces tab.
4. Select an interface.
5. Select the Graph button.
6. Select the Interface Receiving Control Packets tab.

Interface Receiving Control Packets Field Descriptions

Use data in the following table to use the Interface Receiving Control Packets tab.

Name Description
Hello Indicates the number of IS-IS Hello PDUs seen in this
direction at this level. Point-to-Point IIH PDUs are counted
at the lowest enabled level: at L1 on L1 or L1L2 circuits, and at
L2 otherwise.
LSP Indicates the number of IS-IS link-state packet (LSP) frames
seen in this direction at this level.
CSNP Indicates the number of IS-IS Complete Sequence Number
Packet (CSNP) frames seen in this direction at this level.
PSNP Indicates the number of IS-IS Partial Sequence Number
Packets (PSNPs) seen in this direction at this level.
AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.
Average/Sec Displays the average value for each second.
Minimum/Sec Displays the minimum value for each second.
Maximum/Sec Displays the maximum value for each second.
Last Val/Sec Displays the last value for each second.


Configure Remote IS-IS Manual Area

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure a remote IS-IS manual area.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Manual Area tab.
4. Select Insert.
5. In the AreaAddr field, type the Area Address.
6. Select Insert.

Manual Area Field Descriptions

Use the data in the following table to use the Manual Area tab.

Name Description
AreaAddr Specifies the remote IS-IS manual-area in the
range of 1 to 13 bytes.

View Level 1 Remote Area Information

Note
This procedure applies only to the VSP 7400 Series.

About This Task

Perform this procedure to display Level 1 remote area information. Remote Intermediate-System-to-
Intermediate-System (IS-IS) provides support for hierarchical routing, which enables the system to
partition large routing domains into smaller areas. Remote IS-IS uses a two-level hierarchy, dividing the
domain into multiple Level 1 areas and one Level 2 area. The Level 2 area serves as the backbone of the
domain, connecting to all the Level 1 areas.

Important
The IEEE 802.1aq standard currently only defines the use of one hierarchy, Level 1. Level 2
function is disabled.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the L1 Area tab.


L1 Area Remote Field Descriptions

Use the data in the following table to use the L1 Area Remote tab.

Name Description
AreaAddr Specifies an area address reported in a Level 1 link-state
packet (LSP) that the system generates or receives through
the Intermediate System.

View Remote LSP Summary Information

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the remote link-state packet (LSP) summary information. LSPs
contain information about the state of adjacencies or defined and distributed
static routes. Intermediate-System-to-Intermediate-System (IS-IS) exchanges this information with
neighboring IS-IS routers at periodic intervals.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the LSP Summary tab.

LSP Summary Field Descriptions

Use the data in the following table to use the LSP Summary tab.

Name Description
Level Specifies the level at which the system displays the remote
LSP.
ID Specifies the 8-byte LSP ID, consisting of the system ID,
circuit ID, and Fragment Number.
Seq Specifies the sequence number for the LSP.
Checksum Specifies the 16-bit Fletcher Checksum for the LSP.
LifetimeRemain Specifies the remaining lifetime in seconds for the LSP.
HostName Specifies the host name.

View Remote IS-IS Adjacencies

Note
This procedure only applies to the VSP 7400 Series.


About This Task

Perform this procedure to view remote IS-IS adjacency information. The platform sends IS-IS Hello
(IIH) packets to discover IS-IS neighbors and establish and maintain the IS-IS adjacency. The platform
continues to send IIH packets to maintain the adjacencies that the system establishes. For two nodes to
form an adjacency, the B-VLAN pairs for the primary B-VLAN and secondary B-VLAN must match.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Adjacency tab.

Adjacency Field Descriptions

Use the data in the following table to use the Adjacency tab.

Name Description
Interface Specifies the remote IS-IS interface on which the adjacency is
found.
Level Indicates the level of the remote IS-IS interface (Level 1
[default] or Level 2).
State Specifies the state of the adjacency:
• down
• initializing
• up
• failed

LastUpTime Indicates when the adjacency most recently entered the
state up, measured in hundredths of a second since the
last re-initialization of the network management subsystem.
Displays 0 if the adjacency has never been in state up.
NeighPriority Specifies the priority of the neighboring Intermediate System
to transition to the Designated Intermediate System.
HoldTimer Specifies the holding time in seconds for this adjacency. This
value is based on received IS-IS Hello (IIH) PDUs and the
elapsed time since receipt.
NeighSysID Specifies the system ID of the neighboring Intermediate
System.
AdjHostName Specifies the host name listed in the LSP.
ParallelActive Specifies if the current adjacency among all the parallel
adjacencies between two nodes is active. The values are:
• true
• false

Configure IS-IS Area Virtual Node

Note
This procedure only applies to the VSP 7400 Series.


About This Task

Perform this procedure to configure the area virtual node parameters like system name, system ID, and
nickname on the Intermediate-System-to-Intermediate-System (IS-IS) instance.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS.
3. Select the Area VNode tab.
4. Configure the parameters.
5. Select Apply.

Area VNode Field Descriptions

Use the data in the following table to use the Area VNode tab.

Name Description
VNodeNickName Specifies the nickname of the virtual node on the IS-IS instance.
VNodeSysId Specifies the system ID of the virtual node on the IS-IS instance.
VNodeSysName Specifies the system name of the virtual node on the IS-IS instance.

Configure Remote IS-IS Area Virtual Node

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the area virtual node parameters like system name, system ID, and
nickname on the remote Intermediate-System-to-Intermediate-System (IS-IS) instance.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select IS-IS Remote.
3. Select the Area VNode tab.
4. Configure the parameters.
5. Select Apply.

Area VNode Field Descriptions

Use the data in the following table to use the Area VNode tab.

Name Description
VNodeNickName Specifies the nickname of the virtual node on the remote IS-IS instance.
VNodeSysId Specifies the system ID of the virtual node on the remote IS-IS instance.
VNodeSysName Specifies the system name of the virtual node on the remote IS-IS instance.


Configure Remote SPBM Parameters

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure remote SPBM global parameters. SPBM uses the remote
Intermediate-System-to-Intermediate-System (IS-IS) link state routing protocol to provide a loop free
Ethernet topology that creates a shortest path topology from every node to every other node in the
network based on node MAC addresses.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the SPBM tab.
4. Select Insert to create a remote SPBM instance.
5. Configure the remote SPBM parameters.
6. Select Insert.

SPBM Field Descriptions

Use data in the following table to use the SPBM tab.

Name Description
Id Specifies the remote SPBM instance ID.
NodeNickName Specifies a nickname for the remote SPBM
instance globally. The value is 2.5 bytes in the
format <x.xx.xx>.
PrimaryVlan Specifies the primary SPBM B-VLANs to add to
the remote SPBM instance.
Vlans Specifies the SPBM B-VLANs to add to the remote
SPBM instance.
LsdbTrap Enables or disables a trap when the SPBM LSDB
changes. The default is disable.
IpShortcut Enables or disables SPBM IP shortcut state. The
default is disable.
SmltSplitBEB Specifies whether the switch is the primary or
secondary vIST peer. The default is primary.
SmltVirtualBmac Specifies a virtual MAC address that can be used
by both peers.
SmltPeerSysId Specifies the system ID of the SPBM SMLT for this
remote SPBM instance.
Mcast Specifies if IP multicast over remote SPBM is
enabled. The default is disabled.
McastFwdCacheTimeout Specifies the global forward cache timeout in
seconds. The default is 210 seconds.

Ipv6Shortcut Enables or disables SPBM IPv6 shortcut state. The
default is disable.
McastSpbPimGwControllerEnable Enables or disables ISIS PLSB Multicast SPB PIM
Gateway controller. Disabled by default.
McastSpbPimGwGatewayEnable Enables or disables ISIS PLSB Multicast SPB PIM
Gateway. Disabled by default.
StpMultiHoming Enables or disables MSTP-Fabric Connect Multi
Homing.
The default is disabled (false).
BVlanOrigin Specifies the origin of the B-VLAN. The values are:
• config - manual configuration using CLI or
SNMP.
• dynamic - through Zero Touch Fabric
Configuration and Auto-sense.
The default is dynamic.

Configure Remote SPBM Parameters on the Interface

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to configure the remote SPBM interface parameters.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the Interfaces SPBM tab.
4. Select Insert to create a remote SPBM instance on the interface.
5. Configure the remote SPBM interface parameters.
6. Select Insert.

Interfaces SPBM Field Descriptions

Use the data in the following table to use the Interfaces SPBM tab.

Name Description
Index Specifies an Index value for the remote SPBM
interface.
SpbmId Specifies the remote SPBM ID.
State Specifies whether the remote SPBM interface is
enabled or disabled.

Type Configures the remote SPBM instance interface-type
on the IS-IS interface on the specific port
or MLT. The values are point-to-point (ptpt) or
broadcast (bcast). The system supports the ptpt
interface type only.
L1Metric Configures the remote SPBM instance l1-metric on
the IS-IS interface on the specific port or MLT. The
default value is 10.
Origin Specifies the source of the remote SPBM instance
configuration.
• config - configure manually through CLI or
EDM.
• dynamic - configure dynamically through
Auto-sense.

View Remote SPBM I-SID Information

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the SPBM Service Instance Identifier (I-SID) information. The SPBM
B-MAC header includes an I-SID with a length of 24 bits. This I-SID can be used to identify and transmit
any virtualized traffic in an encapsulated SPBM frame.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the I-SID tab.
4. (Optional) Select the Filter button to filter the rows on the basis of specific criteria.

I-SID Field Descriptions

Use data in the following table to use the I-SID tab.

Name Description
SysId Indicates the system identifier.
Vlan Indicates the B-VLAN where the remote I-SID is configured
or discovered.
Isid Indicates the remote IS-IS SPBM I-SID identifier.
NickName Indicates the nickname of the node where the remote I-SID is
configured or discovered.

HostName Indicates the host name listed in the LSP, or the system
name, if you do not configure the host name.
Type Indicates the remote SPBM I-SID type. The values are
discover or configure.

View Remote SPBM Nicknames

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view remote SPBM nicknames on the switch.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the Nick Names tab.

Nick Names Field Descriptions

Use the data in the following table to use the Nick Names tab.

Name Description
Level Indicates the level at which the system displays this LSP.
ID Indicates the 8-byte LSP ID, consisting of the System ID,
Circuit ID, and Fragment Number.
LifetimeRemain Indicates the remaining lifetime in seconds for the LSP.
NickName Indicates the nickname for the remote SPBM node.
HostName Indicates the hostname that the system displays in the LSP,
or the system name if the host name is not configured.
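
The identifier fields described in these tables (the 8-byte LSP ID, the 2.5-byte nickname in the format <x.xx.xx>, and the 1 to 13 byte AreaAddr) can be validated before they are entered or compared across rows. This is an added example, not part of the original guide and not Extreme Networks code; the dotted text renderings, the hexadecimal reading of the nickname digits, the duplicate-nickname check, and all sample values are assumptions.

```python
"""Parse and sanity-check the identifier fields shown on the remote IS-IS and
SPBM tabs. Added example; all sample values are constructed."""
import re

_HEX = re.compile(r"[0-9a-fA-F]+")
_NICK = re.compile(r"[0-9a-fA-F]\.[0-9a-fA-F]{2}\.[0-9a-fA-F]{2}")


def parse_lsp_id(raw):
    """Split the 8-byte LSP ID into system ID, circuit ID and fragment number."""
    if len(raw) != 8:
        raise ValueError("LSP ID must be exactly 8 bytes")
    hexid = raw[:6].hex()
    system_id = ".".join(hexid[i:i + 4] for i in (0, 4, 8))
    circuit_id, fragment = raw[6], raw[7]
    return {
        "system_id": system_id,
        "circuit_id": circuit_id,
        "fragment": fragment,
        # Assumed rendering: dotted system ID, then circuit ID and fragment.
        "text": f"{system_id}.{circuit_id:02x}-{fragment:02x}",
    }


def parse_nickname(text):
    """Return the 20-bit (2.5-byte) value of a nickname written as x.xx.xx."""
    if not _NICK.fullmatch(text):
        raise ValueError(f"nickname {text!r} is not in the form x.xx.xx")
    return int(text.replace(".", ""), 16)


def format_nickname(value):
    """Render a 20-bit nickname value back into the x.xx.xx form."""
    if not 0 <= value < 1 << 20:
        raise ValueError("nickname does not fit in 2.5 bytes")
    digits = f"{value:05x}"
    return f"{digits[0]}.{digits[1:3]}.{digits[3:5]}"


def parse_area_address(text):
    """Return the area address bytes; dots are separators only (assumption)."""
    digits = text.replace(".", "")
    if not _HEX.fullmatch(digits) or len(digits) % 2:
        raise ValueError("area address must be whole bytes of hex digits")
    raw = bytes.fromhex(digits)
    if not 1 <= len(raw) <= 13:
        raise ValueError("area address must be 1 to 13 bytes long")
    return raw


def nickname_conflicts(rows):
    """rows: dicts with the Nick Names tab fields 'ID' (8 raw bytes) and
    'NickName'. Return {nickname: [system IDs]} for every nickname that is
    reported under more than one system ID. Several LSP fragments from the
    same system are not a conflict."""
    owners = {}
    for row in rows:
        system_id = parse_lsp_id(row["ID"])["system_id"]
        owners.setdefault(parse_nickname(row["NickName"]), set()).add(system_id)
    return {format_nickname(nick): sorted(ids)
            for nick, ids in owners.items() if len(ids) > 1}


# Constructed rows: two fragments from one node, one node reusing its
# nickname, and one unrelated node.
SAMPLE_ROWS = [
    {"ID": bytes.fromhex("0014c7e133df0000"), "NickName": "1.11.16"},
    {"ID": bytes.fromhex("0014c7e133df0001"), "NickName": "1.11.16"},
    {"ID": bytes.fromhex("00bb000002000000"), "NickName": "1.11.16"},
    {"ID": bytes.fromhex("00aa000001000000"), "NickName": "0.00.01"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(parse_lsp_id(row["ID"])["text"], row["NickName"])
    print("conflicts:", nickname_conflicts(SAMPLE_ROWS))
    print("area:", parse_area_address("49.0001").hex())
```
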

View Remote IP Unicast FIB

Note
This procedure only applies to the VSP 7400 Series.

In SPBM, each node has a System ID, which also serves as the Backbone MAC address (B-MAC) of
the switch. The system populates these Backbone MAC addresses into the SPBM VLAN Forwarding
Information Base (FIB). When the system discovers a network topology and stores it in the IS-IS
link-state database, each node calculates shortest path trees for each source node, so that a unicast
path now exists from every node to every other node. With this information, each node populates
unicast information that it receives from SPBM into the FIB for forwarding purposes.


I-SIDs are only used for virtual services (Layer 2 VSNs and Layer 3 VSNs). If you only enable IP Shortcuts
on the Backbone Edge Bridges, I-SIDs are never exchanged in the network as IP Shortcuts allows for
Global Routing Table (GRT) IP networks to be transported across IS-IS.

The system adds the routes within the same VSN to the LSDB with a default preference of 7 and the
inter-VSN routes with a route preference of 200. With IS-IS accept policies you can change the route
preference for incoming routes. If the system learns the same route from multiple sources with different
route preferences, then the routes are not equal cost multipath (ECMP) routes. The system prefers the
route with the lowest route preference. In Layer 2, if there is a tie-break between routes from multiple
sources, the tie-breaking is based on cost and hop count.

About This Task

Perform this procedure to display the remote IP unicast FIB. You can view the IP routes from remote
Backbone Edge Bridges (BEBs).

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the IP Unicast FIB tab.
4. (Optional) Select the Filter button to filter the rows on the basis of specific criteria.

IP Unicast FIB Field Descriptions

Use the data in the following table to use the IP Unicast FIB tab.

Name Description
VrfId Specifies the VRF ID of the remote IP unicast FIB entry; 0
indicates NRE.
DestinationIpAddrType Specifies the address type of the destination IP address.
DestinationIpAddr Specifies the destination IP Address of the remote IP unicast
FIB entry.
DestinationMask Specifies the destination IP mask of the remote IP unicast FIB
entry.
NextHopBmac Specifies the nexthop B-MAC of the remote IP unicast FIB
entry.
DestIsid Specifies the destination I-SID of the remote IP unicast FIB
entry.
Vlan Specifies the VLAN of the remote IP unicast FIB entry.
Isid Specifies the I-SID of the remote IP unicast FIB entry.
NextHopName Specifies the nexthop hostname of the remote IP unicast FIB
entry.
OutgoingPort Specifies the outgoing port of the remote IP unicast FIB
entry.
PrefixCost Specifies the prefix cost of the remote IP unicast FIB entry.
SpbmCost Specifies the B-MAC cost of the remote IP unicast FIB entry.

Preference Specifies the IP Route preference of the remote IP unicast FIB
entry.
MetricType Specifies the IP Metric Type of the remote IP unicast FIB
entry.

View Remote IPv6 Unicast FIB

Note
This procedure only applies to the VSP 7400 Series.

In SPBM, each node has a System ID, which also serves as the Backbone MAC address (B-MAC) of
the switch. The system populates these Backbone MAC addresses into the SPBM VLAN Forwarding
Information Base (FIB). When the system discovers a network topology and stores it in the IS-IS
link-state database, each node calculates shortest path trees for each source node, so that a unicast
path now exists from every node to every other node. With this information, each node populates
unicast information that it receives from SPBM into the FIB for forwarding purposes.

I-SIDs are only used for virtual services (Layer 2 VSNs and Layer 3 VSNs). If you only enable IP Shortcuts
on the Backbone Edge Bridges, I-SIDs are not exchanged in the network as IP Shortcuts allows for
Global Routing Table (GRT) IP networks to be transported across IS-IS.

About This Task

Perform this procedure to display the remote IPv6 unicast FIB. You can view the IPv6 routes from
remote Backbone Edge Bridges (BEBs).

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the IPv6 Unicast FIB tab.
4. (Optional) Select the Filter button to filter the rows on the basis of specific criteria.

IPv6 Unicast FIB Field Descriptions

Use the data in the following table to use the IPv6 Unicast FIB tab.

Name Description
VrfId Specifies the VRF ID of the remote IPv6 unicast FIB entry; 0
indicates NRE.
DestinationIpAddrType Specifies the address type of the destination IPv6 address.
DestinationIpAddr Specifies the destination IPv6 Address of the remote IPv6
unicast FIB entry.
DestinationMask Specifies the destination IPv6 mask of the remote IPv6
unicast FIB entry.
NextHopBmac Specifies the nexthop B-MAC of the remote IPv6 unicast FIB
entry.

DestIsid Specifies the destination I-SID of the remote IPv6 unicast FIB
entry.
Vlan Specifies the VLAN of the remote IPv6 unicast FIB entry.
Isid Specifies the I-SID of the IPv6 unicast FIB entry.
NextHopName Specifies the nexthop hostname of the remote IPv6 unicast
FIB entry.
OutgoingPort Specifies the outgoing port of the remote IPv6 unicast FIB
entry.
PrefixCost Specifies the prefix cost of the remote IPv6 unicast FIB entry.
SpbmCost Specifies the B-MAC cost of the remote IPv6 unicast FIB
entry.
MetricType Specifies the Metric Type of the remote IPv6 unicast FIB
entry.

View Remote Unicast FIB

Note
This procedure only applies to the VSP 7400 Series.

In SPBM, the IS-IS link-state database carries the B-MAC addresses. To do this, SPBM supports an IS-IS
TLV that advertises the I-SID and B-MAC information across the network. Each node has a System ID,
which also serves as the Backbone MAC address (B-MAC) of the switch. These Backbone MAC addresses
are populated into the SPBM VLAN Forwarding Information Base (FIB).

When the system discovers a network topology and stores it in the IS-IS link-state database, each node
calculates shortest path trees for each source node, so that a unicast path now exists from every node
to every other node. With this information, each node populates unicast information that it receives
from SPBM into the FIB for forwarding purposes.

About This Task

Perform this procedure to view the remote unicast FIB.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the Unicast FIB tab.

Unicast FIB Remote Field Descriptions

Use the data in the following table to use the Unicast FIB Remote tab.


Name Description
SysId Specifies the system ID of the node where the remote unicast
FIB entry originates.
Vlan Specifies the VLAN of the remote unicast FIB entry.
DestinationMacAddr Specifies the destination MAC Address of the remote unicast
FIB entry.
OutgoingPort Specifies the outgoing port of the remote unicast FIB entry.
HostName Specifies the host name of the node where the remote
unicast FIB entry originates.
Cost Specifies the cost of the remote unicast FIB entry.

View Remote Multicast FIB

Note
This procedure only applies to the VSP 7400 Series.

In SPBM, the IS-IS link-state database carries the B-MAC addresses. To do this, SPBM supports an IS-IS
TLV that advertises the I-SID and B-MAC information across the network. Each node has a System
ID, which also serves as the Backbone MAC address (B-MAC) of the switch. The system populates these
Backbone MAC addresses into the SPBM VLAN Forwarding Information Base (FIB).

When the system discovers a network topology and stores it in the IS-IS link-state database, each node
calculates shortest path trees for each source node, so that a unicast path now exists from every node
to every other node. With this information, each node populates unicast information that it receives
from SPBM into the FIB for forwarding purposes.

The system produces the remote multicast FIB only after you configure the virtual services and the
system learns them.

About This Task

Perform this procedure to view the remote multicast FIB.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the Multicast FIB tab.

Multicast FIB Field Descriptions

Use the data in the following table to use the Multicast FIB tab.

Name Description
SysId Specifies the system ID of the node where the remote
multicast FIB entry originates.
Vlan Specifies the VLAN ID of the remote multicast FIB entry.

McastDestMacAddr Specifies the multicast destination MAC Address of the
remote multicast FIB entry.
Isid Specifies the I-SID value in the remote multicast FIB entry.
Isid Name Specifies the name that the system assigns to the I-SID.
HostName Specifies the host name of the node where the multicast FIB
entry originates.
OutgoingInterfaces Specifies the switched UNI port outgoing interface of the
remote multicast FIB entry.
IncomingInterface Specifies the incoming interface (port or MLT) of the remote
multicast FIB entry.

View Remote IP Multicast over Fabric Connect Routes

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the remote IP Multicast over Fabric Connect routes.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the IpMcastRoutes tab.

IpMcastRoutes Field Descriptions

Use the data in the following table to use the IpMcastRoutes tab.

Name Description
VsnIsid Specifies the VSN I-SID. Layer 2 VSN and Layer 3
VSN each require a VSN I-SID.
Group Specifies the group IP address for the IP Multicast
over Fabric Connect route.
Source Specifies the IP address where the IP Multicast
over Fabric Connect route originated.
SourceBeb Specifies the source BEB for the IP multicast route.
VlanId Specifies the ID for the C-VLAN.
VrfName Specifies the VRF name.

DataIsid Specifies the data I-SID for the IP Multicast
over Fabric Connect route. After a BEB receives IP
multicast data from a sender, the BEB allocates
a data I-SID in the range of 16,000,000 to
16,512,000 for the stream. The stream is identified
by the source IP address, group IP address, and
the local VLAN the stream is received on. The data
I-SID is a child of the scope or VSN I-SID.
Type Specifies the type for the IP Multicast over Fabric
Connect route.
Bvlan Specifies the B-VLAN for the IP Multicast over
Fabric Connect route.
NniInterfaces Specifies the NNI ports for the IP multicast route.
SPBM runs in the core on the ports that connect to
the core. These ports are NNI ports. Ports that face
a customer VLAN are user-to-network interface
(UNI) ports.

View UNI Ports for Remote IP Multicast Routes

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the UNI ports associated with particular remote IP multicast routes.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.


2. Select SPBM Remote.
3. Select the IpMcastRoutes tab.
4. Select an entry.
5. Select the UNI Ports button.

IpMcastRoutes-Uni Ports Field Descriptions

Use data in the following table to use the IpMcastRoutes-Uni Ports tab.

Name Description
VsnIsid Specifies the VSN I-SID. Layer 2 VSN and Layer 3
VSN each require a VSN I-SID.
Group Specifies the group IP address for the IP Multicast
over Fabric Connect route.
Source Specifies the IP address where the IP Multicast
over Fabric Connect route originates.
NickName Specifies the nickname.

EgressVlan Specifies the egress VLAN of the IP multicast
route.
EgressActivePorts Specifies the egress active ports.

View Remote IS-IS System Statistics

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the remote Intermediate-System-to-Intermediate-System (IS-IS) system
statistics.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.
2. Select Stats Remote.
3. Select the System Stats tab.

System Stats Field Descriptions

Use the data in the following table to use the System Stats tab.

Name Description
CorrLSPs Indicates the number of corrupted in-memory link-state
packets (LSPs) detected. LSPs received from the wire with
a bad checksum are silently dropped and not counted.
AuthFails Indicates the number of authentication key failures
recognized by this Intermediate System.
LSPDbaseOloads Indicates the number of times the LSP database has become
overloaded.
ManAddrDropFromAreas Indicates the number of times a manual address has been
dropped from the area.
AttmptToExMaxSeqNums Indicates the number of times the IS has attempted to
exceed the maximum sequence number.
SeqNumSkips Indicates the number of times a sequence number skip has
occurred.
OwnLSPPurges Indicates the number of times a zero-aged copy of the
system's own LSP is received from some other node.
IDFieldLenMismatches Indicates the number of times a PDU is received with a
different value for ID field length to that of the receiving
system.
PartChanges Indicates partition changes.
AbsoluteValue Displays the counter value.
Cumulative Displays the total value since you opened the Stats tab.

Average/sec Displays the average value for each second.
Minimum/sec Displays the minimum value for each second.
Maximum/sec Displays the maximum value for each second.
LastVal/sec Displays the last value for each second.

View Remote IS-IS Interface Counters

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the remote Intermediate-System-to-Intermediate-System (IS-IS) interface
counters.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.
2. Select Stats Remote.
3. Select the Interface Counters tab.

Interface Counters Field Descriptions

Use the data in the following table to use the Interface Counters tab.

Name Description
Index Shows a unique value identifying the IS-IS interface.
Level Shows the type of circuit that discovered the interface
counters. The point-to-point Hello PDU includes both Layer
1 and Layer 2, and ISs form a single adjacency on point-to-point
links, so counts on point-to-point links are combined
into one group.
AdjChanges Shows the number of times an adjacency state change has
occurred on this circuit.
InitFails Shows the number of times initialization of this circuit has
failed. This counts events such as PPP NCP failures. Failures
to form an adjacency are counted by isisCircRejAdjs.
RejAdjs Shows the number of times an adjacency has been rejected
on this circuit.
IDFieldLenMismatches Shows the number of times an IS-IS control PDU with an
ID field length different to that for this system has been
received.
MaxAreaAddrMismatches Shows the number of times an IS-IS control PDU with a max
area address field different to that for this system has been
received.

AuthFails Shows the number of times an IS-IS control PDU with the
correct auth type has failed to pass authentication validation.
LANDesISChanges Shows the number of times the Designated IS has changed
on this circuit at this level. If the circuit is point to point, this
count is zero.

View Remote IS-IS Interface Control Packets

Note
This procedure only applies to the VSP 7400 Series.

About This Task

Perform this procedure to view the remote Intermediate-System-to-Intermediate-System (IS-IS)
interface control packets.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.
2. Select Stats Remote.
3. Select the Interface Control Packets tab.

Interface Control Packets Field Descriptions

Use the data in the following table to use the Interface Control Packets tab.

Name Description
Index Shows a unique value identifying the Intermediate-System-
to-Intermediate-System (IS-IS) interface.
Level Specifies the level.
Direction Indicates whether the switch is sending or receiving the
PDUs.
Hello Indicates the number of IS-IS Hello frames seen in this
direction at this level.
LSP Indicates the number of IS-IS LSP frames seen in this
direction at this level.
CSNP Indicates the number of IS-IS Complete Sequence Number
Packets (CSNP) frames seen in this direction at this level.
PSNP Indicates the number of IS-IS Partial Sequence Number
Packets (PSNP) frames seen in this direction at this level.

View the Remote I-SID Forwarding Database

Note
This procedure only applies to the VSP 7400 Series.


About This Task

Perform this procedure to view the remote I-SID forwarding database (FDB) on the switch.

Note
To view the T-UNI I-SID FDB entries filtered on a port that is part of an MLT, you must mention
the MLT ID in the option for the port.

Procedure

1. In the navigation pane, expand the Configuration > Fabric folders.
2. Select ISID Remote.
3. (Optional) Select the Filter button to filter the rows on the basis of specific criteria.

FDB Field Descriptions

Use data in the following table to use the FDB tab.

Name Description
IsidId Specifies the service interface identifier (I-SID).
Address Specifies the MAC address of the port assigned to the specific I-SID or
C-MAC learned on the particular I-SID.
Status Specifies the learning status of the associated MAC.
Port Specifies the port on which the MAC is learned for the specific I-SID.
PortType Specifies if the MAC address is learned locally or on an NNI port from a
remote destination.
RemoteMacDestAddr Specifies the virtual BMAC address or system-ID of the remote destination.
RemoteMacBVlanId Specifies the B-VLAN ID on which the remote destination was discovered.
RemoteMacDestSysName Specifies the remote destination system name.
Cvid Specifies the customer VLAN ID of the associated Switched UNI port.

SPBM configuration examples


This section provides configuration examples to configure basic SPBM and IS-IS infrastructure.

Examples and network illustrations in this document may illustrate only one of the supported platforms.
Unless otherwise noted, the concept illustrated applies to all supported platforms.

Basic SPBM configuration example


The following figure shows a sample greenfield deployment for SPBM.

Figure 83: Greenfield SPBM deployment


Note
For migration purposes, SPBM can coexist with existing SMLT configurations.

Ethernet and MLT configuration


The following sections show the steps required to configure the Ethernet and MLT interfaces in this
example.

SwitchC
PORT CONFIGURATION - PHASE 1

interface GigabitEthernet 1/30
encapsulation dot1q
exit

SwitchG
PORT CONFIGURATION - PHASE 1

interface GigabitEthernet 1/5
encapsulation dot1q
exit

MLT CONFIGURATION

mlt 1 enable
mlt 1 member 1/21-1/22
mlt 1 encapsulation dot1q

SwitchD
MLT CONFIGURATION

mlt 1 enable
mlt 1 member 1/20,1/30
mlt 1 encapsulation dot1q

IS-IS SPBM global configuration


The following figure shows the IS-IS area information added to the network.


Figure 84: IS-IS SPBM global


The following sections show the steps required to configure the global IS-IS SPBM parameters in this
example.

SwitchC
enable
configure terminal
prompt SwitchC

BOOT CONFIGURATION

spbm
spbm ethertype 0x8100

ISIS SPBM CONFIGURATION

router isis
spbm 1
spbm 1 nick-name f.30.13
spbm 1 b-vid 20

ISIS CONFIGURATION

is-type l1
manual-area 30.0000
sys-name SwitchC
exit
router isis enable

VLAN CONFIGURATION

vlan create 20 name "B-VLAN" type spbm-bvlan

SwitchG
enable
configure terminal
prompt SwitchG

BOOT CONFIGURATION

spbm
spbm ethertype 0x8100

ISIS SPBM CONFIGURATION

router isis
spbm 1
spbm 1 nick-name f.30.10
spbm 1 b-vid 20

ISIS CONFIGURATION

is-type l1
manual-area 30.0000
sys-name SwitchG
exit
router isis enable

VLAN CONFIGURATION

vlan create 20 name "B-VLAN" type spbm-bvlan

SwitchD
enable
configure terminal
prompt SwitchD

BOOT CONFIGURATION

spbm
spbm ethertype 0x8100

ISIS SPBM CONFIGURATION

router isis
spbm 1
spbm 1 nick-name f.30.14
spbm 1 b-vid 20

ISIS CONFIGURATION

is-type l1
manual-area 30.0000
sys-name SwitchD
exit
router isis enable

VLAN CONFIGURATION

vlan create 20 name "B-VLAN" type spbm-bvlan

IS-IS SPBM Interface Configuration


The following figure shows the IS-IS area information and interfaces in the network.

Figure 85: IS-IS SPBM interface


The following sections show the steps required to configure the IS-IS SPBM interfaces in this example.

SwitchC
PORT CONFIGURATION - PHASE II

interface GigabitEthernet 1/30
isis
isis spbm 1
isis enable
exit

SwitchG
PORT CONFIGURATION - PHASE II

interface GigabitEthernet 1/5
isis
isis spbm 1
isis enable
exit

MLT INTERFACE CONFIGURATION

interface mlt 1
isis
isis spbm 1
isis enable
exit

SwitchD
MLT INTERFACE CONFIGURATION

interface mlt 1
isis
isis spbm 1
isis enable
exit

Verify SPBM Operations


The following sections show the output from verifying the sample IS-IS SPBM configuration.

Checking Operation — SwitchC


SwitchC:1# show isis interface
===================================================================================================================
ISIS Interfaces
===================================================================================================================

IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1 OP-SPBM- ORIGIN AREA AREA-NAME
-METRIC L1-METRIC
--------------------------------------------------------------------------------------------------------------------
Port1/30 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02

SwitchC:1# show isis adjacencies


====================================================================================================
ISIS Adjacencies
====================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME STATUS AREA AREA-NAME
----------------------------------------------------------------------------------------------------
Port1/30 1 UP 1d 19:19:52 22 beb0.0000.7204 SwitchC ACTIVE HOME area-9.00.02

----------------------------------------------------------------------------------------------------
Home: 1 out of 1 interfaces have formed an adjacency
Remote: 0 out of 0 interfaces have formed an adjacency

----------------------------------------------------------------------------------------------------
SwitchC:1# show isis spbm unicast-fib
==================================================================================================
SPBM UNICAST FIB ENTRY INFO
==================================================================================================
DESTINATION BVLAN SYSID HOST-NAME OUTGOING COST AREA AREA-NAME
ADDRESS INTERFACE
--------------------------------------------------------------------------------------------------
00:0e:62:25:a3:df 4000 0016.ca23.73df SwitchG 1/30 10 HOME area-9.00.02
00:14:0d:a0:13:df 4000 0014.0da0.13df SwitchD 1/30 10 HOME area-9.00.02

--------------------------------------------------------------------------------------------------
Home: Total number of SPBM UNICAST FIB entries 2
Remote: Total number of SPBM UNICAST FIB entries 0
--------------------------------------------------------------------------------------------------
SwitchC:1# show isis spbm unicast-tree 4000
Node:000e.6225.a3df.00 (SwitchG) -> ROOT
Node:0014.0da0.13df.00 (SwitchD) -> Node:000e.6225.a3df.00 (SwitchG) -> ROOT

Checking Operation — SwitchG


SwitchG:1# show isis interface
===================================================================================================================
ISIS Interfaces
===================================================================================================================
IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1 OP-SPBM- ORIGIN AREA AREA-NAME
-METRIC L1-METRIC
--------------------------------------------------------------------------------------------------------------------
Port1/5 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02
Mlt1 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02

SwitchG:1# show isis adjacencies


====================================================================================================
ISIS Adjacencies
=========================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME STATUS AREA AREA-NAME
---------------------------------------------------------------------------------------------------------
Port1/30 1 UP 1d 19:19:52 127 26 beb0.0000.7204 SwitchC ACTIVE HOME area-9.00.02
Mlt1 1 UP 04:57:34 127 20 0014.0da0.13df SwitchD ACTIVE HOME area-9.00.02
---------------------------------------------------------------------------------------------------------
Home: 2 out of 2 interfaces have formed an adjacency
Remote: 0 out of 0 interfaces have formed an adjacency

----------------------------------------------------------------------------------------------------

SwitchG:1# show isis spbm unicast-fib


==================================================================================================
SPBM UNICAST FIB ENTRY INFO
==================================================================================================
DESTINATION BVLAN SYSID HOST-NAME OUTGOING COST AREA AREA-NAME
ADDRESS INTERFACE
--------------------------------------------------------------------------------------------------
00:14:0d:a0:13:df 4000 0014.0da0.13df SwitchD MLT-1 10 HOME area-9.00.02
00:15:e8:9f:e3:df 4000 0015.e89f.e3df SwitchC 1/5 10 HOME area-9.00.02

--------------------------------------------------------------------------------------------------
Home: Total number of SPBM UNICAST FIB entries 2
Remote: Total number of SPBM UNICAST FIB entries 0
--------------------------------------------------------------------------------------------------
SwitchG:1# show isis spbm unicast-tree 4000
Node:0015.e89f.e3df.00 (SwitchC) -> ROOT
Node:0014.0da0.13df.00 (SwitchD) -> ROOT

Checking Operation — SwitchD


SwitchD:1# show isis interface
===================================================================================================================
ISIS Interfaces
===================================================================================================================
IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1 OP-SPBM- ORIGIN AREA AREA-NAME
-METRIC L1-METRIC
--------------------------------------------------------------------------------------------------------------------
Mlt1 pt-pt Level 1 UP UP 1 1 10 10 CONFIG HOME area-9.00.02

SwitchD:1# show isis adjacencies


=====================================================================================================
ISIS Adjacencies
=====================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME STATUS AREA AREA-NAME
-----------------------------------------------------------------------------------------------------
Mlt1 1 UP 05:03:59 127 21 000e.6225.a3df SwitchG ACTIVE HOME area-9.00.02
-----------------------------------------------------------------------------------------------------
Home: 1 out of 1 interfaces have formed an adjacency
Remote: 0 out of 0 interfaces have formed an adjacency

-----------------------------------------------------------------------------------------------------
SwitchD:1# show isis spbm unicast-fib
==================================================================================================
SPBM UNICAST FIB ENTRY INFO
==================================================================================================
DESTINATION BVLAN SYSID HOST-NAME OUTGOING COST AREA AREA-NAME
ADDRESS INTERFACE
--------------------------------------------------------------------------------------------------
00:0e:62:25:a3:df 4000 000e.6225.a3df SwitchG MLT-1 10 HOME area-9.00.02
00:15:e8:9f:e3:df 4000 0015.e89f.e3df SwitchC MLT-1 10 HOME area-9.00.02

--------------------------------------------------------------------------------------------------
Home: Total number of SPBM UNICAST FIB entries 2
Remote: Total number of SPBM UNICAST FIB entries 0
--------------------------------------------------------------------------------------------------
SwitchD:1# show isis spbm unicast-tree 4000
Node:000e.6225.a3df.00 (SwitchG) -> ROOT
Node:0015.e89f.e3df.00 (SwitchC) -> Node:000e.6225.a3df.00 (SwitchG) -> ROOT

Fabric Extend Configuration Examples

This section provides configuration examples to configure Fabric Extend in the following deployment
scenarios:
• Fabric Extend over IP using the GRT
• Fabric Extend over IP using a VRF
• Fabric Extend over VPLS
• Fabric Extend over Layer 2 Pseudowire
• Fabric Extend with ONAs in the Core and Branches
• Fabric Extend Over IPsec

For more configuration examples, see Shortest Path Bridging (802.1aq) Technical Configuration Guide.

Fabric Extend over IP using the GRT


This example shows a typical Fabric Extend deployment with a 10/40/100 Gbps switch in the core and a
1 Gbps switch in one of the branch offices. The 10/40/100 Gbps switch supports Fabric Extend natively
and is connected over an IP network to a 1 Gbps switch, which requires an ONA to encapsulate SPB
traffic with a VXLAN header. The ONA sets up a bridge between the ONA device-side port and the ONA
network-side port. Fabric Extend uses a VXLAN tunnel to send traffic to and from the 10/40/100 Gbps
switch through the 1 Gbps switch to the ONA.

Note
• This deployment uses the GRT so the tunnel source IP address must be on the GRT, not on
a VRF.
• If IP Shortcuts is enabled, you must configure an IS-IS accept policy or exclude route-map
to ensure that tunnel destination IP addresses are not learned through IS-IS.
• Add any IP address used for setting up the logical tunnel (such as local network and
loopback IP addresses) to the IS-IS accept policy or exclude route-map to prevent these
addresses from being advertised into IS-IS.

The following figure shows a sample Fabric Extend deployment over IP using the GRT.

Figure 86: IP using GRT traffic flow

Figure 87: IP (GRT) traffic flow component view


For 10/40/100 Gbps Switches

(The tunnel source IP address is configured in the GRT.)


Switch(config)# interface GigabitEthernet 2/14
Switch(config-if)# no shutdown
Switch(config-if)# default-vlan-id 0
Switch(config-if)# name "ospf-intf-SP-core"
Switch(config-if)# brouter port 2/14 vlan 3036 subnet 197.1.1.2/255.255.255.0
Switch(config-if)# no spanning-tree mstp force-port-state enable
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.1.2
Switch(config-isis)# exit

Switch(config)# logical-intf isis 255 dest-ip 197.1.6.2 name "Tunnel-to-Branch1"
Switch(config-isis-255-197.1.6.2)# isis
Switch(config-isis-255-197.1.6.2)# isis spbm 1
Switch(config-isis-255-197.1.6.2)# isis enable
Switch(config-isis-255-197.1.6.2)# exit

Switch(config)# ip prefix-list "isis-tunnel-addr" 197.1.0.0/16 ge 16 le 32


Switch(config)# route-map "deny-isis-tunnel-network" 1
Switch(route-map)# no permit
Switch(route-map)# enable
Switch(route-map)# match network "isis-tunnel-addr"
Switch(route-map)# match protocol isis
Switch(route-map)# exit

Switch(config)# router isis
Switch(config-isis)# accept route-map "deny-isis-tunnel-network"
Switch(config-isis)# exit
Switch(config)# isis apply accept

For 1 Gbps Switches

(The tunnel source address is a CLIP address on the GRT. This address is configured on the 1 Gbps
switch and then automatically assigned to the ONA.)
Switch(config)# interface loopback 256
Switch(config-if)# ip address 256 197.1.6.2/255.255.255.0
Switch(config-if)# ip ospf 256
Switch(config-if)# exit

Switch(config)# interface GigabitEthernet 1/7-1/8; enables ports to ONA
Switch(config-if)# no shutdown
Switch(config-if)# exit

Switch(config)# vlan create 3037 name "ospf-intf-SP-core" type port-mstprstp 0


Switch(config)# vlan members 3037 1/49-1/50 portmember
Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 1/49-1/50
Switch(config)# mlt 11 vlan 3037
Switch(config)# interface vlan 3037
Switch(config-if)# ip address 197.1.11.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3025 name "ONA-Mgmt-vlan" type port-mstprstp 0


Switch(config)# vlan members 3025 1/7 portmember
Switch(config)# interface vlan 3025
Switch(config-if)# ip address 197.2.1.1 255.255.255.0 3
Switch(config-if)# exit

Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11


Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11 enable
Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11 mode bootp_dhcp

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.6.2 port 1/8 mtu 1950
Switch(config-isis)# exit
Switch(config)# logical-intf isis 255 dest-ip 197.1.1.2 name "Tunnel-to-HQ"
Switch(config-isis-255-197.1.1.2)# isis
Switch(config-isis-255-197.1.1.2)# isis spbm 1
Switch(config-isis-255-197.1.1.2)# isis enable
Switch(config-isis-255-197.1.1.2)# exit

Switch(config)# ip prefix-list "isis-tunnel-addr" 197.1.0.0/16 ge 16 le 32


Switch(config)# route-map "deny-isis-tunnel-network" 1
Switch(route-map)# no permit
Switch(route-map)# enable
Switch(route-map)# match network "isis-tunnel-addr"
Switch(route-map)# match protocol isis
Switch(route-map)# exit

Switch(config)# router isis
Switch(config-isis)# accept route-map "deny-isis-tunnel-network"
Switch(config-isis)# exit
Switch(config)# isis apply accept
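
The accept-policy requirement in the note above can be checked mechanically. The following is an added example, not part of the vendor guide: it parses the commands used on this page and reports Fabric Extend tunnel addresses that no enabled deny route-map in the IS-IS accept policy covers. The function names, the weak variant, and the prefix-list and route-map defaults noted in the comments are assumptions made for illustration.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\S+\([\w.-]+\)#\s*")  # strips "Switch(config-if)# " style prompts

# Constructed input: the 1 Gbps branch commands shown on this page.
BRANCH_CONFIG = """\
Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.6.2 port 1/8 mtu 1950
Switch(config-isis)# exit
Switch(config)# logical-intf isis 255 dest-ip 197.1.1.2 name "Tunnel-to-HQ"
Switch(config-isis-255-197.1.1.2)# isis
Switch(config-isis-255-197.1.1.2)# isis spbm 1
Switch(config-isis-255-197.1.1.2)# isis enable
Switch(config-isis-255-197.1.1.2)# exit
Switch(config)# ip prefix-list "isis-tunnel-addr" 197.1.0.0/16 ge 16 le 32
Switch(config)# route-map "deny-isis-tunnel-network" 1
Switch(route-map)# no permit
Switch(route-map)# enable
Switch(route-map)# match network "isis-tunnel-addr"
Switch(route-map)# match protocol isis
Switch(route-map)# exit
Switch(config)# router isis
Switch(config-isis)# accept route-map "deny-isis-tunnel-network"
Switch(config-isis)# exit
Switch(config)# isis apply accept
"""

# Constructed weak variant: the prefix list only covers the local tunnel source.
WEAK_CONFIG = BRANCH_CONFIG.replace("197.1.0.0/16 ge 16", "197.1.6.0/24 ge 24")


def parse(config):
    """Collect tunnel endpoints, prefix lists, route maps and the IS-IS accept policy."""
    st = {"tunnels": [], "prefix_lists": {}, "route_maps": {}, "accepted": [], "applied": False}
    seq = None  # route-map sequence currently being configured
    for raw in config.splitlines():
        tok = PROMPT.sub("", raw.strip()).replace('"', "").split()
        if not tok:
            continue
        if tok[0] == "exit":
            seq = None
        elif tok[0] == "ip-tunnel-source-address":
            st["tunnels"].append(("source", ipaddress.ip_address(tok[1])))
        elif tok[0] == "logical-intf" and "dest-ip" in tok:
            dest = tok[tok.index("dest-ip") + 1]
            st["tunnels"].append(("destination", ipaddress.ip_address(dest)))
        elif tok[:2] == ["ip", "prefix-list"]:
            net = ipaddress.ip_network(tok[3], strict=False)
            # Assumption: without ge/le an entry matches only its own mask length.
            ge = int(tok[tok.index("ge") + 1]) if "ge" in tok else net.prefixlen
            le = int(tok[tok.index("le") + 1]) if "le" in tok else ge
            st["prefix_lists"].setdefault(tok[2], []).append((net, ge, le))
        elif tok[0] == "route-map":
            # Assumption: a sequence permits unless "no permit" is configured.
            seq = {"deny": False, "enabled": False, "networks": [], "protocols": []}
            st["route_maps"].setdefault(tok[1], []).append(seq)
        elif tok[:2] == ["accept", "route-map"]:
            st["accepted"].append(tok[2])
        elif tok == ["isis", "apply", "accept"]:
            st["applied"] = True
        elif seq is not None:
            if tok == ["no", "permit"]:
                seq["deny"] = True
            elif tok == ["enable"]:
                seq["enabled"] = True
            elif tok[:2] == ["match", "network"]:
                seq["networks"].append(tok[2])
            elif tok[:2] == ["match", "protocol"]:
                seq["protocols"].append(tok[2])
    return st


def denied_lengths(addr, entries):
    """Mask lengths of routes containing addr that the prefix-list entries match."""
    lengths = set()
    for net, ge, le in entries:
        if addr in net:
            lengths.update(range(max(ge, net.prefixlen), le + 1))
    return lengths


def audit(config):
    """Return findings; an empty list means every tunnel address is filtered."""
    st = parse(config)
    findings = []
    if not st["accepted"]:
        findings.append("no accept route-map configured under router isis")
    if not st["applied"]:
        findings.append("'isis apply accept' not issued; accept policy is not in effect")
    deny_entries = []
    for name in st["accepted"]:
        for seq in st["route_maps"].get(name, []):
            matches_isis = not seq["protocols"] or "isis" in seq["protocols"]
            if seq["enabled"] and seq["deny"] and matches_isis:
                for pl in seq["networks"]:
                    deny_entries += st["prefix_lists"].get(pl, [])
    for role, addr in st["tunnels"]:
        if 32 not in denied_lengths(addr, deny_entries):  # host route must be denied
            findings.append(f"tunnel {role} {addr} not covered by an enabled IS-IS deny policy")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", BRANCH_CONFIG), ("weak variant", WEAK_CONFIG)):
        print(label, audit(cfg) or "OK")
```

The weak variant is flagged because its prefix list denies only the local 197.1.6.0/24 range, so the tunnel destination 197.1.1.2 could still be learned through IS-IS.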

For Intermediate Router 1

Intermediate routers are typically configured by an Internet service provider (ISP). The following
configurations are for reference only.
Switch(config)# interface GigabitEthernet 8/19
Switch(config-if)# default-vlan-id 0
Switch(config-if)# name "ospf-intf-from-Headoffice"
Switch(config-if)# no shutdown
Switch(config-if)# brouter port 8/19 vlan 3036 subnet 197.1.1.3/255.255.255.0 mac-offset 2
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3039 name "core-ospf-vlan" type port-mstprstp 0


Switch(config)# vlan members 3039 8/1 portmember
Switch(config)# interface Vlan 3039
Switch(config-if)# ip address 197.1.8.1 255.255.255.0 2
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

For Intermediate Router 2


Switch(config)# vlan create 3039 name "core-ospf-vlan" type port-mstprstp 0
Switch(config)# vlan members 3039 8/1 portmember
Switch(config)# interface Vlan 3039
Switch(config-if)# ip address 197.1.8.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3037 name "ospf-intf-from-branch1" type port-mstprstp 0


Switch(config)# vlan members 3037 8/21-8/22 portmember
Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 8/21-8/22
Switch(config)# mlt 11 vlan 3037

Switch(config)# interface Vlan 3037
Switch(config-if)# ip address 197.1.11.1 255.255.255.0 5
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Fabric Extend over IP using a VRF


This example is the same as the previous IP example except this Fabric Extend deployment uses a
VRF instead of the GRT. Because this deployment is using a VRF, Fabric Extend has the following
requirements:
• Configure a CLIP and tunnel source IP address on the same VRF.
• Remote management of the 1 Gbps switch is only possible after establishing IP Shortcut over IS-IS.
(Alternatively, you can enable GRT-VRF redistribution locally.)

The following figure shows a sample Fabric Extend deployment over IP using a VRF.

Figure 88: IP using VRF traffic flow

Figure 89: IP (VRF) traffic flow component view

For 10/40/100 Gbps Switches

(The tunnel source IP address is configured as a brouter address in the VRF.)


Switch(config)# ip vrf vrf24
Switch(config)# router vrf vrf24
Switch(router-vrf)# ip ospf
Switch(router-vrf)# ip ospf admin-state
Switch(router-vrf)# exit

Switch(config)# interface GigabitEthernet 2/14
Switch(config-if)# no shutdown
Switch(config-if)# default-vlan-id 0
Switch(config-if)# name "ospf-intf-SP-core"
Switch(config-if)# vrf vrf24
Switch(config-if)# brouter port 2/14 vlan 3036 subnet 197.1.1.2/255.255.255.0 mac-offset 1
Switch(config-if)# no spanning-tree mstp force-port-state enable
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.1.2 vrf vrf24
Switch(config-isis)# exit

Switch(config)# logical-intf isis 255 dest-ip 197.1.6.2 name "Tunnel-to-Branch1"
Switch(config-isis-255-197.1.6.2)# isis
Switch(config-isis-255-197.1.6.2)# isis spbm 1
Switch(config-isis-255-197.1.6.2)# isis enable
Switch(config-isis-255-197.1.6.2)# exit

For 1 Gbps Switches

(The tunnel source address is a CLIP address on the VRF. This address is configured on the 1 Gbps
switch and then automatically assigned to the ONA.)
Switch(config)# ip vrf vrf24

Switch(config)# router vrf vrf24
Switch(router-vrf)# ip ospf
Switch(router-vrf)# ip ospf admin-state
Switch(router-vrf)# exit

Switch(config)# interface loopback 256
Switch(config-if)# ip address 197.1.6.2 255.255.255.255 vrf vrf24
Switch(config-if)# ip ospf vrf vrf24
Switch(config-if)# exit

Switch(config)# interface GigabitEthernet 1/7-1/8; enables ports to ONA
Switch(config-if)# no shutdown
Switch(config-if)# exit

Switch(config)# vlan create 3037 name "ospf-intf-SP-core" type port-mstprstp 0


Switch(config)# vlan members 3037 1/49-1/50 portmember
Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 1/49-1/50
Switch(config)# mlt 11 vlan 3037
Switch(config)# interface vlan 3037
Switch(config-if)# vrf vrf24
Switch(config-if)# ip address 197.1.11.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3025 name "ONA-Mgmt-vlan" type port-mstprstp 0


Switch(config)# vlan members 3025 1/7 portmember
Switch(config)# interface vlan 3025
Switch(config-if)# ip address 197.2.1.1 255.255.255.0 3
Switch(config-if)# exit

Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11


Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11 enable
Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11 mode bootp_dhcp

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.6.2 port 1/8 vrf vrf24 mtu 1950
Switch(config-isis)# exit

Switch(config)# logical-intf isis 255 dest-ip 197.1.1.2 name "Tunnel-to-HQ"
Switch(config-isis-255-197.1.1.2)# isis
Switch(config-isis-255-197.1.1.2)# isis spbm 1
Switch(config-isis-255-197.1.1.2)# isis enable
Switch(config-isis-255-197.1.1.2)# exit

Intermediate routers are typically configured by an Internet service provider (ISP). The following
configurations are for reference only.

For Intermediate Router 1


Switch(config)# interface GigabitEthernet 8/19
Switch(config-if)# default-vlan-id 0
Switch(config-if)# name "ospf-intf-from-Headoffice"
Switch(config-if)# no shutdown
Switch(config-if)# brouter port 8/19 vlan 3036 subnet 197.1.1.3/255.255.255.0 mac-offset 2
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3039 name "core-ospf-vlan" type port-mstprstp 0


Switch(config)# vlan members 3039 8/1 portmember
Switch(config)# interface Vlan 3039
Switch(config-if)# ip address 197.1.8.1 255.255.255.0 2
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

For Intermediate Router 2


Switch(config)# vlan create 3039 name "core-ospf-vlan" type port-mstprstp 0
Switch(config)# vlan members 3039 8/1 portmember
Switch(config)# interface Vlan 3039
Switch(config-if)# ip address 197.1.8.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3037 name "ospf-intf-from-branch1" type port-mstprstp 0


Switch(config)# vlan members 3037 8/21-8/22 portmember
Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 8/21-8/22
Switch(config)# mlt 11 vlan 3037
Switch(config)# interface Vlan 3037
Switch(config-if)# ip address 197.1.11.1 255.255.255.0 5
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Fabric Extend over VPLS


This example shows a Fabric Extend deployment over MPLS Virtual Private LAN Service (VPLS). In this
scenario, VPLS emulates a LAN with full mesh connectivity. The SPB nodes connect with point-to-point
Ethernet links and also use MPLS for normal forwarding.

Note
On the Core side, the 10/40/100 Gbps switches require a single next hop IP address as a
default gateway for all tunnels. To ensure the single next hop, VPLS uses a loopback IP
address and an additional VRF.

The following figure shows a sample Fabric Extend deployment over VPLS.


Figure 90: FE over VPLS traffic flow

For 10/40/100 Gbps Switches

(The tunnel source IP address is configured as a brouter address in the VRF.)


Switch(config)# interface GigabitEthernet 2/14
Switch(config-if)# no shutdown
Switch(config-if)# default-vlan-id 0
Switch(config-if)# name "ospf-intf-SP-core"
Switch(config-if)# vrf vrf24
Switch(config-if)# brouter port 2/14 vlan 3036 subnet 197.1.1.2/255.255.255.0 mac-offset 1
Switch(config-if)# no spanning-tree mstp force-port-state enable
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.1.2 vrf vrf24
Switch(config-isis)# exit
Switch(config)# logical-intf isis 255 dest-ip 197.1.6.2 name "Tunnel-to-Branch1"
Switch(config-isis-255-197.1.6.2)# isis
Switch(config-isis-255-197.1.6.2)# isis spbm 1
Switch(config-isis-255-197.1.6.2)# isis enable
Switch(config-isis-255-197.1.6.2)# exit

For 1 Gbps Switches

(The tunnel source address is a CLIP address on the VRF. This address is configured on the 1 Gbps
switch and then automatically assigned to the ONA.)
Switch(config)# ip vrf vrf24
Switch(config)# router vrf vrf24
Switch(router-vrf)# ip ospf
Switch(router-vrf)# ip ospf admin-state
Switch(router-vrf)# exit

Switch(config)# interface loopback 256
Switch(config-if)# ip address 197.1.6.2 255.255.255.255 vrf vrf24
Switch(config-if)# ip ospf vrf vrf24
Switch(config-if)# exit

Switch(config)# interface GigabitEthernet 1/7-1/8; enables ports to ONA
Switch(config-if)# no shutdown
Switch(config-if)# exit

Switch(config)# vlan create 3037 name "ospf-intf-SP-core" type port-mstprstp 0
Switch(config)# vlan members 3037 1/49-1/50 portmember
Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 1/49-1/50
Switch(config)# mlt 11 vlan 3037
Switch(config)# interface vlan 3037
Switch(config-if)# vrf tunnel
Switch(config-if)# ip address 197.1.11.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3025 name "ONA-Mgmt-vlan" type port-mstprstp 0
Switch(config)# vlan members 3025 1/7 portmember
Switch(config)# interface vlan 3025
Switch(config-if)# ip address 197.2.1.1 255.255.255.0 3
Switch(config-if)# exit

Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11
Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11 enable
Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11 mode bootp_dhcp

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.6.2 port 1/8 vrf vrf24 mtu 1950
Switch(config-isis)# exit
Switch(config)# logical-intf isis 255 dest-ip 197.1.1.2 name "Tunnel-to-HQ"
Switch(config-isis-255-197.1.1.2)# isis
Switch(config-isis-255-197.1.1.2)# isis spbm 1
Switch(config-isis-255-197.1.1.2)# isis enable
Switch(config-isis-255-197.1.1.2)# exit

Intermediate routers are typically configured by an Internet service provider (ISP). The following
configurations are for reference only.

For Intermediate Router 1


Switch(config)# interface GigabitEthernet 8/19
Switch(config-if)# default-vlan-id 0
Switch(config-if)# name "ospf-intf-from-Headoffice"
Switch(config-if)# no shutdown
Switch(config-if)# brouter port 8/19 vlan 3036 subnet 197.1.1.3/255.255.255.0 mac-offset 2
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3039 name "core-ospf-vlan" type port-mstprstp 0
Switch(config)# vlan members 3039 8/1 portmember
Switch(config)# interface Vlan 3039
Switch(config-if)# ip address 197.1.8.1 255.255.255.0 2
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

For Intermediate Router 2


Switch(config)# vlan create 3039 name "core-ospf-vlan" type port-mstprstp 0
Switch(config)# vlan members 3039 8/1 portmember
Switch(config)# interface Vlan 3039
Switch(config-if)# ip address 197.1.8.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3037 name "ospf-intf-from-branch1" type port-mstprstp 0
Switch(config)# vlan members 3037 8/21-8/22 portmember
Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 8/21-8/22
Switch(config)# mlt 11 vlan 3037
Switch(config)# interface Vlan 3037
Switch(config-if)# ip address 197.1.11.1 255.255.255.0 5
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Fabric Extend over Layer 2 Pseudowire


This example shows a Fabric Extend deployment using service provider VLAN tunnels over MPLS
Pseudowire. In this scenario, you map two dedicated VLAN IDs (VIDs) from the Hub to the Spoke sites.
Then the logical IS-IS interfaces translate the BVIDs to map them to the per branch provider VIDs.

Because the tunnels are point-to-point VLAN connections, not VXLAN, there is no need to encapsulate
a VXLAN header to SPB packets. Therefore, the 1 Gbps switches in this type of deployment do not
require ONAs.

Important
10/40/100 Gbps switch --- Core --- 1 Gbps switch
• You cannot have IS-IS in the Core.
• Do not create the two VLANs represented in the logical interface connection on the BEBs.
If you do, you will not be able to add any Fabric Extend ports as members of those
VLANs. Instead, the logical interface connection links the core-facing port to those
VLANs.

The following figure shows a sample Fabric Extend deployment over Pseudowire.

Figure 91: FE over Pseudowire traffic flow

Figure 92: FE over Pseudowire traffic flow component view

For 10/40/100 Gbps Switches

Note
Logical interface VLANs cannot be the same as the SPBM B-VLANs and you cannot create
these VLANs locally. Use these VLANs for configuring the logical interface only. Once a port is
being used for a logical interface it cannot be added to any platform VLAN and spanning tree
is automatically disabled on the port.

Switch(config)# logical-intf isis 255 vid 200,300 primary-vid 200 port 2/14 name fe_to_Switch
Switch(config-isis-255)# isis
Switch(config-isis-255)# isis spbm 1
Switch(config-isis-255)# isis enable
Switch(config-isis-255)# exit

For 1 Gbps Switches

Note
Logical interface VLANs cannot be the same as the SPBM B-VLANs and you cannot create
these VLANs locally. Use these VLANs for configuring the logical interface only. Once a port is
being used for a logical interface it cannot be added to any platform VLAN and spanning tree
is automatically disabled on the port.

Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 1/49-1/50
Switch(config)# router isis enable

Switch(config)# logical-intf isis 255 vid 200,300 primary-vid 200 mlt 11 name fe_to_Switch
Switch(config-isis-255)# isis
Switch(config-isis-255)# isis spbm 1
Switch(config-isis-255)# isis enable
Switch(config-isis-255)# exit

For Intermediate Router 1

Intermediate routers are typically configured by an Internet service provider (ISP). The following
configurations are for reference only.
Switch(config)# vlan create 200 type port-mstprstp 1
Switch(config)# vlan create 300 type port-mstprstp 1
Switch(config)# vlan member add 200 8/1,8/19
Switch(config)# vlan member add 300 8/1,8/19

For Intermediate Router 2


Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 8/21-8/22
Switch(config)# vlan create 200 type port-mstprstp 1
Switch(config)# vlan create 300 type port-mstprstp 1
Switch(config)# vlan member add 200 8/1
Switch(config)# vlan mlt 200 11
Switch(config)# vlan member add 300 8/1
Switch(config)# vlan mlt 300 11

Fabric Extend with ONAs in the Core and Branches


This example shows a Fabric Extend deployment with 1 Gbps switches in the core of the network and
in the branch sites. This type of deployment is not only a lower-cost Fabric Extend solution; it also
addresses situations where large MTU sizes (over 1594 bytes) are a problem for the Service Provider.

MTU sizes less than 1594 bytes require fragmentation and reassembly of packets, and the 1 Gbps switch
with ONA supports fragmentation and reassembly. However, you must have 1 Gbps switches with ONAs
at BOTH ends of the IP WAN connection.

Important
There is no fragmentation/reassembly support in Layer 2 core solutions.

The following figure shows a sample Fabric Extend deployment using VRFs with both switches.

Figure 93: Fabric Extend traffic flow

Figure 94: Fabric Extend traffic flow component view

Core switch configuration

(The tunnel source address is a CLIP address on the VRF. This address is configured on the switch and
then automatically assigned to the ONA.)
Switch(config)# ip vrf vrf24
Switch(config)# router vrf vrf24
Switch(router-vrf)# ip ospf
Switch(router-vrf)# ip ospf admin-state
Switch(router-vrf)# exit

Switch(config)# interface loopback 256
Switch(config-if)# ip address 197.1.5.2 255.255.255.255 vrf vrf24
Switch(config-if)# ip ospf vrf vrf24
Switch(config-if)# exit

Switch(config)# interface GigabitEthernet 1/7-1/8; enables ports to ONA
Switch(config-if)# no shutdown
Switch(config-if)# exit

Switch(config)# vlan create 3036 name "ospf-intf-SP-core" type port-mstprstp 0
Switch(config)# vlan members 3036 1/14 portmember
Switch(config)# interface vlan 3036
Switch(config-if)# vrf vrf24
Switch(config-if)# ip address 197.1.1.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3024 name "ONA-Mgmt-vlan" type port-mstprstp 0
Switch(config)# vlan members 3024 1/8 portmember
Switch(config)# interface vlan 3024
Switch(config-if)# ip address 197.3.1.1 255.255.255.0 3
Switch(config-if)# exit

Switch(config)# ip dhcp-relay fwd-path 197.3.1.1 197.10.1.11
Switch(config)# ip dhcp-relay fwd-path 197.3.1.1 197.10.1.11 enable
Switch(config)# ip dhcp-relay fwd-path 197.3.1.1 197.10.1.11 mode bootp_dhcp

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.5.2 port 1/7 vrf vrf24 mtu 1950
Switch(config-isis)# exit
Switch(config)# logical-intf isis 255 dest-ip 197.1.6.2 name "Tunnel-to-Branch1"
Switch(config-isis-255-197.1.6.2)# isis
Switch(config-isis-255-197.1.6.2)# isis spbm 1
Switch(config-isis-255-197.1.6.2)# isis enable
Switch(config-isis-255-197.1.6.2)# exit

Branch switch configuration

(The tunnel source address is a CLIP address on the VRF. This address is configured on the switch and
then automatically assigned to the ONA.)
Switch(config)# ip vrf vrf24
Switch(config)# router vrf vrf24
Switch(router-vrf)# ip ospf
Switch(router-vrf)# ip ospf admin-state
Switch(router-vrf)# exit

Switch(config)# interface loopback 256
Switch(config-if)# ip address 197.1.6.2 255.255.255.255 vrf vrf24
Switch(config-if)# ip ospf vrf vrf24
Switch(config-if)# exit

Switch(config)# interface GigabitEthernet 1/7-1/8; enables ports to ONA
Switch(config-if)# no shutdown
Switch(config-if)# exit

Switch(config)# vlan create 3037 name "ospf-intf-SP-core" type port-mstprstp 0
Switch(config)# vlan members 3037 1/49-1/50 portmember
Switch(config)# interface vlan 3037
Switch(config-if)# vrf vrf24
Switch(config-if)# ip address 197.1.11.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3025 name "ONA-Mgmt-vlan" type port-mstprstp 0
Switch(config)# vlan members 3025 1/8 portmember
Switch(config)# interface vlan 3025
Switch(config-if)# ip address 197.2.1.1 255.255.255.0 3
Switch(config-if)# exit

Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11
Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11 enable
Switch(config)# ip dhcp-relay fwd-path 197.2.1.1 197.10.1.11 mode bootp_dhcp

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 197.1.6.2 port 1/7 vrf vrf24 mtu 1950
Switch(config-isis)# exit
Switch(config)# logical-intf isis 255 dest-ip 197.1.5.2 name "Tunnel-to-HQ"
Switch(config-isis-255-197.1.5.2)# isis
Switch(config-isis-255-197.1.5.2)# isis spbm 1
Switch(config-isis-255-197.1.5.2)# isis enable
Switch(config-isis-255-197.1.5.2)# exit

Intermediate routers are typically configured by an Internet service provider (ISP). The following
configurations are for reference only.

Intermediate Router 1 Configuration


Switch(config)# interface GigabitEthernet 8/19
Switch(config-if)# default-vlan-id 0
Switch(config-if)# name "ospf-intf-from-Headoffice"
Switch(config-if)# no shutdown
Switch(config-if)# brouter port 8/19 vlan 3036 subnet 197.1.1.3/255.255.255.0 mac-offset 2
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3039 name "core-ospf-vlan" type port-mstprstp 0
Switch(config)# vlan members 3039 8/1 portmember
Switch(config)# interface Vlan 3039
Switch(config-if)# ip address 197.1.8.1 255.255.255.0 2
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Intermediate Router 2 Configuration


Switch(config)# vlan create 3039 name "core-ospf-vlan" type port-mstprstp 0
Switch(config)# vlan members 3039 8/1 portmember
Switch(config)# interface Vlan 3039
Switch(config-if)# ip address 197.1.8.2 255.255.255.0 0
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Switch(config)# vlan create 3037 name "ospf-intf-from-branch1" type port-mstprstp 0
Switch(config)# vlan members 3037 8/21-8/22 portmember
Switch(config)# mlt 11
Switch(config)# mlt 11 encapsulation dot1q
Switch(config)# mlt 11 mem 8/21-8/22
Switch(config)# mlt 11 vlan 3037
Switch(config)# interface Vlan 3037
Switch(config-if)# ip address 197.1.11.1 255.255.255.0 5
Switch(config-if)# ip ospf enable
Switch(config-if)# exit

Fabric Extend Over IPsec

The following example shows a Fabric Extend deployment using service provider VLAN tunnels and
IPsec.

Note
Fabric Extend over IPsec limitations:
• Only pre-shared authentication key IPsec parameters are user configurable. Other,
third-party solutions are not configurable.
• The key exchange only uses the Internet Key Exchange (IKE) v2 protocol.
• IPsec support is only added for Fabric Extend tunnels.
• IPsec is not supported for regular layer 3 routed packets.

Global SPBM for Fabric Extend over IPsec Configuration

The global SPBM parameters must be configured before you can configure the Fabric Extend over IPsec
tunnel.

Note
The ipsec command is only available after the auth-key command is configured.

Switch> enable
Switch# configure terminal

Switch(config)# spbm
Switch(config)# router isis
Switch(config-isis)# spbm 1
Switch(config-isis)# spbm 1 nick-name 1.11.40
Switch(config-isis)# spbm 1 b-vid 2,3 primary 2
Switch(config-isis)# is-type l1
Switch(config-isis)# manual-area c0.2000.0000.00
Switch(config-isis)# sys-name SwitchB
Switch(config-isis)# exit

Switch(config)# vlan create 2 type spbm-bvlan
Switch(config)# vlan create 3 type spbm-bvlan
Switch(config)# router isis enable

Fabric Extend tunnel and IPsec configuration

Configuring Fabric Extend over IPsec consists of two primary tasks: configuring the tunnel source
address and configuring the logical interface. These tasks must be completed on both ends of the
tunnel.

Switch> enable
Switch# configure terminal

Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# brouter port 1/1 vlan 2500 subnet 192.0.2.0/255.255.255.0 mac-offset 0
Switch(config-if)# exit

Switch(config)# router isis
Switch(config-isis)# ip-tunnel-source-address 192.0.2.0
Switch(config-isis)# exit

Switch(config)# logical-intf isis 1 dest-ip 198.51.100.0
Switch(config-isis-1-198.51.100.0)# isis
Switch(config-isis-1-198.51.100.0)# isis spbm 1
Switch(config-isis-1-198.51.100.0)# isis enable
Switch(config-isis-1-198.51.100.0)# auth-key 12345678
Switch(config-isis-1-198.51.100.0)# ipsec encryption-key-length 256
Switch(config-isis-1-198.51.100.0)# ipsec
Switch(config-isis-1-198.51.100.0)# exit

Note
Product Notice: 256-bit IPsec Encryption for Fabric Extend Tunnels is only supported on
XA1400 Series devices.
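
Added example, not part of the VOSS guide or any Extreme tooling: a Python check over saved command lists from both tunnel ends that confirms each Fabric Extend logical interface has an auth-key with ipsec enabled and that the peer end mirrors it. The device names, the two BRANCH configurations, and the key policy (16 or more characters, not digits only) are assumptions; the HQ commands are the ones shown in this section.

```python
import re
from dataclasses import dataclass
from typing import Optional

PROMPT = re.compile(r"^\S+[>#]\s*")  # strips "Switch(config-isis)# " style prompts

@dataclass
class Tunnel:
    device: str
    dest: str
    source: Optional[str] = None
    auth_key: Optional[str] = None
    key_len: Optional[str] = None
    ipsec: bool = False
    ipsec_before_key: bool = False

def parse(device, text):
    """Collect the Fabric Extend logical interfaces from one device's commands."""
    source, tunnels, cur = None, [], None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"ip-tunnel-source-address (\S+)", line):
            source = m.group(1)
        elif m := re.match(r"logical-intf isis \d+ dest-ip (\S+)", line):
            cur = Tunnel(device, m.group(1))
            tunnels.append(cur)
        elif cur is None:
            continue
        elif line == "exit":
            cur = None
        elif m := re.match(r"auth-key (\S+)", line):
            cur.auth_key = m.group(1)
        elif m := re.match(r"ipsec encryption-key-length (\d+)", line):
            cur.key_len = m.group(1)
        elif line == "ipsec":
            cur.ipsec = True
            # The guide notes that ipsec is only available once auth-key is set.
            cur.ipsec_before_key = cur.auth_key is None
    for t in tunnels:
        t.source = source
    return tunnels

def weak(key):
    """Assumed local policy, not a VOSS rule: 16+ characters and not digits only."""
    return len(key) < 16 or key.isdigit()

def audit(configs):
    """Return (device, dest-ip, issue) tuples; key values are never echoed."""
    tunnels = [t for dev, text in configs.items() for t in parse(dev, text)]
    findings = []
    for t in tunnels:
        if not (t.ipsec and t.auth_key):
            findings.append((t.device, t.dest, "ipsec-incomplete"))
        if t.ipsec_before_key:
            findings.append((t.device, t.dest, "ipsec-before-auth-key"))
        if t.auth_key and weak(t.auth_key):
            findings.append((t.device, t.dest, "weak-auth-key"))
        # Both ends must be configured: look for the tunnel pointing back at us.
        peer = next((p for p in tunnels
                     if p.source == t.dest and p.dest == t.source), None)
        if peer is None:
            findings.append((t.device, t.dest, "no-matching-peer"))
        elif (peer.auth_key, peer.ipsec, peer.key_len) != (t.auth_key, t.ipsec, t.key_len):
            findings.append((t.device, t.dest, "peer-mismatch"))
    return findings

TEMPLATE = """\
router isis
ip-tunnel-source-address {src}
exit
logical-intf isis 1 dest-ip {dst}
isis
isis spbm 1
isis enable
{ipsec_lines}
exit
"""

CONFIGS = {
    # HQ: the commands shown in this section, including its sample key.
    "HQ": TEMPLATE.format(src="192.0.2.0", dst="198.51.100.0",
        ipsec_lines="auth-key 12345678\nipsec encryption-key-length 256\nipsec"),
    # Constructed peers: BRANCH1 uses a different key, BRANCH2 has no auth-key.
    "BRANCH1": TEMPLATE.format(src="198.51.100.0", dst="192.0.2.0",
        ipsec_lines="auth-key Example-Only-Key-0001\nipsec encryption-key-length 256\nipsec"),
    "BRANCH2": TEMPLATE.format(src="203.0.113.1", dst="192.0.2.0",
        ipsec_lines="ipsec"),
}

if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(*finding)
```

The comparison treats any difference in key, ipsec state, or encryption key length between the two ends as something to review.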

Fabric Attach configuration examples


This section provides configuration examples to configure Fabric Attach.

Configure a Fabric Attach Solution


This section provides a simple example of configuring Fabric Attach (FA) at the
edge of a Fabric Connect network. It is a typical deployment at its simplest level, and it is powerful
because it is used in conjunction with a Fabric Connect core.

About This Task

Configuring FA primarily consists of configuring the FA Server. The FA Server in turn discovers
neighboring FA component devices (like the FA Proxies and FA Clients) using FA TLVs within the
LLDP PDUs.

In the following deployment, the switch at the edge of the Fabric Connect cloud is configured as the
FA Server. On this switch, FA is enabled globally and at the interface (port) level. Another switch,
functioning as the FA Proxy, connects to the FA-enabled port (1/3) on the FA Server. User A is an
end-user device that needs to send data traffic to and receive data traffic from User B (another
end-user device) across the network.

Before You Begin

Configure SPBM and IS-IS on the edge and core switches. For more information, see Configure
Minimum SPBM and IS-IS Parameters on page 1014.

Procedure

Configure the edge switch (BEB) as the FA Server:


1. Enter Global Configuration mode:
enable
configure terminal
2. Enable FA globally:
fa enable
3. Enter port interface configuration mode:
interface GigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
4. Enable FA on the port:
fa enable

Note
Enabling FA automatically enables message authentication. Also, the authentication key is
set to the default value and the system displays the encrypted authentication key on the
output.

Note
Enabling FA on a port not only enables tagging but also disables spanning tree on that
port.

Verify global and interface level FA configuration:

5. Verify global configuration of FA using one of the following commands:
• show fa
• show fa agent
6. Verify interface level configuration of FA:
show fa interface
7. Verify the discovery of clients attaching to the FA Server:
show fa elements
8. Display the FA I-SID-to-VLAN assignments:
show fa assignment

To verify I-SID-to-VLAN assignments on a specific port, enter:

show fa assignment {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
9. Verify creation of Switched UNI (ELAN) I-SIDs:
show i-sid elan

Example

SPBM and IS-IS configuration on the core and edge switches:

SPBM configuration:
Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#spbm
Switch:1(config)#spbm ethertype 0x8100

IS-IS SPBM configuration:


Switch:1(config)#router isis
Switch:1(config-isis)#spbm 1
Switch:1(config-isis)#spbm 1 nick-name 1.00.01
Switch:1(config-isis)#spbm 1 b-vid 41-42 primary 41
Switch:1(config-isis)#spbm 1 ip enable

IS-IS router configuration:


Switch:1(config-isis)#router isis
Switch:1(config-isis)#sys-name BEB-Switch
Switch:1(config-isis)#ip-source-address 3.3.3.3
Switch:1(config-isis)#is-type l1
Switch:1(config-isis)#system-id 0001.0001.0001
Switch:1(config-isis)#manual-area c0.2000.000.00
Switch:1(config-isis)#exit

Interface (port-level) configuration


Switch:1(config)#interface GigabitEthernet 1/2
Switch:1(config-if)#no shutdown
Switch:1(config-if)#isis
Switch:1(config-if)#isis spbm 1
Switch:1(config-if)#isis enable
Switch:1(config-if)#exit
Switch:1(config)#vlan create 41 type spbm-bvlan
Switch:1(config)#vlan create 42 type spbm-bvlan
Switch:1(config)#router isis enable
Switch:1(config)#show isis spbm

Configuration of the edge switch as the FA Server.

Enable FA globally.
Switch:1(config)#fa enable
Switch:1(config)#show fa

=========================================================
Fabric Attach Configuration
=========================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 240
FA Discovery Timeout : 240
FA Provision Mode : spbm

Enable FA on the port.

Enabling FA automatically enables message authentication. The authentication key is configured with
the default value, which the system displays in encrypted format in the output.
Switch:1(config)#int gigabitEthernet 1/3
Switch:1(config-if)#fa enable
Switch:1(config-if)#show fa interface port 1/3

===================================================================
Fabric Attach Interfaces
===================================================================
INTERFACE  SERVER   MGMT  MGMT  MSG AUTH  MSG AUTH  ORIGIN
           STATUS   ISID  CVID  STATUS    KEY
-------------------------------------------------------------------
Port1/3    enabled  0     0     enabled   ****

-------------------------------------------------------------------
1 out of 1 Total Num of fabric attach interfaces displayed
-------------------------------------------------------------------
Switch:1(config-if)#exit
Switch:1(config)#exit

Verify that the FA Proxy is discovered by the FA Server.


Switch:1(config)#show fa elements

================================================================================
Fabric Attach Discovery Elements
================================================================================
             MGMT                                        ELEM  ASGN
PORT  TYPE   VLAN  STATE  SYSTEM ID                      AUTH  AUTH
--------------------------------------------------------------------------------
1/3   proxy  2     T / S  10:cd:ae:09:40:00:20:00:00:01  AP    AP

================================================================================
Fabric Attach Authentication Detail
================================================================================
      ELEM OPER     ASGN OPER
PORT  AUTH STATUS   AUTH STATUS
--------------------------------------------------------------------------------
1/3   successAuth   successAuth

State Legend: (Tagging/AutoConfig)
T= Tagged, U= Untagged, D= Disabled, S= Spbm, V= Vlan, I= Invalid

Auth Legend:
AP= Authentication Pass, AF= Authentication Fail,
NA= Not Authenticated, N= None

--------------------------------------------------------------------------------

2 out of 2 Total Num of fabric attach discovery elements displayed

Verify the FA I-SID-to-VLAN assignment. An active state indicates that the FA (ELAN) I-SID is
successfully created with endpoint of type Switched UNI. By default, this I-SID is created for Layer 2.
Switch:1#show fa assignment

========================================================================
Fabric Attach Assignment Map
========================================================================
Interface I-SID Vlan State Origin
------------------------------------------------------------------------
1/3 44 2 active proxy

------------------------------------------------------------------------
1 out of 1 Total Num of fabric attach assignment mappings displayed
------------------------------------------------------------------------

For Layer 3 support, you must configure a platform VLAN. The platform VLAN can have the same value
as that of the C-VID or it can have a different value.

In this example, the platform VLAN has the same value as the C-VID.
Switch:1(config)#vlan create 2 type port-mstprstp 0
Switch:1(config)#vlan i-sid 2 44
Switch:1#show i-sid elan

======================================================================
Isid Info
======================================================================
ISID  ISID            PORT        MLT         ORIGIN      ISID
ID    TYPE    VLANID  INTERFACES  INTERFACES              NAME
----------------------------------------------------------------------
44    ELAN    2       c2:1/3                  DISC_LOCAL  ISID-44

c: customer vid u: untagged-traffic

All 1 out of 1 Total Num of Elan i-sids displayed

Verify neighbor discovery on the FA Proxy switch:

Note that the edge switch (BEB) is discovered as the FA Server by the FA Proxy.
Switch:2(config)#show fa agent

Fabric Attach Service Status: Enabled
Fabric Attach Element Type: Proxy
Fabric Attach Zero Touch Status: Enabled
Fabric Attach Auto Provision Setting: Proxy
Fabric Attach Provision Mode: SPBM
Fabric Attach Client Proxy Status: Enabled
Fabric Attach Standalone Proxy Status: Disabled
Fabric Attach Agent Timeout: 50 seconds
Fabric Attach Extended Logging Status: Enabled
Fabric Attach Primary Server Id: aa:bb:cc:dd:ee:11:30:01:00:01 (SPBM)
Fabric Attach Primary Server Descr:BEB-Switch (6.0.0.0_GA)
Switch:2(config)#show fa elements

Unit/   Element Element              Element
Port    Type    Subtype              VLAN    Auth System ID
------- ------- -------------------- ------- ---- -----------------------------
1/3     Server  Server (Auth)        0       AP   aa:bb:cc:dd:ee:11:30:01:00:01
Switch:2(config)#show fa i-sid

I-SID   VLAN Source       Status
------- ---- ------------ -------
44      2    Proxy        Active
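
Added example, not part of the VOSS guide: a Python review of captured "show fa elements" and "show fa assignment" output from the FA Server that flags elements whose authentication codes are not AP and I-SID-to-VLAN bindings learned on ports without an authenticated element. It assumes the row layouts and legend codes shown in this section and a local policy that both auth columns must read AP; the rows for ports 1/5, 1/6 and 1/9 are constructed.

```python
import re

# Row layouts follow the "show fa elements" and "show fa assignment" output above.
ELEMENT = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<type>\w+)\s+(?P<vlan>\d+)\s+"
    r"(?P<tag>[TUD])\s*/\s*(?P<auto>[SVI])\s+"
    r"(?P<sysid>(?:[0-9a-fA-F]{2}:){9}[0-9a-fA-F]{2})\s+"
    r"(?P<elem>AP|AF|NA|N)\s+(?P<asgn>AP|AF|NA|N)$")
ASSIGNMENT = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<isid>\d+)\s+(?P<vlan>\d+)\s+"
    r"(?P<state>\w+)\s+(?P<origin>\w+)$")

def parse_rows(pattern, output):
    """Return one dict per data row; banners, headers and legends are skipped."""
    return [m.groupdict() for line in output.splitlines()
            if (m := pattern.match(line.strip()))]

def review(elements_out, assignment_out):
    """Return (port, issue, detail) tuples for the operator to follow up."""
    elements = {e["port"]: e for e in parse_rows(ELEMENT, elements_out)}
    findings = []
    for port, e in elements.items():
        if e["elem"] != "AP":                      # element (discovery) authentication
            findings.append((port, "element-auth", e["elem"]))
        if e["asgn"] != "AP":                      # assignment TLV authentication
            findings.append((port, "assignment-auth", e["asgn"]))
        if e["auto"] == "I":                       # legend: I= Invalid autoconfig
            findings.append((port, "autoconfig", "I"))
    for a in parse_rows(ASSIGNMENT, assignment_out):
        if a["state"] != "active":
            continue
        binding = f'{a["isid"]}->{a["vlan"]}'
        e = elements.get(a["port"])
        if e is None:
            findings.append((a["port"], "binding-without-element", binding))
        elif (e["elem"], e["asgn"]) != ("AP", "AP"):
            findings.append((a["port"], "binding-on-unauthenticated-port", binding))
    return findings

# First data row of each table is from this section; the others are constructed.
ELEMENTS_OUT = """\
PORT TYPE VLAN STATE SYSTEM ID AUTH AUTH
--------------------------------------------------------------------------------
1/3 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP
1/5 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:02 AF NA
1/6 proxy 0 U / I 10:cd:ae:09:40:00:20:00:00:03 N N
"""
ASSIGNMENT_OUT = """\
Interface I-SID Vlan State Origin
------------------------------------------------------------------------
1/3 44 2 active proxy
1/5 45 3 active proxy
1/9 46 4 active proxy
"""

if __name__ == "__main__":
    for finding in review(ELEMENTS_OUT, ASSIGNMENT_OUT):
        print(*finding)
```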

Configure Fabric Attach in an SMLT


The following example describes FA configuration and behavior in a dual-homed SMLT deployment.

The following figure shows a simple FA solution in a dual-homed SMLT deployment. In this deployment,
a pair of BEB switches (BEB A and BEB B) operating as IST peers are configured as the FA Server.
An access switch or a wiring closet switch configured as an FA Proxy connects to the FA Server.
The FA Proxy advertises I-SID-to-VLAN assignment mappings to the FA Server. Both BEB switches
receive the mapping information using LLDP PDUs containing assignment TLVs. The switch that learns
the mapping first considers the I-SID to be discovered locally and creates the I-SID on its device.
The mapping information is then shared with its IST peer switch. When the peer switch receives
the mapping across IST in a new SMLT message, it too creates the I-SID on its device. This I-SID,
however, is considered to be discovered remotely because it is learnt from synchronization with the
peer switch. The mappings can also be learned on the FA Server from both LLDP PDUs and from IST
synchronization.

Figure 95: FA configuration in dual-homed SMLT


Before You Begin

Ensure that the proxy device (for example, an access switch) is properly configured for FA. See the
corresponding product documentation for information on how to configure FA on the switch.

Procedure

1. Configure SMLT and vIST on switches BEB A and BEB B.

Caution
For the IST peer switches acting as the FA Server to transmit the same FA System ID
(based on the virtual MAC), SMLT configuration on both the switches must be the same.

For detailed information on configuring SMLT and vIST, see MultiLink Trunking and Split MultiLink
Trunking on page 2357.
Configure BEB A and BEB B as the FA Server

Perform the following configuration on each switch.


2. Enter Global Configuration mode:
enable
configure terminal
3. Enable FA globally:
fa enable
4. Enter MLT interface configuration mode:
interface mlt <1–512>
5. Enable FA on the MLT:
fa enable

Note
Enabling FA automatically enables message authentication. Also, the authentication key is
set to the default value and the system displays the encrypted authentication key on the
output.

6. (Optional) Configure an FA authentication key with a value different from that of the default value:
fa authentication-key [WORD<0-32>]

Caution
When you configure the FA authentication key, you must configure the same value on
both BEB switches in the SMLT.

Verify global and MLT-level FA configuration on BEB A and BEB B:


7. Verify global configuration of FA using one of the following commands:
• show fa
• show fa agent
8. Verify MLT-level (interface-level) configuration of FA:
show fa interface
Verify FA discovery on BEB A and BEB B:
9. Verify discovery of the FA Proxy.
show fa elements
View FA I-SID-to-VLAN assignments on BEB A and BEB B:
10. View the FA I-SID-to-VLAN assignments:
show fa assignment

To view FA I-SID-to-VLAN assignments on specific ports, enter:

show fa assignment {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
Verify creation of Switched UNI I-SIDs on BEB A and BEB B:

11. Verify creation of Switched UNI (ELAN) I-SIDs:
• View ELAN I-SID information using show i-sid elan.
• View ELAN I-SID information on a specific MLT using show mlt i-sid [<1–512>].

Note
Viewing ELAN I-SID information on an MLT is very useful to understand the origin of
the I-SID, when multiple client or proxy devices connecting to the FA Server using
SMLT MLT advertise the same I-SID-to-VLAN mappings. In the event of a link failure on
an MLT, the origin of the I-SID helps determine on which MLT, and thereby from which
proxy or client device, the mappings were successfully learnt.

Examples

SMLT configuration on BEB A and BEB B:

On BEB A:
Switch:1>en
Switch:1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface mlt 1
Switch:1(config-mlt)#smlt

On BEB B:
Switch:2>en
Switch:2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch:2(config)#interface mlt 1
Switch:2(config-mlt)#smlt

vIST configuration on BEB A and BEB B:

On BEB A:
Switch:1(config)#vlan create 2261 type port-mstprstp 0
Switch:1(config)#vlan i-sid 2261 1502261
Switch:1(config)#interface vlan 2261
Switch:1(config)#ip address 192.0.2.0 255.255.255.0 2

Configure BEB B (IP address 192.0.2.1) as the IST peer.


Switch:1(config)#virtual-ist peer-ip 192.0.2.1 vlan 2261
Switch:1(config)#show virtual-ist
Switch:1(config)#exit

On BEB B:
Switch:2(config)#vlan create 2261 type port-mstprstp 0
Switch:2(config)#vlan i-sid 2261 1502261
Switch:2(config)#interface vlan 2261
Switch:2(config)#ip address 192.0.2.1 255.255.255.0 2

Configure BEB A (IP address 192.0.2.0) as the IST peer.

Switch:2(config)#virtual-ist peer-ip 192.0.2.0 vlan 2261
Switch:2(config)#show virtual-ist
Switch:2(config)#exit

FA configuration on BEB A:

Enable FA globally and on the MLT:


Switch:1(config)#fa enable
Switch:1>show fa

================================================================================
Fabric Attach Configuration
================================================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 240
FA Discovery Timeout : 240
FA Provision Mode : spbm

Optionally, configure an FA authentication key with the value dual-homed-smlt. Ensure that you
configure the same value on both switches BEB A and BEB B.
Switch:1(config)#interface mlt 1
Switch:1(config-mlt)#fa authentication-key dual-homed-smlt

Enable FA on the MLT:


Switch:1(config-mlt)#fa enable
Switch:1(config-mlt)#exit
Switch:1(config)#show fa interface

====================================================================
Fabric Attach Interfaces
====================================================================
INTERFACE  SERVER   MGMT  MGMT  MSG AUTH  MSG AUTH  ORIGIN
           STATUS   ISID  CVID  STATUS    KEY
--------------------------------------------------------------------
Mlt1       enabled  0     0     enabled   ****

--------------------------------------------------------------------
1 out of 1 Total Num of fabric attach interfaces displayed
--------------------------------------------------------------------

Verify discovery of the FA Proxy:


Switch:1(config)#show fa elements

================================================================================
Fabric Attach Discovery Elements
================================================================================
             MGMT                                        ELEM  ASGN
PORT  TYPE   VLAN  STATE  SYSTEM ID                      AUTH  AUTH
--------------------------------------------------------------------------------
3/21  proxy  2     T / S  10:cd:ae:09:40:00:20:00:00:01  AP    AP
3/22  proxy  2     T / S  10:cd:ae:09:40:00:20:00:00:01  AP    AP
3/23  proxy  2     T / S  10:cd:ae:09:40:00:20:00:00:01  AP    AP

================================================================================
Fabric Attach Authentication Detail
================================================================================
      ELEM OPER     ASGN OPER
PORT  AUTH STATUS   AUTH STATUS
--------------------------------------------------------------------------------
3/21  successAuth   successAuth
3/22  successAuth   successAuth
3/23  successAuth   successAuth

State Legend: (Tagging/AutoConfig)


T= Tagged, U= Untagged, D= Disabled, S= Spbm, V= Vlan, I= Invalid

Auth Legend:
AP= Authentication Pass, AF= Authentication Fail,
NA= Not Authenticated, N= None

--------------------------------------------------------------------------------

3 out of 3 Total Num of fabric attach discovery elements displayed

The FA Proxy advertises I-SID-to-VLAN assignment mappings to BEB A on MLT ports 3/21 to 3/23.

View the FA I-SID-to-VLAN assignments on BEB A. All ports in the MLT receive the FA assignment mappings, as shown in the following output:
Switch:1(config)#show fa assignment

===================================================
Fabric Attach Assignment Map
==================================================
Interface I-SID Vlan State Origin
---------------------------------------------------
3/21 2 2 active proxy
3/21 3 3 active proxy
3/21 4 4 active proxy
3/22 2 2 active proxy
3/22 3 3 active proxy
3/22 4 4 active proxy
3/23 2 2 active proxy
3/23 3 3 active proxy
3/23 4 4 active proxy

FA configuration on BEB B:

Enable FA globally and on the MLT:


Switch:2(config)#fa enable
Switch:2(config)#show fa
========================================================================
Fabric Attach Configuration
========================================================================
FA Service : enabled
FA Element Type : server
FA Assignment Timeout : 240
FA Discovery Timeout : 240
FA Provision Mode : spbm

Configure the FA authentication key dual-homed-smlt. Ensure that you configure the same value as
on BEB A.
Switch:2(config)#interface mlt 1
Switch:2(config-mlt)#fa authentication-key dual-homed-smlt

Enable FA on the MLT:


Switch:2(config-mlt)#fa enable
Switch:2(config-mlt)#exit

Switch:2(config)#show fa interface

====================================================================
Fabric Attach Interfaces
====================================================================
INTERFACE SERVER MGMT MGMT MSG AUTH MSG AUTH ORIGIN
STATUS ISID CVID STATUS KEY
--------------------------------------------------------------------
Mlt1 enabled 0 0 enabled ****

--------------------------------------------------------------------
1 out of 1 Total Num of fabric attach interfaces displayed
--------------------------------------------------------------------

Verify discovery of FA Proxy:


Switch:2(config)#show fa elements

================================================================================
Fabric Attach Discovery Elements
================================================================================
MGMT ELEM ASGN
PORT TYPE VLAN STATE SYSTEM ID AUTH AUTH
--------------------------------------------------------------------------------
3/17 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP
3/18 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP
3/19 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP
3/20 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP

================================================================================
Fabric Attach Authentication Detail
================================================================================
ELEM OPER ASGN OPER
PORT AUTH STATUS AUTH STATUS
--------------------------------------------------------------------------------
3/17 successAuth successAuth
3/18 successAuth successAuth
3/19 successAuth successAuth
3/20 successAuth successAuth

State Legend: (Tagging/AutoConfig)


T= Tagged, U= Untagged, D= Disabled, S= Spbm, V= Vlan, I= Invalid

Auth Legend:
AP= Authentication Pass, AF= Authentication Fail,
NA= Not Authenticated, N= None

--------------------------------------------------------------------------------

4 out of 4 Total Num of fabric attach discovery elements displayed

The FA Proxy device advertises I-SID-to-VLAN assignment mapping requests to BEB B on MLT ports
3/17 to 3/20.
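The Auth Legend above can be checked mechanically. The following sketch is an added example, not part of the VOSS guide. It parses `show fa elements` output from both BEBs, flags any port whose element or assignment authentication is not AP, and flags an FA element that one BEB has not discovered. The BEB A sample repeats the rows shown above; the BEB B sample is constructed to include failures. The expectation that every element appears on every listed switch is an assumption that fits this dual-homed example.

```python
import re

# One data row of the "Fabric Attach Discovery Elements" table:
# PORT TYPE MGMT-VLAN STATE(Tagging / AutoConfig) SYSTEM-ID ELEM-AUTH ASGN-AUTH
ROW = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<type>\S+)\s+(?P<mgmt_vlan>\d+)\s+"
    r"(?P<tagging>[A-Z])\s*/\s*(?P<autoconf>[A-Z])\s+"
    r"(?P<system_id>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+)\s+"
    r"(?P<elem_auth>AP|AF|NA|N)\s+(?P<asgn_auth>AP|AF|NA|N)\s*$"
)

# Rows copied from the BEB A output on this page.
SAMPLE_BEB_A = """
PORT TYPE VLAN STATE SYSTEM ID AUTH AUTH
3/21 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP
3/22 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP
3/23 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP
3/21 successAuth successAuth
"""

# Constructed sample (not from the guide): a key mismatch on 3/18, an
# unauthenticated link on 3/19, and an element that only BEB B sees on 3/20.
SAMPLE_BEB_B = """
PORT TYPE VLAN STATE SYSTEM ID AUTH AUTH
3/17 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AP AP
3/18 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 AF AF
3/19 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:01 NA NA
3/20 proxy 2 T / S 10:cd:ae:09:40:00:20:00:00:02 AP AP
"""


def parse_fa_elements(text):
    """Return one dict per element row; headers and detail rows are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def audit(outputs):
    """outputs maps a switch name to its raw 'show fa elements' text.

    Returns (switch, port, reason) tuples. port is None for findings
    that concern a whole switch rather than one port.
    """
    findings = []
    seen = {}  # system ID -> set of switches that discovered it
    for switch, text in outputs.items():
        for row in parse_fa_elements(text):
            seen.setdefault(row["system_id"], set()).add(switch)
            for column in ("elem_auth", "asgn_auth"):
                if row[column] != "AP":
                    findings.append((switch, row["port"], f"{column}={row[column]}"))
    # Assumption: each element is dual-homed to every switch in `outputs`.
    for system_id, switches in sorted(seen.items()):
        for missing in sorted(set(outputs) - switches):
            findings.append((missing, None, f"element {system_id} not discovered"))
    return findings


def sample_findings():
    return audit({"BEB-A": SAMPLE_BEB_A, "BEB-B": SAMPLE_BEB_B})


if __name__ == "__main__":
    for switch, port, reason in sample_findings():
        print(f"{switch:6} {port or '-':5} {reason}")
```

An AF result on a link where `fa authentication-key` is configured usually means the two ends hold different keys, so compare the key on the FA Proxy with the key on both BEBs.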

View FA I-SID-to-VLAN assignments on BEB-B:


Switch:2(config)#show fa assignment 3/17

===================================================
Fabric Attach Assignment Map
==================================================
Interface I-SID Vlan State Origin
---------------------------------------------------
3/17 2 2 active proxy
3/17 3 3 active proxy
3/17 4 4 active proxy

Verify creation of FA Switched UNI (ELAN) I-SIDs on BEB A and BEB B:


On BEB A:
Switch:1(config)#show i-sid elan
===================================================================================
Isid Info
===================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
-----------------------------------------------------------------------------------
2 ELAN N/A - c2:1 - --- - -lr - ISID-2
3 ELAN N/A - c3:1 - --- - -lr - ISID-3
4 ELAN N/A - c4:1 - --- - -lr - ISID-4

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
8k_fanout:1(config-if)#shlw mlt i-sid

View the I-SID information for MLT 1 on BEB A.


Switch:1(config)#show mlt i-sid 1

================================================================================
MLT Isid Info
================================================================================
ISID ISID
MLTID IFINDEX ID VLANID C-VID TYPE ORIGIN ISID BPDU
NAME
--------------------------------------------------------------------------------
1 6144 2 N/A 2 ELAN - --- - -lr - ISID-2
1 6144 3 N/A 3 ELAN - --- - -lr - ISID-3
1 6144 4 N/A 4 ELAN - --- - -lr - ISID-4
--------------------------------------------------------------------------------

3 out of 3 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
8k_fanout:1(config-if)#shlw mlt i-sid

On BEB B:
Switch:2(config)#show i-sid elan
===================================================================================
Isid Info
===================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
------------------------------------------------------------------------------------
2 ELAN N/A - c2:1 - --- - -lr - ISID-2
3 ELAN N/A - c3:1 - --- - -lr - ISID-3
4 ELAN N/A - c4:1 - --- - -lr - ISID-4

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
8k_fanout:1(config-if)#shlw mlt i-sid

View the I-SID information for MLT 1 on BEB B.


Switch:1(config)#show mlt i-sid 1

================================================================================
MLT Isid Info
================================================================================
ISID ISID
MLTID IFINDEX ID VLANID C-VID TYPE ORIGIN ISID BPDU
NAME
--------------------------------------------------------------------------------
1 6144 2 N/A 2 ELAN - --- - -lr - ISID-2
1 6144 3 N/A 3 ELAN - --- - -lr - ISID-3
1 6144 4 N/A 4 ELAN - --- - -lr - ISID-4
--------------------------------------------------------------------------------

3 out of 3 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
8k_fanout:1(config-if)#shlw mlt i-sid

The following section describes the behavior if, for example, a link failure occurs between the FA Proxy
and BEB B, as shown in the following figure.

Figure 96: FA behavior in dual-homed SMLT during a link failure


View the I-SID-to-VLAN assignments on BEB A:
Switch:1(config)#show fa assignment 3/21

===================================================
Fabric Attach Assignment Map
==================================================
Interface I-SID Vlan State Origin
---------------------------------------------------
3/21 2 2 active proxy
3/21 3 3 active proxy
3/21 4 4 active proxy

View the Switched UNI (ELAN) I-SIDs created on BEB A.


Switch:1(config)#show i-sid elan
======================================================================================
Isid Info
======================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
-------------------------------------------------------------------------------------
2 ELAN N/A - c2:1 - --- - -l- - ISID-2
3 ELAN N/A - c3:1 - --- - -l- - ISID-3
4 ELAN N/A - c4:1 - --- - -l- - ISID-4

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
8k_fanout:1(config-if)#shlw mlt i-sid

View the I-SID information for MLT 1 on BEB A.


Switch:1(config)#show mlt i-sid 1

================================================================================
MLT Isid Info
================================================================================
ISID ISID
MLTID IFINDEX ID VLANID C-VID TYPE ORIGIN ISID BPDU
NAME
--------------------------------------------------------------------------------
1 6144 2 N/A 2 ELAN - --- - -l- - ISID-2
1 6144 3 N/A 3 ELAN - --- - -l- - ISID-3
1 6144 4 N/A 4 ELAN - --- - -l- - ISID-4
--------------------------------------------------------------------------------

3 out of 3 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
8k_fanout:1(config-if)#shlw mlt i-sid

View the Switched UNI (ELAN) I-SIDs created on BEB B.


BEB-B:1(config-mlt)#show i-sid elan
======================================================================================
Isid Info
======================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
--------------------------------------------------------------------------------------
2 ELAN N/A - c2:1 - --- - --r - ISID-2
3 ELAN N/A - c3:1 - --- - --r - ISID-3
4 ELAN N/A - c4:1 - --- - --r - ISID-4

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
8k_fanout:1(config-if)#shlw mlt i-sid

View the I-SID information for MLT 1 on BEB B.


Switch:1(config)#show mlt i-sid 1

================================================================================
MLT Isid Info
================================================================================
ISID ISID
MLTID IFINDEX ID VLANID C-VID TYPE ORIGIN ISID BPDU
NAME
--------------------------------------------------------------------------------
1 6144 2 N/A 2 ELAN - --- - --r - ISID-2
1 6144 3 N/A 3 ELAN - --- - --r - ISID-3
1 6144 4 N/A 4 ELAN - --- - --r - ISID-4
--------------------------------------------------------------------------------

3 out of 3 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
8k_fanout:1(config-if)#shlw mlt i-sid

Multi-area SPB Configuration Example


The following figure is an example of the devices connecting to each other in the Multi-area SPB
network.

Figure 97: Multi-area SPB network example


The following sections show an example of how to configure the two boundary nodes in the Multi-area SPB
network (BG1 and BG2), enable remote Intermediate-System-to-Intermediate-System (IS-IS), and
configure the Layer 2 and Layer 3 unicast redistribution.

Note
You must first configure basic SPBM and IS-IS infrastructure. For more information, see SPBM
configuration examples on page 1231.

Boundary Node BG1 Configuration

enable
configure terminal
router isis remote
manual-area 49.0050
spbm 1 nick-name 1.21.15
exit
router isis remote enable
show isis area-vnode
=================================================================================================
ISIS SPBM Multi-Area VNode Info
=================================================================================================
VNODE VNODE VNODE REPRESENTED REPRESENTED VNODE
SYSTEM-ID NICK-NAME HOST-NAME AREA-ADDRESS AREA USED-IN-AREA
-------------------------------------------------------------------------------------------------
9200.30ff.fff0 9.00.30 vn-30 49.0030 HOME REMOTE
9200.50ff.fff0 9.00.50 vn-50 49.0050 REMOTE HOME
-------------------------------------------------------------------------------------------------
show isis remote
======================================================================================
ISIS Remote Area Info
======================================================================================
AdminState : enabled
System ID : d887.66f6.e486
Num of Interfaces : 0
Num of Area Addresses : 1
Dynamically Learned Area :
Multi-Area OperState : disabled

interface gigabitEthernet 1/4,1/9
isis remote
isis remote spbm 1
isis remote enable
exit
show isis adjacencies
====================================================================================================================
ISIS Adjacencies
====================================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME STATUS AREA AREA-NAME
--------------------------------------------------------------------------------------------------------------------
Port1/3 1 UP 20:33:27 127 19 b0ad.aa4d.b884 2118-50 ACTIVE HOME area-9.00.30
PortVirtual 1 UP 20:33:27 127 0 9200.50ff.fff0 area-9.00.50 ACTIVE HOME area-9.00.30
Port1/9 1 UP 00:01:16 127 27 d884.66f6.e484 BN2116 ACTIVE HOME area-9.00.30
Port1/4 1 UP 20:33:27 127 20 b0ad.aa40.1484 2119-50 ACTIVE REMOTE area-9.00.50
PortVirtual 1 UP 20:33:27 127 0 9200.30ff.fff0 area-9.00.30 ACTIVE REMOTE area-9.00.50
Port1/9 1 UP 00:01:00 127 21 d884.66f6.e486 BN2116 ACTIVE REMOTE area-9.00.50
--------------------------------------------------------------------------------------------------------------------
Home: 3 out of 3 interfaces have formed an adjacency
Remote: 3 out of 3 interfaces have formed an adjacency
--------------------------------------------------------------------------------------------------------------------

router isis
multi-area l2 redistribute i-sid permit-all
exit
isis multi-area l2 apply redistribute i-sid
show isis multi-area l2 redistribute i-sid
========================================================================================
MULTI AREA L2 ISID REDIST POLICY
========================================================================================
Permit Except List Name
----------------------------------------------------------------------------------------
permit-all -
----------------------------------------------------------------------------------------

router isis
multi-area ip redistribute unicast
exit
isis multi-area ip apply redistribute unicast
show isis multi-area ip redistribute unicast
========================================================================================
ISIS Multiarea Redistribute List for ip unicast - GlobalRouter
========================================================================================
DIRECTION ENABLE RPOLICY
----------------------------------------------------------------------------------------
home-to-remote TRUE
remote-to-home TRUE
----------------------------------------------------------------------------------------

Boundary Node BG2 Configuration

enable
configure terminal
router isis remote
manual-area 49.0050
spbm 1 nick-name 1.21.16
exit
router isis remote enable
show isis area-vnode
=================================================================================================
ISIS SPBM Multi-Area VNode Info
=================================================================================================
VNODE VNODE VNODE REPRESENTED REPRESENTED VNODE
SYSTEM-ID NICK-NAME HOST-NAME AREA-ADDRESS AREA USED-IN-AREA
-------------------------------------------------------------------------------------------------
9200.02ff.fff0 0.00.10 vn-area-0.00.10 10.0010 HOME REMOTE
9200.01ff.fff0 0.00.20 vn-area-0.00.20 20.0020 REMOTE HOME
-------------------------------------------------------------------------------------------------
show isis remote
=========================================================================================
ISIS Remote Area Info
=========================================================================================
AdminState : enabled
System ID : d884.66f6.e486
Num of Interfaces : 0
Num of Area Addresses : 1
Dynamically Learned Area :
Multi-Area OperState : disabled

interface gigabitEthernet 1/4,1/9
isis remote
isis remote spbm 1
isis remote enable
exit
show isis adjacencies
====================================================================================================================
ISIS Adjacencies
====================================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME STATUS AREA AREA-NAME
--------------------------------------------------------------------------------------------------------------------
Port1/3 1 UP 20:33:27 127 19 b0ad.aa4d.b884 2118-50 ACTIVE HOME area-9.00.30
PortVirtual 1 UP 20:33:27 127 0 9200.50ff.fff0 area-9.00.50 ACTIVE HOME area-9.00.30
Port1/9 1 UP 00:01:16 127 27 d887.66f6.e484 BN2117 ACTIVE HOME area-9.00.30
Port1/4 1 UP 20:33:27 127 20 b0ad.aa40.1484 2119-50 ACTIVE REMOTE area-9.00.50
PortVirtual 1 UP 20:33:27 127 0 9200.30ff.fff0 area-9.00.30 ACTIVE REMOTE area-9.00.50
Port1/9 1 UP 00:01:00 127 21 d887.66f6.e486 BN2117 ACTIVE REMOTE area-9.00.50

--------------------------------------------------------------------------------------------------------------------
Home: 3 out of 3 interfaces have formed an adjacency
Remote: 3 out of 3 interfaces have formed an adjacency
--------------------------------------------------------------------------------------------------------------------

router isis
multi-area l2 redistribute i-sid permit-all
exit
isis multi-area l2 apply redistribute i-sid
show isis multi-area l2 redistribute i-sid
======================================================================================
MULTI AREA L2 ISID REDIST POLICY
======================================================================================
Permit Except List Name
--------------------------------------------------------------------------------------
permit-all -
--------------------------------------------------------------------------------------

router isis
multi-area ip redistribute unicast
exit
isis multi-area ip apply redistribute unicast
show isis multi-area ip redistribute unicast
======================================================================================
ISIS Multiarea Redistribute List for ip unicast - GlobalRouter
======================================================================================
DIRECTION ENABLE RPOLICY
--------------------------------------------------------------------------------------
home-to-remote TRUE
remote-to-home TRUE
--------------------------------------------------------------------------------------

Layer 2 VSN configuration

Table 108: Layer 2 VSN product support


Feature Product Release introduced
Equal Cost Trees (ECT) VSP 4450 Series VSP 4000 4.0
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 4.2.1
VSP 7400 Series VOSS 8.0
VSP 8200 Series VSP 8200 4.0
VSP 8400 Series VOSS 4.2
VSP 8600 Series VSP 8600 4.5
XA1400 Series VOSS 8.0.50

Layer 2 Virtual Service Network (VSN) VSP 4450 Series VSP 4000 4.0
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 4.2.1
VSP 7400 Series VOSS 8.0
VSP 8200 Series VSP 8200 4.0
VSP 8400 Series VOSS 4.2
VSP 8600 Series VSP 8600 4.5
XA1400 Series VOSS 8.0.50
Switched UNI VSP 4450 Series VOSS 5.0
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 5.0
VSP 7400 Series VOSS 8.0
VSP 8200 Series VOSS 5.0
VSP 8400 Series VOSS 5.0
VSP 8600 Series VSP 8600 6.3
XA1400 Series Not Supported
Transparent Port UNI (T-UNI) VSP 4450 Series VSP 4000 4.0
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 4.2.1
VSP 7400 Series VOSS 8.0
VSP 8200 Series VOSS 4.2.1
VSP 8400 Series VOSS 4.2.1
VSP 8600 Series VSP 8600 6.3
XA1400 Series Not Supported

Layer 2 VSN configuration fundamentals


This section provides fundamental concepts for Layer 2 VSN.

SPBM Layer 2 VSN


SPBM supports Layer 2 VSN functionality where customer VLANs (C-VLANs) are bridged over the
SPBM core infrastructure.

At the Backbone Edge Bridges (BEBs), customer VLANs (C-VLAN) are mapped to I-SIDs based on
the local service provisioning. Outgoing frames are encapsulated in a MAC-in-MAC header, and then
forwarded across the core to the far-end BEB, which strips off the encapsulation and forwards the
frame to the destination network based on the I-SID-to-C-VLAN provisioning.

In the backbone VLAN (B-VLAN), Backbone Core Bridges (BCBs) forward the encapsulated traffic
based on the BMAC-DA, using the shortest path topology learned using IS-IS.

The following figure shows a sample campus SPBM Layer 2 VSN network.

Figure 98: SPBM L2 VSN in a campus


One of the key advantages of the SPBM Layer 2 VSN is that network virtualization provisioning is
achieved by configuring only the edge of the network (BEBs). As a result, the intrusive core provisioning
that other Layer 2 virtualization technologies require is not needed when new connectivity services are
added to the SPBM network. For example, when new virtual server instances are created and need their
own VLAN instances, they are provisioned at the network edge only and do not need to be configured
throughout the rest of the network infrastructure.

Based on its I-SID scalability, this solution can scale much higher than any 802.1Q tagging based
solution. Also, due to the fact that there is no need for Spanning Tree in the core, this solution does not
need any core link provisioning for normal operation.

Redundant connectivity between the C-VLAN domain and the SPBM infrastructure can be achieved by
operating two SPBM switches in switch clustering (SMLT) mode. This allows the dual homing of any
traditional link aggregation capable device into an SPBM network.

Configuration difference from ERS 8800

One major difference between this switch and the ERS 8800 is how they connect to two SMLT devices.

The ERS 8800 uses an interswitch trunk (IST). The IST connects directly to two SMLT devices with a
dedicated MLT and runs IS-IS over it. The dedicated MLT carries the IST control traffic and data traffic
during an SMLT failover. This feature dramatically improves resiliency over other methods. However, if
the dedicated MLT breaks, then there is no way to communicate between the IST peers, which causes
traffic loss.

This switch uses a virtual IST (vIST) that eliminates this single point of failure. The vIST feature creates
a virtualized IST channel in the SPBM cloud. With vIST, the IST tunnel is always up as long as there
is SPBM connectivity between the vIST peers. vIST also interoperates between any two devices that
support vIST, and the devices do not have to be the same type of device.

Before you can create a vIST, you must do the following:


• Enable SPBM and IS-IS globally.
• Configure SPBM and IS-IS.
• Create a VLAN (that is not used anywhere else) for each peer.
• Create an I-SID that is not used anywhere else.
• Configure an IP address for the vIST VLAN.
• Configure a Layer 2 VSN by assigning an I-SID to the C-VLAN, which is used by the vIST.

Important
• An I-SID must be assigned to every VLAN that is a member of a Layer 2 VSN.
• For proper traffic flow, if a Layer 2 VSN is created on one vIST peer, it must also be
created on the other vIST peer.
• For Simplified vIST deployment, if a VLAN is part of an SMLT it must be configured on
both the IST peers.

For information about vIST, see MultiLink Trunking and Split MultiLink Trunking on page 2357.

Fabric Connect Service Types

The Fabric Connect technology delivers Layer 2 and Layer 3 virtualization. These virtualized Layer 2 and
Layer 3 instances are referred to as Virtual Service Networks (VSNs). A Service Identifier (I-SID) is used
to uniquely distinguish these service instances network-wide, and a User Network Interface (UNI) is the
boundary or demarcation point between the “service layer” of traditional networks, that is VLANs and
VRFs, and the Fabric Connect “service layer”, that is Layer 2 & Layer 3 VSNs.
• Layer 2 VSNs are virtual broadcast domains interconnecting UNI members that share the same
Layer 2 VSN I-SID. MAC learning/aging is applied to all Layer 2 VSNs.
• Layer 3 VSNs are virtual routed Layer 3 networks (Layer 3 VPN) leveraging IS-IS as the routing
protocol between VRFs that share the same Layer 3 VSN I-SID.

Fabric Connect uses the User-Network-Interface (UNI) to denote the capabilities and attributes of the
service interfaces. Fabric Connect devices support the following UNI types:
• VLAN UNI (C-VLAN) — a device-specific VLAN-ID maps to a Layer 2 VSN I-SID – all device physical
ports that are associated with the VLAN are therefore associated with the UNI.
• Flex UNI — it has the following sub-types:
◦ Switched UNI — a VLAN-ID and a given port (VID, port) maps to a Layer 2 VSN I-SID. With this
UNI type, VLAN-IDs can be reused on other ports and therefore mapped to different I-SIDs.
◦ Transparent Port UNI — a physical port maps to a Layer 2 VSN I-SID (all traffic through that port,
802.1Q tagged or untagged, ingress and egress is mapped to the I-SID). Note: All VLANs on a
Transparent Port UNI interface now share the same single MAC learning table of the Transparent
Port UNI I-SID.

• E-Tree UNI — it extends Private VLANs beyond one Switch to form a network-wide E-Tree service
infrastructure. An E-Tree UNI is a Layer 2 VSN where broadcast traffic flows from Hub sites to Spokes
sites, and from Spokes to Hubs, but not between Spoke sites. E-Tree Hubs can be formed with any
VLAN UNI, while E-Tree Spokes must be configured as Private VLAN UNIs.
• Layer 3 VSN UNI — a device-specific VRF maps to an I-SID, and the control plane exchanges the
Layer 3 routes belonging to the same I-SID. All VRFs in a network sharing the same Layer 3 I-SID
effectively form a Layer 3 VPN. Layer 3 VSNs can be configured to simultaneously support both IP
Unicast and IP Multicast.

Transparent Port UNI

Use a Transparent Port User-Network-Interface (Transparent Port UNI or T-UNI) to map an entire port or
an MLT to an I-SID. CMAC learning is done against the I-SID. T-UNI configures a transparent port where
all traffic is MAC switched on an internal virtual port using the assigned I-SID. No VLAN is involved in
this process. Devices switch tagged and untagged traffic in the assigned I-SID regardless of the VLAN
ID. The T-UNI port or MLT can be either static or LACP and is not a member of any VLAN or Spanning
Tree Group (STG). The T-UNI port or MLT is always in the forwarding state.

You can map multiple ports to a T-UNI I-SID. Multiple ports on the same switch and on other BEBs can
use the common I-SID to switch traffic.

T-UNI is a point-to-point service, and all traffic that ingresses the UNI egresses from the remote UNI
end-point.

For information about QoS re-marking, see QoS re-marking on a Transparent Port UNI on page 2675.

Transparent

T-UNI is transparent because the MAC learning occurs within the I-SID, and packets that ingress from
any CVLAN are processed in an identical manner. Devices switch tagged and untagged traffic in the
assigned I-SID. Devices switch control protocols, such as BPDU, LACP, LLDP, and others, in the assigned
I-SID, rather than forwarding to the CP.

The service classification of packets that are received on a T-UNI port, is independent of the VLAN ID
values present in those packets. All data packets received on a T-UNI port are classified into the same
service. When data packets enter and exit the T-UNI service, no VLAN tag modifications are performed
on the data packets.

T-UNI based MAC learning

When a packet ingresses a port or MLT associated with a T-UNI I-SID, the system performs MAC lookup
based on the I-SID. A packet that ingresses a T-UNI port on a BEB can transfer through the SPB
network, or can egress out another T-UNI port configured to the same I-SID.

When a packet ingresses a network-to-network interface (NNI) port, before egressing a T-UNI port, the
system performs a MAC Destination Address (DA) lookup based on the I-SID. If the DA lookup fails, the
packet floods to all T-UNI ports.

Considerations

Consider the following design requirements when you configure a T-UNI:


• Only E-LAN based T-UNI is supported. All T-UNI I-SID end points for a given I-SID become members
of the same shared E-LAN service. If an E-LINE type of service is required, provision T-UNI at the two
end points comprising the point-to-point service.
• You cannot configure a T-UNI on the same I-SID as a C-VLAN.
• A port or MLT associated with a T-UNI I-SID cannot be part of any VLAN and does not belong to any
STG.
• Ensure that you always associate a T-UNI LACP MLT with a VLAN (even if it is the default VLAN)
before adding it to a T-UNI I-SID. Otherwise, traffic is not forwarded on the T-UNI LACP MLT.
• No Layer 3 processing takes place on packets ingressing on a T-UNI port.
• Pause frames do not switch through the T-UNI I-SID.
• Multiple ports or MLTs can be associated with same T-UNI I-SID.
• One port or MLT cannot be part of multiple T-UNI I-SIDs.
• An I-SID mapped to a T-UNI service must not be mapped to any other service, such as Layer 2 VSN
and Layer 3 VSN, on any of the remote BEBs in the SPBM network.
• Any Spanning Tree Protocol implementation is disabled on the port or MLT associated with the
T-UNI I-SID. The port will always be in a Forwarding state.
• No additional IS-IS TLVs are added to advertise or withdraw T-UNI I-SID services. Extreme Networks
makes use of the existing IS-IS TLV-144 and sub TLV-3 to carry I-SID information.
• MACs are learned against the combination of the I-SID and port or MLT.
• The MAC address limit is supported on a per-I-SID basis. For example, the MAC addresses learned on
the T-UNI I-SID can be limited.

Note
MAC learning limit for T-UNI service is not supported on all hardware platforms.

• Static MAC is not supported for a T-UNI port.


• IP traffic and control packets are transparently bridged over T-UNI endpoints.
• Untagged traffic ingressing on the T-UNI port will use COS 0. B-TAG and I-TAG priorities are derived
from the best effort queue that is assigned. If the T-UNI port is set as a Layer 2 untrusted port, a
best-effort queue is assigned.
• The 802.1p bits of the incoming traffic are used to derive the B-TAG and I-TAG priorities for tagged
traffic.
• LACP, VLACP and LLDP PDUs are extracted to the CP and all other control packets are transparently
bridged over the T-UNI port or MLT.

This feature handles control PDUs in the following manner:


All the Layer 2 and Layer 3 control packets are transparently bridged over the T-UNI port or MLT with
the exception of LACP, VLACP and LLDP PDUs. LACP PDUs, VLACP PDUs and LLDP PDUs are not
transparently bridged over the T-UNI port or MLT if LACP, VLACP or LLDP is enabled on the port or MLT.
• If an LACP MLT is associated with a T-UNI I-SID, LACP PDUs are extracted to the CP and processed
locally.
• If LACP is not enabled globally and an LACP MLT is not associated with the T-UNI I-SID, LACP PDUs are
transparently bridged across the T-UNI port or MLT.
• If a VLACP-enabled port is added to a T-UNI I-SID, VLACP PDUs are extracted to the CP for local
processing. If a port that is not VLACP-enabled is added to the T-UNI I-SID, VLACP PDUs are
transparently bridged across the T-UNI port.
• If an LLDP-enabled port is added to a T-UNI I-SID, LLDP PDUs are extracted to the CP for local
processing.
• If LLDP is not enabled on the port or MLT interface associated with the T-UNI I-SID, LLDP PDUs are
transparently bridged across the T-UNI port or MLT.

The following control packet types are transparently bridged across the T-UNI I-SID:
• SLPP
• VRRP
• OSPF
• RIP
• BGP
• ISIS
• CFM
• STP
• SONMP

Use T-UNI when either of the following apply:


• All tagged and untagged traffic on a port must be classified into the same broadcast domain.
• You want to offer a transparent provider solution.

An example of an application for T-UNI is a typical Ethernet provider deployment with port-based
classification and transparent forwarding.

Transparent Port UNI over vIST

Virtual IST (vIST) provides the ability to dual-home hosts, servers and other network devices to a pair
of Multi-Chassis Link Aggregation (MC-LAG) enabled devices. The system displays the MC-LAG nodes
to the connected devices as one link-aggregated group. So, although the physical connection is spread
between two individual network nodes, logically the system displays them as a single connection.

Transparent Port UNI (T-UNI) over vIST peers extends the capability of dual-home hosts on the SPB
cloud to achieve higher network resiliency. The MACs learnt on the T-UNI interface of any one vIST peer
are synchronized with the other peer through MAC synchronization.

In the following figure, the T-UNI access switch ACCESS-1 is dual-homed into vIST peer hosts VIST-PEER
1 and VIST-PEER 2. At ACCESS-1, a link aggregation is created to connect to the SPBM cluster. On the
vIST peers, an SMLT is created towards ACCESS-1. Depending on the link aggregation hashing logic,
traffic is hashed on to VIST-PEER 1 and VIST-PEER 2. The MACs learnt on the T-UNI interfaces of either
host are synchronized with the other host.

Figure 99: Example of Transparent Port UNI over vIST


If one of the links between ACCESS-1 and the vIST cluster goes down, all traffic is serviced through the
other link. The same applies when any of the vIST peers goes down. Since MAC learning on both peers is
synchronized, both peers can switch traffic with the same efficiency.
Single-homed T-UNI service on a vIST-enabled node

If you configure a T-UNI service as a single-homed service on a vIST-enabled node, you must configure
the same I-SID service, without mapping a port or MLT to the I-SID, on the other vIST peer node. Failure
to perform this configuration on the vIST peer node can result in the loss of traffic to the single-homed
T-UNI service in various scenarios.

Switched UNI

Switched User Network Interface (S-UNI) allows the association of local endpoints to I-SIDs based on
local port and VLAN together. With Switched UNI, the same VLAN can be used on one port to create an
endpoint to one I-SID, and on another port to create an endpoint to another I-SID.

Switched UNI summary:


• Switched UNI is a VLAN and ports associated with I-SIDs.
• Local significance on the ports.
• You can re-use the same VLAN to associate different ports with different I-SIDs.
• You can use a different VLAN on the same ports, or you can assign different ports to the same I-SID.
• Supports VLAN mapping on the local switch.
• To accept untagged traffic, the port needs to be configured as untagged-traffic in the I-SID.

Use Switched UNI when any of the following apply:


• VLAN ID (VID) reuse is required. The same VID is used on different broadcast domains (multi-tenant
applications).
• Multiple VLANs must be part of the same broadcast domain.
• VID translation is required.

An example of an application for Switched UNI is a typical host and provider deployment, with a port
and VID-based classification.
Switched UNI based MAC learning


MAC learning is based on the I-SID. When a packet ingresses on a port or MLT that is associated
with a Switched UNI I-SID, the system performs a MAC lookup based on the I-SID. Switched UNI operates
in Any-To-Any (ELAN) mode, so one or more ports can be associated with a Switched UNI I-SID. A
packet that ingresses a Switched UNI port on a BEB can transfer through the SPBM cloud, or can
egress out another Switched UNI port configured to the same I-SID.

When a packet ingresses a network-to-network interface (NNI) port, before egressing a Switched UNI
port, the system performs a MAC Destination Address (DA) lookup based on the I-SID. If the DA lookup
fails, the packet floods to all Switched UNI ports in the I-SID.
Considerations

Consider the following when you configure a Switched UNI:


• The VLAN tag is removed before the traffic egresses out on the untagged-traffic port or MLT.
• VLAN priority received on the packet is maintained across VLAN IDs.
• Spanning tree is disabled on all Switched UNI ports, and the ports remain in forwarding state.
• The Switched UNI I-SID is advertised to the SPBM cloud.
• The Broadcast and unknown Unicast packets are flooded to all ports in the I-SID.

Limitations

• You cannot change from one UNI type to another dynamically. The I-SID has to be deleted and
created with new UNI type (Customer VLAN (C-VLAN), Transparent port user-network-interface
(T-UNI), ELAN).
• I-SID cannot be used by IPVPN, MVPN, SPBM dynamic multicast range, or Transparent Port UNI.
• If the port is a member of MLT, the entire MLT has to be added to the VID.
• The port is always in the forwarding state.
• The same VID, port, or MLT cannot be member of more than one I-SID.
• Static MAC, Static ARP and static IGMP group are not supported on Switched UNI enabled ports.
• For a Switched UNI endpoint without a platform VLAN on the VSP 7400 Series, when MAC-in-MAC
terminated traffic is sent out to the UNI endpoint the packet is re-marked based on existing QoS
rules.
• On VSP 8600 Series, dynamically learned Fabric Attach announced VLAN:ISID bindings and
manually configured Switched-UNI end-points are not supported on the same interface.

BPDU handling on S-UNI port/MLT

The switch handles Bridge Protocol Data Units (BPDUs) according to whether or not you configure a
platform VLAN.
• When you configure a platform VLAN:
◦ BPDUs are forwarded to the CPU by default.
◦ For both the ingress and egress ports, BPDUs are not flooded in the S-UNI I-SID associated with
the platform VLAN.

Note
If the platform VLAN is configured for the S-UNI port, you cannot enable BPDU
forwarding.


• When you DO NOT configure a platform VLAN:


◦ BPDUs received on untagged-traffic ports are dropped by default.
◦ To flood BPDUs in its I-SID, enable BPDU forwarding under S-UNI I-SID using the command
untagged-traffic port <port no> bpdu enable.

SPBM sample operation—L2 VSN


The following section shows how an SPBM network is established, in this case, a Layer 2 VSN.

1. Discover network topology

Figure 100: SPBM topology discover

IS-IS runs on all nodes of the SPBM domain. Since IS-IS is the basis of SPBM, the IS-IS adjacency
must be formed first. After the neighboring nodes see hellos from each other, they look for the
same Level (Level 1) and the same area (for example, Area 2f.8700.0000.00). After the hellos are
confirmed, both nodes send Link State Protocol Data Units (LSPs), which contain connectivity information
for the SPBM node. These nodes also send copies of all other LSPs they have in their databases. This
establishes a network of connectivity providing the necessary information for each node to find the
best and proper path to all destinations in the network.

Each node has a system ID, which is used in the topology announcement. This same System ID also
serves as the switch Backbone MAC address (B-MAC), which is used as the source and destination
MAC address in the SPBM network.
2. Each IS-IS node automatically builds trees from itself to all other nodes

When the network topology is discovered and stored in the IS-IS link state database (LSDB), each
node calculates shortest path trees for each source node. A unicast path now exists from every node
to every other node.

With this information, each node populates unicast information received from SPBM into the FIB for
forwarding purposes. Multicast FIB is not produced until Layer 2 VSN services are configured and
learned.
3. IS-IS advertises new service communities of interest

When a new service is provisioned, its membership is flooded throughout the topology with an IS-IS
advertisement.

Figure 101: SPBM BMAC and I-SID population


BMAC and I-SID information is flooded throughout the network to announce new I-SID
memberships. In this case, VLAN 20 is mapped to I-SID 100.

Note
I-SIDs are only used for virtual services (Layer 2 and Layer 3 VSNs). If IP Shortcuts only is
enabled on the BEBs, I-SIDs are never exchanged in the network as IP Shortcuts allow for
IP networks to be transported across IS-IS.

Each node populates its FDB with the BMAC information derived from the IS-IS shortest path tree
calculations. Thus there is no traditional flooding and learning mechanism in place for the B-VLAN,
but FDBs are programmed by the IS-IS protocol.
4. When a node receives notice of a new service AND is on the shortest path, it updates the FDB

In this scenario, where there are three source nodes having a membership on I-SID 100, there are
three shortest path trees calculated (not counting the Equal Cost Trees (ECTs)).

Figure 102: Shortest path tree for source node A


Figure 103: Shortest path tree for source node B


Figure 104: Shortest path tree for source node C


The paths between any two nodes are always the shortest paths. Also, the paths in either direction
are congruent, thus a bidirectional communication stream can be monitored easily by mirroring
ingress and egress on a link to a network analyzer.

Traffic arriving on VLAN 20 at switch A is forwarded following the blue path, traffic arriving
on VLAN 20 at switch B follows the orange path, and traffic arriving on VLAN 20 at switch C follows
the green path.

If the destination CMAC is unknown at the SPBM ingress node or the traffic is of type broadcast or
multicast, then it is flooded to all members of the topology which spans VLAN 20. If the destination
CMAC is already known, then the traffic is only forwarded as a unicast to the appropriate destination.
In the SPBM domain, the traffic is switched on the BMAC header only. The bridge filtering database
(FDB) at the VLAN to I-SID boundary (the backbone edge bridge, BEB) maintains a mapping between
CMACs and corresponding BMACs.

For example, Switch B learns all CMACs which are on VLAN 20 connected to switch A with the
BMAC of A in its FDB and the CMACs which are behind C are learned with the BMAC of C.


Layer 2 VSN configuration using the CLI


This section provides procedures to configure Layer 2 VSNs using the CLI.

Configure SPBM Layer 2 VSN


SPBM supports Layer 2 Virtual Service Network (VSN) functionality where customer VLANs (C-VLANs)
are bridged over the SPBM core infrastructure.

At the BEBs, customer VLANs (C-VLAN) are mapped to I-SIDs based on the local service provisioning.
Outgoing frames are encapsulated in a MAC-in-MAC header, and then forwarded across the core to
the far-end BEB, which strips off the encapsulation and forwards the frame to the destination network
based on the I-SID-to-C-VLAN provisioning.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the customer VLANs (C-VLANs) and add slots/ports.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Map a customer VLAN (C-VLAN) to a Service Instance Identifier (I-SID):
vlan i-sid <1-4059> <0–16777215> [force]

Important
When a protocol VLAN is created, all ports are added to the VLAN including SPBM
ports. To configure a protocol-based VLAN as a C-VLAN, you must first remove the
SPBM-enabled ports from the protocol-based VLAN, and then configure the protocol-based
VLAN as a C-VLAN.
The switch reserves I-SID 0x00ffffff. The switch uses this I-SID to advertise the virtual
B-MAC in an SMLT dual-homing environment. The platform clears the receive and transmit
bit of this I-SID, therefore I-SID 0x00ffffff cannot be used for any other service.

3. Display C-VLAN information:


show vlan i-sid

Example

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#vlan i-sid 10 100
Switch:1(config)#show vlan i-sid
Switch:1>show vlan i-sid
===============================================================================
Vlan I-SID
===============================================================================
VLAN_ID I-SID I-SID NAME
-------------------------------------------------------------------------------


1
10 100 Hospital-Server-10
90 1000 ISID-1000

3 out of 3 Total Num of Vlans displayed

Variable Definitions

The following table defines parameters for the vlan i-sid command.

Variable Value
<1-4059> Specifies the primary VLAN ID.
Specifies the VLAN ID in the range of 1 to 4059. By default,
VLAN IDs 1 to 4059 are configurable and the system reserves
VLAN IDs 4060 to 4094 for internal use. On switches that
support the vrf-scaling and spbm-config-mode boot
configuration flags, if you enable these flags, the system also
reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
VLAN and you cannot create or delete VLAN ID 1.
<0-16777215> Specifies the service instance identifier (I-SID).

Note:
The switch reserves I-SID 0x00ffffff. The switch uses this
I-SID to advertise the virtual B-MAC in an SMLT dual-homing
environment. The platform clears the receive and transmit bit
of this I-SID, therefore I-SID 0x00ffffff cannot be used for any
other service.

This value is the same for the primary and secondary VLANs.
force Specifies that the software must replace the existing VLAN-to-I-SID
mapping, if one exists.

Configure a Global I-SID Name


Use this procedure to provide a descriptive name for the Service Identifier (I-SID).

Note
Product Notice: This procedure does not apply to VSP 8600 Series.

You can configure a service name for I-SIDs, loopback interfaces, and static routes. You can configure
the service name before or after you create the I-SID for the following services:
• Layer 2 VSN
• Layer 3 VSN
• ELAN I-SID or Switched UNI I-SID
• ELAN transparent I-SID or Transparent UNI I-SID
• IPv4 and IPv6 static routes
• IPv4 and IPv6 loopback CLIP interface

Note
The service name for I-SIDs does not support the following special characters: “ ” # $ % ‘ / [ \ ]
^ { | } ~ @.


By default, the service name is ISID-x, where x correlates to the I-SID number of the service.

Note
Product Notice: For XA1400 Series, you can configure a service name for IPv4 static routes
and IPv4 loopback CLIP interfaces only.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enter a name for the global I-SID.
i-sid name <1-6777215> WORD<1-64>
3. Display I-SID names for all configured I-SIDs.
show i-sid name
4. Display I-SID name by I-SID.
show i-sid name <1-6777215>

Example

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#i-sid name 1 ExtremeServer1
Switch:1(config)#i-sid name 20 ExtremeServer7

View the configured I-SID names:


Switch:1(config)#show i-sid name
=========================================================================
I-SID Name
=========================================================================
I-SID I-SID NAME TYPE
-------------------------------------------------------------------------
1 ExtremeServer1 adminName
2 ExtremeServer2 adminName
3 ExtremeServer3 config adminName
4 ISID-4 config
23 ISID-23 config
25 ExtremeServer4 config adminName

Total number of I-SID Name entries: 6.

View the configured I-SID by number:

Switch:1#show i-sid name 1


=======================================================================
I-SID Name
=======================================================================
I-SID I-SID NAME TYPE
-----------------------------------------------------------------------
1 ExtremeServer1 adminName

Switch:1#show i-sid name 20


=======================================================================
I-SID Name


=======================================================================
I-SID I-SID NAME TYPE
-----------------------------------------------------------------------
20 ExtremeServer7 adminName

Variable Definitions

Use the data in the following table to use the i-sid name command.

Variable Value
<1-6777215> Specifies the I-SID number.
WORD<1-64> Specifies the name of the I-SID. The I-SID can be named before or
after the I-SID is created.
By default, for an I-SID in use, the service is named ISID-x, where x
correlates to the I-SID number of the service.
Note: This parameter does not apply to all hardware platforms.

Displaying C-VLAN I-SID information


Use the following procedure to display C-VLAN I-SID information.

Procedure
1. Display the C-VLAN to I-SID associations:
show vlan i-sid <1-4059>
2. Display the IS-IS SPBM multicast-FIB calculation results by I-SID:
show isis spbm i-sid {all|config|discover} [vlan <1-4059>] [id <1–16777215>] [nick-name <x.xx.xx>]
3. Discover where entries are learned:
show vlan mac-address-entry [spbm-tunnel-as-mac]
4. Display the VLAN remote MAC table for a C-VLAN:
show vlan remote-mac-table <1-4059>

Example
Switch:1>show vlan i-sid
===============================================================================
Vlan I-SID
===============================================================================
VLAN_ID I-SID I-SID NAME
-------------------------------------------------------------------------------
1
10 100 Hospital-Server-10
90 1000 ISID-1000

3 out of 3 Total Num of Vlans displayed


Switch# show isis spbm i-sid all
====================================================================================================================================
SPBM ISID INFO
====================================================================================================================================
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME ISID NAME AREA AREA NAME
------------------------------------------------------------------------------------------------------------------------------------
101001 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101001 HOME area-0.00.20
101003 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101003 HOME area-0.00.20
101005 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101005 HOME area-0.00.20
101007 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101007 HOME area-0.00.20
101009 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101009 HOME area-0.00.20
101011 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101011 HOME area-0.00.20


-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries configed: 0
-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries discovered: 6
-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries: 6
-----------------------------------------------------------------------------------------------------------------------------------

Switch:# show vlan mac-address-entry


================================================================================
Vlan Fdb
================================================================================
VLAN MAC SMLT
ID STATUS ADDRESS INTERFACE REMOTE TUNNEL
--------------------------------------------------------------------------------
1 learned 00:1d:42:6b:10:03 Port-1/9 false SwitchB
1 learned 00:80:2d:22:ac:46 Port-1/15 false SwitchB
2 self a4:25:1b:51:48:84 103.103.103.103 false -
2 self 02:01:03:ff:ff:ff Tunnel_to_HQ false -
5 learned 00:00:00:00:00:1a access false SwitchB
10 self 00:00:00:00:49:50 Port-1/9 false -
10 self 00:00:00:50:00:50 Port-1/9 false -
Switch# show vlan remote-mac-table 100
====================================================================================================
Vlan Remote Mac Table
====================================================================================================
VLAN STATUS MAC-ADDRESS DEST-MAC BVLAN DEST-SYSNAME PORTS SMLTREMOTE
----------------------------------------------------------------------------------------------------
100 learned 00:15:40:af:d2:00 00:74:00:00:00:00 20 Switch-6005 MLT-2 false
100 learned b4:a9:5a:04:c8:83 b4:a9:5a:04:c8:65 3 Switch-174 103.103.103.103 true
100 learned b4:a9:5a:04:c8:84 b4:a9:5a:04:c8:66 3 Switch-175 Tunnel_to_HQ true
---------------------------------------------------------------------------------------------------
3 of 3 matching entries out of total of 3 Remote Mac entries in all fdb(s) displayed.
---------------------------------------------------------------------------------------------------

Variable definitions

The following table defines parameters for the show vlan commands.

Variable Value
i-sid <1-4059> Displays I-SID information for the specified C-VLAN.
mac-address-entry [spbm-tunnel-as-mac] Displays the bridging forwarding database.
Use the optional parameter, spbm-tunnel-as-mac, to
display the BMAC in the TUNNEL column. If you do not use
this optional parameter, the TUNNEL column displays the
host name. If an entry is not learned in the SPBM network,
the TUNNEL column will be empty (–).
remote-mac-table <1-4059> Displays C-VLAN remote-mac-table information.

The following table defines parameters for the show isis commands.

Variable Value
spbm i-sid {all|config|discover}
• all: displays all I-SID entries
• config: displays configured I-SID entries
• discover: displays discovered I-SID entries

vlan <1-4059> Displays I-SID information for the specified SPBM VLAN.

id <1–16777215> Displays I-SID information for the specified I-SID.
nick-name <x.xx.xx> Displays I-SID information for the specified nickname.

Configuring an SPBM Layer 2 Transparent Port UNI


Use this procedure to configure a Transparent Port UNI or E-LAN Transparent service.

Note
If you are configuring a T-UNI to terminate on a port or MLT on a switch in a vIST switch
cluster, you must also configure the T-UNI I-SID on the other switch of the vIST switch cluster.
You must configure the T-UNI I-SID on both switches of a vIST pair. It is not necessary to
assign an actual port or MLT to the T-UNI on the second switch.

Before You Begin


• You must configure the required SPBM and IS-IS infrastructure, which includes creating the SPBM
B-VLANs.
• You must associate a T-UNI LACP MLT with a VLAN before mapping the LACP MLT to a T-UNI I-SID.

Caution
In the case of T-UNI LACP SMLT, before you configure SMLT on switch peers, ensure that
the T-UNI LACP MLT on each peer is always associated with a VLAN, even if it is the
default VLAN, and that it is added to a T-UNI I-SID. Otherwise, traffic is not forwarded on
the T-UNI LACP MLT.

About This Task

You can configure Transparent Port UNI when either of the following apply:
• You want all tagged and untagged traffic on a port to be classified into the same broadcast domain.
• You want to offer a transparent provider solution.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure a Transparent Port UNI (Elan-Transparent based service). Enter:
i-sid <1-16777215> elan-transparent

This command automatically takes you to the Elan-Transparent I-SID Configuration mode.
3. Add ports to the Elan-Transparent based service. Enter:
port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

A warning message displays indicating that adding a port to a T-UNI I-SID removes the port from all
VLANs. Enter y when prompted to continue.


4. Add an MLT to the Elan-Transparent based service. Enter:


mlt <1–512>

A warning message displays indicating that adding an MLT to a Transparent Port UNI I-SID removes
the MLT from all VLANs. Enter y when prompted to continue.
5. To verify the Transparent Port UNI configuration, enter:
show i-sid <1–16777215>
6. To remove ports or MLT from the Elan-Transparent based service, enter one of the following
commands:
no port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

OR

no mlt <1–512>
7. To delete the Elan-Transparent based service, enter:
no i-sid <1-16777215>

Example

Configure a Transparent Port UNI I-SID (elan-transparent based service).


Switch:1(config)#i-sid 3 elan-transparent

Switch:1(elan-tp:3)#port 1/25
Adding Ports to Transparent UNI i-sid removes it from all VLANS.
Do you wish to continue (y/n) ? y
Switch:1(elan-tp:3)#

Switch:1(elan-tp:3)#mlt 1
Adding MLTs to Transparent UNI i-sid removes it from all VLANS.
Do you wish to continue (y/n) ? y
Switch:1(elan-tp:3)#

Verify Transparent Port UNI or Elan-Transparent based service configuration.


Switch:1(config)#show i-sid 3
===============================================================================
Isid Info
================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
--------------------------------------------------------------------------------
3 ELAN_TR N/A - - CONFIG ISID-3


Variable definitions

The following table defines parameters for the i-sid command.

Note
When SPB is enabled, I-SID IDs 16000000 (0xF42400) and greater, up to 16,777,215
(0xFFFFFF), are reserved for dynamic i-sid allocation and used to support IP Multicast traffic
over SPB and other advanced Fabric services.

Variable Value
i-sid <1–16777215> elan-transparent Creates an Elan-Transparent based service. The service
interface identifier (I-SID) range is 1 to 16777215.
port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} Adds ports to the Elan-Transparent based service.
mlt <1–512> Adds MLTs to the Elan-Transparent based service. The MLT
range is 1 to 512.
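
The ranges and restrictions stated in this chapter for C-VLAN and T-UNI services can be checked against a planned change before any command is entered. The following Python lint is an added example, not part of the VOSS guide or of any Extreme Networks tool; the function names, the plan layout, and the sample plan are assumptions made for illustration, and sub-ports are not handled.

```python
import re

RESERVED_ISID = 0x00FFFFFF      # used to advertise the virtual B-MAC with SMLT
DYNAMIC_ISID_START = 16000000   # this I-SID and above: dynamic allocation with SPB
# Characters the guide lists as unsupported in I-SID service names. The guide
# prints typographic quotes; treating them as also covering the ASCII quote
# characters is an assumption of this example.
FORBIDDEN_NAME_CHARS = set('"\'“”‘’#$%/[\\]^{|}~@')


def expand_ports(spec):
    """Expand '1/2-1/8,8/11' to a set of (slot, port). Sub-ports and ranges
    that cross slots are rejected (simplification in this example)."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)/(\d+)(?:-(\d+)/(\d+))?", part.strip())
        if not m:
            raise ValueError(f"unsupported port spec: {part!r}")
        slot, first = int(m.group(1)), int(m.group(2))
        if m.group(3) is None:
            ports.add((slot, first))
            continue
        end_slot, last = int(m.group(3)), int(m.group(4))
        if end_slot != slot or last < first:
            raise ValueError(f"unsupported port range: {part!r}")
        ports.update((slot, p) for p in range(first, last + 1))
    return ports


def check_isid(isid, subject, lowest):
    """Apply the I-SID range and reservation rules to one I-SID."""
    if not lowest <= isid <= 0xFFFFFF:
        return [f"{subject}: I-SID {isid} is outside {lowest}-16777215"]
    if isid == RESERVED_ISID:
        return [f"{subject}: I-SID {isid} is reserved for the virtual B-MAC"]
    if isid >= DYNAMIC_ISID_START:
        return [f"{subject}: I-SID {isid} is in the dynamic allocation range"]
    return []


def lint_plan(cvlans, tunis, names=None, scaling_flags=False):
    """cvlans: {vlan_id: isid}, tunis: {isid: port spec}, names: {isid: name}.
    Returns a list of findings; an empty list means no rule was violated."""
    findings = []
    for vlan, isid in sorted(cvlans.items()):
        subject = f"C-VLAN {vlan}"
        if not 1 <= vlan <= 4059:
            findings.append(f"{subject}: VLAN ID is outside 1-4059")
        elif scaling_flags and 3500 <= vlan <= 3998:
            findings.append(f"{subject}: VLAN ID is reserved by the boot flags")
        findings += check_isid(isid, subject, lowest=0)
        if isid in tunis:  # a T-UNI cannot share an I-SID with a C-VLAN
            findings.append(f"{subject}: I-SID {isid} is also a T-UNI I-SID")
    owner = {}  # (slot, port) -> first T-UNI I-SID that claimed it
    for isid, spec in sorted(tunis.items()):
        findings += check_isid(isid, f"T-UNI {isid}", lowest=1)
        for port in sorted(expand_ports(spec)):
            if port in owner:  # one port cannot be part of multiple T-UNI I-SIDs
                findings.append(f"port {port[0]}/{port[1]}: in T-UNI I-SIDs "
                                f"{owner[port]} and {isid}")
            else:
                owner[port] = isid
    for isid, name in sorted((names or {}).items()):
        bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
        if not 1 <= len(name) <= 64:
            findings.append(f"I-SID {isid}: name length must be 1-64")
        if bad:
            findings.append(f"I-SID {isid}: name has unsupported {''.join(bad)}")
    return findings


# Constructed plan (not from the guide) with five deliberate violations.
SAMPLE_FINDINGS = lint_plan(
    cvlans={10: 100, 20: 0x00FFFFFF, 30: 300, 3600: 200},
    tunis={3: "1/2-1/4", 4: "1/4,8/11", 300: "1/25"},
    names={100: "Hospital-Server-10", 3: "lab@edge"},
    scaling_flags=True,
)

if __name__ == "__main__":
    print("\n".join(SAMPLE_FINDINGS))
```

Set scaling_flags only for switches on which the vrf-scaling and spbm-config-mode boot configuration flags are enabled.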

View all Configured I-SIDs


Perform this procedure to view all the configured I-SIDs including their types, ports, and MLTs.

About This Task

View all configured I-SIDs (both CVLAN and T-UNI). View also the I-SID types and the ports or MLTs that
are assigned to each I-SID.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View all configured I-SIDs. This command displays both CVLAN and T-UNI based I-SIDs.
show i-sid
3. View all T-UNI (Elan-Transparent) I-SIDs.
show i-sid [elan-transparent]
4. View information for a particular T-UNI I-SID.
show i-sid [<1–16777215>]
5. View all IS-IS SPBM I-SID information by I-SID ID:
show isis spbm i-sid {all|config|discover} [vlan <2-4059>] [id <1–16777215>] [nick-name <x.xx.xx>]

Example

View all configured I-SIDs.


Switch:1(config)#show i-sid
====================================================================================================
Isid Info
====================================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
----------------------------------------------------------------------------------------------------
15999999 ELAN 4048 - - C --- - --- - - Onboarding I-SID
16777001 ELAN N/A - - C --- - --- - - FAN-ISID

c: customer vid u: untagged-traffic


All 2 out of 2 Total Num of i-sids displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense; R: multi-area redist
l: discover by local switch r: discover by remote VIST switch

View T-UNI (ELAN Transparent) I-SIDs.


Switch:1 (config)#show i-sid elan-transparent
=================================================================================
Isid Info
=================================================================================
ISID ISID PORT MLT ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
---------------------------------------------------------------------------------
2 ELAN_TR N/A - - ExtremeServer2
25 ELAN_TR N/A 1/2-1/8,8/11 25 ExtremeServer4

All 1 out of 1 Total Num of elan-tp i-sids displayed

View MLT or port information for a particular T-UNI I-SID.


Switch:1(config)#show i-sid 111

================================================================================
Isid Info
================================================================================

ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
---------------------------------------------------------------------------------
111 ELAN_TR N/A 1/2-1/8,8/11 111 CONFIG ISID-111

View all IS-IS SPBM I-SID information:


Switch# show isis spbm i-sid all
====================================================================================================================================
SPBM ISID INFO
====================================================================================================================================
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME ISID NAME AREA AREA NAME
------------------------------------------------------------------------------------------------------------------------------------
101001 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101001 HOME area-0.00.20
101003 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101003 HOME area-0.00.20
101005 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101005 HOME area-0.00.20
101007 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101007 HOME area-0.00.20
101009 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101009 HOME area-0.00.20
101011 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101011 HOME area-0.00.20

-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries configed: 0
-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries discovered: 6
-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries: 6
-----------------------------------------------------------------------------------------------------------------------------------

View all IS-IS SPBM I-SID information by I-SID ID:


Switch:1#show isis spbm i-sid all id 300

==================================================================================================
SPBM ISID INFO
==================================================================================================
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME ISID NAME AREA AREA NAME
--------------------------------------------------------------------------------------------------
300 7.15.16 20 a425.1b51.9484 config Switch1 ISID-300 HOME area-0.00.20
300 4.01.18 10 b4a9.5a2a.d065 discover Switch2 ISID-300 HOME area-0.00.20

--------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries configured: 1
--------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries discovered: 1
--------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries: 2
--------------------------------------------------------------------------------------------------


Variable Definitions

Note
When SPB is enabled, I-SID IDs 16777216 and greater are reserved for internal I-SID and SPB
multicast.

The following table defines parameters for the show i-sid command.

Variable Value
<1–16777215> Specifies the service interface identifier (I-SID).
elan-transparent Displays only the Elan-Transparent (T-UNI based) I-SIDs.

The following table defines parameters for the show isis spbm i-sid command.

Variable Value
{all|config|discover} • all: displays all I-SID entries
• config: displays configured I-SID entries
• discover: displays discovered I-SID entries

vlan <2-4059> Displays I-SID information for the specified SPBM VLAN.
id <1–16777215> Displays I-SID information for the specified I-SID.
nick-name <x.xx.xx> Displays I-SID information for the specified nickname.

View C-MACs Learned on T-UNI Ports for an I-SID


Perform this procedure to view the I-SID bridge forwarding database.

About This Task

The show i-sid mac-address-entry command displays the C-MACs learned on T-UNI I-SIDs. It
also displays the C-MACs learned on T-UNI I-SIDs for a specific I-SID, MAC address, port or port list or
remote MAC address.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. View C-MACs learned on the T-UNI I-SIDs:
show i-sid mac-address-entry [<1-16777215>] [home] [mac <0x00:0x00:0x00:0x00:0x00:0x00>] [non-local] [port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}] [remote]

Example

View C-MACs learned on all T-UNI I-SIDs.


Switch:1#show i-sid mac-address-entry

========================================================================================================================================
I-SID Fdb Table
========================================================================================================================================
I-SID STATUS MAC-ADDRESS INTERFACE TYPE DEST-MAC BVLAN DEST-SYSNAME AREA-ROLE AREA-NAME
----------------------------------------------------------------------------------------------------------------------------------------
100 learned cc:f9:54:ae:28:81 Port-1/16 LOCAL 00:00:00:00:00:00 0 HOME area-20.0020
4 learned cc:f9:54:ae:2c:18 mlt-6 LOCAL 00:00:00:00:00:00 0 HOME area-20.0020
252 learned cc:f9:54:ae:38:64 Port-1/15 NON-LOCAL 00:13:0a:0c:d3:e0 128 DIST-1B REMOTE area-30.0030

All 3 out of 3 Total Num of i-sid FDB Entries displayed

View C-MACs learned on a specific T-UNI I-SID.


Switch:1#show i-sid mac-address-entry 100

========================================================================================================================================
I-SID Fdb Table
========================================================================================================================================
I-SID STATUS MAC-ADDRESS INTERFACE TYPE DEST-MAC BVLAN DEST-SYSNAME AREA-ROLE AREA-NAME
----------------------------------------------------------------------------------------------------------------------------------------
100 learned cc:f9:54:ae:28:81 Port-1/16 LOCAL 00:00:00:00:00:00 0 HOME area-20.0020

All 1 out of 1 Total Num of i-sid FDB Entries displayed


Switch:1#show i-sid mac-address-entry 252

=======================================================================================================================
I-SID Fdb Table
=======================================================================================================================
I-SID STATUS MAC-ADDRESS INTERFACE TYPE DEST-MAC BVLAN DEST-SYSNAME AREA-ROLE AREA-NAME
-----------------------------------------------------------------------------------------------------------------------
252 learned cc:f9:54:ae:38:64 Port-1/15 NON-LOCAL 00:13:0a:0c:d3:e0 128 DIST-1B REMOTE area-30.0030

All 1 out of 1 Total Num of i-sid FDB Entries displayed

View C-MACs learned on a T-UNI I-SID for a specific MAC address.


Switch:1#show i-sid mac-address-entry mac cc:f9:54:ae:38:64

=======================================================================================================================
I-SID Fdb Table
=======================================================================================================================
I-SID STATUS MAC-ADDRESS INTERFACE TYPE DEST-MAC BVLAN DEST-SYSNAME AREA-ROLE AREA-NAME
-----------------------------------------------------------------------------------------------------------------------
252 learned cc:f9:54:ae:38:64 Port-1/15 NON-LOCAL 00:13:0a:0c:d3:e0 128 DIST-1B REMOTE area-30.0030

All 1 out of 1 Total Num of i-sid FDB Entries displayed

View C-MACs learned on a T-UNI I-SID for a specific port.


Switch:1#show i-sid mac-address-entry port 1/15

========================================================================================================================
I-SID Fdb Table
========================================================================================================================
I-SID STATUS MAC-ADDRESS INTERFACE TYPE DEST-MAC BVLAN DEST-SYSNAME AREA-ROLE AREA-NAME
------------------------------------------------------------------------------------------------------------------------
252 learned cc:f9:54:ae:38:64 Port-1/15 NON-LOCAL 00:13:0a:0c:d3:e0 128 DIST-1B REMOTE area-30.0030

All 1 out of 1 Total Num of i-sid FDB Entries displayed

View C-MACs learned on a T-UNI I-SID as a remote MAC address.


Switch:1#show i-sid mac-address-entry remote

========================================================================================================================
I-SID Fdb Table
========================================================================================================================
I-SID STATUS MAC-ADDRESS INTERFACE TYPE DEST-MAC BVLAN DEST-SYSNAME AREA-ROLE AREA-NAME
------------------------------------------------------------------------------------------------------------------------
252 learned cc:f9:54:ae:38:64 Port-1/15 NON-LOCAL 00:13:0a:0c:d3:e0 128 DIST-1B REMOTE area-30.0030

All 1 out of 1 Total Num of i-sid FDB Entries displayed

View C-MACs learned on a T-UNI I-SID as a home MAC address.


Switch:1#show i-sid mac-address-entry home
==========================================================================================================================
I-SID Fdb Table
==========================================================================================================================
I-SID STATUS MAC-ADDRESS INTERFACE TYPE DEST-MAC BVLAN DEST-SYSNAME AREA-ROLE AREA-NAME
--------------------------------------------------------------------------------------------------------------------------
100 learned cc:f9:54:ae:28:81 Port-1/16 LOCAL 00:00:00:00:00:00 0 HOME area-20.0020

All 1 out of 1 Total Num of i-sid FDB Entries displayed


View C-MACs learned on a T-UNI I-SID as a non-local MAC address.


Switch:1#show i-sid mac-address-entry non-local
===========================================================================================================================================
I-SID Fdb Table
===========================================================================================================================================

I-SID STATUS MAC-ADDRESS INTERFACE TYPE DEST-MAC BVLAN DEST-SYSNAME AREA-ROLE AREA-NAME
--------------------------------------------------------------------------------------------------------------------------
252 learned cc:f9:54:ae:38:64 Port-1/15 NON-LOCAL 00:13:0a:0c:d3:e0 128 DIST-1B REMOTE area-30.0030

All 1 out of 1 Total Num of i-sid FDB Entries displayed

Variable Definitions

The following table defines parameters for the show i-sid mac-address-entry command.

Variable                                                      Value
<1-16777215>                                                  Displays the MAC address learned on the service interface identifier (I-SID).
home                                                          Filters the command output to show only MAC addresses learned in the home area.
mac <0x00:0x00:0x00:0x00:0x00:0x00>                           Displays the I-SID FDB details for the specified MAC address.
non-local                                                     Filters the command output to show only MAC addresses learned from other nodes; not local nodes.
port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}    Displays the MAC address learned on the specified port or port list.
remote                                                        Filters the command output to show only MAC addresses learned in the remote area.
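
The following Python is an added example, not part of the original guide or of any Extreme Networks tooling. It parses captured `show i-sid mac-address-entry` output into records, checks the row count against the "All N out of M" footer, and counts LOCAL and NON-LOCAL C-MACs per I-SID. It assumes whitespace-separated columns and, as in the sample rows above, an empty DEST-SYSNAME for LOCAL entries; the names `parse_fdb` and `summarize` are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows and footer reuse the example output in this section;
# the column spacing and rule line are reconstructed for illustration.
SAMPLE = """\
Switch:1#show i-sid mac-address-entry
I-SID  STATUS   MAC-ADDRESS        INTERFACE  TYPE       DEST-MAC           BVLAN  DEST-SYSNAME  AREA-ROLE  AREA-NAME
--------------------------------------------------------------------------------------------------------------------
100    learned  cc:f9:54:ae:28:81  Port-1/16  LOCAL      00:00:00:00:00:00  0                    HOME       area-20.0020
4      learned  cc:f9:54:ae:2c:18  mlt-6      LOCAL      00:00:00:00:00:00  0                    HOME       area-20.0020
252    learned  cc:f9:54:ae:38:64  Port-1/15  NON-LOCAL  00:13:0a:0c:d3:e0  128    DIST-1B       REMOTE     area-30.0030

All 3 out of 3 Total Num of i-sid FDB Entries displayed
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
FOOTER_RE = re.compile(r"All (\d+) out of (\d+) Total Num of i-sid FDB Entries displayed")


@dataclass(frozen=True)
class FdbEntry:
    isid: int
    status: str
    mac: str
    interface: str
    entry_type: str    # LOCAL or NON-LOCAL
    dest_mac: str
    bvlan: int
    dest_sysname: str  # empty for LOCAL entries in the sample output
    area_role: str
    area_name: str


def parse_fdb(text):
    """Return (entries, shown, total); raise ValueError if the capture is incomplete."""
    entries, shown, total = [], None, None
    for line in text.splitlines():
        footer = FOOTER_RE.search(line)
        if footer:
            shown, total = int(footer.group(1)), int(footer.group(2))
            continue
        tok = line.split()
        # A data row starts with a numeric I-SID and carries a MAC in column 3.
        if len(tok) < 9 or not tok[0].isdigit() or not MAC_RE.match(tok[2]):
            continue
        entries.append(FdbEntry(
            isid=int(tok[0]), status=tok[1], mac=tok[2].lower(), interface=tok[3],
            entry_type=tok[4], dest_mac=tok[5].lower(), bvlan=int(tok[6]),
            # Assumption: whatever sits between BVLAN and the last two columns
            # is DEST-SYSNAME, which is blank for LOCAL rows.
            dest_sysname=" ".join(tok[7:-2]),
            area_role=tok[-2], area_name=tok[-1]))
    if shown is None:
        raise ValueError("footer line missing; capture may be truncated")
    if shown != len(entries):
        raise ValueError(f"footer reports {shown} rows, parsed {len(entries)}")
    return entries, shown, total


def summarize(entries):
    """Per-I-SID count of LOCAL and NON-LOCAL C-MACs."""
    counts = Counter((e.isid, e.entry_type) for e in entries)
    return {isid: {"LOCAL": counts[(isid, "LOCAL")],
                   "NON-LOCAL": counts[(isid, "NON-LOCAL")]}
            for isid in sorted({e.isid for e in entries})}


if __name__ == "__main__":
    parsed, shown, total = parse_fdb(SAMPLE)
    for isid, c in summarize(parsed).items():
        print(f"I-SID {isid}: {c['LOCAL']} local, {c['NON-LOCAL']} non-local")
```
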

Viewing I-SID maximum MAC-limit


Perform this procedure to view the maximum MAC learning limit information for an I-SID.

Important
The command show i-sid limit-fdb-learning is supported only on the VSP 4450
Series.

About This Task

The total MAC learning limit per switch is 32000. MAC learning on an I-SID stops when the maximum limit
is reached.

Procedure
View the maximum MAC learning limit configured for an I-SID:
show i-sid limit-fdb-learning <1-16777215>


Example

View maximum MAC learning limit for all I-SIDs.


Switch:1#show i-sid limit-fdb-learning

=========================================
Isid MAC-Limit Info
=========================================
ISID MAC-LIMIT MAXMAC
ID STATUS COUNT
-----------------------------------------
10 disabled 32000
11 disabled 32000
12 disabled 32000
15 disabled 32000
101 disabled 32000

All 5 out of 5 Total Num of i-sid Info displayed

View maximum MAC learning limit for a specific I-SID.


Switch:1#show i-sid limit-fdb-learning 10

=========================================
Isid MAC-Limit Info
=========================================
ISID MAC-LIMIT MAXMAC
ID STATUS COUNT
-----------------------------------------
10 disabled 32000

All 1 out of 1 Total Num of i-sid Info displayed

Variable definitions

The following table defines parameters for the show i-sid limit-fdb-learning command.

Important
The command show i-sid limit-fdb-learning is supported only on the VSP 4450
Series.

Variable Value
limit-fdb-learning Displays the I-SID-based maximum MAC limit information.
<1–16777215> Displays the service interface identifier (I-SID). The I-SID range is 1 to 16777215.

Configure an SPBM Layer 2 Switched UNI on an MLT


Shortest Path Bridging MAC (SPBM) supports Layer 2 Virtual Service Network (VSN) functionality
where Switched UNIs are bridged over the SPBM core infrastructure.

Switched User Network Interface (S-UNI) allows the association of local endpoints to I-SIDs based on
local port and VLAN together. With Switched UNI, the same VLAN can be used on one port to create an
endpoint to one I-SID, and on another port to create an endpoint to another I-SID.


Before You Begin

• You must configure the required SPBM and IS-IS infrastructure.

About This Task

To configure a Switched UNI on an MLT, you must create a Switched UNI I-SID, and map an MLT to the
Switched UNI I-SID.

Note
When you configure Switched UNI, Spanning tree is disabled on all the Switched UNI ports.

Procedure

1. Enter MLT Interface Configuration mode:


enable

configure terminal

interface mlt <1-512>


2. Enable S-UNI on MLT:
flex-uni enable

Note
You cannot enable Switched UNI on an EAPoL-enabled interface.

3. Configure a Switched UNI Service Instance Identifier (I-SID):


i-sid <1–16777215> [elan]

This command automatically takes you to the Elan I-SID Configuration mode.
4. Add an MLT to a Switched UNI I-SID:
c-vid <c-vid> mlt <1–512>

Note
You can run this command again to map a Switched UNI MLT to multiple I-SIDs.

5. Add untagged traffic to a Switched UNI I-SID:


untagged-traffic mlt <1–512> [bpdu enable]
6. Display the Switched UNI information:
show mlt i-sid

Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#mlt 10
Switch:1(config)#interface mlt 10
Switch:1(config-mlt)#flex-uni enable
Switch:1(config-mlt)#i-sid 100
Switch:1(elan:100)#c-vid 20 mlt 10


Switch:1(elan:100)#untagged-traffic mlt 10 bpdu enable


Switch:1(elan:100)#show mlt i-sid

================================================================================
MLT Isid Info
================================================================================
ISID ISID ISID
MLTID IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU
--------------------------------------------------------------------------------
10 6153 100 N/A 20 ELAN C --- - --- - EXTR
11 6154 100 N/A 11 ELAN C --- - --- - ISID-100
--------------------------------------------------------------------------------

2 out of 2 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

Variable definitions

The following table defines parameters for the i-sid command to configure a Switched UNI.

Variable                                       Value
i-sid <1–16777215> elan                        Creates an Elan based service. The service interface identifier (I-SID) range is 1 to 16777215.
c-vid <c-vid> mlt <mlt-id>                     Specifies the customer VLAN ID. Different hardware platforms support different customer VLAN ID ranges. Use the CLI Help to see the available range for the switch.
untagged-traffic mlt <mlt-id> [bpdu enable]    Adds untagged traffic to the Elan-based service.

Configuring an SPBM Layer 2 Switched UNI on a Port


Shortest Path Bridging MAC (SPBM) supports Layer 2 Virtual Service Network (VSN) functionality
where Switched UNIs are bridged over the SPBM core infrastructure.

Note
EAP and FA can coexist on the same port. EAP and FA can be enabled in any order; however,
EAP must have Flex UNI enabled in order to function on an FA-enabled port. If EAP is
currently enabled, FA can only be enabled if the port is a Flex UNI-enabled port.
VSP 4450 Series, VSP 8600 Series, and XA1400 Series do not support EAP and FA on the
same port.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure.


About This Task

To configure a Switched UNI on a port, you must create a Switched UNI I-SID, and map the port to the
Switched UNI I-SID.

Note
When you configure Switched UNI, Spanning tree is disabled on all the Switched UNI ports.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable Switched UNI on a port:


flex-uni enable

Note
You cannot enable EAP on a Switched UNI (S-UNI) on the VSP 4450 Series, VSP
8600 Series, or XA1400 Series.

3. Configure a Switched UNI Service Instance Identifier (I-SID):


i-sid <1–16777215> [elan]

This command automatically takes you to the Elan I-SID Configuration mode.
4. Add ports to a Switched UNI I-SID:
c-vid <c-vid> port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
5. Add untagged traffic to a Switched UNI I-SID:
untagged-traffic port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} [bpdu enable]
6. Display the Switched UNI information:
show interface gigabitethernet i-sid {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Examples
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitethernet 1/1,1/2
Switch:1(config-if)#flex-uni enable
Switch:1(config-if)#i-sid 100


Switch:1(elan:100)#c-vid 10 port 1/1,1/2


Switch:1(elan:100)#untagged-traffic port 1/1,1/2 bpdu enable

Switch:1#show interface gigabitEthernet i-sid


=======================================================================================
PORT Isid Info
=======================================================================================
ISID ISID ISID MAC
PORTNUM IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU SUNI
----------------------------------------------------------------------------------------
1/1 192 27 N/A 4000 ELAN C --- - --- - ISID-27 FALSE
1/1 192 270 N/A 4001 ELAN C --- - --- - ISID-270 FALSE
1/1 192 309 N/A 309 ELAN C --- - --- - ISID-309 FALSE
1/1 192 401 N/A 401 ELAN C --- - --- - ISID-401 FALSE
1/1 192 1001 N/A 1001 ELAN C --- - --- - ISID-1001 FALSE
1/1 192 1111 N/A 1111 ELAN C --- - --- - ISID-1111 FALSE
1/1 192 1121 N/A 1121 ELAN C --- - --- - ISID-1121 FALSE
1/1 192 1201 N/A 1201 ELAN C --- - --- - ISID-1201 FALSE
1/1 192 2001 N/A 2001 ELAN C --- - --- - ISID-2001 FALSE
1/2 193 38 N/A 4000 ELAN C --- - --- - ISID-38 FALSE
1/2 193 310 N/A 310 ELAN C --- - --- - ISID-310 FALSE
1/2 193 380 N/A 4001 ELAN C --- - --- - ISID-380 FALSE
1/2 193 402 N/A 402 ELAN C --- - --- - ISID-402 FALSE

13 out of 152 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

Variable definitions

The following table defines parameters for the i-sid command to configure a Switched UNI.

Variable                                                                                    Value
i-sid <1–16777215> elan                                                                     Creates an Elan based service. The service interface identifier (I-SID) range is 1 to 16777215.
c-vid <c-vid> port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}                    Specifies the customer VLAN ID. Different hardware platforms support different customer VLAN ID ranges. Use the CLI Help to see the available range for the switch.
untagged-traffic <port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}> [bpdu enable]  Adds untagged traffic to the Elan-based service.
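
Switched UNI ties an endpoint to an I-SID by port and VLAN together, so the same C-VID can map to different I-SIDs on different ports. The following Python is an added example, not part of the original guide, that reads captured `show interface gigabitEthernet i-sid` rows and reports that mapping. It assumes whitespace-separated columns, handles only endpoints with a numeric C-VID, and treats one (port, C-VID) pair mapping to two I-SIDs as an error; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: six rows reused from the example output in this section;
# the column spacing is reconstructed for illustration.
SAMPLE = """\
PORTNUM  IFINDEX  ID    VLANID  C-VID  TYPE  ORIGIN         NAME      BPDU  SUNI
1/1      192      27    N/A     4000   ELAN  C --- - --- -  ISID-27         FALSE
1/1      192      270   N/A     4001   ELAN  C --- - --- -  ISID-270        FALSE
1/1      192      309   N/A     309    ELAN  C --- - --- -  ISID-309        FALSE
1/2      193      38    N/A     4000   ELAN  C --- - --- -  ISID-38         FALSE
1/2      193      310   N/A     310    ELAN  C --- - --- -  ISID-310        FALSE
1/2      193      380   N/A     4001   ELAN  C --- - --- -  ISID-380        FALSE
"""

# PORTNUM, IFINDEX, ISID ID, VLANID, C-VID, ISID TYPE: the leading columns only,
# so the parser does not depend on how ORIGIN and BPDU are rendered.
ROW_RE = re.compile(
    r"^\s*(\d+/\d+(?:/\d+)?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)")

ISID_MIN, ISID_MAX = 1, 16777215  # I-SID range given in this guide


def parse_endpoints(text):
    """Return {(port, c_vid): isid} for every S-UNI endpoint row in the capture."""
    endpoints = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, rule, legend, or a row without a numeric C-VID
        port, _ifindex, isid, _vlan, cvid, _isid_type = m.groups()
        isid, cvid = int(isid), int(cvid)
        if not ISID_MIN <= isid <= ISID_MAX:
            raise ValueError(f"I-SID {isid} outside {ISID_MIN}..{ISID_MAX}")
        # Assumption: a (port, C-VID) endpoint belongs to exactly one I-SID.
        if endpoints.setdefault((port, cvid), isid) != isid:
            raise ValueError(f"{port} c-vid {cvid} maps to more than one I-SID")
    return endpoints


def cvid_reuse(endpoints):
    """C-VIDs present on more than one port, with the I-SID each port maps them to."""
    by_cvid = defaultdict(dict)
    for (port, cvid), isid in endpoints.items():
        by_cvid[cvid][port] = isid
    return {cvid: ports for cvid, ports in by_cvid.items() if len(ports) > 1}


if __name__ == "__main__":
    for cvid, ports in sorted(cvid_reuse(parse_endpoints(SAMPLE)).items()):
        print(f"c-vid {cvid}: " + ", ".join(f"{p} -> I-SID {i}" for p, i in ports.items()))
```
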

View All Configured Switched UNI I-SIDs


Perform this procedure to view all the configured Switched UNI I-SIDs including their types, ports, and
MLTs.

Procedure
1. Enter Privileged EXEC mode:
enable
2. View all configured CVLAN, T-UNI, and S-UNI based I-SIDs:
show i-sid


3. View all S-UNI I-SIDs.


show i-sid [elan]
4. View all MLTs associated with the S-UNI I-SID.
show mlt i-sid [MLT ID <1–512>]
5. View all associated ports on the S-UNI I-SID.
show interface gigabitethernet i-sid {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
6. View all IS-IS SPBM multicast FIB entries.
show isis spbm multicast-fib detail

Examples

View all configured I-SIDs.


Switch:1#show i-sid
===========================================================================================================
Isid Info
===========================================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
-----------------------------------------------------------------------------------------------------------
15999999 ELAN 4048 - - C --- - --- - - Onboarding I-SID
16777001 ELAN N/A - - C --- - --- - - FAN-ISID

c: customer vid u: untagged-traffic

All 2 out of 2 Total Num of i-sids displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense; R: multi-area redist
l: discover by local switch r: discover by remote VIST switch

View all S-UNI I-SIDs.


Switch:1>show i-sid elan

==============================================================================================
Isid Info
==============================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
----------------------------------------------------------------------------------------------
27 ELAN N/A c4000:1/1,2/11 - C --- - --- - ISID-27
38 ELAN N/A c4000:1/2,2/22 - C --- - --- - ISID-38
270 ELAN N/A c4001:1/1,2/11 - C --- - --- - ISID-270
307 ELAN N/A c307:1/5,2/5 - C --- - --- - ISID-307
308 ELAN N/A c308:1/6,2/6 - C --- - --- - ISID-308
309 ELAN N/A c309:1/1,2/1 - C --- - --- - ISID-309
310 ELAN N/A c310:1/2,2/2 - C --- - --- - ISID-310
311 ELAN N/A c311:1/3,2/3 - C --- - --- - ISID-311
312 ELAN N/A c312:1/4,2/4 - C --- - --- - ISID-312
317 ELAN N/A c317:1/7,2/7 - C --- - --- - ISID-317
318 ELAN N/A c318:1/8,2/8 - C --- - --- - ISID-318
319 ELAN N/A c319:1/9,2/9 - C --- - --- - ISID-319
320 ELAN N/A c320:1/10,2/10 - C --- - --- - ISID-320

--More-- (q = quit)

c: customer vid u: untagged-traffic

13 out of 77 Total Num of Elan displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

View all MLTs associated with the S-UNI I-SID.


Switch:1>show mlt i-sid
=====================================================================================
MLT Isid Info
=====================================================================================
ISID ISID ISID
MLTID IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU
-------------------------------------------------------------------------------------
3 6146 3 N/A 33 ELAN C --- - --- - ISID-3
-------------------------------------------------------------------------------------
1 out of 1 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

View all associated ports on the S-UNI I-SID.

Switch:1#show interface gigabitEthernet i-sid


=======================================================================================
PORT Isid Info
=======================================================================================
ISID ISID ISID MAC
PORTNUM IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU SUNI
----------------------------------------------------------------------------------------
1/1 192 27 N/A 4000 ELAN C --- - --- - ISID-27 FALSE
1/1 192 270 N/A 4001 ELAN C --- - --- - ISID-270 FALSE
1/1 192 309 N/A 309 ELAN C --- - --- - ISID-309 FALSE
1/1 192 401 N/A 401 ELAN C --- - --- - ISID-401 FALSE
1/1 192 1001 N/A 1001 ELAN C --- - --- - ISID-1001 FALSE
1/1 192 1111 N/A 1111 ELAN C --- - --- - ISID-1111 FALSE
1/1 192 1121 N/A 1121 ELAN C --- - --- - ISID-1121 FALSE
1/1 192 1201 N/A 1201 ELAN C --- - --- - ISID-1201 FALSE
1/1 192 2001 N/A 2001 ELAN C --- - --- - ISID-2001 FALSE
1/2 193 38 N/A 4000 ELAN C --- - --- - ISID-38 FALSE
1/2 193 310 N/A 310 ELAN C --- - --- - ISID-310 FALSE
1/2 193 380 N/A 4001 ELAN C --- - --- - ISID-380 FALSE
1/2 193 402 N/A 402 ELAN C --- - --- - ISID-402 FALSE

13 out of 152 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

View all IS-IS SPBM multicast FIB entries.


Switch:1#show isis spbm multicast-fib detail
==============================================================================================
SPBM MULTICAST FIB ENTRY DETAIL INFO
==============================================================================================
MCAST DA ISID BVLAN SYSID HOST- OUTGOING- INCOMING CVLAN
NAME INTERFACES INTERFACE
----------------------------------------------------------------------------------------------
03:77:77:00:0b:b8 3000 1001 0000.beb0.0007 BEB-07 MLT-1 1/2 0
c30:1/3
c31:MLT-1
c32:MLT-2
03:77:77:00:0f:a0 4000 1001 0000.beb0.0007 BEB-07 c40:1/3 1/2 400
c41:MLT-1
c42:MLT-2
03:77:77:00:13:92 5010 1001 0000.beb0.0007 BEB-07 c50:1/3 1/2 500
c51:MLT-1
c52:MLT-2
03:88:88:00:0b:b8 3000 1001 0000.beb0.0008 BEB-08 MLT-1 1/2 0
c30:1/3
c31:MLT-1
c32:MLT-2
03:88:88:00:0f:a0 4000 1001 0000.beb0.0008 BEB-08 c40:1/3 1/2 400
c41:MLT-1

-----------------------------------------------------------------------------------------------
Total number of SPBM MULTICAST FIB entries 157
------------------------------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the i-sid command.

Variable                                               Value
elan                                                   Displays only the Elan (S-UNI based) I-SIDs.
MLT ID <1–512>                                         Specifies the MLT associated with the Switched UNI I-SID.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}    Specifies the ports associated with the Switched UNI I-SID.

Display C-VLAN and Switched UNI I-SID Information


Use the following procedure to display C-VLAN and Switched UNI (S-UNI) I-SID information.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display the C-VLAN to I-SID associations:
show vlan i-sid <1-4059>
3. Display I-SID information and Switched UNI to I-SID associations:
show i-sid <1–16777215>
4. Display the IS-IS SPBM multicast-FIB calculation results by I-SID:
show isis spbm i-sid {all|config|discover} [vlan <1-4059>] [id <1–16777215>] [nick-name <x.xx.xx>]
5. Display all Elan I-SIDs:
• show i-sid elan
6. Display I-SID configured on MLT:
• show mlt i-sid
7. Display I-SID configured on port:
• show interfaces gigabitethernet i-sid

Examples
Switch# show isis spbm i-sid all
====================================================================================================================================

SPBM ISID INFO
====================================================================================================================================
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME ISID NAME AREA AREA NAME
------------------------------------------------------------------------------------------------------------------------------------
101001 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101001 HOME area-0.00.20
101003 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101003 HOME area-0.00.20
101005 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101005 HOME area-0.00.20
101007 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101007 HOME area-0.00.20
101009 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101009 HOME area-0.00.20
101011 1.11.16 4051 0200.10ff.fff0 discover area-0.00.10 ISID-101011 HOME area-0.00.20

-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries configed: 0
-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries discovered: 6
-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries: 6
-----------------------------------------------------------------------------------------------------------------------------------

Switch:1>show i-sid elan

==============================================================================================
Isid Info
==============================================================================================
ISID ISID PORT MLT ORIGIN ISID
ID TYPE VLANID INTERFACES INTERFACES NAME
----------------------------------------------------------------------------------------------
27 ELAN N/A c4000:1/1,2/11 - C --- - --- - ISID-27
38 ELAN N/A c4000:1/2,2/22 - C --- - --- - ISID-38
270 ELAN N/A c4001:1/1,2/11 - C --- - --- - ISID-270
307 ELAN N/A c307:1/5,2/5 - C --- - --- - ISID-307
308 ELAN N/A c308:1/6,2/6 - C --- - --- - ISID-308
309 ELAN N/A c309:1/1,2/1 - C --- - --- - ISID-309
310 ELAN N/A c310:1/2,2/2 - C --- - --- - ISID-310
311 ELAN N/A c311:1/3,2/3 - C --- - --- - ISID-311
312 ELAN N/A c312:1/4,2/4 - C --- - --- - ISID-312
317 ELAN N/A c317:1/7,2/7 - C --- - --- - ISID-317
318 ELAN N/A c318:1/8,2/8 - C --- - --- - ISID-318
319 ELAN N/A c319:1/9,2/9 - C --- - --- - ISID-319
320 ELAN N/A c320:1/10,2/10 - C --- - --- - ISID-320

--More-- (q = quit)

c: customer vid u: untagged-traffic

13 out of 77 Total Num of Elan displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch
Switch:1>show mlt i-sid
=====================================================================================
MLT Isid Info
=====================================================================================
ISID ISID ISID
MLTID IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU
-------------------------------------------------------------------------------------
3 6146 3 N/A 33 ELAN C --- - --- - ISID-3
-------------------------------------------------------------------------------------
1 out of 1 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

Switch:1#show interface gigabitEthernet i-sid

=======================================================================================
PORT Isid Info
=======================================================================================
ISID ISID ISID MAC
PORTNUM IFINDEX ID VLANID C-VID TYPE ORIGIN NAME BPDU SUNI
----------------------------------------------------------------------------------------
1/1 192 27 N/A 4000 ELAN C --- - --- - ISID-27 FALSE
1/1 192 270 N/A 4001 ELAN C --- - --- - ISID-270 FALSE
1/1 192 309 N/A 309 ELAN C --- - --- - ISID-309 FALSE
1/1 192 401 N/A 401 ELAN C --- - --- - ISID-401 FALSE
1/1 192 1001 N/A 1001 ELAN C --- - --- - ISID-1001 FALSE
1/1 192 1111 N/A 1111 ELAN C --- - --- - ISID-1111 FALSE
1/1 192 1121 N/A 1121 ELAN C --- - --- - ISID-1121 FALSE
1/1 192 1201 N/A 1201 ELAN C --- - --- - ISID-1201 FALSE
1/1 192 2001 N/A 2001 ELAN C --- - --- - ISID-2001 FALSE
1/2 193 38 N/A 4000 ELAN C --- - --- - ISID-38 FALSE
1/2 193 310 N/A 310 ELAN C --- - --- - ISID-310 FALSE
1/2 193 380 N/A 4001 ELAN C --- - --- - ISID-380 FALSE
1/2 193 402 N/A 402 ELAN C --- - --- - ISID-402 FALSE

13 out of 152 Total Num of i-sid endpoints displayed

ORIGIN Legend:
C: manually configured; D: discovered by FA or EPT
M: FA management; E: discovered by EAP; A: auto-sense
l: discover by local switch r: discover by remote VIST switch

Variable Definitions

The following table defines parameters for the show vlan i-sid commands.

Variable Value
<1-4059> Displays I-SID information for the specified C-VLAN. You can
specify the VLAN ID.

The following table defines parameters for the show i-sid commands.

Variable Value
<1–16777215> Displays I-SID information. You can specify the I-SID ID.

The following table defines parameters for the show isis commands.

Variable Value
spbm i-sid {all|config|discover}
• all: displays all I-SID entries
• config: displays configured I-SID entries
• discover: displays discovered I-SID entries

Layer 2 VSN configuration using EDM


This section provides procedures to configure Layer 2 Virtual Services Networks (VSNs) using
Enterprise Device Manager (EDM).

Configuring SPBM Layer 2 VSN


After you have configured the SPBM infrastructure, you can enable the SPBM Layer 2 Virtual Service
Network (VSN) using the following procedure.

SPBM supports Layer 2 VSN functionality where customer VLANs (C-VLANs) are bridged over the
SPBM core infrastructure.

At the BEBs, customer VLANs (C-VLAN) are mapped to I-SIDs based on the local service provisioning.
Outgoing frames are encapsulated in a MAC-in-MAC header, and then forwarded across the core to
the far-end BEB, which strips off the encapsulation and forwards the frame to the destination network
based on the I-SID-to-C-VLAN provisioning.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the customer VLANs (C-VLANs) and add slots/ports.

Procedure

1. In the navigation pane, expand Configuration > VLAN.


2. Click VLANs.
3. Click the Advanced tab.
4. To map a C-VLAN to a Service instance identifier (I-SID), in the I-sid field, specify the I-SID to
associate with the specified VLAN.
5. Click Apply.

Important
• When a protocol VLAN is created, all ports are added to the VLAN including SPBM
ports. To configure a protocol-based VLAN as a C-VLAN, you must first remove the
SPBM-enabled ports from the protocol based VLAN, and then configure the protocol-
based VLAN as a C-VLAN.
• The switch reserves I-SID 0x00ffffff. The switch uses this I-SID to advertise the virtual
B-MAC in an SMLT dual-homing environment. The platform clears the receive and
transmit bit of this I-SID, therefore I-SID 0x00ffffff cannot be used for any other
service.

Displaying the remote MAC table for a C-VLAN


Use the following procedure to view the remote MAC table for a C-VLAN.

Procedure

1. In the navigation pane, expand Configuration > VLAN.


2. Click VLANs.
3. Click the Remote MAC tab.

Remote MAC field descriptions

Use the data in the following table to use the Remote MAC tab.

Name Description
VlanId Indicates the VLAN ID for this MAC address.
Addr Indicates the customer MAC address for which the bridge has
forwarding and/or filtering information.
DestAddr Indicates the provider MAC address for which the bridge has
forwarding and/or filtering information.
PrimaryBVlanId Indicates the primary B-VLAN ID for this MAC address.
PrimaryDestSysName Indicates the primary system name of the node where the
MAC address entry comes from.
PrimaryPort Either displays the value 0, or indicates the primary port on
which a frame came from.
SecondaryBVlanId Indicates the secondary B-VLAN ID for this MAC address.
SecondaryDestSysName Indicates the secondary system name of the node where the
MAC address entry comes from.
SecondaryPort Either displays the value 0, or indicates the secondary port
on which a frame came from.
SmltRemote Indicates the MAC address entry for the remote vIST peer.
Status Indicates the status of this entry:
• other
• invalid
• learned
• self
• mgmt

Configure UNI
Use the following procedure to configure a Transparent Port UNI or Switched UNI by mapping an I-SID
to a port or MLT and VLAN together.

Note
If you are configuring a T-UNI to terminate on a port or MLT on a switch in a vIST switch
cluster, you must also configure the T-UNI I-SID on the other switch of the vIST switch cluster.
You must configure the T-UNI I-SID on both switches of a vIST pair. It is not necessary to
assign an actual port or MLT to the T-UNI on the second switch.

Before You Begin

You must enable Flex UNI to create a Switched UNI service.

About This Task

You must first create a type of service instance identifier (I-SID) to create the different types of services
available. After you create an I-SID you can add members (ports or MLTs) to the I-SID to create
end-points for the service.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select ISID.
3. Select the Service tab.
4. To create a Transparent Port UNI service:
a. Select Insert.
b. Select elan Transparent in the Type field.
c. Enter the I-SID in the Id field.
5. To create a Switched UNI service:
a. Select Insert.
b. Select elan in the Type field.
c. Enter the I-SID in the Id field.
6. Select Insert.

Service Field Descriptions

Use the data in the following table to use the Service tab.

Name Description
ID Specifies a unique value to identify the service
associated with this entry.
Type Specifies the type of service associated with this
entry.
MacLimitEnable Indicates whether the MAC limit is enabled (true)
or disabled (false).
MaxMacLimit Indicates the maximum learned value of the MAC
address for each service I-SID.
Action Specifies I-SID related actions.
OriginBitMap Specifies the origin of the I-SID.
VnId Identifies the VXLAN service associated with this
I-SID.
Name Specifies the name of the I-SID.

Note:
This field does not apply to all hardware platforms.

Associate a Port and MLT with an I-SID for Elan Transparent


Transparent Port UNI (T-UNI) maps a port or MLT to an I-SID. Transparent Port UNI configures a
transparent port where all traffic is MAC switched on an internal virtual port using the assigned I-SID.
Multiple ports on the same unit and on other Backbone Edge Bridges (BEBs) are switched on a
common I-SID. No VLAN is involved in this process. The T-UNI port is not a member of any VLAN or
STG.

Use the following procedure to associate a port and MLT with an I-SID.

Before You Begin


• You must configure Transparent Port UNI. For more information, see Configuring Transparent UNI.
• You must associate a T-UNI LACP MLT with a VLAN before mapping the LACP MLT to a T-UNI I-SID.

Caution
Ensure that a T-UNI LACP MLT is always associated with a VLAN (even if it is the default
VLAN) before adding it to a T-UNI I-SID. Otherwise, traffic is not forwarded on the T-UNI
LACP MLT.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select ISID.
3. On the Service tab, select a row with the type configured as elanTransparent.
4. Select ELAN.
5. Select port members.
6. Select MLT Ids.
7. Select Apply.

Elan Transparent field descriptions

Use the data in the following table to use the Elan Transparent tab.

Name Description
PortMembers The set of ports that are members of the elanTransparent service type. From the ports
available, you can select single or multiple ports.
MltIds The set of bits that represent the MLT Ids. From the MLTs available, you can select any
or all of the MLTs to be part of the elan transparent I-SID.

Viewing the I-SID forwarding database


View the I-SID forwarding database (FDB).

Note
To view the T-UNI I-SID FDB entries filtered on a port that is part of an MLT, you must specify
the MLT ID in the option for the port.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select ISID.
3. Select the FDB tab.
4. (Optional) Select the Filter button to filter rows based on specific filter criteria.

FDB Field Descriptions

Use data in the following table to use the FDB tab.

Name Description
IsidId Specifies the service interface identifier (I-SID).
Address Specifies the MAC address of the port assigned to the specific I-SID or
C-MAC learned on the particular I-SID.
Status Specifies the learning status of the associated MAC.
Port Specifies the port on which the MAC is learned for the specific I-SID.
PortType Specifies if the MAC address is learned locally or on a network-to-
network interface (NNI) port from a remote destination.
RemoteMacDestAddr Specifies the virtual BMAC address or system-ID of the remote destination.
RemoteMacBVlanId Specifies the B-VLAN ID on which the remote destination was discovered.
RemoteMacDestSysName Specifies the remote destination system name.
Cvid Specifies the customer VLAN ID of the associated Switched UNI port.

Associate a Port and MLT with an I-SID for Elan


Shortest Path Bridging MAC (SPBM) supports Layer 2 Virtual Service Network (VSN) functionality
where Switched UNIs are bridged over the SPBM core infrastructure.

Switched User Network Interface (S-UNI) allows the association of local endpoints to I-SIDs based on
local port and VLAN together. With switched UNI, the same VLAN can be used on one port to create an
endpoint to one I-SID, and on another port to create an endpoint to another I-SID.

Use the following procedure to associate a port and MLT with an I-SID.

About This Task

You must configure Switched UNI.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select ISID.
3. On the Service tab, select a row with the type configured as elan.
4. Select Switched Uni.
5. Select Insert.
6. Enter the VLAN ID in the Cvid field.
7. Select Port or Mlt to update the interface index in the IfIndex field.
8. Select Insert.

Switched Uni field descriptions

Use the data in the following table to use the Switched Uni tab.

Name Description
Isid Displays the I-SID.
Cvid Specifies the customer VLAN identifier.
IfIndex Specifies the interface index of the Elan end point.
Bpdu Enables or disables BPDU forwarding for an untagged end point.
The default is disabled.
OriginBitmap Specifies the origin information of the service
associated with the I-SID Elan end point.
MacBased Shows if the current entry is associated to a MAC-
based Switched User Network Interface (S-UNI).

Viewing the I-SID interface


View the I-SID interface.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select ISID.
3. Select the Interface tab.
Select Filter to filter rows on specific filter criteria.

Interface field descriptions

Use the data in the following table to use the Interface tab.

Name Description
IfIndex Specifies the interface index.
Isid Specifies the service interface identifier (I-SID).
Isid Name Specifies the service interface identifier name.
Vlan Specifies the platform VLAN.
Cvid Specifies the customer VID.
Type Specifies the type of service associated with the
I-SID interface.
OriginBitMap Specifies the origin of the service associated with
the I-SID interface.
Bpdu Specifies the BPDU forward option for the
untagged traffic port.
MacBased Specifies the Switched UNI MAC address.

Modify Global I-SID Name

Note
This procedure does not apply to VSP 8600 Series.

About This Task

Use this procedure to modify the assigned name for the Service Identifier (I-SID).

Note
Product Notice: For XA1400 Series, you can modify a service name for IPv4 static routes and
IPv4 loopback CLIP interfaces only. For information about feature support, see VOSS Feature
Support Matrix.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select ISID.
3. Select Global Name.
4. View the name of the I-SID in the ISID Name field. To modify, double-click the name of the I-SID and
type a new name.
5. Select Apply.

Global Name Field Descriptions

Use the data in the following table to use the Global Name tab.

Name Description
ISID Id Specifies the index number that uniquely identifies the I-SID.
ISID Name Specifies the name of the I-SID, which can be up to 64 characters.
This field is not supported on all hardware platforms.
UsedByType Specifies the I-SIDs that are in use as services. An I-SID can have
one base type or a combination of base types so that multiple
services can use the same I-SID at the same time.

Layer 2 VSN configuration examples


This section provides configuration examples to configure Layer 2 VSNs.

Examples and network illustrations in this document may illustrate only one of the supported platforms.
Unless otherwise noted, the concept illustrated applies to all supported platforms.

Layer 2 VSN Configuration Example


The following figure shows a sample Layer 2 VSN deployment.

Figure 105: Layer 2 VSN


The following sections show the steps required to configure the Layer 2 VSN parameters in this
example. You must first configure basic SPBM and IS-IS infrastructure. For more information, see: SPBM
configuration examples on page 1231.

SwitchC
VLAN CONFIGURATION

vlan create 10 type port-mstprstp 1
vlan members 10 1/1 portmember
vlan i-sid 10 12990010

SwitchD
VLAN CONFIGURATION

vlan create 10 type port-mstprstp 1
vlan members 10 1/1 portmember
vlan i-sid 10 12990010

Verifying Layer 2 VSN operation


The following sections show how to verify the Layer 2 VSN operation in this example.

SwitchC

Switch# show isis spbm i-sid all


====================================================================================================================================
SPBM ISID INFO
====================================================================================================================================
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME ISID NAME AREA AREA NAME
------------------------------------------------------------------------------------------------------------------------------------
101001 1.11.16 4051 0200.10ff.fff0 discover SWITCHD ISID-101001 HOME area-0.00.20
101003 1.11.16 4051 0015.e89f.e3df config SWITCHC ISID-101003 HOME area-0.00.20

-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries configed: 1
-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries discovered: 1
-----------------------------------------------------------------------------------------------------------------------------------
Total number of SPBM ISID entries: 2
-----------------------------------------------------------------------------------------------------------------------------------

SwitchC:1# show isis spbm multicast-fib


================================================================================
SPBM MULTICAST FIB ENTRY INFO
================================================================================
MCAST DA ISID BVLAN SYSID HOST-NAME OUTGOING-INTERFACES
--------------------------------------------------------------------------------
f3:30:14:c6:36:3a 101001 4000 0200.10ff.fff0 SwitchD 1/1
f3:30:13:c6:36:3a 101003 4000 0015.e89f.e3df SwitchC 1/30,1/1

SwitchD
SwitchD:1# show isis spbm i-sid all
======================================================================================================================
SPBM ISID INFO
======================================================================================================================
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME ISID NAME AREA AREA NAME
----------------------------------------------------------------------------------------------------------------------
12990010 f.30.14 4000 0014.0da0.13df config SwitchD ISID-12990010 HOME area-0.00.20
12990010 f.30.13 4000 0015.e89f.e3df discover SwitchC ISID-12990010 HOME area-0.00.20

SwitchD:1# show isis spbm multicast-fib


======================================================================================================================
SPBM MULTICAST FIB ENTRY INFO
======================================================================================================================
MCAST DA ISID BVLAN SYSID HOST-NAME OUTGOING-INTERFACES
----------------------------------------------------------------------------------------------------------------------
f3:30:14:c6:36:3a 12990010 4000 0014.0da0.13df SwitchD MLT-1,1/1
f3:30:13:c6:36:3a 12990010 4000 0015.e89f.e3df SwitchC 1/1

SwitchC — verifying with CFM


SwitchC:1# l2 tracetree 4000 12990010

Please wait for l2tracetree to complete or press any key to abort

l2tracetree to f3:30:13:c6:36:3a, vlan 4000 i-sid 12990010 nickname f.30.13 hops 64


1 SwitchC 00:15:e8:9f:e3:df -> SwitchG 00:0e:62:25:a3:df
2 SwitchG 00:0e:62:25:a3:df -> SwitchD 00:14:0d:a0:13:df

SwitchD — verifying with CFM


SwitchD:1# l2 tracetree 4000 12990010

Please wait for l2tracetree to complete or press any key to abort

l2tracetree to f3:30:14:c6:36:3a, vlan 4000 i-sid 12990010 nickname f.30.14 hops 64


1 SwitchD 00:14:0d:a0:13:df -> SwitchG 00:0e:62:25:a3:df
2 SwitchG 00:0e:62:25:a3:df -> SwitchC 00:15:e8:9f:e3:df

SwitchC — verifying FDB


SwitchC:1# show vlan mac-address-entry 10
================================================================================
Vlan Fdb
================================================================================
VLAN MAC SMLT
ID STATUS ADDRESS INTERFACE REMOTE TUNNEL
--------------------------------------------------------------------------------
10 learned 00:00:00:00:00:01 Port-1/1 false SwitchD
10 learned 00:00:00:00:00:02 Port-1/1 false SwitchD

2 out of 4 entries in all fdb(s) displayed.

SwitchC:1# show vlan remote-mac-table 10


================================================================================
Vlan Remote Mac Table
================================================================================
VLAN STATUS MAC-ADDRESS DEST-MAC BVLAN DEST-SYSNAME PORTS
--------------------------------------------------------------------------------
10 learned 00:00:00:00:00:02 00:14:0d:a0:13:df 0014.0da0.13df SwitchD 1/30
--------------------------------------------------------------------------------
Total number of VLAN Remote MAC entries 1
--------------------------------------------------------------------------------

SwitchD — verifying FDB


SwitchD:1# show vlan mac-address-entry 10
================================================================================
Vlan Fdb
================================================================================
VLAN MAC SMLT
ID STATUS ADDRESS INTERFACE REMOTE TUNNEL
--------------------------------------------------------------------------------
10 learned 00:00:00:00:00:01 Port-1/1 false SwitchC
10 learned 00:00:00:00:00:02 Port-1/1 false SwitchC

2 out of 4 entries in all fdb(s) displayed.

SwitchD:1# show vlan remote-mac-table 10


================================================================================
Vlan Remote Mac Table
================================================================================
VLAN STATUS MAC-ADDRESS DEST-MAC DEST-SYSID DEST-SYSNAME PORTS
--------------------------------------------------------------------------------
10 learned 00:00:00:00:00:01 00:15:e8:9f:e3:df 0015.e89f.e3df SwitchC MLT-1
--------------------------------------------------------------------------------
Total number of VLAN Remote MAC entries 1
--------------------------------------------------------------------------------
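
The control-plane check above can be scripted. The following Python sketch is an added example, not part of the original guide: it parses show isis spbm i-sid all rows in the column order shown above and reports, for each locally configured I-SID, which remote BEBs advertise it and whether any of them is missing from an expected list. The function names, the expected_hosts input and the last two sample rows are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Data rows of 'show isis spbm i-sid all': ISID, SOURCE NAME, VLAN, SYSID,
# TYPE, HOST_NAME, then ISID NAME / AREA / AREA NAME (not needed here).
ROW_RE = re.compile(
    r"^\s*(?P<isid>\d+)\s+(?P<nick>\S+)\s+(?P<bvlan>\d+)\s+"
    r"(?P<sysid>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>config|discover)\s+(?P<host>\S+)",
    re.IGNORECASE,
)

# The first two data rows are the SwitchD output shown in this guide.
# The last two data rows are constructed for this example.
SAMPLE_OUTPUT = """\
ISID SOURCE NAME VLAN SYSID TYPE HOST_NAME ISID NAME AREA AREA NAME
----------------------------------------------------------------------
12990010 f.30.14 4000 0014.0da0.13df config SwitchD ISID-12990010 HOME area-0.00.20
12990010 f.30.13 4000 0015.e89f.e3df discover SwitchC ISID-12990010 HOME area-0.00.20
12990010 f.30.99 4000 0200.0000.0099 discover SwitchX ISID-12990010 HOME area-0.00.20
2011 f.30.14 4000 0014.0da0.13df config SwitchD ISID-2011 HOME area-0.00.20
"""


def parse_isid_table(output):
    """Yield one dict per data row; headers, rules and totals do not match."""
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["isid"] = int(row["isid"])
            row["type"] = row["type"].lower()
            yield row


def audit_isid_table(output, expected_hosts):
    """Summarise each locally configured I-SID.

    expected_hosts: {isid: set of BEB host names allowed to advertise it}
    Returns {isid: {"remote": [...], "unexpected": [...], "has_remote": bool}}.
    """
    local = set()
    remote = defaultdict(list)
    for row in parse_isid_table(output):
        if row["type"] == "config":
            local.add(row["isid"])
        else:
            remote[row["isid"]].append((row["host"], row["sysid"].lower()))

    report = {}
    for isid in sorted(local):
        # Host names are compared case-insensitively.
        allowed = {h.lower() for h in expected_hosts.get(isid, set())}
        hosts = remote.get(isid, [])
        report[isid] = {
            "remote": hosts,
            "unexpected": [(h, s) for h, s in hosts if h.lower() not in allowed],
            "has_remote": bool(hosts),
        }
    return report


if __name__ == "__main__":
    for isid, info in audit_isid_table(SAMPLE_OUTPUT, {12990010: {"SwitchC"}}).items():
        print(isid, info)
```

An I-SID with no remote entry has no far-end endpoint yet, and an unexpected entry is a BEB that has joined the Layer 2 segment without being on the list.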

Layer 2 VSN Example with VLAN ID Translation


The following figure shows a sample Layer 2 VSN deployment where the C-VLAN IDs are different at
each end. You must first configure basic SPBM and IS-IS infrastructure. For more information, see SPBM
configuration examples on page 1231.

Figure 106: Layer 2 VSN with different VLAN IDs


The following sections show the steps required to configure the Layer 2 VSN parameters in this
example.

SwitchC
VLAN CONFIGURATION

vlan create 9 type port 1
vlan members 9 1/1 portmember
vlan i-sid 9 9

SwitchD
VLAN CONFIGURATION

vlan create 19 type port 1
vlan members 19 1/1 portmember
vlan i-sid 19 9
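
The two configuration examples above can be checked before deployment. The following Python sketch is an added example, not part of the original guide: it validates vlan i-sid lines against the VLAN and I-SID limits given in this guide, including the reserved I-SID 0x00ffffff, and groups C-VLANs by I-SID to show which segments each service bridges together. The function names, the finding strings and the SwitchE entries are assumptions constructed for the example.

```python
import re
from collections import defaultdict

RESERVED_ISID = 0x00FFFFFF               # reserved for the virtual B-MAC (SMLT dual-homing)
VLAN_MIN, VLAN_MAX = 1, 4059             # configurable VLAN IDs per the variable definitions
FLAG_RESERVED_VLANS = range(3500, 3999)  # 3500-3998, reserved when the scaling boot flags are on

MAP_RE = re.compile(r"^\s*vlan\s+i-sid\s+(\d+)\s+(\d+)(?:\s+force)?\s*$")

# SwitchC and SwitchD carry the mappings from the two examples in this guide,
# combined into one config per switch. SwitchE is constructed for this example.
SAMPLE = {
    "SwitchC": "vlan i-sid 10 12990010\nvlan i-sid 9 9\n",
    "SwitchD": "vlan i-sid 10 12990010\nvlan i-sid 19 9\n",
    "SwitchE": "vlan i-sid 20 16777215\nvlan i-sid 30 3030\n",
}


def parse_mappings(config_text):
    """Return [(vlan_id, isid), ...] for each 'vlan i-sid <vid> <isid> [force]' line."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(MAP_RE.match, config_text.splitlines()) if m]


def audit(configs, scaling_flags=False):
    """Validate per-switch mappings and group endpoints by I-SID.

    configs: {switch_name: config_text}
    Returns (services, findings): services maps I-SID -> [(switch, vlan)],
    findings is a list of (severity, message) tuples.
    """
    services = defaultdict(list)
    findings = []
    for switch in sorted(configs):
        for vlan, isid in parse_mappings(configs[switch]):
            if not VLAN_MIN <= vlan <= VLAN_MAX:
                findings.append(("error", f"{switch}: VLAN {vlan} is outside {VLAN_MIN}-{VLAN_MAX}"))
            elif scaling_flags and vlan in FLAG_RESERVED_VLANS:
                findings.append(("error", f"{switch}: VLAN {vlan} is reserved with the scaling boot flags"))
            elif isid == RESERVED_ISID:
                findings.append(("error", f"{switch}: VLAN {vlan} uses reserved I-SID 0x00ffffff"))
            elif isid > RESERVED_ISID:
                findings.append(("error", f"{switch}: I-SID {isid} is above 16777215"))
            else:
                services[isid].append((switch, vlan))

    for isid in sorted(services):
        endpoints = services[isid]
        switches = sorted({s for s, _ in endpoints})
        vlans = sorted({v for _, v in endpoints})
        if len(switches) == 1:
            # No far-end BEB in the supplied set: stale or half-provisioned service.
            findings.append(("warn", f"I-SID {isid}: only {switches[0]} has an endpoint in this set"))
        if len(vlans) > 1:
            # VLAN ID translation: legitimate, but worth confirming as intended.
            findings.append(("info", f"I-SID {isid}: bridges different C-VLAN IDs {vlans}"))
    return dict(services), findings


if __name__ == "__main__":
    services, findings = audit(SAMPLE)
    for isid, endpoints in sorted(services.items()):
        print(isid, endpoints)
    for severity, message in findings:
        print(severity.upper(), message)
```

An I-SID reported with different C-VLAN IDs is the VLAN ID translation case shown above; it is listed so that each such mapping can be confirmed as intended.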

Inter-VSN Routing Configuration

Table 109: Inter-VSN Routing product support


Feature Product Release introduced
Inter-VSN routing (IPv4) VSP 4450 Series VSP 4000 4.0
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 4.2.1
VSP 7400 Series VOSS 8.0
VSP 8200 Series VSP 8200 4.0
VSP 8400 Series VOSS 4.2
VSP 8600 Series VSP 8600 6.1
XA1400 Series VOSS 8.0.50
Inter-VSN routing (IPv6) VSP 4450 Series VOSS 4.1
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 4.2.1
VSP 7400 Series VOSS 8.0
VSP 8200 Series VOSS 4.1
VSP 8400 Series VOSS 4.2
VSP 8600 Series VSP 8600 8.0
XA1400 Series Not Supported

Inter-VSN routing configuration fundamentals


This section provides fundamental concepts on Inter-VSN Routing.

Inter-VSN routing
Inter-VSN routing with SPBM allows routing between Layer 2 VLANs with different I-SIDs.

Figure 107: Inter-VSN routing


Inter-VSN routing provides a routing hub for Layer 2 Virtual Services Network edge devices, Layer 3
devices, routers, or hosts connected to the SPBM cloud using the SPBM Layer 2 VSN service. To go
between a routed network, a Layer 2 VSN termination point provides the routing services to hop onto
another Layer 2 VSN, using I-SID.

Note
The Layer 2 VLANs must be in the same VRF. You cannot route traffic between two different
VRFs with Inter-VSN routing.

In this example, the C-VLANs are associated with I-SIDs on the BEBs using SPBM Layer 2 VSN. With
Inter-VSN routing enabled, BCB C can route traffic between VLAN 11 (I-SID 2011) and VLAN 12 (I-SID
2012).

IP interfaces are where the routing instance exists. In this case, on Switch-20.

Note
The switch does not support IP multicast over Fabric Connect routing on inter-VSN routing
interfaces.

Inter-VSN routing configuration using the CLI


This section provides a procedure to configure Inter-VSN routing using the CLI.

Configure SPBM Inter-VSN Routing


Inter-VSN allows you to route between IP networks on Layer 2 VLANs with different I-SIDs. Inter-VSN
routing is typically used only when you have to extend a VLAN as a Layer 2 Virtual Services Network
(VSN) for applications such as vMotion. As a best practice, use IP Shortcuts or Layer 3 VSNs to route
traffic. You must configure both the Backbone Edge Bridges (BEBs) and the Backbone Core Bridge
(BCB).

Note
To enable inter-VSN routing, you must configure the IP interface where the routing instance
exists.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Follow the procedures below on the Backbone Edge Bridges (BEBs) containing the VSNs you want
to route traffic between.
a. Create a customer VLAN (C-VLAN) by port:
vlan create <2-4059> type port-mstprstp <0–63>
b. Add ports in the C-VLAN:
vlan members add <1-4059> {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
c. Map a customer VLAN (C-VLAN) to a Service Instance Identifier (I-SID):
vlan i-sid <1-4059> <0–16777215> [force]

Important
When a protocol VLAN is created, all ports are added to the VLAN including SPBM
ports. To configure a protocol-based VLAN as a C-VLAN, you must first remove the
SPBM-enabled ports from the protocol based VLAN, and then configure the protocol-
based VLAN as a C-VLAN.

3. On the Backbone Core Bridge (BCB), create a VRF and add a VLAN for each VSN:
a. Create a VRF:
ip vrf WORD<1–16> vrfid <1–511>
b. Create a VLAN to associate with each VSN:
vlan create <2-4059> type port-mstprstp <0–63>
c. Enter VLAN Interface Configuration mode:
interface vlan <1-4059>
d. Add a VLAN to the VRF you created in step a:
vrf WORD<1–16>

e. Associate an I-SID with the VLAN:
vlan i-sid <1-4059> <0–16777215> [force]

Important
When a protocol VLAN is created, all ports are added to the VLAN including SPBM
ports. To configure a protocol-based VLAN as a C-VLAN, you must first remove the
SPBM-enabled ports from the protocol based VLAN, and then configure the protocol-
based VLAN as a C-VLAN.
The switch reserves I-SID 0x00ffffff. The switch uses this I-SID to advertise the virtual
B-MAC in an SMLT dual-homing environment. The platform clears the receive and
transmit bit of this I-SID, therefore I-SID 0x00ffffff cannot be used for any other
service.

f. Configure an IP address for the VLAN:
ip address {A.B.C.D/X}
g. Repeat steps b to f for every VLAN you want to route traffic between.

Variable Definitions

The following table defines parameters for the vlan create command.

Variable Value
<2-4059> Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1
is the default VLAN and you cannot create or delete VLAN
ID 1. By default, the system reserves VLAN IDs 4060 to 4094
for internal use. On switches that support the vrf-scaling
and spbm-config-mode boot configuration flags, if you
enable these flags, the system also reserves VLAN IDs 3500
to 3998.
type port-mstprstp <0–63> [color <0–32>] Creates a VLAN by port:
• <0–63> is the STP instance ID.
• color <0–32> is the color of the VLAN.

The following table defines parameters for the vlan members add command.

Variable Value
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs 1 to 4059
are configurable and the system reserves VLAN IDs 4060 to 4094 for internal
use. On switches that support the vrf-scaling and spbm-config-mode boot
configuration flags, if you enable these flags, the system also reserves VLAN IDs
3500 to 3998. VLAN ID 1 is the default VLAN and you cannot create or delete
VLAN ID 1.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the
following formats: a single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the
platform supports channelization and the port is channelized, you must also specify the
sub-port in the format slot/port/sub-port.

The following table defines parameters for the vlan i-sid command.

Variable Value
<1-4059> Specifies the primary VLAN ID.
Specifies the VLAN ID in the range of 1 to 4059. By default,
VLAN IDs 1 to 4059 are configurable and the system reserves
VLAN IDs 4060 to 4094 for internal use. On switches that
support the vrf-scaling and spbm-config-mode boot
configuration flags, if you enable these flags, the system also
reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
VLAN and you cannot create or delete VLAN ID 1.
<0-16777215> Specifies the service instance identifier (I-SID). You cannot
use I-SID 0x00ffffff. The system reserves this I-SID to
advertise the virtual BMAC in an SMLT dual-homing
environment.
This value is the same for the primary and secondary VLANs.
force Specifies that the software must replace the existing VLAN-to-I-SID
mapping, if one exists.

The following table defines parameters for the ip vrf command.

Variable Value
WORD <1–16> Creates the VRF and specifies the name of the VRF instance.
vrfid <1–511> Specifies the VRF instance by number.

The following table defines parameters for the vrf command.

Variable Value
WORD <1–16> Specifies the VRF name. Associates a port to a VRF.

The following table defines parameters for the ip address command.

Variable Value
{A.B.C.D/X} Configures an IP address for the VLAN.
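
Because Inter-VSN routing joins otherwise separate Layer 2 VSNs at Layer 3, it helps to list which I-SIDs a BCB can route between. The following Python sketch is an added example, not part of the original guide: it reads a BCB configuration written with the command forms from the procedure above and groups the routed VSNs by VRF. The VRF name, VLANs 13 and 14, the IP addresses and the function names are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

GLOBAL = "(global)"   # label used here for VLANs that have no 'vrf' command

# Constructed BCB configuration using the command forms from the procedure.
# VLAN 11/I-SID 2011 and VLAN 12/I-SID 2012 follow the Inter-VSN example in
# this guide; the VRF name, VLAN 13, VLAN 14 and all IP addresses are made up.
SAMPLE_BCB = """\
ip vrf blue vrfid 10
vlan create 11 type port-mstprstp 0
vlan create 12 type port-mstprstp 0
vlan create 13 type port-mstprstp 0
vlan create 14 type port-mstprstp 0
interface vlan 11
vrf blue
vlan i-sid 11 2011
ip address 10.0.11.1/24
exit
interface vlan 12
vrf blue
vlan i-sid 12 2012
ip address 10.0.12.1/24
exit
interface vlan 13
vlan i-sid 13 2013
ip address 10.0.13.1/24
exit
interface vlan 14
vrf blue
vlan i-sid 14 2014
exit
"""


def parse_bcb(config_text):
    """Return {vlan: {"vrf", "isid", "ip"}} from a BCB configuration."""
    vlans = defaultdict(lambda: {"vrf": GLOBAL, "isid": None, "ip": None})
    current = None                       # VLAN whose interface context we are in
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface\s+vlan\s+(\d+)", line):
            current = int(m.group(1))
            vlans[current]               # register the VLAN even if nothing follows
        elif line == "exit":
            current = None
        elif m := re.fullmatch(r"vlan\s+i-sid\s+(\d+)\s+(\d+)(?:\s+force)?", line):
            vlans[int(m.group(1))]["isid"] = int(m.group(2))
        elif current is not None and (m := re.fullmatch(r"vrf\s+(\S+)", line)):
            vlans[current]["vrf"] = m.group(1)
        elif current is not None and (m := re.fullmatch(r"ip\s+address\s+(\S+)", line)):
            vlans[current]["ip"] = ipaddress.ip_interface(m.group(1))
    return dict(vlans)


def routing_domains(config_text):
    """Group routed VSNs by VRF; only VSNs in the same VRF can be routed between.

    Returns (domains, unrouted): domains maps VRF -> [(vlan, isid, subnet)],
    unrouted lists (vlan, isid) pairs that have an I-SID but no IP interface.
    """
    domains = defaultdict(list)
    unrouted = []
    for vlan, v in sorted(parse_bcb(config_text).items()):
        if v["isid"] is None:
            continue                     # not a VSN VLAN
        if v["ip"] is None:
            unrouted.append((vlan, v["isid"]))
        else:
            domains[v["vrf"]].append((vlan, v["isid"], str(v["ip"].network)))
    return dict(domains), unrouted


if __name__ == "__main__":
    domains, unrouted = routing_domains(SAMPLE_BCB)
    for vrf, members in domains.items():
        print(vrf, members)
    print("no IP interface:", unrouted)
```

Each VRF group in the result is a set of VSNs that can reach each other through this switch, which is the list to compare against the intended segmentation.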

Inter-VSN routing configuration using EDM


This section provides procedures to configure Inter-VSN routing using Enterprise Device Manager
(EDM).

Configure BEBs for Inter-VSN Routing


Use Inter-VSN routing to route between IP networks on Layer 2 VLANs with different I-SIDs. Inter-VSN
routing is typically used only to extend a VLAN as a Layer 2 Virtual Services Network (VSN) for
applications such as vMotion. Use IP Shortcuts or Layer 3 VSNs to route traffic. You must configure both
the Backbone Edge Bridges (BEBs) and the Backbone Core Bridge (BCB).

Note
To enable inter-VSN routing, you must configure the IP interface where the routing instance
exists.

Before You Begin

You must configure the required SPBM and IS-IS infrastructure.

About This Task

Follow these steps on the BEBs that contain the VSNs you want to route traffic between.

Procedure

1. Create a customer VLAN (C-VLAN) by port and add ports in the C-VLAN:
a. In the navigation pane, expand Configuration > VLAN.
b. Select VLANs.
c. On the Basic tab, select Insert.
d. For Id, type an unused VLAN ID, or use the ID provided.
e. For Name, type the VLAN name, or use the name provided.
f. For Color Identifier, select a color from the list, or use the color provided.
g. For Type, select byPort.
h. For PortMembers, select the ellipsis (...).
i. Select the ports to add as member ports.
The ports that are selected are recessed, while the nonselected ports are not recessed. Port
numbers that are dimmed cannot be selected as VLAN port members.
j. Select OK.
k. Select Insert.
2. Map a C-VLAN to an I-SID:
a. From the same Configuration > VLAN > VLANs navigation path, select the Advanced tab.
b. For Isid, specify the I-SID to associate with the specified VLAN.
The switch reserves I-SID 0x00ffffff. The switch uses this I-SID to advertise the virtual B-MAC in
an SMLT dual-homing environment. The platform clears the receive and transmit bit of this I-SID;
therefore, I-SID 0x00ffffff cannot be used for any other service.
c. Select Apply.

Important
When a protocol VLAN is created, all ports are added to the VLAN, including SPBM
ports. To configure a protocol-based VLAN as a C-VLAN, you must first remove the
SPBM-enabled ports from the protocol-based VLAN, and then configure the
protocol-based VLAN as a C-VLAN.

3. Configure the Backbone Core Bridge (BCB) for Inter-VSN Routing. For more information, see
Configure BCBs for Inter-VSN Routing on page 1322.


Configure BCBs for Inter-VSN Routing


Inter-VSN routing allows you to route between IP networks on Layer 2 VLANs with different I-SIDs. Inter-VSN
routing is typically used only when you have to extend a VLAN as a Layer 2 Virtual Services Network
(VSN) for applications such as vMotion. Use IP Shortcuts to route traffic. You must configure both the
Backbone Edge Bridges (BEBs) and the Backbone Core Bridge (BCB).

Note
To enable inter-VSN routing, you must configure the IP interface where the routing instance
exists.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure.


• You must configure the BEBs that contain the VSNs you want to route traffic between. For more
information, see Configure BEBs for Inter-VSN Routing on page 1320.

About This Task

Follow these steps to configure the BCB for inter-VSN routing.

Procedure

1. On the BCB, create a VRF:


a. In the navigation pane, expand Configuration > VRF.
b. Select VRF.
c. Select Insert.
d. For Id, specify the VRF ID.
e. Name the VRF instance.
f. Configure the other parameters as required.
g. Select Insert.
2. Create a VLAN to associate with each VSN:
a. In the navigation pane, expand Configuration > VLAN.
b. Select VLANs.
c. On the Basic tab, select Insert.
d. For Id, type an unused VLAN ID, or use the ID provided.
e. For Name, type the VLAN name, or use the name provided.
f. For Color Identifier, select a color from the list, or use the color provided.
g. For Type, select byPort.
h. For PortMembers, select the ellipsis (...).
i. Select the ports to add as member ports.
The ports that are selected are recessed, while the nonselected ports are not recessed. Port
numbers that are dimmed cannot be selected as VLAN port members.
j. Select OK.
k. Select Insert.
3. Associate the VLAN with an I-SID:
a. From the same Configuration > VLAN > VLANs navigation path, select the Advanced tab.
b. For Isid, specify the I-SID to associate with the specified VLAN.
c. Select Apply.
4. Configure a circuitless IP interface (CLIP):
a. In the navigation pane, expand Configuration > IP.
b. Select IP.
c. Select the Circuitless IP tab.
d. Select Insert.
e. For Interface, type a CLIP interface number.
f. Provide the IP address.
g. Provide the network mask.
h. Select Insert.

Inter-VSN Routing Configuration Example


The following topics provide a configuration example for Inter-VSN routing.

Examples and network illustrations in this document may illustrate only one of the supported platforms.
Unless otherwise noted, the concept illustrated applies to all supported platforms.

Inter-VSN Routing with SPBM Configuration Example


The following figure shows a sample Inter-VSN deployment.

Figure 108: Inter-VSN routing configuration


The following sections show the steps required to configure the Inter-VSN parameters in this example.
You must first configure basic SPBM and IS-IS infrastructure. For more information, see: SPBM
configuration examples on page 1231.

Note that the IP interfaces are configured where the routing instance exists, namely, on SwitchG.

SwitchC
VLAN CONFIGURATION

vlan create 11 type port-mstprstp 1


vlan members 11 1/2 portmember
vlan i-sid 11 12990011


SwitchG

VRF CONFIGURATION

ip vrf blue vrfid 100

VLAN CONFIGURATION

vlan create 11 type port-mstprstp 1


vlan i-sid 11 12990011
interface Vlan 11
vrf blue
ip address 203.0.113.2 255.255.255.0
exit

VLAN CONFIGURATION

vlan create 12 type port-mstprstp 1


vlan i-sid 12 12990012
interface Vlan 12
vrf blue
ip address 203.0.113.3 255.255.255.0
exit

SwitchD
VLAN CONFIGURATION

vlan create 12 type port-mstprstp 1


vlan members 12 1/2 portmember
vlan i-sid 12 12990012
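
The following added example (not part of the VOSS guide and not Extreme Networks code) audits the SwitchC, SwitchG, and SwitchD configuration above against the VLAN ID and I-SID rules stated in the parameter table and the EDM procedure, and reports which I-SIDs a switch routes between. The function names, the "GRT" label for interfaces without a VRF, and the treatment of an I-SID found on only one audited switch as a finding are assumptions of this example.

```python
import re
from collections import defaultdict

RESERVED_ISID = 0x00FFFFFF            # reserved: advertises the virtual B-MAC (SMLT)
MAX_ISID = 16777215                   # upper bound of the <0-16777215> parameter
SCALING_RESERVED = range(3500, 3999)  # reserved when vrf-scaling/spbm-config-mode are on

# Constructed sample input: the SwitchC, SwitchG and SwitchD configuration above.
CONFIGS = {
    "SwitchC": """
vlan create 11 type port-mstprstp 1
vlan members 11 1/2 portmember
vlan i-sid 11 12990011
""",
    "SwitchG": """
ip vrf blue vrfid 100
vlan create 11 type port-mstprstp 1
vlan i-sid 11 12990011
interface Vlan 11
vrf blue
ip address 203.0.113.2 255.255.255.0
exit
vlan create 12 type port-mstprstp 1
vlan i-sid 12 12990012
interface Vlan 12
vrf blue
ip address 203.0.113.3 255.255.255.0
exit
""",
    "SwitchD": """
vlan create 12 type port-mstprstp 1
vlan members 12 1/2 portmember
vlan i-sid 12 12990012
""",
}


def parse_config(text):
    """Return ({vlan_id: settings}, {vrf names}) for one switch configuration."""
    vlans, vrfs, current = {}, set(), None
    def vlan(vid):
        return vlans.setdefault(int(vid), {"created": False, "isid": None, "vrf": None, "ip": None})
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"vlan create (\d+) type \S+.*", line):
            vlan(m[1])["created"] = True
        elif m := re.fullmatch(r"vlan i-sid (\d+) (\d+)(?: force)?", line):
            vlan(m[1])["isid"] = int(m[2])
        elif m := re.fullmatch(r"ip vrf (\S+)(?: vrfid \d+)?", line):
            vrfs.add(m[1])
        elif m := re.fullmatch(r"interface vlan (\d+)", line, re.IGNORECASE):
            current = vlan(m[1])          # following lines apply to this VLAN interface
        elif line == "exit":
            current = None
        elif current is not None and (m := re.fullmatch(r"vrf (\S+)", line)):
            current["vrf"] = m[1]
        elif current is not None and (m := re.fullmatch(r"ip address (\S+)(?: \S+)?", line)):
            current["ip"] = m[1]
    return vlans, vrfs


def audit(configs, scaling_flags=False):
    """Check every switch against the VLAN and I-SID rules; return a list of findings."""
    findings, sites = [], defaultdict(set)
    for switch, text in configs.items():
        vlans, vrfs = parse_config(text)
        for vid, v in sorted(vlans.items()):
            if v["created"] and not 2 <= vid <= 4059:
                findings.append(f"{switch}: VLAN {vid} is outside the creatable range 2-4059")
            elif v["created"] and scaling_flags and vid in SCALING_RESERVED:
                findings.append(f"{switch}: VLAN {vid} is reserved when the scaling flags are set")
            if v["isid"] is not None:
                sites[v["isid"]].add(switch)
                if v["isid"] == RESERVED_ISID or v["isid"] > MAX_ISID:
                    findings.append(f"{switch}: VLAN {vid} maps to reserved or invalid I-SID {v['isid']}")
            if v["vrf"] and v["vrf"] not in vrfs:
                findings.append(f"{switch}: VLAN {vid} is bound to VRF {v['vrf']}, which is not created")
    for isid, where in sorted(sites.items()):
        if len(where) == 1:   # assumption: a service with no peer in the audited set is suspect
            findings.append(f"I-SID {isid} is configured only on {min(where)}")
    return findings


def routed_together(configs):
    """Map (switch, VRF) to the I-SIDs joined by Inter-VSN routing in that VRF."""
    domains = defaultdict(list)
    for switch, text in configs.items():
        vlans, _ = parse_config(text)
        for _vid, v in sorted(vlans.items()):
            if v["ip"] and v["isid"] is not None:
                domains[(switch, v["vrf"] or "GRT")].append(v["isid"])
    return {key: isids for key, isids in domains.items() if len(isids) > 1}


if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print("FINDING", finding)
    for (switch, vrf), isids in routed_together(CONFIGS).items():
        print(f"{switch} routes between I-SIDs {isids} in VRF {vrf}")
```

Run against the example, the audit returns no findings and reports that only SwitchG joins I-SIDs 12990011 and 12990012, which matches the statement that the IP interfaces exist only where the routing instance exists.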

Verifying Inter-VSN Routing operation


The following sections show how to verify Inter-VSN Routing operation in this example.

SwitchG
SwitchG:1# show ip route vrf blue
================================================================================
IP Route - VRF blue
================================================================================
NH INTER
DST MASK NEXT VRF COST FACE PROT AGE TYPE PRF
--------------------------------------------------------------------------------
203.0.113.0 255.255.255.0 203.0.113.2 - 1 11 LOC 0 DB 0
203.0.113.1 255.255.255.0 203.0.113.3 - 1 12 LOC 0 DB 0

SwitchG:1# show ip arp vrf blue


================================================================================
IP Arp - VRF blue
================================================================================
IP_ADDRESS MAC_ADDRESS VLAN PORT TYPE TTL(10 Sec) TUNNEL
--------------------------------------------------------------------------------
203.0.113.2 00:0e:62:25:a2:00 11 - LOCAL 2160
203.0.113.255 ff:ff:ff:ff:ff:ff 11 - LOCAL 2160
203.0.113.3 00:0e:62:25:a2:01 12 - LOCAL 2160
203.0.113.255 ff:ff:ff:ff:ff:ff 12 - LOCAL 2160

================================================================================
IP Arp Extn - VRF blue
================================================================================


MULTICAST-MAC-FLOODING AGING(Minutes) ARP-THRESHOLD


--------------------------------------------------------------------------------
disable 360 500

4 out of 50 ARP entries displayed

SwitchG
SwitchG:1# show vlan mac-address-entry 11
================================================================================
Vlan Fdb
================================================================================
VLAN MAC SMLT
ID STATUS ADDRESS INTERFACE REMOTE TUNNEL
--------------------------------------------------------------------------------
11 learned 00:00:00:00:01:02 Port-1/2 false SwitchC
11 self 00:0e:62:25:a2:00 Port-cpp false -

2 out of 4 entries in all fdb(s) displayed.

SwitchG:1# show vlan mac-address-entry 12


================================================================================
Vlan Fdb
================================================================================
VLAN MAC SMLT
ID STATUS ADDRESS INTERFACE REMOTE TUNNEL
--------------------------------------------------------------------------------
12 learned 00:00:00:00:02:02 Port-1/2 false SwitchD
12 self 00:0e:62:25:a2:01 Port-cpp false -

2 out of 4 entries in all fdb(s) displayed.

SwitchC
SwitchC:1# show vlan mac-address-entry 11
================================================================================
Vlan Fdb
================================================================================
VLAN MAC SMLT
ID STATUS ADDRESS INTERFACE REMOTE TUNNEL
--------------------------------------------------------------------------------
11 learned 00:00:00:00:01:02 Port-1/2 false SwitchD
11 learned 00:0e:62:25:a2:00 Port-1/2 false SwitchD

2 out of 2 entries in all fdb(s) displayed.

SwitchD
SwitchD:1# show vlan mac-address-entry 12
================================================================================
Vlan Fdb
================================================================================
VLAN MAC SMLT
ID STATUS ADDRESS INTERFACE REMOTE TUNNEL
--------------------------------------------------------------------------------
12 learned 00:00:00:00:02:02 Port-1/2 false SwitchC
12 learned 00:0e:62:25:a2:01 Port-1/2 false SwitchC

2 out of 2 entries in all fdb(s) displayed.


SPBM Reference Architectures


SPBM has a straightforward architecture that simply forwards encapsulated C-MACs across the
backbone. Because the B-MAC header stays the same across the network, there is no need to swap
a label or perform a route lookup at each node. This architecture allows the frame to follow the most
efficient forwarding path from end to end.

The following reference architectures illustrate SPBM with multiple switches in a network.

For information about solution-specific architectures like Video Surveillance or Data Center
implementation using the switch, see Solution-Specific Reference Architectures on page 1335.

The following figure shows the MAC-in-MAC SPBM domain with BEBs on the boundary and BCBs in the
core.

The following figure illustrates an existing edge that connects to an SPBM core.

The boundary between the MAC-in-MAC SPBM domain and the 802.1Q domain is handled by the BEBs.
At the BEBs, VLANs or VRFs are mapped into I-SIDs based on the local service provisioning. Services
(whether Layer 2 or Layer 3 VSNs) only need to be configured at the edge of the SPBM backbone (on
the BEBs). There is no provisioning needed on the core SPBM nodes.

Provisioning an SPBM core is as simple as enabling SPBM and IS-IS globally on all the nodes and on the
core-facing links. Migrating an existing edge configuration into an SPBM network is just as simple.

Figure 109: SPBM basic architecture


Figure 110: Access to the SPBM Core


All BEBs that have the same I-SID configured can participate in the same VSN. That completes the
configuration part of the migration and all the traffic flows return to normal operation.

For Layer 3 virtualized routing (Layer 3 VSN), map IPv4-enabled VLANs to VRFs, create an IP VPN
instance on the VRF, assign an I-SID to the VRF, and then configure the desired IP redistribution of IP
routes into IS-IS.

For Layer 2 virtualized bridging (Layer 2 VSN), identify all the VLANs that you want to migrate into
SPBM and assign them to an I-SID on the BEB.

Campus Architecture

For migration purposes, you can add SPBM to an existing network that has SMLT configured. In fact,
if there are other protocols already running in the network, such as Open Shortest Path First (OSPF),
you can leave them in place too. SPBM uses IS-IS, and operates independently from other protocols.
However, as a best practice, eliminate SMLT in the core and eliminate other unnecessary protocols. This
reduces the complexity of the network and makes it much simpler to maintain and troubleshoot.

Whether or not you configure SMLT in the core, the main point to remember is that SPBM separates services
from the infrastructure. For example, in a large campus, a user may need access to other sites or
data centers. With SPBM you can grant that access by associating the user to a specific I-SID. With
this mechanism, the user can work without getting access to confidential information of another
department.


The following figure depicts a topology where the BEBs in the edge and data center distribution nodes
are configured in SMLT clusters. Prior to implementing SPBM, the core nodes would also have been
configured as SMLT clusters. When migrating SPBM onto this network design, it is important to note
that you can deploy SPBM over the existing SMLT topology without network interruption. After the
SPBM infrastructure is in place, you can create VSN services over SPBM or migrate them from the
previous end-to-end SMLT-based design.

Figure 111: SPBM campus without SMLT


After you migrate all services to SPBM, the customer VLANs (C-VLANs) will exist only on the BEB SMLT
clusters at the edge of the SPBM network. The C-VLANs will be assigned to an I-SID instance and then
associated with either a VLAN in a Layer 2 VSN or terminated into a VRF in a Layer 3 VSN. You can
also terminate the C-VLAN into the default router, which uses IP shortcuts to IP route over the SPBM
core.

In an SPBM network design, the only nodes where it makes sense to have an SMLT cluster configuration
are the BEB nodes where VSN services terminate. These are the SPBM nodes where C-VLANs exist
and these C-VLANs need to be redundantly extended to non-SPBM devices such as Layer 2 edge
stackable switches. On the BCB core nodes where no VSNs are terminated and no Layer 2 edge
stackables are connected, there is no longer any use for the SMLT clustering functionality. Therefore, in
the depicted SPBM design, the SMLT/vIST configuration can be removed from the core nodes because
they now act as pure BCBs that simply transport VSN traffic and the only control plane protocol they
need to run is IS-IS.


Because SMLT BEB nodes exist in this design (the edge BEBs) and it is desirable to use equal cost paths
to load balance VSN traffic across the SPBM core, all SPBM nodes in the network are configured with
the same two B-VIDs.

Where the above figure shows the physical topology, the following two figures illustrate a logical
rendition of the same topology. In both of the following figures, you can see that the core is almost
identical. Because the SPBM core just serves as a transport mechanism that transmits traffic to the
destination BEB, all the provisioning is performed at the edge.

In the data center, VLANs are attached to Inter-VSNs that transmit the traffic across the SPBM core
between the data center on the left and the data center on the right. A common application of this
service is vMotion moving VMs from one data center to another.

The following figure uses IP shortcuts that route VLANs. There is no I-SID configuration and no Layer 3
virtualization between the edge distribution and the core. This is normal IP forwarding to the BEB.

Figure 112: IP shortcut scenario to move traffic between data centers


The following figure uses Layer 3 VSNs to route VRFs between the edge distribution and the core. The
VRFs are attached to I-SIDs and use Layer 3 virtualization.


Figure 113: VRF scenario to move traffic between data centers

Large data center architecture


SPBM supports data centers with IP shortcuts, Layer 2 VSNs, or Layer 3 VSNs. If you use vMotion, you
must use Layer 2 between data centers (Layer 2 VSN). With Layer 2 VSNs, you can add IP addresses to
the VLAN on both data centers and run Virtual Router Redundancy Protocol (VRRP) between them to
allow the ESX server to route to the rest of the network.

The following figure shows an SPBM topology of a large data center. This figure represents a full-mesh
data center fabric using SPBM for storage over Ethernet. This topology is optimized for storage
transport because traffic never travels more than two hops.

Note
As a best practice, use a two-tier, full-mesh topology for large data centers.


Figure 114: SPBM data center—full mesh

Traditional data center routing of VMs


In a traditional data center configuration, the traffic flows into the network to a VM and out of the
network in almost a direct path.

The following figure shows an example of a traditional data center with VRRP configured. Because end
stations are often configured with a static default gateway IP address, a loss of the default gateway
router causes a loss of connectivity to the remote networks. VRRP eliminates the single point of failure
that can occur when the single static default gateway router for an end station is lost.


Figure 115: Traditional routing before moving VMs


A VM is a virtual server. When you move a VM, the virtual server is moved as is. This action means that
the IP addresses of that server remain the same after the server is moved from one data center to the
other. This in turn dictates that the same IP subnet (and hence VLAN) exist in both data centers.

In the following figure, the VM moved from the data center on the left to the data center on the right.
To ensure a seamless transition that is transparent to the user, the VM retains its network connections
through the default gateway. This method works, but it adds more hops to all traffic. As you can see in
the figure, one VM move results in a complicated traffic path. Multiply this by many moves and soon
the network looks like a tangled mess that is very inefficient, difficult to maintain, and almost impossible
to troubleshoot.


Figure 116: Traditional routing after moving VMs

Optimized data center routing of VMs


Two features make a data center optimized:
• VLAN routers in the Layer 2 domain (green icons)
• VRRP BackupMaster

The VLAN routers use lookup tables to determine the best path to route incoming traffic (red dots) to
the destination VM.

VRRP BackupMaster solves the problem of traffic congestion on the vIST. Because there can be only
one VRRP Master, all other interfaces are in backup mode. In this case, all traffic is forwarded over
the vIST link towards the primary VRRP switch. All traffic that arrives at the VRRP backup interface is
forwarded, so there is not enough bandwidth on the vIST link to carry all the aggregated riser traffic.
VRRP BackupMaster overcomes this issue by ensuring that the vIST trunk is not used in such a case
for primary data forwarding. The VRRP BackupMaster acts as an IP router for packets destined for the
logical VRRP IP address. All traffic is directly routed to the destination subnetwork and not through Layer
2 switches to the VRRP Master. This avoids a potential limitation in the available vIST bandwidth.

The following figure shows a solution that optimizes your network for bidirectional traffic flows.
However, this solution turns two SPBM BCB nodes into BEBs where MAC and ARP learning will be
enabled on the Inter-VSN routing interfaces. If you do not care about top-down traffic flows, you
can omit the Inter-VSN routing interfaces on the SPBM BCB nodes. This makes the IP routed paths
top-down less optimal, but the BCBs remain pure BCBs, thus simplifying core switch configurations.


Figure 117: Optimized routing before moving VMs


In the traditional data center, chaos resulted after many VMs were moved. In an optimized data center
as shown in the following figure, the incoming traffic enters the Layer 2 domain where an edge switch
uses Inter-VSN routing to attach an I-SID to a VLAN. The I-SID bridges traffic directly to the destination.
With VRRP BackupMaster, the traffic no longer goes through the default gateway; it takes the most
direct route in and out of the network.


Figure 118: Optimized routing after moving VMs

Solution-Specific Reference Architectures


The following sections describe solution-specific reference architectures, such as Video
Surveillance or Data Center implementations, using the VSP 4450 Series.

Multi-tenant — fabric connect


This fabric connect-based solution leverages the fabric capabilities of the VSP platforms: a VSP 7000
core and a VSP 4450 Series edge. This solution provides the ability to run, by default, up to 24 VRFs for
each wiring closet and is well suited for multi-tenant applications. The zero-touch core is enabled by the
fabric connect endpoint provisioning capabilities.

Note
You can increase VRF scaling to run more than 24 VRFs. The maximum number of supported
VRFs and Layer 3 VSNs differs depending on the hardware platform. For more information
about maximum scaling numbers, see VOSS Release Notes.

If this solution must support IPv6, then a central router-pair routes all IPv6 traffic. The IPv6 traffic is
tunneled from each wiring closet to the IPv6 routers by extending Layer 2 VSNs to the q-tagged router
interfaces.


Figure 119: Small core — multi-tenant


The following list outlines the benefits of the fabric connect-based solution:
• Endpoint provisioning
• Fast failover
• Simple to configure
• Layer 2 and Layer 3 virtualized

Hosted data center management solution — E-Tree


In some hosted data center solutions, the hosting center operating company takes responsibility for
managing customer servers. For this shared management, shown in the following figure, servers that
control the operating system level of the production servers, such as the patch level, are deployed.
Because customer production servers do not communicate with each other, a distributed private VLAN
solution based on fabric connect is deployed to manage all production servers. This solution builds a
distributed set of E-Trees for each management domain.

The VSP switches, used as access switches, provide an elegant network-wide E-Tree solution. Spokes, or managed
servers, cannot communicate with each other over this network, but the shared management servers on
the hub ports can access all spokes. Because of the Layer 2 – E-Tree nature of this setup, the managed
servers do not require any route entries, and only require one IP interface in this management private
VLAN. This solution supports tagged and untagged physical and virtual (VM) servers.


Figure 120: Data center hosting private VLAN


The following list outlines the benefits of the hosted data center management solution:
• Easy endpoint provisioning
• Optimal resiliency
• Secure tenant separation

Video surveillance — bridged


In a video surveillance solution, optimal traffic forwarding is a key requirement to ensure proper
operation of the camera and recorder solutions. However, signaling is also important to ensure quick
channel switching. This is achieved by deploying a fabric connect based IP multicast infrastructure that
is optimized for multicast transport, so that the cameras can be selected quickly, and so that there is no
unnecessary traffic sent across the backbone.


Figure 121: Deployment scenario — bridged video surveillance and IP camera deployment for
transportation, airports, and government

The following list outlines the benefits of the bridged video surveillance solution:
• Easy endpoint provisioning
• Sub-second resiliency and multicast forwarding
• Secure tenant separation
• Quick camera switching

Video surveillance — routed


In a video surveillance solution, optimal traffic forwarding is a key requirement to ensure proper
operation of the camera and recorder solutions. However, signaling is also important to ensure quick
channel switching. This is achieved by deploying an IP multicast infrastructure that is optimized for
multicast transport, so that the cameras can be selected quickly, and so that there is no unnecessary
traffic sent across the backbone. In the topology shown in the following figure, each camera is attached
to its own IP subnet. In a larger topology, this can reduce network overhead. To increase network
scalability, you can attach a set of cameras to a Layer 2 switch that has IGMP, and then connect the
cameras to the fabric edge (BEB) which has a routing instance.

In many customer scenarios, surveillance must be separated from the rest of the infrastructure. This
can be achieved by deploying a Layer 3 VSN for the surveillance traffic to keep the surveillance traffic
isolated from any other tenant.


Figure 122: Deployment scenario — Routed video surveillance and IP camera deployment for
transportation, airports, and government

The following list outlines the benefits of the routed video surveillance solution:
• Easy endpoint provisioning
• Optimal resiliency and multicast forwarding
• Secure tenant separation
• Rapid channel/camera switching

Metro-Ethernet Provider solution


VOSS switches provide an end-to-end Metro-Ethernet Provider solution. Leveraging fabric connect
throughout the infrastructure enables a scalable and flexible wholesale provider infrastructure.

This use case extends the Transparent Port UNI functionality to transparently forward any customer
VLAN across the services.


Figure 123: Metro ring access solution


The following list outlines the benefits of the Metro-Ethernet Provider solution:
• Easy endpoint provisioning
• Optimal resiliency
• Secure tenant separation



Fabric Layer 3 Services
IP Shortcuts Configuration
Layer 3 VSN Configuration
Layer 3 Video Surveillance

IP Shortcuts Configuration

Table 110: IP Shortcuts product support

Feature                              Product          Release introduced
IP Shortcut routing including ECMP   VSP 4450 Series  VSP 4000 4.0
                                     VSP 4900 Series  VOSS 8.1
                                     VSP 7200 Series  VOSS 4.2.1
                                     VSP 7400 Series  VOSS 8.0
                                     VSP 8200 Series  VSP 8200 4.0
                                     VSP 8400 Series  VOSS 4.2
                                     VSP 8600 Series  VSP 8600 6.1
                                     XA1400 Series    VOSS 8.0.50
IPv6 Shortcut routing                VSP 4450 Series  VOSS 4.1
                                     VSP 4900 Series  VOSS 8.1
                                     VSP 7200 Series  VOSS 4.2.1
                                     VSP 7400 Series  VOSS 8.0
                                     VSP 8200 Series  VOSS 4.1
                                     VSP 8400 Series  VOSS 4.2
                                     VSP 8600 Series  VSP 8600 8.0
                                     XA1400 Series    Not Supported
IPv4 IS-IS accept policies           VSP 4450 Series  VOSS 4.1
                                     VSP 4900 Series  VOSS 8.1
                                     VSP 7200 Series  VOSS 4.2.1
                                     VSP 7400 Series  VOSS 8.0
                                     VSP 8200 Series  VOSS 4.1
                                     VSP 8400 Series  VOSS 4.2
                                     VSP 8600 Series  VSP 8600 6.1
                                     XA1400 Series    VOSS 8.0.50
IPv6 IS-IS accept policies           VSP 4450 Series  VOSS 8.0
                                     VSP 4900 Series  VOSS 8.1
                                     VSP 7200 Series  VOSS 8.0
                                     VSP 7400 Series  VOSS 8.0
                                     VSP 8200 Series  VOSS 8.0
                                     VSP 8400 Series  VOSS 8.0
                                     VSP 8600 Series  VSP 8600 8.0
                                     XA1400 Series    Not Supported

IP Shortcuts configuration fundamentals


This section provides fundamental concepts for IP Shortcuts.

Fabric Connect supports both IPv4 Shortcuts and IPv6 Shortcuts. Because IPv6 Shortcuts depend
on IPv4 Shortcuts, you should understand how IPv4 Shortcuts work (see SPBM IP shortcuts) before
jumping to the IPv6 section.

SPBM IP Shortcuts
In addition to Layer 2 virtualization, the SPBM model is extended to also support Routed SPBM,
otherwise called SPBM IP Shortcuts.

Unlike Layer 2 VSN, with SPBM IP shortcuts, no I-SID configuration is required. Instead, SPBM nodes
propagate Layer 3 reachability as “leaf” information in the IS-IS LSPs using Extended IP reachability
TLVs (TLV 135), which contain routing information such as neighbors and locally configured subnets.
SPBM nodes receiving the reachability information can use this information to populate the routes to
the announcing nodes. All TLVs announced in the IS-IS LSPs are grafted onto the shortest path tree
(SPT) as leaf nodes.

The following figure shows a network running SPBM IP shortcuts.


Figure 124: SPBM IP Shortcuts


In this example, BEB A receives a packet with a destination IP address in the subnet of VLAN 14 and
knows to forward the packet to BEB D based on the IP route propagation within IS-IS. After a route
lookup, BEB A knows that BEB D is the destination for the subnet and constructs a new B-MAC header
with destination B-MAC: D. BCBs B and C need only perform normal Ethernet switching to forward the
packet to BEB D. A route lookup is only required once, at the source BEB, to identify BEB D as the node
that is closest to the destination subnet.

In contrast to IP routing or Multiprotocol Label Switching (MPLS), SPBM IP shortcuts provide a simpler
method of forwarding IP packets in an Ethernet network using the preestablished Ethernet FIBs on the
BEBs. SPBM allows a network to make the best use of routing and forwarding techniques, where only
the BEBs perform an IP route lookup and all other nodes perform standard Ethernet switching based
on the existing SPT. This allows for end to end IP-over-Ethernet forwarding without the need for ARP,
flooding, or reverse learning.

In the above example, the SPBM nodes in the core that are not enabled with IP shortcuts can be
involved in the forwarding of IP traffic. Since SPBM nodes only forward on the MAC addresses that
comprise the B-MAC header, and since unknown TLVs in IS-IS are relayed to the next hop but ignored
locally, SPBM nodes need not be aware of IP subnets to forward IP traffic.

With IP shortcuts, there is only one IP routing hop, as the SPBM backbone acts as a virtualized switching
backplane.

The following figure shows a sample campus network implementing SPBM IP shortcuts.


Figure 125: SPBM IP shortcuts in a campus


To enable IP shortcuts on the BEBs, you can configure a circuitless IP address (loopback address) and
specify this address as the IS-IS source address. This source address is automatically advertised into
IS-IS using TLV 135.

In addition, to advertise routes from the BEBs into the SPBM network, you must enable route
redistribution of direct, static, OSPF, RIP, or BGP routes into IS-IS. To advertise IPv6 routes from the
BEBs into the SPBM network, you must enable route redistribution of IPv6 direct, IPv6 static, and
OSPFv3 routes into IS-IS.

SPBM IPv6 Shortcuts


Both IPv4 and IPv6 Shortcuts use IS-IS as the Interior Gateway Protocol (IGP) and the link state packet
(LSP) for reachability information. However, IPv4 Shortcuts use TLV 135 and IPv6 Shortcuts use TLV 236.
All TLVs announced in the IS-IS LSPs are grafted onto the shortest path tree (SPT) as leaf nodes. IS-IS
transports the IPv6 reachability information to remote BEBs and uses the shortest path, calculated by
SPBM, for data forwarding.

Note
You only configure the IPv6 address information on the edges. There is no IPv6 in the SPBM
cloud.

IS-IS transports the IPv6 routes through TLV 236 in the LSP advertisements. These routes are installed
in the Global Routing Table (GRT) with the node from which the LSPs carrying the IPv6 routes are
received as the next hop.

IPv6 Shortcuts Dependency on IPv4 Shortcuts

IPv6 Shortcuts function in a very similar manner to IPv4 Shortcuts and depend on IPv4 Shortcuts for
some functions. For example, IPv6 Shortcuts use the BMAC (local and remote) information created by
IPv4 Shortcuts.

Important
IPv4 Shortcuts must be enabled before you enable IPv6 Shortcuts.
An error is displayed if you try to enable IPv6 Shortcuts but do not have IPv4 Shortcuts
already enabled.
You can disable IPv6 Shortcuts alone while leaving IPv4 Shortcuts enabled. If you disable IPv4
Shortcuts without disabling IPv6 Shortcuts first, a warning or error
message is displayed indicating that IPv6 should be disabled first.

Circuitless IPv6 (CLIPv6)

To enable IPv6 Shortcuts on the BEBs and to advertise the local BEB to other IS-IS nodes, you must
configure a circuitless IPv6 address (loopback address) and specify this address as the IS-IS source
address. This source address is automatically advertised into IS-IS using TLV 236.

IPv6 Shortcuts support Circuitless IPv6 (CLIPv6), which ensures uninterrupted connectivity to the
switch as long as there is an actual path to reach it. This route always exists and the circuit is always up
because there is no physical attachment.

Migrating the GRT to IPv6 Shortcuts

Use the following steps to migrate the Global Routing Table (GRT) to use IPv6 Shortcuts over the SPBM
core:
• Identify the nodes that should be enabled with IPv6 Shortcuts. Apply these steps to all of these
nodes.
• Activate and validate basic IPv6 Shortcuts. For information, see SPBM IPv6 Shortcuts on page 1344.
• Configure IS-IS route preference to ensure that the IPv6 IGP protocol currently being used in the
SPBM core is preferred over the IS-IS routes.
• Enable redistribution of direct and static IPv6 routes into IS-IS.
• Create route policies to permit only IPv6 IGP routes from the access side of the SPBM network.
• Configure redistribution of routes from the IPv6 route table from each of the IPv6 IGP protocols into
IS-IS along with the appropriate route policy.
• Use the show isis spbm ipv6-unicast-fib command to check the IS-IS LSDB and IS-IS routes,
and to verify that all the desired IPv6 routes are now in IS-IS.
• Configure redistribution of IS-IS routes from the IPv6 route table into each of the IPv6 IGP protocols
in use. This redistribution does not require a route policy since IS-IS is only supported in the SPBM
core.
• Change IS-IS route-preference to ensure that IS-IS routes are preferred over other IPv6 IGP routes.
• Disable/delete old IPv6 IGP in the SPBM core.

Important

Use only one IPv6 routing protocol in the SPBM core to prevent the possibility of routing loops.

IPv6 Shortcut Restrictions and Considerations

The following features are not supported:


• Disabling and enabling alternate routes for IPv6 routes
• Redistribution of RIP into IS-IS
• 6-in-4 tunnels are not supported when the tunnel destination IP is reachable via an IPv4 Shortcuts
route.

Keep the following considerations in mind when configuring IPv6 Shortcuts:


• IPv4 Shortcuts must be enabled before enabling IPv6 Shortcuts.
• IPv6 Shortcuts support Circuitless IPv6 (CLIPv6) with the following limitations:
◦ Stateless address autoconfiguration (SLAAC) is not supported on IPv6 CLIP interfaces.
◦ IPv6 CLIP does not support link-local address configuration.
◦ To configure an IPv6 address with a prefix length from 65 to 127 on a CLIP interface, you must
enable the IPv6 mode flag.

Note
This restriction does not apply to VSP 4450 Series switches.

◦ Neighbor discovery (ND) does not run on an IPv6 CLIP interface. Therefore, the system does not
detect when you configure a duplicate IPv6 address.
◦ Multiple IPv6 address configuration on an IPv6 CLIP interface is not supported.
◦ You can configure a maximum of 64 IPv6 CLIP interfaces.
◦ IPv6 CLIP interface is enabled by default and it cannot be disabled.
• IPv6 with vIST provides the same support as IPv4 with vIST.
• To help with debugging, CFM provides full support for both IPv4 and IPv6 addresses for the l2ping
and l2traceroute commands.

ECMP with IS-IS


The Equal Cost Multipath (ECMP) feature supports and complements the IS-IS protocol.

With ECMP, the switch can determine multiple equal-cost paths to the same destination prefix.


You can use multiple paths for load sharing of traffic. These multiple paths allow faster convergence
to other active paths in case of network failure. By maximizing load sharing among equal-cost paths,
you can use your links between routers more efficiently when sending IP and IPv6 traffic. Equal Cost
Multipath is formed using routes from the same protocol.

The number of multiple paths a switch can support differs by hardware platform. For more information
about feature support, see VOSS Release Notes.

ECMP within IS-IS routes

Equal Cost Multipath (ECMP) allows the device to determine up to eight equal cost paths to the
same destination prefix. The maximum number of equal cost paths you can configure depends on the
hardware platform. For more information, see VOSS Release Notes.

If the device learns the same route from multiple sources, the information is ECMP only if the routes:
• are from the same VSN
• have the same SPBM cost
• have the same prefix cost
• have the same IP route preference

Multiple BEBs can announce the same route, either because the Layer 2 LAN connects to multiple BEBs
for redundancy, or because segments of the LAN are Layer 2 bridged. In Layer 2, if the device has to
tie-break between multiple sources, the tie-breaking is based on cost and hop count.

In Layer 3, hop count is not used for tie-breaking. Instead, the device uses the following precedence
rules to tie-break. In the following order, the device prefers:

1. Routes that do not include nodes with the overload bit set.

   When a router node runs out of system resources (memory or CPU), it alerts the other routers in
   the network by setting the overload bit in its link-state packets (LSPs). When this bit is set, the node
   is not used for transit traffic but only for traffic packets destined to the node's directly connected
   networks and IP prefixes.
2. Local routes over remote routes.

   If a route is learned locally, for example, through inter-VRF route leaking, it is most preferred.
3. Routes with the lowest route preference.

   By default, IS-IS routes within the same VSN are added to the LSDB with a default preference of 7.
   Inter-VSN routes are added to the LSDB with a route preference of 200. You can, however, change
   the route preference using IS-IS accept policies.
4. Metric type internal (type 1) over metric type external (type 2).
5. Routes with the lowest SPBM cost.
6. Routes with the lowest prefix cost.

   If the metric type is internal, then the tie-break is on SPB cost first, and then on the prefix cost.
   Otherwise the tie-break is only on the prefix cost.

   You can either change this using a route-map on the remote advertising node with the
   redistribute command, or using a route-map on the local node with the IS-IS accept policy.
7. Routes within a VSN with a lower Layer 3 VSN I-SID.

   The device considers the Global Routing Table (GRT) to have an I-SID equal to zero.

When you use multiple B-VLANs in the SPBM core, multiple paths exist to reach a particular SPBM
node, one on each B-VLAN; therefore, any IP prefix or IPv6 prefix that the device receives from a BEB
results in multiple ECMP paths. These paths may or may not be physically diverse. SPBM supports up to
two B-VLANs; a primary B-VLAN and a secondary B-VLAN.

If more ECMP paths are available than the configured number of paths, then the device adds the routes
in the following order: the device selects all routes from the primary B-VLAN and orders the routes
learned through that B-VLAN from the lowest IS-IS system ID to the highest IS-IS system ID. The device
then selects all routes from the secondary B-VLAN, ordering those routes from the lowest IS-IS
system ID to the highest IS-IS system ID, until it reaches the number of equal paths configured.

For example, consider an SPB core configured with two B-VLANs (primary B-VLAN 1000 and
secondary B-VLAN 2000), in which the device learns routes from two BEBs called BEB-A (with a lower
IS-IS system ID) and BEB-B (with a higher IS-IS system ID). The order in which the next-hop is
chosen for those routes is as follows.

If a route is learned only from BEB-A with the maximum number of allowed ECMP paths configured as 8
(default), then the order in which the next-hop is chosen for that route is:

1. BEB-A B-VLAN 1000
2. BEB-A B-VLAN 2000

If routes are learned from both BEB-A and BEB-B with the maximum number of allowed ECMP paths
configured as 8 (default), then the order in which the next-hop is chosen for those routes is:

1. BEB-A B-VLAN 1000
2. BEB-B B-VLAN 1000
3. BEB-A B-VLAN 2000
4. BEB-B B-VLAN 2000

If ECMP is disabled, the maximum number of allowed ECMP paths is 1 and the device adds the route
from the lowest system ID with the primary B-VLAN. In this example, the device adds BEB-A B-VLAN
1000.

Note
• ECMP is supported for IPv6 Shortcut routes.
• To add IS-IS equal cost paths in the routing table, you must enable the IPv6 ECMP feature
globally.

ECMP Impact on IS-IS Route Selection for Inter-VRF Routes with vIST

This section illustrates the impact ECMP can have on a configuration that implements user-defined
VRFs in a vIST cluster and how to avoid incorrect route selection.

Understanding the Configuration

Imagine the following configuration:


• A vIST cluster exists with multiple VRF contexts.
• On both nodes, VRF A redistributes routes into IS-IS as external. VRF B uses an IS-IS accept policy to
accept these routes.
• Each node learns three paths to the route:
◦ The nodes learn one path using local inter-VRF redistribution.
◦ The nodes learn the other two paths from the IST peer.
• The routes are treated as ECMP paths because the preference, metric-type, and metric are equal.

IS-IS sorts paths for the same route by source-BEB B-MAC and B-VLAN ID. The primary B-VLAN ID is
first installed for each B-MAC, followed by the secondary B-VLAN ID for each B-MAC, as long as the
ECMP max-path value is not reached. On the node with the lowest B-MAC, the first path listed is its own
local inter-VRF route, while on the other node, the MIM path across the vIST is listed first.

If you disable ECMP, all paths except the first are removed. Because IS-IS orders the paths by B-MAC, each
node in the vIST cluster selects the same B-MAC as the next hop. This configuration leads one of the
nodes to select itself, the local inter-VRF route, while the other node selects the MIM path across the vIST
to get to the inter-VRF route. This situation results in an incorrect route selection.

Avoiding Incorrect Route Selection

To avoid this situation, create a policy to prevent IS-IS from determining that the MIM path across the
vIST and the local inter-VRF route are ECMP paths. Configure the local inter-VRF path as the preferred
path, and the vIST path as the backup. The following list identifies ways that you can accomplish this:
• Redistribute the VRF route into IS-IS using the internal metric-type. IS-IS will always select the local
inter-VRF route. For more information about the metric type for IS-IS routes, see Fabric Basics and
Layer 2 Services on page 923.
• If an IS-IS internal metric-type is not an option, configure an IS-IS accept policy to change the
preference of inter-VRF routes learned from the IST peer. The local inter-VRF route is preferred over
the inter-VRF routes learned from the IST peer.
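
The next-hop ordering described under "ECMP within IS-IS routes" and the vIST route-selection problem described in this section, modelled as an added Python example (not code from the VOSS guide or from Extreme Networks). The system IDs, the peer preference value of 8, and the placement of the local inter-VRF path on the node's own ID and the primary B-VLAN are assumptions made for illustration.

```python
from dataclasses import dataclass

PRIMARY_BVLAN = 1000      # B-VLAN IDs taken from the page's example
SECONDARY_BVLAN = 2000


@dataclass(frozen=True)
class Path:
    beb: str                # advertising BEB
    system_id: str          # IS-IS system ID / B-MAC (constructed values)
    bvlan: int
    preference: int = 7     # default IS-IS route preference quoted on the page
    local: bool = False     # True for the node's own inter-VRF route


def sid_value(system_id):
    """Convert 'xxxx.xxxx.xxxx' to an integer so IDs compare numerically."""
    return int(system_id.replace(".", ""), 16)


def install_order(paths, max_paths=8):
    """Return next hops in the order the page describes.

    Only paths that share the lowest route preference are equal-cost
    candidates. They are ordered primary B-VLAN first (lowest to highest
    system ID), then secondary B-VLAN, and cut off at max_paths
    (max_paths is 1 when ECMP is disabled).
    """
    if not paths:
        return []
    best = min(p.preference for p in paths)
    equal = [p for p in paths if p.preference == best]
    rank = {PRIMARY_BVLAN: 0, SECONDARY_BVLAN: 1}
    equal.sort(key=lambda p: (rank[p.bvlan], sid_value(p.system_id)))
    return equal[:max_paths]


def label(path):
    text = f"{path.beb} B-VLAN {path.bvlan}"
    return text + " (local)" if path.local else text


# Constructed system IDs: BEB-A is lower than BEB-B, as in the page's example.
BEB_A = ("BEB-A", "0000.0000.00a1")
BEB_B = ("BEB-B", "0000.0000.00b2")


def campus_paths():
    """Both BEBs advertise the route on both B-VLANs (deliberately unsorted)."""
    return [Path(name, sid, vlan)
            for (name, sid) in (BEB_B, BEB_A)
            for vlan in (SECONDARY_BVLAN, PRIMARY_BVLAN)]


def vist_view(own, peer, peer_preference=7):
    """Paths one vIST node holds for an inter-VRF route: its own local
    redistribution plus the IST peer's advertisement on both B-VLANs.
    Assumption: the local path sorts under the node's own ID on the
    primary B-VLAN."""
    return [
        Path(own[0], own[1], PRIMARY_BVLAN, local=True),
        Path(peer[0], peer[1], PRIMARY_BVLAN, preference=peer_preference),
        Path(peer[0], peer[1], SECONDARY_BVLAN, preference=peer_preference),
    ]


if __name__ == "__main__":
    print("ECMP max-path 8:", [label(p) for p in install_order(campus_paths())])
    print("ECMP disabled  :", [label(p) for p in install_order(campus_paths(), 1)])

    # vIST cluster, ECMP disabled: both nodes pick the lowest ID, so only
    # the node that owns that ID ends up on its local inter-VRF route.
    for own, peer in ((BEB_A, BEB_B), (BEB_B, BEB_A)):
        pick = install_order(vist_view(own, peer), max_paths=1)[0]
        print(f"{own[0]} selects {label(pick)}")

    # Accept policy that gives peer-learned routes a worse preference
    # (8 is a constructed value): every node keeps its local route.
    for own, peer in ((BEB_A, BEB_B), (BEB_B, BEB_A)):
        pick = install_order(vist_view(own, peer, peer_preference=8), 1)[0]
        print(f"{own[0]} with accept policy selects {label(pick)}")
```
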

IS-IS IP Redistribution Policies


When you connect an SPBM core using IP shortcuts to existing networks running a routing protocol
such as OSPF or RIP, a redundant configuration requires two switches:
• One router redistributes IP routes from Routing Information Protocol (RIP)/Open Shortest Path First
(OSPF) into IS-IS (IP).
• The second router redistributes from IS-IS (IP) into RIP or OSPF.

The following figure illustrates this configuration.


Figure 126: Redundant OSPF or RIP Network


In this scenario it is necessary to take extra care when redistributing through both switches. By default
the preference value for IP routes generated by SPBM-IP (IS-IS) is 7. This is a higher preference than
OSPF (20 for intra-area, 25 for inter-area, 120 for ext type1, 125 for ext type2) or RIP (100).

Important
The lower numerical value determines the higher preference.

In the preceding diagram both nodes (SwitchG and SwitchD) have an OSPF or a RIP route to
192.168.10.0/24 with the next-hop to SwitchA.

As soon as the SwitchG node redistributes that IP route into IS-IS, the SwitchD node learns the same
route through IS-IS from SwitchG. (The SwitchG node already has the route through OSPF or RIP).
Because IS-IS has a higher preference, SwitchD replaces its 192.168.10.0 OSPF route with an IS-IS one
that points at SwitchG as the next-hop. The following figure illustrates this scenario.


Figure 127: Redistributing Routes into IS-IS


Clearly this is undesirable and care needs to be taken to ensure that the two redistributing nodes
(SwitchG and SwitchD) do not accept redistributed routes from each other. With IS-IS accept policies,
you can associate an IS-IS accept policy on SwitchD to reject all redistributed IP routes received from
SwitchG, and on SwitchG to reject all redistributed IP routes from SwitchD.

An alternate way to solve the preceding problem with existing functionality is to reverse the problem
by lowering the SPBM-IP (IS-IS) preference, that is, by configuring it to a value greater than RIP (100) or OSPF
(20, 25, 120, 125). For example, log on to Global Configuration mode and use the following command to
configure a preference of 130:

ip route preference protocol spbm-level1 130

Note
For IPv6, the command is ipv6 route preference protocol spbm-level1 130

Now that the OSPF or RIP routes have a higher preference than SPBM-IP (IS-IS), the above problem is
temporarily solved. However, the same issue resurfaces when the IS-IS IP routes are redistributed into
OSPF or RIP in the reverse direction as shown in the following figure for OSPF:


Figure 128: Redistributing Routes into OSPF


In the preceding figure, both SwitchG and SwitchD have an IS-IS IP route for 172.16.0.0/16 with the next
hop as SwitchC. As soon as SwitchG redistributes the IS-IS route into OSPF, the SwitchD node learns
that same route through OSPF from SwitchG. (The SwitchG node already has the route through IS-IS).

Because OSPF has a higher preference, SwitchD replaces its 172.16.0.0/16 IS-IS route with an OSPF
one. (Note that the 172.16.0.0/16 route will be redistributed into OSPF as an AS external route, hence
with preference 120 or 125 depending on whether type1 or type2 was used). In this case, however, you
can leverage OSPF Accept policies, which can be configured to prevent SwitchD from accepting any
AS External (LSA5) routes from SwitchG and prevent SwitchG from accepting any AS External (LSA5)
routes from SwitchD. The following is a sample configuration:
enable
configure terminal
route-map

IP ROUTE MAP CONFIGURATION - GlobalRouter

route-map "reject" 1
no permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

OSPF CONFIGURATION - GlobalRouter

router ospf enable

OSPF ACCEPT CONFIGURATION - GlobalRouter

router ospf
accept adv-rtr {A.B.C.D}


accept adv-rtr {A.B.C.D} enable route-map "reject"


exit

Note
Disable alternative routes by issuing the command no ip alternative-route to avoid
routing loops on the SMLT Backbone Edge Bridges (BEBs).

In the preceding figure, if SwitchA advertises 25000 OSPF routes to SwitchG and SwitchD, then both
SwitchG and SwitchD install the 25000 routes as OSPF routes. Since SwitchD and SwitchG have OSPF
to IS-IS redistribution enabled, they also learn these 25000 routes as IS-IS routes. IS-IS route preference
is configured with a higher numerical value (130) than the OSPF route preference (125), so SwitchD and
SwitchG keep IS-IS learned routes as alternative routes.

If SwitchA withdraws its 25000 OSPF routes, SwitchG and SwitchD remove the OSPF routes. As
the OSPF routes are removed, the routing tables of SwitchG and SwitchD activate the alternative IS-IS
routes for the same prefix. Since SwitchG and SwitchD have IS-IS to OSPF redistribution enabled,
SwitchA learns these routes as OSPF and this causes a routing loop. Use the no ip alternative-route
command to disable alternative routes on SwitchG and SwitchD to avoid routing loops.
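
The preference interactions described above, modelled as an added Python example that is not part of the VOSS guide or of VOSS software. It uses the preference values quoted on this page; the Rib class, the assumption that SwitchD's OSPF route to 192.168.10.0/24 is intra-area, and the simplified handling of alternative routes (a route that loses on arrival is not retained when the feature is off) are illustrative.

```python
from dataclasses import dataclass

# Route preference values quoted on the page (lower value wins).
PREF = {"isis": 7, "ospf-intra": 20, "ospf-inter": 25,
        "ospf-ext1": 120, "ospf-ext2": 125, "rip": 100}

LAN = "192.168.10.0/24"    # behind SwitchA in the page's figures
CORE = "172.16.0.0/16"     # behind SwitchC in the page's figures


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str      # key into the preference table
    next_hop: str
    adv_rtr: str       # node that advertised or redistributed the route


class Rib:
    """Per-prefix candidate routes with preference-based selection."""

    def __init__(self, pref=None, reject=(), alternative_route=True):
        self.pref = dict(PREF, **(pref or {}))
        self.reject = set(reject)    # (protocol, adv_rtr) pairs an accept policy drops
        self.alternative_route = alternative_route
        self.routes = {}

    def offer(self, route):
        if (route.protocol, route.adv_rtr) in self.reject:
            return
        cands = self.routes.setdefault(route.prefix, [])
        cands.append(route)
        cands.sort(key=lambda r: self.pref[r.protocol])
        if not self.alternative_route:
            del cands[1:]            # keep only the best route, no alternatives

    def withdraw(self, prefix, protocol):
        self.routes[prefix] = [r for r in self.routes.get(prefix, [])
                               if r.protocol != protocol]

    def best(self, prefix):
        cands = self.routes.get(prefix)
        return cands[0] if cands else None


def switchd_lan(rib):
    """SwitchD's view of 192.168.10.0/24 once SwitchG redistributes OSPF into IS-IS."""
    rib.offer(Route(LAN, "ospf-intra", "SwitchA", "SwitchA"))   # assumed intra-area
    rib.offer(Route(LAN, "isis", "SwitchG", "SwitchG"))
    return rib.best(LAN)


def switchd_core(rib):
    """SwitchD's view of 172.16.0.0/16 once SwitchG redistributes IS-IS into OSPF."""
    rib.offer(Route(CORE, "isis", "SwitchC", "SwitchC"))
    rib.offer(Route(CORE, "ospf-ext2", "SwitchG", "SwitchG"))
    return rib.best(CORE)


if __name__ == "__main__":
    # Default preferences: IS-IS (7) displaces the OSPF route.
    print("default          :", switchd_lan(Rib()).next_hop)
    # IS-IS accept policy on SwitchD rejecting routes from SwitchG.
    print("isis accept      :", switchd_lan(Rib(reject={("isis", "SwitchG")})).next_hop)
    # spbm-level1 preference 130 fixes this direction ...
    print("isis pref 130    :", switchd_lan(Rib(pref={"isis": 130})).next_hop)
    # ... but the OSPF external route (125) now displaces the IS-IS route.
    print("reverse direction:", switchd_core(Rib(pref={"isis": 130})).next_hop)
    # OSPF accept policy rejecting AS external routes from SwitchG.
    fixed = Rib(pref={"isis": 130}, reject={("ospf-ext2", "SwitchG")})
    print("ospf accept      :", switchd_core(fixed).next_hop)

    # Alternative routes: after SwitchA withdraws the OSPF route, the stale
    # IS-IS copy that SwitchG redistributed becomes active.
    rib = Rib(pref={"isis": 130})
    switchd_lan(rib)
    rib.withdraw(LAN, "ospf-intra")
    print("after withdrawal :", rib.best(LAN).next_hop)
    rib = Rib(pref={"isis": 130}, alternative_route=False)
    switchd_lan(rib)
    rib.withdraw(LAN, "ospf-intra")
    print("alternatives off :", rib.best(LAN))
```
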

In the preceding figure, you leveraged OSPF Accept policies, which can be configured to prevent
SwitchD from accepting any AS External (LSA5) routes from SwitchG and prevent SwitchG from
accepting any AS External (LSA5) routes from SwitchD. In the case of a RIP access network, the
preceding solution is not possible because RIP has no concept of external routes and no equivalent of
accept policies. However, if you assume that a RIP network acts as an access network to an SPBM core,
then it is sufficient to ensure that when IS-IS IP routes are redistributed into RIP they are aggregated
into a single default route at the same time. The following figure and sample configuration example
illustrate this scenario:


Figure 129: Redistributing Routes into RIP

SwitchG
IP PREFIX LIST CONFIGURATION - GlobalRouter

ip prefix-list "default" 0.0.0.0/0 ge 0 le 32

IP ROUTE MAP CONFIGURATION - GlobalRouter

route-map "inject-default" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

route-map "match-network" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

route-map "set-injectlist" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

RIP PORT CONFIGURATION

interface gigabitethernet 1/11


ip rip default-supply enable
exit

IP REDISTRIBUTION CONFIGURATION - GlobalRouter


router rip
redistribute isis
redistribute isis metric 1
redistribute isis route-map "inject-default"
redistribute isis enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS

ip rip apply redistribute isis

SwitchA
RIP PORT CONFIGURATION

interface gigabitethernet 1/2


ip rip default-listen enable
exit
interface gigabitethernet 1/3
ip rip default-listen enable
exit

SwitchD
IP PREFIX LIST CONFIGURATION - GlobalRouter

ip prefix-list "default" 0.0.0.0/0 ge 0 le 32

IP ROUTE MAP CONFIGURATION - GlobalRouter

route-map "inject-default" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

route-map "match-network" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

route-map "set-injectlist" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

RIP PORT CONFIGURATION

interface gigabitethernet 2/11


ip rip default-supply enable
exit

IP REDISTRIBUTION CONFIGURATION - GlobalRouter

router rip
redistribute isis
redistribute isis metric 1
redistribute isis route-map "inject-default"
redistribute isis enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS


ip rip apply redistribute isis

You can control the propagation of the default route on the RIP network so that both SwitchG and
SwitchD supply the default route on their relevant interfaces, and not accept it on the same interfaces.
Likewise, SwitchA will accept the default route on its interfaces to both SwitchG and SwitchD but it will
not supply the default route back to them. This will prevent the default route advertised by SwitchG
from being installed by SwitchD, and vice-versa.

The preceding example where IS-IS IP routes are aggregated into a single default route when
redistributed into the RIP network also applies when redistributing IS-IS IP routes into OSPF if that
OSPF network is an access network to an SPBM core. In this case use the following redistribution policy
configuration as an example for injecting IS-IS IP routes into OSPF:

IP PREFIX LIST CONFIGURATION - GlobalRouter

ip prefix-list "default" 0.0.0.0/0 ge 0 le 32

IP ROUTE MAP CONFIGURATION - GlobalRouter

route-map "inject-default" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

route-map "match-network" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

route-map "set-injectlist" 1
permit
enable
match protocol local|static|rip|ospf|ebgp|ibgp|dvmrp|isis
exit

OSPF CONFIGURATION - GlobalRouter

router ospf enable


router ospf
as-boundary-router enable
exit

IP REDISTRIBUTION CONFIGURATION - GlobalRouter

router ospf
redistribute isis
redistribute isis route-map "inject-default"
redistribute isis enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS

ip ospf apply redistribute isis


IS-IS Accept Policies


You can use Intermediate-System-to-Intermediate-System (IS-IS) accept policies (for IPv4 and IPv6) to
filter incoming IS-IS routes over the SPBM cloud and apply route policies to the incoming IS-IS routes.
IS-IS accept policies enable the device to determine whether to add an incoming route to the routing
table.

IS-IS Accept Policies and DvR

Note
IPv6 IS-IS accept policies for DvR are not supported.

When you configure DvR in an SPB network, you can leverage IS-IS accept policies to control the DvR
routes learned from the DvR backbone. The DvR backbone contains the master list of all the host routes
learned from various DvR domains.

You can configure accept policies on a DvR Controller or a non-DvR BEB as a filter to determine which
DvR host routes to accept into the routing table, from the DvR backbone. Accept policies apply to only
those backbone (or inter-domain) host routes that are not part of the Controller's own DvR enabled
subnets and do not have the same domain ID as that of the Controller.

For non-DvR BEBs, all the routes present in the backbone are learned, but you can still use the accept
policies to filter specific routes.

For information on DvR, see Distributed Virtual Routing on page 688.

IS-IS Accept Policy Filters

You can filter traffic with IS-IS accept policies by:


• advertising BEB
• I-SID or I-SID list
• route-map
• backbone-route-map for IPv4 only
• a combination of route-map and backbone-route-map for IPv4 only

You can apply IS-IS accept policies at a global default level for all advertising Backbone Edge
Bridges (BEBs) or for a specific advertising BEB.

IS-IS accept policies also allow you to use either a service instance identifier (I-SID) or an I-SID list
to filter routes. The switch uses I-SIDs to define Virtual Services Networks (VSNs). I-SIDs identify and
transmit virtualized traffic in an encapsulated SPBM frame. IS-IS accept policies can use I-SIDs or I-SID
lists to filter the incoming virtualized traffic.

IS-IS accept policies can also apply route policies to determine what incoming traffic to accept into the
routing table. With route policies the device can determine which routes to accept into the routing table
based on the criteria you configure. You can match on the network or the route metric.

On DvR Controllers in a DvR domain, you can configure a backbone route policy to determine what host
routes to accept from the DvR backbone, into the routing table. Also, just like on the route policy, you
can configure match criteria, and set preferences on the backbone route policy.


To accept both IS-IS routes and host routes from the DvR backbone, you can configure both a route
policy and a backbone route policy in the accept policy instance.

For more information on configuring route policies:


• For IPv4, see IP routing operations fundamentals on page 1836.
• For IPv6, see IPv6 Routing Basics on page 1904.

The following table describes IPv4 IS-IS accept policy filters.

| Filters into | Filter | Description |
|---|---|---|
| Global Routing Table (GRT) | accept route-map WORD<1-64> | By default, the device accepts all routes into the GRT and VRF routing table. This is the default accept policy. |
| Global Routing Table (GRT) | accept route-map WORD<1-64> backbone-route-map WORD<1-64> | This is the default accept policy with configuration to accept specific DvR host routes from the DvR backbone. |
| Global Routing Table (GRT) | accept adv-rtr <x.xx.xx> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the specific advertising BEB defined by the SPBM nickname. The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Global Routing Table (GRT) | accept i-sid <1-16777215> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the I-SID, which represents a local or remote Layer 3 VSN. The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Global Routing Table (GRT) | accept adv-rtr <x.xx.xx> i-sid <1-16777215> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the specific advertising BEB and the I-SID, which represents a local or remote Layer 3 VSN. The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Global Routing Table (GRT) | accept isid-list WORD<1-32> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the list of I-SIDs. The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Global Routing Table (GRT) | accept adv-rtr <x.xx.xx> isid-list WORD<1-32> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the specific advertising BEB and the list of I-SIDs. The number 0 represents the Global Routing Table (GRT). The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Virtual Routing and Forwarding (VRF) routing table | isis accept adv-rtr <x.xx.xx> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the specific advertising BEB defined by the SPBM nickname. The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Virtual Routing and Forwarding (VRF) routing table | isis accept i-sid <0-16777215> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the I-SID, which represents a local or remote Layer 3 VSN. The number 0 represents the Global Routing Table (GRT). The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Virtual Routing and Forwarding (VRF) routing table | isis accept adv-rtr <x.xx.xx> i-sid <0-16777215> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the specific advertising BEB and the I-SID, which represents a local or remote Layer 3 VSN. The number 0 represents the Global Routing Table (GRT). The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Virtual Routing and Forwarding (VRF) routing table | isis accept isid-list WORD<1-32> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the list of I-SIDs to which the IS-IS accept policy applies. The number 0 represents the Global Routing Table (GRT). The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Virtual Routing and Forwarding (VRF) routing table | isis accept adv-rtr <x.xx.xx> isid-list WORD<1-32> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the specific advertising BEB and the list of I-SIDs. The number 0 represents the Global Routing Table (GRT). The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |
| Virtual Routing and Forwarding (VRF) routing table | isis accept route-map WORD<1-64> route-map WORD<1-64> backbone-route-map WORD<1-64> | The device filters based on the route policy. The device, if DvR enabled, also filters the DvR host routes to accept from the DvR backbone. This is an optional filter. |


The following table describes the IPv6 IS-IS accept policy filters:

| Filters into | Filter | Description |
|---|---|---|
| Global Routing Table (GRT) | ipv6 accept route-map WORD<1-64> | By default, the device accepts all routes advertised. This is the default accept policy. |
| Global Routing Table (GRT) | ipv6 accept adv-rtr <x.xx.xx> route-map WORD<1-64> | The device filters based on the specific advertising BEB defined by the SPBM nickname. |
| Global Routing Table (GRT) | ipv6 accept i-sid <1-16777215> route-map WORD<1-64> | The device filters based on the I-SID, which represents a local or remote Layer 3 VSN. |
| Global Routing Table (GRT) | ipv6 accept adv-rtr <x.xx.xx> i-sid <1-16777215> route-map WORD<1-64> | The device filters based on the specific advertising BEB and the I-SID, which represents a local or remote Layer 3 VSN. |
| Global Routing Table (GRT) | ipv6 accept isid-list WORD<1-32> route-map WORD<1-64> | The device filters based on the list of I-SIDs. |
| Global Routing Table (GRT) | ipv6 accept adv-rtr <x.xx.xx> isid-list WORD<1-32> route-map WORD<1-64> | The device filters based on the specific advertising BEB and the list of I-SIDs. The number 0 represents the Global Routing Table (GRT). |
| Virtual Routing and Forwarding (VRF) routing table | ipv6 isis accept route-map WORD<1-64> route-map WORD<1-64> | The device filters based on the route policy. |
| Virtual Routing and Forwarding (VRF) routing table | ipv6 isis accept adv-rtr <x.xx.xx> route-map WORD<1-64> | The device filters based on the specific advertising BEB defined by the SPBM nickname. |
| Virtual Routing and Forwarding (VRF) routing table | ipv6 isis accept i-sid <0-16777215> route-map WORD<1-64> | The device filters based on the I-SID, which represents a local or remote Layer 3 VSN. The number 0 represents the Global Routing Table (GRT). |
| Virtual Routing and Forwarding (VRF) routing table | ipv6 isis accept adv-rtr <x.xx.xx> i-sid <0-16777215> route-map WORD<1-64> | The device filters based on the specific advertising BEB and the I-SID, which represents a local or remote Layer 3 VSN. The number 0 represents the Global Routing Table (GRT). |
| Virtual Routing and Forwarding (VRF) routing table | ipv6 isis accept isid-list WORD<1-32> route-map WORD<1-64> | The device filters based on the list of I-SIDs to which the IS-IS accept policy applies. The number 0 represents the Global Routing Table (GRT). |
| Virtual Routing and Forwarding (VRF) routing table | ipv6 isis accept adv-rtr <x.xx.xx> isid-list WORD<1-32> route-map WORD<1-64> | The device filters based on the specific advertising BEB and the list of I-SIDs. The number 0 represents the Global Routing Table (GRT). |


IS-IS Accept Policies for the GRT and VRFs

You can create an IS-IS accept policy for incoming routes for the Global Routing Table (GRT), which
accepts routes into the routing table, or for a Virtual Routing and Forwarding (VRF) instance, which
accepts incoming routes to the routing table of the VRF.

If you create an IS-IS accept policy on the switch for either the GRT or a VRF that operates at a global
default level, the accept policy applies to all routes for all BEBs in the GRT or VRF.

If you create an IS-IS accept policy on the switch for a specific advertising BEB for either the GRT or a
VRF, the IS-IS accept policy instance applies for that specific advertising BEB. If you use a more specific
filter, the system gives preference to the specific filter over the global default level.

IS-IS Accept Policies for Inter-VRF Route Redistribution

You can also use the filter mechanism for IS-IS accept policies to redistribute routes between different
VRFs, or between a VRF and the GRT. For inter-VRF route redistribution, you match the filter based on
the I-SID, which represents the Layer 3 VSN context.

You can apply the filter at the global default level, where the IS-IS accept policy applies to all routes for
that I-SID from all BEBs, or at a specific advertising BEB level, where the filter only applies to a specific
advertising BEB. The device gives preference to a specific filter for a specific advertising BEB over the
global default filter.

For inter-VRF route redistribution, an I-SID value of 0 represents the GRT. For inter-VRF route
redistribution between VRFs, the I-SID is the source VRF (or remote VRF).

Note
If the primary B-VLAN is down either because you did not configure at least one network-to-
network interface (NNI) or all configured NNIs are down, the switch does not redistribute
inter-VRF routes through IS-IS accept policies.

IS-IS Accept Policy Considerations

Consider the following when you configure IS-IS accept policies:


• If a VRF uses a different protocol to redistribute routes from another VRF, the IS-IS accept policy
feature cannot be used. You can only use the IS-IS accept policy for inter-VSN route redistribution
between VRFs.
• IPv4 and IPv6 IS-IS accept policies can exist on the same VRF and GRT. The I-SID list configuration is
shared across both protocol versions.

Precedence rules in the same VSN

The following precedence rules apply for IS-IS accept policies used in the same VSN:
• You can only apply one configured IS-IS accept policy for each route.
• You can apply either a default filter for all advertising BEBs or a filter for a specific advertising BEB.
• If you disable the accept filter, the system ignores the filter and the filter with the next highest
precedence applies.
• The device prefers the accept adv-rtr filter, which filters based on a specific advertising BEB,
over the default filter for all advertising BEBs.

• The device accepts all routes within the same VSN by default. You can apply a route policy to filter or
change the characteristics of the route by metric or preference.
• The i-sid or isid-list filters are not valid for routes within the same VSN.

Precedence rules for inter-VSN route redistribution

The following precedence rules apply for IS-IS accept policies used for inter-VSN route redistribution:
• You can only apply one configured IS-IS accept policy for each route.
• You can apply filters at a global default level for all BEBs for a specific I-SID or I-SID list, or you can
apply filters for a specific advertising BEB for a specific I-SID or I-SID list.
• If you disable the accept filter, the system ignores the filter and the filter with the next highest
precedence applies.
• The device requires a specific filter to redistribute routes between VSNs through the use of the
i-sid or isid-list filters.
• The i-sid filter takes precedence over the isid-list filter.
• The adv-rtr filter for a specific advertising BEB takes precedence over a filter with the same
i-sid filter without the adv-rtr filter.
• The i-sid or isid-list filters only apply to routes for inter-VSN route redistribution.
• If multiple isid-list filters have the same I-SID within the list, the first on the list alphabetically
has the higher precedence.
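
The same-VSN and inter-VSN precedence rules above, modeled as an added Python example (not Extreme Networks code and not taken from the switch). The AcceptFilter fields, select_filter(), and the sample nicknames, I-SIDs and route-map names are constructed; ranking adv-rtr specificity ahead of the i-sid versus isid-list comparison is an assumption, because the page states the adv-rtr rule only for filters with the same i-sid.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class AcceptFilter:
    """One IS-IS accept policy instance (field names are this example's own)."""
    adv_rtr: Optional[str] = None    # SPBM nickname x.xx.xx; None = all advertising BEBs
    i_sid: Optional[int] = None      # single I-SID; 0 represents the GRT
    isid_list: Optional[str] = None  # name of an I-SID list
    route_map: Optional[str] = None
    enabled: bool = False


def select_filter(filters: Iterable[AcceptFilter], isid_lists: Dict[str, Set[int]],
                  local_isid: int, route_isid: int,
                  route_adv_rtr: str) -> Tuple[str, Optional[AcceptFilter]]:
    """Return (outcome, filter) for one received IS-IS route.

    outcome is "filtered" (the returned filter's route-map decides),
    "accepted-by-default" (same VSN, no filter) or "not-redistributed"
    (inter-VSN route with no explicit i-sid / isid-list filter).
    """
    same_vsn = route_isid == local_isid
    ranked = []
    for f in filters:
        if not f.enabled:
            continue  # a disabled filter is ignored; the next one in precedence applies
        if f.adv_rtr is not None and f.adv_rtr != route_adv_rtr:
            continue  # filter is for a different advertising BEB
        has_isid_selector = f.i_sid is not None or f.isid_list is not None
        if same_vsn:
            if has_isid_selector:
                continue  # i-sid / isid-list filters are not valid within the same VSN
            kind = 0
        elif f.i_sid == route_isid:
            kind = 0      # i-sid filter
        elif f.isid_list is not None and route_isid in isid_lists.get(f.isid_list, set()):
            kind = 1      # isid-list filter, ranks below i-sid
        else:
            continue
        # Sort key: BEB-specific before global default, i-sid before isid-list,
        # then list name alphabetically. Comparing adv-rtr first is an assumption.
        ranked.append(((0 if f.adv_rtr else 1, kind, f.isid_list or ""), f))
    if ranked:
        return "filtered", min(ranked, key=lambda r: r[0])[1]
    return ("accepted-by-default" if same_vsn else "not-redistributed"), None


# Constructed sample: VRF "green" is Layer 3 VSN I-SID 500 on this BEB.
ISID_LISTS = {"access": {100, 200}, "branch": {200}}
FILTERS = [
    AcceptFilter(i_sid=100, route_map="rm-global", enabled=True),
    AcceptFilter(adv_rtr="1.11.16", i_sid=100, route_map="rm-beb", enabled=True),
    AcceptFilter(isid_list="branch", route_map="rm-branch", enabled=True),
    AcceptFilter(isid_list="access", route_map="rm-access", enabled=True),
    AcceptFilter(i_sid=300, route_map="rm-off"),  # configured but never enabled
    AcceptFilter(adv_rtr="3.03.01", route_map="rm-local", enabled=True),
]


def decide(route_isid: int, adv_rtr: str) -> Tuple[str, Optional[str]]:
    """Resolve one route against the constructed sample and name the route-map used."""
    outcome, f = select_filter(FILTERS, ISID_LISTS, 500, route_isid, adv_rtr)
    return outcome, f.route_map if f else None


if __name__ == "__main__":
    for isid, beb in [(100, "1.11.16"), (100, "2.22.22"), (200, "2.22.22"),
                      (300, "2.22.22"), (500, "3.03.01"), (500, "2.22.22")]:
        print(isid, beb, decide(isid, beb))
```

The I-SID 300 case shows why a configured but disabled filter matters: with no enabled filter left for that I-SID, its routes are not redistributed at all.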

Route Preference

The relative value of the route preference among different protocols determines which protocol the
device prefers. If multiple protocols are in the routing table, the device prefers the route with the lower
value. You can change the value at the protocol level, and you can also change the preference of
incoming IS-IS routes using the route-map with the IS-IS Accept policy filter for IPv4 only.

Route Metric

Use route-map to change the metric of a route when you accept a remote IS-IS route with IS-IS accept
policies.

You can use route-map to change the metric of a route when you redistribute the route from another
protocol to IS-IS through the route redistribution mechanism.

You can also configure the route metric with the base redistribute command without the use of
route-map.

Note
For both IPv4 and IPv6 IS-IS accept policies, if there is a mismatch in the route-map (inbound
filtering) configured, all routes are accepted by default. This differs from the redistribute
route-map (outbound filtering), where all routes are denied by default if there is a mismatch. For more
information, see IP routing operations fundamentals on page 1836.

For more information on the configuration of route-map:


• For IPv4, see IP routing operations fundamentals on page 1836.
• For IPv6, see IPv6 Routing Basics on page 1904.


IP Shortcuts configuration using the CLI


This section provides procedures to configure IP Shortcuts using the CLI.

Configuring SPBM IPv4 Shortcuts


In addition to Layer 2 virtualization, the SPBM model is extended to also support Routed SPBM,
otherwise called SPBM IP Shortcuts.

SPBM allows a network to make the best use of routing and forwarding techniques, where only the
BEBs perform an IP route lookup and all other nodes perform standard Ethernet switching based on the
existing shortest path tree. This allows for end to end IP-over-Ethernet forwarding without the need for
ARP, flooding, or reverse learning.

To enable IP shortcuts on the BEBs, you can configure a circuitless IP (CLIP) address (loopback
address), and specify this address as the IS-IS source address. This source address is automatically
advertised into IS-IS using TLV 135. In addition, to advertise routes from the BEBs into the SPBM
network, you must enable route redistribution of direct and static routes into IS-IS.

Note
The loopback address on each switch or BEB must be in a different subnet to ensure
connectivity between them. To do this, use a 32-bit mask with the CLIP address.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• Before redistributing routes into IS-IS, you must create the Customer VLANs, add slots/ports, and
add the IP addresses and network masks.

Procedure
1. Enter Loopback Interface Configuration mode:
enable
configure terminal
interface Loopback <1-256>
2. Configure a CLIP interface to use as the source address for SPBM IP shortcuts:
ip address [<1-256>] <A.B.C.D/X>
3. Exit the Loopback Interface Configuration mode to Global Configuration mode:
exit
4. Log on to IS-IS Router Configuration mode:
router isis
5. Specify the CLIP interface as the source address for SPBM IP shortcuts:
ip-source-address <A.B.C.D>
6. Configure SPBM IP shortcuts:
spbm <1–100> ip enable
7. Display the status of SPBM IP shortcuts on the switch:
show isis spbm

8. Identify routes on the local switch to be announced into the SPBM network:
redistribute {bgp | direct | ospf | rip | static}
9. Enable routes to be announced into the SPBM network:
redistribute {bgp | direct | ospf | rip | static} enable
10. If you want to delete the configuration, use the no option:
no redistribute {bgp | direct | ospf | rip | static}
no redistribute {bgp | direct | ospf | rip | static} enable
11. Exit to Global Configuration mode:
exit
12. Apply the configured redistribution:
isis apply redistribute {bgp | direct | ospf | rip | static | vrf
WORD<1-16>}

Example

Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface loopback 1
Switch:1(config-if)# ip address 192.0.2.2/8
Switch:1(config-if)# exit
Switch:1(config)# router isis
Switch:1(config-isis)# ip-source-address 192.0.2.2
Switch:1(config-isis)# spbm 1 ip enable
Switch:1(config-isis)# show isis spbm

================================================================================
ISIS SPBM Info
================================================================================
SPBM      B-VID      PRIMARY  NICK     LSDB     IP      IPV6    MULTICAST
INSTANCE             VLAN     NAME     TRAP
--------------------------------------------------------------------------------
1         4086-4087  4086     3.03.01  disable  enable  enable  disable

================================================================================
ISIS SPBM SMLT Info
================================================================================
SPBM      SMLT-SPLIT-BEB  SMLT-VIRTUAL-BMAC  SMLT-PEER-SYSTEM-ID
INSTANCE
--------------------------------------------------------------------------------
1         primary         00:00:03:03:03:03  0000.0303.0302

--------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------

Switch:1(config-isis)# redistribute rip
Switch:1(config-isis)# redistribute rip enable
Switch:1(config-isis)# exit
Switch:1(config)# isis apply redistribute rip

Variable definitions

The following table defines parameters for the ip address command.

Variable Value
<1–256>
    Specifies an interface ID value. This value is optional.
<A.B.C.D/X>
    Specifies an IP address and subnet mask. Use the no option to delete the specified IP address.
<A.B.C.D>
    Specifies an IP address. Use the no option to delete the specified IP address.

The following table defines parameters for the ip-source-address command.

Variable Value
<A.B.C.D>
    Specifies the CLIP interface to use as the source address for SPBM IP shortcuts.

The following table defines parameters for the spbm command.

Variable Value
<1–100> ip enable
    Enables or disables SPBM IP shortcut state. The default is disabled. Use the no or default options to disable SPBM IP shortcuts.

The following table defines parameters for the redistribute command.

Variable Value
{bgp | direct | ospf | rip | static}
    Specifies the protocol.
enable
    Enables the redistribution of the specified protocol into the SPBM network. The default is disabled. Use the no option to disable the redistribution.
metric <0–65535>
    Configures the metric (cost) to apply to redistributed routes. The default is 1.
metric-type {external|internal}
    Configures the type of route to import into the protocol. The default is internal.
route-map WORD<0–64>
    Configures the route policy to apply to redistributed routes. Type a name between 0 and 64 characters in length.
subnets {allow|suppress}
    Indicates whether the subnets are advertised individually or aggregated to their classful subnet. Choose suppress to advertise subnets aggregated to their classful subnet. Choose allow to advertise the subnets individually with the learned or configured mask of the subnet. The default is allow.

The following table defines parameters for the isis apply redistribute command.

Variable Value
{bgp | direct | ospf | rip | static}
    Specifies the protocol.

Configure SPBM IPv6 Shortcuts

Important
You must enable IPv4 Shortcuts before you enable IPv6 Shortcuts because IPv6 Shortcuts
depend on IPv4 Shortcuts for some functions.

Configuring IPv6 Shortcuts is essentially the same as the IPv4 procedure except you use the following
IPv6 commands instead of their IPv4 equivalents:
• Use ipv6 interface address to create a CLIPv6 interface with an IPv6 address.
• Use ipv6 ipv6-source-address to specify the CLIPv6 interface as the source address for IPv6
Shortcuts.
• Use spbm ipv6 enable to enable IPv6 Shortcuts.
• Use ipv6 redistribute {bgp | direct | isis | rip | ospf | static}
enable to control the redistribution of GRT IPv6 routes into the SPBM IS-IS domain.
• Use ipv6 route preference protocol spbm-level1 to change route preference values
for IPv6 Shortcut routes learned through IS-IS.

To enable IPv6 Shortcuts on the BEBs, you must configure a circuitless IPv6 (CLIPv6) address (loopback
address), and specify this address as the IS-IS source address. This source address is automatically
advertised into IS-IS using TLV 236. In addition, to advertise routes from the BEBs into the SPBM
network, you must enable route redistribution of direct and static routes into IS-IS.

Note
The loopback address on each switch or BEB must be in a different subnet to ensure
connectivity between them. To do this, use a 32-bit mask with the CLIP address, and use a
prefix length of 128 for the CLIPv6 address.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.

• Before redistributing routes into IS-IS, you must create the Customer VLANs, add slots/ports, and
add the IPv6 addresses and network masks.

Procedure
1. Enter Loopback Interface Configuration mode:
enable
configure terminal
interface Loopback <1-256>
2. Configure a CLIPv6 interface to use as the source address for SPBM IPv6 Shortcuts:
ipv6 interface address WORD<0-255>
3. Exit the Loopback Interface Configuration mode to Global Configuration mode:
exit
4. Log on to IS-IS Router Configuration mode:
router isis
5. Specify the CLIPv6 interface as the source address for SPBM IPv6 Shortcuts:
ipv6-source-address WORD<0-46>
6. Enable SPBM IPv6 Shortcuts:
spbm <1–100> ipv6 enable
7. Display the status of SPBM IPv6 Shortcuts on the switch:
show isis spbm
8. Identify IPv6 routes on the local switch to be announced into the SPBM network:
ipv6 redistribute {bgp | direct | ospf | rip | static}
9. Enable the IPv6 routes to be announced into the SPBM network:
ipv6 redistribute {bgp | direct | ospf | rip | static} enable
10. Exit to Global Configuration mode:
exit
11. (Optional) Change route preference values for IPv6 Shortcut routes learned through IS-IS:
ipv6 route preference protocol spbm-level1 <0–255>
12. Apply the configured redistribution:
ipv6 isis apply redistribute {bgp | direct | ospf | rip | static} [vrf WORD<1-16>]

Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface loopback 123
Switch:1(config-if)#ipv6 interface address 123::1/128
Switch:1(config-if)#exit
Switch:1(config)#router isis
Switch:1(config-isis)#ipv6 ipv6-source-address <non-link-local ipv6-address>
Switch:1(config-isis)#spbm 1 ipv6 enable
Switch:1(config-isis)#show isis spbm
==============================================================================================================
SPBM B-VID PRIMARY NICK LSDB IP IPV6 MULTICAST SPB-PIM-GW STP-MULTI
INSTANCE VLAN NAME TRAP HOMING
--------------------------------------------------------------------------------------------------------------
1 10 1.11.16 disable disable disable disable disable enable

==============================================================================================================
ISIS SPBM SMLT Info
==============================================================================================================
SPBM SMLT-SPLIT-BEB SMLT-VIRTUAL-BMAC SMLT-PEER-SYSTEM-ID
INSTANCE
--------------------------------------------------------------------------------------------------------------
1 primary 00:00:00:00:00:00

--------------------------------------------------------------------------------------------------------------
Total Num of SPBM instances: 1
--------------------------------------------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the IPv6 Shortcuts commands.

Variable Value
ipv6-source-address WORD<0-46>
    Specifies the source IPv6 address for locally generated IPv6 packets whose egress port is an SPBM NNI port. The WORD<0-46> value must be a locally configured loopback IPv6 address (CLIPv6). Use the no option to delete the specified IPv6 address.
spbm <1–100> ipv6 enable
    Enables or disables SPBM IPv6 Shortcuts. The default is disabled. Use the no or default options to disable SPBM IPv6 Shortcuts.
ipv6 route preference protocol spbm-level1 <0–255>
    Sets the route preference value for IPv6 Shortcut routes learned through IS-IS. The default preference is 7.
ipv6 redistribute {bgp | direct | static | ospf | rip} enable
    Specifies the GRT IPv6 route that you want to redistribute into the SPBM IS-IS domain. The default is disabled. Use the no option to disable the redistribution.

Configuring inter-VRF IPv4 Accept Policies on VRFs


Configure IS-IS accept policies on a VRF to use inter-VRF accept policies in the SPB cloud. You can use
IS-IS accept policies to redistribute routes between different VRFs, including the global routing table
(GRT). First you apply the filter, and then you match the filter based on the I-SID, which represents the
Layer 3 VSN context.

Note
• The isis apply accept [vrf WORD<1-16>] command can disrupt traffic and
cause temporary traffic loss. After you apply isis apply accept [vrf WORD<1-16>], the
command reapplies the accept policies, which deletes all of the IS-IS routes, and adds the
IS-IS routes again. You should make all the relevant accept policy changes, and then apply
isis apply accept [vrf WORD<1-16>] at the end.
• If you use the accept command for inter-VRF routes based on the remote I-SID, the
device only accepts routes coming from remote BEBs. For instance, if a local Layer 3 VSN
exists with the same I-SID, the device does not add the local routes. The assumption is
that the device uses existing methods, either through use of another protocol or static
configuration, to obtain those routes.
• If the route policy changes, you must reapply the IS-IS accept policy, unless it was the last
sequence in the configuration.


Before You Begin


• Enable IS-IS globally.
• Ensure that a route policy exists.
• Ensure that the VRFs exist.
• You must configure a route-map to apply.

Procedure
1. Enter VRF Router Configuration mode for a specific VRF context:
enable
configure terminal
router vrf WORD<1-16>


2. (Optional) If you want to accept routes from a variety of I-SIDs, create an I-SID list before you create
an IS-IS accept policy for the I-SID list:
ip isid-list WORD<1–32> [<0–16777215>][list WORD<1–1024>]

Note
When creating an I-SID list, you can add I-SID entries until the maximum limit for
supported Layer 3 I-SIDs is reached. The system truncates any additional I-SID entries.
The maximum limit includes the I-SIDs for locally configured Layer 3 VSNs and the I-SIDs
specified for IS-IS accept policy filters.
Use the command show ip isid-list vrf WORD<1-16> to view the list of
truncated I-SIDs.

3. Create an IS-IS accept policy instance to apply to routes from all Backbone Edge Bridges (BEBs):
isis accept [i-sid <0-16777215>][isid-list WORD<1-32>]
4. Create an IS-IS accept policy instance to apply to routes for a specific BEB:
isis accept [adv-rtr <x.xx.xx>][i-sid <0-16777215>][isid-list
WORD<1-32>]
5. (Optional) Delete an IS-IS accept policy instance:
no isis accept [adv-rtr <x.xx.xx>][i-sid <0-16777215>][isid-list
WORD<1-32>]
6. Specify an IS-IS route policy to apply to routes from all BEBs:
isis accept route-map WORD<1–64>
7. Specify an IS-IS route policy to apply for a specific BEB:
isis accept adv-rtr <x.xx.xx> route-map WORD<1–64>
8. (Optional) Delete an IS-IS route policy:
no isis accept [adv-rtr <x.xx.xx>] [route-map]
9. Enable a configured IS-IS accept policy instance:
isis accept [adv-rtr <x.xx.xx>][i-sid <0-16777215>][isid-list
WORD<1-32>] [enable]
10. (Optional) Disable a configured IS-IS accept policy instance:
no isis accept [adv-rtr <x.xx.xx>][i-sid <0-16777215>][isid-list
WORD<1-32>] [enable]

11. Exit VRF Router Configuration mode:
exit
You are in Global Configuration mode.
12. Apply the IS-IS accept policy changes, which removes and re-adds all routes with updated filters:
isis apply accept [vrf WORD<1–16>]

Example

Configure Inter-VRF accept policies on a VRF:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf green
Switch:1(router-vrf)#isis accept i-sid 100
Switch:1(router-vrf)#isis accept i-sid 100 enable
Switch:1(router-vrf)#exit
Switch:1(config)#isis apply accept vrf green

Variable definitions

The following table defines parameters for the ip isid-list command.

Variable Value
WORD<1-32>
    Creates a name for your I-SID list.
<0-16777215>
    Specifies an I-SID value.
list WORD<1-1024>
    Specifies a list of I-SID values. For example, in the format 1,3,5,8-10.

The following table defines parameters for the isis accept command.

Variable Value
adv-rtr <x.xx.xx>
    Specifies the advertising BEB whose routes the IS-IS accept policy applies to. x.xx.xx specifies an SPBM nickname.
    The system uses the default global filter unless a filter for a specific advertising BEB exists, in which case the system applies a more specific filter.
    The system requires an explicit filter to redistribute routes from a particular VSN. If the default global filter or the filter for a specific advertising BEB does not exist, the system does not redistribute the routes from the remote VSN.
enable
    Enables the IS-IS accept policy.
i-sid <0-16777215>
    Configures the I-SID to which the IS-IS accept policy applies. An I-SID value of 0 represents the global routing table (GRT).
isid-list WORD<1-32>
    Configures a list of I-SIDs to which the IS-IS accept policy applies. An I-SID value of 0 represents the global routing table (GRT).
route-map WORD<1-64>
    Specifies a route policy. You must configure a route policy earlier in a separate procedure.


The following table defines parameters for the isis apply accept command.

Variable Value
vrf WORD<1-16>
    Specifies a specific VRF instance.

Configuring Inter-VRF IPv6 Accept Policies on VRFs


Configure IPv6 IS-IS accept policies on a VRF to use inter-VRF accept policies in the SPB cloud. You can
use IPv6 IS-IS accept policies to redistribute routes between different VRFs, including the global routing
table (GRT). First you apply the filter, and then you match the filter based on the I-SID, which represents
the Layer 3 VSN context.

Note
• The ipv6 isis apply accept [vrf WORD<1-16>] command can disrupt
traffic and cause temporary traffic loss. After you apply ipv6 isis apply accept
[vrf WORD<1-16>], the command reapplies the accept policies, which deletes all of the IS-IS
routes, and adds the IS-IS routes again. You should make all the relevant accept policy
changes, and then apply ipv6 isis apply accept [vrf WORD<1-16>] at the
end.
• If you use the ipv6 accept command for inter-VRF routes based on the remote I-SID,
the device accepts routes from other local VRFs to the current VRF. Therefore, if the
accepted I-SID is configured on the local BEB, the device accepts its own IPv6 routes
advertised under the accepted I-SID.
• If the route policy changes, you must reapply the IPv6 IS-IS accept policy, unless it was the
last sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Configure IPv6 Shortcuts. For more information, see Configure SPBM IPv6 Shortcuts on page 1366.
• You must configure IPv6 IPVPN.
• Ensure that a route policy exists.
• Ensure that the VRFs exist.
• You must configure a route-map.

Procedure

1. Enter VRF Router Configuration mode for a specific VRF context:
enable
configure terminal
router vrf WORD<1-16>

2. (Optional) If you want to accept routes from a variety of I-SIDs, create an I-SID list before you create
an IPv6 IS-IS accept policy for the I-SID list:
ip isid-list WORD<1–32> {<0–16777215> | list WORD<1–1024>}

Note
When creating an I-SID list, you can add I-SID entries until the maximum limit for
supported Layer 3 I-SIDs is reached. The system truncates any additional I-SID entries.
The maximum limit includes the I-SIDs for locally configured Layer 3 VSNs and the I-SIDs
specified for IS-IS accept policy filters.
Use the command show ip isid-list vrf WORD<1-16> to view the list of
truncated I-SIDs.

3. Configure an IPv6 IS-IS accept policy instance with a route policy.
Use one of the following options:
a. Configure an IPv6 IS-IS accept policy based on a specific advertising BEB:
ipv6 isis accept adv-rtr <x.xx.xx> [enable][i-sid <0-16777215>] [isid-list WORD<1-32>] [route-map WORD<1–64>]
b. Configure an IPv6 IS-IS accept policy based on a particular I-SID:
ipv6 isis accept i-sid <0-16777215> [enable] [route-map WORD<1–64>]
c. Configure an IPv6 IS-IS accept policy based on a particular I-SID list:
ipv6 isis accept isid-list WORD<1-32> [enable] [route-map WORD<1–64>]
4. Enable the configured IPv6 IS-IS accept policies:
ipv6 isis accept [adv-rtr <x.xx.xx>] [i-sid <0-16777215>] [isid-list
WORD<1-32>] enable
5. Exit to Global Configuration mode:
exit
6. Apply the IPv6 IS-IS accept policy changes, which removes and re-adds all routes with updated
filters:
ipv6 isis apply accept [vrf WORD<1–16>]

Example

Configure Inter-VRF accept policies on a VRF:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf red
Switch:1(router-vrf)#ipv6 isis accept i-sid 100 enable
Switch:1(router-vrf)#exit
Switch:1(config)#ipv6 isis apply accept vrf red


Variable Definitions

The following table defines parameters for the ip isid-list command.

Note
The I-SID lists created can be associated with both IPv4 and IPv6 routes.

Variable Value
WORD<1-32>
    Creates a name for your I-SID list.
<0-16777215>
    Specifies an I-SID value.
list WORD<1-1024>
    Specifies a list of I-SID values. For example, in the format 1,3,5,8-10.

The following table defines parameters for the ipv6 isis accept command.

Variable Value
adv-rtr <x.xx.xx>
    Specifies the SPBM nickname for each advertising BEB to allow you to apply the IPv6 IS-IS accept policy to routes for a specific advertising BEB. The system first uses the default filter, but if a more specific filter for a specific advertising BEB is present the device applies the specific filter.
    Note: An IPv6 IS-IS accept policy that specifies the adv-rtr without an I-SID or I-SID list will filter routes coming from the I-SID on which the policy is configured and from the specified BEB.
enable
    Enables an IPv6 IS-IS accept policy.
i-sid <0-16777215>
    Specifies an I-SID number to represent a local or remote Layer 3 VSN to which the IPv6 IS-IS accept policy applies.
    Use the parameter to apply a filter for routes from specific I-SIDs that represent the remote VSN. Based on the routing policy the system applies, the system can redistribute the remote VSN to the VSN where you applied the filter.
    An I-SID value of 0 represents the global routing table (GRT).
isid-list WORD<1-32>
    Specifies the I-SID list name that represents the local or remote Layer 3 VSNs to which the IPv6 IS-IS accept policy applies.
    Use the parameter to apply a default filter for all routes from specific I-SIDs that represent the remote VSN. Based on the routing policy the system applies, the system redistributes the remote VSN to the VSN where you applied the filter.
    An I-SID value of 0 represents the global routing table (GRT).
route-map WORD<1-64>
    Specifies a route policy. You must configure a route policy earlier in a separate procedure.

The following table defines parameters for the ipv6 isis apply accept command.

Variable Value
vrf WORD<1-16>
    Specifies a specific VRF instance.


Configuring IS-IS Accept Policies


Use the following procedure to create and enable IS-IS accept policies to apply to routes from all
Backbone Edge Bridges (BEBs) or to all routes from a specific BEB.

Use IS-IS accept policies to filter incoming IS-IS routes the device receives over the SPBM cloud. Accept
policies apply to incoming traffic and determine whether to add the route to the routing table.

If DvR is enabled on your switch, and the switch is either a DvR Controller or a non-DvR BEB within the
domain, you can configure IS-IS accept policies to accept specific host routes from the DvR backbone.
For information on DvR, see Distributed Virtual Routing on page 688.

IS-IS accept policies are disabled by default.

Note
• The isis apply accept [vrf WORD<1-16>] command can disrupt traffic and
cause temporary traffic loss. After you apply isis apply accept [vrf WORD<1-16>],
the command reapplies the accept policies, which deletes all of the IS-IS routes, and adds
the IS-IS routes again. You should make all the relevant accept policy changes, and then
apply isis apply accept [vrf WORD<1-16>] at the end.
• If the route policy changes, you must reapply the IS-IS accept policy, unless the IS-IS
accept policy was the last sequence in the configuration.
• The isis apply accept [vrf WORD<1-16>] command is not saved in the
configuration file. If you use a saved configuration file for IS-IS accept policy configuration,
you must apply the isis apply accept [vrf WORD<1-16>] command at the end.
• The number of unique Layer 3 VSN I-SIDs used on a BEB is limited to the number of VRFs
supported on the switch. This includes the I-SID values used for Layer 3 VSNs and the
I-SID values specified for the IS-IS accept policy filters, which can be configured using the
ip isid-list [ISID#], accept i-sid <value>, or accept adv-rtr <isis
nn> i-sid <value> commands.

The switch supports 24 VRFs by default, so, in a default configuration, you cannot create
an ip isid-list or accept policy with more than 24 unique I-SID entries. However, the
configured VRFs take up an entry, so the formula to calculate the limit is: [24 VRF Limit
– (currently configured VRFs)]. This gives the number of unique I-SIDs that can be used
directly in the IS-IS accept policy filters, which you implement with the ip isid-list
or accept policy command. The I-SIDs used for Layer 3 VSNs can be reused in IS-IS
accept policy filters without affecting the limit.

If you increase the VRF scaling, you can create more Layer 3 VSNs. For more information
about how to increase the number of supported VRFs, see Configure the Maximum
Number of VRFs on page 3846. The maximum number of supported VRFs and Layer 3
VSNs differs depending on the hardware platform. For more information about maximum
scaling numbers, see VOSS Release Notes.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.


• You must configure a route-map to apply.


• Ensure that DvR is enabled on the switch before you configure an IS-IS accept policy with a
backbone route policy, to accept host routes from the DvR backbone.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. (Optional) If you want to accept routes from a variety of I-SIDs, create an I-SID list before you create
an IS-IS accept policy for the I-SID list:
ip isid-list WORD<1–32> [<1–16777215>][list WORD<1–1024>]

Note
When creating an I-SID list, you can add I-SID entries until the maximum limit for
supported Layer 3 I-SIDs is reached. The system truncates any additional I-SID entries.
The maximum limit includes the I-SIDs for locally configured Layer 3 VSNs and the I-SIDs
specified for IS-IS accept policy filters.
Use the command show ip isid-list vrf WORD<1-16> to view the list of
truncated I-SIDs.

3. (Optional) Delete an I-SID list:


no ip isid-list WORD<1–32> [<1–16777215>][list WORD<1–1024>]

Note
When deleting an I-SID list, ensure that the I-SID list is not associated with an IS-IS accept
policy. Otherwise the deletion fails. An I-SID list associated with an accept policy cannot be
deleted because it must contain at least one constituent I-SID.

4. Enter IS-IS Router Configuration mode:


enable

configure terminal

router isis
Configure IS-IS accept policies with a route policy or a backbone route policy or a combination of both,
to determine which routes the IS-IS accept policy applies to.

Configure one of the following types of IS-IS accept policies.


• An IS-IS accept policy with only the route policy:

The IS-IS routes are selectively accepted based on the route policy. Since the backbone route policy
is not configured, all host routes from the DvR backbone are denied.

If you do not configure a route policy, by default, all IS-IS routes are accepted.
• An IS-IS accept policy with only the backbone route policy:

The DvR host routes from the DvR backbone are selectively accepted based on the backbone route
policy. Since the route policy is not configured, all IS-IS host routes are accepted.


If you do not configure a backbone route policy, all host routes from the DvR backbone are denied.
• An IS-IS accept policy with both route policy and backbone route policy:

IS-IS routes are selectively accepted based on the route policy and host routes from the DvR
backbone are selectively accepted based on the backbone route policy.
5. Configure an IS-IS accept policy instance with a route policy.
Use one of the following options:
a. Create an IS-IS accept policy instance to apply to all BEBs for a specific I-SID or I-SID list:
accept [i-sid <1-16777215>][isid-list WORD <1-32>]
b. Create an IS-IS accept policy instance to apply to a specific advertising BEB:
accept adv-rtr <x.xx.xx> [i-sid <1-16777215>][isid-list WORD <1-32>]
c. (Optional) Delete an IS-IS accept policy instance:
no accept [adv-rtr <x.xx.xx>][i-sid <1-16777215>][isid-list WORD <1-32>]
d. Specify an IS-IS route policy to apply to routes from all BEBs:
accept route-map WORD<1–64>
e. Specify an IS-IS route policy to apply to a specific advertising BEB:
accept adv-rtr <x.xx.xx>[route-map WORD<1–64>]
f. (Optional) Delete an IS-IS route policy:
no accept [adv-rtr <x.xx.xx>] [route-map]
g. Enable an IS-IS route accept instance:
accept [adv-rtr <x.xx.xx>][enable][i-sid <1-16777215>][isid-list WORD<1-32>]
h. (Optional) Disable an IS-IS route accept instance:
no accept [adv-rtr <x.xx.xx>][enable][i-sid <1-16777215>][isid-list WORD<1-32>]
6. Configure an IS-IS accept policy instance with a backbone route policy to accept host routes from
the DvR backbone:

Note
IS-IS accept policies typically apply to all IS-IS routes. However, to accept DvR host routes
from the DvR backbone, you must explicitly configure the IS-IS accept policy with a
backbone route policy.

Use one of the following options:


a. Create the default IS-IS accept policy instance to accept host routes from the DvR backbone:
accept backbone-route-map WORD <1-64>
b. (Optional) Delete the default IS-IS accept policy instance with backbone route policy
configuration:
no accept backbone-route-map
c. Create an IS-IS accept policy instance to accept host routes from the DvR backbone, and apply
to all BEBs for a specific I-SID or I-SID list:
accept [i-sid <1-16777215>][isid-list WORD <1-32>] backbone-route-map WORD<1-64>


d. (Optional) Delete an IS-IS accept policy instance with backbone route policy configuration, which
applies to all BEBs for a specific I-SID or I-SID list:
no accept [i-sid <1-16777215>][isid-list WORD <1-32>] backbone-route-map
e. Create an IS-IS accept policy instance to accept host routes from the DvR backbone and apply to
a specific advertising BEB:
accept adv-rtr <x.xx.xx> backbone-route-map WORD <1-64>
f. (Optional) Delete an IS-IS accept policy instance with backbone route policy configuration, which
applies to a specific advertising BEB:
no accept adv-rtr <x.xx.xx> backbone-route-map
7. Configure an IS-IS accept policy with both route policy and backbone route policy, to selectively
accept IS-IS routes as well as host routes from the DvR backbone.
a. Create the default IS-IS accept policy instance with a route policy to accept IS-IS routes and a
backbone route policy to accept host routes from the DvR backbone:
accept route-map WORD<1–32> backbone-route-map WORD <1-64>
b. (Optional) Delete the default IS-IS accept policy with route policy and backbone route policy
configuration:
no accept route-map backbone-route-map
c. Create an accept policy instance to selectively accept IS-IS routes and host routes from the DvR
backbone, and apply to all BEBs for a specific I-SID or I-SID list:
accept [i-sid <1-16777215>][isid-list WORD <1-32>] route-map WORD<1–32> backbone-route-map WORD<1-64>
d. (Optional) Delete an accept policy instance with route policy and backbone route policy
configuration, which applies to all BEBs for a specific I-SID or I-SID list:
no accept [i-sid <1-16777215>][isid-list WORD <1-32>] route-map backbone-route-map
e. Create an IS-IS accept policy instance to selectively accept IS-IS routes and host routes from the
DvR backbone, and apply to a specific advertising BEB:
accept adv-rtr <x.xx.xx> route-map WORD<1–32> backbone-route-map WORD <1-64>
f. (Optional) Delete an IS-IS accept policy instance with route policy and backbone route policy
configuration, which applies to a specific advertising BEB:
no accept adv-rtr <x.xx.xx> route-map backbone-route-map
8. Apply the IS-IS accept policy changes, which removes and re-adds all routes with updated filters:
isis apply accept [vrf WORD <1–16>]
9. Exit IS-IS Router Configuration mode:
exit

You are in Global Configuration mode.

Example

Configure an I-SID based IS-IS accept policy with the route policy test:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.


Switch:1(config)#route-map test 1
Switch:1(route-map)#enable
Switch:1(route-map)#exit

Switch:1(config)#router isis
Switch:1(config-isis)#accept i-sid 101
Switch:1(config-isis)#accept i-sid 101 route-map test
Switch:1(config-isis)#accept i-sid 101 enable
Switch:1(config-isis)#exit
Switch:1(config)#isis apply accept

The following examples show the configuration of an IS-IS accept policy to accept host routes from the
DvR backbone.

Example 1:

To accept host routes from the DvR backbone, you must configure a backbone route policy and apply it
to the IS-IS accept policy.

1. Configure a route policy for DvR:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#route-map dvrmap1 1
Switch:1(route-map)#enable

2. Configure an IS-IS accept policy for I-SID 10, and apply the route policy as a backbone route policy:
Switch:1(route-map)#exit
Switch:1(config)#router isis
Switch:1(config-isis)#accept i-sid 10 backbone-route-map dvrmap1
Switch:1(config-isis)#accept i-sid 10 enable
Switch:1(config-isis)#exit

OR

Configure the default accept policy for IS-IS and DvR, and apply the route policy as a backbone
route policy:
Switch:1(config)#route-map isismap1 1
Switch:1(route-map)#enable
Switch:1(route-map)#exit
Switch:1(config)#router isis
Switch:1(config-isis)#accept route-map isismap1 backbone-route-map dvrmap1

3. Apply the IS-IS accept policy:


Switch:1(config-isis)#exit
Switch:1(config)#isis apply accept
Switch:1(config)#exit

4. Verify the configuration:


Switch:1#show ip isis accept

==================================================================================
Isis Accept - GlobalRouter
==================================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
-----------------------------------------------------------------------------------
- 10 - TRUE dvrmap1


- - - isismap1 dvrmap1

2 out of 2 Total Num of Isis Accept Policies displayed

Example 2:

Configure an IS-IS accept policy for I-SID 10 that accepts DvR host routes in a subnet, for example,
subnet 126.1.1.0/24.

1. Configure an IP prefix list:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ip prefix-list listPrefix 126.1.1.0/24

2. Create the route policy dvrmap2 to match the IP prefix list:


Switch:1(config)#route-map dvrmap2 1
Switch:1(route-map)#match network listPrefix
Switch:1(route-map)#enable

3. Create an IS-IS accept policy with I-SID 10 and apply the route policy as a backbone route policy:
Switch:1(route-map)#exit
Switch:1(config)#router isis
Switch:1(config-isis)#accept i-sid 10 backbone-route-map dvrmap2
Switch:1(config-isis)#accept i-sid 10 enable

4. Apply the IS-IS accept policy:


Switch:1(config-isis)#exit
Switch:1(config)#isis apply accept

The above command causes IS-IS to accept all routes with I-SID 10. To deny IS-IS routes and accept
only DvR host routes, you can configure an additional IS-IS route policy as follows:
Switch:1(config)#route-map isismap2 1
Switch:1(route-map)#no permit
Switch:1(route-map)#enable

Switch:1(route-map)#exit
Switch:1(config)#router isis
Switch:1(config-isis)#accept i-sid 10 route-map isismap2 backbone-route-map dvrmap2
Switch:1(config-isis)#accept i-sid 10 enable
Switch:1(config-isis)#exit
Switch:1(config)#isis apply accept

5. Verify the configuration:


Switch:1(config)#exit
Switch:1#show ip isis accept

==================================================================================
Isis Accept - GlobalRouter
==================================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
-----------------------------------------------------------------------------------
- 10 - TRUE isismap2 dvrmap2

1 out of 1 Total Num of Isis Accept Policies displayed

The following examples show the configuration of IS-IS accept policies for a specific VRF instance.


Example 1:

Configure IS-IS accept policies to accept host routes from the DvR backbone, for a specific VRF
instance.

1. In the VRF green context, configure the route policy dvrmap3 for DvR:
Switch:1(config)#router vrf green
Switch:1(router-vrf)#route-map dvrmap3 1
Switch:1(router-vrf-routemap)#enable

2. Use one of the following options to configure an IS-IS accept policy, and apply the route policy as a
backbone route policy:

Configure an IS-IS accept policy for a specific advertising BEB with nickname 1.11.11:
Switch:1(router-vrf-routemap)#isis accept adv-rtr 1.11.11 backbone-route-map dvrmap3
Switch:1(router-vrf-routemap)#exit
Switch:1(router-vrf)#isis accept adv-rtr 1.11.11 enable
Switch:1(router-vrf)#show ip isis accept vrf green

==================================================================================
Isis Accept - VRF green
==================================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
----------------------------------------------------------------------------------
1.11.11 - - TRUE dvrmap3

1 out of 1 Total Num of Isis Accept Policies displayed


Switch:1(config)#show ip isis accept vrfids 2

==================================================================================
Isis Accept - VRF green
==================================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
----------------------------------------------------------------------------------
1.11.11 - - TRUE dvrmap3

1 out of 1 Total Num of Isis Accept Policies displayed

Configure an accept policy for I-SID 10:


Switch:1(router-vrf)#isis accept i-sid 10 backbone-route-map dvrmap3
Switch:1(router-vrf)#show ip isis accept vrf green

==================================================================================
Isis Accept - VRF green
==================================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
----------------------------------------------------------------------------------
- 10 - TRUE dvrmap3
1 out of 1 Total Num of Isis Accept Policies displayed

Configure an accept policy for the I-SID list listisids:


Switch:1(router-vrf)#isis accept isid-list listisids backbone-route-map dvrmap3
Switch:1(router-vrf)#show ip isis accept vrf green


==================================================================================
Isis Accept - VRF green
==================================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
----------------------------------------------------------------------------------
- 10 listisids TRUE dvrmap3
1 out of 1 Total Num of Isis Accept Policies displayed

Configure the default accept policy for IS-IS and DvR:


Switch:1(router-vrf)#route-map isismap3 1
Switch:1(router-vrf-routemap)#
Switch:1(router-vrf-routemap)#enable
Switch:1(router-vrf-routemap)#
Switch:1(router-vrf-routemap)#isis accept route-map isismap3 backbone-route-map dvrmap3
Switch:1(router-vrf)#
Switch:1(router-vrf)#show ip isis accept vrf green

==============================================================================
Isis Accept - VRF green
==============================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
------------------------------------------------------------------------------
- - - TRUE isismap3 dvrmap3

1 out of 1 Total Num of Isis Accept Policies displayed

Configure the default accept policy for DvR:


Switch:1(router-vrf)#isis accept backbone-route-map dvrmap3
Switch:1(router-vrf)#show ip isis accept vrf green

===============================================================================
Isis Accept - VRF green
===============================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
--------------------------------------------------------------------------------
- - - TRUE dvrmap3

1 out of 1 Total Num of Isis Accept Policies displayed

Example 2:

Configure an accept policy for I-SID 10 that accepts DvR host routes in a subnet, for example, subnet
126.1.1.0/24.

1. Configure an IP prefix list:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ip prefix-list listPrefix 126.1.1.0/24

2. For a specific VRF instance, create a route policy to match the IP prefix list:
Switch:1(config)#router vrf green
Switch:1(router-vrf)#route-map dvrmap4 1
Switch:1(router-vrf-routemap)#match network listPrefix


Switch:1(router-vrf-routemap)#enable
Switch:1(router-vrf-routemap)#exit
Switch:1(router-vrf)#

3. Create an IS-IS accept policy with I-SID 10, and apply the route policy as the backbone route policy:
Switch:1(router-vrf)#isis accept i-sid 10 backbone-route-map dvrmap4
Switch:1(router-vrf)#isis accept i-sid 10 enable

4. Apply the IS-IS accept policy:


Switch:1(router-vrf)#exit
Switch:1(config)#isis apply accept

5. Verify the configuration:


Switch:1(config)#exit
Switch:1#show ip isis accept vrf green

===============================================================================
Isis Accept - VRF green
===============================================================================

ADV_RTR I-SID ISID-LIST ENABLE POLICY BACKBONE
                                      POLICY
--------------------------------------------------------------------------------
- - - TRUE dvrmap4

1 out of 1 Total Num of Isis Accept Policies displayed

Variable definitions

The following table defines parameters for the ip isid-list command.

Variable Value
WORD<1-32> Creates a name for your I-SID list.
<1-16777215> Specifies an I-SID number.
list WORD<1-1024> Specifies a list of I-SID values. For example, in the format 1,3,5,8-10.

The following table defines parameters for the accept command.

Variable Value
adv-rtr <x.xx.xx> Specifies the SPBM nickname for each advertising BEB to allow you to
apply the IS-IS accept policy to routes for a specific advertising BEB. The
system first uses the default filter, but if a more specific filter for a specific
advertising BEB is present the device applies the specific filter.
backbone-route-map WORD<1-64> Specifies the DvR backbone route map.
enable Enables an IS-IS accept policy.
i-sid <1-16777215> Specifies an I-SID number to represent a local or remote Layer 3 VSN to
which the IS-IS accept policy applies.
Use the parameter to apply a filter for routes from specific I-SIDs that
represent the remote VSN. Based on the routing policy the system applies,
the system can redistribute the remote VSN to the VSN where you applied
the filter.
An I-SID value of 0 represents the global routing table (GRT).
isid-list WORD<1-32> Specifies the I-SID list name that represents the local or remote Layer 3
VSNs to which the IS-IS accept policy applies.
Use the parameter to apply a default filter for all routes from specific I-SIDs
that represent the remote VSN. Based on the routing policy the system
applies, the system redistributes the remote VSN to the VSN where you
applied the filter.
An I-SID value of 0 represents the global routing table (GRT).
route-map WORD<1-64> Specifies a route policy by name.
You must configure the route policy earlier in a separate procedure.

The following table defines parameters for the isis apply accept command.

Variable Value
vrf WORD<1-16> Specifies a specific VRF instance.

View IS-IS Accept Policy Information


Use the following procedure to view IS-IS accept policy information on the switch.

Procedure
1. Display IS-IS accept policy information:
show ip isis accept [vrf WORD<1–16>][vrfids WORD<0–512>]
2. Display I-SID list information:
show ip isid-list [vrf WORD<1–16>][vrfids WORD<0–512>][WORD<1–32>]
3. Display route information:
show ip route [vrf WORD<1–16>]

The NH VRF/ISID column displays the I-SID for inter-Virtual Services Network (VSN) routes
redistributed with IS-IS accept policies, only if the I-SID redistributed does not have an IP VSN
associated with it. If an IP VSN exists for that I-SID, the VRF name displays. If the I-SID is 0, the
column displays GlobalRouter.

The existing IS-IS routes for Layer 3 VSNs continue to display as the VRF name of the IP VSN.
4. Display the SPBM IP unicast Forwarding Information Base (FIB):
show isis spbm ip-unicast-fib [all] [id <1–16777215>][spbm-nh-as-mac]
[home|remote]

Example

View IS-IS accept policy information:


Switch:1#show ip route vrf test
============================================================================
IP Route - VRF test
============================================================================
NH INTER
DST MASK NEXT VRF/ISID COST FACE PROT AGE TYPE PRF
----------------------------------------------------------------------------
1.1.1.5 255.255.255.255 1.1.1.5 GlobalRouter 0 0 ISIS 0 IB 200
1.1.1.13 255.255.255.255 Switch13 GRT 10 1000 ISIS 0 IBSV 7
1.1.1.200 255.255.255.255 Switch200 GRT 10 1000 ISIS 0 IBSV 7
5.7.1.0 255.255.255.0 5.7.1.1 - 1 7 LOC 0 DB 0
13.7.1.0 255.255.255.0 Switch13 GlobalRouter 10 1000 ISIS 0 IBSV 7


100.0.0.0 255.255.255.0 100.0.0.1 GlobalRouter 0 100 ISIS 0 IB 200


111.1.1.0 255.255.255.0 111.1.1.1 hub 0 111 ISIS 0 IB 200

Switch:1(config)#show isis spbm ip-unicast-fib


=========================================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
=========================================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE AREA AREA-NAME
---------------------------------------------------------------------------------------------------------
GRT - 101 1.1.1.13/32 Switch13 1000 1/7 10 44 7 HOME area-9.00.02
GRT - 101 1.1.1.13/32 Switch13 1001 1/7 10 44 7 HOME area-9.00.02
---------------------------------------------------------------------------------------------------------
Home : Total number of SPBM IP-UNICAST FIB entries 2
Remote: Total number of SPBM IP-UNICAST FIB entries 0
---------------------------------------------------------------------------------------------------------

Switch:1(config)#show ip isid-list test


================================================================================
IP ISID LIST
================================================================================
List Name I-SID VRF
--------------------------------------------------------------------------------
test 1 GlobalRouter
3 GlobalRouter
4 GlobalRouter
5 GlobalRouter
10 GlobalRouter
22 GlobalRouter

All 6 out of 6 Total Num of Isid Lists displayed

Switch:1(router-vrf)#show ip isid-list vrf red


================================================================================
IP ISID LIST red
================================================================================
List Name I-SID VRF
--------------------------------------------------------------------------------
test1 11 1
12 1
13 1
14 1
15 1

Variable Definitions

The following table defines parameters for the show ip isis accept command.

Variable Value
vrf WORD<1-16> Displays I-SID list information for a particular VRF by name.
vrfids WORD<0-512> Displays I-SID list information for a particular VRF ID.

The following table defines parameters for the show ip isid-list command.

Variable Value
vrf WORD<1-16> Displays I-SID list information for a particular VRF by name.
vrfids WORD<0-512> Displays I-SID list information for a particular VRF ID.
WORD<1-32> Displays I-SID list information for a particular I-SID list name.

The following table defines parameters for the show ip route command.

Variable Value
vrf WORD<1-16> Displays I-SID list information for a particular VRF by name.


The following table defines parameters for the show isis spbm ip-unicast-fib command.

Variable Value
all Displays all IS-IS SPBM IP unicast Forwarding Information Base (FIB) information.
home Displays the IS-IS SPBM IP unicast FIB information that the system configures in
the home area.
id <1-16777215> Displays IS-IS SPBM IP unicast FIB information by I-SID ID.
remote Displays the IS-IS SPBM IP unicast FIB information that the system configures in
the remote area.
spbm-nh-as-mac Displays the next hop B-MAC of the IP unicast FIB entry.

Configuring IPv6 IS-IS Accept Policies


Perform the following procedure to create and enable IPv6 IS-IS accept policies based on a particular
Backbone Edge Bridge (BEB), I-SID, or I-SID list. IPv6 IS-IS accept policies filter incoming IS-IS routes
that the device receives over the SPBM cloud. IPv6 IS-IS accept policies apply to incoming traffic and
determine whether to add the route to the routing table.


IPv6 IS-IS accept policies are disabled by default.

Note
• IPv6 IS-IS accept policies are not supported for DvR.
• The I-SID lists created can be associated with both IPv4 and IPv6 routes.
• The ipv6 isis apply accept [vrf WORD<1-16>] command can disrupt traffic
and cause temporary traffic loss. When you run ipv6 isis apply accept [vrf
WORD<1-16>], the command reapplies the accept policies, which deletes all of the IS-IS routes
and adds the IS-IS routes again. Make all the relevant accept policy changes first,
and then run ipv6 isis apply accept [vrf WORD<1-16>] at the end.
• If the route policy associated with an accept policy changes, you must reapply the IPv6
IS-IS accept policy, unless the IPv6 IS-IS accept policy was the last sequence in the
configuration.
• The ipv6 isis apply accept [vrf WORD<1-16>] command is not saved in
the configuration file. If you use a saved configuration file for IPv6 IS-IS accept policy
configuration, you must apply the ipv6 isis apply accept [vrf WORD<1-16>]
command at the end.

The number of unique Layer 3 VSN I-SIDs used on a BEB is limited to the number of VRFs
supported on the switch. This includes the I-SID values used for Layer 3 VSNs and the
I-SID values specified for the IPv6 IS-IS accept policy filters.

The switch supports 24 VRFs by default, so, in a default configuration, you cannot
create an I-SID list or accept policy with more than 24 unique I-SID entries. However,
the configured VRFs take up an entry, so the formula to calculate the limit is: [24 VRF
Limit – (currently configured VRFs)]. This gives the number of unique I-SIDs that can
be used directly in the IPv6 IS-IS accept policy filters, which you implement with the
ip isid-list or ipv6 accept command. The I-SIDs used for Layer 3 VSNs can be
reused in IPv6 IS-IS accept policy filters without affecting the limit.

If you increase the VRF scaling, you can create more Layer 3 VSNs. For more information
about how to increase the number of supported VRFs, see Configure the Maximum
Number of VRFs on page 3846. The maximum number of supported VRFs and Layer 3
VSNs differs depending on the hardware platform. For more information about maximum
scaling numbers, see VOSS Release Notes.
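The I-SID budget described in the IPv4 and IPv6 notes (VRF limit minus currently configured VRFs, with Layer 3 VSN I-SIDs reusable at no cost) can be checked offline before a change, so that no I-SID list entry is silently truncated. The following Python script is an added example, not part of the VOSS guide or the switch software; the function names, the sample configuration, and the inputs l3vsn_isids and configured_vrfs are assumptions, as is treating I-SID 0 (the GRT) as not consuming an entry.

```python
import re

DEFAULT_MAX_VRFS = 24               # default VRF limit stated in the guide
ISID_MIN, ISID_MAX = 1, 16777215    # range documented for ip isid-list

# Only command forms that appear in this guide are recognised.
_ISID_LIST_RE = re.compile(r"^ip isid-list (\S+)(?: (\d+))?(?: list (\S+))?$")
_ACCEPT_RE = re.compile(r"^(?:ipv6 )?(?:isis )?accept\b")
_ACCEPT_ISID_RE = re.compile(r"\bi-sid (\d+)\b")


def expand_isid_spec(spec):
    """Expand a list value such as '1,3,5,8-10' into [1, 3, 5, 8, 9, 10].

    Raises ValueError for empty items, reversed ranges, or out-of-range I-SIDs.
    """
    isids = []
    for part in spec.split(","):
        lo, sep, hi = part.partition("-")
        first = int(lo)
        last = int(hi) if sep else first
        if not (ISID_MIN <= first <= last <= ISID_MAX):
            raise ValueError(f"I-SID or range out of bounds: {part!r}")
        isids.extend(range(first, last + 1))
    return isids


def audit_accept_isids(config_text, l3vsn_isids, configured_vrfs,
                       max_vrfs=DEFAULT_MAX_VRFS):
    """Compare the unique filter I-SIDs in a configuration with the budget.

    l3vsn_isids: I-SIDs already used by local Layer 3 VSNs (caller-supplied
                 assumption); reusing them in a filter does not cost an entry.
    configured_vrfs: number of VRFs currently configured on the switch.
    """
    filter_isids = []
    seen = set(l3vsn_isids)
    has_accept = False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        # Assumption: input is a saved configuration, so "no ..." lines are ignored.
        if not line or line.startswith("no "):
            continue
        found = []
        m = _ISID_LIST_RE.match(line)
        if m:
            for spec in (m.group(2), m.group(3)):
                if spec:
                    found.extend(expand_isid_spec(spec))
        elif _ACCEPT_RE.match(line):
            has_accept = True
            m = _ACCEPT_ISID_RE.search(line)
            # Assumption: I-SID 0 (the GRT) does not consume an entry.
            if m and int(m.group(1)) != 0:
                found.extend(expand_isid_spec(m.group(1)))
        for isid in found:
            if isid not in seen:
                seen.add(isid)
                filter_isids.append(isid)
    budget = max(max_vrfs - configured_vrfs, 0)
    return {
        "filter_isids": filter_isids,                  # order of first appearance
        "budget": budget,                              # VRF limit - configured VRFs
        "over_by": max(len(filter_isids) - budget, 0), # entries at risk of truncation
        "needs_apply": has_accept,                     # apply command is never saved
    }


# Constructed sample configuration using only command forms shown in this guide.
SAMPLE_CONFIG = """
ip isid-list dmz-lists list 1,3,5,8-10
ip isid-list dmz-lists 22
router isis
  accept i-sid 101 route-map test
  accept i-sid 101 enable
  accept isid-list dmz-lists backbone-route-map dvrmap1
  accept adv-rtr 1.11.11 i-sid 3
exit
router vrf green
  isis accept i-sid 10 backbone-route-map dvrmap3
  ipv6 isis accept i-sid 0 route-map test
exit
"""

if __name__ == "__main__":
    report = audit_accept_isids(SAMPLE_CONFIG, l3vsn_isids={10, 101},
                                configured_vrfs=20)
    print(report)
    if report["over_by"]:
        print("I-SID entries over budget:", report["over_by"])
    if report["needs_apply"]:
        print("Run isis apply accept / ipv6 isis apply accept after loading.")
```

Because isis apply accept and ipv6 isis apply accept are not saved in the configuration file, needs_apply is true whenever the configuration contains an accept policy.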

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• Configure IPv6 Shortcuts. For more information, see Configure SPBM IPv6 Shortcuts on page 1366.
• You must configure a route-map.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. (Optional) If you want to accept routes from a variety of I-SIDs, create an I-SID list before you create
an IPv6 IS-IS accept policy for the I-SID list:
ip isid-list WORD<1–32> {<1–16777215> | list WORD<1–1024>}

Note
When creating an I-SID list, you can add I-SID entries until the maximum limit for
supported Layer 3 I-SIDs is reached. The system truncates any additional I-SID entries.
The maximum limit includes the I-SIDs for locally configured Layer 3 VSNs and the I-SIDs
specified for IS-IS accept policy filters.
Use the command show ip isid-list vrf WORD<1-16> to view the list of
truncated I-SIDs.

3. Enter VRF Router Configuration mode for a specific VRF context:


enable

configure terminal

router vrf WORD<1-16>


4. Configure an IPv6 IS-IS accept policy instance with a route policy.
Use one of the following options:
a. Configure an IPv6 IS-IS accept policy based on a specific advertising BEB:
ipv6 isis accept adv-rtr <x.xx.xx> [enable] [i-sid <0-16777215>] [isid-list WORD<1-32>] [route-map WORD<1–64>]
b. Configure an IPv6 IS-IS accept policy based on a particular I-SID:
ipv6 isis accept i-sid <0-16777215> [enable] [route-map WORD<1–64>]
c. Configure an IPv6 IS-IS accept policy based on a particular I-SID list:
ipv6 isis accept isid-list WORD<1-32> [enable] [route-map WORD<1–64>]
d. Specify a particular route-map to use for all IS-IS routes from all BEBs unless a more specific filter
exists for the advertising BEB:
ipv6 isis accept route-map WORD<1–64>
5. Enable the configured IPv6 IS-IS accept policies:
ipv6 isis accept [adv-rtr <x.xx.xx>] [i-sid <0-16777215>] [isid-list
WORD<1-32>] enable
6. Exit to Global Configuration mode:
exit
7. Apply the IPv6 IS-IS accept policy changes, which removes and re-adds all routes with updated
filters:
ipv6 isis apply accept [vrf WORD <1–16>]

Example

Configure an IPv6 IS-IS accept policy based on a particular I-SID:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf vrftest


Switch:1(router-vrf)#ipv6 isis accept i-sid 101 route-map test
Switch:1(router-vrf)#ipv6 isis accept i-sid 101 enable
Switch:1(router-vrf)#exit
Switch:1(config)#ipv6 isis apply accept

Variable Definitions

The following table defines parameters for the ip isid-list command.

Note
The I-SID lists created can be associated with both IPv4 and IPv6 routes.

Variable Value
WORD<1-32> Creates a name for your I-SID list.
<1-16777215> Specifies an I-SID number.
list WORD<1-1024> Specifies a list of I-SID values. For example, in the format 1,3,5,8-10.

The following table defines parameters for the ipv6 isis accept command.

Variable Value
adv-rtr <x.xx.xx> Specifies the SPBM nickname for each advertising BEB to allow you to apply
the IPv6 IS-IS accept policy to routes for a specific advertising BEB. The
system first uses the default filter, but if a more specific filter for a specific
advertising BEB is present the device applies the specific filter.
Note: An IPv6 IS-IS accept policy that specifies the adv-rtr without an I-SID or I-SID
list will filter routes coming from the I-SID on which the policy is configured
and from the specified BEB.
enable Enables an IPv6 IS-IS accept policy.
i-sid <0-16777215> Specifies an I-SID number to represent a local or remote Layer 3 VSN to which
the IPv6 IS-IS accept policy applies.
Use the parameter to apply a filter for routes from specific I-SIDs that
represent the remote VSN. Based on the routing policy the system applies,
the system can redistribute the remote VSN to the VSN where you applied the
filter.
An I-SID value of 0 represents the global routing table (GRT).
isid-list WORD<1-32> Specifies the I-SID list name that represents the local or remote Layer 3 VSNs
to which the IPv6 IS-IS accept policy applies.
Use the parameter to apply a default filter for all routes from specific I-SIDs
that represent the remote VSN. Based on the routing policy the system applies,
the system redistributes the remote VSN to the VSN where you applied the
filter.
An I-SID value of 0 represents the global routing table (GRT).
route-map WORD<1–64> Specifies a route policy by name.
You must configure the route policy earlier in a separate procedure.


The following table defines parameters for the ipv6 isis apply accept command.

Variable Value
vrf WORD<1-16> Specifies a VRF instance.

Displaying IPv6 IS-IS Accept Policy Information


Perform the following procedure to view IPv6 IS-IS accept policy information on the switch.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display IPv6 IS-IS accept policy information:
show ipv6 isis accept [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example

Display IPv6 IS-IS accept policy information for vrfRED:

Switch:1>enable
Switch:1#show ipv6 isis accept vrf vrfRED
=============================================================================
Isis Accept - VRF vrfRED
=============================================================================
ADV_RTR I-SID ISID-LIST ENABLE POLICY

-----------------------------------------------------------------------------
1.11.11 1001 - TRUE

1 out of 1 Total Num of Isis Accept Policies displayed
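
The following audit script is an added example, not part of the VOSS documentation: it parses captured `show ipv6 isis accept` output, checks the row count against the summary line, and lists enabled accept entries that have no route policy bound. It assumes that absent fields appear as `-` (as the ISID-LIST column does in the example above) or are left blank; the function names and the second sample are constructed for illustration.

```python
import re

# SPBM nickname: 2.5 bytes written as x.xx.xx, i.e. five hexadecimal digits.
NICK_RE = re.compile(r"[0-9a-fA-F]\.[0-9a-fA-F]{2}\.[0-9a-fA-F]{2}")
TITLE_RE = re.compile(r"Isis Accept - VRF (\S+)")
FOOTER_RE = re.compile(
    r"(\d+) out of (\d+) Total Num of Isis Accept Policies displayed")

# Output copied from the example on this page.
PAGE_SAMPLE = """\
Switch:1#show ipv6 isis accept vrf vrfRED
=============================================================================
Isis Accept - VRF vrfRED
=============================================================================
ADV_RTR I-SID ISID-LIST ENABLE POLICY

-----------------------------------------------------------------------------
1.11.11 1001 - TRUE

1 out of 1 Total Num of Isis Accept Policies displayed
"""

# Constructed sample (VRF name, list name and route-map names are made up).
CONSTRUCTED_SAMPLE = """\
Isis Accept - VRF vrfBLUE
ADV_RTR I-SID ISID-LIST ENABLE POLICY
-----------------------------------------------------------------------------
1.11.11 1001 - TRUE
- 2002 - TRUE rmap-blue-in
2.22.22 - tenants FALSE rmap-tenants

3 out of 3 Total Num of Isis Accept Policies displayed
"""


def _field(token):
    """Map the '-' placeholder (assumed to mean 'not set') to None."""
    return None if token == "-" else token


def parse_accept_output(text):
    """Return (vrf, rows); raise ValueError on a malformed or partial capture."""
    vrf, displayed, rows = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("=-"):
            continue  # blank lines and ruler lines
        title = TITLE_RE.fullmatch(line)
        footer = FOOTER_RE.fullmatch(line)
        tokens = line.split()
        if title:
            vrf = title.group(1)
        elif footer:
            displayed = int(footer.group(1))
        elif len(tokens) in (4, 5) and tokens[3] in ("TRUE", "FALSE"):
            adv_rtr, isid = _field(tokens[0]), _field(tokens[1])
            if adv_rtr is not None and not NICK_RE.fullmatch(adv_rtr):
                raise ValueError(f"bad SPBM nickname: {adv_rtr!r}")
            if isid is not None and not isid.isdigit():
                raise ValueError(f"bad I-SID: {isid!r}")
            rows.append({
                "adv_rtr": adv_rtr,
                "isid": None if isid is None else int(isid),
                "isid_list": _field(tokens[2]),
                "enabled": tokens[3] == "TRUE",
                "policy": _field(tokens[4]) if len(tokens) == 5 else None,
            })
        # Anything else (CLI prompt, column header) is ignored.
    if displayed is None or displayed != len(rows):
        raise ValueError(
            f"capture incomplete: summary says {displayed}, parsed {len(rows)}")
    return vrf, rows


def enabled_without_policy(rows):
    """Enabled accept entries with an empty POLICY column, for review."""
    return [r for r in rows if r["enabled"] and r["policy"] is None]


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        vrf, rows = parse_accept_output(sample)
        for row in enabled_without_policy(rows):
            print(f"{vrf}: enabled accept entry without route policy: {row}")
```
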

IP Shortcuts configuration using EDM


This section provides procedures to configure IP Shortcuts using Enterprise Device Manager (EDM).

Configure SPBM IP Shortcuts


In addition to Layer 2 virtualization, the SPBM model is extended to also support Routed SPBM,
otherwise called SPBM IP Shortcuts.

SPBM allows a network to make the best use of routing and forwarding techniques, where only the
BEBs perform an IP route lookup and all other nodes perform standard Ethernet switching based on the
existing shortest path tree. This allows for end to end IP-over-Ethernet forwarding without the need for
ARP, flooding, or reverse learning.

To enable IP shortcuts on the BEBs, you can configure a circuitless IP address (loopback address) and
specify this address as the IS-IS source address. This source address is automatically advertised into IS-IS
using TLV 135. In addition, to advertise routes from the BEBs into the SPBM network, you must enable
route redistribution of direct and static routes into IS-IS.

After you have configured the SPBM infrastructure, you can enable SPBM IP shortcuts to advertise IP
routes across the SPBM network using the following procedure.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• Before redistributing routes into IS-IS, you must create the Customer VLANs, add slots/ports, and
add the IP addresses and network masks.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select IS-IS.
3. From the Globals tab, in IpSourceAddress, specify the CLIP interface to use as the source address
for SPBM IP Shortcuts.

Note
For IPv6 Shortcuts, select ipv6 in Ipv6SourceAddressType, and then use
Ipv6SourceAddress to specify the CLIPv6 interface to use as the source address for SPBM
IPv6 Shortcuts.

4. Select Apply.
5. In the navigation pane, expand Configuration > Fabric > SPBM.
6. Select the SPBM tab.
7. In IpShortcut, select enable.

Note
For IPv6 Shortcuts, select enable in Ipv6Shortcut.

8. Select Apply.
9. In the navigation pane, expand Configuration > IP.
10. Select Policy.
11. Select the Route Redistribution tab.
12. Select Insert to identify routes on the local switch to be announced into the SPBM network.
13. Using the fields provided, specify the source protocols to redistribute into IS-IS. In Protocol, ensure
you specify isis as the destination protocol.
14. Select Insert.

Configuring IPv4 IS-IS redistribution


Use this procedure to configure IS-IS redistribution. In the Virtual Routing and Forwarding (VRF), just
like in the Global Router, the routes are not redistributed into IS-IS automatically. To advertise the VRF
routes, you must explicitly redistribute one of the following protocols into IS-IS: direct, static, RIP, OSPF,
or BGP, within the context of a VRF. Routing between VRFs is also possible by using redistribution
policies and injecting routes from the other protocols.

The VRF specific routes are transported in TLV 184 with the I-SID assigned to the VPNs. After extracting
the IP VPN IP reachability information, the routes are installed in the route tables of the appropriate
VRFs based on the I-SID association.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Click IS-IS.
3. Click the Redistribute tab.
4. Click Insert.
5. Complete the fields as required.
6. Click Insert.

IS-IS Redistribute field descriptions

Use the data in the following table to configure the IS-IS Redistribute tab.

Name Description
DstVrfId Specifies the destination Virtual Routing and Forwarding
(VRF) ID used in the redistribution.
Protocol Specifies the protocols that receive the redistributed routes.
SrcVrfId Specifies the source VRF ID used in the redistribution. For
IS-IS, the source VRF ID must be the same as the destination
VRF ID.
RouteSource Specifies the source protocol for the route redistribution
entry.
Enable Enables or disables a redistribution entry. The default is
disable.
RoutePolicy Specifies the route policy to be used for the detailed
redistribution of external routes from a specified source into
the IS-IS domain.
Metric Specifies the metric for the redistributed route. The value can
range from 0 to 65535. The default value is 0. Use a
value that is consistent with the destination protocol.
MetricType Specifies the metric type. Specifies a type1 or a type2 metric.
For metric type1, the cost of the external routes is equal to
the sum of all internal costs and the external cost. For metric
type2, the cost of the external routes is equal to the external
cost alone. The default is type2.
Subnets Indicates whether the subnets are advertised individually
or aggregated to their classful subnet. Choose suppress
to advertise subnets aggregated to their classful subnet.
Choose allow to advertise the subnets individually with the
learned or configured mask of the subnet. The default is
allow.

Configure IPv6 IS-IS Redistribution


Use this procedure to configure IS-IS redistribution for IPv6. In the Virtual Routing and Forwarding
(VRF), just like in the Global Router, the IPv6 routes are not redistributed into IS-IS automatically. To
advertise the VRF routes, you must explicitly redistribute one of the following protocols into IS-IS:
v6direct, v6static, RIPng, OSPFv3, or BGPv6, within the context of a VRF. Routing between VRFs is also
possible by using redistribution policies and injecting routes from the other protocols.

Note
RIPng is supported only on the Global Router.

The VRF specific routes are transported in TLV 184 with the I-SID assigned to the VPNs. After
extracting the IPv6 VPN reachability information, the IPv6 routes are installed in the route tables of
the appropriate VRFs based on the I-SID association.

Before You Begin

Change the VRF instance as required to configure IPv6 IS-IS redistribution on a specific VRF instance.
Not all parameters are configurable on non-default VRFs.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Click IS-IS.
3. Click the Redistribute tab.
4. Click Insert.
5. Complete the fields as required.
6. Click Insert.
7. Click Apply.

Redistribute Field Descriptions

Use the data in the following table to configure the Redistribute tab.

Name Description
DstVrfId Specifies the destination Virtual Routing and
Forwarding (VRF) ID used in redistribution.
Protocol Specifies the protocols that receive the
redistributed routes.
SrcVrfId Specifies the source Virtual Routing and
Forwarding (VRF) ID used in redistribution.
RouteSource Specifies the source protocol for the route
redistribution entry.
Enable Enables or disables a redistribution entry. The
default is disabled.
RoutePolicy Specifies the route policy to be used for the
detailed redistribution of external routes from a
specified source into the IS-IS domain.
Metric Specifies the metric for the redistributed route.
The default value is 0. Use a value that is
consistent with the destination protocol.
MetricType Specifies the metric type. Specifies a type1 or a
type2 metric. For metric type1, the cost of the
external routes is equal to the sum of all internal
costs and the external cost. For metric type2, the
cost of the external routes is equal to the external
cost alone. The default is type2.

Applying IPv4 IS-IS accept policies globally


Apply IS-IS accept policies globally. Use IS-IS accept policies to filter incoming IS-IS routes the device
receives over the SPBM cloud. Accept policies apply to incoming traffic and determine whether to add
the route to the routing table.

After you apply the IS-IS accept filters, the device removes and re-adds all routes with updated filters.

IS-IS accept policies are disabled by default.

Note
• Applying IS-IS accept policies globally can disrupt traffic and cause temporary traffic
loss. After you configure the IS-IS accept policies value to Apply, the device reapplies
the accept policies, which deletes all of the IS-IS routes and then adds the IS-IS routes
again. Make all the relevant accept policy changes first, and then apply IS-IS accept
policies globally at the end.
• If the route policy changes, you must reapply the IS-IS accept policy, unless it was the last
sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• Ensure the IP IS-IS filter exists.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Click IS-IS.
3. Click the Accept Global tab.
4. Select a name from the list or enter a name in the DefaultPolicyName field to specify the route policy
name for the default filter.
5. Select Apply to apply the default policy.

Accept Global field descriptions

Use the data in the following table to configure the Accept Global tab.

Name Description
DefaultPolicyName Specifies the route policy name for the default
filter.
DefaultBackbonePolicyName Specifies the backbone host route policy name for
the default filter.
Apply Applies the default policy when you configure the
field to apply. The device only activates the default
policy if the route map (the default policy name)
has a value. If you do not select apply, the device
takes no action. The GRT always returns no action.

Configure an IPv4 IS-IS Accept Policy for a Specific Advertising BEB


Configure an IS-IS accept policy to apply to a specific advertising Backbone Edge Bridge (BEB). Specify
the SPBM nickname and the IS-IS accept policy name to allow you to apply the IS-IS accept policy.

The system uses the default global filter unless a filter for a specific advertising BEB exists, in which case
the system applies a more specific filter.

Note
If the route policy changes, you must re-apply the IS-IS accept policy, unless it was the last
sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map to apply.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select IS-IS.
3. Select the Accept Nick Name tab.
4. Select Insert.
5. In the AdvertisingRtr field, specify the SPBM nickname.
6. Select enable in the Enable check box to enable the filter.
7. In the PolicyName field, specify the route-map name.
8. Select Insert.

Accept Nick Name field descriptions

Use the data in the following table to configure the Accept Nick Name tab.

Name Description
AdvertisingRtr Specifies the SPBM nickname to allow you to
apply the IS-IS accept policy to routes for a
specific advertising BEB. The system first uses
the default filter, but if a more specific filter for
a specific advertising BEB is present the device
applies the specific filter.
The value is 2.5 bytes in the format <x.xx.xx>.
Enable Enables or disables the SPBM nickname
advertising router entry. You must enable the
value to filter. The default is disabled.
PolicyName Specifies a route policy.
You must configure a policy earlier in a separate
procedure.
BackbonePolicyName Specifies the route policy for the backbone routes.
You must configure a policy earlier in a separate
procedure.

Configure an IS-IS Accept Policy to Apply for a Specific I-SID


Configure an IS-IS accept policy for a specific I-SID number to represent a local or remote Layer 3 VSN,
which allows the system to redistribute the remote VSN to the VSN where you applied the filter. An
I-SID value of 0 represents the global routing table (GRT).

Note
If the route policy changes, you must re-apply the IS-IS accept policy, unless it was the last
sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map to apply.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Click IS-IS.
3. Click the Accept Isid tab.
4. Click Insert.
5. In the Isid field, specify the SPBM nickname.
6. Select enable in the Enable check box to enable the filter.
7. In the PolicyName field, specify the route-map name.
8. Click Insert.

Accept Isid field descriptions

Use the data in the following table to configure the Accept Isid tab.

Name Description
Isid Configures a specific I-SID number to represent a
local or remote Layer 3 VSN to which the IS-IS
accept policy applies.
Based on the routing policy the system applies,
the system redistributes the remote VSN to the
VSN where you applied the filter.
An I-SID value of 0 represents the global routing
table (GRT).
Enable Enables or disables the I-SID entry. You must
enable the value to filter. The default is disabled.
PolicyName Specifies the route map name. You must configure
a policy earlier in a separate procedure.
BackbonePolicyName Specifies the backbone route map name. You
must configure a policy earlier in a separate
procedure.

Configure an IPv4 IS-IS Accept Policy for a Specific Advertising BEB and I-SID
Configures a specific advertising Backbone Edge Bridge (BEB) with a specific I-SID to allow you to
apply the IS-IS accept policy to routes for a specific advertising BEB.

Note
If the route policy changes, you must re-apply the IS-IS accept policy, unless it was the last
sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map to apply.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Click IS-IS.
3. Click the Accept Nick-Name Isid tab.
4. Click Insert.
5. In the AdvertisingRtr field, specify the SPBM nickname.
6. In the Isid field, specify an I-SID number.
7. Select enable in the Enable check box to enable the filter.
8. In the PolicyName field, specify the route-map name.
9. Click Insert.

Accept Nick-Name Isid descriptions

Use the data in the following table to configure the Accept Nick-Name Isid tab.

Name Description
AdvertisingRtr Specifies the SPBM nickname to allow you to
apply the IS-IS accept policy to routes for a
specific advertising BEB.
The value is 2.5 bytes in the format <x.xx.xx>.
Isid Specifies an I-SID used to filter. The value 0 is used
for the Global Router.
Enable Enables or disables the I-SID entry. The default is
disabled.
PolicyName Specifies the route policy name. You must
configure a policy earlier in a separate procedure.
BackBonePolicyName Specifies the backbone route policy name. You
must configure a policy earlier in a separate
procedure.

Configuring an I-SID list for an IPv4 IS-IS accept policy


Configures a list of I-SID numbers that represent local or remote Layer 3 VSNs to which the IS-IS accept
policy applies. After you create the list of I-SID numbers, you must then create, configure, and enable
the IS-IS accept policy.

Note
When creating an I-SID list, you can add I-SID entries until the maximum limit for supported
Layer 3 I-SIDs is reached. The system truncates any additional I-SID entries. The maximum
limit includes the I-SIDs for locally configured Layer 3 VSNs and the I-SIDs specified for IS-IS
accept policy filters.
Refresh the EDM tab to view the actual list of I-SIDs in the I-SID list.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Click IS-IS.
3. Click the Isid-List tab.
4. Click Insert.
5. In the Name field, specify a name for the I-SID list.
6. Select Isid or Isid-List.
7. Specify an I-SID number or a list of I-SID numbers.
8. Click Insert.

Isid-List field descriptions

Use the data in the following table to configure the Isid-List tab.

Name Description
Name Specifies the name of the I-SID list.
Isid or Isid-List Specifies that you either want to add a particular
I-SID or a list of I-SID numbers.
Isid Specifies a particular I-SID number or a list of I-SID
numbers that represent local or remote Layer 3
VSNs to which the IS-IS accept policy applies.
An I-SID value of 0 represents the global routing
table (GRT).
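
The following pre-check is an added example, not part of the VOSS documentation: it validates an I-SID list string in the `1,3,5,8-10` format against the `ip isid-list` parameter ranges and reports how many entries would not fit, since the system truncates entries beyond the Layer 3 I-SID limit and a truncated list no longer covers every VSN you intended to filter. The platform limit and the number of I-SIDs already in use are not given on this page, so the caller supplies them; the function names and the figures in the usage lines are constructed, and treating the remaining capacity as limit minus in-use is a conservative assumption.

```python
import re

ISID_MIN, ISID_MAX = 1, 16777215  # <1-16777215> in the ip isid-list table
LIST_MAX_CHARS = 1024             # list WORD<1-1024>
NAME_MAX_CHARS = 32               # WORD<1-32>
ENTRY_RE = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)


def parse_isid_list(text):
    """Return merged, sorted (first, last) ranges for a string like '1,3,5,8-10'.

    Ranges are kept as intervals, so a wide range such as 1-16777215 is
    validated and counted without being expanded in memory.
    """
    if not 1 <= len(text) <= LIST_MAX_CHARS:
        raise ValueError(f"list must be 1-{LIST_MAX_CHARS} characters")
    ranges = []
    for token in text.split(","):
        match = ENTRY_RE.fullmatch(token.strip())
        if not match:
            raise ValueError(f"malformed entry {token!r}")
        first = int(match.group(1))
        last = int(match.group(2)) if match.group(2) else first
        if first > last:
            raise ValueError(f"descending range {token!r}")
        if first < ISID_MIN or last > ISID_MAX:
            raise ValueError(f"I-SID out of range in {token!r}")
        ranges.append((first, last))
    ranges.sort()
    merged = [ranges[0]]
    for first, last in ranges[1:]:
        prev_first, prev_last = merged[-1]
        if first <= prev_last + 1:  # overlapping or adjacent: merge
            merged[-1] = (prev_first, max(prev_last, last))
        else:
            merged.append((first, last))
    return merged


def count_isids(ranges):
    """Number of distinct I-SIDs covered by merged ranges."""
    return sum(last - first + 1 for first, last in ranges)


def precheck_isid_list(name, text, l3_isids_in_use, max_l3_isids):
    """Validate a list and report how many entries exceed the remaining room.

    l3_isids_in_use: I-SIDs already counted against the limit (local Layer 3
    VSNs plus existing accept-policy filters), supplied by the caller.
    max_l3_isids: platform limit for supported Layer 3 I-SIDs, supplied by
    the caller (not stated on this page).
    """
    if not 1 <= len(name) <= NAME_MAX_CHARS:
        raise ValueError(f"list name must be 1-{NAME_MAX_CHARS} characters")
    ranges = parse_isid_list(text)
    requested = count_isids(ranges)
    room = max(0, max_l3_isids - l3_isids_in_use)
    return {
        "name": name,
        "ranges": ranges,
        "requested": requested,
        "room": room,
        "would_truncate": max(0, requested - room),
    }


if __name__ == "__main__":
    # Constructed figures: 450 I-SIDs in use against a limit of 500.
    report = precheck_isid_list("tenants", "100-199", 450, 500)
    print(report)
```

A non-zero `would_truncate` means the list should be split or narrowed before it is entered, rather than discovered after refreshing the EDM tab.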

Configure an IPv4 IS-IS Accept Policy for a Specific I-SID List


Configure an IS-IS accept policy for a specific I-SID list to represent local or remote Layer 3 VSNs, which
allows the system to redistribute the remote VSNs to the VSN where you applied the filter.

Note
If the route policy changes, you must re-apply the IS-IS accept policy, unless it was the last
sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map to apply.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Click IS-IS.
3. Click the Accept Isid-List tab.
4. Click Insert.
5. In the Name field, specify the I-SID list name.
6. Select enable in the Enable check box to enable the filter.
7. In the PolicyName field, specify the route-map name.
8. Click Insert.

Accept Isid-List field descriptions

Use the data in the following table to configure the Accept Isid-List tab.

Name Description
Name Specifies the name of the I-SID list.
Enable Enables or disables the I-SID list entry. The value
must be enabled to filter. The default is disabled.
PolicyName Specifies the route policy name.
BackBonePolicyName Specifies the backbone route policy name.

Configure an IPv4 IS-IS Accept Policy for a Specific Advertising BEB and I-SID-list
Configure an IS-IS accept policy to apply to a specific advertising Backbone Edge Bridge (BEB) for a
specific I-SID list to represent local or remote Layer 3 VSNs, which allows the system to redistribute the
remote VSNs to the VSN where you applied the filter.

Note
If the route policy changes, you must reapply the IS-IS accept policy, unless it was the last
sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map to apply.

About This Task

The system uses the default global filter unless a filter for a specific advertising BEB exists, in which case
the system applies a more specific filter.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Click IS-IS.
3. Click the Accept Nick-Name Isid-List tab.
4. Click Insert.
5. In the AdvertisingRtr field, specify the SPBM nickname.
6. In the Name field, specify an I-SID list name.
7. Select enable in the Enable check box to enable the filter.
8. In the PolicyName field, specify the route-map name.
9. Click Insert.

Accept Nick-Name Isid-List field descriptions

Use the data in the following table to configure the Accept Nick-Name Isid-List tab.

Name Description
AdvertisingRtr Specifies the SPBM nickname to allow you to
apply the IS-IS accept policy to routes for a
specific advertising BEB. The system first uses the
default filter, but if a more specific filter is present
the device applies the specific filter.
The value is 2.5 bytes in the format <x.xx.xx>.
Name Specifies the name of the I-SID list used to filter.
Enable Enables or disables the SPBM nickname
advertising router entry. You must enable the
value to filter. The default is disabled.
PolicyName Specifies a route policy name.
BackBonePolicyName Specifies a backbone route policy name.

Apply IPv6 IS-IS Accept Policies Globally


Apply IPv6 IS-IS accept policies globally. Use IPv6 IS-IS accept policies to filter incoming IS-IS routes the
device receives over the SPBM cloud.

After you apply the IPv6 IS-IS accept policy filters, the device removes and re-adds all IPv6 routes with
updated filters.

IPv6 IS-IS accept policies are disabled by default.

Note
• Applying IPv6 IS-IS accept policies globally can disrupt traffic and cause temporary
traffic loss. After you configure the IPv6 IS-IS accept policies value to Apply, the device
reapplies the accept policies, which deletes all of the IPv6 IS-IS routes and then adds
the IPv6 IS-IS routes again. Make all the relevant accept policy changes first, and then
apply IPv6 IS-IS accept policies globally at the end.
• If the route policy changes, you must reapply the IPv6 IS-IS accept policy, unless it was the
last sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• Ensure the IPv6 IS-IS filter exists.
• Change the VRF instance as required to apply IPv6 IS-IS accept policies on a specific VRF instance.
Not all parameters are configurable on non-default VRFs.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Select IS-IS.
3. Select the Accept Global tab.
4. (Optional) Select a name from the list or enter a name in the DefaultPolicyName field to specify the
route policy name for the default filter.
5. Select Apply to apply the default policy.
6. Select Apply.

Accept Global Field Descriptions

Use the data in the following table to configure the Accept Global tab.

Name Description
DefaultPolicyName Specifies the route policy name for the default
filter.
Apply Applies the default policy when you select apply.
The device only activates the default policy if the
route map (the default policy name) has a value.
If you do not select apply, the device takes no
action. The GRT always returns no action.
NickNameTableSize Shows the IPv6 IS-IS In Filter Nick Name table size.
IsidTableSize Shows the IPv6 IS-IS In Filter I-SID table size.
NickNameIsidTableSize Shows the IPv6 IS-IS In Filter Nick Name I-SID
table size.
IsidListTableSize Shows the IPv6 IS-IS In Filter I-SID List table size.
NickNameIsidListTableSize Shows the IPv6 IS-IS In Filter Nick Name I-SID List
table size.

Configuring an IPv6 IS-IS Accept Policy for a specific Advertising BEB


Configure an IPv6 IS-IS accept policy to apply to a specific advertising Backbone Edge Bridge (BEB).
Specify the SPBM nickname and the IS-IS accept policy name to allow you to apply the IPv6 IS-IS
accept policy.

The system uses the default global filter unless a filter for a specific advertising BEB exists, in which case
the system applies a more specific filter.

Note
If the route policy changes, you must re-apply the IPv6 IS-IS accept policy, unless it was the
last sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map.
• Change the VRF instance as required to configure an IPv6 IS-IS accept policy for a particular
advertising BEB on a specific VRF instance. Not all parameters are configurable on non-default
VRFs.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Click IS-IS.
3. Click the Accept Nick Name tab.
4. Click Insert.
5. In the AdvertisingRtr field, specify the SPBM nickname.
6. Select Enable to apply the filter.
7. (Optional) In the PolicyName field, specify the route-map name.
8. Click Insert.

Accept Nick Name Field Descriptions

Use the data in the following table to configure the Accept Nick Name tab.

Name Description
AdvertisingRtr Specifies the SPBM nickname to apply the IS-IS
accept policy to routes for a specific advertising
BEB. The system first uses the default filter, but if a
more specific filter for a specific advertising BEB is
present the device applies the specific filter.
Enable Enables the SPBM nickname advertising router
entry. The default is disabled.
PolicyName Specifies a route policy.

Configuring an IPv6 IS-IS Accept Policy for a specific I-SID


Configure an IPv6 IS-IS accept policy for a specific I-SID to represent local or remote Layer 3 VSNs,
which allows the system to redistribute the remote VSNs to the VSN where you applied the filter.

Note
If the route policy changes, you must re-apply the IPv6 IS-IS accept policy, unless it was the
last sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map.
• Change the VRF instance as required to configure an IPv6 IS-IS accept policy for a particular I-SID
on a specific VRF instance. Not all parameters are configurable on non-default VRFs.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Click IS-IS.
3. Click the Accept Isid tab.
4. Click Insert.
5. In the Isid field, specify the I-SID value.
6. Select Enable to apply the filter.
7. (Optional) In the PolicyName field, specify the route-map name.
8. Click Insert.

Accept Isid Field Descriptions

Use the data in the following table to configure the Accept Isid tab.

Name Description
Isid Specifies a particular I-SID number that represents
local or remote Layer 3 VSNs to which the IPv6
IS-IS accept policy applies. An I-SID value of 0
represents the global routing table (GRT).
Enable Enables or disables the I-SID entry. The default is
disabled.
PolicyName Specifies the route policy name.

Configuring an IPv6 IS-IS accept policy for a specific advertising BEB and I-SID
Configures a specific advertising Backbone Edge Bridge (BEB) with a specific I-SID to allow you to
apply the IPv6 IS-IS accept policy to routes for a specific advertising BEB.

Note
If the route policy changes, you must re-apply the IPv6 IS-IS accept policy, unless it was the
last sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map.
• Change the VRF instance as required to configure an IPv6 IS-IS accept policy for a particular
advertising BEB and I-SID on a specific VRF instance. Not all parameters are configurable on
non-default VRFs.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Click IS-IS.
3. Click the Accept Nick-Name Isid tab.
4. Click Insert.
5. In the AdvertisingRtr field, specify the SPBM nickname.
6. In the Isid field, specify an I-SID number.
7. Select Enable to apply the filter.
8. (Optional) In the PolicyName field, specify the route-map name.
9. Click Insert.

Accept Nick-Name Isid Field Descriptions

Use the data in the following table to configure the Accept Nick-Name Isid tab.

Name Description
AdvertisingRtr Specifies the SPBM nickname to apply the IS-IS
accept policy to routes for a specific advertising
BEB.
Isid Specifies the I-SID value. The value 0 is used for
the Global Router.
Enable Enables or disables the I-SID entry. The default is
disabled.
PolicyName Specifies the route policy name. You must
configure a policy earlier in a separate procedure.

Configuring an I-SID List for an IPv6 IS-IS Accept Policy


Configures a list of I-SID numbers that represent local or remote Layer 3 VSNs to which the IPv6 IS-IS
accept policy applies. After you create the list of I-SID numbers, you must then create, configure, and
enable the IPv6 IS-IS accept policy.

Note
When creating an I-SID list, you can add I-SID entries until the maximum limit for supported
Layer 3 I-SIDs is reached. The system truncates any additional I-SID entries. The maximum
limit includes the I-SIDs for locally configured Layer 3 VSNs and the I-SIDs specified for IS-IS
accept policy filters.
Refresh the EDM tab to view the actual list of I-SIDs in the I-SID list.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• Change the VRF instance as required to configure an I-SID list for an IPv6 IS-IS accept policy on a
specific VRF instance. Not all parameters are configurable on non-default VRFs.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Click IS-IS.
3. Click the Isid-List tab.
4. Click Insert.
5. In the Name field, specify a name for the I-SID list.
6. Select Isid or Isid-List.
7. Specify an I-SID number or a list of I-SID numbers.
8. Click Insert.
9. Click Apply.

Isid-List Field Descriptions

Use the data in the following table to configure the Isid-List tab.

Name Description
Name Specifies the name of the I-SID list.
Isid Specifies a particular I-SID number or a list of I-SID
numbers that represent local or remote Layer 3
VSNs to which the IPv6 IS-IS accept policy applies.
An I-SID value of 0 represents the global routing
table (GRT).

Configuring an IPv6 IS-IS Accept Policy for a specific I-SID List


Configure an IPv6 IS-IS accept policy for a specific I-SID list to represent local or remote Layer 3 VSNs,
which allows the system to redistribute the remote VSNs to the VSN where you applied the filter.

Note
If the route policy changes, you must re-apply the IPv6 IS-IS accept policy, unless it was the
last sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map.
• Change the VRF instance as required to configure an IPv6 IS-IS accept policy for a particular I-SID
list on a specific VRF instance. Not all parameters are configurable on non-default VRFs.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Click IS-IS.
3. Click the Accept Isid-List tab.
4. Click Insert.
5. In the Name field, specify the I-SID list name.
6. Select Enable to apply the filter.
7. (Optional) In the PolicyName field, specify the route-map name.
8. Click Insert.

Accept Isid-List Field Descriptions

Use the data in the following table to configure the Accept Isid-List tab.

Name Description
Name Specifies the name of the I-SID list.
Enable Enables or disables the I-SID list entry. The default
is disabled.
PolicyName Specifies the route policy name.

Configuring an IPv6 IS-IS Accept Policy for a specific Advertising BEB and I-SID List
Configure an IPv6 IS-IS accept policy to apply to a specific advertising Backbone Edge Bridge (BEB) for
a specific I-SID list to represent local or remote Layer 3 VSNs, which allows the system to redistribute
the remote VSNs to the VSN where you applied the filter.

Note
If the route policy changes, you must reapply the IPv6 IS-IS accept policy, unless it was the
last sequence in the configuration.

Before You Begin


• Enable IS-IS globally.
• Ensure the manual area exists.
• You must configure a route-map.
• Change the VRF instance as required to configure an IPv6 IS-IS accept policy for a particular
advertising BEB and I-SID list on a specific VRF instance. Not all parameters are configurable on
non-default VRFs.

About This Task

The system uses the default global filter unless a filter for a specific advertising BEB exists, in which case
the system applies a more specific filter.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Click IS-IS.
3. Click the Accept Nick-Name Isid-List tab.
4. Click Insert.
5. In the AdvertisingRtr field, specify the SPBM nickname.
6. In the Name field, specify an I-SID list name.
7. Select Enable to apply the filter.
8. (Optional) In the PolicyName field, specify the route-map name.
9. Click Insert.

Accept Nick-Name Isid-List Field Descriptions

Use the data in the following table to configure the Accept Nick-Name Isid-List tab.

Name              Description
AdvertisingRtr    Specifies the SPBM nickname to apply the IS-IS accept policy to
                  routes for a specific advertising BEB. The system first uses the
                  default filter, but if a more specific filter is present the
                  device applies the specific filter.
Name              Specifies the I-SID list name.
Enable            Enables or disables the SPBM nickname advertising router entry.
                  The default is disabled.
PolicyName        Specifies a route policy name.


IP Shortcuts SPBM Configuration Example


The following figure shows a sample IP Shortcuts over SPBM deployment.

Examples and network illustrations in this document may illustrate only one of the supported platforms.
Unless otherwise noted, the concept illustrated applies to all supported platforms.

Figure 130: SPBM IP Shortcuts


The following sections show the steps required to configure the SPBM IP Shortcuts parameters in this
example. You must first configure basic SPBM and IS-IS infrastructure. For more information, see SPBM
and IS-IS Infrastructure Configuration on page 923.

Note the following:


• IP IS-IS redistribution needs to be configured to inject IP shortcuts routes into IS-IS. The one
exception is the circuitless IP address configured as the IS-IS ip-source-address. This address is
automatically advertised without the need for a redistribution rule.
• In the displayed configuration, only direct routes are injected (the same configuration is possible for
static routes). To inject IPv6 routes, you must enable route redistribution of IPv6 direct, IPv6 static,
and OSPFv3 routes into IS-IS.
• No IP address needs to be configured on SwitchG.


SwitchC
CIRCUITLESS INTERFACE CONFIGURATION - GlobalRouter

interface loopback 1
ip address 1 10.0.0.1/255.255.255.255
exit

ISIS CONFIGURATION

router isis
ip-source-address 10.0.0.1

ISIS SPBM CONFIGURATION

spbm 1 ip enable
exit

VLAN CONFIGURATION


vlan create 13 type port-mstprstp 0


vlan members 13 1/2 portmember
interface Vlan 13
ip address 10.0.13.1 255.255.255.0
exit

IP REDISTRIBUTION CONFIGURATION - GlobalRouter

router isis
redistribute direct
redistribute direct metric 1
redistribute direct enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS

isis apply redistribute direct

SwitchD
CIRCUITLESS INTERFACE CONFIGURATION - GlobalRouter

interface loopback 1
ip address 1 10.0.0.2/255.255.255.255
exit

ISIS CONFIGURATION

router isis
ip-source-address 10.0.0.2

ISIS SPBM CONFIGURATION

spbm 1 ip enable
exit

VLAN CONFIGURATION

vlan create 14 type port-mstprstp 0


vlan member add 14 1/2
interface Vlan 14
ip address 10.0.14.1 255.255.255.0
exit

IP REDISTRIBUTION CONFIGURATION - GlobalRouter

router isis
redistribute direct
redistribute direct metric 1
redistribute direct enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS

isis apply redistribute direct

Verifying Operation — SwitchC


SwitchC:1# show isis spbm ip-unicast-fib
===============================================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
===============================================================================================================
OUTGOING SPBM PREFIX PREFIX IP ROUTE
VRF ISID Destination NH BEB VLAN INTERFACE COST COST TYPE PREFERENCE AREA AREA-NAME
----------------------------------------------------------------------------------------------------------------
GRT - 10.0.0.2/32 SwitchD 4000 1/30 20 1 Internal 7 HOME area-9.00.02


GRT - 10.0.14.1/24 SwitchD 4000 1/30 20 1 Internal 7 HOME area-9.00.02


----------------------------------------------------------------------------------------------------------------
Home : Total number of SPBM IP-UNICAST FIB entries 2
Remote: Total number of SPBM IP-UNICAST FIB entries 0
----------------------------------------------------------------------------------------------------------------

SwitchC:1# show ip route


================================================================================
IP Route - GlobalRouter
================================================================================
NH INTER
DST MASK NEXT VRF COST FACE PROT AGE TYPE PRF
--------------------------------------------------------------------------------
10.0.0.1 255.255.255.255 10.0.0.1 - 1 0 LOC 0 DB 0
10.0.0.2 255.255.255.255 SwitchD Glob~ 20 4000 ISIS 0 IBS 7
10.0.13.1 255.255.255.0 10.0.13.1 - 1 13 LOC 0 DB 0
10.0.14.1 255.255.255.0 SwitchD Glob~ 20 4000 ISIS 0 IBS 7

4 out of 4 Total Num of Route Entries, 4 Total Num of Dest Networks displayed.
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Rout
e,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed

Verifying operation — SwitchD


SwitchD:1# show isis spbm ip-unicast-fib
======================================================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
======================================================================================================================
OUTGOING SPBM PREFIX PREFIX IP ROUTE
VRF ISID Destination NH BEB VLAN INTERFACE COST COST TYPE PREFERENCE AREA AREA-NAME
----------------------------------------------------------------------------------------------------------------------
GRT - 10.0.0.1/32 SwitchC 4000 1/20 20 1 Internal 7 HOME area-9.00.02
GRT - 10.0.13.1/24 SwitchC 4000 1/20 20 1 Internal 7 HOME area-9.00.02
-----------------------------------------------------------------------------------------------------------------------
Home : Total number of SPBM IP-UNICAST FIB entries 2
Remote: Total number of SPBM IP-UNICAST FIB entries 0
--------------------------------------------------------------------------------

SwitchD:1# show ip route


================================================================================
IP Route - GlobalRouter
================================================================================
NH INTER
DST MASK NEXT VRF COST FACE PROT AGE TYPE PRF
--------------------------------------------------------------------------------
10.0.0.1 255.255.255.255 SwitchC Glob~ 20 4000 ISIS 0 IBS 7
10.0.0.2 255.255.255.255 10.0.0.2 - 1 0 LOC 0 DB 0
10.0.13.1 255.255.255.0 SwitchC Glob~ 20 4000 ISIS 0 IBS 7
10.0.14.1 255.255.255.0 10.0.14.1 - 1 14 LOC 0 DB 0

4 out of 4 Total Num of Route Entries, 4 Total Num of Dest Networks displayed.
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Rout
e,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed


Layer 3 VSN Configuration

Table 111: Layer 3 VSN product support


Feature        Product            Release introduced
Layer 3 VSN    VSP 4450 Series    VSP 4000 4.0
               VSP 4900 Series    VOSS 8.1
               VSP 7200 Series    VOSS 4.2.1
               VSP 7400 Series    VOSS 8.0
               VSP 8200 Series    VOSS 4.1
               VSP 8400 Series    VOSS 4.2
               VSP 8600 Series    VSP 8600 6.1
               XA1400 Series      VOSS 8.0.50

Layer 3 VSN Configuration Fundamentals


This section provides fundamental concepts on Layer 3 VSN.

For information about supported service types, see Fabric Connect Service Types on page 1273.

SPBM Layer 3 VSN


The SPBM Layer 3 VSN feature is a mechanism to provide IP connectivity over SPBM for VRFs. SPBM
Layer 3 VSN uses IS-IS to exchange the routing information for each VRF.

Figure 131: SPBM Layer 3 VSN


In the preceding figure, the BEBs are connected over the SPBM cloud running IS-IS. VRF red and green
are configured on the BEBs. VRF red on BEB A has to send and receive routes from VRF red on BEB D.
Similar operations are required for VRF green on BEB A and BEB D.

IS-IS TLV 184 is used to advertise SPBM Layer 3 VSN route information across the SPBM cloud. To
associate advertised routes with the appropriate VRF, each VRF is associated with an I-SID. All VRFs in
the network that share the same I-SID participate in the same VSN.

Note
IPv4 Layer 3 VSN and IPv6 Layer 3 VSN coexist and share the same I-SID. You need to
configure the I-SID only once. The advantage of having two separate VPNs, one for IPv4 and one
for IPv6, is that you can enable them separately.


In this example, I-SID 101 is associated with VRF green and I-SID 102 is associated with VRF red. The
I-SID is used to tie the advertised routes to a particular VRF. This identifier has to be the same on all
edge nodes for a particular VRF, and has to be unique across all the VRFs on the same node.

When IS-IS receives an update from an edge node, it looks for the Layer 3 VSN TLV, and if one exists, it
looks at the I-SID identifier. If that identifier is mapped to a local VRF, it extracts the IPv4 or IPv6 routes
and adds them to the RTM of that VRF.

With SPBM Layer 3 VSN, the packet forwarding works in a similar fashion as the IP Shortcuts on the
Global Router, with the difference that the encapsulation includes the I-SID to identify the VRF that the
packet belongs to. The following figure shows the packet forwarding for VRF red.

Figure 132: Packet forwarding in SPBM Layer 3 VSN


When BEB A receives traffic from VRF red that must be forwarded to the far-end location, it performs
a lookup and determines that VRF red is associated with I-SID 102 and that BEB D is the destination for
I-SID 102. BEB A then encapsulates the IP data into a new B-MAC header, using destination B-MAC: D.

Note
With SPBM Layer 3 VSN, the CMAC header is all null. This header does not have any
significance in the backbone. It is included to maintain the same 802.1ah format for ease
of implementation.


At BEB D, the node strips off the B-MAC encapsulation, and performs a lookup to determine the
destination for traffic with I-SID 102. After identifying the destination as VRF red, the node forwards the
packet to the destination VRF.

Note
IPv4 Layer 3 VSN and IPv6 Layer 3 VSN coexist and share the same I-SID. The advantage of
having two separate VPNs, one for IPv4 and one for IPv6, is that you can enable them
separately.

IPv6 Layer 3 VSN limitations and considerations

Consider the following when you configure the IPv6 Layer 3 VSN:
• You can enable IPv6 Layer 3 VSN only when the spbm boot config flag is true.
• IPv4 Shortcuts and IPv6 Shortcuts must be enabled.

Enable/disable ICMP Response on VRFs/Layer 3 VSNs


This feature lets VRFs/Layer 3 VSNs operate in stealth mode by disabling ICMP responses on
specific VRFs/Layer 3 VSNs.

If the ICMP response is disabled, the switch does not respond to any ICMP requests received on the
VRFs/Layer 3 VSNs.

If the ICMP response is enabled, the switch responds to ICMP requests received on the VRF/Layer 3
VSNs.

Layer 3 VSN configuration using the CLI


This section provides a procedure to configure Layer 3 VSNs using the command line interface (CLI).

Configure SPBM IPv4 Layer 3 VSN


After you have configured the SPBM infrastructure, you can enable SPBM Layer 3 VSN to advertise IPv4
routes across the SPBM network from one VRF to another using the following procedure.

SPBM Layer 3 VSN uses IS-IS to exchange the routing information for each VRF. In the VRF, just like
in the Global Router (VRF 0), the routes are not redistributed into IS-IS automatically. To advertise
the VRF routes, you must explicitly redistribute one of the following protocols into IS-IS: direct, static,
RIP, OSPF, or BGP. Routing between VRFs is also possible by using redistribution policies and injecting
routes from the other protocols.

Before You Begin


• You must configure the required SPBM IS-IS infrastructure.
• You must configure a VRF on the switch. For more information, see VRF Lite configuration using the
CLI on page 3838.
• You must create the Customer VLANs and add slots/ports.


Procedure

1. Enter VRF Router Configuration mode for a specific VRF context:


enable

configure terminal

router vrf WORD<1-16>


2. Create an IPv4 VPN instance on the VRF:
ipvpn
3. Configure SPBM Layer 3 VSN:
i-sid <0–16777215>
4. Enable IPv4 VPN on the VRF:
ipvpn enable

By default, a new IPv4 VPN instance is disabled.


5. Display all IPv4 VPNs:
show ip ipvpn [vrf WORD<1–16>] [vrfids WORD<0–512>]
6. Identify routes on the local switch to be announced into the SPBM network:
isis redistribute {direct | bgp | ospf | rip | static}
7. Enable routes on the local switch to be announced into the SPBM network:
isis redistribute {direct | bgp | ospf | rip | static} enable
8. If you want to delete or disable the configuration, use the no option:
no isis redistribute {direct | bgp | ospf | rip | static}

no isis redistribute {direct | bgp | ospf | rip | static} enable


9. Identify other routing protocols to which to redistribute IS-IS routes:
ip {bgp | ospf | rip} redistribute isis
10. Enable IS-IS redistribution to other routing protocols:
ip {bgp | ospf | rip} redistribute isis enable
11. Exit Privileged EXEC mode:
exit
12. Apply the configured redistribution:
isis apply redistribute {direct | bgp | ospf | rip | static} vrf WORD<1–16>

ip bgp apply redistribute isis vrf WORD<1–16>

ip ospf apply redistribute isis vrf WORD<1–16>

ip rip apply redistribute isis vrf WORD<1–16>


13. Display the redistribution configuration:
show ip isis redistribute [vrf WORD<1–16>] [vrfids WORD<0–512>]


Example

Create the IPv4 VPN instance:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf green
Switch:1(config)#ipvpn
Switch:1(config)#i-sid 109
Switch:1(config)#ipvpn enable
Switch:1(config)#show ip ipvpn
==========================================================================================
IPv4 IPVPN
==========================================================================================
VRF Name VRF ID IPv4 IPVPN IPv6 IPVPN I-SID I-SID Name
------------------------------------------------------------------------------------------
green 1 enabled disabled 109 ExtremeServer1
------------------------------------------------------------------------------------------
1 out of 1 Total IPv4 L3 VSN, 1 active IPv4 and 0 active IPv6 displayed.
Switch:1(config)#isis redistribute ospf
Switch:1(config)#isis redistribute ospf enable
Switch:1(config)#isis redistribute ospf enable
Switch:1(config)#end
Switch:1(config)#isis apply redistribute ospf vrf vrfred
Switch:1(config)#show ip isis redistribute vrf vrfred
================================================================================
ISIS Redistribute List - VRF vrfred
================================================================================

SOURCE MET MTYPE SUBNET ENABLE LEVEL RPOLICY


--------------------------------------------------------------------------------
LOC 1 internal allow FALSE l1

Variable Definitions

The following table defines parameters for the show ip ipvpn command.

Variable Value
vrf WORD<1–16> Specifies the VRF name.
vrfids WORD<0–512> Specifies the VRF ID.

The following table defines parameters for the i-sid command.

Variable Value
<0–16777215> Assigns an I-SID to the VRF being configured.
Use the no or default option to remove the I-SID to VRF allocation for this VRF.


The following table defines parameters for the isis redistribute command.

Variable                                Value
{direct | bgp | ospf | rip | static}    Specifies the protocol.
enable                                  Enables the redistribution of the specified protocol into the
                                        SPBM network. The default is disabled. Use the no or default
                                        options to disable the redistribution.
metric <0–65535>                        Configures the metric (cost) to apply to redistributed routes.
                                        The default is 1.
metric-type {external|internal}         Configures the type of route to import into the protocol. The
                                        default is internal.
route-map WORD<0–64>                    Configures the route policy to apply to redistributed routes.
                                        Specifies a name.
subnets {allow|suppress}                Indicates whether the subnets are advertised individually or
                                        aggregated to their classful subnet. Choose suppress to
                                        advertise subnets aggregated to their classful subnet. Choose
                                        allow to advertise the subnets individually with the learned or
                                        configured mask of the subnet. The default is allow.

The following table defines parameters for the isis apply redistribute command.

Variable                                Value
{direct | bgp | ospf | rip | static}    Specifies the protocol.
vrf WORD<1–16>                          Applies IS-IS redistribute for a particular VRF.
                                        Specifies the VRF name.

Configure SPBM IPv6 Layer 3 VSN using CLI


Before You Begin
• You must enable IPv6 Shortcuts.
• You must configure the required SPBM IS-IS infrastructure.
• You must configure a VRF instance on the switch. For more information, see VRF Lite configuration
using the CLI on page 3838.

About This Task

After you have configured the SPBM infrastructure, you can enable SPBM Layer 3 VSN to advertise IPv6
routes across the SPBM network using the following procedure.


Procedure
1. Enter VRF Router Configuration mode for a specific VRF context:
enable

configure terminal

router vrf WORD<1-16>


2. Create an IPv6 VPN instance on the VRF:
ipv6 ipvpn
3. Configure SPBM Layer 3 VSN:
i-sid <0–16777215>
4. Enable IPv6 VPN on the VRF:
ipv6 ipvpn enable
5. Display all IPv6 VPNs:
show ipv6 ipvpn [vrf WORD<1–16> | vrfids WORD<0–512>]
6. Identify routes on the local switch to be announced into the SPBM network:
ipv6 isis redistribute {bgp | direct | ospf | static}
7. Enable routes on the local switch to be announced into the SPBM network:
ipv6 isis redistribute {direct | bgp | ospf | rip | static} enable
8. Identify the routing protocol to which to redistribute IS-IS routes:
ipv6 ospf redistribute isis
9. Enable IS-IS redistribution to OSPF:
ipv6 ospf redistribute isis enable
10. Return to Privileged EXEC mode:
end
11. Apply the configured redistribution to a specific VRF:
ipv6 isis apply redistribute {direct | bgp | ospf | rip | static} vrf WORD<1–16>
12. Apply the OSPF configuration to a specific VRF:
ipv6 ospf apply redistribute isis vrf WORD<1-16>
13. Display the redistribution configuration:
show ipv6 isis redistribute [vrf WORD<1–16> | vrfids WORD<0–512>]
14. Verify IPv6 IS-IS routes:
show ipv6 route vrf WORD<1-16>

Examples

Create the IPv6 VPN instance:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf vrfred
Switch:1(router-vrf)#ipv6 ipvpn
Switch:1(router-vrf)#i-sid 100
Switch:1(router-vrf)#ipv6 ipvpn enable
Switch:1(router-vrf)#show ipv6 ipvpn
==========================================================================================


IPv6 IPVPN
==========================================================================================
VRF Name VRF ID IPv6 IPVPN IPv4 IPVPN I-SID I-SID Name
------------------------------------------------------------------------------------------
vrfred 2 enabled disabled 100 ISID-100
------------------------------------------------------------------------------------------
1 out of 1 Total IPv6 L3 VSN, 1 active IPv6 and 0 active IPv4 displayed.
Switch:1(router-vrf)#ipv6 isis redistribute direct enable
Switch:1(router-vrf)#ipv6 ospf redistribute isis enable
Switch:1(router-vrf)#ipv6 ospf apply redistribute isis vrf vrfred

Switch:1(router-vrf)#show ipv6 route vrfred


=========================================================================================================
IPv6 Routing Table Information - VRF vrfred
=========================================================================================================
Destination Address/PrefixLen NEXT HOP VID/BID/TID PROTO COST AGE TYPE PREF
---------------------------------------------------------------------------------------------------------
55:0:0:0:0:0:0:0/64 Switch V-2 ISIS 10 0 B 7
---------------------------------------------------------------------------------------------------------
1 out of 1 Total Num of Route Entries displayed.
---------------------------------------------------------------------------------------------------------
TYPE Legend:
A=Alternative Route, B=Best Route, E=Ecmp Route

Variable Definitions

The following table defines parameters for the ipv6 ipvpn command.

Variable Value
enable Enables IPv6 IPVPN. The default is disabled.

The following table defines parameters for the show ipv6 ipvpn command.

Variable Value
vrf WORD<1–16> Specifies the VRF name.
vrfids WORD<0–512> Specifies the VRF ID.

The following table defines parameters for the i-sid command.

Variable Value
<0–16777215> Assigns an I-SID to the VRF being configured.

The following table defines parameters for the isis redistribute command.

Variable                          Value
{bgp | direct | ospf | static}    Specifies the protocol.
enable                            Enables the redistribution of the specified protocol into the
                                  SPBM network. The default is disabled.


Display SPBM IPv6 Unicast Forwarding Information Base


About This Task

Perform this procedure to display SPBM IPv6 unicast Forwarding Information Base (FIB).

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display SPBM IPv6 unicast FIB:
show isis spbm ipv6-unicast-fib [all] [id <1-16777215>] [spbm-nh-as-mac] [home|remote]

Example

Switch:1>show isis spbm ipv6-unicast-fib


====================================================================================================================
SPBM IPv6-UNICAST FIB ENTRY INFO
====================================================================================================================
VRF Dest OUTGOING SPBM PREFIX METRIC IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST TYPE PREFERENCE AREA AREA-NAME
--------------------------------------------------------------------------------------------------------------------
GRT - - 00:16:ca:23:73:df el2 10 10/22 10 1 Internal 7 HOME area-9.00.02
GRT - 11 00:16:ca:23:73:df esp 20 10/22 10 1 Internal 7 HOME area-9.00.02
vrf1 11 100 00:18:b0:bb:b3:df el2 10 10/22 10 1 External 7 HOME area-9.00.02
vrf1 11 11 00:14:c7:e1:33:e0 ess 20 10/22 10 1 External 7 HOME area-9.00.02

-------------------------------------------------------------------------------------------------------------------
Home: Total number of SPBM IPv6-UNICAST FIB entries 4
Remote: Total number of SPBM IPv6-UNICAST FIB entries 0
--------------------------------------------------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the show isis spbm ipv6-unicast-fib command.

Variable           Value
all                Displays all IS-IS SPBM IPv6 unicast Forwarding Information Base (FIB)
                   information for all VRFs.
home               Displays the IS-IS SPBM IPv6 unicast FIB information that the system
                   configures in the home area.
id <1-16777215>    Displays IS-IS SPBM IPv6 unicast FIB information by I-SID ID.
remote             Displays the IS-IS SPBM IPv6 unicast FIB information that the system
                   configures in the remote area.
spbm-nh-as-mac     Displays the next hop B-MAC of the IPv6 unicast FIB entry.

Display IS-IS Link State Database Information


Perform the following procedure to display the IS-IS link state database related information on the
switch.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display IS-IS link state database information:
show isis lsdb ipv6-unicast [i-sid <0-16777215>] [lspid xxxx.xxxx.xxxx.xx-xx] [sysid xxxx.xxxx.xxxx] [home|remote]


Example

Switch:1>show isis lsdb ipv6-unicast


====================================================================================
ISIS IPv6-UNICAST-ROUTE SUMMARY
====================================================================================
PREFIX METRIC TLV LSP HOST
I-SID ADDRESS LENGTH METRIC TYPE TYPE FRAG NAME AREA
-----------------------------------------------------------------------------------
4 2222:0:0:0:0:0:0:0 64 1 Internal 184 0x2 4210 HOME
4 2222:0:0:0:0:0:0:0 64 1 Internal 184 0x2 4210 REMOTE
-----------------------------------------------------------------------------------
2 out of 2 Total Num of Entries

Layer 3 VSN configuration using EDM


Configure SPBM IPv4 Layer 3 VSN
After you have configured the SPBM infrastructure, you can enable SPBM Layer 3 Virtual Services
Network (VSN) to advertise IPv4 routes across the SPBM network from one VRF to another using the
following procedure.

SPBM Layer 3 VSN uses IS-IS to exchange the routing information for each VRF. In the VRF, just like
in the Global Router (VRF 0), the routes are not redistributed into IS-IS automatically. To advertise
the VRF routes, you must explicitly redistribute one of the following protocols into IS-IS: direct, static,
RIP, OSPF, or BGP. Routing between VRFs is also possible by using redistribution policies and injecting
routes from the other protocols.

Before You Begin

• You must configure the required SPBM IS-IS infrastructure.


• You must configure a VRF and IP VPN instance on the switch. For more information about how to
configure a VRF, see VRF Lite configuration using Enterprise Device Manager on page 3849.
• You must create the Customer VLANs and add slots/ports.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select IP-VPN.
3. Select the VPN tab.
4. To create an IP VPN instance, select Insert.
5. Select the ellipsis button (...), select a VRF to associate with the IP VPN, and click Ok.
6. Select Insert.
7. In the Enable column, select enable to enable the IP VPN on the VRF.
8. In the IsidNumber column, specify an I-SID to associate with the VPN.
9. Select Apply.
10. In the navigation pane, expand Configuration > IP.
11. Select Policy.
12. To identify routes on the local switch to be announced into the SPBM network, select the Route
Redistribution tab.


13. Select Insert.


14. In the DstVrfId box, select the ellipsis (...), and then select the destination VRF ID and select Ok.
15. In the Protocol box, select isis as the route destination.
16. In the SrcVrfId box, select the ellipsis (...) button, select the source VRF ID, and click Ok.
17. In the RouteSource box, select the source protocol.
18. In the Enable box, select enable.
19. In the RoutePolicy box, select the ellipsis (...), choose the route policy to apply to the redistributed
routes and select Ok.
20. Configure the other parameters as required.
21. Select Insert.
22. To apply the redistribution configuration, select the Applying Policy tab.
23. Select RedistributeApply, and then select Apply.

Configuring SPBM IPv6 Layer 3 VSN using EDM


About This Task

After you have configured the SPBM infrastructure, you can enable SPBM Layer 3 Virtual Services
Network (VSN) to advertise IPv6 routes across the SPBM network from one VRF to another using the
following procedure.

SPBM Layer 3 VSN uses IS-IS to exchange the routing information for each VRF.

Before You Begin

• You must enable IPv6 Shortcuts.


• You must configure the required SPBM IS-IS infrastructure.
• You must configure a VRF and IPv6 VPN instance on the switch. For more information, see VRF Lite
configuration using Enterprise Device Manager on page 3849.

Procedure

1. In the navigation pane, expand Configuration > IPv6.


2. Click IPv6-VPN.
3. Click the VPN tab.
4. Click Insert.
5. Click the ellipsis [...], and select a VRF.
6. Click Ok.
7. Click Insert.
8. In the IsidNumber column, double-click the 0 value, and then enter the service instance identifier
(I-SID) to assign to the IPv6-VPN.
9. Click Apply.
10. In the Enable column, select true or false.
11. Click Apply.
12. In the navigation pane, expand Configuration > VRF Context View.
13. Click Set VRF Context View.
14. Click the VRF tab.


15. Select a context to view.


16. Click Launch VRF Context view.
A new browser tab opens containing the selected VRF view.
17. In the navigation pane, expand Configuration > IPv6.
18. Click IS-IS.
19. Click the Redistribute tab.
20. Click Insert.
21. Configure the parameters as required.
22. Click Insert.
23. Click Apply.

Layer 3 VSN configuration example


The following figure shows a sample Layer 3 VSN deployment.

Figure 133: Layer 3 VSN


The following sections show the steps required to configure the Layer 3 VSN parameters in this
example.

Note that IP IS-IS redistribution needs to be configured to inject the VRF routes into IS-IS.

You must first configure basic SPBM and IS-IS infrastructure.

VRF green configuration


The following figure shows the green VRF in this Layer 3 VSN example.


Figure 134: Layer 3 VSN — VRF green


The following sections show the steps required to configure the green VRF parameters in this example.

VRF green – Switch-C


VRF CONFIGURATION

ip vrf green vrfid 1

VLAN CONFIGURATION

vlan create 101 type port-mstprstp 0


vlan mlt 101 1
vlan members 101 1/2 portmember
interface Vlan 101
vrf green
ip address 10.1.101.1 255.255.255.0 1
exit

ISIS PLSB IPVPN CONFIGURATION

router vrf green


ipvpn
i-sid 13990001
ipvpn enable
exit

IP REDISTRIBUTION CONFIGURATION - VRF

router vrf green


isis redistribute direct
isis redistribute direct metric 1
isis redistribute direct enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS

isis apply redistribute direct vrf green

VRF green – Switch-D


VRF CONFIGURATION

ip vrf green vrfid 1

VLAN CONFIGURATION


vlan create 102 type port-mstprstp 0


vlan mlt 102 1
vlan members add 102 1/2 portmember
interface vlan 102
vrf green
ip address 10.1.102.1 255.255.255.0 1
exit

ISIS PLSB IPVPN CONFIGURATION

router vrf green


ipvpn
i-sid 13990001
ipvpn enable
exit

IP REDISTRIBUTION CONFIGURATION - VRF

router vrf green


isis redistribute direct
isis redistribute direct metric 1
isis redistribute direct enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS

isis apply redistribute direct vrf green

VRF red configuration


The following figure shows the red VRF in this Layer 3 VSN example.

Figure 135: Layer 3 VSN — VRF red


The following sections show the steps required to configure the red VRF parameters in this example.

VRF red – Switch-C


VRF CONFIGURATION

ip vrf red vrfid 2

VLAN CONFIGURATION

vlan create 201 type port-mstprstp 0


vlan mlt 201 1
vlan members 201 1/2 portmember
interface Vlan 201
vrf red
ip address 10.2.201.1 255.255.255.0 1
exit

ISIS PLSB IPVPN CONFIGURATION

router vrf red


ipvpn
i-sid 13990002
ipvpn enable
exit

IP REDISTRIBUTION CONFIGURATION - VRF

router vrf red


isis redistribute direct
isis redistribute direct metric 1
isis redistribute direct enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS

isis apply redistribute direct vrf red

VRF red – Switch-D


VRF CONFIGURATION

ip vrf red vrfid 2

VLAN CONFIGURATION

vlan create 202 type port-mstprstp 0


vlan mlt 202 1
vlan members 202 1/2 portmember
interface Vlan 202
vrf red
ip address 10.2.202.1 255.255.255.0 1
exit

ISIS PLSB IPVPN CONFIGURATION

router vrf red


ipvpn
i-sid 13990002
ipvpn enable
exit

IP REDISTRIBUTION CONFIGURATION - VRF

router vrf red


isis redistribute direct
isis redistribute direct metric 1
isis redistribute direct enable
exit

IP REDISTRIBUTE APPLY CONFIGURATIONS

isis apply redistribute direct vrf red

Verifying Layer 3 VSN operation


The following sections show the steps required to verify the Layer 3 VSN configuration in this example.

Switch-C
Switch-C:1# show isis spbm ip-unicast-fib
================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE
--------------------------------------------------------------------------------
GRT - - 10.0.0.2/32 Switch-D 4000 1/3 20 1 7
GRT - - 10.0.14.0/24 Switch-D 4000 1/3 20 1 7
--------------------------------------------------------------------------------
Total number of SPBM IP-UNICAST FIB entries 2
--------------------------------------------------------------------------------
Switch-C:1# show isis spbm ip-unicast-fib id 13990001
================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
====================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE
------------------------------------------------------------------------------------
green - 13990001 10.1.101.0/24 Switch-D 4000 1/2 20 1 7
------------------------------------------------------------------------------------
Total number of SPBM IP-UNICAST FIB entries 1
------------------------------------------------------------------------------------

Switch-C:1# show isis spbm ip-unicast-fib id 13990002


================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
====================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE
------------------------------------------------------------------------------------
red - 13990002 10.2.202.0/24 Switch-D 4000 1/3 20 1 7

------------------------------------------------------------------------------------
Total number of SPBM IP-UNICAST FIB entries 1
------------------------------------------------------------------------------------
Switch-C:1# show isis spbm ip-unicast-fib id all
===================================================================================
SPBM IP-UNICAST FIB ENTRY INFO

===================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE
-----------------------------------------------------------------------------------
GRT - - 10.0.0.2/32 Switch-D 4000 1/3 20 1 7
GRT - - 10.0.14.0/24 Switch-D 4000 1/3 20 1 7
green - 13990001 10.1.102.0/24 Switch-D 4000 1/3 20 1 7
red - 13990002 10.2.202.0/24 Switch-D 4000 1/3 20 1 7

-----------------------------------------------------------------------------------
Total number of SPBM IP-UNICAST FIB entries 4
-----------------------------------------------------------------------------------

Switch-D
Switch-D:1# show isis spbm ip-unicast-fib
================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE
--------------------------------------------------------------------------------
GRT - - 10.0.0.1/32 Switch-C 4000 1/2 20 1 7
GRT - - 10.0.13.0/24 Switch-C 4000 1/2 20 1 7


--------------------------------------------------------------------------------
Total number of SPBM IP-UNICAST FIB entries 2
--------------------------------------------------------------------------------
Switch-D:1# show isis spbm ip-unicast-fib id 13990001
================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
====================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE
------------------------------------------------------------------------------------
green - 13990001 10.1.101.0/24 Switch-C 4000 1/2 20 1 7
------------------------------------------------------------------------------------
Total number of SPBM IP-UNICAST FIB entries 1
------------------------------------------------------------------------------------

Switch-D:1# show isis spbm ip-unicast-fib id 13990002


================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
====================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE
------------------------------------------------------------------------------------
red - 13990002 10.2.201.0/24 Switch-C 4000 1/2 20 1 7
------------------------------------------------------------------------------------
Total number of SPBM IP-UNICAST FIB entries 1
------------------------------------------------------------------------------------
Switch-D:1# show isis spbm ip-unicast-fib id all
================================================================================
SPBM IP-UNICAST FIB ENTRY INFO
====================================================================================
VRF DEST OUTGOING SPBM PREFIX IP ROUTE
VRF ISID ISID Destination NH BEB VLAN INTERFACE COST COST PREFERENCE
------------------------------------------------------------------------------------
GRT - - 10.0.0.1/32 Switch-C 4000 1/2 20 1 7
GRT - - 10.0.13.0/24 Switch-C 4000 1/2 20 1 7
green - 13990001 10.1.101.0/24 Switch-C 4000 1/2 20 1 7
red - 13990002 10.2.201.0/24 Switch-C 4000 1/2 20 1 7
------------------------------------------------------------------------------------
Total number of SPBM IP-UNICAST FIB entries 4
-------------------------------------------------------------------------------------
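
The following is an added example, not part of the VOSS guide or of any Extreme Networks tooling. It parses captured `show isis spbm ip-unicast-fib id all` output and checks that every VRF route carries the I-SID configured for that VRF, which is the property that keeps the green and red tenants separated. The per-VRF supernets and the faulty capture are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Tenant plan for this example: the I-SIDs come from the configuration above;
# the per-VRF supernets are an assumption based on its 10.1.x / 10.2.x addressing.
EXPECTED = {
    "green": (13990001, ipaddress.ip_network("10.1.0.0/16")),
    "red": (13990002, ipaddress.ip_network("10.2.0.0/16")),
}

# One data row: VRF, VRF ISID, DEST ISID, Destination, NH BEB, VLAN,
# OUTGOING INTERFACE, SPBM COST, PREFIX COST, IP ROUTE PREFERENCE.
ROW = re.compile(
    r"^(?P<vrf>\S+)\s+(?P<vrf_isid>\S+)\s+(?P<dest_isid>-|\d+)\s+"
    r"(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<nh_beb>\S+)\s+(?P<vlan>\d+)\s+"
    r"(?P<port>\S+)\s+(?P<spbm_cost>\d+)\s+(?P<prefix_cost>\d+)\s+(?P<pref>\d+)$"
)
TOTAL = re.compile(r"Total number of SPBM IP-UNICAST FIB entries\s+(\d+)")


@dataclass(frozen=True)
class FibEntry:
    vrf: str
    dest_isid: Optional[int]
    dest: ipaddress.IPv4Network
    nh_beb: str


def parse_fib(text: str) -> List[FibEntry]:
    """Extract data rows; banners, rulers, prompts and headers do not match ROW."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            isid = None if m["dest_isid"] == "-" else int(m["dest_isid"])
            dest = ipaddress.ip_network(m["dest"], strict=False)
            entries.append(FibEntry(m["vrf"], isid, dest, m["nh_beb"]))
    return entries


def audit_capture(text: str, expected=EXPECTED) -> List[str]:
    """Return findings for one captured output; an empty list means clean."""
    entries = parse_fib(text)
    findings = []
    total = TOTAL.search(text)
    # A row count that differs from the switch's own total means a truncated capture.
    if total and int(total.group(1)) != len(entries):
        findings.append(f"parsed {len(entries)} rows but the switch reported {total.group(1)}")
    for e in entries:
        if e.vrf == "GRT":
            if e.dest_isid is not None:
                findings.append(f"GRT route {e.dest} carries I-SID {e.dest_isid}")
            continue
        if e.vrf not in expected:
            findings.append(f"{e.dest} is in unplanned VRF {e.vrf}")
            continue
        isid, supernet = expected[e.vrf]
        if e.dest_isid != isid:
            findings.append(f"VRF {e.vrf} route {e.dest} uses I-SID {e.dest_isid}, expected {isid}")
        if not e.dest.subnet_of(supernet):
            findings.append(f"VRF {e.vrf} route {e.dest} is outside {supernet}")
    return findings


# Rows copied from the Switch-D "id all" output shown above.
PAGE_CAPTURE = """\
Switch-D:1# show isis spbm ip-unicast-fib id all
GRT - - 10.0.0.1/32 Switch-C 4000 1/2 20 1 7
GRT - - 10.0.13.0/24 Switch-C 4000 1/2 20 1 7
green - 13990001 10.1.101.0/24 Switch-C 4000 1/2 20 1 7
red - 13990002 10.2.201.0/24 Switch-C 4000 1/2 20 1 7
Total number of SPBM IP-UNICAST FIB entries 4
"""

# Constructed capture with deliberate faults: a red route on the green I-SID,
# a green route outside the green supernet, and a total that does not match.
FAULTY_CAPTURE = """\
Switch-D:1# show isis spbm ip-unicast-fib id all
GRT - - 10.0.0.1/32 Switch-C 4000 1/2 20 1 7
green - 13990001 10.1.101.0/24 Switch-C 4000 1/2 20 1 7
red - 13990001 10.2.201.0/24 Switch-C 4000 1/2 20 1 7
green - 13990001 10.2.50.0/24 Switch-C 4000 1/2 20 1 7
Total number of SPBM IP-UNICAST FIB entries 5
"""

if __name__ == "__main__":
    for label, capture in (("page", PAGE_CAPTURE), ("faulty", FAULTY_CAPTURE)):
        print(label, audit_capture(capture) or "clean")
```
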

VRF green—Switch-C
Switch-C:1# show ip route vrf green
================================================================================
IP Route - VRF green
================================================================================
NH INTER
DST MASK NEXT VRF/ISID COST FACE PROT AGE TYPE PRF
--------------------------------------------------------------------------------
10.1.101.0 255.255.255.0 10.1.101.1 - 1 101 LOC 0 DB 0
10.1.102.0 255.255.255.0 Switch-D vrf green 20 4000 ISIS 0 IBSV 7

2 out of 2 Total Num of Route Entries, 0 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Rout
e,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed

VRF green—Switch-D
Switch-D:1# show ip route vrf green
================================================================================
IP Route - VRF green
================================================================================
NH INTER
DST MASK NEXT VRF/ISID COST FACE PROT AGE TYPE PRF
--------------------------------------------------------------------------------
10.1.101.0 255.255.255.0 Switch-C vrf green 20 4000 ISIS 0 IBSV 7
10.1.102.0 255.255.255.0 10.1.102.1 - 1 102 LOC 0 DB 0

2 out of 2 Total Num of Route Entries, 0 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Rout
e,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed

VRF red—Switch-C
Switch-C:1# show ip route vrf red
================================================================================
IP Route - VRF red
================================================================================
NH INTER
DST MASK NEXT VRF/ISID COST FACE PROT AGE TYPE PRF
--------------------------------------------------------------------------------
10.2.201.0 255.255.255.0 10.2.201.1 - 1 201 LOC 0 DB 0
10.2.202.0 255.255.255.0 Switch-D vrf red 20 4000 ISIS 0 IBSV 7

2 out of 2 Total Num of Route Entries, 0 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Rout
e,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed

VRF red—Switch-D
Switch-D:1# show ip route vrf red
================================================================================
IP Route - VRF red
================================================================================
NH INTER
DST MASK NEXT VRF/ISID COST FACE PROT AGE TYPE PRF
--------------------------------------------------------------------------------
10.2.201.0 255.255.255.0 Switch-C vrf red 20 4000 ISIS 0 IBSV 7
10.2.202.0 255.255.255.0 10.2.202.1 - 1 202 LOC 0 DB 0
2 out of 2 Total Num of Route Entries, 0 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Rout
e,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed

Layer 3 Video Surveillance

Table 112: Layer 3 Video Surveillance install script product support


Feature: Layer 3 Video Surveillance install script (formerly known as the run vms endura script)

Product            Release introduced
VSP 4450 Series    VOSS 4.1
VSP 4900 Series    VOSS 8.1. To support this feature, VIM installation is mandatory in VSP4900-48P.
VSP 7200 Series    Not Supported
VSP 7400 Series    Not Supported
VSP 8200 Series    Not Supported
VSP 8400 Series    Not Supported
VSP 8600 Series    Not Supported
XA1400 Series      Not Supported

Layer 3 Video Surveillance install script


Note
The Layer 3 Video Surveillance install script performs the same function as the run vms
endura script. However, the switch continues to support the run vms endura script for
backward compatibility.

The run vms layer-3 switch command runs the Layer 3 Video Surveillance install script that
pre-configures basic and common configuration parameters to deploy a video surveillance network. Use
this script to quickly and easily deploy a video surveillance network in accordance with best practices,
using networking equipment.

With this script, a single command on a switch configures the core switch where the video
surveillance management and operation systems reside. Similarly, the same command configures
each edge switch where the IP cameras connect.

The switch must be in a factory-default state, to ensure correct operation of the configuration.

The Layer 3 Video Surveillance install script performs the following tasks:
• Creates a Shortest Path Bridging (SPB) network core solution with IP Shortcuts to connect IP subnet
zones between the core and edge IP subnets.
• Configures all network edge IP subnet areas containing IP cameras with an IP gateway address, that
is redistributed over the SPB fabric. This enables the fabric core to act as a single IP routing entity for
the solution.

• Relays DHCP services between each IP subnet area and the central server, for IP camera address
allocation.
• Enables IP multicast over Fabric Connect virtualization, to support and enable efficient IP multicast
communication over the fabric core from IP cameras to central Video Management System (VMS)
servers, for viewing and recording video streams.

CLI Command Switch Value


You must specify a value for the switch in the install script command, and the value must be between 5
and 99. Use the value 5 for a core switch where the VMS core systems are connected.

Use the range 6–99 for switch values when you run the script on edge or access layer switches. Ensure
that the switch value is unique for each additional switch that is part of the solution.

For example, the first edge or access switch with the IP Cameras connected would use a value of switch
6. For additional edge or access switches, use switch 7, switch 8, and so on, for each IP subnet and IP
camera zone. You can connect up to 48 IP cameras to a switch within an IP subnet zone.

Switch Parameters Configured by the Script


The following list identifies the major parameters configured by the run vms layer-3 command:
• SNMP-Server switch hostname
• SPB parameters such as System ID, Nickname, SPB Area ID, Backbone VLAN IDs (4051 and 4052),
Multicast virtualization, and Connectivity Fault Management (CFM)
• IP loopback interface addresses
• IP redistribution over IS-IS (IP Shortcuts)
• All SFP ports as SPB NNI ports
• All copper RJ-45 ports as end device ports with Spanning Tree enabled
• Spanning Tree mstprstp mode
• VLAN port memberships
• VLAN IP address (Gateway IP for VLAN)
• DHCP Relay

Note
DHCP Relay parameters are configured only when you run the script on VSP4900-48P
switches.

Configuration File
After successful completion of the Layer 3 Video Surveillance install script, the switch saves the
configuration with a filename based on the switch value provided when you ran the script. The switch
updates the primary boot configuration file flags with the new filename.

For example, running the command run vms layer-3 switch 5 results in a switch configuration
filename of spb-switch-5.cfg.

Hardware Considerations
The following list identifies which switches to configure as either a core or edge switch in a VMS
solution:
• Core switch:
◦ VSP 4450GSX-PWR+

Ports 13 to 50 are NNI ports. All other ports are untagged access ports.
◦ VSP4900-12MXU-12XE

Ports 1 to 12 and the Extreme Integrated Application Hosting (IAH) ports are untagged access
ports. Ports 13 to 24, and optional Versatile Interface Module (VIM) ports, are NNI ports.
◦ VSP4900-24S

Ports 1 to 12 are untagged access ports. Ports 13 to 24, and optional VIM ports, are NNI ports.
◦ VSP4900-24XE

Ports 1 to 12 and the IAH ports are untagged access ports. Ports 13 to 24, and optional VIM ports,
are NNI ports.
• Edge switch:
◦ VSP4900-48P

Note
To support this feature, VIM installation is mandatory in VSP4900-48P. The VIM ports
are configured as NNI ports while all fixed ports are untagged access ports.

Modes
The run vms layer-3 command can run in one of two modes:
• Non-verbose mode: This mode is a fully automated configuration. The command runs the script
with all of the defined variable values, without user intervention. This mode is the default mode.
• Verbose mode: This mode prompts you to accept or change the default parameters.

Note
Product Notice: Verbose mode only applies to VSP 4900 Series.

Run the Layer 3 Video Surveillance install script


Use the following procedure to run the Layer 3 Video Surveillance install script.

Note
The run vms layer-3 switch command performs the same function as the run
vms endura switch command. The switch supports the run vms endura switch
command only for backward compatibility.

Before You Begin

The switch must be in a factory default state; the switch prompts you to confirm this.

About This Task

Use a switch value of 5 for a switch in the network core where the Video Management System (VMS)
servers connect. Use a switch value of 6 onwards (until and including 99) for all switches that connect IP
Cameras at the network edge/access layer.

For each additional area and switch, increment the switch number by one. For example, use switch 7
for the second edge switch. The configuration uses the number you specify to customize the IP subnet,
loopback addresses, and SPB information.

Procedure
1. Enter Global Configuration mode:
   enable
   configure terminal
2. Run the Layer 3 Video Surveillance install script:
   run vms layer-3 switch <5-99> [syntax | verbose]

Examples
The following example shows the configuration of a switch in the VMS core and shows the configuration
file created by the script.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch:1(config)#run vms layer-3 switch 5


Do you want to execute the run vms script? Device needs to be in factory default state.
(y/n) ? y
CP1 [05/05/17 07:48:33.760:IST] 0x000045e3 00000000 GlobalRouter SNMP INFO Save config
successful.
CP1 [05/05/17 07:48:37.951:IST] 0x000045e3 00000000 GlobalRouter SNMP INFO Save config
successful.

**Previous configurations stored in pre_vms_install.cfg**


**New VMS configurations stored in new primary config file spb-switch-5.cfg**

*** VMS script execution complete ***


Switch:1(config)#exit
Switch:1#

The following example shows the configuration of a switch at the edge, and shows the configuration file
created by the script.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

switch:1(config)#run vms layer-3 switch 6


Do you want to execute the run vms script? Device needs to be in factory default state.
(y/n) ? y
CP1 [05/05/17 07:54:04.046:IST] 0x000045e3 00000000 GlobalRouter SNMP INFO Save config
successful.
CP1 [05/05/17 07:54:05.760:IST] 0x000045e3 00000000 GlobalRouter SNMP INFO Save config
successful.

**Previous configurations stored in pre_vms_install.cfg**


**New VMS configurations stored in new primary config file spb-switch-6.cfg**

*** VMS script execution complete ***


Switch:1(config)#exit
Switch:1#

Variable Definitions
The following table defines parameters for the run vms layer-3 switch command.

Variable    Value
<5-99>      Specifies the numeric switch value used as a common element to configure switch
            parameters such as name, VLAN ID, SPB, and IP parameters.
            Note: Use a switch value of 5 for a switch in the network core where the Video
            Management System (VMS) servers are connected. Use a value of 6 onwards (until and
            including 99) for all switches used for connecting IP Cameras at the network
            edge/access layer.
syntax      Specifies that the switch displays all the commands run by the script on the console.
            Use this parameter to see errors that the script encounters.
            Note: The script does not stop if it encounters errors. To verify that the script runs
            without errors, use the syntax parameter to display errors or conflicting
            configurations on the switch.
verbose     Specifies that the switch prompts you to accept or change the default configuration
            values. If you do not use this optional parameter, the script runs without user
            intervention.

Internet Key Exchange
IKEv2
Using IKE for Secure AAA Server Communication
Restrictions
IKE Configuration using CLI
IKE Configuration using EDM

Table 113: Internet Key Exchange product support


Feature: Internet Key Exchange (IKE) v2
Note: VOSS Releases 6.0 and 6.0.1 do not support this feature.

Product            Release introduced
VSP 4450 Series    VOSS 5.1.2
VSP 4900 Series    VOSS 8.1
VSP 7200 Series    VOSS 5.1.2
VSP 7400 Series    VOSS 8.0
VSP 8200 Series    VOSS 5.1.2
VSP 8400 Series    VOSS 5.1.2
VSP 8600 Series    VSP 8600 8.0 demonstration feature
XA1400 Series      VOSS 8.0.50

The Internet Key Exchange (IKE) protocol creates a Security Association (SA) in IPsec. The SA is the
relationship between two network devices that defines attributes such as authentication mechanism,
encryption and hash algorithms, exchange mode, and key length for secured communications. Both
devices should agree on the SA.

The IKE protocol is based on Internet Security Association and Key Management Protocol (ISAKMP)
which helps in building a secured connection between two or more hosts using the following concepts:
• authentication
• encryption
• key management
• security association (SA)
• policy

IKE uses a key exchange mechanism based on the Diffie-Hellman encryption key exchange protocol.
IKE provides periodic automatic key renegotiation, pre-shared and public key infrastructures, and
anti-replay defense. It is layered on top of the UDP protocol and uses UDP port 500 to exchange
information between peers.

IKE Phases
A switch negotiates with a peer using IKE in two phases.
• In phase 1, the switch negotiates the IKE SA to protect the negotiations that take place in phase
2. The SAs negotiated in phase 1 are bi-directional, and are applicable to traffic originating in both
directions.
• In phase 2, the peers negotiate and establish the SAs for IPsec and session keys through quick
mode. A Diffie-Hellman key exchange is done to achieve perfect forward secrecy, which ensures that
the compromise of a single key does not permit access to data other than that protected by that
compromised key. The SAs in phase 2 are uni-directional. They are used according to the direction of
the traffic. The quick mode is initiated by either of the peer endpoints irrespective of who initiated
phase 1.

IKE Modes
There are two modes of exchanging messages in Phase 1:
• Main mode

This is a secure mode of exchanging messages. It allows protection of the confidentiality of the peers
during negotiation. This mode provides more flexibility in proposals compared to aggressive mode.
As the main mode requires a total of 6 messages to be exchanged between peers, it is more time
consuming.
• Aggressive mode

This mode is less secure than the main mode. It does not protect the confidentiality of the peers.
However, it requires only a total of 3 messages to be exchanged for phase 1, which makes this mode
faster than the main mode. The number of total message exchange is reduced in this mode because
some messages are embedded in other messages.

The mode of message exchange in phase 2 is called quick mode. In this mode, a total of 3 messages are
exchanged between the peers. This mode is used to establish the IPsec SA. The negotiations in quick
mode are protected during the phase 1 negotiations in main mode.

IKE Policies
A combination of security parameters used during the IKE SA negotiation is called a policy. The policies
must be configured on both peers, and at least one of the policies should match on both ends to
have a successful negotiation. If a policy is not configured on both peers or if a policy does not
match on both ends, an SA cannot be set up and data cannot be exchanged.

The following are the attributes of an IKE policy:


• Encryption — This is the cryptographic algorithm that is sent in the proposal by the initiator or
responder during the phase 1 negotiation. This cryptographic algorithm is used to encrypt phase 2
negotiation messages. The supported encryption algorithms are:
◦ DES
◦ 3DES

◦ AES
• Hash function — This function is used as part of the authentication mechanism during the
authentication of peers in phase 1. It is always used with the authentication algorithm. The supported
values are:
◦ MD5
◦ SHA1
◦ SHA256
• Authentication — This process authenticates the peers. Following are the supported authentication
modes:
◦ Digital Signatures — Digital signatures use a digital certificate that is signed by the certificate
authority (CA) for authentication.
◦ Pre-shared keys (PSK) — The PSKs are shared out-of-band between the peers beforehand.
Using PSK in main mode exchange limits identifying the peer to an IP address (and not host
name).
• Diffie-Hellman (DH) Group — This is an algorithm used by two peers that are unknown to each
other to establish a shared secret key. This key that is decided during phase 1 is used to encrypt
subsequent message exchanges during phase 2 to establish security associations (SA) and security
policies (SP) for IPsec sessions. The supported DH Groups are as follows:
◦ Group 1 (MODP768)
◦ Group 2 (MODP1024)
◦ Group 14 (MODP2048)
• Lifetime — This is a time and data limit agreed by peers to protect an SA from getting compromised.
It ensures that the peers renegotiate the SAs just before the lifetime value expires, that is, when the
time limit is reached.
• Dead-peer detection – This is a process in which the switch waits for a response from the peer for a
limited number of seconds before declaring the peer as dead. It is a keep-alive mechanism required
to perform IKE peer fail-over and to reclaim lost resources by freeing up SAs that are no longer in
use.
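
The following is an added example, not part of the VOSS guide and not switch CLI syntax. It models the policy matching described above and shows that a legacy policy left configured on both peers can still be the one negotiated, so an audit should list every weak policy the two peers share. The field labels, policy names, and the rule that proposals are tried in the initiator's configured order are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IkePolicy:
    """One IKE phase 1 policy; field labels are this example's, not CLI syntax."""
    name: str
    encryption: str  # DES, 3DES or AES (the algorithms listed above)
    hash_alg: str    # MD5, SHA1 or SHA256
    auth: str        # "psk" or "digital-signature"
    dh_group: int    # 1, 2 or 14

    def proposal(self) -> Tuple[str, str, str, int]:
        # Attributes both peers must agree on for the policy to match.
        return (self.encryption, self.hash_alg, self.auth, self.dh_group)


# Values from the supported lists that current guidance treats as legacy.
WEAK_ENCRYPTION = {"DES": "56-bit key", "3DES": "64-bit block cipher"}
WEAK_HASH = {"MD5": "practical collisions", "SHA1": "practical collisions"}
WEAK_DH = {1: "768-bit MODP group", 2: "1024-bit MODP group"}


def weaknesses(policy: IkePolicy) -> List[str]:
    """List the legacy parameters a policy uses; empty means none were found."""
    found = []
    if policy.encryption in WEAK_ENCRYPTION:
        found.append(f"encryption {policy.encryption}: {WEAK_ENCRYPTION[policy.encryption]}")
    if policy.hash_alg in WEAK_HASH:
        found.append(f"hash {policy.hash_alg}: {WEAK_HASH[policy.hash_alg]}")
    if policy.dh_group in WEAK_DH:
        found.append(f"DH group {policy.dh_group}: {WEAK_DH[policy.dh_group]}")
    return found


def negotiate(initiator: Sequence[IkePolicy],
              responder: Sequence[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy]]:
    """Return (initiator policy, responder policy) for the first match, else None.

    Assumption: proposals are tried in the initiator's configured order.
    """
    by_proposal = {}
    for p in responder:
        by_proposal.setdefault(p.proposal(), p)
    for p in initiator:
        match = by_proposal.get(p.proposal())
        if match is not None:
            return (p, match)
    return None  # no common policy: the SA cannot be set up


def negotiable_weak(initiator: Sequence[IkePolicy],
                    responder: Sequence[IkePolicy]) -> List[str]:
    """Names of weak initiator policies that the responder would also accept."""
    accepted = {p.proposal() for p in responder}
    return [p.name for p in initiator if p.proposal() in accepted and weaknesses(p)]


def harden(policies: Sequence[IkePolicy]) -> List[IkePolicy]:
    """Drop every policy that uses a legacy parameter."""
    return [p for p in policies if not weaknesses(p)]


# Constructed policy sets for three peers.
SWITCH_A = [IkePolicy("legacy", "3DES", "MD5", "psk", 2),
            IkePolicy("strong", "AES", "SHA256", "psk", 14)]
SWITCH_B = [IkePolicy("strong", "AES", "SHA256", "psk", 14),
            IkePolicy("legacy", "3DES", "MD5", "psk", 2)]
SWITCH_C = [IkePolicy("cert-only", "AES", "SHA256", "digital-signature", 14)]

if __name__ == "__main__":
    print("A -> B selects:", negotiate(SWITCH_A, SWITCH_B)[0].name)
    print("weak and negotiable:", negotiable_weak(SWITCH_A, SWITCH_B))
    print("after hardening:", negotiate(harden(SWITCH_A), harden(SWITCH_B))[0].name)
    print("A -> C:", negotiate(SWITCH_A, SWITCH_C))
```
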

IKE Authentication
The security gateway of a peer must authenticate the security gateway of the peer it intends to
communicate with. This ensures that IKE SAs are established between the peers. The switch supports
the following two authentication methods:
• Digital certificates (using RSA algorithms)

For digital certificate authentication, the initiator signs the message interchange data using the
private key. The responder uses the public key of the initiator to verify the signature. The public key
is exchanged by messages containing an X.509v3 certificate. This certificate provides an assurance
that the identity of a peer, as represented in the certificate, is associated with a particular public key.
• Pre-shared keys

For pre-shared key authentication, the same secret must be configured on both security gateways
before the gateways can authenticate each other.

Signature Authentication
The switch receives the digital signature of its peer in a message exchange. The switch verifies the
digital signature by using the public key of the peer. The certificate of the peer, received during the IKE
negotiation, contains the public key. To ensure that the peer certificate is valid, the switch verifies its
digital signature by using the certificate authority (CA) public key contained in the root CA certificate.
The switch and its IKE peer require at least one common trusted root CA for authentication to work.

When IKE is configured to use digital certificates for authentication, the certificates are retrieved from
the trusted certificate store in the switch, based on the provided distinguished name. The certificates
received from the peer are verified with the public key.

IKEv2

The software supports IKEv2, which is an enhancement of the IKEv1 protocol. All IKEv2 communications
consist of pairs of messages: a request and a response. The IKEv2 protocol uses a non-reliable transport
protocol (UDP, using port 500). The paired exchanges give the IKEv2 protocol reliability, because
there is an expected response for each request.

IKEv2 provides a number of improvements over IKEv1, including the following:


• A simplified initial exchange of messages that reduces latency and increases connection
establishment speed.
◦ IKEv2 makes use of a single four-message exchange instead of the eight different initial
exchanges of IKEv1.

◦ It improves upon IKEv1's latency by making the initial exchange two round trips of four
messages, and allows setup of a child SA to be added on that exchange.
• Improved reliability through the use of sequence numbers, and acknowledgments.
◦ IKEv2 reduces the number of possible error states by making the protocol reliable as all
messages are acknowledged and sequenced.
• IKE SA integrity algorithms are supported only in IKEv2.
• Traffic Selectors are specified in IKEv2 by their own payload type and not by overloading ID
payloads. This makes the Traffic Selectors more flexible.
• No lifetime negotiations for IKEv2, but in IKEv1 SA lifetimes are negotiated.

IKEv2 OCSP Validation


Confirmation of certificate reliability is essential to achieve the security assurances public key
cryptography provides. One fundamental element of such confirmation is reference to certificate
revocation status. IKEv2 enables the use of Online Certificate Status Protocol (OCSP) for in-band
signaling of certificate revocation status. IKEv2 supports pre-shared key and digital certificate
authentication methods. With OCSP, the device can verify whether the digital certificate sent by the
peer has been revoked. To do this, the device sends the digital certificate to the OCSP server. The
OCSP server in turn verifies the certificate status and sends the response back. Based on the response
from the OCSP server, the device validates the certificate.

Using IKE for Secure AAA Server Communication


Note
Secure AAA server communication is only supported on VSP 8600 Series, and only as a
demonstration feature. Demonstration features are for lab use only and are not for use in a
production environment.

The VSP 8600 Series supports IP Security (IPsec) for the AAA server communication. IPsec provides
the ability to secure RADIUS and TACACS+ servers against unwanted traffic by filtering on specific
network adapters, by allowing or blocking specific protocols and enabling the server to selectively allow
traffic from specific source IP addresses.

An AAA server program deals with requests for access to computer resources and
provides authentication, authorization, and accounting (AAA) services. The switch communicates with
AAA servers using Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller
Access Control System Plus (TACACS+). It is not sufficient to protect authentication information with
only RADIUS or TACACS+.

The following diagram shows the communication between AAA client and AAA server. The IPsec
module on the client encrypts the packets to the AAA server and decrypts the packets from the AAA
server. Similarly, the IPsec module on the server encrypts or decrypts the packets to or from the client.


To implement secure AAA server communication, the VSP 8600 Series software supports the following:
• IPsec with Internet Key Exchange (IKE) protocol for both IPv4 and IPv6.
• IPv4 implementation of IPsec is mainly for protocols involved in communication with AAA servers,
that is, RADIUS and TACACS+. However, it supports all UDP and TCP protocols.
• Digital signature as authentication method for IKE, in addition to the pre-shared key authentication
method.
• Automatic and manual keying for session establishment. IKE is the default automated key
management protocol for IPsec.
• IKEv1 and IKEv2 protocols.

Restrictions
This section describes the restrictions associated with this feature.
• AAA server protection is provided only for SSH/CLI/web/Telnet/Console Access Protection.
• FQDN (Fully Qualified Domain Name) is not supported to identify endpoints, because the
user configures the IP address for the AAA servers in the switch.
• XAUTH (2-factor authentication) is not supported.
• Domain of Interpretation is not supported other than for IPsec.
• NAT Traversal is not supported.
• Custom IKE messages and vendor ID for the messages are not supported.

• IKE fragmentation is not supported.
• IKE and IPsec are not supported on the Segmented Management Instance interfaces, or with
management applications such as RADIUS and TACACS+. You can configure RADIUS security with
RADsec on supported devices.

Note
Exception: VSP 8600 Series supports IKE on Segmented Management Instance and
RADIUS with IPsec as a DEMO FEATURE.

IKE Configuration using CLI


The topics in this section provide the IKE CLI configuration.

Configure an IKE Phase 1 Profile

About This Task

Use the following procedure to configure an IKE Phase 1 profile.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Create an IKE phase 1 profile:
ike profile WORD<1–32>
3. Configure the IKE phase 1 profile hash algorithm:
ike profile WORD<1–32> hash-algo <md5|sha|sha256|any>
4. Configure the IKE phase 1 profile encryption algorithm:
ike profile WORD<1–32> encrypt-algo <desCbc|3DesCbc|aesCbc|any>
5. Configure the IKE phase 1 profile Diffie-Hellman group:
ike profile WORD<1–32> dh-group <modp768|modp1024|modp2048|any>
6. Configure the IKE phase 1 encryption key length:
ike profile WORD<1–32> encrypt-key-len <128|192|256>
7. Configure the IKE phase 1 lifetime, in seconds:
ike profile WORD<1–32> lifetime-sec <0-4294967295>
8. (Optional) Delete the IKE Phase 1 profile:
no ike profile WORD<1–32>

Variable Definition
The following table defines parameters for the ike profile commands.

Variable Value
profile WORD<1–32>
    Specifies the IKE profile name.
hash-algo <md5|sha|sha256|any>
    Specifies the type of hash algorithm. The default value is sha256. To set this option to the
    default value, use the default operator with the command:
    default ike profile WORD<1–32> hash-algo
encrypt-algo <desCbc|3DesCbc|aesCbc|any>
    Specifies the type of encryption algorithm. The default value is aesCbc. To set this option to
    the default value, use the default operator with the command:
    default ike profile WORD<1–32> encrypt-algo
dh-group <modp768|modp1024|modp2048|any>
    Specifies the Diffie-Hellman (DH) group. DH groups categorize the key used in the key exchange
    process, by its strength. The key from a higher group number is more secure. The default value
    is modp2048. To set this option to the default value, use the default operator with the command:
    default ike profile WORD<1–32> dh-group
encrypt-key-len <128|192|256>
    Specifies the length of the encryption key. The default is 256. To set this option to the
    default value, use the default operator with the command:
    default ike profile WORD<1–32> encrypt-key-len
lifetime-sec <0-4294967295>
    Specifies the lifetime value in seconds. The lifetime ensures that the peers renegotiate the
    SAs just before the expiry of the lifetime value, to ensure that Security Associations are not
    compromised. The default value is 86400 seconds. To set this option to the default value, use
    the default operator with the command:
    default ike profile WORD<1–32> lifetime-sec

Create an IKE Phase 1 Policy


IKE policy establishes Security Associations (SA) and message exchanges with IKE peers to successfully
set up secured channels.

About This Task

Use the following procedure to create the IKE Phase 1 policy.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Create an IKE Phase 1 policy:
ike policy WORD<1–32> laddr WORD<1–256> raddr WORD<1–256>
3. (Optional) Delete the IKE Phase 1 policy:
no ike policy WORD<1-32>

Variable Definition
The following table defines parameters for the ike policy WORD<1–32> laddr command.

Variable Value
policy WORD<1–32> Specifies the name of the IKE Phase 1 policy.
laddr WORD<1–256> Specifies the local IPv4 or IPv6 address.
raddr WORD<1–256> Specifies the remote IPv4 or IPv6 address.

Configuring profile to be used for IKE Phase 1 policy


Use the following procedure to configure the IKE Phase 1 profile to be used for the IKE Phase 1 policy.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the profile name to be used for IKE Phase 1 policy:
ike policy WORD<1–32> profile WORD<1–32>

Variable Definition
The following table defines parameters for the ike policy WORD<1–32> profile WORD<1–32>
command.

Variable Value
policy WORD<1–32> Specifies the name of the IKE Phase 1 policy.
profile WORD<1–32> Specifies the name of the IKE Phase 1 profile to be used for the policy.
To set this option to the default value, use the default operator with the
command: default ike policy WORD<1-32> profile

Configure IKE Phase 2 Perfect Forward Secrecy


Use the following procedure to configure IKE Phase 2 perfect forward secrecy (PFS).

About This Task

A Diffie-Hellman key exchange is done to achieve perfect forward secrecy. This ensures that the
compromise of even a single key does not permit access to data other than that protected by that key.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the IKE Phase 2 perfect forward secrecy:
ike policy WORD<1–32> p2-pfs <enable|disable> [use-ike-group <enable|disable>] [dh-group <modp768|modp1024|modp2048|any>]
3. (Optional) Disable Phase 2 perfect forward secrecy:
no ike policy WORD<1–32> p2-pfs

Variable Definition
The following table defines parameters for the ike policy WORD<1–32> p2-pfs command.

Variable Value
policy WORD<1–32>
    Specifies the name of the IKE Phase 1 policy.
p2-pfs
    Enables the Phase 2 perfect forward secrecy.
dh-group <modp768|modp1024|modp2048|any>
    Configures the Diffie-Hellman (DH) group to be used for Phase 2 perfect forward secrecy (PFS).
    The default value is modp2048. To configure this option to the default value, use the default
    operator with the command:
    default ike policy WORD<1–32> p2-pfs dh-group
    Note:
    For Federal Information Processing Standards (FIPS) compliance, only the default value
    modp2048 is supported.
use-ike-group <enable|disable>
    Specifies whether to use the IKE Phase 1 DH group for Phase 2 PFS or not to use it. The default
    is enable. To set this option to the default value, use the default operator with the command:
    default ike policy WORD<1–32> p2-pfs use-ike-group

Configure the IKE Authentication Method


Use the following procedure to configure the IKE authentication method. The default is pre-shared key.

About This Task

As part of the IKE protocol, one security gateway must authenticate another security gateway to make
sure that IKE SAs are established with the intended party. The switch supports two authentication
methods:
• Digital certificates
  Configure peer identity name for IKE phase 1 and revocation check method.
• Pre-shared keys
  Configure the same secret on both security gateways before the gateways can authenticate each
  other.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the IKE authentication method using one of the following:
• To use a digital certificate:
ike policy WORD<1–32> auth-method digital-certificate [peer-name WORD<1-64> | revocation-check-method <crl|none|ocsp>]
• To use a pre-shared key:
ike policy WORD<1–32> auth-method pre-shared-key
ike policy WORD<1–32> pre-shared-key WORD<0-32>

Variable Definitions
The following table defines parameters for the ike policy WORD<1–32> auth-method
command.

Variable Value
pre-shared-key
    Specifies the authentication method as pre-shared key.
digital-certificate peer-name WORD<1-64>
    Specifies peer identity name for IKE phase 1.
digital-certificate revocation-check-method <crl|none|ocsp>
    Specifies the revocation check method. To set this option to the default value, use the default
    operator with the command:
    default ike policy WORD<1–32> revocation-check-method

The following table defines parameters for the ike policy WORD<1–32> pre-shared-key
command.

Variable Value
pre-shared-key WORD<0–32>
    Specifies the pre-shared key. For Federal Information Processing Standards (FIPS) compliance,
    the minimum length is 14 characters.

Configure Dead-Peer Detection Timeout


Use the following procedure to configure the dead-peer detection (DPD) timeout for the IKE Phase 1
policy.

About This Task

Dead Peer Detection (DPD) timeout is the interval for which the system sends messages to a peer to
confirm its availability.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the DPD timeout:
ike policy WORD<1–32> dpd-timeout <1–4294967295>

Variable Definition
The following table defines parameters for the ike policy WORD<1–32> dpd-timeout
command.

Variable Value
policy WORD<1–32>
    Specifies the name of the IKE Phase 1 policy.
dpd-timeout <1–4294967295>
    Specifies the dead peer detection timeout in seconds for the IKE Phase 1 policy. The default is
    300 seconds. To set this option to the default value, use the default operator with the command:
    default ike policy WORD<1–32> dpd-timeout

Enable the Admin State of IKE Phase 1 Policy


Use the following procedure to enable the admin state of the IKE Phase 1 policy.

Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable admin state of IKE Phase 1 policy:
ike policy WORD<1–32> enable
3. (Optional) Disable IKE Phase 1 policy:
no ike policy WORD<1–32> enable
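
The CLI procedures above, from creating the profile to enabling the policy, assembled into one validated command sequence. This is an added example, not part of the guide: the IkePeer class, validate, build_commands and the sample names and addresses are assumptions, and the command syntax is used as printed on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_U32 = 4294967295  # upper bound the guide gives for lifetime-sec and dpd-timeout


@dataclass
class IkePeer:
    """Hypothetical container for one IKE Phase 1 profile/policy pair."""
    profile: str
    policy: str
    laddr: str
    raddr: str
    psk: Optional[str] = None        # None selects digital-certificate authentication
    peer_name: Optional[str] = None  # certificate peer identity, 1-64 characters
    revocation: str = "ocsp"         # "crl" or "ocsp"; this builder refuses "none"
    lifetime_sec: int = 86400
    dpd_timeout: int = 300
    fips: bool = True                # enforce the guide's 14-character PSK minimum


def _name(value: str, limit: int, what: str) -> str:
    if not 1 <= len(value) <= limit or any(c.isspace() for c in value):
        raise ValueError(f"{what} must be 1-{limit} characters without whitespace")
    return value


def validate(p: IkePeer) -> None:
    """Check the values against the ranges in the guide's variable tables."""
    _name(p.profile, 32, "profile name")
    _name(p.policy, 32, "policy name")
    local = ipaddress.ip_address(p.laddr)    # raises ValueError on a malformed address
    remote = ipaddress.ip_address(p.raddr)
    if local.version != remote.version:      # this builder's own check
        raise ValueError("laddr and raddr must be the same address family")
    if not 1 <= p.lifetime_sec <= MAX_U32:   # the CLI accepts 0; refused here
        raise ValueError("lifetime-sec out of range")
    if not 1 <= p.dpd_timeout <= MAX_U32:
        raise ValueError("dpd-timeout out of range")
    if p.psk is not None:
        if len(p.psk) > 32 or any(c.isspace() for c in p.psk):
            raise ValueError("pre-shared key must be at most 32 characters, no whitespace")
        if len(p.psk) < (14 if p.fips else 1):
            raise ValueError("pre-shared key shorter than the required minimum")
    else:
        if p.revocation not in ("crl", "ocsp"):
            raise ValueError("revocation check must be crl or ocsp")
        if p.peer_name is not None:
            _name(p.peer_name, 64, "peer-name")


def build_commands(p: IkePeer) -> List[str]:
    """Return the CLI lines in the order the procedures appear in the guide."""
    validate(p)
    prof, pol = f"ike profile {p.profile}", f"ike policy {p.policy}"
    cmds = [
        "enable",
        "configure terminal",
        prof,
        f"{prof} hash-algo sha256",           # documented defaults, stated explicitly
        f"{prof} encrypt-algo aesCbc",
        f"{prof} dh-group modp2048",
        f"{prof} encrypt-key-len 256",
        f"{prof} lifetime-sec {p.lifetime_sec}",
        f"{pol} laddr {p.laddr} raddr {p.raddr}",
        f"{pol} profile {p.profile}",
        f"{pol} p2-pfs enable use-ike-group enable",
    ]
    if p.psk is not None:
        cmds += [f"{pol} auth-method pre-shared-key", f"{pol} pre-shared-key {p.psk}"]
    else:
        if p.peer_name:
            cmds.append(f"{pol} auth-method digital-certificate peer-name {p.peer_name}")
        cmds.append(
            f"{pol} auth-method digital-certificate revocation-check-method {p.revocation}")
    cmds += [f"{pol} dpd-timeout {p.dpd_timeout}", f"{pol} enable"]
    return cmds


if __name__ == "__main__":
    # Constructed values: documentation address range, made-up names and key.
    demo = IkePeer("aaa-prof", "aaa-pol", "192.0.2.5", "192.0.2.9",
                   psk="constructed-psk-0001")
    print("\n".join(build_commands(demo)))
```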

Display IKE Profiles


Use the following procedure to display the configured IKE profiles:

Procedure
1. Enter Privileged EXEC mode:
enable
2. Display all IKE profiles:
show ike profile
3. Display a specific IKE profile:
show ike profile WORD<1–32>

Example
Switch:1#show ike profile
==========================================================================================
                                       IKE Profile
==========================================================================================
                   Hash     Encrypt   Encrypt   DH         Exchange   Lifetime
Name               Algo     Algo      Key Len   Group      Mode       seconds
------------------------------------------------------------------------------------------
DFLT_IKE_PROFILE   sha256   aesCbc    256       modp2048   main       86400
ikePRO             sha256   aesCbc    256       modp2048   main       180
test               sha256   aesCbc    256       modp2048   main       86400

Variable Definition
The following table defines parameters for the show ike profile command.

Variable Value
profile WORD<1–32> Specifies the name of the profile to be displayed.

Display IKE Policies


Use the following procedure to display the configured IKE policies.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Display all IKE policies:
show ike policy
3. Display a specific IKE policy:
show ike policy WORD<1–32>
4. Display a specific IKE policy for a local address:
show ike policy WORD<1–32> laddr WORD<1–256>
5. Display a specific IKE policy for a local and remote address:
show ike policy WORD<1–32> laddr WORD<1–256> raddr WORD<1–256>

Example
Switch:1#show ike policy
==========================================================================================
                                       IKE Policy
==========================================================================================
Policy     Addr                                        Profile
Name       Type   Local Address     Remote Address     Name
------------------------------------------------------------------------------------------
iketest3   IPv4   192.168.152.104   192.168.149.207    test
v1pol      IPv4   192.168.152.104   192.168.152.152    ikepro

==========================================================================================
                                       IKE Policy
==========================================================================================
Policy     Profile                   Pre-Shared   Revocation-Check   peer-identity
Name       Version   Auth-Method     Key          Method             name
------------------------------------------------------------------------------------------
iketest3   2         digital-cert                 ocsp
v1pol      1         digital-cert                 ocsp

==========================================================================================
                                       IKE Policy
==========================================================================================
Policy     DPD       Admin    Oper               Use IKE
Name       Timeout   State    State    P2 PFS    DH Grp    DH Group   IntfId
------------------------------------------------------------------------------------------
iketest3   300       enable   up       disable   enable    modp1024   3047
v1pol      300       enable   up       disable   enable    modp1024   3047

Variable Definition
The following table defines parameters for the show ike policy command.

Variable Value
policy WORD<1–32> Specifies the name of the policy to be displayed.
laddr WORD<1–256> Specifies the local IPv4 or IPv6 address.
raddr WORD<1–256> Specifies the remote IPv4 or IPv6 address.
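
One way to review the show ike profile and show ike policy output above for settings weaker than the documented defaults. This is an added example, not part of the guide: the function names and the sample output are constructed, and it assumes the revocation column prints the CLI keyword none.

```python
import re

# Values the CLI on this page accepts that are weaker than its documented defaults
# (sha256, aesCbc, modp2048). "any" is flagged on the assumption that it leaves the
# choice to negotiation, weaker options included.
BELOW_DEFAULT = {
    "hash": {"md5", "sha", "any"},
    "encrypt": {"desCbc", "3DesCbc", "any"},
    "dh": {"modp768", "modp1024", "any"},
}

# Constructed sample output in the layout of the page's examples (not from a device).
SAMPLE_PROFILES = """\
Switch:1#show ike profile
====================================================================
                            IKE Profile
====================================================================
                  Hash    Encrypt  Encrypt  DH        Exchange  Lifetime
Name              Algo    Algo     Key Len  Group     Mode      seconds
--------------------------------------------------------------------
DFLT_IKE_PROFILE  sha256  aesCbc   256      modp2048  main      86400
legacy            md5     3DesCbc  192      modp1024  main      0
"""

SAMPLE_POLICIES = """\
Switch:1#show ike policy
====================================================================
                            IKE Policy
====================================================================
Policy  Addr                                   Profile
Name    Type  Local Address  Remote Address    Name
--------------------------------------------------------------------
lab1    IPv4  192.0.2.10     192.0.2.20        DFLT_IKE_PROFILE
lab2    IPv4  192.0.2.10     192.0.2.30        legacy
====================================================================
                            IKE Policy
====================================================================
Policy  Profile                Pre-Shared  Revocation-Check  peer-identity
Name    Version  Auth-Method   Key         Method            name
--------------------------------------------------------------------
lab1    2        digital-cert              none
lab2    2        digital-cert              ocsp
====================================================================
                            IKE Policy
====================================================================
Policy  DPD      Admin   Oper            Use IKE
Name    Timeout  State   State  P2 PFS   DH Grp   DH Group  IntfId
--------------------------------------------------------------------
lab1    300      enable  up     disable  enable   modp2048  3047
lab2    300      enable  up     enable   disable  modp1024  3047
"""


def table_rows(text):
    """Yield the whitespace-split data rows that follow each ---- rule."""
    in_body = False
    for line in text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"-{10,}", stripped):
            in_body = True
        elif stripped.startswith("===="):
            in_body = False
        elif in_body and stripped:
            yield stripped.split()


def audit_profiles(text):
    """Rows: Name, Hash, Encrypt, Key Len, DH Group, Mode, Lifetime."""
    findings = []
    for row in table_rows(text):
        if len(row) != 7 or not row[6].isdigit():
            continue
        name, hash_algo, encrypt, _keylen, dh, _mode, lifetime = row
        for kind, value in (("hash", hash_algo), ("encrypt", encrypt), ("dh", dh)):
            if value in BELOW_DEFAULT[kind]:
                findings.append((name, f"{kind}={value}"))
        if lifetime == "0":  # per the EDM field description, 0 means the SA never expires
            findings.append((name, "lifetime-sec=0"))
    return findings


def audit_policies(text):
    """Check the authentication table and the PFS table of `show ike policy`."""
    findings = []
    for row in table_rows(text):
        name = row[0]
        if len(row) == 8 and row[4] in ("enable", "disable"):
            _, _dpd, _admin, _oper, pfs, use_ike, dh, _intf = row
            if pfs == "disable":
                findings.append((name, "p2-pfs disabled"))
            elif use_ike == "disable" and dh in BELOW_DEFAULT["dh"]:
                # The policy's own DH group only applies when use-ike-group is disabled.
                findings.append((name, f"p2-pfs dh-group={dh}"))
        elif len(row) >= 3 and row[1] in ("1", "2") and row[2].startswith("digital"):
            if "none" in row[3:]:
                findings.append((name, "revocation-check-method none"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_profiles(SAMPLE_PROFILES) + audit_policies(SAMPLE_POLICIES):
        print(f"{name}: {issue}")
```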

Display IKE Security Association


Use the following procedure to display the IKE Phase 1 security associations (SA) for versions 1
and 2.

Procedure

1. Enter Privileged EXEC mode:
enable
2. Display all the security associations:
show ike sa
3. Display security associations for IKE Phase 1 for version 1:
show ike sa version v1 WORD<1-32> laddr WORD<1-256> raddr WORD<1-256>
4. Display security associations for IKE Phase 1 for version 2:
show ike sa version v2 WORD<1-32> laddr WORD<1-256> raddr WORD<1-256>

Example
Switch:1(config)#show ike sa version v1

==========================================================================================
                          IKE V1 Phase 1 Security Association
==========================================================================================
Policy     Addr                                        Initiator/
Name       Type   Local Address     Remote Address     Responder
------------------------------------------------------------------------------------------
ikepsk     IPv4   192.0.2.5         198.51.100.15      Initiator

==========================================================================================
                          IKE V1 Phase 1 Security Association
==========================================================================================
           DPD       Hash     Encrypt   DH         Lifetime
Name       Timeout   Algo     Algo      Group      seconds    Status
------------------------------------------------------------------------------------------
ikepsk     300       sha      aesCbc    modp2048   3600       active

Switch:1(config)#show ike sa version v2

==========================================================================================
                          IKE V2 Phase 1 Security Association
==========================================================================================
Policy     Addr                                        Initiator/
Name       Type   Local Address     Remote Address     Responder
------------------------------------------------------------------------------------------
v2policy   IPv4   203.0.113.6       198.51.100.20      Responder

==========================================================================================
                          IKE V2 Phase 1 Security Association
==========================================================================================
           DPD       Hash     Encrypt   Integrity   DH         Lifetime
Name       Timeout   Algo     Algo      Algo        Group      seconds    Status
------------------------------------------------------------------------------------------
v2policy   300       sha256   aesCbc                modp2048   86400      active

Variable Definition
The following table defines parameters for the show ike sa command.

Variable Value
sa
    Specifies the IKE security association identifier.
version v1 WORD<1-32> laddr WORD<1-256> raddr WORD<1-256>
    Specifies the local IPv4 or IPv6 address for IKE Phase 1, version 1 SA.
version v2 WORD<1-32> laddr WORD<1-256> raddr WORD<1-256>
    Specifies the local IPv4 or IPv6 address for IKE Phase 1, version 2 SA.

Configure an IKEv2 Profile


About This Task

Use the following procedure to configure an IKEv2 profile.

Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create an IKEv2 profile:
ike v2-profile WORD<1–32>
3. Configure the IKEv2 profile hash algorithm:
ike v2-profile WORD<1–32> hash-algo <md5|sha|sha256|any>
4. Configure the IKEv2 profile encryption algorithm:
ike v2-profile WORD<1–32> encrypt-algo <desCbc|3DesCbc|aesCbc|any>
5. Configure the IKEv2 profile integrity algorithm:
ike v2-profile WORD<1–32> integrity-algo <hmac-md5|hmac-sha|hmac-sha256|aes-xcbc|any>
6. Configure the IKEv2 profile DH group:
ike v2-profile WORD<1–32> dh-group <modp768|modp1024|modp2048|any>
7. Configure the IKEv2 profile encryption key length:
ike v2-profile WORD<1–32> encrypt-key-len <128|192|256>
8. Configure the IKEv2 profile lifetime, in seconds:
ike v2-profile WORD<1–32> lifetime-sec <0-4294967295>
9. (Optional) Delete the IKEv2 profile:
no ike v2-profile WORD<1–32>

Variable Definition
The following table defines parameters for the ike v2-profile commands.

Variable Value
profile WORD<1–32>
    Specifies the IKE v2-profile name.
hash-algo <md5|sha|sha256|any>
    Specifies the type of hash algorithm. The default value is sha256. To set this option to the
    default value, use the default operator with the command:
    default ike v2-profile WORD<1–32> hash-algo
encrypt-algo <desCbc|3DesCbc|aesCbc|any>
    Specifies the type of encryption algorithm. The default value is aesCbc. To set this option to
    the default value, use the default operator with the command:
    default ike v2-profile WORD<1–32> encrypt-algo
integrity-algo md5|sha-1|sha-256|aes-xcbc
    Specifies the type of integrity algorithm. The default is sha256. To set this option to the
    default value, use the default operator with the command:
    default ike v2-profile WORD<1–32> integrity-algo
dh-group <modp768|modp1024|modp2048|any>
    Specifies the Diffie-Hellman (DH) group. DH groups categorize the key used in the key exchange
    process, by its strength. The key from a higher group number is more secure. The default value
    is modp2048. To set this option to the default value, use the default operator with the command:
    default ike v2-profile WORD<1–32> dh-group
encrypt-key-len <128|192|256>
    Specifies the length of the encryption key. The default is 256. To set this option to the
    default value, use the default operator with the command:
    default ike v2-profile WORD<1–32> encrypt-key-len
lifetime-sec <0-4294967295>
    Specifies the lifetime value in seconds. The lifetime ensures that the peers renegotiate the
    SAs just before the expiry of the lifetime value, to ensure that Security Associations are not
    compromised. The default value is 86400 seconds. To set this option to the default value, use
    the default operator with the command:
    default ike v2-profile WORD<1–32> lifetime-sec

Display IKEv2 Profiles


Use the following procedure to display the configured IKEv2 profiles.

Procedure

1. Enter Privileged EXEC mode:
enable
2. Display all IKEv2 profiles:
show ike v2-profile
3. Display a specific IKEv2 profile:
show ike v2-profile WORD<1–32>

Example
Switch:1#show ike v2-profile test
==========================================================================================
                                       IKE2 Profile
==========================================================================================
           Hash     Encrypt   Encrypt      Exchange
Name       Algo     Algo      Key Length   Mode
------------------------------------------------------------------------------------------
test       sha256   aesCbc    256          main

==========================================================================================
                                       IKE2 Profile
==========================================================================================
           DH         Integrity   Lifetime
Name       Group      Algorithm   seconds
------------------------------------------------------------------------------------------
test       modp2048   sha256      180

Variable Definitions
The following table defines parameters for the show ike v2-profile command.

Variable Value
WORD<1–32> Specifies the name of the profile.

Configure x509 Certificate Identity

About This Task

Use the following procedure to bind a certificate identity to the IKE certificate store.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the certificate subject name:
ike certificate-identity cert-subject-name WORD<1-45>


Variable Definitions
The following table defines parameters for the ike certificate-identity command.

Variable Value
cert-subject-name WORD<1-45> Specifies the digital certificate subject name to be
used as the identity certificate. If a subject name is
not specified, the default subject name is Global.

IKE Configuration using EDM


The topics in this section provide the IKE EDM configuration.

Configure Digital Certificate Subject Name


Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Select IKE.
3. Select the Globals tab.
4. In the CertIdentitySubjectName field, enter the digital certificate subject name to use as the
identity certificate.

Globals Field Definitions


Use the data in the following table to use the Globals tab.

Name Description
CertIdentitySubjectName Specifies the digital certificate subject name to use
as the identity certificate in IKE.

Configure IKE Phase 1 Profile


Use the following procedure to create and configure an IKE Phase 1 profile.

Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Click IKE.
3. Click the Profile tab.
4. Click Insert.
5. In the Name field, type a profile name.
6. Complete the remaining optional configuration to customize the policy.
7. Click Insert.


IKE profile field descriptions


Use the data in the following table to use the IKE > Profile tab.

Name Description
Name Specifies the name of the profile.
HashAlgorithm Specifies the hash algorithms that can be used
during IKE Phase 1 SA negotiation.
The default value is sha256.
EncryptionAlgorithm Specifies the encryption algorithms that can be
used during IKE Phase 1 SA negotiation.
The default value is aesCbc.
EncryptKeyLen Specifies the key length that should be used
during IKE Phase 1 SA negotiation.
The default value is 128.
DHGroup Specifies the Diffie-Hellman groups that can be
used during IKE Phase 1 SA negotiation.
The default value is mod1024.
ExchangeMode Specifies the IKE Phase 1 negotiation mode.
The default value is main.
LifetimeSeconds Specifies the amount of time for which an IKE
Phase 1 SA can remain valid during IKE Phase 1
negotiation. A value of 0 means the SA always
remains valid.
The default value is 86400 seconds.

Configure IKEv2 Profile


Use the following procedure to create and configure an IKEv2 profile.

Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Click IKE.
3. Click the V2 Profile tab.
4. Click Insert.
5. In the Name field, type a profile name.
6. Complete the remaining optional configuration to customize the policy.
7. Click Insert.


V2 Profile field descriptions


Use the data in the following table to use the IKE > V2 Profile tab.

Name Description
Name Specifies the IKE v2 profile name.
HashAlgorithm Specifies the type of hash algorithm that can
be used during IKE version 2 SA negotiation.
The default value is sha256.
EncryptionAlgorithm Specifies the encryption algorithms that can
be used during IKE version 2 SA negotiation.
The default value is aesCbc.
EncryptKeyLen Specifies the type of encryption algorithm. The
default value is keylen–256.
DHGroup Specifies the Diffie-Hellman (DH) group. DH
groups categorize the key used in the key
exchange process, by its strength. The key from
a higher group number is more secure. The default
value is modp2048.
ExchangeMode Specifies the IKE v2 profile negotiation mode.
The default value is main.
LifetimeSeconds Specifies the lifetime value in seconds. The lifetime
ensures that the peers renegotiate the SAs just
before the expiry of the lifetime value, to ensure
that Security Associations are not compromised.
The default value is 86400 seconds.
IntegrityAlgorithm Specifies the type of integrity algorithm.

Configure IKE Phase 1 Policy


Use the following procedure to create and configure an IKE Phase 1 policy.

Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Click IKE.
3. Click the Policy tab.
4. Click Insert.
5. In the LocalIfIndex field, click either Port or Vlan, and then select an interface.
6. In the LocalAddrType field, select the type of the local address.
7. In the LocalAddr field, type the address of the local peer.
8. In the RemoteAddrType field, select the type of the remote address.
9. In the RemoteAddr field, type the address of the remote peer.
10. In the Name field, type the name for the policy.
Name must be assigned when creating the policy. Once the policy is created, the name cannot be
changed.

11. Complete the remaining optional configuration to customize the policy.
12. Click Insert.

Policy field descriptions


Use the data in the following table to use the Policy tab.

Name Description
LocalIfIndex Specifies the Interface Index of the local address.
Only port and vlan interfaces are supported.
LocalAddrType Specifies whether the local address is an IPv4 or
IPv6 address.
LocalAddr Specifies the address of the local peer.
RemoteAddrType Specifies whether the remote address is an IPv4
or IPv6 address.
RemoteAddr Specifies the address of the remote peer.
Name Specifies the name given to the policy. The name
should be assigned while creating the policy.
You cannot change the name after the policy is
created.
ProfileName Specifies the name of the profile that should be
used for this policy.
ProfileVersion Specifies the profile version used for the policy.
PeerName Specifies the peer name.
AuthenticationMethod Specifies the proposed authentication method for
the Phase 1 security association.
The default authentication method is pre-shared
key.
PSKValue Specifies the value of the Pre-Shared Key if the
authentication method is set to PSK.
DPDTimeout Specifies the Dead Peer Detection timeout in
seconds.
Default value is 300 seconds.
P2PFS Specifies whether or not the perfect forward
secrecy (PFS) is used when refreshing keys. To use
PFS, select enable.
The default value is disable.
P2PfsUseIkeGroup Specifies whether or not to use the same GroupId
(Diffie-Hellman Group) for phase 2 as was used in
phase 1. Ignore this entry if P2PFS is disabled.
The default value is enable.
P2PfsDHGroup Specifies the Diffie-Hellman group to use
for phase 2 when P2PFS is enabled and
P2PfsUseIkeGroup is disabled.
The default value is mod1024.
AdminState Specifies whether the policy is administratively
enabled or disabled.
The default value is disable.
OperStatus Shows if the policy is operationally up or down.
RevocationCheckMethod Specifies the revocation check method as OCSP,
CRL or none.

Display IKE Phase 1 Security Association


Use the following procedure to view the IKE Phase 1 security association.

Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Click IKE.
3. Click the SA tab.

IKE SA field descriptions


Use the data in the following table to use the IKE > SA tab.

Name Description
Id Specifies the profile ID.
LocalIfIndex Specifies the Interface Index of the local address.
Only port and vlan interfaces are supported.
LocalAddrType Specifies whether the local address is an IPv4 or
IPv6 address.
LocalAddr Specifies the address of the local peer.
RemoteAddrType Specifies whether the remote address is an IPv4
or IPv6 address.
RemoteAddr Specifies the address of the remote peer.
Name Specifies the name given to the SA.
AuthenticationMethod Specifies the proposed authentication method for
the Phase 1 security association.
The default authentication method is pre-shared
key.
DPDTimeout Specifies the Dead Peer Detection timeout in
seconds.
HashAlgorithm Specifies the hash algorithm negotiated for this
IKE Phase 1 SA.
EncryptionAlgorithm Specifies the encryption algorithm negotiated for
this IKE Phase 1 SA.
EncryptKeyLen Specifies the encryption key length negotiated for
this IKE Phase 1 SA.
DHGroup Specifies the Diffie-Hellman group negotiated for
this IKE Phase 1 SA.
ExchangeMode Specifies the IKE Phase 1 SA mode.
LifetimeSeconds Specifies the amount of time for which an IKE
Phase 1 SA can remain valid during IKE Phase 1
negotiation. A value of 0 means the SA always
remains valid.
Status Specifies whether the SA is active or inactive.
Initiator Specifies whether the SA is
created by an initiator or a responder.

Display IKE V2 Security Association


Use the following procedure to view the IKE version 2 security association.

Procedure

1. In the navigation pane, expand Configuration > Security > Control Path.
2. Click IKE.
3. Click the V2 SA tab.

V2 SA field descriptions
Use the data in the following table to use the IKE > V2 SA tab.

Name Description
Id Specifies the profile ID.
LocalIfIndex Specifies the Interface Index of the local address.
Only port and vlan interfaces are supported.
LocalAddrType Specifies whether the local address is an IPv4 or
IPv6 address.
LocalAddr Specifies the address of the local peer.
RemoteAddrType Specifies whether the remote address is an IPv4
or IPv6 address.
RemoteAddr Specifies the address of the remote peer.
Name Specifies the name given to the SA.
AuthenticationMethod Specifies the proposed authentication method for
the Version 2 security association.
The default authentication method is pre-shared
key.
DPDTimeout Specifies the Dead Peer Detection timeout in
seconds.
HashAlgorithm Specifies the hash algorithm negotiated for this
IKE Version 2 SA.
EncryptionAlgorithm Specifies the encryption algorithm negotiated for
this IKE Version 2 SA.
EncryptKeyLen Specifies the encryption key length negotiated for
this IKE Version 2 SA.

DHGroup Specifies the Diffie-Hellman group negotiated for
this IKE Version 2 SA.
ExchangeMode Specifies the IKE Version 2 SA mode.
LifetimeSeconds Specifies the amount of time for which an IKE
Version 2 SA can remain valid during IKE Version 2
negotiation. A value of 0 means the SA always
remains valid.
Status Specifies whether the SA is active or inactive.
Initiator Specifies whether the SA is created by an
initiator or a responder.
IntegrityAlgorithm Specifies the type of integrity algorithm.



IP Multicast
IP multicast fundamentals
IP multicast basic configuration using CLI
IP multicast basic configuration using EDM
Multicast Listener Discovery
PIM Configuration Using the CLI
PIM Configuration Using EDM
IGMP Configuration Using the CLI
IGMP configuration using EDM
Route management using the CLI
Route management using EDM
Multicast route statistics configuration using the CLI
Multicast route statistics configuration using EDM

This section describes how to administer and configure IP Multicast Routing protocols.

The topics in this section provide conceptual background, as well as CLI and EDM configuration
procedures.

IP multicast fundamentals
IP multicast extends the benefits of Layer 2 multicasting on LANs to WANs. Use multicasting techniques
on LANs to help clients and servers find each other. With IP multicast, a source can send information to
multiple destinations in a WAN with a single transmission. IP multicast results in efficiency at the source
and saves a significant amount of bandwidth.

Enabling multicast on the switch


Shortest Path Bridging (SPB) and Protocol Independent Multicast (PIM) cannot interoperate with each
other on the switch at the same time. To ensure that SPB and PIM stay mutually exclusive, use the boot
flag called spbm-config-mode:
• The spbm-config-mode boot flag is enabled by default. This configuration enables you to
configure SPB and IS-IS, but you cannot configure PIM either globally or on an interface.

• If you disable the boot flag, you can configure PIM and IGMP Snooping, but you cannot configure
SPB or IS-IS.

Important
• Any change to the spbm-config-mode boot flag requires a reboot for the change to
take effect.
• If you plan to disable the boot flag, remove all SPB configurations first.
• If you plan to use the default (enabled) setting, remove all PIM configurations first.

Simplified Virtual-IST
Simplified Virtual-IST (vIST) is for conventional network deployments that use SMLT and not SPB. The
Simplified vIST feature provides a single CLI command to enable the virtual IST for SMLT deployments.
• Simplified vIST is available ONLY for conventional multicast deployments with PIM and IGMP when
the boot flag (spbm-config-mode) is disabled.
• When the boot flag is enabled (default setting), Simplified vIST is not available. This means that you
continue to configure SPB/IS-IS for vIST.
• Simplified vIST requires that the two vIST devices be directly connected.

Note
• PIM is supported with Simplified vIST only, not SPB vIST. However, you do not have to
configure Simplified vIST to run PIM or IGMP Snooping in a non-SMLT topology.
• Do not configure LACP on SPB NNI MLT links or on the Simplified Virtual IST.
• Do not configure ECMP in PIM Simplified vIST scenarios. Running PIM in a Simplified
vIST environment with ECMP enabled may lead to incorrect behavior since there are
multiple options in terms of choosing the upstream node towards a host or source. For
example, since the path chosen cannot be predicted (it is determined by the downstream
PIM neighbor), we may end up not adding the Virtual IST MLT port in the PIM mroute’s
outgoing port list on the joined interface if the PIM Join Prune Message was received on
an alternative path, different from the interface the local router considers to be the correct
upstream to the source.

Traffic loss can occur in such an environment. Do not enable ECMP in PIM vIST scenarios.

After you disable the spbm-config-mode boot flag, you can configure PIM or IGMP Snooping on any
VLAN including the vIST VLAN.

To configure the boot flag and Simplified vIST, see Configuring IP multicast in SMLT topologies on page
1529 or Configuring multicast on the switch on page 1550.

vIST VLAN IP addresses


Do not configure an RP or BSR on the vIST VLAN because you cannot ping them outside of the vIST
VLAN subnet. When you enter the ip pim enable command on the vIST VLAN, the following message
displays:

WARNING: Please do not use virtual IST VLAN IP address for BSR and
RP related configurations, as unicast packets to virtual IST vlan
IP address from outside of virtual IST vlan subnet will be dropped.

Use Loopback or CLIP interface IP address for BSR and RP related
configurations.

Overview of IP multicast
IP multicast transmits messages to multiple recipients at the same time. This one-to-many delivery
mechanism is similar to broadcasting, except that multicasting transmits to specific groups and
broadcasting transmits to all receivers on a network. Because IP multicast transmits only one stream of
data to the network where it replicates to many receivers, multicasting saves a considerable amount of
bandwidth.

IP multicast services benefit applications such as video conferencing, dissemination of datagram
information, and dissemination of mail or news to a large number of recipients.

Multicast protocols use different techniques to discover delivery paths.

A distribution tree is a set of multicast routers and subnetworks that permit the members of a group
to receive traffic from a source. The source of the tree depends on the algorithm used by the multicast
protocol. The following diagram is an example of a simple distribution tree where S is the multicast
source and the arrows indicate the multicast broadcast procedure.

Figure 136: Multicast distribution tree and broadcasting


Broadcast and prune methods use multicast traffic to build the distribution tree. Periodically, the source
sends or broadcasts data to the extremities of the internetwork to search for active group members. If
no local members of the group exist, the router sends a message to the host, removing itself from the
distribution tree, and thus pruning the router.

The following diagram illustrates how the host prunes routers from the distribution tree. First, the router
sends a message to the source, after which the pruned routers do not receive multicast data.

Figure 137: Pruning routers from a distribution tree


Reverse path multicast is based on the concept that a multicast distribution tree is built on the shortest
path from the source to each subnetwork that contains active receivers. After a datagram arrives on
an interface, the router determines the reverse path to the source of the datagram by examining the
routing table of known network sources. If the datagram is not on the optimal delivery tree, the router
discards it.

Multicast host groups and their group members enable the IP multicast router to transmit just to
those groups interested in receiving the traffic. The switch uses the Internet Group Membership
Protocol (IGMP) to learn the existence of host group members on their directly attached subnets. A
router communicates with the hosts on a local network by sending IGMP queries. Hosts respond by
issuing IGMP reports. For more information about host groups, see Multicast host groups and Multicast
addresses on page 1462. For more information about IGMP, see Internet Group Management Protocol.

Multicast traffic forwarding transmits frames to all interfaces or subnets for which it receives IGMP
reports for the multicast group indicated in the destination IP address. Multicast packets forwarded
within the same virtual LAN (VLAN) remain unchanged. The switch does not forward packets to
networks that do not have members of the multicast group indicated in the destination IP address.

Multicast host groups


IP multicast is a method for addressing, routing, and delivering a datagram to a collection of receivers
called a host group.

Host groups are permanent or transient, with the following characteristics:


• A permanent host group uses a well-known, administratively assigned IP multicast group address.
This address is permanent and defines the group. A permanent host group can consist of zero or
more members.

• A transient host group exists only as long as members need its services. IP addresses in the
multicast range that are not reserved for permanent groups are available for dynamic assignment to
transient host groups.

A host system on an IP network sends a message to a multicast group by using the IP multicast
address for the group. To receive a message addressed to a multicast group, however, the host must
be a member of the group and must reside on a network where that group is registered with a local
multicast router.

An IP multicast host group can consist of zero or more members and places no restrictions on its
membership. Host members can reside anywhere, they can join and leave the group at any time, and
they can be members of more than one group at the same time.

In general, hosts that are members of the same group reside on different networks. However, a range
of multicast addresses (224.0.0.x) is reserved for locally-scoped groups. All message traffic for these
hosts typically remains on the local network. Hosts that belong to a group in this address range and that
reside in different networks do not receive message traffic for each other.

Important
You can apply a special set of filters (global filters) to multicast packets. You can also create,
deny, or accept filters to configure the sources that can receive and send data. For more
information about how to configure filters, see Traffic filtering fundamentals on page 3394.

Multicast addresses
Each host group uses a unique multicast address. To reach all members of the group, a sender uses the
multicast address as the destination address of the datagram.

An IP version 4 multicast address is a Class D address (the high-order bits are 1110) from 224.0.0.0 to
239.255.255.255. These addresses are assigned statically for use by permanent groups and dynamically
for use by transient groups.

The block of addresses from 224.0.0.1 to 224.0.0.255 is reserved for routing protocols and other
low-level protocols. Multicast routers do not forward datagrams with addresses in this range because
the time-to-live (TTL) value for the packet is usually 1.

Multicast protocols
You can use the following protocols to enable multicast routing on a switch:
• Internet Group Management Protocol (IGMP)—learns the existence of host group members on
directly attached subnets.
• Multicast Router Discovery (MRDISC) protocol—discovers multicast routers in a Layer 2 bridged
domain configured for IGMP snoop.
• Protocol Independent Multicast (PIM)
◦ Sparse Mode (PIM-SM) protocol—suitable for implementation on networks sparsely populated by
receivers.
◦ Source Specific Multicast (PIM-SSM) protocol—uses a one-to-many model where members can
receive traffic from one or more specific sources. This protocol is suitable for television channels
and other content-distribution applications.

Static source groups


Use static source groups to configure static source-group entries in the PIM-SM or PIM-SSM multicast
routing table. PIM cannot prune these entries from the distribution tree. In other words, even if no
receivers for the group exist, the multicast stream for a static source-group entry stays active. PIM never
prunes static forwarding entries. If you no longer need the entries, you must manually delete them.

To configure static source groups, you must first globally enable PIM. If you disable PIM, the switch saves
all of the configured static source-group entries and deactivates them. After you re-enable PIM, the
switch reactivates the static source groups.

Static source groups ensure that the multicast route (mroute) records remain in the distribution tree.
After receivers join the group, they do not experience a delay in receiving multicast data because they
do not need to graft onto the group, or start a join process in the case of PIM. This timing is essential for
applications where the multicast data must reach a receiver as soon as the receiver joins the group,
for example, when a switch delivers television channels to receivers. After the receiver changes the channel,
which is equivalent to joining a group, the receiver can view the channel immediately.

Static entries result in continuous traffic if the source is active, even if no receivers exist. If no
receivers exist, the system does not forward the traffic beyond the switch where the static entry is
programmed, but the traffic flows continuously to that switch and crosses the intermediate switches on
the path.

You can configure static source-group entries for a specific source or subnet. If several sources on the
same subnet send traffic to the same group, traffic for all these sources flows continuously when using
the subnet configuration.

After you configure static source groups, keep the following points in mind:
• If you disable PIM, the switch deactivates all of the static source groups. After you re-enable PIM, the
switch activates the static source groups.
• In PIM-SM configuration, the static source-group feature works for both specific source addresses
and subnet addresses by using the SrcSubnetMask field.

When the network mask is 255.255.255.255, the full source address is used to match the (S,G) which
is the specific source case. When the network mask field is a subnet mask for the source, only the
source subnet is used to match (S,G)s.
• In PIM-SSM configurations, static source groups have the following limitations:

◦ Subnets: SSM static source groups work only with specific IP addresses. Static source groups
cannot work with source subnets, so the mask must use a full 32-bit mask, 255.255.255.255, and
the source must use a host address.
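The mask rules above can be checked before an entry is configured. The following Python sketch is an added example, not switch code or Extreme Networks code: the class StaticSourceGroup, the function pinned_flows, and all addresses are hypothetical and constructed for illustration. It validates an entry for PIM-SM or PIM-SSM and lists which active (S,G) flows a set of static entries keeps in the distribution tree, which shows how a subnet mask pins traffic from every source in that subnet.

```python
import ipaddress

HOST_MASK = "255.255.255.255"


class StaticSourceGroup:
    """One static source-group entry (hypothetical model of the page's rules)."""

    def __init__(self, pim_mode, group, source, src_subnet_mask):
        if pim_mode not in ("pim-sm", "pim-ssm"):
            raise ValueError("pim_mode must be 'pim-sm' or 'pim-ssm'")
        self.pim_mode = pim_mode
        self.group = ipaddress.IPv4Address(group)
        if not self.group.is_multicast:
            raise ValueError("%s is not a Class D group address" % group)
        src = ipaddress.IPv4Address(source)
        if src.is_multicast or src.is_unspecified:
            raise ValueError("%s is not a usable source address" % source)
        # strict=False reduces a source such as 10.1.1.7 with a 255.255.255.0
        # mask to the 10.1.1.0/24 subnet. A non-contiguous mask raises
        # ValueError inside ipaddress.
        self.net = ipaddress.IPv4Network(
            "%s/%s" % (source, src_subnet_mask), strict=False)
        if pim_mode == "pim-ssm" and self.net.prefixlen != 32:
            raise ValueError(
                "PIM-SSM static source groups need the full 32-bit mask")

    def matches(self, source, group):
        """True when (source, group) is covered by this entry."""
        return (ipaddress.IPv4Address(group) == self.group
                and ipaddress.IPv4Address(source) in self.net)


def pinned_flows(entries, active_flows):
    """Return the active (S,G) flows that some static entry keeps active."""
    return [(s, g) for s, g in active_flows
            if any(e.matches(s, g) for e in entries)]


# Constructed sample: one subnet entry and one specific-source entry (PIM-SM).
ENTRIES = [
    StaticSourceGroup("pim-sm", "239.10.0.1", "10.1.1.0", "255.255.255.0"),
    StaticSourceGroup("pim-sm", "239.10.0.2", "10.2.2.2", HOST_MASK),
]
ACTIVE = [
    ("10.1.1.7", "239.10.0.1"),    # inside the subnet entry
    ("10.1.1.200", "239.10.0.1"),  # same subnet, second source
    ("10.2.2.3", "239.10.0.2"),    # neighbour of the specific source
    ("10.2.2.2", "239.10.0.2"),    # the specific source itself
    ("10.1.1.7", "239.10.0.9"),    # group without a static entry
]

if __name__ == "__main__":
    for flow in pinned_flows(ENTRIES, ACTIVE):
        print("stays active without receivers:", flow)
```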

IP Multicast over Fabric Connect


IP Multicast over Fabric Connect introduces extensions to the SPBM IS-IS control plane to exchange IP
multicast stream advertisement and membership information. These extensions, combined with the use
of IGMP snooping and querier functions at the edge of the SPBM cloud, efficiently transport IP multicast
data by using sub-trees of the VSN shortest path tree per IP multicast group.

VOSS User Guide for version 8.7 1463


Internet Group Management Protocol IP Multicast

Internet Group Management Protocol

Table 114: Internet Group Management Protocol product support

Feature: Internet Group Management Protocol (IGMP), including virtualization

Product             Release introduced
VSP 4450 Series     VSP 4000 4.0
VSP 4900 Series     VOSS 8.1
VSP 7200 Series     VOSS 4.2.1
VSP 7400 Series     VOSS 8.0
VSP 8200 Series     VSP 8200 4.0.1
VSP 8400 Series     VOSS 4.2
VSP 8600 Series     VSP 8600 4.5
XA1400 Series       Not Supported

A host uses IGMP to register group memberships with the local querier router to receive datagrams sent
to this router targeted to a group with a specific IP multicast address.

A router uses IGMP to learn the existence of group members on networks to which it directly attaches.
The router periodically sends a general query message to each of its local networks. A host that is a
member of a multicasting group identifies itself by sending a response.

IGMP queries
When multiple IGMP routers operate on a network, one router is elected to send queries. This elected
querier periodically sends host membership queries (also known as general queries) to the attached
local subnets. The switch supports queries from all three versions of IGMP.

IGMP host reports


A host that receives a membership query from a local router can respond with a host membership
report, one for each multicast group that it joins. A host that receives a query delays its reply by a random
interval and listens for a reply from other hosts in the same host group. For example, consider a network
that includes two host members—host A and host B—of the same multicast group. The router sends out
a host membership query on the local network. Both host A and host B receive the query and listen on
the network for a host membership report. The delay timer for host B expires first, so it responds to the
query with a membership report. Hearing the response, host A does not send a report of its own for the
same group.

Each query from a router to a host includes a maximum response time field. IGMP inserts a value n into
this field specifying the maximum time in tenths of a second within which the host must issue a reply.
The host uses this value to calculate a random value between 0 and n tenths of a second for the period
that it waits before sending a response. This calculation is true for IGMP versions 2 and 3. For IGMP
version 1, this field is 0 but defaults to a value of 100, that is, 10 seconds.

If at least one host on the local network specifies that it is a member of a group, the router forwards to
that network all datagrams that bear the multicast address for the group.

Upon initialization, the host can immediately issue a report for each of its supported multicast groups.
The router accepts and processes these asynchronous reports the same as requested reports.

After hosts and routers are in a steady state, they communicate in a way that minimizes the exchange
of queries and reports. The designated routers establish a path between the IP multicast stream source
and the end stations and periodically query the end stations about whether to continue participation.
As long as a client continues to participate, all clients, including nonparticipating end stations on the
switch port, receive the IP multicast stream.

Host leave messages


If an IGMPv2 host leaves a group and it is the host that issues the most recent report, it also issues a
leave group message. The multicast router on the network issues a group-specific query to determine
whether other group members exist on the network. If no host responds to the query, the router
assumes that no members belonging to that group exist on that interface.

Fast leave feature


The switch supports a fast leave feature that is useful for multicast-based television distribution
applications. Fast leave relies on an alternative leave process where the switch stops sending traffic
for the group immediately after it receives a leave message, without issuing a query to check if other
group members exist on the network. Fast leave relieves the network of additional bandwidth
demand after a customer changes television channels.

The switch provides several fast leave processes for IP multicast:


• immediate leave with one user for each interface
• immediate leave with several users for each interface
• standard IGMP leave based on a Last Member Query Interval (LMQI), which you can configure in
tenths of seconds

Fast leave modifies the IGMP leave processing mechanism on an IGMP interface. After the system
receives an IGMP leave message on a fast leave enabled interface, the switch does not send a group-
specific query and immediately stops sending traffic to the leaving member (IGMP host) port. Without
fast leave, traffic continues to forward until the group times out. This situation wastes bandwidth if no
receiver that requires the group traffic exists.

Fast leave mode provides two options of the fast leave mechanism—single-user mode and multiple-
users mode:
• Single-user mode: In this mode, the port stops receiving traffic immediately after a group member
on that port sends a leave message. Use the single-user mode if each interface port connects to only
one IGMP host.
• Multiple-users mode: Use this mode if the interface port connects to multiple IGMP hosts. In this
case, the port stops receiving traffic after all members leave the IGMP group. The switch removes the
leaving IGMP member and, if more group members exist on that port, the switch continues sending
traffic to the port.

When operating in multiple-users mode, the switch must use the correct membership information.
To support multiple-users mode, multicast receivers on the same interface cannot use IGMP report
suppression. If you must use IGMP report suppression, do not use this mode. Instead, use the LMQI
(configurable in units of 1/10ths of seconds) to provide a faster leave process while still sending
group-specific queries after the interface receives a leave message.

Fast leave mode applies to all fast-leave enabled IGMP interfaces.
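The difference between the leave modes, and the reason multiple-users mode cannot coexist with IGMP report suppression, is easiest to see with two hosts on one port. The following Python model is an added example, not switch code: the class GroupPort, the function host_b_still_served, and the mode strings are hypothetical names. Hosts A and B share a port and a group, A leaves, and the function returns whether B still receives the stream.

```python
class GroupPort:
    """IGMP membership for one multicast group behind one switch port."""

    MODES = ("single-user", "multiple-users", "lmqi")

    def __init__(self, mode):
        if mode not in self.MODES:
            raise ValueError("unknown leave mode: %r" % mode)
        self.mode = mode
        self.members = set()        # hosts whose reports the switch has heard
        self.forwarding = False
        self.query_pending = False  # group-specific query outstanding (lmqi)

    def report(self, host):
        """A membership report reached the switch on this port."""
        self.members.add(host)
        self.forwarding = True
        self.query_pending = False

    def leave(self, host):
        """A leave message reached the switch; return the forwarding state."""
        self.members.discard(host)
        if self.mode == "single-user":
            # Immediate leave: the port is assumed to have exactly one host.
            self.members.clear()
            self.forwarding = False
        elif self.mode == "multiple-users":
            # Immediate leave, but only when no known member remains.
            self.forwarding = bool(self.members)
        else:
            # Standard leave: send a group-specific query and keep
            # forwarding until the Last Member Query Interval runs out.
            self.query_pending = True
        return self.forwarding

    def lmqi_expired(self):
        """LMQI ran out; stop forwarding if nobody answered the query."""
        if self.query_pending:
            self.members.clear()
            self.forwarding = False
            self.query_pending = False
        return self.forwarding


def host_b_still_served(mode, report_suppression):
    """Hosts A and B share a port; A leaves. Does B keep the stream?"""
    port = GroupPort(mode)
    port.report("A")
    if not report_suppression:
        port.report("B")      # without suppression the switch hears B too
    port.leave("A")
    if port.query_pending:
        port.report("B")      # B answers the group-specific query
    port.lmqi_expired()
    return port.forwarding


if __name__ == "__main__":
    for mode in GroupPort.MODES:
        for suppression in (False, True):
            print(mode, "suppression=%s" % suppression,
                  "B served:", host_b_still_served(mode, suppression))
```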

IGMP snoop
The switch provides IP multicast capability and can support all three versions of IGMP to prune group
membership for each port within a VLAN. This feature is IGMP snoop.

Important
IGMP snoop can optimize only local multicast data flow. IGMP snoop does not manage the
forwarding state of the multicast tree. You cannot configure a port as a static receiver in an
IGMP snoop-enabled VLAN that does not contain at least one dynamic receiver port and
forward multicast data.

Use the IGMP snoop feature to optimize the multicast data flow, for a group within a VLAN, to only
those ports that are members of the group. The switch builds a database of group members by listening
to IGMP reports from each port. The switch suppresses the reports heard by not forwarding them to
ports other than the one receiving the report, thus forcing the members to continuously send their
own reports. The switch relays group membership from the hosts to the multicast routers and forwards
queries from multicast routers to all port members of the VLAN. Furthermore, the switch forwards
multicast data only to the participating group members and to the multicast routers within the VLAN.

The multicast routing functionality can coexist with IGMP snoop on the same switch, but you can
configure only one of IGMP snoop or an IP multicast routing protocol, excluding IGMP, on the same
VLAN.

Multicast group trace for IGMP snoop


Use this feature to monitor the multicast group trace for an IGMP snoop-enabled switch. You can view
the multicast group trace from CLI.

Multicast group trace tracks the data flow path of the multicast streams. Group trace tracks information
such as the multicast group address, the source address, ingress VLAN and port, and egress VLAN and
port.

IGMP proxy
If a switch receives multiple reports for the same multicast group, it does not transmit each report
to the multicast upstream router. Instead, the switch consolidates the reports into a single report and
forwards the one report. If you add another multicast group or the system receives a query since it last
transmitted the report upstream, the system forwards the report onto the multicast router ports. This
feature is IGMP proxy.

IGMP versions
The switch supports IGMPv1, IGMPv2, and IGMPv3. IGMPv1 and IGMPv2 are backward compatible and
can exist together on a multicast network. The following list describes the purpose for each version:
• IGMPv1 provides the support for IP multicast routing. IGMPv1 specifies the mechanism to
communicate IP multicast group membership requests from a host to its locally attached routers.
For more information, see RFC1112.
• IGMPv2 extends the features in IGMPv1 by quickly reporting group membership termination to
the routing protocol. This feature is important for multicast groups with highly volatile group
membership. For more information, see RFC2236.
• IGMPv3 supports the PIM Source Specific Multicast (SSM) protocol, PIM-SM, and snooping. A host
can selectively request or filter traffic from individual sources within a multicast group or from
specific source addresses sent to a particular multicast group. Multicast routing protocols use this
information to avoid delivering multicast packets from specific sources to networks where there are
no interested receivers. For more information, see RFC3376.

For the switch implementation of PIM-SSM, each group can use multiple sources.

The following list identifies group records that a report message includes:
• current-state record
• source-list-change record
• filter-mode-change record

A current-state record is sent by a system in response to a query received on an interface. It reports the
current reception state of that interface, with respect to a single multicast address.

The Record Type of a current-state record has one of the following two values:
• MODE_IS_INCLUDE — Indicates that the interface has a filter mode of include for the specified
multicast address. The source address fields in this group record contain the source list of the
interface for the specified multicast address.
• MODE_IS_EXCLUDE — Indicates that the interface has a filter mode of exclude for the specified
multicast address. The source address fields in this group record contain the source list of the
interface for the specified multicast address.

Source-List Change Record — The system sends a source-list-change record after a change of source
list occurs that does not coincide with a filter-mode change on the interface for a particular multicast
address. The interface on which the change occurs sends a report that includes the record. The record
type of a source-list-change record can be one of the following two values:
• ALLOW_NEW_SOURCES — Indicates that the source address [i] fields in this group record contain
a list of the additional sources that the system wishes to hear from, for packets sent to the specified
multicast address. If the change was to an include source list, these are the addresses that were
added to the list. If the change was to an exclude source list, these are the addresses that were
deleted from the list.
• BLOCK_OLD_SOURCES — Indicates that the source address [i] fields in this group record contain a
list of the sources that the system no longer wishes to hear from, for packets sent to the specified
multicast address. If the change was to an include source list, these are the addresses that were
deleted from the list; if the change was to an exclude source list, these are the addresses that were
added to the list.

If a change of source list results in both allowing new sources and blocking old sources, then two
group records are sent for the same multicast address, one of type ALLOW_NEW_SOURCES and
one of type BLOCK_OLD_SOURCES.

Filter Mode — The switch implements the filter-mode-change record. The system sends a filter-mode-
change record whenever the filter mode changes (during a change from include to exclude, or from
exclude to include) for a particular multicast address. The interface on which the change occurs sends
a report that includes the record. The record type of a filter-mode-change record can be one of the
following two values:
• CHANGE_TO_INCLUDE_MODE — Indicates that the interface has changed to include filter mode for
the specified multicast address. The source address [i] fields in this group record contain the new
source list of the interface for the specified multicast address.

• CHANGE_TO_EXCLUDE_MODE — Indicates that the interface has changed to exclude filter mode
for the specified multicast address. The source address [i] fields in this group record contain the new
source list of the interface for the specified multicast address.
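The six record types above travel in the group records of an IGMPv3 membership report. The following Python parser is an added example, not code from the switch or from Extreme Networks: it follows the report layout and record type numbers defined in RFC 3376, verifies the checksum, rejects truncated records, and labels each record with the record class used in this section. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

# Record type numbers from RFC 3376, mapped to the names and the three
# record classes described in this section.
RECORD_TYPES = {
    1: ("MODE_IS_INCLUDE", "current-state"),
    2: ("MODE_IS_EXCLUDE", "current-state"),
    3: ("CHANGE_TO_INCLUDE_MODE", "filter-mode-change"),
    4: ("CHANGE_TO_EXCLUDE_MODE", "filter-mode-change"),
    5: ("ALLOW_NEW_SOURCES", "source-list-change"),
    6: ("BLOCK_OLD_SOURCES", "source-list-change"),
}
V3_REPORT = 0x22


def inet_checksum(data):
    """16-bit one's-complement checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_v3_report(records):
    """Build a report from (type, group, [sources]) tuples (sample data only)."""
    body = b""
    for rtype, group, sources in records:
        body += struct.pack("!BBH", rtype, 0, len(sources))
        body += ipaddress.IPv4Address(group).packed
        body += b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    head = struct.pack("!BBHHH", V3_REPORT, 0, 0, 0, len(records))
    csum = inet_checksum(head + body)
    return struct.pack("!BBHHH", V3_REPORT, 0, csum, 0, len(records)) + body


def parse_v3_report(payload):
    """Return a list of group-record dicts; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("truncated report header")
    msg_type, _, _, _, count = struct.unpack("!BBHHH", payload[:8])
    if msg_type != V3_REPORT:
        raise ValueError("not an IGMPv3 membership report")
    if inet_checksum(payload) != 0:
        raise ValueError("bad checksum")
    records, off = [], 8
    for _ in range(count):
        if off + 8 > len(payload):
            raise ValueError("truncated group record")
        rtype, aux_words, n_src = struct.unpack("!BBH", payload[off:off + 4])
        group = ipaddress.IPv4Address(payload[off + 4:off + 8])
        src_end = off + 8 + 4 * n_src
        nxt = src_end + 4 * aux_words     # auxiliary data is skipped
        if nxt > len(payload):
            raise ValueError("source list runs past end of message")
        if not group.is_multicast:
            raise ValueError("group %s is not a Class D address" % group)
        sources = [str(ipaddress.IPv4Address(payload[i:i + 4]))
                   for i in range(off + 8, src_end, 4)]
        off = nxt
        if rtype not in RECORD_TYPES:
            continue  # RFC 3376: unrecognized record types are ignored
        name, rclass = RECORD_TYPES[rtype]
        records.append({"type": name, "class": rclass,
                        "group": str(group), "sources": sources})
    return records


# Constructed sample: a source-list change that both allows and blocks a
# source for one group (two records), plus a current-state record that joins
# a second group for all sources.
SAMPLE = build_v3_report([
    (5, "232.1.1.1", ["10.0.0.5"]),
    (6, "232.1.1.1", ["10.0.0.9"]),
    (2, "239.1.2.3", []),
])

if __name__ == "__main__":
    for rec in parse_v3_report(SAMPLE):
        print(rec)
```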

After you enable IGMPv3, the following actions occur:


• After you change the version on an interface to or from IGMPv3, the switch experiences a disruption
to existing multicast traffic on that interface but traffic does recover. Do not make this change when
the system passes multicast traffic.

IGMP states
Multicast routers implementing IGMPv3 keep one state for each group for every port in every attached
network. This group state consists of a filter-mode, a list of sources, and various timers. For each
attached network running IGMP, a multicast router records the desired reception state for that network.
This state consists of a set of records of the following form:
• multicast address
• group timer
• filter mode (source records)

Each source record is of the form source address or source timer. If all sources within a given group are
desired, an empty source record list is kept with filter-mode set to EXCLUDE. This means hosts on this
network want all sources for this group to be forwarded. This is the IGMPv3 equivalent to an IGMPv1 or
IGMPv2 group join.

Group timer
A group timer represents the time for the filter-mode to expire and switch to INCLUDE mode and is
used only when a group is in EXCLUDE mode.

Group timers are updated according to the types of group records received. If a group timer expires
when the router filter-mode for the group is EXCLUDE, it means that there are no listeners on the attached
network in EXCLUDE mode. At this point, a router will transition to INCLUDE filter-mode.

Source timer
A source timer is maintained for every source record. Source timers are updated according to:
• the type and filter-mode of the group record received
• whenever the source is present in a received record for that group.

If a source timer expires with a router filter-mode for the group of INCLUDE, the router concludes
that traffic from this particular source is no longer desired on the attached network, and deletes the
associated source record.

If a source record has a running timer with a router filter-mode for the group of EXCLUDE, it means that
at least one system desires the source. It should therefore be forwarded by a router on the network. If a
source timer expires with a router filter-mode for the group of EXCLUDE, the router informs the routing
protocol that there is no receiver on the network interested in traffic from this source. The records are
deleted when the group timer expires in the EXCLUDE router filter-mode.

Processing IGMP messages for groups in SSM range


IGMP messages are processed for groups in SSM range in the following scenarios:

1. IGMPv3 interface enabled; PIM-sparse or snooping enabled
• IGMPv3 reports that contain group records with groups within SSM range are processed with no
restrictions.
• IGMPv2 reports for groups within SSM range translate to IGMPv3 reports with one group record
and type IS_EXCLUDE{NULL}. These reports are processed with no restriction as an IGMPv3
report.
• IGMPv2 leave messages for groups within SSM range translate to IGMPv3 reports with one group
record and type TO_INCLUDE{NULL}. These reports are processed with no restriction as an IGMPv3
report.
2. IGMPv3 interface enabled; PIM-SSM or ssm-snooping enabled
• IGMPv3 reports that contain group records with groups within SSM range received from
members in the EXCLUDE mode are discarded (for example, IS_EXCLUDE and TO_EXCLUDE messages).
• IGMPv2 reports for groups within SSM range translate to IGMPv3 reports with one group record
and type ALLOW{S1,S2,...}. The source list is obtained from the global ssm-map. If there are no
sources in the global ssm-map, the message is discarded. These reports are processed with no
restriction as an IGMPv3 report.
• IGMPv2 leave messages for groups within SSM range translate to IGMPv3 reports with one group
record and type BLOCK{S1,S2,...}. The source list is obtained from the global ssm-map. If there are
no sources in the global ssm-map, the message is discarded. These reports are processed with no
restriction as an IGMPv3 report.

Note
In order to accept v2 messages, you must enable the compatibility mode on the IGMPv3
interface.
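The two scenarios above can be modelled as a small translation function. This is an added example, not VOSS code: the names (`process`, `GroupRecord`, the `sparse`/`ssm` mode labels), the 232.0.0.0/8 range and the per-record handling of EXCLUDE-type records are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: 232.0.0.0/8 (the IANA default SSM block) stands in for the configured SSM range.
SSM_RANGE = ip_network("232.0.0.0/8")
EXCLUDE_TYPES = {"IS_EXCLUDE", "TO_EXCLUDE"}


@dataclass(frozen=True)
class GroupRecord:
    rtype: str            # IGMPv3 record type, e.g. ALLOW, BLOCK, IS_EXCLUDE
    group: str
    sources: tuple = ()   # empty tuple models {NULL}


def _require_ssm_group(group):
    if ip_address(group) not in SSM_RANGE:
        raise ValueError(f"{group} is outside the SSM range; not covered by this model")


def _translate_v2(kind, group, mode, ssm_map):
    """Turn an IGMPv2 report or leave into the single IGMPv3 record described above."""
    if mode == "sparse":
        rtype = "IS_EXCLUDE" if kind == "v2-report" else "TO_INCLUDE"
        return [GroupRecord(rtype, group, ())]
    # PIM-SSM / ssm-snooping: the source list comes from the global ssm-map.
    sources = tuple(ssm_map.get(group, ()))
    if not sources:
        return []  # no sources in the ssm-map: the message is discarded
    rtype = "ALLOW" if kind == "v2-report" else "BLOCK"
    return [GroupRecord(rtype, group, sources)]


def process(kind, payload, mode, ssm_map=None, compat=False):
    """Return the IGMPv3 group records accepted for one message ([] means discarded).

    kind:    "v3" (payload is a list of GroupRecord), "v2-report" or "v2-leave"
             (payload is the group address)
    mode:    "sparse" (PIM-sparse or snooping) or "ssm" (PIM-SSM or ssm-snooping)
    compat:  compatibility mode on the IGMPv3 interface; v2 messages need it
    """
    if mode not in ("sparse", "ssm"):
        raise ValueError(f"unknown mode {mode!r}")
    ssm_map = ssm_map or {}
    if kind == "v3":
        for record in payload:
            _require_ssm_group(record.group)
        if mode == "ssm":
            # Records from members in EXCLUDE mode are dropped (modelled per record).
            return [r for r in payload if r.rtype not in EXCLUDE_TYPES]
        return list(payload)
    if kind in ("v2-report", "v2-leave"):
        if not compat:
            return []  # v2 messages are only accepted in compatibility mode
        _require_ssm_group(payload)
        return _translate_v2(kind, payload, mode, ssm_map)
    raise ValueError(f"unknown message kind {kind!r}")


# Constructed sample ssm-map: group -> sources.
SAMPLE_SSM_MAP = {"232.1.1.1": ("10.0.0.5", "10.0.0.6")}
```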

IGMPv3 source-specific forwarding rules


After a multicast router receives a datagram from a source destined to a particular group, the router
must decide to forward the datagram to the attached network. The multicast routing protocol uses
IGMPv3 information to forward datagrams to all required sources or groups on a subnetwork.

The following table describes the forwarding suggestions that IGMPv3 makes to the routing protocol.
The table also identifies the action taken after the source timer expires, based on the filter mode of the
group.

| Group filter-mode | Source-timer value | Action |
|---|---|---|
| INCLUDE | TIMER > 0 | Forward the traffic from the source. |
| INCLUDE | TIMER = 0 | Stop forwarding the traffic from the source, and remove the source record. If no more source records exist for the group, delete the group record. |
| INCLUDE | No source elements | Do not forward the source. |
| EXCLUDE | TIMER > 0 | Forward the traffic from the source. |
| EXCLUDE | TIMER = 0 | Do not forward the traffic from the source. If no more source records exist for the group, delete the group record. |
| EXCLUDE | No source elements | Forward the traffic from the source. |
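The forwarding rules and the group and source timer behaviour described above, as a small state model. This is an added example, not the switch's implementation; `GroupState`, `should_forward` and `tick` are hypothetical names, and the retention of expired EXCLUDE-mode source records until the group timer expires follows the source timer text earlier in this section.

```python
from dataclasses import dataclass, field


@dataclass
class GroupState:
    filter_mode: str                 # "INCLUDE" or "EXCLUDE"
    group_timer: float = 0.0         # only meaningful in EXCLUDE mode
    sources: dict = field(default_factory=dict)  # source address -> source timer (seconds)


def should_forward(state, source):
    """Forwarding suggestion for traffic from `source`, per the table above."""
    timer = state.sources.get(source)
    if timer is None:
        # No source element: INCLUDE does not forward, EXCLUDE forwards.
        return state.filter_mode == "EXCLUDE"
    # A source record exists: forward only while its timer is running.
    return timer > 0


def tick(state, elapsed):
    """Advance all timers by `elapsed` seconds and apply the expiry actions.

    Returns the updated state, or None when the group record is deleted.
    """
    state.sources = {s: max(0.0, t - elapsed) for s, t in state.sources.items()}

    if state.filter_mode == "INCLUDE":
        # Expired source: stop forwarding and remove the source record.
        state.sources = {s: t for s, t in state.sources.items() if t > 0}
        # No more source records: delete the group record.
        return state if state.sources else None

    # EXCLUDE mode: expired source records stay (they block that source)
    # until the group timer expires.
    state.group_timer = max(0.0, state.group_timer - elapsed)
    if state.group_timer == 0:
        # No EXCLUDE-mode listeners remain: drop expired records and
        # transition to INCLUDE with the sources that are still wanted.
        state.sources = {s: t for s, t in state.sources.items() if t > 0}
        if not state.sources:
            return None
        state.filter_mode = "INCLUDE"
    return state
```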

IGMPv3 explicit host tracking


IGMPv3 explicit host tracking enables IGMP to track all the source and group members. To track all
the source and group members, each source that is in include mode holds a list of the members that
want to receive traffic from that source.

The members that are in exclude mode are held on the reporter list under the port data. By
default, IGMPv3 explicit host tracking is disabled.

Important
If explicit host tracking is enabled, you cannot downgrade the IGMPv3 interface to IGMPv1 or
IGMPv2.

IGMPv3 fast leave


When a BLOCK message is received for a source, you must check if the member that sent this message
is the last reporter for the source. If it is the last reporter, delete the source. Otherwise, delete the
member. No group-and-source specific queries are sent.

When a LEAVE message is received, you must check if the member that sent this message is the last
reporter for the group. If it is the last reporter, switch to INCLUDE mode if sources are available (if no
sources are available, the port is deleted). Otherwise, delete the member. No group-and-source specific
queries or group specific queries are sent.

Important
To use the IGMPv3 fast leave feature, you must first enable the explicit host tracking feature.

Synchronization of IGMPv3 over SMLT


The implementation of IGMPv3 offers support for IGMPv3 over SMLT. The Virtual-IST (vIST) peers must
be in sync with the IGMPv3 reports received over SMLT links to ensure effective performance. The vIST
protocol ensures the infrastructure to send such information from one vIST peer to the other.

The synchronization of IGMPv3 members and their advertised sources is different from IGMPv1 and
IGMPv2. Because of IGMPv3 compatibility mode, you must consider the IGMP member version. If you
have version 1 or 2 members, you must synchronize the IGMP information as IGMPv1 or IGMPv2 reports,
so the peer can build an accurate database. In particular, if members with version 1 or 2 exist, the group
filter mode is exclude and the exclude source list is empty. Also, no v1 or v2 member is present on
any source from the include list.

Each member sends IGMP reports in the same manner for all IGMP versions. The sending mechanism
depends on the SMLT state.


After a vIST peer receives an IGMPv3 report over an SMLT link, it must pass the message to its peer. If
the SMLT state is up, the vIST peer sends the message encapsulated in a vIST IGMPv3 message. If the
SMLT state is down, the vIST peer sends the message as a plain IGMPv3 report.

In both cases the IGMPv3 message is not altered and the receiving vIST peer processes it as expected in
SMLT conditions (translating the receiving port to SMLT port if applicable).

Note
If you enable compatibility mode and the member sends an IGMPv1 or IGMPv2 report, the
message is either a vIST IGMPv1 or IGMPv2 encapsulated message or a plain IGMPv1 or IGMPv2
report.

After SMLT up or down events occur, the vIST peer must synchronize its IGMPv3 database to its peer,
taking into account the new state of the SMLT link.

If you enable IGMP explicit host tracking, each include source stores information for each member that
advertises that particular source in an include list. This information is synchronized with the vIST peer.

If you do not enable explicit host tracking, each source from the include list contains only information
related to the last member that sent an IGMPv3 report. Only this information is synchronized with the
vIST peer.

Backward compatibility
IGMPv3 for PIM-SSM is backward compatible with IGMPv2. You can configure the switch to operate
in v3-only mode or in v2-v3 compatibility mode. If you configure the switch to use v3-only mode, it
ignores all v2 and v1 messages except the query message.

If you configure the switch to operate in v2-v3 compatibility mode, the switch supports all IGMPv1, v2,
and v3 messages. The switch parses the group address of the messages. If the group address is out of
SSM range and it is a v3 message, the switch drops the message; if it is a v2 message, PIM-SM or IGMP
snoop processes handle the message.

After the switch receives an IGMPv2 leave message and the group address in it is within SSM range, the
switch sends the group-and-source specific query. If the group address is not within the SSM range, the
switch sends the group specific query.

According to RFC3376, the multicast router with IGMPv3 can use one of two methods to handle older
query messages:
• If an older version of IGMP is present on the router, the querier must use the lowest version of IGMP
present on the network.
• If a router that is not explicitly configured to use IGMPv1 or IGMPv2 hears an IGMPv1 query or
IGMPv2 general query, it logs a rate-limited warning.

You can configure whether the switch dynamically downgrades the version of IGMP to handle older
query messages. If the switch downgrades, hosts with IGMPv3-only capability do not work. If you do not
configure the switch to downgrade the version of IGMP, the switch logs a warning.

In v2-v3 compatibility mode, an IGMPv2 host can only join if you configure a static entry in SSM map
and if the interface operates in PIM-SSM mode or IGMP SSM-Snoop mode.


You can use the compatibility mode with Split MultiLink Trunking (SMLT). One core switch sends an
SMLT message to the other core switch after it receives an IGMPv3 message. This action synchronizes
the IGMP host information.

Implementation of IGMP
You can enable and disable multicast routing on an interface basis. If you disable multicast routing on
an interface, the interface does not generate IGMP queries. If the switch or interface is in IGMP router
behavior mode, for example, PIM enabled, you cannot configure IGMP snoop. The switch still learns the
group membership and snoops multicast receivers on the switch VLAN or ports.

IGMP Layer 2 Querier


In a Layer 2 multicast network, you can enable Layer 2 querier on one of the switches in the VLAN. IGMP
Layer 2 querier provides the IGMP querier function so that the switch can provide the recurring queries
that maintain IGMP groups when you do not use multicast routing for multicast traffic.

Overview
In a multicast network, if you only need to use Layer 2 switching for the multicast traffic, you do not
need multicast routing. However, you must have an IGMP querier on the network for multicast traffic to
flow from sources to receivers. A multicast router provides the IGMP querier function. You can also use
the IGMP Layer 2 Querier feature to provide a querier on a Layer 2 network without a multicast router.

The Layer 2 querier function originates queries for multicast receivers, and processes the responses
accordingly. On the connected Layer 2 VLANs, IGMP snoop continues to provide services as normal.
IGMP snoop responds to queries and identifies receivers for the multicast traffic.

You must enable Layer 2 querier and configure an IP address for the querier before it can originate IGMP
query messages. If a multicast router exists on the network, the switch automatically disables the Layer
2 querier.

In a Layer 2 multicast network, enable Layer 2 querier on only one of the switches in the VLAN. A Layer
2 multicast domain supports only one Layer 2 querier. No querier election exists.

IGMP Snooping
IGMP Snooping enables Layer 2 switches in the network to examine IGMP control protocol packets
exchanged between downstream hosts and upstream routers.

When Layer 2 switches examine the IGMP control protocol packets, they:
• Generate the Layer 2 MAC forwarding tables used for further switching sessions
• Regulate the multicast traffic to prevent it from flooding the Layer 2 segment of the network

IGMP Layer 2 Querier and IGMP interaction


IGMP Layer 2 Querier uses IGMP to learn which groups have members on each of the attached physical
networks, and it maintains a list of multicast group memberships for each attached network and a timer
for each membership. In this case, multicast group memberships means the presence of at least one
member of a multicast group on a given attached network, not a list of all of the members.


IGMP Layer 2 Querier can assume one of two roles for each of the attached networks:
• Querier
• Non-Querier

After you enable IGMP Layer 2 Querier, the system assumes it is a multicast router, so it sends the
General Query, Group Specific/Group, and Source Specific Query when Leave/BLOCK messages are
received. IGMP queries are required to maintain an IGMP group.

Note
Group Specific When Leave does not apply to IGMPv1.

IGMP Layer 2 Querier limitations


The following limitations apply to IGMP Layer 2 Querier.
• IGMP Layer 2 Querier is based on IGMP Snoop. If you disable IGMP Snoop, IGMP Layer 2 Querier
does not work until you enable IGMP Snoop and IGMP Layer 2 Querier.
• After you enable IGMP Snoop and IGMP Layer 2 Querier on an interface, if the system receives no
IGMP query messages, it becomes the querier.

IGMP Layer 2 Querier limitations and DvR

The following limitations apply when you configure IGMP Layer 2 Querier on DvR enabled nodes.
• You can configure IGMP Layer 2 Querier only on the DvR Controllers in a DvR domain. When you
configure the following parameters on the Controllers, the configuration is automatically pushed to
the DvR Leaf nodes within the domain.
◦ IGMP version
◦ IGMP query interval
◦ IGMP query maximum response time
◦ IGMP robustness value
◦ IGMP last member query interval
◦ IGMP compatibility mode
• You cannot configure IGMP snooping on DvR enabled Layer 2 VSNs.

For more information on DvR, see Distributed Virtual Routing Fundamentals on page 690.

Multicast access control


Multicast access control is a set of features that operate with standard existing multicast protocols. You
can configure multicast access control for an IP multicast-enabled port or VLAN with an access control
policy that consists of several IP multicast groups.

You can use this feature to restrict access to certain multicast streams and to protect multicast
streams from spoofing (injecting data to the existing streams). For example, in a television distribution
application, instead of applying a filter to each channel (multicast group), you can apply a multicast
access policy to a range of channels (groups), thereby reducing the total number of filters and providing
a more efficient and scalable configuration. Also, if you want to add or remove television channels from
a package, you can modify the multicast access policy; you do not need to change filters for individual
VLANs or ports. Multicast access policies contain an ID and a name (for example, PremiumChannels),
the list of IP multicast addresses, and the subnet mask.

Multicast access control is not a regular filtering configuration. Multicast access control is for multicast
streams and relies on handling multicast control and initial data to prevent hosts from sending or
receiving specified multicast streams; it does not use filters. Also, multicast access control provides a
list of multicast groups in one configuration using the same routing policy prefix list configuration. For
information about prefix lists, see Configuring prefix lists on page 2911. You can configure multicast
access control and change it dynamically to support changes in the configuration without restarting the
protocol. You can change the access capabilities of a user or service subscriber without loss of service.

The following paragraph describes a typical application.

The local cable television company offers three packages; each one includes 35 channels (35 multicast
groups). The company configures each package in an access control policy. This policy applies to a
set of VLANs or ports to prevent users from viewing the channels on those VLANs. Use the same
policy to prevent users from sending traffic to those groups (also known as spoofing) by specifying
the deny-tx option for that port. After you define the packages, you can use them for access policy
configuration. You can easily change the package by changing the group range, without changing all
the port configurations.

The multicast access control functionality applies to an IP multicast application where you must control
user access. You can use it in financial-type applications and other enterprise applications, such as
multicast-based video conferencing.

Six types of multicast access control policies exist:


• deny-tx
• deny-rx
• deny-both
• allow-only-tx
• allow-only-rx
• allow-only-both

The tx policies control the sender and ingress interface for a group; the rx policies control the receivers
and egress interface for a group.

deny-tx
Use the deny-tx access policy to prevent a matching source from sending multicast traffic to the
matching group on the interface where you configure the deny-tx access policy. Configure this policy on
the ingress interface to the multicast source. The deny-tx access policy performs the opposite function
of the allow-only-tx access policy. Therefore, the deny-tx access policy and the allow-only-tx access
policy cannot exist on the same interface at the same time.

For example, in Figure 138, VLAN 1, the ingress VLAN, uses a deny-tx access policy. This policy
prevents multicast traffic sent by Sender from being forwarded from VLAN 1 to a receiver, consequently
preventing Receiver 1 and Receiver 2 from receiving data from the multicast group. You can create
receive-only VLANs, such as VLAN 1, with the deny-tx policy.


Figure 138: Data flow using deny-tx policy

deny-rx
Use the deny-rx access policy to prevent a matching group from receiving IGMP reports from the
matching receiver on the interface where you configure the deny-rx access policy. The deny-rx access
policy performs the opposite function of the allow-only-rx access policy. Therefore, the deny-rx access
policy and the allow-only-rx access policy cannot exist on the same interface at the same time.

For example, in Figure 139, VLAN 2 uses a deny-rx access policy, preventing IGMP reports sent by
Receiver 1 from being received on VLAN 2. You can deny a multicast group access to a specific VLAN or
receiver using the deny-rx policy.

Figure 139: Data flow using deny-rx policy

deny-both
Use the deny-both access policy to prevent a matching IP address from both sending multicast traffic
to, and receiving IGMP reports from, a matching receiver on an interface where you configure the
deny-both policy. You can use this policy to eliminate all multicast activity for a receiver or source
in a specific multicast group. The deny-both access policy performs the opposite function of the
allow-only-both access policy. Therefore, the deny-both access policy and the allow-only-both access
policy cannot exist on the same interface at the same time.

For example, in Figure 140, VLAN 2 uses a deny-both access policy, preventing VLAN 2 from receiving
IGMP reports sent by Receiver 2, and preventing multicast traffic sent by Sender 2 from being forwarded
from VLAN 2. You can prevent certain VLANs from participating in an activity involving the specified
multicast groups with the deny-both policy.


Figure 140: Data flow using deny-both policy

allow-only-tx
Use the allow-only-tx policy to allow only the matching source to send multicast traffic to the matching
group on the interface where you configure the allow-only-tx policy. The interface discards all other
multicast data it receives. The allow-only-tx access policy performs the opposite function of the deny-tx
access policy. Therefore, the allow-only-tx access policy and the deny-tx access policy cannot exist on
the same interface at the same time.

allow-only-rx
Use the allow-only-rx policy to allow only the matching group to receive IGMP reports from the
matching receiver on the interface where you configure the allow-only-rx access policy. The interface
discards all other multicast data it receives. The allow-only-rx access policy performs the opposite
function of the deny-rx access policy. Therefore, the allow-only-rx access policy and the deny-rx access
policy cannot exist on the same interface at the same time.

allow-only-both
Use the allow-only-both policy to allow only the matching IP address to both send multicast traffic
to, and receive IGMP reports from, the matching receiver on the interface where you configure the
allow-only-both access policy. The interface discards all other multicast data and IGMP reports. The
allow-only-both access policy performs the opposite function of the deny-both access policy. Therefore,
the allow-only-both access policy and the deny-both access policy cannot exist on the same interface at
the same time.

Host addresses and masks


When you configure multicast access policies, you must specify the host (IP) address and host (subnet)
mask of the host to filter (the host that sends multicast traffic).

You can use the host subnet mask to restrict access to a portion of the host network. For example, if you
configure the host subnet mask as 255.255.255.255, you use the full host address. To restrict access to a
portion of the network of a host, use a subnet mask such as 255.255.255.0. Access control applies to the
specified subnet only.
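The six policy types and the host address and mask matching can be checked with a small model before a configuration is committed. This is an added example, not VOSS code: `AccessPolicy`, `Interface` and the evaluation order (deny matches first, then allow-only) are assumptions for illustration, and all addresses are constructed; only the policy type names and the PremiumChannels name come from this section.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Pairs that cannot exist on the same interface at the same time.
OPPOSITE = {
    "deny-tx": "allow-only-tx",
    "deny-rx": "allow-only-rx",
    "deny-both": "allow-only-both",
}
OPPOSITE.update({allow: deny for deny, allow in list(OPPOSITE.items())})


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    kind: str        # one of the six policy types
    groups: str      # multicast group range, e.g. "239.1.1.0/24"
    host: str        # host (IP) address
    host_mask: str   # host (subnet) mask; 255.255.255.255 means the full host address

    def covers(self, direction):
        """True if the policy applies to 'tx' (sending) or 'rx' (IGMP reports)."""
        return self.kind.endswith("-" + direction) or self.kind.endswith("-both")

    def matches(self, host, group):
        host_net = ip_network(f"{self.host}/{self.host_mask}", strict=False)
        return ip_address(host) in host_net and ip_address(group) in ip_network(self.groups)


class Interface:
    def __init__(self, name):
        self.name = name
        self.policies = []

    def add_policy(self, policy):
        if policy.kind not in OPPOSITE:
            raise ValueError(f"unknown policy type {policy.kind!r}")
        if any(p.kind == OPPOSITE[policy.kind] for p in self.policies):
            raise ValueError(
                f"{policy.kind} and {OPPOSITE[policy.kind]} cannot exist on {self.name} together")
        self.policies.append(policy)

    def permits(self, direction, host, group):
        """direction 'tx': host sends to group; 'rx': host's IGMP report for group."""
        active = [p for p in self.policies if p.covers(direction)]
        if any(p.kind.startswith("deny") and p.matches(host, group) for p in active):
            return False
        allow_only = [p for p in active if p.kind.startswith("allow-only")]
        # With allow-only policies present, everything that does not match is discarded.
        return not allow_only or any(p.matches(host, group) for p in allow_only)


def build_sample():
    """Constructed sample: a receive-only VLAN and a VLAN with one permitted receiver."""
    vlan1 = Interface("VLAN 1")
    vlan1.add_policy(AccessPolicy("PremiumChannels", "deny-tx",
                                  "239.1.1.0/24", "10.1.1.0", "255.255.255.0"))
    vlan2 = Interface("VLAN 2")
    vlan2.add_policy(AccessPolicy("PremiumChannels", "allow-only-rx",
                                  "239.1.1.0/24", "10.3.3.9", "255.255.255.255"))
    return vlan1, vlan2
```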

Multicast stream limitation feature


You can configure the multicast stream limitation feature to limit the number of multicast groups that
can join a VLAN. By limiting the number of concurrent multicast streams, a service provider can, for
example, protect the bandwidth on a specific interface and control access to multicast streams.


Use multicast stream limitation in an environment where you want to limit users to a certain number
of multicast streams simultaneously. For example, a television service provider can limit the number
of television channels a user can watch at a time. (To a television service provider, a multicast stream
is synonymous with a television channel.) If a user purchases a service contract for two single-tuner
television receivers, they can use two channels flowing at the same time, but not a third. The service
provider can control the bandwidth usage in addition to preventing users from watching more than the
allowed number of channels at a point in time.

You can enable the multicast stream limitation feature on the switch by using one of the following
methods:
• for each interface—This limitation controls the total number of streams for all clients on this brouter
port.
• for each VLAN—This limitation controls the total number of streams for all clients on this VLAN. This
method is equivalent to the interface stream limitation.
• for each VLAN port—This limitation controls the number of streams for all clients on this VLAN port.
This method is equivalent to the interface port stream limitation.

You can configure the maximum number of streams for each limit independently. After the number
of streams meets the limit, the interface drops additional join reports for new streams. The maximum
number of streams for each limit is 65535 and the default is 4.

Multicast Router Discovery protocol


The Multicast Router Discovery (MRDISC) protocol can automatically discover multicast-capable
routers. By listening to multicast router discovery messages, Layer 2 devices can determine where
to send multicast source data and IGMP host membership reports. This feature is useful in a Layer 2
bridging domain that you configure for IGMP snoop.

IGMP multicast router discovery consists of three message types that discover multicast routers on the
network:
• Multicast router advertisements: routers advertise that IP multicast forwarding is enabled on an
interface.
• Multicast router solicitations: routers solicit a response of multicast router advertisements from all
multicast routers on a subnet.
• Multicast router termination messages: a router terminates its multicast routing functions.

Multicast routers send multicast router advertisements periodically on all interfaces where you enable
multicast forwarding. Multicast routers also send advertisements in response to multicast router
solicitations.

Multicast router solicitations transmit to the IGMP-MRDISC all-routers multicast group that uses a
multicast address of 224.0.0.2. Multicast router solicitations do not transmit if a router needs to discover
multicast routers on a directly attached subnet.

Multicast router termination messages transmit after a router terminates its multicast routing functions.
Other non-IP forwarding devices, such as Layer 2 switches, can send multicast router solicitations to
solicit multicast router advertisements.


For MRDISC to function on an IGMP snoop interface, you must explicitly enable MRDISC. Solicitation
messages are sent only if IGMP snoop and MRDISC are enabled on the switch.

Multicast flow distribution over MLT


MultiLink Trunking (MLT) is a mechanism to distribute multicast streams over a multilink trunk
and achieve an even distribution of the streams. The distribution is based on source-subnet and
group addresses. In applications like television distribution, multicast traffic distribution is particularly
important because the bandwidth requirements are substantial when you use a large number of
television streams.

The switch enables this feature by default and you cannot change the configuration.

Traffic distribution
Traffic distribution distributes the streams on the multilink trunk links if an MLT configuration change
occurs. For example, you can add or delete ports.

This feature distributes active streams according to the distribution algorithm on the multilink trunk
links. This distribution can cause minor traffic interruptions. To minimize the effect of distribution
of multicast traffic on the multilink trunks, the implementation does not move the streams to the
appropriate links at the same time. Instead, it distributes a few streams at every time tick of the system.

To that end, after a multilink trunk port becomes inactive, this feature distributes all the streams on the
multilink trunk ports based on the assignment provided by the distribution algorithm.

By default, distribution is enabled and you cannot change the configuration.

For more information about MLT, see MultiLink Trunking on page 2360.

Multicast virtualization
Multicast provides simplified extension of internal video and data delivery to remote locations.

Virtualized multicast enables multiple VPN routing instances on devices and supports various unicast
routing protocols so that you can provide the services of many virtual routers from one physical device.

You can configure multicast routing support with the Virtual Routing and Forwarding (VRF) Lite feature
and you can use VRF Lite to emulate many virtual routers with one router.

Multicast virtualization support includes:


• IGMP snooping
• IGMP in Layer 2 virtual services networks (VSN)
• IGMP in Layer 3 VSNs

To implement multicast virtualization, you must perform the following tasks:

1. Create a VRF. For more information about how to create and configure a VRF, see Create a VRF
Instance on page 3839.
2. Create a VLAN and associate it with the VRF.
3. Enable one of the following: IGMP snooping on the VLAN, Layer 2 VSN, or Layer 3 VSN.


If you use IGMP snooping on the VLAN, ensure the IGMP version on the multicast hosts or other
network devices is either the same as the version on the VLAN, or enable compatibility mode.

Multicast virtualization does not support PIM. The switch supports IGMP with PIM only in the Global
Router.

VRF Lite background


VRF Lite provides independent IPv4 forwarding instances and independent routing instances
(contexts), which can reside on the same or different VLANs and ports.

While forwarding and routing instances are mapped to IP interfaces, incoming traffic is classified into a
VLAN and IP interface and, depending on the IP interface, routed context traffic is forwarded.

Protocol Independent Multicast-Sparse Mode

Table 115: Protocol Independent Multicast - Sparse Mode product support


| Feature | Product | Release introduced |
|---|---|---|
| Protocol Independent Multicast-Sparse Mode (PIM-SM) for IPv4 | VSP 4450 Series | VOSS 4.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 4.0.1 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | Not Supported |
| PIM Infinite Threshold for IPv4 and IPv6 | VSP 4450 Series | VOSS 8.5 |
| | VSP 4900 Series | VOSS 8.5 |
| | VSP 7200 Series | VOSS 8.5 |
| | VSP 7400 Series | VOSS 8.5 |
| | VSP 8200 Series | VOSS 8.5 |
| | VSP 8400 Series | VOSS 8.5 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

Note
PIM is supported in Global Routing Table (GRT) only.

PIM-SM, as defined in RFC2362, supports multicast groups spread out across large areas of a company
or the Internet. PIM-SM sends multicast traffic only to routers that specifically join a multicast group.
This technique reduces traffic flow over WAN links and overhead costs for processing unwanted
multicast packets.


Dense-mode protocols use a flood-and-prune technique, which is efficient with densely-populated
receivers. However, for sparsely populated networks, PIM-SM is more efficient because it sends
multicast traffic only to those routers that belong to a specific multicast group and that choose to
receive the traffic.

PIM-SM is independent of a specific unicast routing protocol, but it does require the presence of
a unicast routing protocol, such as Routing Information Protocol (RIP) or Open Shortest Path First
(OSPF). PIM-SM uses the information from the unicast routing table to create and maintain multicast
trees that enable PIM-enabled routers to communicate.

Typically, a PIM-SM network consists of several multipoint data streams, each targeted to a small
number of LANs in the internetwork. For example, customers whose networks consist of multiple
hosts on different LANs can use PIM-SM to simultaneously access a video data stream, such as video
conferencing, on a different subnet.

Important
In some cases, PIM stream initialization can take several seconds.

Hosts
A host is a source, a receiver, or both:
• A source, also known as a sender, sends multicast data to a multicast group.
• A receiver receives multicast data from one or several sources that send data to a multicast group.

PIM-SM domain
PIM-SM operates in a domain of contiguous routers on which PIM-SM is enabled.

Each PIM-SM domain requires the following routers:


• designated router (DR)
• rendezvous point (RP) router
• bootstrap router (BSR)

Although a PIM-SM domain can use only one active RP router and one active BSR, you can configure
additional routers as a candidate RP (C-RP) router and as a candidate BSR (C-BSR). Candidate routers
provide backup protection in case the primary RP router or BSR fails.

As a redundancy option, you can configure several RPs for the same group in a PIM domain. As a load
sharing option, you can have several RPs in a PIM-SM domain map to different groups. The switch
devices use the hash function defined in the PIM-SM standard to elect the active RP.

Designated router
The designated router (DR), the router with the highest IP address on a LAN, performs the following
tasks:
• sends register messages to the RP router on behalf of directly connected sources
• sends join and prune messages to the RP router on behalf of directly connected receivers


• maintains information about the status of the active RP router for local sources in each multicast
group

Important
The DR is not a required configuration. Switches act automatically as the DR for directly
attached sources and receivers.

Rendezvous point router


PIM-SM builds a shared multicast distribution tree within each domain, and the RP router is at the root
of this shared tree. Although you can physically locate the RP anywhere on the network, it must be as
close to the source as possible. Only one active RP router exists for a multicast group.

At the RP router, receivers meet new sources. Sources use the RP to identify themselves to other
routers on the network; receivers use the RP to learn about new sources.

The RP performs the following tasks:


• registers a source that wants to announce itself and send data to group members
• joins a receiver that wants to receive data for the group
• forwards data to the group

Candidate rendezvous point router

You can configure a set of routers as C-RP routers that serve as backup to the RP router. If an RP
fails, all the routers in the domain apply the same algorithm to elect a new RP from the group of C-RP
routers. To make sure that the routers use a complete list of C-RP routers, the C-RP router periodically
sends unicast advertisement messages to the BSR. The most common implementation is to configure a
PIM-SM router as both a C-RP router and a C-BSR.

The switch devices use the hash function defined in the PIM-SM standard to elect the active RP.
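Because every router in the domain runs the same election over the same C-RP list, the result can be predicted offline. The following added example (not Extreme's code) implements the RP hash as given in RFC 2362, section 3.7; the function names, the default hash mask length of 30 and the sample addresses are assumptions for illustration.

```python
from ipaddress import IPv4Address, ip_network

HASH_MULT = 1103515245
HASH_INC = 12345


def rp_hash_value(group, candidate, hash_mask_len=30):
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31."""
    g = int(IPv4Address(group))
    c = int(IPv4Address(candidate))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    return (HASH_MULT * ((HASH_MULT * (g & mask) + HASH_INC) ^ c) + HASH_INC) % (1 << 31)


def elect_rp(group, rp_set, hash_mask_len=30):
    """Pick the active RP for `group`.

    rp_set: iterable of (c_rp_address, group_prefix, priority) tuples, as
            distributed by the BSR or configured statically.
    Returns the elected RP address, or None if no C-RP covers the group.
    """
    covering = [(addr, prio) for addr, prefix, prio in rp_set
                if IPv4Address(group) in ip_network(prefix)]
    if not covering:
        return None
    # Highest priority means the lowest priority value.
    best = min(prio for _, prio in covering)
    candidates = [addr for addr, prio in covering if prio == best]
    # Highest hash value wins; a tie goes to the highest C-RP address.
    return max(candidates,
               key=lambda a: (rp_hash_value(group, a, hash_mask_len), int(IPv4Address(a))))


# Constructed sample RP set: two equal-priority C-RPs for all multicast groups.
SAMPLE_RP_SET = [
    ("10.0.0.1", "224.0.0.0/4", 0),
    ("10.0.0.2", "224.0.0.0/4", 0),
]


def rp_assignment(groups, rp_set=SAMPLE_RP_SET, hash_mask_len=30):
    """Map each group to its elected RP, to review load sharing and failover."""
    return {g: elect_rp(g, rp_set, hash_mask_len) for g in groups}
```

With a hash mask length of 30, four consecutive group addresses share one RP, so related streams stay together; removing an RP from the set and rerunning `rp_assignment` shows which groups move.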

Static rendezvous point router

You can configure a static entry for an RP router with static RP. This feature avoids the process of
selecting an active RP from the list of candidate RPs and dynamically learning about RPs through the
BSR mechanism. Static RP-enabled switches cannot learn about RPs through the BSR because the
switch loses all dynamically learned BSR information and ignores BSR messages. After you configure
static RP entries, the switch adds them to the RP set as if they were learned through the BSR.

Important
In a PIM domain with both static and dynamic RP switches, the static RP switches cannot use
a local interface configured as an RP.

When you configure a PIM static RP in a switch, the next hop of the unicast route toward the PIM static
RP must be a PIM neighbor. The PIM protocol fails to work, due to a route change, if the next hop
toward an already configured static RP becomes a non-PIM neighbor. If a PIM neighbor cannot reach
the configured RP, the RP does not activate and its state remains invalid.

A static RP-enabled switch can communicate with switches from other vendors that do not use the BSR
mechanism. Some vendors use either early implementations of PIM-SM v1 that do not support the BSR
or proprietary mechanisms like the Cisco Auto-RP. For a network to work properly with static RP, you
must map all the switches in the network (including switches from other vendors) to the same RP or
RPs, if several RPs exist in the network.

To avoid a single point of failure, you can also configure redundant static RPs.

Use the static RP feature when you do not need dynamic learning mode, typically in small networks, or
for security reasons, where you force specific RPs onto devices in the network so that they do not
learn other RPs.

Static RP configuration considerations

Before you can configure a static RP, you must enable PIM-SM and enable static RP.

After you meet these prerequisites, keep in mind the following configuration considerations:
• You cannot configure a static RP-enabled switch as a BSR or as a C-RP router.
• All dynamically learned BSR information is lost. However, if you disable static RP, the switch loses the
static RP information and regains the BSR functionality.
• Static RPs do not age, that is, they cannot time out.
• Switches do not advertise static RPs, so, if a new PIM neighbor joins the network, it does not know
about the static RP unless you configure it with that static RP.
• Configure all the switches in the network (including switches from other vendors) to map to the
same RP.
• In a PIM domain with both static and dynamic RP switches, the static RP switches cannot use a local
interface configured as an RP.
• To avoid a single point of failure, you can configure redundant static RPs for the same group prefix. If
you use a mix of vendor switches across the network, you must ensure that all switches and routers
use the same active RP because other vendors can use different algorithms to elect the active RP.
The switch devices use the hash function defined in the PIM-SM standard to elect the active RP;
other vendors can use the lowest IP address to elect the RP.

Important
To reduce convergence times, create only one static RP for each group. The more static
RPs you configure for redundancy, the more time PIM requires to rebuild the mroute table
and associate RPs.

• Static RP configured on the switch is active as long as the switch uses a unicast route to the static
RP network. If the switch loses this route, the static RP is invalidated and the hash algorithm remaps
all affected groups. If the switch regains this route, the static RP is validated and the hash algorithm
remaps the affected groups.
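
The following Python sketch is an added example, not Extreme Networks code. It implements the group-to-RP hash from the PIM-SM specification (RFC 7761, section 4.7.2), which the text says the switch uses, and compares it with a lowest-IP-address election to show which groups would map to different RPs in a mixed-vendor network and which groups remap when a static RP loses its unicast route. The RP set, the group list, the function names, the hash mask length of 30, and equal priority for all RPs are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: redundant static RPs for 239/8 plus a more specific prefix.
RP_SET = [
    ("239.0.0.0/8", "10.0.0.1"),
    ("239.0.0.0/8", "10.0.0.2"),
    ("239.0.0.0/8", "10.0.0.3"),
    ("239.255.0.0/16", "10.0.0.9"),
]
GROUPS = [f"239.1.1.{i}" for i in range(0, 64, 4)]  # one group per /30 block


def rp_hash(group, rp, mask_len=30):
    """Value(G, M, C) from the PIM-SM specification (RFC 7761, section 4.7.2)."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp))
    m = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    return (1103515245 * ((1103515245 * (g & m) + 12345) ^ c) + 12345) % 2**31


def candidates(group, rp_set, reachable=None):
    """RPs with the longest matching group prefix; unreachable RPs are invalid."""
    g = ipaddress.IPv4Address(group)
    covering = [
        (ipaddress.IPv4Network(prefix), rp)
        for prefix, rp in rp_set
        if (reachable is None or rp in reachable)
        and g in ipaddress.IPv4Network(prefix)
    ]
    if not covering:
        return []
    longest = max(net.prefixlen for net, _ in covering)
    return [rp for net, rp in covering if net.prefixlen == longest]


def elect_by_hash(group, rp_set, reachable=None, mask_len=30):
    """Highest hash value wins; the higher RP address breaks a tie."""
    cands = candidates(group, rp_set, reachable)
    if not cands:
        return None
    return max(cands, key=lambda rp: (rp_hash(group, rp, mask_len),
                                      int(ipaddress.IPv4Address(rp))))


def elect_lowest_ip(group, rp_set, reachable=None):
    """The alternative election the text attributes to other vendors."""
    cands = candidates(group, rp_set, reachable)
    if not cands:
        return None
    return min(cands, key=lambda rp: int(ipaddress.IPv4Address(rp)))


def divergent_groups(groups, rp_set):
    """Groups for which the two election methods choose different active RPs."""
    result = []
    for g in groups:
        by_hash, by_low = elect_by_hash(g, rp_set), elect_lowest_ip(g, rp_set)
        if by_hash != by_low:
            result.append((g, by_hash, by_low))
    return result


def remapped_groups(groups, rp_set, lost_rp):
    """Groups whose active RP changes when the route to lost_rp disappears."""
    alive = {rp for _, rp in rp_set} - {lost_rp}
    changes = {}
    for g in groups:
        before = elect_by_hash(g, rp_set)
        after = elect_by_hash(g, rp_set, reachable=alive)
        if before != after:
            changes[g] = (before, after)
    return changes


if __name__ == "__main__":
    for g, by_hash, by_low in divergent_groups(GROUPS, RP_SET):
        print(f"{g}: hash election -> {by_hash}, lowest-IP election -> {by_low}")
    for g, (old, new) in remapped_groups(GROUPS, RP_SET, "10.0.0.1").items():
        print(f"{g}: remapped {old} -> {new} after 10.0.0.1 became invalid")
```

Any group that `divergent_groups` reports would be served by two different active RPs if both election methods were in use in the same domain.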

Bootstrap router
The BSR receives RP router advertisement messages from the candidate RPs. The BSR adds the RP
router with its group prefix to the RP set. Only one BSR exists for each PIM-SM domain.

The BSR periodically sends bootstrap messages containing the complete RP set to all routers in the
domain. The BSR ensures that all PIM-SM routers send join, prune, and register packets.

Within a PIM-SM domain, you can configure a small set of routers as C-BSRs. The C-BSR with the
highest configured priority becomes the BSR for the domain. If two C-BSRs use equal priority, the
candidate with the higher IP address becomes the BSR. If you add a new C-BSR with a higher priority to
the domain, it automatically becomes the new BSR.

Important
Configure C-BSRs on routers that are central to all candidate RPs.

Shared trees and shortest-path trees


A PIM-SM domain uses shared trees and shortest-path trees to deliver data packets to group members.
This section describes both trees.

Shared trees

Group members in a PIM-SM domain receive the first packet of data from sources across a shared tree.
A shared tree consists of a set of paths that connect all members of a multicast group to the RP. PIM
creates a shared tree when sources and receivers send messages toward the RP.

Shortest-path trees

After receiving a certain number of packets from the RP, the DR changes from a shared tree to an SPT.
Switching to an SPT creates a direct route between the receiver and the source. The switch changes to
the SPT after it receives the first packet from the RP.

Figure 141 shows a shared tree and an SPT.

Figure 141: Shared tree and shortest-path tree

Receiver Joining a Group


The following steps describe how a receiver joins a multicast group:

1. A receiver multicasts an IGMP host membership message to the group that it wants to join.
2. After the last-hop router (the DR), normally the PIM router with the highest IP address for that
VLAN, receives the IGMP message for a new group join, the router looks up the associated elected
RP with responsibility for the group.
3. After it determines the RP router for the group, the last-hop router creates a (*,G) route entry in
the multicast forwarding table and sends a (*,G) join message to the RP. After the last-hop router
receives data packets from the RP, if the multicast packet arrival rate exceeds the DR threshold, the
last-hop router switches to the SPT by sending an (S,G) join message to the source. (S denotes the
source unicast IP address, and G denotes the multicast group address.)
4. If the last-hop router switches to the SPT, the following actions occur:
• All intermediate PIM routers along the path to the source create the (S,G) entry.
• To trim the shared tree, the router sends an (S,G) prune message to the RP.

You can enable the PIM Infinite Threshold Policy feature to prevent the SPT switchover. Multicast traffic
follows the shared tree path through a Rendezvous Point (RP) instead of switching over to SPT.

Note
PIM Infinite Threshold Policy for IPv4 and IPv6 is not supported on VSP 8600 Series or
XA1400 Series.

Receiver leaving a group


Before it leaves a multicast group, a receiver sends an IGMP leave message to the DR. If all directly
connected members of a multicast group leave or time out, and no downstream members remain, the
DR sends a prune message upstream and PIM-SM deletes the route entry after that entry times out.

When the system ages PIM mroutes, it does not clear the (S,G) entry for an inactive route immediately
after the expiration period. Topology and hardware conditions can affect the polling interval and cause
an inactive route to remain for up to 12-15 minutes.

Source sending packets to a group


The following steps describe how a source sends multicast packets to a group:

1. A source directly attached to a VLAN bridges the multicast data to the DR. The DR for the VLAN
(the router with the highest IP address) encapsulates each packet in a register message and sends a
unicast message directly to the RP router to distribute to the multicast group.
2. If a downstream group member chooses to receive multicast traffic, the RP router sends a join or
prune message toward the source DR and forwards the data down the RP tree after it obtains the
data natively.
3. After the receiver DR obtains the first packet, it switches to the shortest-path tree (SPT) and
continues receiving data through the SPT path.
4. If no downstream members want to receive multicast traffic, the RP router sends a register-stop
message (for the source) to the DR.

The DR starts the register suppression timer after it receives the first register-stop message. During
the register suppression timeout period (the default is 60 seconds), the following events occur:
• The DR for the source sends a probe packet to the RP router before the register suppression
timer expires. The probe packet prompts the RP router to determine whether new downstream
receivers joined the group.
• If no new receivers joined the group, the RP router sends another register-stop message to the
DR for the source, and its register suppression timer restarts.
• After the RP router no longer responds with a register-stop message to the source DR probe
message, the register suppression timer expires and the DR sends encapsulated multicast
packets to the RP router. The RP router uses this method to tell the DR that new members
joined the group.

The RP sends a register-stop message to the DR immediately after it receives the first multicast data
packet.

Required elements for PIM-SM operation


For PIM-SM to operate, the following elements must exist in the PIM-SM domain:
• You must enable an underlying unicast routing protocol for the switch to provide routing table
information to PIM-SM.
• You must configure an active BSR to send bootstrap messages to all PIM-v2 configured switches and
routers to enable them to learn group-to-RP mapping. If you configure several BSRs in a network, an
active BSR is elected based on priority and IP address (if priority is equal, the BSR with the higher IP
address is elected).
• You must include an RP to perform the following tasks:
◦ manage one or several IP multicast groups
◦ become the root for the shared tree to these groups
◦ accept join messages from receiver switches for groups that it manages
◦ elect an active RP based on priority and IP address (if priority is equal, the RP with the higher IP
address is elected)

PIM-SM simplified example


Figure 142 shows a simplified example of a PIM-SM configuration.

Figure 142: PIM-SM simplified example


In the sample configuration, the following events occur:

1. The BSR distributes RP information to all switches in the network.
2. R sends an IGMP membership report to S4.
3. Acting on this report, S4 sends a (*,G) join message to RP.
4. S sends data to G.
5. The DR (S1 in this example) encapsulates the data that it unicasts to RP (S2) in register messages.
6. S2 decapsulates the data, which it forwards to S4.
7. S4 forwards the data to R.
8. If the packet rate exceeds the DR threshold, S4 sends S1 an (S,G) join message.
9. S1 forwards data to S4. After S4 receives data from S1, it prunes the stream from the RP.

Important
Figure 142 on page 1486 is a simplified example and is not the best design for a network if
you locate the source and receiver as shown. In general, place RPs as close as possible to
sources.

PIM-SM Static Source Groups


You can configure static source groups as static source-group entries in the PIM-SM multicast routing
table. PIM-SM cannot prune these entries from the distribution tree. For more information about static
source groups, see Static source groups on page 1463.

Join and prune messages


The DR sends join and prune messages from a receiver toward an RP for the group to either join the
shared tree or remove (prune) a branch from it. A single message contains both a join and a prune list.
This list includes a set of source addresses that indicate the shortest-path trees or the shared trees that
the host wants to join. The DR sends join and prune messages hop-by-hop to each PIM router on the
path to the source or the RP.

Register and register-stop messages


The DR sends register messages to the RP for a directly connected source. The register message
informs the RP of a new source, causing the RP to send join or prune messages back toward the DR
of the source, which forwards the data down the RP tree after it obtains the data natively. After the
receiver DR obtains the first packet, it switches to the shortest-path tree (SPT) and continues receiving
data through the SPT path.

The DR stops sending encapsulated packets to the RP after it receives a register-stop message. This
traffic stops without delay because the RP sends a register-stop message immediately after it receives
the first multicast data packet, and joins the shortest-path tree.

PIM-SMLT
IP multicast routing support with Split MultiLink Trunking (SMLT) builds a virtual switch that represents
the two switches of the split multilink trunk core.

When switches use PIM in the core, they need to exchange protocol-related updates as part of the
interswitch trunking (IST) protocol. IST hides the fact that the edge switch attaches to two physical
switches.

PIM-SMLT can work in triangular, square, and full mesh configurations with Layer 3 IP multicast.
However, PIM-SSM in square or full mesh SMLT topologies is not supported.

The following rules apply:


• If a VLAN receives traffic from the IST link, it cannot forward on the split multilink trunk link or the
edge for the same VLAN.
• If one side of the SMLT link toward the receiver is down, such that the traffic cannot be forwarded
directly down the SMLT link from the router on which traffic is ingressing, the IST Peer MUST forward
that traffic it receives over the IST link down its side of the SMLT toward the receiver. The decision of
whether the IST Peer needs to forward traffic received over the IST to SMLT receivers is made in the
datapath, which has full knowledge of the remote SMLT link state.
• Traffic can use the IST to route between VLANs if the forwarding decision for the multicast protocol
requires that the other side of the core forwards the multicast traffic (follow the IP multicast routing
and forwarding rules for routed traffic). Other VLANs that are not part of SMLT continue to behave
in the same way.
• To create a temporary default route pointing to a peer IST, you must enable PIM on the IST VLAN.
• In a scaled multicast environment, if you must reconfigure the members of an MLT link, either SMLT
or IST, by removing the ports from the MLT membership list, you must first shut down the port by
using the shutdown command at the port configuration level. Let the unicast and multicast traffic
subside, and then remove the port from the MLT membership list. If you reconfigure the MLT without
first shutting down the port, it can lead to excessive hardware updates to multicast forwarding
records and can result in high utilization of the CPU.

Note
In a scaled PIM over Simplified vIST deployment, disabling all the PIM interfaces (no ip
routing) causes the VLACP ports to bounce. With no user intervention, the packets start
getting processed again in approximately 10 seconds. VLACP enables the ports and full
functionality is restored.

SMLT provides for fast failover in all cases, but does not provide a functionality similar to Routed SMLT
(RSMLT).

Important
You must enable square SMLT globally before you configure square or full-mesh
configurations.

Traffic delay with PIM while restarting peer SMLT switches


If you restart peer SMLT switches, you can lose, or experience a delay in, PIM traffic. The local and
remote SMLT links must be up to forward traffic. If a remote SMLT link is down, you can experience a
traffic delay.

PIM uses a DR to forward data to receivers on a VLAN. If you restart the DR in an SMLT VLAN, you can
lose data because of the following actions:
• If the DR is down, the non-DR switch assumes the role and starts forwarding data.
• After the DR comes back up, it takes priority (higher IP address) to forward data so the non-DR
switch stops forwarding data.
• The DR is not ready to forward traffic due to protocol convergence and because it takes time to
learn the RP set and create the forwarding path. This situation can result in a traffic delay of 2 to 3
minutes because the DR learns the RP set after Open Shortest Path First (OSPF) converges.

A workaround to this delay is to configure the static RP router on the peer SMLT switches. This feature
avoids the process of selecting an active RP router from the list of candidate RPs and dynamically
learning about RPs through the BSR mechanism. After the DR comes back up, traffic resumes as soon
as OSPF converges. This workaround reduces the traffic delay to approximately 15 to 65 seconds.

Protocol Independent Multicast-Source Specific Multicast

Table 116: Protocol Independent Multicast-Source Specific Mode product support

| Feature | Product | Release introduced |
|---|---|---|
| PIM-Source Specific Mode (PIM-SSM) for IPv4 | VSP 4450 Series | VOSS 4.1 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 4.2.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 4.0.1 |
| | VSP 8400 Series | VOSS 4.2 |
| | VSP 8600 Series | VSP 8600 4.5 |
| | XA1400 Series | Not Supported |

Note
PIM is supported in Global Routing Table (GRT) only.

Source Specific Multicast optimizes PIM-SM by simplifying the many-to-many model. Because most
multicast applications distribute content to a group in one direction, SSM uses a one-to-many model
that uses only a subset of the PIM-SM features. This model is more efficient and reduces the load on
multicast routing devices.

SSM only builds source-based SPTs. Whereas PIM-SM always joins a shared tree first, and then switches
to the source tree, SSM eliminates the need to start with a shared tree by immediately joining a source
through the SPT. SSM avoids using an RP and RP-based shared trees, which can be a potential problem.

Previously, the SSM map allowed only one channel for each group. You can now configure multiple
channels for the members of an SSM group in this map.

This configuration is ideal for applications like television channel distribution and other content-
distribution businesses. Banking and trade applications can also use SSM as it provides more control
over the hosts receiving and sending data over their networks.

When the switch receives an IGMPv2 report in the SSM range, it translates the report to an IGMPv3
report message with one group record of type ALLOW and the source lists copied from the IGMP SSM map
static entries, and passes the message to the IGMPv3 module. When the switch receives an IGMPv2 leave
in the SSM range, it translates the leave to an IGMPv3 report message with one group record of type
BLOCK and the source lists copied from the IGMP SSM map static entries, and passes the message to the
IGMPv3 module. This behavior occurs only when PIM-SSM mode is enabled.

SSM applications use IP addresses reserved by the Internet Assigned Numbers Authority (IANA) in
the 232/8 range (232.0.0.0 to 232.255.255.255). SSM recognizes packets in this range and controls the
behavior of multicast routing devices and hosts that use these addresses. When a source (S) transmits
IP datagrams to an SSM destination address (G), a receiver can receive these datagrams by subscribing
to the (S,G) channel.

A channel is a source-group (S,G) pair where S is the source that sends to the multicast group and
G is an SSM group address. SSM defines channels on an individual or multiple source basis, which
enforces the one-to-many concept of SSM applications. In an SSM channel, each group is associated
with multiple sources.

SSM features
PIM-SM requires a unicast protocol to forward multicast traffic within the network to perform the
Reverse Path Forwarding (RPF) check. PIM-SM uses the information from the unicast routing table
to create and maintain the shared and shortest multicast tree that PIM-enabled routers use to
communicate. The unicast routing table must contain a route to every multicast source in the network
as well as routes to PIM entities like the RPs and BSR.

SSM uses only a subset of the PIM-SM features such as the SPT, DR, and some messages (hello,
join, prune, and assert). However, some features are unique to SSM. These features, described in the
following sections, are extensions of the IGMP and PIM protocols.

PIM-SSM architecture
The following diagram illustrates how the PIM-SSM architecture requires routers to perform the
following actions:
• support IGMPv3 source-specific host membership reports and queries at the edge routers
• initiate PIM-SSM (S,G) joins directly and immediately after receiving an IGMPv3 join report from the
designated router
• restrict forwarding to SPTs within the SSM address range by all PIM-SSM routers

Figure 143: PIM-SSM architecture


The following rules apply to Layer 3 devices with SSM enabled:
• Receive IGMPv3 membership join reports in the SSM range and, if no entry (S,G) exists in the SSM
channel table, create one.
• Receive IGMPv2 membership join reports, but only for groups that already use a static (S,G) entry in
the SSM channel table.
• Send periodic join messages to maintain a steady SSM tree state.
• Use standard PIM-SM SPT procedures for unicast routing changes, but ignore rules associated with
the SPT for the (S,G) route entry.
• Receive prune messages and use standard PIM-SM procedures to remove interfaces from the source
tree.
• Forward data packets to interfaces from the downstream neighbors that sent an SSM join, or to
interfaces with locally attached SSM group members.
• Drop data packets that do not use an exact-match lookup (S,G) in their forwarding database for S
and G.

PIM-SSM Static Source Groups


You can configure static source group entries in the PIM-SSM multicast routing table with static source
groups. PIM-SSM cannot prune these entries from the distribution tree. For more information about
static source groups, see Static source groups on page 1463.

Implementation of SSM and IGMP


The following sections describe how the switch implements PIM-SSM and IGMP.

SSM range

The standard SSM range is 232/8, but you can extend the range to include an IP multicast address.
Although you can configure the SSM range, you cannot configure it for all multicast groups (224/4 or
224.0.0.0/240.0.0.0 or 224.0.0.0/255.0.0.0).

You can extend the SSM range to configure existing applications without changing their group
configurations.

SSM channel table

You can use the SSM channel to manually configure (S,G) entries that map existing groups to their
sending source. These table entries apply to the whole switch, not for each interface, and both IGMPv2
and IGMPv3 hosts use the SSM channel table.

The following rules apply to an SSM channel table for an individual switch:
• You can map one source to multiple groups.
• You can allow multiple sources to the same group.

Important
Different switches can use different mappings for groups to sources, for example, different
channels map differently even if they are on the same network.

SSM and IGMPv2

SSM-configured switches can accept reports from IGMPv2 hosts on IGMPv2 interfaces if the group uses
an SSM channel table entry. However, the IGMPv2 host groups must exist in the SSM range defined on
the switch, which is 232/8 by default.
• After the SSM switch receives an IGMPv2 report for a group that is in the SSM channel table, it joins
the specified source immediately.
• After the SSM switch receives an IGMPv2 report for a group that uses an enabled static SSM channel
table entry, it triggers PIM-SSM processing as if it received an equivalent IGMPv3 report.
• After the SSM switch receives an IGMPv2 report for a group out of the SSM range, it processes the
report as if it is in PIM-SM mode.

Deleting or Disabling an ssm-map with IGMPv1 or IGMPv2

Before you disable or delete an ssm-map, always send IGMPv1 or IGMPv2 leave messages from hosts
that operate using IGMPv1 or IGMPv2. If you do not perform this action, receiving and processing
reports in SSM range on an IGMP interface enabled with IGMPv1 or IGMPv2 can lead to unexpected
behavior.

Consider the following configuration scenario:


• A device is PIM-enabled, running in SSM mode, with IGMPv1 or IGMPv2 configured on the interface.
• IGMPv1 and IGMPv2 hosts send IGMPv1 or IGMPv2 reports for groups in SSM range.

The following table identifies the expected behaviors in this scenario.

Table 117: Expected behaviors for ssm-map configuration

| Action | Expected behavior |
|---|---|
| You do not configure an ssm-map for the group in SSM range. | IGMPv1 and IGMPv2 reports are not processed. |
| You do configure an ssm-map for the group in SSM range. | IGMPv1 and IGMPv2 reports are processed and the group in SSM range is learned. |

SSM and IGMPv3

The switch supports IGMPv3 for SSM. With IGMPv3, a host can selectively request or filter traffic from
sources within the multicast group. IGMPv3 is an interface-level configuration.

Important
IGMPv3 works without PIM-SSM or SSM-snoop enabled on the interface.

The following rules apply to IGMPv3-enabled interfaces:
• Send only IGMPv3 (source-specific) reports for addresses in the SSM range.
• Accept IGMPv3 reports.
• Drop IGMPv2 reports.
  The IGMPv2 report mentioned in SSM and IGMPv2 on page 1492 is processed because it is an
  IGMPv2 report received on an IGMPv2 interface. If an IGMPv2 interface receives an IGMPv3 report,
  it drops the report even if PIM-SSM is enabled and the entry is in the SSM channel table. The IGMP
  versions must match.
• Discard IGMP packets with a group address out of the SSM range.

The switch implements IGMPv3 in one of two modes: dynamic and static.

In dynamic mode, the switch learns about new (S,G) pairs from IGMPv3 reports and adds them to the
SSM channel table. If you do not enable dynamic mode and an IGMPv3-enabled interface receives a
report that includes a group not listed in the SSM channel table, it ignores the report.

In static mode, you can statically configure (S,G) entries in the SSM channel table. If an IGMPv3-enabled
interface receives a report that includes a group not listed in the SSM channel table, it ignores the
report. The interface also ignores the report if the group is in the table, but the source or mask does not
match what is in the table.

Important
After you enable IGMPv3, changes to the query interval and robustness values on the querier
switch propagate to other switches on the same VLAN through IGMP query.

Both IGMPv2 and IGMPv3 hosts use the SSM channel table:
• An IGMPv2 host (with an IGMPv2 VLAN) must use an existing SSM channel entry if the group is in
the SSM range.
• If you enable dynamic learning for an IGMPv3 host, the SSM channel automatically learns the group.
Otherwise, the SSM channel also needs a static entry.

The following table summarizes how a switch in PIM-SSM mode works with IGMP if you disable IGMPv3
compatibility. In the following table, references to matching a static SSM channel entry assume that the
entry is enabled. If an entry is disabled, it is treated as though it is disallowed.

Table 118: PIM-SSM interaction with IGMPv2 and v3 with IGMPv3 compatibility disabled

| Host | VLAN | SSM range | Action |
|---|---|---|---|
| IGMPv2 host | IGMPv3 VLAN | In or out of range | Drop report. |
| IGMPv3 host | IGMPv2 VLAN | In or out of range | Drop report. |
| IGMPv2 host | IGMPv2 VLAN | In range | If the report matches an existing static SSM channel entry, create (S,G). If the report does not match an existing static SSM channel entry, drop it. |
| IGMPv2 host | IGMPv2 VLAN | Out of range | Ignore the SSM channel table and process the report as if it is in PIM-SM mode. |
| IGMPv3 host | IGMPv3 VLAN | Out of range | Process the report. |
| IGMPv3 host | IGMPv3 VLAN | In range | Dynamic enabled. Create (S,G). |
| IGMPv3 host | IGMPv3 VLAN | In range | Dynamic disabled and matches an existing SSM channel entry. Create (S,G). |
| IGMPv3 host | IGMPv3 VLAN | In range | Dynamic disabled and does not match an existing SSM channel entry. Drop report. |

The following table summarizes how a switch in PIM-SSM mode works with IGMP if you enable IGMPv3
compatibility.

Table 119: PIM-SSM interaction with IGMPv2 and v3 with IGMPv3 compatibility enabled

| Host | VLAN | SSM range | Action |
|---|---|---|---|
| IGMPv2 Host | IGMPv3 VLAN | In range | If the report matches an existing static SSM channel entry, create (S,G). If the report does not match an existing static SSM channel entry, drop it. |
| IGMPv2 Host | IGMPv3 VLAN | Out of range | Process the report as in PIM-SM mode. |

If an IGMPv3 group report enters the VLAN port and the port must discard one or more of the groups in
that packet after the application of IGMP access controls, the port drops the entire packet and does not
forward it on to other ports of the VLAN.

If an IGMPv3 interface receives an IGMPv2 or v1 query, the interface backs down to IGMPv2 or v1. As a
result, the interface flushes all senders and receivers on the interface.
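
The decision logic in Tables 118 and 119, together with the IGMPv2-to-IGMPv3 translation described earlier in this section, written as an added Python model (not VOSS code) that predicts whether a membership report creates (S,G) state or is dropped. The class, method, and action names and the sample addresses are hypothetical, and an IGMPv3 report is assumed to match only when every listed source is an enabled channel entry.

```python
import ipaddress


class SsmSwitch:
    """Hypothetical model of a switch in PIM-SSM mode; names are not VOSS CLI keywords."""

    def __init__(self, channels=None, ssm_range="232.0.0.0/8",
                 dynamic_learning=False, v3_compat=False):
        self.ssm_range = ipaddress.ip_network(ssm_range)  # 232/8 is the default range
        self.dynamic_learning = dynamic_learning           # IGMPv3 dynamic mode
        self.v3_compat = v3_compat                         # IGMPv3 compatibility
        # SSM channel table: group -> {source: enabled?}; applies to the whole switch.
        self.channels = {g: dict(s) for g, s in (channels or {}).items()}

    def in_range(self, group):
        return ipaddress.ip_address(group) in self.ssm_range

    def static_sources(self, group):
        """Enabled sources for a group; a disabled entry is treated as disallowed."""
        return sorted(s for s, on in self.channels.get(group, {}).items() if on)

    def translate_v2(self, kind, group):
        """Turn an IGMPv2 report or leave in the SSM range into one IGMPv3 group record."""
        record_type = {"report": "ALLOW", "leave": "BLOCK"}[kind]
        return {"type": record_type, "group": group,
                "sources": self.static_sources(group)}

    def handle_report(self, host_ver, vlan_ver, group, sources=()):
        """Return (action, [(S, G), ...]) for one membership report."""
        v2_on_v3 = host_ver == 2 and vlan_ver == 3 and self.v3_compat
        if host_ver != vlan_ver and not v2_on_v3:
            return ("drop", [])                      # IGMP versions must match
        if host_ver == 2:
            if not self.in_range(group):
                return ("process-as-pim-sm", [])     # SSM channel table is ignored
            record = self.translate_v2("report", group)
            if not record["sources"]:
                return ("drop", [])                  # no enabled static channel entry
            return ("create", [(s, group) for s in record["sources"]])
        # IGMPv3 host on an IGMPv3 VLAN
        if not self.in_range(group):
            return ("process", [])
        wanted = list(sources)
        if self.dynamic_learning:
            for s in wanted:                         # learn new (S,G) pairs
                self.channels.setdefault(group, {}).setdefault(s, True)
            return ("create", [(s, group) for s in wanted])
        allowed = set(self.static_sources(group))
        if wanted and set(wanted) <= allowed:
            return ("create", [(s, group) for s in wanted])
        return ("drop", [])                          # group or source not in the table


# Constructed sample: one enabled and one disabled static channel entry.
SAMPLE_CHANNELS = {"232.1.1.1": {"10.1.1.10": True, "10.1.1.11": False}}

if __name__ == "__main__":
    sw = SsmSwitch(SAMPLE_CHANNELS)
    for args in [(2, 2, "232.1.1.1"), (2, 2, "232.9.9.9"), (2, 2, "239.1.1.1"),
                 (2, 3, "232.1.1.1"), (3, 3, "232.1.1.1", ["10.9.9.9"])]:
        print(args, "->", sw.handle_report(*args))
```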

Configuration limitations
Run PIM-SSM on either all switches in the domain or only on the edge routers. If you use a mix of
PIM-SSM and PIM-SM switches in the domain, run PIM-SSM on all the edge routers and run PIM-SM on
all the core routers.

Important
A PIM domain with edge routers running PIM-SM and core routers running PIM-SSM does
not operate properly. If you prefer or require a mixed PIM-SM and PIM-SSM topology, run
PIM-SSM on the edge switches and PIM-SM in the core. Ensure a valid RP configuration exists
for groups that exist outside of the SSM range. If a valid RP configuration exists, the SSM
switches process the joins in SM mode. If no RP exists, the SSM switches drop the reports.

Static source groups cannot conflict with SSM channels. If you configure a static source group or an
SSM channel, the switch performs a consistency check to make sure no conflicts exist. You can map one
group (G) to different sources or multiple groups to a single source for both static source group and an
SSM channel.

PIM passive interfaces


You can configure the PIM interface as active or passive. The default is active. An active interface
transmits and receives PIM control traffic. A passive interface drops all PIM control
traffic, thereby reducing the load on the system. This feature is useful when you use a high number of
PIM interfaces and these interfaces connect to end users, not to other switches.

A PIM passive interface does not transmit, and drops on receipt, messages of the following types:
• hello
• join
• prune
• register
• register-stop
• assert
• candidate-RP-advertisement
• bootstrap

If a PIM passive interface receives these types of messages, it drops them and the switch logs a
message, detailing the type of protocol message and the IP address of the sending device. These log
messages help to identify the device that performs routing on the interface, which is useful if you must
disable a device that does not operate correctly.

Important
A device can send register and register-stop messages to a PIM passive interface, but these
messages cannot be sent out of that interface.

The PIM passive interface maintains information about hosts, through IGMP, that are related to senders
and receivers, but the interface does not maintain information about PIM neighbors. You can configure a
BSR or an RP on a PIM passive interface.

You can also use the PIM passive interface feature as a security measure to prevent routing devices from
becoming attached and participating in the multicast routing of the network.

Important
Before you change the state (active or passive) of a PIM interface, disable PIM on that
interface. This action prevents instability in the PIM operations, especially when neighbors
exist or the interface receives streams. After you disable PIM, the switch loses traffic for
approximately 80 seconds.

Multicast route statistics

Table 120: Mroute statistics product support


| Feature | Product | Release introduced |
|---|---|---|
| Multicast route (mroute) statistics for IPv4 and IPv6 | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.1 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.1 |
| | VSP 8400 Series | VOSS 5.1 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

The multicast route statistics feature provides statistics for multicast streams through the switch. Using
the Command Line Interface (CLI), Simple Network Management Protocol (SNMP) or Enterprise Device
Manager (EDM), you can track the number of senders sending multicast streams to a particular group
address. You can also obtain a count of the packets or bytes being received for a particular multicast
group address and the average size of the frames. Multicast route statistics are supported for both IPv4
and IPv6 group addresses.

Determining the route statistics is especially useful when debugging a multicast network and also when
administering the network.

Multicast route statistics and DvR


When you enable or clear IP multicast route statistics on the Controller node of a DvR domain, the
configuration is automatically pushed to the Leaf nodes within the domain.

For more information on DvR, see Distributed Virtual Routing Fundamentals on page 690.

IP multicast network design


Use multicast routing protocols to efficiently distribute a single data source among multiple users in
the network. This section provides information about how to design networks that support IP multicast
routing.

For more design guidelines, conceptual, and configuration information about IP Multicast over Fabric
Connect, see IP Multicast over Fabric Connect on page 1463.

Multicast scalability design rules


The following section lists the design rules to increase multicast route scaling.

Important
The switch does not support High Availability (HA).
The switch software supports the following:
• Protocol-Independent Multicast (PIM)
• Split MultiLink Trunking (SMLT) and Routed-SMLT (RSMLT)

Multicast scalability design rules

1. Whenever possible, use simple network designs that do not use VLANs that span several switches.
Instead, use routed links to connect switches.
2. Whenever possible, group sources sending to the same group in the same subnet. The switch uses
a single egress forwarding pointer for all sources in the same subnet sending to the same group. Be
aware that these streams have separate hardware forwarding records on the ingress side.
3. Do not configure multicast routing on edge switch interfaces that do not contain multicast senders
or receivers. By following this rule, you:
• Provide secure control over multicast traffic that enters or exits the interface.
• Reduce the load on the switch, as well as the number of routes. This improves overall
performance and scalability.
4. Avoid initializing many (several hundred) multicast streams simultaneously. Initial stream setup is a
resource-intensive task, and initializing a large number can increase the setup time. In some cases,
this delay can result in stream loss.
5. Whenever possible, do not connect IP multicast sources and receivers by using VLANs that
interconnect switches (see the following figure). In some cases, this can result in excessive hardware
record use. By placing the source on the interconnected VLAN, traffic takes two paths to the
destination, depending on the reverse path forwarding (RPF) checks and the shortest path to the
source.

For example, if a receiver is on VLAN 1 on switch S1 and another receiver is on VLAN 2 on switch S1,
traffic can be received from two different paths to the two receivers, which results in the use of two
forwarding records. If the source on switch S2 is on a different VLAN than VLAN 3, traffic takes a
single path to switch S1 where the receivers are located.

Figure 144: IP multicast sources and receivers on interconnected VLANs

IP multicast address range restrictions


IP multicast routers use Class D addresses, which range from 224.0.0.0 to 239.255.255.255. Although
you can use subnet masks to configure IP multicast address ranges, the concept of subnets does not
exist for multicast group addresses. Consequently, the usual unicast conventions—where you reserve
the all 0s subnets, all 1s subnets, all 0s host addresses, and all 1s host addresses—do not apply.

Internet Assigned Numbers Authority (IANA) reserves addresses from 224.0.0.0 through 224.0.0.255
for link-local network applications. Multicast-capable routers do not forward packets with an address
in this range. For example, Open Shortest Path First (OSPF) uses 224.0.0.5 and 224.0.0.6, and Virtual
Router Redundancy Protocol (VRRP) uses 224.0.0.18 to communicate across local broadcast network
segments.

IANA also reserves the range of 224.0.1.0 through 224.0.1.255 for well-known applications. IANA assigns
these addresses to specific network applications. For example, the Network Time Protocol (NTP) uses
224.0.1.1, and Mtrace uses 224.0.1.32. RFC 1700 contains a complete list of these reserved addresses.

Multicast addresses in the 232.0.0.0/8 (232.0.0.0 to 232.255.255.255) range are reserved only for
source-specific multicast (SSM) applications, such as one-to-many applications. While this range is the
publicly reserved range for SSM applications, private networks can use other address ranges for SSM.

Finally, addresses in the range 239.0.0.0/8 (239.0.0.0 to 239.255.255.255) are administratively scoped
addresses; they are reserved for use in private domains. Do not advertise these addresses outside the
private domain. This multicast range is analogous to the 10.0.0.0/8, 172.16.0.0/20, and 192.168.0.0/16
private address ranges in the unicast IP space.

In a private network, only assign multicast addresses from 224.0.2.0 through 238.255.255.255 to
applications that are publicly accessible on the Internet. Assign addresses in the 239.0.0.0/8 range
to multicast applications that are not publicly accessible.

Although you can use a multicast address you choose on your own private network, it is generally
not good design practice to allocate public addresses to private network entities. Do not use public
addresses for unicast host or multicast group addresses on private networks.

Multicast MAC Address Mapping Considerations


Like IP, Ethernet has a range of multicast MAC addresses that natively support Layer 2 multicast
capabilities. While IP has a total of 28 addressing bits available for multicast addresses, Ethernet has
only 23 addressing bits assigned to IP multicast. The Ethernet multicast MAC address space is much
larger than 23 bits, but only a subrange of that larger space is allocated to IP multicast. Because of this
difference, 32 IP multicast addresses map to one Ethernet multicast MAC address.

IP multicast addresses map to Ethernet multicast MAC addresses by placing the low-order 23 bits of
the IP address into the low-order 23 bits of the Ethernet multicast address 01:00:5E:00:00:00. Thus,
more than one multicast address maps to the same Ethernet address (see the following figure). For
example, all 32 addresses in the series 224.1.1.1, 224.129.1.1, 225.1.1.1, 225.129.1.1, and so on through
239.1.1.1 and 239.129.1.1 map to the same 01:00:5E:01:01:01 multicast MAC address.

Figure 145: Multicast IP address to MAC address mapping


Most Ethernet switches handle Ethernet multicast by mapping a multicast MAC address to multiple
switch ports in the MAC address table. Therefore, when you design the group addresses for multicast
applications, take care to efficiently distribute streams only to hosts that are receivers.

The VSP 4450 Series devices switch IP multicast data based on the IP multicast address, not the MAC
address, and thus, do not have this issue.

As an example, consider two active multicast streams using addresses 239.1.1.1 and 239.129.1.1. Suppose
that two Ethernet hosts, receiver A and receiver B, connect to ports on the same switch and only want
the stream addressed to 239.1.1.1. Suppose also that two other Ethernet hosts, receiver C and receiver
D, also connect to the ports on the same switch as receiver A and B, and want to receive the stream
addressed to 239.129.1.1. If the switch uses the Ethernet multicast MAC address to make forwarding
decisions, then all four receivers receive both streams—even though each host only wants one stream.
This transmission increases the load on both the hosts and the switch. To avoid this extra load, ensure
that you manage the IP multicast group addresses used on the network.

The VSP 4450 Series devices do not forward IP multicast packets based on multicast MAC addresses—
even when bridging VLANs at Layer 2. Thus, the platform does not encounter this problem. Instead, the
platform internally maps IP multicast group addresses to the ports that contain group members.

When an IP multicast packet is received, the lookup is based on the IP group address, regardless of
whether the VLAN is bridged or routed. While the problem described in the previous example does
not affect the VSP 4450 Series devices, other switches in the network can be affected. This problem is
particularly true of pure Layer 2 switches.

In a network that includes multiple hardware platforms, the easiest way to ensure that this issue does
not arise is to use only a consecutive range of IP multicast addresses that correspond to the lower-order
23 bits of that range. For example, use an address range from 239.0.0.0 through 239.127.255.255. A
group address range of this size can still easily accommodate the needs of even the largest private
enterprise.
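The mapping described in this section, as an added example (not part of the VOSS guide or of Extreme Networks software): a Python sketch that derives the Ethernet MAC address for a group, lists the 32 groups that alias to it, and audits a group plan for collisions. The group plan is constructed, the function names are illustrative, and the check against link-local 224.0.0.x addresses goes slightly beyond the text by applying the same mapping to the reserved range described earlier.

```python
import ipaddress
from collections import defaultdict

MAC_BASE = 0x01005E000000   # 01:00:5E:00:00:00, the IP multicast MAC block
LOW_23 = 0x7FFFFF           # the only group-address bits copied into the MAC
SAFE_RANGE = ipaddress.ip_network("239.0.0.0/9")       # 239.0.0.0-239.127.255.255
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")      # never forwarded by routers

# Constructed group plan used for the demonstration.
PLAN = ["239.1.1.1", "239.129.1.1", "239.2.2.2", "239.128.0.5"]


def group_to_mac(group):
    """Map an IPv4 group address to its Ethernet multicast MAC address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a Class D address" % group)
    mac = MAC_BASE | (int(addr) & LOW_23)
    return ":".join("%02X" % ((mac >> shift) & 0xFF) for shift in range(40, -8, -8))


def aliases(group):
    """Return all 32 group addresses that share the MAC address of `group`."""
    low = int(ipaddress.IPv4Address(group)) & LOW_23
    # 28 group bits minus 23 mapped bits leaves 5 discarded bits: 2**5 = 32.
    return [str(ipaddress.IPv4Address((0xE << 28) | (hi << 23) | low))
            for hi in range(32)]


def find_collisions(groups):
    """Group the plan by MAC address and keep MACs used by more than one group."""
    by_mac = defaultdict(list)
    for group in groups:
        by_mac[group_to_mac(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


def shadows_link_local(group):
    """Return the 224.0.0.x address that shares this group's MAC, or None."""
    addr = ipaddress.IPv4Address(group)
    low = int(addr) & LOW_23
    if low < 256 and addr not in LINK_LOCAL:
        return str(ipaddress.IPv4Address((224 << 24) | low))
    return None


def audit(groups):
    """Summarise what a MAC-based Layer 2 switch would get wrong for this plan."""
    return {
        "collisions": find_collisions(groups),
        "outside_safe_range": [g for g in groups
                               if ipaddress.IPv4Address(g) not in SAFE_RANGE],
        "link_local_shadows": {g: shadows_link_local(g) for g in groups
                               if shadows_link_local(g)},
    }


if __name__ == "__main__":
    for key, value in audit(PLAN).items():
        print(key, value)
```

Every group that stays inside 239.0.0.0 through 239.127.255.255 has a unique MAC address within that range, which is why the audit treats anything outside it as a finding.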

Dynamic multicast configuration changes


You must not perform dynamic multicast configuration changes when multicast streams flow in a
network. For example, do not change the routing protocol that runs on an interface, or the IP address,
or the subnet mask for an interface until multicast traffic ceases.

For such changes, ensure that you temporarily stop all multicast traffic. If the changes are necessary
and you have no control over the applications that send multicast data, you can disable the multicast
routing protocols before you perform the change. For example, consider disabling multicast routing
before making interface address changes. In all cases, these changes result in traffic interruptions
because they affect neighbor-state machines and stream-state machines.

In addition, when removing port members of an MLT group you must first disable the ports. Changing
the group set without first shutting the ports down can result in high-CPU utilization and processing in a
scaled multicast environment due to the necessary hardware reprogramming on the multicast records.

IGMPv3 backward compatibility


IGMPv3 for PIM is backward compatible with IGMPv1/v2. According to RFC 3376, the multicast router
with IGMPv3 can use one of two methods to handle older query messages:
• If an older version of IGMP is present on the router, the querier must use the lowest version of IGMP
present on the network.
• If a router that is not explicitly configured to use IGMPv1 or IGMPv2 detects an IGMPv1 query or
IGMPv2 general query, it logs a rate-limited warning.

You can configure the IGMP version of an interface to version 3 regardless of the PIM or snooping mode.

You can configure whether the switch downgrades the version of IGMP to handle older query messages.
If the switch downgrades, a host with IGMPv3-only capability does not work. If you do not configure
the switch to downgrade the version of IGMP, the switch logs a warning.

Note
If you enable the explicit host tracking option on an IGMPv3 interface, you cannot downgrade
to IGMPv1 or IGMPv2. You must disable explicit host tracking to downgrade the IGMP version.

TTL in IP multicast packets


The switch treats multicast data packets with a time-to-live (TTL) of 1 as expired packets and sends
them to the CPU before dropping them. To avoid this issue, ensure that the originating application
uses a hop count large enough to enable the multicast stream to traverse the network and reach all
destinations without reaching a TTL of 1. Ensure that you use a TTL value of 33 or 34 to minimize the
effect of looping in an unstable network.

Multicast MAC filtering


Certain network applications require multiple hosts to share a multicast MAC address. Instead of
flooding all ports in the VLAN with this multicast traffic, you can use Multicast MAC filtering to forward
traffic to a configured subset of the ports in the VLAN. This multicast MAC address is not an IP multicast
MAC address.

At a minimum, map the multicast MAC address to a set of ports within the VLAN. In addition, if traffic
is routed on the local host, you must configure an Address Resolution Protocol (ARP) entry to map
the shared unicast IP address to the shared multicast MAC address. You must configure an ARP entry
because the hosts can also share a virtual IP address, and packets addressed to the virtual IP address
need to reach each host.

Ensure that you limit the number of such configured multicast MAC addresses to a maximum of 100.
This number is related to the maximum number of possible VLANs you can configure, because for every
multicast MAC filter that you configure the maximum number of configurable VLANs reduces by one.
Similarly, configuring large numbers of VLANs reduces the maximum number of configurable multicast
MAC filters downward from 100.

Although you can configure addresses starting with 01.00.5E, which are reserved for IP multicast
address mapping, do not enable IP multicast with streams that match the configured addresses. This
configuration can result in incorrect IP multicast forwarding and incorrect multicast MAC filtering.

Guidelines for multicast access policies


Use the following guidelines when you configure multicast access policies:
• Use masks to specify a range of hosts. For example, 10.177.10.8 with a mask of 255.255.255.248
matches host addresses 10.177.10.8 through 10.177.10.15. The bitwise AND of the host subnet address
and the host mask must be equal to the host subnet address. An easy way to determine this is to ensure
that the mask has an equal or fewer number of trailing zeros than the host subnet address. For example,
3.3.0.0/255.255.0.0 and 3.3.0.0/255.255.255.0 are valid. However, 3.3.0.0/255.0.0.0 is not.
• Apply receive-access policies to all eligible receivers on a segment. Otherwise, one host joining a
group makes that multicast stream available to all.
• Receive access policies are initiated after the switch receives reports with addresses that match the
filter criteria.
• Transmit access policies apply after the switch receives the first packet of a multicast stream.

Multicast access policies can apply to a routed PIM interface if Internet Group Management Protocol
(IGMP) reports the reception of multicast traffic.

The following rules and limitations apply to IGMP access policy parameters when you use them with
IGMP instead of PIM:
• The static member parameter applies to IGMP snooping and PIM on both interconnected links and
edge ports.
• The Static Not Allowed to Join parameter applies to IGMP snooping and PIM on both interconnected
links and edge ports.
• For multicast access control, the denyRx parameter applies to IGMP snooping and PIM. The DenyTx
and DenyBoth parameters apply only to IGMP snooping.

Split-subnet and multicast


The split-subnet issue arises when you divide a subnet into two unconnected sections in a network. This
division results in the production of erroneous routing information about how to reach the hosts on that
subnet. The split-subnet problem applies to all types of traffic, but it has a larger impact on a PIM-SM
network.

To avoid the split-subnet problem in PIM networks, ensure that the RP router is not in a subnet that can
become a split subnet. Also, avoid having receivers on this subnet. Because the RP is an entity that must
be reached by all PIM-enabled switches with receivers in a network, placing the RP on a split-subnet can
impact the whole multicast traffic flow. Traffic can be affected even for receivers and senders that are
not part of the split-subnet.

Protocol Independent Multicast-Sparse Mode guidelines


Protocol Independent Multicast-Sparse Mode (PIM-SM) uses an underlying unicast routing information
base to perform multicast routing. PIM-SM builds unidirectional shared trees rooted at an RP router for
each group and can also create shortest-path trees for each source.

PIM-SM and PIM-SSM Scalability

For more information on interface scaling, see the VOSS Release Notes.

The software does not support virtualized PIM. PIM is supported in the Global Routing Table only.

Interfaces that run PIM must also use a unicast routing protocol (PIM uses the unicast routing table),
which puts stringent requirements on the system. With a high number of interfaces, take special care to
reduce the load on the system.

Use few active IP routed interfaces. You can use IP forwarding without a routing protocol enabled on
the interfaces, and enable only one or two with a routing protocol. You can configure proper routing by
using IP routing policies to announce and accept routes on the switch. Use PIM passive interfaces on the
majority of interfaces.

Important
For information on the maximum values for total PIM interfaces and active interfaces, see the
VOSS Release Notes. If you configure the maximum number of active interfaces, all remaining
interfaces must be passive.

When you use PIM-SM, the number of routes can scale up to the unicast route limit because PIM uses
the unicast routing table to make forwarding decisions. For higher route scaling, use OSPF instead of
Routing Information Protocol (RIP).

As a general rule, a well-designed network does not have many routes in the routing table. For PIM
to work properly, ensure that all subnets configured with PIM are reachable and that PIM uses the
information in the unicast routing table. For the RPF check, to correctly reach the source of any
multicast traffic, PIM requires the unicast routing table.

PIM General Requirements

Design simple PIM networks where VLANs do not span several switches.

PIM relies on unicast routing protocols to perform its multicast forwarding. As a result, include in your
PIM network design a unicast design in which the unicast routing table has a route to every source and
receiver of multicast traffic, as well as a route to the RP router and Bootstrap router (BSR) in the
network. Ensure that the path between a sender and receiver contains PIM-enabled interfaces. Receiver
subnets are not always required in the routing table.

Use the following guidelines:


• Ensure that every PIM-SM domain is configured with an RP, either by static definition or via BSR.
• Ensure that every group address used in multicast applications has an RP in the network.
• As a redundancy option, you can configure several RPs for the same group in a PIM domain.
• As a load sharing option, you can have several RPs in a PIM-SM domain map to different groups.
• In order to configure an RP to cover the entire multicast range, configure an RP to use the IP address
of 224.0.0.0 and the mask of 240.0.0.0.
• Configure an RP to handle a range of multicast groups by using the mask parameter. For example,
an entry for group value of 224.1.1.0 with a mask of 255.255.255.192 covers groups 224.1.1.0 to
224.1.1.63.
• In a PIM domain with both static and dynamic RP switches, you cannot configure one of the (local)
interfaces for the static RP switches as the RP. For example, in the following scenario:

(static RP switch) Sw1 ------ Sw2 (BSR/Cand-RP1) -----Sw3

You cannot configure one of the interfaces on switch Sw1 as static RP because the BSR cannot
learn this information and propagate it to Sw2 and Sw3. PIM requires that you consistently configure
RP on all the routers of the PIM domain, so you can only add the remote interface Candidate-RP1
(Cand-RP) to the static RP table on Sw1.
• If a switch needs to learn an RP-set, and has a unicast route to reach the BSR through this switch,
you cannot enable or configure static RP on a switch in a mixed mode of candidate RP and static RP
switches. For examples, see the following two figures.
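The address-and-mask arithmetic behind the RP group ranges in the list above, and behind the host ranges in the multicast access policy guidelines earlier in this chapter, as an added Python example (not part of the VOSS guide or of the switch software). The entries are the ones quoted in the text plus one constructed invalid entry, and the function names are illustrative.

```python
import ipaddress

# Address/mask pairs quoted in the text, plus one constructed invalid entry.
ENTRIES = [
    ("10.177.10.8", "255.255.255.248"),   # access policy host range
    ("3.3.0.0", "255.255.0.0"),
    ("3.3.0.0", "255.255.255.0"),
    ("3.3.0.0", "255.0.0.0"),             # stated as not valid
    ("224.1.1.0", "255.255.255.192"),     # RP group range
    ("224.0.0.0", "240.0.0.0"),           # RP for the entire multicast range
    ("10.177.10.9", "255.255.255.248"),   # constructed: host bits set
]


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_str(value):
    return str(ipaddress.IPv4Address(value))


def trailing_zeros(value):
    """Zero bits below the lowest set bit (32 for an all-zero value)."""
    return 32 if value == 0 else (value & -value).bit_length() - 1


def entry_range(address, mask):
    """Return (first, last) address matched by the entry, or raise ValueError."""
    a, m = to_int(address), to_int(mask)
    wildcard = ~m & 0xFFFFFFFF
    if wildcard & (wildcard + 1):
        raise ValueError("mask %s is not a run of ones followed by zeros" % mask)
    if a & m != a:
        raise ValueError("%s has bits set outside mask %s" % (address, mask))
    return to_str(a), to_str(a | wildcard)


def shortcut_valid(address, mask):
    """The trailing-zeros shortcut from the text, for contiguous masks."""
    return trailing_zeros(to_int(mask)) <= trailing_zeros(to_int(address))


def covers(address, mask, candidate):
    """True when `candidate` falls inside the range defined by the entry."""
    first, last = entry_range(address, mask)
    return to_int(first) <= to_int(candidate) <= to_int(last)


def lint(entries):
    """Check every entry and report either its range or the reason it fails."""
    report = []
    for address, mask in entries:
        try:
            report.append((address, mask, "ok", entry_range(address, mask)))
        except ValueError as exc:
            report.append((address, mask, "invalid", str(exc)))
    return report


if __name__ == "__main__":
    for row in lint(ENTRIES):
        print(row)
```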

PIM and Shared Tree to Shortest Path Tree Switchover

When an IGMP receiver joins a multicast group, PIM on the leaf router first joins the shared tree. After
the first packet is received on the shared tree, the router uses the source address information in the
packet to immediately switch over to the shortest path tree (SPT). If you enable PIM Infinite Threshold
Policy for IPv4 and IPv6, multicast traffic follows the shared tree path through a Rendezvous Point (RP)
instead of switching immediately over to the SPT.

Note
PIM Infinite Threshold Policy for IPv4 and IPv6 is not supported on VSP 8600 Series or
XA1400 Series.

PIM Traffic Delay and SMLT Peer Reboot

PIM uses a designated router (DR) to forward data to receivers on the DR VLAN. The DR is the router
with the highest IP address on a LAN. If this router is down, the router with the next highest IP address
becomes the DR. However, if the VLAN is an SMLT VLAN, the DR is not a factor in determining which
switch forwards the data down to the receiver. Either aggregate switch can forward data to the receiver,
because the switches act as one. The switch that forwards depends on where the source is located (on
another SMLT/vIST link or on a non-SMLT/non-vIST link) and whether either side of the receiver SMLT
link is up or down. If the forwarder switch is rebooted, traffic loss occurs until protocol convergence is
completed.

Consider the following cases:


• If the source is on an SMLT link that is not the receiver SMLT, the switch that directly received the
data on its side of the source SMLT link forwards it down to the receiver on the receiver SMLT
regardless of which switch is the DR for the receiver VLAN. The forwarding switch sends a copy
of the data over the vIST link to the peer switch, which drops the data because it knows that the
remote SMLT is up and therefore the remote peer has already forwarded the data. If the forwarding
switch goes down, the other switch receives the data directly over its source SMLT link and takes
over forwarding to the receivers. After the original switch comes back up, the original switch again
receives the data directly over its source SMLT. The original switch may not be ready to forward the
data because of the protocol reconvergence, so the original switch loses traffic until reconvergence
is complete.
• If the source is not learned on another SMLT link or the vIST link, each aggregate switch has a
route to the source that is not on an SMLT or across the vIST. The switches must choose
which one forwards the data down the receiver SMLT link, that is, which one is the designated forwarder,
so that duplicate data does not occur. The switch with the highest IP address is the designated forwarder. If the
designated forwarder becomes disabled, the other takes over. When it is reenabled, the other switch
sees that it is no longer the highest IP address and it sees that the remote SMLT link comes up. The
other switch then assumes that the vIST peer is capable of being the designated forwarder and it
stops forwarding down to the receivers. If the original switch is not ready to forward the data due to
reconvergence, traffic loss occurs.

In either case, configuring a static RP helps the situation. To avoid this traffic delay, a workaround is
to configure a static RP on the peer SMLT switches. This configuration avoids the process of selecting
an active RP router from the list of candidate RPs, and also of dynamically learning about RPs through
the BSR mechanism. Then, when the DR comes back, traffic resumes as soon as OSPF converges. This
workaround reduces the traffic delay.

Circuitless IP for PIM-SM

Use CLIP to configure a resilient RP and BSR for a PIM network. When you configure an RP or BSR on a
regular interface, if it becomes nonoperational, the RP and BSR also become nonoperational. This status
results in the election of other redundant RPs and BSRs, and can disrupt IP multicast traffic flow in the
network. As a best practice for multicast networks design, always configure the RP and BSR on a CLIP
interface to prevent a single interface failure from causing these entities to fail.

Also, configure redundant RPs and BSRs on different switches such that these entities are on CLIP
interfaces. For the successful setup of multicast streams, ensure that a unicast route exists to all CLIP
interfaces from all locations in the network. A unicast route is mandatory because, for proper RP
learning and stream setup on the shared RP tree, every switch in the network needs to reach the RP and
BSR. You can use PIM-SM CLIP interfaces only for RP and BSR configurations; they are not intended for
other purposes.

Do not configure non-SMLT IGMP leaf ports on a router to be one of the redundant RP CLIP devices. It is
possible that these IGMP hosts can become isolated from the multicast data stream(s).

If you configure dual-redundant RPs (vIST peers with the same CLIP interface IP address used for the
RP), the topology in the following figure does not work in link-failure scenarios. Use caution if you
design a network with this topology where the vIST peers are PIM enabled, and the source and receiver
edges are Layer 2.

Consider an example where one of the peers, vIST-A, is the PIM DR for the source VLAN, and the source
data is hashed to vIST-A from the Layer 2 source edge. vIST-A forwards traffic to the receiver edge
using the SMLT link from vIST-A to the receiver edge. If the SMLT link fails, vIST-A does not forward
traffic over the vIST link to vIST-B, and the receiver edge does not receive the data.

In this topology, the receiver edge sends an IGMP membership report for a group, which is recorded on
both vIST peers as an IGMP LEAF on the receiver SMLT port on the receiver VLAN.

Because both of the vIST peers are the RP for the group, they do not send a (*,g) PIM JOIN message
toward the other RP. The (*,g) PIM mroute does not record the vIST port as a JOIN port on either vIST
device. The PIM (*,g) mroute records only a LEAF on the SMLT receiver port.

Because the source is local (Layer 2 edge), there is no PIM (s,g) JOIN message toward the source and
the (s,g) PIM mroute does not record the vIST port as a JOIN port on either vIST device. The PIM (s,g)
mroute records only a LEAF on the SMLT receiver port.

If the source is hashed to vIST-A, the PIM DR for the incoming VLAN, traffic is forwarded to the receiver
correctly. vIST-A does not forward traffic over the vIST to vIST-B, because no JOIN exists on the vIST
port. If the receiver SMLT link from the vIST-A peer is down, the traffic is not forwarded to vIST-B, and is
not received by the receiver edge. Traffic resumes after the link is restored. If the source data hashes to
the non-DR peer, vIST-B, no problem occurs because the non-DR always forwards traffic to the DR.

A similar situation exists in this topology when vIST-A is both the RP and the DR for the Layer 2 receiver
edge. The vIST port is not in the outgoing port list because there is no JOIN message from the peer
toward the source (which is not PIM enabled). Therefore, if the SMLT link from vIST-A to the receiver
edge is down, the system does not forward traffic to the peer vIST-B and down to the receiver.

You can avoid the preceding problems with this topology by performing one of the following actions:
• Enable PIM on the source edge.

The vIST peers send PIM joins toward the source and the JOIN is recorded on the vIST port for the
(s,g). Data is forwarded to the peer.
• Do not configure dual redundant RPs.

One vIST peer is the RP for a group.


• Do not configure one vIST peer as both the DR for the source VLAN and the RP for the receiver
group.

The system forwards the traffic to the RP or to the DR, depending on which peer receives the source,
and if the SMLT link to the receiver goes down, no data loss occurs.

PIM-SM and Static RP

Use static RP to provide security, interoperability, and redundancy for PIM-SM multicast networks.
Consider if the administrative ease derived from using dynamic RP assignment is worth the security
risks involved. For example, if an unauthorized user connects a PIM-SM router that advertises itself as a
candidate RP (C-RP), it can possibly take over new multicast streams that otherwise distribute through
an authorized RP. If security is important, use static RP assignment.

You can use the static RP feature in a PIM environment with devices that run legacy PIM-SMv1 and
Cisco Auto-RP. For faster convergence, you can also use static RP in a PIM-SMv2 environment. If you
configure static RP with PIM-SMv2, the BSR is not active.

Static RP and Auto-RP

Some legacy PIM-SMv1 networks use the auto-RP protocol. Auto-RP is a Cisco proprietary protocol that
provides equivalent functionality to the legacy platform supported PIM-SM RP and BSR. You can use
the static RP feature to interoperate in this environment. For example, in a mixed-vendor network, you
can use auto-RP among routers that support the protocol, while other routers use static RP. In such a
network, ensure that the static RP configuration mimics the information that is dynamically distributed
to guarantee that multicast traffic is delivered to all parts of the network.

In a mixed auto-RP and static RP network, ensure that the legacy platform does not serve as an RP
because it does not support the auto-RP protocol. In this type of network, the RP must support the
auto-RP protocol.

Static RP and RP Redundancy

You can provide RP redundancy through static RPs. To ensure consistency of RP selection, implement
the same static RP configuration on all PIM-SM routers in the network. In a mixed vendor network,
ensure that the same RP selection criteria are used among all routers. For example, to select the active
RP for each group address, the switch uses a hash algorithm defined in the PIM-SMv2 standard. If a
router from another vendor selects the active RP based on the lowest IP address, then the inconsistency
prevents stream delivery to certain routers in the network.

If a group address-to-RP discrepancy occurs among PIM-SM routers, network outages occur. Routers
that are unaware of the true RP cannot join the shared tree and cannot receive the multicast stream.

Failure detection of the active RP is determined by the unicast routing table. As long as the RP is
considered reachable from a unicast routing perspective, the local router assumes that the RP is fully
functional and attempts to join the shared tree of that RP.

The following figure shows a hierarchical OSPF network where a receiver is in a totally stubby area. If RP
B fails, PIM-SM router A does not switch over to RP C because the injected default route in the unicast
routing table indicates that RP B is still reachable.

Because failover is determined by unicast routing behavior, carefully consider the unicast routing
design, as well as the IP address you select for the RP. Static RP failover performance depends on the
convergence time of the unicast routing protocol. For quick convergence, ensure that you use a link
state protocol, such as OSPF. For example, if you use RIP as the routing protocol, an RP failure can take
minutes to detect. Depending on the application, this situation can be unacceptable.

Static RP failover time does not affect routers that have already switched over to the SPT; failover time
affects only newly joining routers.

Unsupported Static RP Configurations

If you use static RP, you disable dynamic RP learning. The following figure shows an unsupported
configuration for static RP. In this example, because of interoperation between static RP and dynamic
RP, no RP exists at switch 2. However, (S,G) creation and deletion occurs every 210 seconds at switch 16.

Switches 10, 15, and 16 use static RP, whereas switch 2 uses dynamic RP. The source is at switch 10, and
the receivers are switches 15 and 16. The RP is at switch 15 locally. The receiver on switch 16 cannot
receive packets because its SPT goes through switch 2.

Switch 2 is in a dynamic RP domain, so it cannot learn about the RP on switch 15. However, (S, G)
records are created and deleted on switch 16 every 210 seconds.

Rendezvous Point Router Considerations

You can place an RP on a switch when VLANs extend over several switches. However, when you use
PIM-SM, ensure that you do not span VLANs on more than two switches.

Use static group-range-to-RP mappings in an SMLT topology as opposed to RP set learning using the
Bootstrap Router (BSR) mechanism. Static RP allows for faster convergence in box failure, reset and HA
failover scenarios, whereas there are inherent delays in the BSR mechanism as follows:
• When a router comes back up after a failover or reset, to accept and propagate (*,g) join requests
from surrounding routers (either PIM join messages or local IGMP membership reports) to the RP, a
PIM router must determine the address of the RP for each group for which it desires (*,g) state.
The PIM router must know the unicast route to the RP address. The route to the RP address is
learned by using a unicast routing protocol such as OSPF, and the RP address is either statically
configured or dynamically learned using the BSR mechanism.
• When a box comes up after a reset, if the RP is not statically configured, it must wait for the BSR
to select the RP from candidate RP routers, and then propagate the RP set hop-by-hop to all PIM
routers. This must be done before a join message can be processed. If the PIM router receives
a join message before it learns the RP set, it drops the join message, and the router waits for
another join or prune message to arrive before it creates the multicast route and propagates the
join message to the RP. The default Join/Prune timer is 60 seconds, and because of this and the
delays inherent in BSR RP-set learning, significant multicast traffic interruptions can occur. If the RP
is statically configured, the only delay is in the unicast routing table convergence and the arrival of
the Join/Prune messages from surrounding boxes.

Layer 3 Multicast Extended VLANs

Avoid using a Layer 3 multicast extended VLAN topology without SMLT.

Do not connect non-SMLT PIM routers in a linear fashion on the same VLAN. This topology is called an
extended VLAN. Unlike a shared VLAN topology where all routers on the same VLAN are physically one
hop away from each other, a VLAN router at one end of the extended VLAN has one or more routers in
between it and the router at the far end of the extended VLAN. The following figure shows an extended
VLAN.

In the preceding figure, all routers use PIM-SSM. The source connects to Router A on VLAN 10. All
routers and receiver hosts connect on the same extended VLAN, VLAN 20. All routers have a receiver in
VLAN 20. Router D is the PIM DR for VLAN 20 and the source host is not on VLAN 20. PIM-SSM does
not require a Rendezvous Point (RP).

In this topology, each router receives an IGMP membership report from its local receiver host, and then
sends a PIM SG join message towards the source on VLAN 20. VLAN flooding propagates the PIM SG
join message through to Router A, the PIM DR for the source VLAN 10. Each router from Router D to
Router A records a PIM join on the port on which the join message was received, and then sends out its
own join message toward the source. Data then flows from the source to the receiver, as long as a join
exists on those ports.

Because all routers are in the same VLAN 20, they receive joins from one another due to flooding in
the VLAN. For example, Router D receives join messages from Router C on its port ‘b’, and Router C
receives join messages from Router B on its port toward Router B. In accordance with the PIM protocol
rules, suppression causes Router D to stop sending a join towards the source because it receives a join
for the same group and same RP on the port (port b) of the upstream neighbor (the router towards the
source). Router D does not need to send a redundant join on the same VLAN. Router D stops sending
a join, and the join that is recorded on port c of Router C eventually times out and is removed from
the egress list of the (s,g) multicast route entry on Router C. This removal causes Router C to stop
forwarding multicast traffic to Router D, and to the receiver (R1).

The purpose of join suppression is to suppress joins on a shared VLAN, such that if all routers on the
shared VLAN want to receive data from the same RP and group, then only one of them needs to send
the join on the VLAN. One join is enough to pull the data from the source router to the shared VLAN
for all routers to receive. The other routers can suppress sending their own joins when they see such a
join on the port toward the upstream router. In this way, less protocol message congestion exists in the
shared VLAN. In the following figure, Router D sends the initial join message, which is seen by Router B
and Router C. Router B and Router C suppress their own join messages. Router A (the PIM DR for the
source VLAN 10) sends the data to VLAN 20, which is received by Routers B, C, and D due to the shared
(non-extended) VLAN topology, and traffic is forwarded to all receiver hosts.

The extended VLAN topology looks exactly like the non-extended shared VLAN topology to the router,
which cannot distinguish between the two.

In the current release, you cannot disable join suppression on a router. This enhancement will be added
in a future release. Until this enhancement is included, you can perform the following actions:
1. Avoid this type of extended VLAN topology, and instead use Layer 3 routing between the routers.
Do not extend VLAN 20 throughout, but rather, create a different VLAN between each router.
2. Configure the PIM DR for VLAN 20 to be the router closer to the source (Router B) so that any
join received on the VLAN 20 DR (Router B) will be recorded as an IGMP local leaf on VLAN 20
as opposed to a PIM join, which does not time out until the receiver host stops sending IGMP
membership reports.

PIM-SM Design and the BSR Hash Algorithm

To optimize the flow of traffic down the shared trees in a network that uses a BSR to dynamically
advertise candidate RPs, consider the hash function. The BSR uses the hash function to assign multicast
group addresses to each C-RP.

The BSR distributes the hash mask used to compute the RP assignment. For example, if two RPs are
candidates for the range 239.0.0.0 through 239.0.0.127, and the hash mask is 255.255.255.252, that
range of addresses is divided into groups of four consecutive addresses and assigned to one or the
other C-RP.

The following figure illustrates a suboptimal design where Router A sends traffic to a group address
assigned to RP D. Router B sends traffic assigned to RP C. RP C and RP D serve as backups for each
other for those group addresses. To distribute traffic, it is desirable that traffic from Router A use RP C
and that traffic from Router B use RP D.

While still providing redundancy in the case of an RP failure, you can ensure that the optimal shared tree
is used by using the following methods.
1. Use the hash algorithm to proactively plan the group-address-to-RP assignment.

Use this information to select the multicast group address for each multicast sender on the network
and to ensure optimal traffic flows. This method is helpful for modeling more complex redundancy
and failure scenarios, where each group address has three or more C-RPs.

2. Allow the hash algorithm to assign the blocks of addresses on the network, and then view the results
using the command show ip pim active-rp.

Use the command output to assign multicast group addresses to senders that are located near the
indicated RP. The limitation to this approach is that while you can easily determine the current RP
for a group address, the backup RP is not shown. If more than one backup for a group address
exists, the secondary RP is not obvious. In this case, use the hash algorithm to reveal which of the
remaining C-RPs take over for a particular group address in the event of primary RP failure.

The hash algorithm works as follows:

1. For each C-RP router with matching group address ranges, a hash value is calculated according to
the formula:

Hash value [G, M, C(i)] = {1103515245 * [(1103515245 * (G & M) + 12345) XOR C(i)] + 12345} mod 2^31

The hash value is a function of the group address (G), the hash mask (M), and the IP address of the
C-RP C(i). The expression (G&M) guarantees that blocks of group addresses hash to the same value
for each C-RP, and that the size of the block is determined by the hash mask.

For example, if the hash mask is 255.255.255.248, the group addresses 239.0.0.0 through 239.0.0.7
yield the same hash value for a given C-RP. Thus, the block of eight addresses is assigned to the
same RP.
2. The C-RP with the highest resulting hash value is chosen as the RP for the group. In the event of a
tie, the C-RP with the highest IP address is chosen.

This algorithm runs independently on all PIM-SM routers so that every router has a consistent view
of the group-to-RP mappings.

Candidate RP Considerations

The C-RP priority parameter determines an active RP for a group. The hash values for different RPs are
only compared for RPs with the highest priority. Among the RPs with the highest priority value and the
same hash value, the C-RP with the highest RP IP address is chosen as the active RP.

You cannot configure the C-RP priority. Each RP has a default C-RP priority value of 0, and the
algorithm uses the RP if the group address maps to the grp-prefix that you configure for that RP. If a
different router in the network has a C-RP priority value greater than 0, the switch uses this part of the
algorithm in the RP election process.

Currently, you cannot configure the hash mask used in the hash algorithm. Unless you configure
a different PIM BSR in the network with a nondefault hash mask value, the default hash mask of
255.255.255.252 is used. Static RP configurations do not use the BSR hash mask; they use the default
hash mask.

For example:

RP1 = 128.10.0.54 and RP2 = 128.10.0.56. The group prefix for both RPs is 238.0.0.0/255.0.0.0. Hash
mask = 255.255.255.252.

The hash function assigns the groups to RPs in the following manner:

The group range 238.1.1.40 to 238.1.1.51 (12 consecutive groups) maps to 128.10.0.56. The group range
238.1.1.52 to 238.1.1.55 (4 consecutive groups) maps to 128.10.0.54. The group range 238.1.1.56 to
238.1.1.63 (8 consecutive groups) maps to 128.10.0.56.
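
The election described above, applied to the RP1/RP2 example, as an added illustration (not code from VOSS or Extreme Networks). Function names are hypothetical, and all C-RPs are assumed to share the same priority and a group prefix that covers the group. The ranking also shows which C-RP takes over if the active RP fails, which the show ip pim active-rp output does not reveal.

```python
"""PIM-SMv2 group-to-RP hash: plan which C-RP serves, and backs up, each group."""
import ipaddress

MOD = 2 ** 31
DEFAULT_HASH_MASK = "255.255.255.252"   # default hash mask stated in this guide


def ip_to_int(addr):
    """Dotted-quad IPv4 address -> unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def hash_value(group, mask, crp):
    """Hash value [G, M, C(i)] from the formula in this section."""
    g_and_m = ip_to_int(group) & ip_to_int(mask)
    inner = (1103515245 * g_and_m + 12345) ^ ip_to_int(crp)
    return (1103515245 * inner + 12345) % MOD


def rank_crps(group, crps, mask=DEFAULT_HASH_MASK):
    """Order C-RPs for one group: index 0 is the active RP, index 1 the first backup.

    Assumption: every C-RP in `crps` has the same priority and a group prefix
    that covers `group`. Highest hash wins; a tie goes to the highest IP address.
    """
    if not ipaddress.IPv4Address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    if not crps:
        raise ValueError("no candidate RPs supplied")
    return sorted(crps,
                  key=lambda c: (hash_value(group, mask, c), ip_to_int(c)),
                  reverse=True)


def map_range(first, last, crps, mask=DEFAULT_HASH_MASK):
    """Collapse a group range into (first_group, last_group, active_rp) runs."""
    runs = []
    for g in range(ip_to_int(first), ip_to_int(last) + 1):
        group = str(ipaddress.IPv4Address(g))
        rp = rank_crps(group, crps, mask)[0]
        if runs and runs[-1][2] == rp:
            runs[-1] = (runs[-1][0], group, rp)   # extend the current run
        else:
            runs.append((group, group, rp))       # active RP changed: new run
    return runs


if __name__ == "__main__":
    crps = ["128.10.0.54", "128.10.0.56"]         # RP1 and RP2 from the example above
    for start, end, rp in map_range("238.1.1.40", "238.1.1.63", crps):
        print(f"{start} - {end} -> {rp}")
    # Backup planning: the second entry takes over if the first one fails.
    print("238.1.1.52 order of preference:", rank_crps("238.1.1.52", crps))
```

With three or more C-RPs, pass all of them to rank_crps to see the full failover order for a group.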

PIM-SM RP Selection Algorithm Inconsistency Between Platforms

In topologies where this switch interoperates with ERS or VSP 9000 Series platforms, the selection of
the RP from multiple candidate RPs can produce different results on this switch than it does on ERS or
VSP 9000 Series. This switch conforms to PIM RFC 4601, while ERS and VSP 9000 Series platforms
conform to RFC 2362.

RFC 4601 is not backward compatible with RFC 2362 in how it defines the selection algorithm
for an RP, specifically when there are several candidate RPs for the same group, but with different prefix
lengths. Both RFCs base the RP selection mechanism on a specific hash function that is common to all
routers in the PIM domain; however, they differ in how they determine the pool of candidate RPs to which
the hash function is applied. In RFC 4601, only the RP of the group range with the longest prefix
match for the group range is passed to the hash function and thus participates in the actual
election. In RFC 2362, longest prefix match is not part of the selection criteria, and therefore ERS and
VSP 9000 Series could potentially choose a different RP, because they apply the hash function on a
different pool of candidate RPs. This would cause inconsistencies in the PIM-SM network.

To work around this issue, define RP group ranges with the same prefix length, such that the next
RFC-defined match rule applies equally across all platforms in the network.
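
To check a planned RP-set for the mismatch described above, the following added example (not VOSS code) elects the RP for each group with and without the longest-prefix-match step and reports the groups where the two results differ. Function names are hypothetical, all C-RPs are assumed to have equal priority, and the RP-sets are constructed: they reuse the two RP addresses from the earlier example with different and with identical prefix lengths.

```python
"""Compare RP election with and without longest-prefix match on the group range."""
import ipaddress

HASH_MASK = int(ipaddress.IPv4Address("255.255.255.252"))   # default mask per this guide


def pim_hash(group, crp):
    """Hash value [G, M, C(i)] as given in this guide."""
    g = int(ipaddress.IPv4Address(group)) & HASH_MASK
    c = int(ipaddress.IPv4Address(crp))
    return (1103515245 * ((1103515245 * g + 12345) ^ c) + 12345) % 2 ** 31


def candidate_pool(group, rp_set, longest_match):
    """C-RPs whose configured group range covers `group`.

    longest_match=True  -> RFC 4601 behaviour as described above: only the
                           C-RPs of the most specific covering range remain.
    longest_match=False -> RFC 2362 behaviour: every covering C-RP remains.
    """
    addr = ipaddress.IPv4Address(group)
    covering = [(ipaddress.IPv4Network(prefix), rp) for prefix, rp in rp_set
                if addr in ipaddress.IPv4Network(prefix)]
    if longest_match and covering:
        best = max(net.prefixlen for net, _ in covering)
        covering = [(net, rp) for net, rp in covering if net.prefixlen == best]
    return [rp for _, rp in covering]


def elect_rp(group, rp_set, longest_match):
    """Active RP for `group`, or None when no configured range covers it."""
    pool = candidate_pool(group, rp_set, longest_match)
    if not pool:
        return None
    # Highest hash wins; a tie goes to the highest IP address.
    return max(pool, key=lambda rp: (pim_hash(group, rp),
                                     int(ipaddress.IPv4Address(rp))))


def find_disagreements(groups, rp_set):
    """(group, rfc4601_rp, rfc2362_rp) for every group where the rules differ."""
    out = []
    for group in groups:
        rfc4601 = elect_rp(group, rp_set, longest_match=True)
        rfc2362 = elect_rp(group, rp_set, longest_match=False)
        if rfc4601 != rfc2362:
            out.append((group, rfc4601, rfc2362))
    return out


# Constructed RP-sets: (group range, C-RP address)
MIXED_PREFIXES = [("238.0.0.0/8", "128.10.0.54"), ("238.1.1.0/24", "128.10.0.56")]
SAME_PREFIXES = [("238.0.0.0/8", "128.10.0.54"), ("238.0.0.0/8", "128.10.0.56")]
GROUPS = [f"238.1.1.{n}" for n in range(40, 64)]

if __name__ == "__main__":
    for group, rfc4601, rfc2362 in find_disagreements(GROUPS, MIXED_PREFIXES):
        print(f"{group}: RFC 4601 -> {rfc4601}, RFC 2362 -> {rfc2362}")
    print("same prefix length:", find_disagreements(GROUPS, SAME_PREFIXES))
```

With mixed prefix lengths, the groups 238.1.1.52 through 238.1.1.55 resolve to different RPs under the two rules; with equal prefix lengths the list of disagreements is empty, which is the workaround stated above.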

PIM-SM Receivers and VLANs

Some designs cause unnecessary traffic flow on links in a PIM-SM domain. In these cases, traffic is not
duplicated to the receivers, but wastes bandwidth.

The following figure shows such a situation. Switch B is the DR between switches A and B. Switch C is
the RP. A receiver R is on the VLAN (V1) that connects switches A and B. A source sends multicast data
to the receiver.

The IGMP reports that the receiver sends are forwarded to the DR, and both A and B
create (*,G) records. Switch A receives duplicate data through the path from C to A, and through the
second path from C to B to A. Switch A discards the data on the second path (assuming the upstream
source is A to C).

To avoid this waste of resources, do not place receivers on V1. This configuration guarantees that no
traffic flows between B and A for receivers attached to A. In this case, the existence of the receivers is
only learned through PIM join messages to the RP [for (*,G)] and of the source through SPT joins.

PIM Network with Non-PIM Interfaces

For proper multicast traffic flow in a PIM-SM domain, as a general rule, enable PIM-SM on all interfaces
in the network (even if paths exist between all PIM interfaces). Enable PIM on all interfaces because
PIM-SM relies on the unicast routing table to determine the path to the RP, BSR, and multicast sources.
Ensure that all routers on these paths have PIM-SM enabled interfaces.

The following figure provides an example of this situation. If A is the RP, then initially the receiver
receives data from the shared tree path (that is, through switch A).

If the shortest path from C to the source is through switch B, and the interface between C and B does
not have PIM-SM enabled, then C cannot switch to the SPT. C discards data that comes through the
shared path tree (that is, through A). The simple workaround is to enable PIM on VLAN1 between C and
B.

Source Filtering

The system can report interest in receiving packets from only a specific source address (INCLUDE), from
all but specific source addresses (EXCLUDE), or sent to specific multicast addresses. IGMPv3 interacts
with PIM-SM, PIM-SSM, and snooping to provide source filtering.

Protocol Independent Multicast-Source Specific Multicast guidelines


PIM-Source Specific Multicast (SSM) is a one-to-many model that uses a subset of the PIM-SM features.
In this model, members of an SSM group can only receive multicast traffic from a specific source or
sources, which is more efficient and puts less load on multicast routing devices.

IGMPv3 supports PIM-SSM by enabling a host to selectively request traffic from individual sources
within a multicast group. The system can report interest in receiving packets from only specific
source addresses (INCLUDE). IGMPv3 interacts with PIM-SM, PIM-SSM, and snooping to provide source
filtering.

IGMPv2 SSM extensions

VSP 4450 Series processes messages according to the following rules:


• After IGMPv3 receives an IGMPv2 report in the SSM range, the system translates the report to an
IGMPv3 report message.
• After an IGMPv2 router sends queries on an IGMPv3 interface, the switch downgrades this interface
to IGMPv2 (backward compatibility).

This can cause traffic interruption, but the switch recovers quickly.

PIM-SSM design considerations

Use the following information when you design an SSM network:


• If you configure SSM, it affects SSM groups only. The switch handles other groups in sparse mode
(SM) if a valid RP exists on the network.
• You can configure PIM-SSM only on switches at the edge of the network. Core switches use PIM-SM
if they do not have receivers for SSM groups.
• For networks where group addresses are already in use, you can change the SSM range to match the
groups.
• One switch has a single SSM range.
• You can have different SSM ranges on different switches.

Configure the core switches that relay multicast traffic so that they cover all of these groups in their
SSM range, or use PIM-SM.
• One group in the SSM range can have multiple sources for a given SSM group.

Multicast for Multimedia


The switch provides a flexible and scalable multicast implementation for multimedia applications.
Several features are dedicated to multimedia applications and in particular to television distribution.

Join and leave performance

For TV applications, you can attach several TVs directly to the switch, or through an IGMP-capable
Ethernet switch. Base this implementation on IGMP; the set-top boxes use IGMP reports to join a
TV channel and IGMP leaves to exit the channel. After a viewer changes channels, the switch issues
an IGMPv2 leave for the old channel (multicast group), and sends a membership report for the new
channel. If viewers change channels continuously, the number of joins and leaves can become large,
particularly if many viewers attach to the switch.

The switch supports more than a thousand joins and leaves per second, which is well adapted to TV
applications.

Important
For IGMPv3, ensure a join rate of 1000 per second or less. This ensures the timely processing
of join requests.

If you use the IGMP proxy functionality at the receiver edge, you reduce the number of IGMP reports
received by the switch. This provides better overall performance and scalability.

Fast Leave

IGMP Fast Leave supports two modes of operation: single-user mode and multiple-user mode.

In single-user mode, if more than one member of a group is on the port and one of the group members
leaves the group, everyone stops receiving traffic for this group. Single-user mode does not send a
group-specific query before the effective leave takes place.

Multiple-user mode allows several users on the same port or VLAN. If one user leaves the group and
other receivers exist for the same stream, the stream continues. The switch tracks the number of
receivers that join a given group. For multiple-user mode to operate properly, do not suppress reports.
This ensures that the switch properly tracks the correct number of receivers on an interface.

The Fast Leave feature is particularly useful in IGMP-based TV distribution where only one receiver of a
TV channel connects to a port. If a viewer changes channels quickly, you create considerable bandwidth
savings if you use Fast Leave.

You can implement Fast Leave on a VLAN and port combination; a port that belongs to two different
VLANs can have Fast Leave enabled on one VLAN (but not on the other). Thus, with the Fast Leave
feature enabled, you can connect several devices on different VLANs to the same port. This strategy
does not affect traffic after one device leaves a group to which another device subscribes. For example,
you can use this feature when two TVs connect to a port through two set-top boxes, even if you use the
single-user mode.

To use Fast Leave, you must first enable explicit host tracking. IGMP uses explicit host tracking to
track all source and group members. Explicit host tracking is disabled by default. For configuration
information, see Configuring Fast Leave Mode on page 1630.

Last member query interval tuning

If an IGMPv2 host leaves a group, it notifies the router by using a leave message. Because of the IGMPv2
report suppression mechanism, the router cannot access information of other hosts that require the
stream. Thus, the router broadcasts a group-specific query message with a maximum response time
equal to the last member query interval (LMQI).

Because this timer affects the latency between the time that the last member leaves and the time
the stream actually stops, you must properly tune this parameter. This timer can especially affect TV
delivery or other large-scale, high-bandwidth multimedia applications. For instance, if you assign a
value that is too low, this can lead to a storm of membership reports if a large number of hosts are
subscribed. Similarly, assigning a value that is too high can cause unwanted high-bandwidth stream
propagation across the network if users change channels rapidly. Leave latency also depends on the
robustness value, so a value of 2 equates to a leave latency of twice the LMQI.

Determine the proper LMQI value for your particular network through testing. If a very large number
of users connect to a port, assigning a value of 3 can lead to a storm of report messages after a
group-specific query is sent. Conversely, if streams frequently start and stop in short intervals, as in a TV
delivery network, assigning a value of 10 can lead to frequent congestion in the core network.

Another performance-affecting factor that you need to be aware of is the error rate of the physical
medium. For links that have high packet loss, you can find it necessary to adjust the robustness variable
to a higher value to compensate for the possible loss of IGMP queries and reports.

In such cases, leave latency is adversely affected as numerous group-specific queries are unanswered
before the stream is pruned. The number of unanswered queries is equal to the robustness variable
(default 2). The assignment of a lower LMQI can counterbalance this effect. However, if you configure
the LMQI too low, it can actually exacerbate the problem by inducing storms of reports on the network.
LMQI values of 3 and 10, with a robustness value of 2, translate to leave latencies of 6/10 of a second
and 2 seconds, respectively.

When you choose an LMQI, consider all of these factors to determine the best configuration for the
given application and network. Test that value to ensure that it provides the best performance.

Important
In networks that have only one user connected to each port, use the Fast Leave feature
instead of LMQI, because no wait is required before the stream stops. Similarly, the robustness
variable does not affect the Fast Leave feature, which is an additional benefit for links with
high loss.

Layer 3 switch clustering and multicast SMLT


Switch clustering is the logical aggregation of two nodes to form one logical entity known as the switch
cluster. The two peer nodes in a switch cluster connect using a virtual interswitch trunk (vIST). The vIST
exchanges forwarding and routing information between the two peer nodes in the cluster. This section
provides guidelines for switch clusters that use multicast and Split Multilink Trunking (SMLT).

General guidelines

The following list identifies general guidelines to follow if you use multicast and switch clustering:
• Enable Protocol Independent Multicast - Sparse Mode (PIM-SM) on the vIST VLAN for fast recovery
of multicast. A unicast routing protocol is not required.
• Enable Internet Group Management Protocol (IGMP) snooping and proxy on the edge switches.

The following figure shows multicast behavior in an SMLT environment. The configuration in the
following figure provides fast failover if the switch or rendezvous point (RP) fails.

Figure 146: Multicast behavior in SMLT environment


In Figure 146 (Multicast behavior in SMLT environment), the following actions occur:

1. The multicast server sends multicast data towards the source designated router (DR).
2. The source DR sends register messages with encapsulated multicast data towards the RP.
3. After the client sends IGMP membership reports towards the multicast router, the router creates a
(*,G) entry.
4. The RP sends join messages towards the source DR on the reverse path.
5. After the source DR receives the join messages, it sends native multicast traffic.
6. After SW_B or SW_D receives multicast traffic from upstream, it forwards the traffic on the vIST as
well as on the SMLT link. Other aggregation switches drop multicast traffic received over the vIST at
egress. This action provides fast failover for multicast traffic. Both SW_D and SW_E (Aggregation
switches) have similar (S,G) records.
7. In case of SW_D or RP failure, SW_B changes only the next-hop interface towards SW_E. Because
the circuitless IP (CLIP) RP address is the same, SW_B does not flush (S,G) entries and achieves fast
failover.

Multicast triangle topology

A triangle design is an SMLT configuration that connects edge switches or SMLT clients to two
aggregation switches. Connect the aggregation switches together with a vIST that carries all the SMLT
trunks configured on the switches.

The switch supports the following triangle configurations:


• a configuration with Layer 3 PIM-SM routing on both the edge and aggregation switches
• a configuration with Layer 2 snooping on the client switches and Layer 3 routing with PIM-SM on the
aggregation switches

To avoid using an external query device to provide correct handling and routing of multicast traffic to
the rest of the network, use the triangle design with IGMP Snoop at the client switches. Use multicast
routing at the aggregation switches as shown in the following figure.

Figure 147: Multicast routing using PIM-SM


Client switches run IGMP Snoop or PIM-SM, and the aggregation switches run PIM-SM. This design
is simple and, for the rest of the network, PIM-SM performs IP multicast routing. The aggregation
switches are the query devices for IGMP, so an external query device is not required to activate IGMP
membership. These switches also act as redundant switches for IP multicast.

Multicast data flows through the vIST link when receivers are learned on the client switch and senders
are located on the aggregation switches, or when sourced data comes through the aggregation
switches. This data is destined for potential receivers attached to the other side of the vIST. The data
does not reach the client switches through the two aggregation switches because only the originating
switch forwards the data to the client switch receivers.

Note
Always place multicast receivers and senders on the core switches on VLANs different from
those that span the vIST.

The following figure shows a switch clustering configuration with a single switch cluster core and
dual-connected edge devices. This topology represents different VLANs spanning from each edge
device and those VLANs routed at the switch cluster core. You can configure multiple VLANs on the
edge devices, 802.1Q tagged to the switch cluster core.

Figure 148: Multicast SMLT triangle


Use an edge device that supports a form of link aggregation. Disable spanning tree on the link
aggregation group on the edge devices. Enable either Virtual Router Redundancy Protocol (VRRP)
BackupMaster or Routed SMLT (RSMLT) Layer 2 Edge on the switch cluster core.

Square and full-mesh topology multicast guidelines

A square design connects a pair of aggregation switches to another pair of aggregation switches. A
square design becomes a full-mesh design if the aggregation switches are connected in a full-mesh. The
switch supports Layer 3 IP multicast (PIM-SM only) over a full-mesh SMLT or RSMLT configuration.

In a square design, configure all switches with PIM-SM. Place the bootstrap router (BSR) and RP in one
of the four core switches; and place the RP closest to the source. If using PIM-SM over a square or
full-mesh configuration, enable the multicast smlt-square flag.

The following three figures show switch clustering configurations with two-switch cluster cores and
dual-connected edge devices.

Figure 149: Multicast SMLT square 1


In the preceding figure, only one of the switch cluster cores performs Layer 3 multicast routing while
the other is strictly Layer 2. Configure multiple VLANs on the edge devices, 802.1Q tagged to the switch
cluster cores.

Use an edge device that supports a form of link aggregation. Disable spanning tree on the link
aggregation group on the edge devices. Enable either the VRRP BackupMaster or RSMLT Layer 2
Edge on the switch cluster core.

Figure 150: Multicast SMLT square 2


In the preceding figure, both of the switch cluster cores perform Layer 3 multicast routing, while the
edge devices are Layer 2 IGMP.

Use an edge device that supports a form of link aggregation. Disable spanning tree on the link
aggregation group on the edge devices. Enable either the VRRP BackupMaster or RSMLT Layer 2 Edge
on the switch cluster cores. Do not enable VRRP on the RSMLT VLAN between switch cluster cores.

Figure 151: Multicast SMLT square 3


In the preceding figure, both of the switch cluster cores and the edge devices perform Layer 3 multicast
routing.

Use an edge device that supports a form of link aggregation. Disable spanning tree on the link
aggregation group on the edge devices. Enable either the VRRP BackupMaster or RSMLT Layer 2 Edge
on the switch cluster cores. Do not enable VRRP on the RSMLT VLAN between switch cluster cores.

SMLT and multicast traffic issues

If PIM-SM or other multicast protocols are used in an SMLT environment, enable the protocol on the
vIST. Routing protocols in general are not run over a vIST, but multicast routing protocols are an
exception. When using PIM-SM and a unicast routing protocol, ensure the unicast route to the BSR and
RP has PIM-SM active and enabled. If multiple OSPF paths exist and PIM-SM is not active on each pair,
the BSR is learned on a path that does not have PIM-SM active. The following figure demonstrates this
issue.


Figure 152: Unicast route example


The network configuration in the preceding figure is as follows:
• 5510A is on VLAN 101.
• 5510B is on VLAN 102.
• Switch B is the BSR.
• Switch A and Switch B have OSPF enabled.
• PIM is enabled and active on VLAN 101.
• PIM is either disabled or passive on VLAN 102.

In this example, the unicast route table on Switch A learns the BSR on Switch B through VLAN 102 using
OSPF. The BSR is either not learned or does not provide the RP to Switch A.


Protocol Independent Multicast over IPv6

Table 121: PIM over IPv6 product support


Feature          Product            Release introduced
PIM over IPv6    VSP 4450 Series    VOSS 5.1
                 VSP 4900 Series    VOSS 8.1
                 VSP 7200 Series    VOSS 5.1
                 VSP 7400 Series    VOSS 8.0
                 VSP 8200 Series    VOSS 5.1
                 VSP 8400 Series    VOSS 5.1
                 VSP 8600 Series    Not Supported
                 XA1400 Series      Not Supported

Note
PIM is supported in Global Routing Table (GRT) only.

Several multicast protocols are used to enable IP multicast.

Hosts use the Internet Group Management Protocol (IGMP) for IPv4 and Multicast Listener Discovery
(MLD v1/v2) for IPv6 to report multicast group memberships of directly attached multicast listeners to
neighboring multicast routers. MLD is the direct IPv6 replacement for the IGMP protocol used in IPv4.

Routers use Protocol Independent Multicast-Sparse Mode (PIM-SM) and PIM Source Specific Multicast
(PIM-SSM) to exchange multicast routing information. PIM-SM is the multicast routing protocol that uses
the underlying unicast routing information base to build, for each group, a unidirectional shared tree
rooted at the RP that reaches the group members, and to create shortest-path trees (SPT) per source.
The router forwards multicast packets along these trees. PIM-SSM does not require an RP and only
supports SPT.

PIM over IPv6 uses the IPv6 unicast routing table for reverse path information about the source and RP.

Note
IPv4 and IPv6 multicast streams cannot interact. To configure an end-to-end PIM IPv6
network, all nodes from sender to receiver must support PIM IPv6.

PIM-SM over IPv6 features


The following are features of PIM-SM over IPv6:
• Compliant with RFC 4601
• Multicast networks built by PIM IPv4 and PIM IPv6 do not overlap
• IPv4 receiver hosts cannot receive data from IPv6 source hosts and vice versa
• IPv4 and IPv6 multicast protocols can be enabled at the same time on the same VLAN
• PIM IPv4 and PIM IPv6 can be configured on the same VLAN
• PIM IPv4 and PIM IPv6 must be configured separately
• Supports sparse and ssm modes


Operational note for PIM-SM over IPv6


The following are operational considerations when deploying PIM-SM over IPv6:
• You can only configure PIM-SM if you configure the spbm-config-mode boot flag to false.
• The following HELLO message options are not supported:
◦ GENid
◦ DR priority
◦ LAN-PRUNE delay
◦ T-bit
• IPv6 multicast is not supported over SPBM.
• IPv6 multicast routing is not virtualized; it is supported only on the GRT.
• IPv6 multicast configuration on an SMLT VLAN is not supported. vIST peers cannot form PIM-SM over
IPv6 neighbor adjacencies. Senders and receivers on the vIST peers (SMLT and non-SMLT) cannot
communicate. MLT and LACP are supported.
• The switch does not support the following features:
◦ Static entries
◦ Bootstrap message (BSR)
◦ Anycast RP
◦ Virtual PIM neighbors
◦ Fast join prune
◦ Software forwarding
◦ Passive PIM interfaces
◦ IP mroute stream limit
◦ Bidirectional PIM
◦ Multicast Border Router (PMBR)
◦ VRF support for PIM (GRT only)
◦ IGMP and PIM mtrace capability
◦ High Availability (HA)

IPv6 interface multiple addresses


IPv6 interfaces can have multiple addresses associated with them. A router running PIM for IPv6 has
a network-unique, domain-wide reachable IPv6 VLAN address used for multiple hop messages. A link
local address is also associated with the VLAN. The link local address is a non-routable unicast IPv6
address used as the source address (primary interface address) for transmitting different types of PIM
messages.

IP multicast configuration and DvR


Configuration of IPv4 multicast is supported only on the Controller nodes of a DvR domain. You cannot
configure IP multicast on the DvR Leaf nodes. The following sections detail IP multicast configuration
support on DvR enabled nodes (Controllers or Leaf nodes).

For more information on DvR, see Distributed Virtual Routing Fundamentals on page 690.


Multicast configuration that is pushed from DvR Controllers to DvR Leaf nodes

When you perform the following multicast configuration on the DvR enabled interface of a DvR
Controller, the configuration is automatically pushed to the Leaf nodes within the domain.
• IP multicast over Fabric Connect
• IGMP Layer 2 Querier parameters, such as the IGMP Layer 2 Querier version, query interval, query
maximum response time, robustness value, last member query interval and compatibility mode
• Enabling and clearing of multicast route statistics

Multicast configuration that is not supported on DvR enabled Layer 2 VSNs


• IGMP Snooping on DvR enabled Layer 2 VSNs
• SPB-PIM Gateway

For more information on SPB-PIM Gateway, see SPB-PIM Gateway configuration on page 3187.

IP multicast basic configuration using CLI


To provide multicasting services, you need a host membership protocol and a multicast routing
protocol. Hosts subscribe to multicast services using a host membership protocol. The Internet Group
Management Protocol (IGMP) is an example of an IPv4 host membership protocol.

A multicast routing protocol optimizes the routing of multicast information to avoid loops and restrict
multicast traffic to networks that use host membership. Examples of multicast routing protocols include
Protocol Independent Multicast–Sparse Mode (PIM–SM) and Protocol Independent Multicast–Source
Specific Multicast (PIM–SSM).

Configuring IP multicast in SMLT topologies


This procedure shows how to configure PIM and IGMP Snooping in an SMLT environment. The
configuration steps show how to enable multicast, and then configure the usual PIM and IGMP Snooping
related VLANs and global attributes. It includes steps to configure the following:
• Setting the boot config flag
• Configuring the vIST peer
• Enabling Simplified vIST

Before You Begin

SPBM must not be enabled on the vIST peers or any router that participates in the PIM network.

About This Task

The switch supports configurable VLANs in the range of 1 to 4059. VLAN 0 is invalid. VLAN ID 1 is the
default VLAN and you cannot create or delete VLAN ID 1. VLAN IDs on the switch range from 2 to 4094
but, by default, the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support
the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the
system also reserves VLAN IDs 3500 to 3998.


Procedure

1. Enter Global Configuration mode:
enable

configure terminal
2. Disable the boot flag:
no boot config flags spbm-config-mode

The system responds with these messages:

Warning: Please save the configuration and reboot the switch for this
to take effect.

Warning: Please carefully save your configuration file before
rebooting the switch. Saving configuration file when spbm-config-mode
is changed to disable, removes SPBM configurations from the
configuration file.
3. Save the configuration, and then reboot the switch.

Important
Any change to the spbm-config-mode boot flag requires a reboot for the change to
take effect.

4. Create the vIST VLAN:
vlan create <2-4059> type port-mstprstp <0–63>

interface vlan <1-4059>

ip address <A.B.C.D/X>
5. Configure the vIST peer address and VLAN:
virtual-ist peer-ip <A.B.C.D> vlan <1-4059>
6. Configure the SMLT MLT:
mlt <1-512> enable

mlt <1-512> member {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

interface mlt <1-512>

smlt


7. Configure the vIST MLT:
mlt <1-512> enable

mlt <1-512> member {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

mlt <1-512> encapsulation dot1q

interface mlt <1-512>

virtual-ist enable

Note
The virtual-ist enable command enables Simplified vIST and is only available
when the spbm-config-mode boot flag is disabled.

8. Create a customer VLAN and assign the SMLT MLT ID:


vlan create <2-4059>

vlan mlt <1-4059> <1-512>

interface vlan <1-4059>

ip address <A.B.C.D/X>
9. Configure PIM or IGMP Snooping on the SMLT VLAN:
interface vlan <1-4059>

ip pim enable or ip igmp snooping


10. Configure PIM on the vIST VLAN:
interface vlan <1-4059>

ip pim enable
11. Enable PIM globally:
ip pim enable

Note
You can also configure other global PIM attributes, such as ip pim join-prune-interval.

Example
enable
configure terminal
no boot config flags spbm-config-mode

Save the configuration and reboot the switch.


virtual-ist peer-ip 198.51.100.0 vlan 50

mlt 3 enable
mlt 3 member 1/35,1/36
interface mlt 3
smlt


exit
mlt 5 enable
mlt 5 member 2/15,2/17
mlt 5 encapsulation dot1q
interface mlt 5
virtual-ist enable
exit
vlan create 50 type port-mstprstp 0
interface vlan 50
ip address 198.51.100.0 255.255.255.0 1
exit
vlan create 100
vlan mlt 100 3
interface vlan 100
ip address 192.0.2.0 255.255.255.0 2
exit
interface vlan 100
ip pim enable (or ip igmp snooping)
exit
interface vlan 50
ip pim enable
exit
ip pim enable
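
The requirements this procedure states can be checked against a saved command list before it is applied. The following Python code is an added example and is not part of the VOSS guide. It assumes the configuration is written exactly as the commands are typed in this procedure, with each interface block closed by exit; the function names and the sample configuration are constructed for illustration. It also flags IPv6 PIM on an SMLT VLAN, which the operational notes for PIM-SM over IPv6 list as unsupported.

```python
import re

# Constructed sample in the syntax of the procedure above (documentation addresses).
# It leaves PIM off the vIST VLAN and off globally, and puts only IPv6 PIM on SMLT VLAN 200.
SAMPLE_CONFIG = """\
no boot config flags spbm-config-mode
virtual-ist peer-ip 198.51.100.2 vlan 50
mlt 3 enable
mlt 3 member 1/35,1/36
interface mlt 3
smlt
exit
mlt 5 enable
mlt 5 encapsulation dot1q
interface mlt 5
virtual-ist enable
exit
vlan create 50 type port-mstprstp 0
vlan create 100
vlan mlt 100 3
vlan create 200
vlan mlt 200 3
interface vlan 100
ip pim enable
exit
interface vlan 200
ipv6 pim enable
exit
interface vlan 50
exit
"""


def parse(config_text):
    """Split commands into global ones and per-interface lists keyed by (kind, id)."""
    global_cmds, contexts, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"interface (vlan|mlt) (\d+)", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            contexts.setdefault(current, [])
        elif line == "exit":
            current = None
        elif current is None:
            global_cmds.append(line)      # e.g. the global 'ip pim enable'
        else:
            contexts[current].append(line)  # e.g. 'ip pim enable' on one VLAN
    return global_cmds, contexts


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, ctx = parse(config_text)
    findings = []
    # Before You Begin / step 2: SPBM must not be enabled on the vIST peers.
    if "no boot config flags spbm-config-mode" not in global_cmds:
        findings.append("spbm-config-mode boot flag is not disabled")
    # Step 11: PIM enabled globally (distinct from the per-VLAN command).
    if "ip pim enable" not in global_cmds:
        findings.append("PIM is not enabled globally")
    # Steps 5 and 10: the VLAN named in 'virtual-ist peer-ip' must run PIM.
    vist_vlans = set()
    for cmd in global_cmds:
        m = re.fullmatch(r"virtual-ist peer-ip \S+ vlan (\d+)", cmd)
        if m:
            vist_vlans.add(int(m.group(1)))
    if not vist_vlans:
        findings.append("no vIST peer is configured")
    for vid in sorted(vist_vlans):
        if "ip pim enable" not in ctx.get(("vlan", vid), []):
            findings.append(f"vIST VLAN {vid}: PIM is not enabled")
    # Steps 6, 8 and 9: every VLAN placed on an SMLT MLT needs PIM or IGMP Snooping.
    smlt_mlts = {n for (kind, n), cmds in ctx.items() if kind == "mlt" and "smlt" in cmds}
    for cmd in global_cmds:
        m = re.fullmatch(r"vlan mlt (\d+) (\d+)", cmd)
        if not m or int(m.group(2)) not in smlt_mlts:
            continue
        vid = int(m.group(1))
        cmds = ctx.get(("vlan", vid), [])
        if "ip pim enable" not in cmds and "ip igmp snooping" not in cmds:
            findings.append(f"SMLT VLAN {vid}: neither PIM nor IGMP Snooping is enabled")
        if any(c.startswith("ipv6 pim") for c in cmds):
            findings.append(f"SMLT VLAN {vid}: IPv6 PIM is configured, which is not "
                            "supported on an SMLT VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
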

Configure PIM-SM Globally


Configure PIM-SM to enable or disable PIM-SM globally on the switch and change default global
parameters.

Before You Begin

Note
Before you can enable the PIM Infinite Threshold Policy feature, you must first disable the
following:
• PIM-SM
• PIM-SSM
• Simplified vIST

About This Task

PIM-SM is the default mode so you do not need to configure the PIM mode.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable PIM-SM:
ip pim enable
3. Configure the time between bootstrap messages:
ip pim bootstrap-period <5–32757>
4. Configure the timeout to discard data:
ip pim disc-data-timeout <5–65535>


5. Enable the fast join prune interval:


ip pim fast-joinprune
6. Configure the forward cache timeout:
ip pim fwd-cache-timeout <10–86400>
7. Configure the interval for join and prune messages:
ip pim join-prune-interval <1–18724>
8. Specify how long to suppress register messages:
ip pim register-suppression-timeout <6–65535>
9. Specify how often the candidate-rendezvous point (C-RP) sends advertisements:
ip pim rp-c-adv-timeout <5–26214>
10. Configure PIM Infinite Threshold Policy:
a. Disable PIM-SM:
no ip pim enable
b. Enable PIM Infinite Threshold Policy:
ip pim spt-infinite-threshold
c. Enable PIM-SM:
ip pim enable
11. Configure the polling interval for the routing table manager (RTM):
ip pim unicast-route-change-timeout <2–65535>
12. Verify the configuration changes:
show ip pim

Example

Verify the configuration changes:

Switch:1(config)#show ip pim
Switch:1#show ip pim
==========================================================================================
Pim General Group - GlobalRouter
==========================================================================================
PimStat : disabled
Mode : sparse
StaticRP : disabled
FastJoinPrune : disabled
SptInfiniteThreshold : enabled
BootstrapPeriod : 60
CRPAdvTimeout : 60
DiscDataTimeout : 60
FwdCacheTimeout : 210
RegSupprTimeout : 60
UniRouteChangeTimeout : 5
JoinPruneInt : 60


Variable Definitions

The following table describes the variables for the ip pim command.

Variable
    Value

disc-data-timeout <5-65535>
    Specifies the duration in seconds to discard data until the switch receives the join message from the rendezvous point (RP). An IP multicast discard record is created after a register packet is sent, until the timer expires or the switch receives a join message.
    The default value is 60.

bootstrap-period
    Specifies the interval (in seconds) that the elected BSR waits between originating bootstrap messages. The range is from 5–32757 and the default is 60 seconds.

enable
    Enables PIM globally on the switch.
    The default is disabled.

fast-joinprune
    Enables or disables the PIM fast join prune feature.

fwd-cache-timeout <10-86400>
    Specifies the forward cache timeout value.
    The default value is 120.

join-prune-interval <1-18724>
    Specifies the duration in seconds before the PIM router sends out the next join or prune message to its upstream neighbors.
    The default value is 60.

mode <sparse> <ssm>
    Configures PIM mode on the switch.
    The default value is sparse.

register-suppression-timeout <10-65535>
    Specifies the duration in seconds the designated router (DR) suppresses sending registers to the RP. The timer starts after the DR receives a register-stop message from the RP.
    The default value is 60.

rp-c-adv-timeout
    Specifies how often (in seconds) a router configured as a candidate rendezvous point router (C-RP) sends advertisement messages. After this timer expires, the C-RP router sends an advertisement message to the elected bootstrap router (BSR).
    The range is from 5–26214 and the default is 60 seconds.

spt-infinite-threshold
    Enables PIM Infinite Threshold Policy for IPv4, so that multicast traffic follows the shared tree path through a Rendezvous Point (RP) instead of automatically switching over to shortest path tree (SPT).
    The default is disabled.

static-rp
    Enables or disables the static RP feature. You can use static RP to configure a static entry for an RP. A static RP permits communication with switches from other vendors that do not use the BSR mechanism.

unicast-route-change-timeout <2-65535>
    Specifies the duration in seconds the switch polls the RTM for unicast routing information updates for PIM.
    The default value is 5.

virtual-neighbor
    Configures a virtual neighbor IP address for an interface globally.

Enable IPv6 PIM-SM Globally


About This Task

Use this procedure to enable IPv6 PIM-SM globally. By default, IPv6 PIM-SM is disabled.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable IPv6 PIM-SM:
ipv6 pim enable

Configure Global IPv6 PIM-SM Properties


Before You Begin

Note
Before you can enable the PIM Infinite Threshold Policy feature, you must first disable the
following:
• PIM-SM
• PIM-SSM

About This Task

Use this procedure to configure the global IPv6 PIM-SM parameters on the switch.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the timeout to discard data:
ipv6 pim disc-data-timeout <5-65535>
3. Configure the forward cache timeout:
ipv6 pim fwd-cache-timeout <10-86400>


4. Configure the interval for join and prune messages:


ipv6 pim join-prune-interval <1-18724>
5. Specify how long to suppress register messages:
ipv6 pim register-suppression-timeout <10-65535>
6. Configure PIM Infinite Threshold Policy:
ipv6 pim spt-infinite-threshold
7. Configure the polling interval for the routing table manager (RTM):
ipv6 pim unicast-route-change-timeout <2-65535>
8. Configure the PIM mode:
ipv6 pim mode <sparse> <ssm>
9. Verify the configuration changes:
show ipv6 pim

Example

Verify the configuration changes:

Switch:1#show ipv6 pim


==========================================================================================
Pim General Group - GlobalRouter
==========================================================================================
PimStat : enabled
Mode : sparse
StaticRP : disabled
SptInfiniteThreshold : enabled
FwdCacheTimeout : 210
DiscDataTimeout : 60
RegSupprTimeout : 60
UniRouteChangeTimeout : 5
JoinPruneInt : 60

Variable Definitions

The following table describes the variables for the ipv6 pim command.

Variable
    Value

disc-data-timeout <5-65535>
    Specifies the duration in seconds to discard data until the switch receives the join message from the rendezvous point (RP). An IP multicast discard record is created after a register packet is sent, until the timer expires or the switch receives a join message.
    The default value is 60.

enable
    Enables PIM globally on the switch.
    The default is disabled.

fwd-cache-timeout <10-86400>
    Specifies the forward cache timeout value.
    The default value is 120.

join-prune-interval <1-18724>
    Specifies the duration in seconds before the PIM router sends out the next join or prune message to its upstream neighbors.
    The default value is 60.

mode <sparse> <ssm>
    Configures PIM mode on the switch.
    The default value is sparse.

register-suppression-timeout <10-65535>
    Specifies the duration in seconds the designated router (DR) suppresses sending registers to the RP. The timer starts after the DR receives a register-stop message from the RP.
    The default value is 60.

spt-infinite-threshold
    Enables PIM Infinite Threshold Policy for IPv6, so that multicast traffic follows the shared tree path through a Rendezvous Point (RP) instead of automatically switching over to shortest path tree (SPT).
    The default is disabled.

static-rp
    Adds new static-rp entries and enables static-rp.

unicast-route-change-timeout <2-65535>
    Specifies the duration in seconds the switch polls the RTM for unicast routing information updates for PIM.
    The default value is 5.

Configure PIM on a VLAN


Configure PIM for each interface to enable the interface to perform multicasting operations.

Before You Begin


• You must enable PIM globally before you configure PIM on a VLAN.
• The interface uses a valid IP address.

Procedure

1. Enter VLAN Interface Configuration mode:


enable

configure terminal

interface vlan <1–4059>


2. Create a PIM interface on a VLAN:
ip pim enable

This command creates an active interface, by default.


3. Configure the interval for join and prune messages:
ip pim join-prune-interval <1–18724>
4. Configure the time between hello messages:
ip pim hello-interval <0–18724>
5. Verify the configuration:
show ip pim interface vlan [<1-4059>]


Example

Configure the interval for join and prune messages, the time between hello messages, and then verify
the configuration.
Switch:1(config-if)#ip pim join-prune-interval 60
Switch:1(config-if)#ip pim hello-interval 30
Switch:1>show ip pim interface vlan 10
========================================================================
Vlan Ip Pim
========================================================================
VLAN-ID PIM-ENABLE MODE   HELLOINT JPINT CBSRPREF      INTF TYPE
------------------------------------------------------------------------
10      enable     sparse 30       60    -1 (disabled) active

Configuring PIM on a port


Configure PIM for each interface to enable the interface to perform multicasting operations.

Before You Begin


• You must enable PIM globally before you configure it on an interface.
• The interface uses a valid IP address.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Create a PIM interface on a port:


ip pim enable

This command creates an active interface, by default.


3. Configure the interval for join and prune messages:
ip pim join-prune-interval <1–18724>
4. Configure the time between hello messages:
ip pim hello-interval <0–18724>

Example

Configure the interval for join and prune messages and the time between hello messages:
Switch(config-if)#ip pim join-prune-interval 60
Switch(config-if)#ip pim hello-interval 30


Configuring IPv6 PIM on a port or VLAN


Configure PIM for each interface to enable the interface to perform multicasting operations.

Before You Begin


• Enable the IPv6 interface.

Procedure
1. Enter Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Create a PIM interface on a port or VLAN:


ipv6 pim enable

This command creates an active interface, by default.


3. Configure the interval for join and prune messages:
ipv6 pim join-prune-interval <1–18724>
4. Configure the time between hello messages:
ipv6 pim hello-interval <0–18724>

Example
Switch:1(config-if)#ipv6 pim join-prune-interval 60
Switch:1(config-if)#ipv6 pim hello-interval 30

Variable Definitions

The following table describes the variables for the ipv6 pim command.

Variable
    Value

hello-interval <0-18724>
    Specifies the duration in seconds before the PIM router sends out the next hello message to neighboring switches.
    The default value is 30 seconds.

join-prune-interval <1-18724>
    Specifies the duration in seconds before the PIM router sends out the next join or prune message to its upstream neighbors.
    The default value is 60 seconds.

Configuring SSM globally


Configure SSM to optimize PIM-SM by simplifying the many-to-many model (servers-to-receivers).


Before You Begin


• Configure a unicast protocol, for example, Routing Information Protocol (RIP) or Open Shortest Path
First (OSPF), globally and on the interfaces where you want to configure PIM. For more information
about RIP, see RIP configuration using CLI on page 2809. For more information about OSPF, see
OSPF configuration using CLI on page 2468.
• Enable PIM globally.

About This Task

Because most multicast applications distribute content to a group in one direction, SSM uses a one-to-
many model that uses only a subset of the PIM-SM features. This model is more efficient and reduces
the load on multicast routing devices.

SSM is a global configuration. After you enable SSM on a switch, it is enabled on all interfaces that run
PIM. On an SSM-enabled switch, SSM behavior is limited to the SSM group range.

For non-SSM groups, the protocol behavior is PIM-SM.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure PIM-SSM:
ip pim mode ssm

Configuring IPv6 SSM globally


Configure IPv6 SSM to optimize IPv6 PIM-SM by simplifying the many-to-many model (servers-to-
receivers).

Before You Begin


• Configure an IPv6 unicast protocol, for example, Routing Information Protocol Next Generation
(RIPng) or Open Shortest Path First Version 3 (OSPFv3), globally and on the interfaces where you
want to configure PIM.

For more information about RIPng, see RIPng Configuration using CLI on page 2819. For more
information about OSPFv3, see OSPFv3 Configuration using CLI on page 2511.
• Enable IPv6 PIM globally.

About This Task

Because most multicast applications distribute content to a group in one direction, SSM uses a one-to-
many model which requires only a subset of the PIM-SM features. This model is more efficient and
reduces the load on multicast routing devices.

SSM is a global configuration. After you enable SSM on a switch, it is enabled on all interfaces that run
PIM. On an SSM-enabled switch, SSM behavior is limited to the SSM group range.

For non-SSM groups, the protocol behavior is PIM-SM.


Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Configure IPv6 PIM-SSM:
ipv6 pim mode ssm

Configuring IGMP on a VLAN


Configure IGMP for each interface to change default multicasting operations.

Note
When you configure the following IGMP parameters on the DvR enabled interface of a DvR
Controller, the configuration is automatically pushed to the Leaf nodes within the domain.
• ip igmp version
• ip igmp query-interval
• ip igmp query-max-response
• ip igmp robust-value
• ip igmp last-member-query-interval
• ip igmp compatibility-mode

IGMP snooping is not supported on DvR enabled Layer 2 VSNs.


For more information on DvR, see .

Before You Begin


• For PIM interfaces, you must enable PIM globally and on the VLAN. For snooping interfaces, do not
enable PIM.

Procedure
1. Enter VLAN Interface Configuration mode:
enable

configure terminal

interface vlan <1–4059>


2. Enable IGMP v2-v3 compatibility mode:
ip igmp compatibility-mode
3. Configure the system to downgrade the version of IGMP:
ip igmp dynamic-downgrade-version
4. Configure message intervals and response times:
ip igmp last-member-query-interval <0–255> [query-interval <1–65535>] [query-max-response <0–255>]
5. Configure expected packet loss and IGMP version:
ip igmp robust-value <2–255> [version <1–3>]


6. Add multicast router ports:


ip igmp mrouter {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
7. Enable proxy-snoop:
ip igmp proxy
8. Enable router alert:
ip igmp router-alert
9. Enable snooping:
ip igmp snooping
10. Enable SSM-snooping:
ip igmp ssm-snoop

Example

Enter VLAN Interface Configuration Mode for VLAN 10:


Switch:1(config)# interface vlan 10

Configure the last member query interval to 15 tenths of a second (equal to 1.5 seconds).
Switch:1(config-if)# ip igmp last-member-query-interval 15

Configure the query interval to 100 seconds.


Switch:1(config-if)# ip igmp query-interval 100

Configure the query maximum response time to 15 tenths of a second (equal to 1.5 seconds).
Switch:1(config-if)# ip igmp query-max-response 15

Configure the robustness value to 4 seconds.


Switch:1(config-if)# ip igmp robust-value 4

Enable proxy snoop for the VLAN.


Switch:1(config-if)# ip igmp proxy

Enable snoop for the VLAN.


Switch:1(config-if)# ip igmp snooping

Enable support for SSM on the snoop interface.


Switch:1(config-if)# ip igmp ssm-snoop

Enable IGMPv3.
Switch:1(config-if)# ip igmp version 3


Variable Definitions
Use the definitions in the following table to use the ip igmp command.

Variable Value
access-list WORD<1– Specifies the name of the access list from 1–64 characters.
64> {A.B.C.D/X} <eny- Creates an access control group entry for a specific IGMP
tx|deny-rx|deny-both|allow- interface. Specify the IP address of the host and the subnet
only-tx|allow-only-rx|allow- mask used to determine the host or hosts covered by this
only-both> configuration. You can use the host subnet mask to restrict
access to a portion of the network for the host.
Indicates the action for the specified IGMP interface. For
example, if you specify deny-both, the interface denies both
transmitted and received traffic
compatibility-mode Activates v2-v3 compatibility mode. The default value is
disabled, which means IGMPv3 is not compatible with
IGMPv2. To use the default configuration, use the default
option in the command:
default ip igmp compatibility-mode
, or use the no option to disable compatibility mode:
no ip igmp compatibility-mode
dynamic-downgrade-version Configures the version of IGMP to handle older query
messages if the system downgrades. If the system
downgrades, the host with IGMPv3 only capability does not
work. If you do not configure the system to downgrade the
version of IGMP, the system logs a warning. The system
downgrades to the oldest version of IGMP on the network
by default. To use the default configuration, use the default
option in the command:
default ip igmp dynamic-downgrade-version
or use the no option to disable downgrade:
no ip igmp dynamic-downgrade-version
igmpv3-explicit-host- Enables explicit host tracking on IGMPv3. The default state is
tracking disabled.
immediate-leave Enables fast leave on a VLAN.
immediate-leave-members Configures IGMP fast leave members on a VLAN to specify
{slot/port[/sub-port] [- fast-leave-capable ports.
slot/port[/sub-port]] Identifies the slot and port in one of the following
[,...]} formats: a single slot and port (slot/port), a range of slots
and ports (slot/port-slot/port), or a series of slots and
ports (slot/port,slot/port,slot/port). If the platform supports
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
last-member-query-interval Configures the maximum response time (in tenths of a
<0–255> second) inserted into group-specific queries sent in response
to leave group messages. This value is also the time between
group-specific query messages. You cannot configure this
value for IGMPv1.
Decreasing the value reduces the time to detect the loss of
the last member of a group. The default is 10 tenths of a
second. You should configure this value between 3–10 (equal
to 0.3 – 1.0 seconds).

VOSS User Guide for version 8.7 1543


Configuring IGMP on a VLAN IP Multicast

Variable Value
mrdisc [maxadvertinterval Configures the multicast router discovery options to enable
<2–180>] the automatic discovery of multicast capable routers. The
[maxinitadvertinterval <2– default parameter values are:
180>] [maxinitadvertisements • maxadvertinterval: 20 seconds
<2–15>] [minadvertinterval • maxinitadvertinterval: 2 seconds
<3–180>] [neighdeadinterval
<2–180>] • maxinitadvertisements: 3
• minadvertinterval: 15 seconds
• neighdeadinterval: 60 seconds

mrouter {slot/port[/sub- Adds multicast router ports.


port] [-slot/port[/sub- Identifies the slot and port in one of the following
port]] [,...]} formats: a single slot and port (slot/port), a range of slots
and ports (slot/port-slot/port), or a series of slots and
ports (slot/port,slot/port,slot/port). If the platform supports
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
proxy Activates the proxy-snoop option globally for the VLAN.
query-interval <1–65535> Configures the frequency (in seconds) at which the VLAN
transmits host query packets. The default value is 125
seconds.
query-max-response <0–255> Configures the maximum response time (in tenths of a
second) advertised in IGMPv2 general queries on this
interface. You cannot configure this value for IGMPv1. Smaller
values enable a router to prune groups faster. The default is
100 tenths of a second (equal to 10 seconds).

Important:
You must configure this value lower than the query-interval.

robust-value <2–255> Configures the expected packet loss of a network. The


default value is 2 seconds. Increase the value if you expect
the network to experience packet loss.
router-alert Instructs the router to ignore IGMP packets that do not
contain the router alert IP option. When disabled (default
configuration), the router processes IGMP packets regardless
of the status of the router alert IP option.

Important:
To maximize network performance, configure this parameter
according to the version of IGMP currently in use:
• IGMPv1—Disable
• IGMPv2—Enable
• IGMPv3—Enable

snoop-querier Enables the IGMP Layer 2 Querier feature on the VLAN. The
default is disabled.
snoop-querier-addr {A.B.C.D} Specifies the IGMP Layer 2 Querier source IP address.
snooping Activates the snoop option for the VLAN.
ssm-snoop Activates support for PIM-SSM on the snoop interface.

static-group {A.B.C.D} {A.B.C.D} {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} [static|blocked] Configures IGMP static members to add members to a snoop group.
{A.B.C.D} {A.B.C.D} indicates the IP address range of the selected multicast group.
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} adds ports to a static group entry.
[static|blocked] configures the route to static or blocked.
stream-limit stream-limit-max-streams <0-65535> Configures multicast stream limitation on a VLAN to limit the number of concurrent multicast streams on the VLAN. The default is 4.
stream-limit-group {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} enable max-streams <0-65535> Configures multicast stream limitation members on ports of a specific VLAN to limit the number of multicast groups that can join a VLAN. The default max-streams value is 4.
version <1–3> Configures the version of IGMP for this interface. For IGMP
to function correctly, all routers on a LAN must use the same
version. The default value is 2 (IGMPv2).

Configure IGMP Ports


Configure IGMP for each interface to change default multicasting operations.

Note
When you configure the following IGMP parameters on the DvR enabled interface of a DvR
Controller, the configuration is automatically pushed to the Leaf nodes within the domain.
• ip igmp version
• ip igmp query-interval
• ip igmp query-max-response
• ip igmp robust-value
• ip igmp last-member-query-interval
• ip igmp compatibility-mode

For more information on DvR, see Distributed Virtual Routing on page 688.


Procedure

1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable IGMP v2-v3 compatibility mode:
ip igmp compatibility-mode
3. Configure the system to downgrade the version of IGMP:
ip igmp dynamic-downgrade-version
4. Configure message intervals and response times:
ip igmp last-member-query-interval <0–255> [query-interval <1–65535>] [query-max-response <0–255>]
5. Configure expected packet loss and IGMP version:
ip igmp robust-value <2–255> [version <1–3>]
6. Configure IGMP for a specific port:
ip igmp port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
7. Enable router alert:
ip igmp router-alert

Example

Configure message intervals and response times:

Switch(config-if)#ip igmp last-member-query-interval 30 query-interval 60 query-max-response 90

Configure expected packet loss and IGMP version:

Switch(config-if)#ip igmp robust-value 2 version 3

Configure IGMP for a specific port:

Switch(config-if)#ip igmp port 1/4

Enable router alert:

Switch(config-if)#ip igmp router-alert


Variable definitions
Use the definitions in the following table to use the ip igmp command.

Variable Value
access-list WORD<1–64> {A.B.C.D/X} <deny-tx|deny-rx|deny-both|allow-only-tx|allow-only-rx|allow-only-both> Specifies the name of the access list from 1–64 characters.
Creates an access control group entry for a specific IGMP interface. Specify the IP address of the host and the subnet mask used to determine the host or hosts covered by this configuration. You can use the host subnet mask to restrict access to a portion of the network for the host.
Indicates the action for the specified IGMP interface. For example, if you specify deny-both, the interface denies both transmitted and received traffic.
compatibility-mode Activates v2-v3 compatibility mode. The default value is disabled, which means IGMPv3 is not compatible with IGMPv2. To use the default configuration, use the default option in the command:
default ip igmp compatibility-mode
or use the no option to disable compatibility mode:
no ip igmp compatibility-mode
dynamic-downgrade-version Configures if the system downgrades the version of IGMP
to handle older query messages. If the system downgrades,
the host with IGMPv3 only capability does not work. If you
do not configure the system to downgrade the version of
IGMP, the system logs a warning. The system downgrades
to the oldest version of IGMP on the network by default. To
use the default configuration, use the default option in the
command:
default ip igmp dynamic-downgrade-version
or use the no option to disable downgrade:
no ip igmp dynamic-downgrade-version
igmpv3-explicit-host-tracking Enables explicit host tracking on IGMPv3. The default state is disabled.
immediate-leave Enables fast leave on a port.
last-member-query-interval <0–255> Configures the maximum response time (in tenths of a second) inserted into group-specific queries sent in response to leave group messages. This value is also the time between group-specific query messages. You cannot configure this value for IGMPv1.
Decreasing the value reduces the time to detect the loss of the last member of a group. The default is 10 tenths of a second. You should configure this value between 3–10 (equal to 0.3 – 1.0 seconds).
port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Configures IGMP for a specific port.
Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

query-interval <1–65535> Configures the frequency (in seconds) at which the VLAN
transmits host query packets. The default value is 125
seconds.
query-max-response <0–255> Configures the maximum response time (in tenths of a
second) advertised in IGMPv2 general queries on this
interface. You cannot configure this value for IGMPv1. Smaller
values enable a router to prune groups faster. The default is
100 tenths of a second (equal to 10 seconds).

Important:
You must configure this value lower than the query-interval.

robust-value <2–255> Configures the expected packet loss of a network. The default value is 2 seconds. Increase the value if you expect the network to experience packet loss.
router-alert Instructs the router to ignore IGMP packets that do not
contain the router alert IP option. When disabled (default
configuration), the router processes IGMP packets regardless
of the status of the router alert IP option.

Important:
To maximize network performance, configure this parameter
according to the version of IGMP currently in use:
• IGMPv1—Disable
• IGMPv2—Enable
• IGMPv3—Enable

stream-limit stream-limit-max-streams <0-65535> Configures multicast stream limitation on a port to limit the number of concurrent multicast streams on the port. The default is 4.
version <1–3> Configures the version of IGMP for this interface. For IGMP
to function correctly, all routers on a LAN must use the same
version. The default value is 2 (IGMPv2).
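
The ranges, units and version-dependent rules in the table above can be checked before a change is applied (on a DvR Controller the setting is pushed to every Leaf node). The following Python audit is an added example, not part of the VOSS documentation or Extreme Networks code; the function names and finding codes are hypothetical, and it assumes query-max-response is compared with query-interval after converting tenths of a second to seconds, which matches the page's own example (90 tenths against 60 seconds).

```python
import re

# Ranges from the ip igmp variable definitions on this page.
RANGES = {
    "last-member-query-interval": (0, 255),  # tenths of a second
    "query-interval": (1, 65535),            # seconds
    "query-max-response": (0, 255),          # tenths of a second
    "robust-value": (2, 255),
    "version": (1, 3),
}
# Documented defaults; router-alert is disabled by default.
DEFAULTS = {
    "last-member-query-interval": 10,
    "query-interval": 125,
    "query-max-response": 100,
    "robust-value": 2,
    "version": 2,
    "router-alert": False,
}
PROMPT = re.compile(r"^\S*#\s*")  # leading "Switch(config-if)#" prompt, if present

# The example commands shown on this page.
PAGE_EXAMPLE = [
    "Switch(config-if)#ip igmp last-member-query-interval 30 query-interval 60 query-max-response 90",
    "Switch(config-if)#ip igmp robust-value 2 version 3",
    "Switch(config-if)#ip igmp port 1/4",
    "Switch(config-if)#ip igmp router-alert",
]
# Constructed sample: an IGMPv1 interface with timers the table disallows.
CONSTRUCTED_BAD = [
    "ip igmp query-interval 5 query-max-response 100",
    "ip igmp version 1",
]


def parse_igmp(lines):
    """Return (settings, explicitly_set_keys) for the ip igmp lines given."""
    cfg = dict(DEFAULTS)
    explicit = set()
    for raw in lines:
        tokens = PROMPT.sub("", raw.strip()).split()
        negate = tokens[:1] == ["no"]
        if negate:
            tokens = tokens[1:]
        if tokens[:2] != ["ip", "igmp"]:
            continue
        args = tokens[2:]
        i = 0
        while i < len(args):
            key = args[i]
            if key == "router-alert":
                cfg[key] = not negate
            elif (key in RANGES and not negate
                  and args[i + 1:i + 2] and args[i + 1].isdigit()):
                cfg[key] = int(args[i + 1])
                explicit.add(key)
                i += 1  # skip the value just consumed
            i += 1
    return cfg, explicit


def audit(cfg, explicit):
    """Return a list of (code, message) findings for one interface."""
    findings = []
    for key, (low, high) in RANGES.items():
        if not low <= cfg[key] <= high:
            findings.append(("RANGE", f"{key} {cfg[key]} is outside {low}-{high}"))
    qmr_seconds = cfg["query-max-response"] / 10  # tenths of a second -> seconds
    if qmr_seconds >= cfg["query-interval"]:
        findings.append(("QMR_GE_QI",
                         f"query-max-response {qmr_seconds}s is not lower than "
                         f"query-interval {cfg['query-interval']}s"))
    if cfg["version"] == 1:
        # Both timers are documented as not configurable for IGMPv1.
        for key in ("last-member-query-interval", "query-max-response"):
            if key in explicit:
                findings.append(("V1_TIMER", f"{key} cannot be configured for IGMPv1"))
    elif not 3 <= cfg["last-member-query-interval"] <= 10:
        findings.append(("LMQI_RECOMMENDED",
                         f"last-member-query-interval {cfg['last-member-query-interval']} "
                         "is outside the recommended 3-10"))
    want_alert = cfg["version"] >= 2  # IGMPv1: disable; IGMPv2 and IGMPv3: enable
    if cfg["router-alert"] != want_alert:
        state = "enabled" if want_alert else "disabled"
        findings.append(("ROUTER_ALERT",
                         f"router-alert should be {state} for IGMPv{cfg['version']}"))
    return findings


def audit_lines(lines):
    return audit(*parse_igmp(lines))


if __name__ == "__main__":
    for name, sample in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        for code, message in audit_lines(sample):
            print(f"{name}: {code}: {message}")
```

Run against the page's own example, the audit reports only that last-member-query-interval 30 lies outside the recommended 3–10 window.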

Configuring IGMP on a VRF


You configure IGMP on a VRF instance the same way you configure IGMP for the Global Router, except
that you must use VRF Router Configuration mode.

Procedure

1. Enter VRF Router Configuration mode for a specific VRF context:
enable
configure terminal
router vrf WORD<1-16>

2. Enable SSM dynamic learning:
ip igmp ssm dynamic-learning


3. Configure the range group:
ip igmp ssm group-range {A.B.C.D/X}

The system displays the following message:

Warning: Changing the SSM range will cause all spb-multicast and spb-pim-gw enabled interfaces to be internally bounced. Do you wish to continue? (y/n) ? (y/n)?

Enter y to continue.
4. Enable the SSM map table for all static entries:
ip igmp ssm-map all
5. Create a static entry for a specific group:
ip igmp ssm-map {A.B.C.D} {A.B.C.D} enable
6. Enable the generation of IGMP traps:
ip igmp generate-trap
7. Enable the generation of IGMP log messages:
ip igmp generate-log
8. Configure the fast leave mode:
ip igmp immediate-leave-mode {multiple-user|one-user}

Example

For the VRF Red context, configure a new IP multicast group address and create an SSM map table
entry for the multicast group and the source at 192.32.99.151. Configure the administrative state to
enable all the static SSM map table entries.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#router vrf red
Switch:1(router-vrf)#ip igmp ssm group-range 232.1.1.10/32

WARNING: Changing the SSM range will cause all spb-multicast and spb-pim-gw enabled
interfaces to be internally bounced. Do you wish to continue? (y/n) ? (y/n)? y
Switch:1(router-vrf)#ip igmp ssm-map 232.1.1.10 192.32.99.151
Switch:1(router-vrf)#ip igmp ssm-map all

Variable definitions
Use the definitions in the following table to use the ip igmp command on a VRF.

Variable Value
generate-log Enables the generation of IGMP log messages. The default is disabled.
generate-trap Enables the generation of IGMP traps. The default is disabled.
immediate-leave-mode {multiple-user|one-user}
• multiple-user: Removes (from the group) the IGMP member who sent the leave message. The default is multiple-user.
• one-user: Removes all group members on a fast leave enabled interface port after receiving the first leave message from a member.

ssm dynamic-learning Enables dynamic learning from IGMPv3 reports. The default is enabled.
ssm group-range {A.B.C.D/X} Changes the SSM range group to define the SSM range. The SSM range parameter extends the default SSM range of 232/8 to include an IP multicast address.
This parameter specifies an IP multicast address within the range of 224.0.0.0 and 239.255.255.255. The default is 232.0.0.0. The address mask is the IP address mask of the multicast group. The default is 255.0.0.0.
ssm-map <all | {A.B.C.D} {A.B.C.D} enable Creates a static SSM channel table entry by specifying the group and source IP addresses. The IP address is an IP multicast address within the SSM range. The source IP address is an IP host address that sends traffic to the group.
Enables the administrative state for a specific entry (group). This variable does not affect the dynamically learned entries. This state determines whether the switch uses the static entry or saves it for future use. The default is enable for each entry.
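
A static SSM map entry is only useful when its group falls inside the SSM range and its source is a host address, as the definitions above state. The following Python check is an added example, not part of the VOSS documentation; the function name and finding codes are hypothetical, and it assumes the configured group-range is the effective SSM range, with 232.0.0.0/8 used when none is configured.

```python
from ipaddress import IPv4Address, IPv4Network

MULTICAST = IPv4Network("224.0.0.0/4")          # 224.0.0.0 to 239.255.255.255
DEFAULT_SSM_RANGE = IPv4Network("232.0.0.0/8")  # documented default range
BROADCAST = IPv4Address("255.255.255.255")

# The VRF Red example session shown on this page (warning text omitted).
PAGE_EXAMPLE = [
    "Switch:1(config)#router vrf red",
    "Switch:1(router-vrf)#ip igmp ssm group-range 232.1.1.10/32",
    "Switch:1(router-vrf)#ip igmp ssm-map 232.1.1.10 192.32.99.151",
    "Switch:1(router-vrf)#ip igmp ssm-map all",
]
# Constructed sample: one group outside the range, one multicast "source".
CONSTRUCTED_BAD = [
    "ip igmp ssm group-range 232.1.1.10/32",
    "ip igmp ssm-map 232.1.1.11 10.0.0.5 enable",
    "ip igmp ssm-map 232.1.1.10 239.1.1.1 enable",
]


def check_ssm(lines):
    """Return (code, detail) findings for the SSM lines of one VRF context."""
    ssm_range = DEFAULT_SSM_RANGE
    maps, findings = [], []
    for raw in lines:
        # Drop an optional CLI prompt such as "Switch:1(router-vrf)#".
        tokens = raw.split("#", 1)[-1].split()
        if tokens[:4] == ["ip", "igmp", "ssm", "group-range"] and len(tokens) > 4:
            try:
                net = IPv4Network(tokens[4], strict=False)
            except ValueError:
                findings.append(("BAD_RANGE", tokens[4]))
                continue
            if net.subnet_of(MULTICAST):
                ssm_range = net
            else:
                findings.append(("BAD_RANGE", tokens[4]))
        elif tokens[:3] == ["ip", "igmp", "ssm-map"] and len(tokens) >= 5:
            # "ip igmp ssm-map all" has no group/source pair and is skipped.
            maps.append((tokens[3], tokens[4]))
    # Entries are judged after the whole context is read, so the order of
    # group-range and ssm-map lines does not matter.
    for group_s, source_s in maps:
        try:
            group, source = IPv4Address(group_s), IPv4Address(source_s)
        except ValueError:
            findings.append(("BAD_ADDRESS", f"{group_s} {source_s}"))
            continue
        if group not in ssm_range:
            findings.append(("GROUP_OUTSIDE_SSM_RANGE", f"{group} not in {ssm_range}"))
        if source.is_multicast or source.is_unspecified or source == BROADCAST:
            findings.append(("SOURCE_NOT_HOST", str(source)))
    return findings


if __name__ == "__main__":
    for code, detail in check_ssm(CONSTRUCTED_BAD):
        print(code, detail)
```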

View IP Multicast Threshold Exceeded Statistics


This procedure does not apply to XA1400 Series or VSP 8600 Series.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. View statistics:
show sys stats ipmc-threshold-exceeded-cnt

Example
Switch:1>show sys stats ipmc-threshold-exceeded-cnt
SourceGroupThresholdExceeded : 7372
EgressStreamThresholdExceeded : 7331

IP multicast basic configuration using EDM


To provide multicasting services, you need a host membership protocol and a multicast routing
protocol. Hosts use a host membership protocol to subscribe to multicast services. The Internet Group
Management Protocol (IGMP) is an example of an IPv4 host membership protocol.

A multicast routing protocol optimizes the routing of multicast information to avoid loops and restrict
multicast traffic to networks that use host membership. Examples of multicast routing protocols include
Protocol Independent Multicast–Sparse Mode (PIM–SM) and Protocol Independent Multicast–Source
Specific Multicast (PIM–SSM).

Configuring multicast on the switch


This procedure shows how to configure PIM and IGMP Snooping in an SMLT environment. The
configuration steps show how to enable multicast, and then configure the usual PIM and IGMP Snooping
related VLANs and global attributes. It includes steps to configure the following:
• Setting the boot config flag


• Configuring the vIST peer


• Enabling Simplified vIST

Before You Begin

SPBM must not be enabled on the vIST peers or any router participating in the PIM network.

Procedure

1. In the navigation pane, expand the Configuration > Edit > Chassis folders.
2. Click the Boot Config tab.
3. Clear the EnableSpbmConfigMode to disable the boot flag.
The system responds with these messages:

Warning: Please save the configuration and reboot the switch for this to take effect.

Warning: Please carefully save your configuration file before rebooting the switch. Saving configuration file when spbm-config-mode is changed to disable, removes SPBM configurations from the configuration file.
4. Click Apply.
5. Save the configuration, and then reboot the switch.

Important
Any change to the EnableSpbmConfigMode boot flag requires a reboot for the change to
take effect.

6. Configure the SMLT MLT:


a. Expand the following folders: Configuration > VLAN > MLT/LACP.
b. Click the MultiLink/LACP Trunks tab.
c. Click Insert.
d. In the Id box, type the ID number of the MLT.
e. In the PortMembers box, click the (...) button.
f. In the Port Editor: PortMembers dialog box, select the desired ports.
g. Click Ok.
h. Click Insert.
The switch adds the SMLT MLT to the MultiLink/LACP Trunks tab in the MLT_LACP box.
7. Configure the vIST MLT:
a. Repeat steps 6a to 6g to configure the MLT.
b. Click MltVistEnable to enable Simplified vIST.

Note
The MltVistEnable field enables Simplified vIST and is only available when the
EnableSpbmConfigMode boot flag is disabled.

c. Click Insert.


8. Create the vIST VLAN:


a. Expand the following folders: Configuration > VLAN > VLANs.
b. In the Basic tab, click Insert.
c. In the Id box, enter an unused VLAN ID, or use the ID provided.
d. In the MstpInstance box, click the down arrow, and then choose an MSTI instance from the list.
e. In the Type box, select byPort.
f. Click OK.
g. Click Insert.
h. Select the vIST VLAN from the list of VLANs, and then click IP.
i. Click Insert.
j. Configure the IP address for the vIST VLAN.
9. Repeat Step 8 to create an SMLT VLAN and assign the SMLT MLT ID to it. Do not use the vIST MLT ID.
10. Configure PIM or IGMP Snooping on the SMLT VLAN:
a. To enable PIM, select the SMLT VLAN from the list of VLANs and click IP > PIM. Select Enable and
click Apply.
b. To enable IGMP Snooping, select the SMLT VLAN from the list of VLANs and click IP > IGMP.
Select SnoopEnable and click Apply.
11. Configure PIM on the SMLT VLAN:
a. To enable PIM, select the SMLT VLAN from the list of VLANs and click IP > PIM. Select Enable and
click Apply.
12. Click IP > PIM > Globals to enable PIM globally.
13. Select the Enable check box, and then click Apply.

Enable IPv4 PIM-SM Globally


Enable PIM-SM to offer multicasting services. After you enable PIM-SM globally and on a particular
interface, the IGMP parameters take effect.

Before You Begin

Note
Before you can enable the PIM Infinite Threshold Policy feature, you must first disable the
following:
• PIM-SM
• PIM-SSM
• Simplified vIST

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Select PIM.
3. Select the Globals tab.
4. Select sm (sparse mode).
5. Select the Enable check box.
6. Select Apply.


7. Configure PIM Infinite Threshold Policy:


a. To disable PIM, clear the Enable check box, and then click Apply.
b. Select enable, and then click Apply.
c. To enable PIM, select the Enable check box, and then click Apply.

Globals field descriptions


Use the descriptions in the following table to use the Globals tab.

Name Description
Mode Configures the mode on the routing switch: sm (Sparse Mode) or ssm
(Source Specific Multicast).
Enable Enables or disables PIM.
JoinPruneInterval Specifies how long to wait (in seconds) before the PIM router sends out
the next join or prune message to its upstream neighbors.
The range is from 1–18724 and the default is 60 seconds.
RegisterSuppTimer Specifies how long (in seconds) the designated router suppresses
sending registers to the rendezvous point (RP). The timer starts after
the designated router receives a register-stop message from the RP.
The range is from 6–65535 and the default is 60 seconds.
UniRouteChgTimeOut Specifies how often (in seconds) the switch polls the routing table
manager for unicast routing information updates for PIM.
The range is from 2–65535 and the default is 5 seconds.

Important:
If you lower this value, it increases how often the switch polls the
routing table manager. This value can affect the performance of the
switch, especially if a high volume of traffic flows through the switch.

DiscardDataTimeOut Specifies how long (in seconds) to discard data until the switch
receives a join message from the RP. An IP multicast discard record
is created after a register packet is sent, until the timer expires or the
switch receives a join message.
The range is from 5–65535 and the default is 60 seconds.
CRPADVTimeOut Specifies how often (in seconds) a router configured as a candidate
rendezvous point router (C-RP) sends advertisement messages. After
this timer expires, the C-RP router sends an advertisement message to
the elected bootstrap router (BSR).
The range is from 5–26214 and the default is 60 seconds.
BootStrapPeriod Specifies the interval (in seconds) that the elected BSR waits between
originating bootstrap messages.
The range is from 5–32757 and the default is 60 seconds.
StaticRP Enables or disables the static RP feature. You can use static RP to
configure a static entry for an RP. A static RP permits communication
with switches from other vendors that do not use the BSR mechanism.
FwdCacheTimeOut Specifies the PIM forward cache expiry value in seconds. This value
ages PIM mroutes in seconds. The range is from 10–86400 and the
default value is 210. Topology and hardware conditions can affect the
polling interval and cause an inactive route to remain for up to 12-15
minutes.

FastJoinPrune Enables or disables the PIM fast join prune feature.
SptInfiniteThreshold Enables or disables PIM Infinite Threshold Policy, so that multicast traffic follows the shared tree path through a Rendezvous Point (RP) instead of automatically switching over to shortest path tree (SPT). The default value is disabled, which means that multicast traffic is automatically switched over to SPT.
Note: Exception: not supported on XA1400 Series or VSP 8600 Series.

Enable IPv6 PIM-SM Globally


Enable IPv6 PIM-SM to offer multicasting services. After you enable IPv6 PIM-SM globally and on a
particular interface, the MLD parameters take effect.

Before You Begin

Note
Before you can enable the PIM Infinite Threshold Policy feature, you must first disable the
following:
• PIM-SM
• PIM-SSM
• Simplified vIST

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Select IPv6 PIM.
3. Select the Globals tab.
4. Select the Enable check box.
5. Select sm (sparse mode).
6. Select Apply.
7. Configure PIM Infinite Threshold Policy:
a. To disable PIM, clear the Enable check box, and then click Apply.
b. Select enable, and then click Apply.
c. To enable PIM, select the Enable check box, and then click Apply.

Globals field descriptions


Use the descriptions in the following table to use the Globals tab.

Name Description
Enable Enables or disables PIM.
Mode Configures the mode on the routing switch: sm (Sparse Mode) or ssm
(Source Specific Multicast).

RegisterSuppTimer Specifies how long (in seconds) the designated router suppresses
sending registers to the rendezvous point (RP). The timer starts after
the designated router receives a register-stop message from the RP.
The range is from 10–65535 and the default is 60 seconds.
UniRouteChgTimeOut Specifies how often (in seconds) the switch polls the routing table
manager for unicast routing information updates for PIM.
The range is from 2–65535 and the default is 5 seconds.

Important:
If you lower this value, it increases how often the switch polls the
routing table manager. This value can affect the performance of the
switch, especially if a high volume of traffic flows through the switch.

DiscardDataTimeOut Specifies how long (in seconds) to discard data until the switch
receives a join message from the RP. An IP multicast discard record
is created after a register packet is sent, until the timer expires or the
switch receives a join message.
The range is from 5–65535 and the default is 60 seconds.
StaticRP Enables or disables the static RP feature. You can use static RP to
configure a static entry for an RP. A static RP permits communication
with switches from other vendors that do not use the BSR mechanism.
FwdCacheTimeOut Specifies the PIM forward cache expiry value in seconds. This value
ages PIM mroutes in seconds. The range is from 10–86400 and the
default value is 210. Topology and hardware conditions can affect the
polling interval and cause an inactive route to remain for up to 12-15
minutes.
JoinPruneInterval Specifies how long to wait (in seconds) before the PIM router sends out
the next join or prune message to its upstream neighbors.
The range is from 1–18724 and the default is 60 seconds.
SptInfiniteThreshold Enables or disables PIM Infinite Threshold Policy, so that multicast traffic follows the shared tree path through a Rendezvous Point (RP) instead of automatically switching over to shortest path tree (SPT). The default value is disabled, which means that multicast traffic is automatically switched over to SPT.
Note: Exception: not supported on XA1400 Series or VSP 8600 Series.

Enabling PIM on a port


Enable PIM for each interface to enable the interface to perform multicasting operations.

Before You Begin


• You must enable PIM globally before you enable it on an interface.
• The interface uses a valid IP address.

Procedure

1. On the Device Physical View tab, select a port.


2. In the navigation pane, expand the following folders: Configuration > Edit > Port.
3. Click IP.
4. Click the PIM tab.


5. Select the Enable check box.


6. Click Apply.

PIM field descriptions


Use the data in the following table to use the PIM tab.

Name Description
Enable Enables (true) or disables (false) PIM for the specified port.
Mode Displays the mode currently running on the routing switch.
IntfType Indicates the interface type as active or passive.
HelloInterval Specifies how long to wait (in seconds) before the PIM router
sends out the next hello message to neighboring routers. The
default is 30 seconds. The range is 0-18724 seconds.
JoinPruneInterval Specifies how long to wait (in seconds) before the PIM router
sends out the next join or prune message to its upstream
neighbors. The default is 60 seconds. The range is 1-18724
seconds.
CBSRPreference Configures the preference for this local interface to become a
candidate BSR (C-BSR). The C-BSR with the highest BSR priority
and address is the preferred BSR. The default is –1, which indicates
that the current interface is not a C-BSR. The range is -1-255.

Enabling IPv6 PIM on a port


Enable IPv6 PIM for each interface to enable the interface to perform multicasting operations.

About This Task

You can also right-click the port and use the Edit IPv6 shortcut menu to reach this same tab.

Before You Begin


• You must enable the IPv6 interface before you enable PIM on a port.

Procedure

1. On the Device Physical View tab, select a port.


2. In the navigation pane, expand the Configuration > Edit > Port folders.
3. Click IPv6.
4. Click the PIM tab.
5. Select Enable.
6. Click Apply.


PIM field descriptions


Use the data in the following table to use the PIM tab.

Name Description
Address Specifies the IPv6 address of the PIM interface.
NetMask Specifies the network mask for the IPv6 address of the PIM
interface.
Enable Enables (true) or disables (false) PIM for the specified port.
Mode Displays the mode currently running on the routing switch.
DR Specifies the designated router on this PIM interface.
HelloInterval Specifies how long to wait (in seconds) before the PIM router
sends out the next hello message to neighboring routers. The
default is 30 seconds. The range is 0-18724 seconds.
JoinPruneInterval Specifies how long to wait (in seconds) before the PIM router
sends out the next join or prune message to its upstream
neighbors. The default is 60 seconds. The range is 1-18724
seconds.
OperState Specifies the current operational state of this PIM interface.
Type Specifies the type of interface.

Enable SSM Globally


Enable Source Specific Multicast (SSM) to optimize PIM-SM by simplifying the many-to-many model
(servers-to-receivers). Because most multicast applications distribute content to a group in one
direction, SSM uses a one-to-many model that uses only a subset of the PIM-SM features. This model is
more efficient and reduces the load on multicast routing devices.

Before You Begin


• Configure a unicast protocol, such as Routing Information Protocol (RIP) or Open Shortest Path First
(OSPF), globally and on the interfaces where you want to configure PIM. For more information about
RIP, see RIP configuration using EDM on page 2824. For more information about OSPF, see OSPF
configuration using EDM on page 2538.
• Enable PIM globally.

Important
After you enable PIM in SSM mode, the IGMP parameters take effect. To take full
advantage of SSM, enable IGMPv3 if hosts that attach to the switch run IGMPv3 or
configure the SSM table.

About This Task

SSM is a global configuration. After you enable SSM on a switch, it is enabled on all interfaces that run
PIM. On an SSM-enabled switch, SSM behavior is limited to the SSM group range. For non-SSM groups,
the protocol behavior is PIM-SM.


Procedure

1. In the navigation pane, expand the Configuration > IP folders.


2. Select PIM.
3. Select the Globals tab.
4. Select ssm (source specific multicast).
5. Select the Enable check box.
6. Select Apply.
The system displays the following message:

Are you sure you want to change the PIM mode? The traffic will not be
stopped immediately. All Static Source Group entries in the SSM range
will be deleted. Do you wish to continue?
7. Select Yes.

Enable IPv6 SSM globally


Enable Source Specific Multicast (SSM) to optimize IPv6 PIM-SM by simplifying the many-to-many
model (servers-to-receivers). Because most multicast applications distribute content to a group in one
direction, SSM uses a one-to-many model that uses only a subset of the IPv6 PIM-SM features. This
model is more efficient and reduces the load on multicast routing devices.

Before You Begin


• Configure an IPv6 unicast protocol, for example, Routing Information Protocol Next Generation
(RIPng) or Open Shortest Path First Version 3 (OSPFv3), globally and on the interfaces where you
want to configure PIM.

For more information about RIPng, see RIPng Configuration using EDM on page 2834. For more
information about OSPFv3, see OSPFv3 Configuration using EDM on page 2575.
• Enable PIM globally.

Important
After you enable IPv6 PIM in SSM mode, the MLD parameters take effect. To take full
advantage of SSM, enable MLDv2 if hosts that attach to the switch run MLDv2.

About This Task

SSM is a global configuration. After you enable SSM on a switch, it is enabled on all interfaces that run
PIM. On an SSM-enabled switch, SSM behavior is limited to the SSM group range. For non-SSM groups,
the protocol behavior is PIM-SM.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Select IPv6 PIM.
3. Select the Globals tab.
4. Select the Enable check box.
5. Select ssm (source specific multicast).


6. Select Apply.
The system displays the following message:

Warning: RP entries in the SSM range will be deleted

Do you wish to continue? (y/n)?


7. Click Yes.

Enabling PIM on a VLAN interface


Configure PIM for each interface to enable the interface to perform multicasting operations.

Before You Begin


• You must enable PIM globally before you enable it on an interface.

Procedure

1. In the navigation pane, expand the following folders: Configuration > VLAN.
2. Click VLANs.
3. Click the Basic tab.
4. Select the VLAN ID that you want to configure with PIM.
5. Click IP.
6. Click the PIM tab.
7. Select the Enable check box.
8. Click Apply.

PIM field descriptions


Use the descriptions in the following table to use the PIM tab.

Name Description
Enable Enables (true) or disables (false) PIM.
Mode Displays the mode that currently runs on the switch. The valid
modes are SSM and Sparse. This variable is a read-only field.
IntfType Specifies the type of interface: active or passive.
HelloInterval Specifies how long to wait (in seconds) before the PIM router
sends out the next hello message to neighboring routers. The
default is 30 seconds. The range is 0-18724.
JoinPruneInterval Specifies how long to wait (in seconds) before the PIM router
sends out the next join or prune message to its upstream
neighbors. The default is 60 seconds. The range is 1-18724.
CBSRPreference Configures the preference for this local interface to become a C-
BSR. The C-BSR with the highest BSR priority and address is the
preferred BSR. The default is –1, which indicates that the current
interface is not a C-BSR. The range is -1-255.


Enabling IPv6 PIM on a VLAN interface


Configure IPv6 PIM for each interface to enable the interface to perform multicasting operations.

Before You Begin


• You must enable IPv6 PIM globally before you enable it on an interface.

Procedure

1. In the navigation pane, expand the following folders: Configuration > VLAN.
2. Click VLANs.
3. Click the Basic tab.
4. Select the VLAN ID that you want to configure with PIM.
5. Click IPv6.
6. Click the PIM tab.
7. Select the Enable check box.
8. Click Apply.

PIM field descriptions


Use the descriptions in the following table to use the PIM tab.

Name Description
IfIndex Specifies the interface index for PIM.
Address Specifies the IPv6 address of the PIM interface.
Netmask Specifies the network mask for the IPv6 address of the PIM
interface.
Enable Enables (true) or disables (false) PIM.
Mode Displays the mode that currently runs on the switch. The valid
modes are SSM and Sparse. This variable is a read-only field.
DR Specifies the designated router on this PIM interface.
HelloInterval Specifies how long to wait (in seconds) before the PIM router
sends out the next hello message to neighboring routers. The
default is 30 seconds. The range is 0-18724.
JoinPruneInterval Specifies how long to wait (in seconds) before the PIM router
sends out the next join or prune message to its upstream
neighbors. The default is 60 seconds. The range is 1-18724.
OperState Specifies the current operational state of this PIM interface.
Type Specifies the type of interface.

Configuring IGMP parameters on a port


Configure IGMP for each interface to enable the interface to perform multicasting operations.

Procedure

1. On the Device Physical View tab, select a port.
2. In the navigation pane, expand the following folders: Configuration > Edit > Port.

3. Click IP.
4. Click the IGMP tab.
5. Edit the appropriate values.

Note
When you configure the following IGMP parameters on the DvR Controllers in a DvR
domain, the configuration is automatically pushed to the Leaf nodes within the domain.
• Version
• QueryInterval
• QueryMaxResponseTime
• Robustness
• LastMembQueryIntvl
• CompatibilityModeEnable
For information on DvR, see .

Note
To use the fast leave feature on IGMP, enable explicit-host-tracking.

6. Click Apply.

IGMP field descriptions


Use the data in the following table to use the IGMP tab.

Name Description
QueryInterval Configures the frequency (in seconds) at which the interface
transmits IGMP host query packets. The range is from 1–65535
and the default is 125.
QueryMaxResponseTime Configures the maximum response time (in tenths of a second)
advertised in IGMPv2 general queries on this interface. You cannot
configure this value for IGMPv1.
Smaller values allow a router to prune groups faster. The range is
from 0–255 and the default is 100 tenths of a second (equal to 10
seconds).

Important:
You must configure this value lower than the QueryInterval.

Robustness Configure this parameter to tune for the expected packet loss of
a network. This value is equal to the number of expected query
packet losses for each serial query interval, plus 1. If you expect
the network to lose query packets, increase the robustness value.
The range is from 2–255 and the default is 2. The default value of
2 means that the switch drops one query for each query interval
without the querier aging out.

LastMembQueryIntvl Configures the maximum response time (in 1/10 seconds) inserted
into group-specific queries sent in response to leave group
messages. This value is also the time between group-specific
query messages. You cannot configure this value for IGMPv1.
Decrease the value to reduce the time to detect the loss of the
last member of a group. The range is from 0–255 and the default
is 10 tenths of a second. Configure this parameter to values
greater than 3. If you do not require a fast leave process, use
values greater than 10. (The value 3 is equal to 0.3 seconds and 10
is equal to 1 second.)
SnoopEnable Enables snoop on the interface. The default is disabled.
SsmSnoopEnable Enables SSM snoop. The default is disabled.
ProxySnoopEnable Enables proxy snoop on the interface. The default is disabled.
Version Configures the version of IGMP (1, 2 or 3) that you want to use on
this interface. For IGMP to function correctly, all routers on a LAN
must use the same version. The default is version 2.
FastLeaveEnable Enables fast leave on the interface.
StreamLimitEnable Enables or disables stream limitation on this port.
Maximum Number Of Stream Configures the maximum number of streams this port permits.
The range is from 0–65535 and the default is 4.
Current Number Of Stream Displays the current number of streams. This variable is a read-
only value.
FastLeavePortMembers Lists ports that are enabled for fast leave.
SnoopMRouterPorts Shows the configuration of ports as multicast router ports. Such
ports attach to a multicast router, and forward multicast data and
group reports to the router.

Important:
Configure this variable only if you use multiple multicast routers
that do not attach to one another, but attach to the VLAN
(technically, an invalid configuration). If multicast routers use a
route between them (the valid configuration) and you configure
this variable, a multicast loop forms.

RouterAlertEnable Instructs the router to ignore IGMP packets that do not contain
the router alert IP option. If you disable this variable (default
configuration), the router processes IGMP packets regardless of
the status of the router alert IP option.
To maximize network performance, configure this parameter
according to the version of IGMP currently in use:
• IGMPv1—Disable
• IGMPv2—Enable
• IGMPv3—Enable

DynamicDowngradeEnable Configures if the switch downgrades the version of IGMP to
handle older query messages. If the switch downgrades, the
host with IGMPv3 only capability does not work. If you do not
configure the switch to downgrade the version of IGMP, the switch
logs a warning. The default value is selected (enabled), which
means the switch downgrades to the oldest version of IGMP on
the network.
CompatibilityModeEnable Enables or disables v2-v3 compatibility mode. The default value
is clear (disabled), which means IGMPv3 is not compatible with
IGMPv2.
ExplicitHostTrackingEnable Enables or disables IGMPv3 to track hosts per channel or group.
The default is disabled. You must select this field if you want to
use fast leave for IGMPv3.

Configuring IGMP parameters on a VLAN


Configure IGMP for each interface to enable the interface to perform multicasting operations.

Procedure

1. In the navigation pane, expand the following folders: Configuration > VLAN.
2. Click VLANs.
3. Click the Basic tab.
4. Select a VLAN.
5. Click IP.
6. Select IGMP.
7. Configure the relevant variables.

Note
When you configure the following IGMP parameters on the DvR Controllers in a DvR
domain, the configuration is automatically pushed to the Leaf nodes within the domain.
• Version
• QueryInterval
• QueryMaxResponseTime
• Robustness
• LastMembQueryIntvl
• CompatibilityModeEnable
Configuration of IGMP snooping is not supported on DvR enabled Layer 2 VSNs.

8. Click Apply.

IGMP field descriptions


Use the data in the following table to use the IGMP tab.

Name Description
QueryInterval Configures the frequency (in seconds) at which the IGMP host
query packets transmit on the interface. The range is from 1–
65535 and the default is 125.
QueryMaxResponseTime Configures the maximum response time (in tenths of a second)
advertised in IGMPv2 general queries on this interface. You cannot
configure this value for IGMPv1.
Smaller values allow a router to prune groups faster. The range is
from 0–255 and the default is 100 tenths of a second (equal to 10
seconds).

Important:
You must configure this value lower than the QueryInterval.

Robustness Configure this parameter to tune for the expected packet loss of
a network. This value is equal to the number of expected query
packet losses for each serial query interval, plus 1. If you expect
the network to lose query packets, increase the robustness value.
The range is from 2–255 and the default is 2. The default value of
2 means that the switch drops one query for each query interval
without the querier aging out.
LastMembQueryIntvl Configures the maximum response time (in tenths of a second)
inserted into group-specific queries sent in response to leave
group messages. This value is also the time between group-
specific query messages. You cannot configure this value for
IGMPv1.
Decreasing the value reduces the time to detect the loss of the
last member of a group. The range is from 0–255 and the default
is 10 tenths of a second. Configure this parameter to values
greater than 3. If you do not require a fast leave process, use
values greater than 10. (The value 3 is equal to 0.3 seconds, and 10
is equal to 1 second.)
SnoopEnable Enables snoop on the interface. The default is disabled.
SsmSnoopEnable Enables SSM snoop. The default is disabled.
ProxySnoopEnable Enables proxy snoop on the interface. The default is disabled.
Version Configures the version of IGMP (1, 2, or 3) that you want to use on
this interface. For IGMP to function correctly, all routers on a LAN
must use the same version. The default is version 2.
FastLeaveEnable Enables or disables fast leave on the interface.
StreamLimitEnable Enables or disables stream limitation on this VLAN.
Maximum Number Of Stream Configures the maximum number of streams allowed on this
VLAN. The range is from 0–65535 and the default is 4.
Current Number Of Stream Displays the current number of streams. This value is a read-only
value.
FastLeavePortMembers Lists ports that are enabled for fast leave.

SnoopMRouterPorts Shows the configuration of ports as multicast router ports. Such
ports attach to a multicast router, and forward multicast data and
group reports to the router.

Important:
Configure this field only if you use multiple multicast routers that
do not attach to one another, but attach to the VLAN (technically,
an invalid configuration). If multicast routers use a route between
them (the valid configuration) and you configure this variable, a
multicast loop forms.

RouterAlertEnable Instructs the router to ignore IGMP packets that do not contain
the router alert IP option. If you disable this variable (default
configuration), the router processes IGMP packets regardless of
the status of the router alert IP option.
To maximize network performance, configure this parameter
according to the version of IGMP currently in use:
• IGMPv1—Disable
• IGMPv2—Enable
• IGMPv3—Enable

DynamicDowngradeEnable Configures if the switch downgrades the version of IGMP to
handle older query messages. If the switch downgrades, the
host with IGMPv3 only capability does not work. If you do not
configure the switch to downgrade the version of IGMP, the switch
logs a warning. The default value is selected (enabled), which
means the switch downgrades to the oldest version of IGMP on
the network.
CompatibilityModeEnable Enables or disables v2-v3 compatibility mode. The default value
is clear (disabled), which means IGMPv3 is not compatible with
IGMPv2.
ExplicitHostTrackingEnable Enables or disables IGMPv3 to track hosts per channel or group.
The default is disabled. You must select this field if you want to
use fast leave for IGMPv3.
SnoopQuerierEnable Enables snoop querier. The default is disabled.
When you enable IGMP Layer 2 Querier, Layer 2 switches in
your network can snoop IGMP control packets exchanged with
downstream hosts and upstream routers. The Layer 2 switches
then generate the Layer 2 MAC forwarding table, used for
switching sessions and multicast traffic regulation, and provide
the recurring queries required to maintain IGMP groups.
Enable Layer 2 Querier on only one node in the VLAN.
SnoopQuerierAddr Specifies the pseudo IP address of the IGMP snoop querier. The
default IP address is 0.0.0.0.
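
The constraints stated in the two IGMP field description tables (port and VLAN) can be checked mechanically before a change is applied. The following Python sketch is an added example, not Extreme Networks code: the `IgmpSettings` class, the `audit` and `lan_version_conflict` helpers, and the finding codes are hypothetical names, and the comparison of QueryMaxResponseTime with QueryInterval assumes both are converted to seconds first.

```python
from dataclasses import dataclass

@dataclass
class IgmpSettings:
    """One port or VLAN IGMP tab; field names and defaults follow the tables above."""
    name: str
    Version: int = 2
    QueryInterval: int = 125           # seconds
    QueryMaxResponseTime: int = 100    # tenths of a second
    Robustness: int = 2
    LastMembQueryIntvl: int = 10       # tenths of a second
    FastLeaveEnable: bool = False
    ExplicitHostTrackingEnable: bool = False
    RouterAlertEnable: bool = False
    SnoopMRouterPorts: tuple = ()      # constructed example value: ("1/5",)

# Ranges as documented in the field descriptions.
RANGES = {
    "Version": (1, 3),
    "QueryInterval": (1, 65535),
    "QueryMaxResponseTime": (0, 255),
    "Robustness": (2, 255),
    "LastMembQueryIntvl": (0, 255),
}

def audit(s):
    """Return a list of (code, message) findings for one interface."""
    findings = []
    for field, (lo, hi) in RANGES.items():
        value = getattr(s, field)
        if not lo <= value <= hi:
            findings.append((f"RANGE_{field}", f"{field}={value} is outside {lo}-{hi}"))
    # "You must configure this value lower than the QueryInterval."
    # Assumption: compare in seconds, since the two fields use different units.
    if s.QueryMaxResponseTime / 10 >= s.QueryInterval:
        findings.append(("QMRT_NOT_BELOW_QI",
                         "QueryMaxResponseTime is not lower than QueryInterval"))
    # "Configure this parameter to values greater than 3."
    if s.LastMembQueryIntvl <= 3:
        findings.append(("LMQI_TOO_LOW", "LastMembQueryIntvl should be greater than 3"))
    # Fast leave for IGMPv3 requires explicit host tracking.
    if s.Version == 3 and s.FastLeaveEnable and not s.ExplicitHostTrackingEnable:
        findings.append(("FAST_LEAVE_NEEDS_TRACKING",
                         "FastLeaveEnable on IGMPv3 needs ExplicitHostTrackingEnable"))
    # Router alert: disable for IGMPv1, enable for IGMPv2 and IGMPv3.
    if s.RouterAlertEnable != (s.Version >= 2):
        findings.append(("ROUTER_ALERT_MISMATCH",
                         "RouterAlertEnable does not match the recommendation for this version"))
    # Static multicast router ports can form a multicast loop; flag for review.
    if s.SnoopMRouterPorts:
        findings.append(("STATIC_MROUTER_PORTS",
                         "SnoopMRouterPorts is configured; confirm the routers have no route between them"))
    return findings

def codes(s):
    """Finding codes only, in the order audit() produced them."""
    return [code for code, _ in audit(s)]

def lan_version_conflict(settings):
    """All routers on a LAN must use the same version; return the versions seen if they differ."""
    versions = sorted({s.Version for s in settings})
    return versions if len(versions) > 1 else []

if __name__ == "__main__":
    # Constructed sample values, not taken from a real switch.
    sample = IgmpSettings("Vlan20", Version=3, QueryInterval=5, LastMembQueryIntvl=2,
                          FastLeaveEnable=True, RouterAlertEnable=True,
                          SnoopMRouterPorts=("1/5",))
    for code, message in audit(sample):
        print(f"{sample.name}: {code}: {message}")
```

With the documented defaults the audit reports only `ROUTER_ALERT_MISMATCH`, because the default version is 2 while RouterAlertEnable is disabled by default.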

Multicast Listener Discovery

Table 122: Multicast Listener Discovery product support


Feature Product Release introduced
Multicast Listener Discovery VSP 4450 Series VOSS 5.1
(MLD)
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 5.1
VSP 7400 Series VOSS 8.0
VSP 8200 Series VOSS 5.1
VSP 8400 Series VOSS 5.1
VSP 8600 Series Not Supported
XA1400 Series Not Supported

MLD Fundamentals
MLD is an asymmetric protocol. It specifies separate behaviors for multicast address listeners (that is,
hosts or routers that listen to multicast packets) and multicast routers. Each multicast router learns, for
each directly attached link, which multicast addresses and which sources have listeners on that link. The
information that MLD gathers is provided to the multicast routing protocols that the router uses. This
information ensures that multicast packets arrive at all links where listeners require such packets.

A multicast router can itself be a listener of one or more multicast addresses; that is, the router
performs both the multicast router role and the multicast address listener part of the protocol. The
router collects the multicast listener information needed by the multicast routing protocol and informs
itself and other neighboring multicast routers of the listening state.

IPv6 routers use MLD to discover:


• The presence of multicast listeners on directly attached links
• Multicast addresses required by neighboring nodes

MLD versions
The purpose of the MLD protocol in the IPv6 multicast architecture is to allow an IPv6 router to discover
the presence of multicast listeners on directly-attached links and to discover which multicast addresses
are of interest to neighboring nodes. MLD is the direct IPv6 replacement for the IGMP protocol used in
IPv4. The MLD implementation described in this document is based on the MLDv2 standard, which is a
backward-compatible update to the MLDv1 standard.

There are three versions of IGMP, and two versions of MLD. IGMPv2 is equivalent in function to MLDv1
and IGMPv3 is equivalent to MLDv2.

MLD Querier
MLD Querier is similar to IGMP querier. A multicast query router communicates with hosts on a local
network by sending MLD queries. This router periodically sends a general query message to each local
network of the router. This is standard multicast behavior.

Note
Queries are sent only if PIM is enabled globally and on the interface. PIM and snooping cannot
be enabled at the same time.

Each VLAN using MLD multicast must have a router performing multicast queries. Networks with no
stand-alone devices currently have no capability for implementing the pruning of multicast traffic. A
dedicated querier must be available on the network.

There are several behavioral differences between a traditional query router and a switch or stack using
the MLD Querier functionality. The following are the differences:
• There is no election process. When a switch or stack restarts, queries are sent as part of MLD startup.
This process stops other devices from sending queries while they detect the new device starting up.
The last active device sending queries on the network is the active one. This is not the case with
Layer 3 MLD behavior.
• If the current active device stops sending queries, a timeout period must elapse before another
device takes over. This can result in an ageout of groups, and subsequent flooding, before a new
query is sent and the pruning process restarts. This occurs only during the transition between active
query devices. Once the new device is established, queries are sent as configured in the Query
Interval and Robust Values fields.
• Multiple active query devices are not supported. Enabling multiple devices establishes one active
device and other devices listening to take over should the active device fail.

The received query version determines the querier version and establishes the interface
operational version. By default, the interface operational version is MLDv1. If the interface operational
version is downgraded from MLDv2 to MLDv1 (that is, the operational version is MLDv2 and an MLDv1
query is received), all MLDv2 listeners (registered by MLDv2 reports) are removed and all incoming
MLDv2 reports are dropped.

MLD snooping
MLD snooping is an IPv6 multicast constraining mechanism running on Layer 2 devices. When MLD
snooping is enabled on a VLAN, the switch examines the MLD messages between hosts and multicast
routers and learns which hosts are interested in receiving traffic for a multicast group. Based on the
learning, the switch forwards multicast traffic only to those interfaces in the VLAN that are connected to
the interested receivers instead of flooding traffic to all the interfaces.

The following figure shows an example of this scenario. On the left side of the figure, MLD snooping is
not enabled: all hosts, interested or not, receive the IP multicast traffic, which consumes bandwidth.
On the right side of the figure, MLD snooping is enabled and only the interested hosts receive the
IP multicast packets.

Figure 153: IPv6 multicast packet transmission when MLD snooping is enabled and not enabled
The following figure shows IPv6 multicast packets transmitted when MLD v2 snooping is enabled and
not enabled.

Figure 154: IPv6 multicast packet transmission when MLD v2 snooping is enabled and not enabled

MLD snooping configuration guidelines and restrictions

You can perform the following configurations to manage and control IPv6 multicast groups using the
MLD snooping feature:
• Enable or disable MLD snooping on each VLAN. MLD snooping can be enabled on a maximum of 512
VLANs.
• Enable IGMP snooping and MLD snooping on the same VLAN.

Limitations

The following limitations apply to MLD snooping configuration:


• The maximum (S,G,V) entries supported in the IPv6 multicast routing table
(L3_ENTRY_IPV6_MULTICAST) is 512.

MLD snooping shares the (S,G,V) entries with IGMP snooping, where the (S,G,V) entries number =
(G,V) MLD_V1 type entries number + (S,G,V) MLD_V2 type entries number + (*,G,V) MLD_V2 type
entries number + number of groups without (*,G,V) registered listeners.
• IPv6 MLD proxy functionality is not supported.
• Multicast Flood Control (MFC) is not supported.

• Static mrouter ports cannot be configured.
• IPv6 MLD send query functionality is not supported.
• Configuring static router ports is not supported.

MLD Configuration Using the CLI

Configuring MLD trap generation

About This Task

Use this procedure to enable MLD traps.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Enable MLD trap generation:
ipv6 mld generate-trap
3. Disable MLD trap generation:
no ipv6 mld generate-trap
4. Set MLD trap enable status to default:
default ipv6 mld generate-trap

Configuring MLD log status

About This Task

Use this procedure to enable MLD traps.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Enable MLD log status:
ipv6 mld generate-log
3. Disable MLD log status:
no ipv6 mld generate-log
4. Set MLD log enable status to default:
default ipv6 mld generate-log

Configuring MLD version

About This Task

Use this procedure to configure MLD version.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure MLD version:
ipv6 mld version <1-2>

Note
For MLD to function correctly, the MLD version must be the same on all routers in the
network.

3. Set MLD version to default:
default ipv6 mld version

Variable Definitions

The following table describes the variables for the ipv6 mld version command.

Variable Value
<1–2> Indicates the version of MLD that runs on this
interface.

Configuring the MLD last listener query interval

About This Task

Use this procedure to configure the last listener query interval in seconds for the MLD interface.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the last listener query interval:
ipv6 mld last-listener-query-interval <0-60>
3. Set the last listener query interval to its default value:
default ipv6 mld last-listener-query-interval

Variable Definitions

The following table describes the variables for the ipv6 mld last-listener-query-interval
command.

Variable Value
<0–60> Indicates the last listener query interval in
seconds.

Configuring the MLD query interval

About This Task

Use this procedure to configure the query interval for the MLD interface.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the query interval for the MLD interface:
ipv6 mld query-interval <1-65535>

3. Set the query interval to its default value:
default ipv6 mld query-interval

Variable Definitions

The following table describes the variables for the ipv6 mld query-interval command.

Variable Value
<1-65535> Indicates the frequency at which MLD host query
packets transmit on this interface.

Configuring the MLD query maximum response time

About This Task

Use this procedure to configure the query maximum response time for the MLD interface.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the query maximum response time for the MLD interface:
ipv6 mld query-max-response-time <0–60>
3. Set the query maximum response time to its default value:
default ipv6 mld query-max-response-time

Variable Definitions

The following table describes the variables for the ipv6 mld query-max-response-time
command.

Variable Value
<0–60> Indicates the query maximum response interval
time in seconds.

Configuring the MLD robustness

About This Task

Use the robustness value to tune for the expected packet loss on a link. If a link expects packet
loss, increase the robustness variable value.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure the MLD robustness:
ipv6 mld robust-value <2-255>
3. Set the MLD robustness to its default value:
default ipv6 mld robust-value

Variable Definitions

The following table describes the variables for the ipv6 mld robust-value command.

Variable Value
<2–255> Specifies a numerical value for MLD snooping
robustness.

Enabling MLD snooping on a VLAN

About This Task

Use this procedure to enable MLD snooping on a VLAN.

Procedure

1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
2. Enable MLD snooping:
ipv6 mld snooping
3. Set the MLD snooping to its default value:
default ipv6 mld snooping

Enabling MLD ssm-snooping on a VLAN

About This Task

Use this procedure to enable IPv6 MLD ssm-snooping on a VLAN.

Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
2. Enable MLD snooping:
ipv6 mld ssm-snoop
3. Set the MLD snooping to its default value:
default ipv6 mld ssm-snoop

Display MLD Snooping Configuration Status


About This Task

Use this procedure to display information about the MLD snooping configuration for the switch.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the switch MLD snooping configuration status:
show ipv6 mld snooping

Example
Switch:1#show ipv6 mld snooping
================================================================================
Mld Snooping - GlobalRouter
================================================================================
IFINDEX SNOOP SSM ACTIVE MROUTER
ENABLE SNOOP MROUTER EXPIRATION
ENABLE PORTS TIME
--------------------------------------------------------------------------------
V666 False False NONE 0
1 out of 1 entries displayed

Display MLD Snooping Tracing Information

About This Task

Use this procedure to display MLD snooping tracing information.

Procedure
1. Enter Privileged EXEC mode:
enable

2. Display the MLD snooping tracing information:
show ipv6 mld snoop-trace

Example
Switch:1#show ipv6 mld snoop-trace
============================================================
Mld Snoop Trace - GlobalRouter

============================================================
GROUP/
SOURCE IN IN OUT OUT TYPE
ADDRESS VLAN PORT VLAN PORT
------------------------------------------------------------
ff10:0:0:0:0:0:0:1/ 10 2/15 10 3/16 ACCESS
5051:0:0:0:0:1:84:51

Display MLD Interface Information

About This Task

Use this procedure to display MLD snooping interface parameters.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Display MLD interface information:
show ipv6 mld interface [gigabitethernet {slot/port[/sub-port]}] [vlan <1-4059>]

Examples
Switch:1#show ipv6 mld interface
==========================================================================================
Mld Interface - GlobalRouter
==========================================================================================
IF STATUS VERS OPER VERS QUERIER Wrong Query JOINS MODE
------------------------------------------------------------------------------------------
P6/3 inact 2 2 2001:0db8:3c4d:0015:0000:0000:1a2f:1aaa 0 0 pim
V666 inact 2 2 2001:0db8:3c4d:0015:0000:0000:1a2f:1bbb 0 0 pim

Switch:1#show ipv6 mld interface vlan 10


================================================================================
Vlan IPv6 Mld
================================================================================
VLAN QUERY QUERY ROBUST VERSION LAST SNOOP SSM DYNAMIC
ID INTVL MAX LIST ENABLE SNOOP DOWNGRADE
RESP QUERY ENABLE
--------------------------------------------------------------------------------
10 125 10 2 1 1 false false enabled

Switch(config)#show ipv6 mld interface gigabitethernet 1/11


================================================================================
Port IPv6 MLD

================================================================================
PORT QUERY QUERY ROBUST VERSION LAST DYNAMIC
NUM INTVL MAX LIST DOWNGRADE
RESP QUERY

--------------------------------------------------------------------------------
1/11 125 10 2 1 1 enabled

1 out of 1 entries displayed

Variable Definitions

The following table describes the variables for the show ipv6 mld interface command.

Variable Value
vlan <1-4059> Displays MLD snooping information for the
configured VLANs.
gigabitEthernet {slot/port[/sub-port]} Displays MLD snooping information on a specific
interface.
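
The MLD Querier section states that an MLDv1 query received on an interface running MLDv2 downgrades the operational version, removes all MLDv2 listeners and drops incoming MLDv2 reports. The following Python sketch is an added example, not part of the product: it parses rows in the layout of the first `show ipv6 mld interface` example above and flags interfaces whose operational version is lower than the configured one, whose querier is not the expected address, or whose Wrong Query counter is nonzero. The function names, finding codes, the `EXPECTED` table and the second sample row are constructed for illustration.

```python
import ipaddress
import re

# One data row: IF STATUS VERS OPER-VERS QUERIER Wrong-Query JOINS MODE.
# Assumption: interface names look like the page's samples (P6/3, V666).
ROW = re.compile(
    r"^(?P<ifname>[PV]\d\S*)\s+(?P<status>\S+)\s+(?P<vers>\d+)\s+(?P<oper>\d+)\s+"
    r"(?P<querier>[0-9A-Fa-f:]+)\s+(?P<wrong>\d+)\s+(?P<joins>\d+)\s+(?P<mode>\S+)$"
)

def parse_mld_interfaces(text):
    """Extract the interface rows from 'show ipv6 mld interface' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, header or separator line
        try:
            querier = ipaddress.IPv6Address(m["querier"])
        except ValueError:
            continue  # not a valid IPv6 address, so not a data row
        rows.append({
            "ifname": m["ifname"],
            "status": m["status"],
            "vers": int(m["vers"]),
            "oper": int(m["oper"]),
            "querier": querier,
            "wrong": int(m["wrong"]),
            "joins": int(m["joins"]),
            "mode": m["mode"],
        })
    return rows

def review(rows, expected_queriers):
    """Return (interface, code) findings; expected_queriers maps interface name to address."""
    findings = []
    for r in rows:
        # Operational version below the configured version: MLDv2 listeners were
        # removed and MLDv2 reports are being dropped on this interface.
        if r["oper"] < r["vers"]:
            findings.append((r["ifname"], "OPER_VERSION_DOWNGRADED"))
        # Compare parsed addresses so that zero-compressed forms match.
        expected = expected_queriers.get(r["ifname"])
        if expected is not None and r["querier"] != ipaddress.IPv6Address(expected):
            findings.append((r["ifname"], "UNEXPECTED_QUERIER"))
        if r["wrong"] > 0:
            findings.append((r["ifname"], "WRONG_QUERY_COUNT"))
    return findings

# Constructed sample: the first row repeats the page's example, the second row is
# modified to show a downgraded interface with a different querier.
SAMPLE = """\
Switch:1#show ipv6 mld interface
==========================================================================
                        Mld Interface - GlobalRouter
==========================================================================
IF    STATUS VERS OPER VERS QUERIER                                 Wrong Query JOINS MODE
--------------------------------------------------------------------------
P6/3  inact  2    2    2001:0db8:3c4d:0015:0000:0000:1a2f:1aaa 0     0     pim
V666  inact  2    1    2001:0db8:3c4d:0015:0000:0000:1a2f:0099 3     0     pim
"""

# Hypothetical allowlist of the querier each interface should report.
EXPECTED = {
    "P6/3": "2001:db8:3c4d:15::1a2f:1aaa",
    "V666": "2001:db8:3c4d:15::1a2f:1bbb",
}

if __name__ == "__main__":
    for ifname, code in review(parse_mld_interfaces(SAMPLE), EXPECTED):
        print(f"{ifname}: {code}")
```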

Displaying MLD system parameters


About This Task

Use this procedure to display information about the MLD traps and logs.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the system parameters:
show ipv6 mld sys

Example
Switch:1#show ipv6 mld sys
================================================================================
Mld System Parameters - GlobalRouter
================================================================================
generate-trap : disable
generate-log : disable

Display MLD Cache Information


About This Task

Use this procedure to display the learned multicast groups in the cache.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the learned multicast groups in the cache:
show ipv6 mld cache

Example
Switch:1#show ipv6 mld cache
==========================================================================================
MLD Cache Information

==========================================================================================

==========================================================================================
GRPADDRESS/LASTREPORTER INTERFACE EXPIRATION
------------------------------------------------------------------------------------------
ff03:0:0:0:0:0:0:0/ Vlan10 0 day(s), 00h:04m:12s
fe80:0:0:0:200:9aff:fe68:3dd5

1 out of 1 entries displayed

Display the MLD Group Information


About This Task

Use this procedure to display the MLD group information to show the learned multicast groups and the
attached ports.

Procedure

1. Enter Privileged EXEC mode:
enable
2. Display the MLD group information:
show ipv6 mld group [count] [group] [member-subnet]

Examples
Switch:1#show ipv6 mld group
================================================================================
Mld Group - GlobalRouter
================================================================================
GRPADDR/MEMBER INPORT EXPIRATION
--------------------------------------------------------------------------------
ff1e:0000:0000:0000:0000:0000:0002:4444/ V666-6/41 0
2001:0db8:3c4d:0015:0000:0000:1a2f:1a2c

1 out of 1 group Receivers displayed

Total number of unique groups 1 text


Switch:1#show ipv6 mld group group ff1e:0000:0000:0000:0000:0000:0002:4444 detail

================================================================================
Mld Group Detail - GlobalRouter
================================================================================

Interface: Vlan666-6/41
MLDv2 Group: ff1e:0000:0000:0000:0000:0000:0002:4444
Interface Group Mode: EXCLUDE
Interface Compatibility Mode: MLD_V2
Interface Group Timer: 258
V1 Host Timer: Not Running
Interface Group Include Source List:
Source Address Expires
2001:0db8:3c4d:0015:0000:0000:1a2f:1aaa 258
Interface Group Exclude Source List :
Source Address Expires
2001:0db8:3c4d:0015:0000:0000:1a2f:1bbb N/A

View IPv6 MLD Host Cache


View the learned multicast group addresses in the host cache.

Procedure

1. To enter User EXEC mode, log on to the switch.
2. View IPv6 MLD host cache:
show ipv6 mld-host-cache
3. View IPv6 MLD host cache for a management interface:
show ipv6 mld-host-cache mgmtEthernet [mgmt]

Note
This step only applies to VSP 8600 Series.

Example

Switch:1#show ipv6 mld-host-cache


======================================================
MLD Cache Information
======================================================
PORT/VID GRPADDRESS SELF
------------------------------------------------------
mgmt ff02::1:ff00:3 enabled
mgmt ff02::1:ff4c:9400 enabled
mgmt ff02::1 enabled

MLD Configuration Using EDM

Configuring MLD globally

About This Task

Use the following procedure to configure MLD parameters for the switch.

Procedure

1. In the navigation pane, expand the Configuration > IPv6 folders.
2. Click IPv6 MLD.
3. Click the Globals tab.
4. Configure the MLD global parameters as required.
5. On the toolbar, click Apply to save the changes.
6. On the toolbar, click Refresh to update the changes.

Globals field description

Use the data in the following table to use the Globals tab.

Field Description
GenerateTrap Enables MLD to generate traps.
GenerateLog Enables MLD to generate logs.


Viewing the MLD SSM global information


Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 MLD.
3. Click the Ssm Globals tab.

Ssm Globals field description

Use the data in the following table to use the Ssm Globals tab.

Field Description
RangeGroup Specifies the ssm range.
RangeMask Specifies the ssm range mask.

MLD interface configuration


Configure the interfaces so that the switch forwards multicast traffic only to those interfaces in the
VLAN that are connected to the interested receivers instead of flooding traffic to all the interfaces.

Configuring an MLD interface

Perform this procedure to change the configuration of existing MLD interfaces.

Procedure

1. In the navigation pane, expand the Configuration > IPv6 folders.


2. Click IPv6 MLD.
3. Click the Interfaces tab.
4. On the toolbar, click Insert.
5. Configure the MLD interface parameters.
6. Click Insert.
7. On the toolbar, click Apply to save the changes.
8. On the toolbar, click Refresh to update the changes.

MLD interfaces field description

Use the data in the following table to use the Interfaces tab.

Field Description
IfIndex Specifies the internetwork layer interface value of
the interface for which MLD is enabled.
QueryInterval Specifies the frequency at which MLD host-query
packets are transmitted on this interface. Values
range from 1 to 65535.
Version Indicates the MLD version.
Querier Specifies the address of the MLD Querier on the
IPv6 subnet to which this interface is attached.

QueryMaxResponseDelay Specifies the maximum query response time
advertised in MLD queries on this interface. Values
range from 0 to 60.
Joins Specifies the number of times a group
membership has been added on this interface.
Groups Specifies the current number of entries for this
interface in the cache table.
Robustness Specifies the robustness variable tuning for the
expected packet loss on a subnet. If a subnet
is expected to experience loss, the robustness
variable can be increased. Values range from 2 to
255.
LastListenQueryIntvl Specifies the maximum response delay inserted
into the group-specific queries sent in response
to the leave group messages. It also indicates
the amount of time between group-specific query
messages. Values range from 0 to 60.
This value can be tuned to modify the leave
latency of the network. A reduced value results
in reduced time to detect the loss of the last
member of a group.
SnoopEnable Indicates if snooping is enabled.
FlushAction Specifies the MLD flush action as one of the
following:
• flushGrpMember
• flushMrouter
• flushSender

SsmEnable Indicates if ssm is enabled.


NewQuerier Specifies the IPv6 address of the new MLD querier.
DynamicDowngradeEnable Enables dynamic downgrade of the MLD version
when an older version query message is received.
OperVersion Specifies the operational version of the MLD
running on this interface.
McastMode Specifies the MLD interface mode as one of the
following:
• snoop
• pim
• snoopSpb
• routerSpb
• dvmrp
• none

Configuring MLD on a port

Configure the MLD on a port.


Procedure

1. On the Device Physical View tab, select a port.


2. In the navigation pane, expand the Configuration > Edit > Port folders.
3. Click IPv6.
4. Click the MLD tab.
5. Configure the MLD interface parameters.
6. On the toolbar, click Apply to save the changes.
7. On the toolbar, click Refresh to update the changes.

MLD field description

Use the data in the following table to use the MLD tab.

Field Description
QueryInterval Specifies the frequency at which MLD host-query
packets are transmitted on this interface. Values
range from 1 to 65535.
Version Indicates the MLD version.
Querier Specifies the address of the MLD Querier on the
IPv6 subnet to which this interface is attached.
QueryMaxResponseDelay Specifies the maximum query response time
advertised in MLD queries on this interface. Values
range from 0 to 60.
Joins Specifies the number of times a group
membership has been added on this interface.
Groups Specifies the current number of entries for this
interface in the cache table.
Robustness Specifies the robustness variable tuning for the
expected packet loss on a subnet. If a subnet
is expected to experience loss, the robustness
variable can be increased. Values range from 2 to
255.
LastListenQueryIntvl Specifies the maximum response delay inserted
into the group-specific queries sent in response
to the leave group messages. It also indicates
the amount of time between group-specific query
messages. Values range from 0 to 60.
This value can be tuned to modify the leave
latency of the network. A reduced value results
in reduced time to detect the loss of the last
member of a group.
SnoopEnable Indicates if snooping is enabled.
FlushAction Specifies the MLD flush action as one of the
following:
• flushGrpMember
• flushMrouter
• flushSender

SsmEnable Indicates if ssm is enabled.
NewQuerier Specifies the IPv6 address of the new MLD querier.
DynamicDowngradeEnable Enables dynamic downgrade of the MLD version
when an older version query message is received.
OperVersion Specifies the operational version of the MLD
running on this interface.
McastMode Specifies the MLD interface mode as one of the
following:
• snoop
• pim
• snoopSpb
• routerSpb
• dvmrp
• none

Configuring MLD on a VLAN

About This Task

Configure MLD on a VLAN.

Procedure

1. In the navigation pane, expand the Configuration > VLAN folders.


2. Click VLANs.
3. Select a VLAN from the list.
4. Click the IPv6 tab.
5. Click the MLD tab.
6. Configure the MLD interface parameters.
7. On the toolbar, click Apply to save the changes.
8. On the toolbar, click Refresh to update the changes.

MLD field description

Use the data in the following table to use the MLD tab.

Field Description
QueryInterval Specifies the frequency at which MLD host-query
packets are transmitted on this interface. Values
range from 1 to 65535.
Version Indicates the MLD version.
Querier Specifies the address of the MLD Querier on the
IPv6 subnet to which this interface is attached.
QueryMaxResponseDelay Specifies the maximum query response time
advertised in MLD queries on this interface. Values
range from 0 to 60.

Joins Specifies the number of times a group
membership has been added on this interface.
Groups Specifies the current number of entries for this
interface in the cache table.
Robustness Specifies the robustness variable tuning for the
expected packet loss on a subnet. If a subnet
is expected to experience loss, the robustness
variable can be increased. Values range from 2 to
255.
LastListenQueryIntvl Specifies the maximum response delay inserted
into the group-specific queries sent in response
to the leave group messages. It also indicates
the amount of time between group-specific query
messages. Values range from 0 to 60.
This value can be tuned to modify the leave
latency of the network. A reduced value results
in reduced time to detect the loss of the last
member of a group.
SnoopEnable Indicates if snooping is enabled.
FlushAction Specifies the MLD flush action as one of the
following:
• flushGrpMember
• flushMrouter
• flushSender

SsmEnable Indicates if ssm is enabled.


NewQuerier Specifies the IPv6 address of the new MLD querier.
DynamicDowngradeEnable Enables dynamic downgrade of the MLD version
when an older version query message is received.
OperVersion Specifies the operational version of the MLD
running on this interface.
McastMode Specifies the MLD interface mode as one of the
following:
• snoop
• pim
• snoopSpb
• routerSpb
• dvmrp
• none

Configuring MLD snooping


About This Task

Use the following procedure to enable MLD snooping on the switch.


Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 MLD.
3. Click the Snooping tab.
4. Select a value, double-click the cell in the SnoopEnable column, and then select True or False.
5. Select a value, double-click the cell in the SsmEnable column, and then select True or False.
6. Click Apply.

Snooping field description

Use the data in the following table to use the Snooping tab.

Field Description
IfIndex Specifies the interface on which you enabled MLD
snooping. It specifies the port number if the
interface is a brouter port or the VLAN number
if the interface is a VLAN.
SnoopEnable Indicates the status of MLD snooping on the
specified interface:
• True – MLD snooping is enabled
• False – MLD snooping is disabled

SsmEnable Indicates the status of SSM on the specified
interface:
• True – SSM is enabled
• False – SSM is disabled

Viewing the MLD snoop trace information


About This Task

Use this procedure to display information about the multicast groups traversing the snoop-enabled
router.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 MLD.
3. Click the Snoop Trace tab.

Snoop Trace field description

Use the data in the following table to use the Snoop Trace tab.

Field Description
GrpAddr Specifies the IP multicast address of the group
traversing the router.
SrcAddr Specifies the IP source address of the multicast
group address.

OutVlan Specifies the egress VLAN ID for the multicast
group.
OutPort Specifies the egress port of the multicast group.
InVlan Specifies the ingress VLAN ID for the multicast
source.
InPort Specifies the ingress port for the multicast group.
Type Specifies the port type on which the snoop entry
is learnt.

Viewing the MLD cache information


About This Task

Use this procedure to display information about the learned multicast groups in the cache.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 MLD.
3. Click the Cache tab.

MLD cache field description

Use the data in the following table to use the Cache tab.

Field Description
Address The IPv6 multicast group address for which this
entry contains information.
IfIndex Indicates the internetwork-layer interface for
which this entry contains information for an IPv6
multicast group address.
LastReporter Indicates the source IPv6 address of the last
membership report received for this IPv6 multicast
group address on this interface. If no membership
report is received, the value is 0::0.
ExpiryTime Indicates the minimum amount of time remaining
before the entry ages out.

Viewing the MLD V2 cache information


About This Task

Use this procedure to display MLDv2 information for each interface, port, and multicast group
pairing on a router.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 MLD.


3. Click the V2 Cache tab.

V2 Cache field description

Use the data in the following table to use the V2 Cache tab.

Field Description
GroupAddress Specifies the multicast group address that others
want to join. A group address can be the same for
many incoming ports.
Ifindex Identifies a physical interface or a logical interface
(VLAN), which has received group reports from
various sources.
InPort Identifies a physical interface or a logical interface
(VLAN), which has received group reports from
various sources.
Version1HostTimer Specifies the time remaining until the local router
assumes that there are no more MLDv1 members
on the IP subnet attached to the interface. This is
applicable only for MLDv1 hosts. Upon receiving
an MLDv1 report, this value is reset to the group
membership timer.
SourceFilterMode Specifies the current group state applicable on
MLDv2 compatible nodes.

Viewing IPv6 MLD host cache


View the learned multicast group addresses in the host cache.

Procedure

1. In the navigation tree, expand the Configuration > IPv6 folders.


2. Click IPv6 MLD.
3. Click the Host Cache tab.

MLD host cache field descriptions

Use the data in the following table to use the Host Cache tab.

Name Description
IfIndex Shows the index value that uniquely identifies the
interface to which this entry applies.
GrpAddress Shows the IP address for the multicast group.
GrpLocallyRegistered Shows the Group Locally Registered for an IPv6
MLD host-cache entry.
GrpLastReporter Shows the Group Last Reporter address for an
IPv6 MLD host-cache entry.
GrpUpTime Shows the Group Uptime for an IPv6 MLD host-
cache entry.

GrpExpiryTime Shows the Group Expiry Time for an IPv6 MLD
host-cache entry.
GrpFilterMode Shows the Group Filter Mode for an IPv6 MLD
host-cache entry.

Viewing the MLD source information


About This Task

Use this procedure to display information about the MLD source.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 MLD.
3. Click the Source tab.

Source field description

Use the data in the following table to use the Source tab.

Field Description
GroupAddress Specifies the IPv6 multicast group address for
which this entry contains information.
Ifindex Specifies the interface for which this entry
contains information for an IP multicast group
address.
InPort Identifies a physical interface or logical interface
(VLAN), which has received group reports for this
source.
HostAddress Specifies the host address to which this entry
corresponds.
MemberAddress Specifies the IPv6 address of a member that has
sent source specific report wishing to join this
source.
Expire Specifies the state of this entry.
Mode Specifies the current member state. This is
applicable to MLDv2 compatible nodes.
MemberExpire Specifies the time until the member for this source
expires.

Viewing the MLD sender information


About This Task

Use this procedure to display information about the multicast senders.


Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 MLD.
3. Click the Sender tab.

Sender field description

Use the data in the following table to use the Sender tab.

Field Description
GrpAddr Specifies the IPv6 multicast group address.
Ifindex Specifies the interface index of the sender.
MemberAddr Specifies the IPv6 host address.
Action Specifies the MLD action as one of the following:
• none
• flushEntry
• flushGrp

Port Specifies the MLD sender port.

Viewing the MLD group information


About This Task

Use this procedure to display information about the groups configured in this device.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 MLD.
3. Click the Group tab.

Group field description

Use the data in the following table to use the Group tab.

Field Description
IPv6Address Specifies the multicast group address that others
want to join. A group address can be the same
for many incoming ports.
Members Specifies the IP address of a source that has sent
a group report wishing to join this group.
InPort Identifies a physical interface or a logical interface
which has received group reports from various
sources.

Expiration Specifies the time left before group report expires
on this port. This is updated upon receiving a
group report.
IfIndex Identifies a physical interface or a logical interface
which has received group reports from various
sources.

PIM Configuration Using the CLI


The switch supports two modes of Protocol Independent Multicast (PIM): Sparse Mode (SM) and Source
Specific Multicast (SSM).
• PIM-SM supports multicast groups spread out across large areas of a company or the Internet.
• PIM-SSM optimizes PIM-SM by simplifying the many-to-many model (servers-to-receivers).

Important
The spbm-config-mode boot flag must be disabled before you can configure PIM or IGMP.
To verify the setting, enter show boot config flags in Privileged EXEC mode.

Before You Begin

For an IPv4 PIM configuration using the CLI:


• Configure an IPv4 interface.

For more information, see IP routing configuration using the CLI on page 1848.
• Configure a unicast protocol, for example, Routing Information Protocol (RIP) or Open Shortest Path
First (OSPF), globally and on the interfaces where you want to configure PIM-SM.

For more information about RIP, see RIP configuration using CLI on page 2809. For more
information about OSPF, see OSPF configuration using CLI on page 2468.
• Enable PIM-SM globally.
• Enable PIM-SM on individual interfaces.
• You must first configure and enable PIM on an IP interface, which can be circuitless, before you
can utilize that interface as a candidate rendezvous point (RP). To configure PIM-SM RP for an IP
interface, see Configuring a candidate rendezvous point on page 1595.
• Configure one or more bootstrap routers (BSR) to propagate RP information to all switches in the
network.

For an IPv6 PIM configuration using the CLI:


• Configure an IPv6 interface.

For more information, see Configure an IPv6 Interface on page 1928.


• Configure an IPv6 unicast protocol, for example, Routing Information Protocol Next Generation
(RIPng) or Open Shortest Path First Version 3 (OSPFv3), globally and on the interfaces where you
want to configure PIM.


For more information about RIPng, see RIPng Configuration using CLI on page 2819. For more
information about OSPFv3, see OSPFv3 Configuration using CLI on page 2511.
• Enable IPv6 PIM-SM globally.
• Enable IPv6 PIM-SM on individual interfaces.

Changing the interface status to passive


Change the PIM interface status to passive to deny PIM control traffic on the interface.

Before You Begin


• The PIM interface is disabled.

About This Task

The command you use depends on the required administrative state of the interface (enable or disable).

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Create a passive interface and enable it simultaneously:


ip pim passive
3. Create a passive interface in the disabled state:
ip pim interface-type passive

You must manually enable the interface.


4. Enable a disabled interface:
ip pim enable


Variable definitions
Use the data in the following table to use the ip pim command.

Variable Value
active Configures the selected interface. You can change
the state of a PIM interface after you create
the interface, but only if you first disable PIM
on the interface. An active interface permits
PIM control traffic to be transmitted and received. A
passive interface prevents PIM control traffic from
being transmitted or received, thereby reducing the
load on a system. This feature is useful if a high
number of PIM interfaces exist and connect to end
users, not to other switches. The default is active.
To configure this option to the default value, use
the default operator with the command.
passive Configures the selected interface. You can change
the state of a PIM interface after you create
the interface, but only if you first disable PIM
on the interface. An active interface permits
PIM control traffic to be transmitted and received. A
passive interface prevents PIM control traffic from
being transmitted or received, thereby reducing the
load on a system. This feature is useful if a high
number of PIM interfaces exist and connect to end
users, not to other switches. The default is active.
To configure this option to the default value, use
the default operator with the command.

Changing the interface status to active


Change the PIM interface status to active to allow PIM control traffic on the interface.

Before You Begin


• The PIM interface is disabled.

About This Task

The command you use depends on the required administrative state of the interface (enable or disable).


Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Create an active interface in the disabled state:


ip pim interface-type active

You must manually enable the interface.


3. Create an active interface and enable it simultaneously:
ip pim active

OR

ip pim enable

The second command enables an active interface only if this is the first PIM interface you create on
the port or VLAN or you created an active interface in the disabled state. If you already created a
passive interface in the disabled state, the second command enables that passive interface.


Variable definitions
Use the data in the following table to use the ip pim command.

Variable Value
active Configures the selected interface. You can change
the state of a PIM interface after you create
the interface, but only if you first disable PIM
on the interface. An active interface permits
PIM control traffic to be transmitted and received. A
passive interface prevents PIM control traffic from
being transmitted or received, thereby reducing the
load on a system. This feature is useful if a high
number of PIM interfaces exist and connect to end
users, not to other switches. The default is active.
To configure this option to the default value, use
the default operator with the command.
passive Configures the selected interface. You can change
the state of a PIM interface after you create
the interface, but only if you first disable PIM
on the interface. An active interface permits
PIM control traffic to be transmitted and received. A
passive interface prevents PIM control traffic from
being transmitted or received, thereby reducing the
load on a system. This feature is useful if a high
number of PIM interfaces exist and connect to end
users, not to other switches. The default is active.
To configure this option to the default value, use
the default operator with the command.
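
The following added example (not part of the original guide, and not Extreme Networks code) models the ip pim commands from the passive and active procedures above, then audits the result so that only router-facing interfaces run active PIM. The session text, the interface names, the router-facing set, and the rule that a type change is rejected while PIM is enabled are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: commands as typed in Interface Configuration mode.
SAMPLE_SESSION = """
interface GigabitEthernet 1/1
ip pim interface-type passive
ip pim enable
interface GigabitEthernet 1/2
ip pim enable
interface vlan 10
ip pim passive
interface vlan 20
ip pim active
ip pim interface-type passive
interface vlan 30
ip pim interface-type active
"""


@dataclass
class PimInterface:
    name: str
    if_type: Optional[str] = None  # None until a PIM interface is created
    enabled: bool = False

    def apply(self, command: str) -> bool:
        """Apply one `ip pim ...` command; return False if the model rejects it."""
        words = command.split()
        if words == ["ip", "pim", "enable"]:
            # Enables what already exists; a first-time enable creates an
            # active interface, because active is the default type.
            self.if_type = self.if_type or "active"
            self.enabled = True
            return True
        if len(words) == 3 and words[2] in ("active", "passive"):
            new_type, enable = words[2], True    # create and enable together
        elif (len(words) == 4 and words[2] == "interface-type"
              and words[3] in ("active", "passive")):
            new_type, enable = words[3], False   # create in the disabled state
        else:
            raise ValueError(f"unsupported command: {command!r}")
        if self.enabled and new_type != self.if_type:
            # Assumption: a type change is refused while PIM is enabled.
            return False
        self.if_type = new_type
        self.enabled = self.enabled or enable
        return True


def replay(session: str) -> Tuple[Dict[str, PimInterface], List[Tuple[str, str]]]:
    """Replay typed commands; return interface states and rejected commands."""
    interfaces: Dict[str, PimInterface] = {}
    rejected: List[Tuple[str, str]] = []
    current: Optional[PimInterface] = None
    for raw in session.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line[len("interface "):]
            current = interfaces.setdefault(name, PimInterface(name))
        elif line.startswith("ip pim "):
            if current is None:
                raise ValueError("ip pim command outside interface context")
            if not current.apply(line):
                rejected.append((current.name, line))
    return interfaces, rejected


def audit(interfaces: Dict[str, PimInterface], router_facing: Set[str]) -> List[str]:
    """Flag enabled PIM interfaces whose type does not match their role."""
    findings = []
    for name, intf in sorted(interfaces.items()):
        if not intf.enabled:
            continue  # no PIM control traffic either way
        if intf.if_type == "active" and name not in router_facing:
            findings.append(f"{name}: active PIM on an edge interface, expected passive")
        elif intf.if_type == "passive" and name in router_facing:
            findings.append(f"{name}: passive PIM on a router-facing interface")
    return findings


if __name__ == "__main__":
    states, refused = replay(SAMPLE_SESSION)
    for item in audit(states, {"GigabitEthernet 1/2"}):
        print(item)
    print("rejected:", refused)
```

GigabitEthernet 1/1 in the sample shows the case the active procedure calls out: ip pim enable after ip pim interface-type passive enables the passive interface rather than creating an active one.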

Configuring the PIM virtual neighbor


Configure a PIM virtual neighbor if the next hop for a static route cannot run PIM, such as the Virtual
Router Redundancy Protocol (VRRP) address on an adjacent device.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the PIM virtual neighbor:
ip pim virtual-neighbor <A.B.C.D> <A.B.C.D>

Example

Configure the PIM virtual neighbor:


Switch:1(config)#ip pim virtual-neighbor 192.0.2.0 198.51.100.0


Variable definitions
Use the definitions in the following table to use the ip pim virtual-neighbor command.

Variable Value
{A.B.C.D} {A.B.C.D} The first IP address indicates the IP address of the selected
interface. The second IP address indicates the IP address of the
neighbor.

Configuring a candidate rendezvous point


Configure a candidate rendezvous point (C-RP) to serve as backup to the RP router.

About This Task

You can configure only one interface on the switch for multiple groups. You cannot configure multiple
interfaces for multiple groups.

With the mask value, you can configure a C-RP router for several groups in one configuration.

For example, if you use a C-RP configuration with a group address of 224.0.0.0 and a group mask of
240.0.0.0, you can configure the C-RP router for a multicast range from 224.0.0.0 to 239.255.255.255.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Add a candidate rendezvous point:
ip pim rp-candidate group <A.B.C.D> <A.B.C.D> rp <A.B.C.D>
3. Remove a candidate rendezvous point:
no ip pim rp-candidate group <A.B.C.D> <A.B.C.D>
4. Display information about the candidate rendezvous points for the PIM-SM domain:
show ip pim rp-candidate

Example

Add a candidate rendezvous point:


Switch:1(config)#ip pim rp-candidate group 224.1.1.0 255.255.255.0 rp 198.51.100.0


Variable definitions
Use the definitions in the following table to use the ip pim rp-candidate command.

Variable Value
group {A.B.C.D} {A.B.C.D} Specifies the IP address and the address mask of the multicast
group. After the IP address and group mask are combined, it
identifies the prefix that the local router uses to advertise itself as
a C-RP router.
rp {A.B.C.D} Specifies the IP address of the C-RP router. This address must be
one of the local PIM-SM enabled interfaces.

Configuring static RP
Configure a static RP to ignore the bootstrap router (BSR) mechanism and use the statically configured
RPs.

Before You Begin


• Enable PIM-SM globally.

About This Task

Static RP-enabled switches use this feature to communicate with switches from other vendors that do
not use the BSR.

Important
You cannot configure a static RP-enabled switch as a BSR or as a C-RP router.
All dynamically learned BSR information is lost. However, if you disable static RP, the switch
loses the static RP information and regains the BSR functionality.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable static RP:
ip pim static-rp

The system displays the following message:

WARNING: RP information learnt dynamically through BSR functionality will be lost.


Do you wish to enable Static RP? (y/n) ?

3. Enter y.
4. Configure a static RP entry:
ip pim static-rp {A.B.C.D/X} {A.B.C.D}
5. Configure all the switches in the network (including switches from other vendors) to map to the
same RP.


6. Display information about the candidate rendezvous points for the PIM-SM domain:
show ip pim static-rp

Example

Configure a static RP:


Switch:1(config)# ip pim static-rp 239.255.0.0/255.255.0.0 198.51.100.0

Variable definitions
Use the definitions in the following table to use the ip pim static-rp command.

Variable Value
{A.B.C.D/X} Specifies the IP address and address mask of the multicast
group. When combined, the IP address and address mask
identify the range of the multicast addresses that the RP
handles.
{A.B.C.D} Specifies the IP address of the static RP.
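
Step 5 requires every switch to map each group range to the same RP. The following added example (not part of the original guide) checks that across several switches by normalizing each ip pim static-rp entry to its group range and comparing entries by exact range. The switch names and configuration text are constructed, and accepting both the /255.255.0.0 and /16 mask forms is an assumption of this script, not a statement about the CLI.

```python
import ipaddress
from typing import Dict, List, Tuple

MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")

# Constructed sample: static RP lines collected from three switches.
SWITCH_CONFIGS = {
    "sw-a": "ip pim static-rp\n"
            "ip pim static-rp 239.255.0.0/255.255.0.0 198.51.100.0\n"
            "ip pim static-rp 239.1.0.0/255.255.0.0 198.51.100.1\n",
    "sw-b": "ip pim static-rp\n"
            "ip pim static-rp 239.255.0.0/16 198.51.100.0\n"
            "ip pim static-rp 239.1.0.0/16 198.51.100.9\n",
    "sw-c": "ip pim static-rp\n"
            "ip pim static-rp 239.255.0.0/255.255.0.0 198.51.100.0\n",
}


def group_range(group: ipaddress.IPv4Network) -> Tuple[str, str]:
    """Return the first and last multicast address the entry covers."""
    return str(group.network_address), str(group.broadcast_address)


def parse_static_rp(config: str) -> Dict[ipaddress.IPv4Network, ipaddress.IPv4Address]:
    """Extract {group range: RP address} from `ip pim static-rp` entry lines."""
    entries: Dict[ipaddress.IPv4Network, ipaddress.IPv4Address] = {}
    for line in config.splitlines():
        words = line.split()
        if words[:3] != ["ip", "pim", "static-rp"] or len(words) != 5:
            continue  # skips the bare enable command and unrelated lines
        # strict=True rejects a group address with bits set outside the mask;
        # a non-contiguous mask also raises ValueError.
        group = ipaddress.IPv4Network(words[3], strict=True)
        rp = ipaddress.IPv4Address(words[4])
        if not group.subnet_of(MULTICAST):
            raise ValueError(f"{group} is not inside {MULTICAST}")
        if rp.is_multicast:
            raise ValueError(f"RP address {rp} must be a unicast address")
        entries[group] = rp
    return entries


def compare_static_rp(configs: Dict[str, str]) -> List[str]:
    """Report group ranges whose RP differs or is missing on some switch."""
    parsed = {switch: parse_static_rp(text) for switch, text in configs.items()}
    groups = sorted({g for entries in parsed.values() for g in entries})
    findings = []
    for group in groups:
        rps = {sw: entries[group] for sw, entries in parsed.items() if group in entries}
        missing = sorted(set(parsed) - set(rps))
        if len(set(rps.values())) > 1:
            detail = ", ".join(f"{sw}={rp}" for sw, rp in sorted(rps.items()))
            findings.append(f"{group}: RP differs ({detail})")
        if missing:
            findings.append(f"{group}: no entry on {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in compare_static_rp(SWITCH_CONFIGS):
        print(finding)
    # Range covered by the C-RP example earlier in this chapter.
    print(group_range(ipaddress.IPv4Network("224.0.0.0/240.0.0.0")))
```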

Configuring IPv6 PIM static RP


IPv6 PIM does not support the BSR mechanism, so you must configure a static RP.

Before You Begin

Enable IPv6 PIM-SM globally.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable static RP:
ipv6 pim static-rp
3. Configure an IPv6 static RP entry:
ipv6 pim static-rp WORD<0-255> WORD<0-255>
4. Configure all the switches in the network (including switches from other vendors) to map to the
same RP.
5. Display information about the candidate rendezvous points for the PIM-SM domain:
show ipv6 pim static-rp

Variable Definitions
The following table describes the variables for the ipv6 pim static-rp command.


Variable Value
WORD<0-255> Specifies the IPv6 address and address mask of
the multicast group. When combined, the IPv6
address and address mask identify the range of
the multicast addresses that the RP handles.
WORD<0-255> Specifies the IPv6 address of the static RP.

Configuring a candidate BSR on a port


Configure additional routers as candidate BSRs (C-BSR) to provide backup protection in the event that
the primary BSR fails. PIM-SM cannot run without a BSR.

Before You Begin


• Static RP is disabled.

About This Task

The C-BSR with the highest configured preference becomes the BSR for the domain. If two C-BSRs use
equal preference, the candidate with the higher IP address becomes the BSR. If you add a new C-BSR
with a higher preference to the domain, it automatically becomes the new BSR.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:


enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure a candidate BSR:


ip pim bsr-candidate preference <0–255>

Example

Configure a candidate BSR:


Switch:1(config-if)#ip pim bsr-candidate preference 2


Variable definitions
Use the definitions in the following table to use the ip pim bsr-candidate command.

Variable Value
preference <0–255> Activates the C-BSR on this interface and configures its
preference value, from 0–255, to become a BSR. The C-BSR
with the highest BSR preference and address is the preferred
BSR. The default is –1, which indicates that the current
interface is not a C-BSR. To set this option to the default
value, use the default operator with the command.

Configuring a candidate BSR on a VLAN


Configure additional routers as candidate BSRs (C-BSR) to provide backup protection in the event that
the primary BSR fails. PIM-SM cannot run without a BSR.

Before You Begin


• Static RP is disabled.

About This Task

The C-BSR with the highest configured preference becomes the BSR for the domain. If two C-BSRs use
equal preference, the candidate with the higher IP address becomes the BSR. If you add a new C-BSR
with a higher preference to the domain, it automatically becomes the new BSR.

Procedure

1. Enter VLAN Interface Configuration mode:


enable

configure terminal

interface vlan <1–4059>


2. Configure a candidate BSR on a VLAN:
ip pim bsr-candidate preference <0–255>

Example

Configure a candidate BSR on a VLAN:


Switch:1(config-if)#ip pim bsr-candidate preference 5


Variable definitions
Use the definitions in the following table to use the ip pim bsr-candidate command.

Variable Value
preference <0–255> Activates the C-BSR on this interface and configures its
preference value, from 0–255, to become a BSR. The C-BSR
with the highest BSR preference and address is the preferred
BSR. The default is –1, which indicates that the current
interface is not a C-BSR. To configure this option to the
default value, use the default operator with the command.

Enabling square-SMLT globally


Use square-Split MultiLink Trunking (SMLT) to form an SMLT aggregation group. In a square
configuration, enable square-SMLT globally on each of the four switches.

About This Task

Important
The following command also activates full-mesh configurations.

Note
This procedure is supported only on a DvR Controller. It is not supported on a DvR Leaf node.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Enable square-SMLT:
multicast smlt-square

PIM Configuration Using EDM


The switch supports two modes of Protocol Independent Multicast (PIM): Sparse Mode (SM) and Source
Specific Multicast (SSM).
• PIM-SM supports multicast groups spread out across large areas of a company or the Internet.
• PIM-SSM optimizes PIM-SM by simplifying the many-to-many model (servers-to-receivers).

Important
The EnableSpbmConfigMode boot flag must be disabled before you can configure PIM or
IGMP. To verify the setting, navigate to Configuration > Edit > Chassis and click on the Boot
Config tab.


Before You Begin

For an IPv4 PIM configuration using EDM:


• Configure an IP interface.

For more information, see IP routing configuration using Enterprise Device Manager on page 1876.
• Configure a unicast protocol, for example, Routing Information Protocol (RIP) or Open Shortest Path
First (OSPF), globally and on the interfaces where you want to configure PIM-SM.

For more information about RIP, see RIP configuration using EDM on page 2824. For more
information about OSPF, see OSPF configuration using EDM on page 2538.
• Enable PIM-SM globally.
• Enable PIM-SM on individual interfaces.
• Configure one or more rendezvous points (RP) for the groups that multicast applications use in the
network.

Important
If you configure the rendezvous point (RP) to be the address of a circuitless IP (CLIP)
interface, then you must first configure and enable PIM on the CLIP interface before you
can utilize that interface as a candidate RP. To configure a PIM-SM RP for a circuitless IP
interface, see Configuring a candidate RP on page 1611.

• Configure one or more bootstrap routers (BSR) to propagate RP information to all switches in the
network.

For an IPv6 PIM configuration using EDM:


• Configure an IPv6 interface. For more information, see Configure an IPv6 Interface on page 1963.
• Configure an IPv6 unicast protocol, for example, Routing Information Protocol Next Generation
(RIPng) or Open Shortest Path First Version 3 (OSPFv3), globally and on the interfaces where you
want to configure PIM. For more information about RIPng, see RIPng Configuration using EDM on
page 2834. For more information about OSPFv3, see OSPFv3 Configuration using EDM on page 2575.
• Enable IPv6 PIM-SM globally.
• Enable IPv6 PIM-SM on individual interfaces.

Enabling static RP
Enable static RP to avoid the process of selecting an active RP from the list of candidate RPs and
dynamically learning about RPs through the BSR mechanism.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.
3. Click the Globals tab.
4. Select sm (sparse mode).
5. Select Enable.
6. Select Static RP.


7. Click Apply.
The system displays the following message:

RP information learnt dynamically through BSR functionality will be lost. Do you wish to enable Static RP?
8. Click Yes.

Enabling IPv6 static RP


Use this procedure to enable IPv6 static RP.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 PIM.
3. Click the Globals tab.
4. Select sm (sparse mode).
5. Select Enable.
6. Select Static RP.
7. Click Apply.
8. Click Yes.

Configuring a static RP
Configure a static RP to ignore the BSR mechanism and use the statically configured RPs only. A static
RP-enabled switch uses this feature to communicate with switches from other vendors that do not use
the BSR mechanism.

Before You Begin


• Before you can configure a static RP, you must enable the following:
◦ PIM-SM
◦ static RP

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.
3. Click the Static RP tab.
4. Click Insert.
5. Type the required information in each box.
6. Click Insert.


Static RP field descriptions


Use the descriptions in the following table to use the Static RP tab.

Name Description
GroupAddress Configures the IP address of the multicast group. When combined
with the group mask, this value identifies the range of the
multicast addresses that the RP handles.
GroupMask Configures the address mask of the multicast group. When
combined with the group address, this value identifies the range
of the multicast addresses that the RP handles.
Address Configures the IP address of the static RP.
Status Shows the current status of the static RP entry. The status is valid
if the switch uses a unicast route to the network for the static RP
and is invalid otherwise.

Job aid
Keep in mind the following configuration considerations:
• Static RPs do not age; they cannot time out.
• Switches do not advertise static RPs, so, if a new PIM neighbor joins the network, it does not know
about the static RP unless you configure it with that static RP.
• Configure all the switches in the network (including switches from other vendors) to map to the
same RP for a certain group range.
• To avoid a single point of failure, you can configure redundant static RPs for the same group prefix.
If you use a mix of vendor switches across the network, ensure that all switches or routers use the
same active RP because vendors use different algorithms to elect the active RP. This switch uses
the hash function defined in the PIM-SM standard to elect the active RP; other vendors can use the
lowest IP address to elect the RP.
• Static RP on the switch is active as long as the switch uses a unicast route to the network for the
static RP. If the switch loses this route, the static RP is invalidated, and the hash algorithm is invoked
to remap all affected groups. If the switch regains this route, the static RP is validated and the hash
algorithm is invoked to remap the affected groups.

Configuring an IPv6 static RP entry


Configure an IPv6 static RP to use the statically configured RPs. A static RP-enabled switch uses this
feature to elect the active RP only from the statically configured switches, without any relation to the
RP information of other switches.

Before You Begin


• Before you can configure a static RP, you must enable the following:
◦ IPv6 PIM-SM
◦ IPv6 static RP

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.


2. Click IPv6 PIM.


3. Click the Static RP tab.
4. Click Insert.
5. Type the required information in each box.
6. Click Insert.

Static RP field descriptions


Use the descriptions in the following table to use the Static RP tab.

Name Description
GroupAddress Configures the IPv6 address of the multicast group. When
combined with the group mask, this value identifies the range
of the multicast addresses that the RP handles.
GroupMask Configures the address mask of the multicast group. When
combined with the group address, this value identifies the range
of the multicast addresses that the RP handles.
Address Configures the global IPv6 address of the static RP.
Status Shows the current status of the static RP entry. The status is valid
if the switch uses a unicast route to the network for the static RP.

Job aid
Keep in mind the following configuration considerations:
• Static RPs do not age; they cannot time out.
• Switches do not advertise static RPs, so, if a new PIM neighbor joins the network, it does not know
about the static RP unless you configure it with that static RP.
• Configure all the switches in the network (including switches from other vendors) to map to the
same RP for a certain group range.
• To avoid a single point of failure, you can configure redundant static RPs for the same group prefix.
If you use a mix of vendor switches across the network, ensure that all switches or routers use the
same active RP because vendors use different algorithms to elect the active RP. This switch uses
the hash function defined in the PIM-SM standard to elect the active RP; other vendors can use the
lowest IP address to elect the RP.
• Static RP on the switch is active as long as the switch uses a unicast route to the network for the
static RP. If the switch loses this route, the static RP is invalidated, and the hash algorithm is invoked
to remap all affected groups. If the switch regains this route, the static RP is validated and the hash
algorithm is invoked to remap the affected groups.
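
The two Job aid lists above (IPv4 and IPv6 static RP) say that this switch elects the active RP with the hash function from the PIM-SM standard, while other vendors can use the lowest IP address. The following added example, which is not taken from the VOSS documentation, implements the RFC 7761 hash and reports the groups for which the two election methods pick different RPs. The RP addresses, the group prefix, the hash mask length of 30 and all function names are assumptions made for the example.

```python
import ipaddress

# Constants of the group-to-RP hash in RFC 7761, section 4.7.2.
MULT, INC, MOD = 1103515245, 12345, 2 ** 31

def digest32(addr, mask_len=None):
    """Return the 32-bit value fed to the hash, after an optional hash mask.

    IPv4 addresses are used as-is. IPv6 addresses are folded by XOR of their
    four 32-bit words, the digest RFC 7761 recommends.
    """
    ip = ipaddress.ip_address(addr)
    value = int(ip)
    if mask_len is not None:
        value &= ((1 << mask_len) - 1) << (ip.max_prefixlen - mask_len)
    if ip.version == 4:
        return value
    words = [(value >> shift) & 0xFFFFFFFF for shift in (96, 64, 32, 0)]
    return words[0] ^ words[1] ^ words[2] ^ words[3]

def hash_value(group, rp, mask_len):
    """Value(G, M, C) = (MULT * ((MULT * (G & M) + INC) XOR C) + INC) mod 2^31."""
    g = digest32(group, mask_len)
    c = digest32(rp)
    return (MULT * ((MULT * g + INC) ^ c) + INC) % MOD

def candidates_for(group, static_rps, reachable):
    """Static RPs that cover the group and still have a unicast route.

    Only the entries with the longest matching group prefix are kept, as in
    the RFC 7761 mapping rules. An RP without a route is invalid and skipped.
    """
    g = ipaddress.ip_address(group)
    hits = [(ipaddress.ip_network(prefix), rp) for prefix, rp in static_rps
            if rp in reachable and g in ipaddress.ip_network(prefix)]
    if not hits:
        return []
    longest = max(net.prefixlen for net, _ in hits)
    return [rp for net, rp in hits if net.prefixlen == longest]

def active_rp(group, static_rps, reachable, mask_len, policy="hash"):
    """Elect the active RP for one group under the given policy."""
    rps = candidates_for(group, static_rps, reachable)
    if not rps:
        return None
    by_address = lambda rp: int(ipaddress.ip_address(rp))
    if policy == "lowest-address":
        return min(rps, key=by_address)
    # Hash policy: highest hash value wins, highest address breaks a tie.
    return max(rps, key=lambda rp: (hash_value(group, rp, mask_len), by_address(rp)))

def rp_disagreements(groups, static_rps, reachable, mask_len):
    """Groups for which a hash-based and a lowest-address router pick different RPs."""
    result = {}
    for group in groups:
        hashed = active_rp(group, static_rps, reachable, mask_len, "hash")
        lowest = active_rp(group, static_rps, reachable, mask_len, "lowest-address")
        if hashed != lowest:
            result[group] = (hashed, lowest)
    return result

# Constructed sample: two redundant static RPs for the same group prefix.
STATIC_RPS = [("239.1.1.0/24", "10.0.0.1"), ("239.1.1.0/24", "10.0.0.2")]
ALL_UP = {"10.0.0.1", "10.0.0.2"}
HASH_MASK_LEN = 30   # assumption: the page does not state the mask used

if __name__ == "__main__":
    groups = ["239.1.1.1", "239.1.1.5"]
    diffs = rp_disagreements(groups, STATIC_RPS, ALL_UP, HASH_MASK_LEN)
    for group, (hashed, lowest) in diffs.items():
        print(f"{group}: hash elects {hashed}, lowest-address elects {lowest}")
    # Route to 10.0.0.2 lost: its groups are remapped to the surviving RP.
    print(active_rp("239.1.1.5", STATIC_RPS, {"10.0.0.1"}, HASH_MASK_LEN))
```

Any group that `rp_disagreements` returns would be forwarded toward two different RPs in a mixed-vendor network, which is the condition the Job aid asks you to rule out.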

Viewing the active RP


Perform this procedure to show information about the active RP for all the running multicast groups on
the switch.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.


3. Click the Active RP tab.

Active RP field descriptions


Use the data in the following table to use the Active RP tab.

Name Description
GroupAddress Shows the IP address of the multicast group.
Address Shows the IP address of the RP router. This
address must be one of the local PIM-SM enabled
interfaces.
Priority Shows the priority of the RP.

Viewing the IPv6 active RP


Perform this procedure to show information about the IPv6 active RP for all the running multicast
groups on the switch.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 PIM.
3. Click the Active RP tab.

Active RP field descriptions


Use the data in the following table to use the Active RP tab.

Name Description
GroupAddress Shows the IPv6 address of the multicast group.
Address Shows the IPv6 address of the RP router. This
address can be one of the local PIM-SM enabled
interfaces or any reachable global IPv6 address
configured using the static-rp CLI command.

Note:
IPv6 link local address is always used as the PIM
interface address.

Priority Shows the priority of the RP.

Configuring a candidate bootstrap router


Configure routers as candidate bootstrap routers (C-BSR) to provide backup protection in case the
primary BSR fails. PIM-SM cannot operate without a BSR. A PIM-SM domain can use only one active
BSR.


About This Task

The C-BSR with the highest configured priority becomes the BSR for the domain. If two C-BSRs use
equal priority, the candidate with the higher IP address becomes the BSR. If you add a new C-BSR with
a higher priority to the domain, it automatically becomes the new BSR.

Procedure

1. On the Device Physical View tab, select a port.


2. In the navigation pane, expand the following folders: Configuration > Edit > Port.
3. Click IP.
4. Click the PIM tab.
5. Click Enable.
6. In the CBSRPreference box, type the preference.
The C-BSR with the highest BSR-preference and address becomes the active BSR. The default is –1,
which indicates that the current interface is not a C-BSR.
7. Click Apply.
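
The election rule described for candidate BSRs, both in the CLI procedure for a VLAN and in this EDM procedure, can be checked against an inventory of configured preferences. The following added example is not part of the VOSS documentation; the addresses are constructed and the function names are assumptions. It computes the BSR the configuration implies and flags a reported BSR that does not match it.

```python
import ipaddress

NOT_A_CBSR = -1   # default preference: the interface is not a C-BSR

def elect_bsr(cbsr_prefs, failed=()):
    """Return the interface address expected to be BSR, or None.

    cbsr_prefs maps interface address -> configured preference (0-255, or -1).
    failed lists C-BSR addresses that are currently down.
    """
    live = {}
    for addr, pref in cbsr_prefs.items():
        if pref == NOT_A_CBSR or addr in failed:
            continue
        if not 0 <= pref <= 255:
            raise ValueError(f"{addr}: preference {pref} is outside 0-255")
        live[addr] = pref
    if not live:
        return None
    # Highest preference wins; equal preference falls back to the higher address.
    return max(live, key=lambda a: (live[a], int(ipaddress.ip_address(a))))

def audit_bsr(cbsr_prefs, observed_bsr, failed=()):
    """Compare the BSR a router reports with the one the configuration implies."""
    expected = elect_bsr(cbsr_prefs, failed)
    findings = []
    if expected is None:
        findings.append("no C-BSR available; PIM-SM cannot run without a BSR")
    elif observed_bsr != expected:
        known = cbsr_prefs.get(observed_bsr, NOT_A_CBSR) != NOT_A_CBSR
        kind = "a lower-ranked C-BSR" if known else "an address that is not a configured C-BSR"
        findings.append(f"observed BSR {observed_bsr} is {kind}; expected {expected}")
    backups = [a for a, p in cbsr_prefs.items()
               if p != NOT_A_CBSR and a not in failed and a != expected]
    if expected is not None and not backups:
        findings.append(f"{expected} is the only C-BSR; no backup if it fails")
    return expected, findings

# Constructed inventory: interface address -> CBSRPreference value.
CBSR_PREFS = {"192.0.2.11": 5, "192.0.2.12": 5, "192.0.2.13": -1, "192.0.2.14": 3}

if __name__ == "__main__":
    print(elect_bsr(CBSR_PREFS))                         # tie on 5, higher address
    print(elect_bsr(CBSR_PREFS, failed={"192.0.2.12"}))  # backup takes over
    print(audit_bsr(CBSR_PREFS, "198.51.100.7"))         # reported BSR not in inventory
```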

Viewing current BSR information


View the current BSR information to review the configuration.

Before You Begin


• You must disable static RP.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.
3. Click the Current BSR tab.

Current BSR field descriptions


Use the descriptions in the following table to use the Current BSR tab.

Name Description
Address Shows the IP address of the current BSR for the local PIM domain.
FragmentTag Shows a randomly generated number that distinguishes fragments that
belong to different bootstrap messages. Fragments that belong to the same
bootstrap message carry the same fragment tag.
HashMask Shows the mask used in the hash function to map a group to one of the
C-RPs from the RP set. The hashmask allows a small number of consecutive
groups to always hash to the same RP.
Priority Shows the priority of the current BSR. The C-BSR with the highest BSR
priority and address (referred to as the preferred BSR) is elected as the BSR
for the domain.
BootStrapTimer Shows the bootstrap timer. After the bootstrap timer expires, the BSR sends
out bootstrap messages.


Changing VLAN interface type


Change the state (active or passive) of PIM on a VLAN interface.

Before You Begin


• Before you change the state of PIM on a VLAN interface, you must first disable PIM to prevent
instability in the PIM operations, especially when neighbors exist or when the interface receives
streams.

Procedure
1. In the navigation pane, expand the following folders: Configuration > VLAN.
2. Click VLANs.
3. Click the Basic tab.
4. Select the VLAN ID that you want to configure with PIM.
5. Click IP.
6. Click the PIM tab.
7. Clear the Enable check box.
8. Click Apply.
9. Select active or passive.
10. Reenable PIM on the VLAN interface.
11. Click Apply.

Editing PIM interface parameters


Edit PIM parameters for an interface to customize the PIM configuration.

Before You Begin


• Before you change the state (active or passive) of a PIM interface, first disable PIM to prevent
instability in the PIM operations, especially when neighbors exist or when the interface receives
streams.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.
3. Click the Interfaces tab.
4. Edit the fields by double-clicking on them, and then select or type the new value.
5. Click Apply.

Interfaces field descriptions


Use the data in the following table to use the Interfaces tab.

Name Description
IfIndex Shows the interface Index. This variable is a read-only field.
Address Shows the IP address of the PIM interface. This variable is a read-only
field.

NetMask Shows the network mask for the IP address of the PIM interface. This
variable is a read-only field.
Mode Shows the configured mode of this interface. The valid modes are SSM
and sparse. This variable is a read-only field.
InterfaceType Specifies if the interface is active or passive.
DR Shows the router with the highest IP address on a LAN designated to
perform these tasks.
HelloInterval Specifies how long to wait (in seconds) before the PIM router sends
out the next hello message to neighboring switches. The default is 30
seconds.
JoinPruneInterval Specifies how long to wait (in seconds) before the PIM router sends out
the next join or prune message to its upstream neighbors. The default
is 60 seconds.
CBSRPreference Configures the preference for this local interface to become a C-BSR.
The C-BSR with the highest BSR priority and address is the preferred
BSR. The default is –1, which indicates that the current interface is not a
C-BSR.
OperState Indicates the status of PIM on this interface: Up or Down.

Editing IPv6 PIM interface parameters


Edit the IPv6 PIM parameters for an interface to customize the IPv6 PIM configuration.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 PIM.
3. Click the Interfaces tab.
4. Edit the fields by double-clicking on them, and then select or type the new value.
5. Click Apply.

Interfaces field descriptions


Use the data in the following table to use the Interfaces tab.

Name Description
IfIndex Shows the interface Index. This variable is a read-only field.
Address Shows the IPv6 address of the PIM interface. This variable is a read-only
field.
NetMask Shows the network mask for the IPv6 address of the PIM interface. This
variable is a read-only field.
Enable Shows the configured mode of this PIM interface. sparseDense mode is
valid only for PIMv1.
Mode Shows the configured mode of this interface. The valid modes are SSM
and sparse. This variable is a read-only field.

DR Shows the router with the highest IPv6 address on a LAN designated
to perform these tasks.
HelloInterval Specifies how long to wait (in seconds) before the PIM router sends
out the next hello message to neighboring switches. The default is 30
seconds.
JoinPruneInterval Specifies how long to wait (in seconds) before the PIM router sends out
the next join or prune message to its upstream neighbors. The default
is 60 seconds.
OperState Indicates the status of PIM on this interface: Up or Down.
Type Specifies the interface type.

Configuring the PIM virtual neighbor


Configure a PIM virtual neighbor if the next hop for a static route cannot run PIM, such as the Virtual
Router Redundancy Protocol (VRRP) address on an adjacent device.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.
3. Click the Virtual Neighbors tab.
4. Click Insert.
5. Specify the IP address of the virtual neighbor.
6. Specify the interface index for the PIM interface.
7. Click Insert.

Virtual Neighbors field descriptions


Use the descriptions in the following table to use the Virtual Neighbors tab.

Name Description
Address Specifies the IP address of the neighbor.
IfIndex Specifies the IP address of the PIM interface.

Viewing PIM-SM neighbor parameters


View PIM-SM neighbor parameters to troubleshoot connection problems or review the configuration.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.
3. Click the Neighbors tab.


Neighbors field descriptions


Use the descriptions in the following table to use the Neighbors tab.

Name Description
Address Shows the IP address of the PIM neighbor.
IfIndex Shows the slot and port number or VLAN ID of the interface used to
reach this PIM neighbor.
UpTime Shows the time since this neighbor became a neighbor of the local
router.
ExpiryTime Shows the time remaining before the neighbor expires.

Viewing IPv6 PIM-SM neighbor parameters


View IPv6 PIM-SM neighbor parameters to troubleshoot connection problems or review the
configuration.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 PIM.
3. Click the Neighbors tab.

Neighbors field descriptions


Use the descriptions in the following table to use the Neighbors tab.

Name Description
Address Shows the IPv6 address of the PIM neighbor.
IfIndex Shows the slot and port number or VLAN ID of the interface used to
reach this PIM neighbor.
UpTime Shows the time since this neighbor became a neighbor of the local
router.
ExpiryTime Shows the time remaining before the neighbor expires.

Viewing IPv6 Neighbor Secondary Address


Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 PIM.
3. Click the Neighbor Secondary Address tab.


Neighbor Secondary Address field descriptions


Use the descriptions in the following table to use the Neighbor Secondary Address tab.

Name Description
IfIndex Shows the slot and port number or VLAN ID of the interface used to reach
this PIM neighbor.
Type Shows the address type of this PIM neighbor.
Primary The primary IPv6 address of this PIM neighbor.
SecAddress The secondary IPv6 address of this PIM neighbor.

Viewing RP set parameters


View the RP set to see a list of rendezvous point addresses. The BSR constructs this list from C-RP
advertisements, and then distributes it to all PIM routers in the PIM domain for the BSR. View the
parameters for troubleshooting purposes.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.
3. Click the RP Set tab.

RP Set field descriptions


Use the descriptions in the following table to use the RP Set tab.

Name Description
GroupAddress Shows the IP address of the multicast group. When combined with the
group mask, this value identifies the prefix that the local router uses to
advertise itself as a C-RP router.
GroupMask Shows the address mask of the multicast group. When combined with the
group address, this value identifies the prefix that the local router uses to
advertise itself as a C-RP router.
Address Shows the IP address of the C-RP router.
HoldTime Shows the time specified in a C-RP advertisement that the BSR uses to time
out the RP. After the BSR receives an advertisement for the RP, it restarts the
timer. If no advertisement arrives before the timer expires, the BSR removes
that RP from the RP set.
ExpiryTime Shows the time remaining before this C-RP router times out.

Configuring a candidate RP
Configure a C-RP router to add it to the RP Set.


About This Task

You can configure only one interface on a switch for multiple groups; that is, you cannot configure
multiple interfaces for multiple groups.

Using the GroupMask value, you can configure a candidate RP for several groups in one configuration.
For example, if you use a C-RP configuration with a GroupAddress value of 224.0.0.0 and a
GroupMask of 240.0.0.0, you can configure the C-RP router for a multicast range from 224.0.0.0 to
239.255.255.255.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click PIM.
3. Click the Candidate RP tab.
4. Click Insert.
5. Type the required information in each box.
6. Click Insert.

Candidate RP field descriptions


Use the descriptions in the following table to use the Candidate RP tab.

Name Description
GroupAddress Configures the IP address of the multicast group. When combined with the
group mask, this value identifies the prefix that the local router uses to
advertise itself as a C-RP router.
GroupMask Configures the address mask of the multicast group. When combined with
the group address, this value identifies the prefix that the local router uses to
advertise itself as a C-RP router.
InterfaceAddress Configures the IP address of the C-RP router. This address must be one of
the local PIM-SM enabled interfaces.

Enabling square-SMLT globally


Use square-Split MultiLink Trunking (SMLT) to form an SMLT aggregation group. In a square
configuration, enable square-SMLT globally on each of the four switches.

About This Task

Important
The following configuration also activates full-mesh configurations.

Note
This procedure is supported only on a DvR Controller. It is not supported on a DvR Leaf node.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.


2. Click Multicast.
3. Click the Globals tab.
4. Select MulticastSquareSmltEnable.
Clear this check box if you want to disable square-SMLT globally.
5. Click Apply.

Viewing IPv6 RP set parameters


View the IPv6 RP set to see a list of rendezvous point addresses. View the parameters for
troubleshooting purposes.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 PIM.
3. Click the RP Set tab.

RP Set field descriptions


Use the descriptions in the following table to use the RP Set tab.

Name Description
GroupAddress Specifies the IPv6 address of the multicast group. When combined with the
group mask, this value identifies a group prefix for which the address is a
static RP.
GroupMask Specifies the address mask of the multicast group. When combined with the
group address, this value identifies a group prefix for which the address is a
static RP.
Address Specifies the IPv6 address of the static RP.
HoldTime Specifies the hold time of the static RP. The value is 0.
ExpiryTime Specifies the minimum time remaining before the static RP is down. The
value is 0.

Viewing IPv6 Mroute interface information


Use the following procedure to view IPv6 Mroute information for an interface.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 Mroute.
3. Click the Interfaces tab.


Interfaces field descriptions


Use the data in the following table to use the Interfaces tab.

Name Description
IfIndex Displays the slot and port number or VLAN ID for this entry.
Ttl Displays the datagram time-to-live (TTL) threshold for the interface.
IPv6 multicast datagrams with a TTL less than this threshold are not
forwarded out of the interface. The default value of 0 means that all
multicast packets are forwarded out of the interface.
Protocol Displays the protocol as one of the following:
• other(1): none of the following
• local(2): manually configured
• netmgmt(3): configured by a network management protocol
• pimSparseMode(8): PIM-SMv2
• igmpOnly(10)
• pimSsmMode(11)
• spb

Viewing IPv6 Mroute next hop information


Use the following procedure to view IPv6 Mroute next hop information.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 Mroute.
3. Click the Next Hop tab.

Next Hop field descriptions


Use the data in the following table to use the Next Hop tab.

Name Description
Group Displays the IPv6 multicast group for this entry that specifies a next
hop on an outgoing interface.
Source Displays the network address that, when combined with the
corresponding next hop SourceMask value, identifies the source for this
entry that specifies a next hop on an outgoing interface.
SourceMask Displays the network mask that, when combined with the
corresponding next hop Source value, identifies the source for this
entry that specifies a next hop on an outgoing interface.
IfIndex Displays the slot and port number or VLAN ID for this entry.
Address Displays the address of the next hop specific to this entry. For
most interfaces, it is identical to the next-hop group. Non Broadcast
Multiple Access (NBMA) interfaces, however, can use multiple next hop
addresses out of a single outgoing interface.

State Displays whether the outgoing interface and next hop represented by
this entry currently forward IPv6 datagrams. A value of forwarding
indicates the information is currently used; pruned indicates it is not
used.
ExpiryTime Displays the minimum amount of time that remains before this entry
ages out. The value 0 indicates that the entry is not subject to aging.
ClosestMemberHops Displays the minimum number of hops between this router and
members of the IPv6 multicast group reached through the next hop
on this outgoing interface. IPv6 multicast datagrams for the group that
use a time-to-live less than this number of hops are not forwarded to
the next hop.
Protocol Displays the protocol as one of the following:
• other(1): none of the following
• local(2): manually configured
• netmgmt(3): configured by a network management protocol
• pimSparseMode(8): PIM-SMv2
• igmpOnly(10)
• pimSsmMode(11)
• spb

Configuring resource usage counter for IPv6 Mroute


Configure the resource usage counters to query the number of ingress and egress IPv6 multicast
streams traversing the switch. After you configure the counter thresholds for ingress and egress records,
if the record usage goes beyond the threshold, you receive notification through a trap on the console, a
logged message, or both.

Important
If you do not configure the thresholds, EDM displays only the ingress and egress records that
are currently in use.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 Mroute.
3. Click the Resource Usage tab.
4. Configure the ingress and egress thresholds.
5. Configure the notification methods.
6. Click Apply.


Resource Usage field descriptions


Use the data in the following table to use the Resource Usage tab.

Name Description
Ingress Records In-Use Displays the number of ingress records (source or group) traversing the
switch.
Egress Records In-Use Displays the number of egress records traversing the switch.
Ingress Threshold Configures the ingress threshold level (0–32767).
Egress Threshold Configures the egress threshold level (0–32767).
SendTrapAndLog Sends both trap and log notification messages after the number of
streams exceeds a threshold level.
SendTrapOnly Sends only trap notification messages after the number of streams
exceeds a threshold level. You can configure only one notification type.
LogMsgOnly Sends only log notification messages after the number of streams
exceeds a threshold level.

Viewing IPv6 multicast route information


Use the following procedure to view IPv6 Mroute route information.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 Mroute.
3. Click the Route tab.

IPv6 Multicast Route field descriptions


Use the data in the following table to use the Route tab.

Name Description
Group Displays the IPv6 multicast group for this entry that specifies a next
hop on an outgoing interface.
Source Displays the network address that, when combined with the
corresponding next hop SourceMask value, identifies the source for this
entry that specifies a next hop on an outgoing interface.
SourceMask Displays the network mask that, when combined with the
corresponding next hop Source value, identifies the source for this
entry that specifies a next hop on an outgoing interface.
UpStreamNeighbor Shows the address of the upstream neighbor from which the IPv6
datagrams from these sources are received.
IfIndex Displays the slot and port number or VLAN ID for this entry.

ExpiryTime Displays the minimum amount of time that remains before this entry
ages out. The value 0 indicates that the entry is not subject to aging.
Protocol Displays the protocol as one of the following:
• other(1): none of the following
• local(2): manually configured
• netmgmt(3): configured by a network management protocol
• pimSparseMode(8): PIM-SMv2
• igmpOnly(10)
• pimSsmMode(11)
• spb

IGMP Configuration Using the CLI


Hosts use the Internet Group Management Protocol (IGMP) to report their IP multicast group
memberships to neighboring multicast routers. Configure IGMP on an individual interface basis.

Important
The spbm-config-mode boot flag must be disabled before you can configure PIM or IGMP.
To verify the setting, enter show boot config flags in Privileged EXEC mode.

Before You Begin


• Complete one of the following tasks:
◦ Configure IGMP on a Layer 2 interface by enabling IGMP snoop.
◦ Configure IGMP on a Layer 3 interface by enabling multicast routing, for example, Protocol
Independent Multicast-Sparse Mode (PIM-SM) or Protocol Independent Multicast-Source Specific
Multicast (PIM-SSM).

Important
To configure and use IGMP on a VRF instance you must first select and launch the VRF
context.
To select and launch the VRF context, see Configuring IGMP on a VRF on page 1548.

Configuring multicast stream limitation on an Ethernet port


Configure multicast stream limitation on an Ethernet port to limit the number of concurrent multicast
streams on the port. By limiting the number of concurrent multicast streams, providers can protect the
bandwidth on a specific interface and control access to multicast streams.

About This Task

You can configure the maximum number of streams independently. After the number of streams
reaches the limit, the port drops joins to new streams. A service provider uses this feature to control the
overall bandwidth usage in addition to restricting users from attaching more than the allowed television
sets to a link.

Note
Configuration of multicast stream limitation is not supported on a node configured as the DvR
Leaf within a DvR domain.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable multicast stream limitation and configure the maximum number of allowed streams:
ip igmp stream-limit stream-limit-max-streams <0-65535>
3. If stream-limit is already enabled on the interface, change the maximum number of allowed streams:
ip igmp stream-limit stream-limit-max-streams <0-65535>
4. Display multicast stream limitation information for the ports on a specific interface:
show ip igmp stream-limit interface

Example

Enable multicast stream limitation on the Ethernet port and configure the maximum number of allowed
streams to 8.
Switch:1(config-if)# ip igmp stream-limit
Switch:1(config-if)# ip igmp stream-limit stream-limit-max-streams 8

Variable definitions
Use the data in the following table to use the ip igmp stream-limit-max-streams command.

Variable Value
<0-65535> Configures the maximum number of allowed streams
on this port. The range is from 0–65535 and the default
is 4.

Configuring multicast stream limitation on a VLAN


Configure multicast stream limitation on a VLAN to limit the number of concurrent multicast streams on
the VLAN. By limiting the number of concurrent multicast streams, providers can protect the bandwidth
on a specific interface and control access to multicast streams.


About This Task

You can configure the maximum number of streams independently. After the number of streams
reaches the limit, the VLAN drops joins to new streams. A service provider uses this feature to control
the overall bandwidth usage in addition to restricting users from attaching more than the allowed
television sets to a link.

Note
Configuration of multicast stream limitation is not supported on a node configured as the DvR
Leaf within a DvR domain.

Procedure

1. Enter VLAN Interface Configuration mode:


enable

configure terminal

interface vlan <1–4059>


2. Enable multicast stream limitation and configure the maximum number of allowed streams:
ip igmp stream-limit stream-limit-max-streams <0-65535>
3. If stream-limit is already enabled on the VLAN, change the maximum number of allowed streams:
ip igmp stream-limit stream-limit-max-streams <0-65535>
4. Display multicast stream limitation information for the ports on a specific interface:
show ip igmp stream-limit port

Example

Enable multicast stream limitation and configure the maximum number of allowed streams to 8.
Switch:1(config-if)# ip igmp stream-limit
Switch:1(config-if)# ip igmp stream-limit stream-limit-max-streams 8

Variable definitions
Use the data in the following table to use the ip igmp stream-limit command.

Variable Value
<0-65535> Configures the maximum number of allowed streams
on this VLAN. The range is from 0–65535 and the
default is 4.

Configuring VLAN multicast stream limitation members


Configure multicast stream limitation members on ports of a specific VLAN to limit the number of
multicast groups that can join a VLAN.


Procedure
1. Enter VLAN Interface Configuration mode:
enable

configure terminal

interface vlan <1–4059>


2. Configure multicast stream limitation members on a VLAN:
ip igmp stream-limit-group {slot/port[/sub-port][-slot/port[/sub-port]][,...]} enable max-streams <0–65535>

Example

Enable multicast stream limitation on ports 2/3 to 2/8 and configure the maximum allowed number of
streams to 6 for this interface.
Switch:1(config-if)# ip igmp stream-limit-group 2/3-2/8 max-streams 6

Variable definitions
Use the data in the following table to use the ip igmp stream-limit-group command.

Variable Value
<0–65535> Configures the maximum number of allowed streams for the
specified ports on this VLAN. The range is from 0–65535 and the
default is 4.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following formats:
a single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port).
If the platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
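
The port-list format and the drop-at-limit behaviour described for stream limitation, as an added Python model (not VOSS code and not part of the original guide). The function names are hypothetical, a stream is assumed to be one group address per port, and a range is expanded only when both ends share the same slot (and port, for sub-ports), because the number of ports per slot is platform-specific.

```python
"""Expand a VOSS port list and model the per-port stream limit (illustrative)."""
import re

PORT = re.compile(r"^(\d+)/(\d+)(?:/(\d+))?$")
# "enable" is optional here because the guide's syntax line includes it and
# the guide's example omits it.
LIMIT_CMD = re.compile(
    r"^ip igmp stream-limit-group\s+(\S+)\s+(?:enable\s+)?max-streams\s+(\d+)$")

# The command from the guide's example, plus constructed joins from one port.
SAMPLE_CONFIG = ["ip igmp stream-limit-group 2/3-2/8 max-streams 6"]
SAMPLE_JOINS = [("2/3", f"239.1.1.{n}") for n in range(1, 9)] + [("2/3", "239.1.1.1")]


def _parse_port(text):
    """Parse 'slot/port' or 'slot/port/sub-port' into a tuple of integers."""
    m = PORT.match(text)
    if not m:
        raise ValueError(f"bad port {text!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def expand_ports(spec):
    """Expand 'slot/port[/sub-port][-slot/port[/sub-port]][,...]' to a list."""
    ports = []
    for item in spec.split(","):
        first, sep, last = item.strip().partition("-")
        lo = _parse_port(first)
        hi = _parse_port(last) if sep else lo
        # Only the final field may differ between the two ends of a range.
        if len(lo) != len(hi) or lo[:-1] != hi[:-1] or lo[-1] > hi[-1]:
            raise ValueError(f"unsupported range {item!r}")
        for n in range(lo[-1], hi[-1] + 1):
            ports.append("/".join(str(x) for x in lo[:-1] + (n,)))
    return ports


def limits_from_config(lines):
    """Map each port named by a stream-limit-group command to its max-streams."""
    limits = {}
    for line in lines:
        m = LIMIT_CMD.match(line.strip())
        if not m:
            continue
        max_streams = int(m.group(2))
        if not 0 <= max_streams <= 65535:
            raise ValueError(f"max-streams out of range: {max_streams}")
        for port in expand_ports(m.group(1)):
            limits[port] = max_streams
    return limits


def replay_joins(limits, joins):
    """Replay (port, group) joins; return the joins dropped by the limit."""
    streams = {port: set() for port in limits}
    dropped = []
    for port, group in joins:
        active = streams.get(port)
        if active is None or group in active:
            continue  # no limit on this port, or the stream is already counted
        if len(active) >= limits[port]:
            dropped.append((port, group))  # limit reached: new stream is dropped
        else:
            active.add(group)
    return dropped


if __name__ == "__main__":
    port_limits = limits_from_config(SAMPLE_CONFIG)
    print(port_limits)
    print(replay_joins(port_limits, SAMPLE_JOINS))
```
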

Configuring multicast router discovery options


Configure the multicast router discovery options to enable the automatic discovery of multicast-
capable routers.

About This Task

Important
The switch does not support the Multicast Router Discovery (MRDISC) protocol on brouter
ports.

Procedure
1. Enter VLAN Interface Configuration mode:
enable

configure terminal

interface vlan <1–4059>


2. Enable multicast router discovery:


ip igmp mrdisc
3. Configure the maximum advertisement intervals between successive advertisements:
ip igmp mrdisc maxadvertinterval <2–180> maxinitadvertinterval <2–180>
4. Configure the maximum advertisements after initialization:
ip igmp mrdisc maxinitadvertisements <2–15>
5. Configure the minimum advertisement interval between successive advertisements:
ip igmp mrdisc minadvertinterval <3–180>
6. Configure the time allowed before a neighbor is declared dead:
ip igmp mrdisc neighdeadinterval <2–180>

Example

Configure the maximum advertisement intervals between successive advertisements:


Switch:1(config-if)#ip igmp mrdisc maxadvertinterval 30 maxinitadvertinterval 5

Configure the maximum advertisements after initialization:


Switch:1(config-if)#ip igmp mrdisc maxinitadvertisements 8

Configure the minimum advertisement interval between successive advertisements:


Switch:1(config-if)#ip igmp mrdisc minadvertinterval 30

Configure the time allowed before a neighbor is declared dead:


Switch:1(config-if)#ip igmp mrdisc neighdeadinterval 60

Variable definitions
Use the data in the following table to use the ip igmp mrdisc command.

Variable Value
maxadvertinterval <2–180> Configures the maximum interval (in seconds) between
successive advertisements.
For this change to take effect, you must save the
configuration, and then reset the switch.
To configure this option to the default value, use the
default operator with the command. The default is
20.
maxinitadvertinterval <2–180> Configures the maximum interval (in seconds) between
successive initial advertisements.
For this change to take effect, you must save the
configuration, and then reset the switch.
To configure this option to the default value, use the
default operator with the command. The default is 2.

maxinitadvertisements <2–15> Configures the maximum number of initial multicast
advertisements after initialization.
For this change to take effect, you must save the
configuration, and then reset the switch.
To configure this option to the default value, use the
default operator with the command. The default is 3.
minadvertinterval <3–180> Configures the minimum interval (in seconds) between
successive advertisements.
For this change to take effect, you must save the
configuration, and then reset the switch.
To configure this option to the default value, use the
default operator with the command. The default is
15.
neighdeadinterval <2–180> Configures the multicast router discovery dead interval
—the number of seconds the multicast route neighbors
for the switch must wait before assuming that the
multicast router is down.
To configure this option to the default value, use the
default operator with the command. The default is
60.

Configure Explicit Host Tracking


Configure explicit host tracking to track all the source and group members.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure explicit host tracking:
ip igmp igmpv3-explicit-host-tracking
3. Display all the tracked members for a specific group:
show ip igmp group group <A.B.C.D> tracked-members [member-subnet <A.B.C.D/X>] [source-subnet <A.B.C.D/X>] [port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] [vlan <1-4059>]
4. Display the IGMPv3 specific data:
show ip igmp group group <A.B.C.D> detail port {{slot/port[/sub-port][-slot/port[/sub-port]][,...]}} vlan <1-4059>


Examples
Configure explicit host tracking:
Switch:1(config-if)#ip igmp igmpv3-explicit-host-tracking

Display all the tracked members:


Switch:1#show ip igmp group

================================================================================
Igmp Group - GlobalRouter
================================================================================
GRPADDR INPORT MEMBER EXPIRATION TYPE L2ISID
--------------------------------------------------------------------------------
224.5.2.1 V701-1/4 62.0.1.1 214 Dynamic 40400
224.5.2.2 V702-1/4 62.0.2.1 221 Dynamic 40400
224.5.2.3 V703-1/4 62.0.3.1 217 Dynamic 40400
224.5.2.4 V704-1/4 62.0.4.1 223 Dynamic 40400

4 out of 4 group Receivers displayed

Total number of unique groups 2

Display all the tracked members for a specific group:


Switch:1(config-if)#show ip igmp group group 232.1.1.1 tracked-members
================================================================================
Members of Channels/Groups - GlobalRouter
================================================================================
INTERFACE CHANNEL/GROUP MEMBER MEMBER_MODE EXP
--------------------------------------------------------------------------------
Vlan333-2/30 */232.1.1.1 133.133.133.200 IS_EXCLUDE 205

Note:
The "*" attached to the interface (if any) indicates that the interface has explicit host
tracking disabled.

Display IGMPv3 specific data:


Switch:1(config-if)#show ip igmp group group 232.32.32.10 detail
================================================================================
Igmp Group Detail - GlobalRouter
================================================================================
Interface: Vlan222-1/10
IGMPv3 Group: 232.32.32.10
Interface Group Mode: INCLUDE
Interface Compatibility Mode: IGMP_V3
V2 Host Timer: Not Running
V1 Host Timer: Not Running
Interface Group Include Source List:
Source Address Expires
133.133.133.200 114


Variable definitions
Use the data in the following table to use the ip igmp igmpv3-explicit-host-tracking command.

Variable Value
explicit-host-tracking Enables explicit host tracking on IGMPv3. The default
state is disable.
<A.B.C.D> Specifies the IP address of the group of the tracked
member.

Configuring IGMP static members


Configure IGMP static members to add members to a snoop group. You can create a static entry to
forward multicast data streams to a particular set of ports within the VLAN. After you create the entry,
multicast data streams are always forwarded to the multicast router within the VLAN, in addition to the
ports in this static entry.

Procedure

1. Enter VLAN Interface Configuration mode:


enable

configure terminal

interface vlan <1–4059>


2. Configure interface static members:
ip igmp static-group {A.B.C.D} {A.B.C.D} port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} [static|blocked]

Example

Configure interface static members:


Switch:1(config-if)#ip igmp static-group 239.1.1.1 239.1.2.1 port 2/1 static

Variable definitions
Use the data in the following table to use the ip igmp static-group command.

Variable Value
{A.B.C.D} {A.B.C.D} Indicates the IP address range of the selected multicast
group.
port Adds ports to a static group entry

{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Creates a static group entry. Specifies the port or list of ports
that is a member of the VLAN interface being configured
to which you want to redirect the multicast stream for this
multicast group.
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of slots
and ports (slot/port-slot/port), or a series of slots and
ports (slot/port,slot/port,slot/port). If the platform supports
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
<static|blocked> Configures the route to static or blocked.

Configuring SSM dynamic learning and range group


Configure SSM dynamic learning and a range group to enable the IGMPv3 dynamic learning feature and
to extend the default SSM range of 232/8 to include an IP multicast address. As new SSM channels are
learned, the system displays them in the SSM channel table.

Before You Begin


• To define the range group, you must first disable PIM.

About This Task

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must use VRF Router Configuration mode.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable SSM dynamic learning:
ip igmp ssm dynamic-learning
3. Configure the range group:
ip igmp ssm group-range <A.B.C.D/X>

The system displays the following message:

Warning: Changing the SSM range will cause all spb-multicast and spb-pim-gw
enabled interfaces to be internally bounced. Do you wish to continue? (y/n) ? (y/n)?

Enter y to continue.


Example

Define the SSM range group address (234.0.0.0) and mask (255.0.0.0). Enable dynamic learning from
IGMPv3 reports.
Switch:1(config)#ip igmp ssm group-range 234.0.0.0/255.0.0.0

WARNING: Changing the SSM range will cause all spb-multicast and spb-pim-gw enabled
interfaces to be internally bounced. Do you wish to continue? (y/n) ? (y/n)? y
Switch:1(config)#ip igmp ssm dynamic-learning

Variable definitions
Use the data in the following table to use the ip igmp ssm command.

Variable Value
{A.B.C.D/X} Defines the SSM range. The SSM range parameter extends
the default SSM range of 232/8 to include an IP multicast
address. You can configure existing applications without
having to change their group configurations. This parameter
specifies an IP multicast address within the range of
224.0.0.0 and 239.255.255.255. The default is 232.0.0.0. The
address mask is the IP address mask of the multicast group.
The default is 255.0.0.0.

Changing the SSM range group


Change the SSM range group to define the SSM range. The SSM range parameter extends the default
SSM range of 232/8 to include an IP multicast address.

Before You Begin

Before you disable or delete an ssm-map, always send IGMPv1 or IGMPv2 leave messages from hosts
that operate in IGMPv1 or IGMPv2. If you do not perform this action, receiving and processing reports in
SSM range on an IGMP interface enabled with IGMPv1 or IGMPv2 can lead to unexpected behavior.

About This Task

Important
This procedure reinitializes PIM and temporarily stops all PIM traffic. For those multicast
groups out of SSM range (for example, under PIM-SM behavior), it also causes a rendezvous
point (RP) relearn delay of up to 60 seconds. This delay can be longer if the bootstrap router
(BSR) is local.

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must use VRF Router Configuration mode.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. Disable PIM:
no ip pim enable

If you forget to disable PIM, the system displays the following error message:

Error: PIM is enabled in SSM mode, disable PIM


3. Delete each entry in the SSM channel table:
no ip igmp ssm-map [all] [{A.B.C.D} enable]

If you forget to delete the SSM channels, the system displays the following error message:

Error: SSM source group table not empty


4. Configure the new IP multicast group address:
ip igmp ssm group-range {A.B.C.D/X}

The system displays the following message:

Warning: Changing the SSM range will cause all spb-multicast and spb-pim-gw
enabled interfaces to be internally bounced. Do you wish to continue? (y/n) ? (y/n)?

Enter y to continue.
5. Enable PIM:
ip pim enable

Example

Configure the new IP multicast group address:


Switch:1(config)#ip igmp ssm group-range 232.0.0.0/16

WARNING: Changing the SSM range will cause all spb-multicast and spb-pim-gw enabled
interfaces to be internally bounced. Do you wish to continue? (y/n) ? (y/n)? y

Variable definitions
Use the data in the following table to use the ip igmp ssm group-range and ip igmp ssm
commands.

Variable Value
{A.B.C.D/X} Defines the SSM range. The SSM range parameter extends
the default SSM range of 232/8 to include an IP multicast
address. You can configure existing applications without
having to change their group configurations. This parameter
specifies an IP multicast address within the range of
224.0.0.0 and 239.255.255.255. The default is 232.0.0.0. The
address mask is the IP address mask of the multicast group.
The default is 255.0.0.0.

Configuring the SSM map table


Configure the SSM map table to map groups to their sending source. SSM maps cannot conflict with
static source groups. After you configure an SSM map or a static source group, the switch performs a
consistency check to make sure no conflicts exist. You can map one group (G) to different sources or
multiple sources to the same group for both static source group and an SSM map.

About This Task

The consistency check applies to all SSM map entries, even if they are disabled. If you disable an entry, it
becomes inactive. If you do not delete the entry, you can reenable it later.

After you disable an SSM map, the switch stops multicast traffic from the specified source to the
specified group. You can use this static configuration as a security feature to block traffic from a certain
source to a specific group.

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must use VRF Router Configuration mode.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable the SSM map table for all static entries:
ip igmp ssm-map all
3. Create a static entry for a specific group:
ip igmp ssm-map {A.B.C.D} {A.B.C.D} enable

Example

Create an SSM map table entry for the multicast group 234.0.1.0 and the source at 192.32.99.151.
Configure the administrative state to enable all the static SSM map table entries.
Switch:1(config)#ip igmp ssm-map 234.0.1.0 192.32.99.151
Switch:1(config)#ip igmp ssm-map all

Variable definitions
Use the data in the following table to use the ip igmp ssm-map command.

Variable Value
{A.B.C.D} {A.B.C.D} Creates a static SSM channel table entry by specifying
the group and source IP addresses. The IP address is an
IP multicast address within the SSM range. The source IP
address is an IP host address that sends traffic to the group.
{A.B.C.D} enable Enables the administrative state for a specific entry (group).
This variable does not affect the dynamically learned entries.
This state determines whether the switch uses the static
entry or saves it for future use. The default is enable for each
entry.

Configuring multicast access control for an IGMP Ethernet port


Configure multicast access control for an IGMP Ethernet port to restrict access to certain multicast
streams and to protect multicast streams from spoofing (injecting data to the existing streams).


Procedure

1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Configure multicast access control:
ip igmp access-list WORD<1–64> {A.B.C.D/X} <deny-tx|deny-rx|deny-both|allow-only-tx|allow-only-rx|allow-only-both>
3. Change an existing access list:
ip igmp access-list WORD<1–64> {A.B.C.D/X} mode <deny-tx|deny-rx|deny-both|allow-only-tx|allow-only-rx|allow-only-both>

Variable definitions
Use the data in the following table to use the ip igmp access-list command.

Variable Value
{A.B.C.D/X} Creates an access control group entry for a specific IGMP
interface. Specify the IP address of the host and the subnet
mask used to determine the host or hosts covered by this
configuration. You can use the host subnet mask to restrict
access to a portion of the network for the host.
deny-tx|deny-rx|deny-both|allow-only-tx|allow-only-rx|allow-only-both Indicates the action for the specified IGMP interface. For
example, if you specify deny-both, the interface denies both
transmitted and received traffic.
mode Changes the access control group configuration.
WORD<1–64> Specifies the name of the access list from 1–64 characters.

Configuring multicast access control for a VLAN


Configure multicast access control for an IGMP VLAN to restrict access to certain multicast streams and
to protect multicast streams from spoofing (injecting data to the existing streams).

Procedure

1. Enter VLAN Interface Configuration mode:


enable

configure terminal

interface vlan <1–4059>


2. Configure multicast access control:
ip igmp access-list WORD<1–64> [A.B.C.D/X] <deny-tx|deny-rx|deny-both|allow-only-tx|allow-only-rx|allow-only-both>
3. Change an existing access list:
ip igmp access-list WORD<1–64> [A.B.C.D/X] mode <deny-tx|deny-rx|deny-both|allow-only-tx|allow-only-rx|allow-only-both>

Variable definitions
Use the data in the following table to use the ip igmp access-list command.

Variable Value
{A.B.C.D/X} Creates an access control group entry for a specific IGMP
interface. Specify the IP address of the host and the subnet
mask used to determine the host or hosts covered by this
configuration. You can use the host subnet mask to restrict
access to a portion of the network for the host.
deny-tx|deny-rx|deny-both|allow-only-tx|allow-only-rx|allow-only-both Indicates the action for the specified IGMP interface. For
example, if you specify deny-both, the interface denies both
transmitted and received traffic.
mode Changes the access control group configuration.
WORD<1–64> Specifies the name of the access list from 1–64 characters.

Configuring Fast Leave Mode


Configure fast (immediate) leave mode to alter the leave processing on fast leave enabled IGMPv2,
IGMPv3, and IGMP snoop interfaces. Normal IGMP behavior is skipped. Fast leave mode provides one
command that controls all IGMP fast leave enabled interfaces.

Before You Begin


• You must enable explicit-host-tracking before configuring fast-leave mode for IGMPv3. For more
information on enabling explicit-host-tracking, see Configure Explicit Host Tracking on page 1622.

About This Task

If a single user connects to an interface, you do not need to track if other users exist on the interface to
perform the fast leave. In cases like this, you must change the mode to one-user.

Important
Fast leave mode applies only to fast leave enabled IGMP interfaces.

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must use VRF Router Configuration mode.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal


2. View the current fast leave mode:


show ip igmp sys

Note
This command is not supported on a node configured as the DvR Leaf within a DvR
domain.

3. Configure fast leave mode:


ip igmp immediate-leave-mode <multiple-user|one-user>

Example

Change the mode to one-user.


Switch:1(config)#ip igmp immediate-leave-mode one-user

Variable definitions
Use the data in the following table to use the ip igmp immediate-leave-mode command.

Variable Value
multiple-user|one-user multiple-user removes from the group only
the IGMP member who sent the leave message.
Traffic does not stop if other receivers exist on the
interface port. This configuration is the default.
one-user removes all group members on a fast
leave enabled interface port after receiving the
first leave message from a member. This behavior
is the same as the conventional fast leave process.
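
The two fast leave modes from the table above, as an added Python model that is not part of the original guide or of VOSS. The class and function names are hypothetical and the host addresses are constructed; the model shows why one-user mode fits only interfaces with a single user.

```python
"""Model of the two IGMP fast leave modes (illustrative, not VOSS code)."""
from collections import defaultdict

# Constructed events: two hosts on the same port join one group, then one leaves.
SAMPLE_EVENTS = [
    ("report", "232.1.1.1", "10.0.0.11"),
    ("report", "232.1.1.1", "10.0.0.12"),
    ("leave", "232.1.1.1", "10.0.0.11"),
]


class FastLeavePort:
    """Tracks group members on one fast-leave-enabled interface port."""

    def __init__(self, mode="multiple-user"):
        if mode not in ("multiple-user", "one-user"):
            raise ValueError("mode must be multiple-user or one-user")
        self.mode = mode
        self.members = defaultdict(set)  # group address -> set of host addresses

    def report(self, group, host):
        """A host joins (or refreshes) its membership in a group."""
        self.members[group].add(host)

    def leave(self, group, host):
        """Process a leave message; return True if the stream keeps flowing."""
        if group not in self.members:
            return False
        if self.mode == "one-user":
            # The first leave removes every member of the group on this port.
            del self.members[group]
            return False
        # multiple-user: remove only the member that sent the leave.
        self.members[group].discard(host)
        if not self.members[group]:
            del self.members[group]
            return False
        return True


def replay(mode, events):
    """Replay (action, group, host) tuples; return the groups still forwarded."""
    port = FastLeavePort(mode)
    for action, group, host in events:
        if action == "report":
            port.report(group, host)
        elif action == "leave":
            port.leave(group, host)
        else:
            raise ValueError(f"unknown action {action!r}")
    return sorted(port.members)


if __name__ == "__main__":
    for mode in ("multiple-user", "one-user"):
        print(mode, "->", replay(mode, SAMPLE_EVENTS))
```

With two receivers on the port, multiple-user keeps the stream for the remaining host, while one-user stops it for both.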

Enabling fast leave mode on a port


Enable fast (immediate) leave mode to specify if a port receives a leave message from a member of a
group. If you enable fast leave mode on a port, it uses the global fast leave mode configuration.

Procedure

1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable fast leave:


ip igmp immediate-leave


Configuring IGMP fast leave members on a VLAN


Configure IGMP fast leave members on a VLAN to specify fast leave capable ports.

Procedure
1. Enter VLAN Interface Configuration mode:
enable

configure terminal

interface vlan <1–4059>


2. Enable fast leave on the VLAN:
ip igmp immediate-leave
3. Configure fast leave members on a VLAN:
ip igmp immediate-leave-members {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Variable definitions
Use the data in the following table to use the ip igmp immediate-leave-members command.

Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following formats:
a single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port).
If the platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.

Enable IGMP Layer 2 Querier


When no multicast router exists in your network, you can use IGMP Layer 2 Querier to allow the Layer
2 switch to act as a multicast router so that the system can participate in multicast environments where
multicast routing is not required.

Before You Begin


• You must enable IGMP snooping.

About This Task

When you enable IGMP Layer 2 Querier, Layer 2 switches in your network can snoop IGMP control
packets exchanged with downstream hosts and upstream routers. The Layer 2 switches then generate
the Layer 2 MAC forwarding table, used for switching sessions and multicast traffic regulation, and
provide the recurring queries required to maintain IGMP groups.

By default, IGMP Layer 2 Querier is disabled.

Enable Layer 2 Querier on only one node in the VLAN.

On Shortest Path Bridging (SPB) Customer VLANs (CVLAN), IGMP Querier is enabled automatically
when you enable snooping on the VLAN.


Procedure

1. Enter VLAN Interface Configuration mode:


enable

configure terminal

interface vlan <1–4059>


2. Enable IGMP Layer 2 Querier:
ip igmp snoop-querier

What to Do Next

You must enable the IGMP Layer 2 Querier address. See Enable IGMP Layer 2 Querier Address.

Enable IGMP Layer 2 Querier Address


To use the IGMP Layer 2 Querier feature you must designate the IGMP Layer 2 Querier source IP
address, the address the system uses in the query message.

Before You Begin


• Enable IGMP Layer 2 Querier.

About This Task

You must configure the IGMP Layer 2 Querier address to an IP address in the IP subnet to which the
IGMP hosts and IGMP snoopers in the VLAN belong.

The default IP address is 0.0.0.0 when the IGMP Layer 2 Querier is disabled.

Procedure

1. Enter VLAN Interface Configuration mode:


enable

configure terminal

interface vlan <1–4059>


2. Enable the IGMP Layer 2 Querier address:
ip igmp snoop-querier-addr {A.B.C.D}
3. Verify the configuration:
show ip igmp snooping [vrf WORD<1–16>] [vrfids WORD<0–512>]

Example

Enable the IGMP Layer 2 Querier feature for VLAN 4, and configure the querier address. Verify the
configuration.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface vlan 4
Switch:1(config-if)#ip igmp snoop-querier
Switch:1(config-if)#ip igmp snoop-querier-addr 192.0.2.1
Switch:1#show ip igmp snooping

================================================================================
Igmp Snooping - GlobalRouter
================================================================================
IFINDEX SNOOP PROXY SSM STATIC ACTIVE MROUTER
ENABLE SNOOP SNOOP MROUTER MROUTER EXPIRATION
ENABLE ENABLE PORTS PORTS TIME
--------------------------------------------------------------------------------
V2 false false false 0
V3 false false false 0
V4 true false false 0
V200 false false false 0

IFINDEX SNOOP SNOOP DYNAMIC COMPATIBILITY
QUERIER QUERIER DOWNGRADE MODE
ENABLE ADDRESS VERSION
--------------------------------------------------------------------------------
V2 false 0.0.0.0 enable disable
V3 false 0.0.0.0 enable disable
V4 true 192.0.2.1 enable disable
V200 false 0.0.0.0 enable disable

4 out of 4 entries displayed
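
One way to check this output against the Layer 2 Querier requirements in this section (snooping enabled first, a querier address configured, querier on only one node in the VLAN), as an added Python example that is not part of the original guide. The function names and the sample outputs are constructed, and the cross-switch check assumes that the same VLAN ID on two switches is the same Layer 2 domain.

```python
"""Audit `show ip igmp snooping` output for Layer 2 Querier misconfiguration."""
import re
from collections import defaultdict

# First table row: IFINDEX, SNOOP ENABLE, PROXY SNOOP ENABLE, SSM SNOOP ENABLE, ...
SNOOP_ROW = re.compile(r"^(V\d+)\s+(true|false)\s+(true|false)\s+(true|false)\b")
# Second table row: IFINDEX, SNOOP QUERIER ENABLE, SNOOP QUERIER ADDRESS, ...
QUERIER_ROW = re.compile(r"^(V\d+)\s+(true|false)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed outputs in the layout shown above; all values are made up.
SWITCH_A = """\
IFINDEX SNOOP PROXY SSM STATIC ACTIVE MROUTER
V2 false false false 0
V4 true false false 0
V200 true false false 0
IFINDEX SNOOP SNOOP DYNAMIC COMPATIBILITY
V2 false 0.0.0.0 enable disable
V4 true 192.0.2.1 enable disable
V200 true 0.0.0.0 enable disable
"""
SWITCH_B = """\
IFINDEX SNOOP PROXY SSM STATIC ACTIVE MROUTER
V3 false false false 0
V4 true false false 0
IFINDEX SNOOP SNOOP DYNAMIC COMPATIBILITY
V3 true 198.51.100.1 enable disable
V4 true 192.0.2.2 enable disable
"""


def parse_snooping(output):
    """Return {ifindex: {"snoop": bool, "querier": bool, "addr": str}}."""
    vlans = defaultdict(dict)
    for line in output.splitlines():
        line = line.strip()
        m = QUERIER_ROW.match(line)
        if m:
            vlans[m.group(1)].update(querier=m.group(2) == "true", addr=m.group(3))
            continue
        m = SNOOP_ROW.match(line)
        if m:
            vlans[m.group(1)]["snoop"] = m.group(2) == "true"
    return dict(vlans)


def audit_switch(output):
    """Return (ifindex, finding) pairs for one switch, ordered by VLAN ID."""
    findings = []
    rows = sorted(parse_snooping(output).items(), key=lambda kv: int(kv[0][1:]))
    for ifindex, v in rows:
        if not v.get("querier"):
            continue
        if v.get("addr") == "0.0.0.0":
            findings.append((ifindex, "querier enabled but no querier address configured"))
        if not v.get("snoop", False):
            findings.append((ifindex, "querier enabled but IGMP snooping is disabled"))
    return findings


def duplicate_queriers(outputs):
    """outputs: {switch name: output text}. Return VLANs with more than one querier."""
    enabled = defaultdict(list)
    for name, text in outputs.items():
        for ifindex, v in parse_snooping(text).items():
            if v.get("querier"):
                enabled[ifindex].append(name)
    return {i: sorted(names) for i, names in enabled.items() if len(names) > 1}


if __name__ == "__main__":
    print(audit_switch(SWITCH_A))
    print(audit_switch(SWITCH_B))
    print(duplicate_queriers({"switch-a": SWITCH_A, "switch-b": SWITCH_B}))
```
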

IGMP configuration using EDM


Hosts use the Internet Group Management Protocol (IGMP) to report their IP multicast group
memberships to neighboring multicast routers. Configure IGMP on an individual interface basis.

Important
The EnableSpbmConfigMode boot flag must be disabled before you can configure PIM or
IGMP. To verify the setting, navigate to Configuration > Edit > Chassis and click on the Boot
Config tab.

Before You Begin


• Configure IGMP on a Layer 2 interface by enabling IGMP snoop.
• Configure IGMP on a Layer 3 interface by enabling multicast routing, for example, Protocol
Independent Multicast-Sparse Mode (PIM-SM), or Protocol Independent Multicast-Source Specific
Multicast (PIM-SSM).

Important
To configure and use IGMP on a VRF instance you must first select and launch the VRF
context.
To select and launch the VRF context, see Select and Launch a VRF Context View on page
3856.

Enabling IGMP snoop on a VLAN


Enable IGMP snooping on a VLAN to optimize the multicast data flow for a group within a VLAN to only
those that are members of the group that uses IGMP snoop.


About This Task

The switch listens to group reports from each port and builds a database of multicast group members
for each port. The switch suppresses the reports heard by not forwarding them to other hosts, forcing
the members to continuously send their own reports.

The switch relays group membership from the hosts to the multicast routers and forwards queries from
multicast routers to all port members of the VLAN. The switch multicasts data only to the participating
group members and to the multicast routers within the VLAN.

Procedure

1. In the navigation pane, expand the following folders: Configuration > VLAN.
2. Click VLANs.
3. Click the Basic tab.
4. Select a VLAN.
5. Click IP.
6. Click the IGMP tab.
7. Select the SnoopEnable check box.
8. Select the ProxySnoopEnable check box.
9. For StreamLimitEnable, select enable.
10. Click Apply.

Configuring IGMP interface static members


Configure IGMP interface static members to add members to a snoop group.

About This Task

You can create a static entry to forward multicast data streams to a particular set of ports within the
VLAN. After you create the entry, multicast data streams always forward to the multicast router within
the VLAN, in addition to the ports in this static entry.

Important
IGMP snoop can optimize only local multicast data flow. IGMP snoop does not manage the
forwarding state of the multicast tree. You cannot configure a port as a static receiver in an
IGMP snoop-enabled VLAN that does not contain at least one dynamic receiver port and
forward multicast data.
You can configure IGMP on a VRF instance the same way you configure the Global Router
except that you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Static tab.
4. Click Insert.
5. Type the appropriate information.
6. Click Insert.


Static field descriptions


Use the data in the following table to use the Static tab.

Name Description
IfIndex Shows the interface where the IGMP entry is enabled.
GrpAddr Indicates the start of the IP multicast address range of the multicast stream.
Within the indicated valid range (224.0.0.0 to 239.255.255.255), the
following are invalid addresses: 244.0.0.x and the corresponding 31 multicast
addresses that map to the IP MAC addresses. If you try to select them, you
receive an invalid message.
ToGrpAddr Indicates the end of the IP multicast address range of the multicast stream.
If an address is not entered, the IP address in the GrpAddr field is the single
address.
MemberPorts Specifies the ports to which you want to redirect the multicast stream for
this multicast group. The ports must be member ports of the VLAN.
NotAllowedToJoin Specifies the ports that do not receive the multicast stream for this multicast
group.

Configuring the SSM map table


Configure the SSM map table to map groups to their sending source. SSM maps cannot conflict with
static source groups. After you configure an SSM map or a static source group, the switch performs a
consistency check to make sure no conflicts exist. You can map one group (G) or multiple groups to
different sources for both static source group and an SSM channel.

Before You Begin

Before you disable or delete an ssm-map, always send IGMPv1 or IGMPv2 leave messages from hosts
that operate in IGMPv1 or IGMPv2. If you do not perform this action, receiving and processing reports in
SSM range on an IGMP interface enabled with IGMPv1 or IGMPv2 can lead to unexpected behavior.

About This Task

The consistency check applies to all SSM channel entries, even if they are disabled. If you disable an
entry, it becomes inactive. If you do not delete the entry, you can reenable it later.

After you disable an SSM map, the switch stops multicast traffic from the specified source to the
specified group. You can use this static configuration as a security feature to block traffic from a certain
source to a specific group.

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Select IGMP.
3. Select the Ssm Map tab.
4. Select Insert.
5. Type the IP address for the multicast group and source.
6. Select Insert.
You can change the default status of an SSM map from enable to disable in the AdminState field.

Ssm Map field descriptions


Use the data in the following table to use the Ssm Map tab.

Name Description
IpMulticastGrp Specifies an IP multicast address that is within the SSM range.
IpSource Specifies the IP address of the source that sends traffic to the
group.
LearningMode Displays whether the entry is statically configured (Static) or
dynamically learned from IGMPv3 (Dynamic). This variable is a
read-only field.
Activity Displays the current activity of the selected (S,G) entry. True
indicates that traffic is flowing to the switch; otherwise, the
system displays false. This variable is a read-only field.
AdminState Configures the administrative state for the selected static entry.
This state determines whether the switch uses the static entries.
Configure this field to enable (default) to use the entry or disable
to save for future use.

Configure SSM Range and Global Parameters


Configure the SSM range parameter to extend the default SSM range of 232/8 to include an IP multicast
address. You can configure existing applications without changing their group configurations.

Before You Begin


• To change the RangeGroup configuration, you must first disable PIM.
• To change the RangeGroup configuration, you must delete all entries in the SSM channel table
before you configure the new IP multicast group address.

About This Task

The other global parameters enable the IGMPv3 dynamic learning feature and configure the
administrative state for all the entries in the SSM channel table.

Important
If you change the RangeGroup configuration, the switch reinitializes PIM and temporarily
stops all PIM traffic. For those multicast groups out of SSM range (for example, under PIM-SM
behavior), this procedure also causes a rendezvous point (RP) relearn delay of up to 60
seconds. This delay can be longer if the bootstrap router (BSR) is local.

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.


Procedure
1. In the navigation pane, expand Configuration > IP.
2. Select IGMP.
3. Select the Ssm Global tab.
4. Configure the appropriate fields.
5. Select Apply.

Ssm Global field descriptions


Use the data in the following table to use the Ssm Global tab.

Name Description
DynamicLearning Activates the dynamic learning of SSM channel (S,G) pairs from IGMPv3
reports. As new SSM channels are learned, the system displays them in the
SSM channel table.
RangeGroup Configures the IP multicast group address. The lowest group address is
224.0.0.0 and the highest is 239.255.255.255. The default is 232.0.0.0.
RangeMask Configures the address mask of the multicast group. The default is 255.0.0.0.
SsmMapAdminAction Configures the administrative state, which determines whether the switch
uses the table entries:
• enableAll—Globally activates all the static entries in the SSM channel
table. This value does not affect the dynamically learned entries.
• disableAll—Globally inactivates all the static entries in the SSM channel
table. This value does not affect the dynamically learned entries.
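
The following added example (not from the VOSS documentation or software) models how the Ssm Map and Ssm Global settings interact when an IGMPv1 or IGMPv2 report arrives for a group. It assumes that any entry with AdminState enable is used for mapping; the class, the function names, and the sample table are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SsmMapEntry:
    ip_multicast_grp: str          # IpMulticastGrp
    ip_source: str                 # IpSource
    learning_mode: str = "Static"  # LearningMode: Static or Dynamic
    admin_state: str = "enable"    # AdminState: enable (default) or disable


def ssm_range(range_group="232.0.0.0", range_mask="255.0.0.0"):
    """Build the SSM range from RangeGroup and RangeMask (table defaults)."""
    # strict=True rejects a RangeGroup that has bits set outside the mask.
    net = ipaddress.ip_network(f"{range_group}/{range_mask}", strict=True)
    if not net.subnet_of(ipaddress.ip_network("224.0.0.0/4")):
        raise ValueError("RangeGroup must lie in 224.0.0.0 to 239.255.255.255")
    return net


def entries_outside_range(entries, net):
    """Entries whose IpMulticastGrp is not within the configured SSM range."""
    return [e for e in entries
            if ipaddress.ip_address(e.ip_multicast_grp) not in net]


def apply_admin_action(entries, action):
    """SsmMapAdminAction: enableAll/disableAll change static entries only."""
    state = {"enableAll": "enable", "disableAll": "disable"}[action]
    return [replace(e, admin_state=state) if e.learning_mode == "Static" else e
            for e in entries]


def channels_for_report(group, entries, net):
    """Resolve an IGMPv1/IGMPv2 report for `group` into (S,G) channels.

    Returns None when the group is outside the SSM range (not an SSM group),
    and an empty list when the group is in range but no enabled entry maps it,
    which is the case the guide describes as blocking a source for a group.
    """
    g = ipaddress.ip_address(group)
    if g not in net:
        return None
    return sorted(
        (e.ip_source, e.ip_multicast_grp) for e in entries
        if ipaddress.ip_address(e.ip_multicast_grp) == g
        and e.admin_state == "enable"
    )


# Constructed sample table (documentation address ranges for the sources).
SAMPLE_MAP = [
    SsmMapEntry("232.1.1.1", "192.0.2.10"),
    SsmMapEntry("232.1.1.1", "192.0.2.20", admin_state="disable"),
    SsmMapEntry("232.1.1.2", "198.51.100.5", learning_mode="Dynamic"),
    SsmMapEntry("239.1.1.1", "192.0.2.30"),   # outside the default 232/8
]

if __name__ == "__main__":
    net = ssm_range()
    print("outside range:", entries_outside_range(SAMPLE_MAP, net))
    print("232.1.1.1 ->", channels_for_report("232.1.1.1", SAMPLE_MAP, net))
    blocked = apply_admin_action(SAMPLE_MAP, "disableAll")
    print("after disableAll:", channels_for_report("232.1.1.1", blocked, net))
```
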

Configuring multicast stream limitation on an interface


Configure multicast stream limitation to limit the number of concurrent multicast streams on the
interface. By limiting the number of concurrent multicast streams, you can protect the bandwidth on a
specific interface and control access to multicast streams.

About This Task

You can configure the maximum number of streams independently. After the number of streams
reaches the limit, the interface drops additional join reports for new streams. You can control the overall
bandwidth usage in addition to restricting users from receiving more than a specific limit of multicast
streams on an interface.

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure
1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the StreamLimit tab.
4. To change the status of an interface, double-click on the StreamLimitEnable field for the interface,
and then select enable or disable from the menu. If the interface is enabled, you can edit the
Maximum Number of Stream field.
5. Click Apply.

StreamLimit field descriptions


Use the data in the following table to use the StreamLimit tab.

Name Description
Interface Displays the slot and port number or VLAN ID for this interface.
StreamLimitEnable Enables or disables stream limitation on this interface.
Maximum Number Of Stream Configures the maximum number of streams allowed on this
interface. The range is from 0–65535, and the default is 4.
Current Number Of Stream Displays the current number of streams received on this interface.
This value is a read-only value.

Configuring multicast stream limitation on a VLAN


Configure multicast stream limitation to limit the number of concurrent multicast streams on the VLAN.
By limiting the number of concurrent multicast streams, you can protect the bandwidth on a specific
VLAN and control access to multicast streams.

About This Task

You can configure the maximum number of streams independently. After the number of streams
reaches the limit, the VLAN drops additional join reports for new streams. You can control the overall
bandwidth usage in addition to restricting users from receiving more than a specific limit of multicast
streams on an interface.

Procedure

1. In the navigation pane, expand the following folders: Configuration > VLAN.
2. Click VLANs.
3. Click the Basic tab.
4. Select a VLAN.
5. Click IP.
6. Click the IGMP tab.
7. For StreamLimitEnable, select enable.
8. Configure the maximum number of streams.
9. Click Apply.

Configuring multicast stream limitation on a port


Configure multicast stream limitation to limit the number of concurrent multicast streams on the port.
Limit the number of streams to protect the bandwidth on a specific port and control access to multicast
streams.

Procedure

1. On the Device Physical View tab, select a port.
2. In the navigation pane, expand the following folders: Configuration > Edit > Port.
3. Click IP.
4. Click the IGMP tab.
5. In the StreamLimitEnable field, select the Enable option button.
6. Configure the maximum number of streams.
7. Click Apply.

Configuring multicast stream limitation members


Configure multicast stream limitation members on ports of the specified interface to configure the
maximum number of streams on the interface.

About This Task

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the StreamLimit Members tab.
4. Click Insert.
5. Type the number of the VLAN to which you want to add a member or click Vlan to select an ID from
the list.
6. Type the number of the slot and port that you want to add as a member or click Port, and then
select one from the graphic display. If your platform supports channelization for 40 Gbps ports and
the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

Important
You must select one of the ports in the VLAN that you selected in step 4.

7. Type a maximum number of streams or accept the default of 4.
8. Click Insert.

StreamLimit Members field descriptions


Use the data in the following table to use the StreamLimit Members tab.

Name Description
IfIndex Displays the ID of the VLAN.
Port Lists each slot and port number for this interface with stream
limitation enabled.
Identifies the slot and port in one of the following formats:
a single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/port,slot/
port,slot/port). If the platform supports channelization and the
port is channelized, you must also specify the sub-port in the
format slot/port/sub-port.
MaxStreams Configures the maximum number of allowed streams for this
specific port. The number of allowed streams cannot exceed the
maximum number for the interface. The range is from 0–65535
and the default is 4.
NumStreams Displays the current number of streams received on this interface.
This value is a read-only value.

Deleting multicast stream limitation member


Delete a multicast stream limitation member from an interface to remove it from the configuration.

About This Task

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the StreamLimit Members tab.
4. Click on the row that lists the member you want to delete.
5. Click Delete.

Configuring the IGMP interface


Configure the IGMP interface to change global IGMP values for the interface. Use the Interface tab to
view or edit the IGMP interface table.

About This Task

If an interface does not use an IP address, the system does not display it in the IGMP table. If
an interface uses an IP address, but PIM-SM is not enabled, the system displays the interface as
notInService in the Status field.

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Interface tab.
4. Edit the appropriate information.
5. Click Apply.


Interface Field Descriptions


Use the data in the following table to use the Interface tab.

Name Description
IfIndex Shows the interface where IGMP is enabled.
QueryInterval Configures the frequency (in seconds) at which the interface
transmits IGMP host query packets. The default is 125.
Status Shows the IGMP row status. If an interface uses an IP address
and PIM-SM is enabled, the status is active. Otherwise, it is
notInService.
Version Configures the version of IGMP (1, 2, or 3) that you want to
configure on this interface. For IGMP to function correctly, all
routers on a LAN must use the same version. The default is
version 2.
OperVersion Shows the version of IGMP that currently runs on this interface.
Querier Shows the address of the IGMP querier on the IP subnet to which
this interface attaches.
QueryMaxResponseTime Configures the maximum response time (in tenths of a second)
advertised in IGMPv2 general queries on this interface. You cannot
configure this value for IGMPv1.
Smaller values allow a router to prune groups faster. The default is
100 tenths of a second (equal to 10 seconds).

Important:
You must configure this value lower than the QueryInterval.

WrongVersionQueries Shows the number of queries received with an IGMP version that
does not match the interface. You must configure all routers on
a LAN to run the same version of IGMP. If the interface receives
queries with the wrong version, this value indicates a version
mismatch.
Joins Shows the number of times this interface added a group
membership, which is the same as the number of times an entry
for this interface is added to the cache table. This number gives an
indication of the amount of IGMP activity over time.
Robustness Tunes for the expected packet loss of a network. This value is
equal to the number of expected query packet losses for each
serial query interval, plus 1. If you expect a network to lose query
packets, increase the robustness value.
The default value of 2 means that the switch drops one query for
each query interval without the querier aging out.
LastMembQueryIntvl Configures the maximum response time (in tenths of a second)
inserted into group-specific queries sent in response to leave
group messages. This value is also the time between group-
specific query messages. You cannot configure this value for
IGMPv1.
Decrease the value to reduce the time to detect the loss of the
last member of a group. The range is from 0–255 and the default
is 10 tenths of a second. As a best practice, configure this parameter
to values greater than 3. If you do not need a fast leave process,
you can configure values greater than 10. (The value 3 is equal to
0.3 seconds and 10 is equal to 1 second.)
OtherQuerierPresent Timeout Shows the length of time that must pass before a multicast router
determines that no other querier exists. If the local router is the
querier, the value is 0.
FlushAction Configures the flush action to one of the following:
• none
• flushGrpMem
• flushMrouter
• flushSender

RouterAlertEnable Instructs the router to ignore IGMP packets that do not contain
the router alert IP option. If you disable this variable (default
configuration), the router processes IGMP packets regardless of
the status of the router alert IP option.

Important:
To maximize network performance, configure this parameter
according to the version of IGMP currently in use.
• IGMPv1—Disable
• IGMPv2—Enable
• IGMPv3—Enable

SsmSnoopEnable Enables SSM snoop.
SnoopQuerierEnable Enables IGMP Layer 2 Querier.
SnoopQuerierAddr Specifies the pseudo address of the IGMP snoop querier.
ExplicitHostTrackingEnable Enables or disables IGMPv3 to track hosts for each channel or
group. The default is disabled. You must select this field if you
want to use fast leave for IGMPv3.
McastMode Indicates the protocol configured on the VLAN.
• snoop — Indicates IGMP snooping is enabled on a VLAN.
• snoop-spb — Indicates IGMP is enabled on a VLAN with an
associated I-SID (IP multicast over Fabric Connect for a Layer 2
VSN).
• pim — Indicates PIM is enabled.
• routed-spb — Indicates IP multicast over Fabric Connect is
enabled on the Layer 3 VSN or for IP Shortcuts.
ExtnUpnpFilterEnable Enables Universal Plug and Play (uPnP) Filtering to filter multicast
packets destined for a specific range.
The default is disabled.
ExtnUpnpFilterAddress Indicates the multicast destination IP address to filter on an IGMP-
enabled interface.
The default is 239.255.255.250/32.
ExtnUpnpFilterAddressMask Indicates the IGMP uPnP Filtering IP subnet to which this interface
is attached.
SnoopOrigin Specifies the origin of IGMP Snooping configuration on the port.
The supported values are:
• config - Set by the user.
• radius - Set by the Remote Authentication Dial-In User Service
(RADIUS) attribute.
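
The following added example (not from the VOSS documentation or software) audits rows of the Interface tab against the constraints stated in the table above: the unit-converted QueryMaxResponseTime and QueryInterval comparison, the LastMembQueryIntvl range and best practice, the RouterAlertEnable setting for each IGMP version, Robustness, and WrongVersionQueries. The row class, the function names, and the sample rows are constructed; the group membership interval formula comes from RFC 2236, not from this guide.

```python
from dataclasses import dataclass


@dataclass
class IgmpInterfaceRow:
    if_index: str                        # IfIndex
    version: int = 2                     # Version (default 2)
    query_interval: int = 125            # QueryInterval, seconds
    query_max_response_time: int = 100   # QueryMaxResponseTime, tenths of a second
    robustness: int = 2                  # Robustness
    last_memb_query_intvl: int = 10      # LastMembQueryIntvl, tenths of a second
    router_alert_enable: bool = False    # RouterAlertEnable (default disabled)
    wrong_version_queries: int = 0       # WrongVersionQueries (read-only counter)


def audit_row(row):
    """Return (IfIndex, field, message) findings for one interface row."""
    findings = []

    def flag(field, message):
        findings.append((row.if_index, field, message))

    # These two timers cannot be configured for IGMPv1, so skip them there.
    if row.version != 1:
        qmrt_seconds = row.query_max_response_time / 10
        if qmrt_seconds >= row.query_interval:
            flag("QueryMaxResponseTime",
                 f"{qmrt_seconds:g}s is not lower than QueryInterval "
                 f"{row.query_interval}s")
        if not 0 <= row.last_memb_query_intvl <= 255:
            flag("LastMembQueryIntvl", "outside the range 0-255")
        elif row.last_memb_query_intvl <= 3:
            flag("LastMembQueryIntvl", "best practice is a value greater than 3")

    # IGMPv1: disable; IGMPv2 and IGMPv3: enable.
    want_alert = row.version != 1
    if row.router_alert_enable != want_alert:
        flag("RouterAlertEnable",
             f"should be {'enabled' if want_alert else 'disabled'} "
             f"for IGMPv{row.version}")

    # Robustness is the number of expected query losses plus 1.
    if row.robustness < 2:
        flag("Robustness", "no lost query is tolerated per query interval")

    if row.wrong_version_queries > 0:
        flag("WrongVersionQueries",
             f"{row.wrong_version_queries} queries with a mismatched version; "
             "check that all routers on the LAN run the same IGMP version")
    return findings


def group_membership_interval(row):
    """Seconds before a silent group ages out (RFC 2236 formula, an addition)."""
    return row.robustness * row.query_interval + row.query_max_response_time / 10


# Constructed sample rows.
SAMPLE_ROWS = [
    IgmpInterfaceRow("V10"),                                    # table defaults
    IgmpInterfaceRow("V20", query_interval=10, robustness=1,
                     last_memb_query_intvl=2, router_alert_enable=True,
                     wrong_version_queries=7),
    IgmpInterfaceRow("V30", version=1),
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        for finding in audit_row(r):
            print(*finding, sep=" | ")
```
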

Configuring IGMP sender entries


Configure IGMP sender entries to identify a source that sends multicast data to a multicast group.

About This Task

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Sender tab.
4. Change the appropriate options.
5. Click Apply.

Sender field descriptions


Use the data in the following table to use the Sender tab.

Name Description
IfIndex Specifies the interface where you enabled the IGMP entry.
GrpAddr Specifies the multicast group address of the multicast stream.
Within the indicated valid range (224.0.0.0 to 239.255.255.255),
the following are invalid addresses: 244.0.0.x and the
corresponding 31 multicast addresses that map to the IP MAC
addresses. If you try to select them, you receive an invalid
message.
MemberAddr Specifies the IP address of a host.
Action Flushes an entry or a group.
TPort Identifies the T port.
State Indicates whether a sender exists because of an IGMP access filter.
The options are filtered and not filtered.
L2Isid Specifies the Layer 2 I-SID of the C-VLAN.
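
The GrpAddr descriptions on the Static and Sender tabs both refer to a reserved block and the 31 other group addresses that share its MAC addresses. The following added example (not from the VOSS documentation or software) shows where those 31 addresses come from, using the standard IPv4 multicast mapping that copies the low 23 bits of the group address into a 01:00:5e MAC address. It assumes the reserved block is the local network control block 224.0.0.x; all function names are constructed.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 to 239.255.255.255
LOW23 = 0x7FFFFF                                  # bits copied into the MAC


def _group(addr):
    ip = ipaddress.IPv4Address(addr)
    if ip not in MULTICAST:
        raise ValueError(f"{ip} is not an IPv4 multicast group address")
    return ip


def multicast_mac(group):
    """Ethernet MAC address used for an IPv4 multicast group."""
    mac = (0x01005E << 24) | (int(_group(group)) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_aliases(group):
    """All 32 group addresses that map to the same MAC address as `group`."""
    low = int(_group(group)) & LOW23
    # 28 group bits minus 23 mapped bits leaves 5 bits, so 32 aliases.
    return [ipaddress.IPv4Address((0xE << 28) | (hi << 23) | low)
            for hi in range(32)]


def aliases_reserved_block(group):
    """True if `group` shares a MAC address with a 224.0.0.x address (assumed block)."""
    return (int(_group(group)) & LOW23) < 256


def first_invalid_in_range(grp_addr, to_grp_addr=None):
    """First address in GrpAddr..ToGrpAddr that aliases 224.0.0.x, or None.

    With no ToGrpAddr, GrpAddr is the single address, as on the Static tab.
    """
    start = int(_group(grp_addr))
    end = int(_group(to_grp_addr)) if to_grp_addr else start
    if end < start:
        raise ValueError("ToGrpAddr is lower than GrpAddr")
    if (start & LOW23) < 256:
        return ipaddress.IPv4Address(start)
    # The next aliasing address is the start of the next 2**23 block.
    next_block = ((start >> 23) + 1) << 23
    return ipaddress.IPv4Address(next_block) if next_block <= end else None


if __name__ == "__main__":
    print(multicast_mac("224.0.0.5"), multicast_mac("239.128.0.5"))
    print(first_invalid_in_range("232.255.255.250", "233.0.0.1"))
```
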

Configuring Fast Leave Mode


Configure fast leave mode to control all IGMP fast leave enabled interfaces.

Before You Begin


• You must enable explicit-host-tracking before configuring fast-leave mode. To enable explicit-
host-tracking, see Configuring IGMP parameters on a port on page 1560 and Configuring IGMP
parameters on a VLAN on page 1563.

About This Task

Fast leave relies on an alternative leave process where the switch stops sending traffic for the group
immediately after it receives a leave message, without issuing a query to check if other group members
exist on the network. Use this global parameter to alter the leave processing on fast leave enabled
IGMPv2, IGMPv3, and IGMP snoop interfaces.

Important
Fast leave mode applies only to fast leave enabled IGMP interfaces.

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Global tab.
4. Select the mode.
5. Click Apply.


Global field descriptions


Use the data in the following table to use the Global tab.

Name Description
FastLeaveMode Configures the mode to one of the following values:
• multipleUser: Removes from the group only the IGMP member who
sent the leave message. Traffic does not stop if other receivers exist
on the interface port. This value is the default.
• oneUser: Removes all group members on a fast leave enabled
interface port after receiving the first leave message from a
member. This behavior is the same as the conventional fast leave
process.

GenerateTrap Generates a trap. The default is disable.
GenerateLog Generates a log message. The default is disable.

Configuring multicast access control for an interface


Configure multicast access control for a selected IGMP interface or VLAN to restrict access to certain
multicast streams and to protect multicast streams from spoofing (injecting data to the existing
streams).

About This Task

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Access Control tab.
4. Click Insert.
5. Type the number of the slot and port or VLAN ID that you want to add as a member or click the
appropriate button, and then select one from the graphic display.
6. Click the ellipsis button (...) next to PrefixListId.
7. Select a prefix list ID.
8. Click OK.
9. Type the host address and host mask.
10. Select the action mode that you want for the specified host.
11. Click Insert.


Access Control field descriptions


Use the data in the following table to use the Access Control tab.

Name Description
IfIndex Specifies the interface where the IGMP entry is enabled.
PrefixListId Specifies a numeric string that identifies the prefix list.
HostAddr Specifies the IP address of the host.
HostMask Specifies the subnet mask that determines the host or hosts
covered by this configuration. You can use the host subnet mask
to restrict access to a portion of the network for the host.
PrefixListName Specifies the name of the prefix list.
ActionMode Specifies the action for the host identified by HostAddr. The
options include the following:
• denied IP multicast transmitted traffic (deny-tx).
• denied IP multicast received traffic (deny-rx).
• denied both IP multicast transmitted and received traffic
(deny-both).
• allowed IP multicast transmitted traffic (allow-only-tx).
• allowed IP multicast received traffic (allow-only-rx).
• allowed both IP multicast transmitted and received traffic
(allow-only-both).

Viewing IGMP cache information


View IGMP cache information to view the group for which members exist on a specific interface.

About This Task

You can view IGMP information on a VRF instance the same way you view the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Cache tab.

Cache field descriptions


Use the data in the following table to use the Cache tab.

Name Description
Address Shows the IP multicast group address for this entry that contains this
information.
IfIndex Shows the interface from which the corresponding multicast group address
is heard.
LastReporter Shows the IP address of the source of the last membership report received
for this IP multicast group address on this interface. If no membership report
is received, the object uses the value 0.0.0.0.
ExpiryTime Shows the amount of time (in seconds) that remains before this entry ages
out.
Version1HostTimer Shows the time that remains until the local router assumes that no IGMPv1
members exist on the IP subnet attached to the interface. Upon hearing an
IGMPv1 membership report, this value resets to the group membership
timer. When the time that remains is nonzero, the local router ignores
IGMPv2 leave messages for this group that it receives on this interface.
Type Shows the type of IGMP entry.
StaticPorts Shows the static ports associated with the entry.

Viewing IGMPv3 cache


View the IGMPv3 specific data corresponding to each interface, port, and multicast group pair on a
router.

About This Task

You can view IGMP information on a VRF instance the same way you view the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the IGMPv3 Cache tab to view the IGMPv3 cache information.

IGMPv3 Cache field descriptions


Use the data in the following table to use the IGMPv3 Cache tab.

Name Description
GroupAddress Specifies the Multicast group Address (Class D) that others
want to join. A group address can be the same for many
incoming ports.
IfIndex A unique value to identify a physical interface or a logical
interface (VLAN), which has received Group reports from
various sources.
InPort A unique value to identify a physical interface or a logical
interface (VLAN), which has received Group reports from
various sources.
ModeExpiryTimer Represents the time remaining before the interface
EXCLUDE state expires and the interface state transitions
to INCLUDE mode. This value is applicable only to IGMPv3-
compatible nodes.
Version1HostTimer Specifies the time remaining until the local router assumes
that there are no longer any IGMP version 1 members on
the IP subnet attached to this interface. This entry only
applies to IGMPv1 hosts. Upon hearing any IGMPv1 report,
this value is reset to the group membership timer. While
this time remaining is non-zero, the local router ignores any
IGMPv2 Leave messages for this group that it receives on
this interface.
Version2HostTimer Specifies the time remaining until the local router assumes
that there are no longer any IGMP version 2 members on
the IP subnet attached to this interface. Upon hearing any
IGMPv2 membership report, this value is reset to the group
membership timer. Assuming no IGMPv1 hosts have been
detected, the local router does not ignore any IGMPv2 Leave
messages for this group that it receives on this interface.
SourceFilterMode Specifies the current group state, applicable to IGMPv3-
compatible nodes. The value indicates whether the state is
INCLUDE or EXCLUDE.

Viewing and editing multicast router discovery information


View multicast router discovery information to view the current configuration.

About This Task

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Multicast Router Discovery tab.
4. To edit the current configuration, double-click the value, make the change, and then click Apply.

Multicast Router Discovery field descriptions


Use the data in the following table to use the Multicast Router Discovery tab.

Name Description
Interface Shows the interface where IGMP is enabled.
MrdiscEnable Enables (true) or disables (false) the router interface to listen for
multicast router discovery messages to determine where to send
multicast source data and IGMPv2 reports. If you enable snoop,
you automatically enable multicast router discovery.
DiscoveredRouterPorts Lists ports that the Multicast Router Discovery (MRDISC) protocol
discovers.

Important:
The switch does not support the MRDISC protocol on brouter
ports.

MaxAdvertiseInterval Shows the maximum time allowed between sending router
advertisements from the interface, in seconds. The range is from
2–180 seconds. The default is 20 seconds.
MinAdvertiseInterval Shows the minimum time allowed between sending unsolicited
router advertisements from the interface, in seconds. This value
must be more than 3 seconds but no greater than the value
assigned to the MaxAdvertiseInterval value.
MaxInitialAdvertiseInterval Configures the maximum number (in seconds) of multicast
advertisement intervals that you can configure on the switch.
MaxInitialAdvertisements Configures the maximum number of initial multicast
advertisements that you can configure on the switch.
NeighborDeadInterval Shows the time interval (in seconds) before the router interface
drops traffic after a user leaves the multicast group.

Viewing the IGMP router source list


View the source list entries corresponding to each interface and multicast group pair on a router.

About This Task

You can view IGMP information on a VRF instance the same way you view the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Igmp Router Source List tab to view the IGMPv3 cache information.

Igmp router source list field descriptions


Use the data in the following table to use the Igmp Router Source List tab.

Name Description
GroupAddress Specifies the IP multicast group address for which this entry
contains information.
IfIndex Specifies the interface for which this entry contains
information for an IP multicast group address.
InPort Specifies a unique value to identify a physical interface or a
logical interface (VLAN), which has received Group reports
for this source.

HostAddress Specifies the host address to which this entry corresponds.
MemberAddress Specifies the IP address of a member that has sent a
source-specific report to join this source.
Expire This value indicates the relevance of the source list entry,
where a non-zero value indicates this is an INCLUDE state
value, and a zero value indicates this to be an EXCLUDE state
value.
Mode Specifies the current member state, applicable to IGMPv3-
compatible nodes. The value indicates whether the state is
INCLUDE or EXCLUDE.
MemberExpire This value indicates the time until the member for this source
expires.

Viewing IGMP snoop information


View information about IGMP snoop to see the current configuration.

About This Task

You can configure IGMP on a VRF instance the same way you configure the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click IGMP.
3. Click the Snoop tab.

Snoop field descriptions


Use the data in the following table to use the Snoop tab.

Name Description
Interface Shows the VLAN ID for the VLAN.
SnoopEnable Shows the status of IGMP snoop. IGMP snoop works only if a
multicast router exists in the VLAN.
SsmSnoopEnable Shows the status of SSM snoop.
ProxySnoopEnable Indicates whether the IGMP report proxy feature is enabled. If you
enable this feature, the switch forwards reports from hosts to the
multicast router once for each group for each query interval, or
after new group information is available. If you disable this feature,
the switch forwards all reports from different hosts to multicast
routers, and can forward more than one group report for the same
multicast group for each query interval. The default is enabled.
FastLeaveEnable Shows the status of fast leave for this port.
FastLeavePortMembers Lists ports that are enabled for fast leave.

SnoopMRouterPorts Shows the configuration of ports as multicast router ports. Such
ports attach to a multicast router, and forward multicast data and
group reports to the router.

Important:
Configure this variable only if you use multiple multicast routers
that do not attach to one another, but attach to the VLAN
(technically, an invalid configuration). If multicast routers use a
route between them (the valid configuration) and you configure
this variable, a multicast loop forms.

SnoopActiveMRouterPorts Shows the active multicast router ports. Active multicast router
ports are ports that directly attach to a multicast router. These
ports include the querier port and all ports in the forwarding state
that you configure as well as those that were dynamically learned
through receiving queries.
SnoopMRouterExpiration Indicates the time that remains before the multicast router ages
out. If the switch does not receive queries before this time expires,
it flushes out all group memberships known to the VLAN. The
query maximum response interval (obtained from the queries
received) is used as the timer resolution.

View IGMP Snoop Trace Information


View the multicast group trace to track the data flow path of multicast streams.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Click IGMP.
3. Click the Snoop Trace tab.

Snoop Trace Field Descriptions


Use the data in the following table to use the Snoop Trace tab.

Name Description
GrpAddr Displays the IP multicast address of the group traversing the router.
SrcAddr Displays the IP source address of the multicast group.
OutVlan Displays the egress VLAN ID for the multicast group.
InPort Displays the ingress port for the multicast group.
InVlan Displays the ingress VLAN ID for the multicast group.
OutPort Displays the egress port of the multicast group.
Type Displays the port type on which the snoop entry is learned.


View IGMP Group Information


View information about IGMP groups to see the current group operation on the switch.

About This Task

Note
The following procedure displays the dynamically learned IGMP groups. IP > IGMP > Static
displays statically configured IGMP groups. This is in contrast to the CLI command show
ip igmp group, which displays both dynamically learned and statically configured IGMP
groups, and the CLI command show ip igmp static, which displays only the statically
configured groups.

You can view IGMP information on a VRF instance the same way you view the Global Router except that
you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select IGMP.
3. Select the Groups tab.

Groups Field Descriptions


Use the data in the following table to use the Groups tab.

Name Description
IpAddress Shows the multicast group address (Class D). A group address
can be the same for many incoming ports.
Members Shows the IP address of the host that issues the membership
report to this group.
InPort Shows the port that receives the group membership report.
IfIndex Shows a unique value that identifies a physical interface or a
logical interface (VLAN) that receives the membership report.
Expiration Shows the time left before the group report expires on this port.
This variable is updated after the port receives a group report.

Route management using the CLI


With multicast route commands, you can configure and view IP multicast routing parameters on the
switch.

Configuring multicast stream limits


Limit the number of multicast streams to protect the CPU from multicast data packet bursts generated
by malicious applications, such as viruses that cause the CPU to reach 100 percent utilization or that
prevent the CPU from processing protocol packets or management requests. If more than a certain
number of multicast streams ingress to a CPU through a port during a sampling interval, the port shuts
down until you take appropriate action.


About This Task

You can enable or disable the mroute stream limit for the entire device or for individual ports when the
switch is operating. If you enable the mroute stream limit for the device and for an individual port, only
the periodic check is performed for that port.

Procedure

1. Enter Global Configuration mode:
enable
configure terminal
2. Enable stream limitation globally:
ip mroute stream-limit
3. Enter GigabitEthernet Interface Configuration mode:
interface gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
4. Enable stream limits:
ip mroute stream-limit
5. For Gigabit Ethernet interfaces, configure the maximum number of streams and the interval at which to sample:
ip mroute max-allowed-streams <1–32768> max-allowed-streams-timer-check <1–3600>
6. Show the mroute stream limit configuration:
show ip mroute interface gigabitethernet [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]

Example
Switch:1(config)#ip mroute stream-limit
Switch:1(config)#interface gigabitethernet 3/6
Switch:1(config-if)#ip mroute stream-limit
Switch:1(config-if)#ip mroute max-allowed-streams 1000 max-allowed-streams-timer-check 20


Variable definitions
Use the data in the following table to use the interface command.

Variable Value
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default,
VLAN IDs 1 to 4059 are configurable and the system reserves
VLAN IDs 4060 to 4094 for internal use. On switches that
support the vrf-scaling and spbm-config-mode boot
configuration flags, if you enable these flags, the system also
reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
VLAN and you cannot create or delete VLAN ID 1.
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of slots
and ports (slot/port-slot/port), or a series of slots and
ports (slot/port,slot/port,slot/port). If the platform supports
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.

Use the data in the following table to use the ip mroute command.

Variable Value
max-allowed-streams <1–32768> Configures the maximum number of streams on the
specified port. The port is shut down if the number of
streams exceeds this limit. The value is a number between
1–32768. The default value is 1984 streams. To configure this
option to the default value, use the default operator with
the command.
max-allowed-streams-timer-check <1–3600> Configures the sampling interval, which checks if the number
of ingress multicast streams to the CPU is under a configured
limit or if the port needs to shut down. The range is between
1–3600. The default value is 10 seconds. To configure this
option to the default value, use the default operator with
the command.
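
The following added example (not part of the guide and not Extreme Networks code) audits a planned list of stream-limit commands before they are pasted into a switch: it reports ports left without a limit, out-of-range values, and misspelled keywords. The command list is constructed for illustration, the function and class names are assumptions, and a port is treated as protected only when both the global and the per-port command are present.

```python
import re
from dataclasses import dataclass, field

# Defaults and ranges as given in the variable definitions for "ip mroute".
DEFAULT_STREAMS, STREAMS_RANGE = 1984, range(1, 32769)
DEFAULT_TIMER, TIMER_RANGE = 10, range(1, 3601)

IFACE = re.compile(r"^interface gigabitethernet (\S+)$", re.IGNORECASE)
LIMITS = re.compile(r"^ip mroute max-allowed-streams (\d+) "
                    r"max-allowed-streams-timer-check (\d+)$")


@dataclass
class PortPolicy:
    enabled: bool = False
    max_streams: int = DEFAULT_STREAMS
    timer_check: int = DEFAULT_TIMER


@dataclass
class Audit:
    global_enabled: bool = False
    ports: dict = field(default_factory=dict)     # port spec -> PortPolicy
    problems: list = field(default_factory=list)  # human-readable findings


def audit(commands: str) -> Audit:
    """Walk a command list and record the stream-limit state per port."""
    result = Audit()
    port = None  # None means Global Configuration mode
    for lineno, raw in enumerate(commands.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace
        if not line:
            continue
        iface = IFACE.match(line)
        limits = LIMITS.match(line)
        if iface:
            # A range such as 3/6-3/8 is kept as one key, not expanded.
            port = iface.group(1)
            result.ports.setdefault(port, PortPolicy())
        elif line == "exit":
            port = None
        elif line == "ip mroute stream-limit":
            if port is None:
                result.global_enabled = True
            else:
                result.ports[port].enabled = True
        elif limits and port is not None:
            streams, timer = int(limits.group(1)), int(limits.group(2))
            if streams in STREAMS_RANGE and timer in TIMER_RANGE:
                result.ports[port].max_streams = streams
                result.ports[port].timer_check = timer
            else:
                result.problems.append(f"line {lineno}: value out of range: {line}")
        elif line.startswith(("ip mroute stream-limit", "ip mroute max-allowed")):
            # Misspelled keywords, or limits entered outside interface mode.
            result.problems.append(f"line {lineno}: not applied: {line}")
    return result


def unprotected(result: Audit) -> list:
    """Ports without an effective limit.

    Assumption: a port counts as protected only when both the global and
    the per-port "ip mroute stream-limit" commands are present, which is
    what the procedure configures.
    """
    return sorted(p for p, pol in result.ports.items()
                  if not (result.global_enabled and pol.enabled))


# Constructed sample, not output captured from a switch.
SAMPLE = """\
ip mroute stream-limit
interface gigabitethernet 3/6
ip mroute stream-limit
ip mroute max-allowed-streams 1000 max-allowed-streams-timer-check 20
exit
interface gigabitethernet 3/7
ip mroute max-allowed streams 1000 max-allowed-streams-timer-check 20
exit
interface gigabitethernet 3/8
ip mroute stream-limit
ip mroute max-allowed-streams 40000 max-allowed-streams-timer-check 20
exit
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, policy in report.ports.items():
        print(name, policy)
    print("unprotected:", unprotected(report))
    print(*report.problems, sep="\n")
```
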

Configuring multicast static source groups


Configure static source group entries in the Protocol Independent Multicast (PIM) multicast routing
table. The PIM cannot prune these entries from the distribution tree.

Before You Begin


• Before you can configure a static source group, you must globally enable one of the following
protocols:
◦ PIM-Sparse Mode (SM)
◦ PIM-Source Specific Multicast (SSM)

About This Task

Even if no receivers exist in the group, the multicast stream for a static source group entry remains
active.


The maximum number of static source groups must not exceed 1024.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure a static source group entry:
ip mroute static-source-group <A.B.C.D> <A.B.C.D/X>

Example

Create a static source group for two multicast groups: 224.32.2.1 and 226.50.2.2. The static source group
for group 224.32.2.1 is for a source subnet 10.10.10.0/24. The static source group for group 226.50.2.2 is
for the host 20.20.20.100/32.
Switch:1(config)# ip mroute static-source-group 224.32.2.1 10.10.10.0/24
Switch:1(config)# ip mroute static-source-group 226.50.2.2 20.20.20.100/32

Variable definitions
Use the definitions in the following table to use the ip mroute static-source-group command.

Variable Value
A.B.C.D Specifies the IP address of the multicast group. Use the no
operator to later remove this configuration.
A.B.C.D/X Specifies the multicast source IP address and subnet
mask for the static source group entry. You cannot create
duplicate groups. How you configure the source address
depends on the protocol and mode you use.
Use the no operator to later remove this configuration.

Configuring IP multicast software forwarding


When you use the IP multicast software forwarding feature you can avoid initial data loss experienced
by multicast applications; this is suitable for low bandwidth conditions.

When you configure the IP multicast software forwarding feature the system forwards the initial packets
of an IP multicast data stream it receives and creates a corresponding hardware record for subsequent
packets.

By default, multicast software forwarding is disabled.

About This Task

Note
This procedure is supported only on a DvR Controller. It is not supported on a DvR Leaf node.

IP multicast software forwarding is a global system configuration feature that is only applicable to
traditional PIM protocol and IGMP Snooping protocols, not SPB-PIM Gateway or Layer 3 VSN SPB
Multicast. If you enable IP multicast software forwarding, the hardware continues to forward IP multicast
traffic. The software only forwards initial data traffic.

After a new data stream arrives, the first data packet is sent to the CPU, which programs the multicast
route in hardware, and all packets that arrive subsequent to this programming are forwarded by
hardware only.

If you enable software forwarding, all initial packets received before hardware programming is complete
are sent to the CPU for forwarding and packet suppression by the hardware is disabled.

If you do not enable software forwarding, only the first data packet is sent to the CPU and subsequent
packets are suppressed by the hardware so that the CPU is not overwhelmed with traffic. During this
time, packets suppressed by the hardware are dropped.

Important
To avoid overloading the CPU, ensure that you do not use the IP multicast software
forwarding feature for video multicast applications.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable software forwarding:
multicast software-forwarding
3. Show the software forwarding configuration:
show multicast software-forwarding

Example
Switch:1#show multicast software-forwarding

================================================================================
Mcast Software Forwarding - GlobalRouter
================================================================================
McastSoftwareForwarding :enabled

Configuring the resource usage counter for multicast streams


Configure the resource usage counters to query the number of ingress and egress IP multicast streams
traversing the switch.

About This Task

Note
This procedure is supported only on a DvR Controller. It is not supported on a DvR Leaf node.

After you configure the counter thresholds for ingress and egress records, if the record usage exceeds
the threshold, you receive notification by a trap on the console, a logged message, or both.


If you do not configure the thresholds, the system displays only the ingress and egress records currently
in use.

You can configure the resource usage counter on a VRF instance the same way you configure the
Global Router except that you must use VRF Router Configuration mode.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure the thresholds:
ip mroute resource-usage egress-threshold <0–32767> ingress-threshold <0–32767>
3. Configure one of the following notification methods:
• Configure a log-only notification method:

ip mroute resource-usage log-msg


• Configure a trap-only notification method:

ip mroute resource-usage trap-msg


• Configure both notification methods:

ip mroute resource-usage log-msg trap-msg

Example

Configure the egress threshold to 200.


Switch:1(config)# ip mroute resource-usage egress-threshold 200

Configure the ingress threshold to 100.


Switch:1(config)# ip mroute resource-usage ingress-threshold 100

Enable the log message notification method.


Switch:1(config)# ip mroute resource-usage log-msg


Variable definitions
Use the data in the following table to use the ip mroute resource-usage command.

Variable Value
egress-threshold <0–32767> Configures the egress record threshold (S,G). The
system sends a notification message after the number
of streams exceeds a threshold level.
To configure this option to the default value, use the
default operator with the command. The default is 0.
ingress-threshold <0–32767> Configures the ingress record threshold. The system
sends a notification message after the number of
streams exceeds a threshold level.
To configure this option to the default value, use the
default operator with the command. The default is 0.

Configuring prefix lists


Configure a prefix list to allow or deny specific route updates. A prefix list policy specifies route prefixes
to match. After a match occurs, the system uses the route.

The prefix list contains a set of contiguous or noncontiguous routes. Reference prefix lists by name from
within a routing policy.

About This Task

Important
When you configure a prefix list for a route policy, add the prefix as a.b.c.d/32. You must enter
the full 32-bit mask to match a specific IP address exactly.

You configure prefix lists on a VRF instance the same way you configure the GlobalRouter, except that
you must use VRF Router Configuration mode.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Configure a prefix list:
ip prefix-list WORD<1-64> {A.B.C.D/X} [ge <0–32>] [le <0–32>]
3. (Optional) Rename an existing prefix list:
ip prefix-list WORD<1-64> name WORD<1-64>
4. Display the prefix list:
show ip prefix-list [prefix {A.B.C.D}] [vrf WORD<1-16>] [vrfids WORD<0-512>] [WORD<1-64>]


Example

Configure a prefix-list. Display the prefix list.


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ip prefix-list LIST1 47.17.121.50/255.255.255.0
Switch:1(config)#show ip prefix-list LIST1
================================================================================
Prefix List - GlobalRouter
================================================================================

PREFIX MASKLEN FROM TO


--------------------------------------------------------------------------------

List 1 LIST1:
47.17.121.50 24 24 24
1 Total Prefix List entries configured
--------------------------------------------------------------------------------
Name Appendix for Lists Converted from Old Config:
@A=conv addr list, @N=conv net list, @NR=conv net list modified as range

Variable definitions
The following table defines parameters for the ip prefix-list command.

Variable Value
{A.B.C.D/X} Specifies the IP address and the mask in one of the following
formats:
• a.b.c.d/x
• a.b.c.d/x.x.x.x
• default

ge <0–32> Specifies the minimum length to match.
Lower bound and higher bound mask lengths together can
define a range of networks.
le <0–32> Specifies the maximum length to match.
Lower bound and higher bound mask lengths together can
define a range of networks.
name WORD<1-64> Renames the specified prefix list. The name length is 1–64
characters.
WORD<1-64> Specifies the name for a new prefix list.

The following table defines parameters for the show ip prefix-list command.

Variable Value
{A.B.C.D} Specifies the prefix to include in the command output.
vrf WORD<1-16> Specifies the name of the VRF.

vrfids WORD<0-512> Specifies the ID of the VRF and is an integer in the range of
0–512.
WORD<1-64> Specifies a prefix list, by name, to use for the command
output.

The following table defines parameters for the show ip prefix-list command output.

Variable Value
PREFIX Indicates the member of a specific prefix list.
MASKLEN Indicates the prefix mask length in bits.
FROM Indicates the prefix mask starting point in bits.
TO Indicates the prefix mask endpoint in bits.
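
The following added example (not part of the guide and not Extreme Networks code) models how the MASKLEN, FROM and TO columns of an entry select routes, and shows why a host address entered with a 24-bit mask does not match that host's /32 route. The match rule follows the common prefix-list convention and the function names are assumptions; bounds the guide does not define are rejected, and the default keyword is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PrefixEntry:
    """One prefix-list row, mirroring the PREFIX/MASKLEN/FROM/TO columns."""
    network: ipaddress.IPv4Network  # PREFIX masked to MASKLEN bits
    from_len: int                   # FROM: shortest route mask accepted
    to_len: int                     # TO: longest route mask accepted


def parse_entry(prefix: str, ge: Optional[int] = None,
                le: Optional[int] = None) -> PrefixEntry:
    """Accept a.b.c.d/x or a.b.c.d/x.x.x.x, plus optional ge/le bounds."""
    # strict=False: host bits are allowed in the input and are masked off.
    net = ipaddress.IPv4Network(prefix, strict=False)
    # With no bounds, FROM = TO = MASKLEN, as in the example output above.
    from_len = net.prefixlen if ge is None else ge
    to_len = net.prefixlen if le is None else le
    # Assumption: reject ranges the guide does not define instead of guessing.
    if not net.prefixlen <= from_len <= to_len <= 32:
        raise ValueError(
            f"need {net.prefixlen} <= ge <= le <= 32 for {prefix}")
    return PrefixEntry(net, from_len, to_len)


def entry_matches(entry: PrefixEntry, route: str) -> bool:
    """True when the route's mask length is within FROM..TO and the
    route's first MASKLEN bits equal the entry's prefix."""
    candidate = ipaddress.IPv4Network(route, strict=True)
    return (entry.from_len <= candidate.prefixlen <= entry.to_len
            and candidate.subnet_of(entry.network))


def first_match(entries: Iterable[PrefixEntry],
                route: str) -> Optional[PrefixEntry]:
    """Return the first entry in the list that matches, or None."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry
    return None


if __name__ == "__main__":
    # Constructed routes; the first entry is the one from the guide's example.
    wide = parse_entry("47.17.121.50/255.255.255.0")
    host = parse_entry("47.17.121.50/32")
    ranged = parse_entry("10.10.0.0/16", ge=24, le=28)
    for label, entry, route in [
        ("/24 entry vs subnet route", wide, "47.17.121.0/24"),
        ("/24 entry vs host route", wide, "47.17.121.50/32"),
        ("/32 entry vs host route", host, "47.17.121.50/32"),
        ("ge 24 le 28 vs /24 route", ranged, "10.10.5.0/24"),
        ("ge 24 le 28 vs /16 route", ranged, "10.10.0.0/16"),
    ]:
        print(f"{label}: {entry_matches(entry, route)}")
```
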

Route management using EDM


View or edit interface configuration information for Layer 3 IP multicast protocols on the switch.

View Multicast Route Information


View multicast route information for troubleshooting purposes.

This tab shows multicast routing information for IP datagrams from a particular source and addressed
to a particular IP multicast group address.

About This Task

Note
This procedure is supported on a DvR Controller; it is not supported on a DvR Leaf node.

You can view the multicast routes for a Layer 3 Virtual Services Network (VSN) the same way you view
the Global Router except that you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand Configuration > IP > Multicast.


2. Select the Routes tab.


Routes field descriptions


Use the data in the following table to use the Routes tab.

Name Description
Group Displays the IP multicast group address for this entry that contains
multicast routing information.
Source Displays the network address that, when combined with the
corresponding route SourceMask value, identifies the source that
contains multicast routing information.
SourceMask Displays the network mask that, when combined with the
corresponding route Source value, identifies the multicast source.
UpstreamNeighbor Shows the address of the upstream neighbor from which the IP
datagrams from these sources are received. The address is 0.0.0.0 if
the network is local.
Interface Displays the interface, slot and port number, or VLAN ID where IP
datagrams sent by these multicast sources to this multicast address are
received.
ExpiryTime Displays the amount of time that remains before this entry ages out.
The value 0 indicates that the entry is not subject to aging.
Protocol Displays the protocol as one of the following:
• other(1): none of the following
• local(2): manually configured
• netmgmt(3): configured by a network management protocol
• pimSparseMode(8): PIM-SMv2
• igmpOnly(10)
• pimSsmMode(11)
• spb(12)
• spbpimgw(13)

View Multicast Next-Hop Information


View all multicast next-hop information.

This tab shows information about the next hops used by outgoing interfaces to route IP multicast
datagrams. Each entry is one in a list of next hops on outgoing interfaces for particular sources that
send to a particular multicast group address.

About This Task

You can view the multicast routes for a Layer 3 Virtual Services Network (VSN) the same way you view
the Global Router except that you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select Multicast.
3. Select the Next Hops tab.


Next Hops field descriptions


Use the data in the following table to use the Next Hops tab.

Name Description
Group Displays the IP multicast group for this entry that specifies a next hop
on an outgoing interface.
Source Displays the network address that, when combined with the
corresponding next hop SourceMask value, identifies the source for this
entry that specifies a next hop on an outgoing interface.
SourceMask Displays the network mask that, when combined with the
corresponding next hop Source value, identifies the source for this
entry that specifies a next hop on an outgoing interface.
ReceiverPort Displays the receiver port for this next hop.
OutInterface Displays the interface slot and port number or VLAN ID for the
outgoing interface for this next hop.
Address Displays the address of the next hop specific to this entry. For
most interfaces, it is identical to the next-hop group. Non Broadcast
Multiple Access (NBMA) interfaces, however, can use multiple next hop
addresses out of a single outgoing interface.
State Displays whether the outgoing interface and next hop represented
by this entry currently forward IP datagrams. A value of forwarding
indicates the information is currently used; pruned indicates it is not
used.
UpTime Displays the up time for this entry.
ExpiryTime Displays the minimum amount of time that remains before this entry
ages out. The value 0 indicates that the entry is not subject to aging.
ClosestMemberHops Displays the minimum number of hops between this router and
members of the IP multicast group reached through the next hop on
this outgoing interface. IP multicast datagrams for the group that use
a time-to-live less than this number of hops are not forwarded to the
next hop.
Protocol Displays the protocol as one of the following:
• other(1): none of the following
• local(2): manually configured
• netmgmt(3): configured by a network management protocol
• pimSparseMode(8): PIM-SMv2
• igmpOnly(10)
• pimSsmMode(11)
• spb

Pkts Displays the number of next hop packets.

View Multicast Interface Information


View multicast interface information to verify the multicast configuration.

This tab shows multicast routing information specific to interfaces.


About This Task

You can view multicast interface information for a Layer 3 VSN the same way you view the Global
Router except that you must first launch the appropriate VRF context.

Note
This procedure is supported on a DvR Controller; it is not supported on a DvR Leaf node.

Procedure

1. In the navigation pane, expand Configuration > IP.


2. Select Multicast.
3. Select the Interfaces tab.

Interfaces field descriptions


Use the data in the following table to use the Interfaces tab.

Name Description
Interface Displays the slot and port number or VLAN ID for this entry.
Ttl Displays the datagram time-to-live (TTL) threshold for the interface. IP multicast
datagrams with a TTL less than this threshold are not forwarded out of the
interface. The default value of 0 means that all multicast packets are forwarded
out of the interface.
Protocol Displays the protocol as one of the following:
• other(1): none of the following
• local(2): manually configured
• netmgmt(3): configured by a network management protocol
• pimSparseMode(8): PIM-SMv2
• igmpOnly(10)
• pimSsmMode(11)
• spb

Adding new static source groups


Add a new static source group to create an entry that the switch cannot prune from the distribution
tree. An attempt to add a duplicate of an existing source-group entry results in an error message.

Before You Begin


• Before you can configure a static source group, you must globally enable one of the following
protocols:
◦ PIM-SM
◦ PIM-SSM

About This Task

Note
This procedure is supported only on a DvR Controller. It is not supported on a DvR Leaf node.


The switch supports PIM only in the Global Router. You cannot configure static source groups for
specific VRF contexts.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click Multicast.
3. Click the Static Source Group tab.
4. Click Insert.
5. Complete the information in the dialog box.
6. Click Insert.

Editing static source groups


Configure static source-group entries in the PIM multicast routing table. PIM cannot prune these entries
from the distribution tree. In other words, even if no receivers exist in the group, the multicast stream for
a static source-group entry stays active.

Before You Begin


• Before you can configure a static source group, you must globally enable one of the following
protocols:
◦ PIM-Sparse Mode (SM)
◦ PIM-Source Specific Multicast (SSM)

About This Task

Note
This procedure is supported only on a DvR Controller. It is not supported on a DvR Leaf node.

The maximum number of static source groups must not exceed 1024.

The switch supports PIM only in the Global Router. You cannot configure static source groups for
specific VRF contexts.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click Multicast.
3. Click the Static Source Group tab.
4. Edit the required information.
5. Click Apply.


Static Source Group field descriptions


Use the data in the following table to use the Static Source Group tab.

Name Description
GroupAddress Configures the multicast group IP address for this static source-group entry.
SourceSubnet Configures the multicast source address for this static source-group entry.
How you configure the source address depends on the protocol and mode
you use.
SrcSubnetMask Configures the subnet mask of the source for this static source-group entry.

Configuring IP multicast software forwarding


Configure IP multicast software forwarding to enable the system to initially forward IP multicast data
until a hardware record is created. The system forwards the initial packets of a stream it receives and
creates a corresponding hardware record for subsequent packets. The advantage of this feature is that
it avoids initial data loss experienced by multicast applications and is most suited for low bandwidth.

About This Task

Note
This procedure is supported only on a DvR Controller. It is not supported on a DvR Leaf node.

IP multicast software forwarding is a global system configuration feature that is only applicable to
traditional PIM protocol and IGMP Snooping protocols, not SPB-PIM Gateway or Layer 3 VSN SPB
Multicast. If you enable IP multicast software forwarding, the hardware still forwards IP multicast traffic.
The software forwards only initial data traffic.

After a new data stream arrives, the first data packet is sent to the CPU, which programs the
multicast route in hardware, and all packets that arrive subsequent to this programming are forwarded
by hardware only. If you enable software forwarding, all initial packets received before hardware
programming is complete are sent to the CPU for forwarding. If you enable software forwarding, packet
suppression by the hardware is disabled. If you do not enable software forwarding, only the first data
packet is sent to the CPU and subsequent packets are suppressed by the hardware so that the CPU is
not overwhelmed with traffic. During this time, packets suppressed by the hardware are dropped.

By default, the feature is disabled.

Important
To avoid overloading the CPU, do not use the IP multicast software forwarding feature for
video multicast applications.

If you configure multicast software forwarding from within a VRF context, the configuration applies
to the Global Router and all VRF contexts. You cannot change the multicast software forwarding
configuration for individual VRF contexts.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.

2. Click Multicast.
3. Click the Globals tab.
4. Select the SWForwardingEnable check box.
5. Click Apply.

Globals field descriptions


Use the data in the following table to use the Globals tab.

Name Description
SWForwardingEnable Enables the system to initially forward IP multicast
data until a hardware record is created. The
default is disabled.
StatsEnabled Enables or disables multicast route statistics. The
default is disabled.
StatsClear Clears multicast route statistics.

Configuring mroute stream limit


Limit the number of multicast streams to protect a CPU from multicast data packet bursts generated
by malicious applications, such as viruses that cause the CPU to reach 100 percent utilization or that
prevent the CPU from processing protocol packets or management requests. If more than a certain
number of multicast streams ingress to a CPU through a port during a sampling interval, the port shuts
down until you take appropriate action.

Procedure

1. On the Device Physical View tab, select a port.


2. In the navigation pane, expand the following folders: Configuration > Edit > Port.
3. Click General.
4. Select the Mroute Stream Limit tab.
5. Select the StreamLimitEnable box.
6. Edit other fields as required.
7. Click Apply.

Mroute Stream Limit field descriptions


Use the data in the following table to use the Mroute Stream Limit tab.

Name Description
StreamLimitEnable Enables or disables mroute stream limit on the port.
StreamLimit Specifies the maximum number of multicast streams allowed to enter
the CPU through this port.
StreamTimerCheck Specifies the sampling period, in seconds, to check the number of
multicast streams that enter the CPU through this port.


Configuring Mroute Stream Limit on an Extreme Integrated Application Hosting Port


Note
This procedure only applies to VSP 4900 Series and VSP 7400 Series.

About This Task

Perform this procedure to limit the number of multicast streams to protect a Central Processing Unit
(CPU) from multicast data packet bursts generated by malicious applications, such as viruses that cause
the CPU to reach 100 percent utilization, or that prevent the CPU from processing protocol packets or
management requests. If more than a certain number of multicast streams ingress to a CPU through a
port during a sampling interval, the port shuts down until you take appropriate action.

Procedure

1. In the navigation pane, expand Configuration > Edit > Insight Port.
2. Select the Extreme Integrated Application Hosting (IAH) port you want to configure.
3. Select the Mroute Stream Limit tab.
4. Select StreamLimitEnable.
5. Configure other fields as required.
6. Select Apply.

Mroute Stream Limit Field Descriptions


Use data in the following table to configure the Mroute Stream Limit tab.

Name Description
StreamLimitEnable Enables or disables mroute stream limit on the
Extreme Integrated Application Hosting (IAH)
port. The default is disabled.
StreamLimit Specifies the maximum number of multicast
streams allowed to enter the CPU through the IAH
port. The default value is 1984.
StreamTimerCheck Specifies the sampling period, in seconds, to
check the number of multicast streams that enter
the CPU through the IAH port. The default is 10
seconds.
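
Because a port that exceeds the limit shuts down, it helps to size StreamLimit and StreamTimerCheck against observed traffic before you enable the feature on a port or an IAH port. The following sketch is an added example, not part of the VOSS guide or of VOSS itself: the event format, the counting of distinct (source, group) pairs, the function names, and the sample addresses are all assumptions, and the switch's internal counting may differ.

```python
from collections import Counter, defaultdict

# Defaults taken from the IAH port field descriptions in this guide.
DEFAULT_STREAM_LIMIT = 1984
DEFAULT_TIMER_CHECK = 10  # seconds


def sliding_peaks(events, timer_check=DEFAULT_TIMER_CHECK):
    """Worst-case number of distinct (source, group) streams per port in any
    window of timer_check seconds, whatever the phase of the sampling timer.

    events: iterable of (t_seconds, port, source, group) -- assumed format.
    """
    by_port = defaultdict(list)
    for t, port, source, group in events:
        by_port[port].append((t, (source, group)))

    peaks = {}
    for port, evs in by_port.items():
        evs.sort()
        in_window = Counter()
        left = 0
        peak = 0
        for t, stream in evs:
            in_window[stream] += 1
            # Drop observations that fell out of the window (t - timer_check, t].
            while evs[left][0] <= t - timer_check:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        peaks[port] = peak
    return peaks


def fixed_window_peaks(events, timer_check=DEFAULT_TIMER_CHECK):
    """Same count with windows aligned to t = 0. A burst that straddles a
    window boundary is split in two, so this can understate the risk."""
    windows = defaultdict(set)
    for t, port, source, group in events:
        windows[(port, int(t // timer_check))].add((source, group))
    peaks = defaultdict(int)
    for (port, _), streams in windows.items():
        peaks[port] = max(peaks[port], len(streams))
    return dict(peaks)


def ports_at_risk(events, stream_limit=DEFAULT_STREAM_LIMIT,
                  timer_check=DEFAULT_TIMER_CHECK):
    """Ports whose worst-case stream count is more than stream_limit."""
    peaks = sliding_peaks(events, timer_check)
    return sorted(port for port, peak in peaks.items() if peak > stream_limit)


def _constructed_events():
    """Constructed sample data: port 1/1 carries three steady streams; port 1/2
    sees 2500 new groups between t = 8 s and t = 12 s from a single source."""
    events = []
    for second in range(30):
        for group in ("239.0.0.1", "239.0.0.2", "239.0.0.3"):
            events.append((float(second), "1/1", "10.0.0.10", group))
    for i in range(2500):
        group = f"239.1.{i // 250}.{i % 250 + 1}"
        events.append((8.0 + 4.0 * i / 2500, "1/2", "10.0.0.66", group))
    return events


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    print("sliding peaks:     ", sliding_peaks(SAMPLE_EVENTS))
    print("fixed-window peaks:", fixed_window_peaks(SAMPLE_EVENTS))
    print("ports at risk:     ", ports_at_risk(SAMPLE_EVENTS))
```

The burst on port 1/2 straddles the boundary at t = 10 s, so the fixed-window count sees only half of it; sizing against the sliding-window peak avoids depending on where the sampling timer happens to start.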

Configuring resource usage counter for multicast streams


Configure the resource usage counters to query the number of ingress and egress IP multicast streams
traversing the switch. After you configure the counter thresholds for ingress and egress records, if the
record usage goes beyond the threshold, you receive notification through a trap on the console, a
logged message, or both.

About This Task

Note
This procedure is supported only on a DvR Controller. It is not supported on a DvR Leaf node.

Important
If you do not configure the thresholds, EDM displays only the ingress and egress records that
are currently in use.

You can configure the resource usage counter on a VRF instance the same way you configure the
Global Router except that you must first launch the appropriate VRF context.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click Multicast.
3. Select the Resource Usage tab.
4. Configure the ingress and egress thresholds.
5. Configure the notification methods.
6. Click Apply.

Resource Usage field descriptions


Use the data in the following table to use the Resource Usage tab.

Name Description
Egress Records In-Use Displays the number of egress records traversing the switch.
Ingress Records In-Use Displays the number of ingress records (source or group)
traversing the switch.
Egress Threshold Configures the egress threshold level (0–32767).
Ingress Threshold Configures the ingress threshold level (0–32767).
SendTrapOnly Sends only trap notification messages after the number of
streams exceeds a threshold level. Select disable if you select a
different notification type. You can configure only one notification
type.
SendTrapAndLog Sends both trap and log notification messages after the number
of streams exceeds a threshold level. Select disable if you select a
different notification type.
LogMsgOnly Sends only log notification messages after the number of streams
exceeds a threshold level. Select disable if you select a different
notification type.

Multicast route statistics configuration using the CLI


The following sections provide procedural information you can use to configure multicast route
statistics using the Command Line Interface (CLI).

Enabling IP multicast route statistics


Enable the collection and display of IP multicast route statistics.

These statistics are not related to the interface (port) statistics. Rather, the statistics are displayed based
on multicast group classification. By default, collection of multicast route statistics is disabled.

Note
When you enable IP multicast route statistics on the Controller node of a DvR domain, the
configuration is automatically pushed to the Leaf nodes within the domain.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable the collection of IP multicast route statistics.
ip mroute stats enable
3. (Optional) Set the IP multicast route statistics to default.
default ip mroute stats enable
4. (Optional) Disable the collection of IP multicast route statistics.
no ip mroute stats enable
5. View the IP multicast route statistics.
show ip mroute stats [WORD<3-160> {A.B.C.D[,E.F.G.H][,...]}]

Note
The maximum number of multicast group IP addresses is 10.

Example

Enable the collection of IP multicast route statistics:


Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#ip mroute stats enable

View the IP multicast route statistics:


Switch:1#show ip mroute stats

==========================================================================
Multicast Stats

==========================================================================
--------------------------------------------------------------------------
Statistics : Enabled

View the statistics for the multicast group IP address 225.0.0.1:


Switch:1#show ip mroute stats 225.0.0.1

==============================================================================
Multicast Stats - GlobalRouter

==============================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize

------------------------------------------------------------------------------
225.0.0.1 1 30452198 3897881344 128

View the statistics for multiple (up to a maximum of 10) group IP addresses.
Switch:1#show ip mroute stats 225.0.0.1,225.0.0.2,225.0.0.3,225.0.0.4,225.0.0.5,225.0.0.6,225.0.0.7,225.0.0.8,225.0.0.9,225.0.0.10

================================================================================
Multicast Stats - GlobalRouter

================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
--------------------------------------------------------------------------------
225.0.0.1 1 32446194 4153112832 128
225.0.0.2 1 32446196 4153112960 127
225.0.0.3 1 32446197 4153113088 127
225.0.0.4 1 32446198 4153113216 127
225.0.0.5 1 32446199 4153113472 128
225.0.0.6 1 32446200 4153113600 128
225.0.0.7 1 32446201 4153113728 128
225.0.0.8 1 32446203 4153113856 127
225.0.0.9 1 32446203 4153113856 127
225.0.0.10 1 32446203 4153113984 128

Variable definitions
Use the data in the following table to use the show ip mroute stats command.

Variable Definition
WORD<3-160> {A.B.C.D[,E.F.G.H][,...]} Specifies the multicast group IP address for which to display statistics.
The group IP address is in one of the following formats: a single IP address or a series of IP addresses.
You can specify a maximum of 10 groups.

Clearing IP multicast route statistics


Use this procedure to clear the IP multicast route statistics. This resets the IP multicast statistics
counters.

Note
When you clear IP multicast route statistics on the Controller node of a DvR domain, the
configuration is automatically pushed to the Leaf nodes within the domain.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Clear the IP multicast route statistics:
clear ip mroute stats

Example:
Clear the IP multicast route statistics:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#clear ip mroute stats

Monitoring IP multicast route statistics


Use this procedure to monitor the IP multicast route statistics at regular intervals.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Monitor the IP multicast route statistics:
monitor ip mroute stats WORD<7-160> {A.B.C.D[,E.F.G.H][,...]}

Note
You can monitor a maximum of 10 group IP addresses.

Example:
Monitor the IP multicast route statistics for the group IP address 225.0.0.1. In this example, the
statistics are monitored at intervals of 5 seconds for a duration of 300 seconds.

The output from monitoring three consecutive intervals is displayed below.


Switch:1>en
Switch:1#monitor ip mroute stats 225.0.0.1

MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:12:07 2015

======================================================================================
Multicast Stats - GlobalRouter

======================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
--------------------------------------------------------------------------------------
225.0.0.1 1 4716624 603727872 128
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:12:13 2015

=======================================================================================
Multicast Stats - GlobalRouter

=======================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
---------------------------------------------------------------------------------------
225.0.0.1 1 4767325 610217600 128
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:12:19 2015

...
...
Switch:1#

Monitor the IP multicast route statistics for a maximum of 10 group IP addresses. The statistics are
monitored at intervals of 5 seconds for a duration of 300 seconds.

The output from monitoring three consecutive intervals is displayed below.


Switch:1#monitor ip mroute stats 225.0.0.1,225.0.0.2,225.0.0.3,225.0.0.4,225.0.0.5,225.0.0.6,225.0.0.7,225.0.0.8,225.0.0.9,225.0.0.10
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:22:07 2015

========================================================================================
Multicast Stats - GlobalRouter

========================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
----------------------------------------------------------------------------------------
225.0.0.1 1 9532039 1220100992 128
225.0.0.2 1 9532041 1220101120 127
225.0.0.3 1 9532042 1220101248 127
225.0.0.4 1 9532043 1220101376 127
225.0.0.5 1 9532044 1220101632 128
225.0.0.6 1 9532045 1220101760 128
225.0.0.7 1 9532046 1220101888 128
225.0.0.8 1 9532047 1220101888 127
225.0.0.9 1 9532048 1220102016 127
225.0.0.10 1 9532048 1220102144 128
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:22:13 2015

========================================================================================
Multicast Stats - GlobalRouter

========================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
----------------------------------------------------------------------------------------
225.0.0.1 1 9582672 1226582016 128
225.0.0.2 1 9582674 1226582144 127
225.0.0.3 1 9582675 1226582272 127
225.0.0.4 1 9582676 1226582400 127
225.0.0.5 1 9582677 1226582656 128
225.0.0.6 1 9582678 1226582784 128
225.0.0.7 1 9582679 1226582912 128
225.0.0.8 1 9582681 1226583040 127
225.0.0.9 1 9582681 1226583040 127
225.0.0.10 1 9582681 1226583168 128
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:22:19 2015

========================================================================================
Multicast Stats - GlobalRouter

========================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
----------------------------------------------------------------------------------------
225.0.0.1 1 9625009 1232001152 128
225.0.0.2 1 9625011 1232001280 127

225.0.0.3 1 9625012 1232001408 127
225.0.0.4 1 9625013 1232001536 127
225.0.0.5 1 9625014 1232001792 128
225.0.0.6 1 9625015 1232001920 128
225.0.0.7 1 9625016 1232002048 128
225.0.0.8 1 9625018 1232002176 127
225.0.0.9 1 9625019 1232002304 127
225.0.0.10 1 9625018 1232002304 128

...
...
Switch:1#

Variable definitions
Use the data in the following table to use the monitor ip mroute stats command.

Variable Definition
WORD<7-160> {A.B.C.D[,E.F.G.H][,...]} Specifies the multicast group IP address for which to monitor statistics.
The group IP address is in one of the following formats: a single IP address or a series of IP addresses, up to a maximum of 10.

Enabling IPv6 multicast route statistics


Enable the collection of IPv6 multicast route statistics.

These statistics are not related to the interface (port) statistics. Rather, the statistics are displayed based
on multicast group classification. By default, collection of multicast route statistics is disabled.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal
2. Enable the collection of IPv6 multicast route statistics.
ipv6 mroute stats enable
3. (Optional) Set the IPv6 multicast route statistics to default:
default ipv6 mroute stats
4. (Optional) Disable the collection of IPv6 multicast route statistics.
no ipv6 mroute stats
5. View the IPv6 multicast route statistics.
show ipv6 mroute stats [WORD<7-400> {Ipv6address[,Ipv6address][,...]}]

Note
The maximum number of multicast group IP addresses is 10.

Example:
Enable collection of IPv6 multicast route statistics:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#ipv6 mroute stats enable

View the IPv6 multicast route statistics:


Switch:1#show ipv6 mroute stats

==========================================================================
Multicast Stats

==========================================================================
--------------------------------------------------------------------------
Statistics : Enabled

View the statistics for the multicast group IP address FF05::1:


Switch#show ipv6 mroute stats FF05::1

=====================================================================================
Multicast Stats - GlobalRouter

=====================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
-------------------------------------------------------------------------------------
ff05:0:0:0:0:0:0:1 1 1962750 2355300000 1200

View the statistics for multiple group IP addresses (up to a maximum of 10).
Switch#show ipv6 mroute stats FF05::1,FF05::2,FF05::3,FF05::4,FF05::5,FF05::6,FF05::7,FF05::8,FF05::9,FF05::a

=====================================================================================
Multicast Stats - GlobalRouter

=====================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
-------------------------------------------------------------------------------------
ff05:0:0:0:0:0:0:1 1 2027508 2433009600 1200
ff05:0:0:0:0:0:0:2 1 2027507 2433008400 1200
ff05:0:0:0:0:0:0:3 1 2027507 2433008400 1200
ff05:0:0:0:0:0:0:4 1 2027507 2433008400 1200
ff05:0:0:0:0:0:0:5 1 2027507 2433008400 1200
ff05:0:0:0:0:0:0:6 1 2027505 2433006000 1200
ff05:0:0:0:0:0:0:7 1 2027505 2433006000 1200
ff05:0:0:0:0:0:0:8 1 2027505 2433006000 1200
ff05:0:0:0:0:0:0:9 1 2027505 2433006000 1200
ff05:0:0:0:0:0:0:a 1 2027505 2433006000 1200

Variable definitions
Use the data in the following table to use the show ipv6 mroute stats command.

Variable Definition
WORD<7-400> {Ipv6address[,Ipv6address][,...]} Specifies the multicast group IP address for which to display statistics.
The group IP address is in one of the following formats: a single IP address or a series of IP addresses.
You can specify a maximum of 10 groups.

Clearing IPv6 multicast route statistics


Use this procedure to clear the IPv6 multicast route statistics. This resets the IP multicast statistics
counters.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Clear the IPv6 multicast route statistics:
clear ipv6 mroute stats

Example:
Clear the IPv6 multicast route statistics:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#clear ipv6 mroute stats

Monitoring IPv6 multicast route statistics


Use this procedure to monitor IPv6 multicast route statistics at regular intervals.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Monitor IPv6 multicast route statistics:
monitor ipv6 mroute stats WORD<7-400> {Ipv6address[,Ipv6address][,...]}

Note
You can monitor a maximum of 10 group IP addresses.

Example:
Monitor the IPv6 multicast route statistics for the group IPv6 address FF05::1. In this example, the
statistics are monitored at intervals of 5 seconds for a duration of 300 seconds.

The output from monitoring three consecutive intervals is displayed below.


Switch:1>enable
Switch:1#monitor IPv6 mroute stats FF05::1

MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Tue Dec 22 16:54:25 2015

=================================================================================
Multicast Stats - GlobalRouter

=================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
----------------------------------------------------------------------------------
ff05:0:0:0:0:0:0:1 1 2446250 2935500000 1200
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Tue Dec 22 16:54:31 2015

===================================================================================
Multicast Stats - GlobalRouter

===================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
-----------------------------------------------------------------------------------
ff05:0:0:0:0:0:0:1 1 2448947 2938736400 1200
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Tue Dec 22 16:54:37 2015

==================================================================================
Multicast Stats - GlobalRouter

==================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
----------------------------------------------------------------------------------
ff05:0:0:0:0:0:0:1 1 2452185 2942622000 1200

...
...
Switch:1#

Monitor the IPv6 multicast route statistics for a maximum of 10 group IPv6 addresses. The statistics are
monitored at intervals of 5 seconds for a duration of 300 seconds.

The output from monitoring three consecutive intervals is displayed below.


Switch:1#monitor IPv6 mroute stats FF05::1,FF05::2,FF05::3,FF05::4,FF05::5,FF05::6,FF05::7,FF05::8,FF05::9,FF05::a
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Tue Dec 22 17:04:55 2015

===================================================================================
Multicast Stats - GlobalRouter

===================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
-----------------------------------------------------------------------------------
ff05:0:0:0:0:0:0:1 1 2768926 3322711200 1200
ff05:0:0:0:0:0:0:2 1 2768925 3322710000 1200
ff05:0:0:0:0:0:0:3 1 2768925 3322710000 1200
ff05:0:0:0:0:0:0:4 1 2768925 3322710000 1200

ff05:0:0:0:0:0:0:5 1 2768925 3322710000 1200
ff05:0:0:0:0:0:0:6 1 2768923 3322707600 1200
ff05:0:0:0:0:0:0:7 1 2768923 3322707600 1200
ff05:0:0:0:0:0:0:8 1 2768923 3322707600 1200
ff05:0:0:0:0:0:0:9 1 2768923 3322707600 1200
ff05:0:0:0:0:0:0:a 1 2768923 3322707600 1200
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Tue Dec 22 17:05:01 2015

====================================================================================
Multicast Stats - GlobalRouter

====================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
------------------------------------------------------------------------------------
ff05:0:0:0:0:0:0:1 1 2771625 3325950000 1200
ff05:0:0:0:0:0:0:2 1 2771625 3325950000 1200
ff05:0:0:0:0:0:0:3 1 2771625 3325950000 1200
ff05:0:0:0:0:0:0:4 1 2771624 3325948800 1200
ff05:0:0:0:0:0:0:5 1 2771624 3325948800 1200
ff05:0:0:0:0:0:0:6 1 2771622 3325946400 1200
ff05:0:0:0:0:0:0:7 1 2771622 3325946400 1200
ff05:0:0:0:0:0:0:8 1 2771622 3325946400 1200
ff05:0:0:0:0:0:0:9 1 2771622 3325946400 1200
ff05:0:0:0:0:0:0:a 1 2771622 3325946400 1200
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Tue Dec 22 17:05:07 2015

====================================================================================
Multicast Stats - GlobalRouter

====================================================================================
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
------------------------------------------------------------------------------------
ff05:0:0:0:0:0:0:1 1 2774864 3329836800 1200
ff05:0:0:0:0:0:0:2 1 2774863 3329835600 1200
ff05:0:0:0:0:0:0:3 1 2774863 3329835600 1200
ff05:0:0:0:0:0:0:4 1 2774863 3329835600 1200
ff05:0:0:0:0:0:0:5 1 2774863 3329835600 1200
ff05:0:0:0:0:0:0:6 1 2774861 3329833200 1200
ff05:0:0:0:0:0:0:7 1 2774861 3329833200 1200
ff05:0:0:0:0:0:0:8 1 2774861 3329833200 1200
ff05:0:0:0:0:0:0:9 1 2774861 3329833200 1200
ff05:0:0:0:0:0:0:a 1 2774861 3329833200 1200

...
...

Switch:1#

Variable definitions
Use the data in the following table to use the monitor ipv6 mroute stats command:

Variable Definition
WORD<7-400> {Ipv6address[,Ipv6address][,...]} Specifies the multicast group IP address for which to monitor statistics.
The group IP address is in one of the following formats: a single IP address or a series of IP addresses, up to a maximum of 10.
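
The monitor ip mroute stats and monitor ipv6 mroute stats output shown above contains cumulative counters, so a per-group rate has to be derived from consecutive intervals. The following parser is an added example, not part of the VOSS guide: it computes packets per second and bits per second for each group and marks intervals where the counters went backwards, as they do after clear ip mroute stats. The rows are copied from the examples above except the last IPv4 interval, which is constructed; the function names and the max_pps threshold are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Timestamp at the end of each "Monitor Interval: ..." line.
STAMP = re.compile(
    r"Monitor Interval:.*?(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s*$")
# GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

IPV4_SAMPLE = """\
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:12:07 2015
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
225.0.0.1 1 4716624 603727872 128
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:12:13 2015
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
225.0.0.1 1 4767325 610217600 128
MULTICAST STATISTIC
Monitor Interval: 5sec | Monitor Duration: 300sec Mon Dec 21 16:12:19 2015
GroupAddress SourceCounter IngressPackets IngressBytes AverageSize
225.0.0.1 1 1200 153600 128
"""  # the 16:12:19 interval is constructed to show a counter reset

IPV6_SAMPLE = """\
Monitor Interval: 5sec | Monitor Duration: 300sec Tue Dec 22 16:54:25 2015
ff05:0:0:0:0:0:0:1 1 2446250 2935500000 1200
Monitor Interval: 5sec | Monitor Duration: 300sec Tue Dec 22 16:54:31 2015
ff05:0:0:0:0:0:0:1 1 2448947 2938736400 1200
"""


def parse_monitor(text):
    """Return [(datetime, {group: (packets, bytes)})], one entry per interval."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        stamp = STAMP.search(line)
        if stamp:
            when = datetime.strptime(" ".join(stamp.group(1).split()),
                                     "%a %b %d %H:%M:%S %Y")
            samples.append((when, {}))
            continue
        row = ROW.match(line)
        if not row or not samples:
            continue
        try:
            group = ipaddress.ip_address(row.group(1))
        except ValueError:
            continue  # not an address row
        if group.is_multicast:
            samples[-1][1][str(group)] = (int(row.group(3)), int(row.group(4)))
    return samples


def rates(samples):
    """Per-group rates between consecutive intervals; reset=True when a
    counter decreased (statistics cleared or disabled and re-enabled)."""
    out = []
    for (t0, before), (t1, after) in zip(samples, samples[1:]):
        dt = (t1 - t0).total_seconds()
        if dt <= 0:
            continue
        for group in sorted(before.keys() & after.keys()):
            d_pkts = after[group][0] - before[group][0]
            d_bytes = after[group][1] - before[group][1]
            reset = d_pkts < 0 or d_bytes < 0
            out.append({
                "group": group,
                "end": t1,
                "reset": reset,
                "pps": None if reset else d_pkts / dt,
                "bps": None if reset else 8 * d_bytes / dt,
            })
    return out


def flag_bursts(samples, max_pps):
    """Intervals where a group exceeded max_pps (threshold is site-specific)."""
    return [r for r in rates(samples) if not r["reset"] and r["pps"] > max_pps]


if __name__ == "__main__":
    for sample in (IPV4_SAMPLE, IPV6_SAMPLE):
        for r in rates(parse_monitor(sample)):
            print(r["end"], r["group"], "reset" if r["reset"] else round(r["pps"]))
```

Note that the timestamps in the sample output are 6 seconds apart even though the monitor interval is 5 seconds, which is why the rate is computed from the timestamps rather than from the configured interval.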

Multicast route statistics configuration using EDM


The following sections provide procedural information you can use to configure multicast route
statistics using the Enterprise Device Manager (EDM).

Enabling IP multicast route statistics


Use this procedure to enable IP multicast route statistics.

Note
When you enable or clear IP multicast route statistics on the Controller node of a DvR domain,
the configuration is automatically pushed to the Leaf nodes within the domain.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP


2. Click Multicast.
3. Click the Globals tab.
4. In the StatsEnabled field, select the option to enable or disable the collection of statistics.
5. (Optional) To clear the statistics, click StatsClear.
6. Click Apply.

Globals Field Definitions


Use the data in the following table to use the Globals tab.

Field Description
StatsEnabled Displays whether the multicast route statistics is enabled.
StatsClear Clears the multicast route statistics.

Viewing IP multicast route statistics


Use this procedure to view IP multicast route statistics.

Before You Begin


• You must enable the collection of multicast statistics.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IP.
2. Click Multicast.
3. Click the Stats tab to view the statistics.

Stats Field Definitions


Use the data in the following table to use the Stats tab.

Field Description
GroupAddress Specifies the multicast group IP address for which to show
statistics.
SourceCounter Specifies the number of sources associated with the
multicast route record.
Pkts Specifies the number of packets received for the
associated IP address.
Bytes Specifies the number of bytes received for the associated
IP address.
AverageSizePerPkt Specifies the average packet length for the associated
group IP address. This information indicates only the
ingress packet length and is calculated using the following
formula: ingress packet/ingress byte.

Enabling IPv6 multicast route statistics


Enable the collection of IPv6 multicast route statistics.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 Mroute.
3. Click the Globals tab.
4. In the StatsEnabled field, select the option to enable or disable the collection of statistics.
5. (Optional) To clear the statistics, click StatsClear.
6. Click Apply.

Globals Field Definitions


Use the data in the following table to use the Globals tab.

Field Description
StatsEnabled Displays whether the multicast route statistics is enabled.
StatsClear Clears the multicast route statistics.

Viewing IPv6 multicast route statistics


Use this procedure to view IPv6 multicast route statistics.

Before You Begin


• You must enable the collection of multicast statistics.

Procedure

1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click IPv6 Mroute.
3. Click the Stats tab to view the statistics.

Stats Field Definitions


Use the data in the following table to use the Stats tab.

Field Description
GroupAddress Specifies the multicast group IP address for which to show
statistics.
SourceCounter Specifies the number of sources associated with the
multicast route record.
Pkts Specifies the number of packets received for the
associated IP address.
Bytes Specifies the number of bytes received for the associated
IP address.
AverageSizePerPkt Specifies the average packet length for the associated
group IP address. This information indicates only the
ingress packet length and is calculated using the following
formula: ingress packet/ingress byte.

IP Multicast over Fabric Connect
IP Multicast over Fabric Connect basic configuration on page 1682
IP Multicast over Fabric Connect Services Configuration on page 1704

IP Multicast over Fabric Connect basic configuration

Table 123: IP Multicast over Fabric Connect product support


Feature Product Release introduced
IP Multicast over Fabric Connect VSP 4450 Series VSP 4000 4.0
VSP 4900 Series VOSS 8.1
VSP 7200 Series VOSS 4.2.1
VSP 7400 Series VOSS 8.0
VSP 8200 Series VOSS 4.1
VSP 8400 Series VOSS 4.2
VSP 8600 Series VSP 8600 6.2
XA1400 Series Not Supported
Universal Plug and Play (uPnP) Filtering VSP 4450 Series VOSS 8.3
VSP 4900 Series VOSS 8.3
VSP 7200 Series VOSS 8.3
VSP 7400 Series VOSS 8.3
VSP 8200 Series VOSS 8.3
VSP 8400 Series VOSS 8.3
VSP 8600 Series Not Supported
XA1400 Series Not Supported

IP Multicast over Fabric Connect Fundamentals


IP Multicast over Fabric Connect
Extreme Networks is leading the industry with a new approach to transporting IP multicast using IP
Multicast over Fabric Connect. IP Multicast over Fabric Connect greatly simplifies multicast deployment,
with no need for any multicast routing protocols such as Protocol Independent Multicast-Sparse Mode
(PIM-SM) or Protocol Independent Multicast-Source Specific Multicast (PIM-SSM). A BEB can forward
a multicast stream anywhere in an SPBM network where IS-IS advertises the stream to the rest of the
fabric.

The advantage of this solution over traditional approaches is the simplicity in provisioning and
deploying IP multicast bridging and routing. Also, because only one control plane protocol (IS-IS)
exists, convergence times in the event of a network failure are typically sub-second.

You can compare the quick convergence times for IP Multicast over Fabric Connect to Interior Gateway
Protocols like Open Shortest Path First (OSPF) combined with PIM-SM or PIM-SSM. OSPF combined
with PIM-SM or PIM-SSM can have suboptimal recovery times, with convergence times that
take tens of seconds. PIM experiences longer convergence times, in part, because unicast IP routing
protocols must converge before PIM can converge. PIM also maintains the network state for every
multicast group and uses a mechanism based on each hop to update the network about state changes,
which affects scalability.

IP Multicast over Fabric Connect is extremely scalable because you only apply the multicast bridging
and routing functionality at the SPBM fabric edge, with the streams mapped to SPBM multicast trees in
the fabric.

IP Multicast over Fabric Connect introduces extensions to the SPBM IS-IS control plane to exchange
IP multicast stream advertisement and membership information. IP Multicast over Fabric Connect uses
these extensions, along with the Internet Group Management Protocol (IGMP) Snooping and Querier
functions at the edge of the SPBM cloud, to create sub-trees of the VSN SPB for each multicast group
to transport IP multicast data.

With IP Multicast over Fabric Connect, the switch supports the following:
• Layer 2 Virtual Services Network with IGMP support on the access networks for optimized
forwarding of IP multicast traffic in a bridged network (Layer 2 VSN with IP Multicast over Fabric
Connect). Example application: Multicast in data centers.
• IP multicast routing support for IP Shortcuts using SPBM in the core and IGMP on the access
(IP Shortcuts with IP Multicast over Fabric Connect). Example applications: Video surveillance, TV/
Video/Ticker/Image distribution, VX-LAN.
• Layer 3 Virtual Services Network with VRF based routing support for IP Multicast over Fabric
Connect in the core and IGMP on the access (Layer 3 VSN with IP Multicast over Fabric Connect).
Example applications: Video surveillance, TV/Video/Ticker/Image Distribution, VX-LAN, Multi-tenant
IP multicast.

IP Multicast over Fabric Connect and Universal Plug and Play Filtering

When multicast packets are received on IGMP-enabled interfaces and the multicast group matches the
range of groups to be filtered, Universal Plug and Play (uPnP) Filtering drops them.

For more information, see Universal Plug and Play Filtering on page 1691.

How IP Multicast over Fabric Connect works


The BEBs act as the boundary between the multicast domain (currently only IGMP dynamic or static)
and the SPBM domain. Multicast senders (sources) and receivers connect directly or indirectly (using
Layer 2 switches) to the BEBs. You can enable IP Multicast over Fabric Connect services at the Layer 2
VSN level or the Layer 3 VSN level (including the GRT).

The following figure shows how multicast senders and receivers connect to the SPBM cloud using BEBs.

Figure 155: IP Multicast over Fabric Connect streams


The following list describes how multicast senders and receivers connect to the SPBM cloud using BEBs
in the preceding diagram:

1. The sender transmits multicast traffic with group IP address 233.252.0.1.


2. After the BEB receives the IP multicast stream from the sender, the BEB allocates data I-SID
16000001 for the S,G multicast stream. The BEB sends an LSP with the TLV 185 (for Layer 2 VSN
multicast and Layer 3 VSN multicast) or TLV 186 (for IP Shortcuts multicast) with the transmit bit
set. The BEB also sends an IS-IS service identifier and unicast address sub-TLV (where the unicast
address has the multicast bit set and the I-SID is the Data I-SID).
3. The receiver sends a join request to Group 233.252.0.1.
4. The BEB (acting as the IGMP Querier) queries the IS-IS database to find all senders for group
233.252.0.1. If the group exists, the BEB sends an LSP with the IS-IS service identifier and unicast
address sub-TLV (where the unicast address has the multicast bit set and the nickname is the stream
transmitter BEB and the I-SID is the data I-SID).
5. The multicast tree is calculated for the data I-SID and the data starts flowing from the sender.

Scope level

IP Multicast over Fabric Connect constrains all multicast streams within the level in which they originate,
which is called the scope level. In other words, if a sender transmits a multicast stream to a BEB on a
C-VLAN (a VLAN that is mapped to an I-SID, for instance, a Layer 2 VSN) with IP Multicast over Fabric
Connect enabled, only receivers that are part of the same Layer 2 VSN can receive that stream. Similarly,
if a sender transmits a multicast stream to a BEB on a VLAN that is part of the GRT or a Layer 3 VSN
with IP Multicast over Fabric Connect enabled, only receivers that are part of the same Layer 3 instance
(GRT or L3 VSN) can receive that stream.

Note
In the context of IP Multicast over Fabric Connect, scope is either the Global Routing Table or
the I-SID value of the Layer 2 or Layer 3 VSN associated with the local VLAN on which the IP
multicast data was received.

Data I-SID

After the BEB receives the IP multicast stream from the sender, the BEB allocates a data Service Identifier
(I-SID) in the range of 16,000,000 to 16,512,000 for the stream. The stream is identified by the (S, G, V)
tuple, which is the source IP address, the group IP address, and the local VLAN the multicast stream is
received on.

The BEB propagates this information through the SPBM cloud by using IS-IS TLV updates in LSPs, which
results in the creation of a multicast tree for that stream. All BEBs now know what data I-SID to use for
that stream and its scope. The data I-SID is a child of the scope or VSN I-SID. If no receiver requests the
IP multicast stream, the ingress BEB does not forward the multicast stream.

IGMP

After a BEB receives an IGMP join message from a receiver, a BEB queries the IS-IS database to check if
a sender exists for the requested stream within the scope of the receiver. If the requested stream does
not exist, the IGMP information is kept, but no further action is taken. If the requested stream exists, the
BEB sends an IS-IS TLV update to its neighbors to inform them of the presence of a receiver, and this
information is propagated through the SPBM cloud.

IS-IS acts dynamically using the TLV information it receives from BEBs that connect to the sender and
the receivers to create a multicast tree between them. IS-IS creates very efficient multicast trees for
the data I-SID allocated at the sender edge of the SPBM cloud to transport data between the sender
and the receivers. The data I-SID uses Tx/Rx bits to signify whether the BEB uses the I-SID to transmit,
receive, or both transmit and receive data on that I-SID. After IS-IS creates the multicast tree, the sender
transports data to the receiver across the SPBM cloud using the data I-SID.

The trigger to send IS-IS updates to announce a multicast stream into the SPBM cloud is the multicast
traffic arriving at the BEB. Because the BEB only interacts with IGMP and not PIM, all multicast traffic
must be drawn towards the BEB for the stream to be announced, which SPBM accomplishes by making
the BEB an IGMP Querier. In a VLAN, the IGMP Querier sends out periodic IGMP queries.

Note
The BEB must be the only IGMP Querier in the VLAN. If the BEB receives an IGMP query from
any other device, it causes unexpected behavior, including traffic loss.

BEB as IGMP Querier


The BEB acts as the IGMP Querier and creates tables for links that need IP multicast streams. IGMP and
IGMP Snooping cannot work without an IGMP Querier that sends out periodic IGMP queries.

The BEB only interacts with IGMP messages and not PIM. All multicast traffic must enter the BEB for the
data stream to be announced.


The BEB must be the only IGMP Querier in the VLAN. If the BEB receives an IGMP query from any other
device, unexpected behavior results, including traffic loss.

The IGMP query message is an IP packet and requires a source IP address. However, Layer 2 IGMP
Snooping with SPBM by default turns on the service without the configuration of an IP address on the
VLAN. By default, the BEB sends an IGMP query message with an IP source address of 0.0.0.0. If there
are interoperability issues with third party vendors as a result of the 0.0.0.0 IP address, then you can
configure the querier address under IGMP, without having to configure an IP address for the Layer 2
VSN VLAN.
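
One way to check the single-querier requirement from a capture of the access VLAN, as an added example that is not part of the VOSS guide: the Python below picks IGMP membership queries out of raw Ethernet frames and reports any whose source MAC is not an expected BEB querier. It matches on MAC because the BEB's default query source address is 0.0.0.0; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ETH_VLAN, ETH_IPV4, PROTO_IGMP, IGMP_QUERY = 0x8100, 0x0800, 2, 0x11


def parse_igmp_query(frame):
    """Return a dict for an IGMP membership query, or None for any other frame."""
    if len(frame) < 14:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_VLAN:                     # 802.1Q tag (trunk capture)
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_IPV4:
        return None
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # 24 when Router Alert is present
    (total_len,) = struct.unpack("!H", ip[2:4])
    igmp = ip[ihl:total_len]                      # total length trims Ethernet padding
    if ihl < 20 or ip[9] != PROTO_IGMP or len(igmp) < 8 or igmp[0] != IGMP_QUERY:
        return None
    # RFC 3376 section 7.1: query version from message length and Max Resp Code.
    version = 3 if len(igmp) >= 12 else (1 if igmp[1] == 0 else 2)
    return {
        "vlan": vlan,
        "src_mac": src_mac,
        "src_ip": str(IPv4Address(ip[12:16])),
        "group": str(IPv4Address(igmp[4:8])),
        "version": version,
    }


def unexpected_queriers(frames, expected_macs):
    """List the queries whose source MAC is not one of the expected BEB MACs."""
    expected = {mac.lower() for mac in expected_macs}
    findings = []
    for frame in frames:
        query = parse_igmp_query(frame)
        if query and query["src_mac"] not in expected:
            findings.append(query)
    return findings


def build_frame(src_mac, src_ip, igmp, vlan=None):
    """Build a constructed sample frame; IP and IGMP checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0, 1,
                     PROTO_IGMP, 0, IPv4Address(src_ip).packed,
                     IPv4Address("224.0.0.1").packed)
    ip += bytes.fromhex("94040000")               # IP Router Alert option
    eth = bytes.fromhex("01005e000001") + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    eth += struct.pack("!H", ETH_IPV4)
    frame = eth + ip + igmp
    return frame + bytes(max(0, 60 - len(frame)))  # pad to the Ethernet minimum


# Constructed sample traffic for one access VLAN (not captured from a real network).
BEB_MAC = "02:00:00:00:00:01"                     # assumed querier MAC of the BEB
V2_QUERY = struct.pack("!BBH4s", IGMP_QUERY, 100, 0, bytes(4))
V2_REPORT = struct.pack("!BBH4s", 0x16, 0, 0, IPv4Address("233.252.0.1").packed)
SAMPLE_FRAMES = [
    build_frame(BEB_MAC, "0.0.0.0", V2_QUERY, vlan=10),                # BEB query
    build_frame("02:00:00:00:00:99", "192.0.2.50", V2_QUERY, vlan=10),  # second querier
    build_frame("02:00:00:00:00:21", "192.0.2.21", V2_REPORT, vlan=10),  # host report
]

if __name__ == "__main__":
    for q in unexpected_queriers(SAMPLE_FRAMES, [BEB_MAC]):
        print(f"unexpected IGMPv{q['version']} query on VLAN {q['vlan']} "
              f"from {q['src_mac']} ({q['src_ip']})")
```

In an SMLT switch cluster, pass the querier MACs of both vIST peers, because both peers send queries on the C-VLAN.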

IGMP Snooping, operating on the Layer 2 VSN, listens to conversations between hosts and routers, and
maintains a table for links that need IP multicast streams.

For IGMP Snooping, ensure that the IGMP version used by multicast hosts and other devices in the
network is the same as the IGMP version configured on the IGMP Snooping VLAN, or that you enable
compatibility mode.

For more conceptual and configuration information on IGMP, see IP Multicast on page 1457.

Switch Clustering at the Edge of the SPBM Network


Typical customer deployments require redundancy all the way to the access side of the network. IP
Multicast over Fabric Connect supports switch clustering, Split Multilink Trunking (SMLT) technology, at
the edge of the SPBM fabric, providing redundancy to the access Layer 2 switch where you can attach
multicast senders and receivers. Typical SPBM fabric deployments use two or more B-VLANs for Equal
Cost Multipath (ECMP) and resiliency. For simplicity in understanding how the SPBM network works,
assume that there are two B-VLANs (primary and secondary).

The following figure shows how multicast senders and receivers connect to the SPBM cloud using BEBs.


Figure 156: IP Multicast over Fabric Connect streams in an SMLT configuration


The following list describes the preceding diagram:
1. The edge switch hashes the sender multicast data to a specific MLT link.
2. A multicast stream received at the edge of the SPBM fabric is mapped to a dedicated multicast data
I-SID.
3. For the non-SMLT attached sender 2, the stream is hashed to the primary or secondary B-VLAN
based on whether the data I-SID is even or odd numbered. For the SMLT attached to sender 1, IS-IS
advertises the stream to the rest of the fabric on the primary B-VLAN and synchronizes information
to the vIST peer.
4. The edge switch hashes the receiver IGMP join to a specific MLT link.
5. Both BEBs on both B-VIDs advertise the IGMP join.
6. The multicast tree is built for (S1,G1), which is rooted in the primary sender BEB. The multicast tree is
built for (S1,G1), which is rooted in the secondary sender BEB.

IGMP Snooping is widely used on Layer 2 access switches to prune multicast traffic. In IP Multicast over
Fabric Connect, BEBs are the IGMP Queriers, so access switches forward multicast data from the
senders as well as IGMP control messages from receivers to the BEBs.

When a sender transmits multicast data to the Layer 2 access switch that has an MLT to the switch
cluster, it is hashed towards one or the other BEBs in the switch cluster. The receiving BEB allocates a
data I-SID and sends a TLV update on either the primary B-VLAN or the secondary B-VLAN, depending
on whether the BEB is the primary or secondary switch. The primary switch uses the primary B-VLAN,
whereas the secondary switch uses the secondary B-VLAN. This information is propagated through the
SPBM fabric so all BEBs are aware of this stream availability.

The sender information is also synchronized over the vIST to the peer switch. Then the peer switch
allocates a data I-SID for the multicast stream and sends a TLV update on the appropriate B-VLAN to
announce the availability of the stream. The data I-SIDs allocated by the primary and secondary switch
cluster peers may be the same or different, as they are allocated independently by each switch.

Note
If a sender attaches to only one BEB in a switch cluster, the sender information is not
synchronized over the vIST because it is not SMLT attached. The sender information is
advertised, and data is sent on either the primary or secondary B-VLAN. The odd-numbered
data I-SIDs use the primary B-VLAN, and the even-numbered data I-SIDs use the secondary
B-VLAN. The same hashing rules apply to the forwarding of multicast data.

When a receiver sends an IGMP join message to the Layer 2 access switch that has an MLT to the switch
cluster, it is hashed towards one or the other BEBs in the switch cluster. The receiving BEB queries the
IS-IS Link State Database (LSDB) to check if a sender exists for the requested stream within the scope
of the receiver.

If the requested stream does not exist, the BEB keeps the IGMP information but no further action is
taken. If the requested stream exists, the BEB sends an IS-IS Link State Packet (LSP), with TLV update
information, for both primary and secondary B-VLANs to its neighbors to inform them of the presence
of a receiver. The BEB propagates this information in LSPs through the SPBM cloud. The receiver
information is also synchronized over the vIST to the peer switch. The peer switch then queries its
IS-IS Link State Database (LSDB) and, if the requested stream exists, it sends an IS-IS LSP, with a TLV
update, for both primary and secondary B-VLANs to its neighbors to inform them of the presence of
the receiver.

IS-IS uses these TLV updates in LSPs to create multicast shortest path first trees in the SPBM fabric.
IS-IS creates a shortest path first tree for the primary and secondary B-VLANs, but only one of the
B-VLANs transports multicast data with the other in active standby in case of failures at the SPBM edge.
After IS-IS creates the trees, multicast data flows between senders and receivers.

IP Multicast over Fabric Connect and SMLT

The following section summarizes the IP Multicast over Fabric Connect actions in an SMLT environment.
The BEBs on the sender side behave as follows:
• Primary SMLT peer BEB always advertises the streams it receives, and sends data for them on the
primary B-VLAN.
• Secondary SMLT peer BEB always advertises the streams it receives, and sends data for them on the
secondary B-VLAN.
• Non-SMLT BEBs or SMLT BEBs with single attached senders advertise streams, and send data on
the primary or secondary B-VLAN based on hash criteria (odd-numbered data I-SIDs use primary
B-VLAN; even-numbered data I-SIDs use secondary B-VLAN).

The BEBs on the receiver side behave as follows:


• The primary SMLT peer BEB that receives multicast data on the primary B-VLAN sends it to both
SMLT and non-SMLT SPBM access (UNI) links.
• The primary SMLT peer BEB that receives multicast data on the secondary B-VLAN sends it to
non-SMLT SPBM access (UNI) links only.
• The secondary SMLT peer BEB that receives multicast data on primary B-VLAN sends it to
non-SMLT SPBM access (UNI) links only.
• The secondary SMLT peer BEB that receives multicast data on secondary B-VLAN sends data to
both SMLT and non-SMLT SPBM access (UNI) links.
• The non-SMLT BEB that receives multicast data on primary or secondary B-VLAN sends data to all
SPBM access (UNI) links.

Layer 2 Querier behavior for a switch cluster

For C-VLANs in an SMLT environment, the vIST ports are not part of the VLAN.

IGMP on a C-VLAN behaves as follows to account for the fact that vIST peers do not see the
membership queries of each other:
• The vIST peer with the higher IP address sends the queries out all SMLT and non-SMLT ports on
SPBM access links.
• The vIST peer with the lower IP address only sends out queries on its non-SMLT ports. This includes
SMLT ports whose remote ports are down (SMLT state of ‘norm’).
• Because one vIST peer has the higher IP address and the other vIST peer has the lower IP address,
two queriers exist within the C-VLAN. Having two queriers poses no problems in this SPB
environment, as all SMLT access devices see the vIST peer with the higher IP address as the querier,
and non-SMLT access devices see the directly connected vIST peer as the querier. Non-SMLT access
devices that connect on either side of the vIST peers can talk to each other using the SPBM cloud.

Considerations when you connect an IP Multicast over Fabric Connect network to a PIM network
IP Multicast over Fabric Connect does not integrate PIM functionality. Apply the following
considerations when you connect to a PIM network:
• You must configure static IGMP receivers on the BEB access interface that faces the PIM network
when the sender is on the SPBM access network and the receiver is on the PIM network.

Note
The PIM router must have a configuration option to accept streams with non-local sources
or the router drops the packets. The switch does not support a configuration option to
accept streams with non-local sources.

• You must configure static IGMP receivers on the PIM interface that faces the IP Multicast over Fabric
Connect network when the sender is on the PIM network and the receiver is on the SPBM access
network.

Note
For security reasons and to keep unnecessary multicast streams from being injected into
the SPBM domain, you should configure ACLs on the BEB facing the PIM network.

IP Multicast over Fabric Connect restrictions


Review the following restrictions for the IP Multicast over Fabric Connect feature.

IGMP

The BEB must be the only IGMP querier in the network. If the BEB receives an IGMP query from any
other device, it causes unpredictable behavior, including traffic loss.


SPBM supports IGMP Snooping on a C-VLAN, but it does not support PIM on a C-VLAN. If you enable
IGMP Snooping on a C-VLAN, then its operating mode is Layer 2 VSN with IP Multicast over Fabric
Connect.

SPBM supports Network Load Balancing (NLB) unicast and multicast modes. SPBM does not support
NLB Multicast operation with IGMP.

Note
The NLB Multicast operation feature is not supported on all hardware platforms. For more
information about feature support, see VLAN Feature Support on page 3761.

You must enable SSM snoop before you configure IGMP version 3, and you must enable both
ssm-snoop and snooping for IGMPv3.

For IGMP Snooping, ensure that the IGMP version used by multicast hosts and other devices in the
network is either the same as the IGMP version configured on the IGMP Snooping VLAN, or that
compatibility mode is enabled.

SSM

If you delete any ssm-map in a static range group, the switch deletes the entire static range group. For
example, create an ssm-map for 232.122.122.122 to 232.122.122.128 and after that configure this same
range in a static group. If you delete any ssm-map between 232.122.122.122 and 232.122.122.128, the switch
deletes the entire static range group.

PIM

There can be no interaction with PIM and multicast routers on the access.

The BEB only interacts with IGMP messages and not PIM, so all multicast traffic must be drawn towards
the BEB, which acts as the IGMP querier, for the stream to be announced.

IP Multicast over Fabric Connect does not integrate PIM functionality so the following considerations
apply when connecting to a PIM network:
• You must configure static IGMP receivers on the BEB access interface facing the PIM network when
the sender is on the SPBM access network and the receiver is on the PIM network. Static IGMP
receivers make the PIM router accept streams and avoid a Reverse Path Forwarding (RPF) check
that can change the source of the stream.
• You must configure static IGMP receivers on the PIM interface facing the IP Multicast over Fabric
Connect network when the sender is on the PIM network and the receiver is on the SPBM access
network.
• You must configure Access Control Lists (ACLs) on the BEB facing the PIM network for security.

Data I-SID

The BEB matches a single multicast stream to a particular data I-SID. As a result, there is a one-to-one
mapping between the S,G and the data I-SID for each BEB.

Supported services

The switch does not support IP Multicast over Fabric Connect routing on inter-VSN routing interfaces.


The switch supports the following modes of IP Multicast over Fabric Connect:
• Layer 2 VSN multicast service — Multicast traffic remains within the same Layer 2 VSN across the
SPBM cloud.
• Layer 3 VSN multicast service — Multicast traffic remains within the same Layer 3 VSN across the
SPBM cloud.
• IP Shortcuts multicast service — Multicast traffic can cross VLAN boundaries but remains confined
to the subset of VLANs with the Global Routing Table that have IP Multicast over Fabric Connect
enabled.

SPBM Multicast FIB

Multicast FIB

SPBM runs all-pairs Dijkstra to produce the multicast FIB. The computing node loops through each node
to run Dijkstra using that node as the root, and then prunes paths to only keep the shortest paths. The
computing node then computes the intersection of the set of I-SIDs for which the root node transmits,
with the set of I-SIDs for which the path endpoints receive.

The multicast addresses are built out of two pieces: the SPBM Node Nickname and the I-SID ID
converted to hexadecimal format to form the multicast MAC address.
|----------------------------|---------------------------------|
      nickname | 0x30000            hexadecimal I-SID

For example, if the nickname is 0.00.10 and the I-SID is 100 (0x64), the multicast address is
03:00:10:00:00:64.

The following text shows an example of the multicast FIB.


Switch:1(config)#show isis spbm multicast-fib

==========================================================================================
SPBM MULTICAST FIB ENTRY INFO
==========================================================================================
MCAST DA          ISID     BVLAN SYSID          HOST-NAME   OUTGOING-INTERFACES INCOMING INTERFACE
------------------------------------------------------------------------------------------
03:00:07:e4:e2:02 15000066 1001  0077.0077.0077 Switch-25   1/33                MLT-2
03:00:08:e4:e2:02 15000066 1001  0088.0088.0088 Switch-33   1/50,1/33           40.40.40.40
03:00:41:00:04:4d 1101     4058  00bb.0000.4100 Switch-1(*) 1/3,1/49,0.0.0.0    Tunnel_to_HQ
03:00:41:00:04:4f 1103     4058  00bb.0000.4100 Switch-1(*) 1/3,1/49,0.0.0.0    cpp
------------------------------------------------------------------------------------------
Total number of SPBM MULTICAST FIB entries 4
------------------------------------------------------------------------------------------
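
The address layout described above can be checked against the FIB output with a short script. The Python below is an added example, not code from the VOSS guide: it builds the multicast destination address from a nickname and I-SID, decodes it again, and verifies that the ISID column of each FIB row agrees with the low three bytes of its MCAST DA. It assumes nicknames with a leading 0, as in every example on the page; the function names and the inconsistent row are constructed.

```python
import re

MCAST_FLAG = 0x30000   # OR'ed with the nickname to form the upper three bytes (page layout)
ROW = re.compile(r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d+)\s+(\d+)\s+(\S+)", re.I)


def parse_nickname(text):
    """Convert an x.xx.xx nickname such as '0.00.10' to its integer value."""
    m = re.fullmatch(r"([0-9a-f])\.([0-9a-f]{2})\.([0-9a-f]{2})", text, re.I)
    if not m:
        raise ValueError(f"not an x.xx.xx nickname: {text!r}")
    value = int("".join(m.groups()), 16)
    if value > 0xFFFF:
        # Assumption: only nicknames with a leading 0, as in the page's
        # examples, are handled; other values are rejected rather than guessed.
        raise ValueError(f"nickname {text!r} is outside the form this example covers")
    return value


def multicast_da(nickname, isid):
    """Build the multicast destination MAC from a nickname and a decimal I-SID."""
    if not 0 < isid <= 0xFFFFFF:
        raise ValueError(f"I-SID {isid} does not fit in 24 bits")
    raw = ((parse_nickname(nickname) | MCAST_FLAG) << 24) | isid
    return ":".join(f"{b:02x}" for b in raw.to_bytes(6, "big"))


def decode_da(mac):
    """Split a multicast destination MAC into (nickname or None, decimal I-SID)."""
    raw = int(mac.replace(":", ""), 16)
    upper, isid = raw >> 24, raw & 0xFFFFFF
    if upper & 0xFF0000 != MCAST_FLAG:
        return None, isid          # not the leading-0 nickname form handled here
    nick = upper & 0xFFFF
    return f"0.{nick >> 8:02x}.{nick & 0xFF:02x}", isid


def check_fib(output):
    """Parse 'show isis spbm multicast-fib' text and return (rows, mismatches)."""
    rows, mismatches = [], []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue               # banner, header and separator lines
        mac, isid_column = m.group(1).lower(), int(m.group(2))
        nickname, isid_in_mac = decode_da(mac)
        row = {"da": mac, "isid": isid_column, "bvlan": int(m.group(3)),
               "sysid": m.group(4), "nickname": nickname,
               "consistent": isid_in_mac == isid_column}
        rows.append(row)
        if not row["consistent"]:
            mismatches.append(row)
    return rows, mismatches


# First columns of the four rows in the page's sample output.
PAGE_SAMPLE = """\
MCAST DA          ISID     BVLAN SYSID          HOST-NAME
03:00:07:e4:e2:02 15000066 1001  0077.0077.0077 Switch-25
03:00:08:e4:e2:02 15000066 1001  0088.0088.0088 Switch-33
03:00:41:00:04:4d 1101     4058  00bb.0000.4100 Switch-1(*)
03:00:41:00:04:4f 1103     4058  00bb.0000.4100 Switch-1(*)
"""
# Constructed row whose ISID column disagrees with the low 24 bits of the address.
CONSTRUCTED_BAD_ROW = "03:00:41:00:04:4d 1102     4058  00bb.0000.4100 Switch-1(*)\n"

if __name__ == "__main__":
    print(multicast_da("0.00.10", 100))
    rows, bad = check_fib(PAGE_SAMPLE + CONSTRUCTED_BAD_ROW)
    for r in rows:
        print(r["da"], r["nickname"], r["isid"], "ok" if r["consistent"] else "MISMATCH")
```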

Universal Plug and Play Filtering


The switch can filter multicast packets destined for the Universal Plug and Play (uPnP) multicast IP
address with a Universal Plug and Play (uPnP) Filtering option. uPnP Filtering drops all incoming
multicast packets received by a switch on an IGMP-enabled interface if the destination multicast IP
address matches the configured range.

uPnP Filtering applies to both multicast receivers and multicast senders. If you want to use the uPnP
Filtering address range for actual multicast streaming, you must disable uPnP Filtering on the IGMP
interface.


uPnP Filtering is disabled by default. If you create a new IGMP interface, uPnP Filtering is enabled
automatically on the interface for the destination multicast IP address range 239.255.255.250/32. If you
enable uPnP Filtering on an existing IGMP-enabled interface with senders and receivers already present,
the filter does not delete the existing senders or receivers; the filter begins to drop packets from that
point forward. Existing senders and receivers eventually expire and senders are not relearned.

You can use CLI or EDM to configure a different destination multicast IP address range.

uPnP Filtering functions in the following scenarios:


• IGMP snooping is enabled on a VLAN and IP Multicast over Fabric Connect on Layer 2 VSN is
configured.
• IP Multicast over Fabric Connect within the Global Routing Table (GRT) is configured.
• IP Multicast over Fabric Connect on a Layer 3 VSN is configured.

IP Multicast over Fabric Connect Configuration using the CLI


Enabling IP Multicast over Fabric Connect globally
Use this procedure to enable IP Multicast over Fabric Connect globally on the Backbone Edge Bridges
(BEBs) that directly or indirectly (using Layer 2 switches) connect to IP multicast senders or receivers.
By default, IP Multicast over Fabric Connect is disabled. There is no need to enable IP Multicast over
Fabric Connect on the Backbone Core Bridges (BCBs).

You must configure IP Multicast over Fabric Connect at the global level, and then enable it on the
service option or options you choose.

Note
IP Multicast over Fabric Connect uses I-SIDs starting at 16,000,000 and above. If Layer 2 or
Layer 3 I-SIDs are in this range, the system displays an error message and the switch does not
enable IP Multicast over Fabric Connect.

Note
You must enable IP multicast over Fabric Connect globally on all DvR enabled nodes
(Controllers and Leaf nodes) in a DvR domain.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the customer VLANs (C-VLANs) and add slots/ports.
• You must add IST slot/ports to the C-VLAN for an SMLT topology.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Verify no I-SIDs exist in the default reserved range:
a. For Layer 2 use the following command:
show vlan i-sid
b. For Layer 3 use the following command:
show ip ipvpn vrf WORD<1–16>
3. Enter IS-IS Router Configuration mode:
enable
configure terminal
router isis
4. Enable IP Multicast over Fabric Connect globally:
spbm <1–100> multicast enable

Note
The switch only supports one SPBM instance.

5. (Optional) Disable IP Multicast over Fabric Connect globally:
no spbm <1–100> multicast enable
default spbm <1–100> multicast enable

Example

Enable IP Multicast over Fabric Connect globally:

Switch:1>show vlan i-sid


===============================================================================
Vlan I-SID
===============================================================================
VLAN_ID I-SID I-SID NAME
-------------------------------------------------------------------------------
1
10 100 Hospital-Server-10
90 1000 ISID-1000

3 out of 3 Total Num of Vlans displayed


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#spbm 1 multicast enable

Variable definitions

The following table defines parameters for the spbm command.

Variable    Value
<1–100>     Enables IP Multicast over Fabric Connect globally. The default is disabled.
            Specifies the SPBM instance. The switch only supports one instance.


Display IP Multicast over Fabric Connect information


Use this procedure to display IP Multicast over Fabric Connect summary information.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display the status of the global IP Multicast over Fabric Connect configuration:
show isis spbm multicast
3. Display IP Multicast over Fabric Connect summary information for each S, G, V tuple:
show isis spb-mcast-summary [count][host-name WORD<0–255>][lspid
<xxxx.xxxx.xxxx.xx-xx>]
4. Display information about the multicast routes on the switch:
show ip mroute route [vrf WORD<1–32>][vrfids WORD<0–255>]

Example

Display IP Multicast over Fabric Connect global configuration information:


Switch:1>enable
Switch:1#show isis spbm multicast

multicast : enable
fwd-cache-timeout(seconds) : 210

Switch:1#show isis spb-mcast-summary

============================================================================
SPB multicast - Summary
============================================================================
SCOPE SOURCE GROUP DATA LSP HOST
I-SID ADDRESS ADDRESS I-SID BVID FRAG NAME
-----------------------------------------------------------------------------
GRT 192.0.2.102 233.252.0.1 16000001 63 0x0 DIST5A
Switch:1>show ip mroute route

================================================================================
Mroute Route - GlobalRouter
================================================================================
GROUP SOURCE SRCMASK UPSTREAM_NBR IF EXPIR PROT
--------------------------------------------------------------------------------
233.252.0.1 0.0.0.0 0.0.0.0 0.0.0.0 V3 30 spb-access
233.252.0.1 192.0.2.102 255.255.255.0 0.0.0.0 - 0 spb-network
233.252.0.2 0.0.0.0 0.0.0.0 0.0.0.0 V2 30 pimsm
225.1.1.1 198.51.100.99 255.255.255.0 0.0.0.0 V3 173 spb-pim-gw

Total 4

Variable Definitions

The following table defines parameters for the show isis spb-mcast-summary command.


Variable                     Value
count                        Displays the total number of SPB multicast entries.
host-name WORD<0–255>        Displays the IP Multicast over Fabric Connect summary
                             information for a specific host-name.
lspid <xxx.xxx.xxx.xx-xx>    Displays the IP Multicast over Fabric Connect summary
                             information for the specified LSP ID that you enter in
                             xxx.xxx.xxx.xx-xx — 8 byte format.

The following table defines parameters for the show ip mroute route command.

Variable              Value
vrf WORD<1–32>        Specifies a VRF.
vrfids WORD<0–255>    Specifies the VRF ID.

Display the Multicast FIB


About This Task

In SPBM, B-MAC addresses are carried within the IS-IS link-state database. To do this, SPBM supports an
IS-IS TLV that advertises the I-SID and B-MAC information across the network. Each node has a System
ID, which also serves as Backbone MAC address (B-MAC) of the switch. These Backbone MAC addresses
are populated into the SPBM VLAN Forwarding Information Base (FIB).

When the network topology is discovered and stored in the IS-IS link-state database, each node
calculates shortest path trees for each source node, so that a unicast path now exists from every node
to every other node. With this information, each node populates unicast information received from
SPBM into the FIB for forwarding purposes.

The multicast FIB is not produced until virtual services are configured and learned.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the SPBM multicast FIB:
show isis spbm multicast-fib [vlan <1-4059>] [i-sid <1–16777215>]
[nick-name <x.xx.xx>] [summary]

Example
Switch#show isis spbm multicast-fib

==========================================================================================
SPBM MULTICAST FIB ENTRY INFO
==========================================================================================
MCAST DA          ISID     BVLAN SYSID          HOST-NAME   OUTGOING-INTERFACES INCOMING INTERFACE
------------------------------------------------------------------------------------------
03:00:07:e4:e2:02 15000066 1001  0077.0077.0077 Switch-25   1/33                MLT-2
03:00:08:e4:e2:02 15000066 1001  0088.0088.0088 Switch-33   1/50,1/33           40.40.40.40
03:00:41:00:04:4d 1101     4058  00bb.0000.4100 Switch-1(*) 1/3,1/49,0.0.0.0    Tunnel_to_HQ
03:00:41:00:04:4f 1103     4058  00bb.0000.4100 Switch-1(*) 1/3,1/49,0.0.0.0    cpp
------------------------------------------------------------------------------------------
Total number of SPBM MULTICAST FIB entries 4
------------------------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the show isis spbm multicast-fib command.

Variable Value
vlan <1-4059> Displays the FIB for the specified SPBM VLAN.
i-sid <1–16777215> Displays the FIB for the specified I-SID.
nick-name <x.xx.xx> Displays the FIB for the specified nickname.
summary Displays a summary of the FIB.

Configure Universal Plug and Play (uPnP) Filtering


Before You Begin

Create a port-based VLAN.

About This Task

Use the following procedure to enable Universal Plug and Play (uPnP) Filtering on an IGMP-enabled
interface. uPnP Filtering is disabled by default.

The default uPnP Filtering multicast group address range is 239.255.255.250/32. If you do not configure
the multicast group range, uPnP Filtering filters multicast packets destined for the default multicast
group range.

Procedure

1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Enable uPnP Filtering:
ip igmp upnp-filter [ip {A.B.C.D/X}]

Example

Enable uPnP Filtering on a VLAN using the default multicast group address range:

Switch:1(config-if)#ip igmp upnp-filter


Enable uPnP Filtering on a VLAN with configured multicast group address range:

Switch:1(config-if)#ip igmp upnp-filter ip 233.252.0.0/24

Variable Definitions

The following table defines parameters for the ip igmp upnp-filter command.

Variable            Value
gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
                    Identifies the slot and port in one of the following formats: a single slot
                    and port (slot/port), a range of slots and ports (slot/port-slot/port), or a
                    series of slots and ports (slot/port,slot/port,slot/port). If the platform
                    supports channelization and the port is channelized, you must also specify
                    the sub-port in the format slot/port/sub-port.
ip {A.B.C.D/X}      Configures the multicast destination IP address range to filter for an IGMP
                    interface. The default multicast group address is 239.255.255.250/32.
vlan <1-4059>       Specifies the VLAN.

View uPnP Filtering information on an IGMP-enabled interface


Use the following command to display uPnP Filtering information on an IGMP-enabled interface.

Procedure

1. Enter Privileged EXEC mode:

enable

2. Display information about the interfaces where IGMP is enabled:

show ip igmp interface [gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}][vlan <1-4059>[vrf WORD<1–16>][vrfids WORD<0–512>]

Example

View the default uPnP Filtering information on an IGMP-enabled interface:


Switch:1#show ip igmp interface vlan 2
========================================================================================
                                      Vlan Ip Igmp
========================================================================================
VLAN QUERY QUERY ROBUST VERSION LAST  PROXY  SNOOP  SNOOP  SSM    UPnP   FAST   FAST
ID   INTVL MAX                  MEMB  SNOOP  ENABLE ORIGIN SNOOP  FILTER LEAVE  LEAVE
           RESP                 QUERY ENABLE               ENABLE ENABLE ENABLE PORTS
----------------------------------------------------------------------------------------
2    125   100   2      2       10    false  false  RADIUS false  false  false

VLAN SNOOP   SNOOP   DYNAMIC   COMPATIBILITY EXPLICIT UPnP
ID   QUERIER QUERIER DOWNGRADE MODE          HOSTS    FILTER
     ENABLE  ADDRESS VERSION                 TRACKING ADDRESS
----------------------------------------------------------------------------------------
2    false   0.0.0.0 enable    disable       disable  239.255.255.250/32


View uPnP Filtering information on an IGMP-enabled interface when uPnP Filtering is enabled and a
non-default multicast group address is configured:
Switch:1(config)#show ip igmp interface vlan 2
=======================================================================================
                                      Vlan Ip Igmp
=======================================================================================
VLAN QUERY QUERY ROBUST VERSION LAST  PROXY  SNOOP  SNOOP  SSM    UPnP   FAST   FAST
ID   INTVL MAX                  MEMB  SNOOP  ENABLE ORIGIN SNOOP  FILTER LEAVE  LEAVE
           RESP                 QUERY ENABLE               ENABLE ENABLE ENABLE PORTS
---------------------------------------------------------------------------------------
2    125   100   2      2       10    false  false  RADIUS false  true   false

VLAN SNOOP   SNOOP   DYNAMIC   COMPATIBILITY EXPLICIT UPnP
ID   QUERIER QUERIER DOWNGRADE MODE          HOSTS    FILTER
     ENABLE  ADDRESS VERSION                 TRACKING ADDRESS
---------------------------------------------------------------------------------------
2    false   0.0.0.0 enable    disable       disable  233.252.0.0/24

Variable Definitions

The following table defines parameters for the show ip igmp interface command.

Variable Value
gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}  Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
vlan <1-4059>  Specifies the VLAN.
vrf WORD<1–16>  Specifies the VRF by name.
vrfids WORD<0–512>  Specifies the VRF by VRF ID.
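
The following Python check is an added example, not part of the VOSS guide. It reads captured show ip igmp interface vlan output in the two-table layout shown above and reports VLANs where uPnP Filtering is off, or where the configured range no longer covers 239.255.255.250. The function names, the finding labels and the policy that this group should stay filtered are assumptions; the sample text is constructed from the guide's two examples.

```python
import ipaddress

# Default uPnP Filtering group named in the guide.
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")


def sample(upnp_enabled, filter_range):
    """Build constructed CLI text for VLAN 2 in the guide's column order."""
    return f"""\
Switch:1#show ip igmp interface vlan 2
VLAN QUERY QUERY ROBUST VERSION LAST PROXY SNOOP SNOOP SSM UPnP FAST FAST
ID INTVL MAX MEMB SNOOP ENABLE ORIGIN SNOOP FILTER LEAVE LEAVE
RESP QUERY ENABLE ENABLE ENABLE ENABLE PORTS
--------------------------------------------------------------------------
2 125 100 2 2 10 false false RADIUS false {upnp_enabled} false

VLAN SNOOP SNOOP DYNAMIC COMPATIBILITY EXPLICIT UPnP
ID QUERIER QUERIER DOWNGRADE MODE HOSTS FILTER
ENABLE ADDRESS VERSION TRACKING ADDRESS
--------------------------------------------------------------------------
2 false 0.0.0.0 enable disable disable {filter_range}
"""


def parse_upnp_state(output):
    """Return {vlan: {"enabled": bool, "range": IPv4Network}} from the CLI text."""
    state, table = {}, None
    for line in output.splitlines():
        f = line.split()
        if "ROBUST" in f:                 # first header line of the flags table
            table = "flags"
        elif "COMPATIBILITY" in f:        # first header line of the address table
            table = "addr"
        elif f and f[0].isdigit() and table == "flags" and len(f) >= 12:
            # Column 11 (index 10) is UPnP FILTER ENABLE.
            state.setdefault(int(f[0]), {})["enabled"] = f[10] == "true"
        elif f and f[0].isdigit() and table == "addr" and len(f) >= 7:
            # Column 7 (index 6) is UPnP FILTER ADDRESS.
            state.setdefault(int(f[0]), {})["range"] = ipaddress.ip_network(
                f[6], strict=False)
    return state


def audit_upnp(output):
    """Return (vlan, finding) pairs; an empty list means nothing to report."""
    findings = []
    for vlan, s in sorted(parse_upnp_state(output).items()):
        if not s.get("enabled"):
            findings.append((vlan, "upnp-filter-disabled"))
        elif "range" in s and SSDP_GROUP not in s["range"]:
            findings.append((vlan, f"range {s['range']} misses {SSDP_GROUP}"))
    return findings


if __name__ == "__main__":
    for text in (sample("false", "239.255.255.250/32"),
                 sample("true", "233.252.0.0/24")):
        print(audit_upnp(text))
```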

IP Multicast over Fabric Connect configuration using the EDM


Configure IP Multicast over Fabric Connect Globally
Use this procedure to globally enable IP Multicast over Fabric Connect on the Backbone Edge Bridges
(BEBs) that directly or indirectly (using Layer 2 switches) connect to IP multicast senders or receivers.
By default, IP Multicast over Fabric Connect is disabled. There is no need to enable IP Multicast over
Fabric Connect on the Backbone Core Bridges (BCBs).

You must configure IP Multicast over Fabric Connect at the global level, and then enable it on
the service option or options you choose.

Important
IP Multicast over Fabric Connect uses I-SIDs that start at 16,000,000 and above. If the Layer 2
and Layer 3 I-SIDs are within this range, the device displays an error message and the
system does not enable IP Multicast over Fabric Connect.

Note
You must enable IP multicast over Fabric Connect globally on all DvR enabled nodes
(Controllers and Leaf nodes) in a DvR domain.

Before You Begin


• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the customer VLANs (C-VLANs) and add slots/ports.

Procedure

1. In the navigation pane, expand Configuration > Fabric > SPBM to determine if any I-SIDs are within
the default range reserved for multicast.
2. Select the I-SID tab to determine if the I-SIDs are within the default range reserved for multicast.
3. In the navigation pane, expand Configuration > Fabric > SPBM.
4. Select the SPBM tab.
5. If you want to enable multicast on an SPBM instance that already exists, in the Mcast column in the
table, select enable.
6. If you want to enable multicast on an SPBM instance that does not yet exist, select Insert.
7. In the Mcast box, select enable to enable IP Multicast over Fabric Connect globally.
8. Select Insert.
9. Select Apply.

SPBM Field Descriptions

Use the data in the following table to use the SPBM tab.

Name Description
Id Specifies the SPBM instance ID. Only one SPBM
instance is supported.
NodeNickName Specifies a nickname for the SPBM instance
globally. Valid value is 2.5 bytes in the format
<x.xx.xx>.
PrimaryVlan Specifies the primary SPBM B-VLANs to add to
the SPBM instance.
Vlans Specifies the SPBM B-VLANs to add to the SPBM
instance.

LsdbTrap Configures whether to enable or disable a trap
when the SPBM LSDB changes. The default is
disable.
IpShortcut Enables or disables SPBM IP shortcut state. The
default is disable.
SmltSplitBEB Specifies whether the switch is the primary or
secondary vIST peer. The default is primary.
SmltVirtualBmac Specifies a virtual MAC address that can be used
by both peers.
SmltPeerSysId Specifies the system ID of the SPBM SMLT for this
SPBM instance.
Mcast Specifies if IP multicast over SPBM is enabled. The
default is disabled.
McastFwdCacheTimeout Specifies the global forward cache timeout in
seconds. The default is 210 seconds.
Ipv6Shortcut Enables or disables SPBM IPv6 shortcut state. The
default is disable.
McastSpbPimGwControllerEnable Enables or disables ISIS PLSB Multicast SPB PIM
Gateway controller. Disabled by default.
McastSpbPimGwGatewayEnable Enables or disables ISIS PLSB Multicast SPB PIM
Gateway. Disabled by default.
StpMultiHoming Enables or disables MSTP-Fabric Connect Multi
Homing.
The default is disabled (false).
BVlanOrigin Shows how the B-VLAN was created. The values
can be config for manual configuration using
CLI or SNMP, or dynamic through Zero Touch
Fabric Configuration and Auto-sense. The default
is dynamic.
Note: Exception: not supported on XA1400 Series and
VSP 8600 Series.

View IP Multicast over Fabric Connect Routes


Use this procedure to display the IP Multicast over Fabric Connect routes.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the IpMcastRoutes tab.

IpMcastRoutes field descriptions

Use the data in the following table to use the IpMcastRoutes tab.


Name Description
VsnIsid Specifies the VSN I-SID. Layer 2 VSN and Layer 3
VSN each require a VSN I-SID.
Group Specifies the group IP address for the IP Multicast
over Fabric Connect route.
Source Specifies the IP address where the IP Multicast
over Fabric Connect route originated.
NickName Specifies the nick name used to filter criteria.
SourceBeb Specifies the source BEB for the IP multicast route.
VlanID Specifies the ID for the C-VLAN.
VrfName Specifies the VRF name.
DataIsid Specifies the data I-SID for the IP Multicast
over Fabric Connect route. After a BEB receives IP
multicast data from a sender, a BEB allocates
a data I-SID in the range of 16,000,000 to
16,512,000 for the stream. The stream is identified
by the source IP address, group IP address, and
the local VLAN the stream is received on. The data
I-SID is a child of the scope or VSN I-SID.
Type Specifies the type for the IP Multicast over Fabric
Connect route.
Bvlan Specifies the B-VLAN for the IP Multicast over
Fabric Connect route.
NniInterfaces Specifies the NNI ports for the IP multicast route.
SPBM runs in the core on the ports that connect to
the core. These ports are NNI ports. Ports that face
a customer VLAN are user-to-network interface
(UNI) ports.

Displaying the UNI ports for IP multicast routes


Use this procedure to display UNI ports associated with particular IP multicast routes.

Procedure

1. In the navigation pane, expand Configuration > Fabric > SPBM.


2. Select the IpMcastRoutes tab.
3. Select the desired row and click the UNI Ports tab to display the UNI ports associated with a
particular stream.

IpMcastRoutes Uni Ports field descriptions

Use the data in the following table to use the IpMcastRoutes Uni Ports tab.


Name Description
Group Specifies the group IP address for the IP Multicast
over Fabric Connect route.
Source Specifies the IP address where the IP Multicast
over Fabric Connect route originated.
VsnIsid Specifies the VSN I-SID. Layer 2 VSN and Layer 3
VSN each require a VSN I-SID.
DataIsid Specifies the data I-SID for the IP multicast route.
After a BEB receives the IP multicast data from
a sender, a BEB allocates a data I-SID in the
range of 16,000,000 to 16,512,000 for the stream.
The stream is identified by the source IP address,
group IP address, and the local VLAN the stream
is received on. The data I-SID is a child of the
scope or VSN I-SID.
SourceBeb Specifies the source BEB for the IP multicast route.
VlanId Specifies the ID for the C-VLAN.
VrfName Specifies the VRF name.
NniPorts Specifies the NNI ports for the IP multicast route.
SPBM runs in the core on the ports that connect
to the core. These ports are NNI ports. Ports facing
a customer VLAN are user-to-network interface
(UNI) ports.
Type Specifies the type for the IP multicast route.
Bvlan Specifies the B-VLANs for the IP multicast route.

Displaying the multicast FIB


Use the following procedure to display the multicast FIB.

In SPBM, B-MAC addresses are carried within the IS-IS link-state database. To do this, SPBM supports an
IS-IS TLV that advertises the I-SID and B-MAC information across the network. Each node has a System
ID, which also serves as Backbone MAC address (B-MAC) of the switch. These Backbone MAC addresses
are populated into the SPBM VLAN Forwarding Information Base (FIB).

When the network topology is discovered and stored in the IS-IS link-state database, each node
calculates shortest path trees for each source node, so that a unicast path now exists from every node
to every other node. With this information, each node populates unicast information received from
SPBM into the FIB for forwarding purposes.

The multicast FIB is not produced until virtual services are configured and learned.

Procedure

1. In the navigation pane, expand Configuration > Fabric.


2. Select SPBM.
3. Select the Multicast FIB tab.


Multicast FIB field descriptions

Use the data in the following table to use the Multicast FIB tab.

Name Description
SysId System ID of the node where the multicast FIB entry
originated.
Vlan VLAN of the multicast FIB entry.
McastDestMacAddr Multicast destination MAC address of the multicast FIB entry.
Isid I-SID of the multicast FIB entry.
Isid Name Name assigned to the I-SID.
HostName Host name of the node where the multicast FIB entry
originated.
OutgoingInterfaces Specifies the switched UNI port outgoing interface of
multicast FIB entry.
IncomingInterface Specifies the incoming interface (port or MLT) of the
multicast FIB entry.

IP Multicast over Fabric Connect configuration examples


IP multicast over Fabric Connect global configuration
The following sections show the steps required to configure IP multicast over Fabric Connect at a global
level.

SwitchC
enable
configure terminal
prompt SwitchC

ISIS SPBM CONFIGURATION


router isis
spbm 1 multicast enable
exit

SwitchG
enable
configure terminal
prompt SwitchG

ISIS SPBM CONFIGURATION


router isis
spbm 1 multicast enable
exit

SwitchD
enable
configure terminal
prompt SwitchD

ISIS SPBM CONFIGURATION


router isis
spbm 1 multicast enable
exit

IP Multicast over Fabric Connect Services Configuration

Layer 2 VSN Configuration Fundamentals


Layer 2 VSN IP Multicast over Fabric Connect
IP Multicast over Fabric Connect supports Layer 2 VSN functionality where multicast traffic is bridged
over the SPBM core infrastructure. An application for Layer 2 VSNs using IP Multicast over Fabric
Connect is multicast traffic in data centers.

For more information on Layer 2 VSN configuration, see Layer 2 VSN configuration on page 1270.

After you configure ip igmp snooping on a VLAN that has an I-SID configured (a C-VLAN), that
VLAN is automatically enabled for IP Multicast over Fabric Connect services. No explicit configuration
exists separate from that to enable Layer 2 VSN IP Multicast over Fabric Connect.

Multicast traffic remains in the same Layer 2 VSN across the SPBM cloud for Layer 2 VSN IP Multicast
over Fabric Connect. IP Multicast over Fabric Connect constrains all multicast streams within the scope
level in which they originate. If a sender transmits a multicast stream to a BEB on a Layer 2 VSN with IP
Multicast over Fabric Connect enabled, only receivers that are part of the same Layer 2 VSN can receive
that stream.

I-SIDs

After a BEB receives IP multicast data from a sender, the BEB allocates a data service instance identifier
(I-SID) in the range of 16,000,000 to 16,512,000 for the multicast stream. The stream is identified by
the S, G, V tuple, which is the source IP address, the group IP address and the local VLAN the multicast
stream is received on. The data I-SID uses Tx/Rx bits to signify whether the BEB uses the I-SID to
transmit, receive, or both transmit and receive data on that I-SID.

In the context of Layer 2 VSNs with IP Multicast over Fabric Connect, the scope is the I-SID value of the
Layer 2 VSN associated with the local VLAN on which the IP multicast data was received.

TLVs

This information is propagated through the SPBM cloud using IS-IS Link State Packets (LSPs), which
carry TLV updates, that result in the multicast tree creation for that stream. For Layer 2 VSNs, the LSPs
carry I-SID information and information about where IP multicast stream senders and receivers exist
using TLV 144 and TLV 185.

IS-IS acts dynamically using the TLV information received from BEBs that connect to the sender and the
receivers to create a multicast tree between them.

IGMP

After a BEB receives an IGMP join message from a receiver, a BEB queries the IS-IS database to check if
a sender exists for the requested stream within the scope of the receiver. If the requested stream does
not exist, the IGMP information is kept, but no further action is taken. If the requested stream exists, the
BEB sends an IS-IS TLV update to its neighbors to inform them of the presence of a receiver and this
information is propagated through the SPBM cloud.

For IGMP Snooping, ensure that the IGMP version used by multicast hosts and other devices in the
network is the same as the IGMP version configured on the IGMP Snooping VLAN, or that you enable
compatibility mode.

Layer 2 VSN Configuration using the CLI

Configuring Layer 2 VSN IP Multicast over Fabric Connect

Use this procedure to configure IP Multicast over Fabric Connect for Layer 2 VSN functionality. With
Layer 2 VSN IP Multicast over Fabric Connect, multicast traffic remains in the same Layer 2 VSN across
the SPBM cloud.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the customer VLANs (C-VLANs) and add slots/ports.
• You must assign the same I-SID to the C-VLANs on all the BEBs where you configure the C-VLAN.
• You must enable IP Multicast over Fabric Connect globally.

About This Task

Traffic is only delivered to UNIs on the Layer 2 VSN where the switch receives IGMP joins and reports.
Traffic does not cross the Layer 2 VSN boundary.

Configuring ip igmp snooping on a VLAN that has an I-SID configured (a C-VLAN) automatically
enables that VLAN for IP Multicast over Fabric Connect services. No explicit configuration exists
separate from that to enable Layer 2 VSN IP Multicast over Fabric Connect.

SPBM supports enabling IGMP Snooping on a C-VLAN, but it does not support enabling Protocol
Independent Multicast (PIM) on a C-VLAN. If you enable IGMP snooping on a C-VLAN, then its
operating mode is Layer 2 Virtual Services Network with IGMP support on the access networks for
optimized forwarding of IP multicast traffic in a bridged network.

The switch only supports IPv4 multicast traffic.

Procedure

1. Enter VLAN Interface Configuration mode:


enable

configure terminal

interface vlan <1–4059>


2. Enable proxy snoop:
ip igmp proxy
3. Enable IGMP snooping:
ip igmp snooping


4. (Optional) If you want to configure an address for the IGMP queries, enter the following command:
ip igmp snoop-querier-addr <A.B.C.D>

This step is not always required. The IGMP Querier on the BEB uses a source address 0.0.0.0 by
default. When you do not configure this, a BEB sends IGMP queries on the UNI ports with 0.0.0.0 as
the source IP address. Some Layer 2 edge switches do not support a 0.0.0.0 querier. You can use a
fictitious IP address as the querier address, and use the same address on all BEBs in the network.
5. (Optional) Enable IGMPv3 at a VLAN level by enabling SSM-snooping and IGMPv3:
ip igmp ssm-snoop

ip igmp version 3

You must enable SSM snoop before you configure IGMP version 3 and both ssm-snoop and
snooping must be enabled for IGMPv3.

For IGMP Snooping, ensure that the IGMP version used by multicast hosts and other devices in the
network is the same as the IGMP version configured on the IGMP Snooping VLAN, or that you enable
compatibility mode.

Example

Enable IGMPv2 at a VLAN level:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 501
Switch:1(config-if)#ip igmp proxy
Switch:1(config-if)#ip igmp snooping
Switch:1(config-if)#ip igmp snoop-querier-addr 192.0.2.1

Enable IGMPv3 at a VLAN level:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 2256
Switch:1(config-if)#ip igmp proxy
Switch:1(config-if)#ip igmp snooping
Switch:1(config-if)#ip igmp snoop-querier-addr 192.0.2.1
Switch:1(config-if)#ip igmp ssm-snoop
Switch:1(config-if)#ip igmp version 3

View Layer 2 VSN IP Multicast over Fabric Connect information

Use the following options to display Layer 2 VSN information to confirm proper configuration.

Procedure

1. To enter User EXEC mode, log on to the switch.


2. Display all IP Multicast over Fabric Connect route information:
show isis spbm ip-multicast-route [all]
3. Display detailed IP Multicast over Fabric Connect route information:
show isis spbm ip-multicast-route [detail]
4. Display IP multicast route information by VLAN:
show isis spbm ip-multicast-route [vlan <1-4059>]


5. Display IP Multicast over Fabric Connect route information by VSN I-SID:


show isis spbm ip-multicast-route [vsn-isid <1–16777215>]
6. Display IP Multicast over Fabric Connect route information by group address:
show isis spbm ip-multicast-route [group {A.B.C.D}]
7. Display IP Multicast over Fabric Connect route information by source address:
show isis spbm ip-multicast-route [source {A.B.C.D}]

Important
When you use the command show isis spbm ip-multicast-route without
parameters or use the detail or group optional parameters without specifying a VLAN
ID or VSN I-SID, the command output displays Layer 3 context only. No Layer 2 context is
displayed.

8. Display summary information for each S, G, V tuple with the corresponding scope, data I-SID, and
the host name of the source:
show isis spb-mcast-summary [count][host-name WORD<0–255>][lspid <xxxx.xxxx.xxxx.xx-xx>]

Example
Switch:1#show isis spbm ip-multicast-route all
===================================================================================
SPBM IP-MULTICAST ROUTE INFO ALL
===================================================================================
Type VrfName Vlan Source Group VSN-ISID Data ISID BVLAN Source-BEB
Id
-----------------------------------------------------------------------------------
snoop GRT 501 192.0.2.1 233.252.0.1 5010 16300001 10 el2
snoop GRT 501 192.0.2.1 233.252.0.2 5010 16300002 20 el2
snoop GRT 501 192.0.2.1 233.252.0.3 5010 16300003 10 el2
snoop GRT 501 192.0.2.1 233.252.0.4 5010 16300004 20 el2
snoop GRT 501 192.0.2.1 233.252.0.5 5010 16300005 10 el2
snoop GRT 501 192.0.2.1 233.252.0.6 5010 16300006 20 el2
snoop GRT 501 192.0.2.1 233.252.0.7 5010 16300007 10 el2
snoop GRT 501 192.0.2.1 233.252.0.8 5010 16300008 20 el2
snoop GRT 501 192.0.2.1 233.252.0.9 5010 16300009 10 el2
snoop GRT 501 192.0.2.1 233.252.0.10 5010 16300010 20 el2

-----------------------------------------------------------------------------------
Total Number of SPBM IP MULTICAST ROUTE Entries: 10
-----------------------------------------------------------------------------------

Switch:1#show isis spbm ip-multicast-route vlan 501


==================================================================================
SPBM IP-MULTICAST ROUTE INFO ALL
==================================================================================
Type VrfName Vlan Source Group VSN-ISID Data ISID BVLAN Source-BEB
Id
----------------------------------------------------------------------------------
snoop GRT 501 192.0.2.1 233.252.0.1 5010 16300001 10 el2
snoop GRT 501 192.0.2.1 233.252.0.2 5010 16300002 20 el2
snoop GRT 501 192.0.2.1 233.252.0.3 5010 16300003 10 el2
snoop GRT 501 192.0.2.1 233.252.0.4 5010 16300004 20 el2
snoop GRT 501 192.0.2.1 233.252.0.5 5010 16300005 10 el2
snoop GRT 501 192.0.2.1 233.252.0.6 5010 16300006 20 el2
snoop GRT 501 192.0.2.1 233.252.0.7 5010 16300007 10 el2
snoop GRT 501 192.0.2.1 233.252.0.8 5010 16300008 20 el2
snoop GRT 501 192.0.2.1 233.252.0.9 5010 16300009 10 el2
snoop GRT 501 192.0.2.1 233.252.0.10 5010 16300010 20 el2

----------------------------------------------------------------------------------
Total Number of SPBM IP MULTICAST ROUTE Entries: 10
----------------------------------------------------------------------------------

Switch:1# show isis spbm ip-multicast-route vsn-isid 5010


=========================================================================
SPBM IP-MULTICAST ROUTE INFO - VLAN ID : 501, VSN-ISID : 5010
========================================================================
Source Group Data ISID BVLAN Source-BEB
------------------------------------------------------------------------
192.0.2.1 233.252.0.1 16300001 10 el2
192.0.2.1 233.252.0.2 16300002 20 el2
192.0.2.1 233.252.0.3 16300003 10 el2
192.0.2.1 233.252.0.4 16300004 20 el2
192.0.2.1 233.252.0.5 16300005 10 el2
192.0.2.1 233.252.0.6 16300006 20 el2
192.0.2.1 233.252.0.7 16300007 10 el2
192.0.2.1 233.252.0.8 16300008 20 el2
192.0.2.1 233.252.0.9 16300009 10 el2
192.0.2.1 233.252.0.10 16300010 20 el2

------------------------------------------------------------------------
Total Number of SPBM IP MULTICAST ROUTE Entries: 10
------------------------------------------------------------------------

Switch:1# show isis spbm ip-multicast-route vsn-isid 5010 detail


============================================================================
SPBM IP-MULTICAST ROUTE INFO - TYPE : SNOOP , VLAN ID : 501, VSN-ISID : 5010
============================================================================
Source Group Data ISID BVLAN NNI Rcvrs UNI Rcvrs Source-BEB
----------------------------------------------------------------------------
192.0.2.1 233.252.0.1 16300001 10 1/3 V501:9/38 el2
192.0.2.1 233.252.0.2 16300002 20 1/2,1/3 V501:9/38 el2
192.0.2.1 233.252.0.3 16300003 10 1/3 V501:9/38 el2
192.0.2.1 233.252.0.4 16300004 20 1/2,1/3 V501:9/38 el2
192.0.2.1 233.252.0.5 16300005 10 1/3 V501:9/38 el2
192.0.2.1 233.252.0.6 16300006 20 1/2,1/3 V501:9/38 el2
192.0.2.1 233.252.0.7 16300007 10 1/3 V501:9/38 el2
192.0.2.1 233.252.0.8 16300008 20 1/2,1/3 V501:9/38 el2
192.0.2.1 233.252.0.9 16300009 10 1/3 V501:9/38 el2
192.0.2.1 233.252.0.10 16300010 20 1/2,1/3 V501:9/38 el2
----------------------------------------------------------------------------
Total Number of SPBM IP MULTICAST ROUTE Entries: 10
----------------------------------------------------------------------------

Switch:1# show isis spb-mcast-summary

======================================================================
SPB Multicast - Summary
======================================================================
SCOPE SOURCE GROUP DATA LSP HOST
I-SID ADDRESS ADDRESS I-SID BVID FRAG NAME
----------------------------------------------------------------------
5010 192.0.2.1 233.252.0.1 16300001 10 0x0 el2
5010 192.0.2.1 233.252.0.3 16300003 10 0x0 el2
5010 192.0.2.1 233.252.0.5 16300005 10 0x0 el2
5010 192.0.2.1 233.252.0.7 16300007 10 0x0 el2
5010 192.0.2.1 233.252.0.9 16300009 10 0x0 el2
5010 192.0.2.1 233.252.0.2 16300002 20 0x0 el2
5010 192.0.2.1 233.252.0.4 16300004 20 0x0 el2
5010 192.0.2.1 233.252.0.6 16300006 20 0x0 el2
5010 192.0.2.1 233.252.0.8 16300008 20 0x0 el2
5010 192.0.2.1 233.252.0.10 16300010 20 0x0 el2

Switch:1# show isis spbm ip-multicast-route vsn-isid 5010 detail


============================================================================
SPBM IP-MULTICAST ROUTE INFO - TYPE : SNOOP , VLAN ID : 501, VSN-ISID : 5010
============================================================================
Source Group Data ISID BVLAN NNI Rcvrs UNI Rcvrs Source-BEB
----------------------------------------------------------------------------
192.0.2.1 233.252.0.1 16300001 10 1/4,MLT-35 V501:9/32-9/33 el2
192.0.2.1 233.252.0.3 16300002 20 - V501:9/32-9/33 el2
192.0.2.1 233.252.0.5 16300003 10 1/4,MLT-35 V501:9/32-9/33 el2
192.0.2.1 233.252.0.7 16300004 20 - V501:9/32-9/33 el2
192.0.2.1 233.252.0.9 16300005 10 1/4,MLT-35 V501:9/32-9/33 el2
192.0.2.1 233.252.0.2 16300006 20 - V501:9/32-9/33 el2
192.0.2.1 233.252.0.4 16300007 10 1/4,MLT-35 V501:9/32-9/33 el2
192.0.2.1 233.252.0.6 16300008 20 - V501:9/32-9/33 el2
192.0.2.1 233.252.0.8 16300009 10 1/4,MLT-35 V501:9/32-9/33 el2
192.0.2.1 233.252.0.10 16300010 20 - V501:9/32-9/33 el2
----------------------------------------------------------------------------
Total Number of SPBM IP MULTICAST ROUTE Entries: 10
----------------------------------------------------------------------------

Variable definitions

The following table defines parameters for the show isis spbm ip-multicast-route
command.

Variable Value
all Displays all IP Multicast over Fabric Connect route information.
detail Displays detailed IP Multicast over Fabric Connect route information.
group {A.B.C.D} source {A.B.C.D} Displays information on the group IP address for the IP Multicast over
Fabric Connect route. If you select source it will also display the source
IP address.
vlan <0–4084> Displays IP Multicast over Fabric Connect route information by VLAN.
vrf WORD<1–16> Displays IP Multicast over Fabric Connect route information by VRF.
vsn-isid <1–16777215> Displays IP Multicast over Fabric Connect route information by I-SID.

The following table defines parameters for the show isis spb-mcast-summary command.

Variable Value
count Displays the total number of SPB multicast entries.
host-name WORD<0–255> Displays the IP Multicast over Fabric Connect summary for a
given host-name.
lspid <xxxx.xxxx.xxxx.xx-xx> Displays the IP Multicast over Fabric Connect summary for a
given LSP ID.
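
The following Python check is an added example, not part of the VOSS guide. It parses captured show isis spbm ip-multicast-route all output and tests each row against what the guide states: data I-SIDs fall in 16,000,000 to 16,512,000, service (VSN) I-SIDs stay below 16,000,000, one data I-SID belongs to one S, G, V stream, and a snooped C-VLAN sits in a single Layer 2 VSN scope. Function names and finding labels are assumptions, and the last three sample rows are constructed faults.

```python
import ipaddress
from collections import defaultdict

# Data I-SID range the guide gives for IP multicast streams.
DATA_ISID_MIN, DATA_ISID_MAX = 16_000_000, 16_512_000

# Constructed capture in the column order of "show isis spbm ip-multicast-route all".
# The first two rows mirror the guide's example; the last three are invented faults.
SAMPLE = """\
Type  VrfName Vlan Source    Group        VSN-ISID Data ISID BVLAN Source-BEB
              Id
------------------------------------------------------------------------------
snoop GRT     501  192.0.2.1 233.252.0.1  5010     16300001  10    el2
snoop GRT     501  192.0.2.1 233.252.0.2  5010     16300002  20    el2
snoop GRT     501  192.0.2.1 233.252.0.3  5010     16300002  10    el2
snoop GRT     502  192.0.2.9 233.252.0.4  16000005 16300004  20    el2
snoop GRT     501  192.0.2.1 233.252.0.5  5010     15999999  10    el2
------------------------------------------------------------------------------
Total Number of SPBM IP MULTICAST ROUTE Entries: 5
"""


def parse_routes(output):
    """Return one dict per route row; headers, rulers and totals are skipped."""
    routes = []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 9 or not all(f[i].isdigit() for i in (2, 5, 6, 7)):
            continue
        try:
            source = ipaddress.ip_address(f[3])
            group = ipaddress.ip_address(f[4])
        except ValueError:
            continue
        routes.append({"type": f[0], "vrf": f[1], "vlan": int(f[2]),
                       "source": source, "group": group,
                       "vsn_isid": int(f[5]), "data_isid": int(f[6]),
                       "bvlan": int(f[7]), "beb": f[8]})
    return routes


def audit(routes):
    """Return sorted (label, I-SID or VLAN) findings; labels are this example's own."""
    findings = set()
    streams_by_isid = defaultdict(set)   # (source BEB, data I-SID) -> {(S, G, V)}
    scopes_by_vlan = defaultdict(set)    # snooped C-VLAN -> {VSN I-SID}
    for r in routes:
        if not DATA_ISID_MIN <= r["data_isid"] <= DATA_ISID_MAX:
            findings.add(("data-isid-out-of-range", r["data_isid"]))
        if r["vsn_isid"] >= DATA_ISID_MIN:
            findings.add(("scope-in-reserved-range", r["vsn_isid"]))
        if not r["group"].is_multicast:
            findings.add(("group-not-multicast", r["vlan"]))
        stream = (r["source"], r["group"], r["vlan"])
        streams_by_isid[(r["beb"], r["data_isid"])].add(stream)
        if r["type"] == "snoop":         # Layer 2 VSN rows, as in the guide's output
            scopes_by_vlan[r["vlan"]].add(r["vsn_isid"])
    for (_, isid), streams in streams_by_isid.items():
        if len(streams) > 1:
            findings.add(("shared-data-isid", isid))
    for vlan, scopes in scopes_by_vlan.items():
        if len(scopes) > 1:
            findings.add(("vlan-in-multiple-scopes", vlan))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_routes(SAMPLE)):
        print(finding)
```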

View IGMP Information for Layer 2 VSN Multicast

Use the following commands to display IGMP information.


Procedure
1. Enter Privileged EXEC mode:
enable
2. Display information about the interfaces where IGMP is enabled:
show ip igmp interface [gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}][vlan <1-4059>[vrf WORD<1–16>][vrfids WORD<0–512>]

Ensure that the output displays snoop-spb under MODE.

3. Display information about the IGMP cache:
show ip igmp cache [vrf WORD<1–16>][vrfids WORD<0–512>]
4. Display information about the IGMP group:
show ip igmp group [count][group {A.B.C.D}][member-subnet {A.B.C.D/X}][vrf WORD<1–16>][vrfids WORD<0–512>]
5. Display information about the IGMP sender:
show ip igmp sender [count][group {A.B.C.D}][member-subnet {A.B.C.D/X}][vrf WORD<1–16>][vrfids WORD<0–512>]
6. Display IGMP snoop-trace information:
show ip igmp snoop-trace [group {A.B.C.D}][source {A.B.C.D}][vrf WORD<1–16>][vrfids WORD<0–512>]

Example
Switch:1#show ip igmp interface

=========================================================================================
Igmp Interface - GlobalRouter
=========================================================================================
QUERY OPER QUERY WRONG LASTMEM
IF INTVL STATUS VERS. VERS QUERIER MAXRSPT QUERY JOINS ROBUST QUERY MODE L2ISID
-----------------------------------------------------------------------------------------
V100 125 activ 2 2 0.0.0.0 100 0 0 2 10 snoop-spb 1100

1 out of 1 entries displayed


Switch:1#show ip igmp interface vlan 2
========================================================================================
                                      Vlan Ip Igmp
========================================================================================
VLAN QUERY QUERY ROBUST VERSION LAST  PROXY  SNOOP  SNOOP  SSM    UPnP   FAST   FAST
ID   INTVL MAX                  MEMB  SNOOP  ENABLE ORIGIN SNOOP  FILTER LEAVE  LEAVE
           RESP                 QUERY ENABLE               ENABLE ENABLE ENABLE PORTS
----------------------------------------------------------------------------------------
2    125   100   2      2       10    false  false  RADIUS false  false  false

VLAN SNOOP   SNOOP   DYNAMIC   COMPATIBILITY EXPLICIT UPnP
ID   QUERIER QUERIER DOWNGRADE MODE          HOSTS    FILTER
     ENABLE  ADDRESS VERSION                 TRACKING ADDRESS
----------------------------------------------------------------------------------------
2    false   0.0.0.0 enable    disable       disable  239.255.255.250/32

Switch:1#show ip igmp group

================================================================================
Igmp Group - GlobalRouter
================================================================================

GRPADDR INPORT MEMBER EXPIRATION TYPE L2ISID
--------------------------------------------------------------------------------
224.5.2.1 V701-1/4 62.0.1.1 214 Dynamic 40400
224.5.2.2 V702-1/4 62.0.2.1 221 Dynamic 40400
224.5.2.3 V703-1/4 62.0.3.1 217 Dynamic 40400
224.5.2.4 V704-1/4 62.0.4.1 223 Dynamic 40400

4 out of 4 group Receivers displayed

Total number of unique groups 2

Switch:1#show ip igmp sender


=============================================================================
Igmp Sender - GlobalRouter
=============================================================================
PORT/
GRPADDR IFINDEX MEMBER MLT STATE L2ISID
-----------------------------------------------------------------------------
233.252.0.1 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.2 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.3 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.4 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.5 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.6 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.7 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.8 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.9 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.10 Vlan 501 192.2.0.1 spb NOTFILTERED

10 out of 10 entries displayed


Switch:1# show ip igmp snoop-trace

================================================================================
Snoop Trace - GlobalRouter
================================================================================
GROUP SOURCE IN IN OUT OUT TYPE
ADDRESS ADDRESS VLAN PORT VLAN PORT
--------------------------------------------------------------------------------
233.252.0.1 192.0.2.6 500 1/1 500 1/5 ACCESS
233.252.0.10 192.0.2.7 500 1/1 500 1/10 ACCESS

Variable Definitions

The following table defines parameters for the show ip igmp interface command.

Variable Value
gigabitethernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
vlan <1-4059> Specifies the VLAN.
vrf WORD<1–16> Specifies the VRF by name.
vrfids WORD<0–512> Specifies the VRF by VRF ID.


The following table defines parameters for the show ip igmp cache command.

Variable Value
vrf WORD<1–16> Specifies the VRF by name.
vrfids WORD<0–512> Specifies the VRF by VRF ID.

The following table defines parameters for the show ip igmp group command.

Variable Value
count Specifies the number of entries.
group {A.B.C.D} Specifies the group address.
member-subnet {A.B.C.D/X} Specifies the IP address and network mask.
vrf WORD<1–16> Displays the multicast route configuration for a particular VRF by name.
vrfids WORD<0–512> Displays the multicast route configuration for a particular VRF by VRF ID.

The following table defines parameters for the show ip igmp sender command.

Variable Value
count Specifies the number of entries.
group {A.B.C.D} Specifies the group address.
member-subnet {A.B.C.D/X} Specifies the IP address and network mask.
vrf WORD<1–16> Displays the multicast route configuration for a particular VRF by name.
vrfids WORD<0–512> Displays the multicast route configuration for a particular VRF by VRF ID.

The following table defines parameters for the show ip igmp snoop-trace command.

Variable Value
group {A.B.C.D} Specifies the group address.
source {A.B.C.D} Specifies the source address.
vrf WORD<1–16> Displays the multicast route configuration for a particular VRF by name.
vrfids WORD<0–512> Displays the multicast route configuration for a particular VRF by VRF ID.

View TLV Information for Layer 2 VSN IP Multicast over Fabric Connect

Use the following commands to check TLV information.

For Layer 2 VSN with IP multicast over Fabric Connect, TLV 185 on the BEB where the source is located
displays the multicast source and group addresses and has the Tx bit set. Each multicast group has
its own unique data I-SID with a value between 16,000,000 and 16,512,000. TLV 144 on the BEB bridge
where the sender is located has the Tx bit set. All BEB bridges where a receiver exists have the Rx bit
set.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display IS-IS Link State Database information by Type-Length-Value (TLV):
show isis lsdb tlv <1–236> [sub-tlv <1–3>] [detail] [home|remote]
3. Display IS-IS Link State Database information by Link State Protocol ID:
show isis lsdb lspid <xxxx.xxxx.xxxx.xx-xx> tlv <1–236> [sub-tlv <1–3>] [detail] [home|remote]

Example
Switch:1# show isis lsdb tlv 185 detail
================================================================================
ISIS LSDB (DETAIL)
================================================================================
--------------------------------------------------------------------------------
Level-1LspID: 000c.f803.83df.00-00 SeqNum: 0x000001ae Lifetime: 898
Chksum: 0xcebe PDU Length: 522
Host_name: Switch
Attributes: IS-Type 1
TLV:185 SPBM IPVPN :
VSN ISID:5010
BVID :10
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.1
Data ISID : 16300001
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.3
Data ISID : 16300003
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.5
Data ISID : 16300005
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.7
Data ISID : 16300007
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.9
Data ISID : 16300009
TX : 1
VSN ISID:5010
BVID :20
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.2
Data ISID : 16300002
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.4
Data ISID : 16300004
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.6
Data ISID : 16300006
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.8
Data ISID : 16300008
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.10
Data ISID : 16300010
TX : 1

Switch:1# show isis lsdb lspid 000c.f803.83df.00-05 tlv 144 detail


================================================================================
ISIS LSDB (DETAIL)
================================================================================
--------------------------------------------------------------------------------
Level-1 LspID: 000c.f803.83df.00-00 SeqNum: 0x00000477 Lifetime: 903
Chksum: 0x200b PDU Length: 522
Host_name: Switch
Attributes: IS-Type 1
Instance: 0
Metric: 0
B-MAC: 03-00-00-00-00-00
BVID:10
Number of ISID's:5
16000001(Tx),16000003(Tx),16000005(Tx),16000007 (Tx),16000009(Tx)
Instance: 0
Metric: 0
B-MAC: 03-00-00-00-00-00
BVID:20
Number of ISID's:5
16000002(Tx),16000004(Tx),16000006(Tx),16000008(Tx),16000010(Tx)

Variable Definitions

The following table defines parameters for the show isis lsdb command.

Variable Value
detail Displays detailed information about the IS-IS Link State
database.
home Displays the IS-IS LSDB information that the system configures
in the home area.
level {l1, l2, l12} Displays information on the IS-IS level. The IEEE 802.1aq
standard currently only defines the use of one hierarchy, Level
1. Level 2 and combined Level 1 and 2 (l12) function is disabled.
local Displays information on the local LSDB.
lspid<xxxx.xxxx.xxxx.xx-xx> Specifies information about the IS-IS Link State database by
LSP ID.
remote Displays the IS-IS LSDB information that the system configures
in the remote area.

sub-tlv <1–3> Specifies information about the IS-IS Link State database by
sub-TLV.
sysid <xxxx.xxxx.xxxx> Specifies information about the IS-IS Link State database by
System ID.
tlv <1–236> Specifies information about the IS-IS Link State database by
TLV.
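
The TLV description at the start of this task (Tx bit set on the source BEB, one data I-SID per group, values between 16,000,000 and 16,512,000) can be checked mechanically over captured output. The following Python parser is an added example, not part of the VOSS guide or Extreme Networks code; the sample text is constructed in the layout of the outputs above, and requiring each TLV 185 data I-SID to appear with Tx in TLV 144 on the same BVID is an assumption drawn from that description.

```python
import re
from collections import Counter

# Data I-SID range stated in the text above.
DATA_ISID_MIN, DATA_ISID_MAX = 16_000_000, 16_512_000

# Constructed samples in the layout of the two "detail" outputs on this page.
# Three entries are deliberately wrong: a reused I-SID, a cleared Tx bit and an
# out-of-range I-SID that TLV 144 does not advertise.
TLV185_SAMPLE = """\
TLV:185 SPBM IPVPN :
VSN ISID:5010
BVID :10
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.1
Data ISID : 16300001
TX : 1
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.3
Data ISID : 16300001
TX : 1
VSN ISID:5010
BVID :20
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.2
Data ISID : 16300002
TX : 0
Metric:0
IP Source Address: 192.0.2.1
Group Address : 233.252.0.4
Data ISID : 16600004
TX : 1
"""
TLV144_SAMPLE = """\
B-MAC: 03-00-00-00-00-00
BVID:10
Number of ISID's:1
16300001(Tx)
B-MAC: 03-00-00-00-00-00
BVID:20
Number of ISID's:1
16300002 (Tx)
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)$")

def parse_tlv185(text):
    """Return one dict per sender entry in 'show isis lsdb tlv 185 detail' output."""
    entries, vsn, bvid, cur = [], None, None, None
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue                      # banners, LSP header lines, blank lines
        key, val = m.groups()
        if key == "VSN ISID":
            vsn = int(val)
        elif key == "BVID":
            bvid = int(val)
        elif key == "Metric":             # each sender entry starts with Metric
            cur = {"vsn_isid": vsn, "bvid": bvid}
        elif cur is not None:
            if key == "IP Source Address":
                cur["source"] = val
            elif key == "Group Address":
                cur["group"] = val
            elif key == "Data ISID":
                cur["data_isid"] = int(val)
            elif key == "TX":             # TX closes the entry
                cur["tx"] = val == "1"
                if {"source", "group", "data_isid"} <= cur.keys():
                    entries.append(cur)   # truncated entries are dropped
                cur = None
    return entries

def parse_tlv144(text):
    """Return {(bvid, isid): flags} from 'show isis lsdb ... tlv 144 detail' output."""
    adverts, bvid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^BVID\s*:\s*(\d+)$", line)
        if m:
            bvid = int(m.group(1))
            continue
        for isid, flags in re.findall(r"(\d+)\s*\(([^)]*)\)", line):
            adverts[(bvid, int(isid))] = flags
    return adverts

def audit(entries, tlv144):
    """Return (group, data_isid, code) findings for the sender BEB's LSP."""
    reuse = Counter(e["data_isid"] for e in entries)
    findings = []
    for e in entries:
        isid, codes = e["data_isid"], []
        if not DATA_ISID_MIN <= isid <= DATA_ISID_MAX:
            codes.append("ISID_OUT_OF_RANGE")
        if reuse[isid] > 1:               # each group has its own data I-SID
            codes.append("ISID_REUSED")
        if not e["tx"]:
            codes.append("TX_NOT_SET")
        # Assumption: the sender BEB lists the same I-SID with Tx in TLV 144.
        if "Tx" not in tlv144.get((e["bvid"], isid), ""):
            codes.append("NO_TX_IN_TLV144")
        findings += [(e["group"], isid, c) for c in codes]
    return findings

if __name__ == "__main__":
    for finding in audit(parse_tlv185(TLV185_SAMPLE), parse_tlv144(TLV144_SAMPLE)):
        print(finding)
```
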

Layer 2 VSN Configuration using EDM

Viewing the IGMP interface table

Use the Interface tab to view the IGMP interface table. When an interface does not use an IP address,
the system does not display it in the IGMP table.

Procedure

1. In the navigation pane, expand Configuration > IP.
2. Click IGMP.
3. Click the Interface tab.

Interface Field Descriptions

Use the data in the following table to use the Interface tab.

Name Description
IfIndex Shows the interface where IGMP is enabled.
QueryInterval Configures the frequency (in seconds) at which the interface
transmits IGMP host query packets. The default is 125.
Status Shows the IGMP row status. If an interface uses an IP address
and PIM-SM is enabled, the status is active. Otherwise, it is
notInService.
Version Configures the version of IGMP (1, 2, or 3) that you want to
configure on this interface. For IGMP to function correctly, all
routers on a LAN must use the same version. The default is
version 2.
OperVersion Shows the version of IGMP that currently runs on this interface.
Querier Shows the address of the IGMP querier on the IP subnet to which
this interface attaches.
QueryMaxResponseTime Configures the maximum response time (in tenths of a second)
advertised in IGMPv2 general queries on this interface. You cannot
configure this value for IGMPv1.
Smaller values allow a router to prune groups faster. The default is
100 tenths of a second (equal to 10 seconds.)

Important:
You must configure this value lower than the QueryInterval.

WrongVersionQueries Shows the number of queries received with an IGMP version that
does not match the interface. You must configure all routers on
a LAN to run the same version of IGMP. If the interface receives
queries with the wrong version, this value indicates a version
mismatch.
Joins Shows the number of times this interface added a group
membership, which is the same as the number of times an entry
for this interface is added to the cache table. This number gives an
indication of the amount of IGMP activity over time.
Robustness Tunes for the expected packet loss of a network. This value is
equal to the number of expected query packet losses for each
serial query interval, plus 1. If you expect a network to lose query
packets, increase the robustness value.
The default value of 2 means that the switch drops one query for
each query interval without the querier aging out.
LastMembQueryIntvl Configures the maximum response time (in tenths of a second)
inserted into group-specific queries sent in response to leave
group messages. This value is also the time between group-
specific query messages. You cannot configure this value for
IGMPv1.
Decrease the value to reduce the time to detect the loss of the
last member of a group. The range is from 0–255 and the default
is 10 tenths of a second. As a best practice, configure this parameter
to values greater than 3. If you do not need a fast leave process,
you can configure values greater than 10. (The value 3 is equal to
0.3 seconds and 10 is equal to 1 second.)
OtherQuerierPresent Timeout Shows the length of time that must pass before a multicast router
determines that no other querier exists. If the local router is the
querier, the value is 0.
FlushAction Configures the flush action to one of the following:
• none
• flushGrpMem
• flushMrouter
• flushSender

RouterAlertEnable Instructs the router to ignore IGMP packets that do not contain
the router alert IP option. If you disable this variable (default
configuration), the router processes IGMP packets regardless of
the status of the router alert IP option.

Important:
To maximize network performance, configure this parameter
according to the version of IGMP currently in use.
• IGMPv1—Disable
• IGMPv2—Enable
• IGMPv3—Enable

SsmSnoopEnable Enables SSM snoop.


SnoopQuerierEnable Enables IGMP Layer 2 Querier.

SnoopQuerierAddr Specifies the pseudo address of the IGMP snoop querier.
ExplicitHostTrackingEnable Enables or disables IGMPv3 to track hosts for each channel or
group. The default is disabled. You must select this field if you
want to use fast leave for IGMPv3.
McastMode Indicates the protocol configured on the VLAN.
• snoop — Indicates IGMP snooping is enabled on a VLAN.
• snoop-spb — Indicates IGMP is enabled on a VLAN with an
associated I-SID (IP multicast over Fabric Connect for a Layer 2
VSN).
• pim — Indicates PIM is enabled.
• routed-spb — Indicates IP multicast over Fabric Connect is
enabled on the Layer 3 VSN or for IP Shortcuts.

ExtnUpnpFilterEnable Enables Universal Plug and Play (uPnP) Filtering to filter multicast
packets destined for a specific range.
The default is disabled.
ExtnUpnpFilterAddress Indicates the multicast destination IP address to filter on an IGMP-
enabled interface.
The default is 239.255.255.250/32.
ExtnUpnpFilterAddressMask Indicates the IGMP uPnP Filtering IP subnet to which this interface
is attached.
SnoopOrigin Specifies the origin of IGMP Snooping configuration on the port.
The supported values are:
• config - Set by the user.
• radius - Set by the Remote Authentication Dial-In User Service
(RADIUS) attribute.

Configure IP Multicast over Fabric Connect on a Layer 2 VSN

Use this procedure to enable IP Multicast over Fabric Connect for a Layer 2 VSN. With Layer 2 VSN IP
Multicast over Fabric Connect, multicast traffic remains in the same Layer 2 VSN across the SPBM cloud.

No explicit configuration exists for a Layer 2 VSN. After you configure IP IGMP snooping on a VLAN that
has an I-SID configured, the device enables that VLAN for IP Multicast over Fabric Connect services.

Before You Begin


• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect globally.

About This Task

SPBM supports enabling IGMP snooping on a C-VLAN, but it does not support enabling PIM on a
C-VLAN. If you enable IGMP snooping on a C-VLAN, then its operating mode is Layer 2 VSN with IGMP
support on the access networks for optimized forwarding of IP multicast traffic in a bridged network.

This switch only supports IPv4 multicast traffic.

Procedure

1. In the navigation pane, expand Configuration > VLAN.
2. Select VLANs.
3. Select the Basic tab.
4. Select a VLAN.
5. Select IP.
6. Select the IGMP tab.
7. Select the SnoopEnable check box.
8. (Optional) Select the SsmSnoopEnable check box, if you use IGMP version 3.
9. (Optional) Select the ProxySnoopEnable check box.
10. (Optional) If you want to enable IGMP version 3, select version3 in the Version check box.
You must enable SSM snoop before you configure IGMP version 3 and both ssm-snoop and
snooping must be enabled for IGMPv3.
11. If you want to enable IGMP version 2, select version2 in the Version check box.
For IGMP Snooping, ensure that the IGMP version used by multicast hosts and other devices in the
network is the same as the IGMP version configured on the IGMP Snooping VLAN, or that you enable
compatibility mode.
12. (Optional) If you want to enable snoop querier, select SnoopQuerierEnable.
13. (Optional) If you want to configure an address for IGMP queries, enter the IP address in
SnoopQuerierAddr.

Note
This step is not always required. The IGMP Querier on the BEB uses a source address
0.0.0.0 by default. When you do not configure this, a BEB sends IGMP queries on the UNI
ports with 0.0.0.0 as the source IP address. Some Layer 2 edge switches do not support
a 0.0.0.0 querier. You can use a fictitious IP address as the querier address, and use the
same address on all BEBs in the network.

14. Select Apply.

Layer 2 VSN with IP Multicast over Fabric Connect configuration example


The example below shows the configuration steps to enable IP Multicast over Fabric Connect support
on C-VLAN 1001 that is part of a Layer 2 VSN, including the querier address.

enable
configure terminal

ISIS SPBM CONFIGURATION

router isis
spbm 1 multicast enable

VLAN CONFIGURATION

interface vlan 9
ip igmp snooping
ip igmp snoop-querier-addr 192.0.2.201
exit


When using IGMPv3, the configuration is:


enable
configure terminal

ISIS SPBM CONFIGURATION

router isis
spbm 1 multicast enable

VLAN CONFIGURATION

interface vlan 19
ip igmp snooping
ip igmp version 3
ip igmp ssm-snoop
ip igmp snoop-querier-addr 192.0.2.201
exit

Note
You must enable SSM snoop before you configure IGMP version to version 3, and you must
enable both ssm-snoop and snooping for IGMPv3.

Note
You must configure basic SPBM and IS-IS infrastructure.

IP Shortcuts Configuration
This section provides fundamental concepts for IP Shortcuts configuration. For more information on IP
Shortcuts basic configuration, see IP Shortcuts Configuration on page 1341.

IP Multicast over Fabric Connect within the GRT


IP Multicast over Fabric Connect within the GRT enables you to exchange IP multicast traffic with all or
a subset of VLANs that are in the Global Routing Table (GRT). This restriction is called the scope level,
which IP Multicast over Fabric Connect uses to constrain the multicast streams within the level in which
they originate. For example, if a sender transmits a multicast stream to a BEB on a VLAN that is part of
the GRT with IP Multicast over Fabric Connect enabled, only receivers that are part of the same GRT can
receive that stream.

Applications that can use IP Multicast over Fabric Connect within the GRT include: Video surveillance,
TV/Video/Ticker/Image distribution, VX-LAN.

Both IP Shortcuts and IP Multicast over Fabric Connect within the GRT use the GRT for the scope level
to constrain multicast streams. However, they are separate features that work independently from each
other.

Important
You do not have to enable IP Shortcuts to support IP Multicast over Fabric Connect within the
GRT.

With IP Multicast over Fabric Connect within the GRT, routing of IP multicast traffic is allowed within
the subset of VLANs in the GRT that have IP Multicast over Fabric Connect enabled. When you
enable IP Multicast over Fabric Connect on a VLAN, the VLAN automatically becomes a multicast
routing interface.

You must enable ip spb-multicast on each of the VLANs within the GRT that need to support IP
multicast traffic. Enable IP Multicast over Fabric Connect on all VLANs to which IP multicast senders and
receivers attach. IP Multicast over Fabric Connect is typically configured only on BEBs.

Note
If no IP interface exists on the VLAN, then you create one. (The IP interface must be in the
same subnet as the IGMP hosts that connect to the VLAN).

I-SIDs

Unlike IP Shortcuts with unicast, a data I-SID (for mac-in-mac encapsulation of the multicast traffic) is
required for IP Multicast over Fabric Connect within the GRT. When the multicast stream reaches the
BEB, the BEB assigns a data I-SID to the stream. The data I-SID uses Tx/Rx bits to signify whether the
BEB uses the I-SID to transmit, receive, or both transmit and receive data on that I-SID.

Unlike Layer 2 VSNs and Layer 3 VSNs, IP Multicast over Fabric Connect within the GRT does not have
a scope I-SID to determine the scope of the multicast traffic. Instead the scope is the Global Routing
Table.

TLVs

The scope and data I-SID information is propagated through the SPBM cloud using IS-IS Link State
Packets (LSPs), which carry TLV updates, and result in the multicast tree creation for that stream. For
IP Multicast over Fabric Connect within the GRT, the LSPs carry I-SID information and information about
where IP multicast stream senders and receivers exist using TLV 144 and TLV 186.

IGMP

After you configure ip spb-multicast enable, you cannot enable IGMP, IGMP Snooping, or IGMP
proxy on the interface. If you try to enable IGMP Snooping or proxy on any interface where IP Multicast
over Fabric Connect is enabled, the system displays an error message.

After you configure ip spb-multicast enable on each of the VLANs within the GRT that need to
support IP multicast traffic, any IGMP functions required for IP Multicast over Fabric Connect within the
GRT are automatically enabled. You do not need to configure anything IGMP related.

DvR

When you enable ip spb-multicast on the Controller nodes, the configuration is automatically
pushed to all the Leaf nodes within the domain.

For more information on DvR, see Distributed Virtual Routing on page 688.


IP Shortcuts Configuration using the CLI

Configure IP Multicast over Fabric Connect within the GRT

Use this procedure to configure IP Multicast over Fabric Connect within the GRT. The default is disabled.
Note
• You do not have to enable IP Shortcuts to support IP multicast routing in the GRT using SPBM.
• You cannot enable IP PIM when IP Multicast over Fabric Connect is enabled on the VLAN.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect globally.
• If no IP interface exists on the VLAN, then you create one. (The IP interface must be in the same subnet
as the IGMP hosts that connect to the VLAN).

About This Task

With IP Multicast over Fabric Connect within the GRT, routing of IP multicast traffic is allowed within
the subset of VLANs in the GRT that have IP Multicast over Fabric Connect enabled. When you
enable IP Multicast over Fabric Connect on a VLAN, the VLAN automatically becomes a multicast
routing interface.

You must configure ip spb-multicast enable on each of the VLANs within the GRT that need to
support IP multicast traffic. The default is disabled. After you enable IP Multicast over Fabric Connect on
each of the VLANs within the GRT that need to support IP multicast traffic, any IGMP functions required
for IP Multicast over Fabric Connect within the GRT are automatically enabled. You do not need to
configure anything IGMP related.

If you only want to use IP Multicast over Fabric Connect, you do not need to enable the Layer 3 VSN or
redistribute unicast routes into or out of IS-IS. IP Multicast over Fabric Connect routing does not depend
on unicast routing, which allows for you to more easily migrate from a PIM environment to IP Multicast
over Fabric Connect. You can migrate a PIM environment to IP Multicast over Fabric Connect first and
then migrate unicast separately or not at all.

The switch only supports IPv4 addresses with IP Multicast over Fabric Connect.


Procedure
1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

2. Create an IP interface on the VLAN:
ip address <A.B.C.D/X>
3. Enable IP Multicast over Fabric Connect:
ip spb-multicast enable

Note
After you configure ip spb-multicast enable, you cannot enable IGMP, IGMP
Snooping, or IGMP proxy on the interface. If you try to enable IGMP Snooping or proxy
on any interface where IP Multicast over Fabric Connect is enabled, an error message
displays.

Note
When you configure ip spb-multicast enable on the Controller node of a DvR
domain, the configuration is automatically pushed to the Leaf nodes within the domain.

4. (Optional) Disable IP Multicast over Fabric Connect:
no ip spb-multicast enable
default ip spb-multicast enable
5. Ensure IP Multicast over Fabric Connect within the GRT is configured properly:
show ip igmp interface

If routed-spb displays under mode, IP Multicast over Fabric Connect within the GRT is properly
enabled on the VLAN.

Example

Enable IP Multicast over Fabric Connect within the GRT:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 500
Switch:1(config-if)#ip address 192.0.2.1 255.255.255.0
Switch:1(config-if)#ip spb-multicast enable
Switch:1#show ip igmp interface

=========================================================================================
Igmp Interface - GlobalRouter
=========================================================================================
QUERY OPER QUERY WRONG LASTMEM
IF INTVL STATUS VERS. VERS QUERIER MAXRSPT QUERY JOINS ROBUST QUERY MODE L2ISID
-----------------------------------------------------------------------------------------
V500 125 active 2 2 0.0.0.0 100 0 0 2 10 routed-spb
V2000 125 inact 2 2 0.0.0.0 100 0 0 2 10

1 out of 1 entries displayed


Variable Definitions

The following table defines parameters for the interface vlan command.

Variable Value
<1-4059> Specifies the VLAN ID.

The following table defines parameters for the interface GigabitEthernet command.

Variable Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

The following table defines parameters for the ip address command.

Variable Value
<A.B.C.D/X> Specifies the address and mask.
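
The rules stated in this section (IGMPv3 needs both snooping and ssm-snoop, one snoop querier address on all BEBs, and no IGMP Snooping, IGMP proxy or PIM on an interface with ip spb-multicast enable) can be checked offline against saved configurations. The following Python check is an added example, not Extreme Networks code; the configuration text is constructed, the `ip igmp proxy` and `ip pim` command prefixes are assumptions for the features the text names, and the querier comparison assumes the same C-VLAN ID on every BEB.

```python
import re

def parse_config(text):
    """Return (spbm_multicast_enabled, {vlan_id: [interface commands]})."""
    vlans, mcast, ctx = {}, False, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        m = re.fullmatch(r"interface vlan (\d+)", line, re.I)
        if m:
            ctx = vlans.setdefault(int(m.group(1)), [])
        elif line.lower() == "router isis":
            ctx = "isis"
        elif line.lower() == "exit":
            ctx = None
        elif ctx == "isis":
            mcast = mcast or bool(re.fullmatch(r"spbm \d+ multicast enable", line))
        elif isinstance(ctx, list) and line:
            ctx.append(line)
    return mcast, vlans

def lint_beb(name, text):
    """Check one BEB's configuration against the rules stated on this page."""
    mcast, vlans = parse_config(text)
    findings = []
    for vid, cmds in sorted(vlans.items()):
        def has(prefix):
            # Match whole command words so "snooping" never matches "snoop-querier-addr".
            return any(c == prefix or c.startswith(prefix + " ") for c in cmds)
        if has("ip igmp version 3") and not (has("ip igmp snooping") and has("ip igmp ssm-snoop")):
            findings.append((name, vid, "IGMPV3_WITHOUT_SNOOPING_AND_SSM_SNOOP"))
        if has("ip spb-multicast enable"):
            # Assumption: "ip igmp proxy" and "ip pim" are the command prefixes
            # for the IGMP proxy and PIM features the text names.
            for bad in ("ip igmp snooping", "ip igmp proxy", "ip pim"):
                if has(bad):
                    findings.append((name, vid, "NOT_ALLOWED_WITH_SPB_MULTICAST: " + bad))
            if not has("ip address"):
                findings.append((name, vid, "SPB_MULTICAST_WITHOUT_IP_INTERFACE"))
            if not mcast:
                findings.append((name, vid, "SPBM_MULTICAST_NOT_ENABLED_GLOBALLY"))
    return findings

def querier_mismatches(configs):
    """configs: {beb_name: config_text}. Return VLANs whose querier address differs."""
    seen = {}
    for name, text in configs.items():
        for vid, cmds in parse_config(text)[1].items():
            for c in cmds:
                m = re.fullmatch(r"ip igmp snoop-querier-addr (\S+)", c)
                if m:
                    seen.setdefault(vid, {})[name] = m.group(1)
    return {v: a for v, a in seen.items() if len(set(a.values())) > 1}

# Constructed configurations: BEB-A follows the page, BEB-B breaks four rules.
BEB_A = """\
router isis
spbm 1 multicast enable
exit
interface vlan 19
ip igmp snooping
ip igmp version 3
ip igmp ssm-snoop
ip igmp snoop-querier-addr 192.0.2.201
exit
interface vlan 500
ip address 198.51.100.1 255.255.255.0
ip spb-multicast enable
exit
"""
BEB_B = """\
interface vlan 19
ip igmp snooping
ip igmp version 3
ip igmp snoop-querier-addr 192.0.2.202
exit
interface vlan 500
ip spb-multicast enable
ip igmp snooping
exit
"""

if __name__ == "__main__":
    for finding in lint_beb("BEB-A", BEB_A) + lint_beb("BEB-B", BEB_B):
        print(finding)
    print(querier_mismatches({"BEB-A": BEB_A, "BEB-B": BEB_B}))
```
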

Configuring the VRF timeout value

Use this procedure to configure the VRF timeout value. The timeout value ages out the sender when
there is no multicast stream on the VRF. The default is 210 seconds.

Note
You can use this procedure for Layer 3 VSN with IP Multicast over Fabric Connect services and
IP Multicast over Fabric Connect for IP Shortcuts.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect globally.


Procedure

1. Enter VRF Router Configuration mode for a specific VRF context:
enable
configure terminal
router vrf WORD<1-16>
2. Configure the timeout value on the VRF:
mvpn fwd-cache-timeout(seconds) <10–86400>
3. (Optional) Configure the timeout value to the default value of 210 seconds:
no mvpn fwd-cache-timeout
default mvpn fwd-cache-timeout(seconds)

Example

Configure the timeout value on the VRF to 500 seconds:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router vrf green
Switch:1(router-vrf)#mvpn fwd-cache-timeout(seconds) 500

Variable definitions

The following table defines parameters for the router vrf command.

Variable Value
WORD<1–16> Specifies the VRF name.

The following table defines parameters for the mvpn fwd-cache-timeout(seconds) command.

Variable Value
<10–86400> Specifies the timeout value. The default is 210 seconds.

Configuring the Global Routing Table timeout value

Use this procedure to configure the timeout value in the GRT. The timeout value ages out the sender
when there are no multicast streams coming from the sender for a specified period of time in seconds.
The default timeout value is 210 seconds.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect globally.


Procedure

1. Enter IS-IS Router Configuration mode:
enable
configure terminal
router isis
2. Configure the IP Multicast over Fabric Connect forward-cache timeout:
spbm <1–100> multicast fwd-cache-timeout(seconds) <10–86400>
3. (Optional) Configure the IP Multicast over Fabric Connect forward-cache timeout to the default
value of 210 seconds:
default spbm <1–100> multicast fwd-cache-timeout(seconds)
no spbm <1–100> multicast fwd-cache-timeout(seconds)

Example

Configure the IP Multicast over Fabric Connect forward-cache timeout to 300:


Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router isis
Switch:1(config-isis)#spbm 1 multicast 1 fwd-cache-timeout 300

Variable definitions

The following table defines parameters for the spbm command.

Variable Value
<1–100> Specifies the SPBM instance. The switch only supports one instance.
<10–86400> Specifies the IP Multicast over Fabric Connect forward-cache timeout in seconds. The
default is 210 seconds.

Viewing IP Multicast over Fabric Connect within the GRT information

Use the following options to display IP Multicast over Fabric Connect within the GRT information to
confirm proper configuration.

Procedure

1. To enter User EXEC mode, log on to the switch.
2. Display all IP Multicast over Fabric Connect route information:
show isis spbm ip-multicast-route [all]
3. Display detailed IP Multicast over Fabric Connect route information:
show isis spbm ip-multicast-route [detail]
4. Display the IP Multicast over Fabric Connect multicast group and source address information:
show isis spbm ip-multicast-route [group {A.B.C.D}] [source {A.B.C.D}] [source-beb WORD<0–255>]


5. Display summary information for each S, G, V tuple with the corresponding scope, data I-SID, and
the host name of the source:
show isis spb-mcast-summary [count][host-name WORD<0–255>][lspid <xxxx.xxxx.xxxx.xx-xx>]

Example

Display IP Multicast over Fabric Connect within the GRT information:


Switch:1#show isis spbm ip-multicast-route all
==========================================================================
SPBM IP-multicast ROUTE INFO ALL
==========================================================================
Type VrfName Vlan Source Group VSN-ISID Data ISID BVLAN Source-BEB

Id
--------------------------------------------------------------------------
routed GRT 501 192.0.2.1 233.252.0.1 5010 16300001 10 el2
routed GRT 501 192.0.2.1 233.252.0.2 5010 16300002 20 el2
routed GRT 501 192.0.2.1 233.252.0.3 5010 16300003 10 el2
routed GRT 501 192.0.2.1 233.252.0.4 5010 16300004 20 el2
routed GRT 501 192.0.2.1 233.252.0.5 5010 16300005 10 el2
routed GRT 501 192.0.2.1 233.252.0.6 5010 16300006 20 el2
routed GRT 501 192.0.2.1 233.252.0.7 5010 16300007 10 el2
routed GRT 501 192.0.2.1 233.252.0.8 5010 16300008 20 el2
routed GRT 501 192.0.2.1 233.252.0.9 5010 16300009 10 el2
routed GRT 501 192.0.2.1 233.252.0.10 5010 16300010 20 el2

--------------------------------------------------------------------------
Total Number of SPBM IP multicast ROUTE Entries: 10
--------------------------------------------------------------------------

Switch:1#show isis spbm ip-multicast-route detail


==========================================================================
SPBM IP-MULTICAST ROUTE INFO
==========================================================================
Source Group Data ISID BVLAN NNI Rcvrs UNI Rcvrs Source-BEB
--------------------------------------------------------------------------
192.0.2.10 233.252.0.1 16300001 10 1/3 V604:9/38 el2
192.0.2.10 233.252.0.2 16300002 20 1/2,1/3 V604:9/38 el2
192.0.2.10 233.252.0.3 16300003 10 1/3 V604:9/38 el2
192.0.2.10 233.252.0.4 16300004 20 1/2,1/3 V604:9/38 el2
192.0.2.10 233.252.0.5 16300005 10 1/3 V604:9/38 el2
192.0.2.10 233.252.0.6 16300006 20 1/2,1/3 V604:9/38 el2
192.0.2.10 233.252.0.7 16300007 10 1/3 V604:9/38 el2
192.0.2.10 233.252.0.8 16300008 20 1/2,1/3 V604:9/38 el2
192.0.2.10 233.252.0.9 16300009 10 1/3 V604:9/38 el2
192.0.2.10 233.252.0.10 16300010 20 1/2,1/3 V604:9/38 el2
--------------------------------------------------------------------------
Total Number of SPBM IP MULTICAST ROUTE Entries: 10
--------------------------------------------------------------------------

Switch:1# show isis spb-mcast-summary

=====================================================================
SPB multicast - Summary
=====================================================================
SCOPE SOURCE GROUP DATA LSP HOST
I-SID ADDRESS ADDRESS I-SID BVID FRAG NAME
---------------------------------------------------------------------
GRT 192.0.2.1 233.252.0.1 16300001 10 0x0 el2
GRT 192.0.2.1 233.252.0.3 16300003 10 0x0 el2
GRT 192.0.2.1 233.252.0.5 16300005 10 0x0 el2
GRT 192.0.2.1 233.252.0.7 16300007 10 0x0 el2
GRT 192.0.2.1 233.252.0.9 16300009 10 0x0 el2
GRT 192.0.2.1 233.252.0.2 16300002 20 0x0 el2
GRT 192.0.2.1 233.252.0.4 16300004 20 0x0 el2
GRT 192.0.2.1 233.252.0.6 16300006 20 0x0 el2
GRT 192.0.2.1 233.252.0.8 16300008 20 0x0 el2
GRT 192.0.2.1 233.252.0.10 16300010 20 0x0 el2

Variable definitions

The following table defines parameters for the show isis spbm ip-multicast-route
command.

Variable                  Value
all                       Displays all IP Multicast over Fabric Connect route information.
detail                    Displays detailed IP Multicast over Fabric Connect route information.
group {A.B.C.D}           Displays information on the group IP address for the IP Multicast over
source {A.B.C.D}          Fabric Connect route. If you select source it will also display the
[source-beb WORD<0–255>]  source IP address. Specifies the source BEB name.
vlan                      Displays IP Multicast over Fabric Connect route information by VLAN.
vrf                       Displays IP Multicast over Fabric Connect route information by VRF.
vsn-isid                  Displays IP Multicast over Fabric Connect route information by I-SID.

The following table defines parameters for the show isis spb-mcast-summary command.

Variable                Value
count                   Displays the total number of SPB multicast entries.
host-name               Displays the IP Multicast over Fabric Connect summary for a given
                        host-name.
lspid                   Displays the IP Multicast over Fabric Connect summary for a given
<xxxx.xxxx.xxxx.xx-xx>  LSP ID.

View IGMP Information for IP Multicast over Fabric Connect within the GRT

Use the following commands to display IGMP information.

Procedure

1. Enter Privileged EXEC mode:


enable
2. Display information about the interfaces where IGMP is enabled:
show ip igmp interface [gigabitethernet {slot/port[/sub-port][-slot/
port[/sub-port]][,...]}][vlan <1-4059>][vrf WORD<1–16>][vrfids WORD<0–
512>]

Ensure that the output displays routed-spb under MODE.


3. Display information about the IGMP cache:


show ip igmp cache [vrf WORD<1–16>][vrfids WORD<0–512>]
4. Display information about the IGMP group:
show ip igmp group [count][group {A.B.C.D}][member-subnet default|
{A.B.C.D/X}][vrf WORD<1–16>][vrfids WORD<0–512>]
5. Display information about the IGMP sender:
show ip igmp sender [count][group {A.B.C.D}][member-subnet default|
{A.B.C.D/X}][vrf WORD<1–16>][vrfids WORD<0–512>]

Example

Display IGMP information for IP multicast over Fabric Connect within the GRT:
Switch:1#show ip igmp interface

=========================================================================================
Igmp Interface - GlobalRouter
=========================================================================================
QUERY OPER QUERY WRONG LASTMEM
IF INTVL STATUS VERS. VERS QUERIER MAXRSPT QUERY JOINS ROBUST QUERY MODE L2ISID
-----------------------------------------------------------------------------------------
V100 125 activ 2 2 0.0.0.0 100 0 0 2 10 snoop-spb 1100

1 out of 1 entries displayed


Switch:1#show ip igmp interface vlan 2
========================================================================================
Vlan Ip Igmp
========================================================================================
VLAN QUERY QUERY ROBUST VERSION LAST PROXY SNOOP SNOOP SSM UPnP FAST FAST
ID INTVL MAX MEMB SNOOP ENABLE ORIGIN SNOOP FILTER LEAVE LEAVE
RESP QUERY ENABLE ENABLE ENABLE ENABLE PORTS
----------------------------------------------------------------------------------------
2 125 100 2 2 10 false false RADIUS false false
false

VLAN SNOOP SNOOP DYNAMIC COMPATIBILITY EXPLICIT UPnP
ID QUERIER QUERIER DOWNGRADE MODE HOSTS FILTER
ENABLE ADDRESS VERSION TRACKING ADDRESS
----------------------------------------------------------------------------------------
2 false 0.0.0.0 enable disable disable 239.255.255.250/32
Switch:1#show ip igmp sender
=============================================================================
Igmp Sender - GlobalRouter
=============================================================================
PORT/
GRPADDR IFINDEX MEMBER MLT STATE L2ISID
-----------------------------------------------------------------------------
233.252.0.1 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.2 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.3 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.4 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.5 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.6 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.7 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.8 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.9 Vlan 501 192.2.0.1 spb NOTFILTERED
233.252.0.10 Vlan 501 192.2.0.1 spb NOTFILTERED


10 out of 10 entries displayed


Switch:1#show ip igmp group

================================================================================
Igmp Group - GlobalRouter
================================================================================
GRPADDR INPORT MEMBER EXPIRATION TYPE L2ISID
--------------------------------------------------------------------------------
224.5.2.1 V701-1/4 62.0.1.1 214 Dynamic 40400
224.5.2.2 V702-1/4 62.0.2.1 221 Dynamic 40400
224.5.2.3 V703-1/4 62.0.3.1 217 Dynamic 40400
224.5.2.4 V704-1/4 62.0.4.1 223 Dynamic 40400

4 out of 4 group Receivers displayed

Total number of unique groups 2

Variable definitions

The following table defines parameters for the show ip igmp interface command.

Variable                  Value
gigabitethernet           Identifies the slot and port in one of the following formats: a single
{slot/port[/sub-port]     slot and port (slot/port), a range of slots and ports
[-slot/port[/sub-port]]   (slot/port-slot/port), or a series of slots and ports
[,...]}                   (slot/port,slot/port,slot/port). If the platform supports
                          channelization and the port is channelized, you must also specify
                          the sub-port in the format slot/port/sub-port.
vlan <1-4059>             Specifies the VLAN.
vrf WORD<1–16>            Specifies the VRF by name.
vrfids WORD<0–512>        Specifies the VRF by VRF ID.

The following table defines parameters for the show ip igmp cache command.

Variable Value
vrf WORD<1–16> Specifies the VRF by name.
vrfids WORD<0–512> Specifies the VRF by VRF ID.

The following table defines parameters for the show ip igmp group command.

Variable Value
count Specifies the number of entries.
group {A.B.C.D} Specifies the group address.
member-subnet {A.B.C.D/X} Specifies the IP address and network mask.
vrf WORD<1–16> Displays the multicast route configuration for a particular VRF by
name.
vrfids WORD<0–512> Displays the multicast route configuration for a particular VRF by
VRF ID.


The following table defines parameters for the show ip igmp sender command.

Variable Value
count Specifies the number of entries.
group {A.B.C.D} Specifies the group address.
member-subnet {A.B.C.D/X} Specifies the IP address and network mask.
vrf WORD<1–16> Displays the multicast route configuration for a particular VRF by
name.
vrfids WORD<0–512> Displays the multicast route configuration for a particular VRF by
VRF ID.

View TLV Information for IP Multicast over Fabric Connect within the GRT

Use the following commands to check TLV information.

For IP Multicast over Fabric Connect within the GRT, TLV 186 on the BEB where the source is located
displays the multicast source and group addresses and has the Tx bit set. Each multicast group has
its own unique data I-SID with a value between 16,000,000 and 16,512,000. TLV 144 has the Tx bit set
on the BEB where the sender is located, and has the Rx bit set on every BEB where a receiver exists.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display IS-IS Link State Database information by TLV:
show isis lsdb tlv <1–236> [sub-tlv <1–3>][detail] [home|remote]
3. Display IS-IS Link State Database information by Link State Protocol ID:
show isis lsdb lspid <xxxx.xxxx.xxxx.xx-xx> tlv <1–236> [sub-tlv <1–
3>] [detail] [home|remote]

Example

Display TLV information:


Switch:1# show isis lsdb tlv 186 detail
================================================================================
ISIS LSDB (DETAIL)
================================================================================
--------------------------------------------------------------------------------
Level-1 LspID: 000c.f803.83df.00-06 SeqNum: 0x000002eb Lifetime: 1113
Chksum: 0x7e3b PDU Length: 556
Host_name: Switch
Attributes: IS-Type 1
TLV:186 SPBM IP Multicast:
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.1
Data ISID : 16300012
BVID : 20
TX : 1
Route Type : Internal
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.2
Data ISID : 16300013
BVID : 10
TX : 1
Route Type : Internal
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.3
Data ISID : 16300014
BVID : 20
TX : 1
Route Type : Internal
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.4
Data ISID : 16300015
BVID : 10
TX : 1
Route Type : Internal
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.5
Data ISID : 16300016
BVID : 20
TX : 1
Route Type : Internal
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.6
Data ISID : 16300017
BVID : 10
TX : 1
Route Type : Internal
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.7
Data ISID : 16300018
BVID : 20
TX : 1
Route Type : Internal
Variable Definitions

The following table defines parameters for the show isis lsdb command.

Variable Value
detail Displays detailed information about the IS-IS Link State
database.
home Displays the IS-IS LSDB information that the system
configures in the home area.
level {l1, l2, l12} Displays information on the IS-IS level. The IEEE 802.1aq
standard currently only defines the use of one hierarchy, Level
1. Level 2 function is disabled.
local Displays information on the local LSDB.
lspid <xxxx.xxxx.xxxx.xx-xx> Specifies information about the IS-IS Link State database by
LSP ID.
remote Displays the IS-IS LSDB information that the system
configures in the remote area.
sub-tlv <1–3> Specifies information about the IS-IS Link State database by
sub-TLV.
sysid <xxxx.xxxx.xxxx> Specifies information about the IS-IS Link State database by
System ID.
tlv <1–236> Specifies information about the IS-IS Link State database by
TLV.
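
The TLV checks described in this section can be run against captured CLI output. The following Python code is an added example, not part of the VOSS guide or any Extreme Networks tool: it parses the GRT entries of show isis lsdb tlv 186 detail output and flags adverts that contradict the rules stated above (Tx bit set, a unique data I-SID inside the stated range). The EXPECTED_SOURCES inventory of permitted sender networks is a hypothetical addition, and the sample text is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Data I-SID range the guide states for IP multicast streams (inclusive).
DATA_ISID_RANGE = range(16_000_000, 16_512_001)
# Hypothetical inventory of networks allowed to host multicast senders.
EXPECTED_SOURCES = [ipaddress.ip_network("192.2.0.0/24")]

# Constructed sample in the layout of the guide's TLV 186 example: entry 1 is
# clean, entries 2 and 3 are altered to trigger the checks.
SAMPLE = """\
Level-1 LspID: 000c.f803.83df.00-06 SeqNum: 0x000002eb Lifetime: 1113
Host_name: Switch
TLV:186 SPBM IP Multicast:
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.1
Data ISID : 16300012
BVID : 20
TX : 1
Route Type : Internal
GRT ISID
Metric:0
IP Source Address: 198.51.100.7
Group Address : 233.252.0.2
Data ISID : 16300012
BVID : 10
TX : 0
Route Type : Internal
GRT ISID
Metric:0
IP Source Address: 192.2.0.10
Group Address : 233.252.0.3
Data ISID : 15999999
BVID : 20
TX : 1
Route Type : Internal
"""


@dataclass(frozen=True)
class Advert:
    host: str
    source: str
    group: str
    data_isid: int
    bvid: int
    tx: bool


def parse_tlv186(text):
    """Return one Advert per 'GRT ISID' entry in TLV 186 detail output."""
    adverts, host, entry = [], "", None

    def flush():
        # Keep only entries that carry the three identifying fields.
        if entry and {"IP Source Address", "Group Address", "Data ISID"} <= entry.keys():
            adverts.append(Advert(entry["host"], entry["IP Source Address"],
                                  entry["Group Address"], int(entry["Data ISID"]),
                                  int(entry.get("BVID", 0)), entry.get("TX") == "1"))

    for line in map(str.strip, text.splitlines()):
        if line.startswith("Host_name:"):
            host = line.split(":", 1)[1].strip()
        elif line == "GRT ISID":        # start of a new stream entry
            flush()
            entry = {"host": host}
        elif "LspID:" in line:          # next LSP header closes the open entry
            flush()
            entry = None
        elif entry is not None and ":" in line:
            key, value = line.split(":", 1)
            entry[key.strip()] = value.strip()
    flush()
    return adverts


def audit(adverts, expected_sources=EXPECTED_SOURCES):
    """Return (group, finding) tuples for adverts that break the stated rules."""
    findings, seen = [], {}
    for a in adverts:
        if a.data_isid not in DATA_ISID_RANGE:
            findings.append((a.group, "data I-SID outside 16,000,000-16,512,000"))
        if not a.tx:
            findings.append((a.group, "Tx bit not set in source BEB advert"))
        owner = seen.setdefault(a.data_isid, (a.source, a.group))
        if owner != (a.source, a.group):
            findings.append((a.group, f"data I-SID {a.data_isid} already used by {owner[1]}"))
        if not any(ipaddress.ip_address(a.source) in net for net in expected_sources):
            findings.append((a.group, f"source {a.source} not in expected sender networks"))
    return findings


if __name__ == "__main__":
    for group, finding in audit(parse_tlv186(SAMPLE)):
        print(group, finding)
```
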

IP Shortcuts configuration using the EDM


This section provides procedures to configure IP Shortcuts using the EDM.

Configuring IP Multicast over Fabric Connect on a VLAN within the GRT

Use this procedure to enable IP Multicast over Fabric Connect on each of the VLANs within the GRT that
need to support IP multicast traffic. The default is disabled.

To configure a VRF with IP Multicast over Fabric Connect, see Configuring IP Multicast over Fabric
Connect on a VLAN for Layer 3 on page 1751.

Note
• You do not have to enable IP Shortcuts to support IP multicast routing in the GRT using
SPBM.
• You cannot enable IP PIM when IP Multicast over Fabric Connect is enabled on the VLAN.

Before You Begin


• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect globally.
• If there is no IP interface on the VLAN, create one. (The IP interface must be in the same
subnet as the IGMP hosts that connect to the VLAN.)

About This Task

With IP Multicast over Fabric Connect within the GRT, routing of IP multicast traffic is allowed within
the subset of VLANs in the GRT that have IP Multicast over Fabric Connect enabled. When you
enable IP Multicast over Fabric Connect on a VLAN, the VLAN automatically becomes a multicast
routing interface.

You must enable IP Multicast over Fabric Connect on each of the VLANs within the GRT that need to
support IP multicast traffic. After you enable IP Multicast over Fabric Connect on the VLANs, any IGMP
functions required for IP Multicast over Fabric Connect within the GRT are automatically enabled. You
do not need to configure anything IGMP related.


If you only want to use IP Multicast over Fabric Connect, you do not need to enable the Layer 3 VSN or
redistribute unicast routes into or out of IS-IS. IP Multicast over Fabric Connect routing within the GRT
does not depend on unicast routing. This allows you to migrate more easily from a PIM environment
to IP Multicast over Fabric Connect. You can migrate a PIM environment to IP Multicast over Fabric
Connect first and then migrate unicast separately or not at all.

The switch only supports IPv4 addresses with IP Multicast over Fabric Connect.

Procedure

1. In the navigation pane, expand Configuration > VLAN.


2. Click VLANs.
3. Choose a VLAN, and then click the IP button.
4. Click the SPB Multicast tab.

Note
After you enable IP Multicast over Fabric Connect, you cannot enable IGMP, IGMP
Snooping, or IGMP proxy on the interface. If you try to enable IGMP Snooping or proxy on
any interface where SPBM multicast is enabled, the system displays an error message.

Note
When you enable IP Multicast over Fabric Connect on a Controller switch in a DvR domain,
the configuration is automatically pushed to the Leaf nodes within the domain.

5. Click Enable.
6. Click Apply.

Configuring IP Multicast over Fabric Connect on a brouter port within the GRT

Use this procedure to enable IP Multicast over Fabric Connect on a brouter port IP interface. The default
is enabled.

To configure a brouter port for a VRF with IP Multicast over Fabric Connect, see Configuring IP Multicast
over Fabric Connect on a brouter port for a Layer 3 VSN on page 1752.

Note
• You do not have to enable IP Shortcuts to support IP multicast routing in the GRT using
SPBM.
• You cannot enable IP PIM when IP Multicast over Fabric Connect is enabled on the VLAN.

Before You Begin


• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect globally.
• If there is no IP interface on the VLAN, create one. (The IP interface must be in the same
subnet as the IGMP hosts that connect to the VLAN.)


About This Task

With IP Multicast over Fabric Connect within the GRT, routing of IP multicast traffic is allowed within
the subset of VLANs in the GRT that have IP Multicast over Fabric Connect enabled. When you
enable IP Multicast over Fabric Connect on a VLAN, the VLAN automatically becomes a multicast
routing interface.

You must enable IP Multicast over Fabric Connect on each of the VLANs within the GRT that need to
support IP multicast traffic. After you enable IP Multicast over Fabric Connect on the VLANs, any IGMP
functions required for IP Multicast over Fabric Connect within the GRT are automatically enabled.

If you only want to use IP Multicast over Fabric Connect, you do not need to enable the Layer 3 VSN or
redistribute unicast routes into or out of IS-IS. IP Multicast over Fabric Connect routing does not depend
on unicast routing, which allows you to migrate more easily from a PIM environment to IP Multicast
over Fabric Connect. You can migrate a PIM environment to IP Multicast over Fabric Connect first, and
then migrate unicast separately or not at all.

The switch only supports IPv4 addresses with IP Multicast over Fabric Connect.

Procedure

1. Select an enabled port on the Physical Device View.


2. In the navigation pane, expand Configuration > Edit > Port.
3. Click IP.
4. Click the SPB Multicast tab.
5. Click Enable.

Note
When you enable IP Multicast over Fabric Connect on a DvR Controller switch in a DvR
domain, the configuration is automatically pushed to the Leaf nodes within the domain.

6. Click Apply.

SPB Multicast field description

Use the data in the following table to use the SPB Multicast tab.

Name Description
Enable Enables or disables SPB Multicast. The default is
disable.

Configuring the Global Routing Table timeout value

Use this procedure to configure the timeout value in the GRT. The timeout value ages out the sender
when there are no multicast streams coming from the sender for a specified period of time. The default
timeout value is 210 seconds.

Before You Begin


• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect globally.

Procedure

1. In the navigation pane, expand Configuration > Fabric > SPBM.


2. Select the SPBM tab.
3. Modify the McastFwdCacheTimeout value.
4. Select Apply.

IP multicast over SPBM within the GRT configuration example


The following example shows the configuration steps to enable IP multicast over SPBM support on
VLANs 10 and 11 that are part of the GRT:
ISIS SPBM CONFIGURATION

router isis
spbm 1 multicast enable

VLAN CONFIGURATION - PHASE I

interface vlan 500
ip address 192.0.2.1 255.255.255.0
ip spb-multicast enable
exit

interface vlan 501
ip address 192.0.2.2 255.255.255.0
ip spb-multicast enable
exit

Layer 3 VSN Fundamentals


This section provides fundamental concepts for Layer 3 VSN configuration. For more information on
Layer 3 VSN basic configuration, see Layer 3 VSN Configuration on page 1410.

Layer 3 VSN with IP Multicast over Fabric Connect


IP Multicast over Fabric Connect supports Layer 3 VSN functionality where multicast traffic is bridged
over the SPBM core infrastructure. Layer 3 VSN using IP Multicast over Fabric Connect is helpful when
you need complete security and total isolation of data. No one outside of the Layer 3 VSN can join or
even see the Layer 3 VSN. Applications that can use Layer 3 VSN with IP Multicast over Fabric Connect
include: Video surveillance, TV/Video/Ticker/Image Distribution, VX-LAN, Multi-tenant IP multicast.

Configure the Layer 3 VSN (VRF) as a multicast VPN, and then enable IP Multicast over Fabric Connect
on VRF VLANs to which IP multicast senders and receivers attach. This configuration automatically
enables IGMP snooping and proxy on those VLANs. IGMPv2 at the VLAN level is the default setting,
with no other configuration required. If you want to use IGMPv3, you must configure IGMPv3.


IP Multicast over Fabric Connect is only configured on BEBs.

Note
• You do not need to enable IP Shortcuts to support multicast routing in the Layer 3 VSN
using SPBM. IPVPN creation and I-SID assignment for the IPVPN is required, but you do
not need to enable IPVPN.
• If you only want to use IP Multicast over Fabric Connect, you do not need to enable the
Layer 3 VSN or redistribute unicast routes into or out of IS-IS. IP Multicast over Fabric
Connect routing does not depend on unicast routing for Layer 3 VSNs using VRFs, which
allows you to more easily migrate from a PIM environment to IP Multicast over Fabric
Connect. You can migrate a PIM environment to IP Multicast over Fabric Connect first and
then migrate unicast separately or not at all.
• If no IP interface exists on the VLAN, create one. (The IP interface must be in the
same subnet as the IGMP hosts that connect to the VLAN.)

With Layer 3 VSN with IP Multicast over Fabric Connect, multicast traffic remains in the same Layer 3
VSN across the SPBM cloud. For a Layer 3 VSN, traffic can cross VLAN boundaries but remains confined
to the subset of VLANs within the VRF that has IP Multicast over Fabric Connect enabled. If a sender
transmits a multicast stream to a BEB on a Layer 3 VSN with IP Multicast over Fabric Connect enabled,
only receivers that are part of the same Layer 3 VSN can receive that stream.

I-SIDs

After a BEB receives IP multicast data from a sender, the BEB allocates a data service instance identifier
(I-SID) in the range of 16,000,000 to 16,512,000 for the multicast stream. The stream is identified by
the S, G, V tuple, which is the source IP address, the group IP address and the local VLAN the multicast
stream is received on. The data I-SID uses Tx/Rx bits to signify whether the BEB uses the I-SID to
transmit, receive, or both transmit and receive data on that I-SID.

In the context of Layer 3 VSNs with IP Multicast over Fabric Connect, the scope is the I-SID value of the
Layer 3 VSN associated with the local VLAN that the IP multicast data was received on.

TLVs

This information is propagated through the SPBM cloud using IS-IS Link State Packets (LSPs), which
carry TLV updates that result in the creation of the multicast tree for that stream. For Layer 3 VSNs,
the LSPs carry I-SID information and information about where IP multicast stream senders and
receivers exist using TLV 144 and TLV 185.

IS-IS acts dynamically using the TLV information received from BEBs that connect to the sender and the
receivers to create a multicast tree between them.

IGMP

After a BEB receives an IGMP join message from a receiver, the BEB queries the IS-IS database to check
if a sender exists for the requested stream within the scope of the receiver. If the requested stream does
not exist, the IGMP information is kept, but no further action is taken. If the requested stream exists, the
BEB sends an IS-IS TLV update to its neighbors to inform them of the presence of a receiver and this
information is propagated through the SPBM cloud.


DvR

On DvR Controllers in a DvR domain, you must manually configure IP multicast over Fabric Connect
on Layer 3 VSNs (VRFs). This configuration is then automatically pushed to the Leaf nodes in the DvR
domain.

For more information on DvR, see Distributed Virtual Routing on page 688.

Layer 3 VSN Configuration using the CLI

Configure Layer 3 VSN with IP Multicast over Fabric Connect

Use this procedure to configure IP Multicast over Fabric Connect for a Layer 3 VSN.

Configure the Layer 3 VSN (VRF) as a multicast VPN, and then enable IP Multicast over Fabric Connect
on VRF VLANs to which IP multicast senders and receivers attach. After you enable IP Multicast over
Fabric Connect on VRF VLANs, snooping and proxy are enabled on those VLANs. IGMPv2 at the VLAN
level is the default setting. No configuration is required.

Note
On DvR Controllers in a DvR domain, you must manually configure IP multicast over Fabric
Connect on Layer 3 VSNs (VRFs). This configuration is then automatically pushed to the Leaf
nodes in the DvR domain.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect globally.
• You must assign an I-SID for the IPVPN.

About This Task

With Layer 3 VSN IP Multicast over Fabric Connect, multicast traffic remains in the same Layer 3 VSN
across the SPBM cloud.

For a Layer 3 VSN, traffic can cross VLAN boundaries but remains confined to the subset of VLANs
within the VRF that have ip spb-multicast enabled. The default is disabled.

All or a subset of VLANs within a Layer 3 VSN can exchange multicast traffic. The BEB only sends out
traffic for a multicast stream on which IGMP joins and reports are received.

The switch only supports IPv4 multicast traffic.

Note
You cannot enable IP PIM when IP Multicast over Fabric Connect is enabled on the VLAN.
The IP VPN does not need to be enabled for Layer 3 VSN multicast to function.


Procedure

1. Enter VRF Router Configuration mode for a specific VRF context:


enable

configure terminal

router vrf WORD<1-16>


2. Enable Layer 3 VSN IP Multicast over Fabric Connect for a particular VRF:
mvpn enable

The default is disabled.


3. Exit to Global Configuration mode:
exit
4. Enter Interface Configuration mode:
enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]} or interface vlan <1–4059>

Note
If the platform supports channelization and the port is channelized, you must also specify
the sub-port in the format slot/port/sub-port.

5. Enable Layer 3 VSN IP Multicast over Fabric Connect for a particular VRF:
ip spb-multicast enable
6. (Optional) Enable IGMP version 3:
ip igmp snooping

ip igmp ssm-snoop

ip igmp compatibility-mode

ip igmp version 3

Note
IGMPv2 at the VLAN level is the default setting, with no other configuration required. You
only need to use these commands if you use IGMPv3. You must enable SSM snoop before
you configure IGMP version 3, and you must enable both ssm-snoop and snooping for
IGMPv3.
For IGMP Snooping, ensure that the IGMP version used by multicast hosts and other
devices in the network is the same as the IGMP version configured on the IGMP Snooping
VLAN, or that you enable compatibility mode.


7. (Optional) Enable the IGMP Layer 2 Querier address:


ip igmp snoop-querier-addr {A.B.C.D}

Note
If the SPBM bridge connects to an edge switch, it can be necessary to add an IGMP query
address. If you omit adding a query address, the SPB bridge sends IGMP queries with a
source address of 0.0.0.0. Some edge switch models do not accept a query with a source
address of 0.0.0.0.

Example

Configure IP Multicast over Fabric Connect for a Layer 3 VSN:


Switch:>enable
Switch:#configure terminal
Switch:(config)# router vrf green
Switch:(config-vrf)#mvpn enable
Switch:(config)#exit
Switch:(config)#interface vlan 500
Switch:(config-if)#ip spb-multicast enable
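
One way to check a command sequence against the IGMPv3 rules in step 6 and the querier-address note in step 7, as an added Python example (not Extreme Networks code). The sample configuration is constructed, and treating every no/default form as clearing the matching setting is an assumption generalized from the forms the guide lists for ip igmp compatibility-mode.

```python
# Constructed sample: commands as they would be typed in the procedure above.
SAMPLE = """\
router vrf green
mvpn enable
exit
interface vlan 500
ip spb-multicast enable
ip igmp snooping
ip igmp ssm-snoop
ip igmp compatibility-mode
ip igmp version 3
ip igmp snoop-querier-addr 192.0.2.1
exit
interface vlan 501
ip spb-multicast enable
ip igmp version 3
ip igmp ssm-snoop
exit
interface vlan 502
ip spb-multicast enable
exit
"""


def parse_interfaces(config):
    """Map each 'interface ...' block to the ordered list of commands in it."""
    blocks, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.lower().startswith("interface "):
            name = line.split(None, 1)[1].lower()
            blocks.setdefault(name, [])
        elif line == "exit":
            name = None
        elif name and line:
            blocks[name].append(line)
    return blocks


def effective(commands):
    """Replay commands in order and return {command: first position enabled}.

    Assumption: a 'no <cmd>' or 'default <cmd>' line clears that setting.
    """
    state = {}
    for pos, cmd in enumerate(commands):
        base = next((cmd[len(p):] for p in ("no ", "default ") if cmd.startswith(p)), None)
        if base is None:
            state.setdefault(cmd, pos)
        else:
            for key in [k for k in state if k == base or k.startswith(base + " ")]:
                del state[key]
    return state


def lint(config):
    """Return (interface, severity, message) for spb-multicast interfaces."""
    findings = []
    for ifname, commands in parse_interfaces(config).items():
        state = effective(commands)
        if "ip spb-multicast enable" not in state:
            continue
        v3 = state.get("ip igmp version 3")
        if v3 is not None:
            ssm = state.get("ip igmp ssm-snoop")
            # The guide requires SSM snoop to be enabled before IGMP version 3.
            if ssm is None or ssm > v3:
                findings.append((ifname, "error",
                                 "enable ip igmp ssm-snoop before ip igmp version 3"))
            # IGMPv3 needs both ssm-snoop and snooping.
            if "ip igmp snooping" not in state:
                findings.append((ifname, "error",
                                 "IGMPv3 requires ip igmp snooping as well as ssm-snoop"))
        # Without a querier address, queries are sent with source 0.0.0.0,
        # which some edge switch models do not accept.
        if not any(c.startswith("ip igmp snoop-querier-addr ") for c in state):
            findings.append((ifname, "info",
                             "no snoop-querier-addr: IGMP queries use source 0.0.0.0"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```
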
Variable Definitions

The following table defines parameters for the router vrf command.

Variable Value
WORD<1–16> Specifies the name of the VRF.

The following table defines parameters for the interface vlan command.

Variable Value
<1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs 1 to 4059 are
configurable and the system reserves VLAN IDs 4060 to 4094 for internal use. On
switches that support the vrf-scaling and spbm-config-mode boot configuration
flags, if you enable these flags, the system also reserves VLAN IDs 3500 to 3998. VLAN ID
1 is the default VLAN and you cannot create or delete VLAN ID 1.

The following table defines parameters for the GigabitEthernet command.

Variable                              Value
GigabitEthernet{slot/port[/sub-port]  Identifies the slot and port in one of the following formats: a
[-slot/port[/sub-port]] [,...]}       single slot and port (slot/port), a range of slots and ports
                                      (slot/port-slot/port), or a series of slots and ports
                                      (slot/port,slot/port,slot/port). If the platform supports
                                      channelization and the port is channelized, you must also
                                      specify the sub-port in the format slot/port/sub-port.


The following table defines parameters for the ip igmp command.

Variable                          Value
access-list WORD<1–64>            Specifies the name of the access list from 1–64 characters.
{A.B.C.D/X}                       Creates an access control group entry for a specific IGMP
<deny-tx|deny-rx|deny-both|       interface. Specify the IP address of the host and the subnet
allow-only-tx|allow-only-rx|      mask used to determine the host or hosts covered by this
allow-only-both>                  configuration. You can use the host subnet mask to restrict
                                  access to a portion of the network for the host.
                                  Indicates the action for the specified IGMP interface. For
                                  example, if you specify deny-both, the interface denies both
                                  transmitted and received traffic.
compatibility-mode                Activates v2-v3 compatibility mode. The default value is
                                  disabled, which means IGMPv3 is not compatible with
                                  IGMPv2. To use the default configuration, use the default
                                  option in the command:
                                  default ip igmp compatibility-mode
                                  or use the no option to disable compatibility mode:
                                  no ip igmp compatibility-mode
dynamic-downgrade-version         Configures if the system downgrades the version of IGMP
                                  to handle older query messages. If the system downgrades,
                                  the host with IGMPv3 only capability does not work. If you
                                  do not configure the system to downgrade the version of
                                  IGMP, the system logs a warning. The system downgrades
                                  to the oldest version of IGMP on the network by default. To
                                  use the default configuration, use the default option in the
                                  command:
                                  default ip igmp dynamic-downgrade-version
                                  or use the no option to disable downgrade:
                                  no ip igmp dynamic-downgrade-version
igmpv3-explicit-host-tracking     Enables explicit host tracking on IGMPv3. The default state is
                                  disabled.
immediate-leave                   Enables fast leave on a VLAN.
immediate-leave-members           Configures IGMP fast leave members on a VLAN to specify
{slot/port[/sub-port]             fast-leave-capable ports.
[-slot/port[/sub-port]] [,...]}
last-member-query-interval        Configures the maximum response time (in tenths of a
<0–255>                           second) inserted into group-specific queries sent in response
                                  to leave group messages. This value is also the time between
                                  group-specific query messages. You cannot configure this
                                  value for IGMPv1.
                                  Decreasing the value reduces the time to detect the loss of
                                  the last member of a group. The default is 10 tenths of a
                                  second. Configure this value between 3–10 (equal to 0.3 – 1.0
                                  seconds).

mrdisc [maxadvertinterval <2–180>] [maxinitadvertinterval <2–180>]
[maxinitadvertisements <2–15>] [minadvertinterval <3–180>]
[neighdeadinterval <2–180>]
Configure the multicast router discovery options to enable
the automatic discovery of multicast capable routers. The
default parameter values are:
• maxadvertinterval: 20 seconds
• maxinitadvertinterval: 2 seconds
• maxinitadvertisements: 3
• minadvertinterval: 15 seconds
• neighdeadinterval: 60 seconds

mrouter {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} Adds multicast router ports.
proxy Activates the proxy-snoop option globally for the VLAN.
query-interval <1–65535> Configures the frequency (in seconds) at which the VLAN
transmits host query packets. The default value is 125
seconds.
query-max-response <0–255> Configures the maximum response time (in tenths of a
second) advertised in IGMPv2 general queries on this
interface. You cannot configure this value for IGMPv1. Smaller
values enable a router to prune groups faster. The default is
100 tenths of a second (equal to 10 seconds).

Important:
You must configure this value lower than the query-interval.

robust-value <2–255> Configures the expected packet loss of a network. The
default value is 2 seconds. Increase the value if you expect
the network to experience packet loss.
router-alert Instructs the router to ignore IGMP packets that do not
contain the router alert IP option. When disabled (default
configuration), the router processes IGMP packets regardless
of the status of the router alert IP option.

Important:
To maximize network performance, configure this parameter
according to the version of IGMP currently in use:
• IGMPv1—Disable
• IGMPv2—Enable
• IGMPv3—Enable

snoop-querier Enables the IGMP Layer 2 Querier feature on the VLAN. The
default is disabled.
snoop-querier-addr {A.B.C.D} Specifies the IGMP Layer 2 Querier source IP address.
snooping Activates the snoop option for the VLAN.
ssm-snoop Activates support for SSM on the snoop interface.

static-group {A.B.C.D} {A.B.C.D} [port] {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
[static|blocked]
Configures IGMP static members to add members to a snoop
group.
{A.B.C.D} {A.B.C.D} indicates the IP address range of
the selected multicast group.
[port] {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
adds ports to a static group entry.
[static|blocked] configures the route to static or
blocked.
stream-limit stream-limit-max-streams <0-65535>
Configures multicast stream limitation on a VLAN to limit the
number of concurrent multicast streams on the VLAN. The
default is 4.
stream-limit-group {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
enable max-streams <0-65535>
Configures multicast stream limitation members on ports of
a specific VLAN to limit the number of multicast groups that
can join a VLAN. The default max-streams value is 4.
version <1–3> Configures the version of IGMP that you want to configure
on this interface. For IGMP to function correctly, all routers
on a LAN must use the same version. The default value is 2
(IGMPv2).
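
Several rows above constrain one another (query-max-response against query-interval, router-alert against the IGMP version), and the IGMP procedures in this guide add that IGMPv3 needs both ssm-snoop and snooping, that fast leave on IGMPv3 needs explicit host tracking, and that a snoop querier without an address sends queries from 0.0.0.0. The following Python is an added example, not Extreme Networks code: it lints the ip igmp lines of one VLAN. The two sample line lists are constructed, flags with no documented default are assumed off, and query-max-response is converted from tenths of a second before the comparison, which is an assumption about how the rule is meant.

```python
# Defaults as documented in this guide. Flags with no documented default
# (snooping, ssm-snoop, immediate-leave) are assumed to be off.
DEFAULTS = {
    "version": 2, "query-interval": 125, "query-max-response": 100,
    "last-member-query-interval": 10, "router-alert": False,
    "snooping": False, "ssm-snoop": False, "immediate-leave": False,
    "snoop-querier": False, "snoop-querier-addr": "0.0.0.0",
    "igmpv3-explicit-host-tracking": False,
}
NUMERIC = {"version", "query-interval", "query-max-response",
           "last-member-query-interval"}

# Constructed samples: the "ip igmp" lines of one VLAN, weak and corrected.
VLAN_WEAK = [
    "ip igmp version 3",
    "ip igmp snooping",
    "ip igmp query-interval 5",
    "ip igmp query-max-response 100",
    "ip igmp immediate-leave",
    "ip igmp snoop-querier",
]
VLAN_FIXED = [
    "ip igmp ssm-snoop",
    "ip igmp snooping",
    "ip igmp version 3",
    "ip igmp router-alert",
    "ip igmp igmpv3-explicit-host-tracking",
    "ip igmp immediate-leave",
    "ip igmp snoop-querier",
    "ip igmp snoop-querier-addr 192.0.2.254",
]


def parse_igmp(lines):
    """Return (effective settings, set of options set explicitly)."""
    cfg, explicit = dict(DEFAULTS), set()
    for raw in lines:
        tok = raw.split()
        negate = tok[:1] == ["no"]
        if negate:
            tok = tok[1:]
        # "default ip igmp ..." lines fall through here and keep the default.
        if tok[:2] != ["ip", "igmp"] or len(tok) < 3 or tok[2] not in cfg:
            continue
        opt, args = tok[2], tok[3:]
        if opt in NUMERIC:
            if negate or not args or not args[0].isdigit():
                continue
            cfg[opt] = int(args[0])
        elif opt == "snoop-querier-addr":
            if negate or not args:
                continue
            cfg[opt] = args[0]
        else:
            cfg[opt] = not negate
        explicit.add(opt)
    return cfg, explicit


def lint(lines):
    """Return (code, detail) findings for the rules this guide states."""
    cfg, explicit = parse_igmp(lines)
    v, out = cfg["version"], []
    # query-max-response is in tenths of a second, query-interval in seconds.
    if cfg["query-max-response"] / 10 >= cfg["query-interval"]:
        out.append(("MAX_RESPONSE_NOT_BELOW_QUERY_INTERVAL",
                    f"{cfg['query-max-response'] / 10}s vs {cfg['query-interval']}s"))
    if v == 3 and not (cfg["ssm-snoop"] and cfg["snooping"]):
        out.append(("V3_NEEDS_SSM_SNOOP_AND_SNOOPING", "enable both for IGMPv3"))
    # Guide: disable router-alert for IGMPv1, enable it for IGMPv2 and IGMPv3.
    if cfg["router-alert"] != (v >= 2):
        out.append(("ROUTER_ALERT_MISMATCH", f"version {v}"))
    if v == 1:
        for opt in ("query-max-response", "last-member-query-interval"):
            if opt in explicit:
                out.append(("NOT_CONFIGURABLE_FOR_V1", opt))
    elif cfg["last-member-query-interval"] < 3:
        # 3 (0.3 seconds) is the lowest value the guide recommends.
        out.append(("LAST_MEMBER_QUERY_BELOW_3",
                    str(cfg["last-member-query-interval"])))
    if cfg["snoop-querier"] and cfg["snoop-querier-addr"] == "0.0.0.0":
        out.append(("SNOOP_QUERIER_SOURCE_UNSET", "queries sourced from 0.0.0.0"))
    if v == 3 and cfg["immediate-leave"] and not cfg["igmpv3-explicit-host-tracking"]:
        out.append(("V3_FAST_LEAVE_NEEDS_HOST_TRACKING", "enable host tracking"))
    return out


if __name__ == "__main__":
    for name, lines in (("weak", VLAN_WEAK), ("fixed", VLAN_FIXED)):
        print(name, lint(lines))
```
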

View Layer 3 VSN with IP Multicast over Fabric Connect Information

Use the following options to display Layer 3 VSN with IP Multicast over Fabric Connect information to
confirm proper configuration.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display all the VRFs that have MVPN enabled and their corresponding forward cache timeout values:
show ip vrf mvpn
3. Display IP Multicast over Fabric Connect route information:
show isis spbm ip-multicast-route [all][detail]
4. Display IP Multicast over Fabric Connect by group and source address:
show isis spbm ip-multicast-route [group {A.B.C.D}][detail][source
{A.B.C.D}]
5. Display IP Multicast over Fabric Connect route information by VRF:
show isis spbm ip-multicast-route [vrf WORD<1–16>] [group {A.B.C.D}]
6. Display IP Multicast over Fabric Connect route information by VLAN:
show isis spbm ip-multicast-route [vlan <1-4059>][detail][group
{A.B.C.D}]
7. Display IP Multicast over Fabric Connect information by VSN I-SID:
show isis spbm ip-multicast-route [vsn-isid <1–16777215>][detail]
[group {A.B.C.D}]
8. Display summary information for each S, G, V tuple with the corresponding scope, Data I-SID, and
the host name of the source:
show isis spb-mcast-summary [count][host-name WORD<0–255>][lspid
<xxxx.xxxx.xxxx.xx-xx>]

Example

Display Layer 3 VSN with IP Multicast over Fabric Connect information:


Switch:1>enable
Switch:1#show ip vrf mvpn

Vrf name : green
mvpn : enable
fwd-cache-timeout(seconds) : 210

Vrf name : 4
mvpn : enable
fwd-cache-timeout(seconds) : 210

Vrf name : blue
mvpn : enable
fwd-cache-timeout(seconds) : 210

Switch:1#show isis spbm ip-multicast-route all


================================================================================
SPBM IP-multicast ROUTE INFO ALL
================================================================================
Type VrfName Vlan Source Group VSN-ISID Data ISID BVLAN Source-BEB
Id
--------------------------------------------------------------------------------
routed GRT 501 192.0.2.1 233.252.0.1 5010 16300001 10 el2
routed GRT 501 192.0.2.1 233.252.0.2 5010 16300002 20 el2
routed GRT 501 192.0.2.1 233.252.0.3 5010 16300003 10 el2
routed GRT 501 192.0.2.1 233.252.0.4 5010 16300004 20 el2
routed GRT 501 192.0.2.1 233.252.0.5 5010 16300005 10 el2
routed GRT 501 192.0.2.1 233.252.0.6 5010 16300006 20 el2
routed GRT 501 192.0.2.1 233.252.0.7 5010 16300007 10 el2
routed GRT 501 192.0.2.1 233.252.0.8 5010 16300008 20 el2
routed GRT 501 192.0.2.1 233.252.0.9 5010 16300009 10 el2
routed GRT 501 192.0.2.1 233.252.0.10 5010 16300010 20 el2

--------------------------------------------------------------------------------
Total Number of SPBM IP multicast ROUTE Entries: 10
--------------------------------------------------------------------------------

Switch:1#show isis spbm ip-multicast-route vrf green


===========================================================================
SPBM IP-MULTICAST ROUTE INFO
===========================================================================
Source Group Data ISID BVLAN Source-BEB
---------------------------------------------------------------------------
192.0.2.10 233.252.0.1 16300001 10 el2
192.0.2.10 233.252.0.2 16300002 20 el2
192.0.2.10 233.252.0.3 16300003 10 el2
192.0.2.10 233.252.0.4 16300004 20 el2
192.0.2.10 233.252.0.5 16300005 10 el2
192.0.2.10 233.252.0.6 16300006 20 el2
192.0.2.10 233.252.0.7 16300007 10 el2
192.0.2.10 233.252.0.8 16300008 20 el2
192.0.2.10 233.252.0.9 16300009 10 el2
192.0.2.10 233.252.0.10 16300010 20 el2
--------------------------------------------------------------------------
Total Number of SPBM IP MULTICAST ROUTE Entries: 10
--------------------------------------------------------------------------

Switch:1#show isis spbm ip-multicast-route vlan 501


==========================================================================
SPBM IP-multicast ROUTE INFO ALL

==========================================================================
Type VrfName Vlan Source Group VSN-ISID Data ISID BVLAN Source-BEB

Id
--------------------------------------------------------------------------
routed GRT 501 192.0.2.1 233.252.0.1 5010 16300001 10 el2
routed GRT 501 192.0.2.1 233.252.0.2 5010 16300002 20 el2
routed GRT 501 192.0.2.1 233.252.0.3 5010 16300003 10 el2
routed GRT 501 192.0.2.1 233.252.0.4 5010 16300004 20 el2
routed GRT 501 192.0.2.1 233.252.0.5 5010 16300005 10 el2
routed GRT 501 192.0.2.1 233.252.0.6 5010 16300006 20 el2
routed GRT 501 192.0.2.1 233.252.0.7 5010 16300007 10 el2
routed GRT 501 192.0.2.1 233.252.0.8 5010 16300008 20 el2
routed GRT 501 192.0.2.1 233.252.0.9 5010 16300009 10 el2
routed GRT 501 192.0.2.1 233.252.0.10 5010 16300010 20 el2

-------------------------------------------------------------------------
Total Number of SPBM IP multicast ROUTE Entries: 10
-------------------------------------------------------------------------

Switch:1# show isis spbm ip-multicast-route vsn-isid 5010


==========================================================================
SPBM IP-multicast ROUTE INFO - VLAN ID : 501, VSN-ISID : 5010
==========================================================================
Source Group Data ISID BVLAN Source-BEB
--------------------------------------------------------------------------
192.0.2.1 233.252.0.2 16300002 20 el2
192.0.2.1 233.252.0.3 16300003 10 el2
192.0.2.1 233.252.0.4 16300004 20 el2
192.0.2.1 233.252.0.5 16300005 10 el2
192.0.2.1 233.252.0.6 16300006 20 el2
192.0.2.1 233.252.0.7 16300007 10 el2
192.0.2.1 233.252.0.8 16300008 20 el2
192.0.2.1 233.252.0.9 16300009 10 el2
192.0.2.1 233.252.0.10 16300010 20 el2

-------------------------------------------------------------------------
Total Number of SPBM IP multicast ROUTE Entries: 10
--------------------------------------------------------------------------

Switch:1# show isis spb-mcast-summary

==========================================================================
SPB multicast - Summary
==========================================================================
SCOPE SOURCE GROUP DATA LSP HOST
I-SID ADDRESS ADDRESS I-SID BVID FRAG NAME
--------------------------------------------------------------------------
5010 192.0.2.1 233.252.0.1 16300001 10 0x0 el2
5010 192.0.2.1 233.252.0.3 16300003 10 0x0 el2
5010 192.0.2.1 233.252.0.5 16300005 10 0x0 el2
5010 192.0.2.1 233.252.0.7 16300007 10 0x0 el2
5010 192.0.2.1 233.252.0.9 16300009 10 0x0 el2
5010 192.0.2.1 233.252.0.2 16300002 20 0x0 el2
5010 192.0.2.1 233.252.0.4 16300004 20 0x0 el2
5010 192.0.2.1 233.252.0.6 16300006 20 0x0 el2
5010 192.0.2.1 233.252.0.8 16300008 20 0x0 el2
5010 192.0.2.1 233.252.0.10 16300010 20 0x0 el2

Variable Definitions

The following table defines parameters for the show isis spbm ip-multicast-route
command.

Variable Value
all Displays all IP Multicast over Fabric Connect route information.
detail Displays detailed IP Multicast over Fabric Connect route information.
group {A.B.C.D} Displays information on the group IP address for the IP Multicast over
Fabric Connect route.
vlan <1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs
1 to 4059 are configurable and the system reserves VLAN IDs 4060 to
4094 for internal use. On switches that support the vrf-scaling and
spbm-config-mode boot configuration flags, if you enable these flags,
the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default
VLAN and you cannot create or delete VLAN ID 1.
vrf WORD<1–16> Displays IP Multicast over Fabric Connect route information by VRF.
vsn-isid <1–16777215> Displays IP Multicast over Fabric Connect route information by I-SID.

The following table defines parameters for the show isis spb-mcast-summary command.

Variable Value
count Displays the total number of SPB multicast entries.
host-name WORD<0–255> Displays the IP Multicast over Fabric Connect summary
information by host-name.
lspid <xxxx.xxxx.xxxx.xx-xx> Displays the IP Multicast over Fabric Connect summary
information by LSP ID.

View IGMP Information for Layer 3 VSN Multicast

Use the following commands to check IGMP information.

Procedure

1. Enter Privileged EXEC mode:
enable
2. Display information about the interfaces where IGMP is enabled:
show ip igmp interface [gigabitethernet {slot/port[/sub-port][-slot/
port[/sub-port]][,...]}][vlan <1-4059>[vrf WORD<1–16>][vrfids WORD<0–
512>]
Ensure that the output displays routed-spb under MODE.
3. Display information about the IGMP cache:
show ip igmp cache [vrf WORD<1–16>][vrfids WORD<0–512>]
4. Display information about the IGMP group:
show ip igmp group [count][member-subnet default|{A.B.C.D/X}][vrf
WORD<1–16>][vrfids WORD<0–512>]

5. Display information about the IGMP sender:
show ip igmp sender [count][member-subnet default|{A.B.C.D/X}][vrf
WORD<1–16>][vrfids WORD<0–512>]

Example

Display IGMP information for Layer 3 VSN with IP multicast over Fabric Connect:

Switch:#enable
Switch:1#show ip igmp interface vrf green

======================================================================================
Igmp Interface - GlobalRouter
======================================================================================
QUERY OPER QUERY WRONG LASTMEM
IF INTVL STATUS VERS. VERS QUERIER MAXRSPT QUERY JOINS ROBUST QUERY MODE
--------------------------------------------------------------------------------------
V100 125 activ 2 2 0.0.0.0 100 0 0 2 10 routed-spb

1 out of 1 entries displayed

Switch:1#show ip igmp interface vlan 2


========================================================================================
Vlan Ip Igmp
========================================================================================
VLAN QUERY QUERY ROBUST VERSION LAST PROXY SNOOP SNOOP SSM UPnP FAST FAST
ID INTVL MAX MEMB SNOOP ENABLE ORIGIN SNOOP FILTER LEAVE LEAVE
RESP QUERY ENABLE ENABLE ENABLE ENABLE PORTS
----------------------------------------------------------------------------------------
2 125 100 2 2 10 false false RADIUS false false
false

VLAN SNOOP SNOOP DYNAMIC COMPATIBILITY EXPLICIT UPnP


ID QUERIER QUERIER DOWNGRADE MODE HOSTS FILTER
ENABLE ADDRESS VERSION TRACKING ADDRESS
----------------------------------------------------------------------------------------
2 false 0.0.0.0 enable disable disable 239.255.255.250/32
Switch:1# show ip igmp sender vrf green

=======================================================================
IGMP Sender - GlobalRouter
=======================================================================
PORT/
GRPADDR IFINDEX MEMBER MLT STATE
----------------------------------------------------------------------
233.252.0.1 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.2 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.3 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.4 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.5 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.6 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.7 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.8 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.9 Vlan 501 192.2.0.1 9/5 NOTFILTERED
233.252.0.10 Vlan 501 192.2.0.1 9/5 NOTFILTERED

10 out of 10 entries displayed


Switch:1# show ip igmp group vrf green

================================================================================
IGMP Group - GlobalRouter

================================================================================
GRPADDR INPORT MEMBER EXPIRATION TYPE
--------------------------------------------------------------------------------
233.252.0.1 V501-9/16 192.2.0.1 204 Dynamic
233.252.0.2 V501-9/16 192.2.0.1 206 Dynamic
233.252.0.3 V501-9/16 192.2.0.1 206 Dynamic
233.252.0.4 V501-9/16 192.2.0.1 207 Dynamic
233.252.0.5 V501-9/16 192.2.0.1 204 Dynamic
233.252.0.6 V501-9/16 192.2.0.1 209 Dynamic
233.252.0.7 V501-9/16 192.2.0.1 206 Dynamic
233.252.0.8 V501-9/16 192.2.0.1 206 Dynamic
233.252.0.9 V501-9/16 192.2.0.1 211 Dynamic
233.252.0.10 V501-9/16 192.2.0.1 207 Dynamic

10 out of 10 group Receivers displayed

Total number of unique groups 10

Variable Definitions

The following table defines parameters for the show ip igmp interface command.

Variable Value
gigabitethernet {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
Identifies the slot and port in one of the following formats: a single
slot and port (slot/port), a range of slots and ports (slot/port-slot/
port), or a series of slots and ports (slot/port,slot/port,slot/port). If
the platform supports channelization and the port is channelized, you
must also specify the sub-port in the format slot/port/sub-port.
vlan <1-4059> Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs
1 to 4059 are configurable and the system reserves VLAN IDs 4060
to 4094 for internal use. On switches that support the vrf-scaling
and spbm-config-mode boot configuration flags, if you enable
these flags, the system also reserves VLAN IDs 3500 to 3998. VLAN
ID 1 is the default VLAN and you cannot create or delete VLAN ID 1.
vrf WORD<1–16> Specifies the VRF by name.
vrfids WORD<0–512> Specifies the VRF by VRF ID.

The following table defines parameters for the show ip igmp cache command.

Variable Value
vrf WORD<1–16> Specifies the VRF by name.
vrfids WORD<0–512> Specifies the VRF by VRF ID.

The following table defines parameters for the show ip igmp group command.

Variable Value
count Specifies the number of entries.
group {A.B.C.D} Specifies the group address.
member-subnet {A.B.C.D/X} Specifies the IP address and network mask.

vrf WORD<1–16> Displays the multicast route configuration for a particular VRF by
name.
vrfids WORD<0–512> Displays the multicast route configuration for a particular VRF by
VRF ID.

The following table defines parameters for the show ip igmp sender command.

Variable Value
count Specifies the number of entries.
group {A.B.C.D} Specifies the group address.
member-subnet {A.B.C.D/X} Specifies the IP address and network mask.
vrf WORD<1–16> Displays the multicast route configuration for a particular VRF by
name.
vrfids WORD<0–512> Displays the multicast route configuration for a particular VRF by
VRF ID.

View TLV Information for a Layer 3 VSN with IP Multicast over Fabric Connect

Use the following commands to check TLV information.

For a Layer 3 VSN multicast, TLV 185 on the BEB where the source is located displays the multicast
source and group addresses and has the Tx bit set. Each multicast group should have its own unique
data I-SID with a value between 16,000,000 and 16,512,000. TLV 144 on the BEB bridge, where the sender
is located, has the Tx bit set. All BEB bridges, where a receiver exists, have the Rx bit set.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display IS-IS Link State Database information by TLV:
show isis lsdb tlv <1–236> [sub-tlv <1–3>] [detail] [home|remote]
3. Display IS-IS Link State Database information by Link State Protocol ID:
show isis lsdb lspid <xxxx.xxxx.xxxx.xx-xx> [tlv <1–236>] [sub-tlv <1–
3>] [detail] [home|remote]

Example

Display TLV information for a Layer 3 VSN with IP Multicast over Fabric Connect:
Switch:1# show isis lsdb tlv 185 detail
================================================================================
ISIS LSDB (DETAIL)
================================================================================
--------------------------------------------------------------------------------
Level-1 LspID: 000c.f803.83df.00-04 SeqNum: 0x000002eb Lifetime: 1113
Chksum: 0x7e3b PDU Length: 556
Host_name: el2
Attributes: IS-Type 1
TLV:185 SPBM IPVPN :
VSN ISID:5010
BVID :10
Metric:0

IP Source Address: 192.0.2.10
Group Address : 233.252.0.1
Data ISID : 16300011
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.3
Data ISID : 16300013
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.5
Data ISID : 16300015
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.7
Data ISID : 16300017
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.9
Data ISID : 16300019
TX : 1
VSN ISID:5010
BVID :20
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.2
Data ISID : 16300012
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.4
Data ISID : 16300014
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.6
Data ISID : 16300016
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.8
Data ISID : 16300018
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.10
Data ISID : 16300020
TX : 1
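
The checks described for TLV 185 (Tx bit set on the source BEB, and a distinct data I-SID for each multicast group within 16,000,000 to 16,512,000) can be run over saved show isis lsdb tlv 185 detail output. The following Python is an added example, not part of the guide or of VOSS. The sample text is constructed in the layout shown above with two deliberate faults, and uniqueness is checked per originating system ID, which is an assumption.

```python
import re
from collections import defaultdict

# Data I-SID range stated in this guide for IP Multicast over Fabric Connect.
DATA_ISID_MIN, DATA_ISID_MAX = 16_000_000, 16_512_000

# Constructed sample in the layout of "show isis lsdb tlv 185 detail".
# Two faults are planted: groups .1 and .3 share a data I-SID, and the
# entry for group .2 has the Tx bit clear.
SAMPLE = """\
Level-1 LspID: 000c.f803.83df.00-04 SeqNum: 0x000002eb Lifetime: 1113
Chksum: 0x7e3b PDU Length: 556
Host_name: el2
Attributes: IS-Type 1
TLV:185 SPBM IPVPN :
VSN ISID:5010
BVID :10
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.1
Data ISID : 16300011
TX : 1
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.3
Data ISID : 16300011
TX : 1
VSN ISID:5010
BVID :20
Metric:0
IP Source Address: 192.0.2.10
Group Address : 233.252.0.2
Data ISID : 16300012
TX : 0
"""


def _to_int(value):
    """Return value as an int, or None when the field is empty or malformed."""
    try:
        return int(value)
    except ValueError:
        return None


def parse_tlv185(text):
    """Return one dict per (source, group) entry advertised in TLV 185."""
    entries, cur = [], None
    ctx = {"lspid": None, "host": None, "vsn_isid": None, "bvid": None}
    for raw in text.splitlines():
        line = raw.strip()
        lsp = re.search(r"LspID:\s*(\S+)", line)
        if lsp:  # a new LSP starts: drop everything inherited from the last one
            ctx = {"lspid": lsp.group(1), "host": None, "vsn_isid": None, "bvid": None}
            cur = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "host_name":
            ctx["host"] = value
        elif key == "vsn isid":
            ctx["vsn_isid"], ctx["bvid"], cur = _to_int(value), None, None
        elif key == "bvid":
            ctx["bvid"] = _to_int(value)
        elif key == "ip source address":
            cur = dict(ctx, source=value, group=None, data_isid=None, tx=None)
            entries.append(cur)
        elif cur is not None and key == "group address":
            cur["group"] = value
        elif cur is not None and key == "data isid":
            cur["data_isid"] = _to_int(value)
        elif cur is not None and key == "tx":
            cur["tx"] = _to_int(value)
    return entries


def audit(entries):
    """Return (code, detail) findings for the checks the guide describes."""
    findings, owners = [], defaultdict(set)
    for e in entries:
        stream = f"({e['source']}, {e['group']}) in VSN I-SID {e['vsn_isid']}"
        isid = e["data_isid"]
        if e["group"] is None or isid is None:
            findings.append(("INCOMPLETE_ENTRY", stream))
            continue
        if not DATA_ISID_MIN <= isid <= DATA_ISID_MAX:
            findings.append(("DATA_ISID_OUT_OF_RANGE", f"{stream}: {isid}"))
        if e["tx"] != 1:
            findings.append(("TX_NOT_SET", f"{stream}: TX={e['tx']}"))
        # Assumption: a data I-SID must be unique per originating system ID.
        system_id = (e["lspid"] or "unknown").rsplit(".", 1)[0]
        owners[(system_id, isid)].add((e["vsn_isid"], e["source"], e["group"]))
    for (system_id, isid), streams in sorted(owners.items()):
        if len(streams) > 1:
            groups = ", ".join(sorted(g for _, _, g in streams))
            findings.append(("DATA_ISID_SHARED", f"{system_id} I-SID {isid}: {groups}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_tlv185(SAMPLE)):
        print(f"{code}: {detail}")
```
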
Variable Definitions

The following table defines parameters for the show isis lsdb command.

Variable Value
detail Displays detailed information about the IS-IS Link State
database.
home Displays the IS-IS LSDB information that the system configures
in the home area.

level {l1, l2, l12} Displays information on the IS-IS level. The IEEE 802.1aq
standard currently only defines the use of one hierarchy, Level
1. Level 2 function is disabled.
local Displays information on the local LSDB.
lspid <xxxx.xxxx.xxxx.xx-xx> Specifies information about the IS-IS Link State database by
LSP ID.
remote Displays the IS-IS LSDB information that the system configures
in the remote area.
sub-tlv <1–3> Specifies information about the IS-IS Link State database by
sub-TLV.
sysid <xxxx.xxxx.xxxx> Specifies information about the IS-IS Link State database by
System ID.
tlv <1–236> Specifies information about the IS-IS Link State database by
TLV.

Layer 3 VSN Configuration using EDM

Enable MVPN for a VRF

Use this procedure to enable MVPN for a particular VRF. IP Multicast over Fabric Connect constrains
multicast streams of senders to all receivers in the same Layer 3 VSN. MVPN functionality is disabled by
default.

Note
VLAN level configuration is also required to turn on the service on each VLAN within the VRF
on which this service is required. You can turn it on under the VLAN context or the brouter
context.

Before You Begin


• You must enable IP Multicast over Fabric Connect globally.

Procedure

1. In the navigation pane, expand Configuration > IP.
2. Select IP-MVPN.
3. Select the MVPN tab.
4. Double-click in the Enable field in the table.
5. Select Enable from the drop down menu.
6. Double-click in the FwdCacheTimeout field in the table, and then type the VRF timeout value.
7. Select Apply.

MVPN Field Descriptions

Use the data in the following table to use the MVPN tab.

Name Description
VrfId Specifies the VRF ID.
Enable Enables Layer 3 VSN IP Multicast over Fabric
Connect services for a particular VRF. The default
is disabled.
FwdCacheTimeout Specifies the VRF timeout value. The timeout
value ages out the sender when there is no
multicast stream on the VRF. The default is 210
seconds.

Configuring IP Multicast over Fabric Connect on a VLAN for Layer 3

Use this procedure to enable IP Multicast over Fabric Connect for a Layer 3 VSN. The default is disabled.

To configure a VLAN for IP Shortcuts with IP Multicast over Fabric Connect, see Configuring IP Multicast
over Fabric Connect on a VLAN within the GRT on page 1732.

Note
On DvR Controllers in a DvR domain, you must manually configure IP multicast over Fabric
Connect on Layer 3 VSNs (VRFs). This configuration is then automatically pushed to the Leaf
nodes in the DvR domain.

Before You Begin


• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must configure a VRF and an IP VPN instance with an I-SID configured under it on the switch.
The IP VPN does not need to be enabled for Layer 3 VSN multicast to function.
• You must enable IP Multicast over Fabric Connect globally.
• If there is no IP interface on the VLAN, then you create one. (The IP interface must be in the same
subnet as the IGMP hosts that connect to the VLAN).
• You must enable MVPN for the particular VRF.

About This Task

You must configure VLANs to turn on the service on each VLAN within the VRF on which the service is
required. You can turn it on under the VLAN context or the brouter context.

If you only want to use IP Multicast over Fabric Connect, you do not need to enable the Layer 3 VSN or
redistribute unicast routes into or out of IS-IS. IP Multicast over Fabric Connect routing does not depend
on unicast routing (for Layer 3 VSN). This allows you to migrate more easily from a PIM environment
to IP Multicast over Fabric Connect. You can migrate a PIM environment to IP Multicast over Fabric
Connect first and then migrate unicast separately or not at all.

The switch only supports IPv4 addresses with IP Multicast over Fabric Connect.

Note
You cannot enable IP PIM when IP Multicast over Fabric Connect is enabled on the VLAN.

Procedure

1. In the navigation pane, expand Configuration > VRF Context View.
2. Click Set VRF Context View.
3. Choose a VRF name.
4. Click Launch VRF Context View.
5. Select an enabled port on the Physical Device View.
6. In the navigation pane, expand Configuration > VLAN.
7. Click VLANs.
8. Choose a VLAN, and then click the IP from under the tab bar.
9. Click the SPB Multicast tab.
10. Check the Enable box.
11. Click Apply.

Configuring IP Multicast over Fabric Connect on a brouter port for a Layer 3 VSN

Use this procedure to enable IP Multicast over Fabric Connect on a brouter port. The default is disabled.

To configure a brouter port for IP Shortcuts with IP Multicast over Fabric Connect, see Configuring IP
Multicast over Fabric Connect on a brouter port within the GRT on page 1733.

Before You Begin

• You must configure the required SPBM and IS-IS infrastructure, which includes the creation of SPBM
B-VLANs.
• You must configure a VRF and an IP VPN instance with an I-SID configured under it on the switch.
The IP VPN does not need to be enabled for Layer 2 VSN multicast to function.
• You must enable IP Multicast over Fabric Connect globally.
• If there is no IP interface on the VLAN, then you create one. (The IP interface must be in the same
subnet as the IGMP hosts that connect to the VLAN).
• You must enable MVPN for the particular VRF.

About This Task

You must enable IP Multicast over Fabric Connect on each of the VLANs that need to support IP
multicast traffic.

If you only want to use IP Multicast over Fabric Connect, you do not need to enable the Layer 3 VSN or
redistribute unicast routes into or out of IS-IS. IP Multicast over Fabric Connect routing does not depend
on unicast routing, which allows you to migrate more easily from a PIM environment to Multicast
over Fabric Connect. You can migrate a PIM environment to IP Multicast over Fabric Connect first, and
then migrate unicast separately or not at all.

The switch only supports IPv4 addresses with IP Multicast over Fabric Connect.

Procedure

1. In the navigation pane, expand Configuration > VRF Context View.
2. Click Set VRF Context View.
3. Choose a VRF name.
4. Click Launch VRF Context View.
5. Select an enabled port on the Physical Device View.
6. In the navigation pane, expand Configuration > Edit > Port.
7. Click IP.
8. Click the SPB Multicast tab.
9. Click Enable.
10. Click Apply.

Configuring IGMP on a VLAN interface for a Layer 3 VRF

Use this procedure to configure IGMP for each VLAN interface to enable the interface to perform
multicast operations.

IGMPv2 at the VLAN level is the default setting, with no other configuration required. You only need to
enable IGMPv3. You must enable SSM snoop before you configure IGMP version 3, and you must enable
both ssm-snoop and snooping for IGMPv3.

For IGMP Snooping, ensure that the IGMP version used by multicast hosts and other devices in the
network is the same as the IGMP version configured on the IGMP Snooping VLAN, or that you enable
compatibility mode.

Note
You cannot enable IP PIM when IP Multicast over Fabric Connect is enabled on the VLAN.

Before You Begin


• You must configure the required SPBM IS-IS infrastructure.
• You must configure a VRF and IP VPN instance with an I-SID on the switch.
• You must create the C-VLANs and add slots/ports.
• You must enable IP Multicast over Fabric Connect for a Layer 3 VSN.

About This Task

For IGMP Snooping, ensure that the IGMP version used by multicast hosts and other devices in the
network is the same as the IGMP version configured on the IGMP Snooping VLAN, or that you enable
compatibility mode.

Procedure

1. In the navigation pane, expand Configuration > VRF Context View.
2. Click Set VRF Context View.
3. Choose a VRF name.
4. Click Launch VRF Context View.
5. In the navigation pane, expand Configuration > VLAN.
6. Click VLANs.
7. Select the desired VLAN from the listing.
8. Click the IP button.
9. Click the IGMP tab.
10. (Optional) If you want to enable SsmSnoopEnable, select the SsmSnoopEnable box.

11. (Optional) If you want to enable Snoop, select the SnoopEnable box.
12. (Optional) In the Version box, select the correct IGMP version.
You must enable SSM snoop before you configure IGMP version 3, and you must enable both
ssm-snoop and snooping for IGMPv3.
13. (Optional) Select SnoopQuerierEnable to enable Snoop Querier. Only select this option if you want
to configure an address for the IGMP queries.
14. (Optional) In the SnoopQuerierAddr box, type an IP address if you want to configure a snoop
querier address.

Note
If the SPBM bridge connects to an edge switch, it can be necessary to add an IGMP query
address. If you omit adding a query address, the SPB bridge sends IGMP queries with a
source address of 0.0.0.0. Some edge switch models do not accept a query with a source
address of 0.0.0.0.

IGMP field descriptions

Use the data in the following table to use the IGMP tab.

Name Description
QueryInterval Configures the frequency (in seconds) at which the IGMP host
query packets transmit on the interface. The range is from 1–
65535 and the default is 125.
QueryMaxResponseTime Configures the maximum response time (in tenths of a second)
advertised in IGMPv2 general queries on this interface. You cannot
configure this value for IGMPv1.
Smaller values allow a router to prune groups faster. The range is
from 0–255 and the default is 100 tenths of a second (equal to 10
seconds.)

Important:
You must configure this value lower than the QueryInterval.

Robustness Configure this parameter to tune for the expected packet loss of
a network. This value is equal to the number of expected query
packet losses for each serial query interval, plus 1. If you expect
the network to lose query packets, increase the robustness value.
The range is from 2–255 and the default is 2. The default value of
2 means that the switch drops one query for each query interval
without the querier aging out.
LastMembQueryIntvl Configures the maximum response time (in tenths of a second)
inserted into group-specific queries sent in response to leave
group messages. This value is also the time between group-
specific query messages. You cannot configure this value for
IGMPv1.
Decreasing the value reduces the time to detect the loss of the
last member of a group. The range is from 0–255 and the default
is 10 tenths of a second.
Configure this parameter to values greater than 3. If you do not
require a fast leave process, use values greater than 10. (The value
3 is equal to 0.3 seconds, and 10 is equal to 1 second.)

SnoopEnable Enables or disables snoop.
SsmSnoopEnable Enables or disables support for SSM on the snoop interface.
ProxySnoopEnable Enables or disables proxy snoop.
Version Configures the version of IGMP (1, 2, or 3) that you want to use on
this interface. For IGMP to function correctly, all routers on a LAN
must use the same version. The default is version 2.
For IGMP Snooping, ensure that the IGMP version used by
multicast hosts and other devices in the network is the same as
the IGMP version configured on the IGMP Snooping VLAN, or that
you enable compatibility mode.
FastLeaveEnable Enables or disables fast leave on the interface.
StreamLimitEnable Enables or disables stream limitation on this VLAN.
Maximum Number Of Stream Configures the maximum number of streams allowed on this
VLAN. The range is from 0–65535 and the default is 4.
Current Number Of Stream Displays the current number of streams. This value is a read-only
value.
FastLeavePortMembers Selects the ports that are enabled for fast leave.
SnoopMRouterPorts Selects the ports in this interface that provide connectivity to an
IP multicast router.
DynamicDowngradeEnable Configures whether the switch downgrades the version of IGMP to
handle older query messages. If the switch downgrades, hosts
with IGMPv3-only capability do not work. If you do not
configure the switch to downgrade the version of IGMP, the switch
logs a warning. The default value is selected (enabled), which
means the switch downgrades to the oldest version of IGMP on
the network.
CompatibilityModeEnable Enables or disables v2-v3 compatibility mode. The default value
is clear (disabled), which means IGMPv3 is not compatible with
IGMPv2.
ExplicitHostTrackingEnable Enables or disables IGMPv3 to track hosts per channel or group.
The default is disabled. You must select this field if you want to
use fast leave for IGMPv3.
SnoopQuerierEnable Enables Snoop Querier. The default is disabled.
When you enable IGMP Layer 2 Querier, Layer 2 switches in
your network can snoop IGMP control packets exchanged with
downstream hosts and upstream routers. The Layer 2 switches
then generate the Layer 2 MAC forwarding table, used for
switching sessions and multicast traffic regulation, and provide
the recurring queries required to maintain IGMP groups.
Enable Layer 2 Querier on only one node in the VLAN.
SnoopQuerierAddr Specifies the pseudo IP address of the IGMP Snoop Querier. The
default IP address is 0.0.0.0.
If the SPBM bridge connects to an edge switch, it can be
necessary to add an IGMP query address. If you omit adding a
query address, the SPBM bridge sends IGMP queries with a source
address of 0.0.0.0. Some edge switch models do not accept a
query with a source address of 0.0.0.0.


Layer 3 VSN with IP Multicast over Fabric Connect configuration example


The example below shows the configuration to enable IP Multicast over Fabric Connect support on
VLANs 500 and 501 that are part of VRF Green:
ISIS SPBM CONFIGURATION

router isis
spbm 1 multicast enable

VRF CONFIGURATION

ip vrf green vrfid 2

VLAN CONFIGURATION - PHASE 1

vlan 110 i-sid 100

interface vlan 500
vrf green
ip address 192.0.2.1 255.255.255.0 1
ip spb-multicast enable
exit

vlan 111 i-sid 100

interface vlan 501
vrf green
ip address 192.0.2.2 255.255.0 0
ip spb-multicast enable
exit

ISIS SPBM IPVPN CONFIGURATION

router vrf green

ipvpn
i-sid 100
mvpn enable
exit

When using IGMPv3, the configuration is:

ISIS SPBM CONFIGURATION

router isis
spbm 1 multicast enable

VRF CONFIGURATION

ip vrf green vrfid 2

VLAN CONFIGURATION - PHASE 1

vlan 110 i-sid 100

interface vlan 500
vrf green
ip address 192.0.2.1 255.255.255.0 1
ip spb-multicast enable
ip igmp version 3
exit

vlan 111 i-sid 100

interface vlan 501
vrf green
ip address 192.0.2.2 255.255.0 0
ip spb-multicast enable
ip igmp version 3
exit

ISIS SPBM IPVPN CONFIGURATION

router vrf green

ipvpn
i-sid 100
mvpn enable
exit



IPFIX
IPFIX Fundamentals
IPFIX Configuration Using CLI
IPFIX Configuration Using EDM

Table 124: Internet Protocol Flow Information eXport (IPFIX) product support
Feature                                            Product          Release introduced
Internet Protocol Flow Information eXport (IPFIX)  VSP 4450 Series  Not Supported
                                                   VSP 4900 Series  Not Supported
                                                   VSP 7200 Series  Not Supported
                                                   VSP 7400 Series  VOSS 8.0
                                                   VSP 8200 Series  Not Supported
                                                   VSP 8400 Series  Not Supported
                                                   VSP 8600 Series  Not Supported
                                                   XA1400 Series    Not Supported

IPFIX Fundamentals
Internet Protocol Flow Information eXport (IPFIX) is an Internet Engineering Task Force (IETF) standard
for exporting Internet Protocol flow information.

IPFIX monitors flows that pass an observation point. The switch organizes flows into a flow group,
which is contained in an observation domain.

An IPFIX flow is a set of packets that pass an observation point in the network during a certain time
interval. Packets that belong to a particular flow have a common set of properties. The switch defines
each property using values from the following:
• Source IP address
• Destination IP address
• IP protocol
• L4 source port
• L4 destination port

A packet belongs to a flow if it completely satisfies all defined properties of the flow.


The switch logically organizes flows into a flow group, which corresponds to a single observation point.
A flow can belong to only 1 flow group. A flow group is a collection of packet flows that meet match
criteria. Examples of flow groups are packets ingressing a specific physical port, or packets with a
destination IP address belonging to a specific subnet.

A flow group is contained in an observation domain. The switch assigns the flow group to an
observation domain. The observation domain has a unique observation domain ID that you can
configure. You can configure only 1 observation domain.

The IPFIX solution consists of the following processes:


• Filtering Rules process: The Filtering Rules process gathers information about flows through
different ports, or the observation point. Flow information includes the following:
◦ The IPv4 source address.
◦ The IPv4 destination address.
◦ The L4 source port.
◦ The L4 destination port.
◦ The transport protocol.
◦ The total number of incoming packets for this flow at the observation point since the metering
process (re-)initialization for this observation point.
◦ The total number of octets in incoming packets for this flow at the observation point since the
metering process (re-)initialization for this observation point.
◦ The absolute timestamp of the first packet of this flow.
◦ The absolute timestamp of the last packet of this flow.

The Filtering Rules process runs on the switch.


• Exporting process: The Filtering Rules process sends information to the Exporting process. The
Exporting process uses the UDP transport protocol for network communication with the Collecting
process.

The Exporting process runs on the switch.


• Collecting process: You can view flows and export flow information periodically to a collector. A
collector can store a large number of flow records from several devices in the network. The IPFIX
standard specifies the protocol for exporting the flows to a collector, including the formatting of flow
records and the underlying UDP transport protocol.

Use the collected information for network planning, troubleshooting a live network, and monitoring
security threats.

The best practice is to use the ExtremeAnalytics™ solution as the collector. The ExtremeAnalytics™
solution provides an enhanced method of collecting IPFIX flow information.


The external collector for the IPFIX solution must support our IPFIX template, which contains the
following element IDs defined by Internet Assigned Numbers Authority (IANA) IPFIX assignments.

Table 125: IPFIX element IDs

Element ID  Name                      Description
0           unknown                   Reserved
4           protocolIdentifier        The value of the protocol number in the IP packet header.
7           sourceTransportPort       The source port identifier in the transport header.
8           sourceIPv4Address         The IPv4 source address in the IP packet header.
11          destinationTransportPort  The destination port identifier in the transport header.
12          destinationIPv4Address    The IPv4 destination address in the IP packet header.
85          octetTotalCount           The total number of octets in incoming packets for this flow at the observation point since the metering process (re-)initialization for this observation point.
86          packetTotalCount          The total number of incoming packets for this flow at the observation point since the metering process (re-)initialization for this observation point.
152         flowStartMilliseconds     The absolute timestamp of the first packet of this flow.
153         flowEndMilliseconds       The absolute timestamp of the last packet of this flow.
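
The template in Table 125, decoded on the collector side, as an added example that is not part of the Extreme Networks guide. The message layout follows RFC 7011; the field order and field lengths in the constructed sample are assumptions, because the guide lists only the element IDs.

```python
import socket
import struct

# Element IDs from Table 125, mapped to their IANA names.
ELEMENTS = {4: "protocolIdentifier", 7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address", 85: "octetTotalCount",
            86: "packetTotalCount", 152: "flowStartMilliseconds", 153: "flowEndMilliseconds"}

def read_templates(body, domain, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        fields = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(count)]
        if any(eid & 0x8000 or flen == 0xFFFF for eid, flen in fields):
            raise ValueError("enterprise or variable-length field not handled")
        if tid >= 256:                                 # lower IDs here are set padding
            templates[(domain, tid)] = fields
        pos += 4 + 4 * count

def read_records(body, fields):
    size = sum(flen for _, flen in fields)
    for start in range(0, len(body) - size + 1, size):  # trailing padding is ignored
        rec, p = {}, start
        for eid, flen in fields:
            raw, p = body[p:p + flen], p + flen
            rec[ELEMENTS.get(eid, eid)] = socket.inet_ntoa(raw) if eid in (8, 12) else int.from_bytes(raw, "big")
        yield rec

def parse_ipfix(msg, templates):
    """Decode one IPFIX message; `templates` must persist between messages."""
    version, length, _time, _seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length out of bounds")
        if set_id == 2:                                # template set
            read_templates(msg[off + 4:off + set_len], domain, templates)
        elif templates.get((domain, set_id)):          # data set with a known template
            records += read_records(msg[off + 4:off + set_len], templates[(domain, set_id)])
        off += set_len
    return records

# Constructed sample (field order and lengths are assumptions): template 256, then one record.
TEMPLATE = struct.pack("!20H", 256, 9, 8, 4, 12, 4, 4, 1, 7, 2, 11, 2, 86, 8, 85, 8, 152, 8, 153, 8)
RECORD = struct.pack("!9B2H4Q", 192, 0, 2, 10, 198, 51, 100, 7, 6, 49152, 443, 12, 3400, 1663000000000, 1663000004000)
SETS = struct.pack("!HH", 2, 4 + len(TEMPLATE)) + TEMPLATE + struct.pack("!HH", 256, 4 + len(RECORD)) + RECORD
SAMPLE = struct.pack("!HHIII", 10, 16 + len(SETS), 1663000005, 0, 1) + SETS
```

Because export runs over UDP, a collector that receives a data set before the matching template cannot decode it, so `parse_ipfix` returns no records for that observation domain until the template has been seen.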

IPFIX is a push protocol. The Filtering Rules and Exporting processes periodically send IPFIX messages
to configured receivers without interaction from the Collecting process.

IPFIX collects IPv4 flow information on the switch and conforms with the following:
• IPFIX supports only 1 collector.
• IPFIX learns only IPv4 flows.
• IPFIX sends and receives only TCP/UDP flows.
• IPFIX uses only UDP to export packets.
• You can configure only the template exporting timer.
• The Out-of-Band (OOB) port does not support IPFIX.
• IPFIX exports TCP/UDP IPv4 flows on IS-IS interfaces that are members of a VLAN. IPFIX does not
capture Mac-In-Mac encapsulated flows on IS-IS interfaces.

IPFIX processes IPv4 UDP or TCP Mac-in-Mac packet flows that are terminated by the switch. IPFIX
does not process Mac-in-Mac packet flows that are only traversing the switch (Layer 2 switching).
• Layer 3 Virtual Services Network (L3 VSN) flow packets on NNI ports are not learned by IPFIX.
• The switch supports only ingress sampling. The switch does not support egress sampling.

Note
IPFIX is not supported on OOB, Circuitless IP (CLIP), or VLAN Segmented Management
Instance interfaces.


IPFIX Configuration Using CLI


This section provides procedures to configure IPFIX using Command Line Interface (CLI).

Enabling IPFIX Globally


About This Task

Use the following procedure to enable IPFIX globally. IPFIX provides the ability to monitor IPv4 traffic
flows.

The default global state is disabled.

Procedure
1. Enter Global Configuration mode:
enable

configure terminal
2. Enable IPFIX:
ip ipfix enable

Examples
Enable IPFIX globally:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#ip ipfix enable

Disable IPFIX globally:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#no ip ipfix enable
By disabling IPFIX globally, all the processes and traffic sent to collector(s) will be stopped.Do you agree (y/n) ? y

Displaying IPFIX Global Status


About This Task

Use the following procedure to display global status information for IPFIX.

Procedure
1. To enter User EXEC mode, log on to the switch.
2. Display IPFIX global status:
show ip ipfix

Example
Switch:1#show ip ipfix


==========================================================================================
IPFIX Global
==========================================================================================
Global-State : enable
Observation-Domain ID : 1
Flow Limit : 20000
Flow Count : 0
Aging Interval : 40

Configure the IPFIX Aging Interval


About This Task

Use the following procedure to configure an aging interval for IPFIX. The aging interval determines how
long a traffic flow that is no longer being received is retained as a flow.

Procedure
Enter Global Configuration mode:
enable

configure terminal

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#ip ipfix aging-interval 30

Variable Definitions
The following table defines parameters for the ip ipfix aging-interval command.

Variable Value
<1-60> Specifies (in seconds) the flow record aging interval. The aging interval
determines how long a traffic flow that is no longer being received is retained
as a flow.
The default is 40 seconds.
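
A conceptual model of 5-tuple metering with an idle aging interval, added here as an illustration and not taken from the guide or from VOSS itself. It shows how the same conversation becomes one or two flow records depending on the interval; the class and function names, the strict "idle longer than the interval" comparison, and aging being evaluated on packet arrival are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    packets: int
    octets: int
    first_ms: int
    last_ms: int

class FlowCache:
    """Conceptual 5-tuple flow table with an idle aging interval (not VOSS code)."""

    def __init__(self, aging_interval_s=40):            # guide default: 40 seconds
        if not 1 <= aging_interval_s <= 60:
            raise ValueError("aging interval must be 1-60 seconds")
        self.aging_ms = aging_interval_s * 1000
        self.flows = {}

    def age(self, now_ms):
        """Remove and return flows idle for longer than the aging interval."""
        idle = [k for k, f in self.flows.items() if now_ms - f.last_ms > self.aging_ms]
        return [(k, self.flows.pop(k)) for k in idle]

    def observe(self, now_ms, src, dst, proto, sport, dport, octets):
        """Account one ingress packet and return any flows aged out before it."""
        expired = self.age(now_ms)
        if proto in (6, 17):                            # only TCP/UDP flows are learned
            key = (src, dst, proto, sport, dport)
            flow = self.flows.setdefault(key, Flow(0, 0, now_ms, now_ms))
            flow.packets += 1
            flow.octets += octets
            flow.last_ms = now_ms
        return expired

def replay(packets, aging_interval_s):
    """Feed (time_ms, 5-tuple, octets) packets through the cache; return every flow record."""
    cache, records = FlowCache(aging_interval_s), []
    for pkt in packets:
        records += cache.observe(*pkt)
    records += cache.age(float("inf"))                  # flush what is still active
    return records

# Constructed packets: one UDP 5-tuple seen at 0 s, 10 s and 55 s, plus one ICMP packet.
PEER = ("192.0.2.10", "198.51.100.7", 17, 40000, 53)
PACKETS = [(0, *PEER, 80), (10_000, *PEER, 80), (55_000, *PEER, 80),
           (55_500, "192.0.2.10", "198.51.100.7", 1, 0, 0, 64)]
```

With a 40-second interval the 45-second gap splits the conversation into two records, while a 60-second interval keeps it as one, which matters when correlating low-rate periodic traffic across flow records.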

Configuring the IPFIX Collector


About This Task

Use the following procedure to configure a collector for IPFIX. Use the ExtremeAnalytics™ solution as
the collector.

Procedure

1. Enter Global Configuration mode:


enable

configure terminal


2. Configure values for the collector ID, the IP address of the collector, and the IP address of the
exporter. Optionally, you can configure values for the source port sending flow information and the
destination port receiving flow information:
ip ipfix collector <1–1> {A.B.C.D} exporter-ip {A.B.C.D} [dest-port
<1-65535>] [src-port <1-65535>]

Note
You cannot configure collector or exporter IP addresses in the following formats:
• 255.255.255.255
• 127.x.x.x
• 0.x.x.x
• 224.0.0.0 to 239.255.255.255

If you configure a collector or exporter IP address in any of these formats, the following error
message is displayed:
Error: Invalid IP address

3. (Optional) Configure a value for the export interval:


ip ipfix collector 1 export-interval <1-120>
4. (Optional) Configure a value for the initial burst of template packets:
ip ipfix collector 1 initial-burst <1-10>

Example
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#ip ipfix collector 1 192.0.2.15 exporter-ip 192.0.2.16 dest-port 2 src-port 4
Switch:1(config)#ip ipfix collector 1 export-interval 40
S
