ECS4510-28T/P/F ECS4510-28F-DC ECS4510-52T/P 28/52-Port Layer 2+ Stackable GE Switch CLI Reference Guide Software Release v1.5.2.36 www.edge-core.
CLI Reference Guide ECS4510-28T Stackable GE Switch Layer 2+ Stackable Gigabit Ethernet Switch with 24 10/100/1000BASE-T (RJ-45) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports ECS4510-28F-DC Stackable GE Switch Layer 2+ Stackable Gigabit Ethernet Fiber Switch with 22 SFP Ports, 2 10/100/1000BASE-T (RJ-45/SFP) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports ECS4510-28P Stackable GE PoE Switch Layer 2+ Stackable Gigabit Ethernet PoE Switch w
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read This Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
Conventions: The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment. Warning: Alerts you to a potential hazard that could cause personal injury.
Documentation: This documentation is provided for general information purposes only.
Contents Section I How to Use This Guide 3 Contents 5 Figures 39 Tables 41 Getting Started 47 1 Initial Switch Configuration Connecting to the Switch 49 49 Configuration Options 49 Connecting to the Console Port 50 Logging Onto the Command Line Interface 51 Setting Passwords 51 Remote Connections 52 Stack Operations 53 Selecting the Stack Master 53 Selecting the Backup Unit 54 Recovering from Stack Failure or Topology Change 54 Renumbering the Stack 55 Ensuring Consistent C
Contents Downloading Operation Code from a File Server 67 Specifying a DHCP Client Identifier 70 Downloading a Configuration File and Other Parameters Provided by a DHCP Server 71 Setting the System Clock Section II 73 Setting the Time Manually 73 Configuring SNTP 74 Configuring NTP 74 Command Line Interface 2 Using the Command Line Interface Accessing the CLI 77 79 79 Console Connection 79 Telnet Connection 80 Entering Commands 81 Keywords and Arguments 81 Minimum Abbreviation 81
Contents show history 96 configure 97 disable 98 reload (Privileged Exec) 98 show reload 99 end 99 exit 99 4 System Management Commands Device Designation 101 101 hostname 102 Banner Information 102 banner configure 103 banner configure company 104 banner configure dc-power-info 105 banner configure department 105 banner configure equipment-info 106 banner configure equipment-location 107 banner configure ip-lan 107 banner configure lp-number 108 banner configure manager
Contents show watchdog 121 watchdog software 121 Fan Control 122 fan-speed force-full Frame Size 122 122 jumbo frame 122 File Management 123 General Commands 125 boot system 125 copy 126 delete 129 dir 130 whichboot 131 Automatic Code Upgrade Commands 132 upgrade opcode auto 132 upgrade opcode path 133 upgrade opcode reload 134 show upgrade 135 TFTP Configuration Commands 135 ip tftp retry 135 ip tftp timeout 136 show ip tftp 136 Line 137 line 138 databits 138
Contents terminal 146 show line 147 Event Logging 148 logging facility 148 logging history 149 logging host 150 logging on 150 logging trap 151 clear log 152 show log 152 show logging 153 SMTP Alerts 155 logging sendmail 155 logging sendmail host 155 logging sendmail level 156 logging sendmail destination-email 157 logging sendmail source-email 157 show logging sendmail 158 Time 158 SNTP Commands 159 sntp client 159 sntp poll 160 sntp server 161 show sntp 161
Contents calendar set 171 show calendar 171 Time Range 172 time-range 172 absolute 173 periodic 174 show time-range 175 Switch Clustering 175 cluster 176 cluster commander 177 cluster ip-pool 178 cluster member 178 rcommand 179 show cluster 180 show cluster members 180 show cluster candidates 180 Stacking 181 switch all renumber 181 switch master button 182 switch stacking button 183 show switch master button 183 show switch stacking button 184 5 SNMP Commands 1
Contents SNMPv3 Commands 195 snmp-server engine-id 195 snmp-server group 196 snmp-server user 197 snmp-server view 199 show snmp engine-id 200 show snmp group 200 show snmp user 201 show snmp view 202 Notification Log Commands 203 nlm 203 snmp-server notify-filter 204 show nlm oper-status 205 show snmp notify-filter 205 Additional Trap Commands 206 memory 206 process cpu 206 6 Remote Monitoring Commands 209 rmon alarm 210 rmon event 211 rmon collection history 212
Contents enable password 224 username 225 privilege 227 show privilege 227 Authentication Sequence 228 authentication enable 228 authentication login 229 RADIUS Client 230 radius-server acct-port 230 radius-server auth-port 231 radius-server host 231 radius-server key 232 radius-server retransmit 233 radius-server timeout 233 show radius-server 234 TACACS+ Client 234 tacacs-server host 235 tacacs-server key 235 tacacs-server port 236 tacacs-server retransmit 236 taca
Contents Web Server 247 ip http port 247 ip http server 248 ip http secure-port 248 ip http secure-server 249 Telnet Server 250 ip telnet max-sessions 251 ip telnet port 251 ip telnet server 252 show ip telnet 252 Secure Shell 253 ip ssh authentication-retries 256 ip ssh server 256 ip ssh server-key size 257 ip ssh timeout 257 delete public-key 258 ip ssh crypto host-key generate 259 ip ssh crypto zeroize 259 ip ssh save host-key 260 show ip ssh 260 show public-key
Contents dot1x timeout re-authperiod 269 dot1x timeout supp-timeout 269 dot1x timeout tx-period 270 dot1x re-authenticate 270 Supplicant Commands 271 dot1x identity profile 271 dot1x max-start 272 dot1x pae supplicant 272 dot1x timeout auth-period 273 dot1x timeout held-period 273 dot1x timeout start-period 274 Information Display Commands show dot1x 274 274 Management IP Filter 277 management 277 show management 278 PPPoE Intermediate Agent 279 pppoe intermediate-agent 2
Contents network-access aging 296 network-access mac-filter 297 mac-authentication reauth-time 298 network-access dynamic-qos 298 network-access dynamic-vlan 299 network-access guest-vlan 300 network-access link-detection 301 network-access link-detection link-down 301 network-access link-detection link-up 302 network-access link-detection link-up-down 303 network-access max-mac-count 303 network-access mode mac-authentication 304 network-access port-mac-filter 305 mac-authenticat
Contents ip dhcp snooping information option tr101 board-id 322 ip dhcp snooping information policy 322 ip dhcp snooping limit rate 323 ip dhcp snooping verify mac-address 323 ip dhcp snooping vlan 324 ip dhcp snooping information option circuit-id 325 ip dhcp snooping trust 326 clear ip dhcp snooping binding 327 clear ip dhcp snooping database flash 327 ip dhcp snooping database flash 328 show ip dhcp snooping 328 show ip dhcp snooping binding 329 DHCPv6 Snooping 329 ipv6 dhcp sn
Contents ipv6 source-guard max-binding 349 show ipv6 source-guard 350 show ipv6 source-guard binding 351 ARP Inspection 351 ip arp inspection 352 ip arp inspection filter 353 ip arp inspection log-buffer logs 354 ip arp inspection validate 355 ip arp inspection vlan 356 ip arp inspection limit 357 ip arp inspection trust 357 show ip arp inspection configuration 358 show ip arp inspection interface 358 show ip arp inspection log 359 show ip arp inspection statistics 359 show ip
Contents IPv4 ACLs 371 access-list ip 372 ip access-group (Global Configuration) 373 permit, deny (Standard IP ACL) 374 permit, deny (Extended IPv4 ACL) 375 ip access-group (Interface Configuration) 377 show ip access-group 378 show ip access-list 378 IPv6 ACLs 379 access-list ipv6 379 ipv6 access-group (Global Configuration) 380 permit, deny (Standard Pv6 ACL) 381 permit, deny (Extended IPv6 ACL) 382 ipv6 access-group (Interface Configuration) 384 show ipv6 access-group 384 s
Contents alias 401 capabilities 402 description 403 discard 403 flowcontrol 404 history 405 media-type 406 negotiation 407 shutdown 407 speed-duplex 408 clear counters 409 show discard 410 show interfaces brief 410 show interfaces counters 411 show interfaces status 415 show interfaces switchport 416 Transceiver Threshold Configuration 418 transceiver-monitor 418 transceiver-threshold-auto 418 transceiver-threshold current 419 transceiver-threshold rx-power 420 tra
Contents Manual Configuration Commands 432 port channel load-balance 432 channel-group 434 Dynamic Configuration Commands 435 lacp 435 lacp admin-key (Ethernet Interface) 436 lacp port-priority 437 lacp system-priority 438 lacp admin-key (Port Channel) 438 lacp timeout 439 Trunk Status Display Commands 440 show lacp 440 show port-channel load-balance 443 13 Power over Ethernet Commands 445 power inline 445 power inline maximum allocation 446 power inline priority 447 show
Contents switchport packet-rate 463 Automatic Traffic Control Commands 464 Threshold Commands 467 auto-traffic-control apply-timer 467 auto-traffic-control release-timer 468 auto-traffic-control 469 auto-traffic-control action 469 auto-traffic-control alarm-clear-threshold 470 auto-traffic-control alarm-fire-threshold 471 auto-traffic-control auto-control-release 472 auto-traffic-control control-release 473 SNMP Trap Commands 473 snmp-server enable port-traps atc broadcast-alarm-cle
Contents udld recovery 487 udld recovery-interval 487 udld aggressive 488 udld port 489 show udld 490 18 Address Table Commands 493 mac-address-table aging-time 493 mac-address-table hash-lookup-depth 494 mac-address-table static 495 clear collision-mac-address-table 496 clear mac-address-table dynamic 496 show collision-mac-address-table 496 show mac-address-table 497 show mac-address-table aging-time 498 show mac-address-table count 498 show mac-address-table hash-lookup-dep
Contents spanning-tree bpdu-filter 514 spanning-tree bpdu-guard 514 spanning-tree cost 515 spanning-tree edge-port 517 spanning-tree link-type 517 spanning-tree loopback-detection 518 spanning-tree loopback-detection action 519 spanning-tree loopback-detection release-mode 519 spanning-tree loopback-detection trap 520 spanning-tree mst cost 521 spanning-tree mst port-priority 522 spanning-tree port-bpdu-flooding 522 spanning-tree port-priority 523 spanning-tree root-guard 524 sp
Contents propagate-tc 545 raps-def-mac 546 raps-without-vc 547 ring-port 549 rpl neighbor 550 rpl owner 550 version 551 wtr-timer 552 clear erps statistics 553 erps clear 553 erps forced-switch 554 erps manual-switch 556 show erps 557 21 VLAN Commands 563 GVRP and Bridge Extension Commands 564 bridge-ext gvrp 564 garp timer 565 switchport forbidden vlan 566 switchport gvrp 566 show bridge-ext 567 show garp timer 568 show gvrp configuration 569 Editing VLAN Groups
Contents show vlan 578 Configuring IEEE 802.
Contents 22 Class of Service Commands 609 Priority Commands (Layer 2) 609 queue mode 610 queue weight 611 switchport priority default 612 show queue mode 613 show queue weight 613 Priority Commands (Layer 3 and 4) 614 qos map cos-dscp 614 qos map dscp-mutation 616 qos map phb-queue 617 qos map trust-mode 618 show qos map cos-dscp 619 show qos map dscp-mutation 619 show qos map phb-queue 620 show qos map trust-mode 621 23 Quality of Service Commands 623 class-map 624 desc
Contents IGMP Snooping 643 ip igmp snooping 645 ip igmp snooping priority 645 ip igmp snooping proxy-reporting 646 ip igmp snooping querier 647 ip igmp snooping router-alert-option-check 647 ip igmp snooping router-port-expire-time 648 ip igmp snooping tcn-flood 648 ip igmp snooping tcn-query-solicit 650 ip igmp snooping unregistered-data-flood 650 ip igmp snooping unsolicited-report-interval 651 ip igmp snooping version 652 ip igmp snooping version-exclusive 652 ip igmp snooping
Contents ip igmp authentication 670 ip igmp filter (Interface Configuration) 672 ip igmp max-groups 673 ip igmp max-groups action 673 ip igmp query-drop 674 ip multicast-data-drop 674 show ip igmp authentication 675 show ip igmp filter 676 show ip igmp profile 676 show ip igmp query-drop 677 show ip igmp throttle interface 677 show ip multicast-data-drop 678 MLD Snooping 679 ipv6 mld snooping 680 ipv6 mld snooping querier 680 ipv6 mld snooping query-interval 681 ipv6 mld sno
Contents ipv6 mld filter (Interface Configuration) 693 ipv6 mld max-groups 693 ipv6 mld max-groups action 694 ipv6 mld query-drop 695 ipv6 multicast-data-drop 695 show ipv6 mld filter 696 show ipv6 mld profile 696 show ipv6 mld query-drop 697 show ipv6 mld throttle interface 697 MVR for IPv4 698 mvr 699 mvr associated-profile 700 mvr domain 700 mvr priority 701 mvr profile 702 mvr proxy-query-interval 703 mvr proxy-switching 703 mvr robustness-value 704 mvr source-port-m
Contents mvr6 priority 723 mvr6 profile 724 mvr6 proxy-query-interval 725 mvr6 proxy-switching 725 mvr6 robustness-value 727 mvr6 source-port-mode dynamic 727 mvr6 upstream-source-ip 728 mvr6 vlan 729 mvr6 immediate-leave 729 mvr6 type 730 mvr6 vlan group 731 clear mvr6 groups dynamic 732 clear mvr6 statistics 733 show mvr6 733 show mvr6 associated-profile 734 show mvr6 interface 735 show mvr6 members 736 show mvr6 profile 737 show mvr6 statistics 738 25 LLDP Commands
Contents lldp dot1-tlv proto-vid 750 lldp dot1-tlv pvid 751 lldp dot1-tlv vlan-name 751 lldp dot3-tlv link-agg 752 lldp dot3-tlv mac-phy 752 lldp dot3-tlv max-frame 753 lldp dot3-tlv poe 753 lldp med-location civic-addr 754 lldp med-notification 756 lldp med-tlv ext-poe 756 lldp med-tlv inventory 757 lldp med-tlv location 757 lldp med-tlv med-cap 758 lldp med-tlv network-policy 758 lldp notification 759 show lldp config 760 show lldp info local-device 761 show lldp info re
Contents show ethernet cfm ma 782 show ethernet cfm maintenance-points local 783 show ethernet cfm maintenance-points local detail mep 784 show ethernet cfm maintenance-points remote detail 785 Continuity Check Operations 787 ethernet cfm cc ma interval 787 ethernet cfm cc enable 788 snmp-server enable traps ethernet cfm cc 789 mep archive-hold-time 790 clear ethernet cfm maintenance-points remote 790 clear ethernet cfm errors 791 show ethernet cfm errors 792 Cross Check Operations
Contents 27 OAM Commands 809 efm oam 810 efm oam critical-link-event 810 efm oam link-monitor frame 811 efm oam link-monitor frame threshold 812 efm oam link-monitor frame window 812 efm oam mode 813 clear efm oam counters 814 clear efm oam event-log 814 efm oam remote-loopback 815 efm oam remote-loopback test 816 show efm oam counters interface 817 show efm oam event-log interface 817 show efm oam remote-loopback interface 819 show efm oam status interface 819 show efm oam st
Contents show ip dhcp dynamic-provision DHCP for IPv6 833 834 ipv6 dhcp client rapid-commit vlan 834 ipv6 dhcp restart client vlan 834 show ipv6 dhcp duid 836 show ipv6 dhcp vlan 836 DHCP Relay 837 ip dhcp relay server 837 ip dhcp restart relay 838 DHCP Relay for IPv6 839 ipv6 dhcp relay destination 839 show ipv6 dhcp relay destination 840 show ip dhcp 840 30 IP Interface Commands IPv4 Interface 843 843 Basic IPv4 Configuration 844 ip address 844 ip default-gateway 846 show
Contents ipv6 address link-local 862 ipv6 enable 863 ipv6 mtu 864 show ipv6 default-gateway 865 show ipv6 interface 866 show ipv6 mtu 868 show ipv6 traffic 868 clear ipv6 traffic 873 ping6 873 traceroute6 874 Neighbor Discovery 876 ipv6 hop-limit 876 ipv6 nd dad attempts 876 ipv6 nd ns-interval 878 ipv6 nd raguard 879 ipv6 nd reachable-time 880 clear ipv6 neighbors 880 show ipv6 nd raguard 881 show ipv6 neighbors 881 ND Snooping 882 ipv6 nd snooping 884 ipv6 nd sno
Contents IPv4 Commands 894 ip route 894 show ip route 895 show ip route database 896 show ip route summary 896 show ip traffic 897 Routing Information Protocol (RIP) Section III 898 router rip 899 default-information originate 899 default-metric 900 distance 901 maximum-prefix 902 neighbor 902 network 903 passive-interface 904 redistribute 904 timers basic 906 version 907 ip rip authentication mode 908 ip rip authentication string 909 ip rip receive version 909 ip
Contents B License Information 921 The GNU General Public License 921 Glossary 925 Index of CLI Commands 933 Index 943 – 37 –
Figures Figure 1: Storm Control by Limiting the Traffic Rate 466 Figure 2: Storm Control by Shutting Down a Port 467 Figure 3: Non-ERPS Device Protection 541 Figure 4: Sub-ring with Virtual Channel 548 Figure 5: Sub-ring without Virtual Channel 548 Figure 6: Configuring VLAN Trunking 577 Figure 7: Mapping QinQ Service VLAN to Customer VLAN 583 Figure 8: Configuring VLAN Translation 591 – 39 –
Tables Table 1: Options 60, 66 and 67 Statements 72 Table 2: Options 55 and 124 Statements 72 Table 3: General Command Modes 85 Table 4: Configuration Command Modes 87 Table 5: Keystroke Commands 88 Table 6: Command Group Index 89 Table 7: General Commands 93 Table 8: System Management Commands 101 Table 9: Device Designation Commands 101 Table 10: Banner Commands 102 Table 11: System Status Commands 111 Table 12: show system – display description 118 Table 13: show version – displ
Tables Table 30: show snmp engine-id - display description 200 Table 31: show snmp group - display description 201 Table 32: show snmp user - display description 202 Table 33: show snmp view - display description 203 Table 34: RMON Commands 209 Table 35: sFlow Commands 217 Table 36: Authentication Commands 223 Table 37: User Access Commands 224 Table 38: Default Login Settings 226 Table 39: Authentication Sequence Commands 228 Table 40: RADIUS Client Commands 230 Table 41: TACACS+ Cli
Tables Table 65: Commands for Configuring Traffic Segmentation 366 Table 66: Traffic Segmentation Forwarding 367 Table 67: Access Control List Commands 371 Table 68: IPv4 ACL Commands 371 Table 69: IPv6 ACL Commands 379 Table 70: MAC ACL Commands 385 Table 71: ARP ACL Commands 393 Table 72: ACL Information Commands 395 Table 73: Interface Commands 399 Table 74: show interfaces counters - display description 412 Table 75: show interfaces switchport - display description 417 Table 76: L
Tables Table 100: show erps - summary display description 558 Table 101: show erps domain - detailed display description 559 Table 102: show erps statistics - detailed display description 561 Table 103: VLAN Commands 563 Table 104: GVRP and Bridge Extension Commands 564 Table 105: show bridge-ext - display description 567 Table 106: Commands for Editing VLAN Groups 569 Table 107: Commands for Configuring VLAN Interfaces 571 Table 108: Commands for Displaying VLAN Information 578 Table 109
Tables Table 135: show mvr interface - display description 713 Table 136: show mvr members - display description 715 Table 137: show mvr statistics input - display description 717 Table 138: show mvr statistics output - display description 717 Table 139: show mvr statistics query - display description 718 Table 140: show mvr statistics summary interface - display description 719 Table 141: show mvr statistics summary interface mvr vlan - description 720 Table 142: Multicast VLAN Registration
Tables Table 170: IPv4 Interface Commands 843 Table 171: Basic IP Configuration Commands 844 Table 172: Address Resolution Protocol Commands 851 Table 173: IPv6 Configuration Commands 855 Table 174: show ipv6 interface - display description 867 Table 175: show ipv6 mtu - display description 868 Table 176: show ipv6 traffic - display description 870 Table 177: show ipv6 neighbors - display description 882 Table 178: ND Snooping Commands 883 Table 179: IP Routing Commands 893 Table 180: G
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IPv4 address for this switch is obtained via DHCP by default.
Chapter 1 | Initial Switch Configuration Connecting to the Switch ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4093 IEEE 802.
■ Set the emulation mode to VT100. ■ When using HyperTerminal, select Terminal keys, not Windows keys. 4. Power on the switch. After the system completes the boot cycle, the logon screen appears.
Logging Onto the Command Line Interface: The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
Username: admin
Password:
CLI session with the ECS4510-28T* is opened.
To end the CLI session, enter [Exit].
Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#
* This manual covers the ECS4510-28T/52T Gigabit Ethernet switches, the ECS4510-28F/28F-DC Gigabit Ethernet fiber switches, and the ECS4510-28P/52P Gigabit Ethernet PoE switches.
Chapter 1 | Initial Switch Configuration Stack Operations Stack Operations Up to eight switches can be stacked together as described in the Installation Guide. One unit in the stack acts as the Master for configuration tasks and firmware upgrade. All of the other units function in Slave mode, but can automatically take over management of the stack if the Master unit fails.
Selecting the Backup Unit: Once the Master unit finishes booting up, it continues to synchronize configuration information to all of the Slave units in the stack. If the Master unit fails or is powered off, a new master unit will be selected based on the election rules described in the preceding section. The backup unit elected to serve as the new stack Master will take control of the stack without any loss of configuration settings.
Chapter 1 | Initial Switch Configuration Stack Operations failover events, you should include port members on several units within the primary VLAN used for stack management. Resilient Configuration If a unit in the stack fails, the unit numbers will not change. This means that when you replace a unit in the stack, the original configuration for the failed unit will be restored to the replacement unit. This applies to both the Master and Slave units.
Configuring the Switch for Remote Management
Using the Network Interface: The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to standard network ports, such as ACLs and VLAN tagging.
To assign an IPv4 address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press Enter.
3. Type “exit” to return to the global configuration mode prompt.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  fe80::260:3eff:fe11:6700%1/64
Global unicast address(es):
  (None)
Joined group address(es):
  ff02::1:ff11:6700
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
4. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway” is the IPv6 address of the default gateway. Press Enter.
To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  fe80::2e0:cff:fe00:fd%1/64
Global unicast address(es):
  (None)
Joined group address(es):
  ff02::1:ff00:fd
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
Global unicast address(es):
  2001:db8:2222:7272::/64, subnet is 2001:db8:2222:7272::/64[AUTOCONFIG]
    valid lifetime 2591978 preferred lifetime 604778
Joined group address(es):
  ff02::1:ff11:6700
  ff02::1:ff00:0
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
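The link-local and multicast addresses in the show ipv6 interface output above follow directly from the interface addresses, and checking them is a quick way to confirm that the joined groups match what was configured. The Python below is an added example, not code from the Edge-core guide or its firmware: it computes the modified EUI-64 link-local address from a MAC and the solicited-node multicast group for each unicast address, then reports any joined group that none of the configured addresses explains. It assumes that the link-local address fe80::260:3eff:fe11:6700 was formed from the MAC 00-60-3E-11-67-00; that MAC is inferred from the output, not a value the guide states.

```python
# Added example (not from the Edge-core guide): derive the IPv6 values that
# the "show ipv6 interface" output lists, so the Joined group addresses can
# be checked against the interface's unicast addresses.
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")   # every IPv6 interface joins this group


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 link-local address for a 48-bit MAC (RFC 4291 App. A):
    flip the universal/local bit (0x02) in the first octet, insert ff:fe
    between the OUI and the device-specific half, then prefix with fe80::/64."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group for a unicast address: ff02::1:ffXX:XXXX,
    where XX:XXXX are the low-order 24 bits of the unicast address. Neighbor
    Discovery (DAD and address resolution) is sent to this group."""
    low24 = ipaddress.IPv6Address(addr).packed[13:16]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def expected_groups(unicast_addrs) -> set:
    """Groups an interface should have joined: all-nodes plus one solicited-node
    group per unicast address (addresses sharing their low 24 bits collapse)."""
    groups = {ALL_NODES}
    groups.update(solicited_node(a) for a in unicast_addrs)
    return groups


def unexpected_groups(shown_groups, unicast_addrs) -> set:
    """Groups present in the switch output that none of the configured unicast
    addresses explain; a non-empty result is worth a second look."""
    shown = {ipaddress.IPv6Address(g) for g in shown_groups}
    return shown - expected_groups(unicast_addrs)


if __name__ == "__main__":
    # Addresses are taken from the guide's output; the MAC is inferred from the link-local.
    mac = "00-60-3E-11-67-00"
    addrs = ["fe80::260:3eff:fe11:6700", "2001:db8:2222:7272::"]
    print("link-local from MAC:", eui64_link_local(mac))
    for a in addrs:
        print(a, "->", solicited_node(a))
    shown = ["ff02::1:ff11:6700", "ff02::1:ff00:0", "ff02::1"]
    print("unexplained groups:", unexpected_groups(shown, addrs))
```

The [AUTOCONFIG] address in the output has an all-zero interface identifier, which is why its solicited-node group is ff02::1:ff00:0; the two group lists printed by the switch are exactly what expected_groups returns for the two address sets.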
Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e.
Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command.
Chapter 1 | Initial Switch Configuration Managing System Files Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The types of files are: ◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved.
Upgrading the Operation Code: The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux. When downloading from an FTP server, the logon interface will prompt for a user name and password configured on the remote server. Note that “anonymous” is set as the default user name. File names on the switch are case-sensitive.
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command. To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press Enter.
2. Enter the name of the start-up file. Press Enter.
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings Usage Guidelines ◆ If this feature is enabled, the switch searches the defined URL once during the bootup sequence. ◆ FTP (port 21) and TFTP (port 69) are both supported. Note that the TCP/UDP port bindings cannot be modified to support servers listening on non-standard ports. ◆ The host portion of the upgrade file location URL must be a valid IPv4 IP address. DNS host names are not recognized.
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings ◆ During the automatic search and transfer process, the administrator cannot transfer or update another operation code image, configuration file, public key, or HTTPS certificate (i.e., no other concurrent file management operations are possible). ◆ The upgrade operation code image is set as the startup image after it has been successfully written to the file system.
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings image upgrade is enabled by this command, the switch will follow these steps when it boots up: a. It will search for a new version of the image at the location specified by upgrade opcode path command. The name for the new image stored on the TFTP server must be ECS4510-28T.bix. If the switch detects a code version newer than the one currently in use, it will download the new image.
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings can be formatted in either text or hexadecimal, but the format used by both the client and server must be the same.
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings To successfully transmit a bootup configuration file to the switch, the DHCP daemon (using a Linux based system for this example) must be configured with the following information: ◆ Options 60, 66 and 67 statements can be added to the daemon’s configuration file.
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.100";    #Default Option 66
  option bootfile-name "bootfile";              #Default Option 67
}
class "Option66,67_1" {    #DHCP Option 60 Vendor class two
  match if option vendor-class-identifier = "ecs4510-28t.cfg";
  option tftp-server-name "192.168.255.
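The dhcpd.conf fragment above works because the switch announces itself in option 60 and the server answers with options 66 and 67, and the earlier note that an identifier can be given in text or hexadecimal form only holds if both sides produce the same bytes. The Python below is an added example, not code from the Edge-core guide or from ISC dhcpd: it encodes and parses the DHCP option block (options 60, 61, 66 and 67), shows that the text and hex spellings of the same identifier yield identical bytes, rejects a truncated block rather than returning partial values, and reproduces the class-versus-default choice the server configuration makes. The class table, the bootfile name and the hex string (the ASCII encoding of ecs4510-28t.cfg) are constructed for the example.

```python
# Added example (not from the Edge-core guide): encode and parse the DHCP
# options that carry auto-provisioning data (60, 61, 66, 67) and reproduce
# the server-side choice the dhcpd.conf above makes from the vendor class.
import binascii
import struct

OPT_PAD = 0
OPT_VENDOR_CLASS = 60   # vendor class identifier, matched by the dhcpd "class" rule
OPT_CLIENT_ID = 61      # client identifier
OPT_TFTP_SERVER = 66    # TFTP server name
OPT_BOOTFILE = 67       # bootfile name
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that precedes the options


def identifier_bytes(value: str, fmt: str) -> bytes:
    """Bytes a client sends for an identifier given in text or hex form. The
    server compares raw bytes, so client and server must agree on the form."""
    if fmt == "text":
        return value.encode("ascii")
    if fmt == "hex":
        return binascii.unhexlify(value)
    raise ValueError("fmt must be 'text' or 'hex'")


def encode_options(options: dict) -> bytes:
    """Serialize {code: bytes} as the type-length-value option block."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options.items():
        if not 0 < code < OPT_END or len(value) > 255:
            raise ValueError(f"cannot encode option {code}")
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob: bytes) -> dict:
    """Parse the TLV block back into {code: bytes}. Every declared length is
    checked against the bytes actually present, so a truncated or malformed
    block raises instead of yielding partial values."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, options = 4, {}
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return options
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but block ends early")
        options[code] = value
        i += 2 + length
    raise ValueError("option block not terminated by END")


def is_well_formed(blob: bytes) -> bool:
    """True when the block parses cleanly; False for any structural defect."""
    try:
        parse_options(blob)
        return True
    except ValueError:
        return False


def select_boot_options(request: bytes, classes: dict, defaults: tuple) -> tuple:
    """Server-side choice of (TFTP server, bootfile): the class whose
    vendor-class-identifier equals option 60 wins, else the subnet defaults."""
    opts = parse_options(request)
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", errors="replace")
    return classes.get(vendor, defaults)


# Constructed sample data: a request carrying the vendor class from the guide's
# dhcpd.conf plus an Ethernet (type 1) client id, and a server-side class table.
SAMPLE_REQUEST = encode_options({
    OPT_VENDOR_CLASS: identifier_bytes("ecs4510-28t.cfg", "text"),
    OPT_CLIENT_ID: b"\x01" + bytes.fromhex("00603e116700"),
})
SAMPLE_CLASSES = {"ecs4510-28t.cfg": ("192.168.255.100", "ecs4510-28t.cfg")}
SAMPLE_DEFAULTS = ("192.168.255.100", "bootfile")

if __name__ == "__main__":
    print(parse_options(SAMPLE_REQUEST))
    print(select_boot_options(SAMPLE_REQUEST, SAMPLE_CLASSES, SAMPLE_DEFAULTS))
```

A request whose vendor class matches no configured class falls through to the subnet defaults, exactly as the dhcpd subnet block supplies option 66 and 67 defaults for clients that match no class.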
To set the time shift for summer time, enter a command similar to the following.
Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 0
Console(config)#
To display the clock configuration settings, enter the following command.
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#exit
Console#show ntp
Current Time : Apr 29 13:57:32 2011
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.0.88 Port: 123
Last Update Time : Mar 12 02:41:01 2013 UTC
NTP Server 192.168.0.88 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
Section II | Command Line Interface ◆ “Address Table Commands” on page 493 ◆ “Spanning Tree Commands” on page 501 ◆ “ERPS Commands” on page 531 ◆ “VLAN Commands” on page 563 ◆ “Class of Service Commands” on page 609 ◆ “Quality of Service Commands” on page 623 ◆ “Multicast Filtering Commands” on page 643 ◆ “LLDP Commands” on page 741 ◆ “CFM Commands” on page 767 ◆ “OAM Commands” on page 809 ◆ “Domain Name Service Commands” on page 821 ◆ “DHCP Commands” on page 829 ◆ “IP Interface Co
2 Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Chapter 2 | Using the Command Line Interface Accessing the CLI Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
Chapter 2 | Using the Command Line Interface Entering Commands Note: You can open up to eight sessions to the device via Telnet or SSH. Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
Chapter 2 | Using the Command Line Interface Entering Commands Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
Chapter 2 | Using the Command Line Interface Entering Commands port port-channel power power-save pppoe privilege process protocol-vlan public-key qos queue radius-server reload rmon rspan running-config sflow snmp snmp-server sntp spanning-tree ssh startup-config subnet-vlan switch system tacacs-server tech-support time-range traffic-segmentation udld upgrade users version vlan vlan-translation voice watchdog web-auth Console#show Port characteristics Port channel information Shows power Shows the power
Chapter 2 | Using the Command Line Interface Entering Commands display the rest of the information without stopping. You can press any other key to terminate the display. Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
Chapter 2 | Using the Command Line Interface Entering Commands Table 3: General Command Modes Class Mode Exec Normal Privileged Configuration Global* Access Control List CFM Class Map DHCP ERPS IGMP Profile Interface Line Multiple Spanning Tree Policy Map Router Time Range VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Chapter 2 | Using the Command Line Interface Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
Chapter 2 | Using the Command Line Interface Entering Commands To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Chapter 2 | Using the Command Line Interface Entering Commands Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
Chapter 2 | Using the Command Line Interface CLI Command Groups
Console(config)#end
Console#show ip igmp snooping mrouter
 VLAN M'cast Router Ports Type
 ---- ------------------- ------
    1 Eth 1/11            Static
Console#
CLI Command Groups The system commands can be broken down into the functional groups shown below.
Chapter 2 | Using the Command Line Interface CLI Command Groups Table 6: Command Group Index (Continued) Command Group Description Page Congestion Control Sets the input/output rate limits, traffic storm thresholds, and thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port. 461
Chapter 2 | Using the Command Line Interface CLI Command Groups The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) CFM (Connectivity Fault Management Configuration) CM (Class Map Configuration) ERPS (Ethernet Ring Protection Switching Configuration) GC (Global Configuration) IC (Interface Configuration) IPC (IGMP Profile Configuration) LC (Line Configuration) MST (Multiple Spanning Tree) NE (Normal Exec) PE (Privileged Exec) PM (Policy
3 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Chapter 3 | General Commands Command Mode Global Configuration Example Console(config)#prompt RD2 RD2(config)# reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
Chapter 3 | General Commands Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 126).
Chapter 3 | General Commands Example Console>enable Password: [privileged level password] Console# Related Commands disable (98) enable password (224) quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program.
Chapter 3 | General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
Chapter 3 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 84. Default Setting None Command Mode Privileged Exec Command Usage The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
Chapter 3 | General Commands show reload This command displays the current reload settings, and the time at which next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001. Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds. Console# end This command returns to Privileged Exec mode.
Chapter 3 | General Commands Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:
4 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Chapter 4 | System Management Commands Banner Information hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host.
Chapter 4 | System Management Commands Banner Information Table 10: Banner Commands (Continued) Command Function Mode banner configure lp-number Configures the LP Number information that is displayed by GC banner banner configure manager- Configures the Manager contact information that is info displayed by banner GC banner configure mux Configures the MUX information that is displayed by banner GC banner configure note Configures miscellaneous information that is displayed by GC banner under the
Chapter 4 | System Management Commands Banner Information The physical location of the equipment. City and street address: 12 Straight St. Motown, Zimbabwe Information about this equipment: Manufacturer: Edge-Core Networks ID: 123_unique_id_number Floor: 2 Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply. Floor: 2 Row: 7 Rack: 25 Electrical circuit: ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.
Chapter 4 | System Management Commands Banner Information banner configure dc-power-info This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id no banner configure dc-power-info [floor | row | rack | electrical-circuit] floor-id - The floor number. row-id - The row number. rack-id - The rack number. ec-id - The electrical circuit ID.
Chapter 4 | System Management Commands Banner Information Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Chapter 4 | System Management Commands Banner Information Example Console(config)#banner configure equipment-info manufacturer-id ECS4510-28T floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core Console(config)# banner configure equipment-location This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
Chapter 4 | System Management Commands Banner Information Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
Chapter 4 | System Management Commands Banner Information banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] no banner configure manager-info [name1 | name2 | name3] mgr1-name - The name of the first manager.
Chapter 4 | System Management Commands Banner Information Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Chapter 4 | System Management Commands System Status show banner This command displays all banner information. Command Mode Normal Exec, Privileged Exec Example Console#show banner Edge-Core WARNING - MONITORED ACTIONS AND ACCESSES R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis ECS4510-28T Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.
Chapter 4 | System Management Commands System Status Table 11: System Status Commands (Continued) Command Function Mode show users Shows all active console and Telnet sessions, including user NE, PE name, idle time, and IP address of Telnet clients show version Displays version information for the system NE, PE show watchdog Shows if watchdog debugging is enabled PE watchdog software Monitors key processes, and automatically reboots the system if any of these processes are not responding correc
Chapter 4 | System Management Commands System Status Example
Console#show memory
Status Bytes      %
------ ---------- ---
Free   111706112  41
Used   156729344  59
Total  268435456
Alarm Configuration
Rising Threshold  : 90%
Falling Threshold : 70%
Console#
Related Commands memory (206) show process cpu This command shows the CPU utilization parameters, alarm status, and alarm configuration.
Chapter 4 | System Management Commands System Status show process cpu task This command shows the CPU utilization per process. Command Mode Privileged Exec Example
Console#show process cpu task
Task            Util (%) Avg (%)  Max (%)
--------------- -------- -------- --------
AMTR_ADDRESS    0.00     0.00     0.00
AMTRL3          0.00     0.00     0.00
AMTRL3_GROUP    0.00     0.00     0.00
APP_PROTOCOL_PR 0.00     0.00     0.00
AUTH_GROUP      0.00     0.00     0.00
AUTH_PROC       0.00     0.00     0.00
BGP_TD          0.00     0.00     0.00
CFGDB_TD        0.00     0.00     0.00
CFM_GROUP       0.00     0.00     0.00
CLITASK0        0.
Chapter 4 | System Management Commands System Status
SWCTRL_TD       0.00     0.00     0.00
SWDRV_MONITOR   21.00    19.25    21.00
SYS_MGMT_PROC   0.00     0.00     0.00
SYSDRV          0.00     0.00     0.00
SYSLOG_TD       0.00     0.00     0.00
SYSMGMT_GROUP   0.00     0.00     0.00
SYSTEM          0.00     0.00     0.00
UDLD_GROUP      0.00     0.00     0.00
WTDOG_PROC      0.00     0.00     0.00
XFER_GROUP      0.00     0.00     0.00
XFER_TD         0.00     0.00     0.00
Console#
show running-config This command displays the configuration information currently in use.
Chapter 4 | System Management Commands System Status ■ Any configured settings for the console port and Telnet Example Console#show running-config Building running configuration. Please wait...
Chapter 4 | System Management Commands System Status show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Command Mode Privileged Exec Command Usage ◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in nonvolatile memory. ◆ This command displays settings for key command modes.
Chapter 4 | System Management Commands System Status
System Information
System Up Time         : 0 days, 0 hours, 15 minutes, and 38.
System Name            :
System Location        :
System Contact         :
MAC Address (Unit 1)   :
Web Server             :
Web Server Port        :
Web Secure Server      :
Web Secure Server Port :
Telnet Server          :
Telnet Server Port     :
Jumbo Frame            :
System Fan: Force Fan Speed Full
Unit 1
Fan 1: Ok
Fan 4: Ok
Chapter 4 | System Management Commands System Status show tech-support This command displays a detailed list of system settings designed to help technical support resolve configuration or functional problems. Command Mode Normal Exec, Privileged Exec Command Usage This command generates a long list of information including detailed system and interface settings. It is therefore advisable to direct the output to a file using any suitable output capture function provided with your terminal emulation program.
Chapter 4 | System Management Commands System Status Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Chapter 4 | System Management Commands System Status Table 13: show version – display description (Continued) Parameter Description EPLD Version Version number of Erasable Programmable Logic Device. Number of Ports Number of built-in ports. Main Power Status Displays the status of the internal power supply. Redundant Power Status Displays the status of the redundant power supply. Role Shows that this switch is operating as Master or Slave. Loader Version Version number of loader code.
Chapter 4 | System Management Commands Fan Control Fan Control This section describes the command used to force fan speed. Table 14: Fan Control Commands Command Function Mode fan-speed force-full Forces fans to full speed GC show system Shows if full fan speed is enabled NE, PE fan-speed force-full This command sets all fans to full speed. Use the no form to reset the fans to normal operating speed.
Chapter 4 | System Management Commands File Management Default Setting Disabled Command Mode Global Configuration Command Usage ◆ This switch provides more efficient throughput for large sequential data transfers by supporting layer 2 jumbo frames on Gigabit and 10 Gigabit Ethernet ports or trunks up to 10240 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
Chapter 4 | System Management Commands File Management Saving or Restoring Configuration Settings Configuration settings can be uploaded and downloaded to and from an FTP/TFTP server. The configuration file can be later downloaded to restore switch settings. The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it. Note that the file “Factory_Default_Config.
Chapter 4 | System Management Commands File Management General Commands boot system This command specifies the file or image used to start up the system. Syntax boot system [unit:] {boot-rom | config | opcode}: filename unit* - Unit identifier. (Range: 1-8) boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code. filename - Name of configuration file or code image. * The colon (:) is required.
Chapter 4 | System Management Commands File Management copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
Chapter 4 | System Management Commands File Management Command Usage ◆ The system prompts for data required to complete the copy command. ◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”) ◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
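As an added illustration of the file-name rules in the usage notes above (not part of the original guide), the following Python check applies them to a candidate name before it is typed into the copy dialog; the function name and the split between the switch-side and server-side limits are my own.

```python
import re

# Rules as stated in the copy command usage: no slashes, only A-Z a-z 0-9 "." "-",
# at most 32 characters for a file on the switch and 127 for a file on the server.
SWITCH_NAME_LIMIT = 32
SERVER_NAME_LIMIT = 127
_ALLOWED = re.compile(r"[A-Za-z0-9.-]")


def check_copy_filename(name: str, on_switch: bool) -> list:
    """Return the list of rule violations for a copy destination name.

    An empty list means the name satisfies every rule on the page.
    on_switch selects the 32-character limit; otherwise the server limit applies.
    """
    problems = []
    if not name:
        return ["empty name"]
    if "/" in name or "\\" in name:
        # Path separators are rejected outright, so a traversal-looking name such as
        # ../x can never become a flash file name.
        problems.append("contains a slash")
    bad = sorted({c for c in name if c not in "/\\" and not _ALLOWED.fullmatch(c)})
    if bad:
        problems.append("invalid characters: " + " ".join(repr(c) for c in bad))
    limit = SWITCH_NAME_LIMIT if on_switch else SERVER_NAME_LIMIT
    if len(name) > limit:
        problems.append("length %d exceeds %d" % (len(name), limit))
    return problems


if __name__ == "__main__":
    # Constructed candidates: the page's own "startup.01" plus a few that break a rule.
    for candidate, where in [("startup.01", False), ("../startup.01", True),
                             ("my config.cfg", True), ("a" * 40, True), ("a" * 40, False)]:
        print(candidate, "switch" if where else "server", check_copy_filename(candidate, where))
```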
Chapter 4 | System Management Commands File Management The following example shows how to upload the configuration settings to a file on the TFTP server: Console#copy file tftp Choose file type: 1. config: 2. opcode: 1 Source file name: startup TFTP server ip address: 10.1.0.99 Destination file name: startup.01 TFTP completed. Success. Console# The following example shows how to copy the running configuration to a startup file.
Chapter 4 | System Management Commands File Management This example shows how to copy a public-key used by SSH from an TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch. Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1. RSA: 2. DSA: <1-2>: 1 Source file name: steve.pub Username: steve TFTP Download Success. Write to FLASH Programming. Success.
Chapter 4 | System Management Commands File Management Command Mode Privileged Exec Command Usage ◆ If the file type is used for system startup, then this file cannot be deleted. ◆ “Factory_Default_Config.cfg” cannot be deleted. ◆ A colon (:) is required after the specified unit number. ◆ If the public key type is not specified, then both DSA and RSA keys will be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.
Chapter 4 | System Management Commands File Management ◆ A colon (:) is required after the specified unit number. File information is shown below: Table 17: File Directory Information Column Heading Description File Name The name of the file. File Type File types: Boot-Rom, Operation Code, and Config file. Startup Shows if this file is used when the system is started. Modify Time The date and time the file was last modified. Size The length of the file in bytes.
Chapter 4 | System Management Commands File Management Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name                        Type    Startup Modify Time         Size(bytes)
-------------------------------- ------- ------- ------------------- -----------
Unit 1:
ECS4510-28T_V1.2.1.6.bix         OpCode  Y       2013-07-02 08:18:42 17601308
startup1.
Chapter 4 | System Management Commands File Management ◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands. Example Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup. . . . Automatic Upgrade is looking for a new image New image detected: current version 1.1.1.
Chapter 4 | System Management Commands File Management ◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/ ◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password@]]192.168.0.1[/filedir]/ If the user name is omitted, “anonymous” will be used for the connection.
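An added example (not from the guide) that parses the two upgrade path forms above and applies the anonymous default for FTP; it assumes the credentials are written as username[:password]@ in front of the host, as in an ordinary URL, and the parser and helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Accepted forms, from the upgrade opcode path usage on this page:
#   tftp://192.168.0.1[/filedir]/
#   ftp://[username[:password]@]192.168.0.1[/filedir]/
# Assumption: credentials precede the host as username[:password]@ (ordinary URL layout).
_PATH = re.compile(
    r"^(?P<scheme>tftp|ftp)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[A-Za-z0-9.\-]+)"
    r"(?P<directory>(?:/[^/]+)*)/$"          # the trailing slash is mandatory
)


@dataclass
class UpgradePath:
    scheme: str
    host: str
    directory: str            # "" when the image sits in the server root
    username: Optional[str]   # None for TFTP, "anonymous" for FTP without a user name
    password: Optional[str]


def parse_upgrade_path(url: str) -> UpgradePath:
    """Parse an upgrade opcode path, raising ValueError for forms the page does not allow."""
    m = _PATH.match(url)
    if not m:
        raise ValueError("path must be tftp://host[/dir]/ or ftp://[user[:pw]@]host[/dir]/ "
                         "with a trailing slash")
    user, password = m.group("user"), m.group("password")
    if m.group("scheme") == "tftp":
        if user is not None:
            raise ValueError("TFTP has no credentials")
    elif user is None:
        user = "anonymous"     # default stated on the page when the user name is omitted
    return UpgradePath(m.group("scheme"), m.group("host"), m.group("directory"), user, password)


def embeds_secret(path: UpgradePath) -> bool:
    """True when the path carries a password inline, i.e. the saved configuration
    that holds this path should be handled as sensitive."""
    return bool(path.password)


def rejects(url: str) -> bool:
    """True when parse_upgrade_path refuses the path."""
    try:
        parse_upgrade_path(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for u in ["tftp://192.168.0.1/sm24/", "ftp://192.168.0.1/",
              "ftp://admin:s3cret@192.168.0.1/images/", "tftp://192.168.0.1/sm24"]:
        print(u, "->", "rejected" if rejects(u) else parse_upgrade_path(u))
```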
Chapter 4 | System Management Commands File Management show upgrade This command shows the opcode upgrade configuration settings. Command Mode Privileged Exec Example Console#show upgrade Auto Image Upgrade Global Settings: Status : Disabled Reload Status : Disabled Path : File Name : ECS4510-28T.
Chapter 4 | System Management Commands File Management ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting. Syntax ip tftp timeout seconds no ip tftp timeout seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Chapter 4 | System Management Commands Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line. Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Chapter 4 | System Management Commands Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
Chapter 4 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Chapter 4 | System Management Commands Line Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
Chapter 4 | System Management Commands Line Example To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# Related Commands silent-time (143) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
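An added model (not the switch's implementation) of how password-thresh and silent-time act together on one line, useful for reasoning about the lockout behaviour a guessing attempt would meet; it assumes the failure counter is per line, is cleared by a successful login, and the silent period starts when the threshold is reached.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LineGuard:
    """Model of one console/VTY line protected by password-thresh and silent-time.

    Assumptions (not taken from the guide): the failure counter is per line, it is
    cleared by a successful login, and the silent period starts at the moment the
    threshold is reached. A silent_seconds of 0 means no silent period is configured.
    """
    threshold: int            # password-thresh value
    silent_seconds: int       # silent-time value
    failures: int = 0
    silent_until: Optional[float] = None

    def attempt(self, password_ok: bool, now: float) -> str:
        """Process one login attempt at time 'now' (seconds) and report the outcome."""
        if self.silent_until is not None and now < self.silent_until:
            return "silent"            # line inaccessible, the password is not evaluated
        self.silent_until = None
        if password_ok:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures < self.threshold:
            return "rejected"          # re-prompt for the password
        self.failures = 0
        if self.silent_seconds > 0:
            self.silent_until = now + self.silent_seconds
        return "disconnected"          # line connection terminated


def simulate(guard: LineGuard, attempts: List[Tuple[float, bool]]) -> List[str]:
    """Run a sequence of (time, password_ok) attempts and return the outcome of each."""
    return [guard.attempt(ok, t) for t, ok in attempts]


if __name__ == "__main__":
    # password-thresh 5 (the page's example) combined with a silent-time of 30 seconds
    g = LineGuard(threshold=5, silent_seconds=30)
    print(simulate(g, [(t, False) for t in range(5)] + [(10, True), (40, True)]))
```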
Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps) Default Setting 115200 bps Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port.
Chapter 4 | System Management Commands Line Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
Chapter 4 | System Management Commands Line Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (262) show users (119) terminal This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history.
Chapter 4 | System Management Commands Line Terminal Type: VT100 Width: 80 Command Mode Privileged Exec Example This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 Console# show line This command displays the terminal line’s parameters. Syntax show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet).
Chapter 4 | System Management Commands Event Logging Login Timeout : 300 sec. Silent Time : Disabled Console# Event Logging This section describes commands used to configure event logging on the switch.
Chapter 4 | System Management Commands Event Logging Example Console(config)#logging facility 19 Console(config)# logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Chapter 4 | System Management Commands Event Logging Example Console(config)#logging history ram 0 Console(config)# logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax logging host host-ip-address [port udp-port] no logging host host-ip-address host-ip-address - The IPv4 or IPv6 address of a syslog server. udp-port - UDP port number used by the remote server.
Chapter 4 | System Management Commands Event Logging Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
Chapter 4 | System Management Commands Event Logging clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). Default Setting Flash and RAM Command Mode Privileged Exec Example Console#clear log Console# Related Commands show log (152) show log This command displays the log messages stored in local memory.
Chapter 4 | System Management Commands Event Logging Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.
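As an added example (not part of the guide), a small Python parser for the show log ram entry format above, together with the severity filter implied by the logging sendmail level command (the configured level down through 0); the entry with index 2 in the sample is constructed, not switch output.

```python
import re
from dataclasses import dataclass
from typing import List

# Entry layout as printed by "show log ram" on this page, one entry per line:
#   [idx] HH:MM:SS YYYY-MM-DD "message" level: L, module: M, function: F, and event no.: E
_ENTRY = re.compile(
    r'^\[(?P<idx>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<msg>[^"]*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)\s*$'
)

# Entries [1] and [0] are the page's own sample; entry [2] is constructed for this example.
SAMPLE_LOG = """\
[2] 00:04:10 2001-01-01 "Example: login failure on console line 0." level: 4, module: 5, function: 1, and event no.: 9
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
"""


@dataclass
class LogEntry:
    index: int
    timestamp: str
    message: str
    level: int       # syslog severity: 0 is the most severe, 7 the least
    module: int
    function: int
    event: int


def parse_show_log(text: str) -> List[LogEntry]:
    """Parse show log ram/flash output; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        entries.append(LogEntry(int(m["idx"]), m["date"] + " " + m["time"], m["msg"],
                                int(m["level"]), int(m["module"]), int(m["function"]),
                                int(m["event"])))
    return entries


def at_or_more_severe(entries: List[LogEntry], max_level: int) -> List[LogEntry]:
    """Entries a 'logging ... level N' setting covers: severities N down through 0."""
    return [e for e in entries if e.level <= max_level]


if __name__ == "__main__":
    parsed = parse_show_log(SAMPLE_LOG)
    for e in at_or_more_severe(parsed, 4):
        print(e.timestamp, "level", e.level, e.message)
```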
Chapter 4 | System Management Commands Event Logging Table 21: show logging flash/ram - display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command. History logging in FLASH The message level(s) reported based on the logging history command. History logging in RAM The message level(s) reported based on the logging history command. The following example displays settings for the trap function.
Chapter 4 | System Management Commands SMTP Alerts SMTP Alerts These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
Chapter 4 | System Management Commands SMTP Alerts Default Setting None Command Mode Global Configuration Command Usage ◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. ◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
Chapter 4 | System Management Commands SMTP Alerts Example This example will send email alerts for system errors from level 3 through 0. Console(config)#logging sendmail level 3 Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax [no] logging sendmail destination-email email-address email-address - The source email address used in alert messages.
Chapter 4 | System Management Commands Time Command Usage You may use an symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging This command displays the settings for the SMTP event handler. sendmail Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------192.
Time
Table 24: Time Commands (Continued)
Command - Function - Mode
NTP Commands
ntp authenticate - Enables authentication for NTP traffic - GC
ntp authentication-key - Configures authentication keys - GC
ntp client - Enables the NTP client for time updates from specified servers - GC
ntp server - Specifies NTP servers to poll for time updates - GC
show ntp - Shows current NTP configuration settings - NE, PE
Manual Configuration Commands
clock summer-time (date) - Configures

Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2002
Poll Interval: 60
Current Mode: unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
Current Server: 137.92.140.

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IPv4 or IPv6 address of a time server (NTP or SNTP).

Example
Console#show sntp
Current Time : Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#

NTP Commands
ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.
Syntax
ntp authentication-key number md5 key
no ntp authentication-key [number]
number - The NTP authentication key ID number. (Range: 1-65535)
md5 - Specifies that authentication is provided by using the message digest algorithm 5.

ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.
Syntax
[no] ntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.

Default Setting
Version number: 3
Command Mode
Global Configuration
Command Usage
◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command. The client polls all the configured time servers; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.

NTP Status : Disabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 0.0.0.0 Port: 0
Last Update Time : Jan 1 00:00:00 1970 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.
Command Mode
Global Configuration
Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time time zone relative to the currently configured time zone.

Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time time relative to the configured time zone.

b-day - The day of the week when summer time will begin. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday)
b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
b-hour - The hour when summer time will begin. (Range: 0-23 hours)
b-minute - The minute when summer time will begin.

Related Commands
show sntp (161)

clock timezone
This command sets the time zone for the switch’s internal clock.
Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
name - Name of timezone, usually an acronym. (Range: 1-30 characters)
hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC)
minutes - Number of minutes before/after UTC.

calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec {day month year | month day year}
hour - Hour in 24-hour format. (Range: 0 - 23)
min - Minute. (Range: 0 - 59)
sec - Second. (Range: 0 - 59)
day - Day of month.
Summer Time in Effect : No
Console#

Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.

absolute
This command sets the time range for the execution of a command. Use the no form to remove a previously specified time.
Syntax
absolute start hour minute day month year [end hour minutes day month year]
absolute end hour minutes day month year
no absolute
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
day - Day of month.

periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.

show time-range
This command shows configured time ranges.
Syntax
show time-range [name]
name - Name of the time range.
Switch Clustering
can use either Telnet or the web interface to communicate directly with the Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses.
◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.

◆ Switch clusters are limited to the same Ethernet broadcast domain.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ A switch can only be a Member of one cluster.
◆ Configured switch clusters are maintained across power resets and network changes.
Example
Console(config)#cluster
Console(config)#

cluster commander
This command enables the switch as a cluster Commander.

cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.
Syntax
cluster ip-pool ip-address
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start with 10.x.x.x.
Default Setting
10.254.254.1
Command Mode
Global Configuration
Command Usage
◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster.

Command Mode
Global Configuration
Command Usage
◆ The maximum number of cluster Members is 36.
◆ The maximum number of cluster Candidates is 100.
Example
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#

rcommand
This command provides access to a cluster Member CLI for configuration.
Syntax
rcommand id member-id
member-id - The ID number of the Member switch.

show cluster
This command shows the switch clustering configuration.
Command Mode
Privileged Exec
Example
Console#show cluster
Role                 : commander
Interval Heartbeat   : 30 seconds
Heartbeat Loss Count : 3
Number of Members    : 1
Number of Candidates : 2
Console#

show cluster members
This command shows the current switch cluster members.
Stacking
This section includes commands which configure a unit as the stack master, set the 10G ports to stacking mode, or renumber all units in the stack. For information on how to physically connect units into a stack, see the Hardware Installation Guide. For detailed information on how stacking is implemented for this type of switch, refer to “Stack Operations” on page 53.

switch master button
This command configures a unit as the stack master. Use the no form to disable the master button.
Syntax
[no] switch master button unit
unit - Unit identifier. (Range: 1-8)
Default Setting
Disabled
Command Mode
Privileged Exec
Command Usage
◆ The switch must be rebooted to activate this command. Note that the configured setting is not affected by changes to the start-up configuration file.

Provision complete ...
Finished module 2 provision complete ...
Module provision complete.

switch stacking button
This command sets the front panel 10G ports to stacking mode. Use the no form to disable this function.
Syntax
[no] switch stacking button
Default Setting
Disabled
Command Mode
Privileged Exec
Command Usage
◆ Use this command on all stack members.
◆ Use the switch master button command to specify one unit as the stack master.

show switch stacking button
This command shows the status of the stacking button.
Command Mode
Privileged Exec
Command Usage
Use the switch stacking button command to set the 10G ports to stacking mode.
5 SNMP Commands
SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Table 29: SNMP Commands (Continued)
Command - Function - Mode
show snmp user - Shows the SNMP users - PE
show snmp view - Shows the SNMP views - PE
Notification Log Commands
nlm - Enables the specified notification log - GC
snmp-server notify-filter - Creates a notification log and specifies the target host - GC
show nlm oper-status - Shows operation status of configured notification logs - PE
show snmp notify-filter - Displays the configured notification logs - PE
ATC Trap Commands
snm

General SNMP Commands
Table 29: SNMP Commands (Continued)
Command - Function - Mode
transceiver-threshold tx-power - Sends a trap when the power level of the transmitted signal falls outside the specified thresholds - IC (Port)
transceiver-threshold voltage - Sends a trap when the transceiver voltage falls outside the specified thresholds - IC (Port)
Additional Trap Commands
memory - Sets the rising and falling threshold for the memory utilization alarm - GC
process cpu - Sets the rising

ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Default Setting
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

snmp-server location
This command sets the system location string. Use the no form to remove the location string.
Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location.
SNMP Target Host Commands
SNMP Communities :
1. public, and the access level is read-only
2.

Command Usage
◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled.

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}
no snmp-server host host-addr
host-addr - IPv4 or IPv6 address of the host (the targeted recipient).

◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.

Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#
Related Commands
snmp-server enable traps (190)

snmp-server enable port-traps mac-notification
This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.

Command Mode
Privileged Exec
Example
Console#show snmp-server enable port-traps interface
Interface MAC Notification Trap
--------- ---------------------
Eth 1/1   No
Eth 1/2   No
Eth 1/3   No
. . .

SNMPv3 Commands
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID.

Command Mode
Global Configuration
Command Usage
◆ A group sets the access policy for the assigned users.
◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption.
◆ For additional information on the notification messages supported by this switch, see the Web Management Guide.

md5 | sha - Uses MD5 or SHA authentication.
auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (A minimum of eight characters is required.)
priv des56 - Uses SNMPv3 with privacy with DES56 encryption.
priv-password - Privacy password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password.

snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
view-name - Name of an SNMP view. (Range: 1-32 characters)
oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.
show snmp engine-id
This command shows the SNMP engine ID.
Command Mode
Privileged Exec
Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP EngineID: 8000002a8000000000e8666672
Local SNMP EngineBoots: 1
Remote SNMP EngineID        IP address
80000000030004e2b316c54321  192.168.1.19
Console#
Table 30: show snmp engine-id - display description
Field - Description
Local SNMP engineID - String identifying the engine ID.

Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
Table 31: show snmp group -
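An added example (not code from the guide): a parser for the show snmp group output above, with an audit pass that reports active v1/v2c groups holding a write view (community-string security only) and default-community groups that still expose a read view; SNMPv3 groups are left to the per-user auth/priv settings of snmp-server user. The sample output is constructed from the guide's example plus one v3 group named "netops".

```python
import re
from typing import Dict, List

# One record per "Group Name:" block, in the order the switch prints the fields.
GROUP_RE = re.compile(
    r'Group Name:\s*(?P<name>\S+)\s+'
    r'Security Model:\s*(?P<model>\S+)\s+'
    r'Read View:\s*(?P<read>\S+)\s+'
    r'Write View:\s*(?P<write>\S+)\s+'
    r'Notify View:\s*(?P<notify>\S+)\s+'
    r'Storage Type:\s*(?P<storage>\S+)\s+'
    r'Row Status:\s*(?P<status>\S+)')


def parse_show_snmp_group(output: str) -> List[Dict[str, str]]:
    """Turn the text of 'show snmp group' into one dict per group."""
    return [m.groupdict() for m in GROUP_RE.finditer(output)]


def audit_snmp_groups(groups: List[Dict[str, str]]) -> List[str]:
    """Return one finding per active group whose access is not protected by SNMPv3.

    v1/v2c groups authenticate with a community string only, so a write view on
    such a group means anyone who learns the string can modify the MIB; a default
    community (public/private) that still grants a read view is reported as a
    weaker finding.
    """
    findings = []
    for g in groups:
        if g["status"] != "active":
            continue  # inactive rows are not reachable
        if g["model"] not in ("v1", "v2c"):
            continue  # v3 groups get per-user authentication and privacy
        if g["write"] != "none":
            findings.append(
                f'HIGH: group {g["name"]} ({g["model"]}) grants write view '
                f'"{g["write"]}" with community-string security only')
        elif g["name"] in ("public", "private"):
            findings.append(
                f'MEDIUM: default community group {g["name"]} ({g["model"]}) '
                f'still exposes read view "{g["read"]}"')
    return findings


# Constructed sample, modelled on the guide's 'show snmp group' output, with one
# SNMPv3 group ("netops") added to show that only v1/v2c groups are flagged.
SAMPLE = """Console#show snmp group
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: netops
Security Model: v3
Read View: defaultview
Write View: defaultview
Notify View: defaultview
Storage Type: nonvolatile
Row Status: active
Console#"""

if __name__ == "__main__":
    for finding in audit_snmp_groups(parse_show_snmp_group(SAMPLE)):
        print(finding)
```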
SNMP remote user
Engine ID : 0000937564846450000
User Name : mark
Group Name : public
Security Model : v3
Security Level : Authentication and privacy
Authentication Protocol : MD5
Privacy Protocol : DES56
Storage Type : Nonvolatile
Row Status : Active
Console#
Table 32: show snmp user - display description
Field - Description
Engine ID - String identifying the engine ID.
User Name - Name of user connecting to the SNMP agent.
Group Name - Name of an SNMP group.

Notification Log Commands
Table 33: show snmp view - display description
Field - Description
View Name - Name of an SNMP view.
Subtree OID - A branch in the MIB tree.
View Type - Indicates if the view is included or excluded.
Storage Type - The storage type for this entry.
Row Status - The row status of this entry.

nlm
This command enables or disables the specified notification log.
Syntax
[no] nlm filter-name
filter-name - Notification log name.

snmp-server notify-filter
This command creates an SNMP notification log. Use the no form to remove this log.
Syntax
[no] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name. (Range: 1-32 characters)
ip-address - IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the snmp-server host command.
Note: The notification log is stored locally.

recorded in a notification log, and the entry aging time can only be configured using SNMP from a network management station.
◆ When a trap host is created with the snmp-server host command, a default notify filter will be created as shown in the example under the show snmp notify-filter command.

Additional Trap Commands
memory
This command sets an SNMP trap based on configured thresholds for memory utilization. Use the no form to restore the default setting.
Syntax
memory {rising rising-threshold | falling falling-threshold}
no memory {rising | falling}
rising-threshold - Rising threshold for memory utilization alarm expressed in percentage. (Range: 1-100)
falling-threshold - Falling threshold for memory utilization alarm expressed in percentage.

Default Setting
Rising Threshold: 90%
Falling Threshold: 70%
Command Mode
Global Configuration
Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
6 Remote Monitoring Commands
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index - Index to this entry. (Range: 1-65535)
variable - The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.

generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
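The rising/falling hysteresis described here for rmon alarm, and in Chapter 5 for the memory trap (rising 90%, falling 70% by default), as an added example that is not code from the guide or the switch. It models both the absolute and delta sample types of rmon alarm; the inclusive comparisons (>= rising, <= falling) and the startup parameter follow RFC 2819's alarmTable and are assumptions, since the guide does not state them, and all sample values are constructed.

```python
from typing import List, Optional, Tuple


class ThresholdAlarm:
    """Rising/falling threshold alarm with RMON-style hysteresis.

    After a rising event fires, no further rising event is generated until the
    sampled value has reached the falling threshold (and vice versa), which is
    the behaviour the guide describes for both the memory trap and rmon alarm.
    sample_type "absolute" compares the raw value; "delta" compares the change
    between successive samples, as for packet or octet counters.
    startup mirrors RMON's startupAlarm, i.e. which event may fire on the very
    first sample; "rising" is assumed as the default so that a low initial
    utilization does not produce a falling trap.
    """

    def __init__(self, rising: int, falling: int, sample_type: str = "absolute",
                 startup: str = "rising") -> None:
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in ("rising", "falling", "rising-or-falling"):
            raise ValueError("unknown startup alarm type")
        self.rising = rising
        self.falling = falling
        self.sample_type = sample_type
        self.previous_raw: Optional[int] = None   # last raw counter value (delta mode)
        self.armed_rising = startup in ("rising", "rising-or-falling")
        self.armed_falling = startup in ("falling", "rising-or-falling")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self.previous_raw is None:       # first delta sample: nothing to compare
                self.previous_raw = raw
                return None
            value, self.previous_raw = raw - self.previous_raw, raw
        else:
            value = raw
        # Thresholds are inclusive (>= rising, <= falling), as in RFC 2819.
        if value >= self.rising and self.armed_rising:
            self.armed_rising, self.armed_falling = False, True   # re-arm the other side
            return "rising"
        if value <= self.falling and self.armed_falling:
            self.armed_falling, self.armed_rising = False, True
            return "falling"
        return None


def run(alarm: ThresholdAlarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample index, event) for every event the alarm would generate."""
    events = []
    for i, s in enumerate(samples):
        ev = alarm.sample(s)
        if ev:
            events.append((i, ev))
    return events


if __name__ == "__main__":
    # Memory utilization in percent with the guide's defaults (rising 90, falling 70).
    # Constructed series: 95 right after 92 does not re-fire; 69 clears; 93 fires again.
    mem = ThresholdAlarm(rising=90, falling=70)
    print(run(mem, [50, 85, 92, 95, 88, 75, 69, 93]))
    # rmon alarm in delta mode on a cumulative packet counter (constructed values).
    pkts = ThresholdAlarm(rising=1000, falling=200, sample_type="delta")
    print(run(pkts, [1000, 1500, 2600, 2700]))
```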
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.

input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
◆ The switch reserves two controlEntry index entries for each port.

◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.

Example
Console#show rmon history
Entry 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds
Requested # of time intervals, ie buckets, is 8
Granted # of time intervals, ie buckets, is 8
Sample # 1 began measuring at 00:00:01
Received 77671 octets, 1077 packets,
61 broadcast and 978 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers packets,
0 CRC alignment errors and 0 collisions.
7 Flow Sampling Commands
Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.

sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds)
ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods.
ipv6-address - IPv6 address of the sFlow collector. A full IPv6 address including the network prefix and host address bits. An IPv6 address consists of 8 colon-separated 16-bit hexadecimal values.

This example shows how to modify the sFlow port number for an already configured collector.
Console(config)#sflow owner stat_server1 timeout 100 port 35100
Console(config)#

sflow polling instance
This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval. Use the no form to remove the polling data source instance from the switch’s sFlow configuration.

sflow sampling instance
This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.

The following command removes a sampling data source from Ethernet interface 1/1.
Console# no sflow sampling interface ethernet 1/1 instance 1
Console#

show sflow
This command shows the global and interface settings for the sFlow process.
Syntax
show sflow [owner owner-name | interface interface]
owner-name - The associated receiver, to which the samples are sent. (Range: 1-30 alphanumeric characters)
interface
ethernet unit/port
unit - Unit identifier.
8 Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.

User Accounts and Privilege Levels
The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 137), user authentication via a remote authentication server (page 223), and host access authentication for specific ports (page 262).

Default Setting
The default is level 15. The default password is “super”.
Command Mode
Global Configuration
Command Usage
◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
◆ The encrypted password is required for compatibility with legacy password settings (i.e.

Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.

privilege
This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.
Syntax
privilege mode [all] level level command
no privilege mode [all] command
mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 84 and “Configuration Commands” on page 86.

Example
This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console(config)#

Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
RADIUS Client
Default Setting
1813
Command Mode
Global Configuration
Example
Console(config)#radius-server acct-port 181
Console(config)#

radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication messages.

auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
key - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters)
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30)
timeout - Number of seconds the switch waits for a reply before resending a request.

radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.

show radius-server
This command displays the current settings for the RADIUS server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
 Authentication Port Number : 1812
 Accounting Port Number     : 1813
 Retransmit Times           : 2
 Request Timeout            : 5
Server 1:
 Server IP Address          : 192.
 Authentication Port Number :
 Accounting Port Number     :
 Retransmit Times           :
 Request Timeout            :

TACACS+ Client
tacacs-server host
This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values.
Syntax
tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout]
no tacacs-server index
index - The index for this server. (Range: 1)
host-ip-address - IP address of a TACACS+ server.

Command Mode
Global Configuration
Example
Console(config)#tacacs-server key green
Console(config)#

tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication messages.

Example
Console(config)#tacacs-server retransmit 5
Console(config)#

tacacs-server timeout
This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default.
Syntax
tacacs-server timeout number-of-seconds
no tacacs-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 8 | Authentication Commands AAA
TACACS+ Server Group:
 Group Name                Member Index
 ------------------------- ------------
 tacacs+                   1
Console#
AAA
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
Chapter 8 | Authentication Commands AAA
method-name - Specifies an accounting method for service requests. (Range: 1-64 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.
Chapter 8 | Authentication Commands AAA
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.
Chapter 8 | Authentication Commands AAA
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ This command runs accounting for Exec service requests for the local console and Telnet connections.
◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Chapter 8 | Authentication Commands AAA
Example
Console(config)#aaa accounting update periodic 30
Console(config)#
aaa authorization exec
This command enables the authorization for Exec access. Use the no form to disable the authorization service.
Syntax
aaa authorization exec {default | method-name} group {tacacs+ | server-group}
no aaa authorization exec {default | method-name}
default - Specifies the default authorization method for Exec access.
Chapter 8 | Authentication Commands AAA
aaa group server
Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
Syntax
[no] aaa group server {radius | tacacs+} group-name
radius - Defines a RADIUS server group.
tacacs+ - Defines a TACACS+ server group.
group-name - A text string that names a security server group.
Chapter 8 | Authentication Commands AAA
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#
accounting dot1x
This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
Syntax
accounting dot1x {default | list-name}
no accounting dot1x
default - Specifies the default method list created with the aaa accounting dot1x command.
Chapter 8 | Authentication Commands AAA
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#
accounting exec
This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line.
Syntax
accounting exec {default | list-name}
no accounting exec
default - Specifies the default method list created with the aaa accounting exec command.
Chapter 8 | Authentication Commands AAA
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#
show accounting
This command displays the current accounting settings per function and per port.
Chapter 8 | Authentication Commands Web Server
 Interface       : Eth 1/1
  Method List    : tps
  Group List     : radius
 Interface       : Eth 1/2
Accounting Type  : EXEC
 Method List     : default
 Group List      : tacacs+
 Interface       : vty
Accounting Type  :
 Method List     :
 Group List      :
 Interface       :
 . . .
Accounting Type  : Commands 0
 Method List     : default
 Group List      : tacacs+
 Interface       :
Accounting Type  : Commands 15
 Method List     : default
 Group List      : tacacs+
 Interface       :
Console#
Web Server
This section describes commands used to configure web browser management access to the switch.
Chapter 8 | Authentication Commands Web Server
Command Mode
Global Configuration
Example
Console(config)#ip http port 769
Console(config)#
Related Commands
ip http server (248)
show system (117)
ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
Chapter 8 | Authentication Commands Web Server
Command Mode
Global Configuration
Command Usage
◆ You cannot configure the HTTP and HTTPS servers to use the same port.
Chapter 8 | Authentication Commands Telnet Server
◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions. The following web browsers and operating systems currently support HTTPS:
Table 44: HTTPS System Support
Web Browser            Operating System
Internet Explorer 6.
Chapter 8 | Authentication Commands Telnet Server
Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level.
ip telnet max-sessions
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting.
Chapter 8 | Authentication Commands Telnet Server
Command Mode
Global Configuration
Example
Console(config)#ip telnet port 123
Console(config)#
ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.
Syntax
[no] ip telnet server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#ip telnet server
Console(config)#
show ip telnet
This command displays the configuration settings for the Telnet server.
Chapter 8 | Authentication Commands Secure Shell
Secure Shell
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
Chapter 8 | Authentication Commands Secure Shell
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Chapter 8 | Authentication Commands Secure Shell
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b.
Chapter 8 | Authentication Commands Secure Shell
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset.
Chapter 8 | Authentication Commands Secure Shell
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
Related Commands
ip ssh crypto host-key generate (259)
show ssh (262)
ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.
Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of server key.
Chapter 8 | Authentication Commands Secure Shell
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
Chapter 8 | Authentication Commands Secure Shell
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
dsa – DSA (Version 2) key type.
rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
Chapter 8 | Authentication Commands Secure Shell
Command Mode
Privileged Exec
Command Usage
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
◆ The SSH server must be disabled before you can execute this command.
Chapter 8 | Authentication Commands Secure Shell
Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Shows all public keys.
Chapter 8 | Authentication Commands 802.1X Port Authentication
show ssh
This command displays the current SSH server connections.
Command Mode
Privileged Exec
Example
Console#show ssh
Connection Version State           Username Encryption
0          2.0     Session-Started admin    ctos aes128-cbc-hmac-md5
                                            stoc aes128-cbc-hmac-md5
Console#
Table 47: show ssh - display description
Field      Description
Connection The session number. (Range: 0-3)
Version    The Secure Shell version number.
Chapter 8 | Authentication Commands 802.1X Port Authentication Table 48: 802.
Chapter 8 | Authentication Commands 802.1X Port Authentication
dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Authenticator Commands
dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Syntax
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-reauth-req 2
Console(config-if)#
dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Default
Single-host
Command Mode
Interface Configuration
Command Usage
◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command.
◆ In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#
dot1x re-authentication
This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
Syntax
[no] dot1x re-authentication
Command Mode
Interface Configuration
Command Usage
◆ The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#
dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Command Usage
This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
Chapter 8 | Authentication Commands 802.1X Port Authentication
dot1x max-start
This command sets the maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X unaware. Use the no form to restore the default value.
Syntax
dot1x max-start count
no dot1x max-start
count - Specifies the maximum number of EAP start frames.
Chapter 8 | Authentication Commands 802.1X Port Authentication
◆ A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#dot1x pae supplicant
Console(config-if)#
dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout held-period 120
Console(config-if)#
dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
Syntax
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds.
Chapter 8 | Authentication Commands 802.1X Port Authentication
Command Mode
Privileged Exec
Command Usage
This command displays the following information:
◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 264).
◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 264).
Chapter 8 | Authentication Commands 802.1X Port Authentication
◆ Authenticator PAE State Machine
  ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
  ■ Reauth Count – Number of times connecting state is re-entered.
  ■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
◆ Backend State Machine
Chapter 8 | Authentication Commands Management IP Filter
 Reauth Max Retries : 2
 Max Request        : 2
 Operation Mode     : Multi-host
 Port Control       : Auto
 Intrusion Action   : Block traffic
 Supplicant         : 00-e0-29-94-34-65
 Authenticator PAE State Machine
  State              : Authenticated
  Reauth Count       : 0
  Current Identifier : 3
 Backend State Machine
  State              : Idle
  Request Count      : 0
  Identifier(Server) : 2
 Reauthentication State Machine
  State              : Initialize
Console#
Management IP Filter
This section describes commands used to configu
Chapter 8 | Authentication Commands Management IP Filter
end-address - The end address of a range.
Default Setting
All addresses
Command Mode
Global Configuration
Command Usage
The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
telnet-client - Displays IP addresses for the Telnet group.
Command Mode
Privileged Exec
Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
  Start IP address      End IP address
  ----------------------------------------------
  1. 192.168.1.19       192.168.1.19
  2. 192.168.1.25       192.168.1.30
SNMP-Client:
  Start IP address      End IP address
  ----------------------------------------------
  1. 192.168.1.19       192.168.1.19
  2. 192.168.1.25       192.168.1.
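The filter semantics described under Command Usage (open to all addresses until the first entry exists, then restricted to the listed ranges), applied per client group to a show management all-client listing. This is an added example, not code from the guide or from Edge-core; the show output it parses is a constructed sample in the format shown above, and the group names and helper functions are this example's own.

```python
import ipaddress
import re

# Constructed sample of "show management all-client" output; not captured from a real switch.
SAMPLE_SHOW_OUTPUT = """\
Management Ip Filter
HTTP-Client:
  Start IP address      End IP address
  ----------------------------------------------
  1. 192.168.1.19       192.168.1.19
  2. 192.168.1.25       192.168.1.30
SNMP-Client:
  Start IP address      End IP address
  ----------------------------------------------
  1. 192.168.1.19       192.168.1.19
Telnet-Client:
  Start IP address      End IP address
  ----------------------------------------------
"""

# The three client groups the show command reports (hypothetical names used here).
GROUPS = ("HTTP-Client", "SNMP-Client", "Telnet-Client")

# One numbered filter entry: "<n>. <start-ip> <end-ip>"
_ENTRY = re.compile(r"^\s*\d+\.\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_management_filter(show_output):
    """Parse show management all-client output into {group: [(start, end), ...]}.

    Each range is a pair of ipaddress.IPv4Address objects; a group with no
    entries maps to an empty list.
    """
    table = {group: [] for group in GROUPS}
    current = None
    for line in show_output.splitlines():
        label = line.strip().rstrip(":")
        if label in GROUPS:
            current = label
            continue
        match = _ENTRY.match(line)
        if match and current is not None:
            start = ipaddress.IPv4Address(match.group(1))
            end = ipaddress.IPv4Address(match.group(2))
            if end < start:
                raise ValueError(f"{current}: range end {end} precedes start {start}")
            table[current].append((start, end))
    return table


def is_client_permitted(table, group, client_ip):
    """Apply the filter semantics from the command usage text.

    With no entries the interface is open to every address; once any entry
    exists, only addresses inside a listed range may reach that interface.
    """
    ranges = table[group]
    if not ranges:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(start <= ip <= end for start, end in ranges)


if __name__ == "__main__":
    table = parse_management_filter(SAMPLE_SHOW_OUTPUT)
    checks = (("HTTP-Client", "192.168.1.27"),
              ("HTTP-Client", "192.168.1.31"),
              ("SNMP-Client", "192.168.1.27"),
              ("Telnet-Client", "10.0.0.9"))
    for group, ip in checks:
        verdict = "permitted" if is_client_permitted(table, group, ip) else "denied"
        print(f"{group:14} {ip:15} {verdict}")
```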
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
Table 50: PPPoE Intermediate Agent Commands (Continued)
Command                                    Function                                   Mode
clear pppoe intermediate-agent statistics  Clears PPPoE IA statistics                 PE
show pppoe intermediate-agent info         Displays PPPoE IA configuration settings   PE
show pppoe intermediate-agent statistics   Displays PPPoE IA statistics               PE
pppoe intermediate-agent
This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
pppoe intermediate-agent
This command sets the access node identifier and generic error message for the switch. Use the no form to restore the default settings.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
PPPoE IA must also be enabled globally on the switch for this command to take effect.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent port-enable
Console(config-if)#
pppoe intermediate-agent
This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
command.
◆ If the remote-id is unspecified, the port name will be used for this parameter. If the port name is not configured, the remote-id is set to the port MAC (yy-yy-yy-yy-yy-yy#), where # is the default delimiter.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.
Syntax
[no] pppoe intermediate-agent trust
Default Setting
Untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Set any interfaces connecting the switch to a PPPoE Server as trusted.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent vendor-tag strip
Console(config-if)#
clear pppoe intermediate-agent statistics
This command clears statistical counters for the PPPoE Intermediate Agent.
Syntax
clear pppoe intermediate-agent statistics interface [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1-8)
  port - Port number.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
PPPoE Intermediate Agent Admin Generic Error Message :
PPPoE Intermediate Agent Oper Generic Error Message  : PPPoE Discover packet too large to process. Try reducing the number of tags added.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent
Table 51: show pppoe intermediate-agent statistics - display description
Field  Description
PADS   PPPoE Active Discovery Session-Confirmation
PADT   PPPoE Active Discovery Terminate
9 General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
Chapter 9 | General Security Measures Port Security
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Chapter 9 | General Security Measures Port Security
security function such as 802.1X or DHCP snooping is enabled and MAC learning is disabled, then only incoming traffic with source addresses stored in the static address table will be accepted; all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
Chapter 9 | General Security Measures Port Security
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Chapter 9 | General Security Measures Port Security
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
show interfaces status (415)
shutdown (407)
mac-address-table static (495)
port security mac-address-as-static
Use this command to save the MAC addresses that port security has learned as static entries.
Chapter 9 | General Security Measures Port Security
Command Mode
Privileged Exec
Example
This example shows the port security settings and number of secure addresses for all ports.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
Port Security Details
 Port                             : 1/2
 Port Security                    : Enabled
 Port Status                      : Secure/Up
 Intrusion Action                 : None
 Max MAC Count                    : 0
 Current MAC Count                : 0
 MAC Filter                       : Disabled
 Last Intrusion MAC               : NA
 Last Time Detected Intrusion MAC : NA
Console#
This example shows information about a detected intrusion.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
Table 55: Network Access Commands (Continued)
Command                                     Function                                                                        Mode
network-access link-detection               Enables the link detection feature                                              IC
network-access link-detection link-down     Configures the link detection feature to detect and act upon link-down events   IC
network-access link-detection link-up       Configures the link detection feature to detect and act upon link-up events     IC
network-access link-detection link-up-down
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
◆ This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 266).
◆ The maximum number of secure MAC addresses supported for the switch system is 1024.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.
Syntax
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
(attribute 11) can be configured on the RADIUS server to pass the following QoS information:
Table 56: Dynamic QoS Profiles
Profile     Attribute Syntax                     Example
DiffServ    service-policy-in=policy-map-name    service-policy-in=p1
Rate Limit  rate-limit-input=rate (kbps)         rate-limit-input=100 (kbps)
            rate-limit-output=rate (kbps)        rate-limit-output=200 (kbps)
802.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
Command Mode
Interface Configuration
Command Usage
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
◆ The VLAN settings specified by the first authenticated MAC address are implemented for a port.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see the dot1x intrusion-action command).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#
network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#
network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Example
Console(config-if)#network-access max-mac-count 5
Console(config-if)#
network-access mode
Use this command to enable network access authentication on a port.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
◆ The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.
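A parser for the RADIUS reply attributes the switch consumes here: the “1u,2t,” VLAN list in Tunnel-Private-Group-ID with its Tunnel-Type/Tunnel-Medium-Type preconditions, and the Filter-ID (attribute 11) QoS keys from Table 56 (service-policy-in, rate-limit-input, rate-limit-output). This is an added example, not code from the guide or from Edge-core; the integer codes 13 (VLAN) and 6 (802) are the RFC 2868 values behind the names the guide uses, the attribute dictionary shape and AccessProfile type are this example's own, and rejecting unknown Filter-ID keys is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 2868 values behind the names the guide uses ("VLAN" and "802").
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Filter-ID keys from Table 56 (the truncated 802.1p row is not reproduced).
QOS_KEYS = {"service-policy-in", "rate-limit-input", "rate-limit-output"}


@dataclass
class AccessProfile:
    """What the switch would apply to a port after a successful authentication."""
    untagged_vlans: List[int] = field(default_factory=list)
    tagged_vlans: List[int] = field(default_factory=list)
    service_policy_in: Optional[str] = None
    rate_limit_input_kbps: Optional[int] = None
    rate_limit_output_kbps: Optional[int] = None


def parse_vlan_list(value):
    """Parse the "1u,2t," Tunnel-Private-Group-ID format into (untagged, tagged)."""
    untagged, tagged = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate the trailing comma shown in the guide's example
        match = re.fullmatch(r"(\d{1,4})([ut])", item)
        if match is None:
            raise ValueError(f"malformed VLAN list entry: {item!r}")
        vid = int(match.group(1))
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        (untagged if match.group(2) == "u" else tagged).append(vid)
    return untagged, tagged


def build_access_profile(attributes):
    """Build an AccessProfile from an Access-Accept's attributes.

    attributes maps attribute name -> list of values (a reply may repeat
    Filter-Id). Tunnel-Type and Tunnel-Medium-Type are plain integers here;
    the tunnel tag byte is not modelled.
    """
    profile = AccessProfile()
    group_ids = attributes.get("Tunnel-Private-Group-ID", [])
    if group_ids:
        # VLAN assignment is only honoured with the tunnel attributes the guide names.
        if attributes.get("Tunnel-Type") != [TUNNEL_TYPE_VLAN]:
            raise ValueError("Tunnel-Type must be VLAN (13) for VLAN assignment")
        if attributes.get("Tunnel-Medium-Type") != [TUNNEL_MEDIUM_TYPE_IEEE_802]:
            raise ValueError("Tunnel-Medium-Type must be 802 (6) for VLAN assignment")
        profile.untagged_vlans, profile.tagged_vlans = parse_vlan_list(group_ids[0])
    for raw in attributes.get("Filter-Id", []):
        key, sep, value = raw.partition("=")
        key = key.strip().lower()
        if not sep or key not in QOS_KEYS:
            # Assumption: an unrecognised key rejects the reply rather than being ignored.
            raise ValueError(f"unrecognised Filter-Id value: {raw!r}")
        # The "(kbps)" in Table 56 annotates the unit; strip it if a server echoes it.
        value = re.sub(r"\s*\(kbps\)$", "", value.strip())
        if key == "service-policy-in":
            profile.service_policy_in = value
            continue
        if not value.isdigit():
            raise ValueError(f"{key} expects a rate in kbps, got {value!r}")
        if key == "rate-limit-input":
            profile.rate_limit_input_kbps = int(value)
        else:
            profile.rate_limit_output_kbps = int(value)
    return profile


def accepts(attributes):
    """True when the attribute set yields a usable profile, False when it is rejected."""
    try:
        build_access_profile(attributes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed Access-Accept contents mirroring the guide's examples.
    sample_reply = {
        "Tunnel-Type": [TUNNEL_TYPE_VLAN],
        "Tunnel-Medium-Type": [TUNNEL_MEDIUM_TYPE_IEEE_802],
        "Tunnel-Private-Group-ID": ["1u,2t,"],
        "Filter-Id": ["service-policy-in=p1", "rate-limit-input=100", "rate-limit-output=200"],
    }
    print(build_access_profile(sample_reply))
```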
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
clear network-access
Use this command to clear entries from the secure MAC addresses table.
Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
Example
Console#show network-access interface ethernet 1/1
Global secure port information
 Reauthentication Time : 1800
 MAC Address Aging     : Disabled
Port : 1/1
 MAC Authentication                    : Disabl
 MAC Authentication Intrusion Action   :
 MAC Authentication Maximum MAC Counts :
 Maximum MAC Counts                    :
 Dynamic VLAN Assignment               :
 Dynamic QoS Assignment                :
 MAC Filter ID                         :
 Guest VLAN                            :
 Link Detection                        :
 Detection Mode                        :
 Detection Action                      :
Console#
Chapter 9 | General Security Measures Network Access (MAC Address Authentication)
00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
Example
Console#show network-access mac-address-table
Interface MAC Address       RADIUS Server   Time
--------- ----------------- --------------- ------------------
1/1       00-00-01-02-03-04 172.155.120.17  00d06h32m50s
1/1       00-00-01-02-03-05 172.155.120.
1/1       00-00-01-02-03-06
1/3       00-00-01-02-03-07
Chapter 9 | General Security Measures Web Authentication
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
Chapter 9 | General Security Measures Web Authentication
web-auth login-attempts
This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default.
Syntax
web-auth login-attempts count
no web-auth login-attempts
count - The limit of allowed failed login attempts.
Chapter 9 | General Security Measures Web Authentication
web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
Syntax
web-auth session-timeout timeout
no web-auth session-timeout
timeout - The amount of time that an authenticated session remains valid.
Chapter 9 | General Security Measures Web Authentication
web-auth
This command enables web authentication for an interface. Use the no form to restore the default.
Syntax
[no] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
Chapter 9 | General Security Measures Web Authentication
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
interface - Specifies a port interface.
 ethernet unit/port
  unit - Unit identifier. (Range: 1-8)
  port - Port number.
Chapter 9 | General Security Measures Web Authentication
show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
show web-auth interface interface
interface - Specifies a port interface.
 ethernet unit/port
  unit - Unit identifier. (Range: 1-8)
  port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show web-auth interface ethernet 1/2
Web Auth Status : Enabled
Host Summary
IP address
---------------
1.1.1.1
1.1.1.
Chapter 9 | General Security Measures DHCPv4 Snooping
DHCPv4 Snooping
DHCPv4 snooping allows a switch to protect a network from rogue DHCPv4 servers or other devices which send port-related information to a DHCPv4 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv4 snooping.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping Default Setting Disabled Command Mode Global Configuration Command Usage Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or fire wall.
Chapter 9 | General Security Measures DHCPv4 Snooping ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. ■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command).
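The forwarding decisions described above, as an added example that is not code from the Edgecore guide: a small model of DHCPv4 snooping run over a constructed client/server exchange. The handling of server messages on untrusted ports and the exact comparison made by MAC address verification are assumptions marked in the comments.

```python
# Added example, not code from the Edgecore guide: a model of the DHCPv4
# snooping forwarding decisions described above, run over constructed packets.
from dataclasses import dataclass

CLIENT_MSGS = {"DISCOVER", "REQUEST", "INFORM", "DECLINE", "RELEASE"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpPacket:
    msg_type: str     # one of CLIENT_MSGS or SERVER_MSGS
    in_port: str      # ingress interface, e.g. "eth1/5"
    vlan: int
    src_mac: str      # source address of the Ethernet frame
    chaddr: str       # client hardware address in the DHCP payload
    yiaddr: str = ""  # address assigned by the server (ACK only)


class DhcpSnooping:
    """Models 'ip dhcp snooping', '... vlan', '... trust' and '... verify mac-address'."""

    def __init__(self, verify_mac: bool = True):
        self.enabled = False
        self.vlans: set[int] = set()     # VLANs with snooping enabled
        self.trusted: set[str] = set()   # trusted interfaces
        self.verify_mac = verify_mac
        # binding table: (chaddr, vlan) -> (ip, port), learned from server ACKs
        self.bindings: dict[tuple[str, int], tuple[str, str]] = {}

    def decide(self, pkt: DhcpPacket) -> str:
        """Return 'forward' or 'drop' for one DHCP packet."""
        # Snooping only acts when enabled globally and on the packet's VLAN.
        if not self.enabled or pkt.vlan not in self.vlans:
            return "forward"
        if pkt.in_port in self.trusted:
            # Server ACKs on trusted ports populate the binding table.
            if pkt.msg_type == "ACK" and pkt.yiaddr:
                self.bindings[(pkt.chaddr, pkt.vlan)] = (pkt.yiaddr, pkt.in_port)
            return "forward"
        # Untrusted port from here on.
        if pkt.msg_type in SERVER_MSGS:
            # Assumption: server messages on an untrusted port come from a
            # rogue server and are dropped.
            return "drop"
        if self.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
            # Assumption about what MAC verification compares: the frame's
            # source MAC against the DHCP client hardware address.
            return "drop"
        if pkt.msg_type in {"DECLINE", "RELEASE"}:
            # Forwarded only when a binding already exists for this client.
            return "forward" if (pkt.chaddr, pkt.vlan) in self.bindings else "drop"
        return "forward"


def run_sample() -> list[str]:
    """Constructed exchange: eth1/1 trusted (server side), eth1/5 untrusted."""
    sw = DhcpSnooping(verify_mac=True)
    sw.enabled = True
    sw.vlans.add(1)
    sw.trusted.add("eth1/1")
    client = "00-11-22-33-44-55"
    packets = [
        DhcpPacket("DISCOVER", "eth1/5", 1, client, client),               # forward
        DhcpPacket("OFFER", "eth1/5", 1, "00-de-ad-be-ef-00", client),     # rogue server: drop
        DhcpPacket("RELEASE", "eth1/5", 1, client, client),                # no binding yet: drop
        DhcpPacket("ACK", "eth1/1", 1, "00-aa-aa-aa-aa-aa", client, "192.168.0.10"),  # learn binding
        DhcpPacket("RELEASE", "eth1/5", 1, client, client),                # binding present: forward
        DhcpPacket("REQUEST", "eth1/5", 1, "00-bb-bb-bb-bb-bb", client),   # MAC mismatch: drop
    ]
    return [sw.decide(p) for p in packets]
```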
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command enables the use of DHCP Option 82 information for the switch, and information option specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
Chapter 9 | General Security Measures DHCPv4 Snooping directly between the server and client without having to flood them to the entire VLAN. ◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets. When enabled, the switch will only add/remove option 82 information in incoming DHCP packets but not relay them.
Chapter 9 | General Security Measures DHCPv4 Snooping EXAMPLE This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID). Console(config)#no ip dhcp snooping information option encode no-subtype Console(config)# ip dhcp snooping This command sets the remote ID to the switch’s IP address, MAC address, arbitrary information option string, or TR-101 compliant node identifier. Use the no form to restore the default remote-id setting.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command sets the board identifier used in Option 82 information based on information option TR-101 syntax. Use the no form to remove the board identifier. tr101 board-id Syntax ip dhcp snooping information option tr101 board-id board-id no ip dhcp snooping information option tr101 board-id board-id – TR101 Board ID.
Chapter 9 | General Security Measures DHCPv4 Snooping Example Console(config)#ip dhcp snooping information policy drop Console(config)# ip dhcp snooping limit rate This command sets the maximum number of DHCP packets that can be trapped by the switch for DHCP snooping. Use the no form to restore the default setting. Syntax ip dhcp snooping limit rate rate no ip dhcp snooping limit rate rate - The maximum number of DHCP packets that may be trapped for DHCP snooping.
Chapter 9 | General Security Measures DHCPv4 Snooping Example This example enables MAC address verification. Console(config)#ip dhcp snooping verify mac-address Console(config)# Related Commands ip dhcp snooping (317) ip dhcp snooping vlan (324) ip dhcp snooping trust (326) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Chapter 9 | General Security Measures DHCPv4 Snooping Related Commands ip dhcp snooping (317) ip dhcp snooping trust (326) ip dhcp snooping information option circuit-id This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings. Syntax ip dhcp snooping information option circuit-id string string no ip dhcp snooping information option circuit-id string - An arbitrary string inserted into the circuit identifier field.
Chapter 9 | General Security Measures DHCPv4 Snooping ■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk. ■ vlan - Tag of the VLAN which received the DHCP request. Note that the sub-type and sub-length fields can be enabled or disabled using the ip dhcp snooping information option command. ■ The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above.
Chapter 9 | General Security Measures DHCPv4 Snooping ◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example This example sets port 5 to untrusted.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command writes all dynamically learned snooping entries to flash memory. database flash Command Mode Privileged Exec Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
Chapter 9 | General Security Measures DHCPv6 Snooping show ip dhcp snooping binding This command shows the DHCP snooping binding table entries. Command Mode Privileged Exec Example
Console#show ip dhcp snooping binding
MAC Address        IP Address       Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
11-22-33-44-55-66  192.168.0.
Chapter 9 | General Security Measures DHCPv6 Snooping ipv6 dhcp snooping This command enables DHCPv6 snooping globally. Use the no form to restore the default setting. Syntax [no] ipv6 dhcp snooping Default Setting Disabled Command Mode Global Configuration Command Usage Network traffic may be disrupted when malicious DHCPv6 messages are received from an outside source. DHCPv6 snooping is used to filter DHCPv6 messages received on an unsecure interface from outside the network or fire wall.
Chapter 9 | General Security Measures DHCPv6 Snooping Identifier, and address (4 message exchanges to get IPv6 address), and forward to trusted port. ■ Solicit: Add new entry in binding cache, recording client’s DUID, IA type, IA ID (2 message exchanges to get IPv6 address with rapid commit option, otherwise 4 message exchanges), and forward to trusted port. ■ Decline: If no matching entry is found in binding cache, drop this packet.
Chapter 9 | General Security Measures DHCPv6 Snooping ◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s) through which the switch submits a client request to the DHCPv6 server must be configured as trusted (using the ipv6 dhcp snooping trust command). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCPv6 server.
Chapter 9 | General Security Measures DHCPv6 Snooping DHCPv6 client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN. ◆ DHCPv6 snooping must be enabled for the DHCPv6 Option 37 information to be inserted into packets. When enabled, the switch will either drop, keep or remove option 37 information in incoming DHCPv6 packets.
Chapter 9 | General Security Measures DHCPv6 Snooping Command Usage When the switch receives DHCPv6 packets from clients that already include DHCP Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information.
Chapter 9 | General Security Measures DHCPv6 Snooping Example This example enables DHCP6 snooping for VLAN 1. Console(config)#ipv6 dhcp snooping vlan 1 Console(config)# Related Commands ipv6 dhcp snooping (330) ipv6 dhcp snooping trust (335) ipv6 dhcp snooping This command sets the maximum number of entries which can be stored in the max-binding binding database for an interface. Use the no form to restore the default setting.
Chapter 9 | General Security Measures DHCPv6 Snooping Command Usage ◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall. ◆ Set all ports connected to DHCPv6 servers within the local network or fire wall to trusted, and all other ports outside the local network or fire wall to untrusted.
Chapter 9 | General Security Measures DHCPv6 Snooping Command Mode Privileged Exec Example Console(config)#clear ipv6 dhcp snooping binding 00-12-cf-01-02-03 2001::1 Console(config)# clear ipv6 dhcp This command clears statistical counters for DHCPv6 snooping client, server and snooping statistics relay packets. Command Mode Privileged Exec Example Console(config)#clear ipv6 dhcp snooping statistics Console(config)# show ipv6 dhcp This command shows the DHCPv6 snooping configuration settings.
Chapter 9 | General Security Measures DHCPv6 Snooping show ipv6 dhcp This command shows the DHCPv6 snooping binding table entries.
Chapter 9 | General Security Measures IPv4 Source Guard IPv4 Source Guard IPv4 Source Guard is a security feature that filters IPv4 traffic on network interfaces based on manually configured entries in the IPv4 Source Guard table, or dynamic entries in the DHCPv4 Snooping table when enabled (see “DHCPv4 Snooping” on page 316). IPv4 source guard can be used to prevent traffic attacks caused when a host tries to use the IPv4 address of a neighbor to access the network.
Chapter 9 | General Security Measures IPv4 Source Guard unit - Unit identifier. (Range: 1-8) port-list - Physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers. (Range: 1-28/52) Default Setting No configured entries Command Mode Global Configuration Command Usage ◆ If the binding mode is not specified in this command, the entry is bound to the ACL table by default.
Chapter 9 | General Security Measures IPv4 Source Guard ◆ Only unicast addresses are accepted for static bindings. Example This example configures a static source-guard binding on port 5. Since the binding mode is not specified, the entry is bound to the ACL table by default. Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.
Chapter 9 | General Security Measures IPv4 Source Guard ◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IPSG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. ◆ Static addresses entered in the source guard binding table with the ip source-guard binding command are automatically configured with an infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP server itself.
Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard This command sets the maximum number of entries that can be bound to an max-binding interface. Use the no form to restore the default setting. Syntax ip source-guard [mode {acl | mac}] max-binding number no ip source-guard [mode {acl | mac}] max-binding mode - Specifies the learning mode. acl - Searches for addresses in the ACL table. mac - Searches for addresses in the MAC address table.
Chapter 9 | General Security Measures IPv4 Source Guard Default Setting ACL Command Mode Interface Configuration (Ethernet) Command Usage There are two modes for the filtering table: ◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table. ◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Chapter 9 | General Security Measures IPv4 Source Guard show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example
Console#show ip source-guard
Interface
---------
Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
. . .
Chapter 9 | General Security Measures IPv6 Source Guard Example
Console#show ip source-guard binding
MAC Address        IP Address       Lease(sec)  Type            VLAN       Interface
-----------------  ---------------  ----------  --------------  ---------  ---------
11-22-33-44-55-66  192.168.0.
Chapter 9 | General Security Measures IPv6 Source Guard interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number. (Range: 1-28/52) Default Setting No configured entries Command Mode Global Configuration Command Usage ◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6Snooping), VLAN identifier, and port identifier.
Chapter 9 | General Security Measures IPv6 Source Guard Example This example configures a static source-guard binding on port 5. Console(config)#ipv6 source-guard binding 00-ab-11-cd-23-45 vlan 1 2001::1 interface ethernet 1/5 Console(config)# Related Commands ipv6 source-guard (348) ipv6 dhcp snooping (330) ipv6 dhcp snooping vlan (334) ipv6 source-guard This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table.
Chapter 9 | General Security Measures IPv6 Source Guard ◆ Static addresses entered in the source guard binding table with the ipv6 source-guard binding command are automatically configured with an infinite lease time. Dynamic entries learned via DHCPv6 snooping are configured by the DHCPv6 server itself. ◆ If IPv6 source guard is enabled, an inbound packet’s source IPv6 address will be checked against the binding table. If no matching entry is found, the packet will be dropped.
Chapter 9 | General Security Measures IPv6 Source Guard Default Setting 5 Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
Chapter 9 | General Security Measures ARP Inspection
Eth 1/3  DISABLED  5
Eth 1/4  DISABLED  5
Eth 1/5  SIP       1
Eth 1/6  DISABLED  5
. . .
show ipv6 source-guard binding This command shows the IPv6 source guard binding table. Syntax show ipv6 source-guard binding [dynamic | static] dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 329) static - Shows static entries configured with the ipv6 source-guard binding command.
Chapter 9 | General Security Measures ARP Inspection This section describes commands used to configure ARP Inspection.
Chapter 9 | General Security Measures ARP Inspection ◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine. ◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
Chapter 9 | General Security Measures ARP Inspection ◆ If static mode is enabled, the switch compares ARP packets to the specified ARP ACLs. Packets matching an IP-to-MAC address binding in a permit or deny rule are processed accordingly. Packets not matching any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked. ◆ If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped.
Chapter 9 | General Security Measures ARP Inspection ◆ If multiple, identical invalid ARP packets are received consecutively on the same VLAN, then the logging facility will only generate one entry in the log buffer and one corresponding system message. ◆ The maximum number of entries that can be stored in the log buffer is determined by the message-number parameter. If the log buffer fills up before a message is sent, the oldest entry will be replaced with the newest one.
Chapter 9 | General Security Measures ARP Inspection Command Usage By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database. Example Console(config)#ip arp inspection validate dst-mac Console(config)# ip arp inspection vlan This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. Syntax [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID.
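The static and non-static validation order described above, together with the optional dst-mac check, as an added example that is not code from the Edgecore guide. It compares only the sender IP/MAC pair against the ARP ACL; the meaning of dst-mac validation and what happens after an unmatched packet in non-static mode are assumptions marked in the comments.

```python
# Added example, not code from the Edgecore guide: a model of how ARP
# Inspection checks a packet against an ARP ACL and the DHCP snooping binding
# table in static and non-static mode, plus the optional dst-mac validation.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    is_request: bool
    sender_ip: str
    sender_mac: str
    target_mac: str   # target hardware address in the ARP body
    eth_dst_mac: str  # destination MAC of the Ethernet frame


def ip_matches(addr: str, pattern: str) -> bool:
    """'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (1 bits of M are compared)."""
    if pattern == "any":
        return True
    parts = pattern.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, mask = (int(IPv4Address(p)) for p in parts)
    return (int(IPv4Address(addr)) & mask) == (base & mask)


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_matches(mac: str, pattern: str) -> bool:
    """'any', 'host xx-xx-xx-xx-xx-xx' or 'xx-xx-xx-xx-xx-xx hex-bitmask'."""
    if pattern == "any":
        return True
    parts = pattern.split()
    if parts[0] == "host":
        return mac_to_int(mac) == mac_to_int(parts[1])
    base, mask = mac_to_int(parts[0]), mac_to_int(parts[1])
    return (mac_to_int(mac) & mask) == (base & mask)


@dataclass(frozen=True)
class ArpAclRule:
    action: str   # "permit" or "deny"
    kind: str     # "request", "response" or "any" (applies to both)
    ip: str       # sender IP pattern, as accepted by ip_matches
    mac: str      # sender MAC pattern, as accepted by mac_matches


def acl_lookup(rules: list[ArpAclRule], pkt: ArpPacket) -> Optional[str]:
    """First matching rule wins; None when no rule matches (simplified:
    only the sender IP/MAC pair is compared, not the target fields)."""
    for r in rules:
        if r.kind != "any" and (r.kind == "request") != pkt.is_request:
            continue
        if ip_matches(pkt.sender_ip, r.ip) and mac_matches(pkt.sender_mac, r.mac):
            return r.action
    return None


def inspect(pkt: ArpPacket, rules: list[ArpAclRule],
            bindings: set[tuple[str, str, int]],
            static_mode: bool = False, validate_dst_mac: bool = False) -> str:
    """bindings holds (ip, mac, vlan) tuples from the DHCP snooping table."""
    if validate_dst_mac and not pkt.is_request:
        # Assumption about 'validate dst-mac': the ARP target hardware address
        # of a reply must equal the Ethernet destination address.
        if pkt.target_mac.lower() != pkt.eth_dst_mac.lower():
            return "drop"
    verdict = acl_lookup(rules, pkt)
    if static_mode:
        # Only the ACL is consulted; packets matching no rule are dropped.
        return "forward" if verdict == "permit" else "drop"
    if verdict == "deny":
        return "drop"
    if verdict == "permit":
        return "forward"
    # Assumption for the truncated text: with static mode off, packets that
    # match no ACL rule are then checked against the DHCP snooping bindings.
    key = (pkt.sender_ip, pkt.sender_mac.lower(), pkt.vlan)
    return "forward" if key in bindings else "drop"
```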
Chapter 9 | General Security Measures ARP Inspection Example Console(config)#ip arp inspection vlan 1,2 Console(config)# ip arp inspection limit This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. Syntax ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second.
Chapter 9 | General Security Measures ARP Inspection Command Mode Interface Configuration (Port, Static Aggregation) Command Usage Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks. Packets arriving on trusted ports bypass all of these checks, and are forwarded according to normal switching rules.
Chapter 9 | General Security Measures ARP Inspection Example
Console#show ip arp inspection interface ethernet 1/1
Port Number    Trust Status    Rate Limit (pps)
-------------  --------------  ----------------
Eth 1/1        Trusted         150
Console#
show ip arp inspection log This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Chapter 9 | General Security Measures Denial of Service Protection show ip arp inspection This command shows the configuration settings for VLANs, including ARP vlan Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ARP ACL validation is completed. Syntax show ip arp inspection vlan [vlan-id | vlan-range] vlan-id - VLAN ID.
Chapter 9 | General Security Measures Denial of Service Protection Table 64: DoS Protection Commands (Continued)
Command                            Function                                                                          Mode
dos-protection tcp-udp-port-zero   Protects against attacks which set the Layer 4 source or destination port to zero   GC
dos-protection tcp-xmas-scan       Protects against DoS TCP-XMAS-scan attacks                                         GC
dos-protection udp-flooding        Protects against DoS UDP-flooding attacks                                          GC
dos-protection win-nuke            Protects against DoS WinNuke attacks                                               GC
show dos-protection                Shows the c
Chapter 9 | General Security Measures Denial of Service Protection Command Mode Global Configuration Example Console(config)#dos-protection smurf Console(config)# dos-protection tcp-flooding This command protects against DoS TCP-flooding attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never returns ACK packets.
Chapter 9 | General Security Measures Denial of Service Protection Example Console(config)#dos-protection tcp-null-scan Console(config)# dos-protection This command protects against DoS TCP-SYN/FIN-scan attacks in which a TCP SYN/ tcp-syn-fin-scan FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain SYN (synchronize) and FIN (finish) flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet.
Chapter 9 | General Security Measures Denial of Service Protection dos-protection This command protects against DoS TCP-xmas-scan in which a so-called TCP XMAS tcp-xmas-scan scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet. If the target TCP port is open, it simply discards the TCP XMAS scan.
Chapter 9 | General Security Measures Denial of Service Protection dos-protection win-nuke This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets carrying the TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.”
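Detection logic for the packet shapes the dos-protection commands above describe (port zero, null scan, SYN/FIN scan, XMAS scan, WinNuke), as an added example that is not code from the Edgecore guide. The guide does not define the null-scan signature; the definition used here (no control bits set) is an assumption, as are the constructed sample packets.

```python
# Added example, not code from the Edgecore guide: detection logic for the
# packet shapes the dos-protection commands above describe, run over
# constructed TCP/UDP headers. Flag values are the TCP control bits.
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


@dataclass(frozen=True)
class L4Packet:
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    seq: int = 0      # TCP sequence number
    flags: int = 0    # TCP control bits, 0-63


def signatures(p: L4Packet) -> set[str]:
    """Names of the dos-protection checks this packet would trigger."""
    hits: set[str] = set()
    if p.src_port == 0 or p.dst_port == 0:
        hits.add("tcp-udp-port-zero")
    if p.proto != "tcp":
        return hits
    # Assumption: a TCP null scan is a segment with no control bits set.
    if p.flags == 0:
        hits.add("tcp-null-scan")
    if p.flags & SYN and p.flags & FIN:
        hits.add("tcp-syn-fin-scan")
    # XMAS scan as described above: sequence number 0 with URG, PSH and FIN.
    xmas = URG | PSH | FIN
    if p.seq == 0 and (p.flags & xmas) == xmas:
        hits.add("tcp-xmas-scan")
    # WinNuke: out-of-band data (URG) sent to the NetBIOS session port 139.
    if p.flags & URG and p.dst_port == 139:
        hits.add("win-nuke")
    return hits


def apply_protection(packets, enabled: set[str]) -> list[tuple[str, set[str]]]:
    """Drop a packet when any triggered check is enabled; return the verdicts."""
    verdicts = []
    for p in packets:
        hits = signatures(p)
        action = "drop" if hits & enabled else "forward"
        verdicts.append((action, hits))
    return verdicts


def sample_verdicts() -> list[str]:
    """Constructed packets against a policy with only XMAS and WinNuke enabled."""
    enabled = {"tcp-xmas-scan", "win-nuke"}
    packets = [
        L4Packet("tcp", 40000, 80, seq=0, flags=URG | PSH | FIN),  # XMAS: drop
        L4Packet("tcp", 40001, 139, flags=URG | ACK),             # WinNuke: drop
        L4Packet("tcp", 40002, 22, flags=0),                      # null scan, check not enabled: forward
        L4Packet("tcp", 40003, 443, seq=12345, flags=SYN),        # ordinary SYN: forward
        L4Packet("udp", 0, 53),                                   # port zero, check not enabled: forward
    ]
    return [action for action, _ in apply_protection(packets, enabled)]
```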
Chapter 9 | General Security Measures Port-based Traffic Segmentation Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
Chapter 9 | General Security Measures Port-based Traffic Segmentation Command Mode Global Configuration Command Usage ◆ Use this command to create a new traffic-segmentation client session. ◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports. ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
Chapter 9 | General Security Measures Port-based Traffic Segmentation show This command displays the configured traffic segments.
10 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 10 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard – Specifies an ACL that filters packets based on the source IP address. extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. acl-name – Name of the ACL.
Chapter 10 | Access Control Lists IPv4 ACLs ip access-group This command binds an IPv4 ACL to all ports for ingress traffic. Use the no form to (Global Configuration) remove the port. Syntax ip access-group acl-name in [time-range time-range-name] [counter] no ip access-group acl-name in acl-name – Name of the ACL. (Maximum length: 32 characters) in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range.
Chapter 10 | Access Control Lists IPv4 ACLs permit, deny This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for (Standard IP ACL) packets emanating from the specified source. Use the no form to remove a rule. Syntax {permit | deny} {any | source bitmask | host source} [time-range time-range-name] no {permit | deny} {any | source bitmask | host source} any – Any source IP address. source – Source IP address.
Chapter 10 | Access Control Lists IPv4 ACLs permit, deny This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition (Extended IPv4 ACL) for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Chapter 10 | Access Control Lists IPv4 ACLs port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask – Decimal number representing the code bits to match. time-range-name - Name of the time range. (Range: 1-16 characters) Default Setting None Command Mode Extended IPv4 ACL Command Usage ◆ All new rules are appended to the end of the list.
Chapter 10 | Access Control Lists IPv4 ACLs Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule matches when the rule's masked address (10.7.1.0 & 255.255.255.0) equals the packet's masked source address (10.7.1.2 & 255.255.255.0), in which case the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.
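The bitmask matching just described, extended to the port-bitmask and control-flag/flag-bitmask fields listed in the syntax, as an added example that is not code from the Edgecore guide. The rules are built as Python objects rather than parsed from CLI text, and the implicit deny for packets matching no rule is an assumption.

```python
# Added example, not code from the Edgecore guide: first-match evaluation of
# extended IPv4 ACL rules with the address-bitmask, port-bitmask and
# control-flag semantics described above, over constructed packets.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32  # TCP control-flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "tcp", "udp", or any other protocol name
    sport: int = 0
    dport: int = 0
    flags: int = 0      # TCP control flags (byte 14 of the TCP header)


@dataclass(frozen=True)
class ExtRule:
    action: str                               # "permit" or "deny"
    src: str = "any"                          # 'any', 'host A' or 'A bitmask'
    dst: str = "any"
    proto: str = "ip"                         # "ip" matches every protocol
    sport: Optional[tuple[int, int]] = None   # (sport, port-bitmask)
    dport: Optional[tuple[int, int]] = None   # (dport, port-bitmask)
    flags: Optional[tuple[int, int]] = None   # (control-flags, flag-bitmask)


def addr_matches(addr: str, pattern: str) -> bool:
    """Bitmask semantics from the text: (rule & mask) == (packet & mask)."""
    if pattern == "any":
        return True
    parts = pattern.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, mask = (int(IPv4Address(p)) for p in parts)
    return (int(IPv4Address(addr)) & mask) == (base & mask)


def bits_match(value: int, spec: Optional[tuple[int, int]]) -> bool:
    """Port and control-flag fields: only bits set in the bitmask are compared."""
    if spec is None:
        return True
    pattern, bitmask = spec
    return (value & bitmask) == (pattern & bitmask)


def rule_matches(rule: ExtRule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    return (addr_matches(pkt.src, rule.src) and addr_matches(pkt.dst, rule.dst)
            and bits_match(pkt.sport, rule.sport)
            and bits_match(pkt.dport, rule.dport)
            and bits_match(pkt.flags, rule.flags))


def evaluate(acl: list[ExtRule], pkt: Packet, implicit_deny: bool = True) -> str:
    """Rules are checked in the order they were added; the first match decides.
    Assumption: a packet matching no rule is denied when implicit_deny is set."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny" if implicit_deny else "permit"


# Constructed ACL: the subnet rule from the example above, then a rule that
# admits only the opening SYN (SYN set, ACK clear) of TCP sessions to port 443.
SAMPLE_ACL = [
    ExtRule("permit", src="10.7.1.1 255.255.255.0"),
    ExtRule("permit", proto="tcp", dst="host 192.168.1.10",
            dport=(443, 65535), flags=(SYN, SYN | ACK)),
]
```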
Chapter 10 | Access Control Lists IPv4 ACLs Command Mode Interface Configuration (Ethernet) Command Usage If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/2 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (378) Time Range (172) show ip access-group This command shows the ports assigned to IP ACLs.
Chapter 10 | Access Control Lists IPv6 ACLs Example
Console#show ip access-list standard
IP standard access-list david:
  permit host 10.1.1.21
  permit 168.92.0.0 255.255.15.0
Console#
Related Commands permit, deny (374) ip access-group (Interface Configuration) (377) IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.
Chapter 10 | Access Control Lists IPv6 ACLs Default Setting None Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. ◆ An ACL can contain up to 64 rules.
Chapter 10 | Access Control Lists IPv6 ACLs Command Usage If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example Console(config)#ipv6 access-group standard david in Console(config)# Related Commands show ipv6 access-list (385) Time Range (172) permit, deny (Standard IPv6 ACL) This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.
Chapter 10 | Access Control Lists IPv6 ACLs Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
Related Commands access-list ipv6 (379) Time Range (172) permit, deny This command adds a rule to an Extended IPv6 ACL.
Chapter 10 | Access Control Lists IPv6 ACLs time-range-name - Name of the time range. (Range: 1-16 characters) Default Setting None Command Mode Extended IPv6 ACL Command Usage ◆ All new rules are appended to the end of the list. ◆ Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
Chapter 10 | Access Control Lists IPv6 ACLs ipv6 access-group This command binds an IPv6 ACL to a port. Use the no form to remove the port. (Interface Configuration) Syntax ipv6 access-group acl-name {in | out} [time-range time-range-name] [counter] no ipv6 access-group acl-name {in | out} acl-name – Name of the ACL. (Maximum length: 32 characters) in – Indicates that this list applies to ingress packets. out – Indicates that this list applies to egress packets. time-range-name - Name of the time range.
Chapter 10 | Access Control Lists MAC ACLs Related Commands ipv6 access-group (Interface Configuration) (384) show ipv6 access-list This command displays the rules for configured IPv6 ACLs. Syntax show ipv6 access-list {standard | extended} [acl-name] standard – Specifies a standard IPv6 ACL. extended – Specifies an extended IPv6 ACL. acl-name – Name of the ACL.
Chapter 10 | Access Control Lists MAC ACLs Table 70: MAC ACL Commands (Continued) Command Function Mode show mac access-group Shows port assignments for MAC ACLs PE show mac access-list Displays the rules for configured MAC ACLs PE access-list mac This command enters MAC ACL configuration mode. Rules can be added to filter packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
Chapter 10 | Access Control Lists MAC ACLs mac access-group This command binds a MAC ACL to all ports for ingress traffic. Use the no form to (Global Configuration) remove this binding. Syntax mac access-group acl-name in [time-range time-range-name] [counter] no mac access-group acl-name in acl-name – Name of the ACL. (Maximum length: 32 characters) in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range.
Chapter 10 | Access Control Lists MAC ACLs {ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}} [protocol protocol] [l4-source-port sport [port-bitmask]] [l4-destination-port dport [port-bitmask]}] [time-range time-range-name] no {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype ethertype [ethertype-bitmask]] {{ip {any | host source-ip | so
Chapter 10 | Access Control Lists MAC ACLs {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype ethertype [ethertype-bitmask]] {{ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask} {ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}} [protocol protocol] [l4-source-port sport [port-bitmask]] [l4-
Chapter 10 | Access Control Lists MAC ACLs destination – Destination MAC, IPv4 or IPv6 address. address-bitmask – Bitmask for MAC address (in hexadecimal format). network-mask – Network mask for IP subnet. This mask identifies the host address bits used for routing to specific subnets. prefix-length - Length of IPv6 prefix. A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128) vid – VLAN ID.
Chapter 10 | Access Control Lists MAC ACLs Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (386) Time Range (172) mac access-group This command binds a MAC ACL to a port. Use the no form to remove the port.
Chapter 10 | Access Control Lists MAC ACLs show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example
Console#show mac access-group
Interface ethernet 1/5
  MAC access-list M5 in
Global
  MAC access-list M5 in
Console#
Related Commands mac access-group (Interface Configuration) (391) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl-name] acl-name – Name of the ACL.
Chapter 10 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Chapter 10 | Access Control Lists ARP ACLs permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. Syntax [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log] This form indicates either request or response packets.
Chapter 10 | Access Control Lists ACL Information Related Commands access-list arp (393) show access-list arp This command displays the rules for configured ARP ACLs. Syntax show access-list arp [acl-name] acl-name – Name of the ACL. (Maximum length: 32 characters) Command Mode Privileged Exec Example Console#show access-list arp ARP access-list factory: permit response ip any 192.168.0.0 255.255.0.
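The rule evaluation an ARP ACL performs, as an added Python example (not code from this guide or the switch firmware): it parses rules in the permit/deny ip ... mac ... [log] form shown above, matches a sender IP/MAC pair against them in order, and falls back to an implicit deny when nothing matches. The sample ACL and addresses are constructed; the mask convention (1 bits are compared, as for the network mask described for MAC ACLs) and the implicit deny are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

MAC_ALL_ONES = 0xFFFFFFFFFFFF
IP_ALL_ONES = 0xFFFFFFFF


@dataclass
class ArpRule:
    action: str     # "permit" or "deny"
    ip_addr: int    # sender IPv4 address the rule compares against
    ip_mask: int    # assumption: network-mask style, 1 bits are compared
    mac_addr: int   # sender MAC address the rule compares against
    mac_mask: int   # assumption: same convention as ip_mask
    log: bool       # trailing "log" keyword present


def parse_mac(text: str) -> int:
    """Accept xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx or 12 bare hex digits."""
    digits = re.sub(r"[-:.]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"bad MAC address: {text}")
    return int(digits, 16)


def ipv4_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr_spec(tokens: List[str], i: int, conv: Callable[[str], int],
                     all_ones: int) -> Tuple[int, int, int]:
    """Parse {any | host X | X MASK} at tokens[i]; return (addr, mask, next_index)."""
    if tokens[i] == "any":
        return 0, 0, i + 1                       # mask 0: nothing is compared
    if tokens[i] == "host":
        return conv(tokens[i + 1]), all_ones, i + 2   # exact match
    return conv(tokens[i]), conv(tokens[i + 1]), i + 2


def parse_arp_rule(line: str) -> ArpRule:
    """Parse one rule of the form
    {permit | deny} ip {any | host A | A MASK} mac {any | host M | M MASK} [log]"""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported rule: {line}")
    ip_addr, ip_mask, i = _parse_addr_spec(tokens, 2, ipv4_to_int, IP_ALL_ONES)
    if i >= len(tokens) or tokens[i] != "mac":
        raise ValueError(f"expected 'mac' in rule: {line}")
    mac_addr, mac_mask, i = _parse_addr_spec(tokens, i + 1, parse_mac, MAC_ALL_ONES)
    log = i < len(tokens) and tokens[i] == "log"
    return ArpRule(tokens[0], ip_addr, ip_mask, mac_addr, mac_mask, log)


def parse_arp_acl(text: str) -> List[ArpRule]:
    return [parse_arp_rule(line) for line in text.splitlines() if line.strip()]


def rule_matches(rule: ArpRule, sender_ip: str, sender_mac: str) -> bool:
    ip = ipv4_to_int(sender_ip)
    mac = parse_mac(sender_mac)
    return ((ip & rule.ip_mask) == (rule.ip_addr & rule.ip_mask)
            and (mac & rule.mac_mask) == (rule.mac_addr & rule.mac_mask))


def evaluate_arp(acl: List[ArpRule], sender_ip: str, sender_mac: str) -> Tuple[str, bool]:
    """First matching rule wins; returns (action, log). Assumption: implicit deny."""
    for rule in acl:
        if rule_matches(rule, sender_ip, sender_mac):
            return rule.action, rule.log
    return "deny", False


# Constructed sample ACL with hypothetical addresses (not taken from the guide).
SAMPLE_ARP_ACL = parse_arp_acl("""
permit ip 10.1.0.0 255.255.0.0 mac 00-e0-29-00-00-00 ff-ff-ff-00-00-00
permit ip host 10.2.2.2 mac host 00-e0-29-94-34-de
deny ip any mac any log
""")

if __name__ == "__main__":
    for ip, mac in [("10.1.5.9", "00-e0-29-11-22-33"),
                    ("10.2.2.2", "00-e0-29-94-34-de"),
                    ("10.2.2.2", "00-aa-bb-cc-dd-ee")]:
        print(ip, mac, evaluate_arp(SAMPLE_ARP_ACL, ip, mac))
```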
Chapter 10 | Access Control Lists ACL Information interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number. (Range: 1-28/52) acl-name – Name of the ACL. (Maximum length: 32 characters) Command Mode Privileged Exec Example Console#clear access-list hardware counters Console# show access-group This command shows the port assignments of ACLs.
Chapter 10 | Access Control Lists ACL Information mac – Shows ingress or egress rules for MAC ACLs. tcam-utilization – Shows the number of user-configured ACL rules as a percentage of the total ACL rules the hardware supports. acl-name – Name of the ACL. (Maximum length: 32 characters) Command Mode Privileged Exec Example Console#show access-list IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 IP extended access-list bob: permit 10.7.1.1 255.255.255.0 any permit 192.168.1.0 255.255.255.
11 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Chapter 11 | Interface Commands Interface Configuration Table 73: Interface Commands (Continued) Command Function Mode Transceiver Threshold Configuration transceiver-monitor Sends a trap when any of the transceiver’s operational values fall outside specified thresholds IC transceiver-threshold-auto Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent IC transceiver-threshold current Sets thresholds for transceiver current which c
Chapter 11 | Interface Commands Interface Configuration port-list - Physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers.
Chapter 11 | Interface Commands Interface Configuration capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
Chapter 11 | Interface Commands Interface Configuration Related Commands negotiation (407) speed-duplex (408) flowcontrol (404) description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
Chapter 11 | Interface Commands Interface Configuration Command Mode Interface Configuration (Ethernet) Command Usage Use the no discard command to allow CDP or PVST packets to be forwarded to other ports in the same VLAN which are also configured to forward the specified packet type. Example The following example forwards CDP packets entering port 5. Console(config)#interface ethernet 1/5 Console(config-if)#no discard cdp Console(config-if)# flowcontrol This command enables flow control.
Chapter 11 | Interface Commands Interface Configuration Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (407) capabilities (402) history This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples. Use the no form to remove a named entry from the sampling table.
Chapter 11 | Interface Commands Interface Configuration media-type This command forces the transceiver mode to use for SFP/SFP+ ports, or the port type to use for combination RJ-45/SFP ports. Use the no form to restore the default mode. Syntax media-type {copper-forced | sfp-forced [mode] | sfp-preferred-auto} no media-type none - Mode is not forced. copper-forced - Always uses the built-in RJ-45 port. sfp-forced - Forces transceiver mode for the SFP/SFP+ port.
Chapter 11 | Interface Commands Interface Configuration negotiation This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. Syntax [no] negotiation Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
Chapter 11 | Interface Commands Interface Configuration Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. Example The following example disables port 5.
Chapter 11 | Interface Commands Interface Configuration ◆ To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface. ◆ When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface.
Chapter 11 | Interface Commands Interface Configuration Example The following example clears statistics on port 5. Console#clear counters ethernet 1/5 Console# show discard This command displays whether or not CDP and PVST packets are being discarded. Command Mode Privileged Exec Example In this example, “Default” means that the packets are not discarded.
Chapter 11 | Interface Commands Interface Configuration show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-16) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
Chapter 11 | Interface Commands Interface Configuration
       0 Pause Frames Input
       0 Pause Frames Output
===== RMON Stats =====
       0 Drop Events
16900558 Octets
   40243 Packets
     170 Broadcast PKTS
      23 Multi-cast PKTS
       0 Undersize PKTS
       0 Oversize PKTS
       0 Fragments
       0 Jabbers
       0 CRC Align Errors
       0 Collisions
   21065 Packet Size <= 64 Octets
    3805 Packet Size 65 to 127 Octets
    2448 Packet Size 128 to 255 Octets
     797 Packet Size 256 to 511 Octets
    2941 Packet Size 512 to 1023 Octets
    9187 Packet Size 1024 to 1518 Octets
===== Port Ut
Chapter 11 | Interface Commands Interface Configuration Table 74: show interfaces counters - display description (Continued) Parameter Description QLen Output The length of the output packet queue (in packets). Extended IF Table Stats Multicast Input The number of packets, delivered by this sub-layer to a higher (sub)layer, which were addressed to a multicast address at this sub-layer.
Chapter 11 | Interface Commands Interface Configuration Table 74: show interfaces counters - display description (Continued) Parameter Description Symbol Errors For an interface operating at 100 Mb/s, the number of times there was an invalid data symbol when a valid carrier was present.
Chapter 11 | Interface Commands Interface Configuration Table 74: show interfaces counters - display description (Continued) Parameter Description Input utilization The input utilization rate for this interface. Octets output per second Number of octets leaving this interface in kbits per second. Packets output per second Number of packets leaving this interface in packets per second. Output utilization The output utilization rate for this interface.
Chapter 11 | Interface Commands Interface Configuration
 LACP                   : Disabled
 MAC Learning           : Enabled
 Media Type             : None
Current Status:
 Link Status            : Up
 Port Operation Status  : Up
 Operation Speed-duplex : 100full
 Up Time                : 0w 0d 1h 11m 2s (4262 seconds)
 Flow Control Type      : None
 Max Frame Size         : 1518 bytes (1522 bytes for tagged frames)
 MAC Learning Status    : Enabled
Console#
show interfaces This command displays the administrative and operational status of the specified switchport interfaces.
Chapter 11 | Interface Commands Interface Configuration
 Allowed VLAN            : 1(u)
 Forbidden VLAN          :
 802.1Q Tunnel Status    : Disabled
 802.1Q Tunnel Mode      : Normal
 802.1Q Tunnel TPID      : 8100 (Hex)
 Layer 2 Protocol Tunnel : None
Console#
Table 75: show interfaces switchport - display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 463).
Chapter 11 | Interface Commands Transceiver Threshold Configuration Transceiver Threshold Configuration transceiver-monitor This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages.
Chapter 11 | Interface Commands Transceiver Threshold Configuration transceiver-threshold current This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. Syntax transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value high-alarm – Sets the high current threshold for an alarm message. high-warning – Sets the high current threshold for a warning message.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the transceiver current at port 1. Console(config)#interface ethernet 1/1 Console(config-if)#transceiver-threshold current low-alarm 100 Console(config-if)#transceiver-threshold current high-alarm 700 Console# transceiver-threshold rx-power This command sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the signal power received at port 1. Console(config)#interface ethernet 1/1 Console(config-if)#transceiver-threshold rx-power low-alarm -21 Console(config-if)#transceiver-threshold rx-power high-alarm -3 Console# transceiver-threshold temperature This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the transceiver temperature at port 1.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the signal power transmitted at port 1. Console(config)#interface ethernet 1/1 Console(config-if)#transceiver-threshold tx-power low-alarm -8 Console(config-if)#transceiver-threshold tx-power high-alarm -3 Console# transceiver-threshold voltage This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the transceiver voltage at port 1.
Chapter 11 | Interface Commands Transceiver Threshold Configuration
DDM Info
 Temperature  : 35.64 degree C
 Vcc          : 3.25 V
 Bias Current : 12.13 mA
 TX Power     : 2.36 dBm
 RX Power     : -24.20 dBm
DDM Thresholds
                       Low Alarm    Low Warning  High Warning  High Alarm
                       -----------  -----------  ------------  ----------
 Temperature(Celsius)  -45.00       -40.00       85.00         90.00
 Voltage(Volts)        2.90         3.00         3.60          3.70
 Current(mA)           1.00         3.00         50.00         60.00
 TxPower(dBm)          -11.50       -10.50       -2.00         -1.00
 RxPower(dBm)          -23.98       -23.01       -1.00         0.
Console#
Chapter 11 | Interface Commands Cable Diagnostics
Transceiver-threshold-auto : Enabled
                       Low Alarm    Low Warning  High Warning  High Alarm
                       -----------  -----------  ------------  ----------
 Temperature(Celsius)  -123.00      0.00         70.00         75.00
 Voltage(Volts)        3.10         3.15         3.45          3.50
 Current(mA)           6.00         7.00         90.00         100.00
 TxPower(dBm)          -12.00       -11.50       -9.50         -9.00
 RxPower(dBm)          -21.50       -21.00       -3.50         -3.
Console#
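The threshold check behind transceiver-monitor, as an added Python example (not code from this guide or the switch firmware): it classifies each DDM reading against its low/high alarm and warning thresholds using the values from the show output above, and checks that a threshold set is ordered consistently before it is configured. The RxPower high-alarm value is cut off on the page and is assumed here to be 0.00.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Thresholds:
    low_alarm: float
    low_warning: float
    high_warning: float
    high_alarm: float


def classify(value: float, th: Thresholds) -> str:
    """Map one DDM reading to the level the switch would report: 'normal' while the
    value stays inside the warning window, a warning once it leaves that window, and
    an alarm once it falls outside the alarm thresholds."""
    if value < th.low_alarm:
        return "low-alarm"
    if value < th.low_warning:
        return "low-warning"
    if value > th.high_alarm:
        return "high-alarm"
    if value > th.high_warning:
        return "high-warning"
    return "normal"


def validate(th: Thresholds) -> List[str]:
    """Return the ordering problems in a threshold set (empty list if consistent).
    A usable set needs low-alarm <= low-warning <= high-warning <= high-alarm."""
    problems = []
    if th.low_alarm > th.low_warning:
        problems.append("low-alarm above low-warning")
    if th.low_warning > th.high_warning:
        problems.append("low-warning above high-warning")
    if th.high_warning > th.high_alarm:
        problems.append("high-warning above high-alarm")
    return problems


def evaluate_ddm(readings: Dict[str, float],
                 thresholds: Dict[str, Thresholds]) -> Dict[str, str]:
    """Classify every parameter present in both the readings and the threshold table."""
    return {name: classify(readings[name], thresholds[name])
            for name in readings if name in thresholds}


# Values transcribed from the show interfaces transceiver output in this section
# (RxPower high alarm is truncated on the page; 0.00 is an assumption).
DDM_READINGS = {
    "Temperature(Celsius)": 35.64,
    "Voltage(Volts)": 3.25,
    "Current(mA)": 12.13,
    "TxPower(dBm)": 2.36,
    "RxPower(dBm)": -24.20,
}
DDM_THRESHOLDS = {
    "Temperature(Celsius)": Thresholds(-45.00, -40.00, 85.00, 90.00),
    "Voltage(Volts)": Thresholds(2.90, 3.00, 3.60, 3.70),
    "Current(mA)": Thresholds(1.00, 3.00, 50.00, 60.00),
    "TxPower(dBm)": Thresholds(-11.50, -10.50, -2.00, -1.00),
    "RxPower(dBm)": Thresholds(-23.98, -23.01, -1.00, 0.00),
}

if __name__ == "__main__":
    for name, level in evaluate_ddm(DDM_READINGS, DDM_THRESHOLDS).items():
        print(f"{name:22s} {DDM_READINGS[name]:8.2f}  {level}")
    # A constructed, inverted tx-power set is rejected before it reaches the switch:
    print(validate(Thresholds(8.0, -10.5, -2.0, -3.0)))
```

Run against the page's own sample, the transmit power is above its high alarm and the receive power is below its low alarm, which is exactly the condition transceiver-monitor would trap on.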
Chapter 11 | Interface Commands Cable Diagnostics show cable-diagnostics This command shows the results of a cable diagnostics test. Syntax show cable-diagnostics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Chapter 11 | Interface Commands Power Savings Power Savings power-save This command enables power savings mode on the specified port. Use the no form to disable this feature. Syntax [no] power-save Default Setting Enabled Command Mode Interface Configuration (Ethernet) Command Usage IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
Chapter 11 | Interface Commands Power Savings determine whether or not it can reduce the signal amplitude used on a particular link. Note: Power-savings mode on an active link only works when the connection speed is 100 Mbps or higher at linkup, and line length is less than 60 meters. Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters.
12 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands Guidelines for Creating Trunks General Guidelines – ◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop. ◆ A trunk can have up to 8 ports. ◆ The ports at both ends of a connection must be configured as trunk ports. ◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands src-dst-ip - Load balancing based on source and destination IP address. src-dst-mac - Load balancing based on source and destination MAC address. src-ip - Load balancing based on source IP address. src-mac - Load balancing based on source MAC address. Default Setting src-dst-ip Command Mode Global Configuration Command Usage ◆ This command applies to all static and dynamic trunks on the switch.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands ■ src-mac: All traffic with the same source MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from many different hosts. Example Console(config)#port-channel load-balance dst-ip Console(config)# channel-group This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage ◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands
 Multicast Storm             : Disabled
 Multicast Storm Limit       : 500 packets/second
 Unknown Unicast Storm       : Disabled
 Unknown Unicast Storm Limit : 500 packets/second
 Flow Control                : Disabled
 VLAN Trunking               : Disabled
Current status:
 Created By                  : LACP
 Link Status                 : Up
 Port Operation Status       : Up
 Operation Speed-duplex      : 1000full
 Up Time                     : 0w 0d 0h 0m 53s (53 seconds)
 Flow Control Type           : None
 Max Frame Size              : 1518 bytes (1522 bytes for tagged frames)
 MAC L
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor admin-key 120 Console(config-if)# lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Default Setting 0 Command Mode Interface Configuration (Port Channel) Command Usage ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured). ◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands ◆ If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group. ◆ When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port. ◆ When a dynamic port-channel is torn down, the configured timeout value will be retained.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 77: show lacp counters - display description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received on this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group. Marker Received Number of valid Marker PDUs received by this channel group.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 78: show lacp internal - display description (Continued) Field Description Admin State, Oper State Administrative or operational values of the actor’s state parameters: ◆ Expired – The actor’s receive machine is in the expired state; ◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 79: show lacp neighbors - display description (Continued) Field Description Port Admin Priority Current administrative value of the port priority for the protocol partner. Port Oper Priority Priority value assigned to this aggregation port by the partner. Admin Key Current administrative value of the Key for the protocol partner. Oper Key Current operational value of the Key for the protocol partner.
13 Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the RJ-45 ports 1-24/48 on the ECS4510-28P/52P. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
Chapter 13 | Power over Ethernet Commands ◆ When detection is enabled for PoE-compliant devices, power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the port’s power budget or the switch’s power budget.
Chapter 13 | Power over Ethernet Commands power inline priority This command sets the power priority for specific ports. Use the no form to restore the default setting. Syntax power inline priority priority no power inline priority priority - The power priority for the port.
Chapter 13 | Power over Ethernet Commands show power inline status This command displays the current power status for all ports or for specific ports. Syntax show power inline status [interface] interface ethernet unit - Unit identifier. (Range: 1-8) port - Port number.
Chapter 13 | Power over Ethernet Commands show power mainpower Use this command to display the current power status for the switch. Command Mode Privileged Exec Example
Console#show power mainpower
Unit 1
 Main Power Status            : 780.0 Watts (using main power)
 PoE Maximum Available Power  : 780.
 PoE Maximum Allocation Power :
 System Operation Status      :
 PoE Power Consumption        :
 Software Version             :
Console#
14 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands vlan-id - VLAN ID (Range: 1-4094) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters) Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands ◆ You can create multiple mirror sessions, but all sessions must share the same destination port. ◆ The destination port cannot be a trunk or trunk member port. ◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps: 1. Use the access-list command (page 371) to add an ACL. 2. Use the access-group command to add a mirrored port to an access control list. 3.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 is prohibited.) 2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored. 3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. 4.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it. ◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Example The following example configures the switch to mirror received packets from port 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# rspan destination Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned. Example The following example configures port 4 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/4 Console(config)# rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch. ◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands show rspan Use this command to display the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1) Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
15 Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Table 87: Congestion Control Commands Command Group Function Rate Limiting Sets the input and output rate limits for a port.
Chapter 15 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input – Input rate for specified interface output – Output rate for specified interface rate – Maximum value in kbps.
Chapter 15 | Congestion Control Commands Storm Control Commands Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Table 90: ATC Commands (Continued) Command Function Mode auto-traffic-control action Sets the control action to limit ingress traffic or shut IC (Port) down the offending port auto-traffic-control alarm-clear-threshold Sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent auto-traffic-control alarm-fire-threshold Sets the upper threshold for ingress traffic beyond IC (Port) which a
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Usage Guidelines ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Figure 2: Storm Control by Shutting Down a Port The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port. Functional Limitations Automatic storm control is a software level control function.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command. Example This example sets the apply timer to 200 seconds for all ports.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. Syntax [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled. Default Setting rate-control Command Mode Interface Configuration (Ethernet) Command Usage When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Default Setting 128 kilo-packets per second Command Mode Interface Configuration (Ethernet) Command Usage ◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control control-release This command manually releases a control response. Syntax auto-traffic-control {broadcast | multicast} control-release interface interface broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic. interface ethernet unit/port-list unit - Unit identifier.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear Console(config-if)# Related Commands auto-traffic-control action (469) auto-traffic-control alarm-clear-threshold (470) snmp-server enable port-traps atc This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply Console(config-if)# Related Commands auto-traffic-control alarm-fire-threshold (471) auto-traffic-control apply-timer (467) snmp-server enable port-traps atc This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Mode Interface Configuration (Ethernet) Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear Console(config-if)# Related Commands auto-traffic-control action (469) auto-traffic-control alarm-clear-threshold (470) snmp-server enable port-traps atc This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-control-apply Console(config-if)# Related Commands auto-traffic-control alarm-fire-threshold (471) auto-traffic-control apply-timer (467) snmp-server enable port-traps atc This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec) : 300 release-timer(sec) : 900 Console# show auto-traffic- This command shows interface configuration settings and storm control status for control interface the specified port. Syntax show auto-traffic-control interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
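As an added illustration of the alarm, apply and release sequence described in the commands above, the following Python model replays per-second broadcast rate samples through the documented stages: an alarm when the rate crosses the upper threshold, a control response (rate-control or shutdown) once the apply timer has expired with the rate still above threshold, an alarm-clear when the rate falls beneath the lower threshold, and a release after the release timer. This is constructed example code, not part of the guide or the switch firmware; the one-sample-per-second granularity, the event names, the upper threshold and the sample rates are assumptions, while the lower threshold (128 kpps), apply timer (300 s) and release timer (900 s) defaults are the ones shown on this page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Simplified model of automatic traffic control (ATC) for one port, built from
# the behaviour the CLI guide describes. Added example, not switch code: one
# sample per second and the event names are assumptions for illustration.


@dataclass
class AtcPort:
    alarm_fire_kpps: int = 1024    # upper threshold (constructed value)
    alarm_clear_kpps: int = 128    # lower threshold (guide default)
    apply_timer: int = 300         # seconds above threshold before acting
    release_timer: int = 900       # seconds below threshold before release
    action: str = "rate-control"   # "rate-control" or "shutdown"
    # runtime state
    alarm: bool = False            # upper threshold currently exceeded
    controlled: bool = False       # control response currently applied
    shutdown: bool = False         # port administratively disabled by ATC
    over_since: Optional[int] = None
    under_since: Optional[int] = None
    events: List[Tuple[int, str]] = field(default_factory=list)

    def sample(self, t: int, kpps: int) -> None:
        """Process the broadcast rate observed at second t."""
        if self.shutdown:
            return  # a port shut down by ATC needs a manual re-enable
        if kpps > self.alarm_fire_kpps:
            self.under_since = None
            if not self.alarm:
                self.alarm, self.over_since = True, t
                self.events.append((t, "broadcast-alarm-fire"))
            elif not self.controlled and t - self.over_since >= self.apply_timer:
                self.controlled = True
                self.events.append((t, "broadcast-control-apply"))
                if self.action == "shutdown":
                    self.shutdown = True
        elif kpps < self.alarm_clear_kpps:
            if self.alarm:
                self.alarm, self.over_since = False, None
                self.under_since = t
                self.events.append((t, "broadcast-alarm-clear"))
            elif (self.controlled and self.under_since is not None
                  and t - self.under_since >= self.release_timer):
                self.controlled, self.under_since = False, None
                self.events.append((t, "control-release"))  # assumed event name
        # a rate between the two thresholds leaves the state unchanged (hysteresis)

    def control_release(self) -> None:
        """Operator action: auto-traffic-control ... control-release."""
        self.controlled = False
        self.under_since = None

    def no_shutdown(self) -> None:
        """Manual re-enable of a port that ATC administratively disabled."""
        self.shutdown = self.controlled = self.alarm = False
        self.over_since = self.under_since = None


def replay(port: AtcPort, rates: List[int]) -> List[Tuple[int, str]]:
    """Feed a constructed per-second rate series and return the events raised."""
    for t, kpps in enumerate(rates):
        port.sample(t, kpps)
    return port.events


if __name__ == "__main__":
    # Constructed series: a 7 s broadcast burst, then quiet. Timers shortened.
    p = AtcPort(alarm_fire_kpps=1000, apply_timer=5, release_timer=10)
    print(replay(p, [2000] * 7 + [50] * 12))
```

The `shutdown` branch matters operationally: once the model disables the port it ignores further samples, mirroring the guide's statement that such a port can only be manually re-enabled, so a monitoring system should treat the control-apply event on a shutdown-action port as a ticket, not a transient alarm.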
16 Loopback Detection Commands

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.

Chapter 16 | Loopback Detection Commands

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.

Syntax
[no] loopback-detection

Default Setting
Disabled

Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)

Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.

Command Usage
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port’s VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.

restore a specific port, use the no shutdown command.

Example
Console(config)#loopback-detection recover-time 120
Console(config-if)#

loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.

Default Setting
None

Command Mode
Global Configuration

Command Usage
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.

Example
Console(config)#loopback-detection trap both
Console(config)#

loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.

Example
Console#show loopback-detection
Loopback Detection Global Information
 Global Status     : Enabled
 Transmit Interval : 10
 Recover Time      : 60
 Action            : Shutdown
 Trap              : None

Loopback Detection Port Information
 Port     Admin State  Oper State
 -------- -----------  ----------
 Eth 1/ 1 Enabled      Normal
 Eth 1/ 2 Disabled     Disabled
 Eth 1/ 3 Disabled     Disabled
 .
 .
 .
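The show loopback-detection output above is what an operator polls to find ports the feature has taken out of service. As an added example (not code from the guide or the switch), the following Python parser turns that layout into structured data and lists ports where detection is enabled but the operational state is not Normal. The sample text is constructed from the example above; the third port row, with a Shutdown operational state, is a constructed value chosen to exercise the check and is not a string taken from the guide.

```python
import re
from typing import Dict, List, Tuple

# Added example: parse 'show loopback-detection' output so a monitoring job
# can flag ports loopback detection has blocked or shut down. Not switch code.
# The 'Eth 1/ 3' row is constructed to show a port taken out of service.

SAMPLE_OUTPUT = """\
Loopback Detection Global Information
 Global Status     : Enabled
 Transmit Interval : 10
 Recover Time      : 60
 Action            : Shutdown
 Trap              : None

Loopback Detection Port Information
 Port     Admin State  Oper State
 -------- -----------  ----------
 Eth 1/ 1 Enabled      Normal
 Eth 1/ 2 Disabled     Disabled
 Eth 1/ 3 Enabled      Shutdown
"""

_KV = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")       # ' Key : Value'
_ROW = re.compile(r"^\s*(Eth\s+\d+/\s*\d+)\s+(\S+)\s+(\S+)\s*$")  # port table row


def parse_loopback_detection(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (global settings, per-port rows) from the command output."""
    settings: Dict[str, str] = {}
    ports: List[Dict[str, str]] = []
    in_ports = False
    for line in text.splitlines():
        if line.startswith("Loopback Detection Port Information"):
            in_ports = True
            continue
        if not in_ports:
            m = _KV.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
        else:
            m = _ROW.match(line)
            if m:
                # normalise the guide's 'Eth 1/ 3' spacing to 'Eth 1/3'
                port = "Eth " + re.sub(r"\s+", "", m.group(1)[3:])
                ports.append({"port": port, "admin": m.group(2), "oper": m.group(3)})
    return settings, ports


def ports_needing_attention(text: str) -> List[str]:
    """Ports where detection is enabled but the operational state is not Normal."""
    _, ports = parse_loopback_detection(text)
    return [p["port"] for p in ports
            if p["admin"] == "Enabled" and p["oper"] != "Normal"]


if __name__ == "__main__":
    print(parse_loopback_detection(SAMPLE_OUTPUT)[0])
    print(ports_needing_attention(SAMPLE_OUTPUT))
```

Reading the global Action and Recover Time alongside the port list is deliberate: with Action set to Shutdown and a recover time configured, a flagged port may come back on its own, whereas a port shut down with no recovery needs the loopback-detection release command or a manual no shutdown.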
17 UniDirectional Link Detection Commands

The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity, learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.

Chapter 17 | UniDirectional Link Detection Commands

Command Usage
When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval. After the detection-interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.”

udld recovery
This command configures the switch to automatically recover from the UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature.

Syntax
[no] udld recovery

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When the automatic recovery state is changed by this command, any ports shut down by UDLD will be reset.

Example
Console(config)#udld recovery-interval 15
Console(config)#

udld aggressive
This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting.

Syntax
[no] udld aggressive

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet Port)

Command Usage
UDLD can function in two modes: normal mode and aggressive mode.

Example
This example enables UDLD aggressive mode on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#

udld port
This command enables UDLD on a port. Use the no form to disable UDLD on an interface.

show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.

Syntax
show udld [interface interface]
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.

Table 93: show udld - display description (Continued)
Field              Description
Recovery Interval  Shows the period after which to recover from the UDLD disabled port state if automatic recovery is enabled
UDLD               Shows if UDLD is enabled or disabled on a port
Mode               Shows if UDLD is functioning in Normal or Aggressive mode
Oper State         Shows the UDLD operational state (Disabled, Link down, Link up, Advertisement, Detection, Disabled port, Advertisement - Single nei
18 Address Table Commands

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.

Chapter 18 | Address Table Commands

Command Usage
The aging time is used to age out dynamically learned forwarding information.

Example
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table hash-lookup-depth
This command sets the hash lookup depth used when searching the MAC address table. Use the no form to restore the default setting.

Syntax
mac-address-table hash-lookup-depth depth
no mac-address-table hash-lookup-depth
depth - The depth used in the hash lookup process.

mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.

clear collision-mac-address-table
This command removes all entries from the collision MAC address table.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#clear collision-mac-address-table
Console#

clear mac-address-
This command removes any learned entries from the forwarding database.

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.

Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
mask - Bits to match in the address.
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.

 Eth 1/ 1  00-E0-29-94-34-64  1  Learn  Delete on Timeout
Console#

show mac-address-table aging-time
This command shows the aging time for entries in the address table.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show mac-address-table aging-time
 Aging Status : Enabled
 Aging Time   : 300 sec.

Maximum number of MAC Address which can be created in the system:
 Total Number of MAC Address   : 16384
 Number of Static MAC Address  : 1024
Current number of entries which have been created in the system:
 Total Number of MAC Address   : 3
 Number of Static MAC Address  : 1
 Number of Dynamic MAC Address : 2
Console#

show mac-address-table hash-lookup-
This command shows the hash lookup depth used when searching the MAC address table.
19 Spanning Tree Commands

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.

Chapter 19 | Spanning Tree Commands

Table 95: Spanning Tree Commands (Continued)
Command                                        Function                                                                                        Mode
spanning-tree loopback-detection               Enables BPDU loopback detection for a port                                                      IC
spanning-tree loopback-detection action        Configures the response for loopback detection to block user traffic or shut down the interface  IC
spanning-tree loopback-detection release-mode  Configures loopback release mode for a port                                                     IC
spanning-tree loopback-detection trap          Enables BPDU loopback SNMP trap notification for

Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and to provide backup links which automatically take over when a primary link goes down.

Default Setting
15 seconds

Command Mode
Global Configuration

Command Usage
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
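The max-age bounds above depend on the hello-time and forward-time in force, so a value that is valid today can be rejected after one of the other timers changes. As an added example (not code from the guide or the switch), the following Python check computes the acceptable max-age window from the two formulas the command documents and reports every violation, including the case where the window is empty. The forward-time default of 15 seconds and the 6-40 second range come from this page; the hello-time default of 2 seconds is the IEEE 802.1D value and is not stated on this page.

```python
from typing import List, Tuple

# Added example: validate spanning-tree max-age against the bounds the
# max-age command documents. Not switch code. hello-time default 2 s is the
# IEEE 802.1D value; forward-time default 15 s and the 6-40 range are from the
# guide.

MAX_AGE_RANGE = (6, 40)   # hard limits of the max-age command


def max_age_bounds(hello_time: int, forward_time: int) -> Tuple[int, int]:
    """Lowest and highest max-age the switch accepts for these timers.

    min = higher of 6 or 2*(hello-time+1); max = lower of 40 or 2*(forward-time-1).
    The pair may be inverted (lo > hi) when the other timers are inconsistent.
    """
    lo = max(MAX_AGE_RANGE[0], 2 * (hello_time + 1))
    hi = min(MAX_AGE_RANGE[1], 2 * (forward_time - 1))
    return lo, hi


def check_sta_timers(hello_time: int = 2, forward_time: int = 15,
                     max_age: int = 20) -> List[str]:
    """Return constraint violations for the timer set (empty when consistent)."""
    lo, hi = max_age_bounds(hello_time, forward_time)
    problems: List[str] = []
    if lo > hi:
        problems.append(
            f"no max-age fits: 2*(hello-time+1)={2 * (hello_time + 1)} exceeds "
            f"2*(forward-time-1)={2 * (forward_time - 1)}")
    if max_age < lo:
        problems.append(f"max-age {max_age} is below the minimum {lo}")
    if max_age > hi:
        problems.append(f"max-age {max_age} is above the maximum {hi}")
    return problems


if __name__ == "__main__":
    print(max_age_bounds(2, 15))            # defaults: (6, 28)
    print(check_sta_timers(max_age=30))     # too large for forward-time 15
    print(check_sta_timers(hello_time=15, forward_time=15, max_age=28))
```

Running the check before pushing a change of hello-time or forward-time avoids the situation where the switch accepts the first command and rejects the second, leaving the bridge with a half-applied timer set.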
Default Setting
rstp

Command Mode
Global Configuration

Command Usage
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.

spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
short - Specifies 16-bit based values that range from 1-65535.

Command Mode
Global Configuration

Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., the lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.

Default Setting
Floods to all other ports in the same VLAN.

Command Mode
Global Configuration

Command Usage
The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command).

Example
Console(config)#spanning-tree system-bpdu-flooding
Console(config)#

spanning-tree tc-prop
This command configures a topology change propagation domain. Use the no form to remove a propagation domain.

Example
Console(config)#spanning-tree tc-prop group 1 ethernet 1/1-5
Console(config)#

spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.

Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - The transmission limit in seconds.

spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped.

Example
Console(config-mstp)#max-hops 30
Console(config-mstp)#

mst priority
This command configures the priority of a spanning tree instance.

mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.

Syntax
[no] mst instance-id vlan vlan-range
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
vlan-range - Range of VLANs. (Range: 1-4094)

Default Setting
none

Command Mode
MST Configuration

Command Usage
◆ Use this command to group VLANs into spanning tree instances.

Command Mode
MST Configuration

Command Usage
The MST region name and revision number (page 513) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.

spanning-tree bpdu-filter
This command filters all BPDUs received on an edge port. Use the no form to disable this feature.

Syntax
[no] spanning-tree bpdu-filter

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This command filters all Bridge Protocol Data Units (BPDUs) received on an interface to save CPU processing time.

Default Setting
BPDU Guard: Disabled
Auto-Recovery: Disabled
Auto-Recovery Interval: 300 seconds

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ An edge port should only be connected to end nodes which do not generate BPDUs. If a BPDU is received on an edge port, this indicates an invalid network configuration, or that the switch may be under attack by a hacker.
Table 96: Recommended STA Path Cost Range (Continued)
Port Type         Short Path Cost (IEEE 802.1D-1998)  Long Path Cost (IEEE 802.1D-2004)
Gigabit Ethernet  3-10                                2,000-200,000
10G Ethernet      1-5                                 200-20,000

Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode.

spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.

Syntax
spanning-tree edge-port [auto]
no spanning-tree edge-port
auto - Automatically determines if an interface is an edge port.

Default Setting
Auto

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges.
◆ When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.

spanning-tree loopback-detection action
This command configures the response for loopback detection to block user traffic or shut down the interface. Use the no form to restore the default.

Syntax
spanning-tree loopback-detection action {block | shutdown duration}
no spanning-tree loopback-detection action
block - Blocks user traffic.
shutdown - Shuts down the interface.
duration - The duration to shut down the interface.

Default Setting
auto

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied:
■ The port receives any other BPDU except for its own, or;
■ The port’s link status changes to link down and then link up again, or;
■ The port ceases to receive its own BPDUs in a forward delay interva

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection trap

spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.

Syntax
spanning-tree mst instance-id cost cost
no spanning-tree mst instance-id cost
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
cost - Path cost for an interface.

Related Commands
spanning-tree mst port-priority (522)

spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority for an interface.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ When enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN, as specified by the spanning-tree system-bpdu-flooding command.
◆ The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port by the spanning-tree port-bpdu-flooding command.

Related Commands
spanning-tree cost (515)

spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.

spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.

Syntax
[no] spanning-tree spanning-disabled

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Example
This example disables the spanning tree algorithm for port 5.

spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback detection.

Syntax
spanning-tree loopback-detection release interface
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.

migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).

Example
Console#spanning-tree protocol-migration eth 1/5
Console#

show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).

◆ Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.

 .
 .
This example shows a brief summary of global and interface settings for the spanning tree.
Console#show spanning-tree brief
 Spanning Tree Mode             : RSTP
 Spanning Tree Enabled/Disabled : Enabled
 Designated Root                : 32768.
 Current Root Port (Eth)        :
 Current Root Cost              :

Example
Console#show spanning-tree tc-prop group 1
 Group 1
  Eth 1/ 1, Eth 1/ 2, Eth 1/ 3, Eth 1/ 4, Eth 1/ 5
Console#
20 ERPS Commands

The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.

Chapter 20 | ERPS Commands

Table 98: ERPS Commands (Continued)
Command                Function                                                                                                                                                                                                   Mode
clear erps statistics  Clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health protocol messages                                                                                                                   PE
erps clear             Manually clears protection state which has been invoked by a Forced Switch or Manual Switch command, and the node is operating under non-revertive mode; or before the WTR or WTB timer expires when the node is operating in revertive mode  PE
erps forced-switch     Blocks the specified ring port er

6. Enable ERPS: Before enabling a ring as described in the next step, first use the erps command to globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled with the no erps command, no ERPS rings will work.
7. Enable an ERPS ring: Before an ERPS ring can work, it must be enabled using the enable command.

erps domain
This command creates an ERPS ring and enters ERPS configuration mode for the specified domain. Use the no form to delete a ring.

Syntax
erps domain ring-name [id ring-id]
no erps domain ring-name
ring-name - Name of a specific ERPS ring. (Range: 1-12 characters)
ring-id - ERPS ring identifier used in R-APS messages.

Command Usage
◆ Configure one control VLAN for each ERPS ring. First create the VLAN to be used as the control VLAN (vlan, page 570), add the ring ports for the east and west interface as tagged members to this VLAN (switchport allowed vlan, page 573), and then use the control-vlan command to add it to the ring.

ring-port command, the RPL owner specified with the rpl owner command, and the control VLAN configured with the control-vlan command.
◆ Once enabled, the RPL owner node and non-owner node state machines will start, and the ring will enter idle state if no signal failures are detected.

Example
Console(config-erps)#enable
Console(config-erps)#

Related Commands
erps (533)

guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages.

holdoff-timer
This command sets the timer to filter out intermittent link faults. Use the no form to restore the default setting.

Syntax
holdoff-timer milliseconds
milliseconds - The hold-off timer is used to filter out intermittent link faults. Faults will only be reported to the ring protection mechanism if this timer expires.

Command Mode
ERPS Configuration

Command Usage
◆ This switch can support up to six rings. However, ERPS control packets can only be sent on one ring. This command is used to indicate that the current ring is a secondary ring, and to specify the major ring which will be used to send ERPS control packets.
◆ The Ring Protection Link (RPL) is the west port and cannot be configured. So the physical port on a secondary ring must be the west port.

Example
Console(config-erps)#meg-level 0
Console(config-erps)#

Related Commands
ethernet cfm domain (773)
ethernet cfm mep (778)

mep-monitor
This command specifies the CFM MEPs used to monitor the link on a ring node. Use the no form to restore the default setting.

Syntax
mep-monitor {east | west} mep mpid
east - Connects to the next ring node to the east.
west - Connects to the next ring node to the west.
mpid - Maintenance end point identifier.

Related Commands
ethernet cfm domain (773)
ethernet cfm mep (778)

node-id
This command sets the MAC address for a ring node. Use the no form to restore the default setting.

Syntax
node-id mac-address
mac-address - A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
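The node-id command above and the mac-address-table static command in the previous chapter both take a MAC address in one of two documented forms, xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. As an added example (not code from the guide or the switch), the following Python helpers validate input against exactly those two forms, rejecting other notations such as colon-separated addresses, normalise the address to the dashed form used in the guide's show output, report whether the group (I/G) bit is set, and assemble a mac-address-table static line from validated parts. The unit range 1-8 is from this page; the VLAN range 1-4094 is the one this guide gives for mst vlan and is assumed to apply here as well.

```python
import re

# Added example: validate the two MAC address formats the node-id and
# mac-address-table static commands document, and build a static entry line
# from validated input. Not switch code. VLAN range 1-4094 is assumed.

_DASHED = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")   # xx-xx-xx-xx-xx-xx
_PLAIN = re.compile(r"^[0-9A-Fa-f]{12}$")                         # xxxxxxxxxxxx


def normalize_mac(text: str) -> str:
    """Return the address as XX-XX-XX-XX-XX-XX, or raise ValueError."""
    s = text.strip()
    if _DASHED.match(s):
        digits = s.replace("-", "")
    elif _PLAIN.match(s):
        digits = s
    else:
        raise ValueError(f"{text!r}: use xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_group_address(mac: str) -> bool:
    """True when the I/G bit of the first octet is set (multicast/broadcast).

    The G.8032v1 node identifier 01-19-A7-00-00-01 named on this page is one.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def static_entry_command(mac: str, unit: int, port: int, vlan: int) -> str:
    """Build 'mac-address-table static ... interface ethernet unit/port vlan vlan-id'."""
    if not 1 <= unit <= 8:
        raise ValueError("unit must be 1-8")
    if port < 1:
        raise ValueError("port must be a positive port number")
    if not 1 <= vlan <= 4094:                       # assumed VLAN range
        raise ValueError("vlan must be 1-4094")
    return (f"mac-address-table static {normalize_mac(mac)} "
            f"interface ethernet {unit}/{port} vlan {vlan}")


if __name__ == "__main__":
    print(normalize_mac("00e029943464"))
    print(is_group_address("01-19-A7-00-00-01"))
    print(static_entry_command("00-e0-29-94-34-64", 1, 1, 1))
```

Validating at the point where configuration is generated keeps a malformed address from reaching the switch as a half-applied ring or forwarding entry, and the canonical form makes entries comparable with what show mac-address-table later reports.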
Default Setting
Disabled

Command Mode
ERPS Configuration

Command Usage
◆ The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL.

non-revertive
This command enables non-revertive mode, which requires the protection state on the RPL to be manually cleared. Use the no form to restore the default revertive mode.

Syntax
[no] non-revertive

Default Setting
Disabled

Command Mode
ERPS Configuration

Command Usage
Revertive behavior allows the switch to automatically return the RPL from Protection state to Idle state through the exchange of protocol messages.

traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and performing a flush FDB action.
d. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL link that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF (do not flush) indication, all ring nodes flush the FDB.

b. The WTB timer is cancelled if during the WTB period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node.
c. When the WTB timer expires, in the absence of any other higher priority request, the RPL Owner Node initiates reversion by blocking the traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushing the FDB.
d.

■ Recovery with revertive mode is handled in the following way:
a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, starts the WTB timer and waits for it to expire. While the WTB timer is running, any latent R-APS (MS) message is ignored due to the higher priority of the WTB running signal.
b. When the WTB timer expires, it generates the WTB expire signal.
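The revertive and non-revertive recovery steps above describe a small state machine on the RPL Owner Node: an R-APS (NR) starts the WTB timer, a higher priority request cancels it, a latent R-APS (MS) is ignored while it runs, and expiry (or an erps clear, which Table 98 describes as clearing protection state before the timer expires or in non-revertive mode) blocks the RPL, sends R-APS (NR, RB) on both ring ports and flushes the FDB. The following Python model is an added example, not code from the guide or the switch. The request ordering it uses, FS and SF above the running WTB timer, MS below it and NR lowest, is the ordering the text above implies and is an assumption of this model, as are the timer length and the message strings.

```python
from typing import List, Optional

# Added example: RPL Owner Node model of the revertive / non-revertive
# recovery steps in the CLI guide. Not switch code. The priority ordering below
# is what the guide's text implies (MS is ignored while WTB runs; a request
# above NR cancels WTB) and is an assumption of this model.

PRIORITY = {"FS": 4, "SF": 3, "WTB": 2, "MS": 1, "NR": 0}


class RplOwner:
    def __init__(self, revertive: bool = True, wtb_seconds: int = 5) -> None:
        self.revertive = revertive
        self.wtb_seconds = wtb_seconds
        self.state = "Protection"       # modelled from the moment the RPL is unblocked
        self.rpl_blocked = False
        self.wtb_remaining: Optional[int] = None
        self.sent: List[str] = []       # R-APS messages transmitted on ring ports
        self.fdb_flushes = 0

    def receive(self, request: str) -> None:
        """Handle an accepted R-APS request or a locally declared one."""
        if self.state != "Protection":
            return
        if request == "NR":
            # step a: NR with no higher-priority request starts WTB (revertive only)
            if self.revertive and self.wtb_remaining is None:
                self.wtb_remaining = self.wtb_seconds
        elif self.wtb_remaining is not None and PRIORITY[request] > PRIORITY["WTB"]:
            # step b: a higher-priority request cancels the WTB period
            self.wtb_remaining = None
        # MS ranks below the running WTB timer and is ignored while it runs

    def tick(self, seconds: int = 1) -> None:
        """Advance the WTB timer; on expiry perform the reversion (step c)."""
        if self.wtb_remaining is None:
            return
        self.wtb_remaining -= seconds
        if self.wtb_remaining <= 0:
            self.wtb_remaining = None
            self._revert()

    def clear(self) -> None:
        """'erps clear': manual clear in non-revertive mode or before WTB expires."""
        if self.state == "Protection":
            self.wtb_remaining = None
            self._revert()

    def _revert(self) -> None:
        self.rpl_blocked = True                     # block the traffic channel over the RPL
        self.sent += ["NR,RB east", "NR,RB west"]   # tell the ring the RPL is blocked
        self.fdb_flushes += 1                       # flush the FDB
        self.state = "Idle"


if __name__ == "__main__":
    owner = RplOwner(wtb_seconds=5)
    owner.receive("NR")
    owner.receive("MS")      # ignored while WTB runs
    owner.tick(5)
    print(owner.state, owner.rpl_blocked, owner.sent, owner.fdb_flushes)
```

The practical difference between the two modes is visible in the model: in non-revertive mode nothing returns the ring to Idle until an operator issues erps clear, so a ring left in Protection after maintenance keeps the RPL carrying traffic and loses its spare link until someone notices.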
Command Mode
ERPS Configuration

Command Usage
◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring. When the major ring receives this kind of message from a secondary ring, it can clear the MAC addresses on its ring ports to help the secondary ring restore its connections more quickly through protection switching.
◆ When the MAC addresses are cleared, data traffic may flood onto the major ring.

raps-without-vc
This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes. Use the no form to restore the default setting.

Syntax
[no] raps-without-vc

Default Setting
R-APS with Virtual Channel

Command Mode
ERPS Configuration

Command Usage
A sub-ring may be attached to a primary ring with or without a virtual channel.

Figure 4: Sub-ring with Virtual Channel

◆ Sub-ring without R-APS Virtual Channel – Under certain circumstances it may not be desirable to use a virtual channel to interconnect the sub-ring over an arbitrary Ethernet network. In this situation, the R-APS messages are terminated on the interconnection points.

ring-port
This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring.

Syntax
ring-port {east | west} interface interface
east - Connects to the next ring node to the east.
west - Connects to the next ring node to the west.
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.

rpl neighbor
This command configures a ring node to be the Ring Protection Link (RPL) neighbor. Use the no form to restore the default setting.

Syntax
rpl neighbor
no rpl

Default Setting
None (that is, neither owner nor neighbor)

Command Mode
ERPS Configuration

Command Usage
◆ The RPL neighbor node, when configured, is a ring node adjacent to the RPL that is responsible for blocking its end of the RPL under normal conditions (i.e.

Command Mode
ERPS Configuration

Command Usage
◆ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the erps forced-switch or erps manual-switch command).
◆ The east and west connections to the ring must be specified for all ring nodes using the ring-port command.

◆ The version number is automatically set to “1” when a ring node supporting only the functionalities of G.8032v1 exists on the same ring with other nodes that support G.8032v2.
◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”.
◆ In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier. The raps-def-mac command has no effect.

clear erps statistics
This command clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health protocol messages.

Syntax
clear erps statistics [domain ring-name]
ring-name - Name of a specific ERPS ring.

Example
Console#erps clear domain r&d
Console#

erps forced-switch
This command blocks the specified ring port.

Syntax
erps forced-switch [domain ring-name] {east | west}
ring-name - Name of a specific ERPS ring. (Range: 1-12 characters)
east - East ring port.
west - West ring port.

Command Mode
Privileged Exec

Command Usage
◆ A ring with no pending request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links.

While an existing forced switch request is present in a ring, any new forced switch request is accepted, except on a ring node having a prior local forced switch request. The ring nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.

node under maintenance in order to avoid falling into the above mentioned unrecoverable situation.

Example
Console#erps forced-switch domain r&d west
Console#

erps manual-switch
This command blocks the specified ring port, in the absence of a failure or an erps forced-switch command.

Syntax
erps manual-switch [domain ring-name] {east | west}
ring-name - Name of a specific ERPS ring. (Range: 1-12 characters)
east - East ring port.
west - West ring port.

e. A ring node accepting an R-APS (MS) message, without any local higher priority requests, stops transmitting R-APS messages.
f. A ring node receiving an R-APS (MS) message flushes its FDB.
◆ Protection switching on a manual switch request is completed when the above actions are performed by each ring node. At this point, traffic flows around the ring are resumed. From this point on, the following rules apply regarding processing of further manual switch commands:
a.

Example
This example displays a summary of all the ERPS rings configured on the switch.
Chapter 20 | ERPS Commands Table 100: show erps - summary display description (Continued) Field Description Port State The operational state: Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all RAPS messages is allowed.
Chapter 20 | ERPS Commands Table 101: show erps domain - detailed display description (Continued) Field Description R-APS with VC The R-APS Virtual Channel is the R-APS channel connection used to tunnel R-APS messages between two interconnection nodes of a subring in another Ethernet ring or network. R-APS Def MAC Indicates if the switch’s MAC address is used to identify the node in RAPS messages. Propagate TC Shows if the ring is configured to propagate topology change notification messages.
Chapter 20 | ERPS Commands Table 102: show erps statistics - detailed display description Field Description Interface The direction, and port or trunk which is configured as a ring port. Local SF A signal fault generated on a link to the local node.
21 VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.

GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.

garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.
Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.

Related Commands
show garp timer (568)

switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.

Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show bridge-ext
This command shows the configuration for bridge extension commands.

Table 105: show bridge-ext - display description (Continued)
Field - Description
Static Entry Individual Port - This switch allows static filtering for unicast and multicast addresses. (Refer to the mac-address-table static command.)
VLAN Version Number - Based on IEEE 802.1Q, "1" indicates Bridges that support only single spanning tree (SST) operation, and "2" indicates Bridges that support multiple spanning tree (MST) operation.

Related Commands
garp timer (565)

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
Shows both global and interface-specific configuration.

Editing VLAN Groups

Command Mode
Global Configuration
Command Usage
◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
◆ Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.

Default Setting
By default only VLAN 1 exists and is active.
Command Mode
VLAN Database Configuration
Command Usage
◆ no vlan vlan-id deletes the VLAN.
◆ no vlan vlan-id name removes the VLAN name.
◆ no vlan vlan-id state returns the VLAN to the default state (i.e., active).
◆ You can configure up to 4094 VLANs on the switch.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.

Configuring VLAN Interfaces

interface vlan
This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Use the no form to change a Layer 3 normal VLAN back to a Layer 2 interface.
Syntax
[no] interface vlan vlan-id
vlan-id - ID of the configured VLAN.

Default Setting
All frame types
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.

◆ If a trunk has switchport mode set to trunk (i.e., 1Q Trunk), then you can only assign an interface to VLAN groups as a tagged member.
◆ Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.

◆ Ingress filtering does not affect VLAN-independent BPDU frames, such as GVRP or STA. However, it does affect VLAN-dependent BPDU frames, such as GMRP.
Example
The following example shows how to set the interface to port 1 and then enable ingress filtering:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#

switchport mode
This command configures the VLAN membership mode for a port.

Related Commands
switchport acceptable-frame-types (572)

switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port.

Command Usage
◆ Use this command to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong. The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.

Displaying VLAN Information
This section describes commands used to display VLAN information.
Table 108: Commands for Displaying VLAN Information
Command - Function - Mode
show interfaces status vlan - Displays status for the specified VLAN interface - NE, PE
show interfaces switchport - Displays the administrative and operational status of an interface - NE, PE
show vlan - Shows VLAN information - NE, PE

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider's network even when they use the same customer-specific VLAN IDs.

8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).
Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
◆ IGMP Snooping should not be enabled on a tunnel access port.

switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.

switchport dot1q-tunnel service match cvid
This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.
Syntax
switchport dot1q-tunnel service svid match cvid cvid
svid - VLAN ID for the outer VLAN tag (Service Provider VID). (Range: 1-4093)
cvid - VLAN ID for the inner VLAN tag (Customer VID).

The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.

Step 2. Configure Switch C.
1. Create VLANs 100, 200 and 300.
Console(config)#vlan database
Console(config-vlan)#vlan 100,200,300 media ethernet state active
2. Configure port 1 and port 2 as tagged members of VLANs 100, 200 and 300.
Console(config)#interface ethernet 1/1,2
Console(config-if)#switchport allowed vlan add 100,200,300 tagged

switchport
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port.

Related Commands
show interfaces switchport (416)

show dot1q-tunnel
This command displays information about QinQ tunnel ports.
Syntax
show dot1q-tunnel [interface interface [service svid] | service [svid]]
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
svid - VLAN ID for the outer VLAN tag (SPVID).

Related Commands
switchport dot1q-tunnel mode (581)

Configuring L2CP Tunneling
This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).

proprietary MAC address (for example, the spanning tree protocol uses 10-12-CF-00-00-02), a reserved address for other specified protocol types (as defined in IEEE 802.1ad – Provider Bridges), or a user-defined address. All intermediate switches carrying this traffic across the service provider's network treat these encapsulated packets in the same way as normal data, forwarding them across to the tunnel's egress port.

Processing Cisco-compatible protocol packets
◆ When a Cisco-compatible L2PT packet is received on an uplink port, and
■ recognized as a CDP/VTP/STP/PVST+ protocol packet (where STP means STP/RSTP/MSTP), it is forwarded to the following ports in the same S-VLAN: (a) all access ports for which L2PT has been disabled, and (b) all uplink ports.
■ recognized as a Generic Bridge PDU Tunneling (GBPT) protocol packet (i.e.

Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#l2protocol-tunnel tunnel-dmac 01-80-C2-00-00-01
Console(config)#

switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.

show
This command shows settings for Layer 2 Protocol Tunneling (L2PT).

Configuring VLAN Translation

Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ If the next switch upstream does not support QinQ tunneling, then use this command to map the customer's VLAN ID to the service provider's VLAN ID for the upstream port. Similarly, if the next switch downstream does not support QinQ tunneling, then use this command to map the service provider's VLAN ID to the customer's VLAN ID for the downstream port.

Console#

show vlan-translation
This command displays the configuration settings for VLAN translation.
Syntax
show vlan-translation [interface interface]
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.

Configuring Protocol-based VLANs

Table 112: Protocol-based VLAN Commands (Continued)
Command - Function - Mode
show protocol-vlan protocol-group - Shows the configuration of protocol groups - PE
show interfaces protocol-vlan protocol-group - Shows the interfaces mapped to a protocol group and the corresponding VLAN - PE
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 570).

Example
The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types:
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp
Console(config)#

protocol-vlan
This command maps a protocol group to a VLAN for the current interface.

■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
Example
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Default Setting
The mapping for all interfaces is displayed.
Command Mode
Privileged Exec
Example
This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
 Port       ProtocolGroup ID   VLAN ID
---------- ------------------ ----------
 Eth 1/1                    1  vlan2
Console#

Configuring IP Subnet VLANs
When using IEEE 802.

subnet-vlan
This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment.
Syntax
subnet-vlan subnet ip-address mask vlan vlan-id [priority priority]
no subnet-vlan subnet {ip-address mask | all}
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.

show subnet-vlan
This command displays IP Subnet VLAN assignments.
Command Mode
Privileged Exec
Command Usage
◆ Use this command to display subnet-to-VLAN mappings.
◆ The last matched entry is used if more than one entry can be matched.
Example
The following example displays all configured IP subnet-based VLANs.
Console#show subnet-vlan
IP Address      Mask
--------------- ---------------
192.168.12.0    255.255.255.128
192.168.12.128  255.255.255.192
192.168.

Configuring MAC Based VLANs

mac-vlan
This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
Syntax
mac-vlan mac-address mac-address [mask mask-address] vlan vlan-id [priority priority]
no mac-vlan mac-address {mac-address [mask mask-address] | all}
mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.

show mac-vlan
This command displays MAC address-to-VLAN assignments.
Command Mode
Privileged Exec
Command Usage
Use this command to display MAC address-to-VLAN mappings.
Example
The following example displays all configured MAC address-based VLANs.

Configuring Voice VLANs

voice vlan
This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
Syntax
voice vlan voice-vlan-id
no voice vlan
voice-vlan-id - Specifies the voice VLAN ID.

voice vlan aging
This command sets the Voice VLAN ID time out. Use the no form to restore the default.
Syntax
voice vlan aging minutes
no voice vlan
minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
Default Setting
1440 minutes
Command Mode
Global Configuration
Command Usage
The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.

description - User-defined text that identifies the VoIP devices. (Range: 1-32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ VoIP devices attached to the switch can be identified by the manufacturer's Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.

Command Usage
◆ When auto is selected, you must select the method to use for detecting VoIP traffic, either OUI or 802.1ab (LLDP), using the switchport voice vlan rule command. When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac-address command.
◆ All ports are set to VLAN hybrid mode by default.

switchport voice vlan rule
This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port.
Syntax
[no] switchport voice vlan rule {oui | lldp}
oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address.
lldp - Uses LLDP to discover VoIP devices attached to the port.

Command Usage
◆ Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch. Packets received from non-VoIP sources are dropped.

 Eth 1/ 9   Disabled   Disabled   OUI   6   NA
 Eth 1/10   Disabled   Disabled   OUI   6   NA
Console#show voice vlan oui
OUI Address        Mask               Description
------------------ ------------------ ------------------------------
00-12-34-56-78-9A  FF-FF-FF-00-00-00  old phones
00-11-22-33-44-55  FF-FF-FF-00-00-00  new phones
00-98-76-54-32-10  FF-FF-FF-FF-FF-FF  Chris' phone
Console#
22 Class of Service Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues.

Priority Commands (Layer 2)

queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.

◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
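The strict-plus-weighted service described above, as an added example that is not the switch's own scheduler code: a Python simulation of one egress port whose queues 0-7 carry the weights given with queue weight, where queues marked strict are drained first and the remaining queues share each round in proportion to their weights. The byte quantum per unit of weight is an assumption; the switch derives its own per-round byte budget.

```python
from collections import deque

# Example scheduler (added here, not the switch's implementation). Queue ids
# 0..7 follow the page: a higher id is a higher priority. `weights` holds the
# values given with `queue weight`; `strict` names the queues that the
# strict-plus-WRR mode serves exhaustively before any weighted queue.


def make_queues(packets_by_queue):
    """Build per-queue FIFOs from {queue_id: [packet sizes in bytes]}."""
    return {q: deque(sizes) for q, sizes in packets_by_queue.items()}


def schedule(queues, weights, quantum=512, strict=frozenset()):
    """Return the transmission order as a list of (queue_id, size) tuples.

    quantum: bytes of service credit per unit of weight per round (assumed).
    Unused credit carries over only while a queue stays backlogged, so a
    packet larger than one round's credit is still sent after a few rounds
    instead of starving (deficit round-robin behaviour).
    """
    for q in queues:
        if q not in strict and weights.get(q, 0) <= 0:
            raise ValueError(f"weighted queue {q} needs a positive weight")
    order = []
    credit = {q: 0 for q in queues}
    while any(queues.values()):
        # Strict queues: highest id first, drained completely each round.
        for q in sorted(strict, reverse=True):
            while queues.get(q):
                order.append((q, queues[q].popleft()))
        # One WRR round over the remaining queues, highest id first.
        for q in sorted(queues, reverse=True):
            if q in strict:
                continue
            if not queues[q]:
                credit[q] = 0          # idle queues accumulate no credit
                continue
            credit[q] += weights[q] * quantum
            while queues[q] and queues[q][0] <= credit[q]:
                size = queues[q].popleft()
                credit[q] -= size
                order.append((q, size))
    return order


def service_share(order):
    """Bytes sent per queue, to compare against the configured weights."""
    share = {}
    for q, size in order:
        share[q] = share.get(q, 0) + size
    return share


if __name__ == "__main__":
    # Constructed sample: queue 7 strict, queues 0 and 2 weighted 1 and 2.
    qs = make_queues({7: [1500, 1500], 2: [1500], 0: [1500]})
    out = schedule(qs, {0: 1, 2: 2, 7: 8}, quantum=512, strict={7})
    print(out, service_share(out))
```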
Example
The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#
Related Commands
queue mode (610)
show queue weight (613)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.

Example
The following example shows how to set a default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
Related Commands
show interfaces switchport (416)

show queue mode
This command shows the current queue mode.

Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.

Default Setting
Table 119: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
CoS  CFI 0  CFI 1
0    (0,0)  (0,0)
1    (1,0)  (1,0)
2    (2,0)  (2,0)
3    (3,0)  (3,0)
4    (4,0)  (4,0)
5    (5,0)  (5,0)
6    (6,0)  (6,0)
7    (7,0)  (7,0)
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
◆ The default mapping of CoS to PHB values shown in Table 119 is based on the recommended settings in IEEE 802.

qos map dscp-mutation
This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Syntax
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ... dscp7
phb - Per-hop behavior, or the priority used for this router hop.

◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain. The mutation map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
◆ The specified mapping applies to all interfaces.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#qos map phb-queue 0 from 1 2 3
Console(config-if)#

qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Syntax
qos map trust-mode {dscp | cos}
no qos map trust-mode
dscp - Sets the QoS mapping mode to DSCP.
cos - Sets the QoS mapping mode to CoS.

show qos map cos-dscp
This command shows the ingress CoS/CFI to internal DSCP map.
Syntax
show qos map cos-dscp interface interface
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show qos map cos-dscp interface ethernet 1/5
CoS Information of Eth 1/5
CoS-DSCP map.

Example
The ingress DSCP is composed of "d1" (the most significant digit, in the left column) and "d2" (the least significant digit, in the top row); in other words, ingress DSCP = d1 * 10 + d2. The corresponding internal DSCP and drop precedence are shown in the intersecting cell of the table.
Console#show qos map dscp-mutation interface ethernet 1/5
Information of Eth 1/5
DSCP mutation map.

show qos map trust-mode
This command shows the QoS mapping mode.
Syntax
show qos map trust-mode interface interface
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
23 Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.

To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, IPv6 DSCP value, a VLAN, a CoS value, or a source port.
3.

Command Usage
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 628). The policy map is then bound by a service policy to an interface (page 639). A service policy defines packet classification, service tagging, and bandwidth policing.

match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax
[no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | source-port interface | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 1-16 characters)
cos - A Class of Service value.

Example
This example creates a class map called "rd-class#1," and sets it to match packets marked for DSCP service value 3.
Console(config)#class-map rd-class#1 match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
This example creates a class map called "rd-class#2," and sets it to match packets marked for IP Precedence service value 5.

policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map.
Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.

Command Mode
Policy Map Configuration
Command Usage
◆ Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. Finally, use the set command and one of the police commands to specify the match criteria, where the:
■ set phb command sets the per-hop behavior value in matching packets. (This modifies packet priority for internal processing only.

police flow
This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer.
Syntax
[no] police flow committed-rate committed-burst conform-action transmit violate-action {drop | new-dscp}
committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 0-10000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower)
committed-burst - Committed burst size (BC) in bytes.
■ Tc is not incremented.
When a packet of size B bytes arrives at time t, the following happens:
■ If Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0,
■ else the packet is red and Tc is not decremented.

violate-action - Action to take when the rate exceeds the BE. (There are not enough tokens in bucket BE to service the packet; the packet is set to red.)
transmit - Transmits without taking any action.
drop - Drops the packet as required by exceed-action or violate-action.
new-dscp - Differentiated Services Code Point (DSCP) value. (Range: 0-63)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
You can configure up to 16 policers (i.e.

When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-blind mode:
■ If Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0,
■ else if Te(t) - B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0,
■ else the packet is red and neither Tc nor Te is decremented.
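The two-color meter behind police flow and the color-blind srTCM described above, as an added example rather than the switch's own code: a Python model using the page's symbols Tc, Te and B with the CIR, BC and BE parameters, plus the mapping from color to the conform/exceed/violate actions. The continuous token refill and the bytes-per-second rate unit are assumptions (the CLI takes committed-rate in kbps).

```python
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SingleRateMeter:
    """Token-bucket meter with the symbols used on this page (example code).

    cir: committed information rate in bytes per second (assumed unit; the
         CLI takes kbps and the conversion is left to the caller).
    bc:  committed burst size in bytes, the maximum of bucket Tc.
    be:  excess burst size in bytes, the maximum of bucket Te. With be=0
         the meter is the two-color police flow case (green or red only);
         with be>0 it is the color-blind srTCM of RFC 2697.
    """
    cir: float
    bc: int
    be: int = 0
    tc: float = field(init=False, default=0.0)
    te: float = field(init=False, default=0.0)
    last_t: float = 0.0

    def __post_init__(self):
        # Both buckets start full (RFC 2697: Tc(0) = CBS, Te(0) = EBS).
        self.tc = float(self.bc)
        self.te = float(self.be)

    def _refill(self, t):
        # Tokens accrue at CIR; Tc fills first, the overflow spills into Te,
        # and tokens beyond BE are discarded. Continuous refill approximates
        # the one-token-every-1/CIR-seconds rule of the RFC.
        tokens = (t - self.last_t) * self.cir
        self.last_t = t
        room = self.bc - self.tc
        if tokens <= room:
            self.tc += tokens
        else:
            self.tc = float(self.bc)
            self.te = min(float(self.be), self.te + (tokens - room))

    def meter(self, size, t):
        """Color a packet of `size` bytes arriving at time t (color-blind)."""
        if t < self.last_t:
            raise ValueError("packets must arrive in time order")
        self._refill(t)
        if self.tc - size >= 0:          # Tc(t) - B >= 0: green
            self.tc -= size
            return GREEN
        if self.te - size >= 0:          # Te(t) - B >= 0: yellow
            self.te -= size
            return YELLOW
        return RED                       # neither bucket is decremented


def policer_action(color, exceed_action="drop", violate_action="drop"):
    """Map the meter color onto the CLI's conform/exceed/violate actions.

    exceed_action and violate_action are either "drop" or an integer DSCP
    value to remark with, mirroring the page's {drop | new-dscp} choice.
    """
    if color == GREEN:
        return "transmit"
    action = exceed_action if color == YELLOW else violate_action
    return "drop" if action == "drop" else f"set-dscp {int(action)}"


def meter_trace(meter, arrivals):
    """Run a list of constructed (time, size) arrivals through the meter."""
    return [meter.meter(size, t) for t, size in arrivals]


if __name__ == "__main__":
    # Constructed sample: CIR 1000 B/s, BC 4000 B, BE 2000 B. A burst at t=0
    # drains both buckets, then a partial refill at t=1 and a full one at t=10.
    m = SingleRateMeter(cir=1000, bc=4000, be=2000)
    trace = meter_trace(m, [(0, 3000), (0, 1500), (0, 1000), (0, 600),
                            (1.0, 800), (10.0, 4000), (10.0, 2000), (10.0, 1)])
    for color in trace:
        print(color, policer_action(color, exceed_action=10))
```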
Chapter 23 | Quality of Service Commands police trtcm-color This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer. Syntax [no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action transmit exceed-action {drop | new-dscp} violate action {drop | new-dscp} trtcm-color-blind - Two rate three color meter in color-blind mode.
Chapter 23 | Quality of Service Commands ◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates – Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes - Committed Burst Size (BC) and Peak Burst Size (BP). ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR.
Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark any packets exceeding the committed
Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
set phb This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting. Syntax [no] set phb phb-value phb-value - Per-hop behavior value.
service-policy This command applies a policy map defined by the policy-map command to the ingress or egress side of a particular interface. Use the no form to remove this mapping. Syntax [no] service-policy {input | output} policy-map-name input - Apply to the input traffic. output - Apply to the output traffic. policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters) Default Setting No policy map is attached to an interface.
Example Console#show class-map Class Map match-any rd-class#1 Description: Match ip dscp 10 Match access-list rd-access Match ip dscp 0 Class Map match-any rd-class#2 Match ip precedence 5 Class Map match-any rd-class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
24 Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Table 124: IGMP Snooping Commands (Continued) Command Function Mode ip igmp snooping router-alert-option-check Discards any IGMPv2/v3 packets that do not include the Router Alert option GC ip igmp snooping router-port-expire-time Configures the querier timeout GC ip igmp snooping tcn-flood Floods multicast traffic when a Spanning Tree topology change occurs GC ip igmp snooping tcn-query-solicit Sends an IGMP Query Solicitation when a Spanni
Table 124: IGMP Snooping Commands (Continued) Command Function Mode show ip igmp snooping Shows the IGMP snooping, proxy, and query configuration PE show ip igmp snooping group Shows known multicast group, source, and host port mapping PE show ip igmp snooping mrouter Shows multicast router ports PE show ip igmp snooping statistics Shows IGMP snooping protocol statistics for the specified interface PE ip igmp snooping This command enable
priority - The CoS priority assigned to all multicast traffic. (Range: 0-7, where 7 is the highest priority) Default Setting 2 Command Mode Global Configuration Command Usage This command can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device. ◆ If the IGMP proxy reporting is configured on a VLAN, this setting takes precedence over the global configuration. Example Console(config)#ip igmp snooping proxy-reporting Console(config)# ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it.
Command Usage As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DoS attacks. One common method of attack is launched by an intruder who takes over the role of querier, and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with a large source list and the Maximum Response Time set to a large value.
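The check that ip igmp snooping router-alert-option-check enables, modelled as an added Python example (not Edgecore code): parse the IPv4 option list of an IGMP packet, accept IGMPv1 messages unconditionally, and accept IGMPv2/v3 messages only when the Router Alert option (RFC 2113, type 0x94) is present. The version classification in igmp_version() and the packet builder are assumptions; the switch's exact rule is not documented on this page, and the packets are constructed in the block.

```python
"""Emulation of 'ip igmp snooping router-alert-option-check' on raw IPv4/IGMP
packets. Added example, not Edgecore code; the version classification and the
packet builder are assumptions for illustration."""
import struct

IPPROTO_IGMP = 2
IPOPT_ROUTER_ALERT = 0x94          # copied=1, class=0, number=20 (RFC 2113)
IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V1_REPORT = 0x12


def ipv4_options(packet):
    """Return the IPv4 option bytes of a raw IPv4 packet (empty when IHL == 5)."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[20:ihl]


def has_router_alert(options):
    """Walk the IPv4 option list and report whether Router Alert is present.
    Malformed or truncated options count as 'absent' rather than looping."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # End of Option List
            return False
        if kind == 1:                  # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(options):
            return False               # option header cut off
        length = options[i + 1]
        if length < 2:
            return False               # a zero length would never advance
        if kind == IPOPT_ROUTER_ALERT and length == 4:
            return True
        i += length
    return False


def igmp_version(igmp):
    """Classify the IGMP message version from its header (assumption: the
    switch's own classification rule is not documented on this page)."""
    if len(igmp) < 8:
        return None
    msg_type, max_resp = igmp[0], igmp[1]
    if msg_type == IGMP_V1_REPORT:
        return 1
    if msg_type == IGMP_MEMBERSHIP_QUERY:
        if len(igmp) >= 12:
            return 3                   # v3 queries carry the extra source fields
        return 1 if max_resp == 0 else 2   # RFC 2236: v1 queries carry 0 here
    if msg_type in (0x16, 0x17):       # v2 report, v2 leave
        return 2
    if msg_type == 0x22:               # v3 report
        return 3
    return None


def accept_igmp(packet, router_alert_check=True):
    """Return True if the packet passes the Router Alert check: IGMPv2/v3
    packets must carry the option, IGMPv1 packets are exempt."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_IGMP:
        return False
    ihl = (packet[0] & 0x0F) * 4
    version = igmp_version(packet[ihl:])
    if version is None:
        return False
    if not router_alert_check or version == 1:
        return True
    return has_router_alert(ipv4_options(packet))


def build_igmp_packet(igmp_payload, router_alert):
    """Construct a minimal IPv4/IGMP packet (TTL 1, checksum left zero)."""
    options = b"\x94\x04\x00\x00" if router_alert else b""
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(igmp_payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0xC0, total, 0, 0, 1,
                         IPPROTO_IGMP, 0, bytes([192, 0, 2, 10]),
                         bytes([224, 0, 0, 22]))
    return header + options + igmp_payload


def v3_report(group=b"\xef\x01\x01\x01"):
    """Constructed IGMPv3 membership report with one MODE_IS_EXCLUDE record."""
    record = struct.pack("!BBH4s", 2, 0, 0, group)
    return struct.pack("!BBHHH", 0x22, 0, 0, 0, 1) + record


def v1_report(group=b"\xef\x01\x01\x01"):
    """Constructed IGMPv1 membership report (8 bytes, no option required)."""
    return struct.pack("!BBH4s", IGMP_V1_REPORT, 0, 0, group)


if __name__ == "__main__":
    print(accept_igmp(build_igmp_packet(v3_report(), router_alert=True)))   # True
    print(accept_igmp(build_igmp_packet(v3_report(), router_alert=False)))  # False
```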
Default Setting Disabled Command Mode Global Configuration Command Usage ◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date. For example, a host linked to one port before the topology change (TC) may be moved to another port after the change.
ip igmp snooping tcn-query-solicit This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
Command Usage Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
Default Setting Global: Disabled VLAN: Disabled Command Mode Global Configuration Command Usage ◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting. ◆ When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command).
ip igmp snooping vlan immediate-leave This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
ip igmp snooping vlan last-memb-query-count This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
Command Usage ◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer. If no reports are received before the timer expires, the group record is deleted, and a report is sent to the upstream multicast router.
message. When the multicast services provided to a VLAN are relatively stable, the use of solicitation messages is not required and may be disabled using the no ip igmp snooping vlan mrd command. ◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
Rules Used for Proxy Reporting When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
◆ This command applies when the switch is serving as the querier (page 647), or as a proxy host when IGMP snooping proxy reporting is enabled (page 646). Example Console(config)#ip igmp snooping vlan 1 query-interval 150 Console(config)# ip igmp snooping vlan query-resp-intvl This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the static port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface vlan-id - VLAN ID (Range: 1-4093) ip-address - IP address for multicast group interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Example Console#clear ip igmp snooping groups dynamic Console# clear ip igmp snooping statistics This command clears IGMP snooping statistics. Syntax clear ip igmp snooping statistics [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
. . . Router Port Mode TCN Flood TCN Query Solicit Unregistered Data Flood 802.
Default Setting None Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1. Console#show ip igmp snooping group vlan 1 Bridge Multicast Forwarding Entry Count:1 Flag: R - Router port, M - Group member port H - Host counts (number of hosts join the group on this port).
Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Port Type Expire ---- ------------------ ------- -------1 Eth 1/4 Dynamic 0:4:28 1 Eth 1/10 Static Console# show ip igmp snooping statistics This command shows IGMP snooping protocol statistics for the specified interface.
Table 125: show ip igmp snooping statistics input - display description Field Description G Query The number of general query messages received on this interface. G(-S)-S Query The number of group specific or group-and-source specific query messages received on this interface. Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.
Chapter 24 | Multicast Filtering Commands Static Multicast Routing Table 127: show ip igmp snooping statistics vlan query - display description Field Description Querier IP Address The IP address of the querier on this interface. Querier Expire Time The time after which this querier is assumed to have expired. General Query Received The number of general queries received on this interface. General Query Sent The number of general queries sent from this interface.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Global Configuration Command Usage ◆ Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
Table 129: IGMP Filtering and Throttling Commands (Continued) Command Function Mode show ip igmp authentication Displays IGMP authentication settings for interfaces PE show ip igmp filter Displays the IGMP filtering status PE show ip igmp profile Displays IGMP profiles and settings PE show ip igmp query-drop Shows if the interface is configured to drop IGMP query packets PE show ip igmp throttle interface Displays the I
ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax [no] ip igmp profile profile-number profile-number - An IGMP filter profile number. (Range: 1-4294967295) Default Setting Disabled Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join.
Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)# range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax [no] range low-ip-address [high-ip-address] low-ip-address - A valid IP address of a multicast group or start of a group range.
Command Usage ◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication. ◆ Only when the RADIUS server responds with an authentication success message will the switch learn the group report.
Table 130: IGMP Authentication RADIUS Attribute Value Pairs Attribute Name AVP Type Entry NAS_PORT 5 User Port Number FRAMED_IP_ADDRESS 8 Multicast Group ID Example This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
Command Mode Interface Configuration (Ethernet) Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
Command Mode Interface Configuration (Ethernet) Command Usage This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command). Example Console(config)#interface ethernet 1/1 Console(config-if)#ip multicast-data-drop Console(config-if)# show ip igmp authentication This command displays the interface settings for IGMP authentication.
show ip igmp filter This command displays the global and interface settings for IGMP filtering. Syntax show ip igmp filter [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Console#show ip igmp profile 19 IGMP Profile 19 Deny Range 239.1.1.1 239.1.1.1 Range 239.2.3.1 239.2.3.100 Console# show ip igmp query-drop This command shows if the specified interface is configured to drop IGMP query packets. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces.
Chapter 24 | Multicast Filtering Commands MLD Snooping Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.
Table 131: MLD Snooping Commands (Continued) Command Function Mode show ipv6 mld snooping group source-list Displays the learned groups and corresponding source list PE show ipv6 mld snooping mrouter Displays the information of multicast router ports PE ipv6 mld snooping This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping.
◆ The querier will not start, or will disable itself after having started, if it detects an IPv6 multicast router on the network. Example Console(config)#ipv6 mld snooping querier Console(config)# ipv6 mld snooping query-interval This command configures the interval between sending MLD general queries. Use the no form to restore the default.
Default Setting 10 seconds Command Mode Global Configuration Command Usage This command controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member. Example Console(config)#ipv6 mld snooping query-max-response-time seconds 15 Console(config)# ipv6 mld snooping robustness This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
ipv6 mld snooping router-port-expire-time This command configures the MLD query timeout. Use the no form to restore the default. Syntax ipv6 mld snooping router-port-expire-time time no ipv6 mld snooping router-port-expire-time time - Specifies the timeout of a dynamically learned router port.
◆ When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router. Example Console(config)#ipv6 mld snooping unknown-multicast mode flood Console(config)# ipv6 mld snooping version This command configures the MLD snooping version. Use the no form to restore the default. Syntax ipv6 mld snooping version {1 | 2} 1 - MLD version 1.
Command Usage ◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period. ◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface.
Example The following shows how to configure port 1 as a multicast router port within VLAN 1: Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1 Console(config)# ipv6 mld snooping vlan static This command adds a port to an IPv6 multicast group. Use the no form to remove the port. Syntax [no] ipv6 mld snooping vlan vlan-id static ipv6-address interface vlan-id - VLAN ID (Range: 1-4093) ipv6-address - An IPv6 address of a multicast group.
Command Usage This command only clears entries learned through MLD snooping. Statically configured multicast addresses are not cleared. Example Console#clear ipv6 mld snooping groups dynamic Console# clear ipv6 mld snooping statistics This command clears MLD snooping statistics. Syntax clear ipv6 mld snooping statistics [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Query Max Response Time : 10 sec Router Port Expiry Time : 300 sec Immediate Leave : Disabled on all VLAN Unknown Flood Behavior : To Router Port MLD Snooping Version : Version 2 Console# show ipv6 mld snooping group This command shows known multicast groups, member ports, and the means by which each group was learned.
Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Filter Mode (if exclude filter mode) Filter Timer elapse Request List Exclude List (if include filter mode) Include List : Include : 10 sec.
Table 132: MLD Filtering and Throttling Commands (Continued) Command Function Mode range Specifies one or a range of multicast addresses for a profile IPC ipv6 mld filter Assigns an MLD filter profile to an interface IC ipv6 mld max-groups Specifies an MLD throttling number for an interface IC ipv6 mld max-groups action Sets the MLD throttling action for an interface IC ipv6 mld query-drop Drops any received MLD query pac
Example Console(config)#ipv6 mld filter Console(config)# Related Commands show ipv6 mld filter ipv6 mld profile This command creates an MLD filter profile number and enters MLD profile configuration mode. Use the no form to delete a profile number. Syntax [no] ipv6 mld profile profile-number profile-number - An MLD filter profile number.
Command Mode MLD Profile Configuration Command Usage ◆ Each profile has only one access mode: either permit or deny. ◆ When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, MLD join reports are only processed when a multicast group is not in the controlled range.
ipv6 mld filter (Interface Configuration) This command assigns an MLD filtering profile to an interface on the switch. Use the no form to remove a profile from an interface. Syntax [no] ipv6 mld filter profile-number profile-number - An MLD filter profile number.
Command Usage ◆ MLD throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new MLD join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
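The profile permit/deny rule (ip igmp profile, ipv6 mld profile and their range command) and the max-groups deny/replace throttling described above, worked through as one added Python model that is not Edgecore code. It handles IGMP (IPv4) and MLD (IPv6) groups through the same classes; the Profile and Port classes, their method names and the sample profiles (taken from the show ip igmp profile 19 and show ipv6 mld profile output on this page) are assumptions for illustration.

```python
"""Join-report admission behind the IGMP/MLD filter profile and max-groups
commands. Added example, not Edgecore code; the profile and throttle semantics
follow the Command Usage text, the data structures are assumptions."""
import ipaddress
import random


class Profile:
    """One filter profile: a single access mode (permit or deny) plus address ranges."""

    def __init__(self, number, mode):
        if mode not in ("permit", "deny"):
            raise ValueError("profile mode must be permit or deny")
        self.number, self.mode, self.ranges = number, mode, []

    def range(self, low, high=None):
        """Add a group address or an inclusive range (the CLI 'range' command)."""
        low = ipaddress.ip_address(low)
        high = ipaddress.ip_address(high) if high is not None else low
        self.ranges.append((low, high))
        return self

    def allows(self, group):
        """permit: process reports only for groups inside a range;
        deny: process reports only for groups outside every range."""
        group = ipaddress.ip_address(group)
        inside = any(lo.version == group.version and lo <= group <= hi
                     for lo, hi in self.ranges)
        return inside if self.mode == "permit" else not inside


class Port:
    """Per-interface state for 'filter', 'max-groups' and 'max-groups action'."""

    def __init__(self, name, profile=None, max_groups=None, action="deny", rng=None):
        self.name, self.profile = name, profile
        self.max_groups, self.action = max_groups, action
        self.groups = []                 # joined groups, in join order
        self.rng = rng if rng is not None else random.Random()

    def members(self):
        return [str(g) for g in self.groups]

    def join(self, group):
        """Process a join report for `group`; return (decision, evicted_group)."""
        group = ipaddress.ip_address(group)
        if self.profile is not None and not self.profile.allows(group):
            return ("filtered", None)            # dropped by the profile
        if group in self.groups:
            return ("joined", None)              # refresh of an existing membership
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return ("throttled", None)       # the new join report is dropped
            evicted = self.rng.choice(self.groups)   # replace: random existing group
            self.groups.remove(evicted)
            self.groups.append(group)
            return ("replaced", str(evicted))
        self.groups.append(group)
        return ("joined", None)


if __name__ == "__main__":
    # Constructed walk-through: profile 19 from this page, two groups allowed.
    p19 = Profile(19, "deny").range("239.1.1.1").range("239.2.3.1", "239.2.3.100")
    port = Port("eth1/1", profile=p19, max_groups=2, action="deny")
    for g in ("239.2.3.50", "239.5.0.1", "239.5.0.2", "239.5.0.3"):
        print(g, port.join(g))
```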
ipv6 mld query-drop This command drops any received MLD query packets. Use the no form to restore the default setting. Syntax [no] ipv6 mld query-drop Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage This command can be used to drop any query packets received on the specified interface.
show ipv6 mld filter This command displays the global and interface settings for MLD filtering. Syntax show ipv6 mld filter [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Console#show ipv6 mld profile 5 MLD Profile 19 Deny Range ff01::101 ff01::faa Console# show ipv6 mld query-drop This command shows if the specified interface is configured to drop MLD query packets. Syntax show ipv6 mld throttle interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces. Example Console#show ipv6 mld throttle interface ethernet 1/3 Eth 1/3 Information Status : TRUE Action : Replace Max Multicast Groups : 10 Current Multicast Groups : 0 Console# MVR for IPv4 This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR).
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Table 133: Multicast VLAN Registration for IPv4 Commands (Continued) Command Function Mode mvr robustness-value Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries GC mvr source-port-mode dynamic Configures the switch to only forward multicast streams which the source port has dynamically joined GC mvr upstream-source-ip Configures the source IP address assigned to all control pac
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Command Usage Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command. Example The following example enables MVR globally. Console(config)#mvr Console(config)# mvr associated-profile This command binds the MVR group addresses specified in a profile to an MVR domain.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Default Setting Disabled Command Mode Global Configuration Command Usage Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr profile This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile. Syntax mvr profile profile-name start-ip-address end-ip-address profile-name - The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters) start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr This command configures the interval at which the receiver port sends out general proxy-query-interval queries. Use the no form to restore the default setting. Syntax mvr proxy-query-interval interval no mvr proxy-query-interval interval - The interval at which the receiver port sends out general queries.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 ◆ Receiver ports are known as downstream or router interfaces. These interfaces perform the standard MVR router functions by maintaining a database of all MVR subscriptions on the downstream interface. Receiver ports must therefore be configured on all downstream interfaces which require MVR proxy service. ◆ When the source port receives report and leave messages, it only forwards them to other source ports.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Command Mode Global Configuration Command Usage ◆ This command is used to set the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports. ◆ This command only takes effect when MVR proxy switching is enabled.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Example Console(config)#mvr source-port-mode dynamic Console(config)# mvr This command configures the source IP address assigned to all MVR control packets upstream-source-ip sent upstream on all domains or on a specified domain. Use the no form to restore the default setting. Syntax mvr [domain domain-id] upstream-source-ip source-ip-address no mvr [domain domain-id] upstream-source-ip domain-id - An independent multicast domain.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Command Usage ◆ This command specifies the VLAN through which MVR multicast data is received. This is the VLAN to which all source ports must be assigned. ◆ The VLAN specified by this command must be an existing VLAN configured with the vlan command.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 would without this option having been used). Instead of immediately deleting that group, it will look up the record, and only delete the group if there are no other subscribers for it on the member port. Only when all hosts on that port leave the group will the member port be deleted.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 ◆ One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for multicast groups which it has joined through the MVR protocol or which have been assigned through the mvr vlan group command. ◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 ◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. ◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 port-channel channel-id (Range: 1-16) vlan vlan-id - VLAN identifier (Range: 1-4093) Command Mode Privileged Exec Example Console#clear ip igmp snooping statistics Console# show mvr This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address. Syntax show mvr [domain domain-id] domain-id - An independent multicast domain.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Table 134: show mvr - display description Field Description MVR 802.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 show mvr interface This command shows MVR configuration settings for interfaces attached to the MVR VLAN. Syntax show mvr [domain domain-id] interface domain-id - An independent multicast domain. (Range: 1-5) Default Setting Displays configuration settings for all attached interfaces.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 show mvr members This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Group Address VLAN Port Up time Expire Count --------------- ---- ----------- ----------- ------ -------234.5.6.7 1 00:00:09:17 2(P) 1 Eth 1/ 1(S) 2 Eth 1/ 2(R) Console# The following example shows detailed information about a specific multicast address: Console#show mvr domain 1 members 234.5.6.7 MVR Domain : 1 MVR Forwarding Entry Count :1 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts joined to group on this port).
show mvr profile This command shows all configured MVR profiles. Command Mode Privileged Exec Example The following shows all configured MVR profiles:
Console#show mvr profile
MVR Profile Name      Start IP Addr.   End IP Addr.
--------------------  ---------------  ---------------
rd                    228.1.23.1       228.1.23.10
testing               228.2.23.1       228.2.23.10
Console#
show mvr statistics This command shows MVR protocol-related statistics for the specified interface.
Example The following shows MVR protocol-related statistics received:
Console#show mvr domain 1 statistics input
MVR Domain : 1 , MVR VLAN: 2
Input Statistics:
Interface  Report  Leave  G Query  G(-S)-S Query  Drop  Join Succ  Group
---------  ------  -----  -------  -------------  ----  ---------  -----
Eth 1/ 1   23      11     4        10             5     20         9
Eth 1/ 2   12      15     8        3              5     19         4
DVLAN 1    2       0      0        2              2     20         9
MVLAN 1    2       0      0        2              2     20         9
Console#
Table 137: show mvr statistics input - display
Table 138: show mvr statistics output - display description (Continued) Field Description G Query The number of general query messages sent from this interface. G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface.
The following shows MVR summary statistics for an interface:
Console#show mvr domain 1 statistics summary interface ethernet 1/1
Domain 1:
  Number of Groups: 0
  Querier:                         Report & Leave:
    Transmit :                       Transmit :
      General        : 0               Report : 7
      Group Specific : 0               Leave  : 4
    Received :                       Received :
      General        : 0               Report : 0
      Group Specific : 0               Leave  : 0
    V1 Warning Count: 0              Join Success    : 0
    V2 Warning Count: 0              Filter Drop     : 0
    V3 Warning Count: 0              Source Port Drop: 0
                                     Others D
The following shows MVR summary statistics for the MVR VLAN:
Console#show mvr domain 1 statistics summary interface mvr-vlan
Domain 1:
  Number of Groups: 0
  Querier:                         Report & Leave:
    Other Querier : None
    Host IP Addr  : 192.168.0.
Chapter 24 | Multicast Filtering Commands MVR for IPv6
Table 141: show mvr statistics summary interface mvr vlan - description
Field            Description
Transmit         (field header)
  Report         Number of reports sent out from source port.
  Leave          Number of leaves sent out from source port.
Received         (field header)
  Report         Number of reports received.
  Leave          Number of leaves received.
Join Success     Number of join reports processed successfully.
Filter Drop      Number of report/leave messages dropped by IGMP filter.
Table 142: Multicast VLAN Registration for IPv6 Commands (Continued)
Command                  Function                                                                       Mode
mvr6 upstream-source-ip  Configures the source IP address assigned to all control packets sent upstream  GC
mvr6 vlan                Specifies the VLAN through which MVR multicast data is received                GC
mvr6 immediate-leave     Enables immediate leave capability                                              IC
mvr6 type                Configures an interface as an MVR receiver or source port                      IC
mvr6 vlan group          Statically binds a m
Example The following example associates an MVR6 group address profile with domain 1: Console(config)#mvr6 domain 1 associated-profile rd Console(config)# mvr6 domain This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain. Syntax [no] mvr6 domain domain-id domain-id - An independent multicast domain.
Command Mode Global Configuration Command Usage This command can be used to set a high priority for low-latency multicast traffic such as a video conference, or to set a low priority for normal multicast traffic not sensitive to latency. Example Console(config)#mvr6 priority 6 Console(config)# RELATED COMMANDS show mvr6 (733) mvr6 profile This command maps a range of MVR group addresses to a profile.
◆ The MVR6 group address range assigned to a profile cannot overlap with the group address range of any other profile. Example The following example maps a range of MVR6 group addresses to a profile: Console(config)#mvr6 profile rd ff01:0:0:0:0:0:0:fe ff01:0:0:0:0:0:0:ff Console(config)# mvr6 proxy-query-interval This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting.
Default Setting Enabled Command Mode Global Configuration Command Usage ◆ When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface, and the MVR receiver port serves as the querier. The source port performs only the host portion of MVR by sending summarized membership reports, and automatically disables MVR router functions. ◆ Receiver ports are known as downstream or router interfaces.
mvr6 robustness-value This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting. Syntax mvr6 robustness-value value no mvr6 robustness-value value - The robustness used for all interfaces.
source ports on the switch and to all receiver ports that have elected to receive data on that multicast address. ◆ When the mvr6 source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined. In other words, both the receiver port and source port must subscribe to a multicast group before a multicast stream is forwarded to any attached client.
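The profile, port-role and source-port-mode rules stated above (and the immediate-leave behaviour described under mvr6 immediate-leave) are easier to reason about as a small model. The following is an added example written for this guide, not Edge-core code; the class and method names are hypothetical, the default forwarding behaviour is represented as dynamic_source_mode=False, and the port names and group addresses are constructed for illustration.

```python
"""Model of the MVR6 profile, port-role and forwarding rules described in the text.

Added example, not Edge-core code: class and method names are hypothetical.
Rules modelled: profile ranges may not overlap; only MVR receiver/source ports
join MVR groups (other ports are left to MLD snooping); reports for groups
outside every profile are filter-dropped; in dynamic source-port mode a stream
is forwarded only after the source port has joined the group too; immediate
leave removes a receiver port without a group-specific query.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Mvr6Profile:
    name: str
    start: ipaddress.IPv6Address
    end: ipaddress.IPv6Address

    def contains(self, group: ipaddress.IPv6Address) -> bool:
        return self.start <= group <= self.end

    def overlaps(self, other: "Mvr6Profile") -> bool:
        # Two closed ranges overlap unless one ends before the other starts.
        return self.start <= other.end and other.start <= self.end


class Mvr6Domain:
    def __init__(self, domain_id: int, dynamic_source_mode: bool = False):
        self.domain_id = domain_id
        # True models "mvr6 source-port-mode dynamic"; False models the default in
        # which streams go to source ports and to any receiver port that elected
        # to receive them (assumption: the default keyword is not named here).
        self.dynamic_source_mode = dynamic_source_mode
        self.profiles: dict[str, Mvr6Profile] = {}
        self.port_type: dict[str, str] = {}            # port -> "source" | "receiver"
        self.receiver_joins: dict[ipaddress.IPv6Address, set[str]] = {}
        self.source_joins: dict[ipaddress.IPv6Address, set[str]] = {}

    def add_profile(self, name: str, start: str, end: str) -> Mvr6Profile:
        new = Mvr6Profile(name, ipaddress.IPv6Address(start), ipaddress.IPv6Address(end))
        if new.start > new.end:
            raise ValueError("profile start address is above its end address")
        for existing in self.profiles.values():
            if existing.overlaps(new):
                raise ValueError(f"profile {name} overlaps profile {existing.name}")
        self.profiles[name] = new
        return new

    def set_port_type(self, port: str, kind: str) -> None:
        if kind not in ("source", "receiver"):
            raise ValueError("port type must be 'source' or 'receiver'")
        self.port_type[port] = kind

    def in_profile(self, group: ipaddress.IPv6Address) -> bool:
        return any(p.contains(group) for p in self.profiles.values())

    def report(self, port: str, group: str) -> str:
        """Process an MLD report (join) received on a port; returns the outcome."""
        addr = ipaddress.IPv6Address(group)
        kind = self.port_type.get(port)
        if kind is None:
            return "not-mvr-port"          # handled by ordinary MLD snooping instead
        if not self.in_profile(addr):
            return "filter-drop"           # counted as Filter Drop in the statistics
        table = self.receiver_joins if kind == "receiver" else self.source_joins
        table.setdefault(addr, set()).add(port)
        return "joined"

    def leave(self, port: str, group: str, immediate_leave: bool) -> str:
        """Process an MLD leave. Without immediate leave the port stays in the group
        until a group-specific query goes unanswered; that timer is not simulated."""
        addr = ipaddress.IPv6Address(group)
        if self.port_type.get(port) != "receiver":
            return "ignored"               # immediate leave applies to receiver ports only
        if not immediate_leave:
            return "group-specific-query-sent"
        self.receiver_joins.get(addr, set()).discard(port)
        return "removed"

    def forwarding_ports(self, group: str) -> set[str]:
        """Receiver ports to which a stream for `group` would currently be forwarded."""
        addr = ipaddress.IPv6Address(group)
        receivers = self.receiver_joins.get(addr, set())
        if self.dynamic_source_mode and not self.source_joins.get(addr):
            return set()                   # source port has not joined: nothing flows yet
        return set(receivers)
```

The overlap check is the same test a switch must apply when a second mvr6 profile is entered; the forwarding_ports() difference between the two modes is the operational effect of mvr6 source-port-mode dynamic.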
mvr6 vlan This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN. Syntax mvr6 domain domain-id vlan vlan-id no mvr6 domain domain-id vlan domain-id - An independent multicast domain. (Range: 1-5) vlan-id - Specifies the VLAN through which MVR multicast data is received. This is also the VLAN to which all source ports must be assigned.
Command Usage ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
Command Usage ◆ A port configured as an MVR6 receiver or source port can join or leave multicast groups configured under MVR6. A port which is not configured as an MVR receiver or source port can use MLD snooping to join or leave multicast groups using the standard rules for multicast filtering (see “MLD Snooping” on page 679). ◆ Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN.
ip-address - Statically configures an interface to receive multicast traffic from the IPv6 address specified for an MVR multicast group. This parameter must be a full IPv6 address including the network prefix and host address bits. Default Setting No receiver port is a member of any configured multicast group.
Example Console#clear mvr6 groups dynamic Console# clear mvr6 statistics Use this command to clear the MVR6 statistics. Syntax clear mvr6 statistics [interface {ethernet unit/port | port-channel channel-id | vlan vlan-id}] ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Example The following shows the MVR6 settings:
Console#show mvr6
MVR6 802.1p Forwarding Priority : Disabled
MVR6 Proxy Switching            : Enabled
MVR6 Robustness Value           : 1
MVR6 Proxy Query Interval       : 125(sec.
MVR6 Source Port Mode           :
Domain                          :
MVR6 Config Status              :
MVR6 Running Status             :
MVR6 Multicast VLAN             :
MVR6 Current Learned Groups     :
MVR6 Upstream Source IP         :
. . .
Command Mode Privileged Exec Example The following displays the profiles bound to domain 1:
Console#show mvr6 domain 1 associated-profile
Domain ID : 1
MVR Profile Name      Start IPv6 Addr.           End IPv6 Addr.
--------------------  -------------------------  -------------------------
rd                    ff01::fe                   ff01::ff
Console#
show mvr6 interface This command shows MVR configuration settings for interfaces attached to the MVR VLAN.
Table 144: show mvr6 interface - display description (Continued) Field Description Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
The following example shows detailed information about a specific multicast address: Console#show mvr6 domain 1 members ff00::1 MVR6 Domain : 1 MVR6 Forwarding Entry Count :1 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts joined to the group on this port). P - Port counts (number of forwarding ports). Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s).
show mvr6 statistics This command shows MVR protocol-related statistics for the specified interface. Syntax show mvr6 statistics {input | output} [interface interface] show mvr6 domain domain-id statistics {input [interface interface] | output [interface interface] | query} domain-id - An independent multicast domain. (Range: 1-5) interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Table 146: show mvr6 statistics input - display description (Continued) Field Description Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or an MVR group report received. Join Succ The number of times a multicast group was successfully joined. Group The number of MVR groups active on this interface.
Table 148: show mvr6 statistics query - display description Field Description Other Querier Address The IPv6 address of the querier on this interface. Other Querier Uptime Other querier’s time up. Other Querier Expire Time The time after which this querier is assumed to have expired. Self Querier Address This querier’s IPv6 address. Self Querier Uptime This querier’s time up. Self Querier Expire Time This querier’s expire time.
25 LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that periodically sends frames to a reserved link-local multicast address to advertise information about the sending device; 802.1D-conformant bridges do not forward these frames, so the information stays on the local link. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings. Because any device attached to the link can read these advertisements, treat them as a disclosure of the sending device’s identity and management details and limit what is advertised on ports facing untrusted hosts.
Chapter 25 | LLDP Commands
Table 149: LLDP Commands (Continued)
Command                            Function                                                                                 Mode
lldp basic-tlv system-description  Configures an LLDP-enabled port to advertise the system description                       IC
lldp basic-tlv system-name         Configures an LLDP-enabled port to advertise its system name                              IC
lldp dot1-tlv proto-ident*         Configures an LLDP-enabled port to advertise the supported protocols                      IC
lldp dot1-tlv proto-vid*           Configures an LLDP-enabled port to advertise port-based protocol related VLAN information  IC
lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. Syntax lldp med-fast-start-count packets no lldp med-fast-start-count packets - Number of packets.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs. tx-only - Only transmit LLDP PDUs. tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs). On ports facing untrusted hosts, rx-only (or disabling LLDP on the port with the no form) keeps the switch from advertising its system name, management address, software revision and other inventory details to whatever is plugged in; reserve tx-rx for links to known infrastructure such as other switches or IP phones that need the advertisements.
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. ◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
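To make concrete what the 802.1AB TLV format introduced at the start of this chapter carries, and how a management address TLV is laid out, the following decoder is an added example written for this guide, not Edge-core code. The sample LLDPDU it builds is constructed here: the port MAC address and port description follow the show lldp info local-device example later in this chapter, while the system name, TTL value and management address 192.168.0.1 are assumptions.

```python
"""Decode the basic IEEE 802.1AB TLVs of an LLDPDU, including management address TLVs.

Added example, not Edge-core code. The sample LLDPDU is constructed below and
contains the kind of information the show lldp info commands display; the
system name, TTL and management address values are assumptions.
"""
import ipaddress
import struct

# TLV type codes from IEEE 802.1AB (basic management TLV set)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP, TLV_MGMT_ADDR = 4, 5, 6, 7, 8
TLV_ORG_SPECIFIC = 127

# System capability bit positions from 802.1AB
CAPABILITY_BITS = [(1 << 0, "Other"), (1 << 1, "Repeater"), (1 << 2, "Bridge"),
                   (1 << 3, "WLAN Access Point"), (1 << 4, "Router"),
                   (1 << 5, "Telephone"), (1 << 6, "DOCSIS Cable Device"),
                   (1 << 7, "Station Only")]
MGMT_ADDR_IPV4, MGMT_ADDR_IPV6 = 1, 2     # IANA address family numbers used by 802.1AB


def tlv(tlv_type: int, payload: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into a 16-bit header."""
    if not 0 <= tlv_type < 128 or len(payload) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


def iter_tlvs(pdu: bytes):
    """Yield (type, payload) pairs, stopping at the End of LLDPDU TLV."""
    offset = 0
    while offset + 2 <= len(pdu):
        header, = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("truncated TLV")       # declared length runs past the frame
        yield tlv_type, pdu[offset:offset + length]
        offset += length
        if tlv_type == TLV_END:
            return
    raise ValueError("no End of LLDPDU TLV")


def _mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def _decode_mgmt_addr(payload: bytes) -> dict:
    addr_len = payload[0]                          # counts the subtype byte as well
    subtype = payload[1]
    raw = payload[2:1 + addr_len]
    rest = payload[1 + addr_len:]
    if subtype == MGMT_ADDR_IPV4:
        address = str(ipaddress.IPv4Address(raw))
    elif subtype == MGMT_ADDR_IPV6:
        address = str(ipaddress.IPv6Address(raw))
    else:
        address = raw.hex()
    if_subtype, if_number, oid_len = struct.unpack_from("!BIB", rest, 0)
    return {"address": address, "interface_subtype": if_subtype,
            "interface_number": if_number, "oid": rest[6:6 + oid_len].hex()}


def parse_lldpdu(pdu: bytes) -> dict:
    """Return a dictionary of what a neighbour learns from this LLDPDU."""
    info = {"management_addresses": [], "org_specific_tlvs": 0}
    types = []
    for tlv_type, payload in iter_tlvs(pdu):
        types.append(tlv_type)
        if tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID):
            subtype, ident = payload[0], payload[1:]
            is_mac = (tlv_type, subtype) in ((TLV_CHASSIS_ID, 4), (TLV_PORT_ID, 3))
            info["chassis_id" if tlv_type == TLV_CHASSIS_ID else "port_id"] = _mac(ident) if is_mac else ident.hex()
        elif tlv_type == TLV_TTL:
            info["ttl"], = struct.unpack("!H", payload)
        elif tlv_type in (TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC):
            key = {TLV_PORT_DESC: "port_description", TLV_SYS_NAME: "system_name",
                   TLV_SYS_DESC: "system_description"}[tlv_type]
            info[key] = payload.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYS_CAP:
            supported, enabled = struct.unpack("!HH", payload)
            info["capabilities"] = [n for bit, n in CAPABILITY_BITS if supported & bit]
            info["enabled_capabilities"] = [n for bit, n in CAPABILITY_BITS if enabled & bit]
        elif tlv_type == TLV_MGMT_ADDR:
            info["management_addresses"].append(_decode_mgmt_addr(payload))
        elif tlv_type == TLV_ORG_SPECIFIC:
            info["org_specific_tlvs"] += 1
    if types[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("802.1AB requires Chassis ID, Port ID and TTL first, in that order")
    return info


def build_sample_lldpdu() -> bytes:
    """Constructed LLDPDU resembling what this switch would send (several values assumed)."""
    mac = bytes.fromhex("0012cfdafce9")                    # port MAC from the guide's example output
    ipv4 = ipaddress.IPv4Address("192.168.0.1").packed     # assumed management address
    return (tlv(TLV_CHASSIS_ID, b"\x04" + mac)             # subtype 4: MAC address
            + tlv(TLV_PORT_ID, b"\x03" + mac)              # subtype 3: MAC address
            + tlv(TLV_TTL, struct.pack("!H", 120))         # e.g. 30 s interval x holdtime multiplier 4
            + tlv(TLV_PORT_DESC, b"Ethernet Port on unit 1, port 1")
            + tlv(TLV_SYS_NAME, b"core-sw1")               # assumed system name
            + tlv(TLV_SYS_DESC, b"ECS4510-52P")
            + tlv(TLV_SYS_CAP, struct.pack("!HH", 0x0014, 0x0014))   # Bridge + Router, both enabled
            + tlv(TLV_MGMT_ADDR, bytes([len(ipv4) + 1, MGMT_ADDR_IPV4]) + ipv4
                  + bytes([2]) + struct.pack("!I", 1) + b"\x00")     # ifIndex numbering, ifIndex 1, no OID
            + tlv(TLV_END, b""))
```

Feeding a captured LLDPDU (the Ethernet payload after the 0x88CC EtherType) to parse_lldpdu() lists exactly what an untrusted host on that port learns; the ordering check and the length check mirror the validation a receiver must do before trusting a frame from an unknown neighbour.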
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system capabilities identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-name Console(config-if)# lldp dot1-tlv proto-ident This command configures an LLDP-enabled port to advertise the supported protocols.
Command Usage This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 592). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-vid Console(config-if)# lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Command Usage This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 573 and “protocol-vlan protocolgroup (Configuring Interfaces)” on page 594. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv vlan-name Console(config-if)# lldp dot3-tlv link-agg This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Command Usage This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv mac-phy Console(config-if)# lldp dot3-tlv max-frame This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Command Usage ◆ This command only applies to the ECS4510-28P/52P. ◆ This option advertises Power-over-Ethernet capabilities, including whether or not PoE is supported, currently enabled, if the port pins through which power is delivered can be controlled, the port pins selected to deliver power, and the power class.
◆ Use the ca-type to advertise the physical location of the device, that is the city, street number, building and room information. The address location is specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776. The following table describes some of the CA type numbers and provides examples.
Console(config-if)#lldp med-location civic-addr what 2 Console(config-if)# lldp med-notification This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command only applies to the ECS4510-28P/52P. This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises location identification details. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv location Console(config-if)# lldp med-tlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
show lldp config This command shows LLDP configuration settings for all ports. Syntax show lldp config [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
MED Enabled TLVs Advertised : med-cap network-policy location ext-poe inventory
MED Location Identification:
  Location Data Format : Civic Address LCI
  Civic Address Status : Enabled
  Country Name         : US
  What                 : 2
  CA-Type : 1   CA-Value : Alabama
  CA-Type : 2   CA-Value : Tuscaloosa
Console#
show lldp info local-device This command shows LLDP global and interface-specific configuration settings for this device.
Console#show lldp info local-device detail ethernet 1/1
LLDP Local Port Information Detail
 Port             : Eth 1/1
 Port ID Type     : MAC Address
 Port ID          : 00-12-CF-DA-FC-E9
 Port Description : Ethernet Port on unit 1, port 1
 MED Capability   : LLDP-MED Capabilities
                    Network Policy
                    Location Identification
                    Inventory
Console#
show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
System Description   : ECS4510-52P
System Capabilities  : Bridge, Router
Enabled Capabilities : Bridge, Router
Management Address   : 192.168.0.
Inventory :
  Hardware Revision : R0A
  Firmware Revision : 1.2.6.0
  Software Revision : 1.2.6.0
  Serial Number     : S123456
  Manufacture Name  : Prye
  Model Name        : VP101
  Asset ID          : 340937
Console#
show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier.
TLVs Discarded   : 0
Neighbor Ageouts : 1
Console#
26 CFM Commands Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loopback messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
Chapter 26 | CFM Commands Table 151: CFM Commands (Continued) Command Function Mode ma index name-format Specifies the name format for the maintenance association CFM as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.
Table 151: CFM Commands (Continued)
Command                                                 Function                                                                                                                             Mode
ethernet cfm mep crosscheck                             Enables cross-checking between the list of configured remote MEPs within a maintenance association and MEPs learned through continuity check messages  PE
show ethernet cfm maintenance-points remote crosscheck  Displays information about remote maintenance points configured statically in a cross-check list                                     PE
ethernet cfm linktrace cache                            Enables caching of CFM data learned through link tra
Defining CFM Structures 4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages. 5. Enable CFM globally on the switch with the ethernet cfm enable command. 6.
Example This example sets the maintenance level for sending AIS messages within the specified MA. Console(config)#ethernet cfm ais level 4 md voip ma rd Console(config)# ethernet cfm ais ma This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature. Syntax [no] ethernet cfm ais md domain-name ma ma-name domain-name – Domain name.
ethernet cfm ais period This command configures the interval at which AIS information is sent. Use the no form to restore the default setting. Syntax ethernet cfm ais period period md domain-name ma ma-name no ethernet cfm ais period md domain-name ma ma-name period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds) domain-name – Domain name. (Range: 1-43 alphanumeric characters) ma-name – Maintenance association name.
with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Default Setting No maintenance domains are configured. No MIPs are created for any MA in the specified domain. Command Mode Global Configuration Command Usage ◆ A domain can only be configured with one name. ◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command. Example This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
ma index name This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
◆ Before removing an MA, first remove all the MEPs configured for it (see the mep crosscheck mpid command). ◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
ethernet cfm mep This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP. Syntax ethernet cfm mep mpid mpid md domain-name ma ma-name [up] no ethernet cfm mep mpid mpid ma ma-name mpid – Maintenance end point identifier. (Range: 1-8191) domain-name – Domain name.
ethernet cfm port-enable This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface. Syntax [no] ethernet cfm port-enable Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
Command Usage This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved. Example This example clears AIS defect entries on port 1. Console#clear ethernet cfm ais mpid 1 md voip ma rd Console# show ethernet cfm configuration This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
This example shows the configuration status for continuity check and cross-check traps.
show ethernet cfm md This command displays the configured maintenance domains. Syntax show ethernet cfm md [level level] level – Maintenance level. (Range: 0-7) Default Setting None Command Mode Privileged Exec Example This example shows all configured maintenance domains.
Console#show ethernet cfm md
MD Index  MD Name               Level  MIP Creation  Archive Hold Time (m.
--------  --------------------  -----  ------------
1         rd                    0      default
Console#
show ethernet cfm maintenance-points local This command displays the maintenance points configured on this device. Syntax show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]} mep – Displays only local maintenance end points. mip – Displays only local maintenance intermediate points. domain-name – Domain name.
show ethernet cfm maintenance-points local detail mep This command displays detailed CFM information about a local MEP in the continuity check database. Syntax show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) interface – Displays CFM status for the specified interface. ethernet unit/port unit - Unit identifier.
Table 153: show ethernet cfm maintenance-points local detail mep - display Field Description MPID MEP identifier MD Name The maintenance domain for this entry.
Default Setting None Command Mode Privileged Exec Command Usage Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address. Example This example shows detailed information about the remote MEP designated by MPID 2.
Continuity Check Operations Table 154: show ethernet cfm maintenance-points remote detail - display Field Description Port State Port states include: Up – The port is functioning normally. Blocked – The port has been blocked by the Spanning Tree Protocol. No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA. ◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs). Example This example enables continuity check messages for the specified maintenance association.
Example This example enables SNMP traps for mep-up events. Console(config)#snmp-server enable traps ethernet cfm cc mep-up Console(config)# Related Commands ethernet cfm mep crosscheck (795) mep archive-hold-time This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
Default Setting None Command Mode Privileged Exec Command Usage Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors This command displays the CFM continuity check errors logged on this device. Syntax show ethernet cfm errors [domain domain-name | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) level-id – Authorized maintenance level for this domain.
Cross Check Operations ethernet cfm mep crosscheck start-delay This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting. Syntax ethernet cfm mep crosscheck start-delay delay delay – The time a device waits for remote MEPs to come up before the cross-check is started.
Chapter 26 | CFM Commands Cross Check Operations Default Setting All continuity checks are enabled. Command Mode Global Configuration Command Usage ◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Chapter 26 | CFM Commands Cross Check Operations Command Usage ◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational. ◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
Chapter 26 | CFM Commands Link Trace Operations ◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword. Example This example enables cross-checking within the specified maintenance association. Console#ethernet cfm mep crosscheck enable md voip ma rd Console# show ethernet cfm This command displays information about remote MEPs statically configured in a maintenance-points cross-check list.
Command Mode
Global Configuration
Command Usage
◆ A link trace message is a multicast CFM frame initiated by a MEP and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
◆ Use this command to enable the link trace cache to store the results of link trace operations initiated on this device.

Example
This example sets the aging time for entries in the link trace cache to 60 minutes.
Console(config)#ethernet cfm linktrace cache hold-time 60
Console(config)#
ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
Syntax
ethernet cfm linktrace cache size entries
entries – The number of link trace responses stored in the link trace cache.

source-mpid – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
mac-address – MAC address of a remote MEP that is the target of the link trace message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.

clear ethernet cfm linktrace-cache
This command clears link trace messages logged on this device.
Command Mode
Privileged Exec
Example
Console#clear ethernet cfm linktrace-cache
Console#
show ethernet cfm linktrace-cache
This command displays the contents of the link trace cache.
Command Mode
Privileged Exec
Example
Console#show ethernet cfm linktrace-cache
Hops MA             IP / Alias             Forwarded
---- -------------- ----------------------
2    rd             192.168.0.
Chapter 26 | CFM Commands Loopback Operations
Table 156: show ethernet cfm linktrace-cache - display description (Continued)
Field        Description
Egr. Action  Action taken on the egress port:
             EgrOk – The targeted data frame was forwarded.
             EgrDown – The egress port can be identified, but that bridge port’s MAC_Operational parameter is false.
             EgrBlocked – The egress port can be identified, but the data frame was not passed through the egress port due to active topology management, i.e.
Chapter 26 | CFM Commands Fault Generator Operations
Command Usage
◆ Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
◆ The point from which the loopback message is transmitted (i.e., the DSAP) and the target maintenance point specified in this command must be within the same MA.

set by the mep fault-notify lowest-priority command.
Example
This example sets the delay time before generating a fault alarm.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify alarm-time 10
Console(config-ether-cfm)#
mep fault-notify lowest-priority
This command sets the lowest priority defect that is allowed to generate a fault alarm. Use the no form to restore the default setting.

◆ Priority defects include the following items:
Table 157: Remote MEP Priority Levels
Priority Level  Level Name     Description
1               allDef         All defects.
2               macRemErrXcon  DefMACstatus, DefRemoteCCM, DefErrorCCM, or DefXconCCM.
3               remErrXcon     DefErrorCCM, DefXconCCM or DefRemoteCCM.
4               errXcon        DefErrorCCM or DefXconCCM.
5               xcon           DefXconCCM
6               noXcon         No defects DefXconCCM or lower are to be reported.

Default Setting
10 seconds
Command Mode
CFM Domain Configuration
Example
This example sets the reset time after which another fault alarm can be generated.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify reset-time 7
Console(config-ether-cfm)#
show ethernet cfm
This command displays configuration settings for the fault notification generator.
Chapter 26 | CFM Commands Delay Measure Operations
Table 159: show fault-notify-generator - display description (Continued)
Field       Description
Alarm Time  The time a defect must exist before a fault alarm is issued (see the mep fault-notify alarm-time command).
Reset Time  The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued (see the mep fault-notify reset-time command).

Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this command.
◆ If a MEP is enabled to generate frames with delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA, and expects to receive DM frames back from it.
27 OAM Commands The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
Chapter 27 | OAM Commands
efm oam
This command enables OAM functions on the specified port. Use the no form to disable this function.
Syntax
[no] efm oam
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.

Command Usage
◆ Critical events are vendor-specific and may include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.
Note: When system power fails, the switch will always send a dying gasp trap message prior to power down.

efm oam link-monitor frame threshold
This command sets the threshold for errored frame link events. Use the no form to restore the default setting.
Syntax
efm oam link-monitor frame threshold count
no efm oam link-monitor frame threshold
count - The threshold for errored frame link events.

exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.
Example
This example sets the window size to 5 seconds.
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame window 50
Console(config-if)#
efm oam mode
This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
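To make the interaction of the frame window and frame threshold concrete, the following Python model of the errored frame link monitor is an added illustration written for this section, not switch firmware. It assumes a fixed window grid expressed in 100 ms units (as the examples above do) and that an Errored Frame Event is raised when the count in a closed window is at least the threshold; the timestamps fed to it are constructed.

```python
"""Model of an OAM errored-frame link monitor (added illustration, not switch code).

A window of `window` x 100 ms tiles the timeline. Every errored frame increments
the count for the window it falls in; when a window closes, an Errored Frame
Event carrying that count is generated if the count reached the threshold.
Assumption: "reached" is modelled as count >= threshold.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ErroredFrameEvent:
    """Information carried in an Errored Frame Event TLV."""
    window_start_ms: int   # start of the window that was evaluated
    window_ms: int         # window length in milliseconds
    errored_frames: int    # errored frames detected in that window


class ErroredFrameMonitor:
    def __init__(self, window: int = 10, threshold: int = 1) -> None:
        # window: 100 ms units (10 = 1 second); threshold: errored frames per window
        if window < 1 or threshold < 1:
            raise ValueError("window and threshold must be positive")
        self.window = window
        self.threshold = threshold
        self.events: List[ErroredFrameEvent] = []
        self._count = 0
        self._win_start_ms = 0

    @property
    def window_ms(self) -> int:
        return self.window * 100

    def _close_windows_until(self, t_ms: int) -> None:
        """Advance the window grid to the window containing t_ms, closing each
        elapsed window and emitting an event where the threshold was reached."""
        while t_ms >= self._win_start_ms + self.window_ms:
            if self._count >= self.threshold:
                self.events.append(ErroredFrameEvent(
                    self._win_start_ms, self.window_ms, self._count))
            self._count = 0
            self._win_start_ms += self.window_ms

    def errored_frame(self, t_ms: int) -> None:
        """Record one errored frame observed at monotonic time t_ms."""
        self._close_windows_until(t_ms)
        self._count += 1

    def tick(self, t_ms: int) -> List[ErroredFrameEvent]:
        """Timer callback: close windows that ended before t_ms even if no
        further frames arrived, then return all events so far."""
        self._close_windows_until(t_ms)
        return list(self.events)


def run_demo() -> ErroredFrameMonitor:
    """Window 50 (5 seconds, as in the example above) with a constructed
    threshold of 3. Constructed timestamps: a burst of 3 errored frames in the
    first window, 2 in the second (below threshold), 4 in the third."""
    mon = ErroredFrameMonitor(window=50, threshold=3)
    for t in (100, 200, 300, 6000, 7000, 12000, 12100, 12200, 12300):
        mon.errored_frame(t)
    mon.tick(20000)
    return mon


if __name__ == "__main__":
    for ev in run_demo().events:
        print(f"window starting {ev.window_start_ms} ms: "
              f"{ev.errored_frames} errored frames in {ev.window_ms} ms")
```

Lowering the threshold or widening the window changes how many events are generated; a run of events on a port is the signal to look for in the event log before the link degrades further.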
clear efm oam counters
This command clears statistical counters for various OAMPDU message types.
Syntax
clear efm oam counters [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

efm oam remote-loopback
This command starts or stops OAM loopback test mode to the attached CPE.
Syntax
efm oam remote-loopback {start | stop} interface
start - Starts remote loopback test mode.
stop - Stops remote loopback test mode.
interface - unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
OAM remote loopback can be used for fault localization and link performance testing.

efm oam remote-loopback test
This command performs a remote loopback test, sending a specified number of packets.
Syntax
efm oam remote-loopback test interface [number-of-packets [packet-size]]
interface - unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-28/52)
number-of-packets - Number of packets to send. (Range: 1-99999999)
packet-size - Size of packets to send.

show efm oam counters interface
This command displays counters for various OAM PDU message types.
Syntax
show efm oam counters interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

Example
Console#show efm oam event-log interface 1/1
OAM event log of Eth 1/1:
00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote"
Console#
This command can also show OAM link status changes for the link partner, as shown in this example.

show efm oam remote-loopback interface
This command displays the results of an OAM remote loopback test.
Syntax
show efm oam remote-loopback interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

Link Monitor (Errored Frame)     : Enabled
Link Monitor:
  Errored Frame Window (100msec) : 10
  Errored Frame Threshold        : 1
Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port Admin   Mode   Remote   Dying   Critical Errored
     State          Loopback Gasp    Event    Frame
---- ------- ------ -------- ------- -------- -------
1/1  Enabled Active Disabled Enabled Enabled  Enabled
Console#
show efm oam status
This command displays information about attached OAM-enabled
28 Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Chapter 28 | Domain Name Service Commands
Command Mode
Global Configuration
Command Usage
◆ Domain names are added to the end of the list one at a time.
◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
◆ If there is no domain list, the domain name specified with the ip domain-name command is used.

Example
This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status:
 DNS Enabled
Default Domain Name:
 sample.com
Domain Name List:
 sample.com.jp
 sample.com.uk
Name Server List:
 192.168.1.55
 10.1.0.55
Console#
Related Commands
ip domain-name (823)
ip name-server (824)
ip domain-name
This command defines the default domain name appended to incomplete host names (i.e.

Related Commands
ip domain-list (821)
ip name-server (824)
ip domain-lookup (822)
ip host
This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.
Syntax
[no] ip host name address
name - Name of an IPv4 host. (Range: 1-100 characters)
address - Corresponding IPv4 address.

Default Setting
None
Command Mode
Global Configuration
Command Usage
The listed name servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response.
Example
This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
 DNS disabled
Default Domain Name:
 sample.

Command Mode
Global Configuration
Example
This example maps an IPv6 address to a host name.
Console(config)#ipv6 host rd6 2001:0db8:1::12
Console(config)#end
Console#show hosts
No.  Flag Type    IP Address           TTL  Domain
---- ---- ------- -------------------- ---- ------------------------------
0    2    Address 192.168.1.55              rd5
1    2    Address 2001:DB8:1::12            rd6
Console#
clear dns cache
This command clears all entries in the DNS cache.

Example
This example clears all dynamic entries from the DNS table.
Console(config)#clear host *
Console(config)#
show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status:
 DNS enabled
Default Domain Name:
 sample.com
Domain Name List:
 sample.com.jp
 sample.com.uk
Name Server List:
 192.168.1.55
 10.1.0.55
Console#
show dns cache
This command displays entries in the DNS cache.

Table 162: show dns cache - display description (Continued)
Field       Description
IP Address  The IP address associated with this record.
TTL         The time to live reported by the name server.
Host        The host name associated with this record.
show hosts
This command displays the static host name-to-address mapping table.
29 DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 29 | DHCP Commands DHCP Client
DHCP Client
DHCP for IPv4
ip dhcp dynamic-provision
This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.
Syntax
[no] ip dhcp dynamic-provision
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.

2. Define the conditions in the class section:
class "OPT66_67" {         # for option 66/67
    # option 124
    match if option vendor-class-identifier = "SMC";
    # option 55
    option dhcp-parameter-request-list 1,66,67;
    # option 66
    option tftp-server-name "192.168.1.1";
    # option 67
    option bootfile-name "dhcp_config.cfg";
}
shared-network Sample2 {
    subnet 192.168.1.0 netmask 255.255.255.0 {
    }
    pool {
        allow members of "OPT66_67";
        range 192.168.1.10 192.168.1.

◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide how to service the client or which type of information to return.
◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).

ip dhcp restart client
This command submits a BOOTP or DHCP client request.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.
◆ DHCP requires the server to reassign the client’s last address if available.

DHCP for IPv6
ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.

Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration.

Example
The following command submits a client request on VLAN 1.
Console#ipv6 dhcp restart client vlan 1
Console#
Related Commands
ipv6 address autoconfig (858)
show ipv6 dhcp duid
This command shows the DHCP Unique Identifier for this switch.
Command Mode
Privileged Exec
Command Usage
DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.

Chapter 29 | DHCP Commands DHCP Relay
Related Commands
ipv6 address (857)
DHCP Relay
This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.

◆ You must specify the IP address for at least one active DHCP server. Otherwise, the switch’s DHCP relay agent will not be able to forward client requests to a DHCP server. Up to five DHCP servers can be specified in order of preference.

Proxy ARP is disabled
DHCP relay server: 0.0.0.0
Console#
Related Commands
ip dhcp relay server (837)
DHCP Relay for IPv6
ipv6 dhcp relay destination
This command specifies the destination address or VLAN to which client messages are forwarded for DHCP service. Use the no form to remove an entry.

◆ When issuing the no ipv6 dhcp relay destination command without any arguments, the switch will delete all configured destination addresses and disable DHCP for IPv6 relay for all VLANs.
Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 dhcp relay destination 2001:0DB8:3000:3000::42
Console(config-if)#
show ipv6 dhcp relay destination
This command shows the destination addresses or VLAN to which client messages are forwarded for DHCP relay service.

Command Mode
Privileged Exec
Example
Console#show ip dhcp pool
Console#
30 IP Interface Commands
An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
Chapter 30 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage
◆ If this router is directly connected to end node devices (or connected to end nodes via shared media) that will be assigned to a specific subnet, then you must create a router interface for each VLAN that will support routing. The router interface consists of an IP address and subnet mask. This interface address defines both the network number to which the router interface is attached and the router’s host number on that network.

Example
In the following example, the device is assigned an address in VLAN 1.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#
This example assigns an IP address to VLAN 2 using a classless network mask.
Console(config)#interface vlan 2
Console(config-if)#ip address 10.2.2.

after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.
Example
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 192.168.0.

show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.

 input errors 9897
output
Console#
traceroute
This command shows the route packets take to the specified destination.
Syntax
traceroute host
host - IP address or alias of the host.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.

Example
Console#traceroute 192.168.0.1
Press "ESC" to abort.
Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
1   20 ms    <10 ms   <10 ms   192.168.0.99
Trace completed.
Console#
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
host - IP address or alias of the host.

◆ When pinging a host name, be sure the DNS server has been defined (page 824) and host name-to-address translation enabled (page 822). If necessary, local devices can also be specified in the DNS static host table (page 824).
Example
Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.

Default Setting
No default entries
Command Mode
Global Configuration
Command Usage
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆ The maximum number of static entries allowed in the ARP cache is 128.

Command Usage
◆ When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
◆ The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the router may tie up resources by repeating ARP requests for addresses recently flushed from the table.
Example
This example sets the ARP cache timeout to 15 minutes (i.e., 900 seconds).

clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Are you sure to continue this operation (y/n)?y
Console#
show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
Chapter 30 | IP Interface Commands IPv6 Interface
IPv6 Interface
This switch supports the following IPv6 interface commands.

Table 173: IPv6 Configuration Commands (Continued)
Command               Function                                                         Mode
clear ipv6 neighbors  Deletes all dynamic entries in the IPv6 neighbor discovery cache  PE
show ipv6 nd raguard  Displays the configuration setting for RA Guard                  PE
show ipv6 neighbors   Displays information in the IPv6 neighbor discovery cache        PE
Interface Address Configuration and Utilities
ipv6 default-gateway
This command sets an IPv6 default gateway to use for destinations wi

Example
The following example defines a default gateway for this device:
Console(config)#ipv6 default-gateway FE80::269:3EF9:FE19:6780%1
Console(config)#
Related Commands
ip default-gateway (846)
ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface.

◆ If a duplicate address is detected, a warning message is sent to the console.
Example
This example specifies a full IPv6 address and prefix length.

Command Usage
◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link local address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.

ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.

globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
◆ This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device, as long as those interfaces are attached to different subnets.
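The derivation above, carried out in code: an added Python example for this section (not switch firmware) that builds the modified EUI-64 identifier from a MAC address, combines it with a prefix the way ipv6 address eui-64 does, and, going one step beyond the text, recovers the MAC from an EUI-64 address. The MAC 28-9F-18-1C-82-35 is the one implied by the worked result 2A-9F-18-FF-FE-1C-82-35; the MAC 70-72-CF-83-34-66 is inferred from the [EUI] address shown in the show ipv6 interface output later in this chapter.

```python
"""Modified EUI-64 interface identifiers (added example, not switch code)."""
import ipaddress
import re
from typing import Optional

UL_BIT = 0x02            # universal/local bit in the first octet of the OUI
IID_MASK = (1 << 64) - 1  # low-order 64 bits of an IPv6 address


def mac_to_bytes(mac: str) -> bytes:
    """Accept xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Insert FF-FE between the OUI and the device part of the MAC, then
    invert the universal/local bit (0x02 of the first octet): 28 -> 2A."""
    b = mac_to_bytes(mac)
    iid = bytearray(b[:3] + b"\xff\xfe" + b[3:])
    iid[0] ^= UL_BIT
    return bytes(iid)


def format_eui64(iid: bytes) -> str:
    """Render an 8-byte identifier in the guide's XX-XX-... notation."""
    return "-".join(f"{x:02X}" for x in iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Put the modified EUI-64 identifier in the low-order 64 bits of the
    given prefix, which is what ipv6 address <prefix> eui-64 does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("prefix longer than 64 bits leaves no room for the identifier")
    high = int(net.network_address) & ~IID_MASK
    return ipaddress.IPv6Address(high | int.from_bytes(modified_eui64(mac), "big"))


def mac_from_eui64(address: str) -> Optional[str]:
    """Inverse: if the identifier carries the FF-FE marker, undo the
    bit flip and return the MAC; otherwise None (not EUI-64 derived)."""
    iid = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= UL_BIT
    return "-".join(f"{x:02X}" for x in mac)


if __name__ == "__main__":
    print(format_eui64(modified_eui64("28-9F-18-1C-82-35")))
    print(eui64_address("2001:db8:0:1::/64", "70-72-CF-83-34-66"))
    print(mac_from_eui64("2001:db8:0:1:7272:cfff:fe83:3466"))
```

Because the identifier is derived mechanically, the same address suffix appears on every prefix the interface is attached to, which is the reuse property the last bullet describes.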
Chapter 30 | IP Interface Commands IPv6 Interface ipv6 address link-local This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface. Syntax ipv6 address ipv6-address link-local no ipv6 address [ipv6-address link-local] ipv6-address - The IPv6 address assigned to the interface.
Chapter 30 | IP Interface Commands IPv6 Interface ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
Chapter 30 | IP Interface Commands IPv6 Interface IPv6 is enabled Link-local address: fe80::269:3ef9:fe19:6779%1/64 Global unicast address(es): 2001:db8:0:1:7272:cfff:fe83:3466/64, subnet is 2001:db8:0:1::/64[EUI] 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::1:ff19:6779 ff02::1:ff00:72 ff02::1:ff83:3466 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
Chapter 30 | IP Interface Commands IPv6 Interface ◆ All devices on the same physical medium must use the same MTU in order to operate correctly. ◆ IPv6 must be enabled on an interface before the MTU can be set. Example The following example sets the MTU for VLAN 1 to 1280 bytes: Console(config)#interface vlan 1 Console(config-if)#ipv6 mtu 1280 Console(config-if)# Related Commands show ipv6 mtu (868) jumbo frame (122) show ipv6 This command displays the current IPv6 default gateway.
Chapter 30 | IP Interface Commands IPv6 Interface show ipv6 interface This command displays the usability and configured settings for IPv6 interfaces. Syntax show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]] brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface. vlan-id - VLAN ID (Range: 1-4093) ipv6-prefix - The IPv6 network portion of the address assigned to the interface.
Chapter 30 | IP Interface Commands IPv6 Interface Table 174: show ipv6 interface - display description Field Description VLAN A VLAN is marked “up” if the switch can send and receive packets on this interface, “down” if a line signal is not present, or “administratively down” if the interface has been disabled by the administrator.
Chapter 30 | IP Interface Commands IPv6 Interface Related Commands show ip interface (847) show ipv6 mtu This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
Chapter 30 | IP Interface Commands IPv6 Interface truncated packets discards delivers reassembly request datagrams reassembly succeeded reassembly failed IPv6 sent forwards datagrams requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics: ICMPv6 received input errors destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages router solicit messages router advertisement mess
Chapter 30 | IP Interface Commands IPv6 Interface Table 176: show ipv6 traffic - display description Field Description IPv6 Statistics IPv6 received total received The total number of input datagrams received by the interface, including those received in error. header errors The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
IPv6 sent forwards datagrams The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
neighbor solicit messages The number of ICMP Neighbor Solicit messages received by the interface. neighbor advertisement messages The number of ICMP Neighbor Advertisement messages received by the interface. redirect messages The number of Redirect messages received by the interface.
UDP Statistics input The total number of UDP datagrams delivered to UDP users. no port errors The total number of received UDP datagrams for which there was no application at the destination port. other errors The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
Default Setting count: 5 size: 100 bytes Command Mode Privileged Exec Command Usage ◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path. ◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
host-name - A host name string which can be resolved into an IPv6 address through a domain name server. failure-count - The maximum number of failures before which the trace route is terminated. (Range: 1-255) Default Setting Maximum failures: 5 Command Mode Privileged Exec Command Usage ◆ Use the traceroute6 command to determine the path taken to reach a specified destination.
Neighbor Discovery ipv6 hop-limit This command configures the maximum number of hops used in router advertisements that are originated by this router. Use the no form to restore the default setting. Syntax ipv6 hop-limit hops no ipv6 hop-limit hops - The maximum number of hops in router advertisements and all IPv6 packets.
Command Usage ◆ Configuring a value of 0 disables duplicate address detection. ◆ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface. ◆ Duplicate address detection is stopped on any interface that has been suspended (see the vlan command). While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending” state.
ND advertised reachable time is 0 milliseconds Console# Related Commands ipv6 nd ns-interval (878) show ipv6 neighbors (881) ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value. Syntax ipv6 nd ns-interval milliseconds no ipv6 nd ns-interval milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
2009:db9:2229::79, subnet is 2009:db9:2229:0::/64 Joined group address(es): ff01::1/16 ff02::1/16 ff02::1:ff00:79/104 ff02::1:ff90:0/104 IPv6 link MTU is 1500 bytes. ND DAD is enabled, number of DAD attempts: 5.
ipv6 nd reachable-time This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting. Syntax ipv6 nd reachable-time milliseconds no ipv6 nd reachable-time milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability.
show ipv6 nd raguard This command displays the configuration setting for RA Guard. Syntax show ipv6 nd raguard [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Chapter 30 | IP Interface Commands ND Snooping
FE80::2E0:CFF:FE9C:CA10 4 00-E0-0C-9C-CA-10 R 1
Console#
Table 177: show ipv6 neighbors - display description Field Description IPv6 Address IPv6 address of neighbor Age The time since the address was verified as reachable (in seconds). A static entry is indicated by the value “Permanent.” Link-layer Addr Physical layer MAC address.
means that the address is already being used by another host, and the binding is therefore deleted. If it does not receive an NA packet after a timeout period, the binding will be bound to the original host. ND snooping can also maintain a prefix table used for stateless address auto-configuration by monitoring Router Advertisement (RA) packets sent from neighboring routers. ND snooping can also detect if an IPv6 address binding is no longer valid.
ipv6 nd snooping This command enables ND snooping globally or on a specified VLAN or range of VLANs. Use the no form to disable this feature. Syntax [no] ipv6 nd snooping [vlan {vlan-id | vlan-range}] vlan-id - VLAN ID. (Range: 1-4093) vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
■ If an RA message is received in response to the original NS message (indicating a duplicate address) before the dynamic binding timeout period expires, the entry is deleted. Otherwise, when the timeout expires, the entry is dropped if the auto-detection process is not enabled. ■ If the auto-detection process is enabled, the switch periodically sends an NS message to determine if the client still exists.
ipv6 nd snooping auto-detect retransmit count This command sets the number of times the auto-detection process sends an NS message to determine if a dynamic user binding is still valid. Use the no form to restore the default setting. Syntax ipv6 nd snooping auto-detect retransmit count retransmit-times no ipv6 nd snooping auto-detect retransmit count retransmit-times – The number of times to send an NS message to determine if a client still exists.
Command Usage The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count (see the ipv6 nd snooping auto-detect retransmit count command) x the retransmit interval. Based on the default settings, this is 3 seconds.
ipv6 nd snooping max-binding This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default setting. Syntax ipv6 nd snooping max-binding max-bindings no ipv6 nd snooping max-binding max-bindings – The maximum number of address entries in the dynamic user binding table which can be bound to a port.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 nd snooping trust
Console(config-if)#
clear ipv6 nd This command clears all entries in the dynamic user address binding table.
Command Mode Privileged Exec Example
Console#show ipv6 nd snooping
Global ND Snooping status: enabled
ND Snooping auto-detection: disabled
ND Snooping auto-detection retransmit count: 3
ND Snooping auto-detection retransmit interval: 1 (second)
ND Snooping is configured on the following VLANs: VLAN 1,
Interface Trusted Max-binding
---------- ------- -----------
Eth 1/1    Yes     1
Eth 1/2    No      5
Eth 1/3    No      5
Eth 1/4    No      5
Eth 1/5    No      5
. . .
Prefix       Len Valid-Time Expire VLAN Interface
------------ --- ---------- ------ ---- ---------
2001:b000::  64  2592000    100    1    Eth 1/1
2001::       64  600        34     2    Eth 1/2
Console#
– 891 –
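The binding lifecycle that the ND snooping description, the auto-detection commands and the trust/max-binding commands above describe can be followed more easily as a small state machine. The model below is an added example written for this page; it is not the switch firmware, and the class and method names (NdSnooper, on_ns, on_na, tick) are hypothetical. It takes the defaults the page gives (retransmit count 3, retransmit interval 1 second, max-binding 5 per port) and assumes a constructed one-second DAD window, which the page does not specify.

```python
"""Model of the ND snooping dynamic-binding lifecycle (added example, not switch code).

A DAD Neighbor Solicitation from a host on an untrusted port creates a
tentative binding.  A Neighbor Advertisement during the DAD window means
another node owns the address, so the binding is deleted; otherwise it is
bound to the original host.  With auto-detection enabled the switch then
probes the host with NS messages and deletes the binding after
retransmit-count unanswered probes (count x interval, 3 x 1 s by default).
"""
from dataclasses import dataclass


@dataclass
class Binding:
    address: str
    mac: str
    port: str
    vlan: int
    state: str            # "tentative" (DAD window open) or "bound"
    deadline: float       # time the current DAD window or probe interval ends
    probes_sent: int = 0  # unanswered auto-detection probes so far


class NdSnooper:
    def __init__(self, auto_detect=False, retransmit_count=3,
                 retransmit_interval=1.0, dad_window=1.0, max_binding=5):
        self.auto_detect = auto_detect
        self.retransmit_count = retransmit_count        # page default: 3
        self.retransmit_interval = retransmit_interval  # page default: 1 second
        self.dad_window = dad_window                    # constructed value; the page gives none
        self.max_binding = max_binding                  # page default: 5 per port
        self.trusted = set()      # ports configured with "ipv6 nd snooping trust"
        self.bindings = {}        # address -> Binding
        self.probe_log = []       # (time, address) of NS probes the switch would send

    def binding_timeout(self):
        """Seconds an unanswered host survives under auto-detection (count x interval)."""
        return self.retransmit_count * self.retransmit_interval

    def on_ns(self, address, mac, port, vlan, now):
        """DAD NS seen from a host.  Returns True if a tentative binding was created."""
        if port in self.trusted or address in self.bindings:
            return False
        if sum(1 for b in self.bindings.values() if b.port == port) >= self.max_binding:
            return False   # max-binding reached on this port; the new host is not recorded
        self.bindings[address] = Binding(address, mac, port, vlan,
                                         "tentative", now + self.dad_window)
        return True

    def on_na(self, address, now):
        """NA seen for an address: a duplicate while tentative, a liveness answer once bound."""
        b = self.bindings.get(address)
        if b is None:
            return None
        if b.state == "tentative":
            del self.bindings[address]      # another node already owns the address
            return "duplicate"
        b.probes_sent = 0                   # the host answered; restart the probe cycle
        b.deadline = now + self.retransmit_interval
        return "alive"

    def tick(self, now):
        """Run the timers up to `now`; returns the addresses deleted by auto-detection."""
        deleted = []
        for addr, b in list(self.bindings.items()):
            while now >= b.deadline:
                if b.state == "tentative":
                    b.state = "bound"       # DAD window closed without an NA
                    if not self.auto_detect:
                        b.deadline = float("inf")   # kept until cleared by the administrator
                        break
                    # with auto-detection the next loop pass sends the first probe at once
                elif b.probes_sent < self.retransmit_count:
                    self.probe_log.append((now, addr))   # the switch sends its own NS
                    b.probes_sent += 1
                    b.deadline = now + self.retransmit_interval
                else:
                    del self.bindings[addr]              # count x interval passed with no NA
                    deleted.append(addr)
                    break
        return deleted


if __name__ == "__main__":
    s = NdSnooper(auto_detect=True)
    s.on_ns("2001:db8::10", "00-e0-0c-9c-ca-10", "Eth 1/2", 1, 0.0)   # constructed host
    for t in (1.0, 2.0, 3.0, 4.0):
        print(t, s.tick(t), [(b.state, b.probes_sent) for b in s.bindings.values()])
```

With auto-detection on, the binding becomes bound when the DAD window closes, three probes go out one second apart, and the entry is deleted three seconds after the first probe, which is the "count x interval" figure the command usage gives. With auto-detection off, the binding simply stays until cleared.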
50 IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.
Chapter 50 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask next-hop | *} destination-ip – IP address of the destination network, subnetwork, or host. netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | rip | static | summary] connected – Displays all currently connected entries. database – All known routes, including inactive routes. rip – Displays all entries learned through the Routing Information Protocol (RIP). static – Displays all static entries.
* - candidate default
R 10.1.1.0/24 [120/2] via 192.168.1.10, VLAN1, 00:00:14
C 127.0.0.0/8 is directly connected, lo
C 192.168.1.0/24 is directly connected, VLAN1
Console#
show ip route This command displays entries in the Routing Information Base (RIB).
show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
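The route listing above is the natural place to audit what the switch is actually forwarding on. The parser below is an added example for this page, not part of the switch software; the function names are hypothetical and the sample output is constructed to mirror the page's example. It turns each route line into a record and then flags dynamically learned routes whose next hop is not one of the routers the operator expects, a quick check for prefixes injected by an unexpected RIP speaker.

```python
"""Parse `show ip route` output and flag dynamic routes from unexpected next hops.

Added example; not the switch's own code.  The regular expression matches
the line shapes shown in the guide's example output.
"""
import ipaddress
import re

# Route source codes as listed in the switch's own legend
CODES = {"C": "Connected", "S": "Static", "R": "RIP",
         "Rc": "RIP connected", "Rs": "RIP static", "O": "OSPF"}

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2})\*?\s+(?P<prefix>[\d.]+/\d+)\s+"
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>[\d.]+),\s*"
    r"(?P<iface>[^,\s]+),\s*(?P<age>\S+)"
    r"|is directly connected,\s*(?P<ciface>\S+))\s*$")

# Constructed sample modelled on the guide's example output
SAMPLE_OUTPUT = """\
Codes: C - connected, S - static, R - RIP, O - OSPF
       * - candidate default
R    10.1.1.0/24 [120/2] via 192.168.1.10, VLAN1, 00:00:14
C    127.0.0.0/8 is directly connected, lo
C    192.168.1.0/24 is directly connected, VLAN1
"""


def parse_show_ip_route(text):
    """Return one dict per route line; legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        # ip_network validates the prefix and normalises it (e.g. host bits cleared)
        prefix = str(ipaddress.ip_network(m.group("prefix"), strict=False))
        source = CODES.get(m.group("code"), m.group("code"))
        if m.group("ciface"):
            routes.append({"source": source, "prefix": prefix, "distance": 0,
                           "metric": 0, "next_hop": None,
                           "interface": m.group("ciface"), "age": None})
        else:
            routes.append({"source": source, "prefix": prefix,
                           "distance": int(m.group("distance")),
                           "metric": int(m.group("metric")),
                           "next_hop": m.group("nexthop"),
                           "interface": m.group("iface"), "age": m.group("age")})
    return routes


def unexpected_dynamic_routes(routes, trusted_next_hops):
    """Prefixes learned by a routing protocol from a next hop outside the expected set."""
    return [r["prefix"] for r in routes
            if r["next_hop"] is not None
            and r["source"] not in ("Connected", "Static")
            and r["next_hop"] not in trusted_next_hops]


if __name__ == "__main__":
    for r in parse_show_ip_route(SAMPLE_OUTPUT):
        print(r)
    print(unexpected_dynamic_routes(parse_show_ip_route(SAMPLE_OUTPUT), {"192.168.1.1"}))
```

Feeding the output of a scheduled `show ip route` capture through this and comparing the set of RIP-learned prefixes and next hops against a known-good baseline is a cheap way to notice a rogue router advertising into a VLAN where RIP is enabled.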
Chapter 50 | IP Routing Commands Routing Information Protocol (RIP) input errors 5867 output Console# Routing Information Protocol (RIP)
router rip This command enables Routing Information Protocol (RIP) routing for all IP interfaces on the router. Use the no form to disable it. Syntax [no] router rip Command Mode Global Configuration Default Setting Disabled Command Usage ◆ RIP is used to specify how routers exchange routing table information. ◆ This command is also used to enter router configuration mode.
Related Commands ip route (894) redistribute (904) default-metric This command sets the default metric assigned to external routes imported from other protocols. Use the no form to restore the default value. Syntax default-metric metric-value no default-metric metric-value – Metric assigned to external routes.
Related Commands redistribute (904) distance This command defines an administrative distance for external routes learned from other routing protocols. Use the no form to restore the default setting. Syntax [no] distance distance network-address netmask distance - Administrative distance for external routes. External routes are routes for which the best path is learned from a neighbor external to the local RIP autonomous system.
maximum-prefix This command sets the maximum number of RIP routes allowed by the system. Use the no form to restore the default setting. Syntax maximum-prefix maximum-routes no maximum-prefix maximum-routes - The maximum number of RIP routes which can be installed in the routing table.
Example
Console(config-router)#neighbor 10.2.0.254
Console(config-router)#
Related Commands passive-interface (904) network This command specifies the network interfaces that will be included in the RIP routing process. Use the no form to remove an entry. Syntax [no] network {ip-address netmask | vlan vlan-id} ip-address – IP address of a network directly connected to this router. netmask - Network mask for the route.
passive-interface This command stops RIP from sending routing updates on the specified interface. Use the no form to disable this feature. Syntax [no] passive-interface vlan vlan-id vlan-id - VLAN ID.
Command Mode Router Configuration Command Usage ◆ When a metric value has not been configured by the redistribute command, the default-metric command sets the metric value to be used for all imported external routes. ◆ A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics. ◆ It is advisable to use a low metric when redistributing routes from another protocol into RIP.
timers basic This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults. Syntax timers basic update timeout garbage no timers basic update – Sets the update timer to the specified value. (Range: 5-2147483647 seconds) timeout – Sets the timeout timer to the specified value. (Range: 90-360 seconds) garbage – Sets the garbage collection timer to the specified value.
version This command specifies a RIP version used globally by the router. Use the no form to restore the default value. Syntax version {1 | 2} no version 1 - RIP Version 1 2 - RIP Version 2 Default Setting Receive: Accepts RIPv1 or RIPv2 packets Send: Route information is broadcast to other routers with RIPv2.
ip rip authentication mode This command specifies the type of authentication that can be used for RIPv2 packets. Use the no form to restore the default value. Syntax ip rip authentication mode {md5 | text} no ip rip authentication mode md5 - Message Digest 5 (MD5) authentication text - Indicates that a simple password will be used.
ip rip authentication string This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key. Syntax ip rip authentication string key-string no ip rip authentication string key-string - A password used for authentication.
Default Setting RIPv1 and RIPv2 packets Command Mode Interface Configuration (VLAN) Command Usage ◆ Use this command to override the global setting specified by the RIP version command. ◆ You can specify the receive version based on these options: ■ Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2, respectively.
Command Usage Use the no form of this command if it is not required to add any dynamic entries to the routing table for an interface, for example, when only static routes are to be allowed for a specific interface. Example
Console(config)#interface vlan 1
Console(config-if)#ip rip receive-packet
Console(config-if)#
Related Commands ip rip send-packet (912) ip rip send version This command specifies a RIP version to send on an interface.
Example This example sets the interface version for VLAN 1 to send RIPv1 packets.
Console(config)#interface vlan 1
Console(config-if)#ip rip send version 1
Console(config-if)#
Related Commands version (907) ip rip send-packet This command configures the interface to send RIP packets. Use the no form to disable this feature.
Command Mode Interface Configuration (VLAN) Default Setting split-horizon poisoned Command Usage ◆ Split horizon never propagates routes back to an interface from which they have been acquired. ◆ Poison reverse propagates routes back to an interface port from which they have been acquired, but sets the distance-vector metrics to infinity. (This provides faster convergence.
Command Usage Using this command with the “all” parameter clears the RIP table of all routes. To avoid deleting the entire RIP network, use the redistribute connected command to make the RIP network a connected route. To delete the RIP routes learned from neighbors and also keep the RIP network intact, use the “rip” parameter with this command (clear ip rip route rip). Example This example clears one specific route.
Command Mode Privileged Exec Example
Console#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, C - Connected, S - Static, O - OSPF
Network Next Hop Metric From
Rc 192.168.0.
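The difference between the split-horizon and poison-reverse settings above is easiest to see by generating the update a router would send out of one interface under each mode and then applying it on the neighbour. The code below is an added illustration for this page, not the switch's implementation; the function names (rip_update, apply_update) and the three-route topology are constructed. The metric handling follows RFC 2453, where the sender advertises the metric from its own table and the receiver adds the link cost of 1, capping at 16 (infinity).

```python
"""Split horizon and poison reverse on a RIP update (added example, not switch code)."""

INFINITY = 16   # RIP metric meaning "unreachable"


def rip_update(routes, out_iface, mode):
    """Entries (prefix, metric) that RIP sends out of `out_iface`.

    routes: dicts with "prefix", "metric" and "learned_on" (the interface the
            route was learned from, or None for connected/static routes).
    mode:   "none", "split-horizon" or "poisoned" (the switch default).
    """
    entries = []
    for r in routes:
        back_to_source = r["learned_on"] == out_iface
        if back_to_source and mode == "split-horizon":
            continue                                   # never repeat a route to where it came from
        if back_to_source and mode == "poisoned":
            entries.append((r["prefix"], INFINITY))    # repeat it, but as unreachable
        else:
            entries.append((r["prefix"], r["metric"]))
    return entries


def apply_update(table, entries, from_router):
    """Receiver side: merge an update from `from_router` into `table`.

    table: prefix -> {"next_hop": str, "metric": int}; modified in place and returned.
    """
    for prefix, metric in entries:
        new_metric = min(metric + 1, INFINITY)         # add the link cost
        current = table.get(prefix)
        if current is None:
            if new_metric < INFINITY:                  # an unreachable route is never installed
                table[prefix] = {"next_hop": from_router, "metric": new_metric}
        elif current["next_hop"] == from_router:
            # Same next hop: always accept, even a worse or poisoned metric (RFC 2453)
            current["metric"] = new_metric
        elif new_metric < current["metric"]:
            table[prefix] = {"next_hop": from_router, "metric": new_metric}
    return table


# Constructed topology: router A's table; 10.0.1.0/24 was learned from the neighbour on VLAN2
ROUTER_A = [
    {"prefix": "10.0.0.0/24", "metric": 1, "learned_on": None},
    {"prefix": "10.0.1.0/24", "metric": 2, "learned_on": "VLAN2"},
    {"prefix": "10.0.2.0/24", "metric": 3, "learned_on": "VLAN3"},
]


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poisoned"):
        update = rip_update(ROUTER_A, "VLAN2", mode)
        # Neighbour B on VLAN2 has just lost 10.0.1.0/24 and starts with an empty table
        print(mode, update, apply_update({}, update, "A"))
```

With no protection, B learns 10.0.1.0/24 back from A at metric 3 and the two routers count up towards 16 until the route ages out; split horizon leaves B without the route, and poison reverse tells B explicitly that the path through A is unreachable, which also overwrites any entry B still holds via A instead of letting it linger until the timeout timer expires.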
Section III Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 919 ◆ “License Information” on page 921
A Troubleshooting Problems Accessing the Management Interface
Table 182: Troubleshooting Chart
Symptom: Cannot connect using Telnet, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
Symptom: Cannot connect using Secure Shell
Appendix A | Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
B License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
ICMP Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices. IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information.
IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork. IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
MIB Management Information Base. A set of database objects that contains information about a specific device. MRD Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links. QinQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. QoS Quality of Service.
SSH Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. STA Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
Index of CLI Commands aaa accounting commands 238 aaa accounting dot1x 239 aaa accounting exec 240 aaa accounting update 241 aaa authorization exec 242 aaa group server 243 absolute 173 access-list arp 393 access-list ip 372 access-list ipv6 379 access-list mac 386 accounting commands 244 accounting dot1x 244 accounting exec 245 alias 401 arp 851 arp timeout 852 authentication enable 228 authentication login 229 authorization exec 245 auto-traffic-control 469 auto-traffic-control action 469 auto-traffic-co
databits 138 default-information originate 899 default-metric 900 delete 129 delete public-key 258 description 625 description 403 dir 130 disable 98 discard 403 disconnect 145 distance 901 dos-protection echo-chargen 361 dos-protection smurf 361 dos-protection tcp-flooding 362 dos-protection tcp-null-scan 362 dos-protection tcp-syn-fin-scan 363 dos-protection tcp-udp-port-zero 363 dos-protection tcp-xmas-scan 364 dos-protection udp-flooding 364 dos-protection win-nuke 365 dot1q-tunne
ip dhcp snooping information option encode no-subtype 320 ip dhcp snooping information option remote-id 321 ip dhcp snooping information option tr101 board-id 322 ip dhcp snooping information policy 322 ip dhcp snooping limit rate 323 ip dhcp snooping trust 326 ip dhcp snooping verify mac-address 323 ip dhcp snooping vlan 324 ip domain-list 821 ip domain-lookup 822 ip domain-name 823 ip host 824 ip http port 247 ip http secure-port 248 ip http secure-server 249 ip http server 248 ip i
ipv6 mld snooping vlan static 686 ipv6 mtu 864 ipv6 multicast-data-drop 695 ipv6 nd dad attempts 876 ipv6 nd ns-interval 878 ipv6 nd raguard 879 ipv6 nd reachable-time 880 ipv6 nd snooping 884 ipv6 nd snooping auto-detect 885 ipv6 nd snooping auto-detect retransmit count 886 ipv6 nd snooping auto-detect retransmit interval 886 ipv6 nd snooping max-binding 888 ipv6 nd snooping prefix timeout 887 ipv6 nd snooping trust 888 ipv6 source-guard 348 ipv6 source-guard binding 346 ipv6 source-
mvr robustness-value 704 mvr source-port-mode dynamic 705 mvr type 708 mvr upstream-source-ip 706 mvr vlan 706 mvr vlan group 709 mvr6 associated-profile 722 mvr6 domain 723 mvr6 immediate-leave 729 mvr6 priority 723 mvr6 profile 724 mvr6 proxy-query-interval 725 mvr6 proxy-switching 725 mvr6 robustness-value 727 mvr6 source-port-mode dynamic 727 mvr6 type 730 mvr6 upstream-source-ip 728 mvr6 vlan 729 mvr6 vlan group 731 name 512 negotiation 407 neighbor 902 network 903 network-access
revision 513 ring-port 549 rmon alarm 210 rmon collection history 212 rmon collection rmon1 213 rmon event 211 router rip 899 rpl neighbor 550 rpl owner 550 rspan destination 457 rspan remote vlan 458 rspan source 456 server 243 service-policy 639 set cos 636 set ip dscp 637 set phb 638 sflow owner 217 sflow polling instance 219 sflow sampling instance 220 show access-group 396 show access-list 396 show access-list arp 395 show access-list tcam-utilization 112 show accounting 246 show
show ipv6 default-gateway 865 show ipv6 dhcp duid 836 show ipv6 dhcp relay destination 840 show ipv6 dhcp snooping 337 show ipv6 dhcp snooping binding 338 show ipv6 dhcp snooping statistics 338 show ipv6 dhcp vlan 836 show ipv6 interface 866 show ipv6 mld filter 696 show ipv6 mld profile 696 show ipv6 mld query-drop 697 show ipv6 mld snooping group 688 show ipv6 mld snooping group source-list 688 show ipv6 mld snooping mrouter 689 show ipv6 mld throttle interface 697 show ipv6 mld sno
show system 117 show tacacs-server 237 show tech-support 119 show time-range 175 show traffic-segmentation 370 show udld 490 show upgrade 135 show users 119 show version 120 show vlan 578 show vlan-translation 592 show voice vlan 606 show watchdog 121 show web-auth 314 show web-auth interface 315 show web-auth summary 315 shutdown 407 silent-time 143 snmp-server 187 snmp-server community 187 snmp-server contact 188 snmp-server enable traps ethernet cfm cc 789 snmp-server enable traps
tacacs-server port 236 tacacs-server retransmit 236 tacacs-server timeout 237 terminal 146 test cable-diagnostics 426 timeout login response 145 time-range 172 timers basic 906 traceroute 849 traceroute6 874 traffic-segmentation 366 traffic-segmentation session 367 traffic-segmentation uplink/downlink 368 traffic-segmentation uplink-to-uplink 369 transceiver-monitor 418 transceiver-threshold current 419 transceiver-threshold rx-power 420 transceiver-threshold temperature 421 transceiv
Index Numerics 802.1Q tunnel 579 access 581 CVID to SVID map 582 ethernet type 584 interface configuration 581–584 mode selection 581 status, configuring 580 TPID 584 uplink 581 802.1X authenticator, configuring 265–270 global settings 263–264 port authentication 262, 264 port authentication accounting 244 supplicant, configuring 271–274 A AAA accounting 802.
shut down port on receipt 514 bridge extension capabilities, displaying 567 broadcast storm, threshold 463 C cable diagnostics 426 CDP discard 403 CFM continuity check errors 791, 792 continuity check messages 541, 767, 787, 788 cross-check errors 789, 793, 795 cross-check message 767, 793, 795, 796 cross-check start delay 793 delay measure 806 domain service access point 774 fault isolation 767, 799 fault notification 767, 802, 803, 804 fault notification generator 803, 805 fault verification 767 l
relay service, address 839, 840 relay service, enabling 839 DHCPv6 snooping 329 enabling 330 global configuration 330 remote id policy, option 37 333 remote ID, option 37 332 specifying trusted interfaces 335 VLAN configuration 334 DiffServ 623 binding policy to interface 639 class map 624, 628 class map, description 625 classifying QoS traffic 626 color aware, srTCM 631 color aware, trTCM 634 color blind, srTCM 631 color blind, trTCM 634 committed burst size 630, 631, 634 committed information rate 6
accounting 245 authorization 242 F fault isolation, CFM 767, 799 fault notification generator, CFM 803, 805 fault notification, CFM 767, 802, 803, 804 fault verification, CFM 767 FIB, description 895 firmware displaying version 120 upgrading 126 upgrading automatically 132 upgrading with FTP or TFP 132 version, displaying 120 firmware upgrade, for stack 55 forwarding information base See FIB G gateway, IPv4 default 846 gateway, IPv6 default 856 general security measures 289 GNU license 921 GVRP ena
IPv4 address BOOTP/DHCP 833, 844 dynamic configuration 59 manual configuration 56 setting 56, 844 IPv6 displaying neighbors 881 duplicate address detection 876 enabling 863 hop-limit, advertisements 876 MTU 864 neighbor reachable time 880 neighbor solicitation interval 878 router advertisements, blocking 879 IPv6 address dynamic configuration (global unicast) 858 dynamic configuration (link-local) 60, 863 EUI format 860 EUI-64 setting 860 explicit configuration 863 global unicast 857 link-local 859 m
M MAC address authentication 295 ports, configuring 295, 304 reauthentication 298 MAC address, mirroring 451 maintenance association, CFM 767, 776, 782 maintenance domain, CFM 767, 773, 782 maintenance end point, CFM 774, 778, 783 maintenance intermediate point, CFM 773, 774, 776, 783 maintenance level, CFM 773 maintenance point, CFM 767, 783 management access, filtering per address 277 management access, IP filter 277 matching class settings, classifying QoS traffic 626 media-type 406 memory status
static binding 724, 731 static binding, group to port 731 statistics, displaying 738 using immediate leave 729 N ND snooping automatic validation 885–886 enabling 884 max bindings 888 trusted interface 888 Neighbor Discovery Snooping See ND snooping network access authentication 295 dynamic QoS assignment 298 dynamic VLAN assignment 299 MAC address filter 297 port configuration 304 reauthentication 298 secure MAC information 308, 309 NTP authentication keys, specifying 163 client, enabling 164 specif
proxy query interval, IGMP snooping 658 proxy query response interval, IGMP snooping 659 proxy reporting, IGMP snooping 646 public key 253 PVID, port native VLAN 576 PVST discard 403 Q QoS 623 configuration guidelines 624 configuring 623 CoS/CFI to PHB/drop precedence 614 DSCP to PHB/drop precedence 616 dynamic assignment 298 matching class settings 626 PHB to queue 617 selecting DSCP, CoS 618 QoS policy committed burst size 630, 631, 634 excess burst size 631 peak burst size 634 srTCM 631 srTCM pol
polling period 219 sampling period 220 timeout 217 version 218 SMTP event handling 155 sending log events 155 SNMP 185 community string 187 enabling traps 190 enabling traps, mac-address changes 194 filtering IP addresses 277 global settings, configuring 187–199 mac address traps 190, 194 trap manager 192 traps, CFM 789, 793 SNMPv3 195–197 engine ID 195 engine identifier, local 195 engine identifier, remote 195 groups 196 local users, configuring 197 remote users, configuring 197 user configuration 19
logon authentication 234 settings 234 TCN flood 648 general query solicitation 650 Telnet configuring 250 server, enabling 252 terminal, configuration settings 146 TFTP retry count 135 timeout 136 time range, ACL 172 time zone, setting 170 time, setting 158 TPID 584 traffic segmentation 366 assigning ports 368 enabling 366 sessions, assigning ports 368 sessions, creating 367 transceiver thresholds displaying 425 trap manager 64, 192 troubleshooting 919 trTCM police meter 634 QoS policy 634 trunk conf
E092020-CS-R03 150200000989A