USER GUIDE GTL-2691 20 GE + 4 GE Combo SFP + 2 10G Slots L3 Managed Stackable Switch User Manual V1.
USER MANUAL GTL-2691 MANAGED 24-PORT L3 STACKABLE GE SWITCH Layer 3 Stackable Gigabit Ethernet Switch with 20 10/100/1000BASE-T (RJ-45) Ports, 4 Gigabit Combination Ports (RJ-45/SFP), 2 10-Gigabit Extender Module Slots, and 2 Stacking Ports GTL-2691 E042013/ST-R01
ABOUT THIS GUIDE PURPOSE This guide gives specific information on how to operate and use the management functions of the switch. AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
REVISION HISTORY This section summarizes the changes in each revision of this guide. APRIL 2013 RELEASE This is the first version of this guide. This guide is valid for software release v1.4.2.0.
CONTENTS ABOUT THIS GUIDE 3 CONTENTS 5 FIGURES 47 TABLES 61 SECTION I GETTING STARTED 69 1 INTRODUCTION 71 Key Features 71 Description of Software Features 72 System Defaults 79 2 INITIAL SWITCH CONFIGURATION 83 Connecting to the Switch 83 Configuration Options 83 Required Connections 84 Remote Connections 85 Stack Operations 86 Selecting the Stack Master 86 Selecting the Backup Unit 87 Recovering from Stack Failure or Topology Change 87 Renumbering the Stack 88 Ensur
SECTION II WEB CONFIGURATION 103 3 USING THE WEB INTERFACE 105 Connecting to the Web Interface 105 Navigating the Web Browser Interface 106 Home Page 106 Configuration Options 107 Panel Display 107 Main Menu 108 4 BASIC MANAGEMENT TASKS 129 Displaying System Information 129 Displaying Switch Hardware/Software Versions 131 Configuring Support for Jumbo Frames 132 Displaying Bridge Extension Capabilities 133 Managing System Files 135 Copying Files via FTP/TFTP or HTTP 1
Displaying Connection Status 165 Configuring Port Mirroring 166 Showing Port or Trunk Statistics 168 Performing Cable Diagnostics 172 Trunk Configuration 174 Configuring a Static Trunk 175 Configuring a Dynamic Trunk 178 Displaying LACP Port Counters 183 Displaying LACP Settings and Status for the Local Side 184 Displaying LACP Settings and Status for the Remote Side 186 Configuring Load Balancing 187 Sampling Traffic Flows Configuring sFlow Parameters Traffic Segmentation 1
7 ADDRESS TABLE SETTINGS 233 Configuring MAC Address Learning 233 Setting Static Addresses 235 Changing the Aging Time 236 Displaying the Dynamic Address Table 237 Clearing the Dynamic Address Table 238 8 SPANNING TREE ALGORITHM 241 Overview 241 Configuring Loopback Detection 243 Configuring Global Settings for STA 245 Displaying Global Settings for STA 250 Configuring Interface Settings for STA 251 Displaying Interface Settings for STA 255 Configuring Multiple Spanning T
12 VOIP TRAFFIC CONFIGURATION 303 Overview 303 Configuring VoIP Traffic 303 Configuring Telephony OUI 305 Configuring VoIP Traffic Ports 306 13 SECURITY MEASURES 309 AAA Authorization and Accounting 310 Configuring Local/Remote Logon Authentication 311 Configuring Remote Logon Authentication Servers 312 Configuring AAA Accounting 317 Configuring AAA Authorization 322 Configuring User Accounts 325 Web Authentication 327 Configuring Global Settings for Web Authentication 3
Configuring a MAC ACL 365 Configuring an ARP ACL 367 Binding a Port to an Access Control List 369 ARP Inspection 370 Configuring Global Settings for ARP Inspection 371 Configuring VLAN Settings for ARP Inspection 373 Configuring Interface Settings for ARP Inspection 375 Displaying ARP Inspection Statistics 376 Displaying the ARP Inspection Log 377 Filtering IP Addresses for Management Access 378 Configuring Port Security 380 Configuring 802.
Simple Network Management Protocol 426 Configuring Global Settings for SNMP 428 Setting the Local Engine ID 429 Specifying a Remote Engine ID 430 Setting SNMPv3 Views 432 Configuring SNMPv3 Groups 435 Setting Community Access Strings 439 Configuring Local SNMPv3 Users 440 Configuring Remote SNMPv3 Users 442 Specifying Trap Managers 445 Creating SNMP Notification Logs 449 Showing SNMP Statistics 451 Remote Monitoring 453 Configuring RMON Alarms 454 Configuring RMON Event
Displaying Fault Notification Settings 508 Displaying Continuity Check Errors 509 15 MULTICAST FILTERING 511 Overview 511 IGMP Protocol 512 Layer 2 IGMP (Snooping and Query) 513 Configuring IGMP Snooping and Query Parameters 515 Specifying Static Interfaces for a Multicast Router 519 Assigning Interfaces to Multicast Services 521 Setting IGMP Snooping Status per Interface 522 Filtering IGMP Query Packets and Multicast Data 527 Displaying Multicast Groups Discovered by IGMP Sn
16 IP CONFIGURATION 573 Setting the Switch’s IP Address (IP Version 4) 573 Sending DHCP Inform Requests for Additional Information 577 Setting the Switch’s IP Address (IP Version 6) 578 Configuring the IPv6 Default Gateway 579 Configuring IPv6 Interface Settings 579 Configuring an IPv6 Address 582 Showing IPv6 Addresses 585 Showing the IPv6 Neighbor Cache 587 Showing IPv6 Statistics 588 Showing the MTU for Responding Destinations 594 17 IP SERVICES 595 Domain Name Service
Configuring IP Routing Interfaces 624 Configuring Local and Remote Interfaces 624 Using the Ping Function 625 Using the Trace Route Function 626 Address Resolution Protocol 627 Basic ARP Configuration 628 Configuring Static ARP Addresses 630 Displaying Dynamic or Local ARP Entries 632 Displaying ARP Statistics 633 Configuring Static Routes 633 Displaying the Routing Table 635 Equal-cost Multipath Routing 637 19 CONFIGURING ROUTER REDUNDANCY 639 Configuring VRRP Groups 64
Configuring Stub Settings 682 Displaying Information on NSSA and Stub Areas 684 Configuring Area Ranges (Route Summarization for ABRs) 685 Redistributing External Routes 687 Configuring Summary Addresses (for External AS Routes) 689 Configuring OSPF Interfaces 691 Configuring Virtual Links 697 Displaying Link State Database Information 700 Displaying Information on Neighboring Routers 702 21 MULTICAST ROUTING 705 Overview 705 Configuring Global Settings for Multicast Routing
SECTION III COMMAND LINE INTERFACE 745 22 USING THE COMMAND LINE INTERFACE 747 Accessing the CLI 747 Console Connection 747 Telnet Connection 748 Entering Commands 749 Keywords and Arguments 749 Minimum Abbreviation 749 Command Completion 749 Getting Help on Commands 750 Partial Keyword Lookup 751 Negating the Effect of Commands 752 Using Command History 752 Understanding Command Modes 752 Exec Commands 752 Configuration Commands 753 Command Line Processing 755 C
System Status 769 show access-list tcam-utilization 769 show memory 770 show process cpu 770 show running-config 771 show startup-config 772 show system 773 show tech-support 774 show users 775 show version 775 Frame Size 776 jumbo frame 776 Fan Control 777 fan-speed force-full 777 File Management 778 General Commands 779 boot system 779 copy 780 delete 783 dir 784 whichboot 785 Automatic Code Upgrade Commands 785 upgrade opcode auto 785 upgrade opcode p
stopbits 796 timeout login response 796 disconnect 797 show line 797 Event Logging 798 logging facility 799 logging history 799 logging host 800 logging on 801 logging trap 801 clear log 802 show log 803 show logging 803 SMTP Alerts 805 logging sendmail 805 logging sendmail host 805 logging sendmail level 806 logging sendmail destination-email 807 logging sendmail source-email 807 show logging sendmail 808 Time 808 SNTP Commands 809 sntp client 809 sntp
Time Range 817 time-range 818 absolute 818 periodic 819 show time-range 820 Switch Clustering 820 cluster 821 cluster commander 822 cluster ip-pool 823 cluster member 823 rcommand 824 show cluster 824 show cluster members 825 show cluster candidates 825 25 SNMP COMMANDS 827 General SNMP Commands 829 snmp-server 829 snmp-server community 829 snmp-server contact 830 snmp-server location 830 show snmp 831 SNMP Target Host Commands 832 snmp-server enable tra
show nlm oper-status 845 show snmp notify-filter 845 Additional Trap Commands 845 memory 845 process cpu 846 26 REMOTE MONITORING COMMANDS 847 rmon alarm 848 rmon event 849 rmon collection history 850 rmon collection rmon1 851 show rmon alarms 852 show rmon events 852 show rmon history 852 show rmon statistics 853 27 FLOW SAMPLING COMMANDS 855 sflow 855 sflow destination 856 sflow max-datagram-size 857 sflow max-header-size 857 sflow owner 858 sflow polling-
radius-server key 870 radius-server retransmit 871 radius-server timeout 871 show radius-server 872 TACACS+ Client 872 tacacs-server host 873 tacacs-server key 873 tacacs-server port 874 tacacs-server retransmit 874 tacacs-server timeout 875 show tacacs-server 875 AAA 876 aaa accounting dot1x 876 aaa accounting exec 877 aaa accounting update 878 aaa authorization exec 879 aaa group server 880 server 880 accounting dot1x 881 accounting exec 881 authorization e
ip ssh timeout 894 delete public-key 894 ip ssh crypto host-key generate 895 ip ssh crypto zeroize 896 ip ssh save host-key 896 show ip ssh 897 show public-key 897 show ssh 898 802.
pppoe intermediate-agent vendor-tag strip 917 clear pppoe intermediate-agent statistics 917 show pppoe intermediate-agent info 918 show pppoe intermediate-agent statistics 918 29 GENERAL SECURITY MEASURES 921 Port Security 922 mac-learning 922 port security 923 show port security 925 Network Access (MAC Address Authentication) 927 network-access aging 928 network-access mac-filter 928 mac-authentication reauth-time 929 network-access dynamic-qos 930 network-access dynamic
web-auth re-authenticate (IP) 944 show web-auth 945 show web-auth interface 945 show web-auth summary 946 DHCP Snooping 946 ip dhcp snooping 947 ip dhcp snooping database flash 949 ip dhcp snooping information option 949 ip dhcp snooping information policy 950 ip dhcp snooping verify mac-address 951 ip dhcp snooping vlan 952 ip dhcp snooping trust 952 clear ip dhcp snooping binding 953 clear ip dhcp snooping database flash 954 show ip dhcp snooping 954 show ip dhcp sn
Denial of Service Protection 969 dos-protection land 969 dos-protection tcp-scan 970 show dos-protection 970 30 ACCESS CONTROL LISTS 973 IPv4 ACLs 973 access-list ip 974 permit, deny (Standard IP ACL) 975 permit, deny (Extended IPv4 ACL) 976 ip access-group 978 show ip access-group 979 show ip access-list 979 IPv6 ACLs 980 access-list ipv6 980 permit, deny (Standard IPv6 ACL) 981 permit, deny (Extended IPv6 ACL) 982 show ipv6 access-list 984 ipv6 access-group 985
capabilities 999 description 1000 flowcontrol 1001 media-type 1002 negotiation 1002 shutdown 1003 speed-duplex 1004 switchport mtu 1005 switchport packet-rate 1006 clear counters 1007 show interfaces brief 1008 show interfaces counters 1008 show interfaces status 1010 show interfaces switchport 1011 show interfaces transceiver 1013 Cable Diagnostics 1014 test cable-diagnostics dsp 1014 test loop internal 1015 show cable-diagnostics dsp 1015 show loop internal
show port monitor 1030 RSPAN Mirroring Commands 1031 rspan source 1033 rspan destination 1034 rspan remote vlan 1035 no rspan session 1036 show rspan 1036 34 RATE LIMIT COMMANDS 1039 rate-limit 1039 35 AUTOMATIC TRAFFIC CONTROL COMMANDS 1041 Threshold Commands 1044 auto-traffic-control apply-timer 1044 auto-traffic-control release-timer 1044 auto-traffic-control 1045 auto-traffic-control action 1046 auto-traffic-control alarm-clear-threshold 1047 auto-traffic-control alar
show mac-address-table aging-time 1058 show mac-address-table count 1059 37 SPANNING TREE COMMANDS 1061 spanning-tree 1062 spanning-tree forward-time 1063 spanning-tree hello-time 1063 spanning-tree max-age 1064 spanning-tree mode 1065 spanning-tree pathcost method 1066 spanning-tree priority 1067 spanning-tree mst configuration 1067 spanning-tree system-bpdu-flooding 1068 spanning-tree transmission-limit 1068 max-hops 1069 mst priority 1070 mst vlan 1070 name 1071
show spanning-tree 1086 show spanning-tree mst configuration 1088 38 ERPS COMMANDS 1089 erps 1091 erps domain 1091 control-vlan 1092 enable 1093 guard-timer 1093 holdoff-timer 1094 major-domain 1095 meg-level 1095 mep-monitor 1096 node-id 1097 non-erps-dev-protect 1098 propagate-tc 1099 ring-port 1100 rpl owner 1101 wtr-timer 1101 clear erps statistics 1102 show erps 1102 show erps statistics 1105 39 VLAN COMMANDS 1107 GVRP and Bridge Extension Commands
switchport allowed vlan 1117 switchport ingress-filtering 1118 switchport mode 1119 switchport native vlan 1120 vlan-trunking 1120 Displaying VLAN Information 1122 show vlan 1122 Configuring IEEE 802.
show mac-vlan 1147 Configuring Voice VLANs 1147 voice vlan 1148 voice vlan aging 1149 voice vlan mac-address 1149 switchport voice vlan 1150 switchport voice vlan priority 1151 switchport voice vlan rule 1152 switchport voice vlan security 1152 show voice vlan 1153 40 CLASS OF SERVICE COMMANDS 1155 Priority Commands (Layer 2) 1155 queue cos-map 1156 queue mode 1157 queue weight 1158 switchport priority default 1159 show queue cos-map 1160 show queue mode 1160 sh
police flow 1175 police srtcm-color 1176 police trtcm-color 1179 set 1181 service-policy 1182 show class-map 1183 show policy-map 1183 show policy-map interface 1184 42 MULTICAST FILTERING COMMANDS 1185 IGMP Snooping 1186 ip igmp snooping 1187 ip igmp snooping proxy-reporting 1188 ip igmp snooping querier 1188 ip igmp snooping router-alert-option-check 1189 ip igmp snooping router-port-expire-time 1190 ip igmp snooping tcn-flood 1190 ip igmp snooping tcn-query-solicit
IGMP Filtering and Throttling 1208 ip igmp filter (Global Configuration) 1208 ip igmp profile 1209 permit, deny 1210 range 1210 ip igmp filter (Interface Configuration) 1211 ip igmp max-groups 1211 ip igmp max-groups action 1212 ip igmp query-drop 1213 ip multicast-data-drop 1213 show ip igmp filter 1214 show ip igmp profile 1214 show ip igmp query-drop 1215 show ip igmp throttle interface 1216 show ip multicast-data-drop 1216 MLD Snooping 1217 ipv6 mld snooping 12
mvr proxy-query-interval 1230 mvr proxy-switching 1231 mvr robustness-value 1232 mvr source-port-mode dynamic 1233 mvr upstream-source-ip 1233 mvr vlan 1234 mvr immediate-leave 1235 mvr type 1236 mvr vlan group 1237 show mvr 1238 show mvr associated-profile 1239 show mvr interface 1239 show mvr members 1240 show mvr profile 1242 show mvr statistics 1242 MVR for IPv6 1245 mvr6 associated-profile 1246 mvr6 domain 1246 mvr6 profile 1247 mvr6 proxy-query-interval
ip igmp last-member-query-interval 1262 ip igmp max-resp-interval 1263 ip igmp query-interval 1264 ip igmp robustval 1264 ip igmp static-group 1265 ip igmp version 1266 clear ip igmp group 1267 show ip igmp groups 1267 show ip igmp interface 1270 IGMP Proxy Routing 1270 ip igmp proxy 1271 ip igmp proxy unsolicited-report-interval 1272 MLD (Layer 3) 1273 ipv6 mld 1273 ipv6 mld last-member-query-response-interval 1274 ipv6 mld max-resp-interval 1275 ipv6 mld query-int
lldp basic-tlv port-description 1292 lldp basic-tlv system-capabilities 1293 lldp basic-tlv system-description 1293 lldp basic-tlv system-name 1294 lldp dot1-tlv proto-ident 1294 lldp dot1-tlv proto-vid 1295 lldp dot1-tlv pvid 1295 lldp dot1-tlv vlan-name 1296 lldp dot3-tlv link-agg 1296 lldp dot3-tlv mac-phy 1297 lldp dot3-tlv max-frame 1297 lldp med-location civic-addr 1298 lldp med-notification 1299 lldp med-tlv inventory 1300 lldp med-tlv location 1301 lldp med-tl
show ethernet cfm md 1323 show ethernet cfm ma 1324 show ethernet cfm maintenance-points local 1325 show ethernet cfm maintenance-points local detail mep 1326 show ethernet cfm maintenance-points remote detail 1327 Continuity Check Operations 1329 ethernet cfm cc ma interval 1329 ethernet cfm cc enable 1330 snmp-server enable traps ethernet cfm cc 1331 mep archive-hold-time 1332 clear ethernet cfm maintenance-points remote 1332 clear ethernet cfm errors 1333 show ethernet c
45 DOMAIN NAME SERVICE COMMANDS 1351 ip domain-list 1351 ip domain-lookup 1352 ip domain-name 1353 ip host 1354 ip name-server 1355 ipv6 host 1356 clear dns cache 1356 clear host 1357 show dns 1357 show dns cache 1358 show hosts 1358 46 DHCP COMMANDS 1361 DHCP Client 1361 ip dhcp client class-id 1361 ip dhcp inform 1363 ip dhcp restart client 1364 DHCP Relay 1365 DHCP Relay for IPv4 1365 ip dhcp relay server 1365 ip dhcp restart relay 1366 DHCP Relay for I
netbios-name-server 1376 netbios-node-type 1377 network 1377 next-server 1378 clear ip dhcp binding 1379 show ip dhcp binding 1379 show ip dhcp 1380 47 VRRP COMMANDS 1381 vrrp authentication 1382 vrrp ip 1382 vrrp preempt 1383 vrrp priority 1384 vrrp timers advertise 1385 clear vrrp interface counters 1386 clear vrrp router counters 1386 show vrrp 1386 show vrrp interface 1388 show vrrp interface counters 1389 show vrrp router counters 1390 48 IP INTERFACE COM
ip helper 1404 ip helper-address 1405 show ip helper 1406 IPv6 Interface 1407 Interface Address Configuration and Utilities 1408 ipv6 default-gateway 1408 ipv6 address 1409 ipv6 address eui-64 1411 ipv6 address link-local 1413 ipv6 enable 1414 ipv6 mtu 1415 show ipv6 interface 1416 show ipv6 mtu 1418 show ipv6 traffic 1419 clear ipv6 traffic 1423 ping6 1423 traceroute6 1425 Neighbor Discovery 1426 ipv6 hop-limit 1426 ipv6 neighbor 1426 ipv6 nd dad attempts
tunnel source vlan 1444 tunnel ttl 1445 show ipv6 tunnel 1445 49 IP ROUTING COMMANDS 1447 Global Routing Configuration 1447 IPv4 Commands 1448 ip route 1448 maximum-paths 1449 show ip host-route 1450 show ip route 1450 show ip route database 1451 show ip route summary 1452 show ip traffic 1452 IPv6 Commands 1454 ipv6 route 1454 show ipv6 route 1455 Routing Information Protocol (RIP) 1457 router rip 1458 default-information originate 1458 default-metric 1459 dist
show ip protocols rip 1473 show ip rip 1473 Open Shortest Path First (OSPFv2) 1474 General Configuration 1476 router ospf 1476 compatible rfc1583 1476 default-information originate 1477 router-id 1479 timers spf 1480 clear ip ospf process 1480 Route Metrics and Summaries 1481 area default-cost 1481 area range 1482 auto-cost reference-bandwidth 1483 default-metric 1484 redistribute 1485 summary-address 1486 Area Configuration 1487 area nssa 1487 area stub 1489
show ip ospf database 1505 show ip ospf interface 1511 show ip ospf neighbor 1512 show ip ospf route 1513 show ip ospf virtual-links 1514 show ip protocols ospf 1515 Open Shortest Path First (OSPFv3) 1516 General Configuration 1517 router ipv6 ospf 1517 abr-type 1518 max-current-dd 1520 router-id 1520 timers spf 1521 Route Metrics and Summaries 1522 area default-cost 1522 area range 1523 default-metric 1524 redistribute 1524 Area Configuration 1525 area stub 15
show ipv6 ospf route 1541 show ipv6 ospf virtual-links 1542 50 MULTICAST ROUTING COMMANDS 1545 General Multicast Routing 1545 IPv4 Commands 1545 ip multicast-routing 1545 show ip mroute 1546 IPv6 Commands 1548 ipv6 multicast-routing 1548 show ipv6 mroute 1549 Static Multicast Routing 1551 ip igmp snooping vlan mrouter 1551 show ip igmp snooping mrouter 1552 PIM Multicast Routing 1553 IPv4 PIM Commands 1553 Shared Mode Commands 1554 router pim 1554 ip pim 1555 ip p
ip pim rp-candidate 1568 ip pim spt-threshold 1570 ip pim dr-priority 1571 ip pim join-prune-interval 1572 clear ip pim bsr rp-set 1573 show ip pim bsr-router 1573 show ip pim rp mapping 1574 show ip pim rp-hash 1575 IPv6 PIM Commands 1575 PIM6 Shared Mode Commands 1577 router pim6 1577 ipv6 pim 1577 ipv6 pim hello-holdtime 1579 ipv6 pim hello-interval 1579 ipv6 pim join-prune-holdtime 1580 ipv6 pim lan-prune-delay 1580 ipv6 pim override-interval 1581 ipv6 pim propa
show ipv6 pim rp mapping 1597 show ipv6 pim rp-hash 1598 SECTION IV APPENDICES 1599 A SOFTWARE SPECIFICATIONS 1601 Software Features 1601 Management Features 1603 Standards 1603 Management Information Bases 1604 B TROUBLESHOOTING 1607 Problems Accessing the Management Interface 1607 Using System Logs 1608 C LICENSE INFORMATION 1609 The GNU General Public License 1609 GLOSSARY 1613 COMMAND LIST 1621 INDEX 1631
FIGURES Figure 1: Home Page 106 Figure 2: Front Panel Indicators 107 Figure 3: System Information 130 Figure 4: General Switch Information 132 Figure 5: Configuring Support for Jumbo Frames 133 Figure 6: Displaying Bridge Extension Configuration 134 Figure 7: Copy Firmware 136 Figure 8: Saving the Running Configuration 137 Figure 9: Setting Start-Up Files 138 Figure 10: Displaying System Files 139 Figure 11: Configuring Automatic Code Upgrade 143 Figure 12: Manually Setting the System
Figure 32: Displaying Port Information 166 Figure 33: Configuring Local Port Mirroring 166 Figure 34: Configuring Local Port Mirroring 167 Figure 35: Displaying Local Port Mirror Sessions 168 Figure 36: Showing Port Statistics (Table) 171 Figure 37: Showing Port Statistics (Chart) 172 Figure 38: Performing Cable Tests 174 Figure 39: Configuring Static Trunks 175 Figure 40: Creating Static Trunks 176 Figure 41: Adding Static Trunks Members 177 Figure 42: Configuring Connection Pa
Figure 68: Configuring Static VLAN Members by Interface Range 207 Figure 69: Configuring Global Status of GVRP 208 Figure 70: Configuring GVRP for an Interface 209 Figure 71: Showing Dynamic VLANs Registered on the Switch 209 Figure 72: Showing the Members of a Dynamic VLAN 210 Figure 73: Configuring Private VLANs 211 Figure 74: Showing Private VLANs 212 Figure 75: Associating Private VLANs 213 Figure 76: Showing Associated VLANs 213 Figure 77: Configuring Interfaces for Private V
Figure 104: Displaying Global Settings for STA 251 Figure 105: Configuring Interface Settings for STA 255 Figure 106: STA Port Roles 257 Figure 107: Displaying Interface Settings for STA 257 Figure 108: Creating an MST Instance 259 Figure 109: Displaying MST Instances 259 Figure 110: Modifying the Priority for an MST Instance 260 Figure 111: Displaying Global Settings for an MST Instance 260 Figure 112: Adding a VLAN to an MST Instance 261 Figure 113: Displaying Members of an MST
Figure 140: Configuring a Voice VLAN 304 Figure 141: Configuring an OUI Telephony List 306 Figure 142: Showing an OUI Telephony List 306 Figure 143: Configuring Port Settings for a Voice VLAN 308 Figure 144: Configuring the Authentication Sequence 312 Figure 145: Authentication Server Operation 312 Figure 146: Configuring Remote Authentication Server (RADIUS) 315 Figure 147: Configuring Remote Authentication Server (TACACS+) 316 Figure 148: Configuring AAA Server Groups 316 Figure
Figure 176: Copying the SSH User’s Public Key 350 Figure 177: Showing the SSH User’s Public Key 350 Figure 178: Setting the Name of a Time Range 353 Figure 179: Showing a List of Time Ranges 353 Figure 180: Add a Rule to a Time Range 354 Figure 181: Showing the Rules Configured for a Time Range 354 Figure 182: Showing TCAM Utilization 355 Figure 183: Creating an ACL 357 Figure 184: Showing a List of ACLs 357 Figure 185: Configuring a Standard IPv4 ACL 358 Figure 186: Configuring
Figure 212: Displaying the Binding Table for DHCP Snooping 403 Figure 213: Configuring Settings for System Memory Logs 407 Figure 214: Showing Error Messages Logged to System Memory 407 Figure 215: Configuring Settings for Remote Logging of Error Messages 409 Figure 216: Configuring SMTP Alert Messages 410 Figure 217: Configuring LLDP Timing Attributes 412 Figure 218: Configuring LLDP Interface Attributes 416 Figure 219: Displaying Local Device Information for LLDP (General) 418 Fig
Figure 248: Configuring an RMON Alarm 456 Figure 249: Showing Configured RMON Alarms 456 Figure 250: Configuring an RMON Event 458 Figure 251: Showing Configured RMON Events 459 Figure 252: Configuring an RMON History Sample 460 Figure 253: Showing Configured RMON History Samples 461 Figure 254: Showing Collected RMON History Samples 461 Figure 255: Configuring an RMON Statistical Sample 463 Figure 256: Showing Configured RMON Statistical Samples 463 Figure 257: Showing Collected
Figure 284: Showing Information on Remote MEPs 504 Figure 285: Showing Detailed Information on Remote MEPs 506 Figure 286: Showing the Link Trace Cache 508 Figure 287: Showing Settings for the Fault Notification Generator 509 Figure 288: Showing Continuity Check Errors 510 Figure 289: Multicast Filtering Concept 511 Figure 290: IGMP Protocol 513 Figure 291: Configuring General Settings for IGMP Snooping 518 Figure 292: Configuring a Static Interface for a Multicast Router 519 Figu
Figure 320: Configuring IGMP Proxy Routing 549 Figure 321: Configuring IGMP Interface Settings 552 Figure 322: Configuring Static IGMP Groups 553 Figure 323: Showing Static IGMP Groups 554 Figure 324: Displaying Multicast Groups Learned from IGMP (Information) 556 Figure 325: Displaying Multicast Groups Learned from IGMP (Detail) 556 Figure 326: MVR Concept 557 Figure 327: Configuring Domain Settings for MVR 559 Figure 328: Configuring an MVR Group Address Profile 560 Figure 329:
Figure 356: Showing the List of Name Servers for DNS 599 Figure 357: Configuring Static Entries in the DNS Table 600 Figure 358: Showing Static Entries in the DNS Table 600 Figure 359: Showing Entries in the DNS Cache 601 Figure 360: Specifying A DHCP Client Identifier 602 Figure 361: Layer 3 DHCP Relay Service 603 Figure 362: Configuring DHCP Relay Service 604 Figure 363: DHCP Server 604 Figure 364: Enabling the DHCP Server 605 Figure 365: Configuring Excluded Addresses on the DH
Figure 392: Setting the Maximum ECMP Number 638 Figure 393: Master Virtual Router with Backup Routers 639 Figure 394: Several Virtual Master Routers Using Backup Routers 639 Figure 395: Several Virtual Master Routers Configured for Mutual Backup and Load Sharing 640 Figure 396: Configuring the VRRP Group ID 644 Figure 397: Showing Configured VRRP Groups 644 Figure 398: Setting the Virtual Router Address for a VRRP Group 645 Figure 399: Showing the Virtual Addresses Assigned to VRRP Gr
Figure 428: Showing General Settings for OSPF 677 Figure 429: Adding an NSSA or Stub 678 Figure 430: Showing NSSAs or Stubs 679 Figure 431: OSPF NSSA 679 Figure 432: Configuring Protocol Settings for an NSSA 682 Figure 433: OSPF Stub Area 682 Figure 434: Configuring Protocol Settings for a Stub 684 Figure 435: Displaying Information on NSSA and Stub Areas 685 Figure 436: Route Summarization for ABRs 685 Figure 437: Configuring Route Summaries for an Area Range 686 Figure 438:
Figure 464: Configuring a Static Rendezvous Point 723 Figure 465: Showing Static Rendezvous Points 723 Figure 466: Configuring an RP Candidate 725 Figure 467: Showing Settings for an RP Candidate 725 Figure 468: Showing Information About the BSR 727 Figure 469: Showing RP Mapping 728 Figure 470: Enabling PIMv6 Multicast Routing 728 Figure 471: Configuring PIMv6 Interface Settings (Dense Mode) 733 Figure 472: Configuring PIMv6 Interface Settings (Sparse Mode) 734 Figure 473: Showin
TABLES Table 1: Key Features 71 Table 2: System Defaults 79 Table 3: Options 60, 66 and 67 Statements 96 Table 4: Options 55 and 124 Statements 96 Table 5: Web Page Configuration Buttons 107 Table 6: Switch Main Menu 108 Table 7: Port Statistics 168 Table 8: LACP Port Counters 183 Table 9: LACP Internal Configuration Information 184 Table 10: LACP Internal Configuration Information 186 Table 11: Traffic Segmentation Forwarding 193 Table 12: Recommended STA Path Cost Range 252 Table
Table 32: Show IPv6 Neighbors - display description 587 Table 33: Show IPv6 Statistics - display description 589 Table 34: Show MTU - display description 594 Table 35: Address Resolution Protocol 628 Table 36: ARP Statistics 633 Table 37: VRRP Group Statistics 647 Table 38: OSPF System Information 676 Table 39: General Command Modes 752 Table 40: Configuration Command Modes 754 Table 41: Keystroke Commands 755 Table 42: Command Group Index 756 Table 43: General Commands 759 Ta
Table 68: User Access Commands 864 Table 69: Default Login Settings 865 Table 70: Authentication Sequence Commands 866 Table 71: RADIUS Client Commands 868 Table 72: TACACS+ Client Commands 872 Table 73: AAA Commands 876 Table 74: Web Server Commands 883 Table 75: HTTPS System Support 886 Table 76: Telnet Server Commands 887 Table 77: Secure Shell Commands 889 Table 78: show ssh - display description 898 Table 79: 802.
Table 104: show lacp neighbors - display description 1027 Table 105: show lacp sysid - display description 1028 Table 106: Port Mirroring Commands 1029 Table 107: Mirror Port Commands 1029 Table 108: RSPAN Commands 1031 Table 109: Rate Limit Commands 1039 Table 110: ATC Commands 1041 Table 111: Address Table Commands 1055 Table 112: Spanning Tree Commands 1061 Table 113: Recommended STA Path Cost Range 1074 Table 114: Default STA Path Costs 1075 Table 115: ERPS Commands 1089
Table 140: IGMP Snooping Commands 1186 Table 141: show ip igmp snooping statistics input - display description 1204 Table 142: show ip igmp snooping statistics output - display description 1204 Table 143: show ip igmp snooping statistics vlan query - display description 1205 Table 144: Static Multicast Interface Commands 1206 Table 145: IGMP Filtering and Throttling Commands 1208 Table 146: MLD Snooping Commands 1217 Table 147: Multicast VLAN Registration Commands 1227 Table 148: sho
Table 176: MEP Defect Descriptions 1346 Table 177: show fault-notify-generator - display description 1348 Table 178: Address Table Commands 1351 Table 179: show dns cache - display description 1358 Table 180: show hosts - display description 1359 Table 181: DHCP Commands 1361 Table 182: DHCP Client Commands 1361 Table 183: Options 60, 66 and 67 Statements 1362 Table 184: Options 55 and 124 Statements 1362 Table 185: DHCP Relay Commands 1365 Table 186: DHCP Server Commands 1368
Table 212: show ip ospf database summary - display description 1510 Table 213: show ip ospf interface - display description 1511 Table 214: show ip ospf neighbor - display description 1513 Table 215: show ip ospf virtual-links - display description 1514 Table 216: show ip protocols ospf - display description 1515 Table 217: Open Shortest Path First Commands (Version 3) 1516 Table 218: show ip ospf - display description 1537 Table 219: show ip ospf database - display description 1539
SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 INTRODUCTION This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
CHAPTER 1 | Introduction Description of Software Features
Table 1: Key Features (Continued)
Feature Description
Address Table Up to 16K MAC addresses in the forwarding table, 1024 static MAC addresses; Up to 8K IPv4 and 4K IPv6 entries in the host table; 8K entries in the ARP cache, 256 static ARP entries; 8K IPv4 and 4K IPv6 entries in the IP routing table, 512 static IP routes, 512 IP interfaces; 1024 L2 multicast groups
IP Version 4 and 6 Supports IPv4 and IPv6 addressing, and management
IEEE 802.
CONFIGURATION BACKUP AND RESTORE You can save the current configuration settings to a file on the management station (using the web interface) or an FTP/TFTP server (using the web or console interface), and later download this file to restore the switch configuration settings. AUTHENTICATION This switch authenticates management access via the console port, Telnet, or a web browser.
RATE LIMITING: This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the configured rate are dropped.
PORT MIRRORING: The switch can unobtrusively mirror traffic from any port to a monitor port.
This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 2 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
SPANNING TREE ALGORITHM: The switch supports these spanning tree protocols:
◆ Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection.
◆ Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.
◆ Provide data security by restricting all traffic to the originating VLAN, except where a connection is explicitly defined via the switch's routing service.
ETHERNET RING PROTECTION SWITCHING: ERPS can also be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN). ERPS technology converges in a little over 50 ms. ERPS supports up to 255 nodes in the ring structure, and the convergence time is independent of the number of nodes in the ring.
IP ROUTING: The switch provides Layer 3 IP routing.
ADDRESS RESOLUTION PROTOCOL: The switch uses ARP and Proxy ARP to convert between IP addresses and MAC (hardware) addresses. This switch supports conventional ARP, which locates the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next. Either static or dynamic entries can be configured in the ARP cache.
SYSTEM DEFAULTS
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch to its defaults, set this file as the startup configuration file. The following table lists some of the basic system defaults.
Table 2: System Defaults (Continued)
Port Configuration: Admin Status - Enabled; Auto-negotiation - Enabled; Flow Control - Disabled
Port Trunking: Static Trunks - None; LACP (all ports) - Disabled
Congestion Control: Rate Limiting - Disabled; Storm Control - Broadcast: Enabled (500 packets/sec), Multicast: Disabled, Unknown Unicast: Disabled
Address Table: Aging Time - 300 seconds
Spanning Tree Algorithm: Status - Enabled, RSTP (Defaults: RST
Table 2: System Defaults (Continued)
IP Settings: Management VLAN - Any VLAN configured with an IP address; IP Address - 192.168.1.1; Default Gateway - 0.0.0.
2 INITIAL SWITCH CONFIGURATION
This chapter includes information on connecting to the switch and basic configuration procedures.
CONNECTING TO THE SWITCH
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
NOTE: An IPv4 address for this switch is obtained via DHCP by default.
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4093 IEEE 802.
3. Make sure the terminal emulation software is set as follows:
■ Select the appropriate serial port (COM port 1 or COM port 2).
■ Set the baud rate to 115200 bps.
■ Set the data format to 8 data bits, 1 stop bit, and no parity.
■ Set flow control to none.
■ Set the emulation mode to VT100.
■ When using HyperTerminal, select Terminal keys, not Windows keys.
STACK OPERATIONS
Up to eight switches can be stacked together as described in the Installation Guide. One unit in the stack acts as the Master for configuration tasks and firmware upgrade. All of the other units function in Slave mode, but can automatically take over management of the stack if the Master unit fails.
SELECTING THE BACKUP UNIT
Once the Master unit finishes booting up, it continues to synchronize configuration information to all of the Slave units in the stack. If the Master unit fails or is powered off, a new master unit will be selected based on the election rules described in the preceding section. The backup unit elected to serve as the new stack Master will take control of the stack without any loss of configuration settings.
other units within this VLAN interface, then this IP address will no longer be available. To retain a constant IP address for management access across fail-over events, you should include port members on several units within the primary VLAN used for stack management.
RESILIENT CONFIGURATION
If a unit in the stack fails, the unit numbers will not change.
running a different image version. For information on downloading firmware, see “Managing System Files” on page 123.
BASIC CONFIGURATION
CONSOLE CONNECTION
The CLI program provides two different command levels: normal access level (Normal Exec) and privileged access level (Privileged Exec).
4. Type “username admin password 0 password” for the Privileged Exec level, where password is your new password. The “0” indicates that the password that follows is entered in plain text. Press Enter.
Username: admin
Password:
CLI session with the GTL-2691 is opened.
To end the CLI session, enter [Exit].
◆ Default gateway for the network
To assign an IPv4 address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press Enter.
3.
example, followed by the “link-local” command parameter. Then press Enter.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-local address: FE80::260:3EFF:FE11:6700/64
Global unicast address(es):
Joined group address(es):
FF01::1/16
FF02::1/16
FF02::1:FF11:6700/104
IPv6 link MTU is 1500 bytes.
3. Type “exit” to return to the global configuration mode prompt. Press Enter.
4. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway” is the IPv6 address of the default gateway. Press Enter.
To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2. At the interface-configuration mode prompt, use one of the following commands:
■ To obtain IP settings via DHCP, type “ip address dhcp” and press Enter.
2. Type “ipv6 enable” and press Enter.
Console(config)#interface vlan 1
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-local address: FE80::200:E8FF:FE90:0/64
Global unicast address(es):
Joined group address(es):
FF01::1/16
FF02::1/16
FF02::1:FF90:0/104
IPv6 link MTU is 1500 bytes.
ND DAD is enabled, number of DAD attempts: 1.
◆ If the switch does not receive a DHCP response before completing the bootup process, it will continue to send a DHCP client request once a minute. These requests are only terminated if the switch’s address is manually configured, and resume if the address mode is set back to DHCP.
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.
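The dhcpd.conf fragment above hands the switch a TFTP server (option 66) and a boot file name (option 67) inside an ordinary DHCP offer. The following Python is an added example, not code from the switch or this manual: it builds a constructed DHCPOFFER carrying those two options plus the router option, and parses the option field back out with the length checks a receiver needs. The addresses and the file name gtl2691.cfg are assumptions. Because DHCP offers are not authenticated, any host that can answer DHCP on the management VLAN can set these options; the DHCP snooping feature described later in this manual is the control that limits which ports may send such offers.

```python
"""Encode and parse the DHCP options a provisioning server hands the switch.

Added example; this is not the switch's or the manual's own code. The
DHCPOFFER below is constructed here, not captured from a real server.
"""
from typing import Dict, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_MSG_TYPE = 3, 53
OPT_TFTP_SERVER_NAME, OPT_BOOTFILE_NAME = 66, 67   # codes 66/67 from the dhcpd.conf fragment
DHCP_OFFER = 2


def ipv4(dotted: str) -> bytes:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    return bytes(octets)


def encode_options(options: Dict[int, bytes]) -> bytes:
    """TLV-encode options in the RFC 2132 code/length/value form, then END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options.items():
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"option {code} cannot be encoded")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_offer(server_ip: str, router: str, tftp: str, bootfile: str) -> bytes:
    """Minimal DHCPOFFER: 236-byte fixed header, then the option field.
    Only the fields the parser looks at are filled in."""
    hdr = bytearray(236)
    hdr[0] = 2                       # op = BOOTREPLY
    hdr[1], hdr[2] = 1, 6            # htype Ethernet, hlen 6
    hdr[20:24] = ipv4(server_ip)     # siaddr, the "next server" address
    return bytes(hdr) + encode_options({
        OPT_MSG_TYPE: bytes([DHCP_OFFER]),
        OPT_ROUTER: ipv4(router),
        OPT_TFTP_SERVER_NAME: tftp.encode("ascii"),
        OPT_BOOTFILE_NAME: bootfile.encode("ascii"),
    })


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the option field with length checks, so a truncated or malformed
    packet raises instead of being read past its end."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but the packet ends early")
        opts[code] = value           # a repeated code overwrites the earlier value
        i += 2 + length
    raise ValueError("option field has no END marker")


def provisioning_target(packet: bytes) -> Tuple[str, str]:
    """(tftp-server, bootfile) that the switch would try to fetch its configuration from."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        raise ValueError("not a DHCPOFFER")
    tftp = opts.get(OPT_TFTP_SERVER_NAME, b"").decode("ascii")
    bootfile = opts.get(OPT_BOOTFILE_NAME, b"").decode("ascii")
    # Option 67 names a file on the TFTP server; a parent-directory component is never legitimate.
    if ".." in bootfile.split("/"):
        raise ValueError("bootfile name contains a parent-directory component")
    return tftp, bootfile


if __name__ == "__main__":
    # Constructed sample; the addresses are assumptions in the style of the dhcpd.conf fragment above.
    offer = build_offer("192.168.255.101", "192.168.255.101", "192.168.255.101", "gtl2691.cfg")
    print(provisioning_target(offer))
```

Run it against a real offer captured with tcpdump on the management VLAN (skip the Ethernet/IP/UDP headers first) to see exactly which server and file a switch booting in DHCP mode would trust.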
◆ private - with read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. Note that SNMPv1/v2c send the community string in clear text in every message, so a changed string is only a weak control; where your management platform supports it, use SNMPv3 with authentication and privacy instead.
To configure a community string, complete the following steps:
1.
CONFIGURING ACCESS FOR SNMP VERSION 3 CLIENTS
To configure management access for SNMPv3 clients, you first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to that group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
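When an SNMPv3 user is created with an authentication password, the agent does not store or use the password directly: the User-based Security Model (RFC 3414) hashes it into a key and then localizes that key with the agent's own snmpEngineID, which is why the same password produces a different key on every switch and why the remote engine ID must be known when configuring SNMPv3 users for a remote device. The Python below is an added example, not the switch's code; it assumes the switch implements standard USM and uses the test vector from RFC 3414 Appendix A (password "maplesyrup", engine ID 00...02) so the result can be checked.

```python
"""RFC 3414 USM password-to-key and key localization (SNMPv3 authentication).

Added example, not code from the switch or the manual. It assumes the agent
implements standard USM, so the keys the switch derives from a user's password
are the ones computed here. Test vector from RFC 3414 Appendix A.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: hash of the password repeated (and truncated) to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    h = hashlib.new(hash_name)
    h.update(stream)
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 bytes")
    h = hashlib.new(hash_name)
    h.update(ku + engine_id + ku)
    return h.digest()


def localized_auth_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """What the agent actually keeps for a user: the password never leaves the operator's hands."""
    return localize_key(password_to_key(password.encode(), hash_name), engine_id, hash_name)


def auth_mac(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-96: first 12 bytes of HMAC(Kul, wholeMsg), carried in msgAuthenticationParameters."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 Appendix A example engine ID
    print(localized_auth_key("maplesyrup", engine).hex())  # 526f5eed9fcce26f8964c2930787d82b
    # The same password on a second engine yields an unrelated key:
    print(localized_auth_key("maplesyrup", bytes.fromhex("000000000000000000000003")).hex())
```

The practical consequence: a localized key captured from one switch cannot be replayed against another, but the password it was derived from can still be brute-forced offline from captured authenticated traffic, so SNMPv3 passwords need the same strength as any other credential.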
◆ Diagnostic Code – Software that is run during system boot-up, also known as POST (Power On Self-Test).
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files.
To restore configuration settings from a backup server, enter the following commands:
1. From the Privileged Exec mode prompt, type “copy tftp startup-config” and press Enter.
2. Enter the address of the TFTP server. Press Enter.
3. Enter the name of the startup file stored on the server. Press Enter.
4. Enter the name for the startup file on the switch. Press Enter.
Console#copy tftp startup-config
TFTP server IP address: 192.168.0.
SECTION II WEB CONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
◆ "Multicast Routing" on page 705
3 USING THE WEB INTERFACE This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (such as Internet Explorer 5.0 or above, or Mozilla Firefox 2.0 or above). NOTE: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
forwarding (i.e., enable Admin Edge Port) to improve the switch’s response time to management commands issued through the web interface. See "Configuring Interface Settings for STA" on page 251.
NAVIGATING THE WEB BROWSER INTERFACE
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics.
CONFIGURATION OPTIONS
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 5: Web Page Configuration Buttons
Apply: Sets specified values to the system.
MAIN MENU
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 6: Switch Main Menu (Continued)
Configure by Port Range: Configures connection settings for a range of ports (164)
Show Information: Displays port connection status (165)
Add: Sets the source and target ports for mirroring (166)
Show: Shows the configured mirror sessions (166)
Statistics: Shows Interface, Etherlike, RMON and Utilization port statistics (168)
Chart: Shows Interface, Etherlike, RMON and U
Statistics: Shows Interface, Etherlike, RMON and Utilization trunk statistics (168)
Chart: Shows Interface, Etherlike, RMON and Utilization trunk statistics (168)
Load Balance: Sets the load-distribution method among ports in aggregated links (187)
sFlow: Configures flow sampling for source and destination ports (189)
Configure Global: Enables traffic segmentation globally
Add: Creates a protocol group, specifying supported protocols (224)
Show: Shows configured protocol groups (224)
Add: Maps a protocol group to a VLAN (226)
Show: Shows the protocol groups mapped to each VLAN (226)
Add: Maps IP subnet traffic to a VLAN (228)
Show: Shows IP subnet to VLAN mapping (228)
Add: Maps traffic with specified source MAC address to a VLAN (230)
Show
Modify: Modifies priority for an MST instance (258)
Add Member: Adds VLAN members for an MST instance (258)
Show Member: Displays or deletes VLAN members for an MST instance (258)
Show Information: Displays MSTP values used for the bridge (258)
Configure: Configures interface settings for an MST instance (262)
Show Information: Displays interface settings for an MST instance
VoIP: Voice over IP (303)
Configure Global: Configures auto-detection of VoIP traffic, sets the Voice VLAN, and VLAN aging time (303)
Configure OUI (305)
Add: Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer (305)
Show: Shows the OUI telephony list (305)
Configures VoIP traffic settings for ports, including the way in which a port is a
User Accounts (325)
Add: Configures user names, passwords, and access levels (325)
Show: Shows authorized users (325)
Modify: Modifies user attributes (325)
Allows stations to authenticate and access the network in situations where 802.
Add Rule (352)
Absolute: Sets exact time or time range (352)
Periodic: Sets a recurrent time (352)
Show Rule: Shows the time specified by a rule (352)
Configure ACL (356)
Show TCAM: Shows utilization parameters for TCAM (355)
Add: Adds an ACL based on IP or MAC address filtering (356)
Show: Shows the name and type of configured ACLs (356)
Add Rule: Configures packet filter
Administration (405)
Log (405)
System (405)
Configure Global: Stores error messages in local memory (405)
Show System Logs: Shows logged error messages (405)
Remote: Configures the logging of messages to a remote logging process (408)
SMTP: Sends an SMTP client message to a participating server (409)
Link Layer Discovery Protocol (410)
Configure Global: Configures global L
Show Community: Shows community strings and access mode (439)
Add SNMPv3 Local User: Configures SNMPv3 users on this switch (440)
Show SNMPv3 Local User: Shows SNMPv3 users configured on this switch (440)
Change SNMPv3 Local User Group: Assigns a local user to a new group (440)
Add SNMPv3 Remote User: Configures SNMPv3 users from a remote device (442)
Show SNMPv3 Remote Us
Configure Details: Configures ring parameters (468)
CFM: Connectivity Fault Management (474)
Configure Global: Configures global settings, including administrative status, cross-check start delay, link trace, and SNMP traps (477)
Configure Interface: Configures administrative status on an interface (481)
Configure MD: Configures Maintenance Domains (481)
Add: Defines a portio
Show Fault Notification Generator: Displays configuration settings for the fault notification generator (508)
Show Continuity Check Error: Displays CFM continuity check errors logged on this device (509)
Add Address: Configures an IP interface for a VLAN (573)
Configure Interface: Submits a DHCP request for additional information from a VLAN interface configured with a sta
Configure Detail: Configures detailed settings, such as advertisement interval, preemption, priority, and authentication (640)
Show Statistics:
Global Statistics: Displays global statistics for VRRP protocol packet errors (646)
Group Statistics: Displays statistics for VRRP protocol events and errors on the specified VRRP group and interface (647)
IPv6 Configuration (578)
Co
Configure Global: Enables DHCP snooping globally, MAC-address verification, information option; and sets the information policy (399)
Configure VLAN: Enables DHCP snooping on a VLAN (400)
Configure Interface: Sets the trust mode for an interface (401)
Show Information: Displays the DHCP Snooping binding information (402)
Server (604)
Configure Global: Enables DHCP service
Show Static Multicast Router: Displays ports statically configured as attached to a neighboring multicast router (519)
Show Current Multicast Router: Displays ports attached to a neighboring multicast router, either through static or dynamic configuration (519)
IGMP Member (521)
Add Static Member: Statically assigns multicast addresses to the selected VLAN (521)
Show Stati
Shows multicast addresses associated with the selected VLAN, either through static or dynamic configuration (543)
Displays known multicast groups, member ports, the means by which each group was learned, and the corresponding source list (545)
Internet Group Management Protocol (546)
Proxy: Configures IGMP proxy service for multicast routing (547)
Interface: Configures La
Show VLAN Statistics: Shows statistics for protocol messages and number of active groups (567)
Show Port Statistics: Shows statistics for protocol messages and number of active groups (567)
Show Trunk Statistics: Shows statistics for protocol messages and number of active groups (567)
Routing Information Protocol (650)
Routing Protocol
RIP General (651)
Configure: Enables
Reset Statistics: Clears statistics for RIP protocol messages (668)
OSPF: Open Shortest Path First (Version 2) (668)
Network Area (670)
Add: Defines OSPF area address, area ID, and process ID (670)
Show: Shows configured areas (670)
Show Process: Shows configured processes (670)
System (673)
Configure: Configures the Router ID, global settings, and default information (673)
S
Virtual Link (697)
Add: Configures a virtual link through a transit area to the backbone (697)
Show: Shows virtual links, neighbor address, and state (697)
Configure Detailed Settings: Configures detailed protocol and authentication settings (697)
Show MD5 Key: Shows the MD5 key ID used for each neighbor (697)
LSDB: Shows information about different OSPF Link State Adverti
Show: Shows the static addresses configured for each RP and the associated multicast groups (738)
RP Candidate (739)
Add: Advertises the switch as an RP candidate to the BSR for the specified multicast groups (739)
Show: Shows the multicast groups for which this switch is advertising itself as an RP candidate to the BSR (739)
Show BSR Router: Displays information about the
4 BASIC MANAGEMENT TASKS
This chapter describes the following topics:
◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Switch Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
PARAMETERS
These parameters are displayed:
◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for the switch’s network management subsystem.
◆ System Up Time – Length of time the management agent has been up.
◆ System Name – Name assigned to the switch system.
◆ System Location – Specifies the system location.
◆ System Contact – Administrator responsible for the system.
DISPLAYING SWITCH HARDWARE/SOFTWARE VERSIONS
Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
CLI REFERENCES
◆ "System Management Commands" on page 767
PARAMETERS
The following parameters are displayed:
Main Board Information
◆ Serial Number – The serial number of the switch.
WEB INTERFACE
To view hardware and software version information:
1. Click System, then Switch.
Figure 4: General Switch Information
CONFIGURING SUPPORT FOR JUMBO FRAMES
Use the System > Capability page to configure support for layer 2 jumbo frames.
PARAMETERS
The following parameters are displayed:
◆ Jumbo Frame – Configures support for jumbo frames. (Default: Disabled)
WEB INTERFACE
To configure support for jumbo frames:
1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.
◆ VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each VLAN maintains its own filtering database.
◆ Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port.
MANAGING SYSTEM FILES
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
COPYING FILES VIA FTP/TFTP OR HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP. By backing up a file to an FTP or TFTP server or management station, that file can later be downloaded to the switch to restore operation. Note that FTP, TFTP and HTTP transfer files without encryption or server authentication, so restrict these transfers to a trusted management network.
NOTE: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
NOTE: The maximum number of user-defined configuration files is limited only by available flash memory space.
NOTE: The file “Factory_Default_Config.cfg” can be copied to a file server or management station, but cannot be used as the destination file name on the switch.
WEB INTERFACE
To copy firmware files:
1.
SAVING THE RUNNING CONFIGURATION TO A LOCAL FILE
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted. You must save these settings to the current startup file, or to another file which can subsequently be set as the startup file.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
SETTING THE START-UP FILE
Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
CLI REFERENCES
◆ "whichboot" on page 785
◆ "boot system" on page 779
WEB INTERFACE
To set a file to use for system initialization:
1. Click System, then File.
2.
WEB INTERFACE
To show the system files:
1. Click System, then File.
2. Select Show from the Action list.
3. To delete a file, mark it in the File List and click Delete.
Figure 10: Displaying System Files
AUTOMATIC OPERATION CODE UPGRADE
Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. Because the image is fetched over TFTP or FTP, which authenticate neither the server nor the file, enable this feature only with a file server on a management network you control.
indicated here). Enter the file name for other switches described in this manual exactly as shown on the web interface.
◆ The FTP connection is made with PASV mode enabled. PASV mode is needed to traverse some firewalls, even if FTP traffic is not blocked. PASV mode cannot be disabled.
◆ The switch-based search function is case-insensitive in that it will accept a file name in upper or lower case (i.e., the switch will accept GTL-2691.
PARAMETERS
The following parameters are displayed:
◆ Automatic Opcode Upgrade – Enables the switch to search for an upgraded operation code file during the switch bootup process. (Default: Disabled)
◆ Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The GTL-2691.
Examples
The following examples demonstrate the URL syntax for a TFTP server at IP address 192.168.0.1 with the operation code image stored in various locations:
■ tftp://192.168.0.1/ – The image file is in the TFTP root directory.
■ tftp://192.168.0.1/switch-opcode/ – The image file is in the “switch-opcode” directory, relative to the TFTP root.
■ tftp://192.168.0.
Figure 11: Configuring Automatic Code Upgrade
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.0; new version 1.1.1.
PARAMETERS
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
◆ Hours – Sets the hour. (Range: 0-23; Default: 0)
◆ Minutes – Sets the minute value. (Range: 0-59; Default: 0)
◆ Seconds – Sets the second value. (Range: 0-59; Default: 0)
◆ Month – Sets the month. (Range: 1-12; Default: 1)
◆ Day – Sets the day of the month. (Range: 1-31; Default: 1)
◆ Year – Sets the year.
SETTING THE SNTP POLLING INTERVAL
Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the time servers.
CLI REFERENCES
◆ "Time" on page 808
PARAMETERS
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
◆ SNTP Polling Interval – Sets the interval between sending requests for a time update from a time server.
CONFIGURING NTP
Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
CLI REFERENCES
◆ "Time" on page 808
PARAMETERS
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
CONFIGURING TIME SERVERS
Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
SPECIFYING SNTP TIME SERVERS
Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
SPECIFYING NTP TIME SERVERS
Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers.
CLI REFERENCES
◆ "ntp server" on page 814
PARAMETERS
The following parameters are displayed:
◆ NTP Server IP Address – Adds the IPv4 or IPv6 address for up to 50 time servers.
To show the list of configured NTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.
Figure 17: Showing the NTP Time Server List
SPECIFYING NTP AUTHENTICATION KEYS
Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
Figure 18: Adding an NTP Authentication Key
To show the list of configured NTP authentication keys:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Authentication Key from the Action list.
Figure 19: Showing the NTP Authentication Key List
SETTING THE TIME ZONE
Use the System > Time (Configure Time Server) page to set the time zone.
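An NTP authentication key entered on the page above is a shared secret that the time server and the switch both hold; with it, every NTP packet carries a key identifier and a message digest, and a reply whose digest does not verify is discarded rather than used to set the clock. The Python below is an added example and not the switch's code: it implements the symmetric-key scheme of RFC 5905 section 7.3 (keyid followed by MD5 over key and packet) for a constructed client request, and shows the checks a receiver applies. It assumes the switch uses this standard MD5 scheme; the key id, key string and timestamps are made up for the example.

```python
"""NTP symmetric-key authentication (RFC 5905 section 7.3): appending and
checking the keyid + MD5 MAC that an NTP server and client share.

Added example, not code from the switch or the manual. It assumes the switch
uses the standard MD5 scheme when an NTP authentication key is configured;
the key and the packet below are constructed here, not captured.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                  # key identifier + MD5 digest


def build_client_packet(transmit_seconds: int = 0) -> bytes:
    """Unauthenticated 48-byte NTPv4 client request (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    head = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)   # stratum, poll, precision
    body = bytes(36)   # root delay/dispersion, reference id, reference/origin/receive timestamps
    return head + body + struct.pack("!II", transmit_seconds, 0)   # transmit timestamp at offset 40


def ntp_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """keyid || MD5(key || packet). The digest covers the header and any
    extension fields, never the MAC itself."""
    if not 1 <= key_id <= 0xFFFFFFFF:
        raise ValueError("key id must be a non-zero 32-bit value")
    if len(packet) < NTP_HEADER_LEN or len(packet) % 4:
        raise ValueError("packet must be the 48-byte header plus 4-byte-aligned extensions")
    digest = hashlib.md5(key + packet).digest()
    return struct.pack("!I", key_id) + digest


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    return packet + ntp_mac(key_id, key, packet)


def verify(message: bytes, keys: dict) -> bool:
    """Check a received message against the trusted key table {key_id: key}.
    No MAC, an unknown or zero key id, or a bad digest all fail, so a server
    that simply omits authentication is not silently accepted."""
    if len(message) < NTP_HEADER_LEN + MAC_LEN:
        return False
    body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id == 0:                  # keyid 0 is the crypto-NAK form, never a valid MAC
        return False
    key = keys.get(key_id)
    if key is None:
        return False
    expected = ntp_mac(key_id, key, body)
    return hmac.compare_digest(expected, mac)   # constant-time comparison


if __name__ == "__main__":
    keys = {1: b"switch-ntp-secret"}   # constructed; the value entered on the Add NTP Authentication Key page
    msg = sign(build_client_packet(0x12345678), 1, keys[1])
    print(len(msg), verify(msg, keys))   # 68 True
```

The key table must be identical on the server and on the switch (same key id, same key string), and only the keys marked trusted should be accepted. The MD5 construction is what NTP servers commonly deploy; it prevents an on-path attacker without the key from forging or altering time replies, but it does not hide the packet contents.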
◆ Minutes (0-59) – The number of minutes before/after UTC. WEB INTERFACE To set your local time zone: 1. Click System, then Time. 2. Select Configure Time Zone from the Action list. 3. Set the offset for your time zone relative to UTC in hours and minutes. 4. Click Apply. Figure 20: Setting the Time Zone CONSOLE PORT SETTINGS Use the System > Console menu to configure connection parameters for the switch’s console port.
◆ Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 60-65535 seconds; Default: 600 seconds) ◆ Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts.
Figure 21: Console Port Settings TELNET SETTINGS Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, timeouts, and a password. Note that the password is only configurable through the CLI.
◆ Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 60-65535 seconds; Default: 600 seconds) ◆ Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts.
DISPLAYING CPU UTILIZATION Use the System > CPU Utilization page to display information on CPU utilization. CLI REFERENCES ◆ "show process cpu" on page 770 PARAMETERS The following parameters are displayed: ◆ Time Interval – The interval at which to update the displayed utilization rate. (Options: 1, 5, 10, 30, 60 seconds; Default: 1 second) ◆ CPU Utilization – CPU utilization over the specified interval.
DISPLAYING MEMORY UTILIZATION Use the System > Memory Status page to display memory utilization parameters. CLI REFERENCES ◆ "show memory" on page 770 PARAMETERS The following parameters are displayed: ◆ Free Size – The amount of memory currently free for use. ◆ Used Size – The amount of memory allocated to active processes. ◆ Total – The total amount of system memory. WEB INTERFACE To display memory utilization: 1.
Master unit is taken as the top of the stack and is numbered as unit 1, and all other units are numbered sequentially down through the ring. WEB INTERFACE To renumber the units in the stack: 1. Click System, then Renumber. 2. Click OK when the confirmation message appears.
PARAMETERS The following parameters are displayed: System Reload Information ◆ Reload Settings – Displays information on the next scheduled reload and selected reload mode as shown in the following example: “The switch will be rebooted at March 9 12:00:00 2012. Remaining Time: 0 days, 2 hours, 46 minutes, 5 seconds. Reloading switch regularly time: 12:00 everyday.” ◆ Refresh – Refreshes reload information.
■ Weekly - Day of the week at which to reload. (Range: Sunday ... Saturday) ■ Monthly - Day of the month at which to reload. (Range: 1-31) WEB INTERFACE To restart the switch: 1. Click System, then Reset. 2. Select the required reset mode. 3. For any option other than to reset immediately, fill in the required parameters. 4. Click Apply. 5. When prompted, confirm that you want to reset the switch.
Figure 27: Restarting the Switch (In) Figure 28: Restarting the Switch (At) Figure 29: Restarting the Switch (Regularly)
5 INTERFACE CONFIGURATION This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control. ◆ Port Mirroring – Sets the source and target ports for mirroring on the local switch. ◆ Displaying Statistics – Shows Interface, Etherlike, and RMON port statistics in table or chart form. ◆ Cable Test – Performs cable diagnostics on the specified port.
◆ When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities. To set the speed, duplex mode, or flow control under auto-negotiation, the required operation modes must be specified in the capabilities list for an interface. ◆ The 1000BASE-T and 10GBASE-T standards do not support forced mode.
◆ Name – Allows you to label an interface. (Range: 1-64 characters) ◆ Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also disable an interface for security reasons. ◆ Media Type – Configures the forced/preferred port type to use for the combination ports.
◆ Speed/Duplex – Allows you to manually set the port speed and duplex mode (i.e., with auto-negotiation disabled). ◆ Flow Control – Allows automatic or manual selection of flow control. ◆ MTU Size – The maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit or 10 Gigabit Ethernet port or trunk. (Range: 1500-9216 bytes; Default: 1518 bytes) WEB INTERFACE To configure port connection parameters: 1.
WEB INTERFACE To configure port connection parameters: 1. Click Interface, Port, General. 2. Select Configure by Port Range from the Action List. 3. Enter the range of ports to which your configuration changes apply. 4. Modify the required interface settings. 5. Click Apply.
◆ Media Type – Media type used. (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto) ◆ Autonegotiation – Shows if auto-negotiation is enabled or disabled. ◆ Oper Speed Duplex – Shows the current speed and duplex mode. ◆ Oper Flow Control – Shows if flow control is enabled or disabled.
COMMAND USAGE ◆ Traffic can be mirrored from one or more source ports to one destination port on the same switch. ◆ Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port. ◆ When mirroring port traffic, the target port must be included in the same VLAN as the source port when using MSTP (see "Spanning Tree Algorithm" on page 241).
To display the configured mirror sessions: 1. Click Interface, Port, Mirror. 2. Select Show from the Action List. Figure 35: Displaying Local Port Mirror Sessions SHOWING PORT OR TRUNK STATISTICS Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Table 7: Port Statistics (Continued) ◆ Transmitted Errors – The number of outbound packets that could not be transmitted because of errors. ◆ Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Table 7: Port Statistics (Continued) ◆ Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. ◆ Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
WEB INTERFACE To show a list of port statistics: 1. Click Interface, Port, Statistics. 2. Select the statistics mode to display (Interface, Etherlike or RMON). 3. Select a port from the drop-down list. 4. Use the Refresh button at the bottom of the page if you need to update the screen, or the Clear button to reset statistics. Figure 36: Showing Port Statistics (Table) To show a chart of port statistics: 1. Click Interface, Port, Chart. 2.
Figure 37: Showing Port Statistics (Chart) PERFORMING CABLE DIAGNOSTICS Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault. Otherwise, it reports the cable length. It can be used to determine the quality of the cable, connectors, and terminations.
◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length to a fault.
WEB INTERFACE To test the cable attached to a port: 1. Click Interface, Port, Cable Test. 2. Click Test for any port to start the cable test. Figure 38: Performing Cable Tests TRUNK CONFIGURATION This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
COMMAND USAGE Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
However, note that the static trunks on this switch are Cisco EtherChannel compatible. ◆ To avoid creating a loop in the network, be sure you add a static trunk via the configuration interface before connecting the ports, and also disconnect the ports before removing a static trunk via the configuration interface. PARAMETERS These parameters are displayed: ◆ Trunk ID – Trunk identifier. (Range: 1-32) ◆ Member – The initial trunk member.
To add member ports to a static trunk: 1. Click Interface, Trunk, Static. 2. Select Configure Trunk from the Step list. 3. Select Add Member from the Action list. 4. Select a trunk identifier. 5. Set the unit and port for an additional trunk member. 6. Click Apply. Figure 41: Adding Static Trunk Members To configure connection parameters for a static trunk: 1. Click Interface, Trunk, Static. 2. Select Configure General from the Step list. 3.
To display trunk connection parameters: 1. Click Interface, Trunk, Static. 2. Select Configure General from the Step list. 3. Select Show Information from the Action list.
◆ All ports on both ends of an LACP trunk must be configured for full duplex and auto-negotiation. ◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured). However, if the LAG admin key is set, then the port admin key must be set to the same value for a port to be allowed to join that group.
NOTE: Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port. NOTE: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor.
Figure 46: Enabling LACP on a Port To configure LACP parameters for group members: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Configure from the Action list. 4. Click Actor or Partner. 5. Configure the required settings. 6. Click Apply. Figure 47: Configuring LACP Parameters on a Port To show the active members of a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2.
Figure 48: Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Trunk from the Step List. 3. Select Configure from the Action List. 4. Modify the required interface settings. (See "Configuring by Port List" on page 161 for a description of the interface settings.) 5. Click Apply.
Figure 50: Displaying Connection Parameters for Dynamic Trunks DISPLAYING LACP PORT COUNTERS Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
Figure 51: Displaying LACP Port Counters DISPLAYING LACP SETTINGS AND STATUS FOR THE LOCAL SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Table 9: LACP Internal Configuration Information (Continued) Admin State, Oper State (continued) – ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. ◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate. ◆ LACP-Activity – Activity control value with regard to this link.
DISPLAYING LACP SETTINGS AND STATUS FOR THE REMOTE SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Figure 53: Displaying LACP Port Remote Information CONFIGURING LOAD BALANCING Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links. CLI REFERENCES ◆ "port channel load-balance" on page 1018 COMMAND USAGE ◆ This command applies to all static and dynamic trunks on the switch.
■ Source and Destination IP Address: All traffic with the same source and destination IP address is output on the same link in a trunk. This mode works best for switch-to-router trunk links where traffic through the switch is received from and destined for many different hosts. ■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk.
Figure 54: Configuring Load Balancing SAMPLING TRAFFIC FLOWS The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.
CONFIGURING SFLOW PARAMETERS Use the Interface > sFlow page to set the source and destination parameters for the sampled data, payload parameters, and sampling interval. CLI REFERENCES ◆ "Flow Sampling Commands" on page 855 PARAMETERS These parameters are displayed: ◆ Port – Choose the port to configure. (Range: 1-26; Default: 1) ◆ Status – Enables sFlow on the selected port. ◆ Receiver Owner1 – The name of the receiver.
3. Click Apply. Figure 55: Sampling Traffic Flows TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic between clients on different downlink ports. Data traffic on downlink ports is only forwarded to, and from, uplink ports.
■ Blocking – Blocks traffic between uplink ports assigned to different sessions. ■ Forwarding – Forwards traffic between uplink ports assigned to different sessions. WEB INTERFACE To enable traffic segmentation: 1. Click Interface, Traffic Segmentation. 2. Select Configure Global from the Step list. 3. Mark the Status check box, and set the required uplink-to-uplink mode. 4. Click Apply.
CONFIGURING UPLINK AND DOWNLINK PORTS Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
◆ Interface – Displays a list of ports or trunks. ■ Port – Port Identifier. (Range: 1-26) ■ Trunk – Trunk Identifier. (Range: 1-32) WEB INTERFACE To configure the members of the traffic segmentation group: 1. Click Interface, Traffic Segmentation. 2. Select Configure Session from the Step list. 3. Select Add from the Action list. 4. Enter the session ID, set the direction to uplink or downlink, and select the interface to add. 5. Click Apply.
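Before enabling segmentation on a production switch it helps to check what a given session layout actually permits. The following is an added example, not the switch's own logic: it models the rules above (downlink ports reach only uplink ports, uplink ports reach any port, uplink-to-uplink traffic across sessions governed by the global Blocking/Forwarding mode) and audits which ports each downlink can reach. That a downlink may reach only the uplinks of its own session, and that the uplink-to-downlink direction mirrors it, are assumptions of this example; the port numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Segmentation:
    """Traffic segmentation state as set on the Configure Global / Configure Session pages."""
    enabled: bool = True
    uplink_to_uplink: str = "blocking"            # "blocking" or "forwarding" between sessions
    uplinks: dict = field(default_factory=dict)   # port -> session ID
    downlinks: dict = field(default_factory=dict) # port -> session ID

    def add(self, session: int, direction: str, port: int) -> None:
        """Mirror of the Configure Session (Add) page: session ID, direction, interface."""
        table = self.uplinks if direction == "uplink" else self.downlinks
        table[port] = session

    def role(self, port: int):
        """('uplink', session), ('downlink', session) or ('normal', None) for a port."""
        if port in self.uplinks:
            return "uplink", self.uplinks[port]
        if port in self.downlinks:
            return "downlink", self.downlinks[port]
        return "normal", None


def can_forward(seg: Segmentation, src: int, dst: int) -> bool:
    """Decide whether data traffic may pass from port src to port dst."""
    if not seg.enabled or src == dst:
        return True
    (r1, s1), (r2, s2) = seg.role(src), seg.role(dst)
    roles = {r1, r2}
    if "downlink" in roles:
        # Downlink traffic is only forwarded to, and from, uplink ports.
        # Restricting that to uplinks of the same session is an assumption.
        if roles == {"downlink", "uplink"}:
            return s1 == s2
        return False                      # downlink<->downlink, downlink<->normal
    if roles == {"uplink"}:
        # Uplinks of one session always talk; across sessions the global mode decides.
        return s1 == s2 or seg.uplink_to_uplink == "forwarding"
    return True                           # uplink<->normal, normal<->normal


def reachable_from(seg: Segmentation, port: int, all_ports) -> list:
    """Audit helper: every other port that `port` can send data traffic to."""
    return sorted(p for p in all_ports if p != port and can_forward(seg, port, p))


def example_config() -> Segmentation:
    """Constructed layout: two client sessions, one uplink each, port 10 unassigned."""
    seg = Segmentation()
    seg.add(1, "uplink", 25)
    seg.add(1, "downlink", 1)
    seg.add(1, "downlink", 2)
    seg.add(2, "uplink", 26)
    seg.add(2, "downlink", 3)
    return seg


if __name__ == "__main__":
    seg = example_config()
    for p in (1, 3, 10, 25):
        print(f"port {p} reaches {reachable_from(seg, p, range(1, 27))}")
```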
VLAN TRUNKING Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI REFERENCES ◆ "vlan-trunking" on page 1120 COMMAND USAGE ◆ Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
◆ Trunk – Trunk Identifier. (Range: 1-32) ◆ VLAN Trunking Status – Enables VLAN trunking on the selected interface. WEB INTERFACE To enable VLAN trunking on a port or trunk: 1. Click Interface, VLAN Trunking. 2. Click Port or Trunk to specify the interface type. 3. Enable VLAN trunking on any of the Gigabit ports or on a trunk containing Gigabit ports. 4. Click Apply.
6 VLAN CONFIGURATION This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ Private VLANs – Configures private VLANs, using primary for unrestricted upstream access and community groups which are restricted to other local group members or to the ports in the associated primary group. ◆ IEEE 802.
or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: ◆ Up to 4093 VLANs based on the IEEE 802.
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
Figure 62: Using GVRP Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
about this interface type. This parameter must be enabled before you can assign an IP address to a VLAN (see "Setting the Switch’s IP Address (IP Version 4)" on page 573). Modify ◆ VLAN ID – ID of configured VLAN (1-4093). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN.
To modify the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Modify from the Action list. 3. Select the identifier of a configured VLAN. 4. Modify the VLAN name, operational status, or Layer 3 Interface status as required. 5. Click Apply. Figure 64: Modifying Settings for Static VLANs To show the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Show from the Action list.
aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol. CLI REFERENCES ◆ "Configuring VLAN Interfaces" on page 1115 ◆ "Displaying VLAN Information" on page 1122 PARAMETERS These parameters are displayed: Edit Member by VLAN ◆ VLAN – ID of configured VLAN (1-4093). ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier.
◆ Ingress Filtering – Determines how to process frames tagged for VLANs for which the ingress port is not a member. (Default: Disabled) ■ Ingress filtering only affects tagged frames. ■ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
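The classification rule from the start of this chapter (untagged frame takes the port PVID, tagged frame is classified by its tag) together with the ingress-filtering and forbidden-VLAN cases above can be exercised on raw frame bytes. This is an added example, not code from the manual: PortVlanConfig, build_frame and the MAC addresses are constructed for it, and the discard of non-member tagged frames when filtering is enabled follows standard IEEE 802.1Q behaviour, which this page does not itself state.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that introduces an IEEE 802.1Q tag

# Constructed sample MAC addresses for the test frames.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")


@dataclass(frozen=True)
class PortVlanConfig:
    """Per-port VLAN settings as set on the Edit Member pages (illustrative names)."""
    pvid: int                                # VLAN assigned to untagged ingress frames
    members: frozenset                       # VLANs this port belongs to (tagged or untagged)
    forbidden: frozenset = frozenset()       # VLANs explicitly forbidden on this port
    ingress_filtering: bool = False          # page default: Disabled


def build_frame(payload: bytes, vid=None, pcp: int = 0) -> bytes:
    """Construct an Ethernet/IPv4 frame; vid=None produces an untagged frame."""
    header = DST_MAC + SRC_MAC
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + b"\x08\x00" + payload


def tagged_vid(frame: bytes):
    """Return the VID in the frame's 802.1Q tag, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def classify_ingress(port: PortVlanConfig, frame: bytes):
    """Return (vlan_id, action) for a frame received on `port`.

    action is "forward" (member VLAN), "flood" (non-member VLAN accepted because
    ingress filtering is disabled) or "discard".
    """
    vid = tagged_vid(frame)
    if vid is None or vid == 0:
        # Untagged frames, and priority-tagged frames (VID 0), are assigned the PVID.
        return port.pvid, "forward"
    if vid in port.members:
        return vid, "forward"
    if vid in port.forbidden:
        # A VLAN explicitly forbidden on this port is never flooded from it.
        return vid, "discard"
    if port.ingress_filtering:
        # Standard 802.1Q behaviour (assumed, not stated on this page): with the
        # filter enabled, tagged frames for non-member VLANs are dropped.
        return vid, "discard"
    # Filtering disabled: the frame is flooded to all other ports.
    return vid, "flood"


if __name__ == "__main__":
    port = PortVlanConfig(pvid=10, members=frozenset({10, 20}), forbidden=frozenset({40}))
    for vid in (None, 20, 30, 40, 0):
        print(vid, classify_ingress(port, build_frame(b"\x00" * 20, vid=vid)))
```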
◆ Trunk Range – Displays a list of ports. (Range: 1-32) NOTE: The PVID, acceptable frame type, and ingress filtering parameters for each interface within the specified range must be configured on either the Modify VLAN and Member Ports or Edit Member by Interface page. WEB INTERFACE To configure static members by the VLAN index: 1. Click VLAN, Static. 2. Select Edit Member by VLAN from the Action list. 3. Select a VLAN from the scroll-down list. 4.
4. Modify the settings for any interface as required. 5. Click Apply. Figure 67: Configuring Static VLAN Members by Interface To configure static members by interface range: 1. Click VLAN, Static. 2. Select Edit Member by Interface Range from the Action list. 3. Set the Interface type to display as Port or Trunk. 4. Enter an interface range. 5. Modify the VLAN parameters as required.
Figure 68: Configuring Static VLAN Members by Interface Range CONFIGURING DYNAMIC VLAN Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.
■ Join – The interval between transmitting requests/queries to participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20) ■ Leave – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
To configure GVRP status and timers on a port or trunk: 1. Click VLAN, Dynamic. 2. Select Configure Interface from the Step list. 3. Set the Interface type to display as Port or Trunk. 4. Modify the GVRP status or timers for any interface. 5. Click Apply. Figure 70: Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch: 1. Click VLAN, Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3.
To show the members of a dynamic VLAN: 1. Click VLAN, Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3. Select Show VLAN Members from the Action list. Figure 72: Showing the Members of a Dynamic VLAN PRIVATE VLANS Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups.
all other traffic through promiscuous ports). Then assign any promiscuous ports to a primary VLAN and any host ports to a community VLAN. CREATING PRIVATE VLANS Use the VLAN > Private (Configure VLAN - Add) page to create primary or community VLANs. CLI REFERENCES ◆ "private-vlan" on page 1136 PARAMETERS These parameters are displayed: ◆ VLAN ID – ID of configured VLAN (2-4093).
To display a list of private VLANs: 1. Click VLAN, Private. 2. Select Configure VLAN from the Step list. 3. Select Show from the Action list. Figure 74: Showing Private VLANs NOTE: All member ports must be removed from the VLAN before it can be deleted. ASSOCIATING PRIVATE VLANS Use the VLAN > Private (Configure VLAN - Add Community VLAN) page to associate each community VLAN with a primary VLAN.
5. Select an entry from the Community VLAN list to associate it with the selected primary VLAN. Note that a community VLAN can only be associated with one primary VLAN. 6. Click Apply. Figure 75: Associating Private VLANs To show a list of community VLANs associated with a primary VLAN: 1. Click VLAN, Private. 2. Select Configure VLAN from the Step list. 3. Select Show Community VLAN from the Action list. 4. Select an entry from the Primary VLAN list.
◆ Port – Port Identifier. (Range: 1-26/50) ◆ Trunk – Trunk Identifier. (Range: 1-32) ◆ Port/Trunk Mode – Sets the private VLAN port types. ■ Normal – The port is not assigned to a private VLAN. ■ Host – The port is a community port. A community port can communicate with other ports in its own community VLAN and with designated promiscuous port(s). ■ Promiscuous – A promiscuous port can communicate with all interfaces within a private VLAN.
Figure 77: Configuring Interfaces for Private VLANs IEEE 802.1Q TUNNELING IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag). 4. The switch sends the packet to the proper egress port. 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
7. The switch sends the packet to the proper egress port. 8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags. Configuration Limitations for QinQ ◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
6. Configure the QinQ tunnel uplink port to Uplink mode (see "Adding an Interface to a QinQ Tunnel" on page 222). 7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see "Adding Static Members to VLANs" on page 202). ENABLING QINQ TUNNELING ON THE Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.
Figure 79: Enabling QinQ Tunneling CREATING CVLAN TO SPVLAN MAPPING Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.
PARAMETERS These parameters are displayed: ◆ Port – Port identifier. (Range: 1-26) ◆ Customer VLAN ID – VLAN ID for the inner VLAN tag. (Range: 1-4094) ◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4093) WEB INTERFACE To configure a mapping entry: 1. Click VLAN, Tunnel. 2. Select Configure Service from the Step list. 3. Select Add from the Action list. 4. Select an interface from the Port list. 5.
Figure 81: Showing CVLAN to SPVLAN Mapping Entries The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the switchport dot1q-tunnel service match cvid command on page 1126. ADDING AN INTERFACE TO A QINQ TUNNEL Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
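The tag handling in the QinQ packet-flow steps earlier in this section (outer SPVLAN tag added at the tunnel access port, stripped and re-added at each core switch, then stripped or kept on egress depending on SPVLAN membership) and the port 1 / CVID 2 / SVID 99 mapping from the example above can be followed on byte-level frames. This is an added example, not the switch's code: TPID 0x8100 for the outer tag, a default SPVLAN of 100 for the port, the sample addresses, and applying the CVID-to-SPVLAN lookup at access-port ingress are all assumptions of the example.

```python
import struct

# Assumed tag protocol identifier for both inner and outer tags; the switch's
# configurable outer TPID is not covered on this page.
TPID_8021Q = 0x8100

# Constructed sample addresses and payload for the customer frame.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
IPV4_PAYLOAD = b"\x08\x00" + b"\x00" * 20


def tag_vid(frame: bytes, offset: int = 12):
    """VID of the 802.1Q tag found at `offset`, or None if there is no tag there."""
    if len(frame) < offset + 4:
        return None
    tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag right after the MAC addresses, so it becomes the outermost tag."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag; an untagged frame is returned unchanged."""
    return frame[:12] + frame[16:] if tag_vid(frame) is not None else frame


def tags(frame: bytes) -> list:
    """All stacked VIDs from the outside in, e.g. [99, 2] for a double-tagged frame."""
    vids, offset = [], 12
    while (vid := tag_vid(frame, offset)) is not None:
        vids.append(vid)
        offset += 4
    return vids


def customer_frame(cvid=None) -> bytes:
    """Frame as sent by the customer: untagged, or carrying a single CVLAN tag."""
    base = DST_MAC + SRC_MAC + IPV4_PAYLOAD
    return push_tag(base, cvid) if cvid is not None else base


def access_port_ingress(frame: bytes, port: int, port_spvlan: int, service_map: dict):
    """Tunnel access port: add the outer SPVLAN tag and report which SPVLAN was chosen.

    service_map holds (port, customer VID) -> SPVLAN entries as created on the
    Configure Service page; anything unmapped gets the port's default SPVLAN.
    Applying the lookup here, at ingress, is an assumption of this example.
    """
    cvid = tag_vid(frame)                       # None for an untagged customer frame
    svid = service_map.get((port, cvid), port_spvlan)
    return push_tag(frame, svid), svid


def core_transit(frame: bytes) -> bytes:
    """Intermediate/core switch: strip the outer tag for processing, re-add the same SPVLAN."""
    svid = tag_vid(frame)
    if svid is None:
        return frame                            # not a tunnelled frame; nothing to restore
    processed = pop_tag(frame)                  # switching decisions happen on this copy
    return push_tag(processed, svid)


def egress(frame: bytes, tagged_member: bool) -> bytes:
    """A tagged SPVLAN member forwards two tags; an untagged member strips the outer one."""
    return frame if tagged_member else pop_tag(frame)


if __name__ == "__main__":
    service_map = {(1, 2): 99}                  # the page's example: port 1, CVID 2 -> SVID 99
    tunnelled, svid = access_port_ingress(customer_frame(2), 1, 100, service_map)
    print("after access ingress:", tags(tunnelled), "svid", svid)
    print("after core transit:  ", tags(core_transit(tunnelled)))
    print("tagged egress:       ", tags(egress(tunnelled, True)))
    print("untagged egress:     ", tags(egress(tunnelled, False)))
```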
■ Uplink – Configures QinQ tunneling for an uplink port to another device within the service provider network. WEB INTERFACE To add an interface to a QinQ tunnel: 1. Click VLAN, Tunnel. 2. Select Configure Interface from the Step list. 3. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink. 4. Click Apply.
COMMAND USAGE ◆ To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (page 1113). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2. Create a protocol group for each of the protocols you want to assign to a VLAN using the Configure Protocol (Add) page. 3.
WEB INTERFACE To configure a protocol group: 1. Click VLAN, Protocol. 2. Select Configure Protocol from the Step list. 3. Select Add from the Action list. 4. Select an entry from the Frame Type list. 5. Select an entry from the Protocol Type list. 6. Enter an identifier for the protocol group. 7. Click Apply. Figure 83: Configuring Protocol VLANs To configure a protocol group: 1. Click VLAN, Protocol. 2. Select Configure Protocol from the Step list. 3.
MAPPING PROTOCOL GROUPS TO INTERFACES Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group. CLI REFERENCES ◆ "protocol-vlan protocol-group (Configuring Interfaces)" on page 1141 COMMAND USAGE ◆ When creating a protocol-based VLAN, only assign interfaces using this configuration screen.
6. Enter the corresponding VLAN to which the protocol traffic will be forwarded. 7. Click Apply. Figure 85: Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: 1. Click VLAN, Protocol. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list.
CONFIGURING IP SUBNET VLANS Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
WEB INTERFACE To map an IP subnet to a VLAN: 1. Click VLAN, IP Subnet. 2. Select Add from the Action list. 3. Enter an address in the IP Address field. 4. Enter a mask in the Subnet Mask field. 5. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured. 6. Enter a value to assign to untagged frames in the Priority field. 7. Click Apply.
CONFIGURING MAC-BASED VLANS Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
6. Click Apply. Figure 89: Configuring MAC-Based VLANs To show the MAC addresses mapped to a VLAN: 1. Click VLAN, MAC-Based. 2. Select Show from the Action list.
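The three untagged-frame classification mechanisms described above (port PVID, IP subnet-to-VLAN mapping, MAC-to-VLAN mapping) can be modelled in a few lines. The following Python block is an added example written for this guide; it is not the switch firmware or any code from the manual. The lookup order it applies to untagged frames (MAC-based first, then IP subnet, then the port PVID) and the longest-prefix-wins rule for overlapping subnets are assumptions made for the example; the sample mappings are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Frame:
    """Minimal ingress frame model (constructed for the example)."""
    src_mac: str
    src_ip: Optional[str] = None   # None for non-IP frames
    vid: Optional[int] = None      # VID from the 802.1Q tag, None if untagged
    pcp: int = 0                   # priority bits from the tag, if tagged


@dataclass
class VlanClassifier:
    """Assigns a VLAN and priority to a received frame, as the VLAN > IP Subnet and
    VLAN > MAC-Based pages do for untagged traffic. Lookup order is an assumption."""
    pvid: dict                                      # port -> PVID (port-based default)
    port_cos: dict = field(default_factory=dict)    # port -> default CoS for untagged frames
    subnet_enabled: bool = True
    mac_enabled: bool = True
    _subnets: list = field(default_factory=list)    # [(network, vid, priority)]
    _macs: dict = field(default_factory=dict)       # lower-case MAC -> vid

    def add_subnet(self, cidr: str, vid: int, priority: int = 0) -> None:
        # Hypothetical helper: IP Address + Subnet Mask + VLAN + Priority, one entry.
        net = ipaddress.ip_network(cidr, strict=False)
        self._subnets.append((net, vid, priority))
        # most specific prefix first, so the first hit is the longest match
        self._subnets.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def add_mac(self, mac: str, vid: int) -> None:
        self._macs[mac.lower()] = vid

    def classify(self, port: int, frame: Frame) -> Tuple[int, int, str]:
        """Return (vid, priority, reason) for a frame received on `port`."""
        if frame.vid is not None:
            # tagged frames keep their own VID; the mappings apply to untagged frames only
            return frame.vid, frame.pcp, "tag"
        if self.mac_enabled:
            vid = self._macs.get(frame.src_mac.lower())
            if vid is not None:
                return vid, self.port_cos.get(port, 0), "mac"
        if self.subnet_enabled and frame.src_ip is not None:
            addr = ipaddress.ip_address(frame.src_ip)
            for net, vid, prio in self._subnets:
                if addr in net:                 # version mismatch simply fails the test
                    return vid, prio, "subnet"
        # fall back to port-based classification
        return self.pvid[port], self.port_cos.get(port, 0), "pvid"


def build_example_classifier() -> VlanClassifier:
    """Constructed sample configuration (not taken from the manual)."""
    c = VlanClassifier(pvid={1: 10, 2: 11}, port_cos={1: 2})
    c.add_subnet("192.168.1.0/24", 20, priority=3)
    c.add_subnet("192.168.1.128/25", 25, priority=5)   # more specific, overlaps the /24
    c.add_mac("00:11:22:33:44:55", 30)
    return c


if __name__ == "__main__":
    clf = build_example_classifier()
    for f in (Frame("00:11:22:33:44:55", "192.168.1.10"),
              Frame("00:aa:bb:cc:dd:ee", "192.168.1.10"),
              Frame("00:aa:bb:cc:dd:ee", "192.168.1.200"),
              Frame("00:aa:bb:cc:dd:ee", "10.0.0.1")):
        print(f.src_mac, f.src_ip, "->", clf.classify(1, f))
```

The constructed /25 entry nested inside the /24 is the case worth checking when you audit such a table: an overlapping, more specific subnet silently moves hosts to a different VLAN, which is why the example resolves overlaps by longest prefix and reports which rule fired.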
7 ADDRESS TABLE SETTINGS Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. This chapter describes the following topics: ◆ MAC Address Learning – Enables or disables address learning on an interface.
CHAPTER 7 | Address Table Settings Configuring MAC Address Learning ◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist: ■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 384). ■ Security Status (see "Configuring Port Security" on page 380) is enabled on the same interface. PARAMETERS These parameters are displayed: ◆ Interface – Displays a list of ports or trunks.
SETTING STATIC ADDRESSES Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
4. Click Apply. Figure 92: Configuring Static MAC Addresses To show the static addresses in the MAC address table: 1. Click MAC Address, Static. 2. Select Show from the Action list. Figure 93: Displaying Static MAC Addresses CHANGING THE AGING TIME Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
WEB INTERFACE To set the aging time for entries in the dynamic address table: 1. Click MAC Address, Dynamic. 2. Select Configure Aging from the Action list. 3. Modify the aging status if required. 4. Specify a new aging time. 5. Click Apply.
WEB INTERFACE To show the dynamic address table: 1. Click MAC Address, Dynamic. 2. Select Show Dynamic MAC from the Action list. 3. Select the Sort Key (MAC Address, VLAN, or Interface). 4. Enter the search parameters (MAC Address, VLAN, or Interface). 5. Click Query.
3. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface). 4. Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface. 5. Click Clear.
8 SPANNING TREE ALGORITHM This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
CHAPTER 8 | Spanning Tree Algorithm Overview lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 258). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
◆ The interface ceases to receive its own BPDUs in a forward delay interval. NOTE: If loopback detection is not enabled and an interface receives its own BPDU, then the interface will drop the loopback BPDU according to IEEE Standard 802.1w-2001 9.3.4 (Note 1). NOTE: Loopback detection will not be active if Spanning Tree is disabled on the switch.
Figure 100: Configuring Port Loopback Detection CONFIGURING GLOBAL SETTINGS FOR STA Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. CLI REFERENCES ◆ "Spanning Tree Commands" on page 1061 COMMAND USAGE ◆ Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
spanning tree is disabled globally on the switch or disabled on a specific port. ■ To VLAN: Floods BPDUs to all other ports within the receiving port’s native VLAN (i.e., as determined by the port’s PVID). This is the default. ■ To All: Floods BPDUs to all other ports on the switch. The setting has no effect if BPDU flooding is disabled on a port (see "Configuring Interface Settings for STA").
delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. ■ Default: 15 ■ Minimum: The higher of 4 or [(Max.
Figure 101: Configuring Global Settings for STA (STP) Figure 102: Configuring Global Settings for STA (RSTP)
Figure 103: Configuring Global Settings for STA (MSTP) DISPLAYING GLOBAL SETTINGS FOR STA Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
◆ Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network. ◆ Root Path Cost – The path cost from the root port on this switch to the root device. ◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured.
CLI REFERENCES ◆ "Spanning Tree Commands" on page 1061 PARAMETERS These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) ◆ BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 245) or when spanning tree is disabled on a specific port.
Table 13: Default STA Path Costs
Port Type         | Short Path Cost (IEEE 802.1D-1998) | Long Path Cost (802.1D-2004)
Gigabit Ethernet  | 10,000                              | 10,000
10G Ethernet      | 1,000                               | 1,000
◆ Admin Link Type – The link type attached to this interface. ■ Point-to-Point – A connection to exactly one other bridge. ■ Shared – A connection to two or more bridges.
An interface cannot function as an edge port under the following conditions: ■ If spanning tree mode is set to STP (page 245), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting. ■ If loopback detection is enabled (page 243) and a loopback BPDU is detected, the interface cannot function as an edge port until the loopback state is released.
5. Click Apply. Figure 105: Configuring Interface Settings for STA DISPLAYING INTERFACE SETTINGS FOR STA Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI REFERENCES ◆ "show spanning-tree" on page 1086 PARAMETERS These parameters are displayed: ◆ Spanning Tree – Shows if STA has been enabled on this interface.
The rules defining port status are: ■ A port on a network segment with no other STA compliant bridging device is always forwarding. ■ If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
Figure 106: STA Port Roles (legend: R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port) An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. A backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port. WEB INTERFACE To display interface settings for STA: 1.
CONFIGURING MULTIPLE SPANNING TREES Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI REFERENCES ◆ "Spanning Tree Commands" on page 1061 COMMAND USAGE MSTP generates a unique spanning tree for each instance.
WEB INTERFACE To create instances for MSTP: 1. Click Spanning Tree, MSTP. 2. Select Configure Global from the Step list. 3. Select Add from the Action list. 4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global - Add Member) page. If the priority is not specified, the default value 32768 is used. 5. Click Apply.
To modify the priority for an MST instance: 1. Click Spanning Tree, MSTP. 2. Select Configure Global from the Step list. 3. Select Modify from the Action list. 4. Modify the priority for an MSTP Instance. 5. Click Apply. Figure 110: Modifying the Priority for an MST Instance To display global settings for MSTP: 1. Click Spanning Tree, MSTP. 2. Select Configure Global from the Step list. 3.
To add additional VLAN groups to an MSTP instance: 1. Click Spanning Tree, MSTP. 2. Select Configure Global from the Step list. 3. Select Add Member from the Action list. 4. Select an MST instance from the MST ID list. 5. Enter the VLAN group to add to the instance in the VLAN ID field. Note that the specified member does not have to be a configured VLAN. 6.
CONFIGURING INTERFACE SETTINGS FOR MSTP Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI REFERENCES ◆ "Spanning Tree Commands" on page 1061 PARAMETERS These parameters are displayed: ◆ MST Instance ID – Instance identifier to configure. (Default: 0) ◆ Interface – Displays a list of ports or trunks.
The recommended range is listed in Table 12 on page 252. The default path costs are listed in Table 13 on page 253. WEB INTERFACE To configure MSTP parameters for a port or trunk: 1. Click Spanning Tree, MSTP. 2. Select Configure Interface from the Step list. 3. Select Configure from the Action list. 4. Enter the priority and path cost for an interface. 5. Click Apply.
9 CONGESTION CONTROL The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic, and it can set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Congestion Control includes the following options: ◆ Rate Limiting – Sets the input and output rate limits for a port.
CHAPTER 9 | Congestion Control Storm Control ◆ Rate – Sets the rate limit level. (Range: 64 - 1,000,000 kbits per second for Gigabit Ethernet ports; 64 - 10,000,000 kbits per second for 10G Ethernet ports) WEB INTERFACE To configure rate limits: 1. Click Traffic, Rate Limit. 2. Set the interface type to Port or Trunk. 3. Enable the Rate Limit Status for the required ports or trunks. 4. Set the rate limit for the individual ports. 5. Click Apply.
◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Traffic storms can be controlled at the hardware level using Storm Control or at the software level using Automatic Traffic Control which triggers various control responses. However, only one of these control types can be applied to a port.
4. Set the required threshold beyond which the switch will start dropping packets. 5. Click Apply. Figure 117: Configuring Storm Control AUTOMATIC TRAFFIC CONTROL Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.
The key elements of this diagram are described below: ◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it. ◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged.
SETTING THE ATC TIMERS Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
Figure 120: Configuring ATC Timers CONFIGURING ATC THRESHOLDS AND RESPONSES Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 118 on page 268. When traffic control stops, the event is logged by the system and a Traffic Release Trap can be sent.
WEB INTERFACE To configure the response timers for automatic storm control: 1. Click Traffic, Automatic Storm Control. 2. Select Configure Interface from the Step field. 3. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send. 4. Click Apply.
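The alarm fire threshold, alarm clear threshold, apply timer and release timer described in this section form a small state machine that can be checked against a recorded rate series before the thresholds are committed to a production port. The following Python block is an added example for this guide, not firmware code or any code from the manual. It assumes one ingress-rate sample per second, that both timers count consecutive seconds, that samples falling between the two thresholds reset both timers (the hysteresis band), and it names the alarm-clear event "storm-alarm-clear" by analogy with the fire trap; the sample rates are constructed.

```python
from dataclasses import dataclass


@dataclass
class AtcPort:
    """Per-port Automatic Traffic Control state (constructed model, 1 sample/second)."""
    fire_threshold: int            # alarm fire threshold, frames per second
    clear_threshold: int           # alarm clear threshold, frames per second
    apply_timer: int               # seconds above fire threshold before the response applies
    release_timer: int             # seconds below clear threshold before the response releases
    response: str = "rate-limit"   # control response: "rate-limit" or "shutdown"
    auto_release: bool = True      # Auto Release Control; only meaningful for rate limiting
    alarm: bool = False            # storm alarm currently raised
    controlled: bool = False       # control response currently applied
    over_seconds: int = 0          # consecutive seconds above the fire threshold
    under_seconds: int = 0         # consecutive seconds below the clear threshold

    def sample(self, rate: int) -> list:
        """Feed one ingress-rate sample and return the trap/log events it produces."""
        events = []
        if rate > self.fire_threshold:
            self.under_seconds = 0
            self.over_seconds += 1
            if not self.alarm:
                self.alarm = True
                events.append("storm-alarm-fire")            # Storm Alarm Fire Trap
            if not self.controlled and self.over_seconds >= self.apply_timer:
                self.controlled = True
                events.append("traffic-control-apply")       # Traffic Control Apply Trap
        elif rate < self.clear_threshold:
            self.over_seconds = 0
            self.under_seconds += 1
            if self.alarm:
                self.alarm = False
                events.append("storm-alarm-clear")           # assumed name for the clear event
            # only a rate-limit response is released automatically; a shutdown stays down
            if (self.controlled and self.auto_release and self.response == "rate-limit"
                    and self.under_seconds >= self.release_timer):
                self.controlled = False
                events.append("traffic-control-release")     # Traffic Release Trap
        else:
            # between the thresholds: hysteresis band, neither timer advances (assumption)
            self.over_seconds = 0
            self.under_seconds = 0
        return events


def run_samples(port: AtcPort, samples: list) -> list:
    """Replay per-second rate samples; return [(second, event), ...] in order."""
    timeline = []
    for t, rate in enumerate(samples):
        for ev in port.sample(rate):
            timeline.append((t, ev))
    return timeline


if __name__ == "__main__":
    # constructed broadcast-rate series: quiet, a three-second storm, then quiet again
    port = AtcPort(fire_threshold=500, clear_threshold=300, apply_timer=2, release_timer=2)
    for t, ev in run_samples(port, [100, 800, 900, 950, 200, 250, 100]):
        print(f"t={t}s {ev}")
```

Replaying a captured rate series this way shows how long a port stays rate-limited for a given timer pair, and makes the difference between the two responses explicit: with Shutdown the port remains controlled after the alarm clears and needs operator action.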
10 CLASS OF SERVICE Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
CHAPTER 10 | Class of Service Layer 2 Queue Settings ◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. PARAMETERS These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0) WEB INTERFACE To configure the queue mode: 1. Click Traffic, Priority, Default Priority. 2.
◆ WRR queuing specifies a relative weight for each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
WEB INTERFACE To configure the queue mode: 1. Click Traffic, Priority, Queue. 2. Select the interface type to display (Port or Trunk). 3. Set the queue mode. 4. If any of the weighted queue modes is selected, the queue weight can be modified if required. 5. If any of the queue modes that use a combination of strict and weighted queueing are selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
Figure 125: Setting the Queue Mode (Strict and WRR) MAPPING COS VALUES TO EGRESS QUEUES Use the Traffic > Priority > CoS to Queue page to specify the hardware output queues to use for Class of Service (CoS) priority tagged traffic.
Table 15: CoS Priority Levels
Priority Level | Traffic Type
1              | Background
2              | (Spare)
0 (default)    | Best Effort
3              | Excellent Effort
4              | Controlled Load
5              | Video, less than 100 milliseconds latency and jitter
6              | Voice, less than 10 milliseconds latency and jitter
7              | Network Control
CLI REFERENCES ◆ "queue cos-map" on page 1156 ◆ "show queue cos-map" on page 1160 COMMAND USAGE ◆ Egress packets are placed into the hardware queues according to the mappi
Figure 126: Mapping CoS Values to Egress Queues LAYER 3/4 PRIORITY SETTINGS Mapping Layer 3/4 Priorities to CoS Values The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
COMMAND USAGE ◆ The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
Figure 127: Mapping IP DSCP Priority Values MAPPING IP PRECEDENCE Use the Traffic > Priority > IP Precedence to CoS page to map IP Precedence priorities found in ingress packets to CoS values for internal priority processing.
NOTE: IP Precedence settings apply to all interfaces. PARAMETERS These parameters are displayed: ◆ IP Precedence Mapping Status – Enables or disables the use of IP Precedence priorities and the mapping of these priority values to CoS values. (Default: Disabled) ◆ IP Precedence – 3-bit precedence value. (Range: 0-7) ◆ CoS – Class-of-Service value. (Range: 0-7) WEB INTERFACE To set the IP Precedence to CoS priority map: 1.
COMMAND USAGE ◆ This mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110. ◆ No default mapping is defined for ingress TCP/UDP port types. NOTE: IP Port settings apply to all interfaces.
To show the TCP/UDP port number to CoS priority map: 1. Click Traffic, Priority, IP Port to DSCP. 2. Select Show from the Action list.
11 QUALITY OF SERVICE This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port – Applies a policy map to an ingress port.
CHAPTER 11 | Quality of Service Configuring a Class Map COMMAND USAGE To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic. 2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN. 3.
◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command. ◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. ◆ IP DSCP – A DSCP value.
To show the configured class maps: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show from the Action list. Figure 132: Showing Class Maps To edit the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of a class map. 5.
To show the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show Rule from the Action list. Figure 134: Showing the Rules for a Class Map CREATING QOS POLICIES Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces.
Policing is based on a token bucket, where bucket depth (that is, the maximum burst before the bucket overflows) is specified by the “burst” field (BC), and the average rate at which tokens are removed from the bucket is specified by the “rate” option (CIR). Action may be taken for traffic conforming to the maximum throughput, or exceeding the maximum throughput.
■ if Te(t) - B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0; else the packet is red and neither Tc nor Te is decremented.
respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC. Thereafter, the token count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC.
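The two markers sketched in the preceding paragraphs, the single-rate marker with buckets C and E (token counts Tc and Te, depths BC and BE, one rate CIR) and the two-rate marker with buckets P and C (token counts Tp and Tc, depths BP and BC, rates PIR and CIR), can be written out in full so that the green/yellow/red decision for a given burst can be checked before a policy map is applied. The following Python block is an added example for this guide, not the switch's policer or any code from the manual. It assumes byte-sized packets, rates in bytes per second, colour-blind operation, and replenishes tokens continuously from the elapsed time rather than one token at a time; the packet arrivals in the sample run are constructed.

```python
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    """Single-rate three-colour marker: one rate (CIR), buckets C and E of depth BC and BE."""
    cir: float   # committed information rate, bytes per second (assumed unit)
    bc: float    # depth of bucket C (committed burst), bytes
    be: float    # depth of bucket E (excess burst), bytes

    def __post_init__(self):
        self.tc = float(self.bc)   # Tc(0) = BC: buckets start full
        self.te = float(self.be)   # Te(0) = BE
        self.last = 0.0            # time of the last update, seconds

    def _refill(self, now: float) -> None:
        tokens = self.cir * (now - self.last)
        self.last = now
        room_c = self.bc - self.tc
        if tokens <= room_c:
            self.tc += tokens                  # bucket C fills first
        else:
            self.tc = self.bc                  # C is full: the overflow spills into E
            self.te = min(self.be, self.te + tokens - room_c)

    def mark(self, now: float, size: int) -> str:
        self._refill(now)
        if self.tc - size >= 0:                # fits in the committed burst: green
            self.tc -= size
            return GREEN
        if self.te - size >= 0:                # fits in the excess burst: yellow
            self.te -= size
            return YELLOW
        return RED                             # neither Tc nor Te is decremented


@dataclass
class TrTCM:
    """Two-rate three-colour marker: buckets P and C of depth BP and BC, rates PIR and CIR."""
    cir: float   # committed information rate, bytes per second
    bc: float    # depth of bucket C, bytes
    pir: float   # peak information rate, bytes per second
    bp: float    # depth of bucket P, bytes

    def __post_init__(self):
        self.tc = float(self.bc)   # Tc(0) = BC
        self.tp = float(self.bp)   # Tp(0) = BP
        self.last = 0.0

    def _refill(self, now: float) -> None:
        dt = now - self.last
        self.last = now
        self.tc = min(self.bc, self.tc + self.cir * dt)   # Tc grows at CIR up to BC
        self.tp = min(self.bp, self.tp + self.pir * dt)   # Tp grows at PIR up to BP

    def mark(self, now: float, size: int) -> str:
        self._refill(now)
        if self.tp - size < 0:                 # above the peak rate: red, nothing debited
            return RED
        if self.tc - size < 0:                 # within PIR but above CIR: yellow, debit P only
            self.tp -= size
            return YELLOW
        self.tp -= size                        # within CIR: green, debit both buckets
        self.tc -= size
        return GREEN


def mark_all(marker, arrivals) -> list:
    """Colour a list of (arrival_time_seconds, size_bytes) packets in order."""
    return [marker.mark(t, size) for t, size in arrivals]


if __name__ == "__main__":
    # constructed burst: four 1000-byte packets at t=0, then one more a second later
    burst = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]
    print("srTCM:", mark_all(SrTCM(cir=1000, bc=2000, be=1000), burst))
    print("trTCM:", mark_all(TrTCM(cir=1000, bc=1000, pir=2000, bp=2000), burst[:3] + burst[4:]))
```

In terms of the Add Rule actions on the following pages, green corresponds to the conform action (Transmit), yellow to the Exceed action and red to the Violate action, so the lists returned by `mark_all` show directly which packets of a burst would be remarked or dropped for a candidate CIR/BC/PIR/BP setting.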
Add Rule ◆ Policy Name – Name of policy map. ◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. ◆ Action – Configures the service provided to ingress traffic. Packets matching the rule settings for a class map can be remarked as follows: ■ Set CoS – Sets the priority bits in the VLAN tag for matching packets.
■ Violate – Specifies whether the traffic that exceeds the maximum rate (CIR) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63) ■ Drop – Drops out of conformance traffic.
■ Violate – Specifies whether the traffic that exceeds the excess burst size (BE) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63) ■ Drop – Drops out of conformance traffic.
■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the peak information rate (PIR) will be dropped or the DSCP service level will be reduced. ■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level. ■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63) ■ Drop – Drops out of conformance traffic.
To show the configured policy maps: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Show from the Action list. Figure 136: Showing Policy Maps To edit the rules for a policy map: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of a policy map. 5.
Figure 137: Adding Rules to a Policy Map To show the rules for a policy map: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Show Rule from the Action list.
ATTACHING A POLICY MAP TO A PORT Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port. CLI REFERENCES ◆ "Quality of Service Commands" on page 1169 COMMAND USAGE ◆ First define a class map, define a policy map, and bind the service policy to the required interface. ◆ Only one policy map can be bound to an interface.
12 VOIP TRAFFIC CONFIGURATION This chapter covers the following topics: ◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
CHAPTER 12 | VoIP Traffic Configuration Configuring VoIP Traffic CLI REFERENCES ◆ "Configuring Voice VLANs" on page 1147 PARAMETERS These parameters are displayed: ◆ Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports. (Default: Disabled) ◆ Voice VLAN – Sets the Voice VLAN ID for the network. Only one Voice VLAN is supported and it must already be created on the switch.
CONFIGURING TELEPHONY OUI VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
Figure 141: Configuring an OUI Telephony List To show the MAC OUI numbers used for VoIP equipment: 1. Click Traffic, VoIP. 2. Select Configure OUI from the Step list. 3. Select Show from the Action list.
■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port. You must select a method for detecting VoIP traffic, either OUI or 802.1ab (LLDP). When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list. ■ Manual – The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
3. Configure any required changes to the VoIP settings for each port. 4. Click Apply.
13 SECURITY MEASURES You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 13 | Security Measures AAA Authorization and Accounting ◆ DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. NOTE: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
3. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. 4. Apply the method names to port or line interfaces. NOTE: This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
WEB INTERFACE To configure the method(s) of controlling management access: 1. Click Security, AAA, System Authentication. 2. Specify the authentication sequence (i.e., one to three methods). 3. Click Apply.
CLI REFERENCES ◆ "RADIUS Client" on page 868 ◆ "TACACS+ Client" on page 872 ◆ "AAA" on page 876
COMMAND USAGE ◆ If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
◆ Set Key – Mark this box to set or modify the encryption key.
■ Authentication Key – Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters)
■ Confirm Authentication Key – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
When specifying the priority sequence for a server, the server index must already be defined (see "Configuring Local/Remote Logon Authentication" on page 311).
WEB INTERFACE To configure the parameters for RADIUS or TACACS+ authentication: 1. Click Security, AAA, Server. 2. Select Configure Server from the Step list. 3. Select RADIUS or TACACS+ server type. 4.
Figure 147: Configuring Remote Authentication Server (TACACS+)
To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Select RADIUS or TACACS+ server type. 5. Enter the group name, followed by the index of the server to use for each priority level. 6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Show from the Action list.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined. (Range: 1-64 characters) Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS+ servers. No information is sent to the servers about the method to use.
◆ Accounting Type – Displays the accounting service. ◆ Interface – Displays the receive port number through which this user accessed the switch. ◆ Time Elapsed – Displays the length of time this entry has been active.
WEB INTERFACE To configure global settings for AAA accounting: 1. Click Security, AAA, Accounting. 2. Select Configure Global from the Step list. 3. Enter the required update interval. 4. Click Apply.
Figure 151: Configuring AAA Accounting Methods
To show the accounting method applied to various service types and the assigned server group: 1. Click Security, AAA, Accounting. 2. Select Configure Method from the Step list. 3. Select Show from the Action list.
Figure 153: Configuring AAA Accounting Service for 802.1X Service
Figure 154: Configuring AAA Accounting Service for Exec Service
To display a summary of the configured accounting methods and assigned server groups for specified service types: 1. Click Security, AAA, Accounting. 2. Select Show Information from the Step list. 3. Click Summary.
To display basic accounting information and statistics recorded for user sessions: 1. Click Security, AAA, Accounting. 2. Select Show Information from the Step list. 3. Click Statistics.
other group name refers to a server group configured on the TACACS+ Group Settings page. Authorization is only supported for TACACS+ servers.
Configure Service ◆ Console Method Name – Specifies a user-defined method name to apply to console connections. ◆ VTY Method Name – Specifies a user-defined method name to apply to Telnet connections.
Show Information ◆ Authorization Type – Displays the authorization service.
To show the authorization method applied to the EXEC service type and the assigned server group: 1. Click Security, AAA, Authorization. 2. Select Configure Method from the Step list. 3. Select Show from the Action list.
Figure 158: Showing AAA Authorization Methods
To configure the authorization method applied to local console, Telnet, or SSH connections: 1. Click Security, AAA, Authorization. 2. Select Configure Service from the Step list.
To display the configured authorization method and assigned server groups for the EXEC service type: 1. Click Security, AAA, Authorization. 2. Select Show Information from the Step list.
Figure 160: Displaying the Applied AAA Authorization Method
CONFIGURING USER ACCOUNTS Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.
■ Plain Password – Plain text unencrypted password. ■ Encrypted Password – Encrypted password. The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup. There is no need for you to manually configure encrypted passwords. ◆ Password – Specifies the user password.
To show user accounts: 1. Click Security, User Accounts. 2. Select Show from the Action list.
Figure 162: Showing User Accounts
WEB AUTHENTICATION Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP-assigned IP address and perform DNS queries.
CONFIGURING GLOBAL SETTINGS FOR WEB AUTHENTICATION Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
CLI REFERENCES ◆ "Web Authentication" on page 940
PARAMETERS These parameters are displayed: ◆ Web Authentication Status – Enables web authentication for the switch. (Default: Disabled) Note that this feature must also be enabled for any port where required under the Configure Interface menu.
CONFIGURING INTERFACE SETTINGS FOR WEB AUTHENTICATION Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts.
CLI REFERENCES ◆ "Web Authentication" on page 940
PARAMETERS These parameters are displayed: ◆ Port – Indicates the port being configured. ◆ Status – Configures the web authentication status for the port.
Figure 164: Configuring Interface Settings for Web Authentication
NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024. ◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch applies only the DiffServ profile “p1.” ◆ Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is “map-ip-dscp=2:3;service-policy-in=p1,” then the switch ignores the “map-ip-dscp” profile.
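The two Filter-ID rules above (first occurrence of a profile key wins, unsupported keys are ignored) as an added worked example; this is not the switch's own code, and the set of supported profile keys is an assumption, since the page only shows "service-policy-in".

```python
# Added illustration, not the switch's own code: interpreting a RADIUS
# Filter-ID attribute value under the rules the manual describes.
from __future__ import annotations

# Assumption: the page only shows this profile key as supported.
SUPPORTED_PROFILES = {"service-policy-in"}


def parse_filter_id(attribute: str) -> tuple[dict[str, str], list[str]]:
    """Split a Filter-ID value on ';' and return (applied, ignored).

    applied maps each supported profile key to the FIRST value seen for it;
    ignored lists every entry dropped because it was malformed, used an
    unsupported profile, or repeated a key that was already applied.
    """
    applied: dict[str, str] = {}
    ignored: list[str] = []
    for raw in attribute.split(";"):
        entry = raw.strip()
        if not entry:
            continue                          # tolerate a trailing ';'
        key, sep, value = entry.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            ignored.append(entry)             # malformed, e.g. "service-policy-in"
        elif key not in SUPPORTED_PROFILES:
            ignored.append(entry)             # unsupported profile, e.g. map-ip-dscp
        elif key in applied:
            ignored.append(entry)             # duplicate key: first occurrence wins
        else:
            applied[key] = value
    return applied, ignored


if __name__ == "__main__":
    for attr in ("service-policy-in=p1;service-policy-in=p2",
                 "map-ip-dscp=2:3;service-policy-in=p1"):
        print(attr, "->", parse_filter_id(attr))
```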
regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 385). Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
PARAMETERS These parameters are displayed: ◆ MAC Authentication ■ Status – Enables MAC authentication on a port. (Default: Disabled) ■ Intrusion – Sets the port response to a host MAC authentication failure, to either block access to the port or to pass traffic through.
exempt from authentication on the specified port (as described under "Configuring a MAC Address Filter"). (Range: 1-64; Default: None)
WEB INTERFACE To configure MAC authentication on switch ports: 1. Click Security, Network Access. 2. Select Configure Interface from the Step list. 3. Click the General button. 4.
■ Link down – Only link down events will trigger the port action. ■ Link up and down – All link up and link down events will trigger the port action.
◆ Action – The switch can respond in three ways to a link up or down trigger event. ■ Trap – An SNMP trap is sent. ■ Trap and shutdown – An SNMP trap is sent and the port is shut down. ■ Shutdown – The port is shut down.
COMMAND USAGE ◆ Specified MAC addresses are exempt from authentication. ◆ Up to 65 filter tables can be defined. ◆ There is no limitation on the number of entries used in a filter table.
PARAMETERS These parameters are displayed: ◆ Filter ID – Adds a filter rule for the specified filter.
Figure 169: Showing the MAC Address Filter Table for Network Access
DISPLAYING SECURE MAC ADDRESS INFORMATION Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
WEB INTERFACE To display the authenticated MAC addresses stored in the secure MAC address table: 1. Click Security, Network Access. 2. Select Show Information from the Step list. 3. Use the sort key to display addresses based on MAC address, interface, or attribute. 4.
CONFIGURING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
CONFIGURING GLOBAL SETTINGS FOR HTTPS Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the UDP port used for this service.
PARAMETERS These parameters are displayed: ◆ HTTPS Status – Allows you to enable/disable the HTTPS server feature on the switch. (Default: Enabled) ◆ HTTPS Port – Specifies the UDP port number used for HTTPS connection to the switch’s web interface. (Default: Port 443)
WEB INTERFACE To configure HTTPS: 1. Click Security, HTTPS. 2. Select Configure Global from the Step list. 3. Enable HTTPS and specify the port number if required. 4. Click Apply.
When you have obtained these, place them on your TFTP server and transfer them to the switch to replace the default (unrecognized) certificate with an authorized one. NOTE: The switch must be reset for the new certificate to be activated.
Figure 172: Downloading the Secure-Site Certificate
CONFIGURING THE SECURE SHELL The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
To use the SSH server, complete these steps: 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
NOTE: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known hosts file. However, you do not need to configure the client’s keys.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method.
CONFIGURING THE SSH SERVER Use the Security > SSH (Configure Global) page to enable the SSH server and configure basic settings for authentication. NOTE: A host key pair must be configured on the switch before you can enable the SSH server. See "Generating the Host Key Pair" on page 347.
Figure 173: Configuring the SSH Server
GENERATING THE HOST KEY PAIR Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public Keys" on page 349.
WEB INTERFACE To generate the SSH host key pair: 1. Click Security, SSH. 2. Select Configure Host Key from the Step list. 3. Select Generate from the Action list. 4. Select the host-key type from the drop-down box. 5. Select the option to save the host key from memory to flash if required. 6. Click Apply.
Figure 174: Generating the SSH Host Key Pair
To display or clear the SSH host key pair: 1. Click Security, SSH. 2.
IMPORTING USER PUBLIC KEYS Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
Figure 176: Copying the SSH User’s Public Key
To display or clear the SSH user’s public key: 1. Click Security, SSH. 2. Select Configure User Key from the Step list. 3. Select Show from the Action list. 4. Select a user from the User Name list. 5. Select the host-key type to clear. 6. Click Clear.
ACCESS CONTROL LISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
◆ If no matches are found down to the end of the list, the traffic is denied. For this reason, frequently hit entries should be placed at the top of the list. There is an implied deny for traffic that is not explicitly permitted. Also, note that a single-entry ACL with only one deny entry has the effect of denying all traffic. You should therefore use at least one permit statement in an ACL or all traffic will be blocked.
WEB INTERFACE To configure a time range: 1. Click Security, ACL. 2. Select Configure Time Range from the Step list. 3. Select Add from the Action list. 4. Enter the name of a time range. 5. Click Apply.
Figure 178: Setting the Name of a Time Range
To show a list of time ranges: 1. Click Security, ACL. 2. Select Configure Time Range from the Step list. 3. Select Show from the Action list.
6. Fill in the required parameters for the selected mode. 7. Click Apply.
Figure 180: Add a Rule to a Time Range
To show the rules configured for a time range: 1. Click Security, ACL. 2. Select Configure Time Range from the Step list. 3. Select Show Rule from the Action list.
SHOWING TCAM UTILIZATION Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
SETTING THE ACL NAME AND TYPE Use the Security > ACL (Configure ACL - Add) page to create an ACL.
CLI REFERENCES ◆ "access-list ip" on page 974 ◆ "show ip access-list" on page 979
PARAMETERS These parameters are displayed: ◆ ACL Name – Name of the ACL. (Maximum length: 32 characters) ◆ Type – The following filter modes are supported: ■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
Figure 183: Creating an ACL
To show a list of ACLs: 1. Click Security, ACL. 2. Select Configure ACL from the Step list. 3. Select Show from the Action list.
Figure 184: Showing a List of ACLs
CONFIGURING A STANDARD IPV4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
◆ Source IP Address – Source IP address. ◆ Source Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. ◆ Time Range – Name of a time range.
CONFIGURING AN EXTENDED IPV4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
CLI REFERENCES ◆ "permit, deny (Extended IPv4 ACL)" on page 976 ◆ "show ip access-list" on page 979 ◆ "Time Range" on page 817
PARAMETERS These parameters are displayed: ◆ Type – Selects the type of ACLs to show in the Name list. ◆ Name – Shows the names of ACLs matching the selected type.
where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit.
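The Standard IPv4 ACL lookup described above (rules checked top to bottom, first match wins, implied deny at the end, mask bits "1 = match, 0 = ignore") modelled as an added example; this is not the switch's own code, and the rule shape and sample addresses are constructed for illustration.

```python
# Added example, not code from the manual: a software model of Standard IPv4
# ACL evaluation as the text describes it. Rule names and addresses are constructed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str                           # "any" or a dotted IPv4 address
    mask: str = "255.255.255.255"      # 1 bits = match, 0 bits = ignore


def _bits(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def rule_matches(rule: Rule, packet_src: str) -> bool:
    """AND the mask into both the rule address and the packet address and
    compare: only bit positions set to 1 in the mask take part."""
    if rule.src == "any":
        return True
    m = _bits(rule.mask)
    return (_bits(rule.src) & m) == (_bits(packet_src) & m)


def evaluate(acl: list[Rule], packet_src: str) -> tuple[str, int | None]:
    """Walk the ACL top to bottom and return (action, position_of_match).

    The first matching rule decides. Reaching the end with no match yields
    ("deny", None): the implied deny, which is why an ACL holding only deny
    entries blocks all traffic. The position shows how many entries were
    examined, the reason frequently hit entries belong near the top.
    """
    for position, rule in enumerate(acl, start=1):
        if rule_matches(rule, packet_src):
            return rule.action, position
    return "deny", None


# Constructed sample ACLs.
DENY_ONLY = [Rule("deny", "10.1.5.0", "255.255.255.0")]

PERMIT_FIRST = [
    Rule("permit", "10.1.0.0", "255.255.0.0"),     # covers all of 10.1.0.0/16
    Rule("deny", "10.1.5.0", "255.255.255.0"),     # never reached for 10.1.5.x
]
DENY_FIRST = list(reversed(PERMIT_FIRST))          # same rules, opposite order


if __name__ == "__main__":
    for name, acl in (("deny-only", DENY_ONLY), ("permit-first", PERMIT_FIRST),
                      ("deny-first", DENY_FIRST)):
        for src in ("10.1.5.7", "10.1.9.1", "192.0.2.1"):
            print(f"{name:12s} {src:10s} -> {evaluate(acl, src)}")
```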
Figure 186: Configuring an Extended IPv4 ACL
CONFIGURING A STANDARD IPV6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
CLI REFERENCES ◆ "permit, deny (Standard IPv6 ACL)" on page 981 ◆ "show ipv6 access-list" on page 984 ◆ "Time Range" on page 817
PARAMETERS These parameters are displayed: ◆ Type – Selects the type of ACLs to show in the Name list.
◆ Time Range – Name of a time range.
WEB INTERFACE To add rules to a Standard IPv6 ACL: 1. Click Security, ACL. 2. Select Configure ACL from the Step list. 3. Select Add Rule from the Action list. 4. Select IPv6 Standard from the Type list. 5. Select the name of an ACL from the Name list. 6. Specify the action (i.e., Permit or Deny). 7. Select the source address type (Any, Host, or IPv6-prefix). 8. If you select “Host,” enter a specific address.
CONFIGURING AN EXTENDED IPV6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
CLI REFERENCES ◆ "permit, deny (Extended IPv6 ACL)" on page 982 ◆ "show ipv6 access-list" on page 984 ◆ "Time Range" on page 817
PARAMETERS These parameters are displayed: ◆ Type – Selects the type of ACLs to show in the Name list. ◆ Name – Shows the names of ACLs matching the selected type.
◆ Flow Label – A label for packets belonging to a particular traffic “flow” for which the sender requests special handling by IPv6 routers, such as non-default quality of service or “real-time” service (see RFC 2460). (Range: 0-1048575) A flow label is assigned to a flow by the flow's source node. New flow labels must be chosen pseudo-randomly and uniformly from the range 1 to FFFFF hexadecimal.
Figure 188: Configuring an Extended IPv6 ACL
CONFIGURING A MAC ACL Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
CLI REFERENCES ◆ "permit, deny (MAC ACL)" on page 987 ◆ "show ip access-list" on page 979 ◆ "Time Range" on page 817
PARAMETERS These parameters are displayed: ◆ Type – Selects the type of ACLs to show in the Name list.
◆ Packet Format – This attribute includes the following packet types: ■ Any – Any Ethernet packet type. ■ Untagged-eth2 – Untagged Ethernet II packets. ■ Untagged-802.3 – Untagged Ethernet 802.3 packets. ■ Tagged-eth2 – Tagged Ethernet II packets. ■ Tagged-802.3 – Tagged Ethernet 802.3 packets. ◆ VID – VLAN ID. (Range: 1-4094) ◆ VID Bit Mask – VLAN bit mask.
Figure 189: Configuring a MAC ACL
CONFIGURING AN ARP ACL Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection" on page 371).
◆ Source/Destination IP Subnet Mask – Subnet mask for source or destination address. (See the description for Subnet Mask on page 357.) ◆ Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any) ◆ Source/Destination MAC Address – Source or destination MAC address.
Figure 190: Configuring an ARP ACL
BINDING A PORT TO AN ACCESS CONTROL LIST After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
WEB INTERFACE To bind an ACL to a port: 1. Click Security, ACL. 2. Select Configure Interface from the Step list. 3. Select IP or MAC from the Type list. 4. Select the name of an ACL from the ACL list. 5. Click Apply.
Figure 191: Binding a Port to an ACL
ARP INSPECTION ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets.
COMMAND USAGE Enabling & Disabling ARP Inspection ◆ ARP Inspection is controlled on a global and VLAN basis. ◆ By default, ARP Inspection is disabled both globally and on all VLANs. ■ If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled.
with different MAC addresses are classified as invalid and are dropped. ■ IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
■ Src-MAC – Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
◆ Log Message Number – The maximum number of entries saved in a log message. (Range: 0-256; Default: 5) ◆ Log Interval – The interval at which log messages are sent. (Range: 0-86400 seconds; Default: 1 second)
WEB INTERFACE To configure global settings for ARP Inspection: 1.
◆ ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in the DHCP snooping bindings database. The switch first compares ARP packets to any specified ARP ACLs.
Figure 193: Configuring VLAN Settings for ARP Inspection
CONFIGURING INTERFACE SETTINGS FOR ARP INSPECTION Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
CLI REFERENCES ◆ "ARP Inspection" on page 960
PARAMETERS These parameters are displayed: ◆ Port – Port identifier. ◆ Trust Status – Configures the port as trusted or untrusted.
3. Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate. 4. Click Apply.
Figure 194: Configuring Interface Settings for ARP Inspection
DISPLAYING ARP INSPECTION STATISTICS Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
WEB INTERFACE To display statistics for ARP Inspection: 1. Click Security, ARP Inspection. 2. Select Show Information from the Step list. 3. Select Show Statistics from the Step list.
Figure 195: Displaying Statistics for ARP Inspection
DISPLAYING THE ARP INSPECTION LOG Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
WEB INTERFACE To display the ARP Inspection log: 1. Click Security, ARP Inspection. 2. Select Show Information from the Step list. 3. Select Show Log from the Step list.
Filtering IP Addresses for Management Access
◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
PARAMETERS These parameters are displayed: ◆ Mode ■ Web – Configures IP address(es) for the web group. ■ SNMP – Configures IP address(es) for the SNMP group. ■ Telnet – Configures IP address(es) for the Telnet group. ◆ Start IP Address – A single IP address, or the starting address of a range.
CHAPTER 13 | Security Measures Configuring Port Security To show a list of IP addresses authorized for management access: 1. Click Security, IP Filter. 2. Select Show from the Action list. Figure 198: Showing IP Addresses Authorized for Management Access CONFIGURING PORT SECURITY Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
CHAPTER 13 | Security Measures Configuring Port Security ◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table. ◆ If port security is enabled, and the maximum number of allowed addresses are set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication The maximum address count is effective when port security is enabled or disabled, but can only be set when Security Status is disabled. ◆ Current MAC Count – The number of MAC addresses currently associated with this interface. ◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 336. ◆ Filter ID – The identifier for a MAC address filter.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network. This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication ◆ Each client that needs to be authenticated must have dot1X client software installed and properly configured. ◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) ◆ The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication 4. Click Apply Figure 201: Configuring Global Settings for 802.1X Port Authentication CONFIGURING PORT Use the Security > Port Authentication (Configure Interface) page to SETTINGS FOR 802.1X configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication ◆ Control Mode – Sets the authentication mode to one of the following options: ■ ■ ■ ◆ Auto – Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access. Force-Authorized – Forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.
a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information. It may also send other EAP-request frames to the client during an active connection as required for reauthentication.
◆ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
Reauthentication State Machine
◆ State – Current state (including initialize, re-authenticate).
WEB INTERFACE
To configure port authenticator settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Interface from the Step list.
3. Click Authenticator.
4.

DISPLAYING 802.1X STATISTICS
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
CLI REFERENCES
◆ "show dot1x" on page 908
PARAMETERS
These parameters are displayed:
Table 22: 802.1X Statistics
Parameter          Description
Rx EAPOL Start     The number of EAPOL Start frames that have been received by this Authenticator.
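The EAPOL exchange described above (EAPOL-Start from the client, EAP-Request/Identity from the switch, EAP-Response/Identity back) and the per-port counters of Table 22 can be made concrete with a small decoder. This is an added example, not code from the manual or the switch's firmware: it parses the 802.1X frame layout (IEEE 802.1X EAPOL header, RFC 3748 EAP packet) from raw bytes and tallies received frames the way the Authenticator statistics page does. The MAC addresses, the user name "alice" and the counter names beyond "Rx EAPOL Start" are constructed for the example.

```python
"""Decode 802.1X EAPOL frames and tally them like the authenticator statistics page.

Added example, not from the switch manual. Frame layouts follow IEEE 802.1X
(EAPOL) and RFC 3748 (EAP); the sample frames are constructed by hand.
"""
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


def parse_eap(body: bytes) -> dict:
    """Parse one EAP packet: code, identifier, length, then type + data for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with packet")
    eap = {"code": EAP_CODES.get(code, "unknown"), "id": identifier}
    if code in (1, 2) and length >= 5:          # only Request/Response carry a Type octet
        eap["method"] = EAP_TYPES.get(body[4], "unknown")
        eap["data"] = body[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL; raise ValueError if it is malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body truncated")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, "unknown")}
    if ptype == 0:
        info["eap"] = parse_eap(body)
    return info


def build_eapol(src: bytes, dst: bytes, ptype: int, body: bytes = b"") -> bytes:
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, ptype, len(body)) + body


def build_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    payload = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def count_stats(frames) -> dict:
    """Tally frames received by the authenticator; counter names mirror the statistics page."""
    stats = {"Rx EAPOL Start": 0, "Rx EAPOL Logoff": 0, "Rx EAP Resp/Id": 0,
             "Rx EAP Resp/Oth": 0, "Rx EAPOL Invalid": 0}
    for frame in frames:
        try:
            info = parse_eapol(frame)
        except ValueError:
            stats["Rx EAPOL Invalid"] += 1
            continue
        if info["type"] == "EAPOL-Start":
            stats["Rx EAPOL Start"] += 1
        elif info["type"] == "EAPOL-Logoff":
            stats["Rx EAPOL Logoff"] += 1
        elif info["type"] == "EAP-Packet" and info["eap"]["code"] == "Response":
            identity = info["eap"].get("method") == "Identity"
            stats["Rx EAP Resp/Id" if identity else "Rx EAP Resp/Oth"] += 1
    return stats


# Constructed sample exchange; the addresses are made up (01:80:c2:00:00:03 is the real PAE group address).
PAE_GROUP = bytes.fromhex("0180c2000003")
CLIENT = bytes.fromhex("001122334455")
SWITCH = bytes.fromhex("00aabbccddee")
SAMPLE_FRAMES = [
    build_eapol(CLIENT, PAE_GROUP, 1),                                       # client: EAPOL-Start
    build_eapol(SWITCH, CLIENT, 0, build_eap(1, 1, 1)),                      # switch: EAP-Request/Identity
    build_eapol(CLIENT, SWITCH, 0, build_eap(2, 1, 1, b"alice")),            # client: EAP-Response/Identity
    build_eapol(CLIENT, SWITCH, 0, build_eap(2, 2, 4, b"\x10" + b"\x00" * 16)),  # client: EAP-Response/MD5-Challenge
    build_eapol(CLIENT, SWITCH, 2),                                          # client: EAPOL-Logoff
    b"\x00" * 20,                                                            # junk: not EAPOL, counted as invalid
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES[:5]:
        print(parse_eapol(f))
    print(count_stats(SAMPLE_FRAMES))
```

The length checks matter: an authenticator that trusts the EAP length field without comparing it to the EAPOL body length can be made to read past the frame, so a frame whose EAP header claims more bytes than the EAPOL body carries is rejected rather than partially decoded.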
WEB INTERFACE
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.
3. Click Authenticator.
Figure 203: Showing Statistics for 802.1X Port Authenticator

DOS PROTECTION
Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.

◆ TCP Scan – Configures the switch to protect against the types of DoS attacks described below. (Default: Disabled)
■ DoS TCP-null-scan attacks – A TCP NULL scan is used to identify listening TCP ports. The scan sends a series of unusually constructed TCP segments which carry a sequence number of 0 and no flags set. If the target's TCP port is closed, the target replies with a TCP RST (reset) segment; an open port sends nothing, which is how the scanner tells the two apart.
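To see what the TCP Scan filter has to look at, the following added example (not the switch's code) parses an IPv4/TCP packet from raw bytes and classifies the TCP NULL scan described above: no flags set, and, as the manual notes, a sequence number of 0. As a generalization it also recognises the Xmas (FIN+PSH+URG) and SYN/FIN flag combinations, which are standard scan signatures not quoted on this page; the addresses, ports and packets are constructed for the example.

```python
"""Classify TCP segments that match port-scan signatures a DoS filter would drop.

Added example, not from the switch manual. Header layouts are RFC 791 (IPv4)
and RFC 793 (TCP); the sample packets are constructed by hand.
"""
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return addresses, ports, sequence number and flag bits of an IPv4/TCP packet."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("too short for a TCP header")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x01FF}        # low 9 bits: NS + the eight classic flags


def classify(seg: dict) -> Optional[str]:
    """Name the scan signature a segment matches, or None for ordinary traffic."""
    f = seg["flags"] & 0x3F                      # FIN SYN RST PSH ACK URG
    if f == 0:
        return "null-scan"                       # the TCP NULL scan from the manual
    if f == FIN | PSH | URG:
        return "xmas-scan"                       # generalization: Xmas scan
    if f & (SYN | FIN) == SYN | FIN:
        return "syn-fin-scan"                    # generalization: SYN/FIN, never legitimate
    return None


def build_packet(src: str, dst: str, sport: int, dport: int, seq: int, flags: int) -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums left zero; not needed for classification)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def scan_verdicts(packets) -> list:
    """(signature or None, sequence number) for each packet, in order."""
    out = []
    for p in packets:
        seg = parse_ipv4_tcp(p)
        out.append((classify(seg), seg["seq"]))
    return out


# Constructed samples: a scanner at 10.0.0.9 probing 10.0.0.1, then a normal connection attempt.
SAMPLE = [
    build_packet("10.0.0.9", "10.0.0.1", 40001, 22, 0, 0),                  # NULL scan probe, seq 0
    build_packet("10.0.0.9", "10.0.0.1", 40002, 80, 0, FIN | PSH | URG),    # Xmas probe
    build_packet("10.0.0.9", "10.0.0.1", 40003, 443, 123, SYN | FIN),       # SYN/FIN probe
    build_packet("10.0.0.7", "10.0.0.1", 51515, 22, 987654, SYN),           # ordinary SYN
]

if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE, scan_verdicts(SAMPLE)):
        seg = parse_ipv4_tcp(packet)
        print(f"{seg['src']}:{seg['sport']} -> {seg['dst']}:{seg['dport']} flags=0x{seg['flags']:02x} -> {verdict}")
```

The classifier keys on the flag combination, not on the sequence number: a scanner can choose any sequence number, so a filter that required seq 0 would be trivially evaded, whereas a segment with no flags at all has no legitimate use.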
CONFIGURING PORTS FOR IP SOURCE GUARD
Use the Security > IP Source Guard > Port Configuration page to set the filtering type based on source IP address, or on source IP address and MAC address pairs. IP Source Guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.

PARAMETERS
These parameters are displayed:
◆ Filter Type – Configures the switch to filter inbound traffic based on source IP address, or on source IP address and corresponding MAC address. (Default: None)
■ None – Disables IP source guard filtering on the port.
■ SIP – Enables traffic filtering based on IP addresses stored in the binding table.

CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD
Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated by a value of zero in the table.

4. Click Apply.
Figure 206: Configuring Static Bindings for IP Source Guard
To display static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Configuration.
2. Select Show from the Action list.
Figure 207: Displaying Static Bindings for IP Source Guard

DISPLAYING INFORMATION FOR
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.

◆ IP Address – A valid unicast IP address, including classful types A, B or C.
Dynamic Binding List
◆ VLAN – VLAN to which this entry is bound.
◆ MAC Address – Physical address associated with the entry.
◆ Interface – Port to which this entry is bound.
◆ IP Address – IP address corresponding to the client.
◆ Lease Time – The time for which this IP address is leased to the client.
WEB INTERFACE
To display the binding table for IP Source Guard:
1.
COMMAND USAGE
DHCP Snooping Process
◆ Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on a non-secure interface from outside the network or firewall. When DHCP snooping is enabled globally and enabled on a VLAN interface, DHCP messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped.

■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
■ If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
■ If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
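The binding table is what ties the two features together: DHCP snooping populates it from the leases it sees, and IP Source Guard (the Filter Type of SIP or SIP-MAC described under Configuring Ports for IP Source Guard above) checks data traffic on untrusted ports against it. The following added example, which is a model written for this page and not the switch's code, simulates both decisions on a small switch: the source-address check in SIP and SIP-MAC mode, the snooping rules that forward client messages from untrusted ports only to trusted ports and drop server messages arriving on untrusted ports, and the removal of dynamic bindings when snooping is disabled globally. Port names, VLANs and addresses are constructed; the manual's additional per-message checks such as MAC address verification are not modelled.

```python
"""Binding-table checks behind DHCP snooping and IP Source Guard.

Added example, not the switch's code: a small simulator of the decisions
the manual describes. Ports, VLANs and addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    vlan: int
    mac: str
    ip: str
    port: str
    lease: int = 0            # 0 = infinite lease, as shown for static entries


@dataclass
class Frame:
    port: str                 # ingress port
    vlan: int
    src_mac: str
    src_ip: str
    dhcp: Optional[str] = None  # "client", "server", or None for ordinary data traffic


class Switch:
    def __init__(self, ports: dict, isg_mode: Optional[dict] = None):
        self.ports = ports                  # port -> (vlan, trusted)
        self.isg_mode = isg_mode or {}      # port -> "none" | "sip" | "sip-mac"
        self.bindings = set()
        self.snooping_enabled = True

    def trusted(self, port: str) -> bool:
        return self.ports[port][1]

    def ports_in_vlan(self, vlan: int) -> list:
        return sorted(p for p, (v, _t) in self.ports.items() if v == vlan)

    def add_static_binding(self, vlan: int, mac: str, ip: str, port: str) -> None:
        self.bindings.add(Binding(vlan, mac, ip, port, 0))

    def learn_from_dhcp_ack(self, vlan: int, mac: str, ip: str, port: str, lease: int) -> None:
        """Dynamic binding recorded when snooping sees the ACK for a client on an untrusted port."""
        self.bindings.add(Binding(vlan, mac, ip, port, lease))

    def disable_snooping(self) -> None:
        """Disabling snooping globally removes every dynamic binding; static ones stay."""
        self.snooping_enabled = False
        self.bindings = {b for b in self.bindings if b.lease == 0}

    def isg_allows(self, frame: Frame) -> bool:
        """IP Source Guard: is this data frame's source bound to the ingress port?"""
        mode = self.isg_mode.get(frame.port, "none")
        if mode == "none":
            return True
        for b in self.bindings:
            if (b.vlan, b.port, b.ip) == (frame.vlan, frame.port, frame.src_ip):
                if mode == "sip" or b.mac == frame.src_mac:
                    return True
        return False                          # spoofed IP (or MAC in sip-mac mode): dropped

    def dhcp_forward_to(self, frame: Frame) -> list:
        """Egress ports for a DHCP message under snooping; [] means dropped."""
        others = [p for p in self.ports_in_vlan(frame.vlan) if p != frame.port]
        if not self.snooping_enabled:
            return others
        if frame.dhcp == "server" and not self.trusted(frame.port):
            return []                         # rogue server behind an untrusted port
        if frame.dhcp == "client" and not self.trusted(frame.port):
            return [p for p in others if self.trusted(p)]   # clients only reach trusted ports
        return others                         # from a trusted port: trusted and untrusted alike


def build_demo_switch() -> Switch:
    """Constructed topology: 1/1 uplink to the DHCP server (trusted), hosts on 1/2 and 1/3."""
    sw = Switch({"1/1": (10, True), "1/2": (10, False), "1/3": (10, False), "1/4": (20, False)},
                {"1/2": "sip-mac", "1/3": "sip"})
    sw.add_static_binding(10, "00:11:22:33:44:55", "10.0.10.20", "1/2")
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    print("client DISCOVER on 1/2 goes to", sw.dhcp_forward_to(Frame("1/2", 10, "00:11:22:33:44:55", "0.0.0.0", "client")))
    print("server OFFER on untrusted 1/3 goes to", sw.dhcp_forward_to(Frame("1/3", 10, "de:ad:be:ef:00:03", "10.0.10.99", "server")))
    print("spoofed 10.0.10.1 from 1/2 allowed?", sw.isg_allows(Frame("1/2", 10, "00:11:22:33:44:55", "10.0.10.1")))
```

Note what SIP mode does not check: once an IP address is bound to a port, any MAC address on that port may use it, so SIP-MAC is the mode to choose where a host could spoof a neighbour's MAC as well as its IP.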
DHCP packets, keep the existing information, or replace it with the switch's relay information.

DHCP SNOOPING CONFIGURATION
Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
CLI REFERENCES
◆ "DHCP Snooping" on page 946
PARAMETERS
These parameters are displayed:
◆ DHCP Snooping Status – Enables DHCP snooping globally.

4. Click Apply.
Figure 209: Configuring Global Settings for DHCP Snooping

DHCP SNOOPING VLAN CONFIGURATION
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
CLI REFERENCES
◆ "ip dhcp snooping vlan" on page 952
COMMAND USAGE
◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.

WEB INTERFACE
To configure DHCP Snooping on a VLAN:
1. Click Security, IP Source Guard, DHCP Snooping.
2. Select Configure VLAN from the Step list.
3. Enable DHCP Snooping on any existing VLAN.
4. Click Apply.
Figure 210: Configuring DHCP Snooping on a VLAN

CONFIGURING PORTS FOR DHCP SNOOPING
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.

WEB INTERFACE
To configure the port mode for DHCP Snooping:
1. Click Security, IP Source Guard, DHCP Snooping.
2. Select Configure Interface from the Step list.
3. Set any ports within the local network or firewall to trusted. Only ports leading to the legitimate DHCP server or to other switches should be trusted; host-facing ports should stay untrusted so that server replies injected there are dropped.
4. Click Apply.
Figure 211: Configuring the Port Mode for DHCP Snooping

DISPLAYING DHCP SNOOPING BINDING
Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.

◆ Store – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
◆ Clear – Removes all dynamically learned snooping entries from flash memory.
14 BASIC ADMINISTRATION PROTOCOLS
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
CHAPTER 14 | Basic Administration Protocols Configuring Event Logging
The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory. The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM.
CLI REFERENCES
◆ "Event Logging" on page 798
PARAMETERS
These parameters are displayed:
◆ System Log Status – Enables/disables the logging of debug or error messages to the logging process.

3. Enable or disable system logging, and set the level of event messages to be logged to flash memory and to RAM.
4. Click Apply.
Figure 213: Configuring Settings for System Memory Logs
To show the error messages logged to system memory:
1. Click Administration, Log, System.
2. Select Show System Logs from the Step list.
3. Click RAM or Flash.
This page allows you to scroll through the logged system and event messages.

REMOTE LOG CONFIGURATION
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages at or below a specified level.
CLI REFERENCES
◆ "Event Logging" on page 798
PARAMETERS
These parameters are displayed:
◆ Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process.

Figure 215: Configuring Settings for Remote Logging of Error Messages

SENDING SIMPLE MAIL TRANSFER PROTOCOL ALERTS
Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.

WEB INTERFACE
To configure SMTP alert messages:
1. Click Administration, Log, SMTP.
2. Enable SMTP, select the minimum severity level, specify the source and destination email addresses, and add one or more SMTP servers.
3. Click Apply.
SETTING LLDP TIMING ATTRIBUTES
Use the Administration > LLDP (Configure Global) page to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB.

should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss.
◆ MED Fast Start Count – Configures the number of LLDP-MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.

CONFIGURING LLDP INTERFACE ATTRIBUTES
Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.

Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.

◆ Max Frame Size – The maximum frame size. (See "Configuring Support for Jumbo Frames" on page 132 for information on configuring the maximum frame size for this switch.)
◆ MAC/PHY Configuration/Status – The MAC/PHY configuration and status, which includes information about auto-negotiation support/capabilities and the operational Medium Attachment Unit (MAU) type.

Figure 218: Configuring LLDP Interface Attributes

DISPLAYING LLDP LOCAL DEVICE INFORMATION
Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
Table 24: Chassis ID Subtype (Continued)
ID Basis            Reference
Interface name      ifName (IETF RFC 2863)
Locally assigned    locally assigned

◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ System Name – A string that indicates the system's administratively assigned name (see "Displaying System Information" on page 129).

WEB INTERFACE
To display LLDP information for the local device:
1. Click Administration, LLDP.
2. Select Show Local Device Information from the Step list.
3. Select General, Port, or Trunk.
PARAMETERS
These parameters are displayed:
Port
◆ Local Port – The local port to which a remote LLDP-capable device is attached.
◆ Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
◆ Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted.

Table 26: Port ID Subtype (Continued)
ID Basis            Reference
MAC address         MAC address (IEEE Std 802-2001)
Network address     networkAddress
Interface name      ifName (IETF RFC 2863)
Agent circuit ID    agent circuit ID (IETF RFC 3046)
Locally assigned    locally assigned

◆ Port Description – A string that indicates the port's description. If RFC 2863 is implemented, the ifDescr object should be used for this field.
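The Chassis ID and Port ID fields shown on these pages are the first two TLVs of every LLDPDU, each carrying a one-octet subtype from the tables above followed by the identifier itself. The following added example, written for this page rather than taken from the manual or the switch, parses the TLV stream of an LLDPDU (IEEE 802.1AB: a 7-bit type and 9-bit length in a two-octet header) and renders the two identifiers according to their subtype. The sample LLDPDU, its addresses and the port name "1/3" are constructed.

```python
"""Decode the Chassis ID and Port ID TLVs of an LLDP data unit.

Added example, not from the switch manual. TLV format and subtype codes are
those of IEEE 802.1AB; the sample LLDPDU is constructed by hand.
"""
import struct

CHASSIS_SUBTYPES = {1: "chassis component", 2: "interface alias", 3: "port component",
                    4: "MAC address", 5: "network address", 6: "interface name", 7: "locally assigned"}
PORT_SUBTYPES = {1: "interface alias", 2: "port component", 3: "MAC address", 4: "network address",
                 5: "interface name", 6: "agent circuit ID", 7: "locally assigned"}


def iter_tlvs(data: bytes):
    """Yield (type, value) pairs; stop at the End-of-LLDPDU TLV (type 0)."""
    off = 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack("!H", data[off:off + 2])
        ttype, length = hdr >> 9, hdr & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) < length:
            raise ValueError("truncated TLV")      # never trust the length field blindly
        yield ttype, value
        if ttype == 0:
            return
        off += 2 + length


def render_id(value: bytes, table: dict) -> tuple:
    """Decode an identifier TLV value: one subtype octet, then the identifier."""
    if not value:
        raise ValueError("empty identifier TLV")
    subtype, raw = value[0], value[1:]
    basis = table.get(subtype, "reserved")
    if basis == "MAC address" and len(raw) == 6:
        return basis, raw.hex(":")
    if basis == "network address" and raw[:1] == b"\x01" and len(raw) == 5:   # IANA AFN 1 = IPv4
        return basis, ".".join(str(b) for b in raw[1:])
    return basis, raw.decode("ascii", "replace")


def parse_lldpdu(data: bytes) -> dict:
    """Extract the fields the Show Remote Device Information page displays."""
    out = {}
    for ttype, value in iter_tlvs(data):
        if ttype == 1:
            out["chassis_id"] = render_id(value, CHASSIS_SUBTYPES)
        elif ttype == 2:
            out["port_id"] = render_id(value, PORT_SUBTYPES)
        elif ttype == 3:
            (out["ttl"],) = struct.unpack("!H", value[:2])
        elif ttype == 4:
            out["port_description"] = value.decode("ascii", "replace")
        elif ttype == 5:
            out["system_name"] = value.decode("ascii", "replace")
    for key in ("chassis_id", "port_id", "ttl"):
        if key not in out:
            raise ValueError(f"mandatory TLV missing: {key}")   # 802.1AB requires all three
    return out


def tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!H", (ttype << 9) | len(value)) + value


# Constructed LLDPDU as a neighbouring switch might send it.
SAMPLE_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("00aabbccddee"))   # Chassis ID, subtype 4 = MAC address
    + tlv(2, b"\x05" + b"1/3")                        # Port ID, subtype 5 = interface name
    + tlv(3, b"\x00\x78")                             # TTL 120 s
    + tlv(4, b"uplink to core")                       # Port Description
    + tlv(5, b"GTL-2691")                             # System Name
    + tlv(0, b""))                                    # End of LLDPDU

if __name__ == "__main__":
    for k, v in parse_lldpdu(SAMPLE_LLDPDU).items():
        print(f"{k:17} {v}")
```

LLDP carries no authentication: anything a neighbour advertises (system name, port description, management address) is taken at face value, so on ports facing untrusted hosts it is worth leaving LLDP receive disabled and reviewing what the switch itself transmits there.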
Port Details – 802.3 Extension Port Information
◆ Remote Port Auto-Neg Supported – Shows whether the given port (associated with the remote system) supports auto-negotiation.
◆ Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the ifMauAutoNegCapAdvertisedBits object (defined in IETF RFC 3636) which is associated with a port on the remote system.

◆ Remote Power Pairs – "Signal" means that only the signal pairs are in use, and "Spare" means that only the spare pairs are in use.
◆ Remote Power MDI Supported – Shows whether MDI power is supported on the given port associated with the remote system.
◆ Remote Power Pair Controllable – Indicates whether the pair selection can be controlled for sourcing power on the given port associated with the remote system.

Figure 221: Displaying Remote Device Information for LLDP (Port)
Figure 222: Displaying Remote Device Information for LLDP (Port Details)

DISPLAYING DEVICE STATISTICS
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.

PARAMETERS
These parameters are displayed:
General Statistics on Remote Devices
◆ Neighbor Entries List Last Updated – The time the LLDP neighbor entry list was last updated.
◆ New Neighbor Entries Count – The number of LLDP neighbors for which the remote TTL has not yet expired.
◆ Neighbor Entries Deleted Count – The number of LLDP neighbors which have been removed from the LLDP remote systems MIB for any reason.

Figure 223: Displaying LLDP Device Statistics (General)
Figure 224: Displaying LLDP Device Statistics (Port)

SIMPLE NETWORK MANAGEMENT PROTOCOL
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.

as well as the traffic passing through its ports. A network management station can access this information using network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.

COMMAND USAGE
Configuring SNMPv1/2c Management Access
To configure SNMPv1 or v2c management access to the switch, follow these steps:
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure User - Add Community) page to configure the community strings authorized for management access.
3.
PARAMETERS
These parameters are displayed:
◆ Agent Status – Enables SNMP on the switch. (Default: Enabled)
◆ Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled) Leaving this enabled gives the management station an early signal of community-string guessing.
◆ Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken.

ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users.
PARAMETERS
These parameters are displayed:
◆ Engine ID – A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters is specified, a trailing zero is added to the value to fill in the last octet.

COMMAND USAGE
◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it. (See "Configuring Remote SNMPv3 Users" on page 442.
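The two statements above, that users are cleared when the engine ID changes and that passwords are localized with the engine ID, describe the same mechanism: the user's stored key is derived from the password and the engine ID, so a new engine ID invalidates every key. The added example below (not from the manual or the switch, written to show the standard RFC 3414 procedure) implements the Configure Engine page's rule for parsing an engine ID entered as 9 to 64 hexadecimal characters, with odd-length input padded by a trailing zero, and the password-to-key algorithm with engine ID localization for the MD5 and SHA authentication protocols offered under Configuring Local SNMPv3 Users. The "maplesyrup" password and the all-zero engine ID ending in 02 are the test vectors from RFC 3414 Appendix A; the other engine ID is constructed.

```python
"""SNMPv3 engine ID parsing and USM password-to-key localization (RFC 3414).

Added example, not from the switch manual. The "maplesyrup" vectors are from
RFC 3414 Appendix A.3; the other engine ID below is constructed.
"""
import hashlib

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def parse_engine_id(hex_chars: str) -> bytes:
    """Apply the Configure Engine page's rule: 9-64 hex characters, odd length padded with a 0."""
    s = "".join(hex_chars.split()).lower()
    if not 9 <= len(s) <= 64 or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("engine ID must be 9 to 64 hexadecimal characters")
    if len(s) % 2:
        s += "0"                      # trailing zero fills the last octet
    return bytes.fromhex(s)


def password_to_key(password: str, engine_id: bytes, auth: str = "md5") -> bytes:
    """RFC 3414 A.2: hash 1 MiB of repeated password, then localize with the engine ID."""
    if len(password) < 8:
        raise ValueError("SNMPv3 passwords must be at least eight characters")
    h = HASHES[auth]
    pw = password.encode()
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    ku = h(expanded).digest()                       # user key, independent of the agent
    return h(ku + engine_id + ku).digest()          # localized key: what the agent stores


def localized_keys(password: str, engine_ids, auth: str = "md5") -> dict:
    """Localized key per engine ID, showing why an engine ID change invalidates every user."""
    return {eid: password_to_key(password, parse_engine_id(eid), auth).hex() for eid in engine_ids}


RFC_ENGINE_ID = "000000000000000000000002"          # RFC 3414 A.3 test engine ID
CONSTRUCTED_ENGINE_ID = "80000009030000aabbccdd"    # constructed: enterprise 9, MAC-based format

if __name__ == "__main__":
    for eid, key in localized_keys("maplesyrup", [RFC_ENGINE_ID, CONSTRUCTED_ENGINE_ID]).items():
        print(f"engine {eid}: MD5 localized key {key}")
    print("SHA:", password_to_key("maplesyrup", parse_engine_id(RFC_ENGINE_ID), "sha").hex())
```

The same localized key also seeds the privacy key for DES on this switch, so a short or guessable password weakens both authentication and encryption; the eight-character minimum the user page enforces is a floor, not a recommendation.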
Figure 228: Showing Remote Engine IDs for SNMP

SETTING SNMPV3 VIEWS
Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree. The predefined view "defaultview" includes access to the entire MIB tree.

3. Select Add View from the Action list.
4. Enter a view name and specify the initial OID subtree in the switch's MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
5. Click Apply.
Figure 229: Creating an SNMP View
To show the SNMP views of the switch's MIB database:
1. Click Administration, SNMP.
2.

5. Click Apply.
Figure 231: Adding an OID Subtree to an SNMP View
To show the OID branches configured for the SNMP views of the switch's MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Show OID Subtree from the Action list.
4. Select a view name from the list of existing views.
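A view is a list of OID subtrees, each marked included or excluded, and a request is permitted when the most specific subtree covering its OID is an included one. The added example below (not from the manual; the view and group names are constructed, and the subtree masks of the full VACM model are left out because this page does not mention them) implements that rule and shows how a group's read and write views decide Get and Set requests. Object identifiers used are standard: mib-2 (1.3.6.1.2.1), sysDescr, sysContact, ifAdminStatus, the bridge MIB (1.3.6.1.2.1.17) and its dot1dTpFdbTable, and the USM user table (1.3.6.1.6.3.15.1.2.2).

```python
"""SNMP view and group access checks, in the style of RFC 3415 VACM.

Added example, not from the switch manual. View names, group names and the
choice of subtrees below are constructed for illustration.
"""


def oid_tuple(oid: str) -> tuple:
    return tuple(int(x) for x in oid.strip(".").split("."))


class SnmpView:
    """A list of (subtree, included) entries; the longest matching subtree decides."""

    def __init__(self, name: str):
        self.name, self.subtrees = name, []

    def add_subtree(self, oid: str, included: bool = True):
        self.subtrees.append((oid_tuple(oid), included))
        return self

    def allows(self, oid: str) -> bool:
        o, best = oid_tuple(oid), None
        for prefix, included in self.subtrees:
            if o[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
                best = (prefix, included)
        return bool(best and best[1])           # no covering subtree at all: denied


class SnmpGroup:
    """Maps operations to the group's read, write and notify views."""

    def __init__(self, name: str, read=None, write=None, notify=None):
        self.name, self.read, self.write, self.notify = name, read, write, notify

    def permits(self, op: str, oid: str) -> bool:
        view = {"get": self.read, "getnext": self.read, "getbulk": self.read,
                "set": self.write, "trap": self.notify}.get(op)
        return view is not None and view.allows(oid)


# The switch's predefined view covers the whole tree, including the USM user table.
DEFAULT_VIEW = SnmpView("defaultview").add_subtree("1")

# Constructed views: read all of mib-2 except the bridge MIB, but allow the forwarding
# table back in; write only ifAdminStatus (so ports can be shut, nothing else changed).
NETOPS_READ = (SnmpView("netops-read")
               .add_subtree("1.3.6.1.2.1")                       # mib-2
               .add_subtree("1.3.6.1.2.1.17", included=False)    # dot1dBridge excluded
               .add_subtree("1.3.6.1.2.1.17.4.3"))               # dot1dTpFdbTable re-included
NETOPS_WRITE = SnmpView("netops-write").add_subtree("1.3.6.1.2.1.2.2.1.7")   # ifAdminStatus

NETOPS = SnmpGroup("netops", read=NETOPS_READ, write=NETOPS_WRITE)
PUBLIC = SnmpGroup("public", read=DEFAULT_VIEW)


def decisions(group: SnmpGroup, requests) -> list:
    """Evaluate (op, oid) pairs; returns the list of booleans in order."""
    return [group.permits(op, oid) for op, oid in requests]


if __name__ == "__main__":
    for op, oid in [("get", "1.3.6.1.2.1.1.1.0"), ("get", "1.3.6.1.2.1.17.1.1.0"),
                    ("get", "1.3.6.1.2.1.17.4.3.1.1.0.1.2.3.4.5.6"), ("set", "1.3.6.1.2.1.2.2.1.7.3"),
                    ("set", "1.3.6.1.2.1.1.4.0"), ("get", "1.3.6.1.6.3.15.1.2.2.1.3")]:
        print(f"netops {op:4} {oid:40} -> {NETOPS.permits(op, oid)}")
```

The last check is the reason the manual suggests replacing the defaults: a group bound to defaultview can walk the USM user table and the VACM tables themselves, so even a read-only community reveals the names of every SNMPv3 user.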
CONFIGURING SNMPV3 GROUPS
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 29: Supported Notification Messages
Notification                OID                                      Description
newRoot                     1.3.6.1.2.1.17.0.1                       The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange              1.3.6.1.2.1.17.0.

Table 29: Supported Notification Messages (Continued)
Notification                OID                                      Description
swPowerStatusChangeTrap     1.3.6.1.4.1.22426.1.269101.2.1.0.1       This trap is sent when the power state changes.
swPortSecurityTrap          1.3.6.1.4.1.22426.1.269101.2.1.0.36      This trap is sent when an intrusion is detected on the port. This trap will only be sent when portSecActionTrap is enabled.
swIpFilterRejectTrap        1.3.6.1.4.1.22426.1.269101.2.1.0.
WEB INTERFACE
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply.
Figure 233: Creating an SNMP Group
To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.

SETTING COMMUNITY ACCESS STRINGS
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings, which are widely known; community strings also travel in clear text, so SNMPv1/v2c access should be confined to the management network.

To show the community access strings:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show Community from the Action list.

■ AuthPriv – SNMP communications use both authentication and encryption.
◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
◆ Authentication Password – A minimum of eight plain text characters is required.
◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. DES with a 56-bit key is no longer considered adequate, so AuthPriv with SHA should be paired with access restricted to the management network rather than relied on to protect management traffic crossing untrusted paths.
To show local SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Local User from the Action list.
Figure 238: Showing Local SNMPv3 Users

CONFIGURING REMOTE SNMPV3 USERS
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name.

◆ Security Level – The following security levels are only used for groups assigned to the SNMPv3 security model:
■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default security level.)
■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
■ AuthPriv – SNMP communications use both authentication and encryption.

Figure 239: Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
SPECIFYING TRAP MANAGERS
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).

PARAMETERS
These parameters are displayed:
SNMP Version 1
◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (Default: v1)
◆ Community String – Specifies a valid community string for the new trap manager entry.

SNMP Version 3
◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
◆ Notification Type
■ Traps – Notifications are sent as trap messages.
■ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts.

WEB INTERFACE
To configure trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Add from the Action list.
4. Fill in the required parameters based on the selected SNMP version.
5.

Figure 243: Configuring Trap Managers (SNMPv3)
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
Figure 244: Showing Trap Managers

CREATING SNMP NOTIFICATION LOGS
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
COMMAND USAGE
◆ Systems that support SNMP often need a mechanism for recording notification information as a hedge against lost notifications, whether Traps that are not acknowledged or Informs that exceed their retransmission limits. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.

4. Fill in the IP address of a configured trap manager and the filter profile name.
5. Click Apply.
Figure 245: Creating SNMP Notification Logs
To show configured SNMP notification logs:
1. Click Administration, SNMP.
2. Select Configure Notify Filter from the Step list.
3. Select Show from the Action list.

◆ Unknown community name – The total number of SNMP messages delivered to the SNMP entity which used an SNMP community name not known to that entity.
◆ Illegal operation for community name supplied – The total number of SNMP messages delivered to the SNMP entity which represented an SNMP operation that was not allowed by the SNMP community named in the message.
◆ Encoding errors – The total number of ASN.

◆ Response PDUs – The total number of SNMP Get-Response PDUs which have been accepted and processed by, or generated by, the SNMP protocol entity.
◆ Trap PDUs – The total number of SNMP Trap PDUs which have been accepted and processed by, or generated by, the SNMP protocol entity.
To show SNMP statistics:
1. Click Administration, SNMP.
2. Select Show Statistics from the Step list.
a trap message to the management agent which can then respond to the event if so configured.

CONFIGURING RMON ALARMS
Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events.

threshold, and again moves back up to the rising threshold. (Range: 1-65535)
◆ Rising Event Index – The index of the event to use if an alarm is triggered by monitored variables reaching or crossing above the rising threshold. If there is no corresponding entry in the event control table, then no event will be generated.

Figure 248: Configuring an RMON Alarm
To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.

CONFIGURING RMON EVENTS
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
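The interaction between the rising and falling thresholds of an alarm and the event it points to is easiest to see in code. The following added example (not from the manual; written to the semantics of the RMON alarmTable in RFC 2819) models one alarm entry: a sample is taken as an absolute value or as the delta from the previous sample, a rising event fires when the value reaches the rising threshold, no further rising event is generated until the value has dropped to the falling threshold and fired a falling event, and, as the text above says, an alarm whose Rising Event Index has no entry in the event table generates nothing. The event actions, thresholds and sample values are constructed.

```python
"""RMON alarm hysteresis and event dispatch, after RFC 2819 alarmTable/eventTable.

Added example, not from the switch manual. Thresholds, event entries and the
sample series below are constructed.
"""
from typing import Optional


class RmonAlarm:
    def __init__(self, rising: int, falling: int, rising_event: int, falling_event: int,
                 events: dict, sample_type: str = "absolute", startup: str = "rising-or-falling"):
        if rising < falling:
            raise ValueError("rising threshold must not be below the falling threshold")
        if sample_type not in ("absolute", "delta") or startup not in ("rising", "falling", "rising-or-falling"):
            raise ValueError("bad sample type or startup alarm")
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.events = events                  # event index -> (action, description)
        self.sample_type, self.startup = sample_type, startup
        self.prev_raw = None                  # last raw reading, for delta sampling
        self.state = None                     # "rising" / "falling" / None (between thresholds)
        self.started = False

    def _fire(self, which: str) -> Optional[tuple]:
        idx = self.rising_event if which == "rising" else self.falling_event
        return self.events.get(idx)           # no entry in the event table: nothing generated

    def sample(self, raw: int) -> Optional[tuple]:
        """Feed one reading; return the event entry that fires, or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:
                self.prev_raw = raw
                return None                   # a delta needs two readings
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw
        if not self.started:                  # first comparison: startup alarm rules apply
            self.started = True
            if value >= self.rising:
                self.state = "rising"
                return self._fire("rising") if self.startup != "falling" else None
            if value <= self.falling:
                self.state = "falling"
                return self._fire("falling") if self.startup != "rising" else None
            return None
        if value >= self.rising and self.state != "rising":
            self.state = "rising"             # armed: no more rising events until a falling one
            return self._fire("rising")
        if value <= self.falling and self.state != "falling":
            self.state = "falling"
            return self._fire("falling")
        return None


def run_alarm(alarm: RmonAlarm, readings) -> list:
    return [alarm.sample(v) for v in readings]


# Constructed event table: index -> (action, description), as on the Configure Event page.
EVENTS = {
    1: ("log-and-trap", "utilisation crossed above the rising threshold"),
    2: ("log", "utilisation fell back to the falling threshold"),
}

if __name__ == "__main__":
    alarm = RmonAlarm(rising=80, falling=60, rising_event=1, falling_event=2, events=EVENTS)
    for reading, fired in zip([70, 85, 90, 70, 85, 55, 61, 82], run_alarm(alarm, [70, 85, 90, 70, 85, 55, 61, 82])):
        print(f"{reading:4} -> {fired}")
```

The run in the main block shows the hysteresis: 85 fires the rising event, 90 and the return to 85 do not, 55 fires the falling event, and only then does 82 fire rising again. With the falling threshold set close to the rising one, an oscillating counter produces a trap on nearly every sample, which is exactly the flood the two-threshold design exists to prevent.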
WEB INTERFACE
To configure an RMON event:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Click Event.
5. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
6.

Figure 251: Showing Configured RMON Events

CONFIGURING RMON HISTORY SAMPLES
Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems.

◆ Owner – Name of the person who created this entry. (Range: 1-127 characters)
WEB INTERFACE
To periodically sample statistics on a port:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Add from the Action list.
4. Click History.
5. Select a port from the list as the data source.
6. Enter an index number, the sampling interval, the number of buckets to use, and the name of the owner for this entry.

Figure 253: Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Click History.
5. Select a port from the list.

CONFIGURING RMON STATISTICAL SAMPLES
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
CLI REFERENCES
◆ "Remote Monitoring Commands" on page 847
COMMAND USAGE
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.

Figure 255: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Click Statistics.
5. Select a port from the list.
Figure 256: Showing Configured RMON Statistical Samples
To show collected RMON statistical samples:
1. Click Administration, RMON.
2.
CHAPTER 14 | Basic Administration Protocols Ethernet Ring Protection Switching

Figure 257: Showing Collected RMON Statistical Samples

ETHERNET RING PROTECTION SWITCHING

NOTE: Information in this section is based on ITU-T G.8032/Y.1344.

The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links.

blocking traffic over the RPL. When a ring failure occurs, the RPL owner is responsible for unblocking the RPL, allowing this link to be used for traffic.

Ring nodes may be in one of two states:
Idle – normal operation, no link/node faults detected in the ring
Protection – protection switching in effect after identifying a signal fault

In Idle state, the physical topology has all nodes connected in a ring.

Configuration Guidelines for ERPS
1. Create an ERPS ring (Configure Domain – Add): The ring name is used as an index in the G.8032 database.
2. Configure the east and west interfaces (Configure Domain – Configure Details): Each node on the ring connects to it through two ring ports. Configure one port connected to the next node in the ring to the east (or clockwise direction) and another port facing west in the ring.
3.

◆ Ring ports cannot be a member of a dynamic trunk.
◆ Dynamic VLANs are not supported as protected data ports.
◆ Exclusive use of STP, EAPS or ERPS on any port.
◆ The switch takes about 350 ms to detect link-up on 1000Base-T copper ports, so the convergence time on this port type is more than 50 ms.
◆ One VLAN must be added to an EAPS domain as the CVLAN.

ERPS RING CONFIGURATION
Use the Administration > ERPS (Configure Domain) pages to configure ERPS rings.

CLI REFERENCES
◆ "ERPS Commands" on page 1089

COMMAND USAGE
◆ An ERPS ring containing one Control VLAN and one or more protected Data VLANs must be configured, and the global ERPS function enabled on the switch (see "ERPS Configuration" on page 467) before a ring can start running.

Configure Details
◆ Domain Name – Name of a configured ERPS ring.
◆ Admin Status – Activates the current ERPS ring. Before enabling a ring, the global ERPS function should be enabled (see "ERPS Configuration" on page 467), the east and west ring ports configured on each node, the RPL owner specified, and the control VLAN configured.
◆ RPL Owner – Configures a ring node to be the Ring Protection Link (RPL) owner.
◆ Holdoff Timer – The hold-off timer is used to filter out intermittent link faults. Faults will only be reported to the ring protection mechanism if this timer expires. (Range: 0-10000 milliseconds, in steps of 100 milliseconds) In order to coordinate timing of protection switches at multiple layers, a hold-off timer may be required.

Control VLAN must be tagged. Failure to observe these restrictions can result in a loop in the network. Once the ring has been activated, the configuration of the control VLAN cannot be modified. Use the Admin Status parameter to stop the ERPS ring before making any configuration changes to the control VLAN.
◆ Propagate TC – Enables propagation of topology change messages from a secondary ring to the primary ring.

Figure 260: Creating an ERPS Ring

To configure the ERPS parameters for a ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Configure Details from the Action list.
4. Configure the ERPS parameters for this node. Note that spanning tree protocol cannot be configured on the ring ports, nor can these ports be members of a static or dynamic trunk.

Figure 262: Creating an ERPS Ring (Secondary Ring)

To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
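The following is an added example, not part of this manual and not the switch's G.8032 implementation, that models the ring behaviour described above: in Idle state the RPL owner blocks the RPL so the ring has no Layer 2 loop; a signal fail that outlasts the hold-off timer moves the ring to Protection, the nodes adjacent to the fault block it and the owner unblocks the RPL; on recovery the owner re-blocks the RPL. The model simplifies the protocol (no R-APS messages, no wait-to-restore timer, a fault is given as a duration rather than timed live) and uses a constructed four-node ring; `reachable()` and `is_loop_free()` are the checks that matter when validating a ring design.

```python
from collections import deque
from typing import FrozenSet, Iterable, Set

Link = FrozenSet[str]


def link(a: str, b: str) -> Link:
    """A ring link is an unordered pair of node names."""
    return frozenset((a, b))


class ErpsRing:
    """Simplified G.8032 ring: one RPL owner, Idle/Protection states, hold-off.

    Constructed model, not the switch's implementation. Nodes are listed in
    ring (east-going) order; every node's east port links it to the next node.
    """

    def __init__(self, nodes: Iterable[str], rpl: Link, rpl_owner: str,
                 holdoff_ms: int = 0):
        if holdoff_ms % 100 or not 0 <= holdoff_ms <= 10000:
            raise ValueError("hold-off must be 0-10000 ms in steps of 100 ms")
        self.nodes = list(nodes)
        n = len(self.nodes)
        self.links: Set[Link] = {link(self.nodes[i], self.nodes[(i + 1) % n])
                                 for i in range(n)}
        if rpl not in self.links or rpl_owner not in rpl:
            raise ValueError("RPL must be a ring link adjacent to its owner")
        self.rpl = rpl
        self.rpl_owner = rpl_owner
        self.holdoff_ms = holdoff_ms
        self.failed: Set[Link] = set()
        self.blocked: Set[Link] = {rpl}   # Idle: the owner blocks the RPL
        self.state = "Idle"

    def signal_fail(self, lnk: Link, fault_duration_ms: int) -> bool:
        """A link fault lasting fault_duration_ms. Faults shorter than the
        hold-off timer are filtered out and never reported to the ring."""
        if lnk not in self.links:
            raise ValueError("not a ring link")
        if fault_duration_ms < self.holdoff_ms:
            return False
        self.failed.add(lnk)
        self.blocked.add(lnk)            # nodes adjacent to the fault block it
        self.blocked.discard(self.rpl)   # RPL owner unblocks the RPL
        self.state = "Protection"
        return True

    def link_restored(self, lnk: Link) -> None:
        """Revertive recovery: once no fault remains, the owner re-blocks the RPL."""
        self.failed.discard(lnk)
        self.blocked.discard(lnk)
        if not self.failed:
            self.blocked = {self.rpl}
            self.state = "Idle"

    def forwarding_links(self) -> Set[Link]:
        return self.links - self.blocked - self.failed

    def reachable(self, start: str) -> Set[str]:
        """Nodes reachable from 'start' over links that currently forward."""
        seen, todo = {start}, deque([start])
        while todo:
            node = todo.popleft()
            for lnk in self.forwarding_links():
                if node in lnk:
                    (other,) = lnk - {node}
                    if other not in seen:
                        seen.add(other)
                        todo.append(other)
        return seen

    def is_loop_free(self) -> bool:
        """A ring in which every link forwards is a Layer 2 loop."""
        return len(self.forwarding_links()) < len(self.links)

    def fully_connected(self) -> bool:
        return self.reachable(self.nodes[0]) == set(self.nodes)


if __name__ == "__main__":
    ring = ErpsRing(["A", "B", "C", "D"], link("A", "D"), "A", holdoff_ms=100)
    print(ring.state, ring.is_loop_free(), ring.fully_connected())
    ring.signal_fail(link("B", "C"), 500)
    print(ring.state, ring.is_loop_free(), ring.fully_connected())
```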
CHAPTER 14 | Basic Administration Protocols Connectivity Fault Management

CONNECTIVITY FAULT MANAGEMENT
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loopback messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.

the DSAPs within an MA, and may also include interconnection points in lower-level domains if exposed by CFM settings. The following figure shows a single Maintenance Domain, with DSAPs located on the domain boundary, and Internal Service Access Points (ISAPs) inside the domain through which frames may pass between the DSAPs.

distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.

Basic CFM Operations
CFM uses standard Ethernet frames for sending protocol messages. Both the source and destination address for these messages are based on unicast or multicast MAC addresses, and therefore confined to a single Layer 2 CFM service VLAN.

3. Configure the local maintenance end points (MEPs) which will serve as the domain service access points for the specified maintenance association using the MEP List (see "Configuring CFM Maintenance Associations").
4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the Remote MEP List (see "Configuring Remote Maintenance End Points").

Domains"), Configure MA page (see "Configuring CFM Maintenance Associations"), and the Configure MEP page (see "Configuring Maintenance End Points"). When CFM is enabled, hardware resources are allocated for CFM processing.
◆ MEP Cross Check Start Delay – Sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation.

Continuity Check Errors
◆ Connectivity Check Config – Sends a trap if this device receives a continuity check message (CCM) with the same maintenance end point identifier (MPID) as its own but with a different source MAC address, indicating that a CFM configuration error exists.

WEB INTERFACE
To configure global settings for CFM:
1. Click Administration, CFM.
2. Select Configure Global from the Step list.
3. Before enabling CFM processing on the switch, first configure the required CFM domains, maintenance associations, and static MEPs.

CONFIGURING INTERFACES FOR CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.

CLI REFERENCES
◆ "ethernet cfm port-enable" on page 1321

COMMAND USAGE
◆ An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").

CLI REFERENCES
◆ "CFM Commands" on page 1309

COMMAND USAGE
Configuring General Settings
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.

The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List.

Configuring Fault Notification
◆ A fault alarm can generate an SNMP notification.

PARAMETERS
These parameters are displayed:
Creating a Maintenance Domain
◆ MD Index – Domain index. (Range: 1-65535)
◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters)
◆ MD Level – Authorized maintenance level for this domain.

3. Select Add from the Action list.
4. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains).
5. Specify the manner in which MIPs can be created within each domain.
6. Click Apply.

Figure 268: Configuring Maintenance Domains

To show the configured maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3.

To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from the MD Index.
5. Specify the MEP archive hold and MEP fault notification parameters.
6.

◆ Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 481).
◆ Before removing an MA, first remove the MEPs assigned to it (see "Configuring Maintenance End Points" on page 491).
◆ For a detailed description of the MIP types, refer to the Command Usage section under "Configuring CFM Maintenance Domains" on page 481.

◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA:
■ Default – MIPs can be created for this MA on any bridge port through which the MA’s VID can pass.
■ Explicit – MIPs can be created for this MA only on bridge ports through which the MA’s VID can pass, and only if a maintenance end point (MEP) is created at some lower MA Level.

◆ AIS Transmit Level – Configures the AIS maintenance level in an MA. (Range: 0-7; Default is 0) AIS Level must follow this rule: AIS Level >= Domain Level
◆ AIS Suppress Alarm – Enables/disables suppression of the AIS. (Default: Disabled)

WEB INTERFACE
To create a maintenance association:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Add from the Action list.
4.

Figure 272: Showing Maintenance Associations

To configure detailed settings for maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from MD Index and MA Index.
5. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
6.

CONFIGURING MAINTENANCE END POINTS
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.

6. Click Apply.

Figure 274: Configuring Maintenance End Points

To show the configured maintenance end points:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.

COMMAND USAGE
◆ All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross-check process.
◆ Remote MEPs can only be configured if local domain service access points (DSAPs) have already been created (see "Configuring Maintenance End Points") at the same maintenance level and in the same MA.

Figure 276: Configuring Remote Maintenance End Points

To show the configured remote maintenance end points:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.
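The following is an added example, not part of this manual and not the switch's CFM implementation, that ties together the continuity check database, the static remote MEP list and the cross-check operation described above. It classifies incoming CCMs the way the chapter's error checks do: a CCM carrying one of the device's own MEP IDs from a different source MAC is the "Connectivity Check Config" error, a CCM from a MEP that was never configured is an unexpected MEP, and a configured remote MEP that has not been heard from once the cross-check start delay has elapsed is reported missing. The 3.5 interval loss-of-continuity threshold is the IEEE 802.1ag value; the MAC addresses, MEP IDs and timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Ccm:
    """Fields of a continuity check message that matter here (constructed)."""
    md_level: int
    ma_name: str
    mep_id: int
    src_mac: str
    rx_time: float


class CfmMaintenanceAssociation:
    """Continuity check database for one MA, plus the static remote MEP list
    that the cross-check operation validates against. Constructed model.
    """
    LOSS_MULTIPLIER = 3.5   # 802.1ag loss-of-continuity threshold, in CCM intervals

    def __init__(self, md_level: int, ma_name: str, local_meps: Dict[int, str],
                 remote_mep_ids: List[int], ccm_interval_s: float,
                 crosscheck_start_delay_s: float):
        self.md_level = md_level
        self.ma_name = ma_name
        self.local_meps = dict(local_meps)          # local MEP ID -> own MAC
        self.remote: Dict[int, Optional[Ccm]] = {m: None for m in remote_mep_ids}
        self.ccm_interval_s = ccm_interval_s
        self.start_delay_s = crosscheck_start_delay_s
        self.enabled_at: Optional[float] = None
        self.events: List[tuple] = []               # what would be trapped/logged

    def enable(self, now: float) -> None:
        """Cross-check start delay counts from the moment the MA is enabled."""
        self.enabled_at = now

    def receive_ccm(self, ccm: Ccm) -> str:
        """Classify an incoming CCM the way the switch's error checks do."""
        if ccm.md_level != self.md_level or ccm.ma_name != self.ma_name:
            return "ignored"        # belongs to another domain or MA
        own_mac = self.local_meps.get(ccm.mep_id)
        if own_mac is not None:
            if ccm.src_mac == own_mac:
                return "own"        # our own CCM reflected back; harmless
            # same MPID as one of ours but a different source MAC:
            # the Connectivity Check Config error, which raises a trap
            self.events.append(("config_error", ccm.mep_id, ccm.src_mac))
            return "config_error"
        if ccm.mep_id not in self.remote:
            # a MEP nobody configured statically: cross-check flags it
            self.events.append(("unexpected_mep", ccm.mep_id, ccm.src_mac))
            return "unexpected_mep"
        self.remote[ccm.mep_id] = ccm
        return "ok"

    def crosscheck(self, now: float) -> Optional[List[int]]:
        """After the start delay, statically configured remote MEPs that have
        never sent a CCM are reported missing. None means 'not started yet'."""
        if self.enabled_at is None or now - self.enabled_at < self.start_delay_s:
            return None
        return sorted(m for m, c in self.remote.items() if c is None)

    def loss_of_continuity(self, now: float) -> List[int]:
        """Remote MEPs heard before but silent for more than 3.5 CCM intervals."""
        limit = self.LOSS_MULTIPLIER * self.ccm_interval_s
        return sorted(m for m, c in self.remote.items()
                      if c is not None and now - c.rx_time > limit)


def demo() -> dict:
    """Walk one MA through the checks using constructed CCMs."""
    ma = CfmMaintenanceAssociation(md_level=3, ma_name="cust-a",
                                   local_meps={1: "00:00:00:00:00:01"},
                                   remote_mep_ids=[2, 3], ccm_interval_s=1.0,
                                   crosscheck_start_delay_s=5.0)
    ma.enable(0.0)
    r1 = ma.receive_ccm(Ccm(3, "cust-a", 2, "00:00:00:00:00:02", 0.5))
    r2 = ma.receive_ccm(Ccm(3, "cust-a", 1, "00:00:00:00:00:99", 0.7))  # duplicate MPID
    r3 = ma.receive_ccm(Ccm(5, "cust-a", 2, "00:00:00:00:00:02", 0.8))  # wrong level
    return {"ok": r1, "config_error": r2, "ignored": r3,
            "events": list(ma.events),
            "crosscheck_early": ma.crosscheck(2.0),
            "crosscheck_missing": ma.crosscheck(6.0),
            "loc": ma.loss_of_continuity(10.0)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```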
◆ LTMs are sent as multicast CFM frames, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the LTM reaches its destination or can no longer be forwarded.
◆ LTMs are used to isolate faults. However, this task can be difficult in an Ethernet environment, since each node is connected through multipoint links.

5. Click Apply.
6. Check the results in the Link Trace cache (see "Displaying the Link Trace Cache").

Figure 278: Transmitting Link Trace Messages

TRANSMITTING LOOPBACK MESSAGES
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e.

◆ MA Index – MA identifier. (Range: 0-4094)
◆ Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191)
◆ Target
■ MEP ID – The identifier of a remote MEP that is the target of a loopback message. (Range: 1-8191)
■ MAC Address – MAC address of a remote MEP that is the target of a loopback message.

TRANSMITTING DELAY-MEASURE REQUESTS
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.

CLI REFERENCES
◆ "ethernet cfm delay-measure two-way" on page 1348

COMMAND USAGE
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.

◆ Count – The number of times to retry sending the message if no response is received before the specified timeout. (Range: 1-5; Default: 5)
◆ Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes; Default: 64 bytes)
◆ Interval – The transmission delay between delay-measure messages. (Range: 1-5 seconds; Default: 1 second)
◆ Timeout – The timeout to wait for a response.

DISPLAYING LOCAL MEPS
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.

CLI REFERENCES
◆ "show ethernet cfm maintenance-points local" on page 1325

PARAMETERS
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.

DISPLAYING DETAILS FOR LOCAL MEPS
Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database.

CLI REFERENCES
◆ "show ethernet cfm maintenance-points local detail mep" on page 1326

PARAMETERS
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier.

◆ Suppress Alarm – Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions.
◆ Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.

WEB INTERFACE
To show detailed information for the MEPs configured on this device:
1.

DISPLAYING LOCAL MIPS
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".)

CLI REFERENCES
◆ "show ethernet cfm maintenance-points local" on page 1325

PARAMETERS
These parameters are displayed:
◆ MD Name – Maintenance domain name.

DISPLAYING REMOTE MEPS
Use the Administration > CFM > Show Information (Show Remote MEP) page to show MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.

DISPLAYING DETAILS FOR REMOTE MEPS
Use the Administration > CFM > Show Information (Show Remote MEP Details) page to show detailed information for MEPs located on other devices which have been discovered through continuity check messages, or statically configured in the MEP database and verified through cross-check messages.

■ Down – The interface cannot pass packets.
■ Testing – The interface is in some test mode.
■ Unknown – The interface status cannot be determined for some reason.
■ Dormant – The interface is not in a state to pass packets but is in a pending state, waiting for some external event.
■ Not Present – Some component of the interface is missing.

DISPLAYING THE LINK TRACE CACHE
Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.

CLI REFERENCES
◆ "show ethernet cfm linktrace-cache" on page 1342
◆ "clear ethernet cfm linktrace-cache" on page 1342

PARAMETERS
These parameters are displayed:
◆ Hops – The number of hops taken to reach the target MEP.

■ EgrVid – The Egress Port can be identified, but the bridge port is not in the LTM’s VID member set, and was therefore filtered by egress filtering.
◆ Reply – Reply action:
■ FDB – Target address found in forwarding database.
■ MPDB – Target address found in the maintenance point database.
■ HIT – Target located on this device.

WEB INTERFACE
To show information about link trace operations launched from this device:
1.
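The following is an added example, not part of this manual and not the switch's CFM code, that shows how the link trace cache entries above come about. A link trace message is relayed bridge by bridge; each MIP on the path looks the target MAC up in its forwarding database and records a reply (Reply = FDB with the egress port, or EgrVid when the egress port is not in the LTM's VLAN), and the MEP that owns the target MAC answers HIT. Where the lookup fails the LTM can no longer be forwarded and the cache simply stops, which is exactly the information used for fault isolation. The three-bridge chain, its VLAN membership and the MAC addresses are constructed; MPDB replies are not modelled.

```python
from typing import Dict, List, Optional

# Constructed three-bridge chain B1 - B2 - B3 (not real switch output).
# Each bridge: port -> neighbour, VLAN member set per port, a filtering
# database (target MAC -> egress port) and the MAC of its local MEP, if any.
MEP_B1 = "00:00:00:aa:00:01"
MEP_B3 = "00:00:00:aa:00:03"
TOPOLOGY: Dict[str, dict] = {
    "B1": {"links": {"e2": "B2"},
           "vlans": {"e2": {10, 20}},
           "fdb": {MEP_B3: "e2"}, "mep": MEP_B1},
    "B2": {"links": {"e1": "B1", "e2": "B3"},
           "vlans": {"e1": {10, 20}, "e2": {10}},   # VLAN 20 stops at B2's e2
           "fdb": {MEP_B3: "e2", MEP_B1: "e1"}, "mep": None},
    "B3": {"links": {"e1": "B2"},
           "vlans": {"e1": {10}},
           "fdb": {MEP_B1: "e1"}, "mep": MEP_B3},
}


def link_trace(source: str, target_mac: str, vid: int, max_hops: int = 64,
               topology: Dict[str, dict] = TOPOLOGY) -> List[dict]:
    """Relay one LTM hop by hop and return the link trace cache: one entry per
    reply, in hop order, ending with HIT at the target MEP or with the last
    point from which the LTM could still be forwarded."""
    cache: List[dict] = []
    node, hops = source, 0
    while True:
        bridge = topology[node]
        egress = bridge["fdb"].get(target_mac)
        if node != source:                 # the originating MEP records no reply for itself
            hops += 1
            if bridge["mep"] == target_mac:
                cache.append({"hops": hops, "node": node, "reply": "HIT", "egress": None})
                break
            if egress is None:
                break                      # target unknown here: LTM can no longer be forwarded
            if vid not in bridge["vlans"][egress]:
                # egress port found, but not in the LTM's VID member set
                cache.append({"hops": hops, "node": node, "reply": "FDB", "egress": "EgrVid"})
                break
            cache.append({"hops": hops, "node": node, "reply": "FDB", "egress": egress})
            if hops >= max_hops:
                break
        elif egress is None or vid not in bridge["vlans"][egress]:
            break                          # source cannot even send the LTM
        node = bridge["links"][egress]
    return cache


def isolate_fault(cache: List[dict]) -> Optional[str]:
    """Name the last bridge that replied when the target was never reached;
    the break in connectivity lies just beyond it. None means the trace hit."""
    if cache and cache[-1]["reply"] == "HIT":
        return None
    return cache[-1]["node"] if cache else None


if __name__ == "__main__":
    for vid in (10, 20):
        trace = link_trace("B1", MEP_B3, vid)
        print(f"VLAN {vid}:", trace, "fault near:", isolate_fault(trace))
```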
◆ Alarm Time – The time a defect must exist before a fault alarm is issued.
◆ Reset Time – The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued.

WEB INTERFACE
To show configuration settings for the fault notification generator:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Fault Notification Generator from the Action list.

and some other MA y, at a higher maintenance level, and associated with at least one of the VID(s) also in MA x, does have a MEP configured on the bridge port.
15 MULTICAST FILTERING
This chapter describes how to configure the following multicast services:
◆ Layer 2 IGMP – Configures snooping and query parameters.
◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
◆ Layer 3 IGMP – Configures IGMP query used with multicast routing.

CHAPTER 15 | Multicast Filtering IGMP Protocol
This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.

CHAPTER 15 | Multicast Filtering Layer 2 IGMP (Snooping and Query)
across different subnetworks. Therefore, when PIM routing is enabled for a subnet on the switch, IGMP is automatically enabled.

NOTE: When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.

NOTE: IGMP snooping will not function unless a multicast router port is enabled on the switch. This can be accomplished in one of two ways.

CONFIGURING IGMP SNOOPING AND QUERY PARAMETERS
Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.

◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.

When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it immediately issues an IGMP general query.

◆ IGMP Snooping Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping.

SPECIFYING STATIC INTERFACES FOR A MULTICAST ROUTER
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.

To show the static interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.

ASSIGNING INTERFACES TO MULTICAST SERVICES
Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see "Configuring IGMP Snooping and Query Parameters" on page 515).

Figure 295: Assigning an Interface to a Multicast Service

To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.

and snooping switches from different vendors. In response to this problem, the Multicast Router Discovery (MRD) protocol has been developed for use by IGMP snooping and multicast routing devices. MRD is used to discover which interfaces are attached to multicast routers, allowing IGMP-enabled devices to determine where to send multicast source and group membership messages. (MRD is specified in draft-ietf-magma-mrdisc-07.

NOTE: MRD messages are flooded to all ports in a VLAN where IGMP snooping or routing has been enabled. To ensure that older switches which do not support MRD can also learn the multicast router port, the switch floods IGMP general query packets, which do not have a null source address (0.0.0.0), to all ports in the attached VLAN.

◆ Multicast Router Discovery – MRD is used to discover which interfaces are attached to multicast routers. (Default: Enabled)
◆ General Query Suppression – Suppresses general queries except for ports attached to downstream multicast hosts. (Default: Disabled) By default, general query messages are flooded to all ports, except for the multicast router port through which they are received.

◆ Last Member Query Interval – The interval to wait for a response to a group-specific or group-and-source-specific query message. (Range: 1-31744 tenths of a second in multiples of 10; Default: 1 second) When a multicast host leaves a group, it sends an IGMP leave message.

Figure 297: Configuring IGMP Snooping on a VLAN

To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.
PARAMETERS
These parameters are displayed:
◆ IGMP Query Drop – Configures an interface to drop any IGMP query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier.
◆ Multicast Data Drop – Configures an interface to stop multicast services from being forwarded to users attached to the downstream port (i.e.

◆ Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.
◆ Source Address – The address of one of the multicast servers transmitting traffic to the specified group.
◆ Interface – A downstream port or trunk that is receiving traffic for the specified multicast group.

◆ Port – Port identifier. (Range: 1-28)
◆ Trunk – Trunk identifier. (Range: 1-8)

Query Statistics
◆ Querier IP Address – The IP address of the querier on this interface.
◆ Querier Expire Time – The time after which this querier is assumed to have expired.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.

Output Statistics
◆ Report – The number of IGMP membership reports sent from this interface.
◆ Leave – The number of leave messages sent from this interface.
◆ G Query – The number of general query messages sent from this interface.
◆ G(-S)-S Query – The number of group-specific or group-and-source-specific query messages sent from this interface.

WEB INTERFACE
To display statistics for IGMP snooping query-related messages:
1.

Figure 302: Displaying IGMP Snooping Statistics – VLAN

To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
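The following is an added example, not part of this manual and not the switch's IGMP code, that models the Layer 2 IGMP snooping behaviour this section describes for one VLAN: group membership learned from reports, multicast router ports learned from general queries that carry a real (non-0.0.0.0) source address, leave handling either by Immediate Leave or by a group-specific query that waits the Last Member Query Interval for another member to answer, and the per-port IGMP Query Drop setting that keeps a query arriving on an untrusted host port from influencing the snooping state. `forward_ports()` gives the set of ports multicast data for a group actually reaches. Port names, addresses and timings are constructed.

```python
from typing import Dict, List, Set, Tuple


class IgmpSnoopingVlan:
    """Per-VLAN IGMP snooping state machine. Constructed model of the
    behaviour described in this chapter, not the switch's implementation."""

    def __init__(self, vlan: int, immediate_leave: bool = False,
                 last_member_query_interval_s: float = 1.0,
                 query_drop_ports: Set[str] = frozenset()):
        self.vlan = vlan
        self.immediate_leave = immediate_leave
        self.lmqi = last_member_query_interval_s
        self.query_drop_ports = set(query_drop_ports)
        self.members: Dict[str, Dict[str, float]] = {}   # group -> {port: last report}
        self.router_ports: Set[str] = set()
        self.pending: Dict[Tuple[str, str], float] = {}  # (group, port) -> deadline
        self.queries_sent: List[Tuple[str, str]] = []    # group-specific queries sent
        self.log: List[tuple] = []

    def query_received(self, port: str, src_ip: str, now: float) -> bool:
        """A general query with a real source address marks its ingress port
        as a multicast router port. Ports with Query Drop ignore queries, so a
        rogue querier on a host port cannot become 'the router' for the VLAN."""
        if port in self.query_drop_ports:
            self.log.append(("query_dropped", port, src_ip, now))
            return False
        if src_ip != "0.0.0.0":
            self.router_ports.add(port)
        return True

    def report_received(self, port: str, group: str, now: float) -> None:
        """Membership report: (re)join, and answer any pending group-specific query."""
        self.members.setdefault(group, {})[port] = now
        self.pending.pop((group, port), None)

    def leave_received(self, port: str, group: str, now: float) -> None:
        if port not in self.members.get(group, {}):
            return
        if self.immediate_leave:
            self._remove(group, port)
            return
        # otherwise send a group-specific query and give other hosts on the
        # port one Last Member Query Interval to respond
        self.queries_sent.append((port, group))
        self.pending[(group, port)] = now + self.lmqi

    def tick(self, now: float) -> None:
        """Expire pending leaves whose last-member query went unanswered."""
        for (group, port), deadline in list(self.pending.items()):
            if now >= deadline:
                self._remove(group, port)
                del self.pending[(group, port)]

    def _remove(self, group: str, port: str) -> None:
        ports = self.members.get(group)
        if ports is None:
            return
        ports.pop(port, None)
        if not ports:
            del self.members[group]

    def forward_ports(self, group: str) -> Set[str]:
        """Where data for 'group' is forwarded: member ports plus router ports.
        Once snooping is active nothing is flooded to every port in the VLAN."""
        return set(self.members.get(group, {})) | self.router_ports


if __name__ == "__main__":
    v = IgmpSnoopingVlan(10, query_drop_ports={"p5"})
    v.query_received("p24", "10.0.0.1", 0.0)      # real querier on the uplink
    v.query_received("p5", "10.0.0.66", 0.0)      # query on a host port: dropped
    v.report_received("p1", "239.1.1.1", 1.0)
    v.report_received("p2", "239.1.1.1", 1.0)
    v.leave_received("p2", "239.1.1.1", 5.0)
    v.tick(6.0)
    print("router ports:", v.router_ports, "forward:", v.forward_ports("239.1.1.1"))
```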
CHAPTER 15 | Multicast Filtering Filtering and Throttling IGMP Groups

FILTERING AND THROTTLING IGMP GROUPS
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.

Figure 304: Enabling IGMP Filtering and Throttling

CONFIGURING IGMP FILTER PROFILES
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.

WEB INTERFACE
To create an IGMP filter profile and set its access mode:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the number for a profile, and set its access mode.
5. Click Apply.

Figure 305: Creating an IGMP Filtering Profile

To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2.

5. Click Apply.

Figure 307: Adding Multicast Groups to an IGMP Filtering Profile

To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4. Select the profile for which to display this information.

removes an existing group and replaces it with the new multicast group.

PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
◆ Profile ID – Selects an existing profile to assign to an interface.
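The following is an added example, not part of this manual and not the switch's filter implementation, that shows how an IGMP filter profile (access mode plus multicast group ranges) and a per-interface throttling limit combine when a join request arrives on a port. The profile semantics assumed here are that a permit profile admits only groups inside its ranges and a deny profile blocks exactly those ranges; the throttling action is either to refuse joins beyond the limit or, as the text above describes, to remove an existing group and replace it with the new one (this model evicts the oldest join). Profile numbers, ranges and the group addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    """Filter profile: an access mode and the multicast group ranges it covers."""
    profile_id: int
    access_mode: str                              # "permit" or "deny"
    ranges: List[Tuple[str, str]] = field(default_factory=list)  # (start, end)

    def __post_init__(self) -> None:
        if self.access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be 'permit' or 'deny'")

    def covers(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        return any(ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi)
                   for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        """Permit: only listed ranges may be joined. Deny: listed ranges are blocked."""
        return self.covers(group) if self.access_mode == "permit" else not self.covers(group)


class IgmpInterfaceFilter:
    """Filtering and throttling as applied to one port or trunk.

    throttle_action 'deny' refuses joins once max_groups is reached;
    'replace' evicts the oldest joined group and admits the new one.
    """

    def __init__(self, profile: Optional[IgmpProfile] = None,
                 max_groups: Optional[int] = None, throttle_action: str = "deny"):
        if throttle_action not in ("deny", "replace"):
            raise ValueError("throttle action must be 'deny' or 'replace'")
        self.profile = profile
        self.max_groups = max_groups
        self.throttle_action = throttle_action
        self.groups: List[str] = []               # join order kept for 'replace'

    def join(self, group: str) -> str:
        """Process an IGMP join for 'group' and report what happened."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return "not-multicast"
        if self.profile is not None and not self.profile.allows(group):
            return "denied-by-profile"            # filtered before any throttling
        if group in self.groups:
            return "already-joined"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.throttle_action == "deny":
                return "throttled"
            evicted = self.groups.pop(0)
            self.groups.append(group)
            return f"replaced {evicted}"
        self.groups.append(group)
        return "joined"

    def leave(self, group: str) -> bool:
        if group in self.groups:
            self.groups.remove(group)
            return True
        return False


if __name__ == "__main__":
    # constructed: subscribers may not join the 239.1.0.0/16 premium tier,
    # and a port may hold at most two streams at once
    premium_blocked = IgmpProfile(1, "deny", [("239.1.0.0", "239.1.255.255")])
    port = IgmpInterfaceFilter(premium_blocked, max_groups=2, throttle_action="deny")
    for g in ("239.1.5.5", "239.2.0.1", "239.2.0.2", "239.2.0.3"):
        print(g, "->", port.join(g))
```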
CHAPTER 15 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 309: Configuring IGMP Filtering and Throttling Interface Settings MLD SNOOPING (SNOOPING AND QUERY FOR IPV6) Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
CHAPTER 15 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network. ◆ Robustness – MLD Snooping robustness variable.
CHAPTER 15 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) 3. Click Apply. Figure 310: Configuring General Settings for MLD Snooping SETTING IMMEDIATE Use the Multicast > MLD Snooping > Interface page to configure LEAVE STATUS FOR Immediate Leave status for a VLAN. MLD SNOOPING PER INTERFACE CLI REFERENCES ◆ "ipv6 mld snooping vlan immediate-leave" on page 1224 PARAMETERS These parameters are displayed: ◆ VLAN – A VLAN identification number.
Figure 311: Configuring Immediate Leave for MLD Snooping

SPECIFYING STATIC INTERFACES FOR AN IPV6 MULTICAST ROUTER
Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch. Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
Figure 312: Configuring a Static Interface for an IPv6 Multicast Router

To show the static interfaces attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
ASSIGNING INTERFACES TO IPV6 MULTICAST SERVICES
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see "Configuring MLD Snooping and Query Parameters" on page 538).
Figure 315: Assigning an Interface to an IPv6 Multicast Service

To show the static interfaces assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Figure 317: Showing Current Interfaces Assigned to an IPv6 Multicast Service

SHOWING MLD SNOOPING GROUPS AND SOURCE LIST
Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
CHAPTER 15 | Multicast Filtering Layer 3 IGMP (Query used with Multicast Routing)

◆ Request List – Sources included on the router’s request list.
◆ Exclude List – Sources included on the router’s exclude list.

WEB INTERFACE
To display known MLD multicast groups:
1. Click Multicast, MLD Snooping, Group Information.
2. Select the port or trunk, and then select a multicast service assigned to that interface.
NOTE: Multicast Router Discovery (MRD) is used to discover which interfaces are attached to multicast routers. (For a description of this protocol, see “Multicast Router Discovery” on page 522.)
the proxy devices independent of the multicast routing protocols used by core routers. IGMP proxy routing uses a tree topology, where the root of the tree is connected to a complete multicast infrastructure (with the upstream interface connected to the Internet as shown in the figure above).
◆ The system periodically checks the multicast route table for (*,G) any-source multicast forwarding entries. When changes occur in the downstream IGMP groups, an IGMP state change report is created and sent to the upstream router.
CONFIGURING IGMP INTERFACE PARAMETERS
Use the Multicast > IGMP > Interface page to configure interface settings for IGMP.

The switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. The hosts may respond with several types of IP multicast messages.
the QRV field does not contain a declared robustness value, the switch will set the robustness variable to the value statically configured by this command. If the QRV exceeds 7, the maximum value of the QRV field, the robustness value is set to zero, meaning that this device will not advertise a QRV in any query messages it subsequently sends.
◆ Query Interval – Configures the frequency at which host query messages are sent.
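The QRV rule just described is easiest to see on the wire. The following is an added example (not firmware code from this switch) that encodes the IGMPv3 Membership Query header as laid out in RFC 3376 and applies the two halves of the rule: a querier whose configured robustness exceeds 7 advertises a QRV of 0, and a receiver adopts a non-zero QRV from the elected querier but otherwise keeps its own configured value. The group address, QQIC and Max Resp Code values are constructed sample inputs.

```python
"""IGMPv3 Membership Query encoding/decoding for the Querier's Robustness
Variable (QRV) rule. Added example modelled on RFC 3376 sections 4.1.6 and
8.1; not the switch's own code."""
import socket
import struct

IGMP_MEMBERSHIP_QUERY = 0x11
QRV_FIELD_MAX = 7  # the QRV field is only 3 bits wide


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv3_query(group: str, configured_robustness: int,
                       max_resp_code: int = 100, qqic: int = 125,
                       suppress_router_processing: bool = False) -> bytes:
    """Querier side: encode the 12-byte header. A configured robustness above 7
    cannot be carried in the 3-bit field, so it is advertised as 0 ("not declared")."""
    if configured_robustness < 1:
        raise ValueError("robustness variable must be at least 1")
    qrv = configured_robustness if configured_robustness <= QRV_FIELD_MAX else 0
    resv_s_qrv = (int(suppress_router_processing) << 3) | qrv
    header = struct.pack("!BBH4sBBH", IGMP_MEMBERSHIP_QUERY, max_resp_code, 0,
                         socket.inet_aton(group), resv_s_qrv, qqic, 0)
    csum = internet_checksum(header)
    return header[:2] + struct.pack("!H", csum) + header[4:]


def robustness_from_query(packet: bytes, configured_robustness: int) -> int:
    """Receiver side: adopt the QRV announced by the elected querier when it is
    non-zero; otherwise fall back to the locally configured value."""
    if len(packet) < 12 or packet[0] != IGMP_MEMBERSHIP_QUERY:
        raise ValueError("not an IGMPv3 Membership Query")
    if internet_checksum(packet) != 0:
        raise ValueError("bad IGMP checksum")
    qrv = packet[8] & 0x07
    return qrv if qrv else configured_robustness


if __name__ == "__main__":
    q = build_igmpv3_query("0.0.0.0", configured_robustness=3)
    print("QRV field:", q[8] & 7, "-> receiver uses", robustness_from_query(q, 2))
    q = build_igmpv3_query("0.0.0.0", configured_robustness=9)
    print("QRV field:", q[8] & 7, "-> receiver uses", robustness_from_query(q, 2))
```

The checksum check in `robustness_from_query` matters on a snooping switch: a query that fails the checksum should not be allowed to change the robustness variable, since that variable controls how many lost reports are tolerated before group state is torn down.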
WEB INTERFACE
To configure IGMP interface settings:
1. Click Multicast, IGMP, Interface.
2. Select each interface that will support IGMP (Layer 3), and set the required IGMP parameters.
3. Click Apply.

Figure 321: Configuring IGMP Interface Settings

CONFIGURING STATIC IGMP GROUP
Use the Multicast > IGMP > Static Group page to manually propagate traffic from specific multicast groups onto the specified VLAN interface.
◆ The switch supports a maximum of 64 static group entries.

PARAMETERS
These parameters are displayed:
◆ VLAN – VLAN interface to assign as a static member of the specified multicast group. (Range: 1-4093)
◆ Static Group Address – An IP multicast group address. (The group addresses specified cannot be in the range of 224.0.0.1 - 239.255.255.255.)
Figure 323: Showing Static IGMP Groups

DISPLAYING MULTICAST GROUP INFORMATION
When IGMP (Layer 3) is enabled on the switch, use the Multicast > IGMP > Group Information pages to display the current multicast groups learned through IGMP. When IGMP (Layer 3) is disabled and IGMP (Layer 2) is enabled, the active multicast groups can be viewed on the Multicast > IGMP Snooping > Forwarding Entry page (see page 528).
◆ V1 Timer – The time remaining until the switch assumes that there are no longer any IGMP Version 1 members on the IP subnet attached to this interface.
■ If the switch receives an IGMP Version 1 Membership Report, it sets a timer to note that there are Version 1 hosts present which are members of the group for which it heard the report.
■ Forward – Indicates whether or not traffic will be forwarded from the multicast source.

WEB INTERFACE
To display the current multicast groups learned through IGMP:
1. Click Multicast, IGMP, Group Information.
2. Select Show Information from the Action list.
3. Select a VLAN. The selected entry must be a configured IP interface.
CHAPTER 15 | Multicast Filtering Multicast VLAN Registration

MULTICAST VLAN REGISTRATION
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
group to the participating interfaces (see "Assigning Static MVR Multicast Groups to Interfaces" on page 564).
◆ Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One can be enabled or disabled without affecting the behavior of the other. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and leave messages from multicast groups configured under MVR.
WEB INTERFACE
To configure global settings for MVR:
1. Click Multicast, MVR.
2. Select Configure Domain from the Step list.
3. Select a domain from the drop-down list.
4. Enable MVR for the selected domain, select the MVR VLAN, and set the source IP address for all control packets sent upstream as required.
5. Click Apply.
PARAMETERS
These parameters are displayed:

Configure Profile
◆ Profile Name – The name of a profile containing one or more MVR group addresses. (Range: 1-20 characters)
◆ Start IP Address – Starting IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
◆ End IP Address – Ending IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)

Associate Profile
◆ Domain ID – An independent multicast domain.
To show the configured MVR group address profiles:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.

Figure 329: Displaying MVR Group Address Profiles

To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4.
Figure 331: Showing the MVR Group Address Profiles Assigned to a Domain

CONFIGURING MVR INTERFACE STATUS
Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
remaining subscribers for that multicast group before removing the port from the group list.
■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
■ Immediate leave does not apply to multicast groups which have been statically assigned to a port.
WEB INTERFACE
To configure interface settings for MVR:
1. Click Multicast, MVR.
2. Select Configure Interface from the Step list.
3. Select Configure Port or Configure Trunk from the Action list.
4. Select an MVR domain.
5. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
6. Click Apply.
◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings.

PARAMETERS
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Interface – Port or trunk identifier.
◆ VLAN – VLAN identifier. (Range: 1-4093)
◆ Group IP Address – Defines a multicast service sent to the selected port. Multicast groups must be assigned from the MVR group range configured on the Configure General page.
4. Select an MVR domain.
5. Select the port or trunk for which to display this information.

Figure 334: Showing the Static MVR Groups Assigned to a Port

DISPLAYING MVR RECEIVER GROUPS
Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
WEB INTERFACE
To show all MVR groups assigned to a port:
1. Click Multicast, MVR.
2. Select Show Member from the Step list.
3. Select an MVR domain.

Figure 335: Displaying MVR Receiver Groups

DISPLAYING MVR STATISTICS
Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.
WEB INTERFACE
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR domain.
To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.
To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR domain.
5. Select a Port.
16 IP CONFIGURATION This chapter describes how to configure an initial IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
CHAPTER 16 | IP Configuration Setting the Switch’s IP Address (IP Version 4)

◆ To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 633) or use dynamic routing, i.e., RIP, OSPFv2 or OSPFv3 (page 650, 668 or 1516 respectively).
◆ The precedence for configuring IP interfaces is the IP > General > Routing Interface (Add) menu, static routes (page 633), and then dynamic routing.
WEB INTERFACE
To set a static address for the switch:
1. Click IP, General, Routing Interface.
2. Select Add Address from the Action list.
3. Select any configured VLAN, set IP Address Mode to “Static,” set IP Address Type to “Primary” if no address has yet been configured for this interface, and then enter the IP address and subnet mask.
4. Click Apply.
Figure 340: Configuring a Dynamic IPv4 Address

NOTE: The switch will also broadcast a request for IP configuration settings on each power reset.

NOTE: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address.

Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
CHAPTER 16 | IP Configuration Sending DHCP Inform Requests for Additional Information

Figure 341: Showing the Configured IP Address for an Interface

SENDING DHCP INFORM REQUESTS FOR ADDITIONAL INFORMATION
Use the IP > General > Routing Interface (Configure Interface) page to submit a DHCP request for information about the default domain name server and default gateway from a VLAN interface configured with a static IPv4 address.
CHAPTER 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6)

WEB INTERFACE
To send DHCP Inform requests for additional information:
1. Click IP, General, Routing Interface.
2. Select Configure Interface from the Action list.
3. Select a VLAN configured with a static IPv4 address.
4. Set the DHCP inform field to the required status.
5. Click Apply.
CONFIGURING THE IPV6 DEFAULT GATEWAY
Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch.

CLI REFERENCES
◆ "ipv6 default-gateway" on page 1408

PARAMETERS
These parameters are displayed:
◆ Default Gateway – Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address.
◆ "DHCP Client" on page 1361

COMMAND USAGE
◆ The switch must be configured with a link-local address. The option to explicitly enable IPv6 creates a link-local address, but will not generate a global IPv6 address. The global unicast address must be manually configured (see "Configuring an IPv6 Address" on page 582).
◆ IPv6 Neighbor Discovery Protocol supersedes IPv4 Address Resolution Protocol in IPv6 networks.
◆ ND DAD Attempts – The number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. (Range: 0-600, Default: 2)
■ Configuring a value of 0 disables duplicate address detection.
■ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
■ This time limit is included in all router advertisements sent out through an interface, ensuring that nodes on the same link use the same time value. Setting the time limit to 0 means that the configured time is unspecified by this router.

WEB INTERFACE
To configure general IPv6 settings for the switch:
1. Click IP, IPv6 Configuration.
2. Select Configure Interface from the Action list.
3. Specify the VLAN to configure,
4.
◆ The switch must always be configured with a link-local address. Therefore, explicitly enabling IPv6 (see "Configuring IPv6 Interface Settings" on page 579) or manually assigning a global unicast address will also automatically generate a link-local unicast address.
■ EUI-64 (Extended Universal Identifier) – Configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits.
3. Specify the VLAN to configure, select the address type, and then enter an IPv6 address and prefix length.
4. Click Apply.

Figure 345: Configuring an IPv6 Address

SHOWING IPV6 ADDRESSES
Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface.
example, FF02::1:FF90:0/104 is the solicited-node multicast address which is formed by taking the low-order 24 bits of the address and appending those bits to the prefix. Note that the solicited-node multicast address (link-local scope FF02) is used to resolve the MAC addresses for neighbor nodes since IPv6 does not support the broadcast method used by the Address Resolution Protocol in IPv4.
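The two derivations in this section, the EUI-64 interface ID used by the EUI-64 address type and the solicited-node multicast address used by Neighbor Discovery, are shown below in an added example. This is not the switch's own code; it follows RFC 4291 (modified EUI-64 in Appendix A, solicited-node prefix FF02::1:FF00:0/104), and the MAC address and prefix are constructed sample values.

```python
"""IPv6 address derivations: the EUI-64 interface identifier built from a
48-bit MAC, and the solicited-node multicast address that Neighbor Discovery
queries instead of an ARP-style broadcast. Added example, not switch code."""
import ipaddress

SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): split the MAC in two, insert
    FF:FE, and invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # octet 0 sits in bits 63..56 of the 64-bit ID, so its 0x02 bit is bit 57
    return int.from_bytes(eui, "big") ^ (1 << 57)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a 64-bit prefix with the EUI-64 interface ID in the low-order 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Take the low-order 24 bits of a unicast address and append them to
    FF02::1:FF00:0/104 (link-local scope, one group per 24-bit suffix)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def nd_groups_for_interface(prefix: str, mac: str) -> set:
    """Solicited-node groups an EUI-64 interface must listen on: one for its
    link-local address and one for its global address. Both addresses share the
    same interface ID, so the two groups collapse to a single group."""
    link_local = eui64_address("fe80::/64", mac)
    global_addr = eui64_address(prefix, mac)
    return {solicited_node(str(link_local)), solicited_node(str(global_addr))}


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"  # constructed sample MAC
    print(eui64_address("2001:db8::/64", mac))            # 2001:db8::20c:29ff:feab:cdef
    print(solicited_node("2001:db8::20c:29ff:feab:cdef"))  # ff02::1:ffab:cdef
    print(nd_groups_for_interface("2001:db8::/64", mac))
```

The last function is the part relevant to MLD snooping on this switch: a port whose host uses EUI-64 addressing must be allowed to receive the solicited-node group for its interface ID, or Neighbor Solicitations for that host will be filtered and address resolution fails.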
SHOWING THE IPV6 NEIGHBOR CACHE
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.

CLI REFERENCES
◆ "show ipv6 neighbors" on page 1437

PARAMETERS
These parameters are displayed:

Table 32: Show IPv6 Neighbors - display description
IPv6 Address – IPv6 address of neighbor.
Figure 347: Showing IPv6 Neighbors

SHOWING IPV6 STATISTICS
Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
PARAMETERS
These parameters are displayed:

Table 33: Show IPv6 Statistics - display description
IPv6 Statistics
IPv6 Received Total – The total number of input datagrams received by the interface, including those received in error.
Table 33: Show IPv6 Statistics - display description (Continued)
IPv6 Transmitted
Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 33: Show IPv6 Statistics - display description (Continued)
Neighbor Advertisement Messages – The number of ICMP Neighbor Advertisement messages received by the interface.
Redirect Messages – The number of Redirect messages received by the interface.
Group Membership Query Messages – The number of ICMPv6 Group Membership Query messages received by the interface.
Table 33: Show IPv6 Statistics - display description (Continued)
Other Errors – The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
Output – The total number of UDP datagrams sent from this entity.

WEB INTERFACE
To show the IPv6 statistics:
1. Click IP, IPv6 Configuration.
2. Select Show Statistics from the Action list.
3.
Figure 349: Showing IPv6 Statistics (ICMPv6)

Figure 350: Showing IPv6 Statistics (UDP)
SHOWING THE MTU FOR RESPONDING DESTINATIONS
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
17 IP SERVICES
This chapter describes the following IP services:
◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
◆ DHCP Client – Specifies the DHCP client identifier for an interface.
◆ DHCP Relay – Enables DHCP relay service, and defines the servers to which client requests are forwarded.
◆ DHCP Server – Configures addresses to be allocated to networks or specific hosts.
CHAPTER 17 | IP Services Domain Name Service

COMMAND USAGE
◆ To enable DNS service on this switch, enable domain lookup status, and configure one or more name servers (see "Configuring a List of Name Servers" on page 598).

PARAMETERS
These parameters are displayed:
◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names.
◆ If there is no domain list, the default domain name is used (see "Configuring General DNS Service Parameters" on page 595). If there is a domain list, the system will search it for a corresponding entry. If none is found, it will use the default domain name.
Figure 354: Showing the List of Domain Names for DNS

CONFIGURING A LIST OF NAME SERVERS
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
Figure 355: Configuring a List of Name Servers for DNS

To show the list of name servers:
1. Click IP Service, DNS.
2. Select Show Name Servers from the Action list.

Figure 356: Showing the List of Name Servers for DNS

CONFIGURING STATIC DNS HOST TO ADDRESS ENTRIES
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
WEB INTERFACE
To configure static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Add from the Action list.
3. Enter a host name and the corresponding address.
4. Click Apply.

Figure 357: Configuring Static Entries in the DNS Table

To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
CHAPTER 17 | IP Services Dynamic Host Configuration Protocol

client can try each address in succession, until it establishes a connection with the target device.

PARAMETERS
These parameters are displayed:
◆ No. – The entry number for each resource record.
◆ Flag – The flag is always “4” indicating a cache entry and therefore unreliable.
◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias.
SPECIFYING A DHCP CLIENT IDENTIFIER
Use the IP Service > DHCP > Client page to specify the DHCP client identifier for a VLAN interface.

CLI REFERENCES
◆ "ip dhcp client class-id" on page 1361

COMMAND USAGE
◆ The class identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
CONFIGURING DHCP RELAY SERVICE
Use the IP Service > DHCP > Relay page to configure DHCP relay service for attached host devices. If DHCP relay is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server.
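The relay behaviour just described is the BOOTP/DHCP giaddr mechanism. The following added example (not the switch's own implementation) shows both sides of it: the relay stamps the address of the interface the broadcast arrived on into giaddr and forwards the packet unicast to the configured server, and the server uses giaddr to choose an address pool. It also includes the two checks a relay should make: leave a giaddr already set by an earlier relay untouched and drop requests whose hops count has passed the limit, both per RFC 1542. The DISCOVER packet, MAC address and IP addresses are constructed sample values.

```python
"""DHCP relay (giaddr) mechanism as an added example; not the switch's code.
Packet layout follows RFC 2131 / RFC 951; relay rules follow RFC 1542."""
import ipaddress
import struct

BOOTREQUEST = 1
BOOTP_HEADER_LEN = 236   # fixed fields before the options area
GIADDR_OFFSET = 24       # giaddr occupies bytes 24..27 of the header
MAX_HOPS = 16            # RFC 1542 section 4.1.1: drop requests relayed too many times


class RelayDrop(Exception):
    """Raised when the relay refuses to forward a packet."""


def make_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed minimal DHCPDISCOVER: BOOTP header, magic cookie, message-type option."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0,              # op, htype=Ethernet, hlen, hops
                         xid, 0, 0x8000,                    # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"


def relay_request(packet: bytes, relay_iface_ip: str, server_ip: str) -> tuple:
    """Relay-agent side. Returns (destination address, rewritten packet)."""
    if len(packet) < BOOTP_HEADER_LEN:
        raise RelayDrop("truncated BOOTP/DHCP packet")
    op, hops = packet[0], packet[3]
    if op != BOOTREQUEST:
        raise RelayDrop("only client requests are relayed upstream")
    if hops >= MAX_HOPS:
        raise RelayDrop("hops limit exceeded")
    out = bytearray(packet)
    out[3] = hops + 1
    giaddr = ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    if int(giaddr) == 0:
        # first relay on the path: stamp the address of the interface the
        # request arrived on; a later relay must leave an existing giaddr alone
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(relay_iface_ip).packed
    return server_ip, bytes(out)


def select_pool(packet: bytes, pools: dict) -> str:
    """Server side: pick the pool whose network contains giaddr."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    if int(giaddr) == 0:
        raise LookupError("request was not relayed; serve it from the local segment's pool")
    for network, name in pools.items():
        if giaddr in ipaddress.IPv4Network(network):
            return name
    raise LookupError("no pool covers giaddr %s" % giaddr)


if __name__ == "__main__":
    discover = make_discover(bytes.fromhex("001122334455"))          # constructed client MAC
    dest, relayed = relay_request(discover, "192.0.2.1", "198.51.100.10")
    pools = {"192.0.2.0/24": "vlan10-pool", "203.0.113.0/24": "vlan20-pool"}
    print("forward to", dest, "- server picks", select_pool(relayed, pools))
```

Because the server trusts giaddr to place the client, a relay should only be enabled on the interfaces that actually face clients, and the hops check keeps a forwarding loop between two relays from circulating a request indefinitely.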
Figure 362: Configuring DHCP Relay Service

CONFIGURING THE DHCP SERVER
This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service.
ENABLING THE SERVER
Use the IP Service > DHCP > Server (Configure Global) page to enable the DHCP Server.

CLI REFERENCES
◆ "service dhcp" on page 1370

PARAMETERS
These parameters are displayed:
◆ DHCP Server – Enables or disables the DHCP server on this switch. (Default: Disabled)

WEB INTERFACE
To enable the DHCP server:
1. Click IP Service, DHCP, Server.
2. Select Configure Global from the Step list.
3. Mark the Enabled box.
4. Click Apply.
◆ End IP Address – The last address in a range that the DHCP server should not assign to DHCP clients.

NOTE: Be sure you exclude the address for this switch and other key network devices.

WEB INTERFACE
To configure IP addresses excluded for DHCP clients:
1. Click IP Service, DHCP, Server.
2. Select Configure Excluded Addresses from the Step list.
3. Select Add from the Action list.
4. Enter a single address or an address range.
5.
CONFIGURING ADDRESS POOLS
Use the IP Service > DHCP > Server (Configure Pool – Add) page to configure IP address pools for each IP interface that will provide addresses to attached clients via the DHCP server.

CLI REFERENCES
◆ "DHCP Server" on page 1368

COMMAND USAGE
◆ First configure address pools for the network interfaces. Then you can manually bind an address to a specific client if required.
◆ Subnet Mask – The bit combination that identifies the network (or subnet) and the host portion of the DHCP address pool.

Setting Parameters for a Static Host
◆ IP – The IP address to assign to the host.
◆ Subnet Mask – Specifies the network mask of the client.
◆ Client-Identifier – A unique designation for the client device, either a text string (1-15 characters) or hexadecimal value.
3. Select Add from the Action list.
4. Set the pool Type to Network or Host.
5. Enter the IP address and subnet mask for a network pool or host. If configuring a static binding for a host, enter the client identifier or hardware address for the host device. Configure the optional parameters such as a gateway server and DNS server.
6. Click Apply.
Figure 368: Configuring DHCP Server Address Pools (Host)

To show the configured DHCP address pools:
1. Click IP Service, DHCP, Server.
2. Select Configure Pool from the Step list.
3. Select Show from the Action list.
CHAPTER 17 | IP Services Forwarding UDP Service Requests

PARAMETERS
These parameters are displayed:
◆ IP Address – IP address assigned to host.
◆ MAC Address – MAC address of host.
◆ Lease Time – Duration that this IP address can be used by the host.
◆ Start Time – Time this address was assigned by the switch.

WEB INTERFACE
To show the addresses assigned to DHCP clients:
1. Click IP Service, DHCP, Server.
2. Select Show IP Binding from the Step list.
ENABLING THE UDP HELPER
Use the IP Service > UDP Helper > General page to enable the UDP helper globally on the switch.

CLI REFERENCES
◆ "ip helper" on page 1404

PARAMETERS
These parameters are displayed:
◆ UDP Helper Status – Enables or disables the UDP helper. (Default: Disabled)

WEB INTERFACE
To enable the UDP helper:
1. Click IP Service, UDP Helper, General.
2. Mark the Enabled check box.
3. Click Apply.
IEN-116 Name Service – port 42
NetBIOS Datagram Server – port 138
NetBIOS Name Server – port 137
NTP – port 37
TACACS service – port 49
TFTP – port 69

WEB INTERFACE
To specify UDP destination ports for forwarding:
1. Click IP Service, UDP Helper, Forwarding.
2. Select Add from the Action list.
3. Enter a destination UDP port number for which service requests are to be forwarded to a remote application server.
4. Click Apply.
SPECIFYING THE TARGET SERVER OR SUBNET
Use the IP Service > UDP Helper > Address page to specify the application server or subnet (indicated by a directed broadcast address) to which designated UDP broadcast packets are forwarded.

CLI REFERENCES
◆ "ip helper-address" on page 1405

COMMAND USAGE
◆ Up to 20 helper addresses can be specified.
CHAPTER 17 | IP Services Configuring the PPPoE Intermediate Agent

3. Enter the address of the remote server or subnet where UDP request packets are to be forwarded.
4. Click Apply.

Figure 374: Specifying the Target Server or Subnet for UDP Requests

To show the target server or subnet for UDP requests:
1. Click IP Service, UDP Helper, Address.
2. Select Show from the Action list.
COMMAND USAGE
When PPPoE IA is enabled, the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS). The switch extracts access-loop information from the client’s PPPoE Active Discovery Request, and forwards this information to all trusted ports (designated on the Configure Interface page).
Figure 376: Configuring Global Settings for PPPoE Intermediate Agent

CONFIGURING PPPOE IA INTERFACE SETTINGS
Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.

CLI REFERENCES
◆ "PPPoE Intermediate Agent" on page 913

PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk selection.
■ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) to PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server.
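What the intermediate agent does to a PADI or PADR, including the vendor tag stripping option from the interface settings above, is shown in this added example. It is not the switch's code: the PPPoE discovery header and tag layout follow RFC 2516, and the content of the 0x0105 Vendor-Specific tag (the DSL Forum vendor ID 0x00000DE9 followed by one-byte-typed circuit-ID and remote-ID sub-options) follows RFC 4679. The frames, circuit IDs and remote IDs used are constructed sample values.

```python
"""PPPoE Intermediate Agent line-identifier tagging as an added example;
not the switch's own code. Header/tags per RFC 2516, tag 0x0105 contents per RFC 4679."""
import struct

PPPOE_VER_TYPE = 0x11
PADO, PADI, PADR = 0x07, 0x09, 0x19
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_VENDOR_SPECIFIC = 0x0000, 0x0101, 0x0105
DSL_FORUM_VENDOR_ID = 0x00000DE9          # IANA enterprise number 3561
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02


def parse_pppoe(frame: bytes):
    """Split a PPPoE discovery frame into (code, session_id, [(tag_type, value), ...])."""
    if len(frame) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("not PPPoE version 1, type 1")
    payload = frame[6:6 + length]
    if len(payload) != length:
        raise ValueError("payload shorter than header length")
    tags, off = [], 0
    while off + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("truncated tag")
        tags.append((tag_type, value))
        off += 4 + tag_len
        if tag_type == TAG_END_OF_LIST:
            break
    return code, session, tags


def build_pppoe(code: int, session: int, tags) -> bytes:
    """Serialize a discovery frame from its tag list."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session, len(payload)) + payload


def line_id_tag(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Vendor-Specific tag body: 4-byte vendor ID, then 1-byte type / 1-byte length sub-options."""
    if len(circuit_id) > 63 or len(remote_id) > 63:
        raise ValueError("RFC 4679 limits each identifier to 63 octets")
    return (struct.pack("!I", DSL_FORUM_VENDOR_ID)
            + bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def intermediate_agent(frame: bytes, circuit_id: bytes, remote_id: bytes,
                       strip_vendor_tag: bool = True) -> bytes:
    """What the IA does to a frame arriving on an untrusted (client-facing) port."""
    code, session, tags = parse_pppoe(frame)
    if code not in (PADI, PADR):
        return frame          # PADO/PADS come from the server side and pass through unchanged
    if strip_vendor_tag:      # discard any Vendor-Specific tag the client supplied itself
        tags = [(t, v) for t, v in tags if t != TAG_VENDOR_SPECIFIC]
    new_tag = (TAG_VENDOR_SPECIFIC, line_id_tag(circuit_id, remote_id))
    ends = [i for i, (t, _) in enumerate(tags) if t == TAG_END_OF_LIST]
    if ends:
        tags.insert(ends[0], new_tag)   # keep End-Of-List last
    else:
        tags.append(new_tag)
    return build_pppoe(code, session, tags)


def extract_line_id(frame: bytes):
    """Server (BRAS) side: recover (circuit_id, remote_id) from the DSL Forum tag, or None."""
    _, _, tags = parse_pppoe(frame)
    for tag_type, value in tags:
        if tag_type != TAG_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != DSL_FORUM_VENDOR_ID:
            continue
        found, off = {}, 4
        while off + 2 <= len(value):
            sub, sub_len = value[off], value[off + 1]
            found[sub] = value[off + 2:off + 2 + sub_len]
            off += 2 + sub_len
        return found.get(SUB_CIRCUIT_ID), found.get(SUB_REMOTE_ID)
    return None


if __name__ == "__main__":
    padi = build_pppoe(PADI, 0, [(TAG_SERVICE_NAME, b"")])   # constructed client PADI
    tagged = intermediate_agent(padi, b"switch1 eth 1/5:100", b"subscriber-42")
    print(extract_line_id(tagged))
```

The stripping step is the reason the trust setting matters: only the identifier inserted by the switch on the untrusted port should reach the BRAS, so the access loop recorded by the server reflects the physical port rather than whatever a client chose to put in its own discovery frame.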
SHOWING PPPOE IA STATISTICS
Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages.

CLI REFERENCES
◆ "show pppoe intermediate-agent statistics" on page 918

PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk selection.
◆ Received – Received PPPoE active discovery messages.
■ All – All PPPoE active discovery message types.
CHAPTER 17 | IP Services Configuring the PPPoE Intermediate Agent Figure 378: Showing PPPoE Intermediate Agent Statistics
18 GENERAL IP ROUTING This chapter provides information on network functions including: ◆ Ping – Sends ICMP echo request packets to another node on the network and reports whether a reply comes back. ◆ Trace – Shows, hop by hop, the route packets take to another node on the network. ◆ Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses. Also shows how to display dynamic entries in the ARP cache. ◆ Static Routes – Configures static routes to other network segments.
CHAPTER 18 | General IP Routing IP Routing and Switching Figure 379: Virtual Interfaces and Layer 3 Routing (inter-subnet traffic between VLAN 1 and VLAN 2 is routed by Layer 3 switching; intra-subnet traffic within a VLAN, tagged or untagged, is Layer 2 switched) IP ROUTING AND SWITCHING IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
CHAPTER 18 | General IP Routing IP Routing and Switching broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
CHAPTER 18 | General IP Routing Configuring IP Routing Interfaces ROUTING PROTOCOLS The switch supports both static and dynamic routing. ◆ Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch. ◆ Dynamic routing uses a routing protocol to exchange routing information, calculate routing tables, and respond to changes in the status or loading of the network.
CHAPTER 18 | General IP Routing Configuring IP Routing Interfaces unknown destinations, i.e., packets that do not match any routing table entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets. To configure a default gateway for IPv4, use the static routing table as described on page 633, enter 0.0.0.0 for the IP address and subnet mask, and then specify this switch itself or another router as the gateway.
CHAPTER 18 | General IP Routing Configuring IP Routing Interfaces WEB INTERFACE To ping another device on the network: 1. Click IP, General, Ping. 2. Specify the target device and ping parameters. 3. Click Apply. Figure 380: Pinging a Network Device USING THE TRACE ROUTE FUNCTION Use the IP > General > Trace Route page to show the route packets take to the specified destination.
CHAPTER 18 | General IP Routing Address Resolution Protocol returning an "ICMP port unreachable" message. If the timer goes off before a response is returned, the trace function prints a series of asterisks and the "Request Timed Out" message. A long sequence of these messages, terminating only when the maximum timeout has been reached, usually indicates that the target device is not answering the probes. ◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007).
CHAPTER 18 | General IP Routing Address Resolution Protocol next hop. IP traffic passes along the path to its final destination in this way, with each routing device mapping the destination IP address to the MAC address of the next hop toward the recipient, until the packet is delivered to the final destination. If there is no entry for an IP address in the ARP cache, the router will broadcast an ARP request packet to all devices on the network.
CHAPTER 18 | General IP Routing Address Resolution Protocol Figure 382: Proxy ARP (a host with no routing and no default gateway sends an ARP request for a remote server's address, and the switch answers on the server's behalf) PARAMETERS These parameters are displayed: ◆ Timeout – Sets the aging time for dynamic entries in the ARP cache. (Range: 300 - 86400 seconds; Default: 1200 seconds or 20 minutes) The ARP aging timeout can be set for any configured VLAN. The aging time determines how long dynamic entries remain in the cache.
CHAPTER 18 | General IP Routing Address Resolution Protocol Figure 383: Configuring General Settings for ARP CONFIGURING STATIC ARP ADDRESSES For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address. If this occurs, use the IP > ARP (Configure Static Address – Add) page to manually map an IP address to the corresponding physical address in the ARP cache. A static entry is not replaced by a learned reply, so it also pins the mapping for a critical host such as the default gateway; remember to update it if that host's MAC address changes.
CHAPTER 18 | General IP Routing Address Resolution Protocol WEB INTERFACE To map an IP address to the corresponding physical address in the ARP cache using the web interface: 1. Click IP, ARP. 2. Select Configure Static Address from the Step List. 3. Select Add from the Action List. 4. Enter the IP address and the corresponding MAC address. 5. Click Apply. Figure 384: Configuring Static ARP Entries To display static entries in the ARP cache: 1. Click IP, ARP. 2.
CHAPTER 18 | General IP Routing Address Resolution Protocol DISPLAYING DYNAMIC OR LOCAL ARP ENTRIES The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages. Use the IP > ARP (Show Information) page to display dynamic or local entries in the ARP cache.
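The two ARP behaviours described above (static entries that are never overwritten, and dynamic entries learned from replies and aged out after the configured timeout) are easiest to reason about in code. The following is an added example written for this page, not the switch's firmware: it parses constructed Ethernet/ARP frames, keeps a cache with the manual's default 1200-second aging time, treats a static entry as authoritative, and records an alert when a reply claims a statically mapped address with a different MAC, which is what an ARP-spoofing attempt against a pinned gateway looks like. The MAC and IP addresses in `run_scenario()` are made up for the demonstration.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Fabricate an Ethernet/ARP frame; used here only to construct sample input."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if oper == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # Ethernet / IPv4, 6-byte / 4-byte addresses
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sha": mac_str(frame[22:28]), "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": mac_str(frame[32:38]), "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


class ArpCache:
    """ARP cache: static entries are never overwritten, dynamic entries age out, conflicts raise alerts."""

    def __init__(self, timeout=1200):            # the switch's default aging time, in seconds
        self.timeout = timeout
        self.entries = {}                        # ip -> {"mac", "static", "expires"}
        self.alerts = []

    def add_static(self, ip, mac):
        self.entries[ip] = {"mac": mac, "static": True, "expires": None}

    def expire(self, now):
        stale = [ip for ip, e in self.entries.items() if not e["static"] and e["expires"] <= now]
        for ip in stale:
            del self.entries[ip]

    def process(self, frame, now):
        """Feed one frame at time `now`; returns the MAC the cache holds for the sender afterwards."""
        self.expire(now)
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["spa"], arp["sha"]
        current = self.entries.get(ip)
        if current and current["static"]:
            # The static entry is authoritative; a different claimant is a spoofing indicator.
            if current["mac"] != mac:
                self.alerts.append(f"{ip}: static {current['mac']} but {mac} claims it (op {arp['oper']})")
            return current["mac"]
        if arp["oper"] != ARP_REPLY:
            return current["mac"] if current else None   # dynamic entries are learned from replies only
        if current and current["mac"] != mac:
            self.alerts.append(f"{ip}: moved {current['mac']} -> {mac}")
        self.entries[ip] = {"mac": mac, "static": False, "expires": now + self.timeout}
        return mac


def run_scenario():
    """Constructed traffic: a pinned gateway, a spoofed reply for it, and a dynamic host that ages out."""
    cache = ArpCache()
    cache.add_static("10.0.0.1", "aa:bb:cc:00:00:01")                          # gateway pinned by operator
    cache.process(build_arp_frame(ARP_REPLY, "de:ad:be:ef:00:99", "10.0.0.1",
                                  "aa:bb:cc:00:00:10", "10.0.0.10"), now=0)    # spoof attempt, ignored
    cache.process(build_arp_frame(ARP_REPLY, "aa:bb:cc:00:00:20", "10.0.0.20",
                                  "aa:bb:cc:00:00:10", "10.0.0.10"), now=0)    # legitimate host learned
    cache.process(build_arp_frame(ARP_REQUEST, "aa:bb:cc:00:00:21", "10.0.0.21",
                                  "00:00:00:00:00:00", "10.0.0.1"), now=1300)  # later than 1200 s: aging
    return cache
```

Running `run_scenario()` leaves the gateway entry untouched, records one alert naming the spoofing MAC, and shows that the host learned at time 0 is gone by time 1300 because the 1200-second aging timer has expired.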
CHAPTER 18 | General IP Routing Configuring Static Routes DISPLAYING ARP STATISTICS Use the IP > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this router. CLI REFERENCES ◆ "show ip traffic" on page 1452 PARAMETERS These parameters are displayed: Table 36: ARP Statistics
Received Request – Number of ARP Request packets received by the router.
Received Reply – Number of ARP Reply packets received by the router.
CHAPTER 18 | General IP Routing Configuring Static Routes network topology, so you should only configure a small number of stable routes to ensure network accessibility. CLI REFERENCES ◆ "ip route" on page 1448 COMMAND USAGE ◆ Up to 512 static routes can be configured. ◆ Up to eight equal-cost multipaths (ECMP) can be configured for static routing (see "Equal-cost Multipath Routing" on page 637).
CHAPTER 18 | General IP Routing Displaying the Routing Table Figure 389: Configuring Static Routes To display static routes: 1. Click IP, Routing, Static Routes. 2. Select Show from the Action List. Figure 390: Displaying Static Routes DISPLAYING THE ROUTING TABLE Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
CHAPTER 18 | General IP Routing Displaying the Routing Table network, the routing table is updated, and those changes are immediately reflected in the FIB. The FIB is distinct from the routing table (or, Routing Information Base – RIB), which holds all routing information received from routing peers. The FIB contains unique paths only. It does not contain any secondary paths. A FIB entry consists of the minimum amount of information necessary to make a forwarding decision on a particular packet.
CHAPTER 18 | General IP Routing Equal-cost Multipath Routing Figure 391: Displaying the Routing Table EQUAL-COST MULTIPATH ROUTING Use the IP > Routing > Routing Table (Configure ECMP Number) page to configure the maximum number of equal-cost paths that can transmit traffic to the same destination. The Equal-cost Multipath routing algorithm is a technique that supports load sharing over multiple equal-cost paths for data passing to the same destination.
CHAPTER 18 | General IP Routing Equal-cost Multipath Routing ◆ The routing table can only have up to 8 equal-cost multipaths for static routing and 8 for dynamic routing for a common destination. However, the system supports up to 256 total ECMP entries in ASIC for fast switching, with any additional entries handled by software routing.
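The forwarding behaviour described across this chapter (a static routing table with a 0.0.0.0/0 default gateway for destinations that match no entry, longest-prefix selection from the FIB, and up to eight equal-cost next hops per destination) can be modelled compactly. The following is an added example, not code from the switch: a small Python FIB that enforces the eight-path limit, does longest-prefix match, and picks an ECMP next hop by hashing the flow 5-tuple so that one flow always takes the same path. The hash function, the prefixes and the next-hop addresses are assumptions for the demonstration; the switch's ASIC hash is not documented on this page.

```python
import hashlib
import ipaddress
from collections import defaultdict

# The switch allows up to eight equal-cost paths per destination for static routes.
MAX_ECMP_PATHS = 8


class Fib:
    """Forwarding table: longest-prefix match, a 0.0.0.0/0 default route,
    and per-flow selection among equal-cost next hops."""

    def __init__(self, max_paths=MAX_ECMP_PATHS):
        self.max_paths = max_paths
        self.routes = defaultdict(list)  # IPv4Network -> list of next-hop addresses

    def add_route(self, prefix, next_hop):
        """Install one next hop for a prefix; further next hops make the route ECMP."""
        net = ipaddress.ip_network(prefix, strict=True)
        hops = self.routes[net]
        if next_hop in hops:
            return
        if len(hops) >= self.max_paths:
            raise ValueError(f"{net}: limit of {self.max_paths} equal-cost paths reached")
        hops.append(next_hop)

    def lookup(self, dst):
        """Longest-prefix match; 0.0.0.0/0 only wins when nothing more specific matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net in self.routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return best

    def next_hop(self, src, dst, proto=6, sport=0, dport=0):
        """Next hop for a packet, or None if it matches no route at all (packet is dropped)."""
        net = self.lookup(dst)
        if net is None:
            return None
        hops = self.routes[net]
        if len(hops) == 1:
            return hops[0]
        # Hash the flow 5-tuple so every packet of one flow takes the same path (no reordering).
        key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(hops)
        return hops[idx]


def build_sample_fib():
    """Constructed sample routing table; all addresses are illustrative."""
    fib = Fib()
    fib.add_route("10.1.0.0/16", "10.0.0.1")     # static route to a remote site
    fib.add_route("10.1.2.0/24", "10.0.0.2")     # more specific prefix with two equal-cost paths
    fib.add_route("10.1.2.0/24", "10.0.0.3")
    fib.add_route("0.0.0.0/0", "192.0.2.1")      # default gateway (the manual's 0.0.0.0 entry)
    return fib


if __name__ == "__main__":
    fib = build_sample_fib()
    for dst in ("10.1.2.5", "10.1.9.9", "198.51.100.7"):
        print(dst, "->", fib.lookup(dst), "via", fib.next_hop("10.9.9.9", dst, 6, 40000, 443))
```

A destination inside 10.1.2.0/24 is split across the two equal-cost next hops, a destination elsewhere in 10.1.0.0/16 uses the /16 route, anything else falls to the default gateway, and a table with no default route returns None for an unknown destination, which is the drop case the text describes.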
19 CONFIGURING ROUTER REDUNDANCY Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
CHAPTER 19 | Configuring Router Redundancy Configuring VRRP Groups Figure 395: Several Virtual Master Routers Configured for Mutual Backup and Load Sharing
Router 1 (interface IP(R1) = 192.168.1.3): VRID 23 Master, IP(VR23) = 192.168.1.3, VR Priority = 255; VRID 25 Backup, IP(VR25) = 192.168.1.5, VR Priority = 100
Router 2 (interface IP(R2) = 192.168.1.5): VRID 23 Backup, IP(VR23) = 192.168.1.3, VR Priority = 100; VRID 25 Master, IP(VR25) = 192.168.1.5
CHAPTER 19 | Configuring Router Redundancy Configuring VRRP Groups priority. In cases where the configured priority is the same on several group members, the member with the highest IP address is selected as master. ◆ If you have multiple secondary addresses configured on the current VLAN interface, you can add any of these addresses to the virtual router group. ◆ The interfaces of all routers participating in a virtual router group must be within the same IP subnet.
CHAPTER 19 | Configuring Router Redundancy Configuring VRRP Groups ◆ VLAN – ID of a VLAN configured with an IP interface. (Range: 1-4093; Default: 1) Adding a Virtual IP Address ◆ VLAN ID – ID of a VLAN configured with an IP interface. (Range: 1-4093) ◆ VRID – VRRP group identifier. (Range: 1-255) ◆ IP Address – Virtual IP address for this group. Use the IP address of a real interface on this router to make it the master virtual router for the group.
CHAPTER 19 | Configuring Router Redundancy Configuring VRRP Groups ◆ Authentication Mode – Authentication mode used to verify VRRP packets received from other routers. (Options: None, Simple Text; Default: None) If simple text authentication is selected, then you must also enter an authentication string. All routers in the same VRRP group must be set to the same authentication mode, and be configured with the same authentication string. Plain text authentication does not provide any real security: the string is carried unencrypted in every advertisement, so anyone who can capture traffic on the VLAN can read it and send advertisements that pass the check. It only guards against accidental misconfiguration, not against a deliberate attacker on the same segment.
CHAPTER 19 | Configuring Router Redundancy Configuring VRRP Groups Figure 396: Configuring the VRRP Group ID To show the configured VRRP groups: 1. Click IP, VRRP. 2. Select Configure Group ID from the Step List. 3. Select Show from the Action List. Figure 397: Showing Configured VRRP Groups To configure the virtual router address for a VRRP group: 1. Click IP, VRRP. 2. Select Configure Group ID from the Step List. 3. Select Add IP Address from the Action List. 4.
CHAPTER 19 | Configuring Router Redundancy Configuring VRRP Groups Figure 398: Setting the Virtual Router Address for a VRRP Group To show the virtual IP address assigned to a VRRP group: 1. Click IP, VRRP. 2. Select Configure Group ID from the Step List. 3. Select Show IP Addresses from the Action List. 4. Select a VLAN, and a VRRP group identifier. Figure 399: Showing the Virtual Addresses Assigned to VRRP Groups To configure detailed settings for a VRRP group: 1. Click IP, VRRP. 2.
CHAPTER 19 | Configuring Router Redundancy Displaying VRRP Global Statistics Figure 400: Configuring Detailed Settings for a VRRP Group DISPLAYING VRRP GLOBAL STATISTICS Use the IP > VRRP (Show Statistics – Global Statistics) page to display counters for errors found in VRRP protocol packets.
CHAPTER 19 | Configuring Router Redundancy Displaying VRRP Group Statistics Figure 401: Showing Counters for Errors Found in VRRP Packets DISPLAYING VRRP GROUP STATISTICS Use the IP > VRRP (Show Statistics – Group Statistics) page to display counters for VRRP protocol events and errors that have occurred on a specific VRRP interface. CLI REFERENCES ◆ "show vrrp interface counters" on page 1389 PARAMETERS These parameters are displayed: ◆ VLAN ID – VLAN configured with an IP interface.
CHAPTER 19 | Configuring Router Redundancy Displaying VRRP Group Statistics Table 37: VRRP Group Statistics (Continued)
Received Invalid Type VRRP Packets – Number of VRRP packets received by the virtual router with an invalid value in the "type" field.
Received Error Address List VRRP Packets – Number of packets received for which the address list does not match the locally configured list for the virtual router.
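The group statistics above are the receiver-side checks a VRRP router runs on every advertisement, and the election rule (highest priority, then highest IP address) decides who becomes master once those checks pass. The following is an added example, not the switch's implementation: it builds VRRPv2 advertisements in the RFC 2338 layout (version/type byte, VRID, priority, address count, authentication type, advertisement interval, checksum, addresses, 8-byte simple-text authentication field), then validates received packets against a configured group and counts each failure. The counter names "Received Invalid Type VRRP Packets" and "Received Error Address List VRRP Packets" are taken from Table 37; the other counter names, the addresses and the authentication string are assumptions for the demonstration.

```python
import ipaddress
import struct
from collections import Counter


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; evaluates to 0 over a packet whose checksum field is set."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp_adv(vrid, priority, addrs, auth_type=0, auth_str=b"", adver_int=1, version=2, ptype=1):
    """VRRPv2 advertisement (RFC 2338 layout; auth type 1 = simple text in an 8-byte field)."""
    hdr = struct.pack("!BBBBBBH", (version << 4) | ptype, vrid, priority, len(addrs), auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + auth_str.ljust(8, b"\x00")[:8]
    pkt = hdr + body
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]


class VrrpGroup:
    """Receiver-side validation of advertisements for one virtual router, with per-error counters."""

    def __init__(self, vrid, addrs, auth_type=0, auth_str=b"", adver_int=1):
        self.vrid, self.addrs, self.adver_int = vrid, sorted(addrs), adver_int
        self.auth_type, self.auth_str = auth_type, auth_str.ljust(8, b"\x00")[:8]
        self.stats = Counter()

    def receive(self, pkt):
        """Validate one advertisement; returns True if accepted. Each failed check bumps a counter."""
        if len(pkt) < 16 or inet_checksum(pkt) != 0:
            self.stats["Received Checksum/Length Errors"] += 1
            return False
        vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
        if vt >> 4 != 2:
            self.stats["Received Version Errors"] += 1
            return False
        if vt & 0x0F != 1:
            self.stats["Received Invalid Type VRRP Packets"] += 1
            return False
        if vrid != self.vrid:
            self.stats["Received Invalid VRID"] += 1
            return False
        if len(pkt) != 16 + 4 * count:
            self.stats["Received Checksum/Length Errors"] += 1
            return False
        addrs = sorted(str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count))
        auth = pkt[8 + 4 * count:16 + 4 * count]
        if auth_type != self.auth_type or (auth_type == 1 and auth != self.auth_str):
            self.stats["Received Authentication Failures"] += 1
            return False
        if adver_int != self.adver_int:
            self.stats["Received Advertisement Interval Errors"] += 1
            return False
        if addrs != self.addrs:
            self.stats["Received Error Address List VRRP Packets"] += 1
            return False
        if prio == 0:
            self.stats["Received Priority Zero"] += 1   # the master is releasing the group
        self.stats["Received Advertisements"] += 1
        return True


def elect_master(candidates):
    """Election rule from the text: highest priority wins; ties go to the highest IP address."""
    return max(candidates, key=lambda c: (c[0], int(ipaddress.IPv4Address(c[1]))))[1]
```

Note what the simple-text check does and does not buy: an advertisement with the wrong string is rejected, but the string itself is visible in every accepted packet, so anyone sniffing the VLAN can copy it into a forged advertisement with priority 255 and win the election.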
20 UNICAST ROUTING This chapter describes how to configure the following unicast routing protocols: RIP – Configures Routing Information Protocol. OSPFv2 – Configures Open Shortest Path First (Version 2) for IPv4. OVERVIEW This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol. It supports RIP, RIP-2 and OSPFv2 dynamic routing.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol To coexist with a network built on multilayer switches, the subnetworks for non-IP protocols must follow the same logical boundary as that of the IP subnetworks. A separate multi-protocol router can then be used to link the subnetworks by connecting to one port from each available VLAN on the network. CONFIGURING THE ROUTING INFORMATION PROTOCOL RIP is one of the oldest and most widely implemented interior routing protocols.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol versions can take a long time to converge on a new route after the failure of a link or router during which time routing loops may occur, and its small hop count limitation of 15 restricts its use to smaller networks. Moreover, RIP (version 1) wastes valuable network bandwidth by propagating routing information via broadcasts; it also considers too few network variables to make the best routing decision.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol RIP send/receive versions set on the RIP Interface settings screen (page 662) always take precedence over the settings for the Global RIP Version. However, when the Global RIP Version is set to "By Interface," any VLAN interface not previously set to a specific receive or send version is set to the following default values: ■ Receive: Accepts RIPv1 or RIPv2 packets.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol access list that filters networks according to the IP address of the router supplying the routing information. ◆ Number of Route Changes – The number of route changes made to the IP route database by RIP. ◆ Number of Queries – The number of responses sent to RIP queries from other systems. Basic Timer Settings NOTE: The timers must be set to the same values for all routers in the network.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol Figure 404: Configuring General Settings for RIP CLEARING ENTRIES FROM THE ROUTING TABLE Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address. CLI REFERENCES ◆ "clear ip rip route" on page 1472 COMMAND USAGE ◆ Clearing "All" types deletes all routes in the RIP table.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol ◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length. ■ Network IP Address – Deletes all related entries for the specified network address. ■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address. WEB INTERFACE To clear entries from the RIP routing table: 1. Click Routing Protocol, RIP, General. 2.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol PARAMETERS These parameters are displayed: ◆ By Address – Adds a network to the RIP routing process. ■ Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified) ■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol Figure 407: Showing Network Interfaces Using RIP SPECIFYING PASSIVE INTERFACES Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface. CLI REFERENCES ◆ "passive-interface" on page 1463 COMMAND USAGE ◆ Network interfaces can be configured to stop RIP broadcast and multicast messages from being sent.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol Figure 408: Specifying a Passive RIP Interface To show the passive RIP interfaces: 1. Click Routing Protocol, RIP, Passive Interface. 2. Select Show from the Action list.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol 3. Add the address of any static neighbors that may not be readily discovered through RIP. 4. Click Apply. Figure 410: Specifying a Static RIP Neighbor To show static RIP neighbors: 1. Click Routing Protocol, RIP, Neighbor Address. 2. Select Show from the Action list.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol ◆ Metric – Metric assigned to all external routes for the specified protocol. (Range: 0-16; Default: the default metric as described under "Configuring General Protocol Settings" on page 651.) A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol Figure 413: Showing External Routes Redistributed into RIP SPECIFYING AN ADMINISTRATIVE DISTANCE Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol WEB INTERFACE To define an administrative distance for external routes learned from other routing protocols: 1. Click Routing Protocol, RIP, Distance. 2. Select Add from the Action list. 3. Enter the distance, the external route, and optionally enter the name of an ACL to filter networks according to the IP address of the router supplying the routing information. 4. Click Apply.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol ◆ "ip rip authentication mode" on page 1467 ◆ "ip rip authentication string" on page 1468 ◆ "ip rip split-horizon" on page 1471 COMMAND USAGE Specifying Receive and Send Protocol Types ◆ Specify the protocol message type accepted (that is, RIP version) and the message type sent (that is, RIP version or compatibility mode) for each RIP interface.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol password. If any incoming protocol messages do not contain the correct password, they are simply dropped. For authentication to function properly, both the sending and receiving interface must be configured with the same password or authentication key.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol ◆ Authentication Type – Specifies the type of authentication required for exchanging RIPv2 protocol messages. (Default: No Authentication) ■ No Authentication: No authentication is required. ■ Simple Password: Requires the interface to exchange routing information with other routers based on an authorized password. The password travels in clear text in every update, so it only prevents accidental peering, not spoofing by anyone who can sniff the segment. (Note that authentication only applies to RIPv2; RIPv1 messages carry no authentication field.) ■ MD5: Message Digest 5 (MD5) authentication, which appends a keyed digest to each message so that the key itself is never sent on the wire.
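The difference between the two RIPv2 authentication types is concrete at the byte level. The following is an added example written for this page, not the switch's code: it builds a RIPv2 Response carrying a simple-password authentication entry (RFC 2453, authentication type 2) and the same Response protected by a keyed-MD5 trailer (RFC 2082, authentication type 3), then shows that a sniffer recovers the clear-text password from the first, while the second can be verified only by a party holding the key, and that its sequence number lets the receiver reject replayed updates. The key, key ID, password and prefixes are assumptions for the demonstration; how this switch manages key IDs is not covered on this page.

```python
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE, AUTH_MD5 = 2, 3      # RFC 2453 simple password; RFC 2082 keyed MD5


def rte(prefix, metric, next_hop="0.0.0.0", tag=0):
    """One 20-byte RIPv2 route entry (AFI 2 = IPv4)."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed, net.netmask.packed,
                       ipaddress.IPv4Address(next_hop).packed, metric)


def build_simple(password, rtes):
    """Response whose first entry carries the password in clear text, zero-padded to 16 bytes."""
    hdr = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    return hdr + auth + b"".join(rtes)


def extract_simple_password(pkt):
    """What a sniffer on the segment sees: the password is recoverable from the bytes."""
    if len(pkt) < 24 or struct.unpack("!HH", pkt[4:8]) != (AFI_AUTH, AUTH_SIMPLE):
        return None
    return pkt[8:24].rstrip(b"\x00").decode(errors="replace")


def build_md5(key, key_id, seq, rtes):
    """Response protected by a keyed-MD5 trailer; the key never appears on the wire."""
    hdr = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    offset = 4 + 20 + 20 * len(rtes)            # byte offset where the authentication trailer starts
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, offset, key_id, 16, seq, b"\x00" * 8)
    body = hdr + auth + b"".join(rtes) + struct.pack("!HH", AFI_AUTH, 1)
    # RFC 2082: digest over the packet with the 16-byte key in place of the digest field
    digest = hashlib.md5(body + key.encode().ljust(16, b"\x00")[:16]).digest()
    return body + digest


def verify_md5(pkt, key, last_seq=None):
    """Return the sequence number if the digest is correct and the sequence is fresh, else None."""
    if len(pkt) < 44 or struct.unpack("!HH", pkt[4:8]) != (AFI_AUTH, AUTH_MD5):
        return None
    offset, key_id, dlen, seq = struct.unpack("!HBBI", pkt[8:16])
    if dlen != 16 or offset + 20 != len(pkt) or pkt[offset:offset + 4] != struct.pack("!HH", AFI_AUTH, 1):
        return None
    expected = hashlib.md5(pkt[:offset + 4] + key.encode().ljust(16, b"\x00")[:16]).digest()
    if not hmac.compare_digest(expected, pkt[offset + 4:]):
        return None
    if last_seq is not None and seq < last_seq:   # RFC 2082: sequence must not go backwards
        return None
    return seq
```

A bit flipped anywhere in the route entries of the MD5-protected packet invalidates the digest, and a captured packet replayed after a newer one is rejected by the sequence check; neither protection exists for the simple-password form.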
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol Figure 416: Configuring a Network Interface for RIP To show the network interface settings configured for RIP: 1. Click Routing Protocol, RIP, Interface. 2. Select Show from the Action list. Figure 417: Showing RIP Network Interface Settings DISPLAYING RIP INTERFACE SETTINGS Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol ◆ Rcv Bad Routes – Number of bad routes received. ◆ Send Updates – Number of route changes. WEB INTERFACE To display RIP interface configuration settings: 1. Click Routing Protocol, RIP, Statistics. 2. Select Show Interface Information from the Action list.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) Figure 419: Showing RIP Peer Information RESETTING RIP STATISTICS Use the Routing Protocol > RIP > Statistics (Reset Statistics) page to reset all statistics for RIP protocol messages. CLI REFERENCES ◆ no comparable command WEB INTERFACE To reset RIP statistics: 1. Click Routing Protocol, RIP, Statistics. 2. Select Reset Statistics from the Action list. 3. Click Reset.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) Figure 421: Configuring OSPF (topology showing an isolated area, a stub area, a normal area and an NSSA joined to the backbone through ABRs and a virtual link, with ASBRs linking Autonomous System A to an external network and to Autonomous System B) COMMAND USAGE ◆ OSPF looks at more than just the simple hop count. When adding the shortest path to any node into the tree, the optimal path is chosen on the basis of the cumulative link cost, which is assigned per interface and is normally set to reflect bandwidth, delay or other link attributes.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ■ You can further optimize the exchange of OSPF traffic by specifying an area range that covers a large number of subnetwork addresses. This is an important technique for limiting the amount of traffic exchanged between Area Border Routers (ABRs). ■ And finally, you must specify a virtual link to any OSPF area that is not physically attached to the OSPF backbone.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) CLI REFERENCES ◆ "router ospf" on page 1476 ◆ "network area" on page 1493 COMMAND USAGE ◆ Specify an Area ID and the corresponding network address range for each OSPF broadcast area. Each area identifies a logical group of OSPF routers that actively exchange Link State Advertisements (LSAs) to ensure that they share an identical view of the network topology. ◆ Each area must be connected to a backbone area.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) WEB INTERFACE To define an OSPF area and the interfaces that operate within this area: 1. Click Routing Protocol, OSPF, Network Area. 2. Select Add from the Action list. 3. Configure a backbone area that is contiguous with all the other areas in the network, and configure an area for all of the other OSPF interfaces. 4.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) Figure 425: Showing OSPF Process Identifiers CONFIGURING GENERAL PROTOCOL SETTINGS To implement dynamic OSPF routing, first assign VLAN groups to each IP subnet to which this router will be attached (as described in the preceding section), then use the Routing Protocol > OSPF > System (Configure) page to assign a Router ID to this device, and set the other basic protocol parameters.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ◆ Auto Cost – Calculates the cost for an interface by dividing the reference bandwidth by the interface bandwidth. The reference bandwidth is defined in Mbits per second. (Range: 1-4294967) With the default reference bandwidth this calculation yields 0.1 for Gigabit ports and 0.01 for 10 Gigabit ports; because an interface cost is an integer of at least 1 (see the Cost range under "Configuring OSPF Interfaces"), both port types end up with the same cost of 1. Raise the reference bandwidth (for example to 10000) so that 10 Gigabit and aggregate links receive a distinctly lower cost and are preferred over slower paths.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ◆ Advertise Default Route – The router can advertise a default external route into the autonomous system (AS). (Options: Not Always, Always; Default: Not Always) ■ Always – The router will advertise itself as a default external route for the local AS, even if a default external route does not actually exist. (To define a default route, see "Configuring Static Routes" on page 633.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) Figure 427: Configure General Settings for OSPF DISPLAYING ADMINISTRATIVE SETTINGS AND STATISTICS Use the Routing Protocol > OSPF > System (Show) page to display general administrative settings and statistics for OSPF.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) Table 38: OSPF System Information (Continued)
ABR Status (Area Border Router) – Indicates if this router connects directly to networks in two or more areas. An area border router runs a separate copy of the Shortest Path First algorithm, maintaining a separate routing database for each area.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ADDING AN NSSA OR STUB Use the Routing Protocol > OSPF > Area (Configure Area – Add Area) page to add a not-so-stubby area (NSSA) or a stubby area (Stub). CLI REFERENCES ◆ "router ospf" on page 1476 ◆ "area stub" on page 1489 ◆ "area nssa" on page 1487 COMMAND USAGE ◆ This router supports up to 5 stubs or NSSAs.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) To show the NSSA or stubs added to the specified OSPF domain: 1. Click Routing Protocol, OSPF, Area. 2. Select Configure Area from the Step list. 3. Select Show Area from the Action list. 4. Select a Process ID.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) CLI REFERENCES ◆ "router ospf" on page 1476 ◆ "area default-cost" on page 1481 ◆ "area nssa" on page 1487 COMMAND USAGE ◆ Before creating an NSSA, first specify the address range for the area (see "Defining Network Areas Based on Addresses" on page 670). Then create an NSSA as described under "Adding an NSSA or Stub" on page 678.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ◆ Redistribute – Disable this option when the router is an NSSA Area Border Router (ABR) and routes only need to be imported into normal areas (see "Redistributing External Routes" on page 687), but not into the NSSA. In other words, redistribution should be disabled to prevent the NSSA ABR from advertising external routing information (learned through routers in other areas) into the NSSA.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) 5. Click Apply. Figure 432: Configuring Protocol Settings for an NSSA CONFIGURING STUB SETTINGS Use the Routing Protocol > OSPF > Area (Configure Area – Configure Stub Area) page to configure protocol settings for a stub. A stub does not accept external routing information.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ◆ A stub can have multiple ABRs or exit points. However, all of the exit points and local routers must contain the same external routing data so that the exit point does not need to be determined for each external destination. PARAMETERS These parameters are displayed: ◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 670). ◆ Area ID – Identifier for a stub.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) Figure 434: Configuring Protocol Settings for a Stub DISPLAYING INFORMATION ON NSSA AND STUB AREAS Use the Routing Protocol > OSPF > Area (Show Information) page to display protocol information on NSSA and Stub areas. CLI REFERENCES ◆ "show ip ospf" on page 1502 PARAMETERS These parameters are displayed: ◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 670).
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) Figure 435: Displaying Information on NSSA and Stub Areas CONFIGURING AREA RANGES (ROUTE SUMMARIZATION FOR ABRS) An OSPF area can include a large number of nodes. If the Area Border Router (ABR) has to advertise route information for each of these nodes, this wastes a lot of bandwidth and processor time.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) PARAMETERS These parameters are displayed: ◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 670). ◆ Area ID – Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address, or also as a four octet unsigned integer ranging from 0-4294967295. ◆ Range Network – Base address for the routes to summarize.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) 3. Select the process ID. Figure 438: Showing Configured Route Summaries REDISTRIBUTING EXTERNAL ROUTES Use the Routing Protocol > OSPF > Redistribute (Add) page to import external routing information from other routing protocols, static routes, or directly connected routes into the autonomous system, and to generate AS-external-LSAs.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ◆ Protocol Type – Specifies the external routing protocol type for which routing information is to be redistributed into the local routing domain. (Options: RIP, Static; Default: RIP) ◆ Metric Type – Indicates the method used to calculate external route costs.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) Figure 440: Importing External Routes To show the imported external route types: 1. Click Routing Protocol, OSPF, Redistribute. 2. Select Show from the Action list. 3. Select the process ID.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) CLI REFERENCES ◆ "router ospf" on page 1476 ◆ "summary-address" on page 1486 COMMAND USAGE ◆ If you are not sure what address ranges to consolidate, first enable external route redistribution via the Redistribute configuration screen, view the routes imported into the routing table, and then configure one or more summary addresses to reduce the size of the routing table and consolidate these external routes for adver
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) To show the summary addresses for external routes: 1. Click Routing Protocol, OSPF, Summary Address. 2. Select Show from the Action list. 3. Select the process ID. Figure 443: Showing Summary Addresses for External Routes CONFIGURING OSPF INTERFACES You should specify a routing interface for any local subnet that needs to communicate with other network segments located on this router or elsewhere in the network.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ◆ IP Address – Address of the interfaces assigned to a VLAN on the Network Area (Add) page. This parameter only applies to the Configure by Address page. ◆ Cost – Sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. (Range: 1-65535; Default: 1) The interface cost indicates the overhead required to send packets across a certain interface.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) ◆ Transmit Delay – Sets the estimated time to send a link-state update packet over an interface. (Range: 1-65535 seconds; Default: 1 second) LSAs have their age incremented by this delay before transmission. You should consider both the transmission and propagation delays for an interface when estimating this delay. Set the transmit delay according to link speed, using larger values for lower-speed links.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2) the OSPF header when routing protocol packets are originated by this device. A different password can be assigned to each network interface, but the password must be used consistently on all neighboring routers throughout a network (that is, autonomous system). All neighboring routers in the same network with the same password will exchange routing data.
Figure 444: Configuring Settings for All Interfaces Assigned to a VLAN

To configure interface settings for a specific area assigned to a VLAN:
1. Click Routing Protocol, OSPF, Interface.
2. Select Configure by Address from the Action list.
3. Specify the VLAN ID, enter the address assigned to an area, and configure the required interface settings.
4. Click Apply.
Figure 445: Configuring Settings for a Specific Area Assigned to a VLAN

To show the configuration settings for OSPF interfaces:
1. Click Routing Protocol, OSPF, Interface.
2. Select Show from the Action list.
3. Select the VLAN ID.

Figure 446: Showing OSPF Interfaces

To show the MD5 authentication keys configured for an interface:
1. Click Routing Protocol, OSPF, Interface.
2.
Figure 447: Showing MD5 Authentication Keys

CONFIGURING VIRTUAL LINKS
Use the Routing Protocol > OSPF > Virtual Link (Add) and (Configure Detailed Settings) pages to configure a virtual link from an area that does not have a direct physical connection to the OSPF backbone. All OSPF areas must connect to the backbone.
CLI REFERENCES
◆ "router ospf" on page 1476
◆ "area virtual-link" on page 1490

COMMAND USAGE
◆ Use the Add page to create a virtual link, and then use the Configure Detailed Settings page to set the protocol timers and authentication settings for the link. The parameters to be configured on the Configure Detailed Settings page are described under "Configuring OSPF Interfaces" on page 691.
To show virtual links:
1. Click Routing Protocol, OSPF, Virtual Link.
2. Select Show from the Action list.
3. Select the process ID.

Figure 450: Showing Virtual Links

To configure detailed settings for a virtual link:
1. Click Routing Protocol, OSPF, Virtual Link.
2. Select Configure Detailed Settings from the Action list.
3.
Figure 452: Showing MD5 Authentication Keys

DISPLAYING LINK STATE DATABASE INFORMATION
Use the Routing Protocol > OSPF > Information (LSDB) page to show the Link State Advertisements (LSAs) sent by OSPF routers advertising routes. The full collection of LSAs collected by a router interface from the attached area is known as a link state database.
CLI REFERENCES
◆ "show ip ospf database" on page 1505

PARAMETERS
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 670).
◆ Query by – The LSA database can be searched using the following criteria:
  ■ Self-Originate – LSAs generated by this router.
  ■ Link ID – LSAs advertising a specific link.
Figure 453: Displaying Information in the Link State Database

DISPLAYING INFORMATION ON
Use the Routing Protocol > OSPF > Information (Neighbor) page to display information about neighboring routers on each interface.
  ■ Attempt – Connection down, but attempting contact (non-broadcast networks)
  ■ Init – Have received Hello packet, but communications not yet established
  ■ Two-way – Bidirectional communications established
  ■ ExStart – Initializing adjacency between neighbors
  ■ Exchange – Database descriptions being exchanged
  ■ Loading – LSA databases being exchanged
  ■ Full – Neighboring routers now fully adjacent
Identif
21 MULTICAST ROUTING

This chapter describes the following multicast routing topics:
◆ Enabling Multicast Routing Globally – Describes how to globally enable multicast routing.
◆ Displaying the Multicast Routing Table – Describes how to display the multicast routing table.
◆ Configuring PIM for IPv4 – Describes how to configure PIM-DM and PIM-SM for IPv4.
◆ Configuring PIMv6 for IPv6 – Describes how to configure PIM-DM and PIM-SM (Version 6) for IPv6.
CHAPTER 21 | Multicast Routing
Overview

PIM-DM is a simple multicast routing protocol that uses flood and prune to build a source-routed multicast delivery tree for each multicast source-group pair. As mentioned above, it does not maintain its own routing table, but instead uses the routing table provided by whatever unicast routing protocol is enabled on the router interface.
group addresses. The BSR places information about all of the candidate RPs in subsequent bootstrap messages. The BSR and all the routers receiving these messages use the same hash algorithm to elect an RP for each multicast group. If each router is properly configured, the results of the election process will be the same for each router. Each elected RP then starts to serve as the root of a shared distribution tree for one or more multicast groups.
Configuring Global Settings for Multicast Routing

data transmission delays. The switch can also be configured to use SPT only for specific multicast groups, or to disable the change over to SPT for specific groups.
DISPLAYING THE MULTICAST ROUTING TABLE
Use the Multicast > Multicast Routing > Information page to display information on each multicast route it has learned through PIM. The router learns multicast routes from neighboring routers, and also advertises these routes to its neighbors. The router stores entries for all paths learned by itself or from other routers, without considering actual group membership or prune messages.
Show Details
◆ Group Address – IP group address for a multicast service.
◆ Source Address – Subnetwork containing the IP multicast source.
◆ Source Mask – Network mask for the IP multicast source.
◆ Upstream Neighbor – The multicast router (RPF Neighbor) immediately upstream for this group.
◆ Upstream Interface – Interface leading to the upstream neighbor.
◆ Up Time – Time since this entry was created.
  ■ Pruned – This route has been terminated.
  ■ Registering – A downstream device is registering for a multicast source.

WEB INTERFACE
To display the multicast routing table:
1. Click Multicast, Multicast Routing, Information.
2. Select Show Summary from the Action List.

Figure 456: Displaying the Multicast Routing Table

To display detailed information on a specific flow in the multicast routing table:
1.
CONFIGURING PIM FOR IPV4
This section describes how to configure PIM-DM and PIM-SM for IPv4.

ENABLING PIM GLOBALLY
Use the Routing Protocol > PIM > General page to enable IPv4 PIM routing globally on the router.

CLI REFERENCES
◆ "router pim" on page 1554

COMMAND USAGE
◆ This feature enables PIM-DM and PIM-SM globally for the router.
◆ PIM and IGMP proxy cannot be used at the same time. When an interface is set to use PIM Dense mode or Sparse mode, IGMP proxy cannot be enabled on any interface of the device (see "Configuring IGMP Snooping and Query Parameters" on page 515). Also, when IGMP proxy is enabled on an interface, PIM cannot be enabled on any interface.
Hello messages are sent to neighboring PIM routers from which this device has received probes, and are used to verify whether or not these neighbors are still active members of the multicast tree. PIM-SM routers use these messages not only to inform neighboring routers of their presence, but also to determine which router for each LAN segment will serve as the Designated Router (DR).
The override interval and the propagation delay are used to calculate the LAN prune delay. If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message, then the override interval represents the time required for the downstream router to process the message and then respond by sending a Join message back to the upstream router to ensure that the flow is not terminated.
of each router in the tree. This also enables PIM routers to recognize topology changes (sources joining or leaving a multicast group) before the default three-minute state timeout expires. This command is only effective on interfaces of first-hop PIM-DM routers that are directly connected to the sources of multicast groups.
Figure 459: Configuring PIM Interface Settings (Dense Mode)

Figure 460: Configuring PIM Interface Settings (Sparse Mode)
DISPLAYING NEIGHBOR INFORMATION
Use the Routing Protocol > PIM > Neighbor page to display all neighboring PIM routers.

CLI REFERENCES
◆ "show ip pim neighbor" on page 1562

PARAMETERS
These parameters are displayed:
◆ Address – IP address of the next-hop router.
◆ VLAN – VLAN that is attached to this neighbor.
◆ Uptime – The duration this entry has been active.
◆ Expire – The time before this entry will be removed.
◆ Register Source – Configures the IP source address of a register message to an address other than the outgoing interface address of the DR that leads back toward the RP.
Figure 462: Configuring Global Settings for PIM-SM

CONFIGURING A BSR CANDIDATE
Use the Routing Protocol > PIM > SM (BSR Candidate) page to configure the switch as a Bootstrap Router (BSR) candidate.

CLI REFERENCES
◆ "ip pim bsr-candidate" on page 1564

COMMAND USAGE
◆ When this router is configured as a BSR candidate, it starts sending bootstrap messages to all of its PIM-SM neighbors.
with the same seed hash will be mapped to the same RP. If the mask length is less than 32, then only the first portion of the hash is used, and a single RP will be defined for multiple groups. (Range: 0-32; Default: 10)
◆ Priority – Priority used by the candidate bootstrap router in the election process. The BSR candidate with the largest priority is preferred.
◆ If an IP address is specified that was previously used for an RP, then the older entry is replaced.
◆ Multiple RPs can be defined for different groups or group ranges. If a group is matched by more than one entry, the router will use the RP associated with the longer group prefix length. If the prefix lengths are the same, then the static RP with the highest IP address is chosen.
Figure 464: Configuring a Static Rendezvous Point

To display static rendezvous points:
1. Click Multicast, Multicast Routing, SM.
2. Select RP Address from the Step list.
3. Select Show from the Action list.

Figure 465: Showing Static Rendezvous Points

CONFIGURING AN RP CANDIDATE
Use the Routing Protocol > PIM > SM (RP Candidate) page to configure the switch to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR).
◆ The election process for each group is based on the following criteria:
  ■ Find all RPs with the most specific group range.
  ■ Select those with the highest priority (lowest priority value).
  ■ Compute hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages.
  ■ If there is a tie, use the candidate RP with the highest IP address.
Figure 466: Configuring an RP Candidate

To display settings for an RP candidate:
1. Click Multicast, Multicast Routing, PIM-SM.
2. Select RP Candidate from the Step list.
3. Select Show from the Action list.
4. Select an interface from the VLAN list.
◆ Priority – Priority value used by this BSR candidate.
◆ Hash Mask Length – The number of significant bits used in the multicast group comparison mask by this BSR candidate.
◆ Expire – The time before the BSR is declared down.
◆ Role – Candidate or non-candidate BSR.
◆ State – Operation state of BSR includes:
  ■ No information – No information is stored for this device.
Figure 468: Showing Information About the BSR

DISPLAYING RP MAPPING
Use the Routing Protocol > PIM > SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.

CLI REFERENCES
◆ "show ip pim rp mapping" on page 1574

PARAMETERS
These parameters are displayed:
◆ Groups – A multicast group address.
◆ RP Address – IP address of the RP for the listed multicast group.
Figure 469: Showing RP Mapping

CONFIGURING PIMV6 FOR IPV6
This section describes how to configure PIM-DM and PIM-SM for IPv6.

ENABLING PIM GLOBALLY
Use the Routing Protocol > PIM6 > General page to enable IPv6 PIM routing globally on the router.

CLI REFERENCES
◆ "router pim6" on page 1577

COMMAND USAGE
◆ This feature enables PIM-DM and PIM-SM for IPv6 globally on the router.
CONFIGURING PIM INTERFACE SETTINGS
Use the Routing Protocol > PIM6 > Interface page to configure the routing protocol's functional attributes for each interface.

CLI REFERENCES
◆ "IPv6 PIM Commands" on page 1575

COMMAND USAGE
◆ Most of the attributes on this page are common to both PIM6-DM and PIM6-SM. Select Dense or Sparse Mode to display the common attributes, as well as those applicable to the selected mode.
◆ Hello Holdtime – Sets the interval to wait for hello messages from a neighboring PIM router before declaring it dead. Note that the hello holdtime should be greater than or equal to the value of Hello Interval, otherwise it will be automatically set to 3.5 x the Hello Interval. (Range: 1-65535 seconds; Default: 105 seconds, or 3.
command effectively prompts any downstream neighbors with hosts receiving the flow to reply with a Join message. If no join messages are received after the prune delay expires, this router will prune the flow. The sum of the Override Interval and Propagation Delay is used to calculate the LAN prune delay.
◆ Max. Graft Retries – The maximum number of times to resend a Graft message if it has not been acknowledged. (Range: 1-10; Default: 3)
◆ State Refresh Origination Interval – The interval between sending PIM-DM state refresh control messages. (Range: 1-100 seconds; Default: 60 seconds) The pruned state times out approximately every three minutes and the entire PIM-DM network is re-flooded with multicast packets and prune messages.
prune state for this (source, group) pair until the join/prune interval timer expires.

WEB INTERFACE
To configure PIMv6 interface settings:
1. Click Routing Protocol, PIM6, Interface.
2. Modify any of the protocol parameters as required.
3. Click Apply.
Figure 472: Configuring PIMv6 Interface Settings (Sparse Mode)

DISPLAYING NEIGHBOR INFORMATION
Use the Routing Protocol > PIM6 > Neighbor page to display all neighboring PIMv6 routers.

CLI REFERENCES
◆ "show ip pim neighbor" on page 1562

PARAMETERS
These parameters are displayed:
◆ Address – IP address of the next-hop router.
◆ VLAN – VLAN that is attached to this neighbor.
◆ Uptime – The duration this entry has been active.
CONFIGURING GLOBAL PIM6-SM SETTINGS
Use the Routing Protocol > PIM6 > PIM6-SM (Configure Global) page to configure the rate at which register messages are sent, the source of register messages, and switchover to the Shortest Path Tree (SPT).
WEB INTERFACE
To configure global settings for PIM6-SM:
1. Click Routing Protocol, PIM6, PIM6-SM.
2. Select Configure Global from the Step list.
3. Set the register rate limit and source of register messages if required. Also specify any multicast groups which must be routed across the shared tree, instead of switching over to the SPT.
4. Click Apply.
PARAMETERS
These parameters are displayed:
◆ BSR Candidate Status – Configures the switch as a Bootstrap Router (BSR) candidate. (Default: Disabled)
◆ VLAN ID – Identifier of configured VLAN interface. (Range: 1-4093)
◆ Hash Mask Length – Hash mask length (in bits) used for RP selection (see "Configuring a PIM6 Static Rendezvous Point" on page 738 and "Configuring a PIM6 RP Candidate" on page 739).
CONFIGURING A PIM6 STATIC RENDEZVOUS POINT
Use the Routing Protocol > PIM6 > PIM6-SM (RP Address) page to configure a static address as the Rendezvous Point (RP) for a particular multicast group.

CLI REFERENCES
◆ "ipv6 pim rp-address" on page 1590

COMMAND USAGE
◆ The router will act as an RP for all multicast groups in the local PIM6-SM domain if no groups are specified.
3. Specify the static RP to use for a multicast group, or a range of groups by using a subnet mask.
4. Click Apply.

Figure 476: Configuring a PIM6 Static Rendezvous Point

To display static rendezvous points:
1. Click Routing Protocol, PIM6, PIM6-SM.
2. Select RP Address from the Step list.
3. Select Show from the Action list.
from the BSR also elects an active RP for each group range using the same election process.
◆ The election process for each group is based on the following criteria:
  ■ Find all RPs with the most specific group range.
  ■ Select those with the highest priority (lowest priority value).
  ■ Compute hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages.
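The RP election criteria listed here, in the IPv4 RP Candidate section, and the hash-mask behaviour described for the BSR candidate (groups sharing the masked prefix map to the same RP) can be run end to end. The block below is an added example, not the switch's code and not from this guide: it filters candidates by most specific range and then by lowest priority value, and breaks the remaining tie with the hash function from RFC 4601 section 4.7.2 (group address masked by the hash mask, and RP address), highest hash winning and highest RP address winning an exact tie. It uses IPv4 addresses only; the candidate sets and group addresses are constructed sample values.

```python
import ipaddress

# Added example, not the switch's own code: the RP election that PIM-SM routers
# run over the candidate-RP set learned from the BSR, with the hash function
# from RFC 4601 section 4.7.2. IPv4 only; all inputs are constructed samples.


def rp_hash(group, hash_mask_len, rp_addr):
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31.
    Groups that share the masked prefix G & M get the same value for a given RP,
    so a shorter hash mask maps more groups onto one RP."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp_addr))
    m = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = (1103515245 * (g & m) + 12345) & 0xFFFFFFFF
    return (1103515245 * (inner ^ c) + 12345) % (1 << 31)


def elect_rp(group, candidates, hash_mask_len):
    """candidates: iterable of (rp_address, group_range_cidr, priority).
    Returns the winning rp_address, or None if no range covers the group."""
    g = ipaddress.IPv4Address(group)
    matching = [(addr, ipaddress.IPv4Network(rng), prio)
                for addr, rng, prio in candidates
                if g in ipaddress.IPv4Network(rng)]
    if not matching:
        return None
    # 1. keep only the most specific (longest) group range
    longest = max(net.prefixlen for _, net, _ in matching)
    matching = [c for c in matching if c[1].prefixlen == longest]
    # 2. keep only the highest priority, i.e. the lowest numeric value
    best_prio = min(prio for _, _, prio in matching)
    matching = [c for c in matching if c[2] == best_prio]
    # 3. highest hash value wins; 4. an exact tie goes to the highest RP address
    winner = max(matching,
                 key=lambda c: (rp_hash(group, hash_mask_len, c[0]),
                                int(ipaddress.IPv4Address(c[0]))))
    return winner[0]


if __name__ == "__main__":
    cands = [("10.0.0.1", "224.0.0.0/4", 192), ("10.0.0.2", "224.0.0.0/4", 192)]
    # with a 30-bit hash mask, 239.1.1.0 .. 239.1.1.3 all land on the same RP
    for grp in ("239.1.1.0", "239.1.1.3", "239.1.1.4"):
        print(grp, "->", elect_rp(grp, cands, 30))
```

Because every router runs this same deterministic computation over the same bootstrap data, a router whose candidate set or hash mask length differs from its neighbours will elect a different RP for some groups, which is the inconsistency the "if each router is properly configured" remark in the overview is warning about.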
multicast group address and mask indicating the groups for which this router is bidding to become the RP.
4. Click Apply.

Figure 478: Configuring a PIM6 RP Candidate

To display settings for an RP candidate:
1. Click Routing Protocol, PIM6, PIM6-SM.
2. Select RP Candidate from the Step list.
3. Select Show from the Action list.
4. Select an interface from the VLAN list.
◆ Priority – Priority value used by this BSR candidate.
◆ Hash Mask Length – The number of significant bits used in the multicast group comparison mask by this BSR candidate.
◆ Expire – The time before the BSR is declared down.
◆ Role – Candidate or non-candidate BSR.
◆ State – Operation state of BSR includes:
  ■ No information – No information is stored for this device.
Figure 480: Showing Information About the PIM6 BSR

DISPLAYING RP MAPPING
Use the Routing Protocol > PIM6 > PIM6-SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.

CLI REFERENCES
◆ "show ipv6 pim rp mapping" on page 1597

PARAMETERS
These parameters are displayed:
◆ Groups – A multicast group address.
◆ RP Address – IP address of the RP for the listed multicast group.
Figure 481: Showing PIM6 RP Mapping
SECTION III COMMAND LINE INTERFACE

This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
SECTION III | Command Line Interface
◆ "Class of Service Commands" on page 1155
◆ "Quality of Service Commands" on page 1169
◆ "Multicast Filtering Commands" on page 1185
◆ "LLDP Commands" on page 1285
◆ "CFM Commands" on page 1309
◆ "Domain Name Service Commands" on page 1351
◆ "DHCP Commands" on page 1361
◆ "VRRP Commands" on page 1381
◆ "IP Interface Commands" on page 1391
◆ "IP Routing Commands" on page 1447
◆ "Multicast Routing Commands" on page 1545
22 USING THE COMMAND LINE INTERFACE

This chapter describes how to use the Command Line Interface (CLI).

NOTE: You can only access the console interface through the Master unit in the stack.

ACCESSING THE CLI
When accessing the management interface for the switch over a direct connection to the server's console port, or via a Telnet or Secure Shell (SSH) connection, the switch can be managed by entering command keywords and parameters at the prompt.
CHAPTER 22 | Using the Command Line Interface
Accessing the CLI

TELNET CONNECTION
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
NOTE: You can open up to eight sessions to the device via Telnet or SSH.

ENTERING COMMANDS
This section describes how to enter CLI commands.

KEYWORDS AND ARGUMENTS
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
GETTING HELP ON COMMANDS
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the "?" character to list keywords or parameters.

SHOWING COMMANDS
If you enter a "?" at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
  radius-server          RADIUS server information
  reload                 Shows the reload settings
  rmon                   Remote Monitoring Protocol
  rspan                  Display status of the current RSPAN configuration
  running-config         Information on the running configuration
  sflow                  Shows the sflow information
  snmp                   Simple Network
  sntp
  spanning-tree
  ssh
  startup-config
  subnet-vlan
  system
  tacacs-server
  tech-support
  time-range
  traffic-segmentation
  upgrade
  users
  version
  vlan
  voice
  vrrp
  web-auth
Console#show
NEGATING THE EFFECT OF COMMANDS
For many configuration commands you can enter the prefix keyword "no" to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.
display the "Console#" command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password "super." To enter Privileged Exec mode, enter the following user names and passwords:

Username: admin
Password: [admin login password]

CLI session with the GTL-2691 is opened.
To end the CLI session, enter [Exit].
◆ Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
◆ Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance.
◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces.
Table 40: Configuration Command Modes (Continued)
Mode         Command                                        Prompt                        Page
Router       router {ipv6 ospf | ospf | pim | pim6 | rip}   Console(config-router)        1517, 1476, 1554, 1577, 1458
Time Range   time-range                                     Console(config-time-range)    818
VLAN         vlan database                                  Console(config-vlan)          1113

For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
Console(config)#interface etherne
Table 41: Keystroke Commands (Continued)
Keystroke                     Function
Esc-F                         Moves the cursor forward one word.
Delete key or backspace key   Erases a mistake when entering a command.

CLI COMMAND GROUPS
The system commands can be broken down into the functional groups shown below.
Table 42: Command Group Index (Continued)
Command Group   Description                                                                                                                          Page
Address Table   Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time   1055
Spanning Tree   Configures Spanning Tree settings for the switch                                                                                     1061
ERPS            Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks   1089
PM (Policy Map Configuration)
RC (Router Configuration)
VC (VLAN Database Configuration)
23 GENERAL COMMANDS

These commands are used to control the command access mode, configuration mode, and other basic functions.
CHAPTER 23 | General Commands

EXAMPLE
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
COMMAND USAGE
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See "copy" on page 780).
EXAMPLE
Console>enable
Password: [privileged level password]
Console#

RELATED COMMANDS
disable (764)
enable password (864)

quit
This command exits the configuration program.

DEFAULT SETTING
None

COMMAND MODE
Normal Exec, Privileged Exec

COMMAND USAGE
The quit and exit commands can both exit the configuration program.
EXAMPLE
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history

Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the confi
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes" on page 752.

DEFAULT SETTING
None

COMMAND MODE
Privileged Exec

COMMAND USAGE
The ">" character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#

end
This command returns to Privileged Exec mode.
EXAMPLE
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit

Press ENTER to start session
User Access Verification
Username:
24 SYSTEM MANAGEMENT COMMANDS

These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
CHAPTER 24 | System Management Commands
Device Designation

hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

SYNTAX
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)

DEFAULT SETTING
None

COMMAND MODE
Global Configuration

EXAMPLE
Console(config)#hostname RD#1
Console(config)#

switch all renumber
This command resets the switch unit identification numbers in the stack.
SYSTEM STATUS
This section describes commands used to display system information.
show memory
This command shows memory utilization parameters.

COMMAND MODE
Normal Exec, Privileged Exec

COMMAND USAGE
This command shows the amount of memory currently free for use, the amount of memory allocated to active processes, and the total amount of system memory.
show running-config
This command displays the configuration information currently in use.

SYNTAX
show running-config [interface interface]
interface
  ethernet unit/port
    unit - Stack unit. (Range: 1-8)
    port - Port number. (Range: 1-26)
  port-channel channel-id (Range: 1-32)
  vlan vlan-id (Range: 1-4093)

COMMAND MODE
Privileged Exec

COMMAND USAGE
◆ Use the interface keyword to display configuration data for the specified interface.
!00_00-00-00-00-00-00_00
!00_00-00-00-00-00-00_00
!
snmp-server community public ro
snmp-server community private rw
!
snmp-server enable traps authentication
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
v
◆ This command displays settings for key command modes. Each mode group is separated by "!" symbols, and includes the configuration mode command, and corresponding commands.
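The password lines in the running-config output above carry 32-hex-digit values, and the guide names the factory defaults: login users admin and guest, and the privileged-level password "super" (page 753). The block below is an added audit check, not the switch's own code and not from this guide: it computes the unsalted MD5 of just those documented defaults and flags any "password 7" line still carrying one of those digests, plus the well-known public/private SNMP community strings shown in the same dump. This is the check to run over configuration backups before a device goes into service, since anyone able to read the backup can make the same comparison. The sample config text is constructed from the lines above.

```python
import hashlib
import re

# Added example, not the switch's own code. Constructed sample built from the
# show running-config lines above; only the factory-default passwords that this
# guide names are checked, so the audit reports unchanged defaults, nothing more.
SAMPLE_RUNNING_CONFIG = """\
!
snmp-server community public ro
snmp-server community private rw
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
"""

# Defaults named in this guide: the admin and guest login users and the
# privileged level password "super" (page 753).
DEFAULT_PASSWORDS = ("admin", "guest", "super")

USER_LINE = re.compile(r"^username (\S+) password 7 ([0-9a-f]{32})$")
ENABLE_LINE = re.compile(r"^enable password level (\d+) 7 ([0-9a-f]{32})$")
SNMP_LINE = re.compile(r"^snmp-server community (public|private) (ro|rw)$")


def default_credential_findings(config_text, defaults=DEFAULT_PASSWORDS):
    """Return a list of (item, reason) for every credential still at a
    documented default. The 32-hex 'password 7' field is compared against
    the unsalted MD5 hex digest of each default password."""
    digests = {hashlib.md5(word.encode()).hexdigest(): word for word in defaults}
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USER_LINE.match(line)
        if m and m.group(2) in digests:
            findings.append(("username " + m.group(1),
                             "password is default '%s'" % digests[m.group(2)]))
            continue
        m = ENABLE_LINE.match(line)
        if m and m.group(2) in digests:
            findings.append(("enable level " + m.group(1),
                             "password is default '%s'" % digests[m.group(2)]))
            continue
        m = SNMP_LINE.match(line)
        if m:
            findings.append(("snmp community " + m.group(1),
                             "well-known community string with %s access" % m.group(2)))
    return findings


if __name__ == "__main__":
    for item, reason in default_credential_findings(SAMPLE_RUNNING_CONFIG):
        print("%-24s %s" % (item, reason))
```

The wordlist is deliberately limited to the defaults the guide documents; the point is to catch devices that shipped with these values and were never changed, and to show why a running-config dump has to be handled as a secret.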
EXAMPLE
Console#show system
System Description : GTL-2691 Managed L3 Stackable Switch
System OID String : 1.3.6.1.4.1.22426.1.269101
System Information
System Up Time : 0 days, 0 hours, 21 minutes, and 47.
Telnet Server Port: 23
Jumbo Frame: Disabled
. . .

show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.

DEFAULT SETTING
None

COMMAND MODE
Normal Exec, Privileged Exec

COMMAND USAGE
The session used to execute this command is indicated by a "*" symbol next to the Line (i.e., session) index number.
CHAPTER 24 | System Management Commands Frame Size EXAMPLE Console#show version Unit 1 Serial Number Hardware Version EPLD Version Number of Ports Main Power Status Redundant Power Status Role Loader Version Linux Kernel Version Boot ROM Version Operation Code Version : : : : : : : : : : : S123456 R0A 1.06 26 Up Not present Master 1.3.2.3 2.6.19.2-0.1 0.0.0.1 1.4.2.0 Console# FRAME SIZE This section describes commands used to configure the Ethernet frame size on the switch.
CHAPTER 24 | System Management Commands Fan Control between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames. ◆ This command globally enables support for jumbo frames on all Gigabit and 10 Gigabit ports and trunks. To set the MTU for a specific interface, enable jumbo frames and use the switchport mtu command to specify the required size of the MTU.
FILE MANAGEMENT

Managing Firmware
Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.

General Commands

boot system
This command specifies the file or image used to start up the system.

SYNTAX
boot system [unit:] {boot-rom: | config: | opcode:} filename
  unit - Stack unit. (Range: 1-8)
  boot-rom - Boot ROM.
  config - Configuration file.
  opcode - Run-time operation code.
  filename - Name of configuration file or code image.

copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.

COMMAND USAGE (continued)
◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
◆ To replace the startup configuration, you must use startup-config as the destination.
◆ Use the copy file unit command to copy a local file to another switch in the stack. Use the copy unit file command to copy a file from another switch in the stack.
EXAMPLE
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.

This example shows how to copy a code image from an FTP server to a file in flash memory (the first keyword names the source, the second the destination).
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[Anonymous]: admin
Password[]: *****
Choose file type: 1. config; 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#

delete
This command deletes a file or image.

SYNTAX
delete [unit:] filename
  unit - Stack unit. (Range: 1-8)
  filename - Name of configuration file or code image.

dir
This command displays a list of files in flash memory.

SYNTAX
dir [unit:] {boot-rom: | config: | opcode:} [filename]
  unit - Stack unit. (Range: 1-8)
  boot-rom - Boot ROM (or diagnostic) image file.
  config - Switch configuration file.
  opcode - Run-time operation code image file.
  filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.

whichboot
This command displays which files were booted when the system powered up.

SYNTAX
whichboot [unit]
  unit - Stack unit. (Range: 1-8)

DEFAULT SETTING
None

COMMAND MODE
Privileged Exec

EXAMPLE
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
1. It will search for a new version of the image at the location specified by the upgrade opcode path command (page 786). The name for the new image stored on the TFTP server must be GTL-2691.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
2.

upgrade opcode path

DEFAULT SETTING
None

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be GTL-2691.bix. However, note that the file name is not to be included in this command.
◆ TFTP provides neither authentication nor integrity protection, so the switch cannot verify who served the image it downloads. Keep the TFTP server on a management network that untrusted hosts cannot reach or spoof, and confirm the running version with show version after an automatic upgrade.

upgrade opcode reload

COMMAND MODE
Global Configuration

EXAMPLE
Console(config)#upgrade opcode reload
Console(config)#

show upgrade
This command shows the opcode upgrade configuration settings.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show upgrade
Auto Image Upgrade Global Settings:
  Status        : Disabled
  Reload Status : Disabled
  Path          :
  File Name     : GTL-2691.
LINE

Table 51: Line Commands (Continued)
Command          Function                                                                                  Mode
password-thresh  Sets the password intrusion threshold, which limits the number of failed logon attempts   LC
silent-time*     Sets the amount of time the management console is inaccessible after the number of
                 unsuccessful logon attempts exceeds the threshold set by the password-thresh command      LC
speed*           Sets the terminal baud rate                                                               LC
stopbits*        Sets the number of the stop bits transmitted per byte                                     LC

databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.

SYNTAX
databits {7 | 8}
no databits
  7 - Seven data bits per character.
  8 - Eight data bits per character.

COMMAND USAGE (session timeout)
◆ If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.

login
◆ This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.

EXAMPLE
Console(config-line)#login local
Console(config-line)#

RELATED COMMANDS
username (865)
password (793)

parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
password
This command specifies the password for a line. Use the no form to remove the password.

SYNTAX
password {0 | 7} password
no password
  {0 | 7} - 0 means plain password, 7 means encrypted password
  password - Character string that specifies the line password. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)

DEFAULT SETTING
No password is specified.

COMMAND USAGE
◆ The 32-character “encrypted” form is the password hash as it is stored in the configuration (compare the username lines in the show running-config example). It is a digest, not reversible encryption, but the digest of a short password can be recovered by dictionary attack, so treat saved configuration files as sensitive.

password-thresh
This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.

SYNTAX
password-thresh [threshold]
no password-thresh
  threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)

DEFAULT SETTING
The default value is three attempts.

silent-time

COMMAND MODE
Line Configuration (console only)

EXAMPLE
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#

RELATED COMMANDS
password-thresh (794)

speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.

SYNTAX
speed bps
no speed
  bps - Baud rate in bits per second.
stopbits
This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.

timeout login response

EXAMPLE
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#

disconnect
This command terminates an SSH, Telnet, or console connection.

SYNTAX
disconnect session-id
  session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8)

COMMAND MODE
Privileged Exec

COMMAND USAGE
Specifying session identifier “0” will disconnect the console connection.

show line

EXAMPLE
To show all lines, enter this command:
Console#show line
Console Configuration:
  Password Threshold : 3 times
  Inactive Timeout   : Disabled
  Login Timeout      : Disabled
  Silent Time        : Disabled
  Baud Rate          : 115200
  Data Bits          : 8
  Parity             : None
  Stop Bits          : 1
VTY Configuration:
  Password Threshold : 3 times
  Inactive Timeout   : 600 sec.
  Login Timeout      : 300 sec.
  Silent Time        :
Console#
EVENT LOGGING

logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.

SYNTAX
logging facility type
no logging facility
  type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.

Table 53: Logging Levels (Continued)
Level  Severity Name  Description
4      warnings       Warning conditions (e.g., return false, unexpected return)
3      errors         Error conditions (e.g., invalid input, default used)
2      critical       Critical conditions (e.g.

logging host

EXAMPLE
Console(config)#logging host 10.1.0.3
Console(config)#

logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.

SYNTAX
[no] logging on

DEFAULT SETTING
None

COMMAND MODE
Global Configuration

COMMAND USAGE
The logging process controls error messages saved to switch memory or sent to remote syslog servers.

logging trap

DEFAULT SETTING
Disabled
Level 7

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Using this command with a specified level enables remote logging and sets the minimum severity level to be saved.
◆ Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.

EXAMPLE
Console(config)#logging trap 4
Console(config)#

clear log
This command clears messages from the log buffer.

show log
This command displays the log messages stored in local memory.

SYNTAX
show log {flash | ram}
  flash - Event history stored in flash memory (i.e., permanent memory).
  ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).

DEFAULT SETTING
None

COMMAND MODE
Privileged Exec

EXAMPLE
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
    "VLAN 1 link-up notification.

show logging

EXAMPLE
The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0).
SMTP ALERTS
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.

logging sendmail level

EXAMPLE
This example will send email alerts for system errors from level 3 through 0.
Console(config)#logging sendmail level 3
Console(config)#

logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.

SYNTAX
[no] logging sendmail destination-email email-address
  email-address - The email address of a recipient of alert messages.

logging sendmail source-email

COMMAND USAGE
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.

EXAMPLE
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.

COMMAND MODE
Normal Exec, Privileged Exec

EXAMPLE
Console#show logging sendmail
SMTP servers
-----------------------------------------------
1.
TIME

Table 57: Time Commands (Continued)
Command                 Function                                                         Mode
NTP Commands
ntp authenticate        Enables authentication for NTP traffic                           GC
ntp authentication-key  Configures authentication keys                                   GC
ntp client              Enables the NTP client for time updates from specified servers   GC
ntp server              Specifies NTP servers to poll for time updates                   GC
show ntp                Shows current NTP configuration settings                         NE, PE
Manual Configuration Commands
clock timezone          Sets the time zone

EXAMPLE (output of show sntp)
Current Mode   : unicast
SNTP Status    : Enabled
SNTP Server    : 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#

RELATED COMMANDS
sntp server (810)
sntp poll (810)
show sntp (811)

sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.

SYNTAX
sntp poll seconds
no sntp poll
  seconds - Interval between time requests.

sntp server

DEFAULT SETTING
None

COMMAND MODE
Global Configuration

COMMAND USAGE
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.

EXAMPLE
Console(config)#sntp server 10.1.0.
NTP Commands

ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.

SYNTAX
[no] ntp authenticate

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration

COMMAND USAGE
You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers.

ntp authentication-key

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch. Re-enter this command for each server you want to configure.
◆ Note that NTP authentication key numbers and values must match on both the server and client.
◆ NTP authentication is optional.

ntp client
◆ This command enables client time requests to time servers specified via the ntp server command. It issues time synchronization requests based on the interval set via the ntp poll command.

EXAMPLE
Console(config)#ntp client
Console(config)#

RELATED COMMANDS
sntp client (809)
ntp server (814)

ntp server
This command sets the IP addresses of the servers to which NTP time requests are issued.

EXAMPLE
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#

RELATED COMMANDS
ntp client (813)
show ntp (815)

show ntp
This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated.

clock timezone
  minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
  before-utc - Sets the local time zone before (east) of UTC.
  after-utc - Sets the local time zone after (west) of UTC.

DEFAULT SETTING
None

COMMAND MODE
Global Configuration

COMMAND USAGE
This command sets the local time zone relative to Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude.

calendar set

COMMAND USAGE
Note that when SNTP is enabled, the system clock cannot be manually configured.

EXAMPLE
This example shows how to set the system clock to 15:12:34, February 1st, 2002.
Console#calendar set 15:12:34 1 February 2002
Console#

show calendar
This command displays the system clock.
TIME RANGE

time-range
This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range.

SYNTAX
[no] time-range name
  name - Name of the time range. (Range: 1-30 characters)

DEFAULT SETTING
None

COMMAND MODE
Global Configuration

COMMAND USAGE
This command sets a time range for use by other functions, such as Access Control Lists.

COMMAND MODE
Time Range Configuration

COMMAND USAGE
If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.

EXAMPLE
This example configures the time for the single occurrence of an event.

periodic

EXAMPLE
This example configures a time range for the periodic occurrence of an event.
Console(config)#time-range sales
Console(config-time-range)#periodic daily 1 1 to 2 1
Console(config-time-range)#

show time-range
This command shows configured time ranges.

SYNTAX
show time-range [name]
  name - Name of the time range.
SWITCH CLUSTERING

Table 59: Switch Cluster Commands (Continued)
Command                  Function                                             Mode
show cluster members     Displays current cluster Members                     PE
show cluster candidates  Displays current cluster Candidates in the network   PE

Using Switch Clustering
◆ A switch cluster has a primary unit called the “Commander” which is used to manage all other “Member” switches in the cluster.
◆ … IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
◆ Switch clusters are limited to the same Ethernet broadcast domain.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ A switch can only be a Member of one cluster.

cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.

SYNTAX
cluster ip-pool ip-address
no cluster ip-pool
  ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start 10.x.x.x.

DEFAULT SETTING
10.254.254.

cluster member

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ The maximum number of cluster Members is 16.
◆ The maximum number of cluster Candidates is 100.

EXAMPLE
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#

rcommand
This command provides access to a cluster Member CLI for configuration.

SYNTAX
rcommand id member-id
  member-id - The ID number of the Member switch.

show cluster (output, continued)
  Heartbeat Loss Count : 3 seconds
  Number of Members    : 1
  Number of Candidates : 2
Console#

show cluster members
This command shows the current switch cluster members.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show cluster members
Cluster Members:
  ID         : 1
  Role       : Active member
  IP Address : 10.254.254.
25 SNMP COMMANDS
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.

Table 60: SNMP Commands (Continued)
Command                             Function                                                     Mode
Notification Log Commands
nlm                                 Enables the specified notification log                       GC
snmp-server notify-filter           Creates a notification log and specifies the target host     GC
show nlm oper-status                Shows operation status of configured notification logs       PE
show snmp notify-filter             Displays the configured notification logs                    PE
ATC Trap Commands
snmp-server enable port-traps atc   Sends a trap when broadcast traffic falls beneath the

General SNMP Commands

snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.

SYNTAX
[no] snmp-server

DEFAULT SETTING
Enabled

COMMAND MODE
Global Configuration

EXAMPLE
Console(config)#snmp-server
Console(config)#

snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c.

COMMAND USAGE
◆ A community string is the only credential an SNMP v1/v2c client presents, and it travels in clear text in every request. Replace the well-known strings, give read-write access only where it is needed, and prefer SNMPv3 users with authentication for management stations that support it.

EXAMPLE
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.

SYNTAX
snmp-server contact string
no snmp-server contact
  string - String that describes the system contact information.

snmp-server location

EXAMPLE
Console(config)#snmp-server location WC-19
Console(config)#

RELATED COMMANDS
snmp-server contact (830)

show snmp
This command can be used to check the status of SNMP communications.
SNMP Target Host Commands

snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.

SYNTAX
[no] snmp-server enable traps [authentication | link-up-down]
  authentication - Keyword to issue authentication failure notifications.
  link-up-down - Keyword to issue link-up or link-down notifications.

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.

SYNTAX
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}]
no snmp-server host host-addr
  host-addr - Internet address of the host (the targeted recipient).

COMMAND USAGE (continued)
◆ … enable multiple hosts, you must issue a separate snmp-server host command for each host.
◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally.

EXAMPLE
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#

RELATED COMMANDS
snmp-server enable traps (832)

SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.

SYNTAX
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
  local - Specifies the SNMP engine on this switch.
COMMAND USAGE
◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared, because the keys stored for each SNMPv3 user are derived from the engine ID as well as the password. You will need to reconfigure all existing users (page 837).

snmp-server group

COMMAND USAGE
◆ A group sets the access policy for the assigned users.
◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption. Single DES has long been deprecated because its 56-bit key can be brute-forced; treat SNMPv3 privacy on this platform as a deterrent rather than strong confidentiality, and confine SNMP to a management network.
◆ For additional information on the notification messages supported by this switch, see Table 29, "Supported Notification Messages," on page 436.

snmp-server user

DEFAULT SETTING
None

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch.
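Two statements in the engine-id and user descriptions above are easier to trust once they are reproduced: that a short engine ID is padded with trailing zeroes to the full 26 hex digits, and that changing the local engine ID invalidates every SNMPv3 user. The second follows from the User-based Security Model: the MD5 or SHA key a user's password turns into is "localized" by hashing it together with the engine ID (RFC 3414, section A.2), so a new engine ID yields new keys and the old user entries can no longer authenticate. The Python below is an added example, not code from the switch or from this manual. It uses the RFC 3414 test vectors (password "maplesyrup", engine ID 000000000000000000000002) and the 13-octet engine ID from the show snmp engine-id example; the "changed" engine ID it compares against is constructed.

```python
"""SNMPv3 engine IDs and USM key localization (RFC 3414, section A.2).

Added example for this section; it is not code from the switch or the manual.
It shows how a short engine ID entered at the CLI is padded to 26 hex digits,
and why changing the local engine ID clears every SNMPv3 user: the stored
authentication and privacy keys are derived from the password *and* the
engine ID. Test vectors are from RFC 3414 A.3; the 13-octet engine ID is the
one shown by show snmp engine-id above; the "changed" ID is constructed.
"""
import hashlib

ENGINE_ID_HEX_LEN = 26  # 13 octets, the length shown by show snmp engine-id on this switch


def normalize_engine_id(hex_id):
    """Pad a hex engine ID with trailing zeroes to 26 hex digits, as the CLI does."""
    hex_id = hex_id.lower().replace(":", "")
    if not hex_id or len(hex_id) > ENGINE_ID_HEX_LEN or len(hex_id) % 2:
        raise ValueError("engine ID must be an even count of 2..26 hex digits")
    int(hex_id, 16)  # rejects non-hex characters
    return hex_id.ljust(ENGINE_ID_HEX_LEN, "0")


def parse_engine_id(hex_id):
    """Return (enterprise number, format octet) of an RFC 3411 'new style' engine ID."""
    raw = bytes.fromhex(normalize_engine_id(hex_id))
    if not raw[0] & 0x80:
        raise ValueError("first bit clear: legacy (RFC 1910) engine ID, not handled here")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    return enterprise, raw[4]


def password_to_ku(password, algo):
    """RFC 3414 A.2: repeat the password to exactly 1 MiB and hash it once (Ku)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(algo, expanded).digest()


def localize_key(password, engine_id_hex, algo="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): the per-user key the agent actually stores.

    The engine ID is used exactly as given (the RFC vector is 12 octets); call
    normalize_engine_id first to reproduce what this switch stores for a padded ID.
    """
    ku = password_to_ku(password, algo)
    engine_id = bytes.fromhex(engine_id_hex)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def keys_for_user(password, engine_id_hex, algo="md5"):
    """Localized key under the switch's (padded) engine ID and under a changed one.

    Demonstrates why 'snmp-server engine-id local ...' clears the user table:
    the same password no longer produces the stored key.
    """
    current = localize_key(password, normalize_engine_id(engine_id_hex), algo)
    # Constructed: same enterprise prefix, different tail.
    changed = localize_key(password, normalize_engine_id("8000002a80ffffffffffffffff"), algo)
    return current.hex(), changed.hex()


if __name__ == "__main__":
    print(normalize_engine_id("0123456789"))
    print(parse_engine_id("8000002a8000000000e8666672"))
    print(localize_key("maplesyrup", "000000000000000000000002", "md5").hex())
    cur, new = keys_for_user("maplesyrup", "8000002a8000000000e8666672", "sha1")
    print(cur, new, cur != new)
```

The same localization produces the privacy key used for DES, which is why both the authentication and privacy passwords of a user must be re-entered after an engine ID change, not merely re-enabled.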
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.

SYNTAX
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
  view-name - Name of an SNMP view. (Range: 1-32 characters)
  oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)

show snmp engine-id
This command shows the SNMP engine ID.

COMMAND MODE
Privileged Exec

EXAMPLE
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP EngineID: 8000002a8000000000e8666672
Local SNMP EngineBoots: 1

Remote SNMP EngineID          IP address
80000000030004e2b316c54321    192.168.1.19
Console#

Table 61: show snmp engine-id - display description
Field                Description
Local SNMP engineID  String identifying the engine ID.

show snmp group (output, continued)
  Write View     : No writeview specified
  Notify View    : No notifyview specified
  Storage Type   : volatile
  Row Status     : active

  Group Name     : private
  Security Model : v1
  Read View      : defaultview
  Write View     : defaultview
  Notify View    : No notifyview specified
  Storage Type   : volatile
  Row Status     : active

  Group Name     : private
  Security Model : v2c
  Read View      : defaultview
  Write View     : defaultview
  Notify View    : No notifyview specified
  Storage Type   : volatile
  Row Status     : act

show snmp user (output, continued)
  Row Status: active
Console#

Table 63: show snmp user - display description
Field                    Description
EngineId                 String identifying the engine ID.
User Name                Name of user connecting to the SNMP agent.
Authentication Protocol  The authentication protocol used with SNMPv3.
Privacy Protocol         The privacy protocol used with SNMPv3.
Storage Type             The storage type for this entry.
Row Status               The row status of this entry.
Notification Log Commands

nlm
This command enables or disables the specified notification log.

SYNTAX
[no] nlm filter-name
  filter-name - Notification log name. (Range: 1-32 characters)

DEFAULT SETTING
Enabled

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.

snmp-server notify-filter

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether those are Traps or Informs that exceed retransmission limits. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.

show nlm oper-status
This command shows the operational status of configured notification logs.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Console#

show snmp notify-filter
This command displays the configured notification logs.

COMMAND MODE
Privileged Exec

EXAMPLE
This example displays the configured notification logs and associated target hosts.

Additional Trap Commands

memory

COMMAND USAGE
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.

EXAMPLE
Console(config)#memory rising 80
Console(config)#memory falling 60
Console#

RELATED COMMANDS
show memory (770)

process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization.
26 REMOTE MONITORING COMMANDS
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.

rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.

SYNTAX
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
  index – Index to this entry. (Range: 1-65535)
  variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.

COMMAND USAGE (continued)
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.

EXAMPLE
Console(config)#rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.
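The hysteresis rule described for rmon alarm is the same one the memory and process cpu trap thresholds use: an event fires on the crossing, and cannot fire again until the sampled value has crossed the opposite threshold. The Python below is an added example, not code from the switch or from this manual. It models one alarm entry with absolute or delta sampling and runs two constructed series through it: memory utilization against the rising 80 / falling 60 thresholds from the memory example, and an octet counter sampled as deltas against the 892800 / 446400 thresholds from the show rmon alarms example. The startup behaviour (which event may fire on the very first sample) follows the RFC 2819 alarmStartupAlarm object; the switch syntax shown does not expose it, so that parameter is an assumption.

```python
"""Rising/falling threshold alarm with hysteresis, as used by rmon alarm and by
the memory / process cpu trap thresholds.

Added example; not code from the switch or the manual. A rising event cannot
repeat until the sampled value has come back down to the falling threshold,
and a falling event cannot repeat until the value has gone back up to the
rising threshold. The 'startup' parameter follows RFC 2819 alarmStartupAlarm
and is an assumption (the switch CLI shown does not expose it). All sample
series are constructed.
"""


class ThresholdAlarm:
    """One alarm entry: absolute or delta sampling, two thresholds, hysteresis state."""

    def __init__(self, rising, falling, sample_type="absolute", startup="rising-or-falling"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.last_raw = None   # previous counter reading (delta mode only)
        self.state = "start"   # then "above", "between" or "below"

    def sample(self, raw):
        """Feed one reading; return (sampled_value, event), event in {"rising", "falling", None}.

        In delta mode the first reading only sets the baseline and returns (None, None).
        """
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None, None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        prev, event = self.state, None
        if value >= self.rising:
            # Fire on entering the region (or on the first sample, if startup allows).
            if prev == "start":
                if self.startup in ("rising", "rising-or-falling"):
                    event = "rising"
            elif prev != "above":
                event = "rising"
            self.state = "above"
        elif value <= self.falling:
            if prev == "start":
                if self.startup in ("falling", "rising-or-falling"):
                    event = "falling"
            elif prev != "below":
                event = "falling"
            self.state = "below"
        elif prev == "start":
            self.state = "between"   # first sample between thresholds arms both events
        # A value between the thresholds after an event leaves the state unchanged:
        # that is the hysteresis described in the text.
        return value, event


def run_alarm(readings, **kwargs):
    """Run a series through one alarm; return [(index, sampled_value, event)] for events only."""
    alarm = ThresholdAlarm(**kwargs)
    events = []
    for i, raw in enumerate(readings):
        value, event = alarm.sample(raw)
        if event:
            events.append((i, value, event))
    return events


if __name__ == "__main__":
    # Memory utilization (%), thresholds from 'memory rising 80' / 'memory falling 60'.
    print(run_alarm([50, 70, 85, 90, 75, 82, 55, 65, 81], rising=80, falling=60, startup="rising"))
    # Octet counter sampled as deltas, thresholds from the show rmon alarms example.
    print(run_alarm([0, 1_000_000, 1_500_000, 1_900_000, 2_000_000, 3_000_000],
                    rising=892800, falling=446400, sample_type="delta"))
```

In the memory series the reading of 82 after the dip to 75 produces no second rising event; only the drop to 55 (below the falling threshold) re-arms it, which is exactly the behaviour the command usage above describes.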
CHAPTER 26 | Remote Monitoring Commands ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. EXAMPLE Console(config)#rmon event 2 log description urgent owner mike Console(config)# rmon collection This command periodically samples statistics on a physical interface. Use history the no form to disable periodic sampling.
CHAPTER 26 | Remote Monitoring Commands EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike Console(config-if)# rmon collection This command enables the collection of statistics on a physical interface. rmon1 Use the no form to disable statistics collection. SYNTAX rmon collection rmon1 controlEntry index [owner name] no rmon collection rmon1 controlEntry index index – Index to this entry.
CHAPTER 26 | Remote Monitoring Commands show rmon alarms This command shows the settings for all configured alarms. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0 Falling threshold is 446400, assigned to event 0 . . . show rmon events This command shows the settings for all configured events.
CHAPTER 26 | Remote Monitoring Commands show rmon statistics This command shows the information collected for all configured entries in the statistics group. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon statistics Interface 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 which has Received 164289 octets, 2372 packets, 120 broadcast and 2211 multicast packets, 0 undersized and 0 oversized packets, 0 fragments and 0 jabbers, 0 CRC alignment errors and 0 collisions.
27 FLOW SAMPLING COMMANDS Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
CHAPTER 27 | Flow Sampling Commands COMMAND USAGE Flow sampling must be enabled globally on the switch, as well as for those ports where it is required (see the sflow source command). EXAMPLE Console(config)#sflow Console(config)# sflow destination This command configures the IP address and UDP port used by the Collector. Use the no form to restore the default settings.
CHAPTER 27 | Flow Sampling Commands sflow max-datagram-size This command configures the maximum size of the sFlow datagram payload. Use the no form to restore the default setting. SYNTAX sflow max-datagram-size max-datagram-size no sflow max-datagram-size max-datagram-size - The maximum size of the sFlow datagram payload.
CHAPTER 27 | Flow Sampling Commands sflow owner This command configures the name of the receiver (i.e., sFlow Collector). Use the no form to remove this name. SYNTAX sflow owner name no sflow owner name - The name of the receiver. (Range: 1-256 characters) DEFAULT SETTING None COMMAND MODE Interface Configuration (Ethernet) EXAMPLE This example sets the owner’s name to Lamar.
CHAPTER 27 | Flow Sampling Commands sflow sample This command configures the packet sampling rate. Use the no form to restore the default rate. SYNTAX sflow sample rate no sflow sample rate - The packet sampling rate, or the number of packets out of which one sample will be taken. (Range: 256-16777215 packets) DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet) EXAMPLE This example sets the sample rate to 1 out of every 100 packets.
CHAPTER 27 | Flow Sampling Commands sflow timeout This command configures the length of time samples are sent to the Collector before resetting all sFlow port parameters. Use the no form to restore the default time out. SYNTAX sflow timeout seconds no sflow timeout seconds - The length of time the sFlow process continuously sends samples to the Collector before resetting all sFlow port parameters.
CHAPTER 27 | Flow Sampling Commands COMMAND MODE Privileged Exec EXAMPLE Console#show sflow interface ethernet 1/9 Interface of Ethernet 1/9 : Interface status : Enabled Owner name : Lamar Owner destination : 192.168.0.
28 AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 28 | Authentication Commands User Accounts USER ACCOUNTS The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 788), user authentication via a remote authentication server (page 863), and host access authentication for specific ports (page 899).
CHAPTER 28 | Authentication Commands User Accounts EXAMPLE Console(config)#enable password level 15 0 admin Console(config)# RELATED COMMANDS enable (761) authentication enable (866) username This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
CHAPTER 28 | Authentication Commands Authentication Sequence EXAMPLE This example shows how to set the access level and password for a user. Console(config)#username bob access-level 15 Console(config)#username bob password 0 smith Console(config)# AUTHENTICATION SEQUENCE Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
CHAPTER 28 | Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
CHAPTER 28 | Authentication Commands RADIUS Client “authentication login radius tacacs local,” the user name and password on the RADIUS server are verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked. Note that fail-over happens only when a server cannot be reached: a reachable server that rejects the credentials ends the login attempt, and the remaining methods are not tried.
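The distinction between "server unavailable" and "server rejected" is the security-relevant part of the sequence, since it decides whether a local fallback account can be reached while the central servers are up. The following added example (not switch firmware) models authentication login radius tacacs local with constructed stand-in backends: an unreachable server hands over to the next method, an explicit reject from a reachable server is final, and if no method is reachable the login fails closed.

```python
"""Login authentication sequence with fail-over only on server unavailability (added example)."""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # no reply after the configured retransmits/timeout


# A backend takes (username, password) and returns (result, privilege level).
Backend = Callable[[str, str], Tuple[Result, Optional[int]]]


def make_server(users: Dict[str, Tuple[str, int]], reachable: bool = True) -> Backend:
    """Build a stand-in RADIUS/TACACS+/local backend from a {user: (password, level)} table."""
    def check(user: str, password: str) -> Tuple[Result, Optional[int]]:
        if not reachable:
            return Result.UNAVAILABLE, None
        entry = users.get(user)
        if entry is None or entry[0] != password:
            return Result.REJECT, None
        return Result.ACCEPT, entry[1]
    return check


def authenticate(sequence: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[Result, Optional[str], Optional[int]]:
    """Return (result, method that decided, privilege level)."""
    for method in sequence:
        result, level = backends[method](user, password)
        if result is Result.UNAVAILABLE:
            continue                       # only unavailability moves to the next method
        return result, method, level       # accept or reject from a reachable server is final
    return Result.REJECT, None, None       # nothing reachable: fail closed


def demo() -> Tuple[Result, Optional[str], Optional[int]]:
    """Constructed scenario: RADIUS down, TACACS+ up, local account present."""
    backends = {
        "radius": make_server({"bob": ("radius-pw", 15)}, reachable=False),
        "tacacs": make_server({"bob": ("smith", 15)}),
        "local": make_server({"bob": ("smith", 0)}),
    }
    return authenticate(["radius", "tacacs", "local"], backends, "bob", "smith")


if __name__ == "__main__":
    print(demo())
```

The final fail-closed return is a design choice made here: if every configured server is unreachable and local is not in the sequence, nobody can log in, which is preferable to silently accepting the credentials.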
CHAPTER 28 | Authentication Commands RADIUS Client COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. SYNTAX radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
CHAPTER 28 | Authentication Commands RADIUS Client key - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 28 | Authentication Commands RADIUS Client radius-server retransmit This command sets the number of retries. Use the no form to restore the default. SYNTAX radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
CHAPTER 28 | Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server. DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE
Console#show radius-server
Remote RADIUS Server Configuration:
 Global Settings:
  Authentication Port Number : 1812
  Accounting Port Number     : 1813
  Retransmit Times           : 2
  Request Timeout            : 5
 Server 1:
  Server IP Address          : 192.
  Authentication Port Number :
  Accounting Port Number     :
  Retransmit Times           :
  Request Timeout            :
CHAPTER 28 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. SYNTAX tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server. (Range: 1) host-ip-address - IP address of a TACACS+ server.
CHAPTER 28 | Authentication Commands TACACS+ Client COMMAND MODE Global Configuration EXAMPLE Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. SYNTAX tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
CHAPTER 28 | Authentication Commands TACACS+ Client EXAMPLE Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. SYNTAX tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 28 | Authentication Commands AAA TACACS Server Group: Group Name Member Index ------------------------- ------------tacacs+ 1 Console# AAA The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 73: AAA Commands Command Function Mode aaa accounting dot1x Enables accounting of 802.
CHAPTER 28 | Authentication Commands AAA group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
CHAPTER 28 | Authentication Commands AAA ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting. EXAMPLE Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service.
CHAPTER 28 | Authentication Commands AAA aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. SYNTAX [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group. tacacs+ - Defines a TACACS+ server group. group-name - A text string that names a security server group.
CHAPTER 28 | Authentication Commands AAA EXAMPLE Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. SYNTAX accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the aaa accounting dot1x command.
CHAPTER 28 | Authentication Commands AAA EXAMPLE Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
CHAPTER 28 | Authentication Commands Web Server statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CHAPTER 28 | Authentication Commands Web Server ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. SYNTAX ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
CHAPTER 28 | Authentication Commands Web Server ip http secure-port This command specifies the TCP port number used for HTTPS connections to the switch’s web interface. Use the no form to restore the default port. SYNTAX ip http secure-port port_number no ip http secure-port port_number – The TCP port used for HTTPS. (Range: 1-65535) DEFAULT SETTING 443 COMMAND MODE Global Configuration COMMAND USAGE ◆ You cannot configure the HTTP and HTTPS servers to use the same port.
CHAPTER 28 | Authentication Commands Web Server COMMAND USAGE ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same TCP port. ◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] ◆ When you start HTTPS, the connection is established in this way: ■ The client authenticates the server using the server’s digital certificate.
CHAPTER 28 | Authentication Commands Telnet Server TELNET SERVER This section describes commands used to configure Telnet management access to the switch.
CHAPTER 28 | Authentication Commands Telnet Server ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. SYNTAX ip telnet port port-number no ip telnet port port-number - The TCP port number to be used by the Telnet interface.
CHAPTER 28 | Authentication Commands Secure Shell show ip telnet This command displays the configuration settings for the Telnet server. COMMAND MODE Normal Exec, Privileged Exec EXAMPLE Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 8 Console# SECURE SHELL This section describes the commands used to configure the SSH server.
CHAPTER 28 | Authentication Commands Secure Shell Table 77: Secure Shell Commands (Continued) Command Function Mode show ssh Displays the status of current SSH sessions PE show users Shows SSH users, including privilege level and public key type PE Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
CHAPTER 28 | Authentication Commands Secure Shell 4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. 5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch. 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b.
CHAPTER 28 | Authentication Commands Secure Shell c. The client sends a signature generated using the private key to the switch. d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated. NOTE: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
CHAPTER 28 | Authentication Commands Secure Shell COMMAND MODE Global Configuration COMMAND USAGE ◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server presents its DSA or RSA host key when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. Single DES is no longer considered secure; configure SSH clients that manage this switch to offer 3DES rather than DES, since the cipher choice is decided during negotiation with the client.
CHAPTER 28 | Authentication Commands Secure Shell ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. SYNTAX ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) DEFAULT SETTING 10 seconds COMMAND MODE Global Configuration COMMAND USAGE The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
CHAPTER 28 | Authentication Commands Secure Shell EXAMPLE Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). SYNTAX ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type. rsa – RSA (Version 1) key type. DEFAULT SETTING Generates both the DSA and RSA key pairs. COMMAND MODE Privileged Exec COMMAND USAGE ◆ The switch uses only RSA Version 1 for SSHv1.
CHAPTER 28 | Authentication Commands Secure Shell ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). SYNTAX ip ssh crypto zeroize [dsa | rsa] dsa – DSA key type. rsa – RSA key type. DEFAULT SETTING Clears both the DSA and RSA key. COMMAND MODE Privileged Exec COMMAND USAGE ◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
CHAPTER 28 | Authentication Commands Secure Shell RELATED COMMANDS ip ssh crypto host-key generate (895) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. COMMAND MODE Privileged Exec EXAMPLE Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds; Authentication Retries : 3 Server Key Size : 768 bits Console# show public-key This command shows the public key for the specified user or for the host.
CHAPTER 28 | Authentication Commands Secure Shell 185490002831341625008348718449522087429212255691665655296328163516964040831 5547660664151657116381 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrK
CHAPTER 28 | Authentication Commands 802.1X Port Authentication 802.1X PORT AUTHENTICATION The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 79: 802.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication General Commands dot1x default This command sets all configurable dot1x global and port settings to their default values. COMMAND MODE Global Configuration EXAMPLE Console(config)#dot1x default Console(config)# dot1x eapol-pass-through This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication dot1x max-reauth-req This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication dot1x operation-mode This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. SYNTAX dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# RELATED COMMANDS dot1x timeout re-authperiod (905) dot1x timeout quiet-period This command sets the time that a switch port waits after the maximum request count (see page 902) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value. SYNTAX dot1x timeout supp-timeout seconds no dot1x timeout supp-timeout seconds - The number of seconds.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication DEFAULT 30 seconds COMMAND MODE Interface Configuration EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. SYNTAX dot1x re-authenticate [interface] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication Display Information Commands show dot1x This command shows general port authentication related settings on the switch or a specific interface. SYNTAX show dot1x [statistics] [interface interface] statistics - Displays dot1x status for each port. interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication ◆ Authenticator PAE State Machine ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). ■ Reauth Count – Number of times connecting state is re-entered. ■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
CHAPTER 28 | Authentication Commands Management IP Filter 802.1X Port Details 802.1X Authenticator is enabled on port 1/1 . . . 802.
CHAPTER 28 | Authentication Commands Management IP Filter management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. SYNTAX [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address] all-client - Adds IP address(es) to all groups. http-client - Adds IP address(es) to the web group. snmp-client - Adds IP address(es) to the SNMP group.
CHAPTER 28 | Authentication Commands Management IP Filter show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. SYNTAX show management {all-client | http-client | snmp-client | telnet-client} all-client - Displays IP addresses for all groups. http-client - Displays IP addresses for the web group. snmp-client - Displays IP addresses for the SNMP group. telnet-client - Displays IP addresses for the Telnet group.
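The management filter is the control that decides which source addresses may even reach the HTTP, SNMP and Telnet management services, so it is worth being precise about how entries combine. The following added example (not switch firmware) models the management and show management commands above: entries are address ranges (start, optional end) kept per protocol group, all-client adds the range to every group, and a client is permitted only if its address lies inside one of the group's ranges. That an empty group permits every client is an assumption made here (confirm with show management on the switch before relying on it); the addresses are constructed.

```python
"""Management IP filter: per-protocol allow-lists of client address ranges (added example)."""
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

GROUPS = ("http-client", "snmp-client", "telnet-client")


class ManagementFilter:
    def __init__(self) -> None:
        # per group: list of (first address, last address) as ipaddress objects
        self.ranges: Dict[str, List[Tuple[object, object]]] = {g: [] for g in GROUPS}

    @staticmethod
    def _range(start: str, end: Optional[str]):
        lo = ip_address(start)
        hi = ip_address(end) if end else lo          # single address when no end given
        if lo.version != hi.version:
            raise ValueError("start and end must be the same IP version")
        if hi < lo:
            raise ValueError("end address precedes start address")
        return lo, hi

    @staticmethod
    def _targets(client: str) -> Tuple[str, ...]:
        if client == "all-client":
            return GROUPS
        if client not in GROUPS:
            raise ValueError(f"unknown client group {client!r}")
        return (client,)

    def management(self, client: str, start: str, end: Optional[str] = None) -> None:
        """management {all-client|http-client|snmp-client|telnet-client} start [end]"""
        rng = self._range(start, end)
        for g in self._targets(client):
            if rng not in self.ranges[g]:
                self.ranges[g].append(rng)

    def no_management(self, client: str, start: str, end: Optional[str] = None) -> None:
        """no management ... : remove exactly the given range from the group(s)."""
        rng = self._range(start, end)
        for g in self._targets(client):
            self.ranges[g] = [r for r in self.ranges[g] if r != rng]

    def is_allowed(self, client: str, addr: str) -> bool:
        """True if addr may use the given management protocol."""
        if client not in GROUPS:
            raise ValueError(f"unknown client group {client!r}")
        entries = self.ranges[client]
        if not entries:
            return True                      # assumption: no entries = no restriction
        a = ip_address(addr)
        return any(a.version == lo.version and lo <= a <= hi for lo, hi in entries)

    def show(self, client: str) -> List[str]:
        """Rough equivalent of `show management`: one 'group: start-end' line per entry."""
        return [f"{g}: {lo}-{hi}" for g in self._targets(client) for lo, hi in self.ranges[g]]


if __name__ == "__main__":
    f = ManagementFilter()
    f.management("all-client", "192.168.1.10", "192.168.1.20")   # constructed NOC range
    f.management("http-client", "10.0.0.1", "10.0.0.254")       # constructed web-only range
    print(f.show("all-client"))
```

The practical check this makes visible: adding a range to http-client alone leaves the SNMP and Telnet groups empty, and an empty group (under the assumption above) is wide open, so a filter intended to lock down management must populate every group that has a service enabled.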
CHAPTER 28 | Authentication Commands PPPoE Intermediate Agent PPPOE INTERMEDIATE AGENT This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
CHAPTER 28 | Authentication Commands PPPoE Intermediate Agent port-ID attribute in PPP authentication and AAA accounting requests to a RADIUS server. ◆ PPPoE IA must be enabled globally by this command before this feature can be enabled on an interface using the pppoe intermediate-agent port-enable command. EXAMPLE Console(config)#pppoe intermediate-agent Console(config)# pppoe intermediate-agent format-type This command sets the access node identifier and generic error message for the switch.
CHAPTER 28 | Authentication Commands PPPoE Intermediate Agent pppoe intermediate-agent port-enable This command enables the PPPoE IA on an interface. Use the no form to disable this feature. SYNTAX [no] pppoe intermediate-agent port-enable DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE PPPoE IA must also be enabled globally on the switch for this command to take effect.
CHAPTER 28 | Authentication Commands PPPoE Intermediate Agent ◆ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) to PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server. The tag contains the Line-ID of the customer line over which the discovery packet was received, entering the switch (or access node) where the intermediate agent resides.
CHAPTER 28 | Authentication Commands PPPoE Intermediate Agent pppoe intermediate-agent vendor-tag strip This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. Use the no form to disable this feature. SYNTAX [no] pppoe intermediate-agent vendor-tag strip DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This command only applies to trusted interfaces.
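The two PPPoE IA behaviours described above, inserting the line identifier into client PADI/PADR packets with the Vendor-Specific tag (0x0105) and stripping vendor tags from server-side discovery packets, are shown together in the following added example (not switch firmware). The PPPoE discovery layout (ver/type 0x11, code, session ID, length, then 2-byte type/length tags) follows RFC 2516; the vendor ID 3561 and the Agent-Circuit-ID sub-option 0x01 follow Broadband Forum TR-101, which this page does not cite. Replacing any vendor tag a client supplied, rather than keeping it, is this example's own choice, made so that a subscriber cannot forge a line ID; all packets are constructed.

```python
"""PPPoE Intermediate Agent: tag client discovery packets, strip server vendor tags (added example)."""
import struct
from typing import List, Tuple

PADO, PADI, PADR, PADS, PADT = 0x07, 0x09, 0x19, 0x65, 0xA7   # RFC 2516 discovery codes
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
VENDOR_ID_BBF = 3561            # Broadband Forum enterprise number used by TR-101 (assumed)
SUB_AGENT_CIRCUIT_ID = 0x01     # TR-101 sub-option carrying the line identifier (assumed)

Tag = Tuple[int, bytes]


def parse_discovery(pkt: bytes) -> Tuple[int, int, List[Tag]]:
    """Parse a PPPoE discovery payload (the bytes after the Ethernet header)."""
    if len(pkt) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session, length = struct.unpack("!BBHH", pkt[:6])
    if ver_type != 0x11:
        raise ValueError("not PPPoE version 1, type 1")
    body = pkt[6:6 + length]
    if len(body) != length:
        raise ValueError("payload length exceeds packet")    # malformed: counted and dropped
    tags: List[Tag] = []
    off = 0
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + tag_len > len(body):
            raise ValueError("tag overruns payload")          # malformed: counted and dropped
        tags.append((tag_type, body[off:off + tag_len]))
        off += tag_len
        if tag_type == TAG_END_OF_LIST:
            break
    return code, session, tags


def build_discovery(code: int, session: int, tags: List[Tag]) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def circuit_id_tag(line_id: bytes) -> Tag:
    """Vendor-Specific tag carrying the access-node line identifier."""
    if not 0 < len(line_id) <= 255:
        raise ValueError("line identifier must fit a one-byte sub-option length")
    sub = bytes([SUB_AGENT_CIRCUIT_ID, len(line_id)]) + line_id
    return TAG_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID_BBF) + sub


def relay_to_server(pkt: bytes, line_id: bytes) -> bytes:
    """Untrusted (client) port towards the trusted port: insert the line ID into PADI/PADR."""
    code, session, tags = parse_discovery(pkt)
    if code not in (PADI, PADR):
        return pkt
    kept = [t for t in tags if t[0] not in (TAG_VENDOR_SPECIFIC, TAG_END_OF_LIST)]
    trailer = [t for t in tags if t[0] == TAG_END_OF_LIST]     # keep End-Of-List last
    return build_discovery(code, session, kept + [circuit_id_tag(line_id)] + trailer)


def relay_to_client(pkt: bytes, strip_vendor_tags: bool) -> bytes:
    """Trusted (server) port towards the client: optionally strip vendor tags from PADO/PADS."""
    code, session, tags = parse_discovery(pkt)
    if not strip_vendor_tags or code not in (PADO, PADS):
        return pkt
    return build_discovery(code, session, [t for t in tags if t[0] != TAG_VENDOR_SPECIFIC])


def line_ids(pkt: bytes) -> List[bytes]:
    """Agent-Circuit-ID values found in a packet's vendor-specific tags (for verification)."""
    ids: List[bytes] = []
    for tag_type, value in parse_discovery(pkt)[2]:
        if tag_type != TAG_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID_BBF:
            continue
        off = 4
        while off + 2 <= len(value):
            sub_type, sub_len = value[off], value[off + 1]
            if sub_type == SUB_AGENT_CIRCUIT_ID:
                ids.append(value[off + 2:off + 2 + sub_len])
            off += 2 + sub_len
    return ids


if __name__ == "__main__":
    padi = build_discovery(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_END_OF_LIST, b"")])
    print(line_ids(relay_to_server(padi, b"eth 1/3")))
```

The parser raises on any length inconsistency instead of reading past the payload; a relay that trusts the tag length field is the classic way an agent gets crashed or confused by a malformed PADI from an untrusted port, which is exactly the "Malformed" counter the show pppoe intermediate-agent statistics output reports.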
CHAPTER 28 | Authentication Commands PPPoE Intermediate Agent show pppoe intermediate-agent info This command displays configuration settings for the PPPoE Intermediate Agent. SYNTAX show pppoe intermediate-agent info [interface [interface]] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CHAPTER 28 | Authentication Commands PPPoE Intermediate Agent EXAMPLE
Console#show pppoe intermediate-agent statistics interface ethernet 1/1
Eth 1/1 statistics
----------------------------------------------------------------------------
Received :
  All    PADI   PADO   PADR   PADS   PADT
  3      0      0      0      0      3
Dropped :
  Response from untrusted   : 0
  Request towards untrusted : 0
  Malformed                 : 0
Console#
Table 82: show
29 GENERAL SECURITY MEASURES This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
CHAPTER 29 | General Security Measures Port Security PORT SECURITY These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
CHAPTER 29 | General Security Measures Port Security ◆ The mac-learning commands cannot be used if 802.1X Port Authentication has been globally enabled on the switch with the dot1x system-auth-control command, or if MAC Address Security has been enabled by the port security command on the same interface. EXAMPLE The following example disables MAC address learning for port 2.
CHAPTER 29 | General Security Measures Port Security COMMAND USAGE ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
CHAPTER 29 | General Security Measures Port Security show port security This command displays port security status and the secure address count. SYNTAX show port security [interface interface] interface - Specifies a port interface. ethernet unit/port unit - This is unit 1. port - Port number. (Range: 1-26) COMMAND MODE Privileged Exec EXAMPLE This example shows the port security settings and number of secure addresses for all ports.
CHAPTER 29 | General Security Measures Port Security The following example shows the port security settings and number of secure addresses for a specific port. The Last Intrusion MAC and Last Time Detected Intrusion MAC fields show information about the last detected intrusion MAC address. These fields are not applicable if no intrusion has been detected or port security is disabled. The MAC Filter ID field is configured by the network-access port-mac-filter command.
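The port security behaviour described in this section, a per-port learning limit after which unknown source addresses are treated as intrusions and the last intrusion MAC and time are recorded, is modelled in the following added example (not switch firmware). The max-mac-count default of zero meaning disabled is taken from the page; the action names trap, shutdown and trap-and-shutdown are borrowed from the link-detection commands later in this chapter and are assumed here to be the responses a secure port can take. Frames are constructed.

```python
"""Port security: MAC-count limit with intrusion tracking (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurePort:
    name: str
    max_mac_count: int = 0                 # 0 = port security disabled (page default)
    action: str = "trap"                   # "trap", "shutdown" or "trap-and-shutdown" (assumed names)
    learned: Set[str] = field(default_factory=set)   # dynamically learned secure addresses
    static: Set[str] = field(default_factory=set)    # addresses from the static address table
    shutdown: bool = False
    last_intrusion_mac: Optional[str] = None
    last_intrusion_time: Optional[int] = None
    traps: List[Tuple[int, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action not in ("trap", "shutdown", "trap-and-shutdown"):
            raise ValueError(f"unknown intrusion action {self.action!r}")

    def secure_count(self) -> int:
        return len(self.learned | self.static)

    def ingress(self, src_mac: str, now: int) -> str:
        """Return 'forward' or 'drop' for a frame with this source MAC arriving at time `now`."""
        mac = src_mac.lower()
        if self.shutdown:
            return "drop"                    # port was shut down by an earlier intrusion
        if self.max_mac_count == 0:
            return "forward"                 # security disabled: normal learning, no limit
        if mac in self.learned or mac in self.static:
            return "forward"                 # known secure address
        if self.secure_count() < self.max_mac_count:
            self.learned.add(mac)            # still below the limit: learn and forward
            return "forward"
        # limit reached: this source address is an intrusion
        self.last_intrusion_mac = mac
        self.last_intrusion_time = now
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append((now, self.name, mac))
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.shutdown = True
        return "drop"

    def show(self) -> Dict[str, object]:
        """Fields in the spirit of `show port security interface`."""
        return {
            "port": self.name,
            "max_mac_count": self.max_mac_count,
            "secure_addresses": self.secure_count(),
            "shutdown": self.shutdown,
            "last_intrusion_mac": self.last_intrusion_mac,
            "last_intrusion_time": self.last_intrusion_time,
        }


if __name__ == "__main__":
    port = SecurePort("eth 1/2", max_mac_count=2, action="trap")
    for t, mac in enumerate(["00-11-22-33-44-01", "00-11-22-33-44-02", "00-11-22-33-44-03"]):
        print(mac, port.ingress(mac, t))
    print(port.show())
```

Two properties worth noting: with the trap action the port keeps forwarding for the addresses it already learned while dropping only the intruder, and learned addresses are never aged out here, so a legitimate device that changes its MAC will be treated as an intruder until the entry is cleared.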
CHAPTER 29 | General Security Measures Network Access (MAC Address Authentication) NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
CHAPTER 29 | General Security Measures Network Access (MAC Address Authentication) network-access aging Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
CHAPTER 29 | General Security Measures Network Access (MAC Address Authentication) COMMAND MODE Global Configuration COMMAND USAGE ◆ Specified addresses are exempt from network access authentication. ◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command.
CHAPTER 29 | General Security Measures Network Access (MAC Address Authentication) network-access dynamic-qos Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. SYNTAX [no] network-access dynamic-qos DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE ◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.
CHAPTER 29 | General Security Measures Network Access (MAC Address Authentication) EXAMPLE The following example enables the dynamic QoS feature on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# network-access dynamic-vlan Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
CHAPTER 29 | General Security Measures Network Access (MAC Address Authentication) network-access guest-vlan Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
CHAPTER 29 | General Security Measures Network Access (MAC Address Authentication) network-access link-detection link-down Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature. SYNTAX network-access link-detection link-down action [shutdown | trap | trap-and-shutdown] no network-access link-detection action - Response to take when a link-down event is detected.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#
network-access link-detection link-up-down  Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
COMMAND MODE Interface Configuration
COMMAND USAGE The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates an untagged VLAN and “t” a tagged VLAN.
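The two behaviours described above, the Tunnel-Private-Group-ID VLAN list and the per-port secure MAC count, are easy to get wrong in a RADIUS integration. The following is an added example, not code from the GTL-2691 manual or its firmware: it parses the "1u,2t," list format exactly as the manual defines it (rejecting malformed entries and VLAN IDs outside 1-4093) and models a port's secure MAC table with the 1024-entry limit, treating a new MAC on a full table as an authentication failure. The names parse_vlan_list, SecurePort and demo are this example's own.

```python
# Added example, not code from the GTL-2691 manual: parses the VLAN list that the
# manual says a RADIUS server may return in the Tunnel-Private-Group-ID attribute
# ("1u,2t," = VLAN 1 untagged, VLAN 2 tagged) and models the per-port secure MAC
# count limit described above. parse_vlan_list, SecurePort and demo are this
# example's own names, not switch CLI or RADIUS identifiers.
from dataclasses import dataclass, field
from typing import Dict, Set

VLAN_MIN, VLAN_MAX = 1, 4093        # VLAN ID range used throughout the manual
MAX_SECURE_MACS_PER_PORT = 1024     # per-port maximum stated in the manual


def parse_vlan_list(attr: str) -> Dict[str, Set[int]]:
    """Parse "1u,2t," into {"untagged": {1}, "tagged": {2}}.

    Malformed entries and out-of-range IDs raise ValueError, so a bad attribute
    fails the assignment instead of silently placing a host in an unintended VLAN.
    """
    result: Dict[str, Set[int]] = {"untagged": set(), "tagged": set()}
    for item in attr.split(","):
        item = item.strip()
        if not item:
            continue  # the manual's own sample "1u,2t," ends with a comma
        if len(item) < 2 or item[-1] not in "ut" or not item[:-1].isdigit():
            raise ValueError(f"malformed VLAN entry: {item!r}")
        vid = int(item[:-1])
        if not VLAN_MIN <= vid <= VLAN_MAX:
            raise ValueError(f"VLAN ID out of range: {vid}")
        result["untagged" if item[-1] == "u" else "tagged"].add(vid)
    return result


def vlan_list_is_valid(attr: str) -> bool:
    """Convenience wrapper: True if parse_vlan_list accepts the attribute."""
    try:
        parse_vlan_list(attr)
        return True
    except ValueError:
        return False


@dataclass
class SecurePort:
    """One port's secure MAC table, enforcing the manual's maximum MAC count."""
    max_mac_count: int = MAX_SECURE_MACS_PER_PORT
    macs: Set[str] = field(default_factory=set)
    failures: int = 0   # example's own counter, useful for alerting on intrusions

    def authenticate(self, mac: str, radius_accepts: bool) -> bool:
        """Return True if the MAC is (or becomes) authenticated on this port.

        A new MAC arriving once the table is full counts as an authentication
        failure, which is how the manual says the count limit behaves.
        """
        mac = mac.lower()
        if mac in self.macs:
            return True
        if not radius_accepts or len(self.macs) >= self.max_mac_count:
            self.failures += 1
            return False
        self.macs.add(mac)
        return True

    def link_down(self) -> None:
        """Link down clears every secure MAC on the port, as the manual states."""
        self.macs.clear()


def demo() -> tuple:
    """Constructed sample: a port limited to 2 MACs sees three RADIUS-accepted hosts."""
    port = SecurePort(max_mac_count=2)
    hosts = ("00-00-01-02-03-04", "00-00-01-02-03-05", "00-00-01-02-03-06")
    results = [port.authenticate(mac, radius_accepts=True) for mac in hosts]
    port.link_down()
    return results, port.failures, len(port.macs)
```

The parser is deliberately strict: a RADIUS attribute that does not match the documented format is rejected rather than partially applied, and the failure counter on SecurePort is where a monitoring hook (syslog, SNMP trap) would sit in a real deployment.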
mac-authentication intrusion-action  Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
clear network-access  Use this command to clear entries from the secure MAC address table.
SYNTAX clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
EXAMPLE
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC Address Aging : Enabled
Port : 1/1
MAC Authentication : Disabled
MAC Authentication Intrusion Action :
MAC Authentication Maximum MAC Counts :
Maximum MAC Counts :
Dynamic VLAN Assignment :
Dynamic QoS Assignment :
MAC Filter ID :
Guest VLAN :
Link Detection :
Detection Mode :
Detection Action :
Console#
CHAPTER 29 | General Security Measures Web Authentication
00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
EXAMPLE
Console#show network-access mac-address-table
Port MAC-Address       RADIUS-Server   Attribute
---- ----------------- --------------- ---------
1/1  00-00-01-02-03-04 172.155.120.17  Static
1/1  00-00-01-02-03-05 172.155.120.17  Dynamic
1/1  00-00-01-02-03-06 172.155.120.17  Static
1/3  00-00-01-02-03-07 172.155.120.
NOTE: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 866).
NOTE: Web authentication cannot be configured on trunk ports.
EXAMPLE
Console(config)#web-auth login-attempts 2
Console(config)#
web-auth quiet-period  This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
SYNTAX web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.
EXAMPLE
Console(config)#web-auth session-timeout 1800
Console(config)#
web-auth system-auth-control  This command globally enables web authentication for the switch. Use the no form to restore the default.
web-auth re-authenticate (Port)  This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
SYNTAX web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number.
show web-auth  This command displays global web authentication parameters.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout : 3600
Quiet Period : 60
Max Login Attempts : 3
Console#
show web-auth interface  This command displays interface-specific web authentication parameters and statistics.
CHAPTER 29 | General Security Measures DHCP Snooping
show web-auth summary  This command displays a summary of web authentication port parameters and statistics.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port  Status    Authenticated Host Count
----------------------------------------
1/ 1  Disabled  0
1/ 2  Enabled   8
1/ 3  Disabled  0
1/ 4  Disabled  0
1/ 5  Disabled  0
. . .
ip dhcp snooping  This command enables DHCP snooping globally. Use the no form to restore the default setting.
SYNTAX [no] ip dhcp snooping
DEFAULT SETTING Disabled
COMMAND MODE Global Configuration
COMMAND USAGE
◆ Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command).
ip dhcp snooping database flash  This command writes all dynamically learned snooping entries to flash memory.
COMMAND MODE Privileged Exec
COMMAND USAGE This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets. When enabled, the switch will only add/remove option 82 information in incoming DHCP packets but not relay them.
policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
EXAMPLE
Console(config)#ip dhcp snooping information policy drop
Console(config)#
ip dhcp snooping verify mac-address  This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
ip dhcp snooping vlan  This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
COMMAND MODE Privileged Exec
EXAMPLE
Console#clear ip dhcp snooping binding 11-22-33-44-55-66 vlan 1
Console#
clear ip dhcp snooping database flash  This command removes all dynamically learned snooping entries from flash memory.
COMMAND MODE Privileged Exec
EXAMPLE
Console#clear ip dhcp snooping database flash
Console#
show ip dhcp snooping  This command shows the DHCP snooping configuration settings.
CHAPTER 29 | General Security Measures IP Source Guard
show ip dhcp snooping binding  This command shows the DHCP snooping binding table entries.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show ip dhcp snooping binding
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.
ip source-guard binding  This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
SYNTAX ip source-guard binding mac-address vlan vlan-id ip-address interface
no ip source-guard binding mac-address vlan vlan-id
mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN (Range: 1-4093)
ip-address - A valid unicast IP address, including classful types A, B or C.
EXAMPLE This example configures a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5
Console(config)#
RELATED COMMANDS ip source-guard (957) ip dhcp snooping (947) ip dhcp snooping vlan (952)
ip source-guard  This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address.
◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
◆ Static addresses entered in the source guard binding table with the ip source-guard binding command (page 956) are automatically configured with an infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP server itself.
ip source-guard max-binding  This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
SYNTAX ip source-guard max-binding number
no ip source-guard max-binding
number - The maximum number of IP addresses that can be mapped to an interface in the binding table.
CHAPTER 29 | General Security Measures ARP Inspection
show ip source-guard binding  This command shows the source guard binding table.
SYNTAX show ip source-guard binding [dhcp-snooping | static]
dhcp-snooping - Shows dynamic entries configured with DHCP Snooping commands (see page 946)
static - Shows static entries configured with the ip source-guard binding command (see page 956).
Table 91: ARP Inspection Commands (Continued)
Command | Function | Mode
ip arp inspection limit | Sets a rate limit for the ARP packets received on a port | IC
ip arp inspection trust | Sets a port as trusted, and thus exempted from ARP Inspection | IC
show ip arp inspection configuration | Displays the global configuration settings for ARP Inspection | PE
show ip arp inspection interface | Shows the trust status and inspection rate limit for ports | PE
sho
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.
EXAMPLE
Console(config)#ip arp inspection
Console(config)#
ip arp inspection filter  This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
EXAMPLE
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#
ip arp inspection log-buffer logs  This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
EXAMPLE
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#
ip arp inspection validate  This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
ip arp inspection vlan  This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
SYNTAX [no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID. (Range: 1-4093)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
ip arp inspection limit  This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
SYNTAX ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#
show ip arp inspection configuration  This command displays the global configuration settings for ARP Inspection.
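The DHCP Snooping, IP Source Guard and ARP Inspection sections above all hinge on one data structure, the binding table, and on the trusted/untrusted port distinction. The following is an added example, not the switch's code or anything from the manual: it models the binding table with the two entry types the manual names (static entries with an infinite lease, dynamic entries with the DHCP server's lease), then shows how an IP Source Guard check (source IP only, or IP plus MAC) and an ARP Inspection check on an untrusted port consult it, plus a per-port ARP rate limiter in the spirit of ip arp inspection limit. BindingTable, source_guard_allows, arp_inspection_allows, ArpRateLimiter and demo are this example's own names; what the switch does internally once the ARP rate limit is exceeded is not stated on the page, so the limiter only reports accept/reject.

```python
# Added example, not the switch's code: a small model of the DHCP snooping binding
# table and of how IP Source Guard and ARP Inspection consult it, following the
# descriptions in the sections above. BindingTable, source_guard_allows,
# arp_inspection_allows, ArpRateLimiter and demo are this example's own names.
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

STATIC = "Static-IP-SG-Binding"       # entry types named in the manual
DYNAMIC = "Dynamic-DHCP-Binding"


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str          # "unit/port", e.g. "1/5"
    expires: float     # absolute time; inf for static entries (infinite lease)
    kind: str


class BindingTable:
    """Static source-guard bindings plus entries learned by DHCP snooping."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._entries: List[Binding] = []

    def add_static(self, mac: str, ip: str, vlan: int, port: str) -> None:
        # ip source-guard binding: static entries get an infinite lease
        self._entries.append(Binding(mac.lower(), ip, vlan, port, float("inf"), STATIC))

    def learn_dhcp(self, mac: str, ip: str, vlan: int, port: str, lease_sec: int) -> None:
        # Populated from a snooped DHCP reply on an untrusted port; the lease time
        # is whatever the DHCP server handed out, as the manual notes.
        self._entries.append(Binding(mac.lower(), ip, vlan, port, self._now() + lease_sec, DYNAMIC))

    def lookup(self, vlan: int, port: str, ip: str, mac: Optional[str] = None) -> Optional[Binding]:
        """Find an unexpired binding for this VLAN/port/IP (and MAC when given)."""
        now = self._now()
        for b in self._entries:
            if b.vlan == vlan and b.port == port and b.ip == ip and b.expires > now:
                if mac is None or b.mac == mac.lower():
                    return b
        return None


def source_guard_allows(table: BindingTable, port: str, vlan: int,
                        src_ip: str, src_mac: str, check_mac: bool = True) -> bool:
    """IP Source Guard: forward inbound traffic only when its source is bound to the port.

    The manual describes filtering on source IP alone, or on source IP plus the
    corresponding MAC; check_mac selects the stricter form.
    """
    return table.lookup(vlan, port, src_ip, src_mac if check_mac else None) is not None


def arp_inspection_allows(table: BindingTable, port: str, vlan: int,
                          sender_ip: str, sender_mac: str, trusted: bool = False) -> bool:
    """ARP Inspection: trusted ports are exempt; on untrusted ports the ARP sender
    IP/MAC pair must match a binding-table entry."""
    if trusted:
        return True
    return table.lookup(vlan, port, sender_ip, sender_mac) is not None


class ArpRateLimiter:
    """Per-port cap on ARP packets per second (ip arp inspection limit rate pps)."""

    def __init__(self, pps: int, now: Callable[[], float] = time.time):
        self.pps, self._now = pps, now
        self._window, self._count = -1, 0

    def accept(self) -> bool:
        second = int(self._now())
        if second != self._window:
            self._window, self._count = second, 0
        self._count += 1
        return self._count <= self.pps


def demo(now: Callable[[], float] = lambda: 1000.0) -> Dict[str, bool]:
    """Constructed sample reusing the addresses from the manual's own examples."""
    t = BindingTable(now)
    t.add_static("11-22-33-44-55-66", "192.168.0.99", 1, "1/5")
    t.learn_dhcp("00-00-01-02-03-05", "192.168.0.20", 1, "1/1", lease_sec=3600)
    return {
        "static_ok": source_guard_allows(t, "1/5", 1, "192.168.0.99", "11-22-33-44-55-66"),
        "spoofed_ip": source_guard_allows(t, "1/5", 1, "192.168.0.1", "11-22-33-44-55-66"),
        "ip_only_wrong_mac": source_guard_allows(t, "1/5", 1, "192.168.0.99", "de-ad-be-ef-00-01", check_mac=False),
        "moved_port": source_guard_allows(t, "1/6", 1, "192.168.0.99", "11-22-33-44-55-66"),
        "arp_untrusted_ok": arp_inspection_allows(t, "1/1", 1, "192.168.0.20", "00-00-01-02-03-05"),
        "arp_untrusted_spoof": arp_inspection_allows(t, "1/1", 1, "192.168.0.20", "de-ad-be-ef-00-01"),
        "arp_trusted": arp_inspection_allows(t, "1/2", 1, "10.0.0.1", "de-ad-be-ef-00-02", trusted=True),
    }
```

The "ip_only_wrong_mac" case in demo is the reason to prefer the IP-plus-MAC filter where the access layer allows it: with IP-only filtering a host that spoofs a neighbour's bound IP from its own MAC still passes. The injectable clock makes lease expiry testable, which is how a dynamic entry silently disappears from the table and a previously working host starts being dropped.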
show ip arp inspection log  This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address
--- ---- ---- -------------- --------------
1   1    11   192.168.2.2    192.168.2.
Console#
CHAPTER 29 | General Security Measures Denial of Service Protection
EXAMPLE
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status  ACL Name  ACL Status
-------  ----------  --------  ----------
1        disabled    sales     static
Console#
DENIAL OF SERVICE PROTECTION A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
dos-protection tcp-scan  This command protects against DoS TCP-null-scan attacks, DoS TCP-SYN/FIN-scan attacks, and DoS TCP-xmas-scan attacks. Use the no form to disable this feature.
EXAMPLE
Console#show dos-protection
Global DoS Protections:
LAND Attack : Enabled
TCP Scan : Enabled
Console#
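The three scan types that dos-protection tcp-scan filters are all defined by illegal TCP flag combinations, and a defender verifying that the switch is doing its job (or building the same check into a capture-analysis script) needs the exact definitions. The following is an added example, not code from the manual or the switch: it extracts the six flag bits from a raw TCP header (the manual's ACL section describes the same 0-63 control-flags field) and classifies null, xmas and SYN/FIN segments. The function names, the scan-type labels and the constructed sample headers are this example's own.

```python
# Added example, not the switch's code: classifies the TCP flag combinations that the
# dos-protection tcp-scan command filters (null scan, SYN/FIN scan, xmas scan) so a
# defender can reproduce the check over captured packets. The 6-bit flag field and
# its 0-63 range follow the ACL control-flags description in this manual; function
# names, labels and sample headers are this example's own.
import struct
from typing import Dict, Iterable, List, Optional

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32   # bit values within the 6-bit field
FLAG_MASK = 0x3F


def tcp_flags_from_header(tcp_header: bytes) -> int:
    """Return the six low flag bits of a raw TCP header (flags byte at offset 13)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13] & FLAG_MASK


def classify_scan(flags: int) -> Optional[str]:
    """Return the scan type a flag combination indicates, or None for ordinary traffic.

    tcp-null-scan    : no flags set at all
    tcp-xmas-scan    : FIN, PSH and URG all set
    tcp-syn-fin-scan : SYN and FIN set in the same segment (never legitimate)
    """
    flags &= FLAG_MASK
    if flags == 0:
        return "tcp-null-scan"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "tcp-xmas-scan"
    if flags & (SYN | FIN) == (SYN | FIN):
        return "tcp-syn-fin-scan"
    return None


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header (seq, ack, window, checksum zeroed)."""
    data_offset = 5 << 4                     # 20-byte header, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags & FLAG_MASK, 0, 0, 0)


def scan_report(headers: Iterable[bytes]) -> Dict[str, int]:
    """Count detections per scan type over a sequence of raw TCP headers."""
    counts: Dict[str, int] = {}
    for h in headers:
        kind = classify_scan(tcp_flags_from_header(h))
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: one segment of each scan type mixed with a normal SYN and ACK.
SAMPLE_HEADERS: List[bytes] = [
    build_tcp_header(40000, 22, 0),
    build_tcp_header(40000, 22, SYN),
    build_tcp_header(40000, 22, FIN | PSH | URG),
    build_tcp_header(40000, 22, SYN | FIN),
    build_tcp_header(40000, 22, ACK),
]


def demo() -> Dict[str, int]:
    """Run the classifier over the constructed sample."""
    return scan_report(SAMPLE_HEADERS)
```

Order matters in classify_scan: a segment carrying SYN, FIN, PSH and URG together is reported as an xmas scan rather than SYN/FIN, which is the more specific (and rarer) pattern. The same classification applied to a switch's mirrored traffic is a cheap way to confirm that TCP Scan protection is actually dropping what the show dos-protection output says it is configured to drop.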
30 ACCESS CONTROL LISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
CHAPTER 30 | Access Control Lists IPv4 ACLs
access-list ip  This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
SYNTAX [no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
permit, deny (Standard IP ACL)  This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
SYNTAX {permit | deny} {any | source bitmask | host source} [time-range time-range-name]
no {permit | deny} {any | source bitmask | host source}
any – Any source IP address.
source – Source IP address.
bitmask – Decimal number representing the address bits to match.
permit, deny (Extended IPv4 ACL)  This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range. (Range: 1-30 characters)
DEFAULT SETTING None
COMMAND MODE Extended IPv4 ACL
COMMAND USAGE
◆ All new rules are appended to the end of the list.
EXAMPLE This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet address (10.7.1.2 & 255.255.255.0), the rule is matched and the packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.
COMMAND USAGE
◆ Only one ACL can be bound to a port.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
EXAMPLE
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in
Console(config-if)#
RELATED COMMANDS show ip access-list (979) Time Range (817)
show ip access-group  This command shows the ports assigned to IP ACLs.
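The standard and extended IPv4 ACL commands above describe their matching in terms of bitmasks (a set mask bit means that address, port or flag bit must match) and an ordered list to which new rules are appended. The following is an added example, not the switch's code: it evaluates such a rule list in Python with exactly those semantics, first match wins, including the port-bitmask and control-flags/flag-bitmask options of the extended form, and exercises it with rule sets mirroring the manual's "david" and "bob" listings. The Rule and Packet structures, evaluate_acl and the other names are this example's own, and treating "no rule matched" as deny is this example's assumption, since the page does not state the default action.

```python
# Added example, not the switch's code: evaluates an ordered list of standard and
# extended IPv4 ACL rules the way the sections above describe, using the manual's
# bitmask semantics (a set mask bit means that bit must match), first match wins.
# Treating "no rule matched" as deny is this example's assumption; Rule, Packet and
# evaluate_acl are this example's own names.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def ip_matches(addr: str, rule_addr: Optional[str], bitmask: Optional[str]) -> bool:
    """'any' is rule_addr None; 'host X' is X with an all-ones mask."""
    if rule_addr is None:
        return True
    mask = int(ipaddress.IPv4Address(bitmask or "255.255.255.255"))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(rule_addr)) & mask)


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    src: Optional[str] = None            # None = any; bitmask None = host
    src_bitmask: Optional[str] = None
    dst: Optional[str] = None            # standard ACLs leave dst/protocol/port unset
    dst_bitmask: Optional[str] = None
    protocol: Optional[int] = None       # IP protocol number (6 = TCP, 17 = UDP)
    dst_port: Optional[int] = None
    dst_port_bitmask: int = 65535        # port-bitmask: port bits to match (0-65535)
    control_flags: Optional[int] = None  # TCP flag bits (0-63)
    flag_bitmask: int = 63               # flag-bitmask: which flag bits to compare


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int = 6
    dst_port: int = 0
    tcp_flags: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every configured field of the rule must match; unset fields match anything."""
    if not ip_matches(pkt.src, rule.src, rule.src_bitmask):
        return False
    if not ip_matches(pkt.dst, rule.dst, rule.dst_bitmask):
        return False
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.dst_port is not None and \
            (pkt.dst_port & rule.dst_port_bitmask) != (rule.dst_port & rule.dst_port_bitmask):
        return False
    if rule.control_flags is not None and \
            (pkt.tcp_flags & rule.flag_bitmask) != (rule.control_flags & rule.flag_bitmask):
        return False
    return True


def evaluate_acl(rules: List[Rule], pkt: Packet) -> str:
    """Rules are checked in list order (new rules go to the end); first match wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"   # assumption: a packet matching no rule is dropped


# Constructed rule sets mirroring the manual's "david" (standard) and "bob" (extended)
# listings. The leading deny in BOB is this example's own addition: it drops TCP
# segments with SYN and FIN both set (flag bits 2 and 1) and shows that order matters.
DAVID = [
    Rule("permit", src="10.1.1.21"),
    Rule("permit", src="168.92.0.0", src_bitmask="255.255.15.0"),
]
BOB = [
    Rule("deny", protocol=6, control_flags=3, flag_bitmask=3),
    Rule("permit", src="10.7.1.1", src_bitmask="255.255.255.0"),
    Rule("permit", src="192.168.1.0", src_bitmask="255.255.255.0", protocol=6, dst_port=80),
]
```

The DAVID set is worth running with 168.92.16.5 and 168.92.17.5: the manual's mask 255.255.15.0 is not a contiguous prefix, so the third octet matches only when its low four bits are zero, which is the kind of rule a reviewer reads as a typo until the evaluator shows what it really admits.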
CHAPTER 30 | Access Control Lists IPv6 ACLs
EXAMPLE
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.15.0
Console#
RELATED COMMANDS permit, deny (975) ip access-group (978)
IPV6 ACLS The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label.
COMMAND MODE Global Configuration
COMMAND USAGE
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
DEFAULT SETTING None
COMMAND MODE Standard IPv6 ACL
COMMAND USAGE New rules are appended to the end of the list.
EXAMPLE This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
flow-label – A label for packets belonging to a particular traffic “flow” for which the sender requests special handling by IPv6 routers, such as non-default quality of service or “real-time” service (see RFC 2460). (Range: 0-16777215)
next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
time-range-name - Name of the time range.
EXAMPLE This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent to the destination 2009:DB9:2229::79/48 when the flow label is 43.
permit 2009:DB9:2229:5::/64
Console#
RELATED COMMANDS permit, deny (Standard IPv6 ACL) (981) permit, deny (Extended IPv6 ACL) (982) ipv6 access-group (985)
ipv6 access-group  This command binds a port to an IPv6 ACL. Use the no form to remove the port.
SYNTAX ipv6 access-group acl-name in [time-range time-range-name]
no ipv6 access-group acl-name in
acl-name – Name of the ACL.
CHAPTER 30 | Access Control Lists MAC ACLs
show ipv6 access-group  This command shows the ports assigned to IPv6 ACLs.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show ipv6 access-group
Interface ethernet 1/2
IPv6 access-list david in
Console#
RELATED COMMANDS ipv6 access-group (985)
MAC ACLS The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
COMMAND USAGE
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
{permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]] [time-range time-range-name]
no {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]]
{permit | deny} tagged-802.
COMMAND MODE MAC ACL
COMMAND USAGE
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060.
EXAMPLE
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
RELATED COMMANDS show mac access-list (990) Time Range (817)
show mac access-group  This command shows the ports assigned to MAC ACLs.
CHAPTER 30 | Access Control Lists ARP ACLs ARP ACLS The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command (page 965).
permit, deny (ARP ACL)  This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
SYNTAX [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log]
This form indicates either request or response packets.
EXAMPLE This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#
RELATED COMMANDS access-list arp (991)
show arp access-list  This command displays the rules for configured ARP ACLs.
SYNTAX show arp access-list [acl-name]
acl-name – Name of the ACL.
CHAPTER 30 | Access Control Lists ACL Information
ACL INFORMATION This section describes commands used to display ACL information.
Table 98: ACL Information Commands
Command | Function | Mode
show access-group | Shows the ACLs assigned to each port | PE
show access-list | Show all ACLs and associated rules | PE
show access-group  This command shows the port assignments of ACLs.
EXAMPLE
Console#show access-list
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.15.0
IP extended access-list bob:
permit 10.7.1.1 255.255.255.0 any
permit 192.168.1.0 255.255.255.0 any destination-port 80 80
permit 192.168.1.0 255.255.255.
31 INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
CHAPTER 31 | Interface Commands Interface Configuration
Interface Configuration
interface  This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface.
SYNTAX [no] interface interface
interface
ethernet unit/port-list
unit - Stack unit. (Range: 1-8)
port-list - Physical port number or list of port numbers.
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE The alias is displayed in the running-configuration file. An example of the value which a network manager might store in this object for a WAN interface is the (Telco's) circuit number/identifier of the interface.
EXAMPLE The following example adds an alias to port 4.
◆ The 1000BASE-T and 10GBASE-T standards do not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T and 10GBASE-T port or trunk.
◆ When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command.
EXAMPLE The following example adds a description to port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#description RD-SW#3
Console(config-if)#
flowcontrol  This command enables flow control. Use the no form to disable flow control.
SYNTAX [no] flowcontrol
DEFAULT SETTING Disabled
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ 1000BASE-T and 10GBASE-T do not support forced mode.
media-type  This command forces the port type selected for combination ports 21-24. Use the no form to restore the default mode.
SYNTAX media-type mode
no media-type
mode
copper-forced - Always uses the built-in RJ-45 port.
sfp-forced - Always uses the SFP port (even if a module is not installed).
sfp-preferred-auto - Uses the SFP port if both combination types are functioning and the SFP port has a valid link.
◆ When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
◆ If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
EXAMPLE The following example configures port 11 to use auto-negotiation.
speed-duplex  This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
RELATED COMMANDS negotiation (1002) capabilities (999)
switchport mtu  This command configures the maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit or 10 Gigabit Ethernet port or trunk. Use the no form to restore the default setting.
SYNTAX switchport mtu size
no switchport mtu
size - Specifies the maximum transfer unit (or frame size) for a Gigabit and 10 Gigabit Ethernet port or trunk.
◆ The port MTU size can be displayed with the show interfaces status command.
◆ The rate limits set by this command are also used by automatic storm control when the control response is set to rate limiting by the auto-traffic-control action command.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results.
EXAMPLE The following example clears statistics on port 5.
Console#clear counters ethernet 1/5
Console#
show interfaces brief  This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports.
EXAMPLE
Console#show interfaces counters ethernet 1/17
Ethernet 1/ 1
===== IF table Stats =====
138550 Octets Input
820500 Octets Output
734 Unicast Input
932 Unicast Output
12 Discard Input
0 Discard Output
0 Error Input
0 Error Output
0 Unknown Protos Input
0 QLen Output
===== Extended Iftable Stats =====
38 Multi-cast Input
1342 Multi-cast Output
210 Broadcast Input
2 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS Errors
0
show interfaces status  This command displays the status for an interface.
SYNTAX show interfaces status [interface]
interface
ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number. (Range: 1-26)
port-channel channel-id (Range: 1-32)
vlan vlan-id (Range: 1-4093)
DEFAULT SETTING Shows the status for all interfaces.
show interfaces switchport  This command displays the administrative and operational status of the specified interfaces.
SYNTAX show interfaces switchport [interface]
interface
ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number. (Range: 1-26)
port-channel channel-id (Range: 1-32)
DEFAULT SETTING Shows all interfaces.
Table 100: show interfaces switchport - display description
Field | Description
Broadcast Threshold | Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 1006).
Multicast Threshold | Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 1006).
show interfaces transceiver  This command displays identifying information for the specified transceiver, as well as the temperature, voltage, bias current, transmit power, and receive power.
SYNTAX show interfaces transceiver [interface]
interface
ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number. (Range: 21-26)
DEFAULT SETTING Shows all SFP interfaces.
CHAPTER 31 | Interface Commands Cable Diagnostics
Vcc : 0.00 V
Bias Current : 43.11 mA
TX Power : 605 uW
RX Power : 3 uW
Console#
Cable Diagnostics
test cable-diagnostics dsp  This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length.
SYNTAX test cable-diagnostics dsp interface interface
interface
ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number.
Cable Short with accuracy 0 meters.
Pair A OK, length 1 meters
Pair B OK, length 2 meters
Pair C Short, length 1 meters
Pair D Short, length 2 meters
Last Update on 2010-04-23 07:59:26
Console#
test loop internal  This command performs an internal loop back test on the specified port.
SYNTAX test loop internal interface interface
interface
ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number.
EXAMPLE
Console#show cable-diagnostics dsp interface ethernet 1/1
Cable Diagnostics on interface Ethernet 1/1:
Cable OK with accuracy 0 meters.
Pair A OK, length 0 meters
Pair B OK, length 0 meters
Pair C OK, length 1 meters
Pair D OK, length 1 meters
Last Update 0n 2009-10-21 15:08:20
Console#
show loop internal  This command shows the results of a loop back test.
32 LINK AGGREGATION COMMANDS Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Manual Configuration Commands
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
DEFAULT SETTING src-dst-ip
COMMAND MODE Global Configuration
COMMAND USAGE
◆ This command applies to all static and dynamic trunks on the switch.
Dynamic Configuration Commands
channel-group  This command adds a port to a trunk. Use the no form to remove a port from a trunk.
SYNTAX channel-group channel-id
no channel-group
channel-id - Trunk index (Range: 1-32)
DEFAULT SETTING The current port will be added to this trunk.
COMMAND MODE Interface Configuration (Ethernet)
COMMAND USAGE
◆ When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
COMMAND USAGE
◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
lacp admin-key (Ethernet Interface)  This command configures a port's LACP administration key. Use the no form to restore the default setting.
SYNTAX lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
lacp port-priority  This command configures LACP port priority. Use the no form to restore the default setting.
SYNTAX lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - LACP port priority is used to select a backup link.
lacp system-priority  This command configures a port's LACP system priority. Use the no form to restore the default setting.
SYNTAX lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
Trunk Status Display Commands
DEFAULT SETTING 0
COMMAND MODE Interface Configuration (Port Channel)
COMMAND USAGE
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
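The membership rules above (system priority, port admin key, port channel key) together with the full-duplex and identical-configuration requirements from earlier in this chapter, modelled as an added example that is not part of the manual or the switch firmware. Port names, priorities and keys are constructed sample data; taking an unset port channel key from the first member is an assumption, since the page's sentence on that case is cut off.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class LacpPort:
    """Per-port settings relevant to LAG membership (constructed sample data)."""
    name: str
    system_priority: int     # lacp actor system-priority
    admin_key: int           # lacp actor admin-key (Ethernet Interface)
    speed_mbps: int
    full_duplex: bool
    vlans: FrozenSet[int]
    cos: int


@dataclass
class PortChannel:
    channel_id: int
    channel_key: Optional[int] = None      # lacp admin-key (Port Channel); None = not set
    members: List[LacpPort] = field(default_factory=list)


def join_errors(port: LacpPort, lag: PortChannel) -> List[str]:
    """Return every reason the port may NOT join the LAG (empty list = allowed)."""
    errs = []
    # LACP requires full duplex on both ends (forced or auto-negotiated).
    if not port.full_duplex:
        errs.append("port is not full duplex")
    # Rule (3): the port channel key must match, when one is configured.
    if lag.channel_key is not None and port.admin_key != lag.channel_key:
        errs.append(f"admin key {port.admin_key} != port channel key {lag.channel_key}")
    if lag.members:
        ref = lag.members[0]
        # Rules (1) and (2): system priority and port admin key must match existing members.
        if port.system_priority != ref.system_priority:
            errs.append(f"system priority {port.system_priority} != {ref.system_priority}")
        if port.admin_key != ref.admin_key:
            errs.append(f"admin key {port.admin_key} != {ref.admin_key}")
        # Trunk members must be configured identically: speed/duplex, VLANs, CoS.
        if port.speed_mbps != ref.speed_mbps:
            errs.append(f"speed {port.speed_mbps} != {ref.speed_mbps}")
        if port.vlans != ref.vlans:
            errs.append("VLAN assignments differ from existing members")
        if port.cos != ref.cos:
            errs.append(f"CoS {port.cos} != {ref.cos}")
    return errs


def try_join(port: LacpPort, lag: PortChannel) -> Tuple[bool, List[str]]:
    """Admit the port if no rule is violated; returns (joined, reasons)."""
    errs = join_errors(port, lag)
    if not errs:
        lag.members.append(port)
        # Assumption: an unset port channel key is taken from the first member.
        if lag.channel_key is None:
            lag.channel_key = port.admin_key
    return (not errs, errs)


def demo() -> PortChannel:
    """Constructed scenario: four candidate ports for port-channel 1."""
    lag = PortChannel(channel_id=1)
    base = dict(system_priority=32768, admin_key=3, speed_mbps=1000,
                full_duplex=True, vlans=frozenset({1, 10}), cos=0)
    try_join(LacpPort("Eth 1/1", **base), lag)
    try_join(LacpPort("Eth 1/2", **base), lag)
    try_join(LacpPort("Eth 1/3", **{**base, "admin_key": 4}), lag)        # rejected
    try_join(LacpPort("Eth 1/4", **{**base, "full_duplex": False}), lag)  # rejected
    return lag


if __name__ == "__main__":
    for member in demo().members:
        print(member.name, "joined port-channel 1")
```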
EXAMPLE
Console#show lacp 1 counters
Port Channel: 1
------------------------------------------------------------------------
Eth 1/ 2
------------------------------------------------------------------------
LACPDUs Sent : 12
LACPDUs Received : 6
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
. . .
Table 103: show lacp internal - display description (Continued)
Field: Description
LACP Port Priority: LACP port priority assigned to this interface within the channel group.
Admin State, Oper State:
◆ Expired – The actor’s receive machine is in the expired state;
◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Table 104: show lacp neighbors - display description (Continued)
Field: Description
Port Oper Priority: Priority value assigned to this aggregation port by the partner.
Admin Key: Current administrative value of the Key for the protocol partner.
Oper Key: Current operational value of the Key for the protocol partner.
Admin State: Administrative values of the partner’s state parameters. (See preceding table.
33 PORT MIRRORING COMMANDS Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Local Port Mirroring Commands
DEFAULT SETTING
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
COMMAND MODE Interface Configuration (Ethernet, destination port)
COMMAND USAGE
◆ You can mirror traffic from any source port to a destination port for real-time analysis.
RSPAN Mirroring Commands
COMMAND MODE Privileged Exec
COMMAND USAGE This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
4. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch’s role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
rspan source  Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.
SYNTAX [no] rspan session session-id source interface interface-list [rx | tx | both]
session-id – A number identifying this RSPAN session.
rspan destination  Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
SYNTAX rspan session session-id destination interface interface [tagged | untagged]
no rspan session session-id destination interface interface
session-id – A number identifying this RSPAN session. (Range: 1-2) Only two mirror sessions are allowed, including both local and remote mirroring.
rspan remote vlan  Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.
SYNTAX [no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface
session-id – A number identifying this RSPAN session.
dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show rspan session
RSPAN Session ID : 1
Source Ports (mirrored ports) : None
RX Only : None
TX Only : None
BOTH : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode : Untagged
Switch Role : Destination
RSPAN VLAN : 2
RSPAN Uplink Ports : Eth 1/3
Operation Status : Up
Console#
34 RATE LIMIT COMMANDS This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 64
Console(config-if)#
RELATED COMMAND show interfaces switchport (1011)
35 AUTOMATIC TRAFFIC CONTROL COMMANDS Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
Table 110: ATC Commands (Continued)
Command: Function (Mode)
snmp-server enable port-traps atc multicast-control-apply: Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires (IC (Port))
snmp-server enable port-traps atc multicast-control-release: Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires (I
expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged. Note that if the control action has shut down a port, it can only be manually re-enabled using the auto-traffic-control control-release command.
Threshold Commands
auto-traffic-control apply-timer  This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting.
SYNTAX auto-traffic-control {broadcast | multicast} apply-timer seconds
no auto-traffic-control {broadcast | multicast} apply-timer
broadcast - Specifies automatic storm control for broadcast traffic.
seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 1-900 seconds)
DEFAULT SETTING 900 seconds
COMMAND MODE Global Configuration
COMMAND USAGE This command sets the delay after which the control response can be terminated.
EXAMPLE This example enables automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast
Console(config-if)#
auto-traffic-control action  This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting.
EXAMPLE This example sets the control response for broadcast traffic on port 1.
EXAMPLE This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
Console(config-if)#
auto-traffic-control alarm-fire-threshold  This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires.
auto-traffic-control auto-control-release  This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired.
SYNTAX auto-traffic-control {broadcast | multicast} auto-control-release
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
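The interplay of the ATC thresholds, timers, control action and auto-control-release described in this chapter, as an added example that models the sequence of traps and responses; it is not the switch's firmware. The sample traffic rates, the packets-per-second unit, the 300 s apply-timer value and the rule that a rate-limit response is only released automatically when auto-control-release is enabled (otherwise it waits for control-release) are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AtcConfig:
    """Per-port ATC settings for one traffic type (broadcast or multicast)."""
    alarm_fire_threshold: int        # upper threshold (packets/sec assumed)
    alarm_clear_threshold: int       # lower threshold
    apply_timer: int = 300           # seconds; assumed value, the page gives no default here
    release_timer: int = 900         # seconds; default given on the page
    action: str = "rate-limit"       # "rate-limit" or "shutdown"
    auto_control_release: bool = False


@dataclass
class AtcPort:
    cfg: AtcConfig
    state: str = "normal"            # normal | alarm | controlled | release-pending | held
    rate_limited: bool = False
    shut_down: bool = False
    timer_start: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def observe(self, now: int, ingress_pps: int) -> List[str]:
        """Feed one ingress sample at time `now`; return the traps raised."""
        c, traps = self.cfg, []
        if self.shut_down:
            return traps                        # a shut port carries no traffic
        if self.state == "normal":
            if ingress_pps > c.alarm_fire_threshold:
                self.state, self.timer_start = "alarm", now
                traps.append("storm-alarm-fire")
        elif self.state == "alarm":
            if ingress_pps < c.alarm_clear_threshold:
                self.state, self.timer_start = "normal", None
                traps.append("storm-alarm-clear")
            elif now - self.timer_start >= c.apply_timer:
                self.state = "controlled"       # apply timer expired: respond
                if c.action == "shutdown":
                    self.shut_down = True
                else:
                    self.rate_limited = True
                traps.append("traffic-control-apply")
        elif self.state == "controlled":
            if ingress_pps < c.alarm_clear_threshold:
                self.state, self.timer_start = "release-pending", now
                traps.append("storm-alarm-clear")
        elif self.state == "release-pending":
            if ingress_pps > c.alarm_fire_threshold:
                self.state, self.timer_start = "controlled", None   # storm came back
                traps.append("storm-alarm-fire")
            elif now - self.timer_start >= c.release_timer:
                if c.auto_control_release:
                    self.rate_limited, self.state = False, "normal"
                    traps.append("traffic-control-release")
                else:
                    self.state = "held"         # waits for operator control-release
        self.log.extend(f"t={now} {t}" for t in traps)
        return traps

    def control_release(self) -> None:
        """Operator runs 'auto-traffic-control control-release' on the interface."""
        self.rate_limited = self.shut_down = False
        self.state, self.timer_start = "normal", None


def simulate(cfg: AtcConfig, samples: List[Tuple[int, int]]) -> AtcPort:
    """Replay (time, pps) samples through a fresh port and return it."""
    port = AtcPort(cfg)
    for now, pps in samples:
        port.observe(now, pps)
    return port


# Constructed broadcast storm: exceeds 200 pps from t=1, subsides at t=7.
STORM = [(0, 100), (1, 300), (3, 300), (6, 300), (7, 100), (17, 100)]

if __name__ == "__main__":
    p = simulate(AtcConfig(200, 155, apply_timer=5, release_timer=10,
                           auto_control_release=True), STORM)
    print("\n".join(p.log))
```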
SNMP Trap Commands
snmp-server enable port-traps atc broadcast-alarm-  This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
snmp-server enable port-traps atc broadcast-control-  This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
snmp-server enable port-traps atc multicast-alarm-  This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
snmp-server enable port-traps atc multicast-control-  This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
ATC Display Commands
show auto-traffic-control  This command shows global configuration settings for automatic storm control.
36 ADDRESS TABLE COMMANDS These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
EXAMPLE
Console(config)#mac-address-table aging-time 100
Console(config)#
mac-address-table static  This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
SYNTAX mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number.
EXAMPLE
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
clear mac-address-table dynamic  This command removes any learned entries from the forwarding database.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
EXAMPLE
Console#clear mac-address-table dynamic
Console#
show mac-address-table  This command shows classes of entries in the bridge-forwarding database.
COMMAND USAGE
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
■ Learn - Dynamic address entries
■ Config - Static entry
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
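How the xx-xx-xx-xx-xx-xx address mask narrows the table shown by show mac-address-table, and the per-interface tally behind show mac-address-table count, as an added example that is not the switch's own code. The forwarding-database rows are constructed; the static entry reuses the address from the configuration example above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The switch writes addresses and masks as six hex octets separated by hyphens.
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(-[0-9a-fA-F]{2}){5}$")


def parse_mac(text: str) -> int:
    """Parse the xx-xx-xx-xx-xx-xx notation into a 48-bit integer; reject other forms."""
    if not MAC_RE.match(text):
        raise ValueError(f"bad MAC/mask syntax: {text!r}")
    return int(text.replace("-", ""), 16)


@dataclass(frozen=True)
class FdbEntry:
    """One row of the bridge-forwarding database."""
    interface: str      # e.g. "Eth 1/1"
    mac: str
    vlan: int
    type: str           # "Learn" (dynamic) or "Config" (static)


def mac_matches(mac: str, address: str, mask: str) -> bool:
    """True when `mac` equals `address` on every bit that is set in `mask`."""
    m = parse_mac(mask)
    return (parse_mac(mac) & m) == (parse_mac(address) & m)


def show_mac_address_table(
    fdb: List[FdbEntry],
    address: Optional[str] = None,
    mask: str = "ff-ff-ff-ff-ff-ff",      # exact match unless a mask is given
    vlan: Optional[int] = None,
    interface: Optional[str] = None,
) -> List[FdbEntry]:
    """Filter the FDB the way the show command's options narrow its output."""
    out = []
    for e in fdb:
        if vlan is not None and e.vlan != vlan:
            continue
        if interface is not None and e.interface != interface:
            continue
        if address is not None and not mac_matches(e.mac, address, mask):
            continue
        out.append(e)
    return out


def mac_address_table_count(fdb: List[FdbEntry]) -> Dict[str, int]:
    """Addresses in use per interface (the per-interface form of the count command)."""
    counts: Dict[str, int] = {}
    for e in fdb:
        counts[e.interface] = counts.get(e.interface, 0) + 1
    return counts


# Constructed sample table; the Config entry mirrors the page's static-address example.
SAMPLE_FDB = [
    FdbEntry("Eth 1/1", "00-e0-29-94-34-de", 1, "Config"),
    FdbEntry("Eth 1/1", "00-e0-29-12-ab-cd", 1, "Learn"),
    FdbEntry("Eth 1/2", "00-10-b5-62-98-31", 1, "Learn"),
    FdbEntry("Eth 1/3", "00-e0-29-77-00-01", 20, "Learn"),
]

if __name__ == "__main__":
    # Every address from the 00-e0-29 OUI, whatever the low 24 bits are.
    for e in show_mac_address_table(SAMPLE_FDB, "00-e0-29-00-00-00", "ff-ff-ff-00-00-00"):
        print(e)
```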
show mac-address-table count  This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
SYNTAX show mac-address-table count [interface interface]
interface ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number.
37 SPANNING TREE COMMANDS This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 112: Spanning Tree Commands (Continued)
Command: Function (Mode)
spanning-tree loopback-detection trap: Enables BPDU loopback SNMP trap notification for a port (IC)
spanning-tree mst cost: Configures the path cost of an instance in the MST (IC)
spanning-tree mst port-priority: Configures the priority of an instance in the MST (IC)
spanning-tree port-bpdu-flooding: Floods BPDUs to other ports when global spanning tree is disabled (IC)
spanning-tree port-priority: Confi
EXAMPLE This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#
spanning-tree forward-time  This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
SYNTAX spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
DEFAULT SETTING 2 seconds
COMMAND MODE Global Configuration
COMMAND USAGE This command sets the time interval (in seconds) at which the root device transmits a configuration message.
EXAMPLE
Console(config)#spanning-tree hello-time 5
Console(config)#
RELATED COMMANDS spanning-tree forward-time (1063) spanning-tree max-age (1064)
spanning-tree max-age  This command configures the spanning tree bridge maximum age globally for this switch.
RELATED COMMANDS spanning-tree forward-time (1063) spanning-tree hello-time (1063)
spanning-tree mode  This command selects the spanning tree mode for this switch. Use the no form to restore the default.
SYNTAX spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
stp - Spanning Tree Protocol (IEEE 802.1D)
rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
mstp - Multiple Spanning Tree (IEEE 802.
■ A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
spanning-tree priority  This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
SYNTAX spanning-tree priority priority
no spanning-tree priority
priority - Priority of the bridge.
revision (1072) max-hops (1069)
spanning-tree system-bpdu-flooding  This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
COMMAND USAGE This command limits the maximum transmission rate for BPDUs.
EXAMPLE
Console(config)#spanning-tree transmission-limit 4
Console(config)#
max-hops  This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
SYNTAX max-hops hop-number
hop-number - Maximum hop number for multiple spanning tree.
mst priority  This command configures the priority of a spanning tree instance. Use the no form to restore the default.
SYNTAX mst instance-id priority priority
no mst instance-id priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority of a spanning tree instance.
COMMAND MODE MST Configuration
COMMAND USAGE
◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
EXAMPLE
Console(config-mstp)#name R&D
Console(config-mstp)#
RELATED COMMANDS revision (1072)
revision  This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
SYNTAX revision number
number - Revision number of the spanning tree.
COMMAND USAGE
◆ This command filters all Bridge Protocol Data Units (BPDUs) received on an interface to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs.
be manually re-enabled using the no spanning-tree spanning-disabled command.
◆ Before enabling BPDU Guard, the interface must be configured as an edge port with the spanning-tree edge-port command. Also note that if the edge port attribute is disabled on an interface, BPDU Guard will also be disabled on that interface.
Table 114: Default STA Path Costs
Port Type: Short Path Cost (IEEE 802.1D-1998) / Long Path Cost (802.1D-2004)
Ethernet: 65,535 / 1,000,000
Fast Ethernet: 65,535 / 100,000
Gigabit Ethernet: 10,000 / 10,000
10G Ethernet: 1,000 / 1,000
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices.
devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related time out problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
spanning-tree loopback-detection  This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
SYNTAX [no] spanning-tree loopback-detection
DEFAULT SETTING Enabled
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.
command, the selected interface will be automatically enabled when the shutdown interval has expired.
◆ If an interface is shut down by this command, and the release mode is set to “manual,” the interface can be re-enabled using the spanning-tree loopback-detection release command.
◆ When configured for manual release mode, then a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command.
EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#
spanning-tree loopback-detection trap  This command enables SNMP trap notification for Spanning Tree loopback BPDU detections.
shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535. The default path costs are listed in Table 114 on page 1075.
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ Each spanning-tree instance is associated with a unique set of VLAN IDs.
COMMAND USAGE
◆ This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch are the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one interface is assigned the highest priority, the interface with lowest numeric identifier will be enabled.
spanning-tree port-priority  This command configures the priority for the specified interface. Use the no form to restore the default.
SYNTAX spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port. (Range: 0-240, in steps of 16)
DEFAULT SETTING 128
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm.
COMMAND USAGE
◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
◆ When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period. While in the discarding state, no traffic is forwarded across the port.
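The per-port BPDU protections of this chapter (BPDU filter and BPDU guard on edge ports, Root Guard, and loopback detection with its release mode) combined into one decision function, as an added example that is not the switch's firmware. The evaluation order, the shutdown response for loopback detection, the "auto" release-mode default and the bridge identifiers are assumptions; the identifier format follows the show spanning-tree brief output later in the chapter.

```python
from dataclasses import dataclass


@dataclass
class PortProtection:
    """Per-interface STA protection settings from this chapter."""
    edge_port: bool = False
    bpdu_filter: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loopback_detection: bool = True          # default on the page: Enabled
    loopback_release_mode: str = "auto"      # "auto" or "manual" (assumed default)


@dataclass
class PortState:
    admin_down: bool = False           # shut down by a guard (spanning-disabled)
    discarding: bool = False           # Root Guard Discarding state
    manual_release_needed: bool = False


@dataclass(frozen=True)
class Bpdu:
    sender_bridge_id: str    # "priority.MAC", the form used by show spanning-tree brief
    superior_to_root: bool   # advertises a better root than the current root bridge


def handle_bpdu(cfg: PortProtection, st: PortState, bpdu: Bpdu, my_bridge_id: str) -> str:
    """Apply the guards in a fixed (assumed) order and return the action taken."""
    if st.admin_down:
        return "ignored: port is shut down"
    # Loopback Detection: the port received its own BPDU.
    if bpdu.sender_bridge_id == my_bridge_id:
        if cfg.loopback_detection:
            st.admin_down = True                                   # shutdown response assumed
            st.manual_release_needed = cfg.loopback_release_mode == "manual"
            return "loopback-detection: port shut down"
        return "loopback BPDU dropped per IEEE 802.1w"
    # Edge-port protections: the filter discards silently, the guard shuts the port.
    if cfg.edge_port and cfg.bpdu_filter:
        return "bpdu-filter: BPDU discarded"
    if cfg.edge_port and cfg.bpdu_guard:      # guard is inactive without the edge-port attribute
        st.admin_down = True
        st.manual_release_needed = True       # cleared with no spanning-tree spanning-disabled
        return "bpdu-guard: port shut down"
    # Root Guard: a superior BPDU must not move the root behind this port.
    if cfg.root_guard and bpdu.superior_to_root:
        st.discarding = True
        return "root-guard: port set to Discarding"
    return "processed by the Spanning Tree Algorithm"


def root_guard_recover(st: PortState, quiet_seconds: int, recovery_period: int) -> bool:
    """Leave Discarding once no superior BPDU has arrived for the recovery period."""
    if st.discarding and quiet_seconds >= recovery_period:
        st.discarding = False
    return not st.discarding


MY_BRIDGE = "32768.0000E89382A0"     # constructed identifier in the page's output format

if __name__ == "__main__":
    cfg, st = PortProtection(edge_port=True, bpdu_guard=True), PortState()
    print(handle_bpdu(cfg, st, Bpdu("32768.0000AABBCCDD", False), MY_BRIDGE))
```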
spanning-tree tc-prop-stop  This command stops propagating topology changes on an interface. Use the no form to restore the default setting.
SYNTAX [no] spanning-tree tc-prop-stop
DEFAULT SETTING Propagation of topology change notification messages is enabled
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE This command may be used to troubleshoot excessive TCN messages appearing on an interface.
EXAMPLE
Console#spanning-tree loopback-detection release ethernet 1/1
Console#
spanning-tree protocol-migration  This command re-checks the appropriate BPDU format to send on the selected interface.
SYNTAX spanning-tree protocol-migration interface
interface ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number.
show spanning-tree  This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST).
SYNTAX show spanning-tree [interface | mst instance-id | brief]
interface ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number. (Range: 1-26)
port-channel channel-id (Range: 1-32)
instance-id - Instance identifier of the multiple spanning tree.
EXAMPLE This example shows a full listing of global and interface settings for the spanning tree.
Console#show spanning-tree
Spanning Tree Information
---------------------------------------------------------------
Spanning Tree Mode : MSTP
Spanning Tree Enabled/Disabled : Enabled
Instance : 0
VLANs Configuration : 1-4093
Priority : 32768
Bridge Hello Time (sec.) : 2
Bridge Max. Age (sec.) : 20
Bridge Forward Delay (sec.) : 15
Root Hello Time (sec.) : 2
Root Max. Age (sec.
This example shows a brief summary of global and interface settings for the spanning tree.
Console#show spanning-tree brief
Spanning Tree Mode : RSTP
Spanning Tree Enabled/Disabled : Enabled
Designated Root : 32768.0000E89382A0
Current Root Port : 0
Current Root Cost : 0
Interface Pri Designated Bridge ID Designated Port ID Oper Cost STP Status Role State Oper Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ---
Eth 1/ 1 128 32768.
38 ERPS COMMANDS The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
Configuration Guidelines for ERPS
1. Create an ERPS ring: Create a ring using the erps domain command. The ring name is used as an index in the G.8032 database.
2. Configure the east and west interfaces: Each node on the ring connects to it through two ring ports. Use the ring-port command to configure one port connected to the next node in the ring to the east (or clockwise direction); and then use the ring-port command again to configure another port facing west in the ring.
erps  This command enables ERPS on the switch. Use the no form to disable this feature.
SYNTAX [no] erps
DEFAULT SETTING Disabled
COMMAND MODE Global Configuration
COMMAND USAGE ERPS must be enabled globally on the switch before it can be enabled on an ERPS ring using the enable command.
EXAMPLE
Console(config)#erps
Console(config)#
RELATED COMMANDS enable (1093)
erps domain  This command creates an ERPS ring and enters ERPS configuration mode for the specified domain.
control-vlan  This command specifies a dedicated VLAN used for sending and receiving ERPS protocol messages. Use the no form to remove the Control VLAN.
SYNTAX [no] control-vlan vlan-id
vlan-id - VLAN ID (Range: 1-4094)
DEFAULT SETTING None
COMMAND MODE ERPS Configuration
COMMAND USAGE
◆ Configure one control VLAN for each ERPS ring.
enable  This command activates the current ERPS ring. Use the no form to disable the current ring.
SYNTAX [no] enable
DEFAULT SETTING Disabled
COMMAND MODE ERPS Configuration
COMMAND USAGE
◆ Before enabling a ring, the global ERPS function should be enabled with the erps command, the east and west ring ports configured on each node with the ring-port command, the RPL owner specified with the rpl owner command, and the control VLAN configured with the control-vlan command.
COMMAND USAGE The guard timer duration should be greater than the maximum expected forwarding delay for an R-APS message to pass around the ring. A side-effect of the guard timer is that during its duration, a node will be unaware of new or existing ring requests transmitted from other nodes.
EXAMPLE
Console(config-erps)#guard-timer 300
Console(config-erps)#
holdoff-timer  This command sets the timer to filter out intermittent link faults.
major-domain  This command specifies the ERPS ring used for sending control packets. Use the no form to remove the current setting.
SYNTAX major-domain name
no major-domain
name - Name of the ERPS ring used for sending control packets. (Range: 1-32 characters)
DEFAULT SETTING None
COMMAND MODE ERPS Configuration
COMMAND USAGE
◆ This switch can support up to two rings. However, ERPS control packets can only be sent on one ring.
COMMAND USAGE
◆ This parameter is used to ensure that received R-APS PDUs are directed for this ring. A unique level should be configured for each local ring if there are many R-APS PDUs passing through this switch.
more information on how ERPS recovers from a node failure, refer to "Ethernet Ring Protection Switching" on page 464.
EXAMPLE
Console(config-erps)#mep-monitor east mep 1
Console(config-erps)#
RELATED COMMANDS ethernet cfm domain (1315) ethernet cfm mep (1320)
node-id  This command sets the MAC address for a ring node. Use the no form to restore the default setting.
SYNTAX node-id mac-address
mac-address – A MAC address unique to the ring node.
CHAPTER 38 | ERPS Commands non-erps-dev-protect This command sends non-standard health-check packets when an owner node enters protection state without any link-down event having been detected through SF messages. Use the no form to disable this feature. SYNTAX [no] non-erps-dev-protect DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration COMMAND USAGE ◆ The RPL owner node detects a failed link when it receives R-APS (SF – Signal Fail) messages from nodes adjacent to the failed link.
CHAPTER 38 | ERPS Commands EXAMPLE Console(config-erps)#non-erps-dev-protect Console(config-erps)# propagate-tc This command enables propagation of topology change messages for a secondary ring to the primary ring. Use the no form to disable this feature. SYNTAX [no] propagate-tc DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration COMMAND USAGE ◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring.
CHAPTER 38 | ERPS Commands ring-port This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring. SYNTAX ring-port {east | west} interface interface east - Connects to next ring node to the east. west - Connects to next ring node to the west. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 38 | ERPS Commands rpl owner This command configures a ring node to be the Ring Protection Link (RPL) owner or a non-owner. SYNTAX [no] rpl owner DEFAULT SETTING non-owner COMMAND MODE ERPS Configuration COMMAND USAGE ◆ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring).
CHAPTER 38 | ERPS Commands EXAMPLE Console(config-erps)#wtr-timer 10 Console(config-erps)# clear erps statistics This command clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health protocol messages. SYNTAX clear erps statistics [domain ring-name] ring-name - Name of a specific ERPS ring.
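The commands above (rpl owner, guard-timer, wtr-timer) describe a ring in which exactly one link is blocked at any time: the RPL in Idle state, the failed link in Protection state, and the repaired link until the WTR timer expires. The following model is an added example, not code from the switch firmware. It assumes a constructed four-node ring A-B-C-D-A with node D as RPL owner and D-A as the RPL, and it counts the guard and WTR timers in abstract ticks rather than milliseconds. After every event it checks the property a network engineer actually cares about: the forwarding topology is connected and contains no loop.

```python
"""Ring Protection model for ERPS: at every moment exactly one ring link is
blocked, so the ring stays loop-free yet fully connected.

Added example, not switch firmware. Constructed assumptions: a four-node ring
A-B-C-D-A, node D is the RPL owner, the RPL is the D-A link, and the guard and
WTR timers count abstract ticks instead of milliseconds.
"""

NODES = ["A", "B", "C", "D"]


def norm(link):
    """Links are undirected: store each one as a sorted node pair."""
    return tuple(sorted(link))


RING_LINKS = [norm(l) for l in (("A", "B"), ("B", "C"), ("C", "D"), ("D", "A"))]
RPL = norm(("D", "A"))      # link the RPL owner (node D) keeps blocked in Idle state


class Ring:
    def __init__(self, wtr_ticks=3, guard_ticks=2):
        self.state = "Idle"
        self.failed = set()      # links currently reporting Signal Fail
        self.blocked = {RPL}     # Idle: only the RPL is blocked
        self.wtr = None          # ticks left on the RPL owner's wait-to-restore timer
        self.guard = {}          # node -> ticks during which it ignores received R-APS
        self.wtr_ticks, self.guard_ticks = wtr_ticks, guard_ticks

    def link_fail(self, link):
        """Adjacent nodes block the failed link; R-APS(SF) reaches the RPL owner."""
        link = norm(link)
        self.failed.add(link)
        self.blocked.add(link)
        if RPL not in self.failed:   # owner unblocks the RPL unless the RPL itself failed
            self.blocked.discard(RPL)
        self.wtr = None              # a new SF cancels any pending restoration
        self.state = "Protection"

    def link_recover(self, link):
        """Repaired link stays blocked; its nodes start the guard timer and send R-APS(NR)."""
        link = norm(link)
        self.failed.discard(link)
        for node in link:
            self.guard[node] = self.guard_ticks
        if not self.failed:          # all faults cleared: owner runs WTR before re-blocking RPL
            self.state = "Pending"
            self.wtr = self.wtr_ticks

    def receive_raps(self, node, request):
        """Guard-timer side effect: R-APS received during the guard period is dropped."""
        if node in self.guard:
            return "ignored (guard timer)"
        return "processed " + request

    def tick(self):
        for node in list(self.guard):
            self.guard[node] -= 1
            if self.guard[node] <= 0:
                del self.guard[node]
        if self.wtr is not None:
            self.wtr -= 1
            if self.wtr <= 0:        # WTR expiry: owner blocks RPL, sends NR,RB, others unblock
                self.wtr = None
                self.blocked = {RPL}
                self.state = "Idle"


def forwarding_check(ring):
    """Return (connected, loop_free) for the links that currently forward traffic."""
    active = [l for l in RING_LINKS if l not in ring.blocked]
    adj = {n: set() for n in NODES}
    for a, b in active:
        adj[a].add(b)
        adj[b].add(a)
    seen, stack = {NODES[0]}, [NODES[0]]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    # a ring of N nodes forms a loop only when all N links forward at once
    return len(seen) == len(NODES), len(active) < len(NODES)


def run_scenario():
    """Fail and repair B-C; record state, blocked links and the forwarding check."""
    ring = Ring(wtr_ticks=3, guard_ticks=2)
    log = []

    def snap(event):
        connected, loop_free = forwarding_check(ring)
        log.append((event, ring.state, sorted(ring.blocked), connected, loop_free))

    snap("idle")
    ring.link_fail(("B", "C"))
    snap("fail B-C")
    ring.link_recover(("B", "C"))
    snap("recover B-C")
    # a delayed R-APS(SF) reaching B during its guard period must not re-trigger protection
    log.append(("stale SF at B", ring.receive_raps("B", "SF"), None, None, None))
    for i in range(3):
        ring.tick()
        snap("tick %d" % (i + 1))
    return log
```

Run run_scenario() and print each entry to follow the ring through Idle, Protection, Pending and back to Idle. The check passes at every step only because a single RPL owner exists; configuring rpl owner on two nodes, or failing to configure it on any node, breaks the invariant the model verifies.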
CHAPTER 38 | ERPS Commands
Table 116: show erps - summary display description
Field - Description
ERPS Status - Shows whether ERPS is enabled on the switch.
Number of ERPS Domains - Shows the number of ERPS rings configured on the switch.
Domain - Displays the name of each ring followed by a brief list of status information.
State - Shows the following ERPS states: Init – The ERPS ring has started but has not yet determined the status of the ring.
CHAPTER 38 | ERPS Commands Table 117: show erps domain - detailed display description (Continued) Field Description Node ID A MAC address unique to this ring node. Node State See Table 116. West Port Shows the west ring port for this node, and the interface state: Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
CHAPTER 38 | ERPS Commands Table 118: show erps statistics - display description Field Description Interface Shows the west (W) and east (E) ring ports for this node. Local SF Local Signal Failure events that have occurred on this ring port. Local Clear SF Local Clear Signal Failure events that have occurred on this ring port. SF R-APS SF – Signal Failure messages generated on this ring port.
39 VLAN COMMANDS A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
CHAPTER 39 | VLAN Commands GVRP and Bridge Extension Commands GVRP AND BRIDGE EXTENSION COMMANDS GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
CHAPTER 39 | VLAN Commands GVRP and Bridge Extension Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. SYNTAX garp timer {join | leave | leaveall} timer-value no garp timer {join | leave | leaveall} {join | leave | leaveall} - Timer to set. timer-value - Value of timer.
CHAPTER 39 | VLAN Commands GVRP and Bridge Extension Commands switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. SYNTAX switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan add vlan-list - List of VLAN identifiers to add. remove vlan-list - List of VLAN identifiers to remove. vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
CHAPTER 39 | VLAN Commands GVRP and Bridge Extension Commands COMMAND USAGE GVRP cannot be enabled for ports set to Access mode using the switchport mode command. EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext This command shows the configuration for bridge extension commands.
CHAPTER 39 | VLAN Commands GVRP and Bridge Extension Commands COMMAND MODE Normal Exec, Privileged Exec EXAMPLE
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
 Join Timer : 20 centiseconds
 Leave Timer : 60 centiseconds
 Leave All Timer : 1000 centiseconds
Console#
RELATED COMMANDS garp timer (1109) show gvrp configuration This command shows if GVRP is enabled. SYNTAX show gvrp configuration [interface] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CHAPTER 39 | VLAN Commands Editing VLAN Groups EDITING VLAN GROUPS
Table 121: Commands for Editing VLAN Groups
Command - Function - Mode
vlan database - Enters VLAN database mode to add, change, and delete VLANs - GC
vlan - Configures a VLAN, including VID, name and state - VC
vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately.
CHAPTER 39 | VLAN Commands Editing VLAN Groups vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. SYNTAX vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan] no vlan vlan-id [name | state] vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4093) name - Keyword to be followed by the VLAN name.
CHAPTER 39 | VLAN Commands Configuring VLAN Interfaces EXAMPLE The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
CHAPTER 39 | VLAN Commands Configuring VLAN Interfaces COMMAND USAGE ◆ Creating a “normal” VLAN with the vlan command initializes it as a Layer 2 interface. To change it to a Layer 3 interface, use the interface command to enter interface configuration for the desired VLAN, enter any Layer 3 configuration commands, and save the configuration settings. ◆ To change a Layer 3 normal VLAN back to a Layer 2 VLAN, use the no interface command.
CHAPTER 39 | VLAN Commands Configuring VLAN Interfaces EXAMPLE The following example shows how to restrict the traffic received on port 1 to tagged frames:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport acceptable-frame-types tagged
Console(config-if)#
RELATED COMMANDS switchport mode (1119) switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default.
CHAPTER 39 | VLAN Commands Configuring VLAN Interfaces ◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
CHAPTER 39 | VLAN Commands Configuring VLAN Interfaces switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. SYNTAX switchport mode {access | hybrid | trunk | private-vlan} no switchport mode access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only. hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
CHAPTER 39 | VLAN Commands Configuring VLAN Interfaces switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. SYNTAX switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port.
CHAPTER 39 | VLAN Commands Configuring VLAN Interfaces The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E. Figure 484: Configuring VLAN Trunking Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags.
CHAPTER 39 | VLAN Commands Displaying VLAN Information DISPLAYING VLAN INFORMATION This section describes commands used to display VLAN information.
Table 123: Commands for Displaying VLAN Information
Command - Function - Mode
show interfaces status vlan - Displays status for the specified VLAN interface - NE, PE
show interfaces switchport - Displays the administrative and operational status of an interface - NE, PE
show vlan - Shows VLAN information - NE, PE
show vlan This command shows VLAN information.
CHAPTER 39 | VLAN Commands Configuring IEEE 802.1Q Tunneling
Console#
CONFIGURING IEEE 802.1Q TUNNELING IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
CHAPTER 39 | VLAN Commands Configuring IEEE 802.1Q Tunneling 7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode). 8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan). Limitations for QinQ ◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
CHAPTER 39 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. SYNTAX switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode access – Sets the port as an 802.1Q tunnel access port. uplink – Sets the port as an 802.1Q tunnel uplink port.
CHAPTER 39 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport dot1q-tunnel service match cvid This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry. SYNTAX switchport dot1q-tunnel service svid match cvid cvid [remove-ctag] svid - VLAN ID for the outer VLAN tag (Service Provider VID). (Range: 1-4093, no leading zeroes) cvid - VLAN ID for the inner VLAN tag (Customer VID).
CHAPTER 39 | VLAN Commands Configuring IEEE 802.1Q Tunneling EXAMPLE This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#
The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.
CHAPTER 39 | VLAN Commands Configuring IEEE 802.1Q Tunneling 7. Verify configuration settings.
Console#show dot1q-tunnel service
802.1Q Tunnel Service Subscriptions
Port      Match C-VID  S-VID
--------  -----------  -----
Eth 1/ 1  10           100
Eth 1/ 1  20           200
Eth 1/ 1  30           300
Step 2. Configure Switch C.
1. Create VLAN 100, 200 and 300.
Console(config)#vlan database
Console(config-vlan)#vlan 100,200,300 media ethernet state active
2. Configure port 1 and port 2 as tagged members of VLAN 100, 200 and 300.
CHAPTER 39 | VLAN Commands Configuring IEEE 802.1Q Tunneling ◆ The specified ethertype only applies to ports configured in Uplink mode using the switchport dot1q-tunnel mode command. If the port is in normal mode, the TPID is always 8100. If the port is in Access mode, received packets are processed as untagged packets.
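The tunnel access port pushes an outer S-tag chosen by the customer VID (switchport dot1q-tunnel service), the remote tunnel port pops it again, and the TPID written into that outer tag is whatever the uplink's ethertype is set to. The following frame-level model is an added example, not code from the switch; it assumes a constructed customer frame, the C-VID to S-VID table from the Switch A/B example above, and that an unmapped C-VID falls back to a caller-supplied default (standing in for the access port's PVID). The last function shows the interoperability failure when the provider core expects 8100 but the uplink tags with 88A8: the core sees an untagged frame with an unknown ethertype.

```python
"""802.1Q / QinQ tag handling for a dot1q-tunnel access and uplink port.

Added example, not switch firmware. Constructed inputs: a customer frame with
C-VID 10, the C-VID -> S-VID service table from the Switch A/B example, and
two candidate uplink TPIDs (0x8100 and 0x88A8).
"""
import struct

TPID_8100 = 0x8100
TPID_88A8 = 0x88A8
SERVICE_MAP = {10: 100, 20: 200, 30: 300}   # switchport dot1q-tunnel service <svid> match cvid <cvid>


def build_frame(dst, src, tags, ethertype, payload):
    """tags: list of (tpid, pcp, vid), outermost first."""
    hdr = dst + src
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame, known_tpids=(TPID_8100, TPID_88A8)):
    """Return ([(tpid, pcp, vid), ...], inner_ethertype, payload) as a device
    that recognises only known_tpids would see the frame."""
    off, tags = 12, []
    while True:
        et = struct.unpack_from("!H", frame, off)[0]
        if et not in known_tpids:
            return tags, et, frame[off + 2:]
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((et, tci >> 13, tci & 0x0FFF))
        off += 4


def tunnel_access_ingress(frame, uplink_tpid=TPID_88A8, default_svid=None, remove_ctag=False):
    """Push the S-tag selected by the customer VID; the C-tag is kept unless
    remove-ctag was configured. default_svid stands in for the access port's
    PVID (assumed behaviour for unmapped or untagged customer frames)."""
    tags, _, _ = parse_tags(frame, known_tpids=(TPID_8100,))
    if tags:
        _, pcp, cvid = tags[0]
    else:
        pcp, cvid = 0, None
    svid = SERVICE_MAP.get(cvid, default_svid)
    if svid is None:
        raise ValueError("no service VLAN for C-VID %r" % (cvid,))
    rest = frame[16:] if (remove_ctag and tags) else frame[12:]
    return frame[:12] + struct.pack("!HH", uplink_tpid, (pcp << 13) | svid) + rest


def tunnel_uplink_egress(frame, uplink_tpid=TPID_88A8):
    """Pop the outer S-tag at the far tunnel port and hand back the customer's frame."""
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid != uplink_tpid:
        raise ValueError("outer TPID 0x%04X does not match uplink TPID 0x%04X" % (tpid, uplink_tpid))
    return frame[:12] + frame[16:]


def core_view(frame, core_tpid=TPID_8100):
    """How a provider core switch that only understands core_tpid classifies the frame."""
    tags, et, _ = parse_tags(frame, known_tpids=(core_tpid,))
    if not tags:
        return "untagged, ethertype 0x%04X: would be placed in the uplink PVID" % et
    return "tagged, S-VID %d" % tags[0][2]
```

With uplink_tpid=TPID_8100 the core_view result is the expected S-VID; with the default 0x88A8 it is not, which is the case the bullet above describes and the reason the uplink ethertype must match the provider network.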
CHAPTER 39 | VLAN Commands Configuring Port-based Traffic Segmentation Console#show dot1q-tunnel service 100 802.
CHAPTER 39 | VLAN Commands Configuring Port-based Traffic Segmentation COMMAND MODE Global Configuration COMMAND USAGE ◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s). Data cannot pass between downlink ports in the same segmented group, nor to ports which do not belong to the same group.
CHAPTER 39 | VLAN Commands Configuring Port-based Traffic Segmentation traffic-segmentation session This command creates a traffic-segmentation client session. Use the no form to remove a client session. SYNTAX [no] traffic-segmentation session session-id session-id – Traffic segmentation session. (Range: 1-4) DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE ◆ Use this command to create a new traffic-segmentation client session.
CHAPTER 39 | VLAN Commands Configuring Port-based Traffic Segmentation COMMAND MODE Global Configuration COMMAND USAGE ◆ A port cannot be configured in both an uplink and downlink list. ◆ A port can only be assigned to one traffic-segmentation session. ◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
CHAPTER 39 | VLAN Commands Configuring Private VLANs EXAMPLE This example enables forwarding of traffic between uplink ports assigned to different client sessions.
Console(config)#traffic-segmentation uplink-to-uplink forwarding
Console(config)#
show traffic-segmentation This command displays the configured traffic segments.
CHAPTER 39 | VLAN Commands Configuring Private VLANs
Table 127: Private VLAN Commands
Command - Function - Mode
Edit Private VLAN Groups
private-vlan - Adds or deletes primary or community VLANs - VC
private vlan association - Associates a community VLAN with a primary VLAN - VC
Configure Private VLAN Interfaces
switchport mode private-vlan - Sets an interface to host mode or promiscuous mode - IC
switchport private-vlan host-association - Associates an interface with a secondary VLAN - IC
switchport private-v
CHAPTER 39 | VLAN Commands Configuring Private VLANs private-vlan Use this command to create a primary or community private VLAN. Use the no form to remove the specified private VLAN. SYNTAX private-vlan vlan-id {community | primary} no private-vlan vlan-id vlan-id - ID of private VLAN. (Range: 1-4093). community - A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associated primary VLAN.
CHAPTER 39 | VLAN Commands Configuring Private VLANs private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. SYNTAX private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association primary-vlan-id - ID of primary VLAN. (Range: 1-4093). secondary-vlan-id - ID of secondary (i.
CHAPTER 39 | VLAN Commands Configuring Private VLANs COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command.
CHAPTER 39 | VLAN Commands Configuring Private VLANs switchport private-vlan mapping Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. SYNTAX switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4093).
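Traffic segmentation (the traffic-segmentation commands earlier in this chapter) and private VLANs (the commands in this section) both implement port isolation, and the value of either is only as good as the rule set that decides which port pairs may exchange frames. The following policy evaluator is an added example, not the switch's forwarding logic. Its tables are constructed to mirror this chapter's examples: two segmentation sessions, and primary VLAN 5 with community VLAN 6 and promiscuous port Eth1/3 (a second community, VLAN 7, is added to show cross-community isolation). It also assumes that two uplink ports of the same session may forward to each other, which the page does not state. The reachability helper produces the allowed-pairs set an auditor can compare against the intended design.

```python
"""Forwarding-permission checks for two port-isolation features: traffic
segmentation sessions and private VLANs.

Added example, not the switch's forwarding logic. Tables are constructed to
mirror this chapter's examples; uplink-to-uplink forwarding inside one
segmentation session is assumed to be permitted.
"""

SEGMENTATION = {   # session-id -> uplink and downlink port sets
    1: {"uplink": {"Eth1/10"}, "downlink": {"Eth1/11", "Eth1/12"}},
    2: {"uplink": {"Eth1/13"}, "downlink": {"Eth1/14"}},
}

PRIVATE_VLAN = {   # primary VLAN 5, promiscuous Eth1/3, community VLANs 6 and 7
    "primary": 5,
    "promiscuous": {"Eth1/3"},
    "community": {6: {"Eth1/4", "Eth1/5"}, 7: {"Eth1/6"}},
}


def segmentation_role(port, sessions=SEGMENTATION):
    for sid, s in sessions.items():
        if port in s["uplink"]:
            return sid, "uplink"
        if port in s["downlink"]:
            return sid, "downlink"
    return None, None


def seg_allowed(src, dst, sessions=SEGMENTATION, uplink_to_uplink=False):
    """May a frame received on src be forwarded to dst under traffic segmentation?"""
    s_sid, s_role = segmentation_role(src, sessions)
    d_sid, d_role = segmentation_role(dst, sessions)
    if s_sid is None and d_sid is None:
        return True                                    # neither port is segmented
    if s_sid is None or d_sid is None:
        return False                                   # segmented ports stay inside their group
    if s_sid == d_sid:
        return not (s_role == d_role == "downlink")    # downlink <-> uplink only, never downlink <-> downlink
    # different sessions: only uplink <-> uplink, and only with uplink-to-uplink forwarding enabled
    return uplink_to_uplink and s_role == d_role == "uplink"


def pvlan_role(port, cfg=PRIVATE_VLAN):
    if port in cfg["promiscuous"]:
        return "promiscuous", cfg["primary"]
    for vid, members in cfg["community"].items():
        if port in members:
            return "host", vid
    return None, None


def pvlan_allowed(src, dst, cfg=PRIVATE_VLAN):
    """May src talk to dst inside the private VLAN?"""
    s_role, s_vid = pvlan_role(src, cfg)
    d_role, d_vid = pvlan_role(dst, cfg)
    if s_role is None or d_role is None:
        return False                                   # not a member of this private VLAN
    if "promiscuous" in (s_role, d_role):
        return True                                    # promiscuous ports reach every member
    return s_vid == d_vid                              # hosts only reach their own community


def reachability(ports, allowed):
    """Audit helper: the set of ordered (src, dst) pairs the policy permits."""
    return {(a, b) for a in ports for b in ports if a != b and allowed(a, b)}
```

reachability(ports, pvlan_allowed) or reachability(ports, seg_allowed) over the full port list gives a matrix to diff against the intended segmentation; any unexpected pair is a lateral-movement path.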
CHAPTER 39 | VLAN Commands Configuring Protocol-based VLANs EXAMPLE
Console#show vlan private-vlan
Primary  Secondary  Type       Interfaces
-------  ---------  ---------  ------------------------------
5                   primary    Eth1/ 3
5        6          community  Eth1/ 4 Eth1/ 5
Console#
CONFIGURING PROTOCOL-BASED VLANS The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
CHAPTER 39 | VLAN Commands Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. SYNTAX protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol] no protocol-vlan protocol-group group-id group-id - Group identifier of this protocol group. (Range: 1-2147483647) frame - Frame type used by this protocol.
CHAPTER 39 | VLAN Commands Configuring Protocol-based VLANs COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
CHAPTER 39 | VLAN Commands Configuring Protocol-based VLANs EXAMPLE This shows protocol group 1 configured for IP over Ethernet:
Console#show protocol-vlan protocol-group
Protocol Group ID  Frame Type  Protocol Type
-----------------  ----------  -------------
1                  ethernet    08 00
Console#
show interfaces protocol-vlan This command shows the mapping from protocol groups to VLANs for the selected interfaces.
CHAPTER 39 | VLAN Commands Configuring IP Subnet VLANs CONFIGURING IP SUBNET VLANS When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table.
CHAPTER 39 | VLAN Commands Configuring IP Subnet VLANs is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame. ◆ The IP subnet cannot be a broadcast or multicast IP address. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. EXAMPLE The following example assigns traffic for the subnet 192.168.12.192, mask 255.
CHAPTER 39 | VLAN Commands Configuring MAC Based VLANs CONFIGURING MAC BASED VLANS When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table.
CHAPTER 39 | VLAN Commands Configuring Voice VLANs ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. EXAMPLE The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
Console(config)#mac-vlan mac-address 00-00-00-11-22-33 vlan 10
Console(config)#
show mac-vlan This command displays MAC address-to-VLAN assignments.
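The three preceding sections each end with the same precedence statement: an untagged frame is classified by its source MAC first, then by its source IP subnet, then by the protocol group bound to the port, and only then by the port's PVID. The classifier below is an added example, not switch firmware, that applies those rules in that order to constructed frames. Its tables come from this chapter's command examples; the VLAN IDs for the subnet mapping (4) and for protocol group 1 on port 1 (20) are assumed, because the page does not state them, as is the fact that the IPv4 header checksum in the constructed frames is left at zero. The first test case is the point a security reviewer should note: because the MAC rule wins and is evaluated regardless of ingress port, any host that spoofs a mapped source MAC is placed in that VLAN.

```python
"""Order in which an untagged frame is classified into a VLAN: MAC-based,
then IP subnet-based, then protocol-based, and the port PVID last.

Added example, not switch firmware. Tables are constructed from this
chapter's examples; VLAN 4 (subnet rule) and VLAN 20 (protocol group 1 on
port 1) are assumed values. Frames are constructed; IPv4 checksums are zero.
"""
import ipaddress
import struct

MAC_VLAN = {"00-00-00-11-22-33": 10}                        # mac-vlan mac-address ... vlan 10
SUBNET_VLAN = [(ipaddress.ip_network("192.168.12.192/26"), 4)]
PROTOCOL_GROUPS = {1: ("ethernet", 0x0800)}                  # protocol group 1 = IP over Ethernet
PORT_PROTOCOL_VLAN = {"Eth1/1": {1: 20}}                    # group 1 mapped to VLAN 20 on port 1
PVID = {"Eth1/1": 1, "Eth1/2": 1}
TPID_8100 = 0x8100


def mac_str(raw):
    return "-".join("%02X" % b for b in raw)


def classify(port, frame):
    """Return (rule, vid) chosen for the ingress frame on the given port."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == TPID_8100:
        # tagged frames keep their VID; the rules below apply to untagged frames only
        return ("tag", struct.unpack_from("!H", frame, 14)[0] & 0x0FFF)
    src_mac = mac_str(frame[6:12])
    if src_mac in MAC_VLAN:                                  # 1. MAC-based
        return ("mac", MAC_VLAN[src_mac])
    if ethertype == 0x0800 and len(frame) >= 14 + 20:        # 2. IP subnet-based
        src_ip = ipaddress.ip_address(frame[14 + 12:14 + 16])
        for net, vid in SUBNET_VLAN:
            if src_ip in net:
                return ("subnet", vid)
    for gid, (frame_type, proto) in PROTOCOL_GROUPS.items():  # 3. protocol-based, per port
        if frame_type == "ethernet" and ethertype == proto and gid in PORT_PROTOCOL_VLAN.get(port, {}):
            return ("protocol", PORT_PROTOCOL_VLAN[port][gid])
    return ("pvid", PVID[port])                               # 4. port-based


def _eth_header(src_mac, vid=None):
    hdr = bytes.fromhex("ffffffffffff") + bytes(int(x, 16) for x in src_mac.split("-"))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8100, vid)
    return hdr


def ipv4_frame(src_mac, src_ip, dst_ip="10.0.0.254", vid=None):
    """Constructed Ethernet/IPv4 frame; header checksum left at zero (not needed here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return _eth_header(src_mac, vid) + struct.pack("!H", 0x0800) + ip


def arp_frame(src_mac):
    """Constructed Ethernet/ARP frame (body zeroed) to show a protocol with no group."""
    return _eth_header(src_mac) + struct.pack("!H", 0x0806) + bytes(28)
```

Because MAC-based and subnet-based rules are evaluated before the port is considered, neither is a substitute for 802.1X or port security when the goal is to keep an untrusted host out of a VLAN.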
CHAPTER 39 | VLAN Commands Configuring Voice VLANs
Table 131: Voice VLAN Commands (Continued)
Command - Function - Mode
switchport voice vlan rule - Sets the automatic VoIP traffic detection method for ports - IC
switchport voice vlan security - Enables Voice VLAN security on ports - IC
show voice vlan - Displays Voice VLAN settings - PE
voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
CHAPTER 39 | VLAN Commands Configuring Voice VLANs voice vlan aging This command sets the Voice VLAN membership time-out. Use the no form to restore the default. SYNTAX voice vlan aging minutes no voice vlan aging minutes - Specifies the port Voice VLAN membership time-out. (Range: 5-43200 minutes) DEFAULT SETTING 1440 minutes COMMAND MODE Global Configuration COMMAND USAGE The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.
CHAPTER 39 | VLAN Commands Configuring Voice VLANs description - User-defined text that identifies the VoIP devices. (Range: 1-32 characters) DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE ◆ VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
CHAPTER 39 | VLAN Commands Configuring Voice VLANs COMMAND USAGE When auto is selected, you must select the method to use for detecting VoIP traffic, either OUI or 802.1AB (LLDP), using the switchport voice vlan rule command. When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac-address command. EXAMPLE The following example sets port 1 to Voice VLAN auto mode.
CHAPTER 39 | VLAN Commands Configuring Voice VLANs switchport voice This command selects a method for detecting VoIP traffic on a port. Use vlan rule the no form to disable the detection method on the port. SYNTAX [no] switchport voice vlan rule {oui | lldp} oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address. lldp - Uses LLDP to discover VoIP devices attached to the port.
CHAPTER 39 | VLAN Commands Configuring Voice VLANs COMMAND USAGE ◆ Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch. Packets received from non-VoIP sources are dropped.
CHAPTER 39 | VLAN Commands Configuring Voice VLANs
Eth 1/10  Disabled  Disabled  OUI  6  NA
Console#show voice vlan oui
OUI Address        Mask               Description
-----------------  -----------------  ------------------------------
00-12-34-56-78-9A  FF-FF-FF-00-00-00  old phones
00-11-22-33-44-55  FF-FF-FF-00-00-00  new phones
00-98-76-54-32-10  FF-FF-FF-FF-FF-FF  Chris' phone
Console#
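The voice VLAN commands in this section fit together as a small state machine per port: a source MAC matching an entry in the Telephony OUI list (address AND mask) makes the port a voice VLAN member, the security filter drops frames that carry the voice VLAN tag but come from a non-VoIP source, and the aging timer removes the port once no VoIP traffic has been seen for the configured time. The model below is an added example, not switch firmware. It uses the OUI table from the show voice vlan oui output above, and assumes a constructed voice VLAN ID, a 5-minute aging time and a constructed frame timeline. The last frame in the timeline shows the limit of OUI-based detection: a PC that sets its MAC to a listed OUI passes the security filter and also refreshes the port's membership.

```python
"""Voice VLAN port membership driven by OUI matching, with aging and security
filtering, following the voice vlan, voice vlan mac-address, voice vlan aging
and switchport voice vlan security descriptions.

Added example, not switch firmware. The OUI table is the one displayed by
show voice vlan oui; the voice VLAN ID (1234), the 5-minute aging time and
the frame timeline are constructed.
"""

OUI_TABLE = [  # (OUI address, mask, description), as listed by show voice vlan oui
    ("00-12-34-56-78-9A", "FF-FF-FF-00-00-00", "old phones"),
    ("00-11-22-33-44-55", "FF-FF-FF-00-00-00", "new phones"),
    ("00-98-76-54-32-10", "FF-FF-FF-FF-FF-FF", "Chris' phone"),   # full mask: one exact MAC
]
VOICE_VID = 1234            # assumed voice VLAN ID


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split("-"))


def match_oui(src_mac, table=OUI_TABLE):
    """Description of the first entry where (mac & mask) == (oui & mask), else None."""
    mac = mac_bytes(src_mac)
    for oui, mask, description in table:
        o, m = mac_bytes(oui), mac_bytes(mask)
        if all(a & k == b & k for a, b, k in zip(mac, o, m)):
            return description
    return None


class VoicePort:
    """One port in switchport voice vlan auto mode with rule OUI."""

    def __init__(self, aging_minutes=5, security=True):
        self.aging = aging_minutes
        self.security = security
        self.member = False      # whether the port is currently a voice VLAN member
        self.last_voip = None    # minute at which VoIP traffic was last seen

    def ingress(self, minute, src_mac, tagged_vid=None):
        """Handle one frame: returns 'forward' or 'drop' and refreshes membership."""
        is_voip = match_oui(src_mac) is not None
        if is_voip:
            self.member, self.last_voip = True, minute
        if self.security and tagged_vid == VOICE_VID and not is_voip:
            return "drop"        # security filter: non-VoIP source using the voice VLAN tag
        return "forward"

    def age(self, minute):
        """Leave the voice VLAN once no VoIP traffic was seen for the aging time."""
        if self.member and minute - self.last_voip >= self.aging:
            self.member = False
        return self.member


def timeline():
    """Constructed frame sequence on one port; returns (decisions, membership trace)."""
    port = VoicePort(aging_minutes=5)
    decisions = [
        port.ingress(0, "00-12-34-AA-BB-CC", VOICE_VID),   # old-phone OUI: accepted, port joins
        port.ingress(1, "00-98-76-54-32-11", VOICE_VID),   # one bit off the exact entry: dropped
        port.ingress(2, "3C-97-0E-00-00-01"),              # untagged PC traffic: unaffected
        port.ingress(2, "3C-97-0E-00-00-01", VOICE_VID),   # PC tagging itself into the voice VLAN
        port.ingress(3, "00-11-22-00-00-01", VOICE_VID),   # a spoofed listed OUI passes the filter
    ]
    trace = [port.age(m) for m in (4, 7, 8)]               # still member at 4 and 7, aged out at 8
    return decisions, trace
```

The lldp rule is the better choice where the phones support it, and the security filter should be paired with 802.1X or port security where a spoofed OUI is a realistic threat.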
40 CLASS OF SERVICE COMMANDS The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 2) queue cos-map This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 7). Use the no form to set the CoS map to the default values. SYNTAX queue cos-map queue_id [cos1 ... cosn] no queue cos-map queue_id - The ID of the priority queue. Ranges are 0 to 7, where 7 is the highest priority queue. cos1 ... cosn - The CoS values that are mapped to the queue ID.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 2) RELATED COMMANDS show queue cos-map (1160) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 2) ◆ A weight can be assigned to each of the weighted queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 2) EXAMPLE The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#interface ethernet 1/1
Console(config-if)#queue weight 1 2 3 4 5 6 7 8
Console(config-if)#
RELATED COMMANDS queue mode (1157) show queue weight (1161) switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 2) EXAMPLE The following example shows how to set a default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
RELATED COMMANDS show interfaces switchport (1011) show queue cos-map This command shows the class of service priority map. SYNTAX show queue cos-map [interface] ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 2) COMMAND MODE Privileged Exec EXAMPLE
Console#show queue mode ethernet 1/1
Unit  Port  queue mode
----  ----  --------------------
1     1     Weighted Round Robin
Console#
show queue weight This command displays the weights used for the weighted queues. SYNTAX show queue weight [interface] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 3 and 4) PRIORITY COMMANDS (LAYER 3 AND 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 3 and 4) map ip port (Global Configuration) This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. SYNTAX [no] map ip port DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE The precedence for priority mapping is IP Port first, then IP Precedence or IP DSCP, and finally the default switchport priority.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 3 and 4) EXAMPLE The following example shows how to enable IP precedence mapping globally:
Console(config)#map ip precedence
Console(config)#
map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table. SYNTAX map ip dscp dscp-value cos cos-value no map ip dscp dscp-value - 6-bit DSCP value.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 3 and 4) EXAMPLE The following example shows how to map IP DSCP value 1 to CoS value 0:
Console(config)#interface ethernet 1/5
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#
map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 3 and 4) map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. SYNTAX map ip precedence precedence-value cos cos-value no map ip precedence precedence-value - 3-bit precedence value. (Range: 0-7) cos-value - Class-of-Service value (Range: 0-7) DEFAULT SETTING The list below shows the default priority mapping.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 3 and 4) show map ip dscp This command shows the IP DSCP priority map. SYNTAX show map ip dscp [interface] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
CHAPTER 40 | Class of Service Commands Priority Commands (Layer 3 and 4) EXAMPLE The following shows that HTTP traffic has been mapped to CoS value 0:
Console#show map ip port
TCP port mapping status: disabled
Port      IP Port  CoS
--------  -------  ---
Eth 1/ 5  80       0
Console#
show map ip precedence This command shows the IP precedence priority map. SYNTAX show map ip precedence [interface] interface ethernet unit/port unit - Stack unit. (Range: 1-8) port - Port number.
41 QUALITY OF SERVICE COMMANDS The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
CHAPTER 41 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. 2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, IPv6 DSCP value, or a VLAN. 3.
CHAPTER 41 | Quality of Service Commands COMMAND USAGE ◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map. ◆ One or more class maps can be assigned to a policy map (page 1173). The policy map is then bound by a service policy to an interface (page 1182). A service policy defines packet classification, service tagging, and bandwidth policing.
CHAPTER 41 | Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. SYNTAX [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan} acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters) dscp - A Differentiated Service Code Point value.
CHAPTER 41 | Quality of Service Commands This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
CHAPTER 41 | Quality of Service Commands COMMAND USAGE ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. ◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command. ◆ Create a Class Map (page 1173) before assigning it to a Policy Map.
CHAPTER 41 | Quality of Service Commands ◆ Up to 16 classes can be included in a policy map. EXAMPLE This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4,000 bytes, and configure the response to drop any violating packets.
CHAPTER 41 | Quality of Service Commands ◆ Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate at which tokens are added to the bucket is specified by the committed-rate option. Note that the token bucket functions similarly to that described in RFC 2697 and RFC 2698.
committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 1-1000000 kbps or maximum port speed, whichever is lower)
committed-burst - Committed burst size (BC) in bytes. (Range: 64-524288)
excess-burst - Excess burst size (BE) in bytes. (Range: 64-524288)
exceed-action - Action to take when the rate exceeds the CIR and BC but is within the BE. (There are enough tokens in bucket BE to service the packet; the packet is marked yellow.
The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:
■ If Tc is less than BC, Tc is incremented by one,
■ else if Te is less than BE, Te is incremented by one,
■ else neither Tc nor Te is incremented.
police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
SYNTAX
[no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
trtcm-color-blind - Two rate three color meter in color-blind mode.
Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes - Committed Burst Size (BC) and Peak Burst Size (BP).
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR. Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the CIR.
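The srTCM token update rule given under police flow (Tc and Te refilled CIR times per second, Tc first, then Te) and the trTCM coloring rule above (red above PIR, yellow above CIR, green otherwise) are modelled below as an added Python example. This is not the switch firmware and not code from the manual; the class names SrTCM and TrTCM, the police() helper, the "forward" action label and the sample packet sizes and timestamps are constructed for the example. Rates are in kbps and bursts in bytes, as in the command arguments, and only color-blind mode is modelled.

```python
"""Token-bucket meters behind the police commands (added example, not switch code).

Models the srTCM (RFC 2697) and trTCM (RFC 2698) meters in color-blind mode
using the manual's symbols: CIR/PIR in kbps, BC/BE/BP in bytes, token counts
Tc/Te/Tp. Class names, police() and the sample packets are constructed here.
"""
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


def _bytes_per_second(rate_kbps: int) -> float:
    # Tokens are bytes; the rate arguments are kilobits per second.
    return rate_kbps * 1000 / 8


@dataclass
class SrTCM:
    """Single rate three color meter: one rate (CIR), two buckets (BC, BE)."""
    cir_kbps: int
    bc: int
    be: int

    def __post_init__(self):
        self.tc, self.te = self.bc, self.be  # Tc(0) = BC, Te(0) = BE
        self.last = 0.0                      # time of the previous refill

    def _refill(self, now: float) -> None:
        # Batch form of the per-token rule: tokens go to Tc until it reaches BC,
        # then to Te until it reaches BE, then they are discarded.
        tokens = int((now - self.last) * _bytes_per_second(self.cir_kbps))
        self.last = now
        add_c = min(tokens, self.bc - self.tc)
        self.tc += add_c
        self.te = min(self.be, self.te + tokens - add_c)

    def meter(self, size: int, now: float) -> str:
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return GREEN        # within CIR/BC
        if self.te >= size:
            self.te -= size
            return YELLOW       # exceeds CIR/BC but within BE
        return RED              # exceeds BE


@dataclass
class TrTCM:
    """Two rate three color meter: committed (CIR, BC) and peak (PIR, BP) buckets."""
    cir_kbps: int
    bc: int
    pir_kbps: int
    bp: int

    def __post_init__(self):
        self.tc, self.tp = self.bc, self.bp  # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        dt = now - self.last
        self.last = now
        self.tc = min(self.bc, self.tc + int(dt * _bytes_per_second(self.cir_kbps)))
        self.tp = min(self.bp, self.tp + int(dt * _bytes_per_second(self.pir_kbps)))

    def meter(self, size: int, now: float) -> str:
        self._refill(now)
        if self.tp < size:
            return RED          # exceeds PIR
        if self.tc < size:
            self.tp -= size
            return YELLOW       # within PIR but exceeds CIR
        self.tp -= size
        self.tc -= size
        return GREEN


def police(meter, packets, exceed_action="drop", violate_action="drop"):
    """Apply the exceed-action / violate-action semantics of the police command.
    packets: list of (timestamp_seconds, size_bytes) in time order.
    Returns a list of (color, action)."""
    results = []
    for now, size in packets:
        assert now >= meter.last, "packets must be in time order"
        color = meter.meter(size, now)
        action = {GREEN: "forward", YELLOW: exceed_action, RED: violate_action}[color]
        results.append((color, action))
    return results


def srtcm_demo():
    # Constructed burst: five 1500-byte frames at t=0, one more 1 ms later.
    # CIR 100,000 kbps and BC 4000 bytes as in the police flow example; BE 4000 assumed.
    return police(SrTCM(100000, 4000, 4000),
                  [(0.0, 1500)] * 5 + [(0.001, 1500)], exceed_action="new-dscp")


def trtcm_demo():
    # CIR 100,000 kbps, BC 4000, PIR 1,000,000 kbps, BP 6000 (the trtcm-color-blind
    # example's values); seven constructed 1000-byte frames in a single burst.
    return police(TrTCM(100000, 4000, 1000000, 6000), [(0.0, 1000)] * 7)


if __name__ == "__main__":
    print(srtcm_demo())  # green, green, yellow, yellow, red, green
    print(trtcm_demo())  # 4 green, 2 yellow, 1 red
```

The srTCM burst shows the yellow band: once Tc is drained, frames are served from BE and get the exceed-action, and only when BE is also drained does the violate-action apply; 1 ms of idle time at 100,000 kbps refills both buckets. In the trTCM run the peak bucket, not the committed one, decides when red starts.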
EXAMPLE
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark any packets exceeding the committed bur
EXAMPLE
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
SYNTAX
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)
DEFAULT SETTING
Displays all class maps.
EXAMPLE
Console#show policy-map
Policy Map rd-policy
 Description:
 class rd-class
  set cos 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
 class rd-class
  set cos 3
Console#
show policy-map interface
This command displays the service policy assigned to the specified interface.
SYNTAX
show policy-map interface interface input
interface
 unit/port
  unit - Stack unit. (Range: 1-8)
  port - Port number.
42 MULTICAST FILTERING COMMANDS This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP SNOOPING
This section describes commands used to configure IGMP snooping on the switch.
Table 140: IGMP Snooping Commands (Continued)
Command | Function | Mode
ip igmp snooping vlan version | Configures the IGMP version for snooping | GC
ip igmp snooping vlan version-exclusive | Discards received IGMP messages which use a version different to that currently configured | GC
show ip igmp snooping | Shows the IGMP snooping, proxy, and query configuration | PE
show ip igmp snooping group | Shows known multicast group, source, and host port mappin
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no proxy-reporting form to restore the default setting.
SYNTAX
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4093)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
COMMAND USAGE
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
EXAMPLE
Console(config)#ip igmp snooping querier
Console(config)#
ip igmp snooping router-alert-option
This command discards any IGMPv2/v3 packets that do not include the Router Alert option.
ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.
SYNTAX
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a timeout mechanism is used to delete all of the currently learned multicast channels.
◆ When a new uplink port starts up, the switch sends unsolicited reports for all currently learned channels out through the new uplink port.
tree change occurred. When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query.
◆ The ip igmp snooping tcn query-solicit command can be used to send a query solicitation whenever the switch notices a topology change, even if the switch is not the root bridge in the spanning tree.
DEFAULT SETTING
400 seconds
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When a new upstream interface (that is, uplink port) starts up, the switch sends unsolicited reports for all currently learned multicast channels out through the new upstream interface.
◆ This command only applies when proxy reporting is enabled (see page 1188).
EXAMPLE
The following configures the global setting for IGMP snooping to version 1.
Console(config)#ip igmp snooping version 1
Console(config)#
ip igmp snooping version-exclusive
This command discards any received IGMP messages (except for multicast protocol packets) which use a version different from that currently configured by the ip igmp snooping version command. Use the no form to disable this feature.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received.
◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
EXAMPLE
The following shows how to enable immediate leave.
Console(config)#ip igmp snooping vlan 1 immediate-leave
Console(config)#
ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
DEFAULT SETTING
10 (1 second)
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer.
◆ Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the expiration of a periodic timer, as a part of a router's start up procedure, during the restart of a multicast forwarding interface, and on receipt of a solicitation message.
To resolve this problem, the source address in proxied IGMP query and report messages can be replaced with any valid unicast address (other than the router's own address) using this command.
Rules Used for Proxy Reporting
When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.
◆ This command applies when the switch is serving as the querier (page 1188), or as a proxy host when IGMP snooping proxy reporting is enabled (page 1188).
ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
SYNTAX
[no] ip igmp snooping vlan vlan-id static ip-address interface
vlan-id - VLAN ID (Range: 1-4093)
ip-address - IP address for multicast group
interface
 ethernet unit/port
  unit - Stack unit. (Range: 1-8)
  port - Port number.
COMMAND USAGE
This command displays global and VLAN-specific IGMP configuration settings. See "Configuring IGMP Snooping and Query Parameters" on page 515 for a description of the displayed items.
igmpsnp - Display only entries learned through IGMP snooping.
sort-by-port - Display entries sorted by port.
user - Display only the user-configured multicast entries.
vlan-id - VLAN ID (1-4093)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
Member types displayed include IGMP or USER, depending on selected options.
EXAMPLE
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
COMMAND MODE
Privileged Exec
EXAMPLE
The following shows IGMP protocol statistics input:
Console#show ip igmp snooping statistics input interface ethernet 1/1
Interface  Report  Leave  G Query  G(-S)-S Query  Drop  Join Succ  Group
---------  ------  -----  -------  -------------  ----  ---------  -----
Eth 1/ 1       23     11        4             10     5         14      5
Console#
Table 141: show ip igmp snooping statistics input - display description
Field | Description
Interface | Shows interface
The following shows IGMP query-related statistics for VLAN 1:
Console#show ip igmp snooping statistics query vlan 1
Querier IP Address : 192.168.1.
STATIC MULTICAST ROUTING
This section describes commands used to configure static multicast routing on the switch.
Table 144: Static Multicast Interface Commands
Command | Function | Mode
ip igmp snooping vlan mrouter | Adds a multicast router port | GC
show ip igmp snooping mrouter | Shows multicast router ports | PE
ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN.
EXAMPLE
The following shows how to configure port 11 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11
Console(config)#
show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
IGMP FILTERING AND THROTTLING
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
COMMAND USAGE
◆ IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, IGMP join reports received on the port are checked against the filter profile.
permit, deny
This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
SYNTAX
{permit | deny}
DEFAULT SETTING
Deny
COMMAND MODE
IGMP Profile Configuration
COMMAND USAGE
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
EXAMPLE
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#
ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
SYNTAX
[no] ip igmp filter profile-number
profile-number - An IGMP filter profile number.
DEFAULT SETTING
1024
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp max-groups action replace
Console(config-if)#
ip igmp query-drop
This command drops any received IGMP query packets. Use the no form to restore the default setting.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip multicast-data-drop
Console(config-if)#
show ip igmp filter
This command displays the global and interface settings for IGMP filtering.
SYNTAX
show ip igmp filter [interface interface]
interface
 ethernet unit/port
  unit - Stack unit. (Range: 1-8)
  port - Port number.
EXAMPLE
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
Console#show ip igmp profile 19
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.100
Console#
show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
SYNTAX
show ip igmp throttle interface [interface]
interface
 ethernet unit/port
  unit - Stack unit. (Range: 1-8)
  port - Port number.
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.
SYNTAX
show ip igmp throttle interface [interface]
interface
 ethernet unit/port
  unit - Stack unit. (Range: 1-8)
  port - Port number. (Range: 1-26)
 port-channel channel-id (Range: 1-32)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
Using this command without specifying an interface displays all interfaces.
COMMAND MODE
Privileged Exec
COMMAND USAGE
Using this command without specifying an interface displays all interfaces.
EXAMPLE
Console#show ip multicast-data-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#
MLD SNOOPING
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4.
Table 146: MLD Snooping Commands (Continued)
Command | Function | Mode
ipv6 mld snooping vlan mrouter | Adds an IPv6 multicast router port | GC
ipv6 mld snooping vlan static | Adds an interface as a member of a multicast group | GC
show ipv6 mld snooping | Displays MLD Snooping configuration | PE
show ipv6 mld snooping group | Displays the learned groups | PE
show ipv6 mld snooping group source-list | Displays the learned groups and corresponding source lis
COMMAND USAGE
◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
◆ An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address.
ipv6 mld snooping query-max-response-time
This command configures the maximum response time advertised in MLD general queries. Use the no form to restore the default.
SYNTAX
ipv6 mld snooping query-max-response-time seconds
no ipv6 mld snooping query-max-response-time
seconds - The maximum response time allowed for MLD general queries.
EXAMPLE
Console(config)#ipv6 mld snooping robustness 2
Console(config)#
ipv6 mld snooping router-port-expire-time
This command configures the MLD query timeout. Use the no form to restore the default.
SYNTAX
ipv6 mld snooping router-port-expire-time time
no ipv6 mld snooping router-port-expire-time
time - Specifies the timeout of a dynamically learned router port.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When set to “flood,” any received IPv6 multicast packets that have not been requested by a host are flooded to all ports in the VLAN.
◆ When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router.
 port-channel channel-id (Range: 1-32)
DEFAULT SETTING
No static multicast router ports are configured.
COMMAND MODE
Global Configuration
COMMAND USAGE
Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
EXAMPLE
Console(config)#ipv6 mld snooping vlan 1 static FF00:0:0:0:0:0:0:10C ethernet 1/6
Console(config)#
ipv6 mld snooping vlan immediate-leave
This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
EXAMPLE
The following shows MLD Snooping configuration information:
Console#show ipv6 mld snooping
Service Status          : Disabled
Querier Status          : Disabled
Robustness              : 2
Query Interval          : 125 sec
Query Max Response Time : 10 sec
Router Port Expiry Time : 300 sec
Immediate Leave         : Disabled on all VLAN
Unknown Flood Behavior  : To Router Port
MLD Snooping Version    : Version 2
Console#
show ipv6 mld
This command shows known multicast groups, member ports, and t
EXAMPLE
The following shows MLD Snooping group mapping information:
Console#show ipv6 mld snooping group source-list
VLAN ID : 1
Mutlicast IPv6 Address : FF02::01:01:01:01
Member Port : Eth 1/1
Type : MLD Snooping
Filter Mode : Include
(if exclude filter mode)
Filter Timer elapse : 10 sec.
MVR FOR IPV4
This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Table 147: Multicast VLAN Registration Commands (Continued)
Command | Function | Mode
show mvr profile | Shows all configured MVR profiles | PE
show mvr statistics | Shows MVR protocol statistics for the specified interface | PE
mvr
This command enables Multicast VLAN Registration (MVR) globally on the switch. Use the no form of this command to globally disable MVR.
EXAMPLE
The following binds an MVR group address profile to domain 1:
Console(config)#mvr domain 1 associated-profile rd
Console(config)#
RELATED COMMANDS
mvr profile (1229)
mvr domain
This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.
SYNTAX
[no] mvr domain domain-id
domain-id - An independent multicast domain.
DEFAULT SETTING
No profiles are defined
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams.
EXAMPLE
This example sets the proxy query interval for MVR proxy switching.
Console(config)#mvr proxy-query-interval 250
Console(config)#
mvr proxy-switching
This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
EXAMPLE
The following example enables MVR proxy switching.
Console(config)#mvr proxy-switching
Console(config)#
RELATED COMMANDS
mvr proxy-query-interval (1230)
mvr robustness-value (1232)
mvr robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.
mvr source-port-mode dynamic
This command configures the switch to only forward multicast streams which the source port has dynamically joined. Use the no form to restore the default setting.
SYNTAX
[no] mvr source-port-mode dynamic
DEFAULT SETTING
Forwards all multicast streams which have been specified in a profile and bound to a domain.
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#mvr domain 1 upstream-source-ip 192.168.0.3
Console(config)#
mvr vlan
This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN.
SYNTAX
mvr [domain domain-id] vlan vlan-id
no mvr [domain domain-id] vlan
domain-id - An independent multicast domain.
mvr immediate-leave
This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings.
SYNTAX
[no] mvr [domain domain-id] immediate-leave
domain-id - An independent multicast domain.
mvr type
This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings.
SYNTAX
[no] mvr [domain domain-id] type {receiver | source}
domain-id - An independent multicast domain. (Range: 1-5)
receiver - Configures the interface as a subscriber port that can receive multicast data.
mvr vlan group
This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
SYNTAX
[no] mvr [domain domain-id] vlan vlan-id group ip-address
domain-id - An independent multicast domain. (Range: 1-5)
vlan-id - Receiver VLAN to which the specified multicast traffic is flooded.
show mvr
This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.
SYNTAX
show mvr [domain domain-id]
domain-id - An independent multicast domain. (Range: 1-5)
DEFAULT SETTING
Displays configuration settings for all MVR domains.
show mvr associated-profile
This command shows the profiles bound to the specified domain.
SYNTAX
show mvr [domain domain-id] associated-profile
domain-id - An independent multicast domain. (Range: 1-5)
DEFAULT SETTING
Displays profiles bound to all MVR domains.
COMMAND MODE
Privileged Exec
EXAMPLE
The following displays the profiles bound to domain 1:
Console#show mvr domain 1 associated-profile
Domain ID : 1
MVR Profile Name     Start IP Addr.   End IP Addr.
Console#
Table 149: show mvr interface - display description
Field | Description
MVR Domain | An independent multicast domain.
Port | Shows interfaces attached to the MVR.
Type | Shows the MVR port type.
Status | Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
EXAMPLE
The following shows information about the number of multicast forwarding entries currently active in domain 1:
Console#show mvr domain 1 members
MVR Domain : 1
MVR Forwarding Entry Count :1
Flag: S - Source port, R - Receiver port.
      H - Host counts (number of hosts joined to group on this port).
      P - Port counts (number of ports joined to group).
Up time: Group elapsed time (d:h:m:s).
Expire : Group remaining time (m:s).
show mvr profile
This command shows all configured MVR profiles.
COMMAND MODE
Privileged Exec
EXAMPLE
The following shows all configured MVR profiles:
Console#show mvr profile
MVR Profile Name     Start IP Addr.   End IP Addr.
-------------------- ---------------  ---------------
rd                   228.1.23.1       228.1.23.10
testing              228.2.23.1       228.2.23.10
Console#
show mvr statistics
This command shows MVR protocol-related statistics for the specified interface.
EXAMPLE
The following shows MVR protocol-related statistics received:
Console#show mvr domain 1 statistics input
MVR Domain : 1
Input Statistics:
Interface  Report  Leave  G Query  G(-S)-S Query  Drop  Join Succ  Group
---------  ------  -----  -------  -------------  ----  ---------  -----
Eth 1/ 1       23     11        4             10     5         20      9
Eth 1/ 2       12     15        8              3     5         19      4
VLAN 1          2      0        0              2     2         20      9
Console#
Table 151: show mvr statistics input - display description
Field | Description
Inter
Table 152: show mvr statistics output - display description (Continued)
Field | Description
G Query | The number of general query messages sent from this interface.
G(-S)-S Query | The number of group specific or group-and-source specific query messages sent from this interface.
The following shows MVR query-related statistics:
Console#show mvr domain 1 statistics query
Querier IP Address : 192.168.1.
MVR FOR IPV6
This section describes commands used to configure Multicast VLAN Registration for IPv6 (MVR6). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
mvr6 associated-profile
This command binds the MVR group addresses specified in a profile to an MVR domain. Use the no form of this command to remove the binding.
SYNTAX
[no] mvr6 domain domain-id associated-profile profile-name
domain-id - An independent multicast domain. (Range: 1-5)
profile-name - The name of a profile containing one or more MVR group addresses.
EXAMPLE
The following example enables MVR for domain 1:
Console(config)#mvr6 domain 1
Console(config)#
mvr6 profile
This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.
SYNTAX
mvr6 profile profile-name start-ip-address end-ip-address
profile-name - The name of a profile containing one or more MVR group addresses.
mvr6 proxy-query-interval
This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting.
SYNTAX
mvr6 proxy-query-interval interval
no mvr6 proxy-query-interval
interval - The interval at which the receiver port sends out general queries.
◆ Receiver ports are known as downstream or router interfaces. These interfaces perform the standard MVR router functions by maintaining a database of all MVR subscriptions on the downstream interface. Receiver ports must therefore be configured on all downstream interfaces which require MVR proxy service.
◆ When the source port receives report and leave messages, it only forwards them to other source ports.
COMMAND USAGE
◆ This command sets the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.
◆ This command only takes effect when MVR6 proxy switching is enabled.
mvr6 upstream-source-ip
This command configures the source IPv6 address assigned to all MVR control packets sent upstream on the specified domain. Use the no form to restore the default setting.
SYNTAX
mvr6 domain domain-id upstream-source-ip source-ip-address
no mvr6 domain domain-id upstream-source-ip
domain-id - An independent multicast domain.
COMMAND MODE
Global Configuration
COMMAND USAGE
MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command and switchport native vlan command, but MVR receiver ports should not be statically configured as members of this VLAN.
CHAPTER 42 | Multicast Filtering Commands MVR for IPv6 EXAMPLE The following enables immediate leave on a receiver port. Console(config)#interface ethernet 1/5 Console(config-if)#mvr6 domain 1 immediate-leave Console(config-if)# mvr6 type This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. SYNTAX [no] mvr6 domain domain-id type {receiver | source} domain-id - An independent multicast domain.
CHAPTER 42 | Multicast Filtering Commands MVR for IPv6 EXAMPLE The following configures one source port and several receiver ports on the switch.
CHAPTER 42 | Multicast Filtering Commands MVR for IPv6 EXAMPLE The following statically assigns a multicast group to a receiver port: Console(config)#interface ethernet 1/2 Console(config-if)#mvr6 domain 1 type receiver Console(config-if)#mvr6 domain 1 vlan 2 group ff00::1 Console(config-if)# show mvr6 This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.
CHAPTER 42 | Multicast Filtering Commands MVR for IPv6 Table 155: show mvr6 - display description (Continued) Field Description MVR6 Domain An independent multicast domain. MVR6 Config Status Shows if MVR is globally enabled on the switch. MVR6 Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied.
COMMAND MODE
Privileged Exec
EXAMPLE
The following displays information about the interfaces attached to the MVR VLAN in domain 1:
Console#show mvr6 domain 1 interface
MVR6 Domain : 1
Port     Type     Status        Immediate  Static Group Address
-------- -------- ------------- ---------- ------------------------
Eth1/ 1  Source   Active/Up
Eth1/ 2  Receiver Active/Up     Disabled   FF00::1(VLAN2)
Console#

Table 156: show mvr6 interface - display description
Field  Description

EXAMPLE
The following shows information about the number of multicast forwarding entries currently active in domain 1:
Console#show mvr6 domain 1 members
MVR6 Domain : 1
MVR6 Forwarding Entry Count : 1
Flag: S - Source port, R - Receiver port.
      H - Host counts (number of hosts join the group on this port).
      P - Port counts (number of ports join the group).
Up time: Group elapsed time (d:h:m:s).
Expire : Group remaining time (m:s).

show mvr6 profile
This command shows all configured MVR profiles.
COMMAND MODE
Privileged Exec
EXAMPLE
The following shows all configured MVR profiles:
Console#show mvr6 profile
MVR Profile Name     Start IPv6 Addr.          End IPv6 Addr.
-------------------- ------------------------- -------------------------
rd                   FF00::1                   FF00::9
Console#

show mvr6 statistics
This command shows MVR protocol-related statistics for the specified interface.
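The profile table above can be checked mechanically. The following Python script is an added example, not part of this manual or of the switch software: it parses show mvr6 profile output into address ranges, reports a profile whose start address lies after its end or whose range falls outside the IPv6 multicast prefix ff00::/8, and tells which profile covers a given group, such as the ff00::1 assigned with mvr6 domain 1 vlan 2 group in the earlier example. The second profile row (voip, FF1E::100 to FF1E::1FF) is a constructed sample, not taken from the manual.

```python
import ipaddress

# Constructed sample modelled on the manual's "show mvr6 profile" output;
# it is not a capture from a real GTL-2691, and the "voip" row is an
# assumption added to show a multi-row table.
SAMPLE_SHOW_MVR6_PROFILE = """\
Console#show mvr6 profile
MVR Profile Name     Start IPv6 Addr.          End IPv6 Addr.
-------------------- ------------------------- -------------------------
rd                   FF00::1                   FF00::9
voip                 FF1E::100                 FF1E::1FF
Console#
"""

IPV6_MULTICAST = ipaddress.IPv6Network("ff00::/8")


def parse_mvr6_profiles(text):
    """Return {profile_name: (start, end)} from 'show mvr6 profile' output.

    The command echo, header, ruler and prompt lines are skipped because
    their columns do not parse as IPv6 addresses.
    """
    profiles = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, start, end = parts
        try:
            profiles[name] = (ipaddress.IPv6Address(start),
                              ipaddress.IPv6Address(end))
        except ValueError:
            continue
    return profiles


def profiles_covering(profiles, group):
    """Names of the profiles whose range contains the given group address."""
    g = ipaddress.IPv6Address(group)
    return sorted(name for name, (start, end) in profiles.items()
                  if start <= g <= end)


def validate_profiles(profiles):
    """Return human-readable problems with the profile table: a start
    address after its end address, or a range that is not inside the
    IPv6 multicast prefix ff00::/8."""
    problems = []
    for name, (start, end) in sorted(profiles.items()):
        if start > end:
            problems.append(f"{name}: start {start} is after end {end}")
        if start not in IPV6_MULTICAST or end not in IPV6_MULTICAST:
            problems.append(f"{name}: range is not inside ff00::/8")
    return problems


if __name__ == "__main__":
    table = parse_mvr6_profiles(SAMPLE_SHOW_MVR6_PROFILE)
    for prob in validate_profiles(table):
        print("problem:", prob)
    # ff00::1 (the manual's static group) is covered by "rd"; ff00::a by nothing
    print("ff00::1 ->", profiles_covering(table, "ff00::1"))
    print("ff00::a ->", profiles_covering(table, "ff00::a"))
```

A group that no profile covers is the usual reason a receiver port joins a group and then sees no traffic, so running profiles_covering over the static groups listed by show mvr6 interface is a quick consistency check after a configuration change.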
Eth 1/ 2 VLAN 1 Console# 12 2 15 0 8 0 3 2 5 2 19 20

Table 158: show mvr6 statistics input - display description
Field      Description
Interface  Shows interfaces attached to the MVR.
Report     The number of IGMP membership reports received on this interface.
Leave      The number of leave messages received on this interface.
G Query    The number of general query messages received on this interface.

CHAPTER 42 | Multicast Filtering Commands IGMP (Layer 3)

Specific Query Sent    : 0
Number of Reports Sent : 2
Number of Leaves Sent  : 0
Console#

IGMP (LAYER 3)
This section describes commands used to configure Layer 3 Internet Group Management Protocol (IGMP) on the switch.

EXAMPLE
Console(config)#interface vlan 1
Console(config-if)#ip igmp
Console(config-if)#end
Console#show ip igmp interface
IGMP                             : Enabled
IGMP Version                     : 2
IGMP Proxy                       : Disabled
IGMP Unsolicited Report Interval : 400 sec
Robustness Variable              : 2
Query Interval                   : 125 sec
Query Max Response Time          : 100 (resolution in 0.1 sec)
Last Member Query Interval       : 10 (resolution in 0.1 sec)
Querier                          : 0.0.0.
Joined Groups :
Static Groups :

EXAMPLE
Console(config)#interface vlan 1
Console(config-if)#ip igmp last-member-query-interval 20
Console(config-if)#

ip igmp max-resp-interval
This command configures the maximum response time advertised in IGMP queries. Use the no form of this command to restore the default.
SYNTAX
ip igmp max-resp-interval seconds
no ip igmp max-resp-interval
seconds - The report delay advertised in IGMP queries.

ip igmp query-interval
This command configures the frequency at which host query messages are sent. Use the no form to restore the default.
SYNTAX
ip igmp query-interval seconds
no ip igmp query-interval
seconds - The frequency at which the switch sends IGMP host-query messages.

COMMAND MODE
Interface Configuration (VLAN)
COMMAND USAGE
◆ The robustness value is used in calculating the appropriate range for other IGMP variables, such as the Group Membership Interval, as well as the Other Querier Present Interval, and the Startup Query Count (RFC 3376).
◆ Routers adopt the robustness value from the most recently received query.
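The usage note above says the robustness value feeds the Group Membership Interval, the Other Querier Present Interval and the Startup Query Count. The following Python script is an added example, not the manual's own and not from the switch software: it parses the show ip igmp interface output shown earlier and applies the formulas from RFC 3376 section 8, so that an operator can see how long a membership survives lost reports and how long a backup querier waits before taking over. The sample output is constructed after the manual's format; with the displayed defaults (robustness 2, query interval 125 s, max response time 10 s) the group membership interval works out to 260 s.

```python
import re

# Constructed sample modelled on the manual's "show ip igmp interface"
# output (it is not a capture from a real GTL-2691).
SAMPLE_SHOW_IP_IGMP_INTERFACE = """\
Console#show ip igmp interface
IGMP                             : Enabled
IGMP Version                     : 2
IGMP Proxy                       : Disabled
IGMP Unsolicited Report Interval : 400 sec
Robustness Variable              : 2
Query Interval                   : 125 sec
Query Max Response Time          : 100 (resolution in 0.1 sec)
Last Member Query Interval       : 10 (resolution in 0.1 sec)
Querier                          : 0.0.0.0
Console#
"""


def parse_igmp_interface(text):
    """Return {field: leading integer of the value} for every 'Field : value'
    line whose value starts with a number; other lines are ignored."""
    values = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        m = re.match(r"\s*(\d+)", val)
        if m:
            values[key.strip()] = int(m.group(1))
    return values


def igmp_timers(robustness, query_interval_s, max_resp_tenths, lmqi_tenths):
    """Timers derived in RFC 3376 section 8 from the four configured values.
    Inputs use the units the switch displays (seconds for the query
    interval, tenths of a second for the two response intervals); every
    result is in seconds except the two counts."""
    qri = max_resp_tenths / 10.0      # Query Response Interval
    lmqi = lmqi_tenths / 10.0         # Last Member Query Interval
    return {
        # how long a membership survives without any report (8.4)
        "group_membership_interval": robustness * query_interval_s + qri,
        # how long a non-querier waits before taking over as querier (8.5)
        "other_querier_present_interval": robustness * query_interval_s + qri / 2,
        # query interval used while a querier starts up (8.6) and how many (8.7)
        "startup_query_interval": query_interval_s / 4,
        "startup_query_count": robustness,
        # group-specific queries sent on leave (8.9) and the leave latency (8.10)
        "last_member_query_count": robustness,
        "last_member_query_time": lmqi * robustness,
    }


def check_robustness(robustness):
    """RFC 3376 8.1: the Robustness Variable MUST NOT be zero and SHOULD NOT
    be one. Returns a warning string, or None when the value is acceptable."""
    if robustness == 0:
        return "robustness 0 is invalid"
    if robustness == 1:
        return "robustness 1 tolerates no lost query or report at all"
    return None


def timers_from_show_output(text):
    """Parse the show output and derive the timers from it."""
    v = parse_igmp_interface(text)
    return igmp_timers(v["Robustness Variable"], v["Query Interval"],
                       v["Query Max Response Time"],
                       v["Last Member Query Interval"])


if __name__ == "__main__":
    for name, value in timers_from_show_output(SAMPLE_SHOW_IP_IGMP_INTERFACE).items():
        print(f"{name:32s} {value}")
```

The group membership interval is the figure to watch when tuning ip igmp query-interval on a link that also carries sensitive traffic: raising the interval lengthens the window during which a host that has silently left keeps receiving the stream.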
request to join the multicast group will also fail if the next node up the reverse path tree has enabled the PIM-SSM protocol.
◆ If a static group is configured for an any-source multicast (*,G), a source address cannot subsequently be defined for this group without first deleting the entry.

If there are Version 1 hosts present for a particular group, the switch will ignore any Leave Group messages that it receives for that group.
EXAMPLE
Console(config-if)#ip igmp version 1
Console(config-if)#

clear ip igmp group
This command deletes entries from the IGMP cache.
SYNTAX
clear ip igmp group [group-address | interface interface]
group-address - IP address of the multicast group.
interface vlan vlan-id - VLAN ID.

COMMAND MODE
Privileged Exec
COMMAND USAGE
To display information about multicast groups, IGMP must first be enabled on the interface to which a group has been assigned using the ip igmp command, and multicast routing must be enabled globally on the system using the ip multicast-routing command.
EXAMPLE
The following shows options for displaying IGMP group information by interface, group address, and static listing.

The following shows the information displayed in a detailed listing for a dynamically learned multicast group.
Console#show ip igmp groups detail
Interface     : VLAN 1
Group         : 224.1.2.3
Uptime        : 0h:0m:12s
Group mode    : Include
Last reporter : 0.0.0.0
Group Source List:
Source Address  Uptime      v3 Exp      Fwd
--------------- ----------- ----------- ---
192.1.2.

CHAPTER 42 | Multicast Filtering Commands IGMP Proxy Routing

show ip igmp interface
This command shows multicast information for the specified interface.
SYNTAX
show ip igmp interface [interface]
interface vlan vlan-id - VLAN ID. (Range: 1-4093)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
The following example shows the IGMP configuration for VLAN 1, as well as the device currently serving as the IGMP querier for active multicast services on this interface.

To enable IGMP proxy service, follow these steps:
1. Use the ip multicast-routing command to enable IP multicasting globally on the router.
2. Use the ip igmp proxy command to enable IGMP proxy on the upstream interface that is attached to an upstream multicast router.
3. Use the ip igmp command to enable IGMP on the downstream interfaces from which to forward IGMP membership reports.
4.

◆ Only one upstream interface is supported on the system.
◆ A maximum of 1024 multicast streams are supported.
EXAMPLE
The following example enables multicast routing globally on the switch, configures VLAN 2 as a downstream interface, and then VLAN 1 as the upstream interface.
CHAPTER 42 | Multicast Filtering Commands MLD (Layer 3)

MLD (LAYER 3)
This section describes commands used to configure Layer 3 Multicast Listener Discovery (MLD) on the switch.

Query Interval             : 125 sec
Query Max Response Time    : 10 sec
Last Member Query Interval : 1 sec
Querier                    : ::
Joined Groups :
Static Groups :
Console#

ipv6 mld last-member-query-response-interval
This command configures the frequency at which to send MLD group-specific or MLDv2 group-source-specific query messages in response to receiving a group-specific or group-source-specific leave message from the last known active host on the subnet.

ipv6 mld max-resp-interval
This command configures the maximum response time advertised in MLD queries. Use the no form of this command to restore the default setting.
SYNTAX
ipv6 mld max-resp-interval seconds
no ipv6 mld max-resp-interval
seconds - The report delay advertised in MLD queries.

COMMAND MODE
Interface Configuration (VLAN)
COMMAND USAGE
◆ Multicast routers send host query messages to determine the interfaces that are connected to downstream hosts requesting a specific multicast service. Only the designated multicast router for a subnet sends host query messages, which are addressed to the link-scope all-nodes multicast address FF02::1, and uses a time-to-live (TTL) value of 1.

the robustness value is set to zero, meaning that this device will not advertise a QRV in any query messages it subsequently sends.
EXAMPLE
Console(config-if)#ipv6 mld robustval 3
Console(config-if)#

ipv6 mld static-group
This command statically binds multicast groups to a VLAN interface. Use the no form to remove the static mapping.

EXAMPLE
The following example assigns VLAN 1 as a static member of the specified multicast group.
Console(config)#interface vlan 1
Console(config-if)#ipv6 mld static-group FFEE::0101
Console(config-if)#

ipv6 mld version
This command configures the MLD version used on an interface. Use the no form of this command to restore the default setting.

clear ipv6 mld group
This command deletes entries from the MLD cache.
SYNTAX
clear ipv6 mld group [group-address | interface interface]
group-address - IPv6 address of the multicast group.
interface vlan vlan-id - VLAN ID. (Range: 1-4093)
DEFAULT SETTING
Deletes all entries in the cache if no options are selected.
COMMAND MODE
Privileged Exec
COMMAND USAGE
Enter the address for a multicast group to delete all entries for the specified group.
command, and multicast routing must be enabled globally on the system using the ip multicast-routing command.
EXAMPLE
The following shows options for displaying MLD group information.

CHAPTER 42 | Multicast Filtering Commands MLD Proxy Routing

show ipv6 mld interface
This command shows multicast information for the specified interface.
SYNTAX
show ipv6 mld interface [interface]
interface vlan vlan-id - VLAN ID. (Range: 1-4093)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
The following example shows the MLD configuration for VLAN 1, as well as the device currently serving as the MLD querier for active multicast services on this interface.

To enable MLD proxy service, follow these steps:
1. Use the ipv6 multicast-routing command to enable IP multicasting globally on the router.
2. Use the ipv6 mld proxy command to enable MLD proxy on the upstream interface that is attached to an upstream multicast router.
3. Use the ipv6 mld command to enable MLD on the downstream interfaces from which to forward MLD membership reports.
4.

◆ Only one upstream interface is supported on the system.
◆ MLD and MLD proxy cannot be enabled on the same interface.
◆ A maximum of 1024 multicast streams are supported.
EXAMPLE
The following example enables multicast routing globally on the switch, configures VLAN 2 as a downstream interface, and then VLAN 1 as the upstream interface.
43 LLDP COMMANDS Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
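As an added example, not code from the manual or from the switch firmware, the following Python script encodes a small LLDPDU in the TLV format described above and parses it back, rejecting the malformations a receiver must discard: a TLV whose length runs past the frame, a missing End of LLDPDU TLV, or the mandatory Chassis ID, Port ID and TTL TLVs not leading the PDU in that order. The frame contents (port name, system name, TTL and capability bits) are assumed values; only the chassis MAC address is taken from the show lldp info local-device output later in this chapter. Frames rejected this way are what the switch counts under Frames Discarded and Frames Invalid in show lldp info statistics.

```python
import struct

# TLV types of the IEEE 802.1AB basic TLV set
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address",
             127: "Organizationally Specific"}
# System Capabilities bit map from 802.1AB
CAP_BITS = {0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN AP",
            0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS", 0x80: "Station"}


def tlv(tlv_type, payload):
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    if not 0 <= tlv_type < 128 or len(payload) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


# Constructed LLDPDU; the MAC address is the chassis ID shown in the manual's
# "show lldp info local-device" output, everything else is an assumed value.
SAMPLE_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("0000e89382a0"))   # Chassis ID, subtype 4 = MAC address
    + tlv(2, b"\x05" + b"Eth 1/1")                     # Port ID, subtype 5 = interface name
    + tlv(3, struct.pack("!H", 120))                   # TTL: keep this entry for 120 seconds
    + tlv(5, b"switch-a")                              # System Name
    + tlv(7, struct.pack("!HH", 0x14, 0x14))           # Bridge|Router supported and enabled
    + tlv(0, b"")                                      # End of LLDPDU
)


def decode_tlv(tlv_type, payload):
    """Decode the basic TLVs; anything else is returned as raw bytes."""
    if tlv_type == 0:
        return None
    if tlv_type in (1, 2):
        if not payload:
            raise ValueError("empty Chassis ID / Port ID")
        subtype, ident = payload[0], payload[1:]
        mac_subtype = 4 if tlv_type == 1 else 3     # MAC address subtype differs per TLV
        if subtype == mac_subtype:
            return ident.hex("-").upper()
        return ident.decode("ascii", errors="replace")
    if tlv_type == 3:
        if len(payload) != 2:
            raise ValueError("TTL must be 2 bytes")
        return struct.unpack("!H", payload)[0]
    if tlv_type in (4, 5, 6):
        return payload.decode("utf-8", errors="replace")
    if tlv_type == 7:
        if len(payload) != 4:
            raise ValueError("System Capabilities must be 4 bytes")
        supported, enabled = struct.unpack("!HH", payload)
        return (sorted(n for b, n in CAP_BITS.items() if supported & b),
                sorted(n for b, n in CAP_BITS.items() if enabled & b))
    return payload


def parse_lldpdu(data):
    """Walk the TLV chain and return [(type, decoded_value), ...].

    Raises ValueError on the conditions a receiver must reject: a header or
    payload running past the end of the frame, a missing End TLV, or the
    mandatory Chassis ID / Port ID / TTL TLVs not leading the PDU in order.
    """
    tlvs = []
    offset = 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("truncated TLV header or missing End TLV")
        header, = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        payload = data[offset:offset + length]
        if len(payload) != length:
            raise ValueError("TLV length runs past end of PDU")
        offset += length
        tlvs.append((tlv_type, decode_tlv(tlv_type, payload)))
        if tlv_type == 0:
            break
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("mandatory Chassis ID, Port ID, TTL TLVs missing or out of order")
    return tlvs


if __name__ == "__main__":
    for tlv_type, value in parse_lldpdu(SAMPLE_LLDPDU):
        print(f"{TLV_NAMES.get(tlv_type, 'type %d' % tlv_type):26s} {value}")
```

The parser fails closed: a frame is either fully decoded or rejected as a whole, which is the behaviour the lldp admin-status rx-only mode relies on when a port accepts advertisements from an untrusted neighbour.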
CHAPTER 43 | LLDP Commands

Table 167: LLDP Commands (Continued)
Command                     Function                                                                    Mode
lldp basic-tlv system-name  Configures an LLDP-enabled port to advertise its system name                IC
lldp dot1-tlv proto-ident*  Configures an LLDP-enabled port to advertise the supported protocols        IC
lldp dot1-tlv proto-vid*    Configures an LLDP-enabled port to advertise port related VLAN information  IC
lldp dot1-tlv pvid*         Configures an LLDP-enabled port to advertise its default VLAN ID            IC
lldp dot1-tlv vlan-name*    Configu

lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
SYNTAX
[no] lldp
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.

lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
SYNTAX
lldp med-fast-start-count packets
no lldp med-fast-start-count
packets - Number of packets.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.

COMMAND MODE
Global Configuration
COMMAND USAGE
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
EXAMPLE
Console(config)#lldp reinit-delay 10
Console(config)#

lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.

lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
SYNTAX
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).

enterprise specific or other starting points for the search, such as the Interface or Entity MIB.
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.

lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
SYNTAX
[no] lldp basic-tlv system-capabilities
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled.

lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
SYNTAX
[no] lldp basic-tlv system-name
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
The system name is taken from the sysName object in RFC 3418, which contains the system's administratively assigned name, and is in turn based on the hostname command.

lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port related VLAN information. Use the no form to disable this feature.
SYNTAX
[no] lldp dot1-tlv proto-vid
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 1140).

lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
SYNTAX
[no] lldp dot1-tlv vlan-name
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises the name of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 1117 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 1141.

lldp dot3-tlv mac-phy
This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature.
SYNTAX
[no] lldp dot3-tlv mac-phy
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.

lldp med-location civic-addr
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.
SYNTAX
lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]]
no lldp med-location civic-addr [[country] | [what] | [ca-type]]
country-code – The two-letter ISO 3166 country code in capital ASCII letters.

Table 168: LLDP MED Location CA Types (Continued)
CA Type  Description                  CA Value Example
18       Street suffix or type        Avenue
19       House number                 320
20       House number suffix          A
21       Landmark or vanity address   Tech Center
26       Unit (apartment, suite)      Apt 519
27       Floor                        5
28       Room                         509B
Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
COMMAND USAGE
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
◆ SNMP trap destinations are defined using the snmp-server host command (page 833).

lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
SYNTAX
[no] lldp med-tlv location
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises location identification details.

lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
SYNTAX
[no] lldp med-tlv network-policy
DEFAULT SETTING
Enabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.

An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#lldp notification
Console(config-if)#

show lldp config
This command shows LLDP configuration settings for all ports.
SYNTAX
show lldp config [detail interface]
detail - Shows configuration summary.

Console#show lldp config detail ethernet 1/1
LLDP Port Configuration Detail
Port                 : Eth 1/1
Admin Status         : Tx-Rx
Notification Enabled : True
Basic TLVs Advertised:
  port-description
  system-name
  system-description
  system-capabilities
  management-ip-address
802.1 specific TLVs Advertised:
  *port-vid
  *vlan-name
  *proto-vlan
  *proto-ident
802.

EXAMPLE
Console#show lldp info local-device
LLDP Local System Information
Chassis Type                : MAC Address
Chassis ID                  : 00-00-E8-93-82-A0
System Name                 :
System Description          : GTL-2691 Managed L3 Stackable Switch
System Capabilities Support : Bridge, Router
System Capabilities Enabled : Bridge, Router
Management Address          : 192.168.0.

EXAMPLE
Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the "Device Class" field.

Power Priority    : Unknown
Power Value       : 0 Watts
Inventory :
Hardware Revision : R01
Firmware Revision : 1.2.2.1
Software Revision : 1.2.2.1
Serial Number     :
Manufacture Name  :
Model Name        :
Asset ID          :
Console#

show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
SYNTAX
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Stack unit.

Console#show lldp info statistics detail ethernet 1/1
LLDP Port Statistics Detail
PortName          : Eth 1/1
Frames Discarded  : 0
Frames Invalid    : 0
Frames Received   : 12
Frames Sent       : 13
TLVs Unrecognized : 0
TLVs Discarded    : 0
Neighbor Ageouts  : 0
Console#
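The statistics above can be turned into a simple health check. The following Python script is an added example, not part of the manual or of the switch software: it parses two snapshots of show lldp info statistics detail taken at different times (both constructed here after the manual's output format) and reports the error counters that grew between them. Growth in Frames Discarded, Frames Invalid or TLVs Unrecognized means a neighbour is sending LLDPDUs the switch cannot parse, and a Neighbor Ageouts increment means a neighbour's TTL expired without a fresh advertisement, which is worth correlating with link state before trusting the neighbour table.

```python
# Two constructed snapshots of "show lldp info statistics detail ethernet 1/1",
# modelled on the manual's output format (not captures from a real switch).
SNAPSHOT_BEFORE = """\
LLDP Port Statistics Detail
PortName          : Eth 1/1
Frames Discarded  : 0
Frames Invalid    : 0
Frames Received   : 12
Frames Sent       : 13
TLVs Unrecognized : 0
TLVs Discarded    : 0
Neighbor Ageouts  : 0
"""
SNAPSHOT_AFTER = """\
LLDP Port Statistics Detail
PortName          : Eth 1/1
Frames Discarded  : 4
Frames Invalid    : 4
Frames Received   : 40
Frames Sent       : 20
TLVs Unrecognized : 1
TLVs Discarded    : 0
Neighbor Ageouts  : 1
"""

# Counters that stay flat on a healthy link with a stable, well-behaved neighbour.
ERROR_COUNTERS = ("Frames Discarded", "Frames Invalid",
                  "TLVs Unrecognized", "TLVs Discarded", "Neighbor Ageouts")


def parse_lldp_port_stats(text):
    """Return (port_name, {counter: int}) from the detail output."""
    port = None
    counters = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue                      # title line, no "Field : value" pair
        key, val = key.strip(), val.strip()
        if key == "PortName":
            port = val
        elif val.isdigit():
            counters[key] = int(val)
    return port, counters


def counter_deltas(before, after):
    """Per-counter growth between two snapshots of the same port."""
    return {k: after[k] - before.get(k, 0) for k in after}


def lldp_findings(before_text, after_text):
    """List the error counters that grew between the snapshots. Poll on a
    fixed schedule so that successive deltas are comparable."""
    port_b, before = parse_lldp_port_stats(before_text)
    port_a, after = parse_lldp_port_stats(after_text)
    if port_a != port_b:
        raise ValueError(f"snapshots are for different ports: {port_b} vs {port_a}")
    deltas = counter_deltas(before, after)
    return [f"{port_a}: {name} +{deltas[name]}"
            for name in ERROR_COUNTERS if deltas.get(name, 0) > 0]


if __name__ == "__main__":
    for finding in lldp_findings(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(finding)
```

Neighbor Ageouts is the counter to read together with lldp holdtime-multiplier: an ageout means the hold time (multiplier times the transmit interval) elapsed with no advertisement from the neighbour, so a burst of ageouts on a port whose link never went down points at the neighbour, not the cable.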
44 CFM COMMANDS Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between Provider Edge devices or between Customer Edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
CHAPTER 44 | CFM Commands Defining CFM Structures

Table 169: CFM Commands (Continued)
Command                          Function                                                                                                                                   Mode
ethernet cfm mep                 Sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages   IC
ethernet cfm port-enable         Enables CFM processing on an interface                                                                                                     IC
clear ethernet cfm ais mpid      Clears AIS defect information for the specified MEP                                                                                        PE
show ethernet cfm configuration  Displays CFM configuration settings, including gl

Table 169: CFM Commands (Continued)
Command                                  Function                                                           Mode
ethernet cfm linktrace cache             Enables caching of CFM data learned through link trace messages    GC
ethernet cfm linktrace cache hold-time   Sets the hold time for CFM link trace cache entries                GC
ethernet cfm linktrace cache size        Sets the maximum size for the link trace cache                     GC
ethernet cfm linktrace                   Sends CFM link trace messages to the MAC address for a MEP         PE
clear ethernet cfm linktrace-cache       Clears link trace

5. Enable CFM globally on the switch with the ethernet cfm enable command.
6. Enable CFM on the local MEPs with the ethernet cfm port-enable command.
7. Enable continuity check operations with the ethernet cfm cc enable command.
8. Enable cross-check operations with the ethernet cfm mep crosscheck command.

EXAMPLE
This example sets the maintenance level for sending AIS messages within the specified MA.
Console(config)#ethernet cfm ais level 4 md voip ma rd
Console(config)#

ethernet cfm ais ma
This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature.
SYNTAX
[no] ethernet cfm ais md domain-name ma ma-name
domain-name – Domain name.

ethernet cfm ais period
This command configures the interval at which AIS information is sent. Use the no form to restore the default setting.
SYNTAX
ethernet cfm ais period period md domain-name ma ma-name
no ethernet cfm ais period md domain-name ma ma-name
period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.

COMMAND USAGE
◆ For multipoint connectivity, a MEP cannot determine the specific maintenance level entity that has encountered defect conditions upon receiving a frame with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information.

pass, and only if a maintenance end point (MEP) is created at some lower MA Level.
none – No MIP can be created for any MA configured in this domain.
DEFAULT SETTING
No maintenance domains are configured.
No MIPs are created for any MA in the specified domain.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ A domain can only be configured with one name.

Also note that MEPs are active agents which can initiate consistency check messages (CCMs), transmit loop back or link trace messages, and maintain the local CCM database. MIPs, on the other hand, are passive agents which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.

ma index name
This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.

applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
EXAMPLE
This example creates a maintenance association, binds it to VLAN 1, and allows MIPs to be created within this MA using the default method.

ethernet cfm mep
This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP.
SYNTAX
ethernet cfm mep mpid mpid md domain-name ma ma-name [up]
no ethernet cfm mep mpid mpid ma ma-name
mpid – Maintenance end point identifier. (Range: 1-8191)
domain-name – Domain name.
CHAPTER 44 | CFM Commands Defining CFM Structures ethernet cfm port- This command enables CFM processing on an interface. Use the no form to enable disable CFM processing on an interface. SYNTAX [no] ethernet cfm port-enable DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
CHAPTER 44 | CFM Commands Defining CFM Structures COMMAND USAGE This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved. EXAMPLE This example clears AIS defect entries on port 1. Console#clear ethernet cfm ais mpid 1 md voip ma rd Console(config)# show ethernet cfm This command displays CFM configuration settings, including global configuration settings, SNMP traps, and interface settings.
CHAPTER 44 | CFM Commands Defining CFM Structures This example shows the configuration status for continuity check and cross-check traps.
CHAPTER 44 | CFM Commands Defining CFM Structures DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows all configured maintenance domains. Console#show ethernet cfm md MD Index MD Name -------- -------------------1 rd Console# Level ----0 MIP Creation -----------default Archive Hold Time (m.) ---------------------100 show ethernet cfm This command displays the configured maintenance associations. ma SYNTAX show ethernet cfm ma [level level] level – Maintenance level.
CHAPTER 44 | CFM Commands Defining CFM Structures show ethernet cfm This command displays the maintenance points configured on this device. maintenance-points local SYNTAX show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]} mep – Displays only local maintenance end points. mip – Displays only local maintenance intermediate points. domain-name – Domain name.
CHAPTER 44 | CFM Commands Defining CFM Structures show ethernet cfm This command displays detailed CFM information about a local MEP in the maintenance-points continuity check database. local detail mep SYNTAX show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) interface – Displays CFM status for the specified interface. ethernet unit/port unit - Unit identifier.
CHAPTER 44 | CFM Commands Defining CFM Structures Table 171: show ethernet cfm maintenance-points local detail mep - display Field Description MPID MEP identifier MD Name The maintenance domain for this entry.
CHAPTER 44 | CFM Commands Defining CFM Structures ma-name – Maintenance association name. (Range: 1-44 alphanumeric characters) DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address. EXAMPLE This example shows detailed information about the remote MEP designated by MPID 2.
Continuity Check Operations Table 172: show ethernet cfm maintenance-points remote detail - display Field Description Port State Port states include: Up – The port is functioning normally. Blocked – The port has been blocked by the Spanning Tree Protocol. No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
is registered. The interval at which CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA. ◆ Maintaining a MIP CCM database presents some difficulty for bridges carrying a large number of Service Instances whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level, or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs). EXAMPLE This example enables continuity check messages for the specified maintenance association.
EXAMPLE This example enables SNMP traps for mep-up events. Console(config)#snmp-server enable traps ethernet cfm cc mep-up Console(config)# RELATED COMMANDS ethernet cfm mep crosscheck (1337) mep archive-hold-time This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors This command displays the CFM continuity check errors logged on this device. SYNTAX show ethernet cfm errors [domain domain-name | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) level-id – Authorized maintenance level for this domain.
Cross Check Operations ethernet cfm mep crosscheck start-delay This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting. SYNTAX ethernet cfm mep crosscheck start-delay delay delay – The time a device waits for remote MEPs to come up before the cross-check is started.
mep-unknown – Sends a trap if an unconfigured MEP comes up. DEFAULT SETTING All continuity checks are enabled. COMMAND MODE Global Configuration COMMAND USAGE ◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
COMMAND USAGE ◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational. ◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational. ◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword. EXAMPLE This example enables cross-checking within the specified maintenance association.
Link Trace Operations ethernet cfm linktrace cache This command enables caching of CFM data learned through link trace messages. Use the no form to disable caching.
COMMAND MODE Global Configuration COMMAND USAGE Before setting the aging time for cache entries, the cache must first be enabled with the ethernet cfm linktrace cache command. EXAMPLE This example sets the aging time for entries in the link trace cache to 60 minutes. Console(config)#ethernet cfm linktrace cache hold-time 60 Console(config)# ethernet cfm This command sets the maximum size for the link trace cache.
ethernet cfm linktrace This command sends CFM link trace messages to the MAC address of a remote MEP. SYNTAX ethernet cfm linktrace {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [ttl number] destination-mpid – The identifier of a remote MEP that is the target of the link trace message.
When using the command line or web interface, the source MEP used to send a link trace message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user. EXAMPLE This example sends a link trace message to the specified MEP with a maximum hop count of 25. Console#ethernet cfm linktrace dest-mep 2 md voip ma rd ttl 25 Console# clear ethernet cfm This command clears link trace messages logged on this device.
Loopback Operations Table 174: show ethernet cfm linktrace-cache - display description Field Description Ing. Action Action taken on the ingress port: IngOk – The target data frame passed through to the MAC Relay Entity. IngDown – The bridge port’s MAC_Operational parameter is false.
Fault Generator Operations transmit-count – The number of times the loopback message is sent. (Range: 1-100) packet-size – The size of the loopback message. (Range: 64-1518 bytes) DEFAULT SETTING Loopback count: One loopback message is sent. Loopback size: 64 bytes COMMAND MODE Privileged Exec COMMAND USAGE ◆ Use this command to test the connectivity between maintenance points.
DEFAULT SETTING 3 seconds COMMAND MODE CFM Domain Configuration COMMAND USAGE A fault alarm is issued when the MEP fault notification generator state machine detects that a time period configured by this command has passed with one or more defects indicated, and fault alarms are enabled at or above the priority level set by the mep fault-notify lowest-priority command. EXAMPLE This example sets the delay time before generating a fault alarm.
notification generator state machine has been reset, and repeat those steps until the fault is resolved. ◆ Only the highest priority defect currently detected is reported in the fault alarm. ◆ Priority defects include the following items: Table 175: Remote MEP Priority Levels Priority Level Level Name Description 1 allDef All defects. 2 macRemErrXcon DefMACstatus, DefRemoteCCM, DefErrorCCM, or DefXconCCM.
mep fault-notify reset-time This command configures the time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued. Use the no form to restore the default setting. SYNTAX mep fault-notify reset-time reset-time no fault-notify reset-time reset-time – The time that must pass without any further defects indicated before another fault alarm can be generated.
Delay Measure Operations Table 177: show fault-notify-generator - display description Field Description MD Name The maintenance domain for this entry. MA Name The maintenance association for this entry. Highest Defect The highest defect that will generate a fault alarm. (This is disabled by default.) Lowest Alarm The lowest defect that will generate a fault alarm (see the mep fault-notify lowest-priority command).
Size: 64 bytes Timeout: 5 seconds COMMAND MODE Privileged Exec COMMAND USAGE ◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs. ◆ A local MEP must be configured for the same MA before you can use this command. ◆ If a MEP is enabled to generate frames with delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA, and expects to receive DM frames back from it.
45 DOMAIN NAME SERVICE COMMANDS These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain-name-to-IP-address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
CHAPTER 45 | Domain Name Service Commands COMMAND MODE Global Configuration COMMAND USAGE ◆ Domain names are added to the end of the list one at a time. ◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match. ◆ If there is no domain list, the domain name specified with the ip domain-name command is used.
◆ If all name servers are deleted, DNS will automatically be disabled. EXAMPLE This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status: DNS enabled
Default Domain Name: sample.com
Domain Name List: sample.com.jp sample.com.uk
Name Server List: 192.168.1.55 10.1.0.
Domain Name List: Name Server List: Console# RELATED COMMANDS ip domain-list (1351) ip name-server (1355) ip domain-lookup (1352) ip host This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry. SYNTAX [no] ip host name address name - Name of an IPv4 host. (Range: 1-100 characters) address - Corresponding IPv4 address.
ip name-server This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list. SYNTAX [no] ip name-server server-address1 [server-address2 … server-address6] server-address1 - IP address of domain-name server. server-address2 … server-address6 - IP address of additional domain-name servers.
ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry. SYNTAX [no] ipv6 host name ipv6-address name - Name of an IPv6 host. (Range: 1-100 characters) ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
clear host This command deletes dynamic entries from the DNS table. SYNTAX clear host {name | *} name - Name of the host. (Range: 1-100 characters) * - Removes all entries. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries. EXAMPLE This example clears all dynamic entries from the DNS table.
show dns cache This command displays entries in the DNS cache. COMMAND MODE Privileged Exec EXAMPLE
Console#show dns cache
No.  Flag  Type   IP Address       TTL  Domain
---- ----- ------ ---------------- ---- --------------------------
3    4     Host   209.131.36.158   115  www-real.wa1.b.yahoo.com
4    4     CNAME  POINTER TO:3     115  www.yahoo.com
5    4     CNAME  POINTER TO:3     115  www.wa1.b.yahoo.com
Console#
Table 179: show dns cache - display description Field Description No.
Table 180: show hosts - display description Field Description No. The entry number for each resource record. Flag The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache. Type This field includes “Address” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
46 DHCP COMMANDS These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface can be configured to automatically obtain an IPv4 address through DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network, or it can be configured to provide DHCP service directly to any client.
CHAPTER 46 | DHCP Commands DHCP Client DEFAULT SETTING Class identifier option enabled, with the name GTL-2691 COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ Use this command without any keyword to restore the default setting. ◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
EXAMPLE Console(config)#interface vlan 2 Console(config-if)#ip dhcp client class-id hex 000099669966 Console(config-if)# RELATED COMMANDS ip dhcp restart client (1364) ip dhcp inform This command submits a DHCP request for information about the default domain name server and default gateway from a VLAN interface configured with a static IPv4 address. Use the no form to stop this request.
ip dhcp restart client This command submits a BOOTP or DHCP client request. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE ◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command. ◆ DHCP requires the server to reassign the client’s last address if available.
DHCP RELAY This section describes commands used to configure DHCP relay functions for host devices attached to the switch.
DHCP Relay for IPv4 RELATED COMMANDS ip dhcp restart relay (1366) ip dhcp restart relay This command enables DHCP relay for the specified VLAN. Use the no form to disable it. DEFAULT SETTING Disabled COMMAND MODE Privileged Exec COMMAND USAGE This command is used to configure DHCP relay functions for host devices attached to the switch.
DHCP Relay for IPv6 ipv6 dhcp relay destination This command specifies the destination address or VLAN to which client messages are forwarded for DHCP service. Use the no form to remove an entry. SYNTAX [no] ipv6 dhcp relay destination {ipv6-address | multicast {all | vlan vlan-id}} ipv6-address - A full IPv6 address including the network prefix and host address bits. This address may designate another relay server or a DHCPv6 server.
DHCP Server EXAMPLE Console(config)#interface vlan 1 Console(config-if)#ipv6 dhcp relay destination 2001:0DB8:3000:3000::42 Console(config-if)# show ipv6 dhcp relay destination This command shows the destination addresses or VLAN to which client messages are forwarded for DHCP relay service. SYNTAX show ipv6 dhcp relay destination interface [vlan vlan-id] vlan-id - ID of configured VLAN.
Table 186: DHCP Server Commands (Continued)
Command | Function | Mode
lease | Sets the duration an IP address is assigned to a DHCP client | DC
netbios-name-server | Configures NetBIOS Windows Internet Naming Service (WINS) name servers available to Microsoft DHCP clients | DC
netbios-node-type | Configures NetBIOS node type for Microsoft DHCP clients | DC
network | Configures the subnet number and mask for a DHCP address pool | DC
next-server | Configures the next server i
ip dhcp pool This command configures a DHCP address pool and enters DHCP Pool Configuration mode. Use the no form to remove the address pool. SYNTAX [no] ip dhcp pool name name - A string or integer. (Range: 1-8 characters) DEFAULT SETTING DHCP address pools are not configured. COMMAND MODE Global Configuration USAGE GUIDELINES ◆ After executing this command, the switch changes to DHCP Pool Configuration mode, identified by the (config-dhcp)# prompt.
COMMAND USAGE If the DHCP server is running, you must restart it to implement any configuration changes. EXAMPLE Console(config)#service dhcp Console(config)# bootfile This command specifies the name of the default boot image for a DHCP client. This file should be placed on the Trivial File Transfer Protocol (TFTP) server specified with the next-server command. Use the no form to delete the boot image name.
COMMAND MODE DHCP Pool Configuration COMMAND USAGE ◆ This command identifies a DHCP client to bind to an address specified in the host command. If both a client identifier and hardware address are configured for a host address, the client identifier takes precedence over the hardware address in the search procedure. ◆ BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.
dns-server This command specifies the Domain Name System (DNS) IP servers available to a DHCP client. Use the no form to remove the DNS server list. SYNTAX dns-server address1 [address2] no dns-server address1 - Specifies the IP address of the primary DNS server. address2 - Specifies the IP address of the alternate DNS server.
hardware-address This command specifies the hardware address of a DHCP client. This command is valid for manual bindings only. Use the no form to remove the hardware address. SYNTAX hardware-address hardware-address type no hardware-address hardware-address - Specifies the MAC address of the client device.
COMMAND MODE DHCP Pool Configuration USAGE GUIDELINES ◆ Host addresses must fall within the range specified for an existing network pool. ◆ When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server). If there is no gateway in the client request (i.e.
hours - Specifies the number of hours in the lease. A days value must be supplied before you can configure hours. (Range: 0-23) minutes - Specifies the number of minutes in the lease. A days and hours value must be supplied before you can configure minutes. (Range: 0-59) infinite - Specifies that the lease time is unlimited. This option is normally used for addresses manually bound to a BOOTP client via the host command.
EXAMPLE Console(config-dhcp)#netbios-name-server 10.1.0.33 10.1.0.34 Console(config-dhcp)# RELATED COMMANDS netbios-node-type (1377) netbios-node-type This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type.
COMMAND MODE DHCP Pool Configuration USAGE GUIDELINES ◆ When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server). If there is no gateway in the client request (i.e., the request was not forwarded by a relay server), the switch searches for a network pool matching the interface through which the client request was received.
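The usage notes for the client-identifier, host and network commands describe one search procedure: pick the network pool from the relay agent address if the request was relayed, otherwise from the ingress interface, then look for a manual binding inside that pool by client identifier before hardware address. The following is an added example that models that procedure in Python; it is not the switch's firmware. The pool names, the second host binding and the request values are constructed (the 192.1.3.21 / 00-00-e8-98-73-21 pair is taken from the show ip dhcp binding example later in this chapter). Note that neither chaddr nor the client identifier is authenticated by DHCP, so a manual binding is an allocation rule, not an access control: any client can present either value.

```python
"""DHCP server pool selection and manual-binding lookup.

Added example, not the switch's own code. It models the search order the
command usage notes describe: pick a network pool by relay-agent address
(giaddr) or by ingress interface, then match a manual host binding by
client identifier before hardware address. Pool/host names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NetworkPool:
    name: str
    network: str                      # `network` command, e.g. "192.1.3.0/24"


@dataclass
class HostPool:
    name: str
    address: str                      # `host` command (manual binding)
    client_identifier: Optional[bytes] = None   # `client-identifier`
    hardware_address: Optional[str] = None      # `hardware-address`


@dataclass
class Request:
    chaddr: str                       # client hardware address from the DHCP header
    ingress_network: str              # subnet of the VLAN interface the request arrived on
    giaddr: str = "0.0.0.0"           # relay agent address; 0.0.0.0 when not relayed
    client_identifier: Optional[bytes] = None   # option 61; BOOTP clients cannot send one


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr, strict=False)


def norm_mac(mac: str) -> str:
    """Canonical form so 00-00-E8-98-73-21 and 00:00:e8:98:73:21 compare equal."""
    return mac.replace(":", "-").lower()


def validate_host_pools(networks: List[NetworkPool], hosts: List[HostPool]) -> None:
    """Host addresses must fall within the range of an existing network pool,
    and a manual binding needs at least one identifier to match on."""
    for h in hosts:
        if not any(ipaddress.IPv4Address(h.address) in _net(n.network) for n in networks):
            raise ValueError(f"host pool {h.name}: {h.address} is outside every network pool")
        if h.client_identifier is None and h.hardware_address is None:
            raise ValueError(f"host pool {h.name}: needs a client identifier or hardware address")


def select_network_pool(networks: List[NetworkPool], req: Request) -> Optional[NetworkPool]:
    giaddr = ipaddress.IPv4Address(req.giaddr)
    if int(giaddr) != 0:   # relayed: the pool containing the relay agent's address
        return next((n for n in networks if giaddr in _net(n.network)), None)
    return next((n for n in networks if _net(n.network) == _net(req.ingress_network)), None)


def select_manual_binding(hosts: List[HostPool], pool: NetworkPool, req: Request) -> Optional[HostPool]:
    candidates = [h for h in hosts if ipaddress.IPv4Address(h.address) in _net(pool.network)]
    if req.client_identifier is not None:   # client identifier takes precedence
        for h in candidates:
            if h.client_identifier == req.client_identifier:
                return h
    for h in candidates:
        if h.hardware_address is not None and norm_mac(h.hardware_address) == norm_mac(req.chaddr):
            return h
    return None


def offer(networks: List[NetworkPool], hosts: List[HostPool], req: Request) -> Optional[Tuple[str, Optional[str]]]:
    """Return (pool name, manually bound address or None for a dynamic lease),
    or None when no pool serves the client's subnet and the request is ignored."""
    pool = select_network_pool(networks, req)
    if pool is None:
        return None
    binding = select_manual_binding(hosts, pool, req)
    return pool.name, (binding.address if binding else None)


# Constructed sample configuration; 192.1.3.21 / 00-00-E8-98-73-21 come from this chapter's example.
NETWORKS = [NetworkPool("lan3", "192.1.3.0/24")]
HOSTS = [
    HostPool("printer", "192.1.3.21", hardware_address="00-00-E8-98-73-21"),
    HostPool("pc1", "192.1.3.50", client_identifier=b"\x01\x00\x00\xe8\x98\x73\x21"),
]
validate_host_pools(NETWORKS, HOSTS)
```

The second sample binding deliberately carries a client identifier built from the printer's MAC: a request that presents both gets the pc1 address, which is the precedence rule the client-identifier command describes.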
EXAMPLE Console(config-dhcp)#next-server 10.1.0.21 Console(config-dhcp)# RELATED COMMANDS bootfile (1371) clear ip dhcp binding This command deletes an automatic address binding from the DHCP server database. SYNTAX clear ip dhcp binding {address | *} address - The address of the binding to clear. * - Clears all automatic bindings. DEFAULT SETTING None COMMAND MODE Privileged Exec USAGE GUIDELINES ◆ An address specifies the client’s IP address.
DEFAULT SETTING None COMMAND MODE Normal Exec, Privileged Exec EXAMPLE
Console#show ip dhcp binding
IP               MAC                Lease Time  Start (dd/hh/mm/ss)
---------------  -----------------  ----------  --------------------
192.1.3.21       00-00-e8-98-73-21  86400       Dec 25 08:01:57 2002
Console#
show ip dhcp This command displays DHCP address pools configured on the switch.
47 VRRP COMMANDS Virtual Router Redundancy Protocol (VRRP) uses a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
CHAPTER 47 | VRRP Commands vrrp authentication This command specifies the key used to authenticate VRRP packets received from other routers. Use the no form to prevent authentication. SYNTAX vrrp group authentication key no vrrp group authentication group - Identifies the virtual router group. (Range: 1-255) key - Authentication string. (Range: 1-8 alphanumeric characters) DEFAULT SETTING No key is defined.
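The key configured with this command is the simple text password of VRRPv2 (authentication type 1 in RFC 2338): it is copied verbatim into the 8-byte Authentication Data field of every advertisement the master multicasts to 224.0.0.18, so any host on the VLAN can read it from one packet and then send its own advertisements. It prevents accidental mis-grouping, not takeover by an on-link attacker, which is why RFC 3768 removed authentication from VRRP. The following added example (not firmware code) builds and parses such an advertisement to show this; the group number, address and key "bluebird" are taken from the show vrrp interface output later in this chapter, and priority 100 and a single address are constructed.

```python
"""VRRPv2 advertisement with simple-text authentication (RFC 2338 format).

Added example, not the switch's own code: it shows what the key configured
with `vrrp group authentication key` looks like on the wire.
"""
import ipaddress
import struct

VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE_TEXT = 0, 1
HEADER = "!BBBBBBH"   # version/type, VRID, priority, count IP addrs, auth type, adver int, checksum


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def virtual_mac(vrid: int) -> str:
    """IANA-assigned VRRP virtual MAC: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00-00-5E-00-01-{vrid:02X}"


def build_advertisement(vrid: int, priority: int, adver_int: int, addresses, auth_key: str = None) -> bytes:
    """Encode a VRRPv2 ADVERTISEMENT. A 1-8 character `auth_key` selects authentication
    type 1 (simple text); the key is stored in clear, NUL-padded to 8 bytes."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    if auth_key is None:
        auth_type, auth_data = AUTH_NONE, bytes(8)
    else:
        if not 1 <= len(auth_key) <= 8:
            raise ValueError("simple-text key must be 1-8 characters")
        auth_type, auth_data = AUTH_SIMPLE_TEXT, auth_key.encode("ascii").ljust(8, b"\x00")
    addr_bytes = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    body = struct.pack(HEADER, (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT, vrid, priority,
                       len(addresses), auth_type, adver_int, 0) + addr_bytes + auth_data
    checksum = internet_checksum(body)
    return body[:6] + struct.pack("!H", checksum) + body[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Decode an advertisement exactly as any host on the VLAN could."""
    if len(pkt) < 16 or internet_checksum(pkt) != 0:
        raise ValueError("truncated packet or bad checksum")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack(HEADER, pkt[:8])
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("address count does not match packet length")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = pkt[8 + 4 * count:]
    key = auth_data.rstrip(b"\x00").decode("ascii") if auth_type == AUTH_SIMPLE_TEXT else None
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int, "addresses": addrs,
            "auth_type": auth_type, "auth_key": key, "virtual_mac": virtual_mac(vrid)}


if __name__ == "__main__":
    # Constructed from this chapter's show vrrp example: group 1, 192.168.1.6, key "bluebird".
    pkt = build_advertisement(1, 100, 5, ["192.168.1.6"], "bluebird")
    print(pkt.hex())                 # the ASCII of "bluebird" is visible in the last 8 bytes
    print(parse_advertisement(pkt))
```

The checksum only detects corruption; an attacker who rewrites the priority byte simply recomputes it. Treat VRRP membership as a layer-2 trust decision: keep the VLAN that carries advertisements limited to the participating routers rather than relying on this key.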
COMMAND MODE Interface (VLAN) COMMAND USAGE ◆ The interfaces of all routers participating in a virtual router group must be within the same IP subnet. ◆ If the IP address assigned to the virtual router with this command is already configured as the primary address on this interface, this router is considered the Owner, and will assume the role of the Master virtual router in the group.
COMMAND USAGE ◆ If preempt is enabled, and this backup router has a priority higher than the current acting master, it will take over as the new master. However, note that if the original master (i.e., the owner of the VRRP IP address) comes back on line, it will always resume control as the master. ◆ The delay can give additional time to receive an advertisement message from the current master before taking control.
◆ If the backup preempt function is enabled with the vrrp preempt command, and a backup router with a priority higher than the current acting master comes on line, this backup router will take over as the new acting master. However, note that if the original master (i.e., the owner of the VRRP IP address) comes back on line, it will always resume control as the master.
EXAMPLE Console(config-if)#vrrp 1 timers advertise 5 Console(config-if)# clear vrrp interface counters This command clears VRRP system statistics for the specified group and interface. SYNTAX clear vrrp group interface interface counters group - Identifies a VRRP group. (Range: 1-255) interface - Identifier of configured VLAN interface.
COMMAND MODE Privileged Exec COMMAND USAGE ◆ Use this command without any keywords to display the full listing of status information for all VRRP groups configured on this router. ◆ Use this command with the brief keyword to display a summary of status information for all VRRP groups configured on this router. ◆ Specify a group number to display status information for a specific group. EXAMPLE This example displays the full listing of status information for all groups.
Table 188: show vrrp - display description (Continued) Field Description Master Advertisement interval The advertisement interval configured on the VRRP master. Master down interval The down interval configured on the VRRP master (This interval is used by all the routers in the group regardless of their local settings) This example displays the brief listing of status information for all groups.
EXAMPLE This example displays the full listing of status information for VLAN 1.
Console#show vrrp interface vlan 1
VLAN 1 - Group 1, State Master
  Virtual IP Address 192.168.1.6
  Virtual MAC Address 00-00-5E-00-01-01
  Advertisement Interval 5 sec
  Preemption Enabled
  Min Delay 10 sec
  Priority 1
  Authentication SimpleText
  Authentication Key bluebird
  Master Router 192.168.1.
show vrrp router counters This command displays counters for errors found in VRRP protocol packets. COMMAND MODE Privileged Exec EXAMPLE Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number.
48 IP INTERFACE COMMANDS An IP Version 4 or Version 6 address may be used for management access to the switch over the network. IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
CHAPTER 48 | IP Interface Commands IPv4 Interface BASIC IPV4 CONFIGURATION This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs. ◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets.
ip default-gateway This command specifies the default gateway for destinations not found in the local routing tables. Use the no form to remove a default gateway. SYNTAX ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway DEFAULT SETTING No default gateway is established. COMMAND MODE Global Configuration COMMAND USAGE ◆ The default gateway can also be defined using the following command: ip route 0.0.0.0 0.0.0.
RELATED COMMANDS ip route (1448) show ip route (1450) ipv6 default-gateway (1408) show ip interface This command displays the settings of an IPv4 interface. COMMAND MODE Privileged Exec EXAMPLE
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 00-00-E8-93-82-A0
  Index: 1001, MTU: 1500
  Address Mode is User specified
  IP Address: 192.168.0.2 Mask: 255.255.255.
ICMP Statistics: ICMP received 45 input 45 errors 45 destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages ICMP sent 45 output errors 45 destination unreachable messages time exceeded messages parameter problem message echo request message
◆ A trace terminates when the destination responds, when the maximum time-to-live (TTL) is exceeded, or when the maximum number of hops is exceeded. ◆ The traceroute command first sends probe datagrams with the TTL value set to one. This causes the first router to discard the datagram and return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message.
COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten seconds, depending on network traffic. ■ Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds.
ARP CONFIGURATION This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
EXAMPLE Console(config)#arp 10.1.0.19 01-02-03-04-05-06 Console(config)# RELATED COMMANDS clear arp-cache (1401) show arp (1402) arp timeout This command sets the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache. Use the no form to restore the default timeout. SYNTAX arp timeout seconds no arp timeout seconds - The time a dynamic entry remains in the ARP cache.
ip proxy-arp This command enables proxy Address Resolution Protocol (ARP). Use the no form to disable proxy ARP. SYNTAX [no] ip proxy-arp DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ Proxy ARP allows a non-routing device to determine the MAC address of a host on another subnet or network. ◆ End stations that require Proxy ARP must view the entire network as a single network. ◆ Because the switch answers ARP requests for addresses that are not its own when this feature is enabled, enable it only on interfaces where hosts cannot be given a default gateway.
show arp This command displays entries in the Address Resolution Protocol (ARP) cache. COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE ◆ This command displays information about the ARP cache. The first line shows the cache timeout. It also shows each cache entry, including the IP address, MAC address, type (static, dynamic, other), and VLAN interface. Note that entry type “other” indicates local addresses for this router.
UDP HELPER CONFIGURATION User Datagram Protocol (UDP) Helper allows host applications to forward UDP broadcast packets from this switch to another part of the network. This section describes the commands used to configure UDP Helper.
EXAMPLE This example enables forwarding for DHCPv6 UDP packets. Console(config)#ip forward-protocol udp 547 Console(config)# ip helper This command enables UDP helper globally on the switch. Use the no form to disable this feature. SYNTAX [no] ip helper DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE ◆ Network hosts occasionally use UDP broadcasts to determine information such as address configuration and domain name mapping.
ip helper-address This command specifies the application server or subnet (indicated by a directed broadcast address) to which designated UDP broadcast packets are forwarded. Use the no form to remove a UDP helper address. SYNTAX [no] ip helper-address ip-address ip-address - Host address or directed broadcast address to which UDP broadcast packets are forwarded.
EXAMPLE This example indicates that designated UDP broadcast packets are to be forwarded to the directed broadcast address of 192.168.2.255. Console(config)#interface vlan 1 Console(config-if)#ip helper-address 192.168.2.255 Console(config-if)# show ip helper This command displays configuration settings for UDP helper.
IPV6 INTERFACE This switch supports the following IPv6 interface commands.
Table 195: IPv6 Configuration Commands (Continued)
Command | Function | Mode
ipv6 nd ra interval | Configures the interval between the transmission of router advertisements on an interface | IC
ipv6 nd ra lifetime | Configures the router lifetime value used in router advertisements sent from an interface | IC
ipv6 nd ra router-preference | Configures the default router preference for the router on an interface | IC
ipv6 nd ra suppress | Suppresses router advert
◆ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the router.
◆ When configuring a global IPv6 address for a static tunnel, the link-local address generated by this command is the 32-bit IPv4 address of the underlying source interface, with the bytes in the same order in which they would appear in the header of an IPv4 packet, padded at the left with zeros to a total of 64 bits. Note that the “Universal/Local” bit is zero, indicating that the interface identifier is not globally unique.
ipv6 address eui-64 This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
CHAPTER 48 | IP Interface Commands IPv6 Interface ◆ For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE1C-82-35.
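The two interface-identifier derivations described above (the IPv4-based identifier of a static tunnel's link-local address, and the modified EUI-64 identifier that ipv6 address eui-64 builds from the MAC), worked through in code. This is an added example, not firmware code from the switch; the MAC and IPv4 values are taken from the manual's own examples, and the solicited-node group derivation is included because those groups appear under “Joined group address(es)” in the show ipv6 interface output.

```python
"""EUI-64 and IPv4-derived IPv6 interface identifiers (added illustration)."""
from ipaddress import IPv4Address, IPv6Address
from typing import Optional

LINK_LOCAL_PREFIX = b"\xfe\x80" + b"\x00" * 6                       # fe80::/64
SOLICITED_NODE_PREFIX = bytes.fromhex("ff02 0000 0000 0000 0000 0001 ff")  # ff02::1:ff00:0/104


def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291, Appendix A).

    The universal/local bit (0x02 of the first octet) is inverted and FF-FE is
    inserted between the 24-bit OUI and the 24 device-specific bits.
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def format_iid(iid: bytes) -> str:
    """Hyphen-separated upper-case hex pairs, the notation the manual uses."""
    return "-".join(f"{b:02X}" for b in iid)


def link_local_from_mac(mac: str) -> IPv6Address:
    """fe80::/64 plus the modified EUI-64 ID, i.e. what 'ipv6 address eui-64' derives."""
    return IPv6Address(LINK_LOCAL_PREFIX + modified_eui64(mac))


def tunnel_link_local(ipv4_source: str) -> IPv6Address:
    """Link-local address of a configured tunnel: the interface ID is the 32-bit IPv4
    source address in wire byte order, left-padded with zeros to 64 bits. The
    universal/local bit is therefore 0 (identifier not globally unique)."""
    iid = b"\x00" * 4 + IPv4Address(ipv4_source).packed
    return IPv6Address(LINK_LOCAL_PREFIX + iid)


def solicited_node(address: str) -> IPv6Address:
    """Solicited-node multicast group for an address: ff02::1:ffXX:XXXX, where
    XX:XXXX are the low-order 24 bits of the unicast address."""
    return IPv6Address(SOLICITED_NODE_PREFIX + IPv6Address(address).packed[-3:])


def mac_from_eui64_address(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address. This is the privacy cost of
    EUI-64: the hardware address is visible to every peer. Returns None when the
    FF-FE marker is absent (manually assigned or privacy addresses)."""
    iid = IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return format_iid(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


if __name__ == "__main__":
    print(format_iid(modified_eui64("28-9F-18-1C-82-35")))
    print(link_local_from_mac("00-E0-0C-9C-CA-10"))
    print(tunnel_link_local("192.168.2.1"))
    print(solicited_node("2001:DB8:2222:7272::72"))
    print(mac_from_eui64_address("FE80::2E0:CFF:FE9C:CA10"))
```

The MAC 00-E0-0C-9C-CA-10 reproduces the FE80::2E0:CFF:FE9C:CA10 neighbor shown later in the show ipv6 neighbors output, and mac_from_eui64_address reverses it, which is why privacy-sensitive deployments prefer manually assigned or randomized identifiers over eui-64.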
ipv6 address link-local This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface. SYNTAX ipv6 address ipv6-address link-local no ipv6 address [ipv6-address link-local] ipv6-address - The IPv6 address assigned to the interface.
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
Console#
RELATED COMMANDS ipv6 enable (1414) show ipv6 interface (1416)
ipv6 enable This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address.
Link-local address: FE80::200:E8FF:FE93:82A0/64
Global unicast address(es): 2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96
Joined group address(es):
FF02::1:2
FF02::1:FF00:72
FF02::1:FF00:0
FF02::1:FF93:82A0
FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 2.
◆ IPv6 must be enabled on an interface before the MTU can be set.
EXAMPLE The following example sets the MTU for VLAN 1 to 1280 bytes (the minimum link MTU IPv6 permits):
Console(config)#interface vlan 1
Console(config-if)#ipv6 mtu 1280
Console(config-if)#
RELATED COMMANDS show ipv6 mtu (1418) jumbo frame (776)
show ipv6 interface This command displays the usability and configured settings for IPv6 interfaces.
FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 2.
This example displays a brief summary of IPv6 addresses configured on the switch.
show ipv6 traffic This command displays statistics about IPv6 traffic passing through this switch.
3 neighbor solicit messages
neighbor advertisement messages
redirect messages
group membership query messages
group membership response messages
group membership reduction messages
multicast listener discovery version 2 reports
UDP Statistics:
input
no port errors
other errors
output
Console#
Table 198: show ipv6 traffic - display description
Field - Description
IPv6 Statistics
IPv6 received
total received - The total number of input datagrams received by
Table 198: show ipv6 traffic - display description (Continued)
reassembly succeeded - The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed, which is not necessarily the input interface for some of the fragments.
Table 198: show ipv6 traffic - display description (Continued)
echo request messages - The number of ICMPv6 Echo (request) messages received by the interface.
echo reply messages - The number of ICMPv6 Echo Reply messages received by the interface.
router solicit messages - The number of ICMPv6 Router Solicit messages received by the interface.
Table 198: show ipv6 traffic - display description (Continued)
group membership response messages - The number of ICMPv6 Group Membership Response messages sent.
group membership reduction messages - The number of ICMPv6 Group Membership Reduction messages sent.
multicast listener discovery version 2 reports - The number of MLDv2 reports sent by the interface.
size - Number of bytes in a packet. (Range: 0-1500 bytes) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
DEFAULT SETTING count: 5; size: 0 bytes
COMMAND MODE Privileged Exec
COMMAND USAGE ◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
traceroute6 This command shows the route packets take to the specified destination. SYNTAX traceroute6 {ipv6-address | host-name} ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Hop  Packet 1  Packet 2  Packet 3  IPv6 Address
---  --------  --------  --------  -----------------------------
1    <10 ms    <10 ms    <10 ms    FE80::2E0:CFF:FE9C:CA10%1/64
Trace completed.
Console#
Neighbor Discovery
ipv6 hop-limit This command configures the maximum number of hops used in router advertisements that are originated by this router. Use the no form to restore the default setting.
vlan-id - VLAN ID (Range: 1-4093) hardware-address - The 48-bit MAC layer address for the neighbor device. This address must be formatted as six hexadecimal pairs separated by hyphens. DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE ◆ Address Resolution Protocol (ARP) has been replaced in IPv6 with the Neighbor Discovery Protocol (NDP).
ipv6 nd dad attempts This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting. SYNTAX ipv6 nd dad attempts count no ipv6 nd dad attempts count - The number of neighbor solicitation messages sent to determine whether or not a duplicate address exists on this interface.
EXAMPLE The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd dad attempts 5
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
◆ The ipv6 nd other-config-flag command is used to tell hosts that they should use stateful autoconfiguration to get other non-address parameters (such as DNS server addresses) from DHCPv6 servers. ◆ The absence of the “managed-address configuration” flag tells hosts to use only stateless address autoconfiguration (based on IPv6 prefixes found in router advertisements). ◆ The “managed address configuration” flag is only a suggestion to attached hosts. ◆ Router advertisements are not authenticated, so any node on the link that is allowed to send them can set or clear these flags for every host; restrict which ports may source router advertisements on user-facing segments.
EXAMPLE The following tells hosts to use stateful autoconfiguration to obtain other non-address information from a DHCPv6 server:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd other-config-flag
Console(config-if)#
ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value.
FF02::2
FF02::1:FF00:0
FF02::1:2
FF02::1:FF9C:CA10
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 2.
EXAMPLE The following sets the reachable time for a remote node to 1000 milliseconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd reachable-time 1000
Console(config-if)#
RELATED COMMANDS show ipv6 neighbors (1437)
ipv6 nd prefix This command configures the IPv6 prefixes to include in router advertisements. Use the no form to remove a prefix.
COMMAND USAGE ◆ Prefixes configured as addresses on an interface using the ipv6 address command are advertised in router advertisements. If prefixes are configured for advertisement using the ipv6 nd prefix command, then only these prefixes are advertised. ◆ The preferred lifetime and valid lifetime are counted down in real time. After the preferred lifetime expires, no new connections are made using this prefix.
by the system (33% of the maximum RA interval) and the maximum value set by the ipv6 nd ra interval command.
EXAMPLE The following sets the maximum RA interval to 1800 seconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd ra interval 1800
Console(config-if)#
ipv6 nd ra lifetime This command configures the router lifetime value used in IPv6 router advertisements sent from an interface. Use the no form to restore the default setting.
ipv6 nd ra router-preference This command configures the default router preference for the router on an interface. Use the no form to restore the default setting. SYNTAX ipv6 nd ra router-preference {high | medium | low} no ipv6 nd ra router-preference high - Preference for the router is high. medium - Preference for the router is medium. low - Preference for the router is low.
EXAMPLE The following suppresses router advertisements on the current interface:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd ra suppress
Console(config-if)#
clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
IPv6 Address             Age  Link-layer Addr    State  VLAN
FE80::2E0:CFF:FE9C:CA10  4    00-E0-0C-9C-CA-10  R      1
Console#
Table 199: show ipv6 neighbors - display description
Field - Description
IPv6 Address - IPv6 address of neighbor
Age - The time since the address was verified as reachable (in minutes). A static entry is indicated by the value “Permanent.”
Link-layer Addr - Physical layer MAC address.
CHAPTER 48 | IP Interface Commands IPv6 to IPv4 Tunnels IPV6 TO IPV4 TUNNELS This switch supports connection between isolated IPv6 nodes over IPv4 networks using manually configured tunnels (RFC 2893), as well as the connection of isolated IPv6 domains over IPv4 clouds without explicit tunnel configuration (RFC 3056).
7. Bind the tunnel to a VLAN with the tunnel source vlan command. 8. Assign an IPv6 global unicast address to the tunnel using the ipv6 address command. 9. Then check your configuration settings using the show ipv6 tunnel command, and the interface status of the tunnel using the show ip interface or show ip interface brief command.
interface tunnel This command configures an IPv6 to IPv4 tunnel interface and enters tunnel configuration mode.
tunnel destination This command sets the IPv4 address of a tunnel destination (or far end-point of a tunnel). Use the no form to remove the assigned IPv4 address. SYNTAX tunnel destination ip-address no tunnel destination ip-address - IPv4 address of the device at the far end of the tunnel.
packets (by ensuring an IPv4 MTU of at least 1300 bytes is used) or by preventing frequent changes to IPv4 routing. ◆ Decapsulated packets, including those delivered to transport protocols on the decapsulating node, should be subject to ingress filtering. For bidirectionally configured tunnels this is done by verifying that the IPv4 source address of the encapsulating packet is the IPv4 address of the other end of the tunnel; a packet that fails this check is dropped rather than forwarded.
The 6to4 mechanism is typically implemented almost entirely in routers bordering between IPv4 and IPv6 domains. The tunnel end-point address of a 6to4 tunnel is determined dynamically by the tunnel source (the local end-point node) from the IPv6 6to4 destination address of the packet sent by the IPv6 6to4 hosts: the IPv4 address embedded in the 2002::/16 destination identifies the far end. The 6to4 endpoint address is constructed using “2002:Public IPv4 Address::/48” as the IPv6 address prefix.
tunnel end-point IPv4 address. This eliminates the need to explicitly configure the tunnel end-point address. ◆ The two tunneling techniques – configured and automatic – differ primarily in how they determine the tunnel end-point address. Most of the underlying mechanisms are the same: ■ The entry node of the tunnel (the encapsulating node) creates an encapsulating IPv4 header and transmits the encapsulated packet.
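The encapsulation and the decapsulation-side source check described in the last few paragraphs, as an added example that is not part of the manual or the switch firmware. It builds a protocol-41 packet (the outer IPv4 header with the TTL that tunnel ttl sets), parses it back, derives 6to4 prefixes and end-points from 2002::/16 addresses, and applies the ingress check for both tunnel types. The manual only spells out the check for configured tunnels; the 6to4 variant (embedded IPv4 address must match the outer source, per RFC 3056 and RFC 3964) is added here and goes beyond the page. All addresses and packet bytes are constructed, not captured.

```python
"""IPv6-in-IPv4 (protocol 41) encapsulation and decapsulation source checks (added)."""
import struct
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

PROTO_IPV6 = 41                      # IPv4 protocol number of an encapsulated IPv6 packet
SIX_TO_FOUR = IPv6Network("2002::/16")


def six_to_four_prefix(public_ipv4: str) -> IPv6Network:
    """The /48 a 6to4 site derives from its public IPv4 address: 2002:VVVV:VVVV::/48."""
    v4 = IPv4Address(public_ipv4)
    if v4.is_loopback or v4.is_multicast or v4.is_unspecified:
        raise ValueError("6to4 requires a routable unicast IPv4 address")
    prefix = IPv6Address(b"\x20\x02" + v4.packed + b"\x00" * 10)
    return IPv6Network(f"{prefix}/48")


def six_to_four_endpoint(ipv6_destination: str) -> IPv4Address:
    """The IPv4 tunnel end-point a 6to4 router extracts from a 2002::/16 destination."""
    dst = IPv6Address(ipv6_destination)
    if dst not in SIX_TO_FOUR:
        raise ValueError("not a 6to4 destination; a 6to4 relay would be needed")
    return IPv4Address(dst.packed[2:6])


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 for a header whose checksum field is valid."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_packet(src6: str, dst6: str, payload: bytes = b"") -> bytes:
    """Minimal inner IPv6 packet (next header 59 = no next header, hop limit 64)."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64,
                       IPv6Address(src6).packed, IPv6Address(dst6).packed) + payload


def encapsulate(src4: str, dst4: str, inner: bytes, ttl: int = 64) -> bytes:
    """What the encapsulating node emits: an IPv4 header (protocol 41, TTL as set by
    'tunnel ttl') in front of the unchanged IPv6 packet."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, ttl,
                         PROTO_IPV6, 0, IPv4Address(src4).packed, IPv4Address(dst4).packed)
    checksum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + checksum + header[12:] + inner


def decapsulate(packet: bytes):
    """Strip the outer header; returns (outer_src, inner_src, inner_dst, payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_IPV6 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid protocol-41 packet")
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not IPv6")
    return (IPv4Address(packet[12:16]), IPv6Address(inner[8:24]),
            IPv6Address(inner[24:40]), inner[40:])


def accept_configured(outer_src: IPv4Address, tunnel_destination: str) -> bool:
    """Ingress check for a configured tunnel: the encapsulating source must be the
    configured far end ('tunnel destination'); anything else is dropped."""
    return outer_src == IPv4Address(tunnel_destination)


def accept_6to4(outer_src: IPv4Address, inner_src: IPv6Address) -> bool:
    """Ingress check for 6to4 site-to-site traffic (RFC 3056 / RFC 3964): the IPv4 address
    embedded in the inner 2002::/16 source must equal the outer source. Packets whose inner
    source is not a 6to4 address (relay traffic) are rejected by this strict variant."""
    return inner_src in SIX_TO_FOUR and IPv4Address(inner_src.packed[2:6]) == outer_src


def tunnel_accepts(packet: bytes, mode: str, tunnel_destination: Optional[str] = None) -> bool:
    """Run the check appropriate to the tunnel type on a received protocol-41 packet."""
    outer_src, inner_src, _, _ = decapsulate(packet)
    if mode == "configured":
        return accept_configured(outer_src, tunnel_destination)
    if mode == "6to4":
        return accept_6to4(outer_src, inner_src)
    raise ValueError(f"unknown tunnel mode {mode!r}")
```

The check is what stops an IPv4 host from injecting IPv6 traffic into the tunnel by sending protocol-41 packets with a forged outer source: for a configured tunnel only the configured far end is accepted, and for 6to4 the outer IPv4 source has to match the address embedded in the inner IPv6 source.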
tunnel ttl This command configures the TTL (Time to Live) value stored in the IPv4 header of a packet used for tunneling IPv6 traffic. Use the no form to restore the default value. SYNTAX tunnel ttl ttl-value no tunnel ttl ttl-value - The TTL value of the IPv4 encapsulating packet.
The following example shows the interface status of the configured tunnels.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is stale.
Link-local address: (None)
Global unicast address(es): (None)
Joined group address(es):
FF02::1:2
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 2.
49 IP ROUTING COMMANDS After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.
CHAPTER 49 | IP Routing Commands Global Routing Configuration
Table 202: Global Routing Configuration Commands (Continued)
Command - Function (Mode)
show ip route summary - Displays summary information for the routing table (PE)
show ip traffic - Displays statistics for IP, ICMP, UDP, TCP and ARP protocols (PE)
IPv6 Commands
ipv6 route - Configures static routes (GC)
show ipv6 route - Displays specified entries in the routing table (PE)
IPv4 Commands
ip route This command configures static routes.
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used. ◆ Static routes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled by the RIP or OSPF redistribute command (see page 1463 or page 1485, respectively).
show ip host-route This command displays the interface associated with known routes. COMMAND MODE Privileged Exec
EXAMPLE
Console#show ip host-route
IP Address       MAC Address        VLAN  Port
---------------  -----------------  ----  ------
192.168.0.99     00-E0-29-94-34-64  1     1/1
192.168.1.250    00-00-30-01-01-01  3     1/1
10.2.48.2        00-00-30-01-01-02  1     1/1
10.2.5.6         00-00-30-01-01-03  1     1/2
10.3.9.
COMMAND MODE Privileged Exec COMMAND USAGE ◆ The FIB contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
Information Base (see Command Usage under the show ip route command).
EXAMPLE
Console#show ip route database
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info
C C *> 127.0.0.
IP sent
forwards datagrams
5927 requests
discards
no routes
generated fragments
fragment succeeded
fragment failed
ICMP Statistics:
ICMP received
input errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect messages
timestamp request messages
timestamp reply messages
source quench messages
address mask request messages
address mask reply messages
ICMP sent
outpu
IPv6 Commands
ipv6 route This command configures static IPv6 routes. Use the no form to remove static routes. SYNTAX [no] ipv6 route destination-ipv6-address/prefix-length {gateway-address [distance] | link-local-address%zone-id [distance] | tunnel interface-number} destination-ipv6-address – The IPv6 address of a destination network, subnetwork, or host. This must be a full IPv6 address including the network prefix and host address bits.
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used. ◆ Static IPv6 routes are included in the OSPFv3 updates periodically sent by the router if this feature is enabled by the OSPFv3 redistribute command (see page 1524).
COMMAND MODE Privileged Exec COMMAND USAGE ◆ The FIB contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
CHAPTER 49 | IP Routing Commands Routing Information Protocol (RIP) ROUTING INFORMATION PROTOCOL (RIP)
router rip This command enables Routing Information Protocol (RIP) routing for all IP interfaces on the router. Use the no form to disable it. SYNTAX [no] router rip COMMAND MODE Global Configuration DEFAULT SETTING Disabled COMMAND USAGE ◆ RIP is used to specify how routers exchange routing table information. ◆ This command is also used to enter router configuration mode.
RELATED COMMANDS ip route (1448) redistribute (1463)
default-metric This command sets the default metric assigned to external routes imported from other protocols. Use the no form to restore the default value. SYNTAX default-metric metric-value no default-metric metric-value – Metric assigned to external routes.
distance This command defines an administrative distance for external routes learned from other routing protocols. Use the no form to restore the default setting. SYNTAX [no] distance distance network-address netmask [acl-name] distance - Administrative distance for external routes. External routes are routes for which the best path is learned from a neighbor external to the local RIP autonomous system.
maximum-prefix This command sets the maximum number of RIP routes allowed by the system. Use the no form to restore the default setting. SYNTAX maximum-prefix maximum-routes no maximum-prefix maximum-routes - The maximum number of RIP routes which can be installed in the routing table.
EXAMPLE
Console(config-router)#neighbor 10.2.0.254
Console(config-router)#
RELATED COMMANDS passive-interface (1463)
network This command specifies the network interfaces that will be included in the RIP routing process. Use the no form to remove an entry. SYNTAX [no] network {ip-address netmask | vlan vlan-id} ip-address – IP address of a network directly connected to this router. netmask - Network mask for the route.
passive-interface This command stops RIP from sending routing updates on the specified interface. Use the no form to disable this feature. SYNTAX [no] passive-interface vlan vlan-id vlan-id - VLAN ID.
COMMAND MODE Router Configuration COMMAND USAGE ◆ When a metric value has not been configured by the redistribute command, the default-metric command sets the metric value to be used for all imported external routes. ◆ A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics. ◆ It is advisable to use a low metric when redistributing routes from another protocol into RIP, since RIP treats a metric of 16 as unreachable.
timers basic This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults. SYNTAX timers basic update timeout garbage no timers basic update – Sets the update timer to the specified value. (Range: 5-2147483647 seconds) timeout – Sets the timeout timer to the specified value. (Range: 90-360 seconds) garbage – Sets the garbage collection timer to the specified value.
version This command specifies a RIP version used globally by the router. Use the no form to restore the default value. SYNTAX version {1 | 2} no version 1 - RIP Version 1 2 - RIP Version 2 DEFAULT SETTING Receive: Accepts RIPv1 or RIPv2 packets. Send: Route information is broadcast to other routers with RIPv2.
ip rip authentication mode This command specifies the type of authentication used for RIPv2 packets. Use the no form to restore the default value. SYNTAX ip rip authentication mode {md5 | text} no ip rip authentication mode md5 - Message Digest 5 (MD5) authentication text - Indicates that a simple password will be used. Note that with text mode the password is carried unencrypted in every RIPv2 packet, so anyone able to capture traffic on the segment can read it; md5 mode carries only a keyed digest and is the mode to use wherever routing updates must not be injected by untrusted hosts.
ip rip authentication string This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key. SYNTAX ip rip authentication string key-string no ip rip authentication string key-string - A password used for authentication.
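What the two authentication modes put on the wire, as an added example that is not part of the manual or the switch firmware. The encoder follows the RIPv2 simple-password entry of RFC 2453 and the keyed-MD5 authentication entry and trailer of RFC 2082 as I read them (authentication entry of 20 octets carrying the packet length, key ID, sequence number; trailer entry 0xFFFF/0x0001 followed by the 16-octet digest computed over the packet with the zero-padded key appended). The routes, password and key are constructed values.

```python
"""RIPv2 authentication on the wire: simple password vs. keyed MD5 (added illustration)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_AUTH = 0xFFFF        # address family value that marks an authentication entry
AUTH_SIMPLE = 2          # RFC 2453: 16-octet clear-text password
AUTH_MD5 = 3             # RFC 2082: keyed MD5
AUTH_TRAILER = 1         # RFC 2082: trailer entry that carries the 16-octet digest
MD5_DIGEST_LEN = 16


def _header() -> bytes:
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)


def _route_entry(prefix, mask, next_hop, metric) -> bytes:
    """One 20-octet RIPv2 route entry (AFI 2 = IPv4, route tag 0)."""
    return struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)


def _pad_key(key: bytes) -> bytes:
    if len(key) > 16:
        raise ValueError("RIP keys are at most 16 octets")
    return key.ljust(16, b"\x00")


def build_simple_auth(password: bytes, routes) -> bytes:
    """'ip rip authentication mode text': the password rides in the first entry, unencrypted."""
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, _pad_key(password))
    return _header() + auth + b"".join(_route_entry(*r) for r in routes)


def sniff_simple_password(packet: bytes):
    """What anyone capturing RIP traffic on the segment recovers from a text-mode packet."""
    afi, auth_type = struct.unpack_from("!HH", packet, 4)
    if afi == AFI_AUTH and auth_type == AUTH_SIMPLE:
        return packet[8:24].rstrip(b"\x00")
    return None


def build_md5_auth(key: bytes, key_id: int, sequence: int, routes) -> bytes:
    """'ip rip authentication mode md5': digest = MD5(packet up to the trailer header || key)."""
    body = b"".join(_route_entry(*r) for r in routes)
    packet_len = 4 + 20 + len(body)            # offset of the trailer from the RIP header
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, packet_len, key_id,
                       MD5_DIGEST_LEN, sequence, b"\x00" * 8)
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    unsigned = _header() + auth + body + trailer
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest


def verify_md5_auth(packet: bytes, key: bytes, last_sequence: int = -1):
    """Receiver-side check. Returns (accepted, sequence). A packet whose sequence
    number is lower than the last accepted one is treated as a replay and refused."""
    try:
        afi, auth_type, packet_len, _key_id, auth_len, sequence = \
            struct.unpack_from("!HHHBBI", packet, 4)
    except struct.error:
        return False, None
    if afi != AFI_AUTH or auth_type != AUTH_MD5 or auth_len != MD5_DIGEST_LEN:
        return False, None
    if len(packet) != packet_len + 4 + MD5_DIGEST_LEN:
        return False, None
    if struct.unpack_from("!HH", packet, packet_len) != (AFI_AUTH, AUTH_TRAILER):
        return False, None
    expected = hashlib.md5(packet[:packet_len + 4] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[packet_len + 4:]):
        return False, None           # wrong key, or any byte of the update was altered
    if sequence < last_sequence:
        return False, sequence       # replayed update
    return True, sequence
```

The point of the contrast: with text mode the key itself is in the packet, so recovering it is a matter of reading 16 bytes, while in md5 mode a forged or modified update fails the digest check and a replayed one fails the sequence check. The keyed digest still does not hide the route contents, and the key ID makes staged key rollover possible.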
COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ Use this command to override the global setting specified by the RIP version command. ◆ You can specify the receive version based on these options: ■ Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2, respectively.
EXAMPLE
Console(config)#interface vlan 1
Console(config-if)#ip rip receive-packet
Console(config-if)#
RELATED COMMANDS ip rip send-packet (1471)
ip rip send version This command specifies a RIP version to send on an interface. Use the no form to restore the default value. SYNTAX ip rip send version {1 | 2 | 1-compatible} no ip rip send version 1 - Sends only RIPv1 packets. 2 - Sends only RIPv2 packets.
RELATED COMMANDS version (1466)
ip rip send-packet This command configures the interface to send RIP packets. Use the no form to disable this feature.
COMMAND USAGE ◆ Split horizon never propagates routes back to an interface from which they have been acquired. ◆ Poison reverse propagates routes back to an interface port from which they have been acquired, but sets the distance-vector metrics to infinity. (This provides faster convergence.
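The two update rules above, worked through as an added example (not firmware code; the router names, interface names and prefixes are constructed). rip_update builds the entries one router advertises out of a given interface under each rule, and receive_update applies RFC 2453 section 3.9.2 processing at the peer, so the test can show the case the rules exist for: a router that has just lost a connected route being told about that same route by the neighbour that learned it from it.

```python
"""Split horizon and poison reverse in RIP advertisements (added illustration)."""

RIP_INFINITY = 16   # RIP metric meaning "unreachable"
MODES = ("none", "split-horizon", "poison-reverse")


def table_routes(table):
    """Flatten {prefix: (metric, learned_from)} into (prefix, metric, learned_from) tuples."""
    return [(prefix, metric, learned_from) for prefix, (metric, learned_from) in table.items()]


def rip_update(routes, out_interface, mode):
    """Return the (prefix, metric) entries to advertise on out_interface.

    routes: iterable of (prefix, metric, learned_from); learned_from is the
    interface the route was received on, or None for connected/static routes.
    The advertised metric is the sender's own; the receiver adds the link cost.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    update = []
    for prefix, metric, learned_from in routes:
        if learned_from == out_interface and mode == "split-horizon":
            continue                                  # never echo a route back to its source
        if learned_from == out_interface and mode == "poison-reverse":
            update.append((prefix, RIP_INFINITY))     # echo it back, explicitly unreachable
            continue
        update.append((prefix, min(metric, RIP_INFINITY)))
    return update


def receive_update(table, entries, in_interface):
    """Install entries received on in_interface (receiver adds one hop).

    table maps prefix -> (metric, learned_from). Timers (timeout, garbage
    collection, hold-down) are left out; an unreachable route is simply removed.
    """
    for prefix, metric in entries:
        new_metric = min(metric + 1, RIP_INFINITY)
        current = table.get(prefix)
        if current is None:
            if new_metric < RIP_INFINITY:
                table[prefix] = (new_metric, in_interface)
        elif current[1] == in_interface or new_metric < current[0]:
            # the current next hop is always believed; anyone else only if strictly better
            if new_metric >= RIP_INFINITY:
                del table[prefix]
            else:
                table[prefix] = (new_metric, in_interface)
    return table
```

In the scenario the test builds, router A advertises a connected 10.0.0.0/8 to B, then loses it. Without split horizon B advertises the route straight back and A reinstalls it with metric 3 via the very neighbour that depends on it, which is the start of a count to infinity; with either split horizon or poison reverse the stale route never comes back.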
the RIP routes learned from neighbors and also keep the RIP network intact, use the “rip” parameter with this command (clear ip rip route rip).
EXAMPLE This example clears one specific route.
Console#clear ip rip route 192.168.1.0 255.255.255.0
Console#
show ip protocols This command displays RIP process parameters.
CHAPTER 49 | IP Routing Commands Open Shortest Path First (OSPFv2)
EXAMPLE
Console#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static,
       C - Connected, S - Static, O - OSPF
Network          Next Hop         Metric  From
Rc 192.168.0.
Table 205: Open Shortest Path First Commands (Continued)
Command - Function (Mode)
area stub - Defines a stub area, into which AS-external LSAs are not flooded (RC)
area virtual-link - Defines a virtual link from an area border router to the backbone (RC)
network area - Assigns the specified interface to an area (RC)
Interface Configuration
ip ospf authentication - Specifies the authentication type for an interface (IC)
ip ospf authentication-key - Assigns a si
General Configuration
router ospf This command enables Open Shortest Path First (OSPFv2) routing for all IP interfaces on the router and enters router configuration mode. Use the no form to disable OSPF for all processes or for a specified process. SYNTAX [no] router ospf [process-id] process-id - Process ID must be entered when configuring multiple routing instances.
destination. When disabled, preference is based on type of path (where type 1 external paths are preferred over type 2 external paths, using cost only to break ties), as specified in RFC 2328. ◆ All routers in an OSPF routing domain should use the same RFC 1583 compatibility setting; mixing the two preference rules in one domain can create routing loops.
◆ The metric for the default external route is used to calculate the path cost for traffic passed from other routers within the AS out through the ASBR. ◆ When you use this command to redistribute routes into a routing domain (i.e., an Autonomous System), this router automatically becomes an Autonomous System Boundary Router (ASBR). However, an ASBR does not, by default, generate a default route into the routing domain.
router-id This command assigns a unique router ID for this device within the autonomous system for the current OSPF process. Use the no form to use the default router identification method (i.e., the highest interface address). SYNTAX router-id ip-address no router-id ip-address - Router ID formatted as an IPv4 address.
timers spf This command configures the delay after receiving a topology change and starting the shortest path first (SPF) calculation, and the hold time between making two consecutive SPF calculations. Use the no form to restore the default values. SYNTAX timers spf spf-delay spf-holdtime no timers spf spf-delay - The delay after receiving a topology change notification and starting the SPF calculation.
EXAMPLE
Console#clear ip ospf process
Console#
Route Metrics and Summaries
area default-cost This command specifies a cost for the default summary route sent into a stub or NSSA from an Area Border Router (ABR). Use the no form to remove the assigned default cost. SYNTAX area area-id default-cost cost no area area-id default-cost area-id - Identifies the stub or NSSA.
area range This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function. SYNTAX [no] area area-id range ip-address netmask [advertise | not-advertise] area-id - Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address or as a four-octet unsigned integer ranging from 0-4294967295. ip-address - Base address for the routes to summarize.
auto-cost reference-bandwidth Use this command to calculate the default metrics for an interface based on bandwidth. Use the no form to automatically assign costs based on interface type. SYNTAX auto-cost reference-bandwidth reference-value no auto-cost reference-bandwidth reference-value - Bandwidth of interface.
CHAPTER 49 | IP Routing Commands Open Shortest Path First (OSPFv2) default-metric This command sets the default metric for external routes imported from other protocols. Use the no form to remove the default metric for the supported protocol types. SYNTAX default-metric metric-value no default-metric metric-value – Metric assigned to all external routes imported from other protocols.
CHAPTER 49 | IP Routing Commands Open Shortest Path First (OSPFv2) redistribute This command redistributes external routing information from other routing protocols and static routes into an autonomous system. Use the no form to disable this feature or to restore the default settings.
CHAPTER 49 | IP Routing Commands Open Shortest Path First (OSPFv2) the cost associated with reaching the advertising ASBR, plus the cost of the external route. When a Type 2 LSA is received by a router, it only uses the external route metric to determine route cost. ◆ A tag can be used to distinguish between routes learned from different external autonomous systems (other routing protocols). For example, if there are two ASBRs in a routing domain: A and B.
CHAPTER 49 | IP Routing Commands Open Shortest Path First (OSPFv2) EXAMPLE This example creates a summary address for all routes contained in 192.168.x.x. Console(config-router)#summary-address 192.168.0.0 255.255.0.0 Console(config-router)# RELATED COMMANDS area range (1523) redistribute (1524) Area Configuration area nssa This command defines a not-so-stubby area (NSSA). To remove an NSSA, use the no form without any optional keywords.
CHAPTER 49 | IP Routing Commands Open Shortest Path First (OSPFv2) other areas within the AS for an NSSA ABR, or to areas outside the AS for an NSSA ASBR. metric-value - Metric assigned to Type-7 default LSAs. (Range: 1-16777214: Default: 1) type-value 1 - Type 1 external route 2 - Type 2 external route (default) - Routers do not add internal cost to the external route metric. COMMAND MODE Router Configuration DEFAULT SETTING No NSSA is configured.
EXAMPLE This example creates a stub area 10.3.0.0, and assigns all interfaces with class B addresses 10.3.x.x to the NSSA. It also instructs the router to generate external LSAs into the NSSA when it is an NSSA ABR or NSSA ASBR. Console(config-router)#area 10.3.0.0 nssa default-information-originate Console(config-router)#network 10.3.0.0 255.255.0.0 area 10.2.0.0 Console(config-router)# area stub This command defines a stub area.
EXAMPLE This example creates a stub area 10.2.0.0, and assigns all interfaces with class B addresses 10.2.x.x to the stub. Console(config-router)#area 10.2.0.0 stub Console(config-router)#network 10.2.0.0 0.255.255.255 area 10.2.0.0 Console(config-router)# RELATED COMMANDS area default-cost (1481) area virtual-link This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords.
value must be the same for all routers attached to an autonomous system. (Range: 1-65535 seconds; Default: 4 x hello interval, or 40 seconds) hello-interval seconds - Specifies the transmit delay between sending hello packets. Setting the hello interval to a smaller value can reduce the delay in detecting topological changes, but will increase the routing traffic. This value must be the same for all routers attached to an autonomous system.
DEFAULT SETTING area-id: None router-id: None hello-interval: 10 seconds retransmit-interval: 5 seconds transmit-delay: 1 second dead-interval: 40 seconds authentication-key: None message-digest-key: None COMMAND USAGE ◆ All areas must be connected to a backbone area (0.0.0.0) to maintain routing connectivity throughout the autonomous system. If it is not possible to physically connect an area to the backbone, you can use a virtual link.
network area This command defines an OSPF area and the interfaces that operate within this area. Use the no form to disable OSPF for a specified interface. SYNTAX [no] network ip-address netmask area area-id ip-address - Address of the interfaces to add to the area. netmask - Network mask of the address range to add to the area. area-id - Area to which the specified address or range is assigned.
Interface Configuration ip ospf authentication This command specifies the authentication type used for an interface. Enter this command without any optional parameters to specify plain text (or simple password) authentication. Use the no form to restore the default of no authentication. SYNTAX ip ospf [ip-address] authentication [message-digest | null] no ip ospf [ip-address] authentication ip-address - IP address of the interface.
◆ The plain-text authentication-key, or the MD5 key-id and key, must be used consistently throughout the autonomous system. EXAMPLE This example enables message-digest authentication for the specified interface.
EXAMPLE This example sets a password for the specified interface. Console(config)#interface vlan 1 Console(config-if)#ip ospf authentication-key badboy Console(config-if)# RELATED COMMANDS ip ospf authentication (1494) ip ospf cost This command explicitly sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. Use the no form to restore the default value.
ip ospf dead-interval This command sets how long hello packets can go unseen before neighbors declare the router down. Use the no form to restore the default value. SYNTAX ip ospf [ip-address] dead-interval seconds no ip ospf [ip-address] dead-interval ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
ip ospf hello-interval This command specifies the interval between sending hello packets on an interface. Use the no form to restore the default value. SYNTAX ip ospf [ip-address] hello-interval seconds no ip ospf [ip-address] hello-interval ip-address - This parameter can be used to indicate a specific IP address connected to the current interface. If not specified, the command applies to all networks connected to the current interface.
DEFAULT SETTING MD5 authentication is disabled. COMMAND USAGE ◆ Before specifying MD5 authentication for an interface with the ip ospf authentication command, configure the message-digest key-id and key with this command. ◆ Normally, only one key is used per interface to generate authentication information for outbound packets and to authenticate incoming packets. Neighbor routers must use the same key identifier and key value.
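The message-digest authentication that ip ospf authentication message-digest and ip ospf message-digest-key turn on is the RFC 2328 Appendix D scheme: the sender appends a 16-byte MD5 digest of the packet plus the zero-padded key, and a cryptographic sequence number in the header guards against replay. The following Python is an added example, not code from this manual or the switch firmware; it builds a Hello packet with that trailer and shows the receive-side checks that make a key-id or key mismatch between neighbors fail (the key, router IDs and packet contents are constructed for illustration).

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 header (RFC 2328 A.3.1), 24 bytes. For AuType 2 the 8-byte
# Authentication field is: 0x0000, Key ID, Auth Data Len, Crypto Sequence.
HEADER_FMT = "!BBH4s4sHHHBBI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
AU_NULL, AU_SIMPLE, AU_CRYPT = 0, 1, 2
DIGEST_LEN = 16                            # MD5 digest and padded-key length


def _pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3: keys shorter than 16 octets are zero-padded on the right."""
    if not 0 < len(key) <= DIGEST_LEN:
        raise ValueError("message-digest key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, key: bytes,
                seq: int, mask: str = "255.255.255.0",
                hello: int = 10, dead: int = 40) -> bytes:
    """Emit an OSPFv2 Hello carrying an RFC 2328 D.4.3 MD5 trailer.

    The digest is MD5(packet[:length] || padded key) appended after the packet;
    the header length field excludes it and the checksum field is zero.
    """
    body = struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address(mask).packed,
                       hello, 0x02, 1, dead, b"\0" * 4, b"\0" * 4)
    length = HEADER_LEN + len(body)
    header = struct.pack(HEADER_FMT, 2, 1, length,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, AU_CRYPT, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


class Md5Verifier:
    """Receive-side checks for one interface with MD5 authentication enabled."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)        # key-id -> key bytes (message-digest-key)
        self.last_seq = {}            # neighbor router-id -> last accepted seq

    def accept(self, packet: bytes):
        if len(packet) < HEADER_LEN + DIGEST_LEN:
            return False, "truncated"
        (_ver, _type, length, rid, _aid, _csum, autype,
         _zero, key_id, adlen, seq) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
        if autype != AU_CRYPT:                # null/simple packets are dropped
            return False, "auth type mismatch"
        if adlen != DIGEST_LEN or length + DIGEST_LEN != len(packet):
            return False, "bad length"
        key = self.keys.get(key_id)
        if key is None:                       # neighbor uses a key-id we lack
            return False, "unknown key id"
        expected = hashlib.md5(packet[:length] + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, packet[length:]):
            return False, "digest mismatch"   # wrong key or altered packet
        prev = self.last_seq.get(rid)
        if prev is not None and seq < prev:   # D.4.3: seq must not go backwards
            return False, "replayed sequence number"
        self.last_seq[rid] = seq
        return True, "ok"


if __name__ == "__main__":
    rx = Md5Verifier({1: b"s3cret"})                      # constructed key
    good = build_hello("192.168.0.3", "0.0.0.0", 1, b"s3cret", 100)
    print(rx.accept(good))                                # (True, 'ok')
    altered = bytearray(good)
    altered[29] ^= 1                                      # flip a hello-interval byte
    print(rx.accept(bytes(altered)))                      # (False, 'digest mismatch')
    print(rx.accept(build_hello("192.168.0.3", "0.0.0.0", 1, b"s3cret", 99)))
```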
DEFAULT SETTING 1 COMMAND USAGE ◆ A designated router (DR) and backup designated router (BDR) are elected for each OSPF network segment based on Router Priority. The DR forms an active adjacency to all other routers in the network segment to exchange routing topology information. If for any reason the DR fails, the BDR takes over this role. ◆ Set the priority to zero to prevent a router from being elected as a DR or BDR.
COMMAND USAGE ◆ A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval. The retransmit interval should be set to a conservative value that provides an adequate flow of routing information, but does not produce unnecessary protocol traffic. Note that this value should be larger for virtual links.
EXAMPLE Console(config)#interface vlan 1 Console(config-if)#ip ospf transmit-delay 6 Console(config-if)# passive-interface This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface. SYNTAX [no] passive-interface vlan vlan-id [ip-address] vlan-id - VLAN ID. (Range: 1-4093) ip-address - An IPv4 address configured on this interface.
EXAMPLE Console#show ip ospf Routing Process "ospf 1" with ID 192.168.1.3 Process uptime is 20 minutes Conforms to RFC2328, and RFC1583Compatibility flag is disabled Supports only single TOS(TOS0) routes SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Refresh timer 10 secs Number of incoming current DD exchange neighbors 0/5 Number of outgoing current DD exchange neighbors 0/5 Number of external LSA 0.
Table 206: show ip ospf - display description (Continued) Field Description Checksum The sum of the LS checksums of opaque link-state advertisements contained in the link-state database. LSDB database overflow limit The maximum number of LSAs allowed in the external database. Number of LSA originated The number of new link-state advertisements that have been originated.
show ip ospf database This command shows information about the different OSPF link-state advertisements (LSAs) stored in this router’s link-state database. SYNTAX show ip ospf [process-id] database [asbr-summary | external | network | nssa-external | router | summary] [adv-router ip-address | link-state-id | self-originate] process-id - The ID of the router process for which information will be displayed.
Net Link States (Area 0.0.0.0) Link ID 192.168.0.2 ADV Router 192.168.0.2 Age Seq# CkSum 225 0x80000001 0x9c0f AS External Link States Link ID 0.0.0.0 0.0.0.0 ADV Router 192.168.0.2 192.168.0.3 Age Seq# CkSum Route 487 0x80000001 0xd491 E2 0.0.0.0/0 0 222 0x80000001 0xce96 E2 0.0.0.0/0 0 Tag Console# Table 207: show ip ospf database - display description Field Description OSPF Router Process with ID OSPF process ID and router ID.
Table 208: show ip ospf database summary - display description Field Description OSPF Router ID Router ID LS Age Age of LSA (in seconds) Options Optional capabilities associated with the LSA LS Type Summary Links - LSA describes routes to AS boundary routers Link State ID Interface address of the autonomous system boundary router Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA (used to detec
External Route Tag: 0 Console# Table 209: show ip ospf database external - display description Field Description OSPF Router ID Router ID LS Age Age of LSA (in seconds) Options Optional capabilities associated with the LSA LS Type AS External Links - LSA describes routes to destinations outside the AS (including default external routes for the AS) Link State ID IP network number (External Network Number) Advertising Router Adv
Table 210: show ip ospf database network - display description Field Description OSPF Router ID Router ID LS Age Age of LSA (in seconds) Options Optional capabilities associated with the LSA LS Type Network Link - LSA describes the routers attached to the network Link State ID Interface address of the designated router Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA (used to detect older dup
Table 211: show ip ospf database router - display description (Continued) Field Description Link State ID Router ID of the router that originated the LSA Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA (used to detect older duplicate LSAs) Checksum Checksum of the complete contents of the LSA Length The length of the LSA in bytes Link connected to Link-state type, including transit network, st
Table 212: show ip ospf database summary - display description (Continued) Field Description Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA (used to detect older duplicate LSAs) Checksum Checksum of the complete contents of the LSA Length The length of the LSA in bytes Network Mask Destination network’s IP address mask Metrics Cost of the link show ip ospf This command displays summary infor
Table 213: show ip ospf interface - display description (Continued) Field Description Network Type Includes broadcast, non-broadcast, or point-to-point networks Cost Interface transmit cost Transmit Delay Interface transmit delay (in seconds) State ◆ Disabled – OSPF not enabled on this interface ◆ Down – OSPF is enabled on this interface, but interface is down ◆ Loopback – This is a loopback interface ◆ Waiting – Router is t
EXAMPLE Console#show ip ospf neighbor ID Pri State Address Interface --------------- ------ ---------------- --------------- ------------- 192.168.0.3 1 FULL/BDR 192.168.0.
IA 172.16.10.0/24 [30] via 10.10.11.50, VLAN2, Area 0.0.0.0 E2 192.168.0.0/16 [10/20] via 10.10.11.50, VLAN2 Console# show ip ospf virtual-links This command displays detailed information about virtual links. SYNTAX show ip ospf virtual-links COMMAND MODE Privileged Exec EXAMPLE Console#show ip ospf virtual-links Virtual Link VLINK1 to router 192.168.0.2 is up Transit area 0.0.0.1 via interface VLAN1 Local address 192.168.0.
show ip protocols ospf This command displays OSPF process parameters. SYNTAX show ip protocols ospf COMMAND MODE Privileged Exec EXAMPLE Console#show ip protocols ospf Routing Protocol is "ospf 200" Redistributing: rip Routing for Networks: 192.30.30.0/24 192.40.40.0/24 Routing for Summary Address: 192.168.1.0/24 192.168.3.
CHAPTER 49 | IP Routing Commands Open Shortest Path First (OSPFv3) OPEN SHORTEST PATH FIRST (OSPFV3)
Table 217: Open Shortest Path First Commands (Version 3) (Continued) Command Function Mode show ipv6 ospf database Shows information about different LSAs in the database PE show ipv6 ospf interface Displays interface information PE show ipv6 ospf neighbor Displays neighbor information PE show ipv6 ospf route Displays the OSPF routing table PE show ipv6 ospf virtual-links Displays parameters and the adjacency state of virtual
COMMAND USAGE ◆ This command is used to enable an OSPFv3 routing process, and to enter router configuration mode. ◆ The process-name is only used on the local router to distinguish between different routing processes. It should not be confused with the instance-id configured with the ipv6 router ospf area command which is used to distinguish between different routing processes running on the same link-local network segment.
DEFAULT SETTING cisco COMMAND USAGE ◆ The basic criteria for a router to serve as an ABR are shown below: ■ Cisco Systems Interpretation: A router is considered to be an ABR if it has more than one area actively attached and one of them is the backbone area. ■ IBM Interpretation: A router is considered to be an ABR if it has more than one actively attached area and the backbone area is configured.
max-current-dd This command sets the maximum number of neighbors with which the switch can concurrently exchange database descriptor (DD) packets. Use the no form to restore the default setting. SYNTAX max-current-dd max-packets no max-current-dd max-packets - The maximum number of neighbors with which the switch can concurrently send or receive DD packets.
COMMAND USAGE ◆ This command sets the router ID for the OSPF process specified in the router ipv6 ospf command. ◆ The router ID must be unique for every router in the autonomous system. (Note that the router ID can also be set to 255.255.255.255).
◆ Using a low value for the holdtime allows the router to switch to a new path faster, but uses more CPU processing time. EXAMPLE Console(config-router)#timers spf 20 Console(config-router)# Route Metrics and Summaries area default-cost This command specifies a cost for the default summary route sent into a stub from an Area Border Router (ABR). Use the no form to remove the assigned default cost.
area range This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function. SYNTAX [no] area area-id range ipv6-prefix/prefix-length {advertise | not-advertise} area-id - Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.
default-metric This command sets the default metric for external routes imported from other protocols. Use the no form to remove the default metric for the supported protocol types. SYNTAX default-metric metric-value no default-metric metric-value – Metric assigned to all external routes imported from other protocols.
type-value 1 - Type 1 external route 2 - Type 2 external route (default) - Routers do not add internal route metric to external route metric. COMMAND MODE Router Configuration DEFAULT SETTING redistribution - none metric-value - 20 type-metric - 2 COMMAND USAGE ◆ This command is used to import routes learned from other routing protocols into the OSPF domain, and to generate AS-external-LSAs.
no-summary - Stops an Area Border Router (ABR) from sending summary link advertisements into the stub area. COMMAND MODE Router Configuration DEFAULT SETTING No stub is configured. Summary advertisements are sent into the stub. COMMAND USAGE ◆ All routers in a stub must be configured with the same area ID. ◆ Routing table space is saved by stopping an ABR from flooding Type-4 Inter-Area Router and Type 5 AS-External LSAs into the stub.
area virtual-link This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.
DEFAULT SETTING area-id: None router-id: None hello-interval: 10 seconds retransmit-interval: 5 seconds transmit-delay: 1 second dead-interval: 40 seconds COMMAND USAGE ◆ All areas must be connected to a backbone area (0.0.0.0) to maintain routing connectivity throughout the autonomous system. If it is not possible to physically connect an area to the backbone, you can use a virtual link.
COMMAND MODE Interface Configuration DEFAULT SETTING None COMMAND USAGE ◆ An area ID uniquely defines an OSPF broadcast area. The area ID 0.0.0.0 indicates the OSPF backbone for an autonomous system. Each router must be connected to the backbone via a direct connection or a virtual link. ◆ Set the area ID to the same value for all routers on a network segment.
ipv6 router ospf tag area This command binds an OSPF area to the selected interface and process. Use the no form to remove the specified area from an interface. SYNTAX [no] ipv6 router ospf tag process-name area area-id [instance-id instance-id] area-id - Area to bind to the current Layer 3 interface. An OSPF area identifies a group of routers that share common routing information.
RELATED COMMANDS router ipv6 ospf (1517) router-id (1520) ipv6 router ospf area (1528) Interface Configuration ipv6 ospf cost This command explicitly sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. Use the no form to restore the default value. SYNTAX ipv6 ospf cost cost [instance-id instance-id] no ipv6 ospf cost [instance-id instance-id] cost - Link metric for this interface.
ipv6 ospf dead-interval This command sets how long hello packets can go unseen before neighbors declare the router down. Use the no form to restore the default value. SYNTAX ipv6 ospf dead-interval seconds [instance-id instance-id] no ipv6 ospf dead-interval [instance-id instance-id] seconds - The maximum time that neighbor routers can wait for a hello packet before declaring the transmitting router down.
ipv6 ospf hello-interval This command specifies the interval between sending hello packets on an interface. Use the no form to restore the default value. SYNTAX ipv6 ospf hello-interval seconds [instance-id instance-id] no ipv6 ospf hello-interval [instance-id instance-id] seconds - Interval at which hello packets are sent from an interface. This interval must be set to the same value for all routers on the network.
COMMAND MODE Interface Configuration (VLAN) DEFAULT SETTING 1 COMMAND USAGE ◆ A designated router (DR) and backup designated router (BDR) are elected for each OSPF area based on Router Priority. The DR forms an active adjacency to all other routers in the area to exchange routing topology information. If for any reason the DR fails, the BDR takes over this role.
DEFAULT SETTING 5 seconds COMMAND USAGE ◆ A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval. The retransmit interval should be set to a conservative value that provides an adequate flow of routing information, but does not produce unnecessary protocol traffic. Note that this value should be larger for virtual links.
receive them. To avoid this problem, use the transmit delay to force the router to wait a specified interval between transmissions. EXAMPLE Console(config)#interface vlan 1 Console(config-if)#ipv6 ospf transmit-delay 6 Console(config-if)# passive-interface This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.
Display Information show ipv6 ospf This command shows basic information about the routing configuration. COMMAND MODE Privileged Exec EXAMPLE Console#show ipv6 ospf Routing Process "ospf 1" with ID 192.168.0.
Table 218: show ip ospf - display description (Continued) Field Description Number of opaque AS LSA Number of opaque link-state advertisements (Type 9, 10 and 11 LSAs) in the link-state database. These LSAs advertise information about external applications, and are only used by OSPF for the graceful restart process. Checksum The sum of the LS checksums of opaque link-state advertisements contained in the link-state database.
AS-external-LSA ADV Router Age Link State ID Console# Seq# CkSum Table 219: show ip ospf database - display description Field Description OSPF Router Process with ID OSPF router ID and process ID. The router ID uniquely identifies the router in the autonomous system. By convention, this is normally set to one of the router's IP interface addresses.
Table 220: show ip ospf interface - display description (Continued) Field Description Area OSPF area to which this interface belongs Tag OSPF process identifier string Router ID Identifier for this router Network Type Includes broadcast, non-broadcast, or point-to-point networks Cost Interface transmit cost Transmit Delay Interface transmit delay (in seconds) State ◆ Backup – Backup Designated Router ◆ Down – OSPF is enabl
EXAMPLE Console#show ipv6 ospf neighbor ID Pri State Interface ID Interface --------------- ------ ---------------- --------------- ------------- 192.168.0.
C ? C ? 2001:DB8:2222:7272::/64, VLAN1 FE80::/64, VLAN1 inactive FE80::/64, VLAN1 FF00::/8, VLAN1 inactive Console# show ipv6 ospf virtual-links This command displays detailed information about virtual links. SYNTAX show ipv6 ospf [tag process-id] virtual-links process-id - The ID of the router process for which information will be displayed.
Table 222: show ipv6 ospf neighbor - display description Field Description Hello due The timeout for the next hello message from the neighbor Adjacency state The adjacency state between these neighbors: Down – Connection down Attempt – Connection down, but attempting contact (for non-broadcast networks) Init – Have received Hello packet, but communications not yet established Two-way – Bidirectional communications established ExStart –
50 MULTICAST ROUTING COMMANDS Multicast routers can use various kinds of multicast routing protocols to deliver IP multicast packets across different subnetworks. This router supports Protocol Independent Multicasting (PIM). (Note that IGMP will be enabled for any interface that is using multicast routing.
CHAPTER 50 | Multicast Routing Commands General Multicast Routing COMMAND MODE Global Configuration COMMAND USAGE ◆ This command is used to enable IPv4 multicast routing globally for the router. A specific multicast routing protocol also needs to be enabled with the router pim command, and the interfaces that will support multicast routing then specified with the ip pim dense-mode or ip pim sparse-mode commands.
IP Multicast Routing Table Flags: D - Dense, S - Sparse, s - SSM Channel, C - Connected, P - Pruned, F - Register flag, R - RPT-bit set, T - SPT-bit set, J - Join SPT Interface state: F - Forwarding, P - Pruned, L - Local (192.168.2.1, 224.0.17.17), uptime 00:00:05 Owner: PIM-DM, Flags: D Incoming Interface: VLAN2, RPF neighbor: 192.168.2.
Table 225: show ip mroute - display description (Continued) Field Description RPF neighbor IP address of the multicast router immediately upstream for this group. Outgoing interface list and flags The interface(s) on which multicast subscribers have been recorded. The flags associated with each interface indicate: ◆ F (Register flag) - This device is registering for a multicast source. ◆ P (Pruned) - This route has been terminated.
EXAMPLE Console(config)#ipv6 multicast-routing Console(config)# show ipv6 mroute This command displays the IPv6 multicast routing table. SYNTAX show ipv6 mroute [group-address source] [summary] group-address - An IPv6 multicast group address with subscribers directly attached or downstream from this router. source - The IPv6 subnetwork at the root of the multicast delivery tree. This subnetwork contains a known multicast source.
Table 226: show ip mroute - display description Field Description Flags The flags associated with this entry: ◆ D (Dense) - PIM Dense mode in use. ◆ S (Sparse) - PIM Sparse mode in use. ◆ s (SSM) - A multicast group with the range of IP addresses used for PIM-SSM. ◆ C (Connected) - A member of the multicast group is present on this interface. ◆ P (Pruned) - This route has been terminated.
CHAPTER 50 | Multicast Routing Commands Static Multicast Routing This example lists all entries in the multicast table in summary form: Console#show ipv6 mroute summary IP Multicast Forwarding is disabled IP Multicast Routing Table (Summary) Flags: F - Forwarding, P - Pruned, D - PIM-DM, S – PIM-SM, V – DVMRP, M - MLD Group Source Interface Flag ------------------------------ ------------------------------ ---------- ---FF02::0101 FE80::0101 VLAN 4096 DF Total Entry is 1 Console# STATIC MULTICAST ROUTING
COMMAND USAGE Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
CHAPTER 50 | Multicast Routing Commands PIM Multicast Routing PIM MULTICAST ROUTING This section describes the PIM commands used for IPv4 and IPv6. Note that PIM can run on an IPv4 network and PIM6 on an IPv6 network simultaneously. Also note that Internet Group Management Protocol (IGMP) is used for IPv4 networks and Multicast Listener Discovery (MLD) for IPv6 networks. Table 228: IPv4 and IPv6 PIM Commands Command Group Function IPv4 PIM Commands Configures multicast routing for IPv4 PIM.
Table 229: PIM-DM and PIM-SM Multicast Routing Commands (Continued) Command Function Mode ip pim bsr-candidate Configures the switch as a Bootstrap Router (BSR) candidate GC ip pim register-rate-limit Configures the rate at which register messages are sent by the Designated Router (DR) GC ip pim register-source Configures the IP source address of a register message to an address other than the outgoing interface address of the designa
EXAMPLE Console(config)#router pim Console(config)#exit Console#show ip pim interface PIM is enabled. VLAN 1 is up. PIM Mode : Dense Mode IP Address : 192.168.0.
determines that there are no group members or downstream routers, or when a prune message is received from a downstream router. ◆ Sparse-mode interfaces forward multicast traffic only if a join message is received from a downstream router or if group members are directly connected to the interface.
COMMAND USAGE The ip pim hello-holdtime should be greater than the value of ip pim hello-interval. EXAMPLE Console(config-if)#ip pim hello-holdtime 210 Console(config-if)# ip pim hello-interval This command configures the frequency at which PIM hello messages are transmitted. Use the no form to restore the default value. SYNTAX ip pim hello-interval seconds no pim hello-interval seconds - Interval between sending PIM hello messages.
COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE The multicast interface that first receives a multicast stream from a particular source forwards this traffic to all other PIM interfaces on the router. If there are no requesting groups on that interface, the leaf node sends a prune message upstream and enters a prune state for this multicast stream.
RELATED COMMANDS ip pim override-interval (1559) ip pim propagation-delay (1560) ip pim override-interval This command configures the override interval, or the time it takes a downstream router to respond to a lan-prune-delay message. Use the no form to restore the default setting.
ip pim propagation-delay This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting. SYNTAX ip pim propagation-delay milliseconds no ip pim propagation-delay milliseconds - The time required for a lan-prune-delay message to reach downstream routers attached to the same VLAN interface.
COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ When a router first starts or PIM is enabled on an interface, the hello delay is set to a random value between 0 and the trigger-hello-delay. This prevents synchronization of Hello messages on multi-access links if multiple routers are powered on simultaneously.
show ip pim neighbor This command displays information about PIM neighbors. SYNTAX show ip pim neighbor [interface vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) DEFAULT SETTING Displays information for all known PIM neighbors. COMMAND MODE Normal Exec, Privileged Exec EXAMPLE Console#show ip pim neighbor Neighbor Address VLAN Interface Uptime (sec.) Expiration Time (sec) ---------------- -------------- ------------- -------------------- 192.
COMMAND USAGE A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message. If this acknowledgement message is lost, the router that sent the graft message will resend it a number of times (as defined by the ip pim max-graft-retries command).
CHAPTER 50 | Multicast Routing Commands PIM Multicast Routing COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ The pruned state times out approximately every three minutes and the entire PIM-DM network is reflooded with multicast packets and prune messages. The state refresh feature keeps the pruned state from timing out by periodically forwarding a control message down the distribution tree, refreshing the prune state on the outgoing interfaces of each router in the tree.
COMMAND MODE Global Configuration
COMMAND USAGE ◆ When the ip pim bsr-candidate command is entered, the router starts sending bootstrap messages to all of its PIM-SM neighbors. The IP address of the designated VLAN is sent as the candidate’s BSR address. Each neighbor receiving the bootstrap message compares the BSR address with the address from previous messages.
COMMAND MODE Global Configuration
COMMAND USAGE This command can be used to relieve the load on the Designated Router (DR) and RP. However, because register messages exceeding the limit are dropped, some receivers may experience data packet loss within the first few seconds in which register messages are sent from bursty sources.
EXAMPLE This example sets the register rate limit to 500 pps.
ip pim rp-address This command sets a static address for the Rendezvous Point (RP) for a particular multicast group. Use the no form to remove an RP address or an RP address for a specific group.
SYNTAX [no] ip pim rp-address rp-address [group-prefix group-address mask]
rp-address - Static IP address of the router that will be an RP for the specified multicast group(s).
group-address - An IP multicast group address.
EXAMPLE In the following example, the first PIM-SM command just specifies the RP address 192.168.1.1 to indicate that it will be used to service all multicast groups. The second PIM-SM command includes the multicast groups to be serviced by the RP.
Console(config)#ip pim rp-address 192.168.1.1
Console(config)#ip pim rp-address 192.168.2.1 group-prefix 224.9.0.0 255.255.0.
COMMAND MODE Global Configuration
COMMAND USAGE ◆ When the ip pim rp-candidate command is entered, the router periodically sends PIMv2 messages to the BSR advertising itself as a candidate RP for the specified group addresses. The IP address of the designated VLAN is sent as the candidate’s RP address. The BSR places information about all of the candidate RPs in subsequent bootstrap messages.
ip pim spt-threshold This command prevents the last-hop PIM router from switching to Shortest Path Source Tree (SPT) mode. Use the no form to allow the router to switch over to SPT mode.
SYNTAX ip pim spt-threshold infinity [group-prefix group-address mask]
no ip pim spt-threshold infinity
group-address - An IP multicast group address. If a group address is not specified, the command applies to all multicast groups.
ip pim dr-priority This command sets the priority value for a Designated Router (DR) candidate. Use the no form to restore the default setting.
SYNTAX ip pim dr-priority priority-value
no ip pim dr-priority
priority-value - Priority advertised by a router when bidding to become the DR.
Console#
ip pim join-prune-interval This command sets the join/prune timer. Use the no form to restore the default setting.
SYNTAX ip pim join-prune-interval seconds
no ip pim join-prune-interval
seconds - The interval at which join/prune messages are sent.
Propagation Delay : 500 ms
Override Interval : 2500 ms
DR Priority : 20
Join/Prune Interval : 80 sec
Console#
clear ip pim bsr rp-set This command clears multicast group to RP mapping entries learned through the PIMv2 bootstrap router (BSR).
COMMAND MODE Privileged Exec
COMMAND USAGE ◆ This command can be used to update entries in the static multicast forwarding table immediately after making configuration changes to the RP.
State : Elected BSR
Console#
Table 231: show ip pim bsr-router - display description
Field - Description
BSR Address - IP address of interface configured as the BSR.
Uptime - The time this BSR has been up and running.
BSR Priority - Priority assigned to this interface for use in the BSR election process.
Hash Mask Length - The number of significant bits used in the multicast group comparison mask.
Table 232: show ip pim rp mapping - display description
Field - Description
Groups - The multicast group address, mask length managed by the RP.
Table 234: PIM-DM and PIM-SM Multicast Routing Commands (Continued)
Command - Function - Mode
ipv6 pim hello-interval - Sets the interval between sending PIM hello messages - IC
ipv6 pim join-prune-holdtime - Configures the hold time for the prune state - IC
ipv6 pim lan-prune-delay - Informs downstream routers of the delay before it prunes a flow after receiving a prune request - IC
ipv6 pim override-interval - Specifies the time it takes a downstream r
PIM6 Shared Mode Commands
router pim6 This command enables IPv6 Protocol-Independent Multicast routing globally on the router. Use the no form to disable PIM multicast routing.
SYNTAX [no] router pim6
DEFAULT SETTING Disabled
COMMAND MODE Global Configuration
COMMAND USAGE ◆ This command enables IPv6 PIM-DM globally for the router.
globally for the router with the router pim6 command, and also enable PIM-DM or PIM-SM for each interface that will participate in multicast routing with this command. ◆ If you enable PIM on an interface, you should also enable MLD (see "MLD (Layer 3)" on page 1273) on that interface. PIM mode selection determines how the switch populates the multicast routing table, and how it forwards packets received from directly connected LAN interfaces.
ipv6 pim hello-holdtime This command configures the interval to wait for hello messages from a neighboring PIM router before declaring it dead. Use the no form to restore the default value.
SYNTAX ipv6 pim hello-holdtime seconds
no ipv6 pim hello-holdtime
seconds - The hold time for PIM hello messages.
EXAMPLE
Console(config-if)#ipv6 pim hello-interval 60
Console(config-if)#
ipv6 pim join-prune-holdtime This command configures the hold time for the prune state. Use the no form to restore the default value.
SYNTAX ipv6 pim join-prune-holdtime seconds
no ipv6 pim join-prune-holdtime
seconds - The hold time for the prune state.
COMMAND USAGE ◆ When other downstream routers on the same VLAN are notified that this upstream router has received a prune request, they must send a Join to override the prune before the prune delay expires if they want to continue receiving the flow. The message generated by this command effectively prompts any downstream neighbors with hosts receiving the flow to reply with a Join message.
Join message back to the upstream router to ensure that the flow is not terminated.
EXAMPLE
Console(config-if)#ipv6 pim override-interval 3500
Console(config-if)#
RELATED COMMANDS ipv6 pim propagation-delay (1582) ipv6 pim lan-prune-delay (1580)
ipv6 pim propagation-delay This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting.
ipv6 pim trigger-hello-delay This command configures the maximum time before transmitting a triggered PIM Hello message after the router is rebooted or PIM is enabled on an interface. Use the no form to restore the default value.
SYNTAX ipv6 pim trigger-hello-delay seconds
no ipv6 pim trigger-hello-delay
seconds - The maximum time before sending a triggered PIM Hello message.
EXAMPLE
Console#show ipv6 pim interface vlan 1
PIM is enabled.
VLAN 1 is up.
Table 235: show ipv6 pim neighbor - display description (Continued)
Field - Description
DR - The designated PIM6-SM router. If multicast hosts are directly connected to the LAN, then only one of these routers is elected as the DR, and acts on behalf of these hosts, sending periodic Join/Prune messages toward a group-specific RP for each group.
ipv6 pim max-graft-retries This command configures the maximum number of times to resend a Graft message if it has not been acknowledged. Use the no form to restore the default value.
SYNTAX ipv6 pim max-graft-retries retries
no ipv6 pim max-graft-retries
retries - The maximum number of times to resend a Graft.
◆ This command is only effective for interfaces of first-hop PIM-DM routers that are directly connected to sources of multicast groups.
EXAMPLE
Console(config-if)#ipv6 pim state-refresh origination-interval 30
Console(config-if)#
PIM-SM Commands
ipv6 pim bsr-candidate This command configures the switch as a Bootstrap Router (BSR) candidate. Use the no form to restore the default value.
◆ This router will continue to be the BSR until it receives a bootstrap message from another candidate with a higher priority (or a higher IP address if the priorities are the same). ◆ To improve failover recovery, it is advisable to select at least two core routers in diverse locations, each to serve as both a candidate BSR and candidate RP. It is also preferable to set up one of these routers as both the primary BSR and RP.
EXAMPLE This example sets the register rate limit to 500 pps.
Console(config)#ipv6 pim register-rate-limit 500
Console(config)#
ipv6 pim register-source This command configures the IP source address of a register message to an address other than the outgoing interface address of the designated router (DR) that leads back toward the rendezvous point (RP). Use the no form to restore the default setting.
ipv6 pim rp-address This command sets a static address for the Rendezvous Point (RP) for a particular multicast group. Use the no form to remove an RP address or an RP address for a specific group.
SYNTAX [no] ipv6 pim rp-address rp-address [group-prefix group-prefix]
rp-address - Static IPv6 address of the router that will be an RP for the specified multicast group(s).
group-prefix - An IPv6 network prefix for a multicast group.
EXAMPLE In the following example, the first PIM-SM command just specifies the RP address 192.168.1.1 to indicate that it will be used to service all multicast groups. The second PIM-SM command includes the multicast groups to be serviced by the RP.
candidate RP for the specified group addresses. The IP address of the designated VLAN is sent as the candidate’s RP address. The BSR places information about all of the candidate RPs in subsequent bootstrap messages. The BSR uses the RP-election hash algorithm to select an active RP for each group range. The election process is performed by the BSR only for its own use.
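Two things in this chapter decide which router ends up as the RP for a group: a static ip pim rp-address entry (the two-command example earlier, where one entry covers all groups and a second covers a single group prefix) and, when candidates are learned through the BSR, the RP-election hash whose mask width is the "Hash Mask Length" shown by show ip pim bsr-router. As an added example that is not code from the manual or from the switch vendor, the Python below carries both through in working form: longest-prefix selection of a static RP, and the hash from RFC 4601 section 4.7.2, Value(G, M, C) = (1103515245 * ((1103515245 * (G AND M) + 12345) XOR C) + 12345) mod 2^31, with the highest value winning and ties going to the higher candidate address. The static table is constructed: the "all groups" entry is modelled as 224.0.0.0/4 and the group-prefix entry as a /16 (the mask in the page's example is cut off), and the hash is shown for IPv4 addresses only.

```python
import ipaddress

# Constructed static-RP table standing in for the manual's two commands:
#   ip pim rp-address 192.168.1.1                         (no prefix: all groups)
#   ip pim rp-address 192.168.2.1 group-prefix 224.9.0.0 <mask>
# Modelling "all groups" as 224.0.0.0/4 and the second entry as a /16 are
# assumptions made for this example.
STATIC_RPS = [
    (ipaddress.ip_network("224.0.0.0/4"), "192.168.1.1"),
    (ipaddress.ip_network("224.9.0.0/16"), "192.168.2.1"),
]


def static_rp_for_group(group, table=STATIC_RPS):
    """Return the static RP whose group-prefix is the longest match for `group`,
    or None when no entry covers it (a non-multicast address never matches)."""
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        return None
    best = None
    for prefix, rp in table:
        if g in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, rp)
    return best[1] if best else None


def rp_hash_value(group, hash_mask_len, candidate):
    """RFC 4601 section 4.7.2 RP-election hash for an IPv4 group and candidate.
    The hash mask M keeps the top `hash_mask_len` bits of the group address, so
    every group sharing those bits hashes to the same candidate."""
    if not 0 <= hash_mask_len <= 32:
        raise ValueError("hash mask length must be between 0 and 32")
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(candidate))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = (1103515245 * (g & mask) + 12345) ^ c
    # Python integers are unbounded, so reducing once at the end matches the
    # RFC's arithmetic mod 2^31.
    return (1103515245 * inner + 12345) % (1 << 31)


def elect_rp(group, hash_mask_len, candidates):
    """Pick the candidate RP with the highest hash value for `group`; ties are
    broken by the highest candidate address. Returns None with no candidates."""
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda c: (rp_hash_value(group, hash_mask_len, c),
                       int(ipaddress.IPv4Address(c))),
    )


def groups_per_hash_block(hash_mask_len):
    """How many consecutive group addresses share one hash input (and therefore
    one elected RP) for a given hash mask length."""
    return 1 << (32 - hash_mask_len)


if __name__ == "__main__":
    cands = ["192.168.1.1", "192.168.2.1", "10.10.10.10"]   # constructed candidates
    print("static RP for 224.9.5.1:", static_rp_for_group("224.9.5.1"))
    for hml in (30, 24):
        print("mask", hml, "-> RP for 239.1.1.1:", elect_rp("239.1.1.1", hml, cands))
```

The election is deterministic, so any router (or an operator's script) given the same candidate-RP set and hash mask length arrives at the same RP; comparing `elect_rp` against what show ip pim rp mapping reports is a quick way to confirm that all routers are working from the same bootstrap information. A wider hash mask spreads group ranges across more candidates, while a narrower one keeps larger blocks of groups on one RP.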
ipv6 pim spt-threshold This command prevents the last-hop PIM router from switching to Shortest Path Source Tree (SPT) mode. Use the no form to allow the router to switch over to SPT mode.
SYNTAX ipv6 pim spt-threshold infinity [group-prefix group-prefix]
no ipv6 pim spt-threshold infinity
group-prefix - An IPv6 network prefix for a multicast group. If a group address is not specified, the command applies to all multicast groups.
ipv6 pim dr-priority This command sets the priority value for a Designated Router (DR) candidate. Use the no form to restore the default setting.
SYNTAX ipv6 pim dr-priority priority-value
no ipv6 pim dr-priority
priority-value - Priority advertised by a router when bidding to become the DR.
Console#
ipv6 pim join-prune-interval This command sets the join/prune timer. Use the no form to restore the default setting.
SYNTAX ipv6 pim join-prune-interval seconds
no ipv6 pim join-prune-interval
seconds - The interval at which join/prune messages are sent.
Propagation Delay : 500 ms
Override Interval : 2500 ms
DR Priority : 1
Join/Prune Interval : 220 sec
Console#
clear ipv6 pim bsr rp-set This command clears multicast group to RP mapping entries learned through the PIMv2 bootstrap router (BSR).
COMMAND MODE Privileged Exec
COMMAND USAGE ◆ This command can be used to update entries in the static multicast forwarding table immediately after making configuration changes to the RP.
State : Elected BSR
Console#
Table 236: show ip pim bsr-router - display description
Field - Description
BSR Address - IP address of interface configured as the BSR.
Uptime - The time this BSR has been up and running.
BSR Priority - Priority assigned to this interface for use in the BSR election process.
Hash Mask Length - The number of significant bits used in the multicast group comparison mask.
Table 237: show ip pim rp mapping - display description
Field - Description
Groups - The multicast group address, mask length managed by the RP.
SECTION IV APPENDICES This section provides additional information and includes these items: ◆ "Software Specifications" on page 1601 ◆ "Troubleshooting" on page 1607 ◆ "License Information" on page 1609
A SOFTWARE SPECIFICATIONS
SOFTWARE FEATURES
MANAGEMENT AUTHENTICATION Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
GENERAL SECURITY MEASURES Access Control Lists (256 ACLs – 96 MAC rules, 96 IP rules, 96 IPv6 rules), Port Authentication (802.
CHAPTER A | Software Specifications Software Features VLAN SUPPORT Up to 4093 groups; port-based, protocol-based, tagged (802.
CHAPTER A | Software Specifications Management Features
MANAGEMENT FEATURES
IN-BAND MANAGEMENT Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell
OUT-OF-BAND MANAGEMENT RS-232 DB-9 console port
SOFTWARE LOADING HTTP, FTP or TFTP in-band, or XModem out-of-band
SNMP Management access via MIB database; Trap management to specified hosts
RMON Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
STANDARDS IEEE 802.1AB Link Layer Discovery Protocol IEEE 802.
CHAPTER A | Software Specifications Management Information Bases IGMPv2 (RFC 2236) IGMPv3 (RFC 3376) - partial support IGMP Proxy (RFC 4541) IPv4 IGMP (RFC 3228) MLD Snooping (RFC 4541) NTP (RFC 1305) OSPF (RFC 2328, 2178, 1587) OSPFv3 (RFC 2740) RADIUS+ (RFC 2618) RIPv1 (RFC 1058) RIPv2 (RFC 2453) RIPv2, extension (RFC 1724) RMON (RFC 2819 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2c (RFC 1901, 2571) SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3413, 3414, 3415) SNTP (RFC 2030) SSH (Version 2.
CHAPTER A | Software Specifications Management Information Bases MIB II (RFC 1213) OSPF MIB (RFC 1850) OSPFv3 MIB (draft-ietf-ospf-ospfv3-mib-15.txt) P-Bridge MIB (RFC 2674P) Port Access Entity MIB (IEEE 802.1X) Port Access Entity Equipment MIB Private MIB Q-Bridge MIB (RFC 2674Q) QinQ Tunneling (IEEE 802.
B TROUBLESHOOTING
PROBLEMS ACCESSING THE MANAGEMENT INTERFACE
Table 239: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action: ◆ Be sure the switch is powered up. ◆ Check network cabling between the management station and the switch. ◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
CHAPTER B | Troubleshooting Using System Logs USING SYSTEM LOGS If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Enable SNMP. 4. Enable SNMP traps. 5. Designate the SNMP host that is to receive the error messages. 6.
C LICENSE INFORMATION This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
CHAPTER C | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
CHAPTER C | License Information The GNU General Public License b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute co
CHAPTER C | License Information The GNU General Public License 9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
GLOSSARY ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
GLOSSARY DIFFSERV Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GLOSSARY GMRP Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. GVRP GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. IEEE 802.
GLOSSARY IGMP Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
GLOSSARY LINK AGGREGATION See Port Trunk. LLDP Link Layer Discovery Protocol is used to discover basic information about neighboring devices in the local broadcast domain by using periodic broadcasts to advertise information such as device identification, capabilities and configuration settings. MD5 MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken.
GLOSSARY OSPF Open Shortest Path First is a link-state routing protocol that functions better over a larger network such as the Internet, as opposed to distance-vector routing protocols such as RIP. It includes features such as unlimited hop count, authentication of routing updates, and Variable Length Subnet Masks (VLSM). OUT-OF-BAND MANAGEMENT Management of the network from a station not attached to the network. PIM Protocol Independent Multicast Routing.
GLOSSARY RIP Routing Information Protocol seeks to find the shortest route to another device by minimizing the distance-vector, or hop count, which serves as a rough estimate of transmission cost. RIP-2 is a compatible upgrade to RIP. It adds useful capabilities for subnet routing, authentication, and multicast transmissions. RMON Remote Monitoring. RMON provides comprehensive network monitoring capabilities.
GLOSSARY TELNET Defines a remote communication facility for interfacing to a terminal device over TCP/IP. TFTP Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads. UDP User Datagram Protocol. UDP provides a datagram mode for packet- switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
COMMAND LIST A C aaa accounting dot1x 876 aaa accounting exec 877 aaa accounting update 878 aaa authorization exec 879 aaa group server 880 abr-type 1518 absolute 818 access-list arp 991 access-list ip 974 access-list ipv6 980 access-list mac 986 accounting dot1x 881 accounting exec 881 alias 998 area default-cost 1481 area default-cost 1522 area nssa 1487 area range 1482 area range 1523 area stub 1489 area stub 1525 area virtual-link 1490 area virtual-link 1527 arp 1399 arp timeout 1400 authentication e
COMMAND LIST default-information originate 1458 default-information originate 1477 default-metric 1459 default-metric 1484 default-metric 1524 default-router 1372 delete 783 delete public-key 894 description 1171 description 1000 dir 784 disable 764 disconnect 797 distance 1460 dns-server 1373 domain-name 1373 dos-protection land 969 dos-protection tcp-scan 970 dot1q-tunnel system-tunnel-control 1124 dot1x default 900 dot1x eapol-pass-through 900 dot1x intrusion-action 901 dot1x max-reauth-req 902 dot1x ma
COMMAND LIST ip domain-name 1353 ip forward-protocol udp 1403 ip helper 1404 ip helper-address 1405 ip host 1354 ip http port 884 ip http secure-port 885 ip http secure-server 885 ip http server 884 ip igmp 1261 ip igmp filter (Global Configuration) 1208 ip igmp filter (Interface Configuration) 1211 ip igmp last-member-query-interval 1262 ip igmp max-groups 1211 ip igmp max-groups action 1212 ip igmp max-resp-interval 1263 ip igmp profile 1209 ip igmp proxy 1271 ip igmp proxy unsolicited-reportinterval 12
COMMAND LIST ipv6 access-group 985 ipv6 address 1409 ipv6 address eui-64 1411 ipv6 address link-local 1413 ipv6 default-gateway 1408 ipv6 dhcp relay destination 1367 ipv6 enable 1414 ipv6 hop-limit 1426 ipv6 host 1356 ipv6 mld 1273 ipv6 mld last-member-query-responseinterval 1274 ipv6 mld max-resp-interval 1275 ipv6 mld proxy 1282 ipv6 mld proxy unsolicited-reportinterval 1283 ipv6 mld query-interval 1275 ipv6 mld robustval 1276 ipv6 mld snooping 1218 ipv6 mld snooping querier 1218 ipv6 mld snooping query-
COMMAND LIST lldp reinit-delay 1289 lldp tx-delay 1290 logging facility 799 logging history 799 logging host 800 logging on 801 logging sendmail 805 logging sendmail destination-email 807 logging sendmail host 805 logging sendmail level 806 logging sendmail source-email 807 logging trap 801 login 791 M ma index name 1318 ma index name-format 1319 mac access-group 989 mac-address-table aging-time 1055 mac-address-table static 1056 mac-authentication intrusion-action 937 mac-authentication max-mac-count 937
COMMAND LIST ntp client 813 ntp server 814 P parity 792 passive-interface 1463 passive-interface 1502 passive-interface 1536 password 793 password-thresh 794 periodic 819 permit, deny 1210 permit, deny (ARP ACL) 992 permit, deny (Extended IPv4 ACL) 976 permit, deny (Extended IPv6 ACL) 982 permit, deny (Standard IP ACL) 975 permit, deny (Standard IPv6 ACL) 981 permit, deny (MAC ACL) 987 ping 1397 ping6 1423 police flow 1175 police srtcm-color 1176 police trtcm-color 1179 policy-map 1173 port channel load-b
COMMAND LIST show class-map 1183 show cluster 824 show cluster candidates 825 show cluster members 825 show dns 1357 show dns cache 1358 show dos-protection 970 show dot1q-tunnel 1129 show dot1x 908 show erps 1102 show erps statistics 1105 show ethernet cfm configuration 1322 show ethernet cfm errors 1334 show ethernet cfm fault-notifygenerator 1347 show ethernet cfm linktrace-cache 1342 show ethernet cfm ma 1324 show ethernet cfm maintenance-points local 1325 show ethernet cfm maintenance-points local det
COMMAND LIST show lacp 1025 show line 797 show lldp config 1303 show lldp info local-device 1304 show lldp info remote-device 1305 show lldp info statistics 1307 show log 803 show logging 803 show logging sendmail 808 show loop internal 1016 show mac access-group 990 show mac access-list 990 show mac-address-table 1057 show mac-address-table aging-time 1058 show mac-address-table count 1059 show mac-vlan 1147 show management 912 show map ip dscp 1167 show map ip port 1167 show map ip precedence 1168 show m
COMMAND LIST snmp-server enable traps ethernet cfm cc 1331 snmp-server enable traps ethernet cfm crosscheck 1335 snmp-server engine-id 835 snmp-server group 836 snmp-server host 833 snmp-server location 830 snmp-server notify-filter 843 snmp-server user 837 snmp-server view 839 sntp client 809 sntp poll 810 sntp server 810 spanning-tree 1062 spanning-tree bpdu-filter 1072 spanning-tree bpdu-guard 1073 spanning-tree cost 1074 spanning-tree edge-port 1075 spanning-tree forward-time 1063 spanning-tree hello-t
COMMAND LIST vlan-trunking 1120 voice vlan 1148 voice vlan aging 1149 voice vlan mac-address 1149 vrrp authentication 1382 vrrp ip 1382 vrrp preempt 1383 vrrp priority 1384 vrrp timers advertise 1385 W web-auth 943 web-auth login-attempts 941 web-auth quiet-period 942 web-auth re-authenticate (IP) 944 web-auth re-authenticate (Port) 944 web-auth session-timeout 942 web-auth system-auth-control 943 whichboot 785 wtr-timer 1101
INDEX NUMERICS 802.1Q tunnel 215, 1123 access 1125 configuration, guidelines 218, 1123 configuration, limitations 218, 1124 CVID to SVID map 220, 1126 description 215 ethernet type 219, 1128 interface configuration 222, 1125–1128 mode selection 222, 1125 status, configuring 219, 1124 TPID 219, 1128 uplink 223, 1125 802.1X authenticator, configuring 385, 899 global settings 384, 900–901 port authentication 382, 899, 901 port authentication accounting 317, 318, 881 A AAA accounting 802.
INDEX ignoring superior BPDUs 253, 1082 selecting protocol based on message format 254, 1085 shut down port on receipt 254, 1073 bridge extension capabilities, displaying 133, 1111 broadcast storm, threshold 266, 267, 1006 C cable diagnostics 172, 1014 CFM basic operations 476 continuity check errors 509, 1333, 1334 continuity check messages 474, 476, 477, 1098, 1309, 1329, 1330 cross-check errors 1331, 1335, 1337 cross-check message 474, 477, 1309, 1335, 1337, 1338 cross-check start delay 1335 delay meas
INDEX information option policy 399, 950 information option, enabling 399, 949 policy selection 399, 950 specifying trusted interfaces 401, 952 verifying MAC addresses 399, 951 VLAN configuration 400, 952 DHCPv6 relay service, address 1367, 1368 relay service, enabling 1367 Differentiated Services See DiffServ DiffServ 287, 1169 binding policy to interface 301, 1182 class map 288, 1170, 1174 class map, description 289, 1171 classifying QoS traffic 288, 1172 color aware, srTCM 296, 1176 color aware, trTCM 2
INDEX F fault isolation, CFM 474, 1341 fault notification generator, CFM 476, 483, 508, 1345, 1347 fault notification, CFM 474, 508, 1309, 1344, 1345, 1347 fault verification, CFM 474, 1309 FIB, description 1451 firmware displaying version 131, 775 upgrading 135, 780 upgrading automatically 139, 785 upgrading with FTP or TFP 139 version, displaying 131, 775 forwarding information base See FIB G GARP VLAN Registration Protocol See GVRP gateway, IPv4 default 1394 gateway, IPv6 default 579, 1408 general secu
INDEX static multicast routing 519, 1206 static port assignment 521, 1206 static router interface 514, 1206 static router port, configuring 519, 1206 statistics, displaying 529, 1203 TCN flood 516, 1190 unregistered data flooding 517, 1192 version exclusive 517, 1194 version for interface, setting 525, 1193 version, setting 518, 1193 with proxy reporting 514, 1188 immediate leave, IGMP snooping 524, 1195 immediate leave, MLD snooping 540, 1224 importing user public keys 349, 780 ingress filtering 204, 1118
INDEX local device information, displaying 416, 1304 message attributes 413, 1285 message statistics 424, 1307 remote information, displaying 1305 remote port information, displaying 418, 1305 timing attributes, configuring 411, 1287–1290 TLV 410, 413 TLV, 802.1 414, 1294–1296 TLV, 802.
INDEX multicast filtering 511, 1185 enabling IGMP snooping 515, 1187 enabling IGMP snooping per interface 522, 1187 enabling MLD snooping 538, 1218 router configuration 519, 1206 multicast groups 522, 528, 544, 554, 1202, 1267 displaying 522, 528, 544, 554, 1267 static 521, 522, 543, 544, 1201, 1202 Multicast Listener Discovery See MLD Multicast Listener Discovery See MLD snooping multicast router discovery 523, 1197 multicast router port, displaying 520, 542, 1207 multicast routing 705, 1545 description 7
INDEX default metric for external routes 674, 1484 enabling 1476 general settings 673, 676, 1474 hello interval 692, 1498 interface summary information, displaying 696, 1511 LSA advertisement interval 693, 1500 LSA database, displaying 700, 1505 message digest key 694, 1498 neighboring router information, displaying 702, 1512 network area 670, 1493 normal area 670, 1493 NSSA 678, 679, 684, 1487 process ID 671, 673, 678, 680, 683, 684, 686, 687, 690, 1476 process parameters, displaying 676, 1515 redistribut
INDEX triggered hello delay 731, 1583 PIMv6-DM global configuration 729, 735 interface settings 731 PIMv6-SM 735 bootstrap router 736 BSR candidate 736 BSR elected, displaying 741 configuring 735 DR priority 732 global configuration 732 hash mask length for BSR 737 interface settings 732 register rate limit for DR 735 rendezvous point 738 RP candidate 739 RP candidate, advertising 739 RP mapping, displaying 743 shared tree 735 shortest path tree 735 SPT threshold 735 static RP, configuring 738 policing tra
INDEX remote maintenance end point, CFM 477, 486, 492, 501, 504, 505, 1326, 1327, 1332, 1336 Remote Monitoring See RMON rename, DiffServ 1173 rendezvous point PIM-SM 721, 1567, 1568, 1590, 1591 PIMv6-SM 738 restarting the system 157, 760, 764, 765 at scheduled times 157, 760 RIP 650, 1457 authentication key 665, 1468 authentication mode 665, 1467 clearing routes 1472 configuration settings, displaying 1473 configuring 650, 1458–1473 default external route 652, 1458 default metric 652, 1459 description 649
INDEX configuring 343, 890 downloading public keys for clients 349, 780 generating host key pair 347, 895 server, configuring 346, 892 timeout 346, 894 SSL, replacing certificate 341 STA 241, 1061 BPDU filter 254, 1072 BPDU flooding 246, 252, 1081 BPDU shutdown 254, 1073 detecting loopbacks 243, 1077 edge port 253, 256, 1075 forward delay 247, 1063 global settings, configuring 245, 1062–1068 global settings, displaying 250, 1086 hello time 247, 1063 interface settings, configuring 251, 1072–1083 interface
INDEX basic information, displaying 1111 configuring port members, by interface 206, 1116–1120 configuring port members, VLAN index 205 creating 200, 1114 description 197 displaying port members 1122 dynamic assignment 334, 931 egress mode 203, 1119 interface configuration 202, 1116–1120 IP subnet-based 228, 1144 L3 interface, setting type 200 MAC-based 230, 1146 port members, displaying 1122 private 210, 1134 protocol 223, 1140 protocol, configuring 224, 1140 protocol, configuring groups 224, 1141 protoco