53-1002651-02 07 December 2012 Brocade 6910 Ethernet Access Switch Configuration Guide Supporting R2.2.0.
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, MLX, NetIron, SAN Health, ServerIron, TurboIron, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Document History

| Title | Publication number | Summary of changes | Date |
|---|---|---|---|
| Brocade 6910 Ethernet Access Switch Configuration Guide | 53-1002651-02 | Added ethernet loopback, VLAN flooding, new delay-measure and loss measure CFM commands, DDM threshold commands | October 2012 |
| Brocade 6910 Ethernet Access Switch Configuration Guide | 53-1002651-02 | Configuring the destination MAC address for CFM two-way delay-measure as a multicast MAC address is no longer supported | December 2012 |
About This Document

In this chapter
• Supported hardware and software
• Summary of enhancements for Brocade R2.2.0.2
• Summary of enhancements for Brocade R2.2.0.0
• Summary of enhancements for Brocade R2.1.0.4
• Summary of enhancements for Brocade R2.0.2.10
Summary of enhancements for Brocade R2.2.0.2

The following table describes the changes included in R2.2.0.2.

| Enhancement | Description |
|---|---|
| Configuring the destination MAC address for CFM two-way delay-measure as a multicast MAC address is no longer supported | The target address of the MPID for CFM two-way delay-measure can no longer be configured as a multicast MAC address. See “ethernet cfm delay-measure two-way” on page 560, and “Transmitting Periodic Delay-Measure Messages” on page 1010. |
| Enhancement | Description |
|---|---|
| Added display of DDM thresholds | Added display of DDM thresholds. See “show interfaces transceiver” on page 277 and “Configuring Transceiver Thresholds” on page 719. |
| Added configuration of DDM thresholds | Added web page for configuring DDM thresholds. See “Configuring Transceiver Thresholds” on page 719. |
| Added debug commands | Added debug commands for reporting errors to Brocade for technical support. See “Debug Commands” on page 633. |

Summary of enhancements for Brocade R2.1.0.
| Enhancement | Description |
|---|---|
| Web page for displaying ACL statistics was re-designed | Configuration fields were modified, and a button to clear the hit counter was added to the web page for displaying ACL statistics. Refer to “Showing ACL Hardware Counters” on page 900. |
| New options were added to the web configuration page for ERPS domains | Non-ERPS Device Protection and CFM Port MEP fields were added to the web configuration page for ERPS domains. Refer to “ERPS Ring Configuration” on page 985. |
Command syntax conventions

Command syntax in this manual follows these conventions:

command              Commands are printed in bold.
--option, option     Command options are printed in bold.
-argument, arg       Arguments.
{ }                  Mandatory elements appear in braces.
[]                   Optional elements appear in brackets.
variable             Variables are printed in italics.
...                  Repeat the previous element, for example “member[,member...]”
value                Fixed values following arguments are printed in plain font. For example, --show WWN
|                    Boolean.
Related publications

The following Brocade documents supplement the information in this guide and can be located at http://www.brocade.com/ethernetproducts.
• Brocade 6910 Ethernet Access Switch Installation Guide
• Brocade 6910 Ethernet Access Switch MIB Reference
• Brocade 6910 Ethernet Access Switch Diagnostic Guide

NOTE: For the latest edition of these documents, which contain the most up-to-date information, see Product Manuals at http://www.brocade.com/ethernetproducts.
Section I Getting Started

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface, and includes the following chapters:
• Introduction
• Initial Switch Configuration
Chapter 1 Introduction

In this chapter

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

This chapter includes the following topics:
• Key Features
TABLE 1 Key Features (Continued)

| Feature | Description |
|---|---|
| Port Mirroring | 8 sessions, one or more source ports to one analysis port |
| Congestion Control | Rate Limiting; Throttling for broadcast, multicast, unknown unicast storms; Random Early Detection |
| Address Table | 16K MAC addresses in the forwarding table, 1K static MAC addresses, 1K L2 multicast groups |
| IP Version 4 and 6 | Supports IPv4 and IPv6 addressing and management |
| IEEE 802. | |
Description of Software Features

Authentication

This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.
IP Address Filtering

Access to insecure ports can be controlled using DHCP Snooping which filters ingress traffic based on static IP addresses and addresses stored in the DHCP Snooping table. Traffic can also be restricted to specific source IP addresses or source IP/MAC address pairs based on static entries or entries stored in the DHCP Snooping table.

IEEE 802.1D Bridge

The switch supports IEEE 802.1D transparent bridging.
• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
• Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.

IEEE 802.
Ethernet Ring Protection Switching

ERPS can be used to increase the availability and robustness of Ethernet rings, such as those used in Metropolitan Area Networks (MAN). ERPS provides Layer 2 loop avoidance and fast reconvergence in Layer 2 ring topologies, supporting up to 255 nodes in the ring structure. It can also function with IEEE 802.1ag to support link monitoring when non-participating devices exist within the Ethernet ring.

IP Routing

The switch provides Layer 3 IP routing.
TABLE 2 System Defaults (Continued)

| Function | Parameter | Default |
|---|---|---|
| Web Management | HTTP Server | Enabled |
| Web Management | HTTP Port Number | 80 |
| Web Management | HTTP Secure Server | Enabled |
| Web Management | HTTP Secure Server Port | 443 |
| SNMP | Agent | Enabled |
| SNMP | Community Strings | “public” (read only); “private” (read/write) |
| SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled |
| SNMP | SNMP V3 | View: defaultview; Group: public (read only); private (read/write) |
| | Admin Status | Enabled |
| | Auto-negotiation | Enabled |
| | Flow Control | Disabled |

Sta
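TABLE 2 System Defaults (Continued)

| Function | Parameter | Default |
|---|---|---|
| Traffic Prioritization | Ingress Port Priority | 0 |
| Traffic Prioritization | Queue Mode | WRR |
| Traffic Prioritization | Queue Weight | Queue: 0 1 2 3 4 5 6 7; Weight: 1 2 4 6 8 10 12 14 |
| Traffic Prioritization | Class of Service | Enabled |
| Traffic Prioritization | IP Precedence Priority | Disabled |
| Traffic Prioritization | IP DSCP Priority | Disabled |
| | Management. VLAN | VLAN 1 |
| | IP Address | DHCP assigned |
| | Subnet Mask | 255.255.255.0 |
| | Default Gateway | 0.0.0. |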
Chapter 2 Initial Switch Configuration

In this chapter

This chapter includes information on connecting to the switch and basic configuration procedures. It includes the following topics:
• Connecting to the Switch
• Basic Configuration
• Managing System Files
Connecting to the Switch

• Configure the bandwidth of any port by limiting input or output rates
• Configure Spanning Tree parameters
• Control port access through IEEE 802.1X security or static address filtering
• Filter packets using Access Control Lists (ACLs)
• Configure up to 4093 IEEE 802.
Remote Connections

Before accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection or the DHCP protocol.

An IPv4 address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP, see “Setting an IP Address” on page 14.

NOTE: This switch supports four Telnet sessions or four SSH sessions.
Basic Configuration

Setting Passwords

If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them, and put them in a safe place.

Passwords can consist of up to 32 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
2.
NOTE: The IPv4 address for this switch is obtained via DHCP by default.

Assigning an IPv4 Address

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Network mask for this network
• Default gateway for the network

To assign an IPv4 address to the switch, complete the following steps:

1.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter. Then press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:DB8:2222:7272::66/64
Console(config-if)#exit
Console(config)#ipv6 default-gateway 2001:DB8:2222:7272::254
Console(config)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
Basic Configuration 2 Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages. (DHCP for IPv6 will also be supported in future software releases.) To dynamically generate an IPv6 host address for the switch, complete the following steps: 1.
2 Basic Configuration • If the switch does not receive a DHCP response prior to completing the bootup process, it will continue to send a DHCP client request once a minute. These requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP.
    option tftp-server-name "192.168.255.100"; #Default Option 66
    option bootfile-name "bootfile"; #Default Option 67
}

class "Option66,67_2" { #DHCP Option 60 Vendor class
    match if option vendor-class-identifier = "es020000.cfg";
    option tftp-server-name "192.168.255.101";
    option bootfile-name "test";
}

NOTE
Use “es020000.cfg” for the vendor-class-identifier in the dhcpd.conf file.
To configure a community string, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)
2. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>.
Managing System Files 2 For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” on page 951, or refer to the specific CLI commands under “SNMP Commands” on page 105. Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP.
2 Managing System Files There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config: command. The maximum number of saved configuration files depends on available flash memory.
Section III Command Line Interface

This section provides a detailed description of the Command Line Interface, along with examples for all of the commands, and includes the following chapters:
• Using the Command Line Interface
• General Commands
• System Management Commands
Chapter 3 Using the Command Line Interface

In this chapter
• Accessing the CLI
• Entering Commands
• CLI Command Groups
NOTE
The IP address for this switch is obtained via DHCP by default.

To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet. For example,

Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.
3 Entering Commands You can enter commands as follows: • To enter a simple command, enter the command keyword. • To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter: Console>enable Console#show startup-config • To enter commands that require parameters, enter the required parameters after the command keyword.
3 Entering Commands garp gvrp history hosts interfaces ip ipv6 l2protocol-tunnel lacp line lldp log logging loop mac mac-address-table mac-vlan management memory mvr mvr6 network-access nlm policy-map port port-channel power-save process protocol-vlan public-key qos queue radius-server reload rmon rspan running-config sflow snmp sntp spanning-tree ssh startup-config subnet-vlan system tacacs-server tech-support time-range traffic-segmentation upgrade users version vlan vlan-translation voice web-auth Cons
The command “show interfaces ?” will display the following information:

Console#show interfaces ?
  brief           Shows brief interface description
  counters        Interface counters information
  history         Historical sample of interface counters information
  protocol-vlan   Protocol-VLAN information
  status          Shows interface status
  subnet-vlan     IP subnet-based VLAN information
  switchport      Shows interface switchport information
  transceiver     Interface of transceiver information
Console#

Show commands which display
3 Entering Commands Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Entering Commands 3 Console>enable Password: [privileged level password] Console# Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
3 Entering Commands To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
TABLE 7 Keystroke Commands (Continued)

Keystroke   Function
Ctrl-N      Enters the next command line in the history buffer.
Ctrl-P      Enters the last command.
Ctrl-R      Repeats current command line on a new line.
Ctrl-U      Deletes from the cursor to the beginning of the line.
Ctrl-W      Deletes the last word typed.
Esc-B       Moves the cursor back one word.
Esc-D       Deletes from the cursor to the end of the word.
Esc-F       Moves the cursor forward one word.
TABLE 8 Command Group Index (Continued)

Command Group                         Description                                                                                       Page
Simple Network Management Protocol    Activates authentication failure traps; configures community access strings, and trap receivers   105
Remote Monitoring                     Supports statistics, history, alarm and event groups                                              125
Flow Sampling                         Samples traffic flows, and forwards data to designated collector                                  133
User Authentication                   Configures user names and passwords, logon access using local or remote authentication
3 CLI Command Groups TABLE 8 Command Group Index (Continued) Command Group Description Page OAM Configures Operations, Administration and Maintenance remote management tools required to monitor and maintain the links to subscriber CPEs 569 Domain Name Service Configures DNS services.
Chapter 4 General Commands In this chapter General commands are used to control the command access mode, configuration mode, and other basic functions.
4 General Commands Command Mode Global Configuration Example Console(config)#prompt RD2 RD2(config)# reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
4 General Commands Command Usage • This command resets the entire system. • Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. • When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 67).
4 General Commands quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program. Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification Username: show history This command shows the contents of the command history buffer.
General Commands 4 The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config). Console#!2 Console#config Console(config)# configure This command activates Global Configuration mode.
4 General Commands reload (Privileged Exec) This command restarts the system. NOTE When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command. Default Setting None Command Mode Privileged Exec Command Usage This command resets the entire system.
General Commands 4 Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode: Console(config-if)#end Console# exit This command returns to the previous configuration mode or exits the configuration program.
Chapter 5 System Management Commands In this chapter The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
5 Banner Information hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host.
5 Banner Information TABLE 12 Banner Commands (Continued) Command Function Mode banner configure note Configures miscellaneous information that is displayed by banner under the Notes heading GC show banner Displays all banner information NE, PE banner configure This command is used to interactively specify administrative information for this device.
5 Banner Information Electrical circuit: : ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.1 Note: This is a random note about this managed switch and can contain miscellaneous information. Console(config)# banner configure company This command is used to configure company information displayed in the banner. Use the no form to remove the company name from the banner display.
5 Banner Information Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure dc-power-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure dc-power-info floor 3 row 15 rack 24 electrical-circuit 48v-id_3.15.24.
5 Banner Information banner configure equipment-info This command is used to configure the equipment information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure equipment-info manufacturer-id mfr-id floor floor-id row row-id rack rack-id shelf-rack sr-id manufacturer mfr-name no banner configure equipment-info [floor | manufacturer | manufacturer-id | rack | row | shelf-rack] mfr-id - The name of the device model number. floor-id - The floor number.
5 Banner Information Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure equipment-location command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
5 Banner Information banner configure lp-number This command is used to configure the LP number information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure lp-number lp-num no banner configure lp-number lp-num - The LP number. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure lp-number command interprets spaces as data input boundaries.
5 Banner Information Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure manager-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
5 Banner Information banner configure note This command is used to configure the note displayed in the banner. Use the no form to restore the default setting. Syntax banner configure note note-info no banner configure note note-info - Miscellaneous information that does not fit the other banner categories, or any other information of importance to users of the switch CLI.
5 System Status Number of LP: 12 Position MUX: telco-8734212kx_PVC-1/23 IP LAN: 192.168.1.1/255.255.255.0 Note: !!!!!ROUTINE_MAINTENANCE_firmware-upgrade_0100-0500_GMT-0500_20071022!!!!!_20min_ network_ Console# System Status This section describes commands used to display system information.
Free Policy Control Entries : 352
Entries Used by System      : 160
Entries Used by User        : 0
TCAM Utilization            : 31.25%
Console#

show alarm-status

This command displays information on predefined alarms (i.e., non-configurable) and on the link-down alarm (which is displayed as a minor alarm).

Command Mode
Privileged Exec

Command Usage
• Alarms are signalled through the Alarm LEDs (Major Alarm and Minor Alarm) and the Alarm Input and Output port on the front panel.
Example
Console#show memory
Status Bytes      %
------ ---------- ---
Free     39821312  29
Used     94396416  71
Total   134217728

Alarm Configuration
Rising Threshold  : 90%
Falling Threshold : 70%

Console#

Related Commands
“memory” on page 123

show process cpu

This command shows the CPU utilization parameters, alarm status, and alarm configuration.
5 System Status show running-config This command displays the configuration information currently in use. Syntax show running-config [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) port-channel channel-id (Range: 1-12) vlan vlan-id (Range: 1-4093) Command Mode Privileged Exec Command Usage • Use the interface keyword to display configuration data for the specified interface.
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 VLAN 1 name DefaultVlan media ethernet state active
!
spanning-tree mst configuration
!
interface ethernet 1/1
 ip igmp max-groups 1023
 ip igmp max-groups action deny
.
.
.
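A check an administrator can run over a saved copy of a configuration like the one shown above, added here as an example (it is not part of the Brocade guide): it flags type 7 values that equal the MD5 digest of the user name or of a word on a candidate list, and type 0 values stored in plain text. Treating type 7 values as unsalted MD5 digests is an assumption drawn from the sample, where the admin value is the MD5 digest of "admin"; the candidate list, the steve account and the line password are constructed for the example.

```python
import hashlib
import re

# Constructed sample in the layout of the "show running-config" output above.
# The admin, guest and enable lines are the ones printed on the page; the
# steve account and the line password are made up for this example.
SAMPLE_CONFIG = """\
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
username steve access-level 15
username steve password 7 5f2a1c0e9d3b47a8b6c4d1e0f9a8b7c6
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
line vty
 password 0 changeme
"""

# Words to test against type 7 values. This list is an assumption of the
# example; replace it with the defaults and banned passwords for your site.
CANDIDATES = ("admin", "guest", "super", "password", "switch")

USER_LEVEL = re.compile(r"^\s*username\s+(\S+)\s+access-level\s+(\d+)\s*$")
USER_PASS = re.compile(r"^\s*username\s+(\S+)\s+password\s+([07])\s+(\S+)\s*$")
ENABLE_PASS = re.compile(r"^\s*enable\s+password\s+level\s+(\d+)\s+([07])\s+(\S+)\s*$")
LINE_PASS = re.compile(r"^\s*password\s+([07])\s+(\S+)\s*$")


def md5_hex(text):
    """Hex MD5 digest of a string (assumed storage format for type 7)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def classify(kind, value, account=None):
    """Return a reason string if the stored value is weak, else None."""
    if kind == "0":
        return "stored in plain text"
    digest = value.lower()
    if account is not None and md5_hex(account) == digest:
        return "password equals the user name"
    if any(md5_hex(word) == digest for word in CANDIDATES):
        return "password is on the candidate list"
    return None


def audit(config_text):
    """Return a list of (line_number, account, access_level, reason)."""
    lines = config_text.splitlines()
    # First pass: collect the access level assigned to each user name, so a
    # weak password on a level 15 account can be prioritised.
    levels = {}
    for line in lines:
        m = USER_LEVEL.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
    # Second pass: inspect every stored password value.
    findings = []
    for number, line in enumerate(lines, 1):
        m = USER_PASS.match(line)
        if m:
            user, kind, value = m.groups()
            reason = classify(kind, value, user)
            if reason:
                findings.append((number, user, levels.get(user), reason))
            continue
        m = ENABLE_PASS.match(line)
        if m:
            level, kind, value = m.groups()
            reason = classify(kind, value)
            if reason:
                findings.append((number, "enable", int(level), reason))
            continue
        m = LINE_PASS.match(line)
        if m:
            kind, value = m.groups()
            reason = classify(kind, value)
            if reason:
                findings.append((number, "line", None, reason))
    return findings


if __name__ == "__main__":
    for number, account, level, reason in audit(SAMPLE_CONFIG):
        print(f"line {number}: {account} (level {level}): {reason}")
```

Because configuration files can be uploaded to an FTP/SFTP/TFTP server, any copy of the file exposes these values and should be stored with the same care as the passwords themselves.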
5 System Status • Interface settings and VLAN configuration settings for each interface • IP address for management VLAN • Any configured settings for the console port and Telnet Example Refer to the example for the running configuration file. Related Commands “show running-config” on page 60 show system This command displays system information.
5 System Status show tech-support This command displays a detailed list of system settings designed to help technical support resolve configuration or functional problems. Command Mode Normal Exec, Privileged Exec Command Usage This command generates a long list of information including detailed system and interface settings. It is therefore advisable to direct the output to a file using any suitable output capture function provided with your terminal emulation program.
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.

Example
Console#show users
User Name Accounts:
User Name Privilege Public-Key
--------- --------- ----------
admin     15        None
guest     0         None
steve     15        RSA

Online Users:
  Line        Username Idle time (h:m:s) Remote IP addr.
  ----------- -------- ----------------- ---------------
  0 console   admin    0:14:14
* 1 VTY 0     admin    0:00:00           192.168.1.19
  2 SSH 1     steve    0:00:06           192.168.1.
5 Frame Size Frame Size This section describes commands used to configure the Ethernet frame size on the switch. TABLE 14 Frame Size Commands Command Function Mode jumbo frame Enables support for jumbo frames GC jumbo frame This command enables support for layer 2 jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.
5 File Management When downloading runtime code, the destination file name can be specified to replace the current image, or the file can be first downloaded using a different name from the current runtime code file, and then the new file set as the startup file. Saving or Restoring Configuration Settings Configuration settings can be uploaded and downloaded to and from an FTP/SFTP/TFTP server. The configuration file can be later downloaded to restore switch settings.
5 File Management Default Setting None Command Mode Global Configuration Command Usage • A colon (:) is required after the specified file type. • If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands “dir” on page 70 “whichboot” on page 71 copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/SFTP/TFTP server.
5 File Management Command Mode Privileged Exec Command Usage • The system prompts for data required to complete the copy command. • The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”) • The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
File Management 5 The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish. Success. Console# The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish.
5 File Management User [Anonymous]: Password: Choose file type: 1. config: 2. opcode: 3. loader: 1 Source file name: startup2.cfg Destination file name: startup2.cfg Flash programming started. Flash programming completed. Success. Console# delete This command deletes a file or image. Syntax delete filename filename - Name of configuration file or code image. Default Setting None Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted.
5 File Management Default Setting None Command Mode Privileged Exec Command Usage • If you enter the command dir without any parameters, the system displays all files. File information is shown below: TABLE 16 File Directory Information Column Heading Description File Name The name of the file. File Type File types: Boot-Rom, Operation Code, and Config file. Startup Shows if this file is used when the system is started. Create Time The date and time the file was created.
5 File Management Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modify Time Size(bytes) -------------------------------- ------- ------- ------------------- ----------Unit 1: es020206.bix OpCode Y 2011-09-02 12:30:58 12764320 startup1.
5 File Management If a new image is found at the specified location, the following type of messages will be displayed during bootup. . . . Automatic Upgrade is looking for a new image New image detected: current version 1.1.1.0; new version 1.1.1.2 Image upgrade in progress The switch will restart after upgrade succeeds Downloading new image Flash programming started Flash programming completed The switch will now restart . . .
5 File Management Console(config)# This shows how to specify an FTP server where new code is stored. Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/ Console(config)# upgrade opcode reload This command reloads the switch automatically after the opcode upgrade is completed. Use the no form to disable this feature. Syntax [no] upgrade opcode reload Default Setting Disabled Command Mode Global Configuration Example This shows how to specify a TFTP server where new code is stored.
5 Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
5 Line Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
5 Line exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the timeout interval. (Range: 1 - 65535 seconds; 600 seconds) Default Setting CLI: No timeout Telnet: 10 minutes Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
5 Line Command Usage • There are three authentication modes provided by the switch itself at login: • login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode. • login local selects authentication via the user name and password specified by the username command (i.e., default setting).
5 Line Console(config-line)# password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password {0 | 7} - 0 means plain password, 7 means encrypted password password - Character string that specifies the line password. (Maximum length: 32 characters plain text or encrypted, case sensitive) Default Setting No password is specified.
5 Line Default Setting The default value is three attempts. Command Mode Line Configuration Command Usage When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
5 Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps) Default Setting 9600 bps Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port.
5 Line timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval. (Range: 10 - 300 seconds) Default Setting 300 seconds Command Mode Line Configuration Command Usage • If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
5 Event Logging Related Commands “show ssh” on page 172 “show users” on page 63 show line This command displays the terminal line’s parameters. Syntax show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet).
5 Event Logging TABLE 18 Event Logging Commands (Continued) Command Function Mode logging on Controls logging of error messages GC logging trap Limits syslog messages saved to a remote server based on severity GC clear log Clears messages from the logging buffer PE show log Displays log messages PE show logging Displays the state of logging PE logging facility This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
5 Event Logging TABLE 19 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informational Informational messages only 5 notifications Normal but significant condition, such as cold start 4 warnings Warning conditions (e.g., return false, unexpected return) 3 errors Error conditions (e.g., invalid input, default used) 2 critical Critical conditions (e.g.
5 Event Logging Example Console(config)#logging host 10.1.0.3 Console(config)# logging on This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process. Syntax [no] logging on Default Setting None Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers.
5 Event Logging Command Mode Global Configuration Command Usage • Using this command with a specified level enables remote logging and sets the minimum severity level to be saved. • Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default. Example Console(config)#logging trap 4 Console(config)# clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.
5 Event Logging Command Mode Privileged Exec Command Usage • All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface). • All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source). Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification.
5 SMTP Alerts Syslog logging: Enabled History logging in RAM: level debugging Console# TABLE 20 show logging flash/ram - display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command. History logging in FLASH The message level(s) reported based on the logging history command. History logging in RAM The message level(s) reported based on the logging history command. The following example displays settings for the trap function.
TABLE 22 Event Logging Commands (Continued)

Command                              Function                                                 Mode
logging sendmail destination-email   Email recipients of alert messages                       GC
logging sendmail source-email        Email address used for “From” field of alert messages    GC
show logging sendmail                Displays SMTP event handler settings                     NE, PE

logging sendmail

This command enables SMTP event handling. Use the no form to disable this function.
5 SMTP Alerts • To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.) Example Console(config)#logging sendmail host 192.168.1.
5 SMTP Alerts Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail source-email This command sets the email address used for the “From” field in alert messages. Use the no form to restore the default value.
5 Time SMTP destination email addresses ----------------------------------------------ted@this-company.com SMTP Source Email Address: bill@this-company.com SMTP Status: Enabled Console# Time The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
5 Time Command Mode Global Configuration Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001). • This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
Related Commands
“sntp client” on page 93

sntp server

This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.

Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP).
Poll Interval  : 16 seconds
Current Mode   : Unicast
SNTP Status    : Enabled
SNTP Server    : 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#

Manual Configuration Commands

clock summer-time (date)

This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time.
5 Time • This command sets the summer-time time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone (that is, the offset).
5 Time Example Console(config)#clock summer-time MESZ predefined europe Console(config)# Related Commands “show sntp” on page 95 clock summer-time (recurring) This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time.
5 Time Command Usage • In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. • This command sets the summer-time time zone relative to the currently configured time zone.
5 Time Related Commands “show sntp” on page 95 calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} hour - Hour in 24-hour format. (Range: 0 - 23) min - Minute. (Range: 0 - 59) sec - Second. (Range: 0 - 59) day - Day of month.
Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.

TABLE 25 Time Range Commands
Command          Function                                                                       Mode
time-range       Specifies the name of a time range, and enters time range configuration mode   GC
absolute         Sets the time range for the execution of a command                             TR
periodic         Sets the time range for the periodic execution of a command                    TR
show time-range  Shows configured time ranges.
5 Time Range absolute This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) day - Day of month.
5 Time Range periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
5 Time Range show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range.
Chapter 6 SNMP Commands In this chapter SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
TABLE 26 SNMP Commands (Continued)
Command | Function | Mode
show snmp notify-filter | Displays the configured notification logs | PE
snmp-server enable traps ethernet cfm delay-measure threshold | Enables SNMP trap generation for frame delay measurements above a configured threshold | GC
snmp-server enable port-traps atc broadcast-alarm-clear | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered | IC (Port)
snmp-server enab
6 SNMP Commands General SNMP Commands snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# snmp-server community This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c.
6 SNMP Commands snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information.
SNMP Commands 6 show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
6 SNMP Commands SNMP Target Host Commands snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down | ethernet cfm] authentication - Keyword to issue authentication failure notifications. link-up-down - Keyword to issue link-up or link-down notifications. ethernet cfm - Connectivity Fault Management traps.
6 SNMP Commands snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr host-addr - IPv4 or IPv6 address of the host (the targeted recipient).
6 SNMP Commands • Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled. • Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt. Informs can be used to ensure that critical information is received by the host.
6 SNMP Commands SNMPv3 Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} local - Specifies the SNMP engine on this switch. remote - Specifies an SNMP engine on a remote device. ip-address - The Internet address of the remote device. engineid-string - String identifying the engine ID.
6 SNMP Commands snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname groupname - Name of an SNMP group. (Range: 1-32 characters) v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.

Syntax
snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv {3des | aes128 | aes192 | aes256 | des56} priv-password]]}
no snmp-server user username {v1 | v2c | v3 | remote}
username - Name of user connecting to the SNMP agent.
6 SNMP Commands • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides.
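How the engine ID enters the keys, shown as an added example that is not part of the Brocade guide: SNMPv3's User-based Security Model (RFC 3414) derives a key from the password and then localizes it with the engine ID, so the same password yields a different key under a different engine ID. That the switch follows RFC 3414 for the md5 and sha options is an assumption; the function names are illustrative, and the password and first engine ID are the RFC 3414 Appendix A.3 test values.

```python
import hashlib

# Keywords of "snmp-server user ... auth {md5 | sha}" mapped to hashlib names.
AUTH_HASH = {"md5": "md5", "sha": "sha1"}


def password_to_key(password, auth):
    """RFC 3414 A.2, step 1: hash the password repeated out to 1,048,576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    total = 1048576
    stream = (pw * (total // len(pw) + 1))[:total]
    return hashlib.new(AUTH_HASH[auth], stream).digest()


def localize_key(ku, engine_id, auth):
    """RFC 3414 A.2, step 2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(AUTH_HASH[auth], ku + engine_id + ku).digest()


def localized_key(password, engine_id_hex, auth):
    """Key actually used on the wire for one user on one SNMP engine."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, auth), engine_id, auth)


if __name__ == "__main__":
    rfc_engine = "000000000000000000000002"    # RFC 3414 A.3 test engine ID
    other_engine = "000000000000000000000003"  # constructed second engine ID
    for auth in ("md5", "sha"):
        print(auth, rfc_engine, localized_key("maplesyrup", rfc_engine, auth).hex())
        print(auth, other_engine, localized_key("maplesyrup", other_engine, auth).hex())
```

A key computed for one engine ID does not verify on a device configured with another, which is why the engine ID has to be in place before users are created.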
6 SNMP Commands This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp engine-id This command shows the SNMP engine ID.
Group Name: public
Security Model: v1
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c
Read View: defaultview
Write Vi
6 SNMP Commands show snmp user This command shows information on SNMP users.
show snmp view
This command shows information on the SNMP views.

Command Mode
Privileged Exec

Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active

View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active

Console#

TABLE 30 show snmp view - display description
Field        Description
View Name    Name of an SNMP view.
Subtree OID  A branch in the MIB tree.
6 SNMP Commands • Disabling logging with this command does not delete the entries stored in the notification log. Example This example enables the notification log A1. Console(config)#nlm A1 Console(config)# snmp-server notify-filter This command creates an SNMP notification log. Use the no form to remove this log. Syntax [no] snmp-server notify-filter profile-name remote ip-address profile-name - Notification log profile name.
6 SNMP Commands • Based on the default settings used in RFC 3014, a notification log can contain up to 256 entries, and the entry aging time is 1440 minutes. Information recorded in a notification log, and the entry aging time can only be configured using SNMP from a network management station. • When a trap host is created with the snmp-server host command, a default notify filter will be created as shown in the example under the show snmp notify-filter command.
6 SNMP Commands Additional Trap Commands memory This command sets an SNMP trap based on configured thresholds for memory utilization. Use the no form to restore the default setting. Syntax memory {rising rising-threshold | falling falling-threshold} no memory {rising | falling} rising-threshold - Rising threshold for memory utilization alarm expressed in percentage. (Range: 1-100) falling-threshold - Falling threshold for memory utilization alarm expressed in percentage.
6 SNMP Commands Default Setting Rising Threshold: 90% Falling Threshold: 70% Command Mode Global Configuration Command Usage Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
Chapter 7 Remote Monitoring Commands In this chapter Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
7 Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
• If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.

Example
Console(config)#rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.
7 Remote Monitoring Commands rmon collection history This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling. Syntax rmon collection history controlEntry index [[owner name] [buckets number] [interval seconds]] | [buckets number] [interval seconds] | interval seconds no rmon collection history controlEntry index index – Index to this entry. (Range: 1-65535) number – The number of buckets requested for this entry.
Remote Monitoring Commands 7 Example Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection history controlentry 21 owner mike buckets 24 interval 60 Console(config-if)# rmon collection rmon1 This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection. Syntax rmon collection rmon1 controlEntry index [owner name] no rmon collection rmon1 controlEntry index index – Index to this entry.
7 Remote Monitoring Commands Rising threshold is 892800, assigned to event 0 Falling threshold is 446400, assigned to event 0 . . . show rmon events This command shows the settings for all configured events.
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
.
.
.
Chapter 8 Flow Sampling Commands In this chapter Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
8 Flow Sampling Commands Example Console(config)#sflow Console(config)# sflow destination This command configures the IP address and UDP port used by the Collector. Use the no form to restore the default settings. Syntax sflow destination {ipv4 ipv4-address | ipv6 ipv6-address} [destination-udp-port] no sflow destination ipv4-address - IPv4 address of the sFlow Collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods.
Command Usage
When forwarding is enabled by this command, the sFlow agent sets the sampling interval, receiver’s name, destination address and UDP port, maximum header size, and maximum datagram size; and then starts forwarding samples.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#sflow forwarding
Console(config-if)#

sflow max-datagram-size
This command configures the maximum size of the sFlow datagram payload. Use the no form to restore the default setting.
Example
Console(config)#interface ethernet 1/9
Console(config-if)#sflow max-header-size 256
Console(config-if)#

sflow owner
This command configures the name of the receiver (i.e., sFlow Collector). Use the no form to remove this name.

Syntax
sflow owner name
no sflow owner
name - The name of the receiver. (Range: 1-256 characters)

Default Setting
None

Command Mode
Interface Configuration (Ethernet)

Example
This example sets the owner’s name to Lamar.
Flow Sampling Commands 8 sflow sample This command configures the packet sampling rate. Use the no form to restore the default rate. Syntax sflow sample rate no sflow sample rate - The packet sampling rate, or the number of packets out of which one sample will be taken. (Range: 256-16777215 packets) Default Setting Disabled Command Mode Interface Configuration (Ethernet) Example This example sets the sample rate to 1 out of every 100 packets.
8 Flow Sampling Commands show sflow This command shows the global and interface settings for the sFlow process. Syntax show sflow [interface [interface]] interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
Chapter 9 Authentication Commands

In this chapter
This switch can be configured to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
9 User Accounts enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password. Syntax enable password [level level] {0 | 7} password no enable password [level level] level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.) {0 | 7} - 0 means plain password, 7 means encrypted password.
9 User Accounts username This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password} no username name name - The name of the user. (Maximum length: 32 characters, case sensitive. Maximum users: 16) access-level level - Specifies the user level.
9 Authentication Sequence Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Authentication Sequence 9 Related Commands enable password - sets the password for changing command modes (140) authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login local - Use local password. radius - Use RADIUS server password. tacacs - Use TACACS server password.
9 RADIUS Client RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
9 RADIUS Client Default Setting 1812 Command Mode Global Configuration Example Console(config)#radius-server auth-port 181 Console(config)# radius-server host This command specifies primary and backup RADIUS servers, and authentication and accounting parameters that apply to each server. Use the no form to remove a specified server, or to restore the default values.
9 RADIUS Client radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key-string no radius-server key key-string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) Default Setting None Command Mode Global Configuration Example Console(config)#radius-server key green Console(config)# radius-server retransmit This command sets the number of retries.
9 RADIUS Client radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
RADIUS Server Group:
Group Name                Member Index
------------------------- ------------
radius                    1
Console#

TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.
9 TACACS+ Client Default Setting authentication port - 49 timeout - 5 seconds retransmit - 2 Command Mode Global Configuration Example Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key-string no tacacs-server key key-string - Encryption key used to authenticate logon access for the client.
9 TACACS+ Client Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax tacacs-server retransmit number-of-retries no tacacs-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
9 AAA show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS+ Server Configuration: Global Settings: Server Port Number : 49 Retransmit Times : 2 Timeout : 5 Server 1: Server IP Address Server Port Number Retransmit Times Timeout : : : : 10.11.12.
TABLE 39 AAA Commands (Continued)
Command             Function                                                                       Mode
accounting exec     Applies an accounting method to local console, Telnet or SSH connections       Line
authorization exec  Applies an authorization method to local console, Telnet or SSH connections    Line
show accounting     Displays all accounting information                                            PE

aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.
9 AAA aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} default - Specifies the default accounting method for service requests. method-name - Specifies an accounting method for service requests.
9 AAA aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval.
9 AAA Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage • This command performs authorization to determine if a user is allowed to run an Exec shell. • AAA authentication must be enabled before authorization is enabled.
9 AAA Default Setting None Command Mode Server Group Configuration Command Usage • When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command. • When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command. Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.
9 AAA accounting exec This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec default - Specifies the default method list created with the aaa accounting exec command. list-name - Specifies a method list created with the aaa accounting exec command.
9 AAA show accounting This command displays the current accounting settings per function and per port. Syntax show accounting [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics] level - Displays command accounting information for a specifiable command level. dot1x - Displays dot1x accounting information. exec - Displays Exec accounting records. statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username.
9 Web Server Web Server This section describes commands used to configure web browser management access to the switch.
9 Web Server Command Mode Global Configuration Example Console(config)#ip http server Console(config)# Related Commands “ip http port” on page 159 “show system” on page 62 ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number – The UDP port used for HTTPS.
9 Web Server Default Setting Enabled Command Mode Global Configuration Command Usage • Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] • When you start HTTPS, the connection is established in this way: • The client authenticates the server using the server’s digital certificate.
9 Telnet Server Telnet Server This section describes commands used to configure Telnet management access to the switch.
9 Telnet Server ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no telnet port port-number - The TCP port number to be used by the browser interface. (Range: 1-65535) Default Setting 23 Command Mode Global Configuration Example Console(config)#ip telnet port 123 Console(config)# ip telnet server This command allows this device to be monitored or configured from Telnet.
Telnet Max Session: 4
Console#

Secure Shell
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.

NOTE
The switch supports both SSH Version 1.5 and 2.0 clients.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client.
d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
e.
9 Secure Shell Related Commands “show ip ssh” on page 171 ip ssh server This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service. Syntax [no] ip ssh server Default Setting Disabled Command Mode Global Configuration Command Usage • The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
9 Secure Shell Command Mode Global Configuration Command Usage The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits. Example Console(config)#ip ssh server-key size 512 Console(config)# ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation.
9 Secure Shell delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] username – Name of an SSH user. (Range: 1-8 characters) dsa – DSA public key type. rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key. Command Mode Privileged Exec Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private).
9 Secure Shell Related Commands “ip ssh crypto zeroize” on page 170 “ip ssh save host-key” on page 170 ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] dsa – DSA key type. rsa – RSA key type. Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
9 Secure Shell Related Commands “ip ssh crypto host-key generate” on page 169 show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds; Authentication Retries : 3 Server Key Size : 768 bits Console# show public-key This command shows the public key for the specified user or for the host.
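A check for weak management-plane settings, written against the command syntax given in this guide for user accounts, SNMP, Telnet, HTTP and SSH. This is an added example, not part of the Brocade guide: the sample configuration, every name and password in it, and the 768-bit server key floor are constructed or assumed, and the script only reads text and never contacts a switch.

```python
# Constructed sample configuration using the command syntax shown in this
# guide; every name, address and password below is made up.
SAMPLE_CONFIG = """\
enable password level 15 0 super
username admin password 7 4a7d1ed414474e4033ac29ccb8653d9b
username guest nopassword
snmp-server group legacy v3 noauth read defaultview
snmp-server group netops v3 priv read defaultview
snmp-server user steve legacy v3 auth md5 greenpeace priv des56 einstein
snmp-server user carol netops v3 auth sha Auth-Phrase-1 priv aes128 Priv-Phrase-1
snmp-server user mark netops v3 auth sha Auth-Phrase-2
snmp-server host 10.1.19.23 batman version 2c
ip telnet server
no ip http server
ip ssh server
ip ssh server-key size 512
"""

# Assumption: 768 bits is the server key size in the guide's "show ip ssh"
# sample output; anything smaller is reported.
MIN_SERVER_KEY_BITS = 768


def _password_type(tokens):
    """Return the {0 | 7} selector that follows 'password [level N]'."""
    i = tokens.index("password") + 1
    if tokens[i:i + 1] == ["level"]:
        i += 2
    return tokens[i] if i < len(tokens) else None


def _v3_user_security(rest):
    """Parse '[encrypted] [auth ALG PW [priv ALG PW]]' into (auth, priv)."""
    i = 1 if rest[:1] == ["encrypted"] else 0
    auth = priv = None
    if rest[i:i + 1] == ["auth"] and len(rest) > i + 1:
        auth = rest[i + 1]
        i += 3  # skip 'auth', the algorithm and the password
        if rest[i:i + 1] == ["priv"] and len(rest) > i + 1:
            priv = rest[i + 1]
    return auth, priv


def audit(config):
    """Return [(line_number, message)] for weak management-plane settings."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if not t or t[0] in ("no", "!"):
            continue  # blank line, comment, or a disabled ("no ...") command

        def flag(msg, n=lineno):
            findings.append((n, msg))

        if t[0] in ("enable", "username") and "password" in t[1:]:
            if _password_type(t) == "0":
                flag("password entered as type 0 (plain text)")
        elif t[0] == "username" and "nopassword" in t[2:]:
            flag("account '%s' needs no password" % t[1])
        elif t[:2] == ["snmp-server", "group"] and len(t) >= 4:
            if t[3] in ("v1", "v2c"):
                flag("group uses %s: community string only" % t[3])
            elif t[4:5] == ["noauth"]:
                flag("v3 group at noauth: no authentication or privacy")
        elif t[:2] == ["snmp-server", "user"] and len(t) >= 5:
            rest = t[4:]
            if rest[:1] == ["remote"]:
                rest = rest[2:]  # skip 'remote' and its ip-address
            if rest[:1] != ["v3"]:
                flag("user '%s' uses %s: community string only"
                     % (t[2], rest[0] if rest else "?"))
                continue
            auth, priv = _v3_user_security(rest[1:])
            if auth is None:
                flag("v3 user '%s' has no authentication" % t[2])
            elif auth == "md5":
                flag("v3 user '%s' authenticates with md5; prefer sha" % t[2])
            if auth and priv is None:
                flag("v3 user '%s' has no privacy (no encryption)" % t[2])
            elif priv == "des56":
                flag("v3 user '%s' encrypts with des56; prefer aes" % t[2])
        elif t[:2] == ["snmp-server", "host"] and "version" in t:
            v = t[t.index("version") + 1:]
            if v[:1] in (["1"], ["2c"]) or v[:2] == ["3", "noauth"]:
                flag("notifications to %s use v1/v2c or v3 noauth" % t[2])
        elif t == ["ip", "telnet", "server"]:
            flag("Telnet server enabled: logins cross the network in clear")
        elif t == ["ip", "http", "server"]:
            flag("HTTP server enabled: use the HTTPS server instead")
        elif t[:4] == ["ip", "ssh", "server-key", "size"] and len(t) == 5:
            if t[4].isdigit() and int(t[4]) < MIN_SERVER_KEY_BITS:
                flag("SSH server key is only %s bits" % t[4])
    return findings


if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE_CONFIG):
        print("line %2d: %s" % (lineno, msg))
```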
9 802.1X Port Authentication TABLE 45 802.
Example
Console(config)#dot1x default
Console(config)#

dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
802.1X Port Authentication 9 Authenticator Commands dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default. Syntax dot1x intrusion-action {block-traffic | guest-vlan} no dot1x intrusion-action block-traffic - Blocks traffic on this port. guest-vlan - Assigns the user to the Guest VLAN.
9 802.1X Port Authentication Console(config-if)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
802.1X Port Authentication 9 Command Usage • The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command. • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
Command Mode
Interface Configuration

Command Usage
• The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
• The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command.
802.1X Port Authentication 9 dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds.
dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
Supplicant Commands

dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.

Syntax
dot1x identity profile {username username | password password}
no dot1x identity profile {username | password}
username - Specifies the supplicant user name. (Range: 1-8 characters)
password - Specifies the supplicant password.
Console(config-if)#dot1x max-start 10
Console(config-if)#

dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
Command Mode
Interface Configuration

Command Usage
This command sets the time that the supplicant waits for a response from the authenticator for packets other than EAPOL-Start.

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout auth-period 60
Console(config-if)#

dot1x timeout held-period
This command sets the time that a supplicant port waits before resending its credentials to find a new authenticator. Use the no form to reset the default.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout start-period 60
Console(config-if)#

Information Display Commands

show dot1x
This command shows general port authentication related settings on the switch or a specific interface.

Syntax
show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
• Quiet Period – Time a port waits after Max Request Count is exceeded before attempting to acquire a new client (see “dot1x timeout quiet-period” on page 178).
• TX Period – Time a port waits during authentication session before re-transmitting EAP packet (see “dot1x timeout tx-period”).
• Supplicant Timeout – Supplicant timeout.
• Server Timeout – Server timeout.
Port      Type      Operation Mode  Control Mode      Authorized
--------  --------  --------------  ----------------  ----------
Eth 1/ 1  Disabled  Single-Host     Force-Authorized  Yes
Eth 1/ 2  Disabled  Single-Host     Force-Authorized  Yes
.
.
.
Eth 1/11  Disabled  Single-Host     Force-Authorized  Yes
Eth 1/12  Enabled   Single-Host     Auto              Yes

802.1X Port Details

802.1X Authenticator is enabled on port 1/1
802.1X Supplicant is disabled on port 1/1
.
.
.
802.
Management IP Filter

management
This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting.

Syntax
[no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]
all-client - Adds IP address(es) to all groups.
http-client - Adds IP address(es) to the web group.
snmp-client - Adds IP address(es) to the SNMP group.
show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.

Syntax
show management {all-client | http-client | snmp-client | telnet-client}
all-client - Displays IP addresses for all groups.
http-client - Displays IP addresses for the web group.
snmp-client - Displays IP addresses for the SNMP group.
telnet-client - Displays IP addresses for the Telnet group.
Chapter 10 General Security Measures

In this chapter
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
Port Security

TABLE 48 Management IP Filter Commands
Command                   Function                                                Mode
mac-address-table static  Maps a static address to a port in a VLAN               GC
port security             Configures a secure port                                IC
show mac-address-table    Displays entries in the bridge-forwarding database      PE
show port security        Displays port security status and secure address count  PE

port security
This command enables or configures port security. Use the no form without any keywords to disable port security.
• To configure the maximum number of address entries which can be learned on a port, specify the maximum number of dynamic addresses allowed. The switch will learn up to the maximum number of allowed address pairs for frames received on the port. (The specified maximum address count is effective when port security is enabled or disabled.) Note that you can manually add additional secure addresses to a port using the mac-address-table static command.
Port Security Port Summary
Port      Port Security  Port Status  Intrusion Action  MaxMacCnt  CurrMacCnt
--------------------------------------------------------------------------
Eth 1/ 1  Disabled       Secure/Down  None              0          2
Eth 1/ 2  Enabled        Secure/Up    None              10         0
Eth 1/ 3  Disabled       Secure/Down  None              0          0
Eth 1/ 4  Disabled       Secure/Down  None              0          0
Eth 1/ 5  Disabled       Secure/Down  None              0          0
Eth 1/ 6  Disabled       Secure/Down  None              0          0
Eth 1/ 7  Disabled       Secure/Down  None              0          0
Eth 1/ 8  Disabled       Secure/Down  None              0          0
Eth 1/ 9  Disab
This example shows information about a detected intrusion.
Network Access (MAC Address Authentication)

TABLE 50 Network Access Commands (Continued)
Command                              Function                                                                      Mode
mac-authentication intrusion-action  Determines the port response when a connected host fails MAC authentication.
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.

Syntax
[no] network-access mac-filter filter-id mac-address mac-address [mask mask-address]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for a range of addresses.
Command Usage
• The reauthentication time is a global setting and applies to all ports.
• When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected.

Example
Console(config)#mac-authentication reauth-time 300
Console(config)#

network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port.
Example
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#

network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
• The VLAN to be used as the guest VLAN must be defined and set as active (See the vlan database command).
• When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see the dot1x intrusion-action command).
Default Setting
Disabled

Command Mode
Interface Configuration

Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#

network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

Syntax
network-access link-detection link-up-down action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.
Example
Console(config-if)#network-access max-mac-count 5
Console(config-if)#

network-access mode mac-authentication
Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication.
network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter.

Syntax
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table.
mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.

Syntax
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of MAC-authenticated MAC addresses allowed.
show network-access
Use this command to display the MAC authentication settings for port interfaces.

Syntax
show network-access [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)

Default Setting
Displays the settings for all interfaces.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)
sort - Sorts displayed entries by either MAC address or interface.

Default Setting
Displays all filters.

Command Mode
Privileged Exec

Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”.
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
Default Setting
3 login attempts

Command Mode
Global Configuration

Example
Console(config)#web-auth login-attempts 2
Console(config)#

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Example
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.

Syntax
[no] web-auth system-auth-control

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number.
show web-auth
This command displays global web authentication parameters.

Command Mode
Privileged Exec

Example
Console#show web-auth
Global Web-Auth Parameters
 System Auth Control : Enabled
 Session Timeout     : 3600
 Quiet Period        : 60
 Max Login Attempts  : 3
Console#

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.

Syntax
show web-auth interface interface
interface - Specifies a port interface.
Example
Console#show web-auth summary
Global Web-Auth Parameters
 System Auth Control : Enabled
Port   Status    Authenticated Host Count
----   ------    ------------------------
1/ 1   Disabled  0
1/ 2   Enabled   8
1/ 3   Disabled  0
1/ 4   Disabled  0
1/ 5   Disabled  0
.
.
.

DHCP Snooping
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.

Syntax
[no] ip dhcp snooping

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
• If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
• If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
• If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
Default Setting
Option 82: Disabled
CID/RID sub-type: Enabled
Remote ID: MAC address (hexadecimal)

Command Mode
Global Configuration

Command Usage
• DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information.

Syntax
ip dhcp snooping information policy {drop | keep | replace}
drop - Drops the client’s request packet instead of relaying it.
keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
Example
This example enables MAC address verification.
Console(config)#ip dhcp snooping verify mac-address
Console(config)#

Related Commands
“ip dhcp snooping” on page 212
“ip dhcp snooping vlan” on page 216
“ip dhcp snooping trust” on page 218

ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
ip dhcp snooping information option circuit-id
This command enables the use of DHCP Option 82 information circuit-id suboption. Use the no form to disable this feature.

Syntax
ip dhcp snooping information option circuit-id string string
no dhcp snooping information option circuit-id
string - An arbitrary string inserted into the circuit identifier field.
Example
This example sets the DHCP Snooping Information circuit-id suboption string.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping information option circuit-id string 6910
Console(config-if)#

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.

Syntax
clear ip dhcp snooping binding [mac-address vlan vlan-id]
mac-address - Specifies a MAC address entry.
show ip dhcp snooping
This command shows the DHCP snooping configuration settings.

Command Mode
Privileged Exec

Example
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
1
Verify Source Mac-Address: enable
Interface  Trusted
---------  -------
Eth 1/1    No
Eth 1/2    No
Eth 1/3    No
Eth 1/4    No
Eth 1/5    Yes
.
.
.
IP Source Guard

TABLE 55 IP Source Guard Commands (Continued)
Command                       Function                                                                Mode
ip source-guard max-binding   Sets the maximum number of entries that can be bound to an interface    IC
show ip source-guard          Shows whether source guard is enabled or disabled on each interface     PE
show ip source-guard binding  Shows the source guard binding table                                    PE

ip source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
Example
This example configures a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5
Console(config-if)#

Related Commands
“ip source-guard” on page 222
“ip dhcp snooping” on page 212
“ip dhcp snooping vlan” on page 216

ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address.
• If the IP source guard is enabled, an inbound packet’s IP address (sip option) or both its IP address and corresponding MAC address (sip-mac option) will be checked against the binding table. If no matching entry is found, the packet will be dropped.
• Filtering rules are implemented as follows:
  • If DHCP snooping is disabled (see “ip dhcp snooping” on page 212), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
Command Usage
• This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.

Example
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.
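The following Python model is an added example, not code from this guide or from the switch firmware. It shows how the sip and sip-mac options described above differ when a packet is checked against the binding table, using the static entry from the ip source-guard binding example and a max-binding of one on port 5. The class and function names are hypothetical, and refusing entries beyond the max-binding limit is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List


def norm_mac(mac: str) -> str:
    """Compare MAC addresses case-insensitively, accepting '-' or ':' separators."""
    return mac.lower().replace(":", "-")


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str
    source: str  # "static" (ip source-guard binding) or "dhcp-snooping"


class SourceGuardTable:
    """Hypothetical model of the source-guard binding table."""

    def __init__(self) -> None:
        self.bindings: List[Binding] = []
        self.mode: Dict[str, str] = {}         # port -> "sip" or "sip-mac"
        self.max_binding: Dict[str, int] = {}  # port -> entry limit

    def add(self, entry: Binding) -> bool:
        """Add a static or dynamic entry; both kinds count toward max-binding."""
        limit = self.max_binding.get(entry.port)
        used = sum(1 for b in self.bindings if b.port == entry.port)
        if limit is not None and used >= limit:
            return False  # assumption: entries over the limit are refused
        self.bindings.append(entry)
        return True

    def check(self, port: str, vlan: int, src_ip: str, src_mac: str) -> str:
        """Return "forward" or "drop" for an inbound packet on a port."""
        mode = self.mode.get(port)
        if mode is None:
            return "forward"  # source guard is not enabled on this port
        for b in self.bindings:
            # VLAN ID, source IP address and port number are always compared.
            if (b.port, b.vlan, b.ip) != (port, vlan, src_ip):
                continue
            # The source MAC address is compared only for the sip-mac option.
            if mode == "sip-mac" and norm_mac(b.mac) != norm_mac(src_mac):
                continue
            return "forward"
        return "drop"  # no matching entry in the binding table


def build_port5(mode: str) -> SourceGuardTable:
    """Port 1/5 with the guide's static binding and a max-binding of one."""
    table = SourceGuardTable()
    table.mode["1/5"] = mode
    table.max_binding["1/5"] = 1
    table.add(Binding("11-22-33-44-55-66", 1, "192.168.0.99", "1/5", "static"))
    return table


if __name__ == "__main__":
    spoofed_mac = "de-ad-be-ef-00-01"  # constructed value
    for mode in ("sip", "sip-mac"):
        table = build_port5(mode)
        verdict = table.check("1/5", 1, "192.168.0.99", spoofed_mac)
        print(f"{mode}: bound IP with a different source MAC -> {verdict}")
```

With sip, a host that reuses the bound IP address under a different source MAC address still passes; sip-mac closes that gap.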
ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination, dropping any invalid ARP packets.
Command Mode
Global Configuration

Command Usage
• When ARP Inspection is enabled globally with this command, it becomes active only on those VLANs where it has been enabled with the ip arp inspection vlan command.
• When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
• If static mode is enabled, the switch compares ARP packets to the specified ARP ACLs. Packets matching an IP-to-MAC address binding in a permit or deny rule are processed accordingly. Packets not matching any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked.
• If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped.
Example
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#

ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.

Syntax
ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
Default Setting
Disabled on all VLANs

Command Mode
Global Configuration

Command Usage
• When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
• When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection limit rate 150
Console(config-if)#

ip arp inspection trust
This command sets a port as trusted, and thus exempted from ARP Inspection. Use the no form to restore the default setting.
show ip arp inspection interface
This command shows the trust status and ARP Inspection rate limit for ports.

Syntax
show ip arp inspection interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Total ARP packets processed by ARP Inspection                          : 150
ARP packets dropped by additional validation (source MAC address)      : 0
ARP packets dropped by additional validation (destination MAC address) : 0
ARP packets dropped by additional validation (IP address)              : 0
ARP packets dropped by ARP ACLs                                        : 0
ARP packets dropped by DHCP snooping                                   : 0
Console#

show ip arp inspection vlan
This command shows the configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if th
Chapter 11 Access Control Lists

In this chapter
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.

Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

Syntax
{permit | deny} {any | source bitmask | host source} [time-range time-range-name]
no {permit | deny} {any | source bitmask | host source}
any – Any source IP address.
source – Source IP address.
bitmask – Dotted decimal number representing the address bits to match.
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
dport – Protocol destination port number. (Range: 0-65535)
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range.
This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#

This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.
show ip access-group
This command shows the ports assigned to IP ACLs.

Command Mode
Privileged Exec

Example
Console#show ip access-group
Interface ethernet 1/2
 IP access-list david in
Console#

Related Commands
“ip access-group” on page 238

show ip access-list
This command displays the rules for configured IPv4 ACLs.

Syntax
show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL.
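The following Python model is an added example, not code from this guide or from the switch firmware. It shows how the address bitmask, port-bitmask and control-flags/flag-bitmask parameters of the IPv4 ACL rules above select packets, and why the choice of flag-bitmask decides whether a "SYN" rule also admits SYN+ACK segments. It assumes that a 1 bit in a bitmask means the bit must match (as this guide states for MAC filter masks) and that rules are tested top-down; the Rule class, the evaluate and packet functions and the sample rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits carried in byte 14 of the TCP header (decimal range 0-63).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
TCP = 6  # IP protocol number for TCP


def ip_int(addr: str) -> int:
    """Dotted-decimal IPv4 address or bitmask -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def masked_equal(value: int, rule_value: int, bitmask: int) -> bool:
    """True when value and rule_value agree on every bit set in bitmask."""
    return (value & bitmask) == (rule_value & bitmask)


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"       # an all-zero bitmask behaves like "any"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None  # None matches every IP protocol
    dport: Optional[int] = None
    dport_mask: int = 0xFFFF        # port-bitmask (range 0-65535)
    flags: Optional[int] = None     # control-flags (range 0-63)
    flag_mask: int = 0              # flag-bitmask

    def matches(self, pkt: dict) -> bool:
        if not masked_equal(ip_int(pkt["src"]), ip_int(self.src), ip_int(self.src_mask)):
            return False
        if not masked_equal(ip_int(pkt["dst"]), ip_int(self.dst), ip_int(self.dst_mask)):
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.dport is not None:
            if "dport" not in pkt or not masked_equal(pkt["dport"], self.dport, self.dport_mask):
                return False
        if self.flags is not None:
            if "flags" not in pkt or not masked_equal(pkt["flags"], self.flags, self.flag_mask):
                return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches.

    Assumption: rules are tested top-down in the order they were added.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def packet(src: str, dport: int, flags: int) -> dict:
    """Constructed TCP packet header fields used as sample input."""
    return {"src": src, "dst": "10.0.0.5", "proto": TCP, "dport": dport, "flags": flags}


# Constructed rule sets modelled on the two examples in the guide.
NET = dict(src="192.168.1.0", src_mask="255.255.255.0")
HTTP_ONLY = [Rule("permit", protocol=TCP, dport=80, **NET)]
# flag-bitmask 2: only the SYN bit is compared, so SYN+ACK also matches.
SYN_LOOSE = [Rule("permit", protocol=TCP, flags=SYN, flag_mask=SYN, **NET)]
# flag-bitmask 18: SYN must be set and ACK must be clear.
SYN_STRICT = [Rule("permit", protocol=TCP, flags=SYN, flag_mask=SYN | ACK, **NET)]
# A bitmask one octet too short silently widens the rule to 192.168.x.x.
TOO_WIDE = [Rule("permit", src="192.168.1.0", src_mask="255.255.0.0")]

if __name__ == "__main__":
    syn_ack = packet("192.168.1.77", 22, SYN | ACK)
    print("SYN+ACK, flag-bitmask 2 :", evaluate(SYN_LOOSE, syn_ack))
    print("SYN+ACK, flag-bitmask 18:", evaluate(SYN_STRICT, syn_ack))
    print("192.168.200.9, mask 255.255.0.0:", evaluate(TOO_WIDE, packet("192.168.200.9", 22, ACK)))
```

A result of None means no rule matched; how such a packet is handled is not modelled here.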
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Related Commands
“permit, deny (Standard IPv6 ACL)” on page 241
“permit, deny (Extended IPv6 ACL)” on page 242
“ipv6 access-group” on page 244
“show ipv6 access-list” on page 243

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, or next header type. Use the no form to remove a rule.
• Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
Related Commands
“permit, deny (Standard IPv6 ACL)” on page 241
“permit, deny (Extended IPv6 ACL)” on page 242
“ipv6 access-group” on page 244

ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.

Syntax
ipv6 access-group acl-name {in | out} [time-range time-range-name] [counter]
no ipv6 access-group acl-name {in | out}
acl-name – Name of the ACL. (Maximum length: 16 characters)
in – Indicates that this list applies to ingress packets.
Console#

Related Commands
“ipv6 access-group” on page 244

MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Related Commands
“permit, deny (MAC ACL)” on page 246
“mac access-group” on page 248
“show mac access-list” on page 249

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
{permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name]
no {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}
tagged-eth2 – Tagged Ethernet II packets.
untagged-eth2 – Untagged Ethernet II packets.
tagged-802.3 – Tagged Ethernet 802.3 packets.
untagged-802.3 – Untagged Ethernet 802.3 packets.
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#

Related Commands
“access-list mac” on page 245
“Time Range” on page 101

mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.
Example
Console#show mac access-group
Interface ethernet 1/5
 MAC access-list M5 in
Console#

Related Commands
“mac access-group” on page 248

show mac access-list
This command displays the rules for configured MAC ACLs.

Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.
ARP ACLs

access-list arp
This command adds an ARP access list and enters ARP ACL configuration mode. Use the no form to remove the specified ACL.

Syntax
[no] access-list arp acl-name
acl-name – Name of the ACL. (Maximum length: 16 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
• When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
[no] {permit | deny} response ip {any | host source-ip | source-ip ip-address-bitmask} {any | host destination-ip | destination-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [any | host destination-mac | destination-mac mac-address-bitmask] [log]
source-ip – Source IP address.
destination-ip – Destination IP address with bitmask.
ip-address-bitmask – IPv4 number representing the address bits to match.
source-mac – Source MAC address.
Example
Console#show access-list arp
ARP access-list factory:
 permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console#

Related Commands
“permit, deny (ARP ACL)” on page 250

ACL Information
This section describes commands used to display ACL information.

TABLE 62 ACL Information Commands
Command                              Function                                                              Mode
clear access-list hardware counters  Clears hit counter for rules in all ACLs, or in a specified ACL.
show access-list
This command shows all ACLs and associated rules.

Syntax
show access-list [[arp [acl-name]] | [hardware counters] [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]]
arp – Shows ingress or egress rules for ARP ACLs.
hardware counters – Shows statistics for all ACLs.
ip extended – Shows ingress rules for Extended IPv4 ACLs.
Chapter 12 Interface Commands

In this chapter
Interface commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
TABLE 63 Interface Commands (Continued)
Command                      Function                                                             Mode
show interfaces status       Displays status for the specified interface                          NE, PE
show interfaces switchport   Displays the administrative and operational status of an interface   NE, PE
show interfaces transceiver  Displays the temperature, voltage, bias current, transmit power, and receive power information on connector type and vendor-related parameters  PE
test cable-diagnostics       Performs cable diagnostics on the speci
Command Mode
Global Configuration

Command Usage
• The craft interface is provided as an out-of-band management connection which is isolated from all other ports on the switch. This interface must first be configured with an IPv4 or IPv6 address before a connection can be made through Telnet, SSH, or HTTP.
• When the interface command is used for the first time to enter interface configuration mode for a VLAN, that VLAN is changed to a Layer 3 interface.
Example
The following example adds an alias to port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#alias finance
Console(config-if)#

capabilities
This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
description
This command adds a description to an interface. Use the no form to remove the description.

Syntax
description string
no description

string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters)

Default Setting
None

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
The description is displayed by the show interfaces status command and in the running-configuration file.
• When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To enable flow control under auto-negotiation, “flowcontrol” must be included in the capabilities list for any port.

Example
The following example enables flow control on port 5.
media-type
This command forces the port type selected for combination ports. Use the no form to restore the default mode.

Syntax
media-type mode
no media-type

mode
  copper-forced - Always uses the built-in RJ-45 port.
  sfp-forced - Always uses the SFP port (even if module not installed).
  sfp-preferred-auto - Uses SFP port if both combination types are functioning and the SFP port has a valid link.
• If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.

Example
The following example configures port 10 to use auto-negotiation.

Console(config)#interface ethernet 1/10
Console(config-if)#negotiation
Console(config-if)#

Related Commands
“capabilities” on page 258
“speed-duplex.”

shutdown
This command disables an interface. To restart a disabled interface, use the no form.
10full - Forces 10 Mbps full-duplex operation
10half - Forces 10 Mbps half-duplex operation

Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting is 100full on the 1000BASE-T ports.

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• The 1000BASE-T standard does not support forced mode.
Default Setting
Broadcast Storm Control: Enabled, packet-rate limit: 64 kbps
Multicast Storm Control: Disabled
Unknown Unicast Storm Control: Disabled

Command Mode
Interface Configuration (Ethernet)

Command Usage
• When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
Command Mode
Interface Configuration (Ethernet)

Command Usage
• A high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the high threshold and reaches the low threshold.
Command Usage
• The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
• Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
• Trap messages configured by this command are sent to any management station configured by the snmp-server host command.
• This command only applies to transceiver vendor "BROCADE".
Example
The following example sets alarm thresholds for the transceiver temperature at port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold temperature low-alarm 97
Console(config-if)#transceiver-threshold temperature high-alarm -83
Console#

transceiver-threshold tx-power
This command sends a trap when the power level of the transmitted signal falls outside of the specified thresholds.
transceiver-threshold voltage
This command sends a trap when the transceiver voltage falls outside the specified thresholds.

Syntax
transceiver-threshold voltage {high-alarm | high-warning | low-alarm | low-warning} threshold-value

high-alarm – Sends an alarm message when the high voltage threshold is crossed.
high-warning – Sends a warning message when the high voltage threshold is crossed.
low-alarm – Sends an alarm message when the low voltage threshold is crossed.
clear counters
This command clears statistics on an interface.

Syntax
clear counters interface

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
  port-channel channel-id (Range: 1-12)
  vlan vlan-id (Range: 1-4093)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.
show interfaces counters
This command displays interface statistics.

Syntax
show interfaces counters [interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
  port-channel channel-id (Range: 1-12)

Default Setting
Shows the counters for all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed.
0 Carrier Sense Errors
0 Symbol Errors
0 Pause Frames Input
0 Pause Frames Output
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 Octets
9187 Packet Size 1024 to 1518 Octets
=====
output - Egress traffic.

Default Setting
Shows historical statistics for all interfaces, intervals, ingress traffic, and egress traffic.

Command Mode
Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port or Trunk Statistics” on page 710.

Example
This example shows the statistics recorded for all named entries in the sampling table.
Octets Output   Unicast       Multicast     Broadcast
--------------- ------------- ------------- -------------
648387890       819696        358285        8921

Discards      Errors
------------- -------------
0             0

Interface         : Eth 1/ 1
Name              : 1day
Interval          : 1440 minute(s)
Buckets Requested : 7
Buckets Granted   : 0
Status            : Active

Current Entries
Start Time   Octets Input    Unicast       Multicast     Broadcast
------------ --------------- ------------- ------------- -------------
00d 00:00:01 1563328011      8391643       4440171       241090

Discards Er
Discards      Errors
------------- -------------
0             0

Previous Entries
Start Time   Octets Input    Unicast       Multicast     Broadcast
------------ --------------- ------------- ------------- -------------
00d 00:05:37 1400912         9381          1895          50
00d 00:06:37 1566090         10660         2195          50
00d 00:07:37 1754781         11786         2674          59

Start Time   Octets Input    Discards      Errors        Unknown Proto
------------ --------------- ------------- ------------- -------------
00d 00:05:37 1400912         0             0             0
00d 00:06:37 1566090         0             0             0
00d 00:07:37 1754781         0
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status” on page 704.
Command Usage
If no interface is specified, information on all interfaces is displayed.

Example
This example shows the configuration setting for port 1.
TABLE 64 show interfaces switchport - display description (Continued)
Field | Description
Allowed VLAN | Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (see “switchport allowed vlan” on page 379).
Forbidden VLAN | Shows the VLANs this interface can not dynamically join via GVRP (see “switchport forbidden vlan” on page 372).
802.1Q-tunnel Status | Shows if 802.
Vendor OUI   : 00-05-1E
Vendor Name  : BROCADE
Vendor PN    : 33210-100
Vendor Rev   : A
Vendor SN    : TAF11119000075U
Date Code    : 11-05-06
DDM Info
 Temperature  : 31.62 degree C
 Vcc          : 3.27 V
 Bias Current : 5.48 mA
 TX Power     : -5.45 dBm
 RX Power     : -33.01 dBm
DDM Thresholds
                      Low Alarm   Low Warning
--------------------- ----------- -----------
Temperature(Celsius)  -123.00     0.00
Voltage(Volts)        3.10        3.15
Current(mA)           6.00        7.00
TxPower(dBm)          -12.00      -11.50
RxPower(dBm)          -21.50      -21.
Console#
• Short: Shorted pair
• Not Supported: This message is displayed for any Fast Ethernet ports that are linked up, or for any Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps.
• Impedance mismatch: Terminating impedance is not in the reference range.
• Ports are linked down while running cable diagnostics.
Loopback Testing

ethernet loopback
This command loops traffic back from destination port to source port. Use the no form to stop the loopback function.

Syntax
ethernet loopback [vlan vlan-list]
no ethernet loopback

vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4093)

Command Mode
Interface Configuration (Ethernet)

Command Usage
• This feature loops incoming frames back to the source.
Example
Console(config)#interface ethernet 1/10
Console(config-if)#ethernet loopback vlan 1-2
Console(config-if)#

show ethernet loopback interface
This command shows administrative status for each port, and the associated VLANs.

Syntax
show ethernet loopback interface [interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Power Savings

power-save
This command enables power savings mode on the specified port.

Syntax
[no] power-save

Command Mode
Interface Configuration (Ethernet)

Command Usage
• IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
Console(config-if)#

show power-save
This command shows the configuration settings for power savings.

Syntax
show power-save [interface interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Chapter 13 Link Aggregation Commands

In this chapter
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks.
• All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
• Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
• All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
• To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load-balance calculation to provide the best result for trunk connections:
  • dst-ip: All traffic with the same destination IP address is output on the same link in a trunk. This mode works best for switch-to-router trunk links where traffic through the switch is destined for many different hosts.
Example
The following example creates trunk 1 and then adds port 10:

Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/10
Console(config-if)#channel-group 1
Console(config-if)#

Dynamic Configuration Commands

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Port Admin : Up
Speed-duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Broadcast Storm : Enabled
Broadcast Storm Limit : 64 Kbits/second
Multicast Storm : Disabled
Multicast Storm Limit : 64 Kbits/second
Unknown Unicast Storm : Disabled
Unknown Unicast Storm Limit : 64 Kbits/second
Flow Control : Disabled
VLAN Trunking : Disabled
Current status:
Created By : LACP
Link Status : Up
Port Operation Status : Up
Operation speed-duplex : 1000full
Up Time : 0w 0
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor admin-key 120
Console(config-if)#

lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority

actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - LACP port priority is used to select a backup link.
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.

Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority

actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
Command Mode
Interface Configuration (Port Channel)

Command Usage
• Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
• If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
Console(config-if)#

Trunk Status Display Commands

show lacp
This command displays LACP information.

Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}

port-channel - Local identifier for a link aggregation group. (Range: 1-12)
counters - Statistics for LACP protocol messages.
internal - Configuration settings and operational state for local side.
neighbors - Configuration settings and operational state for remote side.
Console#show lacp 1 internal
Port Channel : 1
-------------------------------------------------------------------------
Oper Key : 3
Admin Key : 0
Timeout : long
Eth 1/ 1
-------------------------------------------------------------------------
LACPDUs Internal : 30 seconds
LACP System Priority : 32768
LACP Port Priority : 32768
Admin Key : 3
Oper Key : 3
Admin State : defaulted, aggregation, long timeout, LACP-activity
Oper State : distributing, collecting, synchronization, aggre
Console#show lacp 1 neighbors
Port Channel 1 neighbors
-------------------------------------------------------------------------
Eth 1/ 1
-------------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-12-CF-61-24-2F
Partner Admin Port Number : 1
Partner Oper Port Number : 1
Port Admin Priority : 32768
Port Oper Priority : 32768
Admin Key : 0
Oper Key : 3
Admin State: defaulted, distrib
TABLE 69 show lacp sysid - display description
Field | Description
Channel group | A link aggregation group configured on this switch.
System Priority* | LACP system priority for this channel group.
System MAC Address* | System MAC address.
* The LACP system priority and system MAC address are concatenated to form the LAG system ID.

show port-channel load-balance
This command shows the load-distribution method used on aggregated links.
Chapter 14 Port Mirroring Commands

In this chapter
Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Local Port Mirroring Commands

acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters)

Default Setting
• No mirror session is defined.
• When enabled for an interface, default mirroring is for both received and transmitted packets.
• When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.
This example configures port 2 to monitor packets matching the MAC address 00-12-CF-XX-XX-XX received by port 1.
RSPAN Mirroring Commands
Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.
• IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. RSPAN uplink ports cannot be configured to use IEEE 802.
Example
The following example configures the switch to mirror received packets from port 2 and 3:

Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.

Syntax
[no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface

session-id – A number identifying this RSPAN session. (Range: 1) Only one mirror session is allowed, including both local and remote mirroring.
Example
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:

Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#

no rspan session
Use this command to delete a configured RSPAN session.

Syntax
no rspan session session-id

session-id – A number identifying this RSPAN session.
Destination Tagged Mode : Untagged
Switch Role             : Destination
RSPAN VLAN              : 2
RSPAN Uplink Ports      : Eth 1/3
Operation Status        : Up
Console#
Chapter 15 Rate Limit Commands

In this chapter
Rate Limiting allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 64
Console(config-if)#

Related Command
“show interfaces switchport” on page 275
Chapter 16 Automatic Traffic Control Commands

In this chapter
Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
TABLE 74 ATC Commands (Continued)
Command | Function | Mode
snmp-server enable port-traps atc multicast-control-release | Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires | IC (Port)
show auto-traffic-control | Shows global configuration settings for automatic storm control | PE
show auto-traffic-control interface | Shows interface configuration settings and storm contro
FIGURE 2 Storm Control by Shutting Down a Port

The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

Functional Limitations
Automatic storm control is a software level control function. Traffic storms can also be controlled at the hardware level using the switchport packet-rate command.
Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command.

Example
This example sets the apply timer to 200 seconds for all ports.
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.

Syntax
[no] auto-traffic-control {broadcast | multicast}

broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
Command Mode
Interface Configuration (Ethernet)

Command Usage
• When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
• When the control response is set to rate limiting by this command, the rate limits are determined by the auto-traffic-control alarm-clear-threshold command.
• If rate limiting has been configured as a control response, it will be discontinued after the traffic rate has fallen beneath the lower threshold, and the release timer has expired. Note that if a port has been shut down by a control response, it will not be re-enabled by automatic traffic control. It can only be manually re-enabled using the auto-traffic-control control-release command.
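The apply and release behavior described in this chapter can be traced with a small model. The following Python sketch is an added example, not code from this guide or from the switch firmware. It assumes one traffic sample per second, assumes a timer restarts whenever its condition stops holding, and uses event names that mirror the trap commands of this chapter; the class, field and label names are hypothetical.

```python
from dataclasses import dataclass, field

# Labels used by this sketch only; they are not CLI keywords.
RATE_LIMIT = "rate-limit"
SHUTDOWN = "shutdown"


@dataclass
class AtcPort:
    """Simplified per-port model of automatic traffic control (assumed timing)."""
    upper: int            # upper threshold: storm suspected above this rate
    lower: int            # lower threshold: storm considered over below this rate
    apply_timer: int      # seconds above `upper` before the response is applied
    release_timer: int    # seconds below `lower` before rate limiting is released
    action: str = RATE_LIMIT
    state: str = "normal"  # "normal", "rate-limited" or "shutdown"
    elapsed: int = 0       # consecutive seconds the current condition has held
    events: list = field(default_factory=list)

    def sample(self, t, rate):
        """Feed one per-second traffic sample taken at time t."""
        if self.state == "shutdown":
            return  # a shut-down port is never re-enabled automatically
        if self.state == "normal":
            # Assumption: a dip to or below the upper threshold restarts the timer.
            self.elapsed = self.elapsed + 1 if rate > self.upper else 0
            if self.elapsed >= self.apply_timer:
                self.state = "shutdown" if self.action == SHUTDOWN else "rate-limited"
                self.elapsed = 0
                self.events.append((t, "control-apply"))
            return
        # state == "rate-limited"
        if rate < self.lower:
            if self.elapsed == 0:
                self.events.append((t, "alarm-clear"))
            self.elapsed += 1
            if self.elapsed >= self.release_timer:
                self.state = "normal"
                self.elapsed = 0
                self.events.append((t, "control-release"))
        else:
            self.elapsed = 0  # assumption: release timer restarts

    def manual_release(self, t):
        """Models the operator running the control-release command."""
        if self.state == "shutdown":
            self.state = "normal"
            self.elapsed = 0
            self.events.append((t, "manual-release"))


def simulate(port, rates):
    """Run a list of per-second rates through the port and return its events."""
    for t, rate in enumerate(rates):
        port.sample(t, rate)
    return port.events


# Constructed trace: a 2-second burst, then a sustained storm that subsides.
SAMPLE_RATES = [20, 150, 160, 40, 170, 180, 190, 120, 45, 30, 20]

if __name__ == "__main__":
    limited = AtcPort(upper=100, lower=50, apply_timer=3, release_timer=2)
    print("rate limiting:", simulate(limited, SAMPLE_RATES), limited.state)
    shut = AtcPort(upper=100, lower=50, apply_timer=3, release_timer=2,
                   action=SHUTDOWN)
    print("shutdown     :", simulate(shut, SAMPLE_RATES), shut.state)
```

With the shutdown response the port stays down after the storm has subsided, which is why the control-apply trap should reach a monitored management station.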
auto-traffic-control auto-control-release
This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired.

Syntax
auto-traffic-control {broadcast | multicast} auto-control-release

broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
SNMP Trap Commands

snmp-server enable port-traps atc broadcast-alarm-clear
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
snmp-server enable port-traps atc broadcast-control-apply
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
snmp-server enable port-traps atc multicast-alarm-clear
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
snmp-server enable port-traps atc multicast-control-apply
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
ATC Display Commands

show auto-traffic-control
This command shows global configuration settings for automatic storm control.
Chapter 17 Address Table Commands

In this chapter
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id

mac-address - MAC address.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#clear mac-address-table dynamic
Console#

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.

Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]

mac-address - MAC address.
• The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit “0” means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.”
• The maximum number of address entries is 16K.
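The mask rule above (bit 0 = match, bit 1 = ignore) is the inverse of an IP netmask, which is easy to get wrong when filtering by vendor prefix. The following Python sketch is an added example, not code from this guide; it applies the rule to a constructed address table, and the function names, table layout and allow-list are assumptions made for illustration.

```python
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")
ALL_BITS = (1 << 48) - 1


def parse_mac(text):
    """Convert 'xx-xx-xx-xx-xx-xx' to a 48-bit integer, rejecting other forms."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"expected xx-xx-xx-xx-xx-xx, got {text!r}")
    return int(text.replace("-", ""), 16)


def mac_matches(candidate, address, mask="00-00-00-00-00-00"):
    """True if candidate equals address on every bit the mask marks as 0.

    Mask bit 0 = compare this bit, mask bit 1 = ignore it, so the mask is
    inverted before it is ANDed with the addresses.
    """
    care = ~parse_mac(mask) & ALL_BITS
    return (parse_mac(candidate) & care) == (parse_mac(address) & care)


def filter_table(entries, address, mask="00-00-00-00-00-00"):
    """Return the entries selected by an address/mask pair."""
    return [e for e in entries if mac_matches(e["mac"], address, mask)]


def outside_allowed(entries, allowed):
    """Return entries that match none of the (address, mask) pairs in `allowed`."""
    return [e for e in entries
            if not any(mac_matches(e["mac"], a, m) for a, m in allowed)]


# Constructed sample table (not captured from a switch).
SAMPLE_TABLE = [
    {"interface": "Eth 1/1", "mac": "00-12-CF-61-24-2F", "vlan": 1},
    {"interface": "Eth 1/2", "mac": "00-12-CF-0A-0B-0C", "vlan": 1},
    {"interface": "Eth 1/3", "mac": "00-05-1E-11-22-33", "vlan": 2},
    {"interface": "Eth 1/4", "mac": "02-00-00-00-00-01", "vlan": 2},
]

# Hypothetical allow-list: the first three octets must match, the rest is ignored.
ALLOWED_PREFIXES = [
    ("00-12-CF-00-00-00", "00-00-00-FF-FF-FF"),
    ("00-05-1E-00-00-00", "00-00-00-FF-FF-FF"),
]

if __name__ == "__main__":
    for e in filter_table(SAMPLE_TABLE, "00-12-CF-00-00-00", "00-00-00-FF-FF-FF"):
        print("prefix match :", e["interface"], e["mac"])
    for e in outside_allowed(SAMPLE_TABLE, ALLOWED_PREFIXES):
        print("not in allow-list:", e["interface"], e["mac"])
```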
Command Mode
Privileged Exec

Example
Console#show mac-address-table count interface ethernet 1/1
MAC Entries for Port ID           :1
Dynamic Address Count             :0
Total MAC Addresses               :0
Total MAC Address Space Available: 16384
Console#
Chapter 18 Spanning Tree Commands

In this chapter
This chapter includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
TABLE 76 Spanning Tree Commands (Continued)
Command | Function | Mode
spanning-tree loopback-detection action | Configures the response for loopback detection to block user traffic or shut down the interface | IC
spanning-tree loopback-detection release-mode | Configures loopback release mode for a port | IC
spanning-tree loopback-detection trap | Enables BPDU loopback SNMP trap notification for a port | IC
spanning-tree mst cost | Configures the path cost of an instance in the MST
Example
This example shows how to enable the Spanning Tree Algorithm for the switch:

Console(config)#spanning-tree
Console(config)#

spanning-tree cisco-prestandard
This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.

[no] spanning-tree cisco-prestandard

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Cisco prestandard versions prior to Cisco IOS Release 12.
Example
Console(config)#spanning-tree forward-time 20
Console(config)#

spanning-tree hello-time
This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree hello-time time
no spanning-tree hello-time

time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) - 1].
Command Mode
Global Configuration

Command Usage
This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconverge. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
• Rapid Spanning Tree Protocol
  RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
  • STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • RSTP Mode – If RSTP is using 802.
Command Usage
• The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (“spanning-tree cost” on page 342) takes precedence over port priority (“spanning-tree port-priority” on page 348).
• The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP).
Example
Console(config)#spanning-tree mst configuration
Console(config-mstp)#

Related Commands
“mst vlan” on page 338
“mst priority” on page 337
“name” on page 339
“revision” on page 339
“max-hops” on page 337

spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port.
Default Setting
3

Command Mode
Global Configuration

Command Usage
This command limits the maximum transmission rate for BPDUs.

Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#

max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.

Syntax
max-hops hop-number

hop-number - Maximum hop number for multiple spanning tree.
priority - Priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440)

Default Setting
32768

Command Mode
MST Configuration

Command Usage
• MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device.
• By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 32 instances. You should try to group VLANs which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region (“name” on page 339) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs.
Default Setting
0

Command Mode
MST Configuration

Command Usage
The MST region name (see “name” on page 339) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.

Syntax
spanning-tree bpdu-guard [auto-recovery [interval interval]]
no spanning-tree bpdu-guard [auto-recovery [interval]]

auto-recovery - Automatically re-enables an interface after the specified interval.
spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)
TABLE 77 Recommended STA Path Cost Range
Port Type Short Path Cost (IEEE 802.1D-1998) Long Path Cost (802.
spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
Syntax
spanning-tree edge-port [auto]
no spanning-tree edge-port
auto - Automatically determines if an interface is an edge port.
Default Setting
Auto
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
Command Usage
• Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges.
• When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
• RSTP only works on point-to-point links between two bridges.
duration - The duration to shut down the interface. (Range: 60-86400 seconds)
Default Setting
block
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• If an interface is shut down by this command, and the release mode is set to “auto” with the spanning-tree loopback-detection release-mode command, the selected interface will be automatically enabled when the shutdown interval has expired.
• When configured for manual release mode, then a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#

spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Each spanning-tree instance is associated with a unique set of VLAN IDs.
• This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
• Use the no spanning-tree mst cost command to specify auto-configuration mode.
Related Commands
“spanning-tree mst cost” on page 346

spanning-tree port-bpdu-flooding
This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
• Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree port-priority 0
Related Commands
“spanning-tree cost” on page 342

spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.
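The spanning-tree bpdu-guard, spanning-tree edge-port, spanning-tree root-guard and spanning-tree spanning-disabled commands described above can be checked across a saved configuration with a short script. This is an added example, not code from this guide or from Brocade; the stanza layout of the sample configuration, the interval value 300 and the audit policy itself are assumptions made for the example.

```python
import re

# Command spellings come from this guide. The stanza layout of the sample
# ("interface" line, its commands, "!" separator) is an assumption.
FEATURES = {
    "spanning-tree edge-port": "edge_port",
    "spanning-tree bpdu-guard": "bpdu_guard",
    "spanning-tree root-guard": "root_guard",
    "spanning-tree spanning-disabled": "stp_disabled",
}
IFACE = re.compile(r"interface (ethernet \d+/\d+|port-channel \d+)")

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
interface ethernet 1/1
 switchport mode access
 spanning-tree edge-port
 spanning-tree bpdu-guard auto-recovery interval 300
 no spanning-tree bpdu-guard auto-recovery
!
interface ethernet 1/2
 switchport mode access
 spanning-tree edge-port
 spanning-tree bpdu-guard
 no spanning-tree bpdu-guard
!
interface ethernet 1/3
 switchport mode access
 spanning-tree root-guard
!
interface ethernet 1/4
 switchport mode access
!
interface ethernet 1/5
 spanning-tree spanning-disabled
!
interface ethernet 1/12
 switchport mode trunk
"""


def parse_interfaces(text):
    """Return {interface: settings}; within a stanza the last command wins."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = None
            continue
        m = IFACE.fullmatch(line)
        if m:
            current = ports.setdefault(
                m.group(1), {"mode": None, **dict.fromkeys(FEATURES.values(), False)})
            continue
        if current is None:
            continue  # global commands are outside this audit
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if cmd.startswith("switchport mode"):
            words = cmd.split()
            current["mode"] = words[2] if not negated and len(words) > 2 else None
            continue
        for prefix, key in FEATURES.items():
            if cmd == prefix:
                current[key] = not negated      # bare "no" form disables the feature
            elif cmd.startswith(prefix + " ") and not negated:
                current[key] = True
            # "no <command> <keyword>" only restores that keyword's default,
            # so the feature itself keeps its current state.
    return ports


def audit(text):
    """Assumed policy: explicit edge ports need bpdu-guard, access ports need
    bpdu-guard or root-guard, and spanning tree should not be disabled."""
    findings = []
    for name, p in parse_interfaces(text).items():
        if p["stp_disabled"]:
            findings.append((name, "spanning-disabled"))
        elif p["edge_port"] and not p["bpdu_guard"]:
            findings.append((name, "edge-port without bpdu-guard"))
        elif p["mode"] == "access" and not (p["bpdu_guard"] or p["root_guard"]):
            findings.append((name, "access port with neither bpdu-guard nor root-guard"))
    return findings


if __name__ == "__main__":
    for interface, problem in audit(SAMPLE_CONFIG):
        print(f"{interface}: {problem}")
```

Port 1/1 stays clean because the no form with the auto-recovery keyword only resets that keyword, while the bare no form on port 1/2 removes the guard.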
spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
Syntax
[no] spanning-tree spanning-disabled
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example disables the spanning tree algorithm for port 5.
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
spanning-tree protocol-migration interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
• Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
External Admin Path Cost
Internal Admin Path Cost
External Oper Path Cost
Internal Oper Path Cost
Priority
Designated Cost
Designated Port
Designated Root
Designated Bridge
Forward Transitions
Admin Edge Port
Oper Edge Port
Admin Link Type
Oper Link Type
Flooding Behavior
Spanning-Tree Status
Loopback Detection Status
Loopback Detection Release Mode
Loopback Detection Trap
Loopback Detection Action
Root Guard Status
BPDU Guard Status
BPDU Guard Auto Recovery
BPDU Guard Auto Recov
Revision Level :0
Instance VLANs
--------------------------------------------------------------
0 1-4093
Console#
Chapter 19 ERPS Commands
In this chapter
The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
3. Configure the RPL owner: Configure one node in the ring as the Ring Protection Link (RPL) owner using the rpl owner command. When this switch is configured as the RPL owner, the west ring port is set as being connected to the RPL. Under normal operations (Idle state), the RPL is blocked to ensure that a loop cannot form in the ring.
erps domain
This command creates an ERPS ring and enters ERPS configuration mode for the specified domain. Use the no form to delete a ring.
Syntax
[no] erps domain name
name - Name of a specific ERPS ring. (Range: 1-12 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
Up to 6 ERPS rings can be configured on the switch.
• Also, the ring ports of the Control VLAN must be tagged.
• Once the ring has been activated with the enable command, the configuration of the control VLAN cannot be modified. Use the no enable command to stop the ERPS ring before making any configuration changes to the control VLAN.
guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.
Syntax
guard-timer milliseconds
milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages. During the duration of the guard timer, all received R-APS messages are ignored by the ring protection control process, giving time for old messages still circulating on the ring to expire.
When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero. Instead, the hold-off timer will be started. When the timer expires, the switch checks whether a defect still exists. If one does exist, that defect will be reported to the protection switching mechanism. The reported defect need not be the same one that started the timer.
Default Setting
0
Command Mode
ERPS Configuration
Command Usage
• This parameter is used to ensure that received R-APS PDUs are directed for this ring. A unique level should be configured for each local ring if there are many R-APS PDUs passing through this switch.
• If CFM determines that a MEP node which has been configured to monitor a ring port with this command has gone down, this information is passed to ERPS, which in turn processes it as a ring node failure. For more information on how ERPS recovers from a node failure, refer to “Ethernet Ring Protection Switching” on page 982.
Command Mode
ERPS Configuration
Command Usage
• The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL. However, using this standard recovery procedure may cause a non-ERPS device to become isolated when the ERPS device adjacent to it detects a continuity check message (CCM) loss event and blocks the link between the non-ERPS device and ERPS device.
Command Usage
• When a secondary ring detects a topology change, it can pass a message about this event to the major ring. When the major ring receives this kind of message from a secondary ring, it can clear the MAC addresses on its ring ports to help the secondary ring restore its connections more quickly through protection switching.
• When the MAC addresses are cleared, data traffic may flood onto the major ring.
Example
Console(config-erps)#ring-port east interface ethernet 1/12
Console(config-erps)#

rpl owner
This command configures a ring node to be the Ring Protection Link (RPL) owner or a non-owner.
Syntax
[no] rpl owner
Default Setting
non-owner
Command Mode
ERPS Configuration
Command Usage
• Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring).
Example
Console(config-erps)#wtr-timer 10
Console(config-erps)#

show erps
This command displays status information for all configured rings, or for a specified ring.
Syntax
show erps [domain ring-name]
ring-name - Name of a specific ERPS ring. (Range: 1-32 characters)
Command Mode
Privileged Exec
Example
This example displays a summary of all the ERPS rings configured on the switch.
This example displays detailed information for the specified ERPS ring.
TABLE 81 show erps domain - detailed display description (Continued)
Field | Description
East Port MEP | The CFM MEP used to monitor link status on the east port of a ring node
Non-ERPS Device Protect | Shows if the RPL owner node is configured to send non-standard health-check packets when it enters protection state without any link down event having been detected through SF messages
Propagate TC | Shows if the ring is configured to propagate topology change notification messages.
Chapter 20 VLAN Commands
In this chapter
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4093).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show bridge-ext
This command shows the configuration for bridge extension commands.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
See “Displaying Bridge Extension Capabilities” on page 678 for a description of the displayed items.
20 Editing VLAN Groups
Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
Join Timer : 20 centiseconds
Leave Timer : 60 centiseconds
Leave All Timer : 1000 centiseconds
Console#
Related Commands
“garp timer” on page 371

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
• Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
Command Mode
VLAN Database Configuration
Command Usage
• no vlan vlan-id deletes the VLAN.
• no vlan vlan-id name removes the VLAN name.
• no vlan vlan-id state returns the VLAN to the default state (i.e., active).
• You can configure up to 4093 VLANs on the switch.
NOTE
The switch allows 4093 user-manageable VLANs.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
20 Configuring VLAN Interfaces
Example
Console(config)#vlan database
Console(config-vlan)#no vlan 1 mac-learning
Console(config-vlan)#

show mac-learning
This command shows the status of MAC address learning for the specified VLAN.
Syntax
show mac-learning vlan vlan-id
vlan-id - ID of the configured VLAN. (Range: 1-4093)
Default Setting
Shows all VLANs.
interface vlan
This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.
Syntax
[no] interface vlan vlan-id
vlan-id - ID of the configured VLAN.
Example
The following example shows how to restrict the traffic received on port 1 to tagged frames:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport acceptable-frame-types tagged
Console(config-if)#
Related Commands
“switchport mode” on page 381

switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#

switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk.
Default Setting
VLAN 1
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN. When using Hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member.
FIGURE 3 Configuring VLAN Trunking
Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags. However, by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B.
Displaying VLAN Information
This section describes commands used to display VLAN information.
TABLE 86 Commands for Displaying VLAN Information
Command | Function | Mode
show interfaces status vlan | Displays status for the specified VLAN interface | NE, PE
show interfaces switchport | Displays the administrative and operational status of an interface | NE, PE
show vlan | Shows VLAN information | NE, PE

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
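The segregation described above can be seen at the byte level: the SPVLAN is carried in an outer tag inserted in front of the customer's own tag, which is left unchanged. This is an added example, not code from this guide; the MAC addresses, the SPVLAN values 100 and 200, the customer VLAN 10 and the outer TPID 0x88A8 (the IEEE 802.1ad value) are sample values chosen for the example.

```python
import struct

CTAG_TPID = 0x8100      # IEEE 802.1Q customer tag
SAMPLE_STPID = 0x88A8   # assumption: IEEE 802.1ad service tag value
MAX_VID = 4093          # VLAN ID range given in this guide is 1-4093


def vlan_tag(tpid, vid, pcp=0):
    """Encode one 4-byte tag: 16-bit TPID, then PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= MAX_VID:
        raise ValueError(f"VLAN ID out of range: {vid}")
    if not 0 <= pcp <= 7:
        raise ValueError(f"priority out of range: {pcp}")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def build_frame(dst, src, cvid, ethertype=0x0800, payload=b""):
    """Customer frame; cvid=None builds an untagged frame."""
    tag = vlan_tag(CTAG_TPID, cvid) if cvid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def push_outer(frame, spvlan, tpid=SAMPLE_STPID):
    """Insert the service provider tag directly after the two MAC addresses."""
    return frame[:12] + vlan_tag(tpid, spvlan) + frame[12:]


def pop_outer(frame, tpid=SAMPLE_STPID):
    """Remove the outer tag; return (spvlan, original customer frame)."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a tag")
    found, tci = struct.unpack_from("!HH", frame, 12)
    if found != tpid:
        raise ValueError("no service provider tag present")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def parse_tags(frame, outer_tpid=SAMPLE_STPID):
    """Return (spvlan, cvid, ethertype); a missing tag is reported as None.
    If outer_tpid equals 0x8100, the first tag is read as the outer tag."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    offset, spvlan, cvid = 12, None, None
    (etype,) = struct.unpack_from("!H", frame, offset)
    if etype == outer_tpid:
        spvlan = struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF
        offset += 4
        (etype,) = struct.unpack_from("!H", frame, offset)
    if etype == CTAG_TPID:
        cvid = struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF
        offset += 4
        (etype,) = struct.unpack_from("!H", frame, offset)
    return spvlan, cvid, etype


# Constructed sample frames: two customers that both use customer VLAN 10.
DST = bytes.fromhex("02aabbcc00ff")
SRC_A = bytes.fromhex("02aabbcc0001")
SRC_B = bytes.fromhex("02aabbcc0002")
FRAME_A = build_frame(DST, SRC_A, cvid=10, payload=b"customer A")
FRAME_B = build_frame(DST, SRC_B, cvid=10, payload=b"customer B")

if __name__ == "__main__":
    for name, frame, spvlan in (("A", FRAME_A, 100), ("B", FRAME_B, 200)):
        tunneled = push_outer(frame, spvlan)
        print(name, parse_tags(tunneled), pop_outer(tunneled)[1] == frame)
```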
dot1q-tunnel system-tunnel-control
This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.
Syntax
[no] dot1q-tunnel system-tunnel-control
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
• When a tunnel uplink port receives a packet from the service provider, the outer service provider’s tag is stripped off, and the packet passed on to the VLAN indicated by the inner tag. If no inner tag is found, the packet is passed onto the native VLAN defined for the uplink port.
Example
This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#
The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.
7. Verify configuration settings.
Console#show dot1q-tunnel service
802.1Q Tunnel Service Subscriptions
Port Match C-VID S-VID
-------- ----------- -----
Eth 1/ 1 10 100
Eth 1/ 1 20 200
Eth 1/ 1 30 300
Step 2. Configure Switch C.
1. Create VLAN 100, 200 and 300.
Console(config)#vlan database
Console(config-vlan)#vlan 100,200,300 media ethernet state active
2. Configure port 1 and port 2 as tagged members of VLAN 100, 200 and 300.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel tpid 9100
Console(config-if)#
Related Commands
“show interfaces switchport” on page 275

show dot1q-tunnel
This command displays information about QinQ tunnel ports.
Syntax
show dot1q-tunnel [interface interface [service svid] | service [svid]]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.
Console#show dot1q-tunnel service 100
802.1Q Tunnel Service Subscriptions
Port Match C-VID S-VID
-------- ----------- -----
Eth 1/ 5 1 100
Eth 1/ 6 1 100
Console#
Related Commands
switchport dot1q-tunnel mode (386)

Configuring L2CP Tunneling
This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
• L2PT encapsulates protocol packets entering ingress ports on the service provider’s edge switch, replacing the destination MAC address with a proprietary MAC address (for example, the spanning tree protocol uses 10-12-CF-00-00-02), a reserved address for other specified protocol types (as defined in IEEE 802.1ad – Provider Bridges), or a user-defined address.
• L2PT is enabled on this port, it is forwarded to the following ports in the same S-VLAN: (a) other access ports for which L2PT is enabled, and (b) uplink ports after rewriting the destination address to make it a GBPT protocol packet (i.e., setting the destination address to 01-00-0C-CD-CD-D0).
• L2PT is disabled on this port, it is forwarded to the following ports in the same S-VLAN: (a) other access ports for which L2PT is disabled, and (b) all uplink ports.
20 Configuring VLAN Translation
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#switchport l2protocol-tunnel spanning-tree
Console(config-if)#

show l2protocol-tunnel
This command shows settings for Layer 2 Protocol Tunneling (L2PT).
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
• If the next switch upstream does not support QinQ tunneling, then use this command to map the customer’s VLAN ID to the service provider’s VLAN ID for the upstream port. Similarly, if the next switch downstream does not support QinQ tunneling, then use this command to map the service provider’s VLAN ID to the customer’s VLAN ID for the downstream port.
20 Configuring Port-based Traffic Segmentation
show vlan-translation
This command displays the configuration settings for VLAN translation.
Syntax
show vlan-translation [interface interface]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.
traffic-segmentation
This command enables traffic segmentation. Use the no form to disable traffic segmentation.
Syntax
[no] traffic-segmentation
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s).
Example
This example enables traffic segmentation globally on the switch.
Console(config)#traffic-segmentation
Console(config)#

traffic-segmentation session
This command creates a traffic-segmentation client session. Use the no form to remove a client session.
Syntax
[no] pvlan session session-id
session-id – Traffic segmentation session.
Default Setting
Session 1 if not defined
No segmented port groups are defined.
Command Mode
Global Configuration
Command Usage
• A port cannot be configured in both an uplink and downlink list.
• A port can only be assigned to one traffic-segmentation session.
• When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
20 Configuring Protocol-based VLANs
show traffic-segmentation
This command displays the configured traffic segments.
protocol-vlan protocol-group (Configuring Groups)
This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
Syntax
protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
no protocol-vlan protocol-group group-id
group-id - Group identifier of this protocol group. (Range: 1-2147483647)
frame - Frame type used by this protocol.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
20 Configuring IP Subnet VLANs
show interfaces protocol-vlan protocol-group
This command shows the mapping from protocol groups to VLANs for the selected interfaces.
Syntax
show interfaces protocol-vlan protocol-group [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)
port-channel channel-id (Range: 1-12)
Default Setting
The mapping for all interfaces is displayed.
subnet-vlan (Global Configuration)
This command configures IP subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment.
Syntax
subnet-vlan subnet ip-address mask vlan vlan-id [priority priority]
no subnet-vlan subnet {ip-address mask | all}
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.
subnet-vlan (Interface Configuration)
This command binds an interface to an IP subnet VLAN. Use the no form to remove an interface from an IP subnet VLAN.
Syntax
[no] subnet-vlan subnet ip-address mask
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.
20 Configuring MAC Based VLANs
Example
The following example displays a summary of configured IP subnet-based VLANs.
Console#show interfaces subnet-vlan
Port IP Address Mask
-------- --------------- ---------------
Eth 1/1 192.168.12.0 255.255.255.128
Eth 1/2 192.168.12.128 255.255.255.192
Eth 1/3 192.168.12.192 255.255.255.224
Eth 1/4 192.168.12.224 255.255.255.240
Eth 1/5 192.168.12.240 255.255.255.248
Eth 1/6 192.168.12.248 255.255.255.252
Eth 1/7 192.168.12.252 255.255.255.254
Eth 1/8 192.168.12.
TABLE 94 MAC Based VLAN Commands
Command | Function | Mode
mac-vlan | Defines the IP Subnet VLANs | GC
show mac-vlan | Displays IP Subnet VLAN settings | PE

mac-vlan
This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
Syntax
mac-vlan mac-address mac-address vlan vlan-id [priority priority]
no mac-vlan mac-address {mac-address | all}
mac-address – The source MAC address to be matched.
Command Usage
Use this command to display MAC address-to-VLAN mappings.
Example
The following example displays all configured MAC address-based VLANs.
Console#show mac-vlan
MAC Address VLAN ID Priority
----------------- -------- --------
00-00-00-11-22-33 10 0
Console#

Configuring Voice VLANs
The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic.
Command Usage
• When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality. This is best achieved by assigning all VoIP traffic to a single VLAN.
• VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.
voice vlan mac-address
This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.
Syntax
voice vlan mac-address mac-address mask mask-address [description description]
no voice vlan mac-address mac-address mask mask-address
mac-address - Defines a MAC address OUI that identifies VoIP devices in the network. (For example, 01-23-45-00-00-00)
mask-address - Identifies a range of MAC addresses.
switchport voice vlan
This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
Syntax
switchport voice vlan {manual | auto}
no switchport voice vlan
manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
auto - The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
Command Mode
Interface Configuration
Command Usage
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
Example
The following example sets the CoS priority to 5 on port 1.
switchport voice vlan security
This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
Syntax
[no] switchport voice vlan security
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
• Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID.
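How an OUI Telephony list entry (voice vlan mac-address) selects addresses, and how switchport voice vlan security uses that result, can be modelled in a few lines. This is an added example, not code from this guide: it assumes that a 1 bit in the mask means the corresponding address bit must match, it models only source-MAC detection, and the mask FF-FF-FF-00-00-00, the voice VLAN ID 1234 and the test addresses are constructed sample values.

```python
FULL_MASK = (1 << 48) - 1


def mac_to_int(mac):
    """Parse a MAC written as in this guide (01-23-45-00-00-00); colons also work."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value):
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -8, -8))


def covered_range(mac, mask):
    """Return (first, last, count) of the addresses one list entry accepts.
    Only prefix masks describe a single contiguous range."""
    m = mac_to_int(mask)
    host_bits = ~m & FULL_MASK
    if host_bits & (host_bits + 1):
        raise ValueError("mask is not a contiguous prefix")
    low = mac_to_int(mac) & m
    return int_to_mac(low), int_to_mac(low | host_bits), host_bits + 1


def add_oui(entries, mac, mask, description=""):
    """Store an entry as (masked value, mask, description)."""
    m = mac_to_int(mask)
    entries.append((mac_to_int(mac) & m, m, description))


def is_voip(entries, src_mac):
    """True if the source MAC matches any entry under that entry's mask."""
    src = mac_to_int(src_mac)
    return any(src & mask == value for value, mask, _ in entries)


def ingress_decision(frame_vlan, src_mac, voice_vlan, entries, security):
    """Model of the security filter: with filtering enabled, a frame tagged with
    the voice VLAN ID is discarded unless its source MAC is on the OUI list.
    frame_vlan is None for an untagged frame."""
    if security and frame_vlan == voice_vlan and not is_voip(entries, src_mac):
        return "discard"
    return "forward"


# Constructed sample data: the OUI is the guide's own example value.
OUI_LIST = []
add_oui(OUI_LIST, "01-23-45-00-00-00", "FF-FF-FF-00-00-00", "sample phone vendor")
VOICE_VLAN = 1234

if __name__ == "__main__":
    print(covered_range("01-23-45-00-00-00", "FF-FF-FF-00-00-00"))
    for src in ("01-23-45-6A-7B-8C", "00-AA-BB-CC-DD-EE"):
        print(src, ingress_decision(VOICE_VLAN, src, VOICE_VLAN, OUI_LIST, True))
```

The match is on the source MAC alone, so the breadth of each mask determines how many addresses the port will accept as telephony devices.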
Voice VLAN Port Summary
Port Mode Security Rule Priority Remaining Age (minutes)
-------- -------- -------- --------- -------- -------------
Eth 1/ 1 Auto Enabled OUI 6 100
Eth 1/ 2 Disabled Disabled OUI 6 NA
Eth 1/ 3 Manual Enabled OUI 5 100
Eth 1/ 4 Auto Enabled OUI 6 100
Eth 1/ 5 Disabled Disabled OUI 6 NA
Eth 1/ 6 Disabled Disabled OUI 6 NA
Eth 1/ 7 Disabled Disabled OUI 6 NA
Eth 1/ 8 Disabled Disabled OUI 6 NA
Eth 1/ 9 Disabled Disabled OUI 6 NA
Eth 1/10 Disabled Disabled OU
Chapter 21 Class of Service Commands
In this chapter
The commands described in this chapter allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
21 Priority Commands (Layer 2)
queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
• A weight can be assigned to each of the weighted queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
• Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing.
Example
The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#
Related Commands
“queue mode” on page 416
“show queue weight” on page 419

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
21 Priority Commands (Layer 3 and 4)
Related Commands
“show interfaces switchport” on page 275

show queue mode
This command shows the current queue mode.
Command Mode
Privileged Exec
Example
Console#show queue mode
Queue Mode : Weighted Round Robin Mode
Console#

show queue weight
This command displays the weights used for the weighted queues.
TABLE 98 Priority Commands (Layer 3 and 4)
Command | Function | Mode
show qos map dscp-mutation | Shows ingress DSCP to internal DSCP map | PE
show qos map phb-queue | Shows internal per-hop behavior to hardware queue map | PE
show qos map trust-mode | Shows the QoS mapping mode | PE
The default settings used for mapping priority values to internal DSCP values and back to the hardware queues are designed to optimize priority services for the majority of network applicati
Command Usage
• The default mapping of CoS to PHB values shown in Table 99 is based on the recommended settings in IEEE 802.1p for mapping CoS values to output queues.
• Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight CoS/CFI paired values separated by spaces.
• If a packet arrives with a 802.
DEFAULT SETTING
TABLE 100 Default Mapping of DSCP Values to Internal PHB/Drop Values
ingress-dscp1    0     1     2     3     4     5     6     7     8     9
0                0,0   0,1   0,0   0,3   0,0   0,1   0,0   0,3   1,0   1,1
1                1,0   1,3   1,0   1,1   1,0   1,3   2,0   2,1   2,0   2,3
2                2,0   2,1   2,0   2,3   3,0   3,1   3,0   3,3   3,0   3,1
3                3,0   3,3   4,0   4,1   4,0   4,3   4,0   4,1   4,0   4,3
4                5,0   5,1   5,0   5,3   5,0   5,1   6,0   5,3   6,0   6,1
5                6,0   6,3   6,0   6,1   6,0   6,3   7,0   7,1   7.
qos map phb-queue
This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings.
Syntax
qos map phb-queue queue-id from phb0 ... phb7
no map phb-queue phb0 ... phb7
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
queue-id - The ID of the priority queue. (Range: 0-7, where 7 is the highest priority queue)
DEFAULT SETTING.
Command Usage
• If the QoS mapping mode is set to DSCP with this command, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.
• If the QoS mapping mode is set to DSCP, and a non-IP packet is received, the packet's CoS and CFI (Canonical Format Indicator) values are used for priority processing if the packet is tagged.
show qos map dscp-mutation
This command shows the ingress DSCP to internal DSCP map.
Syntax
show qos map dscp-mutation interface interface
interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number. (Range: 1-12)
    port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec
Command Usage
This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
show qos map phb-queue
This command shows internal per-hop behavior to hardware queue map.
Syntax
show qos map phb-queue interface interface
interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number.
Chapter 22 Quality of Service Commands

In this chapter
The commands described in this chapter are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, a CoS value, a DSCP or IP Precedence value, a source port, or a VLAN.
3.
Example
This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3:
Console(config)#class-map rd-class match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#

Related Commands
“show class-map” on page 441

description
This command specifies the description of a class map or policy map.
Syntax
description string
string - Description of the class map or policy map.
Default Setting
None
Command Mode
Class Map Configuration
Command Usage
• First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the fields within ingress packets that must match to qualify for this class map.
• If an ingress packet matches an ACL specified by this command, any deny rules included in the ACL will be ignored.
Example
Console(config)#class-map rd-class#1
Console(config-cmap)#rename rd-class#9
Console(config-cmap)#

policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map.
Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.
Command Mode
Policy Map Configuration
Command Usage
• Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set command and one of the police commands to specify the match criteria, where the:
    • set phb command sets the per-hop behavior value in matching packets. (This modifies packet priority for internal processing only.
transmit - Transmits without taking any action.
drop - Drops packet as required by violate-action.
new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
• You can configure up to 16 policers (i.e., class maps) for ingress ports.
• The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.
police srtcm-color
This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
Syntax
[no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
srtcm-color-blind - Single rate three color meter in color-blind mode.
• The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked green if it doesn't exceed the CIR and BC, yellow if it does exceed the CIR and BC, but not the BE, and red otherwise.
• The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored.
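The green/yellow/red marking described above can be traced packet by packet with a small model. This is an added example, not code from the guide or the switch firmware: it follows the srTCM algorithm of RFC 2697, assumes committed-rate is in Kbps (1000 bit/s) and both bursts are in bytes, and uses constructed packet arrivals; all class and function names are hypothetical.

```python
"""Model of a single rate three color meter (srTCM, RFC 2697).

Added illustration; names are hypothetical and the switch hardware may
meter with coarser granularity. Assumes committed-rate is in Kbps
(1000 bit/s) and both burst sizes are in bytes.
"""

GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTcm:
    def __init__(self, committed_rate_kbps, committed_burst, excess_burst,
                 color_aware=False):
        self.rate = committed_rate_kbps * 1000 / 8   # bytes per second
        self.cbs = committed_burst
        self.ebs = excess_burst
        self.color_aware = color_aware
        self.tc = float(committed_burst)   # committed bucket starts full
        self.te = float(excess_burst)      # excess bucket starts full
        self.last = 0.0

    def _refill(self, now):
        # Tokens arrive at the committed rate; they fill the committed
        # bucket first and only the overflow goes to the excess bucket.
        tokens = (now - self.last) * self.rate
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)

    def meter(self, now, size, pre_color=GREEN):
        """Return the color of a packet of `size` bytes arriving at `now`."""
        self._refill(now)
        if not self.color_aware:
            pre_color = GREEN      # color-blind: stream treated as uncolored
        if pre_color == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if pre_color in (GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED


def police(meter, packets, exceed_action, violate_action):
    """Apply conform-action transmit plus the exceed and violate actions.

    packets: iterable of (time_s, size_bytes, dscp, pre_color).
    An action is the string "drop" or an integer new-dscp (0-63).
    Returns (color, outcome) per packet, where outcome is "drop" or the
    DSCP value the packet is transmitted with.
    """
    results = []
    for now, size, dscp, pre_color in packets:
        color = meter.meter(now, size, pre_color)
        if color == GREEN:
            outcome = dscp
        else:
            action = exceed_action if color == YELLOW else violate_action
            outcome = "drop" if action == "drop" else int(action)
        results.append((color, outcome))
    return results


def demo_burst(color_aware=False):
    # Constructed input: seven 1500-byte packets back to back at t=0 (the
    # first one pre-colored yellow upstream), then one more after 1 ms.
    pkts = [(0.0, 1500, 3, YELLOW)] + [(0.0, 1500, 3, GREEN)] * 6
    pkts.append((0.001, 1500, 3, GREEN))
    # Parameters 100000 4000 6000, conform-action transmit,
    # exceed-action 0, violate-action drop.
    m = SrTcm(100000, 4000, 6000, color_aware=color_aware)
    return police(m, pkts, exceed_action=0, violate_action="drop")


if __name__ == "__main__":
    for mode in (False, True):
        print("color-aware" if mode else "color-blind", demo_burst(mode))
```

In color-aware mode the pre-colored packet cannot be promoted to green, so it consumes excess-burst tokens even though the committed bucket is full.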
Console(config-pmap-c)#police srtcm-color-blind 100000 4000 6000 conform-action transmit exceed-action 0 violate-action drop
Console(config-pmap-c)#

police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
Command Usage
• You can configure up to 16 policers (i.e., class maps) for ingress ports.
• The committed-rate and peak-rate cannot exceed the configured interface speed, and the committed-burst and peak-burst cannot exceed 16 Mbytes.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark any packets exceeding the committed burst si
set ip dscp
This command modifies the IP DSCP value in a matching packet (as specified by the match command). Use the no form to remove this traffic classification.
Syntax
[no] set ip dscp new-dscp
new-dscp - New Differentiated Service Code Point (DSCP) value. (Range: 0-63)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
The set ip dscp command is used to set the priority values in the packet’s ToS field for matching packets.
Command Usage
• The set phb command is used to set an internal QoS value in hardware for matching packets (see Table 100, "Default Mapping of DSCP Values to Internal PHB/Drop Values"). The QoS label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion by the police srtcm-color command and police trtcm-color command.
• The set cos and set phb commands function at the same level of priority.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)
Default Setting
Displays all class maps.
Example
Console#show policy-map
Policy Map rd-policy
Description:
class rd-class
set phb 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
class rd-class
set phb 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface
    unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number.
Chapter 23 Multicast Filtering Commands

In this chapter
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
23 IGMP Snooping

TABLE 104 IGMP Snooping Commands (Continued)
Command                                          Function                                                                                                              Mode
ip igmp snooping tcn-query-solicit               Sends an IGMP Query Solicitation when a Spanning Tree topology change occurs                                          GC
ip igmp snooping unregistered-data-flood         Floods unregistered multicast traffic into the attached VLAN                                                          GC
ip igmp snooping unsolicited-report-interval     Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled) GC
ip igmp snooping vers
ip igmp snooping
This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it.
Syntax
[no] ip igmp snooping [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
• When IGMP snooping is enabled globally, the per VLAN interface settings for IGMP snooping take precedence.
Example
Console(config)#ip igmp snooping priority 6
Console(config)#

Related Commands
“show ip igmp snooping” on page 458

ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4093)
enable - Enable on the specified VLAN.
Command Mode
Global Configuration
Command Usage
• IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
• If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping router-alert-option-check
This command discards any IGMPv2/v3 packets that do not include the Router Alert option.
ip igmp snooping router-port-expire-time
This command configures the querier time out. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
• By default, the switch immediately enters into “multicast flooding mode” when a spanning tree topology change occurs. In this mode, multicast traffic will be flooded to all VLAN ports. If many ports have subscribed to different multicast groups, flooding may cause excessive loading on the link between the switch and the end host. Flooding may be disabled to avoid this, causing multicast traffic to be delivered only to those ports on which multicast group members have been learned.
ip igmp snooping unregistered-data-flood
This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic.
Syntax
[no] ip igmp snooping unregistered-data-flood
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned.
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
Command Mode
Global Configuration
Command Usage
• If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
• When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the time out period.
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#

ip igmp snooping vlan last-memb-query-intvl
This command configures the last-member-query interval. Use the no form to restore the default.
Command Mode
Global Configuration
Command Usage
• Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link.
Many hosts do not implement RFC 4541, and therefore do not understand query messages with the source address of 0.0.0.0. These hosts will therefore not reply to the queries, causing the multicast router to stop sending traffic to them. To resolve this problem, the source address in proxied IGMP query and report messages can be replaced with any valid unicast address (other than the router's own address) using this command.
Example
Console(config)#ip igmp snooping vlan 1 query-interval 150
Console(config)#

ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl
vlan-id - VLAN ID (Range: 1-4093)
interval - The maximum time the system waits for a response to general queries.
interface
    ethernet unit/port
        unit - Unit identifier. (Range: 1)
        port - Port number. (Range: 1-12)
    port-channel channel-id (Range: 1-12)
Default Setting
None
Command Mode
Global Configuration
Command Usage
• Static multicast entries are never aged out.
• When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
Example
The following shows how to statically configure a multicast group on a port.
Version Exclusive : Disabled
Version : 2
Proxy Reporting : Disabled
Querier : Disabled

VLAN 1:
-------
IGMP Snooping : Enabled
IGMP Snooping Running Status : Inactive
Version : Using global Version (2)
Version Exclusive : Using global status (Disabled)
Immediate Leave : Disabled
Last Member Query Interval : 10 (unit: 1/10s)
Last Member Query Count : 2
General Query Suppression : Disable
Query Interval
Query Response Interval
Proxy Query Address
Proxy Reporting
Multicast Router Discovery
Command Mode
Privileged Exec
Command Usage
Member types displayed include IGMP or USER, depending on selected options.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
Console#show ip igmp snooping group vlan 1
Flag: R - Router port, M - Group member port
      H - Host counts (number of hosts join the group on this port).
      P - Port counts (number of ports join the group).
Up time: Group elapsed time (d:h:m:s).
Expire : Group remaining time (m:s).
Console#show ip igmp snooping mrouter static
VLAN M'cast Router Ports Type
---- ------------------- -------
   1 Eth 1/1             Static
Console#

The following shows the ports in VLAN 1 which are attached to multicast routers.
Console#show ip igmp snooping mrouter vlan 1
VLAN M'cast Router Port Type
---- ------------------ -------
   1 Eth 1/10           Static
Console#

show ip igmp snooping statistics
This command shows IGMP snooping protocol statistics for the specified interface.
TABLE 105 show ip igmp snooping statistics input - display description (Continued)
Field            Description
G(-S)-S Query    The number of group specific or group-and-source specific query messages received on this interface.
Drop             The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.
Join Succ        The number of times a multicast group was successfully joined.
TABLE 107 show ip igmp snooping statistics vlan query - display description (Continued)
Field                     Description
Number of Reports Sent    The number of reports sent from this interface.
Number of Leaves Sent     The number of leaves sent from this interface.

Static Multicast Routing
This section describes commands used to configure static multicast routing on the switch.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10
Console(config)#

IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
• IGMP filtering and throttling only applies to dynamically learned multicast groups; it does not apply to statically configured groups.
• The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic.
Example
Console(config)#ip igmp filter
Console(config)#

ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.
• When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#

range
This command specifies multicast group addresses for a profile.
Command Usage
• The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface.
• Only one profile can be assigned to an interface.
• A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
deny - The new multicast group join report is dropped.
replace - The new multicast group replaces an existing group.
Default Setting
Deny
Command Mode
Interface Configuration (Ethernet)
Command Usage
When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
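How a profile's permit/deny access mode and a port's group limit combine to decide the fate of a join report can be checked with a short model. This is an added example, not code from the guide or the switch: the names are hypothetical, the 239.10.0.0 to 239.10.0.255 range and all join addresses are constructed, and it assumes the filter is checked before the throttle, that "replace" evicts the oldest learned group, and that static groups do not count toward the limit.

```python
"""Model of IGMP filtering (profile permit/deny) and throttling on a port.

Added illustration with hypothetical names. Assumptions not stated on the
page: the filter is checked before the throttle, "replace" evicts the
oldest dynamic group, and static groups do not count toward the limit.
"""
import ipaddress


class IgmpProfile:
    """Access mode plus the controlled multicast group ranges."""

    def __init__(self, mode, ranges):
        if mode not in ("permit", "deny"):
            raise ValueError("access mode must be 'permit' or 'deny'")
        self.mode = mode
        self.ranges = []
        for low, high in ranges:
            lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
            if not (lo.is_multicast and hi.is_multicast) or lo > hi:
                raise ValueError(f"invalid multicast range: {low} {high}")
            self.ranges.append((lo, hi))

    def allows(self, group):
        g = ipaddress.IPv4Address(group)
        in_range = any(lo <= g <= hi for lo, hi in self.ranges)
        # permit: only groups inside the range are processed;
        # deny: only groups outside the range are processed.
        return in_range if self.mode == "permit" else not in_range


class Port:
    def __init__(self, profile=None, max_groups=None, action="deny"):
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.dynamic = []     # dynamically learned groups, oldest first
        self.static = set()   # statically configured groups

    def join(self, group):
        """Process one IGMP join report and return what happened to it."""
        # Filtering and throttling apply only to dynamically learned groups.
        if group in self.static or group in self.dynamic:
            return "member"
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if self.max_groups is not None and len(self.dynamic) >= self.max_groups:
            if self.action == "deny" or not self.dynamic:
                return "throttled"
            evicted = self.dynamic.pop(0)
            self.dynamic.append(group)
            return "replaced " + evicted
        self.dynamic.append(group)
        return "joined"


def demo():
    # Deny-mode profile: 239.1.1.1 as in the guide's profile 19 display,
    # plus one constructed range.
    profile = IgmpProfile("deny", [("239.1.1.1", "239.1.1.1"),
                                   ("239.10.0.0", "239.10.0.255")])
    deny_port = Port(profile, max_groups=2, action="deny")
    replace_port = Port(profile, max_groups=2, action="replace")
    replace_port.static.add("239.1.1.1")   # static entry bypasses the filter
    joins = ["239.1.1.1", "239.10.0.7", "239.5.5.5", "239.5.5.6", "239.5.5.7"]
    return ([deny_port.join(g) for g in joins],
            [replace_port.join(g) for g in joins],
            list(replace_port.dynamic))


if __name__ == "__main__":
    for row in demo():
        print(row)
```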
show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
Syntax
show ip igmp profile [profile-number]
profile-number - An existing IGMP filter profile number. (Range: 1-4294967295)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
Console#show ip igmp profile 19
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.
Example
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
Status : TRUE
Action : Deny
Max Multicast Groups : 32
Current Multicast Groups : 0
Console#

MVR for IPv4
This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
TABLE 110 Multicast VLAN Registration for IPv4 Commands (Continued)
Command                Function                                                                                                                                               Mode
show mvr members       Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address         PE
show mvr profile       Shows all configured MVR profiles                                                                                                                      PE
show mvr statistics    Shows MVR protocol statistics for the specified interface                                                                                              PE

mvr
This command enables Multicast VLAN Registration (MVR) globally on the switch.
Example
The following binds an MVR group address profile to domain 1:
Console(config)#mvr domain 1 associated-profile rd
Console(config)#

Related Commands
“mvr profile” on page 473

mvr domain
This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.
Syntax
[no] mvr domain domain-id
domain-id - An independent multicast domain.
Command Mode
Global Configuration
Command Usage
This command can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
Example
Console(config)#mvr priority 6
Console(config)#

Related Commands
“show mvr” on page 479

mvr profile
This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.
mvr proxy-switching
This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
Syntax
[no] mvr proxy-switching
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
• When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface.
mvr robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.
Syntax
mvr robustness-value value
no mvr robustness-value
value - The robustness used for all interfaces.
Example
Console(config)#mvr domain 1 upstream-source-ip 192.168.0.3
Console(config)#

mvr vlan
This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN.
Syntax
mvr domain domain-id vlan vlan-id
no mvr domain domain-id vlan
domain-id - An independent multicast domain. (Range: 1-5)
vlan-id - Specifies the VLAN through which MVR multicast data is received.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message.
• One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for multicast groups which it has joined through the MVR protocol or which have been assigned through the mvr vlan group command.
• Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Example
The following statically assigns a multicast group to a receiver port:
Console(config)#interface ethernet 1/7
Console(config-if)#mvr domain 1 type receiver
Console(config-if)#mvr domain 1 vlan 3 group 225.0.0.5
Console(config-if)#

show mvr
This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.
TABLE 111 show mvr - display description (Continued)
Field                         Description
MVR Multicast VLAN            Shows the VLAN used to transport all MVR multicast traffic.
MVR Current Learned Groups    The current number of MVR group addresses
MVR Upstream Source IP        The source IP address assigned to all upstream control packets.

show mvr associated-profile
This command shows the profiles bound to the specified domain.
23 MVR for IPv4 Example The following displays information about the interfaces attached to the MVR VLAN in domain 1: Console#show mvr domain 1 interface MVR Domain : 1 Port Type Status -------- -------- ------------------Eth 1/ 1 Source Active/Forwarding Eth 1/ 2 Receiver Inactive/Discarding Eth1/ 3 Source Inactive/Discarding Eth1/ 1 Receiver Active/Forwarding Eth1/ 4 Console# TABLE 112 Receiver Active/Discarding Immediate --------- Static Group Address ------------------------- Disabled 234.5.6.
Default Setting
Displays configuration settings for all domains and all forwarding entries.
Command Mode
Privileged Exec
Example
The following shows information about the number of multicast forwarding entries currently active in domain 1:
Console#show mvr domain 1 members
MVR Domain : 1
MVR Forwarding Entry Count :1
Console#

The following example shows detailed information about a specific multicast address:
Console#show mvr domain 1 members 234.5.6.
Example
The following shows all configured MVR profiles:
Console#show mvr profile
MVR Profile Name     Start IP Addr.  End IP Addr.
-------------------- --------------- ---------------
rd                   228.1.23.1      228.1.23.10
testing              228.2.23.1      228.2.23.10
Console#

show mvr statistics
This command shows MVR protocol-related statistics for the specified interface.
TABLE 114 show mvr statistics input - display description
Field            Description
Interface        Shows interfaces attached to the MVR.
Report           The number of IGMP membership reports received on this interface.
Leave            The number of leave messages received on this interface.
G Query          The number of general query messages received on this interface.
G(-S)-S Query    The number of group specific or group-and-source specific query messages received on this interface.
23 MVR for IPv6

TABLE 116 show mvr statistics query - display description
Field                      Description
Querier IP Address         The IP address of the querier on this interface.
Querier Expire Time        The time after which this querier is assumed to have expired.
General Query Received     The number of general queries received on this interface.
General Query Sent         The number of general queries sent from this interface.
Specific Query Received    The number of specific queries received on this interface.
TABLE 117 Multicast VLAN Registration for IPv6 Commands (Continued)
Command                         Function                                                                                                                                          Mode
show mvr6 associated-profile    Shows the profiles bound to the specified domain                                                                                                  PE
show mvr6 interface             Shows MVR settings for interfaces attached to the MVR VLAN                                                                                        PE
show mvr6 members               Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address    PE
show mvr6 profile               Shows all configured MVR profiles                                                                                                                 PE
show mvr6
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
When MVR6 is enabled on a domain, any multicast data associated with an MVR6 group is sent from all designated source ports, to all receiver ports that have registered to receive data from that multicast group.
Example
The following example enables MVR for domain 1:
Console(config)#mvr6 domain 1
Console(config)#

mvr6 profile
This command maps a range of MVR group addresses to a profile.
Example
The following example maps a range of MVR group addresses to a profile:
Console(config)#mvr6 profile rd ff00::1 ff00::9
Console(config)#

mvr6 proxy-switching
This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
mvr6 robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.
Syntax
mvr6 robustness-value value
no mvr6 robustness-value
value - The robustness used for all interfaces.
Command Usage
All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message.
• One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for multicast groups which it has joined through the MVR6 protocol or which have been assigned through the mvr6 vlan group command. All source ports must belong to the MVR6 VLAN. Subscribers should not be directly connected to source ports.
• The same port cannot be configured as a source port in one MVR domain and as a receiver port in another domain.
Example
The following statically assigns a multicast group to a receiver port:
Console(config)#interface ethernet 1/2
Console(config-if)#mvr6 domain 1 type receiver
Console(config-if)#mvr6 domain 1 vlan 2 group ff00::1
Console(config-if)#

show mvr6
This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.
show mvr6 associated-profile
This command shows the profiles bound to the specified domain.
Syntax
show mvr6 [domain domain-id] associated-profile
domain-id - An independent multicast domain. (Range: 1-5)
Default Setting
Displays profiles bound to all MVR domains.
Command Mode
Privileged Exec
Example
The following displays the profiles bound to domain 1:
Console#show mvr6 domain 1 associated-profile
Domain ID : 1
MVR Profile Name Start IPv6 Addr. End IPv6 Addr.
TABLE 119 show mvr6 interface - display description
Field     Description
Port      Shows interfaces attached to the MVR.
Type      Shows the MVR port type.
Status    Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
Console#

TABLE 120 show mvr6 members - display description

Field            Description
Group Address    Multicast group address.
VLAN             VLAN to which this address is forwarded.
Port             Port to which this address is forwarded.
Up time          Time that this multicast group has been known.
Expire           The time until this entry expires.
Count            The number of times this address has been learned by MVR (MLD snooping).

show mvr6 profile
This command shows all configured MVR profiles.
Default Setting
Displays statistics for all domains.
TABLE 122 show mvr6 statistics output - display description (Continued)

Field            Description
G Query          The number of general query messages sent from this interface.
G(-S)-S Query    The number of group specific or group-and-source specific query messages sent from this interface.
Chapter 24 LLDP Commands

In this chapter
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
TABLE 123 LLDP Commands (Continued)

Command    Function    Mode
lldp dot3-tlv mac-phy    Configures an LLDP-enabled port to advertise its MAC and physical layer specifications    IC
lldp dot3-tlv max-frame    Configures an LLDP-enabled port to advertise its maximum frame size    IC
lldp notification    Enables the transmission of SNMP trap notifications about LLDP changes    IC
show lldp config    Shows LLDP configuration settings for all ports    PE
show lldp info local-device    Shows LLDP global and i
Command Mode
Global Configuration

Command Usage
The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.

Example
Console(config)#lldp holdtime-multiplier 10
Console(config)#

lldp notification-interval
This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes. Use the no form to restore the default setting.
lldp refresh-interval
This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.

Syntax
lldp refresh-interval seconds
no lldp refresh-delay

seconds - Specifies the periodic interval at which LLDP advertisements are sent.
lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.

Syntax
lldp tx-delay seconds
no lldp tx-delay

seconds - Specifies the transmit delay.
Console(config-if)#

lldp basic-tlv management-ip-address
This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.

Syntax
[no] lldp basic-tlv management-ip-address

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• The management address protocol packet includes the IPv4 address of the switch.
Command Usage
The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv port-description
Console(config-if)#

lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-description
Console(config-if)#

lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature.

Syntax
[no] lldp dot1-tlv proto-vid

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 400).
lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.

Syntax
[no] lldp dot1-tlv vlan-name

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 379 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 401.
lldp dot3-tlv mac-phy
This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature.

Syntax
[no] lldp dot3-tlv mac-phy

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
lldp notification
This command enables the transmission of SNMP trap notifications about LLDP changes. Use the no form to disable LLDP notifications.

Syntax
[no] lldp notification

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command.
Example
Console#show lldp config
LLDP Global Configuation
LLDP Enabled                 : Yes
LLDP Transmit Interval       : 30 sec.
LLDP Hold Time Multiplier    : 4
LLDP Delay Interval          : 2 sec.
LLDP Re-initialization Delay : 2 sec.
LLDP Notification Interval   : 5 sec.

LLDP Port Configuration
Port     Admin Status Notification Enabled
-------- ------------ --------------------
Eth 1/1  Tx-Rx        True
Eth 1/2  Tx-Rx        True
Eth 1/3  Tx-Rx        True
Eth 1/4  Tx-Rx        True
Eth 1/5  Tx-Rx        True
. . .
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.

Syntax
show lldp info local-device [detail interface]

detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.

Syntax
show lldp info remote-device [detail interface]

detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Remote Power via MDI :
Remote power class : PSE
Remote power MDI supported : Yes
Remote power MDI enabled : Yes
Remote power pair controllable : No
Remote power pairs : Spare
Remote power classification : Class1
Remote Link Aggregation :
Remote link aggregation capable : Yes
Remote link aggregation enable : No
Remote link aggregation port ID : 0
Remote Max Frame Size : 1518
Console#

show lldp info statistics
This command shows statistics based on traffic received through all attached LLD
Console#show lldp info statistics detail ethernet 1/1
LLDP Port Statistics Detail
PortName          : Eth 1/1
Frames Discarded  : 0
Frames Invalid    : 0
Frames Received   : 12
Frames Sent       : 13
TLVs Unrecognized : 0
TLVs Discarded    : 0
Neighbor Ageouts  : 0
Console#
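The lldp basic-tlv, dot1-tlv and dot3-tlv options in this chapter decide what a port advertises to every Layer 2 neighbor, and most of them default to Enabled. The Python below is an added example, not part of the Brocade guide: it decodes an LLDPDU and lists the optional TLVs present, which is one way to check what a port discloses after these settings are changed. The frame bytes, system name, and addresses are constructed sample values, and the type codes are those of IEEE 802.1AB.

```python
import ipaddress
import struct

# Basic TLV type codes (IEEE 802.1AB); the first three are mandatory.
BASIC = {1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
         4: "Port Description", 5: "System Name", 6: "System Description",
         7: "System Capabilities", 8: "Management Address"}
MANDATORY = {"Chassis ID", "Port ID", "Time To Live"}
# Organizationally specific TLVs (type 127), keyed by (OUI, subtype).
DOT1, DOT3 = b"\x00\x80\xc2", b"\x00\x12\x0f"
ORG = {(DOT1, 1): "802.1 Port VLAN ID",
       (DOT1, 2): "802.1 Port and Protocol VLAN ID",
       (DOT1, 3): "802.1 VLAN Name",
       (DOT3, 1): "802.3 MAC/PHY",
       (DOT3, 3): "802.3 Link Aggregation",
       (DOT3, 4): "802.3 Max Frame Size"}


def tlv(tlv_type, value):
    """Encode one TLV: a 7-bit type and 9-bit length share a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def decode(tlv_type, value):
    """Return (name, decoded value) for one TLV body."""
    name = BASIC.get(tlv_type, "Reserved %d" % tlv_type)
    if tlv_type in (1, 2):                       # subtype byte + identifier
        if (tlv_type, value[0]) in ((1, 4), (2, 3)):   # MAC address subtypes
            return name, "-".join("%02X" % b for b in value[1:])
        return name, value[1:].decode("utf-8", "replace")
    if tlv_type == 3:
        return name, struct.unpack("!H", value)[0]
    if tlv_type in (4, 5, 6):
        return name, value.decode("utf-8", "replace")
    if tlv_type == 8:                            # length, family, address, ...
        family, addr = value[1], value[2:1 + value[0]]
        if family in (1, 2):                     # 1 = IPv4, 2 = IPv6
            return name, str(ipaddress.ip_address(addr))
        return name, addr.hex()
    if tlv_type == 127:                          # OUI + subtype + body
        oui, subtype, body = value[:3], value[3], value[4:]
        name = ORG.get((oui, subtype), "Org %s/%d" % (oui.hex(), subtype))
        if (oui, subtype) == (DOT3, 4):
            return name, struct.unpack("!H", body)[0]
        if (oui, subtype) == (DOT1, 3):          # VID, name length, name
            vid = struct.unpack("!H", body[:2])[0]
            return name, (vid, body[3:3 + body[2]].decode("utf-8", "replace"))
        return name, body.hex()
    return name, value.hex()


def parse_lldpdu(data):
    """Decode the TLVs of an LLDPDU (the bytes after EtherType 0x88CC)."""
    found, pos = [], 0
    try:
        while True:
            (header,) = struct.unpack_from("!H", data, pos)
            tlv_type, length = header >> 9, header & 0x1FF
            value = data[pos + 2:pos + 2 + length]
            if len(value) != length:
                raise ValueError("TLV length runs past the end of the frame")
            if tlv_type == 0:                    # End of LLDPDU
                return found
            found.append(decode(tlv_type, value))
            pos += 2 + length
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed LLDPDU: %s" % exc) from exc


def optional_tlvs(found):
    """Names of the TLVs a port advertises beyond the three mandatory ones."""
    return [name for name, _ in found if name not in MANDATORY]


def sample_lldpdu():
    """Constructed sample frame; every value here is made up for the example."""
    mgmt = b"\x05\x01" + ipaddress.IPv4Address("192.0.2.10").packed \
        + b"\x02" + struct.pack("!I", 1) + b"\x00"
    return b"".join([
        tlv(1, b"\x04" + bytes.fromhex("020000000001")),   # chassis MAC
        tlv(2, b"\x05" + b"Eth 1/1"),                      # interface name
        tlv(3, struct.pack("!H", 120)),                    # 30 s interval x 4
        tlv(5, b"access-sw-01"),
        tlv(8, mgmt),
        tlv(127, DOT1 + b"\x03" + struct.pack("!HB", 1, 11) + b"DefaultVlan"),
        tlv(127, DOT3 + b"\x04" + struct.pack("!H", 1518)),
        tlv(0, b""),
    ])


if __name__ == "__main__":
    for name, value in parse_lldpdu(sample_lldpdu()):
        print("%-24s %s" % (name, value))
    print("Optional TLVs advertised:", optional_tlvs(parse_lldpdu(sample_lldpdu())))
```

Feeding it the LLDPDU from a capture taken on an access port shows which of the optional TLVs are still being sent after the corresponding no form has been applied.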
Chapter 25 CFM Commands

In this chapter
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between Provider Edge devices or between Customer Edge devices.
TABLE 124 CFM Commands (Continued)

Command    Function    Mode
ethernet cfm mep    Sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages    IC
ethernet cfm port-enable    Enables CFM processing on an interface    IC
clear ethernet cfm ais mpid    Clears AIS defect information for the specified MEP    PE
show ethernet cfm configuration    Displays CFM configuration settings, including global set
TABLE 124 CFM Commands (Continued)

Command    Function    Mode
ethernet cfm linktrace cache    Enables caching of CFM data learned through link trace messages    GC
ethernet cfm linktrace cache hold-time    Sets the hold time for CFM link trace cache entries    GC
ethernet cfm linktrace cache size    Sets the maximum size for the link trace cache    GC
ethernet cfm linktrace    Sends CFM link trace messages to the MAC address for a MEP    PE
clear ethernet cfm linktrace-cache    Clears link trace message
TABLE 124 CFM Commands (Continued)

Command    Function    Mode
ethernet cfm loss-measure dual-ended destination    Sets the destination MEP for periodically transmitted continuity check messages, including request dual-ended frame loss measurements    GC
ethernet cfm loss-measure enable    Enables periodic transmission of loss-measure messages    GC
ethernet cfm loss-measure single-ended binding    Binds periodic loss-measure settings to a specified local MEP    GC
ethernet cfm loss-measure single-e
Defining CFM Structures

ethernet cfm ais level
This command configures the maintenance level at which Alarm Indication Signal (AIS) information will be sent within the specified MA. Use the no form to restore the default setting.

Syntax
ethernet cfm ais level level-id md domain-name ma ma-name
no ethernet cfm ais level md domain-name ma ma-name

level-id – Maintenance level at which AIS information will be sent. (Range: 0-7)
domain-name – Domain name.
Command Usage
• Each MA name must be unique within the CFM domain.
• Frames with AIS information can be issued at the client’s maintenance level by a MEP upon detecting defect conditions. For example, defect conditions may include:
  • Signal failure conditions if continuity checks are enabled.
  • AIS condition or LCK condition if continuity checks are disabled.
• A MEP continues to transmit periodic frames with AIS information until the defect condition is removed.
ethernet cfm ais suppress alarm
This command suppresses sending frames containing AIS information following the detection of defect conditions. Use the no form to restore the default setting.

Syntax
[no] ethernet cfm ais suppress alarm md domain-name ma ma-name

domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
ethernet cfm domain
This command defines a CFM maintenance domain, sets the authorized maintenance level, and enters CFM configuration mode. Use the no form to delete a CFM maintenance domain.

Syntax
ethernet cfm domain index index name domain-name level level-id [mip-creation type]
no ethernet cfm domain index index

index – Domain index. (Range: 1-65535)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
level-id – Authorized maintenance level for this domain.
for all interconnection points within an MA, regardless of the domain’s level in the maintenance hierarchy (e.g., customer, provider, or operator). The explicit option, by contrast, generates MIPs within an MA only if its associated domain is not at the bottom of the maintenance hierarchy. This option is used to hide the structure of the network at the lowest domain level. The diagnostic functions provided by CFM can be used to detect connectivity failures between any pair of MEPs in an MA.
Example
This example enables CFM globally on the switch.
Console(config)#ethernet cfm enable
Console(config)#

ma index name
This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA.
• Before removing an MA, first remove all the MEPs configured for it (see the mep crosscheck mpid command).
• If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
ethernet cfm mep
This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP.

Syntax
ethernet cfm mep mpid mpid md domain-name ma ma-name [up]
no ethernet cfm mep mpid mpid ma ma-name

mpid – Maintenance end point identifier. (Range: 1-8191)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
ethernet cfm port-enable
This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface.

Syntax
[no] ethernet cfm port-enable

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
• An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
Command Usage
This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved.

Example
This example clears AIS defect entries on port 1.
Console#clear ethernet cfm ais mpid 1 md voip ma rd
Console(config)#

show ethernet cfm configuration
This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
CC Configure Trap            : Disabled
CC Loop Trap                 : Disabled
Cross Check MEP Unknown Trap : Disabled
Cross Check MEP Missing Trap : Disabled
Cross Check MA Up            : Disabled
Console#

TABLE 125 show ethernet cfm configuration traps - display description

Field             Description
CC MEP Up Trap    Sends a trap if a remote MEP is discovered and added to the local database, the port state of a previously discovered remote MEP changes, or a CCM is received from a remote MEP which has an expired entry in the ar
Example
This example shows all configured maintenance domains.
Console#show ethernet cfm md
MD Index MD Name              Level MIP Creation Archive Hold Time (m.)
-------- -------------------- ----- ------------ ----------------------
       1 rd                       0 default                         100
Console#

show ethernet cfm ma
This command displays the configured maintenance associations.

Syntax
show ethernet cfm ma [level level]

level – Maintenance level.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)
port-channel channel-id (Range: 1-12)
level-id – Maintenance level for this domain. (Range: 0-7)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Use the mep keyword with this command to display the MEPs configured on this device as DSAPs through the ethernet cfm mep command.
Command Mode
Privileged Exec

Example
This example shows detailed information about the local MEP on port 1.
TABLE 126 show ethernet cfm maintenance-points local detail mep - display (Continued)

Field           Description
Received RDI    Receive status of remote defect indication (RDI) messages on the MEP.
AIS Status      Shows if MEPs within the specified MA are enabled to send frames with AIS information following detection of defect conditions.
AIS Period      The interval at which AIS information is sent.
Command Mode
Privileged Exec

Command Usage
Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.

Example
This example shows detailed information about the remote MEP designated by MPID 2.
TABLE 127 show ethernet cfm maintenance-points remote detail - display (Continued)

Field              Description
Interface State    Interface states include:
                   No Status – Either no CCM has been received, or no interface status TLV was received in the last CCM.
                   Up – The interface is ready to pass packets.
                   Down – The interface cannot pass packets.
                   Testing – The interface is in some test mode.
                   Unknown – The interface status cannot be determined for some reason.
Example
This example sets the transmission delay for continuity check messages to level 7 (60 seconds).
Console(config)#ethernet cfm cc md voip ma rd interval 7
Console(config)#

Related Commands
“ethernet cfm cc enable” on page 538

ethernet cfm cc enable
This command enables the transmission of continuity check messages (CCMs) within a specified maintenance association. Use the no form to disable the transmission of these messages.
snmp-server enable traps ethernet cfm cc
This command enables SNMP traps for CFM continuity check events. Use the no form to disable these traps.

Syntax
[no] snmp-server enable traps ethernet cfm cc [config | loop | mep-down | mep-up]

config – Sends a trap if this device receives a CCM with the same MPID as its own but with a different source MAC address, indicating that a CFM configuration error exists.
Command Mode
CFM Domain Configuration

Command Usage
A change to the hold time only applies to entries stored in the database after this command is entered.

Example
This example sets the aging time for missing MEPs in the CCM database to 30 minutes.
Command Mode
Privileged Exec

Command Usage
Use this command without any keywords to clear all entries in the error database. Use the domain keyword to clear the error database for a specific domain, or the level keyword to clear it for a specific maintenance level.

Example
Console#clear ethernet cfm errors domain voip
Console#

show ethernet cfm errors
This command displays the CFM continuity check errors logged on this device.
TABLE 128 show ethernet cfm errors - display description

Field     Description
Reason    Error types include:
          LEAK – MA x is associated with a specific VID list*, one or more of the VIDs in this MA can pass through the bridge port, no MEP is configured facing outward (down) on any bridge port for this MA, and some other MA y, at a higher maintenance level, and associated with at least one of the VID(s) also in MA x, does have a MEP configured on the bridge port.
snmp-server enable traps ethernet cfm crosscheck
This command enables SNMP traps for CFM continuity check events, in relation to the cross-check operations between statically configured MEPs and those learned via continuity check messages (CCMs). Use the no form to disable these traps.

Syntax
[no] snmp-server enable traps ethernet cfm crosscheck [ma-up | mep-missing | mep-unknown]

ma-up – Sends a trap when all remote MEPs in an MA come up.
Default Setting
No remote MEPs are configured.

Command Mode
CFM Domain Configuration

Command Usage
• Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
• The cross-check process is disabled by default, and must be manually started using this command with the enable keyword.

Example
This example enables cross-checking within the specified maintenance association.
Console#ethernet cfm mep crosscheck enable md voip ma rd
Console#

show ethernet cfm maintenance-points remote crosscheck
This command displays information about remote MEPs statically configured in a cross-check list.
Command Usage
• A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
• Use this command to enable the link trace cache to store the results of link trace operations initiated on this device. Use the ethernet cfm linktrace command to transmit a link trace message.
ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.

Syntax
ethernet cfm linktrace cache size entries

entries – The number of link trace responses stored in the link trace cache. (Range: 1-4095 entries)

Default Setting
100 entries

Command Mode
Global Configuration

Command Usage
• Before setting the cache size, the cache must first be enabled with the ethernet cfm linktrace cache command.
number – The time to live of the linktrace message. (Range: 1-255 hops)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Link trace messages can be targeted to MEPs, not MIPs. Before sending a link trace message, be sure you have configured the target MEP for the specified MA.
• If the MAC address of target MEP has not been learned by any local MEP, then the linktrace may fail.
Example
Console#show ethernet cfm linktrace-cache
Hops MA             IP / Alias              Ingress MAC       Ing. Action Relay
                    Forwarded               Egress MAC        Egr. Action
---- -------------- ----------------------- ----------------- ----------- -----
   2 rd             192.168.0.6             00-12-CF-12-12-2D ingOk       Hit
                    Not Forwarded
Console#

TABLE 129 show ethernet cfm linktrace-cache - display description

Field    Description
Hops     The number of hops taken to reach the target MEP.
MA       Name of the MA to which this device belongs.
Loopback Operations

ethernet cfm loopback
This command sends CFM loopback messages to a MAC address for a MEP or MIP.

Syntax
ethernet cfm loopback {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [count transmit-count] [size packet-size]

destination-mpid – The identifier of a MEP that is the target of the loopback message.
Example
This example sends a loopback message to the specified remote MEP.
Console#ethernet cfm loopback dest-mep 1 md voip ma rd
Console#

Fault Generator Operations

mep fault-notify alarm-time
This command sets the time a defect must exist before a fault alarm is issued. Use the no form to restore the default setting.

Syntax
mep fault-notify alarm-time alarm-time
no fault-notify alarm-time

alarm-time – The time that one or more defects must be present before a fault alarm is generated.
Command Mode
CFM Domain Configuration

Command Usage
• A fault alarm can generate an SNMP notification. It is issued when the MEP fault notification generator state machine detects that a configured time period (see the mep fault-notify alarm-time command) has passed with one or more defects indicated, and fault alarms are enabled at or above the priority level set by this command.
mep fault-notify reset-time
This command configures the time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued. Use the no form to restore the default setting.

Syntax
mep fault-notify reset-time reset-time
no fault-notify reset-time

reset-time – The time that must pass without any further defects indicated before another fault alarm can be generated.
TABLE 132 show fault-notify-generator - display description

Field            Description
MD Name          The maintenance domain for this entry.
MA Name          The maintenance association for this entry.
Hihest Defect    The highest defect that will generate a fault alarm. (This is disabled by default.)
Lowest Alarm     The lowest defect that will generate a fault alarm (see the mep fault-notify lowest-priority command).
ethernet cfm delay-measure destination
This command sets the destination MEP identifier or MAC address for periodically transmitted delay-measure messages. Use the no form to clear a destination.
ethernet cfm delay-measure enable
This command enables periodic transmission of delay-measure messages. Use the no form to disable transmission.

Syntax
ethernet cfm delay-measure enable {one-way | two-way} md domain-name ma ma-name mpid source-mpid
no ethernet cfm delay-measure enable md domain-name ma ma-name mpid mpid

domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
ethernet cfm delay-measure group
This command sets attributes for periodically transmitted delay-measure messages, including transmission cycle, duration, interval, and timeout. Use the no form to delete an attribute group.

Syntax
ethernet cfm delay-measure group group-index [cycle cycle] [duration duration] [interval interval] [size packet-size] [timeout timeout]
no ethernet cfm delay-measure group group-index

group-index – Attribute group index.
ethernet cfm delay-measure threshold
This command sets the threshold for frame delay measurements at which an SNMP trap is sent and an entry is recorded in the system log. Use the no form to restore the default setting.

Syntax
ethernet cfm delay-measure threshold threshold
no ethernet cfm delay-measure threshold

threshold - The delay in transmission time at or above which a trap is sent and an entry recorded in the system log.
ethernet cfm delay-measure one-way
This command sends on-demand delay-measure information to a specified MEP, stamped with the time of transmission.

Syntax
ethernet cfm delay-measure one-way [src-mep source-mpid] {dest-mep destination-mpid | mac-address} md domain-name ma ma-name [count transmit-count] [interval interval] [size packet-size]

source-mpid – The identifier of a source MEP that will send delay-measure messages.
• One-way frame delay measurement requires the clocks at the transmitting and receiving MEPs to be synchronized. For the purposes of frame delay variation measurement, which is based on the difference between subsequent frame delay measurements, the requirement for clock synchronizations can be relaxed since the out-of-phase period can be eliminated in the difference of subsequent frame delay measurements.

Example
This example sends one-way delay-measure requests to a remote MEP.
Command Usage
• Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
• Both the source and destination MEP must be configured for the same MA before using this command.
• If a MEP is enabled to generate frames with delay measurement (DM) information, it sends the specified number of DM frames to its peer MEP in the same MA, and expects to receive DM frames back from it.
Jun 18 05:04:39 2012      10    10
Jun 18 05:04:40 2012      10     0
Jun 18 05:04:41 2012    < 10    10
Delay time min/avg/max=0/12/20 ms.
Console#

Loss Measure Operations

ethernet cfm loss-measure dual-ended destination
This command sets the destination MEP for periodically transmitted continuity check messages (CCM), including request for dual-ended frame loss measurements. Use the no form to clear a destination.
ethernet cfm loss-measure enable
This command enables periodic transmission of loss-measure messages. Use the no form to disable transmission.

Syntax
ethernet cfm loss-measure enable {dual-ended | single-ended} md domain-name ma ma-name mpid source-mpid
no ethernet cfm delay-measure enable md domain-name ma ma-name mpid mpid

domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
• Previous CCM frame's TxFCf, RxFCb and TxFCb values and local counter RxFCl value at the time the previous CCM frame was received. These values are represented as TxFCf[tp], RxFCb[tp], TxFCb[tp] and RxFCl[tp], where tp is the reception time of the previous frame.
ma-name – Maintenance association name. (Range: 1-43 alphanumeric characters, maximum length is 44 minus the length of the domain name)
mpid – Maintenance end point identifier. (Range: 1-8191)

Default Setting
None

Command Mode
Global Configuration

Command Usage
• If the specified attribute group has not been configured by the ethernet cfm loss-measure single-ended group command, the binding will fail.
Command Usage
To modify the settings for a destination, first disable the transmission of periodic loss-measure messages with the no ethernet cfm loss-measure enable command.

Example
This example sets the periodic loss-measure message destination for a MEP.
ethernet cfm loss-measure single-ended
This command sends on-demand loss-measure information to a specified MEP, stamped with the time of transmission.

Syntax
ethernet cfm loss-measure single-ended [src-mep source-mpid] dest-mep destination-mpid md domain-name ma ma-name [count transmit-count] [interval interval]

source-mpid – The identifier of a source MEP that will send loss-measure messages.
show ethernet cfm loss-measure single-ended
This command displays near-end and far-end frame loss for the on-demand single-ended loss-measure test.
Chapter 26 OAM Commands

In this chapter
This switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
efm oam
This command enables OAM functions on the specified port. Use the no form to disable this function.

Syntax
[no] efm oam

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
• If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
• Not all CPEs support OAM functions, and OAM is therefore disabled by default.
• Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.

NOTE
When system power fails, the switch will always send a dying gasp trap message prior to power down.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam critical-link-event dying-gasp
Console(config-if)#

efm oam link-monitor frame
This command enables reporting of errored frame link events. Use the no form to disable this function.
Command Mode
Interface Configuration

Command Usage
If this feature is enabled, an event notification message is sent if the threshold is reached or exceeded within the period specified by the command “efm oam link-monitor frame window” on page 572. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.
efm oam mode
This command sets the OAM mode on the specified port. Use the no form to restore the default setting.

Syntax
efm oam mode {active | passive}
no efm oam mode

active - All OAM functions are enabled.
passive - All OAM functions are enabled, except for OAM discovery, and sending loopback control OAMPDUs.

Default Setting
Active

Command Mode
Interface Configuration

Command Usage
When set to active mode, the selected interface will initiate the OAM discovery process.
efm oam remote-loopback
This command starts or stops OAM loopback test mode to the attached CPE.

Syntax
efm oam remote-loopback {start | stop} interface

start - Starts remote loopback test mode.
stop - Stops remote loopback test mode.
interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• OAM remote loop back can be used for fault localization and link performance testing.
efm oam remote-loopback test
This command performs a remote loopback test, sending a specified number of packets.

Syntax
efm oam remote-loopback test interface [number-of-packets [packet-size]]

interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)
number-of-packets - Number of packets to send. (Range: 1-99999999)
packet-size - Size of packets to send.
show efm oam counters interface
This command displays counters for various OAM PDU message types.

Syntax
show efm oam counters interface [interface-list]

interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Console#

show efm oam remote-loopback interface
This command displays the results of an OAM remote loopback test.

Syntax
show efm oam remote-loopback interface [interface-list]

interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Dying Gasp : Enabled
Critical Event : Enabled
Link Monitor (Errored Frame) : Enabled
Link Monitor:
Errored Frame Window (100msec) : 10
Errored Frame Threshold : 1

Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port Admin   Mode   Remote   Dying   Critical Errored
     State          Loopback Gasp    Event    Frame
---- ------- ------ -------- ------- -------- -------
1/1  Enabled Active Disabled Enabled Enabled  Enabled
Console#

show efm oam status remote interface
This
Chapter 27 Domain Name Service Commands

In this chapter
These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
Command Usage
• Domain names are added to the end of the list one at a time.
• When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
• If there is no domain list, the domain name specified with the ip domain-name command is used. If there is a domain list, the default domain name is not used.
Default Domain Name:
    sample.com
Domain Name List:
    sample.com.jp
    sample.com.uk
Name Server List:
    192.168.1.55
    10.1.0.55
Console#

Related Commands
“ip domain-name” on page 581
“ip name-server” on page 582

ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
ip host
This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.

Syntax
[no] ip host name address

name - Name of an IPv4 host. (Range: 1-100 characters)
address - Corresponding IPv4 address.

Default Setting
No static entries

Command Mode
Global Configuration

Command Usage
Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries.
Command Usage
The listed name servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response.

Example
This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
    DNS disabled
Default Domain Name:
    sample.com
Domain Name List:
    sample.com.jp
    sample.com.uk
Name Server List:
    192.168.
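The lookup order described under ip domain-list and ip name-server can be modelled in a few lines. This is an added illustration, not switch firmware: the function names, the 192.0.2.x answers and the unresponsive first server are constructed, while the domain names and name server addresses are the ones used in this chapter's examples.

```python
"""Model of the documented lookup order: domain list, default domain, name servers."""

NAME_SERVERS = ["192.168.1.55", "10.1.0.55"]      # order given to ip name-server
DOMAIN_LIST = ["sample.com.jp", "sample.com.uk"]  # order added with ip domain-list
DEFAULT_DOMAIN = "sample.com"                     # set with ip domain-name

# Constructed server data. 192.168.1.55 is absent, which models a server that
# never responds; 10.1.0.55 responds and knows two names.
ZONES = {
    "10.1.0.55": {
        "rd5.sample.com.uk": "192.0.2.10",
        "rd5.sample.com": "192.0.2.99",
    },
}


def candidate_names(host, default_domain=None, domain_list=()):
    """Return the fully qualified names tried for `host`, in order."""
    if "." in host:
        # Dotted notation: the name is treated as complete, nothing is appended.
        return [host]
    if domain_list:
        # A domain list replaces the default domain name entirely.
        return [f"{host}.{domain}" for domain in domain_list]
    if default_domain:
        return [f"{host}.{default_domain}"]
    return []


def query_servers(fqdn, name_servers, zones):
    """Query servers in configured order until one responds.

    Returns (server, answer); answer is None when the responding server has no
    match. Returns (None, None) when the end of the list is reached with no
    response from any server.
    """
    for server in name_servers:
        zone = zones.get(server)
        if zone is None:
            continue  # no response, try the next configured server
        return server, zone.get(fqdn)
    return None, None


def resolve(host, name_servers, zones, default_domain=None, domain_list=()):
    """Return (address or None, trace of (fqdn, responding server, answer))."""
    trace = []
    for fqdn in candidate_names(host, default_domain, domain_list):
        server, answer = query_servers(fqdn, name_servers, zones)
        trace.append((fqdn, server, answer))
        if answer is not None:
            return answer, trace
    return None, trace


if __name__ == "__main__":
    address, trace = resolve("rd5", NAME_SERVERS, ZONES, DEFAULT_DOMAIN, DOMAIN_LIST)
    for fqdn, server, answer in trace:
        print(f"{fqdn:20} via {server}: {answer}")
    print("resolved to", address)
```

The trace makes visible which fully qualified names leave the switch and which server answered each one, which is the information needed when auditing a domain list or name server order.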
Example
This example maps an IPv6 address to a host name.
Console(config)#ipv6 host rd6 2001:0db8:1::12
Console(config)#end
Console#show hosts
No.  Flag Type    IP Address           TTL   Domain
---- ---- ------- -------------------- ----- ------------------------------
0    2    Address 192.168.1.55               rd5
1    2    Address 2001:DB8:1::12             rd6
Console#

clear dns cache
This command clears all entries in the DNS cache.

Command Mode
Privileged Exec

Example
Console#clear dns cache
Console#show dns cache
No.
show dns
This command displays the configuration of the DNS service.

Command Mode
Privileged Exec

Example
Console#show dns
Domain Lookup Status:
    DNS enabled
Default Domain Name:
    sample.com
Domain Name List:
    sample.com.jp
    sample.com.uk
Name Server List:
    192.168.1.55
    10.1.0.55
Console#

show dns cache
This command displays entries in the DNS cache.

Command Mode
Privileged Exec

Example
Console#show dns cache
No.
27 Domain Name Service Commands show hosts This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry. Console#show hosts No. Flag Type IP Address ---- ---- ------- -------------------0 2 Address 192.168.1.55 1 2 Address 2001:DB8:1::12 3 4 Address 209.131.36.
Chapter 28 DHCP Commands

In this chapter
These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface can be configured to automatically obtain an IP address through DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network.
28 DHCP Client

ip dhcp client class-id
This command specifies the DHCP client vendor class identifier option for the current interface. Use the no form to remove the class identifier from the DHCP packet.

Syntax
ip dhcp client class-id [text text | hex hex]
no ip dhcp client class-id

text - A text string. (Range: 1-32 characters)
hex - A hexadecimal value.
FIGURE 7   Options 55 and 124 Statements

Option  Statement Keyword            Statement Parameter
------  ---------------------------  -----------------------------------------------
55      dhcp-parameter-request-list  a list of parameters, separated by ','
124     vendor-class-identifier      a string indicating the vendor class identifier

• The server should reply with the TFTP server name and boot file name.
• Note that the vendor class identifier can be formatted in either text or hexadecimal, but the format used by both the client and server must be the same.
Related Commands
“ip address” on page 596

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.

Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-id

vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Command Mode
Privileged Exec

Command Usage
• This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration.
28 DHCP Relay

Command Usage
• DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options. Static or dynamic address prefixes may be assigned by a DHCPv6 server based on the client’s DUID.
• To display the DUID assigned to this device, first enter the ipv6 address autoconfig command.
ip dhcp relay server
This command specifies the addresses of DHCP servers to be used by the switch’s DHCP relay agent. Use the no form to clear all addresses.

Syntax
ip dhcp relay server address1 [address2 [address3 ...]]
no ip dhcp relay server

address - IP address of DHCP server. (Range: 1-5 addresses)

Default Setting
None

Command Mode
Interface Configuration (VLAN)

Usage Guidelines
• You must specify the IP address for at least one DHCP server.
Command Usage
This command is used to configure DHCP relay functions for host devices attached to the switch. If DHCP relay service is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server on another network.
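The relay step described above, shown from both sides as an added example (not the switch's own code): the relay writes its interface address into the giaddr field of the client request, and the server reads that field to choose the client's subnet. The function names, the relay address 192.168.3.1, the scopes and the sample DISCOVER packet are constructed; the hop limit of 16 is an assumption taken from RFC 1542, not from this guide.

```python
import ipaddress
import struct

BOOTREQUEST = 1
HOPS_OFFSET = 3            # hop count byte in the BOOTP header
GIADDR = slice(24, 28)     # relay agent IP address field
BOOTP_HEADER_LEN = 236
MAX_HOPS = 16              # assumption: RFC 1542 limit, not stated in this guide


def build_discover(mac, xid=0x1234ABCD):
    """Build a minimal, constructed DHCPDISCOVER as a client would broadcast it."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,        # op, htype (Ethernet), hlen, hops
        xid, 0, 0x8000,              # transaction id, secs, broadcast flag
        bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr
        bytes.fromhex(mac.replace("-", "")),     # chaddr, padded to 16 bytes
        b"", b"",                    # sname, file
    )
    magic_cookie = bytes([99, 130, 83, 99])
    options = bytes([53, 1, 1, 255])  # option 53 = DHCPDISCOVER, then end marker
    return header + magic_cookie + options


def relay_request(packet, relay_ip):
    """Return the request as the relay would forward it, or None if dropped."""
    if len(packet) < BOOTP_HEADER_LEN or packet[0] != BOOTREQUEST:
        raise ValueError("not a BOOTP/DHCP client request")
    if packet[HOPS_OFFSET] > MAX_HOPS:
        return None  # relayed too many times already
    out = bytearray(packet)
    out[HOPS_OFFSET] += 1
    if out[GIADDR] == bytes(4):
        # Only the first relay fills giaddr; later relays must not overwrite it,
        # otherwise the server would pick the wrong subnet.
        out[GIADDR] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out)


def scope_for(packet, scopes):
    """Server side: choose the address scope that contains giaddr."""
    giaddr = ipaddress.IPv4Address(bytes(packet[GIADDR]))
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        return None  # not relayed: the client is on the server's own segment
    for scope in scopes:
        if giaddr in ipaddress.ip_network(scope):
            return scope
    return None  # relayed from a subnet the server has no scope for


if __name__ == "__main__":
    discover = build_discover("00-ab-cd-ef-11-22")
    relayed = relay_request(discover, "192.168.3.1")
    print("giaddr:", ipaddress.IPv4Address(relayed[GIADDR]))
    print("scope :", scope_for(relayed, ["192.168.2.0/24", "192.168.3.0/24"]))
```

Because the server selects the scope purely from giaddr, the value in that field is worth checking when a lease lands in an unexpected subnet.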
Chapter 29 IP Interface Commands

In this chapter
An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
29 IPv4 Interface

Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage
• An IP address must be assigned to this device to gain management access over the network or to connect the switch to existing IP subnets. A specific IP address can be manually configured, or the switch can be directed to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything other than this format is not accepted by the configuration program.
Command Mode
Global Configuration

Command Usage
• Static routes can also be defined using the ip route command to ensure that traffic to the designated address or subnet passes through a preferred gateway.
• A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
• A gateway must be defined if the management station is located in a different IP segment.
IPv4 Interface 29 Example Console#show ip traffic IP Statistics: IP received 4877 total received header errors unknown protocols address errors discards 4763 delivers reassembly request datagrams reassembly succeeded reassembly failed IP sent forwards datagrams 5927 requests discards no routes generated fragments fragment succeeded fragment failed ICMP Statistics: ICMP received input errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply m
Console#

traceroute
This command shows the route packets take to the specified destination.

Syntax
traceroute host

host - IP address or alias of the host.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Use the traceroute command to determine the path taken to reach a specified destination.
• A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.

Syntax
ping host [count count] [size size]

host - IP address or alias of the host. (Maximum length: 134 characters)
count - Number of packets to send. (Range: 1-16)
size - Number of bytes in a packet. (Range: 32-512) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Related Commands
“interface” on page 256

ARP Configuration
This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
Example
Console(config)#arp 192.168.0.19 00-ab-cd-ef-11-22
Console(config)#

Related Commands
“clear arp-cache” on page 604
“show arp” on page 604

arp timeout
This command sets the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache. Use the no form to restore the default timeout.

Syntax
arp timeout seconds
no arp timeout

seconds - The time a dynamic entry remains in the ARP cache.
Command Mode
Interface Configuration (VLAN)

Command Usage
• Proxy ARP allows a non-routing device to determine the MAC address of a host on another subnet or network.
• End stations that require Proxy ARP must view the entire network as a single network. These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices.
ARP Cache Timeout: 1200 (seconds)

IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- -----------
10.1.0.0        FF-FF-FF-FF-FF-FF other     VLAN1
10.1.0.254      00-00-AB-CD-00-00 other     VLAN1
10.1.0.255      FF-FF-FF-FF-FF-FF other     VLAN1
145.30.20.23    09-50-40-30-20-10 dynamic   VLAN3

Total entry : 5
Console#

IPv6 Interface
This switch supports the following IPv6 interface commands.
TABLE 145   IPv6 Configuration Commands (Continued)

Command                 Function                                                                                                                                   Mode
ipv6 nd reachable-time  Configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred   IC
clear ipv6 neighbors    Deletes all dynamic entries in the IPv6 neighbor discovery cache                                                                          PE
show ipv6 neighbors     Displays information in the IPv6 neighbor discovery cache                                                                                 PE

Interface Address Configuration and Utilities

ipv6 default-gateway
This comm
Related Commands
“show ipv6 default-gateway” on page 614
“ip default-gateway” on page 597

ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
29 IPv6 Interface Link-local address: FE80::2E0:CFF:FE00:FD/64 Global unicast address(es): 2001:DB8:2222:7272:2E0:CFF:FE00:FD/64, subnet is 2001:DB8:2222:7272::/64[AUTOCONFIG] valid lifetime 2591628 preferred lifetime 604428 Joined group address(es): FF02::1:FF00:FD FF02::1 IPv6 link MTU is 1280 bytes ND ND ND ND ND DAD is enabled, number of DAD attempts: 3.
• Note that the value specified in the ipv6-prefix may include some of the high-order host bits if the specified prefix length is less than 64 bits. If the specified prefix length exceeds 64 bits, then the network portion of the address will take precedence over the interface identifier.
• If a duplicate address is detected, a warning message is sent to the console.
ipv6 address link-local
This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.

Syntax
ipv6 address ipv6-address link-local
no ipv6 address [ipv6-address link-local]

ipv6-address - The IPv6 address assigned to the interface.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
Console#

Related Commands
“ipv6 enable” on page 612
“show ipv6 interface” on page 614

ipv6 enable
This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address.
FF02::1:FF00:FD
FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
show ipv6 default-gateway
This command displays the current IPv6 default gateway.

Command Mode
Normal Exec, Privileged Exec

Example
The following shows the default gateway configured for this device:
Console#show ipv6 default-gateway
IPv6 default gateway 2001:DB8:2222:7272::254
Console#

show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.
ND advertised reachable time is 0 milliseconds
Console#

TABLE 146   show ipv6 interface - display description

Field  Description
VLAN   A VLAN is marked “up” if the switch can send and receive packets on this interface, “down” if a line signal is not present, or “administratively down” if the interface has been disabled by the administrator.
Console#

Related Commands
“show ip interface” on page 598

show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
29 IPv6 Interface reassembly request datagrams reassembly succeeded reassembly failed IPv6 sent forwards datagrams 15 requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics: ICMPv6 received input errors destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages router solicit messages router advertisement messages neighbor solicit messages neighbor advertisement messages r
TABLE 148   show ipv6 traffic - display description

Field            Description
IPv6 Statistics
IPv6 received
total received   The total number of input datagrams received by the interface, including those received in error.
header errors    The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
TABLE 148   show ipv6 traffic - display description (Continued)

Field               Description
IPv6 sent
forwards datagrams  The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
TABLE 148   show ipv6 traffic - display description (Continued)

Field                               Description
redirect messages                   The number of Redirect messages received by the interface.
group membership query messages     The number of ICMPv6 Group Membership Query messages received by the interface.
group membership response messages  The number of ICMPv6 Group Membership Response messages received by the interface.
TABLE 148   show ipv6 traffic - display description (Continued)

Field         Description
other errors  The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
output        The total number of UDP datagrams sent from this entity.

clear ipv6 traffic
This command resets IPv6 traffic counters.
• The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent. When pinging from the craft interface, use the zone index 4097.
• The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
• A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
• Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
• Duplicate address detection is stopped on any interface that has been suspended (see the vlan command). While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending” state. Duplicate address detection is automatically restarted when the interface is administratively re-activated.
ipv6 nd ns-interval
This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value.

Syntax
ipv6 nd ns-interval milliseconds
no ipv6 nd ns-interval

milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
ipv6 nd reachable-time
This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred.

Syntax
ipv6 nd reachable-time milliseconds
no ipv6 nd reachable-time

milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability.
using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

Default Setting
All IPv6 neighbor discovery cache entries are displayed.
Related Commands
“show mac-address-table” on page 325
Chapter 30 IP Routing Commands

In this chapter
To forward traffic to devices on other subnetworks, you can configure fixed paths with static routing commands. Dynamic routing protocols that exchange information with other routers on the network to automatically determine the best path to any subnetwork will be supported in a subsequent release. This section includes commands for static routing. These commands are used to connect between different local subnetworks.
Example
This example forwards all traffic for subnet 192.168.1.0 to the gateway router 192.168.5.254.
Console(config)#ip route 192.168.1.0 255.255.255.0 192.168.5.254
Console(config)#

show ip route
This command displays information in the Forwarding Information Base (FIB).

Syntax
show ip route [connected | static | summary]

connected – Displays all currently connected entries.
static – Displays all static entries.
Console#

show ip route database
This command displays entries in the Routing Information Base (RIB).

Command Mode
Privileged Exec

Command Usage
The RIB contains all directly attached networks, and any additionally configured routes such as static routes. The RIB contains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base (see Command Usage under the show ip route command).
Chapter 31 Debug Commands

In this chapter
Debug commands are provided for reporting errors to Brocade for technical support. Many of these commands display information directly from the ASIC.
debug hardware dev-amtrdrv
This command shows all MAC entries maintained by the address table management driver (operating in the system ASIC), including the MAC address table and the VLAN mapping table.

Syntax
debug hardware dev-amtrdrv {mac-table | vidx-table}

mac-table – Displays all MAC address entries.
vidx-table – Displays all multicast entries.

Command Mode
Privileged Exec

Command Usage
• This switch has only one MAC chip, so the chip ID is not specified.
pcl-table – Shows Policy Control List configuration table.
rule-status – Shows the status of all rules.
31 Debug Commands policer[28]: TRTCM-COLOR-AWARE, cir=1, cbs=100, pir=2, pbs=200, yellowCmd=Remark-by-Entry, redCmd=Drop, modifyDscp, remarkMode=L2, qosProfile=21 {DP=Red, UP=0, TC=1, DSCP=21} ref pce = { 116 ,118 ,120 } policer[29]: SRTCM-COLOR-BLIND, cir=0, cbs=0, ebs=0, yellowCmd=No-Change, redCmd=No-Change, remarkMode=L2 policer[30]: SRTCM-COLOR-BLIND, cir=0, cbs=0, ebs=0, yellowCmd=No-Change, redCmd=No-Change, remarkMode=L2 …… policer[253]: SRTCM-COLOR-BLIND, cir=0, cbs=0, ebs=0, yellowCmd=No-Change,
31 Debug Commands port[09]:enabled=1, port[10]:enabled=1, port[11]:enabled=1, port[12]:enabled=1, port[00]:enabled=0, port[01]:enabled=0, port[02]:enabled=0, port[03]:enabled=0, port[04]:enabled=0, port[05]:enabled=0, port[06]:enabled=0, port[07]:enabled=0, port[08]:enabled=0, port[09]:enabled=0, port[10]:enabled=0, port[11]:enabled=0, port[12]:enabled=0, Console# pclId=0, pclId=0, pclId=0, pclId=0, nonIpKey=0, nonIpKey=0, nonIpKey=0, nonIpKey=0, ipv4Key=2, ipv4Key=2, ipv4Key=2, ipv4Key=2,
31 Debug Commands [512]pcl_id=512, hw_idx=118, upper_rule_id=56, policer_idx=-1, pce_type=4(EXT), valid=1 pattern:00000000 00000000 00000000 00000800 00000000 00000000 00000000 00000000 00000000 00000000 7003C000 00748EF8 mask:000001FF 00000000 00000000 00000800 00000000 00000000 00000000 00000000 00000000 00000000 FFFFFF00 00FFFFFF action:00000000 00000000 00000000 00000000 Forward Console# debug hardware dev-swdrv This command shows the switch driver’s buffer allocation for packets, including the statu
31 Debug Commands Console#debug hardware dev-swdrv drop-cnt ======== Ingress Bridge Drop Counter [R0] ======== [ COUNT_ALL_E] = 901 [ RATE_LIMIT_E] = 890 ======== Bridge Port/VLAN/Device Counters [ROC] ======== [gtBrgInFrames] = 4260 [gtBrgVlanIngFilterDisc] = 0 [gtBrgSecFilterDisc] = 0 [gtBrgLocalPropDisc] = 923 ======== Bridge Egress Counters [ROC] ======== [outUcFrames] = 1529 [outMcFrames] = 0 [outBcFrames] = 0 [brgEgrFilterDisc]= 0 [txqFilterDisc] = 0 [outCtrlFrames] = 2 [egrFrwDropFrames]= 0 Console
31 Debug Commands link disconnect Console# (25_6.
31 Debug Commands Example Console#debug ipcfg Dump IPv4 Rif =============================================================================== IP Address prefix_len ifindex role 192.168.2.1 24 1001 1 192.168.3.1 24 1002 1 192.68.4.
31 Debug Commands Dump IPV4 Routing Table IP Address Prefix Len 0.0.0.0 0 10.0.0.0 8 127.0.0.0 8 192.168.2.0 24 192.168.3.0 24 Next Hop 192.168.2.99 192.168.2.99 0.0.0.0 0.0.0.0 0.0.0.
31 Debug Commands debug igmpsnp-mvr show-forward-entry This command shows IGMP Snooping forwarding entries of all VLANs. Syntax debug igmpsnp-mvr show-forward-entry Command Mode Privileged Exec Example Console#debug igmpsnp-mvr show-forward-entry IGMP snooping entry limit:1023, count:4 VLAN: 1 Group: 225.1.1.1 Forwarding ports: Member ports : Expire time : Learning type : 1 1 0 Protocol Group: 225.1.1.3 Forwarding ports: Member ports : Expire time : Learning type : 1 1 0 Protocol Group: 225.128.1.
31 Debug Commands debug igmpsnp-mvr show-group-record This command shows IGMP group records for all IGMP Snooping interfaces. Syntax debug igmpsnp-mvr show-group-record Command Mode Privileged Exec Example Console#debug igmpsnp-mvr show-group-record Interface Name: 1001 Interface VID : 1 Group : 225.1.1.1 Uptime : 2284 Group mode : Exclude Last reporter : 0.0.0.
31 Debug Commands Group Uptime Group mode Last reporter TIB-A Count TIB-B Count Source list Flags : : : : : : : : 225.1.1.1 2300 Exclude (Expires: 1674) 192.168.1.12 0 0 empty --, V2, --, --, --, -- Interface Name: Interface VID : Group : Uptime : Group mode : Last reporter : TIB-A Count : TIB-B Count : Source list : Flags : 1 1 225.1.1.3 2345 Exclude (Expires: 1699) 192.168.1.
31 Debug Commands TIB-B Count Source list Flags : 0 : empty : --, V2, --, --, --, -- Interface Name: Interface VID : Group : Uptime : Group mode : Last reporter : TIB-A Count : TIB-B Count : Source list : Flags : 1005 5 239.255.255.250 2611 Exclude 0.0.0.0 0 0 empty --, V2, --, --, --, -- Interface Name: Interface VID : Group : Uptime : Group mode : Last reporter : TIB-A Count : TIB-B Count : Source list : Flags : 5 5 225.1.1.1 2390 Exclude (Expires: 1617) 192.168.1.
31 Debug Commands Example Console#debug igmpsnp-mvr show-interface-sflags Interface type: | name <= 1000 | name > 1000 -------------|--------------|-----------VID <= 10000 | IGMP port | IGMP VLAN VID > 10000 | MVR port | MVR VLAN Fields descriptions: ac : IGMP snooping function is worked on this interface. c1 : Compatibility version is IGMP version 1. c2 : Compatibility version is IGMP version 2. c3 : Compatibility version is IGMP version 3. ii : Configurations are inherited from VLAN interface.
31 Debug Commands Example Console#debug igmpsnp-mvr show-interface-status Interface type: | name <= 1000 | name > 1000 -------------|--------------|-----------VID <= 10000 | IGMP port | IGMP VLAN VID > 10000 | MVR port | MVR VLAN Fields descriptions: com : IGMP compatible version. st_rt : Static router port interface. dy_rt : Dynamic router port interface. ver : Configuration of IGMP version. rob : Configuration of robustness value. qi : Configuration of query interval.
31 Debug Commands MVR domain 4: name vid status com st_rt dy_rt ver rob 1001 10001 Inactive 2 1 Downstream port interface: Router port interface : MVR domain 5: name vid status com st_rt dy_rt ver rob 1001 10001 Inactive 2 1 Downstream port interface: Router port interface : Console# qi 125 qri 100 vlan_if --- qi 125 qri 100 vlan_if --- debug igmpsnp-mvr show-interface-timers This command shows the remaining time of all timers for all IGMP Snooping and MVR interfaces.
31 Debug Commands 1001 10001 Console# 0 0 0 0 0 0 0 0 debug msl show-interface-info This command shows the status of all Multicast Shim Layer (MSL) VLAN interfaces.
31 Debug Commands Group: 225.128.1.2, Source: 0.0.0.0, Upstream VLAN: 0, rp: 0 Flags: , SNP, , , , Hit Bit: 0 Snooping interface: L2 interface: 1(Flags : CHIP,,,) port:1, Multicast downstream interface: MVR downstream interface: Group: 233.171.129.255, Source: 0.0.0.0, Upstream VLAN: 0, rp: 0 Flags: , SNP, , , , Hit Bit: 0 Snooping interface: L2 interface: 5(Flags : CHIP,,,) port:5, Multicast downstream interface: MVR downstream interface: Group: 239.255.255.250, Source: 0.0.0.
31 Debug Commands Example Console#debug erps adm {domain id/name (1/test)} Adm: A-TG A-TH A-TW EN LV 500 0 300000 N 0 MYID A-TE MAJOR SUB-NBR 1 300 0 0 {domain id/name (2/aaa)} Adm: A-TG A-TH A-TW EN LV 500 0 300000 N 0 MYID A-TE MAJOR SUB-NBR 1 300 0 0 Console# Console#debug erps opr {domain id/name (1/test)} Opr: O-TG O-TH O-TW R-RAPS 0 0 0 0 LST-RAPS BLK1 BLK2 DIRT1 NR N N N {domain id/name (2/aaa)} Opr: O-TG O-TH O-TW R-RAPS 0 0 0 0 LST-RAPS BLK1 BLK2 DIRT1 NR N N N Console# VID 0 MEP1 0 PWEST PEAST
Section III Web Configuration

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and includes the following chapters:
• Using the Web Interface
• Basic Management Tasks
• Interface Configuration
Chapter 32 Using the Web Interface

In this chapter
This chapter includes information on connecting to the switch and basic configuration procedures. It includes the following topics:
• Connecting to the Web Interface
• Navigating the Web Browser Interface

Connecting to the Web Interface
This switch provides an embedded HTTP web agent.
Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds. Connection to the web interface is not supported for HTTPS using an IPv6 link local address.

Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics.
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

TABLE 152   Web Page Configuration Buttons

Button  Action
Apply   Sets specified values to the system.
Revert  Cancels specified values and restores current values prior to pressing “Apply.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
TABLE 153 Switch Main Menu (Continued)
Menu Description Page
Configure by Port Range Configures connection settings for a range of ports 703 Show Information Displays port connection status 704 705 Mirror Add Sets the source and target ports for mirroring 705 Show Shows the configured mirror sessions 705 Statistics Shows Interface, Etherlike, and RMON port statistics 710 Chart Shows Interface, Etherlike, and RMON port statistics 710 715 Histor
726 Configure Aggregation Port 726 Configure General Allows ports to dynamically join trunks 728 Actor Configures parameters for link aggregation group members on the local side 728 Partner Configures parameters for link aggregation group members on the remote side 728 733 Show Information Counters Displays statistics for LACP protocol messages 733 Internal Displays configuration settin
Modify Configures group name and administrative status 752 Edit Member by VLAN Specifies VLAN attributes per VLAN 754 Edit Member by Interface Specifies VLAN attributes per interface 754 Edit Member by Interface Range Specifies VLAN attributes per interface range 754 Configure General Enables GVRP VLAN registration protocol globally 758 Configure Interface Configures GVRP status and ti
Show Displays the configuration settings for VLAN translation 777 MAC Address 779 Static 779 Add Configures static entries in the address table 779 Show Displays static entries in the address table 779 Configure Aging Sets timeout for dynamically learned entries 781 Show Dynamic MAC Displays dynamic entries in the address table 782 Clear Dynamic MAC Removes any learned entries from
Sets thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port 810 Configure Global Sets the time to apply the control response after traffic has exceeded the upper threshold, and the time to release the control response after traffic has fallen beneath the lower threshold 811 Configure Interface Sets the storm control mode (broadcas
VoIP Configure Global Voice over IP 841 Configures auto-detection of VoIP traffic, sets the Voice VLAN, and VLAN aging time 841 843 Configure OUI Add Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer 843 Show Shows the OUI telephony list 843 Configures VoIP traffic settings for ports, including the way in which a port is added to the Voice VLAN, filter
User Accounts 860 Add Configures user names, passwords, and access levels 860 Show Shows authorized users 860 Modify Modifies user attributes 860 Allows authentication and access to the network when 802.
Periodic Show Rule Sets a recurrent time 883 Shows the time specified by a rule 883 886 Configure ACL Show TCAM Shows utilization parameters for TCAM 885 Add Adds an ACL based on IP or MAC address filtering 886 Show Shows the name and type of configured ACLs 886 Add Rule Configures packet filtering based on IP or MAC addresses and other packet attributes 886 Show Rule Shows the rules
Show Dynamic Binding Shows static addresses in the source-guard binding table 923 Displays the source-guard binding table for a selected interface 925 Administration 933 Log 933 933 System Configure Global Stores error messages in local memory 933 Show System Logs Shows logged error messages 933 Remote Configures the logging of messages to a remote logging process 936 SMTP Sends an S
Shows configured groups and access policies 959 Add Community Configures community strings and access mode 960 Show Community Shows community strings and access mode 960 Add SNMPv3 Local User Configures SNMPv3 users on this switch 962 Show SNMPv3 Local User Shows SNMPv3 users configured on this switch 962 Change SNMPv3 Local User Group Assign a local user to a new group 962 Add SNMPv3
ERPS Configure Global Ethernet Ring Protection Switching 982 Activates ERPS globally 984 985 Configure Domain Add Creates an ERPS ring 985 Show Shows list of configured ERPS rings, status, and settings 985 Configure Details Configures ring parameters 985 Connectivity Fault Management 992 Configure Global Configures global settings, including administrative status, cross-check start del
Transmits periodic dual-ended loss-measure messages 1014 Transmit Link Trace Sends link trace messages to isolate connectivity faults by tracing the path through a network to the designated target node 1018 Transmit Loopback Sends loopback messages to isolate connectivity faults by requesting a target node to echo the message back to the source 1020 Transmit Delay Measure Sends on-demand dela
Trace Route ARP Configure General Shows the route packets take to a specified destination 1068 Address Resolution Protocol 1069 Sets the protocol timeout, and enables or disables proxy ARP for the specified VLAN 1070 1071 Configure Static Address Add Statically maps a physical address to an IP address 1071 Show Shows the MAC to IP address static table 1071 Shows dynamically learned entrie
1084 Static Host Table Add Configures static entries for domain name to address mapping 1084 Show Shows the list of static mapping entries 1084 Modify Modifies the static address mapped to the selected host name 1084 Displays cache entries discovered by designated name servers 1086 Cache DHCP Dynamic Host Configuration Protocol Client Specifies the DHCP client identifier for an interfac
Add Multicast Group Range Assigns multicast groups to selected profile 1110 Show Multicast Group Range Shows multicast groups assigned to a profile 1110 Assigns IGMP filter profiles to port interfaces and sets throttling action 1112 Configure Interface 1106 Statistics Show Query Statistics Shows statistics for query-related messages 1106 Show VLAN Statistics Shows statistics for protocol
1130 Configure Profile Add Configures multicast stream addresses 1130 Show Shows multicast stream addresses 1130 1130 Associate Profile Add Maps an address profile to a domain 1130 Show Shows addresses profile to domain mapping 1130 Configures MVR interface type and immediate leave mode; also displays MVR operational and active status 1133 Configure Port Configures MVR attributes for a
Chapter 33 Basic Management Tasks
In this chapter
This chapter describes the following topics:
• Displaying System Information – Provides basic system description, including contact information.
• Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
• Configuring Support for Jumbo Frames – Enables support for jumbo frames.
• Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
Interface
To configure general system information:
1. Click System, General.
2. Specify the system name, location, and contact information for the system administrator.
3. Click Apply.
FIGURE 10 System Information
Displaying Hardware/Software Versions
Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Interface
To view hardware and software version information:
1. Click System, then Switch.
FIGURE 11 General Switch Information
Configuring Support for Jumbo Frames
Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet. Compared to standard Ethernet frames that run only up to 1.
3. Click Apply.
FIGURE 12 Configuring Support for Jumbo Frames
Displaying Bridge Extension Capabilities
Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Interface
To view Bridge Extension information:
1. Click System, then Capability.
FIGURE 13 Displaying Bridge Extension Configuration
Managing System Files
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
Copying Files via FTP/SFTP/TFTP or HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, SFTP, TFTP or HTTP.
• Secure Shell FTP (SFTP) provides a method of transferring files between two network devices over an SSH2-secured connection. SFTP functions similarly to Secure Copy (SCP), using SSH for user authentication and data encryption. Although the underlying premises of SFTP are similar to SCP, it requires some additional steps to verify the protocol versions and perform security checks.
5. If FTP or SFTP Upgrade is used, enter the user name and password for your account on the FTP/SFTP server.
6. Set the file type to Operation Code.
7. Enter the name of the file to download.
8. Select a file on the switch to overwrite or specify a new file name.
9. Then click Apply.
FIGURE 14 Copy Firmware
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
Interface
To save the running configuration file:
1. Click System, then File.
2. Select Copy from the Action list.
3. Select Running-Config from the Copy Type list.
4. Select the current startup file on the switch to overwrite or specify a new file name.
5. Then click Apply.
FIGURE 15 Saving the Running Configuration
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
FIGURE 16 Setting Start-Up Files
To start using the new firmware or configuration settings, reboot the system via the System > Reset menu.
Showing System Files
Use the System > File (Show) page to show the files in the system directory, or to delete a file.
NOTE
Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
CLI References
• “dir” on page 70
• “delete” on page 70
Interface
To show the system files:
1. Click System, then File.
2.
Automatic Operation Code Upgrade
Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
• During the automatic search and transfer process, the administrator cannot transfer or update another operation code image, configuration file, public key, or HTTPS certificate (i.e., no other concurrent file management operations are possible).
• The upgrade operation code image is set as the startup image after it has been successfully written to the file system.
• The switch will send an SNMP trap and make a log entry upon all upgrade successes and failures.
Examples
The following examples demonstrate the URL syntax for a TFTP server at IP address 192.168.0.1 with the operation code image stored in various locations:
• tftp://192.168.0.1/
  The image file is in the TFTP root directory.
• tftp://192.168.0.1/switch-opcode/
  The image file is in the “switch-opcode” directory, relative to the TFTP root.
• tftp://192.168.0.
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.0; new version 1.1.1.2
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
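Because an automatic upgrade replaces the startup image and reboots the switch without operator action, captured console text is worth checking against what was expected. The following is an added example, not code from this guide or from Brocade: it parses the bootup messages shown above and vets the event. The approved-version set, the trusted-server set and the finding names are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the bootup messages quoted in the guide, as captured console text.
SAMPLE_LOG = """\
. . .
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.0; new version 1.1.1.2
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
. . .
"""

# Matches the "New image detected" message and captures both dotted versions.
NEW_IMAGE = re.compile(
    r"New image detected: current version (\d+(?:\.\d+)*); "
    r"new version (\d+(?:\.\d+)*)"
)


def version_key(version):
    """Turn '1.1.1.10' into (1, 1, 1, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_upgrade(log_text):
    """Return the upgrade event found in console text, or None if there is none."""
    lines = [line.strip() for line in log_text.splitlines()]
    for line in lines:
        match = NEW_IMAGE.search(line)
        if match:
            return {
                "current": match.group(1),
                "new": match.group(2),
                # Whether the image was actually written and a restart announced.
                "flashed": "Flash programming completed" in lines,
                "restarting": "The switch will now restart" in lines,
            }
    return None


def review_upgrade(event, approved_versions, upgrade_url, trusted_servers):
    """Return finding codes for one upgrade event; an empty list means no findings.

    approved_versions and trusted_servers are the operator's own allowlists
    (assumed inputs, not something the switch provides).
    """
    findings = []
    if version_key(event["new"]) <= version_key(event["current"]):
        findings.append("not-newer")           # unexpected: same or older image
    if event["new"] not in approved_versions:
        findings.append("unapproved-version")  # image never signed off
    url = urlsplit(upgrade_url)
    if url.hostname not in trusted_servers:
        findings.append("untrusted-server")    # upgrade URL points elsewhere
    if url.scheme.lower() in ("tftp", "ftp"):
        # TFTP has no authentication; FTP sends credentials and data in the clear.
        findings.append("cleartext-transfer")
    return findings


if __name__ == "__main__":
    event = parse_upgrade(SAMPLE_LOG)
    print(event)
    print(review_upgrade(event, {"1.1.1.2"},
                         "tftp://192.168.0.1/switch-opcode/", {"192.168.0.1"}))
```

A "cleartext-transfer" finding is expected for the TFTP URLs in the examples above; it marks the server and the path to it as part of the trust boundary for firmware.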
Setting the System Clock
Interface
To manually set the system clock:
1. Click System, then Time.
2. Select Configure General from the Step list.
3. Select Manual from the Maintain Type list.
4. Enter the time and date in the appropriate fields.
5. Click Apply.
FIGURE 19 Manually Setting the System Clock
Setting the SNTP Polling Interval
Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers.
FIGURE 20 Setting the Polling Interval for SNTP
Specifying SNTP Time Servers
Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers.
CLI References
• “sntp server” on page 95
Parameters
The following parameters are displayed:
• SNTP Server IP Address – Sets the IPv4 or IPv6 address for up to three time servers.
Setting the Time Zone
Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Configuring Summer Time
Use the System > Time (Configure Summer Time) menu to configure summer time (that is, Daylight Savings Time) for the switch’s internal clock.
CLI References
• “clock summer-time (date)” on page 96
• “clock summer-time (predefined)” on page 97
• “clock summer-time (recurring)” on page 98
Usage Guidelines
• In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
• Recurring – Sets the start, end, and offset times of summer time on a recurring basis.
• Offset – Summer time offset from the regular time zone. (Range: 0-99 minutes; Default: 60 minutes)
• From – The recurring date and time at which to start using Summer Time settings.
• To – The recurring date and time at which to stop using Summer Time settings.
Interface
To configure Summer Time:
1. Click System, then Time.
2. Select Configure Summer Time from the Step list.
3.
Configuring the Console Port
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password (only configurable through the CLI), time outs, and basic communication settings.
Interface
To configure parameters for the console port:
1. Click System, then Console.
2. Specify the connection parameters as required.
3. Click Apply.
FIGURE 24 Console Port Settings
Configuring Telnet Settings
Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal).
• Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated. (Range: 1-65535 seconds; Default: 600 seconds)
• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts.
Displaying CPU Utilization
Use the System > CPU Utilization page to display information on CPU utilization.
CLI References
• “show process cpu” on page 59
Parameters
The following parameters are displayed:
• Time Interval – The interval at which to update the displayed utilization rate. (Options: 1, 5, 10, 30, 60 seconds; Default: 1 second)
• CPU Utilization – CPU utilization over specified interval.
Interface
To display CPU utilization:
1.
Parameters
The following parameters are displayed:
• Free Size – The amount of memory currently free for use.
• Used Size – The amount of memory allocated to active processes.
• Total – The total amount of system memory.
Interface
To display memory utilization:
1. Click System, then Memory Status.
Resetting the System
• minutes – The number of minutes, combined with the hours, before the switch resets. (Range: 0-59)
• At – Specifies a time at which to reload the switch.
• DD - The day of the month at which to reload. (Range: 1-31)
• MM - The month at which to reload. (Range: 1-12)
• YYYY - The year at which to reload. (Range: 2001-2050)
• HH - The hour at which to reload. (Range: 0-23)
• MM - The minute at which to reload.
FIGURE 28 Restarting the Switch (Immediately)
FIGURE 29 Restarting the Switch (In)
FIGURE 30 Restarting the Switch (At)
FIGURE 31 Restarting the Switch (Regularly)
Chapter 34 Interface Configuration
In this chapter
This chapter describes the following topics:
• Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control.
• Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
• Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
Port Configuration
CLI References
• “Interface Commands” on page 255
Command Usage
• Auto-negotiation must be disabled before you can configure or force an RJ-45 interface to use the Speed/Duplex mode or Flow Control options.
• When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities.
• Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e., with auto-negotiation disabled)
• Flow Control – Allows automatic or manual selection of flow control.
Interface
To configure port connection parameters:
1. Click Interface, Port, General.
2. Select Configure by Port List from the Action List.
3. Modify the required interface settings.
4. Click Apply.
4. Modify the required interface settings.
5. Click Apply.
FIGURE 33 Configuring Connections by Port Range
Displaying Connection Status
Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
CLI References
• “show interfaces status” on page 274
Parameters
These parameters are displayed:
• Port – Port identifier.
FIGURE 34 Displaying Port Information
Configuring Local Port Mirroring
Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
• Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both. (Default: Both)
Interface
To configure a local mirror session:
1. Click Interface, Port, Mirror.
2. Select Add from the Action List.
3. Specify the source port.
4. Specify the monitor port.
5. Specify the traffic type to be mirrored.
6. Click Apply.
FIGURE 36 Configuring Local Port Mirroring
To display the configured mirror sessions:
1. Click Interface, Port, Mirror.
2.
FIGURE 38 Configuring Remote Port Mirroring
[Figure: a Source Switch (source port, uplink port), an Intermediate Switch (two uplink ports), and a Destination Switch (uplink port, destination port) connected through the RSPAN VLAN. Ingress or egress traffic is mirrored onto the RSPAN VLAN from the source port. Tagged or untagged traffic from the RSPAN VLAN is analyzed at the destination port.]
• RSPAN Limitations
The following limitations apply to the use of RSPAN on this switch:
• RSPAN Ports – Only ports can be configured as an RSPAN source, destination, or uplink; static and dynamic trunks are not allowed. A port can only be configured as one type of RSPAN interface – source, destination, or uplink. Also, note that the source port and destination port cannot be configured on the same switch.
Only destination and uplink ports will be assigned by the switch as members of the RSPAN VLAN. Ports cannot be manually assigned to an RSPAN VLAN through the VLAN > Static page. Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the VLAN > Static (Show) page will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
• Type – Specifies the traffic type to be mirrored remotely.
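The RSPAN port limitations above can be checked against a planned session before any switch is touched. The following is an added example, not code from this guide or from Brocade: it validates one RSPAN session plan and lists the ports the switches will place in the RSPAN VLAN. The switch names, port labels, tuple layout and the uplink-presence check (derived from the topology in FIGURE 38) are assumptions made for illustration.

```python
from collections import defaultdict

ROLES = {"source", "destination", "uplink"}

# Constructed plan for one RSPAN session: (switch, interface, kind, role).
# Switch names and port labels are hypothetical.
GOOD_PLAN = [
    ("sw-src", "1/1", "port", "source"),
    ("sw-src", "1/12", "port", "uplink"),
    ("sw-mid", "1/11", "port", "uplink"),
    ("sw-mid", "1/12", "port", "uplink"),
    ("sw-dst", "1/12", "port", "uplink"),
    ("sw-dst", "1/2", "port", "destination"),
]

# Constructed plan that breaks three of the documented limitations.
BAD_PLAN = [
    ("sw-a", "1/1", "port", "source"),
    ("sw-a", "1/2", "port", "destination"),
    ("sw-a", "1/2", "port", "uplink"),
    ("sw-a", "trunk 1", "trunk", "uplink"),
]


def validate_rspan(plan):
    """Return a list of violations of the RSPAN port limitations (empty = valid)."""
    problems = []
    roles_by_port = defaultdict(set)
    roles_by_switch = defaultdict(set)
    for switch, interface, kind, role in plan:
        if role not in ROLES:
            problems.append(f"{switch} {interface}: unknown role {role!r}")
            continue
        # Only ports may be RSPAN source, destination or uplink; no trunks.
        if kind != "port":
            problems.append(f"{switch} {interface}: {kind} cannot be an RSPAN {role}")
        roles_by_port[(switch, interface)].add(role)
        roles_by_switch[switch].add(role)
    # A port can be only one type of RSPAN interface.
    for (switch, interface), roles in sorted(roles_by_port.items()):
        if len(roles) > 1:
            problems.append(
                f"{switch} {interface}: configured as " + " and ".join(sorted(roles))
            )
    for switch, roles in sorted(roles_by_switch.items()):
        # Source and destination port cannot be on the same switch.
        if {"source", "destination"} <= roles:
            problems.append(f"{switch}: source and destination port on the same switch")
        # Assumption from FIGURE 38: mirrored traffic enters or leaves via an uplink.
        if roles & {"source", "destination"} and "uplink" not in roles:
            problems.append(f"{switch}: no uplink port to carry the RSPAN VLAN")
    return problems


def rspan_vlan_members(plan):
    """Ports the switch itself assigns to the RSPAN VLAN: destination and uplink only."""
    members = defaultdict(list)
    for switch, interface, _kind, role in plan:
        if role in ("destination", "uplink"):
            members[switch].append(interface)
    return dict(members)


if __name__ == "__main__":
    print(validate_rspan(GOOD_PLAN))
    print(rspan_vlan_members(GOOD_PLAN))
    for problem in validate_rspan(BAD_PLAN):
        print(problem)
```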
FIGURE 40 Configuring Remote Port Mirroring (Intermediate)
FIGURE 41 Configuring Remote Port Mirroring (Destination)
Showing Port or Trunk Statistics
Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
Parameters
These parameters are displayed:
TABLE 155 Port Statistics
Parameter    Description
Interface Statistics
Received Octets    The total number of octets received on the interface, including framing characters.
Transmitted Octets    The total number of octets transmitted out of the interface, including framing characters.
Received Errors    The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
Excessive Collisions    A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
Deferred Transmissions    A count of frames for which the first transmission attempt on a particular interface is delayed because the medium was busy.
64 Bytes Packets    The total number of packets (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
To show a chart of port statistics:
1. Click Interface, Port, Chart.
2. Select the statistics mode to display (Interface, Etherlike, RMON or All).
3. If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
Configuring History Sampling
Use the Interface > Port > History or Interface > Trunk > History page to configure a periodic sampling of statistics, specifying the sampling interval and number of samples.
CLI References
• “history” on page 260
• “show interfaces history” on page 271
Command Usage
For a description of the statistics displayed on these pages, see “Showing Port or Trunk Statistics” on page 710.
Parameters
These parameters are displayed:
Add
• Port – Port number.
FIGURE 44 Configuring a History Sample
To show the configured entries for a history sample:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show from the Action menu.
3. Select an interface from the Port or Trunk list.
FIGURE 45 Showing Entries for History Sampling
To show the configured parameters for a sampling entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3.
FIGURE 46 Showing Status of Statistical History Sample
To show statistics for the current interval of a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Current Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
To show ingress or egress traffic statistics for a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Input Previous Entry or Output Previous Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
Interface
To display identifying information and functional parameters for optical transceivers:
1. Click Interface, Port, Transceiver.
2. Select Show Information from the Action list.
3. Select a port from the scroll-down list.
Parameters
These parameters are displayed:
• Port – Port number. (Range: 1-12)
• DDM Thresholds – Information on alarm and warning thresholds. The switch can be configured to send a trap when the measured parameter falls outside of the specified thresholds.
• High Alarm – Sends an alarm message when the high threshold is crossed.
• High Warning – Sends a warning message when the high threshold is crossed.
• Low Warning – Sends a warning message when the low threshold is crossed.
FIGURE 50 Configuring Transceiver Thresholds
Performing Cable Diagnostics
Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault. Otherwise, it reports the cable length. It can be used to determine the quality of the cable, connectors, and terminations.
Parameters
These parameters are displayed:
• Port – Switch port identifier.
• Type – Displays media type. (GE – Gigabit Ethernet, Other – SFP)
• Link Status – Shows if the port link is up or down.
• Test Result – The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
Command Usage
• This feature loops incoming frames back to the source. The source MAC address is swapped with the destination MAC address, reflecting incoming frames back to the source. Testing and network initialization are critical processes in metro Ethernet networks. Traditional methods of testing required two technicians and two test sets, one at the remote location and one at the service provider’s core network.
Interface
To configure loopback testing on a port:
1. Click Interface, Port, Ethernet Loopback.
2. Select Configure from the Action list.
3. Select a port from the drop-down list, set the Status to Enabled, and enter one or more VLANs associated with the port.
4. Click Apply.
FIGURE 52 Performing Loopback Testing
To show the administrative status of loopback testing for each port, and the associated VLANs:
1. Click Interface, Port, Ethernet Loopback.
2.
FIGURE 54 Showing Available Resources for Loopback Testing
Trunk Configuration
This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 6 trunks at a time on the switch.
Configuring a Static Trunk
Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters.
FIGURE 55 Configuring Static Trunks
[Figure: statically configured active links]
CLI References
• “Link Aggregation Commands” on page 285
• “Interface Commands” on page 255
Command Usage
• When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation.
FIGURE 56 Creating Static Trunks
To add member ports to a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5. Set the unit and port for an additional trunk member.
6. Click Apply.
FIGURE 57 Adding Static Trunks Members
To configure connection parameters for a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3.
FIGURE 58 Configuring Connection Parameters for a Static Trunk
To display trunk connection parameters:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
• A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
• If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
• All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
By default, the Actor Admin Key is determined by port's link speed, and copied to Oper Key. The Partner Admin Key is assigned to zero, and the Oper Key is set based upon LACP PDUs received from the Partner.
• System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
To enable LACP for a port:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click General.
5. Enable LACP on the required ports.
6. Click Apply.
FIGURE 62 Enabling LACP on a Port
To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5.
To show the active members of a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Show Member from the Action List.
4. Select a Trunk.
FIGURE 64 Showing Members of a Dynamic Trunk
To configure connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Configure from the Action List.
4. Modify the required interface settings.
To display connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Show from the Action List.
FIGURE 66 Displaying Connection Parameters for Dynamic Trunks
Displaying LACP Port Counters
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
Interface
To display LACP port counters:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Show Information from the Action list.
4. Click Counters.
5. Select a group member from the Port list.
TABLE 157 LACP Internal Configuration Information (Continued)
Parameter: Admin State, Oper State
Description:
◆ Expired – The actor’s receive machine is in the expired state;
◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
◆ Distributing – If false, distribution of outgoing frames on this link is disabled; i.e.
FIGURE 68 Displaying LACP Port Internal Information
Displaying LACP Settings and Status for the Remote Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Interface
To display LACP settings and status for the remote side:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Show Information from the Action list.
4. Click Internal.
5. Select a group member from the Port list.
FIGURE 69 Displaying LACP Port Remote Information
Configuring Load Balancing
Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.
• Destination MAC Address: All traffic with the same destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-router trunk links where the destination MAC address is the same for all traffic.
Saving Power
Use the Interface > Green Ethernet page to enable power savings mode on the selected port.
CLI References
• “power-save” on page 282
• “show power-save” on page 283
Command Usage
• IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
3. Click Apply.
FIGURE 71 Enabling Power Savings
Sampling Traffic Flows
The flow sampling (sFlow) feature embedded on this switch, together with a remote sFlow Collector, can provide network administrators with an accurate, detailed and real-time overview of the types and levels of traffic present on their network.
Configuring sFlow Global Settings
Use the Interface > sFlow (Configure Global) page to enable sFlow globally for the switch.
CLI References
• “sflow” on page 133
Parameters
These parameters are displayed in the web interface:
• sFlow Global Status – Enables sFlow globally for the switch. (Default: Disabled)
Interface
To configure flow sampling:
1. Click Interface, sFlow.
2. Select Configure Global from the Step list.
3. Enable or disable flow sampling.
4. Click Apply.
• Receiver Owner – The name of the receiver. (Range: 1-256 characters; Default: None)
• Receiver IP Address – IP address of the sFlow Collector.
• Receiver Port – The UDP port on which the sFlow Collector is listening for sFlow streams. (Range: 0-65534; Default: 6343)
• Max Header Size – Maximum size of the sFlow datagram header. (Range: 64-256 bytes; Default: 128 bytes)
• Max Datagram Size – Maximum size of the sFlow datagram payload.
Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
Configuring Uplink and Downlink Ports
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
Interface
To configure the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Select Add from the Action list.
4. Enter the session ID, set the direction to uplink or downlink, and select the interface to add.
5. Click Apply.
FIGURE 75 Configuring Members for Traffic Segmentation
To show the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2.
VLAN Trunking
Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
CLI References
• “vlan-trunking” on page 382
Command Usage
• Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
• VLAN Trunking Status – Enables VLAN trunking on the selected interface.
Interface
To enable VLAN trunking on a port or trunk:
1. Click Interface, VLAN Trunking.
2. Click Port or Trunk to specify the interface type.
3. Enable VLAN trunking on any of the ports or on a trunk.
4. Click Apply.
Chapter 35 VLAN Configuration
In this chapter
This chapter includes the following topics:
• IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
• IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
• Protocol VLANs – Configures VLAN groups based on specified protocols.
35 IEEE 802.1Q VLANs
• End stations can belong to multiple VLANs
• Passing traffic between VLAN-aware and VLAN-unaware devices
• Priority tagging
Assigning Ports to VLANs
Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports.
switch receives these messages, it will automatically place the receiving port in the specified VLANs, and then forward the message to all other ports. When the message arrives at another switch that supports GVRP, it will also place the receiving port in the specified VLANs, and pass the message on to all other ports. VLAN requirements are propagated in this way throughout the network.
Configuring VLAN Groups
Use the VLAN > Static (Add) page to create or remove VLAN groups, set administrative status, or specify Remote VLAN type (see “Configuring Remote Port Mirroring” on page 706). To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups.
• L3 Interface – Shows if the interface supports Layer 3 configuration.
• MAC-Learning – Shows one of the following settings:
  • Enabled – The switch uses normal rules for MAC-address learning, or floods ingress traffic to all ports in the specified VLAN.
  • Disabled – The switch floods ingress traffic to all ports in the specified VLAN.
Interface
To create VLAN groups:
1. Click VLAN, Static.
2. Select Add from the Action list.
3. Enter a VLAN ID or range of IDs.
4.
FIGURE 82 Modifying Settings for Static VLANs
To show the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Show from the Action list.
FIGURE 83 Showing Static VLANs
Adding Static Members to VLANs
Use the VLAN > Static page to configure port members for the selected VLAN index, interface, or a range of interfaces.
• Port – Port Identifier. (Range: 1-12)
• Trunk – Trunk Identifier. (Range: 1-12)
• Mode – Indicates VLAN membership mode for an interface. (Default: Hybrid)
  • Access - Sets the port to operate as an untagged interface. The port transmits and receives untagged frames on a single VLAN only. Access mode is mutually exclusive with VLAN trunking (see “VLAN Trunking” on page 746). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
Edit Member by Interface
All parameters are the same as those described under the preceding section for Edit Member by VLAN.
Edit Member by Interface Range
All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below.
• Port Range – Displays a list of ports. (Range: 1-12)
• Trunk Range – Displays a list of ports.
FIGURE 85 Configuring Static VLAN Members by Interface
To configure static members by interface range:
1. Click VLAN, Static.
2. Select Edit Member by Interface Range from the Action list.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required.
Configuring Dynamic VLAN Registration
Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.
CLI References
• “GVRP and Bridge Extension Commands” on page 370
• “Configuring VLAN Interfaces” on page 377
Parameters
These parameters are displayed:
Configure General
• GVRP Status – GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
Show Dynamic VLAN – Show VLAN Member
• VLAN – Identifier of a VLAN this switch has joined through GVRP.
• Interface – Displays a list of ports or trunks which have joined the selected VLAN through GVRP.
Interface
To configure GVRP on the switch:
1. Click VLAN, Dynamic.
2. Select Configure General from the Step list.
3. Enable or disable GVRP.
4. Click Apply.
FIGURE 87 Configuring Global Status of GVRP
To configure GVRP status and timers on a port or trunk:
1. Click VLAN, Dynamic.
To show the dynamic VLAN joined by this switch:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN from the Action list.
FIGURE 89 Showing Dynamic VLANs Registered on the Switch
To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.
FIGURE 90 Showing the Members of a Dynamic VLAN
IEEE 802.1Q Tunneling
IEEE 802.
QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
• The native VLAN (VLAN 1) is not normally added to transmitted frames. Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of misconfiguration. Instead, use VLAN 1 as a management VLAN rather than a data VLAN in the service provider network.
• There are some inherent incompatibilities between Layer 2 and Layer 3 switching:
  • Tunnel ports do not support IP Access Control Lists.
Use this field to set a custom 802.1Q ethertype value for the 802.1Q Tunnel TPID. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames. For example, if 0x1234 is set as the custom 802.1Q ethertype on a trunk port, incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk.
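The double tagging and custom TPID behaviour described above can be seen at the byte level in the following added example, which is not part of the Brocade guide and is not switch code. The MAC addresses, the CVLAN 10 and SPVLAN 100/200 values, and the function names are constructed for illustration; 0x1234 is the custom ethertype used as the example value in the text.

```python
import struct

TPID_8021Q = 0x8100    # standard 802.1Q ethertype
CUSTOM_TPID = 0x1234   # custom tunnel TPID, the example value from the text


def push_tag(frame: bytes, vid: int, tpid: int = TPID_8021Q, pcp: int = 0) -> bytes:
    """Insert a 4-byte VLAN tag (TPID + TCI) right after the two MAC addresses."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= vid <= 4093:           # VLAN ID range given in this guide
        raise ValueError("VLAN ID out of range")
    if not 0 <= pcp <= 7:
        raise ValueError("priority out of range")
    tci = (pcp << 13) | vid            # priority (3 bits), DEI = 0, VLAN ID (12 bits)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes, tpid: int) -> bytes:
    """Strip the outermost tag, as egress on an untagged SPVLAN member does."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != tpid:
        raise ValueError("outermost ethertype 0x%04x is not TPID 0x%04x" % (etype, tpid))
    return frame[:12] + frame[16:]


def parse_tags(frame: bytes, port_tpid: int = TPID_8021Q) -> dict:
    """Read the tag stack the way a port configured with port_tpid would."""
    off, outer, inner = 12, None, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == port_tpid:             # outer (SPVLAN) tag, recognised by the port TPID
        outer = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype == TPID_8021Q:            # customer (CVLAN) tag, 0x8100 in this model
        inner = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return {"outer": outer, "inner": inner, "ethertype": etype}


# Constructed sample: an IPv4 frame between two locally administered MACs.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x45" + bytes(45)

CUSTOMER = push_tag(UNTAGGED, vid=10)                        # customer's own tag
TUNNELLED = push_tag(CUSTOMER, vid=100, tpid=CUSTOM_TPID)    # SPVLAN tag added on top
OTHER_CUSTOMER = push_tag(CUSTOMER, vid=200, tpid=CUSTOM_TPID)

if __name__ == "__main__":
    print("tagged uplink, matching TPID :", parse_tags(TUNNELLED, CUSTOM_TPID))
    print("peer left at 0x8100          :", parse_tags(TUNNELLED, TPID_8021Q))
    print("second customer, same CVLAN  :", parse_tags(OTHER_CUSTOMER, CUSTOM_TPID))
    print("untagged egress == original  :", pop_tag(TUNNELLED, CUSTOM_TPID) == CUSTOMER)
```

A peer whose port TPID does not match sees neither tag and reads 0x1234 as the payload ethertype, which is the interoperability problem the custom TPID setting exists to solve.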
• Rather than relying on standard service paths and priority queuing, QinQ VLAN mapping can be used to further enhance service by defining a set of differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs.
FIGURE 94 Showing CVLAN to SPVLAN Mapping Entries
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the command “switchport dot1q-tunnel service match cvid” on page 387.
Adding an Interface to a QinQ Tunnel
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch.
Interface
To add an interface to a QinQ tunnel:
1. Click VLAN, Tunnel.
2. Select Configure Interface from the Step list.
3. Set the mode for any tunnel access port to Access and the tunnel uplink port to Uplink.
4. Click Apply.
FIGURE 95 Adding an Interface to a QinQ Tunnel
Protocol VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
Configuring Protocol VLAN Groups
Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.
CLI References
• “protocol-vlan protocol-group (Configuring Groups)” on page 401
Parameters
These parameters are displayed:
• Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
• Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6.
To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.
FIGURE 97 Displaying Protocol VLANs
Mapping Protocol Groups to Interfaces
Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
• Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN Group. (Range: 1-2147483647)
• VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4093)
• Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority)
Interface
To map a protocol group to a VLAN for a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Add from the Action list.
4.
FIGURE 99 Showing the Interface to Protocol Group Mapping
Configuring IP Subnet VLANs
When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
• Priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority; Default: 0)
Interface
To map an IP subnet to a VLAN:
1. Click VLAN, IP Subnet.
2. Select Configure IP Subnet from the Step list.
3. Select Add from the Action list.
4. Enter an address in the IP Address field.
5. Enter a mask in the Subnet Mask field.
6. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured.
7.
Binding an Interface to an IP Subnet VLAN
Use the VLAN > IP Subnet (Configure Interface - Add) page to bind an interface to an IP subnet VLAN.
CLI References
• “subnet-vlan (Interface Configuration)” on page 405
Command Usage
• The IP subnet cannot be a broadcast or multicast IP address.
• Use the Configure IP Subnet (Add) page described in the preceding section to create an IP subnet VLAN.
3. Select Show from the Action list.
FIGURE 103 Showing the Interfaces Bound to IP Subnet VLANs
Configuring MAC-based VLANs
Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
4. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
5. Enter a value to assign to untagged frames in the Priority field.
6. Click Apply.
FIGURE 104 Configuring MAC-Based VLANs
To show the MAC addresses mapped to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Show from the Action list.
35 Configuring VLAN Mirroring
• When VLAN mirroring and port mirroring are both enabled, the target port can receive a mirrored packet twice; once from the source mirror port and again from the source mirrored VLAN.
• The target port receives traffic from all monitored source VLANs and can become congested. Some mirror traffic may therefore be dropped from the target port.
To show the VLANs to be mirrored:
1. Click VLAN, Mirror.
2. Select Show from the Action list.
FIGURE 107 Showing the VLANs to Mirror
Configuring VLAN Translation
Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.
Parameters
These parameters are displayed:
• Old VLAN – The original VLAN ID. (Range: 1-4093)
• New VLAN – The new VLAN ID. (Range: 1-4093)
Interface
To configure VLAN translation:
1. Click VLAN, Translation.
2. Select Add from the Action list.
3. Select a port, and enter the original and new VLAN IDs.
4. Click Apply.
FIGURE 109 Configuring VLAN Translation
To show the mapping entries for VLANs translation:
1. Click VLAN, Translation.
2. Select Show from the Action list.
Chapter 36 Address Table Settings
In this chapter
Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
This chapter describes the following topics:
• Static MAC Addresses – Configures static entries in the address table.
36 Setting Static Addresses
• MAC Address – Physical address of a device mapped to this interface. Enter an address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
• Static Status – Sets the time to retain the specified address.
  • Delete-on-reset - Assignment lasts until the switch is reset.
  • Permanent - Assignment is permanent. (This is the default.)
Interface
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3.
Changing the Aging Time
Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.
CLI References
• “mac-address-table aging-time” on page 323
Parameters
These parameters are displayed:
• Aging Status – Enables/disables the function.
• Aging Time – The time after which a learned entry is discarded.
Displaying the Dynamic Address Table
Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
Clearing the Dynamic Address Table
Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database.
CLI References
• “clear mac-address-table dynamic” on page 325
Parameters
These parameters are displayed:
• Clear by – All entries can be cleared; or you can clear the entries for a specific MAC address, all the entries in a VLAN, or all the entries associated with a port or trunk.
36 Configuring MAC Address Mirroring
• All mirror sessions must share the same destination port.
• Spanning Tree BPDU packets are not mirrored to the target port.
• When mirroring port traffic, the target port must be included in the same VLAN as the source port when using MSTP (see “Spanning Tree Algorithm” on page 785).
Chapter 37 Spanning Tree Algorithm
In this chapter
This chapter describes the following basic topics:
• Loopback Detection – Configures detection and response to loopback BPDUs.
• Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
• Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
37 Overview
FIGURE 118 STP Root Ports and Designated Ports (diagram labels: Designated Root, Designated Bridge, Designated Port, Root Port)
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
FIGURE 120 Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree (diagram panels: CIST, CST, IST; Regions 1 to 4)
MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree (CIST). The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP, RSTP, MSTP protocols.
37 Configuring Loopback Detection
Parameters
These parameters are displayed:
• Interface – Displays a list of ports or trunks.
• Status – Enables loopback detection on this interface. (Default: Enabled)
• Trap – Enables SNMP trap notification for loopback events on this interface. (Default: Disabled)
• Release Mode – Configures the interface for automatic or manual loopback release. (Default: Auto)
• Release – Allows an interface to be manually released from discard mode.
Configuring Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.
CLI References
• “Spanning Tree Commands” on page 329
Command Usage
• Spanning Tree Protocol: This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
Parameters
These parameters are displayed:
Basic Configuration of Global Settings
• Spanning Tree Status – Enables/disables STA on this switch. (Default: Enabled)
• Spanning Tree Type – Specifies the type of spanning tree used on this switch:
  • STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode.
  • RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
• Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconverge. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
FIGURE 122 Configuring Global Settings for STA (STP)
FIGURE 123 Configuring Global Settings for STA (RSTP)
FIGURE 124 Configuring Global Settings for STA (MSTP)
Displaying Global Settings for STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
• Root Path Cost – The path cost from the root port on this switch to the root device.
• Configuration Changes – The number of times the Spanning Tree has been reconfigured.
• Last Topology Change – Time since the Spanning Tree was last reconfigured.
Interface
To display global STA settings:
1. Click Spanning Tree, STA.
2. Select Configure Global from the Step list.
3. Select Show Information from the Action list.
37 Configuring Interface Settings for STA
• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
• Admin Edge Port – Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
1. Click Spanning Tree, STA.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Modify any of the required attributes.
5. Click Apply.
FIGURE 126 Configuring Interface Settings for STA
Displaying Interface Settings for STA
Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.
• A port on a network segment with no other STA compliant bridging device is always forwarding.
• If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
• All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
Interface
To display interface settings for STA:
1. Click Spanning Tree, STA.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
37 Configuring Multiple Spanning Trees
By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region. This switch supports up to 33 instances. You should try to group VLANs which cover the same general area of your network.
FIGURE 129 Creating an MST Instance
To show the MSTP instances:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
FIGURE 130 Displaying MST Instances
To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.
FIGURE 131 Modifying the Priority for an MST Instance
To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Information from the Action list.
4. Select an MST ID. The attributes displayed on this page are described under “Displaying Global Settings for STA” on page 793.
FIGURE 132 Displaying Global Settings for an MST Instance
To add additional VLAN groups to an MSTP instance:
1.
FIGURE 133 Adding a VLAN to an MST Instance
To show the VLAN members of an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Show Member from the Action list.
FIGURE 134 Displaying Members of an MST Instance
Configuring Interface Settings for MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
• Learning – Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
• Forwarding – Port forwards packets, and continues learning addresses.
• Priority – Defines the priority used for this port in the Spanning Tree Protocol.
To display MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Show Information from the Action list.
Chapter 38 Congestion Control
In this chapter
The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Congestion Control includes the following options:
• Rate Limiting – Sets the input and output rate limits for a port.
4. Click Apply.
FIGURE 137 Configuring Rate Limits
Storm Control
Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
NOTE
Due to a chip limitation, the switch supports only one limit on an interface for both ingress rate limiting and storm control (including unknown unicast, multicast, and broadcast storms).
Parameters
These parameters are displayed:
• Interface – Displays a list of ports or trunks.
• Type – Indicates interface type. (1000Base-T, 1000Base SFP)
• Unknown Unicast – Specifies storm control for unknown unicast traffic.
• Multicast – Specifies storm control for multicast traffic.
Automatic Traffic Control
Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

CLI References
• “Automatic Traffic Control Commands” on page 309

Command Usage
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
FIGURE 140 Storm Control by Shutting Down a Port
The key elements of this diagram are the same as those described for the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

Functional Limitations
Automatic storm control is a software level control function.
Parameters
These parameters are displayed in the web interface:
• Broadcast Apply Timer – The interval after the upper threshold has been exceeded at which to apply the control response to broadcast storms. (Range: 1-300 seconds; Default: 300 seconds)
• Broadcast Release Timer – The time at which to release the control response after ingress traffic has fallen beneath the lower threshold for broadcast storms.
Parameters
These parameters are displayed in the web interface:
• Storm Control – Specifies automatic storm control for broadcast traffic or multicast traffic. Automatic storm control can be enabled for either broadcast or multicast traffic. It cannot be enabled for both of these traffic types at the same time.
• Port – Port identifier.
• State – Enables automatic traffic control for broadcast or multicast storms.
• Trap Storm Clear – Sends a trap when traffic falls beneath the lower threshold after a storm control response has been triggered. (Default: Disabled)
• Trap Traffic Apply – Sends a trap when traffic exceeds the upper threshold for automatic storm control and the apply timer expires. (Default: Disabled)
• Trap Traffic Release – Sends a trap when traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
Chapter 39
Class of Service

In this chapter
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
Parameters
These parameters are displayed:
• Interface – Displays a list of ports or trunks.
• CoS – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)

Interface
To configure the queue mode:
1. Click Traffic, Priority, Default Priority.
2. Select the interface type to display (Port or Trunk).
3. Modify the default priority for any interface.
4. Click Apply.
• A weight can be assigned to each of the weighted queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value. Service time is shared at the egress ports by defining scheduling weights for WRR, or one of the queuing modes that use a combination of strict and weighted queuing.
FIGURE 144 Setting the Queue Mode (Strict)
FIGURE 145 Setting the Queue Mode (WRR)
FIGURE 146 Setting the Queue Mode (Strict and WRR)
Mapping CoS Values to Egress Queues
Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see “Mapping CoS Priorities to Internal DSCP Values” on page 824).
Parameters
These parameters are displayed:
• Port – Specifies a port.
• PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7, where 7 is the highest priority)
• Queue – Output queue buffer. (Range: 0-7, where 7 is the highest CoS priority queue)

Interface
To map internal PHB to hardware queues:
1. Click Traffic, Priority, PHB to Queue.
2. Select Configure from the Action list.
3. Select a port.
4. Map an internal PHB to a hardware queue.
FIGURE 148 Showing CoS Values to Egress Queue Mapping

Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
• If the QoS mapping mode is set to DSCP, and a non-IP packet is received, the packet’s CoS and CFI (Canonical Format Indicator) values are used for priority processing if the packet is tagged. For an untagged packet, the default port priority (see “Setting the Default Priority for Interfaces” on page 815) is used for priority processing.
Command Usage
• Enter per-hop behavior and drop precedence for any of the DSCP values 0 - 63.
• This map is only used when the priority mapping mode is set to DSCP (see “Setting Priority Processing to DSCP or CoS” on page 821), and the ingress packet type is IPv4. Any attempt to configure the DSCP mutation map will not be accepted by the switch, unless the trust mode has been set to DSCP.
4. Set the PHB and drop precedence for any DSCP value.
5. Click Apply.
FIGURE 150 Configuring DSCP to DSCP Internal Mapping

To show the DSCP to internal PHB/drop precedence map:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Show from the Action list.
3. Select a port.
• If a packet arrives with an 802.1Q header but it is not an IP packet, then the CoS/CFI-to-PHB/Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command.
FIGURE 152 Configuring CoS to DSCP Internal Mapping

To show the CoS/CFI to internal PHB/drop precedence map:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Show from the Action list.
3. Select a port.
Chapter 40
Quality of Service

In this chapter
This chapter describes the following tasks required to apply QoS policies:
• Class Map – Creates a map which identifies a specific class of traffic.
• Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
• Binding to a Port – Applies a policy map to an ingress port.
Command Usage
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
3.
• IP DSCP – A DSCP value. (Range: 0-63)
• IP Precedence – An IP Precedence value. (Range: 0-7)
• IPv6 DSCP – A DSCP value contained in an IPv6 packet. (Range: 0-63)
• VLAN ID – A VLAN. (Range: 1-4093)
• CoS – A CoS value. (Range: 0-7)
• Source Port – A source port. (Range: 1-12)

Interface
To configure a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add from the Action list.
4. Enter a class name.
5. Enter a description.
6.
To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5. Specify type of traffic for this class based on an access list, a DSCP or IP Precedence value, or a VLAN. You can specify up to 16 items to match when assigning ingress traffic to a class map.
6. Click Apply.
FIGURE 156 Adding Rules to a Class Map

To show the rules for a class map:
1.
Creating QoS Policies
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces. A policy map is used to group one or more class map statements (see “Configuring a Class Map” on page 828), modify service tagging, and enforce bandwidth policing. A policy map can then be bound by a service policy to one or more interfaces (see “Attaching a Policy Map to a Port” on page 839). Configuring QoS policies requires several steps.
The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:
• If Tc is less than BC, Tc is incremented by one, else
• if Te is less than BE, Te is incremented by one, else
• neither Tc nor Te is incremented.
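The two-bucket update rule above, carried through to a per-packet marking decision. This is an added example, not taken from the Brocade guide or the switch firmware: it applies the color-blind and color-aware marking rules of RFC 2697 (srTCM), and the class name, the millisecond clock and the sample traces are constructed for illustration.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTcmMeter:
    """Single-rate three-color meter (RFC 2697).

    Token counts are held in bits so that a CIR given in kbps and a clock
    in milliseconds stay in exact integer arithmetic.
    """

    def __init__(self, cir_kbps, bc_bytes, be_bytes, color_aware=False):
        self.cir_kbps = cir_kbps      # CIR, kilobits per second
        self.bc = bc_bytes * 8        # BC: maximum size of bucket C
        self.be = be_bytes * 8        # BE: maximum size of bucket E
        self.color_aware = color_aware
        self.tc = self.bc             # Tc(0) = BC, bucket C starts full
        self.te = self.be             # Te(0) = BE, bucket E starts full
        self.last_ms = 0

    def _refill(self, now_ms):
        # kbit/s multiplied by ms gives the bits earned since the last packet.
        earned = (now_ms - self.last_ms) * self.cir_kbps
        self.last_ms = now_ms
        # Same order as the update rule: tokens go to C until it is full,
        # the overflow goes to E until it is full, the rest is discarded.
        to_c = min(earned, self.bc - self.tc)
        self.tc += to_c
        self.te = min(self.be, self.te + earned - to_c)

    def meter(self, now_ms, size_bytes, precolor=GREEN):
        """Return the color of a packet of size_bytes arriving at now_ms."""
        if now_ms < self.last_ms:
            raise ValueError("packets must be metered in arrival order")
        self._refill(now_ms)
        need = size_bytes * 8
        if not self.color_aware:
            precolor = GREEN          # color-blind: stream treated as uncolored
        if precolor == GREEN and self.tc >= need:
            self.tc -= need           # conforms to CIR/BC
            return GREEN
        if precolor in (GREEN, YELLOW) and self.te >= need:
            self.te -= need           # exceeds BC but fits within BE
            return YELLOW
        return RED                    # exceeds both buckets: no tokens taken


def run(meter, packets):
    """Meter a list of (time_ms, size_bytes[, precolor]) tuples in order."""
    return [meter.meter(*packet) for packet in packets]


# Constructed traces: a burst of five 1500-byte packets at t=0, then two
# later packets after the buckets have partly and fully refilled.
BLIND_TRACE = [(0, 1500)] * 5 + [(100, 1500), (1000, 1500)]
# Constructed pre-colored packets for color-aware mode.
AWARE_TRACE = [(0, 1500, YELLOW), (0, 1500, RED), (0, 1500, GREEN), (0, 3000, GREEN)]

if __name__ == "__main__":
    blind = SrTcmMeter(cir_kbps=64, bc_bytes=4000, be_bytes=4000)
    for packet, color in zip(BLIND_TRACE, run(blind, BLIND_TRACE)):
        print("color-blind", packet, "->", color)
    aware = SrTcmMeter(cir_kbps=64, bc_bytes=4000, be_bytes=4000, color_aware=True)
    for packet, color in zip(AWARE_TRACE, run(aware, AWARE_TRACE)):
        print("color-aware", packet, "->", color)
```

In color-aware mode a packet that arrives pre-colored yellow never draws on bucket C, which is why the first packet of the second trace is marked yellow even though C is full.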
• The behavior of the meter is specified in terms of its mode and two token buckets, P and C, which are based on the rates PIR and CIR, respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC.
• Action – This attribute is used to set an internal QoS value in hardware for matching packets. The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion with the srTCM and trTCM metering functions.
• Set CoS – Configures the service provided to ingress traffic by setting an internal CoS value for a matching packet (as specified in rule settings for a class map).
The color modes include “Color-Blind” which assumes that the packet stream is uncolored, and “Color-Aware” which assumes that the incoming packets are pre-colored. The functional differences between these modes are described at the beginning of this section under “srTCM Police Meter.”
• Committed Information Rate (CIR) – Rate in kilobits per second.
• Committed Burst Size (BC) – Burst in bytes. (Range: 0-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
• Peak Information Rate (PIR) – Rate in kilobits per second. (Range: 0-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) The rate cannot exceed the configured interface speed.
• Peak Burst Size (BP) – Burst size in bytes. (Range: 0-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes.
FIGURE 158 Configuring a Policy Map

To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
FIGURE 159 Showing Policy Maps

To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5.
FIGURE 160 Adding Rules to a Policy Map

To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.
Attaching a Policy Map to a Port
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.

CLI References
• “Quality of Service Commands” on page 427

Command Usage
First define a class map, define a policy map, and then bind the service policy to the required interface.

Parameters
These parameters are displayed:
• Port – Specifies a port.
• Ingress – Applies the selected rule to ingress traffic.
Chapter 41
VoIP Traffic Configuration

In this chapter
This chapter covers the following topics:
• Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports.
• Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organizationally Unique Identifier (OUI).
Command Usage
All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see “Adding Static Members to VLANs” on page 754).

Parameters
These parameters are displayed:
• Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports.
Configuring Telephony OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP. Use the Traffic > VoIP (Configure OUI) page to configure this feature.
To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.
FIGURE 165 Showing an OUI Telephony List

Configuring VoIP Traffic Ports
Use the Traffic > VoIP (Configure Interface) page to configure ports for VoIP traffic. You need to set the mode (Auto or Manual), specify the discovery method to use, and set the traffic priority.
• Discovery Protocol – Selects a method to use for detecting VoIP traffic on the port. (Default: OUI)
  • OUI – Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address. OUI numbers are assigned to vendors and form the first three octets of a device MAC address. MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
Chapter 42
Security Measures

In this chapter
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
AAA Authentication, Authorization and Accounting
The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows:
• Authentication — Identifies users that request access to the network.
• Authorization — Determines if users can access specific services.
Command Usage
• By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence. Then specify the corresponding parameters for the remote authentication protocol using the Security > AAA > Server page. Local and remote logon authentication control management access via the console port, web browser, or Telnet.
FIGURE 168 Authentication Server Operation
(Diagram labels: console, Web, Telnet, RADIUS/TACACS+ server)
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
RADIUS uses UDP while TACACS+ uses TCP.
• Authentication Server UDP Port – Network (UDP) port on authentication server used for authentication messages. (Range: 1-65535; Default: 1812)
• Authentication Timeout – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)
• Authentication Retries – Number of times the switch tries to authenticate logon access via the authentication server.
Interface
To configure the parameters for RADIUS or TACACS+ authentication:
1. Click Security, AAA, Server.
2. Select Configure Server from the Step list.
3. Select RADIUS or TACACS+ server type.
4. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server.
5.
To configure the RADIUS or TACACS+ server groups to use for accounting and authorization:
1. Click Security, AAA, Server.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Select RADIUS or TACACS+ server type.
5. Enter the group name, followed by the index of the server to use for each priority level.
6. Click Apply.
Configuring AAA Accounting
Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces, and basic accounting information recorded for user sessions.

CLI References
• “AAA” on page 151

Command Usage
AAA authentication through a RADIUS or TACACS+ server must be enabled before accounting is enabled.
Show Information – Summary
• Accounting Type - Displays the accounting service.
• Method Name - Displays the user-defined or default accounting method.
• Server Group Name - Displays the accounting server group.
• Interface - Displays the port, console or Telnet interface to which these rules apply. (This field is null if the accounting method and associated server group have not been assigned to an interface.
FIGURE 174 Configuring AAA Accounting Methods

To show the accounting method applied to various service types and the assigned server group:
1. Click Security, AAA, Accounting.
2. Select Configure Method from the Step list.
3. Select Show from the Action list.
FIGURE 176 Configuring AAA Accounting Service for 802.1X Service
FIGURE 177 Configuring AAA Accounting Service for Exec Service

To display a summary of the configured accounting methods and assigned server groups for specified service types:
1. Click Security, AAA, Accounting.
2. Select Show Information from the Step list.
3. Click Summary.
FIGURE 179 Displaying Statistics for AAA Accounting Sessions

Configuring AAA Authorization
Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces.

CLI References
• “AAA” on page 151

Command Usage
• This feature performs authorization to determine if a user is allowed to run an Exec shell.
• Interface - Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group have not been assigned to an interface.)

Interface
To configure the authorization method applied to the Exec service type and the assigned server group:
1. Click Security, AAA, Authorization.
2. Select Configure Method from the Step list.
3.
4. Click Apply.
FIGURE 182 Configuring AAA Authorization Methods for Exec Service

To display the configured authorization method and assigned server groups for the Exec service type:
1. Click Security, AAA, Authorization.
2. Select Show Information from the Step list.
Normal privilege level provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions. Privileged level provides full access to all commands.
• Password Type – Specifies the following options:
  • No Password – No password is required for this user to log in.
  • Plain Password – Plain text unencrypted password.
  • Encrypted Password – Encrypted password.
FIGURE 185 Showing User Accounts

Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
• Login Attempts – Configures the number of times a supplicant may attempt and fail authentication before it must wait the configured quiet period. (Range: 1-3 attempts; Default: 3 attempts)

Interface
To configure global parameters for web authentication:
1. Click Security, Web Authentication.
2. Select Configure Global from the Step list.
3. Enable web authentication globally on the switch, and adjust any of the protocol parameters as required.
4. Click Apply.
Interface
To enable web authentication for a port:
1. Click Security, Web Authentication.
2. Select Configure Interface from the Step list.
3. Set the status box to enabled for any port that requires web authentication, and click Apply.
4. Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate.
• When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated. On the RADIUS server, PAP user name and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
• When authentication is successful, the dynamic QoS information may not be passed from the RADIUS server due to one of the following conditions (authentication result remains unchanged):
  • The Filter-ID attribute cannot be found to carry the user profile.
  • The Filter-ID attribute is empty.
  • The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (cannot recognize the whole Filter-ID attribute).
Interface
To configure aging status and reauthentication time for MAC address authentication:
1. Click Security, Network Access.
2. Select Configure Global from the Step list.
3. Enable or disable aging for secure addresses, and modify the reauthentication time as required.
4. Click Apply.
The VLAN must already be created and active (see “Configuring VLAN Groups” on page 752). Also, when used with 802.1X authentication, intrusion action must be set for “Guest VLAN” (see “Configuring Port Authenticator Settings for 802.1X” on page 914).
• Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.
Configuring Port Link Detection
Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.

CLI References
• “Network Access (MAC Address Authentication)” on page 193

Parameters
These parameters are displayed:
• Link Detection Status – Configures whether Link Detection is enabled or disabled for a port.
Configuring a MAC Address Filter
Use the Security > Network Access (Configure MAC Filter) page to designate specific MAC addresses or MAC address ranges as exempt from authentication. MAC addresses present in MAC Filter tables activated on a port are treated as pre-authenticated on that port.

CLI References
• “Network Access (MAC Address Authentication)” on page 193

Command Usage
• Specified MAC addresses are exempt from authentication.
To show the MAC address filter table for MAC authentication:
1. Click Security, Network Access.
2. Select Configure MAC Filter from the Step list.
3. Select Show from the Action list.
FIGURE 192 Showing the MAC Address Filter Table for Network Access

Displaying Secure MAC Address Information
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table.
3. Use the sort key to display addresses based on MAC address, interface, or attribute.
4. Restrict the displayed addresses by entering a specific address in the MAC Address field, specifying a port in the Interface field, or setting the address type to static or dynamic in the Attribute field.
5. Click Query.
• The client and server negotiate a set of security protocols to use for the connection.
• The client and server generate session keys for encrypting and decrypting data.
• The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 6.x or above, or Mozilla Firefox 3.6.2/4/5.
Replacing the Default Secure-site Certificate
Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site.
FIGURE 195 Downloading the Secure-Site Certificate

Configuring Secure Shell
Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older remote access tools. SSH can also provide remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication.
3. Import Client’s Public Key to the Switch – See “Importing User Public Keys” on page 880, or use the copy tftp public-key command (see “copy” on page 67) to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described under “Configuring User Accounts” on page 860.) The clients are subsequently authenticated using these keys.
b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request.
c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
3. Enable the SSH server.
4. Adjust the authentication parameters as required.
5. Click Apply.
FIGURE 196 Configuring the SSH Server

Generating the Host Key Pair
Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch.
Interface
To generate the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Generate from the Action list.
4. Select the host-key type from the drop-down box.
5. Select the option to save the host key from memory to flash if required.
6. Click Apply.
FIGURE 197 Generating the SSH Host Key Pair

To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3.
Importing User Public Keys
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
FIGURE 199 Copying the SSH User’s Public Key

To display or clear the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Show from the Action list.
4. Select a user from the User Name list.
5. Select the host-key type to clear.
6. Click Clear.
Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP, next header type), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
Setting A Time Range
Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied.

CLI References
• “Time Range” on page 101

Command Usage
If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
To show a list of time ranges:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Show from the Action list.
FIGURE 202 Showing a List of Time Ranges

To configure a rule for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of the time range from the drop-down list.
5. Select a mode option of Absolute or Periodic.
6.
FIGURE 204 Showing the Rules Configured for a Time Range

Showing TCAM Utilization
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
FIGURE 205 Showing TCAM Utilization

Setting the ACL Name and Type
Use the Security > ACL (Configure ACL - Add) page to create an ACL.

CLI References
• “access-list ip” on page 234
• “show ip access-list” on page 239
• “access-list ipv6” on page 240
• “show ipv6 access-list” on page 243

Parameters
These parameters are displayed:
• ACL Name – Name of the ACL.
FIGURE 206 Creating an ACL
To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.
FIGURE 207 Showing a List of ACLs
Configuring a Standard IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
• Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and Subnet Mask fields. (Options: Any, Host, IP; Default: Any)
• Source IP Address – Source IP address.
• Source Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period.
Configuring an Extended IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
CLI References
• “permit, deny (Extended IPv4 ACL)” on page 236
• “show ip access-list” on page 239
• “Time Range” on page 101
Parameters
These parameters are displayed:
• Type – Selects the type of ACLs to show in the Name list.
• Name – Shows the names of ACLs matching the selected type.
• 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the following flags set:
• SYN flag valid, use control-code 2, control bit mask 2
• Both SYN and ACK valid, use control-code 18, control bit mask 18
• SYN valid and ACK invalid, use control-code 2, control bit mask 18
• Time Range – Name of a time range.
Interface
To add rules to an Extended IPv4 ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3.
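The control-code and bit-mask pairs listed above can be checked against sample TCP headers before a rule is deployed. The following Python sketch is an added example, not code from the Brocade guide. It assumes a rule matches when the flag bits selected by the mask equal the code, which is consistent with the three pairs in the text, and that the field covers only the six flags from FIN (1) to URG (32).

```python
import struct

# Control-code bit values: 1 (fin), 2 (syn), 4 (rst), 8 (psh), 16 (ack), 32 (urg).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test input)."""
    offset_and_flags = (5 << 12) | (flags & 0xFF)  # data offset 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       offset_and_flags, 8192, 0, 0)


def tcp_control_bits(header: bytes) -> int:
    """Return the six control bits (URG..FIN) of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    # Byte 13 also carries CWR/ECE in its two high bits. Assumption: the ACL
    # field covers only the six classic flags, so those two bits are dropped.
    return header[13] & 0x3F


def control_code_matches(header: bytes, code: int, mask: int) -> bool:
    """Assumed rule semantics: bits selected by the mask must equal the code."""
    return (tcp_control_bits(header) & mask) == (code & mask)


# Constructed sample segments, named by the flags they carry.
SAMPLES = {
    "SYN": build_tcp_header(40000, 80, SYN),
    "SYN+ECE+CWR": build_tcp_header(40001, 80, SYN | 0xC0),
    "SYN+ACK": build_tcp_header(80, 40000, SYN | ACK),
    "ACK": build_tcp_header(40000, 80, ACK),
    "PSH+ACK": build_tcp_header(40000, 80, PSH | ACK),
    "FIN+ACK": build_tcp_header(40000, 80, FIN | ACK),
}

# The three code/mask pairs given in the text.
RULES = {
    "SYN valid (2/2)": (2, 2),
    "SYN and ACK valid (18/18)": (18, 18),
    "SYN valid, ACK invalid (2/18)": (2, 18),
}


def match_matrix() -> dict:
    """Map each rule to the names of the sample segments it matches."""
    return {
        rule: [name for name, seg in SAMPLES.items()
               if control_code_matches(seg, code, mask)]
        for rule, (code, mask) in RULES.items()
    }


if __name__ == "__main__":
    for rule, hits in match_matrix().items():
        print(f"{rule:32} -> {', '.join(hits)}")
```

Only the 2/18 pair isolates connection-opening segments; the 2/2 pair also matches the SYN+ACK sent in reply to them.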
Configuring a Standard IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
CLI References
• “permit, deny (Standard IPv6 ACL)” on page 241
• “show ipv6 access-list” on page 243
• “Time Range” on page 101
Parameters
These parameters are displayed in the web interface:
• Type – Selects the type of ACLs to show in the Name list.
• Name – Shows the names of ACLs matching the selected type.
FIGURE 210 Configuring a Standard IPv6 ACL
Configuring an Extended IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
CLI References
• “permit, deny (Extended IPv6 ACL)” on page 242
• “show ipv6 access-list” on page 243
• “Time Range” on page 101
Parameters
These parameters are displayed in the web interface:
• Type – Selects the type of ACLs to show in the Name list.
Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
FIGURE 211 Configuring an Extended IPv6 ACL
Configuring a MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
CLI References
• “permit, deny (MAC ACL)” on page 246
• “show ip access-list” on page 239
• “Time Range” on page 101
Parameters
These parameters are displayed:
• Type – Selects the type of ACLs to show in the Name list.
• Tagged-eth2 – Tagged Ethernet II packets.
• Tagged-802.3 – Tagged Ethernet 802.3 packets.
• VID – VLAN ID. (Range: 1-4094)
• VID Bit Mask – VLAN bit mask. (Range: 0-4095)
• Ethernet Type – This option can only be used to filter Ethernet II formatted packets. (Range: 600-ffff hex.) A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).
• Ethernet Type Bit Mask – Protocol bit mask.
Configuring an ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see “Configuring Global Settings for ARP Inspection” on page 901).
9. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “IP,” enter a base address and a hexadecimal bit mask for an address range.
10. Enable logging if required.
11. Click Apply.
FIGURE 213 Configuring an ARP ACL
Binding a Port to an Access Control List
After configuring ACLs, use the Security > ACL > Configure Interface (Configure) page to bind the ports that need to filter traffic to the appropriate ACLs.
Interface
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Select IP, MAC or IPv6 from the Type list.
5. Select a port.
6. Select the name of an ACL from the ACL list.
7. Click Apply.
3. Use the Add Mirror page to specify the ACL and the destination port to which matching traffic will be mirrored.
Parameters
These parameters are displayed:
• Port – Port identifier.
• ACL – ACL used for ingress packets.
Interface
To bind an ACL to a port:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Add Mirror from the Action list.
4. Select a port.
5. Select the name of an ACL from the ACL list.
6. Click Apply.
Showing ACL Hardware Counters
Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.
CLI References
• “show access-list” on page 253
Parameters
These parameters are displayed:
• Port – Port identifier. (Range: 1-12)
• Type – Selects the type of ACL.
• Direction – Selects ingress or egress traffic.
• Query – Displays statistics for selected criteria.
• ACL Name – The ACL bound to this port.
ARP Inspection
ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination.
Command Usage
ARP Inspection Validation
• By default, ARP Inspection Validation is disabled.
• Specifying at least one of the following validations enables ARP Inspection Validation globally. Any combination of the following checks can be active concurrently.
• Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses.
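The Destination MAC validation and the MAC-to-IP binding check described above can be reproduced offline to see which frames each one rejects. This Python sketch is an added example, not the switch's implementation. The binding table, host addresses and the order of the two checks are assumptions made for illustration, and all frames are constructed.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff-ff-ff-ff-ff-ff"


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", ""))


def mac_text(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def ip_text(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    def ip(s):
        return bytes(int(part) for part in s.split("."))
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + arp + mac_bytes(sender_mac) + ip(sender_ip)
            + mac_bytes(target_mac) + ip(target_ip))


def inspect_arp(frame: bytes, bindings: dict, validate_dst_mac: bool = True):
    """Return ("forward" | "drop", reason) for one ARP frame on an untrusted port."""
    if len(frame) < 42:
        return ("drop", "truncated frame")
    eth_dst, _eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ("drop", "not an IPv4-over-Ethernet ARP packet")
    # Destination MAC validation: Ethernet destination must equal the ARP
    # target MAC. Applied to ARP responses only.
    if validate_dst_mac and op == ARP_REPLY and eth_dst != tha:
        return ("drop", f"dst-mac: header {mac_text(eth_dst)} != target {mac_text(tha)}")
    # Binding check: the sender IP must be bound to the sender MAC.
    expected = bindings.get(ip_text(spa))
    if expected is None:
        return ("drop", f"no binding for {ip_text(spa)}")
    if expected != mac_text(sha):
        return ("drop", f"binding: {ip_text(spa)} is bound to {expected}")
    return ("forward", "ok")


# Constructed hosts and binding table (documentation address ranges).
HOST_A, HOST_B, OTHER = "00-00-5e-00-53-0a", "00-00-5e-00-53-0b", "00-00-5e-00-53-66"
BINDINGS = {"192.0.2.10": HOST_A, "192.0.2.20": HOST_B}

FRAMES = {
    "request": build_arp(BROADCAST, HOST_A, ARP_REQUEST, HOST_A, "192.0.2.10",
                         "00-00-00-00-00-00", "192.0.2.20"),
    "valid reply": build_arp(HOST_A, HOST_B, ARP_REPLY, HOST_B, "192.0.2.20",
                             HOST_A, "192.0.2.10"),
    "reply, wrong binding": build_arp(HOST_A, OTHER, ARP_REPLY, OTHER, "192.0.2.20",
                                      HOST_A, "192.0.2.10"),
    "reply, header/target mismatch": build_arp(BROADCAST, HOST_B, ARP_REPLY, HOST_B,
                                               "192.0.2.20", HOST_A, "192.0.2.10"),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:30} {inspect_arp(frame, BINDINGS)}")
```

The last sample passes the binding check and is dropped only when Destination MAC validation is enabled, which shows what that optional check adds.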
• Log Interval – The interval at which log messages are sent. (Range: 0-86400 seconds; Default: 1 second)
Interface
To configure global settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure General from the Step list.
3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required.
4. Click Apply.
Parameters
These parameters are displayed:
• ARP Inspection VLAN ID – Selects any configured VLAN. (Default: 1)
• ARP Inspection VLAN Status – Enables ARP Inspection for the selected VLAN. (Default: Disabled)
• ARP Inspection ACL Name
• ARP ACL – Allows selection of any configured ARP ACLs. (Default: None)
• Static – When an ARP ACL is selected, and static mode also selected, the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database.
By default, all untrusted ports are subject to ARP packet rate limiting, and all trusted ports are exempt from ARP packet rate limiting. Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded, while those arriving on untrusted interfaces are subject to all configured ARP inspection tests.
Parameters
These parameters are displayed:
TABLE 169 ARP Inspection Statistics
Parameter – Description
• Received ARP packets before ARP inspection rate limit – Count of ARP packets received but not exceeding the ARP Inspection rate limit.
• Dropped ARP packets in the process of ARP inspection rate limit – Count of ARP packets exceeding (and dropped by) ARP rate limiting.
• ARP packets dropped by additional validation (IP) – Count of ARP packets that failed the IP address test.
Displaying the ARP Inspection Log
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
CLI References
• “show ip arp inspection log” on page 231
Parameters
These parameters are displayed:
TABLE 170 ARP Inspection Log
Parameter – Description
• VLAN ID – The VLAN where this packet was seen.
• If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
• IP addresses can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.
FIGURE 224 Showing IP Addresses Authorized for Management Access
Configuring Port Security
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
• If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Interface > Port > General page (see “Port Configuration” on page 701).
• A secure port has the following restrictions:
  • It cannot be used as a member of a static or dynamic trunk.
  • It should not be connected to a network interconnection device.
Parameters
These parameters are displayed:
• Port – Port identifier.
FIGURE 225 Configuring Port Security
Configuring 802.1X Port Authentication
The IEEE 802.1X (dot1X) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication.
FIGURE 226 Configuring Port Security (figure labels: 802.1x client, RADIUS server)
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
6. Client responds with proper credentials.
7. Authentication server approves access.
8. Switch grants client access to this port.
The operation of 802.
When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, EAPOL Pass Through can be enabled to allow the switch to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network.
Configuring Port Authenticator Settings for 802.1X
Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e.
• Multi-Host – Allows multiple hosts to connect to this port. In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
• MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated.
Supplicant List
• Supplicant – MAC address of authorized client.
Authenticator PAE State Machine
• State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
• Reauth Count – Number of times connecting state is re-entered.
• Current Identifier – Identifier sent in each EAP Success, Failure or Request packet by the Authentication Server.
FIGURE 228 Configuring Interface Settings for 802.1X Port Authenticator
Configuring Port Supplicant Settings for 802.1X
Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device. When 802.1X is enabled and the control mode is set to Force-Authorized (see “Configuring Port Authenticator Settings for 802.
Parameters
These parameters are displayed:
• Port – Port number.
• PAE Supplicant – Enables PAE supplicant mode. (Default: Disabled) If the attached client must be authenticated through another device in the network, supplicant status must be enabled. Supplicant status can only be enabled if PAE Control Mode is set to “Force-Authorized” on this port (see “Configuring Port Authenticator Settings for 802.1X” on page 914).
Displaying 802.1X Statistics
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
CLI References
• “show dot1x” on page 184
Parameters
These parameters are displayed:
TABLE 171 802.1X Statistics
Parameter – Description
Authenticator
• Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator.
TABLE 171 802.1X Statistics (Continued)
Parameter – Description
• Rx EAP Resp/Id – The number of EAP Resp/Id frames that have been received by this Supplicant.
• Rx EAP Resp/Oth – The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Supplicant.
• Rx EAP LenError – The number of EAPOL frames that have been received by this Supplicant in which the Packet Body Length field is invalid.
3. Click Supplicant.
FIGURE 231 Showing Statistics for 802.1X Port Supplicant
IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 926). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.
• When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see “DHCP Snooping” on page 926), or static addresses configured in the source guard binding table.
• If IP source guard is enabled, an inbound packet’s IP address (SIP option) or both its IP address and corresponding MAC address (SIP-MAC option) will be checked against the binding table. If no matching entry is found, the packet will be dropped.
FIGURE 232 Setting the Filter Type for IP Source Guard
Configuring Static Bindings for IP Source Guard
Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
• MAC Address – A valid unicast MAC address.
• IP Address – A valid unicast IP address, including classful types A, B or C.
Show
• VLAN – VLAN to which this entry is bound.
• MAC Address – Physical address associated with the entry.
• Interface – The port to which this entry is bound.
• IP Address – IP address corresponding to the client.
• Lease Time – The time for which this IP address is leased to the client. (This value is zero for all static addresses.
Displaying Information for Dynamic IP Source Guard Bindings
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
CLI References
• “show ip dhcp snooping binding” on page 220
Parameters
These parameters are displayed:
Query by
• Port – A port on this switch.
• VLAN – ID of a configured VLAN (Range: 1-4093)
• MAC Address – A valid unicast MAC address.
DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
• If the DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
• Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
• DHCP Snooping MAC-Address Verification – Enables or disables MAC address verification. If the source MAC address in the Ethernet header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. (Default: Enabled)
• DHCP Snooping Information Option Status – Enables or disables DHCP Option 82 information relay.
DHCP Snooping VLAN Configuration
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
CLI References
• “ip dhcp snooping vlan” on page 216
Command Usage
• When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
Configuring Ports for DHCP Snooping
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
CLI References
• “ip dhcp snooping trust” on page 218
Command Usage
• A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
Displaying DHCP Snooping Binding Information
Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
CLI References
• “show ip dhcp snooping binding” on page 220
Parameters
These parameters are displayed:
• MAC Address – Physical address associated with the entry.
• IP Address – IP address corresponding to the client.
• Lease Time – The time for which this IP address is leased to the client.
Chapter 43
Basic Administration Protocols
In this chapter
This chapter describes basic administration tasks including:
• Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
CLI References
• “Event Logging” on page 83
Parameters
These parameters are displayed:
• System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)
• Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash.
FIGURE 240 Configuring Settings for System Memory Logs
To show the error messages logged to system or flash memory:
1. Click Administration, Log, System.
2. Select Show System Logs from the Step list.
3. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory.
This page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.
Remote Log Configuration
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
CLI References
• “Event Logging” on page 83
Parameters
These parameters are displayed:
• Remote Log Status – Enables/disables the logging of debug or error messages to the remote logging process.
FIGURE 242 Configuring Settings for Remote Logging of Error Messages
Sending Simple Mail Transfer Protocol Alerts
Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level. The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
3. Click Apply.
FIGURE 243 Configuring SMTP Alert Messages
Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
TTL in seconds is based on the following rule: minimum value ((Transmission Interval * Holdtime Multiplier), or 65535)
Therefore, the default TTL is 4*30 = 120 seconds.
• Delay Interval – Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
FIGURE 244 Configuring LLDP Timing Attributes
Configuring LLDP Interface Attributes
Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
The management address TLV may also include information about the specific interface associated with this address, and an object identifier indicating the type of hardware component or protocol entity associated with this address. The interface number and OID are included to assist SNMP applications in the performance of network discovery by indicating enterprise specific or other starting points for the search, such as the Interface or Entity MIB.
Interface
To configure LLDP interface attributes:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
4. Click Apply.
TABLE 173 Chassis ID Subtype (Continued)
ID Basis – Reference
• Port component – EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’ (IETF RFC 2737)
• MAC address – MAC address (IEEE Std 802-2001)
• Network address – networkAddress
• Interface name – ifName (IETF RFC 2863)
• Locally assigned – locally assigned
• Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
Interface
To display LLDP information for the local device:
1. Click Administration, LLDP.
2. Select Show Local Device Information from the Step list.
3. Select General, Port, or Trunk.
Parameters
These parameters are displayed:
Port
• Local Port – The local port to which a remote LLDP-capable device is attached.
• Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
• Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted.
• System Name – A string that indicates the system’s administratively assigned name.
• Management Address List – The management addresses for this device. Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
Port Details – 802.
• Remote Port Auto-Neg Status – Shows whether port auto-negotiation is enabled on a port associated with the remote system.
• Remote Port MAU Type – An integer value that indicates the operational MAU type of the sending device. This object contains the integer value derived from the list position of the corresponding dot3MauType as listed in IETF RFC 3636 and is equal to the last number in the respective dot3MauType OID.
Port Details – 802.
FIGURE 248 Displaying Remote Device Information for LLDP (Port)
FIGURE 249 Displaying Remote Device Information for LLDP (Port Details)
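To audit what a port actually advertises to its neighbors (chassis ID, port ID, TTL, system name, management addresses), a captured LLDPDU can be decoded TLV by TLV. This Python parser is an added example, not code from the guide. It uses the standard LLDP TLV layout (7-bit type, 9-bit length) and the chassis ID subtypes of Table 173, and the sample LLDPDU, system name and addresses are constructed.

```python
import struct

CHASSIS_SUBTYPES = {1: "Chassis component", 2: "Interface alias", 3: "Port component",
                    4: "MAC address", 5: "Network address", 6: "Interface name",
                    7: "Locally assigned"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two octets."""
    if len(value) > 511:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(lldpdu: bytes):
    """Yield (type, value) pairs, rejecting TLVs that run past the buffer."""
    offset = 0
    while offset < len(lldpdu):
        if offset + 2 > len(lldpdu):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = lldpdu[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} claims {length} octets, {len(value)} present")
        yield tlv_type, value
        if tlv_type == 0:  # End of LLDPDU
            return
        offset += 2 + length


def parse_management_address(value: bytes) -> dict:
    """Decode a Management Address TLV: address, interface number, OID."""
    if len(value) < 2 or value[0] < 2:
        raise ValueError("malformed management address TLV")
    addr_len, subtype = value[0], value[1]
    address, rest = value[2:1 + addr_len], value[1 + addr_len:]
    if len(address) != addr_len - 1 or len(rest) < 6:
        raise ValueError("malformed management address TLV")
    _if_subtype, if_number, oid_len = struct.unpack_from("!BIB", rest)
    is_ipv4 = subtype == 1 and len(address) == 4
    text = ".".join(map(str, address)) if is_ipv4 else address.hex()
    return {"address": text, "interface_number": if_number,
            "oid": rest[6:6 + oid_len].hex()}


def parse_lldpdu(lldpdu: bytes) -> dict:
    tlvs = list(iter_tlvs(lldpdu))
    # The first three TLVs are mandatory and ordered: Chassis ID, Port ID, TTL.
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must start with Chassis ID, Port ID and TTL TLVs")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise ValueError("malformed mandatory TLV")
    subtype = CHASSIS_SUBTYPES.get(chassis[0], f"reserved({chassis[0]})")
    ident = chassis[1:]
    ident_text = ("-".join(f"{b:02x}" for b in ident) if chassis[0] == 4
                  else ident.decode("utf-8", "replace"))
    info = {"chassis_id": (subtype, ident_text),
            "port_id": (port[0], port[1:].decode("utf-8", "replace")),
            "ttl": struct.unpack("!H", ttl)[0],
            "system_name": None, "management_addresses": []}
    for tlv_type, value in tlvs[3:]:
        if tlv_type == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 8:
            info["management_addresses"].append(parse_management_address(value))
    return info


# Constructed sample advertisement (documentation addresses, invented names).
SAMPLE = (tlv(1, b"\x04" + bytes.fromhex("00005e005301"))
          + tlv(2, b"\x05" + b"port5")
          + tlv(3, struct.pack("!H", 120))
          + tlv(5, b"edge-sw-01")
          + tlv(8, bytes([5, 1, 192, 0, 2, 1, 2]) + struct.pack("!I", 5) + b"\x00")
          + tlv(0, b""))

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE))
```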
Displaying Device Statistics
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
CLI References
• “show lldp info statistics” on page 514
Parameters
These parameters are displayed:
General Statistics on Remote Devices
• Neighbor Entries List Last Updated – The time the LLDP neighbor entry list was last updated.
FIGURE 250 Displaying LLDP Device Statistics (General)
FIGURE 251 Displaying LLDP Device Statistics (Port)
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is typically used to configure devices and to monitor them to evaluate performance or detect potential problems. Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent.
The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to a set of MIB objects for reading and writing, which are known as “views.
3. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.
Configuring SNMPv3 Management Access
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure Trap) page to specify trap managers so that key events are reported by this switch to your management station.
3.
FIGURE 252 Configuring Global Settings for SNMP
Setting the Local Engine ID
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
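How an engine ID and a user password combine into a security key is defined for the SNMPv3 User-based Security Model in RFC 3414 (password-to-key followed by key localization). The Python sketch below is an added example, not the switch's code. The password "maplesyrup" and the first engine ID are the sample values published in RFC 3414, and the second engine ID is constructed.

```python
import hashlib

ONE_MEGABYTE = 1048576


def password_to_key(password: str, algorithm: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 octets of the cyclically repeated password."""
    secret = password.encode()
    if not secret:
        raise ValueError("password must not be empty")
    repeats = ONE_MEGABYTE // len(secret) + 1
    stream = (secret * repeats)[:ONE_MEGABYTE]
    return hashlib.new(algorithm, stream).digest()


def localize_key(user_key: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Bind the user key to one SNMP engine: H(Ku || engineID || Ku)."""
    return hashlib.new(algorithm, user_key + engine_id + user_key).digest()


def localized_key(password: str, engine_id_hex: str, algorithm: str = "sha1") -> bytes:
    """Derive the per-engine key stored and used for one SNMPv3 user."""
    user_key = password_to_key(password, algorithm)
    return localize_key(user_key, bytes.fromhex(engine_id_hex), algorithm)


# Sample values published in RFC 3414, Appendix A.3.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"
# Constructed second engine ID, standing in for a different device.
OTHER_ENGINE_ID = "000000000000000000000003"


def keys_are_engine_specific(algorithm: str = "sha1") -> bool:
    """Same password on two engines must yield two unrelated keys."""
    first = localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algorithm)
    second = localized_key(RFC_PASSWORD, OTHER_ENGINE_ID, algorithm)
    return first != second


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex())
    print("engine-specific:", keys_are_engine_specific())
```

Because the engine ID is an input to the hash, a key derived for one engine ID does not authenticate against an agent using a different engine ID, even when the password is the same.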
FIGURE 253 Configuring the Local Engine ID for SNMP
Specifying a Remote Engine ID
Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
FIGURE 254 Configuring a Remote Engine ID for SNMP
To show the remote SNMP engine IDs:
1. Click Administration, SNMP.
2. Select Configure Engine from the Step list.
3. Select Show Remote Engine from the Action list.
FIGURE 255 Showing Remote Engine IDs for SNMP
Setting SNMPv3 Views
Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree.
Add OID Subtree
• View Name – Lists the SNMP views configured in the Add View page.
• OID Subtree – Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string.
• Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
Interface
To configure an SNMP view of the switch’s MIB database:
1.
To add an object identifier to an existing SNMP view of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Add OID Subtree from the Action list.
4. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
5.
Configuring SNMPv3 Groups
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
FIGURE 260 Creating an SNMP Group
To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Show from the Action list.
FIGURE 261 Showing SNMP Groups
Setting Community Access Strings
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c.
• Access Mode – Specifies the access rights for the community string:
  • Read-Only – Authorized management stations are only able to retrieve MIB objects.
  • Read/Write – Authorized management stations are able to both retrieve and modify MIB objects.
Interface
To set a community access string:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Add Community from the Action list.
4.
Configuring Local SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
FIGURE 264 Configuring Local SNMPv3 Users
To show local SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Local User from the Action list.
FIGURE 265 Showing Local SNMPv3 Users
Configuring Remote SNMPv3 Users
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch.
Command Usage
• To grant management access to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user. (See “Specifying Trap Managers” on page 965 and “Specifying a Remote Engine ID” on page 955.
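The dependency on the remote engine ID described above comes from SNMPv3 USM key localization (RFC 3414, appendix A.2). The following is an added example, not code from this guide or from Brocade, and it assumes the switch follows standard USM. The first engine ID and the password are the RFC 3414 test vector; the second engine ID and the message bytes are constructed for illustration.

```python
import hashlib
import hmac

EXPANSION_LEN = 1_048_576  # RFC 3414 A.2: the password is stretched to 1 MiB


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Derive the user key Ku from a password (same on every agent)."""
    if len(password) < 8:
        raise ValueError("USM passwords must be at least 8 octets")
    reps = EXPANSION_LEN // len(password) + 1
    stream = (password * reps)[:EXPANSION_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id_hex: str, hash_name: str) -> bytes:
    ku = password_to_key(password, hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name)


def auth_tag(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 octets of the HMAC over the message."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


# RFC 3414 A.3 test vector inputs
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"
# Constructed engine ID standing in for a different remote agent (assumption)
OTHER_ENGINE_ID = "80000000010203040506"
# Constructed stand-in for a serialized SNMPv3 message (assumption)
SAMPLE_MSG = b"constructed-snmpv3-inform-pdu"


def demo() -> dict:
    """Same user and password, two engines: keys and digests differ."""
    k_right = localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1")
    k_wrong = localized_key(RFC_PASSWORD, OTHER_ENGINE_ID, "sha1")
    sent = auth_tag(k_right, SAMPLE_MSG, "sha1")
    # A receiver holding a key localized to the wrong engine ID computes a
    # different digest and must reject the message as unauthenticated.
    verified_right = hmac.compare_digest(sent, auth_tag(k_right, SAMPLE_MSG, "sha1"))
    verified_wrong = hmac.compare_digest(sent, auth_tag(k_wrong, SAMPLE_MSG, "sha1"))
    return {
        "keys_differ": k_right != k_wrong,
        "verified_with_right_engine_id": verified_right,
        "verified_with_wrong_engine_id": verified_wrong,
    }


if __name__ == "__main__":
    print(localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5").hex())
    print(demo())
```

Because the stored key is localized per engine, a key recovered from one device does not directly authenticate the same user on a device with a different engine ID.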
FIGURE 266 Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
FIGURE 267 Showing Remote SNMPv3 Users
Specifying Trap Managers
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send.
• “snmp-server enable traps” on page 110
Command Usage
• Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt. Informs can be used to ensure that critical information is received by the host.
• Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
• Notification Type
  • Traps – Notifications are sent as trap messages.
  • Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
• Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
Interface
To configure trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Add from the Action list.
4. Fill in the required parameters based on the selected SNMP version.
5.
FIGURE 270 Configuring Trap Managers (SNMPv3)
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
FIGURE 271 Showing Trap Managers
Creating SNMP Notification Logs
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
Command Usage
• Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether they are Traps or Informs that may be exceeding retransmission limits. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
FIGURE 272 Creating SNMP Notification Logs
To show configured SNMP notification logs:
1. Click Administration, SNMP.
2. Select Configure Notify Filter from the Step list.
3. Select Show from the Action list.
FIGURE 273 Showing SNMP Notification Logs
Showing SNMP Statistics
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
• Number of requested variables – The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
• Number of altered variables – The total number of MIB objects which have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.
FIGURE 274 Showing SNMP Statistics
Remote Monitoring
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Command Usage
• If an alarm is already defined for an index, the entry must be deleted before any changes can be made.
Parameters
These parameters are displayed:
• Index – Index to this entry. (Range: 1-65535)
• Variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled. Note that etherStatsEntry.n uniquely defines the MIB variable, and etherStatsEntry.n.n defines the MIB variable, plus the etherStatsIndex.
6. Click Apply.
FIGURE 275 Configuring an RMON Alarm
To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
Configuring RMON Events
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
5. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
6. Click Apply.
FIGURE 277 Configuring an RMON Event
To show configured RMON events:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Event.
Configuring RMON History Samples
Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems. The record can be used to establish normal baseline activity, which may reveal problems associated with high traffic levels, broadcast storms, or other unusual events.
6. Enter an index number, the sampling interval, the number of buckets to use, and the name of the owner for this entry.
7. Click Apply.
FIGURE 279 Configuring an RMON History Sample
To show configured RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click History.
FIGURE 280 Showing Configured RMON History Samples
To show collected RMON history samples:
1.
FIGURE 281 Showing Collected RMON History Samples
Configuring RMON Statistical Samples
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
CLI References
• “Remote Monitoring Commands” on page 125
Command Usage
• If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made.
7. Click Apply.
FIGURE 282 Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click Statistics.
FIGURE 283 Showing Configured RMON Statistical Samples
To show collected RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3.
FIGURE 284 Showing Collected RMON Statistical Samples
Ethernet Ring Protection Switching
NOTE Information in this section is based on ITU-T G.8032/Y.1344.
The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links. The mechanisms and protocol defined in G.
Ring nodes may be in one of two states:
• Idle – normal operation, no link/node faults detected in ring
• Protection – Protection switching in effect after identifying a signal fault
In Idle state, the physical topology has all nodes connected in a ring. The logical topology guarantees that all nodes are connected without a loop by blocking the RPL. Each link is monitored by its two adjacent nodes using Connectivity Fault Management (CFM) protocol messages.
3. Configure the RPL owner (Configure Domain – Configure Details): Configure one node in the ring as the Ring Protection Link (RPL) owner. When this switch is configured as the RPL owner, the west ring port is set as being connected to the RPL. Under normal operations (Idle state), the RPL is blocked to ensure that a loop cannot form in the ring.
Parameters
These parameters are displayed:
• ERPS Status – Enables ERPS on the switch. (Default: Disabled) ERPS must be enabled globally on the switch before it can be enabled on an ERPS ring (by setting the Admin Status on the Configure Domain – Configure Details page).
Interface
To globally enable ERPS on the switch:
1. Click Administration, ERPS.
2. Select Configure Global from the Step list.
3. Mark the ERPS Status check box.
4. Click Apply.
Show
• Domain Name – Name of a configured ERPS ring.
• Node State – Shows the following ERPS states:
  • Init – The ERPS ring has started but has not yet determined the status of the ring.
  • Idle – If all nodes in a ring are in this state, it means that all the links in the ring are up. This state will switch to protection state if a link failure occurs.
  • Protection – If a node is in this state, it means that a link failure has occurred.
  • Down – The interface is not linked up.
  • Unknown – The interface is not in a known state.
• East Port – Connects to next ring node to the east.
• RPL Port – If node is connected to the RPL, this shows by which interface.
• RPL Owner – Configures a ring node to be the Ring Protection Link (RPL) owner.
• Holdoff Timer – The hold-off timer is used to filter out intermittent link faults.
Once the ring has been activated, the configuration of the control VLAN cannot be modified. Use the Admin Status parameter to stop the ERPS ring before making any configuration changes to the control VLAN.
• Non-ERPS Device Protection – Sends non-standard health-check packets when an owner node enters protection state without any link down event having been detected through Signal Fault messages.
FIGURE 287 Creating an ERPS Ring
To configure the ERPS parameters for a ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Configure Details from the Action list.
4. Configure the ERPS parameters for this node. Note that spanning tree protocol cannot be configured on the ring ports, nor can these ports be members of a static or dynamic trunk. Also, the control VLAN must be unique for each ring. Adjust the protocol timers as required.
FIGURE 289 Creating an ERPS Ring (Secondary Ring)
To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
Connectivity Fault Management
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
The following figure shows a single Maintenance Domain, with DSAPs located on the domain boundary, and Internal Service Access Points (ISAPs) inside the domain through which frames may pass between the DSAPs.
FIGURE 291 Single CFM Maintenance Domain (figure labels: Maintenance Domain, Bridge, DSAP, ISAP)
The figure below shows four maintenance associations contained within a hierarchical structure of maintenance domains.
Basic CFM Operations
CFM uses standard Ethernet frames for sending protocol messages. Both the source and destination address for these messages are based on unicast or multicast MAC addresses, and therefore confined to a single Layer 2 CFM service VLAN. For this reason, the transmission, forwarding, and processing of CFM frames is performed by bridges, not routers. Bridges that do not recognize CFM messages forward them as normal data.
7. Enable continuity check and cross-check operations, and configure AIS parameters using the Configure MA – Configure Details screen (see "Configuring CFM Maintenance Associations").
Use this command attribute to enable the link trace cache to store the results of link trace operations initiated on this device. Use the CFM Transmit Link Trace page (see "Transmitting Link Trace Messages") to transmit a linktrace message. Linktrace responses are returned from each MIP along the path and from the target MEP.
• Cross Check MEP Missing – Sends a trap if the cross-check timer expires and no CCMs have been received from a remote MEP configured in the static list. A MEP Missing trap is sent if cross-checking is enabled, and no CCM is received for a remote MEP configured in the static list.
• Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up.
FIGURE 293 Configuring Global Settings for CFM
Configuring Interfaces for CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
CLI References
• “ethernet cfm port-enable” on page 529
Command Usage
• An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
4. Enable CFM on the required interface.
5. Click Apply.
FIGURE 294 Configuring Interfaces for CFM
Configuring CFM Maintenance Domains
Use the Administration > CFM (Configure MD) pages to create and configure a Maintenance Domain (MD) which defines a portion of the network for which connectivity faults can be managed. Domain access points are set up on the boundary of a domain to provide end-to-end connectivity fault detection, analysis, and recovery.
points within an MA, regardless of the domain’s level in the maintenance hierarchy (e.g., customer, provider, or operator). The explicit option, by contrast, only generates MIPs within an MA if its associated domain is not at the bottom of the maintenance hierarchy. This option is used to hide the structure of the network at the lowest domain level. The diagnostic functions provided by CFM can be used to detect connectivity failures between any pair of MEPs in an MA.
TABLE 179 MEP Defect Descriptions (Continued)
Defect | Description
DefErrorCCM | The MEP has received at least one invalid CCM whose CCM Interval has not yet timed out.
DefXconCCM | The MEP has received at least one CCM from either another MAID or a lower MD Level whose CCM Interval has not yet timed out.
Parameters
These parameters are displayed:
Creating a Maintenance Domain
• MD Index – Domain index. (Range: 1-65535)
• MD Name – Maintenance domain name.
6. Click Apply.
FIGURE 295 Configuring Maintenance Domains
To show the configured maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Show from the Action list.
FIGURE 296 Showing Maintenance Domains
To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from the MD Index.
5.
FIGURE 297 Configuring Detailed Settings for Maintenance Domains
Configuring CFM Maintenance Associations
Use the Administration > CFM (Configure MA) pages to create and configure the Maintenance Associations (MA) which define a unique CFM service instance. Each MA can be identified by its parent MD, the MD’s maintenance level, the VLAN assigned to the MA, and the set of maintenance end points (MEPs) assigned to it.
• If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
• The interval at which CCMs are issued should be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
The cross-check start delay, which sets the maximum delay this device waits for a remote MEP to come up before starting the cross-check operation, is a domain-level parameter. To set this parameter, use the CFM MD Configuration screen (see "Configuring CFM Maintenance Domains").
• AIS Status – Enables/disables suppression of the Alarm Indication Signal (AIS). (Default: Disabled)
• AIS Period – Configures the period at which AIS is sent in an MA.
4. Select an entry from the MD Index list.
FIGURE 299 Showing Maintenance Associations
To configure detailed settings for maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from MD Index and MA Index.
5. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
6.
Configuring Maintenance End Points
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
FIGURE 301 Configuring Maintenance End Points
To show the configured maintenance end points:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3. Select Show from the Action list.
4. Select an entry from MD Index and MA Index.
• Remote MEPs can only be configured if local domain service access points (DSAPs) have already been created (see “Configuring Maintenance End Points” on page 1007) at the same maintenance level and in the same MA. DSAPs are MEPs that exist on the edge of the domain, and act as primary service access points for end-to-end cross-check, loop-back, and link-trace functions.
FIGURE 304 Showing Remote Maintenance End Points
Transmitting Periodic Delay-Measure Messages
Use the Administration > CFM (Configure Periodic Delay Measure) pages to configure periodic transmission of delay-measure messages. These messages can be used to measure frame delay and frame delay variation between MEPs.
This parameter must be less than or equal to the "Duration" parameter.
• Timeout – The timeout to wait for a response. (Range: 1-5 seconds; Default: 1 second) This parameter only applies to two-way delay-measure messages.
• Packet Size – The size of the delay-measure message. (Range: 64-1518 bytes; Default: 64 bytes)
Show Group
The parameters on this page are the same as described for the Add Group page, except for the following item.
• Two-Way – The local MEP generates frames with DM information, sending the specified number of frames to its peer MEP in the same MA, and waits to receive DM frames back from it.
To show delay-measure attribute groups:
1. Click Administration, CFM.
2. Select Configure Periodic Delay Measure from the Step list.
3. Select Show Group from the Action list.
FIGURE 306 Showing Delay-Measure Attribute Groups
To transmit periodic delay-measure messages:
1. Click Administration, CFM.
2. Select Configure Periodic Delay Measure from the Step list.
3. Select Configure from the Action list.
4. Select the index for the MD, MA and MEP, and then click Query.
5.
Transmitting Periodic Loss-Measure Messages
Use the Administration > CFM (Configure Periodic Loss Measure) pages to configure periodic transmission of loss-measure messages. These messages can be used to measure near-end and far-end frame loss.
CLI References
• “CFM Commands” on page 517
Command Usage
• Both the source and destination MEP must be configured for the same MA before transmitting loss-measure messages.
• Previous LMR frame's TxFCf, RxFCf and TxFCb values and local counter RxFCl value at the time the previous LMR frame was received. These values are represented as TxFCf[tp], RxFCf[tp], TxFCb[tp] and RxFCl[tp], where tp is the reception time of the previous reply frame.
Show Single-Ended LM Group
The parameters on this page are the same as described for the Add Single-Ended LM Group page, except for the following item.
• MEP Bind – Indicates whether or not an attribute group has been bound to a local MEP.
Configure Single-Ended LM
• MD Index – Domain index. (Range: 1-65535)
• MA Index – MA identifier. (Range: 1-2147483647)
• MEP ID – Maintenance end point identifier.
To show single-ended loss-measure attribute groups:
1. Click Administration, CFM.
2. Select Configure Periodic Loss Measure from the Step list.
3. Select Show Single-Ended LM Group from the Action list.
FIGURE 309 Showing Single-Ended Loss-Measure Attribute Groups
To transmit periodic single-ended loss-measure messages:
1. Click Administration, CFM.
2. Select Configure Periodic Loss Measure from the Step list.
3. Select Configure Single-Ended LM from the Action list.
4.
3. Select Configure Dual-Ended LM from the Action list.
4. Select the index for the MD, MA and MEP, and then click Query.
5. Mark the Status box to enable periodic transmission of loss-measure messages.
6. Specify the target MEP identifier.
7. Click Apply.
FIGURE 311 Transmitting Dual-Ended Loss-Measure Messages
Transmitting Link Trace Messages
Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs).
• When using the command line or web interface, the source MEP used to send a link trace message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user.
• Parameters controlling the link trace cache, including operational state, entry hold time, and maximum size can be configured on the Configure Global page (see "Configuring Global Settings for CFM").
Parameters
These parameters are displayed:
• MD Index – Domain index.
Transmitting Loop Back Messages
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e., a remote MEP or MIP) to echo the message back to the source.
FIGURE 313 Transmitting Loopback Messages
Transmitting On-Demand Delay-Measure Requests
Use the Administration > CFM (Transmit Delay Measure) pages to send on-demand delay-measure requests to a specified MEP within a maintenance association. Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
One-Way Delay Measure
• If a MEP is enabled to generate frames with one-way delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA.
• When one-way frame delay measurements are made, the transmitting MEP sends a frame with DM request information with the TxTimeStampf (timestamp at the time of sending a frame with DM request information).
Interface
To transmit two-way delay-measure messages:
1. Click Administration, CFM.
2. Select Transmit Delay Measure from the Step list.
3. Select Execute Two-Way DM from the Action list.
4. Select an entry from MD Index and MA Index.
5. Specify the source MEP, the target MEP using either its MEP identifier or MAC address, set the number of times the delay-measure message is to be sent, the packet size, interval, and timeout.
6. Click Apply.
FIGURE 315 Transmitting One-Way Delay-Measure Messages
Transmitting On-Demand Loss-Measure Requests
Use the Administration > CFM (Transmit Single-Ended Loss Measure) page to send on-demand single-ended loss-measure requests to a specified MEP within a maintenance association. These messages can be used to measure near-end and far-end frame loss.
Upon receiving an LMR frame, a MEP uses the following values to make near-end and far-end loss measurements:
• Received LMR frame's TxFCf, RxFCf and TxFCb values and local counter RxFCl value at the time this LMR frame was received. These values are represented as TxFCf[tc], RxFCf[tc], TxFCb[tc] and RxFCl[tc], where tc is the reception time of the current reply frame.
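The counters listed for the periodic and on-demand single-ended loss measurements combine as in ITU-T Y.1731 single-ended ETH-LM. The following is an added example, not code from this guide or from the switch. It assumes 32-bit frame counters and uses a modular difference in place of the recommendation's absolute value so that a counter wrap between tp and tc is handled; the counter values are constructed.

```python
from dataclasses import dataclass

COUNTER_MOD = 1 << 32  # assumption: 32-bit frame counters, as carried in LMM/LMR PDUs


@dataclass(frozen=True)
class LmrSample:
    """Counter values captured when one LMR frame is received."""
    tx_fcf: int  # TxFCf: frames the local MEP had sent toward the peer
    rx_fcf: int  # RxFCf: frames the peer had received from the local MEP
    tx_fcb: int  # TxFCb: frames the peer had sent toward the local MEP
    rx_fcl: int  # RxFCl: local counter of frames received from the peer


def delta(current: int, previous: int) -> int:
    """Counter increase between two samples, tolerant of one wrap."""
    return (current - previous) % COUNTER_MOD


def frame_loss(tc: LmrSample, tp: LmrSample) -> dict:
    """Near-end and far-end loss between the previous (tp) and current (tc) LMR."""
    sent_far = delta(tc.tx_fcf, tp.tx_fcf)    # local -> peer, transmitted
    recv_far = delta(tc.rx_fcf, tp.rx_fcf)    # local -> peer, received by peer
    sent_near = delta(tc.tx_fcb, tp.tx_fcb)   # peer -> local, transmitted
    recv_near = delta(tc.rx_fcl, tp.rx_fcl)   # peer -> local, received locally
    return {
        "far_end_loss": sent_far - recv_far,      # egress frames that never arrived
        "near_end_loss": sent_near - recv_near,   # ingress frames that never arrived
        "far_end_ratio": (sent_far - recv_far) / sent_far if sent_far else 0.0,
        "near_end_ratio": (sent_near - recv_near) / sent_near if sent_near else 0.0,
    }


# Constructed samples: the forward-direction counters wrap past 2**32 between
# the previous and current replies.
PREVIOUS = LmrSample(tx_fcf=4294967000, rx_fcf=4294966990, tx_fcb=1000, rx_fcl=1000)
CURRENT = LmrSample(tx_fcf=704, rx_fcf=689, tx_fcb=2000, rx_fcl=1998)

if __name__ == "__main__":
    print(frame_loss(CURRENT, PREVIOUS))
```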
FIGURE 316 Transmitting Single-Ended Loss-Measure Messages
Displaying Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.
CLI References
• “show ethernet cfm maintenance-points local” on page 532
• “show ethernet cfm maintenance-points local detail mep” on page 533
Parameters
These parameters are displayed:
• MEP ID – Maintenance end point identifier.
Interface
To show information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP from the Action list.
FIGURE 317 Showing Information on Local MEPs
Displaying Details for Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database.
• AIS Transmit Level – The maintenance level at which AIS information will be sent for the specified MEP.
• Suppress Alarm – Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions.
• Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.
FIGURE 318 Showing Detailed Information on Local MEPs
Displaying Local MIPs
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under “Configuring CFM Maintenance Domains” on page 999.
• MA Name – Maintenance association name.
• Primary VLAN – Service VLAN ID.
• Interface – Physical interface of this entry (either a port or trunk).
Interface
To show information for the MIPs discovered by the CFM protocol:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MIP from the Action list.
Interface
To show information for remote MEPs:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Remote MEP from the Action list.
  • Up – The port is functioning normally.
  • Blocked – The port has been blocked by the Spanning Tree Protocol.
  • No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
• Interface State – Interface states include:
  • No Status – Either no CCM has been received, or no interface status TLV was received in the last CCM.
  • Up – The interface is ready to pass packets.
  • Down – The interface cannot pass packets.
FIGURE 321 Showing Detailed Information on Remote MEPs
Displaying the Link Trace Cache
Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.
CLI References
• “show ethernet cfm linktrace-cache” on page 548
Parameters
These parameters are displayed:
• Hops – The number of hops taken to reach the target MEP.
• MA – Maintenance association name.
• IngBlocked – The ingress port can be identified, but the target data frame was not forwarded when received on this port due to active topology management, i.e., the bridge port is not in the forwarding state.
• IngVid – The ingress port is not in the member set of the LTM’s VIDs, and ingress filtering is enabled, so the target data frame was filtered by ingress filtering.
Displaying Fault Notification Settings
Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator.
CLI References
• “show ethernet cfm fault-notify-generator” on page 553
Parameters
These parameters are displayed:
• MEP ID – Maintenance end point identifier.
• MD Name – Maintenance domain name.
• MA Name – Maintenance association name.
Displaying Continuity Check Errors
Use the Administration > CFM > Show Information (Show Continuity Check Error) page to display the CFM continuity check errors logged on this device.
CLI References
• “show ethernet cfm errors” on page 541
• “clear ethernet cfm errors” on page 540
Parameters
These parameters are displayed:
• Level – Maintenance level associated with this entry.
• Primary VLAN – VLAN in which this error occurred.
FIGURE 324 Showing Continuity Check Errors
Displaying Two-Way Delay-Measure Results
Use the Administration > CFM > Show Information (Show Two-Way Delay-Measure Results) page to display on-demand delay-measure requests logged on this device.
CLI References
• “show ethernet cfm delay-measure two-way” on page 561
Parameters
These parameters are displayed:
• Transmit DMM Time – The message transmission time.
Displaying Single-Ended Loss-Measure Results
Use the Administration > CFM > Show Information (Show Single-Ended Loss-Measure Results) page to display on-demand loss-measure requests logged on this device.
CLI References
• “show ethernet cfm loss-measure single-ended” on page 568
Parameters
These parameters are displayed:
• Received Time – The time this LMR frame was received from the peer device.
• Far-end Frame Loss – Frame loss associated with egress data frames.
CLI References
• “OAM Commands” on page 569

Parameters
These parameters are displayed:
• Port – Port identifier. (Range: 1-12)
• Admin Status – Enables or disables OAM functions. (Default: Disabled)
• Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.

TABLE 180 OAM Operation State
State | Description
Disabled | OAM is disabled on this interface via the OAM Admin Status.
Critical events include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
• Errored Frame – Controls reporting of errored frame link events. An errored frame is a frame in which one or more bits are errored. An errored frame link event occurs if the threshold is reached or exceeded within the specified period.
Displaying Statistics for OAM Messages
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.

CLI References
• “show efm oam counters interface” on page 576

Parameters
These parameters are displayed:
• Port – Port identifier. (Range: 1-12)
• Clear – Clears statistical counters for the selected ports.
Displaying the OAM Event Log
Use the Administration > OAM > Event Log page to display link events for the selected port.

CLI References
• “show efm oam event-log interface” on page 576

Command Usage
• When a link event occurs, whether the location is local or remote, this information is entered in the OAM event log.
• When the log system becomes full, older events are automatically deleted to make room for new entries.
Displaying the Status of Remote Interfaces
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.

CLI References
• “show efm oam status remote interface” on page 578

Parameters
These parameters are displayed:
• Port – Port identifier. (Range: 1-12)
• MAC Address – MAC address of the OAM peer.
• OUI – Organizational Unit Identifier of the OAM peer.
• Remote Loopback – Shows if remote loopback is supported by the OAM peer.
Configuring a Remote Loop Back Test
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.

CLI References
• “efm oam remote-loopback” on page 574
• “efm oam remote-loopback test” on page 575

Command Usage
• You can use this command to perform an OAM remote loop back test on the specified port.
TABLE 181 Remote Loopback Status (Continued)
State | Description
Terminating Loopback | The local OAM client is in the process of terminating the remote loopback.
Local Loopback | The remote OAM client has put the local OAM entity in loopback mode.
Unknown | This status may be returned if the OAM loopback is in a transition state but should not persist.

• Packets Transmitted – The number of loop back frames transmitted during the last loopback test on this interface.
Displaying Results of Remote Loop Back Testing
Use the Administration > OAM > Remote Loop Back (Show Test Result) page to display the results of remote loop back testing for each port for which this information is available.

CLI References
• “show efm oam remote-loopback interface” on page 577

Parameters
These parameters are displayed:
• Port – Port identifier.
Chapter 44 IP Configuration

In this chapter
This chapter describes how to configure an initial IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
44 Setting the Switch’s IP Address (IP Version 4) • The precedence for configuring IP interfaces is the IP > General > Routing Interface (Add) menu, and then static routes (see “Configuring Static Routes” on page 1078). Parameters These parameters are displayed: • VLAN – ID of the configured VLAN (1-4093). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
FIGURE 333 Configuring a Static IPv4 Address

To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch:
1. Click IP, General, Routing Interface.
2. Select Add Address from the Action list.
3. Select the VLAN through which the management station is attached, and set the IP Address Mode to “DHCP” or “BOOTP.”
4. Click Apply to save your changes.
5. Then click Restart DHCP to immediately request a new address.
44 Setting the Switch’s IP Address (IP Version 6) If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. To show the IPv4 address configured for an interface: 1. Click IP, General, Routing Interface. 2. Select Show Address from the Action list. 3. Select an entry from the VLAN list.
Configuring the IPv6 Default Gateway
Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch.

CLI References
• “ipv6 default-gateway” on page 606

Parameters
These parameters are displayed:
• Default Gateway – Sets the IPv6 address of the default next hop router.
  • All IPv6 addresses must be configured according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Configuring IPv6 Interface Settings
Use the IP > IPv6 Configuration (Configure Interface) page to configure general IPv6 settings for the selected VLAN, including auto-configuration of a global unicast interface address, explicit configuration of a link local interface address, the MTU size, and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval.
• MTU – Sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. (Range: 1280-65535 bytes; Default: 1500 bytes)
  • The maximum value set in this field cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes.
  • If a non-default value is configured, an MTU option is included in the router advertisements sent from this device.
• ND Reachable Time – The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. (Range: 0-3600000 milliseconds; Default: 30000 milliseconds)
• Restart DHCPv6 – When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration.
FIGURE 337 Configuring General Settings for an IPv6 Interface

Configuring an IPv6 Address
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network.

CLI References
• “IPv6 Interface” on page 605

Command Usage
• All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
• You can also manually configure the global unicast address by entering the full address and prefix length.
• You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
• If a duplicate link-local address is detected on the local segment, this interface is disabled and a warning message displayed on the console.
• Link Local – Configures an IPv6 link-local address.
  • The address prefix must be in the range of FE80~FEBF.
  • You can configure only one link-local address per interface.
  • The specified address replaces a link-local address that was automatically generated for the interface.
• IPv6 Address – IPv6 address assigned to this interface.

Interface
To configure an IPv6 address:
1. Click IP, IPv6 Configuration.
2. Select Add IPv6 Address from the Action list.
FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes. The interface-local multicast address is only used for loopback transmission of multicast traffic.
Showing the IPv6 Neighbor Cache
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.

CLI References
• “show ipv6 neighbors” on page 626

Parameters
These parameters are displayed:

TABLE 182 Show IPv6 Neighbors - display description
Field | Description
IPv6 Address | IPv6 address of neighbor
Age | The time since the address was verified as reachable (in seconds).
Interface
To show neighboring IPv6 devices:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Neighbors from the Action list.

FIGURE 340 Showing IPv6 Neighbors

Showing IPv6 Statistics
Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
Parameters
These parameters are displayed:

TABLE 183 Show IPv6 Statistics - display description
Field | Description
IPv6 Statistics
IPv6 Received
Total | The total number of input datagrams received by the interface, including those received in error.
Header Errors | The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
TABLE 183 Show IPv6 Statistics - display description (Continued)
Field | Description
IPv6 Transmitted
Forwards Datagrams | The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
TABLE 183 Show IPv6 Statistics - display description (Continued)
Field | Description
Redirect Messages | The number of Redirect messages received by the interface.
Group Membership Query Messages | The number of ICMPv6 Group Membership Query messages received by the interface.
Group Membership Response Messages | The number of ICMPv6 Group Membership Response messages received by the interface.
TABLE 183 Show IPv6 Statistics - display description (Continued)
Field | Description
UDP Statistics
Input | The total number of UDP datagrams delivered to UDP users.
No Port Errors | The total number of received UDP datagrams for which there was no application at the destination port.
Other Errors | The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
FIGURE 342 Showing IPv6 Statistics (ICMPv6)
FIGURE 343 Showing IPv6 Statistics (UDP)
44 Using the Ping Function Showing the MTU for Responding Destinations Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Host Name/IPv4 Address – IPv4 address or alias of the host. (Maximum length: 134 characters)
  • Probe Count – Number of packets to send. (Range: 1-16)
  • Packet Size – Number of bytes in a packet. (Range: 32-512 bytes)
• IPv6
  • Host Name/IPv6 Address – IPv6 address or alias of the host.
  • Probe Count – Number of packets to send. (Range: 1-16)
  • Packet Size – Number of bytes in a packet.
FIGURE 345 Pinging a Network Device

Using the Trace Route Function
Use the IP > General > Trace Route page to show the route packets take to a specified destination.

CLI References
• “traceroute” on page 600

Parameters
These parameters are displayed:
• Destination – IP address or alias of the host.

Command Usage
• Use the trace route function to determine the path taken to reach a specified destination.
3. Click Apply.

FIGURE 346 Tracing the Route to a Network Device

Address Resolution Protocol
The switch uses its routing tables (for static routes and directly connected subnets) to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
When devices receive this request, they discard it if their address does not match the destination IP address in the message. However, if it does match, they write their own hardware address into the destination MAC address field and send the message back to the source hardware address. When the source device receives a reply, it writes the destination IP address and corresponding MAC address into its cache, and forwards the IP traffic on to the next hop.
• Proxy ARP – Enables or disables Proxy ARP for specified VLAN interfaces, allowing a non-routing device to determine the MAC address of a host on another subnet or network. (Default: Disabled)
  End stations that require Proxy ARP must view the entire network as a single network. These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices.
• A static entry may need to be used if there is no response to an ARP broadcast message. For example, some applications may not respond to ARP requests or the response arrives too late, causing network operations to time out.
• Static entries will not be aged out or deleted when power is reset. You can only remove a static entry via the configuration interface.
FIGURE 350 Displaying Static ARP Entries

Displaying ARP Entries
Use the IP > ARP (Show Information) page to display dynamic entries in the ARP cache. The ARP cache contains entries for local interfaces, including subnet, host, and broadcast addresses. These entries are dynamically learned through replies to broadcast messages.

CLI References
• “show arp” on page 604
• “clear arp-cache” on page 604

Command Usage
Static entries are only displayed for VLANs that are up.
FIGURE 352 Displaying Local ARP Entries

Displaying ARP Statistics
Use the IP > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this router.

CLI References
• “show ip traffic” on page 598

Parameters
These parameters are displayed:

TABLE 186 ARP Statistics
Parameter | Description
Received Request | Number of ARP Request packets received by the router.
Received Reply | Number of ARP Reply packets received by the router.
Chapter 45 General IP Routing

In this chapter
This chapter provides information on network functions including:
• Static Routes – Configures static routes to other network segments.
• Routing Table – Displays routing entries learned through dynamic routing and statically configured entries.

Overview
This switch supports IP routing via static routing definitions.
FIGURE 354 Virtual Interfaces and Layer 3 Routing
[Figure labels: Inter-subnet traffic (Layer 3 switching); Routing; VLAN 1; VLAN 2; Tagged or Untagged; Untagged; Intra-subnet traffic (Layer 2 switching)]

IP Routing and Switching
IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
Configuring IP Routing Interfaces 45 If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node. However, if the packet belongs to a subnet not included on this switch, then the packet should be sent to the next hop router (with the MAC address of the router itself used as the destination MAC address, and the destination IP address of the destination node).
45 Configuring Static Routes
Once IP interfaces have been configured, the switch functions as a multilayer routing switch, operating at either Layer 2 or 3 as required. All IP packets are routed directly between local interfaces, or indirectly to remote interfaces using static routing. All other packets for non-IP protocols (for example, NetBEUI, NetWare or AppleTalk) are switched based on MAC addresses.
FIGURE 355 Configuring Static Routes

To display static routes:
1. Click IP, Routing, Static Routes.
2. Select Show from the Action List.

FIGURE 356 Displaying Static Routes

Displaying the Routing Table
Use the IP > Routing > Routing Table page to display all routes that can be accessed via local network interfaces, or through static routes.
• The Routing Table (and show ip route command) only displays routes which are currently accessible for forwarding. The router must be able to directly reach the next hop, so the VLAN interface associated with a static route entry must be up. Note that routes currently not accessible for forwarding may still be displayed by using the show ip route database command.

Parameters
These parameters are displayed in the web interface:
• VLAN – VLAN identifier (i.e.
Chapter 46 IP Services

In this chapter
This chapter describes how to configure Domain Name Service (DNS) and DHCP Relay Service. For information on DHCP snooping which is included in this folder, see “DHCP Snooping” on page 926.
This chapter provides information on the following IP services, including:
• DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
46 Domain Name Service Interface To configure general settings for DNS: 1. Click IP Service, DNS. 2. Select Configure Global from the Action list. 3. Enable domain lookup, and set the default domain name. 4. Click Apply. FIGURE 358 Configuring General Settings for DNS Configuring a List of Domain Names Use the IP Service > DNS - General (Add Domain Name) page to configure a list of domain names to be tried in sequential order.
3. Enter one domain name at a time.
4. Click Apply.

FIGURE 359 Configuring a List of Domain Names for DNS

To show the list of domain names:
1. Click IP Service, DNS.
2. Select Show Domain Names from the Action list.

FIGURE 360 Showing the List of Domain Names for DNS

Configuring a List of Name Servers
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
Parameters
These parameters are displayed:
• Name Server IP Address – Specifies the IPv4 or IPv6 address of a domain name server to use for name-to-address resolution. Up to six IP addresses can be added to the name server list.

Interface
To create a list of name servers:
1. Click IP Service, DNS.
2. Select Add Name Server from the Action list.
3. Enter one name server at a time.
4. Click Apply.

FIGURE 361 Configuring a List of Name Servers for DNS

To show the list of name servers:
1.
Command Usage
• Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.

Parameters
These parameters are displayed:
• Host Name – Name of a host device that is mapped to one or more IP addresses. (Range: 1-127 characters)
• IP Address – Internet address(es) associated with a host name.

Interface
To configure static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
Displaying the DNS Cache
Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.

CLI References
• “show dns cache” on page 585

Command Usage
• Servers or other network devices may support one or more connections via multiple IP addresses.
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up. If a subnet does not already include a BOOTP or DHCP server, you can relay DHCP client requests to a DHCP server on another subnet.

Specifying A DHCP Client Identifier
Use the IP Service > DHCP > Client page to specify the DHCP client identifier for a VLAN interface.
FIGURE 366 Specifying A DHCP Client Identifier

Configuring DHCP Relay Service
Use the IP Service > DHCP > Relay page to configure DHCP relay service for attached host devices. If DHCP relay is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server.
Interface
To configure DHCP relay service:
1. Click IP Service, DHCP, Relay.
2. Enter up to five IP addresses for any VLAN.
3. Click Apply.
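The relay behaviour described above (the switch writes its own address into the request so the server can identify the client's subnet) corresponds to the giaddr field of the BOOTP/DHCP header. The following Python sketch is an added illustration, not code from this guide or from the switch firmware; the sample packet, the scope names, the addresses (documentation ranges) and the hop limit of 16 are assumptions made for the example.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])
BOOTREQUEST = 1
HOPS, GIADDR = 3, 10      # tuple positions of the two fields a relay edits
MAX_HOPS = 16             # assumed hop limit for this sketch

# Constructed sample data: address pools keyed by the subnet they serve.
SCOPES = {"vlan10": "192.0.2.0/24", "vlan20": "198.51.100.0/24"}


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed sample: a client DHCPDISCOVER as broadcast on its own subnet."""
    zero = bytes(4)
    header = BOOTP.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        zero, zero, zero, zero,
                        mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    options = bytes([53, 1, 1, 255])   # option 53 = DHCPDISCOVER, then END
    return header + MAGIC_COOKIE + options


def relay_request(packet: bytes, relay_ip: str, max_hops: int = MAX_HOPS):
    """Return the packet as a relay would forward it, or None if it is dropped."""
    if len(packet) < BOOTP.size:
        return None                    # truncated header
    fields = list(BOOTP.unpack_from(packet))
    if fields[0] != BOOTREQUEST:
        return None                    # only client requests are relayed this way
    if fields[HOPS] >= max_hops:
        return None                    # loop protection
    fields[HOPS] += 1
    if fields[GIADDR] == bytes(4):
        # First relay on the path: stamp the receiving interface's address.
        fields[GIADDR] = ipaddress.IPv4Address(relay_ip).packed
    # A non-zero giaddr was set by an earlier relay and is left untouched.
    return BOOTP.pack(*fields) + packet[BOOTP.size:]


def giaddr_of(packet: bytes) -> ipaddress.IPv4Address:
    """Relay agent address carried in the request."""
    return ipaddress.IPv4Address(BOOTP.unpack_from(packet)[GIADDR])


def hops_of(packet: bytes) -> int:
    """Number of relays the request has passed through."""
    return BOOTP.unpack_from(packet)[HOPS]


def select_scope(packet: bytes, scopes: dict):
    """Server side: pick the pool whose subnet contains giaddr (None if unrelayed)."""
    gi = giaddr_of(packet)
    if int(gi) == 0:
        return None                    # server would use the subnet it arrived on
    for name, net in scopes.items():
        if gi in ipaddress.ip_network(net):
            return name
    return None


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("001122334455"), 0x1234ABCD)
    relayed = relay_request(discover, "192.0.2.1")
    print(giaddr_of(relayed), hops_of(relayed), select_scope(relayed, SCOPES))
```

Because the server chooses the address pool from giaddr alone, the value stamped by the first relay decides which subnet's addresses a client is offered, which is why a later relay leaves a non-zero giaddr unchanged.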
Chapter 47 Multicast Filtering

In this chapter
This chapter describes how to configure the following multicast services:
• IGMP – Configures snooping and query parameters.
• Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
• Multicast VLAN Registration for IPv4 – Configures a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, preserving security and data isolation.
47 Layer 2 IGMP (Snooping and Query) This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
IGMP snooping will not function unless a multicast router port is enabled on the switch. This can be accomplished in one of two ways. A static router port can be manually configured (see “Specifying Static Interfaces for a Multicast Router” on page 1097). Using this method, the router port is never timed out, and will continue to function until explicitly removed.
Command Usage
• IGMP Snooping – This switch can passively snoop on IGMP Query and Report packets transferred between IP multicast routers/switches and IP multicast host groups to identify the IP multicast group members. It simply monitors the IGMP packets passing through it, picks out the group registration information, and configures the multicast filters accordingly.
If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a time out mechanism is used to delete all of the currently learned multicast channels. When a new uplink port starts up, the switch sends unsolicited reports for all currently learned channels out the new uplink port.
By default, the switch immediately enters into “multicast flooding mode” when a spanning tree topology change occurs.
• Forwarding Priority – Assigns a CoS priority to all multicast traffic. (Range: 0-6, where 6 is the highest priority)
  This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
• Version Exclusive – Discards any received IGMP messages which use a version different to that currently configured by the IGMP Version attribute.
FIGURE 370 Configuring General Settings for IGMP Snooping

Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
3. Select the VLAN which will forward all the corresponding multicast traffic, and select the port or trunk attached to the multicast router.
4. Click Apply.

FIGURE 371 Configuring a Static Interface for a Multicast Router

To show the static interfaces attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
FIGURE 373 Showing Current Interfaces Attached to a Multicast Router

Assigning Interfaces to Multicast Services
Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see “Configuring IGMP Snooping and Query Parameters” on page 1093).
FIGURE 374 Assigning an Interface to a Multicast Service

To show the static interfaces assigned to a multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.

FIGURE 375 Showing Static Interfaces Assigned to a Multicast Service

To show all interfaces statically or dynamically assigned to a multicast service:
1.
FIGURE 376 Showing Current Interfaces Assigned to a Multicast Service

Setting IGMP Snooping Status per Interface
Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to “Configuring IGMP Snooping and Query Parameters” on page 1093.
  • On receipt of a Solicitation message.
• Multicast Router Solicitation – Devices send Solicitation messages in order to solicit Advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link. Solicitation messages are also sent whenever a multicast forwarding interface is initialized or re-initialized.
If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified time out period. Note that this time out is set to Last Member Query Interval * Robustness Variable (fixed at 2) as defined in RFC 2236.
This command applies when the switch is serving as the querier (see “Configuring IGMP Snooping and Query Parameters” on page 1093), or as a proxy host when IGMP snooping proxy reporting is enabled (see “Configuring IGMP Snooping and Query Parameters” on page 1093).
• Last Member Query Interval – The interval to wait for a response to a group-specific or group-and-source-specific query message.
Interface
To configure IGMP snooping on a VLAN:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Configure VLAN from the Action list.
3. Select the VLAN to configure and update the required parameters.
4. Click Apply.

FIGURE 377 Configuring IGMP Snooping on a VLAN

To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.
Displaying Multicast Groups Discovered by IGMP Snooping
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.

CLI References
• “show ip igmp snooping group” on page 459

Command Usage
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see “Configuring IGMP Snooping and Query Parameters” on page 1093).
Parameters
These parameters are displayed:
• VLAN – VLAN identifier. (Range: 1-4093)
• Port – Port identifier. (Range: 1-12)
• Trunk – Trunk identifier. (Range: 1-12)

Query Statistics
• Querier IP Address – The IP address of the querier on this interface.
• Querier Expire Time – The time after which this querier is assumed to have expired.
• General Query Received – The number of general queries received on this interface.
FIGURE 380 Displaying IGMP Snooping Statistics – Query

To display IGMP snooping protocol-related statistics for a VLAN:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show VLAN Statistics from the Action list.
3. Select a VLAN.
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.

FIGURE 382 Displaying IGMP Snooping Statistics – Port

Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example, for an IP/TV service based on a specific subscription plan.
Enabling IGMP Filtering and Throttling
Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch.

CLI References
• “ip igmp filter (Global Configuration)” on page 464

Parameters
These parameters are displayed:
• IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch. (Default: Disabled)

Interface
To enable IGMP filtering and throttling on the switch:
1.
• Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny)
  When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when the multicast group is not in the controlled range.

Add Multicast Group Range
• Profile ID – Selects an IGMP profile to configure.
To add a range of multicast groups to an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add Multicast Group Range from the Action list.
4. Select the profile to configure, and add a multicast group address or range of addresses.
5. Click Apply.

FIGURE 386 Adding Multicast Groups to an IGMP Filtering Profile

To show the multicast groups configured for an IGMP filter profile:
1.
Command Usage
• IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
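The profile access modes (permit or deny against a controlled range) and the throttling actions (deny or replace) described above combine into one decision per join report. The Python model below is an added illustration, not the switch's implementation; the class names, the verdict strings, the group addresses and the assumption that the filter profile is evaluated before the throttle are all hypothetical.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Addr = ipaddress.IPv4Address


@dataclass
class FilterProfile:
    """An IGMP filter profile: an access mode plus controlled group ranges."""
    mode: str = "deny"                       # the guide's default access mode
    ranges: List[Tuple[Addr, Addr]] = field(default_factory=list)

    def add_range(self, start: str, end: Optional[str] = None) -> None:
        lo, hi = Addr(start), Addr(end or start)
        if not (lo.is_multicast and hi.is_multicast) or lo > hi:
            raise ValueError(f"not a valid multicast range: {start}-{end or start}")
        self.ranges.append((lo, hi))

    def allows(self, group: str) -> bool:
        g = Addr(group)
        controlled = any(lo <= g <= hi for lo, hi in self.ranges)
        # permit: only groups inside the range; deny: only groups outside it.
        return controlled if self.mode == "permit" else not controlled


@dataclass
class Port:
    """Per-port state: optional profile, optional group limit, throttle action."""
    profile: Optional[FilterProfile] = None
    max_groups: Optional[int] = None
    action: str = "deny"                     # "deny" or "replace"
    groups: Set[Addr] = field(default_factory=set)
    rng: random.Random = field(default_factory=random.Random)

    def join(self, group: str) -> str:
        """Process one IGMP join report and return the verdict."""
        g = Addr(group)
        # Assumption: the filter profile is checked before the throttle.
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if g in self.groups:
            return "member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny" or not self.groups:
                return "throttled"           # new join report is dropped
            victim = self.rng.choice(sorted(self.groups))
            self.groups.remove(victim)       # a random existing group is evicted
            self.groups.add(g)
            return f"replaced {victim}"
        self.groups.add(g)
        return "joined"


if __name__ == "__main__":
    profile = FilterProfile(mode="permit")
    profile.add_range("239.1.1.0", "239.1.1.255")   # constructed sample range
    port = Port(profile=profile, max_groups=2, action="replace")
    for grp in ("239.1.1.10", "239.2.2.2", "239.1.1.11", "239.1.1.12"):
        print(grp, "->", port.join(grp))
```

Under this model a deny-mode profile with no ranges processes every join and a permit-mode profile with no ranges processes none, so a profile created but never given a range has opposite effects depending on its access mode.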
Multicast VLAN Registration for IPv4

Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
• Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One can be enabled or disabled without affecting the behavior of the other. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and leave messages from multicast groups configured under MVR. Join and leave messages from all other multicast groups are managed by IGMP snooping.
Interface
To configure global settings for MVR:
1. Click Multicast, MVR.
2. Select Configure Global from the Step list.
3. Set the status for MVR proxy switching and the robustness value used for report and query messages.
4. Click Apply.
• Upstream Source IP – The source IP address assigned to all MVR control packets sent upstream on the specified domain. By default, all MVR reports sent upstream use a null source IP address.

Interface
To configure settings for an MVR domain:
1. Click Multicast, MVR.
2. Select Configure Domain from the Step list.
3. Select a domain from the scroll-down list.
4.
Parameters
These parameters are displayed:

Configure Profile
• Profile Name – The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters)
• Start IP Address – Starting IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
• End IP Address – Ending IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)

Associate Profile
• Domain ID – An independent multicast domain.
FIGURE 393 Displaying MVR Group Address Profiles

To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4. Select a domain from the scroll-down list, and enter the name of a group profile.
5. Click Apply.

FIGURE 394 Assigning an MVR Group Address Profile to a Domain

To show the MVR group address profiles assigned to a domain:
1. Click Multicast, MVR.
2.
Configuring MVR Interface Status

Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
• Receiver – A subscriber port that can receive multicast data sent through the MVR VLAN. Any port configured as a receiver port will be dynamically added to the MVR VLAN when it forwards an IGMP report or join message from an attached host requesting any of the designated multicast services supported by the MVR VLAN. Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
Assigning Static MVR Multicast Groups to Interfaces

Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.

CLI References
• “mvr vlan group” on page 478

Command Usage
• Multicast groups can be statically assigned to a receiver port using this configuration page.
• The IP address range from 224.0.0.0 to 239.255.255.
To show the static MVR groups assigned to an interface:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Show from the Action list.
4. Select an MVR domain.
5. Select the port or trunk for which to display this information.
Interface
To display the interfaces assigned to the MVR receiver groups:
1. Click Multicast, MVR.
2. Select Show Member from the Step list.
3. Select an MVR domain.

FIGURE 399 Displaying MVR Receiver Groups

Displaying MVR Statistics

Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
• Leave – The number of leave messages received on this interface.
• G Query – The number of general query messages received on this interface.
• G(-S)-S Query – The number of group specific or group-and-source specific query messages received on this interface.
• Drop – The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received.
To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.

FIGURE 401 Displaying MVR Statistics – VLAN

To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4.
FIGURE 402 Displaying MVR Statistics – Port

Multicast VLAN Registration for IPv6

MVR6 functions in a manner similar to that described for MVR (see “Multicast VLAN Registration for IPv6” on page 1127).

Command Usage
• General Configuration Guidelines for MVR6:
1. Enable MVR6 for a domain on the switch, and select the MVR VLAN (see “Configuring MVR6 Domain Settings” on page 1129).
2.
Configuring MVR6 Global Settings

Use the Multicast > MVR6 (Configure Global) page to configure proxy switching and the robustness variable.

CLI References
• “MVR for IPv6” on page 485

Parameters
These parameters are displayed:
• Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
4. Click Apply.

FIGURE 403 Configuring Global Settings for MVR6

Configuring MVR6 Domain Settings

Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.

CLI References
• “MVR for IPv6” on page 485

Parameters
These parameters are displayed:
• Domain ID – An independent multicast domain.
Interface
To configure settings for an MVR6 domain:
1. Click Multicast, MVR6.
2. Select Configure Domain from the Step list.
3. Select a domain from the scroll-down list.
4. Enable MVR6 for the selected domain, select the MVR6 VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
5. Click Apply.
Parameters
These parameters are displayed:

Configure Profile
• Profile Name – The name of a profile containing one or more MVR6 group addresses. (Range: 1-21 characters)
• Start IPv6 Address – Starting IP address for an MVR6 multicast group. This parameter must be a full IPv6 address including the network prefix and host address bits.
• End IPv6 Address – Ending IP address for an MVR6 multicast group.
FIGURE 406 Displaying MVR6 Group Address Profiles

To assign an MVR6 group address profile to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4. Select a domain from the scroll-down list, and enter the name of a group profile.
5. Click Apply.

FIGURE 407 Assigning an MVR6 Group Address Profile to a Domain

To show the MVR6 group address profiles assigned to a domain:
1. Click Multicast, MVR6.
2.
Configuring MVR6 Interface Status

Use the Multicast > MVR6 (Configure Interface) page to configure each interface that participates in the MVR6 protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
• Receiver – A subscriber port that can receive multicast data sent through the MVR6 VLAN. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see “Adding Static Members to VLANs” on page 754).
• Forwarding Status – Shows if multicast traffic is being forwarded or blocked.
• MVR6 Status – Shows the MVR6 status. MVR6 status for source ports is “Active” if MVR6 is globally enabled on the switch.
Command Usage
• Multicast groups can be statically assigned to a receiver port using this configuration page.
• All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.
5. Select the port or trunk for which to display this information.

FIGURE 411 Showing the Static MVR6 Groups Assigned to a Port

Displaying MVR6 Receiver Groups

Use the Multicast > MVR6 (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR6 receiver groups on each interface.

CLI References
• “show mvr6 members” on page 495

Parameters
These parameters are displayed:
• Domain ID – An independent multicast domain.
FIGURE 412 Displaying MVR6 Receiver Groups

Displaying MVR6 Statistics

Use the Multicast > MVR6 > Show Statistics pages to display MVR6 protocol-related statistics for the specified interface.

CLI References
• “show mvr6 statistics” on page 496

Parameters
These parameters are displayed:
• Domain ID – An independent multicast domain. (Range: 1-5)
• VLAN – VLAN identifier. (Range: 1-4093)
• Port – Port identifier. (Range: 1-12)
• Trunk – Trunk identifier.
• Join Success – The number of times a multicast group was successfully joined.
• Group – The number of MVR6 groups active on this interface.

Output Statistics
• Report – The number of MLD membership reports sent from this interface.
• Leave – The number of leave messages sent from this interface.
• G Query – The number of general query messages sent from this interface.
To display MVR6 protocol-related statistics for a VLAN:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a VLAN.
To display MVR6 protocol-related statistics for a port:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Port.
Section IV Appendices

This section provides additional information and includes these items:
• Troubleshooting
• Software Specifications
• The GNU General Public License
• Glossary and Acronyms
Appendix A Troubleshooting

In this appendix
• Problems Accessing the Management Interface
• Using System Logs
TABLE 187 Troubleshooting Chart (Continued)

Symptom: Cannot access the on-board configuration program via a serial port connection
Action:
• Check to see if you have set the terminal emulator program to VT100 compatible, 8 data bits, 1 stop bit, no parity, and the baud rate set to 9600 bps.
• Verify that you are using the RJ-45 to DB-9 null-modem serial cable supplied with the switch.
Appendix B Software Specifications

In this appendix
• Software Features
• Management Features
• Management Information Bases

Software Features

Management Authentication
Local, RADIUS, TACACS+, Port Authentication (802.
Class of Service
Supports four levels of priority
Strict, Weighted Round Robin (WRR), or a combination of strict and weighted queuing
Layer 3/4 priority mapping: IP DSCP

Quality of Service
DiffServ23 supports class maps, policy maps, and service policies

Multicast Filtering
IGMP Snooping (Layer 2)
Multicast VLAN Registration

IP Routing
ARP, Proxy ARP
Static routes

Additional Features
BOOTP Client
Connectivity Fault Management
DHCP Client
DNS Client, Proxy
ERPS (Ethernet Ring
Standards

Ethernet Service OAM (ITU-T Y.1731) - partial support
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities
  Spanning Tree Protocol
  Rapid Spanning Tree Protocol
  Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.1Q VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.1X Port Authentication
IEEE 802.
Management Information Bases

Bridge MIB (RFC 1493)
Differentiated Services MIB (RFC 3289)
DNS Resolver MIB (RFC 1612)
ERPS MIB (ITU-T G.
SNMP Framework MIB (RFC 3411)
SNMP-MPD MIB (RFC 3412)
SNMP Target MIB, SNMP Notification MIB (RFC 3413)
SNMP User-Based SM MIB (RFC 3414)
SNMP View Based ACM MIB (RFC 3415)
SNMPv2 IP MIB (RFC 2011)
TCP MIB (RFC 2012)
Trap (RFC 1215)
UDP MIB (RFC 2013)
Appendix C License Information

In this appendix
• Overview
• The GNU General Public License

Overview

This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
c. If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License.
5. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

6.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

11.
Appendix D Glossary and Acronyms

ACL
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
DiffServ
Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GVRP
GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.

ICMP
Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.

IEEE 802.
IGMP
Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
Link Aggregation
See Port Trunk.

LLDP
Link Layer Discovery Protocol is used to discover basic information about neighboring devices in the local broadcast domain by using periodic broadcasts to advertise information such as device identification, capabilities and configuration settings.

MD5
MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken.
Out-of-Band Management
Management of the network from a station not attached to the network.

Port Authentication
See IEEE 802.1X.

Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.
SMTP
Simple Mail Transfer Protocol is a standard host-to-host mail transport protocol that operates over TCP, port 25.

SNMP
Simple Network Management Protocol. The application protocol in the Internet suite of protocols which offers network management services.

SNTP
Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server.
UTC
Universal Time Coordinate. UTC is a time scale that couples Greenwich Mean Time (based solely on the Earth’s rotation rate) with highly accurate atomic time. The UTC does not have daylight saving time.

VLAN
Virtual LAN. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.