ECS4100 Series CLI Reference Guide Software Release v1.2.77.212 www.edge-core.
CLI Reference Guide
ECS4100-12T Gigabit Ethernet Switch
L2+/L3 Lite Gigabit Ethernet Switch with 8 10/100/1000BASE-T ports, 2 Combos and 2 SFP ports
ECS4100-12PH Gigabit Ethernet Switch
L2+/L3 Lite UPOE Gigabit Ethernet Switch with 8 10/100/1000BASE-T PoE+ Ports, 2 Combos and 2 SFP ports
ECS4100-26TX Gigabit Ethernet Switch
L2+ Gigabit Ethernet Switch with 24 10/100/1000BASE-T ports and 2 10 SFP+ ports
ECS4100-26TX-ME Gigabit Ethernet Switch
L2+ Gigabit Ethernet Switch with 24 10/100/1000BASE-T ports an
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read This Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment.
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Documentation
This documentation is provided for general information purposes only.
Revision / Date / Change Description
v1.2.24.182, 10/2018. Added:
◆ ECS4100-12T v2 to models supported
◆ "led-port-mode" on page 453 allows PoE port link activity LEDs to show PoE status.
v1.2.24.182, 09/2018. Added:
◆ "dot1x eapol-pass-through" on page 272
◆ "Automatic Traffic Control Commands" on page 470 commands to set broadcast and multicast storm detection limits and control actions to be taken.
v1.2.9.173, 11/2017.
Revision v1.2.2.
Revision v1.2.2.172 Date 06/2017 v1.11.08.
Section I
Getting Started
This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration
This chapter includes information on connecting to the switch and basic configuration procedures.
Connecting to the Switch
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: An IPv4 address for this switch is obtained via DHCP by default.
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.
4. Power on the switch. After the system completes the boot cycle, the logon screen appears.
Logging Onto the Command Line Interface
The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.
Username: admin
Password:
CLI session with the ECS4100-26TX* is opened.
To end the CLI session, enter [Exit].
Configuring the Switch for Remote Management
Using the Network Interface
The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to standard network ports, such as ACLs and VLAN tagging.
Assigning an IPv4 Address
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
◆ IP address for the switch
◆ Network mask for this network
◆ Default gateway for the network
To assign an IPv4 address to the switch, complete the following steps:
1.
To configure an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter.
To generate an IPv6 global unicast address for the switch, complete the following steps:
1. From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2.
Dynamic Configuration
Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
Address is 00-E0-0C-00-00-FD
Index: 1001, MTU: 1500
Address Mode is DHCP
IP Address: 192.168.0.4 Mask: 255.255.255.
Configuring the Switch for Cloud Management
The Edgecore ecCLOUD Controller is a cloud-based network service available from anywhere through a web-browser interface. The switch can be managed by the ecCLOUD controller once you have set up an account and registered the device on the system. By default, the cloud management agent is disabled on the switch.
Enabling SNMP Management Access
views to version 1 or 2c community strings that suit your specific security requirements (see snmp-server view command).
Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch.
where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv” means that authentication, no authentication, or authentication and privacy is used for v3 clients. Then press <Enter>.
Managing System Files
server for backup. The file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. If the system is booted with the factory default settings, the switch will also create a file named “startup1.cfg” that contains system settings for switch initialization, including information about the unit identifier, and MAC address for the switch.
Choose file type:
1. config; 2. opcode: 2
Source file name: ECS4100_V1.2.24.182.bix
Destination file name: ECS4100_V1.2.24.182.bix
Flash programming started.
Flash programming completed.
Success.
Console#config
Console(config)#boot system opcode:ECS4100_V1.2.24.182.bix
Success.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
To restore configuration settings from a backup server, enter the following command:
1. From the Privileged Exec mode prompt, type “copy tftp startup-config” and press <Enter>.
2. Enter the address of the TFTP server. Press <Enter>.
3.
Installing a Port License File
Eth 1/ 8 License 1 0 Auto 1000BASE-T None
Eth 1/ 9 License 1 0 Auto 1000BASE-T None
Eth 1/10 License 1 0 Auto 1000BASE-T None
Eth 1/11 License 1 0 Auto 1000BASE SFP None
Eth 1/12 License 1 0 Auto 1000BASE SFP None
Console#
To order a license, you must provide the following information to Edgecore:
◆ Switch model number (for example, ECS4100-12T)
◆ System MAC address.
To verify that a port license is installed on the switch, enter the show interfaces brief command from the console port.
Automatic Installation of Operation Code and Configuration Settings
◆ The FTP connection is made with PASV mode enabled. PASV mode is needed to traverse some firewalls, even if FTP traffic is not blocked. PASV mode cannot be disabled.
◆ The switch-based search function is case-insensitive in that it will accept a file name in upper or lower case (i.e., the switch will accept ECS4100-Series.BIX from the server even though ECS4100-series.bix was requested).
■ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
ftp://[username[:password@]]192.168.0.1[/filedir]/
If the user name is omitted, “anonymous” will be used for the connection. If the password is omitted, a null string (“”) will be used for the connection.
4. Display the automatic upgrade settings.
Console#show upgrade
Auto Image Upgrade Global Settings:
Status : Enabled
Reload Status : Enabled
Path :
File Name : ECS4100-series.bix
Console#
The following shows an example of the upgrade process.
Console#dir
File Name Type Startup Modify Time Size(bytes)
-------------------------- -------------- ------- ------------------- ------
Unit 1:
ECS4100_V1.1.3.
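The FTP upgrade path syntax, its defaults, and the case-insensitive file search described above can be checked before a path is entered on the switch. The following is an added example, not code from the guide or from Edgecore: the function names are hypothetical, the sample paths and file listing are constructed, and only ftp:// paths are handled.

```python
from urllib.parse import urlsplit, unquote


def parse_ftp_upgrade_path(path):
    """Parse ftp://[username[:password]@]server[/filedir]/ and apply the
    defaults the guide states: user "anonymous", password "" (null string)."""
    parts = urlsplit(path)
    if parts.scheme.lower() != "ftp":
        raise ValueError(f"not an ftp:// upgrade path: {path!r}")
    if not parts.hostname:
        raise ValueError(f"no server address in {path!r}")
    # The documented template ends in "/": the path names a directory, and the
    # image file name is configured separately ("File Name" in show upgrade).
    if not parts.path.endswith("/"):
        raise ValueError(f"upgrade path must end with '/': {path!r}")
    return {
        "server": parts.hostname,
        "username": unquote(parts.username) if parts.username else "anonymous",
        "password": unquote(parts.password) if parts.password else "",
        "filedir": parts.path,
        "password_in_path": bool(parts.password),
    }


def audit_upgrade_path(path):
    """Return the points a reviewer would raise for this upgrade path."""
    info = parse_ftp_upgrade_path(path)
    findings = []
    if info["password_in_path"]:
        findings.append("password is written into the path and FTP sends it unencrypted")
    if info["username"] == "anonymous":
        findings.append("no user name given: the switch logs in as anonymous with a null password")
    return findings


def matching_images(requested, listing):
    """Names in a server directory listing that satisfy the case-insensitive
    search. More than one result means the server holds names that differ
    only by case, so the directory should be cleaned up."""
    wanted = requested.lower()
    return [name for name in listing if name.lower() == wanted]


if __name__ == "__main__":
    # Constructed sample paths; 192.168.0.1 is the address used in the guide's template.
    for sample in ("ftp://192.168.0.1/",
                   "ftp://upgrade:Example-Pass1@192.168.0.1/images/",
                   "ftp://upgrade@192.168.0.1/images/"):
        print(sample, "->", audit_upgrade_path(sample) or "no findings")
    # Constructed directory listing on a case-sensitive FTP server.
    print(matching_images("ECS4100-series.bix",
                          ["ECS4100-Series.BIX", "ecs4100-series.bix", "readme.txt"]))
```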
Downloading a Configuration File and Other Parameters from a DHCP Server
Specifying a DHCP Client Identifier
DHCP servers index their database of address bindings using the client’s Media Access Control (MAC) Address or a unique client identifier. The client identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
◆ The bootup configuration file received from a TFTP server is stored on the switch with the original file name. If this file name already exists in the switch, the file is overwritten.
◆ If the name of the bootup configuration file is the same as the Factory Default Configuration file, the download procedure will be terminated, and the switch will not send any further DHCP client requests.
The following configuration example is provided for a Linux-based DHCP daemon (dhcpd.conf file). In the “Vendor class” section, the server will always send Option 66 and 67 to tell the switch to download the “test” configuration file from server 192.168.255.101.
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
server-name "Server1";
Server-identifier 192.168.255.
Setting the System Clock
The switch also supports the following time settings:
◆ Time Zone – You can specify the offset from Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT).
◆ Summer Time/Daylight Saving Time (DST) – In some regions, the time shifts by one hour in the fall and spring. The switch supports manual entry for one-time or recurring clock shifts.
SNTP Status : Enabled
SNTP Server : 10.1.0.19
Current Server : 10.1.0.19
Console#
Configuring NTP
Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
Section II | Command Line Interface ◆ “UniDirectional Link Detection Commands” on page 497 ◆ “Address Table Commands” on page 505 ◆ “Smart Pair Commands” on page 513 ◆ “TWAMP Commands” on page 519 ◆ “Spanning Tree Commands” on page 521 ◆ “VLAN Commands” on page 551 ◆ “ERPS Commands” on page 603 ◆ “Class of Service Commands” on page 637 ◆ “Quality of Service Commands” on page 649 ◆ “Multicast Filtering Commands” on page 661 ◆ “LLDP Commands” on page 773 ◆ “CFM Commands” on page 799 ◆
2 Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Chapter 2 | Using the Command Line Interface Accessing the CLI Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
Note: You can open up to eight sessions to the device via Telnet or SSH.

Entering Commands
This section describes how to enter CLI commands.

Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.

Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
Chapter 2 | Using the Command Line Interface Entering Commands power power-save pppoe privilege process protocol-vlan public-key qos queue radius-server reload rmon rspan running-config sflow snmp snmp-server sntp spanning-tree ssh startup-config subnet-vlan system tacacs-server tcam tech-support time-range traffic-segmentation udld upgrade users version vlan vlan-translation voice watchdog web-auth Console#show Shows power Shows the power saving information Displays PPPoE configuration Shows current priv
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
Table 3: General Command Modes
Class | Mode
Exec | Normal, Privileged
Configuration | Global*, Access Control List, Class Map, DHCP, IGMP Profile, Interface, Line, Multiple Spanning Tree, Policy Map, Time Range, VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
Chapter 2 | Using the Command Line Interface Entering Commands To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Table 5: Keystroke Commands (Continued)
Keystroke | Function
Ctrl-K | Deletes all characters from the cursor to the end of the line.
Ctrl-L | Repeats current command line on a new line.
Ctrl-N | Enters the next command line in the history buffer.
Ctrl-P | Enters the last command.
Ctrl-R | Repeats current command line on a new line.
Ctrl-U | Deletes from the cursor to the beginning of the line.
Ctrl-W | Deletes the last word typed.
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index (Continued)
Command Group | Description | Page
UniDirectional Link Detection | Detects and disables unidirectional links | 497
Address Table | Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time | 505
Spanning Tree | Configures Spanning Tree settings for the switch | 521
ERPS | Configures Ethernet Ring Protection Switching for increased availab
GC (Global Configuration)
IC (Interface Configuration)
IPC (IGMP Profile Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
VC (VLAN Database Configuration)
3 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Mode
Global Configuration
Command Usage
This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval.
Chapter 3 | General Commands Default Setting None Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 132).
Chapter 3 | General Commands ◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode. Example Console>enable Password: [privileged level password] Console# Related Commands disable (98) enable password (230) quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program.
Chapter 3 | General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
Chapter 3 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 84. Default Setting None Command Mode Privileged Exec Command Usage The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
Chapter 3 | General Commands show reload This command displays the current reload settings, and the time at which next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2015. Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds. Console# end This command returns to Privileged Exec mode.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit

Press ENTER to start session

User Access Verification

Username:
4 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Cloud Management
Table 9: Cloud Management Commands
Command | Function | Mode
show mgmt status | Displays the cloud management agent status | PE
show mgmt version | Displays the cloud management agent code version | PE
show mgmt log | Displays log messages from the cloud management agent | PE
show mgmt option | Displays the cloud management agent configuration options | PE

mgmt
This command enables or disables the cloud management agent for the switch.
Chapter 4 | System Management Commands Cloud Management Command Mode Global Configuration Command Usage ◆ The logging levels from minimum severity to maximum severity are: Trace, Debug, Info, Warn, Error. ◆ This command configures messages logged by the cloud management agent based on severity. Messages from the configured level up to the maximum level are logged. Therefore, if Info is the configured level, all messages for Info, Warn, and Error are logged.
Table 10: Cloud Management Agent Options (Continued)
Name | Type | Required | Default | Notes
acn.mgmt.loglevel | string | no | “info” | Logging level for mgmtd. Possible values in descending order: error, warn, info, debug, trace.
acn.mgmt.hb_interval | int | no | 60 | Heartbeat message sending interval.
acn.mgmt.hb_ack_timeout | int | no | 57 | Heartbeat acknowledgement timeout (after which a connection problem is considered to be present)
acn.mgmt.
Chapter 4 | System Management Commands Cloud Management Example Console(config)#mgmt setoption acn.mgmt.status_interval=600 Console(config)# mgmt property This command sets the cloud management agent properties to their default values. Syntax mgmt property default Default Setting None Command Mode Global Configuration Example Console(config)#mgmt property default Console(config)# mgmt upgrade This command upgrades the cloud management agent software from a file on a TFTP server.
Chapter 4 | System Management Commands Cloud Management show mgmt status This command displays the status of the cloud management agent. Syntax show mgmt status Command Mode Privileged Exec Example Console#show mgmt status Console# show mgmt version This command displays the version of the cloud management agent. Syntax show mgmt version Command Mode Privileged Exec Example Console#show mgmt version Mgmtd version: 1.4.
Chapter 4 | System Management Commands Device Designation 2020-10-26 10:19:39 [info]: mgmtd status set to REG_FAILED 2020-10-26 10:19:39 [error]: Error: Unable to contact registration service! (Empty response) Console# show mgmt option This command displays the cloud management agent options. Syntax show mgmt option Command Mode Privileged Exec Example Console#show mgmt option Mgmtd Option: acn.mgmt=acn acn.mgmt.loglevel=info acn.mgmt.enabled=0 acn.register=register acn.register.state=0 acn.register.
Chapter 4 | System Management Commands Banner Information name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration Command Usage ◆ The host name specified by this command is displayed by the show system command and on the Show > System web page. ◆ This command and the prompt command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Table 12: Banner Commands (Continued)
Command | Function | Mode
banner configure lp-number | Configures the LP Number information that is displayed by banner | GC
banner configure manager-info | Configures the Manager contact information that is displayed by banner | GC
banner configure mux | Configures the MUX information that is displayed by banner | GC
banner configure note | Configures miscellaneous information that is displayed by banner under the | GC
Chapter 4 | System Management Commands Banner Information The physical location of the equipment. City and street address: 12 Straight St. Motown, Zimbabwe Information about this equipment: Manufacturer: Edgecore Networks ID: 123_unique_id_number Floor: 2 Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply. Floor: 2 Row: 7 Rack: 25 Electrical circuit: : ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.
banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.
Chapter 4 | System Management Commands Banner Information Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure equipment-info manufacturer-id ECS4510-28T floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edgecore
Console(config)#

banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
Chapter 4 | System Management Commands Banner Information Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
Chapter 4 | System Management Commands Banner Information Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Chapter 4 | System Management Commands System Status show banner This command displays all banner information. Command Mode Normal Exec, Privileged Exec Example Console#show banner Edgecore WARNING - MONITORED ACTIONS AND ACCESSES R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis ECS4100-26TX Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.
Table 13: System Status Commands (Continued)
Command | Function | Mode
show users | Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients | NE, PE
show version | Displays version information for the system | NE, PE
show watchdog | Shows if watchdog debugging is enabled | PE
watchdog software | Monitors key processes, and automatically reboots the system if any of these processes are not responding correc
1 0 16 128 0 128 DE4
1 0 17 128 0 128 DEM
Console#

Table 14: show access-list tcam-utilization - display description
Field | Description
Pool Capability Code | Abbreviation for processes shown in the TCAM List.
Unit | Stack unit identifier.
Device | Memory chip used for indicated pools.
Pool | Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
Chapter 4 | System Management Commands System Status show process cpu This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
Chapter 4 | System Management Commands System Status Table 15: show process cpu guard - display description Field Description CPU Guard Configuration Status Shows if CPU Guard has been enabled. High Watermark If the percentage of CPU usage time is higher than the high-watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
Chapter 4 | System Management Commands System Status FS HTTP_TD HW_WTDOG_TD IML_TX IP_SERVICE_GROU KEYGEN_TD L2_L4_PROCESS L2MCAST_GROUP L2MUX_GROUP L4_GROUP LACP_GROUP MSL_TD NETACCESS_GROUP NETACCESS_NMTR NETCFG_GROUP NETCFG_PROC NIC NMTRDRV NSM_GROUP NSM_PROC NSM_TD OSPF6_TD OSPF_TD PIM_GROUP PIM_PROC PIM_SM_TD POE_PROC RIP_TD SNMP_GROUP SNMP_TD SSH_GROUP SSH_TD STA_GROUP STKCTRL_GROUP STKTPLG_GROUP SWCTRL_GROUP SWCTRL_TD SWDRV_MONITOR SYS_MGMT_PROC SYSDRV SYSLOG_TD SYSMGMT_GROUP SYSTEM UDLD_GROUP WTDOG
Chapter 4 | System Management Commands System Status show running-config This command displays the configuration information currently in use. Syntax show running-config [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26/28/52) port-channel channel-id (Range: 1-16) vlan vlan-id (Range: 1-4094) Command Mode Privileged Exec Command Usage Use the interface keyword to display configuration data for the specified interface.
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 VLAN 1 name DefaultVlan media ethernet
!
spanning-tree mst configuration
!
interface ethernet 1/1
 no negotiation
...
Chapter 4 | System Management Commands System Status Example Refer to the example for the running configuration file. Related Commands show running-config (123) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#show system System Description : ECS4100-52P System OID String : 1.3.6.1.4.1.259.10.1.46.107 System Information System Up Time : 0 days, 0 hours, 0 minutes, and 24.
Chapter 4 | System Management Commands System Status Table 16: show system – display description (Continued) Parameter Description System Contact Administrator responsible for the system. MAC Address MAC address assigned to this switch. Web Server/Port Shows administrative status of web server and UDP port number. Web Secure Server/Port Shows administrative status of secure web server and UDP port number. Telnet Server/Port Shows administrative status of Telnet server and TCP port number.
Chapter 4 | System Management Commands System Status --------------- ----------------- --------- ----------192.168.2.99 F0-79-59-8F-2B-FE dynamic VLAN 1 Total entry : 1 show interfaces brief: Interface Name --------- ---------------Eth 1/ 1 Eth 1/ 2 Eth 1/ 3 Eth 1/ 4 Eth 1/ 5 ...
show version
This command displays hardware and software version information for the system.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show version
Unit 1
 Serial Number : EC1609000920
 Hardware Version : R0A
 Number of Ports : 26
 Main Power Status : Up
 Role : Master
 Loader Version : 1.0.0.4
 Linux Kernel Version : 2.6.19
 Operation Code Version : 1.1.3.
Chapter 4 | System Management Commands Frame Size watchdog software This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly. Syntax watchdog software {disable | enable} Default Setting Disabled Command Mode Privileged Exec Example Console#watchdog software disable Console# Frame Size This section describes commands used to configure the Ethernet frame size on the switch.
Chapter 4 | System Management Commands File Management ◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
Chapter 4 | System Management Commands File Management can be copied to the FTP/SFTP/TFTP server, but cannot be used as the destination on the switch.
Chapter 4 | System Management Commands File Management Command Mode Global Configuration Command Usage ◆ A colon (:) is required after the specified file type. ◆ If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands dir (137) whichboot (138) copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/SFTP/TFTP server.
Chapter 4 | System Management Commands File Management sftp - Keyword that copies a file to or from an SFTP server. startup-config - The configuration used for system initialization. tftp - Keyword that allows you to copy to/from a TFTP server. Default Setting None Command Mode Privileged Exec Command Usage ◆ The system prompts for data required to complete the copy command. ◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on
Chapter 4 | System Management Commands File Management ◆ Secure Shell FTP (SFTP) provides a method of transferring files between two network devices over an SSH2-secured connection. SFTP functions similar to Secure Copy (SCP), using SSH for user authentication and data encryption. Although the underlying premises of SFTP are similar to SCP, it requires some additional steps to verify the protocol versions and perform security checks.
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

This example shows how to copy a secure-site certificate from a TFTP server.
Chapter 4 | System Management Commands File Management This example shows how to copy a file from an SFTP server. Note that the public key offered by the server is not found on the local system, but is saved locally after the user selects to continue the copy operation. Console#copy sftp file SFTP server IP address: 192.168.0.110 Choose file type: 1. config: 2. opcode: 1 Source file name: startup2.cfg Destination file name: startup2.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete file name test2.cfg
Console#
Related Commands
dir (137)
delete public-key (267)

dir
This command displays a list of files in flash memory.
Syntax
dir {config | opcode}: [filename]
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image.
Chapter 4 | System Management Commands File Management Example The following example shows how to display all file information: Console#dir File Name Type Startup Modified Time Size (bytes) ------------------------------ ------- ------- ------------------- -----------Unit 1: ECS4100_V1.1.3.164.bix OpCode Y 2016-10-17 11:30:26 9027848 Factory_Default_Config.cfg Config N 2015-07-01 07:24:11 455 startup1.
Chapter 4 | System Management Commands File Management Default Setting Disabled Command Mode Global Configuration Command Usage ◆ This command is used to enable or disable automatic upgrade of the operational code. When the switch starts up and automatic image upgrade is enabled by this command, the switch will follow these steps when it boots up: 1. It will search for a new version of the image at the location specified by upgrade opcode path command.
upgrade opcode path
This command specifies a TFTP server and directory in which the new opcode is stored. Use the no form of this command to clear the current setting.
Syntax
upgrade opcode path opcode-dir-url
no upgrade opcode path
opcode-dir-url - The location of the new code.
upgrade opcode reload
This command reloads the switch automatically after the opcode upgrade is completed. Use the no form to disable this feature.
Syntax
[no] upgrade opcode reload
Default Setting
Disabled
Command Mode
Global Configuration
Example
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode reload
Console(config)#

show upgrade
This command shows the opcode upgrade configuration settings.
Chapter 4 | System Management Commands File Management Default Setting 15 Command Mode Global Configuration Example Console(config)#ip tftp retry 10 Console(config)# ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Chapter 4 | System Management Commands Line Example Console#show ip tftp TFTP Settings: Retries : 15 Timeout : 5 seconds Console# Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Chapter 4 | System Management Commands Line Table 21: Line Commands (Continued) Command Function Mode terminal Configures terminal settings, including escape-character, line length, terminal type, and width PE show line Displays a terminal line's parameters NE, PE * These commands only apply to the serial port. line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line.
Chapter 4 | System Management Commands Line databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits 7 - Seven data bits per character. 8 - Eight data bits per character.
Chapter 4 | System Management Commands Line Command Usage ◆ If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. ◆ This command applies to both the local console and Telnet connections. ◆ The timeout for Telnet cannot be disabled. ◆ Using the command without specifying a timeout restores the default setting.
Chapter 4 | System Management Commands Line ◆ This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers. Example Console(config-line-console)#login local Console(config-line-console)# Related Commands username (231) password (148) parity This command defines the generation of a parity bit. Use the no form to restore the default setting.
Chapter 4 | System Management Commands Line password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password {0 | 7} - 0 means plain password, 7 means encrypted password password - Character string that specifies the line password. (Maximum length: 32 characters plain text or encrypted, case sensitive) Default Setting No password is specified.
Chapter 4 | System Management Commands Line Default Setting The default value is three attempts. Command Mode Line Configuration Command Usage When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
Chapter 4 | System Management Commands Line Related Commands password-thresh (148) speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
Command Mode
Line Configuration
Example
To specify 2 stop bits, enter this command:
Console(config-line-console)#stopbits 2
Console(config-line-console)#

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
Chapter 4 | System Management Commands Line disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8) Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
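The Line Configuration commands described above (password {0 | 7}, password-thresh, silent-time and the EXEC timeout) can be checked offline against a saved configuration. The following Python audit is an added example, not part of this guide: the sample configuration is constructed, the `keyword value` argument form and the reading of 0 as "disabled" for password-thresh, silent-time and exec-timeout are assumptions, and the 900-second idle limit is an assumed local policy.

```python
"""Offline audit of 'line console' / 'line vty' blocks in a saved configuration."""
import re

# Constructed sample configuration (not taken from the guide or from a real switch).
SAMPLE_CONFIG = """\
!
line console
 login local
 password 0 changeme123
 password-thresh 0
 exec-timeout 0
!
line vty
 login local
 password 7 00112233445566778899aabbccddeeff
 password-thresh 3
 exec-timeout 600
!
"""

# Defaults as reported by the "show line" example in the guide.
DEFAULT_PASSWORD_THRESH = 3   # "Password Threshold : 3 times"
DEFAULT_EXEC_TIMEOUT = 600    # "EXEC Timeout : 600 seconds"
DEFAULT_SILENT_TIME = 0       # "Silent Time : Disabled"

# Assumed local policy, not a vendor recommendation.
MAX_IDLE_SECONDS = 900


def parse_line_blocks(config_text):
    """Return {"console": {keyword: [args]}, "vty": {...}} for each line block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        text = raw.strip()
        header = re.fullmatch(r"line\s+(console|vty)", text)
        if header:
            current = blocks.setdefault(header.group(1), {})
        elif not raw.startswith(" ") or not text:
            current = None  # "!" or any unindented line closes the block
        elif current is not None:
            keyword, *args = text.split()
            current[keyword] = args
    return blocks


def _int_setting(settings, keyword, default):
    """Value of a numeric keyword; a missing keyword or missing value means default."""
    args = settings.get(keyword)
    if not args:
        return default
    return int(args[0])


def audit_line(settings):
    """Return the list of findings for one line block."""
    findings = []
    # "password 0 ..." stores the line password as plain text in the configuration.
    if settings.get("password", [])[:1] == ["0"]:
        findings.append("plaintext-password")

    thresh = _int_setting(settings, "password-thresh", DEFAULT_PASSWORD_THRESH)
    silent = _int_setting(settings, "silent-time", DEFAULT_SILENT_TIME)
    idle = _int_setting(settings, "exec-timeout", DEFAULT_EXEC_TIMEOUT)

    if thresh == 0:            # assumption: 0 removes the attempt limit
        findings.append("no-attempt-limit")
    elif silent == 0:          # limit set, but no quiet period after it is reached
        findings.append("no-silent-time")

    if idle == 0:              # assumption: 0 disables the idle timeout
        findings.append("no-idle-timeout")
    elif idle > MAX_IDLE_SECONDS:
        findings.append("long-idle-timeout")
    return findings


def audit_config(config_text):
    """Audit every line block found in the configuration text."""
    return {name: audit_line(s) for name, s in parse_line_blocks(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"line {name}: {', '.join(findings) or 'ok'}")
```

Keywords missing from a block are evaluated at the defaults shown by show line, so a short configuration is still audited against the values the switch would actually use.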
Chapter 4 | System Management Commands Line width - The number of character columns displayed on the terminal. (Range: 0-80) Default Setting Escape Character: 27 (ASCII-number) History: 10 Length: 24 Terminal Type: VT100 Width: 80 Command Mode Privileged Exec Example This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 Console# show line This command displays the terminal line’s parameters.
 Silent Time : Disabled
 Baud Rate : 115200
 Data Bits : 8
 Parity : None
 Stop Bits : 1
VTY Configuration:
 Password Threshold : 3 times
 EXEC Timeout : 600 seconds
 Login Timeout : 300 sec.
 Silent Time : Disabled
Console#

Event Logging
This section describes commands used to configure event logging on the switch.
Chapter 4 | System Management Commands Event Logging Command Usage The records stored include the commands executed from the CLI, command execution time and information about the CLI user including user name, user interface (console, Telnet, SSH) and user IP address. The severity level for this record type is 6 (see the logging facility command). Example Console(config)#logging facility 19 Console(config)# logging facility This command sets the facility type for remote logging of syslog messages.
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)

Table 23: Logging Levels
Level  Severity Name   Description
7      debugging       Debugging messages
6      informational   Informational messages only
5      notifications   Normal but significant condition, such as cold start
4      warnings        Warning conditions (e.g.
Default Setting
UDP Port: 514

Command Mode
Global Configuration

Command Usage
◆ Use this command more than once to build up a list of host IP addresses.
◆ The maximum number of host IP addresses allowed is five.

Example
Console(config)#logging host 10.1.0.3
Console(config)#

logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
Chapter 4 | System Management Commands Event Logging logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging. Syntax logging trap [level level] no logging trap [level] level - One of the syslog severity levels listed in the table on page 155.
Chapter 4 | System Management Commands Event Logging Example Console#clear log Console# Related Commands show log (159) show log This command displays the log messages stored in local memory. Syntax show log {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Chapter 4 | System Management Commands Event Logging show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {command | flash | ram | sendmail | trap} command - Stores CLI command execution records in syslog RAM and flash. flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
The following example displays settings for the trap function.

Console#show logging trap
Global Configuration:
  Syslog Logging : Enabled
Remote Logging Configuration:
  Status         : Disabled
  Facility Type  : Local use 7 (23)
  Level Type     : Debugging messages (7)
Console#

Table 25: show logging trap - display description
Field                  Description
Global Configuration
Syslog logging         Shows if system logging has been enabled via the logging on command.
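A collector-side check for the facility and level settings shown above, as an added example that is not part of this guide. It assumes the switch sends standard syslog lines that begin with a `<PRI>` header, where PRI = facility * 8 + severity; the sample lines and the host name `switch1` are constructed.

```python
import re

# Names for levels 7-4 come from Table 23 of this guide; levels 3-0 use the
# RFC 5424 names (assumption: the table is cut off on this page).
SEVERITY = {7: "debugging", 6: "informational", 5: "notifications", 4: "warnings",
            3: "error", 2: "critical", 1: "alert", 0: "emergency"}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) decoded from the leading <PRI> header."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("missing <PRI> header")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def audit(lines, expected_facility=23, trap_level=7):
    """Classify received lines against the switch's logging configuration.

    expected_facility mirrors 'logging facility' and trap_level mirrors
    'logging trap level': the switch sends that level down to level 0, so a
    higher severity number from this source contradicts the configuration.
    """
    findings = []
    for line in lines:
        try:
            facility, severity = decode_pri(line)
        except ValueError:
            findings.append(("malformed", line))
            continue
        if facility != expected_facility:
            findings.append(("unexpected-facility", line))
        elif severity > trap_level:
            findings.append(("above-trap-level", line))
        else:
            findings.append(("ok", line))
    return findings


# Constructed sample input (not captured from a real switch).
SAMPLE = [
    "<190>Jul  3 02:55:31 switch1 CLI: admin console show running-config",  # 23*8+6
    "<187>Jul  3 02:55:40 switch1 port 1/3 link down",                      # 23*8+3
    "<14>Jul  3 02:56:02 switch1 login failed",                             # facility 1
    "<191>Jul  3 02:56:10 switch1 debug trace",                             # 23*8+7
    "Jul  3 02:57:00 switch1 line without a priority header",
]

if __name__ == "__main__":
    for verdict, line in audit(SAMPLE, expected_facility=23, trap_level=6):
        print("%-20s %s" % (verdict, line))
```

Lines flagged `unexpected-facility` or `above-trap-level` claim to come from the switch but do not match what it is configured to send, which points to configuration drift or to another sender using the switch's address.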
logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.

Syntax
[no] logging sendmail

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#logging sendmail
Console(config)#

logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.

Syntax
[no] logging sendmail host ip-address
ip-address - IPv4 address of an SMTP server that will be sent alert messages for event handling.

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ You can specify up to three SMTP servers for event handling.
Chapter 4 | System Management Commands SMTP Alerts Command Mode Global Configuration Command Usage The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.) Example This example will send email alerts for system errors from level 3 through 0.
show logging sendmail
This command displays the settings for the SMTP event handler.

Command Mode
Privileged Exec

Example
Console#show logging sendmail
SMTP Servers
-----------------------------------------------
192.168.1.19

SMTP Minimum Severity Level: 7

SMTP Destination E-mail Addresses
-----------------------------------------------
ted@this-company.com

SMTP Source E-mail Address: bill@this-company.
Table 27: Time Commands (Continued)
Command                          Function                                                 Mode
show ntp                         Shows the status of connections to NTP peers             PE
Manual Configuration Commands
clock summer-time (date)         Configures summer time* for the switch’s internal clock  GC
clock summer-time (predefined)   Configures summer time* for the switch’s internal clock  GC
clock summer-time (recurring)    Configures summer time* for the switch’s internal clock  GC
clock timezone                   Sets the time zone for the s
Poll Interval: 60
Current Mode: Unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
Current Server: 137.92.140.80
Console#

Related Commands
sntp server (167)
sntp poll (167)
show sntp (168)

sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default.

Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests.
Chapter 4 | System Management Commands Time Default Setting None Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command. Example Console(config)#sntp server 10.1.0.
Chapter 4 | System Management Commands Time NTP Commands ntp authenticate This command enables authentication for NTP client-server communications. Use the no form to disable authentication. Syntax [no] ntp authenticate Default Setting Disabled Command Mode Global Configuration Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers.
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch. Re-enter this command for each server you want to configure. ◆ Note that NTP authentication key numbers and values must match on both the server and client. ◆ NTP authentication is optional.
◆ This command enables client time requests to time servers specified via the ntp servers command. Once enabled, the switch will issue time synchronization requests periodically.

Example
Console(config)#ntp client
Console(config)#

Related Commands
sntp client (166)
ntp server (171)

ntp server
This command sets the IP addresses of the servers to which NTP time requests are sent.
Example
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#

Related Commands
ntp client (170)
show ntp (172)

show ntp
This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated.
Reference Time : e0c697a3.6b04c19f Wed, Jul 3 2019 2:55:31.418
Console#

show ntp statistics peer
This command displays the statistics from an NTP peer.

Syntax
show ntp statistics peer {ip-address | ipv6-address | hostname}
ip-address - IP address of an NTP peer.
ipv6-address - IPv6 address of an NTP peer.
hostname - Host name of an NTP peer.

Command Mode
Privileged Exec

Example
Console#show ntp statistics Peer 192.168.125.88
Remote Host : 192.168.125.
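Decoding the hexadecimal Reference Time value shown in the show ntp output above, as an added example that is not part of this guide. It assumes the value is a standard 64-bit NTP timestamp (32-bit seconds since 1900-01-01 UTC, then a 32-bit binary fraction); the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def decode_ntp_timestamp(text, era=0):
    """Convert 'ssssssss.ffffffff' (hex) into an aware UTC datetime.

    era selects the 2**32-second NTP era; era 0 covers 1900 to early 2036.
    """
    try:
        sec_hex, frac_hex = text.strip().split(".")
    except ValueError:
        raise ValueError("expected <8 hex digits>.<8 hex digits>")
    if len(sec_hex) != 8 or len(frac_hex) != 8:
        raise ValueError("expected <8 hex digits>.<8 hex digits>")
    seconds = int(sec_hex, 16) + era * 2 ** 32
    micros = round(int(frac_hex, 16) / 2 ** 32 * 1_000_000)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def seconds_since_sync(reference_time, now):
    """Age of the last clock update; a large value means log timestamps
    from this switch may have drifted since it last heard from a server."""
    return (now - decode_ntp_timestamp(reference_time)).total_seconds()


if __name__ == "__main__":
    ref = "e0c697a3.6b04c19f"  # value from the show ntp example on this page
    print(decode_ntp_timestamp(ref).isoformat())
    # Constructed collector time, a few minutes after the reference time.
    collector_now = datetime(2019, 7, 3, 3, 0, 0, tzinfo=timezone.utc)
    print(round(seconds_since_sync(ref, collector_now), 3))
```

The decoded value matches the human-readable time printed next to it in the switch output, so the same routine can be used to cross-check timestamps when correlating switch logs with other sources.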
Remote Host      Local Interface  St Poll   Reach Delay    Offset   Dispersion
---------------- ---------------  -- ------ ----- -------- -------- ----------
1.1.1.1          0.0.0.0          16 1024   0     0.000000 0.00000  3.99217010
192.168.1.10     0.0.0.0          16 1024   0     0.000000 0.00000  3.99217010
*192.168.125.88  192.168.125.138  13 1024   1     0.001160 -0.00011 0.
Console#
Chapter 4 | System Management Commands Time Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time time zone relative to the currently configured time zone.
Chapter 4 | System Management Commands Time ◆ This command sets the summer-time time relative to the configured time zone. To specify the time corresponding to your local time when summer time is in effect, select the predefined summer-time time zone appropriate for your location, or manually configure summer time if these predefined configurations do not apply to your location (see clock summer-time (date) or clock summer-time (recurring).
Chapter 4 | System Management Commands Time b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-hour - The hour when summer time will begin. (Range: 0-23 hours) b-minute - The minute when summer time will begin. (Range: 0-59 minutes) e-week - The week of the month when summer time will end. (Range: 1-5) e-day - The day of the week summer time will end.
Chapter 4 | System Management Commands Time clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} name - Name of timezone, usually an acronym. (Range: 1-30 characters) hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC) minutes - Number of minutes before/after UTC. (Range: 0-59 minutes) before-utc - Sets the local time zone before (east) of UTC.
Chapter 4 | System Management Commands Time calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} hour - Hour in 24-hour format. (Range: 0 - 23) min - Minute. (Range: 0 - 59) sec - Second. (Range: 0 - 59) day - Day of month.
Summer Time in Effect : No
Console#

Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Chapter 4 | System Management Commands Time Range absolute This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) day - Day of month.
Chapter 4 | System Management Commands Time Range periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Chapter 4 | System Management Commands Switch Clustering show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range.
Chapter 4 | System Management Commands Switch Clustering can use either Telnet or the web interface to communicate directly with the Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
Chapter 4 | System Management Commands Switch Clustering ◆ Switch clusters are limited to the same Ethernet broadcast domain. ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and network changes. Example Console(config)#cluster Console(config)# cluster commander This command enables the switch as a cluster Commander.
Chapter 4 | System Management Commands Switch Clustering cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start 10.x.x.x. Default Setting 10.254.254.1 Command Mode Global Configuration Command Usage ◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster.
Chapter 4 | System Management Commands Switch Clustering Command Mode Global Configuration Command Usage ◆ The maximum number of cluster Members is 36. ◆ The maximum number of cluster Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch.
show cluster
This command shows the switch clustering configuration.

Command Mode
Privileged Exec

Example
Console#show cluster
Role                 : commander
Interval Heartbeat   : 30
Heartbeat Loss Count : 3 seconds
Number of Members    : 1
Number of Candidates : 2
Console#

show cluster members
This command shows the current switch cluster members.
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Table 31: SNMP Commands (Continued)
Command                     Function                                                  Mode
show snmp engine-id         Shows the SNMP engine ID                                  PE
show snmp group             Shows the SNMP groups                                     PE
show snmp user              Shows the SNMP users                                      PE
show snmp view              Shows the SNMP views                                      PE
nlm                         Enables the specified notification log                    GC
snmp-server notify-filter   Creates a notification log and specifies the target host  GC
show nlm oper-status        Shows operation status of configured notification logs    PE
show snmp notify-filter
Table 31: SNMP Commands (Continued)
Command                             Function                                                                                        Mode
Transceiver Power Threshold Trap Commands
transceiver-threshold current       Sends a trap when the transceiver current falls outside the specified thresholds               IC (Port)
transceiver-threshold rx-power      Sends a trap when the power level of the received signal falls outside the specified thresholds  IC (Port)
transceiver-threshold temperature   Sends a trap when the transceiver temperature falls outside th
snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.

Syntax
snmp-server community string [ro | rw]
no snmp-server community string
string - Community string that acts like a password and permits access to the SNMP protocol.
Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (193) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
Example
Console#show snmp
SNMP Agent : Enabled
SNMP Traps :
  Authentication : Enabled
  MAC-notification : Disabled
  MAC-notification interval : 1 second(s)
SNMP Communities :
  1. public, and the access level is read-only
  2.
Chapter 5 | SNMP Commands SNMP Target Host Commands Default Setting Issue authentication traps Other traps are disabled Command Mode Global Configuration Command Usage ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication notifications are enabled.
Chapter 5 | SNMP Commands SNMP Target Host Commands snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr host-addr - IPv4 or IPv6 address of the host (the targeted recipient).
Chapter 5 | SNMP Commands SNMP Target Host Commands ◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#

Related Commands
snmp-server enable traps (194)

snmp-server enable port-traps link-up-down
This command enables the device to send SNMP traps (i.e., SNMP notifications) when a link-up or link-down state change occurs. Use the no form to restore the default setting.
Command Usage
This command can enable MAC authentication traps on the current interface only if they are also enabled at the global level with the snmp-server enable traps macauthentication command.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps mac-notification
Console(config)#

show snmp-server enable port-traps
This command shows if SNMP traps are enabled or disabled for the specified interfaces.
SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.

Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.
remote - Specifies an SNMP engine on a remote device.
ip-address - IPv4 or IPv6 address of the remote device.
Chapter 5 | SNMP Commands SNMPv3 Commands Example Console(config)#snmp-server engine-id local 1234567890 Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)# Related Commands snmp-server host (196) snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Chapter 5 | SNMP Commands SNMPv3 Commands ◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption. ◆ For additional information on the notification messages supported by this switch, see the table for “Supported Notification Messages” in the Web Management Guide. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.
Chapter 5 | SNMP Commands SNMPv3 Commands 3des - Uses SNMPv3 with privacy with 3DES (168-bit) encryption. aes128 - Uses SNMPv3 with privacy with AES128 encryption. aes192 - Uses SNMPv3 with privacy with AES192 encryption. aes256 - Uses SNMPv3 with privacy with AES256 encryption. des56 - Uses SNMPv3 with privacy with DES56 encryption. priv-password - Privacy password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password.
Chapter 5 | SNMP Commands SNMPv3 Commands Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)# snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name view-name - Name of an SNMP view. A maximum of 32 views can be configured.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#

show snmp engine-id
This command shows the SNMP engine ID.

Command Mode
Privileged Exec

Example
This example shows the default engine ID.

Console#show snmp engine-id
Local SNMP EngineID: 8000002a8000000000e8666672
Local SNMP EngineBoots: 1

Remote SNMP Engine ID         IP address
80000000030004e2b316c54321    192.168.1.
Console#
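How an SNMPv3 user password relates to the engine IDs shown above, as an added example that is not part of this guide or the switch firmware. It implements the password-to-key and key-localization steps of the SNMPv3 User-based Security Model (RFC 3414, Appendix A.2) for MD5 and SHA-1; the engine IDs and the password are the ones printed in this guide's examples, and the function names are hypothetical.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many bytes


def password_to_key(password, algo):
    """Stretch a password into the user key Ku by hashing 1 MiB of it repeated."""
    data = password.encode()
    if not data:
        raise ValueError("empty password")
    reps, rest = divmod(MEGABYTE, len(data))
    return hashlib.new(algo, data * reps + data[:rest]).digest()


def localized_key(password, engine_id_hex, algo="md5"):
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    ku = password_to_key(password, algo)
    engine_id = bytes.fromhex(engine_id_hex)
    return hashlib.new(algo, ku + engine_id + ku).digest()


# Engine IDs as printed in the show snmp engine-id example on this page.
LOCAL_ENGINE = "8000002a8000000000e8666672"
REMOTE_ENGINE = "80000000030004e2b316c54321"


def keys_per_engine(password, algo="md5"):
    """Return the localized key (hex) the same password yields on each engine."""
    return {engine: localized_key(password, engine, algo).hex()
            for engine in (LOCAL_ENGINE, REMOTE_ENGINE)}


if __name__ == "__main__":
    # 'greenpeace' is the authentication password used in this guide's
    # snmp-server user example.
    for engine, key in keys_per_engine("greenpeace").items():
        print(engine, key)
```

Because the engine ID is hashed into the key, a key computed for one engine does not authenticate against another, and a user's key has to be derived again if the engine ID it was computed for changes.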
Security Model : v1
Read View      : defaultview
Write View     : No writeview specified
Notify View    : No notifyview specified
Storage Type   : Volatile
Row Status     : Active

Group Name     : public
Security Model : v2c
Read View      : defaultview
Write View     : No writeview specified
Notify View    : No notifyview specified
Storage Type   : Volatile
Row Status     : Active

Group Name     : private
Security Model : v1
Read View      : defaultv
Console#show snmp user
Engine ID               : 800001030300e00c0000fd0000
User Name               : steve
Group Name              : rd
Security Model          : v1
Security Level          : None
Authentication Protocol : None
Privacy Protocol        : None
Storage Type            : Nonvolatile
Row Status              : Active

SNMP remote user
Engine ID               : 0000937564846450000
User Name               : mark
Group Name              : public
Security Model          : v3
Security Level          : Anthentication and p
View Name    : defaultview
Subtree OID  : 1
View Type    : included
Storage Type : volatile
Row Status   : active
Console#

Table 35: show snmp view - display description
Field          Description
View Name      Name of an SNMP view.
Subtree OID    A branch in the MIB tree.
View Type      Indicates if the view is included or excluded.
Storage Type   The storage type for this entry.
Row Status     The row status of this entry.
snmp-server notify-filter
This command creates an SNMP notification log. Use the no form to remove this log.

Syntax
[no] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name. (Range: 1-32 characters)
ip-address - IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the snmp-server host command.

Note: The notification log is stored locally.
Chapter 5 | SNMP Commands Notification Log Commands recorded in a notification log, and the entry aging time can only be configured using SNMP from a network management station. ◆ When a trap host is created with the snmp-server host command, a default notify filter will be created as shown in the example under the show snmp notify-filter command.
Chapter 5 | SNMP Commands Additional Trap Commands Additional Trap Commands memory This command sets an SNMP trap based on configured thresholds for memory utilization. Use the no form to restore the default setting. Syntax memory {rising rising-threshold | falling falling-threshold} no memory {rising | falling} rising-threshold - Rising threshold for memory utilization alarm expressed in percentage. (Range: 1-100) falling-threshold - Falling threshold for memory utilization alarm expressed in percentage.
Chapter 5 | SNMP Commands Additional Trap Commands Default Setting Rising Threshold: 90% Falling Threshold: 70% Command Mode Global Configuration Command Usage Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
Chapter 5 | SNMP Commands Additional Trap Commands trap - If traps are enabled, the switch will send an alarm message if CPU utilization exceeds the high watermark in percentage of CPU usage time or exceeds the maximum threshold in the number of packets being processed by the CPU.
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
Chapter 6 | Remote Monitoring Commands After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
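The rising/falling threshold behaviour described here for rmon alarm, and earlier for the memory utilization trap, as an added example that is not part of this guide or the switch firmware. It assumes no alarm is raised on the very first sample and that the falling threshold is below the rising one; the sample series are constructed.

```python
def alarm_events(samples, rising, falling, mode="absolute"):
    """Return [(sample_index, 'rising' | 'falling', value), ...].

    absolute: each sample is compared with the thresholds directly.
    delta:    the difference between consecutive samples is compared,
              which is what you want for ever-increasing counters.
    """
    if falling >= rising:
        # Assumption of this example, needed for the hysteresis to make sense.
        raise ValueError("falling threshold must be below rising threshold")
    if mode == "absolute":
        values = list(enumerate(samples))
    elif mode == "delta":
        values = [(i + 1, b - a)
                  for i, (a, b) in enumerate(zip(samples, samples[1:]))]
    else:
        raise ValueError("mode must be 'absolute' or 'delta'")

    events = []
    last_event = None  # re-arm state: the same event type never fires twice in a row
    prev = None
    for index, value in values:
        if prev is not None:
            if value >= rising and prev < rising and last_event != "rising":
                events.append((index, "rising", value))
                last_event = "rising"
            elif value <= falling and prev > falling and last_event != "falling":
                events.append((index, "falling", value))
                last_event = "falling"
        prev = value
    return events


if __name__ == "__main__":
    # Constructed memory-utilization samples (percent), checked against the
    # default thresholds given in this guide: rising 90, falling 70.
    memory = [50, 95, 80, 95, 60, 95]
    print(alarm_events(memory, rising=90, falling=70))

    # Constructed packet-counter samples evaluated in delta mode.
    counter = [1000, 1200, 5200, 5300, 9400]
    print(alarm_events(counter, rising=3000, falling=500, mode="delta"))
```

In the first series the second climb to 95 produces no event because utilization only dipped to 80 and never reached the falling threshold, which is how the hysteresis keeps a value hovering near the rising threshold from generating a stream of traps.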
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port.
Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
7 Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Chapter 7 | Flow Sampling Commands sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) disabled - Disables the timeout on the sFlow interface. ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. ipv6-address - IPv6 address of the sFlow collector. A full IPv6 address including the network prefix and host address bits.
Chapter 7 | Flow Sampling Commands Example This example shows an sflow collector being created on the switch. Console#sflow owner stat_server1 timeout 100 destination 192.168.220.225 port 22500 max-datagram-size 512 version v5 Console# This example shows how to modify the sFlow port number for an already configured collector.
Chapter 7 | Flow Sampling Commands Example This example sets the polling interval to 10 seconds. Console#sflow polling interface ethernet 1/9 instance 1 receiver owner1 polling-interval 10 Console# sflow sampling This command enables an sFlow data source instance for a specific interface that instance takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
Chapter 7 | Flow Sampling Commands Example This example enables a sampling data source on Ethernet interface 1/1, an associated receiver named “owner1”, and a sampling rate of one out of 100. The maximum header size is also set to 200 bytes. Console# sflow sampling interface ethernet 1/1 instance 1 receiver owner1 sampling-rate 100 max-header-size 200 Console# The following command removes a sampling data source from Ethernet interface 1/1.
8 Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 143), user authentication via a remote authentication server (page 229), and host access authentication for specific ports (page 271).
Chapter 8 | Authentication Commands User Accounts and Privilege Levels Default Setting The default is level 15. The default password is “super” Command Mode Global Configuration Command Usage ◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command. ◆ The encrypted password is required for compatibility with legacy password settings (i.e.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels Level 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax privilege mode [all] level level command no privilege mode [all] command mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 84 and “Configuration Commands” on page 86.
Example
This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console(config)#
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
Default Setting
1813
Command Mode
Global Configuration
Example
Console(config)#radius-server acct-port 181
Console(config)#
radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication messages.
auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30)
timeout - Number of seconds the switch waits for a reply before resending a request.
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
show radius-server
This command displays the current settings for the RADIUS server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
 Authentication Port Number : 1812
 Accounting Port Number     : 1813
 Retransmit Times           : 2
 Request Timeout            : 5
Server 1: Server IP Address Authentication Port Number Accounting Port Number Retransmit Times Request Timeout : : : : : 192.
tacacs-server host
This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values.
Syntax
tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout]
no tacacs-server index
index - The index for this server. (Range: 1-5)
host-ip-address - IPv4 or IPv6 address of a TACACS+ server.
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#tacacs-server key green
Console(config)#
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication messages.
Example
Console(config)#tacacs-server retransmit 5
Console(config)#
tacacs-server timeout
This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default.
Syntax
tacacs-server timeout number-of-seconds
no tacacs-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
TACACS+ Server Group:
Group Name                Member Index
------------------------- -------------
tacacs+                   1
Console#
AAA
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
aaa accounting commands
This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.
Syntax
aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group}
no aaa accounting commands level {default | method-name}
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default accounting method for service requests.
aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting dot1x {default | method-name}
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests.
aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting exec {default | method-name}
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests.
aaa accounting update
This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.
Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.
Default Setting
Authorization is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ The authorization of Exec mode commands is only supported by TACACS+ servers.
◆ Note that the default and method-name fields are only used to describe the authorization method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Command Usage
◆ This command performs authorization to determine if a user is allowed to run an Exec shell for local console, Telnet, or SSH connections.
◆ AAA authentication must be enabled before authorization is enabled.
◆ If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined.
Default Setting
None
Command Mode
Server Group Configuration
Command Usage
◆ When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command.
◆ When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command.
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.
accounting commands
This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands.
Syntax
accounting commands level {default | list-name}
no accounting commands level
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default method list created with the aaa accounting commands command.
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec default
Console(config-line)#
authorization commands
This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.
Syntax
authorization commands level {default | list-name}
no authorization commands level
level - The privilege level for executing commands.
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#
show accounting
This command displays the current accounting settings per function and per port.
Method List     : tps
Group List      : radius
Interface       : Eth 1/2

Accounting Type : EXEC
Method List     : default
Group List      : tacacs+
Interface       : vty

Accounting Type : Commands 0
Method List     : default
Group List      : tacacs+
Interface       :
.
.
.
Accounting Type : Commands 15
Method List     : default
Group List      : tacacs+
Interface       :
Console#
show authorization
This command displays the current authorization settings per function and per port.
Console#
Web Server
This section describes commands used to configure web browser management access to the switch.
Example
Console(config)#ip http authentication aaa exec-authorization default
Console(config)#
Related Commands
aaa authorization commands (248)
ip http server (257)
show system (125)
ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http authentication (256)
show system (125)
ip http secure-port
This command specifies the TCP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip http secure-port
port_number – The TCP port used for HTTPS.
Syntax
[no] ip http secure-server
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port.
Example
Console(config)#ip http secure-server
Console(config)#
Related Commands
ip http secure-port (258)
copy tftp https-certificate (132)
show system (125)
Telnet Server
This section describes commands used to configure Telnet management access to the switch.
Command Mode
Global Configuration
Command Usage
A maximum of eight sessions can be concurrently opened for Telnet and Secure Shell (i.e., both Telnet and SSH share a maximum number of eight sessions).
Example
Console(config)#ip telnet max-sessions 1
Console(config)#
ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Example
Console(config)#ip telnet server
Console(config)#
telnet (client)
This command accesses a remote device using a Telnet connection.
Syntax
telnet host
host - IP address or alias of a remote device.
Command Mode
Privileged Exec
Example
Console#telnet 192.168.2.254
Connect To 192.168.2.254...
Secure Shell
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports only SSH Version 2.0 clients.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v2 Clients
a.
Related Commands
show ip ssh (269)
ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Syntax
[no] ip ssh server
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Default Setting
120 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
Command Mode
Privileged Exec
Command Usage
◆ The switch uses RSA for SSHv2 clients.
◆ This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.
◆ Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise, you must manually create a known hosts file and place the host public key in it.
Related Commands
ip ssh crypto host-key generate (267)
ip ssh save host-key (269)
no ip ssh server (266)
ip ssh save host-key
This command saves the host key from RAM to flash memory.
Syntax
ip ssh save host-key
Default Setting
Saves the RSA key.
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-32 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
Table 49: show ssh - display description
Field       Description
Connection  The session number. A total of eight SSH and Telnet sessions are allowed.
Version     The Secure Shell version number.
State       The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started)
Username    The user name of the client.
802.1X Port Authentication
The switch supports IEEE 802.
Table 50: 802.1X Port Authentication Commands (Continued)
Command                Function                                     Mode
dot1x re-authenticate  Forces re-authentication on specific ports   PE
Information Display Commands
show dot1x             Shows all dot1x related information          PE
General Commands
dot1x default
This command sets all configurable dot1x authenticator global and port settings to their default values.
Authenticator Commands
dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Syntax
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-reauth-req 2
Console(config-if)#
dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
Related Commands
dot1x timeout re-authperiod (278)
dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 275) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#
dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds.
Default
30 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Information Display Commands
show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
◆ Authenticator PAE State Machine
■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
■ Reauth Count – Number of times connecting state is re-entered.
■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
Reauth Max Retries  : 2
Max Request         : 2
Operation Mode      : Multi-host
Port Control        : Auto
Intrusion Action    : Block traffic

Supplicant          : 00-e0-29-94-34-65

Authenticator PAE State Machine
 State              : Authenticated
 Reauth Count       : 0
 Current Identifier : 3

Backend State Machine
 State              : Idle
 Request Count      : 0
 Identifier(Server) : 2

Reauthentication State Machine
 State              : Initialize
Console#
Management IP Filter
This section describes commands used to configur
Default Setting
All addresses
Command Mode
Global Configuration
Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Command Mode
Privileged Exec
Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
 Start IP address     End IP address
-----------------------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.30
SNMP-Client:
 Start IP address     End IP address
-----------------------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.
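The following added example (not part of the guide) parses output in the layout of show management all-client and applies the rule stated in the command usage: an empty list leaves the interface open to all addresses, while any entry restricts it to the listed ranges. The sample text is constructed, its Telnet-Client section is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of the guide's "show management all-client"
# example. The Telnet-Client section is an assumption added for illustration.
SAMPLE_OUTPUT = """\
Management Ip Filter
 HTTP-Client:
  Start IP address      End IP address
-----------------------------------------------
1. 192.168.1.19         192.168.1.19
2. 192.168.1.25         192.168.1.30

 SNMP-Client:
  Start IP address      End IP address
-----------------------------------------------
1. 192.168.1.19         192.168.1.19

 Telnet-Client:
  Start IP address      End IP address
-----------------------------------------------
"""

SECTION_RE = re.compile(r"^\s*([A-Za-z]+)-Client:\s*$")
ENTRY_RE = re.compile(r"^\s*\d+\.\s+(\S+)\s+(\S+)\s*$")


def parse_management_filter(text):
    """Return {service: [(start_ip, end_ip), ...]} parsed from the CLI output."""
    filters = {}
    current = None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).lower()
            filters[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            start = ipaddress.ip_address(entry.group(1))
            end = ipaddress.ip_address(entry.group(2))
            if start.version != end.version or int(start) > int(end):
                raise ValueError(f"bad range under {current}: {line.strip()}")
            filters[current].append((start, end))
    return filters


def is_permitted(filters, service, source_ip):
    """Empty list: interface open to all. Otherwise only listed ranges pass."""
    ranges = filters[service.lower()]  # KeyError if the section was not in the output
    if not ranges:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(s.version == ip.version and s <= ip <= e for s, e in ranges)


def unrestricted_services(filters):
    """Services with no filter entries, i.e. still reachable from any address."""
    return sorted(name for name, ranges in filters.items() if not ranges)


def range_sizes(filters):
    """Number of addresses admitted by each range, for spotting broad entries."""
    return {
        name: [int(e) - int(s) + 1 for s, e in ranges]
        for name, ranges in filters.items()
    }


if __name__ == "__main__":
    parsed = parse_management_filter(SAMPLE_OUTPUT)
    print("open to all addresses:", unrestricted_services(parsed))
    print("addresses per range:", range_sizes(parsed))
```

Running the check against saved output after each filter change makes it easy to see which management interfaces have no entries at all.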
Table 52: PPPoE Intermediate Agent Commands
Command                                   Function                                  Mode
show pppoe intermediate-agent info        Displays PPPoE IA configuration settings  PE
show pppoe intermediate-agent statistics  Displays PPPoE IA statistics              PE
pppoe intermediate-agent
This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.
pppoe intermediate-agent format-type
This command sets the access node identifier, generic error message, or vendor identifier for the switch. Use the no form to restore the default settings.
Example
Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong
Console(config)#
pppoe intermediate-agent port-enable
This command enables the PPPoE IA on an interface. Use the no form to disable this feature.
mac-cpe - The MAC address of the CPE attached to this interface is used as the remote ID.
remote-id-string - String identifying the remote identifier (or interface) on this switch to which the user is connected. (Range: 1-63 ASCII characters)
remote-id-delimiter enable - Enables a user-specified delimiter value for the remote ID.
ascii-code - A character used to separate components in the remote circuit ID value.
pppoe intermediate-agent port-format-type remote-id-delimiter
This command sets the remote-id delimiter for an interface. Use the enable keyword to enable the delimiter. Use the no form with the enable keyword to disable the delimiter. Use the no form without any keywords to restore the default settings.
Syntax
pppoe intermediate-agent port-format-type remote-id-delimiter {enable | ascii-code}
ascii-code - ASCII character of delimiter.
◆ At least one trusted interface must be configured on the switch for the PPPoE IA to function.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent trust
Console(config-if)#
pppoe intermediate-agent vendor-tag strip
This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. Use the no form to disable this feature.
Command Mode
Privileged Exec
Example
Console#clear pppoe intermediate-agent statistics
Console#
show pppoe intermediate-agent info
This command displays configuration settings for the PPPoE Intermediate Agent.
Syntax
show pppoe intermediate-agent info [interface [interface]]
interface
ethernet unit/port
unit - Stack unit.
show pppoe intermediate-agent statistics
This command displays statistics for the PPPoE Intermediate Agent.
Syntax
show pppoe intermediate-agent statistics interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
9 General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter.
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Command Usage
◆ The no mac-learning command immediately stops the switch from learning new MAC addresses on the specified port or trunk. Incoming traffic with source addresses not stored in the static address table will be flooded. However, if a security function such as 802.
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable port.
max-mac-count
address-count - The maximum number of MAC addresses that can be learned on a port.
number of MAC addresses, the port will stop learning new addresses. The MAC addresses already in the address table will be retained and will not be aged out.
◆ MAC addresses that port security has learned can be saved in the configuration file as static entries. See command port security mac-address-as-permanent.
Command Mode
Privileged Exec
Example
This example shows the switch saving the MAC addresses learned by port security on ethernet port 1/3.
Console#port security mac-address-as-permanent interface ethernet 1/3
Console#
port security mac-address sticky
Use this command to save the MAC addresses that port security has learned as “sticky” entries.
Command Mode
Privileged Exec
Example
This example shows the port security settings and number of secure addresses for all ports.
only source MAC address entries in MAC Filter table can be learned as secure MAC addresses.
Table 57: Network Access Commands (Continued)
Command                         Function                                                                            Mode
mac-authentication reauth-time  Sets the time period after which a connected MAC address must be re-authenticated  GC
network-access dynamic-qos      Enables the dynamic quality of service feature                                      IC
network-access dynamic-vlan     Enables dynamic VLAN assignment from a RADIUS server                                IC
network-access guest-vlan       Specifies the guest VLAN                                                            IC
network-access lin
Command Usage
◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command.
◆ Up to 64 filter tables can be defined.
◆ There is no limitation on the number of entries that can be entered in a filter table.
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.
network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
Syntax
[no] network-access dynamic-vlan
Default Setting
Enabled
Command Mode
Interface Configuration
Command Usage
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
Syntax
network-access max-mac-count count
no network-access max-mac-count
count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed.
◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
Example
Console(config-if)#mac-authentication max-mac-count 32
Console(config-if)#
clear network-access
Use this command to clear entries from the secure MAC addresses table.
Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry.
Command Mode
Privileged Exec
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC Address Aging : Disabled
Port : 1/1
MAC Authentication
MAC Authentication Intrusion Action
MAC Authentication Maximum MAC Counts
Maximum MAC Counts
Dynamic VLAN Assignment
Dynamic QoS Assignment
MAC Filter ID
Guest VLAN
Link Detection
Detection Mode
Detection Action
Console#
Chapter 9 | General Security Measures Web Authentication
Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
the web browser is forwarded on to the originally requested web page. Successful authentication is valid for all hosts connected to the port.
Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 234).
Note: Web authentication cannot be configured on trunk ports.
Example
Console(config)#web-auth login-attempts 2
Console(config)#

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Syntax
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.
Example
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
Example
Console(config-if)#web-auth
Console(config-if)#

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Console#

show web-auth
This command displays global web authentication parameters.
Chapter 9 | General Security Measures DHCPv4 Snooping
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
Command Mode
Privileged Exec
Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port   Status     Authenticated Host Count
----   ------     ------------------------
1/ 1   Disabled   0
1/ 2   Enabled    8
1/ 3   Disabled   0
1/ 4   Disabled   0
1/ 5   Disabled   0
.
.
.
Table 60: DHCP Snooping Commands (Continued)
Command                                          Function                                                                            Mode
ip dhcp snooping information option circuit-id   Enables or disables the use of DHCP Option 82 information circuit-id suboption     IC
ip dhcp snooping max-number                      configures the maximum number of DHCP clients which can be supported per interface  IC
ip dhcp snooping trust                           Configures the specified interface as trusted                                       IC
clear ip dhcp snooping binding                   Clears DHCP snooping binding table
◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
◆ Filtering rules are implemented as follows:
■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
Example
This example enables DHCP snooping globally for the switch.
◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets. When enabled, the switch will only add/remove option 82 information in incoming DHCP packets but not relay them. Packets are processed as follows:
■ If an incoming packet is a DHCP request packet with option 82 information, it will modify the option 82 information according to settings specified with ip dhcp snooping information policy command.
■ sub-length - Length of the circuit ID type
■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command,
■ eth - The second field is the fixed string “eth”
■ slot - The slot represents the stack unit for this system.
■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
mac-address - Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (that is, the MAC address of the switch’s CPU).
ip-address - Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (that is, the IP address of the management interface).
encode - Indicates encoding in ASCII or hexadecimal.
string - An arbitrary string inserted into the remote identifier field.
Syntax
ip dhcp snooping information option tr101 board-id board-id
no ip dhcp snooping information option tr101 board-id
board-id – TR101 Board ID. (Range: 0-9)
Default Setting
not defined
Command Mode
Global Configuration
Example
This example sets the board ID to 0.
Example
Console(config)#ip dhcp snooping information policy drop
Console(config)#

ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
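The two DHCPv4 snooping checks described in this section (DHCP server messages arriving on an untrusted port are dropped, and verify mac-address compares the client hardware address in the DHCP packet with the Ethernet source MAC), as an added Python model that is not Edge-core code. The frames are constructed samples, the function names are hypothetical, the order of the checks is an assumption, and VLAN-tagged frames are not handled.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_TYPES = {2, 5, 6}  # OFFER, ACK and NAK are sent by DHCP servers


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_frame(eth_src, chaddr, msg_type):
    """Constructed sample: Ethernet + IPv4 + UDP + BOOTP carrying option 53 only."""
    from_server = msg_type in SERVER_TYPES
    sport, dport = (67, 68) if from_server else (68, 67)
    bootp = struct.pack("!BBBBIHH", 2 if from_server else 1, 1, 6, 0,
                        0x1234ABCD, 0, 0)
    bootp += bytes(16)             # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr + bytes(10)    # the chaddr field is always 16 bytes long
    bootp += bytes(64 + 128)       # sname and file
    bootp += MAGIC_COOKIE + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip + udp


def parse_dhcp(frame):
    """Return (eth_src, chaddr, msg_type), or None if this is not IPv4 DHCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8:
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} - {67, 68}:
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE or bootp[2] > 16:
        return None
    chaddr = bootp[28:28 + bootp[2]]   # hlen bytes of the chaddr field
    msg_type, i = None, 240
    while i < len(bootp) and bootp[i] != 255:      # 255 = end option
        if bootp[i] == 0:                          # pad option has no length
            i += 1
            continue
        if i + 1 >= len(bootp):
            break
        length = bootp[i + 1]
        if bootp[i] == 53 and length == 1 and i + 2 < len(bootp):
            msg_type = bootp[i + 2]
        i += 2 + length
    return frame[6:12], chaddr, msg_type


def snoop(frame, trusted, verify_mac=True):
    """Return (action, reason) for a frame received on one port."""
    parsed = parse_dhcp(frame)
    if parsed is None:
        return "forward", "not a DHCP packet"
    eth_src, chaddr, msg_type = parsed
    if trusted:
        return "forward", "trusted port, no filtering"
    if msg_type in SERVER_TYPES:
        return "drop", f"server {MSG_NAMES[msg_type]} on untrusted port"
    if verify_mac and chaddr != eth_src:
        return "drop", (f"chaddr {mac_str(chaddr)} differs from "
                        f"Ethernet source {mac_str(eth_src)}")
    return "forward", "client message passed checks"


if __name__ == "__main__":
    client = bytes.fromhex("00e029943401")   # constructed addresses
    other = bytes.fromhex("00e0299434ff")
    cases = [
        ("client DISCOVER", build_frame(client, client, 1), False),
        ("REQUEST with mismatched chaddr", build_frame(other, client, 3), False),
        ("OFFER on untrusted port", build_frame(other, client, 2), False),
        ("OFFER on trusted port", build_frame(other, client, 2), True),
    ]
    for label, frame, trusted in cases:
        print(label, "->", *snoop(frame, trusted))
```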
Command Mode
Global Configuration
Command Usage
◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with this command, DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command.
ip dhcp snooping information option circuit-id
This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings.
Syntax
ip dhcp snooping information option circuit-id string string | {tr101 {node-identifier {ip | sysname} | no-vlan-field}
no dhcp snooping information option circuit-id [tr101 no-vlan-field]
string - An arbitrary string inserted into the circuit identifier field.
■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command,
■ eth - The second field is the fixed string “eth”
■ slot - The slot represents the stack unit for this system.
■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
Example
This example sets the maximum number of DHCP clients supported on port 1 to 2.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping max-number 2
Console(config-if)#

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Related Commands
ip dhcp snooping (323)
ip dhcp snooping vlan (330)

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
Syntax
clear ip dhcp snooping binding [mac-address ip-address]
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx)
ip-address - Specifies an IPv6 address entry.
Example
Console#ip dhcp snooping database flash
Console#

show ip dhcp
This command shows the DHCP snooping configuration settings.
Chapter 9 | General Security Measures DHCPv6 Snooping
DHCPv6 Snooping
DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
Command Usage
◆ Network traffic may be disrupted when malicious DHCPv6 messages are received from an outside source. DHCPv6 snooping is used to filter DHCPv6 messages received on an unsecure interface from outside the network or firewall.
If a DHCPv6 packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
DHCP Server Packet
■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
a.
Example
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
Related Commands
ipv6 dhcp snooping vlan (343)
ipv6 dhcp snooping trust (345)

ipv6 dhcp snooping option interface-id
This command enables the insertion of interface-id option 18 information into DHCPv6 client messages.
drop - Drops the client’s request packet instead of relaying it.
keep - Retains the Option 18 information in the client request, and forwards the packets to trusted ports.
replace - Replaces the Option 18 remote-ID in the client’s request with the relay agent’s interface-ID (when DHCPv6 snooping is enabled), and forwards the packets to trusted ports.
allows compatible DHCPv6 servers to use the information when assigning IP addresses, or to set other services or policies for clients.
◆ When DHCPv6 Snooping Information Option 37 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCPv6 request packets forwarded by the switch and in reply packets sent back from the DHCPv6 server.
drop - Drops the client’s request packet instead of relaying it.
keep - Retains the Option 37 information in the client request, and forwards the packets to trusted ports.
replace - Replaces the Option 37 remote-ID in the client’s request with the relay agent’s remote-ID (when DHCPv6 snooping is enabled), and forwards the packets to trusted ports.
filtering will be performed on any untrusted ports within the VLAN as specified by the ipv6 dhcp snooping trust command.
◆ When the DHCPv6 snooping is globally disabled, DHCPv6 snooping can still be configured for specific VLANs, but the changes will not take effect until DHCPv6 snooping is globally re-enabled.
ipv6 dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Syntax
[no] ipv6 dhcp snooping trust
Default Setting
All interfaces are untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network.
clear ipv6 dhcp snooping binding
This command clears DHCPv6 snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
Syntax
clear ipv6 dhcp snooping binding [mac-address ipv6-address]
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx)
ipv6-address - Corresponding IPv6 address.
show ipv6 dhcp
This command shows the DHCPv6 snooping configuration settings.
Chapter 9 | General Security Measures IPv4 Source Guard
show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
Syntax
ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id ip-address interface ethernet unit/port-list
no ip source-guard binding [mode {acl | mac}] mac-address ip-address
mode - Specifies the binding mode.
acl - Adds binding to ACL table.
mac - Adds binding to MAC address table.
◆ Static bindings are processed as follows:
■
■
◆ A valid static IP source guard entry will be added to the binding table in ACL mode if one of the following conditions is true:
■ If there is no binding entry with the same VLAN ID and MAC address, a new entry will be added to the binding table using the type of static IP source guard binding.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If the DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Example
Console#show ip source-guard
Interface   Filter-type   Filter-table   ACL Table Max-binding   MAC Table Max-binding
---------   -----------   ------------   ---------------------   ---------------------
Eth 1/1     DISABLED      ACL            5                       1024
Eth 1/2     DISABLED      ACL            5                       1024
Eth 1/3     DISABLED      ACL            5                       1024
Eth 1/4     DISABLED      ACL            5                       1024
Eth 1/5     DISABLED      ACL            5                       1024
.
.
.

show ip source-guard
This command shows the source guard binding table.
Chapter 9 | General Security Measures IPv6 Source Guard
IPv6 Source Guard
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping” on page 337).
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
ipv6 dhcp snooping (337)
ipv6 dhcp snooping vlan (343)

ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
◆ Filtering rules are implemented as follows:
■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
Chapter 9 | General Security Measures ARP Inspection
Eth 1/5 Eth 1/6 . . . SIP Disabled 1 5

show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.
Syntax
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 337)
static - Shows static entries configured with the ipv6 source-guard binding command.
This section describes commands used to configure ARP Inspection.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
Command Usage
◆ ARP ACLs are configured with the commands described under “ARP ACLs” on page 396.
◆ If static mode is enabled, the switch compares ARP packets to the specified ARP ACLs. Packets matching an IP-to-MAC address binding in a permit or deny rule are processed accordingly. Packets not matching any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked.
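How static mode changes the outcome for a host that is known only to DHCP snooping, as an added Python model that is not the switch's own logic. The rule class, function names and sample addresses are hypothetical and constructed; the fall-through to the DHCP snooping database when static mode is off, and the drop when no binding is found there, are assumptions based on this chapter's description of ARP ACLs being checked before the DHCP Snooping database.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class ArpAclRule:
    """Simplified ARP ACL rule: sender IP with bitmask, optional sender MAC."""
    action: str                 # "permit" or "deny"
    ip: str
    bitmask: str                # 1 bits are compared, 0 bits are ignored
    mac: Optional[str] = None   # None stands for "any"

    def matches(self, sender_ip, sender_mac):
        mask = ip_int(self.bitmask)
        if (ip_int(self.ip) & mask) != (ip_int(sender_ip) & mask):
            return False
        return self.mac is None or self.mac.upper() == sender_mac.upper()


def inspect_arp(sender_ip, sender_mac, vlan, port_trusted, acl, bindings, static):
    """Return (action, reason) for one ARP packet.

    bindings maps (vlan, ip) -> MAC and stands in for the DHCP snooping table.
    """
    if port_trusted:
        return "forward", "trusted port bypasses ARP Inspection"
    for rule in acl:                       # first matching rule decides
        if rule.matches(sender_ip, sender_mac):
            action = "forward" if rule.action == "permit" else "drop"
            return action, f"ARP ACL {rule.action} rule"
    if static:
        return "drop", "no ARP ACL rule matched (static mode)"
    bound = bindings.get((vlan, sender_ip))
    if bound is not None and bound.upper() == sender_mac.upper():
        return "forward", "DHCP snooping binding"
    return "drop", "no ARP ACL rule and no DHCP snooping binding"


# Constructed policy: pin the gateway address to one MAC, deny other claimants.
GATEWAY_ACL = [
    ArpAclRule("permit", "192.168.1.1", "255.255.255.255", "00-E0-29-94-34-DE"),
    ArpAclRule("deny", "192.168.1.1", "255.255.255.255"),
]
# Constructed DHCP snooping binding for one client in VLAN 1.
BINDINGS = {(1, "192.168.1.50"): "00-11-22-33-44-55"}

if __name__ == "__main__":
    packets = [
        ("192.168.1.1", "00-E0-29-94-34-DE"),    # the real gateway
        ("192.168.1.1", "00-11-22-33-44-55"),    # another host claiming it
        ("192.168.1.50", "00-11-22-33-44-55"),   # DHCP client, valid binding
        ("192.168.1.50", "00-AA-BB-CC-DD-EE"),   # DHCP client IP, wrong MAC
    ]
    for static in (False, True):
        for ip, mac in packets:
            result = inspect_arp(ip, mac, 1, False, GATEWAY_ACL, BINDINGS, static)
            print(f"static={static} {ip} {mac} ->", *result)
```

With static mode on, the DHCP client with a valid binding is dropped as well, so every legitimate host needs a permit rule in the ARP ACL before that mode is enabled.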
◆ If multiple, identical invalid ARP packets are received consecutively on the same VLAN, then the logging facility will only generate one entry in the log buffer and one corresponding system message.
◆ The maximum number of entries that can be stored in the log buffer is determined by the message-number parameter. If the log buffer fills up before a message is sent, the oldest entry will be replaced with the newest one.
Command Usage
By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database.
Example
Console(config)#ip arp inspection validate dst-mac
Console(config)#

ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
Syntax
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID.
Example
Console(config)#ip arp inspection vlan 1,2
Console(config)#

ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
Syntax
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks. Packets arriving on trusted ports bypass all of these checks, and are forwarded according to normal switching rules.
Example
Console#show ip arp inspection interface ethernet 1/1
Port Number   Trust Status   Rate Limit (pps)
-----------   ------------   ----------------
Eth 1/1       Trusted        150
Console#

show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Chapter 9 | General Security Measures Port-based Traffic Segmentation
show ip arp inspection vlan
This command shows the configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ARP ACL validation is completed.
Syntax
show ip arp inspection vlan [vlan-id | vlan-range]
vlan-id - VLAN ID.
Table 67: Commands for Configuring Traffic Segmentation (Continued)
Command                                 Function                                                                                                     Mode
traffic-segmentation uplink/downlink    Configures uplink/downlink ports for client sessions                                                         GC
traffic-segmentation uplink-to-uplink   Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions  GC
show traffic-segmentation               Displays the configured traffic segments                                                                     PE

traffic-segmentation
This
Table 68: Traffic Segmentation Forwarding (Continued)
Source \ Destination      Session #1 Downlinks   Session #1 Uplinks     Session #2 Downlinks   Session #2 Uplinks   Normal Ports
Session #2 Uplink Ports   Blocking               Blocking/Forwarding*   Forwarding             Forwarding           Forwarding
Normal Ports              Forwarding             Forwarding             Forwarding             Forwarding           Forwarding
* The forwarding state for uplink-to-uplink ports is configured by the traffic-segmentation uplink-to
Example
Console(config)#traffic-segmentation session 1
Console(config)#

traffic-segmentation uplink/downlink
This command configures the uplink and down-link ports for a segmented group of ports. Use the no form to remove a port from the segmented group.
Syntax
[no] traffic-segmentation [session session-id] {uplink interface-list [downlink interface-list] | downlink interface-list}
session-id – Traffic segmentation session.
Example
This example enables traffic segmentation, and then sets port 10 as the uplink and ports 5-8 as downlinks.
Console(config)#traffic-segmentation
Console(config)#traffic-segmentation uplink ethernet 1/10 downlink ethernet 1/5-8
Console(config)#

traffic-segmentation uplink-to-uplink
This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions.
Session   Uplink Ports   Downlink Ports
-------   ------------   --------------
1 Ethernet 1/1 Ethernet 1/2 Ethernet 1/3 Ethernet 1/4
Console#
10 Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 10 | Access Control Lists IPv4 ACLs
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
bitmask – Dotted decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
◆ New rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period.
[precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]]
{permit | deny} [tcp | udp ] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]] [control-flag control-flags flag-bitmask] [time-range time-range-name]
no {permit | deny} [tcp | udp ] {any | source address-b
Command Usage
◆ All new rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bit mask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-ext-acl)#
Related Commands
access-list ip (378)
Time Range (180)

ip access-group
This command binds an IPv4 ACL to a port. Use the no form to remove the port.
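The bit-mask convention this guide uses for the MAC display filter in Chapter 9 and for ACL address bitmasks (a 1 bit is compared, a 0 bit is ignored), worked through as an added Python example that is not part of the switch software. The function names and sample addresses are hypothetical; applying the same convention to the control-flag value and flag-bitmask is an assumption, and the value 18 in the last case is constructed for illustration.

```python
import ipaddress

# Standard TCP header flag bit values.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def masked_match(rule_value, mask, candidate):
    """Compare only the bit positions where the mask holds a 1."""
    return (rule_value & mask) == (candidate & mask)


def parse_mac(text):
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def mac_filter_bounds(mac, mask):
    """Lowest and highest MAC address selected by a MAC/mask pair."""
    low = parse_mac(mac) & parse_mac(mask)
    high = low | (~parse_mac(mask) & 0xFFFFFFFFFFFF)
    return format_mac(low), format_mac(high)


def mac_displayed(filter_mac, mask, candidate):
    return masked_match(parse_mac(filter_mac), parse_mac(mask),
                        parse_mac(candidate))


def ip_rule_matches(rule_addr, bitmask, packet_addr):
    def to_int(addr):
        return int(ipaddress.IPv4Address(addr))
    return masked_match(to_int(rule_addr), to_int(bitmask), to_int(packet_addr))


def flags(*names):
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value


def control_flag_matches(control_flags, flag_bitmask, packet_flags):
    # Assumption: flag-bitmask uses the same 1 = compare, 0 = ignore rule.
    return masked_match(control_flags, flag_bitmask, packet_flags)


if __name__ == "__main__":
    # The MAC filter example from Chapter 9.
    print(mac_filter_bounds("00-00-01-02-03-04", "FF-FF-FF-00-00-00"))

    # The ACL rule "192.168.1.0 255.255.255.0" compares the first three octets.
    print(ip_rule_matches("192.168.1.0", "255.255.255.0", "192.168.1.77"))  # True
    # An inverse (wildcard-style) mask compares only the last octet here, so
    # the rule misses 192.168.1.77 and matches an unrelated address ending .0
    print(ip_rule_matches("192.168.1.0", "0.0.0.255", "192.168.1.77"))      # False
    print(ip_rule_matches("192.168.1.0", "0.0.0.255", "10.9.9.0"))          # True

    # "control-flag 2 2" inspects the SYN bit only, so SYN+ACK matches too.
    print(control_flag_matches(2, 2, flags("SYN", "ACK")))                  # True
    # Adding ACK to the mask (2 + 16 = 18) requires SYN set and ACK clear.
    print(control_flag_matches(2, 18, flags("SYN", "ACK")))                 # False
```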
show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
IP access-list david in
Console#

show ip access-list
This command displays the rules for configured IPv4 ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL.
Chapter 10 | Access Control Lists IPv6 ACLs
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
◆ An ACL can contain up to 64 rules.
Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny (Standard IPv6 ACL) (385)
permit, deny (Extended IPv6 ACL) (386)
ipv6 access-group (388)
show ipv6 access-list (389)

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
Related Commands
access-list ipv6 (384)
Time Range (180)

permit, deny
This command adds a rule to an Extended IPv6 ACL.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128 for source prefix, 0-128 for destination prefix)
dscp – DSCP traffic class. (Range: 0-63)
next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
sport – Protocol source port number. (Range: 0-65535)
dport – Protocol destination port number.
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent from any source to any destination when the next header is 43.
Console(config-ext-ipv6-acl)#permit any any next-header 43
Console(config-ext-ipv6-acl)#
Related Commands
access-list ipv6 (384)
Time Range (180)

ipv6 access-group
This command binds an IPv6 ACL to a port.
Related Commands
show ipv6 access-list (389)
Time Range (180)

show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
Command Mode
Privileged Exec
Example
Console#show ipv6 access-group
Interface ethernet 1/2
IPv6 standard access-list david in
Console#
Related Commands
ipv6 access-group (388)

show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
Chapter 10 | Access Control Lists MAC ACLs
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Example
Console(config)#access-list mac jerry
Console(config-mac-acl)#
Related Commands
permit, deny (391)
mac access-group (394)
show mac access-list (395)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Rules can also filter packets based on IPv4/v6 addresses, including Layer 4 ports and protocol types.
no {permit | deny} tagged-eth2 {any | host source | source address} {any | host destination | destination address} [cos cos cos-bitmask] [vid vid vid-bitmask] [ethertype ethertype [ethertype-bitmask]]
{permit | deny} untagged-eth2 {any | host source | source address} {any | host destination | destination address} [ethertype ethertype [ethertype-bitmask]] [time-range time-range-name]
no {permit | deny} untagged-eth2 {any | host source | source address} {any | host
prefix-length - Length of IPv6 prefix. A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128)
cos – Class-of-Service value (Range: 0-7)
cos-bitmask – Class-of-Service bitmask. (Range: 0-7)
ip precedence – IP Precedence value (Range: 0-7)
vid – VLAN ID. (Range: 1-4094)
vid-bitmask – VLAN bitmask.
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.

Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#

Related Commands
access-list mac (390)
Time Range (180)

mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.
show mac access-group
This command shows the ports assigned to MAC ACLs.

Command Mode
Privileged Exec

Example
Console#show mac access-group
Interface ethernet 1/5
 MAC access-list M5 in
Console#

Related Commands
mac access-group (394)

show mac access-list
This command displays the rules for configured MAC ACLs.

Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.
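The following is an added example, not code from the guide or from the switch firmware: it parses rules in the form of the guide's `permit any host 00-e0-29-94-34-de ethertype 0800` example and shows how an ethertype bitmask widens what a rule admits. Assumptions: a bitmask bit of 1 means "compare" and 0 means "ignore", an address may also be given as `MAC BITMASK`, rules are tried in order with the first match deciding, and the source MAC in the sample frames is constructed.

```python
"""Added example: match Ethernet frames against MAC ACL rules with bitmasks."""

FULL_MAC = (1 << 48) - 1


def mac_to_int(text):
    """Convert the guide's dash-separated notation (00-e0-29-94-34-de) to an int."""
    octets = text.split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {text!r}")
    return int("".join(octets), 16)


def _address(tokens):
    """Consume 'any', 'host MAC' or 'MAC BITMASK' (assumed form); return (value, mask)."""
    word = tokens.pop(0)
    if word == "any":
        return (0, 0)
    if word == "host":
        return (mac_to_int(tokens.pop(0)), FULL_MAC)
    return (mac_to_int(word), mac_to_int(tokens.pop(0)))


def parse_rule(line):
    """Parse '{permit|deny} SRC DST [ethertype TYPE [BITMASK]]' into a dict."""
    tokens = line.split()
    try:
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        rule = {"action": action, "src": _address(tokens),
                "dst": _address(tokens), "ethertype": (0, 0)}
        if tokens:
            if tokens.pop(0) != "ethertype":
                raise ValueError("only the ethertype option is modelled here")
            value = int(tokens.pop(0), 16)
            # No bitmask given: compare all 16 bits of the EtherType.
            mask = int(tokens.pop(0), 16) if tokens else 0xFFFF
            rule["ethertype"] = (value, mask)
        if tokens:
            raise ValueError(f"unexpected tokens: {tokens}")
    except IndexError:
        raise ValueError(f"incomplete rule: {line!r}") from None
    return rule


def _field_matches(spec, observed):
    value, mask = spec
    # Assumed semantics: only bits set in the mask take part in the comparison.
    return (observed & mask) == (value & mask)


def rule_matches(rule, frame):
    return all(_field_matches(rule[key], frame[key])
               for key in ("src", "dst", "ethertype"))


def first_match(rules, frame):
    """Return the action of the first matching rule, or None if none matches.

    What the switch does with an unmatched frame is not stated in this
    section, so no default action is modelled.
    """
    for rule in rules:
        if rule_matches(rule, frame):
            return rule["action"]
    return None


def covered_ethertypes(value, mask):
    """List every EtherType a value/bitmask pair admits (useful when auditing)."""
    return [e for e in range(0x10000) if (e & mask) == (value & mask)]


def make_frame(src, dst, ethertype):
    return {"src": mac_to_int(src), "dst": mac_to_int(dst), "ethertype": ethertype}


# Rule text from the guide's example; the wide variant adds a constructed bitmask.
GUIDE_RULE = "permit any host 00-e0-29-94-34-de ethertype 0800"
WIDE_RULE = "permit any host 00-e0-29-94-34-de ethertype 0800 fff0"

# Constructed frames: IPv4 (0x0800) and ARP (0x0806) to the guide's destination.
IPV4_FRAME = make_frame("00-11-22-33-44-55", "00-e0-29-94-34-de", 0x0800)
ARP_FRAME = make_frame("00-11-22-33-44-55", "00-e0-29-94-34-de", 0x0806)

if __name__ == "__main__":
    for text in (GUIDE_RULE, WIDE_RULE):
        rules = [parse_rule(text)]
        print(text)
        print("  IPv4 frame:", first_match(rules, IPV4_FRAME))
        print("  ARP frame: ", first_match(rules, ARP_FRAME))
    print("fff0 admits", len(covered_ethertypes(0x0800, 0xFFF0)), "EtherTypes")
```

With the exact rule only the IPv4 frame matches; with the `fff0` bitmask the same rule also admits ARP and fourteen other EtherTypes, which is the kind of over-broad rule worth catching in review.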
Chapter 10 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Chapter 10 | Access Control Lists ACL Information

Example
This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.

Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#

Related Commands
access-list arp (396)

show access-list arp
This command displays the rules for configured ARP ACLs.

Syntax
show access-list arp [acl-name]
acl-name – Name of the ACL.
clear access-list hardware counters
This command clears the hit counter for the rules in all ACLs, or for the rules in a specified ACL.

Syntax
clear access-list hardware counters [direction in [interface interface]] | [interface interface] | [name acl-name[direction in]]
in – Clears counter for ingress rules.
ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-12/26/28/52)
acl-name – Name of the ACL.
show access-list
This command shows all ACLs and associated rules.

Syntax
show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]]
arp – Shows ingress or egress rules for ARP ACLs.
hardware counters – Shows statistics for all ACLs.
ip extended – Shows ingress or egress rules for Extended IPv4 ACLs.
11 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Chapter 11 | Interface Commands Interface Configuration

Table 75: Interface Commands (Continued)

Command | Function | Mode

Transceiver Threshold Configuration
transceiver-monitor | Sends a trap when any of the transceiver’s operational values fall outside specified thresholds | IC
transceiver-threshold-auto | Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent | IC
transceiver-threshold current | Sets thresholds for transceiver current which c
port-list - Physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers.
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
Example
The following example adds a description to port 4.

Console(config)#interface ethernet 1/4
Console(config-if)#description RD-SW#3
Console(config-if)#

discard
This command discards CDP or PVST packets. Use the no form to forward the specified packet type to other ports configured the same way.
Command Usage
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2002 (formerly IEEE 802.3x) for full-duplex operation.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Example
This example sets an interval of 15 minutes for sampling standard statistical values on port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#history 15min 15 10
Console(config-if)#

media-type
This command forces the transceiver mode to use for SFP+ ports. Use the no form to restore the default mode.
Example
This forces the switch to use the 1000sfp mode for SFP port 28.

Console(config)#interface ethernet 1/28
Console(config-if)#media-type sfp-forced 1000sfp
Console(config-if)#

negotiation
This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation.
shutdown
This command disables an interface. To restart a disabled interface, use the no form.

Syntax
[no] shutdown

Default Setting
All interfaces are enabled.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons.
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
◆ To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.

Example
The following example clears statistics on port 5.
◆ The Type field will always display “NA” for a trunk entry because a trunk allows for mixed port types such as 1000BASE-T and 1000BASE SFP.
◆ If link status is down due to an administrative setting or the result of a protocol state, the reason will be listed in the Status field (i.e., Disabled, STP LBD, BpduGuard, LinkDet, DynQoS, PortSec, LBD, ATC Bcast, ATC Mcast, UDLD, License).
    0 Discard Input
    0 Discard Output
    0 Error Input
    0 Error Output
===== Extended Iftable Stats =====
   23 Multi-cast Input
 5525 Multi-cast Output
  170 Broadcast Input
   11 Broadcast Output
===== Ether-like Stats =====
    0 FCS Errors
    0 Single Collision Frames
    0 Multiple Collision Frames
    0 Deferred Transmissions
    0 Late Collisions
    0 Excessive Collisions
    0 Internal Mac Transmit Errors
    0 Frames Too Long
    0 Symbol Errors
    0 Pause Frames Input
    0 Pause Frames Output
====
Table 76: show interfaces counters - display description (Continued)

Parameter | Description
Unicast Output | The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Discard Input | The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.
Table 76: show interfaces counters - display description (Continued)

Parameter | Description
Symbol Errors | For an interface operating at 100 Mb/s, the number of times there was an invalid data symbol when a valid carrier was present.
Table 76: show interfaces counters - display description (Continued)

Parameter | Description

Utilization Statistics
Octets input in kbits per second | Number of octets entering this interface in kbits per second.
Packets input per second | Number of packets entering this interface in packets per second.
Input utilization | The input utilization rate for this interface.
Command Usage
If no interface is specified, information on all interfaces is displayed.

Example
Console#show interfaces history ethernet 1/1 15min
Interface         : Eth 1/ 1
Name              : 15min
Interval          : 900 second(s)
Buckets Requested : 96
Buckets Granted   : 17
Status            : Active

Current Entries

Start Time   %      Octets Input    Unicast       Multicast     Broadcast
------------ ------ --------------- ------------- ------------- -----------
00d 04:15:00 0.
00d 01:45:00 0 0
00d 02:00:00 0 0
00d 02:15:00 0 0
00d 02:30:00 0 0
00d 02:45:00 0 0
00d 03:00:00 0 0
00d 03:15:00 0 0
00d 03:30:00 0 0
00d 03:45:00 0 0
00d 04:00:00 0 0
Console#

show interfaces status
This command displays the status for an interface.

Syntax
show interfaces status [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
 Flow Control           : Disabled
 LACP                   : Disabled
 MAC Learning           : Enabled
 Link-up-down Trap      : Enabled
 Media Type             : None
Current Status:
 Link Status            : Up
 Port Operation Status  : Up
 Operation Speed-duplex : 100full
 Up Time                : 0w 0d 1h 11m 2s (4262 seconds)
 Flow Control Type      : None
 Max Frame Size         : 1518 bytes (1522 bytes for tagged frames)
 MAC Learning Status    : Enabled
Console#

show interfaces
This command displays the administrative and operational status of t
 Acceptable Frame Type
 Native VLAN
 Priority for Untagged Traffic
 GVRP Status
 Allowed VLAN
 Forbidden VLAN
 802.1Q Tunnel Status
 802.1Q Tunnel Mode
 802.
Chapter 11 | Interface Commands Transceiver Threshold Configuration

Table 77: show interfaces switchport - display description (Continued)

Field | Description
802.1Q-tunnel TPID | Shows the Tag Protocol Identifier used for learning and switching packets (page 570).
Layer 2 Protocol Tunnel | Shows if Layer 2 Protocol tunnel is enabled (page 578).
transceiver-threshold current
This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.

Syntax
transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sets the high current threshold for an alarm message.
high-warning – Sets the high current threshold for a warning message.
Example
The following example sets alarm thresholds for the transceiver current at port 9 of an ECS4100-12T (SFP port).
Example
The following example sets alarm thresholds for the signal power received at port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold rx-power low-alarm -21
Console(config-if)#transceiver-threshold rx-power high-alarm -3
Console#

transceiver-threshold temperature
This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message.
Example
The following example sets alarm thresholds for the transceiver temperature at port 1.
Example
The following example sets alarm thresholds for the signal power transmitted at port 9 of an ECS4100-12T.

Console(config)#interface ethernet 1/9
Console(config-if)#transceiver-threshold tx-power low-alarm -4000
Console(config-if)#transceiver-threshold tx-power high-alarm 820
Console#

transceiver-threshold voltage
This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message.
Example
The following example sets alarm thresholds for the transceiver voltage at port 9 of an ECS4100-12T switch (SFP port).
DDM Information
 Temperature  : 35.64 degree C
 Vcc          : 3.25 V
 Bias Current : 12.13 mA
 TX Power     : 2.36 dBm
 RX Power     : -24.20 dBm
DDM Thresholds
                      Low Alarm   Low Warning  High Warning  High Alarm
-----------           ----------- -----------  ------------  -----------
Temperature(Celsius)  -45.00      -40.00       85.00         90.00
Voltage(Volts)        2.90        3.00         3.60          3.70
Current(mA)           1.00        3.00         50.00         60.00
TxPower(dBm)          -11.50      -10.50       -2.00         -1.
RxPower(dBm)          -23.98      -23.01       -1.00
Console#
Chapter 11 | Interface Commands Cable Diagnostics

                      Low Alarm   Low Warning  High Warning  High Alarm
-----------           ----------- -----------  ------------  -----------
Temperature(Celsius)  -123.00     0.00         70.00         75.00
Voltage(Volts)        3.10        3.15         3.45          3.50
Current(mA)           6.00        7.00         90.00         100.00
TxPower(dBm)          -12.00      -11.50       -9.50         -9.00
RxPower(dBm)          -21.50      -21.00       -3.50         -3.00
Console#

Cable Diagnostics

test cable-diagnostics
This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.
show cable-diagnostics
This command shows the results of a cable diagnostics test.

Syntax
show cable-diagnostics interface [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-10/22/24/48)

Command Mode
Privileged Exec

Command Usage
The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
Chapter 11 | Interface Commands Power Savings

Eth 1/ 1  GE   Up    OK (3)  OK (3)  OK (3)  OK (3)  2017-06-05 21:41:56
Eth 1/ 2  GE   Down  NT      NT      NT      NT
Eth 1/ 3  GE   Down  NT      NT      NT      NT
Eth 1/ 4  GE   Down  NT      NT      NT      NT
Eth 1/ 5  GE   Up    NT      NT      NT      NT
Eth 1/ 6  GE   Down  NT      NT      NT      NT
Eth 1/ 7  GE   Down  NT      NT      NT      NT
Eth 1/ 8  GE   Down  NT      NT      NT      NT
Eth 1/ 9  GE   Down  NT      NT      NT      NT
Eth 1/10  GE   Down  NT      NT      NT      NT
Eth 1/11  N/A  Down  NS      NS      NS      NS
Eth 1/12  N/A  Up    NS      NS      NS      NS
Console#

Power Savings

power-save
This command enables power savings mode on
none is detected, the MAC interface is also powered down to save additional energy. If energy is detected, the switch immediately turns on both the transmitter and receiver functions, and powers up the MAC interface.
■ Power saving when there is a link partner: Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorter.
12 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 16 trunks.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands

Guidelines for Creating Trunks
General Guidelines –
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 8 ports.
◆ The ports at both ends of a connection must be configured as trunk ports.
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e.
src-dst-ip - Load balancing based on source and destination IP address.
src-dst-mac - Load balancing based on source and destination MAC address.
src-ip - Load balancing based on source IP address.
src-mac - Load balancing based on source MAC address.

Default Setting
src-dst-mac

Command Mode
Global Configuration

Command Usage
◆ This command applies to all static and dynamic trunks on the switch.
■ src-mac: All traffic with the same source MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from many different hosts.

Example
Console(config)#port-channel load-balance dst-ip
Console(config)#

channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands

Dynamic Configuration Commands

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.

Syntax
[no] lacp

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
 Multicast Storm             : Disabled
 Multicast Storm Limit       : 500 packets/second
 Unknown Unicast Storm       : Disabled
 Unknown Unicast Storm Limit : 500 packets/second
 Storm Threshold Resolution  : 1 packets/second
 Flow Control                : Disabled
 MAC Learning                : Enabled
 Link-up-down Trap           : Enabled
Current status:
 Created By                  : LACP
 Link Status                 : Up
 Port Operation Status       : Up
 Operation Speed-duplex      : 1000full
 Up Time                     : 0w 0d 0h 0m 53s (53 seconds)
 Flow Control Type
lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - LACP port priority is used to select a backup link.
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
Default Setting
Default is dependent on the port speed: 1000f–4, 100f–3, and 10f–2

Command Mode
Interface Configuration (Port Channel)

Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands

long timeout from the actor, it adjusts the transmit LACPDU interval to 30 seconds.
◆ If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group.
◆ When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port.
. . .

Table 79: show lacp counters - display description

Field | Description
Port Channel | The LACP port channel trunk number.
Member Port | The Ethernet interface that is a member of the LACP port-channel trunk.
LACPDUs Sent | Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received | Number of valid LACPDUs received on this channel group.
Table 80: show lacp internal - display description (Continued)

Field | Description
System Priority | LACP system priority assigned to this port channel.
Port Priority | LACP port priority assigned to this interface within the channel group.
Table 81: show lacp neighbors - display description (Continued)

Field | Description
Partner Admin Port ID | Current administrative value of the port number for the protocol Partner.
Partner Oper Port ID | Operational port number assigned to this aggregation port by the port’s protocol partner.
Partner Admin Key | Current administrative value of the Key for the protocol partner.
13 Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices listed on page 2. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
Chapter 13 | Power over Ethernet Commands

power inline compatible
This command allows the switch to detect and provide power to powered devices that were designed prior to the IEEE 802.3af PoE standard. Use the no form to disable this feature.

Syntax
[no] power inline compatible [unit]
unit - Unit identifier.
Default Setting
class

Command Mode
Global Configuration

Command Usage
The IEEE standard does not define the maximum power of each PD class. The following table is an example from Microsemi's PoE IC implementation.

Table 84: Maximum PoE Based on PD Classification

PD Class | Maximum Power (Watts)
Class 0 (AF) | 16.1
Class 0 (AT) | 33.6
Class 1 | 4.2
Class 2 | 7.3
Class 3 | 16.1
Class 4 | 33.
◆ If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.

Example
Console(config)#power mainpower maximum allocation 180000
Console(config)#

Related Commands
power inline priority (452)

power inline
This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly.
power inline maximum allocation
This command limits the power allocated to specific ports. Use the no form to restore the default setting.

Syntax
power inline maximum allocation milliwatts
no power inline maximum allocation
milliwatts - The maximum power budget for the port.
power inline priority
This command sets the power priority for specific ports. Use the no form to restore the default setting.

Syntax
power inline priority priority
no power inline priority
priority - The power priority for the port.
power inline time-range
This command binds a time-range to a port during which PoE is supplied to the attached device. Use the no form to remove this binding.

Syntax
power inline time-range time-range-name
no power inline time-range
time-range-name - Name of the time range.
Example
Console(config)#led-port-mode poe
Console(config)#

show power inline status
This command displays the current power status for all ports or for specific ports.

Syntax
show power inline status [interface]
interface
 ethernet
  unit - Unit identifier. (Range: 1)
  port - Port number.
Table 86: show power inline status - display description (Continued)

Field | Description
Max Power | The maximum power allocated to this port (see power inline maximum allocation)
Used Power | The current power consumption on the port in milliwatts
Priority | The port’s power priority setting (see power inline priority)

show power inline time-range
This command displays the time-range and current status for specific ports or for all ports.
show power mainpower
Use this command to display the current power status for the switch.

Syntax
show power mainpower unit

Command Mode
Privileged Exec

Example
This example shows the maximum available PoE power and maximum allocated PoE power.

Console#show power mainpower
Unit 1 PoE Status
 PoE Maximum Available Power  : 180.0 Watts
 PoE Maximum Allocation Power : 180.0 Watts
 System Operation Status      : On
 PoE Power Consumption        : 0.
 Software Version             :
14 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands

Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.

Command Mode
Interface Configuration (Ethernet, destination port)

Command Usage
You can mirror traffic from any source port to a destination port for real-time analysis.
2. Use the access-group command to add a mirrored port to access control list.
3. Use the port monitor access-list command to specify the destination port to which traffic matching the ACL will be mirrored.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
4. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch’s role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
rspan source
Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.

Syntax
[no] rspan session session-id source interface interface-list [rx | tx | both]
session-id – A number identifying this RSPAN session.
rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.

Syntax
rspan session session-id destination interface interface [tagged | untagged]
no rspan session session-id destination interface interface
session-id – A number identifying this RSPAN session.
rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.

Syntax
[no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface
session-id – A number identifying this RSPAN session.
display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.

Example
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:

Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#

no rspan session
Use this command to delete a configured RSPAN session.
Example
Console#show rspan session
RSPAN Session ID                : 1
Source Ports (mirrored ports)   : None
RX Only                         : None
TX Only                         : None
BOTH                            : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode         : Untagged
Switch Role                     : Destination
RSPAN VLAN                      : 2
RSPAN Uplink Ports              : Eth 1/3
Operation Status                : Up
Console#
15 Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Table 91: Congestion Control Commands Command Group Function Rate Limiting Sets the input and output rate limits for a port.
Chapter 15 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input – Input rate for specified interface output – Output rate for specified interface rate – Maximum value in kbps.
Chapter 15 | Congestion Control Commands Storm Control Commands

Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands ◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
Table 94: ATC Commands (Continued)

Command | Function | Mode

ATC Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered | IC (Port)
snmp-server enable port-traps atc broadcast-alarm-fire | Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control | IC (Port)
snmp-ser
Usage Guidelines

ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Figure 2: Storm Control by Shutting Down a Port

The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

Functional Limitations

Automatic storm control is a software level control function.
Command Usage

After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command.

Example

This example sets the apply timer to 200 seconds for all ports.
auto-traffic-control

This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.

Syntax
[no] auto-traffic-control {broadcast | multicast}

broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.

Default Setting
rate-control

Command Mode
Interface Configuration (Ethernet)

Command Usage
When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
Default Setting
250 kilo-packets per second

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.
Command Usage
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
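The ATC sequence in these usage notes (upper threshold, apply timer, control action, lower threshold, release timer, manual release after a shutdown), modelled as a small state machine. This is an added example, not Edgecore code. Assumptions: one rate sample per second, the event labels, and that an alarm is cancelled when traffic drops back to the upper threshold or below before the apply timer expires.

```python
from dataclasses import dataclass, field


@dataclass
class AtcPort:
    """Toy model of one port's ATC behaviour for one traffic type."""
    alarm_fire_kpps: int            # upper threshold (kilo-packets per second)
    alarm_clear_kpps: int           # lower threshold
    apply_timer_s: int = 300        # value shown in the guide's sample output
    release_timer_s: int = 900      # value shown in the guide's sample output
    action: str = "rate-control"    # or "shutdown"
    state: str = "normal"
    since: int = 0                  # time the current state was entered
    events: list = field(default_factory=list)

    def _enter(self, state, t, event=None):
        self.state, self.since = state, t
        if event:
            self.events.append((t, event))

    def sample(self, t, rate_kpps):
        """Feed one ingress-rate sample taken at time t (seconds)."""
        if self.state == "normal":
            if rate_kpps > self.alarm_fire_kpps:
                self._enter("alarm", t, "alarm-fire")
        elif self.state == "alarm":
            if rate_kpps <= self.alarm_fire_kpps:
                # Assumption: a burst that ends before the apply timer
                # expires never triggers a control response.
                self._enter("normal", t)
            elif t - self.since >= self.apply_timer_s:
                nxt = "shutdown" if self.action == "shutdown" else "rate-limited"
                self._enter(nxt, t, "control-apply")
        elif self.state == "rate-limited":
            if rate_kpps < self.alarm_clear_kpps:
                self._enter("clearing", t, "alarm-clear")
        elif self.state == "clearing":
            if rate_kpps >= self.alarm_clear_kpps:
                # Assumption: the release timer restarts if traffic rises again.
                self._enter("rate-limited", t)
            elif t - self.since >= self.release_timer_s:
                self._enter("normal", t, "control-release")
        # state "shutdown": nothing is released automatically

    def manual_release(self, t):
        """Operator action, as with the control-release command."""
        if self.state in ("shutdown", "rate-limited", "clearing"):
            self._enter("normal", t, "manual-release")


def simulate(port, rates_kpps, start=0):
    """Run one sample per second through the port; return its event log."""
    for t, rate in enumerate(rates_kpps, start):
        port.sample(t, rate)
    return port.events


if __name__ == "__main__":
    # Constructed trace: a storm that outlasts a 3 s apply timer, then subsides.
    trace = [100, 600, 700, 700, 700, 400, 200, 200, 200, 200, 200]
    for action in ("rate-control", "shutdown"):
        port = AtcPort(500, 250, apply_timer_s=3, release_timer_s=4, action=action)
        print(action, simulate(port, trace), "final state:", port.state)
```

With the shutdown action the port stays down at the end of the trace, which is why a monitoring system should alert on the control-apply trap rather than wait for a release trap.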
auto-traffic-control control-release

This command manually releases a control response.

Syntax
auto-traffic-control {broadcast | multicast} control-release interface interface

broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
interface
    ethernet unit/port-list
        unit - Unit identifier.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear
Console(config-if)#

Related Commands
auto-traffic-control action (475)
auto-traffic-control alarm-clear-threshold (476)

snmp-server enable port-traps atc

This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply
Console(config-if)#

Related Commands
auto-traffic-control alarm-fire-threshold (477)
auto-traffic-control apply-timer (473)

snmp-server enable port-traps atc

This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Command Mode
Interface Configuration (Ethernet)

Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear
Console(config-if)#

Related Commands
auto-traffic-control action (475)
auto-traffic-control alarm-clear-threshold (476)

snmp-server enable port-traps atc

This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-apply
Console(config-if)#

Related Commands
auto-traffic-control alarm-fire-threshold (477)
auto-traffic-control apply-timer (473)

snmp-server enable port-traps atc

This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Apply-timer (sec) : 300
release-timer (sec) : 900
Storm-control: Multicast
Apply-timer(sec) : 300
release-timer(sec) : 900
Console#

show auto-traffic-control interface

This command shows interface configuration settings and storm control status for the specified port.

Syntax
show auto-traffic-control interface [interface]

interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number.
16 Loopback Detection Commands

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
loopback-detection

This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.

Syntax
[no] loopback-detection

Default Setting
Enabled

Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)

Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
bcast-discared - When a loopback condition on a specific port is detected, all received packets at the port are dropped.
block - When a loopback is detected on a port which is a member of a specific VLAN, packets belonging to that VLAN are dropped at the offending port.
none - No action is taken.
loopback-detection recover-time

This command specifies the interval to wait before the switch automatically releases an interface from shutdown state. Use the no form to restore the default setting.

Syntax
loopback-detection recover-time seconds
no loopback-detection recover-time

seconds - Recovery time from shutdown state.
Example
Console(config)#loopback-detection transmit-interval 60
Console(config)#

loopback-detection trap

This command sends a trap when a loopback condition is detected, or when the switch recovers from a loopback condition. Use the no form to restore the default state.
Example
Console#loopback-detection release
Console#

show loopback-detection

This command shows loopback detection configuration settings for the switch or for a specified interface.

Syntax
show loopback-detection [interface]

interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number. (Range: 1-12/26/28/52)
    port-channel channel no.
17 MAC-Thrashing Commands

A MAC-thrashing feature can be configured on the switch to detect traffic with identical MAC addresses being received on different physical ports. Once detected, the system can then take a configured action on a port. In this way, MAC-thrashing can detect switching loops and take an appropriate action in order to eliminate the loop condition and prevent CPU overload caused by the constant switching of the learned MAC address in the Forwarding Database (FDB).
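The detection idea in this paragraph, applied offline to a list of address-learning events rather than inside the switch. This is an added example, not the switch's implementation; the event tuple layout, the `min_moves` and `window_s` thresholds, and the sample data are assumptions.

```python
from collections import Counter, defaultdict, deque

# Constructed sample of address-learning events: (seconds, MAC, ingress port).
SAMPLE_EVENTS = [
    (0.0, "00-11-22-33-44-55", "Eth 1/1"),
    (0.5, "00-11-22-33-44-55", "Eth 1/3"),   # same MAC, different port
    (1.0, "00-11-22-33-44-55", "Eth 1/1"),
    (1.5, "00-11-22-33-44-55", "Eth 1/3"),
    (0.2, "00-aa-bb-cc-dd-01", "Eth 1/2"),
    (60.0, "00-aa-bb-cc-dd-01", "Eth 1/4"),  # a single move: a host re-patched
    (0.3, "00-aa-bb-cc-dd-02", "Eth 1/5"),
    (5.0, "00-aa-bb-cc-dd-02", "Eth 1/5"),   # never moves
]


def find_thrashing(events, min_moves=3, window_s=10.0):
    """Flag MACs that change port at least min_moves times within window_s.

    Returns {mac: {"detected_at": t, "moves": n, "ports": [...]}}.
    """
    last_port = {}                 # mac -> port it was last learned on
    moves = defaultdict(deque)     # mac -> recent (t, from_port, to_port)
    flagged = {}
    for t, mac, port in sorted(events):
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue               # first sighting or refresh on the same port
        recent = moves[mac]
        recent.append((t, prev, port))
        while t - recent[0][0] > window_s:
            recent.popleft()       # forget moves older than the window
        if len(recent) >= min_moves and mac not in flagged:
            ports = sorted({p for _, a, b in recent for p in (a, b)})
            flagged[mac] = {"detected_at": t, "moves": len(recent), "ports": ports}
    return flagged


def ports_to_review(flagged):
    """Rank ports by how many thrashing MACs touched them (loop candidates)."""
    counts = Counter(p for info in flagged.values() for p in info["ports"])
    return [port for port, _ in counts.most_common()]


if __name__ == "__main__":
    hits = find_thrashing(SAMPLE_EVENTS)
    for mac, info in hits.items():
        print(mac, info)
    print("review:", ports_to_review(hits))
```

A single move, such as the re-patched host in the sample, stays below the threshold; only the address that keeps alternating between two ports is reported.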
Table 96: MAC Thrashing Commands

mac-address-table mac-thrashing interface enable
    Function: Enables MAC-thrashing on the specified interface.
    Mode: GC

mac-address-table mac-thrashing interface action
    Function: Specifies the action to take on the interface when a MAC-thrashing event has been detected.
    Mode: GC

mac-address-table mac-thrashing action-duration
    Function: Specifies the interval to wait before releasing an interface from a MAC-thrashing action.
Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
MAC-thrashing must be enabled for a specific interface for this function to take effect. Use the no form to disable MAC-thrashing on the specified interface.

Example
This example enables MAC-thrashing detection on the specified interface.
Command Mode
Global Configuration

Command Usage
◆ MAC-thrashing on the specified interface must be in the disabled state when changing the MAC-thrashing action.

Example
This example sets the MAC-thrashing action to link-down.
Example
Console#show mac-address-table mac-thrashing
Action duration: 30 seconds
Interface MAC-thrashing
--------  ------------
Eth 1/ 1  Enabled
Eth 1/ 2  Disabled
Eth 1/ 3  Enabled
Eth 1/ 4  Disabled
Eth 1/ 5  Disabled
Eth 1/ 6  Disabled
Eth 1/ 7  Disabled
Eth 1/ 8  Disabled
Eth 1/ 9  Disabled
Eth 1/10  Disabled
Eth 1/11
Eth 1/12
Eth 1/13
Eth 1/14
Eth 1/15
Eth 1/16
Eth 1/17
Eth 1/18
Eth 1/19
Eth 1/20
Eth 1/21
Eth 1/22
Eth 1/23
Eth 1/24
Eth 1/25
Eth 1/26
Eth 1/27
Eth 1/28
Console#
18 UniDirectional Link Detection Commands

The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity and learns about its neighbors on a specific LAN segment; and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
Command Usage

When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval. After the detection-interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.
udld recovery

This command configures the switch to automatically recover from UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature.

Syntax
[no] udld recovery

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When automatic recovery state is changed by this command, any ports shut down by UDLD will be reset.
Example
Console(config)#udld recovery-interval 30
Console(config)#

udld aggressive

This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting.

Syntax
[no] udld aggressive

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet Port)

Command Usage
UDLD can function in two modes: normal mode and aggressive mode.
Example
This example enables UDLD aggressive mode on port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#

udld port

This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
show udld

This command shows UDLD configuration settings and operational status for the switch or for a specified interface.

Syntax
show udld [interface interface]

interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number.
Table 98: show udld - display description (Continued)

Field: Recovery Interval
    Description: Shows the period after which to recover from UDLD disabled port state if automatic recovery is enabled

Field: UDLD
    Description: Shows if UDLD is enabled or disabled on a port

Field: Mode
    Description: Shows if UDLD is functioning in Normal or Aggressive mode

Field: Oper State
    Description: Shows the UDLD operational state (Disabled, Link down, Link up, Advertisement, Detection, Disabled port, Advertisement - Single nei
19 Address Table Commands

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Example
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table hash-algorithm

This command sets the hash table algorithm used by the MAC address table. Use the no form of the command to reset the algorithm to default.

Syntax
mac-address-table hash-algorithm algorithm
no mac-address-table hash-algorithm

algorithm - select either hash algorithm 0 or 1 - see the command usage section for a description.
mac-address-table static

This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id

mac-address - MAC address.
interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number.
clear mac-address-table dynamic

This command removes any learned entries from the forwarding database.

Syntax
clear mac-address-table dynamic

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Even if a hash collision for a MAC address is resolved, entries in the collision MAC address table are not removed until this command is issued to reset the table, or the system is reset.
Command Usage
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
    ■ Learn - Dynamic address entries
    ■ Config - Static entry
    ■ Security - Port Security
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
Default Setting
None

Command Mode
Privileged Exec

Example
Console#show mac-address-table hash-algorithm
Configured Hash Algorithm: 0
Activated Hash Algorithm: 1
Console#

show mac-address-table count

This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.

Syntax
show mac-address-table count [interface interface]

interface
    ethernet unit/port
        unit - Unit identifier.
Number of Dynamic MAC Address : 2
Console#
20 Smart Pair Commands

Smart Pair Concept

A smart pair consists of two ports which are paired to provide layer 2 link redundancy. The pair consists of a primary port and a backup port. All traffic is forwarded through the primary port and the backup port will be set to standby. If the primary port link goes down, the backup port is activated and all traffic is forwarded through it. If the primary port recovers, all traffic will again be forwarded through the primary port after a configured delay.
Command Mode
Global Configuration

Command Usage
Use the command to create a new smart pair or to enter the smart-pair configuration mode of an existing smart pair.

Example
Console(config)#smart-pair 1
Console(config-smart-pair)#

smart-pair restore

Use the smart-pair restore command to manually restore traffic to the primary port of a specified smart pair.

Syntax
smart-pair restore ID

ID - Identification Number.
primary-port

This command configures the primary port of a specified smart pair. Use the no form of the command to remove the configured primary port from the smart pair.

Syntax
primary-port interface
no primary-port

interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number.
backup-port

This command configures the backup port of a specified smart pair. Use the no form of the command to remove the configured backup port from the smart pair.

Syntax
backup-port interface
no backup

interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number.
wtr-delay

This command sets the wait-to-restore delay for a smart pair. Use the no form of the command to set the delay to the default value.

Syntax
wtr-delay seconds

seconds - delay in seconds (Range: 0, 5-3600)

Default Setting
None

Command Mode
Smart Pair Configuration Mode

Command Usage
◆ If the wtr-delay parameter is set to 0, traffic will not be restored after a failed port is recovered.
21 TWAMP Commands

The Two-Way Active Measurement Protocol (TWAMP) is defined by RFC 5357. TWAMP is an open protocol for measuring network performance between any two devices that support the TWAMP protocol. TWAMP uses the methodology and architecture of OWAMP (One-Way Active Measurement Protocol, RFC 4656), which defines an open protocol for the measurement of one-way metrics, but extends it to two-way, or round-trip, metrics.
Example
Console(config)#twamp reflector
Console(config)#

twamp reflector refwait

This command sets the TWAMP session timeout on the switch. Use the no form to restore the default.

Syntax
twamp reflector refwait seconds
no twamp reflector refwait

seconds - The timeout value in seconds.
22 Spanning Tree Commands

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 102: Spanning Tree Commands (Continued)

spanning-tree loopback-detection action
    Function: Configures the response for loopback detection to block user traffic or shut down the interface
    Mode: IC

spanning-tree loopback-detection release-mode
    Function: Configures loopback release mode for a port
    Mode: IC

spanning-tree loopback-detection trap
    Function: Enables BPDU loopback SNMP trap notification for a port
    Mode: IC

spanning-tree restricted-tcn
    Function: Prevents a TCN from being propagated f
allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.

◆ When spanning tree is enabled globally by this command or enabled on an interface (spanning-tree spanning-disabled command), loopback detection is disabled.
Default Setting
15 seconds

Command Mode
Global Configuration

Command Usage
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
spanning-tree max-age

This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree max-age seconds
no spanning-tree max-age

seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting
rstp

Command Mode
Global Configuration

Command Usage
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree mst configuration

This command changes to Multiple Spanning Tree (MST) configuration mode.

Syntax
spanning-tree mst configuration

Default Setting
No VLANs are mapped to any MST instance.
The region name is set to the switch’s MAC address.
and higher values assigned to ports with slower media. Note that path cost (page 535) takes precedence over port priority (page 544).

◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP.
spanning-tree system-bpdu-flooding

This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.

Syntax
spanning-tree system-bpdu-flooding {to-all | to-vlan}
no spanning-tree system-bpdu-flooding

to-all - Floods BPDUs to all other ports on the switch.
Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#

max-hops

This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form of the command to set the number of hops to the default value.

Syntax
max-hops hop-number
no max-hops

hop-number - Maximum hop number for multiple spanning tree.
mst priority

This command configures the priority of a spanning tree instance. Use the no form to restore the default.

Syntax
mst instance-id priority priority
no mst instance-id priority

instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority of a spanning tree instance.
Command Mode
MST Configuration

Command Usage
◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Example
Console(config-mstp)#name R&D
Console(config-mstp)#

Related Commands
revision (533)

revision

This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form of the command to set the revision number to the default value.

Syntax
revision number
no revision

number - Revision number of the spanning tree.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ This command stops all Bridge Protocol Data Units (BPDUs) from being transmitted on configured edge ports to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs.
Command Usage
◆ An edge port should only be connected to end nodes which do not generate BPDUs. If a BPDU is received on an edge port, this indicates an invalid network configuration, or that the switch may be under attack by a hacker. If an interface is shut down by BPDU Guard, it must be manually re-enabled using the no spanning-tree spanning-disabled command if the auto-recovery interval is not specified.
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.

Table 104: Default STA Path Costs

Port Type Short Path Cost (IEEE 802.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
◆ When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
◆ RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies.
Syntax
spanning-tree loopback-detection action {block | shutdown duration}
no spanning-tree loopback-detection action

shutdown - Shuts down the interface.
duration - The duration to shut down the interface.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied:
    ■ The port receives any other BPDU except for its own, or;
    ■ The port’s link status changes to link down and then link up again, or;
    ■ The port ceases to receive its own BPDUs in a forward delay interval.
spanning-tree restricted-tcn

This command prevents a TCN from being propagated from an aggregation switch to the uplink port on access switches. Use the no form to restore the default setting.
Command Usage
◆ Each spanning-tree instance is associated with a unique set of VLAN IDs.
◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify auto-configuration mode.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree mst 1 port-priority 0
Console(config-if)#

Related Commands
spanning-tree mst cost (541)

spanning-tree port-bpdu-flooding

This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
spanning-tree port-priority

This command configures the priority for the specified interface. Use the no form to restore the default.

Syntax
spanning-tree port-priority priority
no spanning-tree port-priority

priority - The priority for a port. (Range: 0-240, in steps of 16)

Default Setting
128

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
◆ When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period. While in the discarding state, no traffic is forwarded across the port.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#

spanning-tree tc-prop-stop

This command stops the propagation of topology change notifications (TCN). Use the no form to allow propagation of TCN messages.
Command Usage
Use this command to release an interface from discarding state if loopback detection release mode is set to “manual” by the spanning-tree loopback-detection release-mode command and BPDU loopback occurs.

Example
Console#spanning-tree loopback-detection release ethernet 1/1
Console#

spanning-tree protocol-migration

This command re-checks the appropriate BPDU format to send on the selected interface.
show spanning-tree

This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).

Syntax
show spanning-tree [interface | mst instance-id [brief | interface] | brief | stp-enabled-only]

interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number.
Example
Console#show spanning-tree
Spanning Tree Information
--------------------------------------------------------------
Spanning Tree Mode : MSTP
Spanning Tree Enabled/Disabled : Enabled
Instance : 0
VLANs Configured : 1-4094
Priority : 32768
Bridge Hello Time (sec.) : 2
Bridge Max. Age (sec.) : 20
Bridge Forward Delay (sec.) : 15
Root Hello Time (sec.) : 2
Root Max. Age (sec.) : 20
Root Forward Delay (sec.) : 15
Max.
This example shows a brief summary of global and interface settings for the spanning tree.

Console#show spanning-tree brief
Spanning Tree Mode : RSTP
Spanning Tree Enabled/Disabled : Enabled
Designated Root : 32768.
Current Root Port (Eth) :
Current Root Cost :
23 VLAN Commands

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
GVRP and Bridge Extension Commands

GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer

This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.

Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}

{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
Related Commands
show garp timer (556)

switchport forbidden vlan

This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.

Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan

add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
Chapter 23 | VLAN Commands GVRP and Bridge Extension Commands switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
Table 107: show bridge-ext - display description
Field - Description
Maximum Supported VLAN Numbers - The maximum number of VLANs supported on this switch.
Maximum Supported VLAN ID - The maximum configurable VLAN identifier supported on this switch.
Extended Multicast Filtering Services - This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
Join Timer : 20 centiseconds
Leave Timer : 60 centiseconds
Leave All Timer : 1000 centiseconds
Console#

Related Commands
garp timer (553)

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Chapter 23 | VLAN Commands Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage ◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
Chapter 23 | VLAN Commands Editing VLAN Groups state - Keyword to be followed by the VLAN state. active - VLAN is operational. suspend - VLAN is suspended. Suspended VLANs do not pass packets. rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation.
Configuring VLAN Interfaces
Table 109: Commands for Configuring VLAN Interfaces
Command - Function - Mode
interface vlan - Enters interface configuration mode for a specified VLAN - IC
switchport acceptable-frame-types - Configures frame types to be accepted by an interface - IC
switchport allowed vlan - Configures the VLANs associated with an interface - IC
switchport forbidden vlan - Configures forbidden VLANs for an interface - IC
switchport gvrp - Enables
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#

Related Commands
shutdown (409)
interface (402)
vlan (558)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan {vlan-list | add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
vlan-list - If a VLAN list is entered without using the add option, the interface is assigned to the specified VLANs, and membership in all previous VLANs is removed.
Chapter 23 | VLAN Commands Configuring VLAN Interfaces ◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface. ◆ Ports can only be added to an RSPAN VLAN using the commands described under “RSPAN Mirroring Commands”.
Example
The following example shows how to set the interface to port 1 and then enable ingress filtering:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#

switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface.
Chapter 23 | VLAN Commands Configuring VLAN Interfaces switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port.
Chapter 23 | VLAN Commands Configuring VLAN Interfaces The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E. Figure 3: Configuring VLAN Trunking Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags.
Displaying VLAN Information
This section describes commands used to display VLAN information.
Table 110: Commands for Displaying VLAN Information
Command - Function - Mode
show interfaces status vlan - Displays status for the specified VLAN interface - NE, PE
show interfaces switchport - Displays the administrative and operational status of an interface - NE, PE
show vlan - Shows VLAN information - NE, PE

show vlan
This command shows VLAN information.
Chapter 23 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
dot1q-tunnel tpid.)
5. Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (switchport allowed vlan).
6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).
Chapter 23 | VLAN Commands Configuring IEEE 802.1Q Tunneling Related Commands show dot1q-tunnel (577) show interfaces switchport (419) dot1q-tunnel tpid Use this command to set the global setting for the QinQ outer tag ethertype field. Use the no form of the command to set the ethertype field to the default value. Syntax [no] dot1q-tunnel tpid ethertype ethertype – A specific Ethernet protocol number.
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.
Chapter 23 | VLAN Commands Configuring IEEE 802.1Q Tunneling Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.
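The tag handling described above, modelled as an added example (not code from this guide or from the switch software): a tunnel access port pushes the SPVLAN tag in front of the customer tag and copies the inner priority bits, and the far end strips it again. The outer TPID value 0x88A8, the MAC addresses, the VLAN IDs and the `untagged_pcp` parameter are constructed assumptions.

```python
"""Constructed model of QinQ tag handling: push the SPVLAN tag, copy priority bits."""
import struct

TPID_8021Q = 0x8100   # ethertype of the customer (inner) 802.1Q tag
MAC_HDR = 12          # destination MAC (6 bytes) + source MAC (6 bytes)


def read_tag(frame, offset=MAC_HDR):
    """Decode the 4-byte tag at offset: TPID, then PCP (3 bits), DEI (1), VID (12)."""
    if len(frame) < offset + 4:
        raise ValueError("frame too short to hold a tag")
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    return {"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def push_spvlan(frame, spvid, outer_tpid, untagged_pcp=0):
    """Tunnel access port, ingress: add the outer tag in front of the customer tag."""
    if not 1 <= spvid <= 4094:
        raise ValueError("SPVLAN ID must be in the range 1-4094")
    inner = read_tag(frame)
    if inner["tpid"] == TPID_8021Q:
        pcp = inner["pcp"]      # priority bits found in the inner tag are copied
    else:
        pcp = untagged_pcp      # assumption: no inner tag, use a caller-supplied value
    outer = struct.pack("!HH", outer_tpid, (pcp << 13) | spvid)
    return frame[:MAC_HDR] + outer + frame[MAC_HDR:]


def pop_spvlan(frame, outer_tpid):
    """Far-end tunnel port: strip the outer tag, return (SPVLAN ID, customer frame)."""
    outer = read_tag(frame)
    if outer["tpid"] != outer_tpid:
        raise ValueError("outer tag ethertype does not match the configured TPID")
    return outer["vid"], frame[:MAC_HDR] + frame[MAC_HDR + 4:]


def customer_frame(cvid, pcp, payload=b"constructed payload"):
    """Build a constructed customer frame with one 802.1Q tag and an IPv4 ethertype."""
    dst = bytes.fromhex("00aabbccdd01")
    src = bytes.fromhex("00aabbccdd02")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | cvid)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def demo(outer_tpid=0x88A8):
    """Two customers both use CVLAN 10; each gets its own SPVLAN across the provider."""
    original = customer_frame(cvid=10, pcp=5)
    cust_a = push_spvlan(original, spvid=100, outer_tpid=outer_tpid)
    cust_b = push_spvlan(original, spvid=200, outer_tpid=outer_tpid)
    return {
        "a_outer": read_tag(cust_a),
        "a_inner": read_tag(cust_a, MAC_HDR + 4),
        "b_outer": read_tag(cust_b),
        "restored": pop_spvlan(cust_a, outer_tpid) == (100, original),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A mismatch between the TPID configured on the two ends of the tunnel shows up here as the `ValueError` in `pop_spvlan`.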
Chapter 23 | VLAN Commands Configuring IEEE 802.1Q Tunneling Syntax switchport dot1q-tunnel service default match untag discard no switchport dot1q-tunnel service default match all Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel service match untagged discard Console(config-if)# switchport This command creates a CVLAN to SPVLAN mapping entry.
Chapter 23 | VLAN Commands Configuring IEEE 802.1Q Tunneling differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs. ◆ Note that all customer interfaces should be configured as access interfaces (that is, a user-to-network interface) and service provider interfaces as uplink interfaces (that is, a network-to-network interface). Use the dot1q-tunnel tpid uplink command to set an interface to access or uplink mode.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 100,200,300 untagged
Console(config-if)#switchport dot1q-tunnel mode access
5. Configure the following selective QinQ mapping entries.
Chapter 23 | VLAN Commands Configuring IEEE 802.1Q Tunneling show dot1q-tunnel This command shows tunnel service subscriptions, default discard service, and service discarded untagged traffic configuration. Syntax show dot1q-tunnel service [svid | default] svid - VLAN ID for the outer VLAN tag (SPVID). (Range: 1-4094) default - Shows the default discard service, and discarded untagged traffic configuration Command Mode Privileged Exec Example Console#show dot1q service 802.
Chapter 23 | VLAN Commands Configuring IEEE 802.1Q Tunneling show dot1q-tunnel This command displays information about QinQ tunnel ports. Syntax show dot1q-tunnel [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 23 | VLAN Commands Configuring L2PT Tunneling Related Commands dot1q-tunnel tpid (570) Configuring L2PT Tunneling This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
Chapter 23 | VLAN Commands Configuring L2PT Tunneling ◆ L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider’s network. In this way, normally segregated network segments can be configured to function inside a common protocol domain.
Chapter 23 | VLAN Commands Configuring L2PT Tunneling ■ with destination address 01-80-C2-00-00-01~0A (S-VLAN), the frame is filtered, decapsulated, and processed locally by the switch if the protocol is supported.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#l2protocol-tunnel tunnel-dmac 01-80-C2-00-00-01
Console(config-)#

switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
Chapter 23 | VLAN Commands Configuring VLAN Translation show This command shows settings for Layer 2 Protocol Tunneling (L2PT).
Chapter 23 | VLAN Commands Configuring VLAN Translation ingress - specifies ingress only egress - specifies egress only original-vlan - The original VLAN ID. (Range: 1-4094) new-vlan - The new VLAN ID. (Range: 1-4094) Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage ◆ If the next switch upstream does not support QinQ tunneling, then use this command to map the customer’s VLAN ID to the service provider’s VLAN ID for the upstream port.
Console(config-vlan)#vlan 100 media ethernet state active
Console(config-vlan)#exit
Console(config)#interface ethernet 1/1,2
Console(config-if)#switchport allowed vlan add 10 tagged
Console(config-if)#switchport allowed vlan add 100 tagged
Console(config-if)#interface ethernet 1/1
Console(config-if)#switchport vlan-translation 10 100
Console(config-if)#end
Console#show vlan-translation
Ingress VLAN Translation
Interface Old VID New VID
--------- -----
Eth 1/ 2 200 10
Console#

Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
access can be regained by removing the offending Protocol VLAN rule via the console. Alternatively, the switch can be power-cycled; however, all unsaved configuration changes will be lost.

protocol-vlan protocol-group
This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
Chapter 23 | VLAN Commands Configuring Protocol-based VLANs vlan-id - VLAN to which matching protocol traffic is forwarded. (Range: 1-4094) priority - The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority) Default Setting No protocol groups are mapped for any interface. Priority: 0 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ When creating a protocol-based VLAN, only assign interfaces via this command.
Chapter 23 | VLAN Commands Configuring Protocol-based VLANs group-id - Group identifier for a protocol group. (Range: 1-2147483647) sort-by-type - Sort display information by frame type and protocol type. Default Setting All protocol groups are displayed.
Configuring IP Subnet VLANs
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table.
Chapter 23 | VLAN Commands Configuring IP Subnet VLANs ◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame. ◆ The IP subnet cannot be a broadcast or multicast IP address.
Configuring MAC Based VLANs
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table.
Command Usage
◆ The MAC-to-VLAN mapping applies to all ports on the switch.
◆ Source MAC addresses can be mapped to only one VLAN ID.
◆ Configured MAC addresses cannot be broadcast or multicast addresses.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
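The classification order stated above (MAC-based, then IP subnet-based, then protocol-based, then the port's PVID), as an added model for auditing which VLAN an untagged frame ends up in; it is not code from this guide or the switch software. All addresses, ports and VLAN IDs are constructed, and two points are assumptions of the model: the subnet table is treated as switch-wide, and overlapping subnets resolve to the first configured match.

```python
"""Constructed model of untagged-frame VLAN classification precedence."""
import ipaddress


def norm_mac(mac):
    """Return a MAC written as xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx as 12 hex digits."""
    digits = mac.replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def check_vlan(vlan):
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be in the range 1-4094")
    return vlan


class VlanClassifier:
    def __init__(self, pvid_by_port):
        self.pvid_by_port = {p: check_vlan(v) for p, v in pvid_by_port.items()}
        self.mac_vlans = {}        # source MAC -> VLAN, applies to all ports
        self.subnet_vlans = []     # (IPv4 network, VLAN); switch-wide is an assumption
        self.protocol_vlans = {}   # (port, frame type, protocol) -> VLAN

    def map_mac(self, mac, vlan):
        digits = norm_mac(mac)
        # Broadcast and multicast MACs have the group bit set in the first octet.
        if int(digits[:2], 16) & 0x01:
            raise ValueError("MAC entry cannot be a broadcast or multicast address")
        self.mac_vlans[digits] = check_vlan(vlan)   # one VLAN per source MAC

    def map_subnet(self, cidr, vlan):
        net = ipaddress.IPv4Network(cidr)
        if net.is_multicast or int(net.network_address) == 0xFFFFFFFF:
            raise ValueError("IP subnet cannot be a broadcast or multicast address")
        self.subnet_vlans.append((net, check_vlan(vlan)))

    def map_protocol(self, port, frame_type, protocol, vlan):
        self.protocol_vlans[(port, frame_type, protocol)] = check_vlan(vlan)

    def classify(self, port, src_mac, src_ip=None, frame_type=None, protocol=None):
        """Return (VLAN ID, deciding rule) for one untagged ingress frame."""
        mac = norm_mac(src_mac)
        if mac in self.mac_vlans:
            return self.mac_vlans[mac], "mac"
        if src_ip is not None:
            addr = ipaddress.IPv4Address(src_ip)
            for net, vlan in self.subnet_vlans:   # first configured match (assumption)
                if addr in net:
                    return vlan, "ip-subnet"
        key = (port, frame_type, protocol)
        if key in self.protocol_vlans:
            return self.protocol_vlans[key], "protocol"
        return self.pvid_by_port[port], "port"


def build_demo():
    """Constructed configuration: two ports and one mapping of each kind."""
    c = VlanClassifier({"1/1": 1, "1/2": 20})
    c.map_mac("00-11-22-33-44-55", 30)
    c.map_subnet("192.168.10.0/24", 10)
    c.map_protocol("1/1", "ethernet", 0x86DD, 40)
    return c


# Constructed untagged frames: (label, port, source MAC, source IP, frame type, protocol)
SAMPLE_FRAMES = [
    ("mapped MAC inside mapped subnet", "1/1", "00-11-22-33-44-55", "192.168.10.5", "ethernet", 0x0800),
    ("unmapped MAC inside mapped subnet", "1/2", "00-aa-bb-cc-dd-01", "192.168.10.7", "ethernet", 0x0800),
    ("protocol match on 1/1", "1/1", "00-aa-bb-cc-dd-02", None, "ethernet", 0x86DD),
    ("same protocol on unmapped port", "1/2", "00-aa-bb-cc-dd-02", None, "ethernet", 0x86DD),
    ("no mapping at all", "1/1", "00-aa-bb-cc-dd-03", "10.0.0.9", "ethernet", 0x0800),
]


def audit(classifier, frames=SAMPLE_FRAMES):
    """Return (label, VLAN ID, rule) per frame so segmentation can be reviewed."""
    return [(label,) + classifier.classify(port, mac, ip, ftype, proto)
            for label, port, mac, ip, ftype, proto in frames]


if __name__ == "__main__":
    for row in audit(build_demo()):
        print(row)
```

The first sample frame is the case worth reviewing in a real configuration: a host whose MAC has its own mapping lands in that VLAN even though its address sits inside a subnet mapped elsewhere.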
Chapter 23 | VLAN Commands Configuring Voice VLANs Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
Chapter 23 | VLAN Commands Configuring Voice VLANs ◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN. ◆ Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
Chapter 23 | VLAN Commands Configuring Voice VLANs Note that when the switchport voice vlan command is set to auto mode, the remaining aging time displayed by the show voice vlan command will be displayed. Otherwise, if the switchport voice vlan command is disabled or set to manual mode, the remaining aging time will display “NA.” Example The following example configures the Voice VLAN aging time as 3000 minutes.
Example
The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description "A new phone"
Console(config)#

switchport voice vlan
This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
switchport voice vlan priority
This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
Syntax
switchport voice vlan priority priority-value
no switchport voice vlan priority
priority-value - The CoS priority value. (Range: 0-6)
Default Setting
6
Command Mode
Interface Configuration
Command Usage
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
Command Usage
◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “LLDP Commands” on page 773 for more information on LLDP.
Chapter 23 | VLAN Commands Configuring Voice VLANs show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings.
Chapter 23 | VLAN Commands Configuring Excluded VLANs Configuring Excluded VLANs Excluded VLANs provide port-based security and isolation between ports within an assigned session. An Excluded VLAN session contains Uplink ports that can communicate with all other ports in the session, and Downlink ports that can only communicate with Uplink ports in the session.
Chapter 23 | VLAN Commands Configuring Excluded VLANs Command Mode Global Configuration Command Usage ◆ An Excluded VLAN session consists of defined Downlink ports, Uplink ports, and VLANs. Up to 4 Excluded VLAN sessions can be configured on the switch, and up to 8 VLANs can be included in each session. ◆ Packets from a Downlink port can only be forwarded to Uplink ports in the same session. ◆ Packets from Uplink ports can be forwarded to any ports in the same session.
24 ERPS Commands The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
Chapter 24 | ERPS Commands
Table 119: ERPS Commands (Continued)
Command - Function - Mode
raps-def-mac - Sets the switch’s MAC address to be used as the node identifier in R-APS messages - ERPS Inst
raps-without-vc - Terminates the R-APS channel at the primary ring to sub-ring interconnection nodes - ERPS Inst
version - Specifies compatibility with ERPS version 1 or 2 - ERPS Inst
inclusion-vlan - Specifies the VLAN groups to be included in the ERPS protection ring. - ERPS Inst
6. Configure ERPS timers: Use the guard-timer command to set the timer used to prevent ring nodes from receiving outdated R-APS messages, the holdoff-timer command to filter out intermittent link faults, and the wtr-timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
7. Configure the ERPS Control VLAN (CVLAN): Use the control-vlan command to create the VLAN used to pass R-APS ring maintenance commands.
Chapter 24 | ERPS Commands Example Console(config)#erps Console(config)# Related Commands enable (ring) (610) erps node-id This command sets the MAC address for a ring node. Use the no form to restore the default setting. Syntax erps node-id mac-address no erps node-id mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Chapter 24 | ERPS Commands erps vlan-group This command creates or modifies an ERPS VLAN group. Use the no form of this command to remove VLANs from a VLAN group or to delete a VLAN group. Syntax erps vlan-group vlan-group-name {add|remove} vlan-list no erps vlan-group vlan-group-name vlan-group-name – Name of the VLAN group. (Range: 1-12 characters). add – Adds VLANs to a group. remove – Deletes VLANs from a group.
Chapter 24 | ERPS Commands Command Usage ◆ The switch can support ERPS rings up to half the number of physical ports on the switch. Example Console(config)#erps ring campus1 Console(config-erps-ring)# erps instance This command creates an ERPS instance and enters ERPS instance configuration mode. Use the no form to delete an ERPS instance. Syntax erps instance instance-name [id ring-id] no erps instance instance-name instance-name - Name of a specific ERPS instance.
Chapter 24 | ERPS Commands ring-port This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring. Syntax ring-port {east | west} interface interface no ring-port {east | west} east - Connects to next ring node to the east. west - Connects to next ring node to the west. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
exclusion-vlan
Use this command to specify VLAN groups that are to be on the exclusion list of a physical ERPS ring. Use the no form of the command to remove VLAN groups from the list.
Syntax
[no] exclusion-vlan vlan-group-name
vlan-group-name - Name of the VLAN group. (Range: 1-12 characters)
Default Setting
None
Command Mode
ERPS Ring Configuration
Command Usage
◆ VLANs that are on the exclusion list are not protected by the ERPS ring.
Chapter 24 | ERPS Commands ◆ Once enabled, the RPL owner node and non-owner node state machines will start, and the ring will enter idle state if no signal failures are detected. Example Console(config-erps-ring)#enable Console(config-erps-ring)# Related Commands erps (605) enable (instance) This command activates the current ERPS instance. Use the no form to disable the current instance.
Chapter 24 | ERPS Commands no meg-level level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7) Default Setting 1 Command Mode ERPS Instance Configuration Command Usage ◆ This parameter is used to ensure that received R-APS PDUs are directed for this instance. A unique level should be configured for each local instance if there are many R-APS PDUs passing through this switch.
Chapter 24 | ERPS Commands Command Usage ◆ The Control VID must be included in one of inclusion VLAN groups. ◆ Configure one control VLAN for each ERPS instance. First create the VLAN to be used as the control VLAN (vlan, page 558), add the VLAN to an ERPS VLAN group (erps vlan-group), add the ring ports for the east and west interface as tagged members to this VLAN (switchport allowed vlan, page 562), and then use the control-vlan command to add it to the ERPS instance.
Chapter 24 | ERPS Commands Command Mode ERPS Instance Configuration Command Usage ◆ Only one RPL owner can be configured on an instance. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the instance or the protection state is enabled with the erps forced-switch or erps manual-switch command). ◆ The east and west connections to the instance must be specified for all ring nodes using the ring-port command.
◆ Note that it is not mandatory to declare an RPL neighbor.
Example
Console(config-erps-inst)#rpl neighbor
Console(config-erps-inst)#

wtr-timer
This command sets the wait-to-restore timer which is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. Use the no form to restore the default setting.
Chapter 24 | ERPS Commands guard-timer This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting. Syntax guard-timer milliseconds no guard-timer milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
Chapter 24 | ERPS Commands Command Usage In order to coordinate timing of protection switches at multiple layers, a hold-off timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero.
Chapter 24 | ERPS Commands ◆ If CFM determines that a MEP node which has been configured to monitor a ring port with this command has gone down, this information is passed to ERPS, which in turn processes it as a ring node failure. For more information on how ERPS recovers from a node failure, refer to “Ethernet Ring Protection Switching” in the Web Management Guide.
Chapter 24 | ERPS Commands propagate-tc This command enables propagation of topology change messages for a secondary ring to the primary ring. Use the no form to disable this feature. Syntax [no] propagate-tc Default Setting Disabled Command Mode ERPS Instance Configuration Command Usage ◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring.
Non-revertive behavior for the Protection, Forced Switch, and Manual Switch states is basically the same. Non-revertive behavior requires the erps clear command to be used to return the RPL from Protection state to Idle state.
Chapter 24 | ERPS Commands c. When the operator issues the erps clear command for non-revertive mode at the RPL Owner Node, the non-revertive operation is cleared, the RPL Owner Node blocks its RPL port, and transmits an R-APS (NR, RB) message in both directions, repeatedly. d. Upon receiving an R-APS (NR, RB) message, any blocking node should unblock its non-failed ring port. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush the FDB.
Chapter 24 | ERPS Commands ■ Recovery with non-revertive mode is handled in the following way: a. The RPL Owner Node, upon reception of an R-APS(NR) message and in the absence of any other higher priority request does not perform any action. b. Then, after the operator issues the erps clear command at the RPL Owner Node, this ring node blocks the ring port attached to the RPL, transmits an R-APS (NR, RB) message on both ring ports, informing the ring that the RPL is blocked, and flushes its FDB. c.
Chapter 24 | ERPS Commands an R-APS (NR, RB) message without a DNF indication, all Ethernet Ring Nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command. ■ Recovery with non-revertive mode is handled in the following way: a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request does not perform any action. b.
Chapter 24 | ERPS Commands Example Console(config-erps-inst)#raps-def-mac Console(config-erps-inst)# raps-without-vc This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes. Use the no form to restore the default setting. Syntax [no] raps-without-vc Default Setting R-APS with Virtual Channel Command Mode ERPS Instance Configuration Command Usage A sub-ring may be attached to a primary ring with or without a virtual channel.
Figure 6: Sub-ring with Virtual Channel (figure labels: RPL Port, Interconnection Node, Sub-ring with Virtual Channel, Ring Node, Major Ring, Virtual Channel)
◆ Sub-ring without R-APS Virtual Channel – Under certain circumstances it may not be desirable to use a virtual channel to interconnect the sub-ring over an arbitrary Ethernet network. In this situation, the R-APS messages are terminated on the interconnection points.
Chapter 24 | ERPS Commands version This command specifies compatibility with ERPS version 1 or 2. Syntax version {1 | 2} no version 1 - ERPS version 1 based on ITU-T G.8032/Y.1344. 2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2.
inclusion-vlan
Use this command to specify VLAN groups that are to be on the inclusion list of an ERPS instance. Use the no form of the command to remove the VLAN from the list.
Syntax
[no] inclusion-vlan vlan-group-name
vlan-group-name - Name of the VLAN group. (Range: 1-12 characters).
Default Setting
None
Command Mode
ERPS Instance Configuration
Command Usage
VLANs that are on the inclusion list are protected by the ERPS instance.
Example
Console(config-erps-inst)#physical-ring campus1
Console(config-erps-inst)#

erps forced-switch
This command blocks the specified ring port.
Syntax
erps forced-switch instance instance-name {east | west}
instance-name - Name of a specific ERPS instance. (Range: 1-12 characters)
east - East ring port.
west - West ring port.
Chapter 24 | ERPS Commands While an existing forced switch request is present in a ring, any new forced switch request is accepted, except on a ring node having a prior local forced switch request. The ring nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.
Chapter 24 | ERPS Commands node under maintenance in order to avoid falling into the above mentioned unrecoverable situation. Example Console#erps forced-switch instance r&d west Console# erps manual-switch This command blocks the specified ring port, in the absence of a failure or an erps forced-switch command. Syntax erps manual-switch instance instance-name {east | west} instance-name - Name of a specific ERPS instance. (Range: 1-12 characters) east - East ring port. west - West ring port.
Chapter 24 | ERPS Commands e. A ring node accepting an R-APS (MS) message, without any local higher priority requests stops transmitting R-APS messages. f. A ring node receiving an R-APS (MS) message flushes its FDB. ◆ Protection switching on a manual switch request is completed when the above actions are performed by each ring node. At this point, traffic flows around the ring are resumed. From this point on, the following rules apply regarding processing of further manual switch commands: a.
Command Usage
◆ Two steps are required to make a ring operating in non-revertive mode return to Idle state from forced switch or manual switch state:
1. Issue an erps clear command to remove the forced switch command on the node where a local forced switch command is active.
2. Issue an erps clear command on the RPL owner node to trigger the reversion.
◆ The erps clear command will also stop the WTR and WTB delay timers and reset their values.
Chapter 24 | ERPS Commands Example This example displays statistics for all configured ERPS instances.
Chapter 24 | ERPS Commands show erps This command displays status information for all configured VLAN groups, rings, and instances, or for a specified VLAN group, ring, or instance. Syntax show erps {[vlan-group vlan-group-name] | [ring ring-name] | [instance instance-name]} vlan-group - Keyword to display ERPS VLAN group settings. vlan-group-name – Name of the VLAN group. (Range: 1-12 characters). ring - Keyword to display ERPS ring configuration settings. ring-name - Name of a specific ERPS ring.
Table 122: show erps ring - summary display description
Field - Description
ERPS Status - Shows whether ERPS is enabled on the switch.
ERPS node-id - ERPS node identifier used in R-APS messages.
Number of ERPS Ring - Shows the number of ERPS rings configured on the switch.
Ring - Displays the name of each ring followed by a brief list of status information
ID - ERPS ring identifier used in R-APS messages.
Enabled - Shows if the specified ring is enabled.
25 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 25 | Class of Service Commands
Priority Commands (Layer 2)

queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
Chapter 25 | Class of Service Commands Priority Commands (Layer 2) ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round. ◆ The specified queue mode applies to all interfaces.
Example
The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.

Console(config)#interface ethernet 1/1
Console(config-if)#queue weight 1 2 3 4 5 6 7 8
Console(config-if)#

Related Commands
queue mode (638)
show queue weight (641)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Chapter 25 | Class of Service Commands Priority Commands (Layer 2) port. (Note that if the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
Chapter 25 | Class of Service Commands Priority Commands (Layer 3 and 4) 5 6 7 10 12 14 ... Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Default Setting
Table 126: Default Mapping of CoS/CFI Values to Queue/CFI

CoS   CFI 0   CFI 1
0     2       2
1     0       0
2     1       1
3     3       3
4     4       4
5     5       5
6     6       6
7     7       7

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ The default mapping of CoS/CFI to Queue/CFI values shown in Table 126 is based on the recommended settings in IEEE 802.1p for mapping CoS values to output queues.
Chapter 25 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map dscp-queue This command maps DSCP values in incoming packets to per-hop behavior for priority processing. Use the no form to restore the default settings. Syntax qos map dscp-queue dscp-queue from dscp0 ... dscp7 no qos map dscp-queue dscp0 ... dscp7 dscp-queue - Per-hop behavior, or the priority used for this router hop. (Range: 0-7) dscp - DSCP value in ingress packets.
Chapter 25 | Class of Service Commands Priority Commands (Layer 3 and 4) Example This example changes the priority for all packets entering port 1 which contain a DSCP value of 1 to a per-hop behavior of 3. Console(config)#interface ethernet 1/2 Console(config-if)#qos map dscp-queue 3 from 1 Console(config-if)# qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Example
This example sets the QoS priority mapping mode to use DSCP based on the conditions described in the Command Usage section.

Console(config)#interface ethernet 1/1
Console(config-if)#qos map trust-mode cos
Console(config-if)#

show qos map cos-queue
This command shows the ingress CoS to egress queue map.

Syntax
show qos map cos-queue interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show qos map dscp-queue
This command shows the ingress DSCP to egress queue map.

Syntax
show qos map dscp-queue interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12/26/28/52)

Command Mode
Privileged Exec

Command Usage
This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
Command Mode
Privileged Exec

Example
The following shows that the trust mode is set to CoS:

Console#show qos map trust-mode interface ethernet 1/5
Information of Eth 1/5
 CoS Map Mode: CoS mode
Console#
26 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 26 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. 2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, IPv6 DSCP value, a VLAN, a CoS value, or a source port.
Chapter 26 | Quality of Service Commands Command Usage ◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map. ◆ One or more class maps can be assigned to a policy map (page 653). The policy map is then bound by a service policy to an interface (page 657). A service policy defines packet classification, service tagging, and bandwidth policing.
Chapter 26 | Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan} acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 1-16 characters) cos - A Class of Service value.
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.

Console(config)#class-map rd-class#2
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#

This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
Chapter 26 | Quality of Service Commands Command Usage ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. ◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command. ◆ Create a Class Map (page 653) before assigning it to a Policy Map.
Chapter 26 | Quality of Service Commands ◆ Up to 16 classes can be included in a policy map. Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive.
When a packet of size B bytes arrives at time t, the following happens:
■ If Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0,
■ else the packet is red and Tc is not decremented.
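The green/red decision above, replayed over a short burst as an added example (not code from the guide or the switch firmware). The refill rule (tokens added at the committed rate up to the committed burst, bucket initially full) and the names `FlowPolicer`, `police` and `ARRIVALS` are assumptions of this sketch; the arrivals are constructed.

```python
class FlowPolicer:
    """Single token bucket Tc (bytes) with a two-colour result per packet."""

    def __init__(self, cir_bytes_per_s, bc_bytes):
        self.cir = cir_bytes_per_s
        # The bucket is held in 1/1000 byte so that millisecond timestamps
        # and bytes-per-second rates combine without floating point.
        self.depth = bc_bytes * 1000
        self.tc = self.depth          # assumption: the bucket starts full
        self.last_ms = 0

    def arrive(self, t_ms, size):
        """Colour a packet of `size` bytes arriving at time t_ms (milliseconds)."""
        if t_ms < self.last_ms:
            raise ValueError("arrival times must be non-decreasing")
        # Assumed refill: committed-rate tokens for the elapsed time, capped at the burst size.
        self.tc = min(self.depth, self.tc + (t_ms - self.last_ms) * self.cir)
        self.last_ms = t_ms
        if self.tc - size * 1000 >= 0:    # Tc(t) - B >= 0: green, Tc is decremented by B
            self.tc -= size * 1000
            return "green"
        return "red"                      # red: Tc is left untouched


# Constructed arrivals: (time in ms, packet size in bytes).
ARRIVALS = [
    (0, 1000),     # fits in the full 1500-byte bucket
    (100, 1000),   # only 600 bytes of credit: red, and the credit is kept
    (200, 500),    # 700 bytes of credit: green
    (200, 300),    # 200 left: red
    (200, 200),    # the red packet cost nothing, so this drains the bucket exactly
    (2000, 1500),  # 1.8 s idle refills to the 1500-byte cap, not to 1800
    (2000, 1),     # bucket empty again
]


def police(arrivals, cir_bytes_per_s, bc_bytes):
    """Return the colour of every arrival, in order."""
    policer = FlowPolicer(cir_bytes_per_s, bc_bytes)
    return [policer.arrive(t_ms, size) for t_ms, size in arrivals]


def green_bytes(arrivals, cir_bytes_per_s, bc_bytes):
    """Total bytes that conform to the rate and burst settings."""
    colours = police(arrivals, cir_bytes_per_s, bc_bytes)
    return sum(size for (_, size), c in zip(arrivals, colours) if c == "green")


if __name__ == "__main__":
    for (t_ms, size), colour in zip(ARRIVALS, police(ARRIVALS, 1000, 1500)):
        print(f"t={t_ms:>5} ms  {size:>5} B  {colour}")
```

Because a red packet does not consume tokens, a large non-conforming packet cannot starve a smaller one that arrives right after it.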
Chapter 26 | Quality of Service Commands set ip dscp This command modifies the IP DSCP value in a matching packet (as specified by the match command). Use the no form to remove this traffic classification. Syntax [no] set ip dscp new-dscp new-dscp - New Differentiated Service Code Point (DSCP) value. (Range: 0-63) Default Setting None Command Mode Policy Map Class Configuration Command Usage The set ip dscp command is used to set the priority values in the packet’s ToS field for matching packets.
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Only one policy map can be assigned to an interface.
◆ First define a class map, then define a policy map, and finally use the service-policy command to bind the policy map to the required interface.

Example
This example applies a service policy to an ingress interface.
Chapter 26 | Quality of Service Commands show policy-map This command displays the QoS policy maps which define classification criteria for ingress or egress traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] policy-map-name - Name of the policy map. (Range: 1-32 characters) class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting Displays all policy maps and all classes.
 service-policy output rdpolicy
Console#
27 Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Chapter 27 | Multicast Filtering Commands
IGMP Snooping

Table 130: IGMP Snooping Commands (Continued)
Command | Function | Mode
ip igmp snooping router-alert-option-check | Discards any IGMPv2/v3 packets that do not include the Router Alert option | GC
ip igmp snooping router-port-expire-time | Configures the querier timeout | GC
ip igmp snooping tcn-flood | Floods multicast traffic when a Spanning Tree topology change occurs | GC
ip igmp snooping tcn-query-solicit | Sends an IGMP Query Solicitation when a Spanni
Table 130: IGMP Snooping Commands (Continued)
Command | Function | Mode
clear ip igmp snooping statistics | Clears IGMP snooping statistics | PE
show ip igmp snooping | Shows the IGMP snooping, proxy, and query configuration | PE
show ip igmp snooping interface | Shows the IGMP snooping immediate leave configuration on the port | PE
show ip igmp snooping group | Shows known multicast group, source, and host port mapping | PE
show ip igmp snooping mrouter | Sh
ip igmp snooping mrouter-forward-mode dynamic
This command configures multicast router ports to forward multicast streams only when multicast groups are joined. Use the no form to disable it.

Syntax
ip igmp snooping mrouter-forward dynamic
no ip igmp snooping mrouter-forward

Default Setting
Disabled

Command Mode
Global Configuration

Example
The following example enables IGMP snooping globally.
Chapter 27 | Multicast Filtering Commands IGMP Snooping ◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
Chapter 27 | Multicast Filtering Commands IGMP Snooping Default Setting Disabled Command Mode Global Configuration Command Usage As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DOS attacks.
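The check described by ip igmp snooping router-alert-option-check, sketched as an added example (not the switch's implementation): walk the IPv4 options of a frame and discard IGMPv2/v3 messages that lack Router Alert. The function names, the sample packets and the choice to drop malformed option lists are assumptions; the packets are constructed with zero checksums, which this sketch does not verify.

```python
import ipaddress
import struct

IPPROTO_IGMP = 2
OPT_EOL, OPT_NOP, OPT_ROUTER_ALERT = 0x00, 0x01, 0x94   # RFC 791, RFC 2113


def split_ipv4(packet: bytes):
    """Return (protocol, options, payload); raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    header_len = ihl * 4
    if version != 4 or ihl < 5 or len(packet) < header_len:
        raise ValueError("bad version/IHL or truncated options")
    return packet[9], packet[20:header_len], packet[header_len:]


def has_router_alert(options: bytes) -> bool:
    """Walk the option list looking for Router Alert (type 0x94, length 4)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            return False
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option type without a length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length runs past the header")
        if kind == OPT_ROUTER_ALERT and length == 4:
            return True
        i += length
    return False


def igmp_version(msg: bytes):
    """Classify an IGMP message as version 1, 2 or 3; None for other types."""
    if len(msg) < 8:
        return None
    msg_type, max_resp = msg[0], msg[1]
    if msg_type == 0x11:                       # Membership Query
        if len(msg) >= 12:
            return 3
        return 1 if max_resp == 0 else 2
    return {0x12: 1, 0x16: 2, 0x17: 2, 0x22: 3}.get(msg_type)


def router_alert_verdict(packet: bytes) -> str:
    """'discard' for IGMPv2/v3 without Router Alert, otherwise 'forward'."""
    try:
        proto, options, payload = split_ipv4(packet)
        if proto != IPPROTO_IGMP:
            return "forward"
        if igmp_version(payload) in (2, 3) and not has_router_alert(options):
            return "discard"
        return "forward"
    except ValueError:
        return "discard"    # assumption: malformed headers are dropped too


def build_packet(options: bytes, igmp: bytes) -> bytes:
    """Constructed sample packet (documentation source address, zero checksums)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0xC0, ihl * 4 + len(igmp),
                         0, 0, 1, IPPROTO_IGMP, 0,
                         ipaddress.ip_address("192.0.2.10").packed,
                         ipaddress.ip_address("239.2.3.1").packed)
    return header + options + igmp


GROUP = ipaddress.ip_address("239.2.3.1").packed
V1_REPORT = bytes([0x12, 0, 0, 0]) + GROUP
V2_REPORT = bytes([0x16, 0, 0, 0]) + GROUP
V3_REPORT = bytes([0x22, 0, 0, 0, 0, 0, 0, 0])
SAMPLES = {
    "v2 report with Router Alert": build_packet(bytes([0x94, 4, 0, 0]), V2_REPORT),
    "v2 report, no options": build_packet(b"", V2_REPORT),
    "v3 report, NOP padding only": build_packet(bytes([1, 1, 1, 0]), V3_REPORT),
    "v1 report, no options": build_packet(b"", V1_REPORT),
    "v2 report, option length overruns": build_packet(bytes([0x94, 8, 0, 0]), V2_REPORT),
}


def verdicts():
    return {name: router_alert_verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:8} {name}")
```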
ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.

Syntax
[no] ip igmp snooping tcn-flood

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date.
Example
The following example enables TCN flooding.

Console(config)#ip igmp snooping tcn-flood
Console(config)#

ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
ip igmp snooping unregistered-data-flood
This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic.

Syntax
[no] ip igmp snooping unregistered-data-flood

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned.
Example
Console(config)#ip igmp snooping unsolicited-report-interval 5
Console(config)#

ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
ip igmp snooping version-exclusive
This command discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the ip igmp snooping version command. Use the no form to disable this feature.
Chapter 27 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received. ◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
Chapter 27 | Multicast Filtering Commands IGMP Snooping ◆ This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used. Example The following shows how to enable immediate leave.
ip igmp snooping vlan last-memb-query-intvl
This command configures the last-member-query interval. Use the no form to restore the default.

Syntax
ip igmp snooping vlan vlan-id last-memb-query-intvl interval
no ip igmp snooping vlan vlan-id last-memb-query-intvl
vlan-id - VLAN ID (Range: 1-4094)
interval - The interval to wait for a response to a group-specific or group-and-source-specific query message.
Chapter 27 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link.
Chapter 27 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541. The switch also uses a null address in IGMP reports sent to upstream ports.
ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.

Syntax
ip igmp snooping vlan vlan-id query-interval interval
no ip igmp snooping vlan vlan-id query-interval
vlan-id - VLAN ID (Range: 1-4094)
interval - The interval between sending IGMP general queries.
Chapter 27 | Multicast Filtering Commands IGMP Snooping Command Usage This command applies when the switch is serving as the querier (page 665), or as a proxy host when IGMP snooping proxy reporting is enabled (page 664). Example Console(config)#ip igmp snooping vlan 1 query-resp-intvl 20 Console(config)# ip igmp snooping vlan This command adds a port to a multicast group. Use the no form to remove the static port.
ip igmp snooping immediate-leave
This command enables immediate leave processing on the interface. Use the no form to restore the default.

Syntax
[no] ip igmp snooping immediate-leave

Default
Disabled

Command Mode
Privileged Exec

Command Usage
The command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled on the port.
Chapter 27 | Multicast Filtering Commands IGMP Snooping interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12/26/28/52) port-channel channel-id (Range: 1-16) vlan vlan-id - VLAN identifier (Range: 1-4094) Command Mode Privileged Exec Example Console#clear ip igmp snooping statistics Console# show ip igmp This command shows the IGMP snooping, proxy, and query configuration settings.
 Version Exclusive              : Using global status (Disabled)
 Immediate Leave                : Disabled
 Last Member Query Interval     : 10 (unit: 1/10s)
 Last Member Query Count        : 2
 General Query Suppression      : Disabled
 Query Interval                 : 125
 Query Response Interval        : 100 (unit: 1/10s)
 Proxy Query Address            : 0.0.0.
 Proxy Reporting                :
 Multicast Router Discovery     :
Chapter 27 | Multicast Filtering Commands IGMP Snooping interface [ip-address] | vlan-id [interface [ip-address]] | user | vlan vlan-id [user | igmpsnp]] ip-address - IP address for multicast group interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12/26/28/52) port-channel channel-id (Range: 1-16) igmpsnp - Display only entries learned through IGMP snooping. sort-by-port - Display entries sorted by port. user - Display only the user-configured multicast entries.
Chapter 27 | Multicast Filtering Commands IGMP Snooping Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static or Dynamic. Example The following shows the ports in VLAN 1 which are attached to multicast routers.
Command Mode
Privileged Exec

Example
The following shows IGMP protocol statistics input:

Console#show ip igmp snooping statistics input interface ethernet 1/1
Input Statistics:
Interface Report   Leave    G Query  G(-S)-S Query Drop     Join Succ Group
--------- -------- -------- -------- ------------- -------- --------- ------
Eth 1/ 1        23       11        4            10        5        14      5
Console#

Table 131: show ip igmp snooping statistics input - display description
Field Description Interfac
Chapter 27 | Multicast Filtering Commands IGMP Snooping Table 132: show ip igmp snooping statistics output - display description Field Description G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface. Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed. Group The number of multicast groups active on this interface.
Chapter 27 | Multicast Filtering Commands Static Multicast Routing Table 133: show ip igmp snooping statistics vlan query - display description Field Description V2 Warning Count The number of times the query version received (Version 2) does not match the version configured for this interface. V3 Warning Count The number of times the query version received (Version 3) does not match the version configured for this interface.
Chapter 27 | Multicast Filtering Commands IGMP Filtering and Throttling trunk) on this switch, that interface can be manually configured to join all the current multicast groups. ◆ IGMP Snooping must be enabled globally on the switch (using the ip igmp snooping command) before a multicast router port can take effect. Example The following shows how to configure port 10 as a multicast router port within VLAN 1.
Table 135: IGMP Filtering and Throttling Commands (Continued)
Command | Function | Mode
show ip igmp query-drop | Shows if the interface is configured to drop IGMP query packets | PE
show ip igmp throttle interface | Displays the IGMP throttling setting for interfaces | PE
show ip multicast-data-drop | Shows if the interface is configured to drop multicast data packets | PE

ip igmp filter
This command globally enables IGMP filtering and thro
ip igmp igmp-with-pppoe
This command globally enables the support of IGMP with PPPoE protocol. Use the no form to disable the feature.

Syntax
[no] ip igmp igmp-with-pppoe

Default Setting
Disabled

Command Mode
Global Configuration

Example
Console(config)#ip igmp igmp-with-pppoe
Console(config)#

ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode.
permit, deny
This command sets the access mode for an IGMP filter profile.

Syntax
{permit | deny}

Default Setting
Deny

Command Mode
IGMP Profile Configuration

Command Usage
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#

ip igmp authentication
This command enables IGMP authentication on the specified interface. When enabled and an IGMP JOIN request is received, an authentication request is sent to a configured RADIUS server. Use the no form to disable IGMP authentication.
Chapter 27 | Multicast Filtering Commands IGMP Filtering and Throttling Group Record contain the interface's source list for the specified multicast address, if not empty. TO_EX (CHANGE_TO_EXCLUDE_MODE) - Indicates that the interface has changed to EXCLUDE filter mode for the specified multicast address. The Source Address fields in this Group Record contain the interface's new source list for the specified multicast address, if not empty.
Chapter 27 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. ◆ Only one profile can be assigned to an interface. ◆ A profile can also be assigned to a trunk interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp max-groups 10
Console(config-if)#

ip igmp max-groups action
This command sets the IGMP throttling action for an interface on the switch. Use the no form of the command to restore the action to the default value.

Syntax
ip igmp max-groups action {deny | replace}
no ip igmp max-groups action
deny - The new multicast group join report is dropped.
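How a filter profile and the max-groups limit combine on one port, as an added model (not the switch's code) that replays constructed join reports against the two ranges shown for profile 19 in this chapter. Assumptions: deny mode is modelled as the inverse of the permit rule, the filter is evaluated before the throttle, only the deny throttling action is modelled, and every class and function name is hypothetical.

```python
import ipaddress


class IgmpProfile:
    """One IGMP filter profile: a single access mode plus controlled group ranges."""

    def __init__(self, number, mode="deny"):         # Deny is the documented default
        if mode not in ("permit", "deny"):
            raise ValueError("access mode is either permit or deny")
        self.number, self.mode, self.ranges = number, mode, []

    def add_range(self, low, high):
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        if not (lo.is_multicast and hi.is_multicast) or lo > hi:
            raise ValueError(f"not an ascending multicast range: {low} {high}")
        self.ranges.append((lo, hi))

    def in_controlled_range(self, group):
        g = ipaddress.IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def processes_join(self, group):
        hit = self.in_controlled_range(group)
        # permit: joins inside the controlled ranges are processed.
        # deny: modelled here as the inverse (assumption of this example).
        return hit if self.mode == "permit" else not hit


class Port:
    """A port with at most one profile and an optional max-groups limit."""

    def __init__(self, name, profile=None, max_groups=None):
        self.name, self.profile, self.max_groups = name, profile, max_groups
        self.groups = []                              # joined groups, in join order

    def join(self, group):
        if self.profile is not None and not self.profile.processes_join(group):
            return "dropped by filter"
        g = ipaddress.IPv4Address(group)
        if g in self.groups:
            return "already joined"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            return "dropped by max-groups"            # throttling action: deny
        self.groups.append(g)
        return "joined"


def profile_19(mode):
    """Profile 19 with the two ranges from the show ip igmp profile output."""
    profile = IgmpProfile(19, mode)
    profile.add_range("239.1.1.1", "239.1.1.1")
    profile.add_range("239.2.3.1", "239.2.3.100")
    return profile


# Constructed join reports, in arrival order.
JOINS = ["239.1.1.1", "239.1.1.2", "239.2.3.50", "239.2.3.101", "239.2.3.50"]


def replay(mode, max_groups=None):
    port = Port("ethernet 1/1", profile_19(mode), max_groups)
    return [port.join(group) for group in JOINS]


if __name__ == "__main__":
    for mode, limit in (("deny", None), ("permit", None), ("deny", 1)):
        print(f"mode={mode} max-groups={limit}")
        for group, result in zip(JOINS, replay(mode, limit)):
            print(f"  {group:12} {result}")
```

With the default deny mode, every group outside the listed ranges is still joinable, so the max-groups limit is the only bound on how many such groups a port can request.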
Chapter 27 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can be used to drop any query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier.
Chapter 27 | Multicast Filtering Commands IGMP Filtering and Throttling interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12/26/28/52) port-channel channel-id (Range: 1-16) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces. Example Console#show ip igmp authentication Ethernet 1/1: Enabled Ethernet 1/2: Enabled Ethernet 1/3: Enabled . . .
Example
Console#show ip igmp filter
IGMP Filter enabled
Console#show ip igmp filter interface ethernet 1/1
Ethernet 1/1 information
--------------------------------
 IGMP Profile 19
 Deny
 Range 239.1.1.1 239.1.1.1
 Range 239.2.3.1 239.2.3.100
Console#

show ip igmp igmp- This command displays the IGMP PPPoE protocol configuration.
Example
Console#show ip igmp profile
IGMP Profile 19
 Deny
 Range 239.1.1.1 239.1.1.1
 Range 239.2.3.1 239.2.3.100
IGMP Profile 50
 Deny
 Range 239.1.1.1 239.1.1.12
Console#show ip igmp profile 19
IGMP Profile 19
 Deny
 Range 239.1.1.1 239.1.1.1
 Range 239.2.3.1 239.2.3.100
Console#

show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.

Syntax
show ip igmp throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Chapter 27 | Multicast Filtering Commands MLD Snooping Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces. Example Console#show ip multicast-data-drop interface ethernet 1/1 Ethernet 1/1: Enabled Console# MLD Snooping Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4.
Table 137: MLD Snooping Commands (Continued)
Command | Function | Mode
ipv6 mld snooping unsolicited-report-interval | Specifies how often the upstream interface should transmit unsolicited MLD snooping reports (when proxy reporting is enabled) | GC
ipv6 mld snooping version | Configures the MLD Snooping version | GC
ipv6 mld snooping vlan immediate-leave | Removes a member port of an IPv6 multicast service if a leave packet is received at that port and ML
ipv6 mld snooping proxy-reporting
This command enables MLD Snooping with Proxy Reporting. Use the no form to restore the default setting.

Syntax
[no] ipv6 mld snooping proxy-reporting

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When proxy reporting is enabled with this command, reports received from downstream hosts are summarized and used to build internal membership states.
Example
Console(config)#ipv6 mld snooping querier
Console(config)#

ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.

Syntax
ipv6 mld snooping query-interval interval
no ipv6 mld snooping query-interval
interval - The interval between sending MLD general queries.
Command Mode
Global Configuration

Command Usage
This command controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member.

Example
Console(config)#ipv6 mld snooping query-max-response-time 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
ipv6 mld snooping router-port-expire-time
This command configures the MLD query timeout. Use the no form to restore the default.

Syntax
ipv6 mld snooping router-port-expire-time time
no ipv6 mld snooping router-port-expire-time
time - Specifies the timeout of a dynamically learned router port.
◆ When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router.

Example
Console(config)#ipv6 mld snooping unknown-multicast mode flood
Console(config)#

ipv6 mld snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited MLD snooping reports when proxy reporting is enabled.
ipv6 mld snooping version
This command configures the MLD snooping version. Use the no form to restore the default.

Syntax
ipv6 mld snooping version {1 | 2}
no ipv6 mld snooping version
1 - MLD version 1.
2 - MLD version 2.
Chapter 27 | Multicast Filtering Commands MLD Snooping ◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one MLD-enabled device, either a service host or a neighbor running MLD snooping.
Example
The following shows how to configure port 1 as a multicast router port within VLAN 1:

Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1
Console(config)#

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.

Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group.
Command Usage
This command only clears entries learned through MLD snooping. Statically configured multicast addresses are not cleared.

Example
Console#clear ipv6 mld snooping groups dynamic
Console#

clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.

Syntax
clear ipv6 mld snooping statistics [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Chapter 27 | Multicast Filtering Commands MLD Snooping Example The following shows MLD Snooping configuration information using the global form of the command first and then the command is executed with keyword vlan to show specific VLAN MLD configuration.
Total Entries 3, limit 255
VLAN Multicast IPv6 Address                  Member Port Type
---- --------------------------------------- ----------- ---------------
   1 FF02::01:01:01:01                       Eth 1/1     MLD Snooping
   1 FF02::01:01:01:02                       Eth 1/1     Multicast Data
   1 FF02::01:01:01:02                       Eth 1/1     User
Console#

show ipv6 mld snooping group
This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
vlan-id - A VLAN identification number. (Range: 1-4094)

Command Mode
Privileged Exec

Example
Console#show ipv6 mld snooping mrouter vlan 1
VLAN Multicast Router Port Type      Expire
---- --------------------- --------- ------
   1 Eth 1/ 2              Static
Console#

show ipv6 mld
This command shows MLD snooping protocol statistics for the specified interface.
Example
The following shows MLD snooping input-related message statistics:

Console#show ipv6 mld snooping statistics input interface ethernet 1/1
Input Statistics:
Interface Report   Leave    G Query  G(-S)-S Query Drop     Join Succ Group
--------- -------- -------- -------- ------------- -------- --------- ------
Eth 1/ 1         4        0        0             0        0         0      2
Console#

Table 138: show ipv6 MLD snooping statistics input - display description
Field      Description
Interface  The unit/port
Table 139: show ipv6 MLD snooping statistics output - display description
Field      Description
Join Succ  The number of times a multicast group was successfully joined.
Group      The number of MLD groups active on this interface.
Console#show ipv6 mld snooping statistics summary interface vlan 1
Number of Groups: 1
Querier:                          : Report & Leave:            :
 Other Querier : None               Host Addr        : None
 Other Uptime  : 0(h):0(m):0(s)     Unsolicit Expire : 0 sec
 Other Expire  : 0(m):0(s)
 Self Addr     : None
 Self Expire   : 2(m): 3(s)
 Self Uptime   : 0(h):10(m):58(s)
 Transmit :                         Transmit :
  General       : 7                  Report : 0
  Group Specific: 0                  Leave  : 0
 Recieved :                         Recieved :
  General       : 0                  Report : 4
  Group Specific: 0                  Leave  : 0
 joi
Chapter 27 | Multicast Filtering Commands MLD Filtering and Throttling
Table 141: show ipv6 MLD snooping statistics summary - display description
Field          Description
Querier:
Other Querier  IPv6 address of remote querier on this interface.
Other Uptime   Time remote querier has been up.
Other Expire   Time after which remote querier is assumed to have expired.
Self Addr      IPv6 address of local querier on this interface.
Self Expire    Time after which local querier is assumed to have expired.
Table 142: MLD Filtering and Throttling Commands (Continued)
Command                           Function                                                        Mode
show ipv6 mld query-drop          Shows if the interface is configured to drop MLD query packets  PE
show ipv6 mld throttle interface  Displays the MLD throttling setting for interfaces              PE

ipv6 mld filter (Global Configuration)
This command globally enables MLD filtering and throttling on the switch. Use the no form to disable the feature.
ipv6 mld profile
This command creates an MLD filter profile number and enters MLD profile configuration mode. Use the no form to delete a profile number.

Syntax
[no] ipv6 mld profile profile-number
profile-number - An MLD filter profile number. (Range: 1-4294967295)

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join.
Example
Console(config)#ipv6 mld profile 19
Console(config-mld-profile)#permit
Console(config-mld-profile)#

range
This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.

Syntax
[no] range low-ipv6-address high-ipv6-address
low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range.
Command Usage
◆ The MLD filtering profile must first be created with the ipv6 mld profile command before being able to assign it to an interface.
◆ Only one profile can be assigned to an interface.
◆ A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld max-groups 10
Console(config-if)#

ipv6 mld max-groups action
This command sets the MLD throttling action for an interface on the switch. Use the no form of the command to set the action to the default.

Syntax
ipv6 mld max-groups action {deny | replace}
no ipv6 mld max-groups action
deny - The new multicast group join report is dropped.
Command Usage
This command can be used to drop any query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld query-drop
Console(config-if)#

ipv6
Use this command to enable multicast data drop mode on a port interface.
Example
Console#show ipv6 mld filter
MLD filter Enabled
Console#show ipv6 mld filter interface ethernet 1/3
Ethernet 1/3 information
---------------------------------
MLD Profile 19
Deny
Range ff01::101 ff01::faa
Console#

show ipv6 mld profile
This command displays MLD filtering profiles created on the switch.

Syntax
show ipv6 mld profile [profile-number]
profile-number - An existing MLD filter profile number.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
Using this command without specifying an interface displays all interfaces.

Example
Console#show ipv6 mld query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ipv6 mld throttle interface
This command displays the interface settings for MLD throttling.

Syntax
show ipv6 mld throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier.
Chapter 27 | Multicast Filtering Commands MVR for IPv4

MVR for IPv4
This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Table 143: Multicast VLAN Registration for IPv4 Commands (Continued)
Command             Function                                                                                                                                        Mode
show mvr interface  Shows MVR settings for interfaces attached to the MVR VLAN                                                                                      PE
show mvr members    Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address  PE
show mvr profile    Shows all configured MVR profiles                                                                                                               PE
show mvr statistics Shows MVR protocol statistics for the
Default Setting
Disabled

Command Mode
Global Configuration

Example
The following binds an MVR group address profile to domain 1:

Console(config)#mvr domain 1 associated-profile rd
Console(config)#

Related Commands
mvr profile (729)

mvr domain
This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.

Syntax
[no] mvr domain domain-id
domain-id - An independent multicast domain.
mvr profile
This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.

Syntax
mvr profile profile-name start-ip-address end-ip-address
no mvr profile profile-name
profile-name - The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters)
start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.
Syntax
mvr proxy-query-interval interval
no mvr proxy-query-interval
interval - The interval at which the receiver port sends out general queries. (Range: 2-31744 seconds)

Default Setting
125 seconds

Command Mode
Global Configuration

Command Usage
This command sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled with the mvr proxy-switching command.
MVR subscriptions on the downstream interface. Receiver ports must therefore be configured on all downstream interfaces which require MVR proxy service.
◆ When the source port receives report and leave messages, it only forwards them to other source ports.
◆ When receiver ports receive any query messages, they are dropped.
Command Usage
◆ This command is used to set the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.
◆ This command only takes effect when MVR proxy switching is enabled.
mvr upstream-source-ip
This command configures the source IP address assigned to all MVR control packets sent upstream on all domains or on a specified domain. Use the no form to restore the default setting.

Syntax
mvr [domain domain-id] upstream-source-ip source-ip-address
no mvr [domain domain-id] upstream-source-ip
domain-id - An independent multicast domain.
◆ The VLAN specified by this command must be an existing VLAN configured with the vlan command.
◆ MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command and switchport native vlan command, but MVR receiver ports should not be statically configured as members of this VLAN.
◆ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to only one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
◆ Immediate leave does not apply to multicast groups which have been statically assigned to a port with the mvr vlan group command.

Example
The following enables immediate leave on a receiver port.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.

Example
The following configures one source port and several receiver ports on the switch.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings.
port-channel channel-id (Range: 1-16)
vlan vlan-id - VLAN identifier (Range: 1-4094)

Command Mode
Privileged Exec

Example
Console#clear mvr statistics
Console#

show mvr
This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.

Syntax
show mvr [domain domain-id]
domain-id - An independent multicast domain.
Table 144: show mvr - display description (Continued)
Field                     Description
MVR Proxy Query Interval  Shows the interval at which the receiver port sends out general queries
MVR Source Port Mode      Shows if the switch forwards all multicast streams, or only those which the source port has dynamically joined
MVR Domain                An independent multicast domain.
MVR Config Status         Shows if MVR is globally enabled on the switch.
show mvr interface
This command shows MVR configuration settings for interfaces attached to the MVR VLAN.

Syntax
show mvr [domain domain-id] interface
domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
Displays configuration settings for all attached interfaces.
show mvr members
This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port.
Group Address   VLAN Port        Up time     Expire Count
--------------- ---- ----------- ----------- ------ -------
234.5.6.7          1             00:00:09:17        2(P)
                   1 Eth 1/ 1(S)
                   2 Eth 1/ 2(R)
Console#

The following example shows detailed information about a specific multicast address:

Console#show mvr domain 1 members 234.5.6.7
MVR Domain : 1
MVR Forwarding Entry Count :1
Flag: S - Source port, R - Receiver port.
      H - Host counts (number of hosts joined to group on this port).
show mvr profile
This command shows all configured MVR profiles.

Command Mode
Privileged Exec

Example
The following shows all configured MVR profiles:

Console#show mvr profile
MVR Profile Name     Start IP Addr.  End IP Addr.
-------------------- --------------- ---------------
rd                   228.1.23.1      228.1.23.10
testing              228.2.23.1      228.2.23.10
Console#

show mvr statistics
This command shows MVR protocol-related statistics for the specified interface.
Example
The following shows MVR protocol-related statistics received:

Console#show mvr domain 1 statistics input
MVR Domain : 1 , MVR VLAN: 2
Input Statistics:
Interface Report   Leave    G Query  G(-S)-S Query Drop     Join Succ Group
--------- -------- -------- -------- ------------- -------- --------- ------
Eth 1/ 1        23       11        4            10        5        20      9
Eth 1/ 2        12       15        8             3        5        19      4
DVLAN 1          2        0        0             2        2        20      9
MVLAN 1          2        0        0             2        2        20      9
Console#

Table 147: show mvr statistics input - display
Table 148: show mvr statistics output - display description (Continued)
Field          Description
Leave          The number of leave messages sent from this interface.
G Query        The number of general query messages sent from this interface.
G(-S)-S Query  The number of group specific or group-and-source specific query messages sent from this interface.
Drop           The number of times a report, leave or query was dropped.
Table 149: show mvr statistics query - display description (Continued)
Field             Description
Warn Rate Limit   Count down from 15 seconds after receiving a Query different from the configured version.
V# Warning Count  Number of queries received on MVR that were configured for IGMP version 1, 2 or 3.
Table 150: show mvr statistics summary interface - display description
Field             Description
Join Success      Number of join reports processed successfully.
Filter Drop       Number of report/leave messages dropped by IGMP filter.
Source Port Drop  Number of report/leave messages dropped by MVR source port.
Others Drop       Number of report/leave messages dropped for other reasons.
Chapter 27 | Multicast Filtering Commands MVR for IPv6
Table 151: show mvr statistics summary interface mvr vlan - description
Field             Description
Received
General           Number of general queries received.
Group Specific    Number of group specific queries received.
V# Warning Count  Number of queries received on MVR that were configured by IGMP version 1, 2 or 3.
Report & Leave
Host IP Addr      Source IP address used to send report/leave messages from source port.
Table 152: Multicast VLAN Registration for IPv6 Commands (Continued)
Command                        Function                                                                                                                                   Mode
mvr6 proxy-switching           Enables MVR6 proxy switching, where the source port acts as a host, and the receiver port acts as an MVR6 router with querier service enabled  GC
mvr6 robustness-value          Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries                       GC
mvr6 source-port-mode dynamic  Configures the switch to on
mvr6 associated-profile
This command binds the MVR6 group addresses specified in a profile to an MVR6 domain. Use the no form of this command to remove the binding.

Syntax
[no] mvr6 domain domain-id associated-profile profile-name
domain-id - An independent multicast domain. (Range: 1-5)
profile-name - The name of a profile containing one or more MVR6 group addresses.
Example
The following example enables MVR6 for domain 1:

Console(config)#mvr6 domain 1
Console(config)#

mvr6 profile
This command maps a range of MVR6 group addresses to a profile. Use the no form of this command to remove the profile.

Syntax
mvr6 profile profile-name start-ip-address end-ip-address
no mvr6 profile profile-name
profile-name - The name of a profile containing one or more MVR6 group addresses.
Example
The following example maps a range of MVR6 group addresses to a profile:

Console(config)#mvr6 profile rd ff01:0:0:0:0:0:0:fe ff01:0:0:0:0:0:0:ff
Console(config)#

mvr6 proxy-query-interval
This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting.
Command Mode
Global Configuration

Command Usage
◆ When MVR6 proxy-switching is enabled, an MVR6 source port serves as the upstream or host interface, and the MVR6 receiver port serves as the querier. The source port performs only the host portion of MVR6 by sending summarized membership reports, and automatically disables MVR6 router functions.
◆ Receiver ports are known as downstream or router interfaces.
mvr6 robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.

Syntax
mvr6 robustness-value value
no mvr6 robustness-value
value - The robustness used for all interfaces.
Command Usage
◆ By default, the switch forwards any multicast streams within the address range set by a profile, and bound to a domain. The multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address.
◆ When the mvr6 source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined.
mvr6 vlan
This command specifies the VLAN through which MVR6 multicast data is received. Use the no form of this command to restore the default MVR6 VLAN.

Syntax
mvr6 domain domain-id vlan vlan-id
no mvr6 domain domain-id vlan
domain-id - An independent multicast domain. (Range: 1-5)
vlan-id - Specifies the VLAN through which MVR6 multicast data is received. This is also the VLAN to which all source ports must be assigned.
Command Usage
◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ A port configured as an MVR6 receiver or source port can join or leave multicast groups configured under MVR6. A port which is not configured as an MVR6 receiver or source port can use MLD snooping to join or leave multicast groups using the standard rules for multicast filtering (see “MLD Snooping” on page 700).
mvr6 vlan group
This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.

Syntax
[no] mvr6 domain domain-id vlan vlan-id group ip-address
domain-id - An independent multicast domain. (Range: 1-5)
vlan-id - Receiver VLAN to which the specified multicast traffic is flooded.
clear mvr6 groups
This command clears multicast group information dynamically learned through dynamic MVR6.

Syntax
clear mvr6 groups dynamic domain-id
domain-id - An independent multicast domain. (Range: 1-5)

Command Mode
Privileged Exec

Command Usage
This command only clears entries learned through MVR6. Statically configured multicast addresses are not cleared.
show mvr6
This command shows information about MVR6 domain settings, including MVR6 operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.

Syntax
show mvr6 [domain domain-id]
domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
Displays configuration settings for all MVR6 domains.
Table 153: show mvr6 - display description (Continued)
Field                       Description
MVR Current Learned Groups  The current number of MVR group addresses
MVR6 Upstream Source IP     The source IP address assigned to all upstream control packets.

show mvr6 associated-profile
This command shows the profiles bound to the specified domain.

Syntax
show mvr6 [domain domain-id] associated-profile
domain-id - An independent multicast domain.
Example
The following displays information about the interfaces attached to the MVR6 VLAN in domain 1:

Console#show mvr6 domain 1 interface
MVR6 Domain : 1
Port     Type     Status              Immediate Leave  Static Group Address
-------- -------- ------------------- ---------------- ---------------
Eth1/ 1  Source   Active/Forwarding
Eth1/ 2  Receiver Active/Forwarding   Disabled         ff00::1(VLAN1)
Console#

Table 154: show mvr6 interface - display description
Field Description
P
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12/26/28/52)
port-channel channel-id (Range: 1-16)

Default Setting
Displays configuration settings for all domains and all forwarding entries.

Command Mode
Privileged Exec

Example
The following shows information about the current number of multicast forwarding entries in all domains.
] | mld | sort-by-port [ip-address | ds-vlan vlan-id [ip-address | interface ip-address] | interface ip-address ] | unknown]}
domain-id - An independent multicast domain. (Range 1-5)
ip-address - IPv6 address for an MVR6 multicast group.
host-ip-address - Show entries by subscriber IPv6 address
mld - Show entries created by MLD protocol.
sort-by-port - Show entries with groups sorted by port.
Console#show mvr6 domain 1 members ff00::1
MVR6 Domain : 1
MVR6 Forwarding Entry Count :1
Flag: S - Source port, R - Receiver port.
      H - Host counts (number of hosts join the group on this port).
      P - Port counts (number of forwarding ports).
Up time: Group elapsed time (d:h:m:s).
Expire : Group remaining time (m:s).
input - Specifies to display statistics for messages received by the interface.
output - Specifies to display statistics for messages sent by the interface.
domain-id - An independent multicast domain. (Range: 1-5)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12/26/28/52)
port-channel channel-id (Range: 1-16)
vlan vlan-id - VLAN ID (Range: 1-4094)
query - Displays MVR query-related statistics.
Table 156: show mvr6 statistics input - display description (Continued)
Field      Description
Drop       The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR6 group report received
Join Succ  The number of times a multicast group was successfully joined.
Group      The number of MVR6 groups active on this interface.
Table 158: show mvr6 statistics query - display description
Field                      Description
Other Querier Address      The IPv6 address of the querier on this interface.
Other Querier Uptime       Other querier’s time up.
Other Querier Expire Time  The time after which this querier is assumed to have expired.
Self Querier Address       This querier’s IPv6 address.
Self Querier Uptime        This querier’s time up.
Self Querier Expire Time   This querier’s expire time.
Table 159: show mvr6 statistics summary interface - display description
Field         Description
Transmit
Report        Number of transmitted reports.
Leave         Number of transmitted leaves.
Received
Report        Number of reports received.
Leave         Number of leaves received.
Join Success  Number of join reports processed successfully.
Filter Drop   Number of report/leave messages dropped by IGMP filter.
Table 160: show mvr6 statistics summary interface mvr vlan - description
Field           Description
Other Uptime    Other querier’s time up.
Self Addr       This querier’s IP address.
Self Expire     This querier’s expire time.
Self Uptime     This querier’s time up.
Transmit
General         Number of general queries sent from receiver port.
Group Specific  Number of group specific queries sent from receiver port.
Received
General         Number of general queries received.
28 LLDP Commands

Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
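Because every optional TLV is information handed to whoever is attached to the port, it is worth checking what a port actually sends. The following added example (not part of the Edgecore guide) parses an LLDPDU payload and lists each optional TLV next to the CLI option from this chapter that controls it; the sample frame, host name and addresses are constructed, and options this excerpt does not name are reported as None.

```python
import ipaddress
import struct

# Optional basic TLV types (IEEE 802.1AB) -> (name, CLI option named in this chapter).
BASIC = {
    4: ("Port Description", "lldp basic-tlv port-description"),
    5: ("System Name", "lldp basic-tlv system-name"),
    6: ("System Description", "lldp basic-tlv system-description"),
    7: ("System Capabilities", "lldp basic-tlv system-capabilities"),
}
# Organizationally specific TLVs (type 127): (OUI, subtype) -> (name, CLI option).
ORG = {
    (b"\x00\x80\xc2", 1): ("802.1 Port VLAN ID", "lldp dot1-tlv pvid"),
    (b"\x00\x80\xc2", 2): ("802.1 Port and Protocol VLAN ID", "lldp dot1-tlv proto-vid"),
    (b"\x00\x80\xc2", 3): ("802.1 VLAN Name", "lldp dot1-tlv vlan-name"),
    (b"\x00\x80\xc2", 4): ("802.1 Protocol Identity", "lldp dot1-tlv proto-ident"),
    (b"\x00\x12\x0f", 1): ("802.3 MAC/PHY", "lldp dot3-tlv mac-phy"),
    (b"\x00\x12\x0f", 3): ("802.3 Link Aggregation", "lldp dot3-tlv link-agg"),
    (b"\x00\x12\x0f", 4): ("802.3 Maximum Frame Size", "lldp dot3-tlv max-frame"),
    (b"\x00\x12\xbb", 1): ("LLDP-MED Capabilities", "lldp med-tlv med-cap"),
    (b"\x00\x12\xbb", 3): ("LLDP-MED Location", "lldp med-tlv location"),
}
MGMT_IPV6_CLI = "lldp basic-tlv management-ipv6-address"


def parse_lldpdu(payload):
    """Split an LLDPDU (the payload after EtherType 0x88CC) into (type, value) pairs."""
    tlvs, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated TLV header")
        (hdr,) = struct.unpack_from("!H", payload, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF      # 7-bit type, 9-bit length
        off += 2
        if off + length > len(payload):
            raise ValueError(f"TLV type {tlv_type} overruns the frame")
        tlvs.append((tlv_type, payload[off:off + length]))
        off += length
        if tlv_type == 0:                             # End of LLDPDU; the rest is padding
            break
    return tlvs


def decode_mgmt(value):
    """Decode the address part of a Management Address TLV (type 8)."""
    if len(value) < 2 or value[0] < 2 or len(value) < 1 + value[0]:
        raise ValueError("malformed Management Address TLV")
    subtype, addr = value[1], value[2:1 + value[0]]
    if subtype == 1 and len(addr) == 4:
        return "IPv4 " + str(ipaddress.IPv4Address(addr))
    if subtype == 2 and len(addr) == 16:
        return "IPv6 " + str(ipaddress.IPv6Address(addr))
    if subtype == 6 and len(addr) == 6:               # MAC address fallback
        return "MAC " + addr.hex(":")
    return f"subtype {subtype} {addr.hex()}"


def audit(payload):
    """Return (TLV name, decoded value, controlling CLI option or None) per optional TLV."""
    findings = []
    for tlv_type, value in parse_lldpdu(payload):
        if tlv_type in BASIC:
            name, cli = BASIC[tlv_type]
            if tlv_type == 7 and len(value) >= 4:
                caps, enabled = struct.unpack("!HH", value[:4])
                text = f"supported=0x{caps:04x} enabled=0x{enabled:04x}"
            else:
                text = value.decode("utf-8", "replace")
            findings.append((name, text, cli))
        elif tlv_type == 8:
            text = decode_mgmt(value)
            cli = MGMT_IPV6_CLI if text.startswith("IPv6 ") else None
            findings.append(("Management Address", text, cli))
        elif tlv_type == 127 and len(value) >= 4:
            label = f"Org-specific OUI {value[:3].hex('-')} subtype {value[3]}"
            name, cli = ORG.get((value[:3], value[3]), (label, None))
            findings.append((name, value[4:].hex(), cli))
    return findings


def tlv(tlv_type, value):
    """Build one TLV (used only to construct the sample frame below)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU: mandatory TLVs 1-3, then the optional ones being audited.
SAMPLE = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("020000000001")),   # Chassis ID, subtype 4 = MAC
    tlv(2, b"\x05" + b"Eth 1/1"),                      # Port ID, subtype 5 = interface name
    tlv(3, struct.pack("!H", 120)),                    # TTL in seconds
    tlv(5, b"lab-sw-01"),
    tlv(6, b"ECS4100-12T lab unit"),
    tlv(8, b"\x11\x02" + ipaddress.IPv6Address("2001:db8::1").packed
        + b"\x02" + struct.pack("!I", 1) + b"\x00"),   # ifIndex 1, no OID
    tlv(127, b"\x00\x80\xc2\x01" + struct.pack("!H", 1)),  # 802.1 PVID = 1
    tlv(0, b""),
])

if __name__ == "__main__":
    for name, text, cli in audit(SAMPLE):
        print(f"{name:22} {text:28} {cli}")
```

Each CLI option in the last column can be disabled with its no form on ports where that detail should not be advertised.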
Chapter 28 | LLDP Commands
Table 161: LLDP Commands (Continued)
Command                            Function                                                                                Mode
lldp basic-tlv system-description  Configures an LLDP-enabled port to advertise the system description                    IC
lldp basic-tlv system-name         Configures an LLDP-enabled port to advertise its system name                            IC
lldp dot1-tlv proto-ident*         Configures an LLDP-enabled port to advertise the supported protocols                    IC
lldp dot1-tlv proto-vid*           Configures an LLDP-enabled port to advertise port-based protocol related VLAN information  IC
lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.

Syntax
[no] lldp

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.

Syntax
lldp med-fast-start-count packet-number
no lldp med-fast-start-count
packet-number - Number of packets.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Command Mode
Global Configuration

Command Usage
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.

Example
Console(config)#lldp reinit-delay 10
Console(config)#

lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.

Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Neither the IPv4 address nor the IPv6 address of a VLAN interface is configured. The CPU MAC address (or device MAC address) will be sent in the Management Address TLV of the LLDP PDU transmitted.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv management-ipv6-address
Console(config-if)#

lldp basic-tlv port-description
This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature.
Command Usage
The system capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-capabilities
Console(config-if)#

lldp basic-tlv system-description
This command configures an LLDP-enabled port to advertise the system description.
Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#

lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
Command Usage
This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 585).

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot1-tlv proto-vid
Console(config-if)#

lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 562 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 586.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot1-tlv vlan-name
Console(config-if)#

lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Command Usage
This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv mac-phy
Console(config-if)#

lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Chapter 28 | LLDP Commands Command Usage This option advertises Power-over-Ethernet capabilities, including whether or not PoE is supported, currently enabled, if the port pins through which power is delivered can be controlled, the port pins selected to deliver power, and the power class.
specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776. The following table describes some of the CA type numbers and provides examples.

Table 162: LLDP MED Location CA Types
CA Type   Description                                                              CA Value Example
0         The ISO 639 language code used for presenting the address information.   en
Console(config-if)#lldp med-location civic-addr what 2
Console(config-if)#

lldp med-notification
This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications.
Chapter 28 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
Chapter 28 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises location identification details. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv location Console(config-if)# lldp med-tlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Chapter 28 | LLDP Commands Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
Chapter 28 | LLDP Commands show lldp config This command shows LLDP configuration settings for all ports. Syntax show lldp config [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12/26/28/52) port-channel channel-id (Range: 1-16) Command Mode Privileged Exec Example The following example shows the basic LLDP parameters for Port 1.
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.

Syntax
show lldp info local-device [detail interface]
detail - Shows configuration summary.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.

Syntax
show lldp info remote-device [detail interface]
detail - Shows detailed information.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
 Port MAU Type             : 16
 Power via MDI
  Power Class              : PSE
  Power MDI Supported      : Yes
  Power MDI Enabled        : Yes
  Power Pair Controllable  : No
  Power Pairs              : Spare
  Power Classification     : Class 1
 Link Aggregation
  Link Aggregation Capable : Yes
  Link Aggregation Enable  : No
  Link Aggregation Port ID : 0
 Max Frame Size            : 1522
Console#

The following example shows the information displayed for an end-node device which advertises LLDP-MED TLVs.
...
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.

Syntax
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
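The lldp basic-tlv, dot1-tlv, dot3-tlv and med-tlv commands in this chapter decide what a port discloses to whatever is plugged into it. The following Python sketch is an added example, not part of the Edgecore guide: it walks the TLVs of a captured LLDPDU, lists the optional TLVs present, and decodes the Management Address TLV (IP address, or MAC address when no IP is configured). The sample frames are constructed; TLV type numbers and OUIs are those of IEEE 802.1AB and ANSI/TIA-1057.

```python
import ipaddress
import struct

# Optional basic TLV types from IEEE 802.1AB (types 1-3 are mandatory).
BASIC_TLVS = {
    4: "Port Description",
    5: "System Name",
    6: "System Description",
    7: "System Capabilities",
    8: "Management Address",
}

# Organizationally specific TLVs (type 127), keyed by (OUI, subtype).
OUI_DOT1, OUI_DOT3, OUI_MED = b"\x00\x80\xc2", b"\x00\x12\x0f", b"\x00\x12\xbb"
ORG_TLVS = {
    (OUI_DOT1, 1): "802.1 Port VLAN ID",
    (OUI_DOT1, 2): "802.1 Port and Protocol VLAN ID",
    (OUI_DOT1, 3): "802.1 VLAN Name",
    (OUI_DOT1, 4): "802.1 Protocol Identity",
    (OUI_DOT3, 1): "802.3 MAC/PHY Configuration/Status",
    (OUI_DOT3, 2): "802.3 Power via MDI",
    (OUI_DOT3, 3): "802.3 Link Aggregation",
    (OUI_DOT3, 4): "802.3 Maximum Frame Size",
    (OUI_MED, 1): "LLDP-MED Capabilities",
    (OUI_MED, 2): "LLDP-MED Network Policy",
    (OUI_MED, 3): "LLDP-MED Location Identification",
    (OUI_MED, 4): "LLDP-MED Extended Power-via-MDI",
}


def parse_tlvs(lldpdu):
    """Return [(type, value), ...] up to the End TLV; ValueError if malformed."""
    tlvs, offset = [], 0
    while offset + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
        offset += 2
        if offset + length > len(lldpdu):
            raise ValueError("TLV type %d overruns the LLDPDU" % tlv_type)
        if tlv_type == 0:  # End of LLDPDU
            return tlvs
        tlvs.append((tlv_type, lldpdu[offset:offset + length]))
        offset += length
    raise ValueError("LLDPDU has no End TLV")


def advertised_optional_tlvs(lldpdu):
    """Names of the optional TLVs a port is sending, in frame order."""
    names = []
    for tlv_type, value in parse_tlvs(lldpdu):
        if tlv_type in BASIC_TLVS:
            names.append(BASIC_TLVS[tlv_type])
        elif tlv_type == 127 and len(value) >= 4:
            oui, subtype = value[:3], value[3]
            names.append(ORG_TLVS.get((oui, subtype),
                                      "Unknown org TLV %s/%d" % (oui.hex(), subtype)))
    return names


def management_addresses(lldpdu):
    """Decode each Management Address TLV into (family, address)."""
    found = []
    for tlv_type, value in parse_tlvs(lldpdu):
        if tlv_type != 8:
            continue
        if len(value) < 2 or value[0] < 1 or 1 + value[0] > len(value):
            found.append(("malformed", value.hex()))
            continue
        family = value[1]                # IANA address family number
        addr = value[2:1 + value[0]]     # string length counts the subtype octet
        if family == 1 and len(addr) == 4:
            found.append(("IPv4", str(ipaddress.IPv4Address(addr))))
        elif family == 2 and len(addr) == 16:
            found.append(("IPv6", str(ipaddress.IPv6Address(addr))))
        elif family == 6 and len(addr) == 6:
            found.append(("MAC", ":".join("%02x" % b for b in addr)))
        else:
            found.append(("family %d" % family, addr.hex()))
    return found


def _tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample frames (not captured from a real switch).
_MANDATORY = (_tlv(1, b"\x04" + bytes.fromhex("001122334455"))  # Chassis ID (MAC)
              + _tlv(2, b"\x05" + b"Eth 1/1")                   # Port ID (ifName)
              + _tlv(3, struct.pack("!H", 120)))                # TTL in seconds
_IF_SUFFIX = b"\x02" + struct.pack("!I", 1) + b"\x00"           # ifIndex 1, no OID
SAMPLE_WITH_IP = (_MANDATORY
                  + _tlv(5, b"edge-sw1")
                  + _tlv(8, b"\x05\x01" + ipaddress.IPv4Address("192.0.2.10").packed + _IF_SUFFIX)
                  + _tlv(127, OUI_DOT1 + b"\x01" + struct.pack("!H", 1))
                  + _tlv(127, OUI_DOT3 + b"\x04" + struct.pack("!H", 1522))
                  + _tlv(0, b""))
SAMPLE_MAC_ONLY = (_MANDATORY
                   + _tlv(8, b"\x07\x06" + bytes.fromhex("001122334455") + _IF_SUFFIX)
                   + _tlv(0, b""))

if __name__ == "__main__":
    print(advertised_optional_tlvs(SAMPLE_WITH_IP))
    print(management_addresses(SAMPLE_WITH_IP), management_addresses(SAMPLE_MAC_ONLY))
```

Comparing the returned list against the TLVs a port is intended to send shows where a `no lldp ... -tlv` line is still missing, for example on ports facing untrusted devices.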
29 CFM Commands Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
Chapter 29 | CFM Commands Table 163: CFM Commands (Continued) Command Function Mode ma index name-format Specifies the name format for the maintenance association CFM as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.
Chapter 29 | CFM Commands Table 163: CFM Commands (Continued) Command Function Mode ethernet cfm mep crosscheck Enables cross-checking between the list of configured remote MEPs within a maintenance association and MEPs learned through continuity check messages PE show ethernet cfm maintenance-points remote crosscheck Displays information about remote maintenance points configured statically in a cross-check list PE ethernet cfm linktrace cache Enables caching of CFM data learned through link tra
Chapter 29 | CFM Commands Defining CFM Structures 4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages. 5. Enable CFM globally on the switch with the ethernet cfm enable command. 6.
Example
This example sets the maintenance level for sending AIS messages within the specified MA.

Console(config)#ethernet cfm ais level 4 md voip ma rd
Console(config)#

ethernet cfm ais ma
This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature.

Syntax
[no] ethernet cfm ais md domain-name ma ma-name
domain-name – Domain name.
ethernet cfm ais period
This command configures the interval at which AIS information is sent. Use the no form to restore the default setting.

Syntax
ethernet cfm ais period period md domain-name ma ma-name
no ethernet cfm ais period md domain-name ma ma-name
period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
Chapter 29 | CFM Commands Defining CFM Structures with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Chapter 29 | CFM Commands Defining CFM Structures Default Setting No maintenance domains are configured. No MIPs are created for any MA in the specified domain. Command Mode Global Configuration Command Usage ◆ A domain can only be configured with one name. ◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
Chapter 29 | CFM Commands Defining CFM Structures which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command. Example This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
Chapter 29 | CFM Commands Defining CFM Structures ma index name This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
Chapter 29 | CFM Commands Defining CFM Structures ◆ Before removing an MA, first remove all the MEPs configured for it (see the mep crosscheck mpid command). ◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
Chapter 29 | CFM Commands Defining CFM Structures ethernet cfm mep This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP. Syntax ethernet cfm mep mpid mpid md domain-name ma ma-name [up] no ethernet cfm mep mpid mpid ma ma-name mpid – Maintenance end point identifier. (Range: 1-8191) domain-name – Domain name.
ethernet cfm port-enable
This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface.

Syntax
[no] ethernet cfm port-enable

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
Command Usage
This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved.

Example
This example clears AIS defect entries on port 1.

Console#clear ethernet cfm ais mpid 1 md voip ma rd
Console#

show ethernet cfm configuration
This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
Chapter 29 | CFM Commands Defining CFM Structures This example shows the configuration status for continuity check and cross-check traps.
show ethernet cfm md
This command displays the configured maintenance domains.

Syntax
show ethernet cfm md [level level]
level – Maintenance level. (Range: 0-7)

Default Setting
None

Command Mode
Privileged Exec

Example
This example shows all configured maintenance domains.

Console#show ethernet cfm md
MD Index MD Name              Level MIP Creation Archive Hold Time (m.
-------- -------------------- ----- ------------
       1 rd                       0 default
Console#
show ethernet cfm maintenance-points local
This command displays the maintenance points configured on this device.

Syntax
show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]}
mep – Displays only local maintenance end points.
mip – Displays only local maintenance intermediate points.
domain-name – Domain name.
show ethernet cfm maintenance-points local detail mep
This command displays detailed CFM information about a local MEP in the continuity check database.

Syntax
show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
interface – Displays CFM status for the specified interface.
  ethernet unit/port
    unit - Unit identifier.
Chapter 29 | CFM Commands Defining CFM Structures Table 165: show ethernet cfm maintenance-points local detail mep - display Field Description MPID MEP identifier MD Name The maintenance domain for this entry.
Chapter 29 | CFM Commands Defining CFM Structures Default Setting None Command Mode Privileged Exec Command Usage Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address. Example This example shows detailed information about the remote MEP designated by MPID 2.
Chapter 29 | CFM Commands Continuity Check Operations

Table 166: show ethernet cfm maintenance-points remote detail - display
Field        Description
Port State   Port states include:
             Up – The port is functioning normally.
             Blocked – The port has been blocked by the Spanning Tree Protocol.
             No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and for those whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
Chapter 29 | CFM Commands Continuity Check Operations ◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs). Example This example enables continuity check messages for the specified maintenance association.
Example
This example enables SNMP traps for mep-up events.

Console(config)#snmp-server enable traps ethernet cfm cc mep-up
Console(config)#

Related Commands
ethernet cfm mep crosscheck (827)

mep archive-hold-time
This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
Chapter 29 | CFM Commands Continuity Check Operations Default Setting None Command Mode Privileged Exec Command Usage Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors
This command displays the CFM continuity check errors logged on this device.

Syntax
show ethernet cfm errors [domain domain-name | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
level-id – Authorized maintenance level for this domain.
Chapter 29 | CFM Commands Cross Check Operations

Cross Check Operations

ethernet cfm mep crosscheck start-delay
This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting.

Syntax
ethernet cfm mep crosscheck start-delay delay
no ethernet cfm mep crosscheck start-delay
delay – The time a device waits for remote MEPs to come up before the cross-check is started.
Chapter 29 | CFM Commands Cross Check Operations mep-unknown – Sends a trap if an unconfigured MEP comes up. Default Setting All continuity checks are enabled. Command Mode Global Configuration Command Usage ◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Chapter 29 | CFM Commands Cross Check Operations Command Usage ◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational. ◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
Chapter 29 | CFM Commands Link Trace Operations

◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword.

Example
This example enables cross-checking within the specified maintenance association.

Console#ethernet cfm mep crosscheck enable md voip ma rd
Console#

show ethernet cfm maintenance-points remote crosscheck
This command displays information about remote MEPs statically configured in a cross-check list.
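The cross-check described above compares the static remote MEP list with the MEPs learned from continuity check messages once the start delay has passed. The following Python sketch is an added illustration of that comparison, not the switch's implementation; the function name, the Ccm record and the finding labels ("unknown", "missing", "lower-level") are assumptions, and the sample CCMs are constructed.

```python
from dataclasses import dataclass

MPID_MIN, MPID_MAX = 1, 8191    # MPID range given for ethernet cfm mep
LEVEL_MIN, LEVEL_MAX = 0, 7     # maintenance level range given for show ethernet cfm md


@dataclass(frozen=True)
class Ccm:
    """One received continuity check message (constructed record)."""
    time: float    # seconds after cross-checking was enabled
    mpid: int      # MEP identifier carried in the CCM
    level: int     # maintenance level carried in the CCM


def crosscheck(configured, ccms, own_level, start_delay, now):
    """Compare the static remote-MEP list with MEPs learned from CCMs.

    Returns a list of (finding, mpid) tuples in the order they are detected.
    Nothing is reported before start_delay has elapsed, which gives remote
    MEPs time to come up.
    """
    for mpid in configured:
        if not MPID_MIN <= mpid <= MPID_MAX:
            raise ValueError("configured MPID %d is out of range" % mpid)
    if not LEVEL_MIN <= own_level <= LEVEL_MAX:
        raise ValueError("maintenance level %d is out of range" % own_level)
    if now < start_delay:
        return []

    findings, seen = [], set()

    def report(kind, mpid):
        if (kind, mpid) not in findings:
            findings.append((kind, mpid))

    for ccm in ccms:
        if ccm.time > now:
            continue                        # not received yet
        if ccm.level > own_level:
            continue                        # belongs to an enclosing domain
        if ccm.level < own_level:
            report("lower-level", ccm.mpid)  # configuration or cross-connect error
        elif ccm.mpid in configured:
            seen.add(ccm.mpid)
        else:
            report("unknown", ccm.mpid)      # an unconfigured MEP came up
    for mpid in sorted(set(configured) - seen):
        report("missing", mpid)              # configured MEP never heard from
    return findings


# Constructed observations for an MA at level 3 with remote MEPs 2 and 3 configured.
SAMPLE_CONFIGURED = {2, 3}
SAMPLE_CCMS = [
    Ccm(time=1.0, mpid=2, level=3),   # expected remote MEP
    Ccm(time=2.0, mpid=9, level=3),   # not in the static list
    Ccm(time=3.0, mpid=4, level=1),   # leaked from a lower-level MA
    Ccm(time=4.0, mpid=7, level=5),   # higher level, ignored here
]

if __name__ == "__main__":
    print(crosscheck(SAMPLE_CONFIGURED, SAMPLE_CCMS, own_level=3, start_delay=10, now=12))
```

An "unknown" finding corresponds to the mep-unknown trap condition; it is the one to watch when an unexpected device starts sending CCMs inside a maintenance association.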
Chapter 29 | CFM Commands Link Trace Operations Command Mode Global Configuration Command Usage ◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded. ◆ Use this command to enable the link trace cache to store the results of link trace operations initiated on this device.
Example
This example sets the aging time for entries in the link trace cache to 60 minutes.

Console(config)#ethernet cfm linktrace cache hold-time 60
Console(config)#

ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
Chapter 29 | CFM Commands Link Trace Operations ethernet cfm linktrace This command sends CFM link trace messages to the MAC address of a remote MEP. Syntax ethernet cfm linktrace {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [ttl number | priority level] destination-mpid – The identifier of a remote MEP that is the target of the link trace message.
◆ When using the command line or web interface, the source MEP used to send a link trace message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user.

Example
This example sends a link trace message to the specified MEP with a maximum hop count of 25.

Console#linktrace ethernet dest-mep 2 md voip ma rd ttl 25
Console#

clear ethernet cfm
This command clears link trace messages logged on this device.
Chapter 29 | CFM Commands Loopback Operations Table 168: show ethernet cfm linktrace-cache - display description (Continued) Field Description Ing. Action Action taken on the ingress port: IngOk – The target data frame passed through to the MAC Relay Entity. IngDown – The bridge port’s MAC_Operational parameter is false.
Chapter 29 | CFM Commands Loopback Operations transmit-count – The number of times the loopback message is sent. (Range: 1-1024) padding-value – Padding characters used to fill the data TLV in a loopback message. (Range: Any hexadecimal characters; Default: 0x0) priority-value – Priority assigned to the loopback message (Range:0-7; Default: 7) packet-size – The size of the loopback message. (Range: 64-1518 bytes) Default Setting Loop back count: One loopback message is sent.
Chapter 29 | CFM Commands Fault Generator Operations

Fault Generator Operations

mep fault-notify alarm-time
This command sets the time a defect must exist before a fault alarm is issued. Use the no form to restore the default setting.

Syntax
mep fault-notify alarm-time alarm-time
no fault-notify alarm-time
alarm-time – The time that one or more defects must be present before a fault alarm is generated.
Chapter 29 | CFM Commands Fault Generator Operations Command Usage ◆ A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that a configured time period (see the mep fault-notify alarm-time command) has passed with one or more defects indicated, and fault alarms are enabled at or above the priority level set by this command.
Example
This example sets the lowest priority defect that will generate a fault alarm.

Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify lowest-priority 1
Console(config-ether-cfm)#

mep fault-notify reset-time
This command configures the time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued. Use the no form to restore the default setting.
Chapter 29 | CFM Commands Delay Measure Operations

Example
This example shows the fault notification settings configured for one MEP.

Console#show ethernet cfm fault-notify-generator mep 1
MD Name      MA Name      Highest Defect Lowest Alarm  Alarm Time Reset Time
------------ ------------ -------------- ------------- ---------- ----------
voip         rd           none           macRemErrXcon 3sec.      10sec.
Console#

Table 171: show fault-notify-generator - display description
Field     Description
MD Name   The maintenance domain for this entry.
Chapter 29 | CFM Commands Delay Measure Operations interval – The transmission delay between delay-measure messages. (Range: 1-5 seconds) packet-size – The size of the delay-measure message. (Range: 64-1518 bytes) timeout - The timeout to wait for a response. (Range: 1-5 seconds) Default Setting Count: 5 Interval: 1 second Size: 64 bytes Timeout: 5 seconds Command Mode Privileged Exec Command Usage ◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
       2    < 10     0
       3    < 10     0
       4      40    40
       5    < 10    40
Success rate is 100% (5/5), delay time min/avg/max=0/8/40 ms.
Average frame delay variation is 16 ms.
30 OAM Commands The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
Chapter 30 | OAM Commands

efm oam
This command enables OAM functions on the specified port. Use the no form to disable this function.

Syntax
[no] efm oam

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.
Chapter 30 | OAM Commands Command Usage ◆ Critical events are vendor-specific and may include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults. ◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset. Note: When system power fails, the switch will always send a dying gasp trap message prior to power down.
efm oam link-monitor frame threshold
This command sets the threshold for errored frame link events. Use the no form to restore the default setting.

Syntax
efm oam link-monitor frame threshold count
no efm oam link-monitor frame threshold
count - The threshold for errored frame link events.
exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.

Example
This example sets the window size to 5 seconds.

Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame window 50
Console(config-if)#

efm oam mode
This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
clear efm oam counters
This command clears statistical counters for various OAMPDU message types.

Syntax
clear efm oam counters [interface-list]
interface-list - unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
efm oam remote-loopback
This command starts or stops OAM loopback test mode to the attached CPE.

Syntax
efm oam remote-loopback {start | stop} interface
start - Starts remote loopback test mode.
stop - Stops remote loopback test mode.
interface - unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-12/26/28/52)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
OAM remote loop back can be used for fault localization and link performance testing.
efm oam remote-loopback test
This command performs a remote loopback test, sending a specified number of packets.

Syntax
efm oam remote-loopback test interface [number-of-packets [packet-size]]
interface - unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-12/26/28/52)
number-of-packets - Number of packets to send. (Range: 1-99999999)
packet-size - Size of packets to send.
show efm oam counters interface
This command displays counters for various OAM PDU message types.

Syntax
show efm oam counters interface [interface-list]
interface-list - unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Chapter 30 | OAM Commands Example Console#show efm oam event-log interface 1/1 OAM event log of Eth 1/1: 00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote" Console# This command can show OAM link status changes for link partner as shown in this example.
show efm oam remote-loopback interface
This command displays the results of an OAM remote loopback test.

Syntax
show efm oam remote-loopback interface [interface-list]
interface-list - unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Link Monitor (Errored Frame) : Enabled
Link Monitor:
 Errored Frame Window (100msec) : 10
 Errored Frame Threshold : 1

Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port Admin   Mode   Remote   Dying   Critical Errored
     State          Loopback Gasp    Event    Frame
---- ------- ------ -------- ------- -------- -------
1/1  Enabled Active Disabled Enabled Enabled  Enabled
Console#

show efm oam status
This command displays information about attached OAM-enabl
31 Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Chapter 31 | Domain Name Service Commands DNS Commands DNS Commands ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list. Syntax [no] ip domain-list name name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
Chapter 31 | Domain Name Service Commands DNS Commands ip domain-lookup This command enables DNS host name-to-address translation. Use the no form to disable DNS. Syntax [no] ip domain-lookup Default Setting Disabled Command Mode Global Configuration Command Usage At least one name server must be specified before DNS can be enabled.
Chapter 31 | Domain Name Service Commands DNS Commands ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
Chapter 31 | Domain Name Service Commands DNS Commands Command Usage Use the no ip host command to clear static entries. Example This example maps an IPv4 address to a host name. Console(config)#ip host rd5 192.168.1.55 Console(config)#end Console#show hosts No. Flag Type IP Address TTL Domain ---- ---- ------- -------------------- ----- -----------------------------0 2 Address 192.168.1.
Chapter 31 | Domain Name Service Commands DNS Commands 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (856) ip domain-lookup (855) ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry. Syntax [no] ipv6 host name ipv6-address name - Name of an IPv6 host. (Range: 1-127 characters) ipv6-address - Corresponding IPv6 address.
Chapter 31 | Domain Name Service Commands DNS Commands clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache No. Flag Type IP Address TTL Host ------- ------- ------- --------------- ------- -------Console# show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.
Chapter 31 | Domain Name Service Commands DNS Commands Table 174: show dns cache - display description Field Description No. The entry number for each resource record. Flag The flag is always “4” indicating a cache entry and therefore unreliable. Type This field includes “Host” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
Chapter 31 | Domain Name Service Commands Multicast DNS Commands Multicast DNS Commands ip mdns This command enables multicast DNS. Use the no form to disable this feature. Syntax [no] ip mdns Default Setting Disabled Command Mode Global Configuration Command Usage Use this command to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server. For more information on this command refer to the Web Management Guide.
32 DHCP Commands

These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface can be configured to automatically obtain an IPv4 address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 32 | DHCP Commands DHCP Client

DHCP for IPv4

ip dhcp dynamic-provision
This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.

Syntax
[no] ip dhcp dynamic-provision

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.
2. Define the conditions in class section:

class "OPT66_67" { # for option 66/67
    # option 124
    match if option vendor-class-identifier = "Edgecore";
    # option 55
    option dhcp-parameter-request-list 1,66,67;
    # option 66
    option tftp-server-name "192.168.1.1";
    # option 67
    option bootfile-name "dhcp_config.cfg";
}

shared-network Sample2 {
    subnet 192.168.1.0 netmask 255.255.255.0 {
    }
    pool {
        allow members of "OPT66_67";
        range 192.168.1.10 192.168.1.
Chapter 32 | DHCP Commands DHCP Client ◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return. ◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).
Chapter 32 | DHCP Commands DHCP Client ip dhcp restart client This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage ◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command. ◆ DHCP requires the server to reassign the client’s last address if available.
DHCP for IPv6

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.

Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-list

vlan-list - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Chapter 32 | DHCP Commands DHCP Client Default Setting None Command Mode Privileged Exec Command Usage ◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.
Chapter 32 | DHCP Commands DHCP Client Example The following command submits a client request on VLAN 1. Console#ipv6 dhcp restart client vlan 1 Console# Related Commands ipv6 address autoconfig (911) show ipv6 dhcp duid This command shows the DHCP Unique Identifier for this switch. Command Mode Privileged Exec Command Usage DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.
List of known servers:
  Server address : FE80::250:FCFF:FEF9:A494
  DUID : 0001-0001-48CFB0D5-F48F2A006801
  Server address : FE80::250:FCFF:FEF9:A405
  DUID : 0001-0001-38CF5AB0-F48F2A003917
Console#

Related Commands
ipv6 address (910)
DHCP Relay

This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.

Table 180: DHCP Relay Option 82 Commands

Command   Function   Mode
ip dhcp l2/l3 relay   Enables L2 or L3 DHCP Relay globally for the switch.
Chapter 32 | DHCP Commands DHCP Relay L2 -Configures the switch as an L2 DHCP Relay agent. L3 -Configures the switch as an L3 DHCP Relay agent. Default Setting L3 Command Mode Global Configuration Usage Guidelines Using the switch as an L3 DHCP Relay agent requires at least one connection to the client’s subnet plus a valid route to the DHCP Server’s network.
Chapter 32 | DHCP Commands DHCP Relay subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch). This switch then passes the DHCP response received from the server to the client. ◆ You must specify the IP address for at least one active DHCP server. Otherwise, the switch’s DHCP relay agent will not be able to forward client requests to a DHCP server. Up to five DHCP servers can be specified in order of preference.
Eth 1/1   Enabled
Eth 1/2   Enabled
……
Eth 1/52  Enabled
Console#

L2 DHCP Relay option settings

ip dhcp relay information option
Enables the option 82 information to be relayed when the switch is set as an L2 DHCP Relay agent. Use the no form of the command to disable relaying option 82 information (RFC3046).
Command Mode
Global Configuration

Usage Guidelines
◆ Use this command when the Type and Length fields do not need to be relayed as part of the CID and RID in the option 82 packets.

Example
Console(config)#ip dhcp relay information option encode no-subtype
Console(config)#

ip dhcp relay information policy
This command sets the Information 82 forwarding policy of the switch’s DHCP Relay service. Use the no form of the command to set the policy to the default setting.
Example
Console(config)#ip dhcp relay information policy keep
Console(config)#

ip dhcp relay port-enable
This command enables DHCP relay Information Option 82 for L2 relay on a port. Use the no form of the command to disable DHCP relay Information Option 82 for L2 relay on a port.
Chapter 32 | DHCP Commands DHCP Relay Example Console(config)#ip dhcp relay information option vlan add 1,3,5-10 Console(config)# DHCP Relay for IPv4 ip dhcp relay server This command specifies the DHCP server or relay server addresses to use. Use the no form to clear all addresses. Syntax ip dhcp relay server address1 [address2 [address3 ...]] no ip dhcp relay server address - IP address of DHCP server.
Chapter 32 | DHCP Commands DHCP Relay Example Console(config)#interface vlan 1 Console(config-if)#ip dhcp relay server 192.168.10.19 Console(config-if)# Related Commands ip dhcp restart relay (879) ip dhcp restart relay This command enables DHCP relay for the specified VLAN. Use the no form to disable it. Syntax ip dhcp restart relay Default Setting Disabled Command Mode Privileged Exec Command Usage This command is used to configure DHCP relay functions for host devices attached to the switch.
DHCP Relay for IPv6

ipv6 dhcp relay destination
This command specifies a DHCPv6 server or the VLAN to which client requests are forwarded, and also enables DHCPv6 relay service on this interface. Use the no form to disable this service.
Chapter 32 | DHCP Commands DHCP Relay ◆ Up to five relay destinations may be configured by repeating this command. ◆ When issuing the no ipv6 dhcp relay destination command without any arguments, the switch will delete all configured destination addresses and disable DHCP for IPv6 relay for all VLANs.
Chapter 32 | DHCP Commands DHCP Server DHCP Server This section describes commands used to configure client address pools for the DHCP service.
ip dhcp excluded-address
This command specifies IP addresses that the DHCP server should not assign to DHCP clients. Use the no form to remove the excluded IP addresses.

Syntax
[no] ip dhcp excluded-address low-address [high-address]

low-address - An excluded IP address, or the first IP address in an excluded address range.
high-address - The last IP address in an excluded address range.

Default Setting
All IP pool addresses may be assigned.
Chapter 32 | DHCP Commands DHCP Server Example Console(config)#ip dhcp pool R&D Console(config-dhcp)# Related Commands network (891) host (888) service dhcp This command enables the DHCP server on this switch. Use the no form to disable the DHCP server. Syntax [no] service dhcp Default Setting Enabled Command Mode Global Configuration Command Usage If the DHCP server is running, you must restart it to implement any configuration changes.
Chapter 32 | DHCP Commands DHCP Server Example Console(config-dhcp)#bootfile wme.bat Console(config-dhcp)# Related Commands next-server (892) client-identifier This command specifies the client identifier of a DHCP client. Use the no form to remove the client identifier. Syntax client-identifier {text text | hex hex} no client-identifier text - A text string. (Range: 1-32 characters) hex - The hexadecimal value.
Chapter 32 | DHCP Commands DHCP Server default-router This command specifies default routers for a DHCP pool. Use the no form to remove the default routers. Syntax default-router { address1 [address2] | bootfile filename} no default-router address1 - Specifies the IP address of the primary router. address2 - Specifies the IP address of an alternate router. bootfile filename - specifies the boot file name.
Chapter 32 | DHCP Commands DHCP Server Usage Guidelines ◆ If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names to IP addresses. ◆ Servers are listed in order of preference (starting with address1 as the most preferred server). Example Console(config-dhcp)#dns-server 10.1.1.253 192.168.3.19 Console(config-dhcp)# domain-name This command specifies the domain name for a DHCP client. Use the no form to remove the domain name.
• ethernet
• ieee802

Default Setting
If no type is specified, the default protocol is Ethernet.

Command Mode
DHCP Pool Configuration

Command Usage
This command identifies a DHCP or BOOTP client to bind to an address specified in the host command. BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.
Chapter 32 | DHCP Commands DHCP Server network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool. ◆ When searching for a manual binding, the switch compares the client identifier for DHCP clients, and then compares the hardware address for DHCP or BOOTP clients.
Chapter 32 | DHCP Commands DHCP Server Command Modes DHCP Pool Configuration Example The following example leases an address to clients using this pool for 7 days. Console(config-dhcp)#lease 7 Console(config-dhcp)# netbios-name-server This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft DHCP clients. Use the no form to remove the NetBIOS name server list.
Chapter 32 | DHCP Commands DHCP Server netbios-node-type This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type.
Chapter 32 | DHCP Commands DHCP Server the request was not forwarded by a relay server), the switch searches for a network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool. If no manually configured host address is found, it assigns an address from the matching network address pool. However, if no matching address pool is found the request is ignored.
Chapter 32 | DHCP Commands DHCP Server option 43 Use this command to enable option 43 which helps controller-based wireless access points associate with a wireless access point controller. Use the no form of the command to disable option 43. Syntax option 43 {ascii word | hex hex-value | ip-address address1[address2 [address3[ address 4]]]} ascii word - ASCII character string representing the Wireless Access Controllers (Range: 1-48 ASCII characters).
Command Mode
Privileged Exec

Usage Guidelines
◆ An address specifies the client’s IP address. If no IP address is specified, the DHCP server clears all automatic bindings.
◆ Use the no host command to delete a manual binding.
◆ This command is normally used after modifying the address pool, or after moving DHCP service to another device.

Example
show ip dhcp
This command displays DHCP address pools configured on the switch.

Command Mode
Privileged Exec

Example
Console#show ip dhcp
Name     Type IP Address      Mask            Active Pool
-------- ---- --------------- --------------- ------------------------------
tps      Net  192.168.1.0     255.255.255.0   192.168.1.1 - 192.168.1.254

Total entry : 1
Console#

show ip dhcp pool
This command displays the detailed configuration information of DHCP address pools on the switch.
33 IP Interface Commands

An IP Version 4 or Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
Chapter 33 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Chapter 33 | IP Interface Commands IPv4 Interface Command Usage ◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs. ◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets.
Chapter 33 | IP Interface Commands IPv4 Interface Related Commands ip dhcp restart client (867) ip default-gateway (900) ipv6 address (910) ip default-gateway This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No default gateway is established.
Chapter 33 | IP Interface Commands IPv4 Interface C 192.168.2.0/24 is directly connected, VLAN1 Console(config)# Related Commands ip address (898) ip route (946) ipv6 default-gateway (909) show ip interface This command displays the settings of an IPv4 interface.
Chapter 33 | IP Interface Commands IPv4 Interface show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
Chapter 33 | IP Interface Commands IPv4 Interface input errors 9897 output Console# traceroute This command shows the route packets take to the specified destination. Syntax traceroute host host - IP address or alias of the host. Default Setting None Command Mode Privileged Exec Command Usage ◆ Use the traceroute command to determine the path taken to reach a specified destination.
Example
Console#traceroute 192.168.0.99
Press "ESC" to abort.
Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
  1    20 ms   <10 ms   <10 ms 192.168.0.99
Trace completed.
Console#

ping
This command sends (IPv4) ICMP echo request packets to another node on the network.

Syntax
ping host [count count] [size size]

host - IP address or alias of the host.
Chapter 33 | IP Interface Commands IPv4 Interface ◆ When pinging a host name, be sure the DNS server has been defined (page 857) and host name-to-address translation enabled (page 855). If necessary, local devices can also be specified in the DNS static host table (page 856). Example Console#ping 10.1.0.9 Press ESC to abort. PING to 10.1.0.
Chapter 33 | IP Interface Commands IPv4 Interface Command Mode Global Configuration Command Usage ◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router. ◆ The maximum number of static entries allowed in the ARP cache is 128. ◆ You may need to put a static entry in the cache if there is no response to an ARP broadcast message.
Chapter 33 | IP Interface Commands IPv4 Interface ◆ Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables. Example Console(config)#interface vlan 3 Console(config-if)#ip proxy-arp Console(config-if)# clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Example This example clears all dynamic entries in the ARP cache.
Chapter 33 | IP Interface Commands IPv6 Interface Example This example displays all entries in the ARP cache. Console#show arp ARP Cache Timeout: 1200 (seconds) IP Address --------------10.1.0.0 10.1.0.254 10.1.0.255 145.30.20.
Table 186: IPv6 Configuration Commands (Continued)

Command   Function   Mode
traceroute6   Shows the route packets take to the specified host   PE

Neighbor Discovery
ipv6 nd dad attempts   Configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection   IC
ipv6 nd ns-interval   Configures the interval between IPv6 neighbor solicitation retransmissions on an interface   IC
ipv6 nd raguard   Blocks incomin
Chapter 33 | IP Interface Commands IPv6 Interface For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent. ◆ An IPv6 default gateway should be defined if the destination has been assigned an IPv6 address that is located in a different IP segment. ◆ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
command, or it can be automatically configured using the ipv6 address autoconfig command.
◆ If a link-local address has not yet been assigned to this interface, this command will assign the specified static global unicast address and also dynamically generate a link-local unicast address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.
Chapter 33 | IP Interface Commands IPv6 Interface Default Setting No IPv6 addresses are defined Command Mode Interface Configuration (VLAN) Command Usage ◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link local address for the interface.
Chapter 33 | IP Interface Commands IPv6 Interface ipv6 address eui-64 This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
Chapter 33 | IP Interface Commands IPv6 Interface globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35. ◆ This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device, as long as those interfaces are attached to different subnets.
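The modified EUI-64 construction described above, as an added Python example (not taken from the guide or the switch software). It builds the interface identifier from a MAC address and also recovers the MAC from an EUI-64 based address, which is useful when matching IPv6 addresses to hardware during an audit; the function names are illustrative, the first MAC is the one implied by the identifier 2A-9F-18-FF-FE-1C-82-35, and the sample addresses are copied from this chapter's command output.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit (second least significant bit of octet 0),
    # then insert FF-FE between the OUI and the device-specific half.
    flipped = octets[0] ^ 0x02
    return bytes([flipped]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def format_octets(data: bytes) -> str:
    """Render bytes in the hyphenated upper-case form used in the guide."""
    return "-".join(f"{b:02X}" for b in data)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a prefix of 64 bits or less with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("an EUI-64 interface ID needs a prefix of 64 bits or less")
    return net.network_address + int.from_bytes(mac_to_modified_eui64(mac), "big")


def mac_from_address(address: str):
    """Recover the MAC from an EUI-64 based address, or None if the low 64 bits
    do not carry the FF-FE marker. A manually chosen interface ID can contain
    FF-FE by coincidence, so treat the result as a lead to verify."""
    bare = address.split("/")[0].split("%")[0]   # drop prefix length and zone
    iid = ipaddress.IPv6Address(bare).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return format_octets(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    print(format_octets(mac_to_modified_eui64("28-9F-18-1C-82-35")))
    for sample in ("2001:db8:0:1:7272:cfff:fe83:3466/64",   # marked [EUI] in the guide
                   "2001:db8:2222:7272::72/96",            # manually assigned
                   "FE80::2E0:CFF:FE00:FC%1/64"):           # ping6 example target
        print(sample, "->", mac_from_address(sample))
```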
Chapter 33 | IP Interface Commands IPv6 Interface ipv6 address link-local This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface. Syntax ipv6 address ipv6-address link-local no ipv6 address [ipv6-address link-local] ipv6-address - The IPv6 address assigned to the interface.
Chapter 33 | IP Interface Commands IPv6 Interface ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
IPv6 is enabled
Link-local address:
  fe80::269:3ef9:fe19:6779%1/64
Global unicast address(es):
  2001:db8:0:1:7272:cfff:fe83:3466/64, subnet is 2001:db8:0:1::/64[EUI]
  2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
  ff02::1:ff19:6779
  ff02::1:ff00:72
  ff02::1:ff83:3466
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
Chapter 33 | IP Interface Commands IPv6 Interface ◆ All devices on the same physical medium must use the same MTU in order to operate correctly. ◆ IPv6 must be enabled on an interface before the MTU can be set. Example The following example sets the MTU for VLAN 1 to 1280 bytes: Console(config)#interface vlan 1 Console(config-if)#ipv6 mtu 1280 Console(config-if)# Related Commands show ipv6 mtu (920) jumbo frame (129) show ipv6 This command displays the current IPv6 default gateway.
Chapter 33 | IP Interface Commands IPv6 Interface Command Mode Privileged Exec Example This example displays all the IPv6 addresses configured for the switch. Console#show ipv6 interface VLAN 1 is up IPv6 is enabled.
Chapter 33 | IP Interface Commands IPv6 Interface Table 187: show ipv6 interface - display description (Continued) Field Description IPv6 Link MTU Maximum transmission unit for this interface (bytes). ND DAD Indicates whether (neighbor discovery) duplicate address detection is enabled. number of DAD attempts The number of consecutive neighbor solicitation messages sent on the interface during duplicate address detection.
Chapter 33 | IP Interface Commands IPv6 Interface Table 188: show ipv6 mtu - display description* Field Description MTU Adjusted MTU contained in the ICMP packet-too-big message returned from this destination, and now used for all traffic sent along this path. Since Time since an ICMP packet-too-big message was received from this destination. Destination Address Address which sent an ICMP packet-too-big message. * No information is displayed if an IPv6 address has not been assigned to the switch.
Chapter 33 | IP Interface Commands IPv6 Interface neighbor advertisement messages redirect messages group membership query messages group membership response messages group membership reduction messages ICMPv6 sent 6 output destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages 3 router solicit messages router advertisement messages 3 neighbor solicit messages neighbor advertisement messages redirect messages group
Chapter 33 | IP Interface Commands IPv6 Interface Table 189: show ipv6 traffic - display description (Continued) Field Description discards The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly. delivers The total number of datagrams successfully delivered to IPv6 userprotocols (including ICMP).
Chapter 33 | IP Interface Commands IPv6 Interface Table 189: show ipv6 traffic - display description (Continued) Field Description ICMPv6 Statistics ICMPv6 received input The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.
Chapter 33 | IP Interface Commands IPv6 Interface Table 189: show ipv6 traffic - display description (Continued) Field Description echo reply messages The number of ICMP Echo Reply messages sent by the interface. router solicit messages The number of ICMP Router Solicitation messages sent by the interface. router advertisement messages The number of ICMP Router Advertisement messages sent by the interface.
Chapter 33 | IP Interface Commands IPv6 Interface ping6 This command sends (IPv6) ICMP echo request packets to another node on the network. Syntax ping6 {ipv6-address | host-name} [count count] [size size] ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 3
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 4
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 5
Ping statistics for FE80::2E0:CFF:FE00:FC%1/64:
 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
 Minimum = 0 ms, Maximum = 20 ms, Average = 4 ms
Console#

traceroute6
This command shows the route packets take to the specified destination.
Chapter 33 | IP Interface Commands IPv6 Interface prints a series of asterisks and the “Request Timed Out” message. A long sequence of these messages, terminating only when the maximum timeout has been reached, may indicate this problem with the target device. Example Console#traceroute6 FE80::2E0:CFF:FE9C:CA10%1 Press "ESC" to abort. Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination.
Chapter 33 | IP Interface Commands IPv6 Interface ◆ An interface that is re-activated restarts duplicate address detection for all unicast IPv6 addresses on the interface. While duplicate address detection is performed on the interface’s link-local address, the other IPv6 addresses remain in a “tentative” state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses.
Chapter 33 | IP Interface Commands IPv6 Interface ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value. Syntax ipv6 nd ns-interval milliseconds no ipv6 nd ns-interval milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
Chapter 33 | IP Interface Commands IPv6 Interface ff02::1:ff00:0 ff02::1:ff00:72 ff02::1:ff02:fd ff02::1:2 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 5.
Chapter 33 | IP Interface Commands IPv6 Interface show ipv6 nd raguard This command displays the configuration setting for RA Guard. Syntax show ipv6 nd raguard [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 33 | IP Interface Commands IPv6 Interface soliciting node with a neighbor advertisement message to become a confirmed neighbor, after which the reachable timer will be considered in effect for subsequent unicast IPv6 layer communications. ◆ This time limit is included in all router advertisements sent out through an interface, ensuring that nodes on the same link use the same time value. ◆ Setting the time limit to 0 means that the configured time is unspecified by this router.
Chapter 33 | IP Interface Commands IPv6 Interface Default Setting All IPv6 neighbor discovery cache entries are displayed.
Related Commands
show mac-address-table (508)

ND Snooping

Neighbor Discovery (ND) Snooping maintains an IPv6 prefix table and user address binding table. These tables can be used for stateless address auto-configuration or for address filtering by IPv6 Source Guard. ND snooping maintains a binding table in the process of neighbor discovery. When it receives a Neighbor Solicitation (NS) packet from a host, it creates a new binding.
Chapter 33 | IP Interface Commands ND Snooping Table 191: ND Snooping Commands (Continued) Command Function Mode show ipv6 nd snooping Shows configuration settings for ND snooping PE show ipv6 nd snooping binding Shows entries in the binding table PE show ipv6 nd snooping prefix Show entries in the prefix table PE ipv6 nd snooping This command enables ND snooping globally or on a specified VLAN or range of VLANs. Use the no form to disable this feature.
Chapter 33 | IP Interface Commands ND Snooping ■ If an NS message is received on an untrusted interface, and the address prefix does not match any entry in the prefix table, it drops the packet. ■ If the message does match an entry in the prefix table, it adds an entry to the dynamic user binding table after a fixed delay, and forwards the packet.
Example
Console(config)#ipv6 nd snooping auto-detect
Console(config)#

ipv6 nd snooping auto-detect retransmit count
This command sets the number of times the auto-detection process sends an NS message to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.
Chapter 33 | IP Interface Commands ND Snooping Command Mode Global Configuration Command Usage The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count (see the ipv6 nd snooping autodetect retransmit count command) x the retransmit interval. Based on the default settings, this is 3 seconds.
ipv6 nd snooping max-binding
This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default setting.

Syntax
ipv6 nd snooping max-binding max-bindings
no ipv6 nd snooping max-binding

max-bindings – The maximum number of address entries in the dynamic user binding table which can be bound to a port.
Chapter 33 | IP Interface Commands ND Snooping Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 nd snooping trust Console(config-if)# clear ipv6 nd This command clears all entries in the dynamic user address binding table.
Command Mode
Privileged Exec

Example
Console#show ipv6 nd snooping
Global ND Snooping status: enabled
ND Snooping auto-detection: disabled
ND Snooping auto-detection retransmit count: 3
ND Snooping auto-detection retransmit interval: 1 (second)
ND Snooping is configured on the following VLANs:
VLAN 1,
Interface Trusted Max-binding
--------- ------- -----------
Eth 1/1   Yes     1
Eth 1/2   No      5
Eth 1/3   No      5
Eth 1/4   No      5
Eth 1/5   No      5
. . .
Prefix                                 Len Valid-Time Expire     VLAN Interface
-------------------------------------- --- ---------- ---------- ---- ---------
2001:b000::                            64  2592000    100        1    Eth 1/1
2001::                                 64  600        34         2    Eth 1/2
Console#
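The NS handling rule for untrusted interfaces described in this section, as an added Python model (not the switch's own logic and not part of the guide). It uses the port settings and prefix table from the show output above; matching prefixes per VLAN, passing messages on trusted ports unchecked, forwarding an already-bound address, and creating no binding once max-binding is reached are assumptions of this model, and the fixed delay before a binding is added is not modelled.

```python
import ipaddress


class NdSnoopingModel:
    """Simplified model of ND snooping's prefix check and per-port binding limit."""

    def __init__(self):
        self.ports = {}         # port name -> {"trusted": bool, "max_binding": int}
        self.prefix_table = []  # (vlan, IPv6Network) learned by snooping
        self.bindings = {}      # port name -> set of (vlan, IPv6Address)

    def add_port(self, name, trusted=False, max_binding=5):
        self.ports[name] = {"trusted": trusted, "max_binding": max_binding}
        self.bindings[name] = set()

    def add_prefix(self, vlan, prefix):
        self.prefix_table.append((vlan, ipaddress.IPv6Network(prefix)))

    def handle_ns(self, port, vlan, address):
        """Return the verdict for a Neighbor Solicitation seen on a port."""
        cfg = self.ports[port]
        addr = ipaddress.IPv6Address(address)
        if cfg["trusted"]:
            # Assumption: the rule in the guide covers untrusted interfaces only.
            return "not-filtered"
        # Guide: no matching entry in the prefix table means the packet is dropped.
        # Assumption: the prefix must have been learned on the same VLAN.
        if not any(v == vlan and addr in net for v, net in self.prefix_table):
            return "drop"
        bound = self.bindings[port]
        if (vlan, addr) in bound:
            return "forward"    # assumption: an existing binding is simply kept
        if len(bound) >= cfg["max_binding"]:
            # The guide sets a per-port cap but this excerpt does not say what
            # happens to the packet, so the model only reports that no binding
            # was created.
            return "limit-reached"
        bound.add((vlan, addr))
        return "forward+bind"   # guide: add a dynamic binding and forward


def build_sample():
    """Ports and prefixes copied from the show output in this section."""
    model = NdSnoopingModel()
    model.add_port("Eth 1/1", trusted=True, max_binding=1)
    model.add_port("Eth 1/2", trusted=False, max_binding=5)
    model.add_prefix(1, "2001:b000::/64")
    model.add_prefix(2, "2001::/64")
    return model


if __name__ == "__main__":
    model = build_sample()
    # Constructed NS messages: (port, vlan, solicited address)
    for msg in [("Eth 1/2", 2, "2001::10"), ("Eth 1/2", 2, "2001:db8::10"),
                ("Eth 1/2", 1, "2001::10"), ("Eth 1/1", 1, "2001:db8::1")]:
        print(msg, "->", model.handle_ns(*msg))
```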
28 IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
Chapter 28 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask next-hop | *} destination-ip – IP address of the destination network, subnetwork, or host. netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
Chapter 28 | IP Routing Commands Global Routing Configuration show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | static | summary] connected – Displays all currently connected entries. database – All known routes, including inactive routes. See show ip route database. static – Displays all static entries.
Chapter 28 | IP Routing Commands Global Routing Configuration C 192.168.2.0/24 is directly connected, VLAN1 Console# The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes. The RIB contains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base (see Command Usage under the show ip route command).
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

C    *> 127.0.0.0/8 is directly connected, lo0
C    *> 192.168.1.0/24 is directly connected, VLAN1
Console#

show ip route
This command displays summary information for the routing table.
Chapter 28 | IP Routing Commands
Routing Information Protocol (RIP)

errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect messages
timestamp request messages
timestamp reply messages
source quench messages
address mask request messages
address mask reply messages
ICMP sent
output errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect mess
Table 194: Routing Information Protocol Commands (Continued)

Command             Mode   Function
passive-interface   RC     Stops RIP from sending routing updates on the specified interface
redistribute        RC     Redistribute routes from one routing domain to another
timers basic        RC     Sets basic timers, including update, timeout, garbage collection
version             RC     Specifies the RIP version to use on all network interfaces (if not already specified with a recei
Related Commands
network (955)

default-information originate
This command generates a default external route into the local RIP autonomous system. Use the no form to disable this feature.

Syntax
[no] default-information originate

Default Setting
Disabled

Command Mode
Router Configuration

Command Usage
This command sets a default route for every Layer 3 interface where RIP is enabled.
Command Usage
◆ This command does not override the metric value set by the redistribute command. When a metric value has not been configured by the redistribute command, the default-metric command sets the metric value to be used for all imported external routes.
◆ The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
Command Mode
Router Configuration

Command Usage
◆ Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols. A smaller administrative distance indicates a more reliable protocol.
◆ The administrative distance is applied to all routes learned for the specified network.

Example
Console(config-router)#distance 2 192.
neighbor
This command defines a neighboring router with which this router will exchange routing information. Use the no form to remove an entry.

Syntax
[no] neighbor ip-address

ip-address - IP address of a neighboring router.

Default Setting
No neighbors are defined.
Command Usage
◆ RIP only sends and receives updates on interfaces specified by this command. If a network is not specified, the interfaces in that network will not be advertised in any RIP updates.
◆ Subnet addresses are interpreted as class A, B or C, based on the first field in the specified address. In other words, if a subnet address nnn.xxx.xxx.
Example
Console(config-router)#passive-interface vlan 1
Console(config-router)#

Related Commands
neighbor (955)

redistribute
This command imports external routing information from other routing domains (that is, directly connected routes, protocols, or static routes) into the autonomous system. Use the no form to disable this feature.
Example
This example redistributes static routes and sets the metric for all of these routes to a value of 3.
Console(config-router)#redistribute static metric 3
Console(config-router)#

Related Commands
default-metric (952)

timers basic
This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults.
◆ Setting the update timer to a short interval can cause the router to spend an excessive amount of time processing updates.
◆ These timers must be set to the same values for all routers in the network.

Example
This example sets the update timer to 40 seconds. The timeout timer is subsequently set to 240 seconds, and the garbage-collection timer to 160 seconds.
Related Commands
ip rip receive version (961)
ip rip send version (963)

ip rip authentication mode
This command specifies the type of authentication that can be used for RIPv2 packets. Use the no form to restore the default value.

Syntax
ip rip authentication mode {md5 | text}
no ip rip authentication mode

md5 - Message Digest 5 (MD5) authentication
text - Indicates that a simple password will be used.
ip rip authentication string
This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key.

Syntax
ip rip authentication string key-string
no ip rip authentication string

key-string - A password used for authentication.
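An added example, not part of the guide: a small Python audit that checks the two authentication commands above, per VLAN interface, in a saved configuration. The configuration excerpt is constructed, its layout (indented commands under `interface vlan N`, `!` closing a block) is an assumption, and the function names are hypothetical.

```python
# Constructed running-config excerpt (not from the guide); the layout is assumed.
SAMPLE_CONFIG = """\
interface vlan 1
 ip rip authentication mode text
 ip rip authentication string example-key-1
!
interface vlan 2
 ip rip authentication mode md5
!
interface vlan 3
 ip rip authentication mode md5
 ip rip authentication string example-key-3
 ip rip send version 1
!
interface vlan 4
 ip rip authentication mode md5
 ip rip authentication string example-key-4
!
"""

def parse_rip_interfaces(config):
    """Collect the 'ip rip' settings under each 'interface vlan N' block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["interface", "vlan"] and len(words) == 3 and words[2].isdigit():
            current = interfaces.setdefault(int(words[2]), {})
        elif raw[:1].strip():  # "!" or any other top-level line ends the block
            current = None
        elif current is not None and len(words) == 5 and words[:2] == ["ip", "rip"]:
            if words[2] in ("authentication", "send"):
                # Record that a key exists, never the key value itself.
                current[f"{words[2]} {words[3]}"] = words[3] == "string" or words[4]
    return interfaces

def audit_rip_auth(config):
    """Return (vlan, issue) pairs for weak or incomplete RIP authentication."""
    findings = []
    for vlan, s in sorted(parse_rip_interfaces(config).items()):
        mode = s.get("authentication mode")
        if mode == "text":
            findings.append((vlan, "text mode uses a simple password; prefer md5"))
        if mode == "md5" and not s.get("authentication string"):
            findings.append((vlan, "md5 mode set without an authentication string"))
        if mode and s.get("send version") == "1":
            findings.append((vlan, "authentication is for RIPv2 packets, but interface sends RIPv1"))
    return findings

if __name__ == "__main__":
    print(*audit_rip_auth(SAMPLE_CONFIG), sep="\n")
```

The parser assumes key strings contain no spaces; VLAN 4 in the sample is the clean case and produces no finding.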
Default Setting
RIPv1 and RIPv2 packets

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ Use this command to override the global setting specified by the RIP version command.
◆ You can specify the receive version based on these options:
  ■ Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2, respectively.
Command Usage
Use the no form of this command if it is not required to add any dynamic entries to the routing table for an interface. For example, when only static routes are to be allowed for a specific interface.

Example
Console(config)#interface vlan 1
Console(config-if)#ip rip receive-packet
Console(config-if)#

Related Commands
ip rip send-packet (964)

ip rip send version
This command specifies a RIP version to send on an interface.
Example
This example sets the interface version for VLAN 1 to send RIPv1 packets.
Console(config)#interface vlan 1
Console(config-if)#ip rip send version 1
Console(config-if)#

Related Commands
version (959)

ip rip send-packet
This command configures the interface to send RIP packets. Use the no form to disable this feature.
Command Mode
Interface Configuration (VLAN)

Default Setting
split-horizon poisoned

Command Usage
◆ Split horizon never propagates routes back to an interface from which they have been acquired.
◆ Poison reverse propagates routes back to an interface port from which they have been acquired, but sets the distance-vector metrics to infinity. (This provides faster convergence.
Command Usage
Using this command with the “all” parameter clears the RIP table of all routes. To avoid deleting the entire RIP network, use the redistribute connected command to make the RIP network a connected route. To delete the RIP routes learned from neighbors and also keep the RIP network intact, use the “rip” parameter with this command (clear ip rip route rip).

Example
This example clears one specific route.
Section III Appendices

This section provides additional information and includes these items:
◆ “Troubleshooting” on page 969
◆ “License Information” on page 971
A Troubleshooting

Problems Accessing the Management Interface

Table 195: Troubleshooting Chart

Symptom: Cannot connect using Telnet, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.

Symptom: Cannot connect using Secure Shell
Appendix A | Troubleshooting

Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
B License Information

This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix B | License Information
The GNU General Public License

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
List of Commands aaa accounting commands 245 aaa accounting dot1x 246 aaa accounting exec 247 aaa accounting update 248 aaa authorization commands 248 aaa authorization exec 249 aaa group server 250 absolute 181 access-list arp 396 access-list ip 378 access-list ipv6 384 access-list mac 390 accounting commands 252 accounting dot1x 251 accounting exec 252 arp 905 authentication enable 234 authentication login 235 authorization commands 253 authorization exec 253 auto-traffic-control 475 auto-traffic-control
control-vlan 612 copy 132 databits 145 default-information originate 952 default-metric 952 default-router 886 delete 136 delete public-key 267 description 651 description 404 dir 137 disable 98 discard 405 disconnect 152 distance 953 dns-server 886 domain-name 887 dot1q-tunnel system-tunnel-control 569 dot1q-tunnel tpid 570 dot1x default 272 dot1x eapol-pass-through 272 dot1x intrusion-action 274 dot1x max-reauth-req 274 dot1x max-req 275 dot1x operation-mode 276 dot1x port-control 277 do
ip dhcp relay server 878 ip dhcp restart client 867 ip dhcp restart relay 879 ip dhcp snooping 323 ip dhcp snooping max-number 333 ip dhcp snooping database flash 335 ip dhcp snooping information option 325 ip dhcp snooping information option carry-to-client 331 ip dhcp snooping information option circuit-id 332 ip dhcp snooping information option encode no-subtype 326 ip dhcp snooping information option remote-id 327 ip dhcp snooping information option tr101 board-id 328 ip dhcp snooping
ipv6 mld query-drop 722 ipv6 mld snooping 701 ipv6 mld snooping proxy-reporting 702 ipv6 mld snooping querier 702 ipv6 mld snooping query-interval 703 ipv6 mld snooping query-max-response-time 703 ipv6 mld snooping robustness 704 ipv6 mld snooping router-port-expire-time 705 ipv6 mld snooping unknown-multicast mode 705 ipv6 mld snooping unsolicited-report-interval 706 ipv6 mld snooping version 707 ipv6 mld snooping vlan immediate-leave 707 ipv6 mld snooping vlan mrouter 708 ipv6 mld snoopi
maximum-prefix 954 media-type 407 meg-level 611 memory 211 mep archive-hold-time 822 mep crosscheck mpid 826 mep fault-notify alarm-time 835 mep fault-notify lowest-priority 835 mep fault-notify reset-time 837 mep-monitor 617 mgmt 102 mgmt loglevel 102 mgmt property 105 mgmt setoption 103 mgmt upgrade 105 mst priority 531 mst vlan 531 mvr 727 mvr associated-profile 727 mvr domain 728 mvr immediate-leave 734 mvr profile 729 mvr proxy-query-interval 729 mvr proxy-switching 730 mvr robustness
pppoe intermediate-agent vendor-tag strip 291 primary-port 515 privilege 233 process cpu 211 process cpu guard 212 prompt 93 propagate-tc 619 protocol-vlan protocol-group (Configuring Groups) 586 protocol-vlan protocol-group (Configuring Interfaces) 586 qos map cos-queue 642 qos map dscp-queue 644 qos map trust-mode 645 queue mode 638 queue weight 639 quit 96 radius-server acct-port 236 radius-server auth-port 237 radius-server host 237 radius-server key 238 radius-server retransmit 239 ra
show ip arp inspection configuration 368 show ip arp inspection interface 368 show ip arp inspection log 369 show ip arp inspection statistics 369 show ip arp inspection vlan 370 show ip dhcp 895 show ip dhcp binding 894 show ip dhcp dynamic-provision 867 show ip dhcp pool 895 show ip dhcp relay 874 show ip dhcp snooping 336 show ip dhcp snooping binding 336 show ip igmp authentication 695 show ip igmp filter 696 show ip igmp igmp-with-pppoe 697 show ip igmp query-drop 698 show ip igmp sno
show ntp statistics peer 173 show ntp status 172 show policy-map 659 show policy-map interface 659 show port monitor 459 show port security 300 show port-channel load-balance 446 show power inline status 454 show power inline time-range 455 show power mainpower 456 show power-save 432 show pppoe intermediate-agent info 292 show pppoe intermediate-agent statistics 293 show privilege 233 show process cpu 120 show process cpu guard 120 show process cpu task 121 show protocol-vlan protocol-gro
spanning-tree hello-time 524 spanning-tree link-type 537 spanning-tree loopback-detection 538 spanning-tree loopback-detection action 538 spanning-tree loopback-detection release 546 spanning-tree loopback-detection release-mode 539 spanning-tree loopback-detection trap 540 spanning-tree max-age 525 spanning-tree mode 525 spanning-tree mst configuration 527 spanning-tree mst cost 541 spanning-tree mst port-priority 542 spanning-tree pathcost method 527 spanning-tree port-bpdu-flooding 543