BCNE in a Nutshell Study Guide for Exam 150-120 Global Education Services Revision 0511


Page 1: BCNE Nutshell

BCNE in a Nutshell Study Guide for Exam 150-120

Global Education Services

Revision 0511


Corporate Headquarters - San Jose, CA USA, T: (408) [email protected]

European Headquarters - Geneva, Switzerland, T: +41 22 799 56 [email protected]

Asia Pacific Headquarters - Singapore, T: [email protected]

© 2011 Brocade Communications Systems, Inc. All Rights Reserved.

Brocade, the Brocade B-weave logo, Fabric OS, File Lifecycle Manager, MyView, Secure Fabric OS, SilkWorm, and StorageX are registered trademarks and the Brocade B-wing symbol and Tapestry are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. FICON is a registered trademark of IBM Corporation in the U.S. and other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.


©2011 Brocade Communications i

Brocade Certified Network Engineer in a Nutshell Second Edition

Objective: The BCNE Nutshell guide is designed to help you prepare for the BCNE Certification, exam number 150-120.

Audience: The BCNE Nutshell self-study guide is intended for those who have successfully completed the ETH 101 and 103 training courses, and who wish to undertake self-study or review activities before taking the actual BCNE exam. The BCNE guide is not intended as a substitute for classroom training or hands-on time with Brocade products.

How to make the most of the BCNE guide: The BCNE guide summarizes the key topics on the BCNE exam for you in an easy-to-use format. It is organized closely around the exam objectives. We suggest this guide be used in conjunction with our free online knowledge assessment test, CNE 101-WBT BCNE Knowledge Assessment. To benefit from the BCNE guide, we strongly recommend you have successfully completed the Course# withFullName course.

We hope you find this useful in your journey towards BCNE Certification, and we welcome your feedback by sending an email to [email protected].

Joe Cannata, Certification Manager

BCNE in a Nutshell First Edition



Table of Contents

1 - Layer 1 Hardware Concepts ..... 1
    Implementing Power over Ethernet ..... 4
    Implementing Hardware Platforms and Features ..... 5

2 - Layer 2 Switching and Protocols ..... 7
    Layer 2 Protocols ..... 7
    Layer 2 Functionality ..... 14
    Virtual Local Area Network Implementations ..... 15
    Link Aggregation Implementations ..... 21

3 - General Layer 2 and Layer 3 Concepts ..... 24
    Ethernet Frame Format ..... 24
    Transparent Bridging and MAC Table ..... 24
    Address Resolution Protocol ..... 24
    Spanning Tree Protocol (STP) ..... 25
    Traffic Types ..... 26
    Routing ..... 26
    End-to-End Packet Flow ..... 27
    Virtual Router Redundancy Protocol - Enhanced ..... 31

4 - Routing Concepts ..... 35
    General Routing Concepts ..... 35
    Open Shortest Path First ..... 38
    Border Gateway Protocol ..... 43
    Multicast Routing ..... 46

5 - Access Control List Concepts ..... 48
    ACL Overview ..... 48

6 - Quality of Service Concepts ..... 51
    QoS Queueing Methods ..... 51

7 - Wireless Concepts ..... 52
    Wireless Protocols ..... 52

8 - Network Security, Management, and Monitoring ..... 54
    Network Monitoring ..... 54
    Network Management ..... 56
    Applying Security ..... 57
    Maintenance Procedures ..... 59


9 - Troubleshooting ..... 61
    Tools and Techniques ..... 61
    Analyzing Troubleshooting Output ..... 61

Taking the Test ..... 63


List of Figures

SFP Side View ..... 1
MAC Address OUI and Unique ID ..... 2
MAC Address Inside an Ethernet Frame ..... 2
Physical media cable types ..... 3
POE Implementation ..... 4
Per VLAN Spanning Tree ..... 8
802.1D STP Convergence ..... 9
STP Port States ..... 11
Fast Port Span ..... 12
Basic MRP Single-ring Topology ..... 13
UDLD ..... 14
Switch Frame Forwarding Methods ..... 15
Types of VLANs ..... 16
Private VLAN ..... 17
VLAN Tagging ..... 18
802.1Q Tagging (Packet Format) ..... 18
Dual-mode VLANs ..... 19
Inter-VLAN Routing ..... 20
Link Aggregation ..... 21
Dynamic Trunks ..... 23
Ethernet Frame Format ..... 24
ARP ..... 25
STP ..... 25
Default Routes ..... 27
End-to-End Flow Example 1 of 4 ..... 28
End-to-End Flow Example 2 of 4 ..... 29
End-to-End Flow Example 3 of 4 ..... 30
End-to-End Flow Example 4 of 4 ..... 31
VRRP-E ..... 32
Multiple VRRP-E Groups ..... 33
Subnetting ..... 37
OSPF Areas ..... 39
OSPF AS ..... 40
OSPF DR Election ..... 41
Redistribution ..... 43
BGP ..... 44
BGP Peer Establishment ..... 44
BGP Route Advertisement ..... 45
IP Multicast Mapping ..... 47
Standard ACL Example ..... 49
Policy-based Routing ..... 50
802.11b Spectrum ..... 52
Management Access ..... 54
CLI Prompts ..... 58


List of Tables

STP Port States ..... 10
Default Administrative Distances ..... 38


1 - Layer 1 Hardware Concepts

When you have completed reviewing this section, be sure you can do the following:

• Demonstrate knowledge of physical media

• Demonstrate knowledge of how to implement PoE

SFP Transceivers

The Small Form-factor Pluggable (SFP) is a compact, hot-pluggable transceiver used for both telecommunication and data communication applications. It interfaces a network device motherboard (for a switch, router, media converter, or similar device) to a fiber optic or copper networking cable. It is a popular industry format. SFP transceivers are designed to support SONET, gigabit Ethernet (GbE), Fibre Channel (FC), and other communications standards.

The standard also covers SFP+, which supports data rates up to 10 Gbps (including 8 Gbps Fibre Channel and 10 GbE). The SFP+ has the same form factor as a regular SFP. If copper is required, 1000 Mbit TX SFPs can be used on non-combo ports.

Figure 1: SFP Side View

Media Access Control (MAC) Address Format

• MAC Address is also known as:

- Ethernet address

- Physical address

- Data Link address

- Hardware address

- IEEE address

• A MAC address is not a logical address; it is a physical address burned into the Network Interface Controller (NIC) at the factory

- The MAC address is used to uniquely identify each node on the Ethernet network


• A MAC comprises 48 bits in 6 hex pairs: xx:xx:xx:yy:yy:yy

- The first 3 bytes (xx:xx:xx) represent the manufacturer’s IEEE registered Organizational Unique Identifier (OUI)

- The last 3 bytes (yy:yy:yy) represent a unique ID (all NICs must be unique)

Figure 2: MAC Address OUI and Unique ID

• MAC addresses can also be notated by three sets of four nibbles:

- 1234.5678.9abc

• The Destination Address (DA) and Source Address (SA) fields in an Ethernet frame each contain a MAC address

Figure 3: MAC Address Inside an Ethernet Frame
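The two notations above (colon-separated hex pairs and three groups of four nibbles) describe the same 48 bits, and the OUI/unique-ID split is a fixed 3-byte boundary. The following Python is an added example, not part of the guide: it parses either notation, splits out the OUI and unique ID, and normalizes a list of addresses so that the same NIC written two ways is caught as a duplicate. The sample addresses are constructed (two are the MAC values that appear in Figure 7 later in this guide, the rest are made up).

```python
import re

# Accepts the two notations the guide shows: six hex pairs separated by ":"
# (or "-"), xx:xx:xx:yy:yy:yy, and three dot-separated groups of four
# nibbles, 1234.5678.9abc.
_PAIRS = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")
_DOTTED = re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$")


def parse_mac(text):
    """Return the 6 raw bytes of a MAC address written in either notation."""
    s = text.strip().lower()
    if _PAIRS.match(s):
        return bytes.fromhex(re.sub(r"[:-]", "", s))
    if _DOTTED.match(s):
        return bytes.fromhex(s.replace(".", ""))
    raise ValueError("not a MAC address: %r" % text)


def to_colon(mac):
    """xx:xx:xx:yy:yy:yy form."""
    return ":".join("%02x" % b for b in mac)


def to_dotted(mac):
    """1234.5678.9abc form (three groups of four nibbles)."""
    h = mac.hex()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def split_mac(mac):
    """(OUI, unique ID): the first 3 bytes identify the manufacturer, the
    last 3 are assigned by that manufacturer and must be unique per NIC."""
    return mac[:3], mac[3:]


def describe(text):
    mac = parse_mac(text)
    oui, uid = split_mac(mac)
    return {"colon": to_colon(mac), "dotted": to_dotted(mac),
            "oui": to_colon(oui), "unique_id": to_colon(uid)}


def find_duplicates(addresses):
    """Return the colon-form MACs that appear more than once in `addresses`,
    whatever notation each entry used. A duplicate on one Ethernet segment
    breaks the 'each node is uniquely identified' assumption and is worth
    investigating."""
    seen, dups = {}, []
    for a in addresses:
        key = to_colon(parse_mac(a))
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 2:
            dups.append(key)
    return dups


# Constructed sample: the same address written in two notations, plus two
# others (one of them from a different OUI).
SAMPLE_TABLE = ["00:0E:80:01:90:06", "000e.8001.9006",
                "00-0E-80-0A-F0-06", "1234.5678.9abc"]

if __name__ == "__main__":
    for a in SAMPLE_TABLE:
        print(a, "->", describe(a))
    print("duplicates:", find_duplicates(SAMPLE_TABLE))
```

The parser is strict on purpose: anything that is not exactly 12 hex digits in one of the two layouts is rejected rather than guessed at, which is the behaviour you want before a MAC string is used as a lookup key in a MAC table or an access list.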

Cable Types

• Coaxial

- Thick

- Thin

• Twisted Pair (TP)

- Shielded (STP)

- Unshielded (UTP)

• UTP is less expensive and less resistant to noise than STP

• Fiber Optic

- Multi-mode

- Single mode


Figure 4: Physical media cable types

Basic Cabling Issues Terminology

The following are cabling issues:

• Noise is unwanted signals, or interference, from sources near network cabling, such as electrical motors, power lines and radar

• Attenuation is the amount of signal loss over a given distance

• Crosstalk is a type of interference caused by signals traveling on nearby wire pairs infringing on another pair’s signal

• Bend radius is the radius of the maximum arc into which you can loop a cable before you will cause transmission errors


• Latency is the delay between the transmission of a signal and its receipt

• Jitter is a variation in packet transit delay caused by queuing, contention and serialization effects on the path through the network

Implementing Power over Ethernet

Power over Ethernet (POE) devices are compliant with the IEEE 802.3af standard for delivering in-line power over existing network cabling infrastructure, enabling multicast-enabled, full-streaming audio and video applications for converged services such as Voice over IP (VoIP), WLAN access points, IP surveillance cameras, and other IP technology devices. POE technology eliminates the need for an electrical outlet and a dedicated UPS near IP powered devices. With power sourcing devices, power is consolidated and centralized in the wiring closets, improving the reliability and resiliency of the network. Because POE provides power over Ethernet through the cable, power is continuous, even in the event of a power failure. An error message is displayed if the attached device does not support POE.

Figure 5: POE Implementation

The following example displays the operational status:

Switch_A# show inline power
Power Capacity:    Total is 2160000 mWatts. Current Free is 18800 mWatts.
Power Allocations: Requests Honored 769 times
<truncated>
Port  Admin  Oper   ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
      State  State  Consumed  Allocated                          Error
--------------------------------------------------------------------------
4/1   On     On     5070      9500       802.3af  n/a       2    n/a
4/2   On     On     1784      9500       Legacy   n/a       3    n/a
4/3   On     On     2347      9500       802.3af  n/a       3    n/a
4/4   On     On     2441      9500       Legacy   n/a       3    n/a
4/5   On     On     6667      9500       802.3af  Class 3   3    n/a
4/6   On     On     2723      9500       802.3af  Class 2   3    n/a
<truncated>
--------------------------------------------------------------------------
Total        137367   242000
Grand Total  1846673  2127400
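As an added example (not from the guide), here is a small Python parser for the show inline power output above. It turns the port table into records and runs the checks an operator would run on it: per-port consumption against allocation, the fault column, powered devices detected as Legacy rather than 802.3af-classified, and how much of the free budget is left. The sample text is constructed from the six rows shown above; the 9500 mW per-port allocation used for the headroom estimate is taken from those rows, and the audit rules are this example's own, not a Brocade feature.

```python
import re

# Constructed sample laid out like the guide's "show inline power" output;
# only the six port rows the guide shows are included.
SAMPLE = """\
Switch_A# show inline power
Power Capacity:    Total is 2160000 mWatts. Current Free is 18800 mWatts.
Power Allocations: Requests Honored 769 times
Port  Admin  Oper   ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
      State  State  Consumed  Allocated                          Error
--------------------------------------------------------------------------
4/1   On     On     5070      9500       802.3af  n/a       2    n/a
4/2   On     On     1784      9500       Legacy   n/a       3    n/a
4/3   On     On     2347      9500       802.3af  n/a       3    n/a
4/4   On     On     2441      9500       Legacy   n/a       3    n/a
4/5   On     On     6667      9500       802.3af  Class 3   3    n/a
4/6   On     On     2723      9500       802.3af  Class 2   3    n/a
--------------------------------------------------------------------------
Total        137367   242000
Grand Total  1846673  2127400
"""

_CAPACITY = re.compile(r"Total is (\d+) mWatts\. Current Free is (\d+) mWatts")
# One port row: port, admin, oper, consumed, allocated, PD type, PD class,
# priority, fault/error.
_PORT_ROW = re.compile(
    r"^(\d+/\d+)\s+(On|Off)\s+(On|Off)\s+(\d+)\s+(\d+)\s+(\S+)\s+"
    r"(Class \d|n/a)\s+(\d)\s+(\S+)$")


def parse_inline_power(text):
    """Parse the capacity line and the per-port rows into plain dicts."""
    cap = _CAPACITY.search(text)
    if cap is None:
        raise ValueError("no Power Capacity line found")
    ports = []
    for line in text.splitlines():
        m = _PORT_ROW.match(line.strip())
        if m:
            ports.append({
                "port": m.group(1), "admin": m.group(2), "oper": m.group(3),
                "consumed": int(m.group(4)), "allocated": int(m.group(5)),
                "pd_type": m.group(6), "pd_class": m.group(7),
                "priority": int(m.group(8)), "fault": m.group(9)})
    return {"capacity_total": int(cap.group(1)),
            "capacity_free": int(cap.group(2)), "ports": ports}


def audit(report):
    """Flag ports worth a look: a powered device drawing more than it was
    allocated, a port reporting a fault, and ports powered via legacy
    (pre-standard) detection rather than 802.3af classification."""
    findings = []
    for p in report["ports"]:
        if p["oper"] == "On" and p["consumed"] > p["allocated"]:
            findings.append((p["port"], "consumed exceeds allocation"))
        if p["fault"] != "n/a":
            findings.append((p["port"], "fault: " + p["fault"]))
        if p["pd_type"] == "Legacy":
            findings.append((p["port"], "legacy PD, not 802.3af classified"))
    return findings


def ports_that_fit(report, per_port_mw=9500):
    """How many more PDs at `per_port_mw` allocation the free budget covers."""
    return report["capacity_free"] // per_port_mw


if __name__ == "__main__":
    r = parse_inline_power(SAMPLE)
    print("ports parsed:", len(r["ports"]), "free mW:", r["capacity_free"])
    for port, why in audit(r):
        print(port, why)
    print("additional 9500 mW PDs that fit:", ports_that_fit(r))
```

Note that the Total and Grand Total lines cover ports the guide's output truncates, so the example does not try to reconcile them with the six visible rows; it only sums what it actually parsed.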


POE Cabling Requirements

The 802.3af standard currently supports POE on 10/100/1000 Mbps Ethernet ports operating over standard Category 5 unshielded twisted pair (UTP) cable or better. If your network uses cabling categories less than 5, you cannot implement POE without first upgrading your cables to CAT 5 UTP or better.

Implementing Hardware Platforms and Features

Identifying Code Versions

Brocade products run one of three types of images:

• Router code

• Switch code

• ServerIron code

Use the show version command to view the current running code version:

SW-Switch# show version
Copyright (c) 1996-20107 Brocade Communications Systems, Inc.
Unit 1: Compiled on Mar 17 2010 at 19:15:26 labeled as FCXS07001b
  (3805331 bytes) from Primary FCXS070001b.bin
  SW: Version 07.0.01bT7f1
<truncated output>

Check the configuration guide for the specific hardware platform to identify the correct code and version.

File Management

You can specify which partition to boot from using the boot system flash command. When the boot happens is determined by the level at which the command is issued. For example, issuing it from the Privileged level causes the command to execute immediately:

SW-Switch# boot system flash primary
SW-Switch# boot system flash secondary

Issuing from the Config level causes the command to execute at the next scheduled reload or reboot and allows for the command to be persistently stored in the startup configuration file:

SW-Switch(config)# boot system flash secondary
SW-Switch(config)# write memory
SW-Switch(config)# exit
SW-Switch# reload at 00:00:15 01-01-12

Besides the flash partitions, the system can be booted from either a TFTP server or a BootP server. The following command example, typed at the privileged EXEC level, boots the system from the TFTP server at 192.22.33.44 using the vm1r07501.bin file.

SW-Switch# boot system tftp 192.22.33.44 vm1r07501.bin

After booting from a TFTP server, the booted image file should be copied from the TFTP server to primary flash when the boot is completed, so that the next system boot maintains the current functions independent of the TFTP server connection.


The secondary partition of the flash card may be used as the storage space for upgrade code. If the image is on the TFTP server, the code may be transferred to the switch’s flash card. Then the switch may be booted from the image stored on the flash card.

The following command example transfers the image between the TFTP server and the flash card, from the privileged EXEC level:

SW-Switch# copy tftp flash 192.22.33.44 vm1r07501.bin secondary

Once copied to the switch, issue the reload command to reboot the switch using the new image:

SW-Switch# reload

Digital Optical Monitoring

You can have a Brocade device monitor the optical transceivers in the system, either globally or on specified ports. When this feature is enabled, the system monitors the temperature and signal power levels of the optical transceivers in the specified ports. Console messages and syslog messages are sent when optical operating conditions fall below or rise above the XFP or SFP manufacturer's recommended thresholds.

To enable optical monitoring on all Brocade-qualified optics installed in the device, use the command:

FastIron(config)#optical-monitor

To enable optical monitoring on a port or a range of ports, use the following command:

FastIron(config)#interface ethernet 1/1 to 1/2
FastIron(config-mif-e10000-1/1-1/2)#optical-monitor


2 - Layer 2 Switching and Protocols

When you have completed reviewing this section, be sure you can do the following:

• Describe Layer 2 protocols

• Describe Layer 2 functionality

• Describe the different VLAN implementations

Layer 2 Protocols

A protocol is a set of rules that governs the communications between computers on a network.

These rules include guidelines that regulate the following characteristics of a network:

• Access method

• Allowed physical topologies

• Transport medium

• Speed of data transfer

Per VLAN Spanning Tree (PVST)

In environments with multiple VLANs, the Per VLAN Spanning Tree (PVST) protocol may be used. Brocade Layer 2 and Layer 3 switches support standard STP as described in the IEEE 802.1D specification. PVST is enabled within each VLAN as it is enabled on an L2 switch. The enhanced PVST+ support in release 07.6.01 allows a Brocade device to interoperate with PVST spanning trees and the IEEE 802.1Q spanning tree at the same time. IEEE 802.1Q and PVST regions cannot interoperate directly but can interoperate indirectly through PVST+ regions. PVST has the following characteristics:

• Each VLAN has its own Spanning Tree instance

• Each VLAN has its own root bridge

• Ports blocked by one STP instance can be used by another STP instance


Figure 6: Per VLAN Spanning Tree

The Root Bridge

When STP begins, a selection process is made to determine which redundant paths keep forwarding user traffic and which ones are shut down. BPDUs are sent.

The switch with the lowest Bridge ID (BID) becomes the root bridge. All Brocade switches have the default bridge priority 32768. If that is the case, the lowest MAC address is used. In Figure 7, Switch#1 is the Root Bridge because its Bridge Priority is the lowest; if all three switches have the same Bridge Priority, then Switch#3 will be the Root Bridge because its MAC address is the lowest.

After the election, each switch determines the shortest path to the root bridge. The switch port with the best path to the root bridge is the Root Port (RP). The path cost is based on the bandwidth: the higher the bandwidth, the lower the cost. When multiple switches share a connection that is not a root port, one of their ports becomes the Designated Port (DP) and the other ports are blocked.

• Bridge ID = Bridge Priority + MAC address


The switch with the lowest BID wins and becomes the Root Bridge. If Bridge Priorities are the same, the switch with the lowest MAC address wins and becomes the Root Bridge.

Figure 7: 802.1D STP Convergence
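The election rule above (Bridge ID = Bridge Priority + MAC address, lowest wins, MAC breaks priority ties) is easy to get wrong when comparing by hand, so here it is as an added Python example that is not from the guide. It reproduces both outcomes the text describes for Figure 7, shows the "lower the priority of the switch you want as root" adjustment, and adds a simple check that the switch you intended to be root actually won. Switch#1 being root with Priority:0 and Switch#3 owning the lowest MAC (00:0E:80:01:90:06) are taken from the figure; which of the other two MACs in the figure belongs to Switch#1 or Switch#2 is an assumption made here.

```python
DEFAULT_PRIORITY = 32768  # default bridge priority on Brocade switches


def mac_to_int(mac):
    """Accept xx:xx:xx:xx:xx:xx, xx-xx-... or 1234.5678.9abc; a numerically
    lower value is the 'lower MAC address' the election rule refers to."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def bridge_id(priority, mac):
    """Bridge ID = Bridge Priority + MAC address. Python compares tuples
    element by element, so priority decides first and the MAC breaks ties."""
    return (priority, mac_to_int(mac))


def elect_root(switches):
    """switches: {name: (priority, mac)}. The lowest Bridge ID wins."""
    return min(switches, key=lambda n: bridge_id(*switches[n]))


def with_equal_priority(switches, priority=DEFAULT_PRIORITY):
    """Same switches with every priority reset to the default, so the
    election is decided purely on MAC address."""
    return {n: (priority, mac) for n, (_, mac) in switches.items()}


def force_root(switches, name, priority=0):
    """Lower the numeric priority of the switch you want as root (as the
    guide recommends) and return the resulting root."""
    out = dict(switches)
    out[name] = (priority, switches[name][1])
    return elect_root(out)


def unexpected_root(expected, switches):
    """Operator's check: None if the intended switch is root, otherwise the
    name of the bridge that won instead (a cue to find out what changed)."""
    actual = elect_root(switches)
    return None if actual == expected else actual


# Values from Figure 7 where legible; the MAC-to-switch mapping for
# Switch#1 and Switch#2 is assumed (the figure only fixes Switch#3's MAC).
FIGURE7 = {
    "Switch#1": (0,   "00:0E:80:0A:F0:06"),  # Root Bridge (Priority:0)
    "Switch#2": (100, "00:0E:80:01:F0:06"),
    "Switch#3": (200, "00:0E:80:01:90:06"),  # lowest MAC address
}

if __name__ == "__main__":
    print("root:", elect_root(FIGURE7))
    print("root with equal priorities:",
          elect_root(with_equal_priority(FIGURE7)))
    print("unexpected root:",
          unexpected_root("Switch#1", with_equal_priority(FIGURE7)))
```

Running it prints Switch#1 as root with the figure's priorities and Switch#3 once all priorities are equal, matching the text. The unexpected_root check is the part worth keeping around: feeding it the bridge IDs you see in show spanning-tree output tells you at a glance whether the root has drifted from the switch you designed the topology around.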

Bridge Protocol Data Units (BPDUs)

BPDUs are data messages that are exchanged across switches within a LAN and VLAN to form and maintain a Spanning Tree Protocol topology (Spanning Tree is on by default on switches, but off by default on routers). The BPDU data messages are exchanged across bridges to detect loops in a network topology. The loops are then removed by blocking selected bridge ports and placing redundant switch ports in a backup or blocked state. BPDUs contain information about switches, ports, addresses, priorities, and costs.

The following are BPDU types:

• Configuration BPDU

Generated only by the root bridge and sent to non-root bridges, it provides a method of distributing election information across the L2 domains and controls reconvergence after a link has been broken.

• Topology Change Notification (TCN) BPDU

TCNs are generated by non-root bridges and sent towards the root bridge. Their purpose is to indicate that one of their data forwarding ports has been broken and a new forwarding path needs to be provided.

[Figure 7 labels: Switch#1 is the Root Bridge (Priority:0); the other two switches are labeled Priority:100 and Priority:200; Switch#3 has MAC address 00:0E:80:01:90:06, and the other MAC addresses shown are 00:0E:80:0A:F0:06 and 00:0E:80:01:F0:06; port roles are marked DP (Designated Port) and RP (Root Port).]


BPDU exchanges result in the following:

• One switch is elected as the root switch

• The shortest distance to the root switch is calculated by each switch

• A designated switch is selected. This is the switch closest to the root switch through which user traffic/frames will be forwarded to the root

• A root port for each switch is selected. This is the port providing the best path from the switch to the root switch

• A designated port for each LAN segment is selected. This is the port providing the best path from the LAN segment to the root switch.

• Ports included in the Spanning-Tree Protocol are selected

• If all switches are enabled with default settings, the switch with the lowest MAC address in the network becomes the root switch. Assume that Switch 1 has the lowest MAC address and is therefore the root switch. Due to traffic patterns, number of forwarding ports, or line types, Switch 1 might not be the ideal root switch. By increasing the priority (lowering the numerical priority value) of the ideal switch so that it becomes the root switch, you force a Spanning-Tree Protocol recalculation to form a new, stable topology.

STP Port States

In the Spanning Tree algorithm, a port transitions through the states listed in Table 1 to determine whether it forwards or blocks data traffic.

Table 1: STP Port States

Listening: Blocks traffic, listens for BPDUs, and builds the STP tree topology to ensure there are no loops in the network. Creation of the STP topology within a particular VLAN involves election of the root bridge and of a designated bridge for each LAN segment inside the VLAN. When the forwarding timer expires, a port classified as either a Root Port (RP) or a Designated Port (DP) moves to the Learning state; a port with no designation moves to the Blocking state.

Learning: RPs and DPs continue to block data traffic while the switches learn MAC addresses and build their MAC tables.

Forwarding: The second expiration of the forwarding timer moves RPs and DPs to the Forwarding state, where they start forwarding traffic.

Blocking: Data traffic is blocked on a non-designated port, but BPDUs are still allowed to circulate.


You can change the bridge priority, port priority, and path cost so that a predetermined outcome occurs in the election process (Learning state).

Figure 8: STP Port States

Fast Port Span

When STP is running on a device, message forwarding is delayed during the spanning tree recalculation period following a topology change. The STP forward delay parameter specifies the period of time a bridge waits before forwarding data packets. The forward delay controls the listening and learning periods of STP reconvergence. You can configure the forward delay to a value from 4–30 seconds. The default is 15 seconds. With the default forward delay, convergence therefore requires at least 30 seconds (15 seconds for listening and an additional 15 seconds for learning).

The Fast Port Span feature allows certain ports to enter the forwarding state in four seconds. It allows faster convergence on ports that are attached to end stations and do not cause Layer 2 forwarding loops. Because the end stations cannot cause forwarding loops, they can safely go through the STP state changes (blocking to listening to learning to forwarding) more quickly than is allowed by the standard STP convergence time.

Figure 8 (text residue) shows the sequence: Port initialization → Listening state (15 sec; the port role is established as Root Port, Designated Port or Non-Designated) → Learning state (15 sec; Root and Designated Ports receive data traffic and populate the MAC table, while Non-Designated Ports are Blocked and their MAC table remains empty) → Forwarding state (Root and Designated Ports send and receive data traffic); Non-Designated Ports remain in the Blocking state.


Figure 9: Fast Port Span

Fast Port Span performs the convergence on these ports in four seconds (two seconds for listening and two seconds for learning). In addition, Fast Port Span enhances overall network performance in the following ways:

• Reduces the number of STP topology change notifications on the network

• Eliminates unnecessary MAC cache aging that can be caused by topology change notifications

• When STP sends a topology change notification, devices that receive the notification use the value of the STP forward delay to quickly age out their MAC caches

• If a port matches any of the following criteria, it is ineligible for Fast Port Span and uses normal STP instead:

- The port is 802.1Q tagged (refer to “802.1Q Tagging” on page 17)

- The port is a member of a trunk group

- The port has learned more than one active MAC address

- An STP configuration BPDU has been received on the port, thus indicating the presence of another bridge on the port

Topology Groups

A topology group is a named set of VLANs that share a Layer 2 topology. Topology groups simplify configuration and enhance scalability of Layer 2 protocols by allowing you to run a single instance of a Layer 2 protocol on multiple VLANs. You can use topology groups with the following Layer 2 protocols:

• Spanning Tree Protocol (STP)

• Metro Ring Protocol (MRP)

• Virtual Switch Redundancy Protocol (VSRP)

• Rapid Spanning Tree Protocol (802.1w)


MRP (Metro Ring Protocol) is a Brocade proprietary protocol that prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies. It is an alternative to STP and is especially useful in Metropolitan Area Networks (MANs) where using STP has the following drawbacks:

• STP allows a maximum of seven nodes. Metro rings can easily contain more nodes than this

• STP has a slow re-convergence time, taking many seconds or even minutes. MRP can detect and heal a break in the ring in sub-second time

A ring interface can have one of the following MRP states:

• Preforwarding: The interface can forward Ring Health Packets (RHPs), but cannot forward data. All ring ports are in this state when you enable MRP.

• Forwarding: Each member interface remains in the Forwarding state

• Blocking: The Blocking interface on the Master node has a dead timer. If the dead time expires before the interface receives one of its ring's RHPs, the interface changes state to Preforwarding. One of the following occurs once the secondary interface changes its state to Preforwarding:

- If the interface receives an RHP, the interface changes back to the Blocking state and resets the dead timer.

- If the interface does not receive an RHP for its ring before the Preforwarding time expires, the interface changes to the Forwarding state

- If the link between shared interfaces breaks, the secondary interface on the master node changes to a Preforwarding state.

The ring in Figure 10 consists of four MRP nodes (Brocade switches). Each node has two interfaces with the ring. Each node is also connected to a separate customer network. The nodes forward Layer 2 traffic to and from the customer networks through the ring. The ring interfaces are all in one port-based VLAN. Each customer interface can be in the same VLAN as the ring, or in a separate VLAN.

One node is configured as the master node of the MRP ring. One of the two interfaces on the master node is configured as the primary interface; the other is the secondary interface. The primary interface originates Ring Health Packets (RHPs), which are used to monitor the health of the ring. An RHP is forwarded on the ring to the next interface until it reaches the secondary interface of the master node. The secondary interface blocks the packet to prevent a Layer 2 loop.
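To make the three interface states and the two timers concrete, here is a small Python model of the master node's secondary interface. It is an added example, not Brocade's MRP implementation: the timer values, the one-second tick, and the rule that an RHP arriving in any state returns the interface to Blocking (so a healed ring is re-blocked) are assumptions made for illustration, following the state descriptions above.

```python
from enum import Enum


class State(Enum):
    PREFORWARDING = "Preforwarding"  # forwards RHPs only; all ring ports start here
    FORWARDING = "Forwarding"        # forwards data traffic
    BLOCKING = "Blocking"            # secondary port: data blocked, RHPs absorbed


class MasterSecondaryPort:
    """Simplified model (an assumption, not the vendor state machine) of the
    secondary ring interface on the MRP master node."""

    def __init__(self, dead_time=3, preforwarding_time=3):
        self.dead_time = dead_time                    # seconds without an RHP before reacting
        self.preforwarding_time = preforwarding_time  # seconds to wait before unblocking
        self.state = State.PREFORWARDING
        self.timer = preforwarding_time
        self.history = [self.state]

    def _set(self, state, timer):
        if state is not self.state:
            self.history.append(state)
        self.state, self.timer = state, timer

    def rhp_received(self):
        # An RHP originated on the primary interface and travelled the whole
        # ring: the ring is intact, so block data here (no Layer 2 loop) and
        # reset the dead timer.
        self._set(State.BLOCKING, self.dead_time)

    def tick(self, seconds=1):
        """Advance time; return the resulting state."""
        self.timer -= seconds
        if self.timer > 0 or self.state is State.FORWARDING:
            return self.state
        if self.state is State.BLOCKING:
            # Dead timer expired with no RHP: the ring may be broken.
            self._set(State.PREFORWARDING, self.preforwarding_time)
        elif self.state is State.PREFORWARDING:
            # Still no RHP when the preforwarding time expires: unblock so
            # customer traffic can use the other direction around the ring.
            self._set(State.FORWARDING, 0)
        return self.state


def run(events, **kwargs):
    """Feed a sequence of 'rhp' / 'tick' events and return the states visited."""
    port = MasterSecondaryPort(**kwargs)
    for ev in events:
        if ev == "rhp":
            port.rhp_received()
        else:
            port.tick()
    return [s.value for s in port.history]
```

For example, `run(["rhp"] + ["tick"] * 6)` walks Preforwarding → Blocking → Preforwarding → Forwarding: the first RHP blocks the port, three ticks without an RHP expire the dead timer, and three more expire the preforwarding time. An RHP that arrives while the port is Preforwarding returns it to Blocking, which is the sub-second healing behaviour the text contrasts with STP.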

Figure 10: Basic MRP Single-ring Topology


You can display the following MRP information:

• Topology group configuration information

• Ring configuration information and statistics

Layer 2 Functionality

Clearing MAC Address Entries

You can remove learned MAC address entries from the MAC address table. The types of MAC addresses that can be removed are:

• All MAC address entries

• All MAC address entries for a specified Ethernet port

• All MAC address entries for a specified VLAN

• A specified MAC address entry in all VLANs

Running the clear mac-address command without any parameters will remove all MAC address entries.

UniDirectional Link Detection

UniDirectional Link Detection (UDLD) is a Layer 2 protocol that monitors the physical condition of cables and detects unidirectional links resulting from a cable failure. If it is enabled on a switch or a router, the UDLD packets are generated and processed by the device's CPU. If the link goes down at any point between two devices, UDLD brings the ports on both ends of the link down.

Figure 11: UDLD

Switch Frame Forwarding Methods

• Store-and-forward

The switch buffers and, typically, performs a checksum on each frame before forwarding it on.

Store-and-forward switching means that the switch copies each complete frame into the switch memory buffers and computes a cyclic redundancy check (CRC) for errors. CRC is an error-checking method that uses a mathematical formula, based on the number of bits (1s) in the frame, to determine whether the received frame is corrupted. If a CRC error is found, the frame is discarded. If the frame is error free, the switch forwards the frame out the appropriate interface port.


• Cut-through

The switch reads only up to the frame's hardware address before starting to forward it. There is no error checking with this method.

Cut-through switching means that the switch copies into its memory only the destination MAC address, which is located in the first 6 bytes of the frame following the preamble. The switch looks up the destination MAC address in its forwarding table, determines the outgoing interface port, and forwards the frame on to its destination through the designated switch port. This method will not detect runt frames.

Figure 12: Switch Frame Forwarding Methods

• Fragment-free

Another alternative is Fragment-free switching, which works like cut-through switching with the exception that a switch in fragment-free mode stores the first 64 bytes of the frame before forwarding. This can be viewed as a hybrid/compromise between store-and-forward switching and cut-through switching. The reason fragment-free switching stores only the first 64 bytes of the frame is that most network errors and collisions occur within the first 64 bytes of a frame.
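The three methods differ in how much of the frame the switch inspects before deciding, which is also what decides which bad frames get through. The following Python example is added here and is not from the guide: it builds minimal Ethernet frames with a real FCS (CRC-32, the same polynomial zlib uses, transmitted least significant byte first), then applies each forwarding decision to a good frame, a frame with one flipped bit, and a runt. The forwarding database and the MAC addresses are constructed (the addresses are borrowed from the show mac-address output later in this guide).

```python
import zlib

# Constructed forwarding database: destination MAC -> egress port.
FDB = {bytes.fromhex("000480382f24"): 15}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with a valid FCS (preamble/SFD omitted)."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    # FCS = CRC-32 from destination MAC to end of payload, LSB first on the wire.
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def store_and_forward(frame, fdb=FDB):
    # Buffers the whole frame, verifies the CRC, only then looks up the
    # destination.  A corrupted frame is discarded (None).
    if not fcs_ok(frame):
        return None
    return fdb.get(bytes(frame[0:6]), "flood")


def cut_through(frame, fdb=FDB):
    # Decides on the first 6 bytes alone: no CRC check, and runts are forwarded.
    return fdb.get(bytes(frame[0:6]), "flood")


def fragment_free(frame, fdb=FDB):
    # Waits for the first 64 bytes, so collision fragments (runts) are dropped,
    # but a full-length frame with a bad CRC is still forwarded.
    if len(frame) < 64:
        return None
    return fdb.get(bytes(frame[0:6]), "flood")


def sample_frames():
    """Constructed test frames: a good one, a bit-flipped one, and a runt."""
    dst = bytes.fromhex("000480382f24")
    src = bytes.fromhex("00105a86b159")
    good = build_frame(dst, src, 0x0800, b"A" * 46)     # 64 bytes: minimum frame
    corrupt = bytearray(good)
    corrupt[20] ^= 0x01                                  # flip one payload bit
    runt = build_frame(dst, src, 0x0800, b"A" * 10)      # 28 bytes: collision fragment
    return {"good": good, "corrupt": bytes(corrupt), "runt": runt}
```

Running the three functions over `sample_frames()` shows the trade-off in one table: store-and-forward drops the corrupted frame and forwards the runt only if its CRC is intact, cut-through forwards both, and fragment-free drops the runt but passes the corrupted 64-byte frame to port 15.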

Virtual Local Area Network Implementations

A Virtual LAN (VLAN) is a logical subgroup within a local area network (LAN) that is created through software rather than manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to and allows traffic to flow more efficiently within populations of mutual interest. VLANs have the following characteristics:

• Create a broadcast domain

• Are configured through software

• Are implemented in port switching, hubs and LAN switches

By default, all Brocade switch ports are members of VLAN 1. VLANs reduce the time it takes to implement moves, adds and changes. Layer 3 VLANs require that all members are in the same port-based VLAN.


There are two main types of VLANs:

• Layer 2 port-based VLANs

A group of ports which constitutes a Layer 2 broadcast domain.

• Layer 3 protocol-based VLAN

A subset of ports within a Layer 2 port-based VLAN organized according to the Layer 3 protocol type.

Figure 13: Types of VLANs

Private VLANs

Platform support:

• FastIron X Series devices running software release 02.4.00 and later

• FGS and FLS devices running software release

• FGS-STK and FLS-STK devices running software release 05.0.00 and later

• FWS devices running software release 04.3.00 and later

By default, a private VLAN does not forward broadcast or unknown-unicast packets from outside sources into the private VLAN. If needed, you can override this behavior for broadcast packets, unknown-unicast packets, or both. You can configure a combination of the following types of private VLANs:

• Primary: The primary private VLAN ports are “promiscuous”. They can communicate with all the isolated private VLAN ports and community private VLAN ports in the isolated and community VLANs that are mapped to the promiscuous port.

• Isolated: Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN

Figure 13 (text residue): L2 port-based VLAN 20 containing L3 protocol-based VLANs for IPv4, IPv6 and IPX.


• Community: Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN

Figure 14: Private VLAN

Each private VLAN must have a primary VLAN. The primary VLAN is the interface between the secured ports and the rest of the network. The private VLAN can have any combination of community and isolated VLANs.

• You cannot configure isolated, community, or primary VLANs on 802.1Q tagged ports

• Normally, in any port-based VLAN, the device floods unknown unicast, unregistered multicast, and broadcast packets in hardware, although selective packets, such as IGMP, may be sent only to the CPU for analysis, based on the IGMP snooping configuration.

• When protocol or subnet VLANs, or private VLAN mappings are enabled, the device floods unknown unicast, unregistered multicast, and broadcast packets in software

802.1Q Tagging

When you create a VLAN on a switch, you need to determine which of its ports participate in that VLAN. The two types of membership are:

• Tagged: the switch adds an extra 4 bytes to the Ethernet frame, called the 802.1Q header

- Allows multiple port based VLANs to span switches over a single physical link

• Untagged: the switch keeps track of this port as a member of the VLAN

802.1Q tagging is an IEEE standard that allows a networking device to add information to a Layer 2 frame in order to identify its VLAN membership. A port can belong to only one port-based VLAN, unless 802.1Q tagging is applied to the port.

802.1Q tagging allows the port to add a four-byte field, which contains the VLAN ID, to each frame sent on the port. Port-based VLANs can also be configured to span multiple devices by tagging the ports within the VLAN. The tag enables each device that receives the frame to determine to which VLAN the frame belongs. 802.1Q tagging applies only to Layer 2 VLANs.

Figure 14 (text residue): Port-Based VLAN containing a Private VLAN; forwarding among Private VLAN ports.


Figure 15: VLAN Tagging

The tag contains the TPID, which identifies the frame as tagged; the value of the TPID is 0x8100. The tag also contains the VLAN ID of the VLAN from which the packet is sent, which is determined by the VLAN on which the packet is being forwarded. Three bits are reserved for the priority (802.1p).

Figure 16: 802.1Q Tagging (Packet Format)
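The packet format in Figure 16 can be checked byte for byte. The following Python example is added here and is not from the guide: it inserts an 802.1Q header (TPID 0x8100, 3-bit priority, drop-eligible bit, 12-bit VLAN ID) after the source MAC, parses it back, and classifies a received frame the way a dual-mode port (one untagged VLAN plus tagged VLANs) would. The sample frame contents, VLAN numbers and the `ingress_vlan` helper are assumptions for illustration; the FCS is omitted so the frames stay short.

```python
TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks a frame as tagged


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header after the source MAC (frame has no FCS)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID is a 12-bit field")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big") + frame[12:]


def parse_vlan_tag(frame: bytes):
    """Return the tag fields of a tagged frame, or None for an untagged frame."""
    if len(frame) < 18 or int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return None
    tci = int.from_bytes(frame[14:16], "big")
    return {
        "vid": tci & 0x0FFF,       # 12-bit VLAN ID
        "pcp": tci >> 13,          # 3-bit 802.1p priority
        "dei": (tci >> 12) & 0x1,  # drop-eligible indicator
        "ethertype": int.from_bytes(frame[16:18], "big"),  # type of the payload after the tag
    }


def ingress_vlan(frame: bytes, port_untagged_vlan: int, port_tagged_vlans=()):
    """Classify a received frame as a dual-mode port would (assumed model):
    untagged frames join the port's untagged VLAN; tagged frames join their
    VID only if the port is a tagged member of it, otherwise they are dropped."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return port_untagged_vlan
    return tag["vid"] if tag["vid"] in port_tagged_vlans else None


def sample_frames():
    # Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType 0x0800, payload.
    untagged = (bytes.fromhex("000480382f24") + bytes.fromhex("00105a86b159")
                + b"\x08\x00" + b"A" * 46)
    tagged = add_vlan_tag(untagged, vid=20, pcp=5)
    return untagged, tagged
```

With the dual-mode configuration from the next section in mind (port e6 untagged in VLAN 10, tagged in VLAN 20), `ingress_vlan(untagged, 10, (20,))` returns 10, the tagged frame returns 20, and a frame tagged with a VLAN the port is not a member of returns None.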

The following command sequence example configures a VLAN and assigns an IP address to a VE for VLAN 14:

NetIron(config)# vlan 14
NetIron(config-vlan-14)# untag ethernet 1/1 to 1/12
NetIron(config-vlan-14)# router-interface ve 1
NetIron(config-vlan-14)# exit
NetIron(config)# interface ve1
NetIron(config-vif-1)# ip address 192.123.22.1 255.255.255.0


Dual-mode Port VLANs

Configuring a tagged port as a dual-mode port allows it to accept and transmit both tagged and untagged frames.

Figure 17: Dual-mode VLANs

In Figure 17, port e6 is running in dual mode. Port e6 has tagged membership in VLAN 20 and untagged membership in VLAN 10. The network includes an IP phone that typically has a two-port switch built into it. One port on the IP phone has 802.1Q capability, and the other carries untagged traffic. Thus, frames from both the PC and the phone travel between the phone and the switch. The following command example shows how to configure the dual-mode port:

BigIron(config)# vlan 10
BigIron(config-vlan-10)# tagged e6
BigIron(config-vlan-10)# untagged e34
BigIron(config)# vlan 20
BigIron(config-vlan-20)# tagged e6
BigIron(config-vlan-20)# tagged e49
BigIron(config)# interface e6
BigIron(config-if-e100-6)# dual-mode 10

Following are a few rules to remember when configuring dual-mode VLANs:

• You can configure private VLANs and dual-mode VLAN ports on the same device

• Dual-mode VLAN ports cannot be members of private VLANs


Inter-VLAN Routing Configuration Steps

Routing between VLANs is accomplished by defining a virtual router interface, and assigning an IP address to the virtual interface. Hosts within the subnet set their default gateway to the IP address that has been assigned to the virtual interface.

1. Create VLANs

2. Define a virtual interface (VE) for each VLAN

3. Assign an IP address to each VE

Figure 18: Inter-VLAN Routing

Based on the diagram shown in Figure 18, the following command sequence is an example of how to configure inter-VLAN routing:

FastIron(config)# vlan 22
FastIron(config-vlan-22)# untag ethernet 1 to 16
FastIron(config-vlan-22)# router-interface ve 1
FastIron(config)# interface ve1
FastIron(config-vif-1)# ip address 192.123.22.1/24

FastIron(config)# vlan 44
FastIron(config-vlan-44)# untag ethernet 33 to 48
FastIron(config-vlan-44)# router-interface ve 2
FastIron(config)# interface ve2
FastIron(config-vif-2)# ip address 192.123.44.1 255.255.255.0


Link Aggregation Implementations

Trunking is another term for Link Aggregation. Link Aggregation allows an administrator to combine multiple Ethernet links into a larger logical trunk known as a Link Aggregation Group (LAG). The switch treats the trunk as a single logical link. The physical links must all be the same speed and duplex setting and must connect to the same adjacent switch, including stackable switches¹.

LAG requirements, such as the number of links in the LAG and specific port boundaries², may vary between platforms. Always check what is supported at both ends.

The rules for LAGs are heavily dependent on the hardware type and code version in use. For further information, refer to the configuration guide for the device. All interface parameters in a LAG must match, including:

• Port tag type (tagged/untagged)

• Configured port speed³ and duplex

• QoS priority

Brocade switches support the use of static and dynamic LAGs on the same device⁴, but can use only one type of LAG for any given port.

Figure 19: Link Aggregation

In addition to traffic load sharing, trunk groups provide redundant, alternate paths for traffic if any of the segments fail.

1. Link Aggregation Groups are also referred to as: Ethernet trunk, NIC Teaming, Port Channel, Port Teaming, Port Trunking, Link Bundling, EtherChannel, Multi-Link Trunking (MLT), DMLT, SMLT, DSMLT, R-SMLT, NIC bonding, Network Fault Tolerance (NFT), and Fast EtherChannel.

2. Multi-Chassis Trunking is a technology that allows multiple switches to appear as a single logical switch connecting to another switch using a standard LAG. Since the technology is an enhancement to the standard LAG protocol, a single MCT-unaware server or switch using a standard LAG trunk can connect to two MCT-aware switches, and the traffic is dynamically load balanced. For more information on this topic, please refer to the FastIron Configuration Guide for the particular platform.

3. Each port in the LAG operates at the speed of the slowest link. For example, if one LAG is created with 2 ports and one is running at 10 Gbps and the other is running at 1 Gbps; each link operates at 1 Gbps. This behavior occurs if the ports are configured to auto and negotiate to different speeds.

4. Multiple LAGs can be created on a switch with some of them being static LAGs and some of them being dynamic LAGs. A single port can only be part of one LAG type.


• Benefits of trunking:

- Load-sharing

- Redundancy

There are two types of trunking:

• Static trunking

- Manually configured aggregate links containing multiple ports

• Dynamic Trunking: (802.3ad Link Aggregation)

- Dynamically created and managed trunk groups using Link Aggregation Control Protocol (LACP)

Trunking can be established between Brocade Layer 2/3 switches, or between a switch and a server.

Dynamic Trunking

Brocade software supports the IEEE 802.3ad standard for link aggregation. This standard describes the Link Aggregation Control Protocol (LACP), a mechanism for allowing ports on both sides of a redundant link to form a trunk link (aggregate link), without the need for manual configuration of the ports into trunk groups. When you enable link aggregation on a group of Brocade ports, the Brocade ports can negotiate with the ports at the remote ends of the links to establish trunk groups. To display link aggregation information, including the key for all ports on which link aggregation is enabled, enter the following command at any level of the CLI:

Switch(config)# show link-aggregation
System ID 00e0.52a9.bb00
Port [sys P] [Port P] [Key] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1  1       1        20    No   L    Agg  Syn  No   No   Def  Exp  Blo
1/2  1       1        20    No   L    Agg  Syn  No   No   Def  Exp  Blo
1/3  1       1        20    No   L    Agg  Syn  No   No   Def  Exp  Blo
1/4  1       1        20    No   L    Agg  Syn  No   No   Def  Exp  Ina
1/5  1       1        10    Yes  L    Agg  No   No   No   Def  Exp  Blo
1/6  1       1        10    Yes  L    Agg  No   No   No   Def  Exp  Blo
1/7  1       1        10    Yes  L    Agg  No   No   No   Def  Exp  Blo
1/8  1       1        10    Yes  L    Agg  No   No   No   Def  Exp  Ope

Ope displays the operational state of the link. The following are examples of operational states:

• Ina – Inactive

• Ope – Operational

• Blo – Port is blocked
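Reading this table by eye works for eight ports; for a switch full of LAGs an operator wants the Ope column summarised per key group, which is also the quickest way to spot a trunk that only partly came up. The following Python parser is an added example, not a Brocade tool: it reads the show link-aggregation output shown above (reproduced here as a string so it runs offline), groups ports by key, and reports which key groups have ports that are not operational. Treating `Act` = `Yes` as LACP active mode is an assumption drawn from the column name.

```python
import re

# The guide's show link-aggregation example, embedded as a constant.
SAMPLE_OUTPUT = """\
System ID 00e0.52a9.bb00
Port [sys P] [Port P] [Key] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1  1       1        20    No   L    Agg  Syn  No   No   Def  Exp  Blo
1/2  1       1        20    No   L    Agg  Syn  No   No   Def  Exp  Blo
1/3  1       1        20    No   L    Agg  Syn  No   No   Def  Exp  Blo
1/4  1       1        20    No   L    Agg  Syn  No   No   Def  Exp  Ina
1/5  1       1        10    Yes  L    Agg  No   No   No   Def  Exp  Blo
1/6  1       1        10    Yes  L    Agg  No   No   No   Def  Exp  Blo
1/7  1       1        10    Yes  L    Agg  No   No   No   Def  Exp  Blo
1/8  1       1        10    Yes  L    Agg  No   No   No   Def  Exp  Ope
"""

COLUMNS = ("port", "sys_p", "port_p", "key", "act", "tio", "agg",
           "syn", "col", "dis", "def", "exp", "ope")
PORT_RE = re.compile(r"^\d+/\d+$")  # slot/port form, e.g. 1/8


def parse_link_aggregation(text):
    """Return one dict per port row; the System ID and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(COLUMNS) and PORT_RE.match(parts[0]):
            row = dict(zip(COLUMNS, parts))
            row["key"] = int(row["key"])
            rows.append(row)
    return rows


def summarize_key_groups(rows):
    """Per key group (ports sharing a key on one switch): member ports, a count
    of each Ope state, and whether every member runs LACP in active mode."""
    groups = {}
    for r in rows:
        g = groups.setdefault(r["key"], {"ports": [], "Ope": 0, "Blo": 0, "Ina": 0, "active": True})
        g["ports"].append(r["port"])
        g[r["ope"]] = g.get(r["ope"], 0) + 1
        g["active"] = g["active"] and r["act"] == "Yes"
    return groups


def degraded_groups(rows):
    """Key groups in which at least one port is not operational."""
    return sorted(k for k, g in summarize_key_groups(rows).items()
                  if g["Ope"] < len(g["ports"]))
```

On the sample output both key groups are degraded: key 10 (active mode) has one operational port and three blocked, key 20 (passive mode) has three blocked and one inactive. The same parser can be pointed at saved CLI captures from several switches to compare the key, mode and state on both ends of a trunk, which is what the "check what is supported at both ends" advice above amounts to in practice.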


Configuring 802.3ad Dynamic Trunks

LACP is a mechanism for allowing ports on both sides of a redundant link to form a trunk link (aggregate link), without the need for manual configuration of the ports into trunk groups.

The key identifies the group of potential trunk ports to which the port belongs. Every port that is 802.3ad-enabled has a key. Ports with the same key, on the same switch, are called a Key Group and are eligible to be in the same trunk group. A default key is automatically assigned to an untagged port when link-aggregation has been enabled on it.

Figure 20: Dynamic Trunks

BigIron_A(config)# interface ethernet 1/1
BigIron_A(config-if-e1000-1/1)# link-aggregate active
BigIron_A(config)# interface ethernet 1/2
BigIron_A(config-if-e1000-1/2)# link-aggregate active
BigIron_B(config)# interface ethernet 1/1 to 1/2
BigIron_B(config-mif-1/1-1/2)# link-aggregate passive

The active device sends and receives LACP Protocol Data Unit (LACPDU) messages; the passive device only receives LACPDUs.

Figure 20 (text residue): Switch 1 and Switch 2, each with Ports 1 to 8, grouped into Key 10, Key 20, Key 30 and Key 40.


3 - General Layer 2 and Layer 3 Concepts

When you have completed reviewing this section, be sure you can demonstrate your knowledge of general routing and switching functionality by describing and implementing the information contained within this section.

Ethernet Frame Format

Ethernet uses a very simple and efficient frame format:

Figure 21: Ethernet Frame Format

Transparent Bridging and MAC Table

Ethernet switches, also known as transparent bridges, have three primary functions:

• Learn MAC addresses of nodes and their associated ports

• Filter incoming frames destined for nodes that are located on the same incoming port

• Forward incoming frames to known destinations through their associated ports; if the destination is unknown, the switch floods the frame out on all ports belonging to that VLAN, except for the incoming port

Use the show mac-address command to display the MAC address table.

FastIron# show mac-address
Total active entries from all ports = 3
Total static entries from all ports = 1

MAC-Address     Port  Type     VLAN
1234.1234.1234  15    Static   1
0004.8038.2f24  15    Dynamic  1
0004.8038.2f00  13    Dynamic  1
0010.5a86.b159  10    Dynamic  1

Address Resolution Protocol

Address Resolution Protocol (ARP) is used to associate a Layer 3 (Network layer) address, such as an IP address, with a Layer 2 (Data Link layer) address (MAC address).


ARP is used to resolve MAC addresses for hosts on the local subnet; for remote destinations, the source host sends out ARP requests asking for the MAC address of the default gateway. If a node matches the requested IP, it sends back its MAC address. Other nodes discard the ARP request.

Figure 22: ARP

Spanning Tree Protocol (STP)

Spanning Tree Protocol (STP) is a link management protocol that provides path redundancy while preventing undesirable loops in the Ethernet network. In order for an Ethernet network to function properly, only one active path can exist between two nodes:

• Multiple active paths between nodes cause loops in the network

• If a loop exists in the network topology, the potential exists for duplication of frame delivery

• When loops occur, switches may see the same node appear on different ports on the switch

Figure 23: STP

The STP algorithm relies on the use of Bridge Protocol Data Units (BPDUs), which provide information to all switches about the distance in hops to each switch port from a root switch. By default, the switch with the lowest MAC address becomes the root bridge.


There is a configurable parameter (Bridge Priority) that can be set on each switch to allow administrators to predetermine a specific root bridge. Using BPDU information, a switch can determine whether one of its ports provides an optimal path to the root bridge. If it does not, that port is placed in the blocked state. If the path distance is optimal but is the same as another switch's path, a simple method (a "tie breaker") allows one of the ports to be placed in blocked mode. If one network segment in the Spanning Tree Protocol becomes unreachable, or if a port cost changes, the spanning-tree algorithm reconfigures the spanning-tree topology and re-establishes the link by activating the standby path.

Traffic Types

Unicast traffic describes point-to-point communication where there is just one sender and one receiver. Unicast transmission, in which a packet is sent from a single source to a specified destination, is still the predominant form of transmission on LANs and within the Internet. IP networks support the Unicast transfer mode, and most users are familiar with the standard unicast applications (e.g. HTTP, SMTP, FTP and Telnet) which employ the TCP transport protocol.

Multicast traffic describes communication which occurs between a sender and a grouping of recipients. Multicasting is the networking technique of delivering the same packet simultaneously to a group of clients. One example of an application which may use multicast is a video server sending out networked TV channels.

Broadcast traffic describes communication where a piece of information is sent from one point to all other points. In this case there is one sender and many receivers. An example of this is the ARP which uses a broadcast to send an address resolution query to all devices on a LAN segment in order to resolve an IP address to a physical MAC address. A host will drop the ARP if it is not the target of the request. ARPs are used to resolve unknown destination MAC addresses.

Routing

Routing is needed when data needs to reach a remote network that is not directly connected to the local router.

Defining a Default Route

A default route is a routing table entry used to route packets when an explicit route to a destination network is not in the routing table. It is the network route used by a router when no other known route exists for a given IP packet's destination address. It is last in the order of execution of the routing table.

Brocade supports two types of default routes:

• Explicit default route

- IPv4 default route 0.0.0.0 0.0.0.0 or 0.0.0.0/0

- Can be a static route or learned dynamically by a routing protocol like OSPF. OSPF uses a command called default-information originate to send the default route to other OSPF routers

• Candidate default route

- A Candidate default network is used when a default route is not statically configured or propagated by a routing protocol

- The default route has precedence over the default network


Figure 24: Default Routes

The command ip route 0.0.0.0 0.0.0.0 209.157.1.1 configures a default route, or "route of last resort", because it is the last entry in the order of execution of the route table.

The ip route 0.0.0.0 0.0.0.0 209.157.1.1 can appear in a route table because it is:

• Manually configured on the router

• Sent to other routers by a routing protocol like OSPF

• The command ip default-network 209.157.1.0 configures a default network route; it is used only if no default route is present, that is, if one has neither been manually configured nor passed by a routing protocol like OSPF

The following output shows the 10.1.1.0/30 network marked as the candidate default network with the asterisk (*) sign. This network is remote to Router_A and has been learned by Router_A through the routing protocol OSPF. That is why the Type field for the network 10.1.1.0 is marked as *O.

Router_A(config)# show ip route
Total number of IP routes: 6, avail: 79994 (out of max 80000)
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination   NetMask          Gateway       Port  Cost  Type
    0.0.0.0       0.0.0.0          156.10.20.21  9     1     S
1   10.1.1.0      255.255.255.252  10.1.2.1      7     1     *O
2   10.1.2.0      255.255.255.252  0.0.0.0       7     1     D
3   156.10.20.20  255.255.255.252  0.0.0.0       9     1     D
4   172.16.1.0    255.255.255.0    10.1.2.1      7     1     S
5   192.168.1.0   255.255.255.0    0.0.0.0       1     1     D
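Why the 0.0.0.0 entry is consulted last is easier to see as a lookup than as a sentence: it is a /0 prefix, so it matches every destination but loses every longest-prefix comparison. The following Python example is added here and is not a Brocade tool: it parses the show ip route output above (embedded as a constant), performs a longest-prefix-match lookup with cost as the tie breaker, picks out the candidate default, and includes the same-subnet test that the end-to-end packet flow example further on performs in its first step. The lookup addresses used in the usage note are constructed.

```python
import ipaddress
import re

# The guide's show ip route output, embedded so the lookup runs offline.
ROUTE_TABLE = """\
Total number of IP routes: 6, avail: 79994 (out of max 80000)
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination   NetMask          Gateway       Port  Cost  Type
    0.0.0.0       0.0.0.0          156.10.20.21  9     1     S
1   10.1.1.0      255.255.255.252  10.1.2.1      7     1     *O
2   10.1.2.0      255.255.255.252  0.0.0.0       7     1     D
3   156.10.20.20  255.255.255.252  0.0.0.0       9     1     D
4   172.16.1.0    255.255.255.0    10.1.2.1      7     1     S
5   192.168.1.0   255.255.255.0    0.0.0.0       1     1     D
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_routes(text):
    """Return a list of route dicts from the table; banner and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():  # optional leading row index
            parts = parts[1:]
        if len(parts) != 6 or not all(IPV4.match(p) for p in parts[:3]):
            continue
        dest, mask, gw, port, cost, rtype = parts
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gw, "port": int(port), "cost": int(cost), "type": rtype,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match; equal prefix lengths are broken by lower cost.
    0.0.0.0/0 matches everything, so it wins only when nothing more specific
    does, which is what makes it the route of last resort."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["cost"]))


def candidate_default(routes):
    """The entry flagged with * (candidate default) in the Type column, if any."""
    return next((r for r in routes if r["type"].startswith("*")), None)


def same_subnet(ip_a, mask_a, ip_b, mask_b):
    """Host-side test: do both addresses derive the same network address?"""
    net_a = ipaddress.ip_network(f"{ip_a}/{mask_a}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{mask_b}", strict=False)
    return net_a == net_b
```

`lookup(routes, "10.1.1.2")` returns the *O route because /30 beats /0, while `lookup(routes, "10.1.1.5")` falls through to the 0.0.0.0 entry via 156.10.20.21 because 10.1.1.5 lies outside 10.1.1.0/30. `same_subnet("192.168.1.10", "255.255.255.0", "192.168.3.20", "255.255.255.0")` is False, which is the comparison that sends Host A's packets to its default gateway in the example that follows.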

End-to-End Packet Flow

The following example details how a packet is routed from Host A to Host B on another subnet or network address.


1. If the destination host's network number were the same as the source host's, the destination host would be considered local, on the same subnet. Host A determines this by applying its own subnet mask to its own IP address to obtain its network address, doing the same with the destination IP address and the destination's subnet mask, and comparing the results. If they are the same, the destination Host B is considered local; otherwise the packets are forwarded to the default gateway in order to be sent to the remote host. In this example the destination Host B's Network ID of 192.168.3.0 is different from the source Host A's Network ID of 192.168.1.0, and therefore the packets need to be routed to the destination Host B.

2. The source Host A must check its own local route table for its default gateway (this is the general behavior unless a special route has been defined). The default gateway IP is the IP of the routing interface for that subnet. In this example it is 192.168.1.1, which is the IP of Router 1 Interface E1. Since this is an Ethernet LAN, Host A needs to encapsulate the packet in a frame in order to send it to the routing interface E1, and to do so it needs to know the MAC address of the routing interface. If it is not in its local cache, an ARP broadcast is initiated in order to send the encapsulated frames to the routing interface (E1 on Router 1).

Figure 25: End-to-End Flow Example 1 of 4

3. In Figure 26, the default gateway’s MAC address is not in Host A’s cache. Host A initiates a local ARP broadcast request attempting to resolve the IP address to a physical MAC address.

4. Router 1 responds with a unicast ARP response to Host A with its MAC address of 22.

5. Host A creates/encapsulates an Ethernet frame with its own MAC 11 as the source and a destination MAC address of 22. Notice the destination IP still remains 192.168.3.20 and the frame can be sent on the wire.


Figure 26: End-to-End Flow Example 2 of 4

6. Once Interface E1 on R1 receives the Ethernet frame, it looks at the destination MAC address of the frame to check whether it matches its own, in order to determine whether it is the recipient of the frame. In this case R1 interface E1 is the default gateway of Host A and therefore the intended recipient. R1 checks the frame's Type field and finds 0x800, which indicates that there is an IP packet in the data portion of the Ethernet frame. R1 then proceeds to decapsulate the Ethernet frame in order to analyze the destination IP of the packet.

7. The router then consults its routing table to decide what to do with the packet. In general terms it looks for routes to networks that contain the destination IP address as a host address. Note: if several routes cover the destination, the router chooses the one with the longest subnet mask (the longest prefix match). How routing tables are populated, and an in-depth look at how they are evaluated, are beyond the scope of this example. R1 finds that 192.168.3.0 is the destination network for these packets, that the next hop on the way to that network is 192.168.2.2, and that the next hop is reached through local interface E2.

8. To encapsulate the packet in a new frame, R1 needs the MAC address of the 192.168.2.2 interface, so it checks its local ARP cache and, if the entry is missing, sends an ARP broadcast to request it. In this case the entry is already present, so encapsulation can continue. Notice that the source and destination IP addresses stay the same, but the source MAC becomes 33 and the destination MAC becomes 44. R1 also decrements the Time to Live field in the IP header by 1. The frame is then sent on the wire.


Figure 27: End-to-End Flow Example 3 of 4

9. When interface E1 on R2 receives the Ethernet frame it compares the destination MAC address with its own to determine whether it is the intended recipient. Here E1 on R2 is the next hop that R1 selected, so R2 is the intended recipient. R2 checks the frame’s Type field, finds 0x0800, which indicates an IP packet in the data portion of the frame, and decapsulates the frame to examine the packet’s destination IP address.

10. R2 consults its routing table to decide what to do with the packet and finds that the destination network 192.168.3.0 is a directly connected route through interface E2.

11. To encapsulate the packet, R2 needs the MAC address of the final destination, Host B at 192.168.3.20. It checks its local ARP cache and, if the entry is missing, sends an ARP broadcast to resolve the IP address to the matching physical MAC address. In this case the entry is already present, so encapsulation continues: the source MAC is 55 and the destination MAC becomes 66. R2 also decrements the Time to Live field by 1. The frame is sent on the wire.

12. When Host B receives the frame it recognizes its own MAC address, decapsulates the frame, and sees that it is the intended host, with IP address 192.168.3.20.


Figure 28: End-to-End Flow Example 4 of 4

Note

Throughout the packet flow the source and destination IP addresses stay the same, but the source and destination MAC addresses change on every link. Each router along the path also decrements the Time to Live field of the packet (in the IP header) by 1.
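The twelve steps above, as an added example that is not part of the study guide: a small Python model of the Host A, R1, R2, Host B topology from the figures. The two-digit MAC labels 11 to 66, the three 192.168.x.0/24 subnets and Host B's address 192.168.3.20 come from the text; the interface names, Host A's address 192.168.1.10, the routing tables and the Node/Frame classes are assumptions made for the example.

```python
"""Simulated IPv4 forwarding across the Host A -> R1 -> R2 -> Host B lab.
Added example, not from the study guide. MAC labels 11..66 and the /24
subnets follow the figures; everything else below is an assumption."""
import ipaddress
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip ttl")


class Node:
    def __init__(self, name, interfaces, routes):
        # interfaces: {ifname: ("ip/prefixlen", mac)}
        # routes: [(prefix, next_hop or None for directly connected, out_ifname)]
        self.name = name
        self.interfaces = {n: (ipaddress.ip_interface(a), m) for n, (a, m) in interfaces.items()}
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh) if nh else None, o)
                       for p, nh, o in routes]
        self.arp_cache = {}

    def is_local(self, ifname, dst_ip):
        """Step 1: same network ID under this interface's own mask => local delivery."""
        return ipaddress.ip_address(dst_ip) in self.interfaces[ifname][0].network

    def lookup(self, dst):
        """Step 7: among the routes covering dst, pick the longest subnet mask."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def owns(self, ip):
        return any(i.ip == ip for i, _ in self.interfaces.values())

    def mac(self, ifname):
        return self.interfaces[ifname][1]


def forward(nodes, src_name, dst_ip, ttl=64):
    """Return the frame put on each link: IPs stay constant, MACs and TTL change per hop."""
    by_name = {n.name: n for n in nodes}
    by_mac = {m: n for n in nodes for _, m in n.interfaces.values()}
    arp_wire = {i.ip: m for n in nodes for i, m in n.interfaces.values()}  # who answers ARP
    dst = ipaddress.ip_address(dst_ip)
    node = by_name[src_name]
    src_ip = str(next(iter(node.interfaces.values()))[0].ip)
    frames = []
    while True:
        route = node.lookup(dst)
        if route is None:
            raise LookupError(f"{node.name}: no route to {dst}")
        _, next_hop, out_if = route
        target = dst if next_hop is None else next_hop      # direct delivery or via gateway
        if target not in node.arp_cache:                     # steps 3-4: ARP only on a cache miss
            node.arp_cache[target] = arp_wire[target]
        frames.append(Frame(node.mac(out_if), node.arp_cache[target], src_ip, str(dst), ttl))
        node = by_mac[frames[-1].dst_mac]                     # steps 6/9/12: receiver matches dst MAC
        if node.owns(dst):
            return frames                                     # delivered to the final host
        ttl -= 1                                              # step 8: every router decrements TTL
        if ttl == 0:
            raise TimeoutError(f"{node.name}: TTL expired for {dst}")


# Constructed lab matching the figures (addresses other than 192.168.3.20 are assumed).
LAB = [
    Node("HostA", {"e0": ("192.168.1.10/24", "11")},
         [("192.168.1.0/24", None, "e0"), ("0.0.0.0/0", "192.168.1.1", "e0")]),
    Node("R1", {"e1": ("192.168.1.1/24", "22"), "e2": ("192.168.2.1/24", "33")},
         [("192.168.1.0/24", None, "e1"), ("192.168.2.0/24", None, "e2"),
          ("192.168.3.0/24", "192.168.2.2", "e2")]),
    Node("R2", {"e1": ("192.168.2.2/24", "44"), "e2": ("192.168.3.1/24", "55")},
         [("192.168.2.0/24", None, "e1"), ("192.168.3.0/24", None, "e2")]),
    Node("HostB", {"e0": ("192.168.3.20/24", "66")},
         [("192.168.3.0/24", None, "e0"), ("0.0.0.0/0", "192.168.3.1", "e0")]),
]

if __name__ == "__main__":
    for f in forward(LAB, "HostA", "192.168.3.20"):
        print(f)
```

Running it prints the three frames of the walkthrough: the IP pair never changes, the MAC pair is rewritten on every link (11/22, 33/44, 55/66), and the TTL drops by one at each router. Starting with a TTL of 2 makes R2 discard the packet, which is the behavior traceroute relies on.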

Virtual Router Redundancy Protocol - Enhanced

Virtual Router Redundancy Protocol - Enhanced (VRRP-E) is Brocade’s enhanced version of VRRP that overcomes limitations in the standard protocol. All routers are backups for a given Virtual Router ID (VRID); the router with the highest priority (a configurable value) becomes master. VRRP-E sends its Hello messages as IP multicast packets over UDP. To prevent an immediate transition from backup back to master when a former master returns, enable the slow start timer.

VRRP-E requires only that the virtual IP address be in the same subnet as the interface on which the VRID is configured. Multiple VRIDs can exist on a single interface.

VRRP-E supports the use of more than one track port.

The Virtual IP (VIP) is a unique IP address on the same subnet as the VRRP-E routers. There is no concept of an owner IP address, because no real interface IP address is used as the VIP. The elected master hosts the VIP and answers ICMP requests sent to it, so the VIP can be verified with ping. VRRP-E sends its multicast Hello messages over UDP (port 8888) to the multicast address 224.0.0.2. All switches participating in the same VRID group must be configured with the same virtual IP address.


Figure 29: VRRP-E

The following command sequence sets up and activates VRRP-E. It follows the configuration rules which state the following:

• The router interfaces in a VRID must be in the same IP subnet

• The Hello/Dead intervals must be set to the same values on all the VRRP-E enabled devices

• The Virtual IP (VIP) address must be configured the same on routers belonging to the same VRRP-E backup group

Router_A(config)# router VRRPExtended
Router_A(config)# interface e1
Router_A(config-if-1)# ip address 192.53.5.2
Router_A(config-if-1)# ip VRRPExtended vrid 1
Router_A(config-if-1-vrid-1)# backup priority 110 track-priority 20
Router_A(config-if-1-vrid-1)# ip-address 192.53.5.1 <-- Virtual IP
Router_A(config-if-1-vrid-1)# track-port e15 e16
Router_A(config-if-1-vrid-1)# activate

Router_B(config)# router VRRPExtended
Router_B(config)# interface e1
Router_B(config-if-1)# ip address 192.53.5.3
Router_B(config-if-1)# ip VRRPExtended vrid 1
Router_B(config-if-1-vrid-1)# backup priority 80
Router_B(config-if-1-vrid-1)# ip-address 192.53.5.1 <-- Virtual IP
Router_B(config-if-1-vrid-1)# activate


Figure 30: Multiple VRRP-E Groups

In Figure 30, Router A and Router B use VRRP-E to load share as well as to provide redundancy to the hosts. Load sharing is accomplished by creating two VRRP-E groups, each with its own virtual IP address. Half of the clients use the virtual IP address of VRID 1 as their default gateway and the other half use the virtual IP address of VRID 2. Some of the outbound Internet traffic therefore goes through Router A and the rest through Router B.

VRRP-E reduces the priority of a VRID by the track priority of a tracked interface when that interface’s link goes down. For example, if the VRID’s priority is 200 and a tracked interface with track priority 20 goes down, the software changes the VRID’s priority to 180. If another tracked interface goes down, the software reduces the VRID’s priority again, by that interface’s track priority.


Router A is the master for VRID 1 (backup priority = 110) and Router B is the backup for VRID 1 (backup priority = 100). Router A and Router B both track the uplinks to the Internet. If an uplink fails on Router A, its priority for VRID 1 is decremented by 20 (track priority = 20) to 90, which is below Router B’s 100, so all traffic destined to the Internet is sent through Router B instead.

Similarly, Router B is the master for VRID 2 (backup priority = 110) and Router A is the backup for VRID 2 (backup priority = 100). Both routers track the uplinks to the Internet. If an uplink fails on Router B, its priority for VRID 2 is decremented by 20 (track priority = 20) to 90, so all traffic destined to the Internet is sent through Router A instead.
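The priority arithmetic and the resulting master choice, as an added example that is not Brocade code: a Python model of the Figure 30 design with two routers, two VRIDs, backup priorities 110/100 and track priority 20 on the tracked uplink ports. Hello timers, the slow start timer and the wire format are not modelled, and the tie-break on equal priority (by router name here) is an assumption, since the guide does not state how VRRP-E breaks ties.

```python
"""VRRP-E master election with track-port priority decrements.
Added example, not Brocade code. Priorities and port names are constructed
to match Figure 30; the tie-break on equal priority is an assumption."""


class VrrpERouter:
    def __init__(self, name):
        self.name = name
        self.links = {}   # port -> True while the link is up
        self.vrids = {}   # vrid -> {"priority", "track", "ports"}

    def vrid(self, vrid, backup_priority, track_priority=0, track_ports=()):
        """Equivalent of 'backup priority N track-priority M' plus 'track-port ...'."""
        for p in track_ports:
            self.links.setdefault(p, True)
        self.vrids[vrid] = {"priority": backup_priority, "track": track_priority,
                            "ports": tuple(track_ports)}

    def set_link(self, port, up):
        self.links[port] = up

    def priority(self, vrid):
        """Configured priority minus the track priority for every tracked port that is down."""
        cfg = self.vrids[vrid]
        down = sum(1 for p in cfg["ports"] if not self.links[p])
        return max(0, cfg["priority"] - cfg["track"] * down)


def elect_master(routers, vrid):
    """Highest current priority wins. Assumption: ties are broken by router name;
    the guide does not specify the VRRP-E tie-break."""
    members = [r for r in routers if vrid in r.vrids]
    return max(members, key=lambda r: (r.priority(vrid), r.name))


def masters(routers):
    """Which router currently answers for each VRID (the load-sharing picture)."""
    vrids = sorted({v for r in routers for v in r.vrids})
    return {v: elect_master(routers, v).name for v in vrids}


def build_lab():
    """Figure 30: A masters VRID 1, B masters VRID 2, both track uplinks e15 and e16."""
    a, b = VrrpERouter("RouterA"), VrrpERouter("RouterB")
    a.vrid(1, 110, 20, ("e15", "e16"))
    a.vrid(2, 100, 20, ("e15", "e16"))
    b.vrid(1, 100, 20, ("e15", "e16"))
    b.vrid(2, 110, 20, ("e15", "e16"))
    return a, b


if __name__ == "__main__":
    a, b = build_lab()
    print("normal:", masters([a, b]))
    a.set_link("e15", False)            # one uplink on Router A fails
    print("A uplink down:", masters([a, b]))
```

Losing one uplink drops Router A from 110 to 90 on VRID 1 (below Router B's 100) and from 100 to 80 on VRID 2, so both virtual gateways move to Router B; losing the second uplink lowers it again to 70 and 60. Because the model is purely priority-driven, Router A takes VRID 1 back the moment the link returns, which is exactly the flap the slow start timer is meant to dampen.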


4 - Routing Concepts

When you have completed reviewing this section be sure you can do the following:

• Describe general routing concepts

• Demonstrate knowledge of the OSPF protocol

• Demonstrate basic knowledge of the BGP protocol

• Demonstrate basic knowledge of multicast routing

General Routing Concepts

Routing Information Protocol (RIP)

RIP is a simple, easy to manage IGP for smaller networks and has the following characteristics:

• A distance-vector routing protocol

• Uses periodic updates to exchange routing information

• Uses hop count as its metric

• Limits the maximum number of hops allowed to 15

• Hop count of 16 is considered an infinite distance and is used to remove inaccessible routes and limit routing loops

• RIP is enabled on a per interface basis. This way RIP updates are not flooded out of every port.

• RIPv2 supports MD5 authentication of updates

• Does not scale well and can have poor convergence times

RIPv1 vs. RIPv2 Similarities:

• Use of split horizon, or split horizon with poison reverse, to prevent routing loops

• Maximum hop count of 15

• Use of triggered updates

Major enhancements of RIPv2 over RIPv1:

• Support of authentication (clear text or MD5)

• Support of CIDR and VLSM

There are three basic steps to enabling IP RIP routing:

1. Enable RIP globally

2. Assign an IP address/mask to each routed interface

3. Specify the RIP version for each interface


The following command sequence is an example of RIPv2 configuration.

Router_A(config)# router rip
Router_A(config-rip-router)# interface e1
Router_A(config-if-1)# ip address 207.95.8.1/24
Router_A(config-if-1)# ip rip v2-only
Router_A(config-if-1)# interface ve 10
Router_A(config-if-2)# ip address 207.95.10.2 255.255.255.0
Router_A(config-if-2)# ip rip v2-only

Classless Inter-Domain Routing (CIDR)

CIDR was created to help resolve the following problems:

• As the Internet grew there was a real concern that parts of the IPv4 address space, especially the Class B addresses, would be exhausted

• Running out of capacity in the global routing tables

• Eventual exhaustion of the entire 32-bit IP address space

The motivation behind CIDR was to allocate IP address space more efficiently: instead of handing out full classful (Class A or B) networks to organizations that would not use most of the addresses, CIDR allocates blocks sized to the organization’s needs.

During the early adoption of CIDR there was real concern about the imminent depletion of Class B networks. Companies did not favor Class C networks because of their limited host address space. CIDR was seen as an interim solution until the adoption of IPv6 and its much larger address space. For example, if a network administrator needs 300 IP addresses she would traditionally need either a Class B network, wasting most of that address space, or 2 Class C networks (remember that a standard Class C network supports 254 hosts). There is no middle ground in the classful address scheme. CIDR provides a mechanism for aggregating multiple smaller networks into a single larger network, for example combining 2 Class C networks into one block of 512 addresses (510 usable host addresses).

CIDR lets the router treat a group, or block, of networks as one larger network (route summarization or route aggregation). For example, instead of storing 10 Class C network addresses (or any number of smaller classful networks), the router can store a single CIDR-based summary address.

The eventual adoption of IPv6 is the answer to the need for a much larger address space. Variable Length Subnet Masks (VLSM) set the boundary between the network ID and the host ID.

Variable Length Subnet Masks

Variable Length Subnet Masks (VLSM) is classically understood as “subnetting a subnet”. It partitions a larger address block into smaller blocks, or subnets, using subnet masks of different lengths. CIDR leverages VLSM to allocate address space according to an organization’s needs. Larger ISPs can allocate variable-length address space to their customers because the ISP owns the overall larger block and all traffic to the Internet passes back through it. VLSM allows subnets of different sizes to be defined as needed under a single network ID, thereby minimizing wasted addresses.


Subnetting

To begin we will use a fairly easy subnetting example for a traditional Class C network: the address 192.168.1.100 with the subnet mask 255.255.255.192.

• The chart below shows the decimal and binary values

Figure 31: Subnetting

• How many subnet bits are there?

- 2 (the most significant bits of the 4th octet): 2^7 (128) + 2^6 (64) = 192

• How many Host ID bits are left?

- 6 bits

• To determine the number of possible (sub)networks raise 2 to the number of subnet bits

- In this case 2^2 = 4 possible (sub)networks

- Remember there is only 1 possible network with the default subnet mask of 255.255.255.0

• To determine the number of possible host addresses per subnetwork raise 2 to the number of Host ID bits, then subtract 2 for the network and broadcast addresses of the subnetwork

- In this case 2^6 = 64, and 64 - 2 = 62 possible host addresses per subnetwork

- Note that when subnetting with a single mask, every subnetwork created has the same amount of host ID space. In this example we can use up to 4 subnetworks, each with 62 unique host addresses.
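The subnet arithmetic above and the CIDR aggregation described earlier, as an added example that is not from the guide: Python functions that work the guide's 192.168.1.100 / 255.255.255.192 case and the "300 hosts, two Class C networks" case, and that contrast exact aggregation (only adjacent, aligned blocks merge) with a single covering supernet, which can announce address space the organization does not hold. The function names are assumptions.

```python
"""Subnet and CIDR arithmetic. Added example, not from the study guide.
Inputs below are the guide's own numbers; function names are assumptions."""
import ipaddress


def subnet_facts(addr, mask):
    """Network, subnet bits borrowed from the classful mask, host bits, subnet and host counts."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    first_octet = int(iface.ip) >> 24
    classful = 8 if first_octet < 128 else 16 if first_octet < 192 else 24  # A / B / C default mask
    subnet_bits = net.prefixlen - classful
    host_bits = 32 - net.prefixlen
    return {"network": str(net), "subnet_bits": subnet_bits, "host_bits": host_bits,
            "subnets": 2 ** subnet_bits, "hosts": 2 ** host_bits - 2}


def prefix_for_hosts(n):
    """Smallest prefix length whose block has at least n usable host addresses."""
    bits = 1
    while 2 ** bits - 2 < n:
        bits += 1
    return 32 - bits


def aggregate(prefixes):
    """Exact aggregation versus one covering supernet.

    'exact' merges only blocks that are adjacent and aligned, so it never claims
    more space than the inputs. 'single' is the smallest one prefix that covers
    everything; 'overclaimed' counts the addresses it announces that were not held."""
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    exact = [str(n) for n in ipaddress.collapse_addresses(nets)]
    lo = int(nets[0].network_address)
    hi = max(int(n.broadcast_address) for n in nets)
    plen = 32
    while plen and (lo >> (32 - plen)) != (hi >> (32 - plen)):   # longest common prefix
        plen -= 1
    base = (lo >> (32 - plen)) << (32 - plen)
    single = ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{plen}")
    held = sum(n.num_addresses for n in nets)
    return {"exact": exact, "single": str(single), "overclaimed": single.num_addresses - held}


if __name__ == "__main__":
    print(subnet_facts("192.168.1.100", "255.255.255.192"))
    print("300 hosts need a /%d" % prefix_for_hosts(300))
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24"]))
    print(aggregate(["192.168.%d.0/24" % i for i in range(10)]))
```

For the guide's example the result is network 192.168.1.64/26 with 2 subnet bits, 6 host bits, 4 subnets and 62 hosts each; 300 hosts need a /23. Ten consecutive Class C networks collapse exactly to a /21 plus a /23, whereas the single covering /20 would also announce six /24s that are not held, which is the kind of over-aggregation a BGP filter should reject.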


Administrative Distance

Each route in a routing table has an administrative distance in the range 0-255, which expresses how trustworthy the source of the route is. Lower values are preferred: when the same destination is learned from several sources, the route with the lowest administrative distance is the one stored in the routing table. Administrative distance only ranks routes from different sources; within one protocol, the protocol’s own metric chooses between routes.

Routed vs. Routing Protocols

A routed protocol can be routed by a router, which means its packets can be sent from one router to another. This type of protocol contains the data elements required for a packet to be sent outside of its host network or network segment; in particular it requires an addressing scheme. Based on the addressing scheme, a device is able to identify the network to which a host belongs, in addition to identifying that host on that network. All hosts on an internetwork (routers, servers, and workstations) can use the services of a routed protocol. Some routed protocols, with examples of the application protocols carried over IP, are:

• IPX

• IP

- SMTP

- SNMP

- Telnet

A routing protocol, on the other hand, is used only between routers. Its purpose is to help routers build and maintain routing tables. Examples of routing protocols are RIP, OSPF, IS-IS, and BGP.

The routing table is the table on which the router bases its routing decisions. In the example routing table the Type column indicates the source of each route: the first route is a static route, the second is a directly attached network, and the third is learned from the OSPF routing protocol.

Open Shortest Path First

Open Shortest Path First (OSPF) is a link state Interior Gateway Protocol (IGP) for medium to large networks. Its metric is the sum of the costs of the links along a path. OSPF supports CIDR and VLSM. It is hierarchical, using OSPF areas, and builds its view of the network topology from Link State Advertisements (LSAs) received from other routers. OSPF has the following characteristics:

• Decreases routing overhead

• Speeds up convergence

• Confines network instability to a single area of the network

• Communicates between routers using multicast advertisements

• Has no periodic updates

TABLE 2 Default Administrative Distances

Protocol                 Administrative distance
Directly connected       0
Static                   1
External BGP (eBGP)      20
OSPF                     110
RIP                      120
Internal BGP (iBGP)      200

Areas

Routers in OSPF are split into groups called areas. The purpose is to reduce traffic and CPU load; the most restrictive area types use the fewest resources (CPU and memory). Areas may be organized in any way that makes sense for a particular network. Areas are assigned numbers in the range 0 through 4,294,967,295, with area 0 reserved for the backbone. Enabling OSPF logging is useful for troubleshooting.

Figure 32: OSPF Areas

Area Types:

• Area 0 - Backbone

- A required area to which all other areas must connect

• Ordinary or standard area (Normal or transit area)

- All routers in an OSPF area have the same topological database, but their routing tables depend on each router’s position in the area and are unique to the router

• Stub area

- An area that does not accept external routes (routes redistributed from outside the autonomous system) but does accept inter-area routes from within the same autonomous system

• Not So Stubby Area (NSSA)

- A stub area that does not accept external routes from the backbone, but can originate external routes of its own (as Type 7 LSAs), which the ABR translates and advertises into the backbone

Figure 32 area labels: San Jose, Los Angeles, New York


• Totally stubby area

- This area does not accept routes from any other area; instead the Area Border Router (ABR) advertises a default route, 0.0.0.0/0, into it

The OSPF Autonomous System (AS) is the entire OSPF routing domain. An OSPF AS can be divided into multiple areas. The propagation of Type 1 and Type 2 Link State Advertisements is limited to the bounds of an area.

An OSPF router can be a member of multiple areas. These routers are known as Area Border Routers (ABRs). Each ABR maintains a separate topological database for each area the router is in. Each topological database contains all of the LSAs within a given area. The routers within the same area have identical topological databases. The ABR is responsible for forwarding routing information or changes between its border areas.

An Autonomous System Boundary Router (ASBR) is a router that runs multiple routing protocols and serves as a gateway to routers outside the OSPF AS. The ASBR can import routes from other protocols and translate them into OSPF through a process known as redistribution.

Figure 33: OSPF AS

OSPF’s Four Level Routing Hierarchy

• Level 1 - Intra-area routing

• Level 2 - Inter-area routing

• Level 3 - External Type 1 Metrics

• Level 4 - External Type 2 Metrics

If there are two routing paths to choose from, paths internal to the OSPF routing domain are preferred over external routes. External routes can be imported into the OSPF domain at two separate levels, one with Type 1 metrics and the other with Type 2 metrics.


With Type 1 metrics, the internal OSPF component of the path (the cost from the OSPF router to the ASBR advertising the AS-external-LSA) and the external component are treated as equally important: the route’s cost is their sum, so it differs depending on which router is looking at it.

With Type 2 metrics, the external component is assumed to be more significant than the internal component, so the cost of an external destination is the external cost alone and does not change when viewed from different routers. Only when two Type 2 routes have the same external cost does the internal cost to the ASBR break the tie. The cost of intra-area and inter-area destinations, by contrast, does depend on which router observes it.
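The four-level preference and the two external metric types, as an added example that is not from the guide: a Python comparison over constructed candidate routes to one destination. The cost values are assumptions; the rule that Type 2 routes with equal external cost fall back to the internal cost to the ASBR follows RFC 2328, section 16.4.

```python
"""OSPF route preference across intra-area, inter-area, Type 1 and Type 2 external routes.
Added example, not from the study guide; candidate costs are constructed."""
from collections import namedtuple

# via: next hop label; level: "intra", "inter", "e1" or "e2";
# internal: OSPF path cost (to the destination, or to the ASBR for externals);
# external: the cost carried in the AS-external-LSA (0 for internal routes)
Candidate = namedtuple("Candidate", "via level internal external")
LEVELS = {"intra": 1, "inter": 2, "e1": 3, "e2": 4}


def route_cost(c):
    """The cost this router compares for a candidate at each level."""
    if c.level == "e1":
        return c.internal + c.external   # Type 1: path to the ASBR plus external cost
    if c.level == "e2":
        return c.external                # Type 2: external cost only, same from every router
    return c.internal                    # intra-area / inter-area: plain OSPF path cost


def best_route(candidates):
    """Lower level always wins; within a level lower cost wins; Type 2 routes with equal
    external cost are separated by the internal cost to the ASBR."""
    def rank(c):
        return (LEVELS[c.level], route_cost(c), c.internal if c.level == "e2" else 0)
    return min(candidates, key=rank)


if __name__ == "__main__":
    routes = [Candidate("R1", "e2", internal=50, external=10),
              Candidate("R2", "e2", internal=1, external=20),
              Candidate("R5", "e1", internal=50, external=40),
              Candidate("R6", "inter", internal=500, external=0)]
    print(best_route(routes))        # the inter-area route, despite its cost of 500
```

The example shows why an external route can never displace an internal one however cheap it is, and why a Type 2 route with a distant ASBR still beats a Type 2 route with a nearer ASBR when its external cost is lower: for Type 2 the internal distance is only a tie-breaker.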

Designated Routers

To minimize the amount of information exchanged on a particular segment, OSPF elects one router as the designated router (DR) and one as the backup designated router (BDR) on each multi-access segment. The idea is that routers have a central point of contact for information exchange: instead of each router exchanging updates with every other router on the segment, every router exchanges information with the DR and BDR, which relay it to everybody else. Adjacencies are built in several stages, and routers that become adjacent hold identical link state databases.

Figure 34: OSPF DR Election

Designated Router (DR) election selects the neighboring router with the highest priority; the router with the next highest priority becomes the Backup DR (BDR). A router with priority 0 is never elected. If the DR goes offline, the BDR automatically becomes the DR and the router with the next highest priority becomes the new BDR. If two neighbors share the same priority, the router with the highest router ID becomes the DR. The router ID is determined as follows:

1. The Router ID can be manually configured using the global ip router-id x.x.x.x command.

2. If the Router ID is not manually configured, the IP address configured on the lowest numbered loopback interface is used as the Router ID

3. If there is no loopback interface, then the router ID is the lowest numbered IP address configured on the device

Once a router has become the DR it keeps the role even if a neighbor with a higher priority or router ID appears later; the election is not preemptive. The same is true for the BDR.

The DR and BDR election process is performed when one of the following events occurs:


1. An interface is in a waiting state and the wait time expires

2. An interface is in a waiting state and a hello packet is received that addresses the BDR

3. A change in neighbor state occurs, such as a neighbor transitioning into or out of the 2-Way (or higher) state, communication with a neighbor being lost, or a neighbor declaring itself DR or BDR for the first time
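The router ID rules and the DR/BDR election above, as an added example that is not from the guide: a Python model of one multi-access segment with four constructed routers. It applies the three router ID rules, the priority-then-router-ID ranking, the rule that priority 0 is never elected, the promotion of the BDR when the DR disappears, and the non-preemption of an existing DR/BDR. Router names, priorities and addresses are assumptions.

```python
"""OSPF DR/BDR election on one multi-access segment.
Added example, not from the study guide; all routers below are constructed."""
import ipaddress


class OspfRouter:
    def __init__(self, name, priority=1, router_id=None, loopbacks=(), interfaces=()):
        # loopbacks: [(loopback number, ip)]; interfaces: [ip]; all assumed values
        self.name, self.priority = name, priority
        self.router_id = self._select_router_id(router_id, loopbacks, interfaces)

    @staticmethod
    def _select_router_id(configured, loopbacks, interfaces):
        """Rule 1: manual ip router-id; rule 2: lowest-numbered loopback's address;
        rule 3: lowest IP address configured on the device."""
        if configured:
            return ipaddress.ip_address(configured)
        if loopbacks:
            return ipaddress.ip_address(min(loopbacks)[1])
        return min(ipaddress.ip_address(i) for i in interfaces)


def elect(routers, current_dr=None, current_bdr=None):
    """Highest priority wins, ties go to the highest router ID, priority 0 is never
    elected, and an existing DR/BDR is kept rather than preempted by a newcomer."""
    eligible = [r for r in routers if r.priority > 0]
    if not eligible:
        return None, None
    rank = lambda r: (r.priority, r.router_id)
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible else None
    if dr is None:
        if bdr is not None:
            dr, bdr = bdr, None              # the BDR takes over when the DR disappears
        else:
            dr = max(eligible, key=rank)
    if bdr is None:
        rest = [r for r in eligible if r is not dr]
        bdr = max(rest, key=rank) if rest else None
    return dr, bdr


def build_segment():
    r1 = OspfRouter("R1", loopbacks=[(2, "10.0.0.1"), (1, "10.0.0.3")])   # loopback 1 wins: 10.0.0.3
    r2 = OspfRouter("R2", router_id="10.0.0.9")                            # manual router ID
    r3 = OspfRouter("R3", priority=0, interfaces=["10.1.1.3"])             # never DR or BDR
    r4 = OspfRouter("R4", priority=5, interfaces=["10.1.1.4", "10.0.5.4"])  # lowest IP: 10.0.5.4
    return r1, r2, r3, r4


if __name__ == "__main__":
    r1, r2, r3, r4 = build_segment()
    dr, bdr = elect([r1, r2, r3, r4])
    print("initial:", dr.name, bdr.name)
    dr, bdr = elect([r1, r2, r3], dr, bdr)          # R4 goes away: BDR R2 is promoted
    print("R4 down:", dr.name, bdr.name)
    dr, bdr = elect([r1, r2, r3, r4], dr, bdr)      # R4 returns but does not preempt
    print("R4 back:", dr.name, bdr.name)
```

R4 wins the first election on priority alone and R2 beats R1 for BDR on router ID. When R4 leaves, R2 is promoted to DR and R1 becomes BDR; when R4 comes back it stays a plain neighbor, which is why a router with a high priority joining a running segment does not become DR until the next election event.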

Link State Advertisement

A Link State Advertisement (LSA) is an OSPF data packet that communicates a router’s local routing topology to all other routers in the same OSPF area.

OSPF Link State process:

1. Link State Advertisements exchanged between routers

2. Topology Database is built

3. Router runs Shortest Path First (SPF) algorithm to calculate the best path

4. SPF tree is generated

5. Best routes are selected from SPF tree, and entered into the routing table, based on cost to individual networks

LSA Types (by type code)

• Type 1: Router LSA - generated by each router for each area to which it belongs.

• Type 2: Network LSA - generated by DRs describing the set of routers attached to a particular network.

• Type 3: Network Summary LSA - generated by ABRs describing inter-area routes.

• Type 4: ASBR Summary LSA - generated by ABRs to advertise reachability of the ASBR (identified by its router ID) into other areas.

• Type 5: External LSA - generated by the ASBR describing networks external to the Autonomous System (AS).

• Type 7: NSSA External LSA - generated by ASBR and only flooded within the Not-So-Stubby area. The ABR converts Type 7 LSAs into type 5 before flooding them into the backbone area (area 0).

Redistribution

Redistribution enables one routing protocol to learn and advertise routes that exist under some other process. The other process could be one or more of the following:

• Another dynamic routing protocol (another instance of the same routing protocol or a different routing protocol)

• Static routes

• Directly connected interfaces on which no routing protocol has been enabled

The following command sequence uses the redistribution command under router rip to send OSPF routes as RIP updates.

Router_B(config)# router rip
Router_B(config-rip-router)# redistribution

The following command sequence uses the redistribution rip command to send RIP routes as OSPF LSAs.


Router_B(config)# router ospf
Router_B(config-ospf-router)# redistribution rip
Router_B(config-ospf-router)# redistribution connected

OSPF does not include directly connected networks on which OSPF is not enabled in its routing updates. The redistribution connected command takes directly connected routes and sends them out as OSPF LSAs. For the OSPF domain to have such a network in its routing tables, you must configure the following command:

Router_B(config-ospf-router)#redistribution connected

The ip rip learn-default command allows a router to learn and advertise default RIP routes. This command is necessary on RIP routers, so they learn the default route redistributed from OSPF. This command can be applied on a global or interface basis. This example shows the feature enabled at the interface level:

Router_D(config)# int e 2/2
Router_D(config-if-2/2)# ip rip learn-default

Ideally, all routers within a given AS run the same routing protocol. There are rarely technical reasons to run multiple routing protocols, and redistribution should be avoided whenever possible: every redistribution point is a place where routes can leak or loop.

Figure 35: Redistribution

Border Gateway Protocol

Border Gateway Protocol (BGP) is an inter-Autonomous System (AS) routing protocol; each BGP session runs between exactly two routers. BGP-4 was defined in RFC 1771 (since superseded by RFC 4271) and performs loop-free inter-AS routing. Once the TCP handshake is complete and the peers have negotiated a session, BGP places the peer in the Established state. BGP is a path vector protocol: it learns the AS path to each network in another AS and, among other criteria, prefers the shortest path. BGP rides on top of TCP, port 179.


Figure 36: BGP

BGP Peer Establishment and Route Advertisement

BGP peers are two BGP routers that first create a TCP connection. That TCP connection stays up continuously, and over it BGP dynamically exchanges routing information.

The BGP session is the neighbor relationship the peers must negotiate over that connection; until the session is established they never exchange routing updates.

Initially, all BGP routes are exchanged. After that, only incremental updates are sent as network information changes. The incremental update approach saves enormous amounts of CPU overhead and bandwidth.

The TCP connection between two BGP peers stays alive until a problem arises. In that case a BGP NOTIFICATION message is sent and the TCP connection is torn down.

Figure 37: BGP Peer Establishment

1. Routers establish a TCP connection

2. Routers establish a BGP session

3. BGP peers exchange routing information

- BGP routers do not automatically advertise any routes unless configured to do so (using the BGP “network” command)

Router_A(config)# router bgp
Router_A(config-bgp-router)# network 100.1.1.0/24

- Initially the full BGP tables are exchanged; after that only incremental updates occur

- TCP connection stays alive until BGP problems cause termination


The BGP route table is empty until routes are injected into it from an IGP. This injection can be broad, using the redistribution command, or specific routes can be injected with the network command. The arrows in Figure 38 show the prefix information received by Router A and Router C. When prefixes are advertised from a BGP peer they are transmitted to all BGP neighbors; the arrows focus on routers A and C, which use this prefix information.

In a production network Router C, owned by an ISP, receives the entire Internet routing table. Typically only a subset of it, for example a default route, is forwarded to Router A. Also in a production network, the customer prefix advertised by Router B would be one of the 100,000+ prefixes in the Internet routing table. This advertisement is what allows the rest of the Internet to reach AS 100.

Router_B(config-bgp-router)# network 1.1.1.0/24
Router_D(config-bgp-router)# network 1.1.3.0/24

CAUTION

Liberal use of redistribution from an IGP into BGP can publish private network information to destinations outside the autonomous system, and can also advertise unregistered (or private) addresses that the AS is not entitled to announce. Redistribute into BGP only behind a filter that permits exactly the prefixes you intend to announce.

Figure 38: BGP Route Advertisement

BGP Connectivity Maintenance

Once a BGP connection is established using OPEN messages, the peers initially use UPDATE messages to send each other a large amount of routing information. They then settle into a routine in which the session is maintained but UPDATE messages are sent only when needed. Since these updates correspond to route changes, and route changes are normally infrequent, many seconds may pass between consecutive UPDATE messages. While a BGP peer is waiting for the next UPDATE it is effectively on hold, and each BGP device maintains a hold timer to track how long it has been waiting. To ensure the timer does not expire when no UPDATEs need to be sent for a long while, each peer periodically sends a BGP KEEPALIVE message; the name says it all, the message just keeps the BGP connection alive. The rate at which KEEPALIVE messages are sent is implementation-dependent, but the standard recommends an interval of one-third of the hold time. So if the hold time is three seconds, each peer sends a KEEPALIVE every second (unless it needs to send some other message type in that second). To prevent excess bandwidth use, KEEPALIVEs must be sent no more often than once per second, so that is the minimum interval even if the hold time is shorter than three seconds.


Multicast Routing

PIM Sparse Mode

Brocade devices support Protocol Independent Multicast (PIM) Sparse Mode version 2. PIM Sparse provides multicasting that is especially suitable for widely distributed multicast environments; the Brocade implementation is based on RFC 2362. In a PIM Sparse network, a PIM Sparse router connected to a host that wants to receive traffic for a multicast group must explicitly send a join request on behalf of the receiver (host), so traffic is optimized for wide distribution. PIM Sparse routers are organized into domains: a PIM Sparse domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary.

• Switches configured with PIM Sparse interfaces can also be configured to fill one or more of the following roles:

- PMBR: A PIM Multicast Border Router has some interfaces within the PIM domain and others outside it. PMBRs connect the PIM domain to the Internet.

- BSR: The Bootstrap Router (BSR) distributes RP information to the other PIM Sparse switches within the domain. Each PIM Sparse domain has one active BSR. For redundancy, you can configure ports on multiple switches as candidate BSRs. The PIM Sparse protocol uses an election process to select one of the candidate BSRs as the BSR for the domain. The BSR with the highest BSR priority (a user-configurable parameter) is elected. If the priorities result in a tie, then the candidate BSR interface with the highest IP address is elected.

- RP: The Rendezvous Point (RP) is the meeting point for PIM Sparse sources and receivers. A PIM Sparse domain can have multiple RPs, but each PIM Sparse multicast group address can have only one active RP. PIM Sparse switches learn the addresses of RPs and the groups for which they are responsible from messages that the BSR sends to each of the PIM Sparse switches.

To enhance overall network performance, Brocade Layer 3 Switches use the RP to forward only the first packet from a group source to the group’s receivers. After the first packet, the Layer 3 Switch calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The Layer 3 Switch calculates a separate SPT for each source-receiver pair.

By default, when a multicast packet arrives on a PIM-capable interface in a multi-path topology, the router performs a Reverse Path Forwarding (RPF) check: it looks up the shortest path back to the source and accepts the packet only if it arrived on the interface that path uses, which prevents loops and duplicate delivery. If alternate paths have the same cost, the first matching entry in the IP routing table is used. When choosing the RPF interface, the router first consults the multicast routing table; if no multicast route is available, it uses the unicast IP routing table.

Mapping IP Multicast to a MAC Address
To map an IP multicast address to the corresponding Ethernet multicast address, place the low-order 23 bits of the IP multicast address into the low-order 23 bits of the reserved Ethernet multicast prefix 01-00-5e. For the IP address 239.6.30.5 the corresponding MAC address is 01-00-5e-06-1e-05. Because an IPv4 group ID is 28 bits and only 23 are copied, the 5 high-order bits of the group ID are lost and 32 different multicast groups share each MAC address; a host or switch that filters on the MAC alone must still inspect the IP destination to reject the other 31 groups.
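As an added example (not part of the original guide or of Brocade's code), the following Python implements the mapping above and its inverse. It shows the consequence of discarding 5 of the 28 group-ID bits: enumerating those bits recovers all 32 IPv4 groups that collide on one Ethernet MAC. The guide's own 239.6.30.5 is used; the other addresses in the demonstration are constructed.

```python
import ipaddress

MCAST_OUI = "01-00-5e"  # IANA-assigned prefix for IPv4 multicast MACs


def ip_mcast_to_mac(addr: str) -> str:
    """Map an IPv4 multicast group address to its Ethernet multicast MAC.

    Only the low-order 23 bits of the group address are copied into the
    low-order 23 bits of the MAC; the 5 high-order bits of the 28-bit
    group ID are discarded.
    """
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not in 224.0.0.0/4")
    low23 = int(ip) & 0x7FFFFF
    return "{}-{:02x}-{:02x}-{:02x}".format(
        MCAST_OUI, (low23 >> 16) & 0xFF, (low23 >> 8) & 0xFF, low23 & 0xFF
    )


def mac_to_ip_mcast_groups(mac: str) -> list:
    """Return the 32 IPv4 group addresses that all map to one 01-00-5e MAC.

    The 5 discarded bits occupy bit positions 23..27 of the address, so
    enumerating them recovers every group that collides on this MAC.
    """
    parts = mac.lower().split("-")
    if len(parts) != 6 or parts[:3] != ["01", "00", "5e"]:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = (int(parts[3], 16) << 16) | (int(parts[4], 16) << 8) | int(parts[5], 16)
    if low23 > 0x7FFFFF:
        raise ValueError("the fourth octet of an IPv4 multicast MAC is 00..7f")
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


if __name__ == "__main__":
    print(ip_mcast_to_mac("239.6.30.5"))            # the guide's example
    for group in mac_to_ip_mcast_groups("01-00-5e-06-1e-05"):
        print(group)                                 # 224.6.30.5 ... 239.134.30.5
```

The inverse function is the useful one when troubleshooting: if a receiver sees unexpected multicast frames for a MAC it programmed, the 32 candidate groups tell you which other stream is aliasing onto it.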

Figure 39: IP Multicast Mapping

5 - Access Control List Concepts
After reviewing this section you should be able to describe Access Control List (ACL) concepts using different scenarios.

ACL Overview
Brocade FastIron devices support rule-based ACLs (sometimes called hardware-based ACLs): the permit or deny decision is made in hardware, and all permitted packets are switched or routed in hardware. FastIron devices support inbound ACLs only; outbound ACLs are not supported. Rule-based ACLs program the entries you bind to an interface into the Content Addressable Memory (CAM) space allocated to its ports. The entries are programmed into hardware at startup and whenever a new ACL is entered and bound to a port, so packets are permitted or denied in the forwarding hardware without being sent to the CPU. Rule-based ACLs are supported on the following interface types:

• Gigabit Ethernet ports

• 10 Gigabit Ethernet ports

• Trunk groups

• Virtual routing interfaces

Access Control Lists
ACLs filter traffic by permitting or denying incoming frames on the interfaces to which the ACL is applied. Each ACL is an ordered collection of permit and deny statements (rules). The switch compares each frame against the rules in order, from top to bottom, and forwards or drops it according to the first rule that matches; later rules are not examined. Rule order is therefore critical: place more specific rules before more general ones. In the common case of blocking a few hosts and allowing everyone else, the deny statements come before the final permit; a permit any placed first would shadow every rule below it. Every ACL ends with an implicit deny, so traffic not explicitly permitted is dropped. There are two types of ACLs:

• Standard (ACL 1-99)

- Permits or Denies packets based on source IP address

- Configured with the access-list command

• Extended (ACL 100-199)

- Permits or Denies packets based on source and destination IP addresses, TCP/UDP ports, or protocol number/name

- Configured with the access-list command

- The following are editing options for extended ACLs:

• Insert a new ACL entry within an existing ACL

• Delete an entry from an ACL

• Replace an existing ACL entry

• Add, insert, replace, or delete a remark per ACL entry

Where a platform gives you the choice, apply ACLs inbound rather than outbound (FastIron supports inbound only). With an inbound ACL, even the first packet of a new TCP or UDP flow is handled by the ASIC rather than the CPU. Enabling ACL logging costs CPU, because the software must track and report the matching packets, so use the log keyword sparingly on rules that match high-volume traffic.

Example Standard ACL

Figure 40: Standard ACL Example

Router_A(config)# ip dns server-address 209.157.22.30
Router_A(config)# access-list 1 deny host 209.157.22.26 log
Router_A(config)# access-list 1 deny host 209.157.29.12 log
Router_A(config)# access-list 1 deny host IPHost1 log
Router_A(config)# access-list 1 permit any
Router_A(config)# interface ethernet 1/1
Router_A(config-if-1/1)# ip access-group 1 in

Example Explanation

Q: Why do the 2nd , 3rd, and 4th access list 1 lines have no subnet mask?

A: With the host argument, there is an implicit /32 bit mask.

- The host argument is used in the syntax as a substitute for the subnet mask.

- DNS server configuration allows a host name (IPHost1 above) to be used in an ACL entry; the name is resolved against the servers listed in the ip dns server-address command. You can list up to four servers, and they are searched in the order configured.

- Syslog entries: The first time an ACL entry with the log keyword permits or denies a packet, the software immediately generates a Syslog entry and an SNMP trap and starts a five-minute timer. While the timer runs, the software counts the packets explicitly denied by each logging ACL entry. When the five minutes expire, it generates a single Syslog entry per ACL entry that denied traffic, stating how many packets that entry denied during the interval. This aggregation keeps a flood of denied packets from producing a flood of log messages.
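To make the first-match rule, the implicit deny and the host/wildcard/CIDR forms concrete, here is an added example that is not part of the guide or of Brocade's software: a small Python evaluator for standard (source-address) ACLs in the syntax the guide uses. The first constructed ACL mirrors Figure 40 without the DNS-name entry; the second reorders the same statements to show how a leading permit any shadows every deny below it; the third mixes wildcard and CIDR notation and has no trailing permit, so unmatched sources fall through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    addr: int      # source address to compare, as a 32-bit integer
    mask: int      # bits that must match (the inverse of a wildcard mask)
    log: bool
    text: str      # the statement as written, for reporting

    def matches(self, ip: int) -> bool:
        return (ip & self.mask) == (self.addr & self.mask)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(lines):
    """Parse standard ACL statements in the forms the guide uses:

        [access-list <n>] permit|deny host A.B.C.D [log]
        [access-list <n>] permit|deny A.B.C.D W.W.W.W [log]   (wildcard mask)
        [access-list <n>] permit|deny A.B.C.D/len [log]
        [access-list <n>] permit|deny any [log]

    Rules are returned in the order given, which is also the match order.
    """
    rules = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]
        action, rest = tokens[0], tokens[1:]
        if action not in ("permit", "deny") or not rest:
            raise ValueError(f"cannot parse {line!r}")
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest == ["any"]:
            addr, mask = 0, 0
        elif rest[0] == "host" and len(rest) == 2:   # host = implicit /32
            addr, mask = _to_int(rest[1]), 0xFFFFFFFF
        elif len(rest) == 2:                          # address + wildcard mask
            addr, mask = _to_int(rest[0]), ~_to_int(rest[1]) & 0xFFFFFFFF
        elif "/" in rest[0]:                          # CIDR prefix
            net = ipaddress.IPv4Network(rest[0], strict=False)
            addr, mask = int(net.network_address), int(net.netmask)
        else:
            raise ValueError(f"cannot parse source in {line!r}")
        rules.append(Rule(action, addr, mask, log, line.strip()))
    return rules


def evaluate(rules, src: str):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    ip = _to_int(src)
    for rule in rules:
        if rule.matches(ip):
            return rule.action, rule.text
    return "deny", "<implicit deny>"


# Constructed ACLs. The first mirrors Figure 40 (minus the DNS-name entry).
ACL_1 = parse_standard_acl([
    "access-list 1 deny host 209.157.22.26 log",
    "access-list 1 deny host 209.157.29.12 log",
    "access-list 1 permit any",
])

# Same statements with the permit first: it shadows every deny below it.
ACL_1_SHADOWED = parse_standard_acl([
    "permit any",
    "deny host 209.157.22.26 log",
    "deny host 209.157.29.12 log",
])

# Wildcard and CIDR notation mixed, with no trailing permit.
ACL_10_NO_PERMIT = parse_standard_acl([
    "deny 209.157.23.0 0.0.0.255 log",
    "deny 209.157.25.0/24 log",
])

if __name__ == "__main__":
    for name, acl in [("ACL 1", ACL_1), ("ACL 1 shadowed", ACL_1_SHADOWED),
                      ("ACL 10, no permit", ACL_10_NO_PERMIT)]:
        for src in ("209.157.22.26", "209.157.23.77", "10.1.1.1"):
            print(f"{name:18} {src:15} -> {evaluate(acl, src)}")
```

Matching is done with an address/mask pair rather than a CIDR network so that non-contiguous wildcard masks (which the wildcard syntax allows) evaluate the way the hardware does.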

Policy-Based Routing (PBR)
Policy-Based Routing (PBR) uses ACLs and route maps to selectively modify and route IP packets in hardware. The ACLs classify the traffic; route maps that match on those ACLs set the routing attributes for it.

A PBR policy specifies the next hop for traffic that matches the policy. Using standard ACLs with PBR, you can route IP packets based on their source IP address. With extended ACLs, you can route IP packets based on all of the clauses in the extended ACL.

Figure 41: Policy-based Routing

QoS Options for ACLs
Quality of Service (QoS) options enable you to perform QoS for packets that match the ACLs. Using an ACL to perform QoS is an alternative to directly setting the internal forwarding priority based on incoming port, VLAN membership, and so on. The following QoS ACL options are supported:

- dscp-cos-mapping

This option is similar to the dscp-matching command (described below). It maps the Differentiated Services Code Point (DSCP) value of incoming packets through a hardware table that assigns each of the 64 DSCP values (0–63) to one of eight traffic classes (internal priorities) and eight 802.1p priorities. By default the device derives the internal priority from the frame's 802.1p (CoS) value; dscp-cos-mapping makes traffic that matches the ACL use the DSCP table instead.

- dscp-marking

Marks the DSCP value in the outgoing packet with the value you specify.

- internal-priority-marking and 802.1p-priority-marking

Supported with the DSCP marking option, these commands assign traffic that matches the ACL to a hardware forwarding queue (internal-priority-marking), and re-mark the packets that match the ACL with the 802.1p priority (802.1p-priority-marking).

- dscp-matching

Matches on the packet’s DSCP value. This option does not change the packet’s forwarding priority through the device or mark the packet.

ACL-based Rate Limiting
ACL-based rate limiting provides the facility to limit the rate of IP traffic that matches the permit conditions in extended IP ACLs. This feature is available in both the Layer 2 and the Layer 3 code.

[Figure 41 labels: Customer B, AS 110, 209.157.23.x; Customer C, AS 120, 209.157.24.x; Customer D, AS 130, 209.157.25.x; 192.168.2.1; 192.168.2.2; 192.168.2.3; ISP_WAN VLAN; RVE1; AS 200; VE3: 192.168.2.4/24]

6 - Quality of Service Concepts
After reviewing this section you should be able to describe Quality of Service (QoS) concepts and their use in different situations.

QoS Queueing Methods
• Weighted Round Robin (WRR) – WRR ensures that all queues are serviced during each cycle. A weighted fair queuing algorithm rotates service among the eight queues on FESX, FSX, FWSX, FGS, FLS, FWS, FGS-STK and FLS-STK devices, forwarding a weight-determined number of packets from one queue before moving on to the next. The rotation is based on the weights you assign to each queue. WRR is the default queuing method and uses a default set of queue weights.

• Strict Priority (SP) – SP guarantees service for high-priority traffic. The software assigns the maximum weight to every queue, so the scheduler serves as many packets as it can from the highest non-empty queue before moving to a lower one. This favors the higher queues over the lower ones: a lower queue is served only when every queue above it is empty, so sustained high-priority load can starve the lower queues entirely.

• Hybrid WRR and SP – Starting with software release 02.2.00, a configurable queueing mechanism combines strict priority and weighted round robin. The combined method lets the Brocade device give strict priority to delay-sensitive traffic such as VoIP while sharing the remaining bandwidth among the other queues by weighted round robin.
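To make the difference between the three methods concrete, here is an added example, not from the guide or from Brocade, that simulates one egress port draining per-queue backlogs under each discipline. The queue weights, backlogs and slot counts are constructed for illustration and are not FastIron defaults. The simulation shows that WRR never starves a queue, that strict priority starves every lower queue for as long as a higher one stays busy, and that the hybrid method only protects lower queues when the strict-priority traffic (for example VoIP that has been policed) is bounded.

```python
def schedule(backlog, weights, strict=frozenset(), slots=210):
    """Simulate one egress port draining fixed per-queue backlogs.

    backlog: {queue: packets waiting}   (higher queue number = higher priority)
    weights: {queue: packets forwarded from that queue per WRR cycle}
    strict:  queues served strict-priority ahead of every WRR queue
             (empty -> pure WRR, all queues -> pure SP, {7} -> hybrid)
    slots:   transmit opportunities to simulate

    Returns (served, finished): packets forwarded per queue, and the 1-based
    slot at which each queue emptied (None if it never did within `slots`).
    """
    if set(backlog) - set(weights):
        raise ValueError("every queue needs a weight")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("every WRR weight must be positive")
    waiting = dict(backlog)
    served = {q: 0 for q in backlog}
    finished = {q: None for q in backlog}
    credit = dict(weights)          # packets each WRR queue may still send this cycle
    for slot in range(1, slots + 1):
        if not any(waiting.values()):
            break
        hot = [q for q in waiting if q in strict and waiting[q]]
        if hot:                     # strict queues always win, highest first
            q = max(hot)
        else:                       # WRR: walk queues high to low, spending credit
            eligible = [q for q in waiting
                        if q not in strict and waiting[q] and credit[q] > 0]
            if not eligible:        # cycle exhausted: refill and start a new one
                credit = dict(weights)
                eligible = [q for q in waiting if q not in strict and waiting[q]]
            q = max(eligible)
            credit[q] -= 1
        waiting[q] -= 1
        served[q] += 1
        if waiting[q] == 0:
            finished[q] = slot
    return served, finished


def compare(backlog, weights, slots=210):
    """Run the same load under WRR, SP and hybrid (queue 7 strict, rest WRR)."""
    return {
        "wrr": schedule(backlog, weights, frozenset(), slots),
        "sp": schedule(backlog, weights, frozenset(backlog), slots),
        "hybrid": schedule(backlog, weights, frozenset({7}), slots),
    }


WEIGHTS = {7: 4, 5: 2, 0: 1}        # constructed weights, not FastIron defaults

if __name__ == "__main__":
    # A: every queue continuously backlogged -> SP and hybrid starve queues 5 and 0
    for method, (served, finished) in compare({7: 1000, 5: 1000, 0: 1000}, WEIGHTS).items():
        print("saturated  ", method, served, finished)
    # B: a bounded burst of 30 voice packets -> hybrid drains it as fast as SP
    #    (slot 30) while WRR makes it wait until slot 51; neither starves queue 0
    for method, (served, finished) in compare({7: 30, 5: 1000, 0: 1000}, WEIGHTS).items():
        print("voice burst", method, served, finished)
```

The `finished` slot is the latency figure a voice engineer cares about; the `served` counts are the fairness figure. Hybrid wins on both only because the strict queue drains; in scenario A it behaves exactly like SP, which is why strict-priority queues are normally paired with an ingress rate limit.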

802.1p
• The 802.1p priority is also called the Class of Service (CoS) and is carried in a 3-bit field of the 802.1Q VLAN tag

• There is support for up to 8 priority levels (0-7) with 7 being the highest

• It is not preserved end-to-end: the field exists only in tagged frames, so it is lost on untagged links and is not carried across a routed hop, where the Layer 2 header is rewritten

• Trust levels can be one of the following:

- Static MAC address

- Ingress port default priority

- ACL keyword

Marking
Marking is the process of changing the packet's QoS information (the 802.1p and DSCP values in a packet) for the next hop. For example, for traffic coming from a device that does not support DiffServ, you can change the packet's IP Precedence value into a DSCP value before forwarding the packet.

You can mark a packet’s Layer 2 CoS value, its Layer 3 DSCP value, or both values. The Layer 2 CoS or DSCP value the device marks in the packet is the same value that results from mapping the packet’s QoS value into a Layer 2 CoS or DSCP value.

Marking is optional and is disabled by default. Marking is performed using ACLs. When marking is not used, the device still performs the mappings listed in “Classification” for scheduling the packet, but leaves the packet’s QoS values unchanged when the device forwards the packet.

7 - Wireless Concepts
After reviewing this section you should be able to do the following:

• Describe wireless protocols

• Describe wireless security protocols

Wireless Protocols

802.11b Channels
802.11 divides each of its bands into channels, similar to how the radio and TV broadcast bands are allocated, but with greater channel width and overlap. Of the 2.4 GHz channels available to 802.11b, only three (channels 1, 6, and 11) do not overlap. For WiFi access points located near each other, it is recommended that each use one of these non-overlapping channels to minimize the effects of interference. (The following graphic is used with permission from the Creative Commons website.)

Figure 42: 802.11b Spectrum

Extended Service Set IDs
An Extended Service Set ID (ESSID) identifies a WLAN with which clients can establish a connection. The Brocade IronPoint Mobility Series provides multiple configuration options for managing the traffic, security, and service requirements of the enterprise. You can configure:

• a VLAN that supports multiple access points per ESSID

• multiple ESSIDs per physical access point

• a VLAN for each ESSID to separate network traffic and can also specify that a VLAN be shared between multiple ESSIDs

• an ESSID that supports just one person

• an ESSID for Remote Access Point (AP), such as in a branch office, and that AP can also support ESSIDs for local traffic

Typically, a wireless LAN supports one beacon on a single BSSID (Basic Service Set Identifier), which can advertise the primary ESSID. Clients can request to associate to that BSSID by requesting one of the ESSIDs. The Brocade IronPoint Mobility Series allows you to customize a beacon per ESSID to support different access point settings, such as base or supported transmit rates, different BSSIDs, different beacon intervals, and different Delivery Traffic Indication Message (DTIM) periods. This beacon customization allows service customization for each ESSID, as well as more flexibility in supporting different clients and services.

802.11i
The Brocade IronPoint Mobility Series supports both WiFi Protected Access (WPA) and WPA2. The Wi-Fi Alliance introduced WPA as an interim standard that addressed the known vulnerabilities of Wired Equivalent Privacy (WEP) while IEEE 802.11i was being finalized; WPA2 is the Alliance's certification for the ratified 802.11i standard.

In WPA2, TKIP (the RC4 cipher with the Michael Message Integrity Code) is replaced by CCMP (Counter Mode with CBC-MAC Protocol), which uses the Advanced Encryption Standard (AES) in counter mode for confidentiality and CBC-MAC for integrity; this is the CCMP-AES mode referred to below.

WPA includes the Temporal Key Integrity Protocol (TKIP) for encryption and leverages existing 802.1X authentication, including its dynamic key management.

If 802.1X authentication is not available (in a SOHO, for example), WPA2-Personal or WPA-Personal can be used instead; these derive the session keys from a pre-shared key (PSK) that is configured manually on the APs and clients.

802.1X Authentication
For enterprise wireless security to scale to hundreds or thousands of users, an authentication framework that supports centralized user authentication must be used in addition to the encryption method: WEP as specified by the original 802.11, or WPA/WPA2, which incorporate TKIP/CCMP-AES and 802.1X authentication.

The use of IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys if WPA/WPA2 is configured. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.

There are three basic pieces to 802.1X authentication:

1. Supplicant—a software client running on the wireless station

2. Authenticator—the access point and the controller

3. Authentication Server—an authentication database, usually a RADIUS server such as Cisco ACS, Microsoft IAS or Funk (Juniper) Odyssey.

Extensible Authentication Protocol (EAP) carries the authentication exchange between the supplicant (the wireless station) and the authentication server (RADIUS, MS IAS, or other). The actual authentication is defined and handled by the EAP type. The access point (and the controller, where one is deployed) acts as the authenticator; it is a client of the RADIUS server and relays the exchange between the supplicant and the authentication server. The EAP type you choose, and whether you implement 802.1X at all, depends on the level of security you require. Common EAP types include:

• EAP-TLS

• EAP-PEAP

• EAP-TTLS

• Cisco LEAP (proprietary; its password challenge-response exchange is vulnerable to offline dictionary attack, so prefer one of the TLS-based methods above)

8 - Network Security, Management, and Monitoring
After reviewing this section you should be able to do the following:

• Describe the tools used to monitor a network

• Describe the tools used to manage a network

• Demonstrate how to apply security on switches and routers

• Describe maintenance procedures for switches and routers

Network Monitoring

Restricting Remote Access to the Device to Specific VLAN IDs
You can restrict management access to a Brocade device to the ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:

• Telnet access

• Web management access

• SNMP access

• TFTP access

By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on the VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.

Figure 43: Management Access

Syslog Messages
A Brocade device's software can write Syslog messages at the following severity levels:

• Emergencies

• Alerts

• Critical

• Errors

• Warnings

• Notifications

• Informational

• Debugging

The device writes the messages to a local buffer. The buffer can hold up to 1000 entries. You also can specify the IP address or host name of up to six Syslog servers. When you specify a Syslog server, the Brocade device writes the messages both to the system log and to the Syslog server.

Using a Syslog server ensures that the messages remain available even after a system reload. The Brocade device’s local Syslog buffer is cleared during a system reload or reboot, but the Syslog messages sent to the Syslog server remain on the server.

By default, to view Syslog messages generated by a Brocade device, you need to display the Syslog buffer or the log on a Syslog server used by the Brocade device. You can enable real-time display of Syslog messages on the management console. When you enable this feature, the software displays a Syslog message on the management console when the message is generated. However, to enable display of real-time Syslog messages in Telnet or SSH sessions, you also must enable display within the individual sessions.

To enable real-time display of Syslog messages, enter the logging console command at the global CONFIG level of the CLI.

FastIron(config)#logging console

sFlow Configuration Considerations
• FastIron devices support sFlow packet sampling of inbound traffic only; they do not sample outbound packets. However, FastIron devices support byte and packet count statistics for both traffic directions.

• sFlow is supported on all Ethernet ports (10/100, Gigabit, and 10 Gigabit)

• Enabling sFlow may cause a noticeable increase of up to 20% in CPU utilization. This is normal behavior for sFlow and does not affect the functionality of other features on the switch.

• The sampling rate is the average ratio of the number of packets incoming on an sFlow enabled port, to the number of flow samples taken from those packets. sFlow sampling can affect performance in some configurations.

• Note that on the FastIron devices, the configured sampling rate and the actual rate are the same. The software does not adjust the configured sampling rate as on other Brocade devices.

• sFlow and multicast packets are forwarded by default on a Brocade switch

The sampling rate is a fraction in the form 1/N, meaning that, on average, one out of every N packets are sampled. The sflow sample command at the global level or port level specifies N, the denominator of the fraction. A higher denominator means a lower sampling rate since fewer packets are sampled. Likewise, a lower denominator means a higher sampling rate because more packets are sampled. For example, if you change the denominator from 512 to 128, the sampling rate increases because four times as many packets will be sampled. Brocade recommends that you do not change the denominator to a value lower than the default. Sampling requires CPU resources. Using a low denominator for the sampling rate can cause high CPU utilization.

Port Mirroring and Monitoring
Port mirroring is a method of monitoring network traffic that forwards a copy of each incoming or outgoing packet on one switch port to another port, where the packet can be analyzed. Port mirroring is used as a diagnostic and debugging tool and to feed traffic to a protocol analyzer or intrusion detection system; it observes traffic but does not block it. Port mirroring can be managed locally or remotely.

Configure port mirroring by determining which port from which to copy all packets and assign a mirror port where the copies of the packets are sent. A packet received on, or issued from, the first port is forwarded to the second port. Attach a protocol analyzer on the mirror port to monitor each segment separately. The analyzer captures and evaluates the data without affecting the client on the original port.

In the following command sequence, incoming and outgoing traffic on port e1/2/11 is copied to the mirror port e1/2/4: the mirror port is declared first, then monitoring is enabled on the monitored port.

FastIron(config)#mirror-port ethernet 1/2/4
FastIron(config)#interface ethernet 1/2/11
FastIron(config-if-e1000-11)#monitor ethernet 1/2/4 both

The mirror port may be a port on the same switch with an attached RMON probe, a port on a different switch in the same hub, or the switch processor. To configure port monitoring, first specify the mirror port, then enable monitoring on the monitored port.

• The mirror port is the port to which the monitored traffic is copied. Attach your protocol analyzer to the mirror port.

• The monitored port is the port whose traffic you want to monitor

Network Management

Console Port
The first step in configuring your Brocade device is to connect a console cable (typically shipped with the device) to the serial port. You can then use the Command Line Interface (CLI) to assign an IP address; after that you can reach the system through Telnet, SSH, the Web management interface, or IronView. To attach a management station to the serial port, connect a PC or terminal with a straight-through cable. The serial port has a male DB-9 connector, so you need a straight-through female-to-female cable and either a serial interface on your computer or a USB-to-serial adapter. Run a terminal emulation program such as HyperTerminal or Procomm Plus on the PC with the session parameters set as follows:

• Baud: 9600

• Data Bits: 8

• Parity: none

• Stop Bits: 1

• Flow control: none

For a modem connection, you must use a DB-9F-to-DB25F cross-over cable.

SNMP
SNMP is a set of protocols for managing complex networks. SNMP sends messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to SNMP requesters. SNMP management access may be controlled, or restricted, by using a VLAN or ACLs.

Applying Security

Restricting Remote Access
By default, a Brocade device does not control remote management access based on the IP address of the managing device. You can restrict remote management access to a single IP address for the following access methods:

• Telnet access

• SSH access

• Web Management access

• SNMP access

SNMP and Web Management use community strings for authentication. In addition, you can restrict all access methods to the same IP address using a single command.

To restrict Telnet access:

FastIron(config)# telnet-client 209.157.22.39

To restrict SSH access:

FastIron(config)# ip ssh client 209.157.22.39

To restrict Web Management access:

FastIron(config)# web-client 209.157.22.39

To restrict SNMP access:

FastIron(config)# snmp-client 209.157.22.39

To restrict all access:

FastIron(config)# all-client 209.157.22.39

To restrict access using ACLs, the command is the same for every access method except for the keyword before access-group, which names the access method being restricted. An example for Telnet:

FastIron(config)# access-list 10 deny host 209.157.22.32 log
FastIron(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
FastIron(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
FastIron(config)# access-list 10 deny 209.157.25.0/24 log
FastIron(config)# access-list 10 permit any
FastIron(config)# telnet access-group 10
FastIron(config)# write memory

To allow Telnet access to the device, you must first issue the telnet server command. To allow SSHv2 access, you must additionally generate a host key with the crypto key generate command and configure an AAA authentication method (local user accounts, RADIUS, or TACACS+) so that SSH logins have credentials to validate against. Because Telnet sends credentials in clear text, prefer SSH and leave the Telnet server disabled when it is not needed.

Levels of the CLI
The CLI is organized into the following levels:

• User: Display information and perform basic tasks such as pings and traceroutes

- View basic information

- Verify connectivity (ping command)

• Privileged: Allows you to use the same commands as at the User level plus configuration commands that do not require saving changes to the system-config file

- Enter through the enable command

- Can be password protected

- View detailed information (show commands)

- Execute system-wide features

• CONFIG: Allows you to make configuration changes to the device. To keep the changes across reboots, you must save them to the system-config file. The CONFIG level contains sub-levels for individual ports, VLANs, routing protocols, and other configuration areas.

- Enter through the configure terminal command

- Make global or local system changes (VLANs)

- Save changes with the write memory command

You can tell which level of the command hierarchy that you are currently at by looking at the system prompt.

• User = >

• Privileged = #

• CONFIG = (config)#

Figure 44: CLI Prompts

User EXEC: >
Privileged EXEC: #
Global Configuration: (config)#

The CONFIG level contains sub-levels for configuring individual interfaces, VLANs, routing protocols, and other configuration areas. The prompts for these levels change to indicate the current level.

Securing CLI
There are five ways to secure access to the Privileged EXEC and CONFIG levels of the CLI:

• Establish a password for Telnet access to the CLI

• Establish passwords for management privilege levels

• Set up local user accounts

• Configure TACACS/TACACS+ security

• Configure RADIUS security

Maintenance Procedures

Switch and Router show Commands
The following show commands are available on routers and switches.

• show chassis: Hardware status (power supplies, fans, temperatures) and the chassis MAC addresses

FGS648P-STK Switch# show chassis
The stack unit 1 chassis info:
Power supply 1 (NA - AC - Regular) present, status ok
Power supply 2 not present
Fan 1 ok
Fan 2 ok
Exhaust Side Temperature Readings:
Current temperature : 35.5 deg-C
Warning level.......: 80.0 deg-C
Shutdown level......: 90.0 deg-C
Intake Side Temperature Readings:
Current temperature : 33.5 deg-C
Boot Prom MAC: 0012.f2de.9440
Management MAC: 0000.0000.0011
The stack unit 2 chassis info:
Power supply 1 (NA - AC - Regular) present, status ok
Power supply 2 not present
<output truncated>

• show interface brief - Interface status

SW-Switch# show interface brief
Port   Link  L2 State  Dupl  Speed  Trunk  Tag  Priori   MAC
1/1/1  Down  None      None  None   None   No   level10  0024.38b7.4bc0
1/1/3  Down  None      None  None   None   No   level10  0024.38b7.4bc2
1/1/4  Down  None      None  None   None   No   level10  0024.38b7.4bc3
<truncated output>

• show stat: Interface statistics

• show ip: IP address and mask information

• show span: Spanning tree information

• show mac-address: MAC forwarding table

• show mac-address stat: Number of MACs learned per port

• show flash: Flash memory images

FastIron# show flash
Active Management Module (Slot 9):
Compressed Pri Code size = 3613675, Version 03.1.00aT3e3 (sxr03100a.bin)
Compressed Sec Code size = 2250218, Version 03.1.00aT3e1 (sxs03100a.bin)
Compressed BootROM Code size = 524288, Version 03.0.01T3e5
Code Flash Free Space = 9699328
Standby Management Module (Slot 10):
Compressed Pri Code size = 3613675, Version 03.1.00aT3e3 (sxr03100a.bin)
Compressed Sec Code size = 2250218, Version 03.1.00aT3e1 (sxs03100a.bin)
Compressed BootROM Code size = 524288, Version 03.0.01T3e5
Code Flash Free Space = 524288

• show version: Software version, uptime, and last reload

FastIron# show version
SW: Version 03.0.00T53 Copyright (c) 2009 Brocade Communications Systems, Inc.
Compiled on Mar 26 2003 at 13:50:31 labeled as FER03000
(3089381 bytes) from Primary fer03000.bin
HW: Stackable FES2402-PREM-ILP
==================================
330 MHz Power PC processor 8245 (version 129/1014) 66 MHz bus
512 KB boot flash memory
16384 KB code flash memory
128 MB DRAM
Monitor Option is on
The system uptime is 4 days 4 hours 8 minutes 33 seconds
The system : started=warm start

• show vlan: Configured VLANs

• show telnet: IP address(es) of active telnet session(s)

• show trunk: Configured and active trunk groups

• show tech-support: Details for assistance in troubleshooting when working with Support

File Management
The flash memory is divided into two storage areas, primary and secondary, so two software image versions can be stored at once. Secondary flash is the staging area for upgrade code:

• Put new code in the secondary flash

• Schedule a reload to boot from secondary flash during a low-traffic period. An unsuccessful reload causes the system to revert to the primary flash image.

• When confidence is established in upgrade code, use the copy flash flash primary command to overwrite the old software image with the upgrade image in primary flash

• The following command copies the system image in the primary flash to the TFTP server:

- FastIron# copy flash tftp 192.22.33.44 vm1r07501.bin primary

- A failure may indicate the presence of something in the secondary flash

9 - Troubleshooting
After reviewing this section you should be able to do the following:

• Demonstrate knowledge of troubleshooting tools and techniques

• Demonstrate ability to analyze troubleshooting output

Tools and Techniques

Reasons for Ping Failures
Pings can fail because a host is unreachable for one of the following reasons:

• A route to the target is unavailable

• An ARP for the default gateway could not be resolved

• The default gateway does not exist

Reasons For OSPF Neighbor Establishment Failures
• Different areas

• Different hello or dead intervals (both must match on the link)

• Different authentication passwords

Collisions
A rising collision count does not by itself indicate a problem. On shared (half-duplex) Ethernet the collision rate (the number of collisions divided by the number of packets output) simply increases with the offered load, for example when another station is added to the segment. Excessive collisions do indicate a problem. Common causes are a duplex mismatch (a device configured for full duplex on a shared, half-duplex Ethernet), a broken NIC, or simply too many stations on the shared medium. Collisions caused by a duplex mismatch are resolved by making speed and duplex consistent on both ends of the link, either by hardcoding both sides or by letting both autonegotiate.

Gathering Data
As previously mentioned, the show tech-support command is extremely useful for gathering data for an escalated support call. The more information you can provide up front, the more likely a fast resolution is.

Analyzing Troubleshooting Output

Rapid STP (802.1w) Port Descriptions
Forwarding Ports

• Root port - port having the best path to the root switch

• Designated port - on a given link, it is the port having the superior BPDU

• Edge port - a special type of designated port. It is a port that has been identified through manual configuration as being at the edge of the network (no other switch behind it), so it transitions directly to forwarding without waiting for the usual timers.


Blocking Ports

• Alternate port - a port that is not a root port, and cannot be a designated port, because it is receiving a superior BPDU from another switch

• Backup port - a port that is not a root port, and cannot be a designated port, because it is receiving a superior BPDU from its own switch

• Disabled port - a port not controlled by RSTP either because it is down, administratively down, or administratively removed from RSTP
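The role definitions above can be applied mechanically. The Python below is an added example and is not code from this guide or from Brocade: it models one bridge's ports over a constructed topology, compares BPDU priority vectors (root ID, root path cost, sender bridge ID, sender port ID; the lower vector is the superior BPDU) and assigns each port the role listed above. The bridge IDs, the 20000 link cost and the "designated-edge" label for an edge port are assumed sample values, not anything the guide specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Priority vector carried in a BPDU. Lower compares as "superior" (802.1w ordering).
@dataclass(frozen=True)
class Bpdu:
    root_id: int          # bridge ID the sender believes is the root
    root_path_cost: int   # sender's cost to that root
    bridge_id: int        # sender's own bridge ID
    port_id: int          # sender's port ID

    def vector(self) -> Tuple[int, int, int, int]:
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)

@dataclass
class Port:
    port_id: int
    link_cost: int                      # cost of the attached link, added to the sender's root path cost
    up: bool = True
    edge: bool = False                  # manually configured as an edge port
    received: Optional[Bpdu] = None     # best BPDU heard on this port, if any

def assign_roles(bridge_id: int, ports: List[Port]) -> Dict[int, str]:
    """Derive the RSTP role of every port of one bridge from the BPDUs it has received."""
    # Root port: the up, non-edge port offering the best path to the best root.
    best_vec = None
    root_port: Optional[int] = None
    for p in ports:
        b = p.received
        if not p.up or p.edge or b is None or b.bridge_id == bridge_id:
            continue  # our own BPDUs can never lead towards the root
        vec = (b.root_id, b.root_path_cost + p.link_cost, b.bridge_id, b.port_id, p.port_id)
        if best_vec is None or vec < best_vec:
            best_vec, root_port = vec, p.port_id
    if best_vec is not None and best_vec[0] < bridge_id:
        root_id, root_path_cost = best_vec[0], best_vec[1]
    else:
        root_id, root_path_cost, root_port = bridge_id, 0, None  # nobody is better: we are the root

    roles: Dict[int, str] = {}
    for p in ports:
        if not p.up:
            roles[p.port_id] = "disabled"
        elif p.edge:
            roles[p.port_id] = "designated-edge"   # forwards immediately, no BPDU comparison
        elif p.port_id == root_port:
            roles[p.port_id] = "root"
        else:
            ours = (root_id, root_path_cost, bridge_id, p.port_id)  # the BPDU we would send here
            if p.received is None or ours < p.received.vector():
                roles[p.port_id] = "designated"
            elif p.received.bridge_id == bridge_id:
                roles[p.port_id] = "backup"      # superior BPDU from our own bridge (e.g. via a hub)
            else:
                roles[p.port_id] = "alternate"   # superior BPDU from another switch
    return roles

# Assumed sample bridge IDs (real IDs are priority plus MAC; lower wins the root election).
ROOT, US, OTHER = 0x8000_01, 0x8000_02, 0x8000_03

def example_roles() -> Dict[int, str]:
    """Constructed topology: two links to the root, one peer, our own BPDU looped back, an edge port, a down port."""
    ports = [
        Port(1, 20000, received=Bpdu(ROOT, 0, ROOT, 1)),       # direct link to root, root's port 1
        Port(2, 20000, received=Bpdu(ROOT, 20000, OTHER, 1)),  # peer switch, one hop from root
        Port(3, 20000, received=Bpdu(ROOT, 0, ROOT, 2)),       # second link to root, loses tie on port ID
        Port(4, 20000, received=Bpdu(ROOT, 20000, US, 2)),     # our own port-2 BPDU heard back via a hub
        Port(5, 20000, edge=True),                             # configured edge port
        Port(6, 20000, up=False),                              # link down
        Port(7, 20000),                                        # nothing heard: we are designated
    ]
    return assign_roles(US, ports)

if __name__ == "__main__":
    for port_id, role in sorted(example_roles().items()):
        print(f"port {port_id}: {role}")
```

Ports 1 and 3 both reach the root at equal cost; the tie is broken on the root's sending port ID, so port 1 becomes the root port and port 3 is left blocking as an alternate. Port 4 hears a BPDU that this same bridge sent from port 2, which is exactly the "superior BPDU from its own switch" case that makes it a backup port.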

Displaying the IP Route Table

FastIron(config)#show ip route

Total number of IP routes: 4, avail: 79995 (out of 80000 max)
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination    NetMask          Gateway        Port  Cost  Type
    0.0.0.0        0.0.0.0          172.20.1.14    2     1     S
1   172.16.1.0     255.255.255.0    0.0.0.0        1     1     D
2   172.16.4.8     255.255.255.252  172.16.1.1     1     1     O
3   172.20.1.12    255.255.255.252  0.0.0.0        2     1     D

Different route sources are shown above, both static and dynamically learned. If a route to a destination network is expected and is not shown, the router has not learned the route.
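To make "the router has not learned the route" concrete, and to tie it back to the ping-failure causes listed under Tools and Techniques, the Python below is an added example and is not code from this guide or from Brocade. It parses a constructed copy of the show ip route output above, performs a longest-prefix lookup for a destination, and classifies the result: no route at all, reachable only through the default route, directly connected, or a next hop that lies on no connected subnet of the same port (so ARP for that gateway can never resolve). The status labels, the regular expression for the row layout and the tie-break on cost are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, laid out like the 'show ip route' output shown above.
SAMPLE_SHOW_IP_ROUTE = """\
Total number of IP routes: 4, avail: 79995 (out of 80000 max)
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination    NetMask          Gateway        Port  Cost  Type
    0.0.0.0        0.0.0.0          172.20.1.14    2     1     S
1   172.16.1.0     255.255.255.0    0.0.0.0        1     1     D
2   172.16.4.8     255.255.255.252  172.16.1.1     1     1     O
3   172.20.1.12    255.255.255.252  0.0.0.0        2     1     D
"""

ROUTE_TYPES = {"B": "BGP", "D": "Connected", "R": "RIP", "S": "Static", "O": "OSPF"}

# One table row: optional index, destination, mask, gateway, port, cost, type letter
# (an optional '*' marks a candidate default). Assumed layout, matched against the sample.
ROUTE_LINE = re.compile(
    r"^\s*(?:\d+\s+)?"
    r"(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\S+)\s+(\d+)\s+([BDRSO])\*?\s*$"
)

UNSPECIFIED = ipaddress.ip_address("0.0.0.0")   # gateway 0.0.0.0 means directly connected

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    port: str
    cost: int
    rtype: str

def parse_show_ip_route(text: str) -> List[Route]:
    """Turn the table rows of a 'show ip route' capture into Route records; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gw, port, cost, rtype = m.groups()
        routes.append(Route(ipaddress.ip_network(f"{dest}/{mask}"),
                            ipaddress.ip_address(gw), port, int(cost), rtype))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest cost wins (assumed tie-break)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.cost))

def diagnose(routes: List[Route], dst: str) -> Tuple[str, Optional[Route]]:
    """Classify how dst would be forwarded, mirroring the ping-failure causes in this section."""
    route = lookup(routes, dst)
    if route is None:
        return "NO_ROUTE", None                  # the router has not learned a route
    if route.gateway == UNSPECIFIED:
        return "CONNECTED", route                # ARP goes to the target host itself
    # A next hop can only be ARPed if it sits on a connected subnet reachable via the same port.
    connected = [r for r in routes if r.rtype == "D" and r.gateway == UNSPECIFIED]
    if not any(route.gateway in r.network and r.port == route.port for r in connected):
        return "GATEWAY_UNREACHABLE", route      # gateway does not exist on any attached subnet
    if route.network.prefixlen == 0:
        return "DEFAULT_ONLY", route             # no specific route learned; default takes it
    return "VIA_GATEWAY", route

if __name__ == "__main__":
    table = parse_show_ip_route(SAMPLE_SHOW_IP_ROUTE)
    for target in ("172.16.4.9", "172.16.1.50", "10.1.1.1"):
        status, r = diagnose(table, target)
        via = f"{r.network} via {r.gateway} port {r.port} ({ROUTE_TYPES[r.rtype]})" if r else "-"
        print(f"{target:<12} {status:<20} {via}")
```

Running it on the sample shows 172.16.4.9 forwarded through the OSPF-learned /30, 172.16.1.50 as directly connected, and 10.1.1.1 falling through to the static default. Deleting the connected 172.20.1.12/30 entry from the table turns the 10.1.1.1 result into GATEWAY_UNREACHABLE, which is the "default gateway does not exist" ping failure expressed in routing-table terms.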


Taking the Test

After the Introduction Screen, once you click on Next (N), you will see the Non-Disclosure agreement:

IMPORTANT: PLEASE READ THE FOLLOWING BROCADE NON-DISCLOSURE CONFIDENTIALITY AGREEMENT CAREFULLY BEFORE TAKING THIS EXAM.

The following Non-Disclosure Confidentiality Agreement (the “Agreement”) sets forth the terms and conditions of your use of the exam materials as defined below.

The Disclosure to you of this Exam and any questions, answers, worksheets, computations, drawings, diagrams, or any communications, including verbal communication by any party, regarding or related to the Exam and such Exam Materials and any derivatives thereof is subject to the Terms and Conditions of this Agreement.

You understand, acknowledge and agree:

• That the questions and answers of the Exam are the exclusive and confidential property of Brocade and are protected by Brocade intellectual property rights;

• That you may not disclose the Exam questions or answers or discuss any of the content of the Exam Materials with any person, without prior approval from Brocade;

• Not to copy or attempt to make copies (written, photocopied, or otherwise) of any Exam Material, including, without limitation, any Exam questions or answers;

• Not to sell, license, distribute, or give away the Exam Materials, questions, or answers;

• You have not purchased, solicited or used unauthorized (non-Brocade sanctioned) Exam Materials, questions, or answers in preparation for this exam;

• That your obligations under this Agreement shall continue in effect after the Exam and, if applicable, after termination of your credential, regardless of the reason or reasons for terminations, and whether such termination is voluntary or involuntary.

Brocade reserves the right to take all appropriate actions to remedy or prevent disclosure or misuse, including, without limitation, obtaining an immediate injunction. Brocade reserves the right to validate all results and take any appropriate actions as needed. Brocade also reserves the right to use any technologies and methods for verifying the identity of candidates. Such technology may include, without limitation, personally identifiable information, challenge questions, identification numbers, photographic information, and other measures to protect against fraud and abuse.

Neither this Agreement nor any right granted hereunder shall be assignable or otherwise transferable by you.

By clicking on the "A" button (“YES, I AGREE”), you are consenting to be bound by the terms and conditions of this agreement and state that you have read this agreement carefully and you understand and accept the obligations which it imposes without reservation. You further state that no promises or representations have been made to induce agreement and that you accept this agreement voluntarily and freely.

A. YES, I AGREE

B. NO, I DO NOT AGREE
