Revision 0810
BCNE in a Nutshell
The small form-factor pluggable (SFP) is a compact, hot-pluggable transceiver used for both
telecommunication and data communications applications.
It interfaces a network device motherboard (for a switch, router, media converter or similar
device) to a fiber optic or copper networking cable, and is a popular industry format.
SFP transceivers are designed to support SONET, Gigabit Ethernet, Fibre Channel and other
communications standards. The SFP+ variant of the specification supports data rates up to
10 Gbps (covering 8 Gbps Fibre Channel and 10 GbE). SFP+ keeps the same mechanical form
factor as a regular SFP; only the electrical interface and the supported rate differ.
The XFP (10 Gigabit Small Form Factor Pluggable) is a hot-swappable, protocol-independent
optical transceiver for 10 Gigabit Ethernet, 10 Gbps SONET/SDH, Fibre Channel and other
applications. SFP+ is smaller than XFP.
Jitter is the variation in the time delay of a periodic signal in electronics and
telecommunications, usually measured relative to a reference clock source.
Collisions: a rising collision rate (the number of collisions divided by the number of packets
output) does not necessarily indicate a problem; it may simply reflect a higher offered load on
the network, for example because another station was added to the segment. Excessive
collisions do indicate a problem. Common causes are a device configured as full-duplex
attached to a shared (half-duplex) Ethernet segment, broken NICs, or simply too many stations
on the shared medium. When the cause is a duplex mismatch, hard-coding the same speed and
duplex on both ends of the link resolves it; too many stations on a segment calls for
segmenting the network instead.
Coaxial cable, or coax, is an electrical cable with an inner conductor surrounded by a tubular
insulating layer typically of a flexible material with a high dielectric constant, all of which are
surrounded by a conductive layer called the shield (typically of fine woven wire for flexibility,
or of a thin metallic foil), and finally covered with a thin insulating layer on the outside.
Twisted pair cable consists of copper wires twisted around each other in pairs so that noise
induced from outside the cable cancels out on the circuit. There are two main types of twisted
pair cabling: Unshielded Twisted Pair (UTP) and Shielded Twisted Pair (STP).
UTP has four pairs of wires inside the jacket. Each pair is twisted with a different number of
twists per inch to help eliminate interference (crosstalk) from adjacent pairs.
STP uses a metal braid or foil sheathing to reduce interference and provides better EMI
(electromagnetic interference) protection than UTP. The only difference between STP and UTP
is that STP has a foil or wire braid wrapped around the individual pairs. The shielding is
designed to minimize EMI radiation and susceptibility to crosstalk.
Fiber optic cabling consists of a center glass core surrounded by several layers of protective
materials. It transmits light rather than electrical signals, so it neither radiates nor picks up
electromagnetic interference. It is the standard for connecting networks between buildings
because of its immunity to the effects of moisture and lightning. Single-mode fibers have a
small glass core (about 9 µm in diameter). They are used for high-speed data transmission
over long distances and are less susceptible to attenuation than multimode fibers. Multi-mode
fibers have larger cores (about 50 or 62.5 µm). The larger core is easier to couple to low-cost
light sources, but multimode fibers are best for shorter distances because of their higher
attenuation and modal dispersion.
The three broad categories of wireless media are: Radio, Microwave, and Infrared.
POE is a way to supply reliable, uninterrupted power to Internet Protocol (IP) telephones, WLAN
access points, network cameras and other Ethernet devices over the existing, commonly used
Category 5 cable infrastructure.
Power over Ethernet (POE) devices comply with the IEEE 802.3af standard for delivering inline
power over existing network cabling. POE eliminates the need for an electrical outlet and a
dedicated UPS near each IP-powered device. With power sourcing equipment in the wiring
closets, power is consolidated and centralized, which improves the reliability and resiliency
of the network: because the switch supplies power over the Ethernet cable, powered devices
stay up through a local power failure as long as the wiring closet itself is backed by a UPS.
802.3af also detects whether the attached device is a powered device before applying power;
on Brocade devices an error message is displayed if the attached device does not support POE.
The 802.3af standard supports POE on 10/100/1000 Mbps Ethernet ports operating over
standard Category 5 unshielded twisted pair cable or better. If your network uses cabling
categories lower than 5, you cannot implement POE without first upgrading your cables to
CAT 5 UTP or better.
Here is an example of enabling a port to receive in-line power on Brocade POE-capable devices:
FastIron(config)#interface e 1/1
FastIron(config-if-e1000-1/1)#inline power
After entering the above commands, the console will display the following message:
FastIron(config-if-e1000-1/1)#PoE Info: Power enabled on port 1/1.
Use the command show inline power to view the device type, class, and the POE operational
status for a device/module/interface. In addition you can use the show inline power detail
command to display in depth information about POE power supplies.
Digital Optical Monitoring uses the DOM capability in port transceivers to report operating
conditions such as temperature and power levels through the CLI and MIB. This feature
monitors the transceivers present in the system over a user configured time interval and
raises alarms if the operating values exceed the thresholds.
When this feature is enabled, the system monitors the temperature and signal power levels of
the optical transceivers in the specified ports. Console messages and syslog messages are
sent when optical operating conditions fall below or rise above the XFP or SFP manufacturer's
recommended thresholds.
You can configure your Brocade device to monitor optical transceivers in the system, either
globally or by specified ports.
To enable optical monitoring on all Brocade-qualified optics installed in the device, use the
command:
FastIron(config)#optical-monitor
To enable optical monitoring on a port or a range of ports, use the following command:
FastIron(config)#interface ethernet 1/1 to 1/2
FastIron(config-mif-e10000-1/1-1/2)#optical-monitor
Examples:
FastIron#show flash
Active Management Module (Slot 9):
Compressed Pri Code size = 3613675, Version 03.1.00aT3e3 (sxr03100a.bin)
Compressed Sec Code size = 2250218, Version 03.1.00aT3e1 (sxs03100a.bin)
Compressed BootROM Code size = 524288, Version 03.0.01T3e5
Code Flash Free Space = 9699328
Standby Management Module (Slot 10):
Compressed Pri Code size = 3613675, Version 03.1.00aT3e3 (sxr03100a.bin)
Compressed Sec Code size = 2250218, Version 03.1.00aT3e1 (sxs03100a.bin)
Compressed BootROM Code size = 524288, Version 03.0.01T3e5
Code Flash Free Space = 524288
FGS648P-STK Switch#show chassis
The stack unit 1 chassis info:
Power supply 1 (NA - AC - Regular) present, status ok
Power supply 2 not present
Fan 1 ok
Fan 2 ok
Exhaust Side Temperature Readings:
Current temperature : 35.5 deg-C
Warning level.......: 80.0 deg-C
Shutdown level......: 90.0 deg-C
Intake Side Temperature Readings:
Current temperature : 33.5 deg-C
Boot Prom MAC: 0012.f2de.9440
Management MAC: 0000.0000.0011
When STP begins, a selection process determines which redundant paths keep forwarding user
traffic and which are blocked. The switches exchange BPDUs to carry out this process.
A Root Bridge is elected: the switch with the lowest Bridge ID (bridge priority followed by
MAC address) becomes the Root Bridge. All Brocade switches have the default Bridge Priority
32768; when priorities are equal, the lowest MAC address wins. In the above example, Switch#1
is the Root Bridge because its Bridge Priority is the lowest; if, however, all three switches
have the same Bridge Priority, then Switch#3 is the Root Bridge because its MAC address is
the lowest.
After the election, each non-root switch determines the lowest-cost path to the Root Bridge.
The port with the best path to the Root Bridge is called the root port. The path cost is based
on bandwidth: the higher the bandwidth, the lower the cost. On each LAN segment that does not
lead to a root port, the switch advertising the lowest cost to the root provides the
Designated Port for that segment; any other port on that segment is blocked.
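The election and root-port rules above, as an added example (not code from the BCNE guide or from Brocade). The three switches, their MAC addresses and the link speeds are constructed for the example; the per-speed path costs are the 802.1D-1998 defaults and are assumed here, the guide lists none.

```python
"""Root Bridge election and root-port selection for a small STP topology.
Added example; switches, MACs, links and the 802.1D cost table are assumptions."""
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed (Mbps) -> path cost


def bridge_id(priority, mac):
    """Bridge ID compares priority first, then MAC; the lowest wins."""
    return (priority, mac.lower())


def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the switch with the lowest Bridge ID."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))


def root_paths(bridges, links):
    """links: [(switch_a, switch_b, speed_mbps)].
    Returns {switch: (root_path_cost, upstream_switch)}; the port facing
    upstream_switch is the root port.  Equal costs are broken by the lower
    Bridge ID of the upstream switch, as 802.1D does."""
    root = elect_root(bridges)
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    best = {root: (0, None)}
    heap = [(0, bridge_id(*bridges[root]), root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                                   # stale heap entry
        for nbr, c in adj.get(node, []):
            if nbr == root:
                continue
            cand = (cost + c, bridge_id(*bridges[node]))
            cur = best.get(nbr)
            if cur is None or cand < (cur[0], bridge_id(*bridges[cur[1]])):
                best[nbr] = (cand[0], node)
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    return best


# Constructed topology: Switch#1 has the lowest priority, Switch#3 the lowest MAC.
SWITCHES = {
    "Switch#1": (4096, "00e0.52aa.0003"),
    "Switch#2": (32768, "00e0.52aa.0002"),
    "Switch#3": (32768, "00e0.52aa.0001"),
}
LINKS = [("Switch#1", "Switch#2", 1000),
         ("Switch#2", "Switch#3", 1000),
         ("Switch#1", "Switch#3", 100)]

if __name__ == "__main__":
    print("root:", elect_root(SWITCHES))
    for sw, (cost, up) in sorted(root_paths(SWITCHES, LINKS).items()):
        print(f"{sw}: root path cost {cost}, root port towards {up}")
```

With the priorities as constructed, Switch#1 is root and Switch#3 reaches it through Switch#2 (cost 8) rather than over the direct 100 Mbps link (cost 19). The same election is what an attacker exploits by injecting BPDUs with a lower Bridge ID from an access port; that is why edge ports facing untrusted hosts should have BPDU guard or root guard enabled.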
Brocade Layer 2 and Layer 3 Switches support PVST (Per-VLAN Spanning Tree). PVST is enabled
within each VLAN by default on Brocade Layer 2 switches, and each PVST instance has its own
Root Bridge.
If the Brocade device is running switch code, all configured VLANs have Spanning Tree enabled
by default; if the device is running router code, all configured VLANs have Spanning Tree
disabled by default. You can enable or disable STP in each VLAN separately, and you can also
enable or disable STP on individual ports.
PVST allows a VLAN trunk to be forwarding for some VLANs while blocking for others. Since
PVST treats each VLAN as a separate network, it can load balance traffic at Layer 2 by
forwarding some VLANs on one trunk and other VLANs on another trunk without causing a
Spanning Tree loop.
Fast Port Span allows faster convergence on ports that are attached to end stations and
therefore cannot cause Layer 2 forwarding loops. Its purpose is to remedy the latency of
802.1D convergence at the network edge, where a single-homed end node has no second path
through which a loop could form.
Fast Port Span allows such ports to enter the forwarding state in 4 seconds. Because end
stations cannot cause forwarding loops, their ports can safely move through the STP states
more quickly than standard STP allows. Fast Port Span also reduces the number of STP topology
changes in the network and eliminates the unnecessary MAC cache aging that topology change
notifications would otherwise cause. Fast Port Span is on by default.
Fast Port Span is automatically disabled on a port if any of the following conditions occur:
The port is an 802.1q tagged port
The port is a member of a trunk group
More than one MAC address is detected on the port (indicating a downstream hub or switch)
STP BPDUs have been detected on the port
The configuration example in the slide shows that Topology Group 2 is created including:
Master VLAN 2
Member VLANs 3 and 4
All VLANs belonging to this Topology Group share one single Spanning Tree instance, hence
reducing the processing and memory overhead caused by Spanning Tree.
Cut-through switching means that the switch reads only the destination MAC address, which
occupies the first 6 bytes of the frame following the preamble. The switch looks up the
destination MAC address in its forwarding table, determines the outgoing interface, and
forwards the frame through that port while the rest of the frame is still arriving. There is
no error checking with this method, so the switch does not detect illegal frames such as
runt frames or frames with a bad FCS; those are forwarded and left for the receiver to drop.
Brocade switches (such as the TurboIron 24X Series) can operate in cut-through mode.
Store-and-forward switching means that the switch copies each complete frame into its memory
buffers and verifies the cyclic redundancy check (CRC) before forwarding. The CRC is the
32-bit frame check sequence (FCS) the sender appends to every frame, computed by polynomial
division over the bits of the frame; the switch recomputes it over the received frame and
compares the result with the transmitted FCS. If a CRC error is found, the frame is
discarded. If the frame is error free, the switch forwards it out the appropriate interface
port.
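The difference between the two modes, as an added example (not code from the guide or from Brocade). The Ethernet FCS is CRC-32 over destination MAC, source MAC, EtherType and payload, transmitted least-significant byte first; Python's zlib.crc32 implements that same polynomial. The MAC addresses, forwarding table and payload are constructed for the example.

```python
"""Cut-through versus store-and-forward on a good frame, a bit-flipped frame
and a runt.  Added example; frames and forwarding table are constructed."""
import struct
import zlib

MIN_FRAME = 64          # bytes including FCS; anything shorter is a runt


def mac(dotted):
    """'0004.8038.2f24' (Brocade notation) -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def fcs(body):
    """Ethernet frame check sequence for body = dst | src | type | payload."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def fcs_ok(frame):
    """Recompute the CRC over everything but the last 4 bytes and compare."""
    return fcs(frame[:-4]) == frame[-4:]


def cut_through(frame, fib):
    """Decides on the first 6 bytes only; the rest of the frame has not even arrived."""
    return fib.get(frame[:6], "flood")


def store_and_forward(frame, fib):
    """Buffers the whole frame, checks length and FCS, then looks up the destination."""
    if len(frame) < MIN_FRAME:
        return "drop:runt"
    if not fcs_ok(frame):
        return "drop:crc"
    return fib.get(frame[:6], "flood")


# Constructed sample: a minimum-size frame towards a MAC the forwarding table knows.
DST, SRC = mac("0004.8038.2f24"), mac("000d.cd80.00d0")
FIB = {DST: "e 1/1"}
GOOD = build_frame(DST, SRC, 0x0800, bytes(46))          # 14 + 46 + 4 = 64 bytes
BAD = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]   # one payload bit flipped in flight
RUNT = build_frame(DST, SRC, 0x0800, bytes(10))          # valid FCS, but only 28 bytes

if __name__ == "__main__":
    for name, frame in ("good", GOOD), ("bit-flipped", BAD), ("runt", RUNT):
        print(f"{name:12} cut-through: {cut_through(frame, FIB):6} "
              f"store-and-forward: {store_and_forward(frame, FIB)}")
```

The cut-through switch forwards both the corrupted frame and the runt onto the uplink, so a faulty NIC or cable on one access port spends bandwidth on every segment downstream; the store-and-forward switch drops them at the first hop. Note that the FCS detects accidental corruption only: it is not a keyed check, so anyone who can inject frames can produce a valid FCS.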
Using the CLI, you may use the show mac-address command to display the MAC table on a
switch.
You may also remove learned MAC address entries from the MAC address table. The types of
entries that can be removed are:
All MAC address entries
All MAC address entries for a specified Ethernet port
All MAC address entries for a specified VLAN
A specified MAC address in all VLANs
For example, to remove the entries for the MAC address 0004.8038.2f24 in all VLANs, enter the
following command at the Privileged EXEC level of the CLI:
FastIron#clear mac-address 0004.8038.2f24
Syntax: clear mac-address <mac-address> | ethernet <port-num> | vlan <vlan-num>
If you enter clear mac-address without any parameter, the software removes all MAC address
entries.
A Virtual Local Area Network (VLAN) is a logical subgroup within a LAN: a logical group
combining user stations and network devices regardless of the physical LAN segment they are
attached to. VLANs allow traffic to flow more efficiently within populations of mutual
interest.
VLANs are created through software configuration, rather than manually moving cables in
the wiring closet. VLANs reduce the time it takes to implement moves, additions, and
changes.
There are multiple types of VLANs, out of which the two main types are:
Layer 2 port-based VLAN:
A set of physical ports on a Brocade device that constitutes a Layer 2 broadcast
domain.
Layer 2 traffic is bridged within a port-based VLAN
Layer 2 broadcasts are sent to all the ports within the VLAN.
By default, all Brocade switch ports are members of VLAN 1.
Layer 3 protocol-based VLAN:
A subset of ports within a port-based VLAN that share a common broadcast domain for
Layer 3 broadcasts of the specified protocol type.
It requires that all members be in the same port-based VLAN. You can configure
protocol-based VLANs (IP, IPv6, IPX, AppleTalk, DECnet, NetBIOS, etc.) within a port-based VLAN.
A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but
also provides additional control over flooding frames on a VLAN.
By default, a private VLAN does not forward broadcast or unknown unicast frames from
outside sources into the private VLAN.
Private VLANs can be used to secure communication between a workstation and servers.
The figure in the slides shows an example which uses a private VLAN to secure traffic
between hosts and the rest of the network through a firewall. Five ports in this example are
members of a private VLAN. The first port (port 3/2) is attached to a firewall. The next four
ports (ports 3/5, 3/6, 3/9, and 3/10) are attached to hosts that rely on the firewall to
secure traffic between the hosts and the rest of the network. In this example, two of the
hosts (on ports 3/5 and 3/6) are in a community private VLAN, and thus can communicate
with one another as well as through the firewall. The other two hosts (on ports 3/9 and
3/10), are in an isolated VLAN and thus can communicate only through the firewall. The two
hosts are secured from communicating with one another even though they are in the same
VLAN.
A private VLAN secures traffic between a primary port and host ports. Traffic between the
hosts and the rest of the network must travel through the primary port.
There are various types of private VLANs:
Primary VLAN: Primary private VLAN ports are promiscuous. They can communicate with
all the isolated private VLAN ports and community private VLAN ports in the isolated and
community VLANs that are mapped to the promiscuous port. Each private VLAN must have
a primary VLAN. The primary VLAN is the interface between the secured ports and the rest
of the network. The private VLAN can have any combination of community and isolated
VLANs.
Isolated VLAN: Broadcasts and unknown unicasts received on isolated ports are sent only
to the primary port. They are not flooded to other ports in the isolated VLAN.
Community VLAN: Broadcasts and unknown unicasts received on community ports are
sent to the primary port and also are flooded to the other ports in the community VLAN.
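The forwarding rules of the three private VLAN types, applied to the firewall example above, as an added example (not code from the guide or from Brocade). The port roles follow the slide (3/2 primary facing the firewall, 3/5 and 3/6 in a community VLAN, 3/9 and 3/10 isolated); the community name "c1" is an assumption.

```python
"""Which port pairs a private VLAN lets talk to each other.
Added example; port roles follow the guide's figure, the community name is assumed."""

PORTS = {
    "3/2":  ("primary", None),        # promiscuous port, attached to the firewall
    "3/5":  ("community", "c1"),
    "3/6":  ("community", "c1"),
    "3/9":  ("isolated", None),
    "3/10": ("isolated", None),
}


def may_forward(src, dst, ports=PORTS):
    """True if a frame received on port src may be delivered out port dst."""
    if src == dst:
        return False
    s_role, s_group = ports[src]
    d_role, d_group = ports[dst]
    if s_role == "primary" or d_role == "primary":
        return True             # the promiscuous port talks to every secondary port
    if s_role == "community" and d_role == "community" and s_group == d_group:
        return True             # same community: members reach each other directly
    return False                # isolated ports, and different communities, never meet


def flood_targets(src, ports=PORTS):
    """Ports that receive a broadcast or unknown unicast that arrived on src."""
    return {p for p in ports if may_forward(src, p, ports)}


def connectivity_matrix(ports=PORTS):
    """All allowed (src, dst) pairs; useful when reviewing an isolation design."""
    return sorted((s, d) for s in ports for d in ports if may_forward(s, d, ports))


if __name__ == "__main__":
    for port in PORTS:
        print(f"{port:5} floods to {sorted(flood_targets(port))}")
```

A broadcast from an isolated port reaches only the firewall; a broadcast from 3/5 reaches the firewall and 3/6. The isolation is enforced at Layer 2 on this switch only: the hosts are still in one IP subnet, so if the firewall on the promiscuous port is willing to route a packet back out the interface it arrived on, a host on 3/9 can reach 3/10 through the firewall. The firewall policy must deny that explicitly for the design to hold.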
VLAN tagging is needed when a single physical link between two switches must carry traffic
for multiple VLANs.
A port can belong to only one port-based VLAN, unless you apply 802.1q tagging to the port.
802.1q tagging allows the port to add a four-byte tag field, which contains the VLAN ID, to
each frame sent on the port.
A switch port can be either untagged or tagged. However, configuring a tagged port as a
dual-mode port allows it to accept and transmit both tagged and untagged frames.
In the above slide, port e6 is running in dual mode. Port e6 has tagged membership in VLAN
20 and untagged membership in VLAN 10. The network includes an IP phone that typically has a
two-port switch built into it: one port on the phone handles 802.1q-tagged traffic (the
phone's own VLAN) and the other carries the attached PC's untagged traffic. Thus, frames from
both the PC and the phone travel between the phone and the switch over the single link.
Here is how to configure the dual-mode port:
BigIron(config)# vlan 10
BigIron(config-vlan-10)# tagged e 6
BigIron(config-vlan-10)# untagged e 34
BigIron(config)# vlan 20
BigIron(config-vlan-20)# tagged e 6
BigIron(config-vlan-20)# tagged e 49
BigIron(config)# interface e 6
BigIron(config-if-e100-6)# dual-mode 10
Routing between VLANs is accomplished by defining a virtual router interface, and assigning
an IP address to the virtual interface. Hosts within the subnet set their default gateway to
the IP address that has been assigned to the virtual interface.
Based on the diagram shown in the slide, here is how to configure inter-VLAN routing:
FastIron(config)# vlan 22
FastIron(config-vlan-22)# untagged ethernet 1 to 16
FastIron(config-vlan-22)# router-interface ve 1
FastIron(config)# interface ve1
FastIron(config-vif-1)# ip address 192.123.22.1/24
FastIron(config)# vlan 44
FastIron(config-vlan-44)# untagged ethernet 33 to 48
FastIron(config-vlan-44)# router-interface ve 2
FastIron(config)# interface ve2
FastIron(config-vif-2)# ip address 192.123.44.1 255.255.255.0
MRP (Metro Ring Protocol) is a Brocade proprietary protocol that prevents Layer 2 loops and
provides fast re-convergence in Layer 2 ring topologies. It is an alternative to STP and is
especially useful in Metropolitan Area Networks (MANs) where using STP has the following
drawbacks:
STP assumes a maximum network diameter of seven bridges. Metro rings can easily contain more
nodes than this.
STP has a slow re-convergence time, taking many seconds or even minutes. MRP can
detect and heal a break in the ring in sub-second time.
The ring in this example consists of four MRP nodes (Brocade switches). Each node has two
interfaces with the ring. Each node also is connected to a separate customer network. The
nodes forward Layer 2 traffic to and from the customer networks through the ring. The ring
interfaces are all in one port-based VLAN. Each customer interface can be in the same VLAN
as the ring or in a separate VLAN.
One node is configured as the master node of the MRP ring. One of the two ring interfaces on
the master node is configured as the primary interface; the other is the secondary interface.
The primary interface originates Ring Health Packets (RHPs), which are used to monitor the
health of the ring. An RHP is forwarded around the ring from node to node until it reaches the
secondary interface of the master node. The secondary interface blocks the packet to prevent
a Layer 2 loop.
Uni-Directional Link Detection (UDLD) monitors a link between two Brocade devices and brings
the ports on both ends of the link down if the link fails at any point between the two devices.
Normally, a Brocade device load balances traffic across the ports in a trunk group. In the
above example, each Brocade device load balances traffic across two ports. Without UDLD, a
failure on a link segment that is not directly attached to one of the Brocade devices (for
example, on the far side of an intermediate device) goes undetected, and the Brocade devices
continue to send traffic on the ports connected to the failed link. With UDLD enabled on the
trunk ports of each Brocade device, the devices detect the failed link, disable the ports
connected to it, and use the remaining ports in the trunk group to forward the traffic. Note
that UDLD is not limited to trunks; it works on any type of physical link.
Ports enabled for UDLD exchange proprietary health-check packets once every second (the
keepalive interval). If a port does not receive a health-check packet from the port at the
other end of the link within the keepalive interval, it waits for two more intervals. If it
still has not received a health-check packet after three intervals, the port concludes that
the link has failed and takes itself down.
To check port states, use the show link-keepalive or show interface brief command. In the
output below, port 4/4 is physically up but its logical link is down: UDLD has stopped
receiving health-check packets on it and has disabled the port.
FastIron#show link-keepalive
Total link-keepalive enabled ports: 4
Keepalive Retries: 3 Keepalive Interval: 1 Sec.
Port  Physical Link  Logical Link  State       Link-vlan
4/1   up             up            FORWARDING  3
4/2   up             up            FORWARDING
4/3   down           down          DISABLED
4/4   up             down          DISABLED
FastIron#show interfaces brief
Port Link State Dupl Speed Trunk Tag Priori MAC Name
1/1 Up LK-DISABLE None None None No level0 00e0.52a9.bb00
1/2 Down None None None None No level0 00e0.52a9.bb01
1/3 Down None None None None No level0 00e0.52a9.bb02
1/4 Down None None None None No level0 00e0.52a9.bb03
Link Aggregation Control Protocol (LACP) is a mechanism for allowing ports on both sides of
a redundant link to form a trunk link (aggregate link), without the need for manual
configuration of the ports into trunk groups.
As illustrated in the diagram, on Switch 1, because each four-port group has a different key,
ports 1 to 4 and 5 to 8 will not be in the same link aggregation group; neither will ports 1 to
4 and ports 5 to 8 on Switch 2.
Note that in conformance with the 802.3ad specification, the default key assigned to an
aggregate link is based on the port type (1-Gigabit port or 10-Gigabit port). The Brocade
device assigns different keys to 10-Gigabit ports than 1-Gigabit ports, so that ports with
different physical capabilities will not be able to form a trunk.
An active port initiates LACP by sending LACPDUs and also receives them; a passive port does
not initiate but responds to LACPDUs from an active partner, so two passive ports never form
an aggregate.
The commands in this example assign the key 10000 and enable the active mode of link
aggregation on ports 1/1 and 1/2. The ports can send and receive LACPDU messages. If no key
has been explicitly configured, the ports use the default key.
Transparent bridges keep a Layer 2 bridge table to track the MAC addresses available out
each port.
ARP stands for Address Resolution Protocol. It is used to associate a Layer 3 (Network layer)
address (such as an IP address) with a Layer 2 (Data Link layer) address (MAC address).
ARP is used to resolve MAC addresses for hosts on the local subnet; for remote
destinations, the source host sends out ARP requests asking for the MAC address of the
default gateway.
2. If a node matches the requested IP, it sends back its MAC address.
3. The other nodes quietly discard the ARP request.
This slide details how a packet is sent (routed) from Host A to Host B on another subnet:
1. Host A first decides whether the destination is local. It applies its own subnet mask to
its own IP address to obtain its network address, applies the same mask to the destination IP
address, and compares the results. If they match, Host B is local and on the same subnet;
otherwise the packets must be forwarded to the default gateway to reach the remote host. In
this example, Host B's Network ID of 192.168.3.0 differs from Host A's Network ID of
192.168.1.0, so the packets need to be routed to Host B.
2. Host A checks its own local route table for its default gateway (this is the general
behavior unless a more specific route has been defined). The default gateway IP is the IP of
the routing interface for that subnet; in this example it is 192.168.1.1, the IP of Router 1
interface E1. Since this is an Ethernet LAN, Host A must encapsulate the packet in a frame
addressed to routing interface E1, and to do so it needs the MAC address of that interface.
If the MAC address is not in its local ARP cache, Host A must send an ARP broadcast before
it can send the encapsulated frames to the routing interface (E1 on Router 1).
3. In this example, the default gateway's MAC address is not in Host A's cache. Host A sends
a local ARP broadcast request attempting to resolve the gateway IP address to a physical MAC
address.
4. Router 1 responds with a unicast ARP reply to Host A carrying its MAC address, 22.
5. Host A creates an Ethernet frame with its own MAC 11 as the source and a destination MAC
address of 22. Notice that the destination IP address still remains 192.168.3.20; the frame
can now be sent on the wire.
6. When interface E1 on R1 receives the Ethernet frame, it compares the destination MAC
address of the frame with its own to determine whether it is the recipient. In this case R1
interface E1 is Host A's default gateway and therefore the intended recipient. R1 checks the
frame's Type field and finds 0x800, which indicates that the data portion of the Ethernet
frame carries an IP packet. R1 then decapsulates the Ethernet frame to examine the
destination IP address of the packet.
7. The router consults its routing table to determine what to do with the packet. In general
terms, it looks for network routes in its table that include the destination IP address as a
host address on that network. Note: if there are several viable routes to the destination
network, it chooses the route with the longest subnet mask match. How routing tables become
populated and an in-depth look at how they are evaluated are beyond the scope of this
example and class. Looking at its routing table, R1 finds that 192.168.3.0 is the
destination network for these packets, with a next hop IP of 192.168.2.2; that is the next
stop for the packets on their way to the 192.168.3.0 network, reachable through local
interface E2.
8. For R1 to encapsulate the packet in a new frame it needs the MAC address of the
192.168.2.2 interface. It checks its local ARP cache and, if the MAC address is not found,
sends an ARP broadcast to request it. In this case the entry is already present, so
encapsulation can continue. Notice that the source and destination IP addresses stay the
same but the source MAC becomes 33 and the destination MAC becomes 44. Note also that R1
decrements the Time to Live field in the IP header by 1 (and recomputes the IP header
checksum accordingly). Now the packet is sent on the wire.
9. When interface E1 on R2 receives the Ethernet frame, it compares the destination MAC
address of the frame with its own to determine whether it is the recipient. In this case R2
interface E1 is R1's next hop and therefore the intended recipient. R2 checks the frame's
Type field and finds 0x800, which indicates that the data portion of the Ethernet frame
carries an IP packet. R2 then decapsulates the Ethernet frame to examine the destination IP
address of the packet.
10. R2 consults its routing table to determine what to do with the packet. It finds that the
network address 192.168.3.0 is the destination network for these packets and that it is a
directly connected route in its table, reachable through interface E2.
11. For R2 to encapsulate the packet in a new frame it needs the MAC address of the final
destination, Host B with IP 192.168.3.20. It checks its local ARP cache and, if the MAC
address is not found, sends an ARP broadcast to resolve the IP address to a physical MAC
address. In this case the entry is already present, so encapsulation can continue. Notice
that the source MAC is now 55 and the destination MAC becomes 66. R2 also decrements the TTL
by 1 before sending the frame(s) on the wire.
12. When Host B receives the frame, it recognizes its own MAC address. It then decapsulates
the frame and sees that it is the intended host, with IP 192.168.3.20.
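The twelve steps above as a small simulation, added here as an example (not code from the guide or from Brocade). The addresses and MACs that the slide gives are used as-is (Host B 192.168.3.20, gateway 192.168.1.1, next hop 192.168.2.2, MACs 11 to 66); Host A's address 192.168.1.10 and the router addresses 192.168.2.1 and 192.168.3.1 are assumptions. The routers start with the ARP entries the text says are already cached; Host A starts with an empty cache, so it has to ARP for its gateway.

```python
"""Host A -> R1 -> R2 -> Host B: subnet check, route lookup, ARP and per-hop
MAC rewriting with TTL decrement.  Added example; some addresses are assumed."""
import ipaddress


class Node:
    def __init__(self, name, ifaces, routes=(), arp=None):
        # ifaces: {ifname: ("ip/prefix", mac)}; routes: [("prefix", next_hop, ifname)]
        self.name = name
        self.ifaces = {n: (ipaddress.ip_interface(ip), m) for n, (ip, m) in ifaces.items()}
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh), i)
                       for p, nh, i in routes]
        self.arp = dict(arp or {})            # ip -> mac, as strings

    def next_hop(self, dst):
        """Steps 1, 7, 10: directly connected subnet wins, else longest-prefix match."""
        for ifname, (addr, _) in self.ifaces.items():
            if dst in addr.network:
                return ifname, dst            # local: frame goes straight to the host
        best = None
        for net, nh, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifname)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[2], best[1]

    def resolve(self, ip, wire, trace):
        """Steps 2, 8, 11: ARP cache first, else broadcast; the owner replies with its MAC."""
        key = str(ip)
        if key not in self.arp:
            trace.append(("arp", self.name, key))
            self.arp[key] = wire[key][1]
        return self.arp[key]


def build_nodes():
    """Fresh topology each call so ARP caches start as the text describes."""
    return {n.name: n for n in [
        Node("HostA", {"eth0": ("192.168.1.10/24", "11")},
             [("0.0.0.0/0", "192.168.1.1", "eth0")]),
        Node("R1", {"E1": ("192.168.1.1/24", "22"), "E2": ("192.168.2.1/24", "33")},
             [("192.168.3.0/24", "192.168.2.2", "E2")], arp={"192.168.2.2": "44"}),
        Node("R2", {"E1": ("192.168.2.2/24", "44"), "E2": ("192.168.3.1/24", "55")},
             arp={"192.168.3.20": "66"}),
        Node("HostB", {"eth0": ("192.168.3.20/24", "66")},
             [("0.0.0.0/0", "192.168.3.1", "eth0")]),
    ]}


def deliver(nodes, src, dst_ip, ttl=64):
    """Returns the trace: ("arp", node, ip) and ("frame", sender, src_mac, dst_mac, ttl)."""
    wire = {str(a.ip): (n.name, m) for n in nodes.values() for a, m in n.ifaces.values()}
    dst = ipaddress.ip_address(dst_ip)
    node, trace = nodes[src], []
    while True:
        ifname, nh = node.next_hop(dst)
        src_mac = node.ifaces[ifname][1]
        dst_mac = node.resolve(nh, wire, trace)   # IP header unchanged, MACs rewritten per hop
        trace.append(("frame", node.name, src_mac, dst_mac, ttl))
        if nh == dst:
            return trace                          # step 12: the destination host decapsulates
        node = nodes[wire[str(nh)][0]]
        ttl -= 1                                  # each router decrements TTL
        if ttl == 0:
            raise RuntimeError("TTL exceeded in transit")


if __name__ == "__main__":
    for event in deliver(build_nodes(), "HostA", "192.168.3.20"):
        print(event)
```

The trace shows the one ARP broadcast from Host A followed by three frames whose MAC pair changes at every hop while the IP addresses do not. The ARP step is where the design is weakest: nothing in the exchange proves that the station answering "who-has 192.168.1.1" is Router 1, which is the basis of ARP spoofing on the local segment.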
Routing is needed when a router needs to reach a remote network which is not directly
connected to itself.
There are two types of routing: Static and Dynamic. This slide illustrates how static and
default routes are configured for the routers to reach their remote networks.
VRRPE (Virtual Router Redundancy Protocol - Extended) is Brocade's enhanced version of the
standard VRRP (a Layer 3 protocol).
In VRRPE all routers are Backups for a given VRID; the router with the highest priority
becomes Master. Multiple VRIDs may be configured on each router interface.
VRRPE uses UDP to send Hello messages (keepalives) as IP multicast messages.
If the Backup routers stop receiving Hellos, they assume the Master has failed. The router
with the next highest priority takes over and becomes the new Master.
Configuration rules for VRRPE:
All routers participating in the same VRID group must be configured with the same Virtual IP
address. Multiple VRIDs may be configured per router interface.
VRRPE supports more than one tracked port.
The virtual IP address stays reachable (for example by ping) even when the previous Master
router is down.
Ports may be tracked. If a tracked interface's link goes down, the priority of the VRRPE
interface is reduced by that tracked interface's track priority; when several ports are
tracked, each one that is down subtracts its own track priority. For example, if the VRRPE
interface's priority is 110 and a tracked interface with track priority 20 goes down, the
software changes the VRRPE interface's priority to 90. If two such tracked interfaces go
down, the priority becomes 70.
To prevent an immediate transition from backup back to the re-instated master when it comes
up again, enable the slow start timer.
Virtual Switch Redundancy Protocol (VSRP) is a Brocade proprietary protocol that provides
redundancy and sub-second failover in Layer 2 and Layer 3 mesh topologies. Based on VRRPE,
VSRP provides one or more backups for a Layer 2 switch or Layer 3 switch. If the active
switch becomes unavailable, one of the backups takes over as the active device and continues
forwarding traffic for the network.
In this example, Router_A and Router_B use VRRPE to load share as well as provide
redundancy to the hosts. The load sharing is accomplished by creating two VRRPE groups.
Each group has its own Virtual IP address. Half of the hosts point to VRID 1's virtual IP
address as their default gateway and the other half point to VRID 2's virtual IP address as
their default gateway. This sends some of the outbound Internet traffic through Router_A and
the rest through Router_B.
Router_A is the master for VRID 1 (backup priority = 110) and Router_B is the backup for
VRID 1 (backup priority = 100). Router_A and Router_B both track their uplinks to the
Internet. If an uplink failure occurs on Router_A, its backup priority is decremented by 20
(track priority = 20), so that all traffic destined to the Internet is sent through Router_B
instead. Similarly, Router_B is the master for VRID 2 (backup priority = 110) and Router_A is
the backup for VRID 2 (backup priority = 100). If an uplink failure occurs on Router_B, its
backup priority is decremented by 20 (track priority = 20), so that all traffic destined to
the Internet is sent through Router_A instead.
VLSM (Variable Length Subnet Masking) is a classless addressing scheme allowing for
allocation on arbitrary-length prefixes (partition between network and host ID).
CIDR (Classless Inter-Domain Routing, classically known as supernetting) is a classless
addressing scheme, where the prefix length determines the partition between the Network
and Host ID (as opposed to the classful addressing scheme using first 5 high-order bits of
the first octet).
A real motivation behind CIDR implementations was allocating IP address space more
efficiently instead of handing out full classful addresses (A or B) to organizations that were
not fully utilizing them. CIDR also leverages Variable Length Subnet Masks (VLSM) and
provides the ability to allocate address space based on the organizational needs of a
customer. For example, if a network administrator needs 300 IP
addresses, they would typically need either a small portion of a class B network (and
thereby waste much of that address space) or 2 class C networks (remember, 254 hosts are
possible in a standard class C network). There is no middle ground with the structured
classful addressing scheme. CIDR provides a mechanism for aggregating multiple smaller
networks into a single larger network, as in combining 2 Class C networks to provide 512
host addresses.
CIDR provides the mechanism to combine multiple networks into groups or blocks, which
the router, in turn, treats as one big network (route summarization or route aggregation). For
instance, instead of having to store 10 Class C network addresses (or any number of
smaller classful networks), the router can store a single CIDR-based network address.
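The VLSM and CIDR calculations described above, worked through in code. This is an added example using Python's standard ipaddress module; it is not part of the course material. It carves a block into variable-length subnets for the "300 hosts" style of request, and aggregates contiguous class C networks into one CIDR prefix. The example goes slightly beyond the text by showing that aggregation only yields a single prefix when the networks are contiguous and aligned on a power-of-two boundary: ten /24s that start on an /21 boundary still summarize into two prefixes.

```python
import ipaddress
from typing import Dict, List


def subnet_summary(cidr: str) -> Dict[str, object]:
    """Describe one prefix: network, mask, broadcast and usable host count."""
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no network/broadcast pair to subtract
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def smallest_prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest block) that still leaves `hosts` usable addresses."""
    for prefixlen in range(30, -1, -1):
        if 2 ** (32 - prefixlen) - 2 >= hosts:
            return prefixlen
    raise ValueError("more hosts than a single IPv4 prefix can hold")


def summarize(routes: List[str]) -> List[str]:
    """Route aggregation: collapse contiguous, aligned prefixes into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(r) for r in routes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def vlsm_allocate(block: str, demands: List[int]) -> List[str]:
    """Carve `block` into variable-length subnets, largest demand first, wasting as little as possible."""
    pool = [ipaddress.ip_network(block)]
    allocations = []
    for need in sorted(demands, reverse=True):
        want = smallest_prefix_for_hosts(need)
        # smallest free block that can still hold the request
        candidates = sorted((n for n in pool if n.prefixlen <= want),
                            key=lambda n: (-n.prefixlen, n.network_address))
        if not candidates:
            raise ValueError(f"no room left for {need} hosts")
        chosen = candidates[0]
        pool.remove(chosen)
        pieces = list(chosen.subnets(new_prefix=want))
        allocations.append(str(pieces[0]))
        # return the unused pieces; collapse re-merges adjacent fragments
        pool = list(ipaddress.collapse_addresses(pool + pieces[1:]))
    return allocations
```

With a /22 and demands of 300, 100 and 50 hosts, `vlsm_allocate` hands out a /23, a /25 and a /26 instead of three class C networks, which is the "middle ground" the text says classful addressing lacks.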
More detailed information on how to do subnet calculation may be found in the ETH 101
training course material.
A routed protocol can be routed by a router, which means that it can be sent from one router
to another. This type of protocol contains the data elements required for a packet to be sent
outside of its host network or network segment. Such a protocol requires an
addressing scheme. Based on the addressing scheme, you will be able to identify the
network to which a host belongs, in addition to identifying that host on that network. All
hosts on an internetwork (routers, servers, and workstations) can utilize the services of a
routed protocol. Examples of routed protocols are IP, IPX, and AppleTalk.
A routing protocol, on the other hand, is only used between routers. Its purpose is to help
routers build and maintain routing tables. Examples of routing protocols are RIP, OSPF, IS-IS, and BGP.
The routing table is the table based on which the router makes a routing decision. The
example in the slide shows, as indicated in the Type column, the first route is a static route;
the second is a directly attached network; the third route is learned from the OSPF routing
protocol.
The Router ID is a property global to the router (NOT specific to any routing protocol such as
OSPF or BGP).
1. A manually configured Router ID takes precedence over every other method of choosing the
Router ID. It is recommended that you configure one on Brocade switches.
2. If there is no manually assigned Router ID but there are loopback interfaces, the
default Router ID is the IP address configured on the lowest numbered loopback
interface. For example, if loopback 1 and loopback 2 interfaces are configured on a
router, the IP address of loopback 1 is used as the Router ID.
3. If there is no loopback interface configured, then the default Router ID is the lowest
numbered IP interface address configured on the device.
Routers can learn about networks from various protocols. To select one route over another
based on the source of the route information, the router can use the Administrative
Distances assigned to the sources.
The Administrative Distance is used by routers to compare routes from different sources.
When selecting a route from among different sources (BGP4, OSPF, RIP, static routes, and
so on), the software compares the routes on the basis of each route's administrative
distance. The lower the Administrative Distance, the more preferred the route is. For
example, if the router receives routes for the same network from OSPF and from RIP, the
router will prefer the OSPF route by default.
Administrative distance values may be modified (except for that of directly connected
routes). The distance you specify influences the choice of routes when the router has
multiple routes for the same network from different protocols. The router prefers the route
with the lower administrative distance. For example, to change the default administrative
distances for EBGP, IBGP, and Local BGP, enter a command such as the following:
FastIron(config)#router bgp
FastIron(config-bgp-router)#distance 180 160 40
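To make the two selection steps concrete, here is an added example (written for this page in Python, not Brocade code) that models a router's route selection. Administrative distance decides which source's copy of a prefix is installed; the forwarding lookup then uses longest-prefix match among installed routes, so a more specific RIP route still beats a less specific OSPF route. The default distance values in `DEFAULT_DISTANCE` are assumed typical defaults, not values from the slide; the `distance` dictionary plays the role of the `distance` CLI command shown above (the "Local BGP" value from that command is not modelled).

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Assumed default administrative distances (common defaults; verify against your platform).
DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "rip": 120, "ibgp": 200}


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    source: str
    next_hop: str


class RoutingTable:
    """Models how a router picks routes: AD decides which source's copy of a prefix is
    installed; longest-prefix match decides which installed prefix a packet follows."""

    def __init__(self, distance: Optional[Dict[str, int]] = None):
        self.distance = dict(DEFAULT_DISTANCE)
        if distance:
            self.distance.update(distance)   # same effect as the "distance" CLI command
        self.candidates: Dict[ipaddress.IPv4Network, List[Route]] = {}

    def offer(self, prefix: str, source: str, next_hop: str) -> None:
        """A routing source (protocol or static configuration) offers a route."""
        net = ipaddress.ip_network(prefix)
        self.candidates.setdefault(net, []).append(Route(net, source, next_hop))

    def installed(self) -> Dict[ipaddress.IPv4Network, Route]:
        """Per prefix, only the candidate with the lowest administrative distance is installed."""
        return {net: min(routes, key=lambda r: self.distance[r.source])
                for net, routes in self.candidates.items()}

    def lookup(self, dest: str) -> Optional[Route]:
        """Forwarding decision: longest-prefix match among installed routes."""
        addr = ipaddress.ip_address(dest)
        best = None
        for net, route in self.installed().items():
            if addr in net and (best is None or net.prefixlen > best.prefix.prefixlen):
                best = route
        return best
```

Raising the EBGP distance to 180, as the command above does, makes an OSPF route to the same prefix win over the EBGP route, which the second test case below exercises.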
An OSPF AS can be divided into multiple areas. The idea of using areas is to put a boundary
on the explosion of link state updates. Flooding and SPF calculation on a router are limited to
changes within an area. An area can be identified by either a single number or dotted-decimal
notation. All routers within an area have the same link-state database. Area 0 is
also known as the backbone area. All other areas must border the backbone area.
An area is interface specific. An OSPF router can be a member of multiple areas. These
routers are known as Area Border Routers (ABRs). Each ABR maintains a separate
topological database for each area the router is in. Each topological database contains all of
the LSA databases for each router within a given area. The routers within the same area
have identical topological databases. The ABR is responsible for forwarding routing
information or changes between its border areas.
The above slide is a report from show ip ospf neighbor executed on Sunnyvale. The
fields are described as follows:
Port: The port through which the router is connected to its neighbor.
Address: The local IP address of this router's interface with the neighbor.
Pri: The OSPF priority of the neighbor. The priority is used during election of the DR and BDR.
State: The state of the conversation between the Layer 3 Switch and the neighbor, and the
title of the neighbor. The state field can have one of the following values: Down, Init, 2-way,
ExStart, Exchange, Loading, or Full. The neighbor's title field can be: DR, BDR or DR-other.
Neigh Address: The IP address of the neighbor's connected interface.
Neigh ID: The neighbor's Router ID.
Ev: The number of times the neighbor's state has changed.
Designated Router (DR) election is done by selecting the neighboring router with the highest priority.
The router with the next highest priority is elected as the Backup DR (BDR). If the DR goes off line,
the BDR automatically becomes the DR. The router with the next highest priority becomes the new
BDR.
In order to minimize the amount of information exchanged on a particular segment, OSPF elects one
router to be the designated router and one router to be the backup designated router on each
multi-access segment. The idea behind this is that routers have a central point of contact for
information exchange. Instead of each router exchanging updates with every other router on the
segment, every router exchanges the information with the DR and BDR. The DR and BDR relay the
information to everybody else. The adjacency building process takes effect after multiple stages have
been fulfilled. Routers that become adjacent have the same link state database.
If two neighbors share the same priority, the router with the highest Router ID is designated as the
DR. The Router ID is the IP address configured on the lowest numbered loopback interface. If there is
no loopback interface, then the Router ID is the lowest numbered IP address configured on the
device. When one router on the network already claims the DR role, it remains the DR even if
neighboring routers have higher priorities or Router IDs. This is also true for BDRs. The DR and BDR
election process is performed when one of the following events occurs:
1. An interface is in a waiting state and the wait time expires.
2. An interface is in a waiting state and a hello packet is received that addresses the BDR.
3. A change in the neighbor state occurs, such as a neighbor's state transitioning from 2-Way or
higher, communication to a neighbor being lost, or a neighbor declaring itself to be the DR or BDR
for the first time.
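The election rules above, as an added example in Python (not part of the course material): highest priority wins, ties go to the highest Router ID, an incumbent DR or BDR is never pre-empted, and when the DR disappears the BDR is promoted and a new BDR is chosen. Treating priority 0 as ineligible follows RFC 2328 and is an assumption here; the slide does not mention it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class OspfNeighbor:
    router_id: str
    priority: int


def _rank(n: OspfNeighbor) -> Tuple[int, int]:
    """Higher priority wins; a tie is broken by the numerically highest Router ID."""
    return (n.priority, int(ipaddress.ip_address(n.router_id)))


def elect_dr_bdr(neighbors: Iterable[OspfNeighbor],
                 current_dr: Optional[OspfNeighbor] = None,
                 current_bdr: Optional[OspfNeighbor] = None
                 ) -> Tuple[Optional[OspfNeighbor], Optional[OspfNeighbor]]:
    """Return (DR, BDR) for one multi-access segment.

    An incumbent keeps its role even when a better candidate shows up later (no
    pre-emption).  If the DR is gone, the BDR is promoted and a new BDR is chosen.
    Priority 0 marks a router as ineligible (RFC 2328 behaviour, assumed here)."""
    eligible = [n for n in neighbors if n.priority > 0]
    if not eligible:
        return None, None
    if current_dr in eligible:
        dr = current_dr                       # incumbent DR stays
    elif current_bdr in eligible:
        dr = current_bdr                      # DR went off line: BDR takes over
    else:
        dr = max(eligible, key=_rank)
    rest = [n for n in eligible if n != dr]
    if not rest:
        return dr, None
    bdr = current_bdr if current_bdr in rest else max(rest, key=_rank)
    return dr, bdr
```

The non-pre-emption rule is why a router that joins a segment with a deliberately high priority does not take the DR role until the current DR leaves; operators who want a specific router as DR must configure priorities before the election, not after.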
All OSPF routers send Hellos to 224.0.0.5 (All OSPF routers on this subnet) to find
neighbors. As shown in the above slide, those items with check marks must match on two
routers for them to become neighbors.
Adjacency is the next step after the neighboring process (which is the simple Hello exchange
during the Down, Init and 2-Way states). Adjacent routers are routers that go beyond the
hello exchange and proceed into the database exchange process. Each router forms an
adjacency with the DR/BDR. When two routers' LSDBs become identical, they are said to be
adjacent and reach the Full neighbor state.
OSPF routing updates are only sent across adjacencies to 224.0.0.6 (DR/BDR routers).
There are various types of Link State Advertisements (LSAs) existing in different types of
areas.
As shown in the table above, there are various types of OSPF areas. Each area type
allows different types of Link State Advertisements (LSAs) to exist.
Any non-OSPF routes (RIP, BGP, static, connected, default routes, etc.) that have been
redistributed into the OSPF domain are considered external routes by OSPF routers. When
these routes travel through a normal area, they are marked as type 5; when they travel
through an NSSA, they are marked as type 7.
You may choose to use different area types to optimize the OSPF network. Too many LSAs
increase the size of the Link State Database and hence are memory intensive. Dijkstra's
algorithm, used to calculate the SPF tree, is CPU intensive. Frequent link state
advertisements can also cause congestion on the link. All of these may make the network
response time very sluggish. For example, if you have system resource concerns, you may
set an area to be a Stub area (Stub of any flavor).
Redistribution enables one routing protocol to learn and advertise routes that exist under some
other process. The other process could be:
Another dynamic routing protocol (another instance of the same routing protocol or a different
routing protocol)
Static routes
Directly connected interfaces on which no routing protocol has been enabled
The redistribution rip command under router ospf takes RIP routes and sends them
out as OSPF LSAs. The redistribution command under router rip takes OSPF routes and
sends them out as RIP updates.
redistribution connected: In the above slide, the subnet between Router A and Router B
is in the RIP domain. Executing the redistribution rip command will not propagate this
subnet into the OSPF domain. This is true even though routers C and D know about the
172.16.60.0 subnet through RIP updates. For the OSPF domain to have that network in its route
tables, you must configure:
Router_B(config-ospf-router)#redistribution connected
ip rip learn-default is a command that allows a router to learn and advertise default RIP
routes. This command is necessary on RIP routers so that they learn the default route redistributed
from OSPF. It can be applied on a global or interface basis. This example shows the
feature enabled at the interface level:
Router_D(config)#int e 2/2
Router_D(config-if-2/2)#ip rip learn-default
Ideally, all routers within a given AS should run the same routing protocol. Rarely are there
technical reasons to run multiple routing protocols. Redistribution should be avoided as much as
possible.
BGP peers: Two BGP routers first create a TCP connection. That TCP connection stays up
continuously, and over it BGP dynamically exchanges routing information.
BGP session: BGP peers must negotiate a neighbor relationship, creating a BGP session, or
they will never exchange routing updates.
Incremental updates: Initially, all BGP routes are exchanged. After that, only incremental
updates are sent as network information changes. The incremental update approach saves
enormous amounts of CPU overhead and bandwidth.
BGP routers do not automatically advertise any routes to peers. They will only do so if
configured. You may use the BGP network command to advertise a route.
For example,
Router_A(config)#router bgp
Router_A(config-bgp-router)#network 100.1.1.0/24
The TCP connection established between two BGP peers stays alive until a problem arises. In
that case, a BGP notification message is sent and the TCP connection is torn down.
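The session exchange described above, as an added example in Python (written for this page, not Brocade or course code): two peers send OPEN over the TCP connection, confirm with KEEPALIVE, and reach the Established state; any malformed message produces a NOTIFICATION and tears the session down. Message layouts and error codes follow RFC 4271 (16-octet all-ones marker, 2-octet length, 1-octet type; error code 1 for header errors, 2 for OPEN errors, 5 for FSM errors). Decoding of UPDATE bodies is deliberately left out. The AS numbers and router IDs in the test are constructed.

```python
import ipaddress
import struct
from typing import Dict, Optional

MARKER = b"\xff" * 16                     # 16 octets of all ones precede every message
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
HEADER_LEN, MAX_LEN = 19, 4096
TYPE_NAMES = {OPEN: "OPEN", UPDATE: "UPDATE", NOTIFICATION: "NOTIFICATION", KEEPALIVE: "KEEPALIVE"}


class BgpError(ValueError):
    """A decode failure carrying the NOTIFICATION error code/subcode that should be sent."""
    def __init__(self, code: int, subcode: int, msg: str):
        super().__init__(msg)
        self.code, self.subcode = code, subcode


def _frame(msg_type: int, body: bytes = b"") -> bytes:
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), msg_type) + body


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """OPEN body: version(1) my AS(2) hold time(2) BGP identifier(4) opt param len(1)."""
    return _frame(OPEN, struct.pack("!BHHIB", 4, my_as, hold_time,
                                    int(ipaddress.IPv4Address(bgp_id)), 0))


def build_keepalive() -> bytes:
    return _frame(KEEPALIVE)            # header only, always 19 octets


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    return _frame(NOTIFICATION, struct.pack("!BB", code, subcode) + data)


def parse_message(buf: bytes) -> Dict[str, object]:
    """Validate the header and decode the body; raise BgpError with the RFC 4271 code/subcode."""
    if len(buf) < HEADER_LEN:
        raise BgpError(1, 2, "short header")
    if buf[:16] != MARKER:
        raise BgpError(1, 1, "connection not synchronized")
    length, msg_type = struct.unpack("!HB", buf[16:19])
    if not HEADER_LEN <= length <= MAX_LEN or length != len(buf):
        raise BgpError(1, 2, "bad message length")
    if msg_type not in TYPE_NAMES:
        raise BgpError(1, 3, "bad message type")
    body = buf[HEADER_LEN:]
    if msg_type == OPEN:
        if len(body) < 10:
            raise BgpError(1, 2, "bad message length")
        version, my_as, hold, ident, optlen = struct.unpack("!BHHIB", body[:10])
        if version != 4:
            raise BgpError(2, 1, "unsupported version number")
        if hold != 0 and hold < 3:
            raise BgpError(2, 6, "unacceptable hold time")
        if len(body) != 10 + optlen:
            raise BgpError(1, 2, "bad message length")
        return {"type": "OPEN", "as": my_as, "hold_time": hold,
                "bgp_id": str(ipaddress.IPv4Address(ident))}
    if msg_type == KEEPALIVE:
        if body:
            raise BgpError(1, 2, "bad message length")
        return {"type": "KEEPALIVE"}
    if msg_type == NOTIFICATION:
        if len(body) < 2:
            raise BgpError(1, 2, "bad message length")
        return {"type": "NOTIFICATION", "code": body[0], "subcode": body[1], "data": body[2:]}
    return {"type": "UPDATE", "raw": body}   # UPDATE decoding is out of scope here


class BgpSession:
    """The part of the RFC 4271 FSM the text describes: OPEN exchange, KEEPALIVE confirm,
    NOTIFICATION on any error, after which the TCP connection is torn down (state Idle)."""
    def __init__(self, my_as: int, bgp_id: str, hold_time: int = 90):
        self.my_as, self.bgp_id, self.hold_time = my_as, bgp_id, hold_time
        self.state, self.peer = "Idle", None

    def tcp_connected(self) -> bytes:
        self.state = "OpenSent"
        return build_open(self.my_as, self.hold_time, self.bgp_id)

    def receive(self, raw: bytes) -> Optional[bytes]:
        """Feed one message from the peer; returns the reply to send, if any."""
        try:
            msg = parse_message(raw)
        except BgpError as e:
            self.state = "Idle"                     # NOTIFICATION sent, TCP torn down
            return build_notification(e.code, e.subcode)
        if msg["type"] == "NOTIFICATION":
            self.state = "Idle"
            return None
        if self.state == "OpenSent" and msg["type"] == "OPEN":
            self.peer, self.state = msg, "OpenConfirm"
            return build_keepalive()
        if self.state == "OpenConfirm" and msg["type"] == "KEEPALIVE":
            self.state = "Established"
            return None
        if self.state == "Established" and msg["type"] in ("UPDATE", "KEEPALIVE"):
            return None
        self.state = "Idle"
        return build_notification(5, 0)             # Finite State Machine Error
```

Because a single bad octet resets the session, the marker and length checks are the first thing a receiver does with every message; a monitoring point that logs NOTIFICATION code/subcode pairs sees exactly why a peering flapped.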
There are two modes in which PIM operates: Dense and Sparse. The Dense Mode (PIM-DM)
is suitable for densely populated multicast groups, primarily in the LAN environment.
The basic assumption behind PIM-DM is that the multicast packet stream has receivers at
most locations. An example of this might be a company presentation by the CEO or
President of a company. By way of contrast, PIM Sparse Mode (PIM-SM) assumes relatively
fewer receivers. An example would be the initial orientation video for new employees.
This difference shows up in the initial behavior and mechanisms of the two protocols.
PIM-SM only sends multicasts when requested to do so, whereas PIM-DM
starts by flooding the multicast traffic and then stops it on each link where it is not needed,
using a Prune message.
Rendezvous Point (RP): The RP is the meeting point for PIM Sparse sources and receivers.
A PIM Sparse domain can have multiple RPs, but each PIM Sparse multicast group address
can have only one active RP. PIM-SM routers learn the addresses of RPs and the multicast
groups for which they are responsible. This information is learned from the RP-Set messages that
the BSR sends out.
To enhance overall network performance, Brocade routers use the RP to forward only the
first packet from a group source to the group's receivers. After the first packet, the router
calculates the shortest path between the receiver and source (the Shortest Path Tree, or
SPT) and uses the SPT for subsequent packets from the source to the receiver. The router
calculates a separate SPT for each source-receiver pair.
The Bootstrap Router (BSR) is a mechanism for multicast routers to learn RP information.
The BSR picks an RP set from the available candidates and periodically announces this set
in a bootstrap message. The function of the BSR is to communicate the RP-Set information
to all routers in the multicast domain. Candidate BSRs (CBSRs) are routers that compete for
the BSR role for a multicast domain.
The elected BSR receives messages from all candidate RPs (CRPs) in the domain. The bootstrap message
sent by the BSR includes information about all CRPs. Each router uses a common algorithm
to select the same RP address for a given multicast group.
PIM-DM and SM routers use RPF (Reverse Path Forwarding) to verify that a router has
received a multicast packet on the correct incoming interface. The RPF algorithm allows a
router to accept a multicast datagram only on the interface from which the router would
send a unicast datagram to the source of the multicast datagram.
If the same packet has been received on multiple interfaces and the costs from these
interfaces to the source host are the same, then the selection of the shortest path back to
the source is based on which RPF neighbor in the IP routing table has the highest IP
address. To enable the Highest IP RPF feature, enter commands such as the following.
FastIron(config)#router pim
FastIron(config-pim-router)#highest-ip-rpf
For example, after highest IP RPF has been enabled, in the IP routing table below, Gateway
137.80.129.1 will be chosen as the shortest path to the source because it is the RPF
neighbor with the highest IP address.
#show ip route
Destination   NetMask          Gateway        Port   Cost   Type
172.17.41.4   255.255.255.252  137.80.127.3   v11
172.17.41.4   255.255.255.252  137.80.126.3   v10
172.17.41.4   255.255.255.252  137.80.129.1   v13
172.17.41.4   255.255.255.252  137.80.128.3   v12
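The RPF check and the highest-IP tie-break, as an added Python example (not course or Brocade code). The sample routing table is constructed in the layout of the show ip route output above; its Cost and Type values are made up for the example, since the slide does not show them, and a fifth, more expensive route is added to show that cost is compared before the tie-break. Which equal-cost route is used when the feature is off is platform-specific; the example simply takes the first one listed, which is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the layout of the show ip route output above.
SAMPLE_SHOW_IP_ROUTE = """\
Destination  NetMask          Gateway       Port  Cost  Type
172.17.41.4  255.255.255.252  137.80.127.3  v11   1     O
172.17.41.4  255.255.255.252  137.80.126.3  v10   1     O
172.17.41.4  255.255.255.252  137.80.129.1  v13   1     O
172.17.41.4  255.255.255.252  137.80.128.3  v12   1     O
172.17.41.4  255.255.255.252  137.80.130.7  v14   5     O
"""


def parse_routes(text: str) -> List[Dict[str, object]]:
    """Turn the table into route dicts; the first line is the column header."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, mask, gw, port, cost, rtype = line.split()
        routes.append({"net": ipaddress.ip_network((dest, mask), strict=False),
                       "gateway": ipaddress.ip_address(gw), "port": port,
                       "cost": int(cost), "type": rtype})
    return routes


def rpf_route(routes: List[Dict[str, object]], source: str,
              highest_ip_rpf: bool = False) -> Optional[Dict[str, object]]:
    """The unicast route the router would use to reach `source`: longest prefix, then
    lowest cost; among equal-cost routes the highest gateway IP if the feature is on,
    otherwise the first one listed (assumed stand-in for the platform's own choice)."""
    src = ipaddress.ip_address(source)
    matches = [r for r in routes if src in r["net"]]
    if not matches:
        return None
    longest = max(r["net"].prefixlen for r in matches)
    matches = [r for r in matches if r["net"].prefixlen == longest]
    best_cost = min(r["cost"] for r in matches)
    tied = [r for r in matches if r["cost"] == best_cost]
    if highest_ip_rpf:
        return max(tied, key=lambda r: int(r["gateway"]))
    return tied[0]


def rpf_check(routes: List[Dict[str, object]], source: str, ingress_port: str,
              highest_ip_rpf: bool = False) -> bool:
    """RPF: accept the multicast packet only if it arrived on the interface the router
    would use to send unicast traffic back to the source; otherwise it is dropped."""
    r = rpf_route(routes, source, highest_ip_rpf)
    return r is not None and r["port"] == ingress_port
```

With the feature on, a packet from 172.17.41.5 passes RPF only on port v13 (gateway 137.80.129.1); the same packet arriving on v11 is dropped, which is what stops a duplicated or spoofed-source stream from being forwarded from the wrong side of the tree.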
The range from 0100.5e00.0000 through 0100.5e7f.ffff is the available range of Ethernet
MAC addresses for IP multicast.
An Ethernet multicast address is formed from the prefix 01:00:5E combined with the lower 23 bits of the
multicast IP address. For example, the L3 multicast IP address 239.10.8.5 maps to the L2 multicast
address 01:00:5E:0A:08:05.
There is a 32-to-1 overlap of Layer 3 addresses to Layer 2 addresses. Be aware that
32 Layer 3 addresses map to the same Layer 2 multicast address. For example,
224.1.1.1, 224.129.1.1, 238.1.1.1, and 239.1.1.1 can all be mapped to the same
Layer 2 multicast of 01-00-5e-01-01-01.
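The mapping and the 32-to-1 overlap above, as an added Python example (not course material). `groups_sharing_mac` enumerates every IPv4 group that lands on the same Ethernet address, which is the reason a MAC-based filter, a NIC hardware filter, or an IGMP-snooping table keyed on MAC cannot distinguish those groups.

```python
import ipaddress
from typing import List

MCAST_MAC_PREFIX = 0x01005E000000     # 01:00:5e:00:00:00; low bit of the first octet marks a group address
LOW_23_BITS = 0x7FFFFF


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet address: 01:00:5e + low 23 bits of the group."""
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = MCAST_MAC_PREFIX | (int(g) & LOW_23_BITS)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> List[str]:
    """All 32 groups that collide with `group` on one Layer 2 address: 224.0.0.0/4 has
    28 variable bits, only 23 of which survive, so the 5 dropped bits give 2**5 groups."""
    low = int(ipaddress.ip_address(group)) & LOW_23_BITS
    return [str(ipaddress.ip_address(0xE0000000 | (i << 23) | low)) for i in range(32)]


def same_l2_destination(a: str, b: str) -> bool:
    """True when two groups cannot be told apart by anything that filters on MAC address."""
    return multicast_mac(a) == multicast_mac(b)
```

The practical consequence: a host subscribed to 224.1.1.1 also receives frames for 239.1.1.1 at the NIC level and must rely on the IP layer to discard them, and choosing group addresses for separate applications should avoid pairs that share the low 23 bits.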
interface ve 3
 ip address 192.168.2.4/24
access-list 11 permit 209.157.23.0/24
access-list 12 permit 209.157.24.0/24
access-list 13 permit 209.157.25.0/24
route-map myroute permit 111
 match ip address 11
route-map myroute permit 122
 match ip address 12
route-map myroute permit 133
 match ip address 13
1. Mark IP traffic originating from the 144.100.20.0 subnet with a DSCP value of 5.
SanJose(config)#access-list 120 permit ip 144.100.20.0/24 any dscp-marking 5
SanJose(config)#vlan 10
SanJose(config-vlan-10)#untagged e 4/8 to 4/24
SanJose(config-vlan-10)#router-interface ve1
SanJose(config)#interface ve1
SanJose(config-vif-1)#ip address 144.100.20.1/24
3. A DSCP matching ACL denies the traffic from the 144.100.20.0 subnet originating on San
Jose.
Sunnyvale(config)#access-list 111 deny ip 144.100.20.0 0.0.0.255 any dscp-mapping 5
Sunnyvale(config)#access-list 111 permit ip any any
Sunnyvale(config)#interface e 4/1
Sunnyvale(config-if-e100-4/1)#ip access-group 111 in
ACLs may be used for Quality of Service and rate limiting purposes.
As shown in the above example, the first entry in this IP ACL denies TCP traffic from the
209.157.21.x network to the 209.157.22.x network, if the traffic has the IP TOS (Type of
Service) option normal (equivalent to 0000).
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x
network, if the traffic has the TOS value 13 (equivalent to max-throughput 0100, min-delay 1000, and min-monetary-cost 0001).
The third entry permits all packets that are not explicitly denied by the other entries. Without
this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you
assign the ACL.
Weighted round robin (WRR): WRR ensures that all queues are serviced during each cycle. A weighted fair
queuing algorithm is used to rotate service among the eight queues on the FastIron and TurboIron 24X
devices. The rotation is based on the weights you assign to each queue. This method rotates service among
the queues, forwarding a specific number of packets in one queue before moving on to the next one. Note that
in stacking mode the QOSP7 queue is reserved as Strict Priority under weighted queuing. Attempts to change the
QOSP7 setting will be ignored.
WRR is the default queuing method and uses a default set of queue weights. The number of packets serviced
during each visit to a queue depends on the percentages you configure for the queues. The software
automatically converts the percentages you specify into weights for the queues.
NOTE: Queue cycles on the FastIron and TurboIron 24X devices are based on bytes. These devices service a
given number of bytes (based on weight) in each queue cycle. FES and BI/FI queue cycles are based on
packets. The bytes-based scheme is more accurate than a packets-based scheme if packets vary greatly in
size.
Strict priority (SP): SP ensures service for high priority traffic. The software assigns the maximum weights to
each queue, to cause the queuing mechanism to serve as many packets in one queue as possible before
moving to a lower queue. This method biases the queuing mechanism to favor the higher queues over the
lower queues. For example, strict queuing processes as many packets as possible in qosp3 before processing
any packets in qosp2, then processes as many packets as possible in qosp2 before processing any packets in
qosp1, and so on.
Hybrid WRR and SP: a configurable queuing mechanism combining both the strict priority and weighted round
robin mechanisms. The combined method enables the Brocade device to give strict priority to delay-sensitive
traffic such as VoIP traffic, and weighted round robin priority to other traffic types. By default, when you select
the combined SP and WRR queuing method, the Brocade device assigns strict priority to traffic in qosp7 and
qosp6, and weighted round robin priority to traffic in qosp0 through qosp5. Thus, the Brocade device
schedules traffic in queue 7 and queue 6 first, based on the strict priority queuing method. When there is no
traffic in queue 7 and queue 6, the device schedules the other queues in round-robin fashion from the highest
priority queue to the lowest priority queue.
The 3-bit 802.1p field (in the 802.1Q tag) may be added to the frame to identify classes of service (CoS), but it does not
guarantee delivery.
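The three scheduling methods above, simulated on a static backlog. This is an added Python example written for this page, not Brocade's scheduler: queues are served byte-based as the note describes, weights are percentages of a cycle's byte budget, and the packet sizes and weights in the test are constructed. The stacking-mode reservation of QOSP7 is not modelled. The point the simulation makes visible is that strict priority starves low queues for as long as a high queue has traffic, while WRR serves every queue each cycle and the hybrid method does both.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

QUEUES = ["qosp7", "qosp6", "qosp5", "qosp4", "qosp3", "qosp2", "qosp1", "qosp0"]  # highest first


def schedule(backlog: Dict[str, List[int]], method: str = "wrr",
             weights: Optional[Dict[str, float]] = None, cycle_bytes: int = 10000,
             max_cycles: int = 1000) -> List[Tuple[str, int]]:
    """Simulate one port's scheduler on a static backlog.

    backlog: {queue: [packet sizes in bytes]}.  weights: percent of each byte-based cycle a
    WRR queue may use.  Returns the packets in the order they are sent as (queue, size).
    method: "wrr" (all queues weighted), "sp" (all strict, highest queue first) or
    "hybrid" (qosp7 and qosp6 strict, the rest weighted)."""
    q = {name: deque(backlog.get(name, [])) for name in QUEUES}
    weights = weights or {name: 100 / len(QUEUES) for name in QUEUES}
    strict = {"sp": QUEUES, "hybrid": ["qosp7", "qosp6"], "wrr": []}[method]
    order: List[Tuple[str, int]] = []
    for _ in range(max_cycles):
        if not any(q.values()):
            break
        # strict queues: drain the highest completely before looking at the next one
        for name in strict:
            while q[name]:
                order.append((name, q[name].popleft()))
        # weighted queues: each gets a byte budget proportional to its weight per cycle;
        # the packet that crosses the budget is still sent (deficit-style accounting)
        for name in QUEUES:
            if name in strict:
                continue
            budget = cycle_bytes * weights.get(name, 0) / 100
            sent = 0
            while q[name] and sent < budget:
                size = q[name].popleft()
                sent += size
                order.append((name, size))
    return order


def first_service(order: List[Tuple[str, int]], queue: str) -> Optional[int]:
    """Position at which `queue` is first served; None means it starved for the whole run."""
    for i, (name, _) in enumerate(order):
        if name == queue:
            return i
    return None
```

A queue that never appears in the schedule while a strict queue is busy is exactly the starvation case: a flood of traffic classified into qosp7 (by a mis-set priority or a spoofed 802.1p value) can stop best-effort traffic entirely under SP, which is why the hybrid method limits strict service to the two top queues.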
By default, all traffic is in the best-effort queue (qosp0) and is honored on tagged ports. You
can assign traffic to a higher queue based on the following:
Incoming port (ingress port)
Static MAC entry
To change the QoS priority of port 1 to the premium queue (qosp7), enter the following
commands.
FastIron(config)#interface ethernet 1/1
FastIron(config-if-e1000-1/1)#priority 7
The device will assign priority 7 (the highest priority queue) to traffic received on port 1.
By default, all MAC entries are in the best effort queue. When you configure a static MAC
entry, you can assign the entry to a higher QoS level. To configure a static MAC entry and
assign the entry to the premium queue, enter commands such as the following.
FastIron(config)#vlan 9
FastIron(config-vlan-9)#static-mac-address 1145.1163.67FF
ethernet 1/1 priority 7
802.11 divides each of its bands into channels, similar to how the radio and TV broadcast
bands are allocated, but with greater channel width and overlap.
The 802.11b standard defines a total of 14 frequency channels. The FCC allows channels 1
through 11 within the U.S.; whereas, most of Europe can use channels 1 through 13. In
Japan, you have only one choice: channel 14.
There are only 3 non-overlapping channels available in the 802.11b standard. These are
channels 1, 6, and 11. For WiFi access points that are located near each other, it is
recommended that each use one of the above non-overlapping channels to minimize
the effects of interference.
Data Rates:
802.11a: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps
802.11g: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54 Mbps
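Why channels 1, 6 and 11 are the non-overlapping set, worked out in code. This is an added Python example, not course material; it assumes the usual 2.4 GHz channel plan (5 MHz spacing from 2412 MHz, channel 14 at 2484 MHz) and a 22 MHz 802.11b channel width, neither of which the slide states. The allowed-channel lists passed in the test follow the slide's US and European ranges.

```python
from typing import Iterable, List

CHANNEL_WIDTH_MHZ = 22   # 802.11b DSSS channel width (assumed here; not stated on the slide)


def center_frequency_mhz(channel: int) -> int:
    """2.4 GHz channel plan: 5 MHz spacing starting at 2412 MHz, channel 14 at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_channels(allowed: Iterable[int]) -> List[int]:
    """Largest set of mutually non-overlapping channels from a regulatory domain's list
    (greedy from the lowest channel, which is optimal for equal-width intervals)."""
    chosen: List[int] = []
    for ch in sorted(allowed):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def assign_channels(n_access_points: int, allowed: Iterable[int]) -> List[int]:
    """Round-robin neighbouring access points over the non-overlapping set."""
    usable = non_overlapping_channels(allowed)
    return [usable[i % len(usable)] for i in range(n_access_points)]
```

Channels 1 and 6 sit 25 MHz apart, so with a 22 MHz width they clear each other by 3 MHz; channel 5 is only 20 MHz from channel 1 and overlaps it, which is the interference the text warns about.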
The Beacon frame, which is a type of management frame, provides the "heartbeat" of a WLAN, enabling stations to
establish and maintain communications in an orderly fashion.
There is a variety of information in a Beacon frame:
Beacon interval - the amount of time between Beacon transmissions.
Timestamp - used by stations to update their local clocks for synchronization amongst each other.
ESSID - An extended service set ID (ESSID) identifies a WLAN with which clients can establish a connection. You can
configure:
A VLAN that supports multiple access points per ESSID
Multiple ESSIDs per physical access point
A VLAN for each ESSID to separate network traffic; you can also specify that a VLAN be shared between multiple
ESSIDs
An ESSID that supports just one person
An ESSID for a Remote AP, such as in a branch office; that AP can also support ESSIDs for local traffic
Typically, a WLAN supports one Beacon on a single BSSID, which can advertise the primary ESSID. Clients can request
to associate to that BSSID by requesting one of the ESSIDs. The Brocade wireless products allow you to customize a
Beacon per ESSID to support different access point settings, such as base or supported transmit rates, different
BSSIDs, different Beacon intervals, and different DTIM periods. This Beacon customization allows service
customization for each ESSID, as well as more flexibility in supporting different clients and services.
Supported rates - information describing the rates which a particular WLAN supports.
Parameter Sets - information about the specific signaling methods (such as frequency hopping spread spectrum, direct
sequence spread spectrum, etc.).
Capability Information - signifies requirements of stations who wish to belong to the WLAN that the Beacon represents.
Traffic Indication Map (TIM) - An access point periodically sends the TIM within a Beacon to identify which stations using
power saving mode have data frames waiting for them in the access point's buffer. The TIM identifies a station by the
association ID that the access point assigned during the association process.
The hidden node problem occurs when a node is visible from a wireless access point (AP),
but not from other nodes communicating with the AP. This leads to difficulties in media
access control.
In order to solve this problem, an RTS/CTS method has been introduced. A node wishing to
send data initiates the process by sending an RTS (Request to Send) frame. The receiver
node replies with a CTS (Clear to Send) frame. After the transmitter node
receives the CTS frame, it transmits the data packets. Any other node receiving the RTS or
CTS frame should refrain from sending data for a given time. Encoded within the RTS/CTS
frames is a duration field. The duration field is set such that the data transmission can be
completed within the designated time period. If the node wanting to transmit does not
receive a CTS frame, it backs off and waits.
802.1X Authentication: For enterprise wireless security to scale to hundreds or thousands of users,
an authentication framework that supports centralized user authentication must be used. The use of
IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a
protected network, as well as dynamically varying encryption keys if WPA/WPA2 is configured.
802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless
LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time
passwords, certificates, and public key authentication.
There are three basic components to 802.1X authentication:
1. Supplicant: a software client running on the wireless station
2. Authenticator: the access point and the controller
3. Authentication Server: an authentication database, usually a RADIUS server.
Extensible Authentication Protocol (EAP) is used to pass the authentication information between the
supplicant (the wireless station) and the authentication server (RADIUS, MS IAS, or other). The actual
authentication is defined and handled by the EAP type. The access point (and the controller in the
configuration) acts as the authenticator. The authenticator is a client of the RADIUS server that
allows the supplicant and the authentication server to communicate. The EAP type you choose, and
whether you choose to implement authentication in your organization, depends on the level of
security you require. There are several types of EAP: EAP-TLS, EAP-PEAP, EAP-TTLS, and Cisco LEAP.
Wireless Encryption: WEP (Wired Equivalent Privacy) is 802.11's optional encryption standard
implemented in the MAC layer that most radio NIC and AP vendors support. Due to the known
vulnerabilities of WEP, 802.11i was ratified in 2004, in order to address security issues in WiFi
networks. It supports TKIP (Temporal Key Integrity Protocol) and CCMP-AES (Advanced Encryption
Standard) encryption algorithms.
To manage a Layer 2 Switch using Telnet, Secure Shell (SSH) CLI connections, or the Web
Management Interface, you must configure an IP address for the Layer 2 Switch from the
console connection.
Console terminal settings: baud rate: 9600, data bits: 8, parity: none, stop bits: 1 and flow
control: none.
All Brocade FastIron devices support the creation of management VLANs. By default, the
management IP address you configure on a Layer 2 Switch applies globally to all the ports
on the device. This is true even if you divide the device ports into multiple port-based VLANs.
You may also designate a particular VLAN for management access (discussed on the next
slide).
If you want to restrict the IP management address to a specific port-based VLAN, you can make that
VLAN the designated management VLAN for the device. When you configure a VLAN to be the
designated management VLAN, the management IP address you configure on the device is
associated only with the ports in the designated VLAN. To establish a Telnet management session
with the device, a user must access the device through one of the ports in the designated VLAN.
To configure a designated management VLAN, enter commands such as the following.
FastIron(config)#vlan 10 by port
FastIron(config-vlan-10)#untag ethernet 1/1 to 1/4
FastIron(config-vlan-10)#management-vlan
You can restrict access to management functions from remote sources, including Telnet, the Web
Management Interface, and SNMP. You may use Standard ACLs to control the following access
methods to management functions on a Brocade device: Telnet, SSH, Web management, and
SNMP.
Here is an example of using ACLs to restrict SNMP access:
FastIron(config)#access-list 25 deny host 209.157.22.98 log
FastIron(config)#access-list 25 deny 209.157.23.0 0.0.0.255 log
FastIron(config)#access-list 25 permit any
FastIron(config)#access-list 30 deny 209.157.25.0 0.0.0.255 log
FastIron(config)#access-list 30 deny 209.157.26.0/24 log
FastIron(config)#access-list 30 permit any
FastIron(config)#snmp-server community public ro 25
FastIron(config)#snmp-server community private rw 30
You can also restrict SNMP access to a single IP address. To allow SNMP access (which includes
IronView Network Manager) to the Brocade device only from the host with IP address 209.157.22.14,
enter the following command:
FastIron(config)#snmp-client 209.157.22.14
The example below uses an ACL to allow Telnet access only to the IP addresses in the permit entries and denies
Telnet attempts from all other IP addresses:
FastIron(config)#access-list 10 permit host 209.157.22.32
FastIron(config)#access-list 10 permit 209.157.23.0 0.0.0.255
FastIron(config)#access-list 10 permit 209.157.24.0 0.0.0.255
FastIron(config)#access-list 10 permit 209.157.25.0/24
FastIron(config)#telnet access-group 10
If you would like to restrict Telnet access to a single host, you may also use the following command:
FastIron(config)#telnet-client 209.157.22.32
To restrict Telnet access to clients in a specific VLAN, enter a command such as the following:
FastIron(config)#telnet server enable vlan 10
Example of using an ACL to restrict SSH access:
FastIron(config)#access-list 12 deny host 209.157.22.98 log
FastIron(config)#access-list 12 permit any
FastIron(config)#ssh access-group 12
You can restrict SSH connections to a device based on the client's IP address or MAC address. To allow SSH access
to the Brocade device only to the host with IP address 209.157.22.39 and MAC address 0007.e90f.e9a0, enter the
following command:
FastIron(config)#ip ssh client 209.157.22.39 0007.e90f.e9a0
To allow Telnet, Web, and SNMP management access to the Brocade device only to the host with IP address
209.157.22.69, enter three separate commands (one for each access type) or enter the following command:
FastIron(config)#all-client 209.157.22.69
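The standard ACLs above (the SNMP ACLs 25 and 30 and the Telnet ACL 10) are evaluated top-down, first match wins, with an implicit deny at the end. The following added example, not part of the original course notes or any Brocade software, re-implements that evaluation in Python over the page's own ACL entries so the effect of wildcard masks, CIDR entries and a missing "permit any" can be checked before a change is pushed to a device; the ACL text and community-to-ACL bindings are copied from the examples above.

```python
import ipaddress

# Constructed from the ACL examples in the text above (not device output).
ACLS = {
    10: ["permit host 209.157.22.32", "permit 209.157.23.0 0.0.0.255",
         "permit 209.157.24.0 0.0.0.255", "permit 209.157.25.0/24"],
    25: ["deny host 209.157.22.98 log", "deny 209.157.23.0 0.0.0.255 log",
         "permit any"],
    30: ["deny 209.157.25.0 0.0.0.255 log", "deny 209.157.26.0/24 log",
         "permit any"],
}
# snmp-server community <string> <ro|rw> <acl>, as configured above
COMMUNITIES = {"public": ("ro", 25), "private": ("rw", 30)}

def parse_entry(entry):
    """Return (action, base, wildcard, log) for one standard ACL entry.
    A wildcard bit of 1 means 'don't care', so 0.0.0.255 covers a /24."""
    tokens = entry.split()
    action, log = tokens[0], tokens[-1] == "log"
    spec = tokens[1:-1] if log else tokens[1:]
    if spec == ["any"]:
        base, wild = 0, 0xFFFFFFFF
    elif spec[0] == "host":
        base, wild = int(ipaddress.IPv4Address(spec[1])), 0
    elif len(spec) == 2:                      # address + wildcard mask
        base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    else:                                     # CIDR form, e.g. 209.157.26.0/24
        net = ipaddress.IPv4Network(spec[0], strict=False)
        base, wild = int(net.network_address), int(net.hostmask)
    return action, base, wild, log

def evaluate(acl_id, src):
    """First matching entry wins. A standard ACL ends with an implicit deny,
    so a list without 'permit any' (ACL 10) denies every other source."""
    s = int(ipaddress.IPv4Address(src))
    for entry in ACLS[acl_id]:
        action, base, wild, log = parse_entry(entry)
        if (s | wild) == (base | wild):       # compare only the non-wildcard bits
            return action, log
    return "deny", False

def snmp_allowed(community, src):
    """Would an SNMP request with this community string from src pass its ACL?"""
    if community not in COMMUNITIES:
        return False
    _mode, acl_id = COMMUNITIES[community]
    return evaluate(acl_id, src)[0] == "permit"
```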
You can define up to 16 local user accounts on a Brocade device. User accounts regulate
who can access the management functions in the CLI using the following methods:
Telnet access
Web management access
SNMP access
Note that you may also secure Telnet access by setting a password with the following command:
SW-FastIron(config)#enable telnet password MyTelPswd
Local user accounts provide greater flexibility for controlling management access to Brocade
devices than do management privilege level passwords and SNMP community strings. You
can continue to use the privilege level passwords and the SNMP community strings as
additional means of access authentication. Alternatively, you can choose not to use local
user accounts and instead continue to use only the privilege level passwords and SNMP
community strings. Community strings may be used for SNMP and Web access types.
Follow the steps given below to configure SSH (Secure Shell) on a Brocade device.
1. Set the host name and domain name on the Brocade device.
FastIron(config)#hostname Fesx424Router
FastIron(config)#ip dns domain-name home.com
2. Generate a host RSA public and private key pair for the device.
When SSH is configured, a public and private host RSA key pair is generated for the Brocade device. The
SSH server on the Brocade device uses this host RSA key pair, along with a dynamically generated server
RSA key pair, to negotiate a session key and encryption method with the client trying to connect to it. The
host RSA key pair is stored in the system-config file in the Brocade device. Only the public key is readable.
The public key should be added to a known hosts file (for example, $HOME/.ssh/known_hosts on UNIX
systems) on the clients that need to access the device. Some SSH client programs add the public key to the
known hosts file automatically; in other cases, you must manually create a known hosts file and place the
public key (for the Brocade device) in it. To generate a public and private RSA host key pair on most
Brocade devices, enter the following commands:
FastIron(config)#crypto key generate rsa
FastIron(config)#write memory
To disable SSH, you must delete the RSA host key pair. To do this in SSHv1, enter the following:
FastIron(config)#crypto key zeroize rsa
FastIron(config)#write memory
3.
4.
The commands in the CLI are organized into the following levels:
User: Lets you display information and perform basic tasks such as ping and traceroute.
Privileged: Lets you use the same commands as those at the User level plus configuration commands that do not require saving the changes to the system-config file.
Config: Lets you make configuration changes to the device. To save the changes across reboots, you need to save them to the system-config file. The CONFIG level contains sublevels for individual ports, for VLANs, for routing protocols, and other configuration areas.
Use the show boot-preference command to display the boot sequence in the startup
config and running config files.
By default, to view Syslog messages generated by a Brocade device, you need to display the Syslog
buffer or the log on a Syslog server used by the Brocade device. You can enable real-time display of
Syslog messages on the management console. When you enable this feature, the software displays
a Syslog message on the management console when the message is generated.
To enable real-time display of Syslog messages, enter the following command at the global config
level:
FastIron(config)#logging console
However, to enable display of real-time Syslog messages on Telnet or SSH sessions, you also must
enable display within the individual sessions. Enter the following command from the Privileged EXEC
level of the session.
telnet@FastIron#terminal monitor
Syslog trace was turned on
To disable the feature in the management session, enter the terminal monitor command again. The
command toggles the feature on and off.
To display the Syslog messages in the device's local buffer, enter the show logging command at
any level of the CLI.
The Syslog daemon on the Syslog server uses a facility to determine where to log the messages from
the Brocade device. The default facility for messages the Brocade device sends to the Syslog server
is user.
To configure the device to save the System log messages after a soft reboot, enter:
FastIron(config)#logging persistence
To clear the Syslog messages stored in the local buffer of the Brocade device, enter:
FastIron#clear logging
You can specify which kinds of OSPF-related Syslog messages are logged. By default, the only OSPF
messages that are logged are those indicating possible system errors. If you want other kinds of
OSPF messages to be logged, you can configure the Brocade device to log them.
For example, to specify that all OSPF-related Syslog messages be logged, enter the following
commands.
FastIron(config)#router ospf
FastIron(config-ospf-router)#log all
Syntax:
[no] log all|adjacency|bad_packet[checksum]|database|memory|retransmit
The log command has the following options:
The all option causes all OSPF-related Syslog messages to be logged. If you later disable this
option with the no log all command, the OSPF logging options return to their default settings.
The adjacency option logs essential OSPF neighbor state changes, especially on error cases.
This option is disabled by default.
The bad_packet checksum option logs all OSPF packets that have checksum errors. This
option is enabled by default.
The bad_packet option logs all other bad OSPF packets. This option is disabled by default.
The database option logs OSPF LSA-related information. This option is disabled by default.
The memory option logs abnormal OSPF memory usage. This option is enabled by default.
The retransmit option logs OSPF retransmission activities. This option is disabled by default.
Traffic on a particular port can be monitored. The monitored traffic will be copied to another
port.
To configure port monitoring on an individual port on a Brocade device, use the following
command syntax:
Syntax: [no] mirror-port ethernet [<stackunit>/<slotnum>/]<portnum> [input | output]
Syntax: [no] monitor ethernet [<stack-unit>/<slotnum>/]<portnum> both | in | out
For example, to monitor incoming and outgoing traffic on port e 1/2/11 and copy the monitored
traffic to port e 1/2/4 (the mirror port), enter:
FastIron(config)#mirror-port ethernet 1/2/4
FastIron(config)#interface ethernet 1/2/11
FastIron(config-if-e1000-11)#monitor ethernet 1/2/4 both
The sampling rate is the average ratio of the number of packets arriving on an sFlow-enabled port
to the number of those packets taken as samples.
The sampling rate is a fraction in the form 1/N, meaning that, on average, one out of every N
packets will be sampled. The sFlow sample command at the global level or port level specifies N, the
denominator of the fraction. Thus a higher number for the denominator means a lower sampling
rate since fewer packets are sampled. Likewise, a lower number for the denominator means a
higher sampling rate because more packets are sampled. For example, if you change the
denominator from 512 to 128, the sampling rate increases because four times as many packets will
be sampled. Note that Brocade recommends that you do not change the denominator to a value
lower than the default. Sampling requires CPU resources. Using a low denominator for the sampling
rate can cause high CPU utilization.
You can change the default (global) sampling rate. You also can change the rate on an individual
port, overriding the default sampling rate of 512. With a sampling rate of 512, on average, one in
every 512 packets forwarded on an interface is sampled. To change the default (global) sampling
rate, enter a command such as the following at the global config level of the CLI:
FastIron(config)#sflow sample 2048
You can configure an individual port to use a different sampling rate than the global default
sampling rate. This is useful in cases where ports have different bandwidths. For example, if you are
using sFlow on 10/100 ports and Gbps Ethernet ports, you might want to configure the Gbps ports
to use a larger sampling denominator (and thus gather fewer samples per number of packets) than the
10/100 ports. To change the sampling rate on an individual port, enter a command such as the
following at the configuration level for the port:
FastIron(config-if-1/1)#sflow sample 8192
The show version command shows the software version that the switch or stack is
running.
The show flash command displays the boot and flash images installed on the device.
To display the stack MAC address, enter the show chassis command.
To display port information, use the show interface or show interface brief command.
The State column indicates the Spanning Tree port state: None, Listen, Learn, Blocked, or
Forward.
Listening and Learning are transitional states that a port passes through whenever the network
topology changes.
Searching and filtering show command output with the | operator and filters such as include can
save you time when working through long outputs.
For example, to view ports that are up, use show interface | include Up. To view ports that
are manually disabled, use show interface | include Disable.
Footnote 1: Study materials from Brocade or Brocade authorized partners are made
available at no cost ($0). Any study materials for which a fee is charged should be avoided.
In countries where English is not the primary language, examinees are given an additional
30 minutes. The following is a list of countries where VUE considers English to be the
primary language: Australia, Belize, Bermuda, Canada, Ireland, New Zealand, South Africa,
the United Kingdom and the United States.
No student may take the exam more than 2 times in a two week period. Pearson VUE
accepts many of the major world currencies. All examinees are required to accept a nondisclosure agreement. This agreement means the examinee will not discuss or disclose any
of the questions or exam contents. Failure to comply with the agreement may result in
forfeiture of certification status and benefits.