Fastiron 08070 L3guide PDF
Export Restrictions
These products and associated technical data (in print or electronic form) may be subject to export control laws of the United
States of America. It is your responsibility to determine the applicable regulations and to comply with them. The following notice
is applicable for all products or technology subject to export control:
These items are controlled by the U.S. Government and authorized for export only to the country of ultimate destination for use by the
ultimate consignee or end-user(s) herein identified. They may not be resold, transferred, or otherwise disposed of, to any other country
or to any person other than the authorized ultimate consignee or end-user(s), either in their original form or after being incorporated
into other items, without first obtaining approval from the U.S. government or as otherwise authorized by U.S. law and regulations.
Disclaimer
THIS CONTENT AND ASSOCIATED PRODUCTS OR SERVICES ("MATERIALS"), ARE PROVIDED "AS IS" AND WITHOUT WARRANTIES OF
ANY KIND, WHETHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW, ARRIS
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, FREEDOM FROM COMPUTER VIRUS,
AND WARRANTIES ARISING FROM COURSE OF DEALING OR COURSE OF PERFORMANCE. ARRIS does not represent or warrant
that the functions described or contained in the Materials will be uninterrupted or error-free, that defects will be corrected, or
are free of viruses or other harmful components. ARRIS does not make any warranties or representations regarding the use of
the Materials in terms of their completeness, correctness, accuracy, adequacy, usefulness, timeliness, reliability or otherwise. As
a condition of your use of the Materials, you warrant to ARRIS that you will not make use thereof for any purpose that is unlawful
or prohibited by their associated terms of use.
Limitation of Liability
IN NO EVENT SHALL ARRIS, ARRIS AFFILIATES, OR THEIR OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS, LICENSORS
AND THIRD PARTY PARTNERS, BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, EXEMPLARY OR
CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER, EVEN IF ARRIS HAS BEEN PREVIOUSLY ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES, WHETHER IN AN ACTION UNDER CONTRACT, TORT, OR ANY OTHER THEORY ARISING FROM
YOUR ACCESS TO, OR USE OF, THE MATERIALS. Because some jurisdictions do not allow limitations on how long an implied
warranty lasts, or the exclusion or limitation of liability for consequential or incidental damages, some of the above limitations
may not apply to you.
Trademarks
ARRIS, the ARRIS logo, Ruckus, Ruckus Wireless, Ruckus Networks, Ruckus logo, the Big Dog design, BeamFlex, ChannelFly,
EdgeIron, FastIron, HyperEdge, ICX, IronPoint, OPENG, SmartCell, Unleashed, Xclaim, ZoneFlex are trademarks of ARRIS
International plc and/or its affiliates. Wi-Fi Alliance, Wi-Fi, the Wi-Fi logo, the Wi-Fi CERTIFIED logo, Wi-Fi Protected Access (WPA),
the Wi-Fi Protected Setup logo, and WMM are registered trademarks of Wi-Fi Alliance. Wi-Fi Protected Setup™, Wi-Fi Multimedia™,
and WPA2™ are trademarks of Wi-Fi Alliance. All other trademarks are the property of their respective owners.
IP Addressing
IP configuration overview
Full Layer 3 support
IP interfaces
IP packet flow through a Layer 3 device
IP route exchange protocols
IP multicast protocols
IP interface redundancy protocols
RIP
RIP overview
Overview of RIP route learning and advertising parameters
Redistribution of routes into RIP
Enabling RIP and configuring global parameters
Configuring RIP interfaces
Displaying RIP Information
RIPng
RIPng Overview
RIPng configuration overview
RIPng timers
RIPng route loop prevention
RIPng route learning and advertisement
Route redistribution into RIPng
Applying filters to RIPng route redistribution
Enabling RIPng and configuring global parameters
OSPFv2
OSPFv2 overview
Autonomous System
OSPFv2 components and roles
Area Border Routers
Autonomous System Boundary Routers
Designated routers
Reduction of equivalent AS external LSAs
Algorithm for AS external LSA reduction
Enabling OSPFv2
Backbone area
Assigning OSPFv2 areas
Area range
Assigning an area range
Area types
Stub area and totally stubby area
Disabling summary LSAs for a stub area
Not-so-stubby area (NSSA)
Configuring an NSSA
Configuring a summary-address for the NSSA
Assigning interfaces to an area
Link state advertisements
Virtual links
Configuring virtual links
Default route origination
External route summarization
SPF timers
Modifying Shortest Path First timers
OSPFv2 administrative distance
OSPFv2 LSA refreshes
Configuring the OSPFv2 LSA pacing interval
Support for OSPF RFC 2328 Appendix E
OSPFv2 graceful restart
Disabling OSPFv2 graceful restart
Re-enabling OSPFv2 graceful restart
Disabling OSPFv2 graceful restart helper
OSPFv2 stub router advertisement
OSPFv2 Shortest Path First throttling
IETF RFC and internet draft support
OSPFv2 non-stop routing
Limitations of NSR
Enabling OSPFv2 NSR
Synchronization of critical OSPFv2 elements
Link state database synchronization
LSA delayed acknowledging
LSA syncing and packing
Neighbor device synchronization
OSPFv3
OSPFv3 overview
Configuring the router ID
Enabling OSPFv3
Configuring OSPFv3
OSPFv3 areas
Backbone area
Area range
Area types
Assigning OSPFv3 areas
Assigning OSPFv3 areas to interfaces
Stub area and totally stubby area
Configuring a stub area
Not-so-stubby area
Configuring an NSSA
LSA types for OSPFv3
Virtual links
Virtual link source address assignment
Configuring virtual links
OSPFv3 route redistribution
Redistributing routes into OSPFv3
Default route origination
Configuring default external routes
Disabling and re-enabling OSPFv3 event logging
Filtering OSPFv3 routes
Configuring an OSPFv3 distribution list using an IPv6 prefix list as input
BGP4
BGP4 overview
BGP4 peering
BGP4 message types
OPEN message
UPDATE message
NOTIFICATION message
KEEPALIVE message
REFRESH message
BGP4 attributes
BGP4 best path selection algorithm
Implementation of BGP4
Device ID
BGP global mode
Configuring a local AS number
Neighbor configuration
Configuring BGP4 neighbors
Peer groups
Configuring BGP4 peer groups
Advertising the default BGP4 route
Four-byte AS numbers
Cooperative BGP4 route filtering
BGP4 parameters
Route redistribution
Redistributing routes into BGP4
Advertised networks
Importing routes into BGP4
Route reflection
BGP4+
BGP4+ overview
BGP global mode
IPv6 unicast address family
BGP4+ neighbors
Configuring BGP4+ neighbors using global IPv6 addresses
Configuring BGP4+ neighbors using link-local addresses
BGP4+ peer groups
Configuring BGP4+ peer groups
Configuring a peer group with IPv4 and IPv6 peers
Importing routes into BGP4+
Advertising the default BGP4+ route
Advertising the default BGP4+ route to a specific neighbor
Using the IPv6 default route as a valid next hop for a BGP4+ route
BGP4+ next hop recursion
Enabling next-hop recursion
VRRPv2
VRRPv2 overview
VRRP terminology
VRRP limitations on ICX devices
VRRP hold timer
VRRP interval timers
VRRP authentication
VRRP master device abdication to backup device
ARP and VRRP control packets
Enabling an owner VRRP device
Enabling a backup VRRP device
Configuring simple text authentication on VRRP interfaces
Configuring MD5 authentication on VRRP interfaces
Abdicating VRRP master device status
Tracked ports and track priority with VRRP and VRRP-E
Tracking ports and setting the VRRP priority
VRRP backup preemption
Disabling VRRP backup preemption
Accept mode for backup VRRP devices
Enabling accept mode on a backup VRRP device
Suppressing RIP route advertisements on VRRP backup devices
VRRPv3............................................................................................................................................................................................... 395
VRRPv3 overview..................................................................................................................................................................................... 395
VRRP limitations on ICX devices..................................................................................................................................................... 396
Enabling an IPv6 VRRPv3 owner device................................................................................................................................................ 396
Enabling an IPv6 VRRPv3 backup device.............................................................................................................................................. 397
Enabling an IPv4 VRRPv3 owner device................................................................................................................................................ 398
Enabling an IPv4 VRRPv3 backup device.............................................................................................................................................. 400
Tracked ports and track priority with VRRP and VRRP-E.....................................................................................................................401
Tracking ports and setting VRRP priority using VRRPv3.............................................................................................................. 401
Accept mode for backup VRRP devices................................................................................................................................................ 402
Enabling accept mode on a backup VRRP device........................................................................................................................ 402
Alternate VRRPv2 checksum for VRRPv3 IPv4 sessions...................................................................................................................... 404
Enabling the VRRPv2 checksum computation method in a VRRPv3 IPv4 session................................................................... 405
Displaying alternate VRRPv2 checksum settings......................................................................................................................... 406
Automatic generation of a virtual link-local address for VRRPv3...................................................................................................... 406
Assigning an auto-generated link-local IPv6 address for a VRRPv3 cluster.............................................................................. 407
Displaying VRRPv3 statistics...................................................................................................................................................................408
Clearing VRRPv3 statistics...................................................................................................................................................................... 409
VRRP-Ev3 Overview................................................................................................................................................................................. 409
Enabling an IPv6 VRRP-Ev3 device.........................................................................................................................................................410
Displaying and clearing VRRP-Ev3 statistics......................................................................................................................................... 411
Multi-VRF........................................................................................................................................................................................... 413
Multi-VRF overview.................................................................................................................................................................................. 413
FastIron considerations for Multi-VRF........................................................................................................................................... 415
VRF-related system-max values..................................................................................................................................................... 415
Additional features to support Multi-VRF..................................................................................................................................... 418
Configuring Multi-VRF............................................................................................................................................................................. 419
Configuring VRF system-max values ............................................................................................................................................ 419
Creating VLANs as links on a tagged port for security................................................................................................................ 420
Configuring a VRF instance............................................................................................................................................................. 421
Starting a routing process for a VRF.............................................................................................................................................. 421
Assigning a Layer 3 interface to a VRF...........................................................................................................................................422
Assigning a loopback interface to a VRF....................................................................................................................................... 423
Verifying a Multi-VRF configuration............................................................................................................................................... 423
Removing a VRF configuration....................................................................................................................................................... 424
Configuring static ARP for Multi-VRF............................................................................................................................................. 425
Document Conventions
The following tables list the text and notice conventions that are used throughout this guide.
NOTE
A NOTE provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related
information.
CAUTION
A CAUTION statement alerts you to situations that can be potentially hazardous to you or cause damage to
hardware, firmware, software, or data.
DANGER
A DANGER statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you.
Safety labels are also attached directly to products to warn of these conditions or situations.
Convention    Description
bold text     Identifies command names, keywords, and command options.
italic text   Identifies a variable.
[]            Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets.
{x|y|z}       A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
x|y           A vertical bar separates mutually exclusive elements.
<>            Nonprinting characters, for example, passwords, are enclosed in angle brackets.
...           Repeat the previous element, for example, member[member...].
\             Indicates a “soft” line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.
Document Feedback
Ruckus is interested in improving its documentation and welcomes your comments and suggestions.
White papers, data sheets, and other product documentation are available at https://www.ruckuswireless.com.
For product support information and details on contacting the Support Team, go directly to the Support Portal using https://
support.ruckuswireless.com, or go to https://www.ruckuswireless.com and select Support.
Open a Case
When your entire network is down (P1), or severely impacted (P2), call the appropriate telephone number listed below to get
help:
• Continental United States: 1-855-782-5871
• Canada: 1-855-782-5871
• Europe, Middle East, Africa, and Asia Pacific, toll-free numbers are available at https://support.ruckuswireless.com/
contact-us and Live Chat is also available.
Self-Service Resources
The Support Portal at https://support.ruckuswireless.com/contact-us offers a number of tools to help you to research and
resolve problems with your Ruckus products, including:
• Technical Documentation—https://support.ruckuswireless.com/documents
• Community Forums—https://forums.ruckuswireless.com/ruckuswireless/categories
• Knowledge Base Articles—https://support.ruckuswireless.com/answers
Using these resources will help you to resolve some issues, and will provide TAC with additional data from your troubleshooting
analysis if you still require assistance through a support case or RMA. If you still require help, open and manage your case at
https://support.ruckuswireless.com/case_management
ARP/Nexthop port move syslog disable
  Whenever a port, on which a MAC address for an ARP is learnt, is moved to a different port, syslog is generated by default. The default behavior can be disabled and prevent syslogs from being generated with every port movement for ARP entries.
  Refer to Disabling next hop or ARP port movement syslog message generation on page 26.
User-configurable MAC address
  Multicast communication is now supported on a user-configured MAC address.
  Refer to User-configurable MAC address per IP interface on page 103
OSPFv2 and OSPFv3 authentication
  Authentication options and commands for OSPFv2 and OSPFv3 expanded to include support for security standards such as FIPS.
  Refer to OSPFv2 authentication on page 247 and OSPFv3 authentication on page 280
Updated content for defect fix
  Replaced the “Configuring a link-local IPv6 address on an interface” section with two sections (rewritten for clarity):
  • Enabling IPv6 on an interface
  • Configuring a link-local IPv6 address on an interface
  Refer to
  • Enabling IPv6 on an interface on page 134
  • Configuring a link-local IPv6 address on an interface on page 134
Updated content for defect fix
  Added a table indicating GR support to the following sections:
  • OSPFv2 graceful restart
  • OSPFv3 graceful restart helper
  Refer to
  • OSPFv2 graceful restart on page 232
  • OSPFv3 graceful restart helper on page 278
Updated content for defect fix
  The accept mode functionality enables a VRRP nonowner master device to respond to ping, Telnet, and traceroute packets, but the device will not respond to SSH packets. When the device acting as the master device is not the IP address owner (the device with the interface whose actual IP address is used as the virtual device's IP address), the master device accepts only the ARP packets sent to the virtual IP address. When accept mode is configured, the master device responds to ping, TELNET, and traceroute packets sent to the virtual IP address even when the master device is not the IP address owner.
  Refer to Accept mode for backup VRRP devices on page 379
Minor editorial updates
  Minor editorial updates were made throughout the Configuration Guide.
  All chapters.
Supported hardware
This guide supports the following Ruckus products:
• Ruckus ICX 7750 Series
• Ruckus ICX 7650 Series
• Ruckus ICX 7450 Series
• Ruckus ICX 7250 Series
• Ruckus ICX 7150 Series
For information about what models and modules these devices support, see the hardware installation guide for the specific
product family.
NOTE
Ruckus Layer 2 switches also support ARP. However, the configuration options described later in this section apply only
to Layer 3 switches, not to Layer 2 switches.
The Layer 3 switch encapsulates IP packets in Layer 2 packets regardless of whether the ultimate destination is locally attached
or is multiple router hops away. Because the Layer 3 switch IP route table and IP forwarding cache contain IP address
information but not MAC address information, the Layer 3 switch cannot forward IP packets based solely on the information in
the route table or forwarding cache. The Layer 3 switch needs to know the MAC address that corresponds with the IP address of
either the packet's locally attached destination or the next-hop router that leads to the destination.
For example, to forward a packet whose destination is multiple router hops away, the Layer 3 switch must send the packet to the
next-hop router toward its destination, or to a default route or default network route if the IP route table does not contain a
route to the packet destination. In each case, the Layer 3 switch must encapsulate the packet and address it to the MAC address
of a locally attached device, the next-hop router toward the IP packet destination.
To obtain the MAC address required for forwarding a datagram, the Layer 3 switch first looks in the ARP cache (not the static ARP
table) for an entry that lists the MAC address for the IP address. The ARP cache maps IP addresses to MAC addresses. The cache
also lists the port attached to the device and, if the entry is dynamic, the age of the entry. A dynamic ARP entry enters the cache
when the Layer 3 switch receives an ARP reply or receives an ARP request (which contains the sender IP address and MAC
address). A static entry enters the ARP cache from the separate static ARP table when the interface for the entry comes up.
To ensure the accuracy of the ARP cache, each dynamic entry has its own age timer. The timer is reset to zero each time the
Layer 3 switch receives an ARP reply or ARP request containing the IP address and MAC address of the entry. If a dynamic entry
reaches its maximum allowable age, the entry times out and the software removes the entry from the table. Static entries do not
age out and can be removed only by you.
If the ARP cache does not contain an entry for the destination IP address, the Layer 3 switch broadcasts an ARP request out all its
IP interfaces. The ARP request contains the IP address of the destination. If the device with the IP address is directly attached to
the Layer 3 switch, the device sends an ARP response containing its MAC address. The response is a unicast packet addressed
directly to the Layer 3 switch. The Layer 3 switch places the information from the ARP response into the ARP cache.
ARP requests contain the IP address and MAC address of the sender, so all devices that receive the request learn the MAC
address and IP address of the sender and can update their own ARP caches accordingly.
NOTE
The ARP request broadcast is a MAC broadcast, which means the broadcast goes only to devices that are directly
attached to the Layer 3 switch. A MAC broadcast is not routed to other networks. However, some routers, including
Ruckus Layer 3 switches, can be configured to reply to ARP requests from one network on behalf of devices on another
network.
NOTE
If the router receives an ARP request packet that it is unable to deliver to the final destination because of the ARP
timeout and no ARP response is received (the Layer 3 switch knows of no route to the destination address), the router
sends an ICMP Host Unreachable message to the source.
If Device A wants to communicate with Device B, knowing the IP address of Device B is not sufficient; the MAC address is also
required. ARP supplies the MAC address.
This command configures the device to accept up to 100 ARP packets each second. If the device receives more than 100 ARP
packets during a one-second interval, the device drops the additional ARP packets during the remainder of that one-second
interval.
The num variable specifies the number of ARP packets and can be from 0 through 100. If you specify 0, the device will not accept
any ARP packets.
NOTE
If you want to change a previously configured ARP rate limiting policy, you must remove the previously configured
policy using the no rate-limit-arp command before entering the new policy.
NOTE
Host devices connected to an ICX 7750 that also have a valid IP address and reply periodically to the ARP request are not
timed out, even if no traffic is destined for the device. This behavior is restricted to only ICX 7750 devices.
To globally change the ARP aging parameter to 20 minutes, enter the ip arp-age command.
device(config)# ip arp-age 20
The num parameter specifies the number of minutes, which can be from 0 through 240. The default is 10. If you specify 0, aging
is disabled.
To override the globally configured IP ARP age on an individual interface, enter the ip arp-age command followed by the new
value at the interface configuration level.
device(config-if-e1000-1/1/1)# ip arp-age 30
For example, if Proxy ARP is enabled on a Layer 3 switch connected to two subnets, 10.10.10.0/24 and 10.20.20.0/24, the Layer 3
switch can respond to an ARP request from 10.10.10.69 for the MAC address of the device with IP address 10.20.20.69. In
standard ARP, a request from a device in the 10.10.10.0/24 subnet cannot reach a device in the 10.20.20.0 subnet if the subnets
are on different network cables, and thus is not answered.
NOTE
An ARP request from one subnet can reach another subnet when both subnets are on the same physical segment
(Ethernet cable), because MAC-layer broadcasts reach all the devices on the segment.
Proxy ARP is disabled by default on Ruckus Layer 3 switches. This feature is not supported on Ruckus Layer 2 switches.
You can enable proxy ARP at the Interface level, as well as at the Global CONFIG level, of the CLI.
NOTE
Configuring proxy ARP at the Interface level overrides the global configuration.
device(config)# ip proxy-arp
To again disable IP proxy ARP on a global basis, enter the no ip proxy-arp command.
device(config)# no ip proxy-arp
NOTE
By default, gratuitous ARP is disabled for local proxy ARP.
Ruckus Layer 3 switches have a static ARP table, in addition to the regular ARP cache. Unlike static ARP entries, dynamic ARP
entries are removed from the ARP cache if the ARP aging interval expires before the entry is refreshed. Static entries do not age
out, regardless of whether the Ruckus device receives an ARP request from the device that has the entry address.
NOTE
You cannot create static ARP entries on a Layer 2 switch.
The maximum number of static ARP entries you can configure depends on the software version running on the device.
The num variable specifies the entry number. You can specify a number from 1 up to the maximum number of static entries
allowed on the device.
The ip-addr variable specifies the IP address of the device that has the MAC address of the entry.
Changing the maximum number of entries the static ARP table can hold
NOTE
The basic procedure for changing the static ARP table size is the same as the procedure for changing other configurable
cache or table sizes.
To increase the maximum number of static ARP table entries you can configure on a Ruckus Layer 3 switch, enter commands
such as the following at the global CONFIG level of the CLI.
NOTE
You must save the configuration to the startup-config file and reload the software after changing the static ARP table
size to place the change into effect.
The num variable indicates the maximum number of static ARP entries and can be within one of these ranges, depending on the
software version running on the device.
A new ARP entry is created when a gratuitous ARP packet is received. If the ARP entry already exists, it is updated with the new
content.
To enable learning gratuitous ARP, enter the following command at the device configuration level.
Use the show run command to see whether ARP is enabled or disabled. Use the show arp command to see the newly learned
ARP entries.
Use the clear arp command to clear learned ARP entries. Static ARP entries are not removed.
This may cause flooding of the syslog server or console with syslog messages in certain deployments where next hop or ARP port
movement occurs continuously. In such scenarios, the default behavior can be disabled and syslog messages can be prevented
from being generated with every port movement for ARP entries using the no ip arp port-move-syslog command.
The status of the nexthop or ARP port movement syslog message (enabled or disabled) can be viewed in the output of the show
ip command.
The following example shows sample output of the show ip command in which the status of the next hop or ARP port
movement syslog message (enabled) is displayed.
device(config)# show ip
ttl: 64, arp-age: 10, bootp-relay-max-hops: 4
router-id : 10.1.1.1
enabled : BGP4 UDP-Broadcast-Forwarding Source-Route Load-Sharing RARP VSRP
arp-port-move-syslog
disabled: Route-Only Directed-Broadcast-Forwarding IRDP Proxy-ARP RIP OSPF
VRRP VRRP-Extended ICMP-Redirect add-host-route-first
The following example shows sample output of the show ip command in which the status of the next hop or ARP port
movement syslog message (disabled) is displayed.
2. Enter the ip arp inspection validate command followed by one or more of the available options to perform a check on
incoming ARP packets.
• dst-mac
The destination MAC address in the Ethernet header must match the target hardware address in the body of ARP
response packets. Packets with different MAC addresses are classified as invalid and are dropped.
• src-mac
The source MAC address in the Ethernet header must match the sender hardware address in the body of ARP
request and response packets. Packets with different MAC addresses are classified as invalid and are dropped.
• ip
Each ARP packet must have a valid sender IP address and target IP address. In ARP response packets, the target IP
address cannot be an invalid or unexpected IP address. The sender IP address cannot be an invalid or unexpected IP
address in ARP request or response packets. Invalid and unexpected addresses include 0.0.0.0, 255.255.255.255, and
all IP multicast addresses. Packets with invalid and unexpected IP addresses are classified as invalid and are dropped.
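The three validate options listed above, applied to raw frames, as an added Python example (not Ruckus code or CLI output). It parses untagged Ethernet II ARP frames and applies the dst-mac, src-mac, and ip checks as this section words them; the function names and the sample frames are constructed for illustration.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ALL_CHECKS = ("dst-mac", "src-mac", "ip")


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    if oper not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("opcode is neither request nor reply")
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
        "sender_mac": sha, "sender_ip": ipaddress.IPv4Address(spa),
        "target_mac": tha, "target_ip": ipaddress.IPv4Address(tpa),
    }


def is_invalid_ip(addr: ipaddress.IPv4Address) -> bool:
    """0.0.0.0, 255.255.255.255 and IP multicast, as listed for the ip option."""
    return int(addr) in (0, 0xFFFFFFFF) or addr.is_multicast


def validate(frame: bytes, checks=ALL_CHECKS) -> list:
    """Return the enabled checks this frame fails; an empty list means forward."""
    p = parse_arp_frame(frame)
    is_reply = p["oper"] == ARP_REPLY
    failed = []
    # dst-mac: responses only, Ethernet destination vs. target hardware address
    if "dst-mac" in checks and is_reply and p["eth_dst"] != p["target_mac"]:
        failed.append("dst-mac")
    # src-mac: requests and responses, Ethernet source vs. sender hardware address
    if "src-mac" in checks and p["eth_src"] != p["sender_mac"]:
        failed.append("src-mac")
    # ip: sender IP checked in every packet, target IP checked in responses
    if "ip" in checks and (is_invalid_ip(p["sender_ip"])
                           or (is_reply and is_invalid_ip(p["target_ip"]))):
        failed.append("ip")
    return failed


def sample_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed test frame from hex MACs and dotted-quad IPs."""
    mac = bytes.fromhex
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), 0x0806)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                          mac(sha), ip(spa), mac(tha), ip(tpa)))


# Constructed addresses and frames (not captured traffic).
HOST, GATEWAY, OTHER = "000000020003", "000000010001", "000000aabbcc"
BCAST, ZERO = "ffffffffffff", "000000000000"
SAMPLES = {
    "consistent_request": sample_frame(
        BCAST, HOST, ARP_REQUEST, HOST, "10.20.20.12", ZERO, "10.20.20.1"),
    "reply_src_mismatch": sample_frame(
        HOST, OTHER, ARP_REPLY, GATEWAY, "10.20.20.1", HOST, "10.20.20.12"),
    "broadcast_reply_multicast_sender": sample_frame(
        BCAST, OTHER, ARP_REPLY, OTHER, "224.0.0.5", HOST, "10.20.20.12"),
    "request_sender_zero": sample_frame(
        BCAST, HOST, ARP_REQUEST, HOST, "0.0.0.0", ZERO, "10.20.20.1"),
}


def run_samples(checks=ALL_CHECKS) -> dict:
    """Validate every constructed sample with the given set of enabled checks."""
    return {name: validate(frame, checks) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, failed in run_samples().items():
        verdict = "drop, failed " + ", ".join(failed) if failed else "forward"
        print(f"{name}: {verdict}")
```

Running `run_samples(checks=("dst-mac",))` shows the effect of enabling only one option: the reply whose Ethernet source differs from its sender hardware address is then forwarded, because only the src-mac check would catch it.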
The following example enables validation of ARP packets based on the destination MAC address.
NOTE
You cannot change the priority of the ingress ARP packets on the management port.
2. Enter the arp-internal-priority command followed by the appropriate value. The default is 4. You may choose a value
from 0 through 7, with 7 being the highest priority.
device(config)# arp-internal-priority 4
This example resets the priority of incoming ARP packets to the default priority of 4.
The following example shows the priority of incoming ARP packets set to level 7.
RARP is enabled by default. However, you must create a RARP entry for each host that will use the Layer 3 device for booting. A
RARP entry consists of the following information:
• Entry sequence number in the RARP table
• MAC address of the boot client
• IP address the Layer 3 device assigns to the client
When a client sends a RARP broadcast to request an IP address, the Layer 3 device responds to the request by looking in the
RARP table for an entry that contains the client MAC address. If the RARP table contains an entry for the client, the Layer 3 device
sends a unicast response to the client that contains the IP address associated with the client MAC address in the RARP table. If
the RARP table does not contain an entry for the client, the Layer 3 device silently discards the RARP request and does not reply
to the client.
To configure the Layer 3 device to forward BootP/DHCP requests when boot clients and boot servers are on different subnets on
different Layer 3 device interfaces, refer to the DHCP client section in the Ruckus FastIron DHCP Configuration Guide.
Disabling RARP
RARP is enabled by default. To disable RARP, enter the following command at the global CONFIG level.
device(config)# no ip rarp
To re-enable RARP, enter the ip rarp command.
device(config)# ip rarp
To assign a static IP RARP entry for static routes on a Ruckus router, enter a command such as the following.
This command creates a RARP entry for a client with MAC address 0000.0054.2348. When the Layer 3 switch receives a RARP
request from this client, the Layer 3 switch replies to the request by sending IP address 192.53.4.2 to the client.
The number parameter identifies the RARP entry number. You can specify an unused number from 1 to the maximum number of
RARP entries supported on the device. To determine the maximum number of entries supported on the device, refer to the
section "Displaying and modifying system parameter default settings" in the Ruckus FastIron Layer 2 Switching Configuration Guide.
The mac-addr parameter specifies the MAC address of the RARP client.
The ip-addr parameter specifies the IP address the Layer 3 switch will give the client in response to the client RARP request.
NOTE
You must save the configuration to the startup-config file and reload the software after changing the RARP cache size to
place the change into effect.
Dynamic ARP Inspection (DAI) enables the Ruckus device to intercept and examine all ARP request and response packets in a
subnet and discard packets with invalid IP-to-MAC address bindings. DAI can prevent common man-in-the-middle (MiM) attacks
such as ARP cache poisoning, and disallow misconfiguration of client IP addresses.
DAI allows only valid ARP requests and responses to be forwarded and supports Multi-VRFs with overlapping address spaces.
ARP poisoning
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. Before a host
can talk to another host, it must map the IP address to a MAC address first. If the host does not have the mapping in its ARP
table, it creates an ARP request to resolve the mapping. All computers on the subnet receive and process the ARP requests, and
the host whose IP address matches the IP address in the request sends an ARP reply.
An ARP poisoning attack can target hosts, switches, and routers connected to the Layer 2 network by poisoning the ARP caches
of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. For instance, a malicious
host can reply to an ARP request with its own MAC address, thereby causing other hosts on the same subnet to store this
information in their ARP tables or replace the existing ARP entry. Furthermore, a host can send gratuitous replies without having
received any ARP requests. A malicious host can also send out ARP packets claiming to have an IP address that actually belongs
to another host (for example, the default router). After the attack, all traffic from the device under attack flows through the
attacker computer and then to the router, switch, or host.
When you enable DAI on a VLAN, by default, all member ports are untrusted. You must manually configure trusted ports. In a
typical network configuration, ports connected to host ports are untrusted. You configure ports connected to other switches or
routers as trusted.
DAI inspects ARP packets received on untrusted ports, as shown in the following figure. DAI carries out the inspection based on
IP-to-MAC address bindings stored in a trusted binding database. For the Ruckus device, the binding database is the ARP table
and the DHCP snooping table, which supports DAI, DHCP snooping, and IP Source Guard. To inspect an ARP request packet, DAI
checks the source IP address and source MAC address against the ARP table. For an ARP reply packet, DAI checks the source IP,
source MAC, destination IP, and destination MAC addresses. DAI forwards the valid packets and discards those with invalid IP-to-
MAC address bindings.
When ARP packets reach a trusted port, DAI lets them through, as shown in the following figure.
Refer to System reboot and the binding database section in the Ruckus FastIron DHCP Configuration Guide.
1. Configure inspection ARP entries for hosts on untrusted ports. Refer to Configuring an inspection ARP entry on page
32.
2. Enable DAI on a VLAN to inspect ARP packets. Refer to Enabling DAI on a VLAN on page 32.
3. Configure the trust settings of the VLAN members. ARP packets received on trusted ports bypass the DAI validation
process. ARP packets received on untrusted ports go through the DAI validation process. Refer to Enabling trust on a
port on page 33.
4. Enable DHCP snooping to populate the DHCP snooping IP-to-MAC address binding database.
Dynamic ARP inspection is disabled by default and the trust setting for ports is by default untrusted.
This command defines an inspection ARP entry in the static ARP table, mapping a device IP address 10.20.20.12 with its MAC
address 0000.0002.0003. The ARP entry will be moved to the ARP table once the DAI receives a valid ARP packet.
Dynamic ARP Inspection must be enabled to use static ARP inspection entries.
The ip-addr mac-addr parameter specifies a device IP address and MAC address pairing.
The command enables DAI on VLAN 2. ARP packets from untrusted ports in VLAN 2 will undergo DAI inspection.
The commands change the CLI to the interface configuration level of port 1/1/4 and set the trust setting of port 1/1/4 to trusted.
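The inspection decision this section describes (trusted ports bypass validation, while on untrusted ports a request is checked on its sender pair and a reply on both pairs), modelled as an added Python example that is not Ruckus code. The DaiModel class, port names other than 1/1/4, and every binding except 10.20.20.12 / 0000.0002.0003 are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace


def norm_mac(mac: str) -> str:
    """Normalise 0000.0002.0003, 00:00:00:02:00:03 or 00-00-... to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c not in ".:-")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class ArpPacket:
    port: str          # ingress port, for example "1/1/4"
    vlan: int
    oper: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


@dataclass
class DaiModel:
    """Hypothetical model of the decision, not the device implementation."""
    enabled_vlans: set = field(default_factory=set)   # DAI is disabled by default
    trusted_ports: set = field(default_factory=set)   # ports are untrusted by default
    bindings: dict = field(default_factory=dict)      # IP -> MAC binding database

    def add_binding(self, ip: str, mac: str) -> None:
        self.bindings[ip] = norm_mac(mac)

    def _bound(self, ip: str, mac: str) -> bool:
        return self.bindings.get(ip) == norm_mac(mac)

    def inspect(self, pkt: ArpPacket) -> tuple:
        """Return (action, reason) for one ARP packet."""
        if pkt.vlan not in self.enabled_vlans:
            return ("forward", "DAI not enabled on VLAN")
        if pkt.port in self.trusted_ports:
            return ("forward", "trusted port, validation bypassed")
        if not self._bound(pkt.sender_ip, pkt.sender_mac):
            return ("drop", "sender IP-to-MAC binding invalid")
        if pkt.oper == "reply" and not self._bound(pkt.target_ip, pkt.target_mac):
            return ("drop", "target IP-to-MAC binding invalid")
        return ("forward", "bindings valid")


def build_example() -> DaiModel:
    dai = DaiModel()
    dai.enabled_vlans.add(2)                            # DAI enabled on VLAN 2
    dai.trusted_ports.add("1/1/4")                      # port set to trusted
    dai.add_binding("10.20.20.12", "0000.0002.0003")    # inspection ARP entry from this section
    dai.add_binding("10.20.20.1", "0000.0001.0001")     # constructed gateway binding
    return dai


# Constructed packets: a reply that claims the gateway IP with a MAC that is not bound to it.
_GW_CLAIM = ArpPacket("1/1/6", 2, "reply", "10.20.20.1", "0000.00aa.bbcc",
                      "10.20.20.12", "0000.0002.0003")
PACKETS = {
    "host_request": ArpPacket("1/1/5", 2, "request", "10.20.20.12",
                              "00:00:00:02:00:03", "10.20.20.1", "0000.0000.0000"),
    "gateway_claim": _GW_CLAIM,
    "gateway_claim_trusted_port": replace(_GW_CLAIM, port="1/1/4"),
    "gateway_claim_vlan3": replace(_GW_CLAIM, vlan=3),
    "unbound_target": ArpPacket("1/1/5", 2, "reply", "10.20.20.12",
                                "0000.0002.0003", "10.20.20.50", "0000.0000.5050"),
}


def run_examples() -> dict:
    """Inspect every constructed packet against the example configuration."""
    dai = build_example()
    return {name: dai.inspect(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_examples().items():
        print(f"{name}: {action} ({reason})")
```

The gateway_claim_trusted_port case is the one to note when assigning trust: the same mismatched reply that is dropped on an untrusted port is forwarded unchecked once it arrives on a trusted port, which is why host-facing ports stay untrusted.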
Syslog messages are enabled by default on FastIron devices. Follow these steps to disable DAI messages.
2. Enter the ip arp inspection syslog disable command to disable syslog messages.
You can enable DAI on individual VLANs and assign any interface as the ARP inspection trust interface. If an interface is a tagged
port in this VLAN, you can turn on the trust port per VRF, so that traffic intended for other VRF VLANs will not be trusted.
NOTE
ICX 7150 devices do not support VRFs.
• Configure DAI on a VLAN using the ip arp inspection vlan vlan-id command.
To enable trust on a port for a specific VRF, enter commands such as the following.
The commands change the CLI to the interface configuration level of port 1/1/4 and set the trust setting of port 1/1/4 on VRF 2 to
trusted.
IP configuration overview
IPv4 is the Internet protocol most commonly used throughout the world. It uses a 32-bit addressing system designed for use in
packet-switched networks, and addresses are represented in a 4-byte dotted decimal format: x.x.x.x.
Ruckus Layer 2 switches and Layer 3 switches support Internet Protocol version 4 (IPv4) and IPv6. IP support on Ruckus Layer 2
switches consists of host services and functionality to support management access and access to a default gateway.
IP interfaces
NOTE
This section describes IPv4 addresses. For information about IPv6 addresses, refer to the IPv6 addressing chapter.
Ruckus Layer 3 switches and Layer 2 switches allow you to configure IP addresses. On Layer 3 switches, IP addresses are
associated with individual interfaces. On Layer 2 switches, a single IP address serves as the management access address for the
entire device.
All Ruckus Layer 3 switches and Layer 2 switches support configuration and display of IP addresses in classical subnet format (for
example, 192.168.1.1 255.255.255.0) and Classless Interdomain Routing (CIDR) format (for example, 192.168.1.1/24). You can use
either format when configuring IP address information. IP addresses are displayed in classical subnet format by default but you
can change the display format to CIDR.
Layer 3 switches
Ruckus Layer 3 switches allow you to configure IP addresses on the following types of interfaces:
• Ethernet ports
• Virtual routing interfaces (used by VLANs to route among one another)
• Loopback interfaces
• GRE tunnels
Each IP address on a Layer 3 switch must be in a different subnet. You can have only one interface that is in a given subnet. For
example, you can configure IP addresses 192.168.1.1/24 and 192.168.2.1/24 on the same Layer 3 switch, but you cannot
configure 192.168.1.1/24 and 192.168.1.2/24 on the same Layer 3 switch.
The number of IP addresses you can configure on an individual interface depends on the Layer 3 switch model. To display the
maximum number of IP addresses and other system parameters you can configure on a Layer 3 switch, refer to the "Displaying and
modifying system parameter default settings" section in the Ruckus FastIron Layer 2 Switching Configuration Guide.
You can use any of the IP addresses you configure on the Layer 3 switch for Telnet, Web management, or SNMP access.
Layer 2 switches
You can configure an IP address on a Ruckus Layer 2 switch for management access to the Layer 2 switch. An IP address is
required for Telnet access, Web management access, and SNMP access.
You also can specify the default gateway for forwarding traffic to other subnets.
1. When the Layer 3 device receives an IP packet, the device checks for filters on the receiving interface. The filter may be
an Access Control List (ACL) or an IP access policy. If a deny filter on the interface denies the packet, the Layer 3 device
discards the packet and performs no further processing, except for generating a Syslog entry and an SNMP message, if
logging is enabled for the filter.
2. If the packet is not denied at the incoming interface, the Layer 3 device looks in the session table for an entry that has
the same source IP address and TCP or UDP port as the packet. If the session table contains a matching entry, the Layer
3 device immediately forwards the packet, by addressing it to the destination IP address and TCP or UDP port listed in
the session table entry and sending the packet to a queue on the outgoing ports listed in the session table. The device
selects the queue based on the Quality of Service (QoS) level associated with the session table entry.
3. If the session table does not contain an entry that matches the packet source address and TCP or UDP port, the Layer 3
device looks in the IP forwarding cache for an entry that matches the packet destination IP address. If the forwarding
cache contains a matching entry, the device forwards the packet to the IP address in the entry. The device sends the
packet to a queue on the outgoing ports listed in the forwarding cache. The device selects the queue based on the
Quality of Service (QoS) level associated with the forwarding cache entry.
4. If the IP forwarding cache does not have an entry for the packet, the Layer 3 device checks the IP route table for a route
to the packet destination. If the IP route table has a route, the device makes an entry in the session table or the
forwarding cache, and sends the packet to a queue on the outgoing ports:
• If the running-config contains an IP access policy for the packet, the software makes an entry in the session table.
The Layer 3 device uses the new session table entry to forward subsequent packets from the same source to the
same destination.
• If the running-config does not contain an IP access policy for the packet, the software creates a new entry in the
forwarding cache. The Layer 3 device uses the new cache entry to forward subsequent packets to the same
destination.
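The four lookup steps above, as a small model. This is an added example, not FastIron code: the class, its fields, the sample routes and addresses, and the "no-route" outcome are assumptions, and the inbound filter is reduced to a list of denied source networks.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int  # TCP or UDP source port


class L3ForwardingModel:
    """Hypothetical model of the lookup order; names are not from the product."""

    def __init__(self, deny_sources, routes, policy_destinations):
        self.deny_sources = [ipaddress.ip_network(n) for n in deny_sources]
        self.routes = {ipaddress.ip_network(p): port for p, port in routes.items()}
        # Destinations for which the running-config holds an IP access policy.
        self.policy_destinations = [ipaddress.ip_network(n) for n in policy_destinations]
        self.session_table = {}     # (src, sport, dst) -> outgoing port
        self.forwarding_cache = {}  # dst -> outgoing port
        self.syslog = []

    def forward(self, pkt: Packet):
        """Return (outgoing port or 'discard', table that decided)."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        # Step 1: a deny filter on the receiving interface ends processing.
        if any(src in net for net in self.deny_sources):
            self.syslog.append(f"deny {pkt.src} -> {pkt.dst}")
            return ("discard", "ingress-filter")

        # Step 2: session table (keyed here on source, port and destination).
        key = (pkt.src, pkt.sport, pkt.dst)
        if key in self.session_table:
            return (self.session_table[key], "session-table")

        # Step 3: IP forwarding cache, keyed on destination only.
        if pkt.dst in self.forwarding_cache:
            return (self.forwarding_cache[pkt.dst], "forwarding-cache")

        # Step 4: route table (longest prefix wins), then populate one fast-path table.
        matches = [net for net in self.routes if dst in net]
        if not matches:
            return ("discard", "no-route")  # assumption: outcome not described in the text
        out_port = self.routes[max(matches, key=lambda net: net.prefixlen)]
        if any(dst in net for net in self.policy_destinations):
            self.session_table[key] = out_port
        else:
            self.forwarding_cache[pkt.dst] = out_port
        return (out_port, "route-table")


def run_example():
    # Constructed topology: two connected subnets plus a default route.
    sw = L3ForwardingModel(
        deny_sources=["10.9.9.0/24"],
        routes={"10.2.2.0/24": "1/3/1", "10.3.3.0/24": "1/3/2", "0.0.0.0/0": "1/1/1"},
        policy_destinations=["10.3.3.0/24"],
    )
    plain = Packet("10.1.1.5", "10.2.2.9", 40000)
    policed = Packet("10.1.1.5", "10.3.3.7", 40001)
    denied = Packet("10.9.9.9", "10.2.2.9", 40002)  # destination is already cached
    results = [sw.forward(p) for p in (plain, plain, policed, policed, denied)]
    return results, sw


if __name__ == "__main__":
    for result in run_example()[0]:
        print(result)
```

The last packet is discarded by the inbound filter even though its destination already has a forwarding-cache entry, because the filter is checked before either fast-path table.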
The ARP cache entries are generally for devices that are directly attached to the Layer 3 device.
An exception is an ARP entry for an interface-based static IP route that goes to a destination that is one or more router hops
away. For this type of entry, the MAC address is either the destination device MAC address or the MAC address of the router
interface that answered an ARP request on behalf of the device, using proxy ARP.
ARP cache
The ARP cache can contain dynamic (learned) entries and static (user-configured) entries. The software places a dynamic entry in
the ARP cache when the Layer 3 device learns a device MAC address from an ARP request or ARP reply from the device.
The software can learn an entry when the Layer 2 device or Layer 3 device receives an ARP request from another IP forwarding
device or an ARP reply. Here is an example of a dynamic entry:
Each entry contains the destination device IP address and MAC address.
NOTE
Layer 3 devices have a static ARP table. Layer 2 switches do not.
The software places an entry from the static ARP table into the ARP cache when the entry interface comes up.
Each entry lists the information you specified when you created the entry.
IP route table
The IP route table contains paths to IP destinations.
The IP route table can receive the paths from the following sources and it can contain leaked routes as well (from other VRFs).
• A directly-connected destination, which means there are no router hops to the destination
• A static IP route, which is a user-configured route
• A route learned through RIP
• A route learned through OSPF
• A route learned through BGP4
Each IP route table entry contains the destination IP address and subnet mask and the IP address of the next-hop router
interface to the destination. Each entry also indicates the port attached to the destination or the next-hop to the destination, the
route IP metric (cost), and the type. The type indicates how the IP route table received the route.
IP forwarding cache
The IP forwarding cache contains entries for IP destinations, and provides a fast-path mechanism for forwarding IP packets.
When a Ruckus Layer 3 device has completed the processing and addressing for a packet and is ready to forward the packet, the
device checks the IP forwarding cache for an entry to the packet destination:
• If the cache contains an entry with the destination IP address, the device uses the information in the entry to forward
the packet out the ports listed in the entry. The destination IP address is the address of the packet final destination. The
port numbers are the ports through which the destination can be reached.
• If the cache does not contain an entry and the traffic does not qualify for an entry in the session table instead, the
software can create an entry in the forwarding cache.
Each entry in the IP forwarding cache has an age timer. If the entry remains unused for ten minutes, the software removes the
entry. The age timer is not configurable.
Each IP forwarding cache entry contains the IP address of the destination, and the IP address and MAC address of the next-hop
router interface to the destination. If the destination is actually an interface configured on the Layer 3 device itself, as shown
here, then next-hop information indicates this. The port through which the destination is reached is also listed, as well as the
VLAN and Layer 4 QoS priority associated with the destination if applicable.
NOTE
You cannot add static entries to the IP forwarding cache. You can increase the number of entries the cache can contain.
The Layer 2 switch or Layer 3 switch selects the session table instead of the IP forwarding table for fast-path forwarding for the
following features:
• Layer 4 Quality-of-Service (QoS) policies
• IP access policies
To increase the size of the session table, refer to the section "Displaying and modifying system parameter default settings" in the
Ruckus FastIron Layer 2 Switching Configuration Guide. The ip-qos-session parameter controls the size of the session table.
All these protocols provide routes to the IP route table. You can use one or more of these protocols, in any combination. The
protocols are disabled by default.
IP multicast protocols
Ruckus Layer 3 switches also support the following Internet Group Membership Protocol (IGMP) based IP multicast protocols:
• Protocol Independent Multicast - Dense mode (PIM-DM)
• Protocol Independent Multicast - Sparse mode (PIM-SM)
For configuration information, refer to "IP Multicast Protocols" in the Ruckus FastIron IP Multicast Configuration Guide.
NOTE
Ruckus Layer 3 switches support IGMP and can forward IP multicast packets. Refer to the "IP Multicast Traffic
Reduction" chapter in the Ruckus FastIron IP Multicast Configuration Guide.
Both methods allow you to filter packets based on Layer 3 and Layer 4 source and destination information.
ACLs also provide great flexibility by providing the input to various other filtering mechanisms such as route maps, which are
used by BGP4.
IP access policies allow you to configure QoS based on sessions (Layer 4 traffic flows).
Only one of these filtering mechanisms can be enabled on a Ruckus device at a time. Ruckus devices can store forwarding
information for both methods of filtering in the session table.
For configuration information, refer to the chapter "Rule-Based IP ACLs" in the Ruckus FastIron Security Configuration Guide.
To save a configuration change permanently so that the change remains in effect following a system reset or software reload,
save the change to the startup-config file:
• To save configuration changes to the startup-config file, enter the write memory command from the Privileged EXEC
level of any configuration level of the CLI.
• To save the configuration changes using the Web Management Interface, select the Save link at the bottom of the dialog.
Select Yes when prompted to save the configuration change to the startup-config file on the device flash memory. You
also can access the dialog for saving configuration changes by clicking on Command in the tree view, then clicking on
Save to Flash.
Changes to memory allocation require you to reload the software after you save the changes to the startup-config file. When
reloading the software is required to complete a configuration change described in this chapter, the procedure that describes the
configuration change includes a step for reloading the software.
NOTE
You cannot disable IP.
IP address and mask notation
Description: Format for displaying an IP address and its network mask information. You can enable one of the following:
• Class-based format; example: 192.168.1.1 255.255.255.0
• Classless Interdomain Routing (CIDR) format; example: 192.168.1.1/24
Default: Class-based
NOTE
Changing this parameter affects the display of IP addresses, but you can enter addresses in either format regardless of
the display setting.
Router ID
Description: The value that routers use to identify themselves to other routers when exchanging route information. OSPF and
BGP4 use router IDs to identify routers. RIP does not use the router ID.
Default: The IP address configured on the lowest-numbered loopback interface. If no loopback interface is configured, then
the lowest-numbered IP address configured on the device.
Maximum Transmission Unit (MTU)
Description: The maximum length an Ethernet packet can be without being fragmented.
Default: 1500 bytes for Ethernet II encapsulation; 1492 bytes for SNAP encapsulation
Address Resolution Protocol (ARP)
Description: A standard IP mechanism that routers use to learn the Media Access Control (MAC) address of a device on the
network. The router sends the IP address of a device in the ARP request and receives the device MAC address in an ARP reply.
Default: Enabled
ARP rate limiting
Description: You can specify a maximum number of ARP packets the device will accept each second. If
Default: Disabled
NOTE
You also can change the ARP age
on an individual interface basis.
NOTE
You also can enable or disable this
parameter on an individual
interface basis.
Directed broadcast mode
Description: The packet format the router treats as a directed broadcast. The following formats can be directed broadcasts:
• All ones in the host portion of the packet destination address.
• All zeroes in the host portion of the packet destination address.
Default: All ones
NOTE
If you enable all-zeroes directed broadcasts, all-ones directed broadcasts remain enabled.
Source-routed packet forwarding
Description: A source-routed packet contains a list of IP addresses through which the packet must pass to reach its
destination.
Default: Enabled
Internet Control Message Protocol (ICMP) messages
Description: The Ruckus Layer 3 switch can send the following types of ICMP messages:
• Echo messages (ping messages)
• Destination Unreachable messages
Default: Enabled
ICMP Router Discovery Protocol (IRDP)
Description: An IP protocol a router can use to advertise the IP addresses of its router interfaces to
Default: Disabled
NOTE
You also can enable or disable
IRDP and configure the
parameters on an individual
interface basis.
NOTE
You must enter the RARP entries
manually. The Layer 3 switch does
not have a mechanism for
learning or dynamically generating
RARP entries.
Maximum BootP relay hops
Description: The maximum number of hops away a BootP server can be located from a router and still be used by the router
clients for network booting.
Default: Four
Domain name for Domain Name Server (DNS) resolver
Description: A domain name (for example, ruckus.router.com) you can use in place of an IP address for certain operations
such as IP pings, trace routes, and Telnet management connections to the router.
Default: None configured
DNS default gateway addresses
Description: A list of gateways attached to the router through which clients attached to the router can reach DNSs.
Default: None configured
IP load sharing
Description: A Ruckus feature that enables the router to balance traffic to a specific destination across multiple
equal-cost paths.
Default: Enabled
NOTE
Load sharing is sometimes called equal-cost multi-path (ECMP).
Maximum IP load sharing paths
Description: The maximum number of equal-cost paths across which the Layer 3 switch is allowed to distribute traffic.
Default: Four
Origination of default routes
Description: You can enable a router to originate default routes for the following route exchange protocols, on an
individual protocol basis:
• OSPF
• BGP4
Default: Disabled
Default network route
Description: The router uses the default network route if the IP route table does not contain a route to the destination
and also does not contain an explicit default route (0.0.0.0 0.0.0.0 or 0.0.0.0/0).
Default: None configured
Static route
Description: An IP route you place in the IP route table.
Default: No entries
Source interface
Description: The IP address the router uses as the source address for Telnet, RADIUS, or TACACS/TACACS+ packets originated
by the router. The router can select the source address based on either of the following:
• The lowest-numbered IP address on the interface the packet is sent on.
• The lowest-numbered IP address on a specific interface. The address is used as the source for all packets of the
specified type regardless of interface the packet is sent on.
Default: The lowest-numbered IP address on the interface the packet is sent on.
NOTE
You cannot disable IP.
NOTE
Layer 2 switches have a single IP address used for management access to the entire device. Layer 3 switches have separate
IP addresses on individual interfaces.
NOTE
Some devices have a factory default, such as 10.157.22.154, used for troubleshooting during installation. For Layer 3
switches, the address is on unit 1/slot 1/port 1 (or 1/1/1).
NOTE
Available on the VE interface only.
NOTE
UDP broadcast forwarding for
client DHCP/BootP requests
(bootps) must be enabled (this is
enabled by default) and you must
configure an IP helper address
(the server IP address or a
directed broadcast to the server
subnet) on the port connected to
the client.
DHCP Client-Based Auto-Configuration
Description: Allows the switch to obtain IP addresses from a DHCP host automatically, for either a specified (leased) or
infinite period of time.
Default: Enabled
DHCP Server
Description: All FastIron devices can be configured to function as DHCP servers.
Default: Disabled
UDP broadcast forwarding
Description: The router can forward UDP broadcast packets for UDP applications such as BootP. By forwarding the UDP
broadcasts, the router enables clients on one subnet to find servers attached to other subnets.
Default: The router helps forward broadcasts for the following UDP application protocols:
• bootps
• dns
• netbios-dgm
• netbios-ns
• tacacs
• tftp
• time
NOTE
To completely enable a client UDP application request to find a server on another subnet, you must configure an IP helper
address consisting of the server IP address or the directed broadcast address for the subnet that contains the server.
Refer to the next row.
NOTE
Ruckus Layer 2 switches also provide IP multicast forwarding, which is enabled by default. For information about this
feature, refer to "IP Multicast Traffic Reduction" in the Ruckus FastIron IP Multicast Configuration Guide.
IP address and mask notation
Description: Format for displaying an IP address and its network mask information. You can enable one of the following:
• Class-based format; example: 192.168.1.1 255.255.255.0
• Classless Interdomain Routing (CIDR) format; example: 192.168.1.1/24
Default: Class-based
NOTE
Changing this parameter affects the display of IP addresses, but you can enter addresses in either format regardless of
the display setting.
IP address
Description: A Layer 3 network interface address
Default: None configured
NOTE
Layer 2 switches have a single IP address used for management access to the entire device. Layer 3 switches have separate
IP addresses on individual interfaces.
NOTE
Some devices have a factory default, such as 10.157.22.154, used for troubleshooting during installation. For Layer 3
switches, the address is on port 1 (or 1/1/1).
DHCP gateway stamp
Description: The device can assist DHCP/BootP Discovery packets from one subnet to reach DHCP/BootP servers on a different
subnet by placing the IP address of the router interface that forwards the packet in the packet Gateway field.
Default: None configured
DHCP gateway stamp
Description: You can configure a list of DHCP stamp addresses for a port. When the port receives a DHCP/BootP Discovery
packet from a client, the port places the IP addresses in the gateway list into the packet Gateway field.
Default: None configured
Basic IP configuration
IP is enabled by default. Basic configuration consists of adding IP addresses for Layer 3 switches and enabling a route exchange
protocol, such as the Routing Information Protocol (RIP).
NOTE
The terms Layer 3 switch and router are used interchangeably in this chapter and mean the same.
If you are configuring a Layer 3 switch, refer to Configuring IP addresses to add IP addresses, then enable and configure the
routing protocols, as described in other chapters of this guide.
If you are configuring a Layer 2 switch, refer to Configuring the management IP address and specifying the default gateway to
add an IP address for management access through the network and to specify the default gateway.
The rest of this chapter describes IP and how to configure it in more detail. Use the information in this chapter if you need to
change some of the IP parameters from their default values or you want to view configuration information or statistics.
IP address replacement
An interface supports multiple primary address configuration. However, you can configure only one primary IP address in a
subnet. Beginning with Ruckus FastIron release 08.0.50, you can configure the primary IP address on a physical interface
(Ethernet), management interface, virtual interface (VE or loopback), or a tunnel interface even if the primary IP address was
already configured.
When you configure an IP address, using the ip address command with the replace option, the existing IP address is removed
and the new IP address is applied to the interface. After the IP address replacement, you must re-establish all the Telnet and
Secure Shell (SSH) sessions because the current sessions get either terminated or timed out.
• The IP address replacement feature is supported on a Ruckus FastIron router image only.
• You cannot change the subnet mask by using the replace parameter.
• You can replace IP addresses only on the management interface and data ports.
• You cannot replace a secondary IP address. You can only replace the primary IP address.
Replacing an IP address
You must remove all secondary IP addresses, if they exist, before replacing the existing primary IP address with a new IP address.
1. NOTE
The device does not prompt if no primary IP address matching the subnet of the new IP address is already
configured on the interface and the user uses the replace option. When the ip address command is used with the
replace option, the new IP address is configured.
3. Use the ip address command to replace an existing primary IP address with a new IP address. Note that when you
choose the replace option to remove the existing IP address on an interface, the action cannot be undone.
4. Use the show running interface command to display the newly configured IP address on the interface.
The following example shows how to replace the primary IP address of an interface.
The following example shows how to display the primary IP address of an interface.
Configuring IP addresses
You can configure an IP address on the following types of Layer 3 switch interfaces:
• Ethernet port
NOTE
• When you configure an IPv4 address on a device, a syslog appears stating that the IP address has been added.
• If you reconfigure the same IP address or a different IP address on the device, a syslog appears stating that the
IP address has been added.
• The syslog does not state that the existing IP address was replaced with a new IP address.
You can increase this amount to up to 128 IP subnet addresses per port by increasing the size of the ip-subnet-port table.
Refer to the section "Displaying system parameter default values" in the Ruckus FastIron Layer 2 Switching Configuration Guide.
NOTE
Once you configure a virtual routing interface on a VLAN, you cannot configure Layer 3 interface parameters on
individual ports. Instead, you must configure the parameters on the virtual routing interface itself.
Ruckus devices support both classical IP network masks (Class A, B, and C subnet masks, and so on) and Classless Interdomain
Routing (CIDR) network prefix masks:
• To enter a classical network mask, enter the mask in IP address format. For example, enter "10.157.22.99 255.255.255.0"
for an IP address with a Class-C subnet mask.
• To enter a prefix network mask, enter a forward slash ( / ) and the number of bits in the mask immediately after the IP
address. For example, enter "10.157.22.99/24" for an IP address that has a network mask with 24 significant bits (ones).
By default, the CLI displays network masks in classical IP address format (for example, 255.255.255.0). You can change the
display to prefix format.
You also can enter the IP address and mask in CIDR format, as follows.
or
The ospf-ignore and ospf-passive parameters modify the Layer 3 switch defaults for adjacency formation and interface
advertisement. Use one of these parameters if you are configuring multiple IP subnet addresses on the interface but you want to
prevent OSPF from running on some of the subnets:
• ospf-passive - This option disables adjacency formation with OSPF neighbors. By default, when OSPF is enabled on an
interface, the software forms OSPF router adjacencies between each primary IP address on the interface and the OSPF
neighbor attached to the interface.
• ospf-ignore - This option disables OSPF adjacency formation and also disables advertisement of the interface into OSPF.
The subnet is completely ignored by OSPF.
NOTE
The ospf-passive option disables adjacency formation but does not disable advertisement of the interface into OSPF.
To disable advertisement in addition to disabling adjacency formation, you must use the ospf-ignore option.
Use the secondary parameter if you have already configured an IP address within the same subnet on the interface.
NOTE
When you configure more than one address in the same subnet, all but the first address are secondary addresses and
do not form OSPF adjacencies.
NOTE
All physical IP interfaces on Ruckus FastIron Layer 3 devices share the same MAC address. For this reason, if more than
one connection is made between two devices, one of which is a Ruckus FastIron Layer 3 device, Ruckus recommends
the use of virtual interfaces. It is not recommended to connect two or more physical IP interfaces between two routers.
NOTE
If you configure the Ruckus Layer 3 switch to use a loopback interface to communicate with a BGP4 neighbor, you also
must configure a loopback interface on the neighbor and configure the neighbor to use that loopback interface to
communicate with the Ruckus Layer 3 switch. Refer to Assigning an IP address to a loopback interface.
To add a loopback interface, enter commands such as those shown in the following example.
device(config-bgp-router)# exit
device(config)# interface loopback 1
device(config-lbif-1)# ip address 10.0.0.1/24
The num parameter specifies the virtual interface number. You can specify from 1 to the maximum number of virtual interfaces
supported on the device. To display the maximum number of virtual interfaces supported on the device, enter the show default
values command. The maximum is listed in the System Parameters section, in the Current column of the virtual-interface row.
NOTE
The Ruckus feature that allows routing between VLANs within the same device, without the need for external routers, is
called Integrated Switch Routing (ISR).
You can configure IP routing interface parameters on a virtual interface. This section describes how to configure an IP address on
a virtual interface. Other sections in this chapter that describe how to configure interface parameters also apply to virtual
interfaces.
NOTE
The Layer 3 switch uses the lowest MAC address on the device (the MAC address of port 1 or 1/1/1) as the MAC address
for all ports within all virtual interfaces you configure on the device.
To add a virtual interface to a VLAN and configure an IP address on the interface, enter commands such as the following.
The first two commands in this example create a Layer 3 protocol-based VLAN named "IP-Subnet_10.1.2.0/24" and add a range of
untagged ports to the VLAN. The router-interface command creates virtual interface 1 as the routing interface for the VLAN.
The num variable specifies the virtual interface number. You can enter a number from 1 through 4095.
When configuring virtual routing interfaces on a device, you can specify a number from 1 through 4095. However, the total
number of virtual routing interfaces that are configured must not exceed the system-max limit of 512 (or 382 for the ICX 7150;
the default for the ICX 7150 is 128).
The last two commands move the configuration to the interface configuration mode for the virtual interface and assign an IP
address to the interface.
Configuration limitations and feature limitations for IP Follow on a virtual routing interface
• When configuring IP Follow, the primary virtual routing interface should not have ACL or DoS Protection configured. It is
recommended that you create a dummy virtual routing interface as the primary and use the IP-follow virtual routing
interface for the network.
• Global Policy Based Routing is not supported when IP Follow is configured.
• IPv6 is not supported with IP Follow.
• Ruckus FastIron devices support IP Follow with OSPF and VRRP protocols only.
device(config-vif-1)# interface ve 2
device(config-vif-2)# ip follow ve 1
device(config-vif-2)# interface ve 3
device(config-vif-3)# ip follow ve 1
Deleting an IP address
To delete an IP address, enter the no ip address command.
This command deletes IP address 10.1.2.1. You do not need to enter the subnet mask.
device(config-if-e1000-1)# no ip address *
To conserve IPv4 address space, a 31-bit subnet mask can be assigned to point-to-point networks. Support for an IPv4 address
with a 31-bit subnet mask is described in RFC 3021.
With IPv4, four IP addresses with a 30-bit subnet mask are allocated on point-to-point networks. In contrast, a 31-bit subnet mask
uses only two IP addresses: all zero bits and all one bits in the host portion of the IP address. The two IP addresses are
interpreted as host addresses, and do not require broadcast support because any packet that is transmitted by one host is
always received by the other host at the receiving end. Therefore, directed broadcast on a point-to-point interface is eliminated.
IP-directed broadcast CLI configuration at the global level, or the per interface level, is not applicable on interfaces configured
with a 31-bit subnet mask IP address.
When the 31-bit subnet mask address is configured on a point-to-point link, using network addresses for broadcast purposes is
not allowed. For example, in an IPv4 broadcast scheme, the following subnets can be configured:
• 10.10.10.1 - Subnet for directed broadcast: {Network-number, -1}
• 10.10.10.0 - Subnet for network address: {Network-number, 0}
In a point-to-point link with a 31-bit subnet mask, the previous two addresses are interpreted as host addresses and packets are
not rebroadcast.
You can configure an IPv4 address with a 31-bit subnet mask on any interface (for example, Ethernet, loopback, VE, or tunnel
interfaces).
You can also enter the IP address and mask in the Classless Inter-domain Routing (CIDR) format, as follows.
The ip-address variable specifies the host address. The ip-mask variable specifies the IP network mask. The subnet-mask-bits
variable specifies the network prefix mask.
To disable configuration for an IPv4 address with a 31-bit subnet mask on any interface, use the no form of the command.
You cannot configure a secondary IPv4 address with a 31-bit subnet mask on any interface. The following error message is
displayed when a secondary IPv4 address with a 31-bit subnet mask is configured.
Configuration example
FIGURE 4 Configured 31-bit and 24-bit subnet masks
Router A is connected to Router B as a point-to-point link with the 10.1.1.0/31 subnet. There are only two available addresses
in this subnet: 10.1.1.0 on Router A and 10.1.1.1 on Router B.
Routers B and C are connected by a regular 24-bit subnet. Router C can either be a switch with many hosts belonging to the
10.2.2.2/24 subnet connected to it, or it can be a router.
Router A
RouterA(config)# interface ethernet 1/1/1
RouterA(config-if-e1000-1/1/1)# ip address 10.1.1.0/31
Router B
RouterB(config)# interface ethernet 1/1/1
RouterB(config-if-e1000-1/1/1)# ip address 10.1.1.1/31
RouterB(config-if-e1000-1/1/1)# exit
RouterB(config)# interface ethernet 1/3/1
RouterB(config-if-e1000-1/3/1)# ip address 10.2.2.1/24
Router C
RouterC(config)# interface ethernet 1/3/1
RouterC(config-if-e1000-1/3/1)# ip address 10.2.2.2/24
You can create a list of domain names that can be used to resolve host names. This list can have more than one domain name.
When a client sends a DNS query, all hosts within the domains in the list can be recognized and queries can be sent to any
domain on the list.
After you define a domain name, the Ruckus device automatically appends the appropriate domain to a host and forwards it to
the DNS servers for resolution.
For example, if the domain "ds.company.com" is defined on a Layer 2 or Layer 3 switch and you want to initiate a ping to "mary",
you must reference only the host name instead of the host name and its domain name. For example, you could use the following
command to initiate the ping.
The Layer 2 or Layer 3 switch qualifies the host name by appending a domain name (for example, mary.ds1.company.com). This
qualified name is sent to the DNS server for resolution. If there are four DNS servers configured, it is sent to the first DNS server.
If the host name is not resolved, it is sent to the second DNS server. If a match is found, a response is sent back to the client with
the host IP address. If no match is found, an "unknown host" message is returned.
Alternatively, you can configure DNS servers one after the other.
In this example, the first IP address entered becomes the primary DNS address and all others are secondary addresses. Because
IP address 10.98.7.15 is the last address listed, it is also the last address consulted to resolve a query.
The domain names are tried in the order you enter them.
The only required parameter is the IP address of the host at the other end of the route.
After you enter the traceroute command, a message indicating that the DNS query is in process and the current gateway
address (IP address of the domain name server) being queried appear on the screen. When traceroute fails, an error occurs as
shown in the last two lines in the following example.
NOTE
In the example, 10.157.22.199 is the IP address of the domain name server (default DNS gateway address), and
10.157.22.80 represents the IP address of the NYC02 host.
The entire IP packet, including the source and destination address and other control information and the data, is placed in the
data portion of the Layer 2 packet. Typically, an Ethernet network uses one of two different formats of Layer 2 packet:
• Ethernet II
• Ethernet SNAP (also called IEEE 802.3)
The control portions of these packets differ slightly. All IP devices on an Ethernet network must use the same format. Ruckus
Layer 3 switches use Ethernet II by default. You can change the IP encapsulation to Ethernet SNAP on individual ports if needed.
NOTE
All devices connected to the Layer 3 switch port must use the same encapsulation type.
To change the IP encapsulation type on interface 5 to Ethernet SNAP, enter the following commands.
The default MTU is 1500 bytes for Ethernet II packets and 1492 for Ethernet SNAP packets.
MTU enhancements
Ruckus devices contain the following enhancements to jumbo packet support:
• Hardware forwarding of Layer 3 jumbo packets - Layer 3 IP unicast jumbo packets received on a port that supports the
frame MTU size and forwarded to another port that also supports the frame MTU size are forwarded in hardware.
Previous releases support hardware forwarding of Layer 2 jumbo frames only.
• ICMP unreachable message if a frame is too large to be forwarded - If a jumbo packet has the Do not Fragment (DF) bit
set, and the outbound interface does not support the packet MTU size, the Ruckus device sends an ICMP unreachable
message to the device that sent the packet.
NOTE
These enhancements apply only to transit traffic forwarded through the Ruckus device.
connected to clients that can support the jumbo frames, increase the MTU only on those three ports. Leave the MTU
size on the other ports at the default value (1500 bytes). Globally increase the MTU size only if needed.
You can increase the MTU size to accommodate jumbo packet sizes up to 10,200 bytes.
To globally enable jumbo support on all ports of a FastIron device, enter commands such as the following.
device(config)# jumbo
device(config)# write memory
device(config)# end
device# reload
NOTE
You must save the configuration change and then reload the software to enable jumbo support.
When jumbo mode is enabled, the maximum Ethernet MTU sizes are as follows:
• 10,218 bytes - The maximum for Ethernet II encapsulation (Default MTU: 9216)
• 10,214 bytes - The maximum for SNAP encapsulation (Default MTU: 9216)
NOTE
If you set the MTU of a port to a value lower than the global MTU and from 576 through 1499, the port fragments the
packets. However, if the port MTU is exactly 1500 and this is larger than the global MTU, the port drops the packets. For
ICX 7150, ICX 7250, ICX 7450, ICX 7650, and ICX 7750 devices, the minimum IPv4 and IPv6 MTU values for both physical
and virtual interfaces are 1280.
NOTE
You must save the configuration change and then reload the software to enable jumbo support.
To change the MTU for interface 1/1/5 to 1000, enter the following commands.
The num variable specifies the MTU. Ethernet II packets can hold IP packets from 576 through 1500 bytes long. If jumbo mode is
enabled, Ethernet II packets can hold IP packets up to 10,218 bytes long. Ethernet SNAP packets can hold IP packets from 576
through 1492 bytes long. If jumbo mode is enabled, SNAP packets can hold IP packets up to 10,214 bytes long. The default MTU
for Ethernet II packets is 1500. The default MTU for SNAP packets is 1492.
NOTE
Routing Information Protocol (RIP) does not use the router ID.
NOTE
If you change the router ID, all current BGP4 sessions are cleared.
If you prefer, you can explicitly set the router ID to any valid IP address. The IP address cannot be in use on another device in the
network.
NOTE
Ruckus Layer 3 switches use the same router ID for both OSPF and BGP4. If the router is already configured for OSPF,
you may want to use the router ID that is already in use on the router rather than set a new one. To display the router
ID, enter the show ip command at any CLI level or select the IP->General links from the Configure tree in the Web
Management Interface.
NOTE
You can specify an IP address used for an interface on the Ruckus Layer 3 switch, but do not specify an IP address in use
by another device.
When the Layer 3 switch originates a packet of one of the following types, the source address of the packet is the lowest-
numbered IP address on the interface that sends the packet:
• Telnet
• TACACS/TACACS+
• TFTP
• RADIUS
• Syslog
• SNTP
• SNMP traps
You can configure the Layer 3 switch to always use the lowest-numbered IP address on a specific Ethernet, loopback, or virtual
interface as the source addresses for these packets. When configured, the Layer 3 switch uses the same IP address as the source
for all packets of the specified type, regardless of the port that actually sends the packets.
Identifying a single source IP address for specified packets provides the following benefits:
• If your server is configured to accept packets only from specific IP addresses, you can use this feature to simplify
configuration of the server by configuring the Ruckus device to always send the packets from the same link or source
address.
• If you specify a loopback interface as the single source for specified packets, servers can receive the packets regardless
of the states of individual links. Thus, if a link to the server becomes unavailable but the client or server can be reached
through another link, the client or server still receives the packets, and the packets still have the source IP address of the
loopback interface.
The software contains separate CLI commands for specifying the source interface for specific packets. You can configure a source
interface for one or more of these types of packets separately.
The following sections show the syntax for specifying a single source IP address for specific packet types.
Telnet packets
To specify the lowest-numbered IP address configured on a virtual interface as the device source for all Telnet packets, enter
commands such as the following.
The commands in this example configure loopback interface 2, assign IP address 10.0.0.2/24 to the interface, then designate the
interface as the source for all Telnet packets from the Layer 3 switch.
The following commands configure an IP interface on an Ethernet port and designate the address port as the source for all Telnet
packets from the Layer 3 switch.
Syntax: [no] ip telnet source-interface { ethernet unit/slot/port | loopback num | management num | ve num }
TACACS/TACACS+ packets
To specify the lowest-numbered IP address configured on a virtual interface as the device source for all TACACS/TACACS+ packets,
enter commands such as the following.
device(config)# interface ve 1
device(config-vif-1)# ip address 10.0.0.3/24
device(config-vif-1)# exit
device(config)# ip tacacs source-interface ve 1
The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then designate the
interface as the source for all TACACS/TACACS+ packets from the Layer 3 switch.
Syntax: [no] ip tacacs source-interface { ethernet unit/slot/port | loopback num | management num | ve num }
RADIUS packets
To specify the lowest-numbered IP address configured on a virtual interface as the device source for all RADIUS packets, enter
commands such as the following.
device(config)# interface ve 1
device(config-vif-1)# ip address 10.0.0.3/24
device(config-vif-1)# exit
device(config)# ip radius source-interface ve 1
The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then designate the
interface as the source for all RADIUS packets from the Layer 3 switch.
Syntax: [no] ip radius source-interface { ethernet unit/slot/port | loopback num | management num | ve num }
TFTP packets
To specify the lowest-numbered IP address configured on a virtual interface as the device source for all TFTP packets, enter
commands such as the following.
device(config)# interface ve 1
device(config-vif-1)# ip address 10.0.0.3/24
device(config-vif-1)# exit
device(config)# ip tftp source-interface ve 1
The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then designate the
interface's address as the source address for all TFTP packets.
Syntax: [no] ip tftp source-interface { ethernet unit/slot/port | loopback num | management num | ve num }
The default is the lowest-numbered IP address configured on the port through which the packet is sent. The address therefore
changes, by default, depending on the port.
Syslog packets
To specify the lowest-numbered IP address configured on a virtual interface as the device source for all Syslog packets, enter
commands such as the following.
device(config)# interface ve 1
device(config-vif-1)# ip address 10.0.0.4/24
device(config-vif-1)# exit
device(config)# ip syslog source-interface ve 1
The commands in this example configure virtual interface 1, assign IP address 10.0.0.4/24 to the interface, then designate the
interface's address as the source address for all Syslog packets.
Syntax: [no] ip syslog source-interface { ethernet unit/slot/port | loopback num | management num | ve num }
The default is the lowest-numbered IP or IPv6 address configured on the port through which the packet is sent. The address
therefore changes, by default, depending on the port.
SNTP packets
To specify the lowest-numbered IP address configured on a virtual interface as the device source for all SNTP packets, enter
commands such as the following.
device(config)# interface ve 1
device(config-vif-1)# ip address 10.0.0.5/24
device(config-vif-1)# exit
device(config)# ip sntp source-interface ve 1
The commands in this example configure virtual interface 1, assign IP address 10.0.0.5/24 to the interface, then designate the
interface's address as the source address for all SNTP packets.
Syntax: [no] ip sntp source-interface { ethernet unit/slot/port | loopback num | management num | ve num }
The default is the lowest-numbered IP or IPv6 address configured on the port through which the packet is sent. The address
therefore changes, by default, depending on the port.
SNMP packets
To specify a loopback interface as the SNMP single source trap, enter commands such as the following.
The commands in this example configure loopback interface 1, assign IP address 10.0.0.1/24 to the loopback interface, then
designate the interface as the SNMP trap source for this device. Regardless of the port the Ruckus device uses to send traps to
the receiver, the traps always arrive from the same source IP address.
Syntax: [no] snmp-server trap-source { ethernet unit/slot/port | loopback num | ve num }
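The source-interface commands above matter most when a TACACS+, RADIUS, or Syslog server accepts packets only from listed addresses. The following Python audit is an added example, not Ruckus code: it reads a configuration written in the command form shown in this section and reports, for each packet type, whether the source is pinned, which address results, and whether the server would accept it. The sample configuration, the allow-list, and the finding names are constructed for illustration.

```python
import ipaddress
import re

# Packet types pinned with "ip <type> source-interface"; SNMP traps use
# "snmp-server trap-source" instead.
IP_PROTOCOLS = ("telnet", "tacacs", "tftp", "radius", "syslog", "sntp")
PROTOCOLS = IP_PROTOCOLS + ("snmp",)

IFACE_RE = re.compile(r"^interface (ethernet|loopback|management|ve) (\S+)$")
ADDR_RE = re.compile(r"^ip address (\S+)")
SRC_RE = re.compile(
    r"^ip (\w+) source-interface (ethernet|loopback|management|ve) (\S+)$")
TRAP_RE = re.compile(r"^snmp-server trap-source (ethernet|loopback|ve) (\S+)$")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """
interface loopback 1
 ip address 10.0.0.1/24
!
interface ve 1
 ip address 10.0.2.9/24
 ip address 10.0.1.3/24
!
ip tacacs source-interface ve 1
ip radius source-interface ve 1
ip syslog source-interface loopback 1
ip sntp source-interface ve 2
snmp-server trap-source loopback 1
"""

# Constructed allow-list: source addresses each server accepts.
SAMPLE_ALLOWED = {
    "tacacs": {"10.0.1.3"},
    "radius": {"10.0.0.1"},
    "syslog": {"10.0.0.1"},
}


def parse_config(text):
    """Return (addresses per interface, pinned source interface per type)."""
    addrs, pinned, current = {}, {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # drop indentation and repeated spaces
        if line in ("!", "exit"):
            current = None
        elif (m := IFACE_RE.match(line)):
            current = (m[1], m[2])
        elif current and (m := ADDR_RE.match(line)):
            addrs.setdefault(current, []).append(ipaddress.ip_interface(m[1]).ip)
        elif (m := SRC_RE.match(line)) and m[1] in IP_PROTOCOLS:
            pinned[m[1]] = (m[2], m[3])
        elif (m := TRAP_RE.match(line)):
            pinned["snmp"] = (m[1], m[2])
    return addrs, pinned


def audit(text, allowed):
    """Map each packet type to (finding, source address or None)."""
    addrs, pinned = parse_config(text)
    result = {}
    for proto in PROTOCOLS:
        iface = pinned.get(proto)
        if iface is None:
            # Default behaviour: the source follows the sending port.
            result[proto] = ("unpinned", None)
            continue
        configured = addrs.get(iface)
        if not configured:
            result[proto] = ("no-address", None)
            continue
        src = str(min(configured))  # lowest-numbered address on the interface
        if proto in allowed and src not in allowed[proto]:
            result[proto] = ("not-allowed", src)
        elif iface[0] != "loopback":
            # Pinned, but the address depends on that interface staying up.
            result[proto] = ("not-loopback", src)
        else:
            result[proto] = ("ok", src)
    return result


if __name__ == "__main__":
    for proto, (finding, src) in audit(SAMPLE_CONFIG, SAMPLE_ALLOWED).items():
        print(f"{proto:8} {finding:13} {src or '-'}")
```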
While the timer is running, if any of the ports comes into forwarding state, the device cancels the timer and does not notify the
VE down event to the protocols.
NOTE
In the case of multiple flaps, if any of the ports comes into forwarding state before the delay notification timer expires,
the device cancels the timer and starts a fresh timer on the next port down event. In case of continuous flaps where the
flap time is less than the delay notification timer, the flaps can be detected by other methods such as port statistics, a drop in
traffic, or the convergence logs of Layer 2 loop detection protocols.
Suppressing the link status notification allows a quick port status change and recovery to occur without triggering any of the
changes that are necessary when a port stays down.
NOTE
Configuring delayed Layer 3 notifications on the VE feature is supported on ICX 7150, ICX 7250, ICX 7450, ICX 7650, and
ICX 7750 product families from Ruckus.
The following example shows how to configure the delay time for notifying the Layer 3 protocols of the VE down event.
device(config)# interface ve 50
device(config-vif-50)# delay-notifications 20
All these parameters are global and thus affect all IP interfaces configured on the Layer 3 switch.
The default value for the TTL threshold is 64. You can change the TTL threshold to a value from 1 through 255.
device(config)# ip ttl 25
NOTE
A less common type, the all-subnets broadcast, goes to all directly-attached subnets. Forwarding for this broadcast type
also is supported, but most networks use IP multicasting instead of all-subnet broadcasting.
Forwarding for all types of IP directed broadcasts is disabled by default. You can enable forwarding for all types if needed. You
cannot enable forwarding for specific broadcast types.
To enable forwarding of IP directed broadcasts, enter the ip directed-broadcast command in device configuration mode.
Ruckus software makes the forwarding decision based on the router's knowledge of the destination network prefix. Routers
cannot determine that a message is unicast or directed broadcast apart from the destination network prefix. The decision to
forward or not forward the message is by definition only possible in the last hop router.
To disable the directed broadcasts, enter the no ip directed-broadcast command in device configuration mode.
To enable directed broadcasts on an individual interface instead of globally for all interfaces, enter the ip directed-broadcast
command at the interface configuration level as shown in the following example.
NOTE
The Layer 3 switch allows you to disable sending of the Source-Route-Failure messages.
• Loose source routing - Requires that the packet pass through all of the listed routers but also allows the packet to travel
through other routers, which are not listed in the packet.
The Layer 3 switch forwards both types of source-routed packets by default. To disable the feature, use either of the following
methods. You cannot enable or disable strict or loose source routing separately.
Most IP hosts are configured to receive IP subnet broadcast packets with all ones in the host portion of the address. However,
some older IP hosts instead expect IP subnet broadcast packets that have all zeros instead of all ones in the host portion of the
address. To accommodate this type of host, you can enable the Layer 3 switch to treat IP packets with all zeros in the host
portion of the destination IP address as broadcast packets.
NOTE
When you enable the Layer 3 switch for zero-based subnet broadcasts, the Layer 3 switch still treats IP packets with all
ones in the host portion as IP subnet broadcasts too. Thus, the Layer 3 switch can be configured to support all ones only
(the default) or all ones and all zeroes.
NOTE
This feature applies only to IP subnet broadcasts, not to local network broadcasts. The local network broadcast address
is still expected to be all ones.
To enable the Layer 3 switch for zero-based IP subnet broadcasts in addition to ones-based IP subnet broadcasts, enter the
following command.
device(config)# ip broadcast-zero
device(config)# write memory
device(config)# end
device# reload
NOTE
You must save the configuration and reload the software to place this configuration change into effect.
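The broadcast rules described above (no broadcast addresses on a 31-bit mask, directed-broadcast forwarding decided only at the last-hop router and disabled by default, and optional zero-based subnet broadcasts) can be modelled as follows. This Python sketch is an added example, not Ruckus code; the function names and result labels are hypothetical, the interface addresses are those of Router A and Router B in the configuration example, and treating a zero-based broadcast like a ones-based one for forwarding is an assumption of the sketch.

```python
import ipaddress

# Interface addresses from the Router A / Router B configuration example.
ROUTER_A = ["10.1.1.0/31"]
ROUTER_B = ["10.1.1.1/31", "10.2.2.1/24"]


def classify(dst, prefix, broadcast_zero=False):
    """Classify dst against one attached prefix.

    Returns None if dst is outside the prefix, "broadcast" if it is a
    subnet broadcast for the prefix, otherwise "host".
    """
    net = ipaddress.ip_network(prefix, strict=False)
    addr = ipaddress.ip_address(dst)
    if addr not in net:
        return None
    if net.prefixlen >= 31:
        # 31-bit mask: both addresses are host addresses, nothing is rebroadcast.
        return "host"
    if addr == net.broadcast_address:
        return "broadcast"  # {Network-number, -1}
    if addr == net.network_address and broadcast_zero:
        return "broadcast"  # {Network-number, 0}, only with ip broadcast-zero
    return "host"


def decide(dst, attached, directed_broadcast=False, broadcast_zero=False):
    """Forwarding decision of a router whose attached prefixes are given.

    "transit"       dst is not on an attached subnet; routed like any unicast
    "unicast"       dst is on an attached subnet and is not a broadcast
    "rebroadcast"   directed broadcast on an attached subnet, forwarding enabled
    "not-forwarded" directed broadcast on an attached subnet, forwarding disabled
    """
    for prefix in attached:
        kind = classify(dst, prefix, broadcast_zero)
        if kind == "host":
            return "unicast"
        if kind == "broadcast":
            return "rebroadcast" if directed_broadcast else "not-forwarded"
    return "transit"


if __name__ == "__main__":
    cases = [
        ("10.1.1.0", ROUTER_B, {}),
        ("10.2.2.255", ROUTER_B, {}),
        ("10.2.2.255", ROUTER_B, {"directed_broadcast": True}),
        ("10.2.2.0", ROUTER_B, {"directed_broadcast": True}),
        ("10.2.2.0", ROUTER_B, {"directed_broadcast": True, "broadcast_zero": True}),
        ("10.2.2.255", ROUTER_A, {"directed_broadcast": True}),
    ]
    for dst, attached, opts in cases:
        print(dst, attached, opts, "->", decide(dst, attached, **opts))
```

Router A returns "transit" for 10.2.2.255 even with forwarding enabled, because it has no attached prefix that identifies the address as a broadcast; only Router B, the last hop, can make that decision.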
You can selectively disable the following types of Internet Control Message Protocol (ICMP) messages:
• Echo messages (ping messages) - The Layer 3 switch replies to IP pings from other IP devices.
• Destination Unreachable messages - If the Layer 3 switch receives an IP packet that it cannot deliver to its destination,
the Layer 3 switch discards the packet and sends a message back to the device that sent the packet to the Layer 3
switch. The message informs the device that the destination cannot be reached by the Layer 3 switch.
If you need to re-enable response to ping requests, enter the following command.
You can disable the Ruckus device from sending these types of ICMP messages on an individual basis. To do so, use the following
CLI method.
NOTE
Disabling an ICMP Unreachable message type does not change the Ruckus device's ability to forward packets. Disabling
ICMP Unreachable messages prevents the device from generating or forwarding the Unreachable messages.
To disable all ICMP Unreachable messages, enter the no ip icmp unreachable command.
Syntax: [no] ip icmp unreachable { host | protocol | administration | fragmentation-needed | port | source-route-fail }
• If you enter the command without specifying a message type (as in the example above), all types of ICMP Unreachable
messages listed above are disabled. If you want to disable only specific types of ICMP Unreachable messages, you can
specify the message type. To disable more than one type of ICMP message, enter the no ip icmp unreachable
command for each message type.
• The host parameter disables ICMP Host Unreachable messages.
• The protocol parameter disables ICMP Protocol Unreachable messages.
• The administration parameter disables ICMP Unreachable (caused by Administration action) messages.
• The fragmentation-needed parameter disables ICMP Fragmentation-Needed But Do not-Fragment Bit Set messages.
• The port parameter disables ICMP Port Unreachable messages.
• The source-route-fail parameter disables ICMP Unreachable (caused by Source-Route-Failure) messages.
To disable ICMP Host Unreachable messages but leave the other types of ICMP Unreachable messages enabled, enter the
following commands instead of the command shown above.
If you have disabled all ICMP Unreachable message types but you want to re-enable certain types, for example ICMP Host
Unreachable messages, you can do so by entering the following command.
NOTE
The device forwards misdirected traffic to the appropriate router, even if you disable the redirect messages.
By default, ICMP redirect is disabled at the global level: a Ruckus Layer 3 switch forwards a misdirected packet to the
appropriate router but does not send an ICMP redirect message to the source of the packet. To enable ICMP redirect
messages globally, enter the following command at the global CONFIG level of the CLI:
To disable ICMP redirect messages on a specific virtual interface, enter the following command at the configuration level for the
virtual interface:
device(config-vlan-10)# interface ve 10
device(config-vif-10)# no ip redirect
When the software uses the default network route, it also uses the default network route's next hop gateway as the gateway of
last resort.
This feature is especially useful in environments where network topology changes can make the next hop gateway unreachable.
This feature allows the Layer 3 switch to perform default routing even if the default network route's default gateway changes.
The feature thus differs from standard default routes. When you configure a standard default route, you also specify the next
hop gateway. If a topology change makes the gateway unreachable, the default route becomes unusable.
For example, if you configure 10.10.10.0/24 as a candidate default network route, if the IP route table does not contain an explicit
default route (0.0.0.0/0), the software uses the default network route and automatically uses that route's next hop gateway as the
default gateway. If a topology change occurs and as a result the default network route's next hop gateway changes, the software
can still use the default network route. To configure a default network route, use the following CLI method.
If you configure more than one default network route, the Layer 3 switch uses the following algorithm to select one of the routes.
To verify that the route is in the route table, enter the following command at any level of the CLI.
This example shows two routes. Both of the routes are directly attached, as indicated in the Type column. However, one of the
routes is shown as type "*D", with an asterisk (*). The asterisk indicates that this route is a candidate for the default network
route.
IP load sharing uses a hashing algorithm based on the source IP address, destination IP address, and protocol field in the IP
header, TCP, and UDP information.
NOTE
IP load sharing is also called "Equal-Cost Multi-Path (ECMP) load sharing" or just "ECMP".
NOTE
IP load sharing is based on next-hop routing, and not on source routing.
NOTE
The term "path" refers to the next-hop router to a destination, not to the entire route to a destination. Thus, when the
software compares multiple equal-cost paths, the software is comparing paths that use different next-hop routers, with
equal costs, to the same destination. In many contexts, the terms "route" and "path" mean the same thing. The term
"path" is used in this section to refer to an individual next-hop router to a destination, while the term "route" refers
collectively to the multiple paths to the destination. Load sharing applies when the IP route table contains multiple,
equal-cost paths to a destination.
NOTE
Ruckus devices also perform load sharing among the ports in aggregate links. Refer to "Trunk group load sharing" in the
Ruckus FastIron Layer 2 Switching Configuration Guide.
The value of the administrative distance is determined by the source of the route. The Layer 3 switch is configured with a unique
administrative distance value for each IP route source.
When the software receives multiple paths to the same destination and the paths are from different sources, the software
compares the administrative distances of the paths and selects the path with the lowest administrative distance. The software
then places the path with the lowest administrative distance in the IP route table. For example, if the Layer 3 switch has a path
learned from OSPF and a path learned from IBGP for a given destination, only the path with the lower administrative distance
enters the IP route table.
Here are the default administrative distances on the Ruckus Layer 3 switch:
• Directly connected - 0 (this value is not configurable)
• Static IP route - 1 (applies to all static routes, including default routes and default network routes)
• Exterior Border Gateway Protocol (EBGP) - 20
• OSPF - 110
• Interior Border Gateway Protocol (IBGP) - 200
• Local BGP - 200
• Unknown - 255 (the router will not use this route)
Lower administrative distances are preferred over higher distances. For example, if the router receives routes for the same
network from OSPF and from IBGP, the router will prefer the OSPF route by default.
NOTE
You can change the administrative distances individually. Refer to the configuration chapter for the route source for
information.
Because the software selects only the path with the lowest administrative distance, and the administrative distance is determined
by the path source, IP load sharing applies only when the IP route table contains multiple paths to the same destination, from
the same IP route source.
IP load sharing does not apply to paths that come from different sources.
Path cost
The cost parameter provides a common basis of comparison for selecting from among multiple paths to a given destination.
Each path in the IP route table has a cost. When the IP route table contains multiple paths to a destination, the Layer 3 switch
chooses the path with the lowest cost. When the IP route table contains more than one path with the lowest cost to a
destination, the Layer 3 switch uses IP load sharing to select one of the lowest-cost paths.
The source of a path cost value depends on the source of the path:
• IP static route - The value you assign to the metric parameter when you configure the route. The default metric is 1.
• OSPF - The Path Cost associated with the path. The paths can come from any combination of inter-area, intra-area, and
external Link State Advertisements (LSAs).
• BGP4 - The path Multi-Exit Discriminator (MED) value.
NOTE
If the path is redistributed between two or more of the above sources before entering the IP route table, the cost can
increase during the redistribution due to settings in redistribution filters.
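The selection order described above (administrative distance first, then path cost within the winning source, then load sharing across the remaining equal-cost paths) is shown in the following Python model. It is an added example, not Ruckus code: the Path record, the function names, and the sample paths are constructed, max_paths stands in for the configured IP load sharing value, and the SHA-256 flow hash is only a stand-in for the device's hashing algorithm, which this guide does not specify.

```python
import hashlib
import ipaddress
from collections import namedtuple

# Default administrative distances listed in this section.
DEFAULT_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "ospf": 110,
    "ibgp": 200, "local-bgp": 200, "unknown": 255,
}
UNUSABLE = 255  # a route with this distance is never used

# One candidate path to a single destination: route source, next hop, cost.
Path = namedtuple("Path", "source next_hop cost")

# Constructed candidates for one destination prefix.
SAMPLE_PATHS = [
    Path("ospf", "10.2.2.2", 20),
    Path("ospf", "10.1.1.0", 20),
    Path("ospf", "10.2.2.3", 30),
    Path("ibgp", "10.2.2.4", 0),  # lower cost, but higher distance
]


def install(paths, max_paths=4, distance=None):
    """Return the paths placed in the route table for one destination."""
    distance = distance or DEFAULT_DISTANCE
    usable = [p for p in paths
              if distance.get(p.source, UNUSABLE) < UNUSABLE]
    if not usable:
        return []
    # 1. Only the source with the lowest administrative distance is kept.
    best = min(usable, key=lambda p: (distance[p.source], p.source))
    same_source = [p for p in usable if p.source == best.source]
    # 2. Within that source, only the lowest-cost paths are kept.
    low = min(p.cost for p in same_source)
    equal_cost = [p for p in same_source if p.cost == low]
    # 3. Load sharing applies to what remains, up to the configured limit.
    equal_cost.sort(key=lambda p: ipaddress.ip_address(p.next_hop))
    return equal_cost[:max_paths]


def pick_path(ecmp, src, dst, proto, sport=0, dport=0):
    """Map one flow to one next hop; the same flow always gets the same path."""
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    index = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(ecmp)
    return ecmp[index]


if __name__ == "__main__":
    table = install(SAMPLE_PATHS)
    print("installed:", [p.next_hop for p in table])
    print("flow ->", pick_path(table, "10.9.9.1", "10.3.3.7", 6, 40001, 443).next_hop)
    with_static = SAMPLE_PATHS + [Path("static", "10.2.2.5", 1)]
    print("with static:", [p.next_hop for p in install(with_static)])
```

The IBGP path is excluded even though its cost is lower, because cost is compared only among paths from the source that wins on administrative distance.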
The load sharing state for all the route sources is based on the state of IP load sharing. Since IP load sharing is enabled by default
on all Ruckus Layer 3 switches, load sharing for static IP routes, OSPF routes, and BGP4 routes also is enabled by default.
NOTE
In the table below, the default and the maximum number of paths for a static IP route and OSPF depend on the value
for IP load sharing, and are not separately configurable.
NOTE
In the table below, the default and the maximum number of paths are not applicable for BGP4 using the Ruckus ICX
7210 and ICX 7250.
Static IP route 4 8 32
OSPF 4 8 32
BGP4 1 4 32
device(config)# no ip load-sharing
Syntax: no ip load-sharing
8 32
For optimal results, set the maximum number of paths to a value at least as high as the maximum number of equal-cost paths
your network typically contains. For example, if the Layer 3 switch you are configuring for IP load sharing has six next-hop
routers, set the maximum paths value to six.
To change the number of IP load sharing paths, enter a command such as the following.
device(config)# ip load-sharing 6
The configuration of the maximum number of IP load sharing paths to a value more than 8 is determined by the maximum
number of ECMP paths defined at the system level using the system-max max-ecmp command. You cannot configure the
maximum number of IP load sharing paths higher than the value defined at the system level. Also, you cannot configure the
maximum number of ECMP paths at the system level to a value less than the configured IP load sharing value.
To define the maximum number of ECMP paths at the system level, enter a command such as the following.
The num variable specifies the maximum number of ECMP paths and the value range can be from 8 through 32. This command
is supported only on the Ruckus ICX 7650 and ICX 7750.
You must save the configuration and reload the device for the maximum ECMP value change to take effect.
When a route is installed by routing protocols or by a configured static route for the first time, and the IPv6 route table contains
multiple, equal-cost paths to that route, the device checks the IPv6 neighbor for each next hop. Every next hop where the link
layer address has been resolved will be stored in hardware. The device will initiate neighbor discovery for the next hops whose
link layer addresses are not resolved. The hardware will hash the packet and choose one of the paths. The number of paths
would be updated in hardware as the link layer gets resolved for a next hop.
If the path selected by the device becomes unavailable, the IPv6 neighbor should change state and trigger the update of the
destination path in the hardware.
Ruckus FastIron devices support network-based ECMP load-sharing methods for IPv6 traffic. The Ruckus device distributes traffic
across equal-cost paths based on an XOR of some bits from the MAC source address, MAC destination address, IPv6 source
address, IPv6 destination address, IPv6 flow label, and IPv6 next header. The software selects a path based on a calculation involving
the maximum number of load-sharing paths allowed and the actual number of paths to the destination network. This is the
default ECMP load-sharing method for IPv6.
You can manually disable or enable ECMP load sharing for IPv6 and specify the number of equal-cost paths the device can
distribute traffic across. In addition, you can display information about the status of ECMP load-sharing on the device.
If you want to re-enable the feature after disabling it, you must specify the number of load-sharing paths. By entering a
command such as the following, IPv6 load-sharing will be re-enabled.
device(config)# ipv6 load-sharing 4
The num variable specifies the number of paths and can be from 2 through 8. The default is 4. On ICX 7650 and ICX 7750 devices, the
value of the num variable can be from 2 through 32.
The configuration of the maximum number of IP load sharing paths to a value more than 8 is determined by the maximum
number of ECMP paths defined at the system level using the system-max max-ecmp command. You cannot configure the
maximum number of IP load sharing paths higher than the value defined at the system level.
To define the maximum number of ECMP paths at the system level, enter a command such as the following.
The num variable specifies the maximum number of ECMP paths and the value range can be from 8 through 32. This is
supported only on ICX 7650 and ICX 7750 devices.
To change the number of ECMP load sharing paths for IPv6, enter a command such as the following.
device(config)# ipv6 load-sharing 6
The num variable specifies the number of paths and can be from 2 through 8, depending on the device you are configuring. On
the Ruckus ICX 7650 and ICX 7750, the value of the num variable can be from 2 through 32.
The configuration of the maximum number of IP load sharing paths to a value more than 8 is determined by the maximum
number of ECMP paths defined at the system level using the system-max max-ecmp command. You cannot configure the
maximum number of IP load sharing paths higher than the value defined at the system level. Also, you cannot configure the
maximum number of ECMP paths at the system level to a value less than the configured IP load sharing value.
To define the maximum number of ECMP paths at the system level, enter a command such as the following.
The num variable specifies the maximum number of ECMP paths and the value range can be from 8 through 32. This command
is supported only on ICX 7650 and ICX 7750.
You must save the configuration and reload the device for the maximum ECMP value change to take effect.
device# show ipv6
Global Settings
unicast-routing enabled, hop-limit 64
No IPv6 Domain Name Set
No IPv6 DNS Server Address set
Prefix-based IPv6 Load-sharing is Enabled, Number of load share paths: 4
NOTE
You can configure IRDP parameters only on an individual port basis. To do so, IRDP must be disabled globally and enabled
only on individual ports. You cannot configure IRDP parameters if the feature is globally enabled.
When IRDP is enabled, the Layer 3 switch periodically sends Router Advertisement messages out the IP interfaces on which the
feature is enabled. The messages advertise the Layer 3 switch IP addresses to directly attached hosts who listen for the
messages. In addition, hosts can be configured to query the Layer 3 switch for the information by sending Router Solicitation
messages.
Some types of hosts use the Router Solicitation messages to discover their default gateway. When IRDP is enabled on the Ruckus
Layer 3 switch, the Layer 3 switch responds to the Router Solicitation messages. Some clients interpret this response to mean
that the Layer 3 switch is the default gateway. If another router is actually the default gateway for these clients, leave IRDP
disabled on the Ruckus Layer 3 switch.
IRDP parameters
IRDP uses the following parameters. If you enable IRDP on individual ports instead of enabling the feature globally, you can
configure these parameters on an individual port basis:
• Packet type - The Layer 3 switch can send Router Advertisement messages as IP broadcasts or as IP multicasts
addressed to IP multicast group 224.0.0.1. The default packet type is IP broadcast.
• Maximum message interval and minimum message interval - When IRDP is enabled, the Layer 3 switch sends the
Router Advertisement messages every 450 - 600 seconds by default. The time within this interval that the Layer 3 switch
selects is random for each message and is not affected by traffic loads or other network factors. The random interval
minimizes the probability that a host will receive Router Advertisement messages from other routers at the same time.
The interval on each IRDP-enabled Layer 3 switch interface is independent of the interval on other IRDP-enabled
interfaces. The default maximum message interval is 600 seconds. The default minimum message interval is 450
seconds.
• Hold time - Each Router Advertisement message contains a hold time value. This value specifies the maximum amount
of time the host should consider an advertisement to be valid until a newer advertisement arrives. When a new
advertisement arrives, the hold time is reset. The hold time is always longer than the maximum advertisement interval.
Therefore, if the hold time for an advertisement expires, the host can reasonably conclude that the router interface that
sent the advertisement is no longer available. The default hold time is three times the maximum message interval.
• Preference - If a host receives multiple Router Advertisement messages from different routers, the host selects the
router that sent the message with the highest preference as the default gateway. The preference can be a number from
0-4294967296. The default is 0.
device(config)# ip irdp
This command enables IRDP on the IP interfaces on all ports. Each port uses the default values for the IRDP parameters. The
parameters are not configurable when IRDP is globally enabled.
This example shows how to enable IRDP on a specific port and change the maximum advertisement interval for Router
Advertisement messages to 400 seconds.
NOTE
To enable IRDP on individual ports, you must leave the feature globally disabled.
Syntax: [no] ip irdp { broadcast | multicast } [ holdtime seconds ] [ maxadvertinterval seconds ] [ minadvertinterval
seconds ] [ preference number ]
The broadcast and multicast parameters specify the packet type the Layer 3 switch uses to send Router Advertisements:
• broadcast - The Layer 3 switch sends Router Advertisements as IP broadcasts. This is the default.
• multicast - The Layer 3 switch sends Router Advertisements as multicast packets addressed to IP multicast group
224.0.0.1.
The holdtime seconds parameter specifies how long a host that receives a Router Advertisement from the Layer 3 switch should
consider the advertisement to be valid. When a host receives a new Router Advertisement message from the Layer 3 switch, the
host resets the hold time for the Layer 3 switch to the hold time specified in the new advertisement. If the hold time of an
advertisement expires, the host discards the advertisement, concluding that the router interface that sent the advertisement is
no longer available. The value must be greater than the value of the maxadvertinterval parameter and cannot be greater than
9000. The default is three times the value of the maxadvertinterval parameter.
The maxadvertinterval parameter specifies the maximum amount of time the Layer 3 switch waits between sending Router
Advertisements. You can specify a value from 1 to the current value of the holdtime parameter. The default is 600 seconds.
The minadvertinterval parameter specifies the minimum amount of time the Layer 3 switch can wait between sending Router
Advertisements. The default is three-fourths (0.75) the value of the maxadvertinterval parameter. If you change the
maxadvertinterval parameter, the software automatically adjusts the minadvertinterval parameter to be three-fourths the
new value of the maxadvertinterval parameter. If you want to override the automatically configured value, you can specify an
interval from 1 to the current value of the maxadvertinterval parameter.
The preference number parameter specifies the IRDP preference level of this Layer 3 switch. If a host receives Router
Advertisements from multiple routers, the host selects the router interface that sent the message with the highest preference as the
host default gateway. The valid range is from 0 to 4294967296. The default is 0.
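The following Python audit is an added example, not part of the Ruckus guide or the FastIron software. It checks `ip irdp` statements against the limits described above (holdtime greater than maxadvertinterval and at most 9000, minadvertinterval between 1 and maxadvertinterval, per-port parameters only while IRDP is globally disabled) and computes the effective defaults. The configuration layout (interface blocks separated by `!`) and the sample text are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

HOLDTIME_MAX = 9000          # upper bound for holdtime stated in the text
PREFERENCE_MAX = 4294967296  # upper bound for preference as printed in the text
DEFAULT_MAXADVERT = 600      # default maxadvertinterval in seconds
OPTIONS = ("holdtime", "maxadvertinterval", "minadvertinterval", "preference")

# Constructed sample configuration (layout assumed, not captured from a device).
SAMPLE_CONFIG = """\
ip irdp
!
interface ethernet 1/1/3
 ip irdp multicast maxadvertinterval 400
!
interface ethernet 1/1/4
 ip irdp broadcast holdtime 300 maxadvertinterval 400 minadvertinterval 500
!
interface ve 10
 ip irdp broadcast holdtime 9500 preference 10
!
"""


@dataclass
class IrdpPort:
    interface: str
    packet_type: str
    holdtime: int
    maxadvert: int
    minadvert: int
    preference: int
    findings: list = field(default_factory=list)


def parse_port_statement(interface, tokens):
    """Build an IrdpPort from the tokens that follow 'ip irdp' on an interface."""
    packet_type = tokens[0] if tokens else ""
    opts, findings = {}, []
    if packet_type not in ("broadcast", "multicast"):
        findings.append("packet type must be broadcast or multicast")
    rest = tokens[1:]
    if len(rest) % 2:
        findings.append(f"option without a value: {rest[-1]}")
    for key, value in zip(rest[0::2], rest[1::2]):
        if key in OPTIONS and value.isdigit():
            opts[key] = int(value)
        else:
            findings.append(f"unrecognised option: {key} {value}")
    # Effective values: explicit setting first, otherwise the documented default.
    maxadvert = opts.get("maxadvertinterval", DEFAULT_MAXADVERT)
    holdtime = opts.get("holdtime", 3 * maxadvert)
    minadvert = opts.get("minadvertinterval", maxadvert * 3 // 4)
    preference = opts.get("preference", 0)
    if maxadvert < 1:
        findings.append("maxadvertinterval must be at least 1")
    if holdtime <= maxadvert:
        findings.append(
            f"holdtime {holdtime} is not greater than maxadvertinterval {maxadvert}")
    if "holdtime" in opts and holdtime > HOLDTIME_MAX:
        findings.append(f"holdtime {holdtime} exceeds the maximum of {HOLDTIME_MAX}")
    if "minadvertinterval" in opts and not 1 <= minadvert <= maxadvert:
        findings.append(
            f"minadvertinterval {minadvert} is outside 1..{maxadvert}")
    if preference > PREFERENCE_MAX:
        findings.append(f"preference {preference} exceeds {PREFERENCE_MAX}")
    return IrdpPort(interface, packet_type, holdtime, maxadvert,
                    minadvert, preference, findings)


def audit_irdp(config_text):
    """Return (global_enabled, ports, global_findings) for a configuration text."""
    global_enabled, current, ports = False, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
        elif line == "!":
            current = None
        elif line.split()[:2] == ["ip", "irdp"]:
            if current is None:
                global_enabled = True   # global form: every port, default values
            else:
                ports[current] = parse_port_statement(current, line.split()[2:])
    global_findings = []
    if global_enabled and ports:
        global_findings.append(
            "IRDP is enabled globally, so per-port parameters cannot apply on: "
            + ", ".join(sorted(ports)))
    return global_enabled, ports, global_findings


if __name__ == "__main__":
    enabled, ports, global_findings = audit_irdp(SAMPLE_CONFIG)
    for message in global_findings:
        print("global:", message)
    for port in ports.values():
        print(f"{port.interface}: {port.packet_type} hold={port.holdtime} "
              f"max={port.maxadvert} min={port.minadvert} pref={port.preference}")
        for message in port.findings:
            print("   finding:", message)
```

Because hosts pick the advertiser with the highest preference as their default gateway, the reported preference per port is worth reviewing alongside the findings.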
You can configure the Layer 3 switch to forward clients' requests to UDP application servers. To do so:
• Enable forwarding support for the UDP application port, if forwarding support is not already enabled.
• Configure a helper address on the interface connected to the clients. Specify the helper address to be the IP address of
the application server or the subnet directed broadcast address for the IP subnet the server is in. A helper address is
associated with a specific interface and applies only to client requests received on that interface. The Layer 3 switch
forwards client requests for any of the application ports the Layer 3 switch is enabled to forward to the helper address.
NOTE
The application names are the names for these applications that the Layer 3 switch software recognizes, and might not
match the names for these applications on some third-party devices. The numbers listed in parentheses are the UDP
port numbers for the applications. The numbers come from RFC 1340.
NOTE
Forwarding support for BootP/DHCP is enabled by default.
You can enable forwarding for other applications by specifying the application port number.
You also can disable forwarding for an application.
NOTE
If you disable forwarding for a UDP application, forwarding of client requests received as broadcasts to helper
addresses is disabled. Disabling forwarding of an application does not disable other support for the application. For
example, if you disable forwarding of Telnet requests to helper addresses, other Telnet support on the Layer 3 switch is
not also disabled.
NOTE
You also must configure a helper address on the interface that is connected to the clients for the application. The Layer
3 switch cannot forward the requests unless you configure the helper address.
The udp-port-name parameter can have one of the following values. For reference, the corresponding port numbers from RFC
1340 are shown in parentheses. If you specify an application name, enter the name only, not the parentheses or the port
number shown here:
• bootpc (port 68)
• bootps (port 67)
• discard (port 9)
• dns (port 53)
• dnsix (port 90)
• echo (port 7)
• mobile-ip (port 434)
• netbios-dgm (port 138)
• netbios-ns (port 137)
• ntp (port 123)
• tacacs (port 65)
• talk (port 517)
• time (port 37)
• tftp (port 69)
In addition, you can specify any UDP application by using the application UDP port number.
The udp-port-num parameter specifies the UDP application port number. If the application you want to enable is not listed above,
enter the application port number. You also can list the port number for any of the applications listed above.
This command disables forwarding of SNMP requests to the helper addresses configured on Layer 3 switch interfaces.
You can configure up to 16 helper addresses on each interface. You can configure a helper address on an Ethernet port or a
virtual interface.
To configure a helper address on unit 1, slot 1, port 2, enter the following commands.
The commands in this example change the CLI to the configuration level for port 1/1/2, then add a helper address for server
10.95.7.6 to the port. If the port receives a client request for any of the applications that the Layer 3 switch is enabled to forward,
the Layer 3 switch forwards the client request to the server.
By default, IP helper does not forward client broadcast requests to a server within the network.
To forward a client broadcast request when the client and server are on the same network, configure an IP helper with unicast
option on the interface connected to the client.
To configure an IP helper unicast option on unit 1, slot 1, port 2, enter the following commands:
The IP helper with unicast parameter forwards the client request to the server 10.10.10.1 which is within the network.
The num variable specifies the helper address number and can be from 1 through 16.
The ip-addr variable specifies the server IP address or the subnet directed broadcast address of the IP subnet the server is in.
The unicast parameter specifies that the client request must be forwarded to the server that is on the same network.
By default, the CLI displays network masks in classical IP address format (example: 255.255.255.0). You can change the display to
prefix format.
or
You also can enter the IP address and mask in CIDR format, as follows.
To specify the Layer 2 switch default gateway, enter a command such as the following.
NOTE
When configuring an IP address on a Layer 2 switch that has multiple VLANs, make sure the configuration includes a
designated management VLAN that identifies the VLAN to which the global IP address belongs. Refer to "Designated
VLAN for Telnet management sessions to a Layer 2 Switch" in the Ruckus FastIron Security Configuration Guide.
For example, if the domain "newyork.com" is defined on a Ruckus Layer 2 switch or Layer 3 switch and you want to initiate a ping
to host "NYC01" on that domain, you need to reference only the host name in the command instead of the host name and its
domain name. For example, you could enter either of the following commands to initiate the ping.
To define four possible default DNS gateway addresses, enter a command such as the following:
In this example, the first IP address in the ip dns server-address command becomes the primary gateway address and all others
are secondary addresses. Because IP address 10.98.7.15 is the last address listed, it is also the last address consulted to resolve a
query.
Syntax: traceroute host-ip-addr [ maxttl value ] [ minttl value ] [ numeric ] [ timeout value ] [ source-ip ip-addr ]
The only required parameter is the IP address of the host at the other end of the route.
After you enter the command, a message appears on the screen indicating that the DNS query is in process and showing the
current gateway address (IP address of the domain name server) being queried.
NOTE
In the previous example, 10.157.22.199 is the IP address of the domain name server (default DNS gateway address), and
10.157.22.80 represents the IP address of the NYC02 host.
The default TTL is 64. You can change the ttl-threshold to a value from 1 through 255.
device(config)# ip ttl 25
device(config)# exit
NOTE
ICX 7150 devices do not support Generic Routing Encapsulation (GRE) tunnels.
Ruckus devices allow the tunneling of packets of the following protocols over an IPv4 network using GRE:
• OSPF V2
• BGP4
• RIP V1 and V2
NOTE
ICX 7150 devices do not support Generic Routing Encapsulation (GRE) tunnels.
RFC 1191 describes a method for dynamically discovering the maximum transmission unit (MTU) of an arbitrary internet path.
When a FastIron device receives an IP packet that has its Do not Fragment (DF) bit set, and the packet size is greater than the
MTU value of the outbound interface, then the FastIron device returns an ICMP Destination Unreachable message to the source
of the packet, with the code indicating "fragmentation needed and DF set". The ICMP Destination Unreachable message includes
the MTU of the outbound interface. The source host can use this information to help determine the minimum MTU of a path to a
destination.
RFC 4459 describes solutions for issues with large packets over a tunnel. The following methods, from RFC 4459, are supported:
• If a source attempts to send packets that are larger than the lowest MTU value along the path, Path MTU Discovery
(PMTUD) can signal to the source to send smaller packets. This method is described in Section 3.2 of RFC 4459.
• Inner packets can be fragmented before encapsulation, in such a manner that the encapsulated packet fits in the tunnel
path MTU, which is discovered using PMTUD. This method is described in Section 3.4 of RFC 4459.
NOTE
ICX 7150 devices do not support tunnels.
NOTE
ICX 7150 devices do not support Generic Routing Encapsulation (GRE) tunnels.
NOTE
The above features are supported on VLANs that do not have VE ports.
• Whenever multiple IP addresses are configured on a tunnel source, the primary address of the tunnel is always used for
forming the tunnel connections. Therefore, carefully check the configurations when configuring the tunnel destination.
• When a GRE tunnel is configured, you cannot configure the same routing protocol on the tunnel through which you
learn the route to the tunnel destination. For example, if the FastIron learns the tunnel destination route through the
OSPF protocol, you cannot configure the OSPF protocol on the same tunnel and vice-versa. When a tunnel has OSPF
configured, the FastIron cannot learn the tunnel destination route through OSPF. This could cause the system to become
unstable.
• The tunnel destination cannot be resolved to the tunnel itself or any other local tunnel. This is called recursive routing.
This scenario would cause the tunnel interface to flap and the Syslog message TUN-RECURSIVE-DOWN to be logged. To
resolve this issue, create a static route for the tunnel destination.
NOTE
ICX 7150 devices do not support Generic Routing Encapsulation (GRE) tunnels.
NOTE
The fragmentation behavior depends on the mtu-exceed setting on the router.
NOTE
ICX 7150 devices do not support Generic Routing Encapsulation (GRE) tunnels. The below tasks are not supported for
ICX 7150 devices.
Required tasks
• Create a tunnel interface. Default: Not assigned
• Configure the source address or source interface for the tunnel interface. Default: Not assigned
• Configure the destination address of the tunnel interface. Default: Not assigned
• Enable GRE encapsulation on the tunnel interface. Default: Disabled
NOTE
Step 4 must be performed before step 5.
After configuring GRE tunnels, you can view the GRE configuration and observe the routes that use GRE tunnels.
The tunnel-number is a numerical value that identifies the tunnel being configured.
NOTE
You can also use the port-name command to name the tunnel. To do so, follow the configuration instructions in
"Assigning a port name" section in the Ruckus FastIron Management Configuration Guide.
NOTE
ICX 7150 devices do not support tunnels. This task is not supported for ICX 7150 devices.
To assign the VRF named VRF1 to tunnel 1, enter the following commands.
The vrf-name variable is the name of the VRF that the interface is being assigned to.
NOTE
If the destination address for a tunnel interface is not resolved, Ruckus recommends that you either configure the
source interface (instead of the source address) as the source for a tunnel interface, or enable GRE link keepalive on the
tunnel interface.
NOTE
ICX 7150 devices do not support tunnels. This task is not supported for ICX 7150 devices.
The tunnel source address should be one of the router IP addresses configured on a physical, loopback, or VE interface, through
which the other end of the tunnel is reachable.
To configure the source address for a specific tunnel interface, enter commands such as the following.
The source interface should be the port number of the interface configured on a physical, loopback, or VE interface. The source
interface should have at least one IP address configured on it. Otherwise, the interface will not be added to the tunnel
configuration and an error message similar to the following will be displayed:
To configure the source interface for a specific tunnel interface, enter commands such as the following.
Syntax: [no] tunnel source { ip-address | ethernet unit / slot / port | ve number | loopback number }
The ip-address variable is the source IP address being configured for the specified tunnel.
The ethernet unit / slot / port parameter identifies a physical interface being configured for the specified tunnel, for example
1/3/1.
The ve number variable is the VE interface number being configured for the specified tunnel.
If you attempt to delete an IP address without first removing the tunnel source, the console will display an error message, as
shown in the following example.
NOTE
The previous error message will also display on the CLI when an interface is part of a VLAN. A VLAN cannot be deleted
until the tunnel source is first removed.
NOTE
ICX 7150 devices do not support tunnels. This task is not supported for ICX 7150 devices.
To configure the destination address for a specific tunnel interface, enter commands such as the following.
The ip-address variable is the destination IP address being configured for the specified tunnel.
NOTE
Ensure a route to the tunnel destination exists on the tunnel source device. Create a static route if necessary.
NOTE
ICX 7150 devices do not support tunnels.
NOTE
Before configuring a new GRE tunnel, the system should have at least one slot available for adding the default tunnel
MTU value to the system tables. Depending on the configuration, the default tunnel MTU range is ((1500 or 10218) - 24).
To check for slot availability, or to see if the MTU value is already configured in the IP table, use the show ip mtu
command.
NOTE
ICX 7150 devices do not support tunnels.
The unit / slot / port parameter identifies the tunnel loopback port for the specified tunnel interface, for example, 1/3/1.
NOTE
ICX 7150 devices do not support tunnels.
To configure an IP address for a specified tunnel interface, enter commands such as the following.
The ip-address is the IP address being configured for the specified tunnel interface.
NOTE
ICX 7150 devices do not support tunnels.
You can set an MTU value for packets entering the tunnel. Packets that exceed either the default MTU value of 1476 bytes
(9192 bytes in the jumbo case) or the value that you set using this command are fragmented and encapsulated with IP/GRE
headers for transit through the tunnel (if they do not have the DF bit set in the IP header). All fragments will carry the
same DF bit as the incoming packet. Jumbo packets are supported, although they may be fragmented based on the configured
MTU value.
The following command allows you to change the MTU value for packets transiting "tunnel 1":
The packet-size variable specifies the maximum size in bytes for the packets transiting the tunnel. Enter a value from 576 through
1476. The default value is 1476.
NOTE
To prevent packet loss after the 24 byte GRE header is added, make sure that any physical interface that is carrying GRE
tunnel traffic has an IP MTU setting at least 24 bytes greater than the tunnel MTU setting. This configuration is only
allowed on the system if the tunnel mode is set to GRE.
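The following Python model is an added example, not part of the Ruckus guide or the FastIron software. It works through the tunnel MTU behavior described above: packets within the tunnel MTU are encapsulated, oversized packets without the DF bit are fragmented before encapsulation, oversized packets with the DF bit trigger the ICMP "fragmentation needed and DF set" response, and a physical interface with less than 24 bytes of headroom is flagged. It assumes a 20-byte inner IPv4 header without options, takes the tunnel MTU as the MTU reported in the ICMP message, and does not model the mtu-exceed setting.

```python
GRE_OVERHEAD = 24      # bytes added by IP/GRE encapsulation, as stated in the text
INNER_IP_HEADER = 20   # assumption: inner IPv4 header without options


def fragment_inner(packet_len, tunnel_mtu):
    """Return the lengths of the inner IPv4 fragments that each fit tunnel_mtu."""
    payload = packet_len - INNER_IP_HEADER
    max_payload = tunnel_mtu - INNER_IP_HEADER
    # Every fragment except the last carries a multiple of 8 payload bytes,
    # because the IPv4 fragment offset is counted in 8-byte units.
    chunk = max_payload // 8 * 8
    sizes = []
    while payload > max_payload:
        sizes.append(chunk + INNER_IP_HEADER)
        payload -= chunk
    sizes.append(payload + INNER_IP_HEADER)
    return sizes


def tunnel_ingress(packet_len, df_set, tunnel_mtu=1476, physical_ip_mtu=1500):
    """Model what happens to one inner packet entering the GRE tunnel."""
    result = {"action": None, "outer_sizes": [], "icmp_mtu": None, "warnings": []}
    if physical_ip_mtu < tunnel_mtu + GRE_OVERHEAD:
        result["warnings"].append(
            f"physical IP MTU {physical_ip_mtu} is less than tunnel MTU "
            f"{tunnel_mtu} + {GRE_OVERHEAD}; encapsulated packets may be lost")
    if packet_len <= tunnel_mtu:
        result["action"] = "forward"
        result["outer_sizes"] = [packet_len + GRE_OVERHEAD]
    elif df_set:
        # DF forbids fragmentation, so the source is told which MTU to use.
        result["action"] = "icmp-frag-needed"
        result["icmp_mtu"] = tunnel_mtu
    else:
        result["action"] = "fragment"
        result["outer_sizes"] = [size + GRE_OVERHEAD
                                 for size in fragment_inner(packet_len, tunnel_mtu)]
    return result


if __name__ == "__main__":
    # Constructed cases: (inner packet length, DF bit, tunnel MTU, physical IP MTU)
    cases = [(1400, False, 1476, 1500), (3000, False, 1476, 1500),
             (3000, True, 1476, 1500), (1400, False, 1476, 1476)]
    for length, df, tmtu, pmtu in cases:
        print(length, df, tmtu, pmtu, tunnel_ingress(length, df, tmtu, pmtu))
```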
NOTE
ICX 7150 devices do not support tunnels.
ICX 7250 8 8
ICX 7420 64 16
ICX 7650 64 16
ICX 7750 64 16
To change the maximum number of tunnels supported, enter commands such as the following.
NOTE
You must save the configuration (write memory) and reload the software to place the change into effect.
The number variable specifies the number of GRE tunnels that can be supported on the device. The permissible range is 16 - 64.
The system-max gre-tunnels command determines the interface range that is supported for an interface tunnel. For example,
if the system-max value is reduced, it is possible that the configured interfaces may be rejected after a system reload.
NOTE
ICX 7150 devices do not support tunnels.
To enable GRE link keepalive, configure it on one end of the tunnel and ensure the other end of the tunnel has GRE enabled.
NOTE
Keepalives are not supported when a tunnel interface is not within the default-VRF.
NOTE
ICX 7150 devices do not support tunnels.
These commands configure the device to wait for 4 consecutive lost keepalive packets before bringing the tunnel down. There
will be a 12 second interval between each packet. Note that when the tunnel comes up, it immediately (within one second)
sends the first keepalive packet.
The seconds variable specifies the number of seconds between each initiation of a keepalive message. The range for this interval
is 2 - 32767 seconds. The default value is 10 seconds.
The retries variable specifies the number of times that a packet is sent before the system places the tunnel in the DOWN state.
Possible values are from 1 through 255. The default number of retries is 3.
Use the show interface tunnel and show ip tunnel traffic commands to view the GRE link keepalive configuration.
To re-enable PMTUD after it has been disabled, enter the following command:
This command configures the device to wait for 20 minutes before resetting the path MTU to its original value.
Syntax: [no] tunnel path-mtu-discovery { age-timer minutes | infinite }
NOTE
ICX 7150 devices do not support tunnels.
For an overview of multicast routing support over a GRE tunnel, refer to Support for IPv4 multicast routing over GRE tunnels on
page 85. To view information about multicast protocols and GRE tunnel-specific information, refer to Displaying multicast
protocols and GRE tunneling information on page 97.
NOTE
ICX 7150 devices do not support tunnels.
Use the no form of the command to disable PIM-SM on the tunnel interface.
Use the no form of the command to disable PIM-DM on the tunnel interface.
NOTE
ICX 7150 devices do not support tunnels.
The following shows an example output of the show ip interface command, which includes information about GRE tunnels.
The show ip route command displays routes that are pointing to a GRE tunnel as shown in the following example.
The show ip interface tunnel command displays the link status and IP address configuration for an IP tunnel interface as shown
in the following example.
The show interface tunnel command displays the GRE tunnel configuration and the PMTUD aging timer information.
The show ip tunnel traffic command displays the link status of the tunnel and the number of keepalive packets received and
sent on the tunnel.
The show statistics tunnel command displays GRE tunnel statistics for a specific tunnel ID number. The following shows an
example output for tunnel ID 1.
RFC 2784 supports GRE tunnel ports. The show statistics tunnel command output now includes information from the hardware
counters for each tunnel. For example:
Tunnel Status - Indicates whether the tunnel is up or down. Possible values are:
• Up/Up - The tunnel and line protocol are up.
• Up/Down - The tunnel is up and the line protocol is down.
• Down/Up - The tunnel is down and the line protocol is up.
• Down/Down - The tunnel and line protocol are down.
Packet Received - The number of packets received on the tunnel since it was last cleared by the administrator.
Packet Sent - The number of packets sent on the tunnel since it was last cleared by the administrator.
KA recv - The number of keepalive packets received on the tunnel since it was last cleared by the administrator.
KA sent - The number of keepalive packets sent on the tunnel since it was last cleared by the administrator.
NOTE
All other show commands that are currently supported for Ethernet, VE, and IP loopback interfaces are also supported
for tunnel interfaces. To display information for a tunnel interface, specify the tunnel in the format tn num. For
example, show interface tn 1. In some cases, the Ethernet port that the tunnel is using will be displayed in the format
tnnum:eport.
The following shows an example output of the show ip pim interface command.
The following shows an example output of the show ip pim nbr command.
The following shows an example output of the show ip pim mcache command.
L3 (HW) 1: tn1:e2(VL1)
fast=1 slow=0 pru=1 graft
age=120s up-time=8m HW=1 L2-vidx=8191 has mll
The following shows an example output of the show ip pim flow command.
The following shows an example output of the show statistics command. The following statistics demonstrate an example
where the encapsulated multicast traffic ingresses a tunnel endpoint on port e 2, egresses and re-ingresses as native multicast
traffic on the loopback port e 4, and is then forwarded to the outbound interface e 1.
The show ip mtu command can be used to see if there is space available for the ip_default_mtu_24 value in the system, or if the
MTU value is already configured in the IP table. The following shows an example output of the show ip mtu command.
device(config-tnif-10)#show ip mtu
idx size usage ref-count
0 10218 1 default
1 800 0 1
2 900 0 1
3 750 0 1
4 10194 1 1
5 10198 0 1
Syntax: show ip mtu
NOTE
ICX 7150 devices do not support tunnels.
To reset a dynamically configured MTU on a tunnel interface back to the configured value, enter a command such as the
following.
Use the pmtud option to reset a dynamically configured MTU on a tunnel interface back to the configured value.
NOTE
ICX 7150 devices do not support tunnels.
When the interface bandwidth is configured, fewer network and router link state advertisements are generated when one or
more of the interfaces associated with the VE interface go operationally down or are shut down. For OSPF, when the
dynamic cost feature is enabled, the bandwidth for a VE interface is the sum of bandwidth for either all associated ports or all
active associated ports. However, when the interface bandwidth is configured on the VE interface itself, the bandwidth of the
associated ports is not used in the OSPF cost calculation. This means that even when one of the associated ports of the VE
interface goes down, there is no OSPF cost recalculation.
The bandwidth for IP interfaces feature can be configured for a physical interface, Link aggregation (LAG) groups, a VE interface,
and a tunnel interface.
• Influence the cost on OSPF interfaces for specific tunnels, VE interfaces, and physical interfaces.
The bandwidth for IP interfaces feature enables OSPF to calculate its interface metric cost more precisely, based on the specified
interface bandwidth. If the interface bandwidth feature is disabled, OSPF calculates the cost as the reference-bandwidth divided
by the fixed port bandwidth, as outlined in the Changing the reference bandwidth for the cost on OSPFv2 interfaces on page 244
section. When the interface bandwidth feature is enabled, OSPF calculates the cost as the reference-bandwidth divided by the
interface bandwidth. For a physical interface, the interface bandwidth is assigned by default to the port speed.
The interface bandwidth feature also enables OSPF to use the configured interface bandwidth for a VE interface to calculate its
routing metric, without considering the bandwidth of the associated physical ports. When this feature is enabled, the bandwidth
for a VE interface is the interface bandwidth value if it is configured under the VE. Alternatively, it is the sum of the interface
bandwidth for all associated ports or all active ports when OSPF dynamic cost is enabled.
The bandwidth of a trunk port for OSPF is, by default, the sum of either all the associated ports or all active associated ports
when OSPF dynamic cost is enabled. The interface bandwidth defined on the LAG virtual interface is used if the interface
bandwidth is configured; otherwise it reverts to the default behavior.
NOTE
If the interface bandwidth configuration on the LAG virtual interface is different from that of any of the member ports, then the
LAG does not become operational. When the LAG is deleted, the interface bandwidth value for all member ports is reset
to the port speed.
The configured value is exposed in SNMP via ifSpeed (in ifTable) and ifHighSpeed (in ifXTable) objects.
NOTE
GRE or IPv6 tunnel bandwidth may limit routing protocol traffic propagating through the tunnel. For example, if the
tunnel defaults to 8 kbps, OSPF uses 50% of the tunnel bandwidth for Hello and update traffic. Therefore, it is good
practice to increase the tunnel bandwidth when a routing protocol runs over it to eliminate flapping, and give the
routing protocol more capacity to send its update and Hello messages.
If the interface bandwidth feature is disabled, OSPF calculates the cost as the reference-bandwidth divided by the fixed port
bandwidth, as outlined in the Changing the reference bandwidth for the cost on OSPFv2 interfaces on page 244 section. When
the interface bandwidth feature is enabled, OSPF calculates the cost as the reference-bandwidth divided by the interface
bandwidth.
OSPF uses the following formula to calculate the path cost when interface bandwidth is available:
• OSPF path cost = ((auto-cost × reference-bandwidth + interface bandwidth) -1) / interface bandwidth.
In the above formula, the cost is calculated in megabits per second (Mbps). The auto-cost is configured using the auto-cost
reference-bandwidth command in OSPF router configuration mode or OSPFv3 router configuration mode. For more
information on changing the OSPF auto-cost reference-bandwidth, refer to the Changing the reference bandwidth for the cost on
OSPFv3 interfaces on page 273 section.
2. Enter the interface ethernet command to configure an Ethernet interface and enter interface configuration mode.
3. Enter the bandwidth command and specify a value to set the bandwidth value on the interface.
This example sets the bandwidth to 2000 kbps on a specific Ethernet interface.
The bandwidth specified in this example results in the following OSPF cost, assuming the auto-cost is 100:
• OSPF cost is equal to ((100 * 1000) + (2000 - 1)) / 2000 = 50
device(config)# vlan 10
3. Enter the tagged ethernet command and specify an interface to add a port that is connected to the device and host in
the same port-based VLAN.
4. Enter the router-interface ve command and specify a value to create a virtual interface as the routing interface for the
VLAN.
device(config-vlan-10)# router-interface ve 10
device(config-vlan-10)# interface ve 10
The bandwidth specified in this example results in the following OSPF cost, assuming the auto-cost is 100:
• OSPF cost is equal to ((100 * 1000) + (2000 - 1)) / 2000 = 50
NOTE
ICX 7150 devices do not support tunnels.
2. Enter the interface tunnel command and specify a value to configure a tunnel interface.
3. Enter the tunnel mode gre ip command to enable GRE IP encapsulation on the tunnel interface.
4. Enter the tunnel source command and specify an IP address to configure the source address for the tunnel interface.
5. Enter the tunnel destination command and specify an IP address to configure the destination address for the tunnel
interface.
6. Enter the ip address command and specify an IP address and a network mask to assign an IP address to the tunnel
interface.
7. Enter the bandwidth command and specify a value to set the bandwidth value on the interface.
This example sets the bandwidth to 2000 kbps on a specific tunnel interface.
The bandwidth specified in this example results in the following OSPF interface costs, assuming the auto-cost is 100:
• OSPF Interface Cost for the Trunk Group is equal to ((100 * 1000) + (2000 - 1)) ÷ 2000 = 50
• OSPF Interface Cost for the GRE/IPv6 tunnel is equal to ((100 * 1000) + (2000 - 1)) ÷ 2000 = 50
If an IP MAC address is not configured, the IP interface uses the MAC address from the router or stack.
User-configurable MAC address per IP interface supports the following unicast and multicast protocols:
• IPv4 support: ARP, BGP, OSPF, RIP, PIM-SM, PIM-DM, IGMP, MSDP
• IPv6 support: BGP4+, Neighbor Discovery (ND), OSPFv3, RD, RIPng, PIM-SM, PIM-DM, MLD
In addition to the unicast protocol support, the configured MAC address is used by IPv4 and IPv6 unicast software-generated
packets (for example, ping) and IPv4 and IPv6 hardware-forwarded packets. For IPv4 addresses that are configured on the IP
interface, gratuitous ARP is generated when the IP MAC address is configured. For IPv6 addresses, Duplicate Address Detection
(DAD) is started and link-local addresses are regenerated when the IP MAC address is configured.
If Virtual Router Redundancy Protocol (VRRP) IPv4 or IPv6 sessions are configured on an interface where an IP MAC address is
configured, the VRRP sessions continue to use the virtual MAC address assigned to the virtual router ID (VRID) for any ARP or ND
queries.
device(config-if-e1000-1/1/6)# end
6. Use the show ip interface command to verify the user-configured MAC address.
• The Layer 3 system parameter limits for FastIron IPv6 models are automatically adjusted by the system and cannot be
manually modified.
The following example shows output on an ICX 7450 with third generation modules.
• OSPF
• PIM
• RIPV1 and V2
• VRRP
• VRRP-E
• VSRP
• IPv6 Routing
• IPv6 Multicast
IP routing is enabled by default on devices running Layer 3 code. All other protocols are disabled, so you must enable them to
configure and use them.
To enable a protocol on a device running Layer 3 code, enter router at the global CONFIG level, followed by the protocol to be
enabled. The following example shows how to enable OSPF.
device(config)# router ospf
Syntax: router bgp | igmp | ip | ospf | pim | rip | vrrp | vrrp-e | vsrp
NOTE
Consult your reseller or Ruckus to understand the risks involved before disabling all Layer 2 switching operations.
Beginning with Ruckus FastIron release 8.0.50, when global route-only is enabled, the following syslog messages appear to
indicate the impact on the L2 functions already available on the ports.
• On tagged ports and virtual Ethernet (VE) interfaces
ROUTE-ONLY: Only would cause L2 functions non-functional on %p Port, Part of VE/Tagged Interface
• On generic attribute registration protocol (GARP) VLAN registration protocol (GVRP)-enabled ports
ROUTE-ONLY: Only would cause L2 functions non-functional on 1/1/15 Port, Part of VE/Tagged Interface
• On virtual switch redundancy protocol (VSRP)-enabled ports
ROUTE-ONLY: Only would cause VSRP non-functional on 7th VLAN
• On metro ring protocol (MRP)-enabled ports
ROUTE-ONLY: Global Route-Only would cause MRP non-functional on %dth VLAN
device(config)# route-only
device(config)# exit
device# write memory
device# reload
device(config)# no route-only
device(config)# exit
device# write memory
device# reload
To disable Layer 2 switching only on a specific interface, go to the interface configuration level for that interface, and then disable
the feature. The following commands show how to disable Layer 2 switching on port 2.
FastIron devices with Layer 3 images support Layer 3 LAGs, which are used for routing and not switching. For details on how to
create a LAG, refer to Link Aggregation in the Ruckus FastIron Layer 2 Switching Configuration Guide. Perform the following steps to
enable routing on a LAG:
1. In the global configuration mode, run the interface lag command to enter the LAG virtual interface configuration mode.
2. Run the route-only command to disable switching and enable routing on the LAG.
device(config-lag-if-lg55)# route-only
The following example shows the creation of a dynamic LAG that is used for routing on a FastIron device with Layer 3 image.
To disable the hardware IP checksum check on all ports, enter the following command.
device# disable-hw-ip-checksum-check
disable-ip-header-check set for all ports
To clear the disable setting for the hardware IP checksum check on all ports, enter the following command.
To disable the hardware IP checksum check on a port range, for example, port range 0-12, enter the following command.
To disable the hardware IP checksum check on another port range, for example, port range 13-24, enter the following command.
To clear the disable setting for the hardware IP checksum check on a port range, for example, port range 13-24, enter the following command.
NOTE
The port range can be any consecutive range; it is not necessarily a decimal number.
NOTE
This command only functions on the IPv4 platform.
By default, the CLI displays network masks in classical IP address format (example: 255.255.255.0). You can change the display
to prefix format (example: /18) on a Layer 3 switch or Layer 2 switch using the following CLI method.
NOTE
This option does not affect how information is displayed in the Web Management Interface.
To enable CIDR format for displaying network masks, enter the following command at the global CONFIG level of the CLI.
device(config)# ip show-subnet-length
device# show ip
Global Settings
ttl: 64, arp-age: 10, bootp-relay-max-hops: 4
router-id : 10.95.11.128
enabled : UDP-Broadcast-Forwarding Source-Route Load-Sharing RARP OSPF VRRP-Extended VSRP
disabled: Route-Only Directed-Broadcast-Forwarding BGP4 IRDP Proxy-ARP RIP VRRP ICMP-Redirect
Static Routes
Index IP Address Subnet Mask Next Hop Router Metric Distance
1 0.0.0.0 0.0.0.0 10.157.23.2 1 1
Policies
Index Action Source Destination Protocol Port Operator
1 deny 10.157.22.34 10.157.22.26 tcp http =
64 permit any any
Syntax: show ip
NOTE
This command has additional options, which are explained in other sections in this guide, including the sections
following this one.
Global settings
ttl The Time-To-Live (TTL) for IP packets. The TTL specifies the maximum
number of router hops a packet can travel before reaching the Ruckus
router. If the packet TTL value is higher than the value specified in this
field, the Ruckus router drops the packet.
arp-age The ARP aging period. This parameter specifies how many minutes an
inactive ARP entry remains in the ARP cache before the router ages
out the entry.
bootp-relay-max-hops The maximum number of hops away a BootP server can be located
from the Ruckus router and still be used by the router clients for
network booting.
router-id The 32-bit number that uniquely identifies the Ruckus router.
NOTE
This field applies only if the IP protocol is TCP or UDP.
Operator The comparison operator for TCP or UDP port names or numbers.
NOTE
This field applies only if the IP protocol is TCP or UDP.
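The following Python example is added here and is not part of the Ruckus guide. It parses the Global Settings block of the show ip output shown above and reports features listed under enabled that a local hardening baseline expects under disabled; the baseline set EXPECT_DISABLED and all function names are assumptions.

```python
import re

# Constructed sample: the start of the "show ip" output printed on this page.
SHOW_IP_SAMPLE = """\
device# show ip
Global Settings
ttl: 64, arp-age: 10, bootp-relay-max-hops: 4
router-id : 10.95.11.128
enabled : UDP-Broadcast-Forwarding Source-Route Load-Sharing RARP OSPF VRRP-Extended VSRP
disabled: Route-Only Directed-Broadcast-Forwarding BGP4 IRDP Proxy-ARP RIP VRRP ICMP-Redirect
Static Routes
Index IP Address Subnet Mask Next Hop Router Metric Distance
1 0.0.0.0 0.0.0.0 10.157.23.2 1 1
"""

# Assumption (local policy, not from the guide): features the auditor expects
# to find under "disabled" on a hardened Layer 3 device.
EXPECT_DISABLED = frozenset({
    "Source-Route", "Directed-Broadcast-Forwarding", "Proxy-ARP",
    "ICMP-Redirect", "IRDP",
})

# Headings that follow the Global Settings block in the output.
SECTION_END = {"Static Routes", "Policies"}


def parse_global_settings(text):
    """Return the Global Settings block as a dict.

    Numeric fields become ints, router-id stays a string, and the
    enabled/disabled feature lists become sets. A feature list that wraps
    onto the next line is folded into the list it continues.
    """
    settings = {"enabled": set(), "disabled": set()}
    in_section = False
    current = None  # feature set currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Global Settings":
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line in SECTION_END:
            break
        feature_list = re.match(r"(enabled|disabled)\s*:\s*(.*)$", line)
        if feature_list:
            current = settings[feature_list.group(1)]
            current.update(feature_list.group(2).split())
        elif re.match(r"router-id\s*:", line):
            settings["router-id"] = line.split(":", 1)[1].strip()
            current = None
        elif re.match(r"[\w-]+:\s*\d+", line):
            # e.g. "ttl: 64, arp-age: 10, bootp-relay-max-hops: 4"
            for key, value in re.findall(r"([\w-]+):\s*(\d+)", line):
                settings[key] = int(value)
            current = None
        elif current is not None:
            current.update(line.split())  # wrapped continuation line
    return settings


def audit(settings, expect_disabled=EXPECT_DISABLED):
    """Compare parsed settings with the baseline.

    violations: features the baseline wants disabled but the device enables.
    unreported: baseline features that appear in neither list, so the
    output gives no evidence either way.
    """
    enabled, disabled = settings["enabled"], settings["disabled"]
    return {
        "violations": sorted(f for f in expect_disabled if f in enabled),
        "unreported": sorted(
            f for f in expect_disabled if f not in enabled and f not in disabled
        ),
    }


if __name__ == "__main__":
    print(audit(parse_global_settings(SHOW_IP_SAMPLE)))
```

Treat a non-empty unreported list as a parsing or version difference to investigate rather than as a pass.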
Syntax: show ip interface [ ethernet unit / slot / port | loopback num | tunnel num | ve num ]
NOTE
ICX 7150 devices do not support tunnels.
Interface The type and the slot and port number of the interface.
IP-Address The IP address of the interface.
NOTE
If an "s" is listed following the address, this is a secondary
address. When the address was configured, the interface
already had an IP address in the same subnet, so the
software required the "secondary" option before the
software could add the interface.
To display detailed IP information for a specific interface, enter a command such as the following.
To display the contents of the ARP cache when a VRF is configured, enter the following command at any CLI level.
Syntax: show arp [ ip-addr [ ip-mask ] | num-entries-to-skip | ethernet unit / slot / port | inspect | mac-address xxxx.xxxx.xxxx
[ MAC-mask ] | management man-port | resource | vrf vrf-name ]
The ip-addr and ip-mask parameters let you restrict the display to entries for a specific IP address and network mask. Specify the
IP address masks in standard decimal mask format (for example, 255.255.0.0).
The mac-address xxxx.xxxx.xxxx parameter lets you restrict the display to entries for a specific MAC address.
The MAC-mask parameter lets you specify a mask for the mac-address xxxx.xxxx.xxxx parameter, to display entries for multiple
MAC addresses. Specify the MAC address mask as "f"s and "0"s, where "f"s are significant bits.
NOTE
The ip-mask parameter and mask parameter perform different operations. The ip-mask parameter specifies the network
mask for a specific IP address, whereas the mask parameter provides a filter for displaying multiple MAC addresses that
have specific values in common.
The vrf vrf-name parameter lets you restrict the display to entries for a specific VRF.
The num-entries-to-skip parameter lets you display the table beginning with a specific entry number.
NOTE
The entry numbers in the ARP cache are not related to the entry numbers for static ARP table entries.
This display shows the following information. The number in the left column of the CLI display is the row number of the entry in
the ARP cache. This number is not related to the number you assign to static MAC entries in the static ARP table.
Total number of ARP Entries The number of entries in the ARP cache.
Entries in default routing instance The total number of ARP entries supported on the device.
Entries in VRF vrf-name The total number of ARP entries for the specified VRF.
IP Address The IP address of the device.
MAC Address The MAC address of the device.
Type The ARP entry type, which can be one of the following:
• Dynamic - The Layer 3 switch learned the entry from an
incoming packet.
• Static - The Layer 3 switch loaded the entry from the static
ARP table when the device for the entry was connected to
the Layer 3 switch.
• DHCP - The Layer 3 Switch learned the entry from the DHCP
binding address table.
NOTE
If the type is DHCP, the port number will not be available
until the entry gets resolved through ARP.
Age The number of minutes since the ARP entry was last refreshed. If
this value reaches the ARP aging period, the entry is removed from
the table.
NOTE
Static entries do not age out.
NOTE
If the ARP entry type is DHCP, the port number will not be
available until the entry gets resolved through ARP.
Status The status of the entry, which can be one of the following:
• Valid - This is a valid ARP entry.
• Pend - The ARP entry is not yet resolved.
This example shows two static entries. Note that because you specify an entry index number when you create the entry, it is
possible for the range of index numbers to have gaps, as shown in this example.
NOTE
The entry number you assign to a static ARP entry is not related to the entry numbers in the ARP cache.
Syntax: show ip static-arp [ ip-addr [ ip-mask ] | num-entries-to-skip | ethernet unit / slot / port | mac-address xxxx.xxxx.xxxx
[ MAC-mask ] ]
The ip-addr and ip-mask parameters let you restrict the display to entries for a specific IP address and network mask. Specify the
IP address masks in standard decimal mask format (for example, 255.255.0.0).
The mac-address xxxx.xxxx.xxxx parameter lets you restrict the display to entries for a specific MAC address.
The mask parameter lets you specify a mask for the mac-address xxxx.xxxx.xxxx parameter, to display entries for multiple MAC
addresses. Specify the MAC address mask as "f"s and "0"s, where "f"s are significant bits.
NOTE
The ip-mask parameter and mask parameter perform different operations. The ip-mask parameter specifies the network
mask for a specific IP address, whereas the mask parameter provides a filter for displaying multiple MAC addresses that
have specific values in common.
The num-entries-to-skip parameter lets you display the table beginning with a specific entry number.
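Added example (Python, not from the Ruckus guide) covering the ip-mask and MAC-mask filters described for both show arp and show ip static-arp: it models the two filters over constructed table entries to show how they select different things. The entries, dictionary keys and function names are assumptions; the guide does not show the device's own matching code.

```python
import ipaddress
import re

# Constructed sample entries, using fields this page describes for the ARP cache.
ARP_ENTRIES = [
    {"ip": "10.157.22.26", "mac": "0000.00fc.ea21", "type": "Dynamic", "status": "Valid"},
    {"ip": "10.157.22.34", "mac": "0000.00fc.ea9b", "type": "Dynamic", "status": "Valid"},
    {"ip": "10.157.23.2", "mac": "0000.0b11.2233", "type": "Static", "status": "Valid"},
    {"ip": "10.158.1.1", "mac": "0000.0000.0000", "type": "Dynamic", "status": "Pend"},
]

MAC_FORMAT = re.compile(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}")


def parse_mac(text):
    """Convert a MAC address in xxxx.xxxx.xxxx notation to a 48-bit integer."""
    if not MAC_FORMAT.fullmatch(text):
        raise ValueError(f"expected xxxx.xxxx.xxxx, got {text!r}")
    return int(text.replace(".", ""), 16)


def parse_mac_mask(text):
    """Convert a MAC mask to an integer; only 'f' and '0' digits are allowed."""
    value = parse_mac(text)
    if set(text.replace(".", "").lower()) - {"f", "0"}:
        raise ValueError("a MAC mask is written with 'f' and '0' digits only")
    return value


def filter_by_ip(entries, ip_addr, ip_mask="255.255.255.255"):
    """ip-addr [ip-mask]: keep entries whose IP address is inside the network."""
    network = ipaddress.IPv4Network(f"{ip_addr}/{ip_mask}", strict=False)
    return [e for e in entries if ipaddress.IPv4Address(e["ip"]) in network]


def filter_by_mac(entries, mac, mac_mask="ffff.ffff.ffff"):
    """mac-address [MAC-mask]: compare only the bits where the mask has 'f'."""
    mask = parse_mac_mask(mac_mask)
    wanted = parse_mac(mac) & mask
    return [e for e in entries if (parse_mac(e["mac"]) & mask) == wanted]


if __name__ == "__main__":
    # Network filter: every entry in 10.157.22.0 255.255.255.0
    print([e["ip"] for e in filter_by_ip(ARP_ENTRIES, "10.157.22.0", "255.255.255.0")])
    # MAC filter: every entry whose first 32 bits are 0000.00fc
    print([e["ip"] for e in filter_by_mac(ARP_ENTRIES, "0000.00fc.0000", "ffff.ffff.0000")])
```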
Static ARP table size The maximum number of static entries that can be configured on the
device using the current memory allocation. The range of valid
memory allocations for static ARP entries is listed after the current
allocation.
Index The number of this entry in the table. You specify the entry number
when you create the entry.
IP Address The IP address of the device.
MAC Address The MAC address of the device.
Port The port attached to the device the entry is for.
The ip-addr parameter displays the cache entry for the specified IP address.
The num parameter displays the cache beginning with the row following the number you enter. For example, to begin displaying
the cache at row 10, enter the following command.
NOTE
If the entry is type U (indicating that the destination is this
Ruckus device), the address consists of zeroes.
Type The type of host entry, which can be one or more of the following:
• D - Dynamic
• P - Permanent
• F - Forward
• U - Us
• C - Complex Filter
• W - Wait ARP
• I - ICMP Deny
• K - Drop
• R - Fragment
• S - Snap Encap
Port The port through which this device reaches the destination. For
destinations that are located on this device, the port number is shown
as "n/a".
VLAN Indicates the VLANs the listed port is in.
Pri The QoS priority of the port or VLAN.
Here is an example of how to use the direct option. To display only the IP routes that go to devices directly attached to the Layer
3 switch, enter the following command.
Notice that the route displayed in this example has "D" in the Type field, indicating the route is to a directly connected device.
Here is an example of how to use the static option. To display only the static IP routes, enter the following command.
Notice that the route displayed in this example has "S" in the Type field, indicating the route is static.
Here is an example of how to use the longer option. To display only the routes for a specified IP address and mask, enter a
command such as the following.
This example shows all the routes for networks beginning with 10.159. The mask value and longer parameter specify the range
of network addresses to be displayed. In this example, all routes within the range 10.159.0.0 - 10.159.255.255 are listed.
The summary option displays a summary of the information in the IP route table. The following is an example of the output
from this command.
In this example, the IP route table contains 35 entries. Of these entries, 6 are directly connected devices, 28 are static routes, and
1 route was calculated through OSPF. One of the routes has a zero-bit mask (this is the default route), 27 have a 22-bit mask, 5
have a 24-bit mask, and 1 has a 32-bit mask.
The following table lists the information displayed by the show ip route command.
Clearing IP routes
If needed, you can clear the entire route table or specific individual routes.
When an interface subnet route with an interface address that directly matches a host route learned from a neighboring device is
configured and subsequently removed, the clear ip route command should be used so that the learned route is updated in the
Routing and Hardware Forwarding table.
To clear all routes from the IP route table, enter the following command.
To clear route 10.157.22.0/24 from the IP routing table, enter the clear ip route command.
or
IP statistics
received The total number of IP packets received by the device.
sent The total number of IP packets originated and sent by the device.
forwarded The total number of IP packets received by the device and forwarded
to other devices.
filtered The total number of IP packets filtered by the device.
fragmented The total number of IP packets fragmented by this device to
accommodate the MTU of this device or of another device.
reassembled The total number of fragmented IP packets that this device
reassembled.
bad header The number of IP packets dropped by the device due to a bad packet
header.
no route The number of packets dropped by the device because there was no
route.
unknown proto The number of packets dropped by the device because the value in
the Protocol field of the packet header is unrecognized by this device.
no buffer This information is used by Ruckus customer support.
other errors The number of packets dropped due to error types other than those
listed above.
ICMP statistics
The ICMP statistics are derived from RFC 792, "Internet Control Message Protocol", RFC 950, "Internet Standard Subnetting Procedure", and
RFC 1256, "ICMP Router Discovery Messages". Statistics are organized into Sent and Received. The field descriptions below apply to each.
total The total number of ICMP messages sent or received by the device.
errors This information is used by Ruckus customer support.
unreachable The number of Destination Unreachable messages sent or received by
the device.
time exceed The number of Time Exceeded messages sent or received by the
device.
parameter The number of Parameter Problem messages sent or received by the
device.
source quench The number of Source Quench messages sent or received by the
device.
redirect The number of Redirect messages sent or received by the device.
echo The number of Echo messages sent or received by the device.
echo reply The number of Echo Reply messages sent or received by the device.
timestamp The number of Timestamp messages sent or received by the device.
timestamp reply The number of Timestamp Reply messages sent or received by the
device.
The TCP statistics are derived from RFC 793, "Transmission Control Protocol".
active opens The number of TCP connections opened by sending a TCP SYN to
another device.
passive opens The number of TCP connections opened by this device in response to
connection requests (TCP SYNs) received from other devices.
failed attempts This information is used by Ruckus customer support.
active resets The number of TCP connections this device reset by sending a TCP
RESET message to the device at the other end of the connection.
passive resets The number of TCP connections this device reset because the device
at the other end of the connection sent a TCP RESET message.
input errors This information is used by Ruckus customer support.
in segments The number of TCP segments received by the device.
out segments The number of TCP segments sent by the device.
retransmission The number of segments that this device retransmitted because the
retransmission timer for the segment had expired before the device
at the other end of the connection had acknowledged receipt of the
segment.
RIP statistics
The RIP statistics are derived from RFC 1058, "Routing Information Protocol".
requests sent The number of requests this device has sent to another RIP router for
all or part of its RIP routing table.
requests received The number of requests this device has received from another RIP
router for all or part of this device's RIP routing table.
responses sent The number of responses this device has sent to another RIP router's
request for all or part of this device's RIP routing table.
responses received The number of responses this device has received to requests for all
or part of another RIP router's routing table.
unrecognized This information is used by Ruckus customer support.
bad version The number of RIP packets dropped by the device because the RIP
version was either invalid or is not supported by this device.
bad addr family The number of RIP packets dropped because the value in the Address
Family Identifier field of the packet header was invalid.
device# show ip
Switch IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default router address: 192.168.1.1
TFTP server address: None
Configuration filename: None
Image filename: None
Syntax: show ip
IP configuration
Switch IP address The management IP address configured on the Layer 2 switch. Specify
this address for Telnet access or Web management access.
Subnet mask The subnet mask for the management IP address.
Default router address The address of the default gateway, if you specified one.
Most recent TFTP access
TFTP server address The IP address of the most-recently contacted TFTP server, if the
switch has contacted a TFTP server since the last time the software
was reloaded or the switch was rebooted.
Configuration filename The name under which the Layer 2 switch startup-config file was
uploaded or downloaded during the most recent TFTP access.
Image filename The name of the Layer 2 switch flash image (system software file) that
was uploaded or downloaded during the most recent TFTP access.
NOTE
To display the ARP maximum capacity for your device, enter the show default values command.
Field
NOTE
If the MAC address is all zeros, the entry is for the default
gateway, but the Layer 2 switch does not have a link to the
gateway.
NOTE
If the MAC address is all zeros, this field shows a random
VLAN ID, since the Layer 2 switch does not yet know which
port the device for this entry is attached to.
TCP Statistics
1 current active tcbs, 4 tcbs allocated, 0 tcbs freed 0 tcbs protected
0 active opens, 0 passive opens, 0 failed attempts
0 active resets, 0 passive resets, 0 input errors
27 in segments, 24 out segments, 0 retransmission
IP statistics
received The total number of IP packets received by the device.
sent The total number of IP packets originated and sent by the device.
fragmented The total number of IP packets fragmented by this device to
accommodate the MTU of this device or of another device.
reassembled The total number of fragmented IP packets that this device
reassembled.
bad header The number of IP packets dropped by the device due to a bad packet
header.
no route The number of packets dropped by the device because there was no
route.
unknown proto The number of packets dropped by the device because the value in
the Protocol field of the packet header is unrecognized by this device.
no buffer This information is used by Ruckus customer support.
other errors The number of packets that this device dropped due to error types
other than the types listed above.
ICMP statistics
The ICMP statistics are derived from RFC 792, "Internet Control Message Protocol", RFC 950, "Internet Standard Subnetting Procedure", and
RFC 1256, "ICMP Router Discovery Messages". Statistics are organized into Sent and Received. The field descriptions below apply to each.
total The total number of ICMP messages sent or received by the device.
errors This information is used by Ruckus customer support.
unreachable The number of Destination Unreachable messages sent or received by
the device.
time exceed The number of Time Exceeded messages sent or received by the
device.
parameter The number of Parameter Problem messages sent or received by the
device.
source quench The number of Source Quench messages sent or received by the
device.
redirect The number of Redirect messages sent or received by the device.
echo The number of Echo messages sent or received by the device.
echo reply The number of Echo Reply messages sent or received by the device.
timestamp The number of Timestamp messages sent or received by the device.
timestamp reply The number of Timestamp Reply messages sent or received by the
device.
addr mask The number of Address Mask Request messages sent or received by
the device.
addr mask reply The number of Address Mask Reply messages sent or received by
the device.
An IPv6 address comprises 8 fields of 16-bit hexadecimal values separated by colons (:). The following figure shows the IPv6
address format.
As shown in the above figure, HHHH is a 16-bit hexadecimal value, while H is a 4-bit hexadecimal value. The following is an
example of an IPv6 address.
2001:0000:0000:0200:002D:D0FF:FE48:4672
Note that this IPv6 address includes hexadecimal fields of zeros. To make the address manageable, you can:
• Omit the leading zeros. For example, 2001:0:0:200:2D:D0FF:FE48:4672.
• Compress the successive groups of zeros at the beginning, middle, or end of an IPv6 address to two colons (::) once per
address. For example, 2001::200:2D:D0FF:FE48:4672.
As shown in Figure 10, the IPv6 network prefix is composed of the left-most bits of the address. As with an IPv4 address, you can
specify the IPv6 prefix using the prefix/prefix-length format, where the following applies.
The prefix-length parameter is specified as a decimal value that indicates the network portion of the IPv6 address.
2001:DB8:49EA:D088::/64
A major difference between IPv4 and IPv6 addresses is that IPv6 addresses support scope, which describes the topology in
which the address may be used as a unique identifier for an interface or set of interfaces.
Unicast An address for a single interface. A packet sent to a unicast address is delivered to the
interface identified by the address.
Depends on the type of the unicast address:
• Aggregatable global address--An address equivalent to a global or public IPv4 address. The address
structure is as follows: a fixed prefix of 2000::/3 (001), a 45-bit global routing prefix, a 16-bit
subnet ID, and a 64-bit interface ID.
• Site-local address--An address used within a site or intranet. (This address is similar to a private
IPv4 address.) A site consists of multiple network links. The address structure is as follows: a fixed
prefix of FEC0::/10 (1111 1110 11), a 16-bit subnet ID, and a 64-bit interface ID.
• Link-local address--An address used between directly connected nodes on a single network link. The
address structure is as follows: a fixed prefix of FE80::/10 (1111 1110 10) and a 64-bit interface ID.
• IPv4-compatible address--An address used in IPv6 transition mechanisms that tunnel IPv6
A switch automatically configures a link-local unicast address for an interface by using the prefix of FE80::/10 (1111 1110 10) and
a 64-bit interface ID. The 128-bit IPv6 address is then subjected to duplicate address detection to ensure that the address is
unique on the link. If desired, you can override this automatically configured address by explicitly configuring an address.
NOTE
Ruckus FastIron devices support RFC 2526, which requires that within each subnet, the highest 128 interface identifier
values be reserved for assignment as subnet anycast addresses. Thus, if you assign individual IPv6 addresses within a
subnet, the second highest IPv6 address in the subnet does not work.
The automatic configuration of a host interface works in the following way: a switch on a local link periodically sends switch
advertisement messages containing network-type information, such as the 64-bit prefix of the local link and the default route, to
all nodes on the link. When a host on the link receives the message, it takes the local link prefix from the message and appends a
64-bit interface ID, thereby automatically configuring its interface. (The 64-bit interface ID is derived from the MAC address of the
host’s NIC.) The 128-bit IPv6 address is then subjected to duplicate address detection to ensure that the address is unique on the
link.
The duplicate address detection feature verifies that a unicast IPv6 address is unique before it is assigned to a host interface by
the stateless auto configuration feature. Duplicate address detection uses neighbor solicitation messages to verify that a unicast
IPv6 address is unique.
NOTE
For the stateless auto configuration feature to work properly, the advertised prefix length in switch advertisement
messages must always be 64 bits.
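Added example (Python, not from the Ruckus guide): it derives the 64-bit interface ID from a MAC address as described above, builds the link-local and prefix-based addresses, computes the solicited-node multicast group (FF02:0:0:0:0:1:FF00::/104) to which a duplicate address detection neighbor solicitation is sent, and recovers the MAC address embedded in an autoconfigured address. The MAC address 0040.d048.4672 is a constructed sample chosen to reproduce the FE80::240:D0FF:FE48:4672 address used elsewhere in this guide; the function names are assumptions.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")

SAMPLE_MAC = "0040.d048.4672"  # constructed sample, not a value from the guide


def eui64_interface_id(mac):
    """Return the modified EUI-64 interface ID (64-bit int) for a 48-bit MAC.

    Accepts xxxx.xxxx.xxxx (the CLI notation on this page), colon or dash forms.
    """
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray(bytes.fromhex(digits))  # ValueError on non-hex input
    octets[0] ^= 0x02                          # invert the universal/local bit
    # Insert FF FE between the OUI half and the device half of the MAC.
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def link_local_address(mac):
    """FE80::/10 prefix plus the 64-bit interface ID."""
    base = int(LINK_LOCAL.network_address)
    return ipaddress.IPv6Address(base | eui64_interface_id(mac))


def slaac_address(prefix, mac):
    """Advertised prefix plus interface ID; the prefix must be exactly 64 bits."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("stateless autoconfiguration requires a 64-bit prefix")
    return ipaddress.IPv6Address(int(network.network_address) | eui64_interface_id(mac))


def solicited_node_group(address):
    """Multicast group joined for a unicast address: the /104 prefix plus
    the low-order 24 bits of the address. Duplicate address detection sends
    its neighbor solicitation for a tentative address to this group."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def mac_from_eui64(address):
    """Recover the MAC (xxxx.xxxx.xxxx) embedded in an EUI-64 based address.

    Returns None when the interface ID does not carry the FF FE marker, for
    example when it was configured manually.
    """
    iid = (int(ipaddress.IPv6Address(address)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = (bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]).hex()
    return f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}"


if __name__ == "__main__":
    ll = link_local_address(SAMPLE_MAC)
    print(ll, solicited_node_group(ll))
    print(slaac_address("2001:DB8:49EA:D088::/64", SAMPLE_MAC))
    print(mac_from_eui64(ll))
```

Because the interface ID is a reversible encoding of the MAC address, an autoconfigured address seen in logs can be matched against ARP or neighbor table entries for the same hardware.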
The IPv6 stateless autoconfiguration feature can also automatically reconfigure a host’s interfaces if you change the ISP for the
host’s network. (The host’s interfaces must be renumbered with the IPv6 prefix of the new ISP.)
The renumbering occurs in the following way: a switch on a local link periodically sends advertisements updated with the prefix
of the new ISP to all nodes on the link. (The advertisements still contain the prefix of the old ISP.) A host can use the addresses
created from the new prefix and the existing addresses created from the old prefix on the link. When you are ready for the host
to use the new addresses only, you can configure the lifetime parameters appropriately using the ipv6 nd prefix-advertisement
command. During this transition, the old prefix is removed from the switch advertisements. At this point, only addresses that
contain the new prefix are used on the link.
NOTE
IPv6 static routes and IPv6 unicast routing (multicast routing is not supported) are not supported in the base Layer 3
software images.
Ruckus devices provide support for configuring an IPv6 address on the management port as described in Configuring the
management port for an IPv6 automatic address configuration on page 132, and for configuring a system-wide IPv6 address on a
Layer 2 switch. Configuration of the system-wide IPv6 address is the same as configuration of an IPv6 address in router
mode, except that the IPv6 configuration is at the Global CONFIG level instead of at the Interface level.
The process for defining the system-wide interface for IPv6 is described in the following sections:
• Configuring a global or site-local IPv6 address with a manually configured interface ID on page 131
• Configuring a link-local IPv6 address as a system-wide address for a switch on page 131
NOTE
When configuring an IPv6 host address on a Layer 2 switch that has multiple VLANs, make sure that the configuration
includes a designated management VLAN that identifies the VLAN to which the global IP address belongs. Refer to
"Designated VLAN for Telnet management sessions to a Layer 2 Switch" section in the Ruckus FastIron Security
Configuration Guide.
You must specify the ipv6-prefix parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
You must specify the prefix-length parameter in decimal value. A slash mark (/) must follow the ipv6-prefix parameter and
precede the prefix-length parameter.
This command enables IPv6 on the switch and specifies that the interface is assigned an automatically computed link-local
address.
To override a link-local address that is automatically computed for the global interface with a manually configured address, enter
a command such as the following.
This command explicitly configures the link-local address FE80::240:D0FF:FE48:4672 for the global interface.
You must specify the ipv6-address parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The link-local keyword indicates that the router interface should use the manually configured link-local address instead of the
automatically computed link-local address.
NOTE
• When you configure an IPv6 address on a device, a syslog appears stating that the IPv6 address has been
added. You cannot configure the same IPv6 address on the device again.
• When you attempt to configure the same IPv6 address on the device, this syslog appears: "Error:
duplicate IPv6 address!".
• When you configure a different IPv6 address on the device, two different syslogs appear stating that the
existing IPv6 address has been removed and the new IPv6 address has been configured.
The no form of the command disables the forwarding of IPv6 traffic globally on the device.
If you choose to configure a global or site-local IPv6 address for an interface, IPv6 is also enabled on the interface. Further, when
you configure a global or site-local IPv6 address, you must decide on one of the following in the low-order 64 bits:
• A manually configured interface ID.
• An automatically computed EUI-64 interface ID.
If you prefer to assign a link-local IPv6 address to the interface, you must specifically enable IPv6 on the interface, which causes a
link-local address to be automatically computed for the interface. If preferred, you can override the automatically configured
link-local address with an address that you manually configure.
Additionally, the configured interface automatically joins the following required multicast groups for that link:
• Solicited-node multicast group FF02:0:0:0:0:1:FF00::/104 for each unicast address assigned to the interface.
• Solicited-node for subnet anycast address for each unicast assigned address
• Solicited-node for anycast address FF02:0:0:0:0:1:FF00::0000
• All-nodes link-local multicast group FF02::1
• All-routers link-local multicast group FF02::2
The neighbor discovery feature sends messages to these multicast groups. For more information, refer to IPv6 neighbor
discovery configuration on page 145.
NOTE
In the example above, the interface is assigned an automatically computed link-local address. When configuring VLANs
that share a common tagged interface with a physical or Virtual Ethernet (VE) interface, Ruckus recommends that you
override the automatically computed link-local address with a manually configured unique address for the interface. If
the interface uses the automatically computed address, which in the case of physical and VE interfaces is derived from a
global MAC address, all physical and VE interfaces will have the same MAC address. To override a link-local address that
is automatically computed for an interface with a manually configured address, refer to Configuring a link-local IPv6
address on an interface on page 134.
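The effect described in this note can be checked offline. The following Python sketch is an added example, not part of the Ruckus guide: it assumes the automatically computed interface ID is the modified EUI-64 form (RFC 4291, Appendix A), derives the link-local address and solicited-node group from a MAC address, and reports interfaces that would end up with the same link-local address. The interface names and MAC values are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List


def parse_mac(mac: str) -> bytes:
    """Parse 0040.d048.4672, 00:40:d0:48:46:72 or 00-40-d0-48-46-72 into 6 bytes."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: insert FF:FE in the middle, invert the universal/local bit."""
    raw = parse_mac(mac)
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix followed by the 64-bit interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def solicited_node_group(address: str) -> ipaddress.IPv6Address:
    """FF02:0:0:0:0:1:FF00::/104 plus the low-order 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(address).packed[-3:]
    prefix = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(prefix + low24)


def link_local_collisions(interface_macs: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {link-local address: [interfaces]} for addresses derived more than once."""
    by_address = defaultdict(list)
    for name, mac in interface_macs.items():
        by_address[str(link_local_from_mac(mac))].append(name)
    return {addr: sorted(names) for addr, names in by_address.items() if len(names) > 1}


# Constructed inventory: interface names and MAC values are hypothetical.
INTERFACES = {
    "ethernet 1/1/1": "0040.d048.4672",
    "ve 10": "0040.d048.4672",
    "ve 20": "0040.d048.4672",
    "ethernet 1/1/2": "0040.d048.4673",
}

if __name__ == "__main__":
    for name, mac in INTERFACES.items():
        address = link_local_from_mac(mac)
        print(f"{name:15} {mac}  {address}  joins {solicited_node_group(str(address))}")
    for address, names in link_local_collisions(INTERFACES).items():
        print(f"shared link-local {address}: {', '.join(names)}")
```

Interfaces listed under a shared address are the ones that need a manually configured, unique link-local address.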
The following example explicitly configures a link-local IPv6 address for an Ethernet interface.
An anycast address looks similar to a unicast address, because it is allocated from the unicast address space. If you assign an
IPv6 unicast address to multiple interfaces, it is an anycast address. On the device, you configure an interface assigned an
anycast address to recognize the address as an anycast address.
For example, the following commands configure an anycast address on interface 1/2/1.
IPv6 anycast addresses are described in detail in RFC 1884. Refer to RFC 2461 for a description of how the IPv6 Neighbor
Discovery mechanism handles anycast addresses.
Each router interface that sends and receives both the IPv4 and IPv6 traffic must be configured with an IPv4 address and an IPv6
address. (An alternative to configuring a router interface with an IPv6 address is to specifically enable IPv6 using the ipv6 enable
command. For more information about using this command, refer to the Ruckus FastIron Command Reference).
To configure a router interface to support both the IPv4 and IPv6 protocol stacks, use commands such as the following.
These commands globally enable IPv6 routing and configure an IPv4 address and an IPv6 address for Ethernet interface 1/3/1. To
disable IPv6 traffic globally on the router, enter the no form of this command. You must specify the ip-address parameter using
8-bit values in dotted decimal notation. You can specify the sub-net-mask parameter in either dotted decimal notation or as a
decimal value preceded by a slash mark (/). The secondary keyword specifies that the configured address is a secondary IPv4
address. To remove the IPv4 address from the interface, enter the no form of this command. For information about configuring a
link-local IPv6 address, refer to Configuring a link-local IPv6 address on an interface on page 134.
As shown in the following illustration, these tunnels encapsulate an IPv6 packet within an IPv4 packet.
A manually configured tunnel establishes a permanent link between switches in IPv6 domains. A manually configured tunnel has
explicitly configured IPv4 addresses for the tunnel source and destination.
This tunneling mechanism requires that the Layer 3 switch at each end of the tunnel run both IPv4 and IPv6 protocol stacks. The
Layer 3 switches running both protocol stacks, or dual-stack routers, can interoperate directly with both IPv4 and IPv6 end
systems and routers.
NOTE
ICX 7150 devices do not support tunnels.
For example, to clear statistics for tunnel 1, enter the following command at the Privileged EXEC level or any of the configuration
levels of the CLI.
To clear statistics for all IPv6 tunnels, enter the following command.
NOTE
ICX 7150 devices do not support tunnels.
Interface Tunnel status: The status of the tunnel interface can be one of the following:
• up - IPv4 connectivity is established.
• down - The tunnel mode is not set.
• administratively down - The tunnel interface was disabled with the disable command.
Line protocol status: The status of the line protocol can be one of the following:
• up - IPv6 is enabled through the ipv6 enable or ipv6 address command.
• down - The line protocol is not functioning and is down.
NOTE
ICX 7150 devices do not support tunnels.
IPv6 management
You can configure a Ruckus device to serve as an IPv6 host in an IPv6 network. An IPv6 host has IPv6 addresses on its interfaces,
but does not have full IPv6 routing enabled on it.
NOTE
Unlike IPv4, there is no distinction between standard and extended ACLs in IPv6.
The ACL-name variable specifies a name for the IPv6 ACL. An IPv6 ACL name cannot start with a numeral, for example, 1access.
Also, an IPv4 ACL and an IPv6 ACL cannot share the same name.
To open an SSH session between an IPv6 host running an SSH client program and the Ruckus device, open the SSH client
program and specify the IPv6 address of the device. For more information about configuring SSH on the Ruckus device, refer to
"SSH2 and SCP" chapter in the Ruckus FastIron Security Configuration Guide.
IPv6 Telnet
Telnet sessions can be established from a Ruckus device to a remote IPv6 host, and from a remote IPv6 host to the Ruckus
device using IPv6 addresses.
The telnet command establishes a Telnet connection from a Ruckus device to a remote IPv6 host using the console. Up to five
read-access Telnet sessions are supported on the router at one time. Write-access through Telnet is limited to one session, and
only one outgoing Telnet session is supported on the router at one time.
Use the show telnet command to see the number of open Telnet sessions at any time.
IPv6 traceroute
Use the traceroute command to trace a path from the Ruckus device to an IPv6 host.
The traceroute command displays trace route information for each hop as soon as the information is received. The traceroute
requests display all responses of a minimum TTL of 1 second and a maximum TTL of 30 seconds. In addition, if there are multiple
equal-cost routes to the destination, the Ruckus device displays up to three responses.
http://[<ipv6 address>]
or
https://[<ipv6 address>]
NOTE
You must enclose the IPv6 address with square brackets [ ] in order for the Web browser to work.
Example
device(config)# access-list 12 deny host 2000:2383:e0bb::2/128 log
device(config)# access-list 12 deny 30ff:3782::ff89/128 log
device(config)# access-list 12 deny 3000:4828::fe19/128 log
device(config)# access-list 12 permit any
device(config)# web access-group ipv6 12
Example
device(config)# web client ipv6 3000:2383:e0bb::2/128
The ipv6-address you specify must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373.
For example, if the domain "newyork.com" is defined on a Ruckus device, and you want to initiate a ping to host "NYC01" on that
domain, you need to reference only the host name in the command instead of the host name and its domain name. For
example, you could enter either of the following commands to initiate the ping.
AAAA DNS records are analogous to the A DNS records used with IPv4. They store a complete IPv6 address in each record. AAAA
records have a type value of 28.
To define an IPv6 DNS server address, enter a command such as the following:
The ipv6 dns server-address parameter sets IPv6 DNS server addresses.
As an example, in a configuration where ftp6.companynet.com is a server with an IPv6 protocol stack, when a user pings
ftp6.companynet.com, the Ruckus device attempts to resolve the AAAA DNS record. In addition, if the DNS server does not have
an IPv6 address, as long as it is able to resolve AAAA records, it can still respond to DNS queries.
For example, to ping a device with the IPv6 address of 2001:DB8:847f:a385:34dd::45 from the Ruckus device, enter the following
command.
The ipv6-address must be in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The udp-port-num optional parameter specifies the UDP application port used for the Syslog facility.
Contact:
Location:
Community(ro): .....
Traps
Warm/Cold start: Enable
Link up: Enable
Link down: Enable
Authentication: Enable
Locked address violation: Enable
Power supply failure: Enable
Fan failure: Enable
Temperature warning: Enable
STP new root: Enable
STP topology change: Enable
vsrp: Enable
1 10.147.201.100
162 .....
2 2001:DB8::200
162 .....
3 10.147.202.100
162 .....
4 2001:DB8::200
162 .....
NOTE
IPv6 is disabled by default in the router code and must be configured on each interface that will support IPv6.
ICMP redirects
You can enable a Layer 3 switch to send an IPv6 ICMP redirect message to a neighboring host to inform it of a better first-hop
router on a path to a destination. By default, the sending of IPv6 ICMP redirect messages by a Layer 3 switch is disabled. (For
more information about how ICMP redirect messages are implemented for IPv6, refer to IPv6 neighbor discovery configuration
on page 145.)
NOTE
This feature is supported on Virtual Ethernet (VE) interfaces only.
To illustrate how this algorithm works, imagine a virtual bucket that contains a number of tokens. Each token represents the
ability to send one ICMP error message. Tokens are placed in the bucket at a specified interval until the maximum number of
tokens allowed in the bucket is reached. For each error message that ICMP sends, a token is removed from the bucket. If ICMP
generates a series of error messages, messages can be sent until the bucket is empty. If the bucket is empty of tokens, error
messages cannot be sent until a new token is placed in the bucket.
You can adjust the following elements related to the token bucket algorithm:
• The interval at which tokens are added to the bucket. The default is 100 milliseconds.
• The maximum number of tokens in the bucket. The default is 10 tokens.
For example, to adjust the interval to 1000 milliseconds and the number of tokens to 100 tokens, enter the following command.
The interval in milliseconds at which tokens are placed in the bucket can range from 0 - 2147483647. The maximum number of
tokens stored in the bucket can range from 1 - 200.
NOTE
If you retain the default interval value or explicitly set the value to 100 milliseconds, output from the show run
command does not include the setting of the ipv6 icmp error-interval command because the setting is the
default. Also, if you configure the interval value to a number that does not evenly divide into 100000 (100 milliseconds),
the system rounds up the value to a next higher value that does divide evenly into 100000. For example, if you specify
an interval value of 150, the system rounds up the value to 200.
ICMP rate limiting is enabled by default. To disable ICMP rate limiting, set the interval to zero.
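The token bucket described above can be modelled to see how a given interval and bucket size treat a burst of ICMP error messages. This Python simulation is an added example, not device code: it assumes the bucket starts full, that tokens arrive on a fixed tick, and that the rounding note means "round up to the next multiple of 100 ms" (the reading that reproduces the guide's 150 to 200 example). Timestamps are constructed.

```python
MAX_INTERVAL_MS = 2147483647  # upper bound for the interval given in the guide
MAX_TOKENS = 200              # upper bound for the bucket size given in the guide


def effective_interval_ms(configured_ms: int) -> int:
    """Interval after rounding. Assumption: round up to the next multiple of
    100 ms, the reading that reproduces the guide's 150 -> 200 example."""
    if not 0 <= configured_ms <= MAX_INTERVAL_MS:
        raise ValueError("interval must be in the range 0 - 2147483647 ms")
    return -(-configured_ms // 100) * 100


class IcmpErrorBucket:
    """Token bucket for ICMP error messages; one token permits one message."""

    def __init__(self, interval_ms: int = 100, max_tokens: int = 10):
        if not 1 <= max_tokens <= MAX_TOKENS:
            raise ValueError("max_tokens must be in the range 1 - 200")
        self.interval_ms = effective_interval_ms(interval_ms)
        self.max_tokens = max_tokens
        self.tokens = max_tokens      # assumption: the bucket starts full
        self.last_tick_ms = 0

    def _refill(self, now_ms: int) -> None:
        # One token per elapsed interval, never exceeding the bucket size.
        ticks = (now_ms - self.last_tick_ms) // self.interval_ms
        if ticks > 0:
            self.tokens = min(self.max_tokens, self.tokens + ticks)
            self.last_tick_ms += ticks * self.interval_ms

    def allow(self, now_ms: int) -> bool:
        """Return True if an error message generated at now_ms may be sent."""
        if self.interval_ms == 0:     # interval 0 disables rate limiting
            return True
        self._refill(now_ms)
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def simulate(bucket: IcmpErrorBucket, arrivals_ms: list) -> tuple:
    """Feed non-decreasing timestamps (ms) to the bucket; return (sent, suppressed)."""
    sent = sum(1 for t in arrivals_ms if bucket.allow(t))
    return sent, len(arrivals_ms) - sent


if __name__ == "__main__":
    default = IcmpErrorBucket()                    # 100 ms, 10 tokens
    print("default, burst of 25 at t=0:", simulate(default, [0] * 25))
    print("default, 5 more at t=250 ms:", simulate(default, [250] * 5))
    tuned = IcmpErrorBucket(interval_ms=1000, max_tokens=100)
    print("1000 ms / 100 tokens, burst of 150:", simulate(tuned, [0] * 150))
    disabled = IcmpErrorBucket(interval_ms=0)
    print("interval 0, burst of 500:", simulate(disabled, [0] * 500))
```

A larger bucket raises the burst the device will answer; a longer interval lowers the sustained rate once the bucket is drained.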
NOTE
This feature is supported on Virtual Ethernet (VE) interfaces only.
For example, to enable the sending of IPv6 ICMP redirect messages on VE 2, enter the following commands.
To disable the sending of IPv6 ICMP redirect messages after it has been enabled on VE 2, enter the following commands.
Use the show ipv6 interface command to verify that the sending of IPv6 ICMP redirect messages is enabled on a particular
interface.
An IPv6 host is required to listen for and recognize the following addresses that identify itself:
• Link-local address.
• Assigned unicast address.
• Loopback address.
• All-nodes multicast address.
• Solicited-node multicast address.
• Multicast address to all other groups to which it belongs.
After receiving the neighbor solicitation message from node 1, node 2 replies by sending a neighbor advertisement message,
which has a value of 136 in the Type field of the ICMP packet header. The neighbor solicitation message contains the following
information:
• Source address: IPv6 address of the node 2 interface that sends the message.
• Destination address: IPv6 address of node 1.
• Link-layer address of node 2.
After node 1 receives the neighbor advertisement message from node 2, nodes 1 and 2 can now exchange packets on the link.
After the link-layer address of node 2 is determined, node 1 can send neighbor solicitation messages to node 2 to verify that it is
reachable. Also, nodes 1, 2, or any other node on the same link can send a neighbor advertisement message to the all-nodes
multicast address (FF02::1) if there is a change in their link-layer address.
Each configured router interface on a link sends out a router advertisement message, which has a value of 134 in the Type field
of the ICMP packet header, periodically to the all-nodes link-local multicast address (FF02::1).
A configured router interface can also send a router advertisement message in response to a router solicitation message from a
node on the same link. This message is sent to the unicast IPv6 address of the node that sent the router solicitation message.
At system startup, a host on a link sends a router solicitation message to the all-routers multicast address (FF01). Sending a
router solicitation message, which has a value of 133 in the Type field of the ICMP packet header, enables the host to
automatically configure its IPv6 address immediately instead of awaiting the next periodic router advertisement message.
Because a host at system startup typically does not have a unicast IPv6 address, the source address in the router solicitation
message is usually the unspecified IPv6 address (0:0:0:0:0:0:0:0). If the host has a unicast IPv6 address, the source address is the
unicast IPv6 address of the host interface sending the router solicitation message.
Entering the ipv6 unicast-routing command automatically enables the sending of router advertisement messages on all
configured router Ethernet interfaces. You can configure several router advertisement message parameters.
A router sends a neighbor redirect message only for unicast packets, only to the originating node, and to be processed by the
node.
A neighbor redirect message has a value of 137 in the Type field of the ICMP packet header.
If duplicate address detection identifies a duplicate unicast IPv6 address, the address is not used. If the duplicate address is the
link-local address of the host interface, the interface stops processing IPv6 packets.
The following example shows how to configure the prefixes that are advertised in the IPv6 router advertisement messages.
The no form of the command removes a prefix from the router advertisement messages sent from a particular interface.
NOTE
When determining if hosts can use stateful autoconfiguration to get non-IPv6-address information, a set Managed
Address Configuration flag overrides an unset Other Stateful Configuration flag. In this situation, the hosts can obtain
nonaddress information. However, if the Managed Address Configuration flag is not set and the Other Stateful
Configuration flag is set, then the setting of the Other Stateful Configuration flag is used.
Use the ipv6 nd suppress-ra command to disable the sending of router advertisement messages on an Ethernet interface.
To enable the sending of router advertisement messages on a tunnel interface, enter commands such as the following.
NOTE
ICX 7150 devices do not support tunnels.
If IPv6 unicast routing is enabled on an Ethernet interface, by default, this interface sends IPv6 router advertisement messages.
The IPv6 router sets the preference field based on the configured value on IPv6 RA and sends it periodically to the IPv6 host or as
a response to the router solicitations.
2. Use the ipv6 nd router-preference command to configure IPv6 RA preference for the IPv6 router.
Ruckus recommends configuring a longer reachable time duration, because a short duration causes the IPv6 network devices to
process the information at a greater frequency.
IP communication within a Layer 2 infrastructure is established by mapping an IP address to a MAC address. An invalid host can
intercept packet flow between legitimate hosts by sending a neighbor solicitation or neighbor advertisement with a forged
IP-to-MAC address binding. The victim host includes an illegitimate entry in the neighbor cache, which is looked up to validate the
IP-to-MAC address binding. After a successful attack, all the traffic is redirected through the invalid host and is vulnerable to
man-in-the-middle attacks. The neighbor discovery inspection validates all the IPv6 packets carrying neighbor discovery messages by
checking the IP-to-MAC address binding of the packets. If there is a discrepancy in the IP-to-MAC address binding, the neighbor
discovery message is considered to be from an invalid host and the packets are discarded.
The following figure illustrates the method by which Host 3 performs ND cache poisoning by sending a neighbor solicitation
message to Host 1 with the source IP of Host 2, and similarly to Host 2 with the source IP of Host 1, with its own MAC address. By
doing this, Host 3 can intercept the packet flow from Host 1 to Host 2.
ND inspection, when enabled on a VLAN, checks all the neighbor discovery messages flowing through the switches between the
hosts that are part of the VLAN and validates the IP-to-MAC address binding of the packets. All the packets are verified against
the trusted binding tables where the preconfigured static ND inspection entries or dynamically learned DHCPv6 snoop entries
are stored. DHCPv6 snooping must be enabled for dynamic inspection of ND messages. For more information on dynamically
learned DHCPv6 snoop entries, refer to the DHCPv6 section in the Ruckus FastIron DHCP Configuration Guide.
To inspect a neighbor discovery message, all the neighbor solicitation and neighbor advertisement messages are directed to a
CPU, and the source IP address and source MAC address of each packet are validated against the entries in the trusted tables.
Only the valid packets are forwarded and those with invalid IP-to-MAC address bindings are discarded. ND inspection follows
CPU-based packet forwarding and thus the neighbor discovery messages in the ND inspection-enabled VLAN may get discarded
depending on the CPU load. The neighbor discovery messages are also rate limited to CPU.
The router interface configuration on the ND inspection-enabled VLAN is also subjected to ND inspection. That is, if the interface
is a Layer 3 interface, the neighbor solicitation and neighbor advertisement messages addressed to the router are also validated.
If there is a discrepancy in the IP-to-MAC address binding, the packets are discarded and the IPv6 neighbor tables will not be
updated. Unlike the neighbor solicitation and neighbor advertisement messages, the router solicitation messages are not
directed to the CPU, because the hosts are supposed to reject the router solicitation messages by default.
The following figure illustrates unhindered flow of packets from Host 1 to Host 2, while the messages that are sent by Host 3 with
invalid IP-to-MAC address bindings are discarded.
Though you can configure interfaces in “trust” or “untrust” mode, ND inspection is performed only on untrusted ports that are
part of the ND inspection-enabled VLAN. When you enable ND inspection on a VLAN, by default, all the interfaces and member
ports are considered as untrusted. When configured, ND inspection protects the directly connected hosts from ND cache
poisoning; the hosts connected across the switches are not insulated from any attack.
NOTE
ND inspection is supported on LAGs and trunk ports and supports Multi-VRF instances. Multiple VRFs can be deployed
on a Ruckus Ethernet switch. Each VLAN having a Virtual Interface (VE) is assigned to a VRF.
The acl-per-port-per-vlan must be enabled using the enable acl-per-port-per-vlan command before configuring ND inspection.
1. Use the ipv6 neighbor inspection vlan command to enable ND inspection on a VLAN.
2. Use the ipv6 neighbor inspection command to add a static ND inspection entry. You can add multiple static ND inspection
entries.
3. Use the interface ethernet command to enter the interface configuration mode.
4. Use the ipv6-neighbor inspection trust command to enable trust mode for the switch or server port. You can enable trust
mode for multiple ports.
Rejected ND ND Inspect: no static inspect or DHCP6 entry found, packet dropped rx-sip 2001::100 rx-smac
0000.0000.0055 vlan_id 2 vrf_id 0
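The rejected-ND syslog message above carries enough fields to triage ND inspection drops. The following Python sketch is an added example, not a Ruckus tool: it parses messages in that format and flags any source MAC address that was dropped while claiming two or more different source IPv6 addresses on the same VLAN, which is the pattern of the cache-poisoning scenario described earlier. The sample lines, including their timestamp and host prefix, are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Message body as shown in the guide; \s+ tolerates the line wrap in the printed text.
DROP_RE = re.compile(
    r"ND Inspect: no static inspect or DHCP6 entry found, packet dropped\s+"
    r"rx-sip\s+(?P<sip>\S+)\s+"
    r"rx-smac\s+(?P<smac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+"
    r"vlan_id\s+(?P<vlan>\d+)\s+vrf_id\s+(?P<vrf>\d+)"
)

# Constructed sample input; the timestamp/host prefix is an assumption.
_MSG = "ND Inspect: no static inspect or DHCP6 entry found, packet dropped"
SAMPLE_LOG = f"""\
Jan  5 10:00:01 sw1 {_MSG} rx-sip 2001::100 rx-smac 0000.0000.0055 vlan_id 2 vrf_id 0
Jan  5 10:00:02 sw1 {_MSG} rx-sip 2001::101 rx-smac 0000.0000.0055 vlan_id 2 vrf_id 0
Jan  5 10:00:04 sw1 {_MSG} rx-sip 2001::100 rx-smac 0000.0000.0055 vlan_id 2 vrf_id 0
Jan  5 10:00:07 sw1 {_MSG} rx-sip 2001::200 rx-smac 0000.0000.0077 vlan_id 3 vrf_id 0
Jan  5 10:00:09 sw1 unrelated message (constructed)
"""


def parse_drop(line: str):
    """Return the fields of one rejected-ND message, or None if the line is not one."""
    match = DROP_RE.search(line)
    if match is None:
        return None
    try:
        sip = ipaddress.IPv6Address(match.group("sip"))
    except ValueError:
        return None  # malformed address field: not a record we can trust
    return {
        "sip": str(sip),
        "smac": match.group("smac").lower(),
        "vlan": int(match.group("vlan")),
        "vrf": int(match.group("vrf")),
    }


def summarize(lines):
    """Group drops by (vlan, vrf, source MAC): drop count and claimed source addresses."""
    summary = defaultdict(lambda: {"drops": 0, "claimed": set()})
    for line in lines:
        record = parse_drop(line)
        if record is None:
            continue
        key = (record["vlan"], record["vrf"], record["smac"])
        summary[key]["drops"] += 1
        summary[key]["claimed"].add(record["sip"])
    return dict(summary)


def suspects(summary, min_addresses: int = 2):
    """Keys whose MAC was dropped while claiming at least min_addresses source addresses.

    A MAC dropped for a single address may simply lack a static or DHCPv6 snoop
    entry; several claimed addresses from one MAC deserve a closer look first.
    """
    return sorted(k for k, v in summary.items() if len(v["claimed"]) >= min_addresses)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for (vlan, vrf, smac), info in sorted(report.items()):
        print(f"vlan {vlan} vrf {vrf} {smac}: {info['drops']} drops, "
              f"claimed {sorted(info['claimed'])}")
    print("review first:", suspects(report))
```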
IPv6 MTU
The IPv6 maximum transmission unit (MTU) is the maximum length of an IPv6 packet that can be transmitted on a particular
interface. If an IPv6 packet is longer than an MTU, the host that originated the packet fragments the packet and transmits its
contents in multiple packets that are shorter than the configured MTU.
By default, in non-jumbo mode, the default and maximum Ethernet MTU size is 1500 bytes. When jumbo mode is enabled, the
default Ethernet MTU size is 9216. The maximum Ethernet MTU size is 10128.
• For ICX 7150, ICX 7250, ICX 7450, ICX 7650, and ICX 7750 devices, the IPv4 and IPv6 MTU values are the same. Modifying
one also changes the value of the other.
• For ICX 7150, ICX 7450, ICX 7650, and ICX 7750 devices, the minimum IPv4 and IPv6 MTU values for both physical and
virtual interfaces are 1280.
• You cannot use IPv6 MTU to set Layer 2 maximum frame sizes per interface. Enabling global jumbo mode causes all
interfaces to accept Layer 2 frames.
For bytes, specify a value between 1280 - 1500, or 1280 - 10218 if jumbo mode is enabled. If a non-default value is configured for
an interface, router advertisements include an MTU option.
NOTE
IPv6 MTU cannot be configured globally. It is supported only on devices running Layer 3 software.
NOTE
A port that has a statically assigned IPv6 entry cannot be added to a VLAN.
NOTE
Static neighbor configurations will be cleared on secondary ports when a LAG is formed.
Use the ipv6 neighbor command to add a static entry for a neighbor.
You configured IPv6 address 2001:DB8:2678:47b and link-layer address 0000.002b.8641 that is reachable through Ethernet
interface 1/3/1. To remove a static IPv6 entry from the IPv6 neighbor discovery cache, use the no form of this command.
device(config)#ipv6 hop-limit 70
A security enhancement disables sending IPv6 source-routed packets to IPv6 devices. (This enhancement conforms to RFC 5095.)
By default, when the router drops a source-routed packet, it sends an ICMP Parameter Problem (type 4), Header Error (code 0)
message to the packet's source address, pointing to the unrecognized routing type.
Ruckus devices vary in the amount of TCAM space that can be allocated for IPv4 and IPv6 routing and GRE tunnel information.
Each IPv6 route entry and GRE tunnel use more storage space than IPv4 route entries. The default, maximum, and minimum
allocation values for each type of data are shown in the following tables.
NOTE
If you disable IPv6 routing, the TCAM space allocations do not change. If you want to allocate the maximum possible
space for IPv4 routing information, you must configure the TCAM space manually.
NOTE
The ICX 7250 device has a fixed allocation of space for eight GRE tunnels.
NOTE
The ICX 7150 device does not support GRE tunnels.
TCAM space allocations for IPv4 and IPv6 routes and other entities can be modified by configuring the number of IPv4 route
entries. Different devices have different amounts of TCAM space; see the "TCAM space allocation" topic for the default,
maximum, and minimum allocations.
NOTE
If you disable IPv6 routing, the TCAM space allocations do not change. If you want to allocate the maximum possible
space for IPv4 routing information, you must configure the TCAM space manually.
NOTE
The ICX 7150 and ICX 7250 devices only permit manual configuration of IPv4 routes.
2. To allocate TCAM space to store 6000 IPv4 route entries, use the following command.
device(config)# exit
5. Reload the device for the new TCAM space allocations to be changed.
device# reload
The following example configures TCAM space for 6000 IPv4 route entries. After the device reload, you can view the new TCAM
allocation numbers for IPv6 entries.
TCAM space allocations for GRE tunnels can be modified using manual configuration. Different devices have different amounts of
TCAM space; see the "TCAM space allocation" topic for the default, maximum, and minimum allocations. The TCAM space
allocation is dependent on the IPv4 route configuration.
NOTE
This task is not supported on the ICX 7250 device, where the TCAM allocation is for 8 GRE tunnels.
NOTE
ICX 7150 devices do not support tunnels.
2. To allocate TCAM space to store information for up to 20 GRE tunnels, use the following command.
device(config)# exit
5. Reload the device for the new TCAM space allocations to be changed.
device# reload
The following example configures TCAM storage space for 20 GRE tunnel entries. After the device reload, you can view the new
TCAM allocation numbers for GRE tunnels in the running configuration.
To display IPv6 cache information, use the show ipv6 cache command.
If you specify an Ethernet interface, also specify the unit, slot, or port number associated with the interface. If you must specify a
VE interface, also specify the VE number. If you specify a tunnel interface, you must also specify the tunnel number.
The command-line interface (CLI) output of the show ipv6 cache command displays the following information.
Total number of cache entries: The number of entries in the cache table.
IPv6 Address: The host IPv6 address.
Next Hop: The next hop, which can be one of the following:
• Direct - The next hop is directly connected to the router.
• Local - The next hop is originated on this router.
• ipv6 address - The IPv6 address of the next hop.
Port: The port on which the entry was learned.
The interface parameter displays detailed information for a specified interface. For the interface, you can specify the Ethernet,
loopback, tunnel, or VE keywords. If you specify an Ethernet interface, also specify unit, slot, and port. If you specify a loopback,
tunnel, or VE interface, also specify the number associated with the interface.
The command-line interface (CLI) output of the show ipv6 interface command shows the following information.
Routing protocols: A one-letter code that represents a routing protocol that can be enabled on an interface.
Interface: The interface type, and the port number or number of the interface.
Status: The status of the interface. The entry in the Status field will be either "up/up" or "down/down".
Routing: The routing protocols enabled on the interface.
Global Unicast Address: The global unicast address of the interface.
To display detailed information for a specific interface, use the show ipv6 interface interface command.
The command-line interface (CLI) output of the show ipv6 interface interface command displays the following information.
Interface/line protocol status: The status of interface and line protocol. If you have disabled the interface with the
disable command, the status will be "administratively down". Otherwise, the status is either "up" or "down".
IPv6 status/link-local address: The status of IPv6. The status is either "enabled" or "disabled".
To display the IPv6 neighbor table, enter the show ipv6 neighbor command.
The ipv6-prefix / prefix-length parameters restrict the display to the entries for the specified IPv6 prefix. You must specify the
ipv6-prefix parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the
prefix-length parameter as a decimal value. A slash mark (/) must follow the ipv6-prefix parameter and precede the prefix-length
parameter.
The interface parameter restricts the display to the entries for the specified router interface. For this parameter, you can specify
the ethernet or ve keywords. If you specify an Ethernet interface, also specify unit, slot, and port. If you specify a VE interface,
also specify the VE number.
The output of the show ipv6 neighbor command displays the following information.
Total number of neighbor entries: The total number of entries in the IPv6 neighbor table.
IPv6 Address: The 128-bit IPv6 address of the neighbor.
Link-Layer Address: The 48-bit interface ID of the neighbor.
State: The current state of the neighbor. Possible states are as follows:
• INCOMPLETE - Address resolution of the entry is being performed.
• REACH - The static forward path to the neighbor is functioning properly.
• REACH - The forward path to the neighbor is functioning properly.
• STALE - This entry has remained unused for the maximum interval. While stale, no action takes place until a packet is
sent.
• DELAY - This entry has remained unused for the maximum interval, and a packet was sent before another interval
elapsed.
• PROBE - Neighbor solicitations are transmitted until a reachability confirmation is received.
Age: The number of seconds the entry has remained unused. If this value remains unused for the number of seconds
specified by the ipv6 nd reachable-time command (the default is 30 seconds), the entry is removed from the table.
Port: The physical port on which the entry was learned.
vlan: The VLAN on which the entry was learned.
IsR: Determines if the neighbor is a router or host:
The ipv6-address parameter restricts the display to the entries for the specified IPv6 address. You must specify the ipv6-address
parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
The ipv6-prefix / prefix-length parameters restrict the display to the entries for the specified IPv6 prefix. You must specify the
ipv6-prefix parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the
prefix-length parameter as a decimal value. A slash mark (/) must follow the ipv6-prefix parameter and precede the prefix-length
parameter.
The bgp keyword restricts the display to entries for BGP4 routes.
The connect keyword restricts the display to entries for directly connected interface IPv6 routes.
The ospf keyword restricts the display to entries for OSPFv3 routes.
The rip keyword restricts the display to entries for RIPng routes.
The static keyword restricts the display to entries for static IPv6 routes.
The summary keyword displays a summary of the prefixes and different route types.
The following table lists the information displayed by the show ipv6 route command.
To display a summary of the IPv6 route table, enter the show ipv6 route summary command.
The command-line interface (CLI) output of the show ipv6 route summary command displays the following information.
From the IPv6 host, you can display information about IPv6 routers to which the host is connected. The host learns about the
routers through their router advertisement messages. To display information about the IPv6 routers connected to an IPv6 host,
use the show ipv6 router command.
If you configure a device to function as an IPv6 router (you configure IPv6 addresses on its interfaces and enable IPv6 routing
using the ipv6 unicast-routing command), the show ipv6 router command displays the following.
Meaningful output for this command is generated for Ruckus devices configured to function as IPv6 hosts only.
The command-line interface (CLI) output of the show ipv6 router command displays the following information.
Router ipv6 address on interface port The IPv6 address for a particular router interface.
Last update The amount of elapsed time (in minutes) between the current and
previous updates received from a router.
Hops The default value that should be included in the Hop Count field of
the IPv6 header for outgoing IPv6 packets. The hops value applies to
the router for which you are displaying information and should be
followed by IPv6 hosts attached to the router. A value of 0 indicates
that the router leaves this field unspecified.
Lifetime The amount of time (in seconds) that the router is useful as the
default router.
Reachable time The amount of time (in milliseconds) that a router assumes a
neighbor is reachable after receiving a reachability confirmation. The
reachable time value applies to the router for which you are
displaying information and should be followed by IPv6 hosts attached
to the router. A value of 0 indicates that the router leaves this field
unspecified.
Retransmit time The amount of time (in milliseconds) between retransmissions of
neighbor solicitation messages. The retransmit time value applies to
the router for which you are displaying information and should be
followed by IPv6 hosts attached to the router. A value of 0 indicates
that the router leaves this field unspecified.
To display general information about each TCP connection on the router, use the show ipv6 tcp connections command.
Local IP address:port The IPv4 or IPv6 address and port number of the local router interface
over which the TCP connection occurs.
Remote IP address:port The IPv4 or IPv6 address and port number of the remote router
interface over which the TCP connection occurs.
TCP state The state of the TCP connection. Possible states include the following:
• LISTEN - Waiting for a connection request.
• SYN-SENT - Waiting for a matching connection request after
having sent a connection request.
• SYN-RECEIVED - Waiting for a confirming connection request
acknowledgment after having both received and sent a
connection request.
• ESTABLISHED - Data can be sent and received over the
connection. This is the normal operational state of the
connection.
• FIN-WAIT-1 - Waiting for a connection termination request
from the remote TCP, or an acknowledgment of the
connection termination request previously sent.
• FIN-WAIT-2 - Waiting for a connection termination request
from the remote TCP.
• CLOSE-WAIT - Waiting for a connection termination request
from the local user.
• CLOSING - Waiting for a connection termination request
acknowledgment from the remote TCP.
• LAST-ACK - Waiting for an acknowledgment of the
connection termination request previously sent to the
remote TCP (which includes an acknowledgment of its
connection termination request).
• TIME-WAIT - Waiting for enough time to pass to be sure the
remote TCP received the acknowledgment of its connection
termination request.
• CLOSED - There is no connection state.
FREE TCP = percentage The percentage of free TCP control block (TCB) space.
FREE TCP QUEUE BUFFER = percentage The percentage of free TCP queue buffer space.
FREE TCP SEND BUFFER = percentage The percentage of free TCP send buffer space.
FREE TCP RECEIVE BUFFER = percentage The percentage of free TCP receive buffer space.
To display detailed information about a specified TCP connection, enter a command such as the following at any CLI level.
The local-ip-address parameter can be the IPv4 or IPv6 address of the local interface over which the TCP connection is taking
place.
The local-port-number parameter is the local port number over which a TCP connection is taking place.
The remote-ip-address parameter can be the IPv4 or IPv6 address of the remote interface over which the TCP connection is
taking place.
The remote-port-number parameter is the remote port number over which a TCP connection is taking place.
IP6 Statistics
36947 received, 66818 sent, 0 forwarded, 36867 delivered, 0 rawout
0 bad vers, 23 bad scope, 0 bad options, 0 too many hdr
0 no route, 0 can not forward, 0 redirect sent
0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
0 reassembled, 0 fragmented, 0 ofragments, 0 can not frag
0 too short, 0 too small, 11 not member
0 no buffer, 66819 allocated, 21769 freed
0 forward cache hit, 46 forward cache miss
ICMP6 Statistics
Received:
0 dest unreach, 0 pkt too big, 0 time exceeded, 0 param prob
2 echo req, 1 echo reply, 0 mem query, 0 mem report, 0 mem red
0 router soli, 2393 router adv, 106 nei soli, 3700 nei adv, 0 redirect
0 bad code, 0 too short, 0 bad checksum, 0 bad len
0 reflect, 0 nd toomany opt, 0 badhopcount
Sent:
0 dest unreach, 0 pkt too big, 0 time exceeded, 0 param prob
1 echo req, 2 echo reply, 0 mem query, 0 mem report, 0 mem red
0 router soli, 2423 router adv, 3754 nei soli, 102 nei adv, 0 redirect
0 error, 0 can not send error, 0 too freq
Sent Errors:
0 unreach no route, 0 admin, 0 beyond scope, 0 address, 0 no port
0 pkt too big, 0 time exceed transit, 0 time exceed reassembly
0 param problem header, 0 nextheader, 0 option, 0 redirect, 0 unknown
UDP Statistics
470 received, 7851 sent, 6 no port, 0 input errors
TCP Statistics
57913 active opens, 0 passive opens, 57882 failed attempts
159 active resets, 0 passive resets, 0 input errors
565189 in segments, 618152 out segments, 171337 retransmission
Field Description
IPv6 statistics
received The total number of IPv6 packets received by the router.
sent The total number of IPv6 packets originated and sent by the router.
forwarded The total number of IPv6 packets received by the router and
forwarded to other routers.
delivered The total number of IPv6 packets delivered to the upper layer
protocol.
rawout This information is used by Ruckus Technical Support.
bad vers The number of IPv6 packets dropped by the router because the
version number is not 6.
bad scope The number of IPv6 packets dropped by the router because of a bad
address scope.
bad options The number of IPv6 packets dropped by the router because of bad
options.
too many hdr The number of IPv6 packets dropped by the router because the
packets had too many headers.
no route The number of IPv6 packets dropped by the router because there was
no route.
can not forward The number of IPv6 packets the router could not forward to another
router.
redirect sent This information is used by Ruckus Technical Support.
frag recv The number of fragments received by the router.
frag dropped The number of fragments dropped by the router.
frag timeout The number of fragment timeouts that occurred.
frag overflow The number of fragment overflows that occurred.
reassembled The number of fragmented IPv6 packets that the router reassembled.
fragmented The number of IPv6 packets fragmented by the router to
accommodate the MTU of this router or of another device.
ofragments The number of output fragments generated by the router.
can not frag The number of IPv6 packets the router could not fragment.
too short The number of IPv6 packets dropped because they are too short.
too small The number of IPv6 packets dropped because they do not have
enough data.
not member The number of IPv6 packets dropped because the recipient is not a
member of a multicast group.
no buffer The number of IPv6 packets dropped because there is no buffer
available.
forward cache miss The number of IPv6 packets received for which there is no
corresponding cache entry.
ICMP6 statistics
Some ICMP statistics apply to both Received and Sent, some apply to Received only, some apply to Sent only, and some apply to Sent Errors
only.
Applies to received and sent
dest unreach The number of Destination Unreachable messages sent or received by
the router.
pkt too big The number of Packet Too Big messages sent or received by the
router.
time exceeded The number of Time Exceeded messages sent or received by the
router.
param prob The number of Parameter Problem messages sent or received by the
router.
echo req The number of Echo Request messages sent or received by the router.
echo reply The number of Echo Reply messages sent or received by the router.
mem query The number of Group Membership Query messages sent or received
by the router.
mem report The number of Membership Report messages sent or received by the
router.
mem red The number of Membership Reduction messages sent or received by
the router.
router soli The number of Router Solicitation messages sent or received by the
router.
router adv The number of Router Advertisement messages sent or received by
the router.
nei soli The number of Neighbor Solicitation messages sent or received by the
router.
nei adv The number of Neighbor Advertisement messages sent or received by
the router.
redirect The number of redirect messages sent or received by the router.
Applies to received only
bad code The number of Bad Code messages received by the router.
too short The number of Too Short messages received by the router.
bad checksum The number of Bad Checksum messages received by the router.
bad len The number of Bad Length messages received by the router.
nd toomanyopt The number of Neighbor Discovery Too Many Options messages
received by the router.
badhopcount The number of Bad Hop Count messages received by the router.
Applies to sent only
error The number of Error messages sent by the router.
can not send error The number of times the node encountered errors in ICMP error
messages.
too freq The number of times the node has exceeded the frequency of sending
error messages.
Applies to sent errors only
unreach no route The number of Unreachable No Route errors sent by the router.
admin The number of Admin errors sent by the router.
beyond scope The number of Beyond Scope errors sent by the router.
address The number of Address errors sent by the router.
no port The number of No Port errors sent by the router.
pkt too big The number of Packet Too Big errors sent by the router.
time exceed transit The number of Time Exceed Transit errors sent by the router.
time exceed reassembly The number of Time Exceed Reassembly errors sent by the router.
param problem header The number of Parameter Problem Header errors sent by the router.
nextheader The number of Next Header errors sent by the router.
option The number of Option errors sent by the router.
redirect The number of Redirect errors sent by the router.
unknown The number of Unknown errors sent by the router.
UDP statistics
received The number of UDP packets received by the router.
sent The number of UDP packets sent by the router.
no port The number of UDP packets dropped because the packet did not
contain a valid UDP port number.
input errors This information is used by Ruckus Technical Support.
TCP statistics
active opens The number of TCP connections opened by the router by sending a
TCP SYN to another device.
passive opens The number of TCP connections opened by the router in response to
connection requests (TCP SYNs) received from other devices.
failed attempts This information is used by Ruckus Technical Support.
active resets The number of TCP connections the router reset by sending a TCP
RESET message to the device at the other end of the connection.
passive resets The number of TCP connections the router reset because the device
at the other end of the connection sent a TCP RESET message.
input errors This information is used by Ruckus Technical Support.
in segments The number of TCP segments received by the router.
out segments The number of TCP segments sent by the router.
retransmission The number of segments that the router retransmitted because the
retransmission timer for the segment had expired before the device
at the other end of the connection had acknowledged receipt of the
segment.
To remove entries for IPv6 address 2000:e0ff::1, use the clear ipv6 cache command.
You must specify the ipv6-prefix parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You
must specify the prefix-length parameter as a decimal value. A slash mark (/) must follow the ipv6-prefix parameter and precede
the prefix-length parameter.
If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VE, VRF, or tunnel
interface, also specify the VE, VRF name, or tunnel number, respectively.
To remove entries for Ethernet interface 1/3/1, use the clear ipv6 neighbor command.
You must specify the ipv6-prefix parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You
must specify the prefix-length parameter as a decimal value. A slash mark (/) must follow the ipv6-prefix parameter and precede
the prefix-length parameter.
If you specify an Ethernet interface, also specify the port number associated with the interface. If you specify a VRF or VE, also
specify the VRF name or VE number respectively.
To clear IPv6 routes associated with the prefix 2000:7838::/32, use the clear ipv6 route command.
The ipv6-prefix / prefix-length parameter clears routes associated with a particular IPv6 prefix. You must specify the ipv6-prefix
parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the prefix-length
parameter as a decimal value. A slash mark (/) must follow the ipv6-prefix parameter and precede the prefix-length parameter. If
you specify a VRF parameter, specify the VRF name.
The IP route table can receive routes from several sources, including static routes. Other route sources include directly connected
networks, RIP, OSPF, and BGP4 protocols.
Static routes can be used to specify desired routes, backup routes, or routes of last resort. Static routing can help provide load
balancing and can use routing information learned from other protocols.
NOTE
ICX 7150 devices do not support tunnels.
You can influence the preference a route is given in the following ways:
• By setting a route metric higher than the default metric
• By giving the route an administrative distance
• By specifying a route tag for use with a route map.
This feature allows the router to adjust to changes in network topology. The router does not continue trying to use routes on
unavailable paths but instead uses routes only when their paths are available.
In the following example, a static route is configured on Switch A. The route configuration is shown following the figure.
The following command configures a static route to 207.95.7.0 destinations, using 207.95.6.157 as the next-hop gateway.
When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or Layer 3
interface through which the Layer 3 device can reach the route. The device adds the route to the IP route table. In this case,
Switch A knows that 207.95.6.157 is reachable through port 1/1/2, and also assumes that local interfaces within that subnet are
on the same port. Switch A deduces that IP interface 207.95.7.7 is also on port 1/1/2.
The software automatically removes a static IP route from the IP route table if the port used by that route becomes unavailable
or the IP address is not valid. When the port becomes available again, the software automatically re-adds the route to the IP
route table.
2. Enter the IP address and prefix length, or enter the IP address and network mask for the route destination network. On
the same command line, enter the IP address for the next hop.
This example configures an IP static route with a destination network address of 10.0.0.0, a destination mask of
255.0.0.0, and a next hop address of 10.1.1.1.
NOTE
In the network mask, "1's" are significant bits, and "0's" allow any value. The mask 255.255.255.0 matches all
hosts within the Class C subnet address specified in the destination IP address. You can use "/24" as the
equivalent address prefix.
The following example configures an IP static route with a destination network address of 10.0.0.0, a prefix length of 24 bits, and
a next hop address of 10.1.1.1.
2. Designate the route destination and next hop, and add a route priority parameter.
Option Description
Cost metric The value is compared to the metric for other static routes in the IPv4 route table to the same
destination. Two or more routes to the same destination with the same metric load share traffic to
the destination. The value may range from 1 through 16. The default is 1. A route with a cost of 16
is considered unreachable.
Administrative distance This value is compared to the administrative distance of all routes to the same destination. Static
routes by default take precedence over learned protocol routes. However, to give a static route a
lower priority than a dynamic route, give the static route the higher administrative distance. The
value is preceded by the keyword distance and can range from 1 to 255. The default is 1. A value
of 255 is considered unreachable.
NOTE
The device replaces a static route if it receives a route to the same destination with a lower administrative
distance.
The following example configures a static route to destinations with an IP address beginning with 10.0.0.0. The route uses IP
address 10.111.10.1 as the next hop. The static route is assigned an administrative distance of 3.
2. Enter the destination IP address and mask or prefix length followed by the IP address of the next hop. On the same
command line, enter the keyword name followed by the identifying ASCII string.
The following example creates a static route to IP destination network addresses beginning with 10.22.22.22 through the next-
hop address 10.1.1.1. The route is given the non-unique name "corporate."
This example repeats the previous route. Because the route has no name, the command removes the designated static
route.
The following example removes the name of the designated static route, removes the route, and saves the change to the IP
routing table.
NOTE
You cannot add an interface-based static route to a network if there is already a static route of any type with the same
metric you specify for the interface-based route.
NOTE
ARP will be generated for a forwarded packet destination IP address when an interface is configured as the next hop.
To configure an IP static route with an IP physical interface as the next hop, follow these steps.
2. Enter the IP address and prefix length, or enter the IP address and network mask for the route destination network. On
the same command line, enter the keyword ethernet followed by the interface number to be used as next hop.
This example configures an IP static route with a destination network address of 10.128.2.69, a network mask of
255.255.255.0, and Ethernet port 1/4/1 as the next hop.
The following example configures an IP static route to destination network addresses beginning with 10.0.0.0 through the next-
hop interface 1/2/1.
2. Enter the IP destination address and the network mask or prefix-length. On the same command line, enter the keyword
ve followed by the appropriate ID number.
The following example configures an IP static route with a destination address of 10.128.2.0, a prefix-length of /24, and a virtual
interface (ve 3) as the next hop.
To configure an IP static route with a tunnel as the next hop, follow these steps.
2. Configure the destination IP address, followed by the prefix length or address mask. On the same command line, enter
the keyword tunnel followed by the tunnel ID.
The following example configures an IP static route with a destination address of 10.128.2.71, a network mask of 255.255.255.0,
and a tunnel gateway (tunnel 4) as the next hop.
Perform these steps to configure a static route with a tag that can be referenced in a route map.
2. Enter the ip route command followed by the destination network IP address and prefix-length and the next-hop IP
address. On the same line, enter the keyword tag followed by a decimal tag number.
NOTE
An address mask may be used instead of the prefix-length (such as 255.255.255.0 instead of /24).
The following example creates an IP static route to destination IP addresses beginning with 10.0.0.0 through the next-hop
address 10.1.1.1. The static route includes the tag "3" for later use in a route map.
The following figure depicts how a null static route works with a standard route to the same destination.
To configure a null route with a lower priority than the preferred route, perform the following steps.
1. NOTE
You cannot add a null static route to a network if there is already a static route of any type with the same
metric you specify for the null route.
This example creates a static route to destination network addresses that have an IP address beginning with
192.168.7.0. These destinations are routed through the next-hop gateway 192.168.6.157. The route carries the default
metric of 1.
3. Configure the null route to the same destination with a higher metric.
This example creates a null static route to the same destination. The metric is set higher so that the preferred route is
used if it is available. When the preferred route becomes unavailable, the null route is used, and traffic to the destination
is dropped.
The following example creates a primary route to all destinations beginning with 192.168.7.0. It creates an alternative null route
to drop the packets when the primary route is not available.
If the default route is a protocol route, that protocol needs to be enabled to resolve static routes. Use the ip route next-hop
command to allow protocol resolution through the default route.
If the default route itself is a static route, you must configure the ip route next-hop-enable-default command to resolve other
static routes through the default route. You may also configure recursive lookup to resolve the next hop.
2. Enter 0.0.0.0 0.0.0.0 as the destination route and network mask. On the same line, enter a valid next-hop address.
NOTE
This command can be independently applied on a per-VRF basis.
The following example configures static routing next-hop recursion to three levels (the default). It configures the network default
static route through next-hop IP address 10.24.4.1 and allows the default route to resolve other static routes.
NOTE
You can specify a level of recursion up to 10.
NOTE
This command can be independently applied on a per-VRF basis.
2. Enter the following command, and, as an option, specify the level of recursion.
This example configures recursive static route lookup to three levels (the default).
The following example configures recursive static route lookup to five levels.
Perform these steps to resolve the next hop for a static route using learned routes from a protocol.
NOTE
Connected routes are always used to resolve static routes.
This example resolves static routes through BGP. Both iBGP and eBGP routes are used to resolve the routes.
NOTE
ICX 7150 devices do not support tunnels or VRFs.
To create an IP static route with a next hop in a non-default VRF, follow these steps.
2. Enter the ip route command followed by the keyword vrf and the VRF name. On the same command line, enter the
destination IP address, followed by the prefix-length or the address mask and then the IP address of the next-hop.
This example configures an IP static route through the non-default VRF "blue" with the next-hop address 10.1.1.1.
The following example configures a static route with a destination address 56.1.5.0/24. The route is configured in the non-default
VRF "red" and uses tunnel 5 as the next-hop gateway.
NOTE
When a tunnel is designated as the next-hop gateway for a non-default VRF destination, the tunnel must already exist
before the static route can be created.
If you configure more than one static route to the same destination with different next-hop gateways but the same metrics, the
router load balances among the routes using a basic round-robin method.
If you configure multiple static IP routes to the same destination with different next-hop gateways and different metrics, the
router always uses the route with the lowest metric. If this route becomes unavailable, the router fails over to the static route
with the next-lowest metric. The following figure depicts two routes with different metrics configured for the same destination.
To set up multiple routes for load sharing or redundancy, perform the following steps.
NOTE
You can also use administrative distance to set route priority; however, be sure to give a static route a lower
administrative distance than other types of routes, unless you want other route types to be preferred over the static
route.
2. Enter multiple routes to the same destination using different next hops.
This example creates three next-hop gateways to the destination. Traffic will alternate among the three paths through
next-hop 10.157.22.1, next-hop 10.111.10.1, and next hop 10.1.1.1.
3. To prioritize the three routes, use different metrics for each of the three potential next hops.
This example creates three alternate routes to the destination. The primary next hop is 10.157.22.1, which has the
default metric of 1 (the default metric is not entered in the CLI). If this path is not available, traffic is directed to
10.111.10.1, which has the next lowest metric of 2. If the second path fails, traffic is directed to 10.1.1.1, which has a
metric of 3.
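The selection rules described for null routes and for multiple routes to one destination can be checked with a small model. The following Python sketch is an added example, not the device's implementation: it applies longest-prefix match, then lowest administrative distance and metric, serves equal routes round-robin, and shows that without the null route, traffic for 192.168.7.0/24 follows the default route when the preferred gateway fails. The destination 10.0.0.0/24 for the three-gateway routes, the null-route metric of 2, the "null" label, the `down` set, and the ordering of distance before metric are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

NULL = "null"  # label this model uses for a null (drop) next hop


@dataclass(frozen=True)
class StaticRoute:
    prefix: str          # destination network, e.g. "192.168.7.0/24"
    next_hop: str        # gateway address, or NULL
    metric: int = 1      # 1-16; 16 is considered unreachable
    distance: int = 1    # 1-255; 255 is considered unreachable


def candidates(routes, dst, down=()):
    """Routes the model would use for dst; more than one means load sharing."""
    addr = ipaddress.ip_address(dst)
    usable = [r for r in routes
              if addr in ipaddress.ip_network(r.prefix)
              and r.metric < 16 and r.distance < 255
              # A route whose gateway is unavailable is withdrawn from the table.
              and (r.next_hop == NULL or r.next_hop not in down)]
    if not usable:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in usable)
    usable = [r for r in usable
              if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best = min((r.distance, r.metric) for r in usable)
    return [r for r in usable if (r.distance, r.metric) == best]


def forward(routes, dst, packets, down=()):
    """Next hop for each of `packets` packets; equal routes alternate."""
    tied = candidates(routes, dst, down)
    if not tied:
        return ["no route"] * packets
    hops = ["drop" if r.next_hop == NULL else r.next_hop for r in tied]
    return [hops[i % len(hops)] for i in range(packets)]


# Three gateways, same metric: load sharing (destination is an assumption).
LOAD_SHARE = [StaticRoute("10.0.0.0/24", "10.157.22.1"),
              StaticRoute("10.0.0.0/24", "10.111.10.1"),
              StaticRoute("10.0.0.0/24", "10.1.1.1")]

# Same gateways with metrics 1, 2 and 3: ordered failover.
PRIORITIZED = [StaticRoute("10.0.0.0/24", "10.157.22.1"),
               StaticRoute("10.0.0.0/24", "10.111.10.1", metric=2),
               StaticRoute("10.0.0.0/24", "10.1.1.1", metric=3)]

# Preferred route, null backup with a higher metric, and a default route.
DEFAULT = StaticRoute("0.0.0.0/0", "10.24.4.1")
PRIMARY = StaticRoute("192.168.7.0/24", "192.168.6.157")
NULL_BACKUP = StaticRoute("192.168.7.0/24", NULL, metric=2)

if __name__ == "__main__":
    failed = {"192.168.6.157"}
    print(forward(LOAD_SHARE, "10.0.0.9", 4))
    print(forward(PRIORITIZED, "10.0.0.9", 1, down={"10.157.22.1"}))
    print(forward([DEFAULT, PRIMARY], "192.168.7.20", 1, down=failed))
    print(forward([DEFAULT, PRIMARY, NULL_BACKUP], "192.168.7.20", 1, down=failed))
```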
NOTE
Output examples in this section do not reflect system values for ICX devices. For example, the ICX 7150 default value for
IPv4 static routes is 512, the minimum value is 64, and the maximum value is 512.
Perform these steps to check the maximum setting for static routes and to modify the value.
The maximum number of static IP routes the system can retain is listed under System Parameters in the ip-static-route
row as shown in the following example.
The following example changes the system max value for IP static routes from 2048 to 4096.
1. To display a list of active static routes and their connection times, at the device prompt, enter the show ip route static
command.
2. To show all active IP routes and their connection times, enter the show ip route command.
The following example shows two configured IPv4 routes from the management port. The first is the default route, 0.0.0.0/0. This
is a static route ("S") that uses the next-hop gateway 10.25.224.1. The default route has a distance metric of 254 (beneath the
threshold of 255, which would be unreachable) and a metric of 1. The route has been up for over 8 days.
The second route in this example is a directly connected route to all destinations beginning with 10.25.224.0. It has no extra costs
associated with it and has been up for 6 hours and 39 minutes. The second route is the preferred route because, unlike the first
route, it has no additional cost associated with it.
Static routes are manually configured entries in the existing IPv6 routing table. In setting up static routes, you can specify several
types of destinations:
• Destination network, using an IP address and network mask or prefix length
• Default network route
• Next hop router
• Next hop tunnel gateway
• Next-hop network protocol type
• Ethernet interface, typically used for directly attached destination networks
• Virtual interface
• Null interface
NOTE
ICX 7150 devices do not support tunnels.
You can influence the preference a route is given in the following ways:
• By setting a route metric higher than the default metric
• By giving the route an administrative distance
• Backup routes
• Null routes for intentionally dropping traffic when the desired connection fails
• Alternative routes to the same destination to help load balance traffic.
The following command configures a static route to 2001:DB8::0/32, using 2001:DB8:2343:0:ee44::1 as the next-hop gateway.
When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or Layer 3
interface through which the Layer 3 device can reach the route. The device adds the route to the IP route table. In this case,
Switch A knows that 2001:DB8:2343:0:ee44::1 is reachable through port 1/1/2, and also assumes that local interfaces within that
subnet are on the same port. Switch A deduces that IP interface 2001:DB8::0/32 is also on port 1/1/2.
Before configuring a static IPv6 route, you must enable the forwarding of IPv6 traffic on the Layer 3 switch using the ipv6
unicast-routing command and enable IPv6 on at least one interface by configuring an IPv6 address or explicitly enabling IPv6 on
that interface.
2. Designate the route destination as an IPv6 address in hexadecimal with 16-bit values between colons, as specified in RFC
2373, and include the address prefix length preceded by a slash. On the same command line, enter the IPv6 address of
the next-hop gateway.
The following example configures an IPv6 static route for a destination network with the prefix 2001:DB8::0/32 and a next-hop
gateway with the global address 2001:DB8:0:ee44::1.
The no form of the ipv6 route command must be entered with exact parameters to remove the command. If the route is
configured in a non-default VRF, the no form of the ipv6 route command must be entered in VRF configuration mode.
1. (Optional) To view configured routes and confirm exact parameters, enter the command show ipv6 route to display the
IPv6 route table.
2. (Optional) Enter the show ipv6 static route command to narrow the output to static routes only.
4. Enter no followed by the ipv6 route command, including destination and next-hop, as shown in the following example.
(You do not need to include cost metric, distance, or tag parameters.)
The following example removes an existing IPv6 static route from a non-default VRF.
To configure an IPv6 static route with an interface as the next hop as depicted in the following illustration, perform these steps.
2. Designate the route destination. On the same command line, enter the keyword ethernet followed by the interface
number as the next-hop, followed by its link-local IPv6 address.
The following example configures a static IPv6 route for a destination network with the prefix 2001:DB8::0/32 and a next-hop
gateway with the link-local address fe80::1 that the Layer 3 switch can access through Ethernet interface 1/3/1.
To configure a basic IPv6 static route with a virtual interface as a next hop, perform these steps.
2. Enter the IP address prefix and prefix length for the route destination network.
This example shows the first half of the command, the route destination, IPv6 2001:DB8::0/32 network addresses.
3. On the same command line, add the keyword ve followed by the virtual interface ID to be used as the next hop, along
with its link-local address.
This example shows the next-hop destination as virtual interface (ve) 3, with a link-local address of fe80::1.
The following example configures an IPv6 static route to IPv6 2001:DB8::0/32 destinations through next-hop virtual interface 3.
NOTE
ICX 7150 devices do not support tunnels.
To configure a basic IPv6 static route through a next-hop tunnel, perform these steps.
2. Enter the IPv6 destination address and prefix, followed by the keyword tunnel and the tunnel ID.
The following example configures an IPv6 static route to 2001:DB8::0/32 destinations with a next-hop gateway through Tunnel 1.
Before configuring a static IPv6 route, you must enable the forwarding of IPv6 traffic on the Layer 3 switch using the ipv6
unicast-routing command and enable IPv6 on at least one interface by configuring an IPv6 address or explicitly enabling IPv6 on
that interface.
NOTE
ICX 7150 devices do not support VRFs.
NOTE
The VRF designated in the procedure must be a valid VRF.
To configure a VRF as the next hop for an IPv6 static route, follow these steps.
2. Enter the ipv6 route command followed immediately by the keyword vrf and the name of the VRF that contains the
next-hop router for the route. On the same command line, enter the destination IPv6 address, including the prefix
length, and the IPv6 address of the next hop.
This example creates an IPv6 static route for the destination network addresses with the prefix 2001:DB8::0/32 through
the next-hop VRF named "partners" with the global IPv6 address 2001:DB8:0:ee44::1.
Before configuring a static IPv6 route, you must enable the forwarding of IPv6 traffic on the Layer 3 switch using the ipv6
unicast-routing command and enable IPv6 on at least one interface by configuring an IPv6 address or explicitly enabling IPv6 on
that interface.
Follow these steps to create an IPv6 static route with cost metrics.
2. Designate the route destination and next hop, and add a route priority parameter.
Option - Description
Cost metric - The value is compared to the metric for other static routes in the IPv6 route table to the same destination. Two or more routes to the same destination with the same metric load share traffic to the destination. The value may range from 1 through 16. The default is 1. A route with a cost of 16 is considered unreachable.
Administrative distance - This value is compared to the administrative distance of all routes to the same destination. Static routes by default take precedence over learned protocol routes. However, to give a static route a lower priority than a dynamic route, give the static route the higher administrative distance. The value is preceded by the keyword distance and can range from 1 to 255. The default is 1. A value of 255 is considered unreachable.
This example configures a static IPv6 route for a destination network with the prefix 2001:DB8::0/64 and a next-hop
gateway with the global address 2001:DB8:0:ee44::1 and assigns the route a metric of 2.
The following example configures an IPv6 static route for a destination network with the prefix 2001:DB8::0/64 and a next-hop
gateway with the global address 2001:DB8:0:ee44::1. The static route is assigned an administrative distance of 3.
NOTE
You cannot add a null or interface-based static route to a network if there is already a static route of any type with the
same metric you specify for the null or interface-based route.
The following figure depicts how a null static route works with a standard route to the same destination.
The following procedure creates a preferred route and a null route to the same destination. The null route drops packets when
the preferred route is not available.
This example creates a static route to IPv6 2001:DB8::0/64 destination addresses. These destinations are routed
through link-local address fe80::1 and the next hop gateway virtual interface (ve) 3. The route uses the default cost
metric of 1.
3. Configure the null route to the same destination with a higher metric.
This example creates a null static route to the same destination. The metric is set higher so that the preferred route is
used if it is available.
The following example creates a primary route to all 2001:DB8::0/64 destinations through virtual interface (ve) 3. It creates an
alternative null route to drop the packets when the primary route is not available.
Because the default route is a static route, you must configure the ip route next-hop-enable-default command to resolve other
static routes through the default route.
2. Enable the default network route for static route resolution of routes to a particular destination.
This example enables the default static route to resolve the next hop for IPv6 static routes.
NOTE
This command can be independently applied on a per-VRF basis.
3. (Optional) Configure the default route for recursive lookup of the next-hop.
This example allows three levels of recursion in looking up the next hop for any IPv6 static route. The default is 3. You
may enter any value from 1 to 10.
4. Enter the following destination route and network mask followed by a valid next-hop address.
The following example configures a default static route to global IPv6 address 2001:DB8:0:ee44::1. The route is able to resolve
static routes using next-hop recursion to three levels (the default).
NOTE
This command can be independently applied on a per-VRF basis.
2. Enter the following command, and, as an option, specify the level of recursion. You can enter a value from 1 through 10.
If no value is specified, the level of recursion is 3.
This example configures recursive static route lookup to three levels (the default).
The following example configures recursive static route lookup to five levels.
Perform these steps to resolve the next hop for an IPv6 static route using learned routes from BGP, OSPF, or RIP protocol.
NOTE
Connected routes are always used to resolve static routes.
This example designates that the VRF named "blue" is to be used and that static routes are to be resolved through BGP.
The following example specifies that IPv6 static routes can be resolved through directly connected OSPF routers (instead of link-
local IPv6 route tables, for example).
If you configure more than one static route to the same destination with different next-hop gateways but the same metrics, the
router load balances among the routes using a basic round-robin method.
If you configure multiple static IP routes to the same destination with different next-hop gateways and different metrics, the
router always uses the route with the lowest metric. If this route becomes unavailable, the router fails over to the static route
with the next-lowest metric. The following figure depicts multiple routes with different metrics configured for the same
destination.
To set up multiple routes for load sharing or redundancy, perform the following steps.
NOTE
You can also use administrative distance to set route priority; however, be sure to give a static route a lower
administrative distance than other types of routes, unless you want other route types to be preferred over the static
route.
2. Enter multiple routes to the same destination using different next hops.
This example creates two next-hop gateways for all 2001:DB8::0/64 destinations. Traffic will alternate between the two
paths.
3. To prioritize multiple routes, use different metrics for each possible next hop.
This example creates an alternate route to all 2001:DB8::0/64 destinations. The primary route uses
2001:DB8:2343:0:ee44::1 as the next hop. The route has the default metric of 1. If this path is not available, traffic is
directed through 2001:DB8:2344:0:ee44::2, which has the next lowest metric (2).
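The null-route fallback and the multiple-route behavior described above can be modeled together. The following Python sketch is an added illustration, not code or CLI from this guide. It assumes that administrative distance is compared before metric, that lookups use the exact destination prefix, and that "null" is only a marker inside the model; the null-route metric of 3 is a constructed value.

```python
from dataclasses import dataclass
from itertools import cycle

UNREACHABLE_METRIC = 16     # per the guide: a cost of 16 is unreachable
UNREACHABLE_DISTANCE = 255  # per the guide: a distance of 255 is unreachable
NULL = "null"               # model marker for a null route (not a CLI keyword)

@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    metric: int = 1      # guide default
    distance: int = 1    # guide default

def usable(route, up_next_hops):
    """A route is usable if it is not marked unreachable and its next hop is up.
    A null route has no next hop to lose, so it is always available."""
    if route.metric >= UNREACHABLE_METRIC or route.distance >= UNREACHABLE_DISTANCE:
        return False
    return route.next_hop == NULL or route.next_hop in up_next_hops

def active_routes(routes, prefix, up_next_hops):
    """Usable routes to `prefix` that share the best (distance, metric) pair.
    Assumption: distance is compared first, then metric."""
    candidates = [r for r in routes if r.prefix == prefix and usable(r, up_next_hops)]
    if not candidates:
        return []
    best = min((r.distance, r.metric) for r in candidates)
    return [r for r in candidates if (r.distance, r.metric) == best]

def forward(routes, prefix, up_next_hops, packets):
    """Return the per-packet decision: a next hop, "drop" (null route), or "no route".
    Equal-cost routes are used in round-robin order."""
    active = active_routes(routes, prefix, up_next_hops)
    if not active:
        return ["no route"] * packets
    rotation = cycle(active)
    decisions = []
    for _ in range(packets):
        route = next(rotation)
        decisions.append("drop" if route.next_hop == NULL else route.next_hop)
    return decisions

# Destination and next hops taken from the guide's text.
DEST = "2001:DB8::0/64"
HOP_A = "2001:DB8:2343:0:ee44::1"
HOP_B = "2001:DB8:2344:0:ee44::2"

# Primary (metric 1), alternate (metric 2), null route with a higher,
# distinct metric (3 is a constructed value).
FAILOVER = [
    StaticRoute(DEST, HOP_A, metric=1),
    StaticRoute(DEST, HOP_B, metric=2),
    StaticRoute(DEST, NULL, metric=3),
]

# Two next hops with the same metric: traffic alternates between them.
LOAD_SHARE = [StaticRoute(DEST, HOP_A), StaticRoute(DEST, HOP_B)]

if __name__ == "__main__":
    print(forward(FAILOVER, DEST, {HOP_A, HOP_B}, 2))  # primary only
    print(forward(FAILOVER, DEST, {HOP_B}, 2))         # fails over to alternate
    print(forward(FAILOVER, DEST, set(), 2))           # null route drops
    print(forward(LOAD_SHARE, DEST, {HOP_A, HOP_B}, 4))
```

With the null route in place, traffic for the destination is dropped locally when both gateways are down instead of being resolved through some less specific route.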
To configure an IPv6 static route with a tag that can be referenced in a route-map, follow these steps.
2. Configure the IPv6 static route destination address and next-hop address. On the same command line, enter the
keyword tag, followed by the decimal number to be referenced later in a route-map.
The following example configures an IPv6 route to IPv6 2001:DB8::0/64 destinations through next-hop 2001:DB8:0:ee44::1. The
route has the tag ID "3," which can be referenced later in a route-map.
Static multicast routes are especially useful when the unicast and multicast topologies of a network are different. You can avoid
the need to make the topologies similar by instead configuring static multicast routes.
You can configure more than one static IPv6 multicast route. The Ruckus device by default uses the most specific route that
matches a multicast source address. Thus, if you want to configure a multicast static route for a specific multicast source and
also configure another multicast static route for all other sources, you can configure two static routes.
You can also influence route preference using cost metrics and administrative distance parameters.
NOTE
Regardless of the administrative distances, the Ruckus device always prefers directly connected routes over other
routes.
The following example configures an IPv6 multicast static route for a destination network with the prefix 2001:db8::0/32, a next-
hop gateway with the global address 2001:db8:0:ee44::1, and an administrative distance of 110.
Follow these steps to create an IPv6 multicast static route in a non-default VRF.
2. Designate the non-default VRF for the IPv6 multicast static route.
device(config-vrf-corporate)# rd 20:10
5. Configure the IPv6 static route, including destination IP address, mask prefix, and next-hop information.
This example configures an IPv6 static route to IP address 2002::/64 destinations via next-hop interface 1/1/1.
The following example creates an IPv6 multicast route with the RD 20:10 to 2002::/64 IP address via next-hop Ethernet interface
1/1/1. The route has a cost metric of 5.
1. To check whether IPv6 is enabled, enter the show ipv6 command. The command can be entered at the device prompt
or in global or interface configuration mode.
As shown in the example, connected, static, RIP, OSPF, and BGP routes are listed, along with the destination address, the
next hop router, the interface used toward the destination, and the administrative distance and cost for each route.
RIP overview
Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing distance)
to measure the cost of a given route. The distance vector used to define cost is often equivalent to the number of hops between
the Ruckus device and the destination network. A hop is another router through which packets must travel to reach the
destination.
A Ruckus device can receive multiple paths to a destination. The software evaluates the paths, selects the best path, and saves
the path in the IP routing table as the route to the destination. Typically, the best path is the path with the fewest hops. If a RIP
update is received from another router that contains a path with fewer hops than the path stored in the Ruckus device route
table, the older route is replaced with the newer one. The new path is included in the updates sent to other RIP routers, including
Ruckus devices.
RIP routers, including Ruckus devices, can modify a route cost, generally by adding to it, to bias the selection of a route for a
given destination. In this case, a route may have the same number of hops as other routes, but because it has a higher
administrative cost, it is less likely to be used.
A RIP route can have a maximum cost of 15. Any destination with a higher cost is considered unreachable. Although this limit
restricts the use of RIP in larger networks, the low maximum hop count prevents endless loops in the network.
NOTE
Some Ruckus devices support IPv6 RIP, also known as RIPng. Refer to the chapter "RIPng" for more information.
Each filter includes a filter number as part of the command. The filters are performed in numeric sequence, and it helps to enter
filter commands in ascending order.
The following example configures the device so that it does not learn any RIP routes from any RIP neighbors.
In the example, the filter number is 1, which means it is always acted on first. If you want to allow specific routes and deny all
others, give the previous command a higher filter number and insert filters with lower numbers that permit routes you want the
device to learn. The following example permits learning neighbor routes on one IP address (filter 3) and denies all other routes
(filter 32).
If, instead, you want to allow learning on all routes except for one specific route, you must also include a neighbor filter to permit
any route. Be sure you add the filter to permit learning from any neighbors as the filter with the highest number. Otherwise, the
software will match on the "permit any" filter and never act on any later filter that denies a specific neighbor. Consequently,
routes will be learned from the neighbor that was supposed to be filtered out. The following example blocks route learning from
one neighbor (filter 4) and explicitly permits learning routes from all other neighbors (filter 24).
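The ordering rule above can be checked before a filter set is deployed. The following Python sketch is an added illustration, not code or CLI from this guide. It models first-match evaluation in ascending filter-number order and reports filters that can never be acted on. The neighbor address 10.70.12.104 is a constructed value, and the "permit" result when no filter matches is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NeighborFilter:
    number: int   # filters are acted on in ascending numeric order
    action: str   # "permit" or "deny"
    source: str   # neighbor IPv4 address, or "any"

    def matches(self, neighbor):
        if self.source == "any":
            return True
        return ipaddress.ip_address(self.source) == ipaddress.ip_address(neighbor)

def evaluate(filters, neighbor, default="permit"):
    """Return (action, filter_number) of the first matching filter.
    Assumption: if nothing matches, routes are learned (default "permit")."""
    for f in sorted(filters, key=lambda f: f.number):
        if f.matches(neighbor):
            return f.action, f.number
    return default, None

def shadowed(filters):
    """Return (filter_number, shadowing_filter_number) for every filter that
    can never be reached because an earlier filter matches the same neighbor."""
    first_any = None
    first_host = {}
    unreachable = []
    for f in sorted(filters, key=lambda f: f.number):
        key = None if f.source == "any" else ipaddress.ip_address(f.source)
        if first_any is not None:
            unreachable.append((f.number, first_any))
        elif key is not None and key in first_host:
            unreachable.append((f.number, first_host[key]))
        elif key is None:
            first_any = f.number
        else:
            first_host[key] = f.number
    return unreachable

# Permit one neighbor (filter 3), deny all others (filter 32).
ALLOW_ONE = [
    NeighborFilter(3, "permit", "10.70.12.104"),   # constructed address
    NeighborFilter(32, "deny", "any"),
]

# Block one neighbor (filter 4), permit all others (filter 24).
BLOCK_ONE = [
    NeighborFilter(4, "deny", "10.70.12.103"),
    NeighborFilter(24, "permit", "any"),
]

# The mistake the guide describes: "permit any" has the lower number,
# so the later deny for 10.70.12.103 is never acted on.
MISORDERED = [
    NeighborFilter(4, "permit", "any"),
    NeighborFilter(24, "deny", "10.70.12.103"),
]

if __name__ == "__main__":
    for name, fs in [("ALLOW_ONE", ALLOW_ONE), ("BLOCK_ONE", BLOCK_ONE),
                     ("MISORDERED", MISORDERED)]:
        print(name, evaluate(fs, "10.70.12.103"), "shadowed:", shadowed(fs))
```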
Redistribution filters
You can configure filters to permit or deny redistribution for a route based on its origin (for example, OSPF or BGP4), the
destination network address, or the route’s metric. You can also configure a filter to set the route metric based on these criteria.
NOTE
A route is defined by the destination’s IP address and network mask.
NOTE
By default, routes that do not match a prefix list are learned or advertised. To prevent a route from being learned or
advertised, you must configure a prefix list to deny the route.
To configure prefix lists you can apply later, enter commands such as the following.
In this example, list1 is configured to permit an IP address and mask, and list4 is configured to deny another IP address and
mask.
A route map consists of a sequence of up to 50 instances. The device evaluates a route according to a route map’s instances in
ascending numerical order. The route is first compared against instance 1, then against instance 2, and so on. If a match is found,
the device stops evaluating the route against the remaining route map instances.
Route maps contain match statements. In RIP, match statements are based on prefix lists and access control lists. A route map
can be applied to learned routes (in) or advertised routes (out). Each route is checked against match statements. When a match
is found, the route may be permitted, denied, or modified, depending on the contents of the route map.
The following example shows the configuration of a route map that permits routes to two networks and denies routes to one
network.
In the following example, an access-list (ACL) named 21 is created. The first ACL entry denies IP addresses that match a particular
network mask. The second ACL entry permits any other IP addresses. A route map is configured with the name routemap1 to
permit routes that are defined in routemap configuration sub-mode, and a sequence number of 21 is assigned. In the routemap,
a match statement is defined to match addresses filtered using ACL 21. Any routes that match the IP address and mask of
10.16.0.0 0.0.255.255 will be denied. All other routes are permitted.
NOTE
You can configure a route map to match on all RIP routes as shown in the following match statement. This example
allows any RIP route.
Once enabled, RIP operates with parameters at default settings. Default settings can be modified at the global level. Interface-
level settings can be modified to override global settings on individual interfaces.
device(config-rip-router)# poison-reverse
This example disables split horizon (the default) and enables poison-reverse route loop prevention. To re-enable split
horizon, use the no form of the command.
4. (Optional) Configure the device to avoid routing loops by advertising local RIP routes with a cost of 16 ("infinite" or
"unreachable") when these routes go down.
device(config-rip-router)# poison-local-routes
NOTE
The default distance is 120.
6. (Optional) Modify RIP timer settings. You must enter a value for each of the timers, even for those you are not changing.
This example sets the update timer to 15 seconds, the timeout timer to 115 seconds, the hold-down timer to 115
seconds, and leaves the garbage collection timer at its default setting of 120 seconds.
NOTE
To reset the timers to their defaults, enter the no timer command with the current value of all timer
parameters.
NOTE
If you only want to modify the value of the update timer, use the update-time command.
device(config-rip-router)# learn-default
8. (Optional) Apply global filters for learning and advertising specific routes from neighbors.
This example denies route learning from IP address 10.70.12.103 and permits learning routes from all other neighbors.
9. (Optional) Modify the default redistribution metric.
device(config-rip-router)# default-metric 10
NOTE
Do not enable redistribution until you configure other parameters related to redistribution. For example, set
the default redistribution metric and configure any prefix lists or route-maps to be used beforehand.
10. (Optional) Enable redistribution of routes from other protocols into RIP using available parameters:
• connected - applies redistribution to connected routes
• bgp - applies redistribution to BGP4 routes
• ospf - applies redistribution to OSPF routes
• static - applies redistribution to IP static routes
• metric value - sets the RIP metric value from 1 through 15 for any routes imported into RIP
• route-map name - indicates the name of a pre-configured route map to be used in filtering specified routes
This example redistributes OSPF into RIP and sets the metric for OSPF routes to 3.
This example applies a previously configured route map (routemap1) to OSPF route redistribution.
NOTE
To stop redistributing routes into RIP, use the no form of the redistribute command, including the full
command syntax of the active command.
The following example enables RIP, increases the administrative distance, modifies timer values for all but the garbage-collection
timer, sets the metric for all distributed routes to 10, denies route learning from IP address 10.70.12.203, and applies a pre-
configured route map to redistributed OSPF routes.
2. To enable RIP on the interface, enter the ip rip command and, if necessary, specify the version of RIP.
NOTE
RIP version 2 is the default.
3. (Optional) Change the route loop prevention method used on the interface.
This example disables poison-reverse on the interface and enables split horizon loop prevention (the default).
4. (Optional) To increase the metric for routes learned on the interface, enter the ip rip metric-offset command followed
by the desired value and the keyword in.
This example configures the port to add 5 to the cost of each RIP route it learns.
NOTE
The metric-offset can be any value from 1 through 16. A value of 16 prevents a learned route from being used.
5. (Optional) To increase the metric for RIP routes the interface advertises to neighbors, enter the ip rip metric-offset
command followed by the desired value and the keyword out.
This example configures the port to add 5 to the cost of each route it advertises, using the keyword out.
NOTE
The metric-offset can be any value from 1 through 16. A value of 16 prevents an advertised route from being
used.
This example applies a prefix list (list2) to learned routes and another prefix list (list3) to advertised routes.
The following example configures port 1/1/1 to use RIP version 1 with split horizon loop prevention. It increases the cost of
learned and advertised routes by 5, enables learning default RIP routes, and applies prefix lists to learned and advertised routes.
To display RIP filters for a specific interface, enter the following command.
To display current running configuration for interface 1/1/1, enter the following command.
To display current running configuration for ve 10, enter the following command.
To display current running configuration for ve 20, enter the following command.
RIPng Overview
Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing a
distance) to measure the cost of a given route. RIP uses a hop count as its cost or metric.
IPv6 RIP, known as Routing Information Protocol Next Generation or RIPng, functions similarly to IPv4 RIP version 2. RIPng
supports IPv6 addresses and prefixes.
RIPng maintains a Routing Information Database (RIB), which is a local route table. The local RIB contains the lowest-cost IPv6
routes learned from other RIP routers. RIPng attempts to add routes from its local RIB into the main IPv6 route table.
RIPng timers
You can adjust timers for RIPng. Before doing so, keep the following caveats in mind:
• If you adjust RIPng timers, Ruckus strongly recommends setting the same timer values for all routers and access servers
in the network.
• Setting the update timer to a shorter interval can cause the devices to spend excessive time updating the IPv6 route
table.
• Ruckus recommends setting the timeout timer value to at least three times the value of the update timer.
• Ruckus recommends a shorter hold-down timer interval, because a longer interval can cause delays in RIPng
convergence.
By default, if a RIPng interface goes down, the device does not send a triggered update for the interface’s IPv6 networks. You can
use the poison-local-routes command to configure a RIPng device to send a triggered update containing the local routes of the
disabled interface with an unreachable metric of 16 to the other RIPng routers in the routing domain.
When you redistribute a route from BGP4+ or OSPFv3 into RIPng, the device can use RIPng to advertise the route to its RIPng
neighbors.
When configuring the device to redistribute routes, such as BGP4+ routes, you can optionally specify a metric for the
redistributed routes. If you do not explicitly configure a metric, the default metric value of one is used.
For example, to create and apply a prefix list that permits only routes with the prefix 2001:db8::/32 in RIPng routing updates sent
to RIPng neighbor routers, enter the following commands.
To create and apply a prefix list to deny prefix lengths greater than 64 bits in routes that have the prefix 2001:db8::/64 and allow
all other routes received from RIPng neighbor routers, enter the following commands.
Before configuring the device to run RIPng, you must do the following:
• Enable forwarding of IPv6 traffic on the device using the ipv6 unicast-routing command.
• Enable IPv6 on each interface over which you plan to enable RIPng. You enable IPv6 on an interface by configuring an
IPv6 address or enabling IPv6 with the ipv6 enable command on that interface.
This example enables RIPng and places the device in RIPng router configuration mode.
NOTE
To disable RIPng globally, use the no form of this command.
device(config-ripng-router)# poison-reverse
This example disables split horizon and enables poison-reverse route loop prevention. To re-enable split horizon, use
the no form of the command.
5. (Optional) Configure the device to avoid routing loops by advertising local RIPng routes with a cost of 16 ("infinite" or
"unreachable") when these routes go down.
device(config-ripng-router)# poison-local-routes
7. (Optional) Modify RIPng timer settings. Set the four timers in this order: update timer, timeout timer, hold-down timer,
and garbage-collection timer. You must enter a value for each timer, even when you are not changing the value of an
individual timer.
This example sets updates to be advertised every 45 seconds. If a route is not heard from in 135 seconds, the route is
declared unusable. Further information is suppressed for an additional 10 seconds. Assuming no updates, the route is
flushed from the routing table 20 seconds after the end of the hold-down period.
To return to the default values of the RIPng timers, use the no form of the timers command.
NOTE
Do not enable redistribution until you configure the other redistribution parameters.
8. (Optional) Enable redistribution of routes from other protocols into RIPng using available parameters:
• connected - applies redistribution to connected types
• bgp - applies redistribution to BGP4 routes
• ospf - applies redistribution to OSPF routes
• static - applies redistribution to IP static routes
This example redistributes OSPF into RIPng and sets the metric for OSPF routes to 3.
NOTE
To stop redistributing routes into RIPng, use the no form of the redistribute command, including the full
command syntax of the active command.
9. (Optional) Apply a pre-configured prefix list to control route distribution through RIPng.
The following example enables RIPng globally, sets poison-reverse as the loop prevention method, enables blocking of local
routes for interfaces that are down, redistributes OSPF routes into RIPng with an added cost of 3, and applies a pre-configured
prefix list (routesfor2001) to advertised routes.
1. You can enable RIPng on physical as well as virtual routing interfaces. For example, to enable RIPng on Ethernet
interface 1/3/1, enter the following commands.
NOTE
To disable RIPng on an individual device interface, use the no form of this command.
This example originates IPv6 default routes and includes all other routes in updates sent from Ethernet interface 1/3/1.
3. (Optional) Configure the interface so that it advertises IPv6 address summaries instead of the original route.
This example advertises the summarized prefix 2001:db8::/36 instead of the original IPv6 address from Ethernet
interface 1/3/1.
4. (Optional) Change the metric offset that the interface adds for learned or advertised routes.
In this example, if Ethernet interface 1/3/1 learns about an incoming route, it will increase the incoming metric by two. If
interface 1/3/1 advertises an outgoing route, it will increase the metric offset by 3.
5. (Optional) Apply a prefix-list to the interface for learned and/or advertised routes.
In this example, the prefix-list test1 is applied to learned routes, and the prefix-list test2 is applied to advertised routes.
The following example enables RIPng on port 1/3/1. It enables learning of default RIPng routes and all other routes. It modifies
the interface to send route summaries. It changes the metric for learned routes to 2 and the metric for advertised routes to 3.
Finally, it applies a pre-configured prefix list to filter incoming (learned) routes.
2. To display the RIPng routing table, enter the following command at any CLI level.
OSPFv2 overview
Open Shortest Path First Version 2 (OSPFv2) is a link-state routing protocol that uses link-state advertisements (LSAs) to update
neighboring routers about a router’s interfaces. Each router maintains an identical area-topology database to determine the
shortest path to any neighboring router.
OSPF is built upon a hierarchy of network components and areas. The highest level of the hierarchy is the autonomous system.
An autonomous system is defined as a number of networks, all of which share the same routing and administration
characteristics. A backbone area forms the core of the network, connecting all other areas. Details of these and other OSPF
components are provided below.
Autonomous System
An Autonomous System can be divided into multiple areas. Each area represents a collection of contiguous networks and hosts.
Areas limit the amount of advertisement traffic, known as flooding, that is sent within the network. An area is represented in OSPFv2
by either an IP address or a number.
NOTE
For details of components and virtual links, refer to OSPFv2 components and roles on page 217 and Virtual links on
page 226, respectively.
Once OSPFv2 is enabled on the system, the user assigns an IP address or number as the area ID for each area. The area ID is
representative of all IP addresses (subnets) on a router port. Each port on a router can support one area.
For more information on OSPFv2 areas, refer to the OSPFv2 areas section.
Designated routers
In an OSPF broadcast network, OSPF elects one router to serve as the designated router (DR) and another router on the segment
to act as the backup designated router (BDR). This minimizes the amount of repetitive information that is forwarded on the
network. OSPF forwards all messages to the designated router.
On broadcast networks such as LAN links, all routers on the LAN other than the DR and BDR form full adjacencies with the DR
and BDR and pass LSAs only to them. The DR forwards updates received from one neighbor on the LAN to all other neighbors on
that same LAN. One of the main functions of a DR is to ensure that all the routers on the same LAN have identical LSDBs.
Therefore, on broadcast networks, an LSDB is synchronized between a DROther (a router that is not a DR or a BDR) and its DR
and BDR.
NOTE
In an OSPF point-to-point network, where a direct Layer 3 connection exists between a single pair of OSPF routers, there
is no need for designated or backup designated routers.
Without the need for Designated and Backup Designated routers, a point-to-point network establishes adjacency and converges
faster. The neighboring routers become adjacent whenever they can communicate directly. In contrast, in broadcast and non-
broadcast multi-access (NBMA) networks, the Designated Router and Backup Designated Router become adjacent to all other
routers attached to the network.
In a network with no designated router and no backup designated router, the neighboring router with the highest priority is
elected as the DR, and the router with the next highest priority is elected as the BDR, as shown in the figure below. Priority is a
configurable option at the interface level; refer to the ip ospf priority command in the FastIron Command Reference.
If the DR goes off line, the BDR automatically becomes the DR. The router with the next highest priority becomes the new BDR.
If two neighbors share the same priority, the router with the highest router ID is designated as the DR. The router with the next
highest router ID is designated as the BDR. The DR and BDR are recalculated after the OSPF protocol is disabled and re-enabled
by means of the [no] router ospf command.
NOTE
By default, the device’s router ID is the IP address configured on the lowest numbered loopback interface. If the device
does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.
When multiple routers on the same network are declaring themselves DRs, then both the priority and router ID are used to
select the designated router and backup designated routers.
The DR and BDR election process is performed when one of the following events occurs:
• An interface is in a waiting state and the wait time expires.
• An interface is in a waiting state and receives a hello packet that addresses the BDR.
• A change in the neighbor state occurs, such as the following:
– A neighbor state transitions from ATTEMPT state to a higher state.
– Communication to a neighbor is lost.
– A neighbor declares itself to be the DR or BDR for the first time.
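The election rule described above, for a segment that starts with no DR and no BDR, can be expressed as a short model. The following Python sketch is an added illustration, not code from this guide. The router names, router IDs, and priorities are constructed. The rule that a priority of 0 makes a router ineligible comes from RFC 2328, not from this page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Router:
    name: str
    router_id: str   # dotted-quad router ID
    priority: int    # interface-level OSPF priority

def rank(router):
    """Sort key: priority first, then router ID compared as a 32-bit number.
    Comparing router IDs as strings would wrongly rank 10.0.0.9 above 10.0.0.10."""
    return (router.priority, int(ipaddress.IPv4Address(router.router_id)))

def eligible(routers):
    """Routers that may become DR or BDR (RFC 2328: priority 0 is ineligible)."""
    return [r for r in routers if r.priority > 0]

def elect(routers):
    """Initial election on a segment with no DR and no BDR.
    Highest priority becomes DR, next highest becomes BDR;
    ties on priority are broken by the highest router ID."""
    ordered = sorted(eligible(routers), key=rank, reverse=True)
    dr = ordered[0] if ordered else None
    bdr = ordered[1] if len(ordered) > 1 else None
    return dr, bdr

def dr_goes_offline(routers, dr, bdr):
    """The BDR is promoted to DR; the best remaining router becomes the new BDR."""
    remaining = [r for r in eligible(routers) if r not in (dr, bdr)]
    new_bdr = max(remaining, key=rank, default=None)
    return bdr, new_bdr

# Constructed segment: A and B tie on priority, D is ineligible.
SEGMENT = [
    Router("A", "10.0.0.9", 10),
    Router("B", "10.0.0.10", 10),
    Router("C", "10.0.0.200", 5),
    Router("D", "10.0.0.1", 0),
]

def roles(pair):
    """Return the (DR, BDR) names for a pair of routers, None where absent."""
    return tuple(r.name if r else None for r in pair)

if __name__ == "__main__":
    dr, bdr = elect(SEGMENT)
    print("initial:", roles((dr, bdr)))
    print("after DR failure:", roles(dr_goes_offline(SEGMENT, dr, bdr)))
```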
In some cases, multiple ASBRs in an AS can originate equivalent LSAs. The LSAs are equivalent when they have the same cost, the
same next hop, and the same destination. The device optimizes OSPF by eliminating duplicate AS External LSAs in this case. The
device with the lower router ID flushes the duplicate External LSAs from its database and thus does not flood the duplicate
External LSAs into the OSPF AS. AS External LSA reduction, therefore, reduces the size of the link state database on the device.
The AS External LSA reduction is described in RFC 2328.
In this example, Routers D and E are OSPF ASBRs, and thus communicate route information between the OSPF AS, which
contains Routers A, B, and C, and another routing domain, which contains Router F. The other routing domain is running another
routing protocol, such as BGP4 or RIP. Routers D, E, and F, therefore, are each running both OSPF and either BGP4 or RIP.
Notice that both Router D and Router E have a route to the other routing domain through Router F.
OSPF eliminates the duplicate AS External LSAs. When two or more devices configured as ASBRs have equal-cost routes to
the same next-hop router in an external routing domain, the ASBR with the highest router ID floods the AS External LSAs for the
external domain into the OSPF AS, while the other ASBRs flush the equivalent AS External LSAs from their databases. As a result,
the overall volume of route advertisement traffic within the AS is reduced and the devices that flush the duplicate AS External
LSAs have more memory for other OSPF data. Because Router D has a higher router ID than Router E, Router D floods the AS
External LSAs for Router F to Routers A, B, and C. Router E flushes the equivalent AS External LSAs from its database.
In either case above, the router with the higher router ID floods the AS External LSAs and the other router flushes its equivalent
AS External LSAs. For example, if Router D is offline, Router E is the only source for a route to the external routing domain. When
Router D comes on-line, it takes over flooding of the AS External LSAs to Router F, while Router E flushes its equivalent AS
External LSAs to Router F.
• One of the ASBRs starts advertising a route that is no longer equivalent to the route the other ASBR is advertising. In this
case, the ASBRs each flood AS External LSAs. Since the LSAs either no longer have the same cost or no longer have the
same next-hop router, the LSAs are no longer equivalent, and the LSA reduction feature no longer applies.
• The ASBR with the higher router ID becomes unavailable or is reconfigured so that it is no longer an ASBR. In this case,
the other ASBR floods the AS External LSAs. For example, if Router D goes off-line, then Router E starts flooding the AS
with AS External LSAs for the route to Router F.
Enabling OSPFv2
A number of steps are required when enabling OSPFv2 on a device.
1. Enter the router ospf command in global configuration mode to enable OSPF on the device.
2. Assign the areas to which the device will be attached.
3. Assign individual interfaces to the OSPF areas.
4. Assign a virtual link to any ABR that does not have a direct link to the OSPF backbone area.
5. Refer to Changing default settings on page 253.
Backbone area
The backbone area (also known as area 0 or area 0.0.0.0) forms the core of OSPF networks. All other areas should be connected
to the backbone area either by a direct link or by virtual link configuration. Routers that have interfaces in both the backbone area
and at least one non-backbone area are called Area Border Routers (ABRs). Inter-area routing happens via ABRs.
The backbone area is the logical and physical structure for the OSPF domain and is attached to all non-zero areas in the OSPF
domain.
The backbone area is responsible for distributing routing information between non-backbone areas. The backbone must be
contiguous, but it does not need to be physically contiguous; backbone connectivity can be established and maintained through
the configuration of virtual links.
NOTE
For the ICX 7150, a maximum of 4 OSPF areas is supported for each OSPF instance.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
device(config-ospf-router)# area 0
The following example assigns an OSPFv2 ID to two areas. One of the areas is assigned by decimal number. The second area is
assigned by IP address.
Area range
You can further consolidate routes at an area boundary by defining an area range. The area range allows you to assign an
aggregate address to a range of IP and IPv6 addresses.
This aggregate value becomes the address that is advertised instead of all the individual addresses it represents being
advertised. Only this aggregate or summary address is advertised into other areas instead of all the individual addresses that fall
in the configured range. Area range configuration can considerably reduce the number of Type 3 summary LSAs advertised by a
device. You have the option of adding the cost to the summarized route. If you do not specify a value, the cost value is the default
range metric calculation for the generated summary LSA cost. You can temporarily pause route summarization from the area by
suppressing the type 3 LSA so that the component networks remain hidden from other networks.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
3. Enter the area range command, specifying an area ID, and enter the range. Repeat as necessary.
The following example defines an area range for subnets on 10.0.0.10 and 10.0.0.20.
Area types
OSPFv2 areas can be normal, a stub area, a totally stubby area (TSA), or a not-so-stubby area (NSSA).
• Normal: OSPFv2 devices within a normal area can send and receive external link-state advertisements (LSAs).
• Stub: OSPFv2 devices within a stub area cannot send or receive external LSAs. In addition, OSPFv2 devices in a stub area
must use a default route to the area’s Area Border Router (ABR) to send traffic out of the area.
• NSSA: The Autonomous System Boundary Router (ASBR) of an NSSA can import external route information into the
area.
– ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type 7 External LSAs are a special type of
LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA.
– ABRs translate type 7 LSAs into type 5 External LSAs, which can then be flooded throughout the autonomous
system. The NSSA translator converts a type 7 LSA to a type 5 LSA if F-bit and P-bit are set and there is a reachable
forwarding address. You can configure summary-addresses on the ABR of an NSSA so that the ABR converts
multiple type 7 external LSAs received from the NSSA into a single type 5 external LSA.
When an NSSA contains more than one ABR, OSPFv2 elects one of the ABRs to perform the LSA translation for NSSA.
OSPFv2 elects the ABR with the highest router ID. If the elected ABR becomes unavailable, OSPFv2 automatically elects
the ABR with the next highest router ID to take over translation of LSAs for the NSSA. The election process for NSSA
ABRs is automatic.
• TSA: Similar to a stub area, a TSA does not allow summary routes in addition to not having external routes.
A stub area disables advertisements of external routes. By default, the ABR sends summary LSAs (type 3 LSAs) into stub areas.
You can further reduce the number of LSAs sent into a stub area by configuring the device to stop sending type 3 LSAs into the
area. You can disable the summary LSAs to create a TSA when you are configuring the stub area or after you have configured the
area.
The ABR of a totally stubby area disables origination of summary LSAs into this area, but still accepts summary LSAs from OSPF
neighbors and floods them to other neighbors.
When you enter the area stub command with the no-summary keyword and specify an area to disable the summary LSAs, the
change takes effect immediately. If you apply the option to a previously configured area, the device flushes all the summary LSAs
it has generated (as an ABR) from the area with the exception of the default summary LSA originated. This default LSA is needed
for the internal routers, since external routes are not propagated to them.
NOTE
Stub areas and TSAs apply only when the device is configured as an Area Border Router (ABR) for the area. To
completely prevent summary LSAs from being sent to the area, disable the summary LSAs on each OSPF router that is
an ABR for the area.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
3. Enter the area stub command, specifying an area and a cost, followed by the no-summary parameter to set an
additional cost on a specified stub area and prevent any Type 3 and Type 4 summary LSAs from being injected into the
area.
The following example configures a stub area, specifying a cost of 99 and preventing any Type 3 and Type 4 summary LSAs from
being injected into the area.
NSSAs are especially useful when you want to summarize type 5 External LSAs (external routes) before forwarding them into an
OSPFv2 area. The OSPFv2 specification prohibits summarization of type 5 LSAs and requires OSPFv2 to flood type 5 LSAs
throughout a routing domain. When you configure an NSSA, you can specify a summary-address for aggregating the external
routes that the NSSA's ABR exports into other areas.
This example shows two routing domains, a BGP domain and an OSPF domain. The ASBR inside the NSSA imports external
routes from BGP into the NSSA as type 7 LSAs, which the ASBR floods throughout the NSSA.
The ABR translates the type 7 LSAs into type 5 LSAs. If a summary-address is configured for the NSSA, the ABR also summarizes
the LSAs into an aggregate LSA before flooding the type 5 LSAs into the backbone.
Because the NSSA is partially stubby, the ABR does not flood external LSAs from the backbone into the NSSA. To provide access to
the rest of the Autonomous System (AS), the ABR generates a default type 7 LSA into the NSSA.
ABRs of an NSSA area can be configured with the no-summary parameter to prevent the generation of type 3 and type 4
summary LSAs into the area. The only exception is the default type 3 LSA, with a prefix of 0.0.0.0/0. The default type 7 LSA is not
originated in this case.
Configuring an NSSA
OSPFv2 areas can be defined as NSSA areas with modifiable parameters.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
3. Enter the area nssa command and specify an area address and a cost.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
4. Enter the summary-address command, followed by the IP address and mask for the summary route.
To assign a loopback interface to an area with the IP address of 10.5.0.0, perform the following task:
3. Enter the ip ospf area command followed by the IP address of the area.
If you want to set an interface to passive mode, use the ip ospf passive command. If you want to block flooding of
outbound LSAs on specific OSPF interfaces, use the ip ospf database-filter all out command. (Refer to the Ruckus
FastIron Command Reference for details.)
The following example assigns a loopback interface to an area with the IP address of 10.5.0.0.
Communication among areas is provided by means of link state advertisements (LSAs). The LSAs supported for each area type
are as follows:
• Backbone (area 0) supports LSAs 1, 2, 3, 4, 5, and 7.
• Nonbackbone area supports LSAs 1, 2, 3, 4, and 5.
• Stub area supports LSAs 1, 2, and 3.
• Totally stubby area (TSA) supports LSAs 1 and 2, and also supports a single LSA 3 per ABR, advertising a default route.
• Not-so-stubby area (NSSA) supports LSAs 1, 2, 3, and 7.
Virtual links
All ABRs must have either a direct or indirect link to the OSPFv2 backbone area (0.0.0.0 or 0). If an ABR does not have a physical
link to the area backbone, the ABR can configure a virtual link to another router within the same area, which has a physical
connection to the area backbone.
The path for a virtual link is through an area shared by the neighbor ABR (router with a physical backbone connection), and the
ABR requires a logical connection to the backbone.
Two parameter fields, transit area ID and neighbor router, must be defined for all virtual links:
• The transit area ID represents the shared area of the two ABRs and serves as the connection point between the two
routers. This number should match the area ID value.
• The neighbor router field is the router ID (IP address) of the router that is physically connected to the backbone, when
assigned from the router interface requiring a logical connection. When assigning the parameters from the router with
the physical connection, be aware that the router ID is the IP address of the router requiring a logical connection to the
backbone.
NOTE
By default, a device’s router ID is the IP address configured on the lowest numbered loopback interface. If the device
does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device.
When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).
The following figure shows an OSPF area border router, Device A, that is cut off from the backbone area (area 0). To provide
backbone access to Device A, you can add a virtual link between Device A and Device C using Area 1 as a transit area. To
configure the virtual link, you define the link on the router that is at each end of the link. No configuration for the virtual link is
required on the routers in the transit area.
A virtual link is configured, and a virtual link endpoint on two devices, ABR1 and ABR2, is defined.
1. On ABR1, enter the configure terminal command to access global configuration mode.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
device(config-ospf-router)# area 0
device(config-ospf-router)# area 1
5. Enter the area virtual-link command and the ID of the OSPFv2 device at the remote end of the virtual link to configure
the virtual link endpoint.
6. On ABR2, enter the configure terminal command to access global configuration mode.
7. Enter the router ospf command to enter OSPFv2 router configuration mode and enable OSPFv2 on the device.
device(config-ospf-router)# area 1
device(config-ospf-router)# area 2
10. Enter the area virtual-link command and the ID of the OSPFv2 device at the remote end of the virtual link to configure
the virtual link endpoint.
ABR1:
device1# configure terminal
device1(config)# router ospf
device1(config-ospf-router)# area 0
device1(config-ospf-router)# area 1
device1(config-ospf-router)# area 1 virtual-link 10.2.2.2
ABR2:
device2# configure terminal
device2(config)# router ospf
device2(config-ospf-router)# area 1
device2(config-ospf-router)# area 2
device2(config-ospf-router)# area 1 virtual-link 10.1.1.1
By default, a device does not advertise the default route into the OSPFv2 domain. If you want the device to advertise the OSPFv2
default route, you must explicitly enable default route origination. When you enable OSPFv2 default route origination, the device
advertises a type 5 default route that is flooded throughout the autonomous system, with the exception of stub areas.
The device advertises the default route into OSPFv2 even if OSPFv2 route redistribution is not enabled, and even if the default
route is learned through an IBGP neighbor when default-information-originate is configured. The device does not, however,
originate the default route if the active default route is learned from an OSPFv2 device in the same domain.
NOTE
The device does not advertise the OSPFv2 default route, regardless of other configuration parameters, unless you
explicitly enable default route origination.
If default route origination is enabled and you disable it, the default route originated by the device is flushed. Default routes
generated by other OSPFv2 devices are not affected. If you re-enable the default route origination, the change takes effect
immediately and you do not need to reload the software.
When you configure a summary address range, the range takes effect immediately. All the imported routes are summarized
according to the configured summary address range. Imported routes that have already been advertised and that fall within the
range are flushed out of the autonomous system and a single route corresponding to the range is advertised.
If a route that falls within a configured summary address range is imported by the device, no action is taken if the device has
already advertised the aggregate route; otherwise, the device advertises the aggregate route. If an imported route that falls
within a configured summary address range is removed by the device, no action is taken if there are other imported routes that
fall within the same summary address range; otherwise, the aggregate route is flushed.
You can configure up to 32 summary address ranges. The device sets the forwarding address of the aggregate route to 0 and sets
the tag to 0. If you delete a summary address range, the advertised aggregate route is flushed and all imported routes that fall
within the range are advertised individually. If an external link-state database (LSDB) overflow condition occurs, all aggregate
routes and other external routes are flushed out of the autonomous system. When the device exits the external LSDB overflow
condition, all the imported routes are summarized according to the configured summary address ranges.
NOTE
If you use redistribution filters in addition to summary address ranges, the device applies the redistribution filters to
routes first, and then applies them to the summary address ranges.
NOTE
If you disable redistribution, all the aggregate routes are flushed, along with other imported routes.
NOTE
This option affects only imported, type 5 external LSA routes. A single type 5 LSA is generated and flooded throughout
the autonomous system for multiple external routes. Type 7-route redistribution is not affected by this feature. All type
7 routes will be imported (if redistribution is enabled). To summarize type 7 LSAs or exported routes, use NSSA address
range summarization.
SPF timers
The device uses an SPF delay timer and an SPF hold-time timer to calculate the shortest path for OSPFv2 routes. The values for
both timers can be changed.
• SPF delay: When the device receives a topology change, it waits before starting a Shortest Path First (SPF) calculation. By
default, the device waits zero seconds. You can configure the SPF delay to a value from 0 through 65535 seconds. If you
set the SPF delay to 0 seconds, the device immediately begins the SPF calculation after receiving a topology change.
• SPF hold time: The device waits a specific amount of time between consecutive SPF calculations. By default, it waits zero
seconds. You can configure the SPF hold time to a value from 0 through 65535 seconds. If you set the SPF hold time to 0
seconds, the device does not wait between consecutive SPF calculations.
You can set the SPF delay and hold time to lower values to cause the device to change to alternate paths more quickly if a route
fails. Note that lower values for these parameters require more CPU processing time.
NOTE
If you want to change only one of the timers, for example, the SPF delay timer, you must specify the new value for this
timer as well as the current value of the SPF hold timer, which you want to retain. The device does not accept only one
timer value.
NOTE
If you configure SPF timers from 0 through 100, they default to 0.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 globally.
3. Enter the timers command with the throttle spf keyword and specify the SPF delay, the hold time, and the maximum
wait time.
The following example sets the SPF initial delay to 100 milliseconds, the hold time to 500 milliseconds, and the maximum wait
time to 5000 milliseconds.
You can influence the device’s decision by changing the default administrative distance for OSPFv2 routes. You can configure a
unique administrative distance for each type of OSPFv2 route. For example, you can configure the Ruckus device to prefer a
static route over an OSPFv2 inter-area route and to prefer OSPFv2 intra-area routes over static routes. The distance you specify
influences the choice of routes when the device has multiple routes to the same network from different protocols. The device
prefers the route with the lower administrative distance.
You can specify unique default administrative distances for the following OSPFv2 route types:
• External routes
• Intra-area routes
• Inter-area routes
• Route maps
NOTE
The choice of routes within OSPFv2 is not influenced. For example, an OSPFv2 intra-area route is always preferred over
an OSPFv2 inter-area route, even if the intra-area route’s distance is greater than the inter-area route’s distance.
The device paces OSPFv2 LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh
each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the device refreshes and
sends out together in one or more packets.
The pacing interval, which is the interval at which the device refreshes an accumulated group of LSAs, is configurable in a range
from 10 through 1800 seconds (30 minutes). The default is 240 seconds (4 minutes). Thus, every four minutes, the device
refreshes the group of accumulated LSAs and sends the group together in the same packets.
The pacing interval is inversely proportional to the number of LSAs the device is refreshing and aging. For example, if you have
approximately 10,000 LSAs, decreasing the pacing interval enhances performance. If you have a very small database (40 to 100
LSAs), increasing the pacing interval to 10 to 20 minutes may enhance performance only slightly.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 globally.
The following example changes the OSPFv2 LSA pacing interval to 120 seconds (2 minutes).
NOTE
Support for Appendix E of RFC 2328 is enabled automatically and cannot be disabled. No user configuration is required.
Normally, an OSPF device uses the network address alone for the link state ID of the link state advertisement (LSA) for the
network. For example, if the device needs to generate an LSA for network 10.1.2.3 255.0.0.0, the device generates ID 10.1.2.3 for
the LSA.
However, suppose that an OSPF device needs to generate LSAs for all the following networks:
• 10.0.0.0 255.0.0.0
• 10.0.0.0 255.255.0.0
• 10.0.0.0 255.255.255.0
All three networks have the same network address, 10.0.0.0. Without support for RFC 2328 Appendix E, an OSPF device uses the
same link state ID, 10.0.0.0, for the LSAs for all three networks. For example, if the device generates an LSA with ID 10.0.0.0 for
network 10.0.0.0 255.0.0.0, this LSA conflicts with the LSA generated for network 10.0.0.0 255.255.0.0 or 10.0.0.0 255.255.255.0.
The result is multiple LSAs that have the same ID but that contain different route information.
When Appendix E is supported, the device generates the link state ID for a network using the following steps.
If this comparison results in a change to the ID of an LSA that has already been generated, the device generates a new
LSA to replace the previous one. For example, if the device has already generated an LSA with ID 10.0.0.0 for
network 10.0.0.0 255.255.255.0, the device must generate a new LSA for the network, if the device needs to generate an
LSA for network 10.0.0.0 255.255.0.0 or 10.0.0.0 255.0.0.0.
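The following added example (not taken from this guide or from the device software) applies the link state ID assignment steps of RFC 2328 Appendix E to the three networks listed above. The class and method names are hypothetical, and the collision check is a choice made for this example.

```python
import ipaddress


class ExternalLsaIds:
    """Self-originated AS External LSAs, kept as {link state ID: network}.

    Hypothetical helper written for this example; it follows the steps in
    RFC 2328 Appendix E and is not the device's implementation.
    """

    def __init__(self):
        self.lsas = {}

    def originate(self, address, mask):
        """Pick a link state ID for network [address, mask].

        Returns the (action, link_state_id, network) steps that were taken.
        """
        new = ipaddress.ip_network(f"{address}/{mask}")
        na = new.network_address
        if new in self.lsas.values():
            return []  # this network already has an LSA; nothing changes
        old = self.lsas.get(na)
        if old is None:
            # Step 1: no LSA uses ID NA yet, so the bare address is the ID.
            return [self._install("originate", na, new)]
        if new.prefixlen > old.prefixlen:
            # Step 2, new mask longer: the ID is NA with all host bits set,
            # which is the broadcast address of the new network.
            return [self._install("originate", new.broadcast_address, new)]
        # Step 2, existing mask longer: the old network moves to an ID with
        # its host bits set, and the LSA with ID NA now describes the new,
        # shorter network. This is the "new LSA to replace the previous
        # one" case described in the text above.
        steps = [self._install("originate", old.broadcast_address, old)]
        steps.append(self._install("replace", na, new, overwrite=True))
        return steps

    def _install(self, action, lsid, network, overwrite=False):
        # Appendix E does not resolve every possible clash; this example
        # refuses instead of silently overwriting another network's LSA.
        if lsid in self.lsas and not overwrite:
            raise ValueError(f"link state ID {lsid} is already in use")
        self.lsas[lsid] = network
        return (action, str(lsid), str(network))

    def view(self):
        """Return the table as plain strings for printing or comparison."""
        return {str(k): str(v) for k, v in self.lsas.items()}


if __name__ == "__main__":
    db = ExternalLsaIds()
    # The three networks from the text, most specific first.
    for mask in ("255.255.255.0", "255.255.0.0", "255.0.0.0"):
        for step in db.originate("10.0.0.0", mask):
            print(mask, step)
    print(db.view())
```

Each network ends up with a distinct link state ID whichever order the three are originated in.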
Neighboring devices, known as GR helpers, are informed via protocol extensions that the device is undergoing a restart and
assist in the restart. For the duration of the graceful restart, the restarting device and its neighbors continue forwarding packets
ensuring there is no disruption to network performance or topology. Disruptions in forwarding are minimized and route flapping
diminished. When the restart is complete, the device is able to quickly resume full operation due to the assistance of the GR
helpers. The adjacent devices then return to normal operation.
NOTE
In order for a graceful restart on a routing device to be successful, the OSPFv2 neighbors must have GR-helper mode
enabled. GR-helper mode is enabled by default.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 globally.
device(config-ospf-router)# no graceful-restart
NOTE
GR is mutually exclusive to NSR.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 globally.
device(config-ospf-router)# graceful-restart
4. Enter the graceful-restart command with the restart-time parameter and specify a value to change the maximum
restart wait time from the default value of 120 seconds.
The following example re-enables GR and changes the maximum restart wait time from the default value of 120 seconds to 240
seconds.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
3. Enter the graceful-restart command using the helper-disable keyword to disable the GR helper.
OSPFv2 stub router advertisement is useful for avoiding a loss of traffic during short periods when adjacency failures are
detected and traffic is rerouted. Using this feature, traffic can be rerouted before an adjacency failure occurs due to common
service interruptions such as a router being shut down for maintenance.
OSPFv2 stub router advertisement is also useful during startup because it gives the device enough time to build up its routing
table before forwarding traffic. This can be useful where BGP is enabled on the device because it takes time for the BGP routing
table to converge.
You can also configure and set a metric value for the following LSA types:
• Summary (type 3 and type 4)
• External (type 5 and type 7)
• Opaque (type 10, TE link)
This scheduling method starts with an initial value after which a configured delay time is followed. If a topology change event
occurs, the SPF is scheduled after the time specified by the initial value, and the device starts a timer for the time period specified by a
configured hold time value. If no topology events occur during this hold time, the router returns to using the initial delay time.
If a topology event occurs during the hold time period, the next hold time period is recalculated to a value that is double the
initial value. If no topology events occur during this extended hold time, the device resets to its initial value. If an event occurs
during this extended hold time, the next hold time is doubled again. The doubling occurs as long as topology events occur during
the calculated hold times until a configured maximum delay time value is reached or no event occurs (which resets the router to
the initial hold time). The maximum value is then held until the hold time expires without a topology change event occurring. At
any time that a hold time expires without a topology change event occurring, the router reverts to the initial hold value and
begins the process all over again.
For example, if you set the initial delay timer to 100 milliseconds, the hold timer to 300 and the maximum hold timer to 2000
milliseconds, the following will occur:
If a topology change occurs the initial delay of 100 milliseconds will be observed. If a topology change occurs during the hold
time of 300 milliseconds the hold time is doubled to 600 milliseconds. If a topology change event occurs during the 600
millisecond period, the hold time is doubled again to 1200 milliseconds. If a topology change event occurs during the 1200
millisecond period, the hold time is doubled to 2400 milliseconds. Because the maximum hold time is specified as 2000, the
value will be held at 2000. This 2000 millisecond period will then repeat as long as topology events occur within the maximum
2000 millisecond hold time. When a maximum hold time expires without a topology event occurring, the router reverts to the
initial delay time and the cycle repeats as described.
Therefore, longer SPF scheduling values can be used during network topology instability.
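The following added example (not from this guide or the device software) simulates the back-off described above with the same values: initial delay 100, hold time 300, and maximum hold time 2000 milliseconds. It assumes that a hold window starts when an SPF calculation runs and that changes seen during a window are served by one calculation when the window expires; the function and variable names are hypothetical.

```python
"""Model of the SPF throttle back-off described above (added example).

Assumptions not stated in the guide: a hold window starts when an SPF
calculation runs, and topology changes seen during a window are served by
a single SPF calculation at the moment that window expires.
"""


def simulate_spf(events_ms, initial_ms, hold_ms, max_hold_ms):
    """Return [(spf_run_time_ms, hold_window_ms started by that run), ...]."""
    events = sorted(events_ms)
    runs = []
    i = 0
    while i < len(events):
        # Quiet state: the first change is served after the initial delay.
        run_at = events[i] + initial_ms
        cur_hold = hold_ms
        while i < len(events) and events[i] <= run_at:
            i += 1  # changes arriving before the run are batched into it
        runs.append((run_at, cur_hold))
        window_end = run_at + cur_hold

        # Busy state: a change inside the hold window doubles the next
        # hold window, capped at the configured maximum.
        while i < len(events) and events[i] < window_end:
            while i < len(events) and events[i] < window_end:
                i += 1
            run_at = window_end
            cur_hold = min(cur_hold * 2, max_hold_ms)
            runs.append((run_at, cur_hold))
            window_end = run_at + cur_hold
        # The window expired with no change, so the next change is again
        # served after the initial delay with the initial hold time.
    return runs


# Constructed input: a flapping link reporting a change every 50 ms for 6 s.
FLAPPING = list(range(0, 6001, 50))

# Constructed input: two quick changes, then a long quiet period.
BURST_THEN_QUIET = [0, 200, 5000]


if __name__ == "__main__":
    print("flapping link, throttled:")
    for run_at, hold in simulate_spf(FLAPPING, 100, 300, 2000):
        print(f"  SPF at {run_at:5d} ms, next hold window {hold} ms")

    unthrottled = simulate_spf(FLAPPING, 0, 0, 0)
    print(f"same input with all timers at 0: {len(unthrottled)} SPF runs")

    print("burst then quiet:")
    for run_at, hold in simulate_spf(BURST_THEN_QUIET, 100, 300, 2000):
        print(f"  SPF at {run_at:5d} ms, next hold window {hold} ms")
```

With the flapping input, the hold windows grow from 300 to 600 to 1200 and then stay at the 2000 millisecond maximum, and the number of SPF calculations is far lower than with all timers set to 0.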
NOTE
A secondary management module must be installed for the device to function as a graceful restart device. If the device
functions as a graceful restart helper device only, there is no requirement for a secondary management module.
During graceful restart (GR), the restarting neighbors must help build routing information during a failover. However, GR may not
be supported by all devices in a network. NSR eliminates this dependency.
NSR does not require support from neighboring devices to perform hitless failover, and OSPF can continue operation without
interruption.
NOTE
NSR does not support IPv6-over-IPv4 tunneling and virtual links, so traffic loss is expected while performing hitless
failover.
If the active management module fails, the standby management module takes over and maintains the current OSPF routes, link-
state advertisements (LSAs), and neighbor adjacencies, so that there is no loss of existing traffic to the OSPF destination.
NOTE
NSR and Graceful Restart (GR) are mutually exclusive.
Limitations of NSR
• Configurations that occur before the switchover are lost due to the CLI synchronization.
• NSR does not support virtual links.
• Changes in the neighbor state or interface state before or during a switchover do not take effect.
• Traffic counters are not synchronized because the neighbor and LSA database counters are recalculated on the standby
module during synchronization.
• LSA acknowledging is delayed because it has to wait until standby acknowledging occurs.
• Depending on the sequence of redistribution or new LSAs (from neighbors), the LSAs accepted within the limits of the
database may change after switchover.
• In NSR hitless failover, after switchover, additional flooding-related protocol traffic is generated to the directly connected
neighbors.
• OSPF startup timers, database overflow, and max-metric are not applied during NSR switchover.
• Devices may generate OSPF log messages or reset OSPF neighbor timers, but these issues do not cause any OSPF or
traffic disruption.
NOTE
GR is mutually exclusive to NSR.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 globally.
device(config-ospf-router)# nonstop-routing
In the case of NSR, the device fails after receiving the LSA from its neighbor and acknowledges that neighbor upon receipt of an
LSA. The LSA synchronization to the standby module is then completed. In this case the standby module, when taking over from
the active module, does not have that LSA in its database and the already acknowledged neighbor does not retransmit that LSA.
For this reason, the NSR-capable device waits for LSA synchronization of the standby module to complete (Sync-Ack) before
acknowledging the neighbor that sent the LSA.
Synchronization limitations
• If a neighbor device is inactive for 30 seconds, and if the standby module takes over in another 10 seconds, the neighbor
device cannot be dropped. The inactivity timer starts again and takes another 40 seconds to drop the neighbor device.
• In the standby module, the valid neighbor states are loading, down, 2way, and full. If the active management processor (MP)
fails when the neighbor state is loading, the standby module cannot continue from loading, but the standby can
continue from 2way and tries to establish adjacency between the neighboring devices.
• The minimum OSPF dead-interval timer value is 40 seconds. When the dead-interval value is configured to less than this
minimum value, OSPF NSR cannot be supported.
Interface synchronization
Interface information is synchronized for interfaces such as PTPT, broadcast, and non-broadcast. Interface wait time is not
synchronized to the standby module. If an interface waits for 30 seconds to determine the identity of the designated router (DR)
or the backup designated router (BDR), and if the standby module takes over, the wait timer starts again and takes another 40
seconds for the interface state to change from waiting to BDR, DR, or DROther.
Neighbor database
Neighbor information is updated in the standby module based on updates from the active module. Certain neighbor state and
interface transitions are synchronized to the standby module. By default, the neighbor timers on the standby module are
disabled.
LSA database
The standby module processes LSA synchronization events from the active module and unpacks the LSA synchronization
information to directly install it in its LSDB, as the LSA has already been processed on the active module. The information
required to install all types of LSAs (and special LSAs such as Grace LSAs) is packed by OSPF on the active module in the
synchronization buffer, so that you can directly install LSAs on the standby module without extra processing.
The standby module is not allowed to originate any LSAs of its own. This is to maintain all information consistently from the
active module. The active module synchronizes self-originated LSAs to the standby module.
LSA aging is not applicable on the standby module. During synchronization from the active module, the current LSA age is
recorded and the new database timestamp is created on the standby module to later derive the LSA age as needed.
When the active module sends the LSAs to the standby module, based on the message, the standby module deletes or updates
its LSDB with the latest information.
LSA acknowledging or flooding are not done on the standby module. When the LSA synchronization update arrives from the
active module, it will be directly installed into the LSDB.
The OSPFv2 distribution list can be managed using ACLs or route maps to identify routes to be denied as described in the
following sections:
• Configuring an OSPFv2 Distribution List using ACLs
• Configuring an OSPFv2 Distribution List using route maps
Examples
In the following configuration example, the first three commands configure a standard ACL that denies routes to any 10.x.x.x
destination network and allows all other routes for eligibility to be installed in the IP route table. The last three commands
change the CLI to the OSPFv2 configuration level and configure an OSPFv2 distribution list that uses the ACL as input. The
distribution list prevents routes to any 10.x.x.x destination network from entering the IP route table. The distribution list does not
prevent the routes from entering the OSPFv2 database.
In the following example, the first three commands configure an extended ACL that denies routes to any 10.31.39.x destination
network and allows all other routes for eligibility to be installed in the IP route table. The last three commands change the CLI to
the OSPFv2 configuration level and configure an OSPFv2 distribution list that uses the ACL as input. The distribution list prevents
routes to any 10.31.39.x destination network from entering the IP route table. The distribution list does not prevent the routes
from entering the OSPFv2 database.
In the following example, the first command configures a numbered ACL that denies routes to any 10.31.39.x destination
network and allows all other routes for eligibility to be installed in the IP route table. The last three commands change the CLI to
the OSPFv2 configuration level and configure an OSPF distribution list that uses the ACL as input. The distribution list prevents
routes to any 10.31.39.x destination network from entering the IP route table. The distribution list does not prevent the routes
from entering the OSPFv2 database.
In the following example, the first two commands identify two routes using the ip prefix-list test1 command. Next, a route map
is created using the prefix-list test1 command to identify the two routes and the set distance command to set the OSPFv2
administrative distance of those routes to 200. A distribution list is then configured under the OSPFv2 configuration that uses the
route map named “setdistance” as input.
Once this configuration is implemented, the routes identified by the ip prefix-list command and matched in the route map will
have their OSPFv2 administrative distance set to 200. This is displayed in the output from the show ip route command, as
shown below.
Routes 1 and 2 demonstrate the actions of the example configuration as both display an OSPFv2 administrative distance value of
200. Note that the value is applied to both OSPFv2 learned routes that match the route-map instance containing the set distance
clause. The other OSPFv2 route (route 3), which does not match the relevant instance, continues to have the default OSPFv2
administrative distance of 110.
NOTE
The device advertises the default route into OSPF even if redistribution is not enabled, and even if the default route is
learned through an IBGP neighbor. IBGP routes (including the default route) are not redistributed into OSPF by OSPF
redistribution (for example, by the OSPF redistribute command).
In the figure below, the device acting as the ASBR (Autonomous System Boundary Router) can be configured between the RIP
domain and the OSPF domain to redistribute routes between the two domains.
NOTE
The ASBR must be running both RIP and OSPF protocols to support this activity.
NOTE
Do not enable redistribution until you have configured the redistribution route map. Otherwise, you might accidentally
overload the network with routes you did not intend to redistribute.
The redistribution of RIP and static IP routes into OSPFv2 is configured on a device.
2. Enter the router ospf command to enter OSPFv2 router configuration mode and enable OSPFv2 on the device.
3. Enter the redistribute command with the static parameter to redistribute static routes.
4. Enter the redistribute command with the rip parameter to redistribute RIP routes.
The following example redistributes static and RIP routes into OSPFv2 on a device.
Load sharing
Ruckus devices can load share among up to eight equal-cost IP routes to a destination. By default, IP load sharing is enabled. The
default is 4 equal-cost paths but you can specify from 2 to 8 paths.
On ICX 7650 and ICX 7750 devices, the value range for the maximum number of load-sharing paths is from 2 through 32, which is
controlled by the system-max max-ecmp command.
The device software can use the route information it learns through OSPF to determine the paths and costs.
• Router ->R5
• Router ->R6
Normally, the device chooses the path to R1 with the lower metric. For example, if the metric for R3 is 1400 and the metric for
R4 is 600, the device always chooses R4.
However, suppose the metric is the same for all four routers in this example. If the costs are the same, the device now has four
equal-cost paths to R1. To allow the device to load share among the equal cost routes, enable IP load sharing. Four equal-cost
OSPF paths are supported by default when you enable load sharing.
NOTE
The device is not source routing in these examples. The device is concerned only with the paths to the next-hop routers,
not the entire paths to the destination hosts.
By default, an interface’s OSPFv2 cost is based on the port speed of the interface. The cost is calculated by dividing the reference
bandwidth by the port speed. The default reference bandwidth is 100 Mbps, which results in the following default costs:
• 10 Mbps port - 10
• All other port speeds - 1
You can change the reference bandwidth. The following formula is used to calculate the cost:
Cost = reference-bandwidth/interface-speed
If the resulting cost is less than 1, the cost is rounded up to 1. The default reference bandwidth results in the following costs:
• 10 Mbps port’s cost = 100/10 = 10
• 100 Mbps port’s cost = 100/100 = 1
• 1000 Mbps port’s cost = 100/1000 = 0.10, which is rounded up to 1
The bandwidth for interfaces that consist of more than one physical port is calculated as follows:
• LAG group - The combined bandwidth of all the ports.
• Virtual interface - The combined bandwidth of all the ports in the port-based VLAN that contains the virtual interface.
The default reference bandwidth is 100 Mbps. You can change the reference bandwidth to a value from 1 through 4294967.
If a change to the reference bandwidth results in a cost change to an interface, the device sends a link-state update to update the
costs of interfaces advertised by the device.
NOTE
If you specify the cost for an individual interface, the cost you specify overrides the cost calculated by the software.
OSPFv2 maintains multiple instances of the routing protocol to exchange route information among various VRF instances. A
multi-VRF-capable device maps an input interface to a unique VRF, based on user configuration. These input interfaces can be
physical or a virtual interface. By default, all input interfaces are attached to the default VRF instance.
Multi-VRF for OSPF (also known as VRF-Lite for OSPF) provides a reliable mechanism for trusted VPNs to be built over a shared
infrastructure. The ability to maintain multiple virtual routing or forwarding tables allows overlapping private IP addresses to be
maintained across VPNs.
NOTE
ICX 7150 devices do not support VRFs.
2. Enter the router ospf command and specify a VRF name to enter OSPF router VRF configuration mode and enable
OSPFv2 on a non-default VRF.
NOTE
You can configure OSPFv2 max-metric router LSA in either startup or non-startup mode. When you configure max-
metric in non-startup mode, it only applies once and is not persistent across reloads or after the clear ip ospf all
command is issued.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
3. Enter the max-metric router-lsa command with the on-startup keyword and specify a value to specify a period of time
to advertise a maximum metric after a restart before advertising with a normal metric.
The following example configures an OSPFv2 device to advertise a maximum metric for 85 seconds after a restart before
advertising with a normal metric.
2. Enter the ip router ospf command to enter OSPF router configuration mode and enable OSPFv2 on the device.
3. Enter the rfc1583-compatibility command to re-enable OSPFv2 compatibility with RFC 1583.
device(config-ospf-router)# rfc1583-compatibility
OSPFv2 authentication
OSPFv2 can be configured to authenticate packets using one of the following authentication algorithms:
• Plain text
• Message Digest 5 (MD5)
• Hashed Message Authentication Code-Secure Hash Algorithm 1 (HMAC-SHA-1)
• Hashed Message Authentication Code-Secure Hash Algorithm 256 (HMAC-SHA-256)
The authentication algorithms provide varying levels of security and must be configured depending on your security
requirements, including any regulatory requirements such as FIPS compliance.
Algorithms HMAC-SHA-1 and HMAC-SHA-256 are supported in FIPS-compliant deployments. MD5 and plain text are not
supported in FIPS deployments.
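To make the difference between the four algorithms concrete, the following added example (not from this guide and not the device's own code) builds and checks OSPFv2 packets the way RFC 2328 Appendix D and RFC 5709 define them. The Hello body, router ID and sequence number are constructed; the key strings and key ID 10 are the sample values used in this section.

```python
import hashlib
import hmac
import struct

# The four algorithms the section lists. "fips" follows the page: only the
# HMAC-SHA variants are supported in FIPS-compliant deployments.
ALGS = {
    "plain-text":   {"autype": 1, "hash": None,     "fips": False},
    "md5":          {"autype": 2, "hash": "md5",    "fips": False},
    "hmac-sha-1":   {"autype": 2, "hash": "sha1",   "fips": True},
    "hmac-sha-256": {"autype": 2, "hash": "sha256", "fips": True},
}
HDR = "!BBH4s4sHH8s"                    # 24-byte OSPFv2 header (RFC 2328 A.3.1)
APAD = bytes.fromhex("878FE1F3")        # RFC 5709 Apad word


def inet_checksum(data):
    """16-bit one's-complement checksum used when AuType is 0 or 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def digest(alg, key, packet):
    """Authentication trailer for an AuType 2 (cryptographic) packet."""
    name = ALGS[alg]["hash"]
    if name == "md5":                   # RFC 2328 D.4.3: MD5(packet || 16-byte key)
        return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()
    size = hashlib.new(name).digest_size
    # RFC 5709 3.3: hash keys longer than the digest, zero-pad shorter ones.
    ks = hashlib.new(name, key).digest() if len(key) > size else key.ljust(size, b"\x00")
    return hmac.new(ks, packet + APAD * (size // 4), name).digest()


def sign(alg, key, body, router_id, area_id, key_id=0, seq=0, pkt_type=1):
    """Return the bytes a sender would put on the wire for this algorithm."""
    length = 24 + len(body)
    if ALGS[alg]["autype"] == 1:
        auth = key.ljust(8, b"\x00")[:8]          # the key itself, in clear
        head = struct.pack(HDR, 2, pkt_type, length, router_id, area_id, 0, 1, auth)
        csum = inet_checksum(head[:16] + body)    # auth field is excluded
        return struct.pack(HDR, 2, pkt_type, length, router_id, area_id, csum, 1, auth) + body
    size = hashlib.new(ALGS[alg]["hash"]).digest_size
    auth = struct.pack("!HBBI", 0, key_id, size, seq)
    pkt = struct.pack(HDR, 2, pkt_type, length, router_id, area_id, 0, 2, auth) + body
    return pkt + digest(alg, key, pkt)


def verify(alg, key, wire):
    """Receiver-side check; True only if the packet authenticates."""
    if len(wire) < 24:
        return False
    _, _, length, _, _, _, autype, auth = struct.unpack(HDR, wire[:24])
    if autype != ALGS[alg]["autype"] or length < 24 or length > len(wire):
        return False
    if autype == 1:
        same_key = hmac.compare_digest(auth, key.ljust(8, b"\x00")[:8])
        return same_key and inet_checksum(wire[:16] + wire[24:length]) == 0
    _, _, dlen, _ = struct.unpack("!HBBI", auth)
    if dlen != hashlib.new(ALGS[alg]["hash"]).digest_size:
        return False
    return hmac.compare_digest(wire[length:length + dlen], digest(alg, key, wire[:length]))


def fips_allowed():
    """Algorithms the page says are supported in FIPS deployments."""
    return [name for name, spec in ALGS.items() if spec["fips"]]


# Constructed Hello body: mask, hello 10 s, options, priority, dead 40 s, DR, BDR.
HELLO = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                    bytes(4), bytes(4))
RID, AREA = bytes([10, 1, 1, 1]), bytes(4)       # constructed router ID, area 0
KEYS = {"plain-text": b"mystring", "md5": b"mymd5passwordkey",
        "hmac-sha-1": b"mypasswordkey", "hmac-sha-256": b"mypasswordkey"}

if __name__ == "__main__":
    for alg, key in KEYS.items():
        wire = sign(alg, key, HELLO, RID, AREA, key_id=10, seq=1)
        forged = wire[:24] + bytes([wire[24] ^ 0xFF]) + wire[25:]   # alter the mask
        print(f"{alg:13} len={len(wire):3} ok={verify(alg, key, wire)} "
              f"tampered_ok={verify(alg, key, forged)} key_on_wire={key[:8] in wire}")
```

Only the plain text packet carries the key string itself; the other three append a digest of 16, 20 or 32 bytes, so a capture of the segment does not reveal the key.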
NOTE
OSPFv2 packets are not authenticated by default. You must configure OSPFv2 authentication as required.
In addition to the other authentication methods, you can configure keychain authentication. For more information regarding the
keychain authentication module and configuration of keychains, refer to the Keychain module section in the Ruckus FastIron
Security Configuration Guide.
NOTE
If multiple OSPFv2 are stacked and authentication is enabled, the OSPFv2 non-stop routing (NSR) feature must be
enabled explicitly. NSR is not enabled by default. If NSR is not enabled, there may be disruption to service upon stack
switchover.
NOTE
If multiple OSPFv2 interfaces are deployed within a VRF or Multi-VRF deployment and keychain authentication is
implemented, it is necessary to ensure the ip ospf hello-interval and ip ospf dead-interval values are configured
appropriately. If these values are set too low, for example hello-interval (1 second) and dead-interval (4 seconds), it may
cause performance issues and disruption to service during key rollover.
device(config)# interface ve 1
3. Enter the ip ospf authentication plain-text command with the required plain text key string.
The following example enables plain text authentication using the key string "mystring" on the specified interface.
3. Enter the router ospf command to enter OSPFv2 configuration mode and enable OSPFv2 on the device.
4. Enter area area-ID virtual-link virtual-link-address authentication plain-text command, specifying the required plain
text key string.
The following example enables plain text authentication using the key string "mystring" on the specified virtual link.
device(config)# interface ve 1
3. Enter the ip ospf authentication md5 command with the required parameters. The following example enables MD5
authentication with key ID 10 and key string "mymd5passwordkey".
The following example enables MD5 authentication using key ID 10 and key string "mymd5passwordkey" on the specified
interface.
3. Enter the router ospf command to enter OSPFv2 configuration mode and enable OSPFv2 on the device.
4. Enter area area-ID virtual-link virtual-link-address authentication md5 command, with the required parameters. The
following example enables MD5 authentication with key ID 10 and key string "mymd5passwordkey".
The following example enables MD5 authentication using the key ID 10 and key string 'mymd5passwordkey'.
device(config)# interface ve 1
3. Enter the ip ospf authentication command with the required authentication option and parameters. The following
example enables HMAC-SHA-1 authentication with key ID 10 and key string "mypasswordkey".
The following example enables HMAC-SHA-1 authentication using the key ID 10 and key string "mypasswordkey" on the specified
interface.
3. Enter the router ospf command to enter OSPFv2 configuration mode and enable OSPFv2 on the device.
4. Enter area area-ID virtual-link virtual-link-address authentication command, with the required authentication option
and parameters. The following example enables HMAC-SHA-1 authentication with the key ID 10 and key string
"mypasswordkey".
The following example enables HMAC-SHA-1 authentication using the key ID 10 and key string "mypasswordkey" on the specified
virtual link.
device(config)# interface ve 1
3. Enter the ip ospf authentication keychain command with the required keychain name. The following example enables
keychain authentication with the keychain "mykeychain".
The following example enables keychain authentication using the keychain name "mykeychain" on the specified interface.
3. Enter the router ospf command to enter OSPFv2 configuration mode and enable OSPFv2 on the device.
4. Enter area area-ID virtual-link virtual-link-address authentication keychain command, with the required keychain
name. The following example enables keychain authentication with the keychain name "mykeychain".
The following example enables keychain authentication using the keychain name "mykeychain" on the specified virtual link.
To configure the authentication key activation wait time on an OSPFv2 interface, complete the following steps.
device(config)# interface ve 1
3. Enter the ip ospf authentication key-activation-wait-time command with the required wait time value. The wait time
can be set from 0 through 14400 seconds. The following example configures a wait time of 600 seconds.
The following example enables an authentication key activation wait time of 600 seconds on the specified interface.
To configure the authentication key activation wait time on an OSPFv2 virtual link, complete the following steps.
3. Enter the router ospf command to enter OSPFv2 configuration mode and enable OSPFv2 on the device.
4. Enter area area-ID virtual-link virtual-link-address authentication command, with the required wait time value. The
wait time can be set from 0 through 14400 seconds. The following example configures a wait time of 600 seconds.
The following example enables an authentication key activation wait time of 600 seconds on the specified virtual link.
To view the OSPFv2 interface details and authentication settings, complete the following steps.
Enter the show ip ospf interface command to display general OSPFv2 information.
2. Enter the router ospf command to enter OSPF router configuration mode and enable OSPFv2 globally.
3. Enter the no log all command to disable the logging of all OSPFv2 events.
Disabling OSPFv2
To disable OSPFv2 on a device, use the no router ospf command:
1. Enter the configure terminal command to access global configuration mode.
OSPFv3 overview
Open Shortest Path First (OSPF) is a link-state routing protocol. Each OSPF device originates link-state advertisement (LSA)
packets to describe its link information. These LSAs are flooded throughout the OSPF area. The flooding algorithm ensures that
every device in the area has an identical database. Each device in the area then calculates a Shortest Path Tree (SPT) that shows
the shortest distance to every other device in the area, using the topology information in the Link State database.
IPv6 supports OSPF Version 3 (OSPFv3), which functions similarly to OSPFv2, the version that IPv4 supports, except for the
following enhancements:
• Support for IPv6 addresses and prefixes.
• Ability to configure several IPv6 addresses on a device interface. (While OSPFv2 runs per IP subnet, OSPFv3 runs per link.
In general, you can configure several IPv6 addresses on a router interface, but OSPFv3 forms one adjacency per
interface only, using the link local address of the interface as the source for OSPF protocol packets. On virtual links,
OSPFv3 uses the global IP address as the source. OSPFv3 imports all or none of the address prefixes configured on a
router interface. You cannot select the addresses to import.)
• Ability to run one instance of OSPFv2 and one instance of OSPFv3 concurrently on a link.
• Support for IPv6 link-state advertisements (LSAs).
NOTE
Although OSPFv2 and OSPFv3 function in a similar manner, Ruckus has implemented the user interface for each version
independently of the other. Therefore, any configuration of OSPFv2 features will not affect the configuration of OSPFv3
features and vice versa.
Enabling OSPFv3
When OSPFv3 is enabled on a device, the device enters OSPFv3 router configuration mode. Several commands can then be
accessed that allow the configuration of OSPFv3.
Before enabling the device to run OSPFv3, you must perform the following steps:
• Enable the forwarding of IPv6 traffic on the device using the ipv6 unicast-routing command.
• Enable IPv6 on each interface on which you plan to enable OSPFv3. You enable IPv6 on an interface by configuring an
IPv6 address or explicitly enabling IPv6 on that interface.
3. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
Configuring OSPFv3
A number of steps are required when configuring OSPFv3:
• Configure the router ID.
• Enable OSPFv3 globally.
• Assign OSPFv3 areas.
• Assign OSPFv3 areas to interfaces.
OSPFv3 areas
After OSPFv3 is enabled, you can assign OSPFv3 areas. You can specify the area ID in plain number format, such as "area 1", or in
IPv4 address format, such as 10.1.1.1. Each device interface can support one area.
NOTE
You can assign only one area on a device interface.
NOTE
You are required to configure a router ID when running only IPv6 routing protocols.
NOTE
By default, the router ID is the IPv4 address configured on the lowest-numbered loopback interface. If the device does
not have a loopback interface, the default router ID is the highest-numbered IPv4 address configured on the device. You
can also configure the router ID using the ip router-id command.
NOTE
For the ICX 7150, a maximum of 4 OSPF areas is supported for each OSPF instance.
Backbone area
The backbone area (also known as area 0 or area 0.0.0.0) forms the core of OSPF networks. All other areas should be connected
to the backbone area either by a direct link or by virtual link configuration. Routers that have interfaces in both backbone area
and (at least one) non-backbone area are called Area Border Routers (ABR). Inter area routing happens via ABRs.
The backbone area is the logical and physical structure for the OSPF domain and is attached to all non-zero areas in the OSPF
domain.
The backbone area is responsible for distributing routing information between non-backbone areas. The backbone must be
contiguous, but it does not need to be physically contiguous; backbone connectivity can be established and maintained through
the configuration of virtual links.
Area range
You can further consolidate routes at an area boundary by defining an area range. The area range allows you to assign an
aggregate address to a range of IP and IPv6 addresses.
This aggregate value becomes the address that is advertised instead of all the individual addresses it represents being
advertised. Only this aggregate or summary address is advertised into other areas instead of all the individual addresses that fall
in the configured range. Area range configuration can considerably reduce the number of Type 3 summary LSAs advertised by a
device. You have the option of adding the cost to the summarized route. If you do not specify a value, the cost value is the default
range metric calculation for the generated summary LSA cost. You can temporarily pause route summarization from the area by
suppressing the type 3 LSA so that the component networks remain hidden from other networks.
Area types
OSPFv3 areas can be normal, a stub area, a totally stubby area (TSA), or a not-so-stubby area (NSSA).
• Normal: OSPFv3 devices within a normal area can send and receive external link-state advertisements (LSAs).
• Stub: OSPFv3 devices within a stub area cannot send or receive External LSAs. In addition, OSPF devices in a stub area
must use a default route to the area’s Area Border Router (ABR) to send traffic out of the area.
• TSA: A form of stub area, where Type 3 summary routes are also not propagated in addition to Type 5 external routes.
• NSSA: A form of stub area, where Type 5 external routes by Autonomous System Boundary Routers (ASBRs) outside this
area are not propagated, but where it is allowed to have an ASBR in the area, that can advertise external information.
– ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type 7 External LSAs are a special type of
LSA generated only by ASBRs within an NSSA, and are flooded to all the routers within only that NSSA.
– One of the ABRs of the NSSA area is selected as a NSSA translator, and this router translates the area-specific Type 7
LSAs to Type 5 external LSAs which can be flooded throughout the Autonomous System (except NSSA and stub
areas).
When an NSSA contains more than one ABR, OSPFv3 elects one of the ABRs to perform the LSA translation for NSSA. OSPF elects
the ABR with the highest router ID. If the elected ABR becomes unavailable, OSPFv3 automatically elects the ABR with the next
highest router ID to take over translation of LSAs for the NSSA. The election process for NSSA ABRs is automatic.
Enable IPv6 on each interface on which you plan to enable OSPFv3. You enable IPv6 on an interface by configuring an IP address
or explicitly enabling IPv6 on that interface.
NOTE
For the ICX 7150, a maximum of 4 OSPF areas is supported for each OSPF instance.
3. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
device(config-ospf6-router)# area 0
The following example assigns an OSPFv3 ID to two areas. One of the areas is assigned by decimal number. The second area is
assigned by IP address.
NOTE
All device interfaces must be assigned to one of the defined areas on an OSPFv3 device. When an interface is assigned
to an area, all corresponding subnets on that interface are automatically included in the assignment.
device(config)# interface ve 1
3. Enter the ipv6 address command to add an IPv6 address to the interface.
Area 0 is assigned to the specified interface with the IPv6 address of 2001:db8:93e8:cc00::1.
5. Enter the exit command to return to global configuration mode.
device(config-vif-1)# exit
device(config)# interface ve 2
7. Enter the ipv6 address command to add an IPv6 address to the interface.
Area 1 is assigned to the specified interface with the IPv6 address of 2001:db8:93e8:cc00::1.
The following example configures and enables OSPFv3 on two specified interfaces, and assigns an interface to two router areas.
with a prefix of 0.0.0.0/0 is originated into the stub area by an ABR, so that devices in the area can forward all traffic for which a
specific route is not known, via ABR.
A stub area disables advertisements of external routes. By default, the ABR sends summary LSAs (type 3 LSAs) into stub areas.
You can further reduce the number of LSAs sent into a stub area by configuring the device to stop sending type 3 LSAs into the
area. You can disable the summary LSAs to create a TSA when you are configuring the stub area or after you have configured the
area.
The ABR of a totally stubby area disables origination of summary LSAs into this area, but still accepts summary LSAs from OSPF
neighbors and floods them to other neighbors.
When you enter the area stub command with the no-summary keyword and specify an area to disable the summary LSAs, the
change takes effect immediately. If you apply the option to a previously configured area, the device flushes all the summary LSAs
it has generated (as an ABR) from the area with the exception of the default summary LSA originated. This default LSA is needed
for the internal routers, since external routes are not propagated to them.
NOTE
Stub areas and TSAs apply only when the device is configured as an Area Border Router (ABR) for the area. To
completely prevent summary LSAs from being sent to the area, disable the summary LSAs on each OSPF router that is
an ABR for the area.
3. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
The following example sets an additional cost of 100 on a stub area defined as 4.
Not-so-stubby area
A not-so-stubby-area (NSSA) is an OSPFv3 area that provides the benefits of stub areas with the extra capability of importing
external route information. OSPFv3 does not flood external routes from other areas into an NSSA, but does translate and flood
route information from the NSSA into other areas such as the backbone.
NSSAs are especially useful when you want to aggregate type 5 External LSAs (external routes) before forwarding them into an
OSPFv3 area. When you configure an NSSA, you can specify an address range for aggregating the external routes that the ABR of
the NSSAs exports into other areas.
The OSPFv3 specification (RFC 2740) prohibits the advertising of type 5 LSAs and requires OSPFv3 to flood type 5 LSAs
throughout a routing domain.
If the router is an ABR, you can prevent any type 3 and type 4 LSA from being injected into the area by configuring an NSSA with the
no-summary parameter. The only exception is that a default route is injected into the NSSA by the ABR, and strictly as a type 3
LSA. The default type 7 LSA is not originated in this case.
By default, the device's NSSA translator role is set to candidate and the router participates in NSSA translation election, if it is an
ABR. You can also configure the NSSA translator role.
In the case where an NSSA ABR is also an ASBR, the default behavior is that it originates type 5 LSAs into normal areas and type 7
LSAs into an NSSA. But you can prevent an NSSA ABR from generating type 7 LSAs into an NSSA by configuring the no-
redistribution parameter.
Configuring an NSSA
OSPFv3 areas can be defined as NSSA areas with configurable parameters.
3. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
4. Enter the area nssa command with the default-information-originate keyword and specify a cost.
Area 3 is defined as an NSSA with the default route option and an additional cost of 33.
Virtual links
All ABRs must have either a direct or indirect link to an OSPFv3 backbone area (0 or 0.0.0.0). If an ABR does not have a physical
link to a backbone area, you can configure a virtual link from the ABR to another router within the same area that has a physical
connection to the backbone area.
The path for a virtual link is through an area shared by the neighbor ABR (router with a physical backbone connection) and the
ABR requiring a logical connection to the backbone.
In the following figure, a virtual link has been created between ABR1 and ABR2. ABR1 has a direct link to the backbone area,
while ABR2 has an indirect link to the backbone area through Area 1.
Two parameters must be defined for all virtual links—transit area ID and neighbor router:
• The transit area ID represents the shared area of the two ABRs and serves as the connection point between the two
routers. This number should match the area ID value.
• The neighbor router is the router ID of the device that is physically connected to the backbone when assigned from the
router interface requiring a logical connection. The neighbor router is the router ID (IPv4 address) of the router requiring
a logical connection to the backbone when assigned from the router interface with the physical connection.
When you establish an area virtual link, you must configure it on both ends of the virtual link. For example, imagine that ABR1 in
Area 1 and Area 2 is cut off from the backbone area (Area 0). To provide backbone access to ABR1, you can add a virtual link
between ABR1 and ABR2 in Area 1 using Area 1 as a transit area. To configure the virtual link, you define the link on the router
that is at each end of the link. No configuration for the virtual link is required on the routers in the transit area.
The automatically selected global IPv6 address for that router is the first global address of any loopback interface in that transit
area. If no global IPv6 address is available on a loopback interface in the area, the first global IPv6 address of the lowest-
numbered interface in the UP state (belonging to the transit area) is assigned. If no global IPv6 address is configured on any of
the OSPFv3 interfaces in the transit area, the virtual links in the transit area do not operate. The automatically selected IPv6
global address is updated whenever the previously selected IPv6 address of the interface changes, is removed, or if the interface
goes down.
NOTE
The existing selected virtual link address does not change because the global IPv6 address is now available on a
loopback interface or a lower-numbered interface in the transit area. To force the global IPv6 address for the virtual link
to be the global IPv6 address of a newly configured loopback, or a lower-numbered interface in the area, you must
either disable the existing selected interface or remove the currently selected global IPv6 address from the interface.
A virtual link is configured, and a virtual link endpoint on two devices, ABR1 and ABR2, is defined.
1. On ABR1, enter the configure terminal command to access global configuration mode.
3. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
device(config-ospf6-router)# area 0
device(config-ospf6-router)# area 1
6. Enter the area virtual-link command and the ID of the OSPFv3 device at the remote end of the virtual link to configure
the virtual link endpoint.
7. On ABR2, enter the configure terminal command to access global configuration mode.
9. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
device(config-ospf6-router)# area 1
device(config-ospf6-router)# area 2
12. Enter the area virtual-link command and the ID of the OSPFv3 device at the remote end of the virtual link to configure
the virtual link endpoint.
ABR1:
device1# configure terminal
device1(config)# ip router-id 10.1.1.1
device1(config)# ipv6 router ospf
device1(config-ospf6-router)# area 0
device1(config-ospf6-router)# area 1
device1(config-ospf6-router)# area 1 virtual-link 10.2.2.2
ABR2:
device2# configure terminal
device2(config)# ip router-id 10.2.2.2
device2(config)# ipv6 router ospf
device2(config-ospf6-router)# area 1
device2(config-ospf6-router)# area 2
device2(config-ospf6-router)# area 1 virtual-link 10.1.1.1
You can configure the device to redistribute routes from the following sources into OSPFv3:
• IPv6 static routes
• Directly connected IPv6 networks
• BGP4+
• RIPng
NOTE
You must configure the route map before you configure a redistribution filter that uses the route map.
NOTE
For an external route that is redistributed into OSPFv3 through a route map, the metric value of the route remains the
same unless the metric is set by the set metric command inside the route map or the default-metric command. For a
route redistributed without using a route map, the metric is set by the metric parameter if set or the default-metric
command if the metric parameter is not set.
The redistribution of both static routes and BGP routes into OSPFv3 is configured on device1. The redistribution of connected
routes into OSPFv3 is configured on device2, and the connected routes to be redistributed are specified.
1. On device1, enter the configure terminal command to access global configuration mode.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
3. Enter the redistribute command with the static parameter to redistribute static routes.
4. Enter the redistribute command with the bgp parameter to redistribute BGP routes.
5. On device2, enter the configure terminal command to access global configuration mode.
6. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
7. Enter the redistribute command with the connected and route-map parameters to redistribute connected routes and
specify a route map.
The following example redistributes static and BGP routes into OSPFv3 on a device.
The following example redistributes connected routes into OSPFv3 on a device and specifies a route map.
By default, a device does not advertise the default route into the OSPFv3 domain. If you want the device to advertise the OSPFv3
default route, you must explicitly enable default route origination. When you enable OSPFv3 default route origination, the device
advertises a type 5 default route that is flooded throughout the autonomous system, with the exception of stub areas.
The device advertises the default route into OSPFv3 even if OSPFv3 route redistribution is not enabled, and even if the default
route is learned through an IBGP neighbor. The device does not, however, originate the default route if the active default route is
learned from an OSPFv3 router in the same domain.
NOTE
The device does not advertise the OSPFv3 default route, regardless of other configuration parameters, unless you
explicitly enable default route origination.
If default route origination is enabled and you disable it, the default route originated by the device is flushed. Default routes
generated by other OSPFv3 devices are not affected. If you re-enable the default route origination, the change takes effect
immediately and you do not need to reload the software.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
3. Enter the default-information-originate command with the always, metric, and metric-type parameters.
The following example creates and advertises a default route with a metric of 2 and a type 1 external route.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
device(config-ospf6-router)# no log-status-change
The functionality of OSPFv3 distribution lists is similar to that of OSPFv2 distribution lists. However, unlike OSPFv2 distribution
lists, which filter routes based on criteria specified in an Access Control List (ACL), OSPFv3 distribution lists can filter routes using
information specified in an IPv6 prefix list or a route map.
1. Enter the show ipv6 ospf route command to verify the OSPFv3 routes.
device> enable
5. Enter the ipv6 prefix-list command, using the deny keyword and specifying a name.
An IPv6 prefix list called “filterOspfRoutes” that denies route 2001:db8:2::/64 is configured.
6. Enter the ipv6 prefix-list command, using the deny keyword and specifying a name. Use the ge keyword to specify a prefix
length greater than or equal to the ipv6-prefix/prefix-length arguments. Use the le keyword to specify a prefix length less
than or equal to the ipv6-prefix/prefix-length arguments.
7. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
8. Enter the distribute-list prefix-list command, using the in keyword and specifying a name to configure a distribution
list that applies the filterOspfRoutes prefix list globally.
9. Enter the exit command until you return to user EXEC mode.
device(config-ospf6-router)# exit
10. Enter the show ipv6 ospf route command to verify that route 2001:db8:2::/64 is now omitted from the route table.
The following example configures an IPv6 prefix list that is used to filter OSPFv3 routes. A distribution list is then configured and
route 2001:db8:2::/64 is omitted from the OSPFv3 route table.
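How the ge and le keywords from step 6 change which routes a prefix-list entry matches, shown as an added Python example that is not part of the guide. It assumes the conventional prefix-list semantics (first matching entry wins, implicit deny at the end, exact-length match when neither ge nor le is given); the permit entry, the le 128 variant and the sample routes are constructed.

```python
import ipaddress

# Entries are (action, prefix, ge, le). The deny for 2001:db8:2::/64 is the entry the
# guide describes; the trailing permit and the "le 128" variant are constructed here.
FILTER_EXACT = [
    ("deny", "2001:db8:2::/64", None, None),
    ("permit", "::/0", 1, 128),
]
FILTER_COVERING = [
    ("deny", "2001:db8:2::/64", None, 128),
    ("permit", "::/0", 1, 128),
]

# Constructed OSPFv3 routes offered to the route table.
ROUTES = ["2001:db8:1::/64", "2001:db8:2::/64", "2001:db8:2:0:8000::/65", "::/0"]


def entry_matches(route, prefix, ge=None, le=None):
    """True if route lies inside prefix and its length is within the entry's range."""
    route, prefix = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if route.version != prefix.version or not route.subnet_of(prefix):
        return False
    if ge is None and le is None:
        low = high = prefix.prefixlen          # no ge/le: the length must match exactly
    else:
        low = prefix.prefixlen if ge is None else ge
        high = route.max_prefixlen if le is None else le
    return low <= route.prefixlen <= high


def evaluate(prefix_list, route):
    """Return the action of the first matching entry (assumed: implicit deny at the end)."""
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"


def installed(prefix_list, routes):
    """Routes that a 'distribute-list prefix-list ... in' would still let into the table."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]


if __name__ == "__main__":
    print("exact-length deny:", installed(FILTER_EXACT, ROUTES))
    print("deny with le 128: ", installed(FILTER_COVERING, ROUTES))
```

With the exact-length deny, the /65 more-specific of the filtered prefix is still installed; adding le 128 to the deny entry covers it.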
1. Enter the show ipv6 ospf route command to verify the OSPFv3 routes.
device> enable
5. Enter the route-map command, using the permit keyword and specifying a name.
8. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
9. Enter the distribute-list route-map command, using the in keyword and specifying a name, to create a distribution list
using the configured route map “allowinternalroutes”.
10. Enter the exit command until you return to user EXEC mode.
device(config-ospf6-router)# exit
11. Enter the show ipv6 ospf route command to verify that the external routes are omitted from the OSPFv3 route table.
The following example configures a route map that is used to filter OSPFv3 routes. A distribution list is then configured and
external routes are omitted from the OSPFv3 route table.
SPF timers
The device uses an SPF delay timer and an SPF hold-time timer to calculate the shortest path for OSPFv3 routes. The values for
both timers can be changed.
The device uses the following timers when calculating the shortest path for OSPFv3 routes:
• SPF delay: When the device receives a topology change, it waits before starting a Shortest Path First (SPF) calculation. By
default, the device waits 5 seconds. You can configure the SPF delay to a value from 0 through 65535 seconds. If you set
the SPF delay to 0 seconds, the device immediately begins the SPF calculation after receiving a topology change.
• SPF hold time: The device waits a specific amount of time between consecutive SPF calculations. By default, it waits 10
seconds. You can configure the SPF hold time to a value from 0 through 65535 seconds. If you set the SPF hold time to 0
seconds, the device does not wait between consecutive SPF calculations.
You can set the SPF delay and hold time to lower values to cause the device to change to alternate paths more quickly if a route
fails. Note that lower values for these parameters require more CPU processing time.
NOTE
If you want to change only one of the timers, for example, the SPF delay timer, you must specify the new value for this
timer as well as the current value of the SPF hold timer, which you want to retain. The device does not accept only one
timer value.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
The SPF delay is changed to 1 second and the SPF hold time is changed to 5 seconds.
The following example changes the SPF delay and hold time.
You can influence the device’s decision by changing the default administrative distance for OSPFv3 routes. You can configure a
unique administrative distance for each type of OSPFv3 route. For example, you can configure the Ruckus device to prefer a
static route over an OSPFv3 inter-area route and to prefer OSPFv3 intra-area routes over static routes. The distance you specify
influences the choice of routes when the device has multiple routes to the same network from different protocols. The device
prefers the route with the lower administrative distance.
You can specify unique default administrative distances for the following OSPFv3 route types:
• Intra-area routes
• Inter-area routes
• External routes
NOTE
The choice of routes within OSPFv3 is not influenced. For example, an OSPFv3 intra-area route is always preferred over
an OSPFv3 inter-area route, even if the intra-area route’s distance is greater than the inter-area route’s distance.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
The administrative distance for intra-area routes is changed from the default to 80.
4. Enter the distance command with the inter-area parameter.
The administrative distance for inter-area routes is changed from the default to 90.
5. Enter the distance command with the external parameter.
The administrative distance for external routes is changed from the default to 100.
The following example changes the default administrative distances for intra-area routes, inter-area routes, and external routes.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
The reference bandwidth specified in this example results in the following costs:
• 10-Mbps port cost = 500/10 = 50
• 100-Mbps port cost = 500/100 = 5
• 1000-Mbps port cost = 500/1000 = 0.5, which is rounded up to 1
• 155-Mbps port cost = 500/155 = 3.23, which is rounded up to 4
• 622-Mbps port cost = 500/622 = 0.80, which is rounded up to 1
• 2488-Mbps port cost = 500/2488 = 0.20, which is rounded up to 1
The costs for 10-Mbps, 100-Mbps, and 155-Mbps ports change as a result of the changed reference bandwidth. Costs for higher-
speed interfaces remain the same.
The device paces OSPFv3 LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh
each time an individual LSA’s refresh timer expires. The accumulated LSAs constitute a group, which the device refreshes and
sends out together in one or more packets.
The pacing interval, which is the interval at which the device refreshes an accumulated group of LSAs, is configurable in a range
from 10 through 1800 seconds (30 minutes). The default is 240 seconds (4 minutes). Thus, every four minutes, the device
refreshes the group of accumulated LSAs and sends the group together in the same packets.
The pacing interval is inversely proportional to the number of LSAs the device is refreshing and aging. For example, if you have
approximately 10,000 LSAs, decreasing the pacing interval enhances performance. If you have a very small database (40 to 100
LSAs), increasing the pacing interval to 10 to 20 minutes may enhance performance only slightly.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
The OSPFv3 LSA pacing interval is changed to 120 seconds (two minutes).
The following example restores the pacing interval to the default value of 240 seconds (4 minutes).
When you configure a summary address range, the range takes effect immediately. All the imported routes are summarized
according to the configured summary address range. Imported routes that have already been advertised and that fall within the
range are flushed out of the autonomous system and a single route corresponding to the range is advertised.
If a route that falls within a configured summary address range is imported by the device, no action is taken if the device has
already advertised the aggregate route; otherwise, the device advertises the aggregate route. If an imported route that falls
within a configured summary address range is removed by the device, no action is taken if there are other imported routes that
fall within the same summary address range; otherwise, the aggregate route is flushed.
The device sets the forwarding address of the aggregate route to 0 and sets the tag to 0. If you delete a summary address range,
the advertised aggregate route is flushed and all imported routes that fall within the range are advertised individually. If an
external link-state database (LSDB) overflow condition occurs, all aggregate routes and other external routes are flushed out of
the autonomous system. When the device exits the external LSDB overflow condition, all the imported routes are summarized
according to the configured address ranges.
NOTE
If you use redistribution filters in addition to summary address ranges, the device applies the redistribution filters to
routes first, and then applies them to the summary address ranges.
NOTE
If you disable redistribution, all the aggregate routes are flushed, along with other imported routes.
NOTE
Only imported, type 5 external LSA routes are affected. A single type 5 LSA is generated and flooded throughout the
autonomous system for multiple external routes.
Multi-VRF for OSPF (also known as VRF-Lite for OSPF) provides a reliable mechanism for trusted VPNs to be built over a shared
infrastructure. The ability to maintain multiple virtual routing or forwarding tables allows overlapping private IP addresses to be
maintained across VPNs.
NOTE
ICX 7150 devices do not support VRFs.
2. Enter the vrf command and specify a name to enter Virtual Routing and Forwarding (VRF) configuration mode and
create a non-default VRF instance.
3. Enter the rd command, assigning an administrative number and an arbitrary number to the route, to distinguish a route for
VRF green.
device(config-vrf-green)# rd 100:200
5. Enter the address-family ipv6 command to enter IPv6 address-family configuration mode.
6. Enter the exit command until you return to global configuration mode.
device(config-vrf-green-ipv6)# exit
7. Enter the ipv6 router ospf command and specify a VRF name to enter OSPFv3 router VRF configuration mode and
enable OSPFv3 on a non-default VRF.
NOTE
ICX 7150 devices do not support VRFs.
Enable IPv6 on each interface on which you plan to enable OSPFv3. You enable IPv6 on an interface by configuring an IP address
or explicitly enabling IPv6 on that interface.
2. Enter the vrf command and specify a name to enter Virtual Routing and Forwarding (VRF) configuration mode and
create a non-default VRF instance.
3. Enter the rd command, assigning an administrative number and an arbitrary number to the route, to distinguish a route for
VRF red.
device(config-vrf-red)# rd 100:200
5. Enter the address-family ipv6 command to enter IPv6 address-family configuration mode.
6. Enter the exit command until you return to global configuration mode.
device(config-vrf-red-ipv6)# exit
7. Enter the ipv6 router ospf command and specify a VRF name to enter OSPFv3 configuration mode and enable OSPFv3
in a non-default VRF.
device(config-ospf6-router-vrf-red)# area 0
The following example assigns an OSPFv3 ID to two areas in a non-default VRF instance. One of the areas is assigned by decimal
number. The second area is assigned by IP address.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
device(config-ospf6-router)# default-passive-interface
The following example sets all OSPFv3 interfaces as passive, causing them to drop all the OSPFv3 control packets.
When OSPFv3 GR helper is enabled on a device, the device enters helper mode upon receipt of a grace-LSA where the neighbor
state is full. By default, the helper capability is enabled when you start OSPFv3, even if graceful restart is not supported.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
3. Enter the no graceful-restart helper command with the strict-lsa-checking parameter to disable the GR helper with strict
link-state advertisement (LSA) checking.
The following example disables the GR helper with strict link-state advertisement (LSA) checking.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
3. Enter the graceful-restart helper command and specify the strict-lsa-checking parameter to re-enable the GR helper
with strict LSA checking.
The following example re-enables the GR helper with strict LSA checking.
During graceful restart (GR), the restarting neighbors must help build routing information during a failover. However, the GR
helper may not be supported by all devices in a network. Non-stop routing (NSR) eliminates this dependency.
NSR does not require support from neighboring devices to perform hitless failover, and OSPF can continue operation without
interruption.
NOTE
NSR does not support IPv6-over-IPv4 tunnels and virtual links, so traffic loss is expected while performing hitless
failover.
2. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 globally.
device(config-ospf6-router)# nonstop-routing
OSPFv3 authentication
OSPFv3 can be configured to authenticate packets using one of the following authentication methods:
• Authentication trailer
Authentication trailer allows authentication of OSPFv3 packets using Hashed Message Authentication Code-Secure Hash
Algorithm 1 (HMAC-SHA-1) or Hashed Message Authentication Code-Secure Hash Algorithm 256 (HMAC-SHA-256).
• IP Security (IPsec)
IP Security (IPsec) secures OSPFv3 communications by authenticating and encrypting each IP packet of a communication
session.
NOTE
OSPFv3 packets are not authenticated by default. You must configure OSPFv3 authentication as required.
The authentication algorithms provide varying levels of security and must be configured depending on your security
requirements, including any regulatory requirements such as FIPS compliance.
In addition to the other authentication methods, you can configure keychain authentication. For more information regarding the
keychain authentication module and configuration of keychains, refer to the Keychain module section in the Ruckus FastIron
Security Configuration Guide.
The OSPFv3 authentication trailer is defined in RFC 7166 and RFC 6506. RFC 7166 supersedes RFC 6506, and by default FastIron
implements the authentication trailer in accordance with RFC 7166. However, some vendor equipment still supports RFC 6506. If
your deployment includes vendor equipment that supports RFC 6506, you can configure authentication for the required interfaces
or virtual links, as required, using the ospf authentication rfc6506 command.
device(config)# interface ve 1
3. Enter the ipv6 ospf authentication command with the required authentication option and parameters. The following
example enables HMAC-SHA-1 authentication with key ID 10 and key string "mypasswordkey".
The following example enables HMAC-SHA-1 authentication using the key ID 10 and key string "mypasswordkey" on the specified
interface.
3. Enter the ipv6 router ospf command to enter OSPFv3 configuration mode and enable OSPFv3 on the device.
4. Enter the area area-ID virtual-link virtual-link-address authentication command with the required authentication option
and parameters. The example enables HMAC-SHA-1 authentication with key ID 10 and key string "mypasswordkey".
The following example enables HMAC-SHA-1 authentication using key ID 10 and key string "mypasswordkey" on the specified
virtual link.
3. Enter the ipv6 router ospf command to enter OSPFv3 configuration mode and enable OSPFv3 on the device.
4. Enter the area area-ID authentication command with the required authentication option and parameters. The following
example enables HMAC-SHA-1 authentication with key ID 10 and key string "mypasswordkey".
NOTE
This configuration instructs all interfaces within the area to use HMAC-SHA-1 or HMAC-SHA-256 authentication. It is
possible to remove this configuration from individual interfaces using the ipv6 ospf authentication disable command
on the required interface.
The following example enables HMAC-SHA-1 authentication using the key ID 10 and key string "mypasswordkey" on the specified
area.
device(config)# interface ve 1
3. Enter the ipv6 ospf authentication keychain command with the required keychain. The following example enables
keychain authentication with the keychain "mykeychain".
The following example enables keychain authentication using the keychain "mykeychain" on the specified interface.
3. Enter the ipv6 router ospf command to enter OSPFv3 configuration mode and enable OSPFv3 on the device.
4. Enter the area area-ID virtual-link virtual-link-address authentication command with the required keychain. The following
example enables keychain authentication with the keychain "mykeychain".
The following example enables keychain authentication using the keychain "mykeychain" on the specified virtual link.
3. Enter the ipv6 router ospf command to enter OSPFv3 configuration mode and enable OSPFv3 on the device.
4. Enter the area area-ID authentication command with the required keychain. The following example enables keychain
authentication with the keychain "mykeychain".
NOTE
This configuration instructs all interfaces within the area to use keychain authentication. It is possible to remove this
configuration from individual interfaces using the ipv6 ospf authentication disable command on the required
interface.
The following example enables keychain authentication using the keychain "mykeychain" on the specified area.
To configure the authentication key activation wait time on an OSPFv3 interface, complete the following steps.
device(config)# interface ve 1
3. Enter the ipv6 ospf authentication key-activation-wait-time command with the required wait time value. The wait
time can be set from 0 through 14400 seconds. The following example configures a wait time of 600 seconds.
The following example enables an authentication key activation wait time of 600 seconds on the specified interface.
To configure the authentication key activation wait time on an OSPFv3 virtual link, complete the following steps.
1. Enter the configure terminal command to access global configuration mode.
3. Enter the ipv6 router ospf command to enter OSPFv3 configuration mode and enable OSPFv3 on the device.
4. Enter the area area-ID virtual-link virtual-link-address authentication command with the required wait time value. The
wait time can be set from 0 through 14400 seconds. The following example configures a wait time of 600 seconds.
The following example enables an authentication key activation wait time of 600 seconds on the specified virtual link.
device(config)# interface ve 1
4. Enter the ipv6 ospf authentication command with the required authentication option and parameters. The following
example enables HMAC-SHA-1 authentication with key ID 10 and key string "mypasswordkey".
The following example enables HMAC-SHA-1 authentication using the key ID 10 and key string "mypasswordkey" on the specified
interface.
3. Enter the ipv6 router ospf command to enter OSPFv3 configuration mode and enable OSPFv3 on the device.
5. Enter the area area-ID virtual-link virtual-link-address authentication command with the required authentication option
and parameters. The example enables HMAC-SHA-1 authentication with key ID 10 and key string "mypasswordkey".
The following example enables HMAC-SHA-1 authentication using key ID 10 and key string "mypasswordkey" on the specified
virtual link.
To view the OSPFv3 interface details and authentication settings, complete the following steps.
Enter the show ipv6 ospf interface command to display general OSPFv3 information.
IPsec provides security features such as data integrity, replay protection, and message confidentiality. You can use IPsec to
secure specific OSPFv3 areas and interfaces and protect OSPFv3 virtual links.
The Encapsulating Security Payload (ESP) protocol authenticates routing information between peers. ESP can provide message
confidentiality, connectionless data integrity, and optional replay protection. ESP has both a header and a trailer. The
authentication data of ESP cannot protect the outer IP header, only the payload that is being encrypted.
IPsec is available for OSPFv3 traffic only and only for packets that are “for-us”. A for-us packet is addressed to one of the IPv6
addresses on the device or to an IPv6 multicast address. Packets that are only forwarded by the line card do not receive IPsec
scrutiny.
Ruckus devices support the following components of IPsec for IPv6-addressed packets:
• Authentication through ESP in transport mode
• Hashed Message Authentication Code-Secure Hash Algorithm 1 (HMAC-SHA-1) as the authentication algorithm
IPsec is based on security associations (SAs). With respect to traffic classes, this implementation of IPsec uses a single security
association between the source and destination to support all traffic classes and does not differentiate between the different
classes of traffic that the DSCP bits define.
IPsec on a virtual link is a global configuration. Interface and area IPsec configurations are more granular.
Among the entities that can have IPsec protection, the interfaces and areas can overlap. The interface IPsec configuration takes
precedence over the area IPsec configuration when an area and an interface within that area use IPsec. Therefore, if you
configure IPsec for an interface and an area configuration also exists that includes this interface, the interface's IPsec
configuration is used by that interface. However, if you disable IPsec on an interface, IPsec is disabled on the interface even if the
interface has its own specific authentication.
For IPsec, the system generates two types of databases. The Security Association Database (SAD) contains a security association
for each interface or one global database for a virtual link. Even if IPsec is configured for an area, each interface that uses the
area's IPsec still has its own security association in the SAD. Each SA in the SAD is a generated entry that is based on your
specifications of an authentication protocol (for example, ESP), destination address, and a security parameter index (SPI). The SPI
number is user-specified according to the network plan. When you choose SPI values, you must consider the whole
network.
The system-generated security policy databases (SPDs) contain the security policies against which the system checks the for-us
packets. For each for-us packet that has an ESP header, the applicable security policy in the security policy database (SPD) is
checked to see if this packet complies with the policy. The IPsec task drops the non-compliant packets. Compliant packets
continue on to the OSPFv3 task.
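One way to audit a saved configuration against the rules described above: OSPFv3 packets are unauthenticated by default, an area-level setting applies to every interface in the area, an interface setting takes precedence over the area setting, and ipv6 ospf authentication disable turns authentication off on one interface. This is an added Python example, not code from the guide; the running-config layout (indented sub-commands, "!" separators), the key placeholders, interfaces ve 2 through ve 4 and the virtual link to 10.3.3.3 are constructed assumptions.

```python
import re

# Constructed running-config fragment (not output from a real device). It uses only
# command forms named in this guide; the indented layout and "!" separators are assumed.
SAMPLE_CONFIG = """\
ipv6 router ospf
 area 0
 area 1
 area 0 authentication ipsec spi 600 esp sha1 <40-hex-key>
 area 1 virtual-link 10.1.1.1 authentication ipsec spi 512 esp sha1 no-encrypt <40-hex-key>
 area 1 virtual-link 10.3.3.3
!
interface ve 1
 ipv6 ospf area 0
!
interface ve 2
 ipv6 ospf area 0
 ipv6 ospf authentication keychain mykeychain
!
interface ve 3
 ipv6 ospf area 0
 ipv6 ospf authentication disable
!
interface ve 4
 ipv6 ospf area 1
"""

# Sub-options that tune authentication but do not select a method.
NOT_A_METHOD = {"key-activation-wait-time", "rfc6506"}
AREA_AUTH = re.compile(r"^area (\S+) authentication (.+)$")
VLINK = re.compile(r"^area (\S+) virtual-link (\S+)(?: authentication (.+))?$")
IF_AREA = re.compile(r"^ipv6 ospf area (\S+)$")
IF_AUTH = re.compile(r"^ipv6 ospf authentication (.+)$")


def method_tokens(text):
    """Split an authentication setting into tokens; None if it only tunes a method."""
    tokens = text.split()
    return None if tokens[0] in NOT_A_METHOD else tokens


def parse(config):
    """Collect area-level, virtual-link and interface-level authentication settings."""
    areas, vlinks, ifaces, block = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # an unindented line opens a new configuration block
            block = line
            if line.startswith("interface "):
                ifaces[line.split(" ", 1)[1]] = {"area": None, "auth": None}
            continue
        if block == "ipv6 router ospf":
            if (m := AREA_AUTH.match(line)) and method_tokens(m.group(2)):
                areas[m.group(1)] = method_tokens(m.group(2))
            elif m := VLINK.match(line):
                key = (m.group(1), m.group(2))
                tokens = method_tokens(m.group(3)) if m.group(3) else None
                vlinks[key] = tokens or vlinks.get(key)
        elif block and block.startswith("interface "):
            iface = ifaces[block.split(" ", 1)[1]]
            if m := IF_AREA.match(line):
                iface["area"] = m.group(1)
            elif (m := IF_AUTH.match(line)) and method_tokens(m.group(1)):
                iface["auth"] = method_tokens(m.group(1))
    return areas, vlinks, ifaces


def audit(config):
    """Return (effective authentication per OSPFv3 interface, list of findings)."""
    areas, vlinks, ifaces = parse(config)
    effective, findings = {}, []
    for name, iface in ifaces.items():
        if iface["area"] is None:
            continue  # OSPFv3 is not enabled on this interface
        if iface["auth"] is not None:  # interface setting takes precedence over the area
            tokens, source = iface["auth"], "interface"
        else:
            tokens, source = areas.get(iface["area"]), "area " + iface["area"]
        if tokens is None or tokens[0] == "disable":
            effective[name] = None
            findings.append(("unauthenticated", "interface " + name))
        else:
            effective[name] = f"{tokens[0]} ({source})"
    for (area, peer), tokens in vlinks.items():
        if tokens is None or tokens[0] == "disable":
            findings.append(("unauthenticated", f"virtual-link {peer} (area {area})"))
    # no-encrypt leaves the key readable in show command displays.
    settings = [(f"area {a}", t) for a, t in areas.items()]
    settings += [(f"virtual-link {p} (area {a})", t) for (a, p), t in vlinks.items()]
    settings += [(f"interface {n}", i["auth"]) for n, i in ifaces.items()]
    findings += [("key-not-encrypted", w) for w, t in settings if t and "no-encrypt" in t]
    return effective, findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```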
NOTE
ICX 7150 devices do not support VRFs.
Currently, certain keyword parameters must be entered even though only one keyword choice is possible for that parameter. For
example, the only authentication algorithm is HMAC-SHA1-96, but you must nevertheless enter the sha1 keyword for this
algorithm. Also, although ESP is currently the only authentication protocol, you must enter the esp keyword.
NOTE
When IPsec is configured for an area, the security policy is applied to all the interfaces in the area.
3. Enter the ipv6 router ospf command to enter OSPFv3 configuration mode and enable OSPFv3 on the device.
4. Enter the area authentication ipsec spi spi esp sha1 command, specifying an area, and enter a 40-character hexadecimal key.
IPsec is configured in OSPFv3 area 0 with a security parameter index (SPI) value of 600, and Hashed Message
Authentication Code (HMAC) Secure Hash Algorithm 1 (SHA-1) authentication is enabled.
The following example enables HMAC SHA-1 authentication for the OSPFv3 area, setting an SPI value of 600.
For IPsec to work, the IPsec configuration must be the same on all the routers to which an interface connects.
Currently, certain keyword parameters must be entered even though only one keyword choice is possible for that parameter. For
example, the only authentication algorithm is HMAC-SHA1-96, but you must nevertheless enter the sha1 keyword for this
algorithm. Also, although ESP is currently the only authentication protocol, you must enter the esp keyword.
NOTE
Ensure that OSPFv3 areas are assigned. All device interfaces must be assigned to one of the defined areas on an OSPFv3
router. When an interface is assigned to an area, all corresponding subnets on that interface are automatically included
in the assignment.
device(config)# interface ve 1
3. Enter the ipv6 ospf area command to assign a specified area to the interface.
4. Enter the ipv6 ospf authentication ipsec spi value esp sha1 command and specify a 40-character hexadecimal key.
IPsec is configured on the specified interface with a security parameter index (SPI) value of 512, and the Encapsulating
Security Payload (ESP) protocol is selected. Secure Hash Algorithm 1 (SHA-1) authentication is enabled.
The following example enables ESP and SHA-1 on a specified OSPFv3 virtual Ethernet (VE) interface.
Currently, certain keyword parameters must be entered even though only one keyword choice is possible for that parameter. For
example, the only authentication algorithm is HMAC-SHA1-96, but you must nevertheless enter the sha1 keyword for this
algorithm. Also, although ESP is currently the only authentication protocol, you must enter the esp keyword.
The virtual link IPsec security associations (SAs) and policies are added to all interfaces of the transit area for the outbound
direction. For the inbound direction, IPsec SAs and policies for virtual links are added to the global database.
3. Enter the ipv6 router ospf command to enter OSPFv3 configuration mode and enable OSPFv3 on the device.
4. Enter the area virtual-link authentication ipsec spi value esp sha1 no-encrypt key command, specifying an area address and
the ID of the OSPFv3 device at the remote end of the virtual link.
device(config-ospf6-router)# area 1 virtual-link 10.1.1.1 authentication ipsec spi 512 esp sha1 no-encrypt 1134567890223456789012345678901234567890
IPsec is configured on the specified virtual link in OSPF area 1. The device ID associated with the virtual link neighbor is
10.1.1.1, the SPI value is 512, and the Encapsulating Security Payload (ESP) protocol is selected. Secure Hash Algorithm 1
(SHA-1) authentication is enabled. The 40-character key is not encrypted in show command displays.
The following example configures IPsec on an OSPFv3 area.
3. Enter the ipv6 router ospf command to enter OSPFv3 router configuration mode and enable OSPFv3 on the device.
4. Enter the key-rollover-interval command and specify the desired interval to set the timing of the configuration
changeover.
The following example sets the timing of the configuration changeover to 240 seconds (4 minutes).
Use the show ipsec statistics command to display the IPsec statistics. After using the clear ipsec statistics command to clear
the IPsec statistics, re-enter the show ipsec statistics command to verify the IPsec statistics have been cleared. The clear ipsec
statistics command resets the IPsec packet statistics and IPsec error statistics counters to zero.
device(config)# exit
2. Enter the show ipsec statistics command to display statistics related to IPsec.
3. Enter the clear ipsec statistics command to clear statistics related to IPsec from the configuration.
4. Enter the show ipsec statistics command to verify that statistics related to IPsec have been cleared from the
configuration.
The counters holding IPsec packet statistics and IPsec error statistics are reset to 0.
The following example clears IPsec statistics and verifies that the IPsec statistics have been cleared.
device(config-ospf6-router)# exit
device(config)# exit
device# show ipsec statistics
device# clear ipsec statistics
device# show ipsec statistics
Use one or more of the following commands to verify OSPFv3 information. Using the show ipv6 ospf command is optional, and
the variations of the command can be entered in any order.
device# exit
2. Enter the show ipv6 ospf command to display general OSPFv3 information.
3. The following example of the show ipv6 ospf area command shows detailed output for assigned OSPFv3 Area 1.
Area 1:
Authentication: Not Configured
Active interface(s)attached to this area: None
Inactive interface(s)attached to this area: ve 20 ve 30
Number of Area scoped LSAs is 311
Sum of Area LSAs Checksum is 9e8fff
Statistics of Area 1:
SPF algorithm executed 10 times
SPF last updated: 5920 sec ago
Current SPF node count: 1
Router: 1 Network: 0
Maximum of Hop count to nodes: 0
4. The following example of the show ipv6 ospf interface brief command shows limited OSPFv3 interface information.
5. The following example of the show ipv6 ospf neighbor command shows OSPFv3 neighbor information for the device.
6. The following example of the show ipv6 ospf virtual-neighbor command shows information about an OSPFv3 virtual
neighbor.
7. The following example of the show ipv6 ospf database command shows information about different OSPFv3 LSAs.
8. The following example of the show ipv6 ospf routes command shows output for OSPFv3 routes.
9. The following example of the show ipv6 ospf database as-external command shows information about external LSAs.
10. The following example of the show ipv6 ospf database command with the tree shows information about the SPF trees.
11. The following example of the show ipv6 ospf database command with the table shows information about the SPF
table.
12. The following example of the show ipv6 ospf redistribute route command shows information about routes that the
device has redistributed into OSPFv3.
13. The following example of the show ipv6 ospf routes command shows information about a specified OSPFv3 route.
BGP4 overview
Border Gateway Protocol version 4 (BGP4) is an exterior gateway protocol that performs inter-autonomous system (AS) or inter-
domain routing. It peers to other BGP-speaking systems over TCP to exchange network reachability and routing information. BGP
primarily performs two types of routing: inter-AS routing, and intra-AS routing. BGP peers belonging to different autonomous
systems use the inter-AS routing, referred to as Exterior BGP (eBGP). On the other hand, within an AS, BGP can be used to maintain
a consistent view of network topology, to provide optimal routing, or to scale the network.
BGP is a path vector protocol and implements this scheme on large scales by treating each AS as a single point on the path to
any given destination. For each route (destination), BGP maintains the AS path and uses this to detect and prevent loops
between autonomous systems.
Devices within an AS can use different Interior Gateway Protocols (IGPs) such as RIP and OSPF to communicate with one another.
However, for devices in different autonomous systems to communicate, they need to use an EGP. BGP4 is the standard EGP used
by Internet devices and therefore is the EGP implemented on Ruckus devices.
This is a simple example of two BGP4 ASs. Each AS contains three BGP4 devices. All of the BGP4 devices within an AS
communicate using iBGP. BGP4 devices communicate with other autonomous systems using eBGP. Notice that each of the
devices also is running an Interior Gateway Protocol (IGP). The devices in AS1 are running OSPF and the devices in AS2 are
running RIP. The device can be configured to redistribute routes among BGP4, RIP, and OSPF. They also can redistribute static
routes.
NOTE
ICX 7150 devices do not support BGP4.
BGP4 peering
Unlike OSPF or other IGP protocols, BGP4 does not have neighbor detection capability. BGP4 neighbors (or peers) must be
configured manually. A device configured to run BGP4 is called a BGP "speaker." A BGP speaker connects to another speaker
(either in the same or a different AS) by using a TCP connection to port 179 (the well-known BGP port), to exchange the routing
information. The TCP connection is maintained throughout the peering session. While the connection between BGP peers is
alive, two peers communicate by means of the following types of messages:
• OPEN
• UPDATE
• KEEPALIVE
• NOTIFICATION
• ROUTE REFRESH
BGP4 peering can be internal or external, depending on whether the two BGP peers belong to the same AS or different ASs. A
BGP4 session between peers within a single AS is referred to as an Interior BGP (iBGP) session; a session between peers
belonging to different ASs is referred to as an Exterior BGP (eBGP) session.
In order to establish a TCP connection between two iBGP peers, the IP reachability should be established either by means of the
underlying IGP protocol (e.g. OSPF) or by means of static routes. When routes are advertised within iBGP peers, the following
primary actions are taken in contrast to eBGP peering:
• Routes learned from an iBGP peer are not usually advertised to other iBGP peers, in order to prevent loops within an AS.
• Path attributes are not usually changed, in order to maintain the best path selection at other nodes within an AS.
• The AS path and next hop are not normally changed.
16 2 1 variable
NOTE
All values in the following tables are in bytes.
OPEN message
After establishing a TCP connection, BGP peers exchange OPEN messages to identify each other.
Version   Autonomous System   Hold-Time   BGP Identifier   Optional Parameter Len   Optional Parameters
1         2 or 4              2           4                1                        4
Version
Autonomous System
A BGP timer command specifies both keep-alive and hold-time operands that manage the intervals for BGP KEEPALIVE and
HOLDTIME messages. The keep alive time specifies how frequently the device sends KEEPALIVE messages to its BGP4 neighbors.
The hold time specifies how long the device waits for a KEEPALIVE or UPDATE message from a neighbor before concluding that
the neighbor is dead. When two neighbors have different hold-time values, the lowest value is used. A hold-time value of 0
means "always consider neighbor to be active."
BGP Identifier
Indicates the router (or device) ID of the sender. When router-id is not configured, device-id is taken from the loopback interface.
Otherwise, the lowest IP address in the system is used.
Parameter List
UPDATE message
The UPDATE message is used to advertise new routes, withdraw previously advertised routes, or both.
Withdrawn Routes
Path Attributes
Indicates characteristics of the advertised path. Possible attributes: Origin, AS Path, Next Hop, MED (Multi-Exit Discriminator),
Local Preference, Atomic Aggregate, Aggregator, Community, extended-Communities.
NLRI
Network Layer Reachability Information — the set of destinations whose addresses are represented by one prefix. This field
contains a list of IP address prefixes for the advertised routes.
NOTIFICATION message
In case of an error that causes the TCP connection to close, the closing peer sends a notification message to indicate the type of
error.
Error Code   Error Subcode   Error Data
1            1               variable
Error Code
• Cease (voluntarily)
Error Subcode
Error Data
KEEPALIVE message
Because BGP does not regularly exchange route updates to maintain a session, KEEPALIVE messages are sent to keep the
session alive. A KEEPALIVE message contains just the BGP header without a data field. The default KEEPALIVE time is 60 seconds and is
configurable.
REFRESH message
A REFRESH message is sent to a neighbor requesting that the neighbor resend the route updates. This is useful when the
inbound policy has been changed.
BGP4 attributes
BGP4 attributes are passed in UPDATE messages to describe the characteristics of a BGP path by the advertising device. At a high
level, there are only two types of attributes: well-known and optional. All of the well-known attributes, as described in RFC 4271,
are supported.
When multiple paths for the same route prefix are known to a BGP4 device, the device uses the following algorithm to weigh the
paths and determine the optimal path for the route. The optimal path depends on various parameters, which can be modified.
1. Verify that the next hop can be resolved by means of Interior Gateway Protocol (IGP).
2. Use the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. Prefer the route that was self-originated locally.
5. If the local preferences are the same, prefer the path with the shortest AS-path. An AS-SET counts as 1. A confederation
path length, if present, is not counted as part of the path length.
The as-path-ignore command disables the comparison of the AS path lengths of otherwise equal paths.
NOTE
This step can be skipped if the as-path-ignore command is configured.
6. If the AS-path lengths are the same, prefer the path with the lowest origin type. From low to high, route origin types are
valued as follows:
• IGP is lowest.
• EGP is higher than IGP but lower than INCOMPLETE.
• INCOMPLETE is highest.
7. If the paths have the same origin type, prefer the path with the lowest MED.
The device compares the MEDs of two otherwise equivalent paths if and only if the routes were learned from the same
neighboring AS. This behavior is called deterministic MED. Deterministic MED is always enabled and cannot be disabled.
To ensure that the MEDs are always compared, regardless of the AS information in the paths, the always-compare-med
command can be used. This option is disabled by default.
The med-missing-as-worst command can be used to make the device regard a BGP4 route with a missing MED
attribute as the least-favorable path when the MEDs of the route paths are compared.
MED comparison is not performed for internal routes that originate within the local AS or confederation, unless the
compare-med-empty-aspath command is configured.
8. Prefer paths in the following order:
• Routes received through eBGP from a BGP4 neighbor outside of the confederation
• Routes received through eBGP from a BGP4 device within the confederation or routes received through iBGP.
9. If all the comparisons above are equal, prefer the route with the lowest IGP metric to the BGP4 next hop. This is the
closest internal path inside the AS to reach the destination.
10. If the internal paths also are the same and BGP4 load sharing is enabled, load-share among the paths. Otherwise go to
Step 11.
NOTE
For eBGP routes, load sharing applies only when the paths are from neighbors within the same remote AS.
eBGP paths from neighbors in different ASs are not compared, unless multipath multi-as is enabled.
11. If compare-routerid is enabled, prefer the path that comes from the BGP4 device with the lowest device ID. If a path
contains originator ID attributes, then the originator ID is substituted for the router ID in the decision.
12. Prefer the path with the minimum cluster-list length.
13. Prefer the route that comes from the lowest BGP4 neighbor address.
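The decision steps above, as an added Python example (not FastIron code or output): it compares constructed paths to one prefix in the order of steps 1 through 13 and reports which step decided. The Path and Config field names, the sample addresses and ASNs, the treatment of a missing MED as 0 when med-missing-as-worst is off, and the pairwise reduction are assumptions of this example; step 10 (load sharing) and confederation path segments are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}  # step 6: lowest wins
MED_WORST = 2**32 - 1  # value given to a missing MED under med-missing-as-worst


@dataclass
class Path:  # hypothetical record for one path to a prefix
    neighbor: str  # address of the BGP4 neighbor (step 13)
    router_id: str  # device ID of that neighbor (step 11)
    as_path: tuple = ()  # ASNs; an AS-SET is one frozenset element, so it counts as 1
    next_hop_resolved: bool = True
    weight: int = 0
    local_pref: int = 100
    self_originated: bool = False
    origin: str = "IGP"
    med: Optional[int] = None
    external: bool = True  # eBGP from outside the confederation (step 8)
    igp_metric: int = 0
    originator_id: Optional[str] = None
    cluster_list_len: int = 0


@dataclass
class Config:  # flags named after the commands on this page
    as_path_ignore: bool = False
    always_compare_med: bool = False
    med_missing_as_worst: bool = False
    compare_med_empty_aspath: bool = False
    compare_routerid: bool = False


def _med(path, cfg):
    if path.med is None:  # assumption: a missing MED is 0 unless med-missing-as-worst
        return MED_WORST if cfg.med_missing_as_worst else 0
    return path.med


def _med_comparable(a, b, cfg):
    if not a.as_path or not b.as_path:  # internal route with an empty AS path
        return cfg.compare_med_empty_aspath
    return cfg.always_compare_med or a.as_path[0] == b.as_path[0]


def compare(a, b, cfg):
    """Return (winner, deciding_step) for two usable paths to the same prefix."""
    def pick(step, key_a, key_b):  # lower key wins; None means the step is a tie
        if key_a == key_b:
            return None
        return (a if key_a < key_b else b, step)

    def rid(p):  # step 11: the originator ID replaces the router ID when present
        return ip_address(p.originator_id or p.router_id)

    steps = [
        lambda: pick("2 weight", -a.weight, -b.weight),
        lambda: pick("3 local-pref", -a.local_pref, -b.local_pref),
        lambda: pick("4 self-originated", not a.self_originated, not b.self_originated),
        lambda: None if cfg.as_path_ignore
        else pick("5 as-path length", len(a.as_path), len(b.as_path)),
        lambda: pick("6 origin", ORIGIN_RANK[a.origin], ORIGIN_RANK[b.origin]),
        lambda: pick("7 med", _med(a, cfg), _med(b, cfg))
        if _med_comparable(a, b, cfg) else None,
        lambda: pick("8 ebgp over ibgp", not a.external, not b.external),
        lambda: pick("9 igp metric", a.igp_metric, b.igp_metric),
        # Step 10 (load sharing) is not modelled; continue with the tie-breakers.
        lambda: pick("11 router-id", rid(a), rid(b)) if cfg.compare_routerid else None,
        lambda: pick("12 cluster-list length", a.cluster_list_len, b.cluster_list_len),
        lambda: pick("13 neighbor address", ip_address(a.neighbor), ip_address(b.neighbor)),
    ]
    for step in steps:
        decided = step()
        if decided:
            return decided
    return (a, "identical")


def best_path(paths, cfg=None):
    """Step 1 drops paths whose next hop is unresolved; the rest are compared pairwise."""
    cfg = cfg or Config()
    usable = [p for p in paths if p.next_hop_resolved]
    if not usable:
        return (None, None)
    best, why = usable[0], "only usable path"
    for candidate in usable[1:]:
        best, why = compare(best, candidate, cfg)
    return (best, why)


# Constructed sample: three paths to one prefix (documentation addresses, private ASNs).
PATH_A = Path("192.0.2.1", "198.51.100.1", as_path=(65010, 65020), med=50)
PATH_B = Path("192.0.2.2", "198.51.100.2", as_path=(65030,))
PATH_C = Path("192.0.2.3", "198.51.100.3", as_path=(65040, 65050, 65060), local_pref=200)

if __name__ == "__main__":
    print(best_path([PATH_A, PATH_B]))
    print(best_path([PATH_A, PATH_B, PATH_C]))
```

With the default settings, PATH_C wins at step 3 even though its AS path is the longest, because local preference is evaluated before AS-path length.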
Implementation of BGP4
BGP4 is described in RFC 1771 and the latest BGP4 drafts. The Ruckus BGP4 implementation fully complies with RFC 1771.
Ruckus BGP4 implementation also supports the following RFCs:
• RFC 1745 (OSPF Interactions)
• RFC 1997 (BGP Communities Attributes)
• RFC 2385 (TCP MD5 Signature Option)
• RFC 2439 (Route Flap Dampening)
• RFC 2796 (Route Reflection)
• RFC 2842 (Capability Advertisement)
• RFC 3065 (BGP4 Confederations)
Device ID
BGP automatically calculates the device identifier it uses to specify the origin in routes it advertises. If a router-id configuration is
already present in the system, then device-id is used as the router-id. Otherwise, the device first checks for a loopback interface,
and the IP address configured on that interface is chosen as the device-id. However, if a loopback interface is not configured, the
device-id is chosen from the lowest-numbered IP interface address configured on the device. Once the device-id is chosen, the device
identifier is not recalculated unless the IP address configured above is deleted.
After entering the router bgp command, you are in BGP global configuration mode.
Commands entered in BGP global configuration mode apply to the IPv4 unicast address family. Where relevant, this chapter
discusses and provides IPv4-unicast-specific examples. You must first configure IPv4 unicast routing for any IPv4 routing protocol
to be active.
NOTE
Use well-known private ASNs in the range from 64512 through 65535 if the AS number of the organization is not known.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
Neighbor configuration
For each neighbor a device is going to peer with, there must be a neighbor configuration that specifies an IP address (which must
be the primary IP address of the interface for the connection to be established) and an AS number of the neighbor. For each neighbor, you
can specify a set of attributes. However, in cases where a set of neighbors share the same set of attributes, it is advisable to
create a peer-group.
Commands entered in BGP global configuration mode apply to the IPv4 unicast address family. Where relevant, this chapter
discusses and provides IPv4-unicast-specific examples. You must first configure IPv4 unicast routing for any IPv4 routing protocol
to be active.
The following neighbor configuration options are allowed under BGP global configuration mode:
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the neighbor remote-as command, and specify an IP address, to specify the ASN in which the remote neighbor
resides.
Peer groups
Neighbors having the same attributes and parameters can be grouped together by means of the neighbor peer-group
command. You must first create a peer-group, after which you can associate neighbor IP addresses with the peer-group. All of
the attributes that are allowed on a neighbor are also allowed on a peer-group.
An attribute value configured explicitly for a neighbor takes precedence over the attribute value configured for a peer-group. If
neither the peer-group nor the individual neighbor has the attribute configured, the default value for the attribute is used.
For the parameters of a peer group to take effect, the peer group must be activated in the IPv4 or IPv6 address-family. By default,
only the IPv4 unicast address family is activated for a peer-group. A user needs to explicitly activate a peer-group in the IPv6 unicast
address-family configuration mode when used with IPv6 peers.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
5. Enter the neighbor peer-group-name remote-as command to specify the ASN of the peer group.
6. Enter the neighbor ip-address peer-group command to associate a neighbor with the peer group.
7. Enter the neighbor ip-address peer-group command to associate another neighbor with the peer group.
The following example creates a peer group and specifies two neighbors to belong to the peer group.
The default route must be present in the local IPv4 route table.
3. Enter the default-information-originate command to advertise the default IPv4 route to all BGP4 neighbors and to
install that route in the local BGP4 route table.
device(config-bgp-router)# default-information-originate
The following example enables a BGP4 device to advertise the default IPv4 route to all BGP4 neighbors and to install that route in
the local BGP4 route table.
Four-byte AS numbers
Four-byte autonomous system numbers (ASNs) can be optionally configured on a device, peer-group, or neighbor. If this is
enabled, the device announces and negotiates "AS4" capability with its neighbors.
You can configure AS4 capability to be enabled or disabled either at the BGP global level or at the neighbor or peer-group level.
You can configure AS4 capability to be enabled for a neighbor while still keeping AS4 numbers disabled at the global level, or
vice-versa. The neighbor AS4 capability configuration takes precedence. If AS4 capability is not configured on the neighbor, then
the peer-group configuration takes effect. The global configuration is used if AS4 capability is configured neither at the neighbor
nor at the peer-group level. If a device having a 4-byte ASN tries to connect to a device that does not have AS4 support, peering
will not be established.
When you enable cooperative filtering, the device advertises this capability in its Open message to the neighbor when initiating
the neighbor session. The Open message also indicates whether the device is configured to send filters, receive filters, or both,
and the types of filters it can send or receive. The device sends the filters as Outbound Route Filters (ORFs) in route refresh
messages.
To configure cooperative filtering, perform the following tasks on the device and on the BGP4 neighbor:
• Configure the filter.
NOTE
Cooperative filtering is currently supported only for filters configured using IP prefix lists.
NOTE
If the device has inbound filters, the filters are still processed even if equivalent filters have been sent as ORFs to the
neighbor.
BGP4 parameters
Some parameter changes take effect immediately while others do not take full effect until the device sessions with its neighbors
are reset. Some parameters do not take effect until the device is rebooted.
• Require the first AS in an update from an EBGP neighbor to be the neighbor AS.
• Change MED comparison parameters.
• Disable comparison of the AS-Path length.
• Enable comparison of the device ID.
• Enable next-hop recursion.
• Change the default metric.
• Disable or re-enable route reflection.
• Configure confederation parameters.
• Disable or re-enable load sharing.
• Change the maximum number of load sharing paths.
• Change other load-sharing parameters.
• Define route flap dampening parameters.
• Add, change, or negate redistribution parameters (except changing the default MED).
• Add, change, or negate route maps (when used by the network command or a redistribution command).
• Apply maximum AS path limit settings for UPDATE messages.
• Aggregate routes
The following parameter changes take effect only after the BGP4 sessions on the device are cleared, or reset using the "soft"
clear option:
• Change the Hold Time or Keep Alive Time.
• Aggregate routes
• Add, change, or negate filter tables that affect inbound and outbound route policies.
• Apply maximum AS path limit settings to the RIB.
The following parameter change takes effect only after you disable and then re-enable redistribution:
• Change the default MED (metric).
Route redistribution
The redistribution of static, connected, RIP, and OSPF routes into BGP is supported. Similarly, routes learned through BGP can
also be redistributed into OSPF.
An optional route-map can be specified, and this map will be consulted before routes are added to BGP. Management routes are
not redistributed.
3. Enter the redistribute command using the connected keyword to redistribute connected routes.
Advertised networks
As previously described, you can advertise routes into BGP by redistributing static, connected, RIP, or OSPF routes.
However, you can explicitly specify routes to be advertised by BGP4 by using the network command in BGP global configuration
mode.
With the exception of static network routes, the routing table must have this route already installed before BGP4 can advertise
this route. You can also specify a route to be local. If the same route is received by means of eBGP, the local IGP route will be
preferred. You can also specify a weight that the device adds to routes that are received from the specified BGP neighbor. BGP4
prefers larger weights over smaller weights.
Refer to the Ruckus FastIron Command Reference for configuration examples and more information.
With the exception of static network routes, the routes imported into BGP4 must first exist in the IPv4 unicast route table.
3. Enter the neighbor remote-as command to specify the ASN in which the remote neighbor resides.
4. Enter the network command and specify a network/mask to import the specified prefix into the BGP4 database.
The following example imports the 10.1.1.1/32 prefix into the BGP4 database for advertising.
Route reflection
A BGP device can act as a route-reflector client or as a route reflector. On the device that is going to reflect the routes and act
as the route reflector, you can configure a BGP peer as a route-reflector client using the neighbor route-reflector-client
command.
When there is more than one route reflector, they should all belong to the same cluster. By default, the device ID is
used as the cluster ID. The cluster ID can be changed using the cluster-id command.
If route-reflector clients are connected in a full iBGP mesh, you can disable client-to-client reflection on the route reflector using
the no client-to-client-reflection command.
A BGP device advertises only those routes that are preferred ones and are installed into the Routing Table Manager (RTM). When
a route cannot be installed into the RTM because the routing table is full, the route reflector may not reflect that route. In cases
where the route reflector is not placed directly in the forwarding path, you can configure the route reflector to reflect routes even
though those routes are not in the RTM using the always-propagate command.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the cluster-id command and specify a value to change the cluster ID of a device from the default device ID.
The following example changes the cluster ID of a device from the default device ID to 321.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the neighbor route-reflector-client command to configure a specified neighbor to be a route reflector client.
The following example configures a neighbor with the IPv4 address 10.1.1.1 to be a route reflector client.
Frequent route state changes can cause Internet instability and add processing overhead to the devices that support the route.
Route flap dampening helps reduce the impact of route flap by changing the way a BGP4 device responds to route state changes.
When route flap dampening is configured, the device suppresses unstable routes until the number of route state changes drops
enough to meet an acceptable degree of stability.
Route flap dampening is disabled by default. You can enable the feature globally or on an individual route basis using route
maps.
NOTE
The device applies route flap dampening only to routes learned from eBGP neighbors.
The route flap dampening mechanism is based on penalties. When a route exceeds a configured penalty value, the device stops
using that route and stops advertising it to other devices. The mechanism also allows route penalties to reduce over time if route
stability improves.
3. Enter the aggregate-address command to aggregate the routes from a range of networks into a single network prefix.
The following example enables a BGP4 device to advertise the default route and send the default route to a specified neighbor.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the neighbor default-originate command and specify an IP address to enable the BGP4 device to advertise the
default IPv4 route to a specific neighbor.
The following example enables a BGP4 device to advertise the default IPv4 route to a specific neighbor.
By default, when BGP4 multipath load sharing is enabled, both iBGP and eBGP paths are eligible for load sharing, while paths
from different neighboring autonomous systems are not eligible. You can change load sharing to apply only to iBGP or eBGP
paths, or to support load sharing among paths from different neighboring autonomous systems.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the neighbor weight command and specify an IP address and a weight value to specify a weight that the device
adds to routes that are received from the specified BGP4 neighbor.
The following example specifies a weight of 100 that the device adds to routes that are received from the specified BGP4
neighbor.
By default, a device does not use a default route to resolve a BGP4 next-hop route. If the IPv4 route lookup for the BGP4 next-
hop does not result in a valid IGP route (including static or direct routes), the BGP4 next-hop is considered to be unreachable and
the BGP4 route is not used. You can configure the device to use the default route as a valid next hop.
1. Enter the configure terminal command to access global configuration mode.
3. Enter the next-hop-enable-default command to configure the device to use the default route as a valid next hop.
device(config-bgp-router)# next-hop-enable-default
The following example configures a BGP4 device to use the default route as a valid next hop.
Next-hop recursion
For each BGP4 route learned, the device performs a route lookup to obtain the IPv4 address of the next hop for the route. A
BGP4 route is eligible for addition in the IPv4 route table only if the following conditions are true:
• The lookup succeeds in obtaining a valid next-hop IPv4 address for the route.
• The path to the next-hop IP address is an IGP path or a static route path.
By default, only one lookup is performed for the next-hop IPv4 address for the BGP4 route. If the next hop lookup does not
result in a valid next hop IPv4 address, or the path to the next hop IPv4 address is a BGP4 path, the BGP4 route destination is
considered unreachable. The route is not eligible to be added to the IPv4 route table.
The BGP4 route table can contain a route with a next hop IPv4 address that is not reachable through an IGP route, even though
the device can reach a hop farther away through an IGP route. This can occur when the IGPs do not learn a complete set of IGP
routes, so the device learns about an internal route through iBGP instead of through an IGP. In this case, the IPv4 route table
does not contain a route that can be used to reach the BGP4 route destination.
When next-hop recursion is enabled, if the lookup for the next hop IP address results in an iBGP path that originated in the same
AS, then the next hop is considered as resolved and BGP4 dependent routes are eligible for addition in the IPv4 route table.
device(config-bgp-router)# next-hop-recursion
Route filtering
The following route filters are supported:
• AS-path filter
• Community filter
• Prefix list
• Route map
• Table map
NOTE
Support for access lists in route filtering is not available, and has been replaced by prefix-list filtering. BGP does not use
community and extended-community filters directly. Rather, it uses them indirectly through route-map filtering by
means of the route-map command.
NOTE
The ip-extcommunity-list command now supports a range of extended instances, from 100 through 500, beyond the
standard range of 1 through 99.
.
    Matches any single character.
    Example: 0.0 matches 0x0 and 020. t..t matches strings such as test, text, and tart.
\
    Matches the character following the backslash. Also matches (escapes) special characters.
    Example: 172\.1\.. matches 172.1.10.10 but not 172.12.0.0. \. allows a period to be matched as a period.
[]
    Matches the characters or a range of characters separated by a hyphen, within left and right square brackets.
    Example: [02468a-z] matches 0, 4, and w, but not 1, 9, or K.
^
    Matches the character or null string at the beginning of an input string.
    Example: ^123 matches 1234, but not 01234.
?
    Matches zero or one occurrence of the pattern. (Precede the question mark with Ctrl-V sequence to prevent it from being
    interpreted as a help command.)
    Example: ba?b matches bb and bab.
$
    Matches the character or null string at the end of an input string.
    Example: 123$ matches 0123, but not 1234.
*
    Matches zero or more sequences of the character preceding the asterisk. Also acts as a wildcard for matching any number of
    characters.
    Example: 5* matches any occurrence of the number 5 including none. 18\..* matches the characters 18. and any characters
    that follow 18.
+
    Matches one or more sequences of the character preceding the plus sign.
    Example: 8+ requires there to be at least one number 8 in the string to be matched.
() []
    Nest characters for matching. Separate endpoints of a range with a dash (-).
    Example: (17)* matches any number of the two-character string 17. ([A-Za-z][0-9])+ matches one or more instances of
    letter-digit pairs: b8 and W4, as examples.
|
    Concatenates constructs. Matches one of the characters or character patterns on either side of the vertical bar.
    Example: A(B|C)D matches ABD and ACD, but not AD, ABCD, ABBD, or ACCD.
_
    Replaces a long regular expression list by matching a comma (,), left brace ({), right brace (}), the beginning of the input
    string, the end of the input string, or a space.
    Example: The characters _1300_ can match any of the following strings: ^1300$ ^1300space space1300 {1300, ,1300, {1300} ,1300,
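The underscore entry above is the one that matters most when writing AS-path filters. The following added Python example (not device code) translates the underscore into the delimiter set the table lists and shows which constructed AS-path strings a delimited and an undelimited pattern match. The function names and sample AS paths are assumptions, as is the premise that the other operators in the table behave as they do in Python's re module.

```python
import re

# Per the table above, "_" matches a comma, "{", "}", a space,
# or the beginning or end of the input string.
UNDERSCORE = "(?:^|$|[,{} ])"


def compile_as_path_regex(pattern):
    """Translate a device-style AS-path pattern into a compiled Python regex.

    Only an unescaped underscore is rewritten; everything else is passed through
    (assumption: the remaining operators have the same meaning in Python).
    """
    return re.compile(re.sub(r"(?<!\\)_", lambda m: UNDERSCORE, pattern))


def matching_paths(pattern, as_paths):
    """Return the AS-path strings in which the pattern matches anywhere."""
    rx = compile_as_path_regex(pattern)
    return [p for p in as_paths if rx.search(p)]


def over_matches(loose, strict, as_paths):
    """Return the paths a loose pattern accepts that the strict pattern rejects."""
    strict_hits = set(matching_paths(strict, as_paths))
    return [p for p in matching_paths(loose, as_paths) if p not in strict_hits]


# Constructed AS-path strings; 1300 is the ASN used in the table's own example.
SAMPLE_PATHS = [
    "1300",                 # AS 1300 alone
    "65001 1300",           # AS 1300 is the origin (last AS)
    "1300 65002",           # AS 1300 is the neighboring (first) AS
    "65001 1300 65002",     # AS 1300 in the middle of the path
    "65001 13001",          # a different AS that starts with the digits 1300
    "21300 65002",          # a different AS that ends with the digits 1300
    "65001 {1300,65002}",   # AS 1300 inside an AS-SET
]

if __name__ == "__main__":
    for pattern in ("_1300_", "1300", "^1300_", "_1300$"):
        print(pattern, "->", matching_paths(pattern, SAMPLE_PATHS))
    print("over-matched by 1300:", over_matches("1300", "_1300_", SAMPLE_PATHS))
```

A filter written as 1300 without underscores also matches 13001 and 21300, so a policy meant for one AS silently applies to others.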
Timers
The keep alive time specifies how frequently the device sends KEEPALIVE messages to its BGP4 neighbors. The hold time
specifies how long the device waits for a KEEPALIVE or UPDATE message from a neighbor before concluding that the neighbor is
dead. When the device concludes that a BGP4 neighbor is dead, the device ends the BGP4 session and closes the TCP connection
to the neighbor.
A hold-time value of 0 means that the device waits indefinitely for messages from a neighbor without tearing down the session.
NOTE
Generally, you should set the hold time to three times the value of the keep alive time.
NOTE
You can override the global keep alive time and hold time on individual neighbors.
When the ORF feature is enabled, unwanted routing updates are filtered out, reducing the amount of system resources required
for generating and processing routing updates. The ORF feature is enabled through the advertisement of ORF capabilities to peer
routers. The locally configured BGP4 inbound prefix filters are sent to the remote peer so that the remote peer applies the filter
as an outbound filter for the neighbor.
The ORF feature can be configured with send and receive ORF capabilities. The local peer advertises the ORF capability in send
mode, indicating that it will accept a prefix list from a neighbor and apply the prefix list to locally configured ORFs. The local peer
exchanges the ORF capability in send mode with a remote peer for a prefix list that is configured as an inbound filter for that
peer locally. The remote peer only sends the first update once it receives a ROUTEREFRESH request or BGP ORF with IMMEDIATE
from the peer. The local and remote peers exchange updates to maintain the ORF on each router.
3. Enter the neighbor prefix-list command and specify the in keyword to filter the incoming route updates from a
specified BGP neighbor.
• Enter the neighbor capability orf prefixlist command and specify the receive keyword to advertise ORF receive
capabilities.
• Enter the neighbor capability orf prefixlist command to configure ORF capability in both send and receive modes.
The following example configures ORF in both send and receive modes.
NOTE
The current release supports cooperative filtering only for filters configured using IP prefix lists.
4. Enter the neighbor prefix-list command with the in parameter and specify a prefix-list to filter the incoming route
updates from the specified BGP neighbor.
5. Enter the capability orf prefixlist command with the send parameter to enable the ORF prefix list capability in send
mode.
BGP4 confederations
A large autonomous system (AS) can be divided into multiple subautonomous systems and grouped into a single BGP4
confederation.
Each subautonomous system must be uniquely identified within the confederation AS by a subautonomous system number.
Within each subautonomous system, all the rules of internal BGP (iBGP) apply. For example, all BGP routers inside the
subautonomous system must be fully meshed. Although eBGP is used between subautonomous systems, the subautonomous
systems within the confederation exchange routing information like iBGP peers. Next hop, Multi Exit Discriminator (MED), and
local preference information is preserved when crossing subautonomous system boundaries. To the outside world, a
confederation looks like a single AS.
The AS path list is a loop-avoidance mechanism used to detect routing updates leaving one subautonomous system and
attempting to re-enter the same subautonomous system. A routing update attempting to re-enter a subautonomous system it
originated from is detected because the subautonomous system sees its own subautonomous system number listed in the
update's AS path.
In this example, four devices are configured into two sub-autonomous systems, each containing two of the devices. The sub-
autonomous systems are members of confederation 10. Devices within a sub-AS must be fully meshed and communicate using
iBGP. In this example, devices A and B use iBGP to communicate. Devices C and D also use iBGP. However, the sub-autonomous
systems communicate with one another using eBGP. For example, device A communicates with device C using eBGP. The devices
in the confederation communicate with other autonomous systems using eBGP.
Devices in other autonomous systems are unaware that devices A through D are configured in a confederation. In fact, when
devices in confederation 10 send traffic to devices in other autonomous systems, the confederation ID is the same as the AS
number for the devices in the confederation. Thus, devices in other autonomous systems see traffic as coming from AS 10 and
are unaware that the devices in AS 10 are subdivided into sub-autonomous systems within a confederation.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the confederation identifier command and specify an ASN to configure a BGP confederation identifier.
5. Enter the confederation peers command and specify as many ASNs as needed to list all BGP peers that will belong to
the confederation.
The following example creates a confederation with the confederation ID “100” and adds three subautonomous systems to the
confederation.
All communities of a particular type can be filtered out, or certain values can be specified for a particular type of community. You
can also specify whether a particular community is transitive or non-transitive across an autonomous system (AS) boundary.
An extended community is an 8-octet value and provides a larger range for grouping or categorizing communities. BGP extended
community attributes are specified in RFC 4360.
You define the extended community list using the ip extcommunity-list command. The extended community can then be
matched or applied to the neighbor through the route map. The route map must be applied on the neighbor to which routes
need to carry the extended community attributes. The "send-community" should be enabled for the neighbor configuration to
start including the attributes while sending updates to the neighbor.
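As an added illustration (not part of this guide or of the FastIron software), the following Python decodes the 8-octet extended community value in the layout RFC 4360 defines, including the type-field bit that marks a community as transitive or non-transitive across an AS boundary. The sample byte strings are constructed for the example.

```python
import ipaddress
import struct

# Sub-types RFC 4360 defines for the AS-specific and IPv4-address-specific types.
SUBTYPES = {0x02: "route-target", 0x03: "route-origin"}
T_BIT = 0x40  # set in the high-order type octet = non-transitive across ASes


def decode_extcommunity(raw: bytes) -> dict:
    """Decode one 8-octet BGP extended community (RFC 4360 layout)."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    type_high, subtype = raw[0], raw[1]
    kind = type_high & 0x3F                      # strip the I and T bits
    result = {"transitive": not (type_high & T_BIT)}
    if kind == 0x00:                             # two-octet AS specific
        asn, local = struct.unpack("!HI", raw[2:])
        result.update(kind="as-specific", value=f"{asn}:{local}",
                      subtype=SUBTYPES.get(subtype, f"0x{subtype:02x}"))
    elif kind == 0x01:                           # IPv4 address specific
        addr, local = struct.unpack("!4sH", raw[2:])
        result.update(kind="ipv4-specific",
                      value=f"{ipaddress.IPv4Address(addr)}:{local}",
                      subtype=SUBTYPES.get(subtype, f"0x{subtype:02x}"))
    elif kind == 0x03:                           # opaque: 6 uninterpreted octets
        result.update(kind="opaque", value=raw[2:].hex(),
                      subtype=f"0x{subtype:02x}")
    else:                                        # types defined outside RFC 4360
        result.update(kind=f"unknown-0x{kind:02x}", value=raw[2:].hex(),
                      subtype=f"0x{subtype:02x}")
    return result


def exportable(communities):
    """Keep only the communities that may cross an AS boundary."""
    return [c for c in communities if decode_extcommunity(c)["transitive"]]


# Constructed samples: a transitive route target 65000:100, a non-transitive
# route origin 192.0.2.1:10, and a transitive opaque value.
SAMPLES = [
    bytes.fromhex("0002fde800000064"),
    bytes.fromhex("4103c0000201000a"),
    bytes.fromhex("0300aabbccddeeff"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.hex(), decode_extcommunity(sample))
    print("crosses AS boundary:", [c.hex() for c in exportable(SAMPLES)])
```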
When a BGP session is established, GR capability for BGP is negotiated by neighbors through the BGP OPEN message. If the
neighbor also advertises support for GR, GR is activated for that neighbor session. If neither peer exchanges the GR capability,
the session is not GR-capable. If the BGP session is lost, the BGP peer router, known as a GR helper, marks all routes associated
with the device as “stale” but continues to forward packets to these routes for a set period of time. The restarting device also
continues to forward packets for the duration of the graceful restart. When the graceful restart is complete, routes are obtained
from the helper so that the device is able to quickly resume full operation.
When the GR feature is configured on a device, both helper router and restarting router functionalities are supported. It is not
possible to disable helper functionality explicitly.
NOTE
BGP4 GR can be configured for a global routing instance or for a specified VRF instance.
NOTE
BGP4 GR is supported in ICX switches in a stack.
device(config-bgp-router)# no graceful-restart
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
device(config-bgp-router)# graceful-restart
• Enter the graceful-restart command using the restart-time keyword to overwrite the default restart-time
advertised to graceful restart-capable neighbors.
• Enter the graceful-restart command using the stale-routes-time keyword to overwrite the default amount of time
that a helper device will wait for an EOR message from a peer.
The following example re-enables the GR feature and sets the purge time to 120 seconds, overwriting the default value.
The following example re-enables the GR feature and sets the restart time to 180 seconds, overwriting the default value.
The following example re-enables the GR feature and sets the stale-routes time to 100 seconds, overwriting the default value.
Use the clear ip bgp neighbor command with the all parameter for the changes to the GR parameters to take effect
immediately.
GTSM is enabled by configuring a minimum Time To Live (TTL) value for incoming IP packets received from a specific eBGP peer.
BGP establishes and maintains the session only if the TTL value in the IP packet header is equal to or greater than the TTL value
configured for the peering session. If the value is less than the configured value, the packet is silently discarded and no Internet
Control Message Protocol (ICMP) message is generated.
When GTSM protection is enabled, BGP control packets sent by the device to a neighbor have a Time To Live (TTL) value of 255. In
addition, the device expects the BGP control packets received from the neighbor to have a TTL value of either 254 or 255. For
multihop peers, the device expects the TTL for BGP control packets received from the neighbor to be greater than or equal to
255 minus the configured number of hops to the neighbor. If the BGP control packets received from the neighbor do not have
the anticipated value, the device drops them.
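The acceptance rule described above can be modelled as follows. This is an added example, not code from the device, and it shows why a packet that has crossed more routers than the session allows can never carry an acceptable TTL. The multihop peer 10.20.20.1, its hop count, and the packet records are constructed for the example.

```python
MAX_TTL = 255  # TTL the device sets on BGP control packets when GTSM is enabled


def min_expected_ttl(multihop_hops=None):
    """Lowest TTL accepted from a peer; None means a directly connected peer."""
    if multihop_hops is None:
        return 254                       # direct peers: 254 or 255 is expected
    if not 1 <= multihop_hops <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - multihop_hops       # multihop peers: 255 minus hop count


def gtsm_accept(ttl, multihop_hops=None):
    """True if a received BGP control packet passes the GTSM TTL check."""
    return min_expected_ttl(multihop_hops) <= ttl <= MAX_TTL


def max_arrival_ttl(routers_crossed):
    """Highest TTL a packet can still carry after crossing that many routers,
    because every router on the path decrements the TTL by one."""
    return MAX_TTL - routers_crossed


def classify(peers, packets):
    """Split (source, ttl) records into accepted and silently dropped lists."""
    accepted, dropped = [], []
    for src, ttl in packets:
        # Sources without a configured session are dropped in this model.
        if src in peers and gtsm_accept(ttl, peers[src]):
            accepted.append((src, ttl))
        else:
            dropped.append((src, ttl))
    return accepted, dropped


# Constructed peer table: value is the configured hop count, None = direct peer.
PEERS = {"10.10.10.1": None, "10.20.20.1": 3}

# Constructed packet records (claimed source address, TTL on arrival).
PACKETS = [
    ("10.10.10.1", 255),   # direct peer, expected value
    ("10.10.10.1", 254),   # direct peer, expected value
    ("10.10.10.1", 249),   # claims the direct peer's address but crossed 6 routers
    ("10.20.20.1", 252),   # multihop peer at the 3-hop limit
    ("10.20.20.1", 251),   # one hop farther than configured
]

if __name__ == "__main__":
    ok, bad = classify(PEERS, PACKETS)
    print("accepted:", ok)
    print("dropped: ", bad)
```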
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
The following example enables GTSM between a device and a neighbor with the IP address 10.10.10.1.
3. Enter the neighbor allowas-in command and specify a number to disable the BGP AS_PATH check function, and specify
the number of times that the AS path of a received route may contain the recipient BGP speaker's AS number and still
be accepted.
The following example specifies that the AS path of a received route may contain the recipient BGP speaker's AS number three
times and still be accepted.
2. Enter the route-map command using the permit parameter and specifying a route map name to create a route map
instance and allow a matching pattern.
3. Enter the match command with the ip address parameter. Specify a prefix list using the ip prefix-list string parameter
to configure the route map to match on the specified prefix.
The following example configures a route map instance that matches on a specified destination network.
2. Enter the route-map command using the permit parameter and specifying a route map name to create a route map
instance and allow a matching pattern.
3. Enter the match command, using the next-hop parameter and specify a prefix-list, to match IP next-hop match
conditions for a specified prefix list in a route-map instance.
The following example configures a route map and specifies a prefix list to match on a next-hop device.
The continue statement in a matching instance initiates another traversal at the instance specified. The system records all of the
matched instances and, if no deny statements are encountered, proceeds to execute the set clauses of the matched instances.
If the system scans all route-map instances but finds no matches, or if a deny condition is encountered, then it does not update
the routes. Whenever a matched instance contains a deny statement, the current traversal terminates, and none of the updates
specified in the set statements of the matched instances in both current and previous traversals are applied to the routes.
This supports a more programmable route-map configuration and route filtering scheme for BGP4 peering. It can also execute
additional instances in a route map after an instance is executed by means of successful match statements. You can configure
and organize more-modular policy definitions to reduce the number of instances that are repeated within the same route map.
This feature currently applies to BGP4 routes only. For protocols other than BGP4, continue statements are ignored.
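The traversal rules above, as an added Python model (not the device's implementation): matched permit instances are recorded, a continue statement starts a new traversal at the named instance, and a matching deny instance discards every recorded set clause. The route map, routes and community value are constructed. The model assumes that a continue target must have a higher sequence number and that a continued traversal which finds no further match leaves the already recorded set clauses in force; the guide does not spell out either point.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Instance:
    seq: int
    action: str                                  # "permit" or "deny"
    match: Callable[[dict], bool]
    sets: dict = field(default_factory=dict)     # attributes the set clauses write
    continue_to: Optional[int] = None            # instance named by "continue"


def evaluate(route_map, route):
    """Return (resulting route, sequence numbers that matched, updated?)."""
    instances = sorted(route_map, key=lambda i: i.seq)
    matched, start = [], 0
    while start is not None:
        # One traversal: the first instance at or after `start` that matches.
        hit = next((i for i in instances
                    if i.seq >= start and i.match(route)), None)
        if hit is None:
            break
        if hit.action == "deny":
            # Deny ends the traversal; nothing recorded so far is applied.
            return dict(route), [m.seq for m in matched] + [hit.seq], False
        matched.append(hit)
        # Assumption: continue only points forward, so evaluation terminates.
        forward = hit.continue_to is not None and hit.continue_to > hit.seq
        start = hit.continue_to if forward else None
    if not matched:
        return dict(route), [], False            # no match: route is not updated
    updated = dict(route)
    for inst in matched:                         # apply set clauses in match order
        updated.update(inst.sets)
    return updated, [m.seq for m in matched], True


def in_prefix(block):
    """Match helper: the route's prefix falls inside the given block."""
    net = ipaddress.ip_network(block)
    return lambda r: ipaddress.ip_network(r["prefix"]).subnet_of(net)


# Constructed route map with four instances.
ROUTE_MAP = [
    Instance(10, "permit", in_prefix("10.0.0.0/8"), {"local_pref": 200}, 30),
    Instance(20, "permit", in_prefix("192.168.0.0/16"), {"med": 50}),
    Instance(30, "deny", lambda r: "65000:999" in r["communities"]),
    Instance(40, "permit", lambda r: len(r["as_path"]) > 2, {"weight": 100}),
]

# Constructed routes.
R_CONTINUE = {"prefix": "10.1.0.0/16", "communities": [],
              "as_path": [65001, 65002, 65003]}
R_DENIED = {"prefix": "10.1.0.0/16", "communities": ["65000:999"],
            "as_path": [65001, 65002, 65003]}
R_SINGLE = {"prefix": "192.168.5.0/24", "communities": [], "as_path": [65001]}
R_NOMATCH = {"prefix": "172.16.0.0/16", "communities": [], "as_path": [65001]}

if __name__ == "__main__":
    for r in (R_CONTINUE, R_DENIED, R_SINGLE, R_NOMATCH):
        print(evaluate(ROUTE_MAP, r))
```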
This information can be useful if you are working with Ruckus Technical Support to resolve a problem. The buffers do not identify
the system time when the data was written to the buffer. If you want to ensure that diagnostic data in a buffer is recent, you can
clear the buffers. You can clear the buffers for a specific neighbor or for all neighbors.
If you clear the buffer containing the first 400 bytes of the last packet that contained errors, all the bytes are changed to zeros.
The Last Connection Reset Reason field of the BGP4 neighbor table also is cleared.
If you clear the buffer containing the last NOTIFICATION message sent or received, the buffer contains no data.
You can clear the buffers for all neighbors, for an individual neighbor, or for all the neighbors within a specific peer group.
Use one or more of the following commands to verify BGP4 information. The commands do not have to be entered in this order.
1. Enter the show ip bgp summary command.
BGP4 Summary
Router ID: 7.7.7.7 Local AS Number: 100
Confederation Identifier: not configured
Confederation Peers:
Maximum Number of IP ECMP Paths Supported for Load Sharing: 1
Number of Neighbors Configured: 1, UP: 1
Number of Routes Installed: 0
Number of Routes Advertising to All Neighbors: 0 (0 entries)
Number of Attribute Entries Installed: 0
'+': Data in InQueue '>': Data in OutQueue '-': Clearing
'*': Update Policy 'c': Group change 'p': Group change Pending
'r': Restarting 's': Stale '^': Up before Restart '<': EOR waiting
Neighbor Address AS# State Time Rt:Accepted Filtered Sent ToSend
10.1.1.8 100 ESTAB 0h 9m16s 0 0 0 0
This example shows information about one route-attribute entry that is stored in device memory.
5. Enter the show ip bgp peer-group command.
1 BGP peer-group is pg
Description: peer group abc
SendCommunity: yes
NextHopSelf: yes
DefaultOriginate: yes
Members:
IP Address: 10.168.10.10, AS: 65111
This example shows output for one BGP peer group, called “pg1”.
6. Enter the show ip bgp routes command using the summary keyword.
Use one or more of the following commands to verify BGP4 neighbor information. The commands do not have to be entered in
this order.
This example shows information about all the routes the BGP4 networking device advertised to the neighbor.
This example lists all route information received in route updates from BGP4 neighbors of the device since the soft-
reconfiguration feature was enabled.
BGP4+ overview
The implementation of IPv6 supports multiprotocol BGP (MBGP) extensions that allow Border Gateway Protocol version 4 plus
(BGP4+) to distribute routing information. BGP4+ supports all of the same features and functionality as IPv4 BGP (BGP4).
NOTE
The implementation of BGP4+ supports the advertising of routes among different address families. However, it
supports BGP4+ unicast routes only; it does not currently support BGP4+ multicast routes.
NOTE
ICX 7150 devices do not support BGP4+.
device(config-bgp-router)# ?
Possible completions:
The following neighbor configuration options are allowed under BGP global configuration mode:
Possible completions:
activate Allow exchange of route in the current family mode
advertisement-interval Minimum interval between sending BGP routing updates
capability Advertise capability to the peer
description Neighbor by description
ebgp-btsh Enable EBGP TTL Security Hack Protection
ebgp-multihop Allow EBGP neighbors not on directly connected
networks
enforce-first-as Enforce the first AS for EBGP routes
local-as Assign local-as number to neighbor
maxas-limit Impose limit on number of ASes in AS-PATH attribute
next-hop-self Disable the next hop calculation for this neighbor
password Enable TCP-MD5 password protection
peer-group Assign peer-group to neighbor
remote-as Specify a BGP neighbor
You can generate a configuration for BGP4+ unicast routes that is separate and distinct from configurations for IPv4 unicast
routes.
The commands that you can access while at the IPv6 unicast address family configuration level are also available at the IPv4
unicast address family configuration levels. Each address family configuration level allows you to access commands that apply to
that particular address family only.
Where relevant, this chapter discusses and provides IPv6-unicast-specific examples. You must first configure IPv6 unicast routing
for any IPv6 routing protocol to be active.
The following configuration options are allowed under BGP IPv6 address family unicast mode:
device(config-bgp-ipv6u)# ?
Possible completions:
The following neighbor configuration options are allowed under BGP IPv6 address family unicast mode:
Possible completions:
activate Allow exchange of route in the current family mode
advertisement-interval Minimum interval between sending BGP routing updates
allowas-in Accept as-path with my AS present in it
as-override Override matching AS-number while sending update
capability Advertise capability to the peer
default-originate Originate default route to peer
description Neighbor by description
ebgp-btsh Enable EBGP TTL Security Hack Protection
BGP4+ neighbors
BGP4+ neighbors can be configured using link-local addresses or global addresses.
BGP4+ neighbors can be created using link-local addresses for peers in the same link. For link-local peers, the neighbor interface
over which the neighbor and local device exchange prefixes is specified through the neighbor update-source command, and a
route map is configured to set up a global next hop for packets destined for the neighbor.
To configure BGP4+ neighbors that use link-local addresses, you must do the following:
• Add the IPv6 address of a neighbor in a remote autonomous system (AS) to the BGP4+ neighbor table of the local
device.
• Identify the neighbor interface over which the neighbor and local device will exchange prefixes using the neighbor
update-source command.
• Configure a route map to set up a global next hop for packets destined for the neighbor.
The neighbor should be activated in the IPv6 address family configuration mode using the neighbor activate command.
BGP4+ neighbors can also be configured using a global address. The global IPv6 address of a neighbor in a remote AS must be
added, and the neighbor should be activated in the IPv6 address family configuration mode using the neighbor activate
command.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the neighbor remote-as command, specifying an IPv6 address, to specify the ASN in which the remote neighbor
resides.
5. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
6. Enter the neighbor activate command to enable the exchange of information with the neighbor.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the neighbor remote-as command, specifying an IPv6 address, to specify the ASN in which the remote neighbor
resides.
6. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
7. Enter the neighbor activate command to enable the exchange of information with the neighbor.
8. Enter the neighbor route-map command and specify the out keyword to apply a route map to outgoing routes.
9. Enter the exit command until you return to global configuration mode.
device(config-bgp-ipv6u)# exit
10. Enter the route-map name permit command to define the route map and enter route map configuration mode.
11. Enter the set ipv6 next-hop command and specify an IPv6 address to set the IPv6 address of the next hop.
The following example configures a neighbor using a link-local address and configures a route map to set up a global next hop
for packets destined for the neighbor.
You must first create a peer group, after which you can associate neighbor IPv6 addresses with the peer group. All of the
attributes that are allowed on a neighbor are allowed on a peer group as well.
BGP4+ peers and peer groups are activated in the IPv6 address family configuration mode to establish the BGP4+ peering
sessions.
An attribute value configured explicitly for a neighbor takes precedence over the attribute value configured on the peer group. In
the case where neither the peer group nor the individual neighbor has the attribute configured, the default value for the
attribute is used.
NOTE
BGP4 neighbors are established and the prefixes are advertised using the neighbor IP address remote-as command in
router BGP mode. However, when establishing BGP4+ peer sessions and exchanging IPv6 prefixes, neighbors must also
be activated using the neighbor IPv6 address activate command in IPv6 address family configuration mode.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
5. Enter the neighbor remote-as command, specifying a peer group, to specify the ASN of the peer group.
6. Enter the neighbor peer-group command to associate a neighbor with the peer group.
7. Enter the neighbor peer-group command to associate another neighbor with the peer group.
8. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
9. Enter the neighbor activate command to establish an IPv6 BGP session with the peer group.
The following example creates a peer group, specifying two neighbors to belong to the peer group, and activates the peer group.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the neighbor peer-group command, specifying a peer group, to create a peer group.
5. Enter the neighbor remote-as command to specify the ASN of the peer group.
6. Enter the neighbor peer-group command, specifying an IPv6 address, to associate a neighbor with the peer group.
7. Enter the neighbor peer-group command, specifying a different IPv6 address, to associate another neighbor with the
peer group.
8. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
9. Enter the neighbor activate command to establish an IPv6 BGP session with the peer group.
The following example creates a peer group with both IPv6 and IPv4 peers and activates the peer group in the IPv6 address
family.
The routes imported into BGP4+ must first exist in the IPv6 unicast route table.
3. Enter the neighbor remote-as command, specifying an IPv6 address, to specify the ASN in which the remote neighbor
resides.
4. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
5. Enter the network command and specify a network/mask to import the specified prefix into the BGP4+ database.
The following example imports the 2001:db8::/32 prefix into the BGP4+ database for advertising.
The default route must be present in the local IPv6 route table.
3. Enter the address-family ipv6 unicast command to enter IPv6 address family unicast configuration mode.
4. Enter the default-information-originate command to advertise the default IPv6 route to all BGP4+ neighbors and to
install that route in the local BGP4+ route table.
device(config-bgp-ipv6u)# default-information-originate
The following example enables a BGP4+ device to advertise the default IPv6 route to all BGP4+ neighbors and to install that route
in the local BGP4+ route table.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
5. Enter the neighbor default-originate command and specify an IPv6 address to enable the BGP4+ device to advertise
the default IPv6 route to a specific neighbor.
The following example enables a BGP4+ device to advertise the default IPv6 route to a specific neighbor.
By default, a device does not use a default route to resolve a BGP4+ next-hop route. If the IPv6 route lookup for the BGP4+ next-
hop does not result in a valid IGP route (including static or direct routes), the BGP4+ next-hop is considered to be unreachable
and the BGP4+ route is not used. You can configure the device to use the default route as a valid next hop.
3. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
4. Enter the next-hop-enable-default command to configure the device to use the default route as a valid next hop.
device(config-bgp-ipv6u)# next-hop-enable-default
The following example configures a BGP4+ device to use the default route as a valid next hop.
For each BGP4+ route learned, the device performs a route lookup to obtain the IPv6 address of the next hop for the route. A
BGP4+ route is eligible for addition in the IPv6 route table only if the following conditions are true:
• The lookup succeeds in obtaining a valid next-hop IPv6 address for the route.
• The path to the next-hop IPv6 address is an IGP path or a static route path.
By default, the software performs only one lookup for the next-hop IPv6 address for the BGP4+ route. If the next hop lookup
does not result in a valid next hop IPv6 address, or the path to the next hop IPv6 address is a BGP4+ path, the BGP4+ route
destination is considered unreachable. The route is not eligible to be added to the IPv6 route table.
The BGP4+ route table can contain a route with a next hop IPv6 address that is not reachable through an IGP route, even though
the device can reach a hop farther away through an IGP route. This can occur when the IGPs do not learn a complete set of IGP
routes, so the device learns about an internal route through IBGP instead of through an IGP. In this case, the IPv6 route table will
not contain a route that can be used to reach the BGP4+ route destination.
To enable the device to find the IGP route to the next-hop gateway for a BGP4+ route, enable recursive next-hop lookups. With
this feature enabled, if the first lookup for a BGP4+ route results in an IBGP path that originated within the same AS, rather than
an IGP path or static route path, the device performs a lookup on the next hop IPv6 address for the next hop gateway. If this
second lookup results in an IGP path, the software considers the BGP4+ route to be valid and adds it to the IPv6 route table.
Otherwise, the device performs another lookup on the next hop IPv6 address of the next hop for the next hop gateway, and so
on, until one of the lookups results in an IGP route.
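The next-hop resolution described in the two passages above (the default route as a valid next hop, and recursive next-hop lookups) can be modelled as follows. This is an added Python example, not the device's code. The route table is constructed, and the recursion depth limit is an assumption added so that a cyclic table terminates.

```python
import ipaddress

# Path types the guide accepts as resolving a next hop:
# IGP, static and direct (connected) routes.
RESOLVING = {"ospf", "rip", "static", "connected"}


def longest_match(table, addr, allow_default):
    """Longest-prefix match; ::/0 is skipped unless allow_default is set."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, proto, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proto, next_hop)
    return best


def resolve_next_hop(table, next_hop, recursive=False,
                     allow_default=False, max_depth=8):
    """Return (reachable?, chain of (prefix, protocol) lookups performed).

    recursive     models next-hop-recursion
    allow_default models next-hop-enable-default
    max_depth     is an assumed guard against lookup loops
    """
    chain, current = [], next_hop
    for _ in range(max_depth):
        entry = longest_match(table, current, allow_default)
        if entry is None:
            return False, chain              # no route to the next hop
        net, proto, via = entry
        chain.append((str(net), proto))
        if proto in RESOLVING:
            return True, chain               # IGP or static path found
        if not recursive or via is None:
            return False, chain              # BGP path and only one lookup
        current = via                        # look up the next hop's next hop
    return False, chain                      # depth limit reached


# Constructed IPv6 route table: (prefix, protocol, next hop).
TABLE = [
    ("2001:db8:a::/48", "ibgp", "2001:db8:b::1"),
    ("2001:db8:b::/48", "ibgp", "2001:db8:c::1"),
    ("2001:db8:c::/48", "ospf", None),
    ("::/0", "static", None),
]

# Constructed table whose two IBGP routes point at each other.
LOOP_TABLE = [
    ("2001:db8:1::/48", "ibgp", "2001:db8:2::1"),
    ("2001:db8:2::/48", "ibgp", "2001:db8:1::1"),
]

if __name__ == "__main__":
    print(resolve_next_hop(TABLE, "2001:db8:a::1"))
    print(resolve_next_hop(TABLE, "2001:db8:a::1", recursive=True))
    print(resolve_next_hop(TABLE, "2001:db8:dead::1"))
    print(resolve_next_hop(TABLE, "2001:db8:dead::1", allow_default=True))
```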
You must configure a static route or use an IGP to learn the route to the EBGP multihop peer.
3. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
device(config-bgp-ipv6u)# next-hop-recursion
Multiprotocol BGP (MBGP) is an extension to BGP that enables BGP to carry routing information for multiple address families.
MP_REACH_NLRI and MP_UNREACH_NLRI are optional and non-transitive, so that a BGP4+ speaker that does not support the
multiprotocol capabilities ignores the information carried in these attributes, and does not pass it to other BGP4+ speakers. A
BGP speaker that uses multiprotocol extensions for IPv6 uses the capability advertisement procedures to determine whether the
speaker can use multiprotocol extensions with a particular peer.
The next hop information carried in the MP_REACH_NLRI path attribute defines the network layer address of the border router
that will be used as the next hop to the destinations listed in the MP_NLRI attribute in the UPDATE message.
When there is more than one route reflector, they should all belong to the same cluster. By default, the value for cluster-id is
used as the device ID. The device ID can be changed using the cluster-id command.
If route-reflector clients are connected in a full IBGP mesh, you can disable client-to-client reflection on the route reflector using
the no client-to-client-reflection command.
A BGP device advertises only those routes that are preferred ones and are installed into the Routing Table Manager (RTM). When
a route cannot be installed into the RTM because the routing table is full, the route reflector may not reflect that route. In cases
where the route reflector is not placed directly in the forwarding path, you can configure the route reflector to reflect routes even
though those routes are not in the RTM using the always-propagate command.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the cluster-id command and specify a value to change the cluster ID of a device from the default device ID.
The following example changes the cluster ID of a device from the default device ID to 321.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
5. Enter the neighbor route-reflector-client command, specifying an IPv6 address, to configure a specified neighbor to be
a route reflector client.
The following example configures a neighbor with the IPv6 address 2001:db8:e0ff:783a::4 to be a route reflector client.
By default, a device advertises individual BGP4+ routes for all the networks. The aggregation feature allows you to configure a
device to aggregate routes in a range of networks into a single IPv6 prefix. For example, without aggregation, a device will
individually advertise routes for networks 2001:db8:0001:0000::/64, 2001:db8:0002:0000::/64, 2001:db8:0003:0000::/64, and so
on. You can configure the device to send a single, aggregate route for the networks instead so that the aggregate route would be
advertised as 2001:db8::/32 to BGP4 neighbors.
3. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
4. Enter the aggregate-address command to aggregate the routes from a range of networks into a single network prefix.
The following example enables a BGP4+ device to advertise the default route and send the default route to a specified neighbor.
BGP4+ multipath
The BGP4+ multipath feature can be used to enable load-balancing across different paths.
BGP4+ selects only one best path for each IPv6 prefix it receives before installing it in the IP routing table. If you need load-
balancing across different paths, you must enable BGP4+ multipath using the maximum-paths command under IPv6 address
family configuration mode.
IBGP paths and EBGP paths can be exclusively selected, or a combination of IBGP and EBGP paths can be selected.
The following attributes of parallel paths must match for them to be considered for multipathing:
• Weight
• Local Preference
• Origin
• AS-Path Length
• MED
• Neighbor AS (EBGP multipath)
• AS-PATH match (for IBGP multipath)
• IGP metric to BGP next hop
3. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
device(config-bgp-ipv6u)# maximum-paths 8
or
The following example sets the maximum number of BGP4+ shared paths to 8.
The following example sets the maximum number of BGP4+ shared paths to the value already configured using the ip
load-sharing command.
Route maps
Route maps must be applied to IPv6 unicast address prefixes in IPv6 address family configuration mode.
By default, route maps that are applied under IPv4 address family configuration mode using the neighbor route-map command
are applied to only IPv4 unicast address prefixes. To apply route maps to IPv6 unicast address prefixes, the neighbor route-map
command must be used in IPv6 address family configuration mode. The route maps are applied as the inbound or outbound
routing policy for neighbors under the specified address family. Configuring separate route maps under each address family type
simplifies managing complicated or different policies for each address family.
2. Enter the ipv6 prefix-list command and enter a name to configure an IPv6 prefix list.
The prefix list name, sequence number, and permits packets are specified.
3. Enter the route-map command with the permit keyword, and specify a route map name, to define the route map and
enter route map configuration mode.
4. Enter the match ipv6 address command and specify the name of a prefix list.
device(config-route-map-myroutemap)# exit
7. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
8. Enter the neighbor remote-as command, specifying an IPv6 address, to specify the ASN in which the remote neighbor
resides.
9. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
10. Enter the neighbor activate command to enable the exchange of information with the neighbor.
11. Enter the neighbor route-map command and specify the out keyword to apply a route map to outgoing routes.
The following example applies a route map, “myroutemap”, as the outbound routing policy for a neighbor.
Static, connected, OSPF, and RIPng routes can be redistributed into BGP. This task redistributes RIPng routes into BGP4+.
3. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
4. Enter the redistribute command using the rip keyword to redistribute IPv6 RIP routes.
3. Enter the address-family ipv6 unicast command to enter IPv6 address family unicast configuration mode.
4. Enter the redistribute command using the connected keyword to redistribute connected routes into BGP4+.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the address-family ipv6 unicast command to enter address family IPv6 unicast configuration mode.
5. Enter the neighbor weight command and specify an IPv6 address and a weight value to specify a weight that the device
adds to routes that are received from the specified BGP4+ neighbor.
The following example specifies a weight of 200 that the device adds to routes that are received from the specified BGP4+
neighbor.
When the ORF feature is enabled, unwanted routing updates are filtered out, reducing the amount of system resources required
for generating and processing routing updates. The ORF feature is enabled through the advertisement of ORF capabilities to peer
routers. The locally configured BGP4+ inbound prefix filters are sent to the remote peer so that the remote peer applies the filter
as an outbound filter for the neighbor.
The ORF feature can be configured with send and receive ORF capabilities. The local peer advertises the ORF capability in send
mode, indicating that it will accept a prefix list from a neighbor and apply the prefix list to locally configured ORFs. The local peer
exchanges the ORF capability in send mode with a remote peer for a prefix list that is configured as an inbound filter for that
peer locally. The remote peer only sends the first update once it receives a ROUTEREFRESH request or BGP ORF with IMMEDIATE
from the peer. The local and remote peers exchange updates to maintain the ORF on each router.
3. Enter the address-family ipv6 unicast command to enter IPv6 address family configuration mode.
4. Enter the neighbor activate command, specifying an IPv6 address, to add a neighbor.
5. Enter the neighbor prefix-list command, specify an IPv6 address and the in keyword to filter the incoming route
updates from a specified BGP neighbor.
• Enter the neighbor capability orf prefixlist command and specify the receive keyword to advertise ORF receive
capabilities.
• Enter the neighbor capability orf prefixlist command to configure ORF capability in both send and receive modes.
The following example configures ORF in both send and receive modes.
BGP4+ confederations
A large autonomous system (AS) can be divided into multiple subautonomous systems and grouped into a single BGP4+
confederation.
Each subautonomous system must be uniquely identified within the confederation AS by a subautonomous system number.
Within each subautonomous system, all the rules of internal BGP (IBGP) apply. For example, all BGP routers inside the
subautonomous system must be fully meshed. Although EBGP is used between subautonomous systems, the subautonomous
systems within the confederation exchange routing information like IBGP peers. Next hop, Multi Exit Discriminator (MED), and
local preference information is preserved when crossing subautonomous system boundaries. To the outside world, a
confederation looks like a single AS.
The AS path list is a loop-avoidance mechanism used to detect routing updates leaving one subautonomous system and
attempting to re-enter the same subautonomous system. A routing update attempting to re-enter a subautonomous system it
originated from is detected because the subautonomous system sees its own subautonomous system number listed in the
update's AS path.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the confederation identifier command and specify an ASN to configure a BGP confederation identifier.
5. Enter the confederation peers command and specify as many ASNs as needed to list all BGP peers that will belong to
the confederation.
The following example creates a confederation with the confederation ID “100” and adds three subautonomous systems to the
confederation.
A BGP community is a group of destinations that share a common property. Community information identifying community
members is included as a path attribute in BGP UPDATE messages. You can perform actions on a group using community and
extended community attributes to trigger routing decisions. All communities of a particular type can be filtered out, or certain
values can be specified for a particular type of community. You can also specify whether a particular community is transitive or
non-transitive across an autonomous system (AS) boundary.
An extended community is an 8-octet value and provides a larger range for grouping or categorizing communities. BGP extended
community attributes are specified in RFC 4360.
You define the extended community list using the ip extcommunity-list command. The extended community can then be
matched or applied to the neighbor through the route map. The route map must be applied on the neighbor to which routes
need to carry the extended community attributes. The send-community option should be enabled in the neighbor configuration
so that the attributes are included in updates sent to the neighbor.
2. Enter the ip community-list extended command using the permit keyword to configure a BGP community ACL.
3. Enter the route-map name command to create and define a route map and enter route map configuration mode.
4. Enter the match community command and specify a community list name.
5. Enter the set community command to set the BGP community attributes.
device(config-route-map-ComRmap)# exit
7. Enter the route-map name command to define a route map and enter route map configuration mode.
8. Enter the set community command to set the BGP community attributes.
The following example configures a BGP community ACL and sets the BGP community attributes in a route map instance.
2. Enter the ip community-list extended command using the permit keyword to configure a BGP community ACL.
3. Enter the route-map name command to create and define a route map and enter route map configuration mode.
4. Enter the match community command and specify a community list name.
5. Enter the set local-preference command and specify a value to set a BGP local-preference path attribute.
7. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
8. Enter the neighbor ipv6-address remote-as command to specify the ASN in which the remote neighbor resides.
10. Enter the address-family command and specify the ipv6 and unicast keywords to enter IPv6 address family
configuration mode.
11. Enter the neighbor ipv6-address activate command to enable the exchange of information with the neighbor.
12. Enter the neighbor ipv6-address route-map command and specify the in keyword to apply a route map to incoming
routes.
13. Enter the neighbor ipv6-address send-community command to enable the sending of standard and extended attributes
in updates to the specified BGP neighbor.
The GR feature provides a routing device with the capability to inform its neighbors when it is performing a restart.
When a BGP session is established, GR capability for BGP is negotiated by neighbors through the BGP OPEN message. If the
neighbor also advertises support for GR, GR is activated for that neighbor session. If both peers do not exchange the GR
capability, the session is not GR-capable. If the BGP session is lost, the BGP peer router, known as a GR helper, marks all routes
associated with the device as “stale” but continues to forward packets to these routes for a set period of time. The restarting
device also continues to forward packets for the duration of the graceful restart. When the graceful restart is complete, routes
are obtained from the helper so that the device is able to quickly resume full operation.
When the GR feature is configured on a device, both helper router and restarting router functionalities are supported. It is not
possible to disable helper functionality explicitly.
NOTE
BGP4+ GR can be configured for a global routing instance or for a specified VRF instance.
NOTE
BGP4+ GR is supported in ICX switches in a stack.
3. (Optional) Enter the address-family command and specify the ipv6 and unicast keywords to enter IPv6 address family
configuration mode.
4. Enter the no graceful-restart command to disable graceful restart at the IPv6 address family configuration level.
device(config-bgp-ipv6u)# no graceful-restart
In the following example, the graceful restart feature is disabled at the IPv6 address family configuration level.
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the neighbor ipv6-address remote-as command to specify the ASN in which the remote
neighbor resides.
5. Enter the address-family command and specify the ipv6 and unicast keywords to enter IPv6 address family
configuration mode.
device(config-bgp-ipv6u)# graceful-restart
• Enter the graceful-restart command using the restart-time keyword to overwrite the default restart-time
advertised to graceful restart-capable neighbors.
• Enter the graceful-restart command using the stale-routes-time keyword to overwrite the default amount of time
that a helper device will wait for an EOR message from a peer.
The following example re-enables the graceful restart feature and sets the purge time to 300 seconds, overwriting the default
value.
The following example re-enables the graceful restart feature and sets the restart time to 180 seconds, overwriting the default
value.
The following example re-enables the graceful restart feature and sets the stale-routes time to 100 seconds, overwriting the
default value.
Use the clear ipv6 bgp neighbor command with the all parameter for the changes to the graceful restart parameters to take
effect immediately.
GTSM is enabled by configuring a minimum Time To Live (TTL) value for incoming IP packets received from a specific eBGP peer.
BGP establishes and maintains the session only if the TTL value in the IP packet header is equal to or greater than the TTL value
configured for the peering session. If the value is less than the configured value, the packet is silently discarded and no Internet
Control Message Protocol (ICMP) message is generated.
When GTSM protection is enabled, BGP control packets sent by the device to a neighbor have a Time To Live (TTL) value of 255. In
addition, the device expects the BGP control packets received from the neighbor to have a TTL value of either 254 or 255. For
multihop peers, the device expects the TTL for BGP control packets received from the neighbor to be greater than or equal to
255 minus the configured number of hops to the neighbor. If the BGP control packets received from the neighbor do not have
the anticipated value, the device drops them.
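The TTL rule described above can be checked against packet bytes directly. The following Python example is added here as an illustration and is not Ruckus code or device output: it reads the hop limit (the IPv6 equivalent of TTL) from constructed IPv6 packets and applies the 255-minus-hops rule. The local address 2001:2018:8192::1, the function names, and the verdict strings are assumptions made for the example.

```python
import ipaddress
import struct

BGP_PORT = 179      # TCP port used by BGP
TCP = 6             # IPv6 Next Header value for TCP
MAX_TTL = 255       # value a GTSM sender places in the TTL / hop-limit field

# Peer address taken from the guide's GTSM example; the local address is constructed.
PEER = ipaddress.IPv6Address("2001:2018:8192::125").packed
LOCAL = ipaddress.IPv6Address("2001:2018:8192::1").packed


def min_accepted_ttl(hops=1):
    """Lowest TTL accepted from a peer `hops` hops away (1 = directly connected)."""
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be 1..254")
    return MAX_TTL - hops


def parse_ipv6(packet):
    """Return (source, hop_limit, next_header, payload) of a bare IPv6 packet.

    Assumption: no extension headers sit between the IPv6 header and TCP.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return packet[8:24], packet[7], packet[6], packet[40:]


def gtsm_verdict(packet, peers):
    """Classify one received packet. `peers` maps packed peer address -> hop count."""
    src, hop_limit, next_header, l4 = parse_ipv6(packet)
    if next_header != TCP or len(l4) < 4:
        return "not-bgp"
    sport, dport = struct.unpack("!HH", l4[:4])
    if BGP_PORT not in (sport, dport):
        return "not-bgp"
    if src not in peers:
        return "no-gtsm-peer"
    # Each router on the path decrements the field, so a packet that started
    # at 255 more than `hops` hops away can no longer meet the minimum.
    return "accept" if hop_limit >= min_accepted_ttl(peers[src]) else "drop"


def sample_packet(hop_limit, src=PEER, dport=BGP_PORT):
    """Constructed IPv6 + TCP SYN packet used as sample input."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    header = struct.pack("!IHBB", 6 << 28, len(tcp), TCP, hop_limit)
    return header + src + LOCAL + tcp


if __name__ == "__main__":
    direct = {PEER: 1}
    for ttl in (255, 254, 253, 64):
        print(ttl, gtsm_verdict(sample_packet(ttl), direct))
```

A packet that carries the peer's source address but arrives with a low hop limit is dropped, because the source address alone does not satisfy the check.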
3. Enter the local-as command to configure the autonomous system number (ASN) in which your device resides.
4. Enter the address-family ipv6 unicast command to enter IPv6 address family unicast configuration mode.
5. Enter the neighbor remote-as command, specifying an IPv6 address, to add a neighbor.
6. Enter the neighbor ebgp-btsh command, specifying an IPv6 address, to enable GTSM.
The following example enables GTSM between a device and a neighbor with the IPv6 address 2001:2018:8192::125.
3. Enter the address-family ipv6 unicast command to enter IPv6 address family unicast configuration mode.
4. Enter the neighbor allowas-in command with an IPv6 address and specify a number to disable the BGP AS_PATH check
function, and specify the number of times that the AS path of a received route may contain the recipient BGP speaker's
AS number and still be accepted.
The following example specifies that the AS path of a received route may contain the recipient BGP speaker's AS number three
times and still be accepted.
Use one or more of the following commands to verify BGP4+ information. The commands do not have to be entered in this
order.
BGP4 Summary
Router ID: 113.1.1.1 Local AS Number: 65020
Confederation Identifier: not configured
Confederation Peers:
Maximum Number of IP ECMP Paths Supported for Load Sharing: 1
Number of Neighbors Configured: 2, UP: 1
Number of Routes Installed: 5, Uses 430 bytes
Number of Routes Advertising to All Neighbors: 7 (7 entries), Uses 336 bytes
Number of Attribute Entries Installed: 4, Uses 360 bytes
Neighbor Address AS# State Time Rt:Accepted Filtered Sent ToSend
2001:db8:113:113::2 65001 CONN 1d14h32m 0 0 0 4
2001:db8:400:400::2 65020 ESTAB 3h59m24s 2 0 3 0
This example shows information about two route-attribute entries that are stored in device memory.
3. Enter the show ipv6 bgp peer-group command.
5. Enter the show ipv6 bgp routes command, using the detail keyword.
Use one or more of the following commands to verify BGP4+ neighbor information. The commands do not have to be entered in
this order.
This example shows information about all the routes the BGP4+ networking device advertised to the neighbor.
3. Enter the show ipv6 bgp neighbors received-routes command.
This example lists all route information received in route updates from BGP4+ neighbors of the device since the
soft-reconfiguration feature was enabled.
4. Enter the show ipv6 bgp neighbors rib-out-routes command.
VRRPv2 overview
Virtual Router Redundancy Protocol (VRRP) is an election protocol that provides redundancy to routers within a Local Area
Network (LAN).
VRRP was designed to eliminate a single point of failure in a static default-route environment by dynamically assigning virtual IP
routers to participating hosts. A virtual router is a collection of physical routers whose interfaces must belong to the same IP
subnet. A virtual router ID (VRID) is assigned to each virtual router, but there is no restriction against reusing a VRID with a
different address mapping on different LANs.
NOTE
VRRP extended (VRRP-E) is an extended version of the VRRP protocol. Ruckus developed VRRP-E as a proprietary
protocol to address some limitations in standards-based VRRP.
Before examining more details about how VRRP works, it is useful to see why VRRP was developed to solve the issue of a single
point of failure.
FIGURE 31 Single point of failure with Device 1 being the Host1 default gateway
To connect to the Internet or an internal intranet, Host 1 (in the figure) uses the IP address 10.53.5.1 on Router 1 as its default
gateway. If this interface goes down, Host1 is cut off from the rest of the network. Router 1 is a single point of failure for Host 1 to
access other networks. In small networks, the administrative burden of configuring Router 2 as the new default gateway is not an
issue, but in larger networks reconfiguring default gateways is impractical. Configuring a VRRP virtual router on Router 1 and
Router 2 provides a redundant path for the hosts. VRRP allows you to provide alternate router paths for a host without changing
the IP address or MAC address by which the host knows its gateway.
To illustrate how VRRP works, the following figure shows the same network, but a VRRP virtual router is configured on the two
physical routers, Router 1 and Router 2. This virtual router provides redundant network access for Host 1. If Router 1 were to fail,
Router 2 would provide the default gateway out of the subnet.
FIGURE 32 Devices configured as VRRP virtual routers for redundant network access for Host 1
The blue rectangle in the figure represents a VRRP virtual router. When you configure a virtual router, one of the configuration
parameters is a group number (also known as a virtual router ID or VRID), which can be a number from 1 through 255. The
virtual router is identified with a group, and within the VRRP group, one physical device, called the master VRRP device,
forwards packets for the virtual router. The VRRP master device may be a Layer 3 switch or a router.
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
In VRRP, one of the physical IP addresses is configured as the IP address of the virtual router, the virtual IP address. The device on
which the virtual IP address is assigned becomes the VRRP owner, and this device responds to packets addressed to any of the IP
addresses in the virtual router group. The owner device becomes the master VRRP device by default and is assigned the highest
priority. Backup devices are configured as members of the virtual router group, and, if the master device goes offline, one of the
backup devices assumes the role of the master device.
NOTE
VRRP operation is independent of BGP4, OSPF, and RIP. Their operation is unaffected when VRRP is enabled on the
same interface as BGP4, OSPF, and RIP.
VRRP terminology
Before implementing VRRP in your network, you must understand some key terms and definitions.
The following VRRP-related terms are in logical order, not alphabetic order:
Virtual router: A collection of physical routers that can use VRRP to provide redundancy to routers within a LAN.
Virtual router ID: A group of physical routers that are assigned to the same virtual router ID (VRID).
Virtual router address: The virtual router IP address must belong to the same subnet as a real IP address configured on the VRRP
interface, and it can be the same as a real IP address configured on the VRRP interface. The virtual router
whose virtual IP address is the same as a real IP address is the IP address owner and the default master.
Owner: The owner is the physical router whose real interface IP address is the IP address that you assign to the
virtual router. The owner responds to packets addressed to any of the IP addresses in the corresponding
virtual router. The owner, by default, is the master and has the highest priority (255).
Master: The physical router that responds to packets addressed to any of the IP addresses in the corresponding
virtual router. For VRRP, the physical router whose real interface IP address is the IP address of the virtual
router is always the master.
Backup: Routers that belong to a virtual router, but are not the master. If the master becomes unavailable, the
backup router with the highest priority (a configurable value) becomes the new master. By default, routers
are given a priority of 100.
Virtual router IDs can range from 1-255, but some ICX devices only support up to 16 VRRP instances.
Only IPv4 support is provided in VRRPv2. VRRPv3 supports both IPv4 and IPv6.
Hold timer functionality is supported in both version 2 and version 3 of VRRP and VRRP-E.
Hello intervals
Hello messages are sent from the master VRRP device to the backup devices. The purpose of the hello messages is to determine
that the master device is still online. If the backup devices stop receiving hello messages for a period of time, as defined by the
dead interval (or master-down-interval), the backup devices assume that the master device is offline. When the master device is
offline, the backup device with the highest priority assumes the role of the master device.
NOTE
The hello intervals must be set to the same value on both owner and backup devices for the same VRID.
Dead interval
The dead interval is defined as the period of time for which backup devices wait for a hello message from the master device
before assuming that the master device is offline. An immediate switchover to the backup device with the highest priority is
triggered after the dead interval expires and there is no hello message from the master device. If a value for the dead interval is
not configured, the default value is calculated as three times the hello interval plus the skew time. Skew time is defined as (256 –
priority)/256.
NOTE
The dead interval must be set to the same value on both owner and backup devices for the same VRID.
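The default dead interval formula above also decides which backup takes over first. The following Python example is added here and is not taken from the guide or from device software: it computes the skew time and default dead interval for several backups and reports which one stops waiting first after the master's last hello. The router names, the sample priorities, and the function names are constructed for illustration, and tie-breaking between equal priorities is not modeled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    name: str                    # hypothetical router name
    priority: int = 100          # default backup priority stated in the guide
    hello_interval: float = 1.0  # seconds; constructed sample value


def skew_time(priority):
    """Skew time in seconds: (256 - priority) / 256."""
    if not 1 <= priority <= 255:
        raise ValueError("priority must be 1..255")
    return (256 - priority) / 256


def dead_interval(backup):
    """Default dead interval: three hello intervals plus the skew time."""
    return 3 * backup.hello_interval + skew_time(backup.priority)


def hello_mismatches(master_hello, backups):
    """Names of backups whose hello interval differs from the master's.

    The guide requires the same hello interval on every device of a VRID,
    so any name returned here is a configuration error to fix.
    """
    return [b.name for b in backups if b.hello_interval != master_hello]


def takeover(backups):
    """Return (name, seconds) for the backup whose dead interval expires first.

    With equal hello intervals the skew term is the only difference, so the
    highest-priority backup always expires first and becomes master.
    """
    first = min(backups, key=dead_interval)
    return first.name, dead_interval(first)


# Constructed sample VRID: three backups with the same hello interval.
SAMPLE_BACKUPS = [Backup("R2", 100), Backup("R3", 110), Backup("R4", 90)]

if __name__ == "__main__":
    for b in SAMPLE_BACKUPS:
        print(b.name, b.priority, dead_interval(b))
    print("takes over:", takeover(SAMPLE_BACKUPS))
```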
VRRP authentication
The VRRP authentication type is not a parameter specific to the virtual router. VRRP uses the authentication type associated with
the interfaces on which the virtual router is defined.
If your interfaces do not use authentication, neither does VRRP. For example, if you configure your device interfaces to use an
MD5 password to authenticate traffic, VRRP uses the same MD5 password, and VRRP packets that do not contain the password
are dropped.
In summary, if the interfaces on which you configure the virtual router use authentication, the VRRP or VRRP Extended (VRRP-E)
packets on those interfaces must use the same authentication. The following VRRP and VRRP-E authentication types are
supported:
• No authentication—The interfaces do not use authentication. This authentication type is the default for VRRP and
VRRP-E.
• Simple—The interfaces use a simple text string as a password in packets that they send. If the interfaces use simple
password authentication, the virtual router configured on the interfaces must use the same authentication type and the
same password.
• MD5—This method of authentication ensures that the packet is authentic and cannot be modified in transit. Syslog and
SNMP traps are generated when a packet is dropped due to MD5 authentication failure. MD5 authentication is
supported only in VRRP-E, and the device configuration is unique on a per-interface basis. The MD5 authentication
configuration on an interface takes effect for all VRRP-E virtual routers configured on a particular interface.
NOTE
Authentication is not supported for VRRPv3.
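The difference between the no-authentication and simple-password types is visible in a packet capture. The following Python example is added here and is not Ruckus code: it parses a VRRPv2 advertisement and reports whether it is unauthenticated or carries a simple text password, which sits unencrypted in the packet. The field layout and Auth Type numbering follow RFC 2338 and RFC 3768 and are an assumption about the capture; the sample packets, the password "example1", and the function names are constructed.

```python
import socket
import struct

# Auth Type numbering from RFC 2338 (assumption: the capture uses this layout).
AUTH_TYPES = {0: "none", 1: "simple-text", 2: "ip-auth-header"}


def internet_checksum(data):
    """16-bit one's complement of the one's complement sum of `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, addrs, auth_type=0, password=b"", adver_int=1):
    """Build a constructed VRRPv2 advertisement for use as sample input."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                       len(addrs), auth_type, adver_int, 0)
    body = b"".join(socket.inet_aton(a) for a in addrs)
    body += password[:8].ljust(8, b"\x00")      # 8-byte Authentication Data
    msg = head + body
    return msg[:6] + struct.pack("!H", internet_checksum(msg)) + msg[8:]


def parse_advert(msg):
    """Decode the VRRPv2 header, address list and authentication fields."""
    if len(msg) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack(
        "!BBBBBBH", msg[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count + 8
    if len(msg) < end:
        raise ValueError("truncated VRRP body")
    return {
        "vrid": vrid,
        "priority": priority,
        "adver_int": adver_int,
        "addresses": [socket.inet_ntoa(msg[8 + 4 * i:12 + 4 * i])
                      for i in range(count)],
        "auth": AUTH_TYPES.get(auth_type, "unknown"),
        "auth_data": msg[end - 8:end],
        # A correct checksum makes the sum over the whole message fold to zero.
        "checksum_ok": internet_checksum(msg[:end]) == 0,
    }


def audit_advert(msg):
    """Return a list of findings for one captured advertisement."""
    adv = parse_advert(msg)
    findings = []
    if not adv["checksum_ok"]:
        findings.append("bad-checksum")
    if adv["auth"] == "none":
        findings.append("unauthenticated")
    elif adv["auth"] == "simple-text":
        findings.append("cleartext-password-on-wire")
    elif adv["auth"] == "unknown":
        findings.append("unknown-auth-type")
    return findings


# Constructed samples: VRID 1, owner priority 255, virtual IP from the guide's figure.
NO_AUTH = build_advert(1, 255, ["10.53.5.1"])
SIMPLE = build_advert(1, 255, ["10.53.5.1"], auth_type=1, password=b"example1")

if __name__ == "__main__":
    for name, pkt in (("no-auth", NO_AUTH), ("simple", SIMPLE)):
        print(name, parse_advert(pkt)["auth"], audit_advert(pkt))
```

The VRRP checksum only detects accidental corruption; it does not authenticate the sender, which is why the audit reports the authentication type separately.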
Changing the priority of a VRRP master device allows a temporary abdication of the master device status to allow a backup device
with a higher priority to assume the master device role. By default, a VRRP owner device has a priority of 255, and the new
priority must be lower than the priority of at least one of the backup devices associated with the VRID.
When you change the priority of a VRRP owner, the change takes effect only for the current power cycle. The change is not saved
to the startup configuration file when you save the configuration, and it is not retained across a reload or reboot. Following a
reload or reboot, the VRRP owner again has priority 255.
NOTE
This feature supports IPv4 VRRP only. IPv6 VRRP, VRRP-E, and IPv6 VRRP-E are not supported.
Gratuitous ARP
When a VRRP device (either master or backup) sends an ARP request or a reply packet, the MAC address of the sender is the MAC
address of the router interface. One exception is if the owner sends an ARP request or a reply packet, in which case the MAC
address of the sender is the virtual MAC address. Only the master answers an ARP request for the virtual router IP address. Any
backup router that receives this request forwards the request to the master.
• VRRP—A control message is sent only once when the VRRP device assumes the role of the master.
• VRRP-E—A control message is sent every 2 seconds by the VRRP-E master device because VRRP-E control packets do not
use the virtual MAC address.
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
1. On the device designated as the owner VRRP device, from privileged EXEC mode, enter global configuration mode by
issuing the configure terminal command.
NOTE
You can assign a VRID number in the range of 1 through 255.
device(config-if-e1000-1/1/6-vrid-1)# owner
device(config-if-e1000-1/1/6-vrid-1)# version 2
device(config-if-e1000-1/1/6-vrid-1)# activate
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
1. On the device designated as a backup VRRP device, from privileged EXEC mode, enter global configuration mode by
issuing the configure terminal command.
4. Configure the IP address of the interface for Router 2. All devices configured for the same virtual router ID (VRID) must
be on the same subnet.
NOTE
You can assign a VRID number in the range of 1 through 255.
While configuring a backup device, you can set a priority that is used when a master VRRP device goes offline. The
backup device with the highest priority will assume the role of master device.
7. Configure the VRRP version.
device(config-if-e1000-1/1/5-vrid-1)# version 2
device(config-if-e1000-1/1/5-vrid-1)# hello-interval 10
9. By default, backup VRRP devices do not send hello messages to advertise themselves to the master. Use the following
command to enable a backup router to send hello messages to the master VRRP device.
The VRID IP address is the same virtual IP address you used for Router 1.
11. Enable the VRRP session.
device(config-if-e1000-1/1/5-vrid-1)# activate
VRRP router 1 for this interface is activating
If you configure your device interfaces to use a simple password to authenticate traffic, VRRP interfaces can be configured with
the same simple password, and VRRP packets that do not contain the password are dropped. If your interfaces do not use
authentication, neither does VRRP. Repeat this task on all interfaces on all devices that support the VRID.
NOTE
This task supports VRRPv2 and VRRP-Ev2 only. VRRPv3 and VRRP-Ev3 are not supported.
1. From privileged EXEC mode, enter global configuration mode by issuing the configure terminal command.
4. Enter the simple text password configuration using the ip vrrp auth-type command with a text password.
5. Verify the password on the interface using the show ip vrrp command with either the VRID or Ethernet options.
In this example, the authentication type is simple text authentication. A show running-config command with
appropriate parameters will actually display the password. The output verifies the type of authentication.
If you configure your device interfaces to use an MD5 encrypted password to authenticate traffic, VRRP interfaces can be
configured with the same MD5 password, and VRRP packets that do not contain the password are dropped. If your interfaces do
not use authentication, neither does VRRP. Repeat this task on all interfaces on all devices that support the VRID.
1. From privileged EXEC mode, enter global configuration mode by issuing the configure terminal command.
4. Enter the MD5 password configuration using the ip vrrp auth-type command with a text password. The password will
be encrypted when saved in the configuration file. When an MD5 authentication password is configured on an interface,
a syslog message is displayed.
5. Verify the password on the interface using the show ip vrrp command.
In this example, the auth-type is MD5 authentication where the entered password is encrypted. A show run command
with appropriate parameters will actually display the encrypted password, and you can use the
enable password-display command to actually display the encrypted password. The output verifies the type of authentication.
The following example enables MD5 authentication on Ethernet interface 1/1/6 and verifies the authentication type.
When you change the priority of a VRRP owner, the change takes effect only for the current power cycle. The change is not saved
to the startup configuration file when you save the configuration, and it is not retained across a reload or reboot. Following a
reload or reboot, the VRRP owner again has priority 255.
NOTE
This task supports IPv4 VRRP only. IPv6 VRRP, VRRP-E, and IPv6 VRRP-E are not supported.
1. On the master device and from privileged EXEC mode, enter global configuration mode by issuing the configure
terminal command.
4. Enter the virtual router ID (VRID) for which the device is the VRRP owner.
NOTE
You can assign a VRID number in the range of 1 through 255.
5. Enter a priority for this device that is lower than the priority of at least one backup device associated with the VRID.
6. Verify the abdication of the master device using the show ip vrrp command.
In this example, the mode shows this device as the owner of the virtual router (mode owner), but the VRRP priority for
the device is only 99 and the state is now backup instead of master. The administrative status is still enabled. The output
verifies that this device is now a backup device.
A tracked port allows you to monitor the state of the interfaces on the other end of a route path. A tracked interface also allows
the virtual router to lower its priority if the exit path interface goes down, allowing another virtual router in the same VRRP (or
VRRP-E) group to take over. When a tracked interface returns to an up state, the configured track priority is added to the current
virtual router priority value. The following conditions and limitations exist for tracked ports:
• Track priorities must be lower than VRRP or VRRP-E priorities.
• The dynamic change of router priority can trigger a master device switchover if preemption is enabled. However, if the
router is an owner, the master device switchover will not occur.
• The maximum number of interfaces that can be tracked for a virtual router is 16.
• Port tracking is allowed for physical interfaces and port channels.
Configure this task on the device on which the tracked interface exists.
4. Enter the IP address for the interface to be used for the virtual router ID (VRID).
5. Enter the following command to enter the appropriate VRRP virtual router ID (VRID) mode.
6. Enter the track-port command to set the track port and priority:
The priority value is used when a tracked port goes down and the new priority is set to this value. Ensure that the
priority value is lower than the priority set for any existing master or backup device to force a renegotiation for the
master device.
The following example shows how to configure Ethernet interface 1/2/4 on virtual router 1 to be tracked; if the interface fails, the
VRRP priority of the device becomes 20, forcing a negotiation for a new master device.
By default, preemption is enabled for VRRP. In VRRP, preemption allows a backup device with the highest priority to become the
master device when the master (also the owner) device goes offline. If another backup device is added with a higher priority, it
will assume the role of the master VRRP device. In some larger networks there may be a number of backup devices with varying
levels of priority, and preemption can cause network flapping. To prevent the flapping, disable preemption.
NOTE
If preemption is disabled for VRRP, the owner device is not affected because the owner device always preempts the
active master. When the owner device is online, the owner device assumes the role of the master device regardless of
the setting for the preempt parameter.
In VRRP-E, preemption is disabled by default. In situations where a new backup device is to be added with a higher priority,
preemption can be enabled. There are no owner devices in VRRP-E to automatically preempt a master device.
A VRRP or VRRP-E session must be globally enabled using the router vrrp or router vrrp-extended command in global
configuration mode.
Preemption is enabled by default for VRRP and VRRP-E, but if several devices come back online with higher priorities than the
original backup device, route flapping can occur as these devices preempt each other. The following steps can be used when you
want to prevent a backup device that is acting as the master from being preempted by another backup device with a higher priority value.
2. Enter the IP address for the interface to be used for the virtual router ID (VRID).
3. Enter the following command to enter the appropriate VRRP VRID mode.
device(config-if-e1000-1/1/5-vrid-1)# non-preempt-mode
Even if a backup device has a higher priority than the current backup acting as a master device, the backup device will
not assume the role of the VRRP master device.
For each VRRP virtual routing instance, there is one master device and all other devices are backups. Accept mode allows some
network management functionality for backup VRRP devices, providing the ability to respond to ping, traceroute, and Telnet
packets. By default, nonowner VRRP devices do not accept packets destined for the IPv4 or IPv6 VRID addresses. Troubleshooting
network connections to the VRRP nonowner master device is difficult unless accept mode is enabled.
NOTE
The accept mode functionality enables a VRRP nonowner master device to respond to ping, Telnet, and traceroute
packets, but the device will not respond to SSH packets. When the device acting as the master device is not the IP
address owner (the device with the interface whose actual IP address is used as the virtual device’s IP address), the
master device accepts only the ARP packets sent to the virtual IP address. When accept mode is configured, the master
device responds to ping, Telnet, and traceroute packets sent to the virtual IP address even when the master device is
not the IP address owner.
This task is performed on any device that is designated as a backup VRRP device, and the functionality is activated if the backup
device becomes a master VRRP device. Repeat this task for all devices that are to be designated as backup devices.
NOTE
The accept mode functionality does not support SSH packets.
1. On the device designated as a backup VRRP device, from privileged EXEC mode, enter global configuration mode by
issuing the configure terminal command.
4. Configure the IP address of the interface. All devices configured for the same virtual router ID (VRID) must be on the
same subnet.
5. Assign this backup device to VRID 1, the same VRID as the VRRP owner device.
NOTE
You can assign a VRID number in the range of 1 through 255.
While configuring a backup device, you can set a priority that is used when a master VRRP device goes offline. The
backup device with the highest priority will assume the role of master device.
7. Enable accept mode for this device.
device(conf-if-e1000-1/1/5-vrid-1)# accept-mode
device(conf-if-e1000-1/1/5-vrid-1)# end
Interface 1/1/5
----------------
auth-type no authentication
VRID 1 (index 1)
interface 1/1/5
state master
administrative-status enabled
version v2
mode non-owner (backup)
virtual mac aaaa.bbbb.cccc (configured)
priority 110
current priority 110
track-priority 2
hello-interval 1 sec
accept-mdoe enabled
.
.
.
The following example enables accept mode for a backup VRRP device.
A VRRP or VRRP-E session with master and backup devices must be configured and running.
Normally, a VRRP or VRRP-E backup includes route information for the virtual IP address (the backed-up interface) in RIP
advertisements. As a result, other devices receive multiple paths for the backed-up interface and might sometimes
unsuccessfully use the path to the backup device rather than the path to the master device.
You can prevent the backups from advertising route information for the backed-up interface by enabling suppression of the
advertisements.
NOTE
The command syntax is the same for VRRP and VRRP-E.
2. Enable RIP.
device(config-rip-router)# use-vrrp-path
The following example suppresses RIP advertisements for the backed-up interface.
VRRP-Ev2 overview
VRRP Extended (VRRP-E) is an extended version of VRRP. VRRP-E is designed to avoid the limitations in the standards-based VRRP.
To create VRRP-E, Ruckus has implemented the following differences from RFC 3768 which describes VRRPv2 to provide extended
functionality and ease of configuration:
• VRRP-E does not include the concept of an owner device, and a master VRRP-E is determined by the priority configured
on the device.
• While the VRRP-E virtual router IP address must belong in the same subnet as a real IP address assigned to a physical
interface of the device on which VRRP-E is configured, it must not be the same as any of the actual IP addresses on any
interface.
• Configuring VRRP-E uses the same task steps for all devices; there are no differences between master and backup device
configuration. The device configured with the highest priority assumes the master role.
VRRP-E is not supported on non-Ruckus devices and does not interoperate with VRRP sessions on Ruckus devices.
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
NOTE
Only VRRP or VRRP-E can be enabled in your network.
1. On the device designated as a VRRP-E device, from privileged EXEC mode, enter global configuration mode by issuing the
configure terminal command.
4. Configure the IP address of the interface. All devices configured for the same virtual router ID (VRID) must be on the
same subnet.
NOTE
You can assign a VRID number in the range of 1 through 255.
While configuring a backup device, you can set a priority that is used when a master VRRP device goes offline. The
backup device with the highest priority will assume the role of master device.
7. Configure the VRRP version.
device(config-if-e1000-1/1/5-vrid-1)# version 2
The IP address associated with the VRID must not be configured on any of the devices used for VRRP-E.
9. Enable the VRRP-E session.
device(config-if-e1000-1/1/5-vrid-1)# activate
VRRP-E router 1 for this interface is activating
If you enable short-path forwarding in both master and backup VRRP-E devices, packets sent by Host Server 1 (in the figure) and
destined for the Internet cloud through the device on which a VRRP-E backup interface exists can be routed directly to the VRRP-E
backup device (blue dotted line) instead of being switched to the master router and then back (red dotted-dash line).
In the figure, load-balancing is achieved using short-path forwarding by dynamically moving the virtual servers between Host
Server 1 and Host Server 2.
If short-path forwarding is configured with revert priority on a backup router, the revert priority represents a threshold for the
current priority of the VRRP-E session. When the backup device priority is higher than the configured revert priority, the backup
router is able to perform short-path forwarding. If the backup priority is lower than the revert priority, short-path forwarding is
disabled.
Before configuring VRRP-E load-balancing, VRRP-E must be configured on all devices in the VRRP-E session.
Perform this task on all backup VRRP-E Layer 3 devices to allow load sharing within a VRRP extended group.
device(config-vrrpe-router)# interface ve 10
In this example, virtual Ethernet (ve) configuration mode is entered and the interface is assigned a VLAN number of 10.
4. Enter an IP address for the interface using the ip address command.
5. Enter the ip vrrp-extended vrid command with a number to assign a VRRP-E virtual router ID to the device.
7. Enter the ip-address command with an IP address that is not used on any VRRP-E device interface to add a virtual IP
address to the VRRP-E instance.
8. Enter the short-path-forwarding command with a revert-priority value to configure the backup VRRP-E device as an
alternate path with a specified priority.
When the backup device priority is higher than the configured revert-priority value, the backup router is able to
perform short-path forwarding. If the backup priority is lower than the revert priority, short-path forwarding is disabled.
9. Enter the activate command to activate the VRRP-E instance.
device(config-vif-10-vrid-5)# activate
In the following example, short-path forwarding is configured on a backup VRRP-E device, and a revert priority threshold is
configured. If the backup device priority falls below this threshold, short-path forwarding is disabled.
Virtual Router Redundancy Protocol Extended (VRRP-E) backup devices elect a master VRRP-E device based on the device with the
highest virtual router ID (VRID) priority value. When scheduling an upgrade, the standard failover behavior involves increasing
the priority value of a backup VRRP-E device to enable it to assume the role of VRRP-E master. VRRP-E hitless upgrade provides
functionality to decrease the priority of the virtual router identifier (VRID) to a value of 1 for a master VRRP-E device. When the
short-path forwarding functionality is also configured, the potential for traffic loss is avoided because backup devices can
forward traffic. A new command-line interface (CLI) command is introduced to decrease the priority of VRIDs on the master
device before an upgrade. A second use case is when troubleshooting must be performed on the master VRRP-E device.
To implement the hitless upgrade, configure short-path forwarding on all the devices assigned to the same virtual router ID
(VRID) as the master device. Load the upgrade image and, before the device reloads, enable the CLI that decreases the VRID
priority of the master device. If you save the configuration to the startup configuration file before the reload, the device will
remain a backup device after rebooting to allow time to check that the new image is working correctly. After the hitless upgrade
functionality is configured, VRRP-E activates the automatic backup by setting the master device VRID priority to one. All VRRP-E
devices become backup devices and the software chooses the device with the highest VRID priority to become the master device.
Using short-path forwarding where a backup device can forward traffic, any data traffic loss is avoided.
After the upgrade has been performed, the previous master device boots up as a VRRP-E backup device. To return the device to
its previous role, remove the hitless upgrade configuration. Remember to save the startup configuration after the hitless upgrade
command removal because the system is in maintenance mode after the VRRP-E hitless upgrade is enabled and no other device
configuration changes are recommended.
VRRP-E hitless upgrade functionality is only supported in VRRP-E IPv4. This feature enables short-path forwarding support on all
FastIron devices.
Before configuring VRRP-E hitless upgrade, VRRP-E must be configured on all devices used in the VRRP-E session. To avoid any
traffic loss during the failover process, enable short-path forwarding on all VRRP-E devices.
Perform this task on the master VRRP-E Layer 3 devices to configure the VRRP-E hitless upgrade capability.
3. Configure the Virtual Ethernet (VE) interface for the VRRP-E device.
device(config-vrrpe-router)# interface ve 10
4. Configure the IP address of the interface. All devices configured for the same virtual router ID (VRID) must be on the
same subnet.
6. Designate this router as a backup VRRP device. The backup device with the highest priority assumes the role of master
VRRP-E device.
7. Enter the ip-address command with an IP address that is not used on any VRRP-E device interface to add a virtual IP
address to the VRRP-E instance.
device(config-vif-10-vrid-5)# short-path-forwarding
device(config-vif-10-vrid-5)# activate
device(config-vif-10-vrid-5)# exit
device(config-vif-10)# exit
12. Enter the activate backup command to work in conjunction with the short-path forwarding configuration to enable
VRRP-E hitless upgrade.
In this example, VRRP-E hitless upgrade is enabled on the master VRRP-E device. The priority of the master VRRP-E
device is set to 1 and the backup device with the highest priority assumes the role of the master VRRP-E device.
13. Return to global configuration mode.
device(config-vrrpe-router)# exit
14. (Optional) You can write the running configuration file to the startup configuration file to ensure that the device remains
as a backup device until after the reload.
Be aware that while the hitless upgrade is enabled, no other device configuration is recommended; the system is in
maintenance mode. After your upgrade or troubleshooting is complete, remove the activate backup command.
In the following example, VRRP-E hitless upgrade is enabled and the running-config file is saved to the startup-config file.
While the VRRP-E hitless upgrade is enabled, load your upgrade image and reboot the device or perform any troubleshooting.
The slow-start interval allows additional time for routing protocols, for example OSPF, to converge without causing route flapping
during the transition from backup device to master device. Included in the VRRP-E slow-start timer feature are track port state
changes and restart options. The use-track-port option implements a slow-start timer for the first tracked port "up" state
change, in addition to the VRRP-E initialization state. The restart option restarts the slow-start timer for subsequent tracked port
"up" state changes.
NOTE
If you change the backup priority of a VRRP-E backup router to be higher than the priority of the original master device,
the slow-start timer will not work. The original master device will take over from the backup device immediately.
In a VRRP extended (VRRP-E) configuration, if a master device goes offline, the backup router with the highest priority takes over
after the expiration of the dead interval timer. When the original master device is back online, you can configure a slow-start
timer interval that extends the time interval beyond the dead interval before the original master device transitions back to the
role of master device.
3. Enter the slow-start command with options to configure the interval, in seconds, and whether tracked-port state
changes trigger the slow-start interval.
In this example, the slow-start timer interval is set to 40 seconds, and the slow-start timer also runs after the first and
subsequent tracked-port state changes.
VRRP-E supports ISSU and, combined with the short-path forwarding feature, can provide high availability. When a software
upgrade has to be performed, the backup router can be upgraded first and, after it comes back online, its VRRP-E priority can be
set higher than that of the current master. A transition is initiated by the software, and with minimal packet loss, the backup router
becomes the master router running the upgraded software version. Perform the following steps that utilize the configurations
and network diagram.
NOTE
Before configuring VRRP-E, configure your network with Layer 3 protocols using OSPF and RIP.
2. The software selects Router C as the master VRRP-E device because its priority and IP address are higher than those of Router B.
3. Upgrade the software version on Router B, the backup router, and reload.
6. The software transitions the role of VRRP-E master to Router B with only 30 milliseconds of packet loss.
7. Upgrade the software version on Router C, which has become the backup router, and reload.
Router B configuration
The following example configuration configures VRRP-E using the short-path forwarding feature. On this device, the priority value
for VRID 23 is set to 50.
configure terminal
router vrrp-extended
interface ve 123
ip address 192.168.4.11 255.255.255.0
ip vrrp-extended vrid 23
backup priority 50
advertise backup
ip-address 192.168.4.254
short-path-forwarding
activate
Router C configuration
The following example configuration configures VRRP-E using the short-path forwarding feature. On this device, the priority value
for VRID 23 is set to 250.
configure terminal
router vrrp-extended
interface ve 123
ip address 192.168.4.12 255.255.255.0
ip vrrp-extended vrid 23
backup priority 250
advertise backup
ip-address 192.168.4.254
short-path-forwarding
activate
Before displaying VRRP information, VRRPv2 must be configured and enabled in your VRRP or VRRP-E network to generate traffic.
Use one or more of the following commands to display VRRPv2 information. The commands do not have to be entered in this
order.
1. Enter the show ip vrrp command with the vrid option and a virtual router ID (VRID) to display IPv4 VRRP configuration
information about VRID 1.
Interface 1/1/1
----------------
auth-type no authentication
VRID 1 (index 1)
interface 1/1/1
state master
administrative-status enabled
version v2
mode owner
virtual mac aaaa.bbbb.cccc (configured)
priority 255
current priority 255
track-priority 2
hello-interval 1 sec
backup hello-interval 6
3. Enter the show ip vrrp-extended statistics command for Ethernet interface 1/1/5.
Interface 1/1/5
----------------
VRID 2
- number of transitions to backup state = 1
- number of transitions to master state = 1
- total number of vrrp-extended packets received = 0
. received backup advertisements = 0
. received packets with zero priority = 0
. received packets with invalid type = 0
. received packets with invalid authentication type = 0
. received packets with authentication type mismatch = 0
. received packets with authentication failures = 0
. received packets dropped by owner = 0
. received packets with ttl errors = 0
. received packets with ipv6 address mismatch = 0
. received packets with advertisement interval mismatch = 0
. received packets with invalid length = 0
- total number of vrrp-extended packets sent = 2004
. sent backup advertisements = 0
. sent packets with zero priority = 0
- received neighbor solicitation packets dropped = 0
- received proxy neighbor solicitation packets dropped = 0
- received ip packets dropped = 0
To determine the effect of clearing the VRRP statistics, an appropriate show command is entered before and after the clear
command.
Interface 1/1/5
----------------
VRID 2
- number of transitions to backup state = 1
- number of transitions to master state = 1
- total number of vrrp packets received = 0
. received backup advertisements = 0
. received packets with zero priority = 0
.
.
.
- total number of vrrp packets sent = 2004
. sent backup advertisements = 6
. sent packets with zero priority = 0
- received neighbor solicitation packets dropped = 0
4. Enter the show ip vrrp statistics command for Ethernet interface 1/1/5.
Interface 1/1/5
----------------
VRID 2
- number of transitions to backup state = 0
- number of transitions to master state = 0
- total number of vrrp packets received = 0
. received backup advertisements = 0
. received packets with zero priority = 0
.
.
.
- total number of vrrp packets sent = 8
. sent backup advertisements = 0
. sent packets with zero priority = 0
- received neighbor solicitation packets dropped = 0
In this show output for a specified interface after the clear ip vrrp statistics command has been entered, you can see
that the statistical counters have been reset. Although some of the counters are showing numbers because VRRP traffic
is still flowing, the numbers are much lower (8 transmissions instead of 2004 transmissions) than in the initial show ip
vrrp statistics command output.
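The statistics output shown above can be checked mechanically between two snapshots. The following is an added example, not part of the original guide or Ruckus software: it parses the counter layout shown on this page and reports error counters that increased, plus repeated transitions to master state. VRRP advertisements are sent with TTL 255, so a rising "ttl errors" counter points at packets that did not originate on the local segment. The sample snapshots are constructed, and the choice of which counters to flag and the transition threshold are assumptions.

```python
import re

# Substrings of counter names (as printed in the statistics output above)
# that indicate malformed, mismatched or unauthenticated VRRP packets.
# Which counters to flag is an assumption of this example.
ERROR_MARKERS = ("invalid", "mismatch", "failures", "errors")
MASTER_TRANSITIONS = "number of transitions to master state"

# Counter rows start with "-" or "." followed by "name = value".
COUNTER_RE = re.compile(r"^[-.]\s+(?P<name>.+?)\s*=\s*(?P<value>\d+)$")

# Constructed sample snapshots in the layout shown on this page.
SAMPLE_BEFORE = """\
Interface 1/1/5
----------------
VRID 2
- number of transitions to backup state = 1
- number of transitions to master state = 1
- total number of vrrp packets received = 120
. received packets with invalid type = 0
. received packets with authentication type mismatch = 0
. received packets with ttl errors = 0
.
.
.
- total number of vrrp packets sent = 2004
"""

SAMPLE_AFTER = """\
Interface 1/1/5
----------------
VRID 2
- number of transitions to backup state = 4
- number of transitions to master state = 4
- total number of vrrp packets received = 150
. received packets with invalid type = 0
. received packets with authentication type mismatch = 2
. received packets with ttl errors = 3
.
.
.
- total number of vrrp packets sent = 2100
"""


def parse_vrrp_statistics(text):
    """Return {(interface, vrid): {counter name: value}} from show output."""
    stats, interface, vrid = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface "):
            interface, vrid = line.split(None, 1)[1], None
        elif line.startswith("VRID "):
            vrid = int(line.split()[1])
            stats[(interface, vrid)] = {}
        elif vrid is not None:
            match = COUNTER_RE.match(line)
            if match:  # the dashed rule and "." elision rows do not match
                stats[(interface, vrid)][match["name"]] = int(match["value"])
    return stats


def audit(before, after, max_master_transitions=1):
    """Return [((interface, vrid), counter name, increase)] worth reviewing."""
    findings = []
    for key, counters in sorted(after.items()):
        baseline = before.get(key, {})
        for name, value in counters.items():
            previous = baseline.get(name, 0)
            # A value below the baseline means the counters were cleared in
            # between, so everything counted since the clear is new.
            delta = value - previous if value >= previous else value
            if delta == 0:
                continue
            if any(marker in name for marker in ERROR_MARKERS):
                findings.append((key, name, delta))
            elif name == MASTER_TRANSITIONS and delta > max_master_transitions:
                findings.append((key, name, delta))
    return findings


if __name__ == "__main__":
    before = parse_vrrp_statistics(SAMPLE_BEFORE)
    after = parse_vrrp_statistics(SAMPLE_AFTER)
    for (interface, vrid), name, delta in audit(before, after):
        print(f"{interface} VRID {vrid}: {name} increased by {delta}")
```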
VRRPv3 overview
VRRP version 3 (VRRPv3) introduces IPv6 address support for both standard VRRP and VRRP enhanced (VRRP-E).
Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in a static default routed
environment by providing redundancy to Layer 3 devices within a local area network (LAN). VRRP uses an election protocol to
dynamically assign the default gateway for a host to one of a group of VRRP routers on a LAN. Alternate gateway router paths
can be allocated without changing the IP address or MAC address by which the host device knows its gateway.
VRRPv3 implements support for IPv6 addresses for networks using IPv6, and it also supports IPv4 addresses for dual-stack
networks configured with VRRP or VRRP-E. VRRPv3 is compliant with RFC 5798. The benefit of implementing VRRPv3 is faster
switchover to backup devices than can be achieved using standard IPv6 neighbor discovery mechanisms. With VRRPv3, a backup
router can become a master router in a few seconds with less overhead traffic and no interaction with the hosts.
When VRRPv3 is configured, the master device that owns the virtual IP address and a master device that does not own the virtual
IP address can both respond to ICMP echo requests (using the ping command) and accept Telnet and other management traffic
sent to the virtual IP address. In VRRPv2, only a master device on which the virtual IP address is the address of an interface on
the master device can respond to ping and other management traffic.
NOTE
When implementing IPv6 VRRPv3 across a network with devices from other vendors, be aware of a potential
interoperability issue with IPv6 VRRPv3 and other vendor equipment. Ruckus has implemented IPv6 VRRPv3
functionality to comply with RFC 5798 and will interoperate comfortably with other vendors that support RFC 5798.
Virtual router IDs can range from 1-255, but some ICX devices only support up to 16 VRRP instances.
Only IPv4 support is provided in VRRPv2. VRRPv3 supports both IPv4 and IPv6.
NOTE
When implementing IPv6 VRRPv3 across a network with devices from other vendors, be aware of a potential
interoperability issue. Ruckus has implemented IPv6 VRRPv3 functionality to comply with RFC 5798 and will interoperate
well with other vendors that support RFC 5798.
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
1. On the device designated as the owner VRRP device, from privileged EXEC mode, enter global configuration mode by
issuing the configure terminal command.
2. Before enabling IPv6 VRRP, you must globally enable IPv6 routing.
NOTE
You can assign a VRID number in the range of 1 through 255.
device(config-if-e1000-1/1/5-vrid-2)# owner
device(config-if-e1000-1/1/5-vrid-2)# version 3
9. Assign an IPv6 link-local address to the VRID for use in the local network.
device(config-if-e1000-1/1/5-vrid-2)# activate
NOTE
When implementing IPv6 VRRPv3 across a network with devices from other vendors, be aware of a potential
interoperability issue. Ruckus has implemented IPv6 VRRPv3 functionality to comply with RFC 5798 and will interoperate
well with other vendors that support RFC 5798.
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
1. On the device designated as a backup VRRPv3 device, from privileged EXEC mode, enter global configuration mode by
issuing the configure terminal command.
NOTE
You can assign a VRID number in the range of 1 through 255.
6. Designate this router as a VRRPv3 backup device and assign it a priority of 100.
device(config-if-e1000-1/1/4-vrid-2)# version 3
8. By default, backup VRRP devices do not send hello messages to advertise themselves to the master. Use the following
command to enable a backup router to send hello messages to the master VRRP device.
9. Assign the IPv6 link-local address to the VRID for use in the local network.
device(config-if-e1000-1/1/4-vrid-2)# activate
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
1. On the device designated as the owner VRRP device, from privileged EXEC mode, enter global configuration mode by
issuing the configure terminal command.
NOTE
You can assign a VRID number in the range of 1 through 255.
device(config-if-e1000-1/1/6-vrid-1)# owner
device(config-if-e1000-1/1/6-vrid-1)# version 3
device(config-if-e1000-1/1/6-vrid-1)# activate
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
1. On a device designated as a backup VRRP device, from privileged EXEC mode, enter global configuration mode by
issuing the configure terminal command.
4. Configure the IP address of the interface. All devices configured for the same virtual router ID (VRID) must be on the
same subnet.
5. Assign the same VRID as the VRID used by the owner device.
NOTE
You can assign a VRID number in the range of 1 through 255.
While configuring a backup device, you can set a priority that is used when a master VRRP device goes offline. The
backup device with the highest priority will assume the role of master device.
7. Set the VRRP version to 3 to indicate that this is a VRRPv3 session for IPv4.
device(config-if-e1000-1/1/5-vrid-1)# version 3
The VRID IP address is the same virtual IP address that you used for the VRRP owner device.
9. Enable the VRRP session.
device(config-if-e1000-1/1/5-vrid-1)# activate
VRRP router 1 for this interface is activating
A tracked port allows you to monitor the state of the interfaces on the other end of a route path. A tracked interface also allows
the virtual router to lower its priority if the exit path interface goes down, allowing another virtual router in the same VRRP (or
VRRP-E) group to take over. When a tracked interface returns to an up state, the configured track priority is added to the current
virtual router priority value. The following conditions and limitations exist for tracked ports:
• Track priorities must be lower than VRRP or VRRP-E priorities.
• The dynamic change of router priority can trigger a master device switchover if preemption is enabled. However, if the
router is an owner, the master device switchover will not occur.
• The maximum number of interfaces that can be tracked for a virtual router is 16.
• Port tracking is allowed for physical interfaces and port channels.
Before enabling IPv6 VRRPv3, you must globally enable IPv6 routing using the ipv6 unicast-routing command.
Configure this task on the device on which the tracked interface exists.
4. Enter the IPv6 address for the interface to be used for the virtual router ID (VRID).
5. Enter the following command to enter the appropriate VRRPv3 virtual router ID (VRID) mode.
6. Enter the track-port command to set the tracked port and priority:
The priority value is used when a tracked port goes down and the new priority is set to this value. Ensure that the
priority value is lower than the priority set for any existing master or backup device to force a renegotiation for the
master device.
The following example shows how to configure interface Ethernet 1/2/4 on virtual router 1 to be tracked; if the interface fails, the
IPv6 VRRPv3 priority of the device becomes 20, forcing a negotiation for a new master device.
For each VRRP virtual routing instance, there is one master device and all other devices are backups. Accept mode allows some
network management functionality for backup VRRP devices, providing the ability to respond to ping, traceroute, and Telnet
packets. By default, nonowner VRRP devices do not accept packets destined for the IPv4 or IPv6 VRID addresses. Troubleshooting
network connections to the VRRP nonowner master device is difficult unless accept mode is enabled.
NOTE
The accept mode functionality enables a VRRP nonowner master device to respond to ping, Telnet, and traceroute
packets, but the device will not respond to SSH packets. When the device acting as the master device is not the IP
address owner (the device with the interface whose actual IP address is used as the virtual device’s IP address), the
master device accepts only the ARP packets sent to the virtual IP address. When accept mode is configured, the master
device responds to ping, Telnet, and traceroute packets sent to the virtual IP address even when the master device is
not the IP address owner.
This task is performed on any device that is designated as a backup VRRP device, and the functionality is activated if the backup
device becomes a master VRRP device. Repeat this task for all devices that are to be designated as backup devices.
NOTE
The accept mode functionality does not support SSH packets.
1. On the device designated as a backup VRRP device, from privileged EXEC mode, enter global configuration mode by
issuing the configure terminal command.
4. Configure the IP address of the interface. All devices configured for the same virtual router ID (VRID) must be on the
same subnet.
5. Assign this backup device to VRID 1, the same VRID as the VRRP owner device.
NOTE
You can assign a VRID number in the range of 1 through 255.
While configuring a backup device, you can set a priority that is used when a master VRRP device goes offline. The
backup device with the highest priority will assume the role of master device.
7. Enable accept mode for this device.
device(conf-if-e1000-1/1/5-vrid-1)# accept-mode
device(conf-if-e1000-1/1/5-vrid-1)# end
Interface 1/1/5
----------------
auth-type no authentication
VRID 1 (index 1)
interface 1/1/5
state master
administrative-status enabled
version v2
mode non-owner (backup)
virtual mac aaaa.bbbb.cccc (configured)
priority 110
current priority 110
track-priority 2
hello-interval 1 sec
accept-mdoe enabled
.
.
.
The following example enables accept mode for a backup VRRP device.
VRRPv3 introduced a new checksum method for both IPv4 and IPv6 sessions, and this version 3 checksum computation is
enabled by default. To accommodate third-party devices that still use a VRRPv2-style checksum for IPv4 VRRPv3 sessions, a
command-line interface (CLI) command is available for configuration on a Ruckus device. The new version 2 checksum method is
disabled by default and is applicable only to IPv4 VRRPv3 sessions. If configured for VRRPv2 sessions, the VRRPv2-style checksum
command is accepted, but it has no effect.
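Why the two checksum methods do not interoperate, as an added example that is not from the original guide or from Ruckus code: it builds one IPv4 VRRPv3 advertisement and computes the checksum both ways. The VRID, priority and virtual IP address are taken from the show output on this page; the sender address 10.14.14.2 is constructed, and the v3 method is assumed to cover the conventional IPv4 pseudo-header (source, destination, zero, protocol 112, length) in addition to the VRRP message.

```python
import socket
import struct

VRRP_PROTOCOL = 112            # IP protocol number assigned to VRRP
VRRP_GROUP_V4 = "224.0.0.18"   # IPv4 multicast group used by VRRP


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, max_adver_cs, vips, checksum=0):
    """VRRPv3 advertisement: version 3, type 1, interval in centiseconds."""
    header = struct.pack("!BBBBHH", (3 << 4) | 1, vrid, priority,
                         len(vips), max_adver_cs & 0x0FFF, checksum)
    return header + b"".join(socket.inet_aton(vip) for vip in vips)


def v2_style_checksum(message: bytes) -> int:
    """VRRPv2 style: the VRRP message only (checksum field zeroed)."""
    return inet_checksum(message)


def v3_checksum(message: bytes, src: str, dst: str = VRRP_GROUP_V4) -> int:
    """v3 style (assumed layout): IPv4 pseudo-header plus the VRRP message."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, VRRP_PROTOCOL, len(message)))
    return inet_checksum(pseudo + message)


def verify(packet: bytes, src: str, method: str) -> bool:
    """Check a received advertisement the way a v3 or v2-style receiver would."""
    (received,) = struct.unpack_from("!H", packet, 6)
    zeroed = packet[:6] + b"\x00\x00" + packet[8:]
    if method == "v3":
        expected = v3_checksum(zeroed, src)
    elif method == "v2":
        expected = v2_style_checksum(zeroed)
    else:
        raise ValueError("method must be 'v3' or 'v2'")
    return received == expected


# VRID 14, priority 100, hello interval 1 sec, virtual IP 10.14.14.99 (from
# the show output on this page); sender address is constructed.
SENDER = "10.14.14.2"
UNSIGNED = build_advertisement(14, 100, 100, ["10.14.14.99"])


def third_party_packet() -> bytes:
    """Advertisement from a peer that only implements the v2-style checksum."""
    return build_advertisement(14, 100, 100, ["10.14.14.99"],
                               checksum=v2_style_checksum(UNSIGNED))


if __name__ == "__main__":
    print(f"v2-style checksum: {v2_style_checksum(UNSIGNED):#06x}")
    print(f"v3 checksum:       {v3_checksum(UNSIGNED, SENDER):#06x}")
    packet = third_party_packet()
    print("accepted by default v3 check:     ", verify(packet, SENDER, "v3"))
    print("accepted with v2-style check:     ", verify(packet, SENDER, "v2"))
```

A receiver that validates with the default method discards the third-party advertisement as corrupt, which is the situation the use-v2-checksum command addresses.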
VRRPv3 uses the v3 checksum computation method by default for both IPv4 and IPv6 sessions on Ruckus devices. Third-party
devices may have only a VRRPv2-style checksum computation available for a VRRPv3 IPv4 session. The use-v2-checksum
command is entered in interface configuration mode.
4. To configure a VRRP virtual routing ID, use the ip vrrp vrid command with an associated ID number.
5. To enable VRRP version 3 (VRRPv3), enter the version command with a version number of v3.
device(config-if-e1000-1/2/4-vrid-14)# version v3
6. To enable the v2 checksum computation method in an IPv4 VRRPv3 session, use the use-v2-checksum command in
VRRP configuration mode.
device(config-if-e1000-1/2/4-vrid-14)# use-v2-checksum
7. Enter the IP address for the interface using the ip-address command.
device(config-if-e1000-1/2/4-vrid-14)# activate
The following example shows the v2 checksum computation method enabled for a VRRPv3 IPv4 session on a Ruckus device.
The following steps are both optional and can be used to verify that the alternate VRRPv2-style checksum computation
command, use-v2-checksum, has been set for VRRPv3 IPv4 sessions.
1. Use the show running-config command to verify that the use-v2-checksum command has been configured for a
specified interface. Only part of the output is displayed.
2. Use the show ip vrrp command with a virtual router ID number to display the current settings of a specific VRRP
session, including the use-v2-checksum command, if configured.
Interface 1/2/4
----------------
auth-type no authentication
VRID 14 (index 1)
interface 1/2/4
state initialize
administrative-status disabled
version v3 - use-v2-checksum
mode non-owner(backup)
virtual mac 0000.5e00.010e
priority 100
current priority 100
track-priority 1
hello-interval 1 sec
backup hello-interval 60 sec
slow-start timer (configured) 0 sec
advertise backup disabled
dead-interval 3500 ms
preempt-mode true
ip-address 10.14.14.99
The default VRRPv3 implementation allows only the link-local address that is configured on a physical interface to be used as the
virtual IPv6 address of a VRRPv3 session. This limits configuring a link-local address for each VRRP instance on the same physical
interface because there can be only one link-local address per physical interface.
When IPv6 link-local address auto-generation is configured for IPv6 VRRP, a virtual IPv6 link-local address is generated
automatically using the EUI-64 result of the virtual MAC address. The virtual IPv6 link-local address is generated for a specific
VRRP instance and the virtual link-local address is carried in VRRPv3 advertisements. The auto-generation process is defined in
RFC 5798 allowing cross-vendor platform support. This ability to generate a link-local address automatically depends on the
existence of a consistent virtual MAC address in the local network.
If the virtual link-local address is configured manually, the configured address takes precedence over the automatically generated
address. The administrator should ensure that the configured virtual link-local address is consistent across all routers in the LAN.
When the manually configured address is removed, the auto-generated address is used.
If there is a mismatch in the IPv6 addresses field, Ruckus devices drop the advertisements that are sent by backup VRRP routers.
The advertisements from the master VRRP router are not dropped regardless of the IPv6 address comparison. The virtual MAC
must be consistent on the local network. When the virtual MAC is modified, the virtual link-local address is regenerated.
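The EUI-64 derivation described above, as an added example that is not from the original guide or from Ruckus code: it derives the virtual link-local address from a virtual MAC and reports routers whose virtual MAC would yield a different address. The default IPv6 virtual MAC pattern 00-00-5E-00-02-{VRID} comes from RFC 5798 rather than from this page, and the router names and MAC assignments are constructed.

```python
import ipaddress
from collections import Counter


def vrrp_ipv6_virtual_mac(vrid: int) -> bytes:
    """Default IPv6 VRRP virtual MAC per RFC 5798: 00-00-5E-00-02-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in the range 1 through 255")
    return bytes([0x00, 0x00, 0x5E, 0x00, 0x02, vrid])


def parse_mac(text: str) -> bytes:
    """Accept dotted (0000.5e00.0202), colon or hyphen separated MACs."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def eui64_link_local(mac: bytes) -> ipaddress.IPv6Address:
    """fe80::/64 plus the modified EUI-64 interface identifier of mac."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # Modified EUI-64: flip the universal/local bit of the first octet and
    # insert ff:fe between the two halves of the MAC.
    interface_id = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + interface_id)


def inconsistent_routers(virtual_macs):
    """Return (most common derived address, routers that derive another one).

    virtual_macs maps a router name to the virtual MAC it uses for the VRID.
    """
    derived = {name: eui64_link_local(parse_mac(mac))
               for name, mac in virtual_macs.items()}
    expected, _ = Counter(derived.values()).most_common(1)[0]
    outliers = sorted(name for name, addr in derived.items() if addr != expected)
    return expected, outliers


# Constructed inventory for VRID 2: two routers use the RFC 5798 default
# virtual MAC, one has a manually configured virtual MAC.
SAMPLE_VIRTUAL_MACS = {
    "router-a": "0000.5e00.0202",
    "router-b": "0000.5e00.0202",
    "router-c": "aaaa.bbbb.cccc",
}

if __name__ == "__main__":
    expected, outliers = inconsistent_routers(SAMPLE_VIRTUAL_MACS)
    print("expected virtual link-local:", expected)
    for name in outliers:
        mac = parse_mac(SAMPLE_VIRTUAL_MACS[name])
        print(f"{name} would generate {eui64_link_local(mac)} instead")
```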
The default VRRPv3 implementation allows only the link-local address that is configured on a physical interface to be used as the
virtual IPv6 address of a VRRPv3 session. This limits configuring a link-local address for each VRRP instance on the same physical
interface because there can be only one link-local address per physical interface. To auto-generate and assign a virtual link-local
IPv6 address as the virtual IPv6 address of a VRRPv3 cluster, use the following steps on either an IPv6 VRRPv3 owner or backup
device.
device(config)# interface ve 3
NOTE
You can assign a VRID number in the range of 1 through 255.
device(config-vif-3-vrid-2)# owner
7. Automatically generate the IPv6 link-local address for the VRID for use in the local network.
device(config-vif-3-vrid-2)# activate
The following example shows the auto-generation of a virtual link-local IPv6 address and its allocation as the virtual IPv6 address
of a VRRPv3 session on an IPv6 VRRPv3 owner router.
Before displaying statistics, VRRPv3 must be configured and enabled in your network to generate traffic.
Use one or more of the following commands to display VRRPv3 information. The commands do not have to be entered in this
order.
3. To view detailed statistical information about IPv6 VRRPv3, enter the show ipv6 vrrp statistics command.
VRRP-Ev3 Overview
VRRP Extended version 3 (VRRP-Ev3) introduces IPv6 address support to the Ruckus proprietary VRRP Extended version 2 (VRRP-
Ev2) protocol. VRRP-Ev3 is designed to avoid the limitations in the standards-based VRRPv3 protocol.
To create VRRP-Ev3, Ruckus has implemented the following differences from RFC 5798, which describes VRRPv3, to provide
extended functionality and ease of configuration:
• VRRP-Ev3 does not include the concept of an owner device and a master VRRP-Ev3 device is determined by the priority
configured on the device.
• While the VRRP-Ev3 virtual router IP address must belong in the same subnet as a real IP address assigned to a physical
interface of the device on which VRRP-Ev3 is configured, it must not be the same as any of the actual IP addresses on
any interface.
• Configuring VRRP-Ev3 uses the same task steps for all devices; there are no differences between master and backup device
configuration. The device configured with the highest priority assumes the master role.
VRRP-Ev3 is not supported on non-Ruckus devices and does not interoperate with VRRPv2 or VRRPv3 sessions on Ruckus devices.
NOTE
Only VRRPv3 or VRRP-Ev3 can be enabled in your network.
NOTE
Only 16 VRRP instances are configurable on the ICX 7150 device.
1. On the device designated as a VRRP-Ev3 device, from privileged EXEC mode, enter global configuration mode by issuing
the configure terminal command.
4. Configure the IPv6 address of the interface. All devices configured for the same virtual router ID (VRID) must be on the
same subnet.
NOTE
You can assign a VRID number in the range of 1 through 255.
6. Designate this router as a backup VRRPv3 device. All VRRP-Ev3 devices are initially configured as backup devices; the
device with the highest priority assumes the role of master device.
While configuring a backup device, you can set a priority that is used when the designated master VRRP device goes
offline. The backup device with the highest priority will assume the role of master device.
7. Configure the VRRP version.
device(config-if-e1000-1/1/7-vrid-4)# version 3
The IPv6 address associated with the VRID must not be configured on any of the devices used for VRRP-Ev3.
10. Enable the VRRP session.
device(config-if-e1000-1/1/7-vrid-4)# activate
VRRP-E router 4 for this interface is activating
Before displaying statistics, VRRP-Ev3 must be configured and enabled in your network to generate traffic.
Use one or more of the following commands to display VRRP-Ev3 information. The commands do not have to be entered in this
order.
3. Enter the show ipv6 vrrp-extended vrid 1 command to display detailed IPv6 VRRP-E configuration information about
VRID 1.
4. Enter the clear ipv6 vrrp-extended statistics command to reset the statistical counters for an IPv6 VRRP-Ev3 session.
Multi-VRF overview
Virtual Routing and Forwarding (VRF) allows routers to maintain multiple routing tables and forwarding tables on the same
router. A Multi-VRF router can run multiple instances of routing protocols with a neighboring router with overlapping address
spaces configured on different VRF instances.
NOTE
ICX 7150 devices do not support VRFs.
Central to VRF-Lite is the ability to maintain multiple VRF tables on the same Provider Edge (PE) Router. VRF-Lite uses multiple
instances of a routing protocol such as OSPF or BGP to exchange route information for a VPN among peer PE routers. The VRF-
Lite capable PE router maps an input customer interface to a unique VPN instance. The router maintains a different VRF table for
each VPN instance on that PE router. Multiple input interfaces may also be associated with the same VRF on the router, if they
connect to sites belonging to the same VPN. This input interface can be a physical interface or a virtual Ethernet interface on a
port.
In Multi-VRF deployments:
• Two VRF-capable routers must be directly connected at Layer 3, deploying BGP, OSPF, or static routes.
• Each VRF maintains unique routing and forwarding tables.
• Each VRF can be assigned one or more Layer 3 interfaces on a router to be part of the VRF.
• Each VRF can be configured with IPv4 address family, IPv6 unicast address family, or both.
• A packet’s VRF instance is determined based on the VRF index of the interface on which the packet is received.
• Separate routing protocol instances are required for each VRF instance.
• Overlapping address spaces can be configured on different VRF instances.
Multi-VRF deployments provide the flexibility to maintain multiple virtual routers, which are segregated for each VRF instance.
The following illustrates a generic, high-level topology where different enterprise functions are assigned unique VRF instances.
When you assign a VRF instance to a static or dynamic LAG, the following rules apply.
• If the LAG is operational, the LAG virtual interface can be assigned to a non-default VRF.
• The member ports of a LAG should not be assigned to a non-default VRF routing instance.
• Once a dynamic LAG is operational, all ports are in a LACP blocking state, until the LAG state converges to the forwarding
state.
• When a dynamic LAG is deleted, all the member ports revert to the default VRF.
For the IPv4 partition, the default value for IPv4 TCAM allocation is decreased to 10,000. IPv6 TCAM allocation can then be
increased from the default value of 908 to 1408. Both IPv4 and IPv6 VRF instances are planned to allocate 500 routes each.
The following table lists the ip-vrf configuration limits for the system-max command, by line card and platform.
NOTE
The ICX 7250 is not included in the preceding table because the device does not support VRF. The following table lists
values for ip-route and ip6-route on the ICX 7250.
TABLE 48 Configuration limits for ip-route and ip6-route on ICX 7250 devices
Configuration Min Default Max
The following table lists values for ip-route and ip6-route on the Ruckus ICX 7150. Values vary depending on the IPv6 prefix
length.
TABLE 49 Configuration limits for ip-route and ip6-route on Ruckus ICX 7150 devices
Configuration Min Default Max
The following table lists values for ip-cache and ip6-cache on the Ruckus ICX 7150.
The following examples illustrate the system-max values to support two VRF instances for IPv4 and two instances for IPv6.
• To allocate 2 x 500 routes for IPv4 user-VRF, (10000 - (500+500) = 9000 routes):
NOTE
This example also modifies the ip6-route system-max parameter and is intended only for the ICX 7450.
• After the system reloads, the system-max configuration appears as an active configuration.
!
system-max ip-route 12000
system-max ip6-route 5120
system-max ip-route-default-vrf 9000
system-max ip6-route-default-vrf 5120
system-max ip-route-vrf 500
system-max ip6-route-vrf 500
!
Static ARP
Static ARP entries help ensure Layer 2 to Layer 3 mappings. This removes some network overhead in the form of ARP requests
and replies and can be helpful in managing Multi-VRF networks where devices must communicate on a regular basis. The
interface associated with an ARP entry determines which VRF the ARP entry belongs to. However, the additional management
involved in adding and maintaining static ARP cache entries must also be taken into account.
The arp command is used to configure static ARP entries on a nondefault VRF interface. (An ARP index is not required before a
static ARP is configured.) The arp command is available in the address-family mode for a particular VRF.
Proxy ARP
Proxy ARP allows a Layer 3 switch to answer ARP requests from devices on one subnet on behalf of devices in another network.
Proxy ARP is configured globally and can be further configured per interface. Interface-level configuration overrides the global
configuration.
With the proxy-arp command configured, a router does not respond to ARP requests for IP addresses in the same subnet as the
incoming ports. The local-proxy-arp command permits the router to respond to ARP requests for IP addresses within the same
subnet and to forward all traffic between hosts in the subnet. The local-proxy-arp command is an interface-level configuration
that has no VRF-related impact.
ARP age can be configured globally and on a Layer 3 interface. An ARP age timer configured on a Layer 3 interface overrides the
global configuration for ARP aging. The aging timer ensures that the ARP cache does not retain learned entries that are no longer
valid.
DHCP snooping
Dynamic Host Configuration Protocol (DHCP) snooping enables a Ruckus device to filter untrusted DHCP IPv4 or IPv6 packets in a
subnet. DHCP snooping can ward off man-in-the-middle (MiM) attacks, such as a malicious user posing as a DHCP server sending false DHCP server
reply packets with the intention of misdirecting other users. DHCP snooping can also stop unauthorized DHCP servers and
prevent errors resulting from the user misconfiguration of DHCP servers. DHCP snooping supports Multi-VRFs. For more
information on configuring DHCP IPv4 or IPv6 snooping to support a Multi-VRF instance, refer to the FastIron Ethernet Switch
Security Configuration Guide.
IP Source Guard
You can use IP Source Guard (IPSG) together with Dynamic ARP Inspection (DAI) on untrusted ports. The Ruckus implementation of the IP Source Guard
feature supports configuration on a port, on specific VLAN memberships on a port (for Layer 2 devices only), and on specific
ports on a virtual Ethernet (VE) interface (for Layer 3 devices only). For more information on IPSG, refer to the FastIron Ethernet
Switch Security Configuration Guide.
Configuring Multi-VRF
Configuring VRF system-max values
Use this example procedure to modify the default system-max values to accommodate Multi-VRF on a Ruckus ICX 7450.
The default system-max value must be configured because the device does not have routing table space for user VRFs.
In this example, two user VRFs are configured with 512 maximum routes on each VRF. The ip-route-default-vrf and ip-route-vrf
values must be modified. The write memory and reload commands are required after the modification.
Once the device has rebooted after the reload, enter the show default values command to display the system-max settings.
device(config)#
2. Change the maximum number of routes, save the configuration, and reload the device.
device(config)# vlan 10
device(config-vlan-10)#
3. Repeat the previous step on the corresponding interface on the peer device.
A device can be configured with more than one VRF instance. You should define each VRF instance before assigning the VRF to a
Layer 3 interface. The range of the instance name is from 1 through 255 alphanumeric characters. Each VRF instance is identified
by a unique Route Distinguisher (RD), which is prepended to the address being advertised. Because the RD provides overlapping
client address space with a unique identifier, the same IP address can be used for different VRFs without conflict. The RD can be
an AS number, followed by a colon (:) and a unique arbitrary number as shown below. Alternatively, it can be a local IP address
followed by a colon (:) and a unique arbitrary number, as in "1.1.1.1:100". An optional router ID can also be assigned.
Use the address-family command in VRF configuration mode to specify an IPv4 or IPv6 address family. For a specific address
family you can also configure static route, static ARP, IGMP, and multicast for IPv4, and static route, IPv6 neighbor, and multicast
for IPv6.
ATTENTION
Using the overwrite option while downloading a configuration from a TFTP server to the running-config will lead to the
loss of all VRF configurations when a VRF is configured on a routing interface.
device(config-vrf-corporate)# rd 11:11
3. Use the address-family unicast (VRF) command to configure an address family on the VRF and exit. This example uses
IPv4.
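The VRF definition rules above (unique RD per VRF, RD written as AS-number:number or IP-address:number, VRF defined before it is assigned to an interface) can be checked offline against a saved configuration. The following Python audit is an added example, not Ruckus code; the configuration text is constructed, its layout is assumed, and the function names and finding labels are hypothetical.

```python
import ipaddress
import re

# Constructed configuration fragment (sample names and values, assumed layout).
SAMPLE_CONFIG = """\
vrf corporate
 rd 11:11
 address-family ipv4
 exit-address-family
exit-vrf
vrf customer-1
 rd 1.1.1.1:100
exit-vrf
vrf guest
 rd 11:11
exit-vrf
vrf lab
 rd 65000
exit-vrf
interface ve 10
 vrf forwarding corporate
interface loopback 1
 vrf forwarding customer-2
"""


def parse_rd(text):
    """Return ('asn', asn, n) or ('ip', addr, n); None if neither RD form matches."""
    admin, sep, number = text.rpartition(":")
    if not sep or not re.fullmatch(r"[0-9]+", number):
        return None
    if re.fullmatch(r"[0-9]+", admin):
        return ("asn", int(admin), int(number))
    try:
        return ("ip", str(ipaddress.IPv4Address(admin)), int(number))
    except ValueError:
        return None


def audit_vrfs(config):
    """Return findings as (label, subject, detail) tuples, in file order."""
    findings, defined, rd_owner = [], set(), {}
    vrf = iface = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():                      # top-level statement
            vrf = iface = None
            if words[0] == "vrf" and len(words) == 2:
                vrf = words[1]
                defined.add(vrf)
                if len(vrf) > 255:                    # name is 1 through 255 characters
                    findings.append(("name-too-long", vrf, ""))
            elif words[0] == "interface":
                iface = " ".join(words[1:])
        elif vrf and words[0] == "rd" and len(words) == 2:
            rd = parse_rd(words[1])
            if rd is None:
                findings.append(("invalid-rd", vrf, words[1]))
            elif rd in rd_owner:                      # RD must be unique per VRF
                findings.append(("duplicate-rd", vrf, rd_owner[rd]))
            else:
                rd_owner[rd] = vrf
        elif iface and words[:2] == ["vrf", "forwarding"] and len(words) == 3:
            if words[2] not in defined:               # VRF must be defined first
                findings.append(("undefined-vrf", iface, words[2]))
    return findings


if __name__ == "__main__":
    for finding in audit_vrfs(SAMPLE_CONFIG):
        print(finding)
```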
1. In global configuration mode, enable OSPF for the VRF instance "corporate."
device(config-ospf-router-vrf-corporate)# area 0
3. (Optional) Configure the VRF to ensure that essential OSPF neighbor state changes are logged, especially in the case of
errors.
ATTENTION
After you configure a VRF instance on the device, you must assign one or more Layer 3 interfaces (physical or virtual
Ethernet) to the VRF. When you do this, all existing IP addresses are deleted; this action also triggers cache deletion,
route deletion, and associated cleanup. After you assign an interface to the VRF, you must reconfigure the IP address
and interface properties.
device(config)# interface ve 10
device(config-vif-10)# exit
Because a loopback interface is always available as long as the device is available, it allows routing protocol sessions to stay up
even if the outbound interface is down. Assigning a loopback interface to a VRF is similar to assigning any interface. A loopback
interface that is not assigned to a nondefault VRF belongs to the default VRF.
2. In global configuration mode, enter interface subtype configuration mode and assign a loopback interface.
3. Use the vrf forwarding command to assign the interface to the VRF "customer-1" in this example.
To verify all configured VRFs in summary mode, enter the show vrf command, as in the following example.
To verify a specific VRF in detail mode, enter the show vrf detail vrf-name command, as in the following example.
To verify all configured VRFs in detail mode, enter the show vrf detail command, as in the following example.
The following commands display additional information about a specific application, protocol configuration, or protocol state for
both the default VRF and user-defined VRFs.
To delete a VRF instance from a specific port, use the no form of the vrf command. This removes all Layer 3 interface bindings
from the VRF, and returns the interface to default VRF mode. All IP addresses and protocol configuration on this Layer 3 interface
are removed.
To delete an IPv4 or IPv6 address family from a VRF instance, use the no form of the address-family command. All configuration
related to the address family on all ports of the VRF are removed. Routes allocated to the address family are returned to the
global pool.
To delete a VRF instance globally, use the no form of the vrf command. All IPv4 or IPv6 addresses are removed from all
interfaces.
1. The following example illustrates how to configure static ARP on default VRFs on an Ethernet interface.
2. The following example illustrates how to configure static ARP on nondefault VRFs.
NOTE
The arp command can be used to configure static-ARP entries on a nondefault VRF interface. The VRF
command does not require an ARP index before a static-ARP is configured. The arp command is available in
the address-family mode for a particular VRF.
device(config)#
device(config)# vrf customer-1
device(config-vrf-customer-1)# address-family ipv4
device(config-vrf-customer-1-ipv4)# arp 1.1.1.1 0004.8044.5566 ethernet 1/7/8
device(config-vrf-customer-1-ipv4)# exit-address-family
device(config-vrf-customer-1)# exit-vrf
device(config)#
device(config)# proxy-arp
device(config)# rate-limit-arp
To configure ARP rate limiting on a Layer 3 Ethernet interface for an aging timeout of 20 minutes:
A number of common types of denial-of-service (DoS) attacks, including Smurf and Tribe Flood Network (TFN), can take
advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks.
Reverse Path Forwarding (RPF) is designed to prevent such an attacker from spoofing a source IP address by checking that the
source IP address specified for a packet is received from a network to which the device has access. Packets with invalid source IP
addresses are not forwarded. RPF is supported for IPv4 and IPv6 packets. Differences in RPF support between IPv4 and IPv6 are
noted within this section where necessary. RFC 3704, Ingress Filtering for Multihomed Networks, covers various aspects of the
source IP address being spoofed in traffic being forwarded.
FastIron devices support two unicast Reverse Path Forwarding (uRPF) modes according to RFC 3704:
• Strict mode: In this mode, all incoming packets are tested against the forwarding information base (FIB). If the incoming
interface is not the best reverse path, the packet check fails. Failed packets are discarded by default. Source IP (SIP)
lookup and the SIP next hop layer interface information is used in this mode. This mode has options to include default
route check or exclude default route check. Including the default route check is the default configuration mode. Use the
rpf-mode strict command for this mode. To exclude the default route check, add the urpf-exclude-default option after
the rpf-mode strict command.
• Loose mode: In this mode, each incoming packet's source address is tested against the forwarding information base. As
long as there is a match for the source IP address in the forwarding information base, the traffic is allowed. Next hop
interface information is not used in this mode. The packet is dropped only if the source address is not reachable through
any interface on that router. This mode has options to include or exclude the default route check. Including the default
route check is the default configuration mode. Use the rpf-mode loose command for this mode. To exclude the default
route check, you must explicitly add the urpf-exclude-default option after the rpf-mode loose command.
• If a VLAN has multiple ports, the uRPF check will not identify packets coming in from different ports within the same
VLAN, because a VLAN is considered as having a single Layer 3 interface.
• uRPF can be configured along with PBR, ACLs, routing protocol configurations, and multicast configurations.
• uRPF is not supported on tunnel interfaces.
• Tunnel keep-alive packets will be dropped in the hardware if uRPF is configured.
• uRPF must not be configured on devices where group-VE, tunnel keep-alive packets, or OpenFlow is configured.
• Counters or logging information is unavailable for uRPF hits.
• After enabling reverse path check, you must reload the device for uRPF to be programmed.
• Tunnel over user VRF should not be configured on a device on which uRPF is enabled.
ICX 7750, ICX 7650, ICX 7450, and ICX 7250 considerations
• ICX 7750 and ICX 7650 devices support global configuration mode and interface configuration mode.
• Per-interface level configuration is available on VE interfaces and physical ports only.
• IPv4 and IPv6 unicast routed packets are subjected to uRPF check on ICX 7750 and ICX 7650 devices.
• Scaling numbers are reduced by half for the following system values when uRPF is enabled: ip-route, ip6-route, ip-route-
default-vrf, ip6-route-default-vrf, ip-route-vrf, ip6-route-vrf.
• uRPF and MCT should not be configured together.
• If the number of ECMP paths for a route is more than 8, the hardware automatically chooses to use loose mode check,
despite the configuration on the incoming interface.
• If the interface is not uRPF-enabled, the traffic is not subjected to uRPF check.
• If the interface is uRPF-enabled, both IPv4 and IPv6 traffic is subjected to uRPF check.
NOTE
uRPF is not supported on the ICX 7150.
NOTE
In strict mode (interface configuration), if the number of ECMP paths for a route is more than eight, the hardware will
apply loose mode check for the SIP check, even if the interface is configured as strict mode.
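The strict and loose checks described in this section, modelled in Python as an added example (not Ruckus code and not FastIron CLI). The FIB contents, interface names and function names are constructed for illustration; the fallback to a loose check above eight ECMP paths follows the note above.

```python
import ipaddress
from dataclasses import dataclass

ECMP_STRICT_LIMIT = 8   # per the text: above 8 ECMP paths, strict is checked as loose


@dataclass(frozen=True)
class Route:
    prefix: str          # destination prefix in the FIB
    interfaces: tuple    # next-hop interfaces; more than one entry means ECMP

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# Constructed FIB: documentation prefixes and hypothetical interface names.
FIB = [
    Route("192.0.2.0/24", ("ve10",)),
    Route("198.51.100.0/24", ("ve20",)),
    Route("203.0.113.0/24", tuple(f"ve{n}" for n in range(101, 110))),  # 9-way ECMP
    Route("0.0.0.0/0", ("e1/1/1",)),                                   # IPv4 default route
    Route("2001:db8:1::/48", ("ve10",)),                               # no IPv6 default route
]


def longest_match(fib, src):
    """Return the most specific route covering the source address, or None."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in fib if r.network.version == addr.version and addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)


def urpf_check(fib, src, in_iface, mode, exclude_default=False):
    """Return (permit, reason) for a packet with source `src` received on `in_iface`."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = longest_match(fib, src)
    if route is None:
        return False, "no route to source"
    # With the default route check excluded, a default-route match does not count.
    if exclude_default and route.network.prefixlen == 0:
        return False, "source matches only the default route"
    if mode == "strict" and len(route.interfaces) > ECMP_STRICT_LIMIT:
        return True, "more than 8 ECMP paths: checked as loose"
    if mode == "loose":
        return True, "source is reachable"
    if in_iface in route.interfaces:
        return True, "arrived on a reverse-path interface"
    return False, "arrived on a non-reverse-path interface"


if __name__ == "__main__":
    for src, iface, mode, excl in [
        ("192.0.2.10", "ve20", "strict", False),
        ("192.0.2.10", "ve20", "loose", False),
        ("100.64.0.1", "ve10", "loose", True),
    ]:
        print(src, iface, mode, excl, urpf_check(FIB, src, iface, mode, excl))
```

The second and third sample packets show the trade-off: loose mode accepts a source that arrives on the wrong interface, and a default route makes every IPv4 source "reachable" unless the default route check is excluded.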
TABLE 53 ICX 7750 and ICX 7650 system-max values without uRPF configuration
System parameter Default Maximum Current Configured
TABLE 54 ICX 7750 system-max values with uRPF configuration after reload
System parameter Default Maximum Current Configured
TABLE 56 ICX 7250 system-max values with uRPF configuration after reload
System parameter Default Maximum Current Configured
TABLE 58 ICX 7450 system-max values with uRPF configuration after reload
System parameter Default Maximum Current Configured
Either strict or loose mode can be configured when you globally enable uRPF on FastIron devices. uRPF is not supported on
tunnel interfaces. When uRPF is enabled on a VE interface or a physical interface with an IP address configured, the prefixes
learned over these uRPF-enabled interfaces will be checked with the uRPF criteria. On FastIron ICX devices, the uRPF check
enables the interface level CLI and hardware settings. You should reload the device after enabling reverse path check for this
configuration to be captured in the system settings.
device(config)# reverse-path-check
You must enable uRPF forwarding globally before you enable the required forwarding modes.
3. Enter the rpf-mode command followed by the required mode (strict or loose) you want to configure on the device. You
can optionally use the exclude default route check (urpf-exclude-default) on the physical interface.
You must enable uRPF globally using the reverse-path-check command before configuring uRPF on PE ports.
The other RPF modes that you can configure are rpf-mode loose, rpf-mode strict with the urpf-exclude-default option, and
rpf-mode loose with the urpf-exclude-default option.
6. Enter the show run interface ve command to verify the RPF mode configured on the device.