ICOS User Manual

Page Count: 342

ICOS user manual
Table of Contents
1. About This Document ......................................................................................................... 1
1.1. Purpose and Audience ............................................................................................ 2
1.2. Conventions ............................................................................................................ 3
1.3. Terms and Acronyms .............................................................................................. 4
2. ICOS modules ................................................................................................................... 8
2.1. Management Features ............................................................................................. 9
2.1.1. Management Options .................................................................................... 9
2.1.2. Management of Basic Network Information .................................................... 9
2.1.3. Dual Software Images .................................................................................. 9
2.1.4. File Management .......................................................................................... 9
2.1.5. FTP File Update ........................................................................................... 9
2.1.6. Malicious Code Detection ............................................................................. 9
2.1.7. Automatic Installation of Firmware and Configuration .................................... 10
2.1.8. Warm Reboot ............................................................................................. 10
2.1.9. SNMP Alarms and Trap Logs ...................................................................... 10
2.1.10. CDP Interoperability Through ISDP ............................................................ 10
2.1.11. Remote Monitoring (RMON) ...................................................................... 10
2.1.12. Statistics Application ................................................................................. 10
2.1.13. Log Messages .......................................................................................... 11
2.1.14. System Time Management ........................................................................ 11
2.1.15. Source IP Address Configuration ............................................................... 11
2.1.16. Multiple Linux Routing Tables .................................................................... 11
2.1.17. Core Dump ............................................................................................... 11
2.1.18. Core Dump File Handling .......................................................................... 11
2.1.19. Kernel Core Dump .................................................................................... 12
2.1.20. Chef API Integration ................................................................................. 12
2.1.21. Puppet API Integration .............................................................................. 12
2.1.22. Zero-Touch Provisioning ........................................................................... 13
2.1.23. Open Network Install Environment Support ................................................ 13
2.1.24. Interface Error Disable and Auto Recovery ................................................. 14
2.1.25. Network Instrumentation App—Visibility Into Packet Processing ................... 14
2.1.26. CPU Traffic Filtering ................................................................................. 14
2.2. Security Features .................................................................................................. 15
2.2.1. Configurable Access and Authentication Profiles .......................................... 15
2.2.2. AAA Command Authorization ...................................................................... 15
2.2.3. Password-Protected Management Access .................................................... 15
2.2.4. Strong Password Enforcement .................................................................... 15
2.2.5. MAC-Based Port Security ........................................................................... 15
2.2.6. RADIUS Client ........................................................................................... 15
2.2.7. TACACS+ Client ......................................................................................... 15
2.2.8. Dot1x Authentication (IEEE 802.1X) ............................................................ 16
2.2.9. MAC Authentication Bypass ........................................................................ 16
2.2.10. Denial of Service ...................................................................................... 16
2.2.11. DHCP Snooping ....................................................................................... 16
2.2.12. Dynamic ARP Inspection ........................................................................... 16
2.2.13. IP Source Address Guard ......................................................................... 16
2.3. Switching Features ................................................................................................ 17
2.3.1. VLAN Support ............................................................................................ 17
2.3.2. Double VLANs ............................................................................................ 17
2.3.3. Switchport Modes ....................................................................................... 17
2.3.4. Spanning Tree Protocol (STP) ..................................................................... 17
2.3.5. Rapid Spanning Tree .................................................................................. 17
2.3.6. Multiple Spanning Tree ............................................................................... 17
2.3.7. Bridge Protocol Data Unit (BPDU) Guard ..................................................... 18
2.3.8. BPDU Filtering ........................................................................................... 18
2.3.9. PVRSTP and PVSTP .................................................................................. 18
2.3.10. Link Aggregation ....................................................................................... 18
2.3.11. Track LAG Member Port Flaps .................................................................. 18
2.3.12. Link Aggregate Control Protocol (LACP) .................................................... 18
2.3.13. Virtual Port Channel (VPC) ....................................................................... 19
2.3.14. Flow Control Support (IEEE 802.3x) .......................................................... 19
2.3.15. Asymmetric Flow Control .......................................................................... 19
2.3.16. Alternate Store and Forward (ASF) ............................................................ 19
2.3.17. Jumbo Frames Support ............................................................................. 20
2.3.18. Auto-MDI/MDIX Support ............................................................................ 20
2.3.19. Unidirectional Link Detection (UDLD) ......................................................... 20
2.3.20. Expandable Port Configuration .................................................................. 20
2.3.21. VLAN-Aware MAC-based Switching ........................................................... 20
2.3.22. Back Pressure Support ............................................................................. 20
2.3.23. Auto Negotiation ....................................................................................... 21
2.3.24. Storm Control ........................................................................................... 21
2.3.25. Port Mirroring ........................................................................................... 21
2.3.26. Remote Switch Port Analyzer (RSPAN) ..................................................... 22
2.3.27. sFlow ....................................................................................................... 22
2.3.28. Static and Dynamic MAC Address Tables .................................................. 22
2.3.29. Link Layer Discovery Protocol (LLDP) ........................................................ 22
2.3.30. Link Layer Discovery Protocol (LLDP) for Media Endpoint Devices ............... 23
2.3.31. DHCP Layer 2 Relay ................................................................................ 23
2.3.32. MAC Multicast Support ............................................................................. 23
2.3.33. IGMP Snooping ........................................................................................ 23
2.3.34. Source Specific Multicasting (SSM) ........................................................... 23
2.3.35. Control Packet Flooding ............................................................................ 23
2.3.36. Flooding to mRouter Ports ........................................................................ 23
2.3.37. IGMP Snooping Querier ............................................................................ 24
2.3.38. Multicast VLAN Registration ...................................................................... 24
2.3.39. Management and Control Plane ACLs ....................................................... 24
2.3.40. Link Dependency ...................................................................................... 24
2.3.41. IPv6 Router Advertisement Guard ............................................................. 24
2.3.42. FIP Snooping ........................................................................................... 25
2.3.43. ECN Support ............................................................................................ 25
2.4. Data Center Features ............................................................................................ 26
2.4.1. Priority-based Flow Control ......................................................................... 26
2.4.2. Data Center Bridging Exchange Protocol ..................................................... 26
2.4.3. Quantized Congestion Notification ............................................................... 26
2.4.4. CoS Queuing and Enhanced Transmission Selection .................................... 26
2.4.5. OpenFlow ................................................................................................... 27
2.4.6. DCVPN Gateway ........................................................................................ 27
2.4.7. MPLS ......................................................................................................... 27
2.4.8. Dynamic Topology Map and Prescriptive Topology Mapping ......................... 28
2.5. Routing Features ................................................................................................... 29
2.5.1. IP Unnumbered .......................................................................................... 29
2.5.2. Open Shortest Path First (OSPF) ................................................................ 29
2.5.3. Border Gateway Protocol (BGP) .................................................................. 29
2.5.4. VLAN Routing ............................................................................................ 30
2.5.5. IP Configuration .......................................................................................... 30
2.5.6. ARP Table Management ............................................................................. 30
2.5.7. BOOTP/DHCP Relay Agent ........................................................................ 30
2.5.8. IP Helper and UDP Relay ........................................................................... 30
2.5.9. Router Discovery ........................................................................................ 31
2.5.10. Routing Table ........................................................................................... 31
2.5.11. Virtual Router Redundancy Protocol (VRRP) .............................................. 31
2.5.12. Bidirectional Forwarding Detection ............................................................. 31
2.5.13. VRF Lite ................................................................................................... 31
2.5.14. RFC 5549 ................................................................................................ 31
2.5.15. Algorithmic Longest Prefix Match (ALPM) ................................................... 32
2.6. Layer 3 Multicast Features ..................................................................................... 33
2.6.1. Distance Vector Multicast Routing Protocol .................................................. 33
2.6.2. Internet Group Management Protocol .......................................................... 33
2.6.3. IGMP Proxy ................................................................................................ 33
2.6.4. Protocol Independent Multicast .................................................................... 33
2.6.4.1. Dense Mode (PIM-DM) .................................................................... 33
2.6.4.2. Sparse Mode (PIM-SM) .................................................................... 33
2.6.4.3. Source Specific Multicast (PIM-SSM) ................................................ 33
2.6.4.4. PIM IPv6 Support ............................................................................ 34
2.6.5. MLD/MLDv2 (RFC2710/RFC3810) ............................................................... 34
2.7. Quality of Service Features .................................................................................... 35
2.7.1. Access Control Lists (ACL) ......................................................................... 35
2.7.2. ACL Remarks ............................................................................................. 35
2.7.3. ACL Rule Priority ........................................................................................ 35
2.7.4. ACL Counters ............................................................................................. 35
2.7.5. Differentiated Services (DiffServ) ................................................................. 36
2.7.6. Class of Service (CoS) ............................................................................... 36
3. Getting Started with Switch Configuration .......................................................................... 37
3.1. Accessing the Switch Command-Line Interface ....................................................... 38
3.1.1. Connecting to the Switch Console ............................................................... 38
3.2. Accessing the Switch CLI Through the Network ...................................................... 40
3.2.1. Using the Service Port or Network Interface for Remote Management ............ 40
3.2.2. Configuring Service Port Information ............................................................ 40
3.2.3. Configuring the In-Band Network Interface ................................................... 41
3.3. DHCP Option 61 ................................................................................................... 42
3.3.1. Configuring DHCP Option 61 ...................................................................... 42
3.4. Booting the Switch ................................................................................................ 43
3.4.1. Utility Menu Functions ................................................................................. 43
3.4.1.1. 1 – Start ICOS Application ............................................................... 44
3.4.1.2. 2 – Load Code Update Package ....................................................... 44
3.4.1.3. 3 – Load Configuration ..................................................................... 46
3.4.1.4. 4 – Select Serial Speed ................................................................... 46
3.4.1.5. 5 – Retrieve Error Log ..................................................................... 47
3.4.1.6. 6 – Erase Current Configuration ....................................................... 47
3.4.1.7. 7 – Erase Permanent Storage .......................................................... 47
3.4.1.8. 8 – Select Boot Method ................................................................... 48
3.4.1.9. 9 – Activate Backup Image ............................................................... 48
3.4.1.10. 10 – Start Diagnostic Application .................................................... 48
3.4.1.11. 11 – Reboot .................................................................................. 48
3.4.1.12. 12 – Erase All Configuration Files ................................................... 49
3.5. Understanding the User Interfaces ......................................................................... 50
3.5.1. Using the Command-Line Interface .............................................................. 50
3.5.2. Using SNMP .............................................................................................. 51
3.5.3. SNMPv3 ..................................................................................................... 51
3.5.4. Management via Net-SNMP ........................................................................ 51
3.5.5. Using RESTful APIs ................................................................................... 51
3.5.6. Using the RESTCONF Interface .................................................................. 52
4. Configuring Switch Management Features ......................................................................... 53
4.1. Managing Images and Files ................................................................................... 54
4.1.1. Supported File Management Methods .......................................................... 55
4.1.2. Uploading and Downloading Files ................................................................ 55
4.1.3. Managing Switch Software (Images) ............................................................ 55
4.1.4. Managing Configuration Files ...................................................................... 56
4.1.5. Editing and Downloading Configuration Files ................................................ 56
4.1.6. Creating and Applying Configuration Scripts ................................................. 56
4.1.7. Uncompressing Configuration Scripts ........................................................... 57
4.1.8. Non-Disruptive Configuration Management ................................................... 57
4.1.9. Saving the Running Configuration ............................................................... 58
4.1.10. File and Image Management Configuration Examples ................................. 58
4.1.10.1. Upgrading the Firmware ................................................................. 58
4.1.11. Managing Configuration Scripts ................................................................. 60
4.2. Enabling Automatic Image Installation and System Configuration ............................. 63
4.2.1. DHCP Auto Install Process ......................................................................... 63
4.2.1.1. Obtaining IP Address Information ...................................................... 63
4.2.1.2. Obtaining Other Dynamic Information ................................................ 63
4.2.1.3. Obtaining the Image ......................................................................... 64
4.2.1.4. Obtaining the Configuration File ........................................................ 64
4.2.2. Monitoring and Completing the DHCP Auto Install Process ........................... 66
4.2.2.1. Saving a Configuration ..................................................................... 66
4.2.2.2. Stopping and Restarting the Auto Install Process ............................... 66
4.2.2.3. Managing Downloaded Config Files .................................................. 66
4.2.3. DHCP Auto Install Dependencies ................................................................ 66
4.2.3.1. Default Auto Install Values ............................................................... 67
4.2.4. Enabling DHCP Auto Install and Auto Image Download ................................ 67
4.3. Downloading a Core Dump .................................................................................... 69
4.3.1. Using NFS to Download a Core Dump ........................................................ 69
4.3.2. Using TFTP or FTP to Download a Core Dump ............................................ 69
4.4. Enabling Kernel Core Dump .................................................................................. 71
4.5. Setting the System Time ....................................................................................... 72
4.5.1. Manual Time Configuration ......................................................................... 72
4.5.2. Configuring SNTP ....................................................................................... 73
4.6. Creating CPU Traffic Filters ................................................................................... 74
4.6.1. Configuration Example ................................................................................ 74
4.7. Configuring a Packet Trace (Network Instrumentation App) ...................................... 75
5. Configuring Security Features ........................................................................................... 77
5.1. Controlling Management Access ............................................................................ 78
5.1.1. Using RADIUS Servers for Management Security ......................................... 78
5.1.2. RADIUS Dynamic Authorization ................................................................... 79
5.1.3. Using TACACS+ to Control Management Access ......................................... 80
5.1.4. Configuring and Applying Authentication Profiles .......................................... 81
5.1.5. Configuring Authentication Profiles for Port-Based Authentication .................. 82
5.1.6. Configuring the Primary and Secondary RADIUS Servers ............................. 83
5.1.7. Configuring an Authentication Profile ........................................................... 83
5.2. Configuring DHCP Snooping, DAI, and IPSG .......................................................... 85
5.2.1. DHCP Snooping Overview .......................................................................... 85
5.2.2. Populating the DHCP Snooping Bindings Database ...................................... 86
5.2.3. DHCP Snooping and VLANs ....................................................................... 86
5.2.4. DHCP Snooping Logging and Rate Limits .................................................... 87
5.2.5. IP Source Guard Overview ......................................................................... 87
5.2.6. IPSG and Port Security ............................................................................... 87
5.2.7. Dynamic ARP Inspection Overview .............................................................. 88
5.2.8. Optional DAI Features ................................................................................ 88
5.2.9. Increasing Security with DHCP Snooping, DAI, and IPSG ............................. 88
5.2.10. Configuring DHCP Snooping ..................................................................... 89
5.2.11. Configuring IPSG ...................................................................................... 90
6. Configuring Switching Features ......................................................................................... 92
6.1. VLANs .................................................................................................................. 93
6.1.1. VLAN Tagging ............................................................................................ 94
6.1.2. Double-VLAN Tagging ................................................................................ 94
6.1.3. Default VLAN Behavior ............................................................................... 95
6.1.4. VLAN Configuration Example ...................................................................... 96
6.1.4.1. Configure the VLANs and Ports on Switch 1 ...................................... 98
6.1.4.2. Configure the VLANs and Ports on Switch 2 ...................................... 99
6.2. Switchport Modes ................................................................................................ 101
6.3. LAGs—Operation and Configuration ..................................................................... 103
6.3.1. Static and Dynamic Link Aggregation ......................................................... 103
6.3.2. LAG Hashing ............................................................................................ 103
6.3.2.1. Resilient Hashing ........................................................................... 104
6.3.2.2. Hash Prediction with ECMP and LAG .............................................. 104
6.3.3. LAG Interface Naming Convention ............................................................. 105
6.3.4. LAG Interaction with Other Features .......................................................... 105
6.3.4.1. VLAN ............................................................................................. 105
6.3.4.2. STP ............................................................................................... 105
6.3.4.3. Statistics ........................................................................................ 106
6.3.5. LAG Configuration Guidelines .................................................................... 106
6.3.6. Link Aggregation Configuration Examples .................................................. 106
6.3.6.1. Configuring Dynamic LAGs ............................................................. 106
6.3.6.2. Configuring Static LAGs ................................................................. 107
6.4. Virtual Port Channel—Operation and Configuration ................................................. 109
6.4.1. Overview .................................................................................................. 109
6.4.2. Deployment Scenarios .............................................................................. 109
6.4.3. Definitions ................................................................................................ 110
6.4.4. Configuration Consistency ......................................................................... 111
6.4.5. VPC Fast Failover .................................................................................... 113
6.4.6. VPC Configuration .................................................................................... 114
6.5. Unidirectional Link Detection (UDLD) .................................................................... 119
6.5.1. UDLD Modes ............................................................................................ 119
6.5.2. UDLD and LAG Interfaces ......................................................................... 119
6.5.3. Configuring UDLD ..................................................................................... 119
6.6. Port Mirroring ...................................................................................................... 122
6.6.1. Configuring Port Mirroring ......................................................................... 122
6.6.2. Configuring RSPAN .................................................................................. 123
6.6.2.1. Configuration on the Source Switch (SW1) ...................................... 123
6.6.2.2. Configuration on the Intermediate Switch (SW2) .............................. 124
6.6.2.3. Configuration on the Destination Switch (SW3) ................................ 124
6.6.3. VLAN-Based Mirroring .............................................................................. 125
6.6.4. Flow-Based Mirroring ................................................................................ 125
6.7. Spanning Tree Protocol ....................................................................................... 127
6.7.1. Classic STP, Multiple STP, and Rapid STP ................................................ 127
6.7.2. STP Operation .......................................................................................... 127
6.7.2.1. MSTP in the Network ..................................................................... 127
6.7.3. Optional STP Features .............................................................................. 130
6.7.3.1. BPDU Flooding .............................................................................. 130
6.7.3.2. Edge Port ...................................................................................... 130
6.7.3.3. BPDU Filtering ............................................................................... 131
6.7.3.4. Root Guard .................................................................................... 131
6.7.3.5. Loop Guard ................................................................................... 131
6.7.3.6. BPDU Protection ............................................................................ 131
6.7.4. PVRSTP ................................................................................................... 132
6.7.4.1. DirectLink Rapid Convergence ........................................................ 133
6.7.4.2. IndirectLink Rapid Convergence Feature ......................................... 133
6.7.4.3. Reacting to Indirect Link Failures .................................................... 134
6.7.4.4. Interoperability Between PVSTP and PVRSTP Modes ...................... 135
6.7.4.5. Interoperability With IEEE Spanning Tree Protocols ......................... 135
6.7.4.6. Common Spanning Tree ................................................................. 135
6.7.4.7. SSTP BPDUs Flooding Across MST (CST) Regions ......................... 136
6.7.4.8. Interoperability with RSTP .............................................................. 136
6.7.4.9. Interoperability with MSTP .............................................................. 138
6.7.4.10. Native VLAN Inconsistent State .................................................... 139
6.7.5. STP Configuration Examples ..................................................................... 139
6.7.5.1. Configuring STP ............................................................................. 140
6.7.5.2. Configuring MSTP .......................................................................... 141
6.7.5.3. Configuring PVRSTP ...................................................................... 142
6.8. IGMP Snooping ................................................................................................... 146
6.8.1. IGMP Snooping Querier ............................................................................ 146
6.8.2. Configuring IGMP Snooping ...................................................................... 146
6.8.3. IGMPv3/SSM Snooping ............................................................................. 149
6.9. Multicast VLAN Registration Configuration ............................................................ 150
6.9.1. Overview .................................................................................................. 150
6.9.2. MVR Configuration Example ...................................................................... 152
6.10. LLDP and LLDP-MED ........................................................................................ 154
6.10.1. LLDP and Data Center Applications ......................................................... 154
6.10.1.1. Configuring LLDP ......................................................................... 154
6.11. sFlow ................................................................................................................ 157
6.11.1. sFlow Sampling ...................................................................................... 158
6.11.2. Packet Flow Sampling ............................................................................. 158
6.11.3. Sampling in Hardware ............................................................................. 158
6.11.4. Counter Sampling ................................................................................... 159
6.11.5. Configuring sFlow in Software ................................................................. 159
6.11.6. Configuring sFlow in Hardware ................................................................ 161
6.12. Link Dependency ............................................................................................... 163
6.13. RA Guard .......................................................................................................... 164
6.14. FIP Snooping .................................................................................................... 165
6.15. ECN .................................................................................................................. 168
6.15.1. Enabling ECN in Microsoft Windows ........................................................ 169
6.15.2. Example 1: SLA Example ........................................................................ 169
6.15.3. Example 2: Data Center TCP (DCTCP) Configuration ............................... 171
7. Configuring Data Center Features ................................................................................... 173
7.1. Data Center Technology Overview ....................................................................... 174
7.2. Priority-Based Flow Control .................................................................................. 176
7.2.1. PFC Operation and Behavior ..................................................................... 176
7.2.2. Configuring PFC ....................................................................................... 177
7.3. Data Center Bridging Exchange Protocol .............................................................. 178
7.3.1. Interoperability with IEEE DCBX ................................................................ 178
7.3.2. DCBX and Port Roles ............................................................................... 179
7.3.3. Configuration Source Port Selection Process .............................................. 180
7.3.4. Configuring DCBX .................................................................................... 181
7.4. CoS Queuing ...................................................................................................... 183
7.4.1. CoS Queuing Function and Behavior ......................................................... 183
7.4.1.1. Trusted Port Queue Mappings ........................................................ 183
7.4.1.2. Un-trusted Port Default Priority ....................................................... 184
7.4.1.3. Queue Configuration ...................................................................... 184
7.4.1.4. Traffic Class Groups ...................................................................... 184
7.4.2. Configuring CoS Queuing and ETS ........................................................... 185
7.5. Enhanced Transmission Selection ........................................................................ 188
7.5.1. ETS Operation and Dependencies ............................................................. 188
7.6. Quantized Congestion Notification (QCN) ............................................................. 189
7.7. OpenFlow Operation and Configuration ................................................................ 190
7.7.1. Enabling and Disabling OpenFlow ............................................................. 190
7.7.2. Interacting with the OpenFlow Manager ..................................................... 191
7.7.3. Deploying OpenFlow ................................................................................. 191
7.7.4. OpenFlow Scenarios ................................................................................. 191
7.7.5. OpenFlow Variants ................................................................................... 191
7.7.5.1. OpenFlow 1.0/1.3 ........................................................................... 191
7.7.5.2. Data Center Tenant Networking ...................................................... 192
7.7.6. OpenFlow Interaction with Other Functions ................................................ 192
7.7.7. Configuring OpenFlow ............................................................................... 192
7.8. DCVPN Gateway Operation and Configuration ...................................................... 197
7.8.1. Overview .................................................................................................. 197
7.8.2. VXLAN ..................................................................................................... 197
7.8.3. NVGRE .................................................................................................... 197
7.8.4. Functional Description ............................................................................... 198
7.8.4.1. Switch Overlay Mode ..................................................................... 198
7.8.4.2. VTEP to VN Association ................................................................. 198
7.8.4.3. Configuration of Remote VTEPs ..................................................... 198
7.8.4.4. VTEP Next-Hop Resolution ............................................................ 199
7.8.4.5. VXLAN UDP Destination Port ......................................................... 200
7.8.4.6. Tunnels ......................................................................................... 200
7.8.4.7. MAC Learning and Aging ............................................................... 201
7.8.4.8. Host Configuration ......................................................................... 201
7.8.4.9. ECMP ............................................................................................ 202
7.8.4.10. MTU ............................................................................................ 202
7.8.4.11. TTL and DSCP/TOS ..................................................................... 203
7.8.4.12. Packet Forwarding ....................................................................... 203
7.8.5. Usage Scenarios ...................................................................................... 203
7.8.5.1. VXLAN Gateway With Single Tunnel ............................................... 203
7.8.5.2. VXLAN Gateway With Multiple Tunnels ........................................... 205
7.9. MPLS Operation and Configuration ...................................................................... 208
7.9.1. Overview .................................................................................................. 208
7.9.2. ICOS MPLS Features ............................................................................... 208
7.9.2.1. Static Layer-2 MPLS Labels ........................................................... 209
7.9.2.2. Static Layer-2 MPLS Label Configuration Examples ......................... 209
7.9.2.3. Static Layer-3 MPLS Labels ........................................................... 210
7.9.2.4. MPLS Status and Statistics ............................................................ 211
7.9.2.5. MPLS Label Distribution with BGP .................................................. 212
7.9.2.6. “Per-Switch” Label BGP Distribution ................................................ 212
7.9.2.7. Per Interface Label BGP Distribution ............................................... 213
7.9.2.8. Bidirectional Forwarding Detection .................................................. 214
7.9.2.9. MPLS-Ping and MPLS-Traceroute .................................................. 214
7.9.3. ICOS MPLS Use Cases ............................................................................ 214
7.9.3.1. IPv6 Clos Network ......................................................................... 214
7.9.3.2. Switch Configuration ...................................................................... 215
7.9.3.3. Verifying Configuration ................................................................... 220
7.9.3.4. Traffic Forwarding Examples .......................................................... 222
7.9.3.5. IPv4 Network with IPv6 Subnets, VLANs, and LAGs ......................... 224
7.9.3.6. Traffic Forwarding Examples .......................................................... 231
7.9.4. MPLS Device Connectivity Diagnostics and Debugging ............................... 233
7.9.4.1. LFDB Lookup Failure Packet Trace ................................................. 233
7.9.4.2. MPLS and Port Counters ................................................................ 234
7.9.4.3. MPLS Packet Capture .................................................................... 235
7.9.4.4. Restrictions and Limitations ............................................................ 236
8. Configuring Routing ........................................................................................................ 238
8.1. Basic Routing and Features ................................................................................. 239
8.1.1. VLAN Routing ........................................................................................... 239
8.1.2. When To Configure VLAN Routing ............................................................ 240
8.1.3. IP Routing Configuration Example ............................................................. 240
8.1.3.1. Configuring Switch A ...................................................................... 241
8.1.3.2. Configuring Switch B ...................................................................... 242
8.1.4. IP Unnumbered Configuration Example ...................................................... 243
8.2. OSPF .................................................................................................................. 246
8.2.1. Configuring an OSPF Border Router and Setting Interface Costs ................. 246
8.3. VRRP ................................................................................................................. 249
8.3.1. VRRP Operation in the Network ................................................................ 249
8.3.2. VRRP Router Priority ................................................................................ 249
8.3.3. VRRP Preemption ..................................................................................... 249
8.3.4. VRRP Accept Mode .................................................................................. 250
8.3.4.1. VRRP Route and Interface Tracking ................................................ 250
8.3.5. VRRP Configuration Example .................................................................... 250
8.3.5.1. VRRP with Load Sharing ................................................................ 251
8.3.6. VRRP with Route and Interface Tracking ................................................... 253
8.4. IP Helper ............................................................................................................ 257
8.4.1. Relay Agent Configuration Example ........................................................... 259
8.5. Border Gateway Protocol (BGP) ........................................................................... 261
8.5.1. BGP Topology .......................................................................................... 261
8.5.1.1. External BGP Peering .................................................................... 262
8.5.1.2. Internal BGP Peering ..................................................................... 262
8.5.1.3. Advertising Network Layer Reachability Information .......................... 262
8.5.2. BGP Behavior ........................................................................................... 263
8.5.2.1. BGP Route Selection ..................................................................... 263
8.5.3. BGP Dynamic Neighbors .......................................................................... 264
8.5.4. BGP Extended Communities ..................................................................... 264
8.5.5. VPNv4/VRF Route Distribution via BGP ..................................................... 265
8.5.5.1. Overview ....................................................................................... 265
8.5.5.2. VPNv4 Address Family ................................................................... 265
8.5.5.3. Controlling Route Distribution .......................................................... 265
8.5.5.4. The Route Target Attribute (RT) ...................................................... 265
8.5.5.5. The Site of Origin Attribute (SoO) ................................................... 266
8.5.6. BGP Configuration Examples .................................................................... 266
8.5.6.1. Two Autonomous Systems in a Network .......................................... 266
8.5.6.2. BGP with VRF ............................................................................... 271
8.5.6.3. Route Leaking between VRFs ........................................................ 273
8.5.6.4. BGP Dynamic Neighbors ................................................................ 277
8.6. Bidirectional Forwarding Detection ........................................................................ 279
8.6.1. Overview .................................................................................................. 279
8.6.2. Configuring BFD ....................................................................................... 279
8.7. VRF Lite Operation and Configuration .................................................................. 281
8.7.1. Overview .................................................................................................. 281
8.7.2. VRF Functionality ..................................................................................... 281
8.7.3. Route Leaking .......................................................................................... 282
8.7.3.1. Adding Leaked Routes ................................................................... 282
8.7.3.2. Using Leaked Routes ..................................................................... 282
8.7.3.3. CPU-Originated Traffic ................................................................... 282
8.7.4. VRF and ICOS Feature Support ................................................................ 282
8.7.5. VRF Lite Deployment Scenarios ................................................................ 284
8.7.5.1. VRF Configuration Example ............................................................ 287
8.8. IPv6 Routing ....................................................................................................... 289
8.8.1. How Does IPv6 Compare with IPv4? ......................................................... 289
8.8.2. How Are IPv6 Interfaces Configured? ........................................................ 289
8.8.3. Default IPv6 Routing Values ...................................................................... 290
8.8.4. Configuring IPv6 Routing Features ............................................................ 291
8.8.4.1. Configuring Global IP Routing Settings ............................................ 291
8.8.4.2. Configuring IPv6 Interface Settings ................................................. 292
8.8.4.3. Configuring IPv6 Neighbor Discovery .............................................. 292
8.8.4.4. Configuring IPv6 Route Table Entries and Route Preferences ........... 294
8.8.5. IPv6 Show Commands .............................................................................. 295
8.9. ECMP Hash Selection ......................................................................................... 297
9. Configuring IPv4 and IPv6 Multicast ................................................................................ 298
9.1. L3 Multicast Overview .......................................................................................... 299
9.1.1. IP Multicast Traffic .................................................................................... 299
9.1.2. Multicast Protocol Switch Support .............................................................. 299
9.1.3. Multicast Protocol Roles ............................................................................ 300
9.1.4. L3 Multicast Switch Requirements ............................................................. 300
9.1.5. Determining Which Multicast Protocols to Enable ....................................... 300
9.1.6. Multicast Routing Tables ........................................................................... 300
9.1.7. Multicast Tunneling ................................................................................... 300
9.1.8. IGMP ....................................................................................................... 301
9.1.8.1. IGMP Proxy ................................................................................... 301
9.1.9. MLD Protocol ........................................................................................... 301
9.1.10. PIM Protocol ........................................................................................... 302
9.1.10.1. Using PIM-SM as the Multicast Routing Protocol ............................ 302
9.1.10.2. Using PIM-DM as the Multicast Routing Protocol ............................ 302
9.1.11. DVMRP .................................................................................................. 303
9.1.11.1. Understanding DVMRP Multicast Packet Routing ........................... 303
9.1.11.2. Using DVMRP as the Multicast Routing Protocol ............................ 304
9.2. Default L3 Multicast Values .................................................................................. 305
9.3. L3 Multicast Configuration Examples .................................................................... 307
9.3.1. Configuring Multicast VLAN Routing With IGMP and PIM-SM ...................... 307
9.3.2. Configuring DVMRP .................................................................................. 310
10. Configuring Quality of Service ....................................................................................... 311
10.1. ACLs ................................................................................................................. 312
10.1.1. MAC ACLs ............................................................................................. 312
10.1.2. IP ACLs .................................................................................................. 312
10.1.2.1. ACL Redirect Function ................................................................. 313
10.1.2.2. ACL Mirror Function ..................................................................... 313
10.1.2.3. ACL Logging ................................................................................ 314
10.1.2.4. Time-Based ACLs ........................................................................ 314
10.1.2.5. ACL Rule Remarks ...................................................................... 314
10.1.2.6. ACL Rule Priority ......................................................................... 315
10.1.2.7. ACL Limitations ............................................................................ 315
10.1.2.8. ACL Configuration Process ........................................................... 315
10.1.2.9. Preventing False ACL Matches ..................................................... 315
10.1.2.10. IPv6 ACL Qualifiers .................................................................... 316
10.1.3. ACL Configuration Examples ................................................................... 317
10.1.3.1. Configuring an IP ACL .................................................................. 317
10.1.3.2. Configuring a MAC ACL ............................................................... 318
10.1.3.3. Configuring a Time-Based ACL ..................................................... 319
10.2. CoS .................................................................................................................. 321
10.2.1. Trusted and Untrusted Port Modes .......................................................... 321
10.2.2. Traffic Shaping on Egress Traffic ............................................................. 321
10.2.3. Defining Traffic Queues ........................................................................... 321
10.2.3.1. Supported Queue Management Methods ....................................... 322
10.2.4. CoS Configuration Example ..................................................................... 322
10.3. DiffServ ............................................................................................................. 325
10.3.1. DiffServ Functionality and Switch Roles ................................................... 325
10.3.2. Elements of DiffServ Configuration ........................................................... 325
10.3.3. Configuring DiffServ to Provide Subnets Equal Access to External Network .............. 326
List of Figures
4.1. File location .................................................................................................................. 59
4.2. Text editor .................................................................................................................... 61
5.1. RADIUS Topology ......................................................................................................... 79
5.2. DHCP Binding ............................................................................................................... 86
5.3. DHCP Snooping Configuration Topology ........................................................................ 89
6.1. Simple VLAN Topology .................................................................................................. 94
6.2. Double VLAN Tagging Network Example ........................................................................ 95
6.3. Network Topology for VLAN Configuration ...................................................................... 97
6.4. LAG Configuration ....................................................................................................... 103
6.5. STP Blocking .............................................................................................................. 109
6.6. VPC in a Layer-2 Network ........................................................................................... 110
6.7. VPC Components ........................................................................................................ 110
6.8. VOIP Phones in a VPC Topology ................................................................................. 114
6.9. VPC Configuration Diagram ......................................................................................... 115
6.10. UDLD Configuration Example ..................................................................................... 120
6.11. RSPAN Configuration Example .................................................................................. 123
6.12. STP in a Small Bridged Network ................................................................................ 128
6.13. Single STP Topology ................................................................................................. 128
6.14. Logical MSTP Environment ........................................................................................ 129
6.15. IRC Flow ................................................................................................................... 134
6.16. PVRSTP and IEEE Spanning Tree Interoperability ...................................................... 135
6.17. PVRSTP and RSTP Interoperability ............................................................................ 137
6.18. MSTP and PVRSTP Interoperability ............................................................................ 139
6.19. STP Example Network Diagram ................................................................................. 140
6.20. MSTP Configuration Example ..................................................................................... 141
6.21. Switch with IGMP Snooping ....................................................................................... 147
6.22. MVR-Enabled Network ............................................................................................... 151
6.23. sFlow Architecture ..................................................................................................... 157
7.1. DCBX Configuration .................................................................................................... 181
7.2. OpenFlow Network Example ........................................................................................ 192
7.3. VXLAN Gateway—One Tunnel Between a Pair of VTEPs .............................................. 203
7.4. VXLAN Gateway—Multiple Tunnels .............................................................................. 206
7.5. IPv6 Clos Network Example ......................................................................................... 214
7.6. MPLS Labels in IPv4/IPv6 Network with LAGs and VLAN Routing .................................. 224
8.1. Inter-VLAN Routing ...................................................................................................... 240
8.2. IP Routing Example Topology ...................................................................................... 241
8.3. IP Unnumbered Configuration Example ........................................................................ 243
8.4. OSPF Area Border Router ........................................................................................... 247
8.5. VRRP with Load Sharing Network Diagram .................................................................. 251
8.6. VRRP with Tracking Network Diagram ......................................................................... 254
8.7. L3 Relay Network Diagram .......................................................................................... 259
8.8. Example BGP Network ................................................................................................ 262
8.9. BGP Configuration Example ......................................................................................... 267
8.10. BGP with Virtual Routers ........................................................................................... 271
8.11. Route Leaking From Global Routing Table Into a VRF ................................................. 273
8.12. Routing Leaking Between Different VRFs of a Router .................................................. 276
8.13. VRF Scenarios .......................................................................................................... 285
8.14. VRF Routing With Shared Services ............................................................................ 286
9.1. Multicast VLAN Routing with IGMP and PIM-SM Example ............................................. 308
10.1. IP ACL Example Network Diagram ............................................................................. 317
10.2. CoS Mapping and Queue Configuration ...................................................................... 323
10.3. DiffServ Internet Access Example Network Diagram .................................................... 326
List of Tables
4.1. Files to Manage ............................................................................................................ 54
4.2. Configuration File Possibilities ........................................................................................ 65
4.3. TFTP Request Types .................................................................................................... 65
4.4. Auto Install Defaults ...................................................................................................... 67
5.1. Authentication Method Summary .................................................................................... 81
6.1. VLAN Default and Maximum Values ............................................................................... 96
6.2. Example VLANs ............................................................................................................ 96
6.3. Switch Port Connections ................................................................................................ 97
7.1. DCB Features ............................................................................................................. 174
7.2. 802.1p-to-TCG Mapping ............................................................................................... 187
7.3. TCG Bandwidth and Scheduling ................................................................................... 187
8.1. IPv6 Routing Defaults .................................................................................................. 290
8.2. IPv6 Interface Defaults ................................................................................................ 290
8.3. Global IP Routing Settings ........................................................................................... 291
8.4. IPv6 Interface settings ................................................................................................. 292
8.5. IPv6 Neighbor Discovery Settings ................................................................................ 293
8.6. IPv6 Static Routes ....................................................................................................... 294
8.7. IPv6 Configuration Status ............................................................................................ 295
9.1. L3 Multicast Defaults ................................................................................................... 305
10.1. Common EtherType Numbers .................................................................................... 316
10.2. Common IP Protocol Numbers ................................................................................... 316
Chapter 1. About This Document
About This Document
1.1. Purpose and Audience
This guide describes the ICOS software features and provides configuration examples for many of the features. ICOS software runs on a variety of platforms and is ideal for Layer 2/3 switching solutions in the data center.
The information in this guide is intended for any of the following individuals:
System administrators who are responsible for configuring and operating a network using ICOS
software
Software engineers who are integrating ICOS software into a router or switch product
Level 1 and/or Level 2 Support providers
To obtain the greatest benefit from this guide, you should have an understanding of the base soft-
ware and should have read the specification for your networking device platform. You should also
have basic knowledge of Ethernet and networking concepts.
1.2. Conventions
The following conventions may be used in this document:
• Parameters are order dependent.
• The text in bold italics should be replaced with a name or number. To use spaces as part of a name parameter, enclose it in double quotes like this: "System Name with Spaces".
• Parameters may be mandatory values, optional values, choices, or a combination.
• <parameter>. The <> angle brackets indicate that a mandatory parameter must be entered in place of the brackets and text inside them.
• [parameter]. The [] square brackets indicate that an optional parameter may be entered in place of the brackets and text inside them.
• choice1 | choice2. The | indicates that only one of the parameters should be entered.
• [{choice1 | choice2}]. Braces within square brackets indicate optional parameter values: a choice within an optional element.
• The {} curly braces indicate that a parameter must be chosen from the list of choices.
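As an added illustration of this notation (example code, not part of the ICOS manual or the ICOS software), the following Python matcher parses a command template written with <>, [], {} and | and checks whether a typed command is a complete instance of it. The templates in the comments are constructed for illustration and are not ICOS commands; quoted names with spaces are honoured because the tokenizer is shlex.

```python
import re
import shlex

# Token classes of the manual's notation: <value>, the bracket and bar
# symbols, and plain keywords such as "show" or "0/1".
_TOKEN_RE = re.compile(r'<[^>]+>|[\[\]{}|]|[^\s\[\]{}|<>]+')


def parse_template(text):
    """Parse a template (e.g. 'show vlan [<vlan-id>] [{brief | detail}]',
    a constructed example) into nested items: ('lit', word),
    ('value', name), ('choice', [alt, ...]) for {a | b} and
    ('opt', [alt, ...]) for [...] or [{a | b}]."""
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def parse_seq(stop):
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] not in stop:
            items.append(parse_item())
        return items

    def parse_alts(close):
        # Alternatives separated by '|' up to the matching close bracket.
        nonlocal pos
        alts = [parse_seq({'|', close})]
        while pos < len(tokens) and tokens[pos] == '|':
            pos += 1
            alts.append(parse_seq({'|', close}))
        if pos >= len(tokens) or tokens[pos] != close:
            raise ValueError(f"unbalanced template, expected '{close}': {text}")
        pos += 1
        return alts

    def parse_item():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == '[':
            return ('opt', parse_alts(']'))
        if tok == '{':
            return ('choice', parse_alts('}'))
        if tok in (']', '}', '|'):
            raise ValueError(f"unexpected '{tok}' in template: {text}")
        if tok.startswith('<'):
            return ('value', tok[1:-1])
        return ('lit', tok)

    return parse_seq(set())


def _match_seq(items, words, i):
    """All indices in `words` at which `items` can end when matching starts
    at index i (a set, because optional elements branch)."""
    ends = {i}
    for item in items:
        ends = {j for e in ends for j in _match_item(item, words, e)}
        if not ends:
            break
    return ends


def _match_item(item, words, i):
    kind, payload = item
    if kind == 'lit':
        return {i + 1} if i < len(words) and words[i].lower() == payload.lower() else set()
    if kind == 'value':
        # Any single token satisfies <parameter>; a quoted "name with spaces"
        # arrives as one token from shlex.
        return {i + 1} if i < len(words) else set()
    if kind == 'choice':
        return {j for alt in payload for j in _match_seq(alt, words, i)}
    # 'opt': the element may be skipped or matched by one of its alternatives.
    return {i} | {j for alt in payload for j in _match_seq(alt, words, i)}


def matches(template, command):
    """True if `command` is a complete instance of `template`."""
    words = shlex.split(command)
    return len(words) in _match_seq(parse_template(template), words, 0)
```

Because the matcher returns every possible end position rather than the first one, an optional `<value>` followed by an optional keyword cannot be mis-parsed by greedy consumption of the keyword as the value.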
1.3. Terms and Acronyms
Term: Definition
Access port: A port where native (i.e. unencapsulated) packets are associated with a DCVPN. May be a physical port or a LAG.
ACL: Access Control List
Adj-RIB-In: The collection of routing information received from peers
AS: Autonomous System
BFD: Bidirectional Forwarding Detection
BGP: Border Gateway Protocol
BPDU: Bridge Protocol Data Unit
CBS: Committed Burst Size
CIR: Committed Information Rate
CLI: Command Line Interface
CN: Congestion Notification, IEEE 802.1Qau
CoA: Change of Authorization
CoS: Class of Service
CS: Class Selector (as in PHB)
DAC: Dynamic Authorization Client
DAS: Dynamic Authorization Server
DCB: Data Center Bridging
DCPDP: Dual Control Plane Detection Protocol
DCVPN: Data center virtual private network. This term can refer to the overall data center L2 over L3 tunneling feature, realized through VXLAN or NVGRE. This term may also be used to refer to the DC L2 over L3 tunnel application in ICOS.
DCVPN Gateway: A VXLAN or NVGRE gateway
Default Router: The legacy router. When the Virtual Routing feature is disabled, only the Default Router is operational. When the Virtual Routing feature is enabled, the Default Router supports all routing protocols and features, while the Virtual Routers support only a subset of features. Also, the default router is configured via CLI without specifying the “vrf” keyword.
802.3ad: IEEE Std for Link Aggregation
DSCP: Differentiated Services Code Point
eBGP: Exterior Border Gateway Protocol
ECMP: Equal-Cost Multipath
ECN: Explicit Congestion Notification
ENode: FCoE End Node
ETS: Enhanced Transmission Selection, IEEE 802.1Qaz
FC: Fibre Channel
FCF: FCoE Forwarder
FCoE: Fibre Channel Over Ethernet
FDB: Forwarding Database
FIP: Fibre Channel Initialization Protocol
iBGP: Interior Border Gateway Protocol
IETF: Internet Engineering Task Force
IGMP: Internet Group Management Protocol
IP: Internet Protocol
IP Interface: An interface configured as an IP interface rather than a layer 2 switching interface. An IP interface must be assigned one or more IP addresses.
LACP: Link Aggregation Control Protocol
LAG: Link aggregation
LFDB: Label Forwarding Database
LSP: Label Switched Path
MAC: Media Access Control
MFDB: Multicast Forwarding Database
MIB: Management Information Base
VPC partner switch: DUT that is VPC unaware and forms one end of the LAG (with VPC aware switches on the other end)
VPC peer switches: DUTs that are VPC aware and pair to form one end of the LAG
VPC peer-link: Peer-Link between two MLAG peer switches
MAB: MAC Authentication Bypass. This feature provides 802.1x-unaware clients (such as printers and fax machines) controlled access to the network using the devices' MAC address as an identifier.
MPLS: Multi-Protocol Label Switching
MVR: Multicast VLAN Registration
NAS: Network Access Server
Network port (in DCVPN): A port where DCVPN tunnels originate or terminate.
Non-redundant ports: Ports on the VPC aware switch that do not participate in VPC.
NSF: Non-stop forwarding
NVE: Network Virtualization Edge. NVGRE term for a device or software module that bridges between the overlay and underlay networks. Synonym for VTEP.
NVGRE: Network Virtualization using Generic Routing Encapsulation
PBS: Peak Burst Size
PDU: Protocol data unit
PFC: Priority-based Flow Control, IEEE 802.1Qbb
PIR: Peak Information Rate
QoS: Quality of Service
RADIUS: Remote Authentication Dial In User Services
RED: Random Early Discard
RFC: Request For Comments
Route Leaking: The ability to inject routes belonging to one VR instance into another.
RTO: Routing Table Object. The common routing table, or “RIB”, which collects routes from all sources (local, static, dynamic) and determines the most preferred route to each destination.
SDM: Switch Database Management
SNMP: Simple Network Management Protocol
STP: Spanning Tree Protocol
TCP: Transmission Control Protocol
Tenant: An organization for which one or more virtual networks have been provisioned.
Tenant System: A physical or virtual resource, such as a compute or storage device, that is assigned to a specific tenant.
TRILL: Transparent Interconnect of Lots of Links
UDP: User Datagram Protocol
UI: User Interface
Underlay network: IP network that carries tunnel encapsulated traffic from one VTEP/NVE to another.
VLAN: Virtual Local Area Network
VM: Virtual Machine. A virtualized end host.
VN: Virtual Network. The set of tunnels, VTEPs, and tenant systems forming a closed user group. For VXLAN, all traffic in a VN carries the same VNID. This document uses VN interchangeably with DCVPN.
VNID: Virtual network identifier. A 24-bit value that uniquely identifies a VXLAN segment.
VoIP: Voice over Internet Protocol
VPC: Virtual Port Channel
VR: Virtual Router
VR-aware: Whether the feature is aware of and works independently in each Virtual Router
VR instance: An instance of the virtual router
VRF: Virtual Routing and Forwarding (unless otherwise specified, VRF refers to the VRF Lite solution in ICOS).
VRF Lite: VRF without MPLS
VRID: Virtual Router Identifier
VRRP: Virtual Router Redundancy Protocol
VSID: Virtual Subnet Identifier. A 24-bit value used as a Virtual network identifier in NVGRE.
VTEP: Virtual Tunnel End Point. A device or module that does VXLAN tunnel initiation and termination. Synonym for NVE.
VXLAN: Virtual Extensible Local Area Network
WRED: Weighted Random Early Discard
ZTP: Zero-Touch Provisioning. This feature enables automatic installation of the Chef Client/Puppet Agent to support Auto Install functionality upon switch bootup.
Chapter 2. ICOS modules
This section provides a brief overview of the supported ICOS features. The features are categorized as follows:
• Section 2.1, “Management Features”
• Section 2.2, “Security Features”
• Section 2.3, “Switching Features”
• Section 2.4, “Data Center Features”
• Section 2.5, “Routing Features”
• Section 2.6, “Layer 3 Multicast Features”
• Section 2.7, “Quality of Service Features”
Not all modules are available for all platforms or software releases.
ICOS modules
2.1. Management Features
This section describes the management features ICOS software supports. For additional information and configuration examples for some of these features, see Chapter 4, Configuring Switch Management Features.
2.1.1. Management Options
You can use the following methods to manage the switch:
• Use a telnet client, SSH client, or a direct console connection to access the CLI. The CLI syntax and semantics conform as much as possible to common industry practice.
• Use a network management system (NMS) to manage and monitor the system through SNMP. The switch supports SNMP v1/v2c/v3 over the UDP/IP transport protocol.
2.1.2. Management of Basic Network Information
The DHCP client on the switch allows the switch to acquire information such as the IP address and default gateway from a network DHCP server. You can also disable the DHCP client and configure static network information. Other configurable network information includes a Domain Name Server (DNS), host name to IP address mapping, and a default domain name.
The switch also includes a DHCPv6 client for acquiring IPv6 addresses, prefixes, and other IPv6 network configuration information.
2.1.3. Dual Software Images
The switch can store up to two software images. The dual image feature allows you to upgrade the
switch without deleting the older software image. You designate one image as the active image
and the other image as the backup image.
2.1.4. File Management
You can upload and download files such as configuration files and system images by using FTP,
TFTP, Secure FTP (SFTP), or Secure Copy (SCP). Configuration file uploads from the switch to a
server are a good way to back up the switch configuration. You can also download a configuration
file from a server to the switch to restore the switch to the configuration in the downloaded file.
2.1.5. FTP File Update
This feature adds support for file transfers using the FTP protocol. FTP transfers are supported over both IPv4 and IPv6. Upon failure of an FTP transfer operation, a LOG message is sent to the logging component, the initiating application is notified of the failure, and any partial or temporary files for the transfer are removed from persistent memory.
2.1.6. Malicious Code Detection
This feature provides a mechanism to verify the integrity of the image and to detect whether the software binary has been corrupted or tampered with while the end user downloads the software image to the switch.
This release addresses this problem by using digital signatures to verify the integrity of the binary image. It also provides the flexibility to download a digitally signed configuration script and verify the digital signature to ensure the integrity of the downloaded configuration file.
2.1.7. Automatic Installation of Firmware and Configuration
The Auto Install feature allows the switch to upgrade to a newer software image and update the configuration file automatically during device initialization with limited administrative configuration on the device. The switch can obtain the necessary information from a DHCP server on the network.
2.1.8. Warm Reboot
The Warm Reboot feature reduces the time it takes to reboot the switch, thereby reducing the traffic disruption in the network during a switch reboot. For a typical switch, the traffic disruption is reduced from about two minutes for a cold reboot to about 20 seconds for a warm reboot.
2.1.9. SNMP Alarms and Trap Logs
The system logs events with severity codes and timestamps. The events are sent as SNMP traps
to a trap recipient list.
2.1.10. CDP Interoperability Through ISDP
Industry Standard Discovery Protocol (ISDP) allows the switch to interoperate with Cisco devices running the Cisco Discovery Protocol (CDP). ISDP is a proprietary Layer 2 network protocol which interoperates with Cisco network equipment and is used to share information between neighboring devices (routers, bridges, access servers, and switches).
2.1.11. Remote Monitoring (RMON)
RMON is a standard Management Information Base (MIB) that defines current and historical MAC-layer statistics and control objects, allowing real-time information to be captured across the entire network. The data collected is defined in the RMON MIB, RFC 2819 (32-bit counters), RFC 3273 (64-bit counters), and RFC 3434 (High Capacity Alarm Table).
2.1.12. Statistics Application
The statistics application collects the statistics at a configurable time interval. The user can specify the port number(s) or a range of ports for which statistics are to be displayed. The configured time interval applies to all ports. Detailed statistics are collected within the specified time range, given in date and time format. The time range can be defined as having an absolute time entry and/or a periodic time. For example, a user can specify the statistics to be collected and displayed between 9:00 12 NOV 2011 (START) and 21:00 12 NOV 2011 (END), or schedule it on every MON, WED and FRI from 9:00 (START) to 21:00 (END).
The user receives these statistics in a number of ways, as listed below:
• The user requests a set of counters through the CLI.
• The user can configure the device to display statistics using a syslog or email alert. The syslog or email alert messages are sent by the statistics application at END time.
• The statistics are presented on the console at END time.
2.1.13. Log Messages
The switch maintains in-memory log messages as well as persistent logs. You can also configure remote logging so that the switch sends log messages to a remote log server. You can also configure the switch to send log messages to a configured SMTP server. This allows you to receive the log message in an e-mail account of your choice. Switch auditing messages, CLI command logging, and SNMP logging can be enabled or disabled.
2.1.14. System Time Management
You can configure the switch to obtain the system time and date through a remote Simple Network
Time Protocol (SNTP) server, or you can set the time and date locally on the switch. You can also
configure the time zone and information about time shifts that might occur during summer months.
The manually-configured local clock settings are not retained across a system reset if
the platform does not include a Real Time Clock (RTC).
2.1.15. Source IP Address Configuration
Syslog, TACACS, SNTP, sFlow, SNMP Trap, RADIUS, and DNS Clients allow the IP Stack to select the source IP address while generating the packet. This feature provides an option for the user to select an interface for the source IP address while the management protocol transmits packets to management stations. The source address is specified for each protocol.
2.1.16. Multiple Linux Routing Tables
On Linux systems, local and default IPv4 routes for the service port and network port are installed
in routing tables dedicated to each management interface. Locally-originated IPv4 packets use
these routing tables when the source IP address of the packet matches an address on one of
these interfaces. This feature allows the Linux IP stack to use default routes for different interfaces
simultaneously.
2.1.17. Core Dump
The core dump feature provides the ability to retrieve the state from a crashed box so that it can then be loaded into a debugger and that state re-created there.
2.1.18. Core Dump File Handling
A core dump file can be transferred to a debugger using several methods, depending on the supported switch interfaces and capabilities:
• Via a USB connection (if supported)
• Stored locally on flash (if it is of sufficient size) and accessed from a remote system via NFS.
• Transferred via FTP to a remote FTP server.
Because the size of the core dump file can be several hundred megabytes, the file is compressed using the bzip2 compression technique available in BusyBox. Compression is enabled by default and can be enabled/disabled using the CLI.
2.1.19. Kernel Core Dump
The kernel core dump feature enables the system to perform a warm reboot into a new kernel in
reserved memory, allowing the current state of the operating kernel to be captured for analysis.
This feature is available only on Ubuntu Linux distributions of the ICOS software.
2.1.20. Chef API Integration
ICOS provides a Chef agent that allows a Chef server to configure the switch. This configuration is done via Chef Recipes. The recipes are written in Ruby and interface to the ICOS OpEN API in order to enact configuration changes.
The following items are supported:
• The standard Chef Client (version 11.4.0), available from OpsCode (www.opscode.com).
• Creating a set of RPMs for installing Chef Client.
• Integrating the ported Chef Client with the ICOS software.
• Providing a simple Broadcom API cookbook and role to make ICOS specific configurations.
The agent and dependent RPMs require 32 MB of NVRAM (flash). The agent requires approximately 23 MB of DRAM once initialized.
2.1.21. Puppet API Integration
ICOS provides a Puppet agent that allows a Puppet server to manage patches and configure/provision the switch.
Puppet is designed to deploy system configurations. It supports the following:
• Open source, based on Ruby
• Policy-based
• Runs every 30 minutes
• An abstraction layer between the system administrator and the system
• Capable of running on any UNIX operating system
• The agent and dependent RPMs require 32 MB of NVRAM (flash)
• The agent requires approximately 25 MB of DRAM once initialized
The following items are supported:
• Standard Puppet Agent (version 3.1.1), available from Puppet Labs (https://puppetlabs.com/)
• Creating a set of RPMs for installing Puppet Agent.
• Integrating the ported Puppet Agent with ICOS.
• Providing a few Broadcom Netdev Providers which use an API to perform ICOS specific configurations.
2.1.22. Zero-Touch Provisioning
The Zero Touch Provisioning (ZTP) feature is an enhancement to the existing AutoInstall feature that supports the installation of Chef Client or Puppet Agent at the time of device bootup. ICOS release 3.0.1 and later support automatic installation of the Chef Client/Puppet Agent. In prior releases, these can be installed manually.
ZTP uses DHCP option 125 to download an .ini file from a TFTP server and installs the Chef Client/Puppet Agent as defined in the .ini file.
Automatic installation of Chef Client/Puppet Agent occurs when:
• The device boots with no saved configuration found in the designated storage areas.
• The device boots with a saved configuration that has AutoInstall enabled.
ZTP makes the device “Chef Client” or “Puppet Agent” ready without logging into the device. Installing “Chef Client” or “Puppet Agent” involves transferring the necessary files (bootstrapping and RPMs) to the device and executing Linux commands on the device. The feature takes care of retrieving the necessary files and executes the Linux commands automatically. However, a DHCP server, HTTP server and RPM repositories must exist in the network for the actions to be performed automatically.
The Zero Touch Provisioning feature on x86 platforms allows administrators to execute a custom script on Broadcom devices. Upon the first boot after a successful ONIE installation of ICOS, the DHCP client requests the “Provisioning script URL” via DHCP Option 239. The provisioning script is downloaded from the URL and executed by a ZTP service. The provisioning script is executed only once, after which the script execution mode is disabled. The script execution mode can be re-enabled by modifying a ZTP-related configuration file. The provisioning script can be used to perform basic operations, including but not limited to executing Linux commands and modifying Linux application configuration files.
2.1.23. Open Network Install Environment Support
Open Network Install Environment (ONIE) allows customers to install their choice of network operating system (NOS) onto an ICOS platform. When the switch boots, ONIE enables the switch to fetch a NOS stored on a remote server. The remote server can hold multiple NOS images, and the administrator can specify which NOS to load and run on the switch. ONIE support in ICOS facilitates automated data center provisioning by enabling a bare-metal network switch ecosystem.
ONIE is a small operating system. It is preinstalled as firmware and requires an ONIE-compliant boot loader (U-Boot/BusyBox), a kernel (Linux) and the ONIE discovery and execution application provided by the ODM.
2.1.24. Interface Error Disable and Auto Recovery
If ICOS software detects an error condition for an interface, it places the interface in diagnostic disabled state by shutting down the interface. The error-disabled interface does not allow any traffic until it is re-enabled. The interface can be manually re-enabled by the administrator or, when the Auto Recovery feature is enabled, can be re-enabled automatically after a configurable time-out.
There are multiple reasons that may cause ICOS to place an interface in the error-disabled state. Auto Recovery can be configured to take effect if an interface is error-disabled for any reason, or for some reasons but not others.
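The per-cause Auto Recovery behaviour described above, modelled as an added Python example that is not ICOS code. The cause names ('bpdu-guard', 'port-security'), the interface names and the 300 second default time-out are assumptions made for the example; time is passed in explicitly so the timer logic can be exercised without waiting.

```python
class ErrDisableRecovery:
    """Error-disable bookkeeping with per-cause Auto Recovery (example
    model, not ICOS code). Time values are plain seconds supplied by the
    caller so that the recovery timer is deterministic and testable."""

    def __init__(self, recovery_timeout=300):
        self.recovery_timeout = recovery_timeout   # seconds; assumed default
        self.recovery_causes = set()               # causes Auto Recovery applies to
        self.disabled = {}                         # interface -> (cause, time disabled)
        self.events = []                           # (time, interface, message) log

    def enable_recovery(self, cause):
        """Enable Auto Recovery for one cause, or for every cause with 'all'."""
        self.recovery_causes.add(cause)

    def error_detected(self, interface, cause, now):
        """Place an interface in the error-disabled (shut down) state."""
        self.disabled[interface] = (cause, now)
        self.events.append((now, interface, f'error-disabled: {cause}'))

    def admin_enable(self, interface, now):
        """Manual re-enable by the administrator, regardless of cause."""
        if self.disabled.pop(interface, None) is not None:
            self.events.append((now, interface, 'manually re-enabled'))

    def is_forwarding(self, interface):
        return interface not in self.disabled

    def poll(self, now):
        """Run the Auto Recovery timer; return the interfaces brought back up.
        Interfaces disabled for a cause without Auto Recovery stay down until
        an administrator re-enables them."""
        recovered = []
        for interface, (cause, since) in list(self.disabled.items()):
            eligible = 'all' in self.recovery_causes or cause in self.recovery_causes
            if eligible and now - since >= self.recovery_timeout:
                del self.disabled[interface]
                self.events.append((now, interface, f'auto-recovered from {cause}'))
                recovered.append(interface)
        return recovered
```

The events list is the audit trail an operator would expect to find in the switch log: every transition carries the cause, which is what distinguishes a flapping link from a policy violation such as a received BPDU on an edge port.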
2.1.25. Network Instrumentation App—Visibility Into Packet Processing
The packet trace feature provides detailed information on how a specific packet is processed through the ingress pipeline. The feature allows the user to send a special visibility loopback packet into the Ingress Packet Processing Pipeline that is then processed as if it were received on one of the front-panel ports, so that internal forwarding and packet processing states can be logged.
The internal forwarding and packet processing data retrieved for the packet as a part of the packet trace feature is called a trace profile. The trace profile contains data such as the lookup resolution results, lookup status, state of the ingress port, and hashing info for the packet (i.e., LAG hash resolution and ECMP route resolution). This information can be useful for detecting/diagnosing potential network problems.
2.1.26. CPU Traffic Filtering
Packets to and from the switch CPU can be sent to a remote Wireshark packet analyzer. These CPU packets can also be saved in pcap format as a file, which can be uploaded to an external server to view the packets. ICOS provides an option to define filters that limit the captured data to packets that match the filter criteria.
ICOS also provides a trace mechanism for packets received by the CPU that match the filter, tracing them until the packet is delivered to the registered application. This can help determine whether a packet was dropped or mishandled after being received by the CPU.
2.2. Security Features
This section describes the security features ICOS software supports. For additional information and configuration examples for some of these features, see Chapter 5, Configuring Security Features.
2.2.1. Configurable Access and Authentication Profiles
You can configure rules to limit access to the switch management interface based on criteria such as access type and source IP address of the management host. You can also require the user to be authenticated locally or by an external server, such as a RADIUS server.
2.2.2. AAA Command Authorization
This feature enables AAA Command Authorization in ICOS.
2.2.3. Password-Protected Management Access
Access to the CLI and SNMP management interfaces is password protected, and there are no default users on the system.
2.2.4. Strong Password Enforcement
The Strong Password feature enforces a baseline password strength for all locally administered users. Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The strength of a password is a function of length, complexity and randomness. Using strong passwords lowers the overall risk of a security breach.
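An added Python example (not ICOS code) of the kind of check a strong-password feature performs on the three properties named above. The thresholds (minimum length 8, at least three of four character classes, no run of more than three identical characters, a 40-bit entropy floor) and the user-name rule are assumptions for the example, not ICOS's policy; the entropy figure is the crude length-times-alphabet estimate, which is an upper bound, not a guess-resistance guarantee.

```python
import math
import string

# Policy thresholds below are assumptions for this example, not ICOS defaults.
MIN_LENGTH = 8
MIN_CLASSES = 3        # of the four character classes below
MAX_REPEAT_RUN = 3     # longest run of one repeated character allowed
MIN_ENTROPY_BITS = 40  # floor on the length-and-alphabet estimate

CHAR_CLASSES = {
    'lowercase': set(string.ascii_lowercase),
    'uppercase': set(string.ascii_uppercase),
    'digit': set(string.digits),
    'symbol': set(string.punctuation),
}


def character_classes(password):
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def estimated_entropy_bits(password):
    """Upper-bound entropy: length times log2 of the alphabet actually used.
    A real guesser exploits structure and does far better, so this is only
    a sanity floor that rejects short, single-class strings."""
    pool = sum(len(CHAR_CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def longest_repeat_run(password):
    """Length of the longest run of one repeated character."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(password, username=''):
    """Return the list of policy violations; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f'length below {MIN_LENGTH}')
    if len(character_classes(password)) < MIN_CLASSES:
        failures.append(f'fewer than {MIN_CLASSES} character classes')
    if longest_repeat_run(password) > MAX_REPEAT_RUN:
        failures.append(f'more than {MAX_REPEAT_RUN} repeated characters in a row')
    if username and username.lower() in password.lower():
        failures.append('contains the user name')
    if estimated_entropy_bits(password) < MIN_ENTROPY_BITS:
        failures.append(f'estimated entropy below {MIN_ENTROPY_BITS} bits')
    return failures
```

Returning every violation rather than the first one lets the CLI report all reasons at once, so an administrator can fix a password in a single attempt.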
2.2.5. MAC-Based Port Security
The port security feature limits access on a port to users with specific MAC addresses. These addresses are manually defined or learned on that port. When a frame is seen on a locked port, and the frame source MAC address is not tied to that port, the protection mechanism is invoked.
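The locked-port behaviour described above as an added Python example, not code from the ICOS software. The port names, MAC addresses, the learning limit and the two violation actions ('drop' the frame or 'shutdown' the port) are constructed for the example.

```python
class SecurePort:
    """Port-security state for one switch port (example model, not ICOS code).

    Allowed MACs are the statically configured ones plus up to `max_learned`
    addresses learned dynamically while the port is unlocked. Once locked,
    a frame from any other source MAC invokes the protection mechanism."""

    def __init__(self, name, max_learned=1, violation_action='drop'):
        self.name = name
        self.static = set()
        self.learned = set()
        self.max_learned = max_learned
        self.locked = False
        self.violation_action = violation_action   # 'drop' or 'shutdown'
        self.admin_up = True
        self.violation_log = []                    # (port, offending MAC)

    def add_static(self, mac):
        self.static.add(mac.lower())

    def lock(self):
        """Freeze the allowed set: no further learning on this port."""
        self.locked = True

    def allowed_macs(self):
        return self.static | self.learned

    def receive(self, src_mac):
        """Classify an ingress frame by its source MAC; returns what happened."""
        mac = src_mac.lower()
        if not self.admin_up:
            return 'dropped: port error-disabled'
        if mac in self.allowed_macs():
            return 'forwarded'
        if not self.locked and len(self.learned) < self.max_learned:
            self.learned.add(mac)
            return 'learned'
        # Protection mechanism: record the offender, then drop or shut down.
        self.violation_log.append((self.name, mac))
        if self.violation_action == 'shutdown':
            self.admin_up = False
            return 'violation: port shut down'
        return 'violation: frame dropped'
```

The violation log is the detection signal: a burst of distinct offending MACs on one access port is worth an alert even when the action is only 'drop'.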
2.2.6. RADIUS Client
The switch has a Remote Authentication Dial In User Service (RADIUS) client and can support up
to 32 authentication and accounting RADIUS servers.
2.2.7. TACACS+ Client
The switch has a TACACS+ client. TACACS+ provides centralized security for validation of users accessing the switch. TACACS+ provides a centralized user management system while still retaining consistency with RADIUS and other authentication processes.
2.2.8. Dot1x Authentication (IEEE 802.1X)
Dot1x authentication enables the authentication of system users through a local internal server or an external server. Only authenticated and approved system users can transmit and receive data. Supplicants are authenticated using the Extensible Authentication Protocol (EAP). Also supported are PEAP, EAP-TTL, EAP-TTLS, and EAP-TLS.
ICOS software supports RADIUS-based assignment (via 802.1X) of VLANs, including guest and unauthenticated VLANs. The Dot1X feature also supports RADIUS-based assignment of filter IDs as well as MAC-based authentication, which allows multiple supplicants connected to the same port to each authenticate individually.
2.2.9. MAC Authentication Bypass
ICOS software also supports the MAC-based Authentication Bypass (MAB) feature, which provides 802.1x-unaware clients (such as printers and fax machines) controlled access to the network using the devices' MAC address as an identifier. This requires that the known and allowable MAC address and corresponding access rights be pre-populated in the authentication server. MAB works only when the port control mode of the port is MAC-based.
2.2.10. Denial of Service
The switch supports configurable Denial of Service (DoS) attack protection for many different
types of attacks.
2.2.11. DHCP Snooping
DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server. It filters harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are specified as authorized. DHCP snooping can be enabled globally and on specific VLANs. Ports within the VLAN can be configured to be trusted or untrusted. DHCP servers must be reached through trusted ports. This feature is supported for both IPv4 and IPv6 packets.
2.2.12. Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets.
The feature prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts
traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious
station sends ARP requests or responses mapping another station’s IP address to its own MAC
address.
2.2.13. IP Source Address Guard
IP Source Guard and Dynamic ARP Inspection use the DHCP snooping bindings database. When
IP Source Guard is enabled, the switch drops incoming packets that do not match a binding in the
bindings database. IP Source Guard can be configured to enforce just the source IP address or
both the source IP address and source MAC address. Dynamic ARP Inspection uses the bindings
database to validate ARP packets. This feature is supported for both IPv4 and IPv6 packets.
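The relationship between DHCP Snooping, Dynamic ARP Inspection and IP Source Guard in Sections 2.2.11 to 2.2.13, as one added Python example that is not ICOS code: a bindings database of (MAC, IP, VLAN, port) tuples populated from DHCP messages, with server messages on untrusted ports dropped, and ARP and IP packets arriving on untrusted ports checked against the database. The DHCP message names, port names and addresses are constructed for the example, and the IPv4-only model is an assumption; the page states the feature also covers IPv6.

```python
class SnoopingDatabase:
    """DHCP snooping bindings database and its two consumers, Dynamic ARP
    Inspection (arp) and IP Source Guard (ip). Example model, not ICOS code.
    Ports are 'trusted' (lead towards the DHCP server) or untrusted."""

    SERVER_MESSAGES = {'OFFER', 'ACK', 'NAK'}

    def __init__(self):
        self.enabled_vlans = set()
        self.trusted_ports = set()
        self.pending = {}    # (client_mac, vlan) -> client port, from DISCOVER/REQUEST
        self.bindings = {}   # (client_mac, vlan) -> (mac, ip, vlan, port)
        self.log = []        # reasons for every drop, for the operator

    def enable_vlan(self, vlan):
        self.enabled_vlans.add(vlan)

    def trust(self, port):
        self.trusted_ports.add(port)

    def _drop(self, reason):
        self.log.append(reason)
        return 'dropped'

    def dhcp(self, msg_type, port, vlan, client_mac, yiaddr=None):
        """Filter one DHCP message and maintain the bindings database."""
        if vlan not in self.enabled_vlans:
            return 'forwarded'
        key = (client_mac, vlan)
        if msg_type in self.SERVER_MESSAGES:
            if port not in self.trusted_ports:
                return self._drop(f'rogue DHCP {msg_type} from untrusted port {port}')
            if msg_type == 'ACK' and key in self.pending and yiaddr:
                client_port = self.pending.pop(key)
                self.bindings[key] = (client_mac, yiaddr, vlan, client_port)
            return 'forwarded'
        if msg_type in ('DISCOVER', 'REQUEST'):
            self.pending[key] = port          # remember where the client lives
            return 'forwarded'
        if msg_type in ('RELEASE', 'DECLINE'):
            binding = self.bindings.get(key)
            if binding and binding[3] != port:
                # A release for another port's lease: forged, so dropped.
                return self._drop(f'{msg_type} for {client_mac} from wrong port {port}')
            self.bindings.pop(key, None)
            return 'forwarded'
        return self._drop(f'unknown DHCP message type {msg_type}')

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on untrusted ports the sender MAC/IP pair
        must match a binding learned on that same port."""
        if port in self.trusted_ports:
            return 'forwarded'
        binding = self.bindings.get((sender_mac, vlan))
        if binding and binding[1] == sender_ip and binding[3] == port:
            return 'forwarded'
        return self._drop(f'ARP {sender_ip}/{sender_mac} on {port} has no binding')

    def ip(self, port, vlan, src_mac, src_ip, enforce_mac=True):
        """IP Source Guard: drop packets whose source is not bound to this
        port. enforce_mac=False checks the source IP only."""
        if port in self.trusted_ports:
            return 'forwarded'
        for mac, bound_ip, bound_vlan, bound_port in self.bindings.values():
            if bound_vlan == vlan and bound_port == port and bound_ip == src_ip:
                if not enforce_mac or mac == src_mac:
                    return 'forwarded'
        return self._drop(f'IP source {src_ip}/{src_mac} on {port} has no binding')
```

The port recorded in the binding comes from the client's DISCOVER or REQUEST, not from the server's ACK, which is why a station on another port cannot reuse a neighbour's MAC and IP pair: both DAI and IP Source Guard compare the ingress port as well as the addresses.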
2.3. Switching Features
This section describes the Layer 2 switching features ICOS software supports. For additional information and configuration examples for some of these features, see Chapter 6, Configuring Switching Features.
2.3.1. VLAN Support
VLANs are collections of switching ports that comprise a single broadcast domain. Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents. Packets sharing common attributes can be grouped in the same VLAN. ICOS software is in full compliance with IEEE 802.1Q VLAN tagging.
2.3.2. Double VLANs
The Double VLAN feature (IEEE 802.1QinQ) allows the use of a second tag on network traffic. The additional tag helps differentiate between customers in the Metropolitan Area Networks (MAN) while preserving individual customer’s VLAN identification when they enter their own 802.1Q domain.
2.3.3. Switchport Modes
The switchport mode feature helps to minimize the potential for configuration errors. The feature also makes VLAN configuration easier by reducing the number of commands needed for port configuration. For example, to configure a port connected to an end user, the administrator can configure the port in Access mode. Ports connected to other switches can be configured in Trunk mode. VLAN assignments and tagging behavior are automatically configured as appropriate for the connection type.
A third switchport mode, General mode, provides no configuration restrictions and allows the administrator to configure the port with custom VLAN settings.
2.3.4. Spanning Tree Protocol (STP)
Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer 2 switches that allows bridges to automatically prevent and resolve L2 forwarding loops. The STP feature supports a variety of per-port settings including path cost, priority settings, Port Fast mode, STP Root Guard, Loop Guard, TCN Guard, and Auto Edge. These settings are also configurable per-LAG.
2.3.5. Rapid Spanning Tree
Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies to enable faster spanning tree convergence after a topology change, without creating forwarding loops. The port settings supported by STP are also supported by RSTP.
2.3.6. Multiple Spanning Tree
Multiple Spanning Tree (MSTP) operation maps VLANs to spanning tree instances. Packets assigned to various VLANs are transmitted along different paths within MSTP Regions (MST Regions). Regions are one or more interconnected MSTP bridges with identical MSTP settings. The MSTP standard lets administrators assign VLAN traffic to unique paths.
The switch supports IEEE 802.1Q-2005, which is a version that corrects problems associated with the previous version, provides for faster transition-to-forwarding, and incorporates new features for a port (restricted role and restricted TCN).
2.3.7. Bridge Protocol Data Unit (BPDU) Guard
Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices which were originally not a part of STP are not allowed to influence the STP topology.
2.3.8. BPDU Filtering
When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped. Additionally, the BPDU Filtering feature prevents a port in Port Fast mode from sending and receiving BPDUs. A port in Port Fast mode is automatically placed in the forwarding state when the link is up, to improve convergence time.
2.3.9. PVRSTP and PVSTP
ICOS supports both Rapid Spanning Tree Per VLAN (PVRSTP) and Spanning Tree Per VLAN (PVSTP). PVRSTP is the IEEE 802.1w (RSTP) standard implemented per VLAN. A single instance of rapid spanning tree (RSTP) runs on each configured VLAN. Each RSTP instance on a VLAN has a root switch. PVSTP is the IEEE 802.1D (STP) standard implemented per VLAN.
2.3.10. Link Aggregation
Up to eight ports can combine to form a single Link Aggregated Group (LAG). This enables fault
tolerance protection from physical link disruption, higher bandwidth connections and improved
bandwidth granularity.
A LAG is composed of ports of the same speed, set to full-duplex operation.
2.3.11. Track LAG Member Port Flaps
This feature enables a user to track how many times a LAG member has flapped. The member flap counter shows the number of times a port member is INACTIVE, either because the link is down or because the administrative state is disabled. The Link Down counter shows the number of times the LAG is down because all its member ports are INACTIVE.
2.3.12. Link Aggregate Control Protocol (LACP)
Link Aggregate Control Protocol (LACP) uses peer exchanges across links to determine, on an ongoing basis, the aggregation capability of various links, and continuously provides the maximum level of aggregation capability achievable between a given pair of systems. LACP automatically determines, configures, binds, and monitors the binding of ports to aggregators within the system.
ICOS modules
19
2.3.13. Virtual Port Channel (VPC)
This feature enables a LAG to be created across two independent units, which creates a scenario where some member ports of the VPC can reside on one unit and the other members of the VPC can reside on the other unit. The partner device on the remote side can be a VPC-unaware unit. For the VPC-unaware unit, the VPC appears to be a single LAG connected to a single unit.
VPC is also known as Multi-Switch Link Aggregation (MLAG).
2.3.14. Flow Control Support (IEEE 802.3x)
Flow control enables lower speed switches to communicate with higher speed switches by requesting that the higher speed switch refrains from sending packets. Transmissions are temporarily halted to prevent buffer overflows.
2.3.15. Asymmetric Flow Control
Asymmetric Flow Control can only be configured globally for all ports on XGS4 silicon based switches.
When in asymmetric flow control mode, the switch responds to PAUSE frames received from peers by stopping packet transmission, but the switch does not initiate MAC control PAUSE frames.
When the switch is configured in asymmetric flow control (or no flow control) mode, the device is placed in egress drop mode. Egress drop mode maximizes the throughput of the system at the expense of packet loss in a heavily congested system, and this mode avoids head of line blocking.
Asymmetric flow control is NOT supported on Fast Ethernet platforms, as the support was introduced to the physical layer with the Gigabit PHY specifications.
In asymmetric flow control mode, the switch advertises the symmetric flow control capability, but forces the Tx Pause to OFF in the MAC layer. At PHY level, Pause bit = 1 and ASM_DIR = 1 have to be advertised to the peer. At Driver level, Tx Pause = 0 and Rx Pause = 1, as described in IEEE 802.3-2005 Table 28B-2. The operational state (MAC layer) of receive Flow Control (Rx) is based on the pause resolution in IEEE 802.3-2005 Table 28B-3. The operational state (MAC layer) of Flow Control on the Send side (Tx) is always Off.
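The pause resolution the paragraph refers to, as an added example that is not ICOS code: the function below encodes the IEEE 802.3 Table 28B-3 resolution of the advertised PAUSE/ASM_DIR bits, and a second function applies the override the text describes for ICOS asymmetric mode (advertise Pause = 1, ASM_DIR = 1, then force Tx PAUSE off at the MAC). The dictionary keys and the assumption that the advertisement is exactly PAUSE=1/ASM_DIR=1 are mine.

```python
# Added example (not ICOS code): pause resolution per IEEE 802.3 Table 28B-3,
# plus the override described above for ICOS asymmetric mode, where the
# switch advertises PAUSE=1/ASM_DIR=1 but forces Tx PAUSE off in the MAC.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class PauseAdv:
    """Pause ability bits carried in the auto-negotiation base page."""
    pause: int     # PAUSE bit: station can receive (and, if symmetric, send) PAUSE
    asm_dir: int   # ASM_DIR bit: asymmetric pause direction supported


def resolve_pause(local: PauseAdv, partner: PauseAdv) -> Tuple[bool, bool]:
    """Return (tx_enabled, rx_enabled) for the local station (Table 28B-3).

    tx_enabled: the local MAC may send PAUSE frames to the partner.
    rx_enabled: the local MAC stops transmitting on PAUSE frames it receives.
    """
    lp, la = local.pause, local.asm_dir
    pp, pa = partner.pause, partner.asm_dir
    if lp == 0 and la == 0:
        return (False, False)                 # no pause capability advertised
    if lp == 0:                               # la == 1: local can only send PAUSE
        return (True, False) if (pp == 1 and pa == 1) else (False, False)
    if pp == 1:                               # lp == 1 and partner has PAUSE=1
        return (True, True)                   # symmetric pause both ways
    if la == 1 and pa == 1:                   # partner can only send, we can receive
        return (False, True)
    return (False, False)


# Assumption: this is the advertisement the text describes for asymmetric mode.
ICOS_ASYMMETRIC_ADV = PauseAdv(pause=1, asm_dir=1)


def icos_asymmetric_operational(partner: PauseAdv) -> Dict[str, object]:
    """Operational MAC state in ICOS asymmetric flow control mode.

    Rx follows the 28B-3 resolution; Tx is forced OFF whatever the
    resolution says, so the switch never initiates MAC control PAUSE frames.
    """
    resolved_tx, resolved_rx = resolve_pause(ICOS_ASYMMETRIC_ADV, partner)
    return {
        "phy_advertised": {"PAUSE": 1, "ASM_DIR": 1},
        "driver": {"tx_pause": 0, "rx_pause": 1},
        "mac_tx": False,            # forced off regardless of resolved_tx
        "mac_rx": resolved_rx,      # honours partner PAUSE frames when resolved
        "resolved_tx_before_override": resolved_tx,
    }
```

The point worth noticing is the last line of the dictionary: against a symmetric peer the standard resolution would enable Tx, and only the MAC-level override keeps the switch from ever sending PAUSE, which is what puts it into egress drop mode.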
2.3.16. Alternate Store and Forward (ASF)
The Alternate Store and Forward (ASF) feature, which is also known as cut-through mode, reduces latency for large packets. When ASF is enabled, the memory management unit (MMU) can forward a packet to the egress port before it has been entirely received in the Cell Buffer Pool (CBP) memory.
Support for ASF is not available on all platforms.
2.3.17. Jumbo Frames Support
Jumbo frames enable transporting data in fewer frames to ensure less overhead, lower processing
time, and fewer interrupts. The maximum transmission unit (MTU) size is configurable per-port.
2.3.18. Auto-MDI/MDIX Support
Your switch supports auto-detection between crossed and straight-through cables. Media-Dependent Interface (MDI) is the standard wiring for end stations, and the standard wiring for hubs and switches is known as Media-Dependent Interface with Crossover (MDIX).
2.3.19. Unidirectional Link Detection (UDLD)
The UDLD feature detects unidirectional links on physical ports by exchanging packets containing information about neighboring devices. The purpose of the UDLD feature is to detect and avoid unidirectional links. A unidirectional link is a forwarding anomaly in a Layer 2 communication channel in which a bidirectional link stops passing traffic in one direction.
2.3.20. Expandable Port Configuration
This feature is available only on platforms that contain expandable ports, which are ports capable of being configured as a variable number of ports.
Expandable ports allow the administrator to configure a 40G port in either 4×10G mode or 1×40G mode. When the 40G port is operating in 4×10G mode, the port operates as four 10G ports, each on a separate lane. This mode requires the use of a suitable 4×10G to 1×40G pigtail cable.
Expandable port capability can be enabled on 40G ports using the CLI command [no] hardware profile portmode. On switches based on the Broadcom BCM56850 and later devices, a change to the port mode is made effective immediately. On switches based on other chips, the mode change for the expandable port takes effect when the system boots, so if the mode is changed during switch operation, the change does not take effect until the next boot cycle.
2.3.21. VLAN-Aware MAC-based Switching
Packets arriving from an unknown source address are sent to the CPU and added to the Hardware
Table. Future packets addressed to or from this address are more efficiently forwarded.
2.3.22. Back Pressure Support
On half-duplex links, a receiver may prevent buffer overflows by jamming the link so that it is unavailable for additional traffic. On full duplex links, a receiver may send a PAUSE frame indicating that the transmitter should cease transmission of frames for a specified period.
When flow control is enabled, the switch will observe received PAUSE frames or jamming signals, and will issue them when congested.
2.3.23. Auto Negotiation
Auto negotiation allows the switch to advertise modes of operation. The auto negotiation function provides the means to exchange information between two switches that share a point-to-point link segment, and to automatically configure both switches to take maximum advantage of their transmission capabilities.
The switch enhances auto negotiation by providing configuration of port advertisement. Port advertisement allows the system administrator to configure the port speeds that are advertised.
2.3.24. Storm Control
When Layer 2 frames are forwarded, broadcast, unknown unicast, and multicast frames are flooded to all ports on the relevant virtual local area network (VLAN). The flooding occupies bandwidth, and loads all nodes connected on all ports. Storm control limits the amount of broadcast, unknown unicast, and multicast frames accepted and forwarded by the switch.
Per port and per storm control type (broadcast, multicast, or unicast), the storm control feature can be configured to automatically shut down a port when a storm condition is detected on the port, or to send a trap to the system log. When configured to shut down, the port is put into a diag-disabled state. The user must manually re-enable the interface for it to be operational. When configured to send a trap, the trap is sent once every 30 seconds. When neither action is configured, the switch rate-limits the traffic when storm conditions occur.
See the ICOS CLI Command Reference for command examples.
2.3.25. Port Mirroring
Port mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from up to four source ports to a monitoring port. The switch also supports flow-based mirroring, which allows you to copy certain types of traffic to a single destination port. This provides flexibility: instead of mirroring all ingress or egress traffic on a port, the switch can mirror a subset of that traffic. You can configure the switch to mirror flows based on certain kinds of Layer 2, Layer 3, and Layer 4 information.
ICOS supports up to four monitor sessions. Port mirroring, flow-based mirroring, RSPAN, and VLAN mirroring can be configured at the same time on the switch using different session IDs and in any combination. No two sessions can be identical. Multiple mirroring sessions are supported for all types of mirroring.
A given interface can be used as a source interface for different sessions. For example, a mirroring session can be created with port A as the source interface and port B as the destination interface. Another session can be created with port A as the source interface and port C as the destination interface. An interface cannot be configured as a destination interface for more than one session.
Traffic to and from the CPU can also be mirrored by specifying the CPU as the source interface.
An IP/MAC access-list can be attached to any mirroring session or to all sessions at the same time.
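The session rules listed above, turned into a pre-apply check as an added example (not ICOS code): at most four sessions, up to four source ports per session, a source interface reusable across sessions, a destination interface owned by one session only, and no two identical sessions. The interface naming ("0/1", "cpu", "vlan10") and the MirrorSession fields are assumptions for the illustration.

```python
# Added example (not ICOS code): checks a proposed set of mirroring sessions
# against the constraints stated above before it would be applied.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

MAX_SESSIONS = 4        # ICOS supports up to four monitor sessions
MAX_SOURCE_PORTS = 4    # port mirroring: up to four source ports per session


@dataclass(frozen=True)
class MirrorSession:
    session_id: int
    sources: FrozenSet[str]     # ports ("0/1"), "cpu", or VLANs ("vlan10"); naming is an assumption
    destination: str            # the single monitoring (probe) port
    acl: Optional[str] = None   # optional IP/MAC access-list attached to the session

    def is_port_source(self, name: str) -> bool:
        return name != "cpu" and not name.startswith("vlan")


def validate_sessions(sessions: List[MirrorSession]) -> List[str]:
    """Return a list of rule violations; an empty list means the set is acceptable."""
    errors: List[str] = []
    if len(sessions) > MAX_SESSIONS:
        errors.append(f"{len(sessions)} sessions configured, maximum is {MAX_SESSIONS}")
    seen_ids = set()
    seen_defs = set()
    dest_owner = {}
    for s in sessions:
        if s.session_id in seen_ids:
            errors.append(f"session {s.session_id}: duplicate session ID")
        seen_ids.add(s.session_id)
        # No two sessions can be identical (same sources, destination and ACL).
        definition = (s.sources, s.destination, s.acl)
        if definition in seen_defs:
            errors.append(f"session {s.session_id}: identical to an existing session")
        seen_defs.add(definition)
        # An interface may be a source for several sessions, but a destination for one only.
        if s.destination in dest_owner:
            errors.append(f"session {s.session_id}: {s.destination} is already the destination "
                          f"of session {dest_owner[s.destination]}")
        else:
            dest_owner[s.destination] = s.session_id
        ports = [p for p in s.sources if s.is_port_source(p)]
        if len(ports) > MAX_SOURCE_PORTS:
            errors.append(f"session {s.session_id}: {len(ports)} source ports, "
                          f"maximum is {MAX_SOURCE_PORTS}")
    return errors
```

Running the check before pushing a session set to the switch catches the destination-reuse case, which otherwise only shows up as the second session failing to become operationally active.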
2.3.26. Remote Switch Port Analyzer (RSPAN)
Along with the physical source ports, the network traffic received/transmitted on a VLAN can be monitored. A port mirroring session is operationally active if and only if both a destination (probe) port and at least one source port or VLAN are configured. If either is missing, the session is inactive.
ICOS supports remote port mirroring and VLAN mirroring. Traffic from/to all the physical ports which are members of that particular VLAN is mirrored.
The source for a port mirroring session can be either physical ports or a VLAN.
For flow-based mirroring, ACLs are attached to the mirroring session. Only the network traffic that matches the ACL is sent to the destination port. This feature is also supported for remote monitoring. An IP/MAC access-list can be attached to the mirroring session.
Flow-based mirroring is supported only if the QoS feature exists in the package.
Up to four RSPAN sessions can be configured on the switch and up to four RSPAN VLANs are supported. An RSPAN VLAN cannot be configured as a source for more than one session at the same time. To configure four RSPAN mirroring sessions, you must configure four RSPAN VLANs.
2.3.27. sFlow
sFlow is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources. The switch supports sFlow version 5.
ICOS supports packet sampling in hardware on BCM56960 platforms. Packet sampling in hardware does not require the sampled packet to be copied to the CPU for processing and is, therefore, less CPU-intensive. (The counter sampling mechanism, however, is performed in software.)
2.3.28. Static and Dynamic MAC Address Tables
You can add static entries to the switch’s MAC address table and configure the aging time for
entries in the dynamic MAC address table. You can also search for entries in the dynamic table
based on several different criteria.
2.3.29. Link Layer Discovery Protocol (LLDP)
The IEEE 802.1AB defined standard, Link Layer Discovery Protocol (LLDP), allows the switch to advertise major capabilities and physical descriptions. This information can help you identify system topology and detect bad configurations on the LAN.
2.3.30. Link Layer Discovery Protocol (LLDP) for Media Endpoint Devices
The Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-MED) provides an extension to the LLDP standard for network configuration and policy, device location, Power over Ethernet management, and inventory management.
2.3.31. DHCP Layer 2 Relay
This feature permits Layer 3 Relay agent functionality in Layer 2 switched networks. The switch
supports L2 DHCP relay configuration on individual ports, link aggregation groups (LAGs) and
VLANs.
2.3.32. MAC Multicast Support
Multicast service is a limited broadcast service that allows one-to-many and many-to-many connections. In Layer 2 multicast services, a single frame addressed to a specific multicast address is received, and copies of the frame to be transmitted on each relevant port are created.
2.3.33. IGMP Snooping
Internet Group Management Protocol (IGMP) Snooping is a feature that allows a switch to forward multicast traffic intelligently on the switch. Multicast IP traffic is traffic that is destined to a host group. Host groups are identified by class D IP addresses, which range from 224.0.0.0 to 239.255.255.255. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request the multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly affecting network performance.
2.3.34. Source Specific Multicasting (SSM)
This mechanism provides the ability for a host to report interest in receiving a particular multicast
stream only from among a set of specific source addresses, or its interest in receiving a multicast
stream from any source other than a set of specific source addresses.
2.3.35. Control Packet Flooding
This feature enhances the MGMD Snooping functionality to flood multicast packets with DIP=224.0.0.x to ALL members of the incoming VLAN irrespective of the configured filtering behavior. This enhancement depends on the ability of the underlying switching silicon to flood packets with DIP=224.0.0.x irrespective of the entries in the L2 Multicast Forwarding Tables. In platforms that do not have the said hardware capability, 2 ACLs (one for IPv4 and another for IPv6) would be consumed in the switching silicon to accomplish the flooding using software.
2.3.36. Flooding to mRouter Ports
This feature enhances the MGMD Snooping functionality to flood unregistered multicast streams to ALL mRouter ports in the VLAN irrespective of the configured filtering behavior. This enhancement depends on the ability of the underlying switching silicon to flood packets to specific ports in the incoming VLAN when there are no entries in the L2 Multicast Forwarding Tables for the specific stream. In platforms that do not have this hardware capability, incoming multicast streams will always be flooded in the ingress VLAN when there is an L2MC-MISS in the switching silicon.
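A software model of the three forwarding decisions described in 2.3.33, 2.3.35 and 2.3.36, added here as an example (not ICOS code): membership reports build a per-group receiver set, registered groups go only to the ports that asked for them, DIP=224.0.0.x floods to every VLAN member, and an unregistered stream goes to the mRouter ports. Including the mRouter ports in the egress set of a registered group is standard snooping behaviour that the page does not state, and the port names are constructed.

```python
# Added example (not ICOS code): a software model of the snooping forwarding
# decision described in 2.3.33, 2.3.35 and 2.3.36 for one VLAN.
import ipaddress
from typing import Dict, Iterable, Set

CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")               # 224.0.0.0 - 239.255.255.255
LINK_LOCAL_CONTROL = ipaddress.IPv4Network("224.0.0.0/24")   # DIP=224.0.0.x


def is_class_d(addr: str) -> bool:
    return ipaddress.IPv4Address(addr) in CLASS_D


class SnoopingVlan:
    def __init__(self, vlan_id: int, members: Iterable[str], mrouter_ports: Iterable[str] = ()):
        self.vlan_id = vlan_id
        self.members: Set[str] = set(members)
        self.mrouter_ports: Set[str] = set(mrouter_ports)   # ports toward multicast routers
        self.groups: Dict[str, Set[str]] = {}               # group -> ports that reported membership

    def on_report(self, group: str, port: str) -> None:
        """IGMP membership report seen on a port: add it to the group's receiver set."""
        if not is_class_d(group):
            raise ValueError(f"{group} is not a class D address")
        self.groups.setdefault(group, set()).add(port)

    def on_leave(self, group: str, port: str) -> None:
        """Port left the group (leave message, or no report in answer to a query)."""
        receivers = self.groups.get(group)
        if receivers:
            receivers.discard(port)
            if not receivers:
                del self.groups[group]

    def egress_ports(self, dst_ip: str, ingress_port: str) -> Set[str]:
        """Ports a multicast data frame is forwarded to (never back to the ingress port)."""
        if not is_class_d(dst_ip):
            raise ValueError(f"{dst_ip} is not a multicast destination")
        if ipaddress.IPv4Address(dst_ip) in LINK_LOCAL_CONTROL:
            # 2.3.35: control traffic floods to ALL members regardless of filtering
            return self.members - {ingress_port}
        receivers = self.groups.get(dst_ip)
        if receivers:
            # 2.3.33: only the ports that asked for the stream; mRouter ports are
            # added as in standard snooping (assumption, not stated on the page)
            out = receivers | self.mrouter_ports
        else:
            # 2.3.36: unregistered stream is flooded to the mRouter ports only
            out = set(self.mrouter_ports)
        return out - {ingress_port}
```

The `on_leave` path is where the aging behaviour of a real implementation would sit: a port that stops answering queries is removed from the receiver set, and the group disappears from the table once no receiver remains, which is exactly when the stream falls back to the unregistered path.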
2.3.37. IGMP Snooping Querier
When Protocol Independent Multicast (PIM) and IGMP are enabled in a network with IP multicast routing, the IP multicast router acts as the IGMP querier. However, if it is desirable to keep the multicast network Layer 2 switched only, the IGMP Snooping Querier can perform the query functions of a Layer 3 multicast router.
2.3.38. Multicast VLAN Registration
The Multicast VLAN Registration (MVR) protocol, like IGMP Snooping, allows a layer-2 switch to
listen to IGMP frames and forward the multicast traffic only to the receivers that request it. Unlike
IGMP Snooping, MVR allows the switch to listen across different VLANs. MVR uses a dedicated
VLAN, which is called the multicast VLAN, to forward multicast traffic over the layer-2 network to
the various VLANs that have multicast receivers as members.
2.3.39. Management and Control Plane ACLs
This feature provides hardware-based filtering of traffic to the CPU. An optional management feature is available to apply the ACL on the CPU port. Currently, control packets like BPDU are dropped because of the implicit deny all rule added at the end of the list. To overcome this rule, you must add rules that allow the control packets.
Support for user-defined simple rate limiting rule attributes for inbound as well as outbound traffic is also available. This attribute is supported on all QoS capable interfaces: physical, LAG, and control-plane. Outbound direction is only supported on platforms with an Egress Field Processor (EFP).
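The implicit deny-all behaviour described above, shown as an added example (not ICOS code): an ordered ACL is evaluated first-match-wins over a few constructed frames headed for the CPU, and a BPDU is denied until an explicit permit for the bridge group address is placed in front of the IP rule. The rule attributes, frame fields and rate-limit values are assumptions for the illustration; the BPDU destination MAC is the IEEE 802.1D bridge group address.

```python
# Added example (not ICOS code): evaluates frames destined to the CPU against an
# ordered control-plane ACL that ends with the implicit deny-all, showing that
# BPDUs are dropped until a permit rule for them is added.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BPDU_DST_MAC = "01:80:c2:00:00:00"   # IEEE 802.1D bridge group address used by STP BPDUs
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    ethertype: Optional[int]    # None for LLC-encapsulated frames such as BPDUs
    ingress: str


@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    dst_mac: Optional[str] = None          # None matches any
    ethertype: Optional[int] = None        # None matches any
    rate_limit_kbps: Optional[int] = None  # optional simple rate-limit attribute

    def matches(self, f: Frame) -> bool:
        if self.dst_mac is not None and self.dst_mac.lower() != f.dst_mac.lower():
            return False
        if self.ethertype is not None and self.ethertype != f.ethertype:
            return False
        return True


def evaluate(acl: List[Rule], frame: Frame) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match hits the implicit deny-all at the end."""
    for rule in acl:
        if rule.matches(frame):
            return rule.action, rule.rate_limit_kbps
    return "deny", None


def apply_to_cpu_port(acl: List[Rule], frames: List[Frame]) -> Dict[str, int]:
    """Count permitted and denied frames, the way a per-action hardware counter would."""
    counts = {"permit": 0, "deny": 0}
    for f in frames:
        action, _ = evaluate(acl, f)
        counts[action] += 1
    return counts


# Constructed sample: one BPDU, one ARP, one IPv4 packet heading to the CPU.
SAMPLE_FRAMES = [
    Frame(BPDU_DST_MAC, None, "0/1"),
    Frame("ff:ff:ff:ff:ff:ff", ETHERTYPE_ARP, "0/2"),
    Frame("00:11:22:33:44:55", ETHERTYPE_IPV4, "0/3"),
]

# A CPU ACL that only considered IP: BPDUs fall through to the implicit deny.
ACL_IP_ONLY = [Rule("permit", ethertype=ETHERTYPE_IPV4, rate_limit_kbps=1000)]

# Corrected ACL: explicit permits for the control protocols placed before the IP rule.
ACL_WITH_CONTROL = [
    Rule("permit", dst_mac=BPDU_DST_MAC),
    Rule("permit", ethertype=ETHERTYPE_ARP, rate_limit_kbps=256),
] + ACL_IP_ONLY
```

Comparing the two counters is a quick way to see how much of the control traffic a proposed CPU ACL would silently drop before it is applied to a production switch.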
2.3.40. Link Dependency
The ICOS Link Dependency feature supports enabling/disabling ports based on the link state of other ports (i.e., making the link state of some ports dependent on the link state of others). In the simplest form, if port A is dependent on port B and the switch detects link loss on B, the switch automatically brings down the link on port A. When the link is restored to port B, the switch automatically restores the link to port A. The link action command option determines whether link A will come up or go down, depending upon the state of link B.
2.3.41. IPv6 Router Advertisement Guard
ICOS switches support IPv6 Router Advertisement Guard (RA-Guard) to protect against attacks via rogue Router Advertisements in accordance with RFC 6105. ICOS RA-Guard supports Stateless RA-Guard, where the administrator can configure the interface to allow received router advertisements and router redirect messages to be processed/forwarded or dropped.
By default, RA-Guard is not enabled on any interfaces. RA-Guard is enabled/disabled on physical interfaces or LAGs. RA-Guard does not require IPv6 routing to be enabled.
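The stateless RA-Guard decision described above, as an added example (not ICOS code): a per-interface policy is consulted for each received frame, and when the interface is set to drop, only ICMPv6 Router Advertisement (type 134) and Redirect (type 137) messages are discarded while everything else is forwarded; an interface with no policy behaves as RA-Guard disabled. The parser assumes an IPv6 header with no extension headers, and the test frame, interface names and mode strings are constructed for the illustration.

```python
# Added example (not ICOS code): a stateless RA-Guard decision over raw Ethernet
# frames, in the spirit of RFC 6105. It only parses IPv6 without extension
# headers (assumption); interface names and policy values are illustrative.
from typing import Dict, Optional

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_REDIRECT = 137
ICMPV6_ECHO_REQUEST = 128
GUARDED_TYPES = {ICMPV6_ROUTER_ADVERTISEMENT, ICMPV6_REDIRECT}


def icmpv6_type(frame: bytes) -> Optional[int]:
    """Return the ICMPv6 type of an Ethernet/IPv6/ICMPv6 frame, else None."""
    if len(frame) < 14 + 40 + 4:
        return None
    if int.from_bytes(frame[12:14], "big") != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6 or ip6[6] != NEXT_HEADER_ICMPV6:
        return None                     # not IPv6, or an extension header we do not parse
    return frame[54]


class RaGuard:
    """Per-interface stateless RA-Guard: 'drop' or 'process' RA/redirect messages."""

    def __init__(self) -> None:
        self.policy: Dict[str, str] = {}     # interface -> "drop" | "process"; absent = not enabled

    def enable(self, interface: str, mode: str = "drop") -> None:
        if mode not in ("drop", "process"):
            raise ValueError(mode)
        self.policy[interface] = mode

    def disable(self, interface: str) -> None:
        self.policy.pop(interface, None)

    def decide(self, interface: str, frame: bytes) -> str:
        """Return 'forward' or 'drop' for a frame received on interface."""
        mode = self.policy.get(interface)
        if mode != "drop":
            return "forward"            # RA-Guard off (default) or configured to process
        if icmpv6_type(frame) in GUARDED_TYPES:
            return "drop"
        return "forward"                # all other traffic is untouched


def build_icmpv6_frame(icmp_type: int) -> bytes:
    """Constructed test frame: Ethernet + IPv6 + 8-byte ICMPv6 header, checksum left zero."""
    eth = (bytes.fromhex("333300000001")            # dst: IPv6 all-nodes multicast MAC
           + bytes.fromhex("0200deadbeef")          # src: locally administered MAC
           + ETHERTYPE_IPV6.to_bytes(2, "big"))
    src = bytes.fromhex("fe80" + "00" * 13 + "01")  # fe80::1
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")  # ff02::1 (all nodes)
    ip6 = (bytes([0x60, 0, 0, 0]) + (8).to_bytes(2, "big")
           + bytes([NEXT_HEADER_ICMPV6, 255]) + src + dst)
    icmp = bytes([icmp_type, 0, 0, 0, 0, 0, 0, 0])
    return eth + ip6 + icmp
```

A real implementation would have to walk IPv6 extension headers before trusting the next-header field; the parser above returns None in that case, which in `decide` means forward, so it errs on the side of not dropping rather than pretending to have classified the frame.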
2.3.42. FIP Snooping
The FCoE Initialization Protocol (FIP) is used to perform the functions of FC_BB_E device discovery, initialization, and maintenance. FIP uses a separate EtherType from FCoE to distinguish discovery, initialization, and maintenance traffic from other FCoE traffic. FIP frames are standard Ethernet size (1518 byte 802.1Q frame), whereas FCoE frames are a maximum of 2240 bytes.
FIP snooping is a frame inspection method used by FIP Snooping Bridges to monitor FIP frames and apply policies based upon the L2 header information in those frames.
FIP snooping allows for:
Auto-configuration of Ethernet ACLs based on information in the Ethernet headers of FIP frames.
Emulation of FC point-to-point links within the DCB Ethernet network.
Enhanced FCoE security/robustness by preventing FCoE MAC spoofing.
The role of FIP snooping-enabled ports on the switch falls under one of the following types:
Perimeter or Edge port (connected directly to a Fibre Channel end node or ENode).
Fibre Channel forwarder (FCF) facing port (that receives traffic from FCFs targeted to the ENodes).
The FIP Snooping Bridge feature supports the configuration of the perimeter port role and FCF-facing port roles and is intended for use only at the edge of the switched network.
The default port role in an FCoE-enabled VLAN is as a perimeter port. FCF-facing ports are configured by the user.
2.3.43. ECN Support
Explicit Congestion Notification (ECN) is defined in RFC 3168. Conventional TCP networks signal congestion by dropping packets. A Random Early Discard scheme provides earlier notification than tail drop by dropping packets already queued for transmission. ECN marks congested packets that would otherwise have been dropped and expects an ECN capable receiver to signal congestion back to the transmitter without the need to retransmit the packet that would have been dropped. For TCP, this means that the TCP receiver signals a reduced window size to the transmitter but does not request retransmission of the CE marked packet.
ICOS implements ECN capability as part of the WRED configuration process. It is configured as a parameter in the random-detect command. Eligible packets are marked by hardware based upon the WRED configuration. The network operator can configure any CoS queue to operate in ECN marking mode and can configure different discard thresholds for each color.
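The drop-or-mark decision described above, as an added example (not ICOS code and not the random-detect command's own logic): each colour has its own WRED thresholds, and when the queue is in ECN marking mode a packet selected by the random discard is marked CE if it carries ECT(0) or ECT(1), otherwise dropped. Above max_th the packet is dropped unconditionally, following the RFC 3168 guidance for the tail-drop region. The threshold values, colour names and queue layout are constructed for the illustration.

```python
# Added example (not ICOS code): a WRED drop/mark decision with per-colour
# thresholds and an ECN marking mode, following RFC 3168: ECT packets in the
# random-discard region are marked CE instead of being dropped. Threshold
# values and colour names are illustrative assumptions.
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0b00, 0b01, 0b10, 0b11


@dataclass(frozen=True)
class WredProfile:
    min_th: int          # average queue depth where random discard starts
    max_th: int          # depth at which the discard probability reaches max_prob
    max_prob: float


@dataclass
class CosQueue:
    profiles: Dict[str, WredProfile]   # "green" / "yellow" / "red"
    ecn_marking: bool = False


def wred_decide(queue: CosQueue, colour: str, avg_depth: float, ecn_bits: int,
                rng: Callable[[], float] = random.random) -> Tuple[str, int]:
    """Return (action, ecn_bits_out); action is 'enqueue', 'mark' or 'drop'."""
    p = queue.profiles[colour]
    if avg_depth < p.min_th:
        return "enqueue", ecn_bits
    if avg_depth >= p.max_th:
        return "drop", ecn_bits          # beyond max_th: unconditional drop (tail-drop region)
    prob = p.max_prob * (avg_depth - p.min_th) / (p.max_th - p.min_th)
    if rng() >= prob:
        return "enqueue", ecn_bits       # not selected by the random discard
    if queue.ecn_marking and ecn_bits in (ECN_ECT0, ECN_ECT1):
        return "mark", ECN_CE            # congestion signalled without losing the packet
    return "drop", ecn_bits              # non-ECT traffic (or ECN off) is dropped


def run_trace(queue: CosQueue, colour: str, depths: List[float], ecn_bits: int,
              rng: Callable[[], float] = random.random) -> Dict[str, int]:
    """Tally the decisions over a sequence of average queue depths."""
    counts = {"enqueue": 0, "mark": 0, "drop": 0}
    for d in depths:
        action, _ = wred_decide(queue, colour, d, ecn_bits, rng)
        counts[action] += 1
    return counts


# Constructed queue: green traffic tolerates deeper queues than red.
QUEUE = CosQueue({
    "green": WredProfile(40, 80, 0.1),
    "yellow": WredProfile(30, 60, 0.2),
    "red": WredProfile(20, 40, 0.5),
}, ecn_marking=True)
```

Passing a fixed `rng` makes the random region deterministic, which is how the expected behaviour for each colour and ECN codepoint can be checked without simulating queue dynamics.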
2.4. Data Center Features
This section describes the data center features ICOS software supports. For additional information and configuration examples for some of these features, see Chapter 7, Configuring Data Center Features.
2.4.1. Priority-based Flow Control
The Priority-based Flow Control (PFC) feature allows the user to pause or inhibit transmission of individual priorities within a single physical link. By configuring PFC to pause a congested priority (or priorities) independently, protocols that are highly loss sensitive can share the same link with traffic that has different loss tolerances. Priorities are differentiated by the priority field of the 802.1Q VLAN header.
An interface that is configured for PFC is automatically disabled for 802.3x flow control.
Support for PFC is not available on all platforms.
2.4.2. Data Center Bridging Exchange Protocol
The Data Center Bridging Exchange Protocol (DCBX) is used by data center bridge devices to exchange configuration information with directly-connected peers. The protocol is also used to detect misconfiguration of the peer DCBX devices and, optionally, for configuration of peer DCBX devices.
Support for DCBX is not available on all platforms.
2.4.3. Quantized Congestion Notification
Quantized Congestion Notification (QCN) supports congestion management of long-lived data flows within a network domain by enabling bridges to signal congestion information to end stations capable of transmission rate limiting to avoid frame loss. This mechanism enables support for higher-layer protocols that are highly loss or latency sensitive. QCN helps to allow network storage traffic, high performance computing traffic, and internet traffic to coexist within the same network. QCN allows the flow of traffic to increase or decrease based on the behavior of the reaction point.
Support for QCN is not available on all platforms.
2.4.4. CoS Queuing and Enhanced Transmission Selection
The CoS Queuing feature allows the switch administrator to directly configure certain aspects of the device hardware queuing to provide the desired QoS behavior for different types of network traffic. The priority of a packet arriving at an interface can be used to steer the packet to the appropriate outbound CoS queue through a mapping table. CoS queue characteristics such as minimum guaranteed bandwidth, transmission rate shaping, etc. are user configurable at the queue (or port) level.
Enhanced Transmission Selection (ETS) allows Class of Service (CoS) configuration settings to
be advertised to other devices in a data center network through DCBX ETS TLVs. CoS information
is exchanged with peer DCBX devices using ETS TLVs.
Support for CoS Queuing and ETS is not available on all platforms.
2.4.5. OpenFlow
The OpenFlow feature enables the switch to be managed by a centralized OpenFlow Controller using the OpenFlow protocol. ICOS supports the OpenFlow 1.0 standard and the OpenFlow 1.3 standard. ICOS uses the OpenFlow agent from the Open vSwitch (OVS) project. ICOS release 3.2 uses OVS version 2.3.0. The Open vSwitch code is licensed under the “Apache 2” license.
The OpenFlow 1.0 standard supports a single-table data forwarding path. However, ICOS supports Open vSwitch proprietary extensions to enable the OpenFlow controller to access multiple forwarding tables.
The OpenFlow 1.3 standard enables a multi-table data forwarding path. However, as of release 3.2, ICOS supports a single-table OpenFlow 1.3 data forwarding path. Support for additional hardware tables in the OpenFlow 1.3 data path may be added in future releases.
2.4.6. DCVPN Gateway
Logically segregated virtual networks in a data center are sometimes referred to as data center VPNs (DCVPNs). VXLAN and NVGRE are two realizations of a DCVPN. The ICOS DCVPN Gateway is a solution that allows VXLAN and NVGRE to communicate with another network, particularly a VLAN. It offers VXLAN Tunnel Endpoint (VTEP) functionality for VXLAN and Network Virtualization Edge (NVE) functionality for NVGRE tunnels on the switch.
Both VXLAN and NVGRE are layer-3, IP-based technologies that prepend an existing layer-2 frame with a new IP header, providing layer-3 based tunneling capabilities for layer-2 frames. This essentially enables a layer-2 domain to extend across a layer-3 boundary.
For the traffic from a VXLAN/NVGRE to use services on physical devices in a distant network, the traffic must pass through a DCVPN Gateway.
The ICOS DCVPN Gateway feature is configurable through the CLI. It also offers an Overlay API to facilitate programming from external agents.
2.4.7. MPLS
Multiprotocol Label Switching (MPLS) is a technique for forwarding data between network nodes using short MPLS-assigned path labels instead of long network addresses associated with the underlying forwarding protocol. MPLS may be deployed in data centers to enable multi-service networks, which deliver data transport services and IP routing services across the same packet-switched network infrastructure. It may also improve network reliability and performance.
2.4.8. Dynamic Topology Map and Prescriptive Topology Mapping
To easily identify ports where a network cabling error and/or other cabling complication (mis-wiring) has occurred, a CLI command can be used to light the LED for a single port or multiple ports and turn off all other port LEDs. The port-locator enable command is executed on individual interfaces.
In the case where a port has two LEDs, one for link and a second for activity, only the link LED is used for the port locator function. The activity LED will be turned off while the port locator is active.
If a port has link and activity combined on a single LED, the LED will not blink if activity is present on the port, regardless of whether port-locator is enabled or disabled on the port.
The out-of-band port LED is not affected by this feature.
Prescriptive Topology Mapping (PTM) uses a topology file to verify the cabling on a switch. The topology file can be distributed either by Chef or Puppet, or can be provided manually to all the switches in the network to verify the entire topology. PTM relies on an open-source LLDP daemon (LLDPD) to gather information about the partner switches and their links.
2.5. Routing Features
This section describes the layer-3 routing features ICOS software supports. For additional information and configuration examples for some of these features, see Chapter 8, Configuring Routing.
2.5.1. IP Unnumbered
Each routing interface can be configured to borrow the IP address from the loopback interfaces and use this IP for all routing activities.
The IP Unnumbered feature was initially developed to avoid wasting an entire subnet on point-to-point serial links. Though VLSM (Variable Length Subnet Mask) or private addresses can be used instead of IP Unnumbered, neither technique can be supported by classful routing protocols such as RIPv1 and IGRP.
The IP Unnumbered feature can also be used in situations where adjacencies are transient and adjacent interfaces cannot be easily configured with IPv4 addresses in the same subnet. It also helps in reducing the configuration overhead in large scale Data-Center deployments.
2.5.2. Open Shortest Path First (OSPF)
Open Shortest Path First (OSPF) is a dynamic routing protocol commonly used within medium-to-large enterprise networks. OSPF is an interior gateway protocol (IGP) that operates within a single autonomous system.
2.5.3. Border Gateway Protocol (BGP)
BGP is an exterior routing protocol used in large-scale networks to transport routing information
between autonomous systems (AS). As an interdomain routing protocol, BGP is used when AS
path information is required to provide partial or full Internet routing downstream. ICOS supports
BGP version 4.
The following BGP features are supported:
Proprietary BGP MIB support for reporting status variables and internal counters.
Additional route map support:
Match as-path
Set as-path
Set local-preference
Set metric
Support for inbound and outbound neighbor-specific route maps.
Handling the BGP RTO full condition.
Support for the show ip bgp command.
Support for the show ip bgp traffic command.
Support for the bgp always-compare-med command.
Support for the maximum number of BGP neighbors: 128.
A prefix list is supported to filter the output of the show ip bgp command.
Configurable maximum length of a received AS_PATH.
Show command to list the routes accepted from a specific neighbor.
Show command to list the routes rejected from a specific neighbor.
Support for BGP communities.
Support for IPv6.
IPv6 Transport and Prefix list
Support for BGP peer templates to simplify neighbor configuration.
VRF support
Dynamic neighbor creation
Extended communities
Dynamic route leaking between VRF instances
2.5.4. VLAN Routing
ICOS software supports VLAN routing. You can also configure the software to allow traffic on a
VLAN to be treated as if the VLAN were a router port.
2.5.5. IP Configuration
The switch IP configuration settings allow you to configure network information for VLAN routing interfaces such as IP address and subnet mask, MTU size, and ICMP redirects. Global IP configuration settings for the switch allow you to enable or disable the generation of several types of ICMP messages and enable or disable the routing mode.
2.5.6. ARP Table Management
You can create static Address Resolution Protocol (ARP) entries and manage many settings for
the dynamic ARP table, such as age time for entries, retries, and cache size.
2.5.7. BOOTP/DHCP Relay Agent
The switch BOOTP/DHCP Relay Agent feature relays BOOTP and DHCP messages between
DHCP clients and DHCP servers that are located in different IP subnets.
2.5.8. IP Helper and UDP Relay
The IP Helper and UDP Relay features provide the ability to relay various protocols to servers on a
different subnet.
2.5.9. Router Discovery
For each interface, you can configure the Router Discovery Protocol (RDP) to transmit router advertisements. These advertisements inform hosts on the local network about the presence of the router.
2.5.10. Routing Table
The routing table displays information about the routes that have been dynamically learned. You
can configure static and default routes and route preferences. A separate table shows the routes
that have been manually configured.
2.5.11. Virtual Router Redundancy Protocol (VRRP)
VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
VRRP Route Interface Tracking extends the capability of VRRP to allow tracking of specific route/interface IP states within the router that can alter the priority level of a virtual router for a VRRP group.
2.5.12. Bidirectional Forwarding Detection
In a network device, Bidirectional Forwarding Detection (BFD) is presented as a service to its user applications, providing them options to create and destroy a session with a peer device and reporting upon the session status. On ICOS switches, BGP and OSPF can use BFD for monitoring of their neighbors' availability in the network and for fast detection of connection faults with them.
2.5.13. VRF Lite
The Virtual Routing and Forwarding (VRF) Lite feature enables a router to function as multiple routers. Each virtual router (VR) manages its own routing domain. Specifically, each virtual router maintains its own IP routes, routing interfaces, and host entries, which enables each virtual router to make its own routing decisions, independent of other virtual routers. More than one virtual routing table may contain a route to a given destination. The network administrator can associate a subset of the router’s interfaces with each virtual router. The router routes packets according to the virtual routing table associated with the packet’s ingress interface. Each interface can be associated with at most one virtual router.
As part of the latest ICOS release, the OSPF, PING, BGP and Traceroute applications are VR-aware.
2.5.14. RFC 5549
ICOS software supports RFC 5549, “Advertising IPv4 Network Layer Reachability Information with an IPv6 Next Hop.” This specification enables the deployment of a mixed IPv4/IPv6 network without having to assign IPv4 addresses to transit links between switches. Instead, IPv6 interfaces are used for forwarding the IPv4 traffic.
This feature enables IPv4 routes to use IPv6 NDP to determine the next hop. No IPv6 tunneling is needed. The IPv4 packets are routed as normal, but they use next hops determined by the IPv6 protocol. RFC 5549 adds BGP extensions to insert these IPv4 routes with IPv6 next hops into the routing table.
When this feature is present in software, it is applicable to port-based and VLAN-based routing interfaces. RFC 5549 forwarding mode is enabled only when two neighbor routers use the BGP capabilities field to agree that the RFC 5549 forwarding mode is supported on the interface.
This feature enables customers to minimize the use of IPv4 addresses. IPv4 addresses only need to be assigned to the routing interfaces to which the IPv4 servers are connected. All the interconnect links in the network and the switch management IP addresses are IPv6.
The typical usage scenario for this feature is to interconnect IPv4 subnets at the edge of the network via an IPv6 core network.
There is no user configuration associated with this feature. When used, the show ip route command may show some IPv4 routes with IPv6 addresses as next hops.
2.5.15. Algorithmic Longest Prefix Match (ALPM)
ALPM is a method used by routers to select an entry from a forwarding table. When an exact
match is not found in the forwarding table, the match with the longest subnet mask, also called the
longest prefix match, is chosen. It is called the longest prefix match because it is also the entry
where the largest number of leading address bits of the destination address match those in the
table entry.
ALPM is primarily a switch silicon feature, and the algorithm is implemented in the SDK on the
chip. ALPM enables support for a large number of routes (for BGP, 32k IPv4 routes and 24k IPv6
routes are supported).
Support for ALPM is platform-dependent. For platforms that support ALPM, two SDM templates,
“dual-ipv4-and-ipv6 alpm-data-center” and “dual-ipv4-and-ipv6 alpm-mpls-data-center”, are made
available to accommodate the larger number of routes.
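Longest prefix match as described above, with IPv4 routes that carry IPv6 next hops as RFC 5549 permits, as an added Python example. It is not ICOS code and says nothing about how the silicon ALPM tables are organised; all routes, next hops and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Route:
    prefix: IPNetwork
    next_hop: IPAddress   # RFC 5549: an IPv4 prefix may carry an IPv6 next hop
    interface: str


class ForwardingTable:
    """Constructed forwarding table that answers lookups by longest prefix match."""

    def __init__(self) -> None:
        # address family -> prefix length -> network -> route
        self._routes: Dict[int, Dict[int, Dict[IPNetwork, Route]]] = {}

    def add(self, prefix: str, next_hop: str, interface: str) -> Route:
        net = ipaddress.ip_network(prefix)   # strict: rejects prefixes with host bits set
        route = Route(net, ipaddress.ip_address(next_hop), interface)
        self._routes.setdefault(net.version, {}).setdefault(net.prefixlen, {})[net] = route
        return route

    def lookup(self, destination: str) -> Optional[Route]:
        """Return the most specific route covering the destination, or None."""
        dst = ipaddress.ip_address(destination)
        by_len = self._routes.get(dst.version, {})
        # Try prefix lengths from longest to shortest: the first hit is the entry
        # sharing the largest number of leading bits with the destination.
        for plen in sorted(by_len, reverse=True):
            candidate = ipaddress.ip_network(f"{dst}/{plen}", strict=False)
            route = by_len[plen].get(candidate)
            if route is not None:
                return route
        return None  # no covering route, not even a default


def build_example_table() -> ForwardingTable:
    """Constructed routes. The IPv4 prefixes use IPv6 link-local next hops, as
    RFC 5549 allows when the interconnect links carry only IPv6 addresses."""
    fib = ForwardingTable()
    fib.add("0.0.0.0/0", "fe80::1", "0/1")       # default route
    fib.add("10.27.0.0/16", "fe80::2", "0/2")
    fib.add("10.27.21.0/24", "fe80::3", "0/3")   # more specific than the /16
    fib.add("2001:db8::/32", "fe80::4", "0/4")
    fib.add("2001:db8:1::/48", "fe80::5", "0/5")
    return fib
```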
2.6. Layer 3 Multicast Features
For information about configuring L3 multicast features, see Chapter 9, Configuring IPv4 and IPv6
Multicast.
2.6.1. Distance Vector Multicast Routing Protocol
Distance Vector Multicast Routing Protocol (DVMRP) exchanges probe packets with all
DVMRP-enabled routers, establishing two-way neighboring relationships and building a neighbor table.
It exchanges report packets and creates a unicast topology table, which is used to build the
multicast routing table. This multicast route table is then used to route the multicast packets.
2.6.2. Internet Group Management Protocol
The Internet Group Management Protocol (IGMP) is used by IPv4 systems (hosts and routers) to
report their IP multicast group memberships to any neighboring multicast routers. For example,
Aurora Series switches perform the “multicast router part” of the IGMP protocol, which means they
collect the membership information needed by the active multicast router.
2.6.3. IGMP Proxy
The IGMP Proxy feature allows the switch to act as a proxy for hosts by sending IGMP host
messages on behalf of the hosts that the switch discovered through standard IGMP router interfaces.
2.6.4. Protocol Independent Multicast
2.6.4.1. Dense Mode (PIM-DM)
Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides
scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided
by any particular unicast routing protocol. The Protocol Independent Multicast-Dense Mode
(PIM-DM) protocol uses an existing unicast routing table and a Join/Prune/Graft mechanism to build a
tree. PIM-DM creates source-based shortest-path distribution trees, making use of reverse path
forwarding (RPF).
2.6.4.2. Sparse Mode (PIM-SM)
Protocol Independent Multicast-Sparse Mode (PIM-SM) is used to efficiently route multicast traffic
to multicast groups that may span wide area networks, and where bandwidth is a constraint.
PIM-SM uses shared trees by default and implements source-based trees for efficiency. A data
threshold rate is used to toggle between the two kinds of tree.
2.6.4.3. Source Specific Multicast (PIM-SSM)
Protocol Independent Multicast—Source Specific Multicast (PIM-SSM) is a subset of PIM-SM and
is used for one-to-many multicast routing applications, such as audio or video broadcasts.
PIM-SSM does not use shared trees.
2.6.4.4. PIM IPv6 Support
PIM-DM and PIM-SM support IPv6 routes.
2.6.5. MLD/MLDv2 (RFC2710/RFC3810)
MLD is used by IPv6 systems (listeners and routers) to report their IP multicast address
memberships to any neighboring multicast routers. The implementation of MLD v2 is backward
compatible with MLD v1.
The MLD protocol enables the IPv6 router to discover the presence of multicast listeners, the nodes
that want to receive the multicast data packets, on its directly attached interfaces. The protocol
specifically discovers which multicast addresses are of interest to its neighboring nodes and
provides this information to the multicast routing protocol that makes the decision on the flow of the
multicast data packets.
2.7. Quality of Service Features
This section describes the Quality of Service (QoS) features ICOS software supports. For
additional information and configuration examples for some of these features, see Chapter 10,
Configuring Quality of Service.
2.7.1. Access Control Lists (ACL)
Access Control Lists (ACLs) ensure that only authorized users have access to specific resources
while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide
traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded
or blocked, and above all provide security for the network. The switch supports the following ACL
types:
IPv4 ACLs
IPv6 ACLs
MAC ACLs
For all ACL types, you can apply the ACL rule when the packet enters or exits the physical port,
LAG, or VLAN interface.
2.7.2. ACL Remarks
Users can use ACL remarks to include comments for ACL rule entries in any MAC ACL. Remarks
assist the user in understanding ACL rules easily.
2.7.3. ACL Rule Priority
This feature allows the user to add sequence numbers to ACL rule entries and re-sequence them.
When a new ACL rule entry is added, the sequence number can be specified so that the new ACL
rule entry is placed in the desired position in the access list.
2.7.4. ACL Counters
For the following ACL types, ICOS provides a counter for every ACL rule applied on physical
interface, LAG, and VLAN, with no additional configuration:
IP standard ACLs
IP extended ACLs
IPv4 named ACLs
IPv6 named ACLs
MAC ACLs
These counter values can be viewed and reset using CLI show and clear commands for ACLs.
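Sequence-number placement, re-sequencing and per-rule counters from the three sections above, as an added Python model that is not ICOS code. The rule semantics (rules evaluated in sequence order, first match wins, an implicit deny when nothing matches) and the addresses are assumptions made for illustration, not statements about the switch.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclRule:
    seq: int          # sequence number: lower numbers are evaluated first
    action: str       # "permit" or "deny"
    protocol: str     # "ip" matches any protocol, otherwise "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    remark: str = ""  # free-text remark attached to the entry
    hits: int = 0     # per-rule counter


class NamedAcl:
    """Constructed model of a named IPv4 ACL."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[AclRule] = []

    def add(self, action: str, protocol: str, src: str, dst: str,
            seq: Optional[int] = None, remark: str = "") -> AclRule:
        # Without an explicit sequence number the rule is appended, 10 above
        # the current highest number; an explicit number places it anywhere.
        if seq is None:
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        rule = AclRule(seq, action, protocol,
                       ipaddress.ip_network(src), ipaddress.ip_network(dst), remark)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return rule

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Renumber rules evenly while preserving their relative order."""
        for i, rule in enumerate(self.rules):
            rule.seq = start + i * step

    def evaluate(self, protocol: str, src_ip: str, dst_ip: str) -> str:
        """First matching rule decides; its counter is incremented."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if rule.protocol not in ("ip", protocol):
                continue
            if src in rule.src and dst in rule.dst:
                rule.hits += 1
                return rule.action
        return "deny"  # implicit deny at the end of the list (assumption)

    def counters(self) -> dict:
        return {r.seq: r.hits for r in self.rules}

    def clear_counters(self) -> None:
        for r in self.rules:
            r.hits = 0


def build_example_acl() -> NamedAcl:
    """Constructed list: rules 10 and 20 are appended, then a rule is inserted
    between them by giving it sequence number 15."""
    acl = NamedAcl("MGMT-IN")
    acl.add("permit", "tcp", "10.27.20.0/22", "0.0.0.0/0", remark="management subnet")
    acl.add("deny", "ip", "10.0.0.0/8", "0.0.0.0/0")
    acl.add("permit", "udp", "10.27.21.0/24", "0.0.0.0/0", seq=15, remark="SNMP pollers")
    return acl
```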
2.7.5. Differentiated Services (DiffServ)
The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and
given certain QoS treatment in accordance with defined per-hop behaviors. ICOS software
supports both IPv4 and IPv6 packet classification.
2.7.6. Class of Service (CoS)
The Class Of Service (CoS) queueing feature lets you directly configure certain aspects of switch
queuing. This provides the desired QoS behavior for different types of network traffic when the
complexities of DiffServ are not required. CoS queue characteristics, such as minimum
guaranteed bandwidth and transmission rate shaping, are configurable at the queue (or port) level.
Chapter 3. Getting Started with Switch Configuration
3.1. Accessing the Switch Command-Line Interface
The command-line interface (CLI) provides a text-based way to manage and monitor the switch
features. You can access the CLI by using a direct connection to the console port or by using a
Telnet or SSH client.
To access the switch by using Telnet or Secure Shell (SSH), the switch must have an IP address
configured on either the service port or the network interface, and the management station you
use to access the device must be able to ping the switch IP address. DHCP is enabled by default
on the service port. It is disabled on the network interface.
By default, entry into Privileged EXEC mode requires a password for Telnet and SSH
access methods, and if the correct password is not supplied access is denied. Because
no password is configured by default, access is always denied. For information about
changing the default settings for Telnet and SSH access methods, see Section 5.1.4,
“Configuring and Applying Authentication Profiles”.
3.1.1. Connecting to the Switch Console
To connect to the switch and configure or view network information, use the following steps:
1. Using a straight-through modem cable, connect a VT100/ANSI terminal or a workstation to the
console (serial) port. If you attached a PC, Apple, or UNIX workstation, start a terminal-emulation
program, such as PuTTY, HyperTerminal or TeraTerm.
2. Configure the terminal-emulation program to use the following settings:
Baud rate: 115200 bps
Data bits: 8
Parity: none
Stop bit: 1
Flow control: none
3. Power on the switch. For information about the boot process, including how to access the boot
menu, see Section 3.4, “Booting the Switch”. After the system completes the boot cycle, the
User: prompt appears.
4. At the User: prompt, type admin and press ENTER. The Password: prompt appears.
5. There is no default password. Press ENTER at the password prompt if you did not change the
default password. After a successful login, the screen shows the system prompt, for example
(Routing) >.
6. At the (Routing) > prompt, enter enable to enter the Privileged EXEC command mode.
7. There is no default password to enter Privileged EXEC mode. Press ENTER at the password
prompt if you did not change the default password. The command prompt changes to (Routing) #.
8. To view service port network information, type show serviceport and press ENTER.
(Routing) #show serviceport
Interface Status............................... Up
IP Address ..................................... 10.27.21.33
Subnet Mask. ................................... 255.255.252.0
Default Gateway ................................ 10.27.20.1
IPv6 Administrative Mode....................... Enabled
IPv6 Prefix is ................................ fe80::210:18ff:fe82:157c/64
Configured IPv4 Protocol....................... DHCP
Configured IPv6 Protocol....................... None
IPv6 AutoConfig Mode........................... Disabled
Burned In MAC Address.......................... 00:10:18:82:15:7C
By default, the DHCP client on the service port is enabled. If your network has a DHCP server,
then you need only to connect the switch service port to your management network to allow the
switch to acquire basic network information.
3.2. Accessing the Switch CLI Through the Network
Remote management of the switch is available through the service port or through the network
interface. To use telnet, SSH, or SNMP for switch management, the switch must be connected to
the network, and you must know the IP or IPv6 address of the management interface. The switch
has no IP address by default. The DHCP client on the service port is enabled, and the DHCP client
on the network interface is disabled.
After you configure or view network information, configure the authentication profile for telnet or
SSH (see Section 5.1.4, “Configuring and Applying Authentication Profiles”) and physically and
logically connect the switch to the network, you can manage and monitor the switch remotely. You
can also continue to manage the switch through the terminal interface via the console port.
3.2.1. Using the Service Port or Network Interface for Remote Management
The service port is a dedicated Ethernet port for out-of-band management. Broadcom
recommends that you use the service port to manage the switch. Traffic on this port is segregated from
operational network traffic on the switch ports and cannot be switched or routed to the operational
network. Additionally, if the production network is experiencing problems, the service port still
allows you to access the switch management interface and troubleshoot issues. Configuration
options on the service port are limited, which makes it difficult to accidentally cut off management
access to the switch.
Alternatively, you can choose to manage the switch through the production network, which is
known as in-band management. Because in-band management traffic is mixed in with production
network traffic, it is subject to all of the filtering rules usually applied on a switched/routed port such
as ACLs and VLAN tagging. You can access the in-band network management interface through a
connection to any front-panel port.
3.2.2. Configuring Service Port Information
To disable DHCP/BOOTP and manually assign an IPv4 address, enter:
serviceport protocol none
serviceport ip ipaddress netmask [gateway]
For example, serviceport ip 192.168.2.23 255.255.255.0 192.168.2.1
To disable DHCP/BOOTP and manually assign an IPv6 address and (optionally) default gateway,
enter:
serviceport protocol none
serviceport ipv6 address address/prefix-length [eui64]
serviceport ipv6 gateway gateway
To view the assigned or configured network address, enter:
show serviceport
To enable the DHCP client on the service port, enter:
serviceport protocol dhcp
To enable the BOOTP client on the service port, enter:
serviceport protocol bootp
3.2.3. Configuring the In-Band Network Interface
To use a DHCP server to obtain the IP address, subnet mask, and default gateway information,
enter:
network protocol dhcp
To use a BOOTP server to obtain the IP address, subnet mask, and default gateway information,
enter:
network protocol bootp
To manually configure the IPv4 address, subnet mask, and (optionally) default gateway, enter:
network parms ipaddress netmask [gateway]
For example, network parms 192.168.2.23 255.255.255.0 192.168.2.1
To manually configure the IPv6 address, subnet mask, and (optionally) default gateway, enter:
network ipv6 address address/prefix-length [eui64]
network ipv6 gateway gateway
To view the network information, enter:
show network
To save these changes so they are retained during a switch reset, enter the following command:
copy system:running-config nvram:startup-config
3.3. DHCP Option 61
DHCP Option 61 (Client Identifier) allows the DHCP server to be configured to provide an IP
address to a switch based on its Media Access Control (MAC) address or an ID entered into the
system. DHCP servers use this value to index their database of address bindings. This value is
expected to be unique for all clients in an administrative domain. This option allows the system to
move from one part of the network to another while maintaining the same IP address.
The DHCP Client Identifier (Option 61) is used by DHCP clients to specify their unique identifier. The
client identifier option is optional and can be specified while configuring DHCP on the
interfaces. DHCP Option 61 is enabled by default.
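The option 61 encoding and the server-side binding lookup described above, as an added Python example that is not ICOS code. The identifier formats follow RFC 2132 (type 1 plus a MAC, or type 0 plus an administrator-entered ID), the "prefer option 61, else the hardware address" rule follows RFC 2131, and the tag prefixes on the binding key plus the sample identifiers are constructed.

```python
DHCP_OPT_CLIENT_ID = 61
DHCP_OPT_PAD, DHCP_OPT_END = 0, 255
HTYPE_ETHERNET = 1   # hardware type for an Ethernet MAC (RFC 2132, section 9.14)
HTYPE_NONE = 0       # type 0: the identifier is not a hardware address


def encode_client_id_mac(mac: str) -> bytes:
    """Option 61 TLV for a MAC-based client identifier: 61, 7, 1, <6 MAC octets>."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 6-octet MAC address")
    value = bytes([HTYPE_ETHERNET]) + octets
    return bytes([DHCP_OPT_CLIENT_ID, len(value)]) + value


def encode_client_id_text(ident: str) -> bytes:
    """Option 61 TLV for an administrator-entered identifier (type 0 + ASCII)."""
    value = bytes([HTYPE_NONE]) + ident.encode("ascii")
    if not 2 <= len(value) <= 255:
        raise ValueError("client identifier must be 2..255 octets")
    return bytes([DHCP_OPT_CLIENT_ID, len(value)]) + value


def parse_options(options: bytes) -> dict:
    """Parse the DHCP options area (after the magic cookie) into {code: value}.
    A TLV whose declared length runs past the buffer is rejected rather than
    silently truncated."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        if code == DHCP_OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declared length {length} exceeds buffer")
        out[code] = value
        i += 2 + length
    return out


def binding_key(chaddr: bytes, options: bytes) -> bytes:
    """Key under which a server indexes its address bindings: the client
    identifier when option 61 is present, otherwise the hardware address
    (RFC 2131, section 4.2). The tag prefix is a constructed convention that
    keeps the two key spaces from colliding."""
    cid = parse_options(options).get(DHCP_OPT_CLIENT_ID)
    if cid is not None:
        if len(cid) < 2:
            raise ValueError("client identifier must be at least 2 octets")
        return b"id:" + cid
    return b"hw:" + chaddr
```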
3.3.1. Configuring DHCP Option 61
Configuring the DHCP with client-id (option 61) differs depending on the port or interface. Refer to
the information below:
Service Port:
To enable DHCP with client-id (option 61) on the service port, issue the following command:
(Routing) #serviceport protocol dhcp client-id
Network Port:
To enable DHCP with client-id (option 61) on the network port, issue the following command:
(Routing) #network protocol dhcp client-id
Routing Enabled Interface:
To enable DHCP with client-id (option 61) on the routing enabled interface, issue the following
command in interface configuration mode.
(Routing) (Interface 0/1)#ip address dhcp client-id
Physical Interface:
To enable DHCP with client-id (option 61) on the physical interface, issue the commands as
shown below:
(Routing) #config
(Routing) (Config)#interface 0/4
(Routing) (Interface 0/4)#ip address dhcp client-id
VLAN Interface:
To enable DHCP with client-id (option 61) on the VLAN interface, issue the commands as
shown below:
(Routing) #config
(Routing) (Config)#interface vlan 10
(Routing) (Interface vlan 10)#ip address dhcp client-id
3.4. Booting the Switch
When the power is turned on with the local terminal already connected, the switch goes through
Power-On Self-Test (POST). POST runs every time the switch is initialized and checks hardware
components to determine if the switch is fully operational before completely booting.
If a critical problem is detected, the program flow stops. If POST passes successfully, a valid
executable image is loaded into RAM.
POST messages are displayed on the terminal and indicate test success or failure.
To view the text that prints to the screen during the boot process, perform the following steps:
1. Make sure that the serial cable is connected to the terminal.
2. Connect the power supply to the switch.
3. Power on the switch. As the switch boots, the boot-up test first counts the switch memory
availability and then continues to boot.
4. During boot, you can use the Utility menu, if necessary, to run special procedures. To enter the
Boot menu, press 2 within the first five seconds after the following message appears.
Select startup mode. If no selection is made within 5 seconds,
the FASTPATH Application will start automatically...
FASTPATH Startup -- Main Menu
1 - Start FASTPATH Application
2 - Display Utility Menu Select (1, 2):
For information about the Boot menu, see Section 3.4.1, “Utility Menu Functions”.
5. If you do not start the boot menu, the operational code continues to load.
After the switch boots successfully, the User login prompt appears and you can use the local
terminal to begin configuring the switch. However, before configuring the switch, make sure that the
software version installed on the switch is the latest version.
3.4.1. Utility Menu Functions
Utility menu functions vary on different platforms. The following example might not
represent the options available on your platform.
You can perform many configuration tasks through the Utility menu, which can be invoked after the
first part of the POST is completed.
To display the Utility menu, boot the switch and observe the output that prints to the screen. After
various system initialization information displays, the following message appears:
FASTPATH Startup Rev: 8.2
Select startup mode. If no selection is made within 5 seconds, the
FASTPATH Application will start automatically...
FASTPATH Startup -- Main Menu
1 - Start FASTPATH Application
2 - Display Utility Menu Select (1, 2):
Press 2 within five seconds to start the Utility menu. If you do not press 2, the system loads
the operational code.
After you press 2 the following information appears:
FASTPATH Startup -- Utility Menu
1 - Start FASTPATH Application
2 - Load Code Update Package
3 - Load Configuration
4 - Select Serial Speed
5 - Retrieve Error Log
6 - Erase Current Configuration
7 - Erase Permanent Storage
8 - Select Boot Method
9 - Activate Backup Image
10 - Start Diagnostic Application
11 - Reboot
12 - Rease All Configuration Files
Q - Quit from FASTPATH Startup
Select option (1-12 or Q):
The following sections describe the Utility menu options.
3.4.1.1. 1 – Start ICOS Application
Use option 1 to resume loading the operational code. After you enter 1, the switch exits the Startup
Utility menu and the switch continues the boot process.
3.4.1.2. 2 – Load Code Update Package
Use option 2 to download a new software image to the switch to replace a corrupted image or to
update or upgrade the system software.
The switch is preloaded with ICOS software, so these procedures are needed only for upgrading
or downgrading to a different image.
You can use any of the following methods to download the image:
• TFTP
• XMODEM
• YMODEM
• ZMODEM
If you use TFTP to download the code, the switch must be connected to the network, and the code
to download must be located on the TFTP server.
When you use XMODEM, YMODEM, or ZMODEM to download the code, the code must be
located on an administrative system that has a console connection to the switch.
Use the following procedures to download an image to the switch by using TFTP:
1. From the Utility menu, select 2 and press ENTER. The switch creates a temporary directory and
prompts you to select the download method:
Creating tmpfs filesystem on tmpfs for download...done.
Select Mode of Transfer (Press T/X/Y/Z for TFTP/XMODEM/YMODEM/ZMODEM) []:
2. Enter T to download the image from a TFTP server to the switch.
3. Enter the IP address of the TFTP server where the new image is located, for example:
Enter Server IP []:192.168.1.115
4. Enter the desired IP address of the switch management interface, for example:
Enter Host IP []192.168.1.23
The switch uses the IP address, subnet mask, and default gateway information you specify for the
TFTP download process only. The switch automatically reboots after the process completes, and
this information is not saved.
5. Enter the subnet mask associated with the management interface IP address or press ENTER to
accept the default value, which is 255.255.255.0.
6. Optionally, enter the IP address of the default gateway for the switch management interface, for
example:
Enter Gateway IP []192.168.1.1
7. Enter the filename, including the file path (if it is not in the TFTP root directory), of the image to
download, for example:
Enter Filename[]images/image0630.stk
8. Confirm the information you entered and enter y to allow the switch to contact the TFTP server.
After the download completes, you are prompted to reboot the switch. The switch loads the image
during the next boot cycle.
Use the following procedures to download an image to the switch by using XMODEM, YMODEM,
or ZMODEM.
1. From the Utility menu, select 2 and press ENTER.
The switch creates a temporary directory and prompts you to select the download method:
Creating tmpfs filesystem on tmpfs for download...done.
Select Mode of Transfer (Press T/X/Y/Z for TFTP/XMODEM/YMODEM/ZMODEM) []:
2. Specify the protocol to use for the download.
Enter X to download the image by using the XMODEM file transfer protocol.
Enter Y to download the image by using the YMODEM file transfer protocol.
Enter Z to download the image by using the ZMODEM file transfer protocol.
3. When you are ready to transfer the file from the administrative system, enter y to continue.
Do you want to continue? Press(Y/N): y
4. From the terminal or terminal emulation application on the administrative system, initiate the file
transfer. For example, if you use HyperTerminal, use the following procedures:
a. From the HyperTerminal menu bar, click Transfer > Send File. The Send File window
displays.
b. Browse to the file to download and click Open to select it.
c. From the Protocol: field, select the protocol to use for the file transfer.
d. Click Send.
After you start the file transfer, the software is downloaded to the switch, which can take
several minutes. The terminal emulation application might display the loading process progress.
5. After software downloads, you are prompted to reboot the switch. The switch loads the image
during the next boot cycle.
3.4.1.3. 3 – Load Configuration
Use option 3 to download a new configuration that will replace the saved system configuration file.
You can use any of the following methods to download the configuration file:
• TFTP
• XMODEM
• YMODEM
• ZMODEM
Use the following procedures to download a configuration file to the switch.
1. From the Utility menu, select 3 and press ENTER.
2. Enter T to download the text-based configuration file to the switch.
3. Specify the protocol to use for the download.
4. Respond to the prompts to begin the file transfer.
The configuration file download procedures are very similar to the software image download
procedures. For more information about the prompts and how to respond, see Section 3.4.1.2, “2 –
Load Code Update Package”.
3.4.1.4. 4 – Select Serial Speed
Use option 4 to change the baud rate of the serial interface (console port) on the switch. When you
select option 4, the following information displays:
1 - 2400
2 - 4800
3 - 9600
4 - 19200
5 - 38400
6 - 57600
7 - 115200
8 - Exit without change
Select option (1-8):
To set the serial speed, enter the number that corresponds to the desired speed.
The selected baud rate takes effect immediately.
3.4.1.5. 5 – Retrieve Error Log
Use option 5 to retrieve the error log that is stored in nonvolatile memory and upload it from the
switch to your ASCII terminal or administrative system. You can use any of the following methods
to copy the error log to the system:
• TFTP
• XMODEM
• YMODEM
• ZMODEM
Use the following procedures to upload the error log from the switch:
1. From the Utility menu, select 5 and press ENTER.
2. Specify the protocol to use for the download.
3. Respond to the prompts to begin the file transfer.
If you use TFTP to upload the file from the switch to the TFTP server, the prompts and procedures
are very similar to the steps described for the TFTP software image download. For more information
about the prompts and how to respond, see Section 3.4.1.2, “2 – Load Code Update Package”.
If you use XMODEM, YMODEM, or ZMODEM to transfer the file, configure t