ECS4110-28T/28P/52T/52P 28/52-Port Gigabit Ethernet Layer 2+ Switch Management Guide www.edge-core.
MANAGEMENT GUIDE ECS4110-28T GIGABIT ETHERNET SWITCH Layer 2+ Managed Switch with 24 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit SFP Ports ECS4110-28P GIGABIT ETHERNET POE SWITCH Layer 2+ Managed Switch with 24 10/100/1000BASE-T (RJ-45) PoE Ports, and 4 Gigabit SFP Ports ECS4110-52T GIGABIT ETHERNET SWITCH Layer 2+ Managed Switch with 48 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit SFP Ports ECS4110-52P GIGABIT ETHERNET POE SWITCH Layer 2+ Managed Switch with 48 10/100/1000BASE-T (RJ-45) PoE Ports
ABOUT THIS GUIDE

PURPOSE This guide gives specific information on how to operate and use the management functions of the switch.

AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).

REVISION HISTORY This section summarizes the changes in each revision of this guide.

JULY 2014 RELEASE This is the second version of this guide. This guide is valid for software release v1.1.2.0. It includes information on the following changes:
◆ Adds information for the ECS4110-28T and ECS4110-28P.
◆ Updated information in Table 1, "Key Features," on page 75.
◆ Updated information under "Description of Software Features" on page 76.
◆ Updated the parameter list under "Configuring AAA Accounting" on page 317.
◆ Updated the parameter list under "Configuring AAA Authorization" on page 323.
◆ Updated description of the Access Level parameter under "Configuring User Accounts" on page 326.
◆ Added the section "Setting a Time Range" on page 353.
◆ Updated description of Source Address Type and Destination Address Type parameters under "Configuring an Extended IPv6 ACL" on page 365.
◆ Added the sections "Filtering IGMP Query Packets and Multicast Data" on page 584 and "Displaying IGMP Snooping Statistics" on page 586.
◆ Added the section "MLD Snooping (Snooping and Query for IPv6)" on page 595.
◆ Added the section "Configuring MVR Global Settings" on page 605.
◆ Updated the parameter list under "Configuring MVR Domain Settings" on page 607.
◆ Added the section "Configuring MVR Group Address Profiles" on page 608.
◆ Added the commands "clock summer-time (date)" on page 777, "clock summer-time (predefined)" on page 778, and "clock summer-time (recurring)" on page 779.
◆ Updated syntax for the command "snmp-server enable traps" on page 798.
◆ Added the commands "snmp-server enable port-traps mac-notification" on page 801 and "show snmp-server enable port-traps" on page 802.
◆ Updated description of syntax for the commands "enable password" on page 824 and "username" on page 825.
◆ Added allow-zeros parameter to the command "ip arp inspection validate" on page 952.
◆ Added new commands under the section "Denial of Service Protection" on page 957.
◆ Added new commands under the section "Port-based Traffic Segmentation" on page 963.
◆ Added counter parameter to the commands "ip access-group" on page 975, "ipv6 access-group" on page 981, and "mac access-group" on page 987.
◆ Updated syntax for the command "permit, deny (MAC ACL)" on page 984.
◆ Included information for configuring a Layer 3 interface with the command "interface vlan" on page 1157.
◆ Added the command "switchport dot1q-tunnel service match cvid" on page 1168.
◆ Updated syntax for the command "show dot1q-tunnel" on page 1171.
◆ Added the section "Configuring L2CP Tunneling" on page 1172.
◆ Added the section "Configuring VLAN Translation" on page 1176.
◆ Added the command "traceroute6" on page 1450.
◆ Added the commands "ipv6 nd dad attempts" on page 1452, "ipv6 nd raguard" on page 1454, "show ipv6 nd raguard" on page 1456, and "ipv6 nd reachable-time" on page 1455.
◆ Added the section "ND Snooping" on page 1458.
◆ Added the chapter "IP Routing Commands" on page 1467.

JANUARY 2013 RELEASE This is the first version of this guide. This guide is valid for software release v1.0.0.0.
CONTENTS ABOUT THIS GUIDE 5 CONTENTS 13 FIGURES 51 TABLES 65 SECTION I GETTING STARTED 1 INTRODUCTION 75 Key Features 75 Description of Software Features 76 System Defaults 82 2 INITIAL SWITCH CONFIGURATION 85 Connecting to the Switch 85 Configuration Options 85 Required Connections 86 Remote Connections 87 Basic Configuration 87 Console Connection 87 Setting Passwords 88 Setting an IP Address 89 Downloading a Configuration File Referenced by a DHCP Server 95 Enabling S
Navigating the Web Browser Interface 104 Home Page 104 Configuration Options 105 Panel Display 105 Main Menu 106 4 BASIC MANAGEMENT TASKS 123 Displaying System Information 123 Displaying Hardware/Software Versions 125 Configuring Support for Jumbo Frames 126 Displaying Bridge Extension Capabilities 127 Managing System Files 129 Copying Files via FTP/TFTP or HTTP 129 Saving the Running Configuration to a Local File 131 Setting the Start-Up File 132 Showing System Files
Configuring Transceiver Thresholds 172 Performing Cable Diagnostics 174 Trunk Configuration 176 Configuring a Static Trunk 177 Configuring a Dynamic Trunk 179 Displaying LACP Port Counters 185 Displaying LACP Settings and Status for the Local Side 187 Displaying LACP Settings and Status for the Remote Side 188 Configuring Load Balancing 189 Saving Power 191 Traffic Segmentation 193 Enabling Traffic Segmentation 193 Configuring Uplink and Downlink Ports 194 VLAN Trunking
8 SPANNING TREE ALGORITHM 239 Overview 239 Configuring Loopback Detection 242 Configuring Global Settings for STA 243 Displaying Global Settings for STA 249 Configuring Interface Settings for STA 250 Displaying Interface Settings for STA 254 Configuring Multiple Spanning Trees 257 Configuring Interface Settings for MSTP 261 9 CONGESTION CONTROL 263 Rate Limiting 263 Storm Control 264 Automatic Traffic Control 266 Setting the ATC Timers 268 Configuring ATC Thresholds and
13 SECURITY MEASURES 309 AAA Authentication, Authorization and Accounting 310 Configuring Local/Remote Logon Authentication 311 Configuring Remote Logon Authentication Servers 312 Configuring AAA Accounting 317 Configuring AAA Authorization 323 Configuring User Accounts 326 Web Authentication 328 Configuring Global Settings for Web Authentication 329 Configuring Interface Settings for Web Authentication 330 Network Access (MAC Address Authentication) 331 Configuring Global Se
ARP Inspection 375 Configuring Global Settings for ARP Inspection 376 Configuring VLAN Settings for ARP Inspection 378 Configuring Interface Settings for ARP Inspection 380 Displaying ARP Inspection Statistics 381 Displaying the ARP Inspection Log 382 Filtering IP Addresses for Management Access 383 Configuring Port Security 385 Configuring 802.1X Port Authentication 387 Configuring 802.1X Global Settings 389 Configuring Port Authenticator Settings for 802.
Displaying LLDP Local Device Information 435 Displaying LLDP Remote Device Information 438 Displaying Device Statistics 446 Power over Ethernet 448 Setting the Switch’s Overall PoE Power Budget 449 Setting the Port PoE Power Budget 450 Simple Network Management Protocol 452 Configuring Global Settings for SNMP 454 Setting the Local Engine ID 456 Specifying a Remote Engine ID 457 Setting SNMPv3 Views 458 Configuring SNMPv3 Groups 461 Setting Community Access Strings 466 Co
Configuring Maintenance End Points 537 Configuring Remote Maintenance End Points 538 Transmitting Link Trace Messages 540 Transmitting Loop Back Messages 542 Transmitting Delay-Measure Requests 544 Displaying Local MEPs 546 Displaying Details for Local MEPs 547 Displaying Local MIPs 548 Displaying Remote MEPs 549 Displaying Details for Remote MEPs 550 Displaying the Link Trace Cache 552 Displaying Fault Notification Settings 554 Displaying Continuity Check Errors 555 OAM
Setting Immediate Leave Status for MLD Snooping per Interface 597 Specifying Static Interfaces for an IPv6 Multicast Router 598 Assigning Interfaces to IPv6 Multicast Services 600 Showing MLD Snooping Groups and Source List 602 Multicast VLAN Registration for IPv4 603 Configuring MVR Global Settings 605 Configuring MVR Domain Settings 607 Configuring MVR Group Address Profiles 608 Configuring MVR Interface Status 611 Assigning Static MVR Multicast Groups to Interfaces 614 Displ
Displaying the DNS Cache Dynamic Host Configuration Protocol 669 Specifying a DHCP Client Identifier 669 Configuring DHCP Relay Service 671 Configuring the PPPoE Intermediate Agent 672 Configuring PPPoE IA Global Settings 672 Configuring PPPoE IA Interface Settings 674 Showing PPPoE IA Statistics 676 18 GENERAL IP ROUTING 679 Overview 679 Initial Configuration 679 IP Routing and Switching 680 Routing Path Management 681 Routing Protocols 682 Configuring IP Routing Interface
Getting Help on Commands 700 Partial Keyword Lookup 702 Negating the Effect of Commands 702 Using Command History 702 Understanding Command Modes 702 Exec Commands 703 Configuration Commands 703 Command Line Processing 705 Output Modifiers 706 CLI Command Groups 706 20 GENERAL COMMANDS 709 prompt 709 reload (Global Configuration) 710 enable 711 quit 712 show history 712 configure 713 disable 714 reload (Privileged Exec) 714 show reload 715 end 715 exit 71
banner configure note 726 show banner 727 System Status 727 show access-list tcam-utilization 728 show memory 728 show process cpu 729 show running-config 729 show startup-config 731 show system 732 show tech-support 732 show users 733 show version 734 show watchdog 734 watchdog software 735 Frame Size 735 jumbo frame 735 File Management 736 General Commands 737 boot system 737 copy 738 delete 741 dir 742 whichboot 743 Automatic Code Upgrade Commands
login 751 parity 752 password 752 password-thresh 753 silent-time 754 speed 754 stopbits 755 timeout login response 756 disconnect 756 terminal 757 show line 758 Event Logging 759 logging facility 759 logging history 760 logging host 761 logging on 761 logging trap 762 clear log 763 show log 763 show logging 764 SMTP Alerts 766 logging sendmail 766 logging sendmail host 766 logging sendmail level 767 logging sendmail destination-email 768 logging s
ntp client 774 ntp server 775 show ntp 776 Manual Configuration Commands 777 clock summer-time (date) 777 clock summer-time (predefined) 778 clock summer-time (recurring) 779 clock timezone 780 calendar set 781 show calendar 782 Time Range 782 time-range 783 absolute 783 periodic 784 show time-range 785 Switch Clustering 786 cluster 787 cluster commander 787 cluster ip-pool 788 cluster member 789 rcommand 789 show cluster 790 show cluster members 790 s
SNMPv3 Commands 803 snmp-server engine-id 803 snmp-server group 804 snmp-server user 805 snmp-server view 806 show snmp engine-id 807 show snmp group 808 show snmp user 809 show snmp view 810 Notification Log Commands 810 nlm 810 snmp-server notify-filter 811 show nlm oper-status 812 show snmp notify-filter 813 Additional Trap Commands 813 memory 813 process cpu 814 23 REMOTE MONITORING COMMANDS 815 rmon alarm 816 rmon event 817 rmon collection history 818
RADIUS Client 830 radius-server acct-port 830 radius-server auth-port 831 radius-server host 831 radius-server key 832 radius-server retransmit 833 radius-server timeout 833 show radius-server 834 TACACS+ Client 834 tacacs-server host 835 tacacs-server key 835 tacacs-server port 836 tacacs-server retransmit 836 tacacs-server timeout 837 show tacacs-server 837 AAA 838 aaa accounting commands 838 aaa accounting dot1x 839 aaa accounting exec 840 aaa accounting upd
ip telnet server 852 show ip telnet 852 Secure Shell 853 ip ssh authentication-retries 856 ip ssh server 856 ip ssh server-key size 857 ip ssh timeout 857 delete public-key 858 ip ssh crypto host-key generate 858 ip ssh crypto zeroize 859 ip ssh save host-key 860 show ip ssh 860 show public-key 861 show ssh 862 802.
dot1x timeout held-period 874 dot1x timeout start-period 875 Information Display Commands 875 show dot1x 875 Management IP Filter 878 management 878 show management 879 PPPoE Intermediate Agent 880 pppoe intermediate-agent 881 pppoe intermediate-agent format-type 881 pppoe intermediate-agent port-enable 882 pppoe intermediate-agent port-format-type 883 pppoe intermediate-agent trust 884 pppoe intermediate-agent vendor-tag strip 884 clear pppoe intermediate-agent statistic
network-access port-mac-filter 905 mac-authentication intrusion-action 905 mac-authentication max-mac-count 906 clear network-access 906 show network-access 907 show network-access mac-address-table 908 show network-access mac-filter 909 Web Authentication 909 web-auth login-attempts 910 web-auth quiet-period 911 web-auth session-timeout 911 web-auth system-auth-control 912 web-auth 912 web-auth re-authenticate (Port) 913 web-auth re-authenticate (IP) 913 show web-aut
ipv6 dhcp snooping vlan 931 ipv6 dhcp snooping max-binding 932 ipv6 dhcp snooping trust 932 clear ipv6 dhcp snooping binding 933 clear ipv6 dhcp snooping database flash 934 show ipv6 dhcp snooping 934 show ipv6 dhcp snooping binding 935 show ipv6 dhcp snooping statistics 935 IPv4 Source Guard 936 ip source-guard binding 936 ip source-guard 938 ip source-guard max-binding 939 ip source-guard mode 940 clear ip source-guard binding blocked 941 show ip source-guard 941 sh
Denial of Service Protection 957 dos-protection echo-chargen 958 dos-protection smurf 958 dos-protection tcp-flooding 959 dos-protection tcp-null-scan 959 dos-protection tcp-syn-fin-scan 960 dos-protection tcp-udp-port-zero 960 dos-protection tcp-xmas-scan 961 dos-protection udp-flooding 961 dos-protection win-nuke 962 show dos-protection 962 Port-based Traffic Segmentation 963 traffic-segmentation 963 traffic-segmentation session 964 traffic-segmentation uplink/downlin
show mac access-group 988 show mac access-list 988 ARP ACLs 989 access-list arp 989 permit, deny (ARP ACL) 990 show access-list arp 991 ACL Information 992 clear access-list hardware counters 992 show access-group 992 show access-list 993 27 INTERFACE COMMANDS 995 Interface Configuration 996 interface 996 alias 997 capabilities 997 description 998 discard 999 flowcontrol 1000 media-type 1001 negotiation 1001 shutdown 1002 speed-duplex 1002 clear counters
show interfaces transceiver 1015 show interfaces transceiver-threshold 1016 Cable Diagnostics 1017 test cable-diagnostics 1017 show cable-diagnostics 1018 Power Savings 1019 power-save 1019 show power-save 1020 28 LINK AGGREGATION COMMANDS 1021 Manual Configuration Commands 1022 port channel load-balance 1022 channel-group 1024 Dynamic Configuration Commands 1024 lacp 1024 lacp admin-key (Ethernet Interface) 1026 lacp port-priority 1027 lacp system-priority 1028 l
RSPAN Mirroring Commands 1048 rspan source 1050 rspan destination 1051 rspan remote vlan 1052 no rspan session 1053 show rspan 1053 31 CONGESTION CONTROL COMMANDS 1055 Rate Limit Commands 1055 rate-limit 1056 Storm Control Commands 1057 switchport packet-rate 1057 Automatic Traffic Control Commands 1058 Threshold Commands 1061 auto-traffic-control apply-timer 1061 auto-traffic-control release-timer 1062 auto-traffic-control 1063 auto-traffic-control action 1063 auto-t
loopback-detection recover-time 1075 loopback-detection transmit-interval 1076 loopback detection trap 1076 loopback-detection release 1077 show loopback-detection 1077 33 UNIDIRECTIONAL LINK DETECTION COMMANDS 1079 udld message-interval 1079 udld aggressive 1080 udld port 1081 show udld 1082 34 ADDRESS TABLE COMMANDS 1085 mac-address-table aging-time 1085 mac-address-table static 1086 clear mac-address-table dynamic 1087 show mac-address-table 1087 show mac-address-t
spanning-tree cost 1105 spanning-tree edge-port 1106 spanning-tree link-type 1107 spanning-tree loopback-detection 1107 spanning-tree loopback-detection action 1108 spanning-tree loopback-detection release-mode 1109 spanning-tree loopback-detection trap 1110 spanning-tree mst cost 1110 spanning-tree mst port-priority 1111 spanning-tree port-bpdu-flooding 1112 spanning-tree port-priority 1112 spanning-tree root-guard 1113 spanning-tree spanning-disabled 1114 spanning-tree
rpl owner 1138 version 1138 wtr-timer 1139 clear erps statistics 1140 erps clear 1140 erps forced-switch 1141 erps manual-switch 1143 show erps 1145 37 VLAN COMMANDS 1149 GVRP and Bridge Extension Commands 1150 bridge-ext gvrp 1150 garp timer 1151 switchport forbidden vlan 1152 switchport gvrp 1152 show bridge-ext 1153 show garp timer 1153 show gvrp configuration 1154 Editing VLAN Groups 1155 vlan database 1155 vlan 1156 Configuring VLAN Interfaces 1157 in
Configuring L2CP Tunneling 1172 l2protocol-tunnel tunnel-dmac 1172 switchport l2protocol-tunnel 1175 show l2protocol-tunnel 1175 Configuring VLAN Translation 1176 switchport vlan-translation 1176 show vlan-translation 1178 Configuring Protocol-based VLANs 1178 protocol-vlan protocol-group (Configuring Groups) 1179 protocol-vlan protocol-group (Configuring Interfaces) 1180 show protocol-vlan protocol-group 1181 show interfaces protocol-vlan protocol-group 1181 Configuring IP
qos map dscp-mutation 1202 qos map phb-queue 1203 qos map trust-mode 1204 show qos map cos-dscp 1205 show qos map dscp-mutation 1205 show qos map phb-queue 1206 show qos map trust-mode 1206 39 QUALITY OF SERVICE COMMANDS 1207 class-map 1208 description 1209 match 1210 rename 1211 policy-map 1211 class 1212 police flow 1213 police srtcm-color 1215 police trtcm-color 1217 set cos 1219 set ip dscp 1220 set phb 1221 service-policy 1222 show class-map 1223 sh
ip igmp snooping version 1234 ip igmp snooping version-exclusive 1234 ip igmp snooping vlan general-query-suppression 1235 ip igmp snooping vlan immediate-leave 1236 ip igmp snooping vlan last-memb-query-count 1237 ip igmp snooping vlan last-memb-query-intvl 1237 ip igmp snooping vlan mrd 1238 ip igmp snooping vlan proxy-address 1239 ip igmp snooping vlan query-interval 1240 ip igmp snooping vlan query-resp-intvl 1241 ip igmp snooping vlan static 1242 clear ip igmp snooping g
MLD Snooping 1262 ipv6 mld snooping 1263 ipv6 mld snooping querier 1263 ipv6 mld snooping query-interval 1264 ipv6 mld snooping query-max-response-time 1265 ipv6 mld snooping robustness 1265 ipv6 mld snooping router-port-expire-time 1266 ipv6 mld snooping unknown-multicast mode 1266 ipv6 mld snooping version 1267 ipv6 mld snooping vlan immediate-leave 1267 ipv6 mld snooping vlan mrouter 1268 ipv6 mld snooping vlan static 1269 clear ipv6 mld snooping groups dynamic 1269 cl
mvr priority 1284 mvr profile 1284 mvr proxy-query-interval 1285 mvr proxy-switching 1286 mvr robustness-value 1287 mvr source-port-mode dynamic 1288 mvr upstream-source-ip 1288 mvr vlan 1289 mvr immediate-leave 1290 mvr type 1291 mvr vlan group 1292 clear mrv groups dynamic 1293 clear mrv statistics 1293 show mvr 1293 show mvr associated-profile 1295 show mvr interface 1295 show mvr members 1296 show mvr profile 1298 show mvr statistics 1298 MVR for IPv6 130
show mvr6 associated-profile 1316 show mvr6 interface 1317 show mvr6 members 1318 show mvr6 profile 1319 show mvr6 statistics 1320 41 LLDP COMMANDS 1323 lldp 1325 lldp holdtime-multiplier 1325 lldp med-fast-start-count 1326 lldp notification-interval 1326 lldp refresh-interval 1327 lldp reinit-delay 1327 lldp tx-delay 1328 lldp admin-status 1329 lldp basic-tlv management-ip-address 1329 lldp basic-tlv port-description 1330 lldp basic-tlv system-capabilities 1331 l
show lldp info local-device 1343 show lldp info remote-device 1344 show lldp info statistics 1346 42 CFM COMMANDS 1347 Defining CFM Structures 1350 ethernet cfm ais level 1350 ethernet cfm ais ma 1351 ethernet cfm ais period 1352 ethernet cfm ais suppress alarm 1352 ethernet cfm domain 1353 ethernet cfm enable 1355 ma index name 1356 ma index name-format 1357 ethernet cfm mep 1358 ethernet cfm port-enable 1359 clear ethernet cfm ais mpid 1359 show ethernet cfm confi
Link Trace Operations 1376 ethernet cfm linktrace cache 1376 ethernet cfm linktrace cache hold-time 1377 ethernet cfm linktrace cache size 1378 ethernet cfm linktrace 1379 clear ethernet cfm linktrace-cache 1380 show ethernet cfm linktrace-cache 1380 Loopback Operations 1381 ethernet cfm loopback 1381 Fault Generator Operations 1382 mep fault-notify alarm-time 1382 mep fault-notify lowest-priority 1383 mep fault-notify reset-time 1385 show ethernet cfm fault-notify-generator
ip host 1404 ip name-server 1405 ipv6 host 1406 clear dns cache 1406 clear host 1407 show dns 1407 show dns cache 1408 show hosts 1408 45 DHCP COMMANDS 1411 DHCP Client 1411 DHCP for IPv4 1412 ip dhcp client class-id 1412 ip dhcp restart client 1413 DHCP for IPv6 1414 ipv6 dhcp client rapid-commit vlan 1414 ipv6 dhcp restart client vlan 1415 show ipv6 dhcp duid 1416 show ipv6 dhcp vlan 1417 DHCP Relay 1417 ip dhcp relay server 1417 ip dhcp restart relay 141
IPv6 Interface 1432 Interface Address Configuration and Utilities 1433 ipv6 default-gateway 1433 ipv6 address 1434 ipv6 address autoconfig 1435 ipv6 address eui-64 1436 ipv6 address link-local 1438 ipv6 enable 1439 ipv6 mtu 1441 show ipv6 default-gateway 1442 show ipv6 interface 1442 show ipv6 mtu 1444 show ipv6 traffic 1445 clear ipv6 traffic 1449 ping6 1449 traceroute6 1450 Neighbor Discovery 1452 ipv6 nd dad attempts 1452 ipv6 nd ns-interval 1453 ipv6 nd ra
show ipv6 nd snooping prefix 1466 46 IP ROUTING COMMANDS 1467 Global Routing Configuration 1467 IPv4 Commands 1468 ip route 1468 ip sw-route 1469 show ip route 1469 show ip route database 1470 show ip route summary 1471 SECTION IV APPENDICES 1473 A SOFTWARE SPECIFICATIONS 1475 Software Features 1475 Management Features 1476 Standards 1477 Management Information Bases 1477 B TROUBLESHOOTING 1479 Problems Accessing the Management Interface 1479 Using System Logs 1480
FIGURES Figure 1: Home Page 104 Figure 2: Front Panel Indicators 105 Figure 3: System Information 124 Figure 4: General Switch Information 126 Figure 5: Configuring Support for Jumbo Frames 127 Figure 6: Displaying Bridge Extension Configuration 128 Figure 7: Copy Firmware 130 Figure 8: Saving the Running Configuration 131 Figure 9: Setting Start-Up Files 132 Figure 10: Displaying System Files 133 Figure 11: Configuring Automatic Code Upgrade 136 Figure 12: Manually Setting the System
Figure 32: Configuring Local Port Mirroring 160 Figure 33: Configuring Local Port Mirroring 161 Figure 34: Displaying Local Port Mirror Sessions 162 Figure 35: Configuring Remote Port Mirroring 162 Figure 36: Configuring Remote Port Mirroring (Source) 165 Figure 37: Configuring Remote Port Mirroring (Intermediate) 165 Figure 38: Configuring Remote Port Mirroring (Destination) 166 Figure 39: Showing Port Statistics (Table) 169 Figure 40: Showing Port Statistics (Chart) 170 Figure 4
Figure 68: Creating Static VLANs 204 Figure 69: Modifying Settings for Static VLANs 204 Figure 70: Showing Static VLANs 204 Figure 71: Configuring Static Members by VLAN Index 207 Figure 72: Configuring Static VLAN Members by Interface 208 Figure 73: Configuring Static VLAN Members by Interface Range 208 Figure 74: Configuring Global Status of GVRP 210 Figure 75: Configuring GVRP for an Interface 211 Figure 76: Showing Dynamic VLANs Registered on the Switch 211 Figure 77: Showing
Figure 104: Configuring Port Loopback Detection 243 Figure 105: Configuring Global Settings for STA (STP) 247 Figure 106: Configuring Global Settings for STA (RSTP) 248 Figure 107: Configuring Global Settings for STA (MSTP) 248 Figure 108: Displaying Global Settings for STA 250 Figure 109: Configuring Interface Settings for STA 254 Figure 110: STA Port Roles 256 Figure 111: Displaying Interface Settings for STA 256 Figure 112: Creating an MST Instance 258 Figure 113: Displaying MS
Figure 140: Showing the Rules for a Class Map 291 Figure 141: Configuring a Policy Map 298 Figure 142: Showing Policy Maps 299 Figure 143: Adding Rules to a Policy Map 300 Figure 144: Showing the Rules for a Policy Map 300 Figure 145: Attaching a Policy Map to a Port 302 Figure 146: Configuring a Voice VLAN 305 Figure 147: Configuring an OUI Telephony List 306 Figure 148: Showing an OUI Telephony List 306 Figure 149: Configuring Port Settings for a Voice VLAN 308 Figure 150: Con
Figure 176: Showing Addresses Authenticated for Network Access 340 Figure 177: Configuring HTTPS 342 Figure 178: Downloading the Secure-Site Certificate 344 Figure 179: Configuring the SSH Server 348 Figure 180: Generating the SSH Host Key Pair 349 Figure 181: Showing the SSH Host Key Pair 350 Figure 182: Copying the SSH User’s Public Key 351 Figure 183: Showing the SSH User’s Public Key 352 Figure 184: Setting the Name of a Time Range 354 Figure 185: Showing a List of Time Ranges
Figure 212: Configuring Interface Settings for 802.1X Port Supplicant 396 Figure 213: Showing Statistics for 802.1X Port Authenticator 398 Figure 214: Showing Statistics for 802.
Figure 248: Configuring a Remote Engine ID for SNMP 458 Figure 249: Showing Remote Engine IDs for SNMP 458 Figure 250: Creating an SNMP View 459 Figure 251: Showing SNMP Views 460 Figure 252: Adding an OID Subtree to an SNMP View 460 Figure 253: Showing the OID Subtree Configured for SNMP Views 461 Figure 254: Creating an SNMP Group 465 Figure 255: Showing SNMP Groups 465 Figure 256: Setting Community Access Strings 466 Figure 257: Showing Community Access Strings 467 Figure 258
Figure 284: ERPS Ring Components 496 Figure 285: Ring Interconnection Architecture (Multi-ring/Ladder Network) 498 Figure 286: Setting ERPS Global Status 500 Figure 287: Sub-ring with Virtual Channel 509 Figure 288: Sub-ring without Virtual Channel 510 Figure 289: Non-ERPS Device Protection 511 Figure 290: Creating an ERPS Ring 514 Figure 291: Creating an ERPS Ring 515 Figure 292: Showing Configured ERPS Rings 515 Figure 293: Blocking an ERPS Ring Port 520 Figure 294: Single CFM
Figure 320: Displaying Statistics for OAM Messages 560 Figure 321: Displaying the OAM Event Log 561 Figure 322: Displaying Status of Remote Interfaces 562 Figure 323: Running a Remote Loop Back Test 564 Figure 324: Displaying the Results of Remote Loop Back Testing 565 Figure 325: Multicast Filtering Concept 568 Figure 326: Configuring General Settings for IGMP Snooping 574 Figure 327: Configuring a Static Interface for a Multicast Router 575 Figure 328: Showing Static Interfaces At
Figure 356: Configuring Domain Settings for MVR 608 Figure 357: Configuring an MVR Group Address Profile 610 Figure 358: Displaying MVR Group Address Profiles 610 Figure 359: Assigning an MVR Group Address Profile to a Domain 611 Figure 360: Showing the MVR Group Address Profiles Assigned to a Domain 611 Figure 361: Configuring Interface Settings for MVR 614 Figure 362: Assigning Static MVR Groups to an Interface 615 Figure 363: Showing the Static MVR Groups Assigned to a Port 616 F
Figure 392: Showing IPv6 Statistics (UDP) 660 Figure 393: Showing Reported MTU Values 661 Figure 394: Configuring General Settings for DNS 664 Figure 395: Configuring a List of Domain Names for DNS 665 Figure 396: Showing the List of Domain Names for DNS 665 Figure 397: Configuring a List of Name Servers for DNS 666 Figure 398: Showing the List of Name Servers for DNS 667 Figure 399: Configuring Static Entries in the DNS Table 668 Figure 400: Showing Static Entries in the DNS Table
Figure 428: Configuring VLAN Translation 1177
TABLES Table 1: Key Features 75 Table 2: System Defaults 82 Table 3: Options 60, 66 and 67 Statements 95 Table 4: Options 55 and 124 Statements 96 Table 5: Web Page Configuration Buttons 105 Table 6: Switch Main Menu 106 Table 7: Port Statistics 166 Table 8: LACP Port Counters 186 Table 9: LACP Internal Configuration Information 187 Table 10: LACP Remote Device Configuration Information 188 Table 11: Traffic Segmentation Forwarding 194 Table 12: Recommended STA Path Cost Range 251 T
Table 32: PoE Shut Down Sequence 451 Table 33: SNMPv3 Security Models and Levels 453 Table 34: Supported Notification Messages 462 Table 35: ERPS Request/State Priority 517 Table 36: Remote MEP Priority Levels 529 Table 37: MEP Defect Descriptions 529 Table 38: OAM Operation State 557 Table 39: OAM Operation State 563 Table 40: Show IPv6 Neighbors - display description 654 Table 41: Show IPv6 Statistics - display description 656 Table 42: Show MTU - display description 661 Tabl
Table 68: Switch Cluster Commands 786 Table 69: SNMP Commands 793 Table 70: show snmp engine-id - display description 808 Table 71: show snmp group - display description 809 Table 72: show snmp user - display description 809 Table 73: show snmp view - display description 810 Table 74: RMON Commands 815 Table 75: Authentication Commands 823 Table 76: User Access Commands 824 Table 77: Default Login Settings 826 Table 78: Authentication Sequence Commands 828 Table 79: RADIUS Clie
Table 104: Commands for Configuring Traffic Segmentation 963 Table 105: Traffic Segmentation Forwarding 964 Table 106: Access Control List Commands 969 Table 107: IPv4 ACL Commands 969 Table 108: Priority Bits Processed by Extended IPv4 ACL 974 Table 109: IPv6 ACL Commands 976 Table 110: MAC ACL Commands 983 Table 111: ARP ACL Commands 989 Table 112: ACL Information Commands 992 Table 113: Interface Commands 995 Table 114: show interfaces switchport - display description 1009 T
Table 140: ERPS Request/State Priority 1142 Table 141: show erps - summary display description 1145 Table 142: show erps domain - detailed display description 1147 Table 143: show erps statistics - detailed display description 1148 Table 144: VLAN Commands 1149 Table 145: GVRP and Bridge Extension Commands 1150 Table 146: Commands for Editing VLAN Groups 1155 Table 147: Commands for Configuring VLAN Interfaces 1157 Table 148: Commands for Displaying VLAN Information 1164 Table 149:
Table 176: show mvr members - display description 1297 Table 177: show mvr statistics input - display description 1299 Table 178: show mvr statistics output - display description 1300 Table 179: show mvr statistics query - display description 1300 Table 180: show mvr statistics summary interface - display description 1301 Table 181: show mvr statistics summary interface mvr vlan - description 1302 Table 182: Multicast VLAN Registration for IPv6 Commands 1303 Table 183: show mvr6 - disp
Table 212: Address Resolution Protocol Commands 1429 Table 213: IPv6 Configuration Commands 1432 Table 214: show ipv6 interface - display description 1443 Table 215: show ipv6 mtu - display description 1444 Table 216: show ipv6 traffic - display description 1446 Table 217: show ipv6 neighbors - display description 1457 Table 218: ND Snooping Commands 1459 Table 203: IP Routing Commands 1467 Table 204: Global Routing Configuration Commands 1467 Table 205: Troubleshooting Chart 1479
SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 INTRODUCTION This switch provides a broad range of features for Layer 2 switching and Layer 3 static routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
DESCRIPTION OF SOFTWARE FEATURES
Table 1: Key Features (continued)
◆ IEEE 802.1D Bridge – Supports dynamic data switching and address learning
◆ Store-and-Forward Switching – Supported to ensure wire-speed switching while eliminating bad frames
◆ Spanning Tree Algorithm – Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
◆ Virtual LANs – Up to 4094 using IEEE 802.
AUTHENTICATION
This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.
taking over the load if a port in the trunk should fail. The switch supports up to 12 trunks.
STORM CONTROL
Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing through the port is restricted. If traffic rises above a predefined threshold, it will be throttled until the level falls back beneath the threshold.
◆ Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard.
IEEE 802.1Q TUNNELING (QINQ)
This feature is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
QUALITY OF SERVICE
Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
SYSTEM DEFAULTS
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults.
Table 2: System Defaults (continued)
◆ SNMP – SNMP Agent: Enabled; Community Strings: “public” (read only), “private” (read/write); Traps: Authentication traps enabled, Link-up-down events enabled; SNMP V3: View “defaultview”, Group “public” (read only) and “private” (read/write)
◆ Admin Status: Enabled; Auto-negotiation: Enabled; Flow Control: Disabled
◆ Static Trunks: None; LACP (all ports): Disabled
◆ Rate Limiting: Disabled; Storm Control: Broadc
Table 2: System Defaults (continued)
◆ Traffic Prioritization – Ingress Port Priority: 0; Queue Mode: WRR; Queue Weight: queues 0, 1, 2, 3 have weights 1, 2, 4, 6; Class of Service: Enabled; IP Precedence Priority: Disabled; IP DSCP Priority: Disabled
◆ Management VLAN: VLAN 1; IP Address: DHCP assigned; Subnet Mask: 255.255.255.
2 INITIAL SWITCH CONFIGURATION
This chapter includes information on connecting to the switch and basic configuration procedures.
CONNECTING TO THE SWITCH
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
NOTE: An IPv4 address for this switch is obtained via DHCP by default.
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.
BASIC CONFIGURATION
NOTE: Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see "Using the Command Line Interface" on page 697. For a list of all the CLI commands and detailed information on using the CLI, refer to "CLI Command Groups" on page 706.
CLI at the Privileged Exec level using the default user name and password, perform these steps:
1. To initiate your console connection, press Enter. The “User Access Verification” procedure starts.
2. At the Username prompt, enter “admin.”
3. At the Password prompt, also enter “admin.” (The password characters are not displayed on the console screen.)
4.
SETTING AN IP ADDRESS
You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:
◆ Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press Enter.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  fe80::260:3eff:fe11:6700%1/64
Global unicast address(es):
  2001:db8:2222:7272::66/64, subnet is 2001:db8:2222:7272::/64
Joined group address(es):
  ff02::1:ff00:66
  ff02::1:ff11:6700
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
■ To obtain IP settings via BOOTP, type “ip address bootp” and press Enter.
3. Type “end” to return to the Privileged Exec mode. Press Enter.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
DOWNLOADING A CONFIGURATION FILE REFERENCED BY A DHCP SERVER
Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed.
Table 4: Options 55 and 124 Statements
◆ Option 55 – Statement keyword: dhcp-parameter-request-list; Parameter: a list of parameters, separated by ','
◆ Option 124 – Statement keyword: vendor-class-identifier; Parameter: a string indicating the vendor class identifier
The following configuration examples are provided for a Linux-based DHCP daemon (dhcpd.conf file).
requested by the managers) through trap messages, which inform the manager that certain events have occurred. The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e.
TRAP RECEIVERS
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command.
MANAGING SYSTEM FILES
The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The types of files are:
◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved.
contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file.
SECTION II WEB CONFIGURATION
This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
◆ "General IP Routing" on page 679
3 USING THE WEB INTERFACE
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions).
NOTE: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
NOTE: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.
NOTE: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.
NAVIGATING THE WEB BROWSER INTERFACE
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics.
CONFIGURATION OPTIONS
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 5: Web Page Configuration Buttons
◆ Apply – Sets specified values to the system.
MAIN MENU
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 6: Switch Main Menu (continued)
◆ Show Information – Displays port connection status (page 159)
◆ Mirror (page 160)
  ■ Add – Sets the source and target ports for mirroring (160)
  ■ Show – Shows the configured mirror sessions (160)
◆ Statistics – Shows Interface, Etherlike, and RMON port statistics (166)
◆ Chart – Shows Interface, Etherlike, and RMON port statistics (166)
◆ Transceiver – Shows identifying information and operational par
Table 6: Switch Main Menu (continued)
◆ Statistics – Shows Interface, Etherlike, and RMON port statistics (166)
◆ Chart – Shows Interface, Etherlike, and RMON port statistics (166)
◆ Load Balance – Sets the load-distribution method among ports in aggregated links
◆ Green Ethernet – Adjusts the power provided to ports based on the length of the cable used to connect to other devices (191)
◆ RSPAN – Mirrors traffic from remot
Table 6: Switch Main Menu (continued)
◆ IP Subnet (page 225)
  ■ Add – Maps IP subnet traffic to a VLAN (225)
  ■ Show – Shows IP subnet to VLAN mapping (225)
◆ MAC-Based (page 227)
  ■ Add – Maps traffic with specified source MAC address to a VLAN (227)
  ■ Show – Shows source MAC address to VLAN mapping (227)
◆ Mirror (page 229)
  ■ Add – Mirrors traffic from one or more source VLANs to a target port (229)
  ■ Show – Shows mirror list (229)
◆ MAC Address Lear
Table 6: Switch Main Menu (continued)
◆ Add Member – Adds VLAN members for an MST instance (257)
◆ Show Member – Adds or deletes VLAN members for an MST instance (257)
◆ Show Information – Shows global settings for an MST instance (257)
◆ Configure Interface (page 261)
  ■ Configure – Configures interface settings for an MST instance (261)
  ■ Show Information – Displays interface settings for an MST instance (261)
◆ Rate Limit – Sets the
Table 6: Switch Main Menu (continued)
◆ Configure Policy (page 291)
  ■ Add – Creates a policy map to apply to multiple interfaces (291)
  ■ Show – Shows configured policy maps (291)
  ■ Modify – Modifies the name of a policy map (291)
  ■ Add Rule – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic (291)
  ■ Show Rule – Shows the rules used to enforce bandwidth
Table 6: Switch Main Menu (continued)
◆ Authorization – Enables authorization of requested services (323)
◆ Configure Method (page 323)
  ■ Add – Configures authorization for various service types (323)
  ■ Show – Shows the authorization settings used for various service types (323)
◆ Configure Service – Sets the authorization method used for the console port, and for Telnet (323)
◆ Show Information – Shows the configured author
Table 6: Switch Main Menu (continued)
◆ Access Control Lists (page 352)
◆ Configure Time Range – Configures the time to apply an ACL (352)
  ■ Add – Specifies the name of a time range (353)
  ■ Show – Shows the name of configured time ranges (353)
  ■ Add Rule (353): Absolute – Sets exact time or time range; Periodic – Sets a recurrent time
  ■ Show Rule – Shows the time specified by a rule (353)
◆ Configure ACL (page 357)
◆ Show TCAM
Table 6: Switch Main Menu (continued)
◆ Sets port supplicant settings (394)
◆ Displays protocol statistics for the selected port (396)
  ■ Authenticator – Displays protocol statistics for port authenticator (396)
  ■ Supplicant – Displays protocol statistics for port supplicant (396)
◆ DoS Protection – Protects against Denial-of-Service attacks (399)
◆ IP Source Guard – Filters IP traffic based on static entries in the IP Source
Table 6: Switch Main Menu (continued)
◆ Show Local Device Information (page 435)
  ■ General – Displays general information about the local device (435)
  ■ Port/Trunk – Displays information about each interface (435)
◆ Show Remote Device Information (page 438)
  ■ Port/Trunk – Displays information about a remote device connected to a port on this switch (438)
  ■ Port/Trunk Details – Displays detailed information about a remote device connect
Table 6: Switch Main Menu (continued)
◆ Configure Trap (page 472)
  ■ Add – Configures notification managers to receive messages on key events that occur on this switch (472)
  ■ Show – Shows configured notification managers (472)
◆ Configure Notify Filter (page 476)
  ■ Add – Creates an SNMP notification log (476)
  ■ Show – Shows the configured notification logs (476)
◆ Shows the status of SNMP communications (478)
◆ Remote Monitoring (page 480)
◆ Alarm
Table 6: Switch Main Menu (continued)
◆ Show – Shows list of configured ERPS rings, status, and settings (500)
◆ Configure Details – Configures ring parameters (500)
◆ Configure Operation – Blocks a ring port using Forced Switch or Manual Switch commands (516)
◆ CFM – Connectivity Fault Management (520)
  ■ Configure Global – Configures global settings, including administrative status, cross-check start delay, link trace, (523)
Table 6: Switch Main Menu (continued)
◆ Show Remote MEP Details – Displays detailed CFM information about a specified remote MEP in the continuity check database (550)
◆ Show Link Trace Cache – Shows information about link trace operations launched from this device (552)
◆ Show Fault Notification Generator – Displays configuration settings for the fault notification generator (554)
◆ Show Continuity Check Error – Displays CF
Table 6: Switch Main Menu (continued)
◆ IPv6 Configuration (page 643)
  ■ Configure Global – Sets an IPv6 default gateway for traffic with no known next hop
  ■ Configure Interface – Configures IPv6 interface address using auto-configuration or link-local address, and sets related protocol settings (644)
  ■ Add IPv6 Address – Adds a global unicast, EUI-64, or link-local IPv6 address to an interface (650)
  ■ Show IPv6 Address – Show
Table 6: Switch Main Menu (continued)
◆ PPPoE Intermediate Agent (page 672)
  ■ Configure Global – Enables PPPoE IA on the switch, sets access node identifier, sets generic error message (672)
  ■ Configure Interface – Enables PPPoE IA on an interface, sets trust status, enables vendor tag stripping, sets circuit ID and remote ID (674)
  ■ Show Statistics – Shows statistics on PPPoE IA protocol messages (676)
◆ Multicast (page 567)
  ■ IGMP Sno
Table 6: Switch Main Menu (continued)
◆ Show Trunk Statistics – Shows statistics for protocol messages, number of active groups (586)
◆ MLD Snooping (page 595)
  ■ General – Enables multicast filtering; configures parameters for IPv6 multicast snooping (595)
  ■ Interface – Configures Immediate Leave status for a VLAN (597)
  ■ Multicast Router (598)
  ■ Add Static Multicast Router – Assigns ports that are attached to a neighboring multic
Table 6: Switch Main Menu (continued)
◆ Show Trunk Statistics – Shows statistics for protocol messages and number of active groups (617)
◆ Multicast VLAN Registration for IPv6 (MVR6) (page 621)
  ■ Configure Global – Configures proxy switching and robustness value (622)
  ■ Configure Domain – Enables MVR for a domain, sets the MVR VLAN, forwarding priority, and upstream source IP (624)
  ■ Configure Profile (625)
  ■ Add – Configures multica
4 BASIC MANAGEMENT TASKS
This chapter describes the following topics:
◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
DISPLAYING SYSTEM INFORMATION
PARAMETERS
These parameters are displayed:
◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for switch’s network management subsystem.
  ■ ECS4110-52T – 1.3.6.1.4.1.259.10.1.39.101
  ■ ECS4110-52P – 1.3.6.1.4.1.259.10.1.39.102
  ■ ECS4110-28T – 1.3.6.1.4.1.259.10.1.39.103
  ■ ECS4110-28P – 1.3.6.1.4.1.259.10.1.39.104
◆ System Up Time – Length of time the management agent has been up.
DISPLAYING HARDWARE/SOFTWARE VERSIONS
Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
CLI REFERENCES
◆ "System Management Commands" on page 717
PARAMETERS
The following parameters are displayed:
Main Board Information
◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
WEB INTERFACE
To view hardware and software version information:
1. Click System, then Switch.
Figure 4: General Switch Information
CONFIGURING SUPPORT FOR JUMBO FRAMES
Use the System > Capability page to configure support for Layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
WEB INTERFACE
To configure support for jumbo frames:
1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.
Figure 5: Configuring Support for Jumbo Frames
DISPLAYING BRIDGE EXTENSION CAPABILITIES
Use the System > Capability page to display settings based on the Bridge MIB.
◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to "VLAN Configuration" on page 199.)
◆ Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch.
◆ Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch.
MANAGING SYSTEM FILES
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
COPYING FILES VIA FTP/TFTP OR HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP. By backing up a file to an FTP/TFTP server or management station, that file can later be downloaded to the switch to restore operation.
or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
NOTE: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
NOTE: The maximum number of user-defined configuration files is limited only by available flash memory space.
NOTE: The file “Factory_Default_Config.
SAVING THE RUNNING CONFIGURATION TO A LOCAL FILE
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted. You must save these settings to the current startup file, or to another file which can be subsequently set as the startup file.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
SETTING THE START-UP FILE
Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
CLI REFERENCES
◆ "whichboot" on page 743
◆ "boot system" on page 737
WEB INTERFACE
To set a file to use for system initialization:
1. Click System, then File.
2.
WEB INTERFACE
To show the system files:
1. Click System, then File.
2. Select Show from the Action list.
3. To delete a file, mark it in the File List and click Delete.
Figure 10: Displaying System Files
AUTOMATIC OPERATION CODE UPGRADE
Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
◆ The FTP connection is made with PASV mode enabled. PASV mode is needed to traverse some firewalls, even if FTP traffic is not blocked. PASV mode cannot be disabled.
◆ The switch-based search function is case-insensitive in that it will accept a file name in upper or lower case (i.e., the switch will accept ECS4110-SERIES.BIX from the server even though ECS4110-series.bix was requested).
◆ Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The ecs4110-series.bix filename must not be included since it is automatically appended by the switch. (Options: ftp, tftp)
  The following syntax must be observed:
  tftp://host[/filedir]/
  ■ tftp:// – Defines TFTP protocol for the server connection.
  ■ tftp://192.168.0.1/switch-opcode/ – The image file is in the “switch-opcode” directory, relative to the TFTP root.
  ■ tftp://192.168.0.1/switches/opcode/ – The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the TFTP root.
  The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
SETTING THE SYSTEM CLOCK
◆ Day – Sets the day of the month. (Range: 1-31)
◆ Year – Sets the year. (Range: 1970-2037)
WEB INTERFACE
To manually set the system clock:
1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5.
3. Select SNTP from the Maintain Type list.
4. Modify the polling interval if required.
5. Click Apply.
Figure 13: Setting the Polling Interval for SNTP
CONFIGURING NTP
Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
4. Enable authentication if required.
5. Click Apply.
Figure 14: Configuring NTP
CONFIGURING TIME SERVERS
Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
SPECIFYING SNTP TIME SERVERS
Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
Figure 15: Specifying SNTP Time Servers
SPECIFYING NTP TIME SERVERS
Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers.
CLI REFERENCES
◆ "ntp server" on page 775
PARAMETERS
The following parameters are displayed:
◆ NTP Server IP Address – Adds the IPv4 or IPv6 address for up to 50 time servers.
Figure 16: Adding an NTP Time Server
To show the list of configured NTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.
Figure 17: Showing the NTP Time Server List
SPECIFYING NTP AUTHENTICATION KEYS
Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
WEB INTERFACE
To add an entry to the NTP authentication key list:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.
Figure 18: Adding an NTP Authentication Key
To show the list of configured NTP authentication keys:
1. Click System, then Time.
2.
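The index number and MD5 key string entered on this page are the key identifier and shared secret of RFC 5905 symmetric-key NTP authentication, where the MAC appended to each packet is the key identifier followed by MD5(key || packet header). The following added example (not code from the guide or from the switch firmware) builds an authenticated NTPv4 client request and verifies the MAC on a packet the way a receiver must; the key id 7, the key string and the timestamp are constructed values.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # fixed NTPv4 packet header (RFC 5905)
MAC_LEN = 4 + 16               # key identifier + MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def build_client_header(transmit_unix_time: float) -> bytes:
    """Build a minimal NTPv4 client (mode 3) header with a transmit timestamp.

    Field order per RFC 5905: LI/VN/mode, stratum, poll, precision, root delay,
    root dispersion, reference id, then reference, origin, receive and transmit
    timestamps (each 32-bit seconds + 32-bit fraction).
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, version 4, mode 3
    secs = int(transmit_unix_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix_time % 1) * (1 << 32))
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, 0,
                       0, 0, 0,                    # root delay, root disp, ref id
                       0, 0, 0, 0, 0, 0,           # reference, origin, receive ts
                       secs, frac)                 # transmit timestamp


def ntp_md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Return the 20-byte MAC appended to an authenticated NTP packet.

    RFC 5905 symmetric-key scheme: digest = MD5(key || header); the MAC
    carries the key identifier so the receiver knows which configured key
    (the "index number" on the switch) to verify with.
    """
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be exactly 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def build_authenticated_request(key_id: int, key: bytes,
                                transmit_unix_time: float) -> bytes:
    """Header plus MAC, as a client configured with key_id/key would send it."""
    header = build_client_header(transmit_unix_time)
    return header + ntp_md5_mac(key_id, key, header)


def verify_ntp_mac(packet: bytes, trusted_keys: dict[int, bytes]) -> bool:
    """True only if the packet carries a valid MAC under a trusted key.

    Rejects packets with no MAC, an unknown key identifier, or a digest that
    does not match; the comparison is constant-time.
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received_digest = packet[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected_digest = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected_digest, received_digest)


if __name__ == "__main__":
    # Constructed values: key index 7 with a sample key string and a fixed time.
    keys = {7: b"constructed-sample-key"}
    packet = build_authenticated_request(7, keys[7], 1700000000.5)
    print("packet length:", len(packet))
    print("valid under key 7:", verify_ntp_mac(packet, keys))
    print("valid under wrong key:", verify_ntp_mac(packet, {7: b"other-key"}))
```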
SETTING THE TIME ZONE
Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
CONFIGURING THE CONSOLE PORT
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password (only configurable through the CLI), time outs, and basic communication settings.
NOTE: The password for the console connection can only be configured through the CLI (see "password" on page 752).
NOTE: Password checking can be enabled or disabled for logging in to the console connection (see "login" on page 751). You can select authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.
CONFIGURING TELNET SETTINGS
PARAMETERS
The following parameters are displayed:
◆ Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled)
◆ TCP Port – Sets the TCP port number for Telnet on the switch. (Range: 1-65535; Default: 23)
◆ Max Sessions – Sets the maximum number of Telnet sessions that can simultaneously connect to this system.
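Table 2 and the SNMP and Telnet sections above describe management defaults that a deployed switch should not keep: the SNMP agent enabled with the “public” (read only) and “private” (read/write) community strings, and Telnet enabled on TCP port 23. The following added example (not code from the guide) audits a saved configuration file for those defaults; the sample configurations are constructed, and the command syntax it matches (snmp-server community, snmp-server user, ip telnet server) is an assumed Edgecore-style syntax that should be checked against the lines your switch actually writes.

```python
import re
from dataclasses import dataclass

# Factory defaults from Table 2 of the guide: community "public" is read only,
# "private" is read/write.
DEFAULT_COMMUNITIES = {"public": "ro", "private": "rw"}


@dataclass
class Finding:
    line_no: int    # 0 when the finding concerns the configuration as a whole
    severity: str   # "high", "medium" or "low"
    message: str


def audit_config(config_text: str) -> list[Finding]:
    """Flag factory-default management settings left in a saved config."""
    findings: list[Finding] = []
    telnet_enabled = True      # default per the guide; only an explicit
                               # "no ip telnet server" line turns it off
    communities_seen = 0
    snmpv3_users_seen = 0

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue           # blank lines and "!" separators

        # Assumed syntax: snmp-server community <string> [ro|rw]
        m = re.fullmatch(r"snmp-server community (\S+)(?: (ro|rw))?", line)
        if m:
            communities_seen += 1
            community = m.group(1)
            access = m.group(2) or "ro"
            if community in DEFAULT_COMMUNITIES:
                findings.append(Finding(
                    line_no,
                    "high" if access == "rw" else "medium",
                    f"default SNMP community '{community}' is still "
                    f"configured with {access} access",
                ))
            continue

        if line.startswith("snmp-server user "):   # assumed SNMPv3 user line
            snmpv3_users_seen += 1
        elif line == "no ip telnet server":
            telnet_enabled = False
        elif line == "ip telnet server":
            telnet_enabled = True

    if telnet_enabled:
        findings.append(Finding(
            0, "medium",
            "Telnet management access is enabled (factory default); "
            "credentials cross the network in clear text",
        ))
    if communities_seen and not snmpv3_users_seen:
        findings.append(Finding(
            0, "low",
            "only SNMP v1/v2c community access is configured; no SNMPv3 user",
        ))
    return findings


# Constructed sample configurations (not captured from a real switch).
DEFAULT_STYLE_CONFIG = """\
!
hostname Console
snmp-server community public ro
snmp-server community private rw
ip telnet server
ip http server
!
"""

HARDENED_CONFIG = """\
!
hostname core-sw-01
snmp-server user opsadmin netops v3 auth sha PLACEHOLDER-AUTH-PASSWORD
no ip telnet server
ip http secure-server
!
"""

if __name__ == "__main__":
    for name, cfg in (("default-style", DEFAULT_STYLE_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg):
            print(f"  [{f.severity}] line {f.line_no}: {f.message}")
```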
Figure 22: Telnet Connection Settings
DISPLAYING CPU UTILIZATION
Use the System > CPU Utilization page to display information on CPU utilization.
CLI REFERENCES
◆ "show process cpu" on page 729
PARAMETERS
The following parameters are displayed:
◆ Time Interval – The interval at which to update the displayed utilization rate. (Options: 1, 5, 10, 30, 60 seconds; Default: 1 second)
◆ CPU Utilization – CPU utilization over the specified interval.
Figure 23: Displaying CPU Utilization
DISPLAYING MEMORY UTILIZATION
Use the System > Memory Status page to display memory utilization parameters.
CLI REFERENCES
◆ "show memory" on page 728
PARAMETERS
The following parameters are displayed:
◆ Free Size – The amount of memory currently free for use.
◆ Used Size – The amount of memory allocated to active processes.
◆ Total – The total amount of system memory.
RESETTING THE SYSTEM
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
CLI REFERENCES
◆ "reload (Privileged Exec)" on page 714
◆ "reload (Global Configuration)" on page 710
◆ "show reload" on page 715
COMMAND USAGE
◆ This command resets the entire system.
◆ When the system is restarted, it will always run the Power-On Self-Test.
■ At – Specifies a time at which to reload the switch. ■ DD - The day of the month at which to reload. (Range: 01-31) ■ MM - The month at which to reload. (Range: 01-12) ■ YYYY - The year at which to reload. (Range: 1970-2037) ■ HH - The hour at which to reload. (Range: 00-23) ■ MM - The minute at which to reload. (Range: 00-59) ■ Regularly – Specifies a periodic interval at which to reload the switch.
Figure 25: Restarting the Switch (Immediately) Figure 26: Restarting the Switch (In)
Figure 27: Restarting the Switch (At) Figure 28: Restarting the Switch (Regularly)
5 INTERFACE CONFIGURATION This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch. ◆ Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
CHAPTER 5 | Interface Configuration Port Configuration PORT CONFIGURATION This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. CONFIGURING BY PORT LIST Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
■ SFP-Forced 1000SFP - Forces port to use 1000BASE SFP mode. ■ SFP-Forced 100FX - Forces port to use 100BASE-FX mode. ◆ Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported.
Figure 29: Configuring Connections by Port List CONFIGURING BY PORT RANGE Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control. For more information on command usage and a description of the parameters, refer to "Configuring by Port List" on page 156.
Figure 30: Configuring Connections by Port Range DISPLAYING CONNECTION STATUS Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI REFERENCES ◆ "show interfaces status" on page 1007 PARAMETERS These parameters are displayed: ◆ Port – Port identifier. ◆ Type – Indicates the port type.
Figure 31: Displaying Port Information CONFIGURING LOCAL PORT MIRRORING Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
◆ Spanning Tree BPDU packets are not mirrored to the target port. ◆ The destination port cannot be a trunk or trunk member port. PARAMETERS These parameters are displayed: ◆ Source Port – The port whose traffic will be monitored. ◆ Target Port – The port that will mirror the traffic on the source port. ◆ Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both.
Figure 34: Displaying Local Port Mirror Sessions CONFIGURING REMOTE PORT MIRRORING Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the specified source ports for each session over a user-specified VLAN dedicated to that RSPAN session in all participating switches.
◆ Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the VLAN Static List (see "Configuring VLAN Groups" on page 202) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN” field on this page). (Default VLAN 1 is prohibited.) 2. Set up the source switch on the RSPAN configuration page by specifying the mirror session, the switch’s role (Source), the RSPAN VLAN, and the uplink port.
■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port. PARAMETERS These parameters are displayed: ◆ Session – A number identifying this RSPAN session.
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. Also note that a destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Figure 38: Configuring Remote Port Mirroring (Destination) SHOWING PORT OR TRUNK STATISTICS Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
Table 7: Port Statistics (Continued) ◆ Transmitted Errors – The number of outbound packets that could not be transmitted because of errors. ◆ Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Table 7: Port Statistics (Continued) ◆ Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. ◆ Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
WEB INTERFACE To show a list of port statistics: 1. Click Interface, Port, Statistics. 2. Select the statistics mode to display (Interface, Etherlike, RMON or Utilization). 3. Select a port from the drop-down list. 4. Use the Refresh button to update the screen.
To show a chart of port statistics: 1. Click Interface, Port, Chart. 2. Select the statistics mode to display (Interface, Etherlike, RMON or All). 3. If Interface, Etherlike, or RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
PARAMETERS These parameters are displayed: ◆ Port – Port number. (Range: 25-28/49-52) ◆ General – Information on connector type and vendor-related parameters. ◆ DDM Information – Information on temperature, supply voltage, laser bias current, laser power, and received optical power. The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers.
CONFIGURING TRANSCEIVER THRESHOLDS Use the Interface > Port > Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitoring (DDM). This page also displays identifying information for supported transceiver types, and operational parameters for transceivers which support DDM.
■ High Warning – Sends a warning message when the high threshold is crossed. ■ High Alarm – Sends an alarm message when the high threshold is crossed. The configurable ranges are: ■ Temperature: -128.00-128.00 °C ■ Voltage: 0.00-6.55 Volts ■ Current: 0.00-131.00 mA ■ Power: -40.00-8.20 dBm The threshold value for Rx and Tx power is calculated as the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
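The following is an added example, not code from the guide or from Edge-core: it converts a transceiver's reported power from mW to the dBm scale the thresholds use, validates a threshold set against the configurable ranges quoted above, and returns the message class a reading would trigger. Low warning and low alarm thresholds, the "alarm beats warning" precedence, and the sample threshold values are assumptions made for the example.

```python
import math
from dataclasses import dataclass

# Configurable threshold ranges quoted in the guide, as (low, high).
RANGES = {
    "temperature": (-128.00, 128.00),   # degrees C
    "voltage": (0.00, 6.55),            # volts
    "current": (0.00, 131.00),          # mA (laser bias current)
    "power": (-40.00, 8.20),            # dBm, for both Rx and Tx power
}


def mw_to_dbm(milliwatts: float) -> float:
    """Power ratio in dB of the measured power referenced to 1 mW."""
    if milliwatts <= 0:
        return float("-inf")   # a dark receiver has no finite dBm value
    return 10.0 * math.log10(milliwatts)


@dataclass(frozen=True)
class Thresholds:
    # Low thresholds are an assumption; the page text lists only the high ones.
    low_alarm: float
    low_warning: float
    high_warning: float
    high_alarm: float

    def validate(self, param: str) -> None:
        """Reject values outside the configurable range or out of order."""
        lo, hi = RANGES[param]
        values = (self.low_alarm, self.low_warning, self.high_warning, self.high_alarm)
        for v in values:
            if not lo <= v <= hi:
                raise ValueError(f"{param} threshold {v} outside configurable range {lo}..{hi}")
        if list(values) != sorted(values):
            raise ValueError("thresholds must satisfy low alarm <= low warning <= high warning <= high alarm")


def evaluate(param: str, value: float, t: Thresholds) -> str:
    """Message class for a DDM reading: 'high alarm', 'high warning',
    'low alarm', 'low warning' or 'ok'. Alarms take precedence over warnings (assumption)."""
    t.validate(param)
    if value >= t.high_alarm:
        return "high alarm"
    if value >= t.high_warning:
        return "high warning"
    if value <= t.low_alarm:
        return "low alarm"
    if value <= t.low_warning:
        return "low warning"
    return "ok"


def evaluate_rx_power_mw(milliwatts: float, t: Thresholds) -> str:
    """An SFP reports Rx power in mW; the thresholds are configured in dBm."""
    return evaluate("power", mw_to_dbm(milliwatts), t)


if __name__ == "__main__":
    # Constructed Rx power thresholds for a short-reach optic.
    rx = Thresholds(low_alarm=-20.0, low_warning=-15.0, high_warning=-5.0, high_alarm=-2.0)
    for reading_mw in (0.0, 0.02, 0.2, 0.5, 1.0):
        print(f"{reading_mw:5.2f} mW -> {mw_to_dbm(reading_mw):8.2f} dBm: {evaluate_rx_power_mw(reading_mw, rx)}")
```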
Figure 42: Configuring Transceiver Thresholds PERFORMING CABLE DIAGNOSTICS Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault. Otherwise, it reports the cable length. It can be used to determine the quality of the cable, connectors, and terminations.
■ Impedance mismatch: Terminating impedance is not in the reference range. ◆ Ports are linked down while running cable diagnostics. PARAMETERS These parameters are displayed: ◆ Port – Switch port identifier. ◆ Type – Displays media type. (GE – Gigabit Ethernet, Other – SFP) ◆ Link Status – Shows if the port link is up or down.
TRUNK CONFIGURATION This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 16 trunks at a time on the switch.
CONFIGURING A STATIC TRUNK Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters.
5. Set the unit and port for the initial trunk member. 6. Click Apply. Figure 45: Creating Static Trunks To add member ports to a static trunk: 1. Click Interface, Trunk, Static. 2. Select Configure Trunk from the Step list. 3. Select Add Member from the Action list. 4. Select a trunk identifier. 5. Set the unit and port for an additional trunk member. 6. Click Apply.
Figure 47: Configuring Connection Parameters for a Static Trunk To display trunk connection parameters: 1. Click Interface, Trunk, Static. 2. Select Configure General from the Step list. 3. Select Show Information from the Action list.
COMMAND USAGE ◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
■ Long Timeout – Specifies a slow timeout of 90 seconds. (This is the default setting.) ■ Short Timeout – Specifies a fast timeout of 3 seconds. The timeout is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs. When the partner switch receives an LACPDU set with a short timeout from the actor switch, the partner adjusts the transmit LACPDU interval to 1 second.
more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port. ■ If an LAG already exists with the maximum number of allowed port members, and LACP is subsequently enabled on another port using a higher priority than an existing member, the newly configured port will replace an existing port member that has a lower priority.
To enable LACP for a port: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Configure from the Action list. 4. Click General. 5. Enable LACP on the required ports. 6. Click Apply.
To configure LACP parameters for group members: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Configure from the Action list. 4. Click Actor or Partner. 5. Configure the required settings. 6. Click Apply. Figure 52: Configuring LACP Parameters on a Port To show the active members of a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Trunk from the Step list. 3.
To configure connection parameters for a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Trunk from the Step list. 3. Select Configure from the Action list. 4. Modify the required interface settings. (See "Configuring by Port List" on page 156 for a description of the interface settings.) 5. Click Apply. Figure 54: Configuring Connection Settings for a Dynamic Trunk To show connection parameters for a dynamic trunk: 1.
PARAMETERS These parameters are displayed: Table 8: LACP Port Counters ◆ LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group. ◆ LACPDUs Received – Number of valid LACPDUs received on this channel group. ◆ Marker Sent – Number of valid Marker PDUs transmitted from this channel group. ◆ Marker Received – Number of valid Marker PDUs received by this channel group.
DISPLAYING LACP SETTINGS AND STATUS FOR THE LOCAL SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Figure 57: Displaying LACP Port Internal Information DISPLAYING LACP SETTINGS AND STATUS FOR THE REMOTE SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
WEB INTERFACE To display LACP settings and status for the remote side: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Show Information from the Action list. 4. Click Internal. 5. Select a group member from the Port list.
for switch-to-router trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-server trunk links where the destination IP address is the same for all traffic. ■ Destination MAC Address: All traffic with the same destination MAC address is output on the same link in a trunk.
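An added example, not from the guide or from Edge-core, that simulates how the load-balance mode decides which trunk member carries a flow. The hash function, the 40-client flow sets and the 'src-dst-ip' mode are constructed for the example; the guide itself names only the destination-IP and destination-MAC modes shown here.

```python
import hashlib
from collections import Counter


def _bucket(key: str, links: int) -> int:
    """Map the selected header field(s) onto a member-link index.
    (Constructed stand-in; the switch's real hash is not documented on the page.)"""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % links


# Which header fields each mode feeds into the hash.
KEY_FIELDS = {
    "dst-mac": lambda f: f["dst_mac"],                         # named in the guide
    "dst-ip": lambda f: f["dst_ip"],                           # named in the guide
    "src-dst-ip": lambda f: f["src_ip"] + "|" + f["dst_ip"],   # assumed mode, for contrast
}


def distribute(flows, mode: str, links: int) -> Counter:
    """Number of flows carried by each member link under the given mode."""
    select = KEY_FIELDS[mode]
    counts = Counter({i: 0 for i in range(links)})
    for flow in flows:
        counts[_bucket(select(flow), links)] += 1
    return counts


def idle_links(counts: Counter) -> int:
    """Member links that carry nothing, i.e. wasted trunk capacity."""
    return sum(1 for n in counts.values() if n == 0)


# Constructed traffic: 40 clients behind a switch-to-server trunk, all talking to one server.
SERVER_FLOWS = [
    {"src_mac": f"00:11:22:33:44:{i:02x}", "dst_mac": "aa:bb:cc:dd:ee:ff",
     "src_ip": f"10.0.1.{i}", "dst_ip": "10.0.0.5"}
    for i in range(1, 41)
]
# Constructed traffic: the same clients reaching 40 different hosts through a router.
ROUTER_FLOWS = [
    {"src_mac": f"00:11:22:33:44:{i:02x}", "dst_mac": "00:00:5e:00:01:01",
     "src_ip": f"10.0.1.{i}", "dst_ip": f"192.0.2.{i}"}
    for i in range(1, 41)
]

if __name__ == "__main__":
    for name, flows in (("switch-to-server", SERVER_FLOWS), ("switch-to-router", ROUTER_FLOWS)):
        for mode in KEY_FIELDS:
            counts = distribute(flows, mode, 4)
            print(f"{name:17} {mode:11} {dict(counts)}  idle links: {idle_links(counts)}")
```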
WEB INTERFACE To display the load-distribution method used by ports in aggregated links: 1. Click Interface, Trunk, Load Balance. 2. Select the required method from the Load Balance Mode list. 3. Click Apply. Figure 59: Configuring Load Balancing SAVING POWER Use the Interface > Green Ethernet page to enable power savings mode on the selected port. CLI REFERENCES ◆ "power-save" on page 1019 ◆ "show power-save" on page 1020 COMMAND USAGE ◆ IEEE 802.
■ Power saving when there is a link partner: Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorter. When cable length is shorter, power consumption can be reduced since signal attenuation is proportional to cable length.
TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
Figure 61: Enabling Traffic Segmentation CONFIGURING UPLINK AND DOWNLINK PORTS Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
assigned downlink ports will not be able to communicate with any other ports. ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. PARAMETERS These parameters are displayed: ◆ Session ID – Traffic segmentation session. (Range: 1-4) ◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink.
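The forwarding rule described in the preceding paragraphs, as an added example that is not code from the guide or from Edge-core: it lets you check which port pairs a planned segmentation session would still allow to talk before applying it. Port numbers are constructed, and the choice to confine downlink ports to the uplink ports of their own session (rather than any session's uplinks) is an assumption.

```python
from dataclasses import dataclass, field

MAX_SESSIONS = 4   # Session ID range 1-4 from the guide


@dataclass
class Session:
    uplink: set = field(default_factory=set)
    downlink: set = field(default_factory=set)


class TrafficSegmentation:
    def __init__(self, port_count: int):
        self.ports = set(range(1, port_count + 1))
        self.sessions: dict[int, Session] = {}

    def add(self, session_id: int, direction: str, port: int) -> None:
        """Add a port to a session as 'uplink' or 'downlink' (the page's Direction parameter)."""
        if not 1 <= session_id <= MAX_SESSIONS:
            raise ValueError("Session ID out of range 1-4")
        if direction not in ("uplink", "downlink"):
            raise ValueError("direction must be 'uplink' or 'downlink'")
        if port not in self.ports:
            raise ValueError(f"no such port {port}")
        if self.role_of(port)[1] != "normal":
            raise ValueError(f"port {port} already belongs to a session")
        getattr(self.sessions.setdefault(session_id, Session()), direction).add(port)

    def role_of(self, port: int):
        """(session id, role) where role is 'uplink', 'downlink' or 'normal'."""
        for sid, s in self.sessions.items():
            if port in s.uplink:
                return sid, "uplink"
            if port in s.downlink:
                return sid, "downlink"
        return None, "normal"

    def can_forward(self, src: int, dst: int) -> bool:
        """May a frame received on src be switched out of dst?"""
        if src == dst:
            return False
        sid, role = self.role_of(src)
        if role == "downlink":
            # Downlink ports reach only the uplink ports of their session (assumption:
            # own session only). A session with no uplink port leaves its downlink
            # ports fully isolated, as the guide states.
            return dst in self.sessions[sid].uplink
        # Uplink ports (with or without downlinks) and normal ports reach every port
        # except downlink ports, which accept traffic only from their own uplinks.
        dsid, drole = self.role_of(dst)
        if drole == "downlink":
            return role == "uplink" and dsid == sid
        return True

    def allowed_pairs(self) -> set:
        """Every (src, dst) pair the switch would forward; review this before applying."""
        return {(a, b) for a in self.ports for b in self.ports if self.can_forward(a, b)}


if __name__ == "__main__":
    seg = TrafficSegmentation(10)
    seg.add(1, "uplink", 1); seg.add(1, "downlink", 2); seg.add(1, "downlink", 3)
    seg.add(2, "uplink", 4); seg.add(2, "downlink", 5)
    for src, dst in ((2, 3), (2, 1), (2, 4), (6, 2), (6, 9)):
        print(f"port {src} -> port {dst}: {'allowed' if seg.can_forward(src, dst) else 'blocked'}")
```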
To show the members of the traffic segmentation group: 1. Click Interface, Traffic Segmentation. 2. Select Configure Session from the Step list. 3. Select Show from the Action list. Figure 63: Showing Traffic Segmentation Members VLAN TRUNKING Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports. ◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see "Adding Static Members to VLANs" on page 205).
Figure 65: Configuring VLAN Trunking
6 VLAN CONFIGURATION This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs. ◆ Protocol VLANs – Configures VLAN groups based on specified protocols.
CHAPTER 6 | VLAN Configuration IEEE 802.1Q VLANs VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: ◆ Up to 4094 VLANs based on the IEEE 802.
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
Figure 67: Using GVRP (Port-based VLAN) Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
◆ Status – Enables or disables the specified VLAN. ◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 162). Modify ◆ VLAN ID – ID of configured VLAN (1-4094). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN.
Figure 68: Creating Static VLANs To modify the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Modify from the Action list. 3. Select the identifier of a configured VLAN. 4. Modify the VLAN name, operational status, or Layer 3 Interface status as required. 5. Click Apply. Figure 69: Modifying Settings for Static VLANs To show the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Show from the Action list.
ADDING STATIC MEMBERS TO VLANS Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or Edit Member by Interface Range) pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
◆ Acceptable Frame Type – Sets the interface to accept all frame types, including tagged or untagged frames, or only tagged frames. When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. (Options: All, Tagged; Default: All) ◆ Ingress Filtering – Determines how to process frames tagged for VLANs for which the ingress port is not a member.
Edit Member by Interface Range All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below. ◆ Port Range – Displays a list of ports. (Range: 1-28/52) ◆ Trunk Range – Displays a list of ports.
5. Click Apply. Figure 72: Configuring Static VLAN Members by Interface To configure static members by interface range: 1. Click VLAN, Static. 2. Select Edit Member by Interface Range from the Action list. 3. Set the Interface type to display as Port or Trunk. 4. Enter an interface range. 5. Modify the VLAN parameters as required.
CONFIGURING DYNAMIC VLAN Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.
the group. (Range: 500-18000 centiseconds; Default: 1000 centiseconds) Show Dynamic VLAN – Show VLAN ◆ VLAN ID – Identifier of a VLAN this switch has joined through GVRP. ◆ VLAN Name – Name of a VLAN this switch has joined through GVRP. ◆ Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled) Show Dynamic VLAN – Show VLAN Member ◆ VLAN – Identifier of a VLAN this switch has joined through GVRP.
Figure 75: Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch: 1. Click VLAN, Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3. Select Show VLAN from the Action list. Figure 76: Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN: 1. Click VLAN, Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3. Select Show VLAN Members from the Action list.
IEEE 802.1Q TUNNELING IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
CHAPTER 6 | VLAN Configuration IEEE 802.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: ◆ Untagged ◆ One tag (CVLAN or SPVLAN) ◆ Double tag (CVLAN + SPVLAN) The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner: 1.
Configuration Limitations for QinQ ◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN.
ENABLING QINQ TUNNELING ON THE SWITCH Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Figure 79: Enabling QinQ Tunneling CREATING CVLAN TO SPVLAN Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.
◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094) WEB INTERFACE To configure a mapping entry: 1. Click VLAN, Tunnel. 2. Select Configure Service from the Step list. 3. Select Add from the Action list. 4. Select an interface from the Port list. 5. Specify the CVID to SVID mapping for packets exiting the specified port. 6. Click Apply. Figure 80: Configuring CVLAN to SPVLAN Mapping Entries To show the mapping table: 1.
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the switchport dot1q-tunnel service match cvid command. ADDING AN INTERFACE TO A QINQ TUNNEL Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
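The CVID-to-SVID mapping just described, worked through on raw frame bytes as an added example (not code from the guide or from Edge-core): a per-port service table selects the outer SVID and the outer tag is pushed with a configurable TPID. The port 1, CVID 2 to SVID 99 mapping is the guide's own example; the frame bytes, the fallback to a default SPVLAN for unmapped or untagged customer frames, and reading the customer tag at the standard 0x8100 ethertype are assumptions.

```python
from typing import Optional

DEFAULT_TPID = 0x8100   # standard 802.1Q ethertype; the guide lets a nonstandard one be set


def push_service_tag(raw: bytes, svid: int, tpid: int = DEFAULT_TPID, pcp: int = 0) -> bytes:
    """Insert an outer (service) tag after the source MAC, leaving any customer tag intact."""
    if not 1 <= svid <= 4094:
        raise ValueError("Service VLAN ID out of range 1-4094")
    if len(raw) < 14:
        raise ValueError("runt frame")
    tci = ((pcp & 0x7) << 13) | (svid & 0x0FFF)
    return raw[:12] + tpid.to_bytes(2, "big") + tci.to_bytes(2, "big") + raw[12:]


def customer_vid(raw: bytes) -> Optional[int]:
    """CVID from the customer's own 802.1Q tag, or None for an untagged customer frame."""
    if len(raw) < 18 or int.from_bytes(raw[12:14], "big") != 0x8100:
        return None
    return int.from_bytes(raw[14:16], "big") & 0x0FFF


def outer_vid(raw: bytes) -> int:
    """VID of the first tag in the frame (the service tag after egress processing)."""
    return int.from_bytes(raw[14:16], "big") & 0x0FFF


class ServiceMapping:
    """Per-port CVID -> SVID table consulted for packets exiting the tunnel uplink port."""

    def __init__(self, tpid: int = DEFAULT_TPID):
        self.tpid = tpid
        self.table: dict[int, dict[int, int]] = {}   # port -> {cvid: svid}

    def add(self, port: int, cvid: int, svid: int) -> None:
        for v, name in ((cvid, "Customer"), (svid, "Service")):
            if not 1 <= v <= 4094:
                raise ValueError(f"{name} VLAN ID out of range 1-4094")
        self.table.setdefault(port, {})[cvid] = svid

    def egress(self, port: int, raw: bytes, default_spvlan: int) -> bytes:
        """Tag a frame leaving `port`; unmapped or untagged frames get default_spvlan (assumption)."""
        svid = self.table.get(port, {}).get(customer_vid(raw), default_spvlan)
        return push_service_tag(raw, svid, self.tpid)


# Constructed customer frames: broadcast dst, made-up src, IPv4 payload stub.
CUSTOMER_FRAME_CVID2 = bytes.fromhex("ffffffffffff" "001122334455" "8100" "0002" "0800") + bytes(28)
CUSTOMER_FRAME_UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + bytes(28)

if __name__ == "__main__":
    svc = ServiceMapping()
    svc.add(1, 2, 99)   # the guide's example: port 1, CVID 2 -> SVID 99
    out = svc.egress(1, CUSTOMER_FRAME_CVID2, default_spvlan=100)
    print("outer SVID:", outer_vid(out), "inner CVID:", int.from_bytes(out[18:20], "big") & 0x0FFF)
    print("untagged customer frame gets SVID:", outer_vid(svc.egress(1, CUSTOMER_FRAME_UNTAGGED, 100)))
```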
4. Click Apply. Figure 82: Adding an Interface to a QinQ Tunnel PROTOCOL VLANS The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
CONFIGURING PROTOCOL VLAN GROUPS Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups. CLI REFERENCES ◆ "protocol-vlan protocol-group (Configuring Groups)" on page 1179 PARAMETERS These parameters are displayed: ◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol. ◆ Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6.
Figure 83: Configuring Protocol VLANs To configure a protocol group: 1. Click VLAN, Protocol. 2. Select Configure Protocol from the Step list. 3. Select Show from the Action list. Figure 84: Displaying Protocol VLANs MAPPING PROTOCOL GROUPS TO INTERFACES Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: ■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames. ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. ■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
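The ingress classification rules from the VLAN Classification, Acceptable Frame Type, Ingress Filtering and protocol VLAN descriptions above, combined in one added example that is not code from the guide or from Edge-core. The frame parser, the PortConfig field names and the sample frames are constructed; protocol matching is done on the Ethernet II ethertype only (the RFC 1042 and LLC frame types are not handled), and the interaction with MAC-based or IP-subnet classification is not modelled because this page does not state their precedence.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortConfig:
    pvid: int                                   # default VLAN ID of the receiving port
    member_of: set                              # VLANs the port is a member of
    acceptable_frame_type: str = "All"          # "All" or "Tagged" (the page's options)
    ingress_filtering: bool = False             # drop tagged frames for non-member VLANs
    protocol_vlans: dict = field(default_factory=dict)  # ethertype -> VLAN mapped on this port


@dataclass(frozen=True)
class Frame:
    tag_vid: Optional[int]   # 802.1Q VID from the tag, None when untagged
    ethertype: int           # protocol type carried (0x0800 IP, 0x0806 ARP, ...)


@dataclass(frozen=True)
class Decision:
    vid: Optional[int]       # assigned VLAN, or None when the frame is dropped
    reason: str


def parse_frame(raw: bytes) -> Frame:
    """Minimal Ethernet / 802.1Q header parser (constructed helper, standard TPID only)."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    ethertype = int.from_bytes(raw[12:14], "big")
    if ethertype != 0x8100:
        return Frame(None, ethertype)
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = int.from_bytes(raw[14:16], "big")
    return Frame(tci & 0x0FFF, int.from_bytes(raw[16:18], "big"))


def classify(port: PortConfig, frame: Frame) -> Decision:
    """Assign an ingress frame to a VLAN using the rules described in the guide."""
    if frame.tag_vid is not None:
        # Tagged frame: the tag identifies the broadcast domain (standard tagged rules).
        if port.ingress_filtering and frame.tag_vid not in port.member_of:
            return Decision(None, f"ingress filtering: port is not a member of VLAN {frame.tag_vid}")
        return Decision(frame.tag_vid, "tagged frame, VID taken from the tag")
    # Untagged frame.
    if port.acceptable_frame_type == "Tagged":
        return Decision(None, "untagged frame on a port that accepts tagged frames only")
    vid = port.protocol_vlans.get(frame.ethertype)
    if vid is not None:
        return Decision(vid, f"protocol VLAN match for ethertype {frame.ethertype:#06x}")
    return Decision(port.pvid, "no protocol match: default VLAN of the receiving port")


# Constructed sample frames: broadcast dst, made-up src, zero-filled payload stubs.
_HDR = bytes.fromhex("ffffffffffff" "001122334455")
ARP_UNTAGGED = _HDR + bytes.fromhex("0806") + bytes(28)
IP_UNTAGGED = _HDR + bytes.fromhex("0800") + bytes(28)
IP_TAGGED_VLAN20 = _HDR + bytes.fromhex("8100" "0014" "0800") + bytes(28)   # TCI 0x0014 -> VID 20

if __name__ == "__main__":
    port = PortConfig(pvid=1, member_of={1, 10}, protocol_vlans={0x0806: 30})
    for raw in (ARP_UNTAGGED, IP_UNTAGGED, IP_TAGGED_VLAN20):
        print(classify(port, parse_frame(raw)))
    strict = PortConfig(pvid=1, member_of={1, 10}, ingress_filtering=True)
    print(classify(strict, parse_frame(IP_TAGGED_VLAN20)))
```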
Figure 85: Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: 1. Click VLAN, Protocol. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list. 4. Select a port or trunk.
CONFIGURING IP SUBNET VLANS Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
WEB INTERFACE To map an IP subnet to a VLAN: 1. Click VLAN, IP Subnet. 2. Select Add from the Action list. 3. Enter an address in the IP Address field. 4. Enter a mask in the Subnet Mask field. 5. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured. 6. Enter a value to assign to untagged frames in the Priority field. 7. Click Apply.
CONFIGURING MAC-BASED VLANS Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
WEB INTERFACE To map a MAC address to a VLAN: 1. Click VLAN, MAC-Based. 2. Select Add from the Action list. 3. Enter an address in the MAC Address field, and a mask to indicate a range of addresses. 4. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured. 5. Enter a value to assign to untagged frames in the Priority field. 6. Click Apply.
CONFIGURING VLAN MIRRORING Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner. CLI REFERENCES ◆ "Port Mirroring Commands" on page 1045 COMMAND USAGE ◆ All active ports in a source VLAN are monitored for ingress traffic only.
WEB INTERFACE To configure VLAN mirroring: 1. Click VLAN, Mirror. 2. Select Add from the Action list. 3. Select the source VLAN, and select a target port. 4. Click Apply. Figure 91: Configuring VLAN Mirroring To show the VLANs to be mirrored: 1. Click VLAN, Mirror. 2. Select Show from the Action list.
7 ADDRESS TABLE SETTINGS
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. This chapter describes the following topics:
◆ MAC Address Learning – Enables or disables address learning on an interface.

◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist:
■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 389).
■ Security Status (see "Configuring Port Security" on page 385) is enabled on the same interface.

PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.

SETTING STATIC ADDRESSES
Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.

4. Click Apply.

Figure 94: Configuring Static MAC Addresses

To show the static addresses in the MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.

Figure 95: Displaying Static MAC Addresses

CHANGING THE AGING TIME
Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.

WEB INTERFACE
To set the aging time for entries in the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Configure Aging from the Action list.
3. Modify the aging status if required.
4. Specify a new aging time.
5. Click Apply.

WEB INTERFACE
To show the dynamic address table:
1. Click MAC Address, Dynamic.
2. Select Show Dynamic MAC from the Action list.
3. Select the Sort Key (MAC Address, VLAN, or Interface).
4. Enter the search parameters (MAC Address, VLAN, or Interface).
5. Click Query.

3. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
4. Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface.
5. Click Clear.

PARAMETERS
These parameters are displayed:
◆ Source MAC – MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
◆ Target Port – The port that will mirror the traffic from the source port. (Range: 1-28/52)

WEB INTERFACE
To mirror packets based on a MAC address:
1. Click MAC Address, Mirror.
2. Select Add from the Action list.
3. Specify the source MAC address and destination port.
4. Click Apply.
8 SPANNING TREE ALGORITHM
This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.

lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

Figure 102: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree

An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 257). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
CONFIGURING LOOPBACK DETECTION
Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode. This loopback state can be released manually or automatically.

◆ Shutdown Interval – The duration to shut down the interface. (Range: 60-86400 seconds)
If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired. If an interface is shut down due to a detected loopback, and the release mode is set to “Manual,” the interface can be re-enabled using the Release button.

This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.

◆ Spanning Tree Type – Specifies the type of spanning tree used on this switch:
■ STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode.
■ RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
■ MSTP: Multiple Spanning Tree (IEEE 802.

◆ Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3)

When the Switch Becomes Root
◆ Hello Time – Interval (in seconds) at which the root device transmits a configuration message.
■ Default: 2
■ Minimum: 1
■ Maximum: The lower of 10 or [(Max.

◆ Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
◆ Region Name – The name for this MSTI. (Maximum length: 32 characters; Default: switch’s MAC address)
◆ Max Hop Count – The maximum number of hops allowed in the MST region before a BPDU is discarded. (Range: 1-40; Default: 20)
NOTE: Region Revision and Region Name are both required to uniquely identify an MST region.
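The MST Configuration Identifier that bridges compare to decide whether they are in the same region is made of the Region Name, the Region Revision and the Configuration Digest; the digest is an HMAC-MD5 over the VLAN-to-instance table, so two switches with the same name and revision still split into separate regions if their VLAN-to-MSTI mappings differ by a single VLAN. The following Python is an added example (not the guide's or the switch's own code) that computes the digest as IEEE 802.1Q defines it and compares two identifiers; the region name, revision and VLAN mappings used in it are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass

# HMAC-MD5 key fixed by IEEE 802.1Q (clause 13.7) for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_msti):
    """
    Digest of the MST Configuration Table: 4096 two-octet big-endian MSTID
    entries, element i holding the MSTID of VLAN i. VLANs absent from the
    mapping stay in the CIST (MSTID 0), so an empty mapping is the default table.
    """
    table = bytearray(4096 * 2)
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} out of range")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTID {msti} out of range")
        table[2 * vlan:2 * vlan + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


@dataclass(frozen=True)
class MstConfigId:
    name: str        # Region Name, at most 32 characters (the guide's limit)
    revision: int    # Region Revision, 0-65535
    digest: str      # Configuration Digest derived from the VLAN-to-instance table

    @classmethod
    def build(cls, name, revision, vlan_to_msti):
        if len(name.encode()) > 32:
            raise ValueError("Region Name longer than 32 characters")
        if not 0 <= revision <= 65535:
            raise ValueError("Region Revision out of range")
        return cls(name, revision, mst_config_digest(vlan_to_msti))


def same_region(a, b):
    """Two bridges share an MST region only when all three identifier fields match."""
    return (a.name, a.revision, a.digest) == (b.name, b.revision, b.digest)
```

With no VLAN mapped to any instance the digest is the well-known default value AC36177F50283CD4B83821D8AB26DE62, which is what a switch shows before any MSTI is configured; after adding a VLAN to an instance on one switch, compare the displayed digest on its neighbours to confirm the region did not silently split.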
Figure 106: Configuring Global Settings for STA (RSTP)
Figure 107: Configuring Global Settings for STA (MSTP)
DISPLAYING GLOBAL SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.

WEB INTERFACE
To display global STA settings:
1. Click Spanning Tree, STA.
2. Select Configure Global from the Step list.
3. Select Show Information from the Action list.

◆ Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.

■ Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.)
◆ Root Guard – STA allows a bridge with a lower bridge identifier (or same identifier and lower MAC address) to take over as the root bridge at any time. Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location.

■ If the port does not receive any BPDUs after the edge delay timer expires, its role changes to designated port and it immediately enters forwarding state (see "Displaying Interface Settings for STA" on page 254).
◆ BPDU Guard – This feature protects edge ports from receiving BPDUs. It prevents loops by shutting down an edge port when a BPDU is received instead of putting it into the spanning tree discarding state.

Figure 109: Configuring Interface Settings for STA

DISPLAYING INTERFACE SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.

CLI REFERENCES
◆ "show spanning-tree" on page 1116

PARAMETERS
These parameters are displayed:
◆ Spanning Tree – Shows if STA has been enabled on this interface.

The rules defining port status are:
■ A port on a network segment with no other STA compliant bridging device is always forwarding.
■ If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.

Figure 110: STA Port Roles (R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port). An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. A backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.

WEB INTERFACE
To display interface settings for STA:
1.
CONFIGURING MULTIPLE SPANNING TREES
Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.

CLI REFERENCES
◆ "Spanning Tree Commands" on page 1091

COMMAND USAGE
MSTP generates a unique spanning tree for each instance.

WEB INTERFACE
To create instances for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global - Add Member) page. If the priority is not specified, the default value 32768 is used.
5. Click Apply.

To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.

Figure 114: Modifying the Priority for an MST Instance

To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3.

To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5. Enter the VLAN group to add to the instance in the VLAN ID field. Note that the specified member does not have to be a configured VLAN.
6.

CONFIGURING INTERFACE SETTINGS FOR MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.

CLI REFERENCES
◆ "Spanning Tree Commands" on page 1091

PARAMETERS
These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Default: 0)
◆ Interface – Displays a list of ports or trunks.

The recommended range is listed in Table 12 on page 251. The default path costs are listed in Table 13 on page 251.

WEB INTERFACE
To configure MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Enter the priority and path cost for an interface.
5. Click Apply.
9 CONGESTION CONTROL
The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.

◆ Rate – Sets the rate limit level. (Range: 64 - 1000000 kbits per second)

WEB INTERFACE
To configure rate limits:
1. Click Traffic, Rate Limit.
2. Set the interface type to Port or Trunk.
3. Check the Status box to enable rate limiting for an interface.
4. Set the rate limit for the required interfaces.
5. Click Apply.

◆ Traffic storms can be controlled at the hardware level using Storm Control or at the software level using Automatic Traffic Control which triggers various control responses. However, only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.

Figure 121: Configuring Storm Control

AUTOMATIC TRAFFIC CONTROL
Use the Traffic > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

CLI REFERENCES
◆ "Automatic Traffic Control Commands" on page 785

COMMAND USAGE
ATC includes storm control for broadcast or multicast traffic.

◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged.
◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.

SETTING THE ATC TIMERS
Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.

Figure 124: Configuring ATC Timers

CONFIGURING ATC THRESHOLDS AND RESPONSES
Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.

◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 122 on page 266. When traffic control stops, the event is logged by the system and a Traffic Release Trap can be sent.

WEB INTERFACE
To configure the response timers for automatic storm control:
1. Click Traffic, Auto Traffic Control.
2. Select Configure Interface from the Step field.
3. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
4. Click Apply.
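The ATC behaviour described in this section (upper and lower thresholds, apply and release timers, a control response that is released automatically only for rate limiting, and the traps sent at each transition) is a small state machine. The following Python is an added example (not the guide's or the switch's code) that simulates it on a constructed sequence of per-second ingress rate samples. The state names, the "Storm Alarm Fire Trap" name, and the choice that a storm recurring during the release timer cancels the release are assumptions; the threshold units are whatever the rate samples are measured in.

```python
from dataclasses import dataclass, field


@dataclass
class AtcConfig:
    fire_threshold: int           # Alarm Fire Threshold (upper), same units as the rate samples
    clear_threshold: int          # Alarm Clear Threshold (lower)
    apply_timer: int              # seconds above the upper threshold before the response is applied
    release_timer: int            # seconds below the lower threshold before rate limiting is released
    response: str = "rate-limit"  # "rate-limit" or "shutdown"
    auto_release: bool = True     # Auto Release Control; only meaningful for rate limiting


@dataclass
class AtcPort:
    """ATC state of one port: normal -> alarm -> controlled -> releasing -> normal (or held)."""
    cfg: AtcConfig
    state: str = "normal"
    timer: int = 0
    events: list = field(default_factory=list)

    def _log(self, t, msg):
        self.events.append((t, msg))

    def tick(self, t, rate):
        """Feed one per-second ingress rate sample taken at time t; returns the new state."""
        c = self.cfg
        if self.state == "normal":
            if rate > c.fire_threshold:
                self._log(t, "Storm Alarm Fire Trap")
                self.state, self.timer = "alarm", c.apply_timer
        elif self.state == "alarm":
            if rate < c.clear_threshold:
                # storm subsided before the apply timer expired: no response is applied
                self._log(t, "Storm Alarm Clear Trap")
                self.state = "normal"
            else:
                self.timer -= 1
                if self.timer <= 0:
                    self._log(t, f"Traffic Control Apply Trap ({c.response})")
                    self.state = "controlled"
        elif self.state == "controlled":
            if rate < c.clear_threshold:
                self._log(t, "Storm Alarm Clear Trap")
                if c.response == "rate-limit" and c.auto_release:
                    self.state, self.timer = "releasing", c.release_timer
                else:
                    self.state = "held"  # shutdown, or auto release off: waits for the operator
        elif self.state == "releasing":
            if rate > c.fire_threshold:
                self._log(t, "Storm Alarm Fire Trap")  # assumption: re-arming cancels the release
                self.state = "controlled"
            else:
                self.timer -= 1
                if self.timer <= 0:
                    self._log(t, "Traffic Release Trap")
                    self.state = "normal"
        # "held": nothing changes until release_manual() is called
        return self.state

    def release_manual(self, t):
        """Operator-initiated release of an applied response."""
        if self.state in ("controlled", "releasing", "held"):
            self._log(t, "manual release")
            self.state = "normal"


# Constructed ingress samples, one per second: a storm from t=1 to t=4, then quiet.
RATES = [10, 150, 150, 150, 150, 20, 20, 20, 20, 10]


def simulate(cfg, rates=RATES):
    """Run the samples through one port; returns (final state, [(t, event), ...])."""
    port = AtcPort(cfg)
    for t, rate in enumerate(rates):
        port.tick(t, rate)
    return port.state, port.events
```

With fire=100, clear=50, apply timer 2 s and release timer 3 s, the storm starting at t=1 fires the alarm at once but rate limiting is applied only at t=3, and the limit is released at t=8, three seconds after the rate fell below the clear threshold; with the shutdown response the port stays in the held state until a manual release, which is the behaviour the Auto Release Control parameter describes.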
10 CLASS OF SERVICE
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.

frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.

PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface.

COMMAND USAGE
◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
◆ WRR queuing specifies a relative weight for each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.

WEB INTERFACE
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4. If the queue mode that uses a combination of strict and weighted queuing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
5. Click Apply.
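To make the difference between the three queue modes concrete, the following Python is an added example (not code from the guide) that simulates strict, WRR and combined strict-plus-WRR scheduling of the four per-port queues over a fixed number of transmit opportunities. The backlog sizes and the weights (1, 2, 4, 8) are constructed values; the switch's actual default weights are not stated in this section.

```python
from collections import Counter, deque

# Four egress queues per port, as in the guide; queue 3 is the highest priority.
NUM_QUEUES = 4


def build_queues(backlog):
    """backlog[q] packets waiting in queue q; each packet is tagged with its queue number."""
    return [deque([q] * n) for q, n in enumerate(backlog)]


def schedule(backlog, slots, mode="wrr", weights=(1, 2, 4, 8), strict=()):
    """
    Simulate `slots` transmit opportunities on one port with a static backlog.
    mode: "strict" (every queue strict), "wrr" (every queue weighted) or
    "hybrid" (queues listed in `strict` are served first, the rest by WRR).
    Returns the queue number served at each slot.
    """
    queues = build_queues(backlog)
    strict_set = set(range(len(queues))) if mode == "strict" else set(strict)
    served = []
    while len(served) < slots and any(queues):
        # Strict queues: the highest-numbered non-empty strict queue wins the slot.
        hi = next((q for q in sorted(strict_set, reverse=True) if queues[q]), None)
        if hi is not None:
            served.append(queues[hi].popleft())
            continue
        # One WRR round: each weighted queue gets up to `weight` slots, lowest queue first.
        progressed = False
        for q in range(len(queues)):
            if q in strict_set:
                continue
            for _ in range(weights[q]):
                if not queues[q] or len(served) >= slots:
                    break
                served.append(queues[q].popleft())
                progressed = True
        if not progressed:
            break
    return served


def service_share(served):
    """Slots received by each queue, e.g. {3: 3, 2: 3}."""
    return dict(Counter(served))


# Constructed backlog: three packets waiting in each of the four queues.
BACKLOG = [3, 3, 3, 3]
```

With six slots, strict mode serves only queues 3 and 2 and queue 0 receives nothing (the head-of-line blocking the text mentions), WRR serves every queue in proportion to its weight, and the combined mode drains the strict queue 3 first and then shares the remaining slots among the weighted queues.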
MAPPING COS VALUES TO EGRESS QUEUES
Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see "Mapping CoS Priorities to Internal DSCP Values" on page 283.)

◆ The default internal PHB to output queue mapping is shown below.

Table 16: Mapping Internal Per-hop Behavior to Hardware Queues
Per-hop Behavior   0  1  2  3  4  5  6  7
Hardware Queue     1  0  0  1  2  2  3  3

◆ The specified mapping applies to all interfaces.

PARAMETERS
These parameters are displayed:
◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7, where 7 is the highest priority)
◆ Queue – Output queue buffer.

Figure 131: Showing CoS Values to Egress Queue Mapping

LAYER 3/4 PRIORITY SETTINGS
Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.

SETTING PRIORITY PROCESSING TO DSCP OR COS
The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method.

CLI REFERENCES
◆ "qos map trust-mode" on page 1204

COMMAND USAGE
◆ If the QoS mapping mode is set to DSCP, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.

Figure 132: Setting the Trust Mode

MAPPING INGRESS DSCP VALUES TO INTERNAL DSCP VALUES
Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing. The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors.

◆ Drop Precedence – Drop precedence used for Random Early Detection in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)

Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values (each cell is PHB,Drop Precedence; the ingress DSCP is the row value times 10 plus the column value)
Ingress DSCP   0    1    2    3    4    5    6    7    8    9
0              0,0  0,1  0,0  0,3  0,0  0,1  0,0  0,3  1,0  1,1
1              1,0  1,3  1,0  1,1  1,0  1,3  2,0  2,1  2,0  2,3
2              2,0  2,1  2,0  2,3  3,0  3,1  3,0  3,3  3.

Figure 134: Showing DSCP to DSCP Internal Mapping

MAPPING COS PRIORITIES TO INTERNAL DSCP VALUES
Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for internal priority processing.

CLI REFERENCES
◆ "qos map cos-dscp" on page 1200

COMMAND USAGE
◆ The default mapping of CoS to PHB values is shown in Table 18 on page 284.

◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
◆ Drop Precedence – Drop precedence used for Random Early Detection in controlling traffic congestion.

To show the CoS/CFI to internal PHB/drop precedence map:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Show from the Action list.
11 QUALITY OF SERVICE
This chapter describes the following tasks required to apply QoS policies:
◆ Class Map – Creates a map which identifies a specific class of traffic.
◆ Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
◆ Binding to a Port – Applies a policy map to an ingress port.

COMMAND USAGE
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, or a CoS value.
3.

◆ Description – A brief description of a class map. (Range: 1-64 characters)

Add Rule
◆ Class Name – Name of the class map.
◆ Type – The criteria specified by the match command. (This field is set on the Add page.)
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value. (Range: 0-63)
◆ IP Precedence – An IP Precedence value.

To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.

Figure 138: Showing Class Maps

To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5.

To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.

Figure 140: Showing the Rules for a Class Map

CREATING QOS POLICIES
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces.

conforming to the maximum throughput, or exceeding the maximum throughput.
srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).

When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode:
■ If the packet has been precolored as green and Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else
■ If the packet has been precolored as yellow or green and if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else
■ the packet is red.

count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode:
■ If Tp(t)-B < 0, the packet is red, else
■ if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else
■ the packet is green and both Tp and Tc are decremented by B.
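The following Python is an added example (not code from the guide or from the switch) that implements the two meters exactly as the rules above describe them: the srTCM of RFC 2697 in Color-Aware mode, using the committed bucket Tc (size BC) and excess bucket Te (size BE) refilled at CIR, and the trTCM of RFC 2698 in Color-Blind mode, using Tc (size BC, refilled at CIR) and Tp (size BP, refilled at PIR). Rates are in bytes per second, bucket sizes in bytes, and the packet traces are constructed; the refill rule that Te only fills once Tc is full follows RFC 2697 and is not spelled out in the text above.

```python
class SrTCM:
    """Single rate three color marker (RFC 2697): CIR with committed (BC) and excess (BE) buckets."""

    def __init__(self, cir, bc, be, color_aware=True):
        self.cir, self.bc, self.be = cir, bc, be  # bytes/s, bytes, bytes
        self.tc, self.te = bc, be                  # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def _refill(self, t):
        # Tc fills at CIR up to BC; once Tc is full the overflow fills Te up to BE.
        tokens = self.cir * (t - self.last)
        self.last = t
        room = self.bc - self.tc
        if tokens <= room:
            self.tc += tokens
        else:
            self.tc = self.bc
            self.te = min(self.be, self.te + tokens - room)

    def color(self, t, size, precolor="green"):
        """Color a packet of `size` bytes arriving at time t using the guide's Color-Aware rules."""
        self._refill(t)
        green_ok = precolor == "green" or not self.color_aware
        yellow_ok = precolor in ("green", "yellow") or not self.color_aware
        if green_ok and self.tc - size >= 0:
            self.tc -= size
            return "green"
        if yellow_ok and self.te - size >= 0:
            self.te -= size
            return "yellow"
        return "red"


class TrTCM:
    """Two rate three color marker (RFC 2698): CIR/BC and PIR/BP buckets refilled independently."""

    def __init__(self, cir, bc, pir, bp, color_aware=False):
        self.cir, self.bc, self.pir, self.bp = cir, bc, pir, bp
        self.tc, self.tp = bc, bp
        self.color_aware = color_aware
        self.last = 0.0

    def _refill(self, t):
        dt = t - self.last
        self.last = t
        self.tc = min(self.bc, self.tc + self.cir * dt)
        self.tp = min(self.bp, self.tp + self.pir * dt)

    def color(self, t, size, precolor="green"):
        """Color-Blind rules from the guide; the precolor checks only apply in Color-Aware mode."""
        self._refill(t)
        if self.color_aware and precolor == "red":
            return "red"
        if self.tp - size < 0:
            return "red"
        if (self.color_aware and precolor == "yellow") or self.tc - size < 0:
            self.tp -= size
            return "yellow"
        self.tp -= size
        self.tc -= size
        return "green"


# Constructed packet traces: (arrival time in seconds, size in bytes, precolor).
SRTCM_TRACE = [(0.0, 1000, "green"), (0.0, 1000, "green"), (0.0, 1000, "green"),
               (0.0, 400, "yellow"), (1.0, 1500, "green")]
TRTCM_TRACE = [(0.0, 600, "green"), (0.0, 600, "green"), (0.0, 1000, "green"),
               (1.0, 1000, "green")]


def run_meter(meter, trace):
    return [meter.color(t, size, precolor) for t, size, precolor in trace]


def demo_srtcm():
    return run_meter(SrTCM(cir=1000, bc=1500, be=1500, color_aware=True), SRTCM_TRACE)


def demo_trtcm():
    return run_meter(TrTCM(cir=1000, bc=1000, pir=2000, bp=2000, color_aware=False), TRTCM_TRACE)
```

Green, yellow and red correspond to the Conform, Exceed and Violate actions of the policy rules that follow. In the srTCM trace a burst of three 1000-byte packets at t=0 drains the 1500-byte committed bucket after the first packet and the excess bucket after the second, so the third is red; the yellow-precolored packet can never be promoted to green in Color-Aware mode; and after one second at CIR the committed bucket is full again, so a 1500-byte packet conforms.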
Add Rule
◆ Policy Name – Name of policy map.
◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act.
◆ Action – This attribute is used to set an internal QoS value in hardware for matching packets. The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion with the srTCM and trTCM metering functions.

■ Conform – Specifies that traffic conforming to the maximum rate (CIR) and committed burst size (BC) will be transmitted without any change to the DSCP service level.
■ Violate – Specifies whether the traffic that exceeds the committed maximum rate (CIR) or burst size (BC) will be dropped or the DSCP service level will be reduced.
■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level.

■ Exceed – Specifies whether traffic that exceeds the committed maximum rate (CIR) or burst size (BC) but is within the excess burst size (BE) will be dropped or the DSCP service level will be reduced.
■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63)
■ Drop – Drops out of conformance traffic.

The burst size cannot exceed 16 Mbytes.
■ Conform – Specifies that traffic conforming to the committed maximum rate (CIR) and peak burst size (BP) will be transmitted without any change to the DSCP service level.
■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level.

To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.

Figure 142: Showing Policy Maps

To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5.

Figure 143: Adding Rules to a Policy Map

To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.

ATTACHING A POLICY MAP TO A PORT
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port.

CLI REFERENCES
◆ "Quality of Service Commands" on page 1207

COMMAND USAGE
◆ First define a class map, define a policy map, and then bind the service policy to the required interface.
◆ Only one policy map can be bound to an interface.

WEB INTERFACE
To bind a policy map to a port:
1. Click Traffic, DiffServ.
2. Select Configure Interface from the Step list.
3. Check the box under the Ingress field to enable a policy map for a port.
4. Select a policy map from the scroll-down box.
5. Click Apply.
12 VOIP TRAFFIC CONFIGURATION
This chapter covers the following topics:
◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).

CONFIGURING VOIP TRAFFIC
Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.

Figure 146: Configuring a Voice VLAN

CONFIGURING TELEPHONY OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.

4. Enter a MAC address that specifies the OUI for VoIP devices in the network.
5. Select a mask from the pull-down list to define a MAC address range.
6. Enter a description for the devices.
7. Click Apply.

Figure 147: Configuring an OUI Telephony List

To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.

COMMAND USAGE
All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs" on page 205).

PARAMETERS
These parameters are displayed:
◆ Mode – Specifies if the port will be added to the Voice VLAN when VoIP traffic is detected.

time should be added to the overall aging time. For example, if you configure the MAC address table aging time to 30 seconds, and the voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will be removed from the voice VLAN when VoIP traffic is no longer received on the port. Alternatively, if you clear the MAC address table manually, then the switch will also start counting down the Remaining Age.
13 SECURITY MEASURES You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting ◆ IPv4 Source Guard – Filters IPv4 traffic on insecure ports for which the source address cannot be identified via DHCPv4 snooping nor static source bindings. ◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the source address cannot be identified via ND snooping, DHCPv6 snooping, nor static source bindings.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting To configure AAA on the switch, you need to follow this general process: 1. Configure RADIUS and TACACS+ server access parameters. See "Configuring Local/Remote Logon Authentication" on page 311. 2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services. 3.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting PARAMETERS These parameters are displayed: ◆ Authentication Sequence – Select the authentication, or authentication sequence required: ■ Local – User authentication is performed only locally by the switch. ■ RADIUS – User authentication is performed using a RADIUS server only. ■ TACACS – User authentication is performed using a TACACS+ server only.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting Figure 151: Authentication Server Operation console Web Telnet RADIUS/ TACACS+ server 1. Client attempts management access. 2. Switch contacts authentication server. 3. Authentication server challenges client. 4. Client responds with proper password or key. 5. Authentication server approves access. 6. Switch grants management access. RADIUS uses UDP while TACACS+ uses TCP.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting ■ ■ ■ ■ ◆ Server IP Address – Address of authentication server. (A Server Index entry must be selected to display this item.) Accounting Server UDP Port – Network (UDP) port on authentication server used for accounting messages. (Range: 1-65535; Default: 1813) Authentication Server UDP Port – Network (UDP) port on authentication server used for authentication messages.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting ■ ■ Authentication Key – Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters) Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting Figure 152: Configuring Remote Authentication Server (RADIUS) Figure 153: Configuring Remote Authentication Server (TACACS+) To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Select RADIUS or TACACS+ server type. 5.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting Figure 154: Configuring AAA Server Groups To show the RADIUS or TACACS+ server groups used for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Show from the Action list.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting PARAMETERS These parameters are displayed: Configure Global ◆ Periodic Update - Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server. (Range: 1-2147483647 minutes) Configure Method ◆ ◆ Accounting Type – Specifies the service as: ■ 802.1X – Accounting for end users.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting ■ ■ ◆ Console Method Name – Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level through the console interface. VTY Method Name – Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level through Telnet or SSH. Exec ■ ■ Console Method Name – Specifies a user defined method name to apply to console connections.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting Figure 156: Configuring Global Settings for AAA Accounting To configure the accounting method applied to various service types and the assigned server group: 1. Click Security, AAA, Accounting. 2. Select Configure Method from the Step list. 3. Select Add from the Action list. 4. Select the accounting type (802.1X, Command, Exec). 5. Specify the name of the accounting method and server group name. 6. Click Apply.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting Figure 158: Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: 1. Click Security, AAA, Accounting. 2. Select Configure Service from the Step list. 3. Select the accounting type (802.1X, Command, Exec). 4. Enter the required accounting method. 5. Click Apply.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting Figure 160: Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types: 1. Click Security, AAA, Accounting. 2. Select Show Information from the Step list. 3. Click Summary.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting Figure 162: Displaying Statistics for AAA Accounting Sessions CONFIGURING AAA Use the Security > AAA > Authorization page to enable authorization of AUTHORIZATION requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting Configure Service ◆ Authorization Type - Specifies EXEC authorization, or Command authorization for specific CLI privilege levels. ◆ Console Method Name – Specifies a user defined method name to apply to console connections. ◆ VTY Method Name – Specifies a user defined method name to apply to Telnet and SSH connections. Show Information ◆ Authorization Type - Displays the authorization service.
CHAPTER 13 | Security Measures AAA Authentication, Authorization and Accounting To show the authorization method applied to the EXEC service type and the assigned server group: 1. Click Security, AAA, Authorization. 2. Select Configure Method from the Step list. 3. Select Show from the Action list. Figure 164: Showing AAA Authorization Methods To configure the authorization method applied to local console, Telnet, or SSH connections: 1. Click Security, AAA, Authorization. 2.
CHAPTER 13 | Security Measures Configuring User Accounts To display a the configured authorization method and assigned server groups for The Exec service type: 1. Click Security, AAA, Authorization. 2. Select Show Information from the Step list. Figure 166: Displaying the Applied AAA Authorization Method CONFIGURING USER ACCOUNTS Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.
CHAPTER 13 | Security Measures Configuring User Accounts Level 8-14 provide the same default access privileges, including additional commands beyond those provided for Levels 0-7 (equivalent to CLI Normal Exec command mode), and a subset of the configuration commands provided for Level 15 (equivalent to CLI Privileged Exec command mode). Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command.
CHAPTER 13 | Security Measures Web Authentication Figure 167: Configuring User Accounts To show user accounts: 1. Click Security, User Accounts. 2. Select Show from the Action list. Figure 168: Showing User Accounts WEB AUTHENTICATION Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical.
CHAPTER 13 | Security Measures Web Authentication NOTE: RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See "Configuring Local/Remote Logon Authentication" on page 311.) NOTE: Web authentication cannot be configured on trunk ports. CONFIGURING GLOBAL Use the Security > Web Authentication (Configure Global) page to edit the SETTINGS FOR WEB global parameters for web authentication.
CHAPTER 13 | Security Measures Web Authentication Figure 169: Configuring Global Settings for Web Authentication CONFIGURING Use the Security > Web Authentication (Configure Interface) page to INTERFACE SETTINGS enable web authentication on a port, and display information for any FOR WEB connected hosts. AUTHENTICATION CLI REFERENCES ◆ "Web Authentication" on page 909 PARAMETERS These parameters are displayed: ◆ Port – Indicates the port being configured.
CHAPTER 13 | Security Measures Network Access (MAC Address Authentication) 4. Mark the check box for any host addresses that need to be reauthenticated, and click Re-authenticate. Figure 170: Configuring Interface Settings for Web Authentication NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
CHAPTER 13 | Security Measures Network Access (MAC Address Authentication) authenticated. On the RADIUS server, PAP user name and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case). ◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
CHAPTER 13 | Security Measures Network Access (MAC Address Authentication) ◆ If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is “service-policy-in=p1;service-policyin=p2”, then the switch applies only the DiffServ profile “p1.” ◆ Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is “map-ip-dscp=2:3;service-policyin=p1,” then the switch ignores the “map-ip-dscp” profile.
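The two Filter-ID rules above (first of duplicated profiles wins; unsupported profiles are ignored) are easy to get wrong when writing RADIUS server policy, so the following parser is added here as an illustration. It is not code from the guide or from the switch firmware. The "type=value;type=value" layout is taken from the guide's examples; the set of profile types the switch actually accepts is not stated on this page, so the supported set below is an assumption that contains only the type the guide shows being applied.

```python
from __future__ import annotations

# Added example, not code from the Edge-Core guide: a parser that applies the
# two Filter-ID rules stated above (only the first of duplicated profiles is
# used; unsupported profiles are ignored). The "type=value;type=value"
# layout comes from the guide's examples. Which profile types the switch
# really accepts is not stated on this page, so the supported set below is
# an assumption containing only the type the guide shows being applied.
SUPPORTED_PROFILE_TYPES = {"service-policy-in"}


def parse_filter_id(attribute: str) -> tuple[dict[str, str], list[str]]:
    """Split a Filter-ID attribute into (applied, ignored).

    applied maps each supported profile type to the value of its first
    occurrence; ignored lists every fragment that was dropped, so an
    operator can see exactly what the RADIUS server sent that had no effect.
    """
    applied: dict[str, str] = {}
    ignored: list[str] = []
    for fragment in attribute.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue                      # tolerate a trailing ";"
        if "=" not in fragment:
            ignored.append(fragment)      # malformed: not "type=value"
            continue
        ptype, value = (part.strip() for part in fragment.split("=", 1))
        if ptype not in SUPPORTED_PROFILE_TYPES:
            ignored.append(fragment)      # unsupported profile type
        elif ptype in applied:
            ignored.append(fragment)      # duplicate: the first one already won
        else:
            applied[ptype] = value
    return applied, ignored


if __name__ == "__main__":
    # The guide's two examples, reproduced as constructed input.
    for attr in ("service-policy-in=p1;service-policy-in=p2",
                 "map-ip-dscp=2:3;service-policy-in=p1"):
        applied, ignored = parse_filter_id(attr)
        print(f"{attr!r}: applied={applied} ignored={ignored}")
```

Running the guide's first example returns p1 as the only applied profile and reports "service-policy-in=p2" as ignored; the second example applies p1 and reports "map-ip-dscp=2:3" as ignored. Logging the ignored list on the RADIUS side is a cheap way to catch policy typos that would otherwise silently leave a port with no DiffServ profile.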
This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 390).

PARAMETERS
These parameters are displayed:
◆ MAC Authentication
■ Status – Enables MAC authentication on a port. (Default: Disabled)
■ Intrusion – Sets the port response to a host MAC authentication failure to either block access to the port or to pass traffic through.

exempt from authentication on the specified port (as described under "Configuring a MAC Address Filter"). (Range: 1-64; Default: None)
WEB INTERFACE
To configure MAC authentication on switch ports:
1. Click Security, Network Access.
2. Select Configure Interface from the Step list.
3. Click the General button.
4.

■ Link up and down – All link up and link down events will trigger the port action.
◆ Action – The switch can respond in three ways to a link up or down trigger event.
■ Trap – An SNMP trap is sent.
■ Trap and shutdown – An SNMP trap is sent and the port is shut down.
■ Shutdown – The port is shut down.
WEB INTERFACE
To configure link detection on switch ports:
1. Click Security, Network Access.
2.

◆ Up to 65 filter tables can be defined.
◆ There is no limitation on the number of entries used in a filter table.
PARAMETERS
These parameters are displayed:
◆ Filter ID – Adds a filter rule for the specified filter. (Range: 1-64)
◆ MAC Address – The filter rule will check ingress packets against the entered MAC address or range of MAC addresses (as defined by the MAC Address Mask).
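Both the Telephony OUI list (Chapter 12) and the Network Access MAC address filter above compare a source MAC address against an entry made of an address and a mask. The block below is an added example of that comparison; it is not code from the guide or the switch. The OUI mask of FF-FF-FF-00-00-00, the sample OUI entries, the filter tables and the addresses are all constructed for illustration.

```python
from __future__ import annotations
from typing import Optional

# Added example, not code from the Edge-Core guide: the address-plus-mask
# comparison behind both the Telephony OUI list and the Network Access MAC
# address filter. A mask octet of FF means "compare this octet" and 00
# means "ignore it", so an OUI entry masks only the first three octets.
# The OUI table and filter rules below are constructed sample data.

OUI_MASK = "FF-FF-FF-00-00-00"   # first three octets = vendor OUI


def parse_mac(text: str) -> int:
    """Return a MAC written as XX-XX-XX-XX-XX-XX (or with ':') as a 48-bit int."""
    octets = text.replace(":", "-").split("-")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    value = 0
    for octet in octets:
        n = int(octet, 16)
        if not 0 <= n <= 0xFF:
            raise ValueError(f"bad octet {octet!r} in {text!r}")
        value = (value << 8) | n
    return value


def mac_matches(addr: str, rule_addr: str, rule_mask: str) -> bool:
    """True if addr equals rule_addr in every bit selected by rule_mask."""
    mask = parse_mac(rule_mask)
    return (parse_mac(addr) & mask) == (parse_mac(rule_addr) & mask)


# Constructed telephony OUI list: (OUI as a MAC address, description).
TELEPHONY_OUI = [
    ("02-11-22-00-00-00", "constructed phone vendor A"),
    ("02-AA-BB-00-00-00", "constructed phone vendor B"),
]


def voip_vendor(src_mac: str) -> Optional[str]:
    """Description of the matching OUI entry, or None if not a known VoIP device."""
    for oui, description in TELEPHONY_OUI:
        if mac_matches(src_mac, oui, OUI_MASK):
            return description
    return None


# Constructed MAC filter tables: Filter ID -> list of (address, mask) rules.
MAC_FILTERS = {
    1: [("02-50-C2-10-00-00", "FF-FF-FF-FF-00-00")],   # a range of 65536 addresses
    2: [("08-00-27-12-34-56", "FF-FF-FF-FF-FF-FF")],   # exactly one host
}


def exempt_from_mac_auth(src_mac: str, filter_id: int) -> bool:
    """True if the source address hits a rule of the filter bound to the port."""
    return any(mac_matches(src_mac, addr, mask)
               for addr, mask in MAC_FILTERS.get(filter_id, []))
```

The same function serves both features because the switch's comparison is identical; only the mask width differs. When reviewing an exemption filter, check the mask as carefully as the address: a mask with trailing 00 octets exempts a whole range from authentication, not one device.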
To show the MAC address filter table for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Show from the Action list.
Figure 175: Showing the MAC Address Filter Table for Network Access

DISPLAYING SECURE MAC ADDRESS
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table.

■ Attribute – Indicates a static or dynamic address.
WEB INTERFACE
To display the authenticated MAC addresses stored in the secure MAC address table:
1. Click Security, Network Access.
2. Select Show Information from the Step list.
3. Use the sort key to display addresses based on MAC address, interface, or attribute.
4.

CONFIGURING HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.

CONFIGURING GLOBAL SETTINGS FOR HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.

NOTE: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.
NOTE: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.
PARAMETERS
These parameters are displayed:
◆ HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch.

CAUTION: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased. When you have obtained these, place them on your TFTP server and transfer them to the switch to replace the default (unrecognized) certificate with an authorized one.

WEB INTERFACE
To replace the default secure-site certificate:
1. Click Security, HTTPS.
2. Select Copy Certificate from the Step list.
3. Fill in the TFTP server, certificate and private key file name, and private password.
4. Click Apply.
Figure 178: Downloading the Secure-Site Certificate

CONFIGURING THE SECURE SHELL
The Berkeley standard includes remote access tools originally designed for Unix systems.

COMMAND USAGE
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the System Authentication page (page 311).

5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.

checks whether the signature is correct. If both checks succeed, the client is authenticated.
NOTE: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
NOTE: The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.

WEB INTERFACE
To configure the SSH server:
1. Click Security, SSH.
2. Select Configure Global from the Step list.
3. Enable the SSH server.
4. Adjust the authentication parameters as required.
5. Click Apply.

client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
NOTE: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored in RAM by default. Note that you must select this item prior to generating the host-key pair.

Figure 181: Showing the SSH Host Key Pair

IMPORTING USER PUBLIC KEYS
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.

WEB INTERFACE
To copy the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Copy from the Action list.
4. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name.
5. Click Apply.
Figure 182: Copying the SSH User’s Public Key
To display or clear the SSH user’s public key:
1. Click Security, SSH.

Figure 183: Showing the SSH User’s Public Key

ACCESS CONTROL LISTS
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).

precisely determined. It depends on the amount of hardware resources reserved at runtime for this purpose. Auto ACE Compression is a software feature used to compress all the ACEs of an ACL to utilize hardware resources more efficiently. Without compression, one ACE would occupy a fixed number of entries in TCAM. So if one ACL includes 25 ACEs, the ACL would need (25 * n) entries in TCAM, where “n” is the fixed number of TCAM entries needed for one ACE.

PARAMETERS
These parameters are displayed:
Add
◆ Time-Range Name – Name of a time range. (Range: 1-16 characters)
Add Rule
◆ Time-Range – Name of a time range.
◆ Mode
■ Absolute – Specifies a specific time or time range.
■ Start/End – Specifies the hours, minutes, month, day, and year at which to start or end.
■ Periodic – Specifies a periodic interval.
■ Start/To – Specifies the days of the week, hours, and minutes at which to start or end.

Figure 185: Showing a List of Time Ranges
To configure a rule for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of the time range from the drop-down list.
5. Select a mode option of Absolute or Periodic.
6. Fill in the required parameters for the selected mode.
7. Click Apply.

Figure 187: Showing the Rules Configured for a Time Range

SHOWING TCAM UTILIZATION
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.

WEB INTERFACE
To show information on TCAM utilization:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show TCAM from the Action list.
Figure 188: Showing TCAM Utilization

SETTING THE ACL NAME AND TYPE
Use the Security > ACL (Configure ACL - Add) page to create an ACL.

■ MAC – MAC ACL mode filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).
■ ARP – ARP ACL specifies static IP-to-MAC address bindings used for ARP inspection (see "ARP Inspection" on page 375).
WEB INTERFACE
To configure the name and type of an ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4.

Figure 190: Showing a List of ACLs

CONFIGURING A STANDARD IPV4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
CLI REFERENCES
◆ "permit, deny (Standard IP ACL)" on page 971
◆ "show ip access-list" on page 976
◆ "Time Range" on page 782
PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.

WEB INTERFACE
To add rules to an IPv4 Standard ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IP Standard from the Type list.
5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address.

but limits the checking of ToS bits (underlined in the following example) to the leftmost three bits, ignoring the rightmost fourth bit. For example, if you configured an access list to deny packets with a ToS of 7 (00001110), the highlighted bit would be ignored, and the access list would drop packets with a ToS of both 6 and 7.

◆ Control Code Bit Mask – Decimal number representing the code bits to match. (Range: 0-63) The control bit mask is a decimal number (for an equivalent binary bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.
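The ToS note and the Control Code Bit Mask parameter above both describe the same mechanism: the rule value is compared with the packet only in the bit positions the mask selects. The following block is an added example of that comparison, not code from the guide or the switch. It reproduces the guide's ToS case (a deny for ToS 7 that also drops ToS 6 because the rightmost of the four ToS bits is not checked) and applies the same logic to the 6-bit TCP control code. The flag-to-bit table (FIN=1 through URG=32) follows the TCP header order; this page does not spell that table out, so it is an assumption of the example.

```python
from __future__ import annotations

# Added example, not code from the Edge-Core guide: how an extended IPv4 ACL
# rule compares a packet's ToS value and TCP control code with the rule's
# value and bit mask. A mask bit of 1 means "this bit must match", 0 means
# "ignore this bit". The ToS case reproduces the guide's own example: a rule
# that denies ToS 7 while only the three leftmost ToS bits are checked also
# drops ToS 6. The flag-to-bit table for the 6-bit control code follows the
# TCP header order (FIN=1 ... URG=32); this page does not spell that out, so
# treat it as an assumption of this example.

TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

# Mask over the 4-bit ToS value that keeps the leftmost three bits and
# ignores the rightmost one, as the guide says the switch does.
TOS_CHECKED_BITS = 0b1110


def masked_match(value: int, rule_value: int, rule_mask: int) -> bool:
    """Compare value with rule_value only in the bit positions set in rule_mask."""
    return (value & rule_mask) == (rule_value & rule_mask)


def tos_rule_hits(packet_tos: int, rule_tos: int,
                  checked_bits: int = TOS_CHECKED_BITS) -> bool:
    """True if the rule's ToS match applies to a packet carrying packet_tos."""
    if not 0 <= packet_tos <= 0xF or not 0 <= rule_tos <= 0xF:
        raise ValueError("ToS values here are the 4-bit field (0-15)")
    return masked_match(packet_tos, rule_tos, checked_bits)


def tos_values_dropped(rule_tos: int,
                       checked_bits: int = TOS_CHECKED_BITS) -> list[int]:
    """Every 4-bit ToS value a deny rule for rule_tos would actually drop."""
    return [tos for tos in range(16) if tos_rule_hits(tos, rule_tos, checked_bits)]


def control_code(flags: set[str]) -> int:
    """Decimal control code (0-63) for a set of TCP flag names."""
    return sum(TCP_FLAGS[flag] for flag in flags)


def tcp_rule_hits(packet_flags: set[str], rule_code: int, rule_mask: int) -> bool:
    """True if the rule's control-code match applies to a packet with packet_flags."""
    if not (0 <= rule_code <= 63 and 0 <= rule_mask <= 63):
        raise ValueError("control code and mask are 0-63")
    return masked_match(control_code(packet_flags), rule_code, rule_mask)


def inspected_flags(rule_mask: int) -> list[str]:
    """Names of the flag bits a rule actually inspects, for reviewing a rule set."""
    return [name for name, bit in TCP_FLAGS.items() if rule_mask & bit]
```

tos_values_dropped(7) returns [6, 7], which is the side effect the guide warns about. For the control code, a rule with code 2 and mask 18 inspects only SYN and ACK, so it matches a bare SYN (connection attempt) but not SYN+ACK; a rule with code 16 and mask 16 matches any segment with ACK set. Listing inspected_flags for each rule is a quick audit of what a mask really constrains.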
Figure 192: Configuring an Extended IPv4 ACL

CONFIGURING A STANDARD IPV6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
CLI REFERENCES
◆ "permit, deny (Standard IPv6 ACL)" on page 978
◆ "show ipv6 access-list" on page 982
◆ "Time Range" on page 782
PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.

◆ Source Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). (Range: 0-128 bits)
◆ Time Range – Name of a time range.
WEB INTERFACE
To add rules to a Standard IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Standard from the Type list.
5.

CONFIGURING AN EXTENDED IPV6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
CLI REFERENCES
◆ "permit, deny (Extended IPv6 ACL)" on page 979
◆ "show ipv6 access-list" on page 982
◆ "Time Range" on page 782
PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.

■ 43: Routing (RFC 2460)
■ 44: Fragment (RFC 2460)
■ 50: Encapsulating Security Payload (RFC 2406)
■ 51: Authentication (RFC 2402)
■ 60: Destination Options (RFC 2460)
◆ Time Range – Name of a time range.
WEB INTERFACE
To add rules to an Extended IPv6 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select IPv6 Extended from the Type list.
5.

CONFIGURING A MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
CLI REFERENCES
◆ "permit, deny (MAC ACL)" on page 984
◆ "show ip access-list" on page 976
◆ "Time Range" on page 782
PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.

◆ Internet Protocol – Layer 3 or 4 information to match.
■ No – Not applied.
■ IPv4 – See "Configuring an Extended IPv4 ACL" on page 360.
■ IPv6 – See "Configuring an Extended IPv6 ACL" on page 365.
◆ Time Range – Name of a time range.
WEB INTERFACE
To add rules to a MAC ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add Rule from the Action list.
4. Select MAC from the Type list.
5.

Figure 195: Configuring a MAC ACL

CONFIGURING AN ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection" on page 376).

◆ Source/Destination IP Subnet Mask – Subnet mask for source or destination address. (See the description for Subnet Mask on page 359.)
◆ Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any)
◆ Source/Destination MAC Address – Source or destination MAC address.

Figure 196: Configuring an ARP ACL

BINDING A PORT TO AN ACCESS CONTROL LIST
After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs. Only one access list (IPv4, IPv6 or MAC) can be assigned to a port.

WEB INTERFACE
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Select IP, MAC or IPv6 from the Type options.
5. Select a port.
6. Select the name of an ACL from the ACL list.
7. Click Apply.

3. Use the Add Mirror page to specify the ACL and the destination port to which matching traffic will be mirrored.
PARAMETERS
These parameters are displayed:
◆ Port – Port identifier.
◆ ACL – ACL used for ingress packets.
WEB INTERFACE
To bind an ACL to a port for mirroring:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Add Mirror from the Action list.
4. Select a port.
5. Select the name of an ACL from the ACL list.
6.

Figure 199: Showing the VLANs to Mirror

SHOWING ACL HARDWARE COUNTERS
Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.
CLI REFERENCES
◆ "show access-list" on page 993
◆ "clear access-list hardware counters" on page 992
PARAMETERS
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Type – Selects the type of ACL.

5. Select ingress or egress traffic.
Figure 200: Showing ACL Statistics

ARP INSPECTION
ARP Inspection is a security feature that validates the MAC address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.

◆ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
◆ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs.

ARP Inspection Logging
◆ By default, logging is active for ARP Inspection, and cannot be disabled.
◆ The administrator can configure the log facility rate.
◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.

WEB INTERFACE
To configure global settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure General from the Step list.
3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required.
4. Click Apply.

◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity.
PARAMETERS
These parameters are displayed:
◆ ARP Inspection VLAN ID – Selects any configured VLAN. (Default: 1)
◆ ARP Inspection VLAN Status – Enables ARP Inspection for the selected VLAN.
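The validation order just described (ARP ACL first, DHCP snooping bindings only when no ACL rule matches, and no fallback to the bindings when Static is set) decides which ARP packets a VLAN drops, so it is worth seeing as explicit logic. The block below is an added example of that order; it is not code from the guide or the switch. Treating an unmatched packet under Static as dropped is an assumption of the example, and the bindings, rules and addresses are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the Edge-Core guide: the validation order the
# guide states for a VLAN with ARP Inspection enabled. With an ACL selected
# and Static not set, the ACL is consulted first and the DHCP snooping
# binding database decides only when no ACL rule matches. With Static set,
# only the ACL decides; an unmatched packet is treated here as dropped,
# which is an assumption of this example. The bindings and rules are
# constructed sample data.


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    sender_mac: str
    sender_ip: str


@dataclass(frozen=True)
class ArpAclRule:
    action: str        # "permit" or "deny"
    sender_ip: str     # exact address or "any"
    sender_mac: str    # exact address or "any"

    def matches(self, pkt: ArpPacket) -> bool:
        ip_ok = self.sender_ip == "any" or self.sender_ip == pkt.sender_ip
        mac_ok = (self.sender_mac == "any"
                  or self.sender_mac.upper() == pkt.sender_mac.upper())
        return ip_ok and mac_ok


def acl_verdict(rules: list[ArpAclRule], pkt: ArpPacket) -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def validate_arp(pkt: ArpPacket,
                 vlan_acl: Optional[list[ArpAclRule]],
                 acl_static: bool,
                 dhcp_bindings: set[tuple[int, str, str]]) -> tuple[str, str]:
    """Return (verdict, reason); verdict is "permit" or "deny"."""
    if vlan_acl is not None:
        verdict = acl_verdict(vlan_acl, pkt)
        if verdict is not None:
            return verdict, "acl"
        if acl_static:
            return "deny", "acl-no-match"   # Static: bindings DB not consulted
    binding = (pkt.vlan, pkt.sender_mac.upper(), pkt.sender_ip)
    if binding in dhcp_bindings:
        return "permit", "dhcp-binding"
    return "deny", "no-binding"           # invalid MAC-to-IP binding: dropped and logged
```

The reason string mirrors what an operator needs when reading the ARP Inspection log: a drop with "no-binding" points at a host that is not in the DHCP snooping table (a static-IP device that needs an ACL entry, or a spoofed binding), while "acl-no-match" under Static shows that the bindings database was never consulted.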
CHAPTER 13 | Security Measures ARP Inspection CONFIGURING Use the Security > ARP Inspection (Configure Interface) page to specify INTERFACE SETTINGS the ports that require ARP inspection, and to adjust the packet inspection FOR ARP INSPECTION rate. CLI REFERENCES ◆ "ARP Inspection" on page 948 PARAMETERS These parameters are displayed: ◆ Interface – Port or trunk identifier. ◆ Trust Status – Configures the port as trusted or untrusted.
CHAPTER 13 | Security Measures ARP Inspection Figure 203: Configuring Interface Settings for ARP Inspection DISPLAYING Use the Security > ARP Inspection (Show Information - Show Statistics) ARP INSPECTION page to display statistics about the number of ARP packets processed, or STATISTICS dropped for various reasons.
CHAPTER 13 | Security Measures ARP Inspection WEB INTERFACE To display statistics for ARP Inspection: 1. Click Security, ARP Inspection. 2. Select Show Information from the Step list. 3. Select Show Statistics from the Action list. Figure 204: Displaying Statistics for ARP Inspection DISPLAYING THE ARP Use the Security > ARP Inspection (Show Information - Show Log) page to INSPECTION LOG show information about entries stored in the log, including the associated VLAN, port, and address components.
CHAPTER 13 | Security Measures Filtering IP Addresses for Management Access
WEB INTERFACE
To display the ARP Inspection log:
1. Click Security, ARP Inspection.
2. Select Show Information from the Step list.
3. Select Show Log from the Action list.
◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
PARAMETERS
These parameters are displayed:
◆ Mode
■ Web – Configures IP address(es) for the web group.
■ SNMP – Configures IP address(es) for the SNMP group.
■ Telnet – Configures IP address(es) for the Telnet group.
■ All – Configures IP address(es) for all groups.
CHAPTER 13 | Security Measures Configuring Port Security
To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.
Figure 207: Showing IP Addresses Authorized for Management Access
CONFIGURING PORT SECURITY
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table.
◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication
◆ Current MAC Count – The number of MAC addresses currently associated with this interface.
◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 337.
◆ MAC Filter ID – The identifier for a MAC address filter.
◆ Last Intrusion MAC – The last unauthorized MAC address detected.
users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.
◆ Each switch port that will be used must be set to dot1X “Auto” mode.
◆ Each client that needs to be authenticated must have dot1X client software installed and properly configured.
◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.
◆ Identity Profile Password – The dot1x supplicant password used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator. (Range: 1-8 characters)
◆ Confirm Profile Password – This field is used to confirm the dot1x supplicant password.
◆ Default – Sets all configurable 802.1X global and port settings to their default values.
WEB INTERFACE
To configure global settings for 802.1X:
1.
COMMAND USAGE
◆ When the switch functions as a local authenticator between supplicant devices attached to the switch and the authentication server, configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page.
In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
■ MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated. In this mode, each host connected to a port needs to pass authentication.
◆ Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
◆ Re-authentication Max Retries – The maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
WEB INTERFACE
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Click Authenticator.
4. Modify the authentication settings for each port as required.
5. Click Apply.
Figure 211: Configuring Interface Settings for 802.
COMMAND USAGE
◆ When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 389) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate clients through the remote authenticator on this configuration page.
WEB INTERFACE
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Click Supplicant.
4. Modify the supplicant settings for each port as required.
5. Click Apply.
Figure 212: Configuring Interface Settings for 802.1X Port Supplicant
DISPLAYING
Use the Security > Port Authentication (Show Statistics) page to display 802.
Table 24: 802.1X Statistics (Continued)
Parameter – Description
Rx Last EAPOLVer – The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
Rx Last EAPOLSrc – The source MAC address carried in the most recent EAPOL frame received by this Authenticator.
Rx EAP Resp/Id – The number of EAP Resp/Id frames that have been received by this Authenticator.
WEB INTERFACE
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Authenticator.
Figure 213: Showing Statistics for 802.1X Port Authenticator
To display port supplicant statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Supplicant.
Figure 214: Showing Statistics for 802.
CHAPTER 13 | Security Measures DoS Protection
DOS PROTECTION
Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP SYN FIN scan. (Default: Enabled)
◆ TCP Xmas Scan – A so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
CHAPTER 13 | Security Measures IPv4 Source Guard
Figure 215: Protecting Against DoS Attacks
IPV4 SOURCE GUARD
IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping" on page 412). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.
NOTE: Multicast addresses cannot be used by IP Source Guard.
◆ When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see "DHCP Snooping" on page 412), or static addresses configured in the source guard binding table.
◆ If IP source guard is enabled, an inbound packet’s IP address (SIP option) or both its IP address and corresponding MAC address (SIPMAC option) will be checked against the binding table.
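The SIP and SIPMAC checks described above, as an added model (not code from the Edge-core guide or the switch firmware): static and DHCP-snooped entries share one binding table, and a spoofed neighbour address is dropped while the host's own address is forwarded. Matching an entry on port, VLAN and IP (plus MAC for SIPMAC) and all port names and addresses are this example's assumptions.

```python
# Added example (not from the Edge-core guide): a model of the IPv4 Source Guard
# check. Entries enter the binding table either dynamically via DHCP snooping
# or as static bindings; a port's filter type is Disabled, SIP or SIPMAC.
# Matching on port, VLAN and IP (plus MAC for SIPMAC) is an assumption of this
# model, based on the fields a binding entry carries in the guide.
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    mac: str
    ip: IPv4Address
    kind: str            # "static" or "dhcp-snooping"


class Ipv4SourceGuard:
    FILTER_TYPES = ("disabled", "sip", "sipmac")

    def __init__(self):
        self.entries = []
        self.filter = {}     # port -> filter type (ports absent here are "disabled")

    def set_filter(self, port, mode):
        if mode not in self.FILTER_TYPES:
            raise ValueError(f"unknown filter type {mode!r}")
        self.filter[port] = mode

    def add_static(self, port, vlan, mac, ip):
        """Static binding: VLAN 1-4094, unicast MAC and unicast IP only."""
        ip = IPv4Address(ip)
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN out of range")
        if ip.is_multicast:
            raise ValueError("multicast addresses cannot be used by IP Source Guard")
        if int(mac.replace(":", "")[:2], 16) & 1:      # I/G bit set -> group address
            raise ValueError("static bindings accept unicast MAC addresses only")
        self.entries.append(Binding(port, vlan, mac.lower(), ip, "static"))

    def learn_dhcp(self, port, vlan, mac, ip):
        """Dynamic entry, as DHCP snooping would record it when a lease completes."""
        self.entries.append(Binding(port, vlan, mac.lower(), IPv4Address(ip), "dhcp-snooping"))

    def permit(self, port, vlan, src_mac, src_ip):
        """True if an inbound IP packet is forwarded, False if source guard drops it."""
        mode = self.filter.get(port, "disabled")
        if mode == "disabled":
            return True                       # no filtering on this port
        src_ip = IPv4Address(src_ip)
        for e in self.entries:
            if (e.port, e.vlan, e.ip) != (port, vlan, src_ip):
                continue
            if mode == "sip":                 # SIP: source IP must be bound to this port
                return True
            if e.mac == src_mac.lower():      # SIPMAC: IP and MAC must both match
                return True
        return False


def demo():
    """Constructed scenario (sample addresses, not from the guide)."""
    sg = Ipv4SourceGuard()
    sg.set_filter("ge1", "sipmac")
    sg.set_filter("ge2", "sip")
    sg.learn_dhcp("ge1", 10, "00:11:22:33:44:55", "192.0.2.10")
    sg.add_static("ge2", 10, "00:11:22:33:44:66", "192.0.2.20")
    return {
        "own_address":     sg.permit("ge1", 10, "00:11:22:33:44:55", "192.0.2.10"),
        "spoofed_ip":      sg.permit("ge1", 10, "00:11:22:33:44:55", "192.0.2.20"),
        "spoofed_mac":     sg.permit("ge1", 10, "00:11:22:33:44:77", "192.0.2.10"),
        "sip_ignores_mac": sg.permit("ge2", 10, "de:ad:be:ef:00:01", "192.0.2.20"),
        "unfiltered_port": sg.permit("ge3", 10, "de:ad:be:ef:00:02", "198.51.100.1"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} -> {'forward' if ok else 'drop'}")
```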
page 412) and static entries set by IP source guard (see "Configuring Static Bindings for IPv4 Source Guard" on page 403).
WEB INTERFACE
To set the IP Source Guard filter for ports:
1. Click Security, IP Source Guard, Port Configuration.
2. Set the required filtering type for each port.
3.
■ Only unicast addresses are accepted for static bindings.
PARAMETERS
These parameters are displayed:
Add
◆ Port – The port to which a static entry is bound.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.
◆ IP Address – A valid unicast IP address, including classful types A, B or C.
Show
◆ VLAN – VLAN to which this entry is bound.
◆ MAC Address – Physical address associated with the entry.
To display static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Binding.
2. Select Show from the Action list.
Figure 218: Displaying Static Bindings for IPv4 Source Guard
DISPLAYING INFORMATION FOR
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
CHAPTER 13 | Security Measures IPv6 Source Guard
WEB INTERFACE
To display the binding table for IP Source Guard:
1. Click Security, IP Source Guard, Dynamic Binding.
2. Mark the search criteria, and enter the required values.
3.
COMMAND USAGE
◆ Setting source guard mode to SIP (Source IP) enables this function on the selected port. Use the SIP option to check the VLAN ID, IPv6 global unicast source IP address, and port number against all entries in the binding table.
◆ After IPv6 source guard is enabled on an interface, the switch initially blocks all IPv6 traffic received on that interface, except for ND packets allowed by ND snooping and DHCPv6 packets allowed by DHCPv6 snooping.
◆ Filter Type – Configures the switch to filter inbound traffic based on the following options. (Default: Disabled)
■ Disabled – Disables IPv6 source guard filtering on the port.
■ SIP – Enables traffic filtering based on IPv6 global unicast source IPv6 addresses stored in the binding table.
◆ Max Binding Entry – The maximum number of entries that can be bound to an interface.
CONFIGURING STATIC BINDINGS FOR IPV6 SOURCE GUARD
Use the Security > IPv6 Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.
Show
◆ VLAN – VLAN to which this entry is bound.
◆ MAC Address – Physical address associated with the entry.
◆ Interface – The port to which this entry is bound.
◆ IPv6 Address – IPv6 address corresponding to the client.
◆ Type – Shows the entry type:
■ DHCP – Dynamic DHCPv6 binding, stateful address.
■ ND – Dynamic Neighbor Discovery binding, stateless address.
■ STA – Static IPv6 Source Guard binding.
To display static bindings for IPv6 Source Guard:
1. Click Security, IPv6 Source Guard, Static Configuration.
2. Select Show from the Action list.
Figure 222: Displaying Static Bindings for IPv6 Source Guard
DISPLAYING INFORMATION FOR DYNAMIC IPV6 SOURCE GUARD BINDINGS
Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
CHAPTER 13 | Security Measures DHCP Snooping
WEB INTERFACE
To display the binding table for IPv6 Source Guard:
1. Click Security, IPv6 Source Guard, Dynamic Binding.
2. Mark the search criteria, and enter the required values.
3.
◆ The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
◆ When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
◆ Filtering rules are implemented as follows:
■ If the global DHCP snooping is disabled, all DHCP packets are forwarded.
DHCP server, any packets received from untrusted ports are dropped.
DHCP Snooping Option 82
◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
DHCP SNOOPING GLOBAL CONFIGURATION
Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
CLI REFERENCES
◆ "DHCPv4 Snooping" on page 915
PARAMETERS
These parameters are displayed:
◆ DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)
◆ DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification.
WEB INTERFACE
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure Global from the Step list.
3. Select the required options for the general DHCP snooping process and for the DHCP snooping information policy.
4.
◆ DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN. (Default: Disabled)
WEB INTERFACE
To configure global settings for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Configure VLAN from the Step list.
3. Enable DHCP Snooping on any existing VLAN.
4.
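The filtering rules above (global enable, per-VLAN enable, trusted versus untrusted ports, server packets on untrusted ports, MAC address verification and the 100 pps limit), as an added model run over a constructed exchange; this is not code from the Edge-core guide or the switch. Which message types count as server messages, that MAC verification compares the frame source address with the DHCP chaddr field, how the rate limit is windowed, and that a binding is recorded from a REQUEST/ACK pair are this example's assumptions.

```python
# Added example (not from the Edge-core guide): a model of the DHCP snooping
# filtering rules, run over constructed sample packets. Details the excerpt does
# not spell out are assumptions of this model and are marked as such below.
from dataclasses import dataclass

RATE_LIMIT_PPS = 100                       # stated in the guide
SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # assumption: sent only by DHCP servers


@dataclass
class DhcpPacket:
    port: str
    vlan: int
    src_mac: str       # Ethernet source address of the frame
    chaddr: str        # client hardware address field in the DHCP payload
    msg_type: str      # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    yiaddr: str = ""   # address assigned by the server (carried in ACK)
    t: float = 0.0     # arrival time in seconds (constructed clock)


class DhcpSnooping:
    def __init__(self, global_enabled=True, verify_mac=True):
        self.global_enabled = global_enabled
        self.verify_mac = verify_mac
        self.vlans = set()        # VLANs with snooping enabled
        self.trusted = set()      # trusted ports (towards the real DHCP server)
        self.bindings = {}        # (vlan, mac) -> (client port, ip)
        self._pending = {}        # (vlan, mac) -> client port, awaiting the ACK
        self._window = (None, 0)  # (second, packets seen in that second)

    def _over_rate(self, t):
        # assumption: the 100 pps limit is counted per whole second, switch-wide
        sec, n = self._window
        n = n + 1 if sec == int(t) else 1
        self._window = (int(t), n)
        return n > RATE_LIMIT_PPS

    def handle(self, p):
        """Return "forward", or "drop: <reason>" for a filtered packet."""
        if not self.global_enabled:
            return "forward"                 # snooping off: all DHCP packets forwarded
        if self._over_rate(p.t):
            return "drop: rate limit"        # packets over 100 pps are dropped
        key = (p.vlan, p.chaddr.lower())
        untrusted = p.vlan in self.vlans and p.port not in self.trusted
        if untrusted:                        # filtering only on untrusted ports in snooping VLANs
            if p.msg_type in SERVER_MSGS:
                return "drop: server message on untrusted port"
            if self.verify_mac and p.src_mac.lower() != p.chaddr.lower():
                return "drop: MAC verification failed"     # assumption: src MAC vs chaddr
            if p.msg_type in ("RELEASE", "DECLINE"):
                # assumption: client must hold a binding learned on this same port
                b = self.bindings.get(key)
                if b is None or b[0] != p.port:
                    return "drop: no matching binding"
                if p.msg_type == "RELEASE":
                    del self.bindings[key]
            elif p.msg_type == "REQUEST":
                self._pending[key] = p.port
        elif p.msg_type == "ACK" and key in self._pending:
            self.bindings[key] = (self._pending.pop(key), p.yiaddr)
        return "forward"


def demo():
    """Constructed exchange on VLAN 10: ge24 faces the server, ge1/ge2 are client ports."""
    snoop = DhcpSnooping()
    snoop.vlans.add(10)
    snoop.trusted.add("ge24")
    mac = "00:11:22:33:44:55"
    rogue = "aa:bb:cc:dd:ee:ff"
    steps = [
        DhcpPacket("ge1", 10, mac, mac, "REQUEST", t=1.0),
        DhcpPacket("ge2", 10, rogue, rogue, "OFFER", t=1.1),                      # rogue server
        DhcpPacket("ge24", 10, "00:00:5e:00:53:01", mac, "ACK", yiaddr="192.0.2.10", t=1.2),
        DhcpPacket("ge2", 10, rogue, mac, "REQUEST", t=1.3),                      # chaddr != src MAC
        DhcpPacket("ge2", 10, mac, mac, "RELEASE", t=1.4),                        # wrong port
        DhcpPacket("ge1", 10, mac, mac, "RELEASE", t=1.5),                        # legitimate
    ]
    results = [snoop.handle(p) for p in steps]
    # 100 packets in one second are processed; the 101st is dropped
    flood = [snoop.handle(DhcpPacket("ge1", 10, mac, mac, "DISCOVER", t=2.0)) for _ in range(101)]
    results.append(flood[-1])
    return results, snoop.bindings


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```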
PARAMETERS
These parameters are displayed:
◆ Trust Status – Enables or disables a port as trusted. (Default: Disabled)
◆ Circuit ID – Specifies DHCP Option 82 circuit ID suboption information.
■ Mode – Specifies the default string “VLAN-Unit-Port” or an arbitrary string. (Default: VLAN-Unit-Port)
■ Value – An arbitrary string inserted into the circuit identifier field.
PARAMETERS
These parameters are displayed:
◆ MAC Address – Physical address associated with the entry.
◆ IP Address – IP address corresponding to the client.
◆ Lease Time – The time for which this IP address is leased to the client.
◆ Type – Entry types include:
■ DHCP-Snooping – Dynamically snooped.
■ Static-DHCPSNP – Statically configured.
◆ VLAN – VLAN to which this entry is bound.
◆ Interface – Port or trunk to which this entry is bound.
14 BASIC ADMINISTRATION PROTOCOLS
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
CHAPTER 14 | Basic Administration Protocols Configuring Event Logging
CONFIGURING EVENT LOGGING
The switch allows you to control the logging of error messages, including the type of events recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages.
SYSTEM LOG CONFIGURATION
Use the Administration > Log > System (Configure Global) page to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
NOTE: The Flash Level must be equal to or less than the RAM Level.
NOTE: All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
Figure 229: Showing Error Messages Logged to System Memory
REMOTE LOG CONFIGURATION
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
WEB INTERFACE
To configure the logging of error messages to remote servers:
1. Click Administration, Log, Remote.
2. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers.
3. Click Apply.
◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients.
◆ Server IP Address – Specifies a list of up to three recipient SMTP servers. IPv4 or IPv6 addresses may be specified. The switch attempts to connect to the listed servers in sequential order if the first server fails to respond.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol
LINK LAYER DISCOVERY PROTOCOL
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval
◆ Reinitialization Delay – Configures the delay before attempting to reinitialize after LLDP ports are disabled or the link goes down.
Figure 232: Configuring LLDP Timing Attributes
CONFIGURING LLDP INTERFACE ATTRIBUTES
Use the Administration > LLDP (Configure Interface – Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
◆ MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Disabled)
◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages.
■ Management Address – The management address protocol packet includes the IPv4 address of the switch.
■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "IEEE 802.1Q VLANs" on page 199).
■ VLAN Name – The name of all VLANs to which this interface has been assigned (see "IEEE 802.1Q VLANs" on page 199).
■ Port and Protocol VLAN ID – The port-based protocol VLANs configured on this interface (see "Protocol VLANs" on page 220).
◆ 802.
VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
◆ MED-Location Civic Address – Configures information for the location of the attached device included in the MED TLV field of advertised messages, including the country and the device type.
■ Country – The two-letter ISO 3166 country code in capital ASCII letters.
Figure 233: Configuring LLDP Interface Attributes
CONFIGURING LLDP INTERFACE
Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
Table 26: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
18 | Street suffix or type | Avenue
19 | House number | 320
20 | House number suffix | A
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B
◆ Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
To show the physical location of the attached device:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Select Show CA-Type from the Action list.
4. Select an interface from the Port or Trunk list.
Table 27: Chassis ID Subtype (Continued)
ID Basis | Reference
Interface name | ifName (IETF RFC 2863)
Locally assigned | locally assigned
◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ System Name – A string that indicates the system’s administratively assigned name (see "Displaying System Information" on page 123).
Interface Details
The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk.
◆ Local Port/Trunk – Local interface on this switch.
◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
Figure 236: Displaying Local Device Information for LLDP (General)
Figure 237: Displaying Local Device Information for LLDP (Port)
Figure 238: Displaying Local Device Information for LLDP (Port Details)
DISPLAYING LLDP REMOTE DEVICE INFORMATION
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through L
CLI REFERENCES
◆ "show lldp info remote-device" on page 1344
PARAMETERS
These parameters are displayed:
Port
◆ Local Port – The local port to which a remote LLDP-capable device is attached.
◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted.
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 28, "System Capabilities," on page 436.)
◆ Management Address List – The management addresses for this device. Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
Table 30: Remote Port Auto-Negotiation Advertised Capability
Bit | Capability
8 | PAUSE for full-duplex links
9 | Asymmetric PAUSE for full-duplex links
10 | Symmetric PAUSE for full-duplex links
11 | Asymmetric and Symmetric PAUSE for full-duplex links
12 | 1000BASE-X, -LX, -SX, -CX half duplex mode
13 | 1000BASE-X, -LX, -SX, -CX full duplex mode
14 | 1000BASE-T half duplex mode
15 | 1000BASE-T full duplex mode
◆ Remote Port Auto-
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.1), derived from the ifNumber of the ifIndex for the port component associated with the remote system. If the remote port is not in link aggregation state and/or it does not support link aggregation, this value should be zero.
Port Details – Network Policy
◆ Application Type – The primary application(s) defined for this network policy:
■ Voice
■ Voice Signaling
■ Guest Signaling
■ Guest Voice Signaling
■ Softphone Voice
■ Video Conferencing
■ Streaming Video
■ Video Signaling
◆ Tagged Flag – Indicates whether the specified application type is using a tagged or untagged VLAN.
■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
◆ What – The type of device to which the location applies as described for the field entry “Device entry refers to” under “Configuring LLDP Interface Attributes.
Figure 240: Displaying Remote Device Information for LLDP (Port Details)
Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.
Figure 241: Displaying Remote Device Information for LLDP (End Node)
DISPLAYING DEVICE STATISTICS
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
Port/Trunk
◆ Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV.
CHAPTER 14 | Basic Administration Protocols Power over Ethernet
Figure 243: Displaying LLDP Device Statistics (Port)
POWER OVER ETHERNET
The ECS4110-28P/52P can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the number of cables attached to each device. Once configured to supply power, an automatic detection process is initialized by the switch that is authenticated by a PoE signature from the connected device.
SETTING THE SWITCH’S OVERALL POE POWER BUDGET
Use the Administration > PoE > PSE (Configure Global) page to set the maximum PoE power budget for the switch (power available to all Gigabit Ethernet ports). If the power demand from devices connected to the switch exceeds the power budget, the switch uses port power priority settings to limit the supplied power.
3. Set the maximum PoE power provided by the switch, and enable the compatible mode if required.
4. Click Apply.
Figure 244: Setting the Switch’s PoE Budget
SETTING THE PORT POE POWER BUDGET
Use the Administration > PoE > PSE (Configure Interface) page to set the maximum power provided to a port.
CLI REFERENCES
◆ "Power over Ethernet Commands" on page 1035
◆ "Time Range" on page 782
COMMAND USAGE
◆ This switch supports both the IEEE 802.
◆ If a device is connected to a switch port and the switch detects that it requires more than the power budget set for the port or to the overall switch, no power is supplied to the device (i.e., port power remains off).
◆ If the power demand from devices connected to all switch ports exceeds the power budget set for the switch, the port power priority settings are used to control the supplied power.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol
◆ Priority – Sets the power priority for a port. (Options: Low, High, or Critical; Default: Low)
◆ Power Allocation – Sets the power budget for a port. (Range: 3000-34200 milliwatts; Default: 34200 milliwatts)
◆ Power Consumption – Current power consumption on a port.
WEB INTERFACE
To set the PoE power budget for a port:
1. Click Administration, PoE, PSE.
2. Enable PoE power on selected ports.
the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3.
COMMAND USAGE
Configuring SNMPv1/2c Management Access
To configure SNMPv1 or v2c management access to the switch, follow these steps:
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure User - Add Community) page to configure the community strings authorized for management access.
3.
PARAMETERS
These parameters are displayed:
◆ Agent Status – Enables SNMP on the switch. (Default: Enabled)
◆ Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
◆ Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken.
SETTING THE LOCAL ENGINE ID
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
SPECIFYING A REMOTE ENGINE ID
Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Figure 248: Configuring a Remote Engine ID for SNMP
To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Show Remote Engine from the Action list.
Add OID Subtree
◆ View Name – Lists the SNMP views configured in the Add View page. (Range: 1-32 characters)
◆ OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string.
Figure 251: Showing SNMP Views
To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
5.
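The following is an added example, not code from this guide or from Edgecore: it models how a view built from included and excluded OID subtrees decides whether a given object is visible, using the RFC 3415 (VACM) rule that the longest matching subtree wins. The "*" wildcard notation for a masked sub-identifier, the view name "restricted", and the sample OIDs are assumptions of this example; the switch's own wildcard syntax may differ.

```python
"""VACM-style (RFC 3415) view matching with included/excluded subtrees.

Added example, not code from the Edgecore guide. A '*' in a subtree marks a
wildcarded sub-identifier (assumed syntax for this example only).
"""
from typing import List, Optional, Tuple

Family = Tuple[Optional[int], ...]           # None = wildcarded sub-identifier


def parse_subtree(text: str) -> Family:
    """'1.3.6.1.2.1.2.2.1.*.3' -> (1, 3, 6, 1, 2, 1, 2, 2, 1, None, 3)"""
    return tuple(None if p == "*" else int(p) for p in text.strip(".").split("."))


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.strip(".").split("."))


def family_matches(family: Family, oid: Tuple[int, ...]) -> bool:
    """A subtree matches when the OID is at least as long and every
    non-wildcard sub-identifier agrees (RFC 3415 vacmViewTreeFamilyMask)."""
    if len(oid) < len(family):
        return False
    return all(f is None or f == o for f, o in zip(family, oid))


class SnmpView:
    def __init__(self, name: str):
        if not 1 <= len(name) <= 32:           # View Name range from the guide
            raise ValueError("view name must be 1-32 characters")
        self.name = name
        self.entries: List[Tuple[Family, str]] = []

    def add_subtree(self, subtree: str, view_type: str = "included") -> None:
        if view_type not in ("included", "excluded"):
            raise ValueError("view type must be 'included' or 'excluded'")
        self.entries.append((parse_subtree(subtree), view_type))

    def classify(self, oid_text: str) -> str:
        """Return 'included', 'excluded' or 'not-in-view' for one OID.

        RFC 3415: of all matching families the longest wins; among equal
        lengths the lexicographically greatest subtree wins. Wildcards rank
        below any concrete value here (a choice made for this model)."""
        oid = parse_oid(oid_text)
        best_key, best_type = None, "not-in-view"
        for family, view_type in self.entries:
            if not family_matches(family, oid):
                continue
            key = (len(family), tuple(-1 if f is None else f for f in family))
            if best_key is None or key > best_key:
                best_key, best_type = key, view_type
        return best_type

    def is_visible(self, oid_text: str) -> bool:
        return self.classify(oid_text) == "included"


def build_restricted_view() -> SnmpView:
    """Constructed example view: expose mib-2, but hide every ifEntry column
    for ifIndex 3 (for instance an uplink whose counters should not leak)."""
    view = SnmpView("restricted")
    view.add_subtree("1.3.6.1.2.1")                            # mib-2 included
    view.add_subtree("1.3.6.1.2.1.2.2.1.*.3", "excluded")      # ifEntry.<any column>.3 excluded
    return view


if __name__ == "__main__":
    v = build_restricted_view()
    for oid in ("1.3.6.1.2.1.1.5.0",          # sysName.0
                "1.3.6.1.2.1.2.2.1.10.1",     # ifInOctets.1
                "1.3.6.1.2.1.2.2.1.10.3",     # ifInOctets.3
                "1.3.6.1.4.1.259.10.1.39.1"): # enterprise subtree, not in the view
        print(oid, "->", v.classify(oid))
```

The point worth checking on any real view is the precedence rule: an excluded subtree only hides objects when it is more specific (longer) than the included subtree it sits under, and an object matched by no subtree at all is invisible rather than readable.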
Figure 253: Showing the OID Subtree Configured for SNMP Views
CONFIGURING SNMPV3 GROUPS
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 34: Supported Notification Messages
◆ newRoot – 1.3.6.1.2.1.17.0.1 – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
◆ topologyChange – 1.3.6.1.2.1.17.0.
◆ swPowerStatusChangeTrap – 1.3.6.1.4.1.259.10.1.39.2.1.0.1 – This trap is sent when the power state changes.
◆ swPortSecurityTrap – 1.3.6.1.4.1.259.10.1.39.2.1.0.36 – This trap is sent when a port security intrusion is detected on a port. This trap will only be sent when the portSecActionTrap is enabled.
◆ swIpFilterRejectTrap – 1.3.6.1.4.1.259.10.1.39.2.1.0.
◆ swCpuUtiRisingNotification – 1.3.6.1.4.1.259.10.1.39.2.1.0.107 – This notification indicates that the CPU utilization has risen from cpuUtiFallingThreshold to cpuUtiRisingThreshold.
◆ swCpuUtiFallingNotification – 1.3.6.1.4.1.259.10.1.39.2.1.0.
WEB INTERFACE
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply.
Figure 254: Creating an SNMP Group
To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.
SETTING COMMUNITY ACCESS STRINGS
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should remove the default strings: factory-default community names are published and are the first values an attacker tries, and a read-write string gives configuration control of the switch over an unauthenticated, clear-text protocol.
To show the community access strings:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show Community from the Action list.
■ AuthPriv – SNMP communications use both authentication and encryption.
◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) MD5 is deprecated for new deployments; select SHA wherever the management station supports it.
◆ Authentication Password – Enter plain text characters for the authentication password. (Range: 8-32 characters)
◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. Note that CBC-DES with a 56-bit key offers limited confidentiality by current standards: it prevents casual observation of management traffic but should not be relied on to protect secrets such as configuration passwords carried in SNMP.
To show local SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Local User from the Action list.
Figure 259: Showing Local SNMPv3 Users
CONFIGURING REMOTE SNMPV3 USERS
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch.
◆ Security Level – The following security levels are only used for the groups assigned to the SNMPv3 security model:
■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default security level.)
■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
■ AuthPriv – SNMP communications use both authentication and encryption.
Figure 260: Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
SPECIFYING TRAP MANAGERS
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
PARAMETERS
These parameters are displayed:
SNMP Version 1
◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (Default: v1)
◆ Community String – Specifies a valid community string for the new trap manager entry. Note that v1 and v2c notifications carry this string in clear text; use a string that is not also authorized for management access.
SNMP Version 3
◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
◆ Notification Type
■ Traps – Notifications are sent as trap messages.
■ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. Traps are unacknowledged UDP datagrams, whereas informs are acknowledged by the receiver and retransmitted if no acknowledgement arrives, so choose informs for events whose delivery matters (for example, port security or authentication failure notifications).
WEB INTERFACE
To configure trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Add from the Action list.
4. Fill in the required parameters based on the selected SNMP version.
5.
Figure 264: Configuring Trap Managers (SNMPv3)
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
Figure 265: Showing Trap Managers
CREATING SNMP NOTIFICATION LOGS
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
5. Click Apply.
Figure 266: Creating SNMP Notification Logs
To show configured SNMP notification logs:
1. Click Administration, SNMP.
2. Select Configure Notify Filter from the Step list.
3. Select Show from the Action list.
Figure 267: Showing SNMP Notification Logs
SHOWING SNMP STATISTICS
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
◆ Illegal operation for community name supplied – The total number of SNMP messages delivered to the SNMP entity which represented an SNMP operation which was not allowed by the SNMP community named in the message. A steadily rising value here, alongside authentication traps, indicates a client attempting write operations with a read-only community string.
◆ Encoding errors – The total number of ASN.1 or BER errors encountered by the SNMP entity when decoding received SNMP messages.
WEB INTERFACE
To show SNMP statistics:
1. Click Administration, SNMP.
2. Select Show Statistics from the Step list.
Figure 268: Showing SNMP Statistics
REMOTE MONITORING
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
CONFIGURING RMON ALARMS
Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
◆ Falling Threshold – If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
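The following is an added example, not code from this guide or from Edgecore: it replays a series of readings through one RMON alarm entry and shows which samples produce a rising or falling event under the threshold and hysteresis rules described above (RFC 2819), in both absolute and delta sampling modes, and how the first sample is handled by the startup alarm setting. The sample values, the 80/20 and 1000/200 thresholds and the event-type names are constructed for the example; the "log-and-trap" type is the RFC 2819 event type that combines the Log and Trap actions.

```python
"""RMON (RFC 2819) alarm evaluation with rising/falling hysteresis.

Added example, not code from the Edgecore guide; all sample data constructed.
"""
from typing import List, Optional


class RmonAlarm:
    def __init__(self, rising: int, falling: int, sample_type: str = "absolute",
                 startup: str = "rising-or-falling"):
        if rising < falling:
            raise ValueError("rising threshold must be >= falling threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample type must be 'absolute' or 'delta'")
        if startup not in ("rising", "falling", "rising-or-falling"):
            raise ValueError("bad startup alarm setting")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self._prev_raw: Optional[int] = None    # previous raw reading (delta mode)
        self._first = True                      # no sample evaluated yet
        self._rising_armed = True               # a rising event may fire
        self._falling_armed = True              # a falling event may fire

    def _value(self, raw: int) -> Optional[int]:
        """Absolute mode uses the reading itself; delta mode needs two readings."""
        if self.sample_type == "absolute":
            return raw
        if self._prev_raw is None:
            self._prev_raw = raw
            return None
        delta, self._prev_raw = raw - self._prev_raw, raw
        return delta

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return 'rising', 'falling' or None."""
        value = self._value(raw)
        if value is None:
            return None
        event = None
        if value >= self.rising:
            # the very first sample only fires if the startup setting allows it
            allowed = (not self._first) or self.startup in ("rising", "rising-or-falling")
            if self._rising_armed and allowed:
                event = "rising"
            self._rising_armed = False          # no repeat until value reaches the falling threshold
            self._falling_armed = True          # reaching the rising threshold re-arms falling
        elif value <= self.falling:
            allowed = (not self._first) or self.startup in ("falling", "rising-or-falling")
            if self._falling_armed and allowed:
                event = "falling"
            self._falling_armed = False         # no repeat until value reaches the rising threshold
            self._rising_armed = True
        self._first = False
        return event


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Optional[str]]:
    return [alarm.sample(s) for s in samples]


# Actions of an RMON event entry by its Type (None / Log / Trap / Log and Trap)
EVENT_ACTIONS = {"none": (), "log": ("log",), "trap": ("trap",), "log-and-trap": ("log", "trap")}


def dispatch(event_type: str, alarm_event: Optional[str]) -> List[str]:
    """Return the actions an event entry of the given type takes for one alarm event."""
    if alarm_event is None:
        return []
    return ["%s:%s" % (action, alarm_event) for action in EVENT_ACTIONS[event_type]]


if __name__ == "__main__":
    # constructed utilisation samples against an 80 / 20 alarm
    print(run_alarm(RmonAlarm(80, 20), [10, 50, 85, 90, 50, 15, 90]))
    # constructed octet counter in delta mode: alarm when >= 1000 octets arrive in one interval
    print(run_alarm(RmonAlarm(1000, 200, sample_type="delta"), [0, 100, 1200, 1300]))
    print(dispatch("log-and-trap", "rising"))
```

The trace shows the property the guide describes: once a rising event has fired, the value staying above the rising threshold produces nothing further, and the alarm only re-arms after the sampled value has come down to the falling threshold.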
To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
Figure 270: Showing Configured RMON Alarms
CONFIGURING RMON EVENTS
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
◆ Type – Specifies the type of event to initiate:
■ None – No event is generated.
■ Log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "System Log Configuration" on page 422).
■ Trap – Sends a trap message to all configured trap managers (see "Specifying Trap Managers" on page 472).
Figure 271: Configuring an RMON Event
To show configured RMON events:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Event.
COMMAND USAGE
◆ Each index number equates to a port on the switch.
◆ If history collection is already enabled on an interface, the entry must be deleted before any changes can be made.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
7. Click Apply.
Figure 273: Configuring an RMON History Sample
To show configured RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click History.
Figure 274: Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
5. Click History.
Figure 275: Showing Collected RMON History Samples
CONFIGURING RMON STATISTICAL SAMPLES
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
4. Click Statistics.
5. Select a port from the list as the data source.
6. Enter an index number, and the name of the owner for this entry.
7. Click Apply.
Figure 276: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click Statistics.
Figure 278: Showing Collected RMON Statistical Samples
SWITCH CLUSTERING
Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
manually selected by the administrator through the management station.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ A switch can only be a member of one cluster.
◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:
1. Create VLAN 4093 (see "Configuring VLAN Groups" on page 202).
2.
Because the Commander reaches every Member over the cluster VLAN, treat VLAN 4093 as a management network: carry it only on the links between cluster switches and never on user-facing ports.
◆ Number of Members – The current number of Member switches in the cluster.
◆ Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members.
WEB INTERFACE
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4.
WEB INTERFACE
To configure cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
5. Click Apply.
Figure 280: Configuring Cluster Members
To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3.
Figure 282: Showing Cluster Candidates
MANAGING CLUSTER MEMBERS
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
CLI REFERENCES
◆ "Switch Clustering" on page 786
PARAMETERS
These parameters are displayed:
◆ Member ID – The ID number of the Member switch. (Range: 1-36)
◆ Role – Indicates the current status of the switch in the cluster.
Figure 283: Managing a Cluster Member
ETHERNET RING PROTECTION SWITCHING
NOTE: Information in this section is based on ITU-T G.8032/Y.1344.
The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links. The mechanisms and protocol defined in G.
blocking the RPL. Each link is monitored by its two adjacent nodes using Connectivity Fault Management (CFM) protocol messages.
Figure 285 on page 498 (Normal Condition) depicts an example of a multi-ring/ladder network. If the network is in normal operating condition, the RPL owner node of each ring blocks the transmission and reception of traffic over the RPL for that ring. This figure presents the configuration when no failure exists on any ring link. In the figure for the Normal Condition there are two interconnected rings.
Figure 285: Ring Interconnection Architecture (Multi-ring/Ladder Network)
[Two panels, Normal Condition and Signal Fail Condition. Ring nodes A to F form two interconnected rings, ERP1 and ERP2, each with its own RPL and RPL Owner Node (one for ERP1, one for ERP2). In the Signal Fail Condition panel a FAILURE is shown on an ERP1 ring link.]
6. Enable ERPS (Configure Global): Before enabling a ring as described in the next step, first globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled, no ERPS rings will work.
7. Enable an ERPS ring (Configure Domain – Configure Details): Before an ERPS ring can work, it must be enabled.
3. Mark the ERPS Status check box.
4. Click Apply.
Figure 286: Setting ERPS Global Status
ERPS RING CONFIGURATION
Use the Administration > ERPS (Configure Domain) pages to configure ERPS rings.
◆ MEG Level – The maintenance entity group (MEG) level providing a communication channel for ring automatic protection switching (R-APS) information.
◆ Control VLAN – Shows the Control VLAN ID.
◆ Node State – Shows the following ERPS states:
■ Init – The ERPS ring has started but has not yet determined the status of the ring.
Configure Details
◆ Domain Name – Name of a configured ERPS ring. (Range: 1-12 characters) Service Instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association’s name, and assigned VLAN. Up to 26 ERPS rings can be configured on the switch.
◆ Domain ID – ERPS ring identifier used in R-APS messages.
When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”. In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier. The R-APS Def MAC parameter has no effect.
◆ MEG Level – The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information.
■ RPL Neighbor – Specifies a ring node to be the RPL neighbor.
The RPL neighbor node, when configured, is a ring node adjacent to the RPL that is responsible for blocking its end of the RPL under normal conditions (i.e., the ring is established and no requests are present in the ring) in addition to the block at the other end by the RPL Owner Node.
■ Recovery with Revertive Mode – When all ring links and ring nodes have recovered and no external requests are active, reversion is handled in the following way:
a. The reception of an R-APS (NR) message causes the RPL Owner Node to start the WTR (Wait-to-Restore) timer.
b.
accept an R-APS (NR, RB) message, or when another higher priority request is received. If the ring node where the Forced Switch was cleared receives an R-APS (NR) message with a Node ID higher than its own Node ID, it unblocks any ring port which does not have an SF condition and stops transmitting R-APS (NR) messages over both ring ports.
■ Recovery with revertive mode is handled as follows:
a.
commands, and triggers reversion if the ring is in revertive behavior mode. The ring node where the Manual Switch was cleared keeps the ring port blocked for the traffic channel and for the R-APS channel, due to the previous Manual Switch command. This ring port is kept blocked until the RPL is blocked as a result of ring protection reversion, or until there is another higher priority request (e.g.
c. The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL port which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
◆ Major Domain – The ERPS ring used for sending control packets. This switch can support up to six rings.
are forwarded over the sub-ring’s virtual channel are broadcast or multicast over the interconnected network. For this reason the broadcast/multicast domain of the virtual channel should be limited to the necessary links and nodes. For example, the virtual channel could span only the interconnecting rings or sub-rings that are necessary for forwarding R-APS messages of this sub-ring.
Figure 288: Sub-ring without Virtual Channel / Sub-ring with Virtual Channel
[Two panels; labels: RPL Port, Interconnection Node, Ring Node, Major Ring.]
◆ R-APS Def MAC – Sets the switch’s MAC address to be used as the node identifier in R-APS messages. (Default: Enabled) When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”.
in the following figure, and node E detected CCM loss, it would send an R-APS (SF) message to the RPL owner and block the link to node D, isolating that non-ERPS device.
ring. A side-effect of the guard timer is that during its duration, a node will be unaware of new or existing ring requests transmitted from other nodes.
◆ WTB Timer – The Wait to Block (WTB) timer is used when clearing Forced Switch (FS) and Manual Switch (MS) commands. As multiple FS commands are allowed to co-exist in a ring, the WTB timer ensures that clearing of a single FS command does not trigger re-blocking of the RPL.
Note that a ring port cannot be configured as a member of a spanning tree, a dynamic trunk, or a static trunk.
5. Click Apply.
Figure 290: Creating an ERPS Ring
To configure the ERPS parameters for a ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Configure Details from the Action list.
4. Configure the ERPS parameters for this node. Note that spanning tree protocol cannot be configured on the ring ports, nor can these ports be members of a static or dynamic trunk.
Figure 291: Creating an ERPS Ring
To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
ERPS FORCED AND MANUAL MODE OPERATIONS
Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands.
CLI REFERENCES
◆ "erps forced-switch" on page 1141
◆ "erps manual-switch" on page 1143
◆ "erps clear" on page 1140
PARAMETERS
These parameters are displayed:
◆ Domain Name – Name of a configured ERPS ring.
nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS. R-APS (FS) messages are continuously transmitted by this ring node while the local FS command is the ring node’s highest priority command.
under maintenance in order to avoid falling into the above mentioned unrecoverable situation.
■ Manual Switch – Blocks the specified ring port, in the absence of a failure or an FS command. (Options: West or East)
A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links.
c. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
■ Recovery for manual switching under revertive and non-revertive mode is described under the Revertive parameter.
Figure 293: Blocking an ERPS Ring Port
CONNECTIVITY FAULT MANAGEMENT
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loopback messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
◆ Maintenance End Points (MEPs) which provide full CFM access to a Service Instance (i.e.
Figure 295: Multiple CFM Maintenance Domains
[Nested domains: a Customer MA at the top, a Provider MA beneath it, and Operator 1 and Operator 2 MAs beneath that; node labels C (customer), P (provider), O1 and O2 (operators).]
Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
CLI REFERENCES
◆ "CFM Commands" on page 1347
PARAMETERS
These parameters are displayed:
Global Configuration
◆ CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field.
◆ Link Trace Cache Size – The maximum size for the link trace cache.
◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list. Because this trap fires for any device that sends CCMs on the service VLAN without being in the expected MEP list, it is also a useful signal that an unexpected device has been attached to the service; forward it to the management station rather than suppressing it.
WEB INTERFACE
To configure global settings for CFM:
1. Click Administration, CFM.
2. Select Configure Global from the Step list.
3.
CONFIGURING INTERFACES FOR CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
CLI REFERENCES
◆ "ethernet cfm port-enable" on page 1359
COMMAND USAGE
◆ An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
CLI REFERENCES
◆ "CFM Commands" on page 1347
COMMAND USAGE
Configuring General Settings
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List.
Configuring Fault Notification
◆ A fault alarm can generate an SNMP notification.
PARAMETERS
These parameters are displayed:
Creating a Maintenance Domain
◆ MD Index – Domain index. (Range: 1-65535)
◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters)
◆ MD Level – Authorized maintenance level for this domain.
WEB INTERFACE
To create a maintenance domain:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Add from the Action list.
4. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains).
5. Specify the manner in which MIPs can be created within each domain.
6. Click Apply.
To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from the MD Index.
5. Specify the MEP archive hold and MEP fault notification parameters.
6.
◆ Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 527).
◆ Before removing an MA, first remove the MEPs assigned to it (see "Configuring Maintenance End Points" on page 537).
◆ For a detailed description of the MIP types, refer to the Command Usage section under "Configuring CFM Maintenance Domains" on page 527.
◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA:
■ Default – MIPs can be created for this MA on any bridge port through which the MA’s VID can pass.
■ Explicit – MIPs can be created for this MA only on bridge ports through which the MA’s VID can pass, and only if a maintenance end point (MEP) is created at some lower MA Level.
◆ AIS Transmit Level – Configure the AIS maintenance level in an MA. (Range: 0-7; Default: 0) The AIS Level must follow this rule: AIS Level >= Domain Level.
◆ AIS Suppress Alarm – Enables/disables suppression of the AIS. (Default: Disabled)
WEB INTERFACE
To create a maintenance association:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Add from the Action list.
4.
Figure 302: Showing Maintenance Associations
To configure detailed settings for maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from MD Index and MA Index.
5. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
6.
CONFIGURING MAINTENANCE END POINTS
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.

6. Click Apply.

Figure 304: Configuring Maintenance End Points

To show the configured maintenance end points:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.

COMMAND USAGE
◆ All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross-check process.
◆ Remote MEPs can only be configured if local domain service access points (DSAPs) have already been created (see "Configuring Maintenance End Points") at the same maintenance level and in the same MA.
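The domain nesting rule, the same-level VLAN rule, the AIS level rule, and the ordering constraints on MEPs and MAs stated in this section can be checked before a change is pushed to the switch. The following Python model is an added example, not code from this guide or from the switch; its data model (a domain optionally listing the lower-level domains it encloses) is an assumption.

```python
# Added example, not the switch's own code: a checker for the CFM
# configuration rules stated in this chapter. The data model (a domain may
# list the lower-level domains it encloses) is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MD_INDEX_RANGE = (1, 65535)       # MD Index range from the guide
MA_INDEX_RANGE = (1, 2147483647)  # MA Index range from the guide
MEP_ID_RANGE = (1, 8191)          # MEP ID range from the guide
LEVEL_RANGE = (0, 7)              # MD Level and AIS Transmit Level range


def _in_range(value: int, bounds: Tuple[int, int]) -> bool:
    return bounds[0] <= value <= bounds[1]


@dataclass
class MaintenanceDomain:
    index: int
    name: str
    level: int
    encloses: List[int] = field(default_factory=list)  # assumed: nested lower-level MDs


@dataclass
class MaintenanceAssociation:
    md_index: int
    ma_index: int
    vlan: int
    ais_level: int = 0  # AIS Transmit Level, default 0 per the guide


class CfmConfig:
    """Each add/remove returns the violations found; an empty list means applied."""

    def __init__(self) -> None:
        self.domains: Dict[int, MaintenanceDomain] = {}
        self.associations: Dict[Tuple[int, int], MaintenanceAssociation] = {}
        self.local_meps: Set[Tuple[int, int, int]] = set()   # (md, ma, mep_id)
        self.remote_meps: Set[Tuple[int, int, int]] = set()

    def add_domain(self, md: MaintenanceDomain) -> List[str]:
        errors: List[str] = []
        if not _in_range(md.index, MD_INDEX_RANGE):
            errors.append("MD Index out of range 1-65535")
        if not _in_range(md.level, LEVEL_RANGE) or not 1 <= len(md.name) <= 43:
            errors.append("MD Level must be 0-7 and MD Name 1-43 characters")
        # Nesting rule: an enclosing domain must have a higher level than
        # every domain it encompasses (customer > service provider > operator).
        for inner in md.encloses:
            if inner not in self.domains:
                errors.append(f"enclosed MD {inner} does not exist")
            elif self.domains[inner].level >= md.level:
                errors.append(f"MD {md.index} needs a higher level than enclosed MD {inner}")
        if not errors:
            self.domains[md.index] = md
        return errors

    def add_association(self, ma: MaintenanceAssociation) -> List[str]:
        md = self.domains.get(ma.md_index)
        if md is None:
            return ["unknown MD Index"]
        errors: List[str] = []
        if not _in_range(ma.ma_index, MA_INDEX_RANGE):
            errors.append("MA Index out of range")
        # AIS Level must follow the rule AIS Level >= Domain Level.
        if not _in_range(ma.ais_level, LEVEL_RANGE) or ma.ais_level < md.level:
            errors.append("AIS Transmit Level must be 0-7 and >= MD Level")
        # Domains at the same maintenance level cannot both have an MA on one VLAN.
        for (other_md, _), other in self.associations.items():
            if (other_md != ma.md_index and other.vlan == ma.vlan
                    and self.domains[other_md].level == md.level):
                errors.append(f"VLAN {ma.vlan} already has an MA at level {md.level} in MD {other_md}")
        if not errors:
            self.associations[(ma.md_index, ma.ma_index)] = ma
        return errors

    def add_mep(self, md_index: int, ma_index: int, mep_id: int, remote: bool = False) -> List[str]:
        errors: List[str] = []
        if (md_index, ma_index) not in self.associations:
            errors.append("MA does not exist")
        if not _in_range(mep_id, MEP_ID_RANGE):
            errors.append("MEP ID out of range 1-8191")
        # Remote MEPs need a local DSAP already created in the same MA.
        if remote and not any(k[:2] == (md_index, ma_index) for k in self.local_meps):
            errors.append("create a local MEP in this MA before adding remote MEPs")
        if not errors:
            (self.remote_meps if remote else self.local_meps).add((md_index, ma_index, mep_id))
        return errors

    def remove_association(self, md_index: int, ma_index: int) -> List[str]:
        # An MA may only be removed once the MEPs assigned to it are gone.
        assigned = [k for k in self.local_meps | self.remote_meps
                    if k[:2] == (md_index, ma_index)]
        if assigned:
            return [f"remove the {len(assigned)} MEP(s) assigned to this MA first"]
        self.associations.pop((md_index, ma_index), None)
        return []
```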
Figure 306: Configuring Remote Maintenance End Points

To show the configured remote maintenance end points:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.

◆ LTMs are sent as multicast CFM frames, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the LTM reaches its destination or can no longer be forwarded.
◆ LTMs are used to isolate faults. However, this task can be difficult in an Ethernet environment, since each node is connected through multipoint links.

5. Click Apply.
6. Check the results in the Link Trace cache (see "Displaying the Link Trace Cache").

Figure 308: Transmitting Link Trace Messages

TRANSMITTING LOOP BACK MESSAGES
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e.

◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191)
◆ Target
■ MEP ID – The identifier of a remote MEP that is the target of a loopback message. (Range: 1-8191)
■ MAC Address – MAC address of a remote MEP that is the target of a loopback message.

TRANSMITTING DELAY-MEASURE REQUESTS
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.

CLI REFERENCES
◆ "ethernet cfm delay-measure two-way" on page 1386

COMMAND USAGE
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.

◆ Count – The number of times to retry sending the message if no response is received before the specified timeout. (Range: 1-5; Default: 5)
◆ Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Interval – The transmission delay between delay-measure messages. (Range: 1-5 seconds; Default: 1 second)
◆ Timeout – The timeout to wait for a response.

DISPLAYING LOCAL MEPS
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.

CLI REFERENCES
◆ "show ethernet cfm maintenance-points local" on page 1363

PARAMETERS
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.

DISPLAYING DETAILS FOR LOCAL MEPS
Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database.

CLI REFERENCES
◆ "show ethernet cfm maintenance-points local detail mep" on page 1364

PARAMETERS
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier.

◆ Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.

WEB INTERFACE
To show detailed information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP Details from the Action list.
4. Select an entry from MD Index and MA Index.
5.

PARAMETERS
These parameters are displayed:
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
◆ MA Name – Maintenance association name.
◆ Primary VLAN – Service VLAN ID.
◆ Interface – Physical interface of this entry (either a port or trunk).

WEB INTERFACE
To show information for the MIPs discovered by the CFM protocol:
1. Click Administration, CFM.
2.

◆ MA Name – Maintenance association name.
◆ Level – Authorized maintenance level for this domain.
◆ Primary VLAN – Service VLAN ID.
◆ MEP Up – Indicates whether or not this MEP is functioning normally.
◆ Remote MAC Address – MAC address of the remote maintenance point. (If a CCM for the specified remote MEP has never been received or the remote MEP record times out, the address will be set to the initial value of all Fs.)

◆ MA Name – Maintenance association name.
◆ Level – Authorized maintenance level for this domain.
◆ MAC Address – MAC address of this MEP entry.
◆ Primary VLAN – Service VLAN ID.
◆ Incoming Port – Port to which this remote MEP is attached.
◆ CC Lifetime – Length of time to hold messages about this MEP in the CCM database.

WEB INTERFACE
To show detailed information for remote MEPs:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Remote MEP Details from the Action list.
4. Select an entry from MD Index and MA Index.
5. Select a MEP ID.

◆ MA – Maintenance association name.
◆ IP Address / Alias – IP address or DNS alias of the target device’s CPU.
◆ Forwarded – Shows whether or not this link trace message was forwarded. A message is not forwarded if received by the target MEP.
◆ Ingress MAC Address – MAC address of the ingress port on the target device.
◆ Egress MAC Address – MAC address of the egress port on the target device.

WEB INTERFACE
To show information about link trace operations launched from this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Link Trace Cache from the Action list.

WEB INTERFACE
To show configuration settings for the fault notification generator:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Fault Notification Generator from the Action list.
CHAPTER 14 | Basic Administration Protocols OAM Configuration

■ VIDS – MA x is associated with a specific VID list, an MEP is configured facing inward (up) on this MA on the bridge port, and some other MA y, associated with at least one of the VID(s) also in MA x, also has an Up MEP configured facing inward (up) on some bridge port.
■ EXCESS_LEV – The number of different MD levels at which MIPs are to be created on this port exceeds the bridge's capabilities.
CLI REFERENCES
◆ "OAM Commands" on page 1389

PARAMETERS
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Admin Status – Enables or disables OAM functions. (Default: Disabled)
◆ Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.

◆ Critical Link Event – Controls reporting of critical link events to its OAM peer.
■ Dying Gasp – If an unrecoverable condition occurs, the local OAM entity (i.e., this switch) indicates this by immediately sending a trap message. (Default: Enabled) Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.

3. Click Apply.

Figure 319: Enabling OAM for Local Ports

DISPLAYING STATISTICS FOR OAM MESSAGES
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.

CLI REFERENCES
◆ "show efm oam counters interface" on page 1397
◆ "clear efm oam counters" on page 1394

PARAMETERS
These parameters are displayed:
◆ Port – Port identifier.

WEB INTERFACE
To display statistics for OAM messages:
1. Click Administration, OAM, Counters.

Figure 320: Displaying Statistics for OAM Messages

DISPLAYING THE OAM EVENT LOG
Use the Administration > OAM > Event Log page to display link events for the selected port.

Figure 321: Displaying the OAM Event Log

DISPLAYING THE STATUS OF REMOTE INTERFACES
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.

CLI REFERENCES
◆ "show efm oam status remote interface" on page 1400

PARAMETERS
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ MAC Address – MAC address of the OAM peer.

WEB INTERFACE
To display information about attached OAM-enabled devices:
1. Click Administration, OAM, Remote Interface.

Figure 322: Displaying Status of Remote Interfaces

CONFIGURING A REMOTE LOOP BACK TEST
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.

◆ Loopback Mode – Shows if loop back mode is enabled on the peer. This attribute must be enabled before starting the loopback test.
◆ Loopback Status – Shows if loopback testing is currently running.

Loopback Test Parameters
◆ Packets Number – Number of packets to send. (Range: 1-99999999; Default: 10000)
◆ Packet Size – Size of packets to send. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Test – Starts the loop back test.

3. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
4. Set the number of packets to send and the packet size, and then click Test.

WEB INTERFACE
To display the results of remote loop back testing for each port for which this information is available:
1. Click Administration, OAM, Remote Loop Back.
2. Select Show Test Result from the Action list.
15 MULTICAST FILTERING

This chapter describes how to configure the following multicast services:
◆ IGMP Snooping – Configures snooping and query parameters.
◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
CHAPTER 15 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4)

Figure 325: Multicast Filtering Concept (legend: Unicast Flow, Multicast Flow)

This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
network segments where no node has expressed interest in receiving a specific multicast service. For switches that do not support multicast routing, or where multicast routing is already enabled on other switches in the local network segment, IGMP Snooping is the only service required to support multicast filtering.

your switch (page 574). This interface will then join all the current multicast groups supported by the attached router/switch to ensure that multicast traffic is passed to all appropriate interfaces within the switch.

Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 576).

these devices is elected “querier” and assumes the role of querying the LAN for group members. It then propagates the service requests on to any upstream multicast switch/router to ensure that it will continue to receive the multicast service.

When a new uplink port starts up, the switch sends unsolicited reports for all currently learned channels out the new uplink port. By default, the switch immediately enters into “multicast flooding mode” when a spanning tree topology change occurs. In this mode, multicast traffic will be flooded to all VLAN ports.

is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
◆ Forwarding Priority – Assigns a CoS priority to all multicast traffic.

Figure 326: Configuring General Settings for IGMP Snooping

SPECIFYING STATIC INTERFACES FOR A MULTICAST ROUTER
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.

Show Static Multicast Router
◆ VLAN – Selects the VLAN for which to display any configured static multicast routers.
◆ Interface – Shows the interface to which the specified static multicast routers are attached.

Show Current Multicast Router
◆ VLAN – Selects the VLAN for which to display any currently active multicast routers.
◆ Interface – Shows the interface to which an active multicast router is attached.

Figure 328: Showing Static Interfaces Attached to a Multicast Router

To show all interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Current Multicast Router from the Action list.
3. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.

COMMAND USAGE
◆ Static multicast addresses are never aged out.
◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.

PARAMETERS
These parameters are displayed:
◆ VLAN – Specifies the VLAN which is to propagate the multicast service. (Range: 1-4094)
◆ Interface – Activates the Port or Trunk scroll-down list.
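The forwarding behaviour described in this section (static entries that never age out and stay within their VLAN, router ports that receive every registered group, and unregistered traffic that is dropped when a querier is configured with unregistered flooding disabled but otherwise flooded throughout the VLAN) can be modelled as a small forwarding table. The following Python model is an added example, not the switch's implementation; the membership timeout value and the reading of the cut-off condition above as "a querier is configured" are assumptions.

```python
# Added example, not the switch's implementation: a model of the IGMP
# snooping forwarding decisions described in this chapter.
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class SnoopingVlan:
    vlan: int
    ports: Set[int]                       # all member ports of the VLAN
    querier_present: bool = False         # assumed: a querier is configured in the VLAN
    unregistered_flooding: bool = True    # Unregistered Flooding setting for the VLAN
    router_ports: Set[int] = field(default_factory=set)  # static or learned router ports
    static_members: Dict[str, Set[int]] = field(default_factory=dict)  # never aged out
    dynamic_members: Dict[str, Dict[int, float]] = field(default_factory=dict)  # group->port->expiry


class IgmpSnoopingTable:
    def __init__(self, group_timeout: float = 260.0) -> None:
        self.vlans: Dict[int, SnoopingVlan] = {}
        self.group_timeout = group_timeout  # assumed membership lifetime in seconds

    def add_vlan(self, v: SnoopingVlan) -> None:
        self.vlans[v.vlan] = v

    def add_router_port(self, vlan: int, port: int) -> None:
        self.vlans[vlan].router_ports.add(port)

    def add_static_member(self, vlan: int, port: int, group: str) -> None:
        # Static assignments are scoped to the VLAN and never age out.
        self.vlans[vlan].static_members.setdefault(group, set()).add(port)

    def report(self, vlan: int, port: int, group: str, now: float) -> bool:
        """A membership report snooped on `port`; refused if the port is not in the VLAN."""
        v = self.vlans[vlan]
        if port not in v.ports:
            return False
        v.dynamic_members.setdefault(group, {})[port] = now + self.group_timeout
        return True

    def leave(self, vlan: int, port: int, group: str) -> None:
        """Immediate leave: drop the port from the group without a query."""
        v = self.vlans[vlan]
        v.dynamic_members.get(group, {}).pop(port, None)
        if group in v.dynamic_members and not v.dynamic_members[group]:
            del v.dynamic_members[group]

    def age(self, now: float) -> None:
        """Expire dynamic memberships whose timer has run out."""
        for v in self.vlans.values():
            for group in list(v.dynamic_members):
                members = v.dynamic_members[group]
                for port in [p for p, exp in members.items() if exp <= now]:
                    del members[port]
                if not members:
                    del v.dynamic_members[group]

    def forward_ports(self, vlan: int, in_port: int, group: str, now: float) -> Set[int]:
        """Egress ports for a multicast frame to `group` arriving on `in_port`."""
        self.age(now)
        v = self.vlans[vlan]
        members = set(v.static_members.get(group, set()))
        members |= set(v.dynamic_members.get(group, {}))
        if members:
            # Registered group: its members plus router ports, which join every group.
            out = members | v.router_ports
        elif v.querier_present and not v.unregistered_flooding:
            out = set()  # unregistered traffic is dropped
        else:
            out = set(v.ports)  # otherwise flooded throughout the VLAN
        out.discard(in_port)
        return out
```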
Figure 331: Showing Static Interfaces Assigned to a Multicast Service

SETTING IGMP SNOOPING STATUS PER INTERFACE
Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to "Configuring IGMP Snooping and Query Parameters" on page 570.

Multicast Router Discovery uses the following three message types to discover multicast routers:
◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.

PARAMETERS
These parameters are displayed:
◆ VLAN – ID of configured VLANs. (Range: 1-4094)
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.

◆ Proxy Reporting – Enables IGMP Snooping with Proxy Reporting. (Default: Based on global setting) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.

◆ Query Response Interval – The maximum time the system waits for a response to general queries. (Range: 10-31740 tenths of a second in multiples of 10; Default: 10 seconds) This command applies when the switch is serving as the querier (page 570), or as a proxy host when IGMP snooping proxy reporting is enabled (page 570).
◆ Last Member Query Interval – The interval to wait for a response to a group-specific query message.

3. Select the VLAN to configure and update the required parameters.
4. Click Apply.

Figure 332: Configuring IGMP Snooping on a VLAN

To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.

FILTERING IGMP QUERY PACKETS AND MULTICAST DATA
Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets.

CLI REFERENCES
◆ "ip igmp query-drop" on page 1257
◆ "ip multicast-data-drop" on page 1257

PARAMETERS
These parameters are displayed:
◆ Interface – Specifies port or trunk selection.

DISPLAYING MULTICAST GROUPS DISCOVERED BY IGMP SNOOPING
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.

CLI REFERENCES
◆ "show ip igmp snooping group" on page 1244
◆ "clear ip igmp snooping groups dynamic" on page 1242

COMMAND USAGE
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 570).

Figure 335: Showing Multicast Groups Learned by IGMP Snooping

DISPLAYING IGMP SNOOPING STATISTICS
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.

CLI REFERENCES
◆ "show ip igmp snooping statistics" on page 1246
◆ "clear ip igmp snooping statistics" on page 1243

PARAMETERS
These parameters are displayed:
◆ VLAN – VLAN identifier.

◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Warn Rate Limit – The rate at which received query messages of the wrong version type cause the Vx warning count to increment.

◆ G Query – The number of general query messages sent from this interface.
◆ G(-S)-S Query – The number of group-specific or group-and-source-specific query messages sent from this interface.
◆ Drop – The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or IGMP group report received.

3. Select a VLAN.

Figure 337: Displaying IGMP Snooping Statistics – VLAN

To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
CHAPTER 15 | Multicast Filtering Filtering and Throttling IGMP Groups

FILTERING AND THROTTLING IGMP GROUPS
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service offered under a specific subscription plan.
Figure 339: Enabling IGMP Filtering and Throttling

CONFIGURING IGMP FILTER PROFILES
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.

WEB INTERFACE
To create an IGMP filter profile and set its access mode:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the number for a profile, and set its access mode.
5. Click Apply.

Figure 340: Creating an IGMP Filtering Profile

To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2.

5. Click Apply.

Figure 342: Adding Multicast Groups to an IGMP Filtering Profile

To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.

removes an existing group and replaces it with the new multicast group.

PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
◆ Profile ID – Selects an existing profile to assign to an interface.
CHAPTER 15 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6)

Figure 344: Configuring IGMP Filtering and Throttling Interface Settings

MLD SNOOPING (SNOOPING AND QUERY FOR IPV6)
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
PARAMETERS
These parameters are displayed:
◆ MLD Snooping Status – When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. (Default: Disabled)
◆ Querier Status – When enabled, the switch can serve as the querier for MLDv2 snooping if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.

■ To Router Port – Forwards any received IPv6 multicast packets that have not been requested by a host to ports that are connected to a detected multicast router. (This is the default action.)

WEB INTERFACE
To configure general settings for MLD Snooping:
1. Click Multicast, MLD Snooping, General.
2. Adjust the settings as required.
3. Click Apply.

enabled device, either a service host or a neighbor running MLD snooping.

WEB INTERFACE
To configure immediate leave for MLD Snooping:
1. Click Multicast, MLD Snooping, Interface.
2. Select a VLAN, and set the status for immediate leave.
3. Click Apply.

WEB INTERFACE
To specify a static interface attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Add Static Multicast Router from the Action list.
3. Select the VLAN which will forward all the corresponding IPv6 multicast traffic, and select the port or trunk attached to the multicast router.
4. Click Apply.

Figure 349: Showing Current Interfaces Attached to an IPv6 Multicast Router

ASSIGNING INTERFACES TO IPV6 MULTICAST SERVICES
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see "Configuring MLD Snooping and Query Parameters" on page 595).

WEB INTERFACE
To statically assign an interface to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Add Static Member from the Action list.
3. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an MLD-enabled switch or multicast router), and enter the multicast IP address.
4. Click Apply.

To display information about all IPv6 multicast groups, MLD Snooping or multicast routing must first be enabled on the switch.

To show all of the interfaces statically or dynamically assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Current Member from the Action list.
3. Select the VLAN for which to display this information.
CHAPTER 15 | Multicast Filtering Multicast VLAN Registration for IPv4

request list and exclude list, indicating that the reception of packets sent to the given multicast address is requested from all IP source addresses, except for those listed in the exclude source-list and for any other sources where the source timer status has expired.
◆ Filter Timer Elapse – The Filter timer is only used when a specific multicast address is in Exclude mode.
support common multicast services over a wide part of the network without having to use any multicast routing protocol. MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong. Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN, users in different IEEE 802.

hosts can issue multicast join or leave messages. Since IGMP version 1 hosts do not support leave messages, they are timed out by the switch.

CONFIGURING MVR GLOBAL SETTINGS
Use the Multicast > MVR (Configure Global) page to configure proxy switching and the robustness variable.

This parameter only takes effect when MVR proxy switching is enabled.
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries.

Figure 355: Configuring Global Settings for MVR

CONFIGURING MVR DOMAIN SETTINGS
Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.

CLI REFERENCES
◆ "MVR for IPv4" on page 1281

PARAMETERS
These parameters are displayed:
◆ Domain ID – An independent multicast domain.

◆ Upstream Source IP – The source IP address assigned to all MVR control packets sent upstream on the specified domain. By default, all MVR reports sent upstream use a null source IP address.

WEB INTERFACE
To configure settings for an MVR domain:
1. Click Multicast, MVR.
2. Select Configure Domain from the Step list.
3. Select a domain from the scroll-down list.
4.

◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
◆ IGMP snooping and MVR share a maximum number of 1023 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated domain.
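The group address rule and the shared 1023-group limit stated above can be checked before a profile is applied; the limit matters because streams beyond it are flooded to every port in the domain rather than filtered. The following Python functions are an added example, not the switch's code; treating table entries as consumed in the order given is a simplifying assumption.

```python
# Added example, not the switch's code: checks for the MVR group address
# rules in this chapter. The shared IGMP snooping / MVR group budget is
# modelled as a plain count of distinct groups, consumed in the order given.
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Set

MULTICAST = IPv4Network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255
RESERVED = IPv4Network("224.0.0.0/24")   # 224.0.0.x, not allowed for MVR groups
SHARED_GROUP_LIMIT = 1023                # groups shared by IGMP snooping and MVR


def mvr_range_errors(start: str, end: str) -> List[str]:
    """Validate an MVR group address profile range (start..end inclusive)."""
    lo, hi = IPv4Address(start), IPv4Address(end)
    errors: List[str] = []
    if lo > hi:
        errors.append("start address is above end address")
    if lo not in MULTICAST or hi not in MULTICAST:
        errors.append("range must lie within 224.0.0.0-239.255.255.255")
    # Interval overlap test against the reserved block.
    if lo <= RESERVED[-1] and hi >= RESERVED[0]:
        errors.append("range overlaps the reserved 224.0.0.x block")
    return errors


def flooded_groups(igmp_groups: Iterable[str], mvr_groups: Iterable[str]) -> List[str]:
    """Groups that do not fit in the shared 1023-entry table and would
    therefore be flooded to all ports in the associated domain."""
    seen: Set[str] = set()
    flooded: List[str] = []
    for group in list(igmp_groups) + list(mvr_groups):
        if group in seen:
            continue  # already occupies an entry
        if len(seen) >= SHARED_GROUP_LIMIT:
            flooded.append(group)
        else:
            seen.add(group)
    return flooded
```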
CHAPTER 15 | Multicast Filtering Multicast VLAN Registration for IPv4 Figure 357: Configuring an MVR Group Address Profile To show the configured MVR group address profiles: 1. Click Multicast, MVR. 2. Select Configure Profile from the Step list. 3. Select Show from the Action list. Figure 358: Displaying MVR Group Address Profiles To assign an MVR group address profile to a domain: 1. Click Multicast, MVR. 2. Select Associate Profile from the Step list. 3. Select Add from the Action list. 4.
Figure 359: Assigning an MVR Group Address Profile to a Domain
To show the MVR group address profiles assigned to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Show from the Action list.
Receiver ports should not be statically configured as a member of the MVR VLAN. If so configured, the port's MVR status will be inactive. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see "Adding Static Members to VLANs" on page 205).
◆ One or more interfaces may be configured as MVR source ports.
■ Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)
◆ Forwarding Status – Shows if MVR traffic is being forwarded or discarded.
◆ MVR Status – Shows the MVR status. MVR status for source ports is “Active” if MVR is globally enabled on the switch.
Figure 361: Configuring Interface Settings for MVR
ASSIGNING STATIC MVR MULTICAST GROUPS
Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.
WEB INTERFACE
To assign a static MVR group to an interface:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Add from the Action list.
4. Select an MVR domain.
5. Select a VLAN and interface to receive the multicast stream, and then enter the multicast group address.
6. Click Apply.
Figure 363: Showing the Static MVR Groups Assigned to a Port
DISPLAYING MVR RECEIVER GROUPS
Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
CLI REFERENCES
◆ "show mvr" on page 1293
PARAMETERS
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
Figure 364: Displaying MVR Receiver Groups
DISPLAYING MVR STATISTICS
Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
CLI REFERENCES
◆ "show mvr statistics" on page 1298
PARAMETERS
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Port – Port identifier.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.
VLAN, Port, and Trunk Statistics
Input Statistics
◆ Report – The number of IGMP membership reports received on this interface.
◆ Leave – The number of leave messages received on this interface.
◆ G Query – The number of general query messages received on this interface.
WEB INTERFACE
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR domain.
To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.
Figure 366: Displaying MVR Statistics – VLAN
To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3.
CHAPTER 15 | Multicast Filtering Multicast VLAN Registration for IPv6
Figure 367: Displaying MVR Statistics – Port
MULTICAST VLAN REGISTRATION FOR IPV6
MVR6 functions in a manner similar to that described for MVR (see "Multicast VLAN Registration for IPv4" on page 603).
COMMAND USAGE
◆ General Configuration Guidelines for MVR6:
1. Enable MVR6 for a domain on the switch, and select the MVR VLAN (see "Configuring MVR6 Domain Settings" on page 624).
2.
CONFIGURING MVR6 GLOBAL SETTINGS
Use the Multicast > MVR6 (Configure Global) page to configure proxy switching and the robustness variable.
CLI REFERENCES
◆ "MVR for IPv6" on page 1303
PARAMETERS
These parameters are displayed:
◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds)
◆ This parameter sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled.
CONFIGURING MVR6 DOMAIN SETTINGS
Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
CLI REFERENCES
◆ "MVR for IPv6" on page 1303
PARAMETERS
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
WEB INTERFACE
To configure settings for an MVR6 domain:
1. Click Multicast, MVR6.
2. Select Configure Domain from the Step list.
3. Select a domain from the scroll-down list.
4. Enable MVR6 for the selected domain, select the MVR6 VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
5. Click Apply.
◆ The MVR6 group address range assigned to a profile cannot overlap with the group address range of any other profile.
◆ MVR6 domains can be associated with more than one MVR6 profile. But since MVR6 domains cannot share the group range, an MVR6 profile can only be associated with one MVR6 domain.
Figure 370: Configuring an MVR6 Group Address Profile
To show the configured MVR6 group address profiles:
1. Click Multicast, MVR6.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 371: Displaying MVR6 Group Address Profiles
To assign an MVR6 group address profile to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.
To show the MVR6 group address profiles assigned to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Show from the Action list.
Figure 373: Showing MVR6 Group Address Profiles Assigned to a Domain
CONFIGURING MVR6 INTERFACE STATUS
Use the Multicast > MVR6 (Configure Interface) page to configure each interface that participates in the MVR6 protocol as a source port or receiver port.
◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
■ By Host IP – The router/querier will not send out a group-specific query when an MLDv1/v2 Listener Done message is received (the same as it would without this option having been used). Instead of immediately deleting that group, it will look up the record, and only delete the group if there are no other subscribers for it on the member port. Only when all hosts on that port leave the group will the member port be deleted.
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.)
◆ The MVR6 VLAN cannot be specified as the receiver VLAN for static bindings.
To show the static MVR6 groups assigned to an interface:
1. Click Multicast, MVR6.
2. Select Configure Static Group Member from the Step list.
3. Select Show from the Action list.
4. Select an MVR6 domain.
5. Select the port or trunk for which to display this information.
◆ Expire – Time before this entry expires if no membership report is received from currently active or new clients.
◆ Count – The number of multicast services currently being forwarded from the MVR6 VLAN.
WEB INTERFACE
To display the interfaces assigned to the MVR6 receiver groups:
1. Click Multicast, MVR6.
2. Select Show Member from the Step list.
3. Select an MVR6 domain.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
WEB INTERFACE
To display statistics for MVR6 query-related messages:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR6 domain.
To display MVR6 protocol-related statistics for a VLAN:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a VLAN.
To display MVR6 protocol-related statistics for a port:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Port.
16 IP CONFIGURATION
This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server. An IPv6 address can either be manually configured or dynamically generated.
CHAPTER 16 | IP Configuration Setting the Switch’s IP Address (IP Version 4)
◆ To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 1468).
◆ The precedence for configuring IP interfaces is the IP > General > Routing Interface (Add Address) menu, and then static routes.
PARAMETERS
These parameters are displayed:
◆ VLAN – ID of the configured VLAN (1-4094). By default, all ports on the switch are members of VLAN 1.
WEB INTERFACE
To set a static address for the switch:
1. Click IP, General, Routing Interface.
2. Select Add Address from the Action list.
3. Select any configured VLAN, set IP Address Mode to “User Specified,” set IP Address Type to “Primary” if no address has yet been configured for this interface, and then enter the IP address and subnet mask.
4. Click Apply.
Figure 382: Configuring a Dynamic IPv4 Address
NOTE: The switch will also broadcast a request for IP configuration settings on each power reset.
NOTE: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
CHAPTER 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6)
Figure 383: Showing the Configured IP Address for an Interface
SETTING THE SWITCH’S IP ADDRESS (IP VERSION 6)
This section describes how to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
PARAMETERS
These parameters are displayed:
◆ Default Gateway – Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address.
■ If no static routes are defined, you must define a gateway if the target device is located in a different subnet.
COMMAND USAGE
◆ The switch must be configured with a link-local address. The switch’s address auto-configuration function will automatically create a link-local address, as well as an IPv6 global address if router advertisements are detected on the local interface.
◆ The option to explicitly enable IPv6 creates a link-local address, but will not generate a global IPv6 address if auto-configuration is not enabled.
◆ Enable IPv6 Explicitly – Enables IPv6 on an interface and assigns it a link-local address. Note that when an explicit address is assigned to an interface, IPv6 is automatically enabled, and cannot be disabled until all assigned addresses have been removed. (Default: Disabled) Disabling this parameter does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address.
configuration commands associated with a duplicate address remain configured while the address is in “duplicate” state.
◆ If the link-local address for an interface is changed, duplicate address detection is performed on the new link-local address, but not for any of the IPv6 global unicast addresses already associated with the interface.
switch should attempt to acquire from the DHCPv6 server as described below.
■ Both M and O flags are set to 1: DHCPv6 is used for both address and other configuration settings. This combination is known as DHCPv6 stateful autoconfiguration, in which a DHCPv6 server assigns stateful addresses to IPv6 hosts.
■ The M flag is set to 0, and the O flag is set to 1: DHCPv6 is used only for other configuration settings.
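The M and O flags above arrive in the ICMPv6 Router Advertisement header, so a switch (or an analyst reading a capture) has to pull them out of the packet before deciding the DHCPv6 mode; the Python below is an added example, not Edgecore code, that builds a sample RA, decodes the flags into the modes described here, and applies the RA Guard rule from the next procedure (RAs on untrusted interfaces are dropped). The header layout and flag bits are taken from RFC 4861, as are the descriptions of the two flag combinations the text does not spell out; the sample RA is constructed.

```python
"""Decode the M/O flags of an ICMPv6 Router Advertisement and apply RA Guard.

Added example, not Edgecore code. RA fixed header per RFC 4861: type (134),
code, checksum, current hop limit, flags byte (M = 0x80, O = 0x40), router
lifetime, reachable time, retrans timer. The (1,1) and (0,1) descriptions are
from the text above; (1,0) and (0,0) follow RFC 4861, which says O is implied
when M is set.
"""
import struct

ICMPV6_RA = 134
FLAG_M = 0x80                 # Managed address configuration
FLAG_O = 0x40                 # Other configuration
RA_HEADER = "!BBHBBHII"       # type, code, checksum, hop limit, flags, lifetime, reachable, retrans

MODES = {
    (1, 1): "stateful: DHCPv6 assigns the address and other configuration settings",
    (0, 1): "stateless: address from SLAAC, DHCPv6 for other configuration settings only",
    (1, 0): "stateful: DHCPv6 assigns the address (O is implied when M is set)",
    (0, 0): "no DHCPv6: address and settings come from the RA alone",
}


def build_ra(managed: bool, other: bool, router_lifetime: int = 1800, hop_limit: int = 64) -> bytes:
    """Constructed RA header with no options; the checksum is left zero here."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    return struct.pack(RA_HEADER, ICMPV6_RA, 0, 0, hop_limit, flags, router_lifetime, 0, 0)


def parse_ra(pkt: bytes) -> dict:
    """Return the header fields a host acts on; rejects anything that is not an RA."""
    size = struct.calcsize(RA_HEADER)
    if len(pkt) < size:
        raise ValueError("packet shorter than the RA fixed header")
    typ, code, _, hop_limit, flags, lifetime, reachable, retrans = struct.unpack(RA_HEADER, pkt[:size])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"M": (flags & FLAG_M) >> 7, "O": (flags & FLAG_O) >> 6,
            "hop_limit": hop_limit, "router_lifetime": lifetime,
            "reachable_time": reachable, "retrans_timer": retrans}


def dhcpv6_mode(pkt: bytes) -> str:
    """Map the RA's M/O flags to the DHCPv6 behaviour described in the text."""
    ra = parse_ra(pkt)
    return MODES[(ra["M"], ra["O"])]


def ra_guard(pkt: bytes, port_trusted: bool, ra_guard_enabled: bool = True) -> str:
    """'forward' or 'drop' for an RA received on a port under the RA Guard setting."""
    try:
        parse_ra(pkt)
    except ValueError:
        return "drop"                      # malformed RAs never pass
    if ra_guard_enabled and not port_trusted:
        return "drop"                      # untrusted interface: RA is discarded
    return "forward"
```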
message interval, and the amount of time that a remote IPv6 node is considered reachable.
6. Click Apply.
Figure 385: Configuring General Settings for an IPv6 Interface
To configure RA Guard for the switch:
1. Click IP, IPv6 Configuration.
2. Select Configure Interface from the Action list.
3. Select RA Guard mode.
4. Enable RA Guard for untrusted interfaces.
5. Click Apply.
CONFIGURING AN IPV6 ADDRESS
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
CLI REFERENCES
◆ "IPv6 Interface" on page 1432
COMMAND USAGE
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
PARAMETERS
These parameters are displayed:
◆ VLAN – ID of a configured VLAN which is to be used for management access, or for creating an interface to multiple subnets. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
■ Link Local – Configures an IPv6 link-local address.
■ The address prefix must be in the range of FE80~FEBF.
■ You can configure only one link-local address per interface.
■ The specified address replaces a link-local address that was automatically generated for the interface.
◆ IPv6 Address – IPv6 address assigned to this interface.
WEB INTERFACE
To configure an IPv6 address:
1. Click IP, IPv6 Configuration.
2.
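The address rules scattered through this chapter (RFC 2373 form with a single double colon, a link-local prefix in FE80~FEBF, one link-local address per interface with an explicit one replacing the auto-generated one, ff02::X reserved so unusable as an MVR6 group address, and the %zone-id suffix naming a VLAN) can all be checked before an address is typed into the switch. The Python below is an added example, not Edgecore code; the IPv6Interface class, the VLAN range used for zone-ids, and all sample addresses are assumptions or constructed values.

```python
"""Check IPv6 addresses against the rules this chapter states before they are
entered on the switch. Added example, not Edgecore code. ipaddress enforces the
RFC 2373 form (at most one '::'); the remaining rules are coded explicitly.
"""
from ipaddress import AddressValueError, IPv6Address, IPv6Network
from typing import Optional

LINK_LOCAL = IPv6Network("fe80::/10")      # prefix FE80 ~ FEBF
RESERVED_MCAST = IPv6Network("ff02::/16")   # ff02::X is reserved (MVR6 note)
VLAN_RANGE = range(1, 4095)                 # zone-id names a VLAN, 1-4094


def parse_with_zone(text: str) -> tuple[IPv6Address, Optional[int]]:
    """Split 'FE80::7272%1' into (address, zone); zone is None when absent."""
    addr, _, zone = text.partition("%")
    try:
        ip = IPv6Address(addr)
    except AddressValueError as exc:
        raise ValueError(f"{text!r} is not a valid RFC 2373 address: {exc}") from None
    if zone == "":
        return ip, None
    if not zone.isdigit() or int(zone) not in VLAN_RANGE:
        raise ValueError(f"zone-id {zone!r} is not a VLAN ID 1-4094")
    return ip, int(zone)


def is_valid_address(text: str) -> bool:
    """True when the text parses (format and zone-id both acceptable)."""
    try:
        parse_with_zone(text)
        return True
    except ValueError:
        return False


def check_link_local(text: str) -> list[str]:
    """Violations for a manually configured link-local address (empty = OK)."""
    ip, _ = parse_with_zone(text)
    return [] if ip in LINK_LOCAL else [f"{ip} is not in the FE80~FEBF link-local range"]


def check_mvr6_group(text: str) -> list[str]:
    """Violations for an MVR6 group address (empty = OK)."""
    ip, zone = parse_with_zone(text)
    problems = []
    if not ip.is_multicast:
        problems.append(f"{ip} is not a multicast (ff00::/8) address")
    elif ip in RESERVED_MCAST:
        problems.append(f"{ip} is in the reserved ff02::X range")
    if zone is not None:
        problems.append("group addresses take no zone-id")
    return problems


class IPv6Interface:
    """Per-VLAN address state (assumed model): the auto-generated link-local
    address stays until exactly one explicit link-local address replaces it."""

    def __init__(self, vlan: int, auto_link_local: str):
        self.vlan = vlan
        self.link_local = IPv6Address(auto_link_local)
        self.link_local_is_auto = True
        self.global_addresses: list[IPv6Address] = []

    def set_link_local(self, text: str) -> None:
        problems = check_link_local(text)
        if problems:
            raise ValueError("; ".join(problems))
        self.link_local, _ = parse_with_zone(text)   # only one link-local per interface
        self.link_local_is_auto = False

    def add_global(self, text: str) -> None:
        ip, _ = parse_with_zone(text)
        if ip in LINK_LOCAL or ip.is_multicast:
            raise ValueError(f"{ip} is not a global unicast address")
        if ip not in self.global_addresses:
            self.global_addresses.append(ip)
```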
In addition to the unicast addresses assigned to an interface, a node is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
SHOWING THE IPV6 NEIGHBOR CACHE
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
Figure 389: Showing IPv6 Neighbors
SHOWING IPV6 STATISTICS
Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
PARAMETERS
These parameters are displayed:
Table 41: Show IPv6 Statistics - display description
Field – Description
IPv6 Statistics
IPv6 Received Total – The total number of input datagrams received by the interface, including those received in error.
Table 41: Show IPv6 Statistics - display description (Continued)
Field – Description
IPv6 Transmitted
Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 41: Show IPv6 Statistics - display description (Continued)
Field – Description
Group Membership Reduction Messages – The number of ICMPv6 Group Membership Reduction messages received by the interface.
Router Solicit Messages – The number of ICMP Router Solicit messages received by the interface.
Router Advertisement Messages – The number of ICMP Router Advertisement messages received by the interface.
WEB INTERFACE
To show the IPv6 statistics:
1. Click IP, IPv6 Configuration.
2. Select Show Statistics from the Action list.
3. Click IPv6, ICMPv6 or UDP.
Figure 391: Showing IPv6 Statistics (ICMPv6)
Figure 392: Showing IPv6 Statistics (UDP)
SHOWING THE MTU FOR RESPONDING DESTINATIONS
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
17 IP SERVICES
This chapter describes how to configure Domain Name Service (DNS) and a DHCP client identifier for the switch. For information on DHCP snooping which is included in this folder, see "DHCP Snooping" on page 412. This chapter provides information on the following IP services, including:
◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
◆ DHCP Client – Specifies the DHCP client identifier for an interface.
CHAPTER 17 | IP Services Domain Name Service
PARAMETERS
These parameters are displayed:
◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters)
WEB INTERFACE
To configure general settings for DNS:
1. Click IP Service, DNS.
2.
through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers" on page 666).
PARAMETERS
These parameters are displayed:
◆ Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters)
WEB INTERFACE
To create a list of domain names:
1. Click IP Service, DNS.
2.
CONFIGURING A LIST OF NAME SERVERS
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
CLI REFERENCES
◆ "ip name-server" on page 1405
◆ "show dns" on page 1407
COMMAND USAGE
◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see "Configuring General DNS Service Parameters" on page 663).
Figure 398: Showing the List of Name Servers for DNS
CONFIGURING STATIC DNS HOST TO ADDRESS ENTRIES
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Figure 399: Configuring Static Entries in the DNS Table
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
Figure 400: Showing Static Entries in the DNS Table
DISPLAYING THE DNS CACHE
Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
CHAPTER 17 | IP Services Dynamic Host Configuration Protocol
◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias.
◆ IP – The IP address associated with this record.
◆ TTL – The time to live reported by the name server.
◆ Host – The host name associated with this record.
WEB INTERFACE
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.
Table 43: Options 60, 66 and 67 Statements
Option – Statement Keyword – Parameter
60 – vendor-class-identifier – a string indicating the vendor class identifier
66 – tftp-server-name – a string indicating the tftp server name
67 – bootfile-name – a string indicating the bootfile name
By default, DHCP option 66/67 parameters are not carried in a DHCP server reply.
WEB INTERFACE
To configure a DHCP client identifier:
1. Click IP Service, DHCP, Client.
2. Mark the check box to enable this feature. Select the default setting, or the format for a vendor class identifier. If a non-default value is used, enter a text string or hexadecimal value.
3. Click Apply.
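Table 43 names the options but not their wire form, and the Client page above accepts the option 60 value as either text or hex; the Python below is an added example, not Edgecore code, that encodes and decodes options 60, 66 and 67 as DHCP TLVs (RFC 2132 layout) so a server reply can be checked for the TFTP server and bootfile values the text says are absent by default. The function names and all sample values are constructed for this example.

```python
"""Encode and decode the DHCP options listed in Table 43.

Added example, not Edgecore code. Each option is code (1 byte), length (1 byte),
value; the options field ends with code 255 and may contain pad bytes (0).
Sample server-reply values below are constructed.
"""
from typing import Optional

OPT_PAD = 0
OPT_VENDOR_CLASS = 60      # vendor-class-identifier
OPT_TFTP_SERVER = 66       # tftp-server-name
OPT_BOOTFILE = 67          # bootfile-name
OPT_END = 255

NAMES = {OPT_VENDOR_CLASS: "vendor-class-identifier",
         OPT_TFTP_SERVER: "tftp-server-name",
         OPT_BOOTFILE: "bootfile-name"}


def vendor_class_value(value: str, hex_mode: bool = False) -> bytes:
    """Option 60 value as entered on the Client page: a text string or hex digits."""
    raw = bytes.fromhex(value) if hex_mode else value.encode("ascii")
    if not 1 <= len(raw) <= 255:
        raise ValueError("option value must be 1-255 bytes")
    return raw


def encode_options(options: list[tuple[int, bytes]]) -> bytes:
    """Serialise (code, value) pairs as code/length/value TLVs ending in 255."""
    out = bytearray()
    for code, value in options:
        if not 1 <= len(value) <= 255:
            raise ValueError(f"option {code}: length {len(value)} not in 1-255")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> dict[int, bytes]:
    """Parse a DHCP options field. A repeated code is concatenated (RFC 3396);
    a truncated TLV or a missing end option raises instead of being guessed."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field has no end option")


def is_valid_options(blob: bytes) -> bool:
    """True when the options field parses cleanly."""
    try:
        decode_options(blob)
        return True
    except ValueError:
        return False


def boot_parameters(reply_options: bytes) -> dict[str, Optional[str]]:
    """Report which Table 43 statements a server reply carries. A default
    server sends neither 66 nor 67, so those come back as None."""
    opts = decode_options(reply_options)
    return {name: (opts[code].decode("ascii", errors="replace") if code in opts else None)
            for code, name in NAMES.items()}
```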
CHAPTER 17 | IP Services Configuring the PPPoE Intermediate Agent
PARAMETERS
These parameters are displayed:
◆ VLAN ID – ID of configured VLAN.
◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference.
◆ Restart DHCP Relay – Use this button to re-initialize DHCP relay service.
WEB INTERFACE
To configure DHCP relay service:
1. Click IP Service, DHCP, Relay.
2.
COMMAND USAGE
When PPPoE IA is enabled, the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS). The switch extracts access-loop information from the client’s PPPoE Active Discovery Request, and forwards this information to all trusted ports (designated on the Configure Interface page).
Figure 405: Configuring Global Settings for PPPoE Intermediate Agent
CONFIGURING PPPOE IA INTERFACE SETTINGS
Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.
CLI REFERENCES
◆ "PPPoE Intermediate Agent" on page 880
PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk selection.
◆ Circuit ID – String identifying the circuit identifier (or interface) on this switch to which the user is connected. (Range: 1-10 ASCII characters; Default: Unit/Port:VLAN-ID, or 0/Trunk-ID:VLAN-ID)
■ The PPPoE server extracts the Line-ID tag from PPPoE discovery stage messages, and uses the Circuit-ID field of that tag as a NAS-Port-ID attribute in AAA access and accounting requests.
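The Line-ID tag the IA inserts, and the BRAS later reads for its NAS-Port-ID, is a PPPoE vendor-specific tag carrying Circuit-ID and Remote-ID sub-options; the Python below is an added example, not Edgecore code, that builds a client PADI, shows the IA replacing any client-supplied Line-ID tag with the switch's own (the Circuit-ID in the page's default Unit/Port:VLAN-ID form), and shows the BRAS-side extraction. The discovery packet layout comes from RFC 2516 and the tag type 0x0105, ADSL Forum vendor ID 0x00000DE9 and sub-option numbers 0x01/0x02 from RFC 4679 / BBF TR-101, not from this page; the strip-then-insert behaviour on client ports and all sample values are assumptions constructed for the example.

```python
"""PPPoE Intermediate Agent Line-ID tag: build, insert, and extract.

Added example, not Edgecore code. Wire formats from RFC 2516 (PPPoE discovery)
and RFC 4679 / BBF TR-101 (vendor-specific "Line-ID" tag). The Circuit-ID
length limit of 1-10 ASCII characters follows the Range given in the text.
"""
import struct

PPPOE_VER_TYPE = 0x11          # version 1, type 1
CODE_PADI = 0x09               # client discovery initiation
CODE_PADO = 0x07               # server offer
CODE_PADR = 0x19               # client discovery request
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
ADSL_FORUM_VENDOR_ID = 0x00000DE9
SUB_CIRCUIT_ID = 0x01
SUB_REMOTE_ID = 0x02


def parse_discovery(pkt: bytes):
    """Return (code, session_id, [(tag_type, value), ...]) for a discovery packet."""
    if len(pkt) < 6 or pkt[0] != PPPOE_VER_TYPE:
        raise ValueError("not a PPPoE version 1 / type 1 discovery packet")
    code, session, length = struct.unpack("!BHH", pkt[1:6])
    body = pkt[6:6 + length]
    if len(body) != length:
        raise ValueError("payload length field exceeds packet")
    tags, i = [], 0
    while i + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[i:i + 4])
        if ttype == 0x0000:                      # End-Of-List tag
            break
        value = body[i + 4:i + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated tag")
        tags.append((ttype, value))
        i += 4 + tlen
    return code, session, tags


def build_discovery(code: int, session: int, tags) -> bytes:
    """Serialise a discovery packet from (tag_type, value) pairs."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session, len(body)) + body


def build_line_id_tag(circuit_id: str, remote_id: str) -> bytes:
    """Vendor-specific tag value: vendor ID, then Circuit-ID and Remote-ID sub-options."""
    if not 1 <= len(circuit_id) <= 10 or not circuit_id.isascii():
        raise ValueError("circuit ID must be 1-10 ASCII characters")
    body = struct.pack("!I", ADSL_FORUM_VENDOR_ID)
    for sub, text in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        raw = text.encode("ascii")
        body += bytes((sub, len(raw))) + raw
    return body


def insert_ia_tag(pkt: bytes, circuit_id: str, remote_id: str, strip_client_tags: bool = True) -> bytes:
    """IA behaviour on a client (untrusted) port, as assumed here: discard any
    vendor-specific tag the client supplied, so the access loop cannot be
    forged, then append the switch's own Line-ID tag. Server-side messages
    (PADO and so on) pass through unchanged."""
    code, session, tags = parse_discovery(pkt)
    if code not in (CODE_PADI, CODE_PADR):
        return pkt
    if strip_client_tags:
        tags = [(t, v) for t, v in tags if t != TAG_VENDOR_SPECIFIC]
    tags.append((TAG_VENDOR_SPECIFIC, build_line_id_tag(circuit_id, remote_id)))
    return build_discovery(code, session, tags)


def extract_line_id(pkt: bytes) -> dict:
    """BRAS side: read Circuit-ID / Remote-ID from the Line-ID tag (the
    Circuit-ID is what becomes the NAS-Port-ID attribute in AAA requests)."""
    _, _, tags = parse_discovery(pkt)
    result = {}
    for ttype, value in tags:
        if ttype != TAG_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ADSL_FORUM_VENDOR_ID:
            continue                              # some other vendor's tag
        i = 4
        while i + 2 <= len(value):
            sub, slen = value[i], value[i + 1]
            text = value[i + 2:i + 2 + slen].decode("ascii", errors="replace")
            if sub == SUB_CIRCUIT_ID:
                result["circuit_id"] = text
            elif sub == SUB_REMOTE_ID:
                result["remote_id"] = text
            i += 2 + slen
    return result
```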
Figure 406: Configuring Interface Settings for PPPoE Intermediate Agent
SHOWING PPPOE IA STATISTICS
Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages.
CLI REFERENCES
◆ "show pppoe intermediate-agent statistics" on page 886
◆ "clear pppoe intermediate-agent statistics" on page 885
PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk selection.
WEB INTERFACE
To show statistics for PPPoE IA protocol messages:
1. Click IP Service, PPPoE Intermediate Agent.
2. Select Show Statistics from the Step list.
3. Select Port or Trunk interface type.
18 GENERAL IP ROUTING
This chapter provides information on network functions including:
◆ Ping – Sends ping message to another node on the network.
◆ Trace Route – Sends ICMP echo request packets to another node on the network.
◆ Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses. Also shows how to display dynamic entries in the ARP cache.
◆ Static Routes – Configures static routes to other network segments.
CHAPTER 18 | General IP Routing IP Routing and Switching
Figure 408: Virtual Interfaces and Layer 3 Routing (diagram: inter-subnet traffic between the VLAN 1 and VLAN 2 interfaces is routed, i.e. Layer 3 switched; intra-subnet traffic is Layer 2 switched; ports may be tagged or untagged)
IP ROUTING AND SWITCHING
IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
CHAPTER 18 | General IP Routing Configuring IP Routing Interfaces
ROUTING PROTOCOLS
The switch supports both static and dynamic routing.
◆ Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
◆ Dynamic routing uses a routing protocol to exchange routing information, calculate routing tables, and respond to changes in the status or loading of the network.
entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets. To configure a default gateway for IPv4, use the static routing table as described on page 691, enter 0.0.0.0 for the IP address and subnet mask, and then specify this switch itself or another router as the gateway.
address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.
WEB INTERFACE
To ping another device on the network:
1. Click IP, General, Ping.
2. Specify the target device and ping parameters.
3. Click Apply.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The trace route function first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message.
CHAPTER 18 | General IP Routing Address Resolution Protocol
ADDRESS RESOLUTION PROTOCOL
The router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP frame is received by this router (or any standards-based router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
sending its own MAC address to the requesting node. That node then sends traffic to the router, which in turn uses its own routing table to forward the traffic to the remote destination.
CONFIGURING STATIC ARP ADDRESSES
For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address. If this occurs, use the IP > ARP (Configure Static Address – Add) page to manually map an IP address to the corresponding physical address in the ARP cache.
Figure 413: Configuring Static ARP Entries
To display static entries in the ARP cache:
1. Click IP, ARP.
2. Select Configure Static Address from the Step List.
3. Select Show from the Action List.
Figure 414: Displaying Static ARP Entries
DISPLAYING DYNAMIC OR LOCAL ARP ENTRIES
Use the IP > ARP (Show Information) page to display dynamic or local entries in the ARP cache.
Figure 415: Displaying Dynamic ARP Entries
To display all local entries in the ARP cache:
1. Click IP, ARP.
2. Select Show Information from the Step List.
3. Click Other Address.
Figure 416: Displaying Local ARP Entries
DISPLAYING ARP STATISTICS
Use the IP > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this router.
CHAPTER 18 | General IP Routing Configuring Static Routes WEB INTERFACE To display ARP statistics: 1. Click IP, ARP. 2. Select Show Information from the Step List. 3. Click Statistics. Figure 417: Displaying ARP Statistics CONFIGURING STATIC ROUTES This router can configure routes to other network segments by manually entering static routes in the routing table using the IP > Routing > Static Routes (Add) page. Static routes can be set to force the use of a specific route to a subnet.
CHAPTER 18 | General IP Routing Configuring Static Routes PARAMETERS These parameters are displayed: ◆ Destination IP Address – IP address of the destination network, subnetwork, or host. ◆ Netmask – Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets. ◆ Next Hop – IP address of the next router hop used for this route.
CHAPTER 18 | General IP Routing Displaying the Routing Table Figure 419: Displaying Static Routes DISPLAYING THE ROUTING TABLE Use the IP > Routing > Routing Table page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
CHAPTER 18 | General IP Routing Displaying the Routing Table PARAMETERS These parameters are displayed: ◆ VLAN – VLAN identifier (i.e., configured as a valid IP subnet). ◆ Destination IP Address – IP address of the destination network, subnetwork, or host. Note that the address 0.0.0.0 indicates the default gateway for this router. ◆ Net Mask – Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
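The forwarding decision this chapter describes (longest-prefix route lookup, with destination 0.0.0.0 mask 0.0.0.0 as the default gateway, followed by ARP resolution of the next hop, where operator-configured static ARP entries take precedence over dynamic ones) can be modelled in software. The example below is added here and is not code from the Edgecore guide or the switch; the routing table, MAC addresses and the ARP ageing time are constructed sample values. It also shows why static ARP entries matter for hosts you do not want spoofed: a dynamic reply that contradicts a static entry is refused instead of overwriting it.

```python
"""Route lookup followed by ARP resolution, as described in this chapter.

Added example, not code from the Edgecore guide or the switch itself. The
route with the longest matching netmask wins (destination 0.0.0.0 with mask
0.0.0.0 is the default gateway); the next hop is then mapped to a MAC
address through an ARP cache in which static entries override dynamic ones
and never age out. Addresses, MACs and ARP_TIMEOUT are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ARP_TIMEOUT = 1200  # seconds a dynamic entry stays valid (assumed value)


@dataclass
class Route:
    destination: str          # network address, e.g. "10.1.0.0"
    netmask: str              # e.g. "255.255.255.0"
    next_hop: Optional[str]   # next router; None for a directly connected subnet

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.netmask}")


def lookup_route(table, dst):
    """Longest-prefix match: the most specific route that contains dst."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


@dataclass
class ArpCache:
    static: dict = field(default_factory=dict)   # ip -> mac, configured by hand
    dynamic: dict = field(default_factory=dict)  # ip -> (mac, time learned)

    def add_static(self, ip, mac):
        self.static[ip] = mac.lower()

    def learn(self, ip, mac, now):
        """Process an ARP reply. A reply that contradicts a static entry is
        rejected rather than allowed to overwrite the trusted mapping."""
        mac = mac.lower()
        if ip in self.static and self.static[ip] != mac:
            return False
        self.dynamic[ip] = (mac, now)
        return True

    def resolve(self, ip, now):
        """Static entries first; dynamic entries only while unexpired."""
        if ip in self.static:
            return self.static[ip]
        entry = self.dynamic.get(ip)
        if entry is not None and now - entry[1] < ARP_TIMEOUT:
            return entry[0]
        return None


def forward(table, cache, dst, now):
    """Return (status, next_hop, mac) for a packet addressed to dst."""
    route = lookup_route(table, dst)
    if route is None:
        return ("no-route", None, None)
    next_hop = route.next_hop or dst            # connected subnet: ARP for dst itself
    mac = cache.resolve(next_hop, now)
    if mac is None:
        return ("unresolved", next_hop, None)   # the frame would be dropped
    return ("ok", next_hop, mac)


def sample_setup():
    """Constructed routing table and ARP cache used by the demo."""
    table = [
        Route("0.0.0.0", "0.0.0.0", "10.1.0.254"),        # default gateway
        Route("10.1.0.0", "255.255.255.0", None),         # connected subnet
        Route("192.168.5.0", "255.255.255.0", "10.1.0.1"),
    ]
    cache = ArpCache()
    cache.add_static("10.1.0.254", "00:11:22:33:44:55")   # gateway pinned by hand
    cache.learn("10.1.0.1", "AA:BB:CC:DD:EE:01", now=0)   # learned dynamically
    return table, cache


if __name__ == "__main__":
    table, cache = sample_setup()
    for dst, now in [("192.168.5.7", 10), ("8.8.8.8", 10), ("10.1.0.9", 10), ("192.168.5.7", 2000)]:
        print(dst, now, forward(table, cache, dst, now))
    print("spoofed reply accepted:", cache.learn("10.1.0.254", "de:ad:be:ef:00:00", 10))
```

Run it and the fourth lookup shows the dynamic entry for 10.1.0.1 expiring, which is exactly the "does not respond in a timely manner" case the static-ARP page exists for; the last line shows a forged reply for the gateway being refused because its mapping is static.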
SECTION III COMMAND LINE INTERFACE This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
SECTION III | Command Line Interface ◆ "Spanning Tree Commands" on page 1091 ◆ "ERPS Commands" on page 1119 ◆ "VLAN Commands" on page 1149 ◆ "Class of Service Commands" on page 1195 ◆ "Quality of Service Commands" on page 1207 ◆ "Multicast Filtering Commands" on page 1225 ◆ "LLDP Commands" on page 1323 ◆ "CFM Commands" on page 1347 ◆ "OAM Commands" on page 1389 ◆ "Domain Name Service Commands" on page 1401 ◆ "DHCP Commands" on page 1411 ◆ "IP Interface Commands" on page 1421 ◆ "IP
19 USING THE COMMAND LINE INTERFACE This chapter describes how to use the Command Line Interface (CLI). ACCESSING THE CLI When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet or Secure Shell (SSH) connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
CHAPTER 19 | Using the Command Line Interface Accessing the CLI TELNET CONNECTION Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
CHAPTER 19 | Using the Command Line Interface Entering Commands NOTE: You can open up to eight sessions to the device via Telnet or SSH. ENTERING COMMANDS This section describes how to enter CLI commands. KEYWORDS AND ARGUMENTS A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
GETTING HELP ON COMMANDS You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. SHOWING COMMANDS If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
port-channel    Port channel information
power           Shows power
power-save      Shows the power saving information
pppoe           Displays PPPoE configuration
privilege       Shows current priv
Further keywords in this listing: process, protocol-vlan, public-key, qos, queue, radius-server, reload, rmon, rspan, running-config, snmp, snmp-server, sntp, spanning-tree, ssh, startup-config, subnet-vlan, system, tacacs-server, tech-support, time-range, traffic-segmentation, udld, upgrade, users, version, vlan, voice, watchdog, web-auth.
PARTIAL KEYWORD LOOKUP If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s”.
CHAPTER 19 | Using the Command Line Interface Entering Commands EXEC COMMANDS When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode).
CHAPTER 19 | Using the Command Line Interface Entering Commands ◆ Class Map Configuration - Creates a DiffServ class map for a specified traffic type. ◆ ERPS Configuration – These commands configure Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks. ◆ IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode.
Table 48: Configuration Command Modes (Continued)
Mode         Command                                                  Prompt                        Page
Interface    interface {ethernet port | port-channel id | vlan id}    Console(config-if)            996
Line         line {console | vty}                                     Console(config-line)          749
MSTP         spanning-tree mst-configuration                          Console(config-mstp)          1098
Policy Map   policy-map                                               Console(config-pmap)          1211
Time Range   time-range                                               Console(config-time-range)    783
VLAN         vlan database                                            Console(config-vlan)          1155
CHAPTER 19 | Using the Command Line Interface CLI Command Groups Table 49: Keystroke Commands (Continued) Keystroke Function Esc-F Moves the cursor forward one word. Delete key or backspace key Erases a mistake when entering a command. OUTPUT MODIFIERS Some of the show commands include options for output modifiers.
CHAPTER 19 | Using the Command Line Interface CLI Command Groups Table 50: Command Group Index (Continued) Command Group Description Page General Security Measures Segregates traffic for clients attached to common data ports; and prevents unauthorized access by configuring valid static or dynamic addresses, web authentication, MAC address authentication, filtering DHCP requests and replies, and discarding invalid ARP responses 889 Access Control List Provides filtering for IPv4 frames (based on add
CHAPTER 19 | Using the Command Line Interface CLI Command Groups Table 50: Command Group Index (Continued) Command Group Description Page IP Interface Configures IP address for the switch interfaces; also configures ARP parameters and static entries 1421 IP Routing Configures static unicast routing 1467 Debug Displays debugging information for all key functions These commands are not described in this manual. Please refer to the prompt messages included in the CLI interface.
20 GENERAL COMMANDS The general commands are used to control the command access mode, configuration mode, and other basic functions.
CHAPTER 20 | General Commands COMMAND USAGE This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt. EXAMPLE Console(config)#prompt RD2 RD2(config)# reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval.
CHAPTER 20 | General Commands COMMAND MODE Global Configuration COMMAND USAGE ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See "copy" on page 738).
CHAPTER 20 | General Commands EXAMPLE Console>enable Password: [privileged level password] Console# RELATED COMMANDS disable (714) enable password (824) quit This command exits the configuration program. DEFAULT SETTING None COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE The quit and exit commands can both exit the configuration program.
CHAPTER 20 | General Commands EXAMPLE In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the confi
CHAPTER 20 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes" on page 702. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
CHAPTER 20 | General Commands show reload This command displays the current reload settings, and the time at which next scheduled reload will take place. COMMAND MODE Privileged Exec EXAMPLE Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001. Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds. Console# end This command returns to Privileged Exec mode.
EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:
21 SYSTEM MANAGEMENT COMMANDS The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
CHAPTER 21 | System Management Commands Banner Information hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. SYNTAX hostname name no hostname name - The name of this host.
Table 54: Banner Commands (Continued)
Command                          Function                                                                              Mode
banner configure manager-info    Configures the Manager contact information that is displayed by banner                GC
banner configure mux             Configures the MUX information that is displayed by banner                            GC
banner configure note            Configures miscellaneous information that is displayed by banner under the Notes heading   GC
show banner                      Displays all banner information                                                       NE, PE
banner configure This co
CHAPTER 21 | System Management Commands Banner Information Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply. Floor: 2 Row: 7 Rack: 25 Electrical circuit: : ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.1 Note: This is a random note about this managed switch and can contain miscellaneous information. Console(config)# banner configure This command is used to configure company information displayed in the company banner.
banner configure dc-power-info This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. SYNTAX banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id no banner configure dc-power-info [floor | row | rack | electrical-circuit] floor-id - The floor number. row-id - The row number. rack-id - The rack number. ec-id - The electrical circuit ID.
CHAPTER 21 | System Management Commands Banner Information COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
EXAMPLE Console(config)#banner configure equipment-info manufacturer-id ECS4110-52T floor 3 row 10 rack 15 shelf-rack 12 manufacturer EdgeCore Console(config)# banner configure equipment-location This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
CHAPTER 21 | System Management Commands Banner Information COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. EXAMPLE Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. SYNTAX banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] no banner configure manager-info [name1 | name2 | name3] mgr1-name - The name of the first manager.
CHAPTER 21 | System Management Commands Banner Information DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
CHAPTER 21 | System Management Commands System Status show banner This command displays all banner information. COMMAND MODE Normal Exec, Privileged Exec EXAMPLE Console#show banner EdgeCore WARNING - MONITORED ACTIONS AND ACCESSES R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis EdgeCore - ECS4110-52T Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.
Table 55: System Status Commands (Continued)
Command             Function                                                                                               Mode
show watchdog       Shows if watchdog debugging is enabled                                                                 PE
watchdog software   Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly   PE
show access-list tcam-utilization This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of
CHAPTER 21 | System Management Commands System Status Alarm Configuration Rising Threshold Falling Threshold : 95% : 90% Console# RELATED COMMANDS memory (813) show process cpu This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
CHAPTER 21 | System Management Commands System Status COMMAND MODE Privileged Exec COMMAND USAGE ◆ Use the interface keyword to display configuration data for the specified interface. ◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory. ◆ This command displays settings for key command modes.
CHAPTER 21 | System Management Commands System Status queue mode strict-wrr 0 0 0 1 queue weight 1 2 4 0 ! line console ! line vty ! end ! Console# RELATED COMMANDS show startup-config (731) show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system.
CHAPTER 21 | System Management Commands System Status show system This command displays system information. DEFAULT SETTING None COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE ◆ For a description of the items shown by this command, refer to "Displaying System Information" on page 123. ◆ The ECS4110-28T/P has two fans and ECS4110-52T/P has three. ◆ The ECS4110-28T/P does not monitor system temperature.
CHAPTER 21 | System Management Commands System Status EXAMPLE Console#show tech-support show system: System Description : ECS4110-52T Managed GE Switch System OID String : 1.3.6.1.4.1.259.10.1.39.101 System Information System Up Time : 0 days, 1 hours, 28 minutes, and 51.
CHAPTER 21 | System Management Commands System Status show version This command displays hardware and software version information for the system. COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE See "Displaying Hardware/Software Versions" on page 125 for detailed information on the items displayed by this command.
CHAPTER 21 | System Management Commands Frame Size watchdog software This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly. SYNTAX watchdog software {disable | enable} DEFAULT SETTING Disabled COMMAND MODE Privileged Exec EXAMPLE Console#watchdog software enable Console# FRAME SIZE This section describes commands used to configure the Ethernet frame size on the switch.
CHAPTER 21 | System Management Commands File Management ◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
CHAPTER 21 | System Management Commands File Management Table 57: Flash/File Commands (Continued) Command Function Mode whichboot Displays the files booted PE Automatic Code Upgrade Commands upgrade opcode auto Automatically upgrades the current image when a new version is detected on the indicated server GC upgrade opcode path Specifies an FTP/TFTP server and directory in which the new opcode is stored GC upgrade opcode reload Reloads the switch automatically after the opcode upgrade is compl
CHAPTER 21 | System Management Commands File Management RELATED COMMANDS dir (742) whichboot (743) copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
CHAPTER 21 | System Management Commands File Management ◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination. ◆ To replace the startup configuration, you must use startup-config as the destination. ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
CHAPTER 21 | System Management Commands File Management The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish. Success. Console# The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.
CHAPTER 21 | System Management Commands File Management This example shows how to copy a file to an FTP server. Console#copy ftp file FTP server IP address: 169.254.1.11 User[anonymous]: admin Password[]: ***** Choose file type: 1. config: 2. opcode: 2 Source file name: BLANC.BIX Destination file name: BLANC.BIX Console# delete This command deletes a file or image. SYNTAX delete file name filename filename - Name of configuration file or code image.
CHAPTER 21 | System Management Commands File Management dir This command displays a list of files in flash memory. SYNTAX dir {boot-rom: | config: | opcode:} [filename]} boot-rom - Boot ROM (or diagnostic) image file. config - Switch configuration file. opcode - Run-time operation code image file. filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
CHAPTER 21 | System Management Commands File Management whichboot This command displays which files were booted when the system powered up. SYNTAX whichboot DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
CHAPTER 21 | System Management Commands File Management stored on the TFTP server must be ecs4110-series.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version. 2. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful. 3.
CHAPTER 21 | System Management Commands File Management COMMAND MODE Global Configuration COMMAND USAGE ◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command. ◆ The name for the new image stored on the TFTP server must be ecs4110-series.bix. However, note that file name is not to be included in this command.
EXAMPLE This example configures the switch to reload automatically after an opcode upgrade completes. Console(config)#upgrade opcode reload Console(config)# show upgrade This command shows the opcode upgrade configuration settings. COMMAND MODE Privileged Exec EXAMPLE Console#show upgrade Auto Image Upgrade Global Settings: Status : Disabled Reload Status : Disabled Path : File Name : ecs4110-series.
ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting. SYNTAX ip tftp timeout seconds no ip tftp timeout seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
CHAPTER 21 | System Management Commands Line LINE You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
CHAPTER 21 | System Management Commands Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. SYNTAX line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). DEFAULT SETTING There is no default line. COMMAND MODE Global Configuration COMMAND USAGE Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
CHAPTER 21 | System Management Commands Line COMMAND USAGE The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
CHAPTER 21 | System Management Commands Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. SYNTAX login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
CHAPTER 21 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. SYNTAX parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity DEFAULT SETTING No parity COMMAND MODE Line Configuration COMMAND USAGE Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
CHAPTER 21 | System Management Commands Line COMMAND USAGE ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
CHAPTER 21 | System Management Commands Line EXAMPLE To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# RELATED COMMANDS silent-time (754) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
CHAPTER 21 | System Management Commands Line DEFAULT SETTING 115200 bps COMMAND MODE Line Configuration COMMAND USAGE Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported.
timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. SYNTAX timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
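The login, password-thresh, silent-time and timeout login response commands together define how a management line resists password guessing: a bounded number of failures per connection, a period during which the line refuses connections once that bound is exceeded, and a limit on how long an unanswered prompt may hold the line. The state machine below is an added example, not the switch's own code; the threshold, silent time and timeout are parameters, and the user database and attempt sequences are constructed for illustration. Compare the two scenarios: with silent-time set, a guesser is held off the line for the whole silent period; with it left at its default (disabled), the line only disconnects and can be reconnected at once.

```python
"""Password-threshold and silent-time handling for a management line.

Added example, not the switch's own code: applies the behaviour described
for login, password-thresh, silent-time and timeout login response to one
line (console or vty). Threshold, silent time and login timeout are
parameters; user names, passwords and attempt timings are constructed.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class LineConfig:
    password_thresh: int = 3   # failed attempts before the line is disconnected
    silent_time: int = 0       # seconds the line then refuses connections; 0 = off
    login_timeout: int = 300   # seconds allowed to complete the login prompt


class Line:
    def __init__(self, cfg: LineConfig, users: dict):
        self.cfg = cfg
        self.users = users               # username -> password (constructed data)
        self.failures = 0
        self.silent_until = 0.0          # time at which the silent period ends
        self.session_started: Optional[float] = None

    def connect(self, now):
        """A new connection on the line: refused while the line is silent."""
        if now < self.silent_until:
            return "line-silent"
        self.session_started = now
        return "prompt"

    def login(self, user, password, now):
        if now < self.silent_until:
            return "line-silent"
        if self.session_started is None:
            return "no-session"
        if now - self.session_started > self.cfg.login_timeout:
            self.session_started = None          # prompt abandoned, line idle again
            return "login-timeout"
        expected = self.users.get(user, "")
        # compare_digest keeps the comparison time independent of where the
        # candidate password first differs from the stored one
        if user in self.users and hmac.compare_digest(expected, password):
            self.failures = 0
            return "authenticated"
        self.failures += 1
        if self.failures >= self.cfg.password_thresh:
            # threshold reached: drop the connection and, if configured,
            # keep the line closed for silent_time seconds
            self.failures = 0
            self.session_started = None
            if self.cfg.silent_time > 0:
                self.silent_until = now + self.cfg.silent_time
            return "disconnected"
        return "bad-password"


def brute_force_scenario():
    """Constructed run: three wrong passwords, a retry inside the silent
    period, then a successful login after it. Returns the result sequence."""
    line = Line(LineConfig(password_thresh=3, silent_time=60), {"admin": "s3cret"})
    results = [line.connect(0)]
    for t, guess in [(1, "admin"), (2, "password"), (3, "123456")]:
        results.append(line.login("admin", guess, t))
    results.append(line.connect(10))            # inside the 60 s silent period
    results.append(line.connect(70))            # silent period over
    results.append(line.login("admin", "s3cret", 71))
    return results


def idle_prompt_scenario():
    """Constructed run: a prompt left open longer than timeout login response."""
    line = Line(LineConfig(login_timeout=120), {"admin": "s3cret"})
    line.connect(100)
    return line.login("admin", "s3cret", 300)


if __name__ == "__main__":
    print(brute_force_scenario())
    print(idle_prompt_scenario())
```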
CHAPTER 21 | System Management Commands Line EXAMPLE Console#disconnect 1 Console# RELATED COMMANDS show ssh (862) show users (733) terminal This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting.
CHAPTER 21 | System Management Commands Line EXAMPLE This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 Console# show line This command displays the terminal line’s parameters. SYNTAX show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet).
CHAPTER 21 | System Management Commands Event Logging EVENT LOGGING This section describes commands used to configure event logging on the switch.
CHAPTER 21 | System Management Commands Event Logging logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. SYNTAX logging history {flash | ram} level no logging history {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). level - One of the levels listed below.
CHAPTER 21 | System Management Commands Event Logging logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. SYNTAX logging host host-ip-address [port udp-port] no logging host host-ip-address host-ip-address - The IPv4 or IPv6 address of a syslog server. udp-port - The UDP port number used by the remote server.
CHAPTER 21 | System Management Commands Event Logging EXAMPLE Console(config)#logging on Console(config)# RELATED COMMANDS logging history (760) logging trap (762) clear log (763) logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
CHAPTER 21 | System Management Commands Event Logging clear log This command clears messages from the log buffer. SYNTAX clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). DEFAULT SETTING Flash and RAM COMMAND MODE Privileged Exec EXAMPLE Console#clear log Console# RELATED COMMANDS show log (763) show log This command displays the log messages stored in local memory.
CHAPTER 21 | System Management Commands Event Logging EXAMPLE The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.
CHAPTER 21 | System Management Commands Event Logging Table 62: show logging flash/ram - display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command. History logging in FLASH The message level(s) reported based on the logging history command. History logging in RAM The message level(s) reported based on the logging history command. The following example displays settings for the trap function.
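The show log output, the level argument of logging history and logging trap, and the logging host command describe one pipeline: an event record with a severity from 0 (most severe) to 7, a filter that keeps levels 0 through the configured level, and a UDP syslog datagram to a collector. The example below is added here and is not code from the guide or the switch: it parses entries in the format show log ram prints, applies the level filter, and builds the datagram. The log lines are constructed samples in that format (the message texts and severities are made up to exercise the filter); the syslog facility local7 (23) and the hostname are assumptions, not values read from the switch.

```python
"""Parsing show log output and applying a severity threshold.

Added example, not code from the guide or the switch. SAMPLE_LOG holds
constructed entries in the format shown for show log ram; facility 23
(local7) and the hostname are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = """\
[3] 00:05:12 2001-01-01 "Login failed on VTY 0." level: 3, module: 6, function: 2, and event no.: 7
[2] 00:03:01 2001-01-01 "VLAN 1 link-down notification." level: 6, module: 5, function: 1, and event no.: 2
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
"""

ENTRY_RE = re.compile(
    r'\[(?P<index>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<text>[^"]*)"\s+level:\s*(?P<level>[0-7]),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)'
)

SEVERITY = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
            4: "warning", 5: "notice", 6: "info", 7: "debug"}


@dataclass
class LogEntry:
    index: int
    timestamp: datetime
    text: str
    level: int
    module: int
    function: int
    event: int


def parse_log(text):
    """Turn show log lines into LogEntry records; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue
        entries.append(LogEntry(
            index=int(m["index"]),
            timestamp=datetime.strptime(f'{m["date"]} {m["time"]}', "%Y-%m-%d %H:%M:%S"),
            text=m["text"], level=int(m["level"]), module=int(m["module"]),
            function=int(m["function"]), event=int(m["event"])))
    return entries


def select_level(entries, level):
    """Entries kept for 'logging history ... <level>' or sent for
    'logging trap <level>': severities 0 through level."""
    return [e for e in entries if e.level <= level]


def syslog_datagram(entry, facility=23, hostname="switch"):
    """RFC 3164 style payload: <PRI>Mmm dd hh:mm:ss host text, PRI = facility*8 + severity."""
    pri = facility * 8 + entry.level
    ts = entry.timestamp
    stamp = ts.strftime("%b") + f" {ts.day:2d} " + ts.strftime("%H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {entry.text}".encode("ascii")


def send_to_host(datagrams, host, port=514):
    """Deliver datagrams the way 'logging host <ip> port <udp-port>' would.
    Not called by the demo; plain UDP syslog is neither authenticated nor encrypted."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, (host, port))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in select_level(entries, 3):            # what 'logging trap 3' would forward
        print(SEVERITY[e.level], syslog_datagram(e))
```

The filter direction is the point to check when tuning a collector: a lower number is more severe, so logging trap 3 forwards emergencies through errors and drops the informational link-state messages that make up most of the buffer.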
CHAPTER 21 | System Management Commands SMTP Alerts SMTP ALERTS These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
COMMAND MODE Global Configuration COMMAND USAGE ◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. ◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
EXAMPLE This example will send email alerts for system errors from level 3 through 0. Console(config)#logging sendmail level 3 Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient. SYNTAX [no] logging sendmail destination-email email-address email-address - The email address of a recipient of alert messages.
COMMAND USAGE You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. EXAMPLE Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. COMMAND MODE Normal Exec, Privileged Exec EXAMPLE Console#show logging sendmail SMTP servers ----------------------------------------------192.
CHAPTER 21 | System Management Commands Time
Table 65: Time Commands (Continued)
Command: Function (Mode)
NTP Commands
ntp authenticate: Enables authentication for NTP traffic (GC)
ntp authentication-key: Configures authentication keys (GC)
ntp client: Enables the NTP client for time updates from specified servers (GC)
ntp server: Specifies NTP servers to poll for time updates (GC)
show ntp: Shows current NTP configuration settings (NE, PE)
Manual Configuration Commands
clock summer-time (date): Configur
CHAPTER 21 | System Management Commands Time EXAMPLE Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current Time: Dec 23 02:52:44 2002 Poll Interval: 60 Current Mode: unicast SNTP Status : Enabled SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0 Current Server: 137.92.140.
CHAPTER 21 | System Management Commands Time sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use the no form to clear all time servers from the current list, or to clear a specific server. SYNTAX sntp server [ip1 [ip2 [ip3]]] no sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP).
CHAPTER 21 | System Management Commands Time EXAMPLE Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0 Current Server : 137.92.140.80 Console# NTP Commands ntp authenticate This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
CHAPTER 21 | System Management Commands Time ntp authentication-key This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list. SYNTAX ntp authentication-key number md5 key no ntp authentication-key [number] number - The NTP authentication key ID number. (Range: 1-65535) md5 - Specifies that authentication is provided by using the message digest algorithm 5.
CHAPTER 21 | System Management Commands Time DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE ◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command. ◆ The time acquired from time servers is used to record accurate dates and times for log events. Without NTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
CHAPTER 21 | System Management Commands Time requests based on the interval set with the ntp poll command. The client polls all of the configured time servers; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch. ◆ You can configure up to 50 NTP servers on the switch. Re-enter this command for each server you want to configure. ◆ NTP authentication is optional.
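The following is an added example, not code from the switch or from this guide, showing what ntp authenticate and ntp authentication-key turn on: the symmetric-key MD5 authenticator of RFC 5905, a 4-byte key ID and a 16-byte MD5 digest of (key || packet) appended to the 48-byte NTP header. The key table (key ID 1) and the transmit timestamp are constructed values.

```python
"""Added example (not from the switch guide): the symmetric-key MD5 authenticator
that "ntp authenticate" plus "ntp authentication-key <id> md5 <key>" enable.
Format per RFC 5905: 48-byte NTP header, then a 4-byte key ID and the 16-byte
MD5 digest of (key || header).  The key table and timestamps are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16               # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# Constructed key table, equivalent to: ntp authentication-key 1 md5 sw1tch-ntp-k3y
KEYS: Dict[int, bytes] = {1: b"sw1tch-ntp-k3y"}


def build_client_request(key_id: int, keys: Dict[int, bytes],
                         txtime: Optional[float] = None) -> bytes:
    """Return an authenticated NTPv4 client request (mode 3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                 # LI=0, version 4, mode client
    header = struct.pack("!BBBb", li_vn_mode, 0, 4, -6)  # stratum, poll, precision
    header += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    header += b"\x00" * 4                                # reference ID
    header += b"\x00" * 24                               # reference, origin, receive timestamps
    t = time.time() if txtime is None else txtime
    secs = (int(t) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((t - int(t)) * (1 << 32)) & 0xFFFFFFFF
    header += struct.pack("!II", secs, frac)             # transmit timestamp
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet: bytes, keys: Dict[int, bytes]) -> bool:
    """Validate the MAC on a received packet.  Unauthenticated packets, unknown
    key IDs and digest mismatches are all rejected: with authentication enabled,
    a client must not accept a server response that lacks a valid MAC."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])
```

The digest is keyed MD5 over the packet, not an HMAC, and it provides integrity and origin authentication only; the key must be shared with each server out of band and a server that does not hold the key cannot answer with a usable response.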
CHAPTER 21 | System Management Commands Time Manual Configuration Commands clock summer-time (date) This command sets the start, end, and offset times of summer time (daylight saving time) for the switch on a one-time basis. Use the no form to disable summer time. SYNTAX clock summer-time name date b-date b-month b-year b-hour b-minute e-date e-month e-year e-hour e-minute [offset] no clock summer-time name - Name of the time zone while summer time is in effect, usually an acronym.
CHAPTER 21 | System Management Commands Time ◆ This command sets the summer-time time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone.
CHAPTER 21 | System Management Commands Time Table 66: Predefined Summer-Time Parameters Region Start Time, Day, Week, & Month End Time, Day, Week, & Month Rel.
CHAPTER 21 | System Management Commands Time e-day - The day of the week summer time will end. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday) e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december) e-hour - The hour when summer time will end. (Range: 0-23 hours) e-minute - The minute when summer time will end.
CHAPTER 21 | System Management Commands Time hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC) minutes - Number of minutes before/after UTC. (Range: 0-59 minutes) before-utc - Sets the local time zone before (east) of UTC. after-utc - Sets the local time zone after (west) of UTC.
CHAPTER 21 | System Management Commands Time Range COMMAND MODE Privileged Exec COMMAND USAGE Note that when SNTP is enabled, the system clock cannot be manually configured. EXAMPLE This example shows how to set the system clock to 15:12:34, February 1st, 2012. Console#calendar set 15:12:34 1 February 2012 Console# show calendar This command displays the system clock.
CHAPTER 21 | System Management Commands Time Range time-range This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range. SYNTAX [no] time-range name name - Name of the time range. (Range: 1-16 characters) DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE ◆ This command sets a time range for use by other functions, such as Access Control Lists.
CHAPTER 21 | System Management Commands Time Range COMMAND MODE Time Range Configuration COMMAND USAGE ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range. ◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
CHAPTER 21 | System Management Commands Time Range DEFAULT SETTING None COMMAND MODE Time Range Configuration COMMAND USAGE ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range. ◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e.
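The combination rule above (absolute rule AND at least one periodic rule) is easy to get wrong when a range is used to gate an ACL. The following added example, which is not code from the switch or from this guide, evaluates a named time range built from string arguments of the same shape as the CLI's; the weekday names, the "YYYY-MM-DD HH:MM" format and the behaviour of an entry that has only one kind of rule (that rule alone decides) are assumptions of the example.

```python
"""Added example, not switch code: evaluation of a time-range entry built from an
absolute rule and zero or more periodic rules.  It follows the rule stated in the
guide: when both kinds are configured, the entry is active only when the current
time is inside the absolute window AND inside at least one periodic window.  That
an entry with only one kind of rule is decided by that rule alone is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


@dataclass
class Absolute:
    start: datetime
    end: datetime


@dataclass
class Periodic:
    days: List[str]   # lower-case weekday names
    start: time
    end: time         # end < start means the window crosses midnight


@dataclass
class TimeRange:
    name: str
    absolute: Optional[Absolute] = None
    periodic: List[Periodic] = field(default_factory=list)

    @classmethod
    def from_config(cls, name, absolute=None, periodic=()):
        """Build from strings, e.g. absolute=("2014-07-01 00:00", "2014-07-31 23:59"),
        periodic=[(["saturday", "sunday"], "01:00", "05:00")]."""
        tr = cls(name)
        if absolute:
            tr.absolute = Absolute(_dt(absolute[0]), _dt(absolute[1]))
        for days, s, e in periodic:
            days = [d.lower() for d in days]
            bad = [d for d in days if d not in DAYS]
            if bad:
                raise ValueError(f"unknown weekday(s): {bad}")
            tr.periodic.append(Periodic(days, _tm(s), _tm(e)))
        return tr


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _tm(s: str) -> time:
    return datetime.strptime(s, "%H:%M").time()


def _periodic_matches(rule: Periodic, now: datetime) -> bool:
    day, t = DAYS[now.weekday()], now.time()
    if rule.start <= rule.end:
        return day in rule.days and rule.start <= t <= rule.end
    # Crosses midnight: "friday 22:00 to 02:00" covers late Friday and early Saturday.
    prev_day = DAYS[(now.weekday() - 1) % 7]
    return (day in rule.days and t >= rule.start) or (prev_day in rule.days and t <= rule.end)


def in_effect(tr: TimeRange, now: datetime) -> bool:
    """Absolute window (if any) AND at least one periodic window (if any)."""
    abs_ok = tr.absolute is None or tr.absolute.start <= now <= tr.absolute.end
    per_ok = not tr.periodic or any(_periodic_matches(r, now) for r in tr.periodic)
    return abs_ok and per_ok


def in_effect_at(tr: TimeRange, when: str) -> bool:
    """Convenience wrapper taking "YYYY-MM-DD HH:MM"."""
    return in_effect(tr, _dt(when))
```

Note that the periodic rules are ORed with each other but ANDed with the absolute rule, so a periodic maintenance window never extends an entry past the absolute end date.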
CHAPTER 21 | System Management Commands Switch Clustering SWITCH CLUSTERING Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
CHAPTER 21 | System Management Commands Switch Clustering to the Commander. When using a console connection, from the Commander CLI prompt, use the rcommand command to connect to the Member switch. cluster This command enables clustering on the switch. Use the no form to disable clustering.
CHAPTER 21 | System Management Commands Switch Clustering COMMAND MODE Global Configuration COMMAND USAGE ◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station. ◆ Cluster Member switches can be managed through a Telnet connection to the Commander.
CHAPTER 21 | System Management Commands Switch Clustering EXAMPLE Console(config)#cluster ip-pool 10.2.3.4 Console(config)# cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster. SYNTAX cluster member mac-address mac-address id member-id no cluster member id member-id mac-address - The MAC address of the Candidate switch. member-id - The ID number to assign to the Member switch.
CHAPTER 21 | System Management Commands Switch Clustering ◆ There is no need to enter the username and password for access to the Member switch CLI. Because every Member trusts the Commander's session, access to the Commander should be protected at least as strictly as access to any Member. EXAMPLE Console#rcommand id 1 CLI session with the ECS4110-52T is opened. To end the CLI session, enter [Exit]. Vty-0# show cluster This command shows the switch clustering configuration.
CHAPTER 21 | System Management Commands Switch Clustering show cluster This command shows the discovered Candidate switches in the network.
22 SNMP COMMANDS SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
CHAPTER 22 | SNMP Commands
Table 69: SNMP Commands (Continued)
Command: Function (Mode)
show snmp view: Shows the SNMP views (PE)
Notification Log Commands
nlm: Enables the specified notification log (GC)
snmp-server notify-filter: Creates a notification log and specifies the target host (GC)
show nlm oper-status: Shows operation status of configured notification logs (PE)
show snmp notify-filter: Displays the configured notification logs (PE)
snmp-server enable port-traps atc broadcastalarm-clear: Sends a t
CHAPTER 22 | SNMP Commands General SNMP Commands
Table 69: SNMP Commands (Continued)
Additional Trap Commands
memory: Sets the rising and falling threshold for the memory utilization alarm (GC)
process cpu: Sets the rising and falling threshold for the CPU utilization alarm (GC)
show memory: Shows memory utilization parameters (PE)
show process cpu: Shows CPU utilization parameters (PE)
General SNMP Commands
snmp-server This command enables the SNMPv3 engine and services for all
CHAPTER 22 | SNMP Commands General SNMP Commands DEFAULT SETTING ◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects. ◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. COMMAND MODE Global Configuration EXAMPLE Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information.
CHAPTER 22 | SNMP Commands General SNMP Commands DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console(config)#snmp-server location WC-19 Console(config)# RELATED COMMANDS snmp-server contact (796) show snmp This command can be used to check the status of SNMP communications.
CHAPTER 22 | SNMP Commands SNMP Target Host Commands
0 SNMP packets output
0 Too big errors
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP Logging: Disabled
Console#
SNMP Target Host Commands
snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
CHAPTER 22 | SNMP Commands SNMP Target Host Commands send notifications, you must configure at least one snmp-server host command. ◆ The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command.
CHAPTER 22 | SNMP Commands SNMP Target Host Commands version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See "Simple Network Management Protocol" on page 452 for further information about these authentication and encryption options. port - Host UDP port to use.
CHAPTER 22 | SNMP Commands SNMP Target Host Commands
5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
To send an inform to a SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 795).
2. Create a remote SNMPv3 user to use in the message exchange process (page 805).
3. Create a view with the required notification messages (page 806).
4. Create a group that includes the required notify view (page 804).
CHAPTER 22 | SNMP Commands SNMP Target Host Commands COMMAND USAGE This command can enable MAC authentication traps on the current interface only if they are also enabled at the global level with the snmp-server enable traps mac-authentication command. EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps mac-notification Console(config)# show snmp-server enable port-traps This command shows if SNMP traps are enabled or disabled for the specified interfaces.
CHAPTER 22 | SNMP Commands SNMPv3 Commands SNMPv3 Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. SYNTAX snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} local - Specifies the SNMP engine on this switch. remote - Specifies an SNMP engine on a remote device. ip-address - IPv4 or IPv6 address of the remote device.
CHAPTER 22 | SNMP Commands SNMPv3 Commands EXAMPLE Console(config)#snmp-server engine-id local 1234567890 Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)# RELATED COMMANDS snmp-server host (799) snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
CHAPTER 22 | SNMP Commands SNMPv3 Commands ◆ For additional information on the notification messages supported by this switch, see Table 34, "Supported Notification Messages," on page 462. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.
CHAPTER 22 | SNMP Commands SNMPv3 Commands COMMAND USAGE ◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. ◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch.
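The reason a remote user must be tied to the remote engine ID (and why changing the local engine ID invalidates existing local users) is key localization: the SNMPv3 User-based Security Model derives a user's working key from the password and the engine ID of the engine that will check the message. The following is an added example, not code from the switch or from this guide, implementing the RFC 3414 password-to-key and localization steps; the engine IDs used are the RFC's own test-vector values, not this switch's.

```python
"""Added example, not switch code: RFC 3414 password-to-key (Ku) and key
localization (Kul) for SNMPv3 USM.  The same password gives a different
localized key for every engine ID, so a user created for informs must be
localized with the remote engine's ID, and a local user's keys depend on the
local engine ID.  Engine IDs here are the RFC 3414 appendix test vectors."""
import hashlib
from typing import Dict, Iterable

ONE_MEBIBYTE = 1048576


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash of the password repeated and truncated to exactly 1 MiB (RFC 3414 A.2).
    The repetition is a deliberate slowdown against offline guessing."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku).  One-way: a Kul taken from one engine
    reveals neither Ku nor the Kul of any other engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5..32 bytes")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: bytes, engine_id: bytes, algo: str = "md5") -> Dict[str, bytes]:
    """Keys an agent would store for a user: only Kul, never the password or Ku."""
    ku = password_to_key(password, algo)
    return {"ku": ku, "kul": localize_key(ku, engine_id, algo)}


def localized_keys_for_engines(password: bytes, engine_ids: Iterable[bytes],
                               algo: str = "md5") -> Dict[bytes, bytes]:
    """Same user on several engines (e.g. the local switch and an inform target):
    one Ku, one distinct Kul per engine."""
    ku = password_to_key(password, algo)
    return {eid: localize_key(ku, eid, algo) for eid in engine_ids}
```

Because Kul is bound to the engine ID, a manager must know the target's engine ID before it can authenticate to it, which is what snmp-server engine-id remote records, and an agent whose engine ID is changed must have its users re-created.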
CHAPTER 22 | SNMP Commands SNMPv3 Commands DEFAULT SETTING defaultview (includes access to the entire MIB tree) COMMAND MODE Global Configuration COMMAND USAGE ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. ◆ The predefined view “defaultview” includes access to the entire MIB tree. EXAMPLES This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.
CHAPTER 22 | SNMP Commands SNMPv3 Commands Table 70: show snmp engine-id - display description Field Description Local SNMP engineID String identifying the engine ID. Local SNMP engineBoots The number of times that the engine has (re-)initialized since the snmp EngineID was last configured. Remote SNMP engineID String identifying an engine ID on a remote device. IP address IP address of the device containing the corresponding remote SNMP engine.
CHAPTER 22 | SNMP Commands SNMPv3 Commands Console# Table 71: show snmp group - display description Field Description Group Name Name of an SNMP group. Security Model The SNMP version. Read View The associated read view. Write View The associated write view. Notify View The associated notify view. Storage Type The storage type for this entry. Row Status The row status of this entry. show snmp user This command shows information on SNMP users.
CHAPTER 22 | SNMP Commands Notification Log Commands Table 72: show snmp user - display description (Continued) Field Description Row Status The row status of this entry. SNMP remote user A user associated with an SNMP engine on a remote device. show snmp view This command shows information on the SNMP views. COMMAND MODE Privileged Exec EXAMPLE Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.
CHAPTER 22 | SNMP Commands Notification Log Commands COMMAND MODE Global Configuration COMMAND USAGE ◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command. ◆ Disabling logging with this command does not delete the entries stored in the notification log. EXAMPLE This example enables the notification log A1.
CHAPTER 22 | SNMP Commands Notification Log Commands event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications. ◆ If notification logging is not configured and enabled, when the switch reboots, some SNMP traps (such as warm start) cannot be logged.
CHAPTER 22 | SNMP Commands Additional Trap Commands show snmp notify-filter This command displays the configured notification logs. COMMAND MODE Privileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- ---------------A1 10.1.19.23 Console# Additional Trap Commands memory This command sets an SNMP trap based on configured thresholds for memory utilization.
CHAPTER 22 | SNMP Commands Additional Trap Commands process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. SYNTAX process cpu {rising rising-threshold | falling falling-threshold} no process cpu {rising | falling} rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage. (Range: 1-100) falling-threshold - Falling threshold for CPU utilization alarm expressed in percentage.
23 REMOTE MONITORING COMMANDS Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
CHAPTER 23 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. SYNTAX rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
CHAPTER 23 | Remote Monitoring Commands ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold. EXAMPLE Console(config)#rmon alarm 1 1 1.3.6.1.2.1.16.1.1.1.6.
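The rising and falling rules together form a hysteresis loop: once a rising alarm fires, the variable has to cross the falling threshold (firing a falling alarm) before another rising alarm can fire, and vice versa, so a value oscillating around one threshold does not generate an alarm per sample. The following added example, which is not code from the switch or from this guide, implements that behaviour for absolute and delta sampling of a counter; the treatment of the very first sample (an alarm fires if it is already beyond either threshold, the RFC 2819 default startup alarm) and the 32-bit counter wrap handling are assumptions of the example, and the readings are constructed.

```python
"""Added example (not part of the switch guide): rmon alarm evaluation with the
rising/falling hysteresis described in the text, for absolute or delta sampling.
First-sample handling follows the RFC 2819 default (risingOrFallingAlarm) and
delta mode assumes a 32-bit wrapping counter; both are assumptions here."""
from typing import List, Optional

COUNTER32 = 1 << 32


class RmonAlarm:
    def __init__(self, rising: int, falling: int, sample_type: str = "absolute",
                 rising_event: Optional[int] = None, falling_event: Optional[int] = None):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type
        self.rising_event, self.falling_event = rising_event, falling_event  # event-index values
        self.last_value: Optional[int] = None   # previous value compared against thresholds
        self.last_raw: Optional[int] = None     # previous raw counter reading (delta mode)
        self.last_event: Optional[str] = None   # direction of the most recent alarm

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading of the monitored variable; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:           # no delta can be formed from one reading
                self.last_raw = raw
                return None
            value = (raw - self.last_raw) % COUNTER32   # tolerate Counter32 wrap
            self.last_raw = raw
        else:
            value = raw
        prev, event = self.last_value, None
        if (value >= self.rising and (prev is None or prev < self.rising)
                and self.last_event != "rising"):
            event = "rising"
        elif (value <= self.falling and (prev is None or prev > self.falling)
              and self.last_event != "falling"):
            event = "falling"
        if event is not None:
            self.last_event = event
        self.last_value = value
        return event

    def event_index(self, direction: str) -> Optional[int]:
        """Which rmon event entry (log and/or trap) an alarm in this direction invokes."""
        return self.rising_event if direction == "rising" else self.falling_event

    def run(self, readings: List[int]) -> List[Optional[str]]:
        return [self.sample(r) for r in readings]
```

In delta mode the compared value is the change between consecutive samples, so the thresholds are rates per interval rather than counter totals; a rising threshold of 50 with a 30-second interval alarms on more than 50 events per 30 seconds.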
CHAPTER 23 | Remote Monitoring Commands ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. EXAMPLE Console(config)#rmon event 2 log description urgent owner mike Console(config)# rmon collection history This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling.
CHAPTER 23 | Remote Monitoring Commands show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
CHAPTER 23 | Remote Monitoring Commands EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike Console(config-if)# show rmon alarms This command shows the settings for all configured alarms. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.
CHAPTER 23 | Remote Monitoring Commands
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers packets,
0 CRC alignment errors and 0 collisions.
# of dropped packet events is 0
Network utilization is estimated at 0
. . .
show rmon statistics This command shows the information collected for all configured entries in the statistics group.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show rmon statistics
Interface 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
24 AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 24 | Authentication Commands User Accounts and Privilege Levels USER ACCOUNTS AND PRIVILEGE LEVELS The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 748), user authentication via a remote authentication server (page 823), and host access authentication for specific ports (page 862).
CHAPTER 24 | Authentication Commands User Accounts and Privilege Levels DEFAULT SETTING The default is level 15. The default password is “super” COMMAND MODE Global Configuration COMMAND USAGE ◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command. ◆ The encrypted password is required for compatibility with legacy password settings (i.e.
CHAPTER 24 | Authentication Commands User Accounts and Privilege Levels Levels 0-7 provide the same default access privileges, all within Normal Exec mode under the “Console>” command prompt. Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands.
CHAPTER 24 | Authentication Commands User Accounts and Privilege Levels privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. SYNTAX privilege mode [all] level level command no privilege mode [all] command mode - The configuration mode containing the specified command. (See "Understanding Command Modes" on page 702 and "Configuration Commands" on page 703.
CHAPTER 24 | Authentication Commands Authentication Sequence EXAMPLE This example shows the privilege level for any command modified by the privilege command. Console#show privilege command privilege line all level 0 accounting privilege exec level 15 ping Console# AUTHENTICATION SEQUENCE Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
CHAPTER 24 | Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
CHAPTER 24 | Authentication Commands RADIUS Client “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
CHAPTER 24 | Authentication Commands RADIUS Client COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. SYNTAX radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
CHAPTER 24 | Authentication Commands RADIUS Client key - Shared secret used to authenticate the messages exchanged with the RADIUS server. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 24 | Authentication Commands RADIUS Client radius-server This command sets the number of retries. Use the no form to restore the retransmit default. SYNTAX radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
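What the RADIUS key actually protects is worth seeing once, because it decides how the key should be chosen. The following is an added example, not code from the switch or from this guide, that builds an Access-Request the way RFC 2865 specifies: the key (shared secret) hides the User-Password attribute by XOR with an MD5 stream derived from the secret and the 16-byte Request Authenticator, and it is mixed into the Response Authenticator that lets the client check that a reply came from a server holding the same secret. The user name, password, secret and Request Authenticator are constructed values; no network I/O is performed.

```python
"""Added example, not switch code: how the RADIUS shared secret ("key") is used
on the wire per RFC 2865.  Constructed packets only; nothing is sent."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding: each 16-byte block is XORed with
    MD5(secret || previous block), the first block using the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS passwords are limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does).  Trailing NULs are padding,
    so a password that itself ends in NUL bytes cannot be represented."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, ln = packet[i], packet[i + 1]
        if ln < 2 or i + ln > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[i + 2:i + ln]
        i += ln
    return attrs


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         req_auth: Optional[bytes] = None) -> bytes:
    req_auth = req_auth or os.urandom(16)   # must be unpredictable per RFC 2865
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    ra = response_authenticator(code, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + ra + attrs


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply against the Request Authenticator it sent."""
    if len(resp) < 20 or len(resp) != struct.unpack("!H", resp[2:4])[0]:
        return False
    expected = response_authenticator(resp[0], resp[1], resp[20:], req_auth, secret)
    return hmac.compare_digest(expected, resp[4:20])
```

Nothing here is encryption in the modern sense: anyone who captures an Access-Request and its reply can test candidate secrets offline against the Response Authenticator, so the key should be long and random (the switch accepts up to 48 characters), unique per server, and the RADIUS path should be confined to a management network.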
CHAPTER 24 | Authentication Commands TACACS+ Client
show radius-server This command displays the current settings for the RADIUS server.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
EXAMPLE
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
 Authentication Port Number : 1812
 Accounting Port Number     : 1813
 Retransmit Times           : 2
 Request Timeout            : 5
Server 1:
 Server IP Address          : 192.
CHAPTER 24 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. SYNTAX tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server. (Range: 1) host-ip-address - IP address of a TACACS+ server.
CHAPTER 24 | Authentication Commands TACACS+ Client COMMAND MODE Global Configuration EXAMPLE Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. SYNTAX tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
CHAPTER 24 | Authentication Commands TACACS+ Client EXAMPLE Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. SYNTAX tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 24 | Authentication Commands AAA TACACS+ Server Group: Group Name Member Index ------------------------- ------------tacacs+ 1 Console# AAA The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
CHAPTER 24 | Authentication Commands AAA method-name - Specifies an accounting method for service requests. (Range: 1-64 characters) start-stop - Records accounting from starting point and stopping point. group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
CHAPTER 24 | Authentication Commands AAA group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
CHAPTER 24 | Authentication Commands AAA server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters) DEFAULT SETTING Accounting is not enabled No servers are specified COMMAND MODE Global Configuration COMMAND USAGE ◆ This command runs accounting for Exec service requests for the local console and Telnet connections.
CHAPTER 24 | Authentication Commands AAA EXAMPLE Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. SYNTAX aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} default - Specifies the default authorization method for Exec access.
CHAPTER 24 | Authentication Commands AAA aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. SYNTAX [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group. tacacs+ - Defines a TACACS+ server group. group-name - A text string that names a security server group.
CHAPTER 24 | Authentication Commands AAA EXAMPLE Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. SYNTAX accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the aaa accounting dot1x command.
CHAPTER 24 | Authentication Commands AAA COMMAND MODE Line Configuration EXAMPLE Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# accounting exec This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. SYNTAX accounting exec {default | list-name} no accounting exec default - Specifies the default method list created with the aaa accounting exec command.
CHAPTER 24 | Authentication Commands AAA DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting This command displays the current accounting settings per function and per port.
CHAPTER 24 | Authentication Commands Web Server
 Interface   : Eth 1/1
 Method List : tps
 Group List  : radius
 Interface   : Eth 1/2
Accounting Type: EXEC
 Method List : default
 Group List  : tacacs+
 Interface   : vty
Console#
WEB SERVER This section describes commands used to configure web browser management access to the switch.
EXAMPLE
Console(config)#ip http port 769
Console(config)#

RELATED COMMANDS
ip http server (848)
show system (732)

ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.

COMMAND USAGE
◆ You cannot configure the HTTP and HTTPS servers to use the same port.

◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions.
The following web browsers and operating systems currently support HTTPS:

Table 83: HTTPS System Support
Web Browser | Operating System
Internet Explorer 6.

TELNET SERVER

NOTE: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level.

ip telnet max-sessions
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting.

COMMAND MODE
Global Configuration

EXAMPLE
Console(config)#ip telnet port 123
Console(config)#

ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.
SECURE SHELL
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.

NOTE: The switch supports both SSH Version 1.5 and 2.0 clients.

To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.

entered into the known host file. However, you do not need to configure the client's keys.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a.

ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.

SYNTAX
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset.

EXAMPLE
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#

RELATED COMMANDS
ip ssh crypto host-key generate (858)
show ssh (862)

ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.

SYNTAX
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of the server key.

COMMAND MODE
Global Configuration

COMMAND USAGE
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.

DEFAULT SETTING
Generates both the DSA and RSA key pairs.

COMMAND MODE
Privileged Exec

COMMAND USAGE
◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.

◆ The SSH server must be disabled before you can execute this command.

EXAMPLE
Console#ip ssh crypto zeroize dsa
Console#

RELATED COMMANDS
ip ssh crypto host-key generate (858)
ip ssh save host-key (860)
no ip ssh server (856)

ip ssh save host-key
This command saves the host key from RAM to flash memory.

SYNTAX
ip ssh save host-key

DEFAULT SETTING
Saves both the DSA and RSA key.

show public-key
This command shows the public key for the specified user or for the host.

SYNTAX
show public-key [user [username]| host]
username – Name of an SSH user. (Range: 1-8 characters)

DEFAULT SETTING
Shows all public keys.

COMMAND MODE
Privileged Exec

COMMAND USAGE
◆ If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.

show ssh
This command displays the current SSH server connections.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ssh
Connection Version State           Username Encryption
0          2.0     Session-Started admin    ctos aes128-cbc-hmac-md5
                                            stoc aes128-cbc-hmac-md5
Console#

Table 86: show ssh - display description
Field | Description
Connection | The session number. (Range: 0-3)
Version | The Secure Shell version number.
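Step 2 of the procedure above relies on the management station holding the switch's host public key in its known hosts file. The following is an added example, not code from the switch or its vendor, of the check a client performs with that file: it encodes an ssh-rsa public key blob, derives the OpenSSH-style SHA256 fingerprint an administrator would compare against the switch, and reports whether the key a switch presents matches, differs from, or is absent from the recorded entry. The host name, address and RSA values are constructed for the example (the modulus is a toy number, not a real key), and hashed (|1|...) known_hosts entries are deliberately not handled.

```python
"""Host-key check for step 2 above (added example; not code from the switch
or its vendor). The key blob, host name and address are constructed for
the example; the RSA modulus is a toy value, not a real key. Hashed
(|1|...) known_hosts entries are not handled here."""
import base64
import hashlib
import struct
from typing import Dict, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    """SSH 'mpint': big-endian two's complement; a leading 0x00 keeps it positive."""
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa public key blob (RFC 4253 section 6.6 layout)."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(hosts: str, keytype: str, blob: bytes) -> str:
    """One plain known_hosts line: comma-separated hosts, key type, base64 blob."""
    return f"{hosts} {keytype} {base64.b64encode(blob).decode()}"


def parse_known_hosts(text: str) -> Dict[Tuple[str, str], bytes]:
    """Map (host, keytype) -> key blob for plain (unhashed) known_hosts lines."""
    entries: Dict[Tuple[str, str], bytes] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):       # @cert-authority / @revoked markers: skipped here
            parts = parts[1:]
        if len(parts) < 3:
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = base64.b64decode(b64)
    return entries


def check_host_key(known_hosts: str, host: str, keytype: str, presented: bytes) -> str:
    """'match' when the stored and presented blobs are identical, 'MISMATCH' when a
    key is stored but differs (the case that must stop the connection), 'unknown'
    when no key is stored for this host and key type."""
    stored = parse_known_hosts(known_hosts).get((host, keytype))
    if stored is None:
        return "unknown"
    return "match" if stored == presented else "MISMATCH"


# Constructed sample: a toy key recorded for the switch in known_hosts.
SWITCH_KEY = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# management station known_hosts (constructed)",
    known_hosts_line("switch.example.net,192.0.2.10", "ssh-rsa", SWITCH_KEY),
])
```

A "MISMATCH" result is the one that matters operationally: it means the key recorded when the host key pair was generated no longer matches what answers at that address, which is exactly the condition a known hosts file exists to surface, for instance after ip ssh crypto zeroize and a fresh ip ssh crypto host-key generate on the switch.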
802.1X PORT AUTHENTICATION

Table 87: 802.

◆ dot1x timeout quiet-period
◆ dot1x timeout tx-period
◆ dot1x timeout re-authperiod
◆ dot1x timeout supp-timeout
◆ dot1x re-authentication
◆ dot1x intrusion-action

EXAMPLE
Console(config)#dot1x default
Console(config)#

dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.

dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.

dot1x max-reauth-req
This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.

dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.

SYNTAX
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#

RELATED COMMANDS
dot1x timeout re-authperiod (869)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 866) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.

SYNTAX
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds.

DEFAULT
30 seconds

COMMAND MODE
Interface Configuration

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#

dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.

SYNTAX
dot1x re-authenticate [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

Supplicant Commands

dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.

SYNTAX
dot1x identity profile {username username | password password}
no dot1x identity profile {username | password}
username - Specifies the supplicant user name. (Range: 1-11 characters)
password - Specifies the supplicant password.

COMMAND MODE
Interface Configuration

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#

dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.

dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.

SYNTAX
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds.

dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.

SYNTAX
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds.

◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 872).
◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items:

◆ 802.

 ■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
 ■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
 ■ Reauthentication State Machine State – Current state (including initialize, reauthenticate).

EXAMPLE
Console#show dot1x
Global 802.
 Identifier(Server) : 2
 Reauthentication State Machine State : Initialize
Console#

MANAGEMENT IP FILTER
This section describes commands used to configure IP management access to the switch.

◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.

SNMP-Client:
   Start IP address  End IP address
   ----------------------------------------------
1. 192.168.1.19      192.168.1.19
2. 192.168.1.25      192.168.1.30
TELNET-Client:
   Start IP address  End IP address
   ----------------------------------------------
1. 192.168.1.19      192.168.1.19
2. 192.168.1.25      192.168.1.
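The Management IP Filter section above states the two behaviours that matter to an operator: each client type (SNMP, web, Telnet) holds up to five address sets, each a single address or a start/end range, and a connection from any other address is rejected, logged and reported by trap. The following added example, which is not code from the switch or its vendor, models those rules so the address lists shown above can be checked against a candidate source address before they are committed. The client-type names, the syslog message text, the trap callback and the treatment of a group with no sets (left unrestricted) are assumptions of this example.

```python
"""Model of the management IP filter described above (added example; not
code from the switch or its vendor). Per client type (SNMP, web, Telnet)
the filter holds up to five address sets, each a single address or an
inclusive start..end range. A connection from an address outside every set
is rejected, written to the system log and reported as a trap. Client-type
names, message text and the trap callback are assumptions."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

MAX_SETS_PER_GROUP = 5                        # "up to five different sets of addresses"
CLIENT_TYPES = ("snmp", "web", "telnet")      # assumed names for the three groups
AddrRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


class ManagementIpFilter:
    def __init__(self, trap: Optional[Callable[[str], None]] = None) -> None:
        self.groups: Dict[str, List[AddrRange]] = {t: [] for t in CLIENT_TYPES}
        self.syslog: List[str] = []                 # event messages, as the guide describes
        self._trap = trap or (lambda msg: None)     # trap manager hook (assumed interface)

    def add(self, client_type: str, start: str, end: Optional[str] = None) -> None:
        """Add one address set: a single address, or the inclusive range start..end."""
        if client_type not in self.groups:
            raise ValueError(f"unknown client type {client_type!r}")
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end) if end else lo
        if hi < lo:
            raise ValueError("end address precedes start address")
        sets = self.groups[client_type]
        if len(sets) >= MAX_SETS_PER_GROUP:
            raise ValueError(f"{client_type}: at most {MAX_SETS_PER_GROUP} sets allowed")
        sets.append((lo, hi))

    def permitted(self, client_type: str, addr: str) -> bool:
        """True when addr lies inside one of the group's sets."""
        sets = self.groups[client_type]
        if not sets:
            return True      # assumed: a group with no address sets is unrestricted
        a = ipaddress.IPv4Address(addr)
        return any(lo <= a <= hi for lo, hi in sets)

    def connect(self, client_type: str, addr: str) -> bool:
        """Admission decision for one management connection: on rejection the
        event is logged and a trap is sent, as stated in the section above."""
        if self.permitted(client_type, addr):
            return True
        event = f"management access denied: {client_type} from {addr}"
        self.syslog.append(event)
        self._trap(event)
        return False

    def show(self, client_type: str) -> str:
        """Render one group in the layout of the output shown above."""
        lines = [f"{client_type.upper()}-Client:",
                 "   Start IP address  End IP address",
                 "   " + "-" * 46]
        for i, (lo, hi) in enumerate(self.groups[client_type], start=1):
            lines.append(f"{i}. {str(lo):<17} {hi}")
        return "\n".join(lines)
```

The range check uses ipaddress so that comparisons are numeric rather than string-based; a string comparison would accept "192.168.1.9" as lying between "192.168.1.19" and "192.168.1.30".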
PPPOE INTERMEDIATE AGENT

pppoe intermediate-agent
This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.

DEFAULT SETTING
◆ Access Node Identifier: IP address of the management interface.
◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.

pppoe intermediate-agent port-format-type
This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings.

SYNTAX
pppoe intermediate-agent port-format-type {circuit-id | remote-id} id-string
circuit-id - String identifying the circuit identifier (or interface) on this switch to which the user is connected.

pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.

SYNTAX
[no] pppoe intermediate-agent trust

DEFAULT SETTING
Untrusted

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ Set any interfaces connecting the switch to a PPPoE Server as trusted.

EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent vendor-tag strip
Console(config-if)#

clear pppoe intermediate-agent statistics
This command clears statistical counters for the PPPoE Intermediate Agent.

SYNTAX
clear pppoe intermediate-agent statistics interface [interface]
interface
 ethernet unit/port
  unit - Stack unit. (Range: 1)
  port - Port number.

 PPPoE Discover packet too large to process. Try reducing the number of tags added.
PPPoE Intermediate Agent Oper Generic Error Message : PPPoE Discover packet too large to process. Try reducing the number of tags added.

Table 90: show pppoe intermediate-agent statistics - display description
Field | Description
PADT | PPPoE Active Discovery Terminate
Dropped
 Response from untrusted | Response from an interface which has not been configured as trusted.
 Request towards untrusted | Request sent to an interface which has not been configured as trusted.
 Malformed | Corrupted PPPoE message.
25 GENERAL SECURITY MEASURES
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.

CHAPTER 25 | General Security Measures

PORT SECURITY
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.

traffic with source addresses stored in the static address table will be accepted; all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
◆ The mac-learning commands cannot be used if 802.

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.

EXAMPLE
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap

RELATED COMMANDS
show interfaces status (1007)
shutdown (1002)
mac-address-table static (1086)

port security mac-address-as-
Use this command to save the MAC addresses that port security has learned as static entries.

COMMAND MODE
Privileged Exec

EXAMPLE
This example shows the port security settings and number of secure addresses for all ports.

 Port Status                      : Secure/Up
 Intrusion Action                 : None
 Max MAC Count                    : 0
 Current MAC Count                : 0
 MAC Filter                       : Disabled
 Last Intrusion MAC               : NA
 Last Time Detected Intrusion MAC : NA
Console#

This example shows information about a detected intrusion.
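The Port Security section above describes a small state machine: a secure port learns source addresses until the configured max-mac-count is reached (zero meaning port security is off), after which any further unknown source is an intrusion that triggers the configured action and is recorded in the fields shown in the output above. The following added example, not code from the switch or its vendor, models that behaviour so the effect of max-mac-count and the action keyword on a stream of frames can be traced. The action keyword set (none, trap, shutdown, trap-and-shutdown), the frame representation, the trap text and the integer clock are assumptions of the example; the field names follow the show port security output above.

```python
"""Port security model for the behaviour described above (added example; not
code from the switch or its vendor). A secure port learns source MAC
addresses until max-mac-count is reached and then treats any further unknown
source as an intrusion, applying the configured action. The action keywords,
the frame representation and the integer clock are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")   # assumed keyword set


@dataclass
class SecurePort:
    name: str
    max_mac_count: int = 0                 # default 0: port security disabled
    action: str = "none"                   # response to a violation
    secure_macs: Set[str] = field(default_factory=set)
    shut_down: bool = False
    last_intrusion_mac: Optional[str] = None
    last_intrusion_time: Optional[int] = None
    traps: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown intrusion action {self.action!r}")
        if self.max_mac_count < 0:
            raise ValueError("max-mac-count must be zero or positive")

    def status(self) -> str:
        """Port status as printed above: 'Secure/Up', or 'Secure/Down' once shut down."""
        return "Secure/Down" if self.shut_down else "Secure/Up"

    def receive(self, src_mac: str, now: int) -> bool:
        """Decide whether a frame with this source MAC is forwarded."""
        src_mac = src_mac.lower()
        if self.shut_down:
            return False                   # a shut-down port forwards nothing
        if self.max_mac_count == 0:
            return True                    # port security off: ordinary learning applies
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_mac_count:
            self.secure_macs.add(src_mac)  # learn until the configured maximum
            return True
        self._intrusion(src_mac, now)
        return False

    def _intrusion(self, mac: str, now: int) -> None:
        """Record the violation and apply the configured action."""
        self.last_intrusion_mac = mac
        self.last_intrusion_time = now
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append(f"{self.name}: port security violation from {mac}")
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.shut_down = True

    def no_shutdown(self) -> None:
        """Re-enable the port (the no form of the related shutdown command)."""
        self.shut_down = False

    def show(self) -> dict:
        """Fields of the 'show port security' output above."""
        return {
            "Port Status": self.status(),
            "Intrusion Action": self.action,
            "Max MAC Count": self.max_mac_count,
            "Current MAC Count": len(self.secure_macs),
            "Last Intrusion MAC": self.last_intrusion_mac or "NA",
            "Last Time Detected Intrusion MAC":
                "NA" if self.last_intrusion_time is None else self.last_intrusion_time,
        }
```

Note that with action trap the port keeps forwarding frames from the addresses it already learned while the intruding frames are dropped and reported; only the shutdown variants take the port down, which is why trap-and-shutdown needs an explicit no shutdown afterwards.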
NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)

Table 94: Network Access Commands (Continued)
Command | Function | Mode
network-access link-detection link-down | Configures the link detection feature to detect and act upon link-down events | IC
network-access link-detection link-up | Configures the link detection feature to detect and act upon link-up events | IC
network-access link-detection link-up-down | Configures the link detection feature to detect and act upon both link-u

well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 867).
◆ The maximum number of secure MAC addresses supported for the switch system is 1024.

EXAMPLE
Console(config-if)#network-access aging
Console(config-if)#

network-access
Use this command to add a MAC address into a filter table.

mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.

SYNTAX
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period.

attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:

Table 95: Dynamic QoS Profiles
Profile | Attribute Syntax | Example
DiffServ | service-policy-in=policy-map-name | service-policy-in=p1
Rate Limit | rate-limit-input=rate (Kbps) | rate-limit-input=100 (Kbps)
           | rate-limit-output=rate (Kbps) | rate-limit-output=200 (Kbps)
802.

COMMAND MODE
Interface Configuration

COMMAND USAGE
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
◆ The VLAN settings specified by the first authenticated MAC address are implemented for a port.

◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see the dot1x intrusion-action command).

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#

network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.

COMMAND MODE
Interface Configuration

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#

network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.

network-access mode
Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication.

network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter.

SYNTAX
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table.

mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.

SYNTAX
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of MAC-authenticated MAC addresses allowed.

show network-access
Use this command to display the MAC authentication settings for port interfaces.

SYNTAX
show network-access [interface interface]
interface - Specifies a port interface.
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-28/52)

DEFAULT SETTING
Displays the settings for all interfaces.

show network-access mac-address-table
Use this command to display secure MAC address table entries.

SYNTAX
show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry.

show network-access mac-filter
Use this command to display information for entries in the MAC filter tables.

SYNTAX
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)

DEFAULT SETTING
Displays all filters.
WEB AUTHENTICATION

Table 96: Web Authentication (Continued)
Command | Function | Mode
web-auth system-auth-control | Enables web authentication globally for the switch | GC
web-auth | Enables web authentication for an interface | IC
web-auth re-authenticate (Port) | Ends all web authentication sessions on the port and forces the users to re-authenticate | PE
web-auth re-authenticate (IP) | Ends the web authentication session associated with the designated IP address and f | PE

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.

SYNTAX
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.

SYNTAX
[no] web-auth system-auth-control

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration

COMMAND USAGE
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

SYNTAX
web-auth re-authenticate interface interface
interface - Specifies a port interface.
 ethernet unit/port
  unit - This is unit 1.
  port - Port number.

show web-auth
This command displays global web authentication parameters.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show web-auth
Global Web-Auth Parameters
 System Auth Control : Enabled
 Session Timeout     : 3600
 Quiet Period        : 60
 Max Login Attempts  : 3
Console#

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.

show web-auth summary
This command displays a summary of web authentication port parameters and statistics.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show web-auth summary
Global Web-Auth Parameters
 System Auth Control : Enabled
Port  Status    Authenticated Host Count
--------------------------------
1/ 1  Disabled  0
1/ 2  Enabled   8
1/ 3  Disabled  0
1/ 4  Disabled  0
1/ 5  Disabled  0
. . .
DHCPV4 SNOOPING

Table 97: DHCP Snooping Commands (Continued)
Command | Function | Mode
ip dhcp snooping database flash | Writes all dynamically learned snooping entries to flash memory | PE
show ip dhcp snooping | Shows the DHCP snooping configuration settings | PE
show ip dhcp snooping binding | Shows the DHCP snooping binding table entries | PE

ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.

■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
 ■ If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.

ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.

◆ When the DHCP Snooping Information Option 82 is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets.

COMMAND USAGE
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.

COMMAND USAGE
If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client’s hardware address in the DHCP packet, the packet is dropped.

EXAMPLE
This example enables MAC address verification.

EXAMPLE
This example enables DHCP snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#

RELATED COMMANDS
ip dhcp snooping (916)
ip dhcp snooping trust (923)

ip dhcp snooping information option circuit-id
This command enables the use of the DHCP Option 82 information circuit-id suboption. Use the no form to disable this feature.

 ■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
 ■ eth - The second field is the fixed string “eth”.
 ■ slot - The slot represents the stack unit for this system.
 ■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.

ports within the VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.

EXAMPLE
Console#clear ip dhcp snooping database flash
Console#

ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.

COMMAND MODE
Privileged Exec

COMMAND USAGE
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.

show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ip dhcp snooping binding
MAC Address       IP Address      Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.
CHAPTER 25 | General Security Measures DHCPv6 Snooping ipv6 dhcp snooping This command enables DHCPv6 snooping globally. Use the no form to restore the default setting. SYNTAX [no] ipv6 dhcp snooping DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE ◆ Network traffic may be disrupted when malicious DHCPv6 messages are received from an outside source. DHCPv6 snooping is used to filter DHCPv6 messages received on an unsecure interface from outside the network or fire wall.
CHAPTER 25 | General Security Measures DHCPv6 Snooping ■ ■ ■ ■ Solicit: Add new entry in binding cache, recording client’s DUID, IA type, IA ID (2 message exchanges to get IPv6 address with rapid commit option, otherwise 4 message exchanges), and forward to trusted port. Decline: If no matching entry is found in binding cache, drop this packet. Renew, Rebind, Release, Confirm: If no matching entry is found in binding cache, drop this packet.
CHAPTER 25 | General Security Measures DHCPv6 Snooping EXAMPLE This example enables DHCPv6 snooping globally for the switch. Console(config)#ipv6 dhcp snooping Console(config)# RELATED COMMANDS ipv6 dhcp snooping vlan (931) ipv6 dhcp snooping trust (932) ipv6 dhcp snooping This command enables the insertion of remote-id option 37 information option remote-id into DHCPv6 client messages.
CHAPTER 25 | General Security Measures DHCPv6 Snooping either drop, keep or remove option 37 information in incoming DCHPv6 packets. Packets are processed as follows: ■ ■ ■ ◆ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to settings specified with ipv6 dhcp snooping option remote-id policy command.
CHAPTER 25 | General Security Measures DHCPv6 Snooping COMMAND USAGE When the switch receives DHCPv6 packets from clients that already include DHCP Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information.
EXAMPLE This example enables DHCPv6 snooping for VLAN 1.
Console(config)#ipv6 dhcp snooping vlan 1
Console(config)#
RELATED COMMANDS ipv6 dhcp snooping (927) ipv6 dhcp snooping trust (932)
ipv6 dhcp snooping max-binding
This command sets the maximum number of entries that can be stored in the binding database for an interface. Use the no form to restore the default setting.
COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
◆ Set all ports connected to DHCPv6 servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted.
COMMAND MODE Privileged Exec
EXAMPLE
Console#clear ipv6 dhcp snooping binding 00-12-cf-01-02-03 2001::1
Console#
clear ipv6 dhcp snooping database flash
This command removes all dynamically learned snooping entries from flash memory.
COMMAND MODE Privileged Exec
EXAMPLE
Console#clear ipv6 dhcp snooping database flash
Console#
show ipv6 dhcp snooping
This command shows the DHCPv6 snooping configuration settings.
show ipv6 dhcp snooping binding
This command shows the DHCPv6 snooping binding table entries.
IPV4 SOURCE GUARD
IP Source Guard is a security feature that filters IPv4 traffic on network interfaces based on manually configured entries in the IPv4 Source Guard table, or dynamic entries in the DHCPv4 Snooping table when enabled (see "DHCPv4 Snooping" on page 915). IPv4 source guard can be used to prevent traffic attacks caused when a host tries to use the IPv4 address of a neighbor to access the network.
DEFAULT SETTING No configured entries
COMMAND MODE Global Configuration
COMMAND USAGE
◆ If the binding mode is not specified in this command, the entry is bound to the ACL table by default.
◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
SYNTAX ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
◆ Filtering rules are implemented as follows:
■ If DHCPv4 snooping is disabled (see page 916), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
COMMAND MODE Interface Configuration (Ethernet)
COMMAND USAGE
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard binding command.
EXAMPLE This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.
clear ip source-guard binding blocked
This command removes all blocked records.
SYNTAX clear ip source-guard binding blocked
COMMAND MODE Privileged Exec
COMMAND USAGE When IP Source Guard detects an invalid packet it creates a blocked record. These records can be viewed using the show ip source-guard binding blocked command. A maximum of 512 blocked records can be stored before the switch overwrites the oldest record with new blocked records.
show ip source-guard binding
This command shows the source guard binding table.
SYNTAX show ip source-guard binding [dhcp-snooping | static [acl | mac] | blocked [vlan vlan-id | interface interface]]
dhcp-snooping - Shows dynamic entries configured with DHCP Snooping commands (see page 915)
static - Shows static entries configured with the ip source-guard binding command (see page 936).
acl - Shows static entries in the ACL binding table.
IPV6 SOURCE GUARD
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see "DHCPv6 Snooping" on page 926).
COMMAND MODE Global Configuration
COMMAND USAGE
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IPv6 address stored in the binding table. Use the no form to disable this function.
entry type is static IPv6 source guard binding, the packet will be forwarded.
■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, dynamic ND snooping binding, or dynamic DHCPv6 snooping binding, the packet will be forwarded.
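The IPv4 and IPv6 source guard filtering rules above share one lookup: VLAN, ingress port and source address must match a binding, the IPv4 sip-mac mode additionally checks the source MAC, and a dynamic binding only counts while the snooping protocol that learned it is enabled. The Python below is an added example, not code from this guide or the switch firmware, implementing that lookup for both address families and recording rejected packets in the 512-entry ring of blocked records described for clear ip source-guard binding blocked. The bindings, MAC addresses and port names are constructed; the entry-type strings are the ones the guide lists.

```python
"""Binding-table lookup performed by IPv4 and IPv6 Source Guard.

Added example; not code from the Edge-Core guide. It implements the filtering
rules from the IPv4 and IPv6 Source Guard sections: VLAN, ingress port and
source address must match a binding (plus source MAC for IPv4 sip-mac mode),
and a dynamic binding counts only while the snooping protocol that learned
it is enabled. Denied packets go into a 512-entry ring of blocked records.
All bindings and packets below are constructed.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass

STATIC_IPV4 = "Static-IP-SG-Binding"
DYNAMIC_DHCPV4 = "Dynamic-DHCP-Binding"
STATIC_IPV6 = "Static-IPv6-SG-Binding"
DYNAMIC_ND = "Dynamic-ND-Snooping"
DYNAMIC_DHCPV6 = "Dynamic-DHCPv6-Snooping"
STATIC_TYPES = {STATIC_IPV4, STATIC_IPV6}
MAX_BLOCKED_RECORDS = 512


def norm_mac(mac):
    return mac.lower().replace(":", "-")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str            # IPv4 or IPv6 address text; compared after normalisation
    vlan: int
    port: str
    entry_type: str


class SourceGuard:
    def __init__(self, bindings, mode="sip", snooping_enabled=()):
        """mode is 'sip' or 'sip-mac' (IPv4 only); snooping_enabled lists the
        dynamic entry types whose snooping protocol is currently running."""
        self.bindings = list(bindings)
        self.mode = mode
        self.snooping_enabled = set(snooping_enabled)
        self.blocked = deque(maxlen=MAX_BLOCKED_RECORDS)   # oldest record is overwritten first

    def permits(self, vlan, port, src_ip, src_mac):
        src = ipaddress.ip_address(src_ip)
        for b in self.bindings:
            bound = ipaddress.ip_address(b.ip)
            if bound.version != src.version or (b.vlan, b.port) != (vlan, port) or bound != src:
                continue
            # IPv6 filtering uses only address, VLAN and port; IPv4 sip-mac also checks the MAC
            if src.version == 4 and self.mode == "sip-mac" and norm_mac(b.mac) != norm_mac(src_mac):
                continue
            if b.entry_type in STATIC_TYPES or b.entry_type in self.snooping_enabled:
                return True
        self.blocked.append((vlan, port, str(src), norm_mac(src_mac)))
        return False


def demo():
    """Constructed bindings and lookups; returns the list of permit decisions."""
    v4 = [Binding("00-12-cf-01-02-03", "192.168.1.10", 1, "1/5", STATIC_IPV4),
          Binding("00-12-cf-aa-bb-cc", "192.168.1.20", 1, "1/6", DYNAMIC_DHCPV4)]
    strict = SourceGuard(v4, mode="sip-mac")                             # DHCPv4 snooping disabled
    lenient = SourceGuard(v4, mode="sip", snooping_enabled={DYNAMIC_DHCPV4})
    v6 = [Binding("00-12-cf-01-02-04", "2001:db8::10", 1, "1/7", DYNAMIC_ND)]
    guard6 = SourceGuard(v6, snooping_enabled={DYNAMIC_ND})
    return [
        strict.permits(1, "1/5", "192.168.1.10", "00:12:CF:01:02:03"),   # static entry, MAC matches
        strict.permits(1, "1/5", "192.168.1.10", "00-12-cf-00-00-00"),   # spoofed MAC under sip-mac
        strict.permits(1, "1/6", "192.168.1.20", "00-12-cf-aa-bb-cc"),   # dynamic entry, snooping off
        lenient.permits(1, "1/6", "192.168.1.20", "ff-ff-ff-ff-ff-ff"),  # sip mode ignores the MAC
        lenient.permits(2, "1/6", "192.168.1.20", "00-12-cf-aa-bb-cc"),  # wrong VLAN
        guard6.permits(1, "1/7", "2001:0db8:0000::10", "any"),            # ND binding, same address
        guard6.permits(1, "1/8", "2001:db8::10", "any"),                  # address moved to another port
    ]


if __name__ == "__main__":
    print(demo())
```

Note the third lookup: a DHCP-learned entry is in the table, yet the packet is dropped because DHCPv4 snooping is off. That is the situation the rule about static-only matching describes, and it is why disabling snooping on a port that relies on dynamic bindings blackholes its hosts rather than loosening the filter.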
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
◆ If IPv6 source guard, ND snooping, and DHCPv6 snooping are enabled on a port, the dynamic bindings used by ND snooping and DHCPv6 snooping plus the IPv6 source guard static bindings cannot exceed the maximum allowed bindings set by the ipv6 source-guard max-binding command.
show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.
SYNTAX show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 926)
static - Shows static entries configured with the ipv6 source-guard binding command.
ARP INSPECTION
Table 102: ARP Inspection Commands (Continued)
Command | Function | Mode
ip arp inspection limit | Sets a rate limit for the ARP packets received on a port | IC
ip arp inspection trust | Sets a port as trusted, and thus exempted from ARP Inspection | IC
show ip arp inspection configuration | Displays the global configuration settings for ARP Inspection | PE
show ip arp inspection interface | Shows the trust status and inspection rate limit for ports | PE
sh
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.
EXAMPLE
Console(config)#ip arp inspection
Console(config)#
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
EXAMPLE
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
EXAMPLE
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
SYNTAX [no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
SYNTAX ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#
show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address
--- ---- ---- -------------- --------------
1   1    11   192.168.2.2    192.168.2.
Console#
EXAMPLE
Console#show ip arp inspection vlan 1
VLAN ID   DAI Status   ACL Name   ACL Status
-------   ----------   --------   ----------
1         disabled     sales      static
Console#
DENIAL OF SERVICE PROTECTION
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
dos-protection echo-chargen
This command protects against DoS echo/chargen attacks, in which the echo service repeats anything sent to it and the chargen (character generator) service generates a continuous stream of data. When the two are pointed at each other, they create an infinite loop and result in a denial of service. Use the no form to disable this feature.
dos-protection tcp-flooding
This command protects against DoS TCP-flooding attacks, in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never returns the final ACK packets. These half-open connections bind resources on the target until no new connections can be made, resulting in a denial of service. Use the no form to disable this feature.
dos-protection tcp-syn-fin-scan
This command protects against DoS TCP-SYN/FIN-scan attacks, in which a TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of unusually constructed TCP packets that carry both the SYN (synchronize) and FIN (finish) flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP SYN/FIN scan packet.
dos-protection tcp-xmas-scan
This command protects against DoS TCP XMAS scans, in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of unusually constructed TCP packets that carry a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet. If the target TCP port is open, it simply discards the TCP XMAS scan packet.
dos-protection win-nuke
This command protects against WinNuke DoS attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets with the TCP URG flag set to TCP port 139 (NetBIOS) on the target computer, causing it to lock up and display a “Blue Screen of Death.”
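The dos-protection commands above each describe a packet pattern: echo/chargen port pairing, SYN together with FIN, sequence 0 with URG/PSH/FIN, and URG data to port 139, plus the stateful half-open-connection condition of a SYN flood. The Python below is an added example, not code from this guide or from the switch, that parses those fields out of raw IPv4/TCP/UDP bytes and reports which class a packet falls into; it shows concretely which header bits each command is keyed on. All packets are constructed inline, and the flood threshold is an assumed value chosen for the demonstration.

```python
"""Packet-level checks for the attack classes covered by the dos-protection
commands (echo-chargen, tcp-syn-fin-scan, tcp-xmas-scan, win-nuke) plus a
half-open connection counter for tcp-flooding.

Added example; not code from the Edge-Core guide. It parses a minimal IPv4
header and the transport ports/TCP flags from raw bytes. The packets built
in demo() are constructed here; the flood threshold is an assumed value.
"""
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
ECHO, CHARGEN, NETBIOS_SSN = 7, 19, 139
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def _addr(text):
    return bytes(int(x) for x in text.split("."))


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """20-byte IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _addr(src), _addr(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, seq=1):
    """20-byte TCP header; the six control bits sit in byte 14 (offset 13)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse(pkt):
    """Return (proto, src, dst, sport, dport, seq, flags); seq/flags are None unless TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto != IPPROTO_TCP:
        return proto, src, dst, sport, dport, None, None
    seq = struct.unpack("!I", l4[4:8])[0]
    return proto, src, dst, sport, dport, seq, l4[13] & 0x3F


def classify(pkt):
    """Name of the first dos-protection signature the packet matches, else None."""
    proto, _, _, sport, dport, seq, flags = parse(pkt)
    if proto in (IPPROTO_UDP, IPPROTO_TCP) and {sport, dport} <= {ECHO, CHARGEN}:
        return "echo-chargen"           # any echo/chargen pairing loops forever
    if proto != IPPROTO_TCP:
        return None
    if flags & SYN and flags & FIN:
        return "tcp-syn-fin-scan"       # SYN and FIN never appear together legitimately
    if seq == 0 and flags & (URG | PSH | FIN) == (URG | PSH | FIN):
        return "tcp-xmas-scan"          # sequence 0 with URG, PSH and FIN lit
    if dport == NETBIOS_SSN and flags & URG:
        return "win-nuke"               # out-of-band data to NetBIOS session port 139
    return None


class SynFloodMonitor:
    """Track half-open connections per destination socket (tcp-flooding)."""

    def __init__(self, threshold):
        self.threshold = threshold      # assumed limit on half-open entries
        self.half_open = {}             # (dst, dport) -> {(src, sport), ...}

    def observe(self, pkt):
        """Feed one packet; return True once the destination exceeds the threshold."""
        proto, src, dst, sport, dport, _, flags = parse(pkt)
        if proto != IPPROTO_TCP:
            return False
        key, peer = (dst, dport), (src, sport)
        if flags & SYN and not flags & ACK:
            self.half_open.setdefault(key, set()).add(peer)   # new half-open entry
        elif flags & ACK:
            self.half_open.get(key, set()).discard(peer)      # handshake completed
        return len(self.half_open.get(key, ())) > self.threshold


def demo():
    """Constructed packets; returns the signature names and the flood verdicts."""
    names = [classify(p) for p in (
        build_ipv4(IPPROTO_UDP, build_udp(ECHO, CHARGEN)),
        build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, SYN | FIN)),
        build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, URG | PSH | FIN, seq=0)),
        build_ipv4(IPPROTO_TCP, build_tcp(40000, NETBIOS_SSN, URG | ACK | PSH)),
        build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, SYN)),
    )]
    monitor = SynFloodMonitor(threshold=3)
    flooded = [monitor.observe(build_ipv4(IPPROTO_TCP, build_tcp(p, 80, SYN), src="192.0.2.7"))
               for p in range(40000, 40005)]
    return names, flooded


if __name__ == "__main__":
    print(demo())
```

The last packet in demo() is a plain SYN and matches nothing: the four signature checks are stateless and cannot see a flood, which is why tcp-flooding needs the separate per-destination counter and a tunable threshold rather than a flag test.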
PORT-BASED TRAFFIC SEGMENTATION
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
COMMAND MODE Global Configuration
COMMAND USAGE
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
show traffic-segmentation
This command displays the configured traffic segments.
26 ACCESS CONTROL LISTS
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
IPV4 ACLS
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
SYNTAX [no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
SYNTAX {permit | deny} {any | source bitmask | host source} [time-range time-range-name]
no {permit | deny} {any | source bitmask | host source}
any – Any source IP address.
source – Source IP address.
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range. (Range: 1-16 characters)
DEFAULT SETTING None
COMMAND MODE Extended IPv4 ACL
COMMAND USAGE
◆ All new rules are appended to the end of the list.
For example, if you configured an access list to deny packets with a ToS of 7 (00001110), the lowest ToS bit (bit 1 of the byte, which lies outside the six-bit DSCP field) would be ignored, and the access list would drop packets with a ToS of both 6 and 7.
Table 108: Priority Bits Processed by Extended IPv4 ACL
Bit         7 6 5 4 3 2 1 0
DSCP        x x x x x x . .
Precedence  x x x . . . . .
ToS         . . . x x x x .
EXAMPLE This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.
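Two details of the extended IPv4 rule syntax are easy to get wrong: the address bitmask is a subnet-style mask (the 10.7.1.0 and 255.255.255.0 example above), and the control-flags value is compared only under its flag-bitmask, so a rule such as flags 2 with bitmask 18 means "SYN set, ACK clear" rather than "exactly SYN". The Python below is an added example, not code from this guide or the switch, that evaluates a list of such rules first-match against a packet and reproduces the Table 108 behaviour in which a ToS 7 rule also drops ToS 6. Rule and packet values are constructed; a packet that matches no rule returns None here because the page does not state the switch's default action.

```python
"""First-match evaluation of Extended IPv4 ACL rules, including the TCP
control-flags/bitmask test and the priority-bit behaviour of Table 108.

Added example; not code from the Edge-Core guide. Address specs are 'any',
'host A.B.C.D' or 'A.B.C.D M.M.M.M' with a subnet-style mask. Only the six
DSCP bits are matched, so a tos value is compared on its upper three bits.
Rules and packets in demo() are constructed; an unmatched packet yields None
so the caller applies its own default.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    protocol: Optional[int] = None       # IP protocol number, None = any
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: Optional[int] = None           # 0-63
    precedence: Optional[int] = None     # 0-7
    tos: Optional[int] = None            # 0-15
    control_flags: Optional[Tuple[int, int]] = None   # (control-flags, flag-bitmask), each 0-63


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    tos_byte: int                        # the full 8-bit IPv4 ToS/DSCP byte
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0                   # six control bits from byte 14 of the TCP header


def addr_match(spec, addr):
    if spec == "any":
        return True
    words = spec.split()
    target = int(ipaddress.IPv4Address(addr))
    if words[0] == "host":
        return target == int(ipaddress.IPv4Address(words[1]))
    net, mask = (int(ipaddress.IPv4Address(w)) for w in words)
    return target & mask == net & mask


def priority_match(rule, tos_byte):
    """Table 108: DSCP is bits 7-2, precedence bits 7-5, ToS bits 4-1. Bit 1 lies
    outside the DSCP field, so it is ignored when a tos value is matched."""
    dscp = tos_byte >> 2
    if rule.dscp is not None and dscp != rule.dscp:
        return False
    if rule.precedence is not None and dscp >> 3 != rule.precedence:
        return False
    if rule.tos is not None and dscp & 0x7 != rule.tos >> 1:
        return False
    return True


def rule_match(rule, pkt):
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if not priority_match(rule, pkt.tos_byte):
        return False
    if rule.control_flags is not None:
        flags, bitmask = rule.control_flags
        if pkt.tcp_flags & bitmask != flags & bitmask:
            return False
    return True


def evaluate(rules, pkt):
    """Rules are checked in the order they were added; the first hit decides."""
    for rule in rules:
        if rule_match(rule, pkt):
            return rule.action
    return None


def demo():
    tcp = 6
    rules = [
        Rule("permit", src="10.7.1.0 255.255.255.0"),             # the subnet example from the text
        Rule("deny", protocol=tcp, tos=7),                         # ToS 7 rule: also hits ToS 6
        Rule("deny", protocol=tcp, control_flags=(SYN, SYN | ACK)),  # SYN set and ACK clear
    ]
    return [
        evaluate(rules, Packet("10.7.1.9", "10.0.0.1", 17, 0, 5000, 53)),
        evaluate(rules, Packet("10.8.1.9", "10.0.0.1", tcp, 0b00001100, 5000, 80, ACK)),  # ToS 6
        evaluate(rules, Packet("10.8.1.9", "10.0.0.1", tcp, 0b00001010, 5000, 80, ACK)),  # ToS 5
        evaluate(rules, Packet("10.8.1.9", "10.0.0.1", tcp, 0, 5000, 80, SYN)),
        evaluate(rules, Packet("10.8.1.9", "10.0.0.1", tcp, 0, 5000, 80, SYN | ACK)),
    ]


if __name__ == "__main__":
    print(demo())
```

The third rule is the usual way to block inbound connection attempts while still admitting replies to connections opened from the inside: the bitmask covers SYN and ACK, the value requires SYN only, so a SYN/ACK passes through to the next rule.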
ip access-group
This command binds an IPv4 ACL to a port. Use the no form to remove the port.
SYNTAX ip access-group acl-name in [time-range time-range-name] [counter]
no ip access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-16 characters)
counter – Enables counter for ACL statistics.
RELATED COMMANDS ip access-group (975)
show ip access-list
This command displays the rules for configured IPv4 ACLs.
SYNTAX show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL. (Maximum length: 32 characters)
COMMAND MODE Privileged Exec
EXAMPLE
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.
IPV6 ACLS
access-list ipv6
This command adds an IPv6 access list and enters configuration mode for standard or extended IPv6 ACLs. Use the no form to remove the specified ACL.
SYNTAX [no] access-list ipv6 {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IPv6 address.
extended – Specifies an ACL that filters packets based on the source or destination IPv6 address, and other more specific criteria.
acl-name – Name of the ACL.
permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
SYNTAX {permit | deny} {any | host source-ipv6-address | source-ipv6-address[/prefix-length]} [time-range time-range-name]
no {permit | deny} {any | host source-ipv6-address | source-ipv6-address[/prefix-length]}
any – Any source IP address.
permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, or next header type. Use the no form to remove a rule.
◆ Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.
SYNTAX ipv6 access-group acl-name in [time-range time-range-name] [counter]
no ipv6 access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-16 characters)
counter – Enables counter for ACL statistics.
RELATED COMMANDS ipv6 access-group (981)
show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
SYNTAX show ipv6 access-list {standard | extended} [acl-name]
standard – Specifies a standard IPv6 ACL.
extended – Specifies an extended IPv6 ACL.
acl-name – Name of the ACL.
MAC ACLS
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
EXAMPLE
Console(config)#access-list mac jerry
Console(config-mac-acl)#
RELATED COMMANDS permit, deny (984) mac access-group (987) show mac access-list (988)
permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
{permit | deny} tagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype ethertype [ethertype-bitmask]] [{ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask} | ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}} [protocol protocol] [l4-source-port sport
no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask]
{permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name]
no {permit | deny} untagged-802.
DEFAULT SETTING None
COMMAND MODE MAC ACL
COMMAND USAGE
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060.
COMMAND USAGE
◆ Only one ACL can be bound to a port.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
EXAMPLE
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
RELATED COMMANDS show mac access-list (988) Time Range (782)
show mac access-group
This command shows the ports assigned to MAC ACLs.
RELATED COMMANDS permit, deny (984) mac access-group (987)
ARP ACLS
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection filter command; ARP Inspection itself is enabled per VLAN with the ip arp inspection vlan command (page 953).
RELATED COMMANDS permit, deny (990) show access-list arp (991)
permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
SYNTAX [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log]
This form indicates either request or response packets.
EXAMPLE This rule permits response packets from any sender IP and MAC address to a target address within subnet 192.168.0.0 (mask 255.255.0.0).
Console(config-arp-acl)#permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#
RELATED COMMANDS access-list arp (989)
show access-list arp
This command displays the rules for configured ARP ACLs.
SYNTAX show access-list arp [acl-name]
acl-name – Name of the ACL.
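The ARP ACL rule forms above differ in how many address fields they carry: the plain ip/mac form compares only the sender addresses of either message type, while the request and response forms take sender and target IP followed by sender and target MAC. The Python below is an added example, not code from this guide or the switch: it parses rules written in that CLI syntax (including the page's own permit response example), decodes ARP messages from raw bytes, and evaluates them first-match with the log flag carried through. IP masks are subnet-style as in the example; the dashed-hex notation for MAC masks (ff-ff-ff-00-00-00) is an assumption, and every rule and packet is constructed.

```python
"""Parser and first-match evaluator for ARP ACL rules in the syntax above,
applied to ARP packets decoded from raw bytes.

Added example; not code from the Edge-Core guide. Accepts the two rule forms
shown: 'ip <sender> mac <sender>' (request or response) and
'request|response ip <sender> <target> mac <sender> <target>'. IP masks are
subnet-style (255.255.0.0 as in the example); MAC masks are assumed to use
the same dashed hex notation as addresses. Rules and packets are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
IP_ALL, MAC_ALL = 0xFFFFFFFF, 0xFFFFFFFFFFFF


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def mac_int(text):
    return int(text.replace("-", "").replace(":", ""), 16)


def take_spec(tokens, parse, full_mask):
    """Consume 'any' | 'host X' | 'X MASK' and return (value, mask) integers."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0
    if word == "host":
        return parse(tokens.pop(0)), full_mask
    mask = parse(tokens.pop(0))
    return parse(word) & mask, mask


def parse_rule(text):
    tokens = text.split()
    rule = {"action": tokens.pop(0), "op": None, "sender_ip": (0, 0), "target_ip": (0, 0),
            "sender_mac": (0, 0), "target_mac": (0, 0)}
    if tokens[0] in ("request", "response"):
        rule["op"] = ARP_REQUEST if tokens.pop(0) == "request" else ARP_REPLY
    if tokens.pop(0) != "ip":
        raise ValueError("expected 'ip'")
    rule["sender_ip"] = take_spec(tokens, ip_int, IP_ALL)
    if rule["op"] is not None:                       # request/response forms carry target fields
        rule["target_ip"] = take_spec(tokens, ip_int, IP_ALL)
    if tokens.pop(0) != "mac":
        raise ValueError("expected 'mac'")
    rule["sender_mac"] = take_spec(tokens, mac_int, MAC_ALL)
    if rule["op"] is not None:
        rule["target_mac"] = take_spec(tokens, mac_int, MAC_ALL)
    rule["log"] = bool(tokens) and tokens[0] == "log"
    return rule


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: int
    sender_ip: int
    target_mac: int
    target_ip: int


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP body for Ethernet/IPv4 (hardware type 1, protocol 0x0800)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_int(sender_mac).to_bytes(6, "big"), ip_int(sender_ip).to_bytes(4, "big"),
                       mac_int(target_mac).to_bytes(6, "big"), ip_int(target_ip).to_bytes(4, "big"))


def parse_arp(body):
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])
    return ArpPacket(op, int.from_bytes(sha, "big"), int.from_bytes(spa, "big"),
                     int.from_bytes(tha, "big"), int.from_bytes(tpa, "big"))


def masked(spec, value):
    want, mask = spec
    return value & mask == want


def evaluate(acl, pkt):
    """Return (action, log) of the first matching rule, or None if nothing matches."""
    for rule in acl:
        if rule["op"] is not None and rule["op"] != pkt.op:
            continue
        if (masked(rule["sender_ip"], pkt.sender_ip) and masked(rule["target_ip"], pkt.target_ip)
                and masked(rule["sender_mac"], pkt.sender_mac) and masked(rule["target_mac"], pkt.target_mac)):
            return rule["action"], rule["log"]
    return None


def demo():
    acl = [parse_rule(r) for r in (
        "permit response ip any 192.168.0.0 255.255.0.0 mac any any",   # the example rule from the text
        "deny ip host 192.168.1.1 mac any log",                          # nobody may claim the gateway
        "permit ip 192.168.1.0 255.255.255.0 mac 00-12-cf-00-00-00 ff-ff-ff-00-00-00",
    )]
    packets = [
        build_arp(ARP_REPLY, "00-12-cf-01-02-03", "192.168.1.1", "00-aa-bb-cc-dd-ee", "192.168.5.5"),
        build_arp(ARP_REQUEST, "00-12-cf-01-02-03", "192.168.1.1", "00-00-00-00-00-00", "192.168.1.254"),
        build_arp(ARP_REQUEST, "00-12-cf-09-09-09", "192.168.1.7", "00-00-00-00-00-00", "192.168.1.254"),
        build_arp(ARP_REQUEST, "00-99-cf-09-09-09", "192.168.1.7", "00-00-00-00-00-00", "192.168.1.254"),
    ]
    return [evaluate(acl, parse_arp(p)) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The first packet illustrates an ordering trap: the reply claiming 192.168.1.1 is permitted because the response rule precedes the deny, so a rule meant to protect the gateway address must be placed before any broad permit.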
ACL INFORMATION
This section describes commands used to display ACL information.
Table 112: ACL Information Commands
Command | Function | Mode
clear access-list hardware counters | Clears hit counter for rules in all ACLs, or in a specified ACL.
MAC access-list jerry
Console#
show access-list
This command shows all ACLs and associated rules.
SYNTAX show access-list [arp [acl-name] | ip [extended [acl-name] | standard [acl-name]] | ipv6 [extended [acl-name] | standard [acl-name]] | mac [acl-name] | tcam-utilization | hardware counters]
arp – Shows ingress or egress rules for ARP ACLs.
hardware counters – Shows statistics for all ACLs.
27 INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
INTERFACE CONFIGURATION
Table 113: Interface Commands (Continued)
Command | Function | Mode
transceiver-threshold temperature | Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message | IC
transceiver-threshold tx-power | Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message | IC
transceiver-threshold voltage | Sets thresholds for the transceiver voltage
EXAMPLE To specify several different ports, enter the following command:
Console(config)#interface ethernet 1/17-20,23
Console(config-if)#shutdown
alias
This command configures an alias name for the interface. Use the no form to remove the alias name.
SYNTAX alias string
no alias
string - A mnemonic name to help you remember what is attached to this interface.
10full - Supports 10 Mbps full-duplex operation
10half - Supports 10 Mbps half-duplex operation
flowcontrol - Supports flow control
DEFAULT SETTING
100BASE-FX (SFP): 100full
1000BASE-T: 10half, 10full, 100half, 100full, 1000full
1000BASE-SX/LX/LH (SFP): 1000full
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ The 1000BASE-T standard does not support forced mode.
DEFAULT SETTING None
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer and the product name.
EXAMPLE The following example adds a description to port 4.
flowcontrol
This command enables flow control. Use the no form to disable flow control.
SYNTAX [no] flowcontrol
DEFAULT SETTING Disabled
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
media-type
This command forces the transceiver mode to use for SFP ports. Use the no form to restore the default mode.
SYNTAX media-type sfp-forced {1000sfp | 100fx}
no media-type
1000sfp - Forces the port to use 1000BASE SFP mode
100fx - Forces the port to use 100BASE-FX mode
DEFAULT SETTING Not specified
COMMAND MODE Interface Configuration (SFP Ports)
EXAMPLE This forces the switch to use the built-in RJ-45 port for the combination port 10.
EXAMPLE The following example configures port 11 to use auto-negotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
RELATED COMMANDS capabilities (997) speed-duplex (1002)
shutdown
This command disables an interface. To restart a disabled interface, use the no form.
SYNTAX [no] shutdown
DEFAULT SETTING All interfaces are enabled.
10full - Forces 10 Mbps full-duplex operation
10half - Forces 10 Mbps half-duplex operation
DEFAULT SETTING
◆ Auto-negotiation is enabled by default.
◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports.
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ The 1000BASE-T standard does not support forced mode.
clear counters
This command clears statistics on an interface.
SYNTAX clear counters interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
DEFAULT SETTING None
COMMAND MODE Privileged Exec
COMMAND USAGE Statistics are only initialized by a power reset. This command sets the base value for displayed statistics to zero for the current management session.
show interfaces brief
This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports.
EXAMPLE
Console#show interfaces counters ethernet 1/17
Ethernet 1/17
===== IF table Stats =====
2166458 Octets Input
14734059 Octets Output
14707 Unicast Input
19806 Unicast Output
0 Discard Input
0 Discard Output
0 Error Input
0 Error Output
0 Unknown Protocols Input
0 QLen Output
===== Extended Iftable Stats =====
23 Multi-cast Input
5525 Multi-cast Output
170 Broadcast Input
11 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS
show interfaces status
This command displays the status for an interface.
SYNTAX show interfaces status [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
vlan vlan-id (Range: 1-4094)
DEFAULT SETTING Shows the status for all interfaces.
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.
SYNTAX show interfaces switchport [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
DEFAULT SETTING Shows all interfaces.
Table 114: show interfaces switchport - display description
Field | Description
Broadcast Threshold | Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 1057).
Multicast Threshold | Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 1057).
TRANSCEIVER THRESHOLD CONFIGURATION
EXAMPLE
Console(config)#interface ethernet 1/52
Console(config-if)#transceiver-monitor
Console(config-if)#
transceiver-threshold-auto
This command uses default threshold settings obtained from the transceiver to determine when an alarm or warning message should be sent. Use the no form to disable this feature.
COMMAND MODE
Interface Configuration (SFP Ports)

COMMAND USAGE
◆ If trap messages are enabled with the transceiver-monitor command, a high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold.
threshold-value – The power threshold of the received signal. (Range: -4000 - 820 in units of 0.01 dBm)

DEFAULT SETTING
High Alarm: -3.00 dBm
High Warning: -3.50 dBm
Low Warning: -21.00 dBm
Low Alarm: -21.50 dBm

COMMAND MODE
Interface Configuration (SFP Ports)

COMMAND USAGE
◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
threshold-value – The threshold of the transceiver temperature. (Range: -12800 - 12800 in units of 0.01 Celsius)

DEFAULT SETTING
High Alarm: 75.00 C
High Warning: 70.00 C
Low Alarm: -123.00 C
Low Warning: 0.00 C

COMMAND MODE
Interface Configuration (SFP Ports)

COMMAND USAGE
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
DEFAULT SETTING
High Alarm: -9.00 dBm
High Warning: -9.50 dBm
Low Warning: -21.00 dBm
Low Alarm: -21.50 dBm

COMMAND MODE
Interface Configuration (SFP Ports)

COMMAND USAGE
◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
DEFAULT SETTING
High Alarm: 3.50 Volts
High Warning: 3.45 Volts
Low Warning: 3.15 Volts
Low Alarm: 3.10 Volts

COMMAND MODE
Interface Configuration (SFP Ports)

COMMAND USAGE
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and related alarm thresholds.
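The threshold-crossing rule stated under transceiver-threshold (a high-side message only when the current sample is at or above the threshold and the previous one was below it), applied to DDM samples in the CLI's 0.01-unit integers. This is an added Python example, not code from this guide or from the switch firmware; the mirror-image rule for the low-side thresholds and the scaling of the rx-power defaults to 0.01 dBm units are assumptions.

```python
"""Edge-triggered transceiver (DDM) threshold checks, modelled on the
transceiver-threshold commands.  Constructed example, not switch code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    """Four thresholds in the CLI's integer units (0.01 dBm, 0.01 C, ...)."""
    high_alarm: int
    high_warning: int
    low_warning: int
    low_alarm: int

    def __post_init__(self) -> None:
        # A consistent set is ordered low alarm <= low warning <= high warning <= high alarm.
        if not (self.low_alarm <= self.low_warning <= self.high_warning <= self.high_alarm):
            raise ValueError("thresholds must be ordered low-alarm <= low-warning "
                             "<= high-warning <= high-alarm")


def cli_units(value: float) -> int:
    """Convert a value such as -3.50 dBm to the CLI's 0.01-unit integer (-350)."""
    return int(round(value * 100))


# Guide defaults for received power: -3.00 / -3.50 / -21.00 / -21.50 dBm.
RX_POWER_DEFAULTS = Thresholds(
    high_alarm=cli_units(-3.00),
    high_warning=cli_units(-3.50),
    low_warning=cli_units(-21.00),
    low_alarm=cli_units(-21.50),
)


def crossing_events(prev: Optional[int], cur: int, t: Thresholds) -> List[str]:
    """Messages raised when the sample moves across a threshold.

    High side is the rule the guide states: raise when cur >= threshold and the
    previous sample was below it.  Low side is the mirror image (assumption):
    raise when cur <= threshold and the previous sample was above it.  A sample
    that jumps past both warning and alarm raises both in one step.
    """
    events: List[str] = []
    if prev is None:
        return events  # the first sample only establishes the baseline
    for name, thr in (("high-alarm", t.high_alarm), ("high-warning", t.high_warning)):
        if cur >= thr and prev < thr:
            events.append(name)
    for name, thr in (("low-alarm", t.low_alarm), ("low-warning", t.low_warning)):
        if cur <= thr and prev > thr:
            events.append(name)
    return events


def monitor(samples: Iterable[int], t: Thresholds) -> List[Tuple[int, str]]:
    """Run the crossing check over a series of samples; returns (index, event) pairs."""
    out: List[Tuple[int, str]] = []
    prev: Optional[int] = None
    for i, cur in enumerate(samples):
        out.extend((i, e) for e in crossing_events(prev, cur, t))
        prev = cur
    return out


if __name__ == "__main__":
    # Constructed rx-power samples in 0.01 dBm: a fade below both low thresholds,
    # recovery, then an overshoot past both high thresholds.
    samples = [-1000, -2050, -2100, -2100, -2200, -800, -340, -290]
    for idx, event in monitor(samples, RX_POWER_DEFAULTS):
        print(f"sample {idx} ({samples[idx] / 100:.2f} dBm): {event}")
```

A steady value sitting exactly on a threshold raises nothing after the first crossing, which is why the switch compares against the last sample rather than re-sending on every poll.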
Cable Diagnostics

COMMAND USAGE
◆ The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices.
◆ This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long.
◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length of each cable pair.
Power Savings

COMMAND MODE
Privileged Exec

COMMAND USAGE
◆ The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
◆ To ensure more accurate measurement of the length to a fault, first disable power-saving mode on the link partner before running cable diagnostics.
◆ For link-down ports, the reported distance to a fault is accurate to within +/- 2 meters.
checks for energy on the circuit to determine if there is a link partner. If none is detected, the switch automatically turns off the transmitter, and most of the receive circuitry (entering Sleep Mode). In this mode, the low-power energy-detection circuit continuously checks for energy on the cable. If none is detected, the MAC interface is also powered down to save additional energy.
28 LINK AGGREGATION COMMANDS

Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 16 trunks.
CHAPTER 28 | Link Aggregation Commands
Manual Configuration Commands

◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
◆ All the ports in a trunk have to be treated as a whole when they are added to, moved between, or deleted from a VLAN via the specified port-channel.
DEFAULT SETTING
src-dst-mac

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ This command applies to all static and dynamic trunks on the switch.
Dynamic Configuration Commands

channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.

SYNTAX
channel-group channel-id
no channel-group
  channel-id - Trunk index (Range: 1-16)

DEFAULT SETTING
The current port will be added to this trunk.

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
◆ When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
◆ If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.

SYNTAX
lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key
  actor - The local side of an aggregate link.
  partner - The remote side of an aggregate link.
  key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.

SYNTAX
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
  actor - The local side of an aggregate link.
  partner - The remote side of an aggregate link.
  priority - LACP port priority is used to select a backup link.
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.

SYNTAX
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
  actor - The local side of an aggregate link.
  partner - The remote side of an aggregate link.
DEFAULT SETTING
0

COMMAND MODE
Interface Configuration (Port Channel)

COMMAND USAGE
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
Trunk Status Display Commands

When it receives an LACPDU set with a long timeout from the actor, it adjusts the transmit LACPDU interval to 30 seconds.
◆ If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group.
◆ When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port.
LACPDUs Sent             : 12
LACPDUs Received         : 6
Marker Sent              : 0
Marker Received          : 0
LACPDUs Unknown Pkts     : 0
LACPDUs Illegal Pkts     : 0
. . .

Table 116: show lacp counters - display description
Field: Description
LACPDUs Sent: Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received: Number of valid LACPDUs received on this channel group.
Marker Sent: Number of valid Marker PDUs transmitted from this channel group.
Table 117: show lacp internal - display description (Continued)
Field: Description
Admin State, Oper State:
  ◆ Expired – The actor's receive machine is in the expired state;
  ◆ Defaulted – The actor's receive machine is using defaulted operational partner information, administratively configured for the partner.
  ◆ Distributing – If false, distribution of outgoing frames on this link is disabled; i.e.
Table 118: show lacp neighbors - display description (Continued)
Field: Description
Port Oper Priority: Priority value assigned to this aggregation port by the partner.
Admin Key: Current administrative value of the Key for the protocol partner.
Oper Key: Current operational value of the Key for the protocol partner.
Admin State: Administrative values of the partner's state parameters. (See preceding table.
29 POWER OVER ETHERNET COMMANDS

The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-24 on the ECS4110-28P and ports 1-48 on the ECS4110-52P. The switch's power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
CHAPTER 29 | Power over Ethernet Commands

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ The switch automatically detects attached PoE devices by periodically transmitting test voltages over the Gigabit Ethernet copper-media ports. When an IEEE 802.3af or 802.3at compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the switch, which may then turn on the power to this device.
DEFAULT SETTING
ECS4110-28P: 390000 milliwatts
ECS4110-52P: 400000 milliwatts

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source.
◆ If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#power inline
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#no power inline
Console(config-if)#

RELATED COMMANDS
time-range (783)

power inline maximum allocation
This command limits the power allocated to specific ports. Use the no form to restore the default setting.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#power inline maximum allocation 8000
Console(config-if)#

power inline priority
This command sets the power priority for specific ports. Use the no form to restore the default setting.

SYNTAX
power inline priority priority
no power inline priority
  priority - The power priority for the port.
■ If priority is not set for any ports, and PoE consumption exceeds the maximum power provided by the switch, power is shut down in the following sequence:

Table 122: PoE Shut Down Sequence
Switch | PoE Port Shut Down Sequence
ECS4110-28P | 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13
ECS4110-52P | 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 2
show power inline status
This command displays the current power status for all ports or for specific ports.

SYNTAX
show power inline status [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
show power inline time-range
This command displays the time-range and current status for specific ports or for all ports.

SYNTAX
show power inline time-range time-range-name [interface]
  time-range-name - Name of the time range. (Range: 1-30 characters)
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
Table 124: show power mainpower - display description
Field: Description
PoE Maximum Available Power: The available power budget for the switch
PoE Maximum Allocation Power: The overall maximum power which is currently allocated by the power mainpower maximum allocation command.
30 PORT MIRRORING COMMANDS

Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
CHAPTER 30 | Port Mirroring Commands
Local Port Mirroring Commands

  tx - Mirror transmitted packets.
  both - Mirror both received and transmitted packets.
  vlan-id - VLAN ID (Range: 1-4094)
  mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters)

DEFAULT SETTING
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ The destination port cannot be a trunk or trunk member port.
◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps:
  1. Use the access-list command (page 969) to add an ACL.
  2. Use the access-group command to add a mirrored port to access control list.
  3. Use the port monitor access-list command to specify the destination port to which traffic matching the ACL will be mirrored.
RSPAN Mirroring Commands

COMMAND MODE
Privileged Exec

COMMAND USAGE
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
  3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
  4. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch's role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
rspan source
Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.

SYNTAX
[no] rspan session session-id source interface interface-list [rx | tx | both]
  session-id – A number identifying this RSPAN session.
rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.

SYNTAX
rspan session session-id destination interface interface [tagged | untagged]
no rspan session session-id destination interface interface
  session-id – A number identifying this RSPAN session. (Range: 1) Only one mirror session is allowed, including both local and remote mirroring.
rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.

SYNTAX
[no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface
  session-id – A number identifying this RSPAN session.
show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.

EXAMPLE
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:
Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#

no rspan session
Use this command to delete a configured RSPAN session.
EXAMPLE
Console#show rspan session
RSPAN Session ID                : 1
Source Ports (mirrored ports)   : None
  RX Only                       : None
  TX Only                       : None
  BOTH                          : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode         : Untagged
Switch Role                     : Destination
RSPAN VLAN                      : 2
RSPAN Uplink Ports              : Eth 1/3
Operation Status                : Up
Console#
31 CONGESTION CONTROL COMMANDS

The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Table 128: Congestion Control Commands
Command Group | Function
Rate Limiting | Sets the input and output rate limits for a port.
CHAPTER 31 | Congestion Control Commands
Rate Limit Commands

rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.

SYNTAX
rate-limit {input | output} [rate]
no rate-limit {input | output}
  input – Input rate for specified interface
  output – Output rate for specified interface
  rate – Maximum value in kbps.
STORM CONTROL COMMANDS

Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Automatic Traffic Control Commands

◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.
Table 131: ATC Commands (Continued)
Command | Function | Mode
auto-traffic-control auto-control-release | Automatically releases a control response | IC (Port)
auto-traffic-control control-release | Manually releases a control response | IC (Port)
snmp-server enable port-traps atc broadcast-alarm-clear | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered | IC (Port)
s
USAGE GUIDELINES
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Figure 422: Storm Control by Shutting Down a Port

The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually reenable the port.

FUNCTIONAL LIMITATIONS
Automatic storm control is a software level control function.
COMMAND USAGE
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command.

EXAMPLE
This example sets the apply timer to 200 seconds for all ports.
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.

SYNTAX
[no] auto-traffic-control {broadcast | multicast}
  broadcast - Specifies automatic storm control for broadcast traffic.
  multicast - Specifies automatic storm control for multicast traffic.
  shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.

DEFAULT SETTING
rate-control

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
◆ When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
DEFAULT SETTING
250 kilo-packets per second

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.
COMMAND USAGE
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
auto-traffic-control control-release
This command manually releases a control response.

SYNTAX
auto-traffic-control {broadcast | multicast} control-release
  broadcast - Specifies automatic storm control for broadcast traffic.
  multicast - Specifies automatic storm control for multicast traffic.
snmp-server enable port-traps atc broadcast-alarm-fire
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
snmp-server enable port-traps atc broadcast-alarm-clear
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap.
snmp-server enable port-traps atc multicast-alarm-fire
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
snmp-server enable port-traps atc multicast-alarm-clear
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap.
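The ATC sequence described across the auto-traffic-control, apply-timer, threshold and port-trap commands above (upper threshold, apply timer, control response, lower threshold, release timer, automatic or manual release) as one simulation, so that the difference between the rate-control and shutdown responses is visible in the traps it emits. This is an added Python example and not the switch's implementation; the threshold values, the second-by-second timer model, and the treatment of a storm that subsides before the apply timer expires are assumptions.

```python
"""Simulation of the automatic traffic control (ATC) response:
upper threshold -> apply timer -> control action; lower threshold -> release
timer -> automatic release (rate-control) or manual release (shutdown).
Constructed example, not the switch's code."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AtcConfig:
    alarm_fire_kpps: int            # upper threshold (alarm-fire), constructed value
    alarm_clear_kpps: int           # lower threshold (alarm-clear), constructed value
    apply_timer_s: int              # seconds above the upper threshold before control applies
    release_timer_s: int            # seconds below the lower threshold before release
    action: str = "rate-control"    # "rate-control" or "shutdown"
    auto_release: bool = True       # auto-control-release; only rate-control can auto-release

    def __post_init__(self) -> None:
        if self.action not in ("rate-control", "shutdown"):
            raise ValueError("action must be rate-control or shutdown")
        if self.alarm_clear_kpps >= self.alarm_fire_kpps:
            raise ValueError("lower threshold must be below the upper threshold")


@dataclass
class AtcPort:
    cfg: AtcConfig
    state: str = "normal"           # normal | storm-detected | controlled | held
    timer: int = 0
    traps: List[Tuple[int, str]] = field(default_factory=list)

    def step(self, t: int, rate_kpps: int) -> str:
        """Advance one second with the observed ingress rate; returns the new state."""
        cfg = self.cfg
        if self.state == "normal":
            if rate_kpps > cfg.alarm_fire_kpps:
                self.traps.append((t, "alarm-fire"))       # upper threshold exceeded
                self.state, self.timer = "storm-detected", 0
        elif self.state == "storm-detected":
            if rate_kpps > cfg.alarm_fire_kpps:
                self.timer += 1
                if self.timer >= cfg.apply_timer_s:
                    self.traps.append((t, "control-apply"))  # apply timer expired
                    self.state, self.timer = "controlled", 0
            else:
                # Assumption: a storm that subsides before the apply timer
                # expires is dropped without any control response.
                self.state, self.timer = "normal", 0
        elif self.state == "controlled":
            # A shut-down port carries no traffic, so its rate is taken as zero.
            observed = 0 if cfg.action == "shutdown" else rate_kpps
            if observed < cfg.alarm_clear_kpps:
                self.timer += 1
                if self.timer >= cfg.release_timer_s:
                    self.traps.append((t, "alarm-clear"))    # release timer expired
                    if cfg.action == "rate-control" and cfg.auto_release:
                        self.traps.append((t, "control-release"))
                        self.state = "normal"
                    else:
                        self.state = "held"   # needs control-release or re-enabling the port
                    self.timer = 0
            else:
                self.timer = 0
        # "held" ignores traffic until manual_release() is called
        return self.state

    def manual_release(self) -> str:
        """Operator action: auto-traffic-control control-release, or re-enabling a shut-down port."""
        if self.state in ("held", "controlled"):
            self.state, self.timer = "normal", 0
        return self.state


def run(cfg: AtcConfig, rates: List[int]) -> Tuple[str, List[Tuple[int, str]]]:
    """Feed one rate sample per second through a fresh port; return final state and traps."""
    port = AtcPort(cfg)
    for t, r in enumerate(rates):
        port.step(t, r)
    return port.state, port.traps


if __name__ == "__main__":
    # Constructed broadcast rates in kpps: a storm lasting four seconds, then quiet.
    rates = [50, 200, 200, 200, 200, 30, 30, 30, 50]
    for action in ("rate-control", "shutdown"):
        cfg = AtcConfig(128, 64, apply_timer_s=3, release_timer_s=2, action=action)
        print(action, run(cfg, rates))
```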
show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.

SYNTAX
show auto-traffic-control interface [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
32 LOOPBACK DETECTION COMMANDS

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
CHAPTER 32 | Loopback Detection Commands

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.

SYNTAX
[no] loopback-detection

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
COMMAND USAGE
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port's VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.
EXAMPLE
Console(config)#loopback-detection recover-time 120
Console(config-if)#

loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.

SYNTAX
loopback-detection transmit-interval seconds
no loopback-detection transmit-interval
  seconds - The transmission interval for loopback detection control frames.
COMMAND MODE
Global Configuration

COMMAND USAGE
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.

EXAMPLE
Console(config)#loopback-detection trap both
Console(config)#

loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.
Trap : None

Loopback Detection Port Information
Port      Admin State  Oper State
--------  -----------  ----------
Eth 1/ 1  Enabled      Normal
Eth 1/ 2  Disabled     Disabled
Eth 1/ 3  Disabled     Disabled
. . .
33 UNIDIRECTIONAL LINK DETECTION COMMANDS

The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port's identity and learns about its neighbors on a specific LAN segment; and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
CHAPTER 33 | UniDirectional Link Detection Commands

If the link is deemed anything other than bidirectional at the end of the detection phase, this curve becomes a flat line with a fixed value of Mfast (7 seconds). If the link is instead deemed bidirectional, the curve will use Mfast for the first four subsequent message transmissions and then transition to an Mslow value for all other steady-state transmissions. Mslow is the value configured by this command.
problem. Because this type of detection can be event-less, and lack of information cannot always be associated with an actual malfunction of the link, this mode is optional and is recommended only in certain scenarios (typically only on point-to-point links where no communication failure between two neighbors is admissible).

EXAMPLE
This example enables UDLD aggressive mode on port 1.
show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.

SYNTAX
show udld [interface interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
Table 134: show udld - display description (Continued)
Field: Description
Port State: Shows the UDLD port state (Unknown, Bidirectional, Unidirectional, Transmit-to-receive loop, Mismatch with neighbor state reported, Neighbor's echo is empty). The state is Unknown if the link is down or not connected to a UDLD-capable device. The state is Bidirectional if the link has a normal two-way connection to a UDLD-capable device.
34 ADDRESS TABLE COMMANDS

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
CHAPTER 34 | Address Table Commands

EXAMPLE
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

SYNTAX
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
  mac-address - MAC address.
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
EXAMPLE
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.

DEFAULT SETTING
None

COMMAND MODE
Privileged Exec

EXAMPLE
Console#clear mac-address-table dynamic
Console#

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
COMMAND USAGE
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
  ■ Learn - Dynamic address entries
  ■ Config - Static entry
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.

SYNTAX
show mac-address-table count interface interface
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
35 SPANNING TREE COMMANDS

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
CHAPTER 35 | Spanning Tree Commands

Table 136: Spanning Tree Commands (Continued)
Command | Function | Mode
spanning-tree loopback-detection release-mode | Configures loopback release mode for a port | IC
spanning-tree loopback-detection trap | Enables BPDU loopback SNMP trap notification for a port | IC
spanning-tree mst cost | Configures the path cost of an instance in the MST | IC
spanning-tree mst port-priority | Configures the priority of an instance in the MST | IC
spanning-tree port-bpdu-flooding | Floods
EXAMPLE
This example shows how to enable the Spanning Tree Algorithm for the switch:
  Console(config)#spanning-tree
  Console(config)#

spanning-tree cisco-prestandard
This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
COMMAND USAGE
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

SYNTAX
  spanning-tree max-age seconds
  no spanning-tree max-age

  seconds - Time in seconds. (Range: 6-40 seconds)
  The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  The maximum value is the lower of 40 or [2 x (forward-time - 1)].
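The max-age bounds above only hold when hello-time and forward-time are also consistent with each other; a timer set that violates them leaves the bridge without any legal max-age, which is the kind of misconfiguration that shows up as flapping or transient loops. The following checker, an added example that is not code from the guide, encodes exactly the two bounds stated here; the sample timer sets used in the main block are assumed values, and the 802.1D defaults (hello 2, forward 15, max-age 20) are assumed rather than quoted from this page.

```python
"""Check that spanning tree hello-time, forward-time and max-age are mutually consistent.

Added example, not part of the Edge-Core guide. It encodes the constraints
the guide states for spanning-tree max-age: the minimum is the higher of 6
or 2 x (hello-time + 1), the maximum is the lower of 40 or
2 x (forward-time - 1). The timer values used in main() are assumed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class StpTimers:
    hello_time: int    # seconds (spanning-tree hello-time)
    forward_time: int  # seconds (spanning-tree forward-time)
    max_age: int       # seconds (spanning-tree max-age)


def max_age_bounds(hello_time: int, forward_time: int) -> Tuple[int, int]:
    """Return (minimum, maximum) legal max-age for the given hello/forward timers,
    exactly as stated in the max-age command description."""
    low = max(6, 2 * (hello_time + 1))
    high = min(40, 2 * (forward_time - 1))
    return low, high


def validate(t: StpTimers) -> List[str]:
    """Return human-readable violations; an empty list means the timers are consistent."""
    problems: List[str] = []
    if not 6 <= t.max_age <= 40:
        problems.append(f"max-age {t.max_age} is outside the 6-40 second range")
    low, high = max_age_bounds(t.hello_time, t.forward_time)
    if low > high:
        # No value satisfies both bounds: hello-time and forward-time conflict.
        problems.append(
            f"no legal max-age: hello-time {t.hello_time} requires at least {low}s "
            f"but forward-time {t.forward_time} allows at most {high}s")
    if t.max_age < low:
        problems.append(f"max-age {t.max_age} < 2 x (hello-time + 1) = {low}")
    if t.max_age > high:
        problems.append(f"max-age {t.max_age} > 2 x (forward-time - 1) = {high}")
    return problems


if __name__ == "__main__":
    # Assumed sample timer sets: the 802.1D defaults, a forward-time that is too
    # short for the configured max-age, and a hello-time that is too long for it.
    for timers in (StpTimers(2, 15, 20), StpTimers(2, 4, 20), StpTimers(10, 15, 20)):
        print(timers, validate(timers) or "OK")
```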
COMMAND MODE
  Global Configuration

COMMAND USAGE
◆ Spanning Tree Protocol
  This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

SYNTAX
  spanning-tree pathcost method {long | short}
  no spanning-tree pathcost method

  long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
  short - Specifies 16-bit based values that range from 1-65535.
COMMAND MODE
  Global Configuration

COMMAND USAGE
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lowest numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.

SYNTAX
  spanning-tree system-bpdu-flooding {to-all | to-vlan}
  no spanning-tree system-bpdu-flooding

  to-all - Floods BPDUs to all other ports on the switch.
EXAMPLE
  Console(config)#spanning-tree transmission-limit 4
  Console(config)#

max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.

SYNTAX
  max-hops hop-number
  hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)

DEFAULT SETTING
  20

COMMAND MODE
  MST Configuration

COMMAND USAGE
An MSTI region is treated as a single node by the STP and RSTP protocols.
DEFAULT SETTING
  32768

COMMAND MODE
  MST Configuration

COMMAND USAGE
◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region (page 1102) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
DEFAULT SETTING
  0

COMMAND MODE
  MST Configuration

COMMAND USAGE
The MST region name (page 1102) and revision number are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
EXAMPLE
  Console(config)#interface ethernet 1/5
  Console(config-if)#spanning-tree edge-port
  Console(config-if)#spanning-tree bpdu-filter
  Console(config-if)#

RELATED COMMANDS
  spanning-tree edge-port (1106)

spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
RELATED COMMANDS
  spanning-tree edge-port (1106)
  spanning-tree spanning-disabled (1114)

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.

SYNTAX
  spanning-tree cost cost
  no spanning-tree cost

  cost - The path cost for the port.
COMMAND USAGE
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 1097) is set to short, the maximum value for path cost is 65,535.
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

SYNTAX
  spanning-tree link-type {auto | point-to-point | shared}
  no spanning-tree link-type

  auto - Automatically derived from the duplex mode setting.
  point-to-point - Point-to-point link.
  shared - Shared medium.
COMMAND USAGE
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.

SYNTAX
  spanning-tree loopback-detection release-mode {auto | manual}
  no spanning-tree loopback-detection release-mode

  auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify auto-configuration mode.
◆ Path cost takes precedence over interface priority.
RELATED COMMANDS
  spanning-tree mst cost (1110)

spanning-tree port-bpdu-flooding
This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
COMMAND USAGE
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
EXAMPLE
  Console(config)#interface ethernet 1/5
  Console(config-if)#spanning-tree edge-port
  Console(config-if)#spanning-tree root-guard
  Console(config-if)#

spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
EXAMPLE
  Console(config)#interface ethernet 1/1
  Console(config-if)#spanning-tree tc-prop-stop
  Console(config-if)#

spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback-detection.

SYNTAX
  spanning-tree loopback-detection release interface
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
COMMAND USAGE
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
◆ Use the show spanning-tree mst command to display the spanning tree configuration for all instances within the Multiple Spanning Tree (MST), including global settings and settings for active interfaces.
◆ Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.
  Spanning-Tree Status               : Enabled
  Loopback Detection Status          : Enabled
  Loopback Detection Release Mode    : Auto
  Loopback Detection Trap            : Disabled
  Loopback Detection Action          : Shutdown, 300 seconds
  Root Guard Status                  : Disabled
  BPDU Guard Status                  : Disabled
  BPDU Guard Auto Recovery           : Disabled
  BPDU Guard Auto Recovery Interval  : 300
  BPDU Filter Status                 : Disabled
  TC Propagate Stop                  : Disabled
  . . .
36 ERPS COMMANDS

The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
CHAPTER 36 | ERPS Commands

Table 139: ERPS Commands (Continued)
  Command             Function                                                                                                                                                                                         Mode
  erps clear          Manually clears protection state which has been invoked by a Forced Switch or Manual Switch command, and the node is operating under non-revertive mode; or before the WTR or WTB timer expires when the node is operating in revertive mode   PE
  erps forced-switch  Blocks the specified ring port                                                                                                                                                                   PE
  erps manual-switch  Blocks the specified ring port, in the absence of a failure or an erps forced-switch command                                                                                                     P
7. Enable an ERPS ring: Before an ERPS ring can work, it must be enabled using the enable command. When configuration is completed and the ring enabled, R-APS messages will start flowing in the control VLAN, and normal traffic will begin to flow in the data VLANs. To stop a ring, it can be disabled on any node using the no enable command.
8.
COMMAND MODE
  Global Configuration

COMMAND USAGE
◆ Service Instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association’s name, and assigned VLAN. Up to 26 ERPS rings can be configured on the switch.
◆ R-APS information is carried in R-APS PDUs. The last octet of the MAC address is designated as the Ring ID (01-19-A7-00-00-[Ring ID]).
◆ Once the ring has been activated with the enable command, the configuration of the control VLAN cannot be modified. Use the no enable command to stop the ERPS ring before making any configuration changes to the control VLAN.
guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.

SYNTAX
  guard-timer milliseconds
  milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages. During the duration of the guard timer, all received R-APS messages are ignored by the ring protection control process, giving time for old messages still circulating on the ring to expire.
server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or a more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero. Instead, the hold-off timer will be started. When the timer expires, the switch checks whether a defect still exists.
meg-level
This command sets the Maintenance Entity Group level for a ring. Use the no form to restore the default setting.

SYNTAX
  meg-level level
  level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7)

DEFAULT SETTING
  1

COMMAND MODE
  ERPS Configuration

COMMAND USAGE
◆ This parameter is used to ensure that received R-APS PDUs are directed for this ring.
COMMAND MODE
  ERPS Configuration

COMMAND USAGE
◆ If this command is used to monitor the link status of an ERPS node with CFM continuity check messages, then the MEG level set by the meg-level command must match the authorized maintenance level of the CFM domain to which the specified MEP belongs.
◆ To ensure complete monitoring of a ring node, use the mep-monitor command to specify the CFM MEPs used to monitor both the east and west ports of the ring node.
ring ports, informing its neighbors that no request is present at this node. When another recovered node holding the link block receives this message, it compares the Node ID information with its own. If the received R-APS (NR) message has a higher priority, this unblocks its ring ports. Otherwise, the block remains unchanged.
◆ The node identifier may also be used for debugging, such as to distinguish messages when a node is connected to more than one ring.
When non-ERPS device protection is enabled on the ring, the ring ports on the RPL owner node and non-owner nodes will not be blocked when signal loss is detected by CCM loss events.
◆ When non-ERPS device protection is enabled on an RPL owner node, it will send non-standard health-check packets to poll the ring health when it enters the protection state.
A ring node that has one ring port in an SF condition and detects the SF condition cleared, continuously transmits the R-APS (NR – no request) message with its own Node ID as the priority information over both ring ports, informing that no request is present at this ring node, and initiates a guard timer. When another recovered ring node (or nodes) holding the link block receives this message, it compares the Node ID information with its own Node ID.
◆ Recovery for Forced Switching – An erps forced-switch command is removed by issuing the erps clear command to the same ring node where Forced Switch mode is in effect. The clear command removes any existing local operator commands, and triggers reversion if the ring is in revertive behavior mode. The ring node where the Forced Switch was cleared keeps the ring port blocked for the traffic channel and for the R-APS channel, due to the previous Forced Switch command.
SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
◆ Recovery for Manual Switching – An erps manual-switch command is removed by issuing the erps clear command at the same ring node where the Manual Switch is in effect.
ports, informing the ring that the RPL is blocked, and flushes its FDB.
  c. The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
raps-def-mac
This command sets the switch’s MAC address to be used as the node identifier in R-APS messages. Use the no form to use the node identifier specified in the G8032 standards.

SYNTAX
  [no] raps-def-mac

DEFAULT SETTING
  Enabled

COMMAND MODE
  ERPS Configuration

COMMAND USAGE
◆ When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”.
◆ Sub-ring with R-APS Virtual Channel – When using a virtual channel to tunnel R-APS messages between interconnection points on a sub-ring, the R-APS virtual channel may or may not follow the same path as the traffic channel over the network. R-APS messages that are forwarded over the sub-ring’s virtual channel are broadcast or multicast over the interconnected network.
Figure 425: Sub-ring without Virtual Channel / Sub-ring with Virtual Channel
  [Diagram of a Major Ring with Interconnection Nodes, Ring Nodes and the RPL Port; image not reproduced]

EXAMPLE
  Console(config-erps)#raps-without-vc
  Console(config-erps)#

ring-port
This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring.

SYNTAX
  ring-port {east | west} interface interface
  east - Connects to next ring node to the east.
◆ If a port channel (static trunk) is specified as a ring port, it cannot be destroyed before it is removed from the domain configuration.
◆ A static trunk will be treated as a signal fault if it contains no member ports or all of its member ports are in signal fault.
◆ If a static trunk is configured as a ring port prior to assigning any member ports, spanning tree will be disabled for the first member port assigned to the static trunk.
EXAMPLE
  Console(config-erps)#rpl neighbor
  Console(config-erps)#

rpl owner
This command configures a ring node to be the Ring Protection Link (RPL) owner. Use the no form to restore the default setting.

SYNTAX
  rpl owner
  no rpl

DEFAULT SETTING
  None (that is, neither owner nor neighbor)

COMMAND MODE
  ERPS Configuration

COMMAND USAGE
◆ Only one RPL owner can be configured on a ring.
COMMAND MODE
  ERPS Configuration

COMMAND USAGE
◆ In addition to the basic features provided by version 1, version 2 also supports:
  ■ Multi-ring/ladder network support
  ■ Revertive/Non-revertive recovery
  ■ Forced Switch (FS) and Manual Switch (MS) commands for manually blocking a particular ring port
  ■ Flush FDB (forwarding database) logic which reduces the amount of flush FDB operations in the ring
  ■ Support of multiple ERP instances on a single ring
◆ Version 2 is backward
COMMAND MODE
  ERPS Configuration

COMMAND USAGE
If the switch goes into ring protection state due to a signal failure, after the failure condition is cleared, the RPL owner will start the wait-to-restore timer and wait until it expires to verify that the ring has stabilized before blocking the RPL and returning to the Idle (normal operating) state.
COMMAND USAGE
◆ Two steps are required to make a ring operating in non-revertive mode return to Idle state from forced switch or manual switch state:
  1. Issue an erps clear command to remove the forced switch command on the node where a local forced switch command is active.
  2. Issue an erps clear command on the RPL owner node to trigger the reversion.
◆ The erps clear command will also stop the WTR and WTB delay timers and reset their values.
other ring nodes of the FS command and that the traffic channel is blocked on one ring port.
  c. A ring node accepting an R-APS (FS) message, without any local higher priority requests, unblocks any blocked ring port. This action subsequently unblocks the traffic channel over the RPL.
  d. The ring node accepting an R-APS (FS) message, without any local higher priority requests, stops transmission of R-APS messages.
  e. The ring node receiving an R-APS (FS) message flushes its FDB.
Table 140: ERPS Request/State Priority (Continued)
  Request / State and Status   Type     Priority
  R-APS (NR, RB)               remote   |
  R-APS (NR)                   remote   lowest
* If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored.

◆ Recovery for forced switching under revertive and non-revertive mode is described under the Command Usage section for the non-revertive command.
  b. If no other higher priority commands exist, the ring node where the manual switch command was issued transmits R-APS messages over both ring ports indicating MS. R-APS (MS) messages are continuously transmitted by this ring node while the local MS command is the ring node’s highest priority command (see Table 140 on page 1142). The R-APS (MS) message informs other ring nodes of the MS command and that the traffic channel is blocked on one ring port.
  c.
show erps
This command displays status information for all configured rings, or for a specified ring.

SYNTAX
  show erps [domain ring-name] [statistics]
  domain - Keyword to display ERPS ring configuration settings.
  ring-name - Name of a specific ERPS ring. (Range: 1-32 characters)
  statistics - Keyword to display ERPS ring statistics.

COMMAND MODE
  Privileged Exec

EXAMPLE
This example displays a summary of all the ERPS rings configured on the switch.
Table 141: show erps - summary display description (Continued)
  Field   Description
  State   Shows the following ERPS states:
          Init – The ERPS ring has started but has not yet determined the status of the ring.
          Idle – If all nodes in a ring are in this state, it means that all the links in the ring are up. This state will switch to protection state if a link failure occurs.
          Protection – If a node is in this state, it means that a link failure has occurred.
  East    Eth 1/ 3   Forwarding   No   No   No   No
  Console#

Table 141 on page 1145 describes most of the parameters shown by the show erps domain command. The following table includes the remaining parameters.

Table 142: show erps domain - detailed display description
  Field          Description
  Major Domain   Name of the ERPS major domain.
  Node ID        A MAC address unique to this ring node.
  Interface      Local SF    Local Clear SF
  ------------   ---------   --------------
  (E) Eth 1/ 3   0           0

                 SF          EVENT       NR          NR-RB       FS          MS          HEALTH
                 ---------   ---------   ---------   ---------   ---------   ---------   ---------
  Sent           0           0           62          0           0           0           0
  Received       0           0           948         0           0           0           0
  Ignored        0           0           0           0           0           0           0
  Console#

Table 143: show erps statistics - detailed display description
  Field       Description
  Interface   The direction, and port or trunk which is configured as a ring port.
37 VLAN COMMANDS

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
CHAPTER 37 | VLAN Commands

GVRP AND BRIDGE EXTENSION COMMANDS

GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.

SYNTAX
  garp timer {join | leave | leaveall} timer-value
  no garp timer {join | leave | leaveall}

  {join | leave | leaveall} - Timer to set.
  timer-value - Value of timer.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.

SYNTAX
  switchport forbidden vlan {add vlan-list | remove vlan-list}
  no switchport forbidden vlan

  add vlan-list - List of VLAN identifiers to add.
  remove vlan-list - List of VLAN identifiers to remove.
  vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
COMMAND MODE
  Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
GVRP cannot be enabled for ports set to Access mode using the switchport mode command.

EXAMPLE
  Console(config)#interface ethernet 1/1
  Console(config-if)#switchport gvrp
  Console(config-if)#

show bridge-ext
This command shows the configuration for bridge extension commands.
  port-channel channel-id (Range: 1-16)

DEFAULT SETTING
  Shows all GARP timers.

COMMAND MODE
  Normal Exec, Privileged Exec

EXAMPLE
  Console#show garp timer ethernet 1/1
  Eth 1/ 1 GARP Timer Status:
   Join Timer      : 20 centiseconds
   Leave Timer     : 60 centiseconds
   Leave All Timer : 1000 centiseconds
  Console#

RELATED COMMANDS
  garp timer (1151)

show gvrp
This command shows if GVRP is enabled.
EDITING VLAN GROUPS

Table 146: Commands for Editing VLAN Groups
  Command         Function                                                    Mode
  vlan database   Enters VLAN database mode to add, change, and delete VLANs  GC
  vlan            Configures a VLAN, including VID, name and state            VC

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.

SYNTAX
  vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan]
  no vlan vlan-id [name | state]

  vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094)
  name - Keyword to be followed by the VLAN name.
RELATED COMMANDS
  show vlan (1164)

CONFIGURING VLAN INTERFACES

Table 147: Commands for Configuring VLAN Interfaces
  Command                           Function                                               Mode
  interface vlan                    Enters interface configuration mode for a specified VLAN  IC
  switchport acceptable-frame-types Configures frame types to be accepted by an interface  IC
  switchport allowed vlan           Configures the VLANs associated with an interface      IC
  switchport forbidden vlan         Configures forbidden VLANs for an interface            IC
EXAMPLE
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
  Console(config)#interface vlan 1
  Console(config-if)#ip address 192.168.1.254 255.255.255.0
  Console(config-if)#

RELATED COMMANDS
  shutdown (1002)
  interface (996)
  vlan (1156)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.

SYNTAX
  switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
  no switchport allowed vlan

  add vlan-list - List of VLAN identifiers to add.
  remove vlan-list - List of VLAN identifiers to remove.
EXAMPLE
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
  Console(config)#interface ethernet 1/1
  Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
  Console(config-if)#

switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.

SYNTAX
  switchport mode {access | hybrid | trunk}
  no switchport mode

  access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
  hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
  trunk - Specifies a port as an end-point for a VLAN trunk.
DEFAULT SETTING
  VLAN 1

COMMAND MODE
  Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN. When using Hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member.
Figure 426: Configuring VLAN Trunking
  [Diagram of VLANs 1 and 2 carried across intermediate switches C, D and E between switches A and B; image not reproduced]

Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags. However, by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B.
DISPLAYING VLAN INFORMATION

This section describes commands used to display VLAN information.

Table 148: Commands for Displaying VLAN Information
  Command                       Function                                                           Mode
  show interfaces status vlan   Displays status for the specified VLAN interface                   NE, PE
  show interfaces switchport    Displays the administrative and operational status of an interface NE, PE
  show vlan                     Shows VLAN information                                             NE, PE

show vlan
This command shows VLAN information.
CONFIGURING IEEE 802.1Q TUNNELING

IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).

Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
◆ IGMP Snooping should not be enabled on a tunnel access port.
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.

SYNTAX
  switchport dot1q-tunnel mode {access | uplink}
  no switchport dot1q-tunnel mode

  access – Sets the port as an 802.1Q tunnel access port.
  uplink – Sets the port as an 802.1Q tunnel uplink port.
switchport dot1q-tunnel service match cvid
This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.
SYNTAX
switchport dot1q-tunnel service svid match cvid cvid
svid - VLAN ID for the outer VLAN tag (Service Provider VID). (Range: 1-4094)
cvid - VLAN ID for the inner VLAN tag (Customer VID).
The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.
Step 2. Configure Switch C.
1. Create VLAN 100, 200 and 300.
Console(config)#vlan database
Console(config-vlan)#vlan 100,200,300 media ethernet state active
2. Configure port 1 and port 2 as tagged members of VLAN 100, 200 and 300.
Console(config)#interface ethernet 1/1,2
Console(config-if)#switchport allowed vlan add 100,200,300 tagged
switchport dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port.
RELATED COMMANDS
show interfaces switchport (1008)
show dot1q-tunnel
This command displays information about QinQ tunnel ports.
SYNTAX
show dot1q-tunnel [interface interface [service svid] | service [svid]]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
svid - VLAN ID for the outer VLAN tag (SPVID).
CONFIGURING L2CP TUNNELING
This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
them across to the tunnel's egress port. The egress port decapsulates these packets, restores the proper protocol and MAC address information, and then floods them onto the same VLANs at the customer's remote site (via all of the appropriate tunnel ports and access ports connected to the same metro VLAN).
■ all uplink ports.
◆ When a Cisco-compatible L2PT packet is received on an access port, and
■ recognized as a CDP/VTP/STP/PVST+ protocol packet, and
■ other access ports for which L2PT is enabled after decapsulating the packet and restoring the proper protocol and MAC address information.
switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
CONFIGURING VLAN TRANSLATION
QinQ tunneling uses double tagging to preserve the customer's VLAN tags on traffic crossing the service provider's network.
For example, assume that the upstream switch does not support QinQ tunneling. If the command switchport vlan-translation 10 100 is used to map VLAN 10 to VLAN 100 for upstream traffic entering port 1, and VLAN 100 to VLAN 10 for downstream traffic leaving port 1, then the VLAN IDs will be swapped as shown below.
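As an added example, not code from this guide or from the switch firmware, the following Python script performs the tag operations the two features above describe: a QinQ access port pushing an S-tag whose VID is chosen by the CVLAN-to-SPVLAN map (switchport dot1q-tunnel service ... match cvid) and whose TPID is the value set on the tunnel port, the return path popping that S-tag again, and VLAN translation rewriting the outer VID in each direction (switchport vlan-translation 10 100). The sample frame, the 0x88A8 TPID and the native SPVLAN of 1 are constructed for the example; the guide does not state the switch's default TPID.

```python
import struct

TPID_8021Q = 0x8100    # customer (C-tag) TPID
TPID_8021AD = 0x88A8   # service (S-tag) TPID used here; on the switch this is what
                       # 'switchport dot1q-tunnel tpid' sets (example value, not a documented default)


def parse_tags(frame: bytes):
    """Split an Ethernet frame into (dst, src, tags, ethertype, payload).
    tags is a list of (tpid, pcp, dei, vid) tuples in outer-to-inner order."""
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break                                   # not a tag: this is the real EtherType
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, tpid, frame[off + 2:]


def build_frame(dst, src, tags, ethertype, payload):
    """Inverse of parse_tags."""
    out = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def tunnel_access_ingress(frame, svid_by_cvid, native_svid, tpid=TPID_8021AD):
    """QinQ access port, customer -> provider: push an S-tag. The SVID comes from the
    CVLAN-to-SPVLAN map; untagged frames or C-VIDs without an entry get the port's native
    SPVLAN. The customer's own tag is carried through unchanged."""
    dst, src, tags, ethertype, payload = parse_tags(frame)
    cvid = tags[0][3] if tags else None
    pcp = tags[0][1] if tags else 0                 # copy the customer priority into the S-tag
    svid = svid_by_cvid.get(cvid, native_svid)
    return build_frame(dst, src, [(tpid, pcp, 0, svid)] + tags, ethertype, payload)


def tunnel_egress_to_customer(frame):
    """Provider -> customer: pop the outer S-tag, restoring the original customer frame."""
    dst, src, tags, ethertype, payload = parse_tags(frame)
    if not tags:
        raise ValueError("expected an S-tagged frame")
    return build_frame(dst, src, tags[1:], ethertype, payload)


def vlan_translate(frame, from_vid, to_vid):
    """One direction of 'switchport vlan-translation <old> <new>': rewrite the outer VID
    only when it equals from_vid. Apply 10->100 upstream and 100->10 downstream to get the
    swap described in the text."""
    dst, src, tags, ethertype, payload = parse_tags(frame)
    if tags and tags[0][3] == from_vid:
        tpid, pcp, dei, _ = tags[0]
        tags = [(tpid, pcp, dei, to_vid)] + tags[1:]
    return build_frame(dst, src, tags, ethertype, payload)


# Constructed sample: a customer frame tagged C-VLAN 10, priority 3, with a dummy IPv4 payload.
CUSTOMER_FRAME = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"),
                             [(TPID_8021Q, 3, 0, 10)], 0x0800, bytes(20))
CVID_TO_SVID = {10: 100, 20: 200, 30: 300}          # the mapping from the example above

if __name__ == "__main__":
    tunneled = tunnel_access_ingress(CUSTOMER_FRAME, CVID_TO_SVID, native_svid=1)
    print("provider side tags:", parse_tags(tunneled)[2])
    print("back at customer  :", parse_tags(tunnel_egress_to_customer(tunneled))[2])
    up = vlan_translate(CUSTOMER_FRAME, 10, 100)
    print("translated        :", parse_tags(up)[2], "->", parse_tags(vlan_translate(up, 100, 10))[2])
```

Note that parse_tags only treats 0x8100 and 0x88A8 as tags; a frame whose S-tag carries any other TPID is parsed as untagged payload, which is why the TPID configured on the tunnel ports at both ends of the provider network must agree.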
show vlan-translation
This command displays the configuration settings for VLAN translation.
SYNTAX
show vlan-translation [interface interface]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 1156). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
2. Create a protocol group for each of the protocols you want to assign to a VLAN using the protocol-vlan protocol-group command (Global Configuration mode).
3.
protocol-vlan protocol-group (Configuring Interfaces)
This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface.
SYNTAX
protocol-vlan protocol-group group-id vlan vlan-id [priority priority]
no protocol-vlan protocol-group group-id vlan
group-id - Group identifier of this protocol group.
EXAMPLE
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 2
Console(config-if)#
show protocol-vlan protocol-group
This command shows the frame and protocol type associated with protocol groups.
DEFAULT SETTING
The mapping for all interfaces is displayed.
COMMAND MODE
Privileged Exec
EXAMPLE
This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
Port        ProtocolGroup ID    VLAN ID
----------  ------------------  ----------
Eth 1/1     1                   vlan2
Console#
CONFIGURING IP SUBNET VLANS
When using IEEE 802.
subnet-vlan
This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment.
SYNTAX
subnet-vlan subnet ip-address mask vlan vlan-id [priority priority]
no subnet-vlan subnet {ip-address mask | all}
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.
show subnet-vlan
This command displays IP Subnet VLAN assignments.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use this command to display subnet-to-VLAN mappings.
◆ The last matched entry is used if more than one entry can be matched.
EXAMPLE
The following example displays all configured IP subnet-based VLANs.
Console#show subnet-vlan
IP Address       Mask
---------------  ---------------
192.168.12.0     255.255.255.128
192.168.12.128   255.255.255.192
192.168.
mac-vlan
This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
SYNTAX
mac-vlan mac-address mac-address [mask mask-address] vlan vlan-id [priority priority]
no mac-vlan mac-address {mac-address | all}
mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
EXAMPLE
The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
Console(config)#mac-vlan mac-address 00-00-00-11-22-33 vlan 10
Console(config)#
show mac-vlan
This command displays MAC address-to-VLAN assignments.
COMMAND MODE
Privileged Exec
COMMAND USAGE
Use this command to display MAC address-to-VLAN mappings.
EXAMPLE
The following example displays all configured MAC address-based VLANs.
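The subnet-vlan and mac-vlan tables above both classify a frame by its source address, and the guide states that for subnet entries the last matching entry wins. The following Python classifier, an added example rather than anything from this guide or the switch software, shows what that rule means when subnets overlap, and applies the mac-vlan mask and unicast-only restriction. Evaluating MAC entries before subnet entries is an assumption made for this example; the guide does not state the precedence between the two tables. The configuration in demo_classifier is constructed from the examples on this page plus one overlapping /24.

```python
import ipaddress


def mac_to_int(mac: str) -> int:
    """Accept the xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx forms."""
    return int(mac.replace("-", "").replace(":", ""), 16)


class VlanClassifier:
    """Source-MAC and IP-subnet VLAN assignment.

    subnet_vlan: if several subnet entries match a source IP, the LAST matching entry is
    used (the rule stated under show subnet-vlan).
    mac_vlan: source-MAC match under a bit mask; only unicast addresses may be configured.
    ASSUMPTION: MAC entries are consulted before subnet entries (not stated by the guide)."""

    def __init__(self):
        self.mac_rules = []      # (address, mask, vlan, priority)
        self.subnet_rules = []   # (network, vlan, priority) in configuration order

    def mac_vlan(self, mac, vlan, mask="ff-ff-ff-ff-ff-ff", priority=0):
        addr = mac_to_int(mac)
        if (addr >> 40) & 0x01:              # I/G bit set: multicast or broadcast address
            raise ValueError("mac-vlan: only unicast addresses can be configured")
        self.mac_rules.append((addr, mac_to_int(mask), vlan, priority))

    def subnet_vlan(self, ip, mask, vlan, priority=0):
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        self.subnet_rules.append((net, vlan, priority))

    def classify(self, src_mac, src_ip=None):
        """Return (vlan, priority) for a frame, or None when no entry matches."""
        m = mac_to_int(src_mac)
        for addr, mask, vlan, prio in self.mac_rules:
            if m & mask == addr & mask:
                return vlan, prio
        chosen = None
        if src_ip is not None:
            ip = ipaddress.IPv4Address(src_ip)
            for net, vlan, prio in self.subnet_rules:
                if ip in net:
                    chosen = (vlan, prio)    # keep scanning: the last match wins
        return chosen


def demo_classifier():
    """Constructed configuration: the two subnets from the show subnet-vlan example, an
    overlapping /24 configured after them, the MAC entry from the mac-vlan example, and one
    OUI-wide masked entry."""
    c = VlanClassifier()
    c.subnet_vlan("192.168.12.0", "255.255.255.128", vlan=10)
    c.subnet_vlan("192.168.12.128", "255.255.255.192", vlan=20)
    c.subnet_vlan("192.168.12.0", "255.255.255.0", vlan=30)      # overlaps both; last match
    c.mac_vlan("00-00-00-11-22-33", vlan=10)
    c.mac_vlan("00-50-C2-00-00-00", vlan=40, mask="ff-ff-ff-00-00-00", priority=5)
    return c


if __name__ == "__main__":
    c = demo_classifier()
    for mac, ip in (("00-00-00-11-22-33", "10.0.0.1"), ("00-0a-0b-0c-0d-0e", "192.168.12.5")):
        print(mac, ip, "->", c.classify(mac, ip))
```

The practical consequence of last-match is that an entry added later for a broader subnet silently overrides the narrower ones already configured, so check show subnet-vlan after each change rather than assuming longest-prefix behaviour.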
Table 155: Voice VLAN Commands (Continued)
Command | Function | Mode
switchport voice vlan security | Enables Voice VLAN security on ports | IC
show voice vlan | Displays Voice VLAN settings | PE
voice vlan
This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
SYNTAX
voice vlan voice-vlan-id
no voice vlan
voice-vlan-id - Specifies the voice VLAN ID.
voice vlan aging
This command sets the Voice VLAN ID time out. Use the no form to restore the default.
SYNTAX
voice vlan aging minutes
no voice vlan
minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
DEFAULT SETTING
1440 minutes
COMMAND MODE
Global Configuration
COMMAND USAGE
The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.
voice vlan mac-address
This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.
SYNTAX
voice vlan mac-address mac-address mask mask-address [description description]
no voice vlan mac-address mac-address mask mask-address
mac-address - Defines a MAC address OUI that identifies VoIP devices in the network.
switchport voice vlan
This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
SYNTAX
switchport voice vlan {manual | auto}
no switchport voice vlan
manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
auto - The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
COMMAND MODE
Interface Configuration
COMMAND USAGE
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
EXAMPLE
The following example sets the CoS priority to 5 on port 1.
EXAMPLE
The following example enables the OUI method on port 1 for detecting VoIP traffic.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan rule oui
Console(config-if)#
switchport voice vlan security
This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show voice vlan status
Global Voice VLAN Status
Voice VLAN Status      : Enabled
Voice VLAN ID          : 1234
Voice VLAN aging time  : 1440 minutes
Voice VLAN Port Summary
Port      Mode      Security  Rule   Priority  Remaining Age (minutes)
--------  --------  --------  -----  --------  -----------------------
Eth 1/ 1  Auto      Enabled   OUI    6         100
Eth 1/ 2  Disabled  Disabled  OUI    6         NA
Eth 1/ 3  Manual    Enabled   OUI    5         100
Eth 1/ 4  Auto      Ena
38 CLASS OF SERVICE COMMANDS The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
EXAMPLE
The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3.
Console(config)#queue weight 1 2 3 4
Console(config)#
RELATED COMMANDS
queue mode (1196)
show queue weight (1199)
switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
EXAMPLE
The following example shows how to set a default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
RELATED COMMANDS
show interfaces switchport (1008)
show queue mode
This command shows the current queue mode.
PRIORITY COMMANDS (LAYER 3 AND 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
DEFAULT SETTING
Table 159: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
CoS | CFI 0 | CFI 1
0 | (0,0) | (0,0)
1 | (1,0) | (1,0)
2 | (2,0) | (2,0)
3 | (3,0) | (3,0)
4 | (4,0) | (4,0)
5 | (5,0) | (5,0)
6 | (6,0) | (6,0)
7 | (7,0) | (7,0)
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The default mapping of CoS to PHB values shown in Table 159 is based on the recommended settings in IEEE 802.
qos map dscp-mutation
This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
SYNTAX
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ... dscp7
phb - Per-hop behavior, or the priority used for this router hop.
map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
◆ The specified mapping applies to all interfaces.
EXAMPLE
This example changes the priority for all packets entering port 1 which contain a DSCP value of 1 to a per-hop behavior of 3 and a drop precedence of 1.
EXAMPLE
Console(config)#qos map phb-queue 0 from 1 2 3
Console(config)#
qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
SYNTAX
qos map trust-mode {dscp | cos}
no qos map trust-mode
dscp - Sets the QoS mapping mode to DSCP.
cos - Sets the QoS mapping mode to CoS.
show qos map cos-dscp
This command shows ingress CoS/CFI to internal DSCP map.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show qos map cos-dscp
CoS-DSCP map.(x,y),x: PHB,y: drop precedence:
CoS : CFI   0       1
--------------------------------
  0       (0,0)   (0,0)
  1       (1,0)   (1,0)
  2       (2,0)   (2,0)
  3       (3,0)   (3,0)
  4       (4,0)   (4,0)
  5       (5,0)   (5,0)
  6       (6,0)   (6,0)
  7       (7,0)   (7,0)
Console#
show qos map
This command shows the ingress DSCP to internal DSCP map.
show qos map phb-queue
This command shows internal per-hop behavior to hardware queue map.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show qos map phb-queue
PHB Queue Map:
PHB:    0  1  2  3  4  5  6  7
-------------------------------------------------------
Queue:  1  0  0  1  2  2  3  3
Console#
show qos map
This command shows the QoS mapping mode.
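The two halves of this chapter describe one pipeline: trust-mode selects whether CoS or DSCP is read, the CoS/CFI map or the dscp-mutation map yields a (PHB, drop precedence) pair, phb-queue selects one of the eight queues, and queue mode/queue weight decide how those queues are served. The Python model below, an added example and not code from this guide or the switch, puts the page's own defaults together (Table 159 and the show qos map phb-queue output) and serves the queues with strict queues drained first and the remaining queues sharing each round by bytes according to their weights, which is how the text describes the combined mode. Two things are assumptions of the example rather than documented behaviour: DSCPs absent from the mutation table fall back to phb = dscp >> 3, and the byte credit per round is weight times a 64-byte quantum.

```python
from collections import deque

# Defaults taken from this page: Table 159 (CoS/CFI -> PHB, drop precedence) and the
# 'show qos map phb-queue' output (PHB -> hardware queue).
COS_TO_PHB = {(cos, cfi): (cos, 0) for cos in range(8) for cfi in (0, 1)}
PHB_TO_QUEUE = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def classify(trust_mode, cos=0, cfi=0, dscp=0, dscp_mutation=None):
    """Ingress side: return (phb, drop_precedence, queue) for one packet.
    dscp_mutation is the 'qos map dscp-mutation' table as {dscp: (phb, dp)}.
    ASSUMPTION: a DSCP with no mutation entry maps to phb = dscp >> 3 (its class bits);
    the page does not show the full default DSCP table."""
    if trust_mode == "cos":
        phb, dp = COS_TO_PHB[(cos, cfi)]
    elif trust_mode == "dscp":
        phb, dp = (dscp_mutation or {}).get(dscp, (dscp >> 3, 0))
    else:
        raise ValueError("trust-mode is 'dscp' or 'cos'")
    return phb, dp, PHB_TO_QUEUE[phb]


class EgressScheduler:
    """Eight per-port queues. strict_queues are drained highest-first before any weighted
    queue is served (the combined strict/weighted mode); the other queues share each round
    in proportion to their 'queue weight', with a deficit counter so the share is measured
    in bytes rather than packets (quantum bytes per unit of weight is an assumption)."""

    def __init__(self, weights, strict_queues=(), quantum=64):
        assert len(weights) == 8
        self.weights = list(weights)
        self.strict = sorted(strict_queues, reverse=True)
        self.quantum = quantum
        self.queues = [deque() for _ in range(8)]
        self.credit = [0] * 8

    def enqueue(self, queue, size_bytes):
        self.queues[queue].append(size_bytes)

    def service_round(self):
        """Return the (queue, size) pairs transmitted during one scheduling round."""
        sent = []
        for q in self.strict:                        # strict priority: drain completely
            while self.queues[q]:
                sent.append((q, self.queues[q].popleft()))
        for q in range(7, -1, -1):                   # weighted queues, high to low
            if q in self.strict or not self.queues[q]:
                self.credit[q] = 0                   # idle queue keeps no credit (DRR rule)
                continue
            self.credit[q] += self.weights[q] * self.quantum
            while self.queues[q] and self.queues[q][0] <= self.credit[q]:
                size = self.queues[q].popleft()
                self.credit[q] -= size
                sent.append((q, size))
        return sent

    def backlog(self):
        return sum(len(q) for q in self.queues)


if __name__ == "__main__":
    print("CoS 5          ->", classify("cos", cos=5))
    print("DSCP 1 mutated ->", classify("dscp", dscp=1, dscp_mutation={1: (3, 1)}))
    s = EgressScheduler(weights=[1, 2, 3, 4, 1, 1, 1, 1], strict_queues=(7,))
    for q in range(4):
        for _ in range(10):
            s.enqueue(q, 64)
    s.enqueue(7, 1500)
    print("one round:", s.service_round())
```

With 'queue weight 1 2 3 4' and equal-sized packets the first round sends one packet from queue 0, two from queue 1, three from queue 2 and four from queue 3, after the strict queue has been emptied; a persistently busy strict queue therefore starves every weighted queue, which is the usual reason to keep strict scheduling for a small, policed control-plane class only.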
39 QUALITY OF SERVICE COMMANDS
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, IPv6 DSCP value, a VLAN, or a CoS value.
3.
COMMAND USAGE
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 1211). The policy map is then bound by a service policy to an interface (page 1222). A service policy defines packet classification, service tagging, and bandwidth policing.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
SYNTAX
[no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan-id}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 1-16 characters)
cos - A Class of Service value.
This example creates a class map called "rd-class#2," and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called "rd-class#3," and sets it to match packets marked for VLAN 1.
COMMAND USAGE
◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command.
◆ Create a Class Map (page 1211) before assigning it to a Policy Map.
■ set ip dscp command sets the IP DSCP value in matching packets. (This modifies packet priority in the IP header.)
■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic.
◆ Up to 16 classes can be included in a policy map.
COMMAND MODE
Policy Map Class Configuration
COMMAND USAGE
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.
◆ Policing is based on a token bucket, where bucket depth (i.e.
police srtcm-color
This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
SYNTAX
[no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
srtcm-color-blind - Single rate three color meter in color-blind mode.
◆ The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE).
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
EXAMPLE
This example creates a policy called "rd-policy," uses the class command to specify the previously defined "rd-class," uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets
violate-action - Action to take when rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, the packet is set red.)
drop - Drops packet as required by exceed-action or violate-action.
transmit - Transmits without taking any action.
new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63)
DEFAULT SETTING
None
COMMAND MODE
Policy Map Class Configuration
COMMAND USAGE
◆ You can configure up to 16 policers (i.e.
When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode:
■ If Tp(t)-B < 0, the packet is red,
■ else if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B,
■ else the packet is green and both Tp and Tc are decremented by B.
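The srTCM (RFC 2697) and trTCM (RFC 2698) meters behind the police srtcm-color and police trtcm-color commands are simple enough to model exactly, which is the best way to see what "exceeding the committed burst" means for a real packet train. The Python below is an added example, not code from this guide or the switch: both meters in color-blind mode, the trTCM following the three rules quoted above, plus a police() helper that turns each color into the conform/exceed/violate action. The burst in BURST is constructed; the rates used in the test are scaled down from the 100,000 Kbps / 4000 byte / 6000 byte example above so the arithmetic is easy to follow by hand.

```python
class SrTCM:
    """RFC 2697 single rate three color meter, color-blind mode.
    cir in bytes/second; cbs (committed burst) and ebs (excess burst) in bytes.
    Tokens arrive at CIR into bucket C; once C is full they overflow into bucket E."""

    def __init__(self, cir, cbs, ebs):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te, self.last = cbs, ebs, 0.0          # both buckets start full

    def _refill(self, now):
        tokens = (now - self.last) * self.cir
        self.last = now
        self.tc += tokens
        if self.tc > self.cbs:                               # overflow C into E
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = self.cbs

    def meter(self, now, size):
        """Return 'green', 'yellow' or 'red' for a packet of size bytes arriving at now."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


class TrTCM:
    """RFC 2698 two rate three color meter, color-blind mode, implementing the rules quoted
    above: red if Tp(t)-B < 0; else yellow and Tp -= B if Tc(t)-B < 0; else green and both
    Tp and Tc are decremented by B. Buckets C and P fill independently at CIR and PIR."""

    def __init__(self, cir, cbs, pir, pbs):
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.tc, self.tp, self.last = cbs, pbs, 0.0

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + dt * self.cir)
        self.tp = min(self.pbs, self.tp + dt * self.pir)

    def meter(self, now, size):
        self._refill(now)
        if self.tp < size:
            return "red"
        if self.tc < size:
            self.tp -= size
            return "yellow"
        self.tc -= size
        self.tp -= size
        return "green"


def police(meter, packets, exceed_action, violate_action):
    """Apply the conform/exceed/violate actions of the police commands to a packet list
    [(arrival_time, size_bytes), ...]. An action is 'drop', 'transmit' or a new DSCP (int).
    Returns [(color, action), ...] so each decision can be inspected."""
    actions = {"green": "transmit", "yellow": exceed_action, "red": violate_action}
    decisions = []
    for when, size in packets:
        color = meter.meter(when, size)
        decisions.append((color, actions[color]))
    return decisions


# Constructed burst: eleven 1000-byte packets back to back at t=0, then one more a second later.
BURST = [(0.0, 1000)] * 11 + [(1.0, 1000)]

if __name__ == "__main__":
    print("srTCM:", [c for c, _ in police(SrTCM(cir=1000, cbs=4000, ebs=6000), BURST, 10, "drop")])
    print("trTCM:", [c for c, _ in police(TrTCM(cir=1000, cbs=2000, pir=2000, pbs=3000), BURST, 10, "drop")])
```

With cbs=4000 and ebs=6000 the srTCM passes the first four packets green, remarks the next six to the exceed DSCP, and drops the eleventh; the twelfth, arriving a second later, is green again because CIR has refilled bucket C. The trTCM differs in that it measures the peak rate separately, so a stream can be within CIR on average yet still produce red packets when it arrives faster than PIR allows.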
COMMAND USAGE
◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets.
◆ The set cos and set phb command function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command.
EXAMPLE
This example creates a policy called "rd-policy," uses the class command to specify the previously defined "rd-class," uses the set ip dscp command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
EXAMPLE
This example creates a policy called "rd-policy," uses the class command to specify the previously defined "rd-class," uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
SYNTAX
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)
DEFAULT SETTING
Displays all class maps.
EXAMPLE
Console#show policy-map
Policy Map rd-policy
 Description:
 class rd-class
  set PHB 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
 class rd-class
  set PHB 3
Console#
show policy-map interface
This command displays the service policy assigned to the specified interface.
SYNTAX
show policy-map interface interface input
interface
unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
40 MULTICAST FILTERING COMMANDS This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP SNOOPING
This section describes commands used to configure IGMP snooping on the switch.
Table 164: IGMP Snooping Commands (Continued)
Command | Function | Mode
ip igmp snooping vlan static | Adds an interface as a member of a multicast group | GC
ip igmp snooping vlan version | Configures the IGMP version for snooping | GC
ip igmp snooping vlan version-exclusive | Discards received IGMP messages which use a version different to that currently configured | GC
clear ip igmp snooping groups dynamic | Clears multicast group information dynamicall
ip igmp snooping priority
This command assigns a priority to all multicast traffic. Use the no form to restore the default setting.
SYNTAX
ip igmp snooping priority priority
no ip igmp snooping priority
priority - The CoS priority assigned to all multicast traffic.
COMMAND USAGE
◆ When proxy reporting is enabled with this command, the switch performs "IGMP Snooping with Proxy Reporting" (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
COMMAND MODE
Global Configuration
COMMAND USAGE
As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DoS attacks. One common method of attack is launched by an intruder who takes over the role of querier, and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with a large source list and the Maximum Response Time set to a large value.
ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
SYNTAX
[no] ip igmp snooping tcn-flood
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date.
EXAMPLE
The following example enables TCN flooding.
Console(config)#ip igmp snooping tcn-flood
Console(config)#
ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
COMMAND MODE
Global Configuration
COMMAND USAGE
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
DEFAULT SETTING
Global: Disabled
VLAN: Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
◆ When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command).
ip igmp snooping vlan immediate-leave
This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
COMMAND USAGE
◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer. If no reports are received before the timer expires, the group record is deleted, and a report is sent to the upstream multicast router.
messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.
◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
EXAMPLE
This example disables sending of multicast router solicitation messages on VLAN 1.
Rules Used for Proxy Reporting
When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
◆ This command applies when the switch is serving as the querier (page 1229), or as a proxy host when IGMP snooping proxy reporting is enabled (page 1228).
EXAMPLE
Console(config)#ip igmp snooping vlan 1 query-interval 150
Console(config)#
ip igmp snooping vlan
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
SYNTAX
[no] ip igmp snooping vlan vlan-id static ip-address interface
vlan-id - VLAN ID (Range: 1-4094)
ip-address - IP address for multicast group
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
EXAMPLE
Console#clear ip igmp snooping groups dynamic
Console#
clear ip igmp snooping statistics
This command clears IGMP snooping statistics.
SYNTAX
clear ip igmp snooping statistics [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
EXAMPLE
The following shows the current IGMP snooping configuration:
Console#show ip igmp snooping
IGMP Snooping
Router Port Expire Time
Router Alert Check
Router Port Mode
TCN Flood
TCN Query Solicit
Unregistered Data Flood
802.
sort-by-port - Display entries sorted by port.
user - Display only the user-configured multicast entries.
vlan-id - VLAN ID (1-4094)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
Member types displayed include IGMP or USER, depending on selected options.
EXAMPLE
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
EXAMPLE
The following shows the ports in VLAN 1 which are attached to multicast routers.
Console#show ip igmp snooping mrouter vlan 1
VLAN  M'cast Router Ports   Type     Expire
----  -------------------   -------  -------
1     Eth 1/4               Dynamic  0:4:28
1     Eth 1/10              Static
Console#
show ip igmp snooping statistics
This command shows IGMP snooping protocol statistics for the specified interface.
Table 165: show ip igmp snooping statistics input - display description
Field | Description
Interface | Shows interface.
Report | The number of IGMP membership reports received on this interface.
Leave | The number of leave messages received on this interface.
G Query | The number of general query messages received on this interface.
G(-S)-S Query | The number of group specific or group-and-source specific query messages received on this interface.
The following shows IGMP query-related statistics for VLAN 1:
Console#show ip igmp snooping statistics query vlan 1
Other Querier           : 192.168.0.1
Other Querier Expire    : 0(m):30(s)
Other Querier Uptime    : 0(h):55(m):0(s)
Self Querier            : 192.168.0.4
Self Querier Expire     : 0(m):0(s)
Self Querier Uptime     : 0(h):0(m):0(s)
General Query Received  : 10
General Query Sent      : 0
Specific Query Received : 2
Specific Query Sent     : 1
Warn Rate Limit         : 0 sec.
STATIC MULTICAST ROUTING
This section describes commands used to configure static multicast routing on the switch.

Table 168: Static Multicast Interface Commands
  Command                        Function                      Mode
  ip igmp snooping vlan mrouter  Adds a multicast router port  GC
  show ip igmp snooping mrouter  Shows multicast router ports  PE

ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN.
EXAMPLE
The following shows how to configure port 10 as a multicast router port within VLAN 1.
  Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10
  Console(config)#

IGMP FILTERING AND THROTTLING
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan.
ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
SYNTAX
  [no] ip igmp filter
DEFAULT SETTING
  Disabled
COMMAND MODE
  Global Configuration
COMMAND USAGE
◆ IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
COMMAND USAGE
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode, either permit or deny.
EXAMPLE
  Console(config)#ip igmp profile 19
  Console(config-igmp-profile)#

permit, deny
This command sets the access mode for an IGMP filter profile.
DEFAULT SETTING
  None
COMMAND MODE
  IGMP Profile Configuration
COMMAND USAGE
Enter this command multiple times to specify more than one multicast address or address range for a profile.
EXAMPLE
  Console(config)#ip igmp profile 19
  Console(config-igmp-profile)#range 239.1.1.1
  Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
  Console(config-igmp-profile)#

ip igmp authentication
This command enables IGMP authentication on the specified interface.
◆ If the port leaves the group and subsequently rejoins the same group, the join report needs to be authenticated again.
◆ When receiving an IGMP v3 report message, the switch will send the access request to the RADIUS server only when the record type is either IS_EX or TO_EX and the source list is empty. Other types of packets will not initiate RADIUS authentication.
ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
SYNTAX
  [no] ip igmp filter profile-number
  profile-number - An IGMP filter profile number.
reached on a port, the switch can take one of two actions, either "deny" or "replace." If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
◆ IGMP throttling can also be set on a trunk interface.
ip igmp query-drop
This command drops any received IGMP query packets. Use the no form to restore the default setting.
SYNTAX
  [no] ip igmp query-drop [vlan vlan-id]
  vlan-id - A VLAN identification number. (Range: 1-4094)
DEFAULT SETTING
  Disabled
COMMAND MODE
  Interface Configuration (Ethernet)
COMMAND USAGE
This command can be used to drop any query packets received on the specified interface.
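The query statistics shown earlier (Other Querier, Self Querier, query counters) are what an operator reads to notice that a host on an access VLAN has taken over the querier role; the following is an added example, not Edgecore code, that parses that output and flags an elected querier that is not one of the addresses you expect, the condition that ip igmp query-drop on access ports is meant to prevent. Function names are invented here, and the sample output is constructed from the page's own values.

```python
"""Parser and sanity check for 'show ip igmp snooping statistics query' output.
Added example, not Edgecore code: parse_query_stats, parse_duration and
check_querier are invented names; SAMPLE_OUTPUT is constructed from the values
shown on the page (queriers 192.168.0.1 and 192.168.0.4).
"""
import re
from typing import Dict, List

# Constructed sample; field names and values follow the page's example output.
SAMPLE_OUTPUT = """\
Other Querier           : 192.168.0.1
Other Querier Expire    : 0(m):30(s)
Other Querier Uptime    : 0(h):55(m):0(s)
Self Querier            : 192.168.0.4
Self Querier Expire     : 0(m):0(s)
Self Querier Uptime     : 0(h):0(m):0(s)
General Query Received  : 10
General Query Sent      : 0
Specific Query Received : 2
Specific Query Sent     : 1
Warn Rate Limit         : 0 sec.
"""

# "Field : value"; the value may itself contain ':' (e.g. 0(m):30(s)),
# so the field name is matched non-greedily up to the first " : ".
_FIELD = re.compile(r"^\s*(.+?)\s+:\s*(.*?)\s*$")
_UNIT = re.compile(r"(\d+)\(([hms])\)")
_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_query_stats(text: str) -> Dict[str, str]:
    """Turn the 'Field : value' lines of the show output into a dict."""
    stats: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            stats[m.group(1)] = m.group(2)
    return stats


def parse_duration(value: str) -> int:
    """Convert the switch's '0(h):55(m):0(s)' / '0(m):30(s)' form to seconds."""
    return sum(int(n) * _SECONDS[u] for n, u in _UNIT.findall(value))


def check_querier(stats: Dict[str, str], expected: List[str]) -> List[str]:
    """Return findings for an elected querier that is not in 'expected'.

    The switch defers to another querier it hears on the VLAN, so an
    unexpected 'Other Querier' means some other device is sending general
    queries.  'None' is what the switch prints when no other querier exists.
    """
    findings: List[str] = []
    other = stats.get("Other Querier", "")
    if other and other != "None" and other not in expected:
        uptime = parse_duration(stats.get("Other Querier Uptime", ""))
        received = stats.get("General Query Received", "?")
        findings.append(
            "unexpected querier %s active for %d s, %s general queries received"
            % (other, uptime, received))
    return findings


if __name__ == "__main__":
    # The page's sample with only the switch itself (192.168.0.4) expected.
    for finding in check_querier(parse_query_stats(SAMPLE_OUTPUT), ["192.168.0.4"]):
        print(finding)
```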
show ip igmp authentication
This command displays the interface settings for IGMP authentication.
SYNTAX
  show ip igmp authentication interface [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
COMMAND MODE
  Privileged Exec
EXAMPLE
  Console#show ip igmp filter
  IGMP filter enabled
  Console#show ip igmp filter interface ethernet 1/1
  Ethernet 1/1 information
  --------------------------------
  IGMP Profile 19
      Deny
      Range 239.1.1.1 239.1.1.1
      Range 239.2.3.1 239.2.3.100
  Console#

show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
SYNTAX
  show ip igmp throttle interface [interface]
  interface
    ethernet unit/port
      unit - Stack unit. (Range: 1)
      port - Port number. (Range: 1-28/52)
    port-channel channel-id (Range: 1-16)
DEFAULT SETTING
  None
COMMAND MODE
  Privileged Exec
COMMAND USAGE
Using this command without specifying an interface displays all interfaces.
COMMAND USAGE
Using this command without specifying an interface displays information for all interfaces.
EXAMPLE
  Console#show ip igmp throttle interface ethernet 1/1
  Eth 1/1 Information
   Status                   : TRUE
   Action                   : Deny
   Max Multicast Groups     : 32
   Current Multicast Groups : 0
  Console#

show ip multicast-data-drop
This command shows if the specified interface is configured to drop multicast data packets.
MLD SNOOPING
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.
Table 171: MLD Snooping Commands (Continued)
  Command                                   Function                                                   Mode
  show ipv6 mld snooping                    Displays MLD Snooping configuration                        PE
  show ipv6 mld snooping group              Displays the learned groups                                PE
  show ipv6 mld snooping group source-list  Displays the learned groups and corresponding source list  PE
  show ipv6 mld snooping mrouter            Displays the information of multicast router ports         PE

ipv6 mld snooping
This command enables MLD Snooping globally on t
◆ An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses its own IPv6 address as the query source address.
◆ The querier will not start, or will disable itself after having started, if it detects an IPv6 multicast router on the network.
ipv6 mld snooping query-max-response-time
This command configures the maximum response time advertised in MLD general queries. Use the no form to restore the default.
SYNTAX
  ipv6 mld snooping query-max-response-time seconds
  no ipv6 mld snooping query-max-response-time
  seconds - The maximum response time allowed for MLD general queries.
EXAMPLE
  Console(config)#ipv6 mld snooping robustness 2
  Console(config)#

ipv6 mld snooping router-port-expire-time
This command configures the MLD query timeout. Use the no form to restore the default.
SYNTAX
  ipv6 mld snooping router-port-expire-time time
  no ipv6 mld snooping router-port-expire-time
  time - Specifies the timeout of a dynamically learned router port.
COMMAND MODE
  Global Configuration
COMMAND USAGE
◆ When set to "flood," any received IPv6 multicast packets that have not been requested by a host are flooded to all ports in the VLAN.
◆ When set to "router-port," any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router.
COMMAND MODE
  Global Configuration
COMMAND USAGE
◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface.
EXAMPLE
The following shows how to configure port 1 as a multicast router port within VLAN 1:
  Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1
  Console(config)#

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
SYNTAX
  [no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
  vlan-id - VLAN ID (Range: 1-4094)
  ipv6-address - An IPv6 address of a multicast group.
COMMAND USAGE
This command only clears entries learned through MLD snooping. Statically configured multicast addresses are not cleared.
EXAMPLE
  Console#clear ipv6 mld snooping groups dynamic
  Console#

clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.
SYNTAX
  clear ipv6 mld snooping statistics [interface interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
   Router Port Expiry Time : 300 sec
   Immediate Leave         : Disabled on all VLAN
   Unknown Flood Behavior  : To Router Port
   MLD Snooping Version    : Version 2
  Console#

show ipv6 mld snooping group
This command shows known multicast groups, member ports, and the means by which each group was learned.
  Request List : ::01:02:03:04, ::01:02:03:05, ::01:02:03:06, ::01:02:03:07
  Exclude List : ::02:02:03:04, ::02:02:03:05, ::02:02:03:06, ::02:02:03:07
  (if include filter mode)
  Include List : ::02:02:03:04, ::02:02:03:05, ::02:02:03:06, ::02:02:03:06
  Option: Filter Mode: Include, Exclude
  Console#

show ipv6 mld snooping mrouter
This command shows MLD Snooping multicast router information.
Table 172: IGMP Filtering and Throttling Commands (Continued)
  Command                                    Function                                             Mode
  ipv6 mld filter (Interface Configuration)  Assigns an MLD filter profile to an interface        IC
  ipv6 mld max-groups                        Specifies an MLD throttling number for an interface  IC
  ipv6 mld max-groups action                 Sets the MLD throttling action for an interface      IC
  ipv6 mld query-drop                        Drops any received MLD query packets                 IC
  ipv6 multicast-data-drop                   Enable mult
RELATED COMMANDS
  show ipv6 mld filter

ipv6 mld profile
This command creates an MLD filter profile number and enters MLD profile configuration mode. Use the no form to delete a profile number.
SYNTAX
  [no] ipv6 mld profile profile-number
  profile-number - An MLD filter profile number.
◆ When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, MLD join reports are only processed when a multicast group is not in the controlled range.
EXAMPLE
  Console(config)#ipv6 mld profile 19
  Console(config-mld-profile)#permit
  Console(config-mld-profile)#

range
This command specifies multicast group addresses for a profile.
DEFAULT SETTING
  None
COMMAND MODE
  Interface Configuration
COMMAND USAGE
◆ The MLD filtering profile must first be created with the ipv6 mld profile command before it can be assigned to an interface.
◆ Only one profile can be assigned to an interface.
◆ A profile can also be assigned to a trunk interface.
◆ If the maximum number of MLD groups is set to the default value, the running status of MLD throttling will change to false. This means that any configuration for MLD throttling will have no effect until the maximum number of MLD groups is configured to another value.
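The IGMP and MLD filter profiles (one access mode, one or more ranges), the per-port max-groups limit and its deny/replace action described above combine into one decision per join report; the following is an added example, not Edgecore code, that models that decision for both IPv4 and IPv6 groups. Class and function names are invented here; profile 19 and its ranges mirror the page's examples, and the throttle limit of two groups is chosen only to make the replace and deny cases visible.

```python
"""Decision model for IGMP/MLD filter profiles and throttling.
Added example, not Edgecore code: FilterProfile, Port, handle_join and
demo_port are invented names; profile 19 and its ranges follow the page.
"""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class FilterProfile:
    """One filter profile: a single access mode plus one or more group ranges."""
    number: int
    mode: str = "deny"                       # "permit" or "deny", one per profile
    ranges: List[Tuple[Addr, Addr]] = field(default_factory=list)

    def add_range(self, start: str, end: Optional[str] = None) -> None:
        # "range A" is stored as A..A, matching the "Range 239.1.1.1 239.1.1.1"
        # line that show ip igmp filter prints for a single address.
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end) if end else lo
        if hi.version != lo.version or hi < lo:
            raise ValueError("invalid range %s %s" % (start, end))
        self.ranges.append((lo, hi))

    def covers(self, group: Addr) -> bool:
        # Only ranges of the same IP version can contain the group.
        return any(lo.version == group.version and lo <= group <= hi
                   for lo, hi in self.ranges)

    def permits_join(self, group: Addr) -> bool:
        # permit mode: process the join only when the group is inside a range;
        # deny mode: process it only when the group is outside every range.
        inside = self.covers(group)
        return inside if self.mode == "permit" else not inside


@dataclass
class Port:
    """Per-interface state: assigned profile, max-groups limit, action, members."""
    name: str
    profile: Optional[FilterProfile] = None
    max_groups: Optional[int] = None        # None = default, throttling not running
    action: str = "deny"                    # "deny" or "replace"
    groups: List[Addr] = field(default_factory=list)

    def throttle_running(self) -> bool:
        # Leaving max-groups at its default turns the running status to FALSE.
        return self.max_groups is not None


def handle_join(port: Port, group: str,
                rng: Optional[random.Random] = None) -> str:
    """Apply the profile check, then the throttle check, to one join report.

    Returns a short verdict so a caller (or a log line) can see why the join
    was accepted or dropped.
    """
    g = ipaddress.ip_address(group)
    if port.profile is not None and not port.profile.permits_join(g):
        return "filter-drop"
    if g in port.groups:
        return "already-member"
    if port.throttle_running() and len(port.groups) >= port.max_groups:
        if port.action == "deny":
            return "throttle-drop"
        # replace: the switch randomly evicts an existing group for the new one
        victim = (rng or random.Random()).choice(port.groups)
        port.groups.remove(victim)
        port.groups.append(g)
        return "replaced:%s" % victim
    port.groups.append(g)
    return "joined"


def demo_port() -> Port:
    """The page's profile 19 (deny; 239.1.1.1 and 239.2.3.1-239.2.3.100) on a
    port that also throttles at two groups with the deny action."""
    profile = FilterProfile(19, "deny")
    profile.add_range("239.1.1.1")
    profile.add_range("239.2.3.1", "239.2.3.100")
    return Port("Eth 1/1", profile=profile, max_groups=2, action="deny")


if __name__ == "__main__":
    port = demo_port()
    for grp in ("239.2.3.50", "239.5.5.5", "239.5.5.6", "239.5.5.7"):
        print(grp, "->", handle_join(port, grp))
```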
COMMAND MODE
  Interface Configuration (Ethernet)
COMMAND USAGE
This command can be used to drop any query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier.
COMMAND MODE
  Privileged Exec
EXAMPLE
  Console#show ipv6 mld filter
  MLD filter Enabled
  Console#show ipv6 mld filter interface ethernet 1/3
  Ethernet 1/3 information
  --------------------------------
  MLD Profile 19
      Deny
      Range ff05::101 ff05::103
  Console#

show ipv6 mld profile
This command displays MLD filtering profiles created on the switch.
show ipv6 mld query-drop
This command shows if the specified interface is configured to drop MLD query packets.
SYNTAX
  show ipv6 mld throttle interface [interface]
  interface
    ethernet unit/port
      unit - Stack unit. (Range: 1)
      port - Port number. (Range: 1-28/52)
    port-channel channel-id (Range: 1-16)
DEFAULT SETTING
  None
COMMAND MODE
  Privileged Exec
COMMAND USAGE
Using this command without specifying an interface displays all interfaces.
COMMAND USAGE
Using this command without specifying an interface displays information for all interfaces.
EXAMPLE
  Console#show ipv6 mld throttle interface ethernet 1/3
  Eth 1/3 Information
   Status                   : TRUE
   Action                   : Replace
   Max Multicast Groups     : 10
   Current Multicast Groups : 0
  Console#

MVR FOR IPV4
This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR).
Table 173: Multicast VLAN Registration for IPv4 Commands (Continued)
  Command                   Function                                                            Mode
  mvr immediate-leave       Enables immediate leave capability                                  IC
  mvr type                  Configures an interface as an MVR receiver or source port           IC
  mvr vlan group            Statically binds a multicast group to a port                        IC
  clear mrv groups dynamic  Clears multicast group information dynamically learned through MVR  PE
  clear mrv statistics      Clears MRV statistics                                               PE
  show mvr                  Shows
mvr associated-profile
This command binds the MVR group addresses specified in a profile to an MVR domain. Use the no form of this command to remove the binding.
SYNTAX
  [no] mvr domain domain-id associated-profile profile-name
  domain-id - An independent multicast domain. (Range: 1-5)
  profile-name - The name of a profile containing one or more MVR group addresses.
EXAMPLE
The following example enables MVR for domain 1:
  Console(config)#mvr domain 1
  Console(config)#

mvr priority
This command assigns a priority to all multicast traffic in the MVR VLAN. Use the no form of this command to restore the default setting.
SYNTAX
  mvr priority priority
  no mvr priority
  priority - The CoS priority assigned to all multicast traffic forwarded into the MVR VLAN.
DEFAULT SETTING
  No profiles are defined
COMMAND MODE
  Global Configuration
COMMAND USAGE
◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams.
EXAMPLE
This example sets the proxy query interval for MVR proxy switching.
  Console(config)#mvr proxy-query-interval 250
  Console(config)#

mvr proxy-switching
This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
EXAMPLE
The following example enables MVR proxy switching.
  Console(config)#mvr proxy-switching
  Console(config)#
RELATED COMMANDS
  mvr robustness-value (1287)

mvr robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.
mvr source-port-mode dynamic
This command configures the switch to only forward multicast streams which the source port has dynamically joined. Use the no form to restore the default setting.
SYNTAX
  [no] mvr source-port-mode dynamic
DEFAULT SETTING
  Forwards all multicast streams which have been specified in a profile and bound to a domain.
COMMAND MODE
  Global Configuration
EXAMPLE
  Console(config)#mvr domain 1 upstream-source-ip 192.168.0.3
  Console(config)#

mvr vlan
This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN.
SYNTAX
  mvr [domain domain-id] vlan vlan-id
  no mvr [domain domain-id] vlan
  domain-id - An independent multicast domain.
mvr immediate-leave
This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings.
SYNTAX
  [no] mvr [domain domain-id] immediate-leave [by-host-ip]
  domain-id - An independent multicast domain. (Range: 1-5)
  by-host-ip - Specifies that the member port will be deleted only when there are no hosts joining this group.
mvr type
This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings.
SYNTAX
  [no] mvr [domain domain-id] type {receiver | source}
  domain-id - An independent multicast domain. (Range: 1-5)
  receiver - Configures the interface as a subscriber port that can receive multicast data.
mvr vlan group
This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
SYNTAX
  [no] mvr [domain domain-id] vlan vlan-id group ip-address
  domain-id - An independent multicast domain. (Range: 1-5)
  vlan-id - Receiver VLAN to which the specified multicast traffic is flooded.
clear mrv groups dynamic
This command clears multicast group information dynamically learned through MRV.
SYNTAX
  clear mrv groups dynamic
COMMAND MODE
  Privileged Exec
COMMAND USAGE
This command only clears entries learned through MRV. Statically configured multicast addresses are not cleared.
EXAMPLE
  Console#clear mrv groups dynamic
  Console#

clear mrv statistics
This command clears MRV statistics.
DEFAULT SETTING
  Displays configuration settings for all MVR domains.
COMMAND MODE
  Privileged Exec
EXAMPLE
The following shows the MVR settings:
  Console#show mvr
  MVR 802.1p Forwarding Priority : Disabled
  MVR Proxy Switching            : Enabled
  MVR Robustness Value           : 1
  MVR Proxy Query Interval       : 125(sec.
  MVR Source Port Mode           :
  MVR Domain                     :
  MVR Config Status              :
  MVR Running Status             :
  MVR Multicast VLAN             :
  MVR Current Learned Groups     :
  MVR Upstream Source IP         :
  . . .
show mvr associated-profile
This command shows the profiles bound to the specified domain.
SYNTAX
  show mvr [domain domain-id] associated-profile
  domain-id - An independent multicast domain. (Range: 1-5)
DEFAULT SETTING
  Displays profiles bound to all MVR domains.
COMMAND MODE
  Privileged Exec
EXAMPLE
The following displays the profiles bound to domain 1:
  Console#show mvr domain 1 associated-profile
  Domain ID : 1
  MVR Profile Name     Start IP Addr.   End IP Addr.
  Eth 1/ 1  Receiver  Active/Forwarding  Disabled  225.0.0.1(VLAN1)
  Eth 1/ 4  Receiver  Active/Discarding  Disabled  225.0.0.9(VLAN3)
  Console#

Table 175: show mvr interface - display description
  Field       Description
  MVR Domain  An independent multicast domain.
  Port        Shows interfaces attached to the MVR.
  Type        Shows the MVR port type.
  Status      Shows the MVR status and interface status.
DEFAULT SETTING
  Displays configuration settings for all domains and all forwarding entries.
COMMAND MODE
  Privileged Exec
EXAMPLE
The following shows information about the number of multicast forwarding entries currently active in domain 1:
  Console#show mvr domain 1 members
  MVR Domain : 1
  MVR Forwarding Entry Count :1
  Flag: S - Source port, R - Receiver port.
        H - Host counts (number of hosts joined to group on this port).
Table 176: show mvr members - display description (Continued)
  Field   Description
  Expire  The time until this entry expires.
  Count   The number of times this address has been learned by IGMP snooping.

show mvr profile
This command shows all configured MVR profiles.
COMMAND MODE
  Privileged Exec
EXAMPLE
The following shows all configured MVR profiles:
  Console#show mvr profile
  MVR Profile Name     Start IP Addr.   End IP Addr.
COMMAND MODE
  Privileged Exec
EXAMPLE
The following shows MVR protocol-related statistics received:
  Console#show mvr domain 1 statistics input
  MVR Domain : 1 , MVR VLAN: 2
  Input Statistics:
  Interface  Report    Leave     G Query   G(-S)-S Query  Drop      Join Succ  Group
  ---------  --------  --------  --------  -------------  --------  ---------  -----
  Eth 1/ 1   23        11        4         10             5         20         9
  Eth 1/ 2   12        15        8         3              5         19         4
  DVLAN 1    2         0         0         2              2         20         9
  MVLAN 1    2         0         0         2              2         20         9
  Console#

Table 177: show m
Table 178: show mvr statistics output - display description
  Field          Description
  Interface      Shows interfaces attached to the MVR.
  Report         The number of IGMP membership reports sent from this interface.
  Leave          The number of leave messages sent from this interface.
  G Query        The number of general query messages sent from this interface.
  G(-S)-S Query  The number of group specific or group-and-source specific query messages sent from this interface.
The following shows MVR summary statistics for an interface:
  Console#show mvr domain 1 statistics summary interface ethernet 1/1
  Domain 1:
  Number of Groups: 0
  Querier:                        Report & Leave:
    Transmit :                      Transmit :
      General        : 0              Report : 7
      Group Specific : 0              Leave  : 4
    Recieved :                      Recieved :
      General        : 0              Report : 0
      Group Specific : 0              Leave  : 0
    V1 Warning Count: 0             Join Success    : 0
    V2 Warning Count: 0             Filter Drop     : 0
    V3 Warning Count: 0             Source Port Drop: 0
  Others
The following shows MVR summary statistics for the MVR VLAN:
  Console#show mvr domain 1 statistics summary interface mvr-vlan
  Domain 1:
  Number of Groups: 0
  Querier:                        Report & Leave:
    Other Querier : None
    Host IP Addr  : 192.168.0.
Table 181: show mvr statistics summary interface mvr vlan - description
  Field         Description
  Transmit      Field header
    Report      Number of reports sent out from source port.
    Leave       Number of leaves sent out from source port.
  Received      Field header
    Report      Number of reports received.
    Leave       Number of leaves received.
  Join Success  Number of join reports processed successfully.
  Filter Drop   Number of report/leave messages dropped by IGMP filter.
Table 182: Multicast VLAN Registration for IPv6 Commands (Continued)
  Command                    Function                                                     Mode
  mvr6 vlan                  Specifies the VLAN through which MVR multicast data is received  GC
  mvr6 immediate-leave       Enables immediate leave capability                           IC
  mvr6 type                  Configures an interface as an MVR receiver or source port    IC
  mvr6 vlan group            Statically binds a multicast group to a port                 IC
  clear mvr6 groups dynamic  Clears multicast group information dynamically lear
EXAMPLE
The following binds an MVR6 group address profile to domain 1:
  Console(config)#mvr6 domain 1 associated-profile rd
  Console(config)#

mvr6 domain
This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.
SYNTAX
  [no] mvr6 domain domain-id
  domain-id - An independent multicast domain.
COMMAND USAGE
This command can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
EXAMPLE
  Console(config)#mvr6 priority 6
  Console(config)#
RELATED COMMANDS
  show mvr6

mvr6 profile
This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.
◆ The MVR6 group address range assigned to a profile cannot overlap with the group address range of any other profile.
EXAMPLE
The following example maps a range of MVR6 group addresses to a profile:
  Console(config)#mvr6 profile rd ff01:0:0:0:0:0:0:fe ff01:0:0:0:0:0:0:ff
  Console(config)#

mvr6 proxy-query-interval
This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting.
COMMAND MODE
  Global Configuration
COMMAND USAGE
◆ When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface, and the MVR receiver port serves as the querier. The source port performs only the host portion of MVR by sending summarized membership reports, and automatically disables MVR router functions.
◆ Receiver ports are known as downstream or router interfaces.
mvr6 robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.
SYNTAX
  mvr6 robustness-value value
  no mvr6 robustness-value
  value - The robustness used for all interfaces.
streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address.
◆ When the mvr6 source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined. In other words, both the receiver port and source port must subscribe to a multicast group before a multicast stream is forwarded to any attached client.
mvr6 vlan
This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN.
SYNTAX
  mvr6 domain domain-id vlan vlan-id
  no mvr6 domain domain-id vlan
  domain-id - An independent multicast domain. (Range: 1-5)
  vlan-id - Specifies the VLAN through which MVR multicast data is received. This is also the VLAN to which all source ports must be assigned.
COMMAND USAGE
◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
COMMAND MODE
  Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ A port configured as an MVR6 receiver or source port can join or leave multicast groups configured under MVR6. A port which is not configured as an MVR receiver or source port can use MLD snooping to join or leave multicast groups using the standard rules for multicast filtering (see "MLD Snooping" on page 1262).
  group - Defines a multicast service sent to the selected port.
  ip-address - Statically configures an interface to receive multicast traffic from the IPv6 address specified for an MVR multicast group. This parameter must be a full IPv6 address including the network prefix and host address bits.
DEFAULT SETTING
  No receiver port is a member of any configured multicast group.
EXAMPLE
  Console#clear mvr6 groups dynamic
  Console#

clear mvr6 statistics
Use this command to clear the MVR6 statistics.
SYNTAX
  clear mvr6 statistics [interface {ethernet unit/port | port-channel channel-id | vlan vlan-id}]
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
EXAMPLE
The following shows the MVR6 settings:
  Console#show mvr6
  MVR6 802.1p Forwarding Priority : Disabled
  MVR6 Proxy Switching            : Enabled
  MVR6 Robustness Value           : 2
  MVR6 Proxy Query Interval       : 125(sec.
  MVR6 Source Port Mode           :
  Domain                          :
  MVR6 Config Status              :
  MVR6 Running Status             :
  MVR6 Multicast VLAN             :
  MVR6 Current Learned Groups     :
  MVR6 Upstream Source IP         :
  Console#
COMMAND MODE
  Privileged Exec
EXAMPLE
The following displays the profiles bound to domain 1:
  Console#show mvr6 domain 1 associated-profile
  Domain ID : 1
  MVR Profile Name      Start IPv6 Addr.           End IPv6 Addr.
  --------------------  -------------------------  -------------------------
  rd                    ff01::fe                   ff01::ff
  Console#

show mvr6 interface
This command shows MVR configuration settings for interfaces attached to the MVR VLAN.
Table 184: show mvr6 interface - display description (Continued)
  Field                 Description
  Immediate             Shows if immediate leave is enabled or disabled.
  Static Group Address  Shows any static MVR group assigned to an interface, and the receiver VLAN.

show mvr6 members
This command shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address.
The following example shows detailed information about a specific multicast address:
  Console#show mvr6 domain 1 members ff00::1
  MVR6 Domain : 1
  MVR6 Forwarding Entry Count :1
  Flag: S - Source port, R - Receiver port.
        H - Host counts (number of hosts joined to the group on this port).
        P - Port counts (number of forwarding ports).
  Up time: Group elapsed time (d:h:m:s).
  Expire : Group remaining time (m:s).
show mvr6 statistics
This command shows MVR protocol-related statistics for the specified interface.
SYNTAX
  show mvr6 statistics {input | output} [interface interface]
  show mvr6 domain domain-id statistics {input [interface interface] | output [interface interface] | query}
  domain-id - An independent multicast domain. (Range: 1-5)
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
Table 186: show mvr6 statistics input - display description (Continued)
Field      Description
Drop       The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received
Join Succ  The number of times a multicast group was successfully joined.
Group      The number of MVR groups active on this interface.
Table 188: show mvr6 statistics query - display description
Field                      Description
Other Querier Address      The IPv6 address of the querier on this interface.
Other Querier Uptime       Other querier’s time up.
Other Querier Expire Time  The time after which this querier is assumed to have expired.
Self Querier Address       This querier’s IPv6 address.
Self Querier Uptime        This querier’s time up.
Self Querier Expire Time   This querier’s expire time.
41 LLDP COMMANDS Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic advertisements to announce information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
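The TLV encoding described above, as an added example that is not part of this guide or of the switch software: a small Python encoder/decoder for an LLDPDU that pulls out the fields a neighbor (or anyone listening on the link) learns from a single advertisement. The sample LLDPDU is constructed in the block; the chassis MAC B4-0E-DC-34-96-08 and system description ECS4110-52P follow the show lldp info local-device output later in this chapter, while the port name Eth 1/1, the system name switch-a, the TTL of 120 and the management address 192.168.0.1 are assumed values, not taken from the guide.

```python
"""Encode and decode an LLDPDU (IEEE 802.1AB TLVs). Added example; not from the guide."""
import struct
from ipaddress import IPv4Address

# TLV type numbers defined in IEEE 802.1AB-2009, clause 8.
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port Description", 5: "System Name", 6: "System Description",
    7: "System Capabilities", 8: "Management Address", 127: "Organizationally Specific",
}
# Bit positions in the System Capabilities TLV.
CAPABILITY_BITS = {0: "Other", 1: "Repeater", 2: "Bridge", 3: "WLAN Access Point",
                   4: "Router", 5: "Telephone", 6: "DOCSIS Cable Device", 7: "Station Only"}


def tlv(tlv_type, value):
    """Encode one TLV: a 16-bit header of 7-bit type and 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(pdu):
    """Return a list of (type, value) pairs, stopping at the End-of-LLDPDU TLV.

    A TLV whose declared length runs past the buffer raises ValueError
    instead of being read partially.
    """
    tlvs, offset = [], 0
    while offset + 2 <= len(pdu):
        header = struct.unpack_from("!H", pdu, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        if offset + 2 + length > len(pdu):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, "
                             f"only {len(pdu) - offset - 2} remain")
        tlvs.append((tlv_type, pdu[offset + 2:offset + 2 + length]))
        offset += 2 + length
        if tlv_type == 0:
            break
    return tlvs


def decode_capabilities(word):
    return [name for bit, name in CAPABILITY_BITS.items() if word & (1 << bit)]


def summarize(pdu):
    """Extract the identifying fields carried in one advertisement."""
    info = {}
    for tlv_type, value in parse_lldpdu(pdu):
        info.setdefault("tlv_types", []).append(TLV_NAMES.get(tlv_type, f"type {tlv_type}"))
        if tlv_type == 1:                        # subtype byte, then the chassis identifier
            info["chassis_subtype"], info["chassis_id"] = value[0], value[1:]
        elif tlv_type == 2:
            info["port_subtype"], info["port_id"] = value[0], value[1:]
        elif tlv_type == 3:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 6:
            info["system_description"] = value.decode("utf-8", "replace")
        elif tlv_type == 7:
            _supported, enabled = struct.unpack("!HH", value)
            info["capabilities_enabled"] = decode_capabilities(enabled)
        elif tlv_type == 8:
            addr_len = value[0]                  # counts the subtype byte plus the address
            subtype, addr = value[1], value[2:1 + addr_len]
            if subtype == 1 and len(addr) == 4:  # IANA address family 1 = IPv4
                info["management_address"] = str(IPv4Address(addr))
    return info


def sample_pdu():
    """Constructed LLDPDU. Chassis MAC and system description follow the guide's
    show lldp info local-device output; port name, system name, TTL and the
    management address 192.168.0.1 are assumed for the example."""
    mgmt_value = (b"\x05\x01" + bytes([192, 168, 0, 1])   # length 5, IPv4, address
                  + b"\x02" + struct.pack("!I", 1)         # ifIndex numbering, interface 1
                  + b"\x00")                               # no OID
    return (tlv(1, b"\x04" + bytes.fromhex("b40edc349608"))  # chassis subtype 4 = MAC address
            + tlv(2, b"\x05" + b"Eth 1/1")                    # port subtype 5 = interface name
            + tlv(3, struct.pack("!H", 120))
            + tlv(5, b"switch-a")
            + tlv(6, b"ECS4110-52P")
            + tlv(7, struct.pack("!HH", 0x0004, 0x0004))     # Bridge supported and enabled
            + tlv(8, mgmt_value)
            + tlv(0, b""))
```

Everything summarize() returns is sent unauthenticated and unencrypted on every port whose admin status includes transmit, which is the reason to limit which TLVs are advertised (the lldp basic-tlv, dot1-tlv and dot3-tlv commands below) and on which ports (lldp admin-status).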
CHAPTER 41 | LLDP Commands Table 189: LLDP Commands (Continued)
Command                     Function                                                                    Mode
lldp basic-tlv system-name  Configures an LLDP-enabled port to advertise its system name                IC
lldp dot1-tlv proto-ident1  Configures an LLDP-enabled port to advertise the supported protocols        IC
lldp dot1-tlv proto-vid1    Configures an LLDP-enabled port to advertise port related VLAN information  IC
lldp dot1-tlv pvid1         Configures an LLDP-enabled port to advertise its default VLAN ID            IC
lldp dot1-tlv vlan-name1    Conf
lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. SYNTAX [no] lldp DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. SYNTAX lldp med-fast-start-count packets no lldp med-fast-start-count packets - Number of LLDPDUs to transmit.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
COMMAND MODE Global Configuration COMMAND USAGE When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. EXAMPLE Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. SYNTAX lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs. tx-only - Only transmit LLDP PDUs. tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs). Note that LLDP advertisements carry the switch's chassis ID, system name, system description, capabilities and management address (see the show lldp info local-device example in this chapter), so on ports facing devices you do not control, use rx-only to keep learning about the neighbor without advertising this information, or use the no form to stop LLDP processing on the port entirely.
enterprise specific or other starting points for the search, such as the Interface or Entity MIB. ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
lldp basic-tlv system-capabilities This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature. SYNTAX [no] lldp basic-tlv system-capabilities DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The system capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled.
lldp basic-tlv system-name This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature. SYNTAX [no] lldp basic-tlv system-name DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. SYNTAX [no] lldp dot1-tlv proto-vid DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 1178).
lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature. SYNTAX [no] lldp dot1-tlv vlan-name DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises the name of all VLANs to which this interface has been assigned. See switchport allowed vlan and protocol-vlan protocol-group (Configuring Interfaces).
lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. SYNTAX [no] lldp dot3-tlv mac-phy DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power- over-Ethernet (PoE) capabilities. Use the no form to disable this feature.
DEFAULT SETTING Not advertised No description COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ Use this command without any keywords to advertise location identification details. ◆ Use the ca-type keyword to advertise the physical location of the device, that is, the city, street number, building and room information. The address location is specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776.
EXAMPLE The following example enables advertising location identification details.
lldp med-tlv ext-poe This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature.
EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#no lldp med-tlv inventory Console(config-if)# lldp med-tlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. SYNTAX [no] lldp med-tlv location DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises location identification details.
EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv med-cap Console(config-if)# lldp med-tlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
◆ SNMP trap destinations are defined using the snmp-server host command. ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
 Eth 1/4    Tx-Rx    True
 Eth 1/5    Tx-Rx    True
 .
 .
 .
Console#show lldp config detail
LLDP Port Configuration Detail
 Port                           : ethernet 1/1
 Admin Status                   :
 Notification Enabled           :
 Basic TLVs Advertised          :
 802.1 specific TLVs Advertised : 802.
EXAMPLE
Console#show lldp info local-device
LLDP Local Global Information
 Chassis Type                : MAC Address
 Chassis ID                  : B4-0E-DC-34-96-08
 System Name                 :
 System Description          : ECS4110-52P
 System Capabilities Support : Bridge
 System Capabilities Enabled : Bridge
 Management Address          : 192.168.0.
EXAMPLE Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field.
show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. SYNTAX show lldp info statistics [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
42 CFM COMMANDS Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
CHAPTER 42 | CFM Commands Table 191: CFM Commands (Continued)
Command                          Function                                                                                                                          Mode
ethernet cfm mep                 Sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages  IC
ethernet cfm port-enable         Enables CFM processing on an interface                                                                                            IC
clear ethernet cfm ais mpid      Clears AIS defect information for the specified MEP                                                                               PE
show ethernet cfm configuration  Displays CFM configuration settings, including gl
Table 191: CFM Commands (Continued)
Command                                 Function                                                          Mode
ethernet cfm linktrace cache            Enables caching of CFM data learned through link trace messages   GC
ethernet cfm linktrace cache hold-time  Sets the hold time for CFM link trace cache entries               GC
ethernet cfm linktrace cache size       Sets the maximum size for the link trace cache                    GC
ethernet cfm linktrace                  Sends CFM link trace messages to the MAC address for a MEP        PE
clear ethernet cfm linktrace-cache      Clears link trace
Defining CFM Structures 5. Enable CFM globally on the switch with the ethernet cfm enable command. 6. Enable CFM on the local MEPs with the ethernet cfm port-enable command. 7. Enable continuity check operations with the ethernet cfm cc enable command. 8. Enable cross-check operations with the ethernet cfm mep crosscheck command.
EXAMPLE This example sets the maintenance level for sending AIS messages within the specified MA. Console(config)#ethernet cfm ais level 4 md voip ma rd Console(config)# ethernet cfm ais ma This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature. SYNTAX [no] ethernet cfm ais md domain-name ma ma-name domain-name – Domain name.
ethernet cfm ais period This command configures the interval at which AIS information is sent. Use the no form to restore the default setting. SYNTAX ethernet cfm ais period period md domain-name ma ma-name no ethernet cfm ais period md domain-name ma ma-name period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds) domain-name – Domain name. (Range: 1-43 alphanumeric characters) ma-name – Maintenance association name.
COMMAND USAGE ◆ For multipoint connectivity, a MEP cannot determine the specific maintenance level entity that has encountered defect conditions upon receiving a frame with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information.
pass, and only if a maintenance end point (MEP) is created at some lower MA Level. none – No MIP can be created for any MA configured in this domain. DEFAULT SETTING No maintenance domains are configured. No MIPs are created for any MA in the specified domain. COMMAND MODE Global Configuration COMMAND USAGE ◆ A domain can only be configured with one name.
Also note that MEPs are active agents which can initiate continuity check messages (CCMs), transmit loop back or link trace messages, and maintain the local CCM database. MIPs, on the other hand, are passive agents which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.
ma index name This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
EXAMPLE This example creates a maintenance association, binds it to VLAN 1, and allows MIPs to be created within this MA using the default method. Console(config)#ethernet cfm domain index 1 name voip level 3 Console(config-ether-cfm)#ma index 1 name rd vlan 1 mip-creation default Console(config-ether-cfm)# ma index name-format This command specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.
ethernet cfm mep This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP. SYNTAX ethernet cfm mep mpid mpid md domain-name ma ma-name [up] no ethernet cfm mep mpid mpid ma ma-name mpid – Maintenance end point identifier. (Range: 1-8191) domain-name – Domain name.
ethernet cfm port-enable This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface. SYNTAX [no] ethernet cfm port-enable DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
COMMAND USAGE This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved. EXAMPLE This example clears AIS defect entries for MEP 1 in maintenance association rd of domain voip. Console#clear ethernet cfm ais mpid 1 md voip ma rd Console# show ethernet cfm configuration This command displays CFM configuration settings, including global configuration settings, SNMP traps, and interface settings.
This example shows the configuration status for continuity check and cross-check traps.
show ethernet cfm md This command displays the configured maintenance domains. SYNTAX show ethernet cfm md [level level] level – Maintenance level. (Range: 0-7) DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows all configured maintenance domains.
Console#show ethernet cfm md
MD Index  MD Name               Level  MIP Creation  Archive Hold Time (m.
--------  --------------------  -----  ------------
1         rd                    0      default
Console#
show ethernet cfm maintenance-points local This command displays the maintenance points configured on this device. SYNTAX show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]} mep – Displays only local maintenance end points. mip – Displays only local maintenance intermediate points. domain-name – Domain name.
show ethernet cfm maintenance-points local detail mep This command displays detailed CFM information about a local MEP in the continuity check database. SYNTAX show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) interface – Displays CFM status for the specified interface. ethernet unit/port unit - Unit identifier.
Table 193: show ethernet cfm maintenance-points local detail mep - display
Field    Description
MPID     MEP identifier
MD Name  The maintenance domain for this entry.
ma-name – Maintenance association name. (Range: 1-43 alphanumeric characters) DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address. EXAMPLE This example shows detailed information about the remote MEP designated by MPID 2.
Continuity Check Operations Table 194: show ethernet cfm maintenance-points remote detail - display
Field       Description
Port State  Port states include:
            Up – The port is functioning normally.
            Blocked – The port has been blocked by the Spanning Tree Protocol.
            No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
is registered. The interval at which CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA. ◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs). EXAMPLE This example enables continuity check messages for the specified maintenance association.
EXAMPLE This example enables SNMP traps for mep-up events. Console(config)#snmp-server enable traps ethernet cfm cc mep-up Console(config)# RELATED COMMANDS ethernet cfm mep crosscheck (1375) mep archive-hold-time This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors This command displays the CFM continuity check errors logged on this device. SYNTAX show ethernet cfm errors [domain domain-name | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) level-id – Authorized maintenance level for this domain.
Cross Check Operations ethernet cfm mep crosscheck start-delay This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting. SYNTAX ethernet cfm mep crosscheck start-delay delay delay – The time a device waits for remote MEPs to come up before the cross-check is started.
mep-unknown – Sends a trap if an unconfigured MEP comes up. DEFAULT SETTING All continuity checks are enabled. COMMAND MODE Global Configuration COMMAND USAGE ◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
COMMAND USAGE ◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the crosscheck operation to verify that all endpoints in the specified MA are operational. ◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
Link Trace Operations ◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword. EXAMPLE This example enables cross-checking within the specified maintenance association. Console#ethernet cfm mep crosscheck enable md voip ma rd Console# show ethernet cfm maintenance-points This command displays information about remote MEPs statically configured in a cross-check list.
COMMAND MODE Global Configuration COMMAND USAGE ◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded. ◆ Use this command to enable the link trace cache to store the results of link trace operations initiated on this device.
EXAMPLE This example sets the aging time for entries in the link trace cache to 60 minutes. Console(config)#ethernet cfm linktrace cache hold-time 60 Console(config)# ethernet cfm linktrace cache size This command sets the maximum size for the link trace cache. Use the no form to restore the default setting. SYNTAX ethernet cfm linktrace cache size entries entries – The number of link trace responses stored in the link trace cache.
ethernet cfm linktrace This command sends CFM link trace messages to the MAC address of a remote MEP. SYNTAX ethernet cfm linktrace {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [ttl number] destination-mpid – The identifier of a remote MEP that is the target of the link trace message.
When using the command line or web interface, the source MEP used to send a link trace message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user. EXAMPLE This example sends a link trace message to the specified MEP with a maximum hop count of 25. Console#ethernet cfm linktrace dest-mep 2 md voip ma rd ttl 25 Console# clear ethernet cfm linktrace-cache This command clears link trace messages logged on this device.
Loopback Operations Table 196: show ethernet cfm linktrace-cache - display description
Field        Description
Ing. Action  Action taken on the ingress port:
             IngOk – The target data frame passed through to the MAC Relay Entity.
             IngDown – The bridge port’s MAC_Operational parameter is false.
Fault Generator Operations transmit-count – The number of times the loopback message is sent. (Range: 1-1024) packet-size – The size of the loopback message. (Range: 64-1518 bytes) DEFAULT SETTING Loop back count: One loopback message is sent. Loop back size: 64 bytes COMMAND MODE Privileged Exec COMMAND USAGE ◆ Use this command to test the connectivity between maintenance points.
DEFAULT SETTING 3 seconds COMMAND MODE CFM Domain Configuration COMMAND USAGE A fault alarm is issued when the MEP fault notification generator state machine detects that a time period configured by this command has passed with one or more defects indicated, and fault alarms are enabled at or above the priority level set by the mep fault-notify lowest-priority command. EXAMPLE This example sets the delay time before generating a fault alarm.
notification generator state machine has been reset, and repeat those steps until the fault is resolved. ◆ Only the highest priority defect currently detected is reported in the fault alarm. ◆ Priority defects include the following items:
Table 197: Remote MEP Priority Levels
Priority Level  Level Name     Description
1               allDef         All defects.
2               macRemErrXcon  DefMACstatus, DefRemoteCCM, DefErrorCCM, or DefXconCCM.
mep fault-notify reset-time This command configures the time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued. Use the no form to restore the default setting. SYNTAX mep fault-notify reset-time reset-time no mep fault-notify reset-time reset-time – The time that must pass without any further defects indicated before another fault alarm can be generated.
Delay Measure Operations Table 199: show fault-notify-generator - display description
Field           Description
MD Name         The maintenance domain for this entry.
MA Name         The maintenance association for this entry.
Highest Defect  The highest defect that will generate a fault alarm. (This is disabled by default.)
Lowest Alarm    The lowest defect that will generate a fault alarm (see the mep fault-notify lowest-priority command).
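The alarm-time, reset-time and lowest-priority settings of the fault notification generator interact in ways that are easier to see in code than in the command descriptions above. The following is an added Python model of that interaction; it is not code from this guide or from the switch. It extends Table 197 with the remaining lowest-priority names from IEEE 802.1ag (remErrXcon, errXcon, xcon, noXcon) and uses the per-defect priorities of 802.1ag clause 20.9.5; the state names are a simplification of the standard's FNG state machine, the reset-time value is assumed, and the timeline in scenario() is constructed.

```python
"""Simplified model of a MEP's fault notification generator (IEEE 802.1ag 20.9).
Added example; not code from the guide or the switch."""

# Defect priorities, IEEE 802.1ag-2007 Table 20-1: a larger number is more severe.
DEFECT_PRIORITY = {"DefRDICCM": 1, "DefMACstatus": 2, "DefRemoteCCM": 3,
                   "DefErrorCCM": 4, "DefXconCCM": 5}

# Values of mep fault-notify lowest-priority -> lowest defect priority that is alarmed.
# Levels 1 and 2 are the rows of Table 197; 3 to 6 are the remaining 802.1ag values.
LOWEST_PRIORITY = {"allDef": 1, "macRemErrXcon": 2, "remErrXcon": 3,
                   "errXcon": 4, "xcon": 5, "noXcon": 6}


class FaultNotificationGenerator:
    """States: RESET (no defect), DEFECT (defect seen, alarm-time running),
    REPORTED (alarm raised), CLEARING (defects gone, reset-time running)."""

    def __init__(self, alarm_time=3.0, reset_time=10.0, lowest_priority="macRemErrXcon"):
        self.alarm_time = alarm_time          # mep fault-notify alarm-time (guide default: 3 s)
        self.reset_time = reset_time          # mep fault-notify reset-time (value assumed here)
        self.lowest = LOWEST_PRIORITY[lowest_priority]
        self.state = "RESET"
        self.timer_start = None
        self.reported = None                  # defect named in the current alarm
        self.alarms = []                      # (time, defect) for every alarm raised

    def highest_reportable(self, defects):
        """Highest-priority defect at or above the lowest-priority setting, else None."""
        eligible = [d for d in defects if DEFECT_PRIORITY[d] >= self.lowest]
        return max(eligible, key=DEFECT_PRIORITY.get) if eligible else None

    def _raise(self, now, defect):
        self.state, self.reported = "REPORTED", defect
        self.alarms.append((now, defect))
        return defect

    def update(self, now, defects):
        """Feed the set of defects present at time `now` (seconds).
        Returns the defect name when an alarm is raised on this call, else None."""
        defect = self.highest_reportable(defects)
        if self.state == "RESET":
            if defect:
                self.state, self.timer_start = "DEFECT", now
        elif self.state == "DEFECT":
            if not defect:
                self.state = "RESET"                           # cleared before alarm_time elapsed
            elif now - self.timer_start >= self.alarm_time:
                return self._raise(now, defect)
        elif self.state == "REPORTED":
            if not defect:
                self.state, self.timer_start = "CLEARING", now
            elif DEFECT_PRIORITY[defect] > DEFECT_PRIORITY[self.reported]:
                return self._raise(now, defect)                # only a worse defect is re-alarmed
        elif self.state == "CLEARING":
            if defect:
                self.state = "REPORTED"                        # back within reset_time: no new alarm
                if DEFECT_PRIORITY[defect] > DEFECT_PRIORITY[self.reported]:
                    return self._raise(now, defect)
            elif now - self.timer_start >= self.reset_time:
                self.state, self.reported = "RESET", None
        return None


def scenario():
    """Constructed timeline: remote CCMs stop at t=0, return at t=8, stop again at t=12,
    return at t=20, and a cross-connect defect appears at t=32."""
    fng = FaultNotificationGenerator(alarm_time=3.0, reset_time=10.0,
                                     lowest_priority="macRemErrXcon")
    timeline = [(0, {"DefRemoteCCM"}), (1, {"DefRemoteCCM"}), (3, {"DefRemoteCCM"}),
                (5, {"DefRemoteCCM", "DefRDICCM"}), (8, set()), (12, {"DefRemoteCCM"}),
                (16, {"DefRemoteCCM"}), (20, set()), (31, set()),
                (32, {"DefXconCCM"}), (35, {"DefXconCCM"})]
    return [(t, fng.update(t, d)) for t, d in timeline], fng
```

In the constructed timeline the loss of remote CCMs at t=12 raises no second alarm because it happens inside the reset-time window opened at t=8; the cross-connect defect at t=32 is alarmed after the full alarm-time because the generator had returned to its reset state by then. DefRDICCM is never reported with the default macRemErrXcon setting, which is what "lowest priority" means in practice.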
Size: 64 bytes Timeout: 5 seconds COMMAND MODE Privileged Exec COMMAND USAGE ◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs. ◆ A local MEP must be configured for the same MA before you can use this command. ◆ If a MEP is enabled to generate frames with delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA, and expects to receive DM frames back from it.
43 OAM COMMANDS The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
CHAPTER 43 | OAM Commands efm oam This command enables OAM functions on the specified port. Use the no form to disable this function. SYNTAX [no] efm oam DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE ◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link. ◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.
detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults. ◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset. NOTE: When system power fails, the switch will always send a dying gasp trap message prior to power down.
efm oam link-monitor frame threshold This command sets the threshold for errored frame link events. Use the no form to restore the default setting. SYNTAX efm oam link-monitor frame threshold count no efm oam link-monitor frame threshold count - The threshold for errored frame link events.
(page 1392) is reached or exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period. EXAMPLE This example sets the window size to 5 seconds (the window is specified in units of 100 milliseconds, so 50 = 5 seconds). Console(config)#interface ethernet 1/1 Console(config-if)#efm oam link-monitor frame window 50 Console(config-if)# efm oam mode This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
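How the frame window and frame threshold combine into an Errored Frame Event, as an added Python example that is not from the guide or the switch software. It evaluates per-100 ms errored-frame counts in fixed, back-to-back windows (the guide does not state whether the window slides; non-overlapping windows are assumed here) and produces an event record carrying the count, as the Errored Frame Event TLV does. The per-tick error counts in sample_ticks() are constructed; the window is expressed in the same 100 ms units as the efm oam link-monitor frame window command.

```python
"""Errored Frame Event detection for 802.3ah (EFM) OAM link monitoring.
Added example; not code from the guide or the switch."""
from dataclasses import dataclass


@dataclass
class ErroredFrameEvent:
    """Fields the Errored Frame Event TLV carries (a subset, for illustration)."""
    window_ticks: int      # window length in 100 ms units, as configured
    threshold: int         # configured errored-frame threshold
    errored_frames: int    # errored frames counted in the window that triggered the event
    total_errored: int     # running total of errored frames since monitoring started
    window_index: int      # which window (0-based) produced the event


def detect_errored_frame_events(per_tick_errors, window_ticks, threshold):
    """Count errored frames per 100 ms tick in fixed, back-to-back windows and
    generate an event for every window whose count reaches the threshold.

    per_tick_errors: errored-frame counts, one per 100 ms tick.
    window_ticks:    efm oam link-monitor frame window value (100 ms units).
    threshold:       efm oam link-monitor frame threshold value.
    """
    if window_ticks < 1 or threshold < 1:
        raise ValueError("window and threshold must be at least 1")
    events, total = [], 0
    for index, start in enumerate(range(0, len(per_tick_errors), window_ticks)):
        window = per_tick_errors[start:start + window_ticks]
        if len(window) < window_ticks:
            break                        # window not complete yet; nothing to report
        count = sum(window)
        total += count
        if count >= threshold:
            events.append(ErroredFrameEvent(window_ticks, threshold, count, total, index))
    return events


def sample_ticks():
    """Constructed 12 s of samples: one errored frame at 0.7 s, three more around 6.3 s."""
    ticks = [0] * 120
    ticks[7] = 1
    ticks[63] = 2
    ticks[64] = 1
    return ticks
```

With window 50 and threshold 1 (the example configuration above), the single error at 0.7 s and the burst at 6.3 s each produce an event; raising the threshold to 2 suppresses the isolated error, and shrinking the window to 10 (the value shown in the show efm oam status output later in this chapter) pins each event to the second in which it occurred.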
clear efm oam counters This command clears statistical counters for various OAMPDU message types. SYNTAX clear efm oam counters [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
efm oam remote-loopback This command starts or stops OAM loopback test mode to the attached CPE. SYNTAX efm oam remote-loopback {start | stop} interface start - Starts remote loopback test mode. stop - Stops remote loopback test mode. interface - unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE ◆ OAM remote loop back can be used for fault localization and link performance testing.
efm oam remote-loopback test This command performs a remote loopback test, sending a specified number of packets. SYNTAX efm oam remote-loopback test interface [number-of-packets [packet-size]] interface - unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) number-of-packets - Number of packets to send. (Range: 1-99999999) packet-size - Size of packets to send.
show efm oam counters interface This command displays counters for various OAM PDU message types. SYNTAX show efm oam counters interface [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
EXAMPLE Console#show efm oam event-log interface 1/1 OAM event log of Eth 1/1: 00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote" Console# This command can show OAM link status changes for link partner as shown in this example.
show efm oam remote-loopback interface This command displays the results of an OAM remote loopback test. SYNTAX show efm oam remote-loopback interface [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Link Monitor:
 Errored Frame Window (100msec) : 10
 Errored Frame Threshold        : 1
Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port  Admin    Mode State  Remote Loopback  Dying Gasp  Critical Event  Errored Frame
----  -------  ----------  ---------------  ----------  --------------  -------------
1/1   Enabled  Active      Disabled         Enabled     Enabled         Enabled
Console#
show efm oam This command displays information about attached OAM-enabled devices.
44 DOMAIN NAME SERVICE COMMANDS
These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
CHAPTER 44 | Domain Name Service Commands

COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Domain names are added to the end of the list one at a time.
◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
◆ If there is no domain list, the domain name specified with the ip domain-name command is used.

◆ If all name servers are deleted, DNS will automatically be disabled.
EXAMPLE
This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status:
 DNS Enabled
Default Domain Name:
 sample.com
Domain Name List:
 sample.com.jp
 sample.com.uk
Name Server List:
 192.168.1.55
 10.1.0.

Name Server List:
Console#
RELATED COMMANDS
ip domain-list (1401)
ip name-server (1405)
ip domain-lookup (1402)

ip host
This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.
SYNTAX
[no] ip host name address
name - Name of an IPv4 host. (Range: 1-100 characters)
address - Corresponding IPv4 address.
ip name-server
This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
SYNTAX
[no] ip name-server server-address1 [server-address2 … server-address6]
server-address1 - IPv4 or IPv6 address of domain-name server.
server-address2 … server-address6 - IPv4 or IPv6 address of additional domain-name servers.

ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
SYNTAX
[no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-100 characters)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values.

clear host
This command deletes dynamic entries from the DNS table.
SYNTAX
clear host {name | *}
name - Name of the host. (Range: 1-100 characters)
* - Removes all dynamic entries.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries.
EXAMPLE
This example clears all dynamic entries from the DNS table.
show dns cache
This command displays entries in the DNS cache.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show dns cache
No.  Flag  Type   IP Address       TTL  Domain
---  ----  -----  ---------------  ---  ------------------------
3    4     Host   209.131.36.158   115  www-real.wa1.b.yahoo.com
4    4     CNAME  POINTER TO:3     115  www.yahoo.com
5    4     CNAME  POINTER TO:3     115  www.wa1.b.yahoo.com
Console#
Table 202: show dns cache - display description
Field  Description
No.

Table 203: show hosts - display description
Field  Description
No.  The entry number for each resource record.
Flag  The field displays "2" for a static entry, or "4" for a dynamic entry stored in the cache.
Type  This field includes "Address" which specifies the primary name for the owner, and "CNAME" which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
45 DHCP COMMANDS These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
CHAPTER 45 | DHCP Commands

DHCP Client
DHCP FOR IPV4

ip dhcp client class-id
This command specifies the DHCP client vendor class identifier for the current interface. Use the no form to remove the class identifier from the DHCP packet.
SYNTAX
ip dhcp client class-id [text text | hex hex]
no ip dhcp client class-id
text - A text string. (Range: 1-32 characters)
hex - A hexadecimal value.

Table 207: Options 55 and 124 Statements
Option  Statement Keyword            Parameter
55      dhcp-parameter-request-list  a list of parameters, separated by ','
124     vendor-class-identifier      a string indicating the vendor class identifier
◆ The server should reply with Option 66 (TFTP server name) and Option 67 (boot file name).

EXAMPLE
In the following example, the device is reassigned the same address.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#exit
Console#ip dhcp restart client
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 70-72-CF-94-22-34
  Index: 1001, MTU: 1500
  Address Mode is DHCP
  IP Address: 192.168.0.5 Mask: 255.255.255.0
  Proxy ARP is disabled
  DHCP relay server: 0.0.0.
EXAMPLE
Console(config)#ipv6 dhcp client rapid-commit vlan 2
Console(config)#

ipv6 dhcp restart client vlan
This command submits a DHCPv6 client request.
SYNTAX
ipv6 dhcp restart client vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.

This combination is known as DHCPv6 stateless, in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts, but does assign stateless configuration settings.
◆ DHCPv6 clients build a list of servers by sending a Solicit message and collecting the Advertise replies. These servers are then ranked based on their advertised preference value.

show ipv6 dhcp vlan
This command shows DHCPv6 information for the specified interface(s).
SYNTAX
show ipv6 dhcp vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
DHCP Relay

COMMAND MODE
Interface Configuration (VLAN)
USAGE GUIDELINES
◆ DHCP relay service applies to DHCP client requests received on the specified VLAN.
◆ This command is used to configure DHCP relay for host devices attached to the switch. If DHCP relay service is enabled and this switch sees a DHCP client request, it inserts its own IP address into the request (the gateway address, giaddr, field) so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server on another network. When the server receives the DHCP request, it allocates a free IP address for the DHCP client from its defined scope for the DHCP client's subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch). This switch then broadcasts the DHCP response received from the server to the client.
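The relay exchange described above, as an added Python example that is not part of this guide or of the switch software: the client builds a DISCOVER carrying an option 55 parameter request list, the relay agent stamps giaddr and the hop count, the server selects its scope from giaddr and answers only the options that were requested (including 66 and 67), and the relay passes back only replies whose giaddr is its own address. The client MAC, the relay and server addresses, the scope contents and the `tftp.example.net` and bootfile names are constructed assumptions; UDP/IP framing and checksums are omitted.

```python
import copy
import ipaddress
import struct

# Constructed values for this example (assumptions, not from the guide): the client MAC,
# the relay agent's address on the client VLAN, the server on another network and its scopes.
MAGIC = bytes([99, 130, 83, 99])                   # RFC 2131 options magic cookie
CLIENT_MAC = bytes.fromhex("7072cf942234")
RELAY_IP = ipaddress.IPv4Address("192.168.0.1")
SERVER_IP = ipaddress.IPv4Address("10.1.0.10")
SCOPES = {  # one scope per subnet; next_host is the next free host number in the pool
    ipaddress.ip_network("192.168.0.0/24"): {"next_host": 5, "router": "192.168.0.1",
                                             "tftp": "tftp.example.net", "bootfile": "ecs4110.bix"},
    ipaddress.ip_network("10.1.0.0/24"): {"next_host": 50, "router": "10.1.0.1",
                                          "tftp": "tftp.example.net", "bootfile": "other.bix"},
}

def build_discover(xid, mac, requested=(1, 3, 66, 67)):
    """DHCPDISCOVER: 236-byte BOOTP header, magic cookie, option 53 (type) and option 55 (request list)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                        xid, 0, 0x8000,             # xid, secs, flags with the broadcast bit set
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr yiaddr siaddr giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)   # chaddr sname file
    opts = bytes([53, 1, 1]) + bytes([55, len(requested)]) + bytes(requested)
    return fixed + MAGIC + opts + b"\xff"

def parse_options(msg):
    """Return {code: value} for the TLV options after the cookie (0 = pad, 255 = end)."""
    if bytes(msg[236:240]) != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:
        if msg[i] == 0:
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = bytes(msg[i + 2:i + 2 + length])
        i += 2 + length
    return opts

def relay_to_server(request, relay_ip=RELAY_IP):
    """Relay agent, client side: set giaddr to its own interface address and count the hop.
    Only the first relay on the path sets giaddr, so the server always sees the client's subnet."""
    pkt = bytearray(request)
    if pkt[3] > 16:                                 # RFC 1542: too many hops, discard
        return None
    if bytes(pkt[24:28]) == b"\0" * 4:
        pkt[24:28] = relay_ip.packed
    pkt[3] += 1
    return bytes(pkt)

def server_reply(request, scopes=None):
    """Server: pick the scope from giaddr (its own subnet when giaddr is 0), allocate an address,
    echo xid/chaddr/giaddr back and include only the options listed in the client's option 55."""
    scopes = copy.deepcopy(SCOPES) if scopes is None else scopes
    giaddr = ipaddress.IPv4Address(bytes(request[24:28]))
    locator = giaddr if int(giaddr) else SERVER_IP
    net = next((n for n in scopes if locator in n), None)
    if net is None:
        raise LookupError(f"no scope covers {locator}")
    scope = scopes[net]
    yiaddr = ipaddress.IPv4Address(int(net.network_address) + scope["next_host"])
    scope["next_host"] += 1
    reply = bytearray(request[:236])
    reply[0] = 2                                    # op=BOOTREPLY
    reply[16:20] = yiaddr.packed                    # yiaddr: the offered address
    reply[20:24] = SERVER_IP.packed                 # siaddr
    available = {1: net.netmask.packed, 3: ipaddress.IPv4Address(scope["router"]).packed,
                 66: scope["tftp"].encode(), 67: scope["bootfile"].encode()}
    opts = bytes([53, 1, 2]) + bytes([54, 4]) + SERVER_IP.packed   # DHCPOFFER + server identifier
    for code in parse_options(request).get(55, b""):
        if code in available:
            opts += bytes([code, len(available[code])]) + available[code]
    return bytes(reply) + MAGIC + opts + b"\xff"

def relay_to_client(reply, relay_ip=RELAY_IP):
    """Relay agent, server side: only a BOOTREPLY whose giaddr is this relay's own address is
    passed on (the switch then broadcasts it on the client VLAN); anything else is dropped (None)."""
    if reply[0] != 2 or ipaddress.IPv4Address(bytes(reply[24:28])) != relay_ip:
        return None
    return reply

def offered_address(reply):
    return str(ipaddress.IPv4Address(bytes(reply[16:20])))

def run_exchange():
    """Client -> relay -> server -> relay -> client; returns what the client ends up with."""
    to_server = relay_to_server(build_discover(0x1234, CLIENT_MAC))
    to_client = relay_to_client(server_reply(to_server))
    opts = parse_options(to_client)
    return {"hops": to_server[3],
            "giaddr": str(ipaddress.IPv4Address(bytes(to_server[24:28]))),
            "yiaddr": offered_address(to_client),
            "mask": str(ipaddress.IPv4Address(opts[1])),
            "router": str(ipaddress.IPv4Address(opts[3])),
            "tftp": opts[66].decode(), "bootfile": opts[67].decode()}
```

run_exchange() walks the four steps and returns the lease the client receives. The giaddr check on the return path is the part worth keeping in mind: the server echoes giaddr, so a reply whose giaddr is not this relay's address was never meant for it and is dropped instead of being broadcast onto the client VLAN.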
46 IP INTERFACE COMMANDS
An IP Version 4 and Version 6 address may be used for management access to the switch over the network. IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.

CHAPTER 46 | IP Interface Commands

IPv4 Interface
BASIC IPV4 CONFIGURATION
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.

routing. The router interface consists of an IP address and subnet mask. This interface address defines both the network number to which the router interface is attached and the router's host number on that network. In other words, a router interface address defines the network and subnetwork numbers of the segment that is connected to that interface, and allows you to send IP packets to or from the router.

This example assigns an IP address to VLAN 2 using a classless network mask.
Console(config)#interface vlan 2
Console(config-if)#ip address 10.2.2.1/24
Console(config-if)#
RELATED COMMANDS
ip dhcp restart client (1413)
ip default-gateway (1424)
ipv6 address (1434)

ip default-gateway
This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway.

EXAMPLE
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.254
Console(config)#
RELATED COMMANDS
ip address (1422)
ip route (1468)
ipv6 default-gateway (1433)

show ip interface
This command displays the settings of an IPv4 interface.
IP sent
  forwards datagrams
  9903 requests
  discards
  no routes
  generated fragments
  fragment succeeded
  fragment failed
ICMP Statistics:
ICMP received
  input errors
  destination unreachable messages
  time exceeded messages
  parameter problem message
  echo request messages
  echo reply messages
  redirect messages
  timestamp request messages
  timestamp reply messages
  source quench messages
  address mask request messages
  address mask reply messages
ICMP sent
  output errors
  de
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use the traceroute command to determine the path taken to reach a specified destination.
◆ A trace terminates when the destination responds, when the maximum TTL is exceeded, or when the maximum number of hops is exceeded.
◆ The traceroute command first sends probe datagrams with the TTL value set to one. This causes the first router to discard the datagram and return an ICMP Time Exceeded error message, whose source address identifies that hop. Each subsequent probe raises the TTL by one, so the routers along the path are identified in turn.

size - Number of bytes in a packet. (Range: 32-512) The actual packet size will be eight bytes larger than the size specified because the switch adds header information.
DEFAULT SETTING
count: 5
size: 32 bytes
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
◆ Use the ping command to see if another site on the network can be reached.

ARP CONFIGURATION
This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.

RELATED COMMANDS
clear arp-cache (1430)
show arp (1431)

ip proxy-arp
This command enables proxy Address Resolution Protocol (ARP). Use the no form to disable proxy ARP.
SYNTAX
[no] ip proxy-arp
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration (VLAN)
COMMAND USAGE
◆ Proxy ARP allows a non-routing device to determine the MAC address of a host on another subnet or network. Because the switch then answers ARP requests for addresses that are not its own, leave proxy ARP disabled (the default) unless hosts on the VLAN cannot be given a correct default gateway.

show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
This command displays information about the ARP cache. The first line shows the cache timeout. It also shows each cache entry, including the IP address, MAC address, type (static, dynamic, other), and VLAN interface. Note that entry type "other" indicates local addresses for this router.
IPv6 Interface
IPV6 INTERFACE
This switch supports the following IPv6 interface commands.

Interface Address Configuration and Utilities

ipv6 default-gateway
This command sets an IPv6 default gateway to use for destinations with no known next hop. Use the no form to remove a previously configured default gateway.
SYNTAX
ipv6 default-gateway ipv6-address
no ipv6 default-gateway
ipv6-address - The IPv6 address of the default next hop router to use for destinations with no known next hop.

ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
SYNTAX
[no] ipv6 address ipv6-address[/prefix-length]
ipv6-address - A full IPv6 address including the network prefix and host address bits.

Joined Group Address(es):
 ff02::1:ff00:72
 ff02::1:ff34:9608
 ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
RELATED COMMANDS
ipv6 address eui-64 (1436)
ipv6 a
information (such as a default gateway) from a DHCPv6 server when DHCPv6 is restarted.
EXAMPLE
This example assigns a dynamic global unicast address to the switch.

DEFAULT SETTING
No IPv6 addresses are defined
COMMAND MODE
Interface Configuration (VLAN)
COMMAND USAGE
◆ The prefix must be formatted according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

EXAMPLE
This example uses the network prefix of 2001:0DB8:0:1::/64, and specifies that the EUI-64 interface identifier be used in the lower 64 bits of the address.

appropriate number of zeros required to fill the undefined fields. And the address prefix must be in the range of FE80~FEBF.
◆ The address specified with this command replaces a link-local address that was automatically generated for the interface.
◆ You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.

DEFAULT SETTING
IPv6 is disabled
COMMAND MODE
Interface Configuration (VLAN)
COMMAND USAGE
◆ This command enables IPv6 on the current VLAN interface and automatically generates a link-local unicast address. The address prefix uses FE80, and the host portion of the address is generated by converting the switch's MAC address to modified EUI-64 format (see page 1436).
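The modified EUI-64 derivation that the automatic link-local address and the eui-64 form of ipv6 address rely on, as an added Python example that is not from this guide or from the switch software: it builds the link-local and global addresses from a MAC, derives the solicited-node multicast group that DAD and address resolution send neighbor solicitations to, and reverses the derivation to show that the MAC is recoverable from any EUI-64 address seen on the wire. The MAC 70-72-CF-94-22-34 is taken from the show ip interface example earlier in this chapter and the global prefix is the 2001:0DB8:0:1::/64 used above; nothing else is assumed.

```python
import ipaddress

def modified_eui64(mac):
    """Interface identifier from a 48-bit MAC (RFC 4291 Appendix A): split the MAC in the middle,
    insert FF:FE, and invert the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def eui64_address(prefix, mac):
    """Combine a /64 prefix (as given with ipv6 address ... eui-64) with the identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers require a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(modified_eui64(mac), "big"))

def link_local_address(mac):
    """What enabling IPv6 on an interface auto-generates: FE80::/64 plus the modified EUI-64 identifier."""
    return eui64_address("fe80::/64", mac)

def solicited_node_multicast(address):
    """FF02::1:FFxx:xxxx from the low 24 bits of the address: the group DAD and address resolution
    send neighbor solicitations to (one of the Joined Group Addresses in show ipv6 interface)."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def mac_from_eui64_address(address):
    """Reverse the derivation: the MAC if the identifier carries the FF:FE marker, else None.
    This is why EUI-64 addresses reveal the hardware address of an interface to every peer."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02X}" for b in octets)
```

The reverse function is the practical caveat: a management VLAN address built this way ties the switch's MAC to its IPv6 address for anyone who sees the traffic, which is one reason to assign the global address explicitly rather than with eui-64.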
ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. Use the no form to restore the default setting.
SYNTAX
ipv6 mtu size
no ipv6 mtu
size - Specifies the MTU size.

show ipv6 default-gateway
This command displays the current IPv6 default gateway.
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
The following shows the default gateway configured for this device:
Console#show ipv6 default-gateway
IPv6 default gateway 2001:DB8:2222:7272::254
Console#

show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.

ND DAD is enabled, number of DAD attempts: 3
This example displays a brief summary of IPv6 addresses configured on the switch.

show ipv6 traffic
This command displays statistics about IPv6 traffic passing through this switch.

  0 neighbor advertisement messages
  0 redirect messages
  0 group membership response messages
  0 group membership reduction messages
UDP Statistics:
  0 input
  0 no port errors
  0 other errors
  0 output
Console#
Table 216: show ipv6 traffic - display description
Field  Description
IPv6 Statistics
IPv6 received
total received  The total number of input datagrams received by the interface, including those received in error.

Table 216: show ipv6 traffic - display description (Continued)
Field  Description
reassembly failed  The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
router solicit messages  The number of ICMP Router Solicit messages received by the interface.
router advertisement messages  The number of ICMP Router Advertisement messages received by the interface.
neighbor solicit messages  The number of ICMP Neighbor Solicit messages received by the interface.
multicast listener discovery version 2 reports  The number of MLDv2 reports sent by the interface.
UDP Statistics
input  The total number of UDP datagrams delivered to UDP users.
no port errors  The total number of received UDP datagrams for which there was no application at the destination port.
DEFAULT SETTING
count: 5
size: 100 bytes
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007).

be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
host-name - A host name string which can be resolved into an IPv6 address through a domain name server.
failure-count - The maximum number of failures before which the trace route is terminated.
Neighbor Discovery

ipv6 nd dad attempts
This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.
SYNTAX
ipv6 nd dad attempts count
no ipv6 nd dad attempts
count - The number of neighbor solicitation messages sent to determine whether or not a duplicate address exists on this interface.

EXAMPLE
The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.

COMMAND USAGE
◆ When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself.
◆ This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations.

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network. This information may include the default router address taken from the observed source address of the RA message, as well as on-link prefix information.

◆ This time limit is included in all router advertisements sent out through an interface, ensuring that nodes on the same link use the same time value.
◆ Setting the time limit to 0 means that the configured time is unspecified by this router.

EXAMPLE
Console#show ipv6 nd raguard interface ethernet 1/1
Interface  RA Guard
---------  --------
Eth 1/ 1   Yes
Console#

show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.
SYNTAX
show ipv6 neighbors [vlan vlan-id | ipv6-address]
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - The IPv6 address of a neighbor device.

Table 217: show ipv6 neighbors - display description (Continued)
Field  Description
State  The following states are used for dynamic entries:
I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
I2 (Invalid) - An invalidated mapping.
ND Snooping
This section describes commands used to configure ND Snooping.

COMMAND USAGE
◆ Use this command without any keywords to enable ND snooping globally on the switch. Use the vlan keyword to enable ND snooping on a specific VLAN or a range of VLANs.
◆ Once ND snooping is enabled both globally and on the required VLANs, the switch will start monitoring RA messages to build an address prefix table as described below:
■ If an RA message is received on an untrusted interface, it is dropped.

EXAMPLE
This example enables ND snooping globally and on VLAN 1.
Console(config)#ipv6 nd snooping
Console(config)#ipv6 nd snooping vlan 1
Console(config)#

ipv6 nd snooping auto-detect
This command enables automatic validation of dynamic user binding table entries by periodically sending NS messages and awaiting NA replies. Use the no form to disable this feature.

COMMAND MODE
Global Configuration
COMMAND USAGE
The timeout after which the switch will delete a dynamic user binding if no NA reply is received is the retransmit count multiplied by the retransmit interval (see the ipv6 nd snooping auto-detect retransmit interval command). Based on the default settings, this is 3 seconds.

ipv6 nd snooping prefix timeout
This command sets the time to wait for an RA message before deleting an entry in the prefix table. Use the no form to restore the default setting.
SYNTAX
ipv6 nd snooping prefix timeout timeout
no ipv6 nd snooping prefix timeout
timeout - The time to wait for an RA message to confirm that a prefix entry is still valid.

EXAMPLE
Console(config)#ipv6 nd snooping prefix timeout 200
Console(config)#

ipv6 nd snooping trust
This command configures a port as a trusted interface from which prefix information in RA messages can be added to the prefix table, or NS messages can be forwarded without validation. Use the no form to restore the default setting.

EXAMPLE
Console#clear ipv6 nd snooping binding
Console#show ipv6 nd snooping binding
MAC Address     IPv6 Address                            Lifetime    VLAN  Interface
--------------  --------------------------------------  ----------  ----  ---------
Console#

clear ipv6 nd snooping prefix
This command clears all entries in the address prefix table.
SYNTAX
clear ipv6 nd snooping prefix [interface vlan vlan-id]
vlan-id - VLAN ID.

show ipv6 nd snooping binding
This command shows all entries in the dynamic user binding table.
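The ND snooping behaviour described in this section, as an added Python model that is not the switch's implementation: RAs from untrusted ports are dropped, RAs from trusted ports populate a prefix table whose entries expire after the prefix timeout, NS messages on untrusted ports are validated against that table and create bindings, and auto-detect probes each binding with an NS and deletes those that do not answer with an NA within retransmit count x retransmit interval. The ICMPv6 messages are built with struct (checksum left at zero, no IPv6 header). The defaults used (prefix timeout 200 s, 3 retransmits at 1 s), the acceptance of link-local targets without a prefix match, and the rule that an address already bound to another port is refused are assumptions of the example, not statements from the guide.

```python
import ipaddress
import struct

ND_RA, ND_NS, ND_NA = 134, 135, 136            # ICMPv6 message types (RFC 4861)
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")

def build_ra(prefixes, router_lifetime=1800):
    """RA header plus one Prefix Information option (type 3, 32 bytes) per prefix; checksum left 0."""
    msg = struct.pack("!BBHBBHII", ND_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        msg += struct.pack("!BBBBIII16s", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0,
                           net.network_address.packed)
    return msg

def build_ns(target):
    return struct.pack("!BBHI16s", ND_NS, 0, 0, 0, ipaddress.IPv6Address(target).packed)

def build_na(target):
    return struct.pack("!BBHI16s", ND_NA, 0, 0, 0x60000000, ipaddress.IPv6Address(target).packed)

def parse_ra_prefixes(msg):
    """Walk ND options after the 16-byte RA header; a zero option length must be rejected (RFC 4861 4.6)."""
    prefixes, i = [], 16
    while i + 2 <= len(msg):
        otype, olen = msg[i], msg[i + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        if otype == 3 and olen == 4:
            addr = ipaddress.IPv6Address(bytes(msg[i + 16:i + 32]))
            prefixes.append(ipaddress.IPv6Network((addr, msg[i + 2]), strict=False))
        i += olen * 8
    return prefixes

class NDSnooping:
    """Trusted ports, the RA-learned prefix table and the dynamic binding table of one switch.
    Timeouts are assumptions: prefix_timeout as set by ipv6 nd snooping prefix timeout, and an
    auto-detect window of retransmit count x retransmit interval (3 x 1 s here)."""

    def __init__(self, prefix_timeout=200, retransmit_count=3, retransmit_interval=1.0):
        self.trusted = set()
        self.prefixes = {}      # IPv6Network -> time the entry expires unless an RA refreshes it
        self.bindings = {}      # (vlan, IPv6Address) -> {"mac", "port", "deadline"}
        self.prefix_timeout = prefix_timeout
        self.probe_window = retransmit_count * retransmit_interval

    def live_prefixes(self, now):
        return [p for p, exp in self.prefixes.items() if exp > now]

    def receive(self, port, vlan, src_mac, src_ip, msg, now):
        """Decide "forward" or "drop" for an ND message seen on port/vlan and update the tables."""
        kind, src = msg[0], ipaddress.IPv6Address(src_ip)
        if kind == ND_RA:
            if port not in self.trusted:
                return "drop"                      # RA on an untrusted port: discarded
            for p in parse_ra_prefixes(msg):
                self.prefixes[p] = now + self.prefix_timeout
            return "forward"
        if kind == ND_NS:
            if port in self.trusted:
                return "forward"                   # NS from trusted ports is not validated
            target = ipaddress.IPv6Address(bytes(msg[8:24]))
            addr = target if src == UNSPECIFIED else src   # DAD probes come from :: for their own target
            if addr not in LINK_LOCAL and not any(addr in p for p in self.live_prefixes(now)):
                return "drop"                      # address outside every learned prefix
            entry = self.bindings.get((vlan, addr))
            if entry and (entry["mac"], entry["port"]) != (src_mac, port):
                return "drop"                      # assumed policy: address already bound elsewhere
            self.bindings[(vlan, addr)] = {"mac": src_mac, "port": port, "deadline": None}
            return "forward"
        if kind == ND_NA:
            entry = self.bindings.get((vlan, ipaddress.IPv6Address(bytes(msg[8:24]))))
            if entry and entry["port"] == port and entry["mac"] == src_mac:
                entry["deadline"] = None           # the NA an auto-detect probe was waiting for
        return "forward"

    def auto_detect(self, now):
        """Start a validation round: one NS per binding. A binding that has not answered with an NA
        by its deadline is removed by age()."""
        probes = []
        for (vlan, addr), entry in self.bindings.items():
            if entry["deadline"] is None:
                entry["deadline"] = now + self.probe_window
            probes.append((vlan, build_ns(addr)))
        return probes

    def age(self, now):
        """Expire prefixes no RA refreshed in time and bindings that missed their probe deadline."""
        self.prefixes = {p: e for p, e in self.prefixes.items() if e > now}
        self.bindings = {k: v for k, v in self.bindings.items()
                         if v["deadline"] is None or v["deadline"] > now}
```

A typical run marks the uplink as trusted, feeds an RA through it so the prefix is learned, then feeds DAD probes from access ports: a probe for an address inside the learned prefix creates a binding, one outside it is dropped, and a binding that never answers the auto-detect NS disappears after the 3-second window.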
46 IP ROUTING COMMANDS
After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.

CHAPTER 46 | IP Routing Commands

IPv4 Commands

ip route
This command configures static routes. Use the no form to remove static routes.
SYNTAX
ip route destination-ip netmask next-hop [distance]
no ip route {destination-ip netmask next-hop | *}
destination-ip - IP address of the destination network, subnetwork, or host.
netmask - Network mask for the associated IP subnet. This mask identifies the address bits that are compared when matching a destination against this route.

ip sw-route
This command uses software to process static routes. Use the no form to disable this function.
SYNTAX
[no] ip sw-route
DEFAULT SETTING
Hardware is used to process static routes.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Due to a hardware limitation on the ECS4110-52T, static routes do not work with DiffServ. Hardware processing of static routes is enabled by default.

destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB. The FIB is distinct from the routing table (or Routing Information Base), which holds all routing information received from routing peers. The forwarding information base contains unique paths only. It does not contain any secondary paths.

> - selected route, * - FIB route, p - stale info
C *> 127.0.0.0/8 is directly connected, lo0
C *> 192.168.1.0/24 is directly connected, VLAN1
Console#

show ip route summary
This command displays summary information for the routing table.
COMMAND MODE
Privileged Exec
EXAMPLE
In the following example, the numeric identifier following the named routing table (that is, the Forwarding Information Base) is the FIB ID.
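The RIB/FIB distinction and the ip route parameters (netmask, next-hop, distance), as an added Python example that is not the switch's code: every configured route goes into the RIB, fib() keeps one best path per prefix (lowest administrative distance, and only routes whose next hop is reachable through a connected network), lookup() does longest-prefix match over the FIB, and show_ip_route() prints in the style of the output above. The distances of 0 for connected and 1 for static routes, the tie-breaking rule (first configured wins), and all addresses and interface names are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # None for a directly connected network
    interface: str       # known for connected routes; resolved through them for static routes
    distance: int        # administrative distance (assumed: 0 connected, 1 static unless given)
    source: str          # "C" connected, "S" static

class RoutingTable:
    """The RIB holds every route configured; fib() derives the unique best path per prefix."""

    def __init__(self):
        self.rib = []

    def add_connected(self, cidr, interface):
        self.rib.append(Route(ipaddress.IPv4Network(cidr), None, interface, 0, "C"))

    def ip_route(self, destination, netmask, next_hop, distance=1):
        """ip route destination-ip netmask next-hop [distance]"""
        prefix = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=False)
        self.rib.append(Route(prefix, next_hop, None, distance, "S"))

    def no_ip_route(self, destination=None, netmask=None, next_hop=None):
        """no ip route dest mask next-hop removes one static route; no arguments acts as no ip route *."""
        if destination is None:
            self.rib = [r for r in self.rib if r.source != "S"]
            return
        prefix = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=False)
        self.rib = [r for r in self.rib
                    if not (r.source == "S" and r.prefix == prefix and r.next_hop == next_hop)]

    def egress(self, next_hop):
        """A static route is only installable if its next hop lies on a connected network."""
        nh = ipaddress.IPv4Address(next_hop)
        return next((r.interface for r in self.rib if r.source == "C" and nh in r.prefix), None)

    def fib(self):
        """One entry per prefix: lowest administrative distance wins; routes with an unresolvable
        next hop stay in the RIB but never reach the FIB. Returns {prefix: (route, interface)}."""
        best = {}
        for r in self.rib:
            iface = r.interface if r.source == "C" else self.egress(r.next_hop)
            if iface is None:
                continue
            if r.prefix not in best or r.distance < best[r.prefix][0].distance:
                best[r.prefix] = (r, iface)
        return best

    def lookup(self, address):
        """Longest-prefix match over the FIB; returns (prefix, next hop, interface) or None."""
        a = ipaddress.IPv4Address(address)
        candidates = [(p, r, i) for p, (r, i) in self.fib().items() if a in p]
        if not candidates:
            return None
        p, r, i = max(candidates, key=lambda c: c[0].prefixlen)
        return (str(p), r.next_hop or "connected", i)

    def show_ip_route(self):
        """Text in the style of the guide's show ip route: '*>' marks the selected FIB route."""
        fib = self.fib()
        lines = ["Codes: C - connected, S - static", "       > - selected route, * - FIB route"]
        for r in sorted(self.rib, key=lambda r: (r.prefix, r.distance)):
            mark = "*>" if fib.get(r.prefix, (None, None))[0] is r else "  "
            via = (f"is directly connected, {r.interface}" if r.source == "C"
                   else f"[{r.distance}/0] via {r.next_hop}")
            lines.append(f"{r.source} {mark} {r.prefix} {via}")
        return "\n".join(lines)
```

Two static routes to the same prefix with different distances illustrate the secondary-path rule: both sit in the RIB and appear in show_ip_route(), but only the lower distance is installed and used by lookup(); removing it with no_ip_route() promotes the backup without any further configuration.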
SECTION IV APPENDICES
This section provides additional information and includes these items:
◆ "Software Specifications" on page 1475
◆ "Troubleshooting" on page 1479
◆ "License Information" on page 1481
A SOFTWARE SPECIFICATIONS
SOFTWARE FEATURES
MANAGEMENT AUTHENTICATION  Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter, DHCP Snooping
CLIENT ACCESS  Access Control Lists (512 rules), Port Authentication (802.

APPENDIX A | Software Specifications

Management Features
VLAN SUPPORT  Up to 256 groups; port-based, protocol-based, tagged (802.

Standards
STANDARDS
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities
  Spanning Tree Protocol
  Rapid Spanning Tree Protocol
  Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.1Q VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.1X Port Authentication
IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet
  Link Aggregation Control Protocol (LACP)
  Full-duplex flow control (ISO/IEC 8802-3)
IEEE 802.

Management Information Bases
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC 2863)
IP Multicasting related MIBs
IPV6-MIB (RFC 2465)
IPV6-ICMP-MIB (RFC 2466)
IPV6-TCP-MIB (RFC 2452)
IPV6-UDP-MIB (RFC 2454)
Link Aggregation MIB (IEEE 802.3ad)
MAU MIB (RFC 3636)
MIB II (RFC 1213)
P-Bridge MIB (RFC 2674P)
Port Access Entity MIB (IEEE 802.
B TROUBLESHOOTING
PROBLEMS ACCESSING THE MANAGEMENT INTERFACE
Table 205: Troubleshooting Chart
Symptom  Action
Cannot connect using Telnet, web browser, or SNMP software
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.

APPENDIX B | Troubleshooting

USING SYSTEM LOGS
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C LICENSE INFORMATION
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.

APPENDIX C | License Information

The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c

9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
GLOSSARY

ACL  Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP  Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.

DIFFSERV  Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.

GARP  Generic Attribute Registration Protocol. GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered endstations. Formerly called Group Address Registration Protocol.

GMRP  Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups.

IEEE 802.1X  Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.

IEEE 802.3AC  Defines frame extensions for VLAN tagging.

IEEE 802.3X  Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links. (Now incorporated in IEEE 802.3-2002)

IGMP  Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services.

LACP  Link Aggregation Control Protocol. Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.

LAYER 2  Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses.

LINK AGGREGATION  See Port Trunk.

MVR  Multicast VLAN Registration is a method of using a single network-wide multicast VLAN to transmit common services, such as television channels or video-on-demand, across a service provider's network. MVR simplifies the configuration of multicast services by using a common VLAN for distribution, while still preserving security and data isolation for subscribers residing in both the MVR VLAN and other standard or private VLAN groups.

RADIUS  Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network.

RMON  Remote Monitoring. RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.

RSTP  Rapid Spanning Tree Protocol.

TFTP  Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads.

UDP  User Datagram Protocol. UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
COMMAND LIST

A
aaa accounting commands 838
aaa accounting dot1x 839
aaa accounting exec 840
aaa accounting update 841
aaa authorization exec 842
aaa group server 843
absolute 783
access-list arp 989
access-list ip 970
access-list ipv6 977
access-list mac 983
accounting commands 844
accounting dot1x 844
accounting exec 845
alias 997
arp 1429
authentication enable 828
authentication login 829
authorization exec 845
auto-traffic-control 1063
auto-traffic-control action 1063
auto-traffic-control alarm-clea

clock summer-time (recurring) 779
clock timezone 780
cluster 787
cluster commander 787
cluster ip-pool 788
cluster member 789
configure 713
control-vlan 1122
copy 738

D
databits 749
delete 741
delete public-key 858
description 1209
description 998
dir 742
disable 714
discard 999
disconnect 756
dos-protection echo-chargen 958
dos-protection smurf 958
dos-protection tcp-flooding 959
dos-protection tcp-null-scan 959
dos-protection tcp-syn-fin-scan 960
dos-protection tcp-udp-port-zero 960
dos-pr

ip access-group 975
ip address 1422
ip arp inspection 949
ip arp inspection filter 950
ip arp inspection limit 954
ip arp inspection log-buffer logs 951
ip arp inspection trust 954
ip arp inspection validate 952
ip arp inspection vlan 953
ip default-gateway 1424
ip dhcp client class-id 1412
ip dhcp relay server 1417
ip dhcp restart client 1413
ip dhcp restart relay 1418
ip dhcp snooping 916
ip dhcp snooping database flash 925
ip dhcp snooping information option 918
ip dhcp snooping informatio

ipv6 host 1406
ipv6 mld filter (Global Configuration) 1273
ipv6 mld filter (Interface Configuration) 1275
ipv6 mld max-groups 1276
ipv6 mld max-groups action 1277
ipv6 mld profile 1274
ipv6 mld query-drop 1277
ipv6 mld snooping 1263
ipv6 mld snooping querier 1263
ipv6 mld snooping query-interval 1264
ipv6 mld snooping query-maxresponse-time 1265
ipv6 mld snooping robustness 1265
ipv6 mld snooping router-port-expiretime 1266
ipv6 mld snooping unknown-multicast mode 1266
ipv6 mld snooping versio

mac-authentication max-mac-count 906
mac-authentication reauth-time 898
mac-learning 890
mac-vlan 1185
major-domain 1125
management 878
match 1210
max-hops 1100
media-type 1001
meg-level 1126
memory 813
mep archive-hold-time 1370
mep crosscheck mpid 1374
mep fault-notify alarm-time 1382
mep fault-notify lowest-priority 1383
mep fault-notify reset-time 1385
mep-monitor 1126
mst priority 1100
mst vlan 1101
mvr 1282
mvr associated-profile 1283
mvr domain 1283
mvr immediate-leave 1290
mvr priority

pppoe intermediate-agent trust 884
pppoe intermediate-agent vendor-tag strip 884
privilege 827
process cpu 814
prompt 709
propagate-tc 1133
protocol-vlan protocol-group (Configuring Groups) 1179
protocol-vlan protocol-group (Configuring Interfaces) 1180

Q
qos map cos-dscp 1200
qos map dscp-mutation 1202
qos map phb-queue 1203
qos map trust-mode 1204
queue mode 1196
queue weight 1197
quit 712

R
radius-server acct-port 830
radius-server auth-port 831
radius-server host 831
radius-server key 83

show interfaces transceiver 1015
show interfaces transceiver-threshold 1016
show ip access-group 975
show ip access-list 976
show ip arp inspection configuration 955
show ip arp inspection interface 955
show ip arp inspection log 956
show ip arp inspection statistics 956
show ip arp inspection vlan 956
show ip dhcp snooping 925
show ip dhcp snooping binding 926
show ip igmp authentication 1258
show ip igmp filter 1258
show ip igmp profile 1259
show ip igmp query-drop 1260
show ip igmp snooping

show qos map phb-queue 1206
show qos map trust-mode 1206
show queue mode 1199
show queue weight 1199
show radius-server 834
show reload 715
show rmon alarms 820
show rmon events 820
show rmon history 820
show rmon statistics 821
show rspan 1053
show running-config 729
show snmp 797
show snmp engine-id 807
show snmp group 808
show snmp notify-filter 813
show snmp user 809
show snmp view 810
show snmp-server enable port-traps 802
show sntp 772
show spanning-tree 1116
show spanning-tree mst confi

speed 754
speed-duplex 1002
stopbits 755
subnet-vlan 1183
switchport acceptable-frame-types 1158
switchport allowed vlan 1159
switchport dot1q-tunnel mode 1167
switchport dot1q-tunnel service match cvid 1168
switchport dot1q-tunnel tpid 1170
switchport forbidden vlan 1152
switchport gvrp 1152
switchport ingress-filtering 1160
switchport l2protocol-tunnel 1175
switchport mode 1161
switchport native vlan 1161
switchport packet-rate 1057
switchport priority default 1198
switchport vlan-translatio
INDEX

NUMERICS
802.1Q tunnel 212, 1165
  access 219, 1167
  configuration, guidelines 215, 1165
  configuration, limitations 215, 1166
  CVID to SVID map 217, 1168
  description 212
  ethernet type 216, 1170
  interface configuration 219, 1167–1170
  mode selection 219, 1167
  status, configuring 216, 1166
  TPID 216, 1170
  uplink 219, 1167
802.

  ignoring superior BPDUs 252, 1113
  selecting protocol based on message format 253, 1115
  shut down port on receipt 253, 1104
bridge extension capabilities, displaying 127, 1153
broadcast storm, threshold 263, 264, 1057

C
cable diagnostics 174, 1017
canonical format indicator 283
CDP, discard 999
CFM
  basic operations 522
  continuity check errors 555, 1371, 1372
  continuity check messages 510, 520, 522, 523, 1128, 1347, 1367, 1368
  cross-check errors 1369, 1373, 1375
  cross-check message 520, 523, 1347, 137

  VLAN configuration 417, 921
DHCPv6 snooping 926
  enabling 927
  global configuration 927
  remote ID 929
  remote ID policy 930
  specifying trusted interfaces 932
  VLAN configuration 931
Differentiated Code Point Service See DSCP
Differentiated Services See DiffServ
DiffServ 287, 1207
  binding policy to interface 301, 1222
  class map 288, 1208, 1212
  class map, description 1209
  classifying QoS traffic 288, 1210
  color aware, srTCM 296, 1215
  color aware, trTCM 297, 1217
  color blind, srTCM 296, 1215
  color blind, tr

F
fault isolation, CFM 520, 1347, 1379
fault notification generator, CFM 523, 529, 554, 1383, 1385
fault notification, CFM 520, 554, 1347, 1382, 1383, 1385
fault verification, CFM 520, 1347
FIB, description 1469
firmware
  displaying version 125, 734
  upgrading 129, 738
  upgrading automatically 133, 743
  upgrading with FTP or TFTP 133, 738
  version, displaying 125, 734
forwarding information base See FIB

G
GARP VLAN Registration Protocol See GVRP
gateway, IPv4 default 1424
gateway, IPv6 default 644, 1433
g

IPv4 address
  BOOTP/DHCP 640, 1413, 1422
  dynamic configuration 92
  manual configuration 89
  setting 89, 639, 1422
IPv4 source guard
  configuring static entries 403, 936
  setting filter criteria 401, 938
  setting maximum bindings 402, 939, 940
IPv6
  displaying neighbors 654, 1457
  duplicate address detection 646, 654, 1452, 1457
  enabling 646, 1439
  MTU 646, 1441
  router advertisements, blocking 648, 1454
  statistics 655, 1445
IPv6 address
  dynamic configuration (global unicast) 93, 651, 1435
  dynamic configuration

logon banner, configuring 718
loop back messages, CFM 520, 522, 542, 1347, 1381
loopback detection, non-STA 1073
loopback detection, STA 242, 1107

M
MAC address authentication 331, 895
  ports, configuring 334, 895, 904
  reauthentication 334, 898
MAC address learning 231, 890
MAC address, mirroring 237, 1045
main menu, web interface 106
maintenance association, CFM 520, 532, 1347, 1356, 1362
maintenance domain, CFM 520, 521, 527, 1347, 1353, 1362
maintenance end point, CFM 521, 523, 528, 533, 537, 546,

  specifying priority 607, 1284, 1305
  static binding 614, 1284, 1292
  static binding, group to port 614, 1292
  statistics, displaying 617, 1298
  using immediate leave 613, 1290
MVR6
  assigning static multicast groups 630, 1306, 1313
  configuring 624, 1303, 1311
  interface status, configuring 628, 1311–1313
  interface status, displaying 630, 1317
  IP for control packets sent upstream 624, 1310
  proxy switching 622, 1307
  receiver groups, displaying 632, 1318
  robust value for proxy switching 622, 1309
  setting inte

  transceiver threshold, temperature 173, 1012
  transceiver threshold, trap 172, 1009
  transceiver threshold, TX power 173, 1013
  transceiver threshold, voltage 173, 1014
  unknown unicast storm threshold 265, 1057
power budgets
  port 450, 1038
  port priority 452, 1039
power savings
  configuring 191, 1019
  enabling per port 191, 1019
PPPoE 672–677, 880–886
priority, default port ingress 273, 1198
private key, SSH 344, 853
privilege level, defining per command 827
problems, troubleshooting 1479
protocol migratio

SNMP 452, 793
  community string 466, 795
  enabling traps 472, 798
  filtering IP addresses 383, 878
  global settings, configuring 454, 795
  trap manager 472, 799
  traps, CFM 525, 1369, 1373
  users, configuring 467, 469
SNMPv3 803–805
  engine ID 456, 457, 803
  engine identifier, local 456, 803
  engine identifier, remote 457, 803
  groups 461, 804
  local users, configuring 467, 805
  remote users, configuring 469, 805
  user configuration 467, 469, 805
  views 458, 806
SNTP
  setting the system clock 138, 770–772
  specifying

trace route 684, 1426, 1450
traffic segmentation 193, 963
  assigning ports 193, 963, 964, 965
  enabling 193, 963, 964, 965
  sessions, assigning ports 195, 963, 964, 965
  sessions, creating 194, 963, 964, 965
transceiver data, displaying 170, 1015
transceiver thresholds
  configuring 172, 1009
  displaying 172, 1009, 1016
trap manager 98, 472, 799
troubleshooting 1479
trTCM
  police meter 297, 1217
  QoS policy 293, 1217
trunk
  configuration 176, 1021
  LACP 179, 1021, 1024
  load balance 189, 1022
  load balancing 1022
ECS4110-28T ECS4110-28P ECS4110-52T ECS4110-52P E072014/ST-R02 150200000929A